From 14f3dca08f75a667350ba1d89bcc47bf3b36af99 Mon Sep 17 00:00:00 2001 
From: Yara Tercero Date: Wed, 22 Apr 2026 12:23:36 -0700 Subject: [PATCH 01/14] Added missing examples, descriptions, summaries, etc for OAS --- oas_docs/output/kibana.serverless.yaml | 149358 ++++--------- oas_docs/output/kibana.yaml | 163602 ++++----------- .../kbn-openapi-bundler/src/openapi_merger.ts | 35 +- .../create_exception_list.schema.yaml | 10 + .../create_exception_list_item.schema.yaml | 15 + .../create_rule_exceptions.schema.yaml | 20 + .../delete_exception_list.schema.yaml | 3 + .../delete_exception_list_item.schema.yaml | 12 +- .../duplicate_exception_list.schema.yaml | 11 +- .../export_exception_list.schema.yaml | 4 + .../find_exception_list_items.schema.yaml | 2 + .../import_exceptions.schema.yaml | 10 + .../read_exception_list.schema.yaml | 3 + .../read_exception_list_item.schema.yaml | 3 + .../read_exception_list_summary.schema.yaml | 3 + .../update_exception_list.schema.yaml | 9 + .../update_exception_list_item.schema.yaml | 8 + ...eptions_api_2023_10_31.bundled.schema.yaml | 173 +- ...eptions_api_2023_10_31.bundled.schema.yaml | 173 +- .../create_list_index.schema.yaml | 23 +- .../api/delete_list/delete_list.schema.yaml | 1 + .../delete_list_index.schema.yaml | 20 + .../export_list_items.schema.yaml | 11 + .../find_list_items.schema.yaml | 3 + .../import_list_items.schema.yaml | 9 + .../api/patch_list/patch_list.schema.yaml | 5 + .../patch_list_item.schema.yaml | 5 + .../api/read_list/read_list.schema.yaml | 1 + .../read_list_index.schema.yaml | 21 + .../read_list_privileges.schema.yaml | 10 + .../api/update_list/update_list.schema.yaml | 6 + .../update_list_item.schema.yaml | 11 +- ...n_lists_api_2023_10_31.bundled.schema.yaml | 165 +- ...n_lists_api_2023_10_31.bundled.schema.yaml | 165 +- .../set_alert_assignees_route.schema.yaml | 84 +- .../set_alert_tags/set_alert_tags.schema.yaml | 19 +- .../create_index/create_index.schema.yaml | 25 + .../delete_index/delete_index.schema.yaml | 31 +- .../read_index/read_index.schema.yaml | 25 + 
.../read_privileges.schema.yaml | 11 + .../delete_rule/delete_rule_route.schema.yaml | 29 + .../export_rules_route.schema.yaml | 13 + .../find_rules/find_rules_route.schema.yaml | 4 + .../import_rules_route.schema.yaml | 5 + .../rule_preview/rule_preview.schema.yaml | 53 +- .../query_signals_route.schema.yaml | 17 + .../set_signals_status_route.schema.yaml | 17 + .../create_signals_migration.schema.yaml | 25 +- .../delete_signals_migration.schema.yaml | 33 +- .../finalize_signals_migration.schema.yaml | 30 +- .../read_signals_migration_status.schema.yaml | 25 +- ...ections_api_2023_10_31.bundled.schema.yaml | 554 +- ...ections_api_2023_10_31.bundled.schema.yaml | 293 +- 53 files changed, 86507 insertions(+), 228696 deletions(-)
diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml
index e4696e257d931..064000d04e557 100644
--- a/oas_docs/output/kibana.serverless.yaml
+++ b/oas_docs/output/kibana.serverless.yaml
@@ -2,32 +2,52 @@ openapi: 3.0.3 info: contact: name: Kibana Team - description: | + description: > The Kibana REST APIs for Elastic serverless enable you to manage resources + such as connectors, data views, and saved objects. The API calls are + stateless. Each request that you make happens in isolation from other calls + and must include all of the necessary information for Kibana to fulfill the + request. API requests return JSON output, which is a format that is + machine-readable and works well for automation. + To interact with Kibana APIs, use the following operations: + - GET: Fetches the information. + - POST: Adds new information. + - PUT: Updates the existing information. + - DELETE: Removes the information. + You can prepend any Kibana API endpoint with `kbn:` and run the request in + **Dev Tools → Console**. For example: + ``` + GET kbn:/api/data_views + ``` + ## Documentation source and versions - This documentation is derived from the `main` branch of the [kibana](https://github.com/elastic/kibana) repository. - It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 International](https://creativecommons.org/licenses/by-nc-nd/4.0/). + + This documentation is derived from the `main` branch of the + [kibana](https://github.com/elastic/kibana) repository. + + It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 + International](https://creativecommons.org/licenses/by-nc-nd/4.0/). title: Kibana Serverless APIs version: '' x-doc-license: 
@@ -35,1207 +55,463 @@ info: url: https://creativecommons.org/licenses/by-nc-nd/4.0/ x-feedbackLink: label: Feedback - url: https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+ + url: >- + https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+ servers: + - url: http://{kibana_host}:{port} + variables: + kibana_host: + default: localhost + port: + default: '5601' - url: https://{kibana_url} variables: kibana_url: - default: -security: - - apiKeyAuth: [] -tags: - - name: agent builder - description: | - Agent Builder is a set of AI-powered capabilities for developing and interacting with agents that work with your Elasticsearch data. - Most users will probably want to integrate with Agent Builder using MCP or A2A, but you can also work programmatically with tools, agents, and conversations using these Kibana APIs. - externalDocs: - description: Agent Builder docs - url: https://www.elastic.co/docs/solutions/search/agent-builder/programmatic-access - x-displayName: Agent Builder - - name: alerting - description: | - Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third party integrations. - externalDocs: - description: Alerting documentation - url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts - x-displayName: Alerting - - description: | - Adjust APM agent configuration without need to redeploy your application. - name: APM agent configuration - - description: | - Configure APM agent keys to authorize requests from APM agents to the APM Server. 
- name: APM agent keys - - description: | - Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications. - name: APM annotations - - description: Create APM fleet server schema. - name: APM server schema - - description: | - Configure APM source maps. A source map allows minified files to be mapped back to original source code--allowing you to maintain the speed advantage of minified code, without losing the ability to quickly and easily debug your application. - For best results, uploading source maps should become a part of your deployment procedure, and not something you only do when you see unhelpful errors. That's because uploading source maps after errors happen won't make old errors magically readable--errors must occur again for source mapping to occur. - name: APM sourcemaps - - name: connectors - description: | - Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met. - externalDocs: - description: Connector documentation - url: https://www.elastic.co/docs/reference/kibana/connectors-kibana - x-displayName: Connectors - - name: Data streams - description: | - Data stream APIs enable you to manage data streams, which are collections of indices that share the same index template and are managed as a single unit for time-series data. - x-displayName: Data streams - - description: Data view APIs enable you to manage data views, formerly known as Kibana index patterns. - name: data views - x-displayName: Data views - - name: Elastic Agent actions - description: | - Elastic Agent actions APIs enable you to manage actions performed on Elastic Agents, including agent reassignment, diagnostics collection, enrollment management, upgrades, and bulk operations for agent lifecycle management. 
- x-displayName: Elastic Agent actions - - name: Elastic Agent binary download sources - description: | - Elastic Agent binary download sources APIs enable you to manage download sources for Elastic Agent binaries, including creating, updating, and deleting custom download sources for agent binaries. - x-displayName: Elastic Agent binary download sources - - name: Elastic Agent policies - description: | - Elastic Agent policies APIs enable you to manage agent policies, including creating, updating, and deleting policies, as well as to retrieve agent policy outputs, manifests, and auto-upgrade status information. - x-displayName: Elastic Agent policies - - name: Elastic Agent status - description: | - Enables you to retrieve status information about Elastic Agents, including health summaries and operational status. - x-displayName: Elastic Agent status - - name: Elastic Agents - description: | - Elastic Agents APIs enable you to manage Elastic Agents, including retrieving agent information, managing agent lifecycle, handling file uploads, and initiating agent setup. - x-displayName: Elastic Agents - - name: Elastic Package Manager (EPM) - description: | - Elastic Package Manager (EPM) APIs enable you to manage packages and integrations, including installing, updating, and uninstalling packages, managing custom integrations, and handling package assets. - x-displayName: Elastic Package Manager (EPM) - - name: Fleet agentless policies - - name: Fleet cloud connectors - description: | - Fleet cloud connectors APIs enable you to manage Fleet cloud connectors, including creating, updating, and deleting cloud connector configurations for Fleet integrations. - x-displayName: Fleet cloud connectors - - name: Fleet enrollment API keys - description: | - Fleet enrollment API keys APIs enable you to manage enrollment API keys for Fleet, including creating, retrieving, and revoking API keys used for agent enrollment. 
- x-displayName: Fleet enrollment API keys - - name: Fleet internals - description: | - Fleet internals APIs enable you to manage Fleet internal operations, including checking permissions, monitoring Fleet Server health, managing settings, and initiating Fleet setup. - x-displayName: Fleet internals - - name: Fleet outputs - description: | - Fleet outputs APIs enable you to manage Fleet outputs, including creating, updating, and deleting output configurations, generating Logstash API keys, and monitoring output health. - x-displayName: Fleet outputs - - name: Fleet package policies - description: | - Fleet package policies APIs enable you to manage Fleet package policies, including creating, updating, and deleting policies, performing bulk operations, and managing policy upgrades. - x-displayName: Fleet package policies - - name: Fleet proxies - description: | - Fleet proxies APIs enable you to manage Fleet proxies, including creating, updating, and deleting proxy configurations for Fleet agent communication. - x-displayName: Fleet proxies - - name: Fleet Server hosts - description: | - Fleet Server hosts APIs enable you to manage Fleet Server hosts, including creating, updating, and deleting Fleet Server host configurations. - x-displayName: Fleet Server hosts - - name: Fleet service tokens - - name: Fleet uninstall tokens - description: | - Fleet uninstall tokens APIs enable you to manage Fleet uninstall tokens, including retrieving metadata and decrypted tokens for agent uninstallation. - x-displayName: Fleet uninstall tokens - - name: maintenance-window - description: | - You can schedule single or recurring maintenance windows to temporarily reduce rule notifications. For example, a maintenance window prevents false alarms during planned outages. 
- externalDocs: - description: Maintenance window documentation - url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts/maintenance-windows - x-displayName: Maintenance windows - - name: Message Signing Service - description: | - Enables you to rotate message signing key pairs for secure Fleet communication. - x-displayName: Fleet Message Signing Service - - description: | - Enables you to synchronize machine learning saved objects. - name: ml - x-displayName: Machine learning - - description: Interact with the Observability AI Assistant resources. - externalDocs: - description: Observability AI Assistant - url: https://www.elastic.co/docs/solutions/observability/observability-ai-assistant - name: observability_ai_assistant - x-displayName: Observability AI Assistant - - name: roles - x-displayName: Roles - description: Manage the roles that grant Elasticsearch and Kibana privileges. - externalDocs: - description: Kibana role management - url: https://www.elastic.co/docs/deploy-manage/users-roles/serverless-custom-roles - - name: saved objects - x-displayName: Saved objects - description: | - Export or import sets of saved objects. - - To manage a specific type of saved object, use the corresponding APIs. - For example, use: - - [Data views](../group/endpoint-data-views). - - description: Manage and interact with Security Assistant resources. - name: Security AI Assistant API - x-displayName: Security AI assistant - - description: Use the Attack discovery APIs to generate and manage Attack discoveries. Attack Discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. 
- name: Security Attack discovery API - x-displayName: Security Attack discovery - - description: | - Use the detections APIs to create and manage detection rules. Detection rules search events and external alerts sent to Elastic Security and generate detection alerts from any hits. Alerts are displayed on the **Alerts** page and can be assigned and triaged, using the alert status to mark them as open, closed, or acknowledged. - - This API supports both key-based authentication and basic authentication. - - To use key-based authentication, create an API key, then specify the key in the header of your API calls. - - To use basic authentication, provide a username and password; this automatically creates an API key that matches the current user’s privileges. - - In both cases, the API key is subsequently used for authorization when the rule runs. - > warn - > If the API key used for authorization has different privileges than the key that created or most recently updated a rule, the rule behavior might change. - - > If the API key that created a rule is deleted, or the user that created the rule becomes inactive, the rule will stop running. - - To create and run rules, the user must meet specific requirements for the Kibana space. Refer to the [Detections requirements](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html) for a complete list of requirements. - name: Security Detections API - x-displayName: Security detections - - description: Endpoint Exceptions API allows you to manage detection rule endpoint exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met. - name: Security Endpoint Exceptions API - x-displayName: Security Elastic Endpoint exceptions - - description: Interact with and manage endpoints running the Elastic Defend integration. 
- name: Security Endpoint Management API - x-displayName: Security endpoint management - - description: | - Use the Security entity analytics APIs to manage entity analytics and risk scoring, including asset criticality, privileged user monitoring, and entity engines. - name: Security Entity Analytics API - x-displayName: Security entity analytics - - name: Security entity store - - description: | - Exceptions are associated with detection and endpoint rules, and are used to prevent a rule from generating an alert from incoming events, even when the rule's other criteria are met. They can help reduce the number of false positives and prevent trusted processes and network activity from generating unnecessary alerts. - - Exceptions are made up of: - - * **Exception containers**: A container for related exceptions. Generally, a single exception container contains all the exception items relevant for a subset of rules. For example, a container can be used to group together network-related exceptions that are relevant for a large number of network rules. The container can then be associated with all the relevant rules. - * **Exception items**: The query (fields, values, and logic) used to prevent rules from generating alerts. When an exception item's query evaluates to `true`, the rule does not generate an alert. - - For detection rules, you can also use lists to define rule exceptions. A list holds multiple values of the same Elasticsearch data type, such as IP addresses. These values are used to determine when an exception prevents an alert from being generated. - > info - > You cannot use lists with endpoint rule exceptions. - - > info - > Only exception containers can be associated with rules. You cannot directly associate an exception item or a list container with a rule. To use list exceptions, create an exception item that references the relevant list container. 
- - ## Exceptions requirements - - Before you can start working with exceptions that use value lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. For a complete list of requirements, refer to [Enable and access detections](https://www.elastic.co/guide/en/serverless/current/security-detections-requirements.html#enable-detections-ui). - name: Security Exceptions API - x-displayName: Security exceptions - - description: | - Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts. - - Lists are made up of: - - * **List containers**: A container for values of the same Elasticsearch data type. The following data types can be used: - * `boolean` - * `byte` - * `date` - * `date_nanos` - * `date_range` - * `double` - * `double_range` - * `float` - * `float_range` - * `half_float` - * `integer` - * `integer_range` - * `ip` - * `ip_range` - * `keyword` - * `long` - * `long_range` - * `short` - * `text` - * **List items**: The values used to determine whether the exception prevents an alert from being generated. - - All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named `internal-ip-addresses-southport` contains five items, where each item defines one internal IP address: - 1. `192.168.1.1` - 2. `192.168.1.3` - 3. `192.168.1.18` - 4. `192.168.1.12` - 5. `192.168.1.7` - - To use these IP addresses as values for defining rule exceptions, use the Security exceptions API to [create an exception list item](../operation/operation-createexceptionlistitem) that references the `internal-ip-addresses-southport` list. 
- > info - > Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (`is in list`, `is not in list`). Use an exception item to define the operator and associate it with an [exception container](../operation/operation-createexceptionlist). You can then add the exception container to a rule's `exceptions_list` object. - - ## Lists requirements - - Before you can start using lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. Refer to [Enable and access detections](https://www.elastic.co/guide/en/serverless/current/security-detections-requirements.html#enable-detections-ui) for a complete list of requirements. - name: Security Lists API - x-displayName: Security lists - - description: Run live queries, manage packs and saved queries. - name: Security Osquery API - x-displayName: Security Osquery - - description: You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file. - name: Security Timeline API - x-displayName: Security timeline - - description: SLO APIs enable you to define, manage and track service-level objectives - name: slo - x-displayName: Service level objectives - - name: spaces - x-displayName: Spaces - description: Manage your Kibana spaces. - externalDocs: - url: https://www.elastic.co/docs/deploy-manage/manage-spaces - description: Space overview - - name: streams - description: | - Streams provide a unified data management layer for ingestion, routing, and processing. There are three stream types: - * **Wired** streams are managed by Kibana. They route documents to child streams based on - field conditions and support custom field mappings and processing steps. 
- - * **Classic** streams map to existing Elasticsearch data streams. You can add processing - steps to classic streams without changing their underlying index template. - - * **Query** streams are virtual aggregations backed by an ES|QL expression. They aggregate - data from multiple streams into a single logical view without duplicating documents. - x-displayName: Streams - externalDocs: - description: Streams documentation - url: https://www.elastic.co/docs/solutions/observability/streams - - name: system - x-displayName: System - description: | - Get information about the system status, resource usage, features, and installed plugins. - - description: Task manager APIs enable you to check the health of the Kibana task manager, which is used by features such as alerting, actions, and reporting to run mission critical work as persistent background tasks. - externalDocs: - description: Task manager - url: https://www.elastic.co/docs/deploy-manage/distributed-architecture/kibana-tasks-management - name: task manager - x-displayName: Task manager - - name: workflows - description: | - Workflows enable you to automate multi-step processes directly in Kibana. Define sequences of steps in YAML to transform data insights into automated actions and outcomes, without needing external automation tools. - - Use the workflows APIs to create, manage, and run workflows programmatically. You can also search, export, import, and monitor workflow executions. - externalDocs: - description: Workflows documentation - url: https://www.elastic.co/docs/explore-analyze/workflows - x-displayName: Workflows + default: localhost:5601 + - url: / paths: - /api/actions/connector_types: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/actions/connector_types
+ /api/apm/agent_keys: + post: + description: > + Create a new agent key for APM. - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + The user creating an APM agent API key must have at least the + `manage_own_api_key` cluster privilege and the APM application-level + privileges that it wishes to grant. - You do not need any Kibana feature privileges to run this API. - operationId: get-actions-connector-types + After it is created, you can copy the API key (Base64 encoded) and use + it to to authorize requests from APM agents to the APM Server. + operationId: createAgentKey parameters: - - description: A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases). - in: query - name: feature_id - required: false - schema: - type: string + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + application/json: + examples: + createAgentKeyRequest1: + $ref: '#/components/examples/APM_UI_agent_keys_object_post_request1' + schema: + $ref: '#/components/schemas/APM_UI_agent_keys_object' + required: true responses: '200': content: application/json: - schema: - items: - additionalProperties: false - type: object - properties: - allow_multiple_system_actions: - description: Indicates whether multiple instances of the same system action connector can be used in a single rule. - type: boolean - enabled: - description: Indicates whether the connector is enabled. - type: boolean - enabled_in_config: - description: Indicates whether the connector is enabled in the Kibana configuration. - type: boolean - enabled_in_license: - description: Indicates whether the connector is enabled through the license. - type: boolean - id: - description: The identifier for the connector. - type: string - is_deprecated: - description: Indicates whether the connector type is deprecated. 
- type: boolean - is_system_action_type: - description: Indicates whether the action is a system action. - type: boolean - minimum_license_required: - description: The minimum license required to enable the connector. - enum: - - basic - - standard - - gold - - platinum - - enterprise - - trial - type: string - name: - description: The name of the connector type. - type: string - source: - description: The source of the connector type definition. - enum: - - yml - - spec - - stack - type: string - sub_feature: - description: Indicates the sub-feature type the connector is grouped under. - enum: - - endpointSecurity - type: string - supported_feature_ids: - description: The list of supported features - items: - type: string - type: array - required: - - id - - name - - enabled - - enabled_in_config - - enabled_in_license - - minimum_license_required - - supported_feature_ids - - is_system_action_type - - is_deprecated - - source - type: array examples: - getConnectorTypesServerlessResponse: - $ref: '#/components/examples/get_connector_types_generativeai_response' - description: Indicates a successful call. - '403': - description: Indicates that this call is forbidden. - summary: Get connector types - tags: - - connectors - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/actions/connector/_oauth_callback: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/actions/connector/_oauth_callback
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Handles the OAuth 2.0 authorization code callback from external providers. Exchanges the authorization code for access and refresh tokens.

[Required authorization] Route required privileges: actions:oauth. - operationId: get-actions-connector-oauth-callback - parameters: - - description: The authorization code returned by the OAuth provider. - in: query - name: code - required: false - schema: - type: string - - description: The state parameter for CSRF protection. - in: query - name: state - required: false - schema: - type: string - - description: Error code if the authorization failed. - in: query - name: error - required: false - schema: - type: string - - description: Human-readable error description. - in: query - name: error_description - required: false - schema: - type: string - - description: Session state from the OAuth provider (e.g., Microsoft). - in: query - name: session_state - required: false - schema: - type: string - responses: - '200': - description: Returns an HTML callback page. - '302': - description: Redirects to the return URL with authorization result query parameters. + createAgentKeyResponse1: + $ref: >- + #/components/examples/APM_UI_agent_keys_object_post_200_response1 + schema: + $ref: '#/components/schemas/APM_UI_agent_keys_response' + description: Agent key created successfully + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response '401': - description: User is not authenticated. - summary: Handle OAuth callback - tags: - - connectors - x-state: '' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/actions/connector/_oauth_callback_script: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/actions/connector/_oauth_callback_script
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Returns the OAuth callback script - operationId: get-actions-connector-oauth-callback-script - parameters: [] - responses: - '200': - description: Returns the OAuth callback script - summary: '' - tags: [] - x-state: '' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/actions/connector/{id}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/actions/connector/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - WARNING: When you delete a connector, it cannot be recovered. - operationId: delete-actions-connector-id - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: An identifier for the connector. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '403': - description: Indicates that this call is forbidden. - summary: Delete a connector - tags: - - connectors - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - operationId: get-actions-connector-id - parameters: - - description: An identifier for the connector. - in: path - name: id - required: true - schema: - type: string - responses: - '200': content: application/json: schema: - additionalProperties: false - type: object - properties: - auth_mode: - description: The authentication mode used for the connector. - enum: - - shared - - per-user - type: string - config: - additionalProperties: - nullable: true - type: object - connector_type_id: - description: The connector type identifier. - type: string - id: - description: The identifier for the connector. - type: string - is_connector_type_deprecated: - description: Indicates whether the connector type is deprecated. - type: boolean - is_deprecated: - description: Indicates whether the connector is deprecated. - type: boolean - is_missing_secrets: - description: Indicates whether the connector is missing secrets. - type: boolean - is_preconfigured: - description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' - type: boolean - is_system_action: - description: Indicates whether the connector is used for system actions. 
- type: boolean - name: - description: ' The name of the connector.' - type: string - required: - - id - - name - - connector_type_id - - is_preconfigured - - is_deprecated - - is_system_action - - is_connector_type_deprecated - examples: - getConnectorResponse: - $ref: '#/components/examples/get_connector_response' - description: Indicates a successful call. + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response '403': - description: Indicates that this call is forbidden. - summary: Get connector information + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + summary: Create an APM agent key tags: - - connectors - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/actions/connector/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + - APM agent keys + /api/apm/fleet/apm_server_schema: post: - operationId: post-actions-connector-id + deprecated: true + description: > + DEPRECATED: This endpoint is intended for internal use by Fleet + integrations to push the APM Server configuration schema. Do not use for + new integrations. It stores the provided schema object as a Kibana saved + object. If Fleet migration is not available on the current deployment, + the API returns a 404. + operationId: saveApmServerSchema parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: An identifier for the connector. - in: path - name: id - required: true - schema: - maxLength: 36 - minLength: 1 - type: string + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: application/json: schema: - additionalProperties: false type: object properties: - connector_type_id: - description: The type of connector. - type: string - name: - description: The display name for the connector. - type: string - config: - additionalProperties: {} - default: {} - description: The connector configuration details. 
- oneOf: - - $ref: '#/components/schemas/bedrock_config' - - $ref: '#/components/schemas/crowdstrike_config' - - $ref: '#/components/schemas/d3security_config' - - $ref: '#/components/schemas/email_config' - - $ref: '#/components/schemas/gemini_config' - - $ref: '#/components/schemas/resilient_config' - - $ref: '#/components/schemas/index_config' - - $ref: '#/components/schemas/jira_config' - - $ref: '#/components/schemas/genai_azure_config' - - $ref: '#/components/schemas/genai_openai_config' - - $ref: '#/components/schemas/genai_openai_other_config' - - $ref: '#/components/schemas/opsgenie_config' - - $ref: '#/components/schemas/pagerduty_config' - - $ref: '#/components/schemas/sentinelone_config' - - $ref: '#/components/schemas/servicenow_config' - - $ref: '#/components/schemas/servicenow_itom_config' - - $ref: '#/components/schemas/slack_api_config' - - $ref: '#/components/schemas/swimlane_config' - - $ref: '#/components/schemas/thehive_config' - - $ref: '#/components/schemas/tines_config' - - $ref: '#/components/schemas/torq_config' - - $ref: '#/components/schemas/webhook_config' - - $ref: '#/components/schemas/cases_webhook_config' - - $ref: '#/components/schemas/xmatters_config' - secrets: - additionalProperties: {} - default: {} - oneOf: - - $ref: '#/components/schemas/bedrock_secrets' - - $ref: '#/components/schemas/crowdstrike_secrets' - - $ref: '#/components/schemas/d3security_secrets' - - $ref: '#/components/schemas/email_secrets' - - $ref: '#/components/schemas/gemini_secrets' - - $ref: '#/components/schemas/resilient_secrets' - - $ref: '#/components/schemas/jira_secrets' - - $ref: '#/components/schemas/defender_secrets' - - $ref: '#/components/schemas/teams_secrets' - - $ref: '#/components/schemas/genai_secrets' - - $ref: '#/components/schemas/opsgenie_secrets' - - $ref: '#/components/schemas/pagerduty_secrets' - - $ref: '#/components/schemas/sentinelone_secrets' - - $ref: '#/components/schemas/servicenow_secrets' - - $ref: 
'#/components/schemas/slack_api_secrets' - - $ref: '#/components/schemas/swimlane_secrets' - - $ref: '#/components/schemas/thehive_secrets' - - $ref: '#/components/schemas/tines_secrets' - - $ref: '#/components/schemas/torq_secrets' - - $ref: '#/components/schemas/webhook_secrets' - - $ref: '#/components/schemas/cases_webhook_secrets' - - $ref: '#/components/schemas/xmatters_secrets' - required: - - name - - connector_type_id - examples: - createEmailConnectorRequest: - $ref: '#/components/examples/create_email_connector_request' - createIndexConnectorRequest: - $ref: '#/components/examples/create_index_connector_request' - createWebhookConnectorRequest: - $ref: '#/components/examples/create_webhook_connector_request' - createXmattersConnectorRequest: - $ref: '#/components/examples/create_xmatters_connector_request' + schema: + additionalProperties: true + description: Schema object + example: + foo: bar + type: object + required: true responses: '200': content: application/json: + examples: + saveApmServerSchemaResponseExample1: + $ref: >- + #/components/examples/APM_UI_fleet_apm_server_schema_200_response1 schema: additionalProperties: false + description: The response body is intentionally empty for this endpoint. type: object - properties: - auth_mode: - description: The authentication mode used for the connector. - enum: - - shared - - per-user - type: string - config: - additionalProperties: - nullable: true - type: object - connector_type_id: - description: The connector type identifier. - type: string - id: - description: The identifier for the connector. - type: string - is_connector_type_deprecated: - description: Indicates whether the connector type is deprecated. - type: boolean - is_deprecated: - description: Indicates whether the connector is deprecated. - type: boolean - is_missing_secrets: - description: Indicates whether the connector is missing secrets. 
- type: boolean - is_preconfigured: - description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' - type: boolean - is_system_action: - description: Indicates whether the connector is used for system actions. - type: boolean - name: - description: ' The name of the connector.' - type: string - required: - - id - - name - - connector_type_id - - is_preconfigured - - is_deprecated - - is_system_action - - is_connector_type_deprecated - examples: - createEmailConnectorResponse: - $ref: '#/components/examples/create_email_connector_response' - createIndexConnectorResponse: - $ref: '#/components/examples/create_index_connector_response' - createWebhookConnectorResponse: - $ref: '#/components/examples/create_webhook_connector_response' - createXmattersConnectorResponse: - $ref: '#/components/examples/get_connector_response' - description: Indicates a successful call. + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response '403': - description: Indicates that this call is forbidden. - summary: Create a connector + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Save APM server schema tags: - - connectors - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/actions/connector/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - put: - operationId: put-actions-connector-id + - APM server schema + /api/apm/services/{serviceName}/annotation: + post: + description: Create a new annotation for a specific service. + operationId: createAnnotation parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: An identifier for the connector. + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: The name of the service in: path - name: id + name: serviceName required: true schema: type: string requestBody: content: application/json: - schema: - additionalProperties: false - type: object - properties: - name: - description: The display name for the connector. - type: string - config: - additionalProperties: {} - default: {} - description: The connector configuration details. 
- oneOf: - - $ref: '#/components/schemas/bedrock_config' - - $ref: '#/components/schemas/crowdstrike_config' - - $ref: '#/components/schemas/d3security_config' - - $ref: '#/components/schemas/email_config' - - $ref: '#/components/schemas/gemini_config' - - $ref: '#/components/schemas/resilient_config' - - $ref: '#/components/schemas/index_config' - - $ref: '#/components/schemas/jira_config' - - $ref: '#/components/schemas/defender_config' - - $ref: '#/components/schemas/genai_azure_config' - - $ref: '#/components/schemas/genai_openai_config' - - $ref: '#/components/schemas/opsgenie_config' - - $ref: '#/components/schemas/pagerduty_config' - - $ref: '#/components/schemas/sentinelone_config' - - $ref: '#/components/schemas/servicenow_config' - - $ref: '#/components/schemas/servicenow_itom_config' - - $ref: '#/components/schemas/slack_api_config' - - $ref: '#/components/schemas/swimlane_config' - - $ref: '#/components/schemas/thehive_config' - - $ref: '#/components/schemas/tines_config' - - $ref: '#/components/schemas/torq_config' - - $ref: '#/components/schemas/webhook_config' - - $ref: '#/components/schemas/cases_webhook_config' - - $ref: '#/components/schemas/xmatters_config' - secrets: - additionalProperties: {} - default: {} - oneOf: - - $ref: '#/components/schemas/bedrock_secrets' - - $ref: '#/components/schemas/crowdstrike_secrets' - - $ref: '#/components/schemas/d3security_secrets' - - $ref: '#/components/schemas/email_secrets' - - $ref: '#/components/schemas/gemini_secrets' - - $ref: '#/components/schemas/resilient_secrets' - - $ref: '#/components/schemas/jira_secrets' - - $ref: '#/components/schemas/teams_secrets' - - $ref: '#/components/schemas/genai_secrets' - - $ref: '#/components/schemas/opsgenie_secrets' - - $ref: '#/components/schemas/pagerduty_secrets' - - $ref: '#/components/schemas/sentinelone_secrets' - - $ref: '#/components/schemas/servicenow_secrets' - - $ref: '#/components/schemas/slack_api_secrets' - - $ref: 
'#/components/schemas/swimlane_secrets' - - $ref: '#/components/schemas/thehive_secrets' - - $ref: '#/components/schemas/tines_secrets' - - $ref: '#/components/schemas/torq_secrets' - - $ref: '#/components/schemas/webhook_secrets' - - $ref: '#/components/schemas/cases_webhook_secrets' - - $ref: '#/components/schemas/xmatters_secrets' - required: - - name examples: - updateIndexConnectorRequest: - $ref: '#/components/examples/update_index_connector_request' + createAnnotationRequest1: + $ref: '#/components/examples/APM_UI_annotation_object_post_request1' + schema: + $ref: '#/components/schemas/APM_UI_create_annotation_object' + required: true responses: '200': content: application/json: + examples: + createAnnotationResponse1: + $ref: >- + #/components/examples/APM_UI_annotation_object_post_200_response1 schema: - additionalProperties: false - type: object - properties: - auth_mode: - description: The authentication mode used for the connector. - enum: - - shared - - per-user - type: string - config: - additionalProperties: - nullable: true - type: object - connector_type_id: - description: The connector type identifier. - type: string - id: - description: The identifier for the connector. - type: string - is_connector_type_deprecated: - description: Indicates whether the connector type is deprecated. - type: boolean - is_deprecated: - description: Indicates whether the connector is deprecated. - type: boolean - is_missing_secrets: - description: Indicates whether the connector is missing secrets. - type: boolean - is_preconfigured: - description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' - type: boolean - is_system_action: - description: Indicates whether the connector is used for system actions. - type: boolean - name: - description: ' The name of the connector.' 
- type: string - required: - - id - - name - - connector_type_id - - is_preconfigured - - is_deprecated - - is_system_action - - is_connector_type_deprecated - description: Indicates a successful call. + $ref: '#/components/schemas/APM_UI_create_annotation_response' + description: Annotation created successfully + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response '403': - description: Indicates that this call is forbidden. - summary: Update a connector + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Create a service annotation tags: - - connectors - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/actions/connector/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/actions/connector/{id}/_execute: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/actions/connector/{id}/_execute
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems. - operationId: post-actions-connector-id-execute + - APM annotations + x-codeSamples: + - lang: Curl + source: | + curl -X POST \ + http://localhost:5601/api/apm/services/opbeans-java/annotation \ + -H 'Content-Type: application/json' \ + -H 'kbn-xsrf: true' \ + -H 'Authorization: Basic YhUlubWZhM0FDbnlQeE6WRtaW49FQmSGZ4RUWXdX' \ + -d '{ + "@timestamp": "2020-05-08T10:31:30.452Z", + "service": { + "version": "1.2" + }, + "message": "Deployment 1.2" + }' + /api/apm/services/{serviceName}/annotation/search: + get: + description: Search for annotations related to a specific service. + operationId: getAnnotation parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: The name of the service + in: path + name: serviceName required: true schema: - example: 'true' type: string - - description: An identifier for the connector. 
- in: path - name: id - required: true + - description: The environment to filter annotations by + in: query + name: environment + required: false schema: type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - params: - additionalProperties: {} - oneOf: - - $ref: '#/components/schemas/run_acknowledge_resolve_pagerduty' - - $ref: '#/components/schemas/run_documents' - - $ref: '#/components/schemas/run_message_email' - - $ref: '#/components/schemas/run_message_serverlog' - - $ref: '#/components/schemas/run_message_slack' - - $ref: '#/components/schemas/run_trigger_pagerduty' - - $ref: '#/components/schemas/run_addevent' - - $ref: '#/components/schemas/run_closealert' - - $ref: '#/components/schemas/run_closeincident' - - $ref: '#/components/schemas/run_createalert' - - $ref: '#/components/schemas/run_fieldsbyissuetype' - - $ref: '#/components/schemas/run_getagentdetails' - - $ref: '#/components/schemas/run_getagents' - - $ref: '#/components/schemas/run_getchoices' - - $ref: '#/components/schemas/run_getfields' - - $ref: '#/components/schemas/run_getincident' - - $ref: '#/components/schemas/run_issue' - - $ref: '#/components/schemas/run_issues' - - $ref: '#/components/schemas/run_issuetypes' - - $ref: '#/components/schemas/run_postmessage' - - $ref: '#/components/schemas/run_pushtoservice' - - $ref: '#/components/schemas/run_validchannelid' - required: - - params - examples: - runIndexConnectorRequest: - $ref: '#/components/examples/run_index_connector_request' - runJiraConnectorRequest: - $ref: '#/components/examples/run_jira_connector_request' - runServerLogConnectorRequest: - $ref: '#/components/examples/run_servicenow_itom_connector_request' - runSlackConnectorRequest: - $ref: '#/components/examples/run_slack_api_connector_request' - runSwimlaneConnectorRequest: - $ref: '#/components/examples/run_swimlane_connector_request' + - description: The start date for the search + example: 
'2024-01-01T00:00:00.000Z' + in: query + name: start + required: false + schema: + format: date-time + type: string + - description: The end date for the search + example: '2024-01-31T23:59:59.999Z' + in: query + name: end + required: false + schema: + format: date-time + type: string responses: '200': content: application/json: schema: - additionalProperties: false - type: object - properties: - auth_mode: - description: The authentication mode used for the connector. - enum: - - shared - - per-user - type: string - config: - additionalProperties: - nullable: true - type: object - connector_type_id: - description: The connector type identifier. - type: string - id: - description: The identifier for the connector. - type: string - is_connector_type_deprecated: - description: Indicates whether the connector type is deprecated. - type: boolean - is_deprecated: - description: Indicates whether the connector is deprecated. - type: boolean - is_missing_secrets: - description: Indicates whether the connector is missing secrets. - type: boolean - is_preconfigured: - description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' - type: boolean - is_system_action: - description: Indicates whether the connector is used for system actions. - type: boolean - name: - description: ' The name of the connector.' 
- type: string - required: - - id - - name - - connector_type_id - - is_preconfigured - - is_deprecated - - is_system_action - - is_connector_type_deprecated + $ref: '#/components/schemas/APM_UI_annotation_search_response' + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + summary: Search for annotations + tags: + - APM annotations + /api/apm/settings/agent-configuration: + delete: + description: > + Delete an existing agent configuration. You must have `all` privileges + for the APM and User Experience feature in Kibana. When successful, the + configuration is removed and, if Fleet is enabled, APM package policies + are synchronized accordingly. 
+ operationId: deleteAgentConfiguration + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + application/json: + examples: + deleteAgentConfigurationRequest1: + $ref: >- + #/components/examples/APM_UI_agent_configuration_intake_object_delete_request1 + schema: + $ref: '#/components/schemas/APM_UI_delete_service_object' + required: true + responses: + '200': + content: + application/json: examples: - runIndexConnectorResponse: - $ref: '#/components/examples/run_index_connector_response' - runJiraConnectorResponse: - $ref: '#/components/examples/run_jira_connector_response' - runServerLogConnectorResponse: - $ref: '#/components/examples/run_server_log_connector_response' - runServiceNowITOMConnectorResponse: - $ref: '#/components/examples/run_servicenow_itom_connector_response' - runSlackConnectorResponse: - $ref: '#/components/examples/run_slack_api_connector_response' - runSwimlaneConnectorResponse: - $ref: '#/components/examples/run_swimlane_connector_response' - description: Indicates a successful call. + deleteAgentConfigurationResponseExample1: + $ref: >- + #/components/examples/APM_UI_agent_configuration_intake_object_delete_200_response1 + schema: + $ref: >- + #/components/schemas/APM_UI_delete_agent_configurations_response + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response '403': - description: Indicates that this call is forbidden. 
- summary: Run a connector + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Delete agent configuration tags: - - connectors - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/actions/connectors: + - APM agent configuration get: - operationId: get-actions-connectors - parameters: [] + description: > + Retrieve all agent configurations. You must have `read` privileges for + the APM and User Experience feature in Kibana. If agent configuration is + not available on the current deployment, the API returns a 404. + operationId: getAgentConfigurations + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' responses: '200': content: application/json: - schema: - items: - additionalProperties: false - type: object - properties: - auth_mode: - description: The authentication mode used for the connector. - enum: - - shared - - per-user - type: string - config: - additionalProperties: - nullable: true - type: object - connector_type_id: - description: The connector type identifier. - type: string - id: - description: The identifier for the connector. - type: string - is_connector_type_deprecated: - description: Indicates whether the connector type is deprecated. - type: boolean - is_deprecated: - description: Indicates whether the connector is deprecated. - type: boolean - is_missing_secrets: - description: Indicates whether the connector is missing secrets. - type: boolean - is_preconfigured: - description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' - type: boolean - is_system_action: - description: Indicates whether the connector is used for system actions. 
- type: boolean - name: - description: ' The name of the connector.' - type: string - referenced_by_count: - description: The number of saved objects that reference the connector. If is_preconfigured is true, this value is not calculated. - type: number - required: - - id - - name - - connector_type_id - - is_preconfigured - - is_deprecated - - is_system_action - - is_connector_type_deprecated - - referenced_by_count - type: array examples: - getConnectorsResponse: - $ref: '#/components/examples/get_connectors_response' - description: Indicates a successful call. - '403': - description: Indicates that this call is forbidden. - summary: Get all connectors + getAgentConfigurationsResponseExample1: + $ref: >- + #/components/examples/APM_UI_agent_configuration_intake_object_get_200_response1 + schema: + $ref: '#/components/schemas/APM_UI_agent_configurations_response' + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get a list of agent configurations tags: - - connectors - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/actions/connectors
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/agent_builder/a2a/{agentId}: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/agent_builder/a2a/{agentId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - > warn - > This endpoint is designed for A2A protocol clients and should not be used directly via REST APIs. Use an A2A SDK or A2A Inspector instead.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: post-agent-builder-a2a-agentid + - APM agent configuration + put: + description: > + Create or update an agent configuration. You must have `all` privileges + for the APM and User Experience feature in Kibana. When updating an + existing configuration, the `?overwrite=true` query parameter is + required. If the configuration already exists and `overwrite` is not set + to `true`, the API returns a 400 error. When successful and Fleet is + enabled, APM package policies are synchronized accordingly. + operationId: createUpdateAgentConfiguration parameters: - - description: The unique identifier of the agent to send the A2A task to. - in: path - name: agentId - required: true + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: If the config exists ?overwrite=true is required + in: query + name: overwrite schema: - type: string + type: boolean requestBody: content: application/json: examples: - a2aTaskRequestExample: - description: 'WARNING: DO NOT USE THIS ENDPOINT VIA REST API. These examples are auto-generated and should not be run. Integrate with A2A using an A2A SDK or A2A Inspector instead.' - value: - id: task-123 - jsonrpc: '2.0' - method: complete - params: - messages: - - content: Hello from A2A protocol - role: user - schema: {} + createUpdateAgentConfigurationRequestExample1: + $ref: >- + #/components/examples/APM_UI_agent_configuration_intake_object_put_request1 + schema: + $ref: '#/components/schemas/APM_UI_agent_configuration_intake_object' + required: true responses: '200': content: application/json: examples: - a2aTaskResponseExample: - description: Example response from A2A Task Endpoint with results of task execution - value: - id: task-123 - jsonrpc: '2.0' - result: - conversation_id: conv-456 - response: - message: Hello! How can I help you today? 
- type: response - description: Indicates a successful response - summary: Send A2A task + createUpdateAgentConfigurationResponseExample1: + $ref: >- + #/components/examples/APM_UI_agent_configuration_intake_object_put_200_response1 + schema: + additionalProperties: false + description: The response body is intentionally empty for this endpoint. + type: object + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Create or update agent configuration tags: - - agent builder - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/agent_builder/a2a/{agentId}.json: + - APM agent configuration + /api/apm/settings/agent-configuration/agent_name: get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/agent_builder/a2a/{agentId}.json
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get agent discovery metadata in JSON format. Use this endpoint to provide agent information for A2A protocol integration and discovery.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: get-agent-builder-a2a-agentid.json + description: Retrieve `agentName` for a service. + operationId: getAgentNameForService parameters: - - description: The unique identifier of the agent to get A2A metadata for. - in: path - name: agentId + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: The name of the service + example: node + in: query + name: serviceName required: true schema: type: string 
@@ -1243,522 +519,156 @@ paths: '200': content: application/json: - examples: - a2aAgentCardResponseExample: - description: Example response card of Elastic AI Agent - value: - capabilities: - pushNotifications: false - stateTransitionHistory: false - streaming: false - defaultInputModes: - - text/plain - defaultOutputModes: - - text/plain - description: Elastic AI Agent - name: Elastic AI Agent - protocolVersion: 0.3.0 - provider: - organization: Elastic - url: https://elastic.co - securitySchemes: - authorization: - description: Authentication token - in: header - name: Authorization - type: apiKey - skills: - - description: A powerful tool for searching and analyzing data within your Elasticsearch cluster. - examples: [] - id: platform.core.search - inputModes: - - text/plain - - application/json - name: platform.core.search - outputModes: - - text/plain - - application/json - tags: - - tool - supportsAuthenticatedExtendedCard: false - url: http://localhost:5601/api/agent_builder/a2a/elastic-ai-agent - version: 0.1.0 - description: Indicates a successful response - summary: Get A2A agent card - tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/agent_builder/a2a/{agentId}.json" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/agent_builder/a2a/{agentId}.json - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/agent_builder/agents: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/agent_builder/agents
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all available agents. Use this endpoint to retrieve complete agent information including their current configuration and assigned tools. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:read. - operationId: get-agent-builder-agents - parameters: [] - responses: - '200': + schema: + $ref: '#/components/schemas/APM_UI_service_agent_name_response' + description: Successful response + '400': content: application/json: - examples: - listAgentsResponseExample: - description: Example response that returns one built-in Elastic agent and one created by the user - value: - results: - - configuration: - tools: - - tool_ids: - - platform.core.search - - platform.core.list_indices - - platform.core.get_index_mapping - - platform.core.get_document_by_id - description: Elastic AI Agent - id: elastic-ai-agent - name: Elastic AI Agent - type: chat - - avatar_color: '#BFDBFF' - avatar_symbol: SI - configuration: - instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". - tools: - - tool_ids: - - platform.core.search - - platform.core.list_indices - - platform.core.get_index_mapping - - platform.core.get_document_by_id - description: Hi! I can help you search the data within the indices starting with "content-" prefix. 
- id: created-agent-id - labels: - - custom-indices - - department-search - name: Search Index Helper - type: chat - description: Indicates a successful response - summary: List agents + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get agent name for service tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/agent_builder/agents" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/agent_builder/agents - x-state: '' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/agent_builder/agents
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new agent. Use this endpoint to define the agent's behavior, appearance, and capabilities through comprehensive configuration options. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. - operationId: post-agent-builder-agents + - APM agent configuration + /api/apm/settings/agent-configuration/environments: + get: + description: > + Retrieve the available environments for a given service, to be used in + agent configuration. You must have `read` privileges for the APM and + User Experience feature in Kibana. If `serviceName` is omitted, + environments across all services are returned. + operationId: getEnvironmentsForService parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: >- + The name of the service. If omitted, environments across all + services are returned. + example: opbeans-node + in: query + name: serviceName schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - createAgentRequestExample: - description: Example request for creating a custom agent with special prompt and tools - value: - avatar_color: '#BFDBFF' - avatar_symbol: SI - configuration: - instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". - tools: - - tool_ids: - - platform.core.search - - platform.core.list_indices - - platform.core.get_index_mapping - - platform.core.get_document_by_id - description: Hi! I can help you search the data within the indices starting with "content-" prefix. - id: created-agent-id - labels: - - custom-indices - - department-search - name: Search Index Helper - schema: - additionalProperties: false - type: object - properties: - avatar_color: - description: Optional hex color code for the agent avatar. - type: string - avatar_symbol: - description: Optional symbol/initials for the agent avatar. 
- type: string - configuration: - additionalProperties: false - description: Configuration settings for the agent. - type: object - properties: - enable_elastic_capabilities: - description: When true, enables built-in Elastic capabilities for the agent. - type: boolean - instructions: - description: Optional system instructions that define the agent behavior. - type: string - plugin_ids: - description: Array of plugin IDs to assign to the agent. - items: - description: Plugin ID to assign to the agent. - type: string - maxItems: 100 - type: array - skill_ids: - description: Array of skill IDs to be available to the agent. - items: - description: Skill ID to be available to the agent. - type: string - maxItems: 100 - type: array - tools: - items: - additionalProperties: false - description: Tool selection configuration for the agent. - type: object - properties: - tool_ids: - description: Array of tool IDs that the agent can use. - items: - description: Tool ID to be available to the agent. - type: string - type: array - required: - - tool_ids - type: array - workflow_ids: - items: - description: Optional list of workflow IDs. When set, these workflows run before every agent execution, in order. - type: string - maxItems: 100 - type: array - required: - - tools - description: - description: Description of what the agent does. - type: string - id: - description: Unique identifier for the agent. - type: string - labels: - description: Optional labels for categorizing and organizing agents. - items: - description: Label for categorizing the agent. - type: string - type: array - name: - description: Display name for the agent. - type: string - visibility: - description: '**Technical Preview; added in 9.4.0.** Optional visibility setting: `public` (any privileged user can read/write), `shared` (any privileged user can read, only owner can write), `private` (only owner can read/write).' 
- enum: - - public - - shared - - private - type: string - required: - - id - - name - - description - - configuration responses: '200': content: application/json: examples: - createAgentResponseExample: - description: Example response returning the definition of an agent created as a result of the request - value: - avatar_color: '#BFDBFF' - avatar_symbol: SI - configuration: - instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". - tools: - - tool_ids: - - platform.core.search - - platform.core.list_indices - - platform.core.get_index_mapping - - platform.core.get_document_by_id - description: Hi! I can help you search the data within the indices starting with "content-" prefix. - id: created-agent-id - labels: - - custom-indices - - department-search - name: Search Index Helper - type: chat - description: Indicates a successful response - summary: Create an agent + getEnvironmentsForServiceResponseExample1: + $ref: >- + #/components/examples/APM_UI_agent_configuration_environments_200_response1 + schema: + $ref: '#/components/schemas/APM_UI_service_environments_response' + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get environments for service tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/agent_builder/agents" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "id": "new-agent-id", - "name": "Search Index Helper", - "description": "Hi! 
I can help you search the data within the indices starting with \"content-\" prefix.", - "labels": ["custom-indices", "department-search"], - "avatar_color": "#BFDBFF", - "avatar_symbol": "SI", - "configuration": { - "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", - "tools": [ - { - "tool_ids": [ - "platform.core.search", - "platform.core.list_indices", - "platform.core.get_index_mapping", - "platform.core.get_document_by_id" - ] - } - ] - } - }' - - lang: Console - source: | - POST kbn://api/agent_builder/agents - { - "id": "new-agent-id", - "name": "Search Index Helper", - "description": "Hi! I can help you search the data within the indices starting with \"content-\" prefix.", - "labels": ["custom-indices", "department-search"], - "avatar_color": "#BFDBFF", - "avatar_symbol": "SI", - "configuration": { - "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", - "tools": [ - { - "tool_ids": [ - "platform.core.search", - "platform.core.list_indices", - "platform.core.get_index_mapping", - "platform.core.get_document_by_id" - ] - } - ] - } - } - x-state: '' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/agent_builder/agents/{agent_id}/consumption: + - APM agent configuration + /api/apm/settings/agent-configuration/search: post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/agent_builder/agents/{agent_id}/consumption
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Returns paginated, per-conversation token consumption data for a given agent. Includes input/output token counts, round counts, LLM call counts, and warnings for conversations with high token usage. Requires the manageAgents privilege.

[Required authorization] Route required privileges: agentBuilder:manageAgents. - operationId: post-agent-builder-agents-agent-id-consumption + deprecated: true + description: > + DEPRECATED: This endpoint is intended for internal use by APM agents to + fetch their configuration and mark it as applied. Do not use for new + integrations. It searches for a single agent configuration matching the + given service, and optionally updates the `applied_by_agent` field when + the provided `etag` matches the current configuration. + operationId: searchSingleConfiguration parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the agent. - in: path - name: agent_id - required: true - schema: - type: string + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: application/json: examples: - consumptionDefaultExample: - description: Get consumption data for an agent with default pagination - value: - size: 25 - sort_field: updated_at - sort_order: desc - consumptionFilteredExample: - description: Get consumption data filtered by username with warnings - value: - has_warnings: true - size: 10 - sort_field: total_tokens - sort_order: desc - usernames: - - elastic - - admin + searchSingleConfigurationRequest1: + $ref: >- + #/components/examples/APM_UI_agent_configuration_intake_object_search_request1 schema: - additionalProperties: false - type: object - properties: - has_warnings: - description: Filter to conversations with or without high-token warnings. - type: boolean - search: - description: Free-text search filter on conversation title. - type: string - search_after: - description: Cursor for pagination. Pass the search_after value from the previous response. 
- items: - nullable: true - maxItems: 10000 - type: array - size: - default: 25 - description: Number of results per page. - maximum: 100 - minimum: 1 - type: number - sort_field: - default: updated_at - description: Field to sort results by. - enum: - - updated_at - - total_tokens - - round_count - type: string - sort_order: - default: desc - description: Sort direction. - enum: - - asc - - desc - type: string - usernames: - description: Filter results to conversations by these usernames. - items: - type: string - maxItems: 10000 - type: array + $ref: '#/components/schemas/APM_UI_search_agent_configuration_object' + required: true responses: '200': content: application/json: examples: - consumptionResponseExample: - description: Example response with per-conversation token usage data - value: - aggregations: - total_with_warnings: 0 - usernames: - - elastic - - admin - results: - - conversation_id: conv-abc123 - created_at: '2025-03-01T10:00:00Z' - llm_calls: 8 - round_count: 5 - title: Help me search my data - token_usage: - input_tokens: 15000 - output_tokens: 3000 - total_tokens: 18000 - updated_at: '2025-03-01T10:15:00Z' - user: - id: uid-1 - username: elastic - warnings: [] - - conversation_id: conv-def456 - created_at: '2025-03-02T14:00:00Z' - llm_calls: 20 - round_count: 12 - title: Analyze server logs - token_usage: - input_tokens: 250000 - output_tokens: 8000 - total_tokens: 258000 - updated_at: '2025-03-02T14:30:00Z' - user: - id: uid-2 - username: admin - warnings: - - input_tokens: 250000 - round_id: round-7 - type: high_input_tokens - search_after: - - 1709391000000 - - '2025-03-02T14:30:00Z' - total: 2 - description: Indicates a successful response - summary: Get agent consumption data + searchSingleConfigurationResponse1: + $ref: >- + #/components/examples/APM_UI_agent_configuration_intake_object_search_200_response1 + schema: + $ref: >- + #/components/schemas/APM_UI_search_agent_configuration_response + description: Successful response + '400': + 
content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Lookup single agent configuration tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/agent_builder/agents/elastic-ai-agent/consumption" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "Content-Type: application/json" \ - -H "elastic-api-version: 2023-10-31" \ - -d '{"size": 25, "sort_field": "updated_at", "sort_order": "desc"}' - - lang: Console - source: | - POST kbn://api/agent_builder/agents/elastic-ai-agent/consumption - {"size": 25, "sort_field": "updated_at", "sort_order": "desc"} - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/agent_builder/agents/{id}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/agent_builder/agents/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete an agent by ID. This action cannot be undone. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. - operationId: delete-agent-builder-agents-id + - APM agent configuration + /api/apm/settings/agent-configuration/view: + get: + description: > + Retrieve a single agent configuration matching the given service name + and environment. You must have `read` privileges for the APM and User + Experience feature in Kibana. If no matching configuration is found, the + API returns a 404. + operationId: getSingleAgentConfiguration parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: Service name + example: node + in: query + name: name schema: - example: 'true' type: string - - description: The unique identifier of the agent to delete. - in: path - name: id - required: true + - description: Service environment + example: prod + in: query + name: environment schema: type: string responses: 
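Review bot: The new description for `POST /api/apm/settings/agent-configuration/search` says the call may update `applied_by_agent` when the supplied `etag` matches, yet unlike the neighbouring `/environments` and `/view` descriptions in this hunk it names no required Kibana privilege, and its response list stops at 400/401/404 with no 403, so a reader cannot tell what credentials an APM agent needs or what an under-privileged caller gets back. Since this is the endpoint agents hit with their own credentials to mutate state, I would add a sentence such as `You must have read privileges for the APM and User Experience feature in Kibana; requests without them return a 403.` (confirm the exact privilege against the route registration, which is not visible here) plus a `'403'` response referencing `#/components/schemas/APM_UI_403_response`, matching the PUT on the intake object earlier in this file. The same missing 403 applies to `GET /api/apm/settings/agent-configuration/view`, whose description does state `read` privileges. This file appears to be a generated bundle, so the change belongs in the source schema it is bundled from rather than in the output directly.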
@@ -1766,408 +676,191 @@ paths: content: application/json: examples: - deleteAgentResponseExample: - description: Example response showing that deletion of the agent has been successful - value: - success: true - description: Indicates a successful response - summary: Delete an agent + getSingleAgentConfigurationResponseExample1: + $ref: >- + #/components/examples/APM_UI_agent_configuration_intake_object_view_200_response1 + schema: + $ref: >- + #/components/schemas/APM_UI_single_agent_configuration_response + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get single agent configuration tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X DELETE "${KIBANA_URL}/api/agent_builder/agents/{id}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - lang: Console - source: | - DELETE kbn://api/agent_builder/agents/{id} - x-state: '' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name + - APM agent configuration + /api/apm/sourcemaps: get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/agent_builder/agents/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a specific agent by ID. Use this endpoint to retrieve the complete agent definition including all configuration details and tool assignments. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:read. - operationId: get-agent-builder-agents-id + description: > + Get an array of Fleet artifacts, including source map uploads. You must + have `read` or `all` Kibana privileges for the APM and User Experience + feature. + operationId: getSourceMaps parameters: - - description: The unique identifier of the agent to retrieve. - in: path - name: id - required: true + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: Page number + in: query + name: page schema: - type: string + type: number + - description: Number of records per page + in: query + name: perPage + schema: + type: number responses: '200': content: application/json: examples: - getAgentByIdResponseExample: - description: Example response that an agent created by the user that will query elasticsearch indices starting with 'content-' prefix to answer the questions. - value: - avatar_color: '#BFDBFF' - avatar_symbol: SI - configuration: - instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". - tools: - - tool_ids: - - platform.core.search - - platform.core.list_indices - - platform.core.get_index_mapping - - platform.core.get_document_by_id - description: Hi! I can help you search the data within the indices starting with "content-" prefix. - id: created-agent-id - labels: - - custom-indices - - department-search - name: Search Index Helper - type: chat - description: Indicates a successful response - summary: Get an agent by ID - tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/agent_builder/agents/{id}" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/agent_builder/agents/{id} - x-state: '' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/agent_builder/agents/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an existing agent configuration. Use this endpoint to modify any aspect of the agent's behavior, appearance, or capabilities. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. - operationId: put-agent-builder-agents-id - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the agent to update. - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - createAgentRequestExample: - description: Example request for updating custom agent - value: - avatar_color: '#BFDBFF' - avatar_symbol: SI - configuration: - instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". - tools: - - tool_ids: - - platform.core.search - - platform.core.list_indices - - platform.core.get_index_mapping - - platform.core.get_document_by_id - description: Updated description - Search for anything in "content-*" indices! - id: created-agent-id - labels: - - custom-indices - - department-search - - elastic-employees - name: Search Index Helper - schema: - additionalProperties: false - type: object - properties: - avatar_color: - description: Updated hex color code for the agent avatar. - type: string - avatar_symbol: - description: Updated symbol/initials for the agent avatar. - type: string - configuration: - additionalProperties: false - description: Updated configuration settings for the agent. - type: object - properties: - enable_elastic_capabilities: - description: When true, enables built-in Elastic capabilities for the agent. - type: boolean - instructions: - description: Updated system instructions that define the agent behavior. - type: string - plugin_ids: - description: Array of plugin IDs to assign to the agent. - items: - description: Plugin ID to assign to the agent. - type: string - maxItems: 100 - type: array - skill_ids: - description: Array of skill IDs to be available to the agent. 
- items: - description: Skill ID to be available to the agent. - type: string - maxItems: 100 - type: array - tools: - items: - additionalProperties: false - description: Tool selection configuration for the agent. - type: object - properties: - tool_ids: - description: Array of tool IDs that the agent can use. - items: - description: Tool ID to be available to the agent. - type: string - type: array - required: - - tool_ids - type: array - workflow_ids: - items: - description: Updated list of workflow IDs. When set, these workflows run every agent execution, in order. - type: string - maxItems: 100 - type: array - description: - description: Updated description of what the agent does. - type: string - labels: - description: Updated labels for categorizing and organizing agents. - items: - description: Updated label for categorizing the agent. - type: string - type: array - name: - description: Updated display name for the agent. - type: string - visibility: - description: '**Technical Preview; added in 9.4.0.** Updated visibility setting: `public` (any privileged user can read/write), `shared` (any privileged user can read, only owner can write), `private` (only owner can read/write).' - enum: - - public - - shared - - private - type: string - responses: - '200': + getSourceMapsResponse1: + $ref: '#/components/examples/APM_UI_source_maps_get_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_source_maps_response' + description: Successful response + '400': content: application/json: - examples: - updateAgentResponseExample: - description: Example response returning the agent definition with the changes applied from the request - value: - avatar_color: '#BFDBFF' - avatar_symbol: SI - configuration: - instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". 
- tools: - - tool_ids: - - platform.core.search - - platform.core.list_indices - - platform.core.get_index_mapping - - platform.core.get_document_by_id - description: Updated description - Search for anything in "content-*" indices! - id: created-agent-id - labels: - - custom-indices - - department-search - - elastic-employees - name: Search Index Helper - type: chat - description: Indicates a successful response - summary: Update an agent + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + '501': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_501_response' + description: Not Implemented response + summary: Get source maps tags: - - agent builder + - APM sourcemaps x-codeSamples: - - lang: curl - source: | - curl \ - -X PUT "${KIBANA_URL}/api/agent_builder/agents/{id}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "name": "Search Index Helper", - "description": "Updated description - Search for anything in \"content-*\" indices!", - "labels": ["custom-indices", "department-search", "elastic-employees"], - "avatar_color": "#BFDBFF", - "avatar_symbol": "SI", - "configuration": { - "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", - "tools": [{ - "tool_ids": [ - "platform.core.search", - "platform.core.list_indices", - "platform.core.get_index_mapping", - "platform.core.get_document_by_id" - ] - }] - } - }' - - lang: Console + - lang: Curl source: | - PUT kbn://api/agent_builder/agents/{id} - { - "name": "Search Index Helper", - "description": "Updated description 
- Search for anything in \"content-*\" indices!", - "labels": ["custom-indices", "department-search", "elastic-employees"], - "avatar_color": "#BFDBFF", - "avatar_symbol": "SI", - "configuration": { - "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", - "tools": [{ - "tool_ids": [ - "platform.core.search", - "platform.core.list_indices", - "platform.core.get_index_mapping", - "platform.core.get_document_by_id" - ] - }] - } - } - x-state: '' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/agent_builder/conversations: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/agent_builder/conversations
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all conversations for a user. Use the optional agent ID to filter conversations by a specific agent.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: get-agent-builder-conversations + curl -X GET "http://localhost:5601/api/apm/sourcemaps" \ + -H 'Content-Type: application/json' \ + -H 'kbn-xsrf: true' \ + -H 'Authorization: ApiKey ${YOUR_API_KEY}' + post: + description: > + Upload a source map for a specific service and version. You must have + `all` Kibana privileges for the APM and User Experience feature. + + The maximum payload size is `1mb`. If you attempt to upload a source map + that exceeds the maximum payload size, you will get a 413 error. Before + uploading source maps that exceed this default, change the maximum + payload size allowed by Kibana with the `server.maxPayload` variable. + operationId: uploadSourceMap parameters: - - description: Optional agent ID to filter conversations by a specific agent. - in: query - name: agent_id - required: false - schema: - type: string + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + multipart/form-data: + schema: + $ref: '#/components/schemas/APM_UI_upload_source_map_object' + required: true responses: '200': content: application/json: examples: - listConversationsResponseExample: - description: Example response containing the list of conversations with all agents - value: - results: - - agent_id: elastic-ai-agent - created_at: '2025-09-19T17:45:39.554Z' - id: bcc176c5-38f6-40be-be0c-898e34fa1480 - title: General Greeting - updated_at: '2025-09-19T17:45:39.554Z' - user: - username: elastic - description: Indicates a successful response - summary: List conversations + uploadSourceMapResponse1: + $ref: >- + #/components/examples/APM_UI_source_maps_upload_200_response1 + schema: + $ref: '#/components/schemas/APM_UI_upload_source_maps_response' + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + 
description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + '501': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_501_response' + description: Not Implemented response + summary: Upload a source map tags: - - agent builder + - APM sourcemaps x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/agent_builder/conversations" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/agent_builder/conversations - x-state: '' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/agent_builder/conversations/{conversation_id}: - delete: - description: |- - **Spaces method and path for this operation:** + - lang: Curl + source: > + curl -X POST "http://localhost:5601/api/apm/sourcemaps" \ -
delete /s/{space_id}/api/agent_builder/conversations/{conversation_id}
+ -H 'Content-Type: multipart/form-data' \ - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + -H 'kbn-xsrf: true' \ - Delete a conversation by ID. This action cannot be undone.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: delete-agent-builder-conversations-conversation-id - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the conversation to delete. - in: path - name: conversation_id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - deleteConversationResponseExample: - description: Example response showing that deletion of conversation has been successful - value: - success: true - description: Indicates a successful response - summary: Delete conversation by ID - tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X DELETE "${KIBANA_URL}/api/agent_builder/conversations/{conversation_id}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - lang: Console - source: | - DELETE kbn://api/agent_builder/conversations/{conversation_id} - x-state: '' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** + -H 'Authorization: ApiKey ${YOUR_API_KEY}' \ + + -F 'service_name="foo"' \ -
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}
+ -F 'service_version="1.0.0"' \ - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + -F 'bundle_filepath="/test/e2e/general-usecase/bundle.js"' \ - Get a specific conversation by ID. Use this endpoint to retrieve the complete conversation history including all messages and metadata.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: get-agent-builder-conversations-conversation-id + -F + 'sourcemap="{\"version\":3,\"file\":\"static/js/main.chunk.js\",\"sources\":[\"fleet-source-map-client/src/index.css\",\"fleet-source-map-client/src/App.js\",\"webpack:///./src/index.css?bb0a\",\"fleet-source-map-client/src/index.js\",\"fleet-source-map-client/src/reportWebVitals.js\"],\"sourcesContent\":[\"content\"],\"mappings\":\"mapping\",\"sourceRoot\":\"\"}"' + /api/apm/sourcemaps/{id}: + delete: + description: > + Delete a previously uploaded source map. You must have `all` Kibana + privileges for the APM and User Experience feature. + operationId: deleteSourceMap parameters: - - description: The unique identifier of the conversation to retrieve. + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: Source map identifier in: path - name: conversation_id + name: id required: true schema: type: string 
@@ -2176,96172 +869,25351 @@ paths: content: application/json: examples: - getConversationByIdResponseExample: - description: Example response containing the contents of a convesation with the chat agent - value: - agent_id: elastic-ai-agent - created_at: '2025-09-19T17:45:39.554Z' - id: bcc176c5-38f6-40be-be0c-898e34fa1480 - rounds: - - id: 170ec3b2-0f5a-4538-8b60-549572386d2a - input: - message: Hello, how are you? - response: - message: |- - Since this is a general greeting that doesn't require any organizational or product-specific information, I can respond without using tools. - - Hello! I'm doing well, thank you for asking. I'm here to help you with any questions you may have. How can I assist you today? - steps: [] - title: General Greeting - updated_at: '2025-09-19T17:45:39.554Z' - user: - username: elastic - description: Indicates a successful response - summary: Get conversation by ID + deleteSourceMapResponseExample1: + $ref: >- + #/components/examples/APM_UI_source_maps_delete_200_response1 + schema: + additionalProperties: false + description: The response body is intentionally empty for this endpoint. 
+ type: object + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + '501': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_501_response' + description: Not Implemented response + summary: Delete source map tags: - - agent builder + - APM sourcemaps x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/agent_builder/conversations/{conversation_id}" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/agent_builder/conversations/{conversation_id} - x-state: '' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/agent_builder/conversations/{conversation_id}/attachments: - get: - description: |- - **Spaces method and path for this operation:** + - lang: Curl + source: > + curl -X DELETE + "http://localhost:5601/api/apm/sourcemaps/apm:foo-1.0.0-644fd5a9" \ -
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments
+ -H 'Content-Type: application/json' \ - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + -H 'kbn-xsrf: true' \ - List all attachments for a conversation. Use the optional include_deleted query parameter to include soft-deleted attachments.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: get-agent-builder-conversations-conversation-id-attachments + -H 'Authorization: ApiKey ${YOUR_API_KEY}' + /api/asset_criticality: + delete: + description: Delete the asset criticality record for a specific entity. + operationId: DeleteAssetCriticalityRecord parameters: - - description: The unique identifier of the conversation. - in: path - name: conversation_id + - description: The ID value of the asset. + example: my_host + in: query + name: id_value required: true schema: type: string - - description: Whether to include deleted attachments in the list. + - description: The field representing the ID. + example: host.name in: query - name: include_deleted - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - listAttachmentsResponseExample: - description: Example response containing active attachments for a conversation - value: - results: - - active: true - current_version: 2 - description: My text file - id: attachment-1 - type: text - versions: - - content_hash: abc123 - created_at: '2025-01-01T10:00:00.000Z' - data: Initial content - estimated_tokens: 3 - version: 1 - - content_hash: def456 - created_at: '2025-01-01T11:00:00.000Z' - data: Updated content - estimated_tokens: 3 - version: 2 - - active: true - current_version: 1 - description: Configuration data - id: attachment-2 - type: json - versions: - - content_hash: ghi789 - created_at: '2025-01-01T12:00:00.000Z' - data: - key: value - nested: - field: 123 - estimated_tokens: 15 - version: 1 - total_token_estimate: 21 - description: Indicates a successful response - summary: List conversation attachments - tags: - - agent builder - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new attachment for a conversation with version tracking.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: post-agent-builder-conversations-conversation-id-attachments - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + name: id_field required: true schema: - example: 'true' - type: string - - description: The unique identifier of the conversation. - in: path - name: conversation_id - required: true + $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' + - description: If 'wait_for' the request will wait for the index refresh. + in: query + name: refresh + required: false schema: + enum: + - wait_for type: string - requestBody: - content: - application/json: - examples: - createHiddenAttachmentExample: - description: Example request for creating a hidden attachment - value: - data: Internal system data - description: System context - hidden: true - type: text - createJsonAttachmentExample: - description: Example request for creating a JSON attachment with custom ID - value: - data: - configuration: - enabled: true - threshold: 50 - metadata: - source: user_input - description: Application settings - id: custom-attachment-id - type: json - createTextAttachmentExample: - description: Example request for creating a text attachment - value: - data: This is the content of my text attachment - description: Meeting notes - type: text - schema: - additionalProperties: false - type: object - properties: - data: - description: The attachment data/content. Required unless origin is provided. - nullable: true - description: - description: Human-readable description of the attachment. - type: string - hidden: - description: Whether the attachment should be hidden from the user. - type: boolean - id: - description: Optional custom ID for the attachment. - type: string - origin: - description: Origin string (for example, saved object ID) for by-reference attachments. 
When provided without data, the content is resolved once at creation time. - type: string - type: - description: The type of the attachment (e.g., text, esql, visualization). - type: string - required: - - type - - data responses: '200': content: application/json: - examples: - createAttachmentResponseExample: - description: Example response returning the created attachment - value: - attachment: - active: true - current_version: 1 - description: Meeting notes - id: att-abc123 - type: text - versions: - - content_hash: sha256-xyz - created_at: '2025-01-06T10:00:00.000Z' - data: This is the content of my text attachment - estimated_tokens: 12 - version: 1 - description: Indicates a successful response - summary: Create conversation attachment + schema: + type: object + properties: + deleted: + description: >- + True if the record was deleted or false if the record did + not exist. + type: boolean + record: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord + description: The deleted record if it existed. + required: + - deleted + description: Successful response + '400': + description: Invalid request + summary: Delete an asset criticality record tags: - - agent builder - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete an attachment. By default performs a soft delete (can be restored). Use permanent=true to permanently remove unreferenced attachments.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: delete-agent-builder-conversations-conversation-id-attachments-attachment-id + - Security Entity Analytics API + get: + description: Get the asset criticality record for a specific entity. + operationId: GetAssetCriticalityRecord parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the conversation. - in: path - name: conversation_id - required: true - schema: - type: string - - description: The unique identifier of the attachment to delete. - in: path - name: attachment_id + - description: The ID value of the asset. + example: my_host + in: query + name: id_value required: true schema: type: string - - description: If true, permanently removes the attachment (only for unreferenced attachments). + - description: The field representing the ID. + example: host.name in: query - name: permanent - required: false + name: id_field + required: true schema: - type: boolean + $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' responses: '200': content: application/json: - examples: - permanentDeleteAttachmentResponseExample: - description: Example response for permanent delete (cannot be restored) - value: - permanent: true - success: true - softDeleteAttachmentResponseExample: - description: Example response for soft delete (can be restored) - value: - permanent: false - success: true - description: Indicates a successful response - summary: Delete conversation attachment + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord + description: Successful response + '400': + description: Invalid request + '404': + description: Criticality record not found + summary: Get an asset criticality record tags: - - agent builder - x-state: Technical Preview - x-metaTags: - - content: 
Kibana, Elastic Cloud Serverless - name: product_name - patch: - description: |- - **Spaces method and path for this operation:** - -
patch /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
+ - Security Entity Analytics API + post: + description: > + Create or update an asset criticality record for a specific entity. - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Rename an attachment without creating a new version.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: patch-agent-builder-conversations-conversation-id-attachments-attachment-id - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the conversation. - in: path - name: conversation_id - required: true - schema: - type: string - - description: The unique identifier of the attachment to rename. - in: path - name: attachment_id - required: true - schema: - type: string + If a record already exists for the specified entity, that record is + overwritten with the specified value. If a record doesn't exist for the + specified entity, a new record is created. + operationId: CreateAssetCriticalityRecord requestBody: content: application/json: - examples: - renameAttachmentExample: - description: Example request for renaming an attachment - value: - description: Updated attachment name schema: - additionalProperties: false - type: object - properties: - description: - description: The new description/name for the attachment. - type: string - required: - - description + allOf: + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord + - type: object + properties: + refresh: + description: >- + If 'wait_for' the request will wait for the index + refresh. 
+ enum: + - wait_for + type: string + example: + criticality_level: high_impact + id_field: host.name + id_value: my_host + required: true responses: '200': content: application/json: - examples: - renameAttachmentResponseExample: - description: Example response returning the renamed attachment (version unchanged) - value: - attachment: - active: true - current_version: 1 - description: Updated attachment name - id: att-abc123 - type: text - versions: - - content_hash: sha256-xyz - created_at: '2025-01-06T10:00:00.000Z' - data: Content remains the same - estimated_tokens: 10 - version: 1 - success: true - description: Indicates a successful response - summary: Rename attachment + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord + description: Successful response + '400': + description: Invalid request + summary: Upsert an asset criticality record tags: - - agent builder - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
+ - Security Entity Analytics API + /api/asset_criticality/bulk: + post: + description: > + Bulk upsert up to 1000 asset criticality records. - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Update an attachment content. Creates a new version if content changed.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: put-agent-builder-conversations-conversation-id-attachments-attachment-id - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the conversation. - in: path - name: conversation_id - required: true - schema: - type: string - - description: The unique identifier of the attachment to update. - in: path - name: attachment_id - required: true - schema: - type: string + If asset criticality records already exist for the specified entities, + those records are overwritten with the specified values. If asset + criticality records don't exist for the specified entities, new records + are created. + operationId: BulkUpsertAssetCriticalityRecords requestBody: content: application/json: - examples: - updateAttachmentContentExample: - description: Example request for updating attachment content - value: - data: This is the updated content - updateAttachmentWithDescriptionExample: - description: Example request for updating both content and description - value: - data: New content version - description: Updated meeting notes - v2 schema: - additionalProperties: false + example: + records: + - criticality_level: low_impact + id_field: host.name + id_value: host-1 + - criticality_level: medium_impact + id_field: host.name + id_value: host-2 type: object properties: - data: - description: The new attachment data/content. - nullable: true - description: - description: Optional new description for the attachment. 
- type: string + records: + items: + allOf: + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts + - type: object + properties: + criticality_level: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload + required: + - criticality_level + maxItems: 1000 + minItems: 1 + type: array required: - - data + - records responses: '200': content: application/json: - examples: - updateAttachmentResponseExample: - description: Example response returning the updated attachment with new version - value: - attachment: - active: true - current_version: 2 - description: Meeting notes - id: att-abc123 - type: text - versions: - - content_hash: sha256-abc - created_at: '2025-01-06T10:00:00.000Z' - data: Original content - estimated_tokens: 10 - version: 1 - - content_hash: sha256-def - created_at: '2025-01-06T11:00:00.000Z' - data: This is the updated content - estimated_tokens: 12 - version: 2 - new_version: 2 - description: Indicates a successful response - summary: Update conversation attachment + schema: + example: + errors: + - index: 0 + message: Invalid ID field + stats: + failed: 1 + successful: 1 + total: 2 + type: object + properties: + errors: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem + type: array + stats: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats + required: + - errors + - stats + description: Bulk upload successful + '413': + description: File too large + summary: Bulk upsert asset criticality records tags: - - agent builder - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/_restore: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/_restore
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Restore a soft-deleted attachment.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: post-agent-builder-conversations-conversation-id-attachments-attachment-id-restore + - Security Entity Analytics API + /api/asset_criticality/list: + get: + description: List asset criticality records, paging, sorting and filtering as needed. + operationId: FindAssetCriticalityRecords parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: The field to sort by. + in: query + name: sort_field + required: false schema: - example: 'true' + enum: + - id_value + - id_field + - criticality_level + - '@timestamp' type: string - - description: The unique identifier of the conversation. - in: path - name: conversation_id - required: true + - description: The order to sort by. + in: query + name: sort_direction + required: false schema: + enum: + - asc + - desc type: string - - description: The unique identifier of the attachment to restore. - in: path - name: attachment_id - required: true + - description: The page number to return. 
+ in: query + name: page + required: false schema: - type: string - responses: - '200': - content: - application/json: - examples: - restoreAttachmentResponseExample: - description: Example response returning the restored attachment - value: - attachment: - active: true - current_version: 1 - description: Restored attachment - id: att-abc123 - type: text - versions: - - content_hash: sha256-xyz - created_at: '2025-01-06T10:00:00.000Z' - data: Restored content - estimated_tokens: 10 - version: 1 - success: true - description: Indicates a successful response - summary: Restore deleted attachment - tags: - - agent builder - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/origin: - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/origin
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update the origin reference for an attachment. Use this after saving a by-value attachment to link it to its persistent store.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: put-agent-builder-conversations-conversation-id-attachments-attachment-id-origin - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the conversation. - in: path - name: conversation_id - required: true - schema: - type: string - - description: The unique identifier of the attachment to update. - in: path - name: attachment_id - required: true + minimum: 1 + type: integer + - description: The number of records to return per page. + in: query + name: per_page + required: false schema: - type: string - requestBody: - content: - application/json: - examples: - updateOriginExample: - description: Example request for linking an attachment to a saved visualization - value: - origin: abc123 - schema: - additionalProperties: false - type: object - properties: - origin: - description: The origin string (e.g., saved object ID for visualizations and dashboards). 
- type: string - required: - - origin - responses: - '200': - content: - application/json: - examples: - updateOriginResponseExample: - description: Example response returning the attachment with updated origin - value: - attachment: - active: true - current_version: 1 - description: Sales chart - id: att-123 - origin: abc123 - type: visualization - versions: - - content_hash: sha256-xyz - created_at: '2025-01-06T10:00:00.000Z' - data: - chart_type: bar - esql: FROM sales | STATS count=COUNT(*) BY month - query: Show monthly sales - visualization: {} - estimated_tokens: 50 - version: 1 - success: true - description: Indicates a successful response - summary: Update attachment origin - tags: - - agent builder - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/agent_builder/conversations/{conversation_id}/attachments/stale: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/stale
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Checks staleness for the latest version of all conversation attachments against their origin snapshot.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: get-agent-builder-conversations-conversation-id-attachments-stale - parameters: - - description: The unique identifier of the conversation. - in: path - name: conversation_id - required: true + maximum: 1000 + minimum: 1 + type: integer + - description: The kuery to filter by. + in: query + name: kuery + required: false schema: type: string responses: '200': content: application/json: - examples: - checkStaleAttachmentsResponseExample: - description: 'Mixed conversation: attachments without a stale source return only id and is_stale. When a staleness check fails for one attachment, is_stale is false and an error explains why. When an origin-backed attachment is out of date, the response includes type, origin, and resolved data (here a simple text body) for resync.' - value: - attachments: - - id: att-text-meeting-notes - is_stale: false - - id: att-lens-active-users - is_stale: false - - error: Origin could not be resolved - id: att-query-attachment - is_stale: false - - data: This is the content of my text attachment - hidden: false - id: att-text-runbook - is_stale: true - origin: document:hr-onboarding-v2 - type: text - description: Indicates a successful response - summary: Check attachment staleness + schema: + example: + page: 1 + per_page: 10 + records: + - '@timestamp': '2024-08-02T14:40:35.705Z' + asset: + criticality: medium_impact + criticality_level: medium_impact + host: + asset: + criticality: medium_impact + name: my_other_host + id_field: host.name + id_value: my_other_host + - '@timestamp': '2024-08-02T11:15:34.290Z' + asset: + criticality: high_impact + criticality_level: high_impact + host: + asset: + criticality: high_impact + name: my_host + id_field: host.name + id_value: my_host + total: 2 + type: object + properties: + page: + minimum: 1 + type: integer + per_page: + maximum: 1000 + minimum: 1 + type: integer + records: + items: + $ref: >- + 
#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord + type: array + total: + minimum: 0 + type: integer + required: + - records + - page + - per_page + - total + description: Successfully retrieved asset criticality records + summary: List asset criticality records tags: - - agent builder - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/agent_builder/converse: + - Security Entity Analytics API + /api/attack_discovery/_bulk: post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/agent_builder/converse
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Send a message to an agent and receive a complete response. This synchronous endpoint waits for the agent to fully process your request before returning the final result. Use this for simple chat interactions where you need the complete response. To learn more, refer to the [agent chat documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/chat).

[Required authorization] Route required privileges: agentBuilder:read. - operationId: post-agent-builder-converse - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + description: >- + Performs bulk updates on multiple Attack discoveries, including workflow + status changes and visibility settings. This endpoint allows efficient + batch processing of alert modifications without requiring individual API + calls for each alert. + operationId: PostAttackDiscoveryBulk requestBody: content: application/json: - examples: - converseRequestExample: - description: Example request to send a message to the agent as a part of the conversation - value: - agent_id: elastic-ai-agent - connector_id: my-connector-id - input: What is Elasticsearch? - converseRequestInferenceExample: - description: Example using inference_id (mutually exclusive with connector_id) - value: - agent_id: elastic-ai-agent - inference_id: my-inference-endpoint-id - input: What is Elasticsearch? + example: + update: + enable_field_rendering: false + ids: + - >- + c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + - >- + 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 + kibana_alert_workflow_status: acknowledged + with_replacements: true schema: - additionalProperties: false type: object properties: - _execution_mode: - description: '**Experimental; added in 9.4.0.** define how to execute the agent (local execution or via task_manager)' - enum: - - local - - task_manager - type: string - action: - description: The action to perform. "regenerate" re-executes the last round with the original input. Requires conversation_id. - enum: - - regenerate - type: string - agent_id: - default: elastic-ai-agent - description: The ID of the agent to chat with. Defaults to the default Elastic AI agent. 
- type: string - attachments: - description: '**Technical Preview; added in 9.3.0.** Optional attachments to send with the message.' - items: - additionalProperties: false - type: object - properties: - data: - additionalProperties: - nullable: true - description: Payload of the attachment. Required unless `origin` is provided (content is resolved once at send time). - type: object - hidden: - description: When true, the attachment will not be displayed in the UI. - type: boolean - id: - description: Optional id for the attachment. - type: string - origin: - description: Origin string (for example, saved object ID) for by-reference attachments. When provided without `data`, the content is resolved once using the attachment type’s `resolve` hook. - type: string - type: - description: Type of the attachment. - type: string - required: - - type - type: array - browser_api_tools: - description: Optional browser API tools to be registered as LLM tools with browser.* namespace. These tools execute on the client side. - items: - additionalProperties: false - type: object - properties: - description: - description: Description of what the browser API tool does. - type: string - id: - description: Unique identifier for the browser API tool. - type: string - schema: - description: JSON Schema defining the tool parameters (JsonSchema7Type). - nullable: true - required: - - id - - description - - schema - type: array - capabilities: - additionalProperties: false - description: Controls agent capabilities during conversation. Currently supports visualization rendering for tabular tool results. + update: + description: >- + Configuration object containing all parameters for the bulk + update operation type: object properties: - visualizations: - description: When true, allows the agent to render tabular data from tool results as interactive visualizations using custom XML elements in responses. 
+ enable_field_rendering: + default: false + description: >- + Enables a markdown syntax used to render pivot fields, + for example `{{ user.name james }}`. When disabled, the + same example would be rendered as `james`. This is + primarily used for Attack Discovery views within Kibana. + Defaults to `false`. + example: false type: boolean - configuration_overrides: - additionalProperties: false - description: Runtime configuration overrides. These override the stored agent configuration for this execution only. - type: object - properties: - instructions: - description: Custom instructions for the agent. - type: string - tools: - description: Tool selection to enable for this execution. + ids: + description: Array of Attack Discovery IDs to update + example: + - >- + c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + - >- + 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 items: - additionalProperties: false - type: object - properties: - tool_ids: - items: - type: string - type: array - required: - - tool_ids + type: string type: array - connector_id: - description: Optional connector ID for the agent to use for model routing. Mutually exclusive with `inference_id`; omit or use only one. - nullable: true - type: string - conversation_id: - description: Optional existing conversation ID to continue a previous conversation. - type: string - inference_id: - description: Optional inference endpoint ID for model routing (public alias for the same internal identifier as `connector_id`). Mutually exclusive with `connector_id`. - nullable: true - type: string - input: - description: The user input message to send to the agent. - type: string - prompts: - additionalProperties: - additionalProperties: false - type: object - properties: - allow: - type: boolean - required: - - allow - description: Can be used to respond to a confirmation prompt. 
- type: object + kibana_alert_workflow_status: + description: >- + When provided, update the kibana.alert.workflow_status + of the attack discovery alerts + enum: + - open + - acknowledged + - closed + example: acknowledged + type: string + visibility: + description: >- + When provided, update the visibility of the alert, as + determined by the kibana.alert.attack_discovery.users + field + enum: + - not_shared + - shared + example: shared + type: string + with_replacements: + default: true + description: >- + When true, returns the updated Attack discoveries with + text replacements applied to the detailsMarkdown, + entitySummaryMarkdown, summaryMarkdown, and title + fields. This substitutes anonymized values with + human-readable equivalents. Defaults to `true`. + example: true + type: boolean + required: + - ids + required: + - update + description: Bulk update parameters for Attack discoveries + required: true responses: '200': content: application/json: - examples: - converseResponseExample: - description: Example response containing the chain of events representing a conversation with the agent - value: - conversation_id: 696ccd6d-4bff-4b26-a62e-522ccf2dcd16 - response: - message: Elasticsearch is a distributed, RESTful search and analytics engine capable of addressing a growing number of use cases. As the heart of the Elastic Stack, it centrally stores your data for lightning fast search, fine‑tuned relevancy, and powerful analytics that scale with ease. 
- steps: - - reasoning: Searching for official documentation or content that explains what Elasticsearch is - type: reasoning - - params: - query: what is elasticsearch definition overview introduction - progression: - - message: Selecting the best target for this query - results: - - data: - message: Could not figure out which index to use - type: error - tool_call_id: tooluse_shOdUwKIRwC9YhqGzeg0cQ - tool_id: platform.core.search - type: tool_call - description: Indicates a successful response - summary: Send chat message - tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/agent_builder/converse" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "input": "What is Elasticsearch?", - "agent_id": "elastic-ai-agent"}' - - lang: Console - source: | - POST kbn://api/agent_builder/converse - { - "input": "What is Elasticsearch?", - "agent_id": "elastic-ai-agent" - } - x-state: '' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/agent_builder/converse/async: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/agent_builder/converse/async
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Send a message to an agent and receive real-time streaming events. This asynchronous endpoint provides live updates as the agent processes your request, allowing you to see intermediate steps and progress. Use this for interactive experiences where you want to monitor the agent's thinking process. - - ## Event types - - The endpoint emits Server-Sent Events (SSE) with the following custom event types: - - `conversation_id_set` - - Sets the conversation ID. - - Schema: - ```json - { - "conversation_id": "uuid" - } - ``` - - --- - - `conversation_created` - - Fires when a new conversation is persisted and assigned an ID. - - Schema: - ```json - { - "conversation_id": "uuid", - "title": "conversation title" - } - ``` - - --- - - `conversation_updated` - - Fires when a conversation is updated. - - Schema: - ```json - { - "conversation_id": "uuid", - "title": "updated conversation title" - } - ``` - - --- - - `reasoning` - - Handles reasoning-related data. - - Schema: - ```json - { - "reasoning": "plain text reasoning content", - "transient": false - } - ``` - - --- - - `tool_call` - - Triggers when a tool is invoked. - - Schema: - ```json - { - "tool_call_id": "uuid", - "tool_id": "tool_name", - "params": {} - } - ``` - - --- - - `tool_progress` - - Reports progress of a running tool. - - Schema: - ```json - { - "tool_call_id": "uuid", - "message": "progress message" - } - ``` - - --- - - `tool_result` - - Returns results from a completed tool call. - - Schema: - ```json - { - "tool_call_id": "uuid", - "tool_id": "tool_name", - "results": [] - } - ``` - - **Note:** `results` is an array of `ToolResult` objects. - - --- - - `message_chunk` - - Streams partial text chunks. - - Schema: - ```json - { - "message_id": "uuid", - "text_chunk": "partial text" - } - ``` - - --- - - `message_complete` - - Indicates message stream is finished. 
- - Schema: - ```json - { - "message_id": "uuid", - "message_content": "full text content of the message" - } - ``` - - --- - - `thinking_complete` - - Marks the end of the thinking/reasoning phase. - - Schema: - ```json - { - "time_to_first_token": 0 - } - ``` - - **Note:** `time_to_first_token` is in milliseconds. - - --- - - `round_complete` - - Marks end of one conversation round. - - Schema: - ```json - { - "round": {} - } - ``` - - **Note:** `round` contains the full round json object. - - --- - - ## Event flow - - A typical conversation round emits events in this sequence: - - 1. `reasoning` (potentially multiple, some transient) - 2. `tool_call` (if tools are used) - 3. `tool_progress` (zero or more progress updates) - 4. `tool_result` (when tool completes) - 5. `thinking_complete` - 6. `message_chunk` (multiple, as text streams) - 7. `message_complete` - 8. `round_complete` - -

[Required authorization] Route required privileges: agentBuilder:read. - operationId: post-agent-builder-converse-async - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - converseAsyncRequestExample: - description: Example request to send a message to the agent as a part of the conversation - value: - agent_id: elastic-ai-agent - conversation_id: c250305b-1929-4248-b568-b9e3f065fda5 - input: Hello - converseAsyncRequestInferenceExample: - description: Example using inference_id (mutually exclusive with connector_id) - value: - agent_id: elastic-ai-agent - inference_id: my-inference-endpoint-id - input: Hello - schema: - additionalProperties: false - type: object - properties: - _execution_mode: - description: '**Experimental; added in 9.4.0.** define how to execute the agent (local execution or via task_manager)' - enum: - - local - - task_manager - type: string - action: - description: The action to perform. "regenerate" re-executes the last round with the original input. Requires conversation_id. - enum: - - regenerate - type: string - agent_id: - default: elastic-ai-agent - description: The ID of the agent to chat with. Defaults to the default Elastic AI agent. - type: string - attachments: - description: '**Technical Preview; added in 9.3.0.** Optional attachments to send with the message.' - items: - additionalProperties: false - type: object - properties: - data: - additionalProperties: - nullable: true - description: Payload of the attachment. Required unless `origin` is provided (content is resolved once at send time). - type: object - hidden: - description: When true, the attachment will not be displayed in the UI. - type: boolean - id: - description: Optional id for the attachment. 
- type: string - origin: - description: Origin string (for example, saved object ID) for by-reference attachments. When provided without `data`, the content is resolved once using the attachment type’s `resolve` hook. - type: string - type: - description: Type of the attachment. - type: string - required: - - type - type: array - browser_api_tools: - description: Optional browser API tools to be registered as LLM tools with browser.* namespace. These tools execute on the client side. - items: - additionalProperties: false - type: object - properties: - description: - description: Description of what the browser API tool does. - type: string - id: - description: Unique identifier for the browser API tool. - type: string - schema: - description: JSON Schema defining the tool parameters (JsonSchema7Type). - nullable: true - required: - - id - - description - - schema - type: array - capabilities: - additionalProperties: false - description: Controls agent capabilities during conversation. Currently supports visualization rendering for tabular tool results. - type: object - properties: - visualizations: - description: When true, allows the agent to render tabular data from tool results as interactive visualizations using custom XML elements in responses. - type: boolean - configuration_overrides: - additionalProperties: false - description: Runtime configuration overrides. These override the stored agent configuration for this execution only. - type: object - properties: - instructions: - description: Custom instructions for the agent. - type: string - tools: - description: Tool selection to enable for this execution. - items: - additionalProperties: false - type: object - properties: - tool_ids: - items: - type: string - type: array - required: - - tool_ids - type: array - connector_id: - description: Optional connector ID for the agent to use for model routing. Mutually exclusive with `inference_id`; omit or use only one. 
- nullable: true - type: string - conversation_id: - description: Optional existing conversation ID to continue a previous conversation. - type: string - inference_id: - description: Optional inference endpoint ID for model routing (public alias for the same internal identifier as `connector_id`). Mutually exclusive with `connector_id`. - nullable: true - type: string - input: - description: The user input message to send to the agent. - type: string - prompts: - additionalProperties: - additionalProperties: false - type: object - properties: - allow: - type: boolean - required: - - allow - description: Can be used to respond to a confirmation prompt. - type: object - responses: - '200': + example: + data: + - id: >- + c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + title: Suspicious process execution on host-01 + workflow_status: acknowledged + schema: + type: object + properties: + data: + description: >- + Array of updated Attack Discovery alert objects. Each item + includes the applied modifications from the bulk update + request. + items: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert + type: array + required: + - data + description: Indicates a successful call. + '400': content: - text/event-stream: - examples: - converseAsyncResponseExample: - description: Example stream containing the chain of events representing a conversation with the agent - value: - - data: - data: - conversation_id: c250305b-1929-4248-b568-b9e3f065fda5 - event: conversation_id_set - - data: - data: - reasoning: Starting with a general search to understand what content is available. 
- event: reasoning - - data: - data: - params: - query: latest documents - tool_call_id: tooluse__2aJELgyRYqD8SDOKSiwtg - tool_id: platform.core.search - event: tool_call - - data: - data: - results: - - data: - message: Could not figure out which index to use - type: error - tool_call_id: tooluse__2aJELgyRYqD8SDOKSiwtg - event: tool_result - - data: - data: - round: - id: a5692d54-bc06-4a6e-aea1-412779c73f66 - input: - message: Hello - response: - message: Hello! How can I help you today? - event: round_complete - description: Indicates a successful response - summary: Send chat message (streaming) + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: >- + Human-readable error message describing what went wrong + with the bulk update request + example: Invalid request parameters. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. 
+ summary: Bulk update Attack discoveries tags: - - agent builder - x-codeSamples: - - lang: curl + - Security Attack discovery API + x-code-samples: + - label: Example request + lang: curl source: | curl \ - -X POST "${KIBANA_URL}/api/agent_builder/converse/async" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "input": "Hello again let us have an async chat", - "agent_id": "elastic-ai-agent", - "conversation_id": "" - }' - - lang: Console - source: | - POST kbn://api/agent_builder/converse/async - { - "input": "Hello again let's have an async chat", - "agent_id": "elastic-ai-agent", - "conversation_id": "" - } - x-state: '' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/agent_builder/mcp: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/agent_builder/mcp
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - > warn - > This endpoint is designed for MCP clients (Claude Desktop, Cursor, VS Code, etc.) and should not be used directly via REST APIs. Use MCP Inspector or native MCP clients instead. - To learn more, refer to the [MCP documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/mcp-server).

[Required authorization] Route required privileges: agentBuilder:read. - operationId: post-agent-builder-mcp + --request POST 'http://localhost:5601/api/attack_discovery/_bulk' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data-raw '{ + "update": { + "ids": [ + "c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f", + "5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7" + ], + "kibana_alert_workflow_status": "acknowledged" + } + }' + /api/attack_discovery/_find: + get: + description: >- + Find Attack discoveries that match the search criteria. Supports free + text search, filtering, pagination, and sorting. + operationId: AttackDiscoveryFind parameters: - - description: Comma-separated list of namespaces to filter tools. Only tools matching the specified namespaces will be returned. + - description: >- + Filter results to Attack discoveries that include any of the + provided alert IDs + in: query + name: alert_ids + required: false + schema: + items: + type: string + type: array + - description: >- + Filter results to Attack discoveries created by any of the provided + human readable connector names. Note that values must match the + human readable `connector_name` property of an Attack discovery, + e.g. "GPT-5 Chat", which are distinct from `connector_id` values + used to generate Attack discoveries. + in: query + name: connector_names + required: false + schema: + items: + type: string + type: array + - description: >- + Enables a markdown syntax used to render pivot fields, for example + `{{ user.name james }}`. When disabled, the same example would be + rendered as `james`. This is primarily used for Attack Discovery + views within Kibana. Defaults to `false`. + example: false + in: query + name: enable_field_rendering + required: false + schema: + default: false + type: boolean + - description: >- + End of the time range for the search. 
Accepts absolute timestamps + (ISO 8601) or relative date math (e.g. "now", "now-24h"). + example: now in: query - name: namespace + name: end required: false schema: type: string - requestBody: - content: - application/json: - examples: - mcpInitializeRequestExample: - description: 'WARNING: DO NOT USE THIS ENDPOINT VIA REST API. These examples are auto-generated and should not be run. Integrate with MCP using MCP Inspector or native MCP clients (Claude Desktop, Cursor, VS Code) instead.' - value: - id: 1 - jsonrpc: '2.0' - method: initialize - params: - capabilities: {} - clientInfo: - name: test-client - version: 1.0.0 - protocolVersion: '2024-11-05' - schema: {} - responses: - '200': - content: - application/json: - examples: - mcpInitializeResponseExample: - description: Example response showing the successful result of communication initialisation over MCP protocol - value: - id: 1 - jsonrpc: '2.0' - result: - capabilities: - tools: - listChanged: true - protocolVersion: '2024-11-05' - serverInfo: - name: elastic-mcp-server - version: 0.0.1 - description: Indicates a successful response - summary: MCP server - tags: - - agent builder - x-state: '' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/agent_builder/plugins: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/agent_builder/plugins
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all installed plugins and their managed assets. Plugins are installable packages that bundle agent capabilities such as skills, following the [Claude agent plugin specification](https://code.claude.com/docs/en/plugins).

[Required authorization] Route required privileges: agentBuilder:read. - operationId: get-agent-builder-plugins - parameters: [] - responses: - '200': - content: - application/json: - examples: - listPluginsResponseExample: - description: Example response that returns one installed plugin - value: - results: - - created_at: '2025-01-01T00:00:00.000Z' - description: Financial analysis tools and skills for Claude - id: financial-analysis - manifest: - author: - name: Anthropic - url: https://www.anthropic.com - keywords: - - finance - - analysis - repository: https://github.com/anthropics/financial-services-plugins - name: financial-analysis - skill_ids: - - financial-analysis-analyze-portfolio - source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis - unmanaged_assets: - agents: [] - hooks: [] - lsp_servers: [] - mcp_servers: [] - output_styles: [] - updated_at: '2025-01-01T00:00:00.000Z' - version: 1.0.0 - description: Indicates a successful response - summary: List plugins - tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/agent_builder/plugins" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/agent_builder/plugins - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/agent_builder/plugins/{pluginId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/agent_builder/plugins/{pluginId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete an installed plugin by ID. This action cannot be undone.

[Required authorization] Route required privileges: agentBuilder:write. - operationId: delete-agent-builder-plugins-pluginid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the plugin. - in: path - name: pluginId - required: true + - description: Filter results to the Attack discoveries with the specified IDs + in: query + name: ids + required: false schema: - type: string - - description: If true, removes the plugin skills from agents that use them and then deletes the plugin. If false and any agent uses the plugin skills, the request returns 409 Conflict with the list of agents. + items: + type: string + type: array + - description: >- + If `true`, the response will include `unique_alert_ids` and + `unique_alert_ids_count` aggregated across the matched Attack + discoveries + example: false in: query - name: force + name: include_unique_alert_ids required: false schema: - default: false type: boolean - responses: - '200': - content: - application/json: - examples: - deletePluginResponseExample: - description: Example response showing that deletion of the plugin has been successful - value: - success: true - description: Indicates a successful response - summary: Delete a plugin - tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X DELETE "${KIBANA_URL}/api/agent_builder/plugins/{id}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - lang: Console - source: | - DELETE kbn://api/agent_builder/plugins/{id} - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/agent_builder/plugins/{pluginId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a specific plugin by ID.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: get-agent-builder-plugins-pluginid - parameters: - - description: The unique identifier of the plugin. - in: path - name: pluginId - required: true + - description: Page number to return (used for pagination). Defaults to 1. + example: 1 + in: query + name: page + required: false schema: - type: string - responses: - '200': - content: - application/json: - examples: - getPluginByIdResponseExample: - description: Example response returning a single installed plugin - value: - created_at: '2025-01-01T00:00:00.000Z' - description: Financial analysis tools and skills for Claude - id: financial-analysis - manifest: - author: - name: Anthropic - url: https://www.anthropic.com - keywords: - - finance - - analysis - repository: https://github.com/anthropics/financial-services-plugins - name: financial-analysis - skill_ids: - - financial-analysis-analyze-portfolio - source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis - unmanaged_assets: - agents: [] - hooks: [] - lsp_servers: [] - mcp_servers: [] - output_styles: [] - updated_at: '2025-01-01T00:00:00.000Z' - version: 1.0.0 - description: Indicates a successful response - summary: Get a plugin by id - tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/agent_builder/plugins/{id}" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/agent_builder/plugins/{id} - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/agent_builder/plugins/install: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/agent_builder/plugins/install
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Install a plugin from a [GitHub Claude plugin URL](https://code.claude.com/docs/en/plugins) or a direct ZIP URL. Plugins bundle agent capabilities such as skills.

[Required authorization] Route required privileges: agentBuilder:write. - operationId: post-agent-builder-plugins-install - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + default: 1 + minimum: 1 + type: integer + - description: >- + Number of Attack discoveries to return per page (used for + pagination). Defaults to 10. + example: 10 + in: query + name: per_page + required: false + schema: + default: 10 + minimum: 1 + type: integer + - description: >- + Free-text search query applied to relevant text fields of Attack + discoveries (title, description, tags, etc.) + example: '' + in: query + name: search + required: false schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - installPluginFromGithubExample: - description: Example request for installing a plugin from a GitHub URL - value: - url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis - installPluginFromZipExample: - description: Example request for installing a plugin from a direct zip URL - value: - url: https://my-server.example.com/my-plugin.zip - installPluginWithNameOverrideExample: - description: Example request for installing a plugin with a custom name - value: - plugin_name: my-custom-plugin-name - url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis - schema: - additionalProperties: false - type: object - properties: - plugin_name: - description: Optional name override for the plugin. Defaults to the manifest name. - type: string - url: - description: URL to install the plugin from (GitHub URL or direct zip URL). 
- type: string - required: - - url - responses: - '200': - content: - application/json: - examples: - installPluginResponseExample: - description: Example response returning the definition of the installed plugin - value: - created_at: '2025-01-01T00:00:00.000Z' - description: Financial analysis tools and skills for Claude - id: financial-analysis - manifest: - author: - name: Anthropic - url: https://www.anthropic.com - keywords: - - finance - - analysis - repository: https://github.com/anthropics/financial-services-plugins - name: financial-analysis - skill_ids: - - financial-analysis-analyze-portfolio - source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis - unmanaged_assets: - agents: [] - hooks: [] - lsp_servers: [] - mcp_servers: [] - output_styles: [] - updated_at: '2025-01-01T00:00:00.000Z' - version: 1.0.0 - description: Indicates a successful response - summary: Install a plugin - tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/agent_builder/plugins/install" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "url": "https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis" - }' - - lang: Console - source: | - POST kbn://api/agent_builder/plugins/install - { - "url": "https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis" - } - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/agent_builder/skills: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/agent_builder/skills
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all available skills (built-in and user-created).

[Required authorization] Route required privileges: agentBuilder:read. - operationId: get-agent-builder-skills - parameters: - - description: Set to true to include skills from plugins. + - description: >- + Whether to filter by shared visibility. If omitted, both shared and + privately visible Attack discoveries are returned. Use `true` to + return only shared discoveries, `false` to return only those visible + to the current user. in: query - name: include_plugins + name: shared required: false schema: - default: false type: boolean - responses: {} - summary: List skills - tags: - - agent builder - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/agent_builder/skills
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new user-defined skill.

[Required authorization] Route required privileges: agentBuilder:manageSkills. - operationId: post-agent-builder-skills - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: >- + Whether to filter by scheduled or ad-hoc attack discoveries. If + omitted, both types of attack discoveries are returned. Use `true` + to return only scheduled discoveries or `false` to return only + ad-hoc discoveries. + in: query + name: scheduled + required: false schema: - example: 'true' - type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - content: - description: Skill instructions content (markdown). - type: string - description: - description: Description of what the skill does. - type: string - id: - description: Unique identifier for the skill. - type: string - name: - description: Human-readable name for the skill. - type: string - referenced_content: - items: - additionalProperties: false - type: object - properties: - content: - description: Content of the reference. - type: string - name: - description: Name of the referenced content. - type: string - relativePath: - description: Relative path of the referenced content. - type: string - required: - - name - - relativePath - - content - maxItems: 100 - type: array - tool_ids: - default: [] - description: Tool IDs from the tool registry that this skill references. - items: - description: Tool ID from the tool registry. - type: string - maxItems: 100 - type: array - required: - - id - - name - - description - - content - responses: {} - summary: Create a skill - tags: - - agent builder - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/agent_builder/skills/{skillId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/agent_builder/skills/{skillId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a user-created skill by ID. If agents still reference the skill, the request returns 409 unless force=true, which removes the skill from agents first. Built-in skills cannot be deleted.

[Required authorization] Route required privileges: agentBuilder:manageSkills. - operationId: delete-agent-builder-skills-skillid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + type: boolean + - description: >- + Field used to sort results. See `AttackDiscoveryFindSortField` for + allowed values. + example: '@timestamp' + in: query + name: sort_field + required: false schema: - example: 'true' - type: string - - description: The unique identifier of the skill. - in: path - name: skillId - required: true + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryFindSortField + default: '@timestamp' + - description: >- + Sort order direction `asc` for ascending or `desc` for descending. + Defaults to `desc`. + example: desc + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_SortOrder' + default: desc + - description: >- + Start of the time range for the search. Accepts absolute timestamps + (ISO 8601) or relative date math (e.g. "now-7d"). + example: now-24h + in: query + name: start + required: false schema: - maxLength: 512 - minLength: 1 type: string - - description: If true, removes the skill from agents that use it and then deletes it. If false and any agent uses the skill, the request returns 409 Conflict with the list of agents. + - description: >- + Filter by alert workflow status. Provide one or more of the allowed + workflow states. + example: + - open + - acknowledged in: query - name: force + name: status required: false schema: - default: false + items: + enum: + - acknowledged + - closed + - open + type: string + type: array + - description: >- + When true, return the created Attack discoveries with text + replacements applied to the detailsMarkdown, entitySummaryMarkdown, + summaryMarkdown, and title fields. Defaults to `true`. 
+ example: true + in: query + name: with_replacements + required: false + schema: + default: true type: boolean responses: '200': content: application/json: - examples: - deleteSkillResponseExample: - description: Example response showing that the deletion operation was successful - value: - success: true - description: Indicates a successful response - summary: Delete a skill - tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X DELETE "https://${KIBANA_URL}/api/agent_builder/skills/{skillId}?force=false" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - lang: Console - source: | - DELETE kbn:/api/agent_builder/skills/{skillId} - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/agent_builder/skills/{skillId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a specific skill by ID.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: get-agent-builder-skills-skillid - parameters: - - description: The unique identifier of the skill. - in: path - name: skillId - required: true - schema: - maxLength: 512 - minLength: 1 - type: string - responses: {} - summary: Get a skill by id - tags: - - agent builder - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/agent_builder/skills/{skillId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an existing user-created skill.

[Required authorization] Route required privileges: agentBuilder:manageSkills. - operationId: put-agent-builder-skills-skillid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the skill. - in: path - name: skillId - required: true - schema: - maxLength: 512 - minLength: 1 - type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - content: - description: Updated skill instructions content. - type: string - description: - description: Updated description. - type: string - name: - description: Updated name for the skill. - type: string - referenced_content: - items: - additionalProperties: false - type: object - properties: - content: - description: Content of the reference. - type: string - name: - description: Name of the referenced content. - type: string - relativePath: - description: Relative path of the referenced content. - type: string - required: - - name - - relativePath - - content - maxItems: 100 - type: array - tool_ids: - description: Updated tool IDs from the tool registry. - items: - description: Updated tool ID. - type: string - maxItems: 100 - type: array - responses: {} - summary: Update a skill - tags: - - agent builder - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/agent_builder/tools: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/agent_builder/tools
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all available tools. Use this endpoint to retrieve complete tool definitions including their schemas and configuration requirements. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. - operationId: get-agent-builder-tools - parameters: [] - responses: - '200': + example: + connector_names: + - GPT-5 Chat + data: + - connector_name: GPT-5 Chat + id: >- + c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + title: Suspicious process execution on host-01 + page: 1 + per_page: 10 + total: 1 + unique_alert_ids_count: 0 + schema: + type: object + properties: + connector_names: + description: >- + List of human readable connector names that are present in + the matched Attack discoveries. Useful for building client + filters or summaries. + items: + type: string + type: array + data: + description: >- + Array of matched Attack discovery objects. Each item + follows the `AttackDiscoveryApiAlert` schema. + items: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert + type: array + page: + description: Current page number of the paginated result set. + type: integer + per_page: + description: Number of items requested per page. + type: integer + total: + description: >- + Total number of Attack discoveries matching the query + (across all pages). + type: integer + unique_alert_ids: + description: >- + List of unique alert IDs aggregated from the matched + Attack discoveries. Only present if + `include_unique_alert_ids=true` in the request. + items: + type: string + type: array + unique_alert_ids_count: + description: >- + Number of unique alert IDs across all matched Attack + discoveries. Only present if + `include_unique_alert_ids=true` in the request. + type: integer + required: + - connector_names + - data + - page + - per_page + - total + - unique_alert_ids_count + description: Indicates a successful call. 
+ '400': content: application/json: - examples: - listToolsResponseExample: - description: Example response returning a list of existing tools - value: - results: - - configuration: {} - description: |- - A powerful tool for searching and analyzing data within your Elasticsearch cluster. - It supports both full-text relevance searches and structured analytical queries. - - Use this tool for any query that involves finding documents, counting, aggregating, or summarizing data from a known index. - - Examples of queries: - - "find articles about serverless architecture" - - "search for support tickets mentioning 'billing issue' or 'refund request'" - - "what is our policy on parental leave?" - - "list all products where the category is 'electronics'" - - "show me the last 5 documents from that index" - - "show me the sales over the last year break down by month" - - Note: - - The 'index' parameter can be used to specify which index to search against. - If not provided, the tool will decide itself which is the best index to use. - - It is perfectly fine not to specify the 'index' parameter. It should only be specified when you already - know about the index and fields you want to search on, e.g. if the user explicitly specified it. - id: platform.core.search - readonly: true - schema: - $schema: http://json-schema.org/draft-07/schema# - additionalProperties: false - type: object - properties: - index: - description: (optional) Index to search against. If not provided, will automatically select the best index to use based on the query. - type: string - query: - description: A natural language query expressing the search request - type: string - required: - - query - tags: [] - type: builtin - - configuration: {} - description: Retrieve the full content (source) of an Elasticsearch document based on its ID and index name. 
- id: platform.core.get_document_by_id - readonly: true - schema: - $schema: http://json-schema.org/draft-07/schema# - additionalProperties: false - type: object - properties: - id: - description: ID of the document to retrieve - type: string - index: - description: Name of the index to retrieve the document from - type: string - required: - - id - - index - tags: [] - type: builtin - - configuration: {} - description: |- - Execute an ES|QL query and return the results in a tabular format. - - **IMPORTANT**: This tool only **runs** queries; it does not write them. - Think of this as the final step after a query has been prepared. - - You **must** get the query from one of two sources before calling this tool: - 1. The output of the `platform.core.generate_esql` tool (if the tool is available). - 2. A verbatim query provided directly by the user. - - Under no circumstances should you invent, guess, or modify a query yourself for this tool. - If you need a query, use the `platform.core.generate_esql` tool first. 
- id: platform.core.execute_esql - readonly: true - schema: - $schema: http://json-schema.org/draft-07/schema# - additionalProperties: false - type: object - properties: - query: - description: The ES|QL query to execute - type: string - required: - - query - tags: [] - type: builtin - - configuration: - params: - limit: - description: Maximum number of results to return - type: integer - startTime: - description: Start time for the analysis in ISO format - type: date - query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit - description: Example ES|QL query tool for analyzing financial trades with time filtering - id: example-esql-tool - readonly: false - schema: - $schema: http://json-schema.org/draft-07/schema# - additionalProperties: false - description: Parameters needed to execute the query - type: object - properties: - limit: - description: Maximum number of results to return - type: integer - startTime: - description: Start time for the analysis in ISO format - format: date-time - type: string - required: - - startTime - - limit - tags: - - analytics - - finance - type: esql - - configuration: - pattern: financial_* - description: Search tool specifically for financial data analysis and reporting - id: example-index-search-tool - readonly: false - schema: - $schema: http://json-schema.org/draft-07/schema# - additionalProperties: false - type: object - properties: - nlQuery: - description: A natural language query expressing the search request - type: string - required: - - nlQuery - tags: - - search - - finance - type: index_search - description: Indicates a successful response - summary: List tools + example: + error: Bad Request + message: Invalid request payload. 
+ status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message + example: Invalid request payload. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + description: Bad Request response. + summary: Find Attack discoveries that match the search criteria tags: - - agent builder - x-codeSamples: - - lang: curl + - Security Attack discovery API + x-code-samples: + - label: Example request + lang: curl source: | curl \ - -X GET "https://${KIBANA_URL}/api/agent_builder/tools" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn:/api/agent_builder/tools - x-state: '' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name + --request GET 'http://localhost:5601/api/attack_discovery/_find?end=now&include_unique_alert_ids=false&page=1&per_page=10&search=&sort_field=%40timestamp&sort_order=desc&start=now-24h&status=open&status=acknowledged' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + /api/attack_discovery/_generate: post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/agent_builder/tools
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new tool. Use this endpoint to define a custom tool with specific functionality and configuration for use by agents. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. - operationId: post-agent-builder-tools - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + description: >- + Initiates the generation of attack discoveries by analyzing security + alerts using AI. Returns an execution UUID that can be used to track the + generation progress and retrieve results. Results may also be retrieved + via the find endpoint. + operationId: PostAttackDiscoveryGenerate requestBody: content: application/json: - examples: - createEsqlToolRequest: - description: Example request to create an ESQL query tool with a pre-defined query - value: - configuration: - params: - limit: - description: Maximum number of results to return - type: integer - startTime: - description: Start time for the analysis in ISO format - type: date - query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit - description: Example ES|QL query tool for analyzing financial trades with time filtering - id: example-esql-tool - tags: - - analytics - - finance - type: esql - createIndexSearchToolRequest: - description: Example request to create an index_search tool with a pre-defined index pattern - value: - configuration: - pattern: financial_* - description: Search tool specifically for financial data analysis and reporting - id: example-index-search-tool - tags: - - search - - finance - type: index_search + example: + alertsIndexPattern: .alerts-security.alerts-default + anonymizationFields: + - allowed: true + anonymized: true + field: host.name + - allowed: true + anonymized: true + field: user.name + - allowed: true + anonymized: false + field: process.name + apiConfig: + actionTypeId: .gen-ai + connectorId: 12345678-1234-1234-1234-123456789012 + 
connectorName: GPT-5 Chat + end: now + replacements: {} + size: 100 + start: now-24h + subAction: invokeAI schema: - additionalProperties: false - type: object - properties: - configuration: - additionalProperties: - nullable: true - description: Tool-specific configuration parameters. See examples for details. - type: object - description: - default: '' - description: Description of what the tool does. - type: string - id: - description: Unique identifier for the tool. - type: string - tags: - default: [] - description: Optional tags for categorizing and organizing tools. - items: - description: Tag for categorizing the tool. - type: string - type: array - type: - description: The type of tool to create (e.g., esql, index_search). - enum: - - esql - - index_search - - workflow - - mcp - type: string - required: - - id - - type - - configuration + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenerationConfig + required: true responses: '200': content: application/json: - examples: - createEsqlToolExample: - description: Example response returning a definition of ESQL tool created - value: - configuration: - params: - limit: - description: Maximum number of results to return - type: integer - startTime: - description: Start time for the analysis in ISO format - type: date - query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit - description: Example ES|QL query tool for analyzing financial trades with time filtering - id: example-esql-tool - readonly: false - schema: - $schema: http://json-schema.org/draft-07/schema# - additionalProperties: false - description: Parameters needed to execute the query - type: object - properties: - limit: - description: Maximum number of results to return - type: integer - startTime: - description: Start time for the analysis in ISO format - format: date-time - type: string - 
required: - - startTime - - limit - tags: - - analytics - - finance - type: esql - createIndexSearchToolExample: - description: Example response returning a definition of search tool tool created - value: - configuration: - pattern: financial_* - description: Search tool specifically for financial data analysis and reporting - id: example-index-search-tool - readonly: false - schema: - $schema: http://json-schema.org/draft-07/schema# - additionalProperties: false - type: object - properties: - nlQuery: - description: A natural language query expressing the search request - type: string - required: - - nlQuery - tags: - - search - - finance - type: index_search - description: Indicates a successful response - summary: Create a tool + example: + execution_uuid: edd26039-0990-4d9f-9829-2a1fcacb77b5 + schema: + type: object + properties: + execution_uuid: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_NonEmptyString + description: >- + The unique identifier for the attack discovery generation + process. Use this UUID to track the generation progress + and retrieve results via the find endpoint. + example: edd26039-0990-4d9f-9829-2a1fcacb77b5 + required: + - execution_uuid + description: Indicates a successful call. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message describing what went wrong + example: Invalid request parameters. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. 
+ summary: Generate attack discoveries from alerts tags: - - agent builder - x-codeSamples: - - lang: curl + - Security Attack discovery API + x-code-samples: + - label: Example request + lang: curl source: | curl \ - -X POST "https://${KIBANA_URL}/api/agent_builder/tools" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "id": "example-esql-tool", - "type": "esql", - "description": "Example ES|QL query tool for analyzing financial trades with time filtering", - "tags": ["analytics", "finance"], - "configuration": { - "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", - "params": { - "startTime": { - "type": "date", - "description": "Start time for the analysis in ISO format" - }, - "limit": { - "type": "integer", - "description": "Maximum number of results to return" - } - } - } - }' - - lang: Console - source: | - POST kbn:/api/agent_builder/tools - { - "id": "example-esql-tool", - "type": "esql", - "description": "An ES|QL query tool for analyzing financial trades with time filtering", - "tags": ["analytics", "finance", "updated"], - "configuration": { - "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", - "params": { - "startTime": { - "type": "date", - "description": "Start time for the analysis in ISO format" + --request POST 'http://localhost:5601/api/attack_discovery/_generate' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{ + "alertsIndexPattern": ".alerts-security.alerts-default", + "anonymizationFields": [ + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "@timestamp", + "allowed": true, + "anonymized": false, + 
"namespace": "default", + "id": "aKiJW5gB4U27o8XO8oLf" }, - "limit": { - "type": "integer", - "description": "Maximum number of results to return" - } - } - } - } - x-state: '' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/agent_builder/tools/_execute: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/agent_builder/tools/_execute
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Run a tool with parameters. Use this endpoint to run a tool directly with specified inputs and optional external connector integration. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. - operationId: post-agent-builder-tools-execute - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - executeBuiltinEsqlToolRequest: - description: Example request executing platform.core.execute_esql tool - value: - tool_id: platform.core.execute_esql - tool_params: - query: FROM financial_trades | LIMIT 3 - executeBuiltinToolRequest: - description: Example request executing platform.core.get_document_by_id tool - value: - tool_id: platform.core.get_document_by_id - tool_params: - id: TRD-20250805-0820a89f - index: financial_trades - executeCustomEsqlToolRequest: - description: Example request executing custom example-esql-tool tool - value: - tool_id: example-esql-tool - tool_params: - limit: 3 - startTime: '2024-01-01T00:00:00Z' - executeIndexSearchToolRequest: - description: Example request executing custom example-index-search-tool tool - value: - tool_id: example-index-search-tool - tool_params: - nlQuery: find trades with high execution prices above 100 - schema: - additionalProperties: false - type: object - properties: - connector_id: - description: Optional connector ID for tools that require external integrations. - type: string - tool_id: - description: The ID of the tool to execute. - type: string - tool_params: - additionalProperties: - nullable: true - description: Parameters to pass to the tool execution. 
See examples for details - type: object - required: - - tool_id - - tool_params - responses: - '200': - content: - application/json: - examples: - executeBuiltinEsqlToolExample: - description: Example response calling built-in platform.core.execute_esql tool - value: - results: - - data: - esql: FROM financial_trades | LIMIT 3 - type: query - - data: - columns: - - name: account_id - type: keyword - - name: execution_price - type: double - - name: symbol - type: keyword - - name: trade_type - type: keyword - query: FROM financial_trades | LIMIT 3 - source: esql - values: - - - ACC00179-1f91 - - 43.77000045776367 - - CVX - - sell - - - ACC00407-0bbb - - 660.4199829101562 - - V - - buy - - - ACC00179-1f91 - - 440.3599853515625 - - KO - - buy - tool_result_id: xTpT - type: esql_results - executeBuiltinToolExample: - description: Example response calling built-in platform.core.get_document_by_id tool - value: - results: - - data: - content: - account_id: ACC00271-fb5c - execution_price: 488.54 - execution_timestamp: '2025-08-05T08:04:11.649855' - last_updated: '2025-09-15T13:23:36' - order_status: executed - order_type: market - quantity: 131 - status_reason: fully_filled - symbol: EWL - trade_cost: 63998.74 - trade_id: TRD-20250805-0820a89f - trade_type: sell - partial: false - reference: - id: TRD-20250805-0820a89f - index: financial_trades - type: resource - executeCustomEsqlToolExample: - description: Example response calling custom example-esql-tool tool - value: - results: - - data: - columns: - - name: trade_count - type: long - - name: avg_price - type: double - - name: symbol - type: keyword - query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit - source: esql - values: - - - 2115 - - 89.33911587329621 - - US_T_BOND_20YR - - - 2112 - - 104.20854155945055 - - INTL_CORP_ASIA_D - - - 2105 - - 89.93244177666526 - - INTL_CORP_EU_B - 
tool_result_id: Voy8 - type: esql_results - executeIndexSearchToolExample: - description: Example response calling custom example-index-search-tool tool - value: - results: - - data: - esql: |- - FROM financial_trades - | WHERE execution_price > 100 - | LIMIT 100 - type: query - - data: - columns: - - name: account_id - type: keyword - - name: execution_price - type: double - - name: execution_timestamp - type: date - - name: symbol - type: keyword - - name: trade_type - type: keyword - query: |- - FROM financial_trades - | WHERE execution_price > 100 - | LIMIT 100 - source: esql - values: - - - ACC00407-0bbb - - 660.4199829101562 - - '2020-09-25T11:06:08.687Z' - - V - - buy - - - ACC00179-1f91 - - 440.3599853515625 - - '2025-08-07T21:56:45.377Z' - - KO - - buy - - - ACC00407-0bbb - - 132.8800048828125 - - '2020-11-19T04:39:13.655Z' - - JAP_JGB_10YR - - sell - tool_result_id: uE8y - type: esql_results - description: Indicates a successful response - summary: Run a tool - tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "https://${KIBANA_URL}/api/agent_builder/tools/_execute" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "tool_id": "platform.core.search", - "tool_params": { - "query": "can you find john doe's email from the employee index?"} - } - }' - - lang: Console - source: | - POST kbn:/api/agent_builder/tools/_execute - { - "tool_id": "platform.core.search", - "tool_params": { - "query": "can you find john doe's email from the employee index?" - } - } - x-state: '' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/agent_builder/tools/{toolId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/agent_builder/tools/{toolId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a tool by ID. This action cannot be undone. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. - operationId: delete-agent-builder-tools-toolid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the tool to delete. - in: path - name: toolId - required: true - schema: - type: string - - description: If true, removes the tool from agents that use it and then deletes it. If false and any agent uses the tool, the request returns 409 Conflict with the list of agents. - in: query - name: force - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - deleteAgentResponseExample: - description: Example response showing that the deletion operation was successful - value: - success: true - description: Indicates a successful response - summary: Delete a tool - tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X DELETE "https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - lang: Console - source: | - DELETE kbn:/api/agent_builder/tools/{toolId} - x-state: '' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/agent_builder/tools/{toolId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a specific tool by ID. Use this endpoint to retrieve the complete tool definition including its schema and configuration requirements. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. - operationId: get-agent-builder-tools-toolid - parameters: - - description: The unique identifier of the tool to retrieve. - in: path - name: toolId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getBuiltinToolExample: - description: Example response returning built-in platform.core.search tool - value: - configuration: {} - description: |- - A powerful tool for searching and analyzing data within your Elasticsearch cluster. - It supports both full-text relevance searches and structured analytical queries. - - Use this tool for any query that involves finding documents, counting, aggregating, or summarizing data from a known index. - - Examples of queries: - - "find articles about serverless architecture" - - "search for support tickets mentioning 'billing issue' or 'refund request'" - - "what is our policy on parental leave?" - - "list all products where the category is 'electronics'" - - "show me the last 5 documents from that index" - - "show me the sales over the last year break down by month" - - Note: - - The 'index' parameter can be used to specify which index to search against. - If not provided, the tool will decide itself which is the best index to use. - - It is perfectly fine not to specify the 'index' parameter. It should only be specified when you already - know about the index and fields you want to search on, e.g. if the user explicitly specified it. - id: platform.core.search - readonly: true - schema: - $schema: http://json-schema.org/draft-07/schema# - additionalProperties: false - type: object - properties: - index: - description: (optional) Index to search against. If not provided, will automatically select the best index to use based on the query. 
- type: string - query: - description: A natural language query expressing the search request - type: string - required: - - query - tags: [] - type: builtin - getEsqlToolExample: - description: Example response returning custom example-esql-tool tool - value: - configuration: - params: - limit: - description: Maximum number of results to return - type: integer - startTime: - description: Start time for the analysis in ISO format - type: date - query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit - description: Example ES|QL query tool for analyzing financial trades with time filtering - id: example-esql-tool - readonly: false - schema: - $schema: http://json-schema.org/draft-07/schema# - additionalProperties: false - description: Parameters needed to execute the query - type: object - properties: - limit: - description: Maximum number of results to return - type: integer - startTime: - description: Start time for the analysis in ISO format - format: date-time - type: string - required: - - startTime - - limit - tags: - - analytics - - finance - type: esql - getIndexSearchToolExample: - description: Example response returning custom example-index-search-tool tool - value: - configuration: - pattern: financial_* - description: Search tool specifically for financial data analysis and reporting - id: example-index-search-tool - readonly: false - schema: - $schema: http://json-schema.org/draft-07/schema# - additionalProperties: false - type: object - properties: - nlQuery: - description: A natural language query expressing the search request - type: string - required: - - nlQuery - tags: - - search - - finance - type: index_search - description: Indicates a successful response - summary: Get a tool by id - tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET 
"https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn:/api/agent_builder/tools/{toolId} - x-state: '' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/agent_builder/tools/{toolId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an existing tool. Use this endpoint to modify any aspect of the tool's configuration or metadata. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. - operationId: put-agent-builder-tools-toolid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the tool to update. - in: path - name: toolId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - updateEsqlToolRequest: - description: Example request to update the custom ESQL tool - value: - configuration: - params: - limit: - description: Maximum number of results to return - type: integer - startTime: - description: Start time for the analysis in ISO format - type: date - symbolPattern: - description: Pattern to filter symbols (e.g., 'US_*' for US instruments) - type: keyword - query: FROM financial_trades | WHERE execution_timestamp >= ?startTime AND symbol LIKE ?symbolPattern | STATS trade_count=COUNT(*), avg_price=AVG(execution_price), total_volume=SUM(quantity) BY symbol | SORT trade_count DESC | LIMIT ?limit - description: Updated ES|QL query tool for comprehensive financial analysis with enhanced filtering - tags: - - analytics - - finance - - reporting - updateIndexSearchToolRequest: - description: Example request to update the custom Search tool - value: - description: Updated search tool for comprehensive financial data analysis, reporting, and compliance monitoring - tags: - - search - - finance - - compliance - - reporting - schema: - additionalProperties: false - type: object - properties: - configuration: - additionalProperties: - nullable: true - description: Updated tool-specific configuration parameters. See examples for details. - type: object - description: - description: Updated description of what the tool does. - type: string - tags: - description: Updated tags for categorizing and organizing tools. 
- items: - description: Updated tag for categorizing the tool. - type: string - type: array - responses: - '200': - content: - application/json: - examples: - updateEsqlToolExample: - description: Example response showing the updated ESQL tool - value: - configuration: - params: - limit: - description: Maximum number of results to return - type: integer - startTime: - description: Start time for the analysis in ISO format - type: date - symbolPattern: - description: Pattern to filter symbols (e.g., 'US_*' for US instruments) - type: keyword - query: FROM financial_trades | WHERE execution_timestamp >= ?startTime AND symbol LIKE ?symbolPattern | STATS trade_count=COUNT(*), avg_price=AVG(execution_price), total_volume=SUM(quantity) BY symbol | SORT trade_count DESC | LIMIT ?limit - description: Updated ES|QL query tool for comprehensive financial analysis with enhanced filtering - id: example-esql-tool - readonly: false - schema: - $schema: http://json-schema.org/draft-07/schema# - additionalProperties: false - description: Parameters needed to execute the enhanced query - type: object - properties: - limit: - description: Maximum number of results to return - type: integer - startTime: - description: Start time for the analysis in ISO format - format: date-time - type: string - symbolPattern: - description: Pattern to filter symbols (e.g., 'US_*' for US instruments) - type: string - required: - - startTime - - symbolPattern - - limit - tags: - - analytics - - finance - - reporting - type: esql - updateIndexSearchToolExample: - description: Example response showing the updated Search tool - value: - configuration: - pattern: financial_* - description: Updated search tool for comprehensive financial data analysis, reporting, and compliance monitoring - id: example-index-search-tool - readonly: false - schema: - $schema: http://json-schema.org/draft-07/schema# - additionalProperties: false - type: object - properties: - nlQuery: - description: A natural language query 
expressing the search request - type: string - required: - - nlQuery - tags: - - search - - finance - - compliance - - reporting - type: index_search - description: Indicates a successful response - summary: Update a tool - tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X PUT "https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "description": "Updated ES|QL query tool for analyzing financial trades with time filtering", - "tags": ["analytics", "finance", "updated"], - "configuration": { - "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", - "params": { - "startTime": { - "type": "date", - "description": "Start time for the analysis in ISO format" - }, - "limit": { - "type": "integer", - "description": "Maximum number of results to return" - } - } - } - }' - - lang: Console - source: | - PUT kbn:/api/agent_builder/tools/{toolId} - { - "description": "Updated ES|QL query tool for analyzing financial trades with time filtering", - "tags": ["analytics", "finance", "updated"], - "configuration": { - "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", - "params": { - "startTime": { - "type": "date", - "description": "Start time for the analysis in ISO format" + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.feature", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "saiJW5gB4U27o8XO8oLg" }, - "limit": { - "type": "integer", - "description": "Maximum number of results to return" - } - } - } - } - x-state: '' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless 
- name: product_name - /api/alerting/rule/{id}: - delete: - operationId: delete-alerting-rule-id - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given ID does not exist. - summary: Delete a rule - tags: - - alerting - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/alerting/rule/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - get: - operationId: get-alerting-rule-id - parameters: - - description: The identifier for the rule. - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getRuleResponse: - description: A response that contains information about an index threshold rule. - summary: Get an index threshold rule - value: - actions: [] - api_key_owner: elastic - consumer: alerts - created_at: '2022-12-05T23:40:33.132Z' - created_by: elastic - enabled: true - id: 3583a470-74f6-11ed-9801-35303b735aef - mute_all: false - muted_alert_ids: [] - name: my alert - notify_when: onActionGroupChange - params: - aggField: sheet.version - aggType: avg - groupBy: top - index: - - test-index - termField: name.keyword - termSize: 6 - threshold: - - 1000 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 5 - timeWindowUnit: m - revision: 0 - rule_type_id: .index-threshold - schedule: - interval: 1m - tags: - - cpu - throttle: null - updated_at: '2022-12-05T23:40:33.132Z' - updated_by: elastic - schema: - additionalProperties: false - type: object - properties: - actions: - items: - additionalProperties: false - type: object - properties: - alerts_filter: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. 
- items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - connector_type_id: - description: The type of connector. This property appears in responses but cannot be set in requests. - type: string - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. 
- type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - - connector_type_id - - params - type: array - active_snoozes: - items: - description: List of active snoozes for the rule. - type: string - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - api_key_created_by_user: - description: Indicates whether the API key that is associated with the rule was created by the user. - nullable: true - type: boolean - api_key_owner: - description: The owner of the API key that is associated with the rule and used to run background tasks. - nullable: true - type: string - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - description: User-created content that describes alert causes and remdiation. - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - created_at: - description: The date and time that the rule was created. - type: string - created_by: - description: The identifier for the user that created the rule. 
- nullable: true - type: string - enabled: - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - execution_status: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - description: Error message. - type: string - reason: - description: Reason for error. - enum: - - read - - decrypt - - execute - - unknown - - license - - timeout - - disabled - - validate - type: string - required: - - reason - - message - last_duration: - description: Duration of last execution of the rule. - type: number - last_execution_date: - description: The date and time when rule was executed last. - type: string - status: - description: Status of rule execution. - enum: - - ok - - active - - error - - warning - - pending - - unknown - type: string - warning: - additionalProperties: false - type: object - properties: - message: - description: Warning message. - type: string - reason: - description: Reason for warning. - enum: - - maxExecutableActions - - maxAlerts - - maxQueuedActions - - ruleExecution - type: string - required: - - reason - - message - required: - - status - - last_execution_date - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. 
- maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - id: - description: The identifier for the rule. - type: string - is_snoozed_until: - description: The date when the rule will no longer be snoozed. - nullable: true - type: string - last_run: - additionalProperties: false - nullable: true - type: object - properties: - alerts_count: - additionalProperties: false - type: object - properties: - active: - description: Number of active alerts during last run. - nullable: true - type: number - ignored: - description: Number of ignored alerts during last run. - nullable: true - type: number - new: - description: Number of new alerts during last run. - nullable: true - type: number - recovered: - description: Number of recovered alerts during last run. - nullable: true - type: number - outcome: - description: Outcome of last run of the rule. Value could be succeeded, warning or failed. - enum: - - succeeded - - warning - - failed - type: string - outcome_msg: - items: - description: Outcome message generated during last rule run. - type: string - nullable: true - type: array - outcome_order: - description: Order of the outcome. - type: number - warning: - description: Warning of last rule execution. - enum: - - read - - decrypt - - execute - - unknown - - license - - timeout - - disabled - - validate - - maxExecutableActions - - maxAlerts - - maxQueuedActions - - ruleExecution - nullable: true - type: string - required: - - outcome - - alerts_count - mapped_params: - additionalProperties: - nullable: true - type: object - monitoring: - additionalProperties: false - description: Monitoring details of the rule. - type: object - properties: - run: - additionalProperties: false - description: Rule run details. - type: object - properties: - calculated_metrics: - additionalProperties: false - description: Calculation of different percentiles and success ratio. 
- type: object - properties: - p50: - type: number - p95: - type: number - p99: - type: number - success_ratio: - type: number - required: - - success_ratio - history: - description: History of the rule run. - items: - additionalProperties: false - type: object - properties: - duration: - description: Duration of the rule run. - type: number - outcome: - description: Outcome of last run of the rule. Value could be succeeded, warning or failed. - enum: - - succeeded - - warning - - failed - type: string - success: - description: Indicates whether the rule run was successful. - type: boolean - timestamp: - description: Time of rule run. - type: number - required: - - success - - timestamp - type: array - last_run: - additionalProperties: false - type: object - properties: - metrics: - additionalProperties: false - type: object - properties: - duration: - description: Duration of most recent rule run. - type: number - gap_duration_s: - description: Duration in seconds of rule run gap. - nullable: true - type: number - gap_range: - additionalProperties: false - nullable: true - type: object - properties: - gte: - description: End of the gap range. - type: string - lte: - description: Start of the gap range. - type: string - required: - - lte - - gte - total_alerts_created: - description: Total number of alerts created during last rule run. - nullable: true - type: number - total_alerts_detected: - description: Total number of alerts detected during last rule run. - nullable: true - type: number - total_indexing_duration_ms: - description: Total time spent indexing documents during last rule run in milliseconds. - nullable: true - type: number - total_search_duration_ms: - description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. - nullable: true - type: number - timestamp: - description: Time of the most recent rule run. 
- type: string - required: - - timestamp - - metrics - required: - - history - - calculated_metrics - - last_run - required: - - run - mute_all: - description: Indicates whether all alerts are muted. - type: boolean - muted_alert_ids: - items: - description: 'List of identifiers of muted alerts. ' - type: string - type: array - name: - description: ' The name of the rule.' - type: string - next_run: - description: Date and time of the next run of the rule. - nullable: true - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: - nullable: true - description: The parameters for the rule. - type: object - revision: - description: The rule revision number. - type: number - rule_type_id: - description: The rule type identifier. - type: string - running: - description: Indicates whether the rule is running. - nullable: true - type: boolean - schedule: - additionalProperties: false - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - scheduled_task_id: - description: Identifier of the scheduled task. 
- type: string - snooze_schedule: - items: - additionalProperties: false - type: object - properties: - duration: - description: Duration of the rule snooze schedule. - type: number - id: - description: Identifier of the rule snooze schedule. - type: string - rRule: - additionalProperties: false - type: object - properties: - byhour: - items: - description: Indicates hours of the day to recur. - type: number - nullable: true - type: array - byminute: - items: - description: Indicates minutes of the hour to recur. - type: number - nullable: true - type: array - bymonth: - items: - description: Indicates months of the year that this rule should recur. - type: number - nullable: true - type: array - bymonthday: - items: - description: Indicates the days of the month to recur. - type: number - nullable: true - type: array - bysecond: - items: - description: Indicates seconds of the day to recur. - type: number - nullable: true - type: array - bysetpos: - items: - description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. - type: number - nullable: true - type: array - byweekday: - items: - anyOf: - - type: string - - type: number - description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. - nullable: true - type: array - byweekno: - items: - description: Indicates number of the week hours to recur. - type: number - nullable: true - type: array - byyearday: - items: - description: Indicates the days of the year that this rule should recur. - type: number - nullable: true - type: array - count: - description: Number of times the rule should recur until it stops. 
- type: number - dtstart: - description: Rule start date in Coordinated Universal Time (UTC). - type: string - freq: - description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. - enum: - - 0 - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - type: integer - interval: - description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. - type: number - tzid: - description: Indicates timezone abbreviation. - type: string - until: - description: Recur the rule until this date. - type: string - wkst: - description: Indicates the start of week, defaults to Monday. - enum: - - MO - - TU - - WE - - TH - - FR - - SA - - SU - type: string - required: - - dtstart - - tzid - skipRecurrences: - items: - description: Skips recurrence of rule on this date. - type: string - type: array - required: - - duration - - rRule - type: array - tags: - items: - description: The tags for the rule. - type: string - type: array - throttle: - deprecated: true - description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - updated_at: - description: The date and time that the rule was updated most recently. - type: string - updated_by: - description: The identifier for the user that updated this rule most recently. - nullable: true - type: string - view_in_app_relative_url: - description: Relative URL to view rule in the app. 
- nullable: true - type: string - required: - - id - - enabled - - name - - tags - - rule_type_id - - consumer - - schedule - - actions - - params - - created_by - - updated_by - - created_at - - updated_at - - api_key_owner - - mute_all - - muted_alert_ids - - execution_status - - revision - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given ID does not exist. - summary: Get rule details - tags: - - alerting - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/alerting/rule/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - post: - operationId: post-alerting-rule-id - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. If it is omitted, an ID is randomly generated. - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - createEsQueryEsqlRuleRequest: - description: | - Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications. - summary: Elasticsearch query rule (ES|QL) - value: - actions: - - frequency: - notify_when: onActiveAlert - summary: false - group: query matched - id: d0db1fe0-78d6-11ee-9177-f7d404c8c945 - params: - level: info - message: |- - Elasticsearch query rule '{{rule.name}}' is active: - - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}} - consumer: stackAlerts - name: my Elasticsearch query ESQL rule - params: - esqlQuery: - esql: FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != "GB" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10 - searchType: esqlQuery - size: 0 - threshold: - - 0 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 1 - timeWindowUnit: d - rule_type_id: .es-query - schedule: - interval: 1d - createEsQueryKqlRuleRequest: - description: Create an Elasticsearch query rule that uses Kibana query language (KQL). 
- summary: Elasticsearch query rule (KQL) - value: - consumer: alerts - name: my Elasticsearch query KQL rule - params: - aggType: count - excludeHitsFromPreviousRun: true - groupBy: all - searchConfiguration: - index: 90943e30-9a47-11e8-b64d-95841ca0b247 - query: - language: kuery - query: '""geo.src : "US" ""' - searchType: searchSource - size: 100 - threshold: - - 1000 - thresholdComparator: '>' - timeWindowSize: 5 - timeWindowUnit: m - rule_type_id: .es-query - schedule: - interval: 1m - createEsQueryRuleRequest: - description: | - Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications. - summary: Elasticsearch query rule (DSL) - value: - actions: - - frequency: - notify_when: onThrottleInterval - summary: true - throttle: 1d - group: query matched - id: fdbece50-406c-11ee-850e-c71febc4ca7f - params: - level: info - message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts. - - frequency: - notify_when: onActionGroupChange - summary: false - group: recovered - id: fdbece50-406c-11ee-850e-c71febc4ca7f - params: - level: info - message: Recovered - consumer: alerts - name: my Elasticsearch query rule - params: - esQuery: '"""{"query":{"match_all" : {}}}"""' - index: - - kibana_sample_data_logs - size: 100 - threshold: - - 100 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 1 - timeWindowUnit: d - rule_type_id: .es-query - schedule: - interval: 1d - createIndexThresholdRuleRequest: - description: | - Create an index threshold rule that uses a server log connector to send notifications when the threshold is met. 
- summary: Index threshold rule - value: - actions: - - frequency: - notify_when: onActionGroupChange - summary: false - group: threshold met - id: 48de3460-f401-11ed-9f8e-399c75a2deeb - params: - level: info - message: |- - Rule '{{rule.name}}' is active for group '{{context.group}}': - - - Value: {{context.value}} - - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - - Timestamp: {{context.date}} - alert_delay: - active: 3 - consumer: alerts - name: my rule - params: - aggField: sheet.version - aggType: avg - groupBy: top - index: - - .test-index - termField: name.keyword - termSize: 6 - threshold: - - 1000 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 5 - timeWindowUnit: m - rule_type_id: .index-threshold - schedule: - interval: 1m - tags: - - cpu - createTrackingContainmentRuleRequest: - description: | - Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary. 
- summary: Tracking containment rule - value: - consumer: alerts - name: my tracking rule - params: - boundaryGeoField: location - boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc - boundaryIndexTitle: boundary* - boundaryNameField: name - boundaryType: entireIndex - dateField": '@timestamp' - entity: agent.keyword - geoField: geo.coordinates - index: kibana_sample_data_logs - indexId: 90943e30-9a47-11e8-b64d-95841ca0b247 - rule_type_id: .geo-containment - schedule: - interval: 1h - schema: - anyOf: - - discriminator: - propertyName: rule_type_id - oneOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting' - - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_es-query-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_transform-health-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting' - - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting' - - additionalProperties: false - type: object - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. 
- nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. 
- type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the rule. - type: object - rule_type_id: - description: The rule type identifier. - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - responses: - '200': - content: - application/json: - examples: - createEsQueryEsqlRuleResponse: - description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL). - summary: Elasticsearch query rule (ES|QL) - value: - actions: - - connector_type_id: .server-log - frequency: - notify_when: onActiveAlert - summary: false - throttle: null - group: query matched - id: d0db1fe0-78d6-11ee-9177-f7d404c8c945 - params: - level: info - message: |- - Elasticsearch query rule '{{rule.name}}' is active: - - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}} - uuid: bfe370a3-531b-4855-bbe6-ad739f578844 - api_key_created_by_user: false - api_key_owner: elastic - consumer: stackAlerts - created_at: '2023-11-01T19:00:10.453Z' - created_by: elastic - enabled: true - execution_status: - last_execution_date: '2023-11-01T19:00:10.453Z' - status: pending - id: e0d62360-78e8-11ee-9177-f7d404c8c945 - mute_all: false - muted_alert_ids: [] - name: my Elasticsearch query ESQL rule - notify_when: null - params: - aggType: count - esqlQuery: - esql: FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != "GB" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10 - excludeHitsFromPreviousRun": true, - groupBy: all - searchType: esqlQuery - size: 0 - threshold: - - 0 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 1 - timeWindowUnit: d - revision: 0 - rule_type_id: .es-query - running: false - schedule: - interval: 1d - scheduled_task_id: e0d62360-78e8-11ee-9177-f7d404c8c945 - tags: [] - throttle: null - updated_at: '2023-11-01T19:00:10.453Z' - updated_by: elastic", - createEsQueryKqlRuleResponse: - 
description: The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL). - summary: Elasticsearch query rule (KQL) - value: - actions: [] - api_key_created_by_user: false - api_key_owner: elastic - consumer: alerts - created_at: '2023-07-14T20:24:50.729Z' - created_by: elastic - enabled: true - execution_status: - last_execution_date: '2023-07-14T20:24:50.729Z' - status: pending - id: 7bd506d0-2284-11ee-8fad-6101956ced88 - mute_all: false - muted_alert_ids: [] - name: my Elasticsearch query KQL rule" - notify_when: null - params: - aggType: count - excludeHitsFromPreviousRun: true - groupBy: all - searchConfiguration: - index: 90943e30-9a47-11e8-b64d-95841ca0b247 - query: - language: kuery - query: '""geo.src : "US" ""' - searchType: searchSource - size: 100 - threshold: - - 1000 - thresholdComparator: '>' - timeWindowSize: 5 - timeWindowUnit: m - revision: 0 - rule_type_id: .es-query - running: false - schedule: - interval: 1m - scheduled_task_id: 7bd506d0-2284-11ee-8fad-6101956ced88 - tags: [] - throttle: null - updated_at: '2023-07-14T20:24:50.729Z' - updated_by: elastic - createEsQueryRuleResponse: - description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL). - summary: Elasticsearch query rule (DSL) - value: - actions: - - connector_type_id: .server-log - frequency: - notify_when: onThrottleInterval - summary: true - throttle: 1d - group: query matched - id: fdbece50-406c-11ee-850e-c71febc4ca7f - params: - level: info - message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts. 
- uuid: 53f3c2a3-e5d0-4cfa-af3b-6f0881385e78 - - connector_type_id: .server-log - frequency: - notify_when: onActionGroupChange - summary: false - throttle: null - group: recovered - id: fdbece50-406c-11ee-850e-c71febc4ca7f - params: - level: info - message: Recovered - uuid: 2324e45b-c0df-45c7-9d70-4993e30be758 - api_key_created_by_user: false - api_key_owner: elastic - consumer: alerts - created_at: '2023-08-22T00:03:38.263Z' - created_by: elastic - enabled: true - execution_status: - last_execution_date: '2023-08-22T00:03:38.263Z' - status: pending - id: 58148c70-407f-11ee-850e-c71febc4ca7f - mute_all: false - muted_alert_ids: [] - name: my Elasticsearch query rule - notify_when: null - params: - aggType: count - esQuery: '"""{"query":{"match_all" : {}}}"""' - excludeHitsFromPreviousRun: true - groupBy: all - index: - - kibana_sample_data_logs - searchType: esQuery - size: 100 - threshold: - - 100 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 1 - timeWindowUnit: d - revision: 0 - rule_type_id: .es-query - running: false - schedule: - interval: 1d - scheduled_task_id: 58148c70-407f-11ee-850e-c71febc4ca7f - tags: [] - throttle: null - updated_at: '2023-08-22T00:03:38.263Z' - updated_by: elastic - createIndexThresholdRuleResponse: - description: The response for successfully creating an index threshold rule. 
- summary: Index threshold rule - value: - actions: - - connector_type_id: .server-log - frequency: - notify_when: onActionGroupChange - summary: false - throttle: null - group: threshold met - id: dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2 - params: - level: info - message: |- - Rule {{rule.name}} is active for group {{context.group} : - - - Value: {{context.value}} - - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - - Timestamp: {{context.date}} - uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d - alert_delay: - active: 3 - api_key_created_by_user: false - api_key_owner: elastic - consumer: alerts - created_at: '2022-06-08T17:20:31.632Z' - created_by: elastic - enabled: true - execution_status: - last_execution_date: '2022-06-08T17:20:31.632Z' - status: pending - id: 41893910-6bca-11eb-9e0d-85d233e3ee35 - mute_all: false - muted_alert_ids: [] - name: my rule - notify_when: null - params: - aggField: sheet.version - aggType: avg - groupBy: top - index: - - .test-index - termField: name.keyword - termSize: 6 - threshold: - - 1000 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 5 - timeWindowUnit: m - revision: 0 - rule_type_id: .index-threshold - running: false - schedule: - interval: 1m - scheduled_task_id: 425b0800-6bca-11eb-9e0d-85d233e3ee35 - tags: - - cpu - throttle: null - updated_at: '2022-06-08T17:20:31.632Z' - updated_by: elastic - createTrackingContainmentRuleResponse: - description: The response for successfully creating a tracking containment rule. 
- summary: Tracking containment rule - value: - actions: [] - api_key_created_by_user: false - api_key_owner: elastic - consumer: alerts - created_at: '2024-02-14T19:52:55.920Z' - created_by: elastic - enabled: true - execution_status: - last_duration: 74 - last_execution_date: '2024-02-15T03:25:38.125Z' - status: ok - id: b6883f9d-5f70-4758-a66e-369d7c26012f - last_run: - alerts_count: - active: 0 - ignored: 0 - new: 0 - recovered: 0 - outcome: succeeded - outcome_msg: null - outcome_order: 0 - warning: null - mute_all: false - muted_alert_ids: [] - name: my tracking rule - next_run: '2024-02-15T03:26:38.033Z' - notify_when: null - params: - boundaryGeoField: location - boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc - boundaryIndexTitle: boundary* - boundaryNameField: name - boundaryType: entireIndex - dateField: '@timestamp' - entity: agent.keyword - geoField: geo.coordinates - index: kibana_sample_data_logs - indexId: 90943e30-9a47-11e8-b64d-95841ca0b247 - revision: 1 - rule_type_id: .geo-containment - running: false - schedule: - interval: 1h - scheduled_task_id: b6883f9d-5f70-4758-a66e-369d7c26012f - tags: [] - throttle: null - updated_at: '2024-02-15T03:24:32.574Z' - updated_by: elastic - schema: - additionalProperties: false - type: object - properties: - actions: - items: - additionalProperties: false - type: object - properties: - alerts_filter: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. 
- items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - connector_type_id: - description: The type of connector. This property appears in responses but cannot be set in requests. - type: string - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. 
- type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - - connector_type_id - - params - type: array - active_snoozes: - items: - description: List of active snoozes for the rule. - type: string - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - api_key_created_by_user: - description: Indicates whether the API key that is associated with the rule was created by the user. - nullable: true - type: boolean - api_key_owner: - description: The owner of the API key that is associated with the rule and used to run background tasks. - nullable: true - type: string - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - description: User-created content that describes alert causes and remdiation. - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - created_at: - description: The date and time that the rule was created. - type: string - created_by: - description: The identifier for the user that created the rule. 
- nullable: true - type: string - enabled: - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - execution_status: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - description: Error message. - type: string - reason: - description: Reason for error. - enum: - - read - - decrypt - - execute - - unknown - - license - - timeout - - disabled - - validate - type: string - required: - - reason - - message - last_duration: - description: Duration of last execution of the rule. - type: number - last_execution_date: - description: The date and time when rule was executed last. - type: string - status: - description: Status of rule execution. - enum: - - ok - - active - - error - - warning - - pending - - unknown - type: string - warning: - additionalProperties: false - type: object - properties: - message: - description: Warning message. - type: string - reason: - description: Reason for warning. - enum: - - maxExecutableActions - - maxAlerts - - maxQueuedActions - - ruleExecution - type: string - required: - - reason - - message - required: - - status - - last_execution_date - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. 
- maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - id: - description: The identifier for the rule. - type: string - is_snoozed_until: - description: The date when the rule will no longer be snoozed. - nullable: true - type: string - last_run: - additionalProperties: false - nullable: true - type: object - properties: - alerts_count: - additionalProperties: false - type: object - properties: - active: - description: Number of active alerts during last run. - nullable: true - type: number - ignored: - description: Number of ignored alerts during last run. - nullable: true - type: number - new: - description: Number of new alerts during last run. - nullable: true - type: number - recovered: - description: Number of recovered alerts during last run. - nullable: true - type: number - outcome: - description: Outcome of last run of the rule. Value could be succeeded, warning or failed. - enum: - - succeeded - - warning - - failed - type: string - outcome_msg: - items: - description: Outcome message generated during last rule run. - type: string - nullable: true - type: array - outcome_order: - description: Order of the outcome. - type: number - warning: - description: Warning of last rule execution. - enum: - - read - - decrypt - - execute - - unknown - - license - - timeout - - disabled - - validate - - maxExecutableActions - - maxAlerts - - maxQueuedActions - - ruleExecution - nullable: true - type: string - required: - - outcome - - alerts_count - mapped_params: - additionalProperties: - nullable: true - type: object - monitoring: - additionalProperties: false - description: Monitoring details of the rule. - type: object - properties: - run: - additionalProperties: false - description: Rule run details. - type: object - properties: - calculated_metrics: - additionalProperties: false - description: Calculation of different percentiles and success ratio. 
- type: object - properties: - p50: - type: number - p95: - type: number - p99: - type: number - success_ratio: - type: number - required: - - success_ratio - history: - description: History of the rule run. - items: - additionalProperties: false - type: object - properties: - duration: - description: Duration of the rule run. - type: number - outcome: - description: Outcome of last run of the rule. Value could be succeeded, warning or failed. - enum: - - succeeded - - warning - - failed - type: string - success: - description: Indicates whether the rule run was successful. - type: boolean - timestamp: - description: Time of rule run. - type: number - required: - - success - - timestamp - type: array - last_run: - additionalProperties: false - type: object - properties: - metrics: - additionalProperties: false - type: object - properties: - duration: - description: Duration of most recent rule run. - type: number - gap_duration_s: - description: Duration in seconds of rule run gap. - nullable: true - type: number - gap_range: - additionalProperties: false - nullable: true - type: object - properties: - gte: - description: End of the gap range. - type: string - lte: - description: Start of the gap range. - type: string - required: - - lte - - gte - total_alerts_created: - description: Total number of alerts created during last rule run. - nullable: true - type: number - total_alerts_detected: - description: Total number of alerts detected during last rule run. - nullable: true - type: number - total_indexing_duration_ms: - description: Total time spent indexing documents during last rule run in milliseconds. - nullable: true - type: number - total_search_duration_ms: - description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. - nullable: true - type: number - timestamp: - description: Time of the most recent rule run. 
- type: string - required: - - timestamp - - metrics - required: - - history - - calculated_metrics - - last_run - required: - - run - mute_all: - description: Indicates whether all alerts are muted. - type: boolean - muted_alert_ids: - items: - description: 'List of identifiers of muted alerts. ' - type: string - type: array - name: - description: ' The name of the rule.' - type: string - next_run: - description: Date and time of the next run of the rule. - nullable: true - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: - nullable: true - description: The parameters for the rule. - type: object - revision: - description: The rule revision number. - type: number - rule_type_id: - description: The rule type identifier. - type: string - running: - description: Indicates whether the rule is running. - nullable: true - type: boolean - schedule: - additionalProperties: false - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - scheduled_task_id: - description: Identifier of the scheduled task. 
- type: string - snooze_schedule: - items: - additionalProperties: false - type: object - properties: - duration: - description: Duration of the rule snooze schedule. - type: number - id: - description: Identifier of the rule snooze schedule. - type: string - rRule: - additionalProperties: false - type: object - properties: - byhour: - items: - description: Indicates hours of the day to recur. - type: number - nullable: true - type: array - byminute: - items: - description: Indicates minutes of the hour to recur. - type: number - nullable: true - type: array - bymonth: - items: - description: Indicates months of the year that this rule should recur. - type: number - nullable: true - type: array - bymonthday: - items: - description: Indicates the days of the month to recur. - type: number - nullable: true - type: array - bysecond: - items: - description: Indicates seconds of the day to recur. - type: number - nullable: true - type: array - bysetpos: - items: - description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. - type: number - nullable: true - type: array - byweekday: - items: - anyOf: - - type: string - - type: number - description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. - nullable: true - type: array - byweekno: - items: - description: Indicates number of the week hours to recur. - type: number - nullable: true - type: array - byyearday: - items: - description: Indicates the days of the year that this rule should recur. - type: number - nullable: true - type: array - count: - description: Number of times the rule should recur until it stops. 
- type: number - dtstart: - description: Rule start date in Coordinated Universal Time (UTC). - type: string - freq: - description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. - enum: - - 0 - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - type: integer - interval: - description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. - type: number - tzid: - description: Indicates timezone abbreviation. - type: string - until: - description: Recur the rule until this date. - type: string - wkst: - description: Indicates the start of week, defaults to Monday. - enum: - - MO - - TU - - WE - - TH - - FR - - SA - - SU - type: string - required: - - dtstart - - tzid - skipRecurrences: - items: - description: Skips recurrence of rule on this date. - type: string - type: array - required: - - duration - - rRule - type: array - tags: - items: - description: The tags for the rule. - type: string - type: array - throttle: - deprecated: true - description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - updated_at: - description: The date and time that the rule was updated most recently. - type: string - updated_by: - description: The identifier for the user that updated this rule most recently. - nullable: true - type: string - view_in_app_relative_url: - description: Relative URL to view rule in the app. 
- nullable: true - type: string - required: - - id - - enabled - - name - - tags - - rule_type_id - - consumer - - schedule - - actions - - params - - created_by - - updated_by - - created_at - - updated_at - - api_key_owner - - mute_all - - muted_alert_ids - - execution_status - - revision - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '409': - description: Indicates that the rule id is already in use. - summary: Create a rule - tags: - - alerting - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/alerting/rule/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - put: - operationId: put-alerting-rule-id - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - updateRuleRequest: - description: Update an index threshold rule that uses a server log connector to send notifications when the threshold is met. - summary: Index threshold rule - value: - actions: - - frequency: - notify_when: onActionGroupChange - summary: false - group: threshold met - id: 96b668d0-a1b6-11ed-afdf-d39a49596974 - params: - level: info - message: |- - Rule {{rule.name}} is active for group {{context.group}}: - - - Value: {{context.value}} - - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - - Timestamp: {{context.date}} - name: new name - params: - aggField: sheet.version - aggType: avg - groupBy: top - index: - - .updated-index - termField: name.keyword - termSize: 6 - threshold: - - 1000 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 5 - timeWindowUnit: m - schedule: - interval: 1m - tags: [] - schema: - additionalProperties: false - type: object - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). 
- type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. 
Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. 
- type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. 
- maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the rule. - type: object - schedule: - additionalProperties: false - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - items: - description: The tags for the rule. - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - name - - schedule - responses: - '200': - content: - application/json: - examples: - updateRuleResponse: - description: The response for successfully updating an index threshold rule. - summary: Index threshold rule - value: - actions: - - connector_type_id: .server-log - frequency: - notify_when: onActionGroupChange - summary: false - throttle: null - group: threshold met - id: 96b668d0-a1b6-11ed-afdf-d39a49596974 - params: - level: info - message: |- - Rule {{rule.name}} is active for group {{context.group}}: - - - Value: {{context.value}} - - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - - Timestamp: {{context.date} - uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d - api_key_created_by_user: false - api_key_owner: elastic - consumer: alerts - created_at: '2024-03-26T23:13:20.985Z' - created_by: elastic - enabled: true - execution_status: - last_duration: 52 - last_execution_date: '2024-03-26T23:22:51.390Z' - status: ok - id: ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74 - last_run: - alerts_count: - active: 0 - ignored: 0 - new: 0 - recovered: 0 - outcome: succeeded - outcome_msg: null - warning: null - mute_all: false - muted_alert_ids: [] - name: new name - next_run: '2024-03-26T23:23:51.316Z' - params: - aggField: sheet.version - aggType: avg - groupBy: top - index: - - .updated-index - termField: name.keyword - termSize: 6 - threshold: - - 1000 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 5 - timeWindowUnit: m - revision: 1 - rule_type_id: .index-threshold - running: false - schedule: - interval: 1m - scheduled_task_id: 4c5eda00-e74f-11ec-b72f-5b18752ff9ea - tags: [] - throttle: null - updated_at: '2024-03-26T23:22:59.949Z' - updated_by: elastic - schema: - additionalProperties: false - type: object - properties: - actions: - items: - additionalProperties: false - type: object - properties: - alerts_filter: - additionalProperties: false - 
description: Defines a period that limits whether the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. 
Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - connector_type_id: - description: The type of connector. This property appears in responses but cannot be set in requests. - type: string - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). 
Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - - connector_type_id - - params - type: array - active_snoozes: - items: - description: List of active snoozes for the rule. - type: string - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - api_key_created_by_user: - description: Indicates whether the API key that is associated with the rule was created by the user. - nullable: true - type: boolean - api_key_owner: - description: The owner of the API key that is associated with the rule and used to run background tasks. - nullable: true - type: string - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - description: User-created content that describes alert causes and remdiation. - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - created_at: - description: The date and time that the rule was created. - type: string - created_by: - description: The identifier for the user that created the rule. - nullable: true - type: string - enabled: - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - execution_status: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - description: Error message. - type: string - reason: - description: Reason for error. - enum: - - read - - decrypt - - execute - - unknown - - license - - timeout - - disabled - - validate - type: string - required: - - reason - - message - last_duration: - description: Duration of last execution of the rule. - type: number - last_execution_date: - description: The date and time when rule was executed last. - type: string - status: - description: Status of rule execution. - enum: - - ok - - active - - error - - warning - - pending - - unknown - type: string - warning: - additionalProperties: false - type: object - properties: - message: - description: Warning message. - type: string - reason: - description: Reason for warning. - enum: - - maxExecutableActions - - maxAlerts - - maxQueuedActions - - ruleExecution - type: string - required: - - reason - - message - required: - - status - - last_execution_date - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. 
- type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - id: - description: The identifier for the rule. - type: string - is_snoozed_until: - description: The date when the rule will no longer be snoozed. - nullable: true - type: string - last_run: - additionalProperties: false - nullable: true - type: object - properties: - alerts_count: - additionalProperties: false - type: object - properties: - active: - description: Number of active alerts during last run. - nullable: true - type: number - ignored: - description: Number of ignored alerts during last run. - nullable: true - type: number - new: - description: Number of new alerts during last run. - nullable: true - type: number - recovered: - description: Number of recovered alerts during last run. - nullable: true - type: number - outcome: - description: Outcome of last run of the rule. Value could be succeeded, warning or failed. - enum: - - succeeded - - warning - - failed - type: string - outcome_msg: - items: - description: Outcome message generated during last rule run. - type: string - nullable: true - type: array - outcome_order: - description: Order of the outcome. - type: number - warning: - description: Warning of last rule execution. - enum: - - read - - decrypt - - execute - - unknown - - license - - timeout - - disabled - - validate - - maxExecutableActions - - maxAlerts - - maxQueuedActions - - ruleExecution - nullable: true - type: string - required: - - outcome - - alerts_count - mapped_params: - additionalProperties: - nullable: true - type: object - monitoring: - additionalProperties: false - description: Monitoring details of the rule. 
- type: object - properties: - run: - additionalProperties: false - description: Rule run details. - type: object - properties: - calculated_metrics: - additionalProperties: false - description: Calculation of different percentiles and success ratio. - type: object - properties: - p50: - type: number - p95: - type: number - p99: - type: number - success_ratio: - type: number - required: - - success_ratio - history: - description: History of the rule run. - items: - additionalProperties: false - type: object - properties: - duration: - description: Duration of the rule run. - type: number - outcome: - description: Outcome of last run of the rule. Value could be succeeded, warning or failed. - enum: - - succeeded - - warning - - failed - type: string - success: - description: Indicates whether the rule run was successful. - type: boolean - timestamp: - description: Time of rule run. - type: number - required: - - success - - timestamp - type: array - last_run: - additionalProperties: false - type: object - properties: - metrics: - additionalProperties: false - type: object - properties: - duration: - description: Duration of most recent rule run. - type: number - gap_duration_s: - description: Duration in seconds of rule run gap. - nullable: true - type: number - gap_range: - additionalProperties: false - nullable: true - type: object - properties: - gte: - description: End of the gap range. - type: string - lte: - description: Start of the gap range. - type: string - required: - - lte - - gte - total_alerts_created: - description: Total number of alerts created during last rule run. - nullable: true - type: number - total_alerts_detected: - description: Total number of alerts detected during last rule run. - nullable: true - type: number - total_indexing_duration_ms: - description: Total time spent indexing documents during last rule run in milliseconds. 
- nullable: true - type: number - total_search_duration_ms: - description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. - nullable: true - type: number - timestamp: - description: Time of the most recent rule run. - type: string - required: - - timestamp - - metrics - required: - - history - - calculated_metrics - - last_run - required: - - run - mute_all: - description: Indicates whether all alerts are muted. - type: boolean - muted_alert_ids: - items: - description: 'List of identifiers of muted alerts. ' - type: string - type: array - name: - description: ' The name of the rule.' - type: string - next_run: - description: Date and time of the next run of the rule. - nullable: true - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: - nullable: true - description: The parameters for the rule. - type: object - revision: - description: The rule revision number. - type: number - rule_type_id: - description: The rule type identifier. - type: string - running: - description: Indicates whether the rule is running. 
- nullable: true - type: boolean - schedule: - additionalProperties: false - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - scheduled_task_id: - description: Identifier of the scheduled task. - type: string - snooze_schedule: - items: - additionalProperties: false - type: object - properties: - duration: - description: Duration of the rule snooze schedule. - type: number - id: - description: Identifier of the rule snooze schedule. - type: string - rRule: - additionalProperties: false - type: object - properties: - byhour: - items: - description: Indicates hours of the day to recur. - type: number - nullable: true - type: array - byminute: - items: - description: Indicates minutes of the hour to recur. - type: number - nullable: true - type: array - bymonth: - items: - description: Indicates months of the year that this rule should recur. - type: number - nullable: true - type: array - bymonthday: - items: - description: Indicates the days of the month to recur. - type: number - nullable: true - type: array - bysecond: - items: - description: Indicates seconds of the day to recur. - type: number - nullable: true - type: array - bysetpos: - items: - description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. - type: number - nullable: true - type: array - byweekday: - items: - anyOf: - - type: string - - type: number - description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. - nullable: true - type: array - byweekno: - items: - description: Indicates number of the week hours to recur. 
- type: number - nullable: true - type: array - byyearday: - items: - description: Indicates the days of the year that this rule should recur. - type: number - nullable: true - type: array - count: - description: Number of times the rule should recur until it stops. - type: number - dtstart: - description: Rule start date in Coordinated Universal Time (UTC). - type: string - freq: - description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. - enum: - - 0 - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - type: integer - interval: - description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. - type: number - tzid: - description: Indicates timezone abbreviation. - type: string - until: - description: Recur the rule until this date. - type: string - wkst: - description: Indicates the start of week, defaults to Monday. - enum: - - MO - - TU - - WE - - TH - - FR - - SA - - SU - type: string - required: - - dtstart - - tzid - skipRecurrences: - items: - description: Skips recurrence of rule on this date. - type: string - type: array - required: - - duration - - rRule - type: array - tags: - items: - description: The tags for the rule. - type: string - type: array - throttle: - deprecated: true - description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - updated_at: - description: The date and time that the rule was updated most recently. - type: string - updated_by: - description: The identifier for the user that updated this rule most recently. 
- nullable: true - type: string - view_in_app_relative_url: - description: Relative URL to view rule in the app. - nullable: true - type: string - required: - - id - - enabled - - name - - tags - - rule_type_id - - consumer - - schedule - - actions - - params - - created_by - - updated_by - - created_at - - updated_at - - api_key_owner - - mute_all - - muted_alert_ids - - execution_status - - revision - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given ID does not exist. - '409': - description: Indicates that the rule has already been updated by another user. - summary: Update a rule - tags: - - alerting - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/alerting/rule/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/alerting/rule/{id}/_disable: - post: - operationId: post-alerting-rule-id-disable - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - disableRuleRequest: - description: A request that disables a rule and untracks all alerts that were generated by the rule. - summary: Disable a rule and untrack its alerts - value: - untrack: true - schema: - additionalProperties: false - nullable: true - type: object - properties: - untrack: - description: Defines whether this rule's alerts should be untracked. - type: boolean - x-oas-optional: true - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given ID does not exist. - summary: Disable a rule - tags: - - alerting - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/alerting/rule/{id}/_disable
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/alerting/rule/{id}/_enable: - post: - operationId: post-alerting-rule-id-enable - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given ID does not exist. - summary: Enable a rule - tags: - - alerting - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/alerting/rule/{id}/_enable
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/alerting/rule/{id}/_mute_all: - post: - operationId: post-alerting-rule-id-mute-all - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given ID does not exist. - summary: Mute all alerts - tags: - - alerting - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/alerting/rule/{id}/_mute_all
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/alerting/rule/{id}/_unmute_all: - post: - operationId: post-alerting-rule-id-unmute-all - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given ID does not exist. - summary: Unmute all alerts - tags: - - alerting - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/alerting/rule/{id}/_unmute_all
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/alerting/rule/{id}/_update_api_key: - post: - operationId: post-alerting-rule-id-update-api-key - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given ID does not exist. - '409': - description: Indicates that the rule has already been updated by another user. - summary: Update the API key for a rule - tags: - - alerting - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/alerting/rule/{id}/_update_api_key
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/alerting/rule/{id}/snooze_schedule: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/alerting/rule/{id}/snooze_schedule
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - When you snooze a rule, the rule checks continue to run but alerts will not generate actions. You can snooze for a specified period of time and schedule single or recurring downtimes. - operationId: post-alerting-rule-id-snooze-schedule - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Identifier of the rule. - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - snoozeRuleRecurringRequest: - description: A request that snoozes a rule every Monday for 8 hours, for 4 occurrences. - summary: Snooze a rule on a recurring weekly schedule - value: - schedule: - custom: - duration: 8h - recurring: - every: 1w - occurrences: 4 - onWeekDay: - - MO - start: '2025-03-17T09:00:00.000Z' - timezone: UTC - snoozeRuleRequest: - description: A request that snoozes a rule for 24 hours starting now. - summary: Snooze a rule for 24 hours - value: - schedule: - custom: - duration: 24h - start: '2025-03-12T12:00:00.000Z' - timezone: UTC - schema: - additionalProperties: false - type: object - properties: - schedule: - additionalProperties: false - type: object - properties: - custom: - additionalProperties: false - type: object - properties: - duration: - description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' - type: string - recurring: - additionalProperties: false - type: object - properties: - end: - description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' - type: string - every: - description: 'The interval and frequency of a recurring schedule. 
It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' - type: string - occurrences: - description: The total number of recurrences of the schedule. - minimum: 1 - type: number - onMonth: - description: The specific months for a recurring schedule. Valid values are 1-12. - items: - maximum: 12 - minimum: 1 - type: number - minItems: 1 - type: array - onMonthDay: - description: The specific days of the month for a recurring schedule. Valid values are 1-31. - items: - maximum: 31 - minimum: 1 - type: number - minItems: 1 - type: array - onWeekDay: - description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. - items: - type: string - minItems: 1 - type: array - start: - description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' - type: string - timezone: - description: The timezone of the schedule. The default timezone is UTC. - type: string - required: - - start - - duration - required: - - schedule - responses: - '200': - content: - application/json: - examples: - snoozeRuleResponse: - description: A response that contains the created snooze schedule. - summary: Snooze schedule response - value: - schedule: - custom: - duration: 24h - start: '2025-03-12T12:00:00.000Z' - timezone: UTC - id: 9ac67950-6737-11ec-8ded-d7f6e1581b26 - schema: - additionalProperties: false - type: object - properties: - body: - additionalProperties: false - type: object - properties: - schedule: - additionalProperties: false - type: object - properties: - custom: - additionalProperties: false - type: object - properties: - duration: - description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' 
- type: string - recurring: - additionalProperties: false - type: object - properties: - end: - description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' - type: string - every: - description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' - type: string - occurrences: - description: The total number of recurrences of the schedule. - minimum: 1 - type: number - onMonth: - description: The specific months for a recurring schedule. Valid values are 1-12. - items: - maximum: 12 - minimum: 1 - type: number - minItems: 1 - type: array - onMonthDay: - description: The specific days of the month for a recurring schedule. Valid values are 1-31. - items: - maximum: 31 - minimum: 1 - type: number - minItems: 1 - type: array - onWeekDay: - description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. - items: - type: string - minItems: 1 - type: array - start: - description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' - type: string - timezone: - description: The timezone of the schedule. The default timezone is UTC. - type: string - required: - - start - - duration - id: - description: Identifier of the snooze schedule. - type: string - required: - - id - required: - - schedule - required: - - body - description: Indicates a successful call. - '400': - description: Indicates an invalid schema. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given id does not exist. 
- summary: Schedule a snooze for the rule - tags: - - alerting - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute: - post: - operationId: post-alerting-rule-rule-id-alert-alert-id-mute - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: rule_id - required: true - schema: - type: string - - description: The identifier for the alert. - in: path - name: alert_id - required: true - schema: - type: string - - description: Whether to validate the existence of the alert. - in: query - name: validate_alerts_existence - required: false - schema: - type: boolean - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule or alert with the given ID does not exist. - summary: Mute an alert - tags: - - alerting - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute: - post: - operationId: post-alerting-rule-rule-id-alert-alert-id-unmute - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: rule_id - required: true - schema: - type: string - - description: The identifier for the alert. - in: path - name: alert_id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule or alert with the given ID does not exist. - summary: Unmute an alert - tags: - - alerting - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}: - delete: - operationId: delete-alerting-rule-ruleid-snooze-schedule-scheduleid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: ruleId - required: true - schema: - type: string - - description: The identifier for the snooze schedule. - in: path - name: scheduleId - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given id does not exist. - summary: Delete a snooze schedule for a rule - tags: - - alerting - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/alerting/rules/_find: - get: - operationId: get-alerting-rules-find - parameters: - - description: The number of rules to return per page. - in: query - name: per_page - required: false - schema: - default: 10 - minimum: 0 - type: number - - description: The page number to return. - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: number - - description: An Elasticsearch simple_query_string query that filters the objects in the response. - in: query - name: search - required: false - schema: - type: string - - description: The default operator to use for the simple_query_string. - in: query - name: default_search_operator - required: false - schema: - default: OR - enum: - - OR - - AND - type: string - - description: The fields to perform the simple_query_string parsed query against. - in: query - name: search_fields - required: false - schema: - items: - type: string - type: array - - description: Determines which field is used to sort the results. The field must exist in the `attributes` key of the response. - in: query - name: sort_field - required: false - schema: - type: string - - description: Determines the sort order. - in: query - name: sort_order - required: false - schema: - enum: - - asc - - desc - type: string - - description: Filters the rules that have a relation with the reference objects with a specific type and identifier. - in: query - name: has_reference - required: false - schema: - additionalProperties: false - nullable: true - type: object - properties: - id: - type: string - type: - type: string - required: - - type - - id - - description: The fields to return in the `attributes` key of the response. - in: query - name: fields - required: false - schema: - items: - type: string - type: array - - description: 'A KQL string that you filter with an attribute from your saved object. 
It should look like `savedObjectType.attributes.title: "myTitle"`. However, if you used a direct attribute of a saved object, such as `updatedAt`, you must define your filter, for example, `savedObjectType.updatedAt > 2018-12-22`.' - in: query - name: filter - required: false - schema: - type: string - - in: query - name: filter_consumers - required: false - schema: - items: - description: List of consumers to filter. - type: string - type: array - responses: - '200': - content: - application/json: - examples: - findConditionalActionRulesResponse: - description: A response that contains information about an index threshold rule. - summary: Index threshold rule - value: - data: - - actions: - - frequency: - notify_when: onActionGroupChange - summary: false - throttle: null - group: threshold met - id: 9dca3e00-74f5-11ed-9801-35303b735aef - params: - connector_type_id: .server-log - level: info - message: |- - Rule {{rule.name}} is active for group {{context.group}}: - - - Value: {{context.value}} - - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - - Timestamp: {{context.date}} - uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61 - api_key_created_by_user: false - api_key_owner: elastic - consumer: alerts - created_at: '2022-12-05T23:40:33.132Z' - created_by: elastic - enabled: true - execution_status: - last_duration: 48 - last_execution_date: '2022-12-06T01:44:23.983Z' - status: ok - id: 3583a470-74f6-11ed-9801-35303b735aef - last_run: - alerts_count: - active: 0 - ignored: 0 - new: 0 - recovered: 0 - outcome: succeeded - outcome_msg: null - warning: null - mute_all: false - muted_alert_ids: [] - name: my alert - next_run: '2022-12-06T01:45:23.912Z' - params: - aggField: sheet.version - aggType: avg - groupBy: top - index: - - test-index - termField: name.keyword - termSize: 6 - threshold: - - 1000 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 5 - timeWindowUnit: m - revision: 1 - 
rule_type_id: .index-threshold - schedule: - interval: 1m - scheduled_task_id: 3583a470-74f6-11ed-9801-35303b735aef - tags: - - cpu - throttle: null - updated_at: '2022-12-05T23:40:33.132Z' - updated_by: elastic - page: 1 - per_page: 10 - total: 1 - findRulesResponse: - description: A response that contains information about a security rule that has conditional actions. - summary: Security rule - value: - data: - - actions: - - alerts_filter: - query: - filters: - - $state: - store: appState - meta: - alias: null - disabled: false - field: client.geo.region_iso_code - index: c4bdca79-e69e-4d80-82a1-e5192c621bea - key: client.geo.region_iso_code - negate: false - params: - query: CA-QC - type: phrase - query: - match_phrase: - client.geo.region_iso_code: CA-QC - kql: '' - timeframe: - days: - - 7 - hours: - end: '17:00' - start: '08:00' - timezone: UTC - connector_type_id: .index - frequency: - notify_when: onActiveAlert - summary: true - throttle: null - group: default - id: 49eae970-f401-11ed-9f8e-399c75a2deeb - params: - documents: - - alert_id: - '[object Object]': null - context_message: - '[object Object]': null - rule_id: - '[object Object]': null - rule_name: - '[object Object]': null - uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61 - api_key_created_by_user: false - api_key_owner: elastic - consumer: siem - created_at: '2023-05-16T15:50:28.358Z' - created_by: elastic - enabled: true - execution_status: - last_duration: 166 - last_execution_date: '2023-05-16T20:26:49.590Z' - status: ok - id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb - last_run: - alerts_count: - active: 0 - ignored: 0 - new: 0 - recovered: 0 - outcome: succeeded - outcome_msg: - - Rule execution completed successfully - outcome_order: 0 - warning: null - mute_all: false - muted_alert_ids: [] - name: security_rule - next_run: '2023-05-16T20:27:49.507Z' - notify_when: null - params: - author: [] - description: A security threshold rule. 
- exceptionsList: [] - falsePositives: [] - filters: [] - from: now-3660s - immutable: false - index: - - kibana_sample_data_logs - language: kuery - license: '' - maxSignals: 100 - meta: - from: 1h - kibana_siem_app_url: https://localhost:5601/app/security - outputIndex: '' - query: '*' - references: [] - riskScore: 21 - riskScoreMapping: [] - ruleId: an_internal_rule_id - severity: low - severityMapping: [] - threat: [] - threshold: - cardinality: [] - field: - - bytes - value: 1 - to: now - type: threshold - version: 1 - revision: 1 - rule_type_id: siem.thresholdRule - running: false - schedule: - interval: 1m - scheduled_task_id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb - tags: [] - throttle: null - updated_at: '2023-05-16T20:25:42.559Z' - updated_by: elastic - page: 1 - per_page: 10 - total: 1 - schema: - additionalProperties: false - type: object - properties: - actions: - items: - additionalProperties: false - type: object - properties: - alerts_filter: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. 
- enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - connector_type_id: - description: The type of connector. This property appears in responses but cannot be set in requests. - type: string - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. 
- type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - - connector_type_id - - params - type: array - active_snoozes: - items: - description: List of active snoozes for the rule. - type: string - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - api_key_created_by_user: - description: Indicates whether the API key that is associated with the rule was created by the user. - nullable: true - type: boolean - api_key_owner: - description: The owner of the API key that is associated with the rule and used to run background tasks. - nullable: true - type: string - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - description: User-created content that describes alert causes and remdiation. - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - created_at: - description: The date and time that the rule was created. - type: string - created_by: - description: The identifier for the user that created the rule. 
- nullable: true - type: string - enabled: - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - execution_status: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - description: Error message. - type: string - reason: - description: Reason for error. - enum: - - read - - decrypt - - execute - - unknown - - license - - timeout - - disabled - - validate - type: string - required: - - reason - - message - last_duration: - description: Duration of last execution of the rule. - type: number - last_execution_date: - description: The date and time when rule was executed last. - type: string - status: - description: Status of rule execution. - enum: - - ok - - active - - error - - warning - - pending - - unknown - type: string - warning: - additionalProperties: false - type: object - properties: - message: - description: Warning message. - type: string - reason: - description: Reason for warning. - enum: - - maxExecutableActions - - maxAlerts - - maxQueuedActions - - ruleExecution - type: string - required: - - reason - - message - required: - - status - - last_execution_date - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. 
- maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - id: - description: The identifier for the rule. - type: string - is_snoozed_until: - description: The date when the rule will no longer be snoozed. - nullable: true - type: string - last_run: - additionalProperties: false - nullable: true - type: object - properties: - alerts_count: - additionalProperties: false - type: object - properties: - active: - description: Number of active alerts during last run. - nullable: true - type: number - ignored: - description: Number of ignored alerts during last run. - nullable: true - type: number - new: - description: Number of new alerts during last run. - nullable: true - type: number - recovered: - description: Number of recovered alerts during last run. - nullable: true - type: number - outcome: - description: Outcome of last run of the rule. Value could be succeeded, warning or failed. - enum: - - succeeded - - warning - - failed - type: string - outcome_msg: - items: - description: Outcome message generated during last rule run. - type: string - nullable: true - type: array - outcome_order: - description: Order of the outcome. - type: number - warning: - description: Warning of last rule execution. - enum: - - read - - decrypt - - execute - - unknown - - license - - timeout - - disabled - - validate - - maxExecutableActions - - maxAlerts - - maxQueuedActions - - ruleExecution - nullable: true - type: string - required: - - outcome - - alerts_count - mapped_params: - additionalProperties: - nullable: true - type: object - monitoring: - additionalProperties: false - description: Monitoring details of the rule. - type: object - properties: - run: - additionalProperties: false - description: Rule run details. - type: object - properties: - calculated_metrics: - additionalProperties: false - description: Calculation of different percentiles and success ratio. 
- type: object - properties: - p50: - type: number - p95: - type: number - p99: - type: number - success_ratio: - type: number - required: - - success_ratio - history: - description: History of the rule run. - items: - additionalProperties: false - type: object - properties: - duration: - description: Duration of the rule run. - type: number - outcome: - description: Outcome of last run of the rule. Value could be succeeded, warning or failed. - enum: - - succeeded - - warning - - failed - type: string - success: - description: Indicates whether the rule run was successful. - type: boolean - timestamp: - description: Time of rule run. - type: number - required: - - success - - timestamp - type: array - last_run: - additionalProperties: false - type: object - properties: - metrics: - additionalProperties: false - type: object - properties: - duration: - description: Duration of most recent rule run. - type: number - gap_duration_s: - description: Duration in seconds of rule run gap. - nullable: true - type: number - gap_range: - additionalProperties: false - nullable: true - type: object - properties: - gte: - description: End of the gap range. - type: string - lte: - description: Start of the gap range. - type: string - required: - - lte - - gte - total_alerts_created: - description: Total number of alerts created during last rule run. - nullable: true - type: number - total_alerts_detected: - description: Total number of alerts detected during last rule run. - nullable: true - type: number - total_indexing_duration_ms: - description: Total time spent indexing documents during last rule run in milliseconds. - nullable: true - type: number - total_search_duration_ms: - description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. - nullable: true - type: number - timestamp: - description: Time of the most recent rule run. 
- type: string - required: - - timestamp - - metrics - required: - - history - - calculated_metrics - - last_run - required: - - run - mute_all: - description: Indicates whether all alerts are muted. - type: boolean - muted_alert_ids: - items: - description: 'List of identifiers of muted alerts. ' - type: string - type: array - name: - description: ' The name of the rule.' - type: string - next_run: - description: Date and time of the next run of the rule. - nullable: true - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: - nullable: true - description: The parameters for the rule. - type: object - revision: - description: The rule revision number. - type: number - rule_type_id: - description: The rule type identifier. - type: string - running: - description: Indicates whether the rule is running. - nullable: true - type: boolean - schedule: - additionalProperties: false - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - scheduled_task_id: - description: Identifier of the scheduled task. 
- type: string - snooze_schedule: - items: - additionalProperties: false - type: object - properties: - duration: - description: Duration of the rule snooze schedule. - type: number - id: - description: Identifier of the rule snooze schedule. - type: string - rRule: - additionalProperties: false - type: object - properties: - byhour: - items: - description: Indicates hours of the day to recur. - type: number - nullable: true - type: array - byminute: - items: - description: Indicates minutes of the hour to recur. - type: number - nullable: true - type: array - bymonth: - items: - description: Indicates months of the year that this rule should recur. - type: number - nullable: true - type: array - bymonthday: - items: - description: Indicates the days of the month to recur. - type: number - nullable: true - type: array - bysecond: - items: - description: Indicates seconds of the day to recur. - type: number - nullable: true - type: array - bysetpos: - items: - description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. - type: number - nullable: true - type: array - byweekday: - items: - anyOf: - - type: string - - type: number - description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. - nullable: true - type: array - byweekno: - items: - description: Indicates number of the week hours to recur. - type: number - nullable: true - type: array - byyearday: - items: - description: Indicates the days of the year that this rule should recur. - type: number - nullable: true - type: array - count: - description: Number of times the rule should recur until it stops. 
- type: number - dtstart: - description: Rule start date in Coordinated Universal Time (UTC). - type: string - freq: - description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. - enum: - - 0 - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - type: integer - interval: - description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. - type: number - tzid: - description: Indicates timezone abbreviation. - type: string - until: - description: Recur the rule until this date. - type: string - wkst: - description: Indicates the start of week, defaults to Monday. - enum: - - MO - - TU - - WE - - TH - - FR - - SA - - SU - type: string - required: - - dtstart - - tzid - skipRecurrences: - items: - description: Skips recurrence of rule on this date. - type: string - type: array - required: - - duration - - rRule - type: array - tags: - items: - description: The tags for the rule. - type: string - type: array - throttle: - deprecated: true - description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - updated_at: - description: The date and time that the rule was updated most recently. - type: string - updated_by: - description: The identifier for the user that updated this rule most recently. - nullable: true - type: string - view_in_app_relative_url: - description: Relative URL to view rule in the app. 
- nullable: true - type: string - required: - - id - - enabled - - name - - tags - - rule_type_id - - consumer - - schedule - - actions - - params - - created_by - - updated_by - - created_at - - updated_at - - api_key_owner - - mute_all - - muted_alert_ids - - execution_status - - revision - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - summary: Get information about rules - tags: - - alerting - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/alerting/rules/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/alerting/rules/backfill/_find: - post: - operationId: post-alerting-rules-backfill-find - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The end date for filtering backfills. - in: query - name: end - required: false - schema: - type: string - - description: The page number to return. - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: number - - description: The number of backfills to return per page. - in: query - name: per_page - required: false - schema: - default: 10 - minimum: 0 - type: number - - description: A comma-separated list of rule identifiers. - in: query - name: rule_ids - required: false - schema: - type: string - - description: The initiator of the backfill, either `user` for manual backfills or `system` for automatic gap fills. - in: query - name: initiator - required: false - schema: - enum: - - user - - system - type: string - - description: The start date for filtering backfills. - in: query - name: start - required: false - schema: - type: string - - description: The field to sort backfills by. - in: query - name: sort_field - required: false - schema: - enum: - - createdAt - - start - type: string - - description: The sort order. 
- in: query - name: sort_order - required: false - schema: - enum: - - asc - - desc - type: string - responses: - '200': - content: - application/json: - examples: - findBackfillResponse: - summary: Find backfills response - value: - data: - - created_at: '2024-01-30T00:00:00.000Z' - duration: 12h - enabled: true - id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 - initiator: user - rule: - api_key_owner: elastic - consumer: alerts - created_at: '2022-12-05T23:40:33.132Z' - created_by: elastic - enabled: true - id: 3583a470-74f6-11ed-9801-35303b735aef - name: my alert - params: - aggField: sheet.version - aggType: avg - groupBy: top - index: - - test-index - termField: name.keyword - termSize: 6 - threshold: - - 1000 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 5 - timeWindowUnit: m - revision: 0 - rule_type_id: .index-threshold - schedule: - interval: 1m - tags: - - cpu - updated_at: '2022-12-05T23:40:33.132Z' - updated_by: elastic - schedule: - - interval: 12h - run_at: '2024-01-01T12:00:00.000Z' - status: pending - - interval: 12h - run_at: '2024-01-02T00:00:00.000Z' - status: pending - space_id: default - start: '2024-01-01T00:00:00.000Z' - status: pending - page: 1 - per_page: 10 - total: 1 - schema: - additionalProperties: false - type: object - properties: - data: - items: - additionalProperties: false - type: object - properties: - created_at: - type: string - duration: - type: string - enabled: - type: boolean - end: - type: string - id: - type: string - initiator: - enum: - - user - - system - type: string - initiator_id: - type: string - rule: - additionalProperties: false - type: object - properties: - api_key_created_by_user: - nullable: true - type: boolean - api_key_owner: - nullable: true - type: string - consumer: - type: string - created_at: - type: string - created_by: - nullable: true - type: string - enabled: - type: boolean - id: - type: string - name: - type: string - params: - additionalProperties: - nullable: true - 
description: The parameters for the rule. - type: object - revision: - type: number - rule_type_id: - type: string - schedule: - additionalProperties: false - type: object - properties: - interval: - type: string - required: - - interval - tags: - items: - type: string - type: array - updated_at: - type: string - updated_by: - nullable: true - type: string - required: - - id - - name - - tags - - rule_type_id - - params - - api_key_owner - - consumer - - enabled - - schedule - - created_by - - updated_by - - created_at - - updated_at - - revision - schedule: - items: - additionalProperties: false - type: object - properties: - interval: - type: string - run_at: - type: string - status: - enum: - - complete - - pending - - running - - error - - timeout - type: string - required: - - run_at - - status - - interval - type: array - space_id: - type: string - start: - type: string - status: - enum: - - complete - - pending - - running - - error - - timeout - type: string - required: - - id - - created_at - - duration - - enabled - - rule - - space_id - - initiator - - start - - status - - schedule - type: array - page: - type: number - per_page: - type: number - total: - type: number - required: - - page - - per_page - - total - - data - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - summary: Find backfills for rules - tags: - - alerting - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/alerting/rules/backfill/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/alerting/rules/backfill/_schedule: - post: - operationId: post-alerting-rules-backfill-schedule - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - scheduleBackfillRequest: - summary: Schedule a backfill for an index threshold rule - value: - - ranges: - - end: '2024-01-02T00:00:00.000Z' - start: '2024-01-01T00:00:00.000Z' - rule_id: 3583a470-74f6-11ed-9801-35303b735aef - schema: - items: - additionalProperties: false - type: object - properties: - ranges: - items: - additionalProperties: false - type: object - properties: - end: - type: string - start: - type: string - required: - - start - - end - type: array - rule_id: - type: string - run_actions: - type: boolean - required: - - rule_id - - ranges - maxItems: 100 - minItems: 1 - type: array - responses: - '200': - content: - application/json: - examples: - scheduleBackfillResponse: - summary: Schedule backfill response - value: - - created_at: '2024-01-30T00:00:00.000Z' - duration: 12h - enabled: true - id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 - initiator: user - rule: - api_key_owner: elastic - consumer: alerts - created_at: '2022-12-05T23:40:33.132Z' - created_by: elastic - enabled: true - id: 3583a470-74f6-11ed-9801-35303b735aef - name: my alert - params: - aggField: sheet.version - aggType: avg - groupBy: top - index: - - test-index - termField: name.keyword - termSize: 6 - threshold: - - 1000 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 5 - timeWindowUnit: m - revision: 0 - rule_type_id: .index-threshold - schedule: - interval: 1m - tags: - - cpu - updated_at: '2022-12-05T23:40:33.132Z' - updated_by: elastic - schedule: - - interval: 12h - run_at: '2024-01-01T12:00:00.000Z' - status: pending - - 
interval: 12h - run_at: '2024-01-02T00:00:00.000Z' - status: pending - space_id: default - start: '2024-01-01T00:00:00.000Z' - status: pending - schema: - items: - anyOf: - - additionalProperties: false - type: object - properties: - created_at: - type: string - duration: - type: string - enabled: - type: boolean - end: - type: string - id: - type: string - initiator: - enum: - - user - - system - type: string - initiator_id: - type: string - rule: - additionalProperties: false - type: object - properties: - api_key_created_by_user: - nullable: true - type: boolean - api_key_owner: - nullable: true - type: string - consumer: - type: string - created_at: - type: string - created_by: - nullable: true - type: string - enabled: - type: boolean - id: - type: string - name: - type: string - params: - additionalProperties: - nullable: true - description: The parameters for the rule. - type: object - revision: - type: number - rule_type_id: - type: string - schedule: - additionalProperties: false - type: object - properties: - interval: - type: string - required: - - interval - tags: - items: - type: string - type: array - updated_at: - type: string - updated_by: - nullable: true - type: string - required: - - id - - name - - tags - - rule_type_id - - params - - api_key_owner - - consumer - - enabled - - schedule - - created_by - - updated_by - - created_at - - updated_at - - revision - schedule: - items: - additionalProperties: false - type: object - properties: - interval: - type: string - run_at: - type: string - status: - enum: - - complete - - pending - - running - - error - - timeout - type: string - required: - - run_at - - status - - interval - type: array - space_id: - type: string - start: - type: string - status: - enum: - - complete - - pending - - running - - error - - timeout - type: string - required: - - id - - created_at - - duration - - enabled - - rule - - space_id - - initiator - - start - - status - - schedule - - additionalProperties: false - type: 
object - properties: - error: - additionalProperties: false - type: object - properties: - message: - type: string - rule: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - status: - type: number - required: - - message - - rule - required: - - error - type: array - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given ID does not exist. - summary: Schedule a backfill for rules - tags: - - alerting - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/alerting/rules/backfill/_schedule
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/alerting/rules/backfill/{id}: - delete: - operationId: delete-alerting-rules-backfill-id - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the backfill. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a backfill with the given ID does not exist. - summary: Delete a backfill by ID - tags: - - alerting - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/alerting/rules/backfill/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - get: - operationId: get-alerting-rules-backfill-id - parameters: - - description: The identifier for the backfill. - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getBackfillResponse: - summary: Get a backfill for an index threshold rule - value: - created_at: '2024-01-30T00:00:00.000Z' - duration: 12h - enabled: true - id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 - initiator: user - rule: - api_key_owner: elastic - consumer: alerts - created_at: '2022-12-05T23:40:33.132Z' - created_by: elastic - enabled: true - id: 3583a470-74f6-11ed-9801-35303b735aef - name: my alert - params: - aggField: sheet.version - aggType: avg - groupBy: top - index: - - test-index - termField: name.keyword - termSize: 6 - threshold: - - 1000 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 5 - timeWindowUnit: m - revision: 0 - rule_type_id: .index-threshold - schedule: - interval: 1m - tags: - - cpu - updated_at: '2022-12-05T23:40:33.132Z' - updated_by: elastic - schedule: - - interval: 12h - run_at: '2024-01-01T12:00:00.000Z' - status: pending - - interval: 12h - run_at: '2024-01-02T00:00:00.000Z' - status: pending - space_id: default - start: '2024-01-01T00:00:00.000Z' - status: pending - schema: - additionalProperties: false - type: object - properties: - created_at: - type: string - duration: - type: string - enabled: - type: boolean - end: - type: string - id: - type: string - initiator: - enum: - - user - - system - type: string - initiator_id: - type: string - rule: - additionalProperties: false - type: object - properties: - api_key_created_by_user: - nullable: true - type: boolean - api_key_owner: - nullable: true - type: string - consumer: - type: string - created_at: - type: string - created_by: - nullable: true - type: string - enabled: - type: boolean - id: - type: string - 
name: - type: string - params: - additionalProperties: - nullable: true - description: The parameters for the rule. - type: object - revision: - type: number - rule_type_id: - type: string - schedule: - additionalProperties: false - type: object - properties: - interval: - type: string - required: - - interval - tags: - items: - type: string - type: array - updated_at: - type: string - updated_by: - nullable: true - type: string - required: - - id - - name - - tags - - rule_type_id - - params - - api_key_owner - - consumer - - enabled - - schedule - - created_by - - updated_by - - created_at - - updated_at - - revision - schedule: - items: - additionalProperties: false - type: object - properties: - interval: - type: string - run_at: - type: string - status: - enum: - - complete - - pending - - running - - error - - timeout - type: string - required: - - run_at - - status - - interval - type: array - space_id: - type: string - start: - type: string - status: - enum: - - complete - - pending - - running - - error - - timeout - type: string - required: - - id - - created_at - - duration - - enabled - - rule - - space_id - - initiator - - start - - status - - schedule - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a backfill with the given ID does not exist. - summary: Get a backfill by ID - tags: - - alerting - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/alerting/rules/backfill/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/apm/agent_keys: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/apm/agent_keys
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new agent key for APM. - The user creating an APM agent API key must have at least the `manage_own_api_key` cluster privilege and the APM application-level privileges that it wishes to grant. - After it is created, you can copy the API key (Base64 encoded) and use it to to authorize requests from APM agents to the APM Server. - operationId: createAgentKey - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - requestBody: - content: - application/json: - examples: - createAgentKeyRequest1: - $ref: '#/components/examples/APM_UI_agent_keys_object_post_request1' - schema: - $ref: '#/components/schemas/APM_UI_agent_keys_object' - required: true - responses: - '200': - content: - application/json: - examples: - createAgentKeyResponse1: - $ref: '#/components/examples/APM_UI_agent_keys_object_post_200_response1' - schema: - $ref: '#/components/schemas/APM_UI_agent_keys_response' - description: Agent key created successfully - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - summary: Create an APM agent key - tags: - - APM agent keys - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/apm/fleet/apm_server_schema: - post: - deprecated: true - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/apm/fleet/apm_server_schema
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - DEPRECATED: This endpoint is intended for internal use by Fleet integrations to push the APM Server configuration schema. Do not use for new integrations. It stores the provided schema object as a Kibana saved object. If Fleet migration is not available on the current deployment, the API returns a 404. - operationId: saveApmServerSchema - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - requestBody: - content: - application/json: - schema: - type: object - properties: - schema: - additionalProperties: true - description: Schema object - example: - foo: bar - type: object - required: true - responses: - '200': - content: - application/json: - examples: - saveApmServerSchemaResponseExample1: - $ref: '#/components/examples/APM_UI_fleet_apm_server_schema_200_response1' - schema: - additionalProperties: false - description: The response body is intentionally empty for this endpoint. - type: object - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Save APM server schema - tags: - - APM server schema - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/apm/services/{serviceName}/annotation: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/apm/services/{serviceName}/annotation
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new annotation for a specific service. - operationId: createAnnotation - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - - description: The name of the service - in: path - name: serviceName - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - createAnnotationRequest1: - $ref: '#/components/examples/APM_UI_annotation_object_post_request1' - schema: - $ref: '#/components/schemas/APM_UI_create_annotation_object' - required: true - responses: - '200': - content: - application/json: - examples: - createAnnotationResponse1: - $ref: '#/components/examples/APM_UI_annotation_object_post_200_response1' - schema: - $ref: '#/components/schemas/APM_UI_create_annotation_response' - description: Annotation created successfully - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Create a service annotation - tags: - - APM annotations - x-codeSamples: - - lang: Curl - source: | - curl -X POST \ - http://localhost:5601/api/apm/services/opbeans-java/annotation \ - -H 'Content-Type: application/json' \ - -H 'kbn-xsrf: true' \ - -H 'Authorization: Basic YhUlubWZhM0FDbnlQeE6WRtaW49FQmSGZ4RUWXdX' \ - -d '{ - "@timestamp": "2020-05-08T10:31:30.452Z", - "service": { - "version": "1.2" - }, - "message": "Deployment 1.2" - }' - x-metaTags: - - content: 
Kibana, Elastic Cloud Serverless - name: product_name - /api/apm/services/{serviceName}/annotation/search: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/apm/services/{serviceName}/annotation/search
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Search for annotations related to a specific service. - operationId: getAnnotation - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: The name of the service - in: path - name: serviceName - required: true - schema: - type: string - - description: The environment to filter annotations by - in: query - name: environment - required: false - schema: - type: string - - description: The start date for the search - example: '2024-01-01T00:00:00.000Z' - in: query - name: start - required: false - schema: - format: date-time - type: string - - description: The end date for the search - example: '2024-01-31T23:59:59.999Z' - in: query - name: end - required: false - schema: - format: date-time - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_annotation_search_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - summary: Search for annotations - tags: - - APM annotations - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/apm/settings/agent-configuration: - delete: - description: | - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/apm/settings/agent-configuration
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete an existing agent configuration. You must have `all` privileges for the APM and User Experience feature in Kibana. When successful, the configuration is removed and, if Fleet is enabled, APM package policies are synchronized accordingly. - operationId: deleteAgentConfiguration - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - requestBody: - content: - application/json: - examples: - deleteAgentConfigurationRequest1: - $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_delete_request1' - schema: - $ref: '#/components/schemas/APM_UI_delete_service_object' - required: true - responses: - '200': - content: - application/json: - examples: - deleteAgentConfigurationResponseExample1: - $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_delete_200_response1' - schema: - $ref: '#/components/schemas/APM_UI_delete_agent_configurations_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Delete agent configuration - tags: - - APM agent configuration - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/apm/settings/agent-configuration
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve all agent configurations. You must have `read` privileges for the APM and User Experience feature in Kibana. If agent configuration is not available on the current deployment, the API returns a 404. - operationId: getAgentConfigurations - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - responses: - '200': - content: - application/json: - examples: - getAgentConfigurationsResponseExample1: - $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_get_200_response1' - schema: - $ref: '#/components/schemas/APM_UI_agent_configurations_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get a list of agent configurations - tags: - - APM agent configuration - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: | - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/apm/settings/agent-configuration
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create or update an agent configuration. You must have `all` privileges for the APM and User Experience feature in Kibana. When updating an existing configuration, the `?overwrite=true` query parameter is required. If the configuration already exists and `overwrite` is not set to `true`, the API returns a 400 error. When successful and Fleet is enabled, APM package policies are synchronized accordingly. - operationId: createUpdateAgentConfiguration - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - - description: If the config exists ?overwrite=true is required - in: query - name: overwrite - schema: - type: boolean - requestBody: - content: - application/json: - examples: - createUpdateAgentConfigurationRequestExample1: - $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_put_request1' - schema: - $ref: '#/components/schemas/APM_UI_agent_configuration_intake_object' - required: true - responses: - '200': - content: - application/json: - examples: - createUpdateAgentConfigurationResponseExample1: - $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_put_200_response1' - schema: - additionalProperties: false - description: The response body is intentionally empty for this endpoint. 
- type: object - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Create or update agent configuration - tags: - - APM agent configuration - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/apm/settings/agent-configuration/agent_name: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/apm/settings/agent-configuration/agent_name
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve `agentName` for a service. - operationId: getAgentNameForService - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: The name of the service - example: node - in: query - name: serviceName - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_service_agent_name_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get agent name for service - tags: - - APM agent configuration - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/apm/settings/agent-configuration/environments: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/apm/settings/agent-configuration/environments
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve the available environments for a given service, to be used in agent configuration. You must have `read` privileges for the APM and User Experience feature in Kibana. If `serviceName` is omitted, environments across all services are returned. - operationId: getEnvironmentsForService - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: The name of the service. If omitted, environments across all services are returned. - example: opbeans-node - in: query - name: serviceName - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getEnvironmentsForServiceResponseExample1: - $ref: '#/components/examples/APM_UI_agent_configuration_environments_200_response1' - schema: - $ref: '#/components/schemas/APM_UI_service_environments_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get environments for service - tags: - - APM agent configuration - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/apm/settings/agent-configuration/search: - post: - deprecated: true - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/apm/settings/agent-configuration/search
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - DEPRECATED: This endpoint is intended for internal use by APM agents to fetch their configuration and mark it as applied. Do not use for new integrations. It searches for a single agent configuration matching the given service, and optionally updates the `applied_by_agent` field when the provided `etag` matches the current configuration. - operationId: searchSingleConfiguration - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - requestBody: - content: - application/json: - examples: - searchSingleConfigurationRequest1: - $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_search_request1' - schema: - $ref: '#/components/schemas/APM_UI_search_agent_configuration_object' - required: true - responses: - '200': - content: - application/json: - examples: - searchSingleConfigurationResponse1: - $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_search_200_response1' - schema: - $ref: '#/components/schemas/APM_UI_search_agent_configuration_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Lookup single agent configuration - tags: - - APM agent configuration - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/apm/settings/agent-configuration/view: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/apm/settings/agent-configuration/view
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve a single agent configuration matching the given service name and environment. You must have `read` privileges for the APM and User Experience feature in Kibana. If no matching configuration is found, the API returns a 404. - operationId: getSingleAgentConfiguration - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: Service name - example: node - in: query - name: name - schema: - type: string - - description: Service environment - example: prod - in: query - name: environment - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getSingleAgentConfigurationResponseExample1: - $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_view_200_response1' - schema: - $ref: '#/components/schemas/APM_UI_single_agent_configuration_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get single agent configuration - tags: - - APM agent configuration - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/apm/sourcemaps: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/apm/sourcemaps
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get an array of Fleet artifacts, including source map uploads. You must have `read` or `all` Kibana privileges for the APM and User Experience feature. - operationId: getSourceMaps - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: Page number - in: query - name: page - schema: - type: number - - description: Number of records per page - in: query - name: perPage - schema: - type: number - responses: - '200': - content: - application/json: - examples: - getSourceMapsResponse1: - $ref: '#/components/examples/APM_UI_source_maps_get_200_response1' - schema: - $ref: '#/components/schemas/APM_UI_source_maps_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - '501': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_501_response' - description: Not Implemented response - summary: Get source maps - tags: - - APM sourcemaps - x-codeSamples: - - lang: Curl - source: | - curl -X GET "http://localhost:5601/api/apm/sourcemaps" \ - -H 'Content-Type: application/json' \ - -H 'kbn-xsrf: true' \ - -H 'Authorization: ApiKey ${YOUR_API_KEY}' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/apm/sourcemaps
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Upload a source map for a specific service and version. You must have `all` Kibana privileges for the APM and User Experience feature. - The maximum payload size is `1mb`. If you attempt to upload a source map that exceeds the maximum payload size, you will get a 413 error. Before uploading source maps that exceed this default, change the maximum payload size allowed by Kibana with the `server.maxPayload` variable. - operationId: uploadSourceMap - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - requestBody: - content: - multipart/form-data: - schema: - $ref: '#/components/schemas/APM_UI_upload_source_map_object' - required: true - responses: - '200': - content: - application/json: - examples: - uploadSourceMapResponse1: - $ref: '#/components/examples/APM_UI_source_maps_upload_200_response1' - schema: - $ref: '#/components/schemas/APM_UI_upload_source_maps_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - '501': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_501_response' - description: Not Implemented response - summary: Upload a source map - tags: - - APM sourcemaps - x-codeSamples: - - lang: Curl - source: | - curl -X POST "http://localhost:5601/api/apm/sourcemaps" \ - -H 'Content-Type: multipart/form-data' 
\ - -H 'kbn-xsrf: true' \ - -H 'Authorization: ApiKey ${YOUR_API_KEY}' \ - -F 'service_name="foo"' \ - -F 'service_version="1.0.0"' \ - -F 'bundle_filepath="/test/e2e/general-usecase/bundle.js"' \ - -F 'sourcemap="{\"version\":3,\"file\":\"static/js/main.chunk.js\",\"sources\":[\"fleet-source-map-client/src/index.css\",\"fleet-source-map-client/src/App.js\",\"webpack:///./src/index.css?bb0a\",\"fleet-source-map-client/src/index.js\",\"fleet-source-map-client/src/reportWebVitals.js\"],\"sourcesContent\":[\"content\"],\"mappings\":\"mapping\",\"sourceRoot\":\"\"}"' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/apm/sourcemaps/{id}: - delete: - description: | - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/apm/sourcemaps/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a previously uploaded source map. You must have `all` Kibana privileges for the APM and User Experience feature. - operationId: deleteSourceMap - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - - description: Source map identifier - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - deleteSourceMapResponseExample1: - $ref: '#/components/examples/APM_UI_source_maps_delete_200_response1' - schema: - additionalProperties: false - description: The response body is intentionally empty for this endpoint. - type: object - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - '501': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_501_response' - description: Not Implemented response - summary: Delete source map - tags: - - APM sourcemaps - x-codeSamples: - - lang: Curl - source: | - curl -X DELETE "http://localhost:5601/api/apm/sourcemaps/apm:foo-1.0.0-644fd5a9" \ - -H 'Content-Type: application/json' \ - -H 'kbn-xsrf: true' \ - -H 'Authorization: ApiKey ${YOUR_API_KEY}' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/asset_criticality: - delete: - description: |- - **Spaces method and path for this 
operation:** - -
delete /s/{space_id}/api/asset_criticality
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete the asset criticality record for a specific entity. - operationId: DeleteAssetCriticalityRecord - parameters: - - description: The ID value of the asset. - example: my_host - in: query - name: id_value - required: true - schema: - type: string - - description: The field representing the ID. - example: host.name - in: query - name: id_field - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' - - description: If 'wait_for' the request will wait for the index refresh. - in: query - name: refresh - required: false - schema: - enum: - - wait_for - type: string - responses: - '200': - content: - application/json: - schema: - type: object - properties: - deleted: - description: True if the record was deleted or false if the record did not exist. - type: boolean - record: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' - description: The deleted record if it existed. - required: - - deleted - description: Successful response - '400': - description: Invalid request - summary: Delete an asset criticality record - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/asset_criticality
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the asset criticality record for a specific entity. - operationId: GetAssetCriticalityRecord - parameters: - - description: The ID value of the asset. - example: my_host - in: query - name: id_value - required: true - schema: - type: string - - description: The field representing the ID. - example: host.name - in: query - name: id_field - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' - description: Successful response - '400': - description: Invalid request - '404': - description: Criticality record not found - summary: Get an asset criticality record - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/asset_criticality
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create or update an asset criticality record for a specific entity. - - If a record already exists for the specified entity, that record is overwritten with the specified value. If a record doesn't exist for the specified entity, a new record is created. - operationId: CreateAssetCriticalityRecord - requestBody: - content: - application/json: - schema: - allOf: - - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord' - - type: object - properties: - refresh: - description: If 'wait_for' the request will wait for the index refresh. - enum: - - wait_for - type: string - example: - criticality_level: high_impact - id_field: host.name - id_value: my_host - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' - description: Successful response - '400': - description: Invalid request - summary: Upsert an asset criticality record - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/asset_criticality/bulk: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/asset_criticality/bulk
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Bulk upsert up to 1000 asset criticality records. - - If asset criticality records already exist for the specified entities, those records are overwritten with the specified values. If asset criticality records don't exist for the specified entities, new records are created. - operationId: BulkUpsertAssetCriticalityRecords - requestBody: - content: - application/json: - schema: - example: - records: - - criticality_level: low_impact - id_field: host.name - id_value: host-1 - - criticality_level: medium_impact - id_field: host.name - id_value: host-2 - type: object - properties: - records: - items: - allOf: - - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts' - - type: object - properties: - criticality_level: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload' - required: - - criticality_level - maxItems: 1000 - minItems: 1 - type: array - required: - - records - responses: - '200': - content: - application/json: - schema: - example: - errors: - - index: 0 - message: Invalid ID field - stats: - failed: 1 - successful: 1 - total: 2 - type: object - properties: - errors: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem' - type: array - stats: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats' - required: - - errors - - stats - description: Bulk upload successful - '413': - description: File too large - summary: Bulk upsert asset criticality records - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/asset_criticality/list: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/asset_criticality/list
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List asset criticality records, paging, sorting and filtering as needed. - operationId: FindAssetCriticalityRecords - parameters: - - description: The field to sort by. - in: query - name: sort_field - required: false - schema: - enum: - - id_value - - id_field - - criticality_level - - '@timestamp' - type: string - - description: The order to sort by. - in: query - name: sort_direction - required: false - schema: - enum: - - asc - - desc - type: string - - description: The page number to return. - in: query - name: page - required: false - schema: - minimum: 1 - type: integer - - description: The number of records to return per page. - in: query - name: per_page - required: false - schema: - maximum: 1000 - minimum: 1 - type: integer - - description: The kuery to filter by. - in: query - name: kuery - required: false - schema: - type: string - responses: - '200': - content: - application/json: - schema: - example: - page: 1 - per_page: 10 - records: - - '@timestamp': '2024-08-02T14:40:35.705Z' - asset: - criticality: medium_impact - criticality_level: medium_impact - host: - asset: - criticality: medium_impact - name: my_other_host - id_field: host.name - id_value: my_other_host - - '@timestamp': '2024-08-02T11:15:34.290Z' - asset: - criticality: high_impact - criticality_level: high_impact - host: - asset: - criticality: high_impact - name: my_host - id_field: host.name - id_value: my_host - total: 2 - type: object - properties: - page: - minimum: 1 - type: integer - per_page: - maximum: 1000 - minimum: 1 - type: integer - records: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' - type: array - total: - minimum: 0 - type: integer - required: - - records - - page - - per_page - - total - description: Successfully retrieved asset criticality records - summary: List asset criticality records - tags: - - Security Entity 
Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/attack_discovery/_bulk: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/attack_discovery/_bulk
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Performs bulk updates on multiple Attack discoveries, including workflow status changes and visibility settings. This endpoint allows efficient batch processing of alert modifications without requiring individual API calls for each alert. - operationId: PostAttackDiscoveryBulk - requestBody: - content: - application/json: - example: - update: - enable_field_rendering: false - ids: - - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 - kibana_alert_workflow_status: acknowledged - with_replacements: true - schema: - type: object - properties: - update: - description: Configuration object containing all parameters for the bulk update operation - type: object - properties: - enable_field_rendering: - default: false - description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`. 
- example: false - type: boolean - ids: - description: Array of Attack Discovery IDs to update - example: - - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 - items: - type: string - type: array - kibana_alert_workflow_status: - description: When provided, update the kibana.alert.workflow_status of the attack discovery alerts - enum: - - open - - acknowledged - - closed - example: acknowledged - type: string - visibility: - description: When provided, update the visibility of the alert, as determined by the kibana.alert.attack_discovery.users field - enum: - - not_shared - - shared - example: shared - type: string - with_replacements: - default: true - description: When true, returns the updated Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. This substitutes anonymized values with human-readable equivalents. Defaults to `true`. - example: true - type: boolean - required: - - ids - required: - - update - description: Bulk update parameters for Attack discoveries - required: true - responses: - '200': - content: - application/json: - example: - data: - - id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - title: Suspicious process execution on host-01 - workflow_status: acknowledged - schema: - type: object - properties: - data: - description: Array of updated Attack Discovery alert objects. Each item includes the applied modifications from the bulk update request. - items: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert' - type: array - required: - - data - description: Indicates a successful call. - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. 
- status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message describing what went wrong with the bulk update request - example: Invalid request parameters. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - required: - - status_code - - error - - message - description: Bad Request response. - summary: Bulk update Attack discoveries - tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/_bulk' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data-raw '{ - "update": { - "ids": [ - "c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f", - "5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7" - ], - "kibana_alert_workflow_status": "acknowledged" - } - }' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/attack_discovery/_find: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/attack_discovery/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Find Attack discoveries that match the search criteria. Supports free text search, filtering, pagination, and sorting. - operationId: AttackDiscoveryFind - parameters: - - description: Filter results to Attack discoveries that include any of the provided alert IDs - in: query - name: alert_ids - required: false - schema: - items: - type: string - type: array - - description: Filter results to Attack discoveries created by any of the provided human readable connector names. Note that values must match the human readable `connector_name` property of an Attack discovery, e.g. "GPT-5 Chat", which are distinct from `connector_id` values used to generate Attack discoveries. - in: query - name: connector_names - required: false - schema: - items: - type: string - type: array - - description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`. - example: false - in: query - name: enable_field_rendering - required: false - schema: - default: false - type: boolean - - description: End of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h"). - example: now - in: query - name: end - required: false - schema: - type: string - - description: Filter results to the Attack discoveries with the specified IDs - in: query - name: ids - required: false - schema: - items: - type: string - type: array - - description: If `true`, the response will include `unique_alert_ids` and `unique_alert_ids_count` aggregated across the matched Attack discoveries - example: false - in: query - name: include_unique_alert_ids - required: false - schema: - type: boolean - - description: Page number to return (used for pagination). Defaults to 1. 
- example: 1 - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: integer - - description: Number of Attack discoveries to return per page (used for pagination). Defaults to 10. - example: 10 - in: query - name: per_page - required: false - schema: - default: 10 - minimum: 1 - type: integer - - description: Free-text search query applied to relevant text fields of Attack discoveries (title, description, tags, etc.) - example: '' - in: query - name: search - required: false - schema: - type: string - - description: Whether to filter by shared visibility. If omitted, both shared and privately visible Attack discoveries are returned. Use `true` to return only shared discoveries, `false` to return only those visible to the current user. - in: query - name: shared - required: false - schema: - type: boolean - - description: Whether to filter by scheduled or ad-hoc attack discoveries. If omitted, both types of attack discoveries are returned. Use `true` to return only scheduled discoveries or `false` to return only ad-hoc discoveries. - in: query - name: scheduled - required: false - schema: - type: boolean - - description: Field used to sort results. See `AttackDiscoveryFindSortField` for allowed values. - example: '@timestamp' - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryFindSortField' - default: '@timestamp' - - description: Sort order direction `asc` for ascending or `desc` for descending. Defaults to `desc`. - example: desc - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_SortOrder' - default: desc - - description: Start of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now-7d"). - example: now-24h - in: query - name: start - required: false - schema: - type: string - - description: Filter by alert workflow status. 
Provide one or more of the allowed workflow states. - example: - - open - - acknowledged - in: query - name: status - required: false - schema: - items: - enum: - - acknowledged - - closed - - open - type: string - type: array - - description: When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to `true`. - example: true - in: query - name: with_replacements - required: false - schema: - default: true - type: boolean - responses: - '200': - content: - application/json: - example: - connector_names: - - GPT-5 Chat - data: - - connector_name: GPT-5 Chat - id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - title: Suspicious process execution on host-01 - page: 1 - per_page: 10 - total: 1 - unique_alert_ids_count: 0 - schema: - type: object - properties: - connector_names: - description: List of human readable connector names that are present in the matched Attack discoveries. Useful for building client filters or summaries. - items: - type: string - type: array - data: - description: Array of matched Attack discovery objects. Each item follows the `AttackDiscoveryApiAlert` schema. - items: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert' - type: array - page: - description: Current page number of the paginated result set. - type: integer - per_page: - description: Number of items requested per page. - type: integer - total: - description: Total number of Attack discoveries matching the query (across all pages). - type: integer - unique_alert_ids: - description: List of unique alert IDs aggregated from the matched Attack discoveries. Only present if `include_unique_alert_ids=true` in the request. - items: - type: string - type: array - unique_alert_ids_count: - description: Number of unique alert IDs across all matched Attack discoveries. 
Only present if `include_unique_alert_ids=true` in the request. - type: integer - required: - - connector_names - - data - - page - - per_page - - total - - unique_alert_ids_count - description: Indicates a successful call. - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request payload. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message - example: Invalid request payload. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - description: Bad Request response. - summary: Find Attack discoveries that match the search criteria - tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/_find?end=now&include_unique_alert_ids=false&page=1&per_page=10&search=&sort_field=%40timestamp&sort_order=desc&start=now-24h&status=open&status=acknowledged' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/attack_discovery/_generate: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/attack_discovery/_generate
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Initiates the generation of attack discoveries by analyzing security alerts using AI. Returns an execution UUID that can be used to track the generation progress and retrieve results. Results may also be retrieved via the find endpoint. - operationId: PostAttackDiscoveryGenerate - requestBody: - content: - application/json: - example: - alertsIndexPattern: .alerts-security.alerts-default - anonymizationFields: - - allowed: true - anonymized: true - field: host.name - - allowed: true - anonymized: true - field: user.name - - allowed: true - anonymized: false - field: process.name - apiConfig: - actionTypeId: .gen-ai - connectorId: 12345678-1234-1234-1234-123456789012 - connectorName: GPT-5 Chat - end: now - replacements: {} - size: 100 - start: now-24h - subAction: invokeAI - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenerationConfig' - required: true - responses: - '200': - content: - application/json: - example: - execution_uuid: edd26039-0990-4d9f-9829-2a1fcacb77b5 - schema: - type: object - properties: - execution_uuid: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - description: The unique identifier for the attack discovery generation process. Use this UUID to track the generation progress and retrieve results via the find endpoint. - example: edd26039-0990-4d9f-9829-2a1fcacb77b5 - required: - - execution_uuid - description: Indicates a successful call. - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message describing what went wrong - example: Invalid request parameters. 
- type: string - status_code: - description: HTTP status code - example: 400 - type: number - required: - - status_code - - error - - message - description: Bad Request response. - summary: Generate attack discoveries from alerts - tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/_generate' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{ - "alertsIndexPattern": ".alerts-security.alerts-default", - "anonymizationFields": [ - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "@timestamp", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "aKiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.feature", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "saiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.data", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "sqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.entropy", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "s6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.extension", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "tKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.metrics", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "taiJW5gB4U27o8XO8oLg" - }, - { - 
"timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.operation", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "tqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.path", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "t6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.score", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "uKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.version", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "uaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "_id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "Z6iJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "agent.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "aaiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "cloud.availability_zone", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "aqiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "cloud.provider", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "a6iJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "cloud.region", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": 
"bKiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "destination.ip", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "baiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "dns.question.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "bqiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "dns.question.type", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "b6iJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "event.category", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "cKiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "event.dataset", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "caiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "event.module", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "cqiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "event.outcome", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "c6iJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "file.Ext.original.path", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "dKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "file.hash.sha256", - "allowed": true, - "anonymized": false, - "namespace": 
"default", - "id": "daiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "file.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "dqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "file.path", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "d6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "group.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "eKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "group.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "eaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.asset.criticality", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "eqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.name", - "allowed": true, - "anonymized": true, - "namespace": "default", - "id": "e6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.os.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "fKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.os.version", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "faiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.risk.calculated_level", - "allowed": true, - "anonymized": false, - "namespace": 
"default", - "id": "fqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.risk.calculated_score_norm", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "f6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.original_time", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "gKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.risk_score", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "gaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.description", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "gqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "g6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.references", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "hKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.framework", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "haiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.tactic.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "hqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - 
"createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.tactic.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "h6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.tactic.reference", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "iKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.technique.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "iaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.technique.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "iqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.technique.reference", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "i6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.technique.subtechnique.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "jKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.technique.subtechnique.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "jaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.technique.subtechnique.reference", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "jqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": 
"2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.severity", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "j6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.workflow_status", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "kKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "message", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "kaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "network.protocol", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "kqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.Ext.memory_region.bytes_compressed_present", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "nKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.Ext.memory_region.malware_signature.all_names", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "naiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.Ext.memory_region.malware_signature.primary.matches", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "nqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.Ext.memory_region.malware_signature.primary.signature.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "n6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", 
- "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.Ext.token.integrity_level_name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "oKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.args", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "k6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.code_signature.exists", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "lKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.code_signature.signing_id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "laiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.code_signature.status", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "lqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.code_signature.subject_name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "l6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.code_signature.trusted", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "mKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.command_line", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "maiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.executable", - "allowed": true, - 
"anonymized": false, - "namespace": "default", - "id": "mqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.exit_code", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "m6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.hash.md5", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "oaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.hash.sha1", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "oqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.hash.sha256", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "o6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "pKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.parent.args", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "paiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.parent.args_count", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "pqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.parent.code_signature.exists", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "p6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": 
"2025-07-30T13:33:44.029Z", - "field": "process.parent.code_signature.status", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "qKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.parent.code_signature.subject_name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "qaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.parent.code_signature.trusted", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "qqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.parent.command_line", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "q6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.parent.executable", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "rKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.parent.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "raiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.pe.original_file_name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "rqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.pid", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "r6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.working_directory", - "allowed": true, - 
"anonymized": false, - "namespace": "default", - "id": "sKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "rule.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "uqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "rule.reference", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "u6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "source.ip", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "vKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.framework", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "vaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.tactic.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "vqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.tactic.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "v6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.tactic.reference", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "wKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.technique.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "waiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": 
"threat.technique.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "wqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.technique.reference", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "w6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.technique.subtechnique.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "xKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.technique.subtechnique.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "xaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.technique.subtechnique.reference", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "xqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "user.asset.criticality", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "x6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "user.domain", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "yKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "user.name", - "allowed": true, - "anonymized": true, - "namespace": "default", - "id": "yaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "user.risk.calculated_level", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "yqiJW5gB4U27o8XO8oLg" - }, 
- { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "user.risk.calculated_score_norm", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "y6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "user.target.name", - "allowed": true, - "anonymized": true, - "namespace": "default", - "id": "zKiJW5gB4U27o8XO8oLg" - } - ], - "replacements": {}, - "size": 100, - "subAction": "invokeAI", - "apiConfig": { - "connectorId": "12345678-1234-1234-1234-123456789012", - "actionTypeId": ".gen-ai" - }, - "connectorName": "GPT-5 Chat", - "end": "now", - "start": "now-24h" - }' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/attack_discovery/generations: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/attack_discovery/generations
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the latest Attack Discovery generations metadata (that are not dismissed) for the current user. This endpoint retrieves generation metadata including execution status and statistics for Attack Discovery generations. - operationId: GetAttackDiscoveryGenerations - parameters: - - description: End of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h"). - example: now - in: query - name: end - required: false - schema: - type: string - - description: The maximum number of generations to retrieve - example: 50 - in: query - name: size - required: false - schema: - default: 50 - minimum: 1 - type: number - - description: Start of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now-7d"). - example: now-24h - in: query - name: start - required: false - schema: - type: string - responses: - '200': - content: - application/json: - example: - generations: - - alerts_context_count: 75 - connector_id: chatGpt5_0ChatAzure - discoveries: 3 - end: '2025-09-29T06:42:44.810Z' - execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 - loading_message: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries. - start: '2025-09-29T06:42:08.962Z' - status: succeeded - schema: - type: object - properties: - generations: - description: List of Attack Discovery generations - items: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration' - type: array - required: - - generations - description: Indicates a successful call. - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid size parameter. Must be a positive number. 
- status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message - example: Invalid size parameter. Must be a positive number. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - description: Bad Request response. - summary: Get the latest Attack Discovery generations metadata for the current user - tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/generations?size=50&start=now-24h&end=now' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/attack_discovery/generations/{execution_uuid}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/attack_discovery/generations/{execution_uuid}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Returns a specific Attack Discovery generation, including all generated Attack discoveries and associated metadata, including execution status and statistics. - operationId: GetAttackDiscoveryGeneration - parameters: - - description: The unique identifier for the Attack Discovery generation execution. This UUID is returned at the start of an Attack Discovery generation. - example: 2e13f386-46cf-4d65-9e2b-68609e132ba5 - in: path - name: execution_uuid - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - - description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`. - example: false - in: query - name: enable_field_rendering - required: false - schema: - default: false - type: boolean - - description: When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to `true`. - example: true - in: query - name: with_replacements - required: false - schema: - default: true - type: boolean - responses: - '200': - content: - application/json: - example: - data: - - id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - title: Suspicious process execution on host-01 - generation: - alerts_context_count: 50 - discoveries: 1 - end: '2025-09-29T06:42:44.810Z' - execution_uuid: 2e13f386-46cf-4d65-9e2b-68609e132ba5 - start: '2025-09-29T06:42:08.962Z' - status: succeeded - schema: - type: object - properties: - data: - description: Array of Attack discoveries generated during this execution. 
- items: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert' - type: array - generation: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration' - description: Optional metadata about the attack discovery generation process, metadata including execution status and statistics. This metadata may not be available for all generations. - required: - - data - description: Indicates a successful call. - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message describing what went wrong with the request - example: Invalid request parameters. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - required: - - status_code - - error - - message - description: Bad Request response. - summary: Get a single Attack Discovery generation, including its discoveries and (optional) generation metadata - tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/generations/2e13f386-46cf-4d65-9e2b-68609e132ba5' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/attack_discovery/generations/{execution_uuid}/_dismiss: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/attack_discovery/generations/{execution_uuid}/_dismiss
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Dismisses an Attack Discovery generation for the current user, indicating that its status should not be reported in the UI. This sets the generation's status to "dismissed" and affects how the generation appears in subsequent queries. - operationId: PostAttackDiscoveryGenerationsDismiss - parameters: - - description: The unique identifier for the Attack Discovery generation execution. This UUID is returned when an Attack Discovery generation is created and can be found in generation responses. - example: 46b218d5-535d-4329-be56-d0f6af6986b7 - in: path - name: execution_uuid - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - responses: - '200': - content: - application/json: - example: - alerts_context_count: 75 - connector_id: chatGpt5_0ChatAzure - discoveries: 3 - end: '2025-09-29T06:42:44.810Z' - execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 - loading_message: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries. - start: '2025-09-29T06:42:08.962Z' - status: dismissed - schema: - type: object - properties: - alerts_context_count: - description: The number of alerts that were sent as context to the LLM for this generation. - example: 75 - type: number - connector_id: - description: The unique identifier of the connector used to generate the attack discoveries. - example: chatGpt5_0ChatAzure - type: string - connector_stats: - description: Statistical information about the connector's performance for this user, providing insights into usage patterns and success rates. - type: object - properties: - average_successful_duration_nanoseconds: - description: The average duration in nanoseconds for successful generations using this connector by the current user. 
- example: 47958500000 - type: number - successful_generations: - description: The total number of Attack discoveries successfully created for this generation - example: 2 - type: number - discoveries: - description: The number of attack discoveries that were generated during this execution. - example: 3 - type: number - end: - description: The timestamp when the generation process completed, in ISO 8601 format. This field may be absent for generations that haven't finished. - example: '2025-09-29T06:42:44.810Z' - type: string - execution_uuid: - description: The unique identifier for this attack discovery generation execution. This UUID can be used to reference this specific generation in other API calls. - example: 46b218d5-535d-4329-be56-d0f6af6986b7 - type: string - loading_message: - description: A human-readable message describing the current state or progress of the generation process. Provides context about what the AI is analyzing. - example: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries. - type: string - reason: - description: Additional context or reasoning provided when a generation fails or encounters issues. This field helps diagnose problems with the generation process. - example: Connection timeout to AI service - type: string - start: - description: The timestamp when the generation process began, in ISO 8601 format. This marks the beginning of the AI analysis. - example: '2025-09-29T06:42:08.962Z' - type: string - status: - description: The current status of the attack discovery generation. After dismissing, this will be set to "dismissed". - enum: - - canceled - - dismissed - - failed - - started - - succeeded - example: dismissed - type: string - required: - - connector_id - - discoveries - - execution_uuid - - loading_message - - start - - status - description: Indicates a successful call. - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. 
- status_code: 400 - schema: - type: object - properties: - error: - description: Error type or category - example: Bad Request - type: string - message: - description: Human-readable error message describing what went wrong with the request. - example: Invalid request parameters. - type: string - status_code: - description: HTTP status code indicating the type of client error - example: 400 - type: number - required: - - status_code - - error - - message - description: Bad Request response. - summary: Dismiss an Attack Discovery generation - tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/generations/46b218d5-535d-4329-be56-d0f6af6986b7/_dismiss' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/attack_discovery/schedules: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/attack_discovery/schedules
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Creates a new Attack Discovery schedule that analyzes security alerts at specified intervals. The schedule defines when and how Attack Discovery analysis should run, including which alerts to analyze, which AI connector to use, and what actions to take when discoveries are found. - operationId: CreateAttackDiscoverySchedules - requestBody: - content: - application/json: - example: - actions: [] - enabled: true - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps' - description: Attack Discovery schedule configuration including name, parameters, schedule interval, and actions - required: true - responses: - '200': - content: - application/json: - example: - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - updated_at: '2023-10-31T10:00:00.000Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' - description: The Attack Discovery schedule was successfully created. - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' - description: Bad Request response. 
- summary: Create Attack Discovery schedule - tags: - - Security Attack discovery API - x-code-samples: - - label: Create an Attack Discovery schedule - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/schedules' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{ - "name": "Daily Security Analysis", - "enabled": true, - "params": { - "alerts_index_pattern": ".alerts-security.alerts-default", - "api_config": { - "actionTypeId": "bedrock", - "connectorId": "my-bedrock-connector", - "name": "Claude 3.5 Sonnet" - }, - "size": 100, - "start": "now-24h", - "end": "now" - }, - "schedule": { - "interval": "24h" - }, - "actions": [ - { - "action_type_id": ".cases", - "id": "system-connector-.cases", - "params": { - "subAction": "run", - "subActionParams": { - "timeWindow": "7d", - "reopenClosedCases": false, - "groupingBy": [], - "templateId": null - } - }, - "uuid": "12345678-1234-1234-1234-123456789012" - } - ] - }' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/attack_discovery/schedules/_find: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/attack_discovery/schedules/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Find Attack Discovery schedules that match the search criteria. Supports pagination and sorting by various fields. - operationId: FindAttackDiscoverySchedules - parameters: - - description: Page number to return (used for pagination). Defaults to 1. - example: 1 - in: query - name: page - required: false - schema: - type: number - - description: Number of Attack Discovery schedules to return per page (used for pagination). Defaults to 10. - example: 10 - in: query - name: per_page - required: false - schema: - type: number - - description: Field used to sort results. Common fields include 'name', 'created_at', 'updated_at', and 'enabled'. - example: name - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - - description: Sort order direction. Use 'asc' for ascending or 'desc' for descending. Defaults to 'asc'. - example: asc - in: query - name: sort_direction - required: false - schema: - enum: - - asc - - desc - type: string - responses: - '200': - content: - application/json: - example: - data: - - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - updated_at: '2023-10-31T10:00:00.000Z' - updated_by: elastic - page: 1 - per_page: 10 - total: 1 - schema: - type: object - properties: - data: - description: Array of matched Attack Discovery schedule objects. 
- items: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' - type: array - page: - description: Current page number of the paginated result set. - type: number - per_page: - description: Number of items requested per page. - type: number - total: - description: Total number of Attack Discovery schedules matching the query (across all pages). - type: number - required: - - page - - per_page - - total - - data - description: Indicates a successful call. - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request payload. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message - example: Invalid request payload. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - description: Bad Request response. - summary: Find Attack Discovery schedules that match the search criteria - tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/schedules/_find' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/attack_discovery/schedules/{id}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/attack_discovery/schedules/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Permanently deletes an Attack Discovery schedule and all associated configuration. - operationId: DeleteAttackDiscoverySchedules - parameters: - - description: The unique identifier (UUID) of the Attack Discovery schedule to delete. This ID is returned when creating a schedule and can be found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - responses: - '200': - content: - application/json: - example: - id: 12345678-1234-1234-1234-123456789012 - schema: - type: object - properties: - id: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - description: The unique identifier of the deleted Attack Discovery schedule - required: - - id - description: Successfully deleted Attack Discovery schedule, returning the ID of the deleted schedule for confirmation - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' - description: Bad Request response. - summary: Delete Attack Discovery schedule - tags: - - Security Attack discovery API - x-code-samples: - - label: Delete an Attack Discovery schedule - lang: curl - source: | - curl \ - --request DELETE 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/attack_discovery/schedules/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieves a specific Attack Discovery schedule by its unique identifier. Returns complete schedule configuration including parameters, interval settings, associated actions, and execution history. - operationId: GetAttackDiscoverySchedules - parameters: - - description: The unique identifier (UUID) of the Attack Discovery schedule to retrieve. This ID is returned when creating a schedule and can be found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - responses: - '200': - content: - application/json: - example: - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - last_execution: - date: '2023-10-31T10:00:00.000Z' - last_duration: 45.2 - status: ok - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - updated_at: '2023-10-31T10:00:00.000Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' - description: Successfully retrieved Attack Discovery schedule with complete configuration and metadata - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' - description: Bad Request response. 
- summary: Get Attack Discovery schedule by ID - tags: - - Security Attack discovery API - x-code-samples: - - label: Get an Attack Discovery schedule by ID - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/attack_discovery/schedules/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Updates an existing Attack Discovery schedule with new configuration. All schedule properties can be modified including name, parameters, interval, and actions. The update operation replaces the entire schedule configuration with the provided values. - operationId: UpdateAttackDiscoverySchedules - parameters: - - description: The unique identifier (UUID) of the Attack Discovery schedule to update. This ID is returned when creating a schedule and can be found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - requestBody: - content: - application/json: - example: - actions: [] - name: Updated Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 200 - start: now-48h - schedule: - interval: 12h - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps' - description: Updated Attack Discovery schedule configuration. All fields are required as this replaces the entire schedule configuration. 
- required: true - responses: - '200': - content: - application/json: - example: - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - name: Updated Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 200 - start: now-48h - schedule: - interval: 12h - updated_at: '2023-10-31T12:00:00.000Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' - description: Successfully updated Attack Discovery schedule with the new configuration and metadata - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' - description: Bad Request response. - summary: Update Attack Discovery schedule - tags: - - Security Attack discovery API - x-code-samples: - - label: Update an Attack Discovery schedule - lang: curl - source: | - curl \ - --request PUT 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{ - "name": "Updated Daily Security Analysis", - "params": { - "alerts_index_pattern": ".alerts-security.alerts-default", - "api_config": { - "actionTypeId": "bedrock", - "connectorId": "my-bedrock-connector", - "name": "Claude 3.5 Sonnet" - }, - "size": 200, - "start": "now-48h", - "end": "now" - }, - "schedule": { - "interval": "12h" - }, - "actions": [] - }' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/attack_discovery/schedules/{id}/_disable: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/attack_discovery/schedules/{id}/_disable
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Disables an Attack Discovery schedule, preventing it from running according to its configured interval. The schedule configuration is preserved and can be re-enabled later. Any currently running executions will complete, but no new executions will be started. - operationId: DisableAttackDiscoverySchedules - parameters: - - description: The unique identifier (UUID) of the Attack Discovery schedule to disable. This ID is returned when creating a schedule and can be found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - responses: - '200': - content: - application/json: - example: - id: 12345678-1234-1234-1234-123456789012 - schema: - type: object - properties: - id: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - description: The unique identifier of the disabled Attack Discovery schedule - required: - - id - description: Successfully disabled Attack Discovery schedule, returning the schedule ID for confirmation - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' - description: Bad Request response. 
- summary: Disable Attack Discovery schedule - tags: - - Security Attack discovery API - x-code-samples: - - label: Disable an Attack Discovery schedule - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_disable' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/attack_discovery/schedules/{id}/_enable: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/attack_discovery/schedules/{id}/_enable
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Enables a previously disabled Attack Discovery schedule, allowing it to run according to its configured interval. Once enabled, the schedule will begin executing at the next scheduled time based on its interval configuration. - operationId: EnableAttackDiscoverySchedules - parameters: - - description: The unique identifier (UUID) of the Attack Discovery schedule to enable. This ID is returned when creating a schedule and can be found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - responses: - '200': - content: - application/json: - example: - id: 12345678-1234-1234-1234-123456789012 - schema: - type: object - properties: - id: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - description: The unique identifier of the enabled Attack Discovery schedule - required: - - id - description: Successfully enabled Attack Discovery schedule, returning the schedule ID for confirmation - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' - description: Bad Request response. 
- summary: Enable Attack Discovery schedule - tags: - - Security Attack discovery API - x-code-samples: - - label: Enable an Attack Discovery schedule - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_enable' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/data_views: - get: - operationId: getAllDataViewsDefault - responses: - '200': - content: - application/json: - examples: - getAllDataViewsResponse: - $ref: '#/components/examples/Data_views_get_data_views_response' - schema: - type: object - properties: - data_view: - items: - type: object - properties: - id: - type: string - name: - type: string - namespaces: - items: - type: string - type: array - title: - type: string - typeMeta: - type: object - type: array - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Get all data views - tags: - - data views - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/data_views
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/data_views/data_view: - post: - operationId: createDataViewDefaultw - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json: - examples: - createDataViewRequest: - $ref: '#/components/examples/Data_views_create_data_view_request' - schema: - $ref: '#/components/schemas/Data_views_create_data_view_request_object' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Create a data view - tags: - - data views - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/data_views/data_view
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/data_views/data_view/{viewId}: - delete: - description: | - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/data_views/data_view/{viewId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - WARNING: When you delete a data view, it cannot be recovered. - operationId: deleteDataViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '204': - description: Indicates a successful call. - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Delete a data view - tags: - - data views - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - operationId: getDataViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '200': - content: - application/json: - examples: - getDataViewResponse: - $ref: '#/components/examples/Data_views_get_data_view_response' - schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Get a data view - tags: - - data views - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/data_views/data_view/{viewId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - post: - operationId: updateDataViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json: - examples: - updateDataViewRequest: - $ref: '#/components/examples/Data_views_update_data_view_request' - schema: - $ref: '#/components/schemas/Data_views_update_data_view_request_object' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update a data view - tags: - - data views - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/data_views/data_view/{viewId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/data_views/data_view/{viewId}/fields: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/data_views/data_view/{viewId}/fields
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update fields presentation metadata such as count, customLabel, customDescription, and format. - operationId: updateFieldsMetadataDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json: - examples: - updateFieldsMetadataRequest: - $ref: '#/components/examples/Data_views_update_field_metadata_request' - schema: - type: object - properties: - fields: - description: The field object. - type: object - required: - - fields - required: true - responses: - '200': - content: - application/json: - schema: - type: object - properties: - acknowledged: - type: boolean - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update data view fields metadata - tags: - - data views - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/data_views/data_view/{viewId}/runtime_field: - post: - operationId: createRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json: - examples: - createRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_create_runtime_field_request' - schema: - type: object - properties: - name: - description: | - The name for a runtime field. - type: string - runtimeField: - description: | - The runtime field definition object. - type: object - required: - - name - - runtimeField - required: true - responses: - '200': - content: - application/json: - schema: - type: object - description: Indicates a successful call. 
- summary: Create a runtime field - tags: - - data views - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - put: - operationId: createUpdateRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - description: | - The ID of the data view fields you want to update. - in: path - name: viewId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - updateRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_create_runtime_field_request' - schema: - type: object - properties: - name: - description: | - The name for a runtime field. - type: string - runtimeField: - description: | - The runtime field definition object. - type: object - required: - - name - - runtimeField - required: true - responses: - '200': - content: - application/json: - schema: - type: object - properties: - data_view: - type: object - fields: - items: - type: object - type: array - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Create or update a runtime field - tags: - - data views - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/data_views/data_view/{viewId}/runtime_field/{fieldName}: - delete: - operationId: deleteRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '200': - description: Indicates a successful call. - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Delete a runtime field from a data view - tags: - - data views - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - get: - operationId: getRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '200': - content: - application/json: - examples: - getRuntimeFieldResponse: - $ref: '#/components/examples/Data_views_get_runtime_field_response' - schema: - type: object - properties: - data_view: - type: object - fields: - items: - type: object - type: array - description: Indicates a successful call. - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Get a runtime field - tags: - - data views - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - post: - operationId: updateRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json: - examples: - updateRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_update_runtime_field_request' - schema: - type: object - properties: - runtimeField: - description: | - The runtime field definition object. - - You can update following fields: - - - `type` - - `script` - type: object - required: - - runtimeField - required: true - responses: - '200': - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update a runtime field - tags: - - data views - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/data_views/default: - get: - operationId: getDefaultDataViewDefault - responses: - '200': - content: - application/json: - examples: - getDefaultDataViewResponse: - $ref: '#/components/examples/Data_views_get_default_data_view_response' - schema: - type: object - properties: - data_view_id: - type: string - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Get the default data view - tags: - - data views - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/data_views/default
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - post: - operationId: setDefaultDatailViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json: - examples: - setDefaultDataViewRequest: - $ref: '#/components/examples/Data_views_set_default_data_view_request' - schema: - type: object - properties: - data_view_id: - description: | - The data view identifier. NOTE: The API does not validate whether it is a valid identifier. Use `null` to unset the default data view. - nullable: true - type: string - force: - default: false - description: Update an existing default data view identifier. - type: boolean - required: - - data_view_id - required: true - responses: - '200': - content: - application/json: - schema: - type: object - properties: - acknowledged: - type: boolean - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Set the default data view - tags: - - data views - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/data_views/default
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/data_views/swap_references: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/data_views/swap_references
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Changes saved object references from one data view identifier to another. WARNING: Misuse can break large numbers of saved objects! Practicing with a backup is recommended. - operationId: swapDataViewsDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json: - examples: - swapDataViewRequest: - $ref: '#/components/examples/Data_views_swap_data_view_request' - schema: - $ref: '#/components/schemas/Data_views_swap_data_view_request_object' - required: true - responses: - '200': - content: - application/json: - schema: - type: object - properties: - deleteStatus: - type: object - properties: - deletePerformed: - type: boolean - remainingRefs: - type: integer - result: - items: - type: object - properties: - id: - description: A saved object identifier. - type: string - type: - description: The saved object type. - type: string - type: array - description: Indicates a successful call. - summary: Swap saved object references - tags: - - data views - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/data_views/swap_references/_preview: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/data_views/swap_references/_preview
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Preview the impact of swapping saved object references from one data view identifier to another. - operationId: previewSwapDataViewsDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json: - examples: - previewSwapDataViewRequest: - $ref: '#/components/examples/Data_views_preview_swap_data_view_request' - schema: - $ref: '#/components/schemas/Data_views_swap_data_view_request_object' - required: true - responses: - '200': - content: - application/json: - schema: - type: object - properties: - result: - items: - type: object - properties: - id: - description: A saved object identifier. - type: string - type: - description: The saved object type. - type: string - type: array - description: Indicates a successful call. - summary: Preview a saved object reference swap - tags: - - data views - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/detection_engine/privileges: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/detection_engine/privileges
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieves whether or not the user is authenticated, and the user's Kibana - space and index privileges, which determine if the user can create an - index for the Elastic Security alerts generated by - detection engine rules. - operationId: ReadPrivileges - responses: - '200': - content: - application/json: - examples: - success: - value: - application: {} - cluster: - all: true - manage: true - manage_api_key: true - manage_index_templates: true - manage_ml: true - manage_own_api_key: true - manage_pipeline: true - manage_security: true - manage_transform: true - monitor: true - monitor_ml: true - monitor_transform: true - has_all_requested: true - has_encryption_key: true - index: - .alerts-security.alerts-default: - all: true - create: true - create_doc: true - create_index: true - delete: true - delete_index: true - index: true - maintenance: true - manage: true - monitor: true - read: true - view_index_metadata: true - write: true - is_authenticated: true - username: elastic - schema: - type: object - properties: - has_encryption_key: - type: boolean - is_authenticated: - type: boolean - required: - - is_authenticated - - has_encryption_key - description: Successful response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Returns user privileges for the Kibana space - tags: - - Security Detections API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/detection_engine/rules: - delete: - description: | - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/detection_engine/rules
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a detection rule using the `rule_id` or `id` field. - - The URL query must include one of the following: - - * `id` - `DELETE /api/detection_engine/rules?id=` - * `rule_id`- `DELETE /api/detection_engine/rules?rule_id=` - - The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. - operationId: DeleteRule - parameters: - - description: The rule's `id` value. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_UUID' - - description: The rule's `rule_id` value. - in: query - name: rule_id - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Delete a detection rule - tags: - - Security Detections API - x-codeSamples: - - lang: cURL - source: | - curl \ - --request DELETE https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ - --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/detection_engine/rules
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve a detection rule using the `rule_id` or `id` field. - - The URL query must include one of the following: - - * `id` - `GET /api/detection_engine/rules?id=` - * `rule_id` - `GET /api/detection_engine/rules?rule_id=` - - The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. - operationId: ReadRule - parameters: - - description: The rule's `id` value. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_UUID' - - description: The rule's `rule_id` value. - in: query - name: rule_id - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - responses: - '200': - content: - application/json: - examples: - example1: - summary: Example response for a retrieved rule - value: - created_at: '2020-02-03T11:19:04.259Z' - created_by: elastic - description: Process started by MS Office program in user folder - enabled: false - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. 
- metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: [] - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-4200s - id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: MS Office child process - query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: process.name - type: keyword - - ecs: true - name: process.parent.name - type: keyword - risk_score: 21 - rule_id: process_started_by_ms_office_user_folder - setup: '' - severity: low - tags: - - child process - - ms office - threat: - - framework: MITRE ATT&CK - tactic: - id: TA0001 - name: Initial Access - reference: https://attack.mitre.org/tactics/TA0001 - technique: - - id: T1193 - name: Spearphishing Attachment - reference: https://attack.mitre.org/techniques/T1193 - to: now-300s - type: query - updated_at: '2020-02-03T11:19:04.462Z' - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: | - Indicates a successful call. - > info - > These fields are under development and their usage or schema may change: execution_summary. 
- summary: Retrieve a detection rule - tags: - - Security Detections API - x-codeSamples: - - lang: cURL - source: | - curl \ - --request GET https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ - --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - patch: - description: | - **Spaces method and path for this operation:** - -
patch /s/{space_id}/api/detection_engine/rules
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update specific fields of an existing detection rule using the `rule_id` or `id` field. - - The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. - > warn - > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. - - > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. - operationId: PatchRule - requestBody: - content: - application/json: - examples: - example1: - summary: Patch query rule - value: - id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 - name: New name - example2: - summary: Patch EQL rule - value: - rule_id: process_started_by_ms_office_program_possible_payload - threat: - - framework: MITRE ATT&CK - tactic: - id: TA0001 - name: Initial Access - reference: https://attack.mitre.org/tactics/TA0001 - technique: - - id: T1193 - name: Spearphishing Attachment - reference: https://attack.mitre.org/techniques/T1193 - example3: - summary: Patch threshold rule - value: - id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 - query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"' - threshold: - cardinality: [] - field: [] - value: 600 - example4: - summary: Patch new terms rule - value: - history_window_start: now-3d - id: 569aac91-40dc-4807-a8ae-a2c8698089c4 - new_terms_fields: - - Endpoint.policy.applied.artifacts.global.identifiers.name - example5: - summary: Patch esql rule - value: - id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd - query: | - FROM logs-abc* - | STATS count 
= COUNT(*), min_timestamp = MIN(@timestamp) - | EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW()) - | KEEP event_rate - example6: - summary: Patch indicator match rule - value: - id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd - threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"false"' - example7: - summary: Patch machine learning rule - value: - anomaly_threshold: 50 - id: 60b13926-289b-41b1-a537-197ef1fa5059 - machine_learning_job_id: - - auth_high_count_logon_events_ea - schema: - $ref: '#/components/schemas/Security_Detections_API_RulePatchProps' - description: | - > info - > You cannot modify the `id` or `rule_id` values. - required: true - responses: - '200': - content: - application/json: - examples: - example1: - summary: Example response for an updated rule - value: - actions: [] - created_at: '2020-04-07T14:51:09.755Z' - created_by: elastic - description: Updated description for the rule. - enabled: false - false_positives: [] - filters: - - query: null - from: now-70m - id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: Updated Rule Name - query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - required_fields: - - name: process.parent.name - risk_score: 50 - rule_id: process_started_by_ms_office_program - setup: '' - severity: low - tags: - - child process - - ms office - threat: [] - to: now - type: query - updated_at: '2020-04-07T14:51:09.970Z' - updated_by: elastic - version: 2 - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. 
- summary: Patch a detection rule - tags: - - Security Detections API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/detection_engine/rules
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new detection rule. - > warn - > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. - - > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. - - You can create the following types of rules: - - * **Custom query**: Searches the defined indices and creates an alert when a document matches the rule's KQL query. - * **Event correlation**: Searches the defined indices and creates an alert when results match an [Event Query Language (EQL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html) query. - * **Threshold**: Searches the defined indices and creates an alert when the number of times the specified field's value meets the threshold during a single execution. When there are multiple values that meet the threshold, an alert is generated for each value. - For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. If you're interested, see [Terms Aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html) for more information. - * **Indicator match**: Creates an alert when fields match values defined in the specified [Elasticsearch index](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html). For example, you can create an index for IP addresses and use this index to create an alert whenever an event's `destination.ip` equals a value in the index. 
The index's field mappings should be [ECS-compliant](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html). - * **New terms**: Generates an alert for each new term detected in source documents within a specified time range. - * **ES|QL**: Uses [Elasticsearch Query Language (ES|QL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html) to find events and aggregate search results. - * **Machine learning rules**: Creates an alert when a machine learning job discovers an anomaly above the defined threshold. - > info - > To create machine learning rules, you must have the [appropriate license](https://www.elastic.co/subscriptions) or use a [cloud deployment](https://cloud.elastic.co/registration). Additionally, for the machine learning rule to function correctly, the associated machine learning job must be running. - - To retrieve machine learning job IDs, which are required to create machine learning jobs, call the [Elasticsearch Get jobs API](https://www.elastic.co/guide/en/elasticsearch/reference/current/ml-get-job.html). Machine learning jobs that contain `siem` in the `groups` field can be used to create rules: - - ```json - ... - "job_id": "linux_anomalous_network_activity_ecs", - "job_type": "anomaly_detector", - "job_version": "7.7.0", - "groups": [ - "auditbeat", - "process", - "siem" - ], - ... - ``` - - Additionally, you can set up notifications for when rules create alerts. The notifications use the [Alerting and Actions framework](https://www.elastic.co/docs/explore-analyze/alerting). Each action type requires a connector. Connectors store the information required to send notifications via external systems. 
The following connector types are supported for rule notifications: - - * Slack - * Email - * PagerDuty - * Webhook - * Microsoft Teams - * IBM Resilient - * Jira - * ServiceNow ITSM - > info - > For more information on PagerDuty fields, see [Send a v2 Event](https://developer.pagerduty.com/docs/events-api-v2/trigger-events/). - - To retrieve connector IDs, which are required to configure rule notifications, call the [Find objects API](https://www.elastic.co/docs/api/doc/kibana/operation/operation-findsavedobjects) with `"type": "action"` in the request payload. - - For detailed information on Kibana actions and alerting, and additional API calls, see: - - * [Alerting API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-alerting) - * [Alerting and Actions framework](https://www.elastic.co/docs/explore-analyze/alerting) - * [Connectors API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-connectors) - operationId: CreateRule - requestBody: - content: - application/json: - examples: - example1: - description: Query rule that searches for processes started by MS Office - summary: Query rule - value: - description: Process started by MS Office program - possible payload - enabled: false - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-70m - interval: 1h - language: kuery - name: MS Office child process - query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - name: process.parent.name - type: keyword - risk_score: 50 - rule_id: process_started_by_ms_office_program - severity: low - tags: - - child process - - ms office - type: query - example2: - description: Threshold rule that detects multiple failed login attempts to a Windows host from the 
same external source IP address - summary: Threshold rule - value: - description: Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame. - enabled: true - exceptions_list: - - id: int-ips - namespace_type: single - type: detection - from: now-180s - index: - - winlogbeat-* - interval: 2m - name: Windows server prml-19 - query: host.name:prml-19 and event.category:authentication and event.outcome:failure - required_fields: - - name: source.ip - type: ip - risk_score: 30 - rule_id: liv-win-ser-logins - severity: low - severity_mapping: - - field: source.geo.city_name - operator: equals - severity: low - value: Manchester - - field: source.geo.city_name - operator: equals - severity: medium - value: London - - field: source.geo.city_name - operator: equals - severity: high - value: Birmingham - - field: source.geo.city_name - operator: equals - severity: critical - value: Wallingford - tags: - - Brute force - threshold: - field: source.ip - value: 20 - type: threshold - example3: - description: Machine learning rule that creates alerts, and sends Slack notifications, when the linux_anomalous_network_activity_ecs machine learning job discovers anomalies with a threshold of 70 or above. - summary: Machine learning rule - value: - actions: - - action_type_id: .slack - group: default - id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 - params: - message: 'Urgent: {{context.rule.description}}' - anomaly_threshold: 70 - description: Generates alerts when the job discovers anomalies over 70 - enabled: true - from: now-6m - interval: 5m - machine_learning_job_id: linux_anomalous_network_activity_ecs - name: Anomalous Linux network activity - note: Shut down the internet. - risk_score: 70 - rule_id: ml_linux_network_high_threshold - setup: This rule requires data coming in from Elastic Defend. 
- severity: high - tags: - - machine learning - - Linux - type: machine_learning - example4: - description: Event correlation rule that creates alerts when the Windows rundll32.exe process makes unusual network connections - summary: EQL rule - value: - description: Unusual rundll32.exe network connection - language: eql - name: rundll32.exe network connection - query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")] - required_fields: - - name: event.type - type: keyword - - name: process.args - type: keyword - - name: process.args_count - type: long - - name: process.entity_id - type: keyword - - name: process.name - type: keyword - - name: process.pe.original_file_name - type: keyword - risk_score: 21 - rule_id: eql-outbound-rundll32-connections - severity: low - tags: - - EQL - - Windows - - rundll32.exe - type: eql - example5: - description: | - Indicator match rule that creates an alert when one of the following is true: The event's destination IP address and port number matches destination IP and port values in the threat_index index; The event's source IP address matches a host IP address value in the threat_index index. 
- summary: Indicator match rule - value: - actions: [] - description: Checks for bad IP addresses listed in the ip-threat-list index - index: - - packetbeat-* - name: Bad IP threat match - query: destination.ip:* or host.ip:* - required_fields: - - name: destination.ip - type: ip - - name: destination.port - type: long - - name: host.ip - type: ip - risk_score: 50 - severity: medium - threat_index: - - ip-threat-list - threat_mapping: - - entries: - - field: destination.ip - type: mapping - value: destination.ip - - field: destination.port - type: mapping - value: destination.port - - entries: - - field: source.ip - type: mapping - value: host.ip - threat_query: '*:*' - type: threat_match - example6: - description: New terms rule that creates alerts a new IP address is detected for a user - summary: New terms rule - value: - description: Detects a user associated with a new IP address - history_window_start: now-30d - index: - - auditbeat* - language: kuery - name: New User IP Detected - new_terms_fields: - - user.id - - source.ip - query: '*' - required_fields: - - name: user.id - type: keyword - - name: source.ip - type: ip - risk_score: 21 - severity: medium - type: new_terms - example7: - description: esql rule that creates alerts from events that match an Excel parent process - summary: Esql rule - value: - description: Find Excel events - enabled: false - from: now-360s - interval: 5m - language: esql - name: Find Excel events - query: from auditbeat-8.10.2 METADATA _id, _version, _index | where process.parent.name == "EXCEL.EXE" - required_fields: - - name: process.parent.name - type: keyword - risk_score: 21 - severity: low - tags: [] - to: now - type: esql - example8: - description: Query rule that searches for processes started by MS Office and suppresses alerts by the process.parent.name field within a 5-hour time period - summary: Query rule 2 - value: - alert_suppression: - duration: - unit: h - value: 5 - group_by: - - process.parent.name - 
missing_fields_strategy: suppress - description: Process started by MS Office program - possible payload - enabled: false - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-70m - interval: 1h - language: kuery - name: MS Office child process - query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE - risk_score: 50 - rule_id: process_started_by_ms_office_program - severity: low - tags: - - child process - - ms office - type: query - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps' - required: true - responses: - '200': - content: - application/json: - examples: - example1: - description: Example response for a query rule - summary: Query rule response - value: - actions: [] - created_at: '2020-04-07T14:51:09.755Z' - created_by: elastic - description: Process started by MS Office program - possible payload - enabled: false - false_positives: [] - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-70m - id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: MS Office child process - query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - - integration: graphactivitylogs - package: azure - version: ^1.11.4 - required_fields: - - ecs: true - name: process.parent.name - type: keyword - risk_score: 50 - rule_id: process_started_by_ms_office_program - setup: '' - severity: low - tags: - - child process - - ms office - threat: [] - to: now - type: query - 
updated_at: '2020-04-07T14:51:09.970Z' - updated_by: elastic - version: 1 - example2: - description: Example response for a machine learning job rule - summary: Machine learning response - value: - actions: - - action_type_id: .slack - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 - params: - message: 'Urgent: {{context.rule.description}}' - anomaly_threshold: 70 - created_at: '2020-04-07T14:45:15.679Z' - created_by: elastic - description: Generates alerts when the job discovers anomalies over 70 - enabled: true - false_positives: [] - from: now-6m - id: 83876f66-3a57-4a99-bf37-416494c80f3b - immutable: false - interval: 5m - machine_learning_job_id: linux_anomalous_network_activity_ecs - max_signals: 100 - name: Anomalous Linux network activity - note: Shut down the internet. - references: [] - related_integrations: [] - required_fields: [] - risk_score: 70 - rule_id: ml_linux_network_high_threshold - setup: '' - severity: high - status: going to run - status_date: '2020-04-07T14:45:21.685Z' - tags: - - machine learning - - Linux - threat: [] - to: now - type: machine_learning - updated_at: '2020-04-07T14:45:15.892Z' - updated_by: elastic - version: 1 - example3: - description: Example response for a threshold rule - summary: Threshold rule response - value: - actions: [] - author: [] - created_at: '2020-07-22T10:27:23.486Z' - created_by: elastic - description: Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame. 
- enabled: true - exceptions_list: - - id: int-ips - namespace_type: single - type: detection - false_positives: [] - from: now-180s - id: 15dbde26-b627-4d74-bb1f-a5e0ed9e4993 - immutable: false - index: - - winlogbeat-* - interval: 2m - language: kuery - max_signals: 100 - name: Windows server prml-19 - query: host.name:prml-19 and event.category:authentication and event.outcome:failure - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: source.ip - type: ip - risk_score: 30 - risk_score_mapping: [] - rule_id: liv-win-ser-logins - setup: '' - severity: low - severity_mapping: - - field: source.geo.city_name - operator: equals - severity: low - value: Manchester - - field: source.geo.city_name - operator: equals - severity: medium - value: London - - field: source.geo.city_name - operator: equals - severity: high - value: Birmingham - - field: source.geo.city_name - operator: equals - severity: critical - value: Wallingford - tags: - - Brute force - threat: [] - threshold: - field: source.ip - value: 20 - to: now - type: threshold - updated_at: '2020-07-22T10:27:23.673Z' - updated_by: elastic - version: 1 - example4: - description: Example response for an EQL rule - summary: EQL rule response - value: - author: [] - created_at: '2020-10-05T09:06:16.392Z' - created_by: elastic - description: Unusual rundll32.exe network connection - enabled: true - exceptions_list: [] - false_positives: [] - from: now-6m - id: 93808cae-b05b-4dc9-8479-73574b50f8b1 - immutable: false - interval: 5m - language: eql - max_signals: 100 - name: rundll32.exe network connection - query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where 
event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")] - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: event.type - type: keyword - - ecs: true - name: process.args - type: keyword - - ecs: true - name: process.args_count - type: long - - ecs: true - name: process.entity_id - type: keyword - - ecs: true - name: process.name - type: keyword - - ecs: true - name: process.pe.original_file_name - type: keyword - risk_score: 21 - risk_score_mapping: [] - rule_id: eql-outbound-rundll32-connections - setup: '' - severity: low - severity_mapping: [] - tags: - - EQL - - Windows - - rundll32.exe - threat: [] - throttle: no_actions - to: now - type: eql - updated_at: '2020-10-05T09:06:16.403Z' - updated_by: elastic - version: 1 - example5: - description: Example response for an indicator match rule - summary: Indicator match rule response - value: - author: [] - created_at: '2020-10-06T07:07:58.227Z' - created_by: elastic - description: Checks for bad IP addresses listed in the ip-threat-list index - enabled: true - exceptions_list: [] - false_positives: [] - from: now-6m - id: d5daa13f-81fb-4b13-be2f-31011e1d9ae1 - immutable: false - index: - - packetbeat-* - interval: 5m - language: kuery - max_signals: 100 - name: Bad IP threat match - query: destination.ip:* or host.ip:* - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: destination.ip - type: ip - - ecs: true - name: destination.port - type: long - - ecs: true - name: host.ip - type: ip - risk_score: 50 - risk_score_mapping: [] - rule_id: 608501e4-c768-4f64-9326-cec55b5d439b - setup: '' - severity: medium - severity_mapping: [] - tags: [] - threat: [] - threat_index: - - ip-threat-list - threat_mapping: - - entries: - - field: destination.ip - type: mapping - value: destination.ip - - field: destination.port - type: mapping - 
value: destination.port - - entries: - - field: source.ip - type: mapping - value: host.ip - threat_query: '*:*' - to: now - type: threat_match - updated_at: '2020-10-06T07:07:58.237Z' - updated_by: elastic - version: 1 - example6: - description: Example response for a new terms rule - summary: New terms rule response - value: - author: [] - created_at: '2020-10-06T07:07:58.227Z' - created_by: elastic - description: Detects a user associated with a new IP address - enabled: true - exceptions_list: [] - false_positives: [] - from: now-6m - history_window_start: now-30d - id: eb7225c0-566b-11ee-8b4f-bbf3afdeb9f4 - immutable: false - index: - - auditbeat* - interval: 5m - language: kuery - max_signals: 100 - name: New User IP Detected - new_terms_fields: - - user.id - - source.ip - query: '*' - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: user.id - type: keyword - - ecs: true - name: source.ip - type: ip - risk_score: 21 - risk_score_mapping: [] - rule_id: c6f5d0bc-7be9-47d4-b2f3-073d22641e30 - setup: '' - severity: medium - severity_mapping: [] - tags: [] - threat: [] - to: now - type: new_terms - updated_at: '2020-10-06T07:07:58.237Z' - updated_by: elastic - version: 1 - example7: - description: Example response for an Esql rule - summary: Esql rule response - value: - actions: [] - author: [] - created_at: '2023-10-18T10:55:14.269Z' - created_by: elastic - description: Find Excel events - enabled: false - exceptions_list: [] - false_positives: [] - from: now-360s - id: d0f20490-6da4-11ee-b85e-09e9b661f2e2 - immutable: false - interval: 5m - language: esql - max_signals: 100 - name: Find Excel events - output_index: '' - query: from auditbeat-8.10.2 METADATA _id | where process.parent.name == "EXCEL.EXE" - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: process.parent.name - type: keyword - revision: 0 - risk_score: 21 - 
risk_score_mapping: [] - rule_id: e4b53a89-debd-4a0d-a3e3-20606952e589 - setup: '' - severity: low - severity_mapping: [] - tags: [] - threat: [] - to: now - type: esql - updated_at: '2023-10-18T10:55:14.269Z' - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Create a detection rule - tags: - - Security Detections API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: | - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/detection_engine/rules
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a detection rule using the `rule_id` or `id` field. The original rule is replaced, and all unspecified fields are deleted. - - The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. - > warn - > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. - - > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. - operationId: UpdateRule - requestBody: - content: - application/json: - examples: - example1: - summary: Update query rule - value: - description: A new description - id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 - name: A new name for the rule - risk_score: 22 - severity: medium - type: query - example2: - summary: Update EQL rule - value: - description: eql rule test - id: 9b684efb-acf9-4323-9bff-8335b3867d14 - index: - - apm-*-transaction* - language: eql - name: New name for EQL rule - query: process where process.name == "regsvr32.exe" - risk_score: 21 - severity: low - type: eql - example3: - summary: Update threshold rule - value: - description: Description of threat rule test - id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 - language: kuery - name: New name for threat rule - query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"' - risk_score: 21 - severity: low - tags: - - new_tag - threshold: - cardinality: [] - field: [] - value: 400 - type: threshold - example4: - summary: Update new terms rule - value: - description: New description - 
history_window_start: now-7d - id: 569aac91-40dc-4807-a8ae-a2c8698089c4 - interval: 5m - name: New terms rule name - new_terms_fields: - - Endpoint.policy.applied.artifacts.global.identifiers.name - query: 'agent.version : "9.1.0"' - risk_score: 21 - severity: low - type: new_terms - example5: - summary: Update esql rule - value: - description: New description for esql rule - id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd - language: esql - name: New name for esql rule - query: | - FROM logs* - | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) /* MIN(dateField) finds the earliest timestamp in the dataset. */ - | EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW()) /* Calculates the event rate by dividing the total count of events by the time difference (in seconds) between the earliest event and the current time. */ - | KEEP event_rate - risk_score: 21 - severity: low - type: esql - example6: - summary: Update indicator match rule - value: - description: New description - id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd - name: New name for Indicator Match rule - query: source.ip:* or destination.ip:*\n - risk_score: 99 - severity: critical - threat_index: - - filebeat-* - - logs-ti_* - threat_mapping: - - entries: - - field: source.ip - type: mapping - value: threat.indicator.ip - - entries: - - field: destination.ip - type: mapping - value: threat.indicator.ip - threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"true"' - type: threat_match - example7: - summary: Update machine learning rule - value: - anomaly_threshold: 50 - description: New description of ml rule - id: 60b13926-289b-41b1-a537-197ef1fa5059 - machine_learning_job_id: - - auth_high_count_logon_events_ea - name: New name of ml rule - risk_score: 21 - severity: low - type: machine_learning - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps' - description: | - > info - 
> All unspecified fields are deleted. You cannot modify the `id` or `rule_id` values. - required: true - responses: - '200': - content: - application/json: - examples: - example1: - summary: Example response for an updated rule - value: - actions: [] - created_at: '2020-04-07T14:51:09.755Z' - created_by: elastic - description: Updated description for the rule. - enabled: false - false_positives: [] - filters: - - query: null - from: now-70m - id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: Updated Rule Name - query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - required_fields: - - name: process.parent.name - risk_score: 50 - rule_id: process_started_by_ms_office_program - setup: '' - severity: low - tags: - - child process - - ms office - threat: [] - to: now - type: query - updated_at: '2020-04-07T14:51:09.970Z' - updated_by: elastic - version: 2 - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Update a detection rule - tags: - - Security Detections API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/detection_engine/rules/_bulk_action: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/detection_engine/rules/_bulk_action
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs. - - The edit action allows you to add, delete, or set tags, index patterns, investigation fields, rule actions and schedules for multiple rules at once. - The edit action is idempotent, meaning that if you add a tag to a rule that already has that tag, no changes are made. The same is true for other edit actions, for example removing an index pattern that is not specified in a rule will not result in any changes. The only exception is the `add_rule_actions` and `set_rule_actions` action, which is non-idempotent. This means that if you add or set a rule action to a rule that already has that action, a new action is created with a new unique ID. - > warn - > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. - - > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. - operationId: PerformRulesBulkAction - parameters: - - description: | - Enables dry run mode for the request call. - - Enable dry run mode to verify that bulk actions can be applied to specified rules. Certain rules, such as prebuilt Elastic rules on a Basic subscription, can’t be edited and will return errors in the request response. Error details will contain an explanation, the rule name and/or ID, and additional troubleshooting information. - - To enable dry run mode on a request, add the query parameter `dry_run=true` to the end of the request URL. Rules specified in the request will be temporarily updated. 
These updates won’t be written to Elasticsearch. - > info - > Dry run mode is not supported for the `export` bulk action. A 400 error will be returned in the request response. - in: query - name: dry_run - required: false - schema: - type: boolean - requestBody: - content: - application/json: - examples: - example01: - description: The following request activates all rules with the test tag. - summary: Enable - Enable all rules with the test tag - value: - action: enable - query: 'alert.attributes.tags: "test"' - example02: - description: The following request enables the rule with the specified ID. - summary: Enable - Enable a specific rule by ID. - value: - action: enable - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example03: - description: The following request disables the rule with the specified ID. - summary: Disable - Disable a specific rule by ID - value: - action: disable - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example04: - description: The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions. - summary: Duplicate - Duplicate rules with specific IDs - value: - action: duplicate - duplicate: - include_exceptions: true - include_expired_exceptions: false - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - - 461a4c22-416e-4009-a9a7-cf79656454bf - example05: - description: The following request deletes the rule with the specified ID. - summary: Delete - Delete a specific rule by ID - value: - action: delete - ids: - - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 - example06: - description: The following request runs the rule with the specified ID within the given date range. - summary: Run - Run a specific rule by ID - value: - action: run - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - run: - end_date: '2025-03-10T23:59:59.999Z' - start_date: '2025-03-01T00:00:00.000Z' - example07: - description: The following request exports the rules with the specified IDs. 
- summary: Export - Export specific rules by ID - value: - action: export - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example08: - description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true - summary: Edit - dry run - Validate add_index_patterns bulk action - value: - action: edit - edit: - - type: add_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - - de8f5af0-0831-11ed-ac8b-05a222bd8d4a - example09: - description: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made. - summary: Edit - Add a tag to rules (idempotent) - value: - action: edit - edit: - - type: add_tags - value: - - tag-1 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example10: - description: The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made. - summary: Edit - Add two tags to rules (idempotent) - value: - action: edit - edit: - - type: add_tags - value: - - tag-1 - - tag-2 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example11: - description: The following request removes the tag "tag-1" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made. 
- summary: Edit - Delete a tag from rules (idempotent) - value: - action: edit - edit: - - type: delete_tags - value: - - tag-1 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example12: - description: The following request sets the tags "tag-1" and "tag-2" for the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. - summary: Edit - Set (overwrite existing) tags for rules (idempotent) - value: - action: edit - edit: - - type: set_tags - value: - - tag-1 - - tag-2 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example13: - description: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made. - summary: Edit - Add index patterns to rules (idempotent) - value: - action: edit - edit: - - type: add_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - example14: - description: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made. - summary: Edit - Remove index patterns from rules (idempotent) - value: - action: edit - edit: - - type: delete_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - example15: - description: The following request sets the index patterns "test-*" and "prod-*" for the rules with the specified IDs, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. 
- summary: Edit - Set (overwrite existing) index patterns for rules patterns (idempotent) - value: - action: edit - edit: - - type: set_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - example16: - description: The following request adds investigation field to the rules with the specified IDs. - summary: Edit - Add investigation field to rules - value: - action: edit - edit: - - type: add_investigation_fields - value: - field_names: - - alert.status - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example17: - description: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made. - summary: Edit - Delete investigation fields from rules (idempotent) - value: - action: edit - edit: - - type: delete_investigation_fields - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - value: - - field1 - - field2 - example18: - description: The following request sets investigation fields for the rules with the specified IDs, overwriting any existing investigation fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made. - summary: Edit - Set (overwrite existing) investigation fields for rules (idempotent) - value: - action: edit - edit: - - type: set_investigation_fields - value: - - field1 - - field2 - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example19: - description: The following request sets a timeline template for the rules with the specified IDs. If the same timeline template is already set for a rule, no changes are made. 
- summary: Edit - Set (overwrite existing) timeline template for rules (idempotent) - value: - action: edit - edit: - - type: set_timeline - value: - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - ids: - - eacdfc95-e007-41c9-986e-4b2cbdfdc71b - example20: - description: The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made. - summary: Edit - Set (overwrite existing) schedule for rules (idempotent) - value: - action: edit - edit: - - type: set_schedule - value: - interval: 1h - lookback: 30m - ids: - - 99887766-5544-3322-1100-aabbccddeeff - example21: - description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules (non-idempotent) - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: The message body - ids: - - 9e946bfc-3118-4c77-bb25-67d781191928 - example22: - description: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID. - summary: Edit - Set (overwrite existing) rule actions for rules (non-idempotent) - value: - action: edit - edit: - - type: set_rule_actions - value: - actions: - - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: The message body - ids: - - 9e946bfc-3118-4c77-bb25-67d781191928 - example23: - description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. 
- summary: Edit - Add rule actions to rules for a webhook connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: The message body - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example24: - description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for an email connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - message: The message body - subject: Subject - to: address@domain.com - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example25: - description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a slack connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - message: The content of the message - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example26: - description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a PagerDuty connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - eventAction: trigger - severity: critical - summary: The message body - timestamp: '2023-10-31T00:00:00.000Z' - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example27: - description: The following request set alert suppression to the rules with the specified IDs. 
- summary: Edit - Set alert suppression to rules (idempotent) - value: - action: edit - edit: - - type: set_alert_suppression - value: - duration: - unit: h - value: 1 - group_by: - - source.ip - missing_fields_strategy: suppress - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example28: - description: The following request set alert suppression to threshold rules with the specified IDs. - summary: Edit - Set alert suppression to threshold rules (idempotent) - value: - action: edit - edit: - - type: set_alert_suppression_for_threshold - value: - duration: - unit: h - value: 1 - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example29: - description: The following request removes alert suppression from the rules with the specified IDs. If the rules do not have alert suppression, no changes are made. - summary: Edit - Removes alert suppression from rules (idempotent) - value: - action: edit - edit: - - type: delete_alert_suppression - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example30: - description: The following request triggers the filling of gaps for the specified rule ids and time range - summary: Fill Gaps - Manually trigger the filling of gaps for specified rules - value: - action: fill_gaps - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - - 164d0918-f720-4c9f-9f5c-c5122587cf19 - run: - end_date: '2025-03-10T23:59:59.999Z' - start_date: '2025-03-01T00:00:00.000Z' - schema: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' - - $ref: '#/components/schemas/Security_Detections_API_BulkDisableRules' - - $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules' - - $ref: '#/components/schemas/Security_Detections_API_BulkExportRules' - - $ref: '#/components/schemas/Security_Detections_API_BulkDuplicateRules' - - $ref: '#/components/schemas/Security_Detections_API_BulkManualRuleRun' - - $ref: 
'#/components/schemas/Security_Detections_API_BulkManualRuleFillGaps' - - $ref: '#/components/schemas/Security_Detections_API_BulkEditRules' - responses: - '200': - content: - application/json: - examples: - example01: - description: In this response one rule was updated and one was skipped. Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason. - summary: Successful response - value: - attributes: - results: - created: [] - deleted: [] - skipped: - - id: 51658332-a15e-4c9e-912a-67214e2e2359 - name: Skipped rule - skip_reason: RULE_NOT_MODIFIED - updated: - - anomaly_threshold: 50 - author: - - Elastic - created_at: '2022-02-21T14:14:13.801Z' - created_by: elastic - description: A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data. - enabled: true - exceptions_list: [] - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. - metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: - - DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded. 
- from: now-45m - id: 8bc7dad0-9320-11ec-9265-8b772383a08d - immutable: false - interval: 15m - license: Elastic License v2 - machine_learning_job_id: - - packetbeat_dns_tunneling_ea - max_signals: 100 - name: DNS Tunneling [Duplicate] - references: - - https://www.elastic.co/docs/reference/machine-learning/ootb-ml-jobs-siem - related_integrations: [] - required_fields: [] - risk_score: 21 - risk_score_mapping: [] - rule_id: 7289bf08-4e91-4c70-bf01-e04c4c5d7756 - setup: '' - severity: low - severity_mapping: [] - tags: - - Elastic - - Network - - Threat Detection - - ML - threat: [] - to: now - type: machine_learning - updated_at: '2022-02-21T17:05:50.883Z' - updated_by: elastic - version: 6 - summary: - failed: 0 - skipped: 1 - succeeded: 1 - total: 2 - rules_count: 1 - success: true - example02: - description: If processing of any rule fails, a partial error outputs the ID and/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request). - summary: Partial failure - value: - value: - attributes: - errors: - - message: Index patterns can't be added. Machine learning rule doesn't have index patterns property - rules: - - id: 8bc7dad0-9320-11ec-9265-8b772383a08d - name: DNS Tunneling [Duplicate] - status_code: 500 - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: [] - author: - - Elastic - created_at: '2022-02-21T14:14:17.883Z' - created_by: elastic - description: Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app. - enabled: true - exceptions_list: [] - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. 
- metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: [] - from: now-6m - id: 8e5c1a40-9320-11ec-9265-8b772383a08d - immutable: false - index: - - apm-*-transaction* - - traces-apm* - - auditbeat-* - - filebeat-* - - logs-* - - packetbeat-* - - winlogbeat-* - - added-by-id-* - interval: 5m - language: kuery - license: Elastic License v2 - max_signals: 10000 - name: External Alerts [Duplicate] - query: | - event.kind:alert and not event.module:(endgame or endpoint) - references: [] - related_integrations: [] - required_fields: [] - risk_score: 47 - risk_score_mapping: - - field: event.risk_score - operator: equals - value: '' - rule_id: 941faf98-0cdc-4569-b16d-4af962914d61 - rule_name_override: message - setup: '' - severity: medium - severity_mapping: - - field: event.severity - operator: equals - severity: low - value: '21' - - field: event.severity - operator: equals - severity: medium - value: '47' - - field: event.severity - operator: equals - severity: high - value: '73' - - field: event.severity - operator: equals - severity: critical - value: '99' - tags: - - Elastic - - Network - - Windows - - APM - - macOS - - Linux - threat: [] - timestamp_override: event.ingested - to: now - type: query - updated_at: '2022-02-21T16:56:22.818Z' - updated_by: elastic - version: 5 - summary: - failed: 1 - skipped: 0 - succeeded: 1 - total: 2 - message: Bulk edit partially failed - rules_count: 2 - status_code: 500 - success: false - example03: - description: The attributes.errors section of the response shows that two rules failed to update and one succeeded. The same results would be returned if you ran the request without dry run mode enabled. Notice that there are no arrays in attributes.results. 
In dry run mode, rule updates are not applied and saved to Elasticsearch, so the endpoint wouldn’t return results for rules that have been updated, created, or deleted. - summary: Dry run - value: - attributes: - errors: - - err_code: IMMUTABLE - message: Elastic rule can't be edited - rules: - - id: 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - name: Unusual AWS Command for a User - status_code: 500 - - err_code: MACHINE_LEARNING_INDEX_PATTERN - message: Machine learning rule doesn't have index patterns - rules: - - id: dc015d10-0831-11ed-ac8b-05a222bd8d4a - name: Suspicious Powershell Script [Duplicate] - status_code: 500 - results: - created: [] - deleted: [] - skipped: [] - updated: [] - summary: - failed: 2 - skipped: 0 - succeeded: 1 - total: 3 - message: Bulk edit partially failed - status_code: 500 - example04: - description: This example presents the successful setting of tags for 2 rules. There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated. 
- summary: Set tags successsully for 2 rules - value: - attributes: - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: [] - author: [] - created_at: '2025-03-25T11:46:41.899Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-6m - id: 738112cd-6cfa-414a-8457-2a658845d6ba - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 5m - language: kuery - license: '' - max_signals: 100 - meta: - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Rule 1 - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 1 - risk_score: 21 - risk_score_mapping: [] - rule_id: 6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - threat: [] - to: now - type: query - updated_at: '2025-03-25T11:47:11.350Z' - updated_by: elastic - version: 2 - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: Hello - uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 - author: [] - created_at: '2025-03-25T09:49:08.343Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-360s - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 3m - investigation_fields: - field_names: - - alert.status - - Endpoint.policy.applied.artifacts.global.channel - language: kuery - license: '' - max_signals: 100 - meta: - from: 3m - 
kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Rule 2 - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 33 - risk_score: 21 - risk_score_mapping: [] - rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - threat: [] - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - to: now - type: query - updated_at: '2025-03-25T11:47:11.357Z' - updated_by: elastic - version: 24 - summary: - failed: 0 - skipped: 0 - succeeded: 2 - total: 2 - rules_count: 2 - success: true - example05: - description: This example presents the idempotent behavior of the edit action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them. - summary: Idempotent behavior of set_tags - value: - attributes: - results: - created: [] - deleted: [] - skipped: - - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - name: Rule 1 - skip_reason: RULE_NOT_MODIFIED - - id: 738112cd-6cfa-414a-8457-2a658845d6ba - name: Rule 2 - skip_reason: RULE_NOT_MODIFIED - updated: [] - summary: - failed: 0 - skipped: 2 - succeeded: 0 - total: 2 - rules_count: 2 - success: true - example06: - description: This example presents the idempotent behavior of the edit action with add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added. 
- summary: Idempotent behavior of add_tags - value: - attributes: - results: - created: [] - deleted: [] - skipped: - - id: 738112cd-6cfa-414a-8457-2a658845d6ba - name: Test Rule 2 - skip_reason: RULE_NOT_MODIFIED - updated: - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: Hello - uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 - author: [] - created_at: '2025-03-25T09:49:08.343Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-360s - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 3m - investigation_fields: - field_names: - - alert.status - - Endpoint.policy.applied.artifacts.global.channel - language: kuery - license: '' - max_signals: 100 - meta: - from: 3m - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Test rule - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 34 - risk_score: 21 - risk_score_mapping: [] - rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - - tag-4 - threat: [] - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - to: now - type: query - updated_at: '2025-03-25T11:55:12.752Z' - updated_by: elastic - version: 25 - summary: - failed: 0 - skipped: 1 - succeeded: 1 - total: 2 - rules_count: 2 - success: true - example07: - description: This example shows a non-idempotent nature of the set_rule_actions requests. 
Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID. - summary: Non-idempotent behavior for set_rule_actions - value: - attributes: - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: Hello - uuid: e48428e5-efac-4856-b8ad-b271c14eaa91 - author: [] - created_at: '2025-03-25T09:49:08.343Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-360s - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 3m - investigation_fields: - field_names: - - alert.status - - Endpoint.policy.applied.artifacts.global.channel - language: kuery - license: '' - max_signals: 100 - meta: - from: 3m - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Test rule - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 39 - risk_score: 21 - risk_score_mapping: [] - rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - - tag-4 - threat: [] - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - to: now - type: query - updated_at: '2025-03-25T12:17:40.528Z' - updated_by: elastic - version: 30 - summary: - failed: 0 - skipped: 0 - succeeded: 1 - total: 1 - rules_count: 1 - success: true - example08: - description: This example shows a non-idempotent nature of the add_rule_actions requests. 
Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID. - summary: Non-idempotent behavior for add_rule_actions - value: - attributes: - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 - params: - body: Message body - uuid: 0309347e-3954-429c-9168-5da2663389af - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 - params: - body: Message body - uuid: 49ddaa94-d63d-410e-90dc-8c1bad9552bd - author: [] - created_at: '2025-04-02T12:42:03.400Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-6m - id: 0d3eb0cd-88c4-4651-ac87-6d9f0cb87217 - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 5m - language: kuery - license: '' - max_signals: 100 - meta: - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Jacek test rule - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 2 - risk_score: 21 - risk_score_mapping: [] - rule_id: 2684c020-1370-4719-ac27-eafe6428fe10 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: [] - threat: [] - to: now - type: query - updated_at: '2025-04-02T12:51:40.215Z' - updated_by: elastic - version: 2 - summary: - failed: 0 - skipped: 0 - succeeded: 1 - total: 1 - rules_count: 1 - success: true - schema: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResponse' - - $ref: 
'#/components/schemas/Security_Detections_API_BulkExportActionResponse' - description: OK - summary: Apply a bulk action to detection rules - tags: - - Security Detections API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/detection_engine/rules/_export: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/detection_engine/rules/_export
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Export detection rules to an `.ndjson` file. The following configuration items are also included in the `.ndjson` file: - - Actions - - Exception lists - > info - > Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules. - - > You can use Kibana’s [Saved Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules. - - > Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately. - operationId: ExportRules - parameters: - - description: Determines whether a summary of the exported rules is returned. - in: query - name: exclude_export_details - required: false - schema: - default: false - type: boolean - - description: | - File name for saving the exported rules. - > info - > When using cURL to export rules to a file, use the -O and -J options to save the rules to the file name specified in the URL. 
- in: query - name: file_name - required: false - schema: - default: export.ndjson - type: string - requestBody: - content: - application/json: - schema: - nullable: true - type: object - properties: - objects: - description: Array of objects with a rule's `rule_id` field. Do not use rule's `id` here. Exports all rules when unspecified. - items: - type: object - properties: - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - required: - - rule_id - type: array - required: - - objects - required: false - responses: - '200': - content: - application/ndjson: - schema: - description: | - An `.ndjson` file containing the returned rules. - - Each line in the file represents an object (a rule, exception list parent container, or exception list item), and the last line includes a summary of what was exported. - format: binary - type: string - description: Indicates a successful call. - summary: Export detection rules - tags: - - Security Detections API - x-codeSamples: - - lang: cURL - source: | - curl -X POST "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' - { - "objects": [ - { - "rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900" - }, - { - "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d" - } - ] - } - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/detection_engine/rules/_find: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/detection_engine/rules/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page. - operationId: FindRules - parameters: - - in: query - name: fields - required: false - schema: - items: - type: string - type: array - - description: | - Search query - - Filters the returned results according to the value of the specified field, using the alert.attributes.: syntax, where can be: - - name - - enabled - - tags - - createdBy - - interval - - updatedBy - > info - > Even though the JSON rule object uses created_by and updated_by fields, you must use createdBy and updatedBy fields in the filter. - in: query - name: filter - required: false - schema: - type: string - - description: Field to sort by - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_FindRulesSortField' - - description: Sort order - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_SortOrder' - - description: Page number - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: integer - - description: Rules per page - in: query - name: per_page - required: false - schema: - default: 20 - minimum: 0 - type: integer - - description: Gaps range start - in: query - name: gaps_range_start - required: false - schema: - type: string - - description: Gaps range end - in: query - name: gaps_range_end - required: false - schema: - type: string - - description: Gap fill statuses - in: query - name: gap_fill_statuses - required: false - schema: - items: - $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' - type: array - - description: Gap auto fill scheduler ID used to determine gap fill status for rules - in: query - name: gap_auto_fill_scheduler_id - required: false - schema: - type: string - responses: - '200': - 
content: - application/json: - examples: - example1: - value: - data: - - created_at: '2020-02-02T10:05:19.613Z' - created_by: elastic - description: Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity. - enabled: false - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. - metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: [] - from: now-6m - id: 89761517-fdb0-4223-b67b-7621acc48f9e - immutable: true - index: - - winlogbeat-* - interval: 5m - language: kuery - max_signals: 33 - name: Windows Script Executing PowerShell - query: 'event.action:"Process Create (rule: ProcessCreate)" and process.parent.name:("wscript.exe" or "cscript.exe") and process.name:"powershell.exe"' - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: event.action - type: keyword - - ecs: true - name: process.name - type: keyword - - ecs: true - name: process.parent.name - type: keyword - risk_score: 21 - rule_id: f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc - setup: '' - severity: low - tags: - - Elastic - - Windows - threat: - - framework: MITRE ATT&CK - tactic: - id: TA0002 - name: Execution - reference: https://attack.mitre.org/tactics/TA0002/ - technique: - - id: T1193 - name: Spearphishing Attachment - reference: https://attack.mitre.org/techniques/T1193/ - to: now - type: query - updated_at: '2020-02-02T10:05:19.830Z' - updated_by: elastic - page: 1 - perPage: 5 - total: 4 - schema: - type: object - properties: - data: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - 
type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - warnings: - items: - $ref: '#/components/schemas/Security_Detections_API_WarningSchema' - type: array - required: - - page - - perPage - - total - - data - description: | - Successful response - > info - > These fields are under development and their usage or schema may change: execution_summary. - summary: List all detection rules - tags: - - Security Detections API - x-codeSamples: - - lang: cURL - source: | - curl -X GET "localhost:5601/api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows" -H 'kbn-xsrf: true' - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/detection_engine/rules/_import: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/detection_engine/rules/_import
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Import detection rules from an `.ndjson` file, including actions and exception lists. The request must include: - - The `Content-Type: multipart/form-data` HTTP header. - - A link to the `.ndjson` file containing the rules. - > warn - > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. - - > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. - > info - > To import rules with actions, you need at least Read privileges for the Action and Connectors feature. To overwrite or add new connectors, you need All privileges for the Actions and Connectors feature. To import rules without actions, you don’t need Actions and Connectors privileges. Refer to [Enable and access detections](https://www.elastic.co/docs/solutions/security/detect-and-alert/detections-privileges) for more information. - - > info - > Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules. - - > You can use Kibana’s [Saved Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules. 
- - > Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately. - operationId: ImportRules - parameters: - - description: Determines whether existing rules with the same `rule_id` are overwritten. - in: query - name: overwrite - required: false - schema: - default: false - type: boolean - - description: Determines whether existing exception lists with the same `list_id` are overwritten. Both the exception list container and its items are overwritten. - in: query - name: overwrite_exceptions - required: false - schema: - default: false - type: boolean - - description: Determines whether existing actions with the same `kibana.alert.rule.actions.id` are overwritten. - in: query - name: overwrite_action_connectors - required: false - schema: - default: false - type: boolean - - description: Generates a new list ID for each imported exception list. - in: query - name: as_new_list - required: false - schema: - default: false - type: boolean - requestBody: - content: - multipart/form-data: - schema: - type: object - properties: - file: - description: The `.ndjson` file containing the rules. 
- format: binary - type: string - required: true - responses: - '200': - content: - application/json: - examples: - example1: - summary: Import rules with success - value: - errors: [] - exceptions_errors: [] - exceptions_success: true - exceptions_success_count: 0 - rules_count: 1 - success: true - success_count: 1 - schema: - additionalProperties: false - type: object - properties: - action_connectors_errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - action_connectors_success: - type: boolean - action_connectors_success_count: - minimum: 0 - type: integer - action_connectors_warnings: - items: - $ref: '#/components/schemas/Security_Detections_API_WarningSchema' - type: array - errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - exceptions_errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - exceptions_success: - type: boolean - exceptions_success_count: - minimum: 0 - type: integer - rules_count: - minimum: 0 - type: integer - success: - type: boolean - success_count: - minimum: 0 - type: integer - required: - - exceptions_success - - exceptions_success_count - - exceptions_errors - - rules_count - - success - - success_count - - errors - - action_connectors_errors - - action_connectors_warnings - - action_connectors_success - - action_connectors_success_count - description: Indicates a successful call. - summary: Import detection rules - tags: - - Security Detections API - x-codeSamples: - - lang: cURL - source: | - curl -X POST "/api/detection_engine/rules/_import" - -u : -H 'kbn-xsrf: true' - -H 'Content-Type: multipart/form-data' - --form "file=@" - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/detection_engine/rules/{id}/exceptions: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/detection_engine/rules/{id}/exceptions
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create exception items that apply to a single detection rule. - operationId: CreateRuleExceptionListItems - parameters: - - description: Detection rule's identifier - examples: - id: - value: 330bdd28-eedf-40e1-bed0-f10176c7f9e0 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_UUID' - requestBody: - content: - application/json: - schema: - example: - items: - - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - type: simple - type: object - properties: - items: - items: - $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps' - type: array - required: - - items - description: Rule exception items. - required: true - responses: - '200': - content: - application/json: - examples: - ruleExceptionItems: - value: - - _version: WzQsMV0= - comments: [] - created_at: '2025-01-07T20:07:33.119Z' - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: '2025-01-07T20:07:33.119Z' - updated_by: elastic - schema: - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - type: array - description: Successful response - '400': - content: - application/json: - examples: - badPayload: - value: - error: Bad Request - message: Invalid request payload JSON format - statusCode: 400 - badRequest: - value: - error: Bad Request - message: '[request params]: id: Invalid uuid' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - message: Unable to create exception-list - status_code: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal 
Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create rule exception items - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/detection_engine/rules/preview: - post: - operationId: RulePreview - parameters: - - description: Enables logging and returning in response ES queries, performed during rule execution - in: query - name: enable_logged_requests - required: false - schema: - type: boolean - requestBody: - content: - application/json: - schema: - anyOf: - - allOf: - - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - - allOf: - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - - allOf: - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - - allOf: - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - - allOf: - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - - allOf: - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - - allOf: - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - - allOf: - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - 
discriminator: - propertyName: type - description: An object containing tags to add or remove and alert ids the changes will be applied - required: true - responses: - '200': - content: - application/json: - schema: - type: object - properties: - isAborted: - type: boolean - logs: - items: - $ref: '#/components/schemas/Security_Detections_API_RulePreviewLogs' - type: array - previewId: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - required: - - logs - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Preview rule alerts generated on specified time range - tags: - - Security Detections API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/detection_engine/rules/preview
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/detection_engine/signals/assignees: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/detection_engine/signals/assignees
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Assign users to detection alerts, and unassign them from alerts. - > info - > You cannot add and remove the same assignee in the same request. - operationId: SetAlertAssignees - requestBody: - content: - application/json: - examples: - add: - $ref: '#/components/examples/Security_Detections_API_SetAlertAssigneesBodyAdd' - remove: - $ref: '#/components/examples/Security_Detections_API_SetAlertAssigneesBodyRemove' - schema: - $ref: '#/components/schemas/Security_Detections_API_SetAlertAssigneesBody' - required: true - responses: - '200': - content: - application/ndjson: - examples: - add: - value: - batches: 1, - deleted: 0, - failures: [] - noops: 0, - requests_per_second: '-1,' - retries: - - bulk: 0, - - search: 0 - throttled_millis: 0, - throttled_until_millis: 0, - timed_out: false, - took: 76, - total: 1, - updated: 1, - version_conflicts: 0, - description: Indicates a successful call. - '400': - description: Invalid request. - summary: Assign and unassign users from detection alerts - tags: - - Security Detections API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/detection_engine/signals/search: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/detection_engine/signals/search
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Find and/or aggregate detection alerts that match the given query. - operationId: SearchAlerts - requestBody: - content: - application/json: - examples: - query: - value: - aggs: - alertsByGrouping: - terms: - field: host.name - size: 10 - missingFields: - missing: - field: host.name - query: - bool: - filter: - - bool: - filter: - - match_phrase: - kibana.alert.workflow_status: open - must: [] - must_not: - - exists: - field: kibana.alert.building_block_type - should: [] - - range: - '@timestamp': - gte: '2025-01-17T08:00:00.000Z' - lte: '2025-01-18T07:59:59.999Z' - runtime_mappings: {} - size: 0 - schema: - $ref: '#/components/schemas/Security_Detections_API_QueryAlertsBodyParams' - description: Elasticsearch query and aggregation request - description: Search and/or aggregation query - required: true - responses: - '200': - content: - application/json: - examples: - success: - value: - _shards: - failed: 0 - skipped: 0 - successful: 1 - total: 1 - aggregations: - alertsByGrouping: - buckets: - - doc_count: 5 - key: Host-f43kkddfyc - doc_count_error_upper_bound: 0 - sum_other_doc_count: 0 - missingFields: - doc_count: 0 - hits: - hits: [] - max_score: null - total: - relation: eq - value: 5 - timed_out: false - took: 0 - schema: - additionalProperties: true - description: Elasticsearch search response - type: object - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '500': - content: - application/json: - schema: - $ref: 
'#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Find and/or aggregate detection alerts - tags: - - Security Detections API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/detection_engine/signals/status: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/detection_engine/signals/status
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Set the status of one or more detection alerts. - operationId: SetAlertsStatus - requestBody: - content: - application/json: - examples: - byId: - value: - signal_ids: - - 80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1 - status: closed - byQuery: - value: - conflicts: proceed - query: - bool: - filter: - - '@timestamp': - format: strict_date_optional_time - gte: '2024-10-23T07:00:00.000Z' - lte: '2025-01-21T20:12:11.704Z' - range: null - - bool: - filter: - bool: - filter: - - match_phrase: - kibana.alert.workflow_status: open - - '@timestamp': - format: strict_date_optional_time - gte: '2024-10-23T07:00:00.000Z' - lte: '2025-01-21T20:12:11.704Z' - range: null - must: [] - must_not: - - exists: - field: kibana.alert.building_block_type - should: [] - must: [] - must_not: [] - should: [] - status: closed - schema: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByIds' - - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByQuery' - description: An object containing desired status and explicit alert ids or a query to select alerts - required: true - responses: - '200': - content: - application/json: - examples: - byId: - value: - batches: 1 - deleted: 0 - failures: [] - noops: 0 - requests_per_second: -1 - retries: - bulk: 0 - search: 0 - throttled_millis: 0 - throttled_until_millis: 0 - timed_out: false - took: 81 - total: 1 - updated: 1 - version_conflicts: 0 - byQuery: - value: - batches: 1 - deleted: 0 - failures: [] - noops: 0 - requests_per_second: -1 - retries: - bulk: 0 - search: 0 - throttled_millis: 0 - throttled_until_millis: 0 - timed_out: false - took: 100 - total: 17 - updated: 17 - version_conflicts: 0 - schema: - additionalProperties: true - description: Elasticsearch update by query response - type: object - description: Successful response - '400': - content: - application/json: - 
schema: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Set a detection alert status - tags: - - Security Detections API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/detection_engine/signals/tags: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/detection_engine/signals/tags
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - And tags to detection alerts, and remove them from alerts. - > info - > You cannot add and remove the same alert tag in the same request. - operationId: SetAlertTags - requestBody: - content: - application/json: - examples: - add: - $ref: '#/components/examples/Security_Detections_API_SetAlertTagsBodyAdd' - remove: - $ref: '#/components/examples/Security_Detections_API_SetAlertTagsBodyRemove' - schema: - $ref: '#/components/schemas/Security_Detections_API_SetAlertTagsBody' - description: An object containing tags to add or remove and alert ids the changes will be applied - required: true - responses: - '200': - content: - application/json: - examples: - success: - value: - batches: 1, - deleted: 0, - failures: [] - noops: 0, - requests_per_second: '-1,' - retries: - bulk: 0, - search: 0 - throttled_millis: 0, - throttled_until_millis: 0, - timed_out: false, - took: 68, - total: 1, - updated: 1, - version_conflicts: 0, - schema: - additionalProperties: true - description: Elasticsearch update by query response - type: object - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Add and remove detection alert tags - tags: - - Security Detections API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/detection_engine/tags: - get: - description: 
|- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/detection_engine/tags
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all unique tags from all detection rules. - operationId: ReadTags - responses: - '200': - content: - application/json: - examples: - example1: - value: - - zeek - - suricata - - windows - - linux - - network - - initial access - - remote access - - phishing - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - description: Indicates a successful call - summary: List all detection rule tags - tags: - - Security Detections API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/endpoint_list: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint_list
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create the exception list for Elastic Endpoint rule exceptions. When you create the exception list, it will have a `list_id` of `endpoint_list`. If the Elastic Endpoint exception list already exists, your request will return an empty response. - operationId: CreateEndpointList - responses: - '200': - content: - application/json: - examples: - alreadyExists: - summary: Endpoint exception list already exists (empty response) - value: {} - newList: - summary: Endpoint exception list created - value: - created_at: '2025-01-01T00:00:00.000Z' - created_by: elastic - description: Endpoint Security Exception List - id: 2e23a8c4-ef7e-4c10-adfa-3eae4e4b4b8b - immutable: false - list_id: endpoint_list - name: Endpoint Security Exception List - namespace_type: agnostic - os_types: [] - tags: [] - tie_breaker_id: e3c5a8e0-5b6a-4b4b-8b3a-2e23a8c4ef7e - type: endpoint - updated_at: '2025-01-01T00:00:00.000Z' - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointList' - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Invalid input data - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - description: Insufficient privileges - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Internal server error - summary: Create an Elastic Endpoint rule 
exception list - tags: - - Security Endpoint Exceptions API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/endpoint_list/items: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/endpoint_list/items
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. - operationId: DeleteEndpointListItem - parameters: - - description: Either `id` or `item_id` must be specified - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' - - description: Either `id` or `item_id` must be specified - in: query - name: item_id - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' - responses: - '200': - content: - application/json: - examples: - deleted: - summary: Deleted endpoint exception list item - value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: [] - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Invalid input data - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication - '403': - content: - application/json: - 
schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - description: Insufficient privileges - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Endpoint list item not found - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Internal server error - summary: Delete an Elastic Endpoint exception list item - tags: - - Security Endpoint Exceptions API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/endpoint_list/items
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the details of an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. - operationId: ReadEndpointListItem - parameters: - - description: Either `id` or `item_id` must be specified - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' - - description: Either `id` or `item_id` must be specified - in: query - name: item_id - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' - responses: - '200': - content: - application/json: - examples: - item: - summary: Endpoint exception list item - value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Invalid input data - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication - '403': - content: - 
application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - description: Insufficient privileges - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Endpoint list item not found - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Internal server error - summary: Get an Elastic Endpoint rule exception list item - tags: - - Security Endpoint Exceptions API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint_list/items
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create an Elastic Endpoint exception list item, and associate it with the Elastic Endpoint exception list. - operationId: CreateEndpointListItem - requestBody: - content: - application/json: - examples: - matchAny: - summary: Exclude multiple process names - value: - description: Exclude common security tools from endpoint protection - entries: - - field: process.name - operator: included - type: match_any - value: - - scanner.exe - - updater.exe - name: Trusted security tools - os_types: - - windows - type: simple - simpleMatch: - summary: Block a specific file hash - value: - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - name: Block malicious file - os_types: - - windows - tags: - - policy:all - type: simple - schema: - type: object - properties: - comments: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' - default: [] - description: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' - entries: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' - item_id: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' - meta: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' - name: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' - os_types: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' - default: [] - tags: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' - default: [] - type: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' - required: - - type - - name - - 
description - - entries - description: Exception list item's properties - required: true - responses: - '200': - content: - application/json: - examples: - created: - summary: Endpoint exception list item created - value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Invalid input data - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - description: Insufficient privileges - '409': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Endpoint list item already exists - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Internal server error - summary: Create an Elastic Endpoint rule exception list item 
- tags: - - Security Endpoint Exceptions API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/endpoint_list/items
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. - operationId: UpdateEndpointListItem - requestBody: - content: - application/json: - examples: - updateName: - summary: Update an endpoint exception list item - value: - description: Updated description for the exception - entries: - - field: file.hash.sha256 - operator: included - type: match - value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - item_id: block-malicious-file - name: Block malicious file (updated) - os_types: - - windows - - linux - type: simple - schema: - type: object - properties: - _version: - description: The version id, normally returned by the API when the item is retrieved. Use it ensure updates are made against the latest version. - type: string - comments: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' - default: [] - description: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' - entries: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' - id: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' - description: Either `id` or `item_id` must be specified - item_id: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' - description: Either `id` or `item_id` must be specified - meta: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' - name: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' - os_types: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' - default: [] - tags: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' - type: - $ref: 
'#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' - required: - - type - - name - - description - - entries - description: Exception list item's properties - required: true - responses: - '200': - content: - application/json: - examples: - updated: - summary: Endpoint exception list item updated - value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Updated description for the exception - entries: - - field: file.hash.sha256 - operator: included - type: match - value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file (updated) - namespace_type: agnostic - os_types: - - windows - - linux - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-15T09:30:00.000Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Invalid input data - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - description: Insufficient privileges - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Endpoint list item not found - '500': - content: - application/json: - schema: - $ref: 
'#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Internal server error - summary: Update an Elastic Endpoint rule exception list item - tags: - - Security Endpoint Exceptions API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/endpoint_list/items/_find: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/endpoint_list/items/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all Elastic Endpoint exception list items. - operationId: FindEndpointListItems - parameters: - - description: | - Filters the returned results according to the value of the specified field, - using the `:` syntax. - in: query - name: filter - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - - description: The page number to return - in: query - name: page - required: false - schema: - minimum: 0 - type: integer - - description: The number of exception list items to return per page - in: query - name: per_page - required: false - schema: - minimum: 0 - type: integer - - description: Determines which field is used to sort the results - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - - description: Determines the sort order, which can be `desc` or `asc` - in: query - name: sort_order - required: false - schema: - enum: - - desc - - asc - type: string - responses: - '200': - content: - application/json: - examples: - foundItems: - summary: Found endpoint exception list items - value: - data: - - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic - page: 1 - per_page: 20 - total: 1 - schema: - type: object - properties: - data: - description: The list 
of endpoint exception list items. - items: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' - type: array - page: - description: The current page number. - minimum: 0 - type: integer - per_page: - description: The number of items per page. - minimum: 0 - type: integer - pit: - description: The point-in-time ID for pagination. - type: string - total: - description: The total number of endpoint exception list items. - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Invalid input data - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - description: Insufficient privileges - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Endpoint list not found - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Internal server error - summary: Get Elastic Endpoint exception list items - tags: - - Security Endpoint Exceptions API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/endpoint/action: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/endpoint/action
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all response actions. - operationId: EndpointGetActionsList - parameters: - - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' - - in: query - name: commands - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' - - in: query - name: agentIds - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' - - in: query - name: userIds - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' - - in: query - name: startDate - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' - - in: query - name: endDate - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' - - in: query - name: agentTypes - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - - in: query - name: withOutputs - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' - - in: query - name: types - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse' - description: Indicates a successful call. - summary: Get response actions - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/endpoint/action_status: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/endpoint/action_status
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the status of response actions for the specified agent IDs. - operationId: EndpointGetActionsStatus - parameters: - - description: A list of agent IDs to get the action status for. - in: query - name: agent_ids - required: true - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse' - description: Indicates a successful call. - summary: Get response actions status - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/endpoint/action/{action_id}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/endpoint/action/{action_id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the details of a response action using the action ID. - operationId: EndpointGetActionsDetails - parameters: - - in: path - name: action_id - required: true - schema: - description: The ID of the action to retrieve. - example: fr518850-681a-4y60-aa98-e22640cae2b8 - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionDetailsResponse' - description: OK - summary: Get action details - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/endpoint/action/{action_id}/file/{file_id}: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/endpoint/action/{action_id}/file/{file_id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get information for the specified response action file download. - operationId: EndpointFileInfo - parameters: - - description: The ID of the response action that generated the file. - in: path - name: action_id - required: true - schema: - type: string - - description: | - The file identifier is constructed in one of two ways: - - For Elastic Defend agents (`agentType` of `endpoint`): combine the `action_id` and `agent_id` values using a dot (`.`) separator: - `{file_id}` = `{action_id}.{agent_id}` - - For all other agent types: the `file_id` is the `agent_id` for which the response action was sent to. - in: path - name: file_id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - properties: - data: - type: object - properties: - actionId: - description: The response action ID. - type: string - agentId: - description: The agent ID that generated the file. - type: string - agentType: - description: The type of agent that generated the file. - type: string - created: - description: The date and time the file was created. - format: date-time - type: string - id: - description: The unique file identifier. - type: string - mimeType: - description: The MIME type of the file. - type: string - name: - description: The file name. - type: string - size: - description: The file size in bytes. - type: number - status: - description: The file upload status. - enum: - - AWAITING_UPLOAD - - UPLOADING - - READY - - UPLOAD_ERROR - - DELETED - type: string - description: Indicates a successful call. - summary: Get file information - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/endpoint/action/{action_id}/file/{file_id}/download: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/endpoint/action/{action_id}/file/{file_id}/download
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Download a file associated with a response action. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment. - > info - > Files retrieved from third-party-protected hosts require a different password. Refer to [Third-party response actions](https://www.elastic.co/docs/solutions/security/endpoint-response-actions/third-party-response-actions) for your system's password. - operationId: EndpointFileDownload - parameters: - - description: The ID of the response action that generated the file. - in: path - name: action_id - required: true - schema: - type: string - - description: | - The file identifier is constructed in one of two ways: - - For Elastic Defend agents (`agentType` of `endpoint`): combine the `action_id` and `agent_id` values using a dot (`.`) separator: - `{file_id}` = `{action_id}.{agent_id}` - - For all other agent types: the `file_id` is the `agent_id` for which the response action was sent to. - in: path - name: file_id - required: true - schema: - type: string - responses: - '200': - content: - application/octet-stream: - schema: - format: binary - type: string - description: Indicates a successful call. - summary: Download a file - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/endpoint/action/cancel: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint/action/cancel
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Cancel a running or pending response action (Applies only to some agent types). - operationId: CancelAction - requestBody: - content: - application/json: - examples: - MicrosoftDefenderEndpoint: - summary: Cancel a response action on a Microsoft Defender for Endpoint host - value: - agent_type: microsoft_defender_endpoint - comment: Cancelling action due to change in requirements - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_CancelRouteRequestBody' - required: true - responses: - '200': - content: - application/json: - examples: - CancelSuccess: - summary: Cancel action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: microsoft_defender_endpoint - command: cancel - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' - description: Indicates a successful call. - summary: Cancel a response action - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/endpoint/action/execute: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint/action/execute
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Run a shell command on an endpoint. - operationId: EndpointExecuteAction - requestBody: - content: - application/json: - examples: - executeCommand: - summary: Execute a shell command on an endpoint - value: - comment: Get list of all files - endpoint_ids: - - b3d6de74-36b0-4fa8-be46-c375bf1771bf - parameters: - command: ls -al - timeout: 600 - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody' - required: true - responses: - '200': - content: - application/json: - examples: - ExecuteSuccess: - summary: Execute action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: execute - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 9f934028-2300-4927-b531-b26376793dc4 - isCompleted: false - isExpired: false - outputs: {} - parameters: - command: ls -al - timeout: 600 - startedAt: '2023-07-28T18:43:27.362Z' - status: pending - wasSuccessful: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' - description: Indicates a successful call. - summary: Run a command - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/endpoint/action/get_file: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint/action/get_file
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a file from an endpoint. - operationId: EndpointGetFileAction - requestBody: - content: - application/json: - examples: - getFile: - summary: Get a specific file from an endpoint - value: - comment: Get my file - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - path: /usr/my-file.txt - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody' - required: true - responses: - '200': - content: - application/json: - examples: - GetFileSuccess: - summary: Get file action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: get-file - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 - isCompleted: false - isExpired: false - outputs: {} - parameters: - path: /usr/my-file.txt - startedAt: '2023-07-28T19:00:03.911Z' - status: pending - wasSuccessful: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' - description: Indicates a successful call. - summary: Get a file - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/endpoint/action/isolate: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint/action/isolate
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Isolate an endpoint from the network. The endpoint remains isolated until it's released. - operationId: EndpointIsolateAction - requestBody: - content: - application/json: - examples: - multiple_endpoints: - summary: Isolates several hosts; includes a comment - value: - comment: Locked down, pending further investigation - endpoint_ids: - - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 - - bc0e4f0c-3bca-4633-9fee-156c0b505d16 - - fa89271b-b9d4-43f2-a684-307cffddeb5a - single_endpoint: - summary: Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - with_case_id: - summary: Isolates a single host with a case_id value of 1234 - value: - case_ids: - - 4976be38-c134-4554-bd5e-0fd89ce63667 - comment: Isolating as initial response - endpoint_ids: - - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 - - b30a11bf-1395-4707-b508-fbb45ef9793e - schema: - type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - case_ids: - description: The IDs of cases where the action taken will be logged. Max of 50. 
- example: - - case-id-1 - - case-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - required: true - responses: - '200': - content: - application/json: - examples: - IsolateSuccess: - summary: Isolate action successfully created - value: - action: 233db9ea-6733-4849-9226-5a7039c7161d - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: isolate - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse' - description: Indicates a successful call. - summary: Isolate an endpoint - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/endpoint/action/kill_process: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint/action/kill_process
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Terminate a running process on an endpoint. - operationId: EndpointKillProcessAction - requestBody: - content: - application/json: - examples: - byEntityId: - summary: Terminate a process by entity ID - value: - comment: Terminating malicious process - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - entity_id: abc123 - byPid: - summary: Terminate a process by PID - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - pid: 1234 - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody' - required: true - responses: - '200': - content: - application/json: - examples: - KillProcessSuccess: - summary: Kill process action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: kill-process - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - entity_id: abc123 - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' - description: Indicates a successful call. - summary: Terminate a process - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/endpoint/action/memory_dump: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint/action/memory_dump
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Generates memory dumps on the targeted host. - operationId: EndpointGenerateMemoryDump - requestBody: - content: - application/json: - examples: - ProcessMemoryDump: - summary: Generate a memory dump from the host machine - value: - agent_type: endpoint - comment: Generating memory dump for investigation - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - entity_id: abc123 - type: process - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_MemoryDumpRouteRequestBody' - required: true - responses: - '200': - content: - application/json: - examples: - MemoryDumpSuccessResponse: - summary: Memory dump action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: memory-dump - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - entity_id: abc123 - type: process - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' - description: Indicates a successful call. - summary: Generate a memory dump from the host machine - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/endpoint/action/running_procs: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint/action/running_procs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all processes running on an endpoint. - operationId: EndpointGetProcessesAction - requestBody: - content: - application/json: - examples: - singleEndpoint: - summary: Get running processes on a single endpoint - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody' - required: true - responses: - '200': - content: - application/json: - examples: - RunningProcsSuccess: - summary: Running processes action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: running-processes - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' - description: Indicates a successful call. - summary: Get running processes - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/endpoint/action/runscript: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint/action/runscript
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Run a script on a host. Currently supported only for some agent types. - operationId: RunScriptAction - requestBody: - content: - application/json: - examples: - MDE: - description: Microsoft Defender Endpoint runscript - summary: Run a script against a Microsoft Defender Endpoint agent - value: - agent_type: microsoft_defender_endpoint - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - args: '-param1 value1 -param2 value2' - scriptName: my-script.ps1 - SentinelOne: - description: SentinelOne runscript - summary: Run a script against a SentinelOne agent - value: - agent_type: sentinel_one - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 - scriptInput: '--delete --paths-to-delete /tmp/temp_file.txt,/tmp/random_file.txt' - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunScriptRouteRequestBody' - required: true - responses: - '200': - content: - application/json: - examples: - RunScriptSuccess: - summary: Run script action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: sentinel_one - command: runscript - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' - description: Indicates a successful call. 
- summary: Run a script - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/endpoint/action/scan: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint/action/scan
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Scan a specific file or directory on an endpoint for malware. - operationId: EndpointScanAction - requestBody: - content: - application/json: - examples: - scanFile: - summary: Scan a file on an endpoint - value: - comment: Scan the file for malware - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - path: /usr/my-file.txt - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody' - required: true - responses: - '200': - content: - application/json: - examples: - ScanSuccess: - summary: Scan action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: scan - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 - isCompleted: false - isExpired: false - outputs: {} - parameters: - path: /usr/my-file.txt - startedAt: '2023-07-28T19:00:03.911Z' - status: pending - wasSuccessful: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' - description: Indicates a successful call. - summary: Scan a file or directory - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/endpoint/action/state: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/endpoint/action/state
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a response actions state, which reports whether encryption is enabled. - operationId: EndpointGetActionsState - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse' - description: OK - summary: Get actions state - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/endpoint/action/suspend_process: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint/action/suspend_process
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Suspend a running process on an endpoint. - operationId: EndpointSuspendProcessAction - requestBody: - content: - application/json: - examples: - byEntityId: - summary: Suspend a process by entity ID - value: - comment: Suspending suspicious process - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - entity_id: abc123 - byPid: - summary: Suspend a process by PID - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - pid: 1234 - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody' - required: true - responses: - '200': - content: - application/json: - examples: - SuspendProcessSuccess: - summary: Suspend process action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: suspend-process - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - entity_id: abc123 - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' - description: Indicates a successful call. - summary: Suspend a process - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/endpoint/action/unisolate: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint/action/unisolate
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Release an isolated endpoint, allowing it to rejoin a network. - operationId: EndpointUnisolateAction - requestBody: - content: - application/json: - examples: - multipleHosts: - summary: 'Releases several hosts; includes a comment:' - value: - comment: Benign process identified, releasing group - endpoint_ids: - - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 - - bc0e4f0c-3bca-4633-9fee-156c0b505d16 - - fa89271b-b9d4-43f2-a684-307cffddeb5a - singleHost: - summary: Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - withCaseId: - summary: Releases hosts with an associated case; includes a comment. - value: - case_ids: - - 4976be38-c134-4554-bd5e-0fd89ce63667 - comment: Remediation complete, restoring network - endpoint_ids: - - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 - - b30a11bf-1395-4707-b508-fbb45ef9793e - schema: - type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - case_ids: - description: The IDs of cases where the action taken will be logged. Max of 50. 
- example: - - case-id-1 - - case-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - required: true - responses: - '200': - content: - application/json: - examples: - UnisolateSuccess: - summary: Unisolate action successfully created - value: - action: 233db9ea-6733-4849-9226-5a7039c7161d - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: unisolate - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse' - description: Indicates a successful call. - summary: Release an isolated endpoint - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/endpoint/action/upload: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint/action/upload
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Upload a file to an endpoint. - operationId: EndpointUploadAction - requestBody: - content: - multipart/form-data: - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody' - required: true - responses: - '200': - content: - application/json: - examples: - UploadSuccess: - summary: Upload action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: upload - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: Host-5i6cuc8kdv - id: 9ff6aebc-2cb6-481e-8869-9b30036c9731 - isCompleted: false - isExpired: false - outputs: {} - parameters: - file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280 - file_name: fix-malware.sh - file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a - file_size: 69 - startedAt: '2023-07-03T15:07:22.837Z' - status: pending - wasSuccessful: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' - description: Indicates a successful call. - summary: Upload a file - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/endpoint/metadata: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/endpoint/metadata
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all endpoint host metadata. - operationId: GetEndpointMetadataList - parameters: - - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' - - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' - - in: query - name: hostStatuses - required: true - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_HostStatuses' - - in: query - name: sortField - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SortField' - - in: query - name: sortDirection - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SortDirection' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_MetadataListResponse' - description: Indicates a successful call. - summary: Get a metadata list - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/endpoint/metadata/{id}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/endpoint/metadata/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get host metadata for a specific endpoint. - operationId: GetEndpointMetadata - parameters: - - description: The agent ID of the endpoint. - in: path - name: id - required: true - schema: - example: ed518850-681a-4d60-bb98-e22640cae2a8 - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointMetadataResponse' - description: Indicates a successful call. - summary: Get metadata - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/endpoint/policy_response: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/endpoint/policy_response
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the most recent policy response for an endpoint. - operationId: GetPolicyResponse - parameters: - - description: The agent ID to retrieve the policy response for. - in: query - name: agentId - required: true - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' - description: Indicates a successful call. - summary: Get a policy response - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/endpoint/protection_updates_note/{package_policy_id}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/endpoint/protection_updates_note/{package_policy_id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the protection updates note for a package policy. - operationId: GetProtectionUpdatesNote - parameters: - - description: The package policy ID to retrieve the protection updates note for. - in: path - name: package_policy_id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse' - description: Indicates a successful call. - summary: Get a protection updates note - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint/protection_updates_note/{package_policy_id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create or update the protection updates note for a package policy. - operationId: CreateUpdateProtectionUpdatesNote - parameters: - - description: The package policy ID to create or update the protection updates note for. - in: path - name: package_policy_id - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - type: object - properties: - note: - description: The note content. - type: string - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse' - description: Indicates a successful call. - summary: Create or update a protection updates note - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_analytics/monitoring/engine/delete: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/entity_analytics/monitoring/engine/delete
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Deletes the Privilege Monitoring Engine and optionally removes all associated privileged user data. - operationId: DeleteMonitoringEngine - parameters: - - description: Whether to delete all the privileged user data - in: query - name: data - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - DeleteMonitoringEngineResponse: - summary: Engine deleted successfully - value: - deleted: true - schema: - type: object - properties: - deleted: - type: boolean - required: - - deleted - description: Successful response - summary: Delete the Privilege Monitoring Engine - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_analytics/monitoring/engine/disable: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_analytics/monitoring/engine/disable
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Disables the Privilege Monitoring Engine, stopping all monitoring activity without removing data. - operationId: DisableMonitoringEngine - responses: - '200': - content: - application/json: - examples: - DisableMonitoringEngineResponse: - summary: Engine disabled successfully - value: - status: disabled - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' - description: Successful response - summary: Disable the Privilege Monitoring Engine - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_analytics/monitoring/engine/init: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_analytics/monitoring/engine/init
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Initializes the Privilege Monitoring Engine, setting up the required resources and starting the engine. - operationId: InitMonitoringEngine - responses: - '200': - content: - application/json: - examples: - InitMonitoringEngineResponse: - summary: Engine initialized successfully - value: - status: started - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' - description: Successful response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' - description: Internal Server Error - summary: Initialize the Privilege Monitoring Engine - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_analytics/monitoring/engine/schedule_now: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_analytics/monitoring/engine/schedule_now
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Schedules the Privilege Monitoring Engine to run as soon as possible, triggering an immediate monitoring cycle. - operationId: ScheduleMonitoringEngine - responses: - '200': - content: - application/json: - examples: - ScheduleMonitoringEngineResponse: - summary: Engine scheduled successfully - value: - success: true - schema: - type: object - properties: - success: - description: Indicates the scheduling was successful - type: boolean - description: Successful response - '409': - content: - application/json: - schema: - type: object - properties: - message: - description: Error message indicating the engine is already running - type: string - description: Conflict - Monitoring engine is already running - summary: Schedule the Privilege Monitoring Engine - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_analytics/monitoring/privileges/health: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/entity_analytics/monitoring/privileges/health
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Returns the current health status of the Privilege Monitoring Engine, including engine status, error details, and user count statistics. - operationId: PrivMonHealth - responses: - '200': - content: - application/json: - examples: - PrivMonHealthResponse: - summary: Healthy privilege monitoring engine - value: - status: started - users: - current_count: 42 - max_allowed: 1000 - schema: - type: object - properties: - error: - type: object - properties: - message: - type: string - required: - - status - status: - $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus' - users: - description: User statistics for privilege monitoring - type: object - properties: - current_count: - description: Current number of privileged users being monitored - type: integer - max_allowed: - description: Maximum number of privileged users allowed to be monitored - type: integer - required: - - current_count - - max_allowed - required: - - status - description: Successful response - summary: Health check on Privilege Monitoring - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_analytics/monitoring/privileges/privileges: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/entity_analytics/monitoring/privileges/privileges
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Check if the current user has all required permissions for Privilege Monitoring - operationId: PrivMonPrivileges - responses: - '200': - content: - application/json: - example: - has_all_required: true - privileges: - elasticsearch: - index: - .entity_analytics.monitoring.user-default: - read: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityAnalyticsPrivileges' - description: Successful response - summary: Run a privileges check on Privilege Monitoring - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_analytics/monitoring/users: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_analytics/monitoring/users
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Creates a new privileged user to be monitored by the Privilege Monitoring Engine. - operationId: CreatePrivMonUser - requestBody: - content: - application/json: - examples: - CreatePrivMonUserRequest: - summary: Create a monitored user - value: - entity_analytics_monitoring: - labels: - - field: department - source: api - value: IT - user: - name: john.doe - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserName' - required: true - responses: - '200': - content: - application/json: - examples: - CreatePrivMonUserResponse: - summary: Created monitored user - value: - '@timestamp': '2026-01-28T12:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: api - value: IT - event: - ingested: '2026-01-28T12:00:00.000Z' - id: user-abc-123 - user: - is_privileged: true - name: john.doe - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' - description: User created successfully - summary: Create a new monitored user - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_analytics/monitoring/users/_csv: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_analytics/monitoring/users/_csv
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Bulk upserts privileged users by uploading a CSV file. Returns per-row errors and aggregate upload statistics. - operationId: PrivmonBulkUploadUsersCSV - requestBody: - content: - multipart/form-data: - schema: - type: object - properties: - file: - description: The CSV file to upload. - format: binary - type: string - required: - - file - responses: - '200': - content: - application/json: - schema: - example: - errors: - - index: 1 - message: Invalid monitored field - username: john.doe - stats: - failedOperations: 1 - successfulOperations: 1 - totalOperations: 2 - uploaded: 1 - type: object - properties: - errors: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem' - type: array - stats: - $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadStats' - required: - - errors - - stats - description: Bulk upload successful - '413': - description: File too large - summary: Upsert multiple monitored users via CSV upload - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_analytics/monitoring/users/{id}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/entity_analytics/monitoring/users/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Removes a privileged user from monitoring by their document ID. - operationId: DeletePrivMonUser - parameters: - - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - DeletePrivMonUserResponse: - summary: User deleted successfully - value: - acknowledged: true - message: User deleted successfully - schema: - type: object - properties: - acknowledged: - description: Indicates if the deletion was successful - type: boolean - message: - description: A message providing additional information about the deletion status - type: string - required: - - success - description: User deleted successfully - summary: Delete a monitored user - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/entity_analytics/monitoring/users/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Updates the details of an existing monitored privileged user by their document ID. - operationId: UpdatePrivMonUser - parameters: - - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - UpdatePrivMonUserRequest: - summary: Update a monitored user - value: - entity_analytics_monitoring: - labels: - - field: department - source: api - value: Security - user: - is_privileged: true - name: john.doe - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc' - required: true - responses: - '200': - content: - application/json: - examples: - UpdatePrivMonUserResponse: - summary: Updated monitored user - value: - '@timestamp': '2026-01-28T12:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: api - value: Security - event: - ingested: '2026-01-28T12:00:00.000Z' - id: user-abc-123 - user: - is_privileged: true - name: john.doe - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' - description: User updated successfully - summary: Update a monitored user - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_analytics/monitoring/users/list: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/entity_analytics/monitoring/users/list
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Returns a list of all privileged users currently being monitored. Supports optional KQL filtering. - operationId: ListPrivMonUsers - parameters: - - description: KQL query to filter the list of monitored users - in: query - name: kql - required: false - schema: - type: string - responses: - '200': - content: - application/json: - examples: - ListPrivMonUsersResponse: - summary: List of monitored users - value: - - '@timestamp': '2026-01-28T12:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: api - value: IT - event: - ingested: '2026-01-28T12:00:00.000Z' - id: user-abc-123 - user: - is_privileged: true - name: john.doe - - '@timestamp': '2026-01-15T09:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: csv - value: Security - event: - ingested: '2026-01-15T09:00:00.000Z' - id: user-def-456 - user: - is_privileged: true - name: jane.smith - schema: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' - type: array - description: List of monitored users - summary: List all monitored users - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_analytics/privileged_user_monitoring/pad/install: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_analytics/privileged_user_monitoring/pad/install
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Installs the privileged access detection integration package and sets up the associated ML modules required for the Entity Analytics privileged user monitoring experience. - operationId: InstallPrivilegedAccessDetectionPackage - responses: - '200': - content: - application/json: - examples: - InstallPrivilegedAccessDetectionPackageResponse: - summary: Package installed successfully - value: - message: Privileged access detection package installed successfully - schema: - type: object - properties: - message: - type: string - required: - - message - description: Successful response - summary: Installs the privileged access detection package for the Entity Analytics privileged user monitoring experience - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_analytics/privileged_user_monitoring/pad/status: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/entity_analytics/privileged_user_monitoring/pad/status
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Returns the installation and ML module setup status of the privileged access detection package, along with the state of each associated ML job. - operationId: GetPrivilegedAccessDetectionPackageStatus - responses: - '200': - content: - application/json: - examples: - GetPrivilegedAccessDetectionPackageStatusResponse: - summary: Package fully installed and running - value: - jobs: - - description: Detects high-risk login patterns - job_id: pad-high-risk-login - state: opened - - description: Detects privilege escalation events - job_id: pad-privilege-escalation - state: opened - ml_module_setup_status: complete - package_installation_status: complete - schema: - type: object - properties: - jobs: - items: - type: object - properties: - description: - type: string - job_id: - type: string - state: - enum: - - closing - - closed - - opened - - failed - - opening - type: string - required: - - job_id - - state - type: array - ml_module_setup_status: - enum: - - complete - - incomplete - type: string - package_installation_status: - enum: - - complete - - incomplete - type: string - required: - - package_installation_status - - ml_module_setup_status - - jobs - description: Privileged access detection status retrieved - summary: Gets the status of the privileged access detection package for the Entity Analytics privileged user monitoring experience - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_analytics/watchlists: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_analytics/watchlists
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Creates a new entity analytics watchlist with an optional set of entity sources. Watchlists apply a risk score modifier to matched entities. - operationId: CreateWatchlist - requestBody: - content: - application/json: - examples: - CreateWatchlistRequest: - summary: Create watchlist request - value: - description: High risk vendor watchlist - managed: false - name: High Risk Vendors - riskModifier: 1.5 - CreateWatchlistWithSourcesRequest: - summary: Create watchlist with entity sources - value: - description: High risk vendor watchlist - entitySources: - - enabled: true - identifierField: user.name - indexPattern: my-sync-index - name: My User Index Source - type: index - managed: false - name: High Risk Vendors - riskModifier: 1.5 - schema: - type: object - properties: - description: - description: Description of the watchlist - type: string - entitySources: - description: Optional entity sources to create and link to the watchlist - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - filter: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Filter' - identifierField: - description: Field used to query the entity store for index-type sources - type: string - indexPattern: - type: string - integrationName: - description: Required when type is entity_analytics_integration. One of entityanalytics_okta, entityanalytics_ad. 
- type: string - matchers: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Matcher' - type: array - name: - type: string - queryRule: - description: KQL query used to filter data from the provided index patterns - type: string - range: - $ref: '#/components/schemas/Security_Entity_Analytics_API_DateRange' - type: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitySourceType' - required: - - type - - name - type: array - managed: - description: Indicates if the watchlist is managed by the system - type: boolean - name: - description: Unique name for the watchlist - type: string - riskModifier: - description: Risk score modifier associated with the watchlist - maximum: 2 - minimum: 0 - type: number - required: - - name - - riskModifier - required: true - responses: - '200': - content: - application/json: - examples: - CreateWatchlistResponse: - summary: Created watchlist - value: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-01-28T12:00:00.000Z' - schema: - allOf: - - $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' - - type: object - properties: - entitySources: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySource' - type: array - description: Watchlist created successfully - summary: Create a new watchlist - tags: - - Security Entity Analytics API - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_analytics/watchlists/{id}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/entity_analytics/watchlists/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieves the details of an entity analytics watchlist by its unique identifier. - operationId: GetWatchlist - parameters: - - description: Unique ID of the watchlist - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - GetWatchlistResponse: - summary: Watchlist details - value: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' - description: Watchlist details - summary: Get a watchlist by ID - tags: - - Security Entity Analytics API - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/entity_analytics/watchlists/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Updates the name, description, risk modifier, or managed status of an existing entity analytics watchlist. - operationId: UpdateWatchlist - parameters: - - description: The ID of the watchlist to update - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - UpdateWatchlistRequest: - summary: Update watchlist request - value: - description: High risk vendor watchlist - managed: false - name: High Risk Vendors - riskModifier: 1.5 - schema: - type: object - properties: - description: - description: Description of the watchlist - type: string - managed: - description: Indicates if the watchlist is managed by the system - type: boolean - name: - description: Unique name of the watchlist - type: string - riskModifier: - description: Risk score modifier associated with the watchlist - maximum: 2 - minimum: 0 - type: number - required: - - name - - riskModifier - required: true - responses: - '200': - content: - application/json: - examples: - UpdateWatchlistResponse: - summary: Updated watchlist - value: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' - description: Watchlist updated successfully - summary: Update an existing watchlist - tags: - - Security Entity Analytics API - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_analytics/watchlists/{watchlist_id}/csv_upload: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/csv_upload
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Uploads a CSV file to add entities to a watchlist. The CSV must contain a header row - with a "type" column (user, host, service, or generic) and one or more ECS identity - fields (e.g. "user.name", "host.hostname") used to match entities in the entity store. - - Matched entities are added to the watchlist and their `entity.attributes.watchlists` - field is updated in the entity store. - - Each row will match up to 10,000 entities. - operationId: UploadWatchlistCsv - parameters: - - description: The ID of the watchlist to add entities to - example: high-risk-vendors - in: path - name: watchlist_id - required: true - schema: - type: string - requestBody: - content: - multipart/form-data: - examples: - csvUpload: - summary: CSV file with user entities - value: - file: | - type,user.name - user,john.doe - user,jane.smith - schema: - type: object - properties: - file: - description: The CSV file to upload. 
- format: binary - type: string - required: - - file - required: true - responses: - '200': - content: - application/json: - examples: - CsvUploadResponse: - summary: CSV upload response with mixed results - value: - failed: 1 - items: - - matchedEntities: 1 - status: success - - error: Invalid entity type - matchedEntities: 0 - status: failure - - matchedEntities: 0 - status: unmatched - successful: 1 - total: 3 - unmatched: 1 - schema: - type: object - properties: - failed: - description: Number of rows that failed to process - example: 1 - type: integer - items: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem' - type: array - successful: - description: Number of rows that matched at least one entity - example: 1 - type: integer - total: - description: Total number of rows processed - example: 3 - type: integer - unmatched: - description: Number of rows that matched no entities - example: 1 - type: integer - required: - - successful - - failed - - total - - unmatched - - items - description: Upload successful - '413': - description: File too large - summary: Upload a CSV file to add entities to a watchlist - tags: - - Security Entity Analytics API - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_analytics/watchlists/{watchlist_id}/entities/assign: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/entities/assign
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Assigns the provided entities to the specified watchlist using a "manual" source label. - The entities must already exist in the entity store. - - If an entity is already on the watchlist, no new document is created — the "manual" label - is added to its existing source labels instead. - operationId: AssignWatchlistEntities - parameters: - - description: The ID of the watchlist to add entities to - example: high-risk-vendors - in: path - name: watchlist_id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - assignEntities: - summary: Assign two entities to a watchlist - value: - euids: - - user:john.doe - - host:web-01 - schema: - type: object - properties: - euids: - description: The EUIDs of the entities to assign - example: - - user:john.doe - - host:web-01 - items: - type: string - type: array - required: - - euids - required: true - responses: - '200': - content: - application/json: - examples: - assignEntitiesResponse: - summary: Successful assignment of two entities - value: - failed: 0 - items: - - euid: user:john.doe - status: success - - euid: host:web-01 - status: not_found - not_found: 1 - successful: 1 - total: 2 - schema: - type: object - properties: - failed: - description: Number of entities that failed to process - example: 0 - type: integer - items: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem' - type: array - not_found: - description: Number of entities not found in the entity store - example: 1 - type: integer - successful: - description: Number of entities successfully assigned - example: 1 - type: integer - total: - description: Total number of entities processed - example: 2 - type: integer - required: - - successful - - failed - - not_found - - total - - items - description: Assignment successful - summary: Manually assign entities 
to a watchlist - tags: - - Security Entity Analytics API - x-state: Technical Preview; added in 9.4.0 - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_analytics/watchlists/{watchlist_id}/entities/unassign: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/entities/unassign
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Unassigns the provided entities from the specified watchlist. - This only removes the "manual" assignment. If the entity is also - assigned via other sources (for example, index or integration), it will - remain on the watchlist. - operationId: UnassignWatchlistEntities - parameters: - - description: The ID of the watchlist to remove entities from - example: high-risk-vendors - in: path - name: watchlist_id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - unassignEntities: - summary: Unassign two entities from a watchlist - value: - euids: - - user:john.doe - - host:web-01 - schema: - type: object - properties: - euids: - description: The EUIDs of the entities to unassign - example: - - user:john.doe - - host:web-01 - items: - type: string - type: array - required: - - euids - required: true - responses: - '200': - content: - application/json: - examples: - unassignEntitiesResponse: - summary: Successful unassignment of two entities - value: - failed: 0 - items: - - euid: user:john.doe - status: success - - euid: host:web-01 - status: not_found - not_found: 1 - successful: 1 - total: 2 - schema: - type: object - properties: - failed: - description: Number of entities that failed to process - example: 0 - type: integer - items: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem' - type: array - not_found: - description: Number of entities not found in the manual watchlist assignment - example: 1 - type: integer - successful: - description: Number of entities successfully unassigned - example: 1 - type: integer - total: - description: Total number of entities processed - example: 2 - type: integer - required: - - successful - - failed - - not_found - - total - - items - description: Unassignment successful - summary: Manually unassign entities from a 
watchlist - tags: - - Security Entity Analytics API - x-state: Technical Preview; added in 9.4.0 - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_analytics/watchlists/list: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/entity_analytics/watchlists/list
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Returns a list of all entity analytics watchlists. - operationId: ListWatchlists - responses: - '200': - content: - application/json: - examples: - ListWatchlistsResponse: - summary: List of watchlists - value: - - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' - - createdAt: '2026-01-10T09:30:00.000Z' - description: Privileged user monitoring watchlist - id: watchlist-456 - managed: true - name: Privileged Accounts - riskModifier: 2 - updatedAt: '2026-02-01T15:45:00.000Z' - schema: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' - type: array - description: List of watchlists - summary: List all watchlists - tags: - - Security Entity Analytics API - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_store/enable: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_store/enable
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Initialize the entire Entity Store, creating engines for all or specified entity types. - operationId: InitEntityStore - requestBody: - content: - application/json: - schema: - type: object - properties: - delay: - default: 1m - description: The delay before the transform will run. - pattern: '[smdh]$' - type: string - docsPerSecond: - default: -1 - description: The number of documents per second to process. - type: integer - enrichPolicyExecutionInterval: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' - entityTypes: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - type: array - fieldHistoryLength: - default: 10 - description: The number of historical values to keep for each field. - type: integer - filter: - type: string - frequency: - default: 1m - description: The frequency at which the transform will run. - pattern: '[smdh]$' - type: string - indexPattern: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' - lookbackPeriod: - default: 3h - description: The amount of time the transform looks back to calculate the aggregations. - pattern: '[smdh]$' - type: string - maxPageSearchSize: - default: 500 - description: The initial page size to use for the composite aggregation of each checkpoint. - type: integer - timeout: - default: 180s - description: The timeout for initializing the aggregating transform. - pattern: '[smdh]$' - type: string - timestampField: - default: '@timestamp' - description: The field to use as the timestamp. - type: string - description: Configuration for the entity store initialization. - required: true - responses: - '200': - content: - application/json: - examples: - initEntityStoreExample: - description: The Entity Store was successfully initialized, creating host and user engines in the installing state. 
- summary: Entity Store initialized with host and user engines - value: - engines: - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: installing - timeout: 180s - timestampField: '@timestamp' - type: host - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: installing - timeout: 180s - timestampField: '@timestamp' - type: user - succeeded: true - schema: - type: object - properties: - engines: - description: The engine descriptors created during initialization. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' - type: array - succeeded: - description: Whether the Entity Store was initialized successfully. - type: boolean - description: Successful response - '400': - description: Invalid request - summary: Initialize the Entity Store - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_store/engines: - delete: - operationId: DeleteEntityEngines - parameters: - - description: The entity type of the engine ('user', 'host', 'service', 'generic'). - examples: - hostAndService: - value: host,service - in: query - name: entityTypes - required: false - schema: - description: Array of engine types to delete. Empty by default, which results in all the engines being deleted. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - type: array - - description: Control flag to also delete the entity data. - in: query - name: delete_data - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - deleteEntityEnginesExample: - description: Example response after deleting 'host' engine - value: - deleted: - - host - still_running: - - generic - - user - - service - schema: - type: object - properties: - deleted: - description: Entity types whose engines were successfully deleted. 
- items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - type: array - still_running: - description: Entity types whose engines are still running. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - type: array - description: Successful response - summary: Delete Entity Engines - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/entity_store/engines
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/entity_store/engines
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all installed entity engines and their current status. - operationId: ListEntityEngines - responses: - '200': - content: - application/json: - examples: - listEntityEnginesExample: - description: Returns a list with one running host engine and one stopped user engine. - summary: Two engines installed - value: - count: 2 - engines: - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: host - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: stopped - timeout: 180s - timestampField: '@timestamp' - type: user - schema: - type: object - properties: - count: - description: The total number of entity engines. - type: integer - engines: - description: An array of engine descriptors. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' - type: array - description: Successful response - summary: List the Entity Engines - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_store/engines/{entityType}: - delete: - operationId: DeleteEntityEngine - parameters: - - description: The entity type of the engine (either 'user' or 'host'). - examples: - host: - value: host - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - - description: Control flag to also delete the entity data. - in: query - name: delete_data - required: false - schema: - type: boolean - - deprecated: true - description: Control flag to also delete the entity data. 
- in: query - name: data - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - deleteEntityEngineExample: - description: Example response after deleting 'host' engine - value: - deleted: true - schema: - type: object - properties: - deleted: - description: Whether the engine was successfully deleted. - type: boolean - description: Successful response - summary: Delete the Entity Engine - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/entity_store/engines/{entityType}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/entity_store/engines/{entityType}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the engine descriptor for a specific entity type, including its configuration and current status. - operationId: GetEntityEngine - parameters: - - description: The entity type of the engine. - example: host - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': - content: - application/json: - examples: - getEntityEngineExample: - description: Returns the engine descriptor for a host engine that is currently running with default settings. - summary: A running host engine - value: - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: host - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' - description: Successful response - summary: Get an Entity Engine - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_store/engines/{entityType}/init: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_store/engines/{entityType}/init
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Initialize a single entity engine for the specified entity type. - operationId: InitEntityEngine - parameters: - - description: The entity type of the engine. - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - requestBody: - content: - application/json: - schema: - type: object - properties: - delay: - default: 1m - description: The delay before the transform will run. - pattern: '[smdh]$' - type: string - docsPerSecond: - default: -1 - description: The number of documents per second to process. - type: integer - enrichPolicyExecutionInterval: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' - fieldHistoryLength: - default: 10 - description: The number of historical values to keep for each field. - type: integer - filter: - type: string - frequency: - default: 1m - description: The frequency at which the transform will run. - pattern: '[smdh]$' - type: string - indexPattern: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' - lookbackPeriod: - default: 3h - description: The amount of time the transform looks back to calculate the aggregations. - pattern: '[smdh]$' - type: string - maxPageSearchSize: - default: 500 - description: The initial page size to use for the composite aggregation of each checkpoint. - type: integer - timeout: - default: 180s - description: The timeout for initializing the aggregating transform. - pattern: '[smdh]$' - type: string - timestampField: - default: '@timestamp' - description: The field to use as the timestamp for the entity type. - type: string - description: Schema for the engine initialization - required: true - responses: - '200': - content: - application/json: - examples: - initEntityEngineExample: - description: A host engine was successfully initialized and is now in the installing state. 
- summary: Host engine initialized - value: - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 3h - status: installing - timeout: 180s - timestampField: '@timestamp' - type: host - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' - description: Successful response - '400': - description: Invalid request - summary: Initialize an Entity Engine - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_store/engines/{entityType}/start: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_store/engines/{entityType}/start
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Start a previously stopped entity engine, resuming transform processing for the given entity type. - operationId: StartEntityEngine - parameters: - - description: The entity type of the engine to start. - example: host - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': - content: - application/json: - examples: - startEntityEngineExample: - description: The engine was successfully started and is now processing data. - summary: Engine started successfully - value: - started: true - schema: - type: object - properties: - started: - description: Whether the engine was successfully started. - type: boolean - description: Successful response - summary: Start an Entity Engine - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_store/engines/{entityType}/stop: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_store/engines/{entityType}/stop
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Stop a running entity engine, pausing transform processing for the given entity type. - operationId: StopEntityEngine - parameters: - - description: The entity type of the engine to stop. - example: host - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': - content: - application/json: - examples: - stopEntityEngineExample: - description: The engine was successfully stopped and is no longer processing data. - summary: Engine stopped successfully - value: - stopped: true - schema: - type: object - properties: - stopped: - description: Whether the engine was successfully stopped. - type: boolean - description: Successful response - summary: Stop an Entity Engine - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_store/engines/apply_dataview_indices: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_store/engines/apply_dataview_indices
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Synchronize data view index patterns to all running entity engines so that newly added indices are picked up by the transforms. - operationId: ApplyEntityEngineDataviewIndices - responses: - '200': - content: - application/json: - examples: - applyDataviewIndicesExample: - description: All running engines were successfully updated with the current data view index patterns. - summary: All engines updated - value: - result: - - changes: - indexPatterns: - - logs-* - - filebeat-* - - auditbeat-* - type: host - - changes: - indexPatterns: - - logs-* - - filebeat-* - - auditbeat-* - type: user - success: true - schema: - type: object - properties: - result: - description: Per-engine update results. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult' - type: array - success: - description: Whether all engines updated successfully. - type: boolean - description: Successful response - '207': - content: - application/json: - examples: - partialSuccessExample: - description: The host engine was updated but the user engine failed due to insufficient privileges. - summary: One engine failed - value: - errors: - - 'Failed to update user engine: insufficient privileges' - result: - - changes: - indexPatterns: - - logs-* - - filebeat-* - type: host - success: false - schema: - type: object - properties: - errors: - description: Error messages for engines that failed to update. - items: - type: string - type: array - result: - description: Per-engine update results for engines that succeeded. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult' - type: array - success: - description: Always `false` for a partial success. 
- type: boolean - description: Partial successful response - '500': - content: - application/json: - examples: - serverErrorExample: - description: An unexpected error occurred while applying data view indices. - summary: Internal server error - value: - body: An internal error occurred while updating engine indices - statusCode: 500 - schema: - type: object - properties: - body: - description: Error message. - type: string - statusCode: - description: HTTP status code. - type: number - description: Error response - summary: Apply DataView indices to all installed engines - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_store/entities/{entityType}: - delete: - description: | - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/entity_store/entities/{entityType}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a single entity in Entity Store. - The entity will be immediately deleted from the latest index. It will remain available in historical snapshots if it has been snapshotted. The delete operation does not prevent the entity from being recreated if it is observed again in the future. - operationId: DeleteSingleEntity - parameters: - - example: user - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - requestBody: - content: - application/json: - schema: - type: object - properties: - id: - description: Identifier of the entity to be deleted, commonly entity.id value. - example: arn:aws:iam::123456789012:user/jane.doe - type: string - required: - - id - description: Schema for the deleting entity - required: true - responses: - '200': - content: - application/json: - examples: - deleteEntityExample: - description: The entity was found and successfully removed from the latest index. - summary: Entity deleted - value: - deleted: true - schema: - type: object - properties: - deleted: - description: Whether the entity was successfully deleted. - type: boolean - description: Successful response. Entity deleted. - '404': - description: Entity Not Found. No entity with this ID and Type exists. - '503': - description: Operation on an uninitialized Engine or in a cluster without CRUD API Enabled - summary: Delete an entity in Entity Store - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: | - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/entity_store/entities/{entityType}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update or create an entity in Entity Store. - If the specified entity already exists, it is updated with the provided values. If the entity does not exist, a new one is created. By default, only the following fields can be updated: * `entity.attributes.*` * `entity.lifecycle.*` * `entity.behavior.*` To update other fields, set the `force` query parameter to `true`. > info > Some fields always retain the first observed value. Updates to these fields will not appear in the final index. - > Due to technical limitations, not all updates are guaranteed to appear in the final list of observed values. - > Due to technical limitations, create is an async operation. The time for a document to be present in the > final index depends on the entity store transform and usually takes more than 1 minute. - operationId: UpsertEntity - parameters: - - example: user - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - - description: When true, allows updating protected fields. - in: query - name: force - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' - description: Schema for the updating a single entity - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' - description: Entity updated or created - '403': - description: Operation on a restricted field - '409': - description: Conflict. 
The entity was updated while another update was happening in ElasticSearch - '503': - description: Operation on an uninitialized Engine or in a cluster without CRUD API Enabled - summary: Upsert an entity in Entity Store - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_store/entities/bulk: - put: - description: | - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/entity_store/entities/bulk
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update or create many entities in Entity Store. - If the specified entity already exists, it is updated with the provided values. If the entity does not exist, a new one is created. - The creation is asynchronous. The time for a document to be present in the final index depends on the entity store transform and usually takes more than 1 minute. - operationId: UpsertEntitiesBulk - parameters: - - description: When true, allows updating protected fields. - in: query - name: force - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitiesContainer' - description: Schema for the updating many entities - required: true - responses: - '200': - description: Entities updated or created - '403': - description: Operation on a restricted field - '503': - description: Operation on an uninitialized Engine or in a cluster without CRUD API Enabled - summary: Upsert many entities in Entity Store - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_store/entities/list: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/entity_store/entities/list
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List entities records, paging, sorting and filtering as needed. - operationId: ListEntities - parameters: - - description: Field to sort results by. - example: entity.name - in: query - name: sort_field - required: false - schema: - type: string - - description: Sort order. - in: query - name: sort_order - required: false - schema: - enum: - - asc - - desc - type: string - - description: Page number to return (1-indexed). - example: 1 - in: query - name: page - required: false - schema: - minimum: 1 - type: integer - - description: Number of entities per page. - example: 10 - in: query - name: per_page - required: false - schema: - maximum: 10000 - minimum: 1 - type: integer - - description: An ES query to filter by. - in: query - name: filterQuery - required: false - schema: - type: string - - description: Entity types to include in the results. - in: query - name: entity_types - required: true - schema: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - type: array - responses: - '200': - content: - application/json: - schema: - type: object - properties: - inspect: - $ref: '#/components/schemas/Security_Entity_Analytics_API_InspectQuery' - page: - description: Current page number. - minimum: 1 - type: integer - per_page: - description: Number of entities per page. - maximum: 1000 - minimum: 1 - type: integer - records: - description: The entity records for this page. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' - type: array - total: - description: Total number of entities matching the query. 
- minimum: 0 - type: integer - required: - - records - - page - - per_page - - total - description: Entities returned successfully - summary: List Entity Store Entities - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/entity_store/status: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/entity_store/status
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the overall Entity Store status and per-engine statuses, optionally including component-level health details. - operationId: GetEntityStoreStatus - parameters: - - description: If true, returns a detailed status of each engine including all its components. - example: true - in: query - name: include_components - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - entityStoreRunning: - description: The Entity Store is running with both host and user engines started and using default settings. - summary: Entity Store running with two engines - value: - engines: - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: host - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: user - status: running - schema: - type: object - properties: - engines: - description: Per-engine status information. - items: - allOf: - - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' - - type: object - properties: - components: - description: Detailed component-level status. Only included when include_components is true. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentStatus' - type: array - type: array - status: - $ref: '#/components/schemas/Security_Entity_Analytics_API_StoreStatus' - description: The overall status of the Entity Store. 
- required: - - status - - engines - description: Successful response - summary: Get the status of the Entity Store - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/exception_lists: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/exception_lists
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete an exception list using the `id` or `list_id` field. - operationId: DeleteExceptionList - parameters: - - description: Exception list's identifier. Either `id` or `list_id` must be specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified. - examples: - autogeneratedId: - value: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - list_id: - value: simple_list - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single - responses: - '200': - content: - application/json: - examples: - detectionExceptionList: - value: - _version: WzIsMV0= - created_at: '2025-01-07T19:34:27.942Z' - created_by: elastic - description: This is a sample detection type exception list. - id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: '2025-01-07T19:34:27.942Z' - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: namespace_type.0: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''blob''' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [DELETE /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'exception list list_id: "foo" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Delete an exception list - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/exception_lists
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the details of an exception list using the `id` or `list_id` field. - operationId: ReadExceptionList - parameters: - - description: Exception list's identifier. Either `id` or `list_id` must be specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single - responses: - '200': - content: - application/json: - examples: - detectionType: - value: - _version: WzIsMV0= - created_at: '2025-01-07T19:34:27.942Z' - created_by: elastic - description: This is a sample detection type exception list. - id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: '2025-01-07T19:34:27.942Z' - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: namespace_type.0: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''blob''' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [GET /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message": 'exception list id: "foo" does not exist' - status_code": 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get exception list details - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/exception_lists
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - An exception list groups exception items and can be associated with detection rules. You can assign exception lists to multiple detection rules. - > info - > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item. - operationId: CreateExceptionList - requestBody: - content: - application/json: - schema: - example: - description: This is a sample detection type exception list. - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - type: detection - type: object - properties: - description: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' - list_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single - os_types: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' - tags: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' - default: [] - type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' - version: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' - default: 1 - required: - - name - - description - - type - description: Exception list's properties - required: true - responses: - '200': - content: - application/json: - 
examples: - autogeneratedListId: - value: - _version: WzMsMV0= - created_at: '2025-01-09T01:05:23.019Z' - created_by: elastic - description: This is a sample detection type exception with an autogenerated list_id. - id: 28243c2f-624a-4443-823d-c0b894880931 - immutable: false - list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 - name: Sample Detection Exception List - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: ad94de31-39f7-4ad7-b8e4-988bfa95f338 - type: detection - updated_at: '2025-01-09T01:05:23.020Z' - updated_by: elastic - version: 1 - namespaceAgnostic: - value: - _version: WzUsMV0= - created_at: '2025-01-09T01:10:36.369Z' - created_by: elastic - description: This is a sample agnostic endpoint type exception. - id: 1a744e77-22ca-4b6b-9085-54f55275ebe5 - immutable: false - list_id: b935eb55-7b21-4c1c-b235-faa1df23b3d6 - name: Sample Agnostic Endpoint Exception List - namespace_type: agnostic - os_types: - - linux - tags: - - malware - tie_breaker_id: 49ea0adc-a2b8-4d83-a8f3-2fb98301dea3 - type: endpoint - updated_at: '2025-01-09T01:10:36.369Z' - updated_by: elastic - version: 1 - typeDetection: - value: - _version: WzIsMV0= - created_at: '2025-01-07T19:34:27.942Z' - created_by: elastic - description: This is a sample detection type exception list. - id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: '2025-01-07T19:34:27.942Z' - updated_by: elastic - version: 1 - typeEndpoint: - value: - _version: WzQsMV0= - created_at: '2025-01-09T01:07:49.658Z' - created_by: elastic - description: This is a sample endpoint type exception list. 
- id: a79f4730-6e32-4278-abfc-349c0add7d54 - immutable: false - list_id: endpoint_list - name: Sample Endpoint Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 94a028af-8f47-427a-aca5-ffaf829e64ee - type: endpoint - updated_at: '2025-01-09T01:07:49.658Z' - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: list_id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [POST /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json: - examples: - alreadyExists: - value: - message: 'exception list id: "simple_list" already exists' - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list 
already exists response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create an exception list - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/exception_lists
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an exception list using the `id` or `list_id` field. - operationId: UpdateExceptionList - requestBody: - content: - application/json: - schema: - example: - description: Different description - list_id: simple_list - name: Updated exception list name - os_types: - - linux - tags: - - draft malware - type: detection - type: object - properties: - _version: - description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. - type: string - description: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - list_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single - os_types: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' - default: [] - tags: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' - type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' - version: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' - required: - - name - - description - - type - description: Exception list's properties - required: true - responses: - '200': - content: - application/json: - examples: - simpleList: - value: - _version: WzExLDFd - created_at: '2025-01-07T20:43:55.264Z' - created_by: elastic - description: Different description - id: fa7f545f-191b-4d32-b1f0-c7cd62a79e55 - immutable: false - list_id: simple_list - name: Updated exception list name - namespace_type: single - os_types: [] 
- tags: - - draft malware - tie_breaker_id: 319fe983-acdd-4806-b6c4-3098eae9392f - type: detection - updated_at: '2025-01-07T21:32:03.726Z' - updated_by: elastic - version: 2 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: list_id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [PUT /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message": 'exception list id: "foo" does not exist' - status_code": 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: 
'#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Update an exception list - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/exception_lists/_duplicate: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/exception_lists/_duplicate
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Duplicate an existing exception list. - operationId: DuplicateExceptionList - parameters: - - in: query - name: list_id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - - description: Determines whether to include expired exceptions in the duplicated list. Expiration date defined by `expire_time`. - in: query - name: include_expired_exceptions - required: true - schema: - default: 'true' - enum: - - 'true' - - 'false' - example: true - type: string - responses: - '200': - content: - application/json: - examples: - detectionExceptionList: - value: - _version: WzExNDY1LDFd - created_at: '2025-01-09T16:19:50.280Z' - created_by: elastic - description: This is a sample detection type exception - id: b2f4a715-6ab1-444c-8b1e-3fa1b1049429 - immutable: false - list_id: d6390d60-bce3-4a48-9002-52db600f329c - name: Sample Detection Exception List [Duplicate] - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: 6fa670bd-666d-4c9c-9f1e-d1dbc516e985 - type: detection - updated_at: '2025-01-09T16:19:50.280Z' - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: namespace_type: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''foo''' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [POST /api/exception_lists/_duplicate] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message": 'exception list id: "foo" does not exist' - status_code": 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Exception list not found - '405': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list to duplicate not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Duplicate an exception list - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana, 
Elastic Cloud Serverless - name: product_name - /api/exception_lists/_export: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/exception_lists/_export
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Export an exception list and its associated items to an NDJSON file. - operationId: ExportExceptionList - parameters: - - in: query - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - in: query - name: list_id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - - description: Determines whether to include expired exceptions in the exported list. Expiration date defined by `expire_time`. - example: true - in: query - name: include_expired_exceptions - required: true - schema: - default: 'true' - enum: - - 'true' - - 'false' - type: string - responses: - '200': - content: - application/ndjson: - examples: - exportSavedObjectsResponse: - value: | - {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} - {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another 
host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} - {"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0} - schema: - description: A `.ndjson` file containing specified exception list and its items - format: binary - type: string - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: list_id: Required, namespace_type: Required' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [POST /api/exception_lists/_export] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: 
'#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message": 'exception list id: "foo" does not exist' - status_code": 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Export an exception list - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/exception_lists/_find: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/exception_lists/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all exception list containers. - operationId: FindExceptionLists - parameters: - - description: | - Filters the returned results according to the value of the specified field. - - Uses the `so type.field name:field` value syntax, where `so type` can be: - - - `exception-list`: Specify a space-aware exception list. - - `exception-list-agnostic`: Specify an exception list that is shared across spaces. - in: query - name: filter - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_FindExceptionListsFilter' - - description: | - Determines whether the returned containers are Kibana associated with a Kibana space - or available in all spaces (`agnostic` or `single`) - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false - schema: - default: - - single - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - type: array - - description: The page number to return - in: query - name: page - required: false - schema: - example: 1 - minimum: 1 - type: integer - - description: The number of exception lists to return per page - in: query - name: per_page - required: false - schema: - example: 20 - minimum: 1 - type: integer - - description: Determines which field is used to sort the results. - in: query - name: sort_field - required: false - schema: - example: name - type: string - - description: Determines the sort order, which can be `desc` or `asc`. - in: query - name: sort_order - required: false - schema: - enum: - - desc - - asc - example: desc - type: string - responses: - '200': - content: - application/json: - examples: - simpleLists: - value: - data: - - _version: WzIsMV0= - created_at: '2025-01-07T19:34:27.942Z' - created_by: elastic - description: This is a sample detection type exception list. 
- id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Detection Exception List - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: '2025-01-07T19:34:27.942Z' - updated_by: elastic - version: 1 - page: 1 - per_page: 20 - total: 1 - schema: - type: object - properties: - data: - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - type: array - page: - minimum: 1 - type: integer - per_page: - minimum: 1 - type: integer - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [GET /api/exception_lists/_find?namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: 
'#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get exception lists - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/exception_lists/_import: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/exception_lists/_import
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Import an exception list and its associated items from an NDJSON file. - operationId: ImportExceptionList - parameters: - - description: | - Determines whether existing exception lists with the same `list_id` are overwritten. - If any exception items have the same `item_id`, those are also overwritten. - in: query - name: overwrite - required: false - schema: - default: false - example: false - type: boolean - - description: | - Determines whether the list being imported will have a new `list_id` generated. - Additional `item_id`'s are generated for each exception item. Both the exception - list and its items are overwritten. - in: query - name: as_new_list - required: false - schema: - default: false - example: false - type: boolean - requestBody: - content: - multipart/form-data: - schema: - type: object - properties: - file: - description: A `.ndjson` file containing the exception list - example: | - {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} - {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample 
Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} - format: binary - type: string - required: true - responses: - '200': - content: - application/json: - examples: - withErrors: - value: - errors: - - error: - message: 'Error found importing exception list: Invalid value \"4\" supplied to \"list_id\"' - status_code: 400 - list_id: (unknown list_id) - - error: - message: 'Found that item_id: \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" already exists. Import of item_id: \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" skipped.' - status_code: 409 - item_id: f7fd00bb-dba8-4c93-9d59-6cbd427b6330 - list_id: 7d7cccb8-db72-4667-b1f3-648efad7c1ee - success: false, - success_count: 0, - success_count_exception_list_items: 0 - success_count_exception_lists: 0, - success_exception_list_items: false, - success_exception_lists: false, - withoutErrors: - value: - errors: [] - success: true - success_count: 2 - success_count_exception_list_items: 1 - success_count_exception_lists: 1 - success_exception_list_items: true - success_exception_lists: true, - schema: - type: object - properties: - errors: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray' - success: - type: boolean - success_count: - minimum: 0 - type: integer - success_count_exception_list_items: - minimum: 0 - type: integer - success_count_exception_lists: - minimum: 0 - type: integer - success_exception_list_items: - type: boolean - success_exception_lists: - type: boolean - required: - - errors - - success - - success_count - - success_exception_lists - - success_count_exception_lists - - success_exception_list_items - - success_count_exception_list_items - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: 
'#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [POST /api/exception_lists/_import] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Import an exception list - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/exception_lists/items: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/exception_lists/items
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete an exception list item using the `id` or `item_id` field. - operationId: DeleteExceptionListItem - parameters: - - description: Exception item's identifier. Either `id` or `item_id` must be specified - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - - description: Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified - in: query - name: item_id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' - - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single - responses: - '200': - content: - application/json: - examples: - simpleExceptionItem: - value: - _version: WzQsMV0= - comments: [] - created_at: '2025-01-07T20:07:33.119Z' - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: '2025-01-07T20:07:33.119Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json: - schema: - example: - error: Bad Request - message: '[request query]: namespace_type.0: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''blob''' - statusCode: 400 - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [DELETE /api/exception_lists/items?item_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'exception list item item_id: \"foo\" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Delete an exception list item - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/exception_lists/items
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the details of an exception list item using the `id` or `item_id` field. - operationId: ReadExceptionListItem - parameters: - - description: Exception list item's identifier. Either `id` or `item_id` must be specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - - description: Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified. - in: query - name: item_id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' - - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single - responses: - '200': - content: - application/json: - examples: - simpleListItem: - value: - _version: WzQsMV0= - comments: [] - created_at: '2025-01-07T20:07:33.119Z' - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: '2025-01-07T20:07:33.119Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [GET /api/exception_lists/items?item_id=&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - 
content: - application/json: - examples: - notFound: - value: - message: 'exception list item item_id: \"foo\" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get an exception list item - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/exception_lists/items
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create an exception item and associate it with the specified exception list. - > info - > Before creating exception items, you must create an exception list. - operationId: CreateExceptionListItem - requestBody: - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemGeneric' - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemEndpointList' - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows' - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac' - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux' - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows' - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac' - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac' - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemEventFilters' - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemHostIsolation' - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistWindows' - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistLinux' - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistMac' - description: Exception list item's properties - required: true - responses: - '200': - content: - application/json: - examples: - autogeneratedItemId: - value: - _version: WzYsMV0= - comments: [] - created_at: '2025-01-09T01:16:23.322Z' - created_by: elastic - description: This is a sample exception that has no item_id so it is autogenerated. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - id: 323faa75-c657-4fa0-9084-8827612c207b - item_id: 80e6edf7-4b13-4414-858f-2fa74aa52b37 - list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 - name: Sample Autogenerated Exception List Item ID - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: d6799986-3a23-4213-bc6d-ed9463a32f23 - type: simple - updated_at: '2025-01-09T01:16:23.322Z' - updated_by: elastic - detectionExceptionListItem: - value: - _version: WzQsMV0= - comments: [] - created_at: '2025-01-07T20:07:33.119Z' - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: '2025-01-07T20:07:33.119Z' - updated_by: elastic - withExistEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: '2025-01-07T20:07:33.119Z' - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: '2025-01-07T20:07:33.119Z' - updated_by: elastic - withMatchAnyEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: '2025-01-07T20:07:33.119Z' - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: '2025-01-07T20:07:33.119Z' - updated_by: elastic - withMatchEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: '2025-01-07T20:07:33.119Z' - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: included - type: match - value: Elastic N.V. - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: '2025-01-07T20:07:33.119Z' - updated_by: elastic - withNestedEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: '2025-01-07T20:07:33.119Z' - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - entries: - - field: signer - operator: included - type: match - value: Evil - - field: trusted - operator: included - type: match - value: true - field: file.signature - type: nested - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: '2025-01-07T20:07:33.119Z' - updated_by: elastic - withValueListEntry: - value: - _version: WzcsMV0= - comments: [] - created_at: '2025-01-09T01:31:12.614Z' - created_by: elastic - description: Don't signal when agent.name is rock01 and source.ip is in the goodguys.txt list - entries: - - field: source.ip - list: - id: goodguys.txt - type: ip - operator: excluded - type: list - id: deb26876-297d-4677-8a1f-35467d2f1c4f - item_id: 686b129e-9b8d-4c59-8d8d-c93a9ea82c71 - list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 - name: Filter out good guys ip and agent.name rock01 - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: 5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8 - type: simple - updated_at: '2025-01-09T01:31:12.614Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request, - message: '[request body]: list_id: Expected string, received number' - statusCode: 400, - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request 
[/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [POST /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json: - examples: - alreadyExists: - value: - message: 'exception list item id: \"simple_list_item\" already exists' - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item already exists response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create an exception list item - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/exception_lists/items
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an exception list item using the `id` or `item_id` field. - operationId: UpdateExceptionListItem - requestBody: - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemGeneric' - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEndpointList' - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows' - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac' - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux' - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows' - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac' - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac' - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEventFilters' - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemHostIsolation' - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows' - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux' - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistMac' - description: Exception list item's properties - required: true - responses: - '200': - content: - application/json: - examples: - simpleListItem: - value: - _version: WzEyLDFd - comments: [] - created_at: '2025-01-07T21:12:25.512Z' - created_by: elastic - description: Updated description - entries: - - field: host.name - operator: included - type: match - value: rock01 - id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da - item_id: simple_list_item - list_id: simple_list - name: 
Updated name - namespace_type: single - os_types: [] - tags: [] - tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 - type: simple - updated_at: '2025-01-07T21:34:50.233Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: item_id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [PUT /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'exception list item item_id: \"foo\" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - 
status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Update an exception list item - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/exception_lists/items/_find: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/exception_lists/items/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all exception list items in the specified list. - operationId: FindExceptionListItems - parameters: - - description: The `list_id`s of the items to fetch. - in: query - name: list_id - required: true - schema: - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - type: array - - description: | - Filters the returned results according to the value of the specified field, - using the `:` syntax. - examples: - singleFilter: - value: - - exception-list.attributes.name:%My%20item - in: query - name: filter - required: false - schema: - default: [] - items: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - type: array - - description: | - Determines whether the returned containers are Kibana associated with a Kibana space - or available in all spaces (`agnostic` or `single`) - examples: - single: - value: - - single - in: query - name: namespace_type - required: false - schema: - default: - - single - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - type: array - - in: query - name: search - required: false - schema: - example: host.name - type: string - - description: The page number to return - in: query - name: page - required: false - schema: - example: 1 - minimum: 0 - type: integer - - description: The number of exception list items to return per page - in: query - name: per_page - required: false - schema: - example: 20 - minimum: 0 - type: integer - - description: Determines which field is used to sort the results. - example: name - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - - description: Determines the sort order, which can be `desc` or `asc`. 
- in: query - name: sort_order - required: false - schema: - enum: - - desc - - asc - example: desc - type: string - responses: - '200': - content: - application/json: - examples: - simpleListItems: - value: - data: - - _version: WzgsMV0= - comments: [] - created_at: '2025-01-07T21:12:25.512Z' - created_by: elastic - description: This is a sample exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - jupiter - - saturn - id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 - type: simple - updated_at: '2025-01-07T21:12:25.512Z' - updated_by: elastic - page: 1 - per_page: 20 - total: 1 - schema: - type: object - properties: - data: - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - type: array - page: - minimum: 1 - type: integer - per_page: - minimum: 1 - type: integer - pit: - type: string - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: namespace_type.0: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''blob''' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [GET /api/exception_lists/items/_find?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'exception list list_id: "foo" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get exception list items - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/exception_lists/summary: - get: - description: |- - **Spaces method and path for this 
operation:** - -
get /s/{space_id}/api/exception_lists/summary
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a summary of the specified exception list. - operationId: ReadExceptionListSummary - parameters: - - description: Exception list's identifier generated upon creation. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: Exception list's human readable identifier. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single - - description: Search filter clause - in: query - name: filter - required: false - schema: - example: exception-list-agnostic.attributes.tags:"policy:policy-1" OR exception-list-agnostic.attributes.tags:"policy:all" - type: string - responses: - '200': - content: - application/json: - examples: - summary: - value: - linux: 0 - macos: 0 - total: 0 - windows: 0 - schema: - type: object - properties: - linux: - minimum: 0 - type: integer - macos: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer - windows: - minimum: 0 - type: integer - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: namespace_type.0: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''blob''' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [GET /api/exception_lists/summary?list_id=simple_list&namespace_type=agnostic] is unauthorized for user, this action is granted by the Kibana privileges [lists-summary] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message": 'exception list id: "foo" does not exist' - status_code": 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get an exception list summary - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/exceptions/shared: - post: - description: | - **Spaces method and path for this 
operation:** - -
post /s/{space_id}/api/exceptions/shared
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - An exception list groups exception items and can be associated with detection rules. A shared exception list can apply to multiple detection rules. - > info - > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item. - operationId: CreateSharedExceptionList - requestBody: - content: - application/json: - schema: - example: - description: This is a sample detection type exception list. - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - type: object - properties: - description: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' - required: - - name - - description - required: true - responses: - '200': - content: - application/json: - examples: - sharedList: - value: - _version: WzIsMV0= - created_at: '2025-01-07T19:34:27.942Z' - created_by: elastic - description: This is a sample detection type exception list. 
- id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: '2025-01-07T19:34:27.942Z' - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: list_id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - message: Unable to create exception-list - status_code: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json: - examples: - alreadyExists: - value: - message: 'exception list id: "simple_list" already exists' - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list already exists response - '500': - content: - application/json: - examples: - serverError: - value: - 
message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create a shared exception list - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agent_download_sources: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agent_download_sources
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all agent binary download sources.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read. - operationId: get-fleet-agent-download-sources - parameters: [] - responses: - '200': - content: - application/json: - examples: - getDownloadSourcesExample: - description: List of agent binary download sources - value: - items: - - host: https://artifacts.elastic.co/downloads/ - id: download-source-id-1 - is_default: true - name: Elastic Artifacts - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: The ID of the proxy to use for this download source. See the proxies API for more information. 
- nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - id - - name - - host - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get agent binary download sources - tags: - - Elastic Agent binary download sources - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agent_download_sources
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new agent binary download source.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-agent-download-sources - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postDownloadSourceRequestExample: - description: Create a new agent binary download source - value: - host: https://my-custom-host.example.com/downloads/ - is_default: false - name: My custom download source - schema: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: The ID of the proxy to use for this download source. See the proxies API for more information. 
- nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - name - - host - responses: - '200': - content: - application/json: - examples: - postDownloadSourceExample: - description: The created agent binary download source - value: - item: - host: https://my-custom-host.example.com/downloads/ - id: download-source-id-2 - is_default: false - name: My custom download source - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: The ID of the proxy to use for this download source. See the proxies API for more information. 
- nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - id - - name - - host - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create an agent binary download source - tags: - - Elastic Agent binary download sources - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agent_download_sources/{sourceId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: delete-fleet-agent-download-sources-sourceid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: sourceId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - deleteDownloadSourceExample: - description: The download source was successfully deleted - value: - id: download-source-id-1 - schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No download source was found with the given ID - value: - error: Not Found - message: Agent binary source download-source-id-1 not found - statusCode: 404 - description: Not Found - summary: Delete an agent binary download source - tags: - - Elastic Agent binary download sources - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read. - operationId: get-fleet-agent-download-sources-sourceid - parameters: - - in: path - name: sourceId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getDownloadSourceExample: - description: An agent binary download source - value: - item: - host: https://artifacts.elastic.co/downloads/ - id: download-source-id-1 - is_default: true - name: Elastic Artifacts - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: The ID of the proxy to use for this download source. See the proxies API for more information. 
- nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - id - - name - - host - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No download source was found with the given ID - value: - error: Not Found - message: Agent binary source download-source-id-1 not found - statusCode: 404 - description: Not Found - summary: Get an agent binary download source - tags: - - Elastic Agent binary download sources - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: put-fleet-agent-download-sources-sourceid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: sourceId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putDownloadSourceRequestExample: - description: Update an agent binary download source - value: - host: https://updated-host.example.com/downloads/ - is_default: false - name: Updated download source - schema: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: The ID of the proxy to use for this download source. See the proxies API for more information. 
- nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - name - - host - responses: - '200': - content: - application/json: - examples: - putDownloadSourceExample: - description: The updated agent binary download source - value: - item: - host: https://updated-host.example.com/downloads/ - id: download-source-id-1 - is_default: false - name: Updated download source - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: The ID of the proxy to use for this download source. See the proxies API for more information. 
- nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - id - - name - - host - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No download source was found with the given ID - value: - error: Not Found - message: Download source download-source-id-1 not found - statusCode: 404 - description: Not Found - summary: Update an agent binary download source - tags: - - Elastic Agent binary download sources - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agent_policies: - get: - description: |- - **Spaces method and path 
for this operation:** - -
get /s/{space_id}/api/fleet/agent_policies
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. - operationId: get-fleet-agent-policies - parameters: - - in: query - name: page - required: false - schema: - type: number - - in: query - name: perPage - required: false - schema: - type: number - - in: query - name: sortField - required: false - schema: - type: string - - in: query - name: sortOrder - required: false - schema: - enum: - - desc - - asc - type: string - - in: query - name: showUpgradeable - required: false - schema: - type: boolean - - in: query - name: kuery - required: false - schema: - type: string - - description: use withAgentCount instead - in: query - name: noAgentCount - required: false - schema: - deprecated: true - type: boolean - - description: get policies with agent count - in: query - name: withAgentCount - required: false - schema: - type: boolean - - description: get full policies with package policies populated - in: query - name: full - required: false - schema: - type: boolean - - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - responses: - '200': - content: - application/json: - examples: - getAgentPoliciesExample: - description: List of agent policies - value: - items: - - description: A sample agent policy - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: My agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T10:00:00.000Z' - updated_by: user1 - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true 
- agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - agents: - type: number - agents_per_version: - items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count - maxItems: 1000 - type: array - created_at: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fips_agents: - type: number - fleet_server_host_id: - nullable: true - type: string - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. 
- items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: Indicates whether the agent policy has tamper protection enabled. Default false. - type: boolean - is_verifier: - description: Indicates this is a short-lived verifier policy used for OTel permission verification. - type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - 
nullable: true - description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - id: - description: Package policy unique identifier. 
- type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - 
release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). 
- type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. 
- is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. 
- type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - revision: - type: number - schema_version: - type: string - space_ids: - items: - type: string - maxItems: 100 - type: array - status: - enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. - nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - unprivileged_agents: - type: number - updated_at: - type: string - updated_by: - type: string - version: - type: string - required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get agent policies - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana, 
Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agent_policies
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new agent policy.

[Required authorization] Route required privileges: fleet-agent-policies-all. - operationId: post-fleet-agent-policies - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: query - name: sys_monitoring - required: false - schema: - type: boolean - requestBody: - content: - application/json: - examples: - postAgentPolicyRequestExample: - description: Create a new agent policy - value: - description: A sample agent policy - monitoring_enabled: - - logs - - metrics - name: My agent policy - namespace: default - schema: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: 
string - memory: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fleet_server_host_id: - nullable: true - type: string - force: - type: boolean - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. - items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_protected: - type: boolean - is_verifier: - description: Indicates this is a short-lived verifier policy used for OTel permission verification. 
- type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - space_ids: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - deprecated: true - description: Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API. - nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - required: - - name - - namespace - responses: - '200': - content: - application/json: - examples: - postAgentPolicyExample: - description: The created agent policy - value: - item: - description: A sample agent policy - id: agent-policy-id-2 - is_managed: false - is_protected: false - name: My agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T10:00:00.000Z' - updated_by: user1 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - 
agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - agents: - type: number - agents_per_version: - items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count - maxItems: 1000 - type: array - created_at: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fips_agents: - type: number - fleet_server_host_id: - nullable: true - type: string - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. - items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: Indicates whether the agent policy has tamper protection enabled. Default false. 
- type: boolean - is_verifier: - description: Indicates this is a short-lived verifier policy used for OTel permission verification. - type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - id: - description: Package policy unique identifier. 
- type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - 
release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). 
- type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. 
- is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. 
- type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - revision: - type: number - schema_version: - type: string - space_ids: - items: - type: string - maxItems: 100 - type: array - status: - enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. - nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - unprivileged_agents: - type: number - updated_at: - type: string - updated_by: - type: string - version: - type: string - required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create an agent policy - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agent_policies/_bulk_get: - post: - description: |- - **Spaces method and 
path for this operation:** - -
post /s/{space_id}/api/fleet/agent_policies/_bulk_get
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get multiple agent policies by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. - operationId: post-fleet-agent-policies-bulk-get - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - requestBody: - content: - application/json: - examples: - postBulkGetAgentPoliciesRequestExample: - description: Retrieve multiple agent policies by ID - value: - ids: - - agent-policy-id-1 - - agent-policy-id-2 - schema: - additionalProperties: false - type: object - properties: - full: - description: get full policies with package policies populated - type: boolean - ids: - description: list of package policy ids - items: - type: string - maxItems: 1000 - type: array - ignoreMissing: - type: boolean - required: - - ids - responses: - '200': - content: - application/json: - examples: - postBulkGetAgentPoliciesExample: - description: The requested agent policies - value: - items: - - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: My agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T10:00:00.000Z' - updated_by: user1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - 
nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - agents: - type: number - agents_per_version: - items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count - maxItems: 1000 - type: array - created_at: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fips_agents: - type: number - fleet_server_host_id: - nullable: true - type: string - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. 
- items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: Indicates whether the agent policy has tamper protection enabled. Default false. - type: boolean - is_verifier: - description: Indicates this is a short-lived verifier policy used for OTel permission verification. - type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - 
nullable: true - description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - id: - description: Package policy unique identifier. 
- type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - 
release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). 
- type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. 
- is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. 
- type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - revision: - type: number - schema_version: - type: string - space_ids: - items: - type: string - maxItems: 100 - type: array - status: - enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. - nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - unprivileged_agents: - type: number - updated_at: - type: string - updated_by: - type: string - version: - type: string - required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: One or more agent policies were not found - value: - error: Not Found - message: An error message describing what 
went wrong - statusCode: 404 - description: Not Found - summary: Bulk get agent policies - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agent_policies/{agentPolicyId}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. - operationId: get-fleet-agent-policies-agentpolicyid - parameters: - - in: path - name: agentPolicyId - required: true - schema: - type: string - - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - responses: - '200': - content: - application/json: - examples: - getAgentPolicyExample: - description: An agent policy - value: - item: - description: A sample agent policy - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: My agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T10:00:00.000Z' - updated_by: user1 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - 
required: - - enabled - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - agents: - type: number - agents_per_version: - items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count - maxItems: 1000 - type: array - created_at: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fips_agents: - type: number - fleet_server_host_id: - nullable: true - type: string - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. - items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: Indicates whether the agent policy has tamper protection enabled. Default false. - type: boolean - is_verifier: - description: Indicates this is a short-lived verifier policy used for OTel permission verification. 
- type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - id: - description: Package policy unique identifier. 
- type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - 
release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). 
- type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. 
- is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. 
- type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - revision: - type: number - schema_version: - type: string - space_ids: - items: - type: string - maxItems: 100 - type: array - status: - enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. - nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - unprivileged_agents: - type: number - updated_at: - type: string - updated_by: - type: string - version: - type: string - required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID - value: - error: Not Found - message: Agent policy not found - statusCode: 404 - description: Not Found - 
summary: Get an agent policy - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. - operationId: put-fleet-agent-policies-agentpolicyid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: agentPolicyId - required: true - schema: - type: string - - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - requestBody: - content: - application/json: - examples: - putAgentPolicyRequestExample: - description: Update an agent policy - value: - description: An updated agent policy description - monitoring_enabled: - - logs - name: Updated agent policy - namespace: default - schema: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - resources: - additionalProperties: 
false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - bumpRevision: - type: boolean - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fleet_server_host_id: - nullable: true - type: string - force: - type: boolean - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. - items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_protected: - type: boolean - is_verifier: - description: Indicates this is a short-lived verifier policy used for OTel permission verification. 
- type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - space_ids: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - deprecated: true - description: Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API. - nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - required: - - name - - namespace - responses: - '200': - content: - application/json: - examples: - putAgentPolicyExample: - description: The updated agent policy - value: - item: - description: An updated agent policy description - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: Updated agent policy - namespace: default - revision: 2 - status: active - updated_at: '2024-01-15T11:00:00.000Z' - updated_by: user1 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: 
true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - agents: - type: number - agents_per_version: - items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count - maxItems: 1000 - type: array - created_at: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fips_agents: - type: number - fleet_server_host_id: - nullable: true - type: string - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. - items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: Indicates whether the agent policy has tamper protection enabled. Default false. 
- type: boolean - is_verifier: - description: Indicates this is a short-lived verifier policy used for OTel permission verification. - type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - id: - description: Package policy unique identifier. 
- type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - 
release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). 
- type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. 
- is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. 
- type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - revision: - type: number - schema_version: - type: string - space_ids: - items: - type: string - maxItems: 100 - type: array - status: - enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. - nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - unprivileged_agents: - type: number - updated_at: - type: string - updated_by: - type: string - version: - type: string - required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Update an agent policy - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status: - get: - 
description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the auto-upgrade status for agents assigned to an agent policy.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agent-policies-agentpolicyid-auto-upgrade-agents-status - parameters: - - in: path - name: agentPolicyId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getAutoUpgradeAgentsStatusExample: - description: Auto-upgrade status for agents in the policy - value: - agentsCount: 5 - currentVersion: 8.16.0 - failedAgentsCount: 0 - upgradedAgentsCount: 3 - upgradingAgentsCount: 1 - schema: - additionalProperties: false - type: object - properties: - currentVersions: - items: - additionalProperties: false - type: object - properties: - agents: - description: Number of agents that upgraded to this version - type: number - failedUpgradeActionIds: - description: List of action IDs related to failed upgrades - items: - type: string - maxItems: 1000 - type: array - failedUpgradeAgents: - description: Number of agents that failed to upgrade to this version - type: number - inProgressUpgradeActionIds: - description: List of action IDs related to in-progress upgrades - items: - type: string - maxItems: 1000 - type: array - inProgressUpgradeAgents: - description: Number of agents that are upgrading to this version - type: number - version: - description: Agent version - type: string - required: - - version - - agents - - failedUpgradeAgents - - inProgressUpgradeAgents - maxItems: 10000 - type: array - totalAgents: - type: number - required: - - currentVersions - - totalAgents - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: 
- type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get auto upgrade agent status - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agent_policies/{agentPolicyId}/copy: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/copy
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Copy an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. - operationId: post-fleet-agent-policies-agentpolicyid-copy - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: agentPolicyId - required: true - schema: - type: string - - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - requestBody: - content: - application/json: - examples: - postCopyAgentPolicyRequestExample: - description: Copy an agent policy with a new name - value: - description: A copy of the original agent policy - name: Copy of my agent policy - schema: - additionalProperties: false - type: object - properties: - description: - type: string - name: - minLength: 1 - type: string - required: - - name - responses: - '200': - content: - application/json: - examples: - postCopyAgentPolicyExample: - description: The copied agent policy - value: - item: - description: A copy of the original agent policy - id: agent-policy-id-copy-1 - is_managed: false - is_protected: false - name: Copy of my agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T11:00:00.000Z' - updated_by: user1 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - 
nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - agents: - type: number - agents_per_version: - items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count - maxItems: 1000 - type: array - created_at: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fips_agents: - type: number - fleet_server_host_id: - nullable: true - type: string - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. - items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: Indicates whether the agent policy has tamper protection enabled. 
Default false. - type: boolean - is_verifier: - description: Indicates this is a short-lived verifier policy used for OTel permission verification. - type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - id: - description: Package policy unique identifier. 
- type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - 
release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). 
- type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. 
- is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. 
- type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - revision: - type: number - schema_version: - type: string - space_ids: - items: - type: string - maxItems: 100 - type: array - status: - enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. - nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - unprivileged_agents: - type: number - updated_at: - type: string - updated_by: - type: string - version: - type: string - required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Copy an agent policy - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agent_policies/{agentPolicyId}/download: - get: - description: |- - 
**Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/download
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Download an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. - operationId: get-fleet-agent-policies-agentpolicyid-download - parameters: - - in: path - name: agentPolicyId - required: true - schema: - type: string - - description: If true, returns the policy as a downloadable file - in: query - name: download - required: false - schema: - type: boolean - - description: If true, returns the policy formatted for standalone agents - in: query - name: standalone - required: false - schema: - type: boolean - - description: If true, returns the policy formatted for Kubernetes deployment - in: query - name: kubernetes - required: false - schema: - type: boolean - - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags. - in: query - name: revision - required: false - schema: - type: number - responses: - '200': - content: - application/json: - examples: - getDownloadAgentPolicyExample: - description: The agent policy download response - value: - item: 'id: agent-policy-id-1\nrevision: 1\noutputs:\n default:\n type: elasticsearch\n hosts:\n - https://elasticsearch.example.com:9200\n' - schema: - type: string - description: Successful response — returns the agent policy as a YAML file download - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID - value: - error: Not 
Found - message: Agent policy not found - statusCode: 404 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Not Found - summary: Download an agent policy - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agent_policies/{agentPolicyId}/full: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/full
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a full agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read. - operationId: get-fleet-agent-policies-agentpolicyid-full - parameters: - - in: path - name: agentPolicyId - required: true - schema: - type: string - - description: If true, returns the policy as a downloadable file - in: query - name: download - required: false - schema: - type: boolean - - description: If true, returns the policy formatted for standalone agents - in: query - name: standalone - required: false - schema: - type: boolean - - description: If true, returns the policy formatted for Kubernetes deployment - in: query - name: kubernetes - required: false - schema: - type: boolean - - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags. - in: query - name: revision - required: false - schema: - type: number - responses: - '200': - content: - application/json: - examples: - getFullAgentPolicyExample: - description: The full agent policy configuration - value: - item: - agent: - monitoring: - logs: true - metrics: true - id: agent-policy-id-1 - inputs: [] - outputs: - default: - hosts: - - https://elasticsearch.example.com:9200 - type: elasticsearch - revision: 1 - schema: - additionalProperties: false - type: object - properties: - item: - anyOf: - - type: string - - additionalProperties: false - type: object - properties: - agent: - additionalProperties: false - type: object - properties: - download: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - 
type: object - proxy_url: - type: string - secrets: - additionalProperties: true - type: object - properties: - ssl: - additionalProperties: true - type: object - properties: - key: - additionalProperties: true - type: object - properties: - id: - type: string - required: - - key - sourceURI: - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - renegotiation: - type: string - verification_mode: - type: string - target_directory: - type: string - timeout: - type: string - required: - - sourceURI - features: - additionalProperties: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - required: - - enabled - type: object - internal: - nullable: true - limits: - additionalProperties: false - type: object - properties: - go_max_procs: - type: number - logging: - additionalProperties: false - type: object - properties: - files: - additionalProperties: false - type: object - properties: - interval: - type: string - keepfiles: - type: number - rotateeverybytes: - type: number - level: - type: string - metrics: - additionalProperties: false - type: object - properties: - period: - type: string - to_files: - type: boolean - monitoring: - additionalProperties: false - type: object - properties: - _runtime_experimental: - type: string - apm: - nullable: true - diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - enabled: - type: boolean - http: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - host: - type: string - port: - type: number - logs: - type: 
boolean - metrics: - type: boolean - namespace: - type: string - pprof: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - required: - - enabled - traces: - type: boolean - use_output: - type: string - required: - - enabled - - metrics - - logs - - traces - - apm - protection: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - signing_key: - type: string - uninstall_token_hash: - type: string - required: - - enabled - - uninstall_token_hash - - signing_key - required: - - monitoring - - download - - features - - internal - connectors: - additionalProperties: - nullable: true - type: object - exporters: - additionalProperties: - nullable: true - type: object - extensions: - additionalProperties: - nullable: true - type: object - fleet: - anyOf: - - additionalProperties: false - type: object - properties: - hosts: - items: - type: string - maxItems: 100 - type: array - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - proxy_url: - type: string - secrets: - additionalProperties: true - type: object - properties: - ssl: - additionalProperties: true - type: object - properties: - key: - additionalProperties: true - type: object - properties: - id: - type: string - required: - - key - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - renegotiation: - type: string - verification_mode: - type: string - required: - - hosts - - additionalProperties: false - type: object - properties: - kibana: - additionalProperties: false - type: object - properties: - hosts: - items: - type: string - maxItems: 100 - type: array - path: - type: string - protocol: - type: string - required: - - hosts - - protocol - required: - - kibana - id: - type: string - inputs: - items: - 
additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true - type: object - properties: - namespace: - type: string - required: - - namespace - id: - type: string - meta: - additionalProperties: true - type: object - properties: - package: - additionalProperties: true - type: object - properties: - name: - type: string - version: - type: string - required: - - name - - version - name: - type: string - package_policy_id: - type: string - processors: - items: - additionalProperties: true - type: object - properties: - add_fields: - additionalProperties: true - type: object - properties: - fields: - additionalProperties: - anyOf: - - type: string - - type: number - type: object - target: - type: string - required: - - target - - fields - required: - - add_fields - maxItems: 10000 - type: array - revision: - type: number - streams: - items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true - type: object - properties: - dataset: - type: string - type: - type: string - required: - - dataset - id: - type: string - required: - - id - - data_stream - maxItems: 10000 - type: array - type: - type: string - use_output: - type: string - required: - - id - - name - - revision - - type - - data_stream - - use_output - - package_policy_id - maxItems: 10000 - type: array - namespaces: - items: - type: string - maxItems: 100 - type: array - output_permissions: - additionalProperties: - additionalProperties: - nullable: true - type: object - type: object - outputs: - additionalProperties: - additionalProperties: true - type: object - properties: - ca_sha256: - nullable: true - type: string - hosts: - items: - type: string - maxItems: 100 - type: array - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - proxy_url: - type: string - type: - type: string - required: - - type - type: object - processors: - 
additionalProperties: - nullable: true - type: object - receivers: - additionalProperties: - nullable: true - type: object - revision: - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10000 - type: array - service: - additionalProperties: false - type: object - properties: - extensions: - items: - type: string - maxItems: 1000 - type: array - pipelines: - additionalProperties: - additionalProperties: false - type: object - properties: - exporters: - items: - type: string - maxItems: 1000 - type: array - processors: - items: - type: string - maxItems: 1000 - type: array - receivers: - items: - type: string - maxItems: 1000 - type: array - x-oas-optional: true - type: object - signed: - additionalProperties: false - type: object - properties: - data: - type: string - signature: - type: string - required: - - data - - signature - required: - - id - - outputs - - inputs - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID - value: - error: Not Found - message: Agent policy not found - statusCode: 404 - description: Not Found - summary: Get a full agent policy - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - 
/api/fleet/agent_policies/{agentPolicyId}/outputs: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/outputs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read. - operationId: get-fleet-agent-policies-agentpolicyid-outputs - parameters: - - in: path - name: agentPolicyId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getAgentPolicyOutputsExample: - description: Outputs associated with the agent policy - value: - item: - data_output: - id: output-id-1 - name: Default output - type: elasticsearch - monitoring_output: - id: output-id-1 - name: Default output - type: elasticsearch - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - agentPolicyId: - type: string - data: - additionalProperties: false - type: object - properties: - integrations: - items: - additionalProperties: false - type: object - properties: - id: - type: string - integrationPolicyName: - type: string - name: - type: string - pkgName: - type: string - maxItems: 1000 - type: array - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - monitoring: - additionalProperties: false - type: object - properties: - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - required: - - monitoring - - data - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: 
- type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID - value: - error: Not Found - message: Agent policy not found - statusCode: 404 - description: Not Found - summary: Get outputs for an agent policy - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agent_policies/delete: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agent_policies/delete
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. - operationId: post-fleet-agent-policies-delete - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postDeleteAgentPolicyRequestExample: - description: Delete an agent policy by ID - value: - agentPolicyId: agent-policy-id-1 - schema: - additionalProperties: false - type: object - properties: - agentPolicyId: - type: string - force: - description: bypass validation checks that can prevent agent policy deletion - type: boolean - required: - - agentPolicyId - responses: - '200': - content: - application/json: - examples: - postDeleteAgentPolicyExample: - description: The agent policy was successfully deleted - value: - id: agent-policy-id-1 - name: My agent policy - schema: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete an agent policy - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agent_policies/outputs: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agent_policies/outputs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read. - operationId: post-fleet-agent-policies-outputs - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postListAgentPolicyOutputsRequestExample: - description: Get outputs for multiple agent policies - value: - ids: - - agent-policy-id-1 - - agent-policy-id-2 - schema: - additionalProperties: false - type: object - properties: - ids: - description: list of package policy ids - items: - type: string - maxItems: 1000 - type: array - required: - - ids - responses: - '200': - content: - application/json: - examples: - postListAgentPolicyOutputsExample: - description: Outputs associated with the requested agent policies - value: - items: - - agent_policy_id: agent-policy-id-1 - data_output: - id: output-id-1 - name: Default output - type: elasticsearch - monitoring_output: - id: output-id-1 - name: Default output - type: elasticsearch - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - agentPolicyId: - type: string - data: - additionalProperties: false - type: object - properties: - integrations: - items: - additionalProperties: false - type: object - properties: - id: - type: string - integrationPolicyName: - type: string - name: - type: string - pkgName: - type: string - maxItems: 1000 - type: array - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - monitoring: - additionalProperties: false - type: object - properties: - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - 
required: - - monitoring - - data - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get outputs for agent policies - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agent_status: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agent_status
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a summary of agent statuses for a given agent policy. - operationId: get-fleet-agent-status - parameters: - - in: query - name: policyId - required: false - schema: - type: string - - in: query - name: policyIds - required: false - schema: - items: - type: string - maxItems: 1000 - type: array - - in: query - name: kuery - required: false - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getAgentStatusExample: - description: Agent status summary for an agent policy - value: - results: - error: 1 - offline: 2 - online: 5 - other: 0 - updating: 0 - totalInactive: 0 - schema: - additionalProperties: false - type: object - properties: - results: - additionalProperties: false - type: object - properties: - active: - type: number - all: - type: number - error: - type: number - events: - type: number - inactive: - type: number - offline: - type: number - online: - type: number - orphaned: - type: number - other: - type: number - unenrolled: - type: number - uninstalled: - type: number - updating: - type: number - required: - - events - - online - - error - - offline - - other - - updating - - inactive - - unenrolled - - all - - active - required: - - results - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get an agent status summary - tags: - - Elastic Agent status - x-metaTags: - - content: 
Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agent_status/data: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agent_status/data
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the data streams that an agent is actively sending data to.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agent-status-data - parameters: - - in: query - name: agentsIds - required: true - schema: - items: - type: string - maxItems: 10000 - type: array - - in: query - name: pkgName - required: false - schema: - type: string - - in: query - name: pkgVersion - required: false - schema: - type: string - - in: query - name: previewData - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - getAgentDataExample: - description: Data streams the agent is actively sending data to - value: - items: - - data: - logs-nginx.access-default: - - id: agent-id-1 - name: my-host - total: 1 - totalMonitoring: 0 - schema: - additionalProperties: false - type: object - properties: - dataPreview: - items: - nullable: true - maxItems: 10000 - type: array - items: - items: - additionalProperties: - additionalProperties: false - type: object - properties: - data: - type: boolean - required: - - data - type: object - maxItems: 10000 - type: array - required: - - items - - dataPreview - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get incoming agent data - tags: - - Elastic Agents - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agentless_policies: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agentless_policies
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create an agentless policy - operationId: post-fleet-agentless-policies - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The format of the response package policy. - in: query - name: format - required: false - schema: - default: simplified - enum: - - legacy - - simplified - type: string - requestBody: - content: - application/json: - examples: - createAgentlessPoliciesRequestExample: - description: Example request to create agentless policies - value: - description: test - inputs: - ESS Billing-cel: - enabled: true - streams: - ess_billing.billing: - enabled: true - vars: - hide_sensitive: true - http_client_timeout: 30s - lookbehind: 365 - tags: - - forwarded - - billing - ess_billing.credits: - enabled: false - vars: - api_key: - organization_id: '1234' - name: ess_billing-1 - namespace: default - package: - name: ess_billing - version: 1.6.0 - createAgentlessPoliciesReuseAWSCloudConnectorExample: - description: Example request to create agentless policy reusing an existing AWS cloud connector - value: - cloud_connector: - cloud_connector_id: existing-aws-connector-id - target_csp: aws - description: CSPM integration for AWS reusing existing cloud connector - inputs: - cspm-cloudbeat/cis_aws: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - aws.account_type: organization-account - aws.credentials.type: cloud_connector - aws.supports_cloud_connectors: true - external_id: - id: ABCDEFGHIJKLMNOPQRST - isSecretRef: true - role_arn: arn:aws:iam::123456789012:role/TestRole - vars: - cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml - 
cspm-cloudbeat/cis_azure: - enabled: false - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-aws-reuse-policy - namespace: default - package: - name: cloud_security_posture - version: 3.1.1 - vars: - deployment: aws - posture: cspm - createAgentlessPoliciesWithAWSCloudConnectorExample: - description: Example request to create agentless policy with AWS cloud connector - value: - cloud_connector: - target_csp: aws - description: CSPM integration for AWS with cloud connector - inputs: - cspm-cloudbeat/cis_aws: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - aws.account_type: organization-account - aws.credentials.type: cloud_connector - aws.supports_cloud_connectors: true - external_id: - id: ABCDEFGHIJKLMNOPQRST - isSecretRef: true - role_arn: arn:aws:iam::123456789012:role/TestRole - vars: - cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml - cspm-cloudbeat/cis_azure: - enabled: false - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-aws-policy - namespace: default - package: - name: cloud_security_posture - version: 3.1.1 - vars: - deployment: aws - posture: cspm - createAgentlessPoliciesWithAzureCloudConnectorExample: - description: Example request to create agentless policy with Azure cloud connector - value: - cloud_connector: - target_csp: azure - description: CSPM integration for Azure with cloud connector - inputs: - cspm-cloudbeat/cis_aws: - enabled: false - cspm-cloudbeat/cis_azure: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - azure_credentials_cloud_connector_id: - type: text - value: existing-azure-credentials-connector-id - azure.account_type: organization-account - client_id: - id: client-secret-id - isSecretRef: true - tenant_id: - id: tenant-secret-id - isSecretRef: true - cspm-cloudbeat/cis_gcp: - 
enabled: false - name: cspm-azure-policy - namespace: default - package: - name: cloud_security_posture - version: 3.1.1 - vars: - deployment: azure - posture: cspm - schema: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 100 - nullable: true - type: array - cloud_connector: - additionalProperties: false - type: object - properties: - cloud_connector_id: - description: ID of an existing cloud connector to reuse. If not provided, a new connector will be created. - type: string - enabled: - default: false - description: Whether cloud connectors are enabled for this policy. - type: boolean - name: - description: Optional name for the cloud connector. If not provided, will be auto-generated from credentials. - maxLength: 255 - minLength: 1 - type: string - target_csp: - description: Target cloud service provider. If not provided, will be auto-detected from inputs. - enum: - - aws - - azure - - gcp - type: string - description: - description: Policy description. - type: string - force: - description: Force package policy creation even if the package is not verified, or if the agent policy is managed. - type: boolean - id: - description: Policy unique identifier. - type: string - inputs: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). 
- type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - name: - description: Unique name for the policy. - type: string - namespace: - description: Policy namespace. 
When not specified, it inherits the agent policy namespace. - type: string - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - policy_template: - description: The policy template to use for the agentless package policy. If not provided, the default policy template will be used. - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. 
- type: object - required: - - name - - package - responses: - '200': - content: - application/json: - examples: - createAgentlessPoliciesResponseExample: - description: Example response showing the successful result of communication initialisation over MCP protocol - value: - item: - created_at: '2025-11-06T18:27:43.541Z' - created_by: test_user - description: test - enabled: true - id: d52a7812-5736-4fdc-aed8-72152afa1ffa - inputs: - ESS Billing-cel: - enabled: true - streams: - ess_billing.billing: - enabled: true - vars: - hide_sensitive: true - http_client_timeout: 30s - lookbehind: 365 - tags: - - forwarded - - billing - ess_billing.credits: - enabled: false - vars: - api_key: - id: QY1sWpoBbWcMW-edr0Ee - isSecretRef: true - organization_id: '1234' - url: https://billing.elastic-cloud.com - name: ess_billing-1 - namespace: default - package: - name: ess_billing - title: Elasticsearch Service Billing - version: 1.6.0 - revision: 1 - secret_references: - - id: QY1sWpoBbWcMW-edr0Ee - supports_agentless: true - updated_at: '2025-11-06T18:27:43.541Z' - updated_by: test_user - version: WzE0OTgsMV0= - createAgentlessPoliciesWithAWSCloudConnectorResponseExample: - description: Example response for AWS cloud connector integration - value: - item: - cloud_connector_id: aws-connector-67890 - created_at: '2025-11-06T18:27:43.541Z' - created_by: test_user - description: CSPM integration for AWS with cloud connector - enabled: true - id: aws-policy-12345 - inputs: - cspm-cloudbeat/cis_aws: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - aws.account_type: organization-account - aws.credentials.type: cloud_connector - external_id: - id: secret-external-id-123 - isSecretRef: true - role_arn: arn:aws:iam::123456789012:role/TestRole - vars: - cloud_formation_template: 
https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml - cspm-cloudbeat/cis_azure: - enabled: false - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-aws-policy - namespace: default - package: - name: cloud_security_posture - title: Cloud Security Posture Management - version: 3.1.1 - revision: 1 - secret_references: - - id: secret-external-id-123 - supports_agentless: true - supports_cloud_connector: true - updated_at: '2025-11-06T18:27:43.541Z' - updated_by: test_user - vars: - deployment: aws - posture: cspm - version: WzE0OTgsMV0= - createAgentlessPoliciesWithAzureCloudConnectorResponseExample: - description: Example response for Azure cloud connector integration - value: - item: - cloud_connector_id: azure-connector-67890 - created_at: '2025-11-06T18:27:43.541Z' - created_by: test_user - description: CSPM integration for Azure with cloud connector - enabled: true - id: azure-policy-12345 - inputs: - cspm-cloudbeat/cis_aws: - enabled: false - cspm-cloudbeat/cis_azure: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - azure_credentials_cloud_connector_id: - type: text - value: existing-azure-credentials-connector-id - azure.account_type: organization-account - client_id: - id: client-secret-id-456 - isSecretRef: true - tenant_id: - id: tenant-secret-id-123 - isSecretRef: true - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-azure-policy - namespace: default - package: - name: cloud_security_posture - title: Cloud Security Posture Management - version: 3.1.1 - revision: 1 - secret_references: - - id: tenant-secret-id-123 - - id: client-secret-id-456 - supports_agentless: true - supports_cloud_connector: true - updated_at: '2025-11-06T18:27:43.541Z' - updated_by: test_user - vars: - deployment: azure - posture: cspm - version: WzE0OTgsMV0= - schema: - additionalProperties: false - type: 
object - properties: - item: - additionalProperties: false - description: The created agentless package policy. - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - id: - description: Package policy unique identifier. 
- type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - 
release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). 
- type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. 
- is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. 
- type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - required: - - item - description: Indicates a successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '409': - content: - application/json: - examples: - conflictErrorResponseExample: - description: Example of a conflict error response - value: - error: Conflict - message: An error message describing what went wrong - statusCode: 409 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Conflict - summary: Create an agentless policy - tags: - - Fleet agentless policies - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agentless_policies/{policyId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/agentless_policies/{policyId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete an agentless policy - operationId: delete-fleet-agentless-policies-policyid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the policy to delete. - in: path - name: policyId - required: true - schema: - type: string - - description: Force delete the policy even if the policy is managed. - in: query - name: force - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - createAgentlessPoliciesResponseExample: - description: Example response showing the successful result of communication initialisation over MCP protocol - value: - item: - id: d52a7812-5736-4fdc-aed8-72152afa1ffa - schema: - additionalProperties: false - description: Response for deleting an agentless package policy. - type: object - properties: - id: - description: The ID of the deleted agentless package policy. 
- type: string - required: - - id - description: Indicates a successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '409': - content: - application/json: - examples: - conflictErrorResponseExample: - description: Example of a conflict error response - value: - error: Conflict - message: An error message describing what went wrong - statusCode: 409 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Conflict - summary: Delete an agentless policy - tags: - - Fleet agentless policies - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agents: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agents
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List agents, with optional filtering and pagination.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents - parameters: - - in: query - name: page - required: false - schema: - type: number - - in: query - name: perPage - required: false - schema: - default: 20 - type: number - - in: query - name: kuery - required: false - schema: - type: string - - in: query - name: showAgentless - required: false - schema: - default: true - type: boolean - - in: query - name: showInactive - required: false - schema: - default: false - type: boolean - - in: query - name: withMetrics - required: false - schema: - default: false - type: boolean - - in: query - name: showUpgradeable - required: false - schema: - default: false - type: boolean - - in: query - name: getStatusSummary - required: false - schema: - default: false - type: boolean - - in: query - name: sortField - required: false - schema: - type: string - - in: query - name: sortOrder - required: false - schema: - enum: - - asc - - desc - type: string - - in: query - name: searchAfter - required: false - schema: - type: string - - in: query - name: openPit - required: false - schema: - type: boolean - - in: query - name: pitId - required: false - schema: - type: string - - in: query - name: pitKeepAlive - required: false - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getAgentsExample: - description: List of agents - value: - items: - - active: true - enrolled_at: '2024-01-01T00:00:00.000Z' - id: agent-id-1 - policy_id: agent-policy-id-1 - policy_revision: 1 - status: online - type: PERMANENT - updated_at: '2024-01-01T00:00:00.000Z' - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - access_api_key: - type: string - access_api_key_id: - type: string - active: - type: boolean - agent: - additionalProperties: true - type: object - properties: - id: - type: 
string - type: - type: string - version: - type: string - required: - - id - - version - audit_unenrolled_reason: - type: string - capabilities: - items: - type: string - maxItems: 100 - type: array - components: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - type: string - units: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - payload: - additionalProperties: - nullable: true - type: object - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - enum: - - input - - output - - '' - type: string - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - default_api_key: - type: string - default_api_key_history: - items: - additionalProperties: false - deprecated: true - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - default_api_key_id: - type: string - effective_config: - nullable: true - enrolled_at: - type: string - health: - additionalProperties: - nullable: true - type: object - id: - type: string - identifying_attributes: - additionalProperties: - type: string - type: object - last_checkin: - type: string - last_checkin_message: - type: string - last_checkin_status: - enum: - - error - - online - - degraded - - updating - - starting - - disconnected - type: string - last_known_status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - local_metadata: - additionalProperties: - nullable: true - type: 
object - metrics: - additionalProperties: false - type: object - properties: - cpu_avg: - type: number - memory_size_byte_avg: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - non_identifying_attributes: - additionalProperties: - type: string - type: object - outputs: - additionalProperties: - additionalProperties: false - type: object - properties: - api_key_id: - type: string - to_retire_api_key_ids: - items: - additionalProperties: false - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - type: - type: string - type: object - packages: - items: - type: string - maxItems: 10000 - type: array - policy_id: - type: string - policy_revision: - nullable: true - type: number - sequence_num: - type: number - sort: - items: - nullable: true - maxItems: 10 - type: array - status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - tags: - items: - type: string - maxItems: 100 - type: array - type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - - OPAMP - type: string - unenrolled_at: - type: string - unenrollment_started_at: - type: string - unhealthy_reason: - items: - enum: - - input - - output - - other - type: string - maxItems: 3 - nullable: true - type: array - upgrade: - additionalProperties: false - type: object - properties: - rollbacks: - items: - additionalProperties: false - type: object - properties: - valid_until: - type: string - version: - type: string - required: - - valid_until - - version - maxItems: 100 - type: array - upgrade_attempts: - items: - type: string - maxItems: 10000 - nullable: true - type: array - upgrade_details: - additionalProperties: false - nullable: true - type: object - properties: - action_id: - type: string - metadata: - additionalProperties: false - type: object - properties: - 
download_percent: - type: number - download_rate: - type: number - error_msg: - type: string - failed_state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - reason: - type: string - retry_error_msg: - type: string - retry_until: - type: string - scheduled_at: - type: string - state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - target_version: - type: string - required: - - target_version - - action_id - - state - upgrade_started_at: - nullable: true - type: string - upgraded_at: - nullable: true - type: string - user_provided_metadata: - additionalProperties: - nullable: true - type: object - required: - - id - - packages - - type - - active - - enrolled_at - - local_metadata - - effective_config - maxItems: 10000 - type: array - nextSearchAfter: - type: string - page: - type: number - perPage: - type: number - pit: - type: string - statusSummary: - additionalProperties: - type: number - type: object - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get agents - tags: - - Elastic Agents - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- 
- **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve agents associated with specific action IDs.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: post-fleet-agents - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postGetAgentsByActionsRequestExample: - description: Retrieve agents associated with specific action IDs - value: - actionIds: - - action-id-1 - - action-id-2 - schema: - additionalProperties: false - type: object - properties: - actionIds: - items: - type: string - maxItems: 1000 - type: array - required: - - actionIds - responses: - '200': - content: - application/json: - examples: - postGetAgentsByActionsExample: - description: Agents associated with the given actions - value: - items: - - active: true - id: agent-id-1 - policy_id: agent-policy-id-1 - status: online - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - type: string - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get agents by action ids - tags: - - Elastic Agents - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agents/{agentId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/agents/{agentId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: delete-fleet-agents-agentid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: agentId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - deleteAgentExample: - description: Agent successfully deleted - value: - id: agent-id-1 - success: true - schema: - additionalProperties: false - type: object - properties: - action: - enum: - - deleted - type: string - required: - - action - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent was found with the given ID - value: - error: Not Found - message: Agent agent-id-1 not found - statusCode: 404 - description: Not Found - summary: Delete an agent - tags: - - Elastic Agents - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agents/{agentId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get an agent by ID.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-agentid - parameters: - - in: path - name: agentId - required: true - schema: - type: string - - in: query - name: withMetrics - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - getAgentExample: - description: Agent details - value: - item: - active: true - agent_id: agent-id-1 - enrolled_at: '2024-01-01T00:00:00.000Z' - id: agent-id-1 - local_metadata: - elastic: - agent: - version: 8.17.0 - host: - hostname: my-host - os: - name: linux - policy_id: agent-policy-id-1 - policy_revision: 1 - status: online - type: PERMANENT - updated_at: '2024-01-01T00:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - access_api_key: - type: string - access_api_key_id: - type: string - active: - type: boolean - agent: - additionalProperties: true - type: object - properties: - id: - type: string - type: - type: string - version: - type: string - required: - - id - - version - audit_unenrolled_reason: - type: string - capabilities: - items: - type: string - maxItems: 100 - type: array - components: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - type: string - units: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - payload: - additionalProperties: - nullable: true - type: object - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - enum: - - input - - output - - '' - type: string - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - 
required: - - id - - type - - status - - message - maxItems: 10000 - type: array - default_api_key: - type: string - default_api_key_history: - items: - additionalProperties: false - deprecated: true - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - default_api_key_id: - type: string - effective_config: - nullable: true - enrolled_at: - type: string - health: - additionalProperties: - nullable: true - type: object - id: - type: string - identifying_attributes: - additionalProperties: - type: string - type: object - last_checkin: - type: string - last_checkin_message: - type: string - last_checkin_status: - enum: - - error - - online - - degraded - - updating - - starting - - disconnected - type: string - last_known_status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - local_metadata: - additionalProperties: - nullable: true - type: object - metrics: - additionalProperties: false - type: object - properties: - cpu_avg: - type: number - memory_size_byte_avg: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - non_identifying_attributes: - additionalProperties: - type: string - type: object - outputs: - additionalProperties: - additionalProperties: false - type: object - properties: - api_key_id: - type: string - to_retire_api_key_ids: - items: - additionalProperties: false - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - type: - type: string - type: object - packages: - items: - type: string - maxItems: 10000 - type: array - policy_id: - type: string - policy_revision: - nullable: true - type: number - sequence_num: - type: number - sort: - items: - nullable: true - maxItems: 10 - type: array - status: - enum: - - offline - 
- error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - tags: - items: - type: string - maxItems: 100 - type: array - type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - - OPAMP - type: string - unenrolled_at: - type: string - unenrollment_started_at: - type: string - unhealthy_reason: - items: - enum: - - input - - output - - other - type: string - maxItems: 3 - nullable: true - type: array - upgrade: - additionalProperties: false - type: object - properties: - rollbacks: - items: - additionalProperties: false - type: object - properties: - valid_until: - type: string - version: - type: string - required: - - valid_until - - version - maxItems: 100 - type: array - upgrade_attempts: - items: - type: string - maxItems: 10000 - nullable: true - type: array - upgrade_details: - additionalProperties: false - nullable: true - type: object - properties: - action_id: - type: string - metadata: - additionalProperties: false - type: object - properties: - download_percent: - type: number - download_rate: - type: number - error_msg: - type: string - failed_state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - reason: - type: string - retry_error_msg: - type: string - retry_until: - type: string - scheduled_at: - type: string - state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - target_version: - type: string - required: - - target_version - - action_id - - state - upgrade_started_at: - nullable: true - type: string - upgraded_at: - nullable: true - type: string - user_provided_metadata: - additionalProperties: - nullable: true - type: object - required: - - id - - packages - - type - - active - - 
enrolled_at - - local_metadata - - effective_config - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent was found with the given ID - value: - error: Not Found - message: Agent agent-id-1 not found - statusCode: 404 - description: Not Found - summary: Get an agent - tags: - - Elastic Agents - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/agents/{agentId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: put-fleet-agents-agentid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: agentId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putAgentRequestExample: - description: Update agent tags - value: - tags: - - production - - linux - schema: - additionalProperties: false - type: object - properties: - tags: - items: - type: string - maxItems: 10 - type: array - user_provided_metadata: - additionalProperties: - nullable: true - type: object - responses: - '200': - content: - application/json: - examples: - putAgentExample: - description: Updated agent details - value: - item: - active: true - enrolled_at: '2024-01-01T00:00:00.000Z' - id: agent-id-1 - policy_id: agent-policy-id-1 - policy_revision: 1 - status: online - tags: - - production - - linux - type: PERMANENT - updated_at: '2024-01-01T00:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - access_api_key: - type: string - access_api_key_id: - type: string - active: - type: boolean - agent: - additionalProperties: true - type: object - properties: - id: - type: string - type: - type: string - version: - type: string - required: - - id - - version - audit_unenrolled_reason: - type: string - capabilities: - items: - type: string - maxItems: 100 - type: array - components: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - type: string - units: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: 
string - payload: - additionalProperties: - nullable: true - type: object - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - enum: - - input - - output - - '' - type: string - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - default_api_key: - type: string - default_api_key_history: - items: - additionalProperties: false - deprecated: true - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - default_api_key_id: - type: string - effective_config: - nullable: true - enrolled_at: - type: string - health: - additionalProperties: - nullable: true - type: object - id: - type: string - identifying_attributes: - additionalProperties: - type: string - type: object - last_checkin: - type: string - last_checkin_message: - type: string - last_checkin_status: - enum: - - error - - online - - degraded - - updating - - starting - - disconnected - type: string - last_known_status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - local_metadata: - additionalProperties: - nullable: true - type: object - metrics: - additionalProperties: false - type: object - properties: - cpu_avg: - type: number - memory_size_byte_avg: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - non_identifying_attributes: - additionalProperties: - type: string - type: object - outputs: - additionalProperties: - additionalProperties: false - type: object - properties: - api_key_id: - type: string - to_retire_api_key_ids: - items: - additionalProperties: false - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at 
- maxItems: 100 - type: array - type: - type: string - type: object - packages: - items: - type: string - maxItems: 10000 - type: array - policy_id: - type: string - policy_revision: - nullable: true - type: number - sequence_num: - type: number - sort: - items: - nullable: true - maxItems: 10 - type: array - status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - tags: - items: - type: string - maxItems: 100 - type: array - type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - - OPAMP - type: string - unenrolled_at: - type: string - unenrollment_started_at: - type: string - unhealthy_reason: - items: - enum: - - input - - output - - other - type: string - maxItems: 3 - nullable: true - type: array - upgrade: - additionalProperties: false - type: object - properties: - rollbacks: - items: - additionalProperties: false - type: object - properties: - valid_until: - type: string - version: - type: string - required: - - valid_until - - version - maxItems: 100 - type: array - upgrade_attempts: - items: - type: string - maxItems: 10000 - nullable: true - type: array - upgrade_details: - additionalProperties: false - nullable: true - type: object - properties: - action_id: - type: string - metadata: - additionalProperties: false - type: object - properties: - download_percent: - type: number - download_rate: - type: number - error_msg: - type: string - failed_state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - reason: - type: string - retry_error_msg: - type: string - retry_until: - type: string - scheduled_at: - type: string - state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: 
string - target_version: - type: string - required: - - target_version - - action_id - - state - upgrade_started_at: - nullable: true - type: string - upgraded_at: - nullable: true - type: string - user_provided_metadata: - additionalProperties: - nullable: true - type: object - required: - - id - - packages - - type - - active - - enrolled_at - - local_metadata - - effective_config - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent was found with the given ID - value: - error: Not Found - message: Agent agent-id-1 not found - statusCode: 404 - description: Not Found - summary: Update an agent by ID - tags: - - Elastic Agents - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agents/{agentId}/actions: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/{agentId}/actions
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new action for a specific agent.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-actions - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: agentId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postAgentActionRequestExample: - description: Create a UNENROLL action for an agent - value: - action: - type: UNENROLL - schema: - additionalProperties: false - type: object - properties: - action: - anyOf: - - additionalProperties: false - type: object - properties: - ack_data: - nullable: true - data: - nullable: true - type: - enum: - - UNENROLL - - UPGRADE - - POLICY_REASSIGN - type: string - required: - - type - - data - - ack_data - - additionalProperties: false - type: object - properties: - data: - additionalProperties: false - type: object - properties: - log_level: - enum: - - debug - - info - - warning - - error - nullable: true - type: string - required: - - log_level - type: - enum: - - SETTINGS - type: string - required: - - type - - data - required: - - action - responses: - '200': - content: - application/json: - examples: - postAgentActionExample: - description: Created agent action - value: - item: - agents: - - agent-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: action-id-1 - type: UNENROLL - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - ack_data: - nullable: true - agents: - items: - type: string - maxItems: 10000 - type: array - created_at: - type: string - data: - nullable: true - expiration: - type: string - id: - type: string - minimum_execution_duration: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - rollout_duration_seconds: - type: number - sent_at: - type: string - source_uri: - type: string 
- start_time: - type: string - total: - type: number - type: - type: string - required: - - id - - type - - data - - created_at - - ack_data - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create an agent action - tags: - - Elastic Agent actions - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agents/{agentId}/effective_config: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agents/{agentId}/effective_config
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get an agent's effective config by ID.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-agentid-effective-config - parameters: - - description: The agent ID to get effective config of - in: path - name: agentId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - successResponse: - value: - effective_config: {} - schema: - additionalProperties: false - type: object - properties: - effective_config: - nullable: true - required: - - effective_config - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - badRequestResponse: - value: - message: Bad Request - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Get an agent's effective config - tags: - - Elastic Agents - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agents/{agentId}/migrate: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/{agentId}/migrate
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Migrate a single agent to another cluster.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-migrate - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: agentId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postMigrateAgentRequestExample: - description: Migrate a single agent to another cluster - value: - enrollment_token: enrollment-token-value - settings: - retry_max: 5 - uri: https://fleet-server.example.com:8220 - schema: - additionalProperties: false - type: object - properties: - enrollment_token: - type: string - settings: - additionalProperties: false - type: object - properties: - ca_sha256: - type: string - certificate_authorities: - type: string - elastic_agent_cert: - type: string - elastic_agent_cert_key: - type: string - elastic_agent_cert_key_passphrase: - type: string - headers: - additionalProperties: - type: string - type: object - insecure: - type: boolean - proxy_disabled: - type: boolean - proxy_headers: - additionalProperties: - type: string - type: object - proxy_url: - type: string - replace_token: - type: string - staging: - type: string - tags: - items: - type: string - maxItems: 10 - type: array - uri: - format: uri - type: string - required: - - uri - - enrollment_token - responses: - '200': - content: - application/json: - examples: - postMigrateAgentExample: - description: Agent migration initiated - value: - actionId: action-id-1 - schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: 
- additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Migrate a single agent - tags: - - Elastic Agents - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agents/{agentId}/privilege_level_change: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/{agentId}/privilege_level_change
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Change the privilege level of a single agent to unprivileged.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-privilege-level-change - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The agent ID to change privilege level for - in: path - name: agentId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - changeAgentPrivilegeLevelRequest: - value: - user_info: - groupname: groupname - password: password - username: username - schema: - additionalProperties: false - nullable: true - type: object - properties: - user_info: - additionalProperties: false - type: object - properties: - groupname: - type: string - password: - type: string - username: - type: string - responses: - '200': - content: - application/json: - examples: - successResponse: - value: - actionId: actionId - schema: - anyOf: - - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - badRequestResponse: - value: - message: Bad Request - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Change agent privilege level - tags: - - Elastic Agents - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agents/{agentId}/reassign: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/{agentId}/reassign
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Reassign an agent to a different agent policy.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-reassign - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: agentId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postReassignAgentRequestExample: - description: Reassign an agent to a different policy - value: - policy_id: agent-policy-id-2 - schema: - additionalProperties: false - type: object - properties: - policy_id: - type: string - required: - - policy_id - responses: - '200': - content: - application/json: - examples: - postReassignAgentExample: - description: Agent successfully reassigned - value: {} - schema: - additionalProperties: false - type: object - properties: {} - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Reassign an agent - tags: - - Elastic Agent actions - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agents/{agentId}/request_diagnostics: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/{agentId}/request_diagnostics
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Request a diagnostics bundle from a specific agent.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: post-fleet-agents-agentid-request-diagnostics - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: agentId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postRequestDiagnosticsRequestExample: - description: Request a diagnostics bundle from an agent - value: - additional_metrics: - - CPU - schema: - additionalProperties: false - nullable: true - type: object - properties: - additional_metrics: - items: - enum: - - CPU - type: string - maxItems: 1 - type: array - responses: - '200': - content: - application/json: - examples: - postRequestDiagnosticsExample: - description: Diagnostics action result - value: - actionId: action-id-1 - schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: Agent agent-id-1 does not support request diagnostics action. - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Request agent diagnostics - tags: - - Elastic Agent actions - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agents/{agentId}/rollback: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/{agentId}/rollback
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Rollback an agent to the previous version.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-rollback - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The agent ID to rollback - in: path - name: agentId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - successResponse: - value: - actionId: actionId - schema: - anyOf: - - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - badRequestResponse: - value: - message: Bad Request - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Rollback an agent - tags: - - Elastic Agent actions - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agents/{agentId}/unenroll: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/{agentId}/unenroll
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Unenroll a specific agent, optionally revoking its enrollment API key.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-unenroll - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: agentId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postUnenrollAgentRequestExample: - description: Unenroll an agent, optionally revoking the enrollment API key - value: - revoke: false - schema: - additionalProperties: false - nullable: true - type: object - properties: - force: - type: boolean - revoke: - type: boolean - responses: - '200': - content: - application/json: - examples: - postUnenrollAgentExample: - description: Agent successfully unenrolled - value: {} - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - description: Bad Request - summary: Unenroll an agent - tags: - - Elastic Agent actions - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agents/{agentId}/upgrade: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/{agentId}/upgrade
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Upgrade a specific agent to a newer version.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-upgrade - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: agentId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postUpgradeAgentRequestExample: - description: Upgrade an agent to a specific version - value: - version: 8.17.0 - schema: - additionalProperties: false - type: object - properties: - force: - type: boolean - skipRateLimitCheck: - type: boolean - source_uri: - type: string - version: - type: string - required: - - version - responses: - '200': - content: - application/json: - examples: - postUpgradeAgentExample: - description: Agent upgrade initiated - value: {} - schema: - additionalProperties: false - type: object - properties: {} - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Upgrade an agent - tags: - - Elastic Agent actions - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agents/{agentId}/uploads: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agents/{agentId}/uploads
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of files uploaded by a specific agent.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-agentid-uploads - parameters: - - in: path - name: agentId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getAgentUploadsExample: - description: List of files uploaded by the agent - value: - items: - - actionId: action-id-1 - createTime: '2024-01-01T00:00:00.000Z' - filePath: /tmp/diagnostics-2024-01-01.zip - id: file-id-1 - name: diagnostics-2024-01-01.zip - status: READY - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - actionId: - type: string - createTime: - type: string - error: - type: string - filePath: - type: string - id: - type: string - name: - type: string - status: - enum: - - READY - - AWAITING_UPLOAD - - DELETED - - EXPIRED - - IN_PROGRESS - - FAILED - type: string - required: - - id - - name - - filePath - - createTime - - status - - actionId - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get agent uploads - tags: - - Elastic Agents - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agents/action_status: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agents/action_status
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the current status of recent agent actions.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-action-status - parameters: - - in: query - name: page - required: false - schema: - default: 0 - type: number - - in: query - name: perPage - required: false - schema: - default: 20 - type: number - - in: query - name: date - required: false - schema: - type: string - - in: query - name: latest - required: false - schema: - type: number - - in: query - name: errorSize - required: false - schema: - default: 5 - type: number - responses: - '200': - content: - application/json: - examples: - getActionStatusExample: - description: Status of recent agent actions - value: - items: - - actionId: action-id-1 - completionTime: '2024-01-01T00:05:00.000Z' - creationTime: '2024-01-01T00:00:00.000Z' - nbAgentsAck: 2 - nbAgentsActioned: 2 - nbAgentsFailed: 0 - status: COMPLETE - type: UPGRADE - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - actionId: - type: string - cancellationTime: - type: string - completionTime: - type: string - creationTime: - description: creation time of action - type: string - expiration: - type: string - hasRolloutPeriod: - type: boolean - is_automatic: - type: boolean - latestErrors: - items: - additionalProperties: false - description: latest errors that happened when the agents executed the action - type: object - properties: - agentId: - type: string - error: - type: string - hostname: - type: string - timestamp: - type: string - required: - - agentId - - error - - timestamp - maxItems: 10 - type: array - nbAgentsAck: - description: number of agents that acknowledged the action - type: number - nbAgentsActionCreated: - description: number of agents included in action from kibana - type: number - nbAgentsActioned: - description: number of agents actioned - type: number - nbAgentsFailed: - description: number of agents that failed to execute the 
action - type: number - newPolicyId: - description: new policy id (POLICY_REASSIGN action) - type: string - policyId: - description: policy id (POLICY_CHANGE action) - type: string - revision: - description: new policy revision (POLICY_CHANGE action) - type: number - startTime: - description: start time of action (scheduled actions) - type: string - status: - enum: - - COMPLETE - - EXPIRED - - CANCELLED - - FAILED - - IN_PROGRESS - - ROLLOUT_PASSED - type: string - type: - enum: - - UPGRADE - - UNENROLL - - SETTINGS - - POLICY_REASSIGN - - CANCEL - - FORCE_UNENROLL - - REQUEST_DIAGNOSTICS - - UPDATE_TAGS - - POLICY_CHANGE - - INPUT_ACTION - - MIGRATE - - PRIVILEGE_LEVEL_CHANGE - - ROLLBACK - type: string - version: - description: agent version number (UPGRADE action) - type: string - required: - - actionId - - nbAgentsActionCreated - - nbAgentsAck - - nbAgentsFailed - - type - - nbAgentsActioned - - status - - creationTime - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get an agent action status - tags: - - Elastic Agent actions - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agents/actions/{actionId}/cancel: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/actions/{actionId}/cancel
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Cancel a pending action for a specific agent.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-actions-actionid-cancel - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: actionId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postCancelActionRequestExample: - description: Cancel an agent action - value: {} - responses: - '200': - content: - application/json: - examples: - postCancelActionExample: - description: Cancellation action created - value: - item: - agents: - - agent-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: cancel-action-id-1 - type: CANCEL - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - ack_data: - nullable: true - agents: - items: - type: string - maxItems: 10000 - type: array - created_at: - type: string - data: - nullable: true - expiration: - type: string - id: - type: string - minimum_execution_duration: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - rollout_duration_seconds: - type: number - sent_at: - type: string - source_uri: - type: string - start_time: - type: string - total: - type: number - type: - type: string - required: - - id - - type - - data - - created_at - - ack_data - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - 
- message - - attributes - description: Bad Request - summary: Cancel an agent action - tags: - - Elastic Agent actions - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agents/available_versions: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agents/available_versions
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of Elastic Agent versions available for upgrade.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-available-versions - parameters: [] - responses: - '200': - content: - application/json: - examples: - getAvailableVersionsExample: - description: List of available agent versions for upgrade - value: - items: - - 8.17.0 - - 8.16.3 - - 8.16.2 - schema: - additionalProperties: false - type: object - properties: - items: - items: - type: string - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get available agent versions - tags: - - Elastic Agents - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agents/bulk_migrate: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/bulk_migrate
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Bulk migrate agents to another cluster.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-migrate - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkMigrateAgentsRequestExample: - description: Migrate multiple agents to another cluster - value: - agents: - - agent-id-1 - - agent-id-2 - enrollment_token: enrollment-token-value - settings: - retry_max: 5 - uri: https://fleet-server.example.com:8220 - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - enrollment_token: - type: string - settings: - additionalProperties: false - type: object - properties: - ca_sha256: - type: string - certificate_authorities: - type: string - elastic_agent_cert: - type: string - elastic_agent_cert_key: - type: string - elastic_agent_cert_key_passphrase: - type: string - headers: - additionalProperties: - type: string - type: object - insecure: - type: boolean - proxy_disabled: - type: boolean - proxy_headers: - additionalProperties: - type: string - type: object - proxy_url: - type: string - staging: - type: string - tags: - items: - type: string - maxItems: 10 - type: array - uri: - format: uri - type: string - required: - - agents - - uri - - enrollment_token - responses: - '200': - content: - application/json: - examples: - postBulkMigrateAgentsExample: - description: Bulk agent migration initiated - value: - actionId: action-id-1 - schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request 
- message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Migrate multiple agents - tags: - - Elastic Agents - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agents/bulk_privilege_level_change: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/bulk_privilege_level_change
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Change multiple agents' privilege level to unprivileged.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-privilege-level-change - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - bulkChangeAgentPrivilegeLevelRequest: - value: - agents: agent - user_info: - groupname: groupname - password: password - username: username - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - user_info: - additionalProperties: false - type: object - properties: - groupname: - type: string - password: - type: string - username: - type: string - required: - - agents - responses: - '200': - content: - application/json: - examples: - successResponse: - value: - actionId: actionId - schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - badRequestResponse: - value: - message: Bad Request - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Bulk change agent privilege level - tags: - - Elastic Agents - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agents/bulk_reassign: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/bulk_reassign
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Reassign multiple agents to a different agent policy.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-reassign - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkReassignAgentsRequestExample: - description: Reassign multiple agents to a different policy - value: - agents: - - agent-id-1 - - agent-id-2 - policy_id: agent-policy-id-2 - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - includeInactive: - default: false - type: boolean - policy_id: - type: string - required: - - policy_id - - agents - responses: - '200': - content: - application/json: - examples: - postBulkReassignAgentsExample: - description: Bulk reassign action result - value: - actionId: action-id-1 - schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk reassign agents - tags: - - Elastic Agent actions - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agents/bulk_request_diagnostics: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/bulk_request_diagnostics
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Request diagnostics bundles from multiple agents.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: post-fleet-agents-bulk-request-diagnostics - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkRequestDiagnosticsRequestExample: - description: Request diagnostics bundles from multiple agents - value: - additional_metrics: - - CPU - agents: - - agent-id-1 - - agent-id-2 - schema: - additionalProperties: false - type: object - properties: - additional_metrics: - items: - enum: - - CPU - type: string - maxItems: 1 - type: array - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - required: - - agents - responses: - '200': - content: - application/json: - examples: - postBulkRequestDiagnosticsExample: - description: Bulk diagnostics action result - value: - actionId: action-id-1 - schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk request diagnostics from agents - tags: - - Elastic Agent actions - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agents/bulk_rollback: - post: - description: |- - **Spaces method and path for this operation:** - 
-
post /s/{space_id}/api/fleet/agents/bulk_rollback
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Rollback multiple agents to the previous version.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-rollback - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - bulkRollbackAgentsRequest: - value: - agents: - - agent-1 - - agent-2 - batchSize: 100 - includeInactive: false - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - includeInactive: - default: false - type: boolean - required: - - agents - responses: - '200': - content: - application/json: - examples: - successResponse: - value: - actionIds: - - actionId1 - - actionId2 - schema: - additionalProperties: false - type: object - properties: - actionIds: - items: - type: string - maxItems: 10000 - type: array - required: - - actionIds - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - badRequestResponse: - value: - message: Bad Request - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Bulk rollback agents - tags: - - Elastic Agent actions - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agents/bulk_unenroll: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/bulk_unenroll
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Unenroll multiple agents, optionally revoking their enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-unenroll - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkUnenrollAgentsRequestExample: - description: Unenroll multiple agents - value: - agents: - - agent-id-1 - - agent-id-2 - revoke: false - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - description: list of agent IDs - type: string - maxItems: 10000 - type: array - - description: KQL query string, leave empty to action all agents - type: string - batchSize: - type: number - force: - description: Unenrolls hosted agents too - type: boolean - includeInactive: - description: When passing agents by KQL query, unenrolls inactive agents too - type: boolean - revoke: - description: Revokes API keys of agents - type: boolean - required: - - agents - responses: - '200': - content: - application/json: - examples: - postBulkUnenrollAgentsExample: - description: Bulk unenroll action result - value: - actionId: action-id-1 - schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk unenroll agents - tags: - - Elastic Agent actions - 
x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agents/bulk_update_agent_tags: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/bulk_update_agent_tags
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Add or remove tags across multiple agents.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-update-agent-tags - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkUpdateAgentTagsRequestExample: - description: Add and remove tags across multiple agents - value: - agents: - - agent-id-1 - - agent-id-2 - tagsToAdd: - - production - tagsToRemove: - - staging - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - includeInactive: - default: false - type: boolean - tagsToAdd: - items: - type: string - maxItems: 10 - type: array - tagsToRemove: - items: - type: string - maxItems: 10 - type: array - required: - - agents - responses: - '200': - content: - application/json: - examples: - postBulkUpdateAgentTagsExample: - description: Bulk action result - value: - actionId: action-id-1 - schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk update agent tags - tags: - - Elastic Agent actions - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - 
/api/fleet/agents/bulk_upgrade: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/bulk_upgrade
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Upgrade multiple agents to a newer version, with optional rollout controls.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-upgrade - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkUpgradeAgentsRequestExample: - description: Upgrade multiple agents to a specific version - value: - agents: - - agent-id-1 - - agent-id-2 - rollout_duration_seconds: 3600 - version: 8.17.0 - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - force: - type: boolean - includeInactive: - default: false - type: boolean - rollout_duration_seconds: - minimum: 600 - type: number - skipRateLimitCheck: - type: boolean - source_uri: - type: string - start_time: - type: string - version: - type: string - required: - - agents - - version - responses: - '200': - content: - application/json: - examples: - postBulkUpgradeAgentsExample: - description: Bulk upgrade action result - value: - actionId: action-id-1 - schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk upgrade agents - tags: - - Elastic Agent actions - x-metaTags: - - content: Kibana, 
Elastic Cloud Serverless - name: product_name - /api/fleet/agents/files/{fileId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/agents/files/{fileId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: delete-fleet-agents-files-fileid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: fileId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - deleteAgentUploadFileExample: - description: Uploaded file successfully deleted - value: - deleted: true - id: file-id-1 - schema: - additionalProperties: false - type: object - properties: - deleted: - type: boolean - id: - type: string - required: - - id - - deleted - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete an uploaded file - tags: - - Elastic Agents - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agents/files/{fileId}/{fileName}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agents/files/{fileId}/{fileName}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-files-fileid-filename - parameters: - - in: path - name: fileId - required: true - schema: - type: string - - in: path - name: fileName - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getAgentUploadFileExample: - description: The uploaded file content as a stream - value: - schema: - type: object - description: Successful response — returns the uploaded file content - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get an uploaded file - tags: - - Elastic Agents - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agents/setup: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agents/setup
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the current Fleet setup status, including whether Fleet is ready to enroll agents and which requirements or optional features are missing.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. - operationId: get-fleet-agents-setup - parameters: [] - responses: - '200': - content: - application/json: - examples: - agentsSetupNotReadyExample: - description: Fleet is not ready — a Fleet Server and API keys are required - value: - is_action_secrets_storage_enabled: false - is_secrets_storage_enabled: false - is_space_awareness_enabled: false - is_ssl_secrets_storage_enabled: false - isReady: false - missing_optional_features: - - encrypted_saved_object_encryption_key_required - missing_requirements: - - fleet_server - - api_keys - agentsSetupReadyExample: - description: Fleet is ready to enroll agents — all requirements are met - value: - is_action_secrets_storage_enabled: true - is_secrets_storage_enabled: true - is_space_awareness_enabled: false - is_ssl_secrets_storage_enabled: false - isReady: true - missing_optional_features: [] - missing_requirements: [] - package_verification_key_id: D88DB4CC - schema: - additionalProperties: false - description: A summary of the agent setup status. `isReady` indicates whether the setup is ready. If the setup is not ready, `missing_requirements` lists which requirements are missing. 
- type: object - properties: - is_action_secrets_storage_enabled: - type: boolean - is_secrets_storage_enabled: - type: boolean - is_space_awareness_enabled: - type: boolean - is_ssl_secrets_storage_enabled: - type: boolean - isReady: - type: boolean - missing_optional_features: - items: - enum: - - encrypted_saved_object_encryption_key_required - type: string - maxItems: 1 - type: array - missing_requirements: - items: - enum: - - security_required - - tls_required - - api_keys - - fleet_admin_user - - fleet_server - type: string - maxItems: 5 - type: array - package_verification_key_id: - type: string - required: - - isReady - - missing_requirements - - missing_optional_features - description: Fleet setup status - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get agent setup info - tags: - - Elastic Agents - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/setup
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Initialize Fleet. This endpoint is used by Elastic Agents to trigger Fleet setup. Safe to call multiple times; subsequent calls are idempotent.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. - operationId: post-fleet-agents-setup - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - responses: - '200': - content: - application/json: - examples: - agentsSetupSuccessExample: - description: Fleet setup initialized successfully with no non-fatal errors - value: - isInitialized: true - nonFatalErrors: [] - schema: - additionalProperties: false - description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup. - type: object - properties: - isInitialized: - type: boolean - nonFatalErrors: - items: - additionalProperties: false - type: object - properties: - message: - type: string - name: - type: string - required: - - name - - message - maxItems: 10000 - type: array - required: - - isInitialized - - nonFatalErrors - description: Fleet setup completed - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Initiate Fleet setup - tags: - - Elastic Agents - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agents/tags: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agents/tags
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all tags used across enrolled agents.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-tags - parameters: - - in: query - name: kuery - required: false - schema: - type: string - - in: query - name: showInactive - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - getAgentTagsExample: - description: List of tags used across agents - value: - items: - - production - - linux - - datacenter-1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - type: string - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get agent tags - tags: - - Elastic Agents - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/check-permissions: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/check-permissions
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Check whether the current user has the required permissions to use Fleet. Optionally verifies Fleet Server setup privileges. - operationId: get-fleet-check-permissions - parameters: - - in: query - name: fleetServerSetup - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - checkPermissionsMissingPrivilegesExample: - description: The current user is missing Fleet privileges - value: - error: MISSING_PRIVILEGES - success: false - checkPermissionsSuccessExample: - description: The current user has all required Fleet permissions - value: - success: true - schema: - additionalProperties: false - type: object - properties: - error: - enum: - - MISSING_SECURITY - - MISSING_PRIVILEGES - - MISSING_FLEET_SERVER_SETUP_PRIVILEGES - type: string - success: - type: boolean - required: - - success - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Check permissions - tags: - - Fleet internals - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/cloud_connectors: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/cloud_connectors
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all Fleet cloud connectors.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. - operationId: get-fleet-cloud-connectors - parameters: - - description: The page number for pagination. - in: query - name: page - required: false - schema: - type: string - - description: The number of items per page. - in: query - name: perPage - required: false - schema: - type: string - - description: KQL query to filter cloud connectors. - in: query - name: kuery - required: false - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getCloudConnectorsExample: - description: List of Fleet cloud connectors - value: - items: - - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-1 - name: My AWS connector - packagePolicyCount: 2 - updated_at: '2024-01-15T10:00:00.000Z' - vars: {} - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - accountType: - type: string - cloudProvider: - type: string - created_at: - type: string - id: - type: string - name: - type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: - additionalProperties: - nullable: true - type: object - verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: - type: string - required: - - id - - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - 
attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get cloud connectors - tags: - - Fleet cloud connectors - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/cloud_connectors
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new Fleet cloud connector.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. - operationId: post-fleet-cloud-connectors - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postCloudConnectorRequestExample: - description: Create a new AWS cloud connector - value: - accountType: single-account - cloudProvider: aws - name: My AWS connector - vars: {} - schema: - additionalProperties: false - type: object - properties: - accountType: - description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).' - enum: - - single-account - - organization-account - type: string - cloudProvider: - description: 'The cloud provider type: aws, azure, or gcp.' - enum: - - aws - - azure - - gcp - type: string - name: - description: The name of the cloud connector. 
- maxLength: 255 - minLength: 1 - type: string - vars: - additionalProperties: - anyOf: - - maxLength: 1000 - type: string - - type: number - - type: boolean - - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - maxLength: 50 - type: string - value: - anyOf: - - maxLength: 1000 - type: string - - additionalProperties: false - type: object - properties: - id: - maxLength: 255 - type: string - isSecretRef: - type: boolean - required: - - isSecretRef - - id - required: - - type - - value - type: object - required: - - name - - cloudProvider - - vars - responses: - '200': - content: - application/json: - examples: - postCloudConnectorExample: - description: The created Fleet cloud connector - value: - item: - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-2 - name: My AWS connector - packagePolicyCount: 0 - updated_at: '2024-01-15T10:00:00.000Z' - vars: {} - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - accountType: - type: string - cloudProvider: - type: string - created_at: - type: string - id: - type: string - name: - type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: - additionalProperties: - nullable: true - type: object - verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: - type: string - required: - - id - - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - 
type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create cloud connector - tags: - - Fleet cloud connectors - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/cloud_connectors/{cloudConnectorId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a cloud connector by ID. Use the `force` query parameter to delete even if package policies are still using it.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. - operationId: delete-fleet-cloud-connectors-cloudconnectorid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the cloud connector to delete. - in: path - name: cloudConnectorId - required: true - schema: - type: string - - description: If true, forces deletion even if the cloud connector is in use. - in: query - name: force - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - deleteCloudConnectorExample: - description: The cloud connector was successfully deleted - value: - id: cloud-connector-id-1 - schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete cloud connector (supports force deletion) - tags: - - Fleet cloud connectors - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a cloud connector by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. - operationId: get-fleet-cloud-connectors-cloudconnectorid - parameters: - - description: The unique identifier of the cloud connector. - in: path - name: cloudConnectorId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getCloudConnectorExample: - description: A Fleet cloud connector - value: - item: - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-1 - name: My AWS connector - packagePolicyCount: 2 - updated_at: '2024-01-15T10:00:00.000Z' - vars: {} - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - accountType: - type: string - cloudProvider: - type: string - created_at: - type: string - id: - type: string - name: - type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: - additionalProperties: - nullable: true - type: object - verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: - type: string - required: - - id - - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get cloud connector - tags: - - Fleet cloud 
connectors - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a cloud connector by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. - operationId: put-fleet-cloud-connectors-cloudconnectorid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the cloud connector to update. - in: path - name: cloudConnectorId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putCloudConnectorRequestExample: - description: Update a Fleet cloud connector - value: - name: Updated AWS connector - vars: {} - schema: - additionalProperties: false - type: object - properties: - accountType: - description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).' - enum: - - single-account - - organization-account - type: string - name: - description: The name of the cloud connector. - maxLength: 255 - minLength: 1 - type: string - vars: - additionalProperties: - anyOf: - - maxLength: 1000 - type: string - - type: number - - type: boolean - - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - maxLength: 50 - type: string - value: - anyOf: - - maxLength: 1000 - type: string - - additionalProperties: false - type: object - properties: - id: - maxLength: 255 - type: string - isSecretRef: - type: boolean - required: - - isSecretRef - - id - required: - - type - - value - type: object - responses: - '200': - content: - application/json: - examples: - putCloudConnectorExample: - description: The updated Fleet cloud connector - value: - item: - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-1 - name: Updated AWS connector - packagePolicyCount: 2 - updated_at: '2024-01-15T11:00:00.000Z' - vars: {} - schema: - additionalProperties: false - type: object - 
properties: - item: - additionalProperties: false - type: object - properties: - accountType: - type: string - cloudProvider: - type: string - created_at: - type: string - id: - type: string - name: - type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: - additionalProperties: - nullable: true - type: object - verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: - type: string - required: - - id - - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Update cloud connector - tags: - - Fleet cloud connectors - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/cloud_connectors/{cloudConnectorId}/usage: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}/usage
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of package policies that are using a given cloud connector.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. - operationId: get-fleet-cloud-connectors-cloudconnectorid-usage - parameters: - - description: The unique identifier of the cloud connector. - in: path - name: cloudConnectorId - required: true - schema: - type: string - - description: The page number for pagination. - in: query - name: page - required: false - schema: - minimum: 1 - type: number - - description: The number of items per page. - in: query - name: perPage - required: false - schema: - minimum: 1 - type: number - responses: - '200': - content: - application/json: - examples: - getCloudConnectorUsageResponseExample: - description: Example response showing package policies using the cloud connector - value: - items: - - created_at: '2025-01-16T09:00:00.000Z' - id: package-policy-1 - name: CSPM AWS Policy - package: - name: cloud_security_posture - title: Cloud Security Posture Management - version: 3.1.1 - policy_ids: - - policy-id-123 - - policy-id-456 - updated_at: '2025-01-16T09:00:00.000Z' - page: 1 - perPage: 20 - total: 2 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - created_at: - type: string - id: - type: string - name: - type: string - package: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version: - type: string - required: - - name - - title - - version - policy_ids: - items: - type: string - maxItems: 10000 - type: array - updated_at: - type: string - required: - - id - - name - - policy_ids - - created_at - - updated_at - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: 'OK: A successful request.' 
- '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: Cloud connector not found - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Get cloud connector usage (package policies using the connector) - tags: - - Fleet cloud connectors - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/data_streams: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/data_streams
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all Fleet-managed data streams with metadata including package, namespace, size, and last activity.

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. - operationId: get-fleet-data-streams - parameters: [] - responses: - '200': - content: - application/json: - examples: - getDataStreamsExample: - description: List of Fleet-managed data streams - value: - data_streams: - - dashboards: - - id: nginx-overview - title: Nginx Overview - dataset: nginx.access - index: logs-nginx.access-default - last_activity_ms: 1700000000000 - namespace: default - package: nginx - package_version: 1.20.0 - serviceDetails: null - size_in_bytes: 1048576 - size_in_bytes_formatted: 1mb - type: logs - - dashboards: [] - dataset: system.cpu - index: metrics-system.cpu-default - last_activity_ms: 1699999000000 - namespace: default - package: system - package_version: 1.38.0 - serviceDetails: null - size_in_bytes: 524288 - size_in_bytes_formatted: 512kb - type: metrics - schema: - additionalProperties: false - type: object - properties: - data_streams: - items: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - title: - type: string - required: - - id - - title - maxItems: 10000 - type: array - dataset: - type: string - index: - type: string - last_activity_ms: - type: number - namespace: - type: string - package: - type: string - package_version: - type: string - serviceDetails: - additionalProperties: false - nullable: true - type: object - properties: - environment: - type: string - serviceName: - type: string - required: - - environment - - serviceName - size_in_bytes: - type: number - size_in_bytes_formatted: - anyOf: - - type: number - - type: string - type: - type: string - required: - - index - - dataset - - namespace - - type - - package - - package_version - - last_activity_ms - - size_in_bytes - - size_in_bytes_formatted - - dashboards - - serviceDetails - maxItems: 10000 - type: array - required: - 
- data_streams - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get data streams - tags: - - Data streams - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/enrollment_api_keys: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/enrollment_api_keys
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup. - operationId: get-fleet-enrollment-api-keys - parameters: - - in: query - name: page - required: false - schema: - default: 1 - type: number - - in: query - name: perPage - required: false - schema: - default: 20 - type: number - - in: query - name: kuery - required: false - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getEnrollmentApiKeysExample: - description: List of enrollment API keys - value: - items: - - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: Default policy enrollment key - policy_id: policy-id-1 - list: - - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: Default policy enrollment key - policy_id: policy-id-1 - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - active: - description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. - type: boolean - api_key: - description: The enrollment API key (token) used for enrolling Elastic Agents. - type: string - api_key_id: - description: The ID of the API key in the Security API. - type: string - created_at: - type: string - hidden: - type: boolean - id: - type: string - name: - description: The name of the enrollment API key. - type: string - policy_id: - description: The ID of the agent policy the Elastic Agent will be enrolled in. 
- type: string - required: - - id - - api_key_id - - api_key - - active - - created_at - maxItems: 10000 - type: array - list: - deprecated: true - items: - additionalProperties: false - type: object - properties: - active: - description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. - type: boolean - api_key: - description: The enrollment API key (token) used for enrolling Elastic Agents. - type: string - api_key_id: - description: The ID of the API key in the Security API. - type: string - created_at: - type: string - hidden: - type: boolean - id: - type: string - name: - description: The name of the enrollment API key. - type: string - policy_id: - description: The ID of the agent policy the Elastic Agent will be enrolled in. - type: string - required: - - id - - api_key_id - - api_key - - active - - created_at - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - - list - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get enrollment API keys - tags: - - Fleet enrollment API keys - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/enrollment_api_keys
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create an enrollment API key for a given agent policy.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-enrollment-api-keys - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postEnrollmentApiKeyRequestExample: - description: Create an enrollment API key for an agent policy - value: - expiration: '2025-01-01T00:00:00.000Z' - name: My enrollment key - policy_id: policy-id-1 - schema: - additionalProperties: false - type: object - properties: - expiration: - type: string - name: - type: string - policy_id: - type: string - required: - - policy_id - responses: - '200': - content: - application/json: - examples: - postEnrollmentApiKeyExample: - description: The created enrollment API key - value: - action: created - item: - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: My enrollment key - policy_id: policy-id-1 - schema: - additionalProperties: false - type: object - properties: - action: - enum: - - created - type: string - item: - additionalProperties: false - type: object - properties: - active: - description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. - type: boolean - api_key: - description: The enrollment API key (token) used for enrolling Elastic Agents. - type: string - api_key_id: - description: The ID of the API key in the Security API. - type: string - created_at: - type: string - hidden: - type: boolean - id: - type: string - name: - description: The name of the enrollment API key. - type: string - policy_id: - description: The ID of the agent policy the Elastic Agent will be enrolled in. 
- type: string - required: - - id - - api_key_id - - api_key - - active - - created_at - required: - - item - - action - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create an enrollment API key - tags: - - Fleet enrollment API keys - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/enrollment_api_keys/{keyId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Revoke an enrollment API key by ID by marking it as inactive.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: delete-fleet-enrollment-api-keys-keyid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: keyId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - deleteEnrollmentApiKeyExample: - description: The enrollment API key was successfully revoked - value: - action: deleted - schema: - additionalProperties: false - type: object - properties: - action: - enum: - - deleted - type: string - required: - - action - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No enrollment API key was found with the given ID - value: - error: Not Found - message: EnrollmentAPIKey key-id-1 not found - statusCode: 404 - description: Not Found - summary: Revoke an enrollment API key - tags: - - Fleet enrollment API keys - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get an enrollment API key by ID.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup. - operationId: get-fleet-enrollment-api-keys-keyid - parameters: - - in: path - name: keyId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getEnrollmentApiKeyExample: - description: An enrollment API key - value: - item: - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: Default policy enrollment key - policy_id: policy-id-1 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - active: - description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. - type: boolean - api_key: - description: The enrollment API key (token) used for enrolling Elastic Agents. - type: string - api_key_id: - description: The ID of the API key in the Security API. - type: string - created_at: - type: string - hidden: - type: boolean - id: - type: string - name: - description: The name of the enrollment API key. - type: string - policy_id: - description: The ID of the agent policy the Elastic Agent will be enrolled in. 
- type: string - required: - - id - - api_key_id - - api_key - - active - - created_at - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No enrollment API key was found with the given ID - value: - error: Not Found - message: EnrollmentAPIKey key-id-1 not found - statusCode: 404 - description: Not Found - summary: Get an enrollment API key - tags: - - Fleet enrollment API keys - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/bulk_assets: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/bulk_assets
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve multiple Kibana saved object assets by their IDs and types.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: post-fleet-epm-bulk-assets - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkGetAssetsRequestExample: - description: Retrieve multiple assets by their IDs and types - value: - assetIds: - - id: dashboard-id-1 - type: dashboard - - id: index-pattern-id-1 - type: index_pattern - schema: - additionalProperties: false - type: object - properties: - assetIds: - items: - additionalProperties: false - type: object - properties: - id: - type: string - type: - type: string - required: - - id - - type - maxItems: 10000 - type: array - required: - - assetIds - responses: - '200': - content: - application/json: - examples: - postBulkGetAssetsExample: - description: Requested assets - value: - items: - - appLink: /app/dashboards#/view/dashboard-id-1 - attributes: - title: My Dashboard - id: dashboard-id-1 - type: dashboard - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - appLink: - type: string - attributes: - additionalProperties: false - type: object - properties: - description: - type: string - service: - type: string - title: - type: string - id: - type: string - type: - type: string - updatedAt: - type: string - required: - - id - - type - - attributes - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - 
attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk get assets - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/categories: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/categories
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of integration categories.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-categories - parameters: - - in: query - name: prerelease - required: false - schema: - type: boolean - - in: query - name: include_policy_templates - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - getCategoriesExample: - description: List of integration categories - value: - items: - - count: 42 - id: security - title: Security - - count: 38 - id: observability - title: Observability - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - count: - type: number - id: - type: string - parent_id: - type: string - parent_title: - type: string - title: - type: string - required: - - id - - title - - count - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get package categories - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/custom_integrations: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/custom_integrations
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new custom integration package with user-defined data streams.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-custom-integrations - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postCreateCustomIntegrationRequestExample: - description: Create a new custom integration - value: - datasets: - - name: my_custom_logs.access - type: logs - integrationName: my_custom_logs - schema: - additionalProperties: false - type: object - properties: - datasets: - items: - additionalProperties: false - type: object - properties: - name: - type: string - type: - enum: - - logs - - metrics - - traces - - synthetics - - profiling - type: string - required: - - name - - type - maxItems: 10 - type: array - force: - type: boolean - integrationName: - type: string - required: - - integrationName - - datasets - responses: - '200': - content: - application/json: - examples: - postCreateCustomIntegrationExample: - description: Custom integration successfully created - value: - _meta: - install_source: custom - items: - - id: my_custom_logs-logs-my_custom_logs.access - type: index_template - schema: - additionalProperties: false - type: object - properties: - _meta: - additionalProperties: false - type: object - properties: - install_source: - type: string - name: - type: string - required: - - install_source - - name - items: - items: - anyOf: - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - 
properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - required: - - items - - _meta - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create a custom integration - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/custom_integrations/{pkgName}: - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/epm/custom_integrations/{pkgName}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update the datasets of an existing custom integration package.

[Required authorization] Route required privileges: fleet-settings-all AND integrations-all. - operationId: put-fleet-epm-custom-integrations-pkgname - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: pkgName - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putUpdateCustomIntegrationRequestExample: - description: Update a custom integration - value: - datasets: - - name: my_custom_logs.access - type: logs - integrationName: my_custom_logs - schema: - additionalProperties: false - type: object - properties: - categories: - items: - type: string - maxItems: 10 - type: array - readMeData: - type: string - required: - - readMeData - responses: - '200': - content: - application/json: - examples: - putUpdateCustomIntegrationExample: - description: Custom integration successfully updated - value: {} - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Update a custom integration - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/data_streams: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/data_streams
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of data streams created by installed integration packages.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-data-streams - parameters: - - in: query - name: type - required: false - schema: - enum: - - logs - - metrics - - traces - - synthetics - - profiling - type: string - - in: query - name: datasetQuery - required: false - schema: - type: string - - in: query - name: sortOrder - required: false - schema: - default: asc - enum: - - asc - - desc - type: string - - in: query - name: uncategorisedOnly - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - getDataStreamsExample: - description: List of data streams from installed packages - value: - data_streams: - - ilm_policy: logs-default - index_template: logs-system.syslog - name: logs-system.syslog-default - package: system - package_version: 1.55.0 - title: System syslog logs - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - name: - type: string - required: - - name - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get data streams - tags: - - Data streams - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/packages: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/packages
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of integration packages available in the registry.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages - parameters: - - in: query - name: category - required: false - schema: - type: string - - in: query - name: prerelease - required: false - schema: - type: boolean - - in: query - name: excludeInstallStatus - required: false - schema: - type: boolean - - in: query - name: withPackagePoliciesCount - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - getPackagesExample: - description: List of available integration packages - value: - items: - - categories: - - cloud - description: Collect logs and metrics from Amazon Web Services - id: aws - name: aws - status: not_installed - title: AWS - version: 2.10.0 - searchExcluded: 0 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: true - type: object - properties: - categories: - items: - type: string - maxItems: 100 - type: array - conditions: - additionalProperties: true - type: object - properties: - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - elastic: - additionalProperties: true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true - type: object - properties: - version: - type: string - data_streams: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - description: - type: string - discovery: - 
additionalProperties: true - type: object - properties: - datasets: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - fields: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - download: - type: string - format_version: - type: string - icons: - items: - additionalProperties: true - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - id: - type: string - installationInfo: - additionalProperties: true - type: object - properties: - additional_spaces_installed_kibana: - additionalProperties: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 100 - type: array - type: object - created_at: - type: string - experimental_data_stream_features: - items: - additionalProperties: true - type: object - properties: - data_stream: - type: string - features: - additionalProperties: true - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - install_format_schema_version: - type: string - install_source: - enum: - - registry - - upload - - bundled - - custom - type: string - install_status: - enum: - - installed - - installing - - install_failed - type: string - installed_es: 
- items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana_space_id: - type: string - is_rollback_ttl_expired: - type: boolean - latest_executed_state: - additionalProperties: true - type: object - properties: - error: - type: string - name: - type: string - started_at: - type: string - latest_install_failed_attempts: - items: - additionalProperties: true - type: object - properties: - created_at: - type: string - error: - additionalProperties: true - type: object - properties: - message: - type: string - name: - type: string - stack: - type: string - required: - - name - - message - target_version: - type: string - required: - - created_at - - target_version - - error - maxItems: 10 - type: array - name: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - previous_version: - nullable: true - type: string - rolled_back: - type: boolean - type: - type: string - updated_at: - type: string - verification_key_id: - nullable: true - type: string - verification_status: - enum: - - unverified - - verified - - unknown - type: string - version: - type: string - required: - - type - - installed_kibana - - installed_es - - 
name - - version - - install_status - - install_source - - verification_status - integration: - type: string - internal: - type: boolean - latestVersion: - type: string - name: - type: string - owner: - additionalProperties: true - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - path: - type: string - policy_templates: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - readme: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - signature_path: - type: string - source: - additionalProperties: true - type: object - properties: - license: - type: string - required: - - license - status: - type: string - title: - type: string - type: - anyOf: - - enum: - - integration - type: string - - enum: - - input - type: string - - enum: - - content - type: string - - type: string - var_groups: - items: - additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - options: - items: - additionalProperties: true - type: object - properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - default - - agentless - type: string - maxItems: 2 - type: array - name: - type: string - title: - type: string - vars: - items: - type: string - maxItems: 100 - type: array - required: - - name - - title - - vars - maxItems: 100 - type: array - selector_title: - type: string - title: - type: string - required: - - name - - title - - selector_title - - options - maxItems: 100 - type: array - vars: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - version: - type: string - required: - - name - - version - - title - - id - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a 
generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get packages - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/packages
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Install a package by uploading a .zip or .tar.gz archive (max 100MB). Only available to superusers.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: query - name: ignoreMappingUpdateErrors - required: false - schema: - default: false - type: boolean - - in: query - name: skipDataStreamRollover - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/gzip: - examples: - postInstallByUploadRequestExample: - description: Upload a .zip or .tar.gz package archive (max 100MB) - value: - application/gzip; application/zip: - schema: - format: binary - type: string - responses: - '200': - content: - application/gzip; application/zip: - schema: - additionalProperties: false - type: object - properties: - _meta: - additionalProperties: false - type: object - properties: - install_source: - type: string - name: - type: string - required: - - install_source - - name - items: - items: - anyOf: - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - required: - - items - - _meta - application/json: - examples: - 
postInstallByUploadExample: - description: Package successfully installed from upload - value: - _meta: - install_source: upload - items: - - id: my-custom-package-logs-default - type: index_template - description: Successful response - '400': - content: - application/gzip; application/zip: - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - description: Bad Request - summary: Install a package by upload - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/packages/_bulk: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/packages/_bulk
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Install multiple packages from the Elastic Package Registry in a single request.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: query - name: prerelease - required: false - schema: - type: boolean - requestBody: - content: - application/json: - examples: - postBulkInstallPackagesRequestExample: - description: Install multiple packages from the registry - value: - packages: - - system - - aws - schema: - additionalProperties: false - type: object - properties: - force: - default: false - type: boolean - packages: - items: - anyOf: - - type: string - - additionalProperties: false - type: object - properties: - name: - type: string - prerelease: - type: boolean - version: - type: string - required: - - name - - version - maxItems: 1000 - minItems: 1 - type: array - required: - - packages - responses: - '200': - content: - application/json: - examples: - postBulkInstallPackagesExample: - description: Bulk install results - value: - items: - - name: system - result: - assets: [] - status: installed - - name: aws - result: - assets: [] - status: installed - schema: - additionalProperties: false - type: object - properties: - items: - items: - anyOf: - - additionalProperties: false - type: object - properties: - name: - type: string - result: - additionalProperties: false - type: object - properties: - assets: - items: - anyOf: - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - 
properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - error: - nullable: true - installSource: - type: string - installType: - type: string - status: - enum: - - installed - - already_installed - type: string - required: - - error - - installType - version: - type: string - required: - - name - - version - - result - - additionalProperties: false - type: object - properties: - error: - anyOf: - - type: string - - nullable: true - name: - type: string - statusCode: - type: number - required: - - name - - statusCode - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk install packages - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/packages/_bulk_rollback: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/packages/_bulk_rollback
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Rollback multiple packages to their previous versions.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-rollback - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - bulkRollbackRequest: - value: - packages: - - name: system - schema: - additionalProperties: false - type: object - properties: - packages: - items: - additionalProperties: false - type: object - properties: - name: - description: Package name to rollback - type: string - required: - - name - maxItems: 1000 - minItems: 1 - type: array - required: - - packages - responses: - '200': - content: - application/json: - examples: - successResponse: - value: - taskId: taskId - schema: - additionalProperties: false - type: object - properties: - taskId: - type: string - required: - - taskId - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - badRequestResponse: - value: - message: Bad Request - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Bulk rollback packages - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/packages/_bulk_rollback/{taskId}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/packages/_bulk_rollback/{taskId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the status and results of a bulk package rollback operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: get-fleet-epm-packages-bulk-rollback-taskid - parameters: - - description: Task ID of the bulk operation - in: path - name: taskId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - successResponse: - value: - status: success - schema: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - results: - items: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - name: - type: string - success: - type: boolean - required: - - name - - success - maxItems: 10000 - type: array - status: - type: string - required: - - status - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - badRequestResponse: - value: - message: Bad Request - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Get Bulk rollback packages details - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/packages/_bulk_uninstall: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Uninstall multiple packages in a single operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-uninstall - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkUninstallPackagesRequestExample: - description: Uninstall multiple packages - value: - packages: - - name: aws - - name: gcp - schema: - additionalProperties: false - type: object - properties: - force: - default: false - type: boolean - packages: - items: - additionalProperties: false - type: object - properties: - name: - type: string - version: - type: string - required: - - name - - version - maxItems: 1000 - minItems: 1 - type: array - required: - - packages - responses: - '200': - content: - application/json: - examples: - postBulkUninstallPackagesExample: - description: Bulk uninstall task initiated - value: - taskId: task-id-1 - schema: - additionalProperties: false - type: object - properties: - taskId: - type: string - required: - - taskId - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk uninstall packages - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/packages/_bulk_uninstall/{taskId}: - get: - description: |- - **Spaces method and path for this 
operation:** - -
get /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall/{taskId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the status and results of a bulk package uninstall operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: get-fleet-epm-packages-bulk-uninstall-taskid - parameters: - - description: Task ID of the bulk operation - in: path - name: taskId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getBulkOperationDetailsExample: - description: Details of the bulk operation task - value: - packages: - - name: system - result: installed - - name: elastic_agent - result: installed - status: success - schema: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - results: - items: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - name: - type: string - success: - type: boolean - required: - - name - - success - maxItems: 10000 - type: array - status: - type: string - required: - - status - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get Bulk uninstall packages details - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/packages/_bulk_upgrade: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Upgrade multiple packages to their latest versions.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-upgrade - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkUpgradePackagesRequestExample: - description: Upgrade multiple packages to their latest versions - value: - packages: - - name: system - - name: elastic_agent - schema: - additionalProperties: false - type: object - properties: - force: - default: false - type: boolean - packages: - items: - additionalProperties: false - type: object - properties: - name: - type: string - version: - type: string - required: - - name - maxItems: 1000 - minItems: 1 - type: array - prerelease: - type: boolean - upgrade_package_policies: - default: false - type: boolean - required: - - packages - responses: - '200': - content: - application/json: - examples: - postBulkUpgradePackagesExample: - description: Bulk upgrade task initiated - value: - taskId: task-id-1 - schema: - additionalProperties: false - type: object - properties: - taskId: - type: string - required: - - taskId - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk upgrade packages - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - 
/api/fleet/epm/packages/_bulk_upgrade/{taskId}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade/{taskId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the status and results of a bulk package upgrade operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: get-fleet-epm-packages-bulk-upgrade-taskid - parameters: - - description: Task ID of the bulk operation - in: path - name: taskId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getBulkOperationDetailsExample: - description: Details of the bulk operation task - value: - packages: - - name: system - result: installed - - name: elastic_agent - result: installed - status: success - schema: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - results: - items: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - name: - type: string - success: - type: boolean - required: - - name - - success - maxItems: 10000 - type: array - status: - type: string - required: - - status - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get Bulk upgrade packages details - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/packages/{pkgName}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Uninstall a package and remove all its assets.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: pkgName - required: true - schema: - type: string - - in: query - name: force - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - deletePackageExample: - description: Package successfully deleted - value: - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template - schema: - additionalProperties: false - type: object - properties: - items: - items: - anyOf: - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - 
nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete a package - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/packages/{pkgName}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get information about a package by name, returning the latest installed or available version. - operationId: get-fleet-epm-packages-pkgname - parameters: - - in: path - name: pkgName - required: true - schema: - type: string - - in: query - name: ignoreUnverified - required: false - schema: - type: boolean - - in: query - name: prerelease - required: false - schema: - type: boolean - - in: query - name: full - required: false - schema: - type: boolean - - in: query - name: withMetadata - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - getPackageInfoExample: - description: Package details and installation status - value: - item: - assets: - kibana: - dashboard: [] - index_pattern: [] - categories: - - cloud - description: Collect logs and metrics from Amazon Web Services - name: aws - status: installed - title: AWS - version: 2.10.0 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: true - type: object - properties: - agent: - additionalProperties: false - type: object - properties: - privileges: - additionalProperties: false - type: object - properties: - root: - type: boolean - asset_tags: - items: - additionalProperties: false - type: object - properties: - asset_ids: - items: - type: string - maxItems: 1000 - type: array - asset_types: - items: - type: string - maxItems: 100 - type: array - text: - type: string - required: - - text - maxItems: 1000 - type: array - assets: - additionalProperties: - nullable: true - type: object - categories: - items: - type: string - maxItems: 100 - type: array - conditions: - additionalProperties: true - type: object - properties: - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - 
since: - type: string - required: - - description - elastic: - additionalProperties: true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true - type: object - properties: - version: - type: string - data_streams: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - description: - type: string - discovery: - additionalProperties: true - type: object - properties: - datasets: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - fields: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - download: - type: string - elasticsearch: - additionalProperties: - nullable: true - type: object - format_version: - type: string - icons: - items: - additionalProperties: true - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - installationInfo: - additionalProperties: true - type: object - properties: - additional_spaces_installed_kibana: - additionalProperties: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - 
- id - - type - maxItems: 100 - type: array - type: object - created_at: - type: string - experimental_data_stream_features: - items: - additionalProperties: true - type: object - properties: - data_stream: - type: string - features: - additionalProperties: true - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - install_format_schema_version: - type: string - install_source: - enum: - - registry - - upload - - bundled - - custom - type: string - install_status: - enum: - - installed - - installing - - install_failed - type: string - installed_es: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana_space_id: - type: string - is_rollback_ttl_expired: - type: boolean - latest_executed_state: - additionalProperties: true - type: object - properties: - error: - type: string - name: - type: string - started_at: - type: string - latest_install_failed_attempts: - items: - additionalProperties: true - type: object - properties: - created_at: - type: string - 
error: - additionalProperties: true - type: object - properties: - message: - type: string - name: - type: string - stack: - type: string - required: - - name - - message - target_version: - type: string - required: - - created_at - - target_version - - error - maxItems: 10 - type: array - name: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - previous_version: - nullable: true - type: string - rolled_back: - type: boolean - type: - type: string - updated_at: - type: string - verification_key_id: - nullable: true - type: string - verification_status: - enum: - - unverified - - verified - - unknown - type: string - version: - type: string - required: - - type - - installed_kibana - - installed_es - - name - - version - - install_status - - install_source - - verification_status - internal: - type: boolean - keepPoliciesUpToDate: - type: boolean - latestVersion: - type: string - license: - type: string - licensePath: - type: string - name: - type: string - notice: - type: string - owner: - additionalProperties: true - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - path: - type: string - policy_templates: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - readme: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - screenshots: - items: - additionalProperties: false - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - signature_path: - type: string - source: - additionalProperties: true - type: object - properties: - license: - type: string - required: - - license - status: - type: string - title: - type: string - type: - anyOf: - - enum: - - integration - type: string - - enum: - - input - type: string - - enum: 
- - content - type: string - - type: string - var_groups: - items: - additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - options: - items: - additionalProperties: true - type: object - properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - default - - agentless - type: string - maxItems: 2 - type: array - name: - type: string - title: - type: string - vars: - items: - type: string - maxItems: 100 - type: array - required: - - name - - title - - vars - maxItems: 100 - type: array - selector_title: - type: string - title: - type: string - required: - - name - - title - - selector_title - - options - maxItems: 100 - type: array - vars: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - version: - type: string - required: - - name - - version - - title - - assets - metadata: - additionalProperties: false - type: object - properties: - has_policies: - type: boolean - required: - - has_policies - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a package - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Install the latest version of a package from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: pkgName - required: true - schema: - type: string - - in: query - name: prerelease - required: false - schema: - type: boolean - - in: query - name: ignoreMappingUpdateErrors - required: false - schema: - default: false - type: boolean - - in: query - name: skipDataStreamRollover - required: false - schema: - default: false - type: boolean - - description: Skip dependency validation when installing a package with dependencies - in: query - name: skipDependencyCheck - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - examples: - postInstallPackageRequestExample: - description: Install a package, optionally ignoring constraints - value: - ignore_constraints: false - schema: - additionalProperties: false - nullable: true - type: object - properties: - force: - default: false - type: boolean - ignore_constraints: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - postInstallPackageExample: - description: Package successfully installed - value: - _meta: - install_source: registry - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template - schema: - additionalProperties: false - type: object - properties: - _meta: - additionalProperties: false - type: object - properties: - install_source: - type: string - name: - type: string - required: - - install_source - - name - items: - items: - anyOf: - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - 
index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - required: - - items - - _meta - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Install a package from the registry - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/epm/packages/{pkgName}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update settings for a package, such as whether policies are kept up to date automatically.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: put-fleet-epm-packages-pkgname - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: pkgName - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putUpdatePackageRequestExample: - description: Update keep_policies_up_to_date setting for a package - value: - keepPoliciesUpToDate: true - schema: - additionalProperties: false - type: object - properties: - keepPoliciesUpToDate: - type: boolean - required: - - keepPoliciesUpToDate - responses: - '200': - content: - application/json: - examples: - putUpdatePackageExample: - description: Updated package settings - value: - item: - keepPoliciesUpToDate: true - name: aws - version: 2.10.0 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: true - type: object - properties: - agent: - additionalProperties: false - type: object - properties: - privileges: - additionalProperties: false - type: object - properties: - root: - type: boolean - asset_tags: - items: - additionalProperties: false - type: object - properties: - asset_ids: - items: - type: string - maxItems: 1000 - type: array - asset_types: - items: - type: string - maxItems: 100 - type: array - text: - type: string - required: - - text - maxItems: 1000 - type: array - assets: - additionalProperties: - nullable: true - type: object - categories: - items: - type: string - maxItems: 100 - type: array - conditions: - additionalProperties: true - type: object - properties: - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - elastic: - additionalProperties: 
true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true - type: object - properties: - version: - type: string - data_streams: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - description: - type: string - discovery: - additionalProperties: true - type: object - properties: - datasets: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - fields: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - download: - type: string - elasticsearch: - additionalProperties: - nullable: true - type: object - format_version: - type: string - icons: - items: - additionalProperties: true - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - installationInfo: - additionalProperties: true - type: object - properties: - additional_spaces_installed_kibana: - additionalProperties: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 100 - type: array - type: object - created_at: - type: 
string - experimental_data_stream_features: - items: - additionalProperties: true - type: object - properties: - data_stream: - type: string - features: - additionalProperties: true - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - install_format_schema_version: - type: string - install_source: - enum: - - registry - - upload - - bundled - - custom - type: string - install_status: - enum: - - installed - - installing - - install_failed - type: string - installed_es: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana_space_id: - type: string - is_rollback_ttl_expired: - type: boolean - latest_executed_state: - additionalProperties: true - type: object - properties: - error: - type: string - name: - type: string - started_at: - type: string - latest_install_failed_attempts: - items: - additionalProperties: true - type: object - properties: - created_at: - type: string - error: - additionalProperties: true - type: object - properties: - message: - 
type: string - name: - type: string - stack: - type: string - required: - - name - - message - target_version: - type: string - required: - - created_at - - target_version - - error - maxItems: 10 - type: array - name: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - previous_version: - nullable: true - type: string - rolled_back: - type: boolean - type: - type: string - updated_at: - type: string - verification_key_id: - nullable: true - type: string - verification_status: - enum: - - unverified - - verified - - unknown - type: string - version: - type: string - required: - - type - - installed_kibana - - installed_es - - name - - version - - install_status - - install_source - - verification_status - internal: - type: boolean - keepPoliciesUpToDate: - type: boolean - latestVersion: - type: string - license: - type: string - licensePath: - type: string - name: - type: string - notice: - type: string - owner: - additionalProperties: true - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - path: - type: string - policy_templates: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - readme: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - screenshots: - items: - additionalProperties: false - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - signature_path: - type: string - source: - additionalProperties: true - type: object - properties: - license: - type: string - required: - - license - status: - type: string - title: - type: string - type: - anyOf: - - enum: - - integration - type: string - - enum: - - input - type: string - - enum: - - content - type: string - - type: string - var_groups: - items: - 
additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - options: - items: - additionalProperties: true - type: object - properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - default - - agentless - type: string - maxItems: 2 - type: array - name: - type: string - title: - type: string - vars: - items: - type: string - maxItems: 100 - type: array - required: - - name - - title - - vars - maxItems: 100 - type: array - selector_title: - type: string - title: - type: string - required: - - name - - title - - selector_title - - options - maxItems: 100 - type: array - vars: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - version: - type: string - required: - - name - - version - - title - - assets - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Update package settings - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Uninstall a specific version of a package and remove all its assets.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname-pkgversion - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - in: query - name: force - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - deletePackageExample: - description: Package successfully deleted - value: - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template - schema: - additionalProperties: false - type: object - properties: - items: - items: - anyOf: - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - 
additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete a package - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get information about a specific version of a package. - operationId: get-fleet-epm-packages-pkgname-pkgversion - parameters: - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - in: query - name: ignoreUnverified - required: false - schema: - type: boolean - - in: query - name: prerelease - required: false - schema: - type: boolean - - in: query - name: full - required: false - schema: - type: boolean - - in: query - name: withMetadata - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - getPackageInfoExample: - description: Package details and installation status - value: - item: - assets: - kibana: - dashboard: [] - index_pattern: [] - categories: - - cloud - description: Collect logs and metrics from Amazon Web Services - name: aws - status: installed - title: AWS - version: 2.10.0 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: true - type: object - properties: - agent: - additionalProperties: false - type: object - properties: - privileges: - additionalProperties: false - type: object - properties: - root: - type: boolean - asset_tags: - items: - additionalProperties: false - type: object - properties: - asset_ids: - items: - type: string - maxItems: 1000 - type: array - asset_types: - items: - type: string - maxItems: 100 - type: array - text: - type: string - required: - - text - maxItems: 1000 - type: array - assets: - additionalProperties: - nullable: true - type: object - categories: - items: - type: string - maxItems: 100 - type: array - conditions: - additionalProperties: true - type: object - properties: - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - 
additionalProperties: - type: string - type: object - since: - type: string - required: - - description - elastic: - additionalProperties: true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true - type: object - properties: - version: - type: string - data_streams: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - description: - type: string - discovery: - additionalProperties: true - type: object - properties: - datasets: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - fields: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - download: - type: string - elasticsearch: - additionalProperties: - nullable: true - type: object - format_version: - type: string - icons: - items: - additionalProperties: true - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - installationInfo: - additionalProperties: true - type: object - properties: - additional_spaces_installed_kibana: - additionalProperties: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query 
- - tag - type: string - - type: string - required: - - id - - type - maxItems: 100 - type: array - type: object - created_at: - type: string - experimental_data_stream_features: - items: - additionalProperties: true - type: object - properties: - data_stream: - type: string - features: - additionalProperties: true - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - install_format_schema_version: - type: string - install_source: - enum: - - registry - - upload - - bundled - - custom - type: string - install_status: - enum: - - installed - - installing - - install_failed - type: string - installed_es: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana_space_id: - type: string - is_rollback_ttl_expired: - type: boolean - latest_executed_state: - additionalProperties: true - type: object - properties: - error: - type: string - name: - type: string - started_at: - type: string - latest_install_failed_attempts: - items: - additionalProperties: true - 
type: object - properties: - created_at: - type: string - error: - additionalProperties: true - type: object - properties: - message: - type: string - name: - type: string - stack: - type: string - required: - - name - - message - target_version: - type: string - required: - - created_at - - target_version - - error - maxItems: 10 - type: array - name: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - previous_version: - nullable: true - type: string - rolled_back: - type: boolean - type: - type: string - updated_at: - type: string - verification_key_id: - nullable: true - type: string - verification_status: - enum: - - unverified - - verified - - unknown - type: string - version: - type: string - required: - - type - - installed_kibana - - installed_es - - name - - version - - install_status - - install_source - - verification_status - internal: - type: boolean - keepPoliciesUpToDate: - type: boolean - latestVersion: - type: string - license: - type: string - licensePath: - type: string - name: - type: string - notice: - type: string - owner: - additionalProperties: true - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - path: - type: string - policy_templates: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - readme: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - screenshots: - items: - additionalProperties: false - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - signature_path: - type: string - source: - additionalProperties: true - type: object - properties: - license: - type: string - required: - - license - status: - type: string - title: - type: string - type: - anyOf: - - enum: - - integration - 
type: string - - enum: - - input - type: string - - enum: - - content - type: string - - type: string - var_groups: - items: - additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - options: - items: - additionalProperties: true - type: object - properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - default - - agentless - type: string - maxItems: 2 - type: array - name: - type: string - title: - type: string - vars: - items: - type: string - maxItems: 100 - type: array - required: - - name - - title - - vars - maxItems: 100 - type: array - selector_title: - type: string - title: - type: string - required: - - name - - title - - selector_title - - options - maxItems: 100 - type: array - vars: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - version: - type: string - required: - - name - - version - - title - - assets - metadata: - additionalProperties: false - type: object - properties: - has_policies: - type: boolean - required: - - has_policies - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a package - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Install a specific version of a package from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-pkgversion - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - in: query - name: prerelease - required: false - schema: - type: boolean - - in: query - name: ignoreMappingUpdateErrors - required: false - schema: - default: false - type: boolean - - in: query - name: skipDataStreamRollover - required: false - schema: - default: false - type: boolean - - description: Skip dependency validation when installing a package with dependencies - in: query - name: skipDependencyCheck - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - examples: - postInstallPackageRequestExample: - description: Install a package, optionally ignoring constraints - value: - ignore_constraints: false - schema: - additionalProperties: false - nullable: true - type: object - properties: - force: - default: false - type: boolean - ignore_constraints: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - postInstallPackageExample: - description: Package successfully installed - value: - _meta: - install_source: registry - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template - schema: - additionalProperties: false - type: object - properties: - _meta: - additionalProperties: false - type: object - properties: - install_source: - type: string - name: - type: string - required: - - install_source - - name - items: - items: - anyOf: - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - 
type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - required: - - items - - _meta - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Install a package from the registry - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update settings for a specific version of a package.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: put-fleet-epm-packages-pkgname-pkgversion - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putUpdatePackageRequestExample: - description: Update keep_policies_up_to_date setting for a package - value: - keepPoliciesUpToDate: true - schema: - additionalProperties: false - type: object - properties: - keepPoliciesUpToDate: - type: boolean - required: - - keepPoliciesUpToDate - responses: - '200': - content: - application/json: - examples: - putUpdatePackageExample: - description: Updated package settings - value: - item: - keepPoliciesUpToDate: true - name: aws - version: 2.10.0 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: true - type: object - properties: - agent: - additionalProperties: false - type: object - properties: - privileges: - additionalProperties: false - type: object - properties: - root: - type: boolean - asset_tags: - items: - additionalProperties: false - type: object - properties: - asset_ids: - items: - type: string - maxItems: 1000 - type: array - asset_types: - items: - type: string - maxItems: 100 - type: array - text: - type: string - required: - - text - maxItems: 1000 - type: array - assets: - additionalProperties: - nullable: true - type: object - categories: - items: - type: string - maxItems: 100 - type: array - conditions: - additionalProperties: true - type: object - properties: - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - 
since: - type: string - required: - - description - elastic: - additionalProperties: true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true - type: object - properties: - version: - type: string - data_streams: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - description: - type: string - discovery: - additionalProperties: true - type: object - properties: - datasets: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - fields: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - download: - type: string - elasticsearch: - additionalProperties: - nullable: true - type: object - format_version: - type: string - icons: - items: - additionalProperties: true - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - installationInfo: - additionalProperties: true - type: object - properties: - additional_spaces_installed_kibana: - additionalProperties: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - 
- id - - type - maxItems: 100 - type: array - type: object - created_at: - type: string - experimental_data_stream_features: - items: - additionalProperties: true - type: object - properties: - data_stream: - type: string - features: - additionalProperties: true - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - install_format_schema_version: - type: string - install_source: - enum: - - registry - - upload - - bundled - - custom - type: string - install_status: - enum: - - installed - - installing - - install_failed - type: string - installed_es: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana_space_id: - type: string - is_rollback_ttl_expired: - type: boolean - latest_executed_state: - additionalProperties: true - type: object - properties: - error: - type: string - name: - type: string - started_at: - type: string - latest_install_failed_attempts: - items: - additionalProperties: true - type: object - properties: - created_at: - type: string - 
error: - additionalProperties: true - type: object - properties: - message: - type: string - name: - type: string - stack: - type: string - required: - - name - - message - target_version: - type: string - required: - - created_at - - target_version - - error - maxItems: 10 - type: array - name: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - previous_version: - nullable: true - type: string - rolled_back: - type: boolean - type: - type: string - updated_at: - type: string - verification_key_id: - nullable: true - type: string - verification_status: - enum: - - unverified - - verified - - unknown - type: string - version: - type: string - required: - - type - - installed_kibana - - installed_es - - name - - version - - install_status - - install_source - - verification_status - internal: - type: boolean - keepPoliciesUpToDate: - type: boolean - latestVersion: - type: string - license: - type: string - licensePath: - type: string - name: - type: string - notice: - type: string - owner: - additionalProperties: true - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - path: - type: string - policy_templates: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - readme: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - screenshots: - items: - additionalProperties: false - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - signature_path: - type: string - source: - additionalProperties: true - type: object - properties: - license: - type: string - required: - - license - status: - type: string - title: - type: string - type: - anyOf: - - enum: - - integration - type: string - - enum: - - input - type: string - - enum: 
- - content - type: string - - type: string - var_groups: - items: - additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - options: - items: - additionalProperties: true - type: object - properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - default - - agentless - type: string - maxItems: 2 - type: array - name: - type: string - title: - type: string - vars: - items: - type: string - maxItems: 100 - type: array - required: - - name - - title - - vars - maxItems: 100 - type: array - selector_title: - type: string - title: - type: string - required: - - name - - title - - selector_title - - options - maxItems: 100 - type: array - vars: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - version: - type: string - required: - - name - - version - - title - - assets - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Update package settings - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the contents of a specific file from a package.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath - parameters: - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - in: path - name: filePath - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getPackageFileExample: - description: The content of the requested package file - value: - schema: {} - description: Successful response — returns the file content - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a package file - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete datastream assets for a specific input package, by data stream name.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname-pkgversion-datastream-assets - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - in: query - name: packagePolicyId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - deletePackageDatastreamAssetsExample: - description: Package datastream assets successfully deleted - value: - items: - - id: logs-my_package.access-default - type: index_template - schema: - additionalProperties: false - type: object - properties: - success: - type: boolean - required: - - success - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete assets for an input package - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the list of packages that a specific package depends on.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-pkgname-pkgversion-dependencies - parameters: - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - dependenciesResponse: - value: - items: - - name: aws - title: AWS - version: ^2.0.0 - - name: system - title: System - version: ^1.0.0 - noDependenciesResponse: - value: - items: [] - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version: - type: string - required: - - name - - version - - title - maxItems: 1000 - type: array - required: - - items - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - packageNotFoundResponse: - value: - message: '[my-package-1.0.0] package not found in registry' - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Get package dependencies - tags: - - Elastic Package Manager (EPM) - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete Kibana assets (dashboards, visualizations, etc.) for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - deleteKibanaAssetsExample: - description: Kibana assets successfully deleted - value: - items: - - id: dashboard-id-1 - type: dashboard - schema: - additionalProperties: false - type: object - properties: - success: - type: boolean - required: - - success - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete Kibana assets for a package - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Install Kibana assets (dashboards, visualizations, etc.) for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-pkgversion-kibana-assets - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postInstallKibanaAssetsRequestExample: - description: Install Kibana assets for a specific package version - value: {} - schema: - additionalProperties: false - nullable: true - type: object - properties: - force: - type: boolean - space_ids: - description: When provided install assets in the specified spaces instead of the current space. - items: - type: string - maxItems: 100 - minItems: 1 - type: array - responses: - '200': - content: - application/json: - examples: - postInstallKibanaAssetsExample: - description: Kibana assets successfully installed - value: - items: - - id: dashboard-id-1 - type: dashboard - schema: - additionalProperties: false - type: object - properties: - success: - type: boolean - required: - - success - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Install Kibana assets for a package - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud 
Serverless - name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Install Kibana alert rule assets for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-pkgversion-rule-assets - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postInstallRuleAssetsRequestExample: - description: Install alert rule assets for a specific package version - value: {} - schema: - additionalProperties: false - nullable: true - type: object - properties: - force: - type: boolean - responses: - '200': - content: - application/json: - examples: - postInstallRuleAssetsExample: - description: Rule assets successfully installed - value: - items: - - id: rule-asset-id-1 - type: security_rule - schema: - additionalProperties: false - type: object - properties: - success: - type: boolean - required: - - success - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Install Kibana alert rule for a package - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: - post: - description: |- - **Spaces method and path for this 
operation:** - -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Reauthorize Elasticsearch transforms installed by a package with secondary authorization headers. - operationId: post-fleet-epm-packages-pkgname-pkgversion-transforms-authorize - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - in: query - name: prerelease - required: false - schema: - type: boolean - requestBody: - content: - application/json: - examples: - postReauthorizeTransformsRequestExample: - description: Reauthorize transforms for a package - value: - transforms: - - destinations: - - index: logs-transform-dest - transformId: logs-transform-1 - schema: - additionalProperties: false - type: object - properties: - transforms: - items: - additionalProperties: false - type: object - properties: - transformId: - type: string - required: - - transformId - maxItems: 1000 - type: array - required: - - transforms - responses: - '200': - content: - application/json: - examples: - postReauthorizeTransformsExample: - description: Transforms successfully reauthorized - value: - - success: true - transformId: logs-transform-1 - schema: - items: - additionalProperties: false - type: object - properties: - error: - nullable: true - success: - type: boolean - transformId: - type: string - required: - - transformId - - success - - error - maxItems: 10000 - type: array - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - 
type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Authorize transforms - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/packages/{pkgName}/review_upgrade: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/review_upgrade
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Review and accept or reject a pending policy upgrade for a package that contains deprecations.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-review-upgrade - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name to review upgrade for - in: path - name: pkgName - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - acceptUpgrade: - value: - action: accept - target_version: 2.0.0 - schema: - additionalProperties: false - type: object - properties: - action: - enum: - - accept - - decline - - pending - type: string - target_version: - type: string - required: - - action - - target_version - responses: - '200': - content: - application/json: - examples: - successResponse: - value: - success: true - schema: - additionalProperties: false - type: object - properties: - success: - type: boolean - required: - - success - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - badRequestResponse: - value: - message: Bad Request - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Review a pending policy upgrade for a package with deprecations - tags: - - Elastic Package Manager (EPM) - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/packages/{pkgName}/rollback: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/rollback
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Rollback a package to its previously installed version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-rollback - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name to roll back - in: path - name: pkgName - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - successResponse: - value: - success: true - version: 1.0.0 - schema: - additionalProperties: false - type: object - properties: - success: - type: boolean - version: - type: string - required: - - version - - success - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - badRequestResponse: - value: - message: Bad Request - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Rollback a package to previous version - tags: - - Elastic Package Manager (EPM) - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/packages/{pkgName}/stats: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/stats
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get usage statistics for a specific package, such as the number of agent policies using it.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-pkgname-stats - parameters: - - in: path - name: pkgName - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getPackageStatsExample: - description: Usage stats for a specific package - value: - response: - agent_policy_count: 3 - schema: - additionalProperties: false - type: object - properties: - response: - additionalProperties: false - type: object - properties: - agent_policy_count: - type: number - package_policy_count: - type: number - required: - - agent_policy_count - - package_policy_count - required: - - response - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get package stats - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/packages/installed: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/packages/installed
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all currently installed integration packages.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-installed - parameters: - - in: query - name: dataStreamType - required: false - schema: - enum: - - logs - - metrics - - traces - - synthetics - - profiling - type: string - - in: query - name: showOnlyActiveDataStreams - required: false - schema: - type: boolean - - in: query - name: nameQuery - required: false - schema: - type: string - - in: query - name: searchAfter - required: false - schema: - items: - anyOf: - - type: string - - type: number - maxItems: 10 - type: array - - in: query - name: perPage - required: false - schema: - default: 15 - type: number - - in: query - name: sortOrder - required: false - schema: - default: asc - enum: - - asc - - desc - type: string - responses: - '200': - content: - application/json: - examples: - getInstalledPackagesExample: - description: List of installed integration packages - value: - items: - - name: system - status: installed - title: System - version: 1.55.0 - - name: elastic_agent - status: installed - title: Elastic Agent - version: 1.15.0 - searchExcluded: 0 - total: 2 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - dataStreams: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - required: - - name - - title - maxItems: 10000 - type: array - description: - type: string - icons: - items: - additionalProperties: false - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - name: - type: string - status: - type: string - title: - type: string - version: - type: string - required: - - name - - version - - status - - dataStreams - maxItems: 10000 - 
type: array - searchAfter: - items: - anyOf: - - type: string - - type: number - - type: boolean - - nullable: true - nullable: true - maxItems: 2 - type: array - total: - type: number - required: - - items - - total - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get installed packages - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/packages/limited: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/packages/limited
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the list of packages that cannot be uninstalled (e.g. elastic_agent, fleet_server).

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-limited - parameters: [] - responses: - '200': - content: - application/json: - examples: - getLimitedPackagesExample: - description: List of packages that cannot be uninstalled - value: - items: - - elastic_agent - - fleet_server - schema: - additionalProperties: false - type: object - properties: - items: - items: - type: string - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a limited package list - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get an inputs template for a package, used to pre-populate package policy forms.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs - parameters: - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - in: query - name: format - required: false - schema: - default: json - enum: - - json - - yml - - yaml - type: string - - in: query - name: prerelease - required: false - schema: - type: boolean - - in: query - name: ignoreUnverified - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - getInputsTemplateExample: - description: Inputs template for a package - value: - inputs: - - description: Collect logs from log files - title: Collect logs from files - type: logfile - vars: - - name: paths - required: true - title: Paths - type: text - schema: - anyOf: - - type: string - - additionalProperties: false - type: object - properties: - connectors: - additionalProperties: - nullable: true - type: object - exporters: - additionalProperties: - nullable: true - type: object - extensions: - additionalProperties: - nullable: true - type: object - inputs: - items: - additionalProperties: false - type: object - properties: - id: - type: string - streams: - items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true - type: object - properties: - dataset: - type: string - type: - type: string - required: - - dataset - id: - type: string - required: - - id - - data_stream - maxItems: 10000 - type: array - type: - type: string - required: - - id - - type - maxItems: 10000 - type: array - processors: - additionalProperties: - nullable: true - type: object - receivers: - additionalProperties: - nullable: true - type: object - service: - additionalProperties: false - type: object - properties: - extensions: - items: - type: string - maxItems: 1000 - type: 
array - pipelines: - additionalProperties: - additionalProperties: false - type: object - properties: - exporters: - items: - type: string - maxItems: 1000 - type: array - processors: - items: - type: string - maxItems: 1000 - type: array - receivers: - items: - type: string - maxItems: 1000 - type: array - x-oas-optional: true - type: object - required: - - inputs - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get an inputs template - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/verification_key_id: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/verification_key_id
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the GPG key ID used to verify the signatures of packages from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-verification-key-id - parameters: [] - responses: - '200': - content: - application/json: - examples: - getVerificationKeyIdExample: - description: The GPG key ID used to verify package signatures - value: - id: D27D666CD88E42B4 - schema: - additionalProperties: false - type: object - properties: - id: - nullable: true - type: string - required: - - id - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a package signature verification key ID - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/fleet_server_hosts: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/fleet_server_hosts
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all Fleet Server hosts.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-settings-read. - operationId: get-fleet-fleet-server-hosts - parameters: [] - responses: - '200': - content: - application/json: - examples: - getFleetServerHostsExample: - description: List of Fleet Server hosts - value: - items: - - host_urls: - - https://fleet-server.example.com:8220 - id: fleet-server-host-id-1 - is_default: true - is_preconfigured: false - name: Default Fleet Server - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string 
- maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get Fleet Server hosts - tags: - - Fleet Server hosts - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/fleet_server_hosts
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new Fleet Server host.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-fleet-server-hosts - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postFleetServerHostRequestExample: - description: Create a new Fleet Server host - value: - host_urls: - - https://fleet-server.example.com:8220 - is_default: false - name: My Fleet Server - schema: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - 
type: string - key: - type: string - required: - - name - - host_urls - responses: - '200': - content: - application/json: - examples: - postFleetServerHostExample: - description: The created Fleet Server host - value: - item: - host_urls: - - https://fleet-server.example.com:8220 - id: fleet-server-host-id-2 - is_default: false - is_preconfigured: false - name: My Fleet Server - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id - required: - - 
item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create a Fleet Server host - tags: - - Fleet Server hosts - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/fleet_server_hosts/{itemId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: delete-fleet-fleet-server-hosts-itemid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: itemId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - deleteFleetServerHostExample: - description: The Fleet Server host was successfully deleted - value: - id: fleet-server-host-id-1 - schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: Fleet server fleet-server-host-id-1 not found - statusCode: 404 - description: Not Found - summary: Delete a Fleet Server host - tags: - - Fleet Server hosts - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-read. - operationId: get-fleet-fleet-server-hosts-itemid - parameters: - - in: path - name: itemId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getFleetServerHostExample: - description: A Fleet Server host - value: - item: - host_urls: - - https://fleet-server.example.com:8220 - id: fleet-server-host-id-1 - is_default: true - is_preconfigured: false - name: Default Fleet Server - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - 
maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: Fleet server fleet-server-host-id-1 not found - statusCode: 404 - description: Not Found - summary: Get a Fleet Server host - tags: - - Fleet Server hosts - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: put-fleet-fleet-server-hosts-itemid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: itemId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putFleetServerHostRequestExample: - description: Update a Fleet Server host - value: - host_urls: - - https://updated-fleet-server.example.com:8220 - is_default: false - name: Updated Fleet Server - schema: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - is_default: - type: boolean - is_internal: - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: 
string - key: - type: string - required: - - proxy_id - responses: - '200': - content: - application/json: - examples: - putFleetServerHostExample: - description: The updated Fleet Server host - value: - item: - host_urls: - - https://updated-fleet-server.example.com:8220 - id: fleet-server-host-id-1 - is_default: false - is_preconfigured: false - name: Updated Fleet Server - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id - required: - - 
item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: Fleet server fleet-server-host-id-1 not found - statusCode: 404 - description: Not Found - summary: Update a Fleet Server host - tags: - - Fleet Server hosts - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/health_check: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/health_check
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Check the health status of a Fleet Server instance by its host ID. Returns the server status and name if available.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-health-check - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postHealthCheckRequestExample: - description: Check the health of a Fleet Server instance by its host ID - value: - id: fleet-server-host-id-1 - schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - responses: - '200': - content: - application/json: - examples: - postHealthCheckHealthyExample: - description: Fleet Server is online and healthy - value: - name: fleet-server-1 - status: ONLINE - postHealthCheckUnreachableExample: - description: Fleet Server host is not reachable (request timed out or aborted) - value: - host_id: fleet-server-host-id-1 - status: OFFLINE - schema: - additionalProperties: false - type: object - properties: - host_id: - type: string - name: - type: string - status: - type: string - required: - - status - description: Successful health check response - '400': - content: - application/json: - examples: - badRequestExample: - description: The host ID exists but has no associated host URLs configured - value: - error: Bad Request - message: The requested host id fleet-server-host-id-1 does not have associated host urls. 
- statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: The requested host id fleet-server-host-id-1 does not exist. - statusCode: 404 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Not Found - summary: Check Fleet Server health - tags: - - Fleet internals - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/kubernetes: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/kubernetes
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the Kubernetes manifest for deploying Elastic Agent.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. - operationId: get-fleet-kubernetes - parameters: - - in: query - name: download - required: false - schema: - type: boolean - - in: query - name: fleetServer - required: false - schema: - type: string - - in: query - name: enrolToken - required: false - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getK8sManifestExample: - description: The Kubernetes manifest for deploying Elastic Agent - value: - item: 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n' - schema: - additionalProperties: false - type: object - properties: - item: - type: string - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a full K8s agent manifest - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/kubernetes/download: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/kubernetes/download
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Download the Kubernetes manifest for deploying Elastic Agent.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. - operationId: get-fleet-kubernetes-download - parameters: - - in: query - name: download - required: false - schema: - type: boolean - - in: query - name: fleetServer - required: false - schema: - type: string - - in: query - name: enrolToken - required: false - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getDownloadK8sManifestExample: - description: The Kubernetes manifest download - value: 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n' - schema: - type: string - description: Successful response — returns the Kubernetes manifest as a YAML file download - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No manifest was found - value: - error: Not Found - message: Agent manifest not found - statusCode: 404 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Not Found - summary: Download an agent manifest - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/logstash_api_keys: - post: - description: |- - 
**Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/logstash_api_keys
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Generate an API key for Logstash to use with a Fleet output.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-logstash-api-keys - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - responses: - '200': - content: - application/json: - examples: - postLogstashApiKeyExample: - description: The generated Logstash API key - value: - api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA - schema: - additionalProperties: false - type: object - properties: - api_key: - type: string - required: - - api_key - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Generate a Logstash API key - tags: - - Fleet outputs - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/message_signing_service/rotate_key_pair: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/message_signing_service/rotate_key_pair
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Rotate the key pair used by Fleet to sign messages sent to Elastic Agents. This operation is irreversible and requires all agents in the Fleet to be re-enrolled after rotation. You must explicitly acknowledge the risk by passing `acknowledge=true` as a query parameter.

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. - operationId: post-fleet-message-signing-service-rotate-key-pair - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: query - name: acknowledge - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - rotateKeyPairSuccessExample: - description: The key pair was rotated. All agents must be re-enrolled to receive the new signing key. - value: - message: Key pair rotated successfully. - schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Key pair rotated successfully - '400': - content: - application/json: - examples: - acknowledgeRequiredExample: - description: Request was rejected because the acknowledge query parameter was not set to true - value: - error: Bad Request - message: 'Warning: this API will cause a key pair to rotate and should not be necessary in normal operation. If you proceed, you may need to reinstall Agents in your network. You must acknowledge the risks of rotating the key pair with acknowledge=true in the request parameters. For more information, reach out to your administrator.' - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '500': - content: - application/json: - examples: - serviceUnavailableExample: - description: The message signing service is not available - value: - error: Internal Server Error - message: Failed to rotate key pair. Message signing service is unavailable! 
- statusCode: 500 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Internal Server Error - summary: Rotate a Fleet message signing key pair - tags: - - Message Signing Service - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/outputs: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/outputs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all Fleet outputs.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read. - operationId: get-fleet-outputs - parameters: [] - responses: - '200': - content: - application/json: - examples: - getOutputsExample: - description: List of Fleet outputs - value: - items: - - hosts: - - https://elasticsearch.example.com:9200 - id: output-id-1 - is_default: true - is_default_monitoring: true - name: Default output - type: elasticsearch - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get outputs - tags: - - Fleet outputs - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/outputs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new Fleet output.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-outputs - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postOutputRequestExample: - description: Create a new Elasticsearch output - value: - hosts: - - https://elasticsearch.example.com:9200 - is_default: false - is_default_monitoring: false - name: My output - type: elasticsearch - schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_remote_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_kafka' - responses: - '200': - content: - application/json: - examples: - postOutputExample: - description: The created Fleet output - value: - item: - hosts: - - https://elasticsearch.example.com:9200 - id: output-id-2 - is_default: false - is_default_monitoring: false - name: My output - type: elasticsearch - schema: - additionalProperties: false - type: object - properties: - item: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - 
errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create output - tags: - - Fleet outputs - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/outputs/{outputId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/outputs/{outputId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete output by ID.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: delete-fleet-outputs-outputid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: outputId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - deleteOutputExample: - description: The output was successfully deleted - value: - id: output-id-1 - schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No output was found with the given ID - value: - error: Not Found - message: Output output-id-1 not found - statusCode: 404 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Not Found - summary: Delete output - tags: - - Fleet outputs - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/outputs/{outputId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get output by ID.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read. - operationId: get-fleet-outputs-outputid - parameters: - - in: path - name: outputId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getOutputExample: - description: A Fleet output - value: - item: - hosts: - - https://elasticsearch.example.com:9200 - id: output-id-1 - is_default: true - is_default_monitoring: true - name: Default output - type: elasticsearch - schema: - additionalProperties: false - type: object - properties: - item: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No output was found with the given ID - value: - error: Not Found - message: Output output-id-1 not found - statusCode: 404 - description: Not Found - summary: Get output - tags: - - Fleet outputs - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/outputs/{outputId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update output by ID.

[Required authorization] Route required privileges: fleet-settings-all OR fleet-agent-policies-all. - operationId: put-fleet-outputs-outputid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: outputId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putOutputRequestExample: - description: Update a Fleet output - value: - hosts: - - https://updated-elasticsearch.example.com:9200 - name: Updated output - schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_remote_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_kafka' - responses: - '200': - content: - application/json: - examples: - putOutputExample: - description: The updated Fleet output - value: - item: - hosts: - - https://updated-elasticsearch.example.com:9200 - id: output-id-1 - is_default: true - is_default_monitoring: true - name: Updated output - type: elasticsearch - schema: - additionalProperties: false - type: object - properties: - item: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - 
attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No output was found with the given ID - value: - error: Not Found - message: Output output-id-1 not found - statusCode: 404 - description: Not Found - summary: Update output - tags: - - Fleet outputs - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/outputs/{outputId}/health: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/outputs/{outputId}/health
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the latest health status of an output by ID.

[Required authorization] Route required privileges: fleet-settings-read. - operationId: get-fleet-outputs-outputid-health - parameters: - - in: path - name: outputId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getOutputHealthExample: - description: The latest health status of a Fleet output - value: - message: '' - state: HEALTHY - timestamp: '2024-01-15T10:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - message: - description: long message if unhealthy - type: string - state: - description: state of output, HEALTHY or DEGRADED - type: string - timestamp: - description: timestamp of reported state - type: string - required: - - state - - message - - timestamp - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get the latest output health - tags: - - Fleet outputs - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/package_policies: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/package_policies
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all package policies. - operationId: get-fleet-package-policies - parameters: - - in: query - name: page - required: false - schema: - type: number - - in: query - name: perPage - required: false - schema: - type: number - - in: query - name: sortField - required: false - schema: - type: string - - in: query - name: sortOrder - required: false - schema: - enum: - - desc - - asc - type: string - - in: query - name: showUpgradeable - required: false - schema: - type: boolean - - in: query - name: kuery - required: false - schema: - type: string - - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - - in: query - name: withAgentCount - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - getPackagePoliciesExample: - description: List of package policies - value: - items: - - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. 
- maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: 
false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. 
Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. 
Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get package policies - tags: - - Fleet package policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name 
- post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/package_policies
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new package policy and assign it to an agent policy. - operationId: post-fleet-package-policies - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - requestBody: - content: - application/json: - examples: - postPackagePolicyRequestExample: - description: Create a new nginx package policy - value: - inputs: {} - name: nginx-1 - namespace: default - package: - name: nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - schema: - anyOf: - - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - description: - description: Package policy description - type: string - enabled: - type: boolean - force: - description: Force package policy creation even if the package is not verified, or if the agent policy is managed. 
- type: boolean - id: - description: Package policy unique identifier - type: string - inputs: - items: - additionalProperties: false - type: object - properties: - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - 
migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - maxItems: 1000 - type: array - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - deprecated: true - description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - name - - inputs - - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 100 - nullable: true - type: array - description: - description: Policy description. - type: string - force: - description: Force package policy creation even if the package is not verified, or if the agent policy is managed. - type: boolean - id: - description: Policy unique identifier. - type: string - inputs: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - name: - description: Unique name for the policy. - type: string - namespace: - description: Policy namespace. When not specified, it inherits the agent policy namespace. 
- type: string - output_id: - nullable: true - type: string - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - policy_id: - deprecated: true - description: Deprecated. Use policy_ids instead. - nullable: true - type: string - policy_ids: - description: IDs of the agent policies which that package policy will be added to. - items: - type: string - maxItems: 1000 - type: array - supports_agentless: - default: false - deprecated: true - description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. - nullable: true - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. 
- type: object - required: - - name - - package - description: You should use inputs as an object and not use the deprecated inputs array. - responses: - '200': - content: - application/json: - examples: - postPackagePolicyExample: - description: The created package policy - value: - item: - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-2 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - id: - description: Package policy unique identifier. 
- type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - 
release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). 
- type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. 
- is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. 
- type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '409': - content: - application/json: - examples: - conflictExample: - description: A package policy with the same name already exists - value: - error: Conflict - message: An error message describing what went wrong - statusCode: 409 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Conflict - summary: Create a package policy - tags: - - Fleet package policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/package_policies/_bulk_get: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/package_policies/_bulk_get
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get multiple package policies by ID. - operationId: post-fleet-package-policies-bulk-get - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - requestBody: - content: - application/json: - examples: - postBulkGetPackagePoliciesRequestExample: - description: Retrieve multiple package policies by ID - value: - ids: - - package-policy-id-1 - - package-policy-id-2 - schema: - additionalProperties: false - type: object - properties: - ids: - description: list of package policy ids - items: - type: string - maxItems: 1000 - type: array - ignoreMissing: - type: boolean - required: - - ids - responses: - '200': - content: - application/json: - examples: - postBulkGetPackagePoliciesExample: - description: The requested package policies - value: - items: - - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. 
- maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: 
false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. 
Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. 
Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: One or more package policies were not found - value: - error: Not Found - message: Package policy package-policy-id-2 not found - statusCode: 404 - schema: - 
additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Not Found - summary: Bulk get package policies - tags: - - Fleet package policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/package_policies/{packagePolicyId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a package policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. - operationId: delete-fleet-package-policies-packagepolicyid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: packagePolicyId - required: true - schema: - type: string - - in: query - name: force - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - deletePackagePolicyExample: - description: The package policy was successfully deleted - value: - id: package-policy-id-1 - schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete a package policy - tags: - - Fleet package policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a package policy by ID. - operationId: get-fleet-package-policies-packagepolicyid - parameters: - - in: path - name: packagePolicyId - required: true - schema: - type: string - - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - responses: - '200': - content: - application/json: - examples: - getPackagePolicyExample: - description: A package policy - value: - item: - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - id: - description: Package policy unique identifier. 
- type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - 
release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). 
- type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. 
- is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. 
- type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No package policy was found with the given ID - value: - error: Not Found - message: Package policy package-policy-id-1 not found - statusCode: 404 - schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Not Found - summary: Get a package policy - tags: - - Fleet package policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a package policy by ID. - operationId: put-fleet-package-policies-packagepolicyid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: packagePolicyId - required: true - schema: - type: string - - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - requestBody: - content: - application/json: - examples: - putPackagePolicyRequestExample: - description: Update a package policy - value: - enabled: true - inputs: {} - name: nginx-1-updated - namespace: default - package: - name: nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - schema: - anyOf: - - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. 
- maxLength: 255 - minLength: 1 - nullable: true - type: string - description: - description: Package policy description - type: string - enabled: - type: boolean - force: - type: boolean - inputs: - items: - additionalProperties: false - type: object - properties: - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - 
description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - maxItems: 1000 - type: array - is_managed: - type: boolean - name: - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - version: - type: string - - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 100 - nullable: true - type: array - description: - description: Policy description. - type: string - force: - description: Force package policy creation even if the package is not verified, or if the agent policy is managed. - type: boolean - id: - description: Policy unique identifier. - type: string - inputs: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - name: - description: Unique name for the policy. - type: string - namespace: - description: Policy namespace. When not specified, it inherits the agent policy namespace. 
- type: string - output_id: - nullable: true - type: string - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - policy_id: - deprecated: true - description: Deprecated. Use policy_ids instead. - nullable: true - type: string - policy_ids: - description: IDs of the agent policies which that package policy will be added to. - items: - type: string - maxItems: 1000 - type: array - supports_agentless: - default: false - deprecated: true - description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. - nullable: true - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. 
- type: object - required: - - name - - package - responses: - '200': - content: - application/json: - examples: - putPackagePolicyExample: - description: The updated package policy - value: - item: - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1-updated - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T11:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - id: - description: Package policy unique identifier. 
- type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - 
release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). 
- type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. 
- is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. 
- type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '403': - content: - application/json: - examples: - forbiddenExample: - description: The update is not authorized for this package - value: - error: Forbidden - message: An error message describing what went wrong - statusCode: 403 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Forbidden - summary: Update a package policy - tags: - - Fleet package policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/package_policies/delete: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/package_policies/delete
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete multiple package policies by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. - operationId: post-fleet-package-policies-delete - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postDeletePackagePoliciesRequestExample: - description: Delete multiple package policies by ID - value: - packagePolicyIds: - - package-policy-id-1 - - package-policy-id-2 - schema: - additionalProperties: false - type: object - properties: - force: - type: boolean - packagePolicyIds: - items: - type: string - maxItems: 1000 - type: array - required: - - packagePolicyIds - responses: - '200': - content: - application/json: - examples: - postDeletePackagePoliciesExample: - description: Results of the bulk delete operation - value: - - id: package-policy-id-1 - success: true - - id: package-policy-id-2 - success: true - schema: - items: - additionalProperties: false - type: object - properties: - body: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - id: - type: string - name: - type: string - output_id: - nullable: true - type: string - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - 
- version - policy_id: - deprecated: true - description: Use `policy_ids` instead - nullable: true - type: string - policy_ids: - items: - type: string - maxItems: 10000 - type: array - statusCode: - type: number - success: - type: boolean - required: - - id - - success - - policy_ids - - package - maxItems: 10000 - type: array - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk delete package policies - tags: - - Fleet package policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/package_policies/upgrade: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/package_policies/upgrade
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. - operationId: post-fleet-package-policies-upgrade - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postUpgradePackagePoliciesRequestExample: - description: Upgrade package policies to the latest version - value: - packagePolicyIds: - - package-policy-id-1 - schema: - additionalProperties: false - type: object - properties: - packagePolicyIds: - items: - type: string - maxItems: 1000 - type: array - required: - - packagePolicyIds - responses: - '200': - content: - application/json: - examples: - postUpgradePackagePoliciesExample: - description: Results of the upgrade operation - value: - - id: package-policy-id-1 - name: nginx-1 - success: true - schema: - items: - additionalProperties: false - type: object - properties: - body: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - id: - type: string - name: - type: string - statusCode: - type: number - success: - type: boolean - required: - - id - - success - maxItems: 10000 - type: array - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Upgrade a package policy - tags: - - Fleet package policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - 
name: product_name - /api/fleet/package_policies/upgrade/dryrun: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/package_policies/upgrade/dryrun
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Preview the changes that would be applied by upgrading a package policy to a newer package version.

[Required authorization] Route required privileges: fleet-agent-policies-read AND integrations-read. - operationId: post-fleet-package-policies-upgrade-dryrun - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postDryRunPackagePoliciesRequestExample: - description: Dry run an upgrade of a package policy - value: - packagePolicyIds: - - package-policy-id-1 - schema: - additionalProperties: false - type: object - properties: - packagePolicyIds: - items: - type: string - maxItems: 1000 - type: array - packageVersion: - type: string - required: - - packagePolicyIds - responses: - '200': - content: - application/json: - examples: - postDryRunPackagePoliciesExample: - description: Preview of the package policy upgrade diff - value: - - diff: - - id: package-policy-id-1 - name: nginx-1 - package: - name: nginx - version: 1.20.0 - - name: nginx-1 - package: - name: nginx - version: 1.21.0 - hasErrors: false - name: nginx-1 - schema: - items: - additionalProperties: false - type: object - properties: - agent_diff: - items: - items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true - type: object - properties: - namespace: - type: string - required: - - namespace - id: - type: string - meta: - additionalProperties: true - type: object - properties: - package: - additionalProperties: true - type: object - properties: - name: - type: string - version: - type: string - required: - - name - - version - required: - - package - name: - type: string - package_policy_id: - type: string - processors: - items: - additionalProperties: true - type: object - properties: - add_fields: - additionalProperties: true - type: object - properties: - fields: - additionalProperties: - anyOf: - - type: string - - type: number - type: object - target: - type: string - 
required: - - target - - fields - required: - - add_fields - maxItems: 10000 - type: array - revision: - type: number - streams: - items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true - type: object - properties: - dataset: - type: string - type: - type: string - required: - - dataset - id: - type: string - required: - - data_stream - maxItems: 10000 - type: array - type: - type: string - use_output: - type: string - required: - - id - - name - - revision - - type - - data_stream - - use_output - - package_policy_id - maxItems: 10000 - type: array - maxItems: 1 - type: array - body: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - diff: - items: - anyOf: - - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. 
- maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - id: - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - 
items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. 
Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. 
Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - inputs - - revision - - updated_at - - updated_by - - created_at - - created_by - - additionalProperties: true - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. 
- maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - errors: - items: - additionalProperties: false - type: object - properties: - key: - type: string - message: - type: string - required: - - message - maxItems: 10 - type: array - force: - type: boolean - id: - type: string - inputs: - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: 
false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - is_managed: - type: boolean - missingVars: - items: - type: string - maxItems: 100 - type: array - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. 
- nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - maxItems: 2 - type: array - hasErrors: - type: boolean - name: - type: string - statusCode: - type: number - required: - - hasErrors - maxItems: 10000 - type: array - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Dry run a package policy upgrade - tags: - - Fleet package policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/proxies: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/proxies
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all Fleet proxies.

[Required authorization] Route required privileges: fleet-settings-read. - operationId: get-fleet-proxies - parameters: [] - responses: - '200': - content: - application/json: - examples: - getFleetProxiesExample: - description: List of Fleet proxies - value: - items: - - id: proxy-id-1 - is_preconfigured: false - name: My proxy - url: http://proxy.example.com:3128 - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - id: - type: string - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: - type: string - required: - - id - - url - - name - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get proxies - tags: - - Fleet proxies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/proxies
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new Fleet proxy.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-proxies - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postFleetProxyRequestExample: - description: Create a new Fleet proxy - value: - name: My proxy - url: http://proxy.example.com:3128 - schema: - additionalProperties: false - type: object - properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - id: - type: string - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: - type: string - required: - - url - - name - responses: - '200': - content: - application/json: - examples: - postFleetProxyExample: - description: The created Fleet proxy - value: - item: - id: proxy-id-2 - is_preconfigured: false - name: My proxy - url: http://proxy.example.com:3128 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - id: - type: string - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: - type: string - required: - - id - - url - - name - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - 
value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create a proxy - tags: - - Fleet proxies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/proxies/{itemId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/proxies/{itemId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a proxy by ID

[Required authorization] Route required privileges: fleet-settings-all. - operationId: delete-fleet-proxies-itemid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: itemId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - deleteFleetProxyExample: - description: The Fleet proxy was successfully deleted - value: - id: proxy-id-1 - schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No proxy was found with the given ID - value: - error: Not Found - message: Fleet proxy proxy-id-1 not found - statusCode: 404 - description: Not Found - summary: Delete a proxy - tags: - - Fleet proxies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/proxies/{itemId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-read. - operationId: get-fleet-proxies-itemid - parameters: - - in: path - name: itemId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getFleetProxyExample: - description: A Fleet proxy - value: - item: - id: proxy-id-1 - is_preconfigured: false - name: My proxy - url: http://proxy.example.com:3128 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - id: - type: string - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: - type: string - required: - - id - - url - - name - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No proxy was found with the given ID - value: - error: Not Found - message: Fleet proxy proxy-id-1 not found - statusCode: 404 - description: Not Found - summary: Get a proxy - tags: - - Fleet proxies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- 
- **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/proxies/{itemId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: put-fleet-proxies-itemid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: itemId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putFleetProxyRequestExample: - description: Update a Fleet proxy - value: - name: Updated proxy - url: http://updated-proxy.example.com:3128 - schema: - additionalProperties: false - type: object - properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: - type: string - required: - - certificate_authorities - - certificate - - certificate_key - responses: - '200': - content: - application/json: - examples: - putFleetProxyExample: - description: The updated Fleet proxy - value: - item: - id: proxy-id-1 - is_preconfigured: false - name: Updated proxy - url: http://updated-proxy.example.com:3128 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - id: - type: string - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: - type: string - required: - - id - - url - - name - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - 
genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No proxy was found with the given ID - value: - error: Not Found - message: Proxy proxy-id-1 not found - statusCode: 404 - description: Not Found - summary: Update a proxy - tags: - - Fleet proxies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/service_tokens: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/service_tokens
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a Fleet Server service token. The token is used to enroll Fleet Server instances with Kibana.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-service-tokens - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postGenerateServiceTokenRequestExample: - description: Generate a service token for a remote Fleet Server - value: - remote: true - schema: - additionalProperties: false - nullable: true - type: object - properties: - remote: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - postGenerateServiceTokenExample: - description: The generated Fleet Server service token - value: - name: elastic/fleet-server/token-1234567890 - value: AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTEyMzQ1Njc4OTA6QUJDREVGR0hJSktMTU5P - schema: - additionalProperties: false - type: object - properties: - name: - type: string - value: - type: string - required: - - name - - value - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create a service token - tags: - - Fleet service tokens - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/settings: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/settings
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the global Fleet settings.

[Required authorization] Route required privileges: fleet-settings-read. - operationId: get-fleet-settings - parameters: [] - responses: - '200': - content: - application/json: - examples: - getSettingsExample: - description: The current Fleet settings - value: - item: - delete_unenrolled_agents: - enabled: false - is_preconfigured: false - has_seen_add_data_notice: true - id: fleet-default-settings - output_secret_storage_requirements_met: true - prerelease_integrations_enabled: false - secret_storage_requirements_met: true - version: WzEsMV0= - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - action_secret_storage_requirements_met: - type: boolean - delete_unenrolled_agents: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - is_preconfigured: - type: boolean - required: - - enabled - - is_preconfigured - download_source_auth_secret_storage_requirements_met: - type: boolean - has_seen_add_data_notice: - type: boolean - id: - type: string - ilm_migration_status: - additionalProperties: false - type: object - properties: - logs: - enum: - - success - nullable: true - type: string - metrics: - enum: - - success - nullable: true - type: string - synthetics: - enum: - - success - nullable: true - type: string - integration_knowledge_enabled: - type: boolean - output_secret_storage_requirements_met: - type: boolean - preconfigured_fields: - items: - enum: - - fleet_server_hosts - type: string - maxItems: 1 - type: array - prerelease_integrations_enabled: - type: boolean - secret_storage_requirements_met: - type: boolean - ssl_secret_storage_requirements_met: - type: boolean - use_space_awareness_migration_started_at: - nullable: true - type: string - use_space_awareness_migration_status: - enum: - - pending - - success - - error - type: string - version: - type: string - required: - - item - description: Successful response - '400': - content: - 
application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: Fleet settings have not been initialized - value: - error: Not Found - message: Settings not found - statusCode: 404 - schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Not Found - summary: Get settings - tags: - - Fleet internals - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/settings
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update the global Fleet settings.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: put-fleet-settings - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - putSettingsRequestExample: - description: Update Fleet settings to enable pre-release integrations - value: - prerelease_integrations_enabled: true - schema: - additionalProperties: false - type: object - properties: - additional_yaml_config: - deprecated: true - type: string - delete_unenrolled_agents: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - is_preconfigured: - type: boolean - required: - - enabled - - is_preconfigured - has_seen_add_data_notice: - deprecated: true - type: boolean - integration_knowledge_enabled: - type: boolean - kibana_ca_sha256: - deprecated: true - type: string - kibana_urls: - deprecated: true - items: - format: uri - type: string - maxItems: 10 - type: array - prerelease_integrations_enabled: - type: boolean - responses: - '200': - content: - application/json: - examples: - putSettingsExample: - description: The updated Fleet settings - value: - item: - delete_unenrolled_agents: - enabled: false - is_preconfigured: false - has_seen_add_data_notice: true - id: fleet-default-settings - output_secret_storage_requirements_met: true - prerelease_integrations_enabled: true - secret_storage_requirements_met: true - version: WzIsMV0= - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - action_secret_storage_requirements_met: - type: boolean - delete_unenrolled_agents: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - is_preconfigured: - type: boolean - required: - - enabled - - is_preconfigured - download_source_auth_secret_storage_requirements_met: - 
type: boolean - has_seen_add_data_notice: - type: boolean - id: - type: string - ilm_migration_status: - additionalProperties: false - type: object - properties: - logs: - enum: - - success - nullable: true - type: string - metrics: - enum: - - success - nullable: true - type: string - synthetics: - enum: - - success - nullable: true - type: string - integration_knowledge_enabled: - type: boolean - output_secret_storage_requirements_met: - type: boolean - preconfigured_fields: - items: - enum: - - fleet_server_hosts - type: string - maxItems: 1 - type: array - prerelease_integrations_enabled: - type: boolean - secret_storage_requirements_met: - type: boolean - ssl_secret_storage_requirements_met: - type: boolean - use_space_awareness_migration_started_at: - nullable: true - type: string - use_space_awareness_migration_status: - enum: - - pending - - success - - error - type: string - version: - type: string - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: Fleet settings have not been initialized - value: - error: Not Found - message: Settings not found - statusCode: 404 - schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Not Found - summary: Update settings - tags: - - Fleet internals - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name 
- /api/fleet/setup: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/setup
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Initialize Fleet and create the necessary Elasticsearch resources for Fleet to operate. Safe to call multiple times (idempotent). Returns the initialization status and any non-fatal errors encountered during setup.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. - operationId: post-fleet-setup - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - responses: - '200': - content: - application/json: - examples: - fleetSetupSuccessExample: - description: Fleet initialized successfully with no non-fatal errors - value: - isInitialized: true - nonFatalErrors: [] - fleetSetupWithNonFatalErrorsExample: - description: Fleet initialized but encountered non-fatal errors during setup - value: - isInitialized: true - nonFatalErrors: - - message: Package fleet_server not found in registry - name: PackageNotFoundError - schema: - additionalProperties: false - description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup. 
- type: object - properties: - isInitialized: - type: boolean - nonFatalErrors: - items: - additionalProperties: false - type: object - properties: - message: - type: string - name: - type: string - required: - - name - - message - maxItems: 10000 - type: array - required: - - isInitialized - - nonFatalErrors - description: Fleet setup completed - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '500': - content: - application/json: - examples: - internalErrorResponseExample: - description: Example of an internal server error response - value: - error: Internal Server Error - message: An error message describing what went wrong - statusCode: 500 - schema: - additionalProperties: false - description: Internal Server Error - type: object - properties: - message: - type: string - required: - - message - description: Internal Server Error - summary: Initiate Fleet setup - tags: - - Fleet internals - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/space_settings: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/space_settings
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the Fleet settings for the current Kibana space. - operationId: get-fleet-space-settings - parameters: [] - responses: - '200': - content: - application/json: - examples: - getSpaceSettingsExample: - description: The Fleet settings for the current Kibana space - value: - item: - allowed_namespace_prefixes: - - team-a - - team-b - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - allowed_namespace_prefixes: - items: - type: string - maxItems: 100 - type: array - managed_by: - type: string - required: - - allowed_namespace_prefixes - required: - - item - description: Successful response - summary: Get space settings - tags: [] - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/space_settings
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create or update Fleet settings for the current Kibana space.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: put-fleet-space-settings - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - putSpaceSettingsRequestExample: - description: Update allowed namespace prefixes for the current Kibana space - value: - allowed_namespace_prefixes: - - team-a - - team-b - schema: - additionalProperties: false - type: object - properties: - allowed_namespace_prefixes: - items: - type: string - maxItems: 10 - type: array - responses: - '200': - content: - application/json: - examples: - putSpaceSettingsExample: - description: The updated Fleet settings for the current Kibana space - value: - item: - allowed_namespace_prefixes: - - team-a - - team-b - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - allowed_namespace_prefixes: - items: - type: string - maxItems: 100 - type: array - managed_by: - type: string - required: - - allowed_namespace_prefixes - required: - - item - description: Successful response - summary: Create space settings - tags: [] - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/uninstall_tokens: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/uninstall_tokens
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: get-fleet-uninstall-tokens - parameters: - - description: Partial match filtering for policy IDs - in: query - name: policyId - required: false - schema: - maxLength: 50 - type: string - - in: query - name: search - required: false - schema: - maxLength: 50 - type: string - - description: The number of items to return - in: query - name: perPage - required: false - schema: - minimum: 5 - type: number - - in: query - name: page - required: false - schema: - minimum: 1 - type: number - responses: - '200': - content: - application/json: - examples: - getUninstallTokensExample: - description: List of uninstall token metadata for agent policies - value: - items: - - created_at: '2024-01-01T00:00:00.000Z' - id: token-id-1 - namespaces: - - default - policy_id: policy-id-1 - policy_name: Default policy - - created_at: '2024-01-02T00:00:00.000Z' - id: token-id-2 - namespaces: - - production - policy_id: policy-id-2 - policy_name: Production policy - page: 1 - perPage: 20 - total: 2 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - created_at: - type: string - id: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - policy_id: - type: string - policy_name: - nullable: true - type: string - required: - - id - - policy_id - - created_at - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': - content: - application/json: - examples: - conflictingQueryParamsExample: - description: Both policyId and search query parameters were provided - value: - error: Bad Request - message: Query parameters `policyId` and `search` cannot be used at the same time. 
- statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get metadata for latest uninstall tokens - tags: - - Fleet uninstall tokens - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/uninstall_tokens/{uninstallTokenId}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/uninstall_tokens/{uninstallTokenId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: get-fleet-uninstall-tokens-uninstalltokenid - parameters: - - in: path - name: uninstallTokenId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getUninstallTokenExample: - description: Decrypted uninstall token for an agent policy - value: - item: - created_at: '2024-01-01T00:00:00.000Z' - id: token-id-1 - namespaces: - - default - policy_id: policy-id-1 - policy_name: Default policy - token: CKHJsJcBqNwIRcRBNDaE - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - created_at: - type: string - id: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - policy_id: - type: string - policy_name: - nullable: true - type: string - token: - type: string - required: - - id - - policy_id - - created_at - - token - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No uninstall token was found with the given ID - value: - error: Not Found - message: Uninstall Token not found with ID token-id-1 - statusCode: 404 - description: Not Found - summary: Get a decrypted uninstall token - tags: - - Fleet uninstall tokens - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - 
/api/lists: - delete: - description: | - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/lists
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a value list using the list ID. - > info - > When you delete a list, all of its list items are also deleted. - operationId: DeleteList - parameters: - - in: query - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: Determines whether exception items referencing this value list should be deleted. - in: query - name: deleteReferences - required: false - schema: - default: false - example: false - type: boolean - - description: Determines whether to delete value list without performing any additional checks of where this list may be utilized. - in: query - name: ignoreReferences - required: false - schema: - default: false - example: false - type: boolean - responses: - '200': - content: - application/json: - examples: - ipList: - value: - _version: WzIsMV0= - '@timestamp': '2025-01-08T04:47:34.273Z' - created_at: '2025-01-08T04:47:34.273Z' - created_by: elastic - description: List of bad internet ips. 
- id: 21b01cfb-058d-44b9-838c-282be16c91cd - immutable: false - name: Bad ips - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: '2025-01-08T05:39:39.292Z' - updated_by: elastic - version: 3 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: id: Required' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [DELETE /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list id: \"ip_list\" was not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: 
'#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Delete a value list - tags: - - Security Lists API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/lists
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the details of a value list using the list ID. - operationId: ReadList - parameters: - - in: query - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - responses: - '200': - content: - application/json: - examples: - ip: - value: - _version: WzEsMV0= - '@timestamp': '2025-01-08T04:47:34.273Z' - created_at: '2025-01-08T04:47:34.273Z' - created_by: elastic - description: This list describes bad internet ip - id: ip_list - immutable: false - name: My bad ips - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: '2025-01-08T05:21:53.843Z' - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: id: Required' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [GET /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: 
'#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value list details - tags: - - Security Lists API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - patch: - description: |- - **Spaces method and path for this operation:** - -
patch /s/{space_id}/api/lists
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update specific fields of an existing list using the list `id`. - operationId: PatchList - requestBody: - content: - application/json: - schema: - example: - id: ip_list - name: Bad ips list - UPDATED - type: object - properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - version: - $ref: '#/components/schemas/Security_Lists_API_ListVersion' - required: - - id - description: Value list's properties - required: true - responses: - '200': - content: - application/json: - examples: - ip: - value: - _version: WzEsMV0= - '@timestamp': '2025-01-08T04:47:34.273Z' - created_at: '2025-01-08T04:47:34.273Z' - created_by: elastic - description: This list describes bad internet ips - id: ip_list - immutable: false - name: Bad ips list - UPDATED - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: '2025-01-08T05:21:53.843Z' - updated_by: elastic - version: 2 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: name: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user 
[elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [PATCH /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Patch a value list - tags: - - Security Lists API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/lists
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new value list. - operationId: CreateList - requestBody: - content: - application/json: - examples: - ip: - value: - description: This list describes bad internet ips - id: ip_list - name: Simple list with ips - type: ip - ip_range: - value: - description: This list has ip ranges - id: ip_range_list - name: Simple list with ip ranges - type: ip_range - keyword: - value: - description: This list describes bad host names - id: keyword_list - name: Simple list with a keyword - type: keyword - keyword_custom_format: - value: - description: This parses the first found ipv4 only - id: keyword_custom_format_list - name: Simple list with a keyword using a custom format - type: keyword - schema: - type: object - properties: - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - type: - $ref: '#/components/schemas/Security_Lists_API_ListType' - version: - default: 1 - minimum: 1 - type: integer - required: - - name - - description - - type - description: Value list's properties - required: true - responses: - '200': - content: - application/json: - examples: - ip: - value: - _version: WzAsMV0= - '@timestamp': '2025-01-08T04:47:34.273Z' - created_at: '2025-01-08T04:47:34.273Z' - created_by: elastic - description: This list describes bad internet ips - id: ip_list - immutable: false - name: Simple list with ips - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: '2025-01-08T04:47:34.273Z' - updated_by: elastic - version: 1 - ip_range: - value: - _version: WzAsMV0= - '@timestamp': '2025-01-09T18:23:52.241Z' - created_at: '2025-01-09T18:23:52.241Z' - created_by: elastic - description: This list has ip ranges - id: 
ip_range_list - immutable: false - name: Simple list with ip ranges - tie_breaker_id: 74aebdaf-601f-4940-b351-155728ff7003 - type: ip_range - updated_at: '2025-01-09T18:23:52.241Z' - updated_by: elastic - version: 1 - keyword: - value: - _version: WzEsMV0= - '@timestamp': '2025-01-09T18:24:55.786Z' - created_at: '2025-01-09T18:24:55.786Z' - created_by: elastic - description: This list describes bad host names - id: keyword_list - immutable: false - name: Simple list with a keyword - tie_breaker_id: f7e7dbaa-daf7-4c9a-a3dc-56643923ef68 - type: keyword - updated_at: '2025-01-09T18:24:55.786Z' - updated_by: elastic - version: 1 - keyword_custom_format: - value: - _version: WzIsMV0= - '@timestamp': '2025-01-09T18:25:39.604Z' - created_at: '2025-01-09T18:25:39.604Z' - created_by: elastic - description: This parses the first found ipv4 only - id: keyword_custom_format_list - immutable: false - name: Simple list with a keyword using a custom format - tie_breaker_id: 8247ae63-b780-47b8-9a89-948b643e9ec2 - type: keyword - updated_at: '2025-01-09T18:25:39.604Z' - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - notFound: - value: - message: To create a list, the data stream must exist first. 
Data stream \".lists-default\" does not exist - status_code: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [POST /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json: - examples: - alreadyExists: - value: - message: 'list id: "keyword_custom_format_list" already exists' - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List already exists response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Create a value list - tags: - - Security Lists API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: | - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/lists
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a value list using the list `id`. The original list is replaced, and all unspecified fields are deleted. - > info - > You cannot modify the `id` value. - operationId: UpdateList - requestBody: - content: - application/json: - schema: - example: - description: Latest list of bad ips - id: ip_list - name: Bad ips - updated - type: object - properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - version: - $ref: '#/components/schemas/Security_Lists_API_ListVersion' - required: - - id - - name - - description - description: Value list's properties - required: true - responses: - '200': - content: - application/json: - examples: - ip: - value: - _version: WzIsMV0= - '@timestamp': '2025-01-08T04:47:34.273Z' - created_at: '2025-01-08T04:47:34.273Z' - created_by: elastic - description: Latest list of bad ips - id: ip_list - immutable: false - name: Bad ips - updated - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: '2025-01-08T05:39:39.292Z' - updated_by: elastic - version: 3 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - 
value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [PUT /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Update a value list - tags: - - Security Lists API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/lists/_find: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/lists/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a paginated subset of value lists. By default, the first page is returned, with 20 results per page. - operationId: FindLists - parameters: - - description: The page number to return. - in: query - name: page - required: false - schema: - example: 1 - type: integer - - description: The number of value lists to return per page. - in: query - name: per_page - required: false - schema: - example: 20 - type: integer - - description: Determines which field is used to sort the results. - in: query - name: sort_field - required: false - schema: - example: name - format: nonempty - minLength: 1 - type: string - - description: Determines the sort order, which can be `desc` or `asc` - in: query - name: sort_order - required: false - schema: - enum: - - desc - - asc - example: asc - type: string - - description: Returns the lists that come after the last lists returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all lists are sorted and returned correctly. - in: query - name: cursor - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' - - description: | - Filters the returned results according to the value of the specified field, - using the : syntax. 
- in: query - name: filter - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_FindListsFilter' - responses: - '200': - content: - application/json: - examples: - ipList: - value: - cursor: WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d - data: - - _version: WzAsMV0= - '@timestamp': | - 2025-01-08T04:47:34.273Z - created_at: | - 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ip - id: ip_list - immutable: false - name: Simple list with an ip - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: | - 2025-01-08T04:47:34.273Z - updated_by: elastic - version: 1 - page: 1 - per_page: 20 - total: 1 - schema: - type: object - properties: - cursor: - $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' - data: - items: - $ref: '#/components/schemas/Security_Lists_API_List' - type: array - page: - minimum: 0 - type: integer - per_page: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - - cursor - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: page: Expected number, received nan' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication 
response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [GET /api/lists/_find?page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value lists - tags: - - Security Lists API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/lists/index: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/lists/index
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete the `.lists` and `.items` data streams. - operationId: DeleteListIndex - responses: - '200': - content: - application/json: - schema: - type: object - properties: - acknowledged: - type: boolean - required: - - acknowledged - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Delete value list data streams - tags: - - Security Lists API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/lists/index
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Verify that `.lists` and `.items` data streams exist. - operationId: ReadListIndex - responses: - '200': - content: - application/json: - schema: - type: object - properties: - list_index: - type: boolean - list_item_index: - type: boolean - required: - - list_index - - list_item_index - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream(s) not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get status of value list data streams - tags: - - Security Lists API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - deprecated: true - description: |- - **Spaces method and path for this 
operation:** - -
post /s/{space_id}/api/lists/index
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create `.lists` and `.items` data streams in the relevant space. - operationId: CreateListIndex - responses: - '200': - content: - application/json: - schema: - type: object - properties: - acknowledged: - type: boolean - required: - - acknowledged - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: | - [security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json: - examples: - alreadyExists: - value: - message: 'data stream: \".lists-default\" and \".items-default\" already exists' - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream exists response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Create list data streams - tags: - - Security Lists API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: 
product_name - /api/lists/items: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/lists/items
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a value list item using its `id`, or its `list_id` and `value` fields. - operationId: DeleteListItem - parameters: - - description: Value list item's identifier. Required if `list_id` and `value` are not specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - - description: Value list's identifier. Required if `id` is not specified. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: The value used to evaluate exceptions. Required if `id` is not specified. - in: query - name: value - required: false - schema: - example: 255.255.255.255 - type: string - - description: Determines when changes made by the request are made visible to search. - in: query - name: refresh - required: false - schema: - default: 'false' - enum: - - 'true' - - 'false' - - wait_for - example: false - type: string - responses: - '200': - content: - application/json: - examples: - ip: - value: - _version: WzIwLDFd - '@timestamp': '2025-01-08T05:15:05.159Z' - created_at: '2025-01-08T05:15:05.159Z' - created_by: elastic - id: pd1WRJQBs4HAK3VQeHFI - list_id: ip_list - tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 - type: ip - updated_at: '2025-01-08T05:44:14.009Z' - updated_by: elastic - value: 255.255.255.255 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_ListItem' - - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - type: array - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - message: Either \"list_id\" or \"id\" needs to be defined in the request - status_code: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - 
description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [DELETE /api/lists/items?id=pd1WRJQBs4HAK3VQeHFI] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list item with id: \"pd1WRJQBs4HAK3VQeHFI\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Delete a value list item - tags: - - Security Lists API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/lists/items
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the details of a value list item. - operationId: ReadListItem - parameters: - - description: Value list item identifier. Required if `list_id` and `value` are not specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: Value list item list's `id` identfier. Required if `id` is not specified. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: The value used to evaluate exceptions. Required if `id` is not specified. - in: query - name: value - required: false - schema: - example: 127.0.0.2 - type: string - responses: - '200': - content: - application/json: - examples: - ip: - value: - _version: WzExLDFd - '@timestamp': '2025-01-08T05:16:25.882Z' - created_at: '2025-01-08T05:16:25.882Z' - created_by: elastic - id: qN1XRJQBs4HAK3VQs3Gc - list_id: ip_list - tie_breaker_id: a9a34c02-a385-436e-86a0-02a3942f3537 - type: ip - updated_at: '2025-01-08T05:16:25.882Z' - updated_by: elastic - value: 127.0.0.2 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_ListItem' - - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - type: array - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - message: Either \"list_id\" or \"id\" needs to be defined in the request - status_code: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request 
[/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [GET /api/lists/items?id=qN1XRJQBs4HAK3VQs3Gc] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list item id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get a value list item - tags: - - Security Lists API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - patch: - description: |- - **Spaces method and path for this operation:** - -
patch /s/{space_id}/api/lists/items
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update specific fields of an existing value list item using the item `id`. - operationId: PatchListItem - requestBody: - content: - application/json: - schema: - example: - id: pd1WRJQBs4HAK3VQeHFI - value: 255.255.255.255 - type: object - properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - refresh: - description: Determines when changes made by the request are made visible to search. - enum: - - 'true' - - 'false' - - wait_for - type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' - required: - - id - description: Value list item's properties - required: true - responses: - '200': - content: - application/json: - examples: - ipItem: - value: - _version: WzE5LDFd - '@timestamp': '2025-01-08T05:15:05.159Z' - created_at: '2025-01-08T05:15:05.159Z' - created_by: elastic - id: pd1WRJQBs4HAK3VQeHFI - list_id: ip_list - tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 - type: ip - updated_at: '2025-01-08T05:23:37.602Z' - updated_by: elastic - value: 255.255.255.255 - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - message: '{"took":15,"timed_out":false,"total":1,"updated":0,"deleted":0,"batches":1,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1,"throttled_until_millis":0,"failures":[{"index":".ds-.items-default-2025.01.09-000001","id":"ip_item","cause":{"type":"document_parsing_exception","reason":"[1:107] failed to parse field [ip] of type [ip] in document with id ip_item. 
Preview of fields value: 2","caused_by":{"type":"illegal_argument_exception","reason":"2 is not an IP string literal."}},"status":400}]}' - status_code: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list item id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Patch a value list item - tags: - - Security Lists API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/lists/items
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a value list item and associate it with the specified value list. - - All value list items in the same list must be the same type. For example, each list item in an `ip` list must define a specific IP address. - > info - > Before creating a list item, you must create a list. - operationId: CreateListItem - requestBody: - content: - application/json: - examples: - ip: - value: - list_id: ip_list - value: 127.0.0.1 - ip_range: - value: - list_id: ip_range_list - value: 192.168.0.0/16 - keyword: - value: - list_id: keyword_list - value: zeek - schema: - type: object - properties: - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - list_id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - refresh: - description: Determines when changes made by the request are made visible to search. 
- enum: - - 'true' - - 'false' - - wait_for - example: wait_for - type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' - required: - - list_id - - value - description: Value list item's properties - required: true - responses: - '200': - content: - application/json: - examples: - ip: - value: - _version: WzAsMV0= - '@timestamp': '2025-01-08T04:59:06.154Z' - created_at: '2025-01-08T04:59:06.154Z' - created_by: elastic - id: 21b01cfb-058d-44b9-838c-282be16c91cc - list_id: ip_list - tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a - type: ip - updated_at: '2025-01-08T04:59:06.154Z' - updated_by: elastic - value: 127.0.0.1 - ip_range: - value: - _version: WzEsMV0= - '@timestamp': '2025-01-09T18:33:08.202Z' - created_at: '2025-01-09T18:33:08.202Z' - created_by: elastic - id: ip_range_item - list_id: ip_range_list - tie_breaker_id: ea1b4189-efda-4637-b8f9-74655a5ebb61 - type: ip_range - updated_at: '2025-01-09T18:33:08.202Z' - updated_by: elastic - value: 192.168.0.0/16 - keyword: - value: - _version: WzIsMV0= - '@timestamp': '2025-01-09T18:34:29.422Z' - created_at: '2025-01-09T18:34:29.422Z' - created_by: elastic - id: 7f24737d-1da8-4626-a568-33070591bb4e - list_id: keyword_list - tie_breaker_id: 2108ced2-5e5d-401e-a88e-4dd69fc5fa27 - type: keyword - updated_at: '2025-01-09T18:34:29.422Z' - updated_by: elastic - value: zeek - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: uri [/api/lists/items] with method [post] exists but is not available with the current configuration - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: 
Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [POST /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - listNotFound: - value: - message: 'list id: \"ip_list\" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json: - examples: - alreadyExists: - value: - message: 'list item id: \"ip_item\" already exists' - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item already exists response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Create a value list item - tags: - - Security Lists API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: | - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/lists/items
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a value list item using the list item ID. The original list item is replaced, and all unspecified fields are deleted. - > info - > You cannot modify the `id` value. - operationId: UpdateListItem - requestBody: - content: - application/json: - example: - id: ip_item - value: 255.255.255.255 - schema: - type: object - properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' - required: - - id - - value - description: Value list item's properties - required: true - responses: - '200': - content: - application/json: - examples: - ip: - value: - _version: WzIwLDFd - '@timestamp': '2025-01-08T05:15:05.159Z' - created_at: '2025-01-08T05:15:05.159Z' - created_by: elastic - id: pd1WRJQBs4HAK3VQeHFI - list_id: ip_list - tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 - type: ip - updated_at: '2025-01-08T05:44:14.009Z' - updated_by: elastic - value: 255.255.255.255 - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate 
user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list item id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Update a value list item - tags: - - Security Lists API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/lists/items/_export: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/lists/items/_export
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Export list item values from the specified value list. - operationId: ExportListItems - parameters: - - description: Value list's `id` to export. - in: query - name: list_id - required: true - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - responses: - '200': - content: - application/ndjson: - schema: - description: A `.txt` file containing list items from the specified list - example: | - 127.0.0.1 - 127.0.0.2 - 127.0.0.3 - 127.0.0.4 - 127.0.0.5 - 127.0.0.6 - 127.0.0.7 - 127.0.0.8 - 127.0.0.9 - format: binary - type: string - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: 'Bad Request","message":"[request query]: list_id: Required' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [POST /api/lists/items/_export?list_id=ips.txt] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - schema: - $ref: 
'#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Export value list items - tags: - - Security Lists API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/lists/items/_find: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/lists/items/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get all value list items in the specified list. - operationId: FindListItems - parameters: - - in: query - name: list_id - required: true - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: The page number to return. - in: query - name: page - required: false - schema: - example: 1 - type: integer - - description: The number of list items to return per page. - in: query - name: per_page - required: false - schema: - example: 20 - type: integer - - description: Determines which field is used to sort the results. - in: query - name: sort_field - required: false - schema: - example: value - format: nonempty - minLength: 1 - type: string - - description: Determines the sort order, which can be `desc` or `asc` - in: query - name: sort_order - required: false - schema: - enum: - - desc - - asc - example: asc - type: string - - in: query - name: cursor - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' - - description: | - Filters the returned results according to the value of the specified field, - using the : syntax. 
- in: query - name: filter - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter' - responses: - '200': - content: - application/json: - examples: - ip: - value: - cursor: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d - data: - - _version: WzAsMV0= - '@timestamp': '2025-01-08T04:59:06.154Z' - created_at: '2025-01-08T04:59:06.154Z' - created_by: elastic - id: 21b01cfb-058d-44b9-838c-282be16c91cc - list_id: ip_list - tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a - type: ip - updated_at: '2025-01-08T04:59:06.154Z' - updated_by: elastic - value: 127.0.0.1 - page: 1 - per_page: 20 - total: 1 - schema: - type: object - properties: - cursor: - $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' - data: - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - type: array - page: - minimum: 0 - type: integer - per_page: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - - cursor - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request, - message: '[request query]: list_id: Required' - statusCode: 400, - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - 
forbidden: - value: - error: Forbidden - message: API [GET /api/lists/items/_find?list_id=ip_list&page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value list items - tags: - - Security Lists API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/lists/items/_import: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/lists/items/_import
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Import value list items from a TXT or CSV file. The maximum file size is 9 million bytes. - - You can import items to a new or existing list. - operationId: ImportListItems - parameters: - - description: | - List's id. - - Required when importing to an existing list. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: | - Type of the importing list. - - Required when importing a new list whose list `id` is not specified. - examples: - ip: - value: ip - in: query - name: type - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListType' - - description: Determines when changes made by the request are made visible to search. - in: query - name: refresh - required: false - schema: - enum: - - 'true' - - 'false' - - wait_for - example: true - type: string - requestBody: - content: - multipart/form-data: - schema: - type: object - properties: - file: - description: A `.txt` or `.csv` file containing newline separated list items. 
- example: | - 127.0.0.1 - 127.0.0.2 - 127.0.0.3 - 127.0.0.4 - 127.0.0.5 - 127.0.0.6 - 127.0.0.7 - 127.0.0.8 - 127.0.0.9 - format: binary - type: string - required: true - responses: - '200': - content: - application/json: - examples: - ip: - value: - _version: WzAsMV0= - '@timestamp': '2025-01-08T04:47:34.273Z' - created_at: '2025-01-08T04:47:34.273Z' - created_by: elastic - description: This list describes bad internet ip - id: ip_list - immutable: false - name: Simple list with an ip - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: '2025-01-08T04:47:34.273Z' - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - message: Either type or list_id need to be defined in the query - status_code: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [POST /api/lists/items/_import?list_id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: 
- application/json: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List with specified list_id does not exist response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Import value list items - tags: - - Security Lists API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/lists/privileges: - get: - operationId: ReadListPrivileges - responses: - '200': - content: - application/json: - examples: - privileges: - value: - is_authenticated: true - listItems: - application: {} - cluster: - all: true - manage: true - manage_api_key: true - manage_index_templates: true - manage_ml: true - manage_own_api_key: true - manage_pipeline: true - manage_security: true - manage_transform: true - monitor: true - monitor_ml: true - monitor_transform: true - has_all_requested: true - index: - .items-default: - all: true - create: true - create_doc: true - create_index: true - delete: true - delete_index: true - index: true - maintenance: true - manage: true - monitor: true - read: true - view_index_metadata: true - write: true - username: elastic - lists: - application: {} - cluster: - all: true - manage: true - manage_api_key: true - manage_index_templates: true - manage_ml: true - manage_own_api_key: true - manage_pipeline: true - manage_security: true - manage_transform: true - monitor: true - monitor_ml: true - monitor_transform: true - has_all_requested: true - index: - .lists-default: - all: true - create: true - create_doc: true - create_index: true - delete: true - delete_index: true - index: true - maintenance: true - manage: true - monitor: true - read: true - view_index_metadata: true - write: true - username: elastic - schema: - type: object - properties: - is_authenticated: - 
type: boolean - listItems: - $ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges' - lists: - $ref: '#/components/schemas/Security_Lists_API_ListPrivileges' - required: - - lists - - listItems - - is_authenticated - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [GET /api/lists/privileges] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value list privileges - tags: - - Security Lists API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/lists/privileges
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/maintenance_window: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/maintenance_window
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - [Required authorization] Route required privileges: write-maintenance-window. - operationId: post-maintenance-window - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - createMaintenanceWindowRequest: - description: | - Create a maintenance window that recurs every week on Monday and Wednesday for two hours, with a scope that filters specific alerts using a KQL query. - summary: Create a maintenance window - value: - enabled: true - schedule: - custom: - duration: 2h - recurring: - every: 1w - occurrences: 10 - onWeekDay: - - MO - - WE - start: '2025-03-01T08:00:00.000Z' - timezone: Europe/Amsterdam - scope: - alerting: - query: - kql: 'kibana.alert.tags: "infra"' - title: Weekly Maintenance Window - schema: - additionalProperties: false - type: object - properties: - enabled: - description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. - type: boolean - schedule: - additionalProperties: false - type: object - properties: - custom: - additionalProperties: false - type: object - properties: - duration: - description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' - type: string - recurring: - additionalProperties: false - type: object - properties: - end: - description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' - type: string - every: - description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. 
For example: `15d`, `2w`, `3m`, `1y`.' - type: string - occurrences: - description: The total number of recurrences of the schedule. - minimum: 1 - type: number - onMonth: - description: The specific months for a recurring schedule. Valid values are 1-12. - items: - maximum: 12 - minimum: 1 - type: number - minItems: 1 - type: array - onMonthDay: - description: The specific days of the month for a recurring schedule. Valid values are 1-31. - items: - maximum: 31 - minimum: 1 - type: number - minItems: 1 - type: array - onWeekDay: - description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. - items: - type: string - minItems: 1 - type: array - start: - description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' - type: string - timezone: - description: The timezone of the schedule. The default timezone is UTC. - type: string - required: - - start - - duration - required: - - custom - scope: - additionalProperties: false - type: object - properties: - alerting: - additionalProperties: false - type: object - properties: - query: - additionalProperties: false - type: object - properties: - kql: - description: A filter written in Kibana Query Language (KQL). Only alerts matching this query will be supressed by the maintenance window. - type: string - required: - - kql - required: - - query - required: - - alerting - title: - description: The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window. - type: string - required: - - title - - schedule - responses: - '200': - content: - application/json: - examples: - createMaintenanceWindowResponse: - description: | - The response returned when a maintenance window is successfully created. 
- summary: Create a maintenance window response - value: - created_at: '2025-02-25T10:00:00.000Z' - created_by: elastic - enabled: true - id: f0cb1780-537a-4e34-8adf-3b4336862858 - schedule: - custom: - duration: 2h - recurring: - every: 1w - occurrences: 10 - onWeekDay: - - MO - - WE - start: '2025-03-01T08:00:00.000Z' - timezone: Europe/Amsterdam - scope: - alerting: - query: - kql: 'kibana.alert.tags: "infra"' - status: upcoming - title: Weekly Maintenance Window - updated_at: '2025-02-25T10:00:00.000Z' - updated_by: elastic - schema: - additionalProperties: false - type: object - properties: - created_at: - description: The date and time when the maintenance window was created. - type: string - created_by: - description: The identifier for the user that created the maintenance window. - nullable: true - type: string - enabled: - description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. - type: boolean - id: - description: The identifier for the maintenance window. - type: string - schedule: - additionalProperties: false - type: object - properties: - custom: - additionalProperties: false - type: object - properties: - duration: - description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' - type: string - recurring: - additionalProperties: false - type: object - properties: - end: - description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' - type: string - every: - description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' - type: string - occurrences: - description: The total number of recurrences of the schedule. 
- type: number - onMonth: - description: The specific months for a recurring schedule. Valid values are 1-12. - items: - type: number - type: array - onMonthDay: - description: The specific days of the month for a recurring schedule. Valid values are 1-31. - items: - type: number - type: array - onWeekDay: - description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. - items: - type: string - type: array - start: - description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' - type: string - timezone: - description: The timezone of the schedule. The default timezone is UTC. - type: string - required: - - start - - duration - required: - - custom - scope: - additionalProperties: false - type: object - properties: - alerting: - additionalProperties: false - type: object - properties: - query: - additionalProperties: false - type: object - properties: - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - required: - - query - required: - - alerting - status: - description: The current status of the maintenance window. - enum: - - running - - upcoming - - finished - - archived - - disabled - type: string - title: - description: The name of the maintenance window. - type: string - updated_at: - description: The date and time when the maintenance window was last updated. - type: string - updated_by: - description: The identifier for the user that last updated this maintenance window. - nullable: true - type: string - required: - - id - - title - - enabled - - created_by - - updated_by - - created_at - - updated_at - - status - - schedule - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. 
- summary: Create a maintenance window. - tags: - - maintenance-window - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/maintenance_window/_find: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/maintenance_window/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - [Required authorization] Route required privileges: read-maintenance-window. - operationId: get-maintenance-window-find - parameters: - - description: The title of the maintenance window. - in: query - name: title - required: false - schema: - type: string - - description: The user who created the maintenance window. - in: query - name: created_by - required: false - schema: - type: string - - description: The status of the maintenance window. It can be "running", "upcoming", "finished", "archived", or "disabled". - in: query - name: status - required: false - schema: - items: - enum: - - running - - finished - - upcoming - - archived - - disabled - type: string - type: array - - description: The page number to return. - in: query - name: page - required: false - schema: - default: 1 - maximum: 100 - minimum: 1 - type: number - - description: The number of maintenance windows to return per page. - in: query - name: per_page - required: false - schema: - default: 10 - maximum: 100 - minimum: 1 - type: number - responses: - '200': - content: - application/json: - examples: - findMaintenanceWindowsResponse: - description: | - The response returned when maintenance windows are successfully found. 
- summary: Find maintenance windows response - value: - maintenanceWindows: - - created_at: '2025-02-25T10:00:00.000Z' - created_by: elastic - enabled: true - id: f0cb1780-537a-4e34-8adf-3b4336862858 - schedule: - custom: - duration: 2h - recurring: - every: 1w - occurrences: 10 - onWeekDay: - - MO - - WE - start: '2025-03-01T08:00:00.000Z' - timezone: Europe/Amsterdam - scope: - alerting: - query: - kql: 'kibana.alert.tags: "infra"' - status: upcoming - title: Weekly Maintenance Window - updated_at: '2025-02-25T10:00:00.000Z' - updated_by: elastic - - created_at: '2025-03-10T09:00:00.000Z' - created_by: elastic - enabled: true - id: a1c94560-6e3b-4ea1-9065-8e3f1b8c5f29 - schedule: - custom: - duration: 1h - recurring: - end: '2025-12-31T00:00:00.000Z' - every: 2w - onWeekDay: - - FR - start: '2025-04-01T10:00:00.000Z' - timezone: US/Eastern - scope: - alerting: - query: - kql: 'kibana.alert.tags: "database"' - status: upcoming - title: Database Upgrade Window - updated_at: '2025-03-15T14:30:00.000Z' - updated_by: elastic - page: 1 - per_page: 10 - total: 2 - schema: - additionalProperties: false - type: object - properties: - maintenanceWindows: - description: The list of maintenance windows. - items: - additionalProperties: false - type: object - properties: - created_at: - description: The date and time when the maintenance window was created. - type: string - created_by: - description: The identifier for the user that created the maintenance window. - nullable: true - type: string - enabled: - description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. - type: boolean - id: - description: The identifier for the maintenance window. - type: string - schedule: - additionalProperties: false - type: object - properties: - custom: - additionalProperties: false - type: object - properties: - duration: - description: 'The duration of the schedule. It allows values in `` format. 
`` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' - type: string - recurring: - additionalProperties: false - type: object - properties: - end: - description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' - type: string - every: - description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' - type: string - occurrences: - description: The total number of recurrences of the schedule. - type: number - onMonth: - description: The specific months for a recurring schedule. Valid values are 1-12. - items: - type: number - type: array - onMonthDay: - description: The specific days of the month for a recurring schedule. Valid values are 1-31. - items: - type: number - type: array - onWeekDay: - description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. - items: - type: string - type: array - start: - description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' - type: string - timezone: - description: The timezone of the schedule. The default timezone is UTC. - type: string - required: - - start - - duration - required: - - custom - scope: - additionalProperties: false - type: object - properties: - alerting: - additionalProperties: false - type: object - properties: - query: - additionalProperties: false - type: object - properties: - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - required: - - query - required: - - alerting - status: - description: The current status of the maintenance window. 
- enum: - - running - - upcoming - - finished - - archived - - disabled - type: string - title: - description: The name of the maintenance window. - type: string - updated_at: - description: The date and time when the maintenance window was last updated. - type: string - updated_by: - description: The identifier for the user that last updated this maintenance window. - nullable: true - type: string - required: - - id - - title - - enabled - - created_by - - updated_by - - created_at - - updated_at - - status - - schedule - type: array - page: - description: The current page number. - type: number - per_page: - description: The number of maintenance windows returned per page. - type: number - total: - description: The total number of maintenance windows that match the query. - type: number - required: - - page - - per_page - - total - - maintenanceWindows - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - summary: Search for a maintenance window. - tags: - - maintenance-window - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/maintenance_window/{id}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/maintenance_window/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - [Required authorization] Route required privileges: write-maintenance-window. - operationId: delete-maintenance-window-id - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the maintenance window to be deleted. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a maintenance window with the given ID does not exist. - summary: Delete a maintenance window. - tags: - - maintenance-window - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/maintenance_window/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - [Required authorization] Route required privileges: read-maintenance-window. - operationId: get-maintenance-window-id - parameters: - - description: The identifier for the maintenance window. - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getMaintenanceWindowResponse: - description: | - The response returned when a maintenance window is successfully retrieved. - summary: Get a maintenance window response - value: - created_at: '2025-02-25T10:00:00.000Z' - created_by: elastic - enabled: true - id: f0cb1780-537a-4e34-8adf-3b4336862858 - schedule: - custom: - duration: 2h - recurring: - every: 1w - occurrences: 10 - onWeekDay: - - MO - - WE - start: '2025-03-01T08:00:00.000Z' - timezone: Europe/Amsterdam - scope: - alerting: - query: - kql: 'kibana.alert.tags: "infra"' - status: upcoming - title: Weekly Maintenance Window - updated_at: '2025-02-25T10:00:00.000Z' - updated_by: elastic - schema: - additionalProperties: false - type: object - properties: - created_at: - description: The date and time when the maintenance window was created. - type: string - created_by: - description: The identifier for the user that created the maintenance window. - nullable: true - type: string - enabled: - description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. - type: boolean - id: - description: The identifier for the maintenance window. - type: string - schedule: - additionalProperties: false - type: object - properties: - custom: - additionalProperties: false - type: object - properties: - duration: - description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' 
- type: string - recurring: - additionalProperties: false - type: object - properties: - end: - description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' - type: string - every: - description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' - type: string - occurrences: - description: The total number of recurrences of the schedule. - type: number - onMonth: - description: The specific months for a recurring schedule. Valid values are 1-12. - items: - type: number - type: array - onMonthDay: - description: The specific days of the month for a recurring schedule. Valid values are 1-31. - items: - type: number - type: array - onWeekDay: - description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. - items: - type: string - type: array - start: - description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' - type: string - timezone: - description: The timezone of the schedule. The default timezone is UTC. - type: string - required: - - start - - duration - required: - - custom - scope: - additionalProperties: false - type: object - properties: - alerting: - additionalProperties: false - type: object - properties: - query: - additionalProperties: false - type: object - properties: - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - required: - - query - required: - - alerting - status: - description: The current status of the maintenance window. - enum: - - running - - upcoming - - finished - - archived - - disabled - type: string - title: - description: The name of the maintenance window. 
- type: string - updated_at: - description: The date and time when the maintenance window was last updated. - type: string - updated_by: - description: The identifier for the user that last updated this maintenance window. - nullable: true - type: string - required: - - id - - title - - enabled - - created_by - - updated_by - - created_at - - updated_at - - status - - schedule - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a maintenance window with the given ID does not exist. - summary: Get maintenance window details. - tags: - - maintenance-window - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - patch: - description: |- - **Spaces method and path for this operation:** - -
patch /s/{space_id}/api/maintenance_window/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - [Required authorization] Route required privileges: write-maintenance-window. - operationId: patch-maintenance-window-id - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the maintenance window. - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - updateMaintenanceWindowRequest: - description: | - Update a maintenance window to change its title, schedule, and scope. - summary: Update a maintenance window - value: - enabled: true - schedule: - custom: - duration: 1h - recurring: - end: '2025-12-31T00:00:00.000Z' - every: 2w - onWeekDay: - - FR - start: '2025-04-01T10:00:00.000Z' - timezone: US/Eastern - scope: - alerting: - query: - kql: 'kibana.alert.tags: "database"' - title: Updated maintenance window - schema: - additionalProperties: false - type: object - properties: - enabled: - description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. - type: boolean - schedule: - additionalProperties: false - type: object - properties: - custom: - additionalProperties: false - type: object - properties: - duration: - description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' - type: string - recurring: - additionalProperties: false - type: object - properties: - end: - description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' - type: string - every: - description: 'The interval and frequency of a recurring schedule. It allows values in `` format. 
`` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' - type: string - occurrences: - description: The total number of recurrences of the schedule. - minimum: 1 - type: number - onMonth: - description: The specific months for a recurring schedule. Valid values are 1-12. - items: - maximum: 12 - minimum: 1 - type: number - minItems: 1 - type: array - onMonthDay: - description: The specific days of the month for a recurring schedule. Valid values are 1-31. - items: - maximum: 31 - minimum: 1 - type: number - minItems: 1 - type: array - onWeekDay: - description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. - items: - type: string - minItems: 1 - type: array - start: - description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' - type: string - timezone: - description: The timezone of the schedule. The default timezone is UTC. - type: string - required: - - start - - duration - required: - - custom - scope: - additionalProperties: false - type: object - properties: - alerting: - additionalProperties: false - type: object - properties: - query: - additionalProperties: false - type: object - properties: - kql: - description: A filter written in Kibana Query Language (KQL). Only alerts matching this query will be supressed by the maintenance window. - type: string - required: - - kql - required: - - query - required: - - alerting - title: - description: The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window. - type: string - responses: - '200': - content: - application/json: - examples: - updateMaintenanceWindowResponse: - description: | - The response returned when a maintenance window is successfully updated. 
- summary: Update a maintenance window response - value: - created_at: '2025-02-25T10:00:00.000Z' - created_by: elastic - enabled: true - id: f0cb1780-537a-4e34-8adf-3b4336862858 - schedule: - custom: - duration: 1h - recurring: - end: '2025-12-31T00:00:00.000Z' - every: 2w - onWeekDay: - - FR - start: '2025-04-01T10:00:00.000Z' - timezone: US/Eastern - scope: - alerting: - query: - kql: 'kibana.alert.tags: "database"' - status: upcoming - title: Updated maintenance window - updated_at: '2025-03-15T14:30:00.000Z' - updated_by: elastic - schema: - additionalProperties: false - type: object - properties: - created_at: - description: The date and time when the maintenance window was created. - type: string - created_by: - description: The identifier for the user that created the maintenance window. - nullable: true - type: string - enabled: - description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. - type: boolean - id: - description: The identifier for the maintenance window. - type: string - schedule: - additionalProperties: false - type: object - properties: - custom: - additionalProperties: false - type: object - properties: - duration: - description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' - type: string - recurring: - additionalProperties: false - type: object - properties: - end: - description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' - type: string - every: - description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' - type: string - occurrences: - description: The total number of recurrences of the schedule. 
- type: number - onMonth: - description: The specific months for a recurring schedule. Valid values are 1-12. - items: - type: number - type: array - onMonthDay: - description: The specific days of the month for a recurring schedule. Valid values are 1-31. - items: - type: number - type: array - onWeekDay: - description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. - items: - type: string - type: array - start: - description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' - type: string - timezone: - description: The timezone of the schedule. The default timezone is UTC. - type: string - required: - - start - - duration - required: - - custom - scope: - additionalProperties: false - type: object - properties: - alerting: - additionalProperties: false - type: object - properties: - query: - additionalProperties: false - type: object - properties: - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - required: - - query - required: - - alerting - status: - description: The current status of the maintenance window. - enum: - - running - - upcoming - - finished - - archived - - disabled - type: string - title: - description: The name of the maintenance window. - type: string - updated_at: - description: The date and time when the maintenance window was last updated. - type: string - updated_by: - description: The identifier for the user that last updated this maintenance window. - nullable: true - type: string - required: - - id - - title - - enabled - - created_by - - updated_by - - created_at - - updated_at - - status - - schedule - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. 
- '404': - description: Indicates a maintenance window with the given ID does not exist. - '409': - description: Indicates that the maintenance window has already been updated by another user. - summary: Update a maintenance window. - tags: - - maintenance-window - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/maintenance_window/{id}/_archive: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/maintenance_window/{id}/_archive
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - [Required authorization] Route required privileges: write-maintenance-window. - operationId: post-maintenance-window-id-archive - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the maintenance window to be archived. - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - archiveMaintenanceWindowResponse: - description: | - The response returned when a maintenance window is successfully archived. - summary: Archive a maintenance window response - value: - created_at: '2025-02-25T10:00:00.000Z' - created_by: elastic - enabled: true - id: f0cb1780-537a-4e34-8adf-3b4336862858 - schedule: - custom: - duration: 2h - recurring: - every: 1w - occurrences: 10 - onWeekDay: - - MO - - WE - start: '2025-03-01T08:00:00.000Z' - timezone: Europe/Amsterdam - scope: - alerting: - query: - kql: 'kibana.alert.tags: "infra"' - status: archived - title: Weekly Maintenance Window - updated_at: '2025-02-25T10:00:00.000Z' - updated_by: elastic - schema: - additionalProperties: false - type: object - properties: - created_at: - description: The date and time when the maintenance window was created. - type: string - created_by: - description: The identifier for the user that created the maintenance window. - nullable: true - type: string - enabled: - description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. - type: boolean - id: - description: The identifier for the maintenance window. - type: string - schedule: - additionalProperties: false - type: object - properties: - custom: - additionalProperties: false - type: object - properties: - duration: - description: 'The duration of the schedule. 
It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' - type: string - recurring: - additionalProperties: false - type: object - properties: - end: - description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' - type: string - every: - description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' - type: string - occurrences: - description: The total number of recurrences of the schedule. - type: number - onMonth: - description: The specific months for a recurring schedule. Valid values are 1-12. - items: - type: number - type: array - onMonthDay: - description: The specific days of the month for a recurring schedule. Valid values are 1-31. - items: - type: number - type: array - onWeekDay: - description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. - items: - type: string - type: array - start: - description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' - type: string - timezone: - description: The timezone of the schedule. The default timezone is UTC. - type: string - required: - - start - - duration - required: - - custom - scope: - additionalProperties: false - type: object - properties: - alerting: - additionalProperties: false - type: object - properties: - query: - additionalProperties: false - type: object - properties: - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - required: - - query - required: - - alerting - status: - description: The current status of the maintenance window. 
- enum: - - running - - upcoming - - finished - - archived - - disabled - type: string - title: - description: The name of the maintenance window. - type: string - updated_at: - description: The date and time when the maintenance window was last updated. - type: string - updated_by: - description: The identifier for the user that last updated this maintenance window. - nullable: true - type: string - required: - - id - - title - - enabled - - created_by - - updated_by - - created_at - - updated_at - - status - - schedule - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a maintenance window with the given ID does not exist. - summary: Archive a maintenance window. - tags: - - maintenance-window - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/maintenance_window/{id}/_unarchive: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/maintenance_window/{id}/_unarchive
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - [Required authorization] Route required privileges: write-maintenance-window. - operationId: post-maintenance-window-id-unarchive - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the maintenance window to be unarchived. - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - unarchiveMaintenanceWindowResponse: - description: | - The response returned when a maintenance window is successfully unarchived. - summary: Unarchive a maintenance window response - value: - created_at: '2025-02-25T10:00:00.000Z' - created_by: elastic - enabled: true - id: f0cb1780-537a-4e34-8adf-3b4336862858 - schedule: - custom: - duration: 2h - recurring: - every: 1w - occurrences: 10 - onWeekDay: - - MO - - WE - start: '2025-03-01T08:00:00.000Z' - timezone: Europe/Amsterdam - scope: - alerting: - query: - kql: 'kibana.alert.tags: "infra"' - status: upcoming - title: Weekly Maintenance Window - updated_at: '2025-02-25T10:00:00.000Z' - updated_by: elastic - schema: - additionalProperties: false - type: object - properties: - created_at: - description: The date and time when the maintenance window was created. - type: string - created_by: - description: The identifier for the user that created the maintenance window. - nullable: true - type: string - enabled: - description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. - type: boolean - id: - description: The identifier for the maintenance window. 
- type: string - schedule: - additionalProperties: false - type: object - properties: - custom: - additionalProperties: false - type: object - properties: - duration: - description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' - type: string - recurring: - additionalProperties: false - type: object - properties: - end: - description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' - type: string - every: - description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' - type: string - occurrences: - description: The total number of recurrences of the schedule. - type: number - onMonth: - description: The specific months for a recurring schedule. Valid values are 1-12. - items: - type: number - type: array - onMonthDay: - description: The specific days of the month for a recurring schedule. Valid values are 1-31. - items: - type: number - type: array - onWeekDay: - description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. - items: - type: string - type: array - start: - description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' - type: string - timezone: - description: The timezone of the schedule. The default timezone is UTC. 
- type: string - required: - - start - - duration - required: - - custom - scope: - additionalProperties: false - type: object - properties: - alerting: - additionalProperties: false - type: object - properties: - query: - additionalProperties: false - type: object - properties: - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - required: - - query - required: - - alerting - status: - description: The current status of the maintenance window. - enum: - - running - - upcoming - - finished - - archived - - disabled - type: string - title: - description: The name of the maintenance window. - type: string - updated_at: - description: The date and time when the maintenance window was last updated. - type: string - updated_by: - description: The identifier for the user that last updated this maintenance window. - nullable: true - type: string - required: - - id - - title - - enabled - - created_by - - updated_by - - created_at - - updated_at - - status - - schedule - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a maintenance window with the given ID does not exist. - summary: Unarchive a maintenance window. - tags: - - maintenance-window - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/ml/saved_objects/sync: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/ml/saved_objects/sync
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Synchronizes Kibana saved objects for machine learning jobs and trained models in the default space. You must have `all` privileges for the **Machine Learning** feature in the **Analytics** section of the Kibana feature privileges. This API runs automatically when you start Kibana and periodically thereafter. - operationId: mlSync - parameters: - - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' - responses: - '200': - content: - application/json: - examples: - syncExample: - $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' - schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' - description: Indicates a successful call - '401': - content: - application/json: - examples: - syncExample: - $ref: '#/components/examples/Machine_learning_APIs_mlSync401Example' - schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' - description: Authorization information is missing or invalid. - summary: Sync saved objects in the default space - tags: - - ml - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/ml/saved_objects/update_jobs_spaces: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/ml/saved_objects/update_jobs_spaces
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a list of jobs to add and/or remove them from given spaces. - operationId: mlUpdateJobsSpaces - requestBody: - content: - application/json: - examples: - updateADJobSpacesRequest: - value: - jobIds: - - test-job - jobType: anomaly-detector - spacesToAdd: - - default - spacesToRemove: - - '*' - updateDFAJobSpacesRequest: - value: - jobIds: - - test-job - jobType: data-frame-analytics - spacesToAdd: - - default - spacesToRemove: - - '*' - responses: - '200': - content: - application/json: - examples: - successADResponse: - value: - test-job: - success: true - type: anomaly-detector - successDFAResponse: - value: - test-job: - success: true - type: data-frame-analytics - description: Indicates a successful call - summary: Update jobs spaces - tags: - - ml - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/ml/saved_objects/update_trained_models_spaces: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/ml/saved_objects/update_trained_models_spaces
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a list of trained models to add and/or remove them from given spaces. - operationId: mlUpdateTrainedModelsSpaces - requestBody: - content: - application/json: - examples: - updateTrainedModelsSpacesRequest: - value: - modelIds: - - test-model - spacesToAdd: - - default - spacesToRemove: - - '*' - responses: - '200': - content: - application/json: - examples: - successTMResponse: - value: - test-model: - success: true - type: trained-model" - description: Indicates a successful call - summary: Update trained models spaces - tags: - - ml - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/note: - delete: - description: | - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/note
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Deletes notes by saved object ID. Send either `noteId` (single ID) or `noteIds` (array of IDs) in the JSON body. - - The response has HTTP 200 with an empty body on success. - - Requires the **Timeline and Notes** write privilege (`notes_write`). - operationId: DeleteNote - requestBody: - content: - application/json: - examples: - deleteOne: - summary: Delete a single note by id - value: - noteId: 709f99c6-89b6-4953-9160-35945c8e174e - schema: - oneOf: - - nullable: true - type: object - properties: - noteId: - description: Saved object ID of the note to delete. - type: string - required: - - noteId - - nullable: true - type: object - properties: - noteIds: - description: Saved object IDs of the notes to delete. - items: - type: string - nullable: true - type: array - required: - - noteIds - description: | - Exactly one shape: `{ "noteId": "" }` for a single delete, or `{ "noteIds": ["", ...] }` for bulk delete. - `noteIds` may be null in some clients; prefer an empty array or omit unused fields when possible. - required: true - responses: - '200': - description: The notes were deleted successfully. Response body is empty. - summary: Delete one or more notes - tags: - - Security Timeline API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/note
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Returns Security Timeline notes as saved objects. - - **Query modes (mutually exclusive branches on the server):** - - 1. **`documentIds` is set** — Returns notes whose `eventId` matches the given Elasticsearch document `_id` (single string or array). Pagination query parameters (`page`, `perPage`, etc.) are **not** applied; the server uses a fixed page size (up to 10000 notes). - - 2. **`savedObjectIds` is set** — Returns notes linked to the given Timeline saved object id(s). Same fixed cap as above; list-mode query parameters are **not** applied. - - 3. **Neither `documentIds` nor `savedObjectIds`** — Lists notes using saved-objects find semantics: `page` (default 1), `perPage` (default 10), optional `search`, `sortField`, `sortOrder`, `filter`, `createdByFilter`, and `associatedFilter`. - - Requires the **Timeline and Notes** read privilege (`notes_read`). - operationId: GetNotes - parameters: - - description: | - Event document `_id` values to match against each note's `eventId`. When this parameter is present, the response is all matching notes (up to the server's hard limit), not a paged list using `page`/`perPage`. - examples: - multiple: - summary: Multiple document ids (array) - value: - - id-one - - id-two - single: - summary: Single document id - value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b - in: query - name: documentIds - schema: - $ref: '#/components/schemas/Security_Timeline_API_DocumentIds' - - description: | - Timeline `savedObjectId` value(s). Returns notes that reference those timelines. When present, list-mode pagination parameters are not used; up to the server's hard limit of notes may be returned. 
- examples: - singleTimeline: - summary: Single timeline id - value: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - in: query - name: savedObjectIds - schema: - $ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds' - - description: | - Page number for list mode (when `documentIds` and `savedObjectIds` are omitted). Passed as a string; default 1. - example: '1' - in: query - name: page - schema: - nullable: true - type: string - - description: | - Page size for list mode (when `documentIds` and `savedObjectIds` are omitted). Passed as a string; default 10. - example: '20' - in: query - name: perPage - schema: - nullable: true - type: string - - description: Search string for saved-objects find (list mode only). - in: query - name: search - schema: - nullable: true - type: string - - description: Field to sort by for saved-objects find (list mode only). - in: query - name: sortField - schema: - nullable: true - type: string - - description: Sort order (`asc` or `desc`) for saved-objects find (list mode only). - example: desc - in: query - name: sortOrder - schema: - nullable: true - type: string - - description: | - Kuery filter string combined with other list-mode filters (for example `createdByFilter` or `associatedFilter`). Typed as a string for API compatibility; interpreted by the saved-objects layer (list mode only). - in: query - name: filter - schema: - nullable: true - type: string - - description: | - Kibana user profile **UID** (UUID). The server resolves the user's display identifiers and returns notes whose `createdBy` matches any of them (list mode only). - example: f1c2d3e4-5b6a-7890-abcd-ef1234567890 - in: query - name: createdByFilter - schema: - nullable: true - type: string - - description: | - Restricts notes by how they relate to a Timeline and/or an event document (list mode only). Some values apply extra filtering after the query. Ignored when `documentIds` or `savedObjectIds` is used. 
- in: query - name: associatedFilter - schema: - $ref: '#/components/schemas/Security_Timeline_API_AssociatedFilterType' - responses: - '200': - content: - application/json: - examples: - notesPage: - summary: Paged notes for a timeline - value: - notes: - - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - note: Escalated to tier-2 analyst - noteId: 709f99c6-89b6-4953-9160-35945c8e174e - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzQ2LDFd - totalCount: 1 - schema: - $ref: '#/components/schemas/Security_Timeline_API_GetNotesResult' - description: Notes and total count for the requested mode. - summary: Get notes - tags: - - Security Timeline API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - patch: - description: | - **Spaces method and path for this operation:** - -
patch /s/{space_id}/api/note
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Creates a new note or updates an existing one. - - **Create:** Send `note` and omit `noteId` to create a new saved object. - - **Update:** Send `note` with the changed fields and set `noteId` to the note's saved object ID. Optionally include `version` for optimistic concurrency when the client has it from a prior read. - - Requires the **Timeline and Notes** write privilege (`notes_write`). - externalDocs: - description: Add or update a note on a Timeline - url: https://www.elastic.co/guide/en/security/current/timeline-api-update.html - operationId: PersistNoteRoute - requestBody: - content: - application/json: - examples: - addNote: - summary: Add a note on an event - value: - note: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - note: Escalated to tier-2 analyst - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - schema: - type: object - properties: - note: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - description: Note payload (timeline, text, optional event linkage, metadata). - noteId: - description: The `savedObjectId` of the note to update. Omit when creating a new note. - example: 709f99c6-89b6-4953-9160-35945c8e174e - nullable: true - type: string - version: - description: Saved object version string from a previous read; optional on update. - example: WzQ2LDFd - nullable: true - type: string - required: - - note - description: | - Body must include the `note` object. For updates, include `noteId` (and optionally `version`). - To attach a note to a specific event, set `note.eventId` to that event's document `_id`; for a timeline-wide note, omit or clear `eventId` per product rules. 
- required: true - responses: - '200': - content: - application/json: - examples: - persisted: - summary: Persisted note wrapper - value: - note: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - note: Escalated to tier-2 analyst - noteId: 709f99c6-89b6-4953-9160-35945c8e174e - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzQ2LDFd - schema: - $ref: '#/components/schemas/Security_Timeline_API_ResponseNote' - description: The persisted note, including `noteId` and `version`. - summary: Add or update a note - tags: - - Security Timeline API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/observability_ai_assistant/chat/complete: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/observability_ai_assistant/chat/complete
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new chat completion by using the Observability AI Assistant. - - The API returns the model's response based on the current conversation context. - - It also handles any tool requests within the conversation, which may trigger multiple calls to the underlying large language model (LLM). - - This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. - operationId: observability-ai-assistant-chat-complete - requestBody: - content: - application/json: - examples: - chatCompleteRequestExample: - $ref: '#/components/examples/Observability_AI_Assistant_API_ChatCompleteRequestExample' - schema: - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Observability_AI_Assistant_API_Function' - type: array - connectorId: - description: A unique identifier for the connector. - type: string - conversationId: - description: A unique identifier for the conversation if you are continuing an existing conversation. - type: string - disableFunctions: - description: Flag indicating whether all function calls should be disabled for the conversation. If true, no calls to functions will be made. - type: boolean - instructions: - description: An array of instruction objects, which can be either simple strings or detailed objects. - items: - $ref: '#/components/schemas/Observability_AI_Assistant_API_Instruction' - type: array - messages: - description: An array of message objects containing the conversation history. - items: - $ref: '#/components/schemas/Observability_AI_Assistant_API_Message' - type: array - persist: - description: Indicates whether the conversation should be saved to storage. If true, the conversation will be saved and will be available in Kibana. 
- type: boolean - title: - description: A title for the conversation. - type: string - required: - - messages - - connectorId - - persist - responses: - '200': - content: - application/json: - examples: - chatCompleteResponseExample: - $ref: '#/components/examples/Observability_AI_Assistant_API_ChatCompleteResponseExample' - schema: - type: object - description: Successful response - summary: Generate a chat completion - tags: - - observability_ai_assistant - x-codeSamples: - - lang: cURL - source: | - curl --request POST 'localhost:5601/api/observability_ai_assistant/chat/complete' -u : -H 'kbn-xsrf: true' -H "Content-Type: application/json" --data ' - { - "connectorId": "", - "disableFunctions": false, - "messages": [ - { - "@timestamp": "2025-06-25T23:45:00.000Z", - "message": { - "role": "user", - "content": "Is my Elasticsearch cluster healthy right now?" - } - } - ], - "persist": false, - "actions": [ - { - "name": "get_cluster_health", - "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", - "parameters": { - "type": "object", - "properties": { - "includeShardStats": { - "type": "boolean", - "default": false - } - } - } - } - ], - "instructions": ["When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English."] - }' - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/osquery/history: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/osquery/history
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a unified, time-sorted history of live, rule-triggered, and scheduled osquery executions. The response uses cursor-based pagination. - operationId: OsqueryGetUnifiedHistory - parameters: - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - default: 20 - description: The number of results to return per page. - maximum: 100 - minimum: 1 - type: integer - - description: A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page. - in: query - name: nextPage - required: false - schema: - description: A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page. - type: string - - description: A search string to filter history entries by pack name, query text, or query ID. - in: query - name: kuery - required: false - schema: - description: A search string to filter history entries by pack name, query text, or query ID. - type: string - - description: Comma-separated list of user IDs to filter live query history. - in: query - name: userIds - required: false - schema: - description: Comma-separated list of user IDs to filter live query history. - example: elastic,admin - type: string - - description: Comma-separated list of source types to include. Valid values are `live`, `rule`, and `scheduled`. - in: query - name: sourceFilters - required: false - schema: - description: Comma-separated list of source types to include. Valid values are `live`, `rule`, and `scheduled`. - example: live,scheduled - type: string - - description: The start of the time range filter (ISO 8601). - in: query - name: startDate - required: false - schema: - description: The start of the time range filter (ISO 8601). - example: '2024-01-01T00:00:00Z' - type: string - - description: The end of the time range filter (ISO 8601). 
- in: query - name: endDate - required: false - schema: - description: The end of the time range filter (ISO 8601). - example: '2024-12-31T23:59:59Z' - type: string - responses: - '200': - content: - application/json: - examples: - unifiedHistoryExample: - summary: Example unified history response - value: - data: - - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agentCount: 5 - errorCount: 0 - id: 3c42c847-eb30-4452-80e0-728584042334 - queryName: uptime_query - queryText: select * from uptime; - source: Live - sourceType: live - successCount: 5 - timestamp: '2024-07-26T09:59:32.220Z' - totalRows: 42 - userId: elastic - - agentCount: 10 - errorCount: 1 - executionCount: 3 - id: pack_my_pack_uptime_3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - plannedTime: '2024-07-26T09:00:00.000Z' - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - source: Scheduled - sourceType: scheduled - successCount: 9 - timestamp: '2024-07-26T09:00:00.000Z' - totalRows: 100 - hasMore: true - nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... - schema: - $ref: '#/components/schemas/Security_Osquery_API_GetUnifiedHistoryResponse' - description: Indicates a successful call. - summary: Get unified query history - tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/osquery/live_queries: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/osquery/live_queries
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all live queries. - operationId: OsqueryFindLiveQueries - parameters: - - description: A KQL search string to filter live queries. - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryResponse' - description: Indicates a successful call. - summary: Get live queries - tags: - - Security Osquery API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/osquery/live_queries
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create and run a live query. - operationId: OsqueryCreateLiveQuery - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryResponse' - description: Indicates a successful call. - summary: Create a live query - tags: - - Security Osquery API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/osquery/live_queries/{id}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/osquery/live_queries/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the details of a live query using the query ID. - operationId: OsqueryGetLiveQueryDetails - parameters: - - description: The ID of the live query. - in: path - name: id - required: true - schema: - description: The ID of the live query result you want to retrieve. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse' - description: Indicates a successful call. - summary: Get live query details - tags: - - Security Osquery API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/osquery/live_queries/{id}/results/{actionId}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/osquery/live_queries/{id}/results/{actionId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the results of a live query using the query action ID. - operationId: OsqueryGetLiveQueryResults - parameters: - - description: The ID of the live query. - in: path - name: id - required: true - schema: - description: The ID of the live query result you want to retrieve. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - - description: The ID of the query action. - in: path - name: actionId - required: true - schema: - description: The ID of the query action that generated the live query results. - example: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - type: string - - description: A KQL search string to filter results. - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse' - description: Indicates a successful call. - summary: Get live query results - tags: - - Security Osquery API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/osquery/packs: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/osquery/packs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all query packs. - operationId: OsqueryFindPacks - parameters: - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_FindPacksResponse' - description: Indicates a successful call. - summary: Get packs - tags: - - Security Osquery API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/osquery/packs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a query pack. - operationId: OsqueryCreatePacks - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_CreatePacksResponse' - description: Indicates a successful call. - summary: Create a pack - tags: - - Security Osquery API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/osquery/packs/{id}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/osquery/packs/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a query pack using the pack ID. - operationId: OsqueryDeletePacks - parameters: - - description: The pack ID. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - responses: - '200': - content: - application/json: - schema: - example: {} - type: object - properties: {} - description: Indicates a successful call. - summary: Delete a pack - tags: - - Security Osquery API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/osquery/packs/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the details of a query pack using the pack ID. - operationId: OsqueryGetPacksDetails - parameters: - - description: The pack ID. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_FindPackResponse' - description: Indicates a successful call. - summary: Get pack details - tags: - - Security Osquery API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: | - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/osquery/packs/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a query pack using the pack ID. - > info - > You cannot update a prebuilt pack. - operationId: OsqueryUpdatePacks - parameters: - - description: The pack ID. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksResponse' - description: Indicates a successful call. - summary: Update a pack - tags: - - Security Osquery API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/osquery/packs/{id}/copy: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/osquery/packs/{id}/copy
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a copy of a query pack with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`). The copied pack is always created with `enabled` set to `false`. - operationId: OsqueryCopyPacks - parameters: - - description: The ID of the pack to copy. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - responses: - '200': - content: - application/json: - examples: - copyPackExample: - summary: Example response for copying a pack - value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: false - name: my_pack_copy - policy_ids: [] - queries: - - ecs_mapping: - - key: client.port - value: - field: port - id: ports - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: [] - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Osquery_API_CopyPacksResponse' - description: Indicates a successful call. - summary: Copy a pack - tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/osquery/saved_queries: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/osquery/saved_queries
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all saved queries. - operationId: OsqueryFindSavedQueries - parameters: - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryResponse' - description: Indicates a successful call. - summary: Get saved queries - tags: - - Security Osquery API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/osquery/saved_queries
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create and save a query for later use. - operationId: OsqueryCreateSavedQuery - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryResponse' - description: Indicates a successful call. - summary: Create a saved query - tags: - - Security Osquery API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/osquery/saved_queries/{id}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/osquery/saved_queries/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a saved query using the query ID. - operationId: OsqueryDeleteSavedQuery - parameters: - - description: The saved query ID. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse' - description: Indicates a successful call. - summary: Delete a saved query - tags: - - Security Osquery API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/osquery/saved_queries/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the details of a saved query using the query ID. - operationId: OsqueryGetSavedQueryDetails - parameters: - - description: The saved query ID. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse' - description: Indicates a successful call. - summary: Get saved query details - tags: - - Security Osquery API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: | - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/osquery/saved_queries/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a saved query using the query ID. - > info - > You cannot update a prebuilt saved query. - operationId: OsqueryUpdateSavedQuery - parameters: - - description: The saved query ID. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse' - description: Indicates a successful call. - summary: Update a saved query - tags: - - Security Osquery API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/osquery/saved_queries/{id}/copy: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/osquery/saved_queries/{id}/copy
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a copy of a saved query with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`). - operationId: OsqueryCopySavedQuery - parameters: - - description: The ID of the saved query to copy. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - responses: - '200': - content: - application/json: - examples: - copySavedQueryExample: - summary: Example response for copying a saved query - value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query_copy - interval: '60' - platform: linux,darwin - query: select * from uptime; - removed: false - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - snapshot: true - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Osquery_API_CopySavedQueryResponse' - description: Indicates a successful call. - summary: Copy a saved query - tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/osquery/scheduled_results/{scheduleId}/{executionCount}: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get paginated per-agent action results for a specific scheduled query execution, with success/failure aggregation and execution metadata (pack name, query name/text, timestamp). - operationId: OsqueryGetScheduledActionResults - parameters: - - description: The schedule ID of the scheduled query. - in: path - name: scheduleId - required: true - schema: - description: The schedule ID of the scheduled query. - example: pack_my_pack_uptime - type: string - - description: The execution count for this scheduled query run. - in: path - name: executionCount - required: true - schema: - description: The execution count for this scheduled query run. - example: 3 - type: integer - - description: The kuery to filter the results by. - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. The default is 1. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. The default is 20. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field that is used to sort the results. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: Specifies the sort order. 
- in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - responses: - '200': - content: - application/json: - examples: - scheduledActionResultsExample: - summary: Example scheduled action results response - value: - aggregations: - failed: 1 - pending: 0 - successful: 9 - totalResponded: 10 - totalRowCount: 42 - currentPage: 0 - edges: - - _id: result-001 - fields: - agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 - rows_count: 5 - status: success - metadata: - executionCount: 3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - timestamp: '2024-07-26T09:00:00.000Z' - pageSize: 20 - total: 10 - totalPages: 1 - schema: - $ref: '#/components/schemas/Security_Osquery_API_GetScheduledActionResultsResponse' - description: Indicates a successful call. - summary: Get scheduled action results - tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}/results
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get paginated query result rows (the actual osquery output data) for a specific scheduled query execution. - operationId: OsqueryGetScheduledQueryResults - parameters: - - description: The schedule ID of the scheduled query. - in: path - name: scheduleId - required: true - schema: - description: The schedule ID of the scheduled query. - example: pack_my_pack_uptime - type: string - - description: The execution count for this scheduled query run. - in: path - name: executionCount - required: true - schema: - description: The execution count for this scheduled query run. - example: 3 - type: integer - - description: The kuery to filter the results by. - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. The default is 1. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. The default is 20. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field that is used to sort the results. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: Specifies the sort order. - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - - description: The start date filter (ISO 8601) to narrow down results. - in: query - name: startDate - required: false - schema: - description: The start date filter (ISO 8601) to narrow down results. 
- example: '2024-01-01T00:00:00Z' - type: string - responses: - '200': - content: - application/json: - examples: - scheduledQueryResultsExample: - summary: Example scheduled query results response - value: - data: - edges: - - _id: row-001 - fields: - host.uptime: - - '12345' - - _id: row-002 - fields: - host.uptime: - - '67890' - total: 2 - schema: - $ref: '#/components/schemas/Security_Osquery_API_GetScheduledQueryResultsResponse' - description: Indicates a successful call. - summary: Get scheduled query results - tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/pinned_event: - patch: - description: |- - **Spaces method and path for this operation:** - -
patch /s/{space_id}/api/pinned_event
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Pin/unpin an event to/from an existing Timeline. - operationId: PersistPinnedEventRoute - requestBody: - content: - application/json: - examples: - pinEvent: - summary: Pin an event - value: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - schema: - type: object - properties: - eventId: - description: The `_id` of the associated event for this pinned event. - example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - type: string - pinnedEventId: - description: The `savedObjectId` of the pinned event you want to unpin. - example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 - nullable: true - type: string - timelineId: - description: The `savedObjectId` of the timeline that you want this pinned event unpinned from. - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - type: string - required: - - eventId - - timelineId - description: The pinned event to add or unpin, along with additional metadata. - required: true - responses: - '200': - content: - application/json: - examples: - pinnedSaved: - summary: Pinned event saved object - value: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - pinnedEventId: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzQ2LDFe - unpinned: - summary: Unpin response - value: - unpinned: true - schema: - $ref: '#/components/schemas/Security_Timeline_API_PersistPinnedEventResponse' - description: Indicates a successful call. - summary: Pin/unpin an event - tags: - - Security Timeline API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/risk_score/engine/dangerously_delete_data: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/risk_score/engine/dangerously_delete_data
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Cleaning up the the Risk Engine by removing the indices, mapping and transforms - operationId: CleanUpRiskEngine - responses: - '200': - content: - application/json: - examples: - CleanUpRiskEngineResponse: - summary: Successful cleanup response - value: - cleanup_successful: true - schema: - type: object - properties: - cleanup_successful: - type: boolean - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' - description: Task manager is unavailable - default: - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse' - description: Unexpected error - summary: Cleanup the Risk Engine - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/risk_score/engine/saved_object/configure: - patch: - description: |- - **Spaces method and path for this operation:** - -
patch /s/{space_id}/api/risk_score/engine/saved_object/configure
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Configuring the Risk Engine Saved Object - operationId: ConfigureRiskEngineSavedObject - requestBody: - content: - application/json: - examples: - ConfigureRiskEngineSavedObjectRequest: - summary: Configure the risk engine saved object - value: - enable_reset_to_zero: false - exclude_alert_statuses: - - closed - exclude_alert_tags: - - low-priority - filters: - - entity_types: - - host - - user - filter: 'host.name: *' - range: - end: now - start: now-30d - schema: - type: object - properties: - enable_reset_to_zero: - type: boolean - exclude_alert_statuses: - items: - type: string - type: array - exclude_alert_tags: - items: - type: string - type: array - filters: - items: - type: object - properties: - entity_types: - items: - enum: - - host - - user - - service - type: string - type: array - filter: - description: KQL filter string - type: string - required: - - entity_types - - filter - type: array - range: - type: object - properties: - end: - type: string - start: - type: string - required: true - responses: - '200': - content: - application/json: - examples: - ConfigureRiskEngineSavedObjectResponse: - summary: Successful configuration response - value: - risk_engine_saved_object_configured: true - schema: - type: object - properties: - risk_engine_saved_object_configured: - type: boolean - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' - description: Task manager is unavailable - default: - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse' - description: Unexpected error - summary: Configure the Risk Engine Saved Object - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: 
product_name - /api/risk_score/engine/schedule_now: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/risk_score/engine/schedule_now
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Schedule the risk scoring engine to run as soon as possible. You can use this to recalculate entity risk scores after updating their asset criticality. - operationId: ScheduleRiskEngineNow - requestBody: - content: - application/json: {} - responses: - '200': - content: - application/json: - examples: - ScheduleRiskEngineNowResponse: - summary: Successful schedule response - value: - success: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' - description: Task manager is unavailable - default: - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse' - description: Unexpected error - summary: Run the risk scoring engine - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/saved_objects/_export: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/saved_objects/_export
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve sets of saved objects that you want to import into Kibana. You must include `type` or `objects` in the request body. The output of exporting saved objects must be treated as opaque. Tampering with exported data risks introducing unspecified errors and data loss. - - Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana. - - NOTE: The exported saved objects include `coreMigrationVersion` and `typeMigrationVersion` metadata. If you store exported saved objects outside of Kibana (for example in NDJSON files) or generate them yourself, you must preserve or include these fields to retain forward compatibility across Kibana versions. - - NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be exported. - operationId: post-saved-objects-export - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - exportSavedObjectsRequest: - summary: Export a specific saved object. - value: - excludeExportDetails: true - includeReferencesDeep: false - objects: - - id: de71f4f0-1902-11e9-919b-ffe5949a18d2 - type: map - schema: - additionalProperties: false - type: object - properties: - excludeExportDetails: - default: false - description: Do not add export details entry at the end of the stream. 
- type: boolean - hasReference: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - type: - type: string - required: - - type - - id - - items: - additionalProperties: false - type: object - properties: - id: - type: string - type: - type: string - required: - - type - - id - maxItems: 100 - type: array - includeReferencesDeep: - default: false - description: Includes all of the referenced objects in the exported objects. - type: boolean - objects: - description: 'A list of objects to export. NOTE: this optional parameter cannot be combined with the `types` option' - items: - additionalProperties: false - type: object - properties: - id: - type: string - type: - type: string - required: - - type - - id - maxItems: 10000 - type: array - search: - description: Search for documents to export using the Elasticsearch Simple Query String syntax. - type: string - type: - anyOf: - - type: string - - items: - type: string - maxItems: 100 - type: array - description: The saved object types to include in the export. Use `*` to export all the types. Valid options depend on enabled plugins, but may include `visualization`, `dashboard`, `search`, `index-pattern`, `tag`, `config`, `config-global`, `lens`, `map`, `event-annotation-group`, `query`, `url`, `action`, `alert`, `alerting_rule_template`, `apm-indices`, `cases-user-actions`, `cases`, `cases-comments`, `infrastructure-monitoring-log-view`, `ml-trained-model`, `osquery-saved-query`, `osquery-pack`, `osquery-pack-asset`. - responses: - '200': - content: - application/x-ndjson: - examples: - exportSavedObjectsResponse: - summary: The export objects API response contains a JSON record for each exported object. 
- value: - attributes: - description: '' - layerListJSON: '[{"id":"0hmz5","alpha":1,"sourceDescriptor":{"type":"EMS_TMS","isAutoSelect":true,"lightModeDefault":"road_map_desaturated"},"visible":true,"style":{},"type":"EMS_VECTOR_TILE","minZoom":0,"maxZoom":24},{"id":"edh66","label":"Total Requests by Destination","minZoom":0,"maxZoom":24,"alpha":0.5,"sourceDescriptor":{"type":"EMS_FILE","id":"world_countries","tooltipProperties":["name","iso2"]},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e","origin":"join"},"color":"Greys","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"STATIC","options":{"size":10}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR","joins":[{"leftField":"iso2","right":{"type":"ES_TERM_SOURCE","id":"673ff994-fc75-4c67-909b-69fcb0e1060e","indexPatternTitle":"kibana_sample_data_logs","term":"geo.dest","indexPatternRefName":"layer_1_join_0_index_pattern","metrics":[{"type":"count","label":"web logs count"}],"applyGlobalQuery":true}}]},{"id":"gaxya","label":"Actual 
Requests","minZoom":9,"maxZoom":24,"alpha":1,"sourceDescriptor":{"id":"b7486535-171b-4d3b-bb2e-33c1a0a2854c","type":"ES_SEARCH","geoField":"geo.coordinates","limit":2048,"filterByMapBounds":true,"tooltipProperties":["clientip","timestamp","host","request","response","machine.os","agent","bytes"],"indexPatternRefName":"layer_2_source_index_pattern","applyGlobalQuery":true,"scalingType":"LIMIT"},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"STATIC","options":{"color":"#2200ff"}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":2}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"bytes","origin":"source"},"minSize":1,"maxSize":23,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"},{"id":"tfi3f","label":"Total Requests and Bytes","minZoom":0,"maxZoom":9,"alpha":1,"sourceDescriptor":{"type":"ES_GEO_GRID","resolution":"COARSE","id":"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b","geoField":"geo.coordinates","requestType":"point","metrics":[{"type":"count","label":"web logs 
count"},{"type":"sum","field":"bytes"}],"indexPatternRefName":"layer_3_source_index_pattern","applyGlobalQuery":true},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"color":"Blues","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#cccccc"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"sum_of_bytes","origin":"source"},"minSize":7,"maxSize":25,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelText":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelSize":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"minSize":12,"maxSize":24,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"}]' - mapStateJSON: '{"zoom":3.64,"center":{"lon":-88.92107,"lat":42.16337},"timeFilters":{"from":"now-7d","to":"now"},"refreshConfig":{"isPaused":true,"interval":0},"query":{"language":"kuery","query":""},"settings":{"autoFitToDataBounds":false}}' - title: '[Logs] Total Requests and Bytes' - uiStateJSON: '{"isDarkMode":false}' - coreMigrationVersion: 8.8.0 - created_at: '2023-08-23T20:03:32.204Z' - id: de71f4f0-1902-11e9-919b-ffe5949a18d2 - managed: false - references: - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: layer_1_join_0_index_pattern - type: index-pattern - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: layer_2_source_index_pattern - type: index-pattern - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: layer_3_source_index_pattern - type: index-pattern - type: map - typeMigrationVersion: 8.4.0 - updated_at: '2023-08-23T20:03:32.204Z' - version: WzEzLDFd - schema: {} - description: Indicates a successfull call. 
- '400': - content: - application/json: - schema: - additionalProperties: false - description: Indicates an unsuccessful response. - type: object - properties: - error: - type: string - message: - type: string - statusCode: - enum: - - 400 - type: integer - required: - - error - - message - - statusCode - description: Bad request. - summary: Export saved objects - tags: - - saved objects - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/saved_objects/_import: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/saved_objects/_import
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create sets of Kibana saved objects from a file created by the export API. Saved objects can only be imported into the same version, a newer minor on the same major, or the next major. Tampering with exported data risks introducing unspecified errors and data loss. - - Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana. - - NOTE: The exported saved objects include `coreMigrationVersion` and `typeMigrationVersion` metadata. If you store exported saved objects outside of Kibana (for example in NDJSON files) or generate them yourself, you must preserve or include these fields to retain forwards compatibility across Kibana versions. - operationId: post-saved-objects-import - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: 'Overwrites saved objects when they already exist. When used, potential conflict errors are automatically resolved by overwriting the destination object. NOTE: This option cannot be used with the `createNewCopies` option.' - in: query - name: overwrite - required: false - schema: - default: false - type: boolean - - description: 'Creates copies of saved objects, regenerates each object ID, and resets the origin. When used, potential conflict errors are avoided. NOTE: This option cannot be used with the `overwrite` and `compatibilityMode` options.' - in: query - name: createNewCopies - required: false - schema: - default: false - type: boolean - - description: 'Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with imported saved objects. NOTE: This option cannot be used with the `createNewCopies` option.' 
- in: query - name: compatibilityMode - required: false - schema: - default: false - type: boolean - requestBody: - content: - multipart/form-data: - examples: - importObjectsRequest: - value: - file: file.ndjson - schema: - additionalProperties: false - type: object - properties: - file: - description: 'A file exported using the export API. Changing the contents of the exported file in any way before importing it can cause errors, crashes or data loss. NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be included in this file. Similarly, the `savedObjects.maxImportPayloadBytes` setting limits the overall size of the file that can be imported.' - type: object - required: - - file - responses: - '200': - content: - application/json: - examples: - importObjectsResponse: - summary: The import objects API response indicates a successful import and the objects are created. Since these objects are created as new copies, each entry in the successResults array includes a destinationId attribute. - value: - success: true - successCount: 1 - successResults: - - destinationId: 82d2760c-468f-49cf-83aa-b9a35b6a8943 - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - managed: false - meta: - icon: indexPatternApp - title: Kibana Sample Data Logs - type: index-pattern - schema: - additionalProperties: false - type: object - properties: - errors: - description: |- - Indicates the import was unsuccessful and specifies the objects that failed to import. - - NOTE: One object may result in multiple errors, which requires separate steps to resolve. For instance, a `missing_references` error and conflict error. - items: - additionalProperties: true - type: object - properties: {} - type: array - success: - description: Indicates when the import was successfully completed. When set to false, some objects may not have been created. For additional information, refer to the `errors` and `successResults` properties. 
- type: boolean - successCount: - description: Indicates the number of successfully imported records. - type: number - successResults: - description: |- - Indicates the objects that are successfully imported, with any metadata if applicable. - - NOTE: Objects are created only when all resolvable errors are addressed, including conflicts and missing references. If objects are created as new copies, each entry in the `successResults` array includes a `destinationId` attribute. - items: - additionalProperties: true - type: object - properties: {} - type: array - required: - - success - - successCount - - errors - - successResults - description: Indicates a successful call. - '400': - content: - application/json: - schema: - additionalProperties: false - description: Indicates an unsuccessful response. - type: object - properties: - error: - type: string - message: - type: string - statusCode: - enum: - - 400 - type: integer - required: - - error - - message - - statusCode - description: Bad request. - summary: Import saved objects - tags: - - saved objects - x-codeSamples: - - label: Import with createNewCopies - lang: cURL - source: | - curl \ - -X POST api/saved_objects/_import?createNewCopies=true - -H "kbn-xsrf: true" - --form file=@file.ndjson - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security_ai_assistant/anonymization_fields/_bulk_action: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/security_ai_assistant/anonymization_fields/_bulk_action
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Apply a bulk action to multiple anonymization fields. The bulk action is applied to all anonymization fields that match the filter or to the list of anonymization fields by their IDs. - operationId: PerformAnonymizationFieldsBulkAction - requestBody: - content: - application/json: - schema: - example: - create: - - allowed: true - anonymized: false - field: host.name - - allowed: false - anonymized: true - field: user.name - delete: - ids: - - field5 - - field6 - query: 'field: host.name' - update: - - allowed: true - anonymized: false - id: field8 - - allowed: false - anonymized: true - id: field9 - type: object - properties: - create: - description: Array of anonymization fields to create. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps' - type: array - delete: - description: Object containing the query to filter anonymization fields and/or an array of anonymization field IDs to delete. - type: object - properties: - ids: - description: Array of IDs to apply the action to. - example: - - '1234' - - '5678' - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter the bulk action. - example: 'status: ''inactive''' - type: string - update: - description: Array of anonymization fields to update. 
- items: - $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps' - type: array - responses: - '200': - content: - application/json: - example: - anonymization_fields_count: 5 - attributes: - results: - created: - - allowed: false - anonymized: true - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: host.name - id: field2 - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - deleted: - - field3 - skipped: - - id: field4 - name: user.name - skip_reason: ANONYMIZATION_FIELD_NOT_MODIFIED - updated: - - allowed: true - anonymized: false - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: url.domain - id: field8 - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - summary: - failed: 1 - skipped: 1 - succeeded: 2 - total: 5 - message: Bulk action completed successfully - status_code: 200 - success: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse' - description: Indicates a successful call. - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request body - statusCode: 400 - schema: - type: object - properties: - error: - description: Error type or name. - type: string - message: - description: Detailed error message. - type: string - statusCode: - description: Status code of the response. - type: number - description: Generic Error - summary: Apply a bulk action to anonymization fields - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security_ai_assistant/anonymization_fields/_find: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/security_ai_assistant/anonymization_fields/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all anonymization fields. - operationId: FindAnonymizationFields - parameters: - - description: Fields to return - example: - - id - - field - - anonymized - - allowed - in: query - name: fields - required: false - schema: - items: - type: string - type: array - - description: Search query - example: 'field: "user.name"' - in: query - name: filter - required: false - schema: - type: string - - description: Field to sort by - example: created_at - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField' - - description: Sort order - example: asc - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - - description: Page number - example: 1 - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: integer - - description: AnonymizationFields per page - example: 20 - in: query - name: per_page - required: false - schema: - default: 20 - minimum: 0 - type: integer - - description: If true, additionally fetch all anonymization fields, otherwise fetch only the provided page - in: query - name: all_data - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - example: - aggregations: - anonymized: - buckets: - allowed: - doc_count: 1 - anonymized: - doc_count: 1 - denied: - doc_count: 1 - all: - - allowed: true - anonymized: true - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: user.name - id: '1' - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - data: - - allowed: true - anonymized: true - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: user.name - id: '1' - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: 
'2023-10-31T12:00:00Z' - updatedBy: user1 - page: 1 - perPage: 20 - total: 100 - schema: - type: object - properties: - aggregations: - type: object - properties: - field_status: - type: object - properties: - buckets: - type: object - properties: - allowed: - type: object - properties: - doc_count: - default: 0 - type: integer - anonymized: - type: object - properties: - doc_count: - default: 0 - type: integer - denied: - type: object - properties: - doc_count: - default: 0 - type: integer - all: - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' - type: array - data: - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - required: - - page - - perPage - - total - - data - description: Successful response - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters - statusCode: 400 - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - summary: Get anonymization fields - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security_ai_assistant/chat/complete: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/security_ai_assistant/chat/complete
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a model response for the given chat conversation. - operationId: ChatComplete - parameters: - - description: If true, the response will not include content references. - example: false - in: query - name: content_references_disabled - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - example: - connectorId: conn-001 - conversationId: abc123 - isStream: true - langSmithApiKey: sk-abc123 - langSmithProject: security_ai_project - messages: - - content: What are some common phishing techniques? - data: - user_id: user_789 - fields_to_anonymize: - - user.name - - source.ip - role: user - model: gpt-4 - persist: true - promptId: prompt_456 - responseLanguage: en - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' - required: true - responses: - '200': - content: - application/octet-stream: - schema: - format: binary - type: string - description: Indicates a successful model response call. - '400': - content: - application/json: - schema: - type: object - properties: - error: - description: Error type. - example: Bad Request - type: string - message: - description: Human-readable error message. - example: Invalid request payload. - type: string - statusCode: - description: HTTP status code. - example: 400 - type: number - description: Generic Error - summary: Create a model response - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security_ai_assistant/current_user/conversations: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/security_ai_assistant/current_user/conversations
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - This endpoint allows users to permanently delete all conversations. - operationId: DeleteAllConversations - requestBody: - content: - application/json: - schema: - type: object - properties: - excludedIds: - description: Optional list of conversation IDs to delete. - example: - - abc123 - - def456 - items: - type: string - type: array - required: false - responses: - '200': - content: - application/json: - example: - success: true - schema: - type: object - properties: - failures: - items: - type: string - type: array - success: - example: true - type: boolean - totalDeleted: - example: 10 - type: number - description: Indicates a successful call. The conversations were deleted successfully. - '400': - content: - application/json: - schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid conversation ID - type: string - statusCode: - example: 400 - type: number - description: Generic Error. This response indicates an issue with the request. - summary: Delete conversations - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/security_ai_assistant/current_user/conversations
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new Security AI Assistant conversation. This endpoint allows the user to initiate a conversation with the Security AI Assistant by providing the required parameters. - operationId: CreateConversation - requestBody: - content: - application/json: - example: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - excludeFromLastConversationStorage: false - messages: - - content: Hello, how can I assist you today? - role: system - timestamp: '2023-10-31T12:00:00Z' - replacements: {} - title: Security Discussion - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCreateProps' - required: true - responses: - '200': - content: - application/json: - example: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - createdAt: '2023-10-31T12:01:00Z' - excludeFromLastConversationStorage: false - id: abc123 - messages: - - content: Hello, how can I assist you today? - role: system - timestamp: '2023-10-31T12:00:00Z' - replacements: {} - title: Security Discussion - updatedAt: '2023-10-31T12:01:00Z' - users: - - id: user1 - name: John Doe - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' - description: Indicates a successful call. The conversation was created successfully. - '400': - content: - application/json: - schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: 'Missing required parameter: title' - type: string - statusCode: - example: 400 - type: number - description: Generic Error. This response indicates an issue with the request, such as missing required parameters or incorrect data. 
- summary: Create a conversation - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security_ai_assistant/current_user/conversations/_find: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/security_ai_assistant/current_user/conversations/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all conversations for the current user. This endpoint allows users to search, filter, sort, and paginate through their conversations. - operationId: FindConversations - parameters: - - description: A list of fields to include in the response. If omitted, all fields are returned. - in: query - name: fields - required: false - schema: - example: - - id - - title - - createdAt - items: - type: string - type: array - - description: A search query to filter the conversations. Can match against titles, messages, or other conversation attributes. - in: query - name: filter - required: false - schema: - example: Security Issue - type: string - - description: The field by which to sort the results. Valid fields are `created_at`, `title`, and `updated_at`. - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_FindConversationsSortField' - example: created_at - - description: The order in which to sort the results. Can be either `asc` for ascending or `desc` for descending. - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - example: desc - - description: The page number of the results to retrieve. Default is 1. - in: query - name: page - required: false - schema: - default: 1 - example: 1 - minimum: 1 - type: integer - - description: The number of conversations to return per page. Default is 20. - in: query - name: per_page - required: false - schema: - default: 20 - example: 20 - minimum: 0 - type: integer - - description: Whether to return conversations that the current user owns. If true, only conversations owned by the user are returned. 
- in: query - name: is_owner - required: false - schema: - default: false - example: true - type: boolean - responses: - '200': - content: - application/json: - schema: - type: object - properties: - data: - description: A list of conversations. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' - type: array - page: - description: The current page of the results. - example: 1 - type: integer - perPage: - description: The number of results returned per page. - example: 20 - type: integer - total: - description: The total number of conversations matching the filter criteria. - example: 100 - type: integer - required: - - page - - perPage - - total - - data - description: Successful response, returns a paginated list of conversations matching the specified criteria. - '400': - content: - application/json: - schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid filter query parameter - type: string - statusCode: - example: 400 - type: number - description: Generic Error. The request could not be processed due to an invalid query parameter or other issue. - summary: Get conversations - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security_ai_assistant/current_user/conversations/{id}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete an existing conversation using the conversation ID. This endpoint allows users to permanently delete a conversation. - operationId: DeleteConversation - parameters: - - description: The conversation's `id` value. - example: abc123 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - responses: - '200': - content: - application/json: - example: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - createdAt: '2023-10-31T12:01:00Z' - excludeFromLastConversationStorage: false - id: abc123 - messages: - - content: The conversation has been deleted. - role: system - timestamp: '2023-10-31T12:35:00Z' - replacements: {} - title: Deleted Security Discussion - updatedAt: '2023-10-31T12:01:00Z' - users: - - id: user1 - name: John Doe - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' - description: Indicates a successful call. The conversation was deleted successfully. - '400': - content: - application/json: - schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid conversation ID - type: string - statusCode: - example: 400 - type: number - description: Generic Error. This response indicates an issue with the request. - summary: Delete a conversation - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the details of an existing conversation using the conversation ID. This allows users to fetch the specific conversation data by its unique ID. - operationId: ReadConversation - parameters: - - description: The conversation's `id` value, a unique identifier for the conversation. - example: abc123 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - responses: - '200': - content: - application/json: - example: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - createdAt: '2023-10-31T12:01:00Z' - excludeFromLastConversationStorage: false - id: abc123 - messages: - - content: Hello, how can I assist you today? - role: system - timestamp: '2023-10-31T12:00:00Z' - replacements: {} - title: Security Discussion - updatedAt: '2023-10-31T12:01:00Z' - users: - - id: user1 - name: John Doe - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' - description: Indicates a successful call. The conversation details are returned. - '400': - content: - application/json: - schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid conversation ID - type: string - statusCode: - example: 400 - type: number - description: Generic Error. The request could not be processed due to an error. - summary: Get a conversation - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an existing conversation using the conversation ID. This endpoint allows users to modify the details of an existing conversation. - operationId: UpdateConversation - parameters: - - description: The conversation's `id` value. - example: abc123 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - requestBody: - content: - application/json: - example: - apiConfig: - actionTypeId: '09876' - connectorId: '54321' - category: insights - excludeFromLastConversationStorage: true - messages: - - content: The issue was resolved. - role: assistant - timestamp: '2023-10-31T12:30:00Z' - replacements: {} - title: Updated Security Discussion - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps' - required: true - responses: - '200': - content: - application/json: - example: - apiConfig: - actionTypeId: '09876' - connectorId: '54321' - category: insights - createdAt: '2023-10-31T12:01:00Z' - excludeFromLastConversationStorage: true - id: abc123 - messages: - - content: The issue was resolved. - role: assistant - timestamp: '2023-10-31T12:30:00Z' - replacements: {} - title: Updated Security Discussion - updatedAt: '2023-10-31T12:31:00Z' - users: - - id: user1 - name: John Doe - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' - description: Indicates a successful call. The conversation was updated successfully. - '400': - content: - application/json: - schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: 'Missing required field: title' - type: string - statusCode: - example: 400 - type: number - description: Generic Error. This response indicates an issue with the request, such as missing required parameters or incorrect data. 
- summary: Update a conversation - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security_ai_assistant/knowledge_base: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/security_ai_assistant/knowledge_base
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Read a single KB - operationId: GetKnowledgeBase - responses: - '200': - content: - application/json: - examples: - KnowledgeBaseReadResponse200Example2: - summary: A response that returns information about the knowledge base. - value: - defend_insights_exists: true - elser_exists: false - is_setup_available: true - is_setup_in_progress: true - product_documentation_status: installed - security_labs_exists: false - user_data_exists: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200' - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' - description: Generic Error - summary: Read a KnowledgeBase - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - operationId: PostKnowledgeBase - parameters: - - description: ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used. - example: elser-model-001 - in: query - name: modelId - required: false - schema: - type: string - - description: Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base. Defaults to `false`. - example: true - in: query - name: ignoreSecurityLabs - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - KnowledgeBaseResponse200Example2: - summary: A response that indicates that the request was successful. - value: - success: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse' - description: Indicates a successful call. 
- '400': - content: - application/json: - examples: - KnowledgeBaseResponse400Example2: - summary: A response for a request that failed due to an invalid query parameter value. - value: | - statusCode: 400 error: Bad Request message: "[request query]: ignoreSecurityLabs: Invalid enum value. Expected 'true' | 'false', received 'yes', ignoreSecurityLabs: Expected boolean, received string" - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' - description: Generic Error - summary: Create a KnowledgeBase - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/security_ai_assistant/knowledge_base
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/security_ai_assistant/knowledge_base/{resource}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/security_ai_assistant/knowledge_base/{resource}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Read a knowledge base with a specific resource identifier. - operationId: ReadKnowledgeBase - parameters: - - description: The KnowledgeBase `resource` value. - example: kb12345 - in: path - name: resource - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - KnowledgeBaseReadResponse200Example1: - summary: A response that returns information about the knowledge base. - value: - defend_insights_exists: true - elser_exists: false - is_setup_available: true - is_setup_in_progress: true - product_documentation_status: installed - security_labs_exists: false - user_data_exists: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200' - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' - description: Generic Error - summary: Read a KnowledgeBase for a resource - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/security_ai_assistant/knowledge_base/{resource}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a knowledge base with a specific resource identifier. - operationId: CreateKnowledgeBase - parameters: - - description: The KnowledgeBase `resource` value. - example: kb12345 - in: path - name: resource - required: true - schema: - type: string - - description: ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used. - example: elser-model-001 - in: query - name: modelId - required: false - schema: - type: string - - description: Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base. Defaults to `false`. - example: true - in: query - name: ignoreSecurityLabs - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - KnowledgeBaseResponse200Example1: - summary: A response that indicates that the request was successful. - value: - success: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse' - description: Indicates a successful call. - '400': - content: - application/json: - examples: - KnowledgeBaseResponse400Example1: - summary: A response for a request that failed due to an invalid query parameter value. - value: | - statusCode: 400 error: Bad Request message: "[request query]: ignoreSecurityLabs: Invalid enum value. Expected 'true' | 'false', received 'yes', ignoreSecurityLabs: Expected boolean, received string" - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' - description: Generic Error - summary: Create a KnowledgeBase for a resource - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security_ai_assistant/knowledge_base/entries: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/security_ai_assistant/knowledge_base/entries
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a Knowledge Base Entry - operationId: CreateKnowledgeBaseEntry - requestBody: - content: - application/json: - example: - content: To reset your password, go to the settings page and click 'Reset Password'. - tags: - - password - - reset - - help - title: How to reset a password - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps' - required: true - responses: - '200': - content: - application/json: - example: - content: To reset your password, go to the settings page and click 'Reset Password'. - id: '12345' - tags: - - password - - reset - - help - title: How to reset a password - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' - description: Successful request returning Knowledge Base Entries - '400': - content: - application/json: - example: - error: Invalid input - message: The 'title' field is required. - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' - description: A generic error occurred, such as invalid input or missing required fields. - summary: Create a Knowledge Base Entry - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security_ai_assistant/knowledge_base/entries/_bulk_action: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/_bulk_action
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - The bulk action is applied to all Knowledge Base Entries that match the filter or to the list of Knowledge Base Entries by their IDs. - operationId: PerformKnowledgeBaseEntryBulkAction - requestBody: - content: - application/json: - schema: - type: object - properties: - create: - description: List of Knowledge Base Entries to create. - example: - - content: This is the content of the new entry. - title: New Entry - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps' - type: array - delete: - type: object - properties: - ids: - description: Array of Knowledge Base Entry IDs. - example: - - '123' - - '456' - - '789' - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter Knowledge Base Entries. - example: status:active AND category:technology - type: string - update: - description: List of Knowledge Base Entries to update. - example: - - content: Updated content. - id: '123' - title: Updated Entry - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps' - type: array - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse' - description: Successful bulk operation request - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' - description: Generic Error - summary: Applies a bulk action to multiple Knowledge Base Entries - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security_ai_assistant/knowledge_base/entries/_find: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Finds Knowledge Base Entries that match the given query. - operationId: FindKnowledgeBaseEntries - parameters: - - description: A list of fields to include in the response. If not provided, all fields will be included. - in: query - name: fields - required: false - schema: - example: - - title - - created_at - items: - type: string - type: array - - description: Search query to filter Knowledge Base Entries by specific criteria. - in: query - name: filter - required: false - schema: - example: error handling - type: string - - description: Field to sort the Knowledge Base Entries by. - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField' - example: created_at - - description: Sort order for the results, either asc or desc. - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - example: asc - - description: Page number for paginated results. Defaults to 1. - in: query - name: page - required: false - schema: - default: 1 - example: 2 - minimum: 1 - type: integer - - description: Number of Knowledge Base Entries to return per page. Defaults to 20. - in: query - name: per_page - required: false - schema: - default: 20 - example: 10 - minimum: 0 - type: integer - responses: - '200': - content: - application/json: - schema: - type: object - properties: - data: - description: The list of Knowledge Base Entries for the current page. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' - type: array - page: - description: The current page number. - example: 1 - type: integer - perPage: - description: The number of Knowledge Base Entries returned per page. - example: 20 - type: integer - total: - description: The total number of Knowledge Base Entries available. 
- example: 100 - type: integer - required: - - page - - perPage - - total - - data - description: Successful response containing the paginated Knowledge Base Entries. - '400': - content: - application/json: - schema: - type: object - properties: - error: - description: A short description of the error. - example: Bad Request - type: string - message: - description: A detailed message explaining the error. - example: 'Invalid query parameter: sort_order' - type: string - statusCode: - description: The HTTP status code of the error. - example: 400 - type: number - description: Generic Error indicating an issue with the request. - summary: Finds Knowledge Base Entries that match the given query. - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security_ai_assistant/knowledge_base/entries/{id}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a Knowledge Base Entry by its unique `id`. - operationId: DeleteKnowledgeBaseEntry - parameters: - - description: The unique identifier (`id`) of the Knowledge Base Entry to delete. - example: '12345' - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - responses: - '200': - content: - application/json: - example: - id: '12345' - message: Knowledge Base Entry successfully deleted. - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_DeleteResponseFields' - description: Successful request returning the `id` of the deleted Knowledge Base Entry. - '400': - content: - application/json: - example: - error: Not Found - message: No Knowledge Base Entry found with the provided `id`. - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' - description: A generic error occurred, such as an invalid `id` or the entry not being found. - summary: Deletes a single Knowledge Base Entry using the `id` field - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve a Knowledge Base Entry by its unique `id`. - operationId: ReadKnowledgeBaseEntry - parameters: - - description: The unique identifier (`id`) of the Knowledge Base Entry to retrieve. - example: '12345' - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - responses: - '200': - content: - application/json: - example: - content: To reset your password, go to the settings page and click 'Reset Password'. - id: '12345' - tags: - - password - - reset - - help - title: How to reset a password - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' - description: Successful request returning the requested Knowledge Base Entry. - '400': - content: - application/json: - example: - error: Not Found - message: No Knowledge Base Entry found with the provided `id`. - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' - description: A generic error occurred, such as an invalid `id` or the entry not being found. - summary: Read a Knowledge Base Entry - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an existing Knowledge Base Entry by its unique `id`. - operationId: UpdateKnowledgeBaseEntry - parameters: - - description: The unique identifier (`id`) of the Knowledge Base Entry to update. - example: '12345' - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - requestBody: - content: - application/json: - example: - content: To reset your password, go to the settings page, click 'Reset Password', and follow the instructions. - tags: - - password - - reset - - help - - update - title: How to reset a password (updated) - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps' - required: true - responses: - '200': - content: - application/json: - example: - content: To reset your password, go to the settings page, click 'Reset Password', and follow the instructions. - id: '12345' - tags: - - password - - reset - - help - - update - title: How to reset a password (updated) - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' - description: Successful request returning the updated Knowledge Base Entry. - '400': - content: - application/json: - example: - error: Invalid input - message: The 'content' field cannot be empty. - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' - description: A generic error occurred, such as invalid input or the entry not being found. - summary: Update a Knowledge Base Entry - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security_ai_assistant/prompts/_bulk_action: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/security_ai_assistant/prompts/_bulk_action
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Apply a bulk action to multiple prompts. The bulk action is applied to all prompts that match the filter or to the list of prompts by their IDs. This action allows for bulk create, update, or delete operations. - operationId: PerformPromptsBulkAction - requestBody: - content: - application/json: - example: - create: - - content: Please verify the security settings. - name: New Security Prompt - promptType: system - delete: - ids: - - prompt1 - - prompt2 - update: - - content: Updated content for security prompt. - id: prompt123 - schema: - type: object - properties: - create: - description: List of prompts to be created. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_PromptCreateProps' - type: array - delete: - description: Criteria for deleting prompts in bulk. - type: object - properties: - ids: - description: Array of IDs to apply the action to. - example: - - '1234' - - '5678' - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter the bulk action. - example: 'status: ''inactive''' - type: string - update: - description: List of prompts to be updated. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_PromptUpdateProps' - type: array - responses: - '200': - content: - application/json: - examples: - success: - value: - attributes: - errors: [] - results: - created: - - content: Please verify the security settings. - id: prompt6 - name: New Security Prompt - promptType: system - deleted: - - prompt2 - - prompt3 - skipped: - - id: prompt4 - name: Security Prompt - skip_reason: PROMPT_FIELD_NOT_MODIFIED - updated: - - content: Updated security settings prompt - id: prompt1 - name: Security Prompt - promptType: system - summary: - failed: 0 - skipped: 1 - succeeded: 4 - total: 5 - message: Bulk action completed successfully. 
- prompts_count: 5 - status_code: 200 - success: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse' - description: Indicates a successful call with the results of the bulk action. - '400': - content: - application/json: - schema: - type: object - properties: - error: - description: A short error message. - example: Bad Request - type: string - message: - description: A detailed error message. - example: Invalid prompt ID or missing required fields. - type: string - statusCode: - description: The HTTP status code for the error. - example: 400 - type: number - description: Indicates a generic error due to a bad request. - summary: Apply a bulk action to prompts - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security_ai_assistant/prompts/_find: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/security_ai_assistant/prompts/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all prompts based on optional filters, sorting, and pagination. - operationId: FindPrompts - parameters: - - description: List of specific fields to include in each returned prompt. - in: query - name: fields - required: false - schema: - example: - - id - - name - - content - items: - type: string - type: array - - description: Search query string to filter prompts by matching fields. - in: query - name: filter - required: false - schema: - example: error handling - type: string - - description: Field to sort prompts by. - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_FindPromptsSortField' - - description: Sort order, either asc or desc. - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - - description: Page number for pagination. - in: query - name: page - required: false - schema: - default: 1 - example: 1 - minimum: 1 - type: integer - - description: Number of prompts per page. - in: query - name: per_page - required: false - schema: - default: 20 - example: 20 - minimum: 0 - type: integer - responses: - '200': - content: - application/json: - schema: - example: - data: - - categories: - - troubleshooting - - logging - color: '#FF5733' - consumer: security - content: If you encounter an error, check the logs and retry. 
- createdAt: '2025-04-20T21:00:00Z' - createdBy: jdoe - id: prompt-123 - isDefault: true - isNewConversationDefault: false - name: Error Troubleshooting Prompt - namespace: default - promptType: standard - timestamp: '2025-04-30T22:30:00Z' - updatedAt: '2025-04-30T22:45:00Z' - updatedBy: jdoe - users: - - full_name: John Doe - username: jdoe - page: 1 - perPage: 20 - total: 142 - type: object - properties: - data: - description: The list of prompts returned based on the search query, sorting, and pagination. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' - type: array - page: - description: Current page number. - example: 1 - type: integer - perPage: - description: Number of prompts per page. - example: 20 - type: integer - total: - description: Total number of prompts matching the query. - example: 142 - type: integer - required: - - page - - perPage - - total - - data - description: Successful response containing a list of prompts. - '400': - content: - application/json: - schema: - type: object - properties: - error: - description: Short error message. - example: Bad Request - type: string - message: - description: Detailed description of the error. - example: Invalid sort order value provided. - type: string - statusCode: - description: HTTP status code for the error. - example: 400 - type: number - description: Bad request due to invalid parameters or malformed query. - summary: Get prompts - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security/entity_store: - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/security/entity_store
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update the Entity Store log extraction configuration.

[Required authorization] Route required privileges: securitySolution. - operationId: put-security-entity-store - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - updateLogExtractionExample: - description: Update the log extraction configuration with a new lookback period and frequency. - summary: Update log extraction settings - value: - logExtraction: - fieldHistoryLength: 15 - frequency: 10m - lookbackPeriod: 6h - schema: - additionalProperties: false - type: object - properties: - logExtraction: - additionalProperties: false - type: object - properties: - additionalIndexPatterns: - items: - type: string - type: array - delay: - pattern: '[smdh]$' - type: string - docsLimit: - maximum: 9007199254740991 - minimum: 1 - type: integer - fieldHistoryLength: - maximum: 9007199254740991 - minimum: -9007199254740991 - type: integer - filter: - type: string - frequency: - pattern: '[smdh]$' - type: string - lookbackPeriod: - pattern: '[smdh]$' - type: string - maxLogsPerPage: - maximum: 9007199254740991 - minimum: 1 - type: integer - required: - - logExtraction - responses: - '200': - content: - application/json: - examples: - updateSuccessExample: - description: The Entity Store configuration was successfully updated. - summary: Entity Store updated - value: - ok: true - description: Indicates a successful response. - '400': - content: - application/json: - examples: - invalidDurationExample: - description: A log extraction parameter has an invalid duration format. - summary: Invalid duration parameter - value: - error: Bad Request - message: '[request body]: logExtraction.frequency: must be a valid duration of at least 30 seconds (e.g. 1m, 30s)' - statusCode: 400 - description: Bad request. 
- '404': - content: - application/json: - examples: - notFoundExample: - description: The Entity Store has not been installed yet. - summary: Entity Store not installed - value: - error: Not Found - message: Entity store is not installed - statusCode: 404 - description: Entity Store not found. - summary: Update the Entity Store - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ - -H "Content-Type: application/json" \ - -d '{"logExtraction":{"lookbackPeriod":"6h","frequency":"10m","fieldHistoryLength":15}}' \ - "${KIBANA_URL}/api/security/entity_store" - - lang: Console - source: | - PUT kbn://api/security/entity_store - { - "logExtraction": { - "lookbackPeriod": "6h", - "frequency": "10m", - "fieldHistoryLength": 15 - } - } - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security/entity_store/entities: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/security/entity_store/entities
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List entity records from the Entity Store with paging, sorting, and filtering. Supports two modes: page-based pagination (page/per_page) and cursor-based pagination (searchAfter). The two modes cannot be combined.

[Required authorization] Route required privileges: securitySolution. - operationId: get-security-entity-store-entities - parameters: - - description: A Kibana Query Language (KQL) filter for the search-after mode. - in: query - name: filter - required: false - schema: - type: string - - description: Number of entities to return in search-after mode. - in: query - name: size - required: false - schema: - maximum: 9007199254740991 - minimum: 1 - type: integer - - description: JSON-encoded search_after value for cursor-based pagination. - in: query - name: searchAfter - required: false - schema: - type: string - - description: Fields to include in the response source. - in: query - name: source - required: false - schema: - items: - type: string - type: array - - description: Fields to include in the response. - in: query - name: fields - required: false - schema: - items: - type: string - type: array - - description: Field to sort results by in page mode. - in: query - name: sort_field - required: false - schema: - type: string - - description: Sort order in page mode. - in: query - name: sort_order - required: false - schema: - enum: - - asc - - desc - type: string - - description: Page number to return (1-indexed) in page mode. - in: query - name: page - required: false - schema: - maximum: 9007199254740991 - minimum: 1 - type: integer - - description: Number of entities per page in page mode. - in: query - name: per_page - required: false - schema: - maximum: 10000 - minimum: 1 - type: integer - - description: An Elasticsearch query string to filter entities in page mode. - in: query - name: filterQuery - required: false - schema: - type: string - - description: Entity types to include in the results. 
- in: query - name: entity_types - required: false - schema: - items: - enum: - - user - - host - - service - - generic - type: string - type: array - responses: - '200': - content: - application/json: - examples: - emptyResultExample: - description: No entities matched the query. - summary: Empty result - value: - page: 1 - per_page: 10 - records: [] - total: 0 - pageModeExample: - description: A paginated list of host entities sorted by timestamp in descending order, including query inspection data. - summary: Page mode response with host entities - value: - inspect: - dsl: - - '{"index":["entities-latest-default"],"body":{"terms":{"entity.EngineMetadata.Type":["host"]}}}' - response: - - '{"took":1,"timed_out":false,"hits":{"total":{"value":1,"relation":"eq"}}}' - page: 1 - per_page: 10 - records: - - '@timestamp': '2026-04-10T08:30:00.000Z' - asset: - criticality: high_impact - environment: production - entity: - attributes: - asset: true - managed: true - id: host:web-server-prod-01 - lifecycle: - first_seen: '2026-01-15T10:00:00.000Z' - last_activity: '2026-04-10T08:30:00.000Z' - name: web-server-prod-01 - risk: - calculated_level: Moderate - calculated_score: 47.5 - calculated_score_norm: 47.5 - source: - - logs - type: host - host: - hostname: - - web-server-prod-01.example.com - ip: - - 10.0.1.42 - name: web-server-prod-01 - os: - name: Ubuntu - type: linux - total: 1 - searchAfterModeExample: - description: A cursor-based response with entities and a search_after token for the next page. - summary: Search-after mode response - value: - entities: - - '@timestamp': '2026-04-10T08:30:00.000Z' - entity: - id: user:jane.doe@example.com - name: jane.doe - type: user - user: - email: - - jane.doe@example.com - name: jane.doe - nextSearchAfter: - - 1712736600000 - - 1 - description: Indicates a successful response. 
- '400': - content: - application/json: - examples: - invalidFilterExample: - description: The provided Kibana Query Language filter could not be parsed. - summary: Invalid filter - value: - error: Bad Request - message: |- - Invalid filter: Expected "(", "{", value, whitespace but ":" found. - invalid :: query - ---------^ - statusCode: 400 - mixedModesExample: - description: Cannot combine page-based pagination with cursor-based pagination in the same request. - summary: Mixed pagination modes - value: - error: Bad Request - message: '[request query]: Cannot combine page/per_page with searchAfter' - statusCode: 400 - description: Bad request. - summary: List entities - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ - "${KIBANA_URL}/api/security/entity_store/entities?entity_types=host&page=1&per_page=10&sort_field=%40timestamp&sort_order=desc" - - lang: Console - source: | - GET kbn://api/security/entity_store/entities?entity_types=host&page=1&per_page=10&sort_field=@timestamp&sort_order=desc - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security/entity_store/entities/: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/security/entity_store/entities/
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a single entity record from the Entity Store. The entity is immediately removed from the latest index.

[Required authorization] Route required privileges: securitySolution. - operationId: delete-security-entity-store-entities - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - deleteEntityExample: - description: Delete a single entity from the Entity Store using its entity identifier. - summary: Delete an entity by identifier - value: - entityId: host:web-server-prod-01 - schema: - additionalProperties: false - type: object - properties: - entityId: - description: The identifier of the entity to delete. - type: string - required: - - entityId - responses: - '200': - content: - application/json: - examples: - deleteSuccessExample: - description: The entity was found and successfully removed from the latest index. - summary: Entity deleted - value: - deleted: true - description: Indicates the entity was successfully deleted. - '404': - content: - application/json: - examples: - notFoundExample: - description: No entity with the specified identifier exists in the Entity Store. - summary: Entity not found - value: - error: Not Found - message: Entity ID 'host:web-server-prod-01' not found - statusCode: 404 - description: Entity not found. - summary: Delete an entity - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X DELETE -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ - -H "Content-Type: application/json" \ - -d '{"entityId":"host:web-server-prod-01"}' \ - "${KIBANA_URL}/api/security/entity_store/entities/" - - lang: Console - source: | - DELETE kbn://api/security/entity_store/entities/ - { - "entityId": "host:web-server-prod-01" - } - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security/entity_store/entities/{entityType}: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/security/entity_store/entities/{entityType}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new entity record in the Entity Store for the specified entity type.

[Required authorization] Route required privileges: securitySolution. - operationId: post-security-entity-store-entities-entitytype - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The entity type to create. - in: path - name: entityType - required: true - schema: - enum: - - user - - host - - service - - generic - type: string - requestBody: - content: - application/json: - examples: - createHostEntityExample: - description: Create a new host entity record with basic host and entity fields. The entity identifier must match the auto-generated format for the entity type. - summary: Create a host entity - value: - asset: - business_unit: Engineering - criticality: high_impact - environment: production - entity: - attributes: - asset: true - managed: true - id: host:web-server-prod-01 - name: web-server-prod-01 - source: - - manual - type: host - host: - hostname: - - web-server-prod-01.example.com - ip: - - 10.0.1.42 - name: web-server-prod-01 - schema: - anyOf: - - additionalProperties: false - type: object - properties: - '@timestamp': - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - asset: - additionalProperties: false - type: object - properties: - business_unit: - type: string - criticality: - anyOf: - - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - - nullable: true - environment: - type: string - id: - type: string - model: - type: string - name: - type: string - owner: - type: string - serial_number: - type: string - vendor: - type: string - entity: - additionalProperties: false - type: object - properties: - attributes: - 
additionalProperties: false - type: object - properties: - asset: - type: boolean - known_redirects: - items: - type: string - type: array - managed: - type: boolean - mfa_enabled: - type: boolean - oauth_consent_restriction: - type: string - permissions: - items: - type: string - type: array - storage_class: - type: string - watchlists: - items: - type: string - type: array - behaviors: - additionalProperties: false - type: object - properties: - anomaly_job_ids: - items: - type: string - type: array - rule_names: - items: - type: string - type: array - EngineMetadata: - additionalProperties: false - type: object - properties: - Type: - type: string - id: - type: string - lifecycle: - additionalProperties: false - type: object - properties: - first_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_activity: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - name: - type: string - relationships: - additionalProperties: false - type: object - properties: - accesses_frequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - 
type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - accesses_infrequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - administers: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - communicates_with: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - 
type: array - user.name: - items: - type: string - type: array - depends_on: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns_inferred: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - resolution: - additionalProperties: false - type: object - properties: - resolved_to: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - 
calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - supervises: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - schema_version: - type: string - source: - items: - type: string - type: array - sub_type: - type: string - type: - type: string - url: - type: string - event: - additionalProperties: false - type: object - properties: - ingested: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - labels: - additionalProperties: {} - type: object - properties: {} - tags: - items: - type: string - type: array - user: - additionalProperties: false - type: object - properties: - domain: - items: - type: string - type: array - email: - items: - type: string - type: array - full_name: - items: - type: string - type: array - hash: - items: - type: string - type: array - id: - items: - type: string - type: array - name: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: 
- - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - roles: - items: - type: string - type: array - - additionalProperties: false - type: object - properties: - '@timestamp': - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - asset: - additionalProperties: false - type: object - properties: - business_unit: - type: string - criticality: - anyOf: - - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - - nullable: true - environment: - type: string - id: - type: string - model: - type: string - name: - type: string - owner: - type: string - serial_number: - type: string - vendor: - type: string - entity: - additionalProperties: false - type: object - properties: - attributes: - additionalProperties: false - type: object - properties: - asset: - type: boolean - known_redirects: - items: - type: string - type: array - managed: - type: boolean - mfa_enabled: - type: boolean - oauth_consent_restriction: - type: string - permissions: - items: - type: string - type: array - storage_class: - type: string - watchlists: - items: - type: string - type: array - behaviors: - additionalProperties: false - type: object - properties: - anomaly_job_ids: - items: - type: string - type: array - rule_names: - items: - type: string - type: array - EngineMetadata: - additionalProperties: false - type: object - properties: - Type: - type: string - id: - type: string - lifecycle: - additionalProperties: false - type: object - properties: - first_seen: - format: date-time - pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_activity: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - name: - type: string - relationships: - additionalProperties: false - type: object - properties: - accesses_frequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - accesses_infrequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - 
user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - administers: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - communicates_with: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - depends_on: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - 
properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns_inferred: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - resolution: - additionalProperties: false - type: object - properties: - resolved_to: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - supervises: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical 
- type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - schema_version: - type: string - source: - items: - type: string - type: array - sub_type: - type: string - type: - type: string - url: - type: string - event: - additionalProperties: false - type: object - properties: - ingested: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - host: - additionalProperties: false - type: object - properties: - architecture: - items: - type: string - type: array - domain: - items: - type: string - type: array - hostname: - items: - type: string - type: array - id: - items: - type: string - type: array - ip: - items: - type: string - type: array - mac: - items: - type: string - type: array - name: - type: string - os: - additionalProperties: false - type: object - properties: - family: - type: string - full: - type: string - kernel: - type: string - name: - anyOf: - - type: string - - items: - type: string - type: array - platform: - type: string - type: - anyOf: - - type: string - - items: - type: string - type: array - version: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - type: - items: - type: string - type: array - labels: - additionalProperties: {} - type: object - properties: {} - tags: - items: - type: string - type: array - - additionalProperties: false - type: object - properties: - '@timestamp': - format: date-time - pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - asset: - additionalProperties: false - type: object - properties: - business_unit: - type: string - criticality: - anyOf: - - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - - nullable: true - environment: - type: string - id: - type: string - model: - type: string - name: - type: string - owner: - type: string - serial_number: - type: string - vendor: - type: string - entity: - additionalProperties: false - type: object - properties: - attributes: - additionalProperties: false - type: object - properties: - asset: - type: boolean - known_redirects: - items: - type: string - type: array - managed: - type: boolean - mfa_enabled: - type: boolean - oauth_consent_restriction: - type: string - permissions: - items: - type: string - type: array - storage_class: - type: string - watchlists: - items: - type: string - type: array - behaviors: - additionalProperties: false - type: object - properties: - anomaly_job_ids: - items: - type: string - type: array - rule_names: - items: - type: string - type: array - EngineMetadata: - additionalProperties: false - type: object - properties: - Type: - type: string - id: - type: string - lifecycle: - additionalProperties: false - type: object - properties: - first_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_activity: - format: date-time - pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - name: - type: string - relationships: - additionalProperties: false - type: object - properties: - accesses_frequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - accesses_infrequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - administers: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: 
object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - communicates_with: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - depends_on: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: 
- items: - type: string - type: array - owns_inferred: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - resolution: - additionalProperties: false - type: object - properties: - resolved_to: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - supervises: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - schema_version: - type: string - source: - items: - type: string - type: array - sub_type: - type: string - type: - type: string - url: - type: string - event: - additionalProperties: false - type: object - 
properties: - ingested: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - labels: - additionalProperties: {} - type: object - properties: {} - service: - additionalProperties: false - type: object - properties: - address: - type: string - environment: - type: string - ephemeral_id: - type: string - id: - type: string - name: - type: string - node: - additionalProperties: false - type: object - properties: - name: - type: string - role: - type: string - roles: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - state: - type: string - type: - type: string - version: - type: string - tags: - items: - type: string - type: array - - additionalProperties: false - type: object - properties: - '@timestamp': - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - asset: - additionalProperties: false - type: object - properties: - business_unit: - type: string - criticality: - anyOf: - - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - - nullable: true - environment: - type: string - id: - type: string - model: - type: string - name: - type: string - owner: - type: string - serial_number: - type: string - vendor: - type: string - cloud: - additionalProperties: false - type: 
object - properties: - account: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - availability_zone: - type: string - instance: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - machine: - additionalProperties: false - type: object - properties: - type: - type: string - project: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - provider: - type: string - region: - type: string - service: - additionalProperties: false - type: object - properties: - name: - type: string - entity: - additionalProperties: false - type: object - properties: - attributes: - additionalProperties: false - type: object - properties: - asset: - type: boolean - known_redirects: - items: - type: string - type: array - managed: - type: boolean - mfa_enabled: - type: boolean - oauth_consent_restriction: - type: string - permissions: - items: - type: string - type: array - storage_class: - type: string - watchlists: - items: - type: string - type: array - behaviors: - additionalProperties: false - type: object - properties: - anomaly_job_ids: - items: - type: string - type: array - rule_names: - items: - type: string - type: array - EngineMetadata: - additionalProperties: false - type: object - properties: - Type: - type: string - id: - type: string - lifecycle: - additionalProperties: false - type: object - properties: - first_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_activity: - format: date-time - pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - name: - type: string - relationships: - additionalProperties: false - type: object - properties: - accesses_frequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - accesses_infrequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - administers: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: 
object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - communicates_with: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - depends_on: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: 
- items: - type: string - type: array - owns_inferred: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - resolution: - additionalProperties: false - type: object - properties: - resolved_to: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - supervises: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - schema_version: - type: string - source: - items: - type: string - type: array - sub_type: - type: string - type: - type: string - url: - type: string - event: - additionalProperties: false - type: object - 
properties: - ingested: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - labels: - additionalProperties: {} - type: object - properties: {} - orchestrator: - additionalProperties: false - type: object - properties: - api_version: - type: string - cluster: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - url: - type: string - version: - type: string - namespace: - type: string - organization: - type: string - resource: - additionalProperties: false - type: object - properties: - annotation: - type: string - id: - type: string - ip: - type: string - label: - type: string - name: - type: string - parent: - additionalProperties: false - type: object - properties: - type: - type: string - type: - type: string - type: - type: string - tags: - items: - type: string - type: array - responses: - '200': - content: - application/json: - examples: - createSuccessExample: - description: The entity record was successfully created in the Entity Store. - summary: Entity created - value: - ok: true - description: Indicates the entity was successfully created. - '400': - content: - application/json: - examples: - euidMismatchExample: - description: The supplied entity identifier does not match the auto-generated identifier derived from the entity fields. - summary: Entity identifier mismatch - value: - error: Bad Request - message: 'Bad request: Supplied ID my-custom-id does not match generated EUID host:web-server-prod-01' - statusCode: 400 - description: Bad request. - '409': - content: - application/json: - examples: - conflictExample: - description: An entity with the specified identifier already exists. 
- summary: Entity already exists - value: - error: Conflict - message: Entity ID 'host:web-server-prod-01' already exists - statusCode: 409 - description: Conflict. - summary: Create an entity - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ - -H "Content-Type: application/json" \ - -d '{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","source":["manual"],"attributes":{"asset":true}},"host":{"name":"web-server-prod-01","ip":["10.0.1.42"]}}' \ - "${KIBANA_URL}/api/security/entity_store/entities/host" - - lang: Console - source: | - POST kbn://api/security/entity_store/entities/host - { - "entity": { - "id": "host:web-server-prod-01", - "name": "web-server-prod-01", - "type": "host", - "source": ["manual"], - "attributes": { "asset": true } - }, - "host": { - "name": "web-server-prod-01", - "ip": ["10.0.1.42"] - } - } - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/security/entity_store/entities/{entityType}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an existing entity record in the Entity Store. By default only certain fields can be updated. Set the `force` query parameter to `true` to update protected fields.

[Required authorization] Route required privileges: securitySolution. - operationId: put-security-entity-store-entities-entitytype - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The entity type to update. - in: path - name: entityType - required: true - schema: - enum: - - user - - host - - service - - generic - type: string - - description: When true, allows updating protected fields. - in: query - name: force - required: false - schema: - anyOf: - - enum: - - 'true' - - 'false' - type: string - - type: boolean - default: false - requestBody: - content: - application/json: - examples: - updateEntityAttributesExample: - description: Update the attributes of an existing user entity. Fields like entity.name and entity.type are protected and require the force query parameter. - summary: Update entity attributes - value: - entity: - attributes: - managed: true - mfa_enabled: true - id: user:jane.doe@example.com - lifecycle: - last_activity: '2026-04-10T14:30:00.000Z' - name: jane.doe - type: user - user: - email: - - jane.doe@example.com - name: jane.doe - roles: - - admin - - analyst - schema: - anyOf: - - additionalProperties: false - type: object - properties: - '@timestamp': - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - asset: - additionalProperties: false - type: object - properties: - business_unit: - type: string - criticality: - anyOf: - - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - - nullable: true - environment: - type: string - id: - type: string - model: - type: string - name: - type: string - owner: - type: 
string - serial_number: - type: string - vendor: - type: string - entity: - additionalProperties: false - type: object - properties: - attributes: - additionalProperties: false - type: object - properties: - asset: - type: boolean - known_redirects: - items: - type: string - type: array - managed: - type: boolean - mfa_enabled: - type: boolean - oauth_consent_restriction: - type: string - permissions: - items: - type: string - type: array - storage_class: - type: string - watchlists: - items: - type: string - type: array - behaviors: - additionalProperties: false - type: object - properties: - anomaly_job_ids: - items: - type: string - type: array - rule_names: - items: - type: string - type: array - EngineMetadata: - additionalProperties: false - type: object - properties: - Type: - type: string - id: - type: string - lifecycle: - additionalProperties: false - type: object - properties: - first_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_activity: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - name: - type: string - relationships: - additionalProperties: false - type: object - properties: - accesses_frequently: - 
additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - accesses_infrequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - administers: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - communicates_with: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - 
type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - depends_on: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns_inferred: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - resolution: - additionalProperties: false - type: object - properties: - resolved_to: - type: string - risk: - 
additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - supervises: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - schema_version: - type: string - source: - items: - type: string - type: array - sub_type: - type: string - type: - type: string - url: - type: string - event: - additionalProperties: false - type: object - properties: - ingested: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - labels: - additionalProperties: {} - type: object - properties: {} - tags: - items: - type: string - type: array - user: - additionalProperties: false - type: object - properties: - domain: - items: - type: string - type: array - email: - items: - type: string - type: array - full_name: - items: - type: string - type: array - hash: - items: - type: string - type: array - id: 
- items: - type: string - type: array - name: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - roles: - items: - type: string - type: array - - additionalProperties: false - type: object - properties: - '@timestamp': - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - asset: - additionalProperties: false - type: object - properties: - business_unit: - type: string - criticality: - anyOf: - - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - - nullable: true - environment: - type: string - id: - type: string - model: - type: string - name: - type: string - owner: - type: string - serial_number: - type: string - vendor: - type: string - entity: - additionalProperties: false - type: object - properties: - attributes: - additionalProperties: false - type: object - properties: - asset: - type: boolean - known_redirects: - items: - type: string - type: array - managed: - type: boolean - mfa_enabled: - type: boolean - oauth_consent_restriction: - type: string - permissions: - items: - type: string - type: array - storage_class: - type: string - watchlists: - items: - type: string - type: array - behaviors: - additionalProperties: false - type: object - properties: - anomaly_job_ids: - items: - type: string - type: array - rule_names: - items: - type: string - type: array - EngineMetadata: - additionalProperties: false - type: object - properties: - Type: - type: string - id: - type: string - lifecycle: - additionalProperties: false - type: object 
- properties: - first_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_activity: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - name: - type: string - relationships: - additionalProperties: false - type: object - properties: - accesses_frequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - accesses_infrequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: 
array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - administers: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - communicates_with: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - depends_on: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - 
raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns_inferred: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - resolution: - additionalProperties: false - type: object - properties: - resolved_to: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - supervises: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: 
- enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - schema_version: - type: string - source: - items: - type: string - type: array - sub_type: - type: string - type: - type: string - url: - type: string - event: - additionalProperties: false - type: object - properties: - ingested: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - host: - additionalProperties: false - type: object - properties: - architecture: - items: - type: string - type: array - domain: - items: - type: string - type: array - hostname: - items: - type: string - type: array - id: - items: - type: string - type: array - ip: - items: - type: string - type: array - mac: - items: - type: string - type: array - name: - type: string - os: - additionalProperties: false - type: object - properties: - family: - type: string - full: - type: string - kernel: - type: string - name: - anyOf: - - type: string - - items: - type: string - type: array - platform: - type: string - type: - anyOf: - - type: string - - items: - type: string - type: array - version: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - type: - items: - type: string - type: array - labels: - additionalProperties: {} - type: object - properties: {} - tags: - items: - type: string - type: array - - additionalProperties: false - type: object - properties: - '@timestamp': - format: date-time - pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - asset: - additionalProperties: false - type: object - properties: - business_unit: - type: string - criticality: - anyOf: - - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - - nullable: true - environment: - type: string - id: - type: string - model: - type: string - name: - type: string - owner: - type: string - serial_number: - type: string - vendor: - type: string - entity: - additionalProperties: false - type: object - properties: - attributes: - additionalProperties: false - type: object - properties: - asset: - type: boolean - known_redirects: - items: - type: string - type: array - managed: - type: boolean - mfa_enabled: - type: boolean - oauth_consent_restriction: - type: string - permissions: - items: - type: string - type: array - storage_class: - type: string - watchlists: - items: - type: string - type: array - behaviors: - additionalProperties: false - type: object - properties: - anomaly_job_ids: - items: - type: string - type: array - rule_names: - items: - type: string - type: array - EngineMetadata: - additionalProperties: false - type: object - properties: - Type: - type: string - id: - type: string - lifecycle: - additionalProperties: false - type: object - properties: - first_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_activity: - format: date-time - pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - name: - type: string - relationships: - additionalProperties: false - type: object - properties: - accesses_frequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - accesses_infrequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - administers: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: 
object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - communicates_with: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - depends_on: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: 
- items: - type: string - type: array - owns_inferred: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - resolution: - additionalProperties: false - type: object - properties: - resolved_to: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - supervises: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - schema_version: - type: string - source: - items: - type: string - type: array - sub_type: - type: string - type: - type: string - url: - type: string - event: - additionalProperties: false - type: object - 
properties: - ingested: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - labels: - additionalProperties: {} - type: object - properties: {} - service: - additionalProperties: false - type: object - properties: - address: - type: string - environment: - type: string - ephemeral_id: - type: string - id: - type: string - name: - type: string - node: - additionalProperties: false - type: object - properties: - name: - type: string - role: - type: string - roles: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - state: - type: string - type: - type: string - version: - type: string - tags: - items: - type: string - type: array - - additionalProperties: false - type: object - properties: - '@timestamp': - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - asset: - additionalProperties: false - type: object - properties: - business_unit: - type: string - criticality: - anyOf: - - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - - nullable: true - environment: - type: string - id: - type: string - model: - type: string - name: - type: string - owner: - type: string - serial_number: - type: string - vendor: - type: string - cloud: - additionalProperties: false - type: 
object - properties: - account: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - availability_zone: - type: string - instance: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - machine: - additionalProperties: false - type: object - properties: - type: - type: string - project: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - provider: - type: string - region: - type: string - service: - additionalProperties: false - type: object - properties: - name: - type: string - entity: - additionalProperties: false - type: object - properties: - attributes: - additionalProperties: false - type: object - properties: - asset: - type: boolean - known_redirects: - items: - type: string - type: array - managed: - type: boolean - mfa_enabled: - type: boolean - oauth_consent_restriction: - type: string - permissions: - items: - type: string - type: array - storage_class: - type: string - watchlists: - items: - type: string - type: array - behaviors: - additionalProperties: false - type: object - properties: - anomaly_job_ids: - items: - type: string - type: array - rule_names: - items: - type: string - type: array - EngineMetadata: - additionalProperties: false - type: object - properties: - Type: - type: string - id: - type: string - lifecycle: - additionalProperties: false - type: object - properties: - first_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_activity: - format: date-time - pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - name: - type: string - relationships: - additionalProperties: false - type: object - properties: - accesses_frequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - accesses_infrequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - administers: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: 
object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - communicates_with: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - depends_on: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: 
- items: - type: string - type: array - owns_inferred: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - resolution: - additionalProperties: false - type: object - properties: - resolved_to: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - supervises: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - schema_version: - type: string - source: - items: - type: string - type: array - sub_type: - type: string - type: - type: string - url: - type: string - event: - additionalProperties: false - type: object - 
properties: - ingested: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - labels: - additionalProperties: {} - type: object - properties: {} - orchestrator: - additionalProperties: false - type: object - properties: - api_version: - type: string - cluster: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - url: - type: string - version: - type: string - namespace: - type: string - organization: - type: string - resource: - additionalProperties: false - type: object - properties: - annotation: - type: string - id: - type: string - ip: - type: string - label: - type: string - name: - type: string - parent: - additionalProperties: false - type: object - properties: - type: - type: string - type: - type: string - type: - type: string - tags: - items: - type: string - type: array - responses: - '200': - content: - application/json: - examples: - updateSuccessExample: - description: The entity record was successfully updated. - summary: Entity updated - value: - ok: true - description: Indicates the entity was successfully updated. - '400': - content: - application/json: - examples: - protectedFieldsExample: - description: The request attempts to update protected fields without the force query parameter. - summary: Protected fields without force - value: - error: Bad Request - message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type' - statusCode: 400 - description: Bad request. - '404': - content: - application/json: - examples: - notFoundExample: - description: No entity with the specified identifier exists. 
- summary: Entity not found - value: - error: Not Found - message: Entity ID 'user:jane.doe@example.com' not found - statusCode: 404 - description: Entity not found. - summary: Update an entity - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ - -H "Content-Type: application/json" \ - -d '{"entity":{"id":"user:jane.doe@example.com","name":"jane.doe","type":"user","attributes":{"managed":true,"mfa_enabled":true}},"user":{"name":"jane.doe"}}' \ - "${KIBANA_URL}/api/security/entity_store/entities/user?force=true" - - lang: Console - source: | - PUT kbn://api/security/entity_store/entities/user?force=true - { - "entity": { - "id": "user:jane.doe@example.com", - "name": "jane.doe", - "type": "user", - "attributes": { "managed": true, "mfa_enabled": true } - }, - "user": { "name": "jane.doe" } - } - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security/entity_store/entities/bulk: - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/security/entity_store/entities/bulk
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update multiple entity records in the Entity Store in a single request.

[Required authorization] Route required privileges: securitySolution. - operationId: put-security-entity-store-entities-bulk - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: When true, allows updating protected fields. - in: query - name: force - required: false - schema: - anyOf: - - enum: - - 'true' - - 'false' - type: string - - type: boolean - default: false - requestBody: - content: - application/json: - examples: - bulkUpdateExample: - description: Update a host entity and a user entity in a single request. - summary: Bulk update multiple entities - value: - entities: - - doc: - entity: - attributes: - asset: true - id: host:web-server-prod-01 - name: web-server-prod-01 - type: host - host: - name: web-server-prod-01 - type: host - - doc: - entity: - attributes: - managed: true - id: user:jane.doe@example.com - name: jane.doe - type: user - user: - name: jane.doe - type: user - schema: - additionalProperties: false - type: object - properties: - entities: - description: The entities to update. 
- items: - type: object - properties: - doc: - anyOf: - - additionalProperties: false - type: object - properties: - '@timestamp': - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - asset: - additionalProperties: false - type: object - properties: - business_unit: - type: string - criticality: - anyOf: - - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - - nullable: true - environment: - type: string - id: - type: string - model: - type: string - name: - type: string - owner: - type: string - serial_number: - type: string - vendor: - type: string - entity: - additionalProperties: false - type: object - properties: - attributes: - additionalProperties: false - type: object - properties: - asset: - type: boolean - known_redirects: - items: - type: string - type: array - managed: - type: boolean - mfa_enabled: - type: boolean - oauth_consent_restriction: - type: string - permissions: - items: - type: string - type: array - storage_class: - type: string - watchlists: - items: - type: string - type: array - behaviors: - additionalProperties: false - type: object - properties: - anomaly_job_ids: - items: - type: string - type: array - rule_names: - items: - type: string - type: array - EngineMetadata: - additionalProperties: false - type: object - properties: - Type: - type: string - id: - type: string - lifecycle: - additionalProperties: false - type: object - properties: - first_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - 
type: string - last_activity: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - name: - type: string - relationships: - additionalProperties: false - type: object - properties: - accesses_frequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - accesses_infrequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - administers: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: 
array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - communicates_with: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - depends_on: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: 
array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns_inferred: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - resolution: - additionalProperties: false - type: object - properties: - resolved_to: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - supervises: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - schema_version: - type: string - source: - items: - type: string - type: array - sub_type: - type: string - type: - type: string - url: - type: 
string - event: - additionalProperties: false - type: object - properties: - ingested: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - labels: - additionalProperties: {} - type: object - properties: {} - tags: - items: - type: string - type: array - user: - additionalProperties: false - type: object - properties: - domain: - items: - type: string - type: array - email: - items: - type: string - type: array - full_name: - items: - type: string - type: array - hash: - items: - type: string - type: array - id: - items: - type: string - type: array - name: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - roles: - items: - type: string - type: array - - additionalProperties: false - type: object - properties: - '@timestamp': - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - asset: - additionalProperties: false - type: object - properties: - business_unit: - type: string - criticality: - anyOf: - - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - - nullable: true - environment: - type: string - id: - type: string - model: - type: string - name: - type: string - owner: - type: string - serial_number: - type: string - vendor: - type: string - entity: - additionalProperties: false - type: 
object - properties: - attributes: - additionalProperties: false - type: object - properties: - asset: - type: boolean - known_redirects: - items: - type: string - type: array - managed: - type: boolean - mfa_enabled: - type: boolean - oauth_consent_restriction: - type: string - permissions: - items: - type: string - type: array - storage_class: - type: string - watchlists: - items: - type: string - type: array - behaviors: - additionalProperties: false - type: object - properties: - anomaly_job_ids: - items: - type: string - type: array - rule_names: - items: - type: string - type: array - EngineMetadata: - additionalProperties: false - type: object - properties: - Type: - type: string - id: - type: string - lifecycle: - additionalProperties: false - type: object - properties: - first_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_activity: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - name: - type: string - relationships: - additionalProperties: false - type: object - properties: - accesses_frequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - 
raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - accesses_infrequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - administers: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - communicates_with: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - 
type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - depends_on: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns_inferred: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - resolution: - additionalProperties: false - type: object - properties: - resolved_to: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate 
- - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - supervises: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - schema_version: - type: string - source: - items: - type: string - type: array - sub_type: - type: string - type: - type: string - url: - type: string - event: - additionalProperties: false - type: object - properties: - ingested: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - host: - additionalProperties: false - type: object - properties: - architecture: - items: - type: string - type: array - domain: - items: - type: string - type: array - hostname: - items: - type: string - type: array - id: - items: - type: string - type: array - ip: - items: - type: string - type: array - mac: - items: - type: string - type: array - name: - type: string - os: - additionalProperties: false - type: object - properties: - family: - type: string - full: - type: string - kernel: 
- type: string - name: - anyOf: - - type: string - - items: - type: string - type: array - platform: - type: string - type: - anyOf: - - type: string - - items: - type: string - type: array - version: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - type: - items: - type: string - type: array - labels: - additionalProperties: {} - type: object - properties: {} - tags: - items: - type: string - type: array - - additionalProperties: false - type: object - properties: - '@timestamp': - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - asset: - additionalProperties: false - type: object - properties: - business_unit: - type: string - criticality: - anyOf: - - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - - nullable: true - environment: - type: string - id: - type: string - model: - type: string - name: - type: string - owner: - type: string - serial_number: - type: string - vendor: - type: string - entity: - additionalProperties: false - type: object - properties: - attributes: - additionalProperties: false - type: object - properties: - asset: - type: boolean - known_redirects: - items: - type: string - type: array - managed: - type: boolean - mfa_enabled: - type: boolean - oauth_consent_restriction: - type: string - permissions: - items: - type: string - type: array - storage_class: - type: string - watchlists: - items: - type: string - type: array - behaviors: - additionalProperties: false - type: object - properties: - anomaly_job_ids: 
- items: - type: string - type: array - rule_names: - items: - type: string - type: array - EngineMetadata: - additionalProperties: false - type: object - properties: - Type: - type: string - id: - type: string - lifecycle: - additionalProperties: false - type: object - properties: - first_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_activity: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - name: - type: string - relationships: - additionalProperties: false - type: object - properties: - accesses_frequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - accesses_infrequently: - additionalProperties: false - type: object - properties: - 
ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - administers: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - communicates_with: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - depends_on: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - 
user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns_inferred: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - resolution: - additionalProperties: false - type: object - properties: - resolved_to: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - supervises: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - 
type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - schema_version: - type: string - source: - items: - type: string - type: array - sub_type: - type: string - type: - type: string - url: - type: string - event: - additionalProperties: false - type: object - properties: - ingested: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - labels: - additionalProperties: {} - type: object - properties: {} - service: - additionalProperties: false - type: object - properties: - address: - type: string - environment: - type: string - ephemeral_id: - type: string - id: - type: string - name: - type: string - node: - additionalProperties: false - type: object - properties: - name: - type: string - role: - type: string - roles: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - state: - type: string - type: - type: string - version: - type: string - tags: - items: - type: string - type: array - - additionalProperties: false - type: object - properties: - '@timestamp': - format: date-time - pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - asset: - additionalProperties: false - type: object - properties: - business_unit: - type: string - criticality: - anyOf: - - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - - nullable: true - environment: - type: string - id: - type: string - model: - type: string - name: - type: string - owner: - type: string - serial_number: - type: string - vendor: - type: string - cloud: - additionalProperties: false - type: object - properties: - account: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - availability_zone: - type: string - instance: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - machine: - additionalProperties: false - type: object - properties: - type: - type: string - project: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - provider: - type: string - region: - type: string - service: - additionalProperties: false - type: object - properties: - name: - type: string - entity: - additionalProperties: false - type: object - properties: - attributes: - additionalProperties: false - type: object - properties: - asset: - type: boolean - known_redirects: - items: - type: string - type: array - managed: - type: boolean - mfa_enabled: - type: boolean - oauth_consent_restriction: - type: string - permissions: - items: - type: string - type: array - storage_class: - type: string - watchlists: - items: - type: string - type: array - behaviors: - additionalProperties: false - type: object - properties: - anomaly_job_ids: - items: - type: string - type: array - rule_names: - items: - type: 
string - type: array - EngineMetadata: - additionalProperties: false - type: object - properties: - Type: - type: string - id: - type: string - lifecycle: - additionalProperties: false - type: object - properties: - first_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_activity: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - name: - type: string - relationships: - additionalProperties: false - type: object - properties: - accesses_frequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - accesses_infrequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - 
additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - administers: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - communicates_with: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - depends_on: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - 
items: - type: string - type: array - user.name: - items: - type: string - type: array - owns: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns_inferred: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - resolution: - additionalProperties: false - type: object - properties: - resolved_to: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - supervises: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string 
- type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - schema_version: - type: string - source: - items: - type: string - type: array - sub_type: - type: string - type: - type: string - url: - type: string - event: - additionalProperties: false - type: object - properties: - ingested: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - labels: - additionalProperties: {} - type: object - properties: {} - orchestrator: - additionalProperties: false - type: object - properties: - api_version: - type: string - cluster: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - url: - type: string - version: - type: string - namespace: - type: string - organization: - type: string - resource: - additionalProperties: false - type: object - properties: - annotation: - type: string - id: - type: string - ip: - type: string - label: - type: string - name: - type: string - parent: - additionalProperties: false - type: object - properties: - type: - type: string - type: - type: string - type: - type: string - tags: - items: - type: string - type: array - type: - description: The entity type of this record. 
- enum: - - user - - host - - service - - generic - type: string - required: - - type - - doc - type: array - required: - - entities - responses: - '200': - content: - application/json: - examples: - bulkUpdatePartialExample: - description: Some entities were updated but others encountered Elasticsearch-level errors. - summary: Partial success with errors - value: - errors: - - _id: 5de9f93a68a72532e736bf5a6184b06300b9cabf - reason: '[5de9f93a68a72532e736bf5a6184b06300b9cabf]: document missing' - status: 404 - type: document_missing_exception - ok: true - bulkUpdateSuccessExample: - description: All entities were successfully updated with no errors. - summary: All entities updated - value: - errors: [] - ok: true - description: Indicates a successful response. - '400': - content: - application/json: - examples: - protectedFieldsExample: - description: The request attempts to update protected fields without the force query parameter. - summary: Protected fields without force - value: - error: Bad Request - message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type' - statusCode: 400 - description: Bad request. 
- summary: Bulk update entities - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ - -H "Content-Type: application/json" \ - -d '{"entities":[{"type":"host","doc":{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","attributes":{"asset":true}},"host":{"name":"web-server-prod-01"}}}]}' \ - "${KIBANA_URL}/api/security/entity_store/entities/bulk?force=true" - - lang: Console - source: | - PUT kbn://api/security/entity_store/entities/bulk?force=true - { - "entities": [ - { - "type": "host", - "doc": { - "entity": { - "id": "host:web-server-prod-01", - "name": "web-server-prod-01", - "type": "host", - "attributes": { "asset": true } - }, - "host": { "name": "web-server-prod-01" } - } - } - ] - } - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security/entity_store/install: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/security/entity_store/install
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Install the Entity Store, creating engines for the specified entity types and configuring log extraction.

[Required authorization] Route required privileges: securitySolution. - operationId: post-security-entity-store-install - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - installDefaultExample: - description: Install the Entity Store for all entity types with default log extraction settings. - summary: Install with default entity types - value: - entityTypes: - - user - - host - - service - - generic - logExtraction: {} - installWithCustomSettingsExample: - description: Install the Entity Store for host entities only with a custom lookback period and field history length. - summary: Install with custom log extraction - value: - entityTypes: - - host - logExtraction: - delay: 2m - fieldHistoryLength: 20 - filter: 'host.os.type: linux' - frequency: 5m - lookbackPeriod: 12h - schema: - additionalProperties: false - type: object - properties: - entityTypes: - default: - - user - - host - - service - - generic - items: - enum: - - user - - host - - service - - generic - type: string - type: array - historySnapshot: - additionalProperties: false - type: object - properties: - frequency: - default: 24h - pattern: '[smdh]$' - type: string - logExtraction: - additionalProperties: false - type: object - properties: - additionalIndexPatterns: - default: [] - items: - type: string - type: array - delay: - default: 1m - pattern: '[smdh]$' - type: string - docsLimit: - default: 10000 - maximum: 9007199254740991 - minimum: 1 - type: integer - fieldHistoryLength: - default: 10 - maximum: 9007199254740991 - minimum: -9007199254740991 - type: integer - filter: - default: '' - type: string - frequency: - default: 30s - pattern: '[smdh]$' - type: string - lookbackPeriod: - default: 3h - pattern: '[smdh]$' - type: string - maxLogsPerPage: - default: 40000 - maximum: 9007199254740991 - minimum: 1 - type: 
integer - responses: - '200': - content: - application/json: - examples: - alreadyInstalledExample: - description: All requested entity types were already installed. - summary: Already installed - value: - ok: true - description: Indicates all requested entity types are already installed. - '201': - content: - application/json: - examples: - installSuccessExample: - description: The Entity Store was installed and engines are being created. - summary: Entity Store installed - value: - ok: true - description: Indicates the Entity Store was successfully installed. - '403': - content: - application/json: - examples: - forbiddenExample: - description: The user does not have the required Elasticsearch privileges. - summary: Insufficient privileges - value: - error: Forbidden - message: User 'analyst' has insufficient privileges - statusCode: 403 - description: Insufficient privileges. - summary: Install the Entity Store - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ - -H "Content-Type: application/json" \ - -d '{"entityTypes":["user","host","service","generic"],"logExtraction":{}}' \ - "${KIBANA_URL}/api/security/entity_store/install" - - lang: Console - source: | - POST kbn://api/security/entity_store/install - { - "entityTypes": ["user", "host", "service", "generic"], - "logExtraction": {} - } - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security/entity_store/resolution/group: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/security/entity_store/resolution/group
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the resolution group for a given entity, returning all linked entities. Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. - operationId: get-security-entity-store-resolution-group - parameters: - - description: The entity identifier to look up the resolution group for. - in: query - name: entity_id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - resolutionGroupExample: - description: Returns the resolution group for an entity, including the target entity, all aliases, and the group size. - summary: Resolution group with linked entities - value: - aliases: - - '@timestamp': '2026-04-10T08:25:00.000Z' - entity: - id: user:jdoe@example.com - name: jdoe - relationships: - resolution: - resolved_to: user:jane.doe@example.com - type: user - user: - name: jdoe - group_size: 2 - target: - '@timestamp': '2026-04-10T08:30:00.000Z' - entity: - id: user:jane.doe@example.com - name: jane.doe - type: user - user: - email: - - jane.doe@example.com - name: jane.doe - description: Indicates a successful response. - '400': - content: - application/json: - examples: - truncatedSearchExample: - description: The resolution search returned too many results and was truncated. - summary: Search results truncated - value: - error: Bad Request - message: Resolution search truncated - statusCode: 400 - description: Bad request. - '404': - content: - application/json: - examples: - notFoundExample: - description: The specified entity does not exist or has no resolution group. - summary: Entity not found - value: - error: Not Found - message: 'Entities not found: [user:nonexistent@example.com]' - statusCode: 404 - description: Entity not found. 
- summary: Get resolution group - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ - "${KIBANA_URL}/api/security/entity_store/resolution/group?entity_id=user%3Ajane.doe%40example.com" - - lang: Console - source: | - GET kbn://api/security/entity_store/resolution/group?entity_id=user:jane.doe@example.com - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security/entity_store/resolution/link: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/security/entity_store/resolution/link
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Link one or more entities to a target entity, creating a resolution group. Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. - operationId: post-security-entity-store-resolution-link - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - linkEntitiesExample: - description: Link two user entities to a target entity, creating a resolution group. - summary: Link entities to a target - value: - entity_ids: - - user:jdoe@example.com - - user:j.doe@example.com - target_id: user:jane.doe@example.com - schema: - additionalProperties: false - type: object - properties: - entity_ids: - description: Entity identifiers to link to the target entity. Minimum 1, maximum 1000. - items: - type: string - maxItems: 1000 - minItems: 1 - type: array - target_id: - description: The entity identifier to resolve the linked entities to. - type: string - required: - - target_id - - entity_ids - responses: - '200': - content: - application/json: - examples: - linkSuccessExample: - description: The entities were successfully linked to the target entity. - summary: Entities linked - value: - linked: - - user:jdoe@example.com - - user:j.doe@example.com - skipped: [] - target_id: user:jane.doe@example.com - description: Indicates a successful response. - '400': - content: - application/json: - examples: - mixedTypesExample: - description: All entities in a resolution group must be of the same type. - summary: Mixed entity types - value: - error: Bad Request - message: Cannot link entities of different types - statusCode: 400 - selfLinkExample: - description: Cannot link an entity to itself. - summary: Self-link error - value: - error: Bad Request - message: Cannot link entity 'user:jane.doe@example.com' to itself. - statusCode: 400 - description: Bad request. 
- '404': - content: - application/json: - examples: - notFoundExample: - description: One or more of the specified entity identifiers were not found. - summary: Entities not found - value: - error: Not Found - message: 'Entities not found: [user:nonexistent@example.com, user:also-nonexistent@example.com]' - statusCode: 404 - description: Entities not found. - summary: Link entities - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ - -H "Content-Type: application/json" \ - -d '{"target_id":"user:jane.doe@example.com","entity_ids":["user:jdoe@example.com"]}' \ - "${KIBANA_URL}/api/security/entity_store/resolution/link" - - lang: Console - source: | - POST kbn://api/security/entity_store/resolution/link - { - "target_id": "user:jane.doe@example.com", - "entity_ids": ["user:jdoe@example.com"] - } - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security/entity_store/resolution/unlink: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/security/entity_store/resolution/unlink
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Remove one or more entities from their resolution group. Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. - operationId: post-security-entity-store-resolution-unlink - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - unlinkEntitiesExample: - description: Remove entities from their resolution group, restoring them as standalone entities. - summary: Unlink entities from their resolution group - value: - entity_ids: - - user:jdoe@example.com - - user:j.doe@example.com - schema: - additionalProperties: false - type: object - properties: - entity_ids: - description: Entity identifiers to unlink from their resolution group. Minimum 1, maximum 1000. - items: - type: string - maxItems: 1000 - minItems: 1 - type: array - required: - - entity_ids - responses: - '200': - content: - application/json: - examples: - unlinkSuccessExample: - description: The entities were successfully removed from their resolution group. - summary: Entities unlinked - value: - skipped: [] - unlinked: - - user:jdoe@example.com - - user:j.doe@example.com - description: Indicates a successful response. - '404': - content: - application/json: - examples: - notFoundExample: - description: One or more of the specified entity identifiers were not found. - summary: Entities not found - value: - error: Not Found - message: 'Entities not found: [user:nonexistent@example.com]' - statusCode: 404 - description: Entities not found. 
- summary: Unlink entities - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ - -H "Content-Type: application/json" \ - -d '{"entity_ids":["user:jdoe@example.com"]}' \ - "${KIBANA_URL}/api/security/entity_store/resolution/unlink" - - lang: Console - source: | - POST kbn://api/security/entity_store/resolution/unlink - { - "entity_ids": ["user:jdoe@example.com"] - } - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security/entity_store/start: - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/security/entity_store/start
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Start previously stopped entity engines, resuming data processing for the specified entity types.

[Required authorization] Route required privileges: securitySolution. - operationId: put-security-entity-store-start - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - startAllExample: - description: Start all stopped entity engines. - summary: Start all entity engines - value: - entityTypes: - - user - - host - - service - - generic - startSingleExample: - description: Start only the host entity engine. - summary: Start a single entity engine - value: - entityTypes: - - host - schema: - additionalProperties: false - type: object - properties: - entityTypes: - default: - - user - - host - - service - - generic - description: Entity types to start. Defaults to all installed types. - items: - enum: - - user - - host - - service - - generic - type: string - type: array - responses: - '200': - content: - application/json: - examples: - startSuccessExample: - description: The specified entity engines were successfully started. - summary: Engines started - value: - ok: true - description: Indicates a successful response. - summary: Start Entity Store engines - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ - -H "Content-Type: application/json" \ - -d '{"entityTypes":["user","host","service","generic"]}' \ - "${KIBANA_URL}/api/security/entity_store/start" - - lang: Console - source: | - PUT kbn://api/security/entity_store/start - { - "entityTypes": ["user", "host", "service", "generic"] - } - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security/entity_store/status: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/security/entity_store/status
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the overall Entity Store status and per-engine statuses, optionally including component-level health details.

[Required authorization] Route required privileges: securitySolution. - operationId: get-security-entity-store-status - parameters: - - description: If true, returns a detailed status of each engine including all its components. - in: query - name: include_components - required: false - schema: - anyOf: - - enum: - - 'true' - - 'false' - type: string - - type: boolean - default: false - responses: - '200': - content: - application/json: - examples: - notInstalledExample: - description: The Entity Store has not been installed. - summary: Entity Store not installed - value: - engines: [] - status: not_installed - runningStatusExample: - description: The Entity Store is running with two started engines using default settings. - summary: Entity Store running - value: - engines: - - delay: 1m - docsPerSecond: -1 - enrichPolicyExecutionInterval: null - fieldHistoryLength: 10 - filter: '' - frequency: 30s - indexPattern: '' - lastExecutionTimestamp: '2026-04-10T08:30:00.000Z' - lookbackPeriod: 3h - maxPageSearchSize: 10000 - status: started - timeout: 25s - timestampField: '@timestamp' - type: host - - delay: 1m - docsPerSecond: -1 - enrichPolicyExecutionInterval: null - fieldHistoryLength: 10 - filter: '' - frequency: 30s - indexPattern: '' - lastExecutionTimestamp: '2026-04-10T08:30:00.000Z' - lookbackPeriod: 3h - maxPageSearchSize: 10000 - status: started - timeout: 25s - timestampField: '@timestamp' - type: user - status: running - description: Indicates a successful response. 
- summary: Get Entity Store status - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ - "${KIBANA_URL}/api/security/entity_store/status?include_components=false" - - lang: Console - source: | - GET kbn://api/security/entity_store/status?include_components=false - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security/entity_store/stop: - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/security/entity_store/stop
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Stop running entity engines, pausing data processing for the specified entity types.

[Required authorization] Route required privileges: securitySolution. - operationId: put-security-entity-store-stop - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - stopAllExample: - description: Stop all running entity engines. - summary: Stop all entity engines - value: - entityTypes: - - user - - host - - service - - generic - schema: - additionalProperties: false - type: object - properties: - entityTypes: - default: - - user - - host - - service - - generic - description: Entity types to stop. Defaults to all running types. - items: - enum: - - user - - host - - service - - generic - type: string - type: array - responses: - '200': - content: - application/json: - examples: - stopSuccessExample: - description: The specified entity engines were successfully stopped. - summary: Engines stopped - value: - ok: true - description: Indicates a successful response. - summary: Stop Entity Store engines - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ - -H "Content-Type: application/json" \ - -d '{"entityTypes":["user","host","service","generic"]}' \ - "${KIBANA_URL}/api/security/entity_store/stop" - - lang: Console - source: | - PUT kbn://api/security/entity_store/stop - { - "entityTypes": ["user", "host", "service", "generic"] - } - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security/entity_store/uninstall: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/security/entity_store/uninstall
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Uninstall the Entity Store, removing engines and associated resources for the specified entity types.

[Required authorization] Route required privileges: securitySolution. - operationId: post-security-entity-store-uninstall - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - uninstallAllExample: - description: Uninstall all entity engines from the Entity Store. - summary: Uninstall all entity types - value: - entityTypes: - - user - - host - - service - - generic - uninstallSingleExample: - description: Uninstall only the host engine from the Entity Store. - summary: Uninstall a single entity type - value: - entityTypes: - - host - schema: - additionalProperties: false - type: object - properties: - entityTypes: - default: - - user - - host - - service - - generic - description: Entity types to uninstall. Defaults to all installed types. - items: - enum: - - user - - host - - service - - generic - type: string - type: array - responses: - '200': - content: - application/json: - examples: - uninstallSuccessExample: - description: The specified entity engines were successfully uninstalled. - summary: Entity Store uninstalled - value: - ok: true - description: Indicates a successful response. 
- summary: Uninstall the Entity Store - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ - -H "Content-Type: application/json" \ - -d '{"entityTypes":["user","host","service","generic"]}' \ - "${KIBANA_URL}/api/security/entity_store/uninstall" - - lang: Console - source: | - POST kbn://api/security/entity_store/uninstall - { - "entityTypes": ["user", "host", "service", "generic"] - } - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security/role: - get: - operationId: get-security-role - parameters: - - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges. - in: query - name: replaceDeprecatedPrivileges - required: false - schema: - type: boolean - responses: - '200': - description: Indicates a successful call. - summary: Get all roles - tags: - - roles - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security/role/_query: - post: - operationId: post-security-role-query - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - filters: - additionalProperties: false - type: object - properties: - showReservedRoles: - type: boolean - from: - type: number - query: - type: string - size: - type: number - sort: - additionalProperties: false - type: object - properties: - direction: - enum: - - asc - - desc - type: string - field: - type: string - required: - - field - - direction - responses: - '200': - description: Indicates a successful call. 
- summary: Query roles - tags: [] - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security/role/{name}: - delete: - operationId: delete-security-role-name - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - minLength: 1 - type: string - responses: - '204': - description: Indicates a successful call. - summary: Delete a role - tags: - - roles - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - operationId: get-security-role-name - parameters: - - description: The role name. - in: path - name: name - required: true - schema: - minLength: 1 - type: string - - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges. - in: query - name: replaceDeprecatedPrivileges - required: false - schema: - type: boolean - responses: - '200': - description: Indicates a successful call. - summary: Get a role - tags: - - roles - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: Create a new Kibana role or update the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm. - operationId: put-security-role-name - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The role name. - in: path - name: name - required: true - schema: - maxLength: 1024 - minLength: 1 - type: string - - description: When true, a role is not overwritten if it already exists. 
- in: query - name: createOnly - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - description: - description: A description for the role. - maxLength: 2048 - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - cluster: - items: - description: Cluster privileges that define the cluster level actions that users can perform. - type: string - maxItems: 100 - type: array - indices: - items: - additionalProperties: false - type: object - properties: - allow_restricted_indices: - description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too. - type: boolean - field_security: - additionalProperties: - items: - description: The document fields that the role members have read access to. - type: string - maxItems: 1000 - type: array - type: object - names: - items: - description: The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*). - type: string - maxItems: 100 - minItems: 1 - type: array - privileges: - items: - description: The index level privileges that the role members have for the data streams and indices. - type: string - maxItems: 100 - minItems: 1 - type: array - query: - description: A search query that defines the documents the role members have read access to. 
A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. - type: string - required: - - names - - privileges - maxItems: 1000 - type: array - remote_cluster: - items: - additionalProperties: false - type: object - properties: - clusters: - items: - description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. - type: string - maxItems: 100 - minItems: 1 - type: array - privileges: - items: - description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges. - type: string - maxItems: 100 - minItems: 1 - type: array - required: - - privileges - - clusters - maxItems: 100 - type: array - remote_indices: - items: - additionalProperties: false - type: object - properties: - allow_restricted_indices: - description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too. - type: boolean - clusters: - items: - description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. - type: string - maxItems: 100 - minItems: 1 - type: array - field_security: - additionalProperties: - items: - description: The document fields that the role members have read access to. 
- type: string - maxItems: 1000 - type: array - type: object - names: - items: - description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*). - type: string - maxItems: 100 - minItems: 1 - type: array - privileges: - items: - description: The index level privileges that role members have for the specified indices. - type: string - maxItems: 100 - minItems: 1 - type: array - query: - description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. ' - type: string - required: - - clusters - - names - - privileges - maxItems: 1000 - type: array - run_as: - items: - description: A user name that the role member can impersonate. - type: string - maxItems: 100 - type: array - kibana: - items: - additionalProperties: false - type: object - properties: - base: - anyOf: - - items: {} - type: array - - type: boolean - - type: number - - type: object - - type: string - nullable: true - oneOf: - - items: - description: A base privilege that grants applies to all spaces. - type: string - maxItems: 50 - type: array - - items: - description: A base privilege that applies to specific spaces. - type: string - maxItems: 50 - type: array - feature: - additionalProperties: - items: - description: The privileges that the role member has for the feature. - type: string - maxItems: 100 - type: array - type: object - spaces: - anyOf: - - items: - enum: - - '*' - type: string - maxItems: 1 - minItems: 1 - type: array - - items: - description: A space that the privilege applies to. - type: string - maxItems: 1000 - type: array - default: - - '*' - required: - - base - type: array - metadata: - additionalProperties: - nullable: true - type: object - required: - - elasticsearch - responses: - '204': - description: Indicates a successful call. 
- summary: Create or update a role - tags: - - roles - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/security/roles: - post: - operationId: post-security-roles - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - roles: - additionalProperties: - additionalProperties: false - type: object - properties: - description: - description: A description for the role. - maxLength: 2048 - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - cluster: - items: - description: Cluster privileges that define the cluster level actions that users can perform. - type: string - maxItems: 100 - type: array - indices: - items: - additionalProperties: false - type: object - properties: - allow_restricted_indices: - description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too. - type: boolean - field_security: - additionalProperties: - items: - description: The document fields that the role members have read access to. - type: string - maxItems: 1000 - type: array - type: object - names: - items: - description: The data streams, indices, and aliases to which the permissions in this entry apply. 
It supports wildcards (*). - type: string - maxItems: 100 - minItems: 1 - type: array - privileges: - items: - description: The index level privileges that the role members have for the data streams and indices. - type: string - maxItems: 100 - minItems: 1 - type: array - query: - description: A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. - type: string - required: - - names - - privileges - maxItems: 1000 - type: array - remote_cluster: - items: - additionalProperties: false - type: object - properties: - clusters: - items: - description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. - type: string - maxItems: 100 - minItems: 1 - type: array - privileges: - items: - description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges. - type: string - maxItems: 100 - minItems: 1 - type: array - required: - - privileges - - clusters - maxItems: 100 - type: array - remote_indices: - items: - additionalProperties: false - type: object - properties: - allow_restricted_indices: - description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too. 
- type: boolean - clusters: - items: - description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. - type: string - maxItems: 100 - minItems: 1 - type: array - field_security: - additionalProperties: - items: - description: The document fields that the role members have read access to. - type: string - maxItems: 1000 - type: array - type: object - names: - items: - description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*). - type: string - maxItems: 100 - minItems: 1 - type: array - privileges: - items: - description: The index level privileges that role members have for the specified indices. - type: string - maxItems: 100 - minItems: 1 - type: array - query: - description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. ' - type: string - required: - - clusters - - names - - privileges - maxItems: 1000 - type: array - run_as: - items: - description: A user name that the role member can impersonate. - type: string - maxItems: 100 - type: array - kibana: - items: - additionalProperties: false - type: object - properties: - base: - anyOf: - - items: {} - type: array - - type: boolean - - type: number - - type: object - - type: string - nullable: true - oneOf: - - items: - description: A base privilege that grants applies to all spaces. - type: string - maxItems: 50 - type: array - - items: - description: A base privilege that applies to specific spaces. - type: string - maxItems: 50 - type: array - feature: - additionalProperties: - items: - description: The privileges that the role member has for the feature. 
- type: string - maxItems: 100 - type: array - type: object - spaces: - anyOf: - - items: - enum: - - '*' - type: string - maxItems: 1 - minItems: 1 - type: array - - items: - description: A space that the privilege applies to. - type: string - maxItems: 1000 - type: array - default: - - '*' - required: - - base - type: array - metadata: - additionalProperties: - nullable: true - type: object - required: - - elasticsearch - type: object - required: - - roles - responses: - '200': - description: Indicates a successful call. - summary: Create or update roles - tags: - - roles - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/spaces/space: - get: - description: Retrieve all available Kibana spaces. The list includes only the spaces that the user is authorized to access. - operationId: get-spaces-space - parameters: - - description: Specifies which authorization checks are applied to the API call. The default value is `any`. - in: query - name: purpose - required: false - schema: - enum: - - any - - copySavedObjectsIntoSpace - - shareSavedObjectsIntoSpace - type: string - - description: When enabled, the API returns any spaces the user is authorized to access in any capacity, each including the purposes for which the user is authorized. This is useful for identifying spaces the user can read but is not authorized for a given purpose. Without the security plugin, this parameter has no effect, because no authorization checks are performed. This parameter cannot be used together with the `purpose` parameter. - in: query - name: include_authorized_purposes - required: false - schema: - type: boolean - responses: - '200': - description: Indicates a successful call. 
- content: - application/json: - examples: - getSpacesResponseExample1: - $ref: '#/components/examples/get_spaces_response1' - getSpacesResponseExample2: - $ref: '#/components/examples/get_spaces_response2' - summary: Get all spaces - tags: - - spaces - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: Create a new Kibana space. - operationId: post-spaces-space - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - _reserved: - type: boolean - color: - description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. - type: string - description: - description: A description for the space. - type: string - disabledFeatures: - default: [] - items: - description: The list of features that are turned off in the space. - type: string - maxItems: 100 - type: array - id: - description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. - type: string - imageUrl: - description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. - type: string - initials: - description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. 
- maxLength: 2 - type: string - name: - description: 'The display name for the space. ' - minLength: 1 - type: string - projectRouting: - description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. - type: string - required: - - id - - name - examples: - createSpaceRequest: - $ref: '#/components/examples/create_space_request' - responses: - '200': - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - _reserved: - type: boolean - color: - description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. - type: string - description: - description: A description for the space. - type: string - disabledFeatures: - default: [] - items: - description: The list of features that are turned off in the space. - type: string - maxItems: 100 - type: array - id: - description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. - type: string - imageUrl: - description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. - type: string - initials: - description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. - maxLength: 2 - type: string - name: - description: 'The display name for the space. 
' - minLength: 1 - type: string - projectRouting: - description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. - type: string - required: - - id - - name - examples: - createSpaceResponseExample: - $ref: '#/components/examples/get_space_response' - description: Indicates a successful call. - summary: Create a space - tags: - - spaces - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/spaces/space/{id}: - delete: - description: When you delete a space, all saved objects that belong to the space are automatically deleted, which is permanent and cannot be undone. - operationId: delete-spaces-space-id - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The space identifier. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '404': - description: Indicates that the request failed. - summary: Delete a space - tags: - - spaces - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: Retrieve a single Kibana space by its identifier. - operationId: get-spaces-space-id - parameters: - - description: The space identifier. - in: path - name: id - required: true - schema: - type: string - responses: - '200': - description: Indicates a successful call. - content: - application/json: - examples: - getSpaceResponseExample: - $ref: '#/components/examples/get_space_response' - summary: Get a space - tags: - - spaces - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: Update an existing Kibana space. 
- operationId: put-spaces-space-id - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The space identifier. You are unable to change the ID with the update operation. - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - _reserved: - type: boolean - color: - description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. - type: string - description: - description: A description for the space. - type: string - disabledFeatures: - default: [] - items: - description: The list of features that are turned off in the space. - type: string - maxItems: 100 - type: array - id: - description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. - type: string - imageUrl: - description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. - type: string - initials: - description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. - maxLength: 2 - type: string - name: - description: 'The display name for the space. ' - minLength: 1 - type: string - projectRouting: - description: Cross-project search default routing configuration for this space. 
Controls whether searches are scoped to a single project or span multiple projects in serverless environments. - type: string - required: - - id - - name - examples: - updateSpaceRequest: - $ref: '#/components/examples/update_space_request' - responses: - '200': - description: Indicates a successful call. - summary: Update a space - tags: - - spaces - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/status: - get: - operationId: get-status - parameters: - - description: Set to "true" to get the response in v7 format. - in: query - name: v7format - required: false - schema: - type: boolean - - description: Set to "true" to get the response in v8 format. - in: query - name: v8format - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse' - description: Kibana's operational status. A minimal response is sent for unauthorized users. - description: Overall status is OK and Kibana should be functioning normally. - '503': - content: - application/json: - schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse' - description: Kibana's operational status. A minimal response is sent for unauthorized users. - description: Kibana or some of it's essential services are unavailable. Kibana may be degraded or unavailable. - summary: Get Kibana's current status - tags: - - system - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/streams: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/streams
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Fetches list of all streams

[Required authorization] Route required privileges: read_stream. - operationId: get-streams - parameters: [] - requestBody: - content: - application/json: - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: - '200': - content: - application/json: - examples: - listStreams: - value: - streams: - - description: Root logs stream - ingest: - failure_store: - inherit: {} - lifecycle: - inherit: {} - processing: - steps: [] - updated_at: '2025-01-10T08:00:00.000Z' - settings: {} - wired: - fields: - '@timestamp': - type: date - log.level: - type: keyword - message: - type: match_only_text - routing: - - destination: logs.nginx - status: enabled - where: - eq: nginx - field: host.name - name: logs - type: wired - updated_at: '2025-01-10T08:00:00.000Z' - - description: Web server access logs, routed by severity - ingest: - failure_store: - inherit: {} - lifecycle: - inherit: {} - processing: - steps: [] - updated_at: '2025-01-15T10:30:00.000Z' - settings: {} - wired: - fields: - host.name: - type: keyword - http.response.status_code: - type: long - message: - type: match_only_text - routing: - - destination: logs.nginx.errors - status: enabled - where: - field: http.response.status_code - gte: 500 - name: logs.nginx - type: wired - updated_at: '2025-01-15T10:30:00.000Z' - - description: Legacy application logs - ingest: - classic: {} - failure_store: - disabled: {} - lifecycle: - dsl: - data_retention: 30d - processing: - steps: - - action: grok - from: message - ignore_missing: true - patterns: - - '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log.level} %{GREEDYDATA:message}' - updated_at: '2024-12-01T09:00:00.000Z' - settings: {} - name: logs-myapp-default - type: classic - updated_at: '2024-12-01T09:00:00.000Z' - - description: All error-level logs across every stream - name: logs.errors - query: - esql: FROM logs* | WHERE log.level == "error" - view: logs.errors-view - type: query - updated_at: 
'2025-01-20T14:00:00.000Z' - summary: Get stream list - tags: - - streams - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/streams/_disable: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/streams/_disable
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Disables wired streams and deletes all existing stream definitions. The data of wired streams is deleted, but the data of classic streams is preserved.

[Required authorization] Route required privileges: manage_stream. - operationId: post-streams-disable - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: {} - summary: Disable streams - tags: - - streams - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/streams/_enable: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/streams/_enable
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Enables wired streams

[Required authorization] Route required privileges: manage_stream. - operationId: post-streams-enable - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: {} - summary: Enable streams - tags: - - streams - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/streams/_resync: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/streams/_resync
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Resyncs all streams, making sure that Elasticsearch assets are up to date

[Required authorization] Route required privileges: manage_stream. - operationId: post-streams-resync - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: {} - summary: Resync streams - tags: - - streams - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/streams/{name}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/streams/{name}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Deletes a stream definition and the underlying data stream

[Required authorization] Route required privileges: manage_stream. - operationId: delete-streams-name - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: {} - summary: Delete a stream - tags: - - streams - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/streams/{name}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Fetches a stream definition and associated dashboards

[Required authorization] Route required privileges: read_stream. - operationId: get-streams-name - parameters: - - in: path - name: name - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: - '200': - content: - application/json: - examples: - getWiredStream: - value: - dashboards: [] - data_stream_exists: true - effective_failure_store: - disabled: {} - from: logs - effective_lifecycle: - dsl: - data_retention: 7d - from: logs - effective_settings: {} - inherited_fields: - '@timestamp': - from: logs - type: date - log.level: - from: logs - type: keyword - privileges: - create_snapshot_repository: false - lifecycle: true - manage: true - manage_failure_store: true - monitor: true - read_failure_store: true - simulate: true - text_structure: true - view_index_metadata: true - queries: [] - rules: [] - stream: - description: Web server access logs, routed by severity - ingest: - failure_store: - inherit: {} - lifecycle: - inherit: {} - processing: - steps: [] - updated_at: '2025-01-15T10:30:00.000Z' - settings: {} - wired: - fields: - host.name: - type: keyword - http.response.status_code: - type: long - message: - type: match_only_text - routing: - - destination: logs.nginx.errors - status: enabled - where: - field: http.response.status_code - gte: 500 - name: logs.nginx - type: wired - updated_at: '2025-01-15T10:30:00.000Z' - summary: Get a stream - tags: - - streams - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/streams/{name}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Creates or updates a stream definition. Classic streams can not be created through this API, only updated

[Required authorization] Route required privileges: manage_stream. - operationId: put-streams-name - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - createQueryStream: - value: - dashboards: [] - queries: [] - rules: [] - stream: - description: All error-level logs across every stream - query: - esql: FROM logs* | WHERE log.level == "error" - view: logs.errors-view - type: query - createWiredStream: - value: - dashboards: [] - queries: [] - rules: [] - stream: - description: Web server access logs, routed by severity - ingest: - failure_store: - inherit: {} - lifecycle: - inherit: {} - processing: - steps: [] - settings: {} - wired: - fields: - host.name: - type: keyword - http.response.status_code: - type: long - message: - type: match_only_text - routing: - - destination: logs.nginx.errors - status: enabled - where: - field: http.response.status_code - gte: 500 - type: wired - updateClassicStream: - value: - dashboards: [] - queries: [] - rules: [] - stream: - description: Legacy application logs managed as a classic data stream - ingest: - classic: {} - failure_store: - disabled: {} - lifecycle: - dsl: - data_retention: 30d - processing: - steps: - - action: grok - from: message - ignore_missing: true - patterns: - - '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log.level} %{GREEDYDATA:message}' - settings: {} - type: classic - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamUpsertRequest' - responses: {} - summary: Create or update a stream - tags: - - streams - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/streams/{name}/_fork: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/streams/{name}/_fork
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Forks a wired stream and creates a child stream

[Required authorization] Route required privileges: manage_stream. - operationId: post-streams-name-fork - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - forkStream: - value: - status: enabled - stream: - name: logs.nginx.errors - where: - eq: '500' - field: http.response.status_code - schema: - additionalProperties: false - type: object - properties: - draft: - type: boolean - status: - enum: - - enabled - - disabled - type: string - stream: - additionalProperties: false - type: object - properties: - name: - type: string - required: - - name - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - required: - - stream - - where - responses: {} - summary: Fork a stream - tags: - - streams - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/streams/{name}/_ingest: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/streams/{name}/_ingest
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Fetches the ingest settings of an ingest stream definition

[Required authorization] Route required privileges: read_stream. - operationId: get-streams-name-ingest - parameters: - - in: path - name: name - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: - '200': - content: - application/json: - examples: - getWiredIngest: - value: - ingest: - failure_store: - inherit: {} - lifecycle: - inherit: {} - processing: - steps: - - action: grok - from: message - ignore_missing: false - patterns: - - '%{IPORHOST:client.ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:@timestamp}\] "%{WORD:http.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}" %{NUMBER:http.response.status_code:int} (?:%{NUMBER:http.response.body.bytes:int}|-)' - updated_at: '2025-01-15T10:30:00.000Z' - settings: {} - wired: - fields: - client.ip: - type: ip - http.method: - type: keyword - http.response.body.bytes: - type: long - http.response.status_code: - type: long - url.original: - type: wildcard - routing: - - destination: logs.nginx.errors - status: enabled - where: - field: http.response.status_code - gte: 500 - summary: Get ingest stream settings - tags: - - streams - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/streams/{name}/_ingest
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Upserts the ingest settings of an ingest stream definition

[Required authorization] Route required privileges: manage_stream. - operationId: put-streams-name-ingest - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - upsertWiredIngest: - value: - ingest: - failure_store: - inherit: {} - lifecycle: - inherit: {} - processing: - steps: - - action: grok - from: message - ignore_missing: false - patterns: - - '%{IPORHOST:client.ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:@timestamp}\] "%{WORD:http.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}" %{NUMBER:http.response.status_code:int} (?:%{NUMBER:http.response.body.bytes:int}|-)' - settings: {} - wired: - fields: - client.ip: - type: ip - http.method: - type: keyword - http.response.body.bytes: - type: long - http.response.status_code: - type: long - url.original: - type: wildcard - routing: - - destination: logs.nginx.errors - status: enabled - where: - eq: '500' - field: http.response.status_code - schema: - additionalProperties: false - type: object - properties: - ingest: - anyOf: - - additionalProperties: false - type: object - properties: - failure_store: - $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' - lifecycle: - $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' - processing: - additionalProperties: false - type: object - properties: - steps: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' - type: array - updated_at: {} - required: - - steps - settings: - additionalProperties: false - type: object - properties: - index.number_of_replicas: - additionalProperties: false - type: object - properties: - value: - type: number - required: - - value - index.number_of_shards: - additionalProperties: false - type: object - properties: - value: - type: number - required: - 
- value - index.refresh_interval: - additionalProperties: false - type: object - properties: - value: - anyOf: - - type: string - - enum: - - -1 - type: number - required: - - value - wired: - additionalProperties: false - type: object - properties: - draft: - type: boolean - fields: - $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinition' - routing: - items: - type: object - properties: - destination: - description: A non-empty string. - minLength: 1 - type: string - draft: - type: boolean - status: - enum: - - enabled - - disabled - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - required: - - destination - - where - type: array - required: - - fields - - routing - required: - - lifecycle - - processing - - settings - - failure_store - - wired - - additionalProperties: false - type: object - properties: - classic: - additionalProperties: false - type: object - properties: - field_overrides: - $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinition' - failure_store: - $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' - lifecycle: - $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' - processing: - additionalProperties: false - type: object - properties: - steps: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' - type: array - updated_at: {} - required: - - steps - settings: - additionalProperties: false - type: object - properties: - index.number_of_replicas: - additionalProperties: false - type: object - properties: - value: - type: number - required: - - value - index.number_of_shards: - additionalProperties: false - type: object - properties: - value: - type: number - required: - - value - index.refresh_interval: - additionalProperties: false - type: object - properties: - value: - anyOf: - - type: string - - enum: - - -1 - type: number - required: - - value - required: - - lifecycle - - processing - - settings - - failure_store - - classic - required: - - 
ingest - responses: {} - summary: Update ingest stream settings - tags: - - streams - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/streams/{name}/_query: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/streams/{name}/_query
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Fetches the query settings of a query stream definition

[Required authorization] Route required privileges: read_stream. - operationId: get-streams-name-query - parameters: - - in: path - name: name - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: {} - summary: Get query stream settings - tags: - - streams - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/streams/{name}/_query
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Upserts the query settings of a query stream definition

[Required authorization] Route required privileges: manage_stream. - operationId: put-streams-name-query - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - upsertQueryStream: - value: - query: - esql: FROM logs* | WHERE log.level == "error" | KEEP @timestamp, message, host.name, log.level - schema: - additionalProperties: false - type: object - properties: - field_descriptions: - additionalProperties: - type: string - type: object - query: - additionalProperties: false - type: object - properties: - esql: - type: string - required: - - esql - required: - - query - responses: {} - summary: Upsert query stream settings - tags: - - streams - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/streams/{name}/content/export: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/streams/{name}/content/export
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Exports the content associated to a stream.

[Required authorization] Route required privileges: manage_stream. - operationId: post-streams-name-content-export - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - description: - type: string - include: - $ref: '#/components/schemas/Kibana_HTTP_APIs_ContentPackIncludedObjects' - name: - type: string - version: - type: string - required: - - name - - description - - version - - include - responses: {} - summary: Export stream content - tags: - - streams - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/streams/{name}/content/import: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/streams/{name}/content/import
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Links content objects to a stream.

[Required authorization] Route required privileges: manage_stream. - operationId: post-streams-name-content-import - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - type: string - requestBody: - content: - multipart/form-data: - schema: - additionalProperties: false - type: object - properties: - content: {} - include: - type: string - required: - - include - - content - responses: {} - summary: Import content into a stream - tags: - - streams - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/streams/{name}/queries: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/streams/{name}/queries
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Fetches all queries linked to a stream that are visible to the current user in the current space.

[Required authorization] Route required privileges: read_stream. - operationId: get-streams-name-queries - parameters: - - in: path - name: name - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: {} - summary: Get stream queries - tags: - - streams - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/streams/{name}/queries/_bulk: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/streams/{name}/queries/_bulk
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Bulk update queries of a stream. Can add new queries and delete existing ones.

[Required authorization] Route required privileges: manage_stream. - operationId: post-streams-name-queries-bulk - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - operations: - items: - anyOf: - - type: object - properties: - index: - type: object - properties: - description: - default: '' - type: string - esql: - type: object - properties: - query: - type: string - required: - - query - evidence: - items: - type: string - type: array - id: - description: A non-empty string. - minLength: 1 - type: string - severity_score: - type: number - title: - description: A non-empty string. - minLength: 1 - type: string - required: - - title - - esql - - id - required: - - index - - type: object - properties: - delete: - type: object - properties: - id: - type: string - required: - - id - required: - - delete - type: array - required: - - operations - responses: {} - summary: Bulk update queries - tags: - - streams - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/streams/{name}/queries/{queryId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/streams/{name}/queries/{queryId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Remove a query from a stream. Noop if the query is not found on the stream.

[Required authorization] Route required privileges: manage_stream. - operationId: delete-streams-name-queries-queryid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - type: string - - in: path - name: queryId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: {} - summary: Remove a query from a stream - tags: - - streams - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/streams/{name}/queries/{queryId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Adds a query to a stream. Noop if the query is already present on the stream.

[Required authorization] Route required privileges: manage_stream. - operationId: put-streams-name-queries-queryid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - type: string - - in: path - name: queryId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - description: - default: '' - type: string - esql: - additionalProperties: false - type: object - properties: - query: - type: string - required: - - query - evidence: - items: - type: string - type: array - severity_score: - type: number - title: - description: A non-empty string. - minLength: 1 - type: string - required: - - title - - esql - responses: {} - summary: Upsert a query to a stream - tags: - - streams - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/streams/{name}/significant_events: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/streams/{name}/significant_events
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Read the significant events

[Required authorization] Route required privileges: read_stream. - operationId: get-streams-name-significant-events - parameters: - - in: path - name: name - required: true - schema: - type: string - - in: query - name: from - required: true - schema: - type: string - - in: query - name: to - required: true - schema: - type: string - - in: query - name: bucketSize - required: true - schema: - type: string - - description: Query string to filter significant events on metadata fields - in: query - name: query - required: false - schema: - type: string - - description: 'Search mode: keyword (BM25), semantic (vector), or hybrid (RRF). Defaults to hybrid when inference is available.' - in: query - name: searchMode - required: false - schema: - enum: - - keyword - - semantic - - hybrid - type: string - requestBody: - content: - application/json: - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: {} - summary: Read the significant events - tags: - - streams - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/streams/{name}/significant_events/_generate: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/streams/{name}/significant_events/_generate
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Generate significant events queries based on the stream data

[Required authorization] Route required privileges: read_stream. - operationId: post-streams-name-significant-events-generate - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - type: string - - description: Optional connector ID. If not provided, the default AI connector from settings will be used. - in: query - name: connectorId - required: false - schema: - type: string - - in: query - name: from - required: true - schema: - type: string - - in: query - name: to - required: true - schema: - type: string - - description: Number of sample documents to use for generation from the current data of stream - in: query - name: sampleDocsSize - required: false - schema: - type: number - requestBody: - content: - application/json: - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: {} - summary: Generate significant events - tags: - - streams - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/streams/{name}/significant_events/_preview: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/streams/{name}/significant_events/_preview
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Preview significant event results based on a given query

[Required authorization] Route required privileges: read_stream. - operationId: post-streams-name-significant-events-preview - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - type: string - - in: query - name: from - required: true - schema: - type: string - - in: query - name: to - required: true - schema: - type: string - - in: query - name: bucketSize - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - query: - additionalProperties: false - type: object - properties: - esql: - additionalProperties: false - type: object - properties: - query: - type: string - required: - - query - required: - - esql - required: - - query - responses: {} - summary: Preview significant events - tags: - - streams - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/streams/{streamName}/attachments: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/streams/{streamName}/attachments
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Fetches all attachments linked to a stream that are visible to the current user in the current space. Optionally filter by attachment types, search query, and tags.

[Required authorization] Route required privileges: read_stream. - operationId: get-streams-streamname-attachments - parameters: - - description: The name of the stream - in: path - name: streamName - required: true - schema: - type: string - - description: Search query to filter attachments by title - in: query - name: query - required: false - schema: - type: string - - description: Filter by attachment types (single value or array) - in: query - name: attachmentTypes - required: false - schema: - items: - enum: - - dashboard - - rule - - slo - type: string - type: array - - description: Filter by tags (single value or array) - in: query - name: tags - required: false - schema: - items: - type: string - type: array - requestBody: - content: - application/json: - examples: - listAttachmentsExample: - value: {} - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: - '200': - content: - application/json: - examples: - listAttachmentsResponse: - value: - attachments: - - createdAt: '2023-02-23T16:15:47.275Z' - description: Dashboard for monitoring production services - id: dashboard-123 - streamNames: - - logs.awsfirehose - - logs.nginx - tags: - - monitoring - - production - title: My Dashboard - type: dashboard - updatedAt: '2023-03-24T14:39:17.636Z' - description: Successfully retrieved attachments - summary: Get stream attachments - tags: - - streams - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/streams/{streamName}/attachments/_bulk: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/streams/{streamName}/attachments/_bulk
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Bulk update attachments linked to a stream. Can link new attachments and delete existing ones. Supports mixed attachment types in a single request.

[Required authorization] Route required privileges: manage_stream. - operationId: post-streams-streamname-attachments-bulk - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The name of the stream - in: path - name: streamName - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - bulkAttachmentsExample: - value: - operations: - - index: - id: dashboard-123 - type: dashboard - - delete: - id: rule-456 - type: rule - schema: - additionalProperties: false - type: object - properties: - operations: - items: - anyOf: - - type: object - properties: - index: - type: object - properties: - id: - type: string - type: - enum: - - dashboard - - rule - - slo - type: string - required: - - id - - type - required: - - index - - type: object - properties: - delete: - type: object - properties: - id: - type: string - type: - enum: - - dashboard - - rule - - slo - type: string - required: - - id - - type - required: - - delete - type: array - required: - - operations - responses: - '200': - content: - application/json: - examples: - bulkAttachmentsResponse: - value: - acknowledged: true - description: Successfully performed bulk operations - summary: Bulk update attachments - tags: - - streams - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Unlinks an attachment from a stream. Noop if the attachment is not linked to the stream.

[Required authorization] Route required privileges: manage_stream. - operationId: delete-streams-streamname-attachments-attachmenttype-attachmentid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The name of the stream - in: path - name: streamName - required: true - schema: - type: string - - description: The type of the attachment - in: path - name: attachmentType - required: true - schema: - enum: - - dashboard - - rule - - slo - type: string - - description: The ID of the attachment - in: path - name: attachmentId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - unlinkAttachmentExample: - value: {} - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: - '200': - content: - application/json: - examples: - unlinkAttachmentResponse: - value: - acknowledged: true - description: Successfully unlinked attachment - summary: Unlink an attachment from a stream - tags: - - streams - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Links an attachment to a stream. Noop if the attachment is already linked to the stream.

[Required authorization] Route required privileges: manage_stream. - operationId: put-streams-streamname-attachments-attachmenttype-attachmentid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The name of the stream - in: path - name: streamName - required: true - schema: - type: string - - description: The type of the attachment - in: path - name: attachmentType - required: true - schema: - enum: - - dashboard - - rule - - slo - type: string - - description: The ID of the attachment - in: path - name: attachmentId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - linkAttachmentExample: - value: {} - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: - '200': - content: - application/json: - examples: - linkAttachmentResponse: - value: - acknowledged: true - description: Successfully linked attachment - summary: Link an attachment to a stream - tags: - - streams - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/task_manager/_health: - get: - description: | - Get the health status of the Kibana task manager. - operationId: task-manager-health - responses: - '200': - content: - application/json: - examples: - taskManagerHealthResponse1: - $ref: '#/components/examples/Task_manager_health_Serverless_APIs_health_200response_serverless' - schema: - $ref: '#/components/schemas/Task_manager_health_Serverless_APIs_health_response_serverless' - description: Indicates a successful call - summary: Get the task manager health - tags: - - task manager - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/timeline: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/timeline
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete one or more Timelines or Timeline templates. - operationId: DeleteTimelines - requestBody: - content: - application/json: - examples: - deleteByIds: - summary: Delete timelines by saved object id - value: - savedObjectIds: - - 15c1929b-0af7-42bd-85a8-56e234cc7c4e - deleteWithSearches: - summary: Delete Timelines and their linked saved searches - value: - savedObjectIds: - - 15c1929b-0af7-42bd-85a8-56e234cc7c4e - - 6ce1b592-84e3-4b4a-9552-f189d4b82075 - searchIds: - - 2c1b8f02-9ad6-4e33-8f6a-2c6b7d0a1f11 - schema: - type: object - properties: - savedObjectIds: - description: The list of IDs of the Timelines or Timeline templates to delete - items: - type: string - maxItems: 100 - type: array - searchIds: - description: Saved search IDs that should be deleted alongside the timelines - items: - type: string - maxItems: 100 - type: array - required: - - savedObjectIds - description: The IDs of the Timelines or Timeline templates to delete. - required: true - responses: - '200': - content: - application/json: - examples: - success: - summary: Success - value: {} - schema: - additionalProperties: true - type: object - description: Indicates a successful call. - summary: Delete Timelines or Timeline templates - tags: - - Security Timeline API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/timeline
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the details of an existing saved Timeline or Timeline template. - operationId: GetTimeline - parameters: - - description: The `savedObjectId` of the Timeline template to retrieve. - in: query - name: template_timeline_id - schema: - type: string - - description: The `savedObjectId` of the Timeline to retrieve. - in: query - name: id - schema: - type: string - responses: - '200': - content: - application/json: - examples: - timelineDetail: - summary: Timeline detail - value: - description: User-reported suspicious email - noteIds: [] - pinnedEventIds: [] - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Phishing investigation - version: WzE0LDFd - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - description: Indicates a successful call. - summary: Get Timeline or Timeline template details - tags: - - Security Timeline API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - patch: - description: |- - **Spaces method and path for this operation:** - -
patch /s/{space_id}/api/timeline
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an existing Timeline. You can update the title, description, date range, pinned events, pinned queries, and/or pinned saved queries of an existing Timeline. - operationId: PatchTimeline - requestBody: - content: - application/json: - examples: - patchTitle: - summary: Update title - value: - timeline: - title: Escalated case review - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzE0LDFd - schema: - type: object - properties: - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - description: The timeline object of the Timeline or Timeline template that you’re updating. - timelineId: - description: The `savedObjectId` of the Timeline or Timeline template that you’re updating. - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - nullable: true - type: string - version: - description: The version of the Timeline or Timeline template that you’re updating. - example: WzE0LDFd - nullable: true - type: string - required: - - timelineId - - version - - timeline - description: The Timeline updates, along with the Timeline ID and version. - required: true - responses: - '200': - content: - application/json: - examples: - patched: - summary: Updated timeline - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Escalated case review - version: WzE1LDFd - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - description: Indicates a successful call. - '405': - content: - application/json: - examples: - error: - summary: Error body - value: - body: update timeline error - statusCode: 405 - schema: - type: object - properties: - body: - description: The error message. 
- example: update timeline error - type: string - statusCode: - example: 405 - type: number - description: Indicates that the user does not have the required access to create a Timeline. - summary: Update a Timeline - tags: - - Security Timeline API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/timeline
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new Timeline or Timeline template. - operationId: CreateTimelines - requestBody: - content: - application/json: - examples: - createDefault: - summary: Create a default timeline - value: - timeline: - status: active - timelineType: default - title: Malware containment - schema: - type: object - properties: - status: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true - templateTimelineId: - description: A unique identifier for the Timeline template. - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true - type: string - templateTimelineVersion: - description: Timeline template version number. - example: 12 - nullable: true - type: number - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - timelineId: - description: A unique identifier for the Timeline. - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true - type: string - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - version: - nullable: true - type: string - required: - - timeline - description: The required Timeline fields used to create a new Timeline, along with optional fields that will be created if not provided. - required: true - responses: - '200': - content: - application/json: - examples: - created: - summary: Created timeline - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Malware containment - version: WzE0LDFd - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - description: Indicates a successful call. 
- '405': - content: - application/json: - examples: - error: - summary: Error body - value: - body: update timeline error - statusCode: 405 - schema: - type: object - properties: - body: - description: The error message - example: update timeline error - type: string - statusCode: - example: 405 - type: number - description: Indicates that there was an error in the Timeline creation. - summary: Create a Timeline or Timeline template - tags: - - Security Timeline API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/timeline/_copy: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/timeline/_copy
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Copies and returns a timeline or timeline template. - operationId: CopyTimeline - requestBody: - content: - application/json: - examples: - copyWithTitle: - summary: Copy with a new title - value: - timeline: - timelineType: default - title: Copy of investigation - timelineIdToCopy: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - schema: - type: object - properties: - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - timelineIdToCopy: - description: The `savedObjectId` of the timeline or template to duplicate. - type: string - required: - - timeline - - timelineIdToCopy - description: Source timeline id to copy plus timeline fields for the new saved object. - required: true - responses: - '200': - content: - application/json: - examples: - copied: - summary: Newly saved timeline - value: - savedObjectId: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - status: active - timelineType: default - title: Copy of investigation - version: WzE1LDFd - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - description: Indicates a successful call. - summary: Copies timeline or timeline template - tags: - - Security Timeline API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/timeline/_draft: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/timeline/_draft
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the details of the draft Timeline or Timeline template for the current user. If the user doesn't have a draft Timeline, an empty Timeline is returned. - operationId: GetDraftTimelines - parameters: - - description: Which draft to load (`default` investigation timeline or `template` timeline template). - in: query - name: timelineType - required: true - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - responses: - '200': - content: - application/json: - examples: - draftPayload: - summary: Draft timeline payload - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: draft - timelineType: default - title: '' - version: WzE0LDFd - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - description: Indicates a successful call. - '403': - content: - application/json: - examples: - forbidden: - summary: Permission denied - value: - message: Forbidden - status_code: 403 - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: If a draft Timeline was not found and we attempted to create one, it indicates that the user does not have the required permissions to create a draft Timeline. - '409': - content: - application/json: - examples: - conflict: - summary: Draft conflict - value: - message: Conflict - status_code: 409 - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: This should never happen, but if a draft Timeline was not found and we attempted to create one, it indicates that there is already a draft Timeline with the given `timelineId`. 
- summary: Get draft Timeline or Timeline template details - tags: - - Security Timeline API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/timeline/_draft
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a clean draft Timeline or Timeline template for the current user. - > info - > If the user already has a draft Timeline, the existing draft Timeline is cleared and returned. - operationId: CleanDraftTimelines - requestBody: - content: - application/json: - examples: - defaultDraft: - summary: Create a default draft timeline - value: - timelineType: default - schema: - type: object - properties: - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - required: - - timelineType - description: The type of Timeline to create. Valid values are `default` and `template`. - required: true - responses: - '200': - content: - application/json: - examples: - draftResponse: - summary: Draft after reset or creation - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: draft - templateTimelineId: null - templateTimelineVersion: null - timelineType: default - title: '' - version: WzE0LDFd - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - description: Indicates a successful call. - '403': - content: - application/json: - examples: - forbidden: - summary: Permission denied - value: - message: Forbidden - status_code: 403 - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: Indicates that the user does not have the required permissions to create a draft Timeline. - '409': - content: - application/json: - examples: - conflict: - summary: Draft conflict - value: - message: Conflict - status_code: 409 - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: Indicates that there is already a draft Timeline with the given `timelineId`. 
- summary: Create a clean draft Timeline or Timeline template - tags: - - Security Timeline API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/timeline/_export: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/timeline/_export
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Export Timelines as an NDJSON file. - operationId: ExportTimelines - parameters: - - description: The name of the file to export - in: query - name: file_name - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - exportIds: - summary: Export by timeline ids - value: - ids: - - 15c1929b-0af7-42bd-85a8-56e234cc7c4e - schema: - type: object - properties: - ids: - items: - type: string - maxItems: 1000 - minItems: 1 - nullable: true - type: array - description: The IDs of the Timelines to export. - required: true - responses: - '200': - content: - application/ndjson: - examples: - ndjsonLine: - summary: Single NDJSON line - value: '{"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd","title":"Investigation","timelineType":"default"}' - schema: - description: NDJSON of the exported Timelines - type: string - description: Indicates a successful call. - '400': - content: - application/ndjson: - examples: - badRequest: - summary: Export error - value: - body: Export limit exceeded - statusCode: 400 - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: Bad Request response. - summary: Export Timelines - tags: - - Security Timeline API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/timeline/_favorite: - patch: - description: |- - **Spaces method and path for this operation:** - -
patch /s/{space_id}/api/timeline/_favorite
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Favorite a Timeline or Timeline template for the current user. - operationId: PersistFavoriteRoute - requestBody: - content: - application/json: - examples: - favoriteDefault: - summary: Favorite a default timeline - value: - templateTimelineId: null - templateTimelineVersion: null - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - timelineType: default - schema: - type: object - properties: - templateTimelineId: - nullable: true - type: string - templateTimelineVersion: - nullable: true - type: number - timelineId: - nullable: true - type: string - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - required: - - timelineId - - templateTimelineId - - templateTimelineVersion - - timelineType - description: The required fields used to favorite a (template) Timeline. - required: true - responses: - '200': - content: - application/json: - examples: - favoriteResponse: - summary: Favorite metadata updated - value: - favorite: - - favoriteDate: 1741337636741 - userName: elastic - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - timelineType: default - version: WzE2LDFd - schema: - $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResponse' - description: Indicates a successful call. - '403': - content: - application/json: - examples: - forbidden: - summary: Forbidden - value: - body: Forbidden - statusCode: 403 - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: Indicates the user does not have the required permissions to persist the favorite status. - summary: Favorite a Timeline or Timeline template - tags: - - Security Timeline API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/timeline/_import: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/timeline/_import
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Import Timelines. - operationId: ImportTimelines - requestBody: - content: - application/json: - examples: - multipartPlaceholder: - summary: Request shape (file is a stream of NDJSON lines at runtime) - value: - file: '{"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd"}\n' - isImmutable: 'false' - schema: - type: object - properties: - file: {} - isImmutable: - description: Whether the Timeline should be immutable - enum: - - 'true' - - 'false' - type: string - required: - - file - description: The Timelines to import as a readable stream. - required: true - responses: - '200': - content: - application/json: - examples: - importSummary: - summary: Import summary - value: - errors: [] - success: true - success_count: 5 - timelines_installed: 3 - timelines_updated: 2 - schema: - $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult' - description: Indicates a successful call. - '400': - content: - application/json: - examples: - badRequest: - summary: Invalid import - value: - body: Invalid file extension - statusCode: 400 - schema: - type: object - properties: - body: - description: The error message - example: Invalid file extension - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - '404': - content: - application/json: - examples: - notFound: - summary: Saved objects client missing - value: - body: Unable to find saved object client - statusCode: 404 - schema: - type: object - properties: - body: - description: The error message - example: Unable to find saved object client - type: string - statusCode: - example: 404 - type: number - description: Not found response. 
- '409': - content: - application/json: - examples: - conflict: - summary: Import conflict - value: - body: Could not import timelines - statusCode: 409 - schema: - type: object - properties: - body: - description: The error message - example: Could not import timelines - type: string - statusCode: - example: 409 - type: number - description: Indicates the import of Timelines was unsuccessful. - summary: Import Timelines - tags: - - Security Timeline API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/timeline/_prepackaged: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/timeline/_prepackaged
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Install or update prepackaged Timelines. - operationId: InstallPrepackedTimelines - requestBody: - content: - application/json: - examples: - emptyArrays: - summary: Installer payload shape - value: - prepackagedTimelines: [] - timelinesToInstall: [] - timelinesToUpdate: [] - schema: - type: object - properties: - prepackagedTimelines: - items: - $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject' - nullable: true - type: array - timelinesToInstall: - items: - $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' - nullable: true - type: array - timelinesToUpdate: - items: - $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' - nullable: true - type: array - required: - - timelinesToInstall - - timelinesToUpdate - - prepackagedTimelines - description: The Timelines to install or update. - required: true - responses: - '200': - content: - application/json: - examples: - installResult: - summary: Install result counts - value: - errors: [] - success: true - success_count: 10 - timelines_installed: 8 - timelines_updated: 2 - schema: - $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult' - description: Indicates a successful call. - '500': - content: - application/json: - examples: - serverError: - summary: Server error - value: - body: Internal error - statusCode: 500 - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: Indicates the installation of prepackaged Timelines was unsuccessful. - summary: Install prepackaged Timelines - tags: - - Security Timeline API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/timeline/resolve: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/timeline/resolve
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Resolve a Timeline or Timeline template, surfacing outcomes such as `exactMatch`, `aliasMatch`, or `conflict` when object IDs have been remapped during upgrades or imports. Provide **either** `id` for default Timelines or `template_timeline_id` for templates. - operationId: ResolveTimeline - parameters: - - description: The ID of the template timeline to resolve - in: query - name: template_timeline_id - schema: - type: string - - description: The ID of the timeline to resolve - in: query - name: id - schema: - type: string - responses: - '200': - content: - application/json: - examples: - exactMatch: - description: Timeline resolved without alias or conflict - summary: Exact match outcome - value: - outcome: exactMatch - timeline: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - timelineType: default - title: Investigation - schema: - $ref: '#/components/schemas/Security_Timeline_API_ResolvedTimeline' - description: Indicates a successful call. - '400': - content: - application/json: - examples: - badRequest: - summary: Bad request - value: {} - schema: - additionalProperties: true - type: object - description: Bad Request response. - '404': - content: - application/json: - examples: - notFound: - summary: Not found - value: {} - schema: - additionalProperties: true - type: object - description: The (template) Timeline was not found - summary: Resolve a Timeline or Timeline template - tags: - - Security Timeline API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/timelines: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/timelines
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all saved Timelines or Timeline templates. - operationId: GetTimelines - parameters: - - description: If `true`, only Timelines that the current user has marked as favorite are returned. - in: query - name: only_user_favorite - schema: - enum: - - 'true' - - 'false' - nullable: true - type: string - - description: Restrict results to `default` investigation timelines or `template` timeline templates. - in: query - name: timeline_type - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - - description: Field used to sort the list (`title`, `description`, `updated`, or `created`). - in: query - name: sort_field - schema: - $ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline' - - description: Whether to sort the results `ascending` or `descending` - in: query - name: sort_order - schema: - enum: - - asc - - desc - type: string - - description: How many results should returned at once - in: query - name: page_size - schema: - nullable: true - type: string - - description: How many pages should be skipped - in: query - name: page_index - schema: - nullable: true - type: string - - description: Allows to search for timelines by their title - in: query - name: search - schema: - nullable: true - type: string - - description: Filter by timeline lifecycle state (`active`, `draft`, or `immutable`). 
- in: query - name: status - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true - responses: - '200': - content: - application/json: - examples: - timelineList: - summary: Example list response - value: - customTemplateTimelineCount: 0 - defaultTimelineCount: 1 - elasticTemplateTimelineCount: 0 - favoriteCount: 0 - templateTimelineCount: 0 - timeline: - - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Phishing investigation - updated: 1741344876825 - version: WzE0LDFd - totalCount: 1 - schema: - type: object - properties: - customTemplateTimelineCount: - description: The amount of custom Timeline templates in the results - example: 2 - type: number - defaultTimelineCount: - description: The amount of `default` type Timelines in the results - example: 90 - type: number - elasticTemplateTimelineCount: - description: The amount of Elastic's Timeline templates in the results - example: 8 - type: number - favoriteCount: - description: The amount of favorited Timelines - example: 5 - type: number - templateTimelineCount: - description: The amount of Timeline templates in the results - example: 10 - type: number - timeline: - items: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - type: array - totalCount: - description: The total amount of results - example: 100 - type: number - required: - - timeline - - totalCount - description: Indicates a successful call. - '400': - content: - application/json: - examples: - badRequest: - summary: Error response body - value: - body: get timeline error - statusCode: 400 - schema: - type: object - properties: - body: - description: The error message. - example: get timeline error - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. 
- summary: Get Timelines or Timeline templates - tags: - - Security Timeline API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/workflows: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/workflows
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete multiple workflows by their IDs.

[Required authorization] Route required privileges: workflowsManagement:delete. - operationId: delete-workflows - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: When true, permanently deletes the workflows (hard delete) instead of soft-deleting them. The workflow IDs become available for reuse. - in: query - name: force - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - examples: - bulkDeleteWorkflowsRequestExample: - description: Example request for deleting multiple workflows - value: - ids: - - workflow-c3d4e5f6-a7b8-9012-cdef-234567890123 - - workflow-d4e5f6a7-b8c9-0123-defa-345678901234 - schema: - additionalProperties: false - type: object - properties: - ids: - description: Array of workflow IDs to delete. - items: - description: Workflow ID to delete. - type: string - maxItems: 1000 - type: array - required: - - ids - responses: - '200': - content: - application/json: - examples: - bulkDeleteWorkflowsResponseExample: - description: Example response after deleting multiple workflows - value: - deleted: 2 - failures: [] - total: 2 - description: Indicates a successful response - summary: Bulk delete workflows - tags: - - workflows - x-codeSamples: - - label: Soft delete (default) - lang: curl - source: | - curl \ - -X DELETE "${KIBANA_URL}/api/workflows" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] - }' - - label: Hard delete (permanent) - lang: curl - source: | - curl \ - -X DELETE "${KIBANA_URL}/api/workflows?force=true" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "ids": 
["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] - }' - - lang: Console - source: | - DELETE kbn://api/workflows - { - "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] - } - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/workflows
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve a paginated list of workflows with optional filtering.

[Required authorization] Route required privileges: workflowsManagement:read OR workflowsManagement:readExecution. - operationId: get-workflows - parameters: - - description: Free-text search query. - in: query - name: query - required: false - schema: - type: string - - description: Number of results per page. - in: query - name: size - required: false - schema: - minimum: 1 - type: number - - description: Page number. - in: query - name: page - required: false - schema: - minimum: 1 - type: number - - description: Filter by enabled state. - in: query - name: enabled - required: false - schema: - items: - type: boolean - maxItems: 2 - type: array - - description: Filter by creator. - in: query - name: createdBy - required: false - schema: - items: - type: string - maxItems: 1000 - type: array - - description: Filter by tags. - in: query - name: tags - required: false - schema: - items: - type: string - maxItems: 1000 - type: array - responses: - '200': - content: - application/json: - examples: - getWorkflowsResponseExample: - description: Example response returning a paginated list of workflows - value: - page: 1 - results: - - createdAt: '2025-11-20T10:30:00.000Z' - definition: - description: This is a workflow example - enabled: true - inputs: - - default: hello world - name: message - type: string - name: Example definition - steps: - - name: hello_world_step - type: console - with: - message: '{{ inputs.message }}' - triggers: - - type: manual - description: This is a workflow example - enabled: true - history: - - duration: 5000 - finishedAt: '2025-11-20T12:00:05.000Z' - id: exec-001 - startedAt: '2025-11-20T12:00:00.000Z' - status: completed - workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - workflowName: Example definition - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - name: Example definition - tags: - - example - valid: true - size: 20 - total: 1 - description: Indicates a successful response - summary: Get workflows - tags: - - 
workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/workflows?size=20&page=1" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/workflows?size=20&page=1 - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/workflows
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create multiple workflows in a single request. Optionally overwrite existing workflows.

[Required authorization] Route required privileges: workflowsManagement:create AND workflowsManagement:update. - operationId: post-workflows - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Whether to overwrite existing workflows. - in: query - name: overwrite - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - examples: - bulkCreateWorkflowsRequestExample: - description: Example request for creating multiple workflows at once - value: - workflows: - - yaml: | - name: Example definition - enabled: true - description: This is a workflow example - triggers: - - type: manual - inputs: - - name: message - type: string - default: "hello world" - steps: - - name: hello_world_step - type: console - with: - message: "{{ inputs.message }}" - - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 - yaml: | - name: Second workflow - enabled: false - description: Another workflow - triggers: - - type: manual - steps: - - name: log_step - type: console - with: - message: "Hello from second workflow" - schema: - additionalProperties: false - type: object - properties: - workflows: - items: - type: object - properties: - id: - maxLength: 255 - minLength: 3 - pattern: ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ - type: string - yaml: - maxLength: 1048576 - type: string - required: - - yaml - maxItems: 500 - type: array - required: - - workflows - responses: - '200': - content: - application/json: - examples: - bulkCreateWorkflowsResponseExample: - description: Example response after creating multiple workflows - value: - created: - - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - name: Example definition - - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 - name: Second workflow - failures: [] - total: 2 - description: Indicates a successful response - summary: Bulk create workflows - tags: - - 
workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/workflows?overwrite=false" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "workflows": [ - { "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" }, - { "id": "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901", "yaml": "name: Second workflow\nenabled: false\ndescription: Another workflow\ntriggers:\n - type: manual\nsteps:\n - name: log_step\n type: console\n with:\n message: \"Hello from second workflow\"\n" } - ] - }' - - lang: Console - source: | - POST kbn://api/workflows?overwrite=false - { - "workflows": [ - { "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" }, - { "id": "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901", "yaml": "name: Second workflow\nenabled: false\ndescription: Another workflow\ntriggers:\n - type: manual\nsteps:\n - name: log_step\n type: console\n with:\n message: \"Hello from second workflow\"\n" } - ] - } - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/workflows/aggs: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/workflows/aggs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve distinct values and their counts for the specified workflow fields. Useful for building filters such as lists of tags or creators.

[Required authorization] Route required privileges: workflowsManagement:read. - operationId: get-workflows-aggs - parameters: - - description: Field or fields to aggregate on. - in: query - name: fields - required: true - schema: - description: Fields to aggregate on. - items: - description: Field name to aggregate. - type: string - maxItems: 25 - type: array - responses: - '200': - content: - application/json: - examples: - getAggsResponseExample: - description: Example response with tag and createdBy aggregations - value: - createdBy: - - doc_count: 2 - key: elastic - tags: - - doc_count: 1 - key: reporting - - doc_count: 1 - key: security - - doc_count: 1 - key: triage - description: Indicates a successful response - summary: Get workflow aggregations - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/workflows/aggs?fields=tags&fields=createdBy" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/workflows/aggs?fields=tags&fields=createdBy - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/workflows/connectors: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/workflows/connectors
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve the Kibana action connectors that can be used in workflow steps, grouped by connector type. Each type includes its configured instances and availability status.

[Required authorization] Route required privileges: workflowsManagement:read. - operationId: get-workflows-connectors - parameters: [] - responses: - '200': - content: - application/json: - examples: - getConnectorsResponseExample: - description: Example response with available connector types and their instances - value: - connectorTypes: - .email: - actionTypeId: .email - displayName: Email - enabled: true - enabledInConfig: true - enabledInLicense: true - instances: [] - minimumLicenseRequired: gold - subActions: - - displayName: Send - name: send - .slack_api: - actionTypeId: .slack_api - displayName: Slack - enabled: true - enabledInConfig: true - enabledInLicense: true - instances: - - id: slack-connector-1 - isDeprecated: false - isPreconfigured: false - name: Team Notifications - minimumLicenseRequired: gold - subActions: - - displayName: Post Message - name: postMessage - totalConnectors: 1 - description: Indicates a successful response - summary: Get available connectors - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/workflows/connectors" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/workflows/connectors - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/workflows/executions/{executionId}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/workflows/executions/{executionId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve details of a single workflow execution by its ID.

[Required authorization] Route required privileges: workflowsManagement:readExecution. - operationId: get-workflows-executions-executionid - parameters: - - description: Workflow execution ID - in: path - name: executionId - required: true - schema: - type: string - - description: Include execution input data. - in: query - name: includeInput - required: false - schema: - default: false - type: boolean - - description: Include execution output data. - in: query - name: includeOutput - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - getExecutionResponseExample: - description: Example response returning a workflow execution with step details - value: - duration: 3000 - executedBy: elastic - finishedAt: '2025-11-20T12:00:03.000Z' - id: exec-a1b2c3d4-e5f6-7890 - input: - message: hello world - isTestRun: false - output: hello world - spaceId: default - startedAt: '2025-11-20T12:00:00.000Z' - status: completed - stepExecutions: - - executionTimeMs: 1000 - finishedAt: '2025-11-20T12:00:02.000Z' - globalExecutionIndex: 0 - id: step-exec-001 - isTestRun: false - scopeStack: [] - spaceId: default - startedAt: '2025-11-20T12:00:01.000Z' - status: completed - stepExecutionIndex: 0 - stepId: hello_world_step - stepType: console - topologicalIndex: 0 - workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - workflowRunId: exec-a1b2c3d4-e5f6-7890 - triggeredBy: manual - workflowDefinition: - description: This is a workflow example - enabled: true - inputs: - - default: hello world - name: message - type: string - name: Example definition - steps: - - name: hello_world_step - type: console - with: - message: '{{ inputs.message }}' - triggers: - - type: manual - workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - yaml: | - name: Example definition - enabled: true - description: This is a workflow example - triggers: - - type: manual - inputs: - - name: message - type: string - default: "hello 
world" - steps: - - name: hello_world_step - type: console - with: - message: "{{ inputs.message }}" - description: Indicates a successful response - summary: Get a workflow execution - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}?includeInput=true&includeOutput=true" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/workflows/executions/{executionId}?includeInput=true&includeOutput=true - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/workflows/executions/{executionId}/cancel: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/workflows/executions/{executionId}/cancel
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Cancel a running workflow execution by its ID.

[Required authorization] Route required privileges: workflowsManagement:cancelExecution. - operationId: post-workflows-executions-executionid-cancel - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Workflow execution ID - in: path - name: executionId - required: true - schema: - type: string - responses: - '200': - description: Indicates a successful response - summary: Cancel a workflow execution - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/workflows/executions/{executionId}/cancel" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - lang: Console - source: | - POST kbn://api/workflows/executions/{executionId}/cancel - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/workflows/executions/{executionId}/children: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/workflows/executions/{executionId}/children
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve child workflow executions spawned by sub-workflow steps within a parent execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. - operationId: get-workflows-executions-executionid-children - parameters: - - description: Workflow execution ID - in: path - name: executionId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getChildrenExecutionsResponseExample: - description: Example response returning child workflow executions spawned by sub-workflow steps - value: - - executionId: child-exec-001 - parentStepExecutionId: step-exec-003 - status: completed - stepExecutions: - - executionTimeMs: 1000 - finishedAt: '2025-11-20T12:00:07.000Z' - globalExecutionIndex: 0 - id: child-step-001 - isTestRun: false - scopeStack: [] - startedAt: '2025-11-20T12:00:06.000Z' - status: completed - stepExecutionIndex: 0 - stepId: hello_world_step - stepType: console - topologicalIndex: 0 - workflowId: workflow-e5f6a7b8-c9d0-1234-efab-456789012345 - workflowRunId: child-exec-001 - workflowId: workflow-e5f6a7b8-c9d0-1234-efab-456789012345 - workflowName: Child Workflow - description: Indicates a successful response - summary: Get child executions - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/children" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/workflows/executions/{executionId}/children - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/workflows/executions/{executionId}/logs: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/workflows/executions/{executionId}/logs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve paginated logs for a workflow execution. Optionally filter by a specific step execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. - operationId: get-workflows-executions-executionid-logs - parameters: - - description: Workflow execution ID - in: path - name: executionId - required: true - schema: - type: string - - description: Filter logs by a specific step execution ID. - in: query - name: stepExecutionId - required: false - schema: - type: string - - description: Number of log entries per page. - in: query - name: size - required: false - schema: - default: 100 - maximum: 100 - minimum: 1 - type: number - - description: Page number. - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: number - - description: Field to sort by. - in: query - name: sortField - required: false - schema: - type: string - - description: Sort order. - in: query - name: sortOrder - required: false - schema: - enum: - - asc - - desc - type: string - responses: - '200': - content: - application/json: - examples: - getExecutionLogsResponseExample: - description: Example response returning paginated execution logs - value: - logs: - - additionalData: - executionId: exec-a1b2c3d4-e5f6-7890 - workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - connectorType: console - duration: 150 - id: log-001 - level: info - message: Workflow execution started - stepId: hello_world_step - stepName: Hello World - timestamp: '2025-11-20T12:00:01.000Z' - - additionalData: - executionId: exec-a1b2c3d4-e5f6-7890 - workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - connectorType: console - duration: 200 - id: log-002 - level: info - message: Step completed successfully - stepId: hello_world_step - stepName: Hello World - timestamp: '2025-11-20T12:00:02.000Z' - page: 1 - size: 100 - total: 2 - description: Indicates a successful response - summary: Get execution logs - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET 
"${KIBANA_URL}/api/workflows/executions/{executionId}/logs?size=100&page=1" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/workflows/executions/{executionId}/logs?size=100&page=1 - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/workflows/executions/{executionId}/resume: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/workflows/executions/{executionId}/resume
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Resume a paused workflow execution with the provided input.

[Required authorization] Route required privileges: workflowsManagement:execute. - operationId: post-workflows-executions-executionid-resume - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Workflow execution ID - in: path - name: executionId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - resumeExecutionRequestExample: - description: Example request to resume a paused workflow execution - value: - input: - approved: true - comment: Approved by analyst - schema: - additionalProperties: false - type: object - properties: - input: - additionalProperties: - nullable: true - description: Input data to resume the execution with. - type: object - required: - - input - responses: - '200': - content: - application/json: - examples: - resumeExecutionResponseExample: - description: Example response confirming the resume was scheduled - value: - executionId: exec-a1b2c3d4-e5f6-7890 - message: Workflow resume scheduled - success: true - description: Indicates a successful response - summary: Resume a workflow execution - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/workflows/executions/{executionId}/resume" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "input": { - "approved": true, - "comment": "Approved by analyst" - } - }' - - lang: Console - source: | - POST kbn://api/workflows/executions/{executionId}/resume - { - "input": { - "approved": true, - "comment": "Approved by analyst" - } - } - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/workflows/executions/{executionId}/step/{stepExecutionId}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/workflows/executions/{executionId}/step/{stepExecutionId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve details of a single step execution within a workflow execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. - operationId: get-workflows-executions-executionid-step-stepexecutionid - parameters: - - description: Workflow execution ID. - in: path - name: executionId - required: true - schema: - type: string - - description: Step execution ID. - in: path - name: stepExecutionId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getStepExecutionResponseExample: - description: Example response returning a single step execution - value: - error: null - executionTimeMs: 1000 - finishedAt: '2025-11-20T12:00:02.000Z' - globalExecutionIndex: 0 - id: step-exec-001 - input: - message: hello world - isTestRun: false - output: hello world - scopeStack: [] - spaceId: default - startedAt: '2025-11-20T12:00:01.000Z' - state: null - status: completed - stepExecutionIndex: 0 - stepId: hello_world_step - stepType: console - topologicalIndex: 0 - workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - workflowRunId: exec-a1b2c3d4-e5f6-7890 - description: Indicates a successful response - summary: Get a step execution - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/step/{stepExecutionId}" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/workflows/executions/{executionId}/step/{stepExecutionId} - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/workflows/export: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/workflows/export
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Export one or more workflows as JSON with YAML content and metadata.

[Required authorization] Route required privileges: workflowsManagement:read. - operationId: post-workflows-export - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - exportWorkflowsRequestExample: - description: Example request to export workflows - value: - ids: - - workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - - workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 - schema: - additionalProperties: false - type: object - properties: - ids: - description: Array of workflow IDs to export. - items: - description: Workflow ID to export. - maxLength: 255 - type: string - maxItems: 500 - minItems: 1 - type: array - required: - - ids - responses: - '200': - content: - application/json: - examples: - exportWorkflowsResponseExample: - description: Workflow entries with YAML content and export manifest - value: - entries: - - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - yaml: |- - name: My Workflow - steps: - - type: http.request - with: - url: https://example.com - - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 - yaml: |- - name: Another Workflow - steps: - - type: http.request - with: - url: https://example.com - manifest: - exportedAt: '2026-03-26T12:00:00.000Z' - exportedCount: 2 - version: '1' - description: JSON containing exported workflow YAML entries and manifest metadata - summary: Export workflows - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/workflows/export" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"] - }' - - lang: Console - source: | - POST kbn://api/workflows/export - { - "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", 
"workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"] - } - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/workflows/mget: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/workflows/mget
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve multiple workflows by their IDs in a single request. Optionally use the `source` parameter to return only specific fields from each workflow document.

[Required authorization] Route required privileges: workflowsManagement:read. - operationId: post-workflows-mget - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - mgetWorkflowsRequestExample: - description: Example request to retrieve multiple workflows by their IDs - value: - ids: - - workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - - workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 - source: - - name - - enabled - schema: - additionalProperties: false - type: object - properties: - ids: - description: Array of workflow IDs to look up. - items: - description: Workflow ID. - maxLength: 255 - type: string - maxItems: 500 - minItems: 1 - type: array - source: - description: Array of source fields to include. - items: - description: Source field. - maxLength: 255 - type: string - maxItems: 10 - minItems: 1 - type: array - required: - - ids - responses: - '200': - content: - application/json: - examples: - mgetWorkflowsResponseExample: - description: Example response returning the requested workflows with projected fields - value: - - enabled: true - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - name: Example definition - - enabled: false - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 - name: Second workflow - description: Indicates a successful response - summary: Get workflows by IDs - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/workflows/mget" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"], - "source": ["name", "enabled"] - }' - - lang: Console - source: | - POST kbn://api/workflows/mget - { - "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", 
"workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"], - "source": ["name", "enabled"] - } - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/workflows/schema: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/workflows/schema
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve the JSON schema used to validate workflow YAML definitions. The schema includes available step types based on the configured connectors in the current space.

[Required authorization] Route required privileges: workflowsManagement:read. - operationId: get-workflows-schema - parameters: - - description: When true, returns a permissive schema that allows additional properties. When false, returns a strict schema for full validation. - in: query - name: loose - required: true - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - getSchemaResponseExample: - description: Example response returning the workflow JSON schema (truncated) - value: - $schema: http://json-schema.org/draft-07/schema# - type: object - properties: - description: - type: string - enabled: - default: true - type: boolean - name: - minLength: 1 - type: string - tags: - items: - type: string - type: array - version: - const: '1' - default: '1' - description: The version of the workflow schema - type: string - required: - - name - - triggers - - steps - description: Indicates a successful response - summary: Get workflow JSON schema - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/workflows/schema?loose=false" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/workflows/schema?loose=false - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/workflows/stats: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/workflows/stats
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve summary statistics about workflows, including total, enabled, and disabled counts; execution history metrics for the last 30 days are included only when the caller has execution read privilege.

[Required authorization] Route required privileges: workflowsManagement:read OR workflowsManagement:readExecution. - operationId: get-workflows-stats - parameters: [] - responses: - '200': - content: - application/json: - examples: - getStatsResponseExample: - description: Example response with workflow counts and 30-day execution history - value: - executions: - - cancelled: 1 - completed: 45 - date: '2025-11-20' - failed: 2 - timestamp: '2025-11-20T00:00:00.000Z' - - cancelled: 0 - completed: 50 - date: '2025-11-21' - failed: 0 - timestamp: '2025-11-21T00:00:00.000Z' - workflows: - disabled: 3 - enabled: 12 - description: Indicates a successful response - summary: Get workflow statistics - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/workflows/stats" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/workflows/stats - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/workflows/step/test: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/workflows/step/test
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Execute a single step from a workflow definition in test mode.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read. - operationId: post-workflows-step-test - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - testStepRequestExample: - description: Example request to test a single workflow step - value: - contextOverride: - inputs: - message: override message - stepId: hello_world_step - workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - workflowYaml: | - name: Example definition - enabled: true - description: This is a workflow example - triggers: - - type: manual - inputs: - - name: message - type: string - default: "hello world" - steps: - - name: hello_world_step - type: console - with: - message: "{{ inputs.message }}" - schema: - additionalProperties: false - type: object - properties: - contextOverride: - additionalProperties: - nullable: true - description: Context overrides for the step execution. - type: object - executionContext: - additionalProperties: - nullable: true - description: Execution context for the step execution. - type: object - stepId: - description: ID of the step to test. - type: string - workflowId: - description: ID of the workflow containing the step. - type: string - workflowYaml: - description: YAML definition of the workflow containing the step. 
- type: string - required: - - stepId - - contextOverride - - workflowYaml - responses: - '200': - content: - application/json: - examples: - testStepResponseExample: - description: Example response returning the step test execution ID - value: - workflowExecutionId: step-test-exec-a1b2c3d4 - description: Indicates a successful response - summary: Test a workflow step - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/workflows/step/test" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "stepId": "hello_world_step", - "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", - "workflowYaml": "name: Example definition\nenabled: true\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"", - "contextOverride": { "inputs": { "message": "override message" } } - }' - - lang: Console - source: | - POST kbn://api/workflows/step/test - { - "stepId": "hello_world_step", - "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", - "workflowYaml": "name: Example definition\nenabled: true\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"", - "contextOverride": { "inputs": { "message": "override message" } } - } - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/workflows/test: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/workflows/test
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Execute a workflow in test mode without requiring it to be saved or enabled. Provide either a workflow ID to test a saved workflow, a YAML definition to test an unsaved draft, or both to test a modified version of an existing workflow.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read. - operationId: post-workflows-test - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - testWorkflowByIdRequestExample: - description: Example request to test a saved workflow by its ID - value: - inputs: - message: test message - workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - testWorkflowByYamlRequestExample: - description: Example request to test an unsaved workflow YAML draft - value: - inputs: - message: test message - workflowYaml: | - name: Example definition - enabled: true - description: This is a workflow example - triggers: - - type: manual - inputs: - - name: message - type: string - default: "hello world" - steps: - - name: hello_world_step - type: console - with: - message: "{{ inputs.message }}" - schema: - additionalProperties: false - type: object - properties: - inputs: - additionalProperties: - nullable: true - description: Key-value inputs for the test execution. - type: object - workflowId: - description: ID of an existing workflow to test. - type: string - workflowYaml: - description: YAML definition to test. 
- type: string - required: - - inputs - responses: - '200': - content: - application/json: - examples: - testWorkflowResponseExample: - description: Example response returning the test execution ID - value: - workflowExecutionId: test-exec-a1b2c3d4-e5f6 - description: Indicates a successful response - summary: Test a workflow - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/workflows/test" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", - "inputs": { "message": "test message" } - }' - - lang: Console - source: | - POST kbn://api/workflows/test - { - "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", - "inputs": { "message": "test message" } - } - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/workflows/workflow: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/workflows/workflow
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new workflow from a YAML definition. The YAML is validated and parsed before the workflow is saved. An optional custom ID can be provided.

[Required authorization] Route required privileges: workflowsManagement:create. - operationId: post-workflows-workflow - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - createWorkflowRequestExample: - description: Example request for creating a workflow from a YAML definition - value: - yaml: | - name: Example definition - enabled: true - description: This is a workflow example - triggers: - - type: manual - inputs: - - name: message - type: string - default: "hello world" - steps: - - name: hello_world_step - type: console - with: - message: "{{ inputs.message }}" - createWorkflowWithIdRequestExample: - description: Example request for creating a workflow with a custom ID - value: - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - yaml: | - name: Example definition - enabled: true - description: This is a workflow example - triggers: - - type: manual - inputs: - - name: message - type: string - default: "hello world" - steps: - - name: hello_world_step - type: console - with: - message: "{{ inputs.message }}" - schema: - additionalProperties: false - type: object - properties: - id: - maxLength: 255 - minLength: 3 - pattern: ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ - type: string - yaml: - maxLength: 1048576 - type: string - required: - - yaml - responses: - '200': - content: - application/json: - examples: - createWorkflowResponseExample: - description: Example response returning the created workflow - value: - createdAt: '2025-11-20T10:30:00.000Z' - createdBy: elastic - definition: - description: This is a workflow example - enabled: true - inputs: - - default: hello world - name: message - type: string - name: Example definition - steps: - - name: hello_world_step - type: console - with: - message: '{{ inputs.message }}' - triggers: - - type: manual - description: This is a workflow 
example - enabled: true - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - lastUpdatedAt: '2025-11-20T10:30:00.000Z' - lastUpdatedBy: elastic - name: Example definition - valid: true - yaml: | - name: Example definition - enabled: true - description: This is a workflow example - triggers: - - type: manual - inputs: - - name: message - type: string - default: "hello world" - steps: - - name: hello_world_step - type: console - with: - message: "{{ inputs.message }}" - description: Indicates a successful response - summary: Create a workflow - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/workflows/workflow" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" - }' - - lang: Console - source: | - POST kbn://api/workflows/workflow - { - "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" - } - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/workflows/workflow/{id}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/workflows/workflow/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a single workflow by its ID.

[Required authorization] Route required privileges: workflowsManagement:delete. - operationId: delete-workflows-workflow-id - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Workflow ID - in: path - name: id - required: true - schema: - type: string - - description: When true, permanently deletes the workflow (hard delete) instead of soft-deleting it. The workflow ID becomes available for reuse. - in: query - name: force - required: false - schema: - default: false - type: boolean - responses: - '200': - description: Indicates a successful response - summary: Delete a workflow - tags: - - workflows - x-codeSamples: - - label: Soft delete (default) - lang: curl - source: | - curl \ - -X DELETE "${KIBANA_URL}/api/workflows/workflow/{id}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - label: Hard delete (permanent) - lang: curl - source: | - curl \ - -X DELETE "${KIBANA_URL}/api/workflows/workflow/{id}?force=true" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - lang: Console - source: | - DELETE kbn://api/workflows/workflow/{id} - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/workflows/workflow/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve a single workflow by its ID.

[Required authorization] Route required privileges: workflowsManagement:read. - operationId: get-workflows-workflow-id - parameters: - - description: Workflow ID - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getWorkflowResponseExample: - description: Example response returning a single workflow - value: - createdAt: '2025-11-20T10:30:00.000Z' - createdBy: elastic - definition: - description: This is a workflow example - enabled: true - inputs: - - default: hello world - name: message - type: string - name: Example definition - steps: - - name: hello_world_step - type: console - with: - message: '{{ inputs.message }}' - triggers: - - type: manual - description: This is a workflow example - enabled: true - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - lastUpdatedAt: '2025-11-21T14:00:00.000Z' - lastUpdatedBy: elastic - name: Example definition - valid: true - yaml: | - name: Example definition - enabled: true - description: This is a workflow example - triggers: - - type: manual - inputs: - - name: message - type: string - default: "hello world" - steps: - - name: hello_world_step - type: console - with: - message: "{{ inputs.message }}" - description: Indicates a successful response - summary: Get a workflow - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/workflows/workflow/{id}" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/workflows/workflow/{id} - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/workflows/workflow/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Partially update an existing workflow. You can update individual fields such as name, description, enabled state, tags, or the YAML definition without providing all fields.

[Required authorization] Route required privileges: workflowsManagement:update. - operationId: put-workflows-workflow-id - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Workflow ID - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - updateWorkflowEnableExample: - description: Example request to enable a workflow and update its tags - value: - enabled: true - tags: - - production - updateWorkflowFullExample: - description: Example request to update multiple workflow fields - value: - description: Updated workflow description - enabled: true - name: Updated example - tags: - - example - - updated - yaml: | - name: Updated example - enabled: true - description: Updated workflow description - triggers: - - type: manual - inputs: - - name: message - type: string - default: "hello world" - steps: - - name: hello_world_step - type: console - with: - message: "{{ inputs.message }}" - schema: - additionalProperties: false - type: object - properties: - description: - type: string - enabled: - type: boolean - name: - type: string - tags: - items: - type: string - type: array - yaml: - type: string - responses: - '200': - content: - application/json: - examples: - updateWorkflowResponseExample: - description: Example response returning the updated workflow - value: - enabled: false - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - lastUpdatedAt: '2026-03-23T13:38:59.568Z' - lastUpdatedBy: elastic - valid: true - validationErrors: [] - description: Indicates a successful response - summary: Update a workflow - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X PUT "${KIBANA_URL}/api/workflows/workflow/{id}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "enabled": 
true, - "tags": ["production"] - }' - - lang: Console - source: | - PUT kbn://api/workflows/workflow/{id} - { - "enabled": true, - "tags": ["production"] - } - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/workflows/workflow/{id}/clone: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/workflows/workflow/{id}/clone
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a copy of an existing workflow.

[Required authorization] Route required privileges: workflowsManagement:create AND workflowsManagement:read. - operationId: post-workflows-workflow-id-clone - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Workflow ID - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - cloneWorkflowResponseExample: - description: Example response returning the cloned workflow with a new ID - value: - createdAt: '2025-11-22T11:00:00.000Z' - createdBy: elastic - definition: - description: This is a workflow example - enabled: false - inputs: - - default: hello world - name: message - type: string - name: Example definition (copy) - steps: - - name: hello_world_step - type: console - with: - message: '{{ inputs.message }}' - triggers: - - type: manual - description: This is a workflow example - enabled: false - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 - lastUpdatedAt: '2025-11-22T11:00:00.000Z' - lastUpdatedBy: elastic - name: Example definition (copy) - valid: true - yaml: | - name: Example definition (copy) - enabled: false - description: This is a workflow example - triggers: - - type: manual - inputs: - - name: message - type: string - default: "hello world" - steps: - - name: hello_world_step - type: console - with: - message: "{{ inputs.message }}" - description: Indicates a successful response - summary: Clone a workflow - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/workflows/workflow/{id}/clone" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - lang: Console - source: | - POST kbn://api/workflows/workflow/{id}/clone - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/workflows/workflow/{id}/run: - post: - 
description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/workflows/workflow/{id}/run
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Execute a workflow by its ID with the provided inputs. The workflow must be enabled and have a valid definition. Returns an execution ID that can be used to monitor progress.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read. - operationId: post-workflows-workflow-id-run - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Workflow ID - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - runWorkflowRequestExample: - description: Example request to execute a workflow with inputs - value: - inputs: - message: hello from the API - schema: - additionalProperties: false - type: object - properties: - inputs: - additionalProperties: - nullable: true - description: Key-value inputs for the workflow execution. - type: object - metadata: - additionalProperties: - nullable: true - description: Optional metadata for the execution. - type: object - required: - - inputs - responses: - '200': - content: - application/json: - examples: - runWorkflowResponseExample: - description: Example response returning the execution ID - value: - workflowExecutionId: exec-a1b2c3d4-e5f6-7890 - description: Indicates a successful response - summary: Run a workflow - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/workflows/workflow/{id}/run" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "inputs": { - "message": "hello from the API" - } - }' - - lang: Console - source: | - POST kbn://api/workflows/workflow/{id}/run - { - "inputs": { - "message": "hello from the API" - } - } - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/workflows/workflow/{workflowId}/executions: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/workflows/workflow/{workflowId}/executions
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve a paginated list of executions for a specific workflow.

[Required authorization] Route required privileges: workflowsManagement:readExecution. - operationId: get-workflows-workflow-workflowid-executions - parameters: - - description: Workflow ID - in: path - name: workflowId - required: true - schema: - type: string - - description: Filter by execution status. - in: query - name: statuses - required: false - schema: - items: - enum: - - pending - - waiting - - waiting_for_input - - running - - completed - - failed - - cancelled - - timed_out - - skipped - type: string - maxItems: 9 - type: array - - description: Filter by execution type. - in: query - name: executionTypes - required: false - schema: - items: - enum: - - test - - production - type: string - maxItems: 2 - type: array - - description: Filter by the user who triggered the execution. - in: query - name: executedBy - required: false - schema: - items: - type: string - maxItems: 100 - type: array - - description: Whether to exclude step-level execution data. - in: query - name: omitStepRuns - required: false - schema: - type: boolean - - description: Page number. - in: query - name: page - required: false - schema: - minimum: 1 - type: number - - description: Number of results per page. 
- in: query - name: size - required: false - schema: - maximum: 100 - minimum: 1 - type: number - responses: - '200': - content: - application/json: - examples: - getWorkflowExecutionsResponseExample: - description: Example response returning a paginated list of executions for a workflow - value: - page: 1 - results: - - duration: 3000 - error: null - executedBy: elastic - finishedAt: '2025-11-20T12:00:03.000Z' - id: exec-001 - isTestRun: false - spaceId: default - startedAt: '2025-11-20T12:00:00.000Z' - status: completed - triggeredBy: manual - workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - - duration: 2000 - error: - message: Step 'hello_world_step' failed - executedBy: elastic - finishedAt: '2025-11-20T13:00:02.000Z' - id: exec-002 - isTestRun: false - spaceId: default - startedAt: '2025-11-20T13:00:00.000Z' - status: failed - triggeredBy: manual - workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - size: 20 - total: 2 - description: Indicates a successful response - summary: Get workflow executions - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions?page=1&size=20" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/workflows/workflow/{workflowId}/executions?page=1&size=20 - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/workflows/workflow/{workflowId}/executions/cancel: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/workflows/workflow/{workflowId}/executions/cancel
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Request cancellation for all non-terminal executions of the given workflow in the current space.

[Required authorization] Route required privileges: workflowsManagement:cancelExecution. - operationId: post-workflows-workflow-workflowid-executions-cancel - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Workflow ID - in: path - name: workflowId - required: true - schema: - type: string - responses: - '200': - description: Indicates a successful response - summary: Cancel all active workflow executions - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions/cancel" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - lang: Console - source: | - POST kbn://api/workflows/workflow/{workflowId}/executions/cancel - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/workflows/workflow/{workflowId}/executions/steps: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/workflows/workflow/{workflowId}/executions/steps
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve a paginated list of step-level execution records for a specific workflow. Optionally filter by step ID and include input or output data.

[Required authorization] Route required privileges: workflowsManagement:readExecution. - operationId: get-workflows-workflow-workflowid-executions-steps - parameters: - - description: Workflow ID - in: path - name: workflowId - required: true - schema: - type: string - - description: Filter by step ID. - in: query - name: stepId - required: false - schema: - type: string - - description: Include step input data. - in: query - name: includeInput - required: false - schema: - type: boolean - - description: Include step output data. - in: query - name: includeOutput - required: false - schema: - type: boolean - - description: Page number for pagination. - in: query - name: page - required: false - schema: - minimum: 1 - type: number - - description: Number of results per page. - in: query - name: size - required: false - schema: - maximum: 100 - minimum: 1 - type: number - responses: - '200': - content: - application/json: - examples: - getWorkflowStepExecutionsResponseExample: - description: Example response returning step execution records for a workflow - value: - results: - - executionTimeMs: 1000 - finishedAt: '2025-11-20T12:00:02.000Z' - globalExecutionIndex: 0 - id: step-exec-001 - input: - message: hello world - isTestRun: false - scopeStack: [] - spaceId: default - startedAt: '2025-11-20T12:00:01.000Z' - status: completed - stepExecutionIndex: 0 - stepId: hello_world_step - stepType: console - topologicalIndex: 0 - workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - workflowRunId: exec-001 - total: 1 - description: Indicates a successful response - summary: Get workflow step executions - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions/steps?includeInput=true" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/workflows/workflow/{workflowId}/executions/steps?includeInput=true - x-state: Generally available - x-metaTags: - 
- content: Kibana, Elastic Cloud Serverless - name: product_name - /s/{spaceId}/api/observability/slos: - get: - description: | - You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. - operationId: findSlosOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - description: A valid kql query to filter the SLO with - example: 'slo.name:latency* and slo.tags : "prod"' - in: query - name: kqlQuery - schema: - type: string - - description: The page size to use for cursor-based pagination, must be greater or equal than 1 - example: 1 - in: query - name: size - schema: - default: 1 - type: integer - - description: The cursor to use for fetching the results from, when using a cursor-base pagination. - in: query - name: searchAfter - schema: - items: - type: string - type: array - - description: The page to use for pagination, must be greater or equal than 1 - example: 1 - in: query - name: page - schema: - default: 1 - type: integer - - description: Number of SLOs returned by page - example: 25 - in: query - name: perPage - schema: - default: 25 - maximum: 5000 - type: integer - - description: Sort by field - example: status - in: query - name: sortBy - schema: - default: status - enum: - - sli_value - - status - - error_budget_consumed - - error_budget_remaining - type: string - - description: Sort order - example: asc - in: query - name: sortDirection - schema: - default: asc - enum: - - asc - - desc - type: string - - description: Hide stale SLOs from the list as defined by stale SLO threshold in SLO settings - in: query - name: hideStale - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - findSloResponse: - summary: A paginated list of SLOs - value: - page: 1 - perPage: 25 - results: - - budgetingMethod: occurrences - createdAt: '2025-01-12T10:03:19.000Z' - description: Availability of my 
web service - enabled: true - groupBy: '*' - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - indicator: - params: - filter: 'field.environment : "production" and service.name : "my-service"' - good: 'request.status_code : "2xx"' - index: logs-* - timestampField: '@timestamp' - total: 'request.status_code : *' - type: sli.kql.custom - instanceId: '*' - name: My Service Availability - objective: - target: 0.99 - revision: 1 - settings: - frequency: 5m - syncDelay: 5m - summary: - errorBudget: - consumed: 0.17 - initial: 0.01 - isEstimated: false - remaining: 0.83 - sliValue: 0.9983 - status: HEALTHY - tags: - - production - - web-service - timeWindow: - duration: 30d - type: rolling - updatedAt: '2025-01-12T10:03:19.000Z' - version: 2 - total: 42 - schema: - $ref: '#/components/schemas/SLOs_find_slo_response' - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''invalid'' supplied to: sortBy' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: 'security_exception: action [slo_read] is unauthorized for user' - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - 
schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Get a paginated list of SLOs - tags: - - slo - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: | - You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. - operationId: createSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - requestBody: - content: - application/json: - examples: - createSloKqlExample: - summary: Create an SLO with a KQL indicator - value: - budgetingMethod: occurrences - description: Availability of my web service measured by successful HTTP responses - indicator: - params: - filter: 'field.environment : "production" and service.name : "my-service"' - good: 'request.status_code : "2xx"' - index: logs-* - timestampField: '@timestamp' - total: 'request.status_code : *' - type: sli.kql.custom - name: My Service Availability - objective: - target: 0.99 - settings: - frequency: 5m - syncDelay: 5m - tags: - - production - - web-service - timeWindow: - duration: 30d - type: rolling - schema: - $ref: '#/components/schemas/SLOs_create_slo_request' - required: true - responses: - '200': - content: - application/json: - examples: - createSloResponse: - summary: Create SLO response - value: - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - schema: - $ref: '#/components/schemas/SLOs_create_slo_response' - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: indicator/type' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: 
'security_exception: unable to authenticate user for REST request [/api/observability/slos]' - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: 'security_exception: action [slo_write] is unauthorized for user' - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '409': - content: - application/json: - examples: - conflictExample: - summary: Conflict - value: - error: Conflict - message: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists - statusCode: 409 - schema: - $ref: '#/components/schemas/SLOs_409_response' - description: Conflict - The SLO id already exists - summary: Create an SLO - tags: - - slo - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /s/{spaceId}/api/observability/slos/_bulk_delete: - post: - description: | - Bulk delete SLO definitions and their associated summary and rollup data. This endpoint initiates a bulk deletion operation for SLOs, which may take some time to complete. The status of the operation can be checked using the `GET /api/slo/_bulk_delete/{taskId}` endpoint. 
- operationId: bulkDeleteOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - requestBody: - content: - application/json: - examples: - bulkDeleteRequest: - summary: Bulk delete two SLOs - value: - list: - - 8853df00-ae2e-11ed-90af-09bb6422b258 - - d077e940-1515-11ee-9c50-9d096392f520 - schema: - $ref: '#/components/schemas/SLOs_bulk_delete_request' - required: true - responses: - '200': - content: - application/json: - examples: - bulkDeleteResponse: - summary: Bulk delete response with task ID - value: - taskId: d08506b7-f0e8-4f8b-a06a-a83940f4db91 - schema: - $ref: '#/components/schemas/SLOs_bulk_delete_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: list' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: 'security_exception: action [slo_write] is unauthorized for user' - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - summary: Bulk delete SLO definitions and their associated summary and rollup data. - tags: - - slo - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /s/{spaceId}/api/observability/slos/_bulk_delete/{taskId}: - get: - description: | - Retrieve the status of the bulk deletion operation for SLOs. 
This endpoint returns the status of the bulk deletion operation, including whether it is completed and the results of the operation. - operationId: bulkDeleteStatusOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - description: The task id of the bulk delete operation - in: path - name: taskId - required: true - schema: - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - responses: - '200': - content: - application/json: - examples: - bulkDeleteStatusComplete: - summary: Completed bulk deletion - value: - isDone: true - results: - - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - success: true - - id: d077e940-1515-11ee-9c50-9d096392f520 - success: true - bulkDeleteStatusPartialFailure: - summary: Completed with partial failure - value: - isDone: true - results: - - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - success: true - - error: SLO [d077e940-1515-11ee-9c50-9d096392f520] not found - id: d077e940-1515-11ee-9c50-9d096392f520 - success: false - schema: - $ref: '#/components/schemas/SLOs_bulk_delete_status_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: taskId' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: 'security_exception: action [slo_write] is unauthorized for user' - statusCode: 403 - 
schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - summary: Retrieve the status of the bulk deletion - tags: - - slo - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /s/{spaceId}/api/observability/slos/_bulk_purge_rollup: - post: - description: | - The deletion occurs for the specified list of `sloId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. - operationId: deleteRollupDataOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - requestBody: - content: - application/json: - examples: - purgeByAgeExample: - summary: Purge rollup data older than 7 days - value: - list: - - 8853df00-ae2e-11ed-90af-09bb6422b258 - purgePolicy: - age: 7d - purgeType: fixed-age - purgeByTimestampExample: - summary: Purge rollup data before a specific date - value: - list: - - 8853df00-ae2e-11ed-90af-09bb6422b258 - - d077e940-1515-11ee-9c50-9d096392f520 - purgePolicy: - purgeType: fixed-time - timestamp: '2024-12-31T00:00:00.000Z' - schema: - $ref: '#/components/schemas/SLOs_bulk_purge_rollup_request' - required: true - responses: - '200': - content: - application/json: - examples: - bulkPurgeResponse: - summary: Bulk purge response with task ID - value: - taskId: 8853df00-ae2e-11ed-90af-09bb6422b258 - schema: - $ref: '#/components/schemas/SLOs_bulk_purge_rollup_response' - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: purgePolicy/purgeType' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: 'security_exception: unable to 
authenticate user for REST request [/api/observability/slos]' - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: 'security_exception: action [slo_write] is unauthorized for user' - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - summary: Batch delete rollup and summary data - tags: - - slo - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /s/{spaceId}/api/observability/slos/_delete_instances: - post: - description: | - The deletion occurs for the specified list of `sloId` and `instanceId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. - operationId: deleteSloInstancesOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - requestBody: - content: - application/json: - examples: - deleteInstancesExample: - summary: Delete specific SLO instances - value: - list: - - instanceId: host-abc123 - sloId: 8853df00-ae2e-11ed-90af-09bb6422b258 - - instanceId: host-def456 - sloId: 8853df00-ae2e-11ed-90af-09bb6422b258 - schema: - $ref: '#/components/schemas/SLOs_delete_slo_instances_request' - required: true - responses: - '204': - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: list/0/sloId' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: 'security_exception: unable to authenticate user for REST request 
[/api/observability/slos]' - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: 'security_exception: action [slo_write] is unauthorized for user' - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - summary: Batch delete rollup and summary data - tags: - - slo - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /s/{spaceId}/api/observability/slos/{sloId}: - delete: - description: | - You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. - operationId: deleteSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - responses: - '204': - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: id' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: 'security_exception: action [slo_write] is unauthorized for user' - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - 
content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Delete an SLO - tags: - - slo - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: | - You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. - operationId: getSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - - description: the specific instanceId used by the summary calculation - example: host-abcde - in: query - name: instanceId - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getSloResponse: - summary: Get SLO response - value: - budgetingMethod: occurrences - createdAt: '2025-01-12T10:03:19.000Z' - description: Availability of my web service - enabled: true - groupBy: '*' - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - indicator: - params: - filter: 'field.environment : "production" and service.name : "my-service"' - good: 'request.status_code : "2xx"' - index: logs-* - timestampField: '@timestamp' - total: 'request.status_code : *' - type: sli.kql.custom - instanceId: '*' - name: My Service Availability - objective: - target: 0.99 - revision: 1 - settings: - frequency: 5m - syncDelay: 5m - summary: - errorBudget: - consumed: 0.17 - initial: 0.01 - isEstimated: false - remaining: 0.83 - sliValue: 0.9983 - status: HEALTHY - tags: - - production - - web-service - timeWindow: - duration: 30d - type: rolling - updatedAt: '2025-01-12T10:03:19.000Z' - version: 2 - schema: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - description: Successful request - '400': - content: - 
application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: id' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: 'security_exception: action [slo_read] is unauthorized for user' - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Get an SLO - tags: - - slo - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: | - You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. 
- operationId: updateSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - requestBody: - content: - application/json: - examples: - updateSloNameExample: - summary: Update the SLO name and tags - value: - name: Updated Service Availability - tags: - - production - - updated - updateSloObjectiveExample: - summary: Update the SLO objective - value: - objective: - target: 0.995 - schema: - $ref: '#/components/schemas/SLOs_update_slo_request' - required: true - responses: - '200': - content: - application/json: - examples: - updateSloResponse: - summary: Update SLO response - value: - budgetingMethod: occurrences - createdAt: '2025-01-12T10:03:19.000Z' - description: Availability of my web service - enabled: true - groupBy: '*' - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - indicator: - params: - filter: 'field.environment : "production" and service.name : "my-service"' - good: 'request.status_code : "2xx"' - index: logs-* - timestampField: '@timestamp' - total: 'request.status_code : *' - type: sli.kql.custom - name: Updated Service Availability - objective: - target: 0.99 - revision: 2 - settings: - frequency: 5m - syncDelay: 5m - tags: - - production - - updated - timeWindow: - duration: 30d - type: rolling - updatedAt: '2025-03-26T14:30:00.000Z' - version: 2 - schema: - $ref: '#/components/schemas/SLOs_slo_definition_response' - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: indicator/type' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: 'security_exception: unable to authenticate user for REST request 
[/api/observability/slos]' - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: 'security_exception: action [slo_write] is unauthorized for user' - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Update an SLO - tags: - - slo - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /s/{spaceId}/api/observability/slos/{sloId}/_reset: - post: - description: | - You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. 
- operationId: resetSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - responses: - '200': - content: - application/json: - examples: - resetSloResponse: - summary: Reset SLO response - value: - budgetingMethod: occurrences - createdAt: '2025-01-12T10:03:19.000Z' - description: Availability of my web service - enabled: true - groupBy: '*' - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - indicator: - params: - filter: 'field.environment : "production" and service.name : "my-service"' - good: 'request.status_code : "2xx"' - index: logs-* - timestampField: '@timestamp' - total: 'request.status_code : *' - type: sli.kql.custom - name: My Service Availability - objective: - target: 0.99 - revision: 2 - settings: - frequency: 5m - syncDelay: 5m - tags: - - production - - web-service - timeWindow: - duration: 30d - type: rolling - updatedAt: '2025-03-26T14:30:00.000Z' - version: 2 - schema: - $ref: '#/components/schemas/SLOs_slo_definition_response' - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: id' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: 'security_exception: action [slo_write] is unauthorized for user' - statusCode: 403 - schema: - $ref: 
'#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Reset an SLO - tags: - - slo - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /s/{spaceId}/api/observability/slos/{sloId}/disable: - post: - description: | - You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. - operationId: disableSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - responses: - '204': - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: id' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: 'security_exception: action [slo_write] is unauthorized for user' - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not 
Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Disable an SLO - tags: - - slo - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /s/{spaceId}/api/observability/slos/{sloId}/enable: - post: - description: | - You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. - operationId: enableSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - responses: - '204': - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: id' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: 'security_exception: action [slo_write] is unauthorized for user' - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - 
summary: Enable an SLO - tags: - - slo - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /s/{spaceId}/internal/observability/slos/_definitions: - get: - description: | - You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. - operationId: getDefinitionsOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - description: Indicates if the API returns only outdated SLO or all SLO definitions - in: query - name: includeOutdatedOnly - schema: - type: boolean - - description: Indicates if the API returns SLO health data with definitions - example: true - in: query - name: includeHealth - schema: - type: boolean - - description: Filters the SLOs by tag - in: query - name: tags - schema: - type: string - - description: Filters the SLOs by name - example: my service availability - in: query - name: search - schema: - type: string - - description: The page to use for pagination, must be greater or equal than 1 - example: 1 - in: query - name: page - schema: - type: number - - description: Number of SLOs returned by page - example: 100 - in: query - name: perPage - schema: - default: 100 - maximum: 1000 - type: integer - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/SLOs_find_slo_definitions_response' - description: Successful request - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - summary: Get the SLO definitions - tags: - - slo - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name 
-components: - examples: - APM_UI_agent_configuration_environments_200_response1: - description: An example of a successful response from `GET /api/apm/settings/agent-configuration/environments`. - value: - environments: - - alreadyConfigured: true - name: production - - alreadyConfigured: false - name: development - - alreadyConfigured: false - name: ALL_OPTION_VALUE - APM_UI_agent_configuration_intake_object_delete_200_response1: - description: An example of a successful response from `DELETE /api/apm/settings/agent-configuration`. - value: - result: deleted - APM_UI_agent_configuration_intake_object_delete_request1: - description: Run `DELETE /api/apm/settings/agent-configuration` to delete a configuration. - value: - service: - environment: production - name: frontend - APM_UI_agent_configuration_intake_object_get_200_response1: - description: An example of a successful response from `GET /api/apm/settings/agent-configuration`. - value: - - '@timestamp': 1581934104843 - agent_name: go - applied_by_agent: false - etag: 1e58c178efeebae15c25c539da740d21dee422fc - service: - environment: production - name: opbeans-go - settings: - capture_body: 'off' - transaction_max_spans: '200' - transaction_sample_rate: '1' - - '@timestamp': 1581934111727 - agent_name: go - applied_by_agent: false - etag: 3eed916d3db434d9fb7f039daa681c7a04539a64 - service: - name: opbeans-go - settings: - capture_body: 'off' - transaction_max_spans: '300' - transaction_sample_rate: '1' - - '@timestamp': 1582031336265 - agent_name: nodejs - applied_by_agent: false - etag: 5080ed25785b7b19f32713681e79f46996801a5b - service: - name: frontend - settings: - transaction_sample_rate: '1' - APM_UI_agent_configuration_intake_object_put_200_response1: - description: An example of a successful response from `PUT /api/apm/settings/agent-configuration`. The response body is intentionally empty. 
- value: {} - APM_UI_agent_configuration_intake_object_put_request1: - description: Run `PUT /api/apm/settings/agent-configuration` to create or update configuration details. - value: - agent_name: nodejs - service: - environment: production - name: frontend - settings: - capture_body: 'off' - transaction_max_spans: '500' - transaction_sample_rate: '0.4' - APM_UI_agent_configuration_intake_object_search_200_response1: - description: An example of a successful response from `POST /api/apm/settings/agent-configuration/search`. - value: - _id: CIaqXXABmQCdPphWj8EJ - _index: .apm-agent-configuration - _score: 2 - _source: - '@timestamp': 1582031336265 - agent_name: nodejs - applied_by_agent: false - etag: 5080ed25785b7b19f32713681e79f46996801a5b - service: - name: frontend - settings: - transaction_sample_rate: '1' - APM_UI_agent_configuration_intake_object_search_request1: - description: Run `POST /api/apm/settings/agent-configuration/search` to search configuration details. - value: - etag: 1e58c178efeebae15c25c539da740d21dee422fc - service: - environment: production - name: frontend - APM_UI_agent_configuration_intake_object_view_200_response1: - description: An example of a successful response from `GET /api/apm/settings/agent-configuration/view`. - value: - '@timestamp': 1582031336265 - agent_name: nodejs - applied_by_agent: true - etag: 5080ed25785b7b19f32713681e79f46996801a5b - id: CIaqXXABmQCdPphWj8EJ - service: - environment: production - name: frontend - settings: - capture_body: 'off' - transaction_max_spans: '500' - transaction_sample_rate: '0.4' - APM_UI_agent_keys_object_post_200_response1: - description: An example of a successful response from `POST /api/apm/agent_keys`, which creates an APM agent API key. 
- value: - agentKey: - api_key: PjGloCGOTzaZr8ilUPvkjA - encoded: M0RDTG1uMEIzWk1oTFVhN1dCRzk6UGpHbG9DR09UemFacjhpbFVQdmtqQQ== - id: 3DCLmn0B3ZMhLUa7WBG9 - name: apm-key - APM_UI_agent_keys_object_post_request1: - description: Run `POST /api/apm/agent_keys` to create an APM agent API key with the specified privileges. - value: - name: apm-key - privileges: - - event:write - - config_agent:read - APM_UI_annotation_object_post_200_response1: - description: An example of a successful response from `POST /api/apm/services/opbeans-java/annotation`, which creates an annotation for a service named `opbeans-java`. - value: - _id: Lc9I93EBh6DbmkeV7nFX - _index: observability-annotations - _primary_term: 1 - _seq_no: 12 - _source: - '@timestamp': '2020-05-08T10:31:30.452Z' - annotation: - type: deployment - event: - created: '2020-05-09T02:34:43.937Z' - message: Deployment 1.2 - service: - name: opbeans-java - version: '1.2' - tags: - - apm - - elastic.co - - customer - _version: 1 - found: true - APM_UI_annotation_object_post_request1: - description: Run `POST /api/apm/services/{serviceName}/annotation` to create a deployment annotation for a service. - value: - '@timestamp': '2024-01-15T12:00:00.000Z' - message: Deployment 1.2.0 - service: - environment: production - version: 1.2.0 - tags: - - apm - - deployment - APM_UI_fleet_apm_server_schema_200_response1: - description: An example of a successful response from `POST /api/apm/fleet/apm_server_schema`. The response body is intentionally empty. - value: {} - APM_UI_source_maps_delete_200_response1: - description: An example of a successful response from `DELETE /api/apm/sourcemaps/{id}`. The response body is intentionally empty. - value: {} - APM_UI_source_maps_get_200_response1: - description: A successful response from `GET /api/apm/sourcemaps`. 
- value: - artifacts: - - body: - bundleFilepath: /test/e2e/general-usecase/bundle.js - serviceName: foo - serviceVersion: 1.0.0 - sourceMap: - file: static/js/main.chunk.js - mappings: mapping - sourceRoot: '' - sources: - - fleet-source-map-client/src/index.css - - fleet-source-map-client/src/App.js - - webpack:///./src/index.css?bb0a - - fleet-source-map-client/src/index.js - - fleet-source-map-client/src/reportWebVitals.js - sourcesContent: - - content - version: 3 - compressionAlgorithm: zlib - created: '2021-07-09T20:47:44.812Z' - decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - decodedSize: 441 - encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 - encodedSize: 237 - encryptionAlgorithm: none - id: apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - identifier: foo-1.0.0 - packageName: apm - relative_url: /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - type: sourcemap - APM_UI_source_maps_upload_200_response1: - description: A successful response from `POST /api/apm/sourcemaps`. 
- value: - body: eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI - compressionAlgorithm: zlib - created: '2021-07-09T20:47:44.812Z' - decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - decodedSize: 441 - encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 - encodedSize: 237 - encryptionAlgorithm: none - id: apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - identifier: foo-1.0.0 - packageName: apm - relative_url: /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - type: sourcemap - Data_views_create_data_view_request: - summary: Create a data view with runtime fields. - value: - data_view: - name: My Logstash data view - runtimeFieldMap: - runtime_shape_name: - script: - source: emit(doc['shape_name'].value) - type: keyword - title: logstash-* - Data_views_create_runtime_field_request: - summary: Create a runtime field. - value: - name: runtimeFoo - runtimeField: - script: - source: emit(doc["foo"].value) - type: long - Data_views_get_data_view_response: - summary: The get data view API returns a JSON object that contains information about the data view. 
- value: - data_view: - allowNoIndex: false - fieldAttrs: - products.manufacturer: - count: 1 - products.price: - count: 1 - products.product_name: - count: 1 - total_quantity: - count: 1 - fieldFormats: - products.base_price: - id: number - params: - pattern: $0,0.00 - products.base_unit_price: - id: number - params: - pattern: $0,0.00 - products.min_price: - id: number - params: - pattern: $0,0.00 - products.price: - id: number - params: - pattern: $0,0.00 - products.taxful_price: - id: number - params: - pattern: $0,0.00 - products.taxless_price: - id: number - params: - pattern: $0,0.00 - taxful_total_price: - id: number - params: - pattern: $0,0.[00] - taxless_total_price: - id: number - params: - pattern: $0,0.00 - fields: - _id: - aggregatable: false - count: 0 - esTypes: - - _id - format: - id: string - isMapped: true - name: _id - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - _index: - aggregatable: true - count: 0 - esTypes: - - _index - format: - id: string - isMapped: true - name: _index - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - _score: - aggregatable: false - count: 0 - format: - id: number - isMapped: true - name: _score - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: number - _source: - aggregatable: false - count: 0 - esTypes: - - _source - format: - id: _source - isMapped: true - name: _source - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: _source - category: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: category - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - category.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: category.keyword - readFromDocValues: 
true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: category - type: string - currency: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: currency - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - customer_birth_date: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: customer_birth_date - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - customer_first_name: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: customer_first_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - customer_first_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_first_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: customer_first_name - type: string - customer_full_name: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: customer_full_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - customer_full_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_full_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: customer_full_name - type: string - customer_gender: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_gender - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - customer_id: - aggregatable: true - count: 0 
- esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - customer_last_name: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: customer_last_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - customer_last_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_last_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: customer_last_name - type: string - customer_phone: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_phone - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - day_of_week: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: day_of_week - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - day_of_week_i: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: day_of_week_i - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - email: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: email - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - event.dataset: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: event.dataset - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - geoip.city_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - 
id: string - isMapped: true - name: geoip.city_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - geoip.continent_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.continent_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - geoip.country_iso_code: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.country_iso_code - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - geoip.location: - aggregatable: true - count: 0 - esTypes: - - geo_point - format: - id: geo_point - params: - transform: wkt - isMapped: true - name: geoip.location - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - geoip.region_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.region_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - manufacturer: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: manufacturer - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - manufacturer.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: manufacturer.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: manufacturer - type: string - order_date: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: order_date - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - order_id: - aggregatable: true - count: 0 - esTypes: - - keyword 
- format: - id: string - isMapped: true - name: order_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - products._id: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: products._id - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - products._id.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products._id.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products._id - type: string - products.base_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.base_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.base_unit_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.base_unit_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.category: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: products.category - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - products.category.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.category.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.category - type: string - products.created_on: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: products.created_on - readFromDocValues: true - scripted: false - 
searchable: true - shortDotsEnable: false - type: date - products.discount_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.discount_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.discount_percentage: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.discount_percentage - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.manufacturer: - aggregatable: false - count: 1 - esTypes: - - text - format: - id: string - isMapped: true - name: products.manufacturer - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - products.manufacturer.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.manufacturer.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.manufacturer - type: string - products.min_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.min_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.price: - aggregatable: true - count: 1 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.product_id: - aggregatable: true - count: 0 - esTypes: - - long - format: - id: number - isMapped: true - name: products.product_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.product_name: - aggregatable: 
false - count: 1 - esTypes: - - text - format: - id: string - isMapped: true - name: products.product_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - products.product_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.product_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.product_name - type: string - products.quantity: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: products.quantity - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.sku: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.sku - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - products.tax_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.tax_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.taxful_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.taxful_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.taxless_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.taxless_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.unit_discount_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: 
products.unit_discount_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - sku: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: sku - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - taxful_total_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.[00] - isMapped: true - name: taxful_total_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - taxless_total_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: taxless_total_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - total_quantity: - aggregatable: true - count: 1 - esTypes: - - integer - format: - id: number - isMapped: true - name: total_quantity - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - total_unique_products: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: total_unique_products - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - type: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: type - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - user: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: user - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - name: Kibana Sample Data eCommerce - namespaces: - - default - runtimeFieldMap: {} - sourceFilters: [] - 
timeFieldName: order_date - title: kibana_sample_data_ecommerce - typeMeta: {} - version: WzUsMV0= - Data_views_get_data_views_response: - summary: The get all data views API returns a list of data views. - value: - data_view: - - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - name: Kibana Sample Data eCommerce - namespaces: - - default - title: kibana_sample_data_ecommerce - typeMeta: {} - - id: d3d7af60-4c81-11e8-b3d7-01146121b73d - name: Kibana Sample Data Flights - namespaces: - - default - title: kibana_sample_data_flights - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: Kibana Sample Data Logs - namespaces: - - default - title: kibana_sample_data_logs - Data_views_get_default_data_view_response: - summary: The get default data view API returns the default data view identifier. - value: - data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - Data_views_get_runtime_field_response: - summary: The get runtime field API returns a JSON object that contains information about the runtime field (`hour_of_day`) and the data view (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). 
- value: - data_view: - allowNoIndex: false - fieldAttrs: {} - fieldFormats: - AvgTicketPrice: - id: number - params: - pattern: $0,0.[00] - hour_of_day: - id: number - params: - pattern: '00' - fields: - _id: - aggregatable: false - count: 0 - esTypes: - - _id - format: - id: string - isMapped: true - name: _id - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - _index: - aggregatable: true - count: 0 - esTypes: - - _index - format: - id: string - isMapped: true - name: _index - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - _score: - aggregatable: false - count: 0 - format: - id: number - isMapped: true - name: _score - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: number - _source: - aggregatable: false - count: 0 - esTypes: - - _source - format: - id: _source - isMapped: true - name: _source - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: _source - AvgTicketPrice: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - params: - pattern: $0,0.[00] - isMapped: true - name: AvgTicketPrice - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - Cancelled: - aggregatable: true - count: 0 - esTypes: - - boolean - format: - id: boolean - isMapped: true - name: Cancelled - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: boolean - Carrier: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: Carrier - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - dayOfWeek: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: dayOfWeek - readFromDocValues: true - scripted: false - searchable: true - 
shortDotsEnable: false - type: number - Dest: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: Dest - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestAirportID: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestAirportID - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestCityName: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestCityName - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestCountry: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestCountry - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestLocation: - aggregatable: true - count: 0 - esTypes: - - geo_point - format: - id: geo_point - params: - transform: wkt - isMapped: true - name: DestLocation - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - DestRegion: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestRegion - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestWeather: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestWeather - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DistanceKilometers: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - isMapped: true - name: DistanceKilometers - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - DistanceMiles: - aggregatable: true - count: 0 - 
esTypes: - - float - format: - id: number - isMapped: true - name: DistanceMiles - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - FlightDelay: - aggregatable: true - count: 0 - esTypes: - - boolean - format: - id: boolean - isMapped: true - name: FlightDelay - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: boolean - FlightDelayMin: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: FlightDelayMin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - FlightDelayType: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: FlightDelayType - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - FlightNum: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: FlightNum - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - FlightTimeHour: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: FlightTimeHour - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - FlightTimeMin: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - isMapped: true - name: FlightTimeMin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - hour_of_day: - aggregatable: true - count: 0 - esTypes: - - long - format: - id: number - params: - pattern: '00' - name: hour_of_day - readFromDocValues: false - runtimeField: - script: - source: emit(doc['timestamp'].value.getHour()); - type: long - scripted: false - searchable: true - shortDotsEnable: false - type: number - Origin: - aggregatable: true - count: 0 - esTypes: - - keyword - 
format: - id: string - isMapped: true - name: Origin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginAirportID: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginAirportID - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginCityName: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginCityName - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginCountry: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginCountry - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginLocation: - aggregatable: true - count: 0 - esTypes: - - geo_point - format: - id: geo_point - params: - transform: wkt - isMapped: true - name: OriginLocation - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - OriginRegion: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginRegion - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginWeather: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginWeather - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - timestamp: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: timestamp - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - id: d3d7af60-4c81-11e8-b3d7-01146121b73d - name: Kibana Sample Data Flights - runtimeFieldMap: - hour_of_day: - script: - source: 
emit(doc['timestamp'].value.getHour()); - type: long - sourceFilters: [] - timeFieldName: timestamp - title: kibana_sample_data_flights - version: WzM2LDJd - fields: - - aggregatable: true - count: 0 - esTypes: - - long - name: hour_of_day - readFromDocValues: false - runtimeField: - script: - source: emit(doc['timestamp'].value.getHour()); - type: long - scripted: false - searchable: true - shortDotsEnable: false - type: number - Data_views_preview_swap_data_view_request: - summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". - value: - fromId: abcd-efg - toId: xyz-123 - Data_views_set_default_data_view_request: - summary: Set the default data view identifier. - value: - data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - force: true - Data_views_swap_data_view_request: - summary: Swap references from data view ID "abcd-efg" to "xyz-123" and remove the data view that is no longer referenced. - value: - delete: true - fromId: abcd-efg - toId: xyz-123 - Data_views_update_data_view_request: - summary: Update some properties for a data view. - value: - data_view: - allowNoIndex: false - name: Kibana Sample Data eCommerce - timeFieldName: order_date - title: kibana_sample_data_ecommerce - refresh_fields: true - Data_views_update_field_metadata_request: - summary: Update metadata for multiple fields. - value: - fields: - field1: - count: 123 - customLabel: Field 1 label - field2: - customDescription: Field 2 description - customLabel: Field 2 label - Data_views_update_runtime_field_request: - summary: Update an existing runtime field on a data view. - value: - runtimeField: - script: - source: emit(doc["bar"].value) - Machine_learning_APIs_mlSync401Example: - summary: Two anomaly detection jobs required synchronization in this example. 
- value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]]: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]" - statusCode: 401 - Machine_learning_APIs_mlSyncExample: - summary: Two anomaly detection jobs required synchronization in this example. - value: - datafeedsAdded: {} - datafeedsRemoved: {} - savedObjectsCreated: - anomaly-detector: - myjob1: - success: true - myjob2: - success: true - savedObjectsDeleted: {} - Observability_AI_Assistant_API_ChatCompleteRequestExample: - summary: Example of completing a chat interaction - value: | - { - "connectorId": "", - "disableFunctions": false, - "messages": [ - { - "@timestamp": "2025-06-25T23:45:00.000Z", - "message": { - "role": "user", - "content": "Is my Elasticsearch cluster healthy right now?" - } - } - ], - "persist": false, - "actions": [ - { - "name": "get_cluster_health", - "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", - "parameters": { - "type": "object", - "properties": { - "includeShardStats": { - "type": "boolean", - "default": false - } - } - } - } - ], - "instructions": ["When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English."] - } - Observability_AI_Assistant_API_ChatCompleteResponseExample: - summary: Get a chat completion from the Observability AI Assistant - value: | - data: {"model":"unknown","choices":[{"delta":{"content":"","function_call":{"name":"get_cluster_health","arguments":"{\"includeShardStats\":true}"}},"finish_reason":null,"index":0}],"created":1750936626911,"id":"9c8eff9b-4fd4-4203-a4ab-2e364688deff","object":"chat.completion.chunk"} - - data: [DONE] - Security_Detections_API_SetAlertAssigneesBodyAdd: - value: - assignees: - add: - - 
u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0 - remove: [] - ids: - - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6 - Security_Detections_API_SetAlertAssigneesBodyRemove: - value: - assignees: - add: [] - remove: - - u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0 - ids: - - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6 - Security_Detections_API_SetAlertTagsBodyAdd: - value: - ids: - - 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e - tags: - tags_to_add: - - Duplicate - tags_to_remove: [] - Security_Detections_API_SetAlertTagsBodyRemove: - value: - ids: - - 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e - tags: - tags_to_add: [] - tags_to_remove: - - Duplicate - Task_manager_health_Serverless_APIs_health_200response_serverless: - description: A successful response from `GET api/task_manager/_health`. - value: |- - { - "id": "b44483e1-3ba2-4f28-93d0-1d96c69c32c1", - "timestamp": "2025-03-21T21:49:50.409Z", - "status": "OK", - "last_update": "2025-03-21T21:48:53.996Z", - "stats": { - "configuration": { - "timestamp": "2025-03-21T21:47:51.663Z", - "value": { - "request_capacity": 1000, - "monitored_aggregated_stats_refresh_rate": 60000, - "monitored_stats_running_average_window": 50, - "monitored_task_execution_thresholds": { - "custom": {}, - "default": { - "error_threshold": 90, - "warn_threshold": 80 - } - }, - "claim_strategy": "mget", - "poll_interval": 500, - "capacity": { - "config": 10, - "as_workers": 10, - "as_cost": 20 - } - }, - "status": "OK" - }, - "workload": { - "timestamp": "2025-03-21T21:48:53.996Z", - "value": { - "count": 21, - "cost": 42, - "task_types": { - "Fleet-Metrics-Task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.data", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "sqiJW5gB4U27o8XO8oLg" + }, + { + 
"timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.entropy", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "s6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.extension", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "tKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.metrics", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "taiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.operation", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "tqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.path", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "t6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.score", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "uKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.version", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "uaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "_id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "Z6iJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "agent.id", + "allowed": true, + "anonymized": false, + "namespace": 
"default", + "id": "aaiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "cloud.availability_zone", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "aqiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "cloud.provider", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "a6iJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "cloud.region", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "bKiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "destination.ip", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "baiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "dns.question.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "bqiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "dns.question.type", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "b6iJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "event.category", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "cKiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "event.dataset", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "caiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "event.module", + "allowed": true, + "anonymized": 
false, + "namespace": "default", + "id": "cqiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "event.outcome", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "c6iJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "file.Ext.original.path", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "dKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "file.hash.sha256", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "daiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "file.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "dqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "file.path", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "d6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "group.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "eKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "group.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "eaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.asset.criticality", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "eqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.name", + "allowed": true, + "anonymized": 
true, + "namespace": "default", + "id": "e6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.os.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "fKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.os.version", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "faiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.risk.calculated_level", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "fqiJW5gB4U27o8XO8oLg" }, - "Fleet-Usage-Logger": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.risk.calculated_score_norm", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "f6iJW5gB4U27o8XO8oLg" }, - "Fleet-Usage-Sender": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.original_time", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "gKiJW5gB4U27o8XO8oLg" }, - "ML:saved-objects-sync": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.risk_score", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "gaiJW5gB4U27o8XO8oLg" }, - "actions:connector_usage_reporting": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.description", + "allowed": true, + "anonymized": false, + "namespace": "default", 
+ "id": "gqiJW5gB4U27o8XO8oLg" }, - "actions_telemetry": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "g6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.references", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "hKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.framework", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "haiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.tactic.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "hqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.tactic.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "h6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.tactic.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "iKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "iaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.name", + "allowed": true, + "anonymized": false, + 
"namespace": "default", + "id": "iqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "i6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.subtechnique.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "jKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.subtechnique.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "jaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.subtechnique.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "jqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.severity", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "j6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.workflow_status", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "kKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "message", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "kaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "network.protocol", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": 
"kqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.Ext.memory_region.bytes_compressed_present", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "nKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.Ext.memory_region.malware_signature.all_names", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "naiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.Ext.memory_region.malware_signature.primary.matches", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "nqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.Ext.memory_region.malware_signature.primary.signature.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "n6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.Ext.token.integrity_level_name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "oKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.args", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "k6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.code_signature.exists", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "lKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.code_signature.signing_id", + "allowed": true, + "anonymized": false, + "namespace": 
"default", + "id": "laiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.code_signature.status", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "lqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.code_signature.subject_name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "l6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.code_signature.trusted", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "mKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.command_line", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "maiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.executable", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "mqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.exit_code", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "m6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.hash.md5", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "oaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.hash.sha1", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "oqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + 
"field": "process.hash.sha256", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "o6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "pKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.args", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "paiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.args_count", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "pqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.code_signature.exists", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "p6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.code_signature.status", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "qKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.code_signature.subject_name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "qaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.code_signature.trusted", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "qqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.command_line", + "allowed": true, + "anonymized": false, + "namespace": 
"default", + "id": "q6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.executable", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "rKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "raiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.pe.original_file_name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "rqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.pid", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "r6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.working_directory", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "sKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "rule.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "uqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "rule.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "u6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "source.ip", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "vKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.framework", + "allowed": true, 
+ "anonymized": false, + "namespace": "default", + "id": "vaiJW5gB4U27o8XO8oLg" }, - "alerting_health_check": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.tactic.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "vqiJW5gB4U27o8XO8oLg" }, - "alerting_telemetry": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.tactic.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "v6iJW5gB4U27o8XO8oLg" }, - "alerts_invalidate_api_keys": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.tactic.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "wKiJW5gB4U27o8XO8oLg" }, - "cases-telemetry-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.technique.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "waiJW5gB4U27o8XO8oLg" }, - "dashboard_telemetry": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.technique.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "wqiJW5gB4U27o8XO8oLg" }, - "fleet:automatic-agent-upgrade-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.technique.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "w6iJW5gB4U27o8XO8oLg" }, - 
"fleet:check-deleted-files-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.technique.subtechnique.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "xKiJW5gB4U27o8XO8oLg" }, - "fleet:delete-unenrolled-agents-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.technique.subtechnique.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "xaiJW5gB4U27o8XO8oLg" }, - "fleet:sync-integrations-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.technique.subtechnique.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "xqiJW5gB4U27o8XO8oLg" }, - "fleet:unenroll-inactive-agents-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "user.asset.criticality", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "x6iJW5gB4U27o8XO8oLg" }, - "fleet:upgrade-agentless-deployments-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "user.domain", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "yKiJW5gB4U27o8XO8oLg" }, - "session_cleanup": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "user.name", + "allowed": true, + "anonymized": true, + "namespace": "default", + "id": "yaiJW5gB4U27o8XO8oLg" }, - 
"task_manager:delete_inactive_background_task_nodes": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "user.risk.calculated_level", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "yqiJW5gB4U27o8XO8oLg" }, - "task_manager:mark_removed_tasks_as_unrecognized": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "user.risk.calculated_score_norm", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "y6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "user.target.name", + "allowed": true, + "anonymized": true, + "namespace": "default", + "id": "zKiJW5gB4U27o8XO8oLg" } - }, - "non_recurring": 1, - "non_recurring_cost": 2, - "schedule": [ - [ - "1m", - 2 - ], - [ - "5m", - 2 - ], - [ - "10m", - 1 - ], - [ - "15m", - 1 - ], - [ - "30m", - 1 - ], - [ - "1h", - 5 - ], - [ - "3600s", - 1 - ], - [ - "60m", - 1 - ], - [ - "720m", - 1 - ], - [ - "1d", - 4 - ], - [ - "1440m", - 1 - ] - ], - "overdue": 0, - "overdue_cost": 0, - "overdue_non_recurring": 0, - "estimated_schedule_density": [ - 0, - 0, - 1, - 0, - 0, - 0, - 0, - 1, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0 ], - "capacity_requirements": { - "per_minute": 2, - "per_hour": 43, - "per_day": 7 - } - }, - "status": "OK" - } - } - } - get_connector_types_generativeai_response: - summary: A list of connector types for the `generativeAI` feature. 
- value: - - id: .gen-ai - name: OpenAI - enabled: true - enabled_in_config: true - enabled_in_license: true - minimum_license_required: enterprise - supported_feature_ids: - - generativeAIForSecurity - - generativeAIForObservability - - generativeAIForSearchPlayground - is_system_action_type: false - - id: .bedrock - name: AWS Bedrock - enabled: true - enabled_in_config: true - enabled_in_license: true - minimum_license_required: enterprise - supported_feature_ids: - - generativeAIForSecurity - - generativeAIForObservability - - generativeAIForSearchPlayground - is_system_action_type: false - - id: .gemini - name: Google Gemini - enabled: true - enabled_in_config: true - enabled_in_license: true - minimum_license_required: enterprise - supported_feature_ids: - - generativeAIForSecurity - is_system_action_type: false - get_connector_response: - summary: Get connector details. - value: - id: df770e30-8b8b-11ed-a780-3b746c987a81 - name: my_server_log_connector - config: {} - connector_type_id: .server-log - is_preconfigured: false - is_deprecated: false - is_missing_secrets: false - is_system_action: false - update_index_connector_request: - summary: Update an index connector. - value: - name: updated-connector - config: - index: updated-index - create_email_connector_request: - summary: Create an email connector. - value: - name: email-connector-1 - connector_type_id: .email - config: - from: tester@example.com - hasAuth: true - host: https://example.com - port: 1025 - secure: false - service: other - secrets: - user: username - password: password - create_index_connector_request: - summary: Create an index connector. - value: - name: my-connector - connector_type_id: .index - config: - index: test-index - create_webhook_connector_request: - summary: Create a webhook connector with SSL authentication. 
- value: - name: my-webhook-connector - connector_type_id: .webhook - config: - method: post - url: https://example.com - authType: webhook-authentication-ssl - certType: ssl-crt-key - secrets: - crt: QmFnIEF0dH... - key: LS0tLS1CRUdJ... - password: my-passphrase - create_xmatters_connector_request: - summary: Create an xMatters connector with URL authentication. - value: - name: my-xmatters-connector - connector_type_id: .xmatters - config: - usesBasic: false - secrets: - secretsUrl: https://example.com?apiKey=xxxxx - create_email_connector_response: - summary: A new email connector. - value: - id: 90a82c60-478f-11ee-a343-f98a117c727f - connector_type_id: .email - name: email-connector-1 - config: - from: tester@example.com - service: other - host: https://example.com - port: 1025 - secure: false - hasAuth: true - tenantId: null - clientId: null - oauthTokenUrl: null - is_preconfigured: false - is_deprecated: false - is_missing_secrets: false - is_system_action: false - create_index_connector_response: - summary: A new index connector. - value: - id: c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad - connector_type_id: .index - name: my-connector - config: - index: test-index - refresh: false - executionTimeField: null - is_preconfigured: false - is_deprecated: false - is_missing_secrets: false - is_system_action: false - create_webhook_connector_response: - summary: A new webhook connector. - value: - id: 900eb010-3b9d-11ee-a642-8ffbb94e38bd - name: my-webhook-connector - config: - method: post - url: https://example.com - authType: webhook-authentication-ssl - certType: ssl-crt-key - verificationMode: full - headers: null - hasAuth: true - connector_type_id: .webhook - is_preconfigured: false - is_deprecated: false - is_missing_secrets: false - is_system_action: false - run_index_connector_request: - summary: Run an index connector. 
- value: - params: - documents: - - id: my_doc_id - name: my_doc_name - message: hello, world - run_jira_connector_request: - summary: Run a Jira connector to retrieve the list of issue types. - value: - params: - subAction: issueTypes - run_servicenow_itom_connector_request: - summary: Run a ServiceNow ITOM connector to retrieve the list of choices. - value: - params: - subAction: getChoices - subActionParams: - fields: - - severity - - urgency - run_slack_api_connector_request: - summary: Run a Slack connector that uses the web API method to post a message on a channel. - value: - params: - subAction: postMessage - subActionParams: - channelIds: - - C123ABC456 - text: A test message. - run_swimlane_connector_request: - summary: Run a Swimlane connector to create an incident. - value: - params: - subAction: pushToService - subActionParams: - comments: - - commentId: 1 - comment: A comment about the incident. - incident: - caseId: '1000' - caseName: Case name - description: Description of the incident. - run_index_connector_response: - summary: Response from running an index connector. - value: - connector_id: fd38c600-96a5-11ed-bb79-353b74189cba - data: - errors: false - items: - - create: - _id: 4JtvwYUBrcyxt2NnfW3y - _index: my-index - _primary_term: 1 - _seq_no: 0 - _shards: - failed: 0 - successful: 1 - total: 2 - _version: 1 - result: created - status: 201 - took: 135 - status: ok - run_jira_connector_response: - summary: Response from retrieving the list of issue types for a Jira connector. - value: - connector_id: b3aad810-edbe-11ec-82d1-11348ecbf4a6 - data: - - id: 10024 - name: Improvement - - id: 10006 - name: Task - - id: 10007 - name: Sub-task - - id: 10025 - name: New Feature - - id: 10023 - name: Bug - - id: 10000 - name: Epic - status: ok - run_server_log_connector_response: - summary: Response from running a server log connector. 
- value: - connector_id: 7fc7b9a0-ecc9-11ec-8736-e7d63118c907 - status: ok - run_servicenow_itom_connector_response: - summary: Response from retrieving the list of choices for a ServiceNow ITOM connector. - value: - connector_id: 9d9be270-2fd2-11ed-b0e0-87533c532698 - data: - - dependent_value: '' - element: severity - label: Critical - value: 1 - - dependent_value: '' - element: severity - label: Major - value: 2 - - dependent_value: '' - element: severity - label: Minor - value: 3 - - dependent_value: '' - element: severity - label: Warning - value: 4 - - dependent_value: '' - element: severity - label: OK - value: 5 - - dependent_value: '' - element: severity - label: Clear - value: 0 - - dependent_value: '' - element: urgency - label: 1 - High - value: 1 - - dependent_value: '' - element: urgency - label: 2 - Medium - value: 2 - - dependent_value: '' - element: urgency - label: 3 - Low - value: 3 - status: ok - run_slack_api_connector_response: - summary: Response from posting a message with a Slack connector. - value: - status: ok - data: - ok: true - channel: C123ABC456 - ts: '1234567890.123456' - message: - bot_id: B12BCDEFGHI - type: message - text: A test message - user: U12A345BC6D - ts: '1234567890.123456' - app_id: A01BC2D34EF - blocks: - - type: rich_text - block_id: /NXe - elements: - - type: rich_text_section - elements: - - type: text - text: A test message. - team: T01ABCDE2F - bot_profile: - id: B12BCDEFGHI - app_id: A01BC2D34EF - name: test - icons: - image_36: https://a.slack-edge.com/80588/img/plugins/app/bot_36.png - deleted: false - updated: 1672169705 - team_id: T01ABCDE2F - connector_id: .slack_api - run_swimlane_connector_response: - summary: Response from creating a Swimlane incident. 
- value: - connector_id: a4746470-2f94-11ed-b0e0-87533c532698 - data: - id: aKPmBHWzmdRQtx6Mx - title: TEST-457 - url: https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx - pushedDate: '2022-09-08T16:52:27.866Z' - comments: - - commentId: 1 - pushedDate: '2022-09-08T16:52:27.865Z' - status: ok - get_connectors_response: - summary: A list of connectors - value: - - id: preconfigured-email-connector - name: my-preconfigured-email-notification - connector_type_id: .email - is_preconfigured: true - is_deprecated: false - referenced_by_count: 0 - is_system_action: false - - id: e07d0c80-8b8b-11ed-a780-3b746c987a81 - name: my-index-connector - config: - index: test-index - refresh: false - executionTimeField: null - connector_type_id: .index - is_preconfigured: false - is_deprecated: false - referenced_by_count: 2 - is_missing_secrets: false - is_system_action: false - get_spaces_response1: - summary: Get all spaces - description: Get all spaces without specifying any options. - value: - - id: default - name: Default - description: This is the Default Space - disabledFeatures: [] - imageUrl: '' - _reserved: true - - id: marketing - name: Marketing - description: This is the Marketing Space - color: null - disabledFeatures: - - apm - initials: MK - imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU - - id: sales - name: Sales - initials: MK - disabledFeatures: - - discover - imageUr": '' - solution: oblt - get_spaces_response2: - summary: Get all spaces with custom options + "replacements": {}, + "size": 100, + "subAction": "invokeAI", + "apiConfig": { + "connectorId": "12345678-1234-1234-1234-123456789012", + "actionTypeId": ".gen-ai" + }, + "connectorName": "GPT-5 Chat", + "end": "now", + "start": "now-24h" + }' + /api/attack_discovery/generations: + get: + description: >- + Get the latest Attack Discovery generations metadata (that are not + dismissed) for the current user. 
This endpoint retrieves generation + metadata including execution status and statistics for Attack Discovery + generations. + operationId: GetAttackDiscoveryGenerations + parameters: + - description: >- + End of the time range for filtering generations. Accepts absolute + timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h"). + example: now + in: query + name: end + required: false + schema: + type: string + - description: The maximum number of generations to retrieve + example: 50 + in: query + name: size + required: false + schema: + default: 50 + minimum: 1 + type: number + - description: >- + Start of the time range for filtering generations. Accepts absolute + timestamps (ISO 8601) or relative date math (e.g. "now-7d"). + example: now-24h + in: query + name: start + required: false + schema: + type: string + responses: + '200': + content: + application/json: + example: + generations: + - alerts_context_count: 75 + connector_id: chatGpt5_0ChatAzure + discoveries: 3 + end: '2025-09-29T06:42:44.810Z' + execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 + loading_message: >- + AI is analyzing up to 100 alerts in the last 24 hours to + generate discoveries. + start: '2025-09-29T06:42:08.962Z' + status: succeeded + schema: + type: object + properties: + generations: + description: List of Attack Discovery generations + items: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration + type: array + required: + - generations + description: Indicates a successful call. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid size parameter. Must be a positive number. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message + example: Invalid size parameter. Must be a positive number. 
+ type: string + status_code: + description: HTTP status code + example: 400 + type: number + description: Bad Request response. + summary: >- + Get the latest Attack Discovery generations metadata for the current + user + tags: + - Security Attack discovery API + x-code-samples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/generations?size=50&start=now-24h&end=now' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + /api/attack_discovery/generations/{execution_uuid}: + get: + description: >- + Returns a specific Attack Discovery generation, including all generated + Attack discoveries and associated metadata, including execution status + and statistics. + operationId: GetAttackDiscoveryGeneration + parameters: + - description: >- + The unique identifier for the Attack Discovery generation execution. + This UUID is returned at the start of an Attack Discovery + generation. + example: 2e13f386-46cf-4d65-9e2b-68609e132ba5 + in: path + name: execution_uuid + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + - description: >- + Enables a markdown syntax used to render pivot fields, for example + `{{ user.name james }}`. When disabled, the same example would be + rendered as `james`. This is primarily used for Attack Discovery + views within Kibana. Defaults to `false`. + example: false + in: query + name: enable_field_rendering + required: false + schema: + default: false + type: boolean + - description: >- + When true, return the created Attack discoveries with text + replacements applied to the detailsMarkdown, entitySummaryMarkdown, + summaryMarkdown, and title fields. Defaults to `true`. 
+ example: true + in: query + name: with_replacements + required: false + schema: + default: true + type: boolean + responses: + '200': + content: + application/json: + example: + data: + - id: >- + c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + title: Suspicious process execution on host-01 + generation: + alerts_context_count: 50 + discoveries: 1 + end: '2025-09-29T06:42:44.810Z' + execution_uuid: 2e13f386-46cf-4d65-9e2b-68609e132ba5 + start: '2025-09-29T06:42:08.962Z' + status: succeeded + schema: + type: object + properties: + data: + description: >- + Array of Attack discoveries generated during this + execution. + items: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert + type: array + generation: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration + description: >- + Optional metadata about the attack discovery generation + process, metadata including execution status and + statistics. This metadata may not be available for all + generations. + required: + - data + description: Indicates a successful call. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: >- + Human-readable error message describing what went wrong + with the request + example: Invalid request parameters. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. 
+ summary: >- + Get a single Attack Discovery generation, including its discoveries and + (optional) generation metadata + tags: + - Security Attack discovery API + x-code-samples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/generations/2e13f386-46cf-4d65-9e2b-68609e132ba5' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + /api/attack_discovery/generations/{execution_uuid}/_dismiss: + post: + description: >- + Dismisses an Attack Discovery generation for the current user, + indicating that its status should not be reported in the UI. This sets + the generation's status to "dismissed" and affects how the generation + appears in subsequent queries. + operationId: PostAttackDiscoveryGenerationsDismiss + parameters: + - description: >- + The unique identifier for the Attack Discovery generation execution. + This UUID is returned when an Attack Discovery generation is created + and can be found in generation responses. + example: 46b218d5-535d-4329-be56-d0f6af6986b7 + in: path + name: execution_uuid + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + alerts_context_count: 75 + connector_id: chatGpt5_0ChatAzure + discoveries: 3 + end: '2025-09-29T06:42:44.810Z' + execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 + loading_message: >- + AI is analyzing up to 100 alerts in the last 24 hours to + generate discoveries. + start: '2025-09-29T06:42:08.962Z' + status: dismissed + schema: + type: object + properties: + alerts_context_count: + description: >- + The number of alerts that were sent as context to the LLM + for this generation. + example: 75 + type: number + connector_id: + description: >- + The unique identifier of the connector used to generate + the attack discoveries. 
+ example: chatGpt5_0ChatAzure + type: string + connector_stats: + description: >- + Statistical information about the connector's performance + for this user, providing insights into usage patterns and + success rates. + type: object + properties: + average_successful_duration_nanoseconds: + description: >- + The average duration in nanoseconds for successful + generations using this connector by the current user. + example: 47958500000 + type: number + successful_generations: + description: >- + The total number of Attack discoveries successfully + created for this generation + example: 2 + type: number + discoveries: + description: >- + The number of attack discoveries that were generated + during this execution. + example: 3 + type: number + end: + description: >- + The timestamp when the generation process completed, in + ISO 8601 format. This field may be absent for generations + that haven't finished. + example: '2025-09-29T06:42:44.810Z' + type: string + execution_uuid: + description: >- + The unique identifier for this attack discovery generation + execution. This UUID can be used to reference this + specific generation in other API calls. + example: 46b218d5-535d-4329-be56-d0f6af6986b7 + type: string + loading_message: + description: >- + A human-readable message describing the current state or + progress of the generation process. Provides context about + what the AI is analyzing. + example: >- + AI is analyzing up to 100 alerts in the last 24 hours to + generate discoveries. + type: string + reason: + description: >- + Additional context or reasoning provided when a generation + fails or encounters issues. This field helps diagnose + problems with the generation process. + example: Connection timeout to AI service + type: string + start: + description: >- + The timestamp when the generation process began, in ISO + 8601 format. This marks the beginning of the AI analysis. 
+ example: '2025-09-29T06:42:08.962Z' + type: string + status: + description: >- + The current status of the attack discovery generation. + After dismissing, this will be set to "dismissed". + enum: + - canceled + - dismissed + - failed + - started + - succeeded + example: dismissed + type: string + required: + - connector_id + - discoveries + - execution_uuid + - loading_message + - start + - status + description: Indicates a successful call. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type or category + example: Bad Request + type: string + message: + description: >- + Human-readable error message describing what went wrong + with the request. + example: Invalid request parameters. + type: string + status_code: + description: HTTP status code indicating the type of client error + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. + summary: Dismiss an Attack Discovery generation + tags: + - Security Attack discovery API + x-code-samples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/generations/46b218d5-535d-4329-be56-d0f6af6986b7/_dismiss' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + /api/attack_discovery/schedules: + post: + description: >- + Creates a new Attack Discovery schedule that analyzes security alerts at + specified intervals. The schedule defines when and how Attack Discovery + analysis should run, including which alerts to analyze, which AI + connector to use, and what actions to take when discoveries are found. 
+ operationId: CreateAttackDiscoverySchedules + requestBody: + content: + application/json: + example: + actions: [] + enabled: true + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + schema: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps + description: >- + Attack Discovery schedule configuration including name, parameters, + schedule interval, and actions + required: true + responses: + '200': + content: + application/json: + example: + actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + updated_at: '2023-10-31T10:00:00.000Z' + updated_by: elastic + schema: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule + description: The Attack Discovery schedule was successfully created. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError + description: Bad Request response. 
+ summary: Create Attack Discovery schedule + tags: + - Security Attack discovery API + x-code-samples: + - label: Create an Attack Discovery schedule + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/schedules' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{ + "name": "Daily Security Analysis", + "enabled": true, + "params": { + "alerts_index_pattern": ".alerts-security.alerts-default", + "api_config": { + "actionTypeId": "bedrock", + "connectorId": "my-bedrock-connector", + "name": "Claude 3.5 Sonnet" + }, + "size": 100, + "start": "now-24h", + "end": "now" + }, + "schedule": { + "interval": "24h" + }, + "actions": [ + { + "action_type_id": ".cases", + "id": "system-connector-.cases", + "params": { + "subAction": "run", + "subActionParams": { + "timeWindow": "7d", + "reopenClosedCases": false, + "groupingBy": [], + "templateId": null + } + }, + "uuid": "12345678-1234-1234-1234-123456789012" + } + ] + }' + /api/attack_discovery/schedules/_find: + get: + description: >- + Find Attack Discovery schedules that match the search criteria. Supports + pagination and sorting by various fields. + operationId: FindAttackDiscoverySchedules + parameters: + - description: Page number to return (used for pagination). Defaults to 1. + example: 1 + in: query + name: page + required: false + schema: + type: number + - description: >- + Number of Attack Discovery schedules to return per page (used for + pagination). Defaults to 10. + example: 10 + in: query + name: per_page + required: false + schema: + type: number + - description: >- + Field used to sort results. Common fields include 'name', + 'created_at', 'updated_at', and 'enabled'. + example: name + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + - description: >- + Sort order direction. Use 'asc' for ascending or 'desc' for + descending. 
Defaults to 'asc'. + example: asc + in: query + name: sort_direction + required: false + schema: + enum: + - asc + - desc + type: string + responses: + '200': + content: + application/json: + example: + data: + - actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + updated_at: '2023-10-31T10:00:00.000Z' + updated_by: elastic + page: 1 + per_page: 10 + total: 1 + schema: + type: object + properties: + data: + description: Array of matched Attack Discovery schedule objects. + items: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule + type: array + page: + description: Current page number of the paginated result set. + type: number + per_page: + description: Number of items requested per page. + type: number + total: + description: >- + Total number of Attack Discovery schedules matching the + query (across all pages). + type: number + required: + - page + - per_page + - total + - data + description: Indicates a successful call. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request payload. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message + example: Invalid request payload. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + description: Bad Request response. 
+ summary: Find Attack Discovery schedules that match the search criteria + tags: + - Security Attack discovery API + x-code-samples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/schedules/_find' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + /api/attack_discovery/schedules/{id}: + delete: + description: >- + Permanently deletes an Attack Discovery schedule and all associated + configuration. + operationId: DeleteAttackDiscoverySchedules + parameters: + - description: >- + The unique identifier (UUID) of the Attack Discovery schedule to + delete. This ID is returned when creating a schedule and can be + found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + id: 12345678-1234-1234-1234-123456789012 + schema: + type: object + properties: + id: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_NonEmptyString + description: >- + The unique identifier of the deleted Attack Discovery + schedule + required: + - id + description: >- + Successfully deleted Attack Discovery schedule, returning the ID of + the deleted schedule for confirmation + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError + description: Bad Request response. 
+ summary: Delete Attack Discovery schedule + tags: + - Security Attack discovery API + x-code-samples: + - label: Delete an Attack Discovery schedule + lang: curl + source: | + curl \ + --request DELETE 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + get: + description: >- + Retrieves a specific Attack Discovery schedule by its unique identifier. + Returns complete schedule configuration including parameters, interval + settings, associated actions, and execution history. + operationId: GetAttackDiscoverySchedules + parameters: + - description: >- + The unique identifier (UUID) of the Attack Discovery schedule to + retrieve. This ID is returned when creating a schedule and can be + found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + last_execution: + date: '2023-10-31T10:00:00.000Z' + last_duration: 45.2 + status: ok + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + updated_at: '2023-10-31T10:00:00.000Z' + updated_by: elastic + schema: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule + description: >- + Successfully retrieved Attack Discovery schedule with complete + configuration and metadata + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. 
+ status_code: 400 + schema: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError + description: Bad Request response. + summary: Get Attack Discovery schedule by ID + tags: + - Security Attack discovery API + x-code-samples: + - label: Get an Attack Discovery schedule by ID + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + put: + description: >- + Updates an existing Attack Discovery schedule with new configuration. + All schedule properties can be modified including name, parameters, + interval, and actions. The update operation replaces the entire schedule + configuration with the provided values. + operationId: UpdateAttackDiscoverySchedules + parameters: + - description: >- + The unique identifier (UUID) of the Attack Discovery schedule to + update. This ID is returned when creating a schedule and can be + found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + requestBody: + content: + application/json: + example: + actions: [] + name: Updated Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 200 + start: now-48h + schedule: + interval: 12h + schema: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps + description: >- + Updated Attack Discovery schedule configuration. All fields are + required as this replaces the entire schedule configuration. 
+ required: true + responses: + '200': + content: + application/json: + example: + actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + name: Updated Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 200 + start: now-48h + schedule: + interval: 12h + updated_at: '2023-10-31T12:00:00.000Z' + updated_by: elastic + schema: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule + description: >- + Successfully updated Attack Discovery schedule with the new + configuration and metadata + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError + description: Bad Request response. + summary: Update Attack Discovery schedule + tags: + - Security Attack discovery API + x-code-samples: + - label: Update an Attack Discovery schedule + lang: curl + source: | + curl \ + --request PUT 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{ + "name": "Updated Daily Security Analysis", + "params": { + "alerts_index_pattern": ".alerts-security.alerts-default", + "api_config": { + "actionTypeId": "bedrock", + "connectorId": "my-bedrock-connector", + "name": "Claude 3.5 Sonnet" + }, + "size": 200, + "start": "now-48h", + "end": "now" + }, + "schedule": { + "interval": "12h" + }, + "actions": [] + }' + /api/attack_discovery/schedules/{id}/_disable: + post: + description: >- + Disables an Attack Discovery schedule, preventing it from running + according to its configured interval. 
The schedule configuration is + preserved and can be re-enabled later. Any currently running executions + will complete, but no new executions will be started. + operationId: DisableAttackDiscoverySchedules + parameters: + - description: >- + The unique identifier (UUID) of the Attack Discovery schedule to + disable. This ID is returned when creating a schedule and can be + found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + id: 12345678-1234-1234-1234-123456789012 + schema: + type: object + properties: + id: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_NonEmptyString + description: >- + The unique identifier of the disabled Attack Discovery + schedule + required: + - id + description: >- + Successfully disabled Attack Discovery schedule, returning the + schedule ID for confirmation + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError + description: Bad Request response. + summary: Disable Attack Discovery schedule + tags: + - Security Attack discovery API + x-code-samples: + - label: Disable an Attack Discovery schedule + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_disable' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + /api/attack_discovery/schedules/{id}/_enable: + post: + description: >- + Enables a previously disabled Attack Discovery schedule, allowing it to + run according to its configured interval. Once enabled, the schedule + will begin executing at the next scheduled time based on its interval + configuration. 
+ operationId: EnableAttackDiscoverySchedules + parameters: + - description: >- + The unique identifier (UUID) of the Attack Discovery schedule to + enable. This ID is returned when creating a schedule and can be + found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + id: 12345678-1234-1234-1234-123456789012 + schema: + type: object + properties: + id: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_NonEmptyString + description: >- + The unique identifier of the enabled Attack Discovery + schedule + required: + - id + description: >- + Successfully enabled Attack Discovery schedule, returning the + schedule ID for confirmation + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError + description: Bad Request response. 
+ summary: Enable Attack Discovery schedule + tags: + - Security Attack discovery API + x-code-samples: + - label: Enable an Attack Discovery schedule + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_enable' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + /api/data_views: + get: + operationId: getAllDataViewsDefault + responses: + '200': + content: + application/json: + examples: + getAllDataViewsResponse: + $ref: '#/components/examples/Data_views_get_data_views_response' + schema: + type: object + properties: + data_view: + items: + type: object + properties: + id: + type: string + name: + type: string + namespaces: + items: + type: string + type: array + title: + type: string + typeMeta: + type: object + type: array + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Get all data views + tags: + - data views + /api/data_views/data_view: + post: + operationId: createDataViewDefaultw + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + createDataViewRequest: + $ref: '#/components/examples/Data_views_create_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_create_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Create a data view + tags: + - data views + /api/data_views/data_view/{viewId}: + delete: description: | - The user has read-only access to the Sales space. 
Get all spaces with the following query parameters: "purpose=shareSavedObjectsIntoSpace&include_authorized_purposes=true" - value: - - id: default - name: Default - description: This is the Default Space - disabledFeatures: [] - imageUrl: '' - _reserved: true - authorizedPurposes: - any: true - copySavedObjectsIntoSpace: true - findSavedObjects: true - shareSavedObjectsIntoSpace: true - - id: marketing - name: Marketing - description: This is the Marketing Space - color: null - disabledFeatures: - - apm - initials: MK - imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU - authorizedPurposes: - any: true - copySavedObjectsIntoSpace: true - findSavedObjects: true - shareSavedObjectsIntoSpace: true - - id: sales - name: Sales - initials: MK - disabledFeatures: - - discover - imageUrl: '' - authorizedPurposes: - any: true - copySavedObjectsIntoSpace: false - findSavedObjects: true - shareSavedObjectsIntoSpace: false - create_space_request: - summary: Create a marketing space - value: - id: marketing - name: Marketing - description: This is the Marketing Space - color: null - initials: MK - disabledFeatures: [] - imageUrl: data:image/png;base64,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 - get_space_response: - summary: Get details about a marketing space - value: - id: marketing - name: Marketing - description: This is the Marketing Space - color: null - initials: MK - disabledFeatures: [] - imageUrl: '' - solution: es - update_space_request: - summary: Update a marketing space - description: Update the marketing space to remove the imageUrl. 
- value: - id: marketing - name: Marketing - description: This is the Marketing Space - color: null - initials: MK - disabledFeatures: [] - imageUrl: '' - parameters: - APM_UI_elastic_api_version: - description: The version of the API to use - in: header - name: elastic-api-version - required: true - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - APM_UI_kbn_xsrf: - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - Data_views_field_name: - description: The name of the runtime field. - in: path - name: fieldName - required: true - schema: - example: hour_of_day - type: string - Data_views_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - Data_views_view_id: - description: An identifier for the data view. - in: path - name: viewId - required: true - schema: - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f - type: string - Machine_learning_APIs_simulateParam: - description: When true, simulates the synchronization by returning only the list of actions that would be performed. - example: 'true' - in: query - name: simulate - required: false - schema: - type: boolean - SLOs_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - SLOs_slo_id: - description: An identifier for the slo. - in: path - name: sloId - required: true - schema: - example: 9c235211-6834-11ea-a78c-6feb38a34414 - type: string - SLOs_space_id: - description: An identifier for the space. If `/s/` and the identifier are omitted from the path, the default space is used. 
- in: path - name: spaceId - required: true - schema: - example: default - type: string - schemas: - APM_UI_400_response: - type: object - properties: - error: - description: Error type - example: Not Found - type: string - message: - description: Error message - example: Not Found - type: string - statusCode: - description: Error status code - example: 400 - type: number - APM_UI_401_response: - type: object - properties: - error: - description: Error type - example: Unauthorized - type: string - message: - description: Error message - type: string - statusCode: - description: Error status code - example: 401 - type: number - APM_UI_403_response: - type: object - properties: - error: - description: Error type - example: Forbidden - type: string - message: - description: Error message - type: string - statusCode: - description: Error status code - example: 403 - type: number - APM_UI_404_response: - type: object - properties: - error: - description: Error type - example: Not Found - type: string - message: - description: Error message - example: Not Found - type: string - statusCode: - description: Error status code - example: 404 - type: number - APM_UI_500_response: - type: object - properties: - error: - description: Error type - example: Internal Server Error - type: string - message: - description: Error message - type: string - statusCode: - description: Error status code - example: 500 - type: number - APM_UI_501_response: - type: object - properties: - error: - description: Error type - example: Not Implemented - type: string - message: - description: Error message - example: Not Implemented - type: string - statusCode: - description: Error status code - example: 501 - type: number - APM_UI_agent_configuration_intake_object: - type: object - properties: - agent_name: - description: The agent name is used by the UI to determine which settings to display. 
- type: string - service: - $ref: '#/components/schemas/APM_UI_service_object' - settings: - $ref: '#/components/schemas/APM_UI_settings_object' - required: - - service - - settings - APM_UI_agent_configuration_object: - description: Agent configuration - type: object - properties: - '@timestamp': - description: Timestamp - example: 1730194190636 - type: number - agent_name: - description: Agent name - type: string - applied_by_agent: - description: Applied by agent - example: true - type: boolean - etag: - description: | - `etag` is sent by the APM agent to indicate the `etag` of the last successfully applied configuration. If the `etag` matches an existing configuration its `applied_by_agent` property will be set to `true`. Every time a configuration is edited `applied_by_agent` is reset to `false`. - example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 - type: string - service: - $ref: '#/components/schemas/APM_UI_service_object' - settings: - $ref: '#/components/schemas/APM_UI_settings_object' - required: - - service - - settings - - '@timestamp' - - etag - APM_UI_agent_configurations_response: - type: object - properties: - configurations: - description: Agent configuration - items: - $ref: '#/components/schemas/APM_UI_agent_configuration_object' - type: array - APM_UI_agent_keys_object: - type: object - properties: - name: - description: The name of the APM agent key. - type: string - privileges: - description: | - The APM agent key privileges. It can take one or more of the following values: - * `event:write`, which is required for ingesting APM agent events. * `config_agent:read`, which is required for APM agents to read agent configuration remotely. - items: - enum: - - event:write - - config_agent:read + WARNING: When you delete a data view, it cannot be recovered. 
+ operationId: deleteDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '204': + description: Indicates a successful call. + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Delete a data view + tags: + - data views + get: + operationId: getDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + content: + application/json: + examples: + getDataViewResponse: + $ref: '#/components/examples/Data_views_get_data_view_response' + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Get a data view + tags: + - data views + post: + operationId: updateDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + updateDataViewRequest: + $ref: '#/components/examples/Data_views_update_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_update_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update a data view + tags: + - data views + /api/data_views/data_view/{viewId}/fields: + post: + description: > + Update fields presentation metadata such as count, customLabel, + customDescription, and format. 
+ operationId: updateFieldsMetadataDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + updateFieldsMetadataRequest: + $ref: '#/components/examples/Data_views_update_field_metadata_request' + schema: + type: object + properties: + fields: + description: The field object. + type: object + required: + - fields + required: true + responses: + '200': + content: + application/json: + schema: + type: object + properties: + acknowledged: + type: boolean + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update data view fields metadata + tags: + - data views + /api/data_views/data_view/{viewId}/runtime_field: + post: + operationId: createRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + createRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_create_runtime_field_request' + schema: + type: object + properties: + name: + description: | + The name for a runtime field. + type: string + runtimeField: + description: | + The runtime field definition object. + type: object + required: + - name + - runtimeField + required: true + responses: + '200': + content: + application/json: + schema: + type: object + description: Indicates a successful call. + summary: Create a runtime field + tags: + - data views + put: + operationId: createUpdateRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - description: | + The ID of the data view fields you want to update. 
+ in: path + name: viewId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_create_runtime_field_request' + schema: + type: object + properties: + name: + description: | + The name for a runtime field. + type: string + runtimeField: + description: | + The runtime field definition object. + type: object + required: + - name + - runtimeField + required: true + responses: + '200': + content: + application/json: + schema: + type: object + properties: + data_view: + type: object + fields: + items: + type: object + type: array + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Create or update a runtime field + tags: + - data views + /api/data_views/data_view/{viewId}/runtime_field/{fieldName}: + delete: + operationId: deleteRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + description: Indicates a successful call. + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Delete a runtime field from a data view + tags: + - data views + get: + operationId: getRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + content: + application/json: + examples: + getRuntimeFieldResponse: + $ref: '#/components/examples/Data_views_get_runtime_field_response' + schema: + type: object + properties: + data_view: + type: object + fields: + items: + type: object + type: array + description: Indicates a successful call. 
+ '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Get a runtime field + tags: + - data views + post: + operationId: updateRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + updateRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_update_runtime_field_request' + schema: + type: object + properties: + runtimeField: + description: | + The runtime field definition object. + + You can update following fields: + + - `type` + - `script` + type: object + required: + - runtimeField + required: true + responses: + '200': + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update a runtime field + tags: + - data views + /api/data_views/default: + get: + operationId: getDefaultDataViewDefault + responses: + '200': + content: + application/json: + examples: + getDefaultDataViewResponse: + $ref: >- + #/components/examples/Data_views_get_default_data_view_response + schema: + type: object + properties: + data_view_id: + type: string + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Get the default data view + tags: + - data views + post: + operationId: setDefaultDatailViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + setDefaultDataViewRequest: + $ref: '#/components/examples/Data_views_set_default_data_view_request' + schema: + type: object + properties: + data_view_id: + description: > + The data view identifier. 
NOTE: The API does not validate
+ whether it is a valid identifier. Use `null` to unset the
+ default data view.
+ nullable: true
+ type: string
+ force:
+ default: false
+ description: Update an existing default data view identifier.
+ type: boolean
+ required:
+ - data_view_id
+ required: true
+ responses:
+ '200':
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ acknowledged:
+ type: boolean
+ description: Indicates a successful call.
+ '400':
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Data_views_400_response'
+ description: Bad request
+ summary: Set the default data view
+ tags:
+ - data views
+ /api/data_views/swap_references:
+ post:
+ description: >
+ Changes saved object references from one data view identifier to
+ another. WARNING: Misuse can break large numbers of saved objects!
+ Practicing with a backup is recommended.
+ operationId: swapDataViewsDefault
+ parameters:
+ - $ref: '#/components/parameters/Data_views_kbn_xsrf'
+ requestBody:
+ content:
+ application/json:
+ examples:
+ swapDataViewRequest:
+ $ref: '#/components/examples/Data_views_swap_data_view_request'
+ schema:
+ $ref: '#/components/schemas/Data_views_swap_data_view_request_object'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ deleteStatus:
+ type: object
+ properties:
+ deletePerformed:
+ type: boolean
+ remainingRefs:
+ type: integer
+ result:
+ items:
+ type: object
+ properties:
+ id:
+ description: A saved object identifier.
+ type: string
+ type:
+ description: The saved object type.
+ type: string
+ type: array
+ description: Indicates a successful call.
+ summary: Swap saved object references
+ tags:
+ - data views
+ /api/data_views/swap_references/_preview:
+ post:
+ description: >
+ Preview the impact of swapping saved object references from one data
+ view identifier to another.
+ operationId: previewSwapDataViewsDefault
+ parameters:
+ - $ref: '#/components/parameters/Data_views_kbn_xsrf'
+ requestBody:
+ content:
+ application/json:
+ examples:
+ previewSwapDataViewRequest:
+ $ref: >-
+ #/components/examples/Data_views_preview_swap_data_view_request
+ schema:
+ $ref: '#/components/schemas/Data_views_swap_data_view_request_object'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ result:
+ items:
+ type: object
+ properties:
+ id:
+ description: A saved object identifier.
+ type: string
+ type:
+ description: The saved object type.
+ type: string
+ type: array
+ description: Indicates a successful call.
+ summary: Preview a saved object reference swap
+ tags:
+ - data views
+ /api/detection_engine/privileges:
+ get:
+ description: >
+ Retrieves whether or not the user is authenticated, and the user's
+ Kibana
+
+ space and index privileges, which determine if the user can create an
+
+ index for the Elastic Security alerts generated by
+
+ detection engine rules.
+ operationId: ReadPrivileges
+ responses:
+ '200':
+ content:
+ application/json:
+ examples:
+ success:
+ value:
+ application: {}
+ cluster:
+ all: true
+ manage: true
+ manage_api_key: true
+ manage_index_templates: true
+ manage_ml: true
+ manage_own_api_key: true
+ manage_pipeline: true
+ manage_security: true
+ manage_transform: true
+ monitor: true
+ monitor_ml: true
+ monitor_transform: true
+ has_all_requested: true
+ has_encryption_key: true
+ index:
+ .alerts-security.alerts-default:
+ all: true
+ create: true
+ create_doc: true
+ create_index: true
+ delete: true
+ delete_index: true
+ index: true
+ maintenance: true
+ manage: true
+ monitor: true
+ read: true
+ view_index_metadata: true
+ write: true
+ is_authenticated: true
+ username: elastic
+ schema:
+ type: object
+ properties:
+ has_encryption_key:
+ type: boolean
+ is_authenticated:
+ type: boolean
+ required:
+ - is_authenticated
+ - has_encryption_key
+ description: Successful response
+ '401':
+ content:
+ application/json:
+ examples:
+ unauthorized:
+ value:
+ error: Unauthorized
+ message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
+ statusCode: 401
+ schema:
+ $ref: >-
+ #/components/schemas/Security_Detections_API_PlatformErrorResponse
+ description: Unsuccessful authentication response
+ '500':
+ content:
+ application/json:
+ examples:
+ serverError:
+ value:
+ message: Internal Server Error
+ status_code: 500
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Returns user privileges for the Kibana space
+ tags:
+ - Security Detections API
+ - Privileges API
+ /api/detection_engine/rules:
+ delete:
+ description: >
+ Delete a detection rule using the `rule_id` or `id` field.
+
+
+ The URL query must include one of the following:
+
+
+ * `id` - `DELETE /api/detection_engine/rules?id=`
+
+ * `rule_id`- `DELETE /api/detection_engine/rules?rule_id=`
+
+
+ The difference between the `id` and `rule_id` is that the `id` is a
+ unique rule identifier that is randomly generated when a rule is created
+ and cannot be set, whereas `rule_id` is a stable rule identifier that
+ can be assigned during rule creation.
+ operationId: DeleteRule
+ parameters:
+ - description: The rule's `id` value.
+ in: query
+ name: id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ - description: The rule's `rule_id` value.
+ in: query
+ name: rule_id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ responses:
+ '200':
+ content:
+ application/json:
+ examples:
+ deletedRule:
+ summary: Response shape after a rule is deleted
+ value:
+ actions: []
+ created_at: '2020-02-03T11:19:04.259Z'
+ created_by: elastic
+ description: Process started by MS Office program in user folder
+ enabled: false
+ false_positives: []
+ from: now-4200s
+ id: c41d170b-8ba6-4de6-b8ec-76440a35ace3
+ immutable: false
+ interval: 1h
+ language: kuery
+ max_signals: 100
+ name: MS Office child process
+ query: event.action:Process*
+ references: []
+ risk_score: 50
+ rule_id: process_started_by_ms_office_user_folder
+ severity: low
+ tags:
+ - tag
+ throttle: null
+ to: now
+ type: query
+ updated_at: '2020-02-03T11:19:04.462Z'
+ updated_by: elastic
+ version: 3
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
+ description: Indicates a successful call.
+ summary: Delete a detection rule
+ tags:
+ - Security Detections API
+ - Rules API
+ x-codeSamples:
+ - lang: cURL
+ source: |
+ curl \
+ --request DELETE https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \
+ --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31"
+ get:
+ description: >
+ Retrieve a detection rule using the `rule_id` or `id` field.
+
+
+ The URL query must include one of the following:
+
+
+ * `id` - `GET /api/detection_engine/rules?id=`
+
+ * `rule_id` - `GET /api/detection_engine/rules?rule_id=`
+
+
+ The difference between the `id` and `rule_id` is that the `id` is a
+ unique rule identifier that is randomly generated when a rule is created
+ and cannot be set, whereas `rule_id` is a stable rule identifier that
+ can be assigned during rule creation.
+ operationId: ReadRule
+ parameters:
+ - description: The rule's `id` value.
+ in: query
+ name: id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ - description: The rule's `rule_id` value.
+ in: query
+ name: rule_id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ responses:
+ '200':
+ content:
+ application/json:
+ examples:
+ example1:
+ summary: Example response for a retrieved rule
+ value:
+ created_at: '2020-02-03T11:19:04.259Z'
+ created_by: elastic
+ description: Process started by MS Office program in user folder
+ enabled: false
+ execution_summary:
+ last_execution:
+ date: '2022-03-23T16:06:12.787Z'
+ message: >-
+ This rule attempted to query data from Elasticsearch
+ indices listed in the "Index pattern" section of the
+ rule definition, but no matching index was found.
+ metrics:
+ execution_gap_duration_s: 0
+ total_indexing_duration_ms: 15
+ total_search_duration_ms: 135
+ status: partial failure
+ status_order: 20
+ false_positives: []
+ filters:
+ - query:
+ match:
+ event.action:
+ query: 'Process Create (rule: ProcessCreate)'
+ type: phrase
+ from: now-4200s
+ id: c41d170b-8ba6-4de6-b8ec-76440a35ace3
+ immutable: false
+ interval: 1h
+ language: kuery
+ max_signals: 100
+ name: MS Office child process
+ query: >-
+ process.parent.name:EXCEL.EXE or
+ process.parent.name:MSPUB.EXE or
+ process.parent.name:OUTLOOK.EXE or
+ process.parent.name:POWERPNT.EXE or
+ process.parent.name:VISIO.EXE or
+ process.parent.name:WINWORD.EXE
+ references: []
+ related_integrations:
+ - package: o365
+ version: ^2.3.2
+ required_fields:
+ - ecs: true
+ name: process.name
+ type: keyword
+ - ecs: true
+ name: process.parent.name
+ type: keyword
+ risk_score: 21
+ rule_id: process_started_by_ms_office_user_folder
+ setup: ''
+ severity: low
+ tags:
+ - child process
+ - ms office
+ threat:
+ - framework: MITRE ATT&CK
+ tactic:
+ id: TA0001
+ name: Initial Access
+ reference: https://attack.mitre.org/tactics/TA0001
+ technique:
+ - id: T1193
+ name: Spearphishing Attachment
+ reference: https://attack.mitre.org/techniques/T1193
+ to: now-300s
+ type: query
+ updated_at: '2020-02-03T11:19:04.462Z'
+ updated_by: elastic
+ version: 1
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
+ description: >
+ Indicates a successful call.
+
+ > info
+
+ > These fields are under development and their usage or schema may
+ change: execution_summary.
+ summary: Retrieve a detection rule
+ tags:
+ - Security Detections API
+ - Rules API
+ x-codeSamples:
+ - lang: cURL
+ source: |
+ curl \
+ --request GET https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \
+ --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31"
+ patch:
+ description: >
+ Update specific fields of an existing detection rule using the `rule_id`
+ or `id` field.
+
+
+ The difference between the `id` and `rule_id` is that the `id` is a
+ unique rule identifier that is randomly generated when a rule is created
+ and cannot be set, whereas `rule_id` is a stable rule identifier that
+ can be assigned during rule creation.
+
+ > warn
+
+ > When used with [API
+ key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication,
+ the user's key gets assigned to the affected rules. If the user's key
+ gets deleted or the user becomes inactive, the rules will stop running.
+
+
+ > If the API key that is used for authorization has different privileges
+ than the key that created or most recently updated the rule, the rule
+ behavior might change.
+ operationId: PatchRule
+ requestBody:
+ content:
+ application/json:
+ examples:
+ example1:
+ summary: Patch query rule
+ value:
+ id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76
+ name: New name
+ example2:
+ summary: Patch EQL rule
+ value:
+ rule_id: process_started_by_ms_office_program_possible_payload
+ threat:
+ - framework: MITRE ATT&CK
+ tactic:
+ id: TA0001
+ name: Initial Access
+ reference: https://attack.mitre.org/tactics/TA0001
+ technique:
+ - id: T1193
+ name: Spearphishing Attachment
+ reference: https://attack.mitre.org/techniques/T1193
+ example3:
+ summary: Patch threshold rule
+ value:
+ id: 005d2c4f-51ca-493d-a2bd-20ef076339b1
+ query: >-
+ agent.version : * and agent.id :
+ "243d9b4f-ca01-4311-8e5c-9abbee91afd8"
+ threshold:
+ cardinality: []
+ field: []
+ value: 600
+ example4:
+ summary: Patch new terms rule
+ value:
+ history_window_start: now-3d
+ id: 569aac91-40dc-4807-a8ae-a2c8698089c4
+ new_terms_fields:
+ - Endpoint.policy.applied.artifacts.global.identifiers.name
+ example5:
+ summary: Patch esql rule
+ value:
+ id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd
+ query: >
+ FROM logs-abc*
+
+ | STATS count = COUNT(*), min_timestamp = MIN(@timestamp)
+
+ | EVAL event_rate = count / DATE_DIFF("seconds",
+ min_timestamp, NOW())
+
+ | KEEP event_rate
+ example6:
+ summary: Patch indicator match rule
+ value:
+ id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd
+ threat_query: >-
+ @timestamp >= "now-30d/d" and event.module:(threatintel or
+ ti_*) and threat.indicator.ip:* and not
+ labels.is_ioc_transform_source:"false"
+ example7:
+ summary: Patch machine learning rule
+ value:
+ anomaly_threshold: 50
+ id: 60b13926-289b-41b1-a537-197ef1fa5059
+ machine_learning_job_id:
+ - auth_high_count_logon_events_ea
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RulePatchProps'
+ description: |
+ > info
+ > You cannot modify the `id` or `rule_id` values.
+ required: true
+ responses:
+ '200':
+ content:
+ application/json:
+ examples:
+ example1:
+ summary: Example response for an updated rule
+ value:
+ actions: []
+ created_at: '2020-04-07T14:51:09.755Z'
+ created_by: elastic
+ description: Updated description for the rule.
+ enabled: false
+ false_positives: []
+ filters:
+ - query: null
+ from: now-70m
+ id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1
+ immutable: false
+ interval: 1h
+ language: kuery
+ max_signals: 100
+ name: Updated Rule Name
+ query: >-
+ process.parent.name:EXCEL.EXE or
+ process.parent.name:MSPUB.EXE or
+ process.parent.name:OUTLOOK.EXE or
+ process.parent.name:POWERPNT.EXE or
+ process.parent.name:VISIO.EXE or
+ process.parent.name:WINWORD.EXE
+ references: []
+ related_integrations:
+ - package: o365
+ required_fields:
+ - name: process.parent.name
+ risk_score: 50
+ rule_id: process_started_by_ms_office_program
+ setup: ''
+ severity: low
+ tags:
+ - child process
+ - ms office
+ threat: []
+ to: now
+ type: query
+ updated_at: '2020-04-07T14:51:09.970Z'
+ updated_by: elastic
+ version: 2
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
+ description: Indicates a successful call.
+ summary: Patch a detection rule
+ tags:
+ - Security Detections API
+ - Rules API
+ post:
+ description: >
+ Create a new detection rule.
+
+ > warn
+
+ > When used with [API
+ key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication,
+ the user's key gets assigned to the affected rules. If the user's key
+ gets deleted or the user becomes inactive, the rules will stop running.
+
+
+ > If the API key that is used for authorization has different privileges
+ than the key that created or most recently updated the rule, the rule
+ behavior might change.
+
+
+ You can create the following types of rules:
+
+
+ * **Custom query**: Searches the defined indices and creates an alert
+ when a document matches the rule's KQL query.
+
+ * **Event correlation**: Searches the defined indices and creates an
+ alert when results match an [Event Query Language
+ (EQL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html)
+ query.
+
+ * **Threshold**: Searches the defined indices and creates an alert when
+ the number of times the specified field's value meets the threshold
+ during a single execution. When there are multiple values that meet the
+ threshold, an alert is generated for each value.
+ For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. If you're interested, see [Terms Aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html) for more information.
+ * **Indicator match**: Creates an alert when fields match values defined
+ in the specified [Elasticsearch
+ index](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html).
+ For example, you can create an index for IP addresses and use this index
+ to create an alert whenever an event's `destination.ip` equals a value
+ in the index. The index's field mappings should be
+ [ECS-compliant](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html).
+
+ * **New terms**: Generates an alert for each new term detected in source
+ documents within a specified time range.
+
+ * **ES|QL**: Uses [Elasticsearch Query Language
+ (ES|QL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html)
+ to find events and aggregate search results.
+
+ * **Machine learning rules**: Creates an alert when a machine learning
+ job discovers an anomaly above the defined threshold.
+
+ > info
+
+ > To create machine learning rules, you must have the [appropriate
+ license](https://www.elastic.co/subscriptions) or use a [cloud
+ deployment](https://cloud.elastic.co/registration).
Additionally, for
+ the machine learning rule to function correctly, the associated machine
+ learning job must be running.
+
+
+ To retrieve machine learning job IDs, which are required to create
+ machine learning jobs, call the [Elasticsearch Get jobs
+ API](https://www.elastic.co/guide/en/elasticsearch/reference/current/ml-get-job.html).
+ Machine learning jobs that contain `siem` in the `groups` field can be
+ used to create rules:
+
+
+ ```json
+
+ ...
+
+ "job_id": "linux_anomalous_network_activity_ecs",
+
+ "job_type": "anomaly_detector",
+
+ "job_version": "7.7.0",
+
+ "groups": [
+ "auditbeat",
+ "process",
+ "siem"
+ ],
+
+ ...
+
+ ```
+
+
+ Additionally, you can set up notifications for when rules create alerts.
+ The notifications use the [Alerting and Actions
+ framework](https://www.elastic.co/docs/explore-analyze/alerting). Each
+ action type requires a connector. Connectors store the information
+ required to send notifications via external systems. The following
+ connector types are supported for rule notifications:
+
+
+ * Slack
+
+ * Email
+
+ * PagerDuty
+
+ * Webhook
+
+ * Microsoft Teams
+
+ * IBM Resilient
+
+ * Jira
+
+ * ServiceNow ITSM
+
+ > info
+
+ > For more information on PagerDuty fields, see [Send a v2
+ Event](https://developer.pagerduty.com/docs/events-api-v2/trigger-events/).
+
+
+ To retrieve connector IDs, which are required to configure rule
+ notifications, call the [Find objects
+ API](https://www.elastic.co/docs/api/doc/kibana/operation/operation-findsavedobjects)
+ with `"type": "action"` in the request payload.
+
+
+ For detailed information on Kibana actions and alerting, and additional
+ API calls, see:
+
+
+ * [Alerting
+ API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-alerting)
+
+ * [Alerting and Actions
+ framework](https://www.elastic.co/docs/explore-analyze/alerting)
+
+ * [Connectors
+ API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-connectors)
+ operationId: CreateRule
+ requestBody:
+ content:
+ application/json:
+ examples:
+ example1:
+ description: Query rule that searches for processes started by MS Office
+ summary: Query rule
+ value:
+ description: Process started by MS Office program - possible payload
+ enabled: false
+ filters:
+ - query:
+ match:
+ event.action:
+ query: 'Process Create (rule: ProcessCreate)'
+ type: phrase
+ from: now-70m
+ interval: 1h
+ language: kuery
+ name: MS Office child process
+ query: >-
+ process.parent.name:EXCEL.EXE or
+ process.parent.name:MSPUB.EXE or
+ process.parent.name:OUTLOOK.EXE or
+ process.parent.name:POWERPNT.EXE or
+ process.parent.name:VISIO.EXE or
+ process.parent.name:WINWORD.EXE
+ related_integrations:
+ - package: o365
+ version: ^2.3.2
+ required_fields:
+ - name: process.parent.name
+ type: keyword
+ risk_score: 50
+ rule_id: process_started_by_ms_office_program
+ severity: low
+ tags:
+ - child process
+ - ms office
+ type: query
+ example2:
+ description: >-
+ Threshold rule that detects multiple failed login attempts to
+ a Windows host from the same external source IP address
+ summary: Threshold rule
+ value:
+ description: >-
+ Detects when there are 20 or more failed login attempts from
+ the same IP address with a 2 minute time frame.
+ enabled: true
+ exceptions_list:
+ - id: int-ips
+ namespace_type: single
+ type: detection
+ from: now-180s
+ index:
+ - winlogbeat-*
+ interval: 2m
+ name: Windows server prml-19
+ query: >-
+ host.name:prml-19 and event.category:authentication and
+ event.outcome:failure
+ required_fields:
+ - name: source.ip
+ type: ip
+ risk_score: 30
+ rule_id: liv-win-ser-logins
+ severity: low
+ severity_mapping:
+ - field: source.geo.city_name
+ operator: equals
+ severity: low
+ value: Manchester
+ - field: source.geo.city_name
+ operator: equals
+ severity: medium
+ value: London
+ - field: source.geo.city_name
+ operator: equals
+ severity: high
+ value: Birmingham
+ - field: source.geo.city_name
+ operator: equals
+ severity: critical
+ value: Wallingford
+ tags:
+ - Brute force
+ threshold:
+ field: source.ip
+ value: 20
+ type: threshold
+ example3:
+ description: >-
+ Machine learning rule that creates alerts, and sends Slack
+ notifications, when the linux_anomalous_network_activity_ecs
+ machine learning job discovers anomalies with a threshold of
+ 70 or above.
+ summary: Machine learning rule
+ value:
+ actions:
+ - action_type_id: .slack
+ group: default
+ id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5
+ params:
+ message: 'Urgent: {{context.rule.description}}'
+ anomaly_threshold: 70
+ description: Generates alerts when the job discovers anomalies over 70
+ enabled: true
+ from: now-6m
+ interval: 5m
+ machine_learning_job_id: linux_anomalous_network_activity_ecs
+ name: Anomalous Linux network activity
+ note: Shut down the internet.
+ risk_score: 70
+ rule_id: ml_linux_network_high_threshold
+ setup: This rule requires data coming in from Elastic Defend.
+ severity: high
+ tags:
+ - machine learning
+ - Linux
+ type: machine_learning
+ example4:
+ description: >-
+ Event correlation rule that creates alerts when the Windows
+ rundll32.exe process makes unusual network connections
+ summary: EQL rule
+ value:
+ description: Unusual rundll32.exe network connection
+ language: eql
+ name: rundll32.exe network connection
+ query: >-
+ sequence by process.entity_id with maxspan=2h [process where
+ event.type in ("start", "process_started") and (process.name
+ == "rundll32.exe" or process.pe.original_file_name ==
+ "rundll32.exe") and ((process.args == "rundll32.exe" and
+ process.args_count == 1) or (process.args != "rundll32.exe"
+ and process.args_count == 0))] [network where event.type ==
+ "connection" and (process.name == "rundll32.exe" or
+ process.pe.original_file_name == "rundll32.exe")]
+ required_fields:
+ - name: event.type
+ type: keyword
+ - name: process.args
+ type: keyword
+ - name: process.args_count
+ type: long
+ - name: process.entity_id
+ type: keyword
+ - name: process.name
+ type: keyword
+ - name: process.pe.original_file_name
+ type: keyword
+ risk_score: 21
+ rule_id: eql-outbound-rundll32-connections
+ severity: low
+ tags:
+ - EQL
+ - Windows
+ - rundll32.exe
+ type: eql
+ example5:
+ description: >
+ Indicator match rule that creates an alert when one of the
+ following is true: The event's destination IP address and port
+ number matches destination IP and port values in the
+ threat_index index; The event's source IP address matches a
+ host IP address value in the threat_index index.
+ summary: Indicator match rule
+ value:
+ actions: []
+ description: >-
+ Checks for bad IP addresses listed in the ip-threat-list
+ index
+ index:
+ - packetbeat-*
+ name: Bad IP threat match
+ query: destination.ip:* or host.ip:*
+ required_fields:
+ - name: destination.ip
+ type: ip
+ - name: destination.port
+ type: long
+ - name: host.ip
+ type: ip
+ risk_score: 50
+ severity: medium
+ threat_index:
+ - ip-threat-list
+ threat_mapping:
+ - entries:
+ - field: destination.ip
+ type: mapping
+ value: destination.ip
+ - field: destination.port
+ type: mapping
+ value: destination.port
+ - entries:
+ - field: source.ip
+ type: mapping
+ value: host.ip
+ threat_query: '*:*'
+ type: threat_match
+ example6:
+ description: >-
+ New terms rule that creates alerts a new IP address is
+ detected for a user
+ summary: New terms rule
+ value:
+ description: Detects a user associated with a new IP address
+ history_window_start: now-30d
+ index:
+ - auditbeat*
+ language: kuery
+ name: New User IP Detected
+ new_terms_fields:
+ - user.id
+ - source.ip
+ query: '*'
+ required_fields:
+ - name: user.id
+ type: keyword
+ - name: source.ip
+ type: ip
+ risk_score: 21
+ severity: medium
+ type: new_terms
+ example7:
+ description: >-
+ esql rule that creates alerts from events that match an Excel
+ parent process
+ summary: Esql rule
+ value:
+ description: Find Excel events
+ enabled: false
+ from: now-360s
+ interval: 5m
+ language: esql
+ name: Find Excel events
+ query: >-
+ from auditbeat-8.10.2 METADATA _id, _version, _index | where
+ process.parent.name == "EXCEL.EXE"
+ required_fields:
+ - name: process.parent.name
+ type: keyword
+ risk_score: 21
+ severity: low
+ tags: []
+ to: now
+ type: esql
+ example8:
+ description: >-
+ Query rule that searches for processes started by MS Office
+ and suppresses alerts by the process.parent.name field within
+ a 5-hour time period
+ summary: Query rule 2
+ value:
+ alert_suppression:
+ duration:
+ unit: h
+ value: 5
+ group_by:
+ - process.parent.name
+ missing_fields_strategy: suppress
+ description: Process started by MS Office program - possible payload
+ enabled: false
+ filters:
+ - query:
+ match:
+ event.action:
+ query: 'Process Create (rule: ProcessCreate)'
+ type: phrase
+ from: now-70m
+ interval: 1h
+ language: kuery
+ name: MS Office child process
+ query: >-
+ process.parent.name:EXCEL.EXE or
+ process.parent.name:MSPUB.EXE or
+ process.parent.name:OUTLOOK.EXE or
+ process.parent.name:POWERPNT.EXE or
+ process.parent.name:VISIO.EXE or
+ process.parent.name:WINWORD.EXE
+ risk_score: 50
+ rule_id: process_started_by_ms_office_program
+ severity: low
+ tags:
+ - child process
+ - ms office
+ type: query
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json:
+ examples:
+ example1:
+ description: Example response for a query rule
+ summary: Query rule response
+ value:
+ actions: []
+ created_at: '2020-04-07T14:51:09.755Z'
+ created_by: elastic
+ description: Process started by MS Office program - possible payload
+ enabled: false
+ false_positives: []
+ filters:
+ - query:
+ match:
+ event.action:
+ query: 'Process Create (rule: ProcessCreate)'
+ type: phrase
+ from: now-70m
+ id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1
+ immutable: false
+ interval: 1h
+ language: kuery
+ max_signals: 100
+ name: MS Office child process
+ query: >-
+ process.parent.name:EXCEL.EXE or
+ process.parent.name:MSPUB.EXE or
+ process.parent.name:OUTLOOK.EXE or
+ process.parent.name:POWERPNT.EXE or
+ process.parent.name:VISIO.EXE or
+ process.parent.name:WINWORD.EXE
+ references: []
+ related_integrations:
+ - package: o365
+ version: ^2.3.2
+ - integration: graphactivitylogs
+ package: azure
+ version: ^1.11.4
+ required_fields:
+ - ecs: true
+ name: process.parent.name
+ type: keyword
+ risk_score: 50
+ rule_id: process_started_by_ms_office_program
+ setup: ''
+ severity: low
+ tags:
+ - child process
+ - ms
office
+ threat: []
+ to: now
+ type: query
+ updated_at: '2020-04-07T14:51:09.970Z'
+ updated_by: elastic
+ version: 1
+ example2:
+ description: Example response for a machine learning job rule
+ summary: Machine learning response
+ value:
+ actions:
+ - action_type_id: .slack
+ frequency:
+ notifyWhen: onActiveAlert
+ summary: true
+ throttle: null
+ group: default
+ id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5
+ params:
+ message: 'Urgent: {{context.rule.description}}'
+ anomaly_threshold: 70
+ created_at: '2020-04-07T14:45:15.679Z'
+ created_by: elastic
+ description: Generates alerts when the job discovers anomalies over 70
+ enabled: true
+ false_positives: []
+ from: now-6m
+ id: 83876f66-3a57-4a99-bf37-416494c80f3b
+ immutable: false
+ interval: 5m
+ machine_learning_job_id: linux_anomalous_network_activity_ecs
+ max_signals: 100
+ name: Anomalous Linux network activity
+ note: Shut down the internet.
+ references: []
+ related_integrations: []
+ required_fields: []
+ risk_score: 70
+ rule_id: ml_linux_network_high_threshold
+ setup: ''
+ severity: high
+ status: going to run
+ status_date: '2020-04-07T14:45:21.685Z'
+ tags:
+ - machine learning
+ - Linux
+ threat: []
+ to: now
+ type: machine_learning
+ updated_at: '2020-04-07T14:45:15.892Z'
+ updated_by: elastic
+ version: 1
+ example3:
+ description: Example response for a threshold rule
+ summary: Threshold rule response
+ value:
+ actions: []
+ author: []
+ created_at: '2020-07-22T10:27:23.486Z'
+ created_by: elastic
+ description: >-
+ Detects when there are 20 or more failed login attempts
+ from the same IP address with a 2 minute time frame.
+ enabled: true
+ exceptions_list:
+ - id: int-ips
+ namespace_type: single
+ type: detection
+ false_positives: []
+ from: now-180s
+ id: 15dbde26-b627-4d74-bb1f-a5e0ed9e4993
+ immutable: false
+ index:
+ - winlogbeat-*
+ interval: 2m
+ language: kuery
+ max_signals: 100
+ name: Windows server prml-19
+ query: >-
+ host.name:prml-19 and event.category:authentication and
+ event.outcome:failure
+ references: []
+ related_integrations:
+ - package: o365
+ version: ^2.3.2
+ required_fields:
+ - ecs: true
+ name: source.ip
+ type: ip
+ risk_score: 30
+ risk_score_mapping: []
+ rule_id: liv-win-ser-logins
+ setup: ''
+ severity: low
+ severity_mapping:
+ - field: source.geo.city_name
+ operator: equals
+ severity: low
+ value: Manchester
+ - field: source.geo.city_name
+ operator: equals
+ severity: medium
+ value: London
+ - field: source.geo.city_name
+ operator: equals
+ severity: high
+ value: Birmingham
+ - field: source.geo.city_name
+ operator: equals
+ severity: critical
+ value: Wallingford
+ tags:
+ - Brute force
+ threat: []
+ threshold:
+ field: source.ip
+ value: 20
+ to: now
+ type: threshold
+ updated_at: '2020-07-22T10:27:23.673Z'
+ updated_by: elastic
+ version: 1
+ example4:
+ description: Example response for an EQL rule
+ summary: EQL rule response
+ value:
+ author: []
+ created_at: '2020-10-05T09:06:16.392Z'
+ created_by: elastic
+ description: Unusual rundll32.exe network connection
+ enabled: true
+ exceptions_list: []
+ false_positives: []
+ from: now-6m
+ id: 93808cae-b05b-4dc9-8479-73574b50f8b1
+ immutable: false
+ interval: 5m
+ language: eql
+ max_signals: 100
+ name: rundll32.exe network connection
+ query: >-
+ sequence by process.entity_id with maxspan=2h [process
+ where event.type in ("start", "process_started") and
+ (process.name == "rundll32.exe" or
+ process.pe.original_file_name == "rundll32.exe") and
+ ((process.args == "rundll32.exe" and process.args_count ==
+ 1) or (process.args != "rundll32.exe" and
+ process.args_count ==
0))] [network where event.type ==
+ "connection" and (process.name == "rundll32.exe" or
+ process.pe.original_file_name == "rundll32.exe")]
+ references: []
+ related_integrations:
+ - package: o365
+ version: ^2.3.2
+ required_fields:
+ - ecs: true
+ name: event.type
+ type: keyword
+ - ecs: true
+ name: process.args
+ type: keyword
+ - ecs: true
+ name: process.args_count
+ type: long
+ - ecs: true
+ name: process.entity_id
+ type: keyword
+ - ecs: true
+ name: process.name
+ type: keyword
+ - ecs: true
+ name: process.pe.original_file_name
+ type: keyword
+ risk_score: 21
+ risk_score_mapping: []
+ rule_id: eql-outbound-rundll32-connections
+ setup: ''
+ severity: low
+ severity_mapping: []
+ tags:
+ - EQL
+ - Windows
+ - rundll32.exe
+ threat: []
+ throttle: no_actions
+ to: now
+ type: eql
+ updated_at: '2020-10-05T09:06:16.403Z'
+ updated_by: elastic
+ version: 1
+ example5:
+ description: Example response for an indicator match rule
+ summary: Indicator match rule response
+ value:
+ author: []
+ created_at: '2020-10-06T07:07:58.227Z'
+ created_by: elastic
+ description: >-
+ Checks for bad IP addresses listed in the ip-threat-list
+ index
+ enabled: true
+ exceptions_list: []
+ false_positives: []
+ from: now-6m
+ id: d5daa13f-81fb-4b13-be2f-31011e1d9ae1
+ immutable: false
+ index:
+ - packetbeat-*
+ interval: 5m
+ language: kuery
+ max_signals: 100
+ name: Bad IP threat match
+ query: destination.ip:* or host.ip:*
+ references: []
+ related_integrations:
+ - package: o365
+ version: ^2.3.2
+ required_fields:
+ - ecs: true
+ name: destination.ip
+ type: ip
+ - ecs: true
+ name: destination.port
+ type: long
+ - ecs: true
+ name: host.ip
+ type: ip
+ risk_score: 50
+ risk_score_mapping: []
+ rule_id: 608501e4-c768-4f64-9326-cec55b5d439b
+ setup: ''
+ severity: medium
+ severity_mapping: []
+ tags: []
+ threat: []
+ threat_index:
+ - ip-threat-list
+ threat_mapping:
+ - entries:
+ - field: destination.ip
+ type: mapping
+ value: destination.ip
+ - field:
destination.port + type: mapping + value: destination.port + - entries: + - field: source.ip + type: mapping + value: host.ip + threat_query: '*:*' + to: now + type: threat_match + updated_at: '2020-10-06T07:07:58.237Z' + updated_by: elastic + version: 1 + example6: + description: Example response for a new terms rule + summary: New terms rule response + value: + author: [] + created_at: '2020-10-06T07:07:58.227Z' + created_by: elastic + description: Detects a user associated with a new IP address + enabled: true + exceptions_list: [] + false_positives: [] + from: now-6m + history_window_start: now-30d + id: eb7225c0-566b-11ee-8b4f-bbf3afdeb9f4 + immutable: false + index: + - auditbeat* + interval: 5m + language: kuery + max_signals: 100 + name: New User IP Detected + new_terms_fields: + - user.id + - source.ip + query: '*' + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: user.id + type: keyword + - ecs: true + name: source.ip + type: ip + risk_score: 21 + risk_score_mapping: [] + rule_id: c6f5d0bc-7be9-47d4-b2f3-073d22641e30 + setup: '' + severity: medium + severity_mapping: [] + tags: [] + threat: [] + to: now + type: new_terms + updated_at: '2020-10-06T07:07:58.237Z' + updated_by: elastic + version: 1 + example7: + description: Example response for an Esql rule + summary: Esql rule response + value: + actions: [] + author: [] + created_at: '2023-10-18T10:55:14.269Z' + created_by: elastic + description: Find Excel events + enabled: false + exceptions_list: [] + false_positives: [] + from: now-360s + id: d0f20490-6da4-11ee-b85e-09e9b661f2e2 + immutable: false + interval: 5m + language: esql + max_signals: 100 + name: Find Excel events + output_index: '' + query: >- + from auditbeat-8.10.2 METADATA _id | where + process.parent.name == "EXCEL.EXE" + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: process.parent.name + type: keyword 
+ revision: 0 + risk_score: 21 + risk_score_mapping: [] + rule_id: e4b53a89-debd-4a0d-a3e3-20606952e589 + setup: '' + severity: low + severity_mapping: [] + tags: [] + threat: [] + to: now + type: esql + updated_at: '2023-10-18T10:55:14.269Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Create a detection rule + tags: + - Security Detections API + put: + description: > + Update a detection rule using the `rule_id` or `id` field. The original + rule is replaced, and all unspecified fields are deleted. + + + The difference between the `id` and `rule_id` is that the `id` is a + unique rule identifier that is randomly generated when a rule is created + and cannot be set, whereas `rule_id` is a stable rule identifier that + can be assigned during rule creation. + + > warn + + > When used with [API + key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, + the user's key gets assigned to the affected rules. If the user's key + gets deleted or the user becomes inactive, the rules will stop running. + + + > If the API key that is used for authorization has different privileges + than the key that created or most recently updated the rule, the rule + behavior might change. 
+ operationId: UpdateRule + requestBody: + content: + application/json: + examples: + example1: + summary: Update query rule + value: + description: A new description + id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 + name: A new name for the rule + risk_score: 22 + severity: medium + type: query + example2: + summary: Update EQL rule + value: + description: eql rule test + id: 9b684efb-acf9-4323-9bff-8335b3867d14 + index: + - apm-*-transaction* + language: eql + name: New name for EQL rule + query: process where process.name == "regsvr32.exe" + risk_score: 21 + severity: low + type: eql + example3: + summary: Update threshold rule + value: + description: Description of threat rule test + id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 + language: kuery + name: New name for threat rule + query: >- + agent.version : * and agent.id : + "243d9b4f-ca01-4311-8e5c-9abbee91afd8" + risk_score: 21 + severity: low + tags: + - new_tag + threshold: + cardinality: [] + field: [] + value: 400 + type: threshold + example4: + summary: Update new terms rule + value: + description: New description + history_window_start: now-7d + id: 569aac91-40dc-4807-a8ae-a2c8698089c4 + interval: 5m + name: New terms rule name + new_terms_fields: + - Endpoint.policy.applied.artifacts.global.identifiers.name + query: 'agent.version : "9.1.0"' + risk_score: 21 + severity: low + type: new_terms + example5: + summary: Update esql rule + value: + description: New description for esql rule + id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd + language: esql + name: New name for esql rule + query: > + FROM logs* + + | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) /* + MIN(dateField) finds the earliest timestamp in the dataset. + */ + + | EVAL event_rate = count / DATE_DIFF("seconds", + min_timestamp, NOW()) /* Calculates the event rate by + dividing the total count of events by the time difference + (in seconds) between the earliest event and the current + time. 
*/ + + | KEEP event_rate + risk_score: 21 + severity: low + type: esql + example6: + summary: Update indicator match rule + value: + description: New description + id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd + name: New name for Indicator Match rule + query: source.ip:* or destination.ip:*\n + risk_score: 99 + severity: critical + threat_index: + - filebeat-* + - logs-ti_* + threat_mapping: + - entries: + - field: source.ip + type: mapping + value: threat.indicator.ip + - entries: + - field: destination.ip + type: mapping + value: threat.indicator.ip + threat_query: >- + @timestamp >= "now-30d/d" and event.module:(threatintel or + ti_*) and threat.indicator.ip:* and not + labels.is_ioc_transform_source:"true" + type: threat_match + example7: + summary: Update machine learning rule + value: + anomaly_threshold: 50 + description: New description of ml rule + id: 60b13926-289b-41b1-a537-197ef1fa5059 + machine_learning_job_id: + - auth_high_count_logon_events_ea + name: New name of ml rule + risk_score: 21 + severity: low + type: machine_learning + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps' + description: > + > info + + > All unspecified fields are deleted. You cannot modify the `id` or + `rule_id` values. + required: true + responses: + '200': + content: + application/json: + examples: + example1: + summary: Example response for an updated rule + value: + actions: [] + created_at: '2020-04-07T14:51:09.755Z' + created_by: elastic + description: Updated description for the rule. 
+ enabled: false + false_positives: [] + filters: + - query: null + from: now-70m + id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: Updated Rule Name + query: >- + process.parent.name:EXCEL.EXE or + process.parent.name:MSPUB.EXE or + process.parent.name:OUTLOOK.EXE or + process.parent.name:POWERPNT.EXE or + process.parent.name:VISIO.EXE or + process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + required_fields: + - name: process.parent.name + risk_score: 50 + rule_id: process_started_by_ms_office_program + setup: '' + severity: low + tags: + - child process + - ms office + threat: [] + to: now + type: query + updated_at: '2020-04-07T14:51:09.970Z' + updated_by: elastic + version: 2 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Update a detection rule + tags: + - Security Detections API + - Rules API + /api/detection_engine/rules/_bulk_action: + post: + description: > + Apply a bulk action, such as bulk edit, duplicate, or delete, to + multiple detection rules. The bulk action is applied to all rules that + match the query or to the rules listed by their IDs. + + + The edit action allows you to add, delete, or set tags, index patterns, + investigation fields, rule actions and schedules for multiple rules at + once. + + The edit action is idempotent, meaning that if you add a tag to a rule + that already has that tag, no changes are made. The same is true for + other edit actions, for example removing an index pattern that is not + specified in a rule will not result in any changes. The only exception + is the `add_rule_actions` and `set_rule_actions` action, which is + non-idempotent. This means that if you add or set a rule action to a + rule that already has that action, a new action is created with a new + unique ID. 
+ + > warn + + > When used with [API + key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, + the user's key gets assigned to the affected rules. If the user's key + gets deleted or the user becomes inactive, the rules will stop running. + + + > If the API key that is used for authorization has different privileges + than the key that created or most recently updated the rule, the rule + behavior might change. + operationId: PerformRulesBulkAction + parameters: + - description: > + Enables dry run mode for the request call. + + + Enable dry run mode to verify that bulk actions can be applied to + specified rules. Certain rules, such as prebuilt Elastic rules on a + Basic subscription, can’t be edited and will return errors in the + request response. Error details will contain an explanation, the + rule name and/or ID, and additional troubleshooting information. + + + To enable dry run mode on a request, add the query parameter + `dry_run=true` to the end of the request URL. Rules specified in the + request will be temporarily updated. These updates won’t be written + to Elasticsearch. + + > info + + > Dry run mode is not supported for the `export` bulk action. A 400 + error will be returned in the request response. + in: query + name: dry_run + required: false + schema: + type: boolean + requestBody: + content: + application/json: + examples: + example01: + description: The following request activates all rules with the test tag. + summary: Enable - Enable all rules with the test tag + value: + action: enable + query: 'alert.attributes.tags: "test"' + example02: + description: The following request enables the rule with the specified ID. + summary: Enable - Enable a specific rule by ID. + value: + action: enable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example03: + description: The following request disables the rule with the specified ID. 
+ summary: Disable - Disable a specific rule by ID + value: + action: disable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example04: + description: >- + The following request duplicates rules with the specified IDs, + including exceptions but not expired exceptions. + summary: Duplicate - Duplicate rules with specific IDs + value: + action: duplicate + duplicate: + include_exceptions: true + include_expired_exceptions: false + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + - 461a4c22-416e-4009-a9a7-cf79656454bf + example05: + description: The following request deletes the rule with the specified ID. + summary: Delete - Delete a specific rule by ID + value: + action: delete + ids: + - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 + example06: + description: >- + The following request runs the rule with the specified ID + within the given date range. + summary: Run - Run a specific rule by ID + value: + action: run + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + run: + end_date: '2025-03-10T23:59:59.999Z' + start_date: '2025-03-01T00:00:00.000Z' + example07: + description: >- + The following request exports the rules with the specified + IDs. + summary: Export - Export specific rules by ID + value: + action: export + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example08: + description: >- + The following request will validate that the + add_index_patterns bulk action can be successfully applied to + three rules. The dry_run parameter is specified in query + parameters, e.g. POST + api/detection_engine/rules/_bulk_action?dry_run=true + summary: Edit - dry run - Validate add_index_patterns bulk action + value: + action: edit + edit: + - type: add_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + - de8f5af0-0831-11ed-ac8b-05a222bd8d4a + example09: + description: >- + The following request adds the tag "tag-1" to the rules with + the specified IDs. 
If the tag already exists for a rule, no + changes are made. + summary: Edit - Add a tag to rules (idempotent) + value: + action: edit + edit: + - type: add_tags + value: + - tag-1 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example10: + description: >- + The following request adds two tags at the same time, tag-1 + and tag-2, to the rules that have the IDs sent in the payload. + If the tags already exist for a rule, no changes are made. + summary: Edit - Add two tags to rules (idempotent) + value: + action: edit + edit: + - type: add_tags + value: + - tag-1 + - tag-2 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example11: + description: >- + The following request removes the tag "tag-1" from the rules + with the specified IDs. If the tag does not exist for a rule, + no changes are made. + summary: Edit - Delete a tag from rules (idempotent) + value: + action: edit + edit: + - type: delete_tags + value: + - tag-1 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example12: + description: >- + The following request sets the tags "tag-1" and "tag-2" for + the rules with the specified IDs, overwriting any existing + tags. If the set of tags is the same as the existing tags, no + changes are made. + summary: Edit - Set (overwrite existing) tags for rules (idempotent) + value: + action: edit + edit: + - type: set_tags + value: + - tag-1 + - tag-2 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example13: + description: >- + The following request adds the index pattern "test-*" to the + rules with the specified IDs. If the index pattern already + exists for a rule, no changes are made. 
+ summary: Edit - Add index patterns to rules (idempotent) + value: + action: edit + edit: + - type: add_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example14: + description: >- + The following request removes the index pattern "test-*" from + the rules with the specified IDs. If the index pattern does + not exist for a rule, no changes are made. + summary: Edit - Remove index patterns from rules (idempotent) + value: + action: edit + edit: + - type: delete_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example15: + description: >- + The following request sets the index patterns "test-*" and + "prod-*" for the rules with the specified IDs, overwriting any + existing index patterns. If the set of index patterns is the + same as the existing index patterns, no changes are made. + summary: >- + Edit - Set (overwrite existing) index patterns for rules + patterns (idempotent) + value: + action: edit + edit: + - type: set_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example16: + description: >- + The following request adds investigation field to the rules + with the specified IDs. + summary: Edit - Add investigation field to rules + value: + action: edit + edit: + - type: add_investigation_fields + value: + field_names: + - alert.status + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example17: + description: >- + The following request deletes investigation fields from the + rules with the specified IDs. If the field does not exist for + a rule, no changes are made. 
+ summary: Edit - Delete investigation fields from rules (idempotent) + value: + action: edit + edit: + - type: delete_investigation_fields + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + value: + - field1 + - field2 + example18: + description: >- + The following request sets investigation fields for the rules + with the specified IDs, overwriting any existing investigation + fields. If the set of investigation fields is the same as the + existing investigation fields, no changes are made. + summary: >- + Edit - Set (overwrite existing) investigation fields for rules + (idempotent) + value: + action: edit + edit: + - type: set_investigation_fields + value: + - field1 + - field2 + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example19: + description: >- + The following request sets a timeline template for the rules + with the specified IDs. If the same timeline template is + already set for a rule, no changes are made. + summary: >- + Edit - Set (overwrite existing) timeline template for rules + (idempotent) + value: + action: edit + edit: + - type: set_timeline + value: + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + ids: + - eacdfc95-e007-41c9-986e-4b2cbdfdc71b + example20: + description: >- + The following request sets a schedule for the rules with the + specified IDs. If the same schedule is already set for a rule, + no changes are made. + summary: >- + Edit - Set (overwrite existing) schedule for rules + (idempotent) + value: + action: edit + edit: + - type: set_schedule + value: + interval: 1h + lookback: 30m + ids: + - 99887766-5544-3322-1100-aabbccddeeff + example21: + description: >- + The following request adds rule actions to the rules with the + specified IDs. Each new action receives its own unique ID. 
+ summary: Edit - Add rule actions to rules (non-idempotent) + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191928 + example22: + description: >- + The following request sets rule actions for the rules with the + specified IDs. Each action receives its own unique ID. + summary: >- + Edit - Set (overwrite existing) rule actions for rules + (non-idempotent) + value: + action: edit + edit: + - type: set_rule_actions + value: + actions: + - group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191928 + example23: + description: >- + The following request adds rule actions to the rules with the + specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a webhook connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example24: + description: >- + The following request adds rule actions to the rules with the + specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for an email connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + message: The message body + subject: Subject + to: address@domain.com + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example25: + description: >- + The following request adds rule actions to the rules with the + specified IDs. Each new action receives its own unique ID. 
+ summary: Edit - Add rule actions to rules for a slack connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + message: The content of the message + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example26: + description: >- + The following request adds rule actions to the rules with the + specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a PagerDuty connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + eventAction: trigger + severity: critical + summary: The message body + timestamp: 2023-10-31T00:00:00.000Z + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example27: + description: >- + The following request set alert suppression to the rules with + the specified IDs. + summary: Edit - Set alert suppression to rules (idempotent) + value: + action: edit + edit: + - type: set_alert_suppression + value: + duration: + unit: h + value: 1 + group_by: + - source.ip + missing_fields_strategy: suppress + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example28: + description: >- + The following request set alert suppression to threshold rules + with the specified IDs. + summary: Edit - Set alert suppression to threshold rules (idempotent) + value: + action: edit + edit: + - type: set_alert_suppression_for_threshold + value: + duration: + unit: h + value: 1 + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example29: + description: >- + The following request removes alert suppression from the rules + with the specified IDs. If the rules do not have alert + suppression, no changes are made. 
+ summary: Edit - Removes alert suppression from rules (idempotent) + value: + action: edit + edit: + - type: delete_alert_suppression + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example30: + description: >- + The following request triggers the filling of gaps for the + specified rule ids and time range + summary: >- + Fill Gaps - Manually trigger the filling of gaps for specified + rules + value: + action: fill_gaps + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + - 164d0918-f720-4c9f-9f5c-c5122587cf19 + run: + end_date: '2025-03-10T23:59:59.999Z' + start_date: '2025-03-01T00:00:00.000Z' + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' + - $ref: >- + #/components/schemas/Security_Detections_API_BulkDisableRules + - $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkExportRules' + - $ref: >- + #/components/schemas/Security_Detections_API_BulkDuplicateRules + - $ref: >- + #/components/schemas/Security_Detections_API_BulkManualRuleRun + - $ref: >- + #/components/schemas/Security_Detections_API_BulkManualRuleFillGaps + - $ref: '#/components/schemas/Security_Detections_API_BulkEditRules' + responses: + '200': + content: + application/json: + examples: + example01: + description: >- + In this response one rule was updated and one was skipped. + Objects returned in attributes.results.skipped will only + include rules' id, name, and skip_reason. 
+ summary: Successful response + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: 51658332-a15e-4c9e-912a-67214e2e2359 + name: Skipped rule + skip_reason: RULE_NOT_MODIFIED + updated: + - anomaly_threshold: 50 + author: + - Elastic + created_at: '2022-02-21T14:14:13.801Z' + created_by: elastic + description: >- + A machine learning job detected unusually large + numbers of DNS queries for a single top-level DNS + domain, which is often used for DNS tunneling. DNS + tunneling can be used for command-and-control, + persistence, or data exfiltration activity. For + example, dnscat tends to generate many DNS + questions for a top-level domain as it uses the + DNS protocol to tunnel data. + enabled: true + exceptions_list: [] + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: >- + This rule attempted to query data from + Elasticsearch indices listed in the "Index + pattern" section of the rule definition, but + no matching index was found. + metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: + - >- + DNS domains that use large numbers of child + domains, such as software or content + distribution networks, can trigger this alert + and such parent domains can be excluded. 
+ from: now-45m + id: 8bc7dad0-9320-11ec-9265-8b772383a08d + immutable: false + interval: 15m + license: Elastic License v2 + machine_learning_job_id: + - packetbeat_dns_tunneling_ea + max_signals: 100 + name: DNS Tunneling [Duplicate] + references: + - >- + https://www.elastic.co/docs/reference/machine-learning/ootb-ml-jobs-siem + related_integrations: [] + required_fields: [] + risk_score: 21 + risk_score_mapping: [] + rule_id: 7289bf08-4e91-4c70-bf01-e04c4c5d7756 + setup: '' + severity: low + severity_mapping: [] + tags: + - Elastic + - Network + - Threat Detection + - ML + threat: [] + to: now + type: machine_learning + updated_at: '2022-02-21T17:05:50.883Z' + updated_by: elastic + version: 6 + summary: + failed: 0 + skipped: 1 + succeeded: 1 + total: 2 + rules_count: 1 + success: true + example02: + description: >- + If processing of any rule fails, a partial error outputs the + ID and/or name of the affected rule and the corresponding + error, as well as successfully processed rules (in the same + format as a successful 200 request). + summary: Partial failure + value: + value: + attributes: + errors: + - message: >- + Index patterns can't be added. Machine learning + rule doesn't have index patterns property + rules: + - id: 8bc7dad0-9320-11ec-9265-8b772383a08d + name: DNS Tunneling [Duplicate] + status_code: 500 + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: [] + author: + - Elastic + created_at: '2022-02-21T14:14:17.883Z' + created_by: elastic + description: >- + Generates a detection alert for each external + alert written to the configured indices. + Enabling this rule allows you to immediately + begin investigating external alerts in the app. 
+ enabled: true + exceptions_list: [] + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: >- + This rule attempted to query data from + Elasticsearch indices listed in the "Index + pattern" section of the rule definition, but + no matching index was found. + metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: [] + from: now-6m + id: 8e5c1a40-9320-11ec-9265-8b772383a08d + immutable: false + index: + - apm-*-transaction* + - traces-apm* + - auditbeat-* + - filebeat-* + - logs-* + - packetbeat-* + - winlogbeat-* + - added-by-id-* + interval: 5m + language: kuery + license: Elastic License v2 + max_signals: 10000 + name: External Alerts [Duplicate] + query: > + event.kind:alert and not event.module:(endgame + or endpoint) + references: [] + related_integrations: [] + required_fields: [] + risk_score: 47 + risk_score_mapping: + - field: event.risk_score + operator: equals + value: '' + rule_id: 941faf98-0cdc-4569-b16d-4af962914d61 + rule_name_override: message + setup: '' + severity: medium + severity_mapping: + - field: event.severity + operator: equals + severity: low + value: '21' + - field: event.severity + operator: equals + severity: medium + value: '47' + - field: event.severity + operator: equals + severity: high + value: '73' + - field: event.severity + operator: equals + severity: critical + value: '99' + tags: + - Elastic + - Network + - Windows + - APM + - macOS + - Linux + threat: [] + timestamp_override: event.ingested + to: now + type: query + updated_at: '2022-02-21T16:56:22.818Z' + updated_by: elastic + version: 5 + summary: + failed: 1 + skipped: 0 + succeeded: 1 + total: 2 + message: Bulk edit partially failed + rules_count: 2 + status_code: 500 + success: false + example03: + description: >- + The attributes.errors section of the response shows that two + rules failed to update and one succeeded. 
The same results + would be returned if you ran the request without dry run + mode enabled. Notice that there are no arrays in + attributes.results. In dry run mode, rule updates are not + applied and saved to Elasticsearch, so the endpoint wouldn’t + return results for rules that have been updated, created, or + deleted. + summary: Dry run + value: + attributes: + errors: + - err_code: IMMUTABLE + message: Elastic rule can't be edited + rules: + - id: 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + name: Unusual AWS Command for a User + status_code: 500 + - err_code: MACHINE_LEARNING_INDEX_PATTERN + message: Machine learning rule doesn't have index patterns + rules: + - id: dc015d10-0831-11ed-ac8b-05a222bd8d4a + name: Suspicious Powershell Script [Duplicate] + status_code: 500 + results: + created: [] + deleted: [] + skipped: [] + updated: [] + summary: + failed: 2 + skipped: 0 + succeeded: 1 + total: 3 + message: Bulk edit partially failed + status_code: 500 + example04: + description: >- + This example presents the successful setting of tags for 2 + rules. There was a difference between the set of tags that + were being added and the tags that were already set in the + rules, that's why the rules were updated. 
+ summary: Set tags successsully for 2 rules + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: [] + author: [] + created_at: '2025-03-25T11:46:41.899Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-6m + id: 738112cd-6cfa-414a-8457-2a658845d6ba + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 5m + language: kuery + license: '' + max_signals: 100 + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Rule 1 + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 1 + risk_score: 21 + risk_score_mapping: [] + rule_id: 6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + threat: [] + to: now + type: query + updated_at: '2025-03-25T11:47:11.350Z' + updated_by: elastic + version: 2 + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - >- + Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 
3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Rule 2 + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 33 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T11:47:11.357Z' + updated_by: elastic + version: 24 + summary: + failed: 0 + skipped: 0 + succeeded: 2 + total: 2 + rules_count: 2 + success: true + example05: + description: >- + This example presents the idempotent behavior of the edit + action with set_tags request. Both rules already had exactly + the same tags that were being added, so no changes were made + in any of them. + summary: Idempotent behavior of set_tags + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + name: Rule 1 + skip_reason: RULE_NOT_MODIFIED + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + name: Rule 2 + skip_reason: RULE_NOT_MODIFIED + updated: [] + summary: + failed: 0 + skipped: 2 + succeeded: 0 + total: 2 + rules_count: 2 + success: true + example06: + description: >- + This example presents the idempotent behavior of the edit + action with add_tags request. One rule was updated and one + was skipped. The rule that was skipped already had all the + tags that were being added. 
+ summary: Idempotent behavior of add_tags + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + name: Test Rule 2 + skip_reason: RULE_NOT_MODIFIED + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - >- + Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 34 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + - tag-4 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T11:55:12.752Z' + updated_by: elastic + version: 25 + summary: + failed: 0 + skipped: 1 + succeeded: 1 + total: 2 + rules_count: 2 + success: true + example07: + description: >- + This example shows a non-idempotent nature of the + set_rule_actions requests. 
Regardless if the actions are the + same as the existing actions for a rule, the actions are + always set in the rule and receive a new unique ID. + summary: Non-idempotent behavior for set_rule_actions + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: e48428e5-efac-4856-b8ad-b271c14eaa91 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - >- + Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 39 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + - tag-4 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T12:17:40.528Z' + updated_by: elastic + version: 30 + summary: + failed: 0 + skipped: 0 + succeeded: 1 + total: 1 + rules_count: 1 + success: true + example08: + description: >- + This example shows a non-idempotent nature of the + add_rule_actions requests. 
Regardless if the added action is + the same as another existing action for a rule, the new + action is added to the rule and receives a new unique ID. + summary: Non-idempotent behavior for add_rule_actions + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 + params: + body: Message body + uuid: 0309347e-3954-429c-9168-5da2663389af + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 + params: + body: Message body + uuid: 49ddaa94-d63d-410e-90dc-8c1bad9552bd + author: [] + created_at: '2025-04-02T12:42:03.400Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-6m + id: 0d3eb0cd-88c4-4651-ac87-6d9f0cb87217 + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 5m + language: kuery + license: '' + max_signals: 100 + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Jacek test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 2 + risk_score: 21 + risk_score_mapping: [] + rule_id: 2684c020-1370-4719-ac27-eafe6428fe10 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: [] + threat: [] + to: now + type: query + updated_at: '2025-04-02T12:51:40.215Z' + updated_by: elastic + version: 2 + summary: + failed: 0 + skipped: 0 + succeeded: 1 + total: 1 + rules_count: 1 + success: true + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_BulkEditActionResponse + - $ref: >- + 
#/components/schemas/Security_Detections_API_BulkExportActionResponse + description: OK + summary: Apply a bulk action to detection rules + tags: + - Security Detections API + - Bulk API + /api/detection_engine/rules/_export: + post: + description: > + Export detection rules to an `.ndjson` file. The following configuration + items are also included in the `.ndjson` file: + + - Actions + + - Exception lists + + > info + + > Rule actions and connectors are included in the exported file, but + sensitive information about the connector (such as authentication + credentials) is not included. You must re-add missing connector details + after importing detection rules. + + + > You can use Kibana’s [Saved + Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) + UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs + (experimental) to + [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) + and + [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) + any necessary connectors before importing detection rules. + + + > Similarly, any value lists used for rule exceptions are not included + in rule exports or imports. Use the [Manage value + lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) + UI (Rules → Detection rules (SIEM) → Manage value lists) to export and + import value lists separately. + operationId: ExportRules + parameters: + - description: Determines whether a summary of the exported rules is returned. + in: query + name: exclude_export_details + required: false + schema: + default: false + type: boolean + - description: > + File name for saving the exported rules. + + > info + + > When using cURL to export rules to a file, use the -O and -J + options to save the rules to the file name specified in the URL. 
+ in: query + name: file_name + required: false + schema: + default: export.ndjson type: string - type: array - required: - - name - - privileges - APM_UI_agent_keys_response: - type: object - properties: - agentKey: - description: Agent key - type: object - properties: - api_key: - type: string - encoded: - type: string - expiration: - format: int64 - type: integer - id: - type: string - name: - type: string - required: - - id - - name - - api_key - - encoded - APM_UI_annotation_search_response: - type: object - properties: - annotations: - description: Annotations - items: - type: object - properties: - '@timestamp': - type: number - id: - type: string - text: - type: string - type: - enum: - - version + requestBody: + content: + application/json: + examples: + exportByRuleIds: + summary: Request body to export a subset of rules + value: + objects: + - rule_id: 343580b5-c811-447c-8d2d-2ccf052c6900 + - rule_id: 2938c9fa-53eb-4c04-b79c-33cbf041b18d + schema: + nullable: true + type: object + properties: + objects: + description: >- + Array of objects with a rule's `rule_id` field. Do not use + rule's `id` here. Exports all rules when unspecified. + items: + type: object + properties: + rule_id: + $ref: >- + #/components/schemas/Security_Detections_API_RuleSignatureId + required: + - rule_id + type: array + required: + - objects + required: false + responses: + '200': + content: + application/ndjson: + examples: + sampleNdjson: + value: > + {"rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900","name":"Example + rule","type":"query","enabled":true} + + {"exception_list":true} + + {"export_summary":{"total_rules":1,"exceptions_count":0}} + schema: + description: > + An `.ndjson` file containing the returned rules. + + + Each line in the file represents an object (a rule, exception + list parent container, or exception list item), and the last + line includes a summary of what was exported. 
+ format: binary type: string - type: array - APM_UI_base_source_map_object: - type: object - properties: - compressionAlgorithm: - description: Compression Algorithm - type: string - created: - description: Created date - type: string - decodedSha256: - description: Decoded SHA-256 - type: string - decodedSize: - description: Decoded size - type: number - encodedSha256: - description: Encoded SHA-256 - type: string - encodedSize: - description: Encoded size - type: number - encryptionAlgorithm: - description: Encryption Algorithm - type: string - id: - description: Identifier - type: string - identifier: - description: Identifier - type: string - packageName: - description: Package name - type: string - relative_url: - description: Relative URL - type: string - type: - description: Type - type: string - APM_UI_create_annotation_object: - type: object - properties: - '@timestamp': - description: The date and time of the annotation. It must be in ISO 8601 format. - type: string - message: - description: The message displayed in the annotation. It defaults to `service.version`. - type: string - service: - description: The service that identifies the configuration to create or update. - type: object - properties: - environment: - description: The environment of the service. - type: string - version: - description: The version of the service. + description: Indicates a successful call. + summary: Export detection rules + tags: + - Security Detections API + - Import/Export API + x-codeSamples: + - lang: cURL + source: > + curl -X POST + "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" + -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' + + { + "objects": [ + { + "rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900" + }, + { + "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d" + } + ] + } + /api/detection_engine/rules/_find: + get: + description: >- + Retrieve a paginated list of detection rules. 
By default, the first page + is returned, with 20 results per page. + operationId: FindRules + parameters: + - description: > + List of `alert.attributes` field names to return for each rule (for + example `name`, `enabled`). + + If omitted, the default field set is returned. Repeat the parameter + to pass multiple field names, or + + use comma-separated values when supported by your client. + in: query + name: fields + required: false + schema: + items: type: string - required: - - version - tags: - description: | - Tags are used by the Applications UI to distinguish APM annotations from other annotations. Tags may have additional functionality in future releases. It defaults to `[apm]`. While you can add additional tags, you cannot remove the `apm` tag. - items: + type: array + - description: > + Search query + + + Filters the returned results according to the value of the specified + field, using the alert.attributes.: syntax, + where can be: + + - name + + - enabled + + - tags + + - createdBy + + - interval + + - updatedBy + + > info + + > Even though the JSON rule object uses created_by and updated_by + fields, you must use createdBy and updatedBy fields in the filter. 
+ in: query + name: filter + required: false + schema: type: string - type: array - required: - - '@timestamp' - - service - APM_UI_create_annotation_response: - type: object - properties: - _id: - description: Identifier - type: string - _index: - description: Index - type: string - _source: - description: Response - type: object - properties: - '@timestamp': - type: string - annotation: + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_FindRulesSortField' + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Rules per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + - description: Gaps range start + in: query + name: gaps_range_start + required: false + schema: + type: string + - description: Gaps range end + in: query + name: gaps_range_end + required: false + schema: + type: string + - description: Gap fill statuses + in: query + name: gap_fill_statuses + required: false + schema: + items: + $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' + type: array + - description: >- + Gap auto fill scheduler ID used to determine gap fill status for + rules + in: query + name: gap_auto_fill_scheduler_id + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + example1: + value: + data: + - created_at: '2020-02-02T10:05:19.613Z' + created_by: elastic + description: >- + Identifies a PowerShell process launched by either + cscript.exe or wscript.exe. Observing Windows + scripting processes executing a PowerShell script, may + be indicative of malicious activity. 
+ enabled: false + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: >- + This rule attempted to query data from + Elasticsearch indices listed in the "Index + pattern" section of the rule definition, but no + matching index was found. + metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: [] + from: now-6m + id: 89761517-fdb0-4223-b67b-7621acc48f9e + immutable: true + index: + - winlogbeat-* + interval: 5m + language: kuery + max_signals: 33 + name: Windows Script Executing PowerShell + query: >- + event.action:"Process Create (rule: ProcessCreate)" + and process.parent.name:("wscript.exe" or + "cscript.exe") and process.name:"powershell.exe" + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: event.action + type: keyword + - ecs: true + name: process.name + type: keyword + - ecs: true + name: process.parent.name + type: keyword + risk_score: 21 + rule_id: f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc + setup: '' + severity: low + tags: + - Elastic + - Windows + threat: + - framework: MITRE ATT&CK + tactic: + id: TA0002 + name: Execution + reference: https://attack.mitre.org/tactics/TA0002/ + technique: + - id: T1193 + name: Spearphishing Attachment + reference: https://attack.mitre.org/techniques/T1193/ + to: now + type: query + updated_at: '2020-02-02T10:05:19.830Z' + updated_by: elastic + page: 1 + perPage: 5 + total: 4 + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RuleResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + warnings: + items: + $ref: >- + #/components/schemas/Security_Detections_API_WarningSchema + type: array + required: + - page + - perPage + - total + - data + description: > + Successful response + + > info + + > These fields are 
under development and their usage or schema may + change: execution_summary. + summary: List all detection rules + tags: + - Security Detections API + - Rules API + x-codeSamples: + - lang: cURL + source: > + curl -X GET + "localhost:5601/api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows" + -H 'kbn-xsrf: true' + /api/detection_engine/rules/_import: + post: + description: > + Import detection rules from an `.ndjson` file, including actions and + exception lists. The request must include: + + - The `Content-Type: multipart/form-data` HTTP header. + + - A link to the `.ndjson` file containing the rules. + + > warn + + > When used with [API + key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, + the user's key gets assigned to the affected rules. If the user's key + gets deleted or the user becomes inactive, the rules will stop running. + + + > If the API key that is used for authorization has different privileges + than the key that created or most recently updated the rule, the rule + behavior might change. + + > info + + > To import rules with actions, you need at least Read privileges for + the Action and Connectors feature. To overwrite or add new connectors, + you need All privileges for the Actions and Connectors feature. To + import rules without actions, you don’t need Actions and Connectors + privileges. Refer to [Enable and access + detections](https://www.elastic.co/docs/solutions/security/detect-and-alert/detections-privileges) + for more information. + + + > info + + > Rule actions and connectors are included in the exported file, but + sensitive information about the connector (such as authentication + credentials) is not included. You must re-add missing connector details + after importing detection rules. 
+ + + > You can use Kibana’s [Saved + Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) + UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs + (experimental) to + [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) + and + [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) + any necessary connectors before importing detection rules. + + + > Similarly, any value lists used for rule exceptions are not included + in rule exports or imports. Use the [Manage value + lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) + UI (Rules → Detection rules (SIEM) → Manage value lists) to export and + import value lists separately. + operationId: ImportRules + parameters: + - description: >- + Determines whether existing rules with the same `rule_id` are + overwritten. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean + - description: >- + Determines whether existing exception lists with the same `list_id` + are overwritten. Both the exception list container and its items are + overwritten. + in: query + name: overwrite_exceptions + required: false + schema: + default: false + type: boolean + - description: >- + Determines whether existing actions with the same + `kibana.alert.rule.actions.id` are overwritten. + in: query + name: overwrite_action_connectors + required: false + schema: + default: false + type: boolean + - description: Generates a new list ID for each imported exception list. + in: query + name: as_new_list + required: false + schema: + default: false + type: boolean + requestBody: + content: + multipart/form-data: + examples: + rulesFile: + summary: Multipart part containing a rule export + value: + file: rules_import.ndjson + schema: + type: object + properties: + file: + description: The `.ndjson` file containing the rules. 
+ format: binary + type: string + required: true + responses: + '200': + content: + application/json: + examples: + example1: + summary: Import rules with success + value: + errors: [] + exceptions_errors: [] + exceptions_success: true + exceptions_success_count: 0 + rules_count: 1 + success: true + success_count: 1 + schema: + additionalProperties: false + type: object + properties: + action_connectors_errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + action_connectors_success: + type: boolean + action_connectors_success_count: + minimum: 0 + type: integer + action_connectors_warnings: + items: + $ref: >- + #/components/schemas/Security_Detections_API_WarningSchema + type: array + errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + exceptions_errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + exceptions_success: + type: boolean + exceptions_success_count: + minimum: 0 + type: integer + rules_count: + minimum: 0 + type: integer + success: + type: boolean + success_count: + minimum: 0 + type: integer + required: + - exceptions_success + - exceptions_success_count + - exceptions_errors + - rules_count + - success + - success_count + - errors + - action_connectors_errors + - action_connectors_warnings + - action_connectors_success + - action_connectors_success_count + description: Indicates a successful call. + summary: Import detection rules + tags: + - Security Detections API + - Import/Export API + x-codeSamples: + - lang: cURL + source: | + curl -X POST "/api/detection_engine/rules/_import" + -u : -H 'kbn-xsrf: true' + -H 'Content-Type: multipart/form-data' + --form "file=@" + /api/detection_engine/rules/{id}/exceptions: + post: + description: Create exception items that apply to a single detection rule. 
+ operationId: CreateRuleExceptionListItems + parameters: + - description: Detection rule's identifier + examples: + id: + value: 330bdd28-eedf-40e1-bed0-f10176c7f9e0 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_RuleId' + requestBody: + content: + application/json: + examples: + addItems: + value: + items: + - description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple + schema: + example: + items: + - description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple + type: object + properties: + items: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps + type: array + required: + - items + description: Rule exception items. + required: true + responses: + '200': + content: + application/json: + examples: + ruleExceptionItems: + value: + - _version: WzQsMV0= + comments: [] + created_at: 2025-01-07T20:07:33.119Z + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: 2025-01-07T20:07:33.119Z + updated_by: elastic + schema: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItem + type: array + description: Successful response + '400': + content: + application/json: + examples: + badPayload: + value: + error: Bad Request + message: Invalid request payload JSON format + statusCode: 400 + badRequest: + value: + error: Bad Request + message: '[request params]: id: Invalid uuid' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + message: Unable to create exception-list + status_code: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + 
message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create rule exception items + tags: + - Security Exceptions API + /api/detection_engine/rules/preview: + post: + description: > + Simulates a detection rule using the same rule type and query logic as a + persisted rule, over a short + + time window, without persisting a rule or writing alerts. Use the + response to validate queries, see sample + + matching documents, and inspect execution logs. Pair `invocationCount` + and `timeframeEnd` to cap run time. + operationId: RulePreview + parameters: + - description: >- + Enables logging and returning in response ES queries, performed + during rule execution + in: query + name: enable_logged_requests + required: false + schema: + type: boolean + requestBody: + content: + application/json: + examples: + queryRule: + value: + description: Find matching events + from: now-24h + index: + - logs-* + invocationCount: 1 + language: kuery + max_signals: 20 + name: Rule preview + query: 'process.name : *' + risk_score: 25 + severity: low + timeframeEnd: '2025-01-20T12:00:00.000Z' + to: now + type: query + schema: + anyOf: + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_EqlRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_QueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + 
#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_EsqlRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + discriminator: + propertyName: type + description: > + Rule create payload (same shape as `POST /api/detection_engine/rules` + for a given `type`) plus + + `invocationCount` and `timeframeEnd` to control how the preview is + executed. Optional + + `enable_logged_requests` surfaces Elasticsearch request logging for + debugging. 
+ required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + isAborted: false + logs: + - duration: 45 + errors: [] + requests: [] + startedAt: 2025-01-20T10:00:00.000Z + warnings: [] + previewId: 7f1c9d1e-4c8a-4a3e-9a5d-0d4f6e1b2a90 + schema: + type: object + properties: + isAborted: + type: boolean + logs: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewLogs + type: array + previewId: + $ref: >- + #/components/schemas/Security_Detections_API_NonEmptyString + required: + - logs + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request body].timeframeEnd: expected string, received + null + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Preview rule alerts generated on specified time range + tags: + - Security Detections API + - Rule preview API + /api/detection_engine/signals/assignees: + post: + description: | + Assign users to detection alerts, and 
unassign them from alerts. + > info + > You cannot add and remove the same assignee in the same request. + operationId: SetAlertAssignees + requestBody: + content: + application/json: + examples: + add: + $ref: >- + #/components/examples/Security_Detections_API_SetAlertAssigneesBodyAdd + remove: + $ref: >- + #/components/examples/Security_Detections_API_SetAlertAssigneesBodyRemove + schema: + $ref: >- + #/components/schemas/Security_Detections_API_SetAlertAssigneesBody + description: User profile IDs to add or remove on each listed alert document ID. + required: true + responses: + '200': + content: + application/json: + examples: + add: + value: + batches: 1 + deleted: 0 + failures: [] + noops: 0 + requests_per_second: -1 + retries: + bulk: 0 + search: 0 + throttled_millis: 0 + throttled_until_millis: 0 + timed_out: false + took: 76 + total: 1 + updated: 1 + version_conflicts: 0 + schema: + additionalProperties: true + description: Elasticsearch update by query or update by IDs response + type: object + description: Indicates a successful call. 
+ '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request body].ids: at least one alert id is required to + update assignees + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [POST /api/detection_engine/signals/assignees] is + unauthorized for the current user, this action is granted + by the Kibana Security Solution privileges for cases and + detections + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Assign and unassign users from detection alerts + tags: + - Security Detections API + - Alerts API + /api/detection_engine/signals/search: + post: + description: Find and/or aggregate detection alerts that match the given query. 
+ operationId: SearchAlerts + requestBody: + content: + application/json: + examples: + query: + value: + aggs: + alertsByGrouping: + terms: + field: host.name + size: 10 + missingFields: + missing: + field: host.name + query: + bool: + filter: + - bool: + filter: + - match_phrase: + kibana.alert.workflow_status: open + must: [] + must_not: + - exists: + field: kibana.alert.building_block_type + should: [] + - range: + '@timestamp': + gte: 2025-01-17T08:00:00.000Z + lte: 2025-01-18T07:59:59.999Z + runtime_mappings: {} + size: 0 + schema: + $ref: >- + #/components/schemas/Security_Detections_API_QueryAlertsBodyParams + description: Elasticsearch query and aggregation request + description: Search and/or aggregation query + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + _shards: + failed: 0 + skipped: 0 + successful: 1 + total: 1 + aggregations: + alertsByGrouping: + buckets: + - doc_count: 5 + key: Host-f43kkddfyc + doc_count_error_upper_bound: 0 + sum_other_doc_count: 0 + missingFields: + doc_count: 0 + hits: + hits: [] + max_score: null + total: + relation: eq + value: 5 + timed_out: false + took: 0 + schema: + additionalProperties: true + description: Elasticsearch search response + type: object + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + Failed to parse search request: unknown query clause in + bool filter + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to 
authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Find and/or aggregate detection alerts + tags: + - Security Detections API + - Alerts API + /api/detection_engine/signals/status: + post: + description: Set the status of one or more detection alerts. + operationId: SetAlertsStatus + requestBody: + content: + application/json: + examples: + byId: + value: + signal_ids: + - >- + 80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1 + status: closed + byQuery: + value: + conflicts: proceed + query: + bool: + filter: + - '@timestamp': + format: strict_date_optional_time + gte: 2024-10-23T07:00:00.000Z + lte: 2025-01-21T20:12:11.704Z + range: null + - bool: + filter: + bool: + filter: + - match_phrase: + kibana.alert.workflow_status: open + - '@timestamp': + format: strict_date_optional_time + gte: 2024-10-23T07:00:00.000Z + lte: 2025-01-21T20:12:11.704Z + range: null + must: [] + must_not: + - exists: + field: kibana.alert.building_block_type + should: [] + must: [] + must_not: [] + should: [] + status: closed + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_SetAlertsStatusByIds + - $ref: >- + #/components/schemas/Security_Detections_API_SetAlertsStatusByQuery + description: >- + An object containing desired status and explicit alert ids or a query + to select alerts + required: true + responses: + '200': + content: + application/json: + examples: + byId: + value: + batches: 1 + deleted: 0 + failures: [] + noops: 0 + requests_per_second: -1 + retries: + bulk: 0 + search: 0 + 
throttled_millis: 0 + throttled_until_millis: 0 + timed_out: false + took: 81 + total: 1 + updated: 1 + version_conflicts: 0 + byQuery: + value: + batches: 1 + deleted: 0 + failures: [] + noops: 0 + requests_per_second: -1 + retries: + bulk: 0 + search: 0 + throttled_millis: 0 + throttled_until_millis: 0 + timed_out: false + took: 100 + total: 17 + updated: 17 + version_conflicts: 0 + schema: + additionalProperties: true + description: Elasticsearch update by query response + type: object + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request body].signal_ids: at least one alert id is + required to update status + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Set a detection alert status + tags: + - Security Detections API + - Alerts API + /api/detection_engine/signals/tags: + post: + description: > + Add tags to detection alerts, and remove them from alerts, by alert IDs + or a query, in a single request. 
+ + > info + + > You cannot add and remove the same alert tag in the same request. + operationId: SetAlertTags + requestBody: + content: + application/json: + examples: + add: + $ref: >- + #/components/examples/Security_Detections_API_SetAlertTagsBodyAdd + remove: + $ref: >- + #/components/examples/Security_Detections_API_SetAlertTagsBodyRemove + schema: + $ref: '#/components/schemas/Security_Detections_API_SetAlertTagsBody' + description: >- + An object containing tags to add or remove and alert ids the changes + will be applied + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + batches: 1, + deleted: 0, + failures: [] + noops: 0, + requests_per_second: '-1,' + retries: + bulk: 0, + search: 0 + throttled_millis: 0, + throttled_until_millis: 0, + timed_out: false, + took: 68, + total: 1, + updated: 1, + version_conflicts: 0, + schema: + additionalProperties: true + description: Elasticsearch update by query response + type: object + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request body].tags: cannot add and remove the same tag in + a single request + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + 
application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Add and remove detection alert tags + tags: + - Security Detections API + - Alerts API + /api/detection_engine/tags: + get: + description: List all unique tags from all detection rules. + operationId: ReadTags + responses: + '200': + content: + application/json: + examples: + example1: + value: + - zeek + - suricata + - windows + - linux + - network + - initial access + - remote access + - phishing + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + description: Indicates a successful call + summary: List all detection rule tags + tags: + - Security Detections API + - Tags API + /api/endpoint_list: + post: + description: >- + Create the exception list for Elastic Endpoint rule exceptions. When you + create the exception list, it will have a `list_id` of `endpoint_list`. + If the Elastic Endpoint exception list already exists, your request will + return an empty response. 
+ operationId: CreateEndpointList + responses: + '200': + content: + application/json: + examples: + alreadyExists: + summary: Endpoint exception list already exists (empty response) + value: {} + newList: + summary: Endpoint exception list created + value: + created_at: '2025-01-01T00:00:00.000Z' + created_by: elastic + description: Endpoint Security Exception List + id: 2e23a8c4-ef7e-4c10-adfa-3eae4e4b4b8b + immutable: false + list_id: endpoint_list + name: Endpoint Security Exception List + namespace_type: agnostic + os_types: [] + tags: [] + tie_breaker_id: e3c5a8e0-5b6a-4b4b-8b3a-2e23a8c4ef7e + type: endpoint + updated_at: '2025-01-01T00:00:00.000Z' + updated_by: elastic + version: 1 + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_EndpointList + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '500': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Create an Elastic Endpoint rule exception list + tags: + - Security Endpoint Exceptions API + /api/endpoint_list/items: + delete: + description: >- + Delete an Elastic Endpoint exception list item, specified by the `id` or + `item_id` field. 
+ operationId: DeleteEndpointListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + responses: + '200': + content: + application/json: + examples: + deleted: + summary: Deleted endpoint exception list item + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: >- + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: [] + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + 
application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item not found + '500': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Delete an Elastic Endpoint exception list item + tags: + - Security Endpoint Exceptions API + get: + description: >- + Get the details of an Elastic Endpoint exception list item, specified by + the `id` or `item_id` field. + operationId: ReadEndpointListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + responses: + '200': + content: + application/json: + examples: + item: + summary: Endpoint exception list item + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: >- + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: >- + 
#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item not found + '500': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Get an Elastic Endpoint rule exception list item + tags: + - Security Endpoint Exceptions API + post: + description: >- + Create an Elastic Endpoint exception list item, and associate it with + the Elastic Endpoint exception list. 
+ operationId: CreateEndpointListItem + requestBody: + content: + application/json: + examples: + matchAny: + summary: Exclude multiple process names + value: + description: Exclude common security tools from endpoint protection + entries: + - field: process.name + operator: included + type: match_any + value: + - scanner.exe + - updater.exe + name: Trusted security tools + os_types: + - windows + type: simple + simpleMatch: + summary: Block a specific file hash + value: + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: >- + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + name: Block malicious file + os_types: + - windows + tags: + - policy:all + type: simple + schema: type: object properties: - title: - type: string + comments: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray + item_id: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + meta: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName + os_types: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags + default: [] type: - type: string - event: - type: object - properties: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType + required: + - type + - name + - description + - entries + description: Exception list item's properties + required: true + responses: + '200': 
+ content: + application/json: + examples: created: - type: string - message: - type: string - service: + summary: Endpoint exception list item created + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: >- + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '409': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item already exists + '500': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Create an Elastic Endpoint rule exception list item + tags: + - Security Endpoint 
Exceptions API + put: + description: >- + Update an Elastic Endpoint exception list item, specified by the `id` or + `item_id` field. + operationId: UpdateEndpointListItem + requestBody: + content: + application/json: + examples: + updateName: + summary: Update an endpoint exception list item + value: + description: Updated description for the exception + entries: + - field: file.hash.sha256 + operator: included + type: match + value: >- + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + item_id: block-malicious-file + name: Block malicious file (updated) + os_types: + - windows + - linux + type: simple + schema: type: object properties: - environment: + _version: + description: >- + The version id, normally returned by the API when the item + is retrieved. Use it ensure updates are made against the + latest version. type: string + comments: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray + id: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId + description: Either `id` or `item_id` must be specified + item_id: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + description: Either `id` or `item_id` must be specified + meta: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta name: - type: string - version: - type: string - tags: - items: - type: string - type: array - APM_UI_delete_agent_configurations_response: - type: object - properties: - result: - description: Result - type: string - APM_UI_delete_service_object: - description: Service - type: object - properties: - service: - $ref: '#/components/schemas/APM_UI_service_object' - required: - - service - 
APM_UI_search_agent_configuration_object: - type: object - properties: - error: - description: | - If provided, the agent configuration will be marked as error and `applied_by_agent` will be set to `false`. - This is useful for cases where the agent configuration was not applied successfully. - type: string - etag: - description: If etags match then `applied_by_agent` field will be set to `true` - example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 - type: string - mark_as_applied_by_agent: - description: | - `markAsAppliedByAgent=true` means "force setting it to true regardless of etag". - This is needed for Jaeger agent that doesn't have etags - type: boolean - service: - $ref: '#/components/schemas/APM_UI_service_object' - required: - - service - APM_UI_search_agent_configuration_response: - type: object - properties: - _id: - description: Identifier - type: string - _index: - description: Index - type: string - _score: - description: Score - type: number - _source: - $ref: '#/components/schemas/APM_UI_agent_configuration_object' - APM_UI_service_agent_name_response: - type: object - properties: - agentName: - description: Agent name - example: nodejs - type: string - APM_UI_service_environment_object: - type: object - properties: - alreadyConfigured: - description: Already configured - type: boolean - name: - description: Service environment name - example: ALL_OPTION_VALUE - type: string - APM_UI_service_environments_response: - type: object - properties: - environments: - description: Service environment list - items: - $ref: '#/components/schemas/APM_UI_service_environment_object' - type: array - APM_UI_service_object: - description: Service - type: object - properties: - environment: - description: The environment of the service. - example: prod - type: string - name: - description: The name of the service. 
- example: node - type: string - APM_UI_settings_object: - additionalProperties: - type: string - description: Agent configuration settings - type: object - APM_UI_single_agent_configuration_response: - allOf: - - type: object - properties: - id: - type: string - required: - - id - - $ref: '#/components/schemas/APM_UI_agent_configuration_object' - APM_UI_source_maps_response: - type: object - properties: - artifacts: - description: Artifacts - items: - allOf: - - type: object - properties: - body: - type: object - properties: - bundleFilepath: - type: string - serviceName: - type: string - serviceVersion: - type: string - sourceMap: - type: object - properties: - file: - type: string - mappings: - type: string - sourceRoot: - type: string - sources: - items: - type: string - type: array - sourcesContent: - items: - type: string - type: array - version: - type: number - - $ref: '#/components/schemas/APM_UI_base_source_map_object' - type: array - APM_UI_upload_source_map_object: - type: object - properties: - bundle_filepath: - description: The absolute path of the final bundle as used in the web application. - type: string - service_name: - description: The name of the service that the service map should apply to. - type: string - service_version: - description: The version of the service that the service map should apply to. - type: string - sourcemap: - description: | - The source map. It can be a string or file upload. It must follow the - [source map format specification](https://tc39.es/ecma426/). 
- format: binary - type: string - required: - - service_name - - service_version - - bundle_filepath - - sourcemap - APM_UI_upload_source_maps_response: - allOf: - - type: object - properties: - body: - type: string - - $ref: '#/components/schemas/APM_UI_base_source_map_object' - Data_views_400_response: - title: Bad request - type: object - properties: - error: - example: Bad Request - type: string - message: - type: string - statusCode: - example: 400 - type: number - required: - - statusCode - - error - - message - Data_views_404_response: - type: object - properties: - error: - enum: - - Not Found - example: Not Found - type: string - message: - example: Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found - type: string - statusCode: - enum: - - 404 - example: 404 - type: integer - Data_views_allownoindex: - description: Allows the data view saved object to exist before the data is available. Defaults to `false`. - type: boolean - Data_views_create_data_view_request_object: - title: Create data view request - type: object - properties: - data_view: - description: The data view object. - type: object - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' - type: object - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - id: - type: string - name: - description: The data view name. 
- type: string - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - version: - type: string - required: - - title - override: - default: false - description: Override an existing data view if a data view with the provided title already exists. - type: boolean - required: - - data_view - Data_views_data_view_response_object: - title: Data view response properties - type: object - properties: - data_view: - type: object - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' - type: object - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - id: - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f - type: string - name: - description: The data view name. - type: string - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta_response' - version: - example: WzQ2LDJd - type: string - Data_views_fieldattrs: - description: A map of field attributes by field name. - type: object - properties: - count: - description: Popularity count for the field. 
- type: integer - customDescription: - description: Custom description for the field. - maxLength: 300 - type: string - customLabel: - description: Custom label for the field. - type: string - Data_views_fieldformats: - description: A map of field formats by field name. - type: object - Data_views_namespaces: - description: An array of space identifiers for sharing the data view between multiple spaces. - items: - default: default - type: string - type: array - Data_views_runtimefieldmap: - description: A map of runtime field definitions by field name. - type: object - properties: - script: - type: object - properties: - source: - description: Script for the runtime field. - type: string - type: - description: Mapping type of the runtime field. - type: string - required: - - script - - type - Data_views_sourcefilters: - description: The array of field names you want to filter out in Discover. - items: - type: object - properties: - value: - type: string - required: - - value - type: array - Data_views_swap_data_view_request_object: - title: Data view reference swap request - type: object - properties: - delete: - description: Deletes referenced saved object if all references are removed. - type: boolean - forId: - description: Limit the affected saved objects to one or more by identifier. - oneOf: - - type: string - - items: - type: string - type: array - forType: - description: Limit the affected saved objects by type. - type: string - fromId: - description: The saved object reference to change. - type: string - fromType: - description: | - Specify the type of the saved object reference to alter. The default value is `index-pattern` for data views. - type: string - toId: - description: New saved object reference value to replace the old value. - type: string - required: - - fromId - - toId - Data_views_timefieldname: - description: The timestamp field name, which you use for time-based data views. 
- type: string - Data_views_title: - description: Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (`*`). - type: string - Data_views_type: - description: When set to `rollup`, identifies the rollup data views. - type: string - Data_views_typemeta: - description: When you use rollup indices, contains the field list for the rollup data view API endpoints. - type: object - properties: - aggs: - description: A map of rollup restrictions by aggregation type and field name. - type: object - params: - description: Properties for retrieving rollup fields. - type: object - required: - - aggs - - params - Data_views_typemeta_response: - description: When you use rollup indices, contains the field list for the rollup data view API endpoints. - nullable: true - type: object - properties: - aggs: - description: A map of rollup restrictions by aggregation type and field name. - type: object - params: - description: Properties for retrieving rollup fields. - type: object - Data_views_update_data_view_request_object: - title: Update data view request - type: object - properties: - data_view: - description: | - The data view properties you want to update. Only the specified properties are updated in the data view. Unspecified fields stay as they are persisted. 
- type: object - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - name: - type: string - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - refresh_fields: - default: false - description: Reloads the data view fields after the data view is updated. - type: boolean - required: - - data_view - Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
+ $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName + os_types: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags + type: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType + required: + - type + - name + - description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + updated: + summary: Endpoint exception list item updated + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Updated description for the exception + entries: + - field: file.hash.sha256 + operator: included + type: match + value: >- + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file (updated) + namespace_type: agnostic + os_types: + - windows + - linux + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-15T09:30:00.000Z' + updated_by: elastic + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json: + schema: + $ref: >- + 
#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item not found + '500': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Update an Elastic Endpoint rule exception list item + tags: + - Security Endpoint Exceptions API + /api/endpoint_list/items/_find: + get: + description: Get a list of all Elastic Endpoint exception list items. + operationId: FindEndpointListItems + parameters: + - description: > + Filters the returned results according to the value of the specified + field, + + using the `:` syntax. + in: query + name: filter + required: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter + - description: The page number to return + in: query + name: page + required: false + schema: + minimum: 0 + type: integer + - description: The number of exception list items to return per page + in: query + name: per_page + required: false + schema: + minimum: 0 + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + responses: + '200': + content: + application/json: + examples: + foundItems: + summary: Found endpoint exception list items + value: + data: + - comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + 
operator: included + type: match + value: >- + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + page: 1 + per_page: 20 + total: 1 + schema: type: object properties: - query: - additionalProperties: false + data: + description: The list of endpoint exception list items. + items: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + type: array + page: + description: The current page number. + minimum: 0 + type: integer + per_page: + description: The number of items per page. + minimum: 0 + type: integer + pit: + description: The point-in-time ID for pagination. + type: string + total: + description: The total number of endpoint exception list items. 
+ minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list not found + '500': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Get Elastic Endpoint exception list items + tags: + - Security Endpoint Exceptions API + /api/endpoint/action: + get: + description: Get a list of all response actions. 
+ operationId: EndpointGetActionsList + parameters: + - in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + - in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' + - in: query + name: commands + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' + - in: query + name: agentIds + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + - in: query + name: userIds + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' + - in: query + name: startDate + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' + - in: query + name: endDate + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' + - in: query + name: agentTypes + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + - in: query + name: withOutputs + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' + - in: query + name: types + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse + description: Indicates a successful call. + summary: Get response actions + tags: + - Security Endpoint Management API + /api/endpoint/action_status: + get: + description: Get the status of response actions for the specified agent IDs. + operationId: EndpointGetActionsStatus + parameters: + - description: A list of agent IDs to get the action status for. 
+ in: query + name: agent_ids + required: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse + description: Indicates a successful call. + summary: Get response actions status + tags: + - Security Endpoint Management API + /api/endpoint/action/{action_id}: + get: + description: Get the details of a response action using the action ID. + operationId: EndpointGetActionsDetails + parameters: + - in: path + name: action_id + required: true + schema: + description: The ID of the action to retrieve. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + type: string + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ActionDetailsResponse + description: OK + summary: Get action details + tags: + - Security Endpoint Management API + /api/endpoint/action/{action_id}/file/{file_id}: + get: + description: | + Get information for the specified response action file download. + operationId: EndpointFileInfo + parameters: + - description: The ID of the response action that generated the file. + in: path + name: action_id + required: true + schema: + type: string + - description: > + The file identifier is constructed in one of two ways: + + - For Elastic Defend agents (`agentType` of `endpoint`): combine the + `action_id` and `agent_id` values using a dot (`.`) separator: + + `{file_id}` = `{action_id}.{agent_id}` + + - For all other agent types: the `file_id` is the `agent_id` for + which the response action was sent to. + in: path + name: file_id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + schema: + properties: + data: type: object properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). 
+ actionId: + description: The response action ID. type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). + agentId: + description: The agent ID that generated the file. type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). 
- type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + agentType: + description: The type of agent that generated the file. type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true + created: + description: The date and time the file was created. + format: date-time + type: string + id: + description: The unique file identifier. 
+ type: string + mimeType: + description: The MIME type of the file. + type: string + name: + description: The file name. + type: string + size: + description: The file size in bytes. + type: number + status: + description: The file upload status. + enum: + - AWAITING_UPLOAD + - UPLOADING + - READY + - UPLOAD_ERROR + - DELETED + type: string + description: Indicates a successful call. + summary: Get file information + tags: + - Security Endpoint Management API + /api/endpoint/action/{action_id}/file/{file_id}/download: + get: + description: > + Download a file associated with a response action. Files are downloaded + in a password-protected `.zip` archive to prevent the file from running. + Use password `elastic` to open the `.zip` in a safe environment. + + > info + + > Files retrieved from third-party-protected hosts require a different + password. Refer to [Third-party response + actions](https://www.elastic.co/docs/solutions/security/endpoint-response-actions/third-party-response-actions) + for your system's password. + operationId: EndpointFileDownload + parameters: + - description: The ID of the response action that generated the file. + in: path + name: action_id + required: true + schema: + type: string + - description: > + The file identifier is constructed in one of two ways: + + - For Elastic Defend agents (`agentType` of `endpoint`): combine the + `action_id` and `agent_id` values using a dot (`.`) separator: + + `{file_id}` = `{action_id}.{agent_id}` + + - For all other agent types: the `file_id` is the `agent_id` for + which the response action was sent to. + in: path + name: file_id + required: true + schema: + type: string + responses: + '200': + content: + application/octet-stream: + schema: + format: binary + type: string + description: Indicates a successful call. 
+ summary: Download a file + tags: + - Security Endpoint Management API + /api/endpoint/action/cancel: + post: + description: >- + Cancel a running or pending response action (Applies only to some agent + types). + operationId: CancelAction + requestBody: + content: + application/json: + examples: + MicrosoftDefenderEndpoint: + summary: >- + Cancel a response action on a Microsoft Defender for Endpoint + host + value: + agent_type: microsoft_defender_endpoint + comment: Cancelling action due to change in requirements + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_CancelRouteRequestBody + required: true + responses: + '200': + content: + application/json: + examples: + CancelSuccess: + summary: Cancel action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: microsoft_defender_endpoint + command: cancel + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse + description: Indicates a successful call. + summary: Cancel a response action + tags: + - Security Endpoint Management API + /api/endpoint/action/execute: + post: + description: Run a shell command on an endpoint. 
+ operationId: EndpointExecuteAction + requestBody: + content: + application/json: + examples: + executeCommand: + summary: Execute a shell command on an endpoint + value: + comment: Get list of all files + endpoint_ids: + - b3d6de74-36b0-4fa8-be46-c375bf1771bf + parameters: + command: ls -al + timeout: 600 + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody + required: true + responses: + '200': + content: + application/json: + examples: + ExecuteSuccess: + summary: Execute action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: execute + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 9f934028-2300-4927-b531-b26376793dc4 + isCompleted: false + isExpired: false + outputs: {} + parameters: + command: ls -al + timeout: 600 + startedAt: '2023-07-28T18:43:27.362Z' + status: pending + wasSuccessful: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse + description: Indicates a successful call. + summary: Run a command + tags: + - Security Endpoint Management API + /api/endpoint/action/get_file: + post: + description: Get a file from an endpoint. 
+ operationId: EndpointGetFileAction + requestBody: + content: + application/json: + examples: + getFile: + summary: Get a specific file from an endpoint + value: + comment: Get my file + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody + required: true + responses: + '200': + content: + application/json: + examples: + GetFileSuccess: + summary: Get file action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: get-file + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse + description: Indicates a successful call. + summary: Get a file + tags: + - Security Endpoint Management API + /api/endpoint/action/isolate: + post: + description: >- + Isolate an endpoint from the network. The endpoint remains isolated + until it's released. 
+ operationId: EndpointIsolateAction + requestBody: + content: + application/json: + examples: + multiple_endpoints: + summary: Isolates several hosts; includes a comment + value: + comment: Locked down, pending further investigation + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + single_endpoint: + summary: >- + Isolates a single host with an endpoint_id value of + ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + with_case_id: + summary: Isolates a single host with a case_id value of 1234 + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Isolating as initial response + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e + schema: + type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_AgentTypes + alert_ids: + description: >- + If this action is associated with any alerts, they can be + specified here. The action will be logged in any cases + associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 + items: + minLength: 1 type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. 
- type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: + maxItems: 50 + minItems: 1 + type: array + case_ids: + description: >- + The IDs of cases where the action taken will be logged. Max + of 50. + example: + - case-id-1 + - case-id-2 + items: + minLength: 1 type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false + maxItems: 50 + minItems: 1 + type: array + comment: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_Parameters + required: + - endpoint_ids + required: true + responses: + '200': + content: + application/json: + examples: + IsolateSuccess: + summary: Isolate action successfully created + value: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: isolate + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} 
+ startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse + description: Indicates a successful call. + summary: Isolate an endpoint + tags: + - Security Endpoint Management API + /api/endpoint/action/kill_process: + post: + description: Terminate a running process on an endpoint. + operationId: EndpointKillProcessAction + requestBody: + content: + application/json: + examples: + byEntityId: + summary: Terminate a process by entity ID + value: + comment: Terminating malicious process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + byPid: + summary: Terminate a process by PID + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + pid: 1234 + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody + required: true + responses: + '200': + content: + application/json: + examples: + KillProcessSuccess: + summary: Kill process action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: kill-process + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse + description: Indicates a successful call. + summary: Terminate a process + tags: + - Security Endpoint Management API + /api/endpoint/action/memory_dump: + post: + description: Generates memory dumps on the targeted host. 
+ operationId: EndpointGenerateMemoryDump + requestBody: + content: + application/json: + examples: + ProcessMemoryDump: + summary: Generate a memory dump from the host machine + value: + agent_type: endpoint + comment: Generating memory dump for investigation + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + type: process + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_MemoryDumpRouteRequestBody + required: true + responses: + '200': + content: + application/json: + examples: + MemoryDumpSuccessResponse: + summary: Memory dump action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: memory-dump + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + entity_id: abc123 + type: process + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse + description: Indicates a successful call. + summary: Generate a memory dump from the host machine + tags: + - Security Endpoint Management API + /api/endpoint/action/running_procs: + post: + description: Get a list of all processes running on an endpoint. 
+ operationId: EndpointGetProcessesAction + requestBody: + content: + application/json: + examples: + singleEndpoint: + summary: Get running processes on a single endpoint + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody + required: true + responses: + '200': + content: + application/json: + examples: + RunningProcsSuccess: + summary: Running processes action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: running-processes + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse + description: Indicates a successful call. + summary: Get running processes + tags: + - Security Endpoint Management API + /api/endpoint/action/runscript: + post: + description: Run a script on a host. Currently supported only for some agent types. 
+ operationId: RunScriptAction + requestBody: + content: + application/json: + examples: + MDE: + description: Microsoft Defender Endpoint runscript + summary: Run a script against a Microsoft Defender Endpoint agent + value: + agent_type: microsoft_defender_endpoint + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + args: '-param1 value1 -param2 value2' + scriptName: my-script.ps1 + SentinelOne: + description: SentinelOne runscript + summary: Run a script against a SentinelOne agent + value: + agent_type: sentinel_one + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 + scriptInput: >- + --delete --paths-to-delete + /tmp/temp_file.txt,/tmp/random_file.txt + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_RunScriptRouteRequestBody + required: true + responses: + '200': + content: + application/json: + examples: + RunScriptSuccess: + summary: Run script action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: sentinel_one + command: runscript + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse + description: Indicates a successful call. + summary: Run a script + tags: + - Security Endpoint Management API + /api/endpoint/action/scan: + post: + description: Scan a specific file or directory on an endpoint for malware. 
+ operationId: EndpointScanAction + requestBody: + content: + application/json: + examples: + scanFile: + summary: Scan a file on an endpoint + value: + comment: Scan the file for malware + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody + required: true + responses: + '200': + content: + application/json: + examples: + ScanSuccess: + summary: Scan action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: scan + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse + description: Indicates a successful call. + summary: Scan a file or directory + tags: + - Security Endpoint Management API + /api/endpoint/action/state: + get: + description: >- + Get a response actions state, which reports whether encryption is + enabled. + operationId: EndpointGetActionsState + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse + description: OK + summary: Get actions state + tags: + - Security Endpoint Management API + /api/endpoint/action/suspend_process: + post: + description: Suspend a running process on an endpoint. 
+ operationId: EndpointSuspendProcessAction + requestBody: + content: + application/json: + examples: + byEntityId: + summary: Suspend a process by entity ID + value: + comment: Suspending suspicious process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + byPid: + summary: Suspend a process by PID + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + pid: 1234 + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody + required: true + responses: + '200': + content: + application/json: + examples: + SuspendProcessSuccess: + summary: Suspend process action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: suspend-process + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse + description: Indicates a successful call. + summary: Suspend a process + tags: + - Security Endpoint Management API + /api/endpoint/action/unisolate: + post: + description: Release an isolated endpoint, allowing it to rejoin a network. 
+ operationId: EndpointUnisolateAction + requestBody: + content: + application/json: + examples: + multipleHosts: + summary: 'Releases several hosts; includes a comment:' + value: + comment: Benign process identified, releasing group + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + singleHost: + summary: >- + Releases a single host with an endpoint_id value of + ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + withCaseId: + summary: Releases hosts with an associated case; includes a comment. + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Remediation complete, restoring network + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e + schema: type: object properties: - blob: - maxLength: 10000 - type: string + agent_type: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_AgentTypes + alert_ids: + description: >- + If this action is associated with any alerts, they can be + specified here. The action will be logged in any cases + associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + case_ids: + description: >- + The IDs of cases where the action taken will be logged. Max + of 50. + example: + - case-id-1 + - case-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + comment: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_Parameters required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the APM anomaly rule. These parameters are appropriate when `rule_type_id` is `apm.anomaly"`. - properties: - anomalyDetectorTypes: - description: The types of anomalies that are detected. For example, detect abnormal latency, throughput, or failed transaction rates. - items: - enum: - - txLatency - - txThroughput - - txFailureRate - type: string - minItems: 1 - type: array - anomalySeverityType: - description: 'The severity of anomalies that result in an alert: critical, major, minor, or warning.' - enum: - - critical - - major - - minor - - warning - type: string - environment: - description: The environment from APM. - type: string - serviceName: - description: The service name from APM. - type: string - transactionType: - description: The transaction type from APM. - type: string - windowSize: - description: The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. - type: number - windowUnit: - description: 'The type of units for the time window: minutes, hours, or days.' - type: string - required: - - windowSize - - windowUnit - - environment - - anomalySeverityType - title: APM Anomaly Rule Params - type: object - rule_type_id: - enum: - - apm.anomaly - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. 
- items: + - endpoint_ids + required: true + responses: + '200': + content: + application/json: + examples: + UnisolateSuccess: + summary: Unisolate action successfully created + value: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: unisolate + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse + description: Indicates a successful call. + summary: Release an isolated endpoint + tags: + - Security Endpoint Management API + /api/endpoint/action/upload: + post: + description: Upload a file to an endpoint. 
+ operationId: EndpointUploadAction + requestBody: + content: + multipart/form-data: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody + required: true + responses: + '200': + content: + application/json: + examples: + UploadSuccess: + summary: Upload action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: upload + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: Host-5i6cuc8kdv + id: 9ff6aebc-2cb6-481e-8869-9b30036c9731 + isCompleted: false + isExpired: false + outputs: {} + parameters: + file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280 + file_name: fix-malware.sh + file_sha256: >- + a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a + file_size: 69 + startedAt: '2023-07-03T15:07:22.837Z' + status: pending + wasSuccessful: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse + description: Indicates a successful call. + summary: Upload a file + tags: + - Security Endpoint Management API + /api/endpoint/metadata: + get: + description: Get a list of all endpoint host metadata. 
+ operationId: GetEndpointMetadataList + parameters: + - in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + - in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' + - in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' + - in: query + name: hostStatuses + required: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_HostStatuses' + - in: query + name: sortField + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SortField' + - in: query + name: sortDirection + required: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SortDirection + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_MetadataListResponse + description: Indicates a successful call. + summary: Get a metadata list + tags: + - Security Endpoint Management API + /api/endpoint/metadata/{id}: + get: + description: Get host metadata for a specific endpoint. + operationId: GetEndpointMetadata + parameters: + - description: The agent ID of the endpoint. + in: path + name: id + required: true + schema: + example: ed518850-681a-4d60-bb98-e22640cae2a8 type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: APM anomaly - type: object - Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. 
- type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointMetadataResponse + description: Indicates a successful call. + summary: Get metadata + tags: + - Security Endpoint Management API + /api/endpoint/policy_response: + get: + description: Get the most recent policy response for an endpoint. + operationId: GetPolicyResponse + parameters: + - description: The agent ID to retrieve the policy response for. + in: query + name: agentId + required: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse + description: Indicates a successful call. 
+ summary: Get a policy response + tags: + - Security Endpoint Management API + /api/endpoint/protection_updates_note/{package_policy_id}: + get: + description: Get the protection updates note for a package policy. + operationId: GetProtectionUpdatesNote + parameters: + - description: The package policy ID to retrieve the protection updates note for. + in: path + name: package_policy_id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse + description: Indicates a successful call. + summary: Get a protection updates note + tags: + - Security Endpoint Management API + post: + description: Create or update the protection updates note for a package policy. + operationId: CreateUpdateProtectionUpdatesNote + parameters: + - description: >- + The package policy ID to create or update the protection updates + note for. + in: path + name: package_policy_id + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + type: object + properties: + note: + description: The note content. + type: string + required: true + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse + description: Indicates a successful call. + summary: Create or update a protection updates note + tags: + - Security Endpoint Management API + /api/entity_analytics/monitoring/engine/delete: + delete: + description: >- + Deletes the Privilege Monitoring Engine and optionally removes all + associated privileged user data. 
+ operationId: DeleteMonitoringEngine + parameters: + - description: Whether to delete all the privileged user data + in: query + name: data + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + DeleteMonitoringEngineResponse: + summary: Engine deleted successfully + value: + deleted: true + schema: type: object properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. + deleted: type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). 
Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. 
- nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the error count rule. These parameters are appropriate when `rule_type_id` is `apm.error_rate`. - properties: - environment: - description: Filter the errors coming from your application to apply the rule to a specific environment. 
- type: string - errorGroupingKey: - description: Filter the errors coming from your application to apply the rule to a specific error grouping key, which is a hash of the stack trace and other properties. - type: string - groupBy: - items: - description: Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group. - type: string - type: array - searchConfiguration: - additionalProperties: false - type: object - properties: - query: - additionalProperties: false - type: object - properties: - language: - type: string - query: - anyOf: - - type: string - - additionalProperties: - nullable: true - type: object - required: - - query - - language - required: - - query - serviceName: - description: Filter the errors coming from your application to apply the rule to a specific service. - type: string - threshold: - description: The number of errors, which is the threshold for alerts. - type: number - useKqlFilter: - description: A filter in Kibana Query Language (KQL) that limits the scope of the rule. - type: boolean - windowSize: - description: The time frame in which the errors must occur (in `windowUnit` units). Generally it should be a value higher than the rule check interval to avoid gaps in detection. - type: number - windowUnit: - description: 'The type of units for the time window: minutes, hours, or days.' - type: string - required: - - windowSize - - windowUnit - - threshold - - environment - title: Error Count Rule Params - type: object - rule_type_id: - enum: - - apm.error_rate - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. 
- items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Error rate - type: object - Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + - deleted + description: Successful response + summary: Delete the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + /api/entity_analytics/monitoring/engine/disable: + post: + description: >- + Disables the Privilege Monitoring Engine, stopping all monitoring + activity without removing data. 
+ operationId: DisableMonitoringEngine + responses: + '200': + content: + application/json: + examples: + DisableMonitoringEngineResponse: + summary: Engine disabled successfully + value: + status: disabled + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor + description: Successful response + summary: Disable the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + /api/entity_analytics/monitoring/engine/init: + post: + description: >- + Initializes the Privilege Monitoring Engine, setting up the required + resources and starting the engine. + operationId: InitMonitoringEngine + responses: + '200': + content: + application/json: + examples: + InitMonitoringEngineResponse: + summary: Engine initialized successfully + value: + status: started + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor + description: Successful response + '500': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor + description: Internal Server Error + summary: Initialize the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + /api/entity_analytics/monitoring/engine/schedule_now: + post: + description: >- + Schedules the Privilege Monitoring Engine to run as soon as possible, + triggering an immediate monitoring cycle. 
+ operationId: ScheduleMonitoringEngine + responses: + '200': + content: + application/json: + examples: + ScheduleMonitoringEngineResponse: + summary: Engine scheduled successfully + value: + success: true + schema: type: object properties: - query: - additionalProperties: false + success: + description: Indicates the scheduling was successful + type: boolean + description: Successful response + '409': + content: + application/json: + schema: + type: object + properties: + message: + description: Error message indicating the engine is already running + type: string + description: Conflict - Monitoring engine is already running + summary: Schedule the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + /api/entity_analytics/monitoring/privileges/health: + get: + description: >- + Returns the current health status of the Privilege Monitoring Engine, + including engine status, error details, and user count statistics. + operationId: PrivMonHealth + responses: + '200': + content: + application/json: + examples: + PrivMonHealthResponse: + summary: Healthy privilege monitoring engine + value: + status: started + users: + current_count: 42 + max_allowed: 1000 + schema: + type: object + properties: + error: type: object properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. 
- enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). + message: type: string required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. + - status + status: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus + users: + description: User statistics for privilege monitoring type: object properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. 
- type: string + current_count: + description: Current number of privileged users being monitored + type: integer + max_allowed: + description: >- + Maximum number of privileged users allowed to be + monitored + type: integer required: - - days - - hours - - timezone - frequency: - additionalProperties: false + - current_count + - max_allowed + required: + - status + description: Successful response + summary: Health check on Privilege Monitoring + tags: + - Security Entity Analytics API + /api/entity_analytics/monitoring/privileges/privileges: + get: + description: >- + Check if the current user has all required permissions for Privilege + Monitoring + operationId: PrivMonPrivileges + responses: + '200': + content: + application/json: + example: + has_all_required: true + privileges: + elasticsearch: + index: + .entity_analytics.monitoring.user-default: + read: true + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EntityAnalyticsPrivileges + description: Successful response + summary: Run a privileges check on Privilege Monitoring + tags: + - Security Entity Analytics API + /api/entity_analytics/monitoring/users: + post: + description: >- + Creates a new privileged user to be monitored by the Privilege + Monitoring Engine. 
+ operationId: CreatePrivMonUser + requestBody: + content: + application/json: + examples: + CreatePrivMonUserRequest: + summary: Create a monitored user + value: + entity_analytics_monitoring: + labels: + - field: department + source: api + value: IT + user: + name: john.doe + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_UserName' + required: true + responses: + '200': + content: + application/json: + examples: + CreatePrivMonUserResponse: + summary: Created monitored user + value: + '@timestamp': '2026-01-28T12:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: api + value: IT + event: + ingested: '2026-01-28T12:00:00.000Z' + id: user-abc-123 + user: + is_privileged: true + name: john.doe + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc + description: User created successfully + summary: Create a new monitored user + tags: + - Security Entity Analytics API + /api/entity_analytics/monitoring/users/_csv: + post: + description: >- + Bulk upserts privileged users by uploading a CSV file. Returns per-row + errors and aggregate upload statistics. + operationId: PrivmonBulkUploadUsersCSV + requestBody: + content: + multipart/form-data: + schema: + type: object + properties: + file: + description: The CSV file to upload. + format: binary + type: string + required: + - file + responses: + '200': + content: + application/json: + schema: + example: + errors: + - index: 1 + message: Invalid monitored field + username: john.doe + stats: + failedOperations: 1 + successfulOperations: 1 + totalOperations: 2 + uploaded: 1 type: object properties: - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. + errors: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem + type: array + stats: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadStats + required: + - errors + - stats + description: Bulk upload successful + '413': + description: File too large + summary: Upsert multiple monitored users via CSV upload + tags: + - Security Entity Analytics API + /api/entity_analytics/monitoring/users/{id}: + delete: + description: Removes a privileged user from monitoring by their document ID. + operationId: DeletePrivMonUser + parameters: + - in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + DeletePrivMonUserResponse: + summary: User deleted successfully + value: + acknowledged: true + message: User deleted successfully + schema: + type: object + properties: + acknowledged: + description: Indicates if the deletion was successful type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. 
It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true + message: + description: >- + A message providing additional information about the + deletion status type: string required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + - success + description: User deleted successfully + summary: Delete a monitored user + tags: + - Security Entity Analytics API + put: + description: >- + Updates the details of an existing monitored privileged user by their + document ID. 
+ operationId: UpdatePrivMonUser + parameters: + - in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + UpdatePrivMonUserRequest: + summary: Update a monitored user + value: + entity_analytics_monitoring: + labels: + - field: department + source: api + value: Security + user: + is_privileged: true + name: john.doe + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc + required: true + responses: + '200': + content: + application/json: + examples: + UpdatePrivMonUserResponse: + summary: Updated monitored user + value: + '@timestamp': '2026-01-28T12:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: api + value: Security + event: + ingested: '2026-01-28T12:00:00.000Z' + id: user-abc-123 + user: + is_privileged: true + name: john.doe + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc + description: User updated successfully + summary: Update a monitored user + tags: + - Security Entity Analytics API + /api/entity_analytics/monitoring/users/list: + get: + description: >- + Returns a list of all privileged users currently being monitored. + Supports optional KQL filtering. 
+ operationId: ListPrivMonUsers + parameters: + - description: KQL query to filter the list of monitored users + in: query + name: kql + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + ListPrivMonUsersResponse: + summary: List of monitored users + value: + - '@timestamp': '2026-01-28T12:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: api + value: IT + event: + ingested: '2026-01-28T12:00:00.000Z' + id: user-abc-123 + user: + is_privileged: true + name: john.doe + - '@timestamp': '2026-01-15T09:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: csv + value: Security + event: + ingested: '2026-01-15T09:00:00.000Z' + id: user-def-456 + user: + is_privileged: true + name: jane.smith + schema: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc + type: array + description: List of monitored users + summary: List all monitored users + tags: + - Security Entity Analytics API + /api/entity_analytics/privileged_user_monitoring/pad/install: + post: + description: >- + Installs the privileged access detection integration package and sets up + the associated ML modules required for the Entity Analytics privileged + user monitoring experience. + operationId: InstallPrivilegedAccessDetectionPackage + responses: + '200': + content: + application/json: + examples: + InstallPrivilegedAccessDetectionPackageResponse: + summary: Package installed successfully + value: + message: Privileged access detection package installed successfully + schema: type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. 
- type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false + properties: + message: + type: string + required: + - message + description: Successful response + summary: >- + Installs the privileged access detection package for the Entity + Analytics privileged user monitoring experience + tags: + - Security Entity Analytics API + /api/entity_analytics/privileged_user_monitoring/pad/status: + get: + description: >- + Returns the installation and ML module setup status of the privileged + access detection package, along with the state of each associated ML + job. 
+ operationId: GetPrivilegedAccessDetectionPackageStatus + responses: + '200': + content: + application/json: + examples: + GetPrivilegedAccessDetectionPackageStatusResponse: + summary: Package fully installed and running + value: + jobs: + - description: Detects high-risk login patterns + job_id: pad-high-risk-login + state: opened + - description: Detects privilege escalation events + job_id: pad-privilege-escalation + state: opened + ml_module_setup_status: complete + package_installation_status: complete + schema: type: object properties: - id: + jobs: + items: + type: object + properties: + description: + type: string + job_id: + type: string + state: + enum: + - closing + - closed + - opened + - failed + - opening + type: string + required: + - job_id + - state + type: array + ml_module_setup_status: + enum: + - complete + - incomplete + type: string + package_installation_status: + enum: + - complete + - incomplete type: string required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. 
- type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the transaction duration rule. These parameters are appropriate when `rule_type_id` is `apm.transaction_duration`. - properties: - aggregationType: - description: The type of aggregation to perform. - enum: - - avg - - 95th - - 99th - type: string - environment: - description: Filter the rule to apply to a specific environment. - type: string - groupBy: - items: - description: Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group. 
- type: string - type: array - searchConfiguration: - additionalProperties: false + - package_installation_status + - ml_module_setup_status + - jobs + description: Privileged access detection status retrieved + summary: >- + Gets the status of the privileged access detection package for the + Entity Analytics privileged user monitoring experience + tags: + - Security Entity Analytics API + /api/entity_analytics/watchlists: + post: + description: >- + Creates a new entity analytics watchlist with an optional set of entity + sources. Watchlists apply a risk score modifier to matched entities. + operationId: CreateWatchlist + requestBody: + content: + application/json: + examples: + CreateWatchlistRequest: + summary: Create watchlist request + value: + description: High risk vendor watchlist + managed: false + name: High Risk Vendors + riskModifier: 1.5 + CreateWatchlistWithSourcesRequest: + summary: Create watchlist with entity sources + value: + description: High risk vendor watchlist + entitySources: + - enabled: true + identifierField: user.name + indexPattern: my-sync-index + name: My User Index Source + type: index + managed: false + name: High Risk Vendors + riskModifier: 1.5 + schema: type: object properties: - query: - additionalProperties: false - type: object - properties: - language: - type: string - query: - anyOf: - - type: string - - additionalProperties: - nullable: true - type: object - required: - - query - - language - required: - - query - serviceName: - description: Filter the rule to apply to a specific service. - type: string - threshold: - description: The latency threshold value. - type: number - transactionName: - description: Filter the rule to apply to a specific transaction name. - type: string - transactionType: - description: Filter the rule to apply to a specific transaction type. - type: string - useKqlFilter: - description: A Kibana Query Language (KQL) expression thats limits the scope of alerts. 
- type: boolean - windowSize: - description: The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. - type: number - windowUnit: - description: 'The type of units for the time window. For example: minutes, hours, or days.' - type: string - required: - - windowSize - - windowUnit - - threshold - - aggregationType - - environment - title: Transaction Duration Rule Params - type: object - rule_type_id: - enum: - - apm.transaction_duration - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Transaction duration - type: object - Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. 
If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: + description: + description: Description of the watchlist + type: string + entitySources: + description: Optional entity sources to create and link to the watchlist + items: additionalProperties: false type: object properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + enabled: + type: boolean + filter: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_Filter + identifierField: + description: >- + Field used to query the entity store for index-type + sources type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). + indexPattern: type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. 
For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + integrationName: + description: >- + Required when type is entity_analytics_integration. + One of entityanalytics_okta, entityanalytics_ad. + type: string + matchers: items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_Matcher type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + name: + type: string + queryRule: + description: >- + KQL query used to filter data from the provided index + patterns type: string + range: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_DateRange + type: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EntitySourceType required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. 
NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. 
- type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 + - type + - name + type: array + managed: + description: Indicates if the watchlist is managed by the system + type: boolean + name: + description: Unique name for the watchlist type: string + riskModifier: + description: Risk score modifier associated with the watchlist + maximum: 2 + minimum: 0 + type: number required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. 
- maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the transaction error rate rule. These parameters are appropriate when `rule_type_id` is `apm.transaction_error_rate`. 
- properties: - environment: - type: string - groupBy: - items: - type: string - type: array - searchConfiguration: - additionalProperties: false - type: object - properties: - query: - additionalProperties: false - type: object - properties: - language: - type: string - query: - anyOf: - - type: string - - additionalProperties: - nullable: true - type: object - required: - - query - - language - required: - - query - serviceName: - type: string - threshold: - type: number - transactionName: - type: string - transactionType: - type: string - useKqlFilter: - type: boolean - windowSize: - type: number - windowUnit: - type: string - required: - - windowSize - - windowUnit - - threshold - - environment - title: Transaction Error Rate Rule Params - type: object - rule_type_id: - enum: - - apm.transaction_error_rate - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. 
- items: + - name + - riskModifier + required: true + responses: + '200': + content: + application/json: + examples: + CreateWatchlistResponse: + summary: Created watchlist + value: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-01-28T12:00:00.000Z' + schema: + allOf: + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_WatchlistObject + - type: object + properties: + entitySources: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySource + type: array + description: Watchlist created successfully + summary: Create a new watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview + /api/entity_analytics/watchlists/{id}: + get: + description: >- + Retrieves the details of an entity analytics watchlist by its unique + identifier. + operationId: GetWatchlist + parameters: + - description: Unique ID of the watchlist + in: path + name: id + required: true + schema: type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Transaction error rate - type: object - Kibana_HTTP_APIs_ClassicFieldDefinition: - additionalProperties: - $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinitionConfig' - type: object - Kibana_HTTP_APIs_ClassicFieldDefinitionConfig: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' - - anyOf: - - additionalProperties: false + responses: + '200': + content: + application/json: + examples: + GetWatchlistResponse: + summary: Watchlist details + value: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_WatchlistObject + description: Watchlist details + summary: Get a watchlist by ID + tags: + - Security Entity Analytics API + x-state: Technical Preview + put: + description: >- + Updates the name, description, risk modifier, or managed status of an + existing entity analytics watchlist. + operationId: UpdateWatchlist + parameters: + - description: The ID of the watchlist to update + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + UpdateWatchlistRequest: + summary: Update watchlist request + value: + description: High risk vendor watchlist + managed: false + name: High Risk Vendors + riskModifier: 1.5 + schema: type: object properties: description: + description: Description of the watchlist type: string - format: - description: A non-empty string. 
- minLength: 1 - type: string - type: - enum: - - keyword - - match_only_text - - long - - double - - date - - boolean - - ip - - geo_point - - integer - - short - - byte - - float - - half_float - - text - - wildcard - - version - - unsigned_long - - date_nanos + managed: + description: Indicates if the watchlist is managed by the system + type: boolean + name: + description: Unique name of the watchlist type: string + riskModifier: + description: Risk score modifier associated with the watchlist + maximum: 2 + minimum: 0 + type: number required: - - type - - additionalProperties: false + - name + - riskModifier + required: true + responses: + '200': + content: + application/json: + examples: + UpdateWatchlistResponse: + summary: Updated watchlist + value: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_WatchlistObject + description: Watchlist updated successfully + summary: Update an existing watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview + /api/entity_analytics/watchlists/{watchlist_id}/csv_upload: + post: + description: > + Uploads a CSV file to add entities to a watchlist. The CSV must contain + a header row + + with a "type" column (user, host, service, or generic) and one or more + ECS identity + + fields (e.g. "user.name", "host.hostname") used to match entities in the + entity store. + + + Matched entities are added to the watchlist and their + `entity.attributes.watchlists` + + field is updated in the entity store. + + + Each row will match up to 10,000 entities. 
+ operationId: UploadWatchlistCsv + parameters: + - description: The ID of the watchlist to add entities to + example: high-risk-vendors + in: path + name: watchlist_id + required: true + schema: + type: string + requestBody: + content: + multipart/form-data: + examples: + csvUpload: + summary: CSV file with user entities + value: + file: | + type,user.name + user,john.doe + user,jane.smith + schema: type: object properties: - description: - type: string - type: - enum: - - system + file: + description: The CSV file to upload. + format: binary type: string required: - - type - Kibana_HTTP_APIs_ClassicStreamUpsertRequest: - additionalProperties: false - type: object - properties: - dashboards: - items: + - file + required: true + responses: + '200': + content: + application/json: + examples: + CsvUploadResponse: + summary: CSV upload response with mixed results + value: + failed: 1 + items: + - matchedEntities: 1 + status: success + - error: Invalid entity type + matchedEntities: 0 + status: failure + - matchedEntities: 0 + status: unmatched + successful: 1 + total: 3 + unmatched: 1 + schema: + type: object + properties: + failed: + description: Number of rows that failed to process + example: 1 + type: integer + items: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem + type: array + successful: + description: Number of rows that matched at least one entity + example: 1 + type: integer + total: + description: Total number of rows processed + example: 3 + type: integer + unmatched: + description: Number of rows that matched no entities + example: 1 + type: integer + required: + - successful + - failed + - total + - unmatched + - items + description: Upload successful + '413': + description: File too large + summary: Upload a CSV file to add entities to a watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview + /api/entity_analytics/watchlists/{watchlist_id}/entities/assign: + post: + 
description: > + Assigns the provided entities to the specified watchlist using a + "manual" source label. + + The entities must already exist in the entity store. + + + If an entity is already on the watchlist, no new document is created — + the "manual" label + + is added to its existing source labels instead. + operationId: AssignWatchlistEntities + parameters: + - description: The ID of the watchlist to add entities to + example: high-risk-vendors + in: path + name: watchlist_id + required: true + schema: type: string - type: array - queries: - items: - type: object - properties: - description: - type: string - esql: + requestBody: + content: + application/json: + examples: + assignEntities: + summary: Assign two entities to a watchlist + value: + euids: + - user:john.doe + - host:web-01 + schema: + type: object + properties: + euids: + description: The EUIDs of the entities to assign + example: + - user:john.doe + - host:web-01 + items: + type: string + type: array + required: + - euids + required: true + responses: + '200': + content: + application/json: + examples: + assignEntitiesResponse: + summary: Successful assignment of two entities + value: + failed: 0 + items: + - euid: user:john.doe + status: success + - euid: host:web-01 + status: not_found + not_found: 1 + successful: 1 + total: 2 + schema: type: object properties: - query: - type: string + failed: + description: Number of entities that failed to process + example: 0 + type: integer + items: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem + type: array + not_found: + description: Number of entities not found in the entity store + example: 1 + type: integer + successful: + description: Number of entities successfully assigned + example: 1 + type: integer + total: + description: Total number of entities processed + example: 2 + type: integer required: - - query - evidence: - items: - type: string - type: array - id: - description: A 
non-empty string. - minLength: 1 - type: string - severity_score: - type: number - title: - description: A non-empty string. - minLength: 1 - type: string - type: - default: match - enum: - - match - - stats - type: string - required: - - id - - title - - description - - esql - type: array - rules: - items: + - successful + - failed + - not_found + - total + - items + description: Assignment successful + summary: Manually assign entities to a watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview; added in 9.4.0 + /api/entity_analytics/watchlists/{watchlist_id}/entities/unassign: + post: + description: | + Unassigns the provided entities from the specified watchlist. + This only removes the "manual" assignment. If the entity is also + assigned via other sources (for example, index or integration), it will + remain on the watchlist. + operationId: UnassignWatchlistEntities + parameters: + - description: The ID of the watchlist to remove entities from + example: high-risk-vendors + in: path + name: watchlist_id + required: true + schema: type: string - type: array - stream: - additionalProperties: false - type: object - properties: - description: - type: string - ingest: - additionalProperties: false + requestBody: + content: + application/json: + examples: + unassignEntities: + summary: Unassign two entities from a watchlist + value: + euids: + - user:john.doe + - host:web-01 + schema: type: object properties: - classic: - additionalProperties: false - type: object - properties: - field_overrides: - $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinition' - failure_store: - $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' - lifecycle: - $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' - processing: - additionalProperties: false - type: object - properties: - steps: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' - type: array - updated_at: {} - required: - - steps - settings: 
- additionalProperties: false - type: object - properties: - index.number_of_replicas: - additionalProperties: false - type: object - properties: - value: - type: number - required: - - value - index.number_of_shards: - additionalProperties: false - type: object - properties: - value: - type: number - required: - - value - index.refresh_interval: - additionalProperties: false - type: object - properties: - value: - anyOf: - - type: string - - enum: - - -1 - type: number - required: - - value + euids: + description: The EUIDs of the entities to unassign + example: + - user:john.doe + - host:web-01 + items: + type: string + type: array required: - - lifecycle - - processing - - settings - - failure_store - - classic - query_streams: - items: + - euids + required: true + responses: + '200': + content: + application/json: + examples: + unassignEntitiesResponse: + summary: Successful unassignment of two entities + value: + failed: 0 + items: + - euid: user:john.doe + status: success + - euid: host:web-01 + status: not_found + not_found: 1 + successful: 1 + total: 2 + schema: type: object properties: - name: - type: string + failed: + description: Number of entities that failed to process + example: 0 + type: integer + items: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem + type: array + not_found: + description: >- + Number of entities not found in the manual watchlist + assignment + example: 1 + type: integer + successful: + description: Number of entities successfully unassigned + example: 1 + type: integer + total: + description: Total number of entities processed + example: 2 + type: integer required: - - name - type: array - type: - enum: - - classic - type: string - required: - - description - - ingest - - type - required: - - dashboards - - rules - - queries - - stream - Kibana_HTTP_APIs_Condition: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_FilterCondition' - - additionalProperties: 
false - description: A logical AND that groups multiple conditions. - type: object - properties: - and: - description: An array of conditions. All sub-conditions must be true for this condition to be true. - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - type: array - required: - - and - - additionalProperties: false - description: A logical OR that groups multiple conditions. - type: object - properties: - or: - description: An array of conditions. At least one sub-condition must be true for this condition to be true. - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - type: array - required: - - or - - additionalProperties: false - description: A logical NOT that negates a condition. - type: object - properties: - not: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: A condition that negates another condition. - required: - - not - - additionalProperties: false - description: A condition that always evaluates to false. - type: object - properties: - never: - additionalProperties: false - description: An empty object. This condition never matches. - type: object - properties: {} - required: - - never - - additionalProperties: false - description: A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered. - type: object - properties: - always: - additionalProperties: false - description: An empty object. This condition always matches. - type: object - properties: {} - required: - - always - description: The root condition object. It can be a simple filter or a combination of other conditions. 
- Kibana_HTTP_APIs_ConditionWithSteps: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - - additionalProperties: false - type: object - properties: - else: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' - type: array - steps: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' - type: array - required: - - steps - Kibana_HTTP_APIs_ContentPackIncludedObjects: - anyOf: - - additionalProperties: false - type: object - properties: - objects: - additionalProperties: false - type: object - properties: - all: - additionalProperties: false - type: object - properties: {} - required: - - all - required: - - objects - - additionalProperties: false - type: object - properties: - objects: - additionalProperties: false + - successful + - failed + - not_found + - total + - items + description: Unassignment successful + summary: Manually unassign entities from a watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview; added in 9.4.0 + /api/entity_analytics/watchlists/list: + get: + description: Returns a list of all entity analytics watchlists. 
+ operationId: ListWatchlists + responses: + '200': + content: + application/json: + examples: + ListWatchlistsResponse: + summary: List of watchlists + value: + - createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + - createdAt: '2026-01-10T09:30:00.000Z' + description: Privileged user monitoring watchlist + id: watchlist-456 + managed: true + name: Privileged Accounts + riskModifier: 2 + updatedAt: '2026-02-01T15:45:00.000Z' + schema: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_WatchlistObject + type: array + description: List of watchlists + summary: List all watchlists + tags: + - Security Entity Analytics API + x-state: Technical Preview + /api/entity_store/enable: + post: + description: >- + Initialize the entire Entity Store, creating engines for all or + specified entity types. + operationId: InitEntityStore + requestBody: + content: + application/json: + schema: type: object properties: - mappings: - type: boolean - queries: - items: - type: object - properties: - id: - type: string - required: - - id - type: array - routing: + delay: + default: 1m + description: The delay before the transform will run. + pattern: '[smdh]$' + type: string + docsPerSecond: + default: -1 + description: The number of documents per second to process. 
+ type: integer + enrichPolicyExecutionInterval: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' + entityTypes: items: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_ContentPackIncludedObjects' - - type: object - properties: - destination: - type: string - required: - - destination + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EntityType type: array - required: - - mappings - - queries - - routing - required: - - objects - Kibana_HTTP_APIs_core_status_redactedResponse: - additionalProperties: false - description: A minimal representation of Kibana's operational status. - properties: - status: - additionalProperties: false - type: object - properties: - overall: - additionalProperties: false + fieldHistoryLength: + default: 10 + description: The number of historical values to keep for each field. + type: integer + filter: + type: string + frequency: + default: 1m + description: The frequency at which the transform will run. + pattern: '[smdh]$' + type: string + indexPattern: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_IndexPattern + lookbackPeriod: + default: 3h + description: >- + The amount of time the transform looks back to calculate the + aggregations. + pattern: '[smdh]$' + type: string + maxPageSearchSize: + default: 500 + description: >- + The initial page size to use for the composite aggregation + of each checkpoint. + type: integer + timeout: + default: 180s + description: The timeout for initializing the aggregating transform. + pattern: '[smdh]$' + type: string + timestampField: + default: '@timestamp' + description: The field to use as the timestamp. + type: string + description: Configuration for the entity store initialization. + required: true + responses: + '200': + content: + application/json: + examples: + initEntityStoreExample: + description: >- + The Entity Store was successfully initialized, creating host + and user engines in the installing state. 
+ summary: Entity Store initialized with host and user engines + value: + engines: + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: installing + timeout: 180s + timestampField: '@timestamp' + type: host + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: installing + timeout: 180s + timestampField: '@timestamp' + type: user + succeeded: true + schema: + type: object + properties: + engines: + description: The engine descriptors created during initialization. + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor + type: array + succeeded: + description: Whether the Entity Store was initialized successfully. + type: boolean + description: Successful response + '400': + description: Invalid request + summary: Initialize the Entity Store + tags: + - Security Entity Analytics API + /api/entity_store/engines: + delete: + operationId: DeleteEntityEngines + parameters: + - description: >- + The entity type of the engine ('user', 'host', 'service', + 'generic'). + examples: + hostAndService: + value: host,service + in: query + name: entityTypes + required: false + schema: + description: >- + Array of engine types to delete. Empty by default, which results + in all the engines being deleted. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + - description: Control flag to also delete the entity data. + in: query + name: delete_data + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteEntityEnginesExample: + description: Example response after deleting 'host' engine + value: + deleted: + - host + still_running: + - generic + - user + - service + schema: + type: object + properties: + deleted: + description: Entity types whose engines were successfully deleted. 
+ items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EntityType + type: array + still_running: + description: Entity types whose engines are still running. + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EntityType + type: array + description: Successful response + summary: Delete Entity Engines + tags: + - Security Entity Analytics API + get: + description: Get a list of all installed entity engines and their current status. + operationId: ListEntityEngines + responses: + '200': + content: + application/json: + examples: + listEntityEnginesExample: + description: >- + Returns a list with one running host engine and one stopped + user engine. + summary: Two engines installed + value: + count: 2 + engines: + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: host + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: stopped + timeout: 180s + timestampField: '@timestamp' + type: user + schema: + type: object + properties: + count: + description: The total number of entity engines. + type: integer + engines: + description: An array of engine descriptors. + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor + type: array + description: Successful response + summary: List the Entity Engines + tags: + - Security Entity Analytics API + /api/entity_store/engines/{entityType}: + delete: + operationId: DeleteEntityEngine + parameters: + - description: The entity type of the engine (either 'user' or 'host'). + examples: + host: + value: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + - description: Control flag to also delete the entity data. 
+ in: query + name: delete_data + required: false + schema: + type: boolean + - deprecated: true + description: Control flag to also delete the entity data. + in: query + name: data + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteEntityEngineExample: + description: Example response after deleting 'host' engine + value: + deleted: true + schema: + type: object + properties: + deleted: + description: Whether the engine was successfully deleted. + type: boolean + description: Successful response + summary: Delete the Entity Engine + tags: + - Security Entity Analytics API + get: + description: >- + Get the engine descriptor for a specific entity type, including its + configuration and current status. + operationId: GetEntityEngine + parameters: + - description: The entity type of the engine. + example: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + responses: + '200': + content: + application/json: + examples: + getEntityEngineExample: + description: >- + Returns the engine descriptor for a host engine that is + currently running with default settings. + summary: A running host engine + value: + delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: host + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor + description: Successful response + summary: Get an Entity Engine + tags: + - Security Entity Analytics API + /api/entity_store/engines/{entityType}/init: + post: + description: Initialize a single entity engine for the specified entity type. + operationId: InitEntityEngine + parameters: + - description: The entity type of the engine. 
+ in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + requestBody: + content: + application/json: + schema: type: object properties: - level: - description: Service status levels as human and machine readable values. - enum: - - available - - degraded - - unavailable - - critical + delay: + default: 1m + description: The delay before the transform will run. + pattern: '[smdh]$' type: string - required: - - level - required: - - overall - required: - - status - title: core_status_redactedResponse - type: object - Kibana_HTTP_APIs_core_status_response: - additionalProperties: false - description: Kibana's operational status as well as a detailed breakdown of plugin statuses indication of various loads (like event loop utilization and network traffic) at time of request. - properties: - metrics: - additionalProperties: false - description: Metric groups collected by Kibana. - type: object - properties: - collection_interval_in_millis: - description: The interval at which metrics should be collected. - type: number - elasticsearch_client: - additionalProperties: false - description: Current network metrics of Kibana's Elasticsearch client. - type: object - properties: - totalActiveSockets: - description: Count of network sockets currently in use. - type: number - totalIdleSockets: - description: Count of network sockets currently idle. - type: number - totalQueuedRequests: - description: Count of requests not yet assigned to sockets. - type: number - required: - - totalActiveSockets - - totalIdleSockets - - totalQueuedRequests - last_updated: - description: The time metrics were collected. - type: string - required: - - elasticsearch_client - - last_updated - - collection_interval_in_millis - name: - description: Kibana instance name. 
- type: string - status: - additionalProperties: false - type: object - properties: - core: - additionalProperties: false - description: Statuses of core Kibana services. - type: object - properties: - elasticsearch: - additionalProperties: false - type: object - properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: Service status levels as human and machine readable values. - enum: - - available - - degraded - - unavailable - - critical - type: string - meta: - additionalProperties: - nullable: true - description: An unstructured set of extra metadata about this service. - type: object - summary: - description: A human readable summary of the service status. - type: string - required: - - level - - summary - - meta - http: - additionalProperties: false - type: object - properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: Service status levels as human and machine readable values. - enum: - - available - - degraded - - unavailable - - critical - type: string - meta: - additionalProperties: - nullable: true - description: An unstructured set of extra metadata about this service. - type: object - summary: - description: A human readable summary of the service status. - type: string - required: - - level - - summary - - meta - savedObjects: - additionalProperties: false - type: object - properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: Service status levels as human and machine readable values. 
- enum: - - available - - degraded - - unavailable - - critical - type: string - meta: - additionalProperties: - nullable: true - description: An unstructured set of extra metadata about this service. - type: object - summary: - description: A human readable summary of the service status. - type: string - required: - - level - - summary - - meta - required: - - elasticsearch - - savedObjects - overall: - additionalProperties: false - type: object - properties: - detail: - description: Human readable detail of the service status. + docsPerSecond: + default: -1 + description: The number of documents per second to process. + type: integer + enrichPolicyExecutionInterval: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' + fieldHistoryLength: + default: 10 + description: The number of historical values to keep for each field. + type: integer + filter: type: string - documentationUrl: - description: A URL to further documentation regarding this service. + frequency: + default: 1m + description: The frequency at which the transform will run. + pattern: '[smdh]$' type: string - level: - description: Service status levels as human and machine readable values. - enum: - - available - - degraded - - unavailable - - critical + indexPattern: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_IndexPattern + lookbackPeriod: + default: 3h + description: >- + The amount of time the transform looks back to calculate the + aggregations. + pattern: '[smdh]$' type: string - meta: - additionalProperties: - nullable: true - description: An unstructured set of extra metadata about this service. - type: object - summary: - description: A human readable summary of the service status. + maxPageSearchSize: + default: 500 + description: >- + The initial page size to use for the composite aggregation + of each checkpoint. + type: integer + timeout: + default: 180s + description: The timeout for initializing the aggregating transform. 
+ pattern: '[smdh]$' type: string - required: - - level - - summary - - meta - plugins: - additionalProperties: - additionalProperties: false - type: object - properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: Service status levels as human and machine readable values. - enum: - - available - - degraded - - unavailable - - critical - type: string - meta: - additionalProperties: - nullable: true - description: An unstructured set of extra metadata about this service. - type: object - summary: - description: A human readable summary of the service status. - type: string - required: - - level - - summary - - meta - description: A dynamic mapping of plugin ID to plugin status. - type: object - required: - - overall - - core - - plugins - uuid: - description: Unique, generated Kibana instance UUID. This UUID should persist even if the Kibana process restarts. - type: string - version: - additionalProperties: false - type: object - properties: - build_date: - description: The date and time of this build. - type: string - build_flavor: - description: The build flavour determines configuration and behavior of Kibana. On premise users will almost always run the "traditional" flavour, while other flavours are reserved for Elastic-specific use cases. - enum: - - serverless - - traditional - type: string - build_hash: - description: A unique hash value representing the git commit of this Kibana build. - type: string - build_number: - description: A monotonically increasing number, each subsequent build will have a higher number. - type: number - build_snapshot: - description: Whether this build is a snapshot build. - type: boolean - number: - description: A semantic version number. 
- type: string - required: - - number - - build_hash - - build_number - - build_snapshot - - build_flavor - - build_date - required: - - name - - uuid - - version - - status - - metrics - title: core_status_response - type: object - Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). 
- type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false + timestampField: + default: '@timestamp' + description: The field to use as the timestamp for the entity type. + type: string + description: Schema for the engine initialization + required: true + responses: + '200': + content: + application/json: + examples: + initEntityEngineExample: + description: >- + A host engine was successfully initialized and is now in the + installing state. 
+ summary: Host engine initialized + value: + delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 3h + status: installing + timeout: 180s + timestampField: '@timestamp' + type: host + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor + description: Successful response + '400': + description: Invalid request + summary: Initialize an Entity Engine + tags: + - Security Entity Analytics API + /api/entity_store/engines/{entityType}/start: + post: + description: >- + Start a previously stopped entity engine, resuming transform processing + for the given entity type. + operationId: StartEntityEngine + parameters: + - description: The entity type of the engine to start. + example: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + responses: + '200': + content: + application/json: + examples: + startEntityEngineExample: + description: >- + The engine was successfully started and is now processing + data. + summary: Engine started successfully + value: + started: true + schema: type: object properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. + started: + description: Whether the engine was successfully started. type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. 
- type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false + description: Successful response + summary: Start an Entity Engine + tags: + - Security Entity Analytics API + /api/entity_store/engines/{entityType}/stop: + post: + description: >- + Stop a running entity engine, pausing transform processing for the given + entity type. + operationId: StopEntityEngine + parameters: + - description: The entity type of the engine to stop. + example: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + responses: + '200': + content: + application/json: + examples: + stopEntityEngineExample: + description: >- + The engine was successfully stopped and is no longer + processing data. + summary: Engine stopped successfully + value: + stopped: true + schema: type: object properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. 
- type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the degraded docs rule. These parameters are appropriate when `rule_type_id` is `datasetQuality.degradedDocs`. 
- properties: - comparator: - type: string - groupBy: - items: - type: string - type: array - searchConfiguration: - additionalProperties: false - type: object - properties: - index: - type: string - required: - - index - threshold: - items: - type: number - type: array - timeSize: - type: number - timeUnit: - type: string - required: - - timeUnit - - timeSize - - threshold - - comparator - - searchConfiguration - title: Degraded Docs Rule Params - type: object - rule_type_id: - enum: - - datasetQuality.degradedDocs - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Degraded docs - type: object - Kibana_HTTP_APIs_es-query-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs. + stopped: + description: Whether the engine was successfully stopped. + type: boolean + description: Successful response + summary: Stop an Entity Engine + tags: + - Security Entity Analytics API + /api/entity_store/engines/apply_dataview_indices: + post: + description: >- + Synchronize data view index patterns to all running entity engines so + that newly added indices are picked up by the transforms. + operationId: ApplyEntityEngineDataviewIndices + responses: + '200': + content: + application/json: + examples: + applyDataviewIndicesExample: + description: >- + All running engines were successfully updated with the + current data view index patterns. + summary: All engines updated + value: + result: + - changes: + indexPatterns: + - logs-* + - filebeat-* + - auditbeat-* + type: host + - changes: + indexPatterns: + - logs-* + - filebeat-* + - auditbeat-* + type: user + success: true + schema: type: object properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. 
- nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false + result: + description: Per-engine update results. + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult + type: array + success: + description: Whether all engines updated successfully. + type: boolean + description: Successful response + '207': + content: + application/json: + examples: + partialSuccessExample: + description: >- + The host engine was updated but the user engine failed due + to insufficient privileges. 
+ summary: One engine failed + value: + errors: + - 'Failed to update user engine: insufficient privileges' + result: + - changes: + indexPatterns: + - logs-* + - filebeat-* + type: host + success: false + schema: type: object properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. + errors: + description: Error messages for engines that failed to update. + items: + type: string + type: array + result: + description: Per-engine update results for engines that succeeded. + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult + type: array + success: + description: Always `false` for a partial success. type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false + description: Partial successful response + '500': + content: + application/json: + examples: + serverErrorExample: + description: >- + An unexpected error occurred while applying data view + indices. + summary: Internal server error + value: + body: An internal error occurred while updating engine indices + statusCode: 500 + schema: type: object properties: - id: + body: + description: Error message. type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false + statusCode: + description: HTTP status code. 
+ type: number + description: Error response + summary: Apply DataView indices to all installed engines + tags: + - Security Entity Analytics API + /api/entity_store/entities/{entityType}: + delete: + description: > + Delete a single entity in Entity Store. + + The entity will be immediately deleted from the latest index. It will + remain available in historical snapshots if it has been snapshotted. + The delete operation does not prevent the entity from being recreated if + it is observed again in the future. + operationId: DeleteSingleEntity + parameters: + - example: user + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + requestBody: + content: + application/json: + schema: type: object properties: - blob: - maxLength: 10000 + id: + description: >- + Identifier of the entity to be deleted, commonly entity.id + value. + example: arn:aws:iam::123456789012:user/jane.doe type: string required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. 
- maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the ES query rule. These parameters are appropriate when `rule_type_id` is `.es-query`. - properties: - aggField: - description: The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`. - minLength: 1 - type: string - aggType: - default: count - description: The type of aggregation to perform. - type: string - esqlQuery: - anyOf: - - items: {} - type: array - - type: boolean - - type: number - - type: object - - type: string - description: The query definition in Elasticsearch Query Language. 
- nullable: true - oneOf: - - additionalProperties: false - type: object - properties: - esql: - minLength: 1 - type: string - required: - - esql - - not: {} - esQuery: - anyOf: - - items: {} - type: array - - type: boolean - - type: number - - type: object - - type: string - nullable: true - oneOf: - - minLength: 1 - type: string - - not: {} - excludeHitsFromPreviousRun: - default: true - description: Indicates whether to exclude matches from previous runs. If `true`, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified. - type: boolean - groupBy: - default: all - description: Indicates whether the aggregation is applied over all documents (`all`), grouped by row (`row`), or split into groups (`top`) using a grouping field (`termField`) where only the top groups (up to `termSize` number of groups) are checked. If grouping is used, an alert will be created for each group when it exceeds the threshold. - type: string - index: - anyOf: - - items: {} - type: array - - type: boolean - - type: number - - type: object - - type: string - description: The indices to query. - nullable: true - oneOf: - - items: - minLength: 1 - type: string - minItems: 1 - type: array - - not: {} - searchConfiguration: - anyOf: - - items: {} - type: array - - type: boolean - - type: number - - type: object - - type: string - description: The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch. - nullable: true - oneOf: - - additionalProperties: true - type: object - properties: {} - - not: {} - searchType: - default: esQuery - description: 'The type of query For example: `esQuery` for Elasticsearch Query DSL or `esqlQuery` for Elasticsearch Query Language (ES|QL).' 
- enum: - - searchSource - - esQuery - - esqlQuery - type: string - size: - description: The number of documents to pass to the configured actions when the threshold condition is met. - maximum: 10000 - minimum: 0 - type: number - sourceFields: - description: The sourceFields param is ignored. - items: - additionalProperties: false + - id + description: Schema for the deleting entity + required: true + responses: + '200': + content: + application/json: + examples: + deleteEntityExample: + description: >- + The entity was found and successfully removed from the + latest index. + summary: Entity deleted + value: + deleted: true + schema: type: object properties: - label: - type: string - searchPath: - type: string - required: - - label - - searchPath - maxItems: 5 - type: array - termField: - anyOf: - - minLength: 1 - type: string - - items: - type: string - maxItems: 4 - minItems: 2 - type: array - description: The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`. - termSize: - description: This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields. - minimum: 1 - type: number - threshold: - items: - description: The threshold value that is used with the `thresholdComparator`. If the `thresholdComparator` is `between` or `notBetween`, you must specify the boundary values. - type: number - maxItems: 2 - minItems: 1 - type: array - thresholdComparator: - description: 'The comparison function for the threshold. For example: greater than, less than, greater than or equal to, between, or not between.' - enum: - - '>' - - < - - '>=' - - <= - - between - - notBetween - type: string - timeField: - anyOf: - - items: {} - type: array - - type: boolean - - type: number - - type: object - - type: string - description: The field that is used to calculate the time window. 
- nullable: true - oneOf: - - minLength: 1 - type: string - - minLength: 1 - type: string - x-oas-optional: true - timeWindowSize: - description: The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. - minimum: 1 - type: number - timeWindowUnit: - description: 'The type of units for the time window. For example: seconds, minutes, hours, or days.' - type: string - required: - - size - - timeWindowSize - - timeWindowUnit - - threshold - - thresholdComparator - - timeField - - searchConfiguration - - esQuery - - index - - esqlQuery - title: ES Query Rule Params - type: object - rule_type_id: - enum: - - .es-query - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: + deleted: + description: Whether the entity was successfully deleted. + type: boolean + description: Successful response. Entity deleted. + '404': + description: Entity Not Found. No entity with this ID and Type exists. + '503': + description: >- + Operation on an uninitialized Engine or in a cluster without CRUD + API Enabled + summary: Delete an entity in Entity Store + tags: + - Security Entity Analytics API + put: + description: > + Update or create an entity in Entity Store. + + If the specified entity already exists, it is updated with the provided + values. If the entity does not exist, a new one is created. By default, + only the following fields can be updated: * `entity.attributes.*` * + `entity.lifecycle.*` * `entity.behavior.*` To update other fields, set + the `force` query parameter to `true`. 
> info > Some fields always + retain the first observed value. Updates to these fields will not appear + in the final index. + + > Due to technical limitations, not all updates are guaranteed to appear + in the final list of observed values. + + > Due to technical limitations, create is an async operation. The time + for a document to be present in the > final index depends on the entity + store transform and usually takes more than 1 minute. + operationId: UpsertEntity + parameters: + - example: user + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + - description: When true, allows updating protected fields. + in: query + name: force + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' + description: Schema for the updating a single entity + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' + description: Entity updated or created + '403': + description: Operation on a restricted field + '409': + description: >- + Conflict. The entity was updated while another update was happening + in ElasticSearch + '503': + description: >- + Operation on an uninitialized Engine or in a cluster without CRUD + API Enabled + summary: Upsert an entity in Entity Store + tags: + - Security Entity Analytics API + /api/entity_store/entities/bulk: + put: + description: > + Update or create many entities in Entity Store. + + If the specified entity already exists, it is updated with the provided + values. If the entity does not exist, a new one is created. + + The creation is asynchronous. The time for a document to be present in + the final index depends on the entity store transform and usually takes + more than 1 minute. 
+ operationId: UpsertEntitiesBulk + parameters: + - description: When true, allows updating protected fields. + in: query + name: force + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EntitiesContainer + description: Schema for the updating many entities + required: true + responses: + '200': + description: Entities updated or created + '403': + description: Operation on a restricted field + '503': + description: >- + Operation on an uninitialized Engine or in a cluster without CRUD + API Enabled + summary: Upsert many entities in Entity Store + tags: + - Security Entity Analytics API + /api/entity_store/entities/list: + get: + description: List entities records, paging, sorting and filtering as needed. + operationId: ListEntities + parameters: + - description: Field to sort results by. + example: entity.name + in: query + name: sort_field + required: false + schema: type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: ES query - type: object - Kibana_HTTP_APIs_FailureStore: - anyOf: - - additionalProperties: false - type: object - properties: - inherit: - additionalProperties: false - type: object - properties: {} - required: - - inherit - - additionalProperties: false - type: object - properties: - disabled: - additionalProperties: false - type: object - properties: {} - required: - - disabled - - additionalProperties: false - type: object - properties: - lifecycle: - additionalProperties: false - type: object - properties: - enabled: - additionalProperties: false - type: object - properties: - data_retention: - description: A non-empty string. - minLength: 1 - type: string - required: - - enabled - required: - - lifecycle - - additionalProperties: false - type: object - properties: - lifecycle: - additionalProperties: false - type: object - properties: - disabled: - additionalProperties: false - type: object - properties: {} - required: - - disabled - required: - - lifecycle - Kibana_HTTP_APIs_FieldDefinition: - additionalProperties: - $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinitionConfig' - type: object - Kibana_HTTP_APIs_FieldDefinitionConfig: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' - - anyOf: - - additionalProperties: false - type: object - properties: - description: - type: string - format: - description: A non-empty string. - minLength: 1 - type: string - type: - enum: - - keyword - - match_only_text - - long - - double - - date - - boolean - - ip - - geo_point - - integer - - short - - byte - - float - - half_float - - text - - wildcard - - version - - unsigned_long - - date_nanos - type: string - required: - - type - - additionalProperties: false + - description: Sort order. 
+ in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + - description: Page number to return (1-indexed). + example: 1 + in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - description: Number of entities per page. + example: 10 + in: query + name: per_page + required: false + schema: + maximum: 10000 + minimum: 1 + type: integer + - description: An ES query to filter by. + in: query + name: filterQuery + required: false + schema: + type: string + - description: Entity types to include in the results. + in: query + name: entity_types + required: true + schema: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + responses: + '200': + content: + application/json: + schema: + type: object + properties: + inspect: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_InspectQuery + page: + description: Current page number. + minimum: 1 + type: integer + per_page: + description: Number of entities per page. + maximum: 1000 + minimum: 1 + type: integer + records: + description: The entity records for this page. + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_Entity + type: array + total: + description: Total number of entities matching the query. + minimum: 0 + type: integer + required: + - records + - page + - per_page + - total + description: Entities returned successfully + summary: List Entity Store Entities + tags: + - Security Entity Analytics API + /api/entity_store/status: + get: + description: >- + Get the overall Entity Store status and per-engine statuses, optionally + including component-level health details. + operationId: GetEntityStoreStatus + parameters: + - description: >- + If true, returns a detailed status of each engine including all its + components. 
+ example: true + in: query + name: include_components + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + entityStoreRunning: + description: >- + The Entity Store is running with both host and user engines + started and using default settings. + summary: Entity Store running with two engines + value: + engines: + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: host + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: user + status: running + schema: + type: object + properties: + engines: + description: Per-engine status information. + items: + allOf: + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor + - type: object + properties: + components: + description: >- + Detailed component-level status. Only included + when include_components is true. + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EngineComponentStatus + type: array + type: array + status: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_StoreStatus + description: The overall status of the Entity Store. + required: + - status + - engines + description: Successful response + summary: Get the status of the Entity Store + tags: + - Security Entity Analytics API + /api/exception_lists: + delete: + description: Delete an exception list using the `id` or `list_id` field. + operationId: DeleteExceptionList + parameters: + - description: >- + Exception list's identifier. Either `id` or `list_id` must be + specified. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: >- + Human readable exception list string identifier, e.g. + `trusted-linux-processes`. 
Either `id` or `list_id` must be + specified. + examples: + autogeneratedId: + value: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + list_id: + value: simple_list + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: > + `single` deletes the list in the current Kibana space; `agnostic` + deletes a global list. Must match the + + list you are removing when using `list_id` or `id`. + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single + responses: + '200': + content: + application/json: + examples: + detectionExceptionList: + value: + _version: WzIsMV0= + created_at: 2025-01-07T19:34:27.942Z + created_by: elastic + description: This is a sample detection type exception list. + id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: 2025-01-07T19:34:27.942Z + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request query]: namespace_type.0: Invalid enum value. 
+ Expected 'agnostic' | 'single', received 'blob' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [DELETE + /api/exception_lists?list_id=simple_list&namespace_type=single] + is unauthorized for user, this action is granted by the + Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list list_id: "foo" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Delete an exception list + tags: + - Security Exceptions API + get: + description: Get the details of an exception list using the `id` or `list_id` field. 
+ operationId: ReadExceptionList + parameters: + - description: >- + Exception list's identifier. Either `id` or `list_id` must be + specified. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: >- + Human readable exception list string identifier, e.g. + `trusted-linux-processes`. Either `id` or `list_id` must be + specified. + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: > + When `single`, the list is resolved in the current Kibana space. + When `agnostic`, the list is a global + + (space-agnostic) container. Required for looking up the correct list + when `list_id` is not unique. + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single + responses: + '200': + content: + application/json: + examples: + detectionType: + value: + _version: WzIsMV0= + created_at: 2025-01-07T19:34:27.942Z + created_by: elastic + description: This is a sample detection type exception list. + id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: 2025-01-07T19:34:27.942Z + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request query]: namespace_type.0: Invalid enum value. 
+ Expected 'agnostic' | 'single', received 'blob' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [GET + /api/exception_lists?list_id=simple_list&namespace_type=single] + is unauthorized for user, this action is granted by the + Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception list details + tags: + - Security Exceptions API + post: + description: > + An exception list groups exception items and can be associated with + detection rules. 
You can assign exception lists to multiple detection + rules. + + > info + + > All exception items added to the same list are evaluated using `OR` + logic. That is, if any of the items in a list evaluate to `true`, the + exception prevents the rule from generating an alert. Likewise, `OR` + logic is used for evaluating exceptions when more than one exception + list is assigned to a rule. To use the `AND` operator, you can define + multiple clauses (`entries`) in a single exception item. + operationId: CreateExceptionList + requestBody: + content: + application/json: + examples: + createDetection: + value: + description: This is a sample detection type exception list. + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + type: detection + schema: + example: + description: This is a sample detection type exception list. + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + type: detection type: object properties: description: - type: string - format: - not: {} + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListDescription + list_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListMeta + name: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListTags + default: [] type: - not: {} + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListType + version: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListVersion + default: 1 required: + - name - 
description - - additionalProperties: false - type: object - properties: - description: - type: string - type: - enum: - - system - type: string - required: - type - Kibana_HTTP_APIs_FilterCondition: - anyOf: - - additionalProperties: false - description: A condition that compares a field to a value or range using an operator as the key. - type: object - properties: - contains: - anyOf: - - type: string - - type: number - - type: boolean - description: Contains comparison value. - endsWith: - anyOf: - - type: string - - type: number - - type: boolean - description: Ends-with comparison value. - eq: - anyOf: - - type: string - - type: number - - type: boolean - description: Equality comparison value. - field: - description: The document field to filter on. - minLength: 1 - type: string - gt: - anyOf: - - type: string - - type: number - - type: boolean - description: Greater-than comparison value. - gte: - anyOf: - - type: string - - type: number - - type: boolean - description: Greater-than-or-equal comparison value. - includes: - anyOf: - - type: string - - type: number - - type: boolean - description: Checks if multivalue field includes the value. - lt: - anyOf: - - type: string - - type: number - - type: boolean - description: Less-than comparison value. - lte: - anyOf: - - type: string - - type: number - - type: boolean - description: Less-than-or-equal comparison value. - neq: - anyOf: - - type: string - - type: number - - type: boolean - description: Inequality comparison value. - range: - additionalProperties: false - description: Range comparison values. - type: object - properties: - gt: - anyOf: - - type: string - - type: number - - type: boolean - description: A value that can be a string, number, or boolean. - gte: - anyOf: - - type: string - - type: number - - type: boolean - description: A value that can be a string, number, or boolean. 
- lt: - anyOf: - - type: string - - type: number - - type: boolean - description: A value that can be a string, number, or boolean. - lte: - anyOf: - - type: string - - type: number - - type: boolean - description: A value that can be a string, number, or boolean. - startsWith: - anyOf: - - type: string - - type: number - - type: boolean - description: Starts-with comparison value. - required: - - field - - additionalProperties: false - description: A condition that checks for the existence or non-existence of a field. - type: object - properties: - exists: - description: Indicates whether the field exists or not. - type: boolean - field: - description: The document field to check. - minLength: 1 - type: string - required: - - field - description: A basic filter condition, either unary or binary. - Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. 
- enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. 
- type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false + description: Exception list's properties + required: true + responses: + '200': + content: + application/json: + examples: + autogeneratedListId: + value: + _version: WzMsMV0= + created_at: 2025-01-09T01:05:23.019Z + created_by: elastic + description: >- + This is a sample detection type exception with an + autogenerated list_id. + id: 28243c2f-624a-4443-823d-c0b894880931 + immutable: false + list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 + name: Sample Detection Exception List + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: ad94de31-39f7-4ad7-b8e4-988bfa95f338 + type: detection + updated_at: 2025-01-09T01:05:23.020Z + updated_by: elastic + version: 1 + namespaceAgnostic: + value: + _version: WzUsMV0= + created_at: 2025-01-09T01:10:36.369Z + created_by: elastic + description: This is a sample agnostic endpoint type exception. 
+ id: 1a744e77-22ca-4b6b-9085-54f55275ebe5 + immutable: false + list_id: b935eb55-7b21-4c1c-b235-faa1df23b3d6 + name: Sample Agnostic Endpoint Exception List + namespace_type: agnostic + os_types: + - linux + tags: + - malware + tie_breaker_id: 49ea0adc-a2b8-4d83-a8f3-2fb98301dea3 + type: endpoint + updated_at: 2025-01-09T01:10:36.369Z + updated_by: elastic + version: 1 + typeDetection: + value: + _version: WzIsMV0= + created_at: 2025-01-07T19:34:27.942Z + created_by: elastic + description: This is a sample detection type exception list. + id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: 2025-01-07T19:34:27.942Z + updated_by: elastic + version: 1 + typeEndpoint: + value: + _version: WzQsMV0= + created_at: 2025-01-09T01:07:49.658Z + created_by: elastic + description: This is a sample endpoint type exception list. 
+ id: a79f4730-6e32-4278-abfc-349c0add7d54 + immutable: false + list_id: endpoint_list + name: Sample Endpoint Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 94a028af-8f47-427a-aca5-ffaf829e64ee + type: endpoint + updated_at: 2025-01-09T01:07:49.658Z + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: list_id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [POST /api/exception_lists] is unauthorized for user, + this action is granted by the Kibana privileges + [lists-all] + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'exception list id: "simple_list" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: 
Exception list already exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create an exception list + tags: + - Security Exceptions API + put: + description: Update an exception list using the `id` or `list_id` field. + operationId: UpdateExceptionList + requestBody: + content: + application/json: + examples: + fullReplace: + value: + description: Different description + list_id: simple_list + name: Updated exception list name + os_types: + - linux + tags: + - draft + - malware + type: detection + schema: + example: + description: Different description + list_id: simple_list + name: Updated exception list name + os_types: + - linux + tags: + - draft malware + type: detection type: object properties: - blob: - maxLength: 10000 + _version: + description: >- + The version id, normally returned by the API when the item + was retrieved. Use it ensure updates are done against the + latest version. 
type: string + description: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListDescription + id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + list_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListMeta + name: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListTags + type: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListType + version: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListVersion required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. 
- maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the geo containment rule. These parameters are appropriate when `rule_type_id` is `.geo-containment`. 
- properties: - boundaryGeoField: - minLength: 1 - type: string - boundaryIndexId: - minLength: 1 - type: string - boundaryIndexQuery: - nullable: true - boundaryIndexTitle: - minLength: 1 - type: string - boundaryNameField: - minLength: 1 - type: string - boundaryType: - minLength: 1 - type: string - dateField: - minLength: 1 - type: string - entity: - minLength: 1 - type: string - geoField: - minLength: 1 - type: string - index: - minLength: 1 - type: string - indexId: - minLength: 1 - type: string - indexQuery: - nullable: true - required: - - index - - indexId - - geoField - - entity - - dateField - - boundaryType - - boundaryIndexTitle - - boundaryIndexId - - boundaryGeoField - - indexQuery - - boundaryIndexQuery - title: Geo Containment Rule Params - type: object - rule_type_id: - enum: - - .geo-containment - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. 
- items: + - name + - description + - type + description: Exception list's properties + required: true + responses: + '200': + content: + application/json: + examples: + simpleList: + value: + _version: WzExLDFd + created_at: 2025-01-07T20:43:55.264Z + created_by: elastic + description: Different description + id: fa7f545f-191b-4d32-b1f0-c7cd62a79e55 + immutable: false + list_id: simple_list + name: Updated exception list name + namespace_type: single + os_types: [] + tags: + - draft malware + tie_breaker_id: 319fe983-acdd-4806-b6c4-3098eae9392f + type: detection + updated_at: 2025-01-07T21:32:03.726Z + updated_by: elastic + version: 2 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: list_id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [PUT /api/exception_lists] is unauthorized for user, + this action is granted by the Kibana privileges + [lists-all] + statusCode: 403 + schema: + $ref: >- + 
#/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Update an exception list + tags: + - Security Exceptions API + /api/exception_lists/_duplicate: + post: + description: Duplicate an existing exception list. + operationId: DuplicateExceptionList + parameters: + - description: The `list_id` of the existing exception list to copy (source list). + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: >- + Scope in which the source list is defined (`single` = current space, + `agnostic` = all spaces). + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: true + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + - description: >- + Determines whether to include expired exceptions in the duplicated + list. Expiration date defined by `expire_time`. + in: query + name: include_expired_exceptions + required: true + schema: + default: 'true' + enum: + - 'true' + - 'false' + example: true type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Geo containment - type: object - Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). 
- type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. 
+ responses: + '200': + content: + application/json: + examples: + detectionExceptionList: + value: + _version: WzExNDY1LDFd + created_at: 2025-01-09T16:19:50.280Z + created_by: elastic + description: This is a sample detection type exception + id: b2f4a715-6ab1-444c-8b1e-3fa1b1049429 + immutable: false + list_id: d6390d60-bce3-4a48-9002-52db600f329c + name: Sample Detection Exception List [Duplicate] + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: 6fa670bd-666d-4c9c-9f1e-d1dbc516e985 + type: detection + updated_at: 2025-01-09T16:19:50.280Z + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request query]: namespace_type: Invalid enum value. + Expected 'agnostic' | 'single', received 'foo' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [POST /api/exception_lists/_duplicate] is unauthorized + for user, this action is granted by the Kibana privileges + [lists-all] + statusCode: 403 + schema: + $ref: >- + 
#/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list id: "foo" does not exist' + status_code: 404 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Exception list not found + '405': + content: + application/json: + examples: + notAllowed: + value: + message: >- + Cannot duplicate: list is immutable or the operation is + not allowed in this state + status_code: 405 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list to duplicate not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Duplicate an exception list + tags: + - Security Exceptions API + /api/exception_lists/_export: + post: + description: Export an exception list and its associated items to an NDJSON file. + operationId: ExportExceptionList + parameters: + - description: >- + Exception list's internal `id` (UUID) returned on create; use with + `list_id` and `namespace_type` for an unambiguous target. + in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: >- + Human-readable `list_id` of the exception list to export, as shown + in the UI and API responses. + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: > + `single` exports a list in the current Kibana space; `agnostic` + exports a global (space-agnostic) list. 
+ examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: true + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + - description: >- + Determines whether to include expired exceptions in the exported + list. Expiration date defined by `expire_time`. + example: true + in: query + name: include_expired_exceptions + required: true + schema: + default: 'true' + enum: + - 'true' + - 'false' + type: string + responses: + '200': + content: + application/ndjson: + examples: + exportSavedObjectsResponse: + value: > + {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This + is a sample detection type + exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample + Detection Exception + List","namespace_type":"single","os_types":[],"tags":["user + added string for a + tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} + + {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This + is a sample endpoint type + exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some + host","another + host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample + Endpoint Exception + List","namespace_type":"single","os_types":["linux"],"tags":["user + added string for a + tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} + + 
{"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0} + schema: + description: >- + A `.ndjson` file containing specified exception list and its + items + format: binary type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request query]: list_id: Required, namespace_type: + Required + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [POST /api/exception_lists/_export] is unauthorized + for user, this action is granted by the Kibana 
privileges + [lists-all] + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Export an exception list + tags: + - Security Exceptions API + /api/exception_lists/_find: + get: + description: Get a list of all exception list containers. + operationId: FindExceptionLists + parameters: + - description: > + Filters the returned results according to the value of the specified + field. + + + Uses the `so type.field name:field` value syntax, where `so type` + can be: + + + - `exception-list`: Specify a space-aware exception list. + + - `exception-list-agnostic`: Specify an exception list that is + shared across spaces. 
+ in: query + name: filter + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_FindExceptionListsFilter + - description: > + Determines whether the returned containers are Kibana associated + with a Kibana space + + or available in all spaces (`agnostic` or `single`) + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + type: array + - description: The page number to return + in: query + name: page + required: false + schema: + example: 1 + minimum: 1 + type: integer + - description: The number of exception lists to return per page + in: query + name: per_page + required: false + schema: + example: 20 + minimum: 1 + type: integer + - description: Determines which field is used to sort the results. + in: query + name: sort_field + required: false + schema: + example: name + type: string + - description: Determines the sort order, which can be `desc` or `asc`. + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + example: desc + type: string + responses: + '200': + content: + application/json: + examples: + simpleLists: + value: + data: + - _version: WzIsMV0= + created_at: 2025-01-07T19:34:27.942Z + created_by: elastic + description: This is a sample detection type exception list. 
+ id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Detection Exception List + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: 2025-01-07T19:34:27.942Z + updated_by: elastic + version: 1 + page: 1 + per_page: 20 + total: 1 + schema: type: object properties: - id: - type: string + data: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionList + type: array + page: + minimum: 1 + type: integer + per_page: + minimum: 1 + type: integer + total: + minimum: 0 + type: integer required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request query]: namespace_type.0: Invalid enum value. + Expected 'agnostic' | 'single', received 'blob' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [GET /api/exception_lists/_find?namespace_type=single] + is unauthorized for user, this action is granted by 
the + Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception lists + tags: + - Security Exceptions API + /api/exception_lists/_import: + post: + description: Import an exception list and its associated items from an NDJSON file. + operationId: ImportExceptionList + parameters: + - description: > + Determines whether existing exception lists with the same `list_id` + are overwritten. + + If any exception items have the same `item_id`, those are also + overwritten. + in: query + name: overwrite + required: false + schema: + default: false + example: false + type: boolean + - description: > + Determines whether the list being imported will have a new `list_id` + generated. + + Additional `item_id`'s are generated for each exception item. Both + the exception + + list and its items are overwritten. + in: query + name: as_new_list + required: false + schema: + default: false + example: false + type: boolean + requestBody: + content: + multipart/form-data: + examples: + ndjsonUpload: + value: + file: exception_lists.ndjson + schema: type: object properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. 
- type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the index threshold rule. These parameters are appropriate when `rule_type_id` is `.index-threshold`. 
- properties: - aggField: - description: The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`. - minLength: 1 - type: string - aggType: - default: count - description: The type of aggregation to perform. - type: string - filterKuery: - description: A Kibana Query Language (KQL) expression thats limits the scope of alerts. - type: string - groupBy: - default: all - description: Indicates whether the aggregation is applied over all documents (`all`) or split into groups (`top`) using a grouping field (`termField`). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to `termSize` number of groups) are checked. - type: string - index: - anyOf: - - minLength: 1 + file: + description: A `.ndjson` file containing the exception list + example: > + {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This + is a sample detection type + exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample + Detection Exception + List","namespace_type":"single","os_types":[],"tags":["user + added string for a + tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} + + {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This + is a sample endpoint type + exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some + host","another + host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample + Endpoint Exception + List","namespace_type":"single","os_types":["linux"],"tags":["user + added 
string for a + tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} + format: binary type: string - - items: - minLength: 1 - type: string - minItems: 1 - type: array - description: The indices to query. - termField: - description: The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`. - minLength: 1 - type: string - termSize: - description: This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields. - minimum: 1 - type: number - threshold: - items: - type: number - maxItems: 2 - minItems: 1 - type: array - thresholdComparator: - description: 'The comparison function for the threshold. For example: greater than, less than, greater than or equal to, between, or not between.' - enum: - - '>' - - < - - '>=' - - <= - - between - - notBetween - type: string - timeField: - description: The field that is used to calculate the time window. - minLength: 1 - type: string - timeWindowSize: - description: The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. - minimum: 1 - type: number - timeWindowUnit: - description: 'The type of units for the time window. For example: seconds, minutes, hours, or days.' - type: string - required: - - index - - timeField - - timeWindowSize - - timeWindowUnit - - thresholdComparator - - threshold - title: Index Threshold Rule Params - type: object - rule_type_id: - enum: - - .index-threshold - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. 
- type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: + required: true + responses: + '200': + content: + application/json: + examples: + withErrors: + value: + errors: + - error: + message: >- + Error found importing exception list: Invalid value + \"4\" supplied to \"list_id\" + status_code: 400 + list_id: (unknown list_id) + - error: + message: >- + Found that item_id: + \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" already + exists. Import of item_id: + \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" skipped. + status_code: 409 + item_id: f7fd00bb-dba8-4c93-9d59-6cbd427b6330 + list_id: 7d7cccb8-db72-4667-b1f3-648efad7c1ee + success: false, + success_count: 0, + success_count_exception_list_items: 0 + success_count_exception_lists: 0, + success_exception_list_items: false, + success_exception_lists: false, + withoutErrors: + value: + errors: [] + success: true + success_count: 2 + success_count_exception_list_items: 1 + success_count_exception_lists: 1 + success_exception_list_items: true + success_exception_lists: true, + schema: + type: object + properties: + errors: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray + success: + type: boolean + success_count: + minimum: 0 + type: integer + success_count_exception_list_items: + minimum: 0 + type: integer + success_count_exception_lists: + minimum: 0 + type: integer + success_exception_list_items: + type: boolean + success_exception_lists: + type: boolean + required: + - errors + - success + - success_count + - success_exception_lists + - success_count_exception_lists + - success_exception_list_items + - success_count_exception_list_items + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + Multipart part `file` is 
required and must contain a valid + .ndjson exception list export + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [POST /api/exception_lists/_import] is unauthorized + for user, this action is granted by the Kibana privileges + [lists-all] + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Import an exception list + tags: + - Security Exceptions API + /api/exception_lists/items: + delete: + description: Delete an exception list item using the `id` or `item_id` field. + operationId: DeleteExceptionListItem + parameters: + - description: >- + Exception item's identifier. 
Either `id` or `item_id` must be + specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + - description: >- + Human readable exception item string identifier, e.g. + `trusted-linux-processes`. Either `id` or `item_id` must be + specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + - description: > + `single` deletes the item in the current Kibana space; `agnostic` + deletes an item in a space-agnostic list. Must match the list that + owns the item. + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single + responses: + '200': + content: + application/json: + examples: + simpleExceptionItem: + value: + _version: WzQsMV0= + comments: [] + created_at: 2025-01-07T20:07:33.119Z + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: 2025-01-07T20:07:33.119Z + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request query]: namespace_type.0: Invalid enum value. 
+ Expected 'agnostic' | 'single', received 'blob' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [DELETE + /api/exception_lists/items?item_id=simple_list&namespace_type=single] + is unauthorized for user, this action is granted by the + Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: \"foo\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Delete an exception list item + tags: + - Security Exceptions API + get: + description: >- + Get the details of an exception list item using the `id` or `item_id` + field. 
+ operationId: ReadExceptionListItem + parameters: + - description: >- + Exception list item's identifier. Either `id` or `item_id` must be + specified. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + - description: >- + Human readable exception item string identifier, e.g. + `trusted-linux-processes`. Either `id` or `item_id` must be + specified. + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + - description: > + `single` fetches the item in the current space; `agnostic` fetches a + global (space-agnostic) item. Must + + match how the list was created. + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single + responses: + '200': + content: + application/json: + examples: + simpleListItem: + value: + _version: WzQsMV0= + comments: [] + created_at: 2025-01-07T20:07:33.119Z + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: 2025-01-07T20:07:33.119Z + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request query]: namespace_type.0: Invalid enum value. + Expected 'agnostic' | 'single', received 'blob' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [GET + /api/exception_lists/items?item_id=&namespace_type=single] + is unauthorized for user, this action is granted by the + Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough 
privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: \"foo\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get an exception list item + tags: + - Security Exceptions API + post: + description: > + Create an exception item and associate it with the specified exception + list. + + > info + + > Before creating exception items, you must create an exception list. + operationId: CreateExceptionListItem + requestBody: + content: + application/json: + examples: + simpleItem: + value: + description: This is a sample detection type exception item. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemGeneric + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemEndpointList + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemEventFilters + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemHostIsolation + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistWindows + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistLinux + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistMac + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + autogeneratedItemId: + value: + _version: WzYsMV0= + comments: [] + created_at: 2025-01-09T01:16:23.322Z + created_by: elastic + description: >- + This is a sample exception that has no item_id so it is + autogenerated. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + id: 323faa75-c657-4fa0-9084-8827612c207b + item_id: 80e6edf7-4b13-4414-858f-2fa74aa52b37 + list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 + name: Sample Autogenerated Exception List Item ID + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: d6799986-3a23-4213-bc6d-ed9463a32f23 + type: simple + updated_at: 2025-01-09T01:16:23.322Z + updated_by: elastic + detectionExceptionListItem: + value: + _version: WzQsMV0= + comments: [] + created_at: 2025-01-07T20:07:33.119Z + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: 2025-01-07T20:07:33.119Z + updated_by: elastic + withExistEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: 2025-01-07T20:07:33.119Z + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: 2025-01-07T20:07:33.119Z + updated_by: elastic + withMatchAnyEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: 2025-01-07T20:07:33.119Z + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: 2025-01-07T20:07:33.119Z + updated_by: elastic + withMatchEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: 2025-01-07T20:07:33.119Z + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: included + type: match + value: Elastic N.V. + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: 2025-01-07T20:07:33.119Z + updated_by: elastic + withNestedEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: 2025-01-07T20:07:33.119Z + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - entries: + - field: signer + operator: included + type: match + value: Evil + - field: trusted + operator: included + type: match + value: true + field: file.signature + type: nested + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: 2025-01-07T20:07:33.119Z + updated_by: elastic + withValueListEntry: + value: + _version: WzcsMV0= + comments: [] + created_at: 2025-01-09T01:31:12.614Z + created_by: elastic + description: >- + Don't signal when agent.name is rock01 and source.ip is in + the goodguys.txt list + entries: + - field: source.ip + list: + id: goodguys.txt + type: ip + operator: excluded + type: list + id: deb26876-297d-4677-8a1f-35467d2f1c4f + item_id: 686b129e-9b8d-4c59-8d8d-c93a9ea82c71 + list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 + name: Filter out good guys ip and agent.name rock01 + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: 5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8 + type: simple + updated_at: 2025-01-09T01:31:12.614Z + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request, + message: '[request body]: list_id: Expected string, received number' + statusCode: 400, + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST 
request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [POST /api/exception_lists/items] is unauthorized for + user, this action is granted by the Kibana privileges + [lists-all] + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: >- + exception list item id: \"simple_list_item\" already + exists + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item already exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create an exception list item + tags: + - Security Exceptions API + put: + description: Update an exception list item using the `id` or `item_id` field. 
+ operationId: UpdateExceptionListItem + requestBody: + content: + application/json: + examples: + updateItem: + value: + description: Updated description + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + name: Updated name + namespace_type: single + type: simple + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemGeneric + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEndpointList + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEventFilters + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemHostIsolation + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistMac + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + simpleListItem: + value: + _version: WzEyLDFd + comments: [] + created_at: 2025-01-07T21:12:25.512Z + created_by: elastic + description: Updated description + entries: + - field: host.name + operator: included + type: match + value: rock01 + id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da + item_id: 
simple_list_item + list_id: simple_list + name: Updated name + namespace_type: single + os_types: [] + tags: [] + tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 + type: simple + updated_at: 2025-01-07T21:34:50.233Z + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: item_id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [PUT /api/exception_lists/items] is unauthorized for + user, this action is granted by the Kibana privileges + [lists-all] + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: \"foo\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + 
application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Update an exception list item + tags: + - Security Exceptions API + /api/exception_lists/items/_find: + get: + description: Get a list of all exception list items in the specified list. + operationId: FindExceptionListItems + parameters: + - description: The `list_id`s of the items to fetch. + in: query + name: list_id + required: true + schema: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListHumanId + type: array + - description: > + Filters the returned results according to the value of the specified + field, + + using the `:` syntax. + examples: + singleFilter: + value: + - exception-list.attributes.name:%My%20item + in: query + name: filter + required: false + schema: + default: [] + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_FindExceptionListItemsFilter + type: array + - description: > + Determines whether the returned containers are Kibana associated + with a Kibana space + + or available in all spaces (`agnostic` or `single`) + examples: + single: + value: + - single + in: query + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + type: array + - description: > + Free-text search term applied to exception list item fields (for + example a hostname or file path fragment). + in: query + name: search + required: false + schema: + example: host.name type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Index threshold - type: object - Kibana_HTTP_APIs_IngestStreamLifecycle: - anyOf: - - additionalProperties: false - type: object - properties: - dsl: - additionalProperties: false - type: object - properties: - data_retention: - description: A non-empty string. - minLength: 1 - type: string - downsample: - items: - type: object - properties: - after: - description: A non-empty string. - minLength: 1 - type: string - fixed_interval: - description: A non-empty string. - minLength: 1 - type: string - required: - - after - - fixed_interval - type: array - required: - - dsl - - additionalProperties: false - type: object - properties: - ilm: - additionalProperties: false - type: object - properties: - policy: - description: A non-empty string. - minLength: 1 - type: string - required: - - policy - required: - - ilm - - additionalProperties: false - type: object - properties: - inherit: - additionalProperties: false - type: object - properties: {} - required: - - inherit - Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). 
- type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. 
Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false + - description: The page number to return + in: query + name: page + required: false + schema: + example: 1 + minimum: 0 + type: integer + - description: The number of exception list items to return per page + in: query + name: per_page + required: false + schema: + example: 20 + minimum: 0 + type: integer + - description: Determines which field is used to sort the results. + example: name + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + - description: Determines the sort order, which can be `desc` or `asc`. + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + example: desc + type: string + responses: + '200': + content: + application/json: + examples: + simpleListItems: + value: + data: + - _version: WzgsMV0= + comments: [] + created_at: 2025-01-07T21:12:25.512Z + created_by: elastic + description: This is a sample exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - jupiter + - saturn + id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 + type: simple + updated_at: 2025-01-07T21:12:25.512Z + updated_by: elastic + page: 1 + per_page: 20 + total: 1 + schema: type: object properties: - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true + data: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItem + type: array + page: + minimum: 1 + type: integer + per_page: + minimum: 1 + type: integer + pit: type: string + total: + minimum: 0 + type: integer required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. 
- type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request query]: namespace_type.0: Invalid enum value. 
+ Expected 'agnostic' | 'single', received 'blob' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [GET + /api/exception_lists/items/_find?list_id=simple_list&namespace_type=single] + is unauthorized for user, this action is granted by the + Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list list_id: "foo" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception list items + tags: + - Security Exceptions API + /api/exception_lists/summary: + get: + description: Get a summary of the specified exception list. 
+ operationId: ReadExceptionListSummary + parameters: + - description: Exception list's identifier generated upon creation. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Exception list's human readable identifier. + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: > + `single` returns summary for a list in the current space; `agnostic` + for a space-agnostic list. Must + + line up with `id` / `list_id` used to look up the list. + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single + - description: Search filter clause + in: query + name: filter + required: false + schema: + example: >- + exception-list-agnostic.attributes.tags:"policy:policy-1" OR + exception-list-agnostic.attributes.tags:"policy:all" + type: string + responses: + '200': + content: + application/json: + examples: + summary: + value: + linux: 0 + macos: 0 + total: 0 + windows: 0 + schema: type: object properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false + linux: + minimum: 0 + type: integer + macos: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + windows: + minimum: 0 + type: integer + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request query]: namespace_type.0: Invalid enum value. 
+ Expected 'agnostic' | 'single', received 'blob' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [GET + /api/exception_lists/summary?list_id=simple_list&namespace_type=agnostic] + is unauthorized for user, this action is granted by the + Kibana privileges [lists-summary] + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get an exception list summary + tags: + - Security Exceptions API + /api/exceptions/shared: + post: + description: > + An exception list groups exception items and can be associated with + detection rules. 
A shared exception list can apply to multiple detection + rules. + + > info + + > All exception items added to the same list are evaluated using `OR` + logic. That is, if any of the items in a list evaluate to `true`, the + exception prevents the rule from generating an alert. Likewise, `OR` + logic is used for evaluating exceptions when more than one exception + list is assigned to a rule. To use the `AND` operator, you can define + multiple clauses (`entries`) in a single exception item. + operationId: CreateSharedExceptionList + requestBody: + content: + application/json: + schema: + example: + description: This is a sample detection type exception list. + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware type: object properties: - blob: - maxLength: 10000 - type: string + description: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListDescription + name: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListName required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. 
- maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - anyOf: - - additionalProperties: false + - name + - description + required: true + responses: + '200': + content: + application/json: + examples: + sharedList: + value: + _version: WzIsMV0= + created_at: 2025-01-07T19:34:27.942Z + created_by: elastic + description: This is a sample detection type exception list. 
+ id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: 2025-01-07T19:34:27.942Z + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: list_id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + message: Unable to create exception-list + status_code: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'exception list id: "simple_list" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list already exists response + '500': + content: + application/json: + examples: + serverError: + 
value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create a shared exception list + tags: + - Security Exceptions API + /api/lists: + delete: + description: | + Delete a value list using the list ID. + > info + > When you delete a list, all of its list items are also deleted. + operationId: DeleteList + parameters: + - description: Value list identifier to delete, including all of its list items. + in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: >- + Determines whether exception items referencing this value list + should be deleted. + in: query + name: deleteReferences + required: false + schema: + default: false + example: false + type: boolean + - description: >- + Determines whether to delete value list without performing any + additional checks of where this list may be utilized. + in: query + name: ignoreReferences + required: false + schema: + default: false + example: false + type: boolean + responses: + '200': + content: + application/json: + examples: + ipList: + value: + _version: WzIsMV0= + '@timestamp': 2025-01-08T04:47:34.273Z + created_at: 2025-01-08T04:47:34.273Z + created_by: elastic + description: List of bad internet ips. 
+ id: 21b01cfb-058d-44b9-838c-282be16c91cd + immutable: false + name: Bad ips + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: 2025-01-08T05:39:39.292Z + updated_by: elastic + version: 3 + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: id: Required' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [DELETE /api/lists?id=ip_list] is unauthorized for + user, this action is granted by the Kibana privileges + [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: \"ip_list\" was not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: 
'#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete a value list + tags: + - Security Lists API + get: + description: Get the details of a value list using the list ID. + operationId: ReadList + parameters: + - description: Value list identifier (`id`) returned when the list was created. + in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + responses: + '200': + content: + application/json: + examples: + ip: + value: + _version: WzEsMV0= + '@timestamp': 2025-01-08T04:47:34.273Z + created_at: 2025-01-08T04:47:34.273Z + created_by: elastic + description: This list describes bad internet ip + id: ip_list + immutable: false + name: My bad ips + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: 2025-01-08T05:21:53.843Z + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: id: Required' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [GET 
/api/lists?id=ip_list] is unauthorized for user, + this action is granted by the Kibana privileges + [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value list details + tags: + - Security Lists API + patch: + description: Update specific fields of an existing list using the list `id`. + operationId: PatchList + requestBody: + content: + application/json: + examples: + patchName: + value: + id: ip_list + name: Bad ips list - UPDATED + schema: + example: + id: ip_list + name: Bad ips list - UPDATED type: object properties: - count: - additionalProperties: false - type: object - properties: - comparator: - enum: - - more than - - more than or equals - - less than - - less than or equals - - equals - - does not equal - - matches - - does not match - - matches phrase - - does not match phrase - type: string - value: - type: number - required: - - comparator - - value - criteria: - items: - additionalProperties: false - type: object - properties: - comparator: - enum: - - more than - - more than or equals - - less than - - less than or equals - - equals - - does not equal - - matches - - does not match - - matches phrase - - does not match phrase - type: string - field: - type: string - value: - anyOf: - - type: string - - type: number - required: - - field - - comparator - - value - type: array - groupBy: - items: - type: string - type: array - logView: 
- additionalProperties: false - type: object - properties: - logViewId: - type: string - type: - enum: - - log-view-reference - type: string - required: - - logViewId - - type - timeSize: - type: number - timeUnit: - enum: - - s - - m - - h - - d - type: string + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + version: + $ref: '#/components/schemas/Security_Lists_API_ListVersion' required: - - criteria - - count - - timeUnit - - timeSize - - logView - - additionalProperties: false + - id + description: Value list's properties + required: true + responses: + '200': + content: + application/json: + examples: + ip: + value: + _version: WzEsMV0= + '@timestamp': 2025-01-08T04:47:34.273Z + created_at: 2025-01-08T04:47:34.273Z + created_by: elastic + description: This list describes bad internet ips + id: ip_list + immutable: false + name: Bad ips list - UPDATED + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: 2025-01-08T05:21:53.843Z + updated_by: elastic + version: 2 + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: name: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to 
authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [PATCH /api/lists] is unauthorized for user, this + action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Patch a value list + tags: + - Security Lists API + post: + description: Create a new value list. 
+ operationId: CreateList + requestBody: + content: + application/json: + examples: + ip: + value: + description: This list describes bad internet ips + id: ip_list + name: Simple list with ips + type: ip + ip_range: + value: + description: This list has ip ranges + id: ip_range_list + name: Simple list with ip ranges + type: ip_range + keyword: + value: + description: This list describes bad host names + id: keyword_list + name: Simple list with a keyword + type: keyword + keyword_custom_format: + value: + description: This parses the first found ipv4 only + id: keyword_custom_format_list + name: Simple list with a keyword using a custom format + type: keyword + schema: type: object properties: - count: - additionalProperties: false - type: object - properties: - comparator: - enum: - - more than - - more than or equals - - less than - - less than or equals - - equals - - does not equal - - matches - - does not match - - matches phrase - - does not match phrase - type: string - value: - type: number - required: - - comparator - - value - criteria: - items: - items: - additionalProperties: false - type: object - properties: - comparator: - enum: - - more than - - more than or equals - - less than - - less than or equals - - equals - - does not equal - - matches - - does not match - - matches phrase - - does not match phrase - type: string - field: - type: string - value: - anyOf: - - type: string - - type: number - required: - - field - - comparator - - value - type: array - type: array - groupBy: - items: - type: string - type: array - logView: - additionalProperties: false - type: object - properties: - logViewId: - type: string - type: - enum: - - log-view-reference - type: string - required: - - logViewId - - type - timeSize: - type: number - timeUnit: - enum: - - s - - m - - h - - d - type: string + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: 
'#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + type: + $ref: '#/components/schemas/Security_Lists_API_ListType' + version: + default: 1 + minimum: 1 + type: integer required: - - criteria - - count - - timeUnit - - timeSize - - logView - description: The parameters for the log threshold rule. These parameters are appropriate when `rule_type_id` is `logs.alert.document.count`. - title: Log Threshold Rule Params - rule_type_id: - enum: - - logs.alert.document.count - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Log threshold - type: object - Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. 
- type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. 
- type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false + - name + - description + - type + description: Value list's properties + required: true + responses: + '200': + content: + application/json: + examples: + ip: + value: + _version: WzAsMV0= + '@timestamp': 2025-01-08T04:47:34.273Z + created_at: 2025-01-08T04:47:34.273Z + created_by: elastic + description: This list describes bad internet ips + id: ip_list + immutable: false + name: Simple list with ips + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: 2025-01-08T04:47:34.273Z + updated_by: elastic + version: 1 + ip_range: + value: + _version: WzAsMV0= + '@timestamp': 2025-01-09T18:23:52.241Z + created_at: 2025-01-09T18:23:52.241Z + created_by: elastic + description: This list has ip ranges + id: ip_range_list + immutable: false + name: Simple list with ip ranges + tie_breaker_id: 74aebdaf-601f-4940-b351-155728ff7003 + type: ip_range + updated_at: 2025-01-09T18:23:52.241Z + updated_by: elastic + version: 1 + keyword: + value: + _version: WzEsMV0= + '@timestamp': 2025-01-09T18:24:55.786Z + created_at: 2025-01-09T18:24:55.786Z + created_by: elastic + description: This list describes bad host names + id: keyword_list + immutable: false + name: Simple list with a keyword + tie_breaker_id: f7e7dbaa-daf7-4c9a-a3dc-56643923ef68 + type: keyword + updated_at: 2025-01-09T18:24:55.786Z + updated_by: elastic + version: 1 + keyword_custom_format: + value: + _version: WzIsMV0= + '@timestamp': 2025-01-09T18:25:39.604Z + created_at: 2025-01-09T18:25:39.604Z + created_by: elastic + description: This parses the first found ipv4 only + id: keyword_custom_format_list + immutable: false + name: Simple list with a keyword using a custom format + 
tie_breaker_id: 8247ae63-b780-47b8-9a89-948b643e9ec2 + type: keyword + updated_at: 2025-01-09T18:25:39.604Z + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json: + examples: + notFound: + value: + message: >- + To create a list, the data stream must exist first. Data + stream \".lists-default\" does not exist + status_code: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [POST /api/lists] is unauthorized for user, this + action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'list id: "keyword_custom_format_list" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List already exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: 
'#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create a value list + tags: + - Security Lists API + put: + description: > + Update a value list using the list `id`. The original list is replaced, + and all unspecified fields are deleted. + + > info + + > You cannot modify the `id` value. + operationId: UpdateList + requestBody: + content: + application/json: + examples: + replaceList: + value: + description: Latest list of bad ips + id: ip_list + name: Bad ips - updated + schema: + example: + description: Latest list of bad ips + id: ip_list + name: Bad ips - updated type: object properties: - blob: - maxLength: 10000 - type: string + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + version: + $ref: '#/components/schemas/Security_Lists_API_ListVersion' required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. 
- type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the metric inventory threshold rule. These parameters are appropriate when `rule_type_id` is `metrics.alert.inventory.threshold`. 
- properties: - alertOnNoData: - type: boolean - criteria: - items: - additionalProperties: false + - id + - name + - description + description: Value list's properties + required: true + responses: + '200': + content: + application/json: + examples: + ip: + value: + _version: WzIsMV0= + '@timestamp': 2025-01-08T04:47:34.273Z + created_at: 2025-01-08T04:47:34.273Z + created_by: elastic + description: Latest list of bad ips + id: ip_list + immutable: false + name: Bad ips - updated + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: 2025-01-08T05:39:39.292Z + updated_by: elastic + version: 3 + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [PUT /api/lists] is unauthorized for user, this action + is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + 
content: + application/json: + examples: + notFound: + value: + message: 'list id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Update a value list + tags: + - Security Lists API + /api/lists/_find: + get: + description: >- + Get a paginated subset of value lists. By default, the first page is + returned, with 20 results per page. + operationId: FindLists + parameters: + - description: The page number to return. + in: query + name: page + required: false + schema: + example: 1 + type: integer + - description: The number of value lists to return per page. + in: query + name: per_page + required: false + schema: + example: 20 + type: integer + - description: Determines which field is used to sort the results. + in: query + name: sort_field + required: false + schema: + example: name + format: nonempty + minLength: 1 + type: string + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + example: asc + type: string + - description: >- + Returns the lists that come after the last lists returned in the + previous call (use the `cursor` value returned in the previous + call). This parameter uses the `tie_breaker_id` field to ensure all + lists are sorted and returned correctly. + in: query + name: cursor + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' + - description: > + Filters the returned results according to the value of the specified + field, + + using the : syntax. 
+ in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListsFilter' + responses: + '200': + content: + application/json: + examples: + ipList: + value: + cursor: >- + WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d + data: + - _version: WzAsMV0= + '@timestamp': | + 2025-01-08T04:47:34.273Z + created_at: | + 2025-01-08T04:47:34.273Z + created_by: elastic + description: This list describes bad internet ip + id: ip_list + immutable: false + name: Simple list with an ip + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: | + 2025-01-08T04:47:34.273Z + updated_by: elastic + version: 1 + page: 1 + per_page: 20 + total: 1 + schema: type: object properties: - comparator: - type: string - customMetric: - additionalProperties: false - type: object - properties: - aggregation: - type: string - field: - type: string - id: - type: string - label: - type: string - type: - enum: - - custom - type: string - required: - - type - - id - - field - - aggregation - metric: - type: string - threshold: - items: - type: number - type: array - timeSize: - type: number - timeUnit: - type: string - warningComparator: - type: string - warningThreshold: + cursor: + $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' + data: items: - type: number + $ref: '#/components/schemas/Security_Lists_API_List' type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer required: - - threshold - - comparator - - timeUnit - - timeSize - - metric - type: array - filterQuery: - type: string - nodeType: - type: string - schema: - type: string - sourceId: - type: string - required: - - criteria - - nodeType - - sourceId - title: Metric Inventory Threshold Rule Params - type: object - rule_type_id: - enum: - - metrics.alert.inventory.threshold - type: string - schedule: - additionalProperties: false - description: The check interval, which 
specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Metric inventory threshold - type: object - Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. 
- items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. 
- type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. 
- type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. 
- type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the metric threshold rule. These parameters are appropriate when `rule_type_id` is `metrics.alert.threshold`. - properties: - alertOnGroupDisappear: - description: If true, an alert occurs if a group that previously reported metrics does not report them again over the expected time period. This check is not recommended for dynamically scaling infrastructures that might rapidly start and stop nodes automatically. - type: boolean - alertOnNoData: - description: If true, an alert occurs if the metrics do not report any data over the expected period or if the query fails. 
- type: boolean - criteria: - items: - anyOf: - - additionalProperties: false - type: object - properties: - aggType: - enum: - - count - type: string - comparator: - type: string - threshold: - description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. - items: - type: number - type: array - timeSize: - description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. - type: number - timeUnit: - description: 'The type of units for the time window: seconds, minutes, hours, or days.' - type: string - warningComparator: - type: string - warningThreshold: - items: - description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. - type: number - type: array - required: - - threshold - - comparator - - timeUnit - - timeSize - - aggType - - additionalProperties: false - type: object - properties: - aggType: - type: string - comparator: - type: string - metric: - type: string - threshold: - description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. - items: - type: number - type: array - timeSize: - description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. - type: number - timeUnit: - description: 'The type of units for the time window: seconds, minutes, hours, or days.' - type: string - warningComparator: - type: string - warningThreshold: - items: - description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. 
- type: number - type: array - required: - - threshold - - comparator - - timeUnit - - timeSize - - metric - - aggType - - additionalProperties: false - type: object - properties: - aggType: - enum: - - custom - type: string - comparator: - type: string - customMetrics: - items: - anyOf: - - additionalProperties: false - type: object - properties: - aggType: - type: string - field: - type: string - name: - type: string - required: - - name - - aggType - - field - - additionalProperties: false - type: object - properties: - aggType: - enum: - - count - type: string - filter: - type: string - name: - type: string - required: - - name - - aggType - type: array - equation: - type: string - label: - type: string - threshold: - description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. - items: - type: number - type: array - timeSize: - description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. - type: number - timeUnit: - description: 'The type of units for the time window: seconds, minutes, hours, or days.' - type: string - warningComparator: - type: string - warningThreshold: - items: - description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. - type: number - type: array - required: - - threshold - - comparator - - timeUnit - - timeSize - - aggType - - customMetrics - type: array - filterQuery: - description: A query that limits the scope of the rule. The rule evaluates only metric data that matches the query. - type: string - groupBy: - anyOf: - - type: string - - items: - type: string - type: array - description: 'Create an alert for every unique value of the specified fields. 
For example, you can create a rule per host or every mount point of each host. IMPORTANT: If you include the same field in both the `filterQuery` and `groupBy`, you might receive fewer results than you expect. For example, if you filter by `cloud.region: us-east`, grouping by `cloud.region` will have no effect because the filter query can match only one region.' - sourceId: - type: string - required: - - criteria - - sourceId - title: Metric Threshold Rule Params - type: object - rule_type_id: - enum: - - metrics.alert.threshold - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Metric threshold - type: object - Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs. + - data + - page + - per_page + - total + - cursor + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: page: Expected number, received nan' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [GET /api/lists/_find?page=1&per_page=20] is + unauthorized for user, this action is granted by the + Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value lists + tags: + - Security Lists API + /api/lists/index: + delete: + description: Delete the `.lists` and `.items` data streams. 
+ operationId: DeleteListIndex + responses: + '200': + content: + application/json: + examples: + acknowledged: + value: + acknowledged: true + schema: type: object properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. 
- type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + message: >- + Unable to delete value list data streams: invalid or + missing index metadata + status_code: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [DELETE /api/lists/index] is not authorized; lists-all + (or equivalent) is required to delete data streams + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: The value list 
data stream was not found in this space + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete value list data streams + tags: + - Security Lists API + get: + description: Verify that `.lists` and `.items` data streams exist. + operationId: ReadListIndex + responses: + '200': + content: + application/json: + examples: + bothExist: + value: + list_index: true + list_item_index: true + schema: type: object properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. + list_index: + type: boolean + list_item_index: type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. 
NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. 
- type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false + - list_index + - list_item_index + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + message: >- + Unable to read value list data stream status for this + space + status_code: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [GET /api/lists/index] is not authorized; list read + permissions are required + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: Value list backing indices were not found for this space + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream(s) not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + 
summary: Get status of value list data streams + tags: + - Security Lists API + post: + deprecated: true + description: > + **DEPRECATED.** `deprecated: true` is set on this operation. Value list + backing data streams for the space + + are now created as part of supported workflows; calling this explicitly + is rarely required. + + **WARNING:** Do not use for new integrations. Prefer the UI or the list + and list-item APIs after confirming + + indices exist with `GET /api/lists/index`. + + + Creates the `.lists` and `.items` data streams in the current Kibana + space. + operationId: CreateListIndex + responses: + '200': + content: + application/json: + examples: + acknowledged: + value: + acknowledged: true + schema: type: object properties: - id: - type: string + acknowledged: + type: boolean required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false + - acknowledged + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + message: >- + Indices exist but the request could not be completed for + the current space. Check that Elasticsearch and Kibana + privileges allow index creation for lists. 
+ status_code: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: > + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [POST /api/lists/index] is unauthorized for user, this + action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: >- + data stream: \".lists-default\" and \".items-default\" + already exists + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create list data streams + tags: + - Security Lists API + /api/lists/items: + delete: + description: >- + Delete a value list item using its `id`, or its `list_id` and `value` + fields. + operationId: DeleteListItem + parameters: + - description: >- + Value list item's identifier. 
Required if `list_id` and `value` are
+ not specified.
+ in: query
+ name: id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemId'
+ - description: Value list's identifier. Required if `id` is not specified.
+ in: query
+ name: list_id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ - description: >-
+ The value used to evaluate exceptions. Required if `id` is not
+ specified.
+ in: query
+ name: value
+ required: false
+ schema:
+ example: 255.255.255.255
+ type: string
+ - description: >-
+ Determines when changes made by the request are made visible to
+ search.
+ in: query
+ name: refresh
+ required: false
+ schema:
+ default: 'false'
+ enum:
+ - 'true'
+ - 'false'
+ - wait_for
+ example: false
+ type: string
+ responses:
+ '200':
+ content:
+ application/json:
+ examples:
+ ip:
+ value:
+ _version: WzIwLDFd
+ '@timestamp': 2025-01-08T05:15:05.159Z
+ created_at: 2025-01-08T05:15:05.159Z
+ created_by: elastic
+ id: pd1WRJQBs4HAK3VQeHFI
+ list_id: ip_list
+ tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3
+ type: ip
+ updated_at: 2025-01-08T05:44:14.009Z
+ updated_by: elastic
+ value: 255.255.255.255
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_ListItem'
+ - items:
+ $ref: '#/components/schemas/Security_Lists_API_ListItem'
+ type: array
+ description: Successful response
+ '400':
+ content:
+ application/json:
+ examples:
+ badRequest:
+ value:
+ message: >-
+ Either \"list_id\" or \"id\" needs to be defined in the
+ request
+ status_code: 400
+ schema:
+ oneOf:
+ - $ref: >-
+ #/components/schemas/Security_Lists_API_PlatformErrorResponse
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json:
+ examples:
+ unauthorized:
+ value:
+ error: Unauthorized
+ message: >-
+ [security_exception\n\tRoot
+ causes:\n\t\tsecurity_exception: unable to authenticate
+ user
[elastic] for REST request
+ [/_security/_authenticate]]: unable to authenticate user
+ [elastic] for REST request [/_security/_authenticate]
+ statusCode: 401
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json:
+ examples:
+ forbidden:
+ value:
+ error: Forbidden
+ message: >-
+ API [DELETE /api/lists/items?id=pd1WRJQBs4HAK3VQeHFI] is
+ unauthorized for user, this action is granted by the
+ Kibana privileges [lists-all]
+ statusCode: 403
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '404':
+ content:
+ application/json:
+ examples:
+ notFound:
+ value:
+ message: 'list item with id: \"pd1WRJQBs4HAK3VQeHFI\" not found'
+ status_code: 404
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List item not found response
+ '500':
+ content:
+ application/json:
+ examples:
+ serverError:
+ value:
+ message: Internal Server Error
+ status_code: 500
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Delete a value list item
+ tags:
+ - Security Lists API
+ get:
+ description: Get the details of a value list item.
+ operationId: ReadListItem
+ parameters:
+ - description: >-
+ Value list item identifier. Required if `list_id` and `value` are
+ not specified.
+ in: query
+ name: id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ - description: >-
+ Value list item list's `id` identfier. Required if `id` is not
+ specified.
+ in: query
+ name: list_id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ - description: >-
+ The value used to evaluate exceptions. Required if `id` is not
+ specified.
+ in: query
+ name: value
+ required: false
+ schema:
+ example: 127.0.0.2
+ type: string
+ responses:
+ '200':
+ content:
+ application/json:
+ examples:
+ ip:
+ value:
+ _version: WzExLDFd
+ '@timestamp': 2025-01-08T05:16:25.882Z
+ created_at: 2025-01-08T05:16:25.882Z
+ created_by: elastic
+ id: qN1XRJQBs4HAK3VQs3Gc
+ list_id: ip_list
+ tie_breaker_id: a9a34c02-a385-436e-86a0-02a3942f3537
+ type: ip
+ updated_at: 2025-01-08T05:16:25.882Z
+ updated_by: elastic
+ value: 127.0.0.2
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_ListItem'
+ - items:
+ $ref: '#/components/schemas/Security_Lists_API_ListItem'
+ type: array
+ description: Successful response
+ '400':
+ content:
+ application/json:
+ examples:
+ badRequest:
+ value:
+ message: >-
+ Either \"list_id\" or \"id\" needs to be defined in the
+ request
+ status_code: 400
+ schema:
+ oneOf:
+ - $ref: >-
+ #/components/schemas/Security_Lists_API_PlatformErrorResponse
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json:
+ examples:
+ unauthorized:
+ value:
+ error: Unauthorized
+ message: >-
+ [security_exception\n\tRoot
+ causes:\n\t\tsecurity_exception: unable to authenticate
+ user [elastic] for REST request
+ [/_security/_authenticate]]: unable to authenticate user
+ [elastic] for REST request [/_security/_authenticate]
+ statusCode: 401
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json:
+ examples:
+ forbidden:
+ value:
+ error: Forbidden
+ message: >-
+ API [GET /api/lists/items?id=qN1XRJQBs4HAK3VQs3Gc] is
+ unauthorized for user, this action is granted by the
+ Kibana privileges [lists-read]
+ statusCode: 403
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '404':
+ content:
+
application/json: + examples: + notFound: + value: + message: 'list item id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get a value list item + tags: + - Security Lists API + patch: + description: >- + Update specific fields of an existing value list item using the item + `id`. + operationId: PatchListItem + requestBody: + content: + application/json: + examples: + changeValue: + value: + id: pd1WRJQBs4HAK3VQeHFI + value: 255.255.255.255 + schema: + example: + id: pd1WRJQBs4HAK3VQeHFI + value: 255.255.255.255 type: object properties: - blob: - maxLength: 10000 + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + refresh: + description: >- + Determines when changes made by the request are made visible + to search. + enum: + - 'true' + - 'false' + - wait_for type: string + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. 
- type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the cluster health rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_cluster_health`. 
- properties: - duration: - type: string - filterQuery: - type: string - filterQueryText: - type: string - limit: - type: string - threshold: - type: number - required: - - duration - title: Cluster Health Rule Params - type: object - rule_type_id: - enum: - - monitoring_alert_cluster_health - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Cluster health - type: object - Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
- type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). 
- type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. + - id + description: Value list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + ipItem: + value: + _version: WzE5LDFd + '@timestamp': 2025-01-08T05:15:05.159Z + created_at: 2025-01-08T05:15:05.159Z + created_by: elastic + id: pd1WRJQBs4HAK3VQeHFI + list_id: ip_list + tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 + type: ip + updated_at: 2025-01-08T05:23:37.602Z + updated_by: elastic + value: 255.255.255.255 + schema: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + message: >- + {"took":15,"timed_out":false,"total":1,"updated":0,"deleted":0,"batches":1,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1,"throttled_until_millis":0,"failures":[{"index":".ds-.items-default-2025.01.09-000001","id":"ip_item","cause":{"type":"document_parsing_exception","reason":"[1:107] + failed to parse field [ip] of type [ip] in document with + id ip_item. 
Preview of fields value: + 2","caused_by":{"type":"illegal_argument_exception","reason":"2 + is not an IP string literal."}},"status":400}]} + status_code: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [PATCH /api/lists/items] is unauthorized for user, + this action is granted by the Kibana privileges + [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list item id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Patch a value list item + tags: + - Security Lists API + post: + description: > + Create a value list item and associate it with the specified value list. + + + All value list items in the same list must be the same type. 
For + example, each list item in an `ip` list must define a specific IP + address. + + > info + + > Before creating a list item, you must create a list. + operationId: CreateListItem + requestBody: + content: + application/json: + examples: + ip: + value: + list_id: ip_list + value: 127.0.0.1 + ip_range: + value: + list_id: ip_range_list + value: 192.168.0.0/16 + keyword: + value: + list_id: keyword_list + value: zeek + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + list_id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + refresh: + description: >- + Determines when changes made by the request are made visible + to search. + enum: + - 'true' + - 'false' + - wait_for + example: wait_for + type: string + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - list_id + - value + description: Value list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + ip: + value: + _version: WzAsMV0= + '@timestamp': 2025-01-08T04:59:06.154Z + created_at: 2025-01-08T04:59:06.154Z + created_by: elastic + id: 21b01cfb-058d-44b9-838c-282be16c91cc + list_id: ip_list + tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a + type: ip + updated_at: 2025-01-08T04:59:06.154Z + updated_by: elastic + value: 127.0.0.1 + ip_range: + value: + _version: WzEsMV0= + '@timestamp': 2025-01-09T18:33:08.202Z + created_at: 2025-01-09T18:33:08.202Z + created_by: elastic + id: ip_range_item + list_id: ip_range_list + tie_breaker_id: ea1b4189-efda-4637-b8f9-74655a5ebb61 + type: ip_range + updated_at: 2025-01-09T18:33:08.202Z + updated_by: elastic + value: 192.168.0.0/16 + keyword: + value: + _version: WzIsMV0= + '@timestamp': 2025-01-09T18:34:29.422Z + created_at: 2025-01-09T18:34:29.422Z + created_by: elastic + id: 7f24737d-1da8-4626-a568-33070591bb4e + list_id: keyword_list + 
tie_breaker_id: 2108ced2-5e5d-401e-a88e-4dd69fc5fa27 + type: keyword + updated_at: 2025-01-09T18:34:29.422Z + updated_by: elastic + value: zeek + schema: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + uri [/api/lists/items] with method [post] exists but is + not available with the current configuration + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [POST /api/lists/items] is unauthorized for user, this + action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + listNotFound: + value: + message: 'list id: \"ip_list\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'list item id: \"ip_item\" already exists' + status_code: 409 + schema: + 
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item already exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create a value list item + tags: + - Security Lists API + put: + description: > + Update a value list item using the list item ID. The original list item + is replaced, and all unspecified fields are deleted. + + > info + + > You cannot modify the `id` value. + operationId: UpdateListItem + requestBody: + content: + application/json: + examples: + fullReplace: + value: + id: ip_item + value: 255.255.255.255 + schema: + example: + id: ip_item + value: 255.255.255.255 + type: object + properties: + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - id + - value + description: Value list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + ip: + value: + _version: WzIwLDFd + '@timestamp': 2025-01-08T05:15:05.159Z + created_at: 2025-01-08T05:15:05.159Z + created_by: elastic + id: pd1WRJQBs4HAK3VQeHFI + list_id: ip_list + tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 + type: ip + updated_at: 2025-01-08T05:44:14.009Z + updated_by: elastic + value: 255.255.255.255 + schema: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: >- + 
#/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [PATCH /api/lists/items] is unauthorized for user, + this action is granted by the Kibana privileges + [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list item id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Update a value list item + tags: + - Security Lists API + /api/lists/items/_export: + post: + description: Export list item values from the specified value list. + operationId: ExportListItems + parameters: + - description: Value list's `id` to export. 
+ in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + responses: + '200': + content: + application/ndjson: + examples: + ipLines: + value: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 + schema: + description: A `.txt` file containing list items from the specified list + example: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 + 127.0.0.4 + 127.0.0.5 + 127.0.0.6 + 127.0.0.7 + 127.0.0.8 + 127.0.0.9 + format: binary type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: 'Bad Request","message":"[request query]: list_id: Required' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [POST 
/api/lists/items/_export?list_id=ips.txt] is
+ unauthorized for user, this action is granted by the
+ Kibana privileges [lists-read]
+ statusCode: 403
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '404':
+ content:
+ application/json:
+ examples:
+ notFound:
+ value:
+ message: 'list id: "unknown_list" not found'
+ status_code: 404
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List not found response
+ '500':
+ content:
+ application/json:
+ examples:
+ serverError:
+ value:
+ message: Internal Server Error
+ status_code: 500
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Export value list items
+ tags:
+ - Security Lists API
+ /api/lists/items/_find:
+ get:
+ description: Get all value list items in the specified list.
+ operationId: FindListItems
+ parameters:
+ - description: Parent value list's `id` to page through items for.
+ in: query
+ name: list_id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ - description: The page number to return.
+ in: query
+ name: page
+ required: false
+ schema:
+ example: 1
+ type: integer
+ - description: The number of list items to return per page.
+ in: query
+ name: per_page
+ required: false
+ schema:
+ example: 20
+ type: integer
+ - description: Determines which field is used to sort the results.
+ in: query
+ name: sort_field
+ required: false
+ schema:
+ example: value
+ format: nonempty
+ minLength: 1
+ type: string
+ - description: Determines the sort order, which can be `desc` or `asc`
+ in: query
+ name: sort_order
+ required: false
+ schema:
+ enum:
+ - desc
+ - asc
+ example: asc
+ type: string
+ - description: >
+ Opaque cursor returned in a previous response; pass it to continue
+ listing from the next page. Omit on the first request.
+ in: query + name: cursor + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' + - description: > + Filters the returned results according to the value of the specified + field, + + using the : syntax. + in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter' + responses: + '200': + content: + application/json: + examples: + ip: + value: + cursor: >- + WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d + data: + - _version: WzAsMV0= + '@timestamp': 2025-01-08T04:59:06.154Z + created_at: 2025-01-08T04:59:06.154Z + created_by: elastic + id: 21b01cfb-058d-44b9-838c-282be16c91cc + list_id: ip_list + tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a + type: ip + updated_at: 2025-01-08T04:59:06.154Z + updated_by: elastic + value: 127.0.0.1 + page: 1 + per_page: 20 + total: 1 + schema: type: object properties: - id: - type: string + cursor: + $ref: >- + #/components/schemas/Security_Lists_API_FindListItemsCursor + data: + items: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false + - data + - page + - per_page + - total + - cursor + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request, + message: '[request query]: list_id: Required' + statusCode: 400, + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to 
authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [GET + /api/lists/items/_find?list_id=ip_list&page=1&per_page=20] + is unauthorized for user, this action is granted by the + Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value list items + tags: + - Security Lists API + /api/lists/items/_import: + post: + description: > + Import value list items from a TXT or CSV file. The maximum file size is + 9 million bytes. + + + You can import items to a new or existing list. + operationId: ImportListItems + parameters: + - description: | + List's id. + + Required when importing to an existing list. + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: | + Type of the importing list. + + Required when importing a new list whose list `id` is not specified. + examples: + ip: + value: ip + in: query + name: type + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListType' + - description: >- + Determines when changes made by the request are made visible to + search. 
+ in: query + name: refresh + required: false + schema: + enum: + - 'true' + - 'false' + - wait_for + example: true + type: string + requestBody: + content: + multipart/form-data: + examples: + ipLinesFile: + value: + file: list_values.txt + schema: type: object properties: - blob: - maxLength: 10000 + file: + description: >- + A `.txt` or `.csv` file containing newline separated list + items. + example: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 + 127.0.0.4 + 127.0.0.5 + 127.0.0.6 + 127.0.0.7 + 127.0.0.8 + 127.0.0.9 + format: binary type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the CPU usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_cpu_usage`. - properties: - duration: - type: string - filterQuery: - type: string - filterQueryText: - type: string - limit: - type: string - threshold: - type: number - required: - - duration - title: CPU Usage Rule Params - type: object - rule_type_id: - enum: - - monitoring_alert_cpu_usage - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: CPU usage - type: object - Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. 
- type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false + required: true + responses: + '200': + content: + application/json: + examples: + ip: + value: + _version: WzAsMV0= + '@timestamp': 2025-01-08T04:47:34.273Z + created_at: 2025-01-08T04:47:34.273Z + created_by: elastic + description: This list describes bad internet ip + id: ip_list + immutable: false + name: Simple list with an ip + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: 2025-01-08T04:47:34.273Z + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + message: Either type or list_id need to be defined in the query + status_code: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: 
Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [POST /api/lists/items/_import?list_id=ip_list] is + unauthorized for user, this action is granted by the + Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + notFound: + value: + message: >- + List with the specified list_id does not exist, create the + list or fix list_id to import to an existing one + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List with specified list_id does not exist response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Import value list items + tags: + - Security Lists API + /api/lists/privileges: + get: + description: > + Returns the caller's authentication state and the Elasticsearch + `cluster`, `index`, and `application` + + privileges for `.lists` and `.items` data streams in the current Kibana + space. Use this to decide which list + + APIs (`read` vs `all` operations) are available before you create or + import lists. 
+ operationId: ReadListPrivileges + responses: + '200': + content: + application/json: + examples: + privileges: + value: + is_authenticated: true + listItems: + application: {} + cluster: + all: true + manage: true + manage_api_key: true + manage_index_templates: true + manage_ml: true + manage_own_api_key: true + manage_pipeline: true + manage_security: true + manage_transform: true + monitor: true + monitor_ml: true + monitor_transform: true + has_all_requested: true + index: + .items-default: + all: true + create: true + create_doc: true + create_index: true + delete: true + delete_index: true + index: true + maintenance: true + manage: true + monitor: true + read: true + view_index_metadata: true + write: true + username: elastic + lists: + application: {} + cluster: + all: true + manage: true + manage_api_key: true + manage_index_templates: true + manage_ml: true + manage_own_api_key: true + manage_pipeline: true + manage_security: true + manage_transform: true + monitor: true + monitor_ml: true + monitor_transform: true + has_all_requested: true + index: + .lists-default: + all: true + create: true + create_doc: true + create_index: true + delete: true + delete_index: true + index: true + maintenance: true + manage: true + monitor: true + read: true + view_index_metadata: true + write: true + username: elastic + schema: type: object properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. + is_authenticated: type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. 
- type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string + listItems: + $ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges' + lists: + $ref: '#/components/schemas/Security_Lists_API_ListPrivileges' required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. 
- type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the disk usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_disk_usage`. - properties: - duration: - type: string - filterQuery: - type: string - filterQueryText: - type: string - limit: - type: string - threshold: - type: number - required: - - duration - title: Disk Usage Rule Params - type: object - rule_type_id: - enum: - - monitoring_alert_disk_usage - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Disk usage - type: object - Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). 
- type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. 
+ - lists + - listItems + - is_authenticated + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + Unable to resolve list privileges: invalid or missing + space context for this request + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [GET /api/lists/privileges] is unauthorized for user, + this action is granted by the Kibana privileges + [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value list privileges + tags: + - Security Lists API + /api/ml/saved_objects/sync: + get: + description: > + Synchronizes Kibana saved objects for machine learning jobs and trained + models in the default space. You must have `all` privileges for the + **Machine Learning** feature in the **Analytics** section of the Kibana + feature privileges. 
This API runs automatically when you start Kibana + and periodically thereafter. + operationId: mlSync + parameters: + - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' + responses: + '200': + content: + application/json: + examples: + syncExample: + $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' + schema: + $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' + description: Indicates a successful call + '401': + content: + application/json: + examples: + syncExample: + $ref: '#/components/examples/Machine_learning_APIs_mlSync401Example' + schema: + $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' + description: Authorization information is missing or invalid. + summary: Sync saved objects in the default space + tags: + - ml + /api/ml/saved_objects/update_jobs_spaces: + post: + description: Update a list of jobs to add and/or remove them from given spaces. + operationId: mlUpdateJobsSpaces + requestBody: + content: + application/json: + examples: + updateADJobSpacesRequest: + value: + jobIds: + - test-job + jobType: anomaly-detector + spacesToAdd: + - default + spacesToRemove: + - '*' + updateDFAJobSpacesRequest: + value: + jobIds: + - test-job + jobType: data-frame-analytics + spacesToAdd: + - default + spacesToRemove: + - '*' + responses: + '200': + content: + application/json: + examples: + successADResponse: + value: + test-job: + success: true + type: anomaly-detector + successDFAResponse: + value: + test-job: + success: true + type: data-frame-analytics + description: Indicates a successful call + summary: Update jobs spaces + tags: + - ml + /api/ml/saved_objects/update_trained_models_spaces: + post: + description: >- + Update a list of trained models to add and/or remove them from given + spaces. 
+ operationId: mlUpdateTrainedModelsSpaces + requestBody: + content: + application/json: + examples: + updateTrainedModelsSpacesRequest: + value: + modelIds: + - test-model + spacesToAdd: + - default + spacesToRemove: + - '*' + responses: + '200': + content: + application/json: + examples: + successTMResponse: + value: + test-model: + success: true + type: trained-model" + description: Indicates a successful call + summary: Update trained models spaces + tags: + - ml + /api/note: + delete: + description: > + Deletes notes by saved object ID. Send either `noteId` (single ID) or + `noteIds` (array of IDs) in the JSON body. + + + The response has HTTP 200 with an empty body on success. + + + Requires the **Timeline and Notes** write privilege (`notes_write`). + operationId: DeleteNote + requestBody: + content: + application/json: + examples: + deleteOne: + summary: Delete a single note by id + value: + noteId: 709f99c6-89b6-4953-9160-35945c8e174e + schema: + oneOf: + - nullable: true + type: object + properties: + noteId: + description: Saved object ID of the note to delete. + type: string + required: + - noteId + - nullable: true + type: object + properties: + noteIds: + description: Saved object IDs of the notes to delete. + items: type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. 
- type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false + nullable: true + type: array + required: + - noteIds + description: > + Exactly one shape: `{ "noteId": "" }` for a single delete, or `{ + "noteIds": ["", ...] }` for bulk delete. + + `noteIds` may be null in some clients; prefer an empty array or omit + unused fields when possible. + required: true + responses: + '200': + description: The notes were deleted successfully. Response body is empty. + summary: Delete one or more notes + tags: + - Security Timeline API + - access:securitySolution + get: + description: > + Returns Security Timeline notes as saved objects. + + + **Query modes (mutually exclusive branches on the server):** + + + 1. **`documentIds` is set** — Returns notes whose `eventId` matches the + given Elasticsearch document `_id` (single string or array). Pagination + query parameters (`page`, `perPage`, etc.) are **not** applied; the + server uses a fixed page size (up to 10000 notes). + + + 2. **`savedObjectIds` is set** — Returns notes linked to the given + Timeline saved object id(s). Same fixed cap as above; list-mode query + parameters are **not** applied. + + + 3. **Neither `documentIds` nor `savedObjectIds`** — Lists notes using + saved-objects find semantics: `page` (default 1), `perPage` (default + 10), optional `search`, `sortField`, `sortOrder`, `filter`, + `createdByFilter`, and `associatedFilter`. + + + Requires the **Timeline and Notes** read privilege (`notes_read`). + operationId: GetNotes + parameters: + - description: > + Event document `_id` values to match against each note's `eventId`. 
+ When this parameter is present, the response is all matching notes + (up to the server's hard limit), not a paged list using + `page`/`perPage`. + examples: + multiple: + summary: Multiple document ids (array) + value: + - id-one + - id-two + single: + summary: Single document id + value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b + in: query + name: documentIds + schema: + $ref: '#/components/schemas/Security_Timeline_API_DocumentIds' + - description: > + Timeline `savedObjectId` value(s). Returns notes that reference + those timelines. When present, list-mode pagination parameters are + not used; up to the server's hard limit of notes may be returned. + examples: + singleTimeline: + summary: Single timeline id + value: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + in: query + name: savedObjectIds + schema: + $ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds' + - description: > + Page number for list mode (when `documentIds` and `savedObjectIds` + are omitted). Passed as a string; default 1. + example: '1' + in: query + name: page + schema: + nullable: true + type: string + - description: > + Page size for list mode (when `documentIds` and `savedObjectIds` are + omitted). Passed as a string; default 10. + example: '20' + in: query + name: perPage + schema: + nullable: true + type: string + - description: Search string for saved-objects find (list mode only). + in: query + name: search + schema: + nullable: true + type: string + - description: Field to sort by for saved-objects find (list mode only). + in: query + name: sortField + schema: + nullable: true + type: string + - description: >- + Sort order (`asc` or `desc`) for saved-objects find (list mode + only). + example: desc + in: query + name: sortOrder + schema: + nullable: true + type: string + - description: > + Kuery filter string combined with other list-mode filters (for + example `createdByFilter` or `associatedFilter`). 
Typed as a string + for API compatibility; interpreted by the saved-objects layer (list + mode only). + in: query + name: filter + schema: + nullable: true + type: string + - description: > + Kibana user profile **UID** (UUID). The server resolves the user's + display identifiers and returns notes whose `createdBy` matches any + of them (list mode only). + example: f1c2d3e4-5b6a-7890-abcd-ef1234567890 + in: query + name: createdByFilter + schema: + nullable: true + type: string + - description: > + Restricts notes by how they relate to a Timeline and/or an event + document (list mode only). Some values apply extra filtering after + the query. Ignored when `documentIds` or `savedObjectIds` is used. + in: query + name: associatedFilter + schema: + $ref: '#/components/schemas/Security_Timeline_API_AssociatedFilterType' + responses: + '200': + content: + application/json: + examples: + notesPage: + summary: Paged notes for a timeline + value: + notes: + - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + note: Escalated to tier-2 analyst + noteId: 709f99c6-89b6-4953-9160-35945c8e174e + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzQ2LDFd + totalCount: 1 + schema: + $ref: '#/components/schemas/Security_Timeline_API_GetNotesResult' + description: Notes and total count for the requested mode. + summary: Get notes + tags: + - Security Timeline API + - access:securitySolution + patch: + description: > + Creates a new note or updates an existing one. + + + **Create:** Send `note` and omit `noteId` to create a new saved object. + + + **Update:** Send `note` with the changed fields and set `noteId` to the + note's saved object ID. Optionally include `version` for optimistic + concurrency when the client has it from a prior read. + + + Requires the **Timeline and Notes** write privilege (`notes_write`). 
+ externalDocs: + description: Add or update a note on a Timeline + url: >- + https://www.elastic.co/guide/en/security/current/timeline-api-update.html + operationId: PersistNoteRoute + requestBody: + content: + application/json: + examples: + addNote: + summary: Add a note on an event + value: + note: + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + note: Escalated to tier-2 analyst + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + schema: type: object properties: - blob: - maxLength: 10000 + note: + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + description: >- + Note payload (timeline, text, optional event linkage, + metadata). + noteId: + description: >- + The `savedObjectId` of the note to update. Omit when + creating a new note. + example: 709f99c6-89b6-4953-9160-35945c8e174e + nullable: true type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. 
- maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the ES version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_elasticsearch_version_mismatch`. - properties: - duration: - type: string - filterQuery: - type: string - filterQueryText: - type: string - limit: - type: string - threshold: - type: number - required: - - duration - title: ES Version Mismatch Rule Params - type: object - rule_type_id: - enum: - - monitoring_alert_elasticsearch_version_mismatch - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. 
- items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Elasticsearch version mismatch - type: object - Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. 
- enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: + version: + description: >- + Saved object version string from a previous read; optional + on update. + example: WzQ2LDFd nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. 
The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false + type: string + required: + - note + description: > + Body must include the `note` object. For updates, include `noteId` + (and optionally `version`). + + To attach a note to a specific event, set `note.eventId` to that + event's document `_id`; for a timeline-wide note, omit or clear + `eventId` per product rules. + required: true + responses: + '200': + content: + application/json: + examples: + persisted: + summary: Persisted note wrapper + value: + note: + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + note: Escalated to tier-2 analyst + noteId: 709f99c6-89b6-4953-9160-35945c8e174e + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzQ2LDFd + schema: + $ref: '#/components/schemas/Security_Timeline_API_ResponseNote' + description: The persisted note, including `noteId` and `version`. + summary: Add or update a note + tags: + - Security Timeline API + - access:securitySolution + /api/observability_ai_assistant/chat/complete: + post: + description: > + Create a new chat completion by using the Observability AI Assistant. 
+ + + The API returns the model's response based on the current conversation + context. + + + It also handles any tool requests within the conversation, which may + trigger multiple calls to the underlying large language model (LLM). + + + This functionality is in technical preview and may be changed or removed + in a future release. Elastic will work to fix any issues, but features + in technical preview are not subject to the support SLA of official GA + features. + operationId: observability-ai-assistant-chat-complete + requestBody: + content: + application/json: + examples: + chatCompleteRequestExample: + $ref: >- + #/components/examples/Observability_AI_Assistant_API_ChatCompleteRequestExample + schema: type: object properties: - blob: - maxLength: 10000 + actions: + items: + $ref: >- + #/components/schemas/Observability_AI_Assistant_API_Function + type: array + connectorId: + description: A unique identifier for the connector. + type: string + conversationId: + description: >- + A unique identifier for the conversation if you are + continuing an existing conversation. + type: string + disableFunctions: + description: >- + Flag indicating whether all function calls should be + disabled for the conversation. If true, no calls to + functions will be made. + type: boolean + instructions: + description: >- + An array of instruction objects, which can be either simple + strings or detailed objects. + items: + $ref: >- + #/components/schemas/Observability_AI_Assistant_API_Instruction + type: array + messages: + description: >- + An array of message objects containing the conversation + history. + items: + $ref: >- + #/components/schemas/Observability_AI_Assistant_API_Message + type: array + persist: + description: >- + Indicates whether the conversation should be saved to + storage. If true, the conversation will be saved and will be + available in Kibana. + type: boolean + title: + description: A title for the conversation. 
type: string required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the memory usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_jvm_memory_usage`. - properties: - duration: - type: string - filterQuery: - type: string - filterQueryText: - type: string - limit: - type: string - threshold: - type: number - required: - - duration - title: Memory Usage Rule Params - type: object - rule_type_id: - enum: - - monitoring_alert_jvm_memory_usage - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: + - messages + - connectorId + - persist + responses: + '200': + content: + application/json: + examples: + chatCompleteResponseExample: + $ref: >- + #/components/examples/Observability_AI_Assistant_API_ChatCompleteResponseExample + schema: + type: object + description: Successful response + summary: Generate a chat completion + tags: + - observability_ai_assistant + x-codeSamples: + - lang: cURL + source: > + curl --request POST + 'localhost:5601/api/observability_ai_assistant/chat/complete' -u + : -H 'kbn-xsrf: true' -H "Content-Type: + application/json" --data ' + + { + + "connectorId": "", + + "disableFunctions": false, + "messages": [ + { + "@timestamp": "2025-06-25T23:45:00.000Z", + "message": { + "role": "user", + "content": "Is my Elasticsearch cluster healthy right now?" 
+ } + } + ], + "persist": false, + + "actions": [ + { + "name": "get_cluster_health", + "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", + "parameters": { + "type": "object", + "properties": { + "includeShardStats": { + "type": "boolean", + "default": false + } + } + } + } + ], + + "instructions": ["When the user asks about Elasticsearch cluster + health, use the get_cluster_health tool to retrieve cluster health, + then summarize the response in plain English."] + + }' + x-state: Technical Preview + /api/osquery/history: + get: + description: > + Get a unified, time-sorted history of live, rule-triggered, and + scheduled osquery executions. The response uses cursor-based pagination. + operationId: OsqueryGetUnifiedHistory + parameters: + - description: The number of results to return per page. + in: query + name: pageSize + required: false + schema: + default: 20 + description: The number of results to return per page. + maximum: 100 + minimum: 1 + type: integer + - description: >- + A base64-encoded cursor for pagination. Use the value from the + previous response to fetch the next page. + in: query + name: nextPage + required: false + schema: + description: >- + A base64-encoded cursor for pagination. Use the value from the + previous response to fetch the next page. + type: string + - description: >- + A search string to filter history entries by pack name, query text, + or query ID. + in: query + name: kuery + required: false + schema: + description: >- + A search string to filter history entries by pack name, query + text, or query ID. + type: string + - description: Comma-separated list of user IDs to filter live query history. + in: query + name: userIds + required: false + schema: + description: Comma-separated list of user IDs to filter live query history. + example: elastic,admin + type: string + - description: >- + Comma-separated list of source types to include. Valid values are + `live`, `rule`, and `scheduled`. 
+ in: query + name: sourceFilters + required: false + schema: + description: >- + Comma-separated list of source types to include. Valid values are + `live`, `rule`, and `scheduled`. + example: live,scheduled + type: string + - description: The start of the time range filter (ISO 8601). + in: query + name: startDate + required: false + schema: + description: The start of the time range filter (ISO 8601). + example: '2024-01-01T00:00:00Z' + type: string + - description: The end of the time range filter (ISO 8601). + in: query + name: endDate + required: false + schema: + description: The end of the time range filter (ISO 8601). + example: '2024-12-31T23:59:59Z' + type: string + responses: + '200': + content: + application/json: + examples: + unifiedHistoryExample: + summary: Example unified history response + value: + data: + - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agentCount: 5 + errorCount: 0 + id: 3c42c847-eb30-4452-80e0-728584042334 + queryName: uptime_query + queryText: select * from uptime; + source: Live + sourceType: live + successCount: 5 + timestamp: '2024-07-26T09:59:32.220Z' + totalRows: 42 + userId: elastic + - agentCount: 10 + errorCount: 1 + executionCount: 3 + id: pack_my_pack_uptime_3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + plannedTime: '2024-07-26T09:00:00.000Z' + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + source: Scheduled + sourceType: scheduled + successCount: 9 + timestamp: '2024-07-26T09:00:00.000Z' + totalRows: 100 + hasMore: true + nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_GetUnifiedHistoryResponse + description: Indicates a successful call. + summary: Get unified query history + tags: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + /api/osquery/live_queries: + get: + description: Get a list of all live queries. 
+ operationId: OsqueryFindLiveQueries + parameters: + - description: A KQL search string to filter live queries. + in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. + in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_FindLiveQueryResponse + description: Indicates a successful call. + summary: Get live queries + tags: + - Security Osquery API + post: + description: Create and run a live query. + operationId: OsqueryCreateLiveQuery + requestBody: + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody + required: true + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_CreateLiveQueryResponse + description: Indicates a successful call. + summary: Create a live query + tags: + - Security Osquery API + /api/osquery/live_queries/{id}: + get: + description: Get the details of a live query using the query ID. + operationId: OsqueryGetLiveQueryDetails + parameters: + - description: The ID of the live query. + in: path + name: id + required: true + schema: + description: The ID of the live query result you want to retrieve. 
+ example: 3c42c847-eb30-4452-80e0-728584042334 type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: JVM memory usage - type: object - Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. 
- enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. 
- type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. 
- maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the Kibana version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_kibana_version_mismatch`. - properties: - duration: - type: string - filterQuery: - type: string - filterQueryText: - type: string - limit: - type: string - threshold: - type: number - required: - - duration - title: Kibana Version Mismatch Rule Params - type: object - rule_type_id: - enum: - - monitoring_alert_kibana_version_mismatch - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. 
- type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse + description: Indicates a successful call. + summary: Get live query details + tags: + - Security Osquery API + /api/osquery/live_queries/{id}/results/{actionId}: + get: + description: Get the results of a live query using the query action ID. + operationId: OsqueryGetLiveQueryResults + parameters: + - description: The ID of the live query. + in: path + name: id + required: true + schema: + description: The ID of the live query result you want to retrieve. + example: 3c42c847-eb30-4452-80e0-728584042334 type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Kibana version mismatch - type: object - Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. 
- type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false + - description: The ID of the query action. + in: path + name: actionId + required: true + schema: + description: The ID of the query action that generated the live query results. + example: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + type: string + - description: A KQL search string to filter results. + in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. 
+ in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. + in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse + description: Indicates a successful call. + summary: Get live query results + tags: + - Security Osquery API + /api/osquery/packs: + get: + description: Get a list of all query packs. + operationId: OsqueryFindPacks + parameters: + - description: The page number to return. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. + in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_FindPacksResponse' + description: Indicates a successful call. + summary: Get packs + tags: + - Security Osquery API + post: + description: Create a query pack. 
+ operationId: OsqueryCreatePacks + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody' + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_CreatePacksResponse' + description: Indicates a successful call. + summary: Create a pack + tags: + - Security Osquery API + /api/osquery/packs/{id}: + delete: + description: Delete a query pack using the pack ID. + operationId: OsqueryDeletePacks + parameters: + - description: The pack ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + responses: + '200': + content: + application/json: + schema: + example: {} type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. 
- maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the license expiration rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_license_expiration`. - properties: - duration: - type: string - filterQuery: - type: string - filterQueryText: - type: string - limit: - type: string - threshold: - type: number - required: - - duration - title: License Expiration Rule Params - type: object - rule_type_id: - enum: - - monitoring_alert_license_expiration - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. 
- type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: + properties: {} + description: Indicates a successful call. + summary: Delete a pack + tags: + - Security Osquery API + get: + description: Get the details of a query pack using the pack ID. + operationId: OsqueryGetPacksDetails + parameters: + - description: The pack ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_FindPackResponse' + description: Indicates a successful call. + summary: Get pack details + tags: + - Security Osquery API + put: + description: | + Update a query pack using the pack ID. + > info + > You cannot update a prebuilt pack. + operationId: OsqueryUpdatePacks + parameters: + - description: The pack ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody' + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksResponse' + description: Indicates a successful call. + summary: Update a pack + tags: + - Security Osquery API + /api/osquery/packs/{id}/copy: + post: + description: >- + Create a copy of a query pack with a unique name by appending a `_copy` + suffix. If the name already exists, a numeric suffix is added (e.g., + `_copy_2`). The copied pack is always created with `enabled` set to + `false`. + operationId: OsqueryCopyPacks + parameters: + - description: The ID of the pack to copy. 
+ in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + responses: + '200': + content: + application/json: + examples: + copyPackExample: + summary: Example response for copying a pack + value: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: false + name: my_pack_copy + policy_ids: [] + queries: + - ecs_mapping: + - key: client.port + value: + field: port + id: ports + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: [] + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Osquery_API_CopyPacksResponse' + description: Indicates a successful call. + summary: Copy a pack + tags: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + /api/osquery/saved_queries: + get: + description: Get a list of all saved queries. + operationId: OsqueryFindSavedQueries + parameters: + - description: The page number to return. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. + in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_FindSavedQueryResponse + description: Indicates a successful call. 
+ summary: Get saved queries + tags: + - Security Osquery API + post: + description: Create and save a query for later use. + operationId: OsqueryCreateSavedQuery + requestBody: + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody + required: true + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_CreateSavedQueryResponse + description: Indicates a successful call. + summary: Create a saved query + tags: + - Security Osquery API + /api/osquery/saved_queries/{id}: + delete: + description: Delete a saved query using the query ID. + operationId: OsqueryDeleteSavedQuery + parameters: + - description: The saved query ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: Indicates a successful call. + summary: Delete a saved query + tags: + - Security Osquery API + get: + description: Get the details of a saved query using the query ID. + operationId: OsqueryGetSavedQueryDetails + parameters: + - description: The saved query ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse + description: Indicates a successful call. + summary: Get saved query details + tags: + - Security Osquery API + put: + description: | + Update a saved query using the query ID. + > info + > You cannot update a prebuilt saved query. + operationId: OsqueryUpdateSavedQuery + parameters: + - description: The saved query ID. 
+ in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + requestBody: + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody + required: true + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse + description: Indicates a successful call. + summary: Update a saved query + tags: + - Security Osquery API + /api/osquery/saved_queries/{id}/copy: + post: + description: >- + Create a copy of a saved query with a unique name by appending a `_copy` + suffix. If the name already exists, a numeric suffix is added (e.g., + `_copy_2`). + operationId: OsqueryCopySavedQuery + parameters: + - description: The ID of the saved query to copy. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + responses: + '200': + content: + application/json: + examples: + copySavedQueryExample: + summary: Example response for copying a saved query + value: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query_copy + interval: '60' + platform: linux,darwin + query: select * from uptime; + removed: false + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + snapshot: true + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_CopySavedQueryResponse + description: Indicates a successful call. 
+ summary: Copy a saved query + tags: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + /api/osquery/scheduled_results/{scheduleId}/{executionCount}: + get: + description: > + Get paginated per-agent action results for a specific scheduled query + execution, with success/failure aggregation and execution metadata (pack + name, query name/text, timestamp). + operationId: OsqueryGetScheduledActionResults + parameters: + - description: The schedule ID of the scheduled query. + in: path + name: scheduleId + required: true + schema: + description: The schedule ID of the scheduled query. + example: pack_my_pack_uptime type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: License expiration - type: object - Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). 
- type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. 
Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. 
- type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. 
- nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the logstash version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_logstash_version_mismatch`. 
- properties: - duration: - type: string - filterQuery: - type: string - filterQueryText: - type: string - limit: - type: string - threshold: - type: number - required: - - duration - title: Logstash Version Mismatch Rule Params - type: object - rule_type_id: - enum: - - monitoring_alert_logstash_version_mismatch - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: + - description: The execution count for this scheduled query run. + in: path + name: executionCount + required: true + schema: + description: The execution count for this scheduled query run. + example: 3 + type: integer + - description: The kuery to filter the results by. + in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. The default is 1. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. The default is 20. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field that is used to sort the results. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: Specifies the sort order. 
+ in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + responses: + '200': + content: + application/json: + examples: + scheduledActionResultsExample: + summary: Example scheduled action results response + value: + aggregations: + failed: 1 + pending: 0 + successful: 9 + totalResponded: 10 + totalRowCount: 42 + currentPage: 0 + edges: + - _id: result-001 + fields: + agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 + rows_count: 5 + status: success + metadata: + executionCount: 3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + timestamp: '2024-07-26T09:00:00.000Z' + pageSize: 20 + total: 10 + totalPages: 1 + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_GetScheduledActionResultsResponse + description: Indicates a successful call. + summary: Get scheduled action results + tags: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results: + get: + description: > + Get paginated query result rows (the actual osquery output data) for a + specific scheduled query execution. + operationId: OsqueryGetScheduledQueryResults + parameters: + - description: The schedule ID of the scheduled query. + in: path + name: scheduleId + required: true + schema: + description: The schedule ID of the scheduled query. + example: pack_my_pack_uptime type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Logstash version mismatch - type: object - Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. 
- type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. 
- type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. 
- type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false + - description: The execution count for this scheduled query run. + in: path + name: executionCount + required: true + schema: + description: The execution count for this scheduled query run. + example: 3 + type: integer + - description: The kuery to filter the results by. + in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. The default is 1. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. The default is 20. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field that is used to sort the results. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: Specifies the sort order. + in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + - description: The start date filter (ISO 8601) to narrow down results. + in: query + name: startDate + required: false + schema: + description: The start date filter (ISO 8601) to narrow down results. 
+ example: '2024-01-01T00:00:00Z' + type: string + responses: + '200': + content: + application/json: + examples: + scheduledQueryResultsExample: + summary: Example scheduled query results response + value: + data: + edges: + - _id: row-001 + fields: + host.uptime: + - '12345' + - _id: row-002 + fields: + host.uptime: + - '67890' + total: 2 + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_GetScheduledQueryResultsResponse + description: Indicates a successful call. + summary: Get scheduled query results + tags: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + /api/pinned_event: + patch: + description: Pin/unpin an event to/from an existing Timeline. + operationId: PersistPinnedEventRoute + requestBody: + content: + application/json: + examples: + pinEvent: + summary: Pin an event + value: + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + schema: type: object properties: - blob: - maxLength: 10000 + eventId: + description: The `_id` of the associated event for this pinned event. + example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + type: string + pinnedEventId: + description: The `savedObjectId` of the pinned event you want to unpin. + example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + nullable: true + type: string + timelineId: + description: >- + The `savedObjectId` of the timeline that you want this + pinned event unpinned from. + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e type: string required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. 
- type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the missing monitoring data rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_missing_monitoring_data`. 
- properties: - duration: - type: string - filterQuery: - type: string - filterQueryText: - type: string - limit: - type: string - threshold: - type: number - required: - - duration - title: Missing Monitoring Data Rule Params - type: object - rule_type_id: - enum: - - monitoring_alert_missing_monitoring_data - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Missing monitoring data - type: object - Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + - eventId + - timelineId + description: The pinned event to add or unpin, along with additional metadata. 
+ required: true + responses: + '200': + content: + application/json: + examples: + pinnedSaved: + summary: Pinned event saved object + value: + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + pinnedEventId: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzQ2LDFe + unpinned: + summary: Unpin response + value: + unpinned: true + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_PersistPinnedEventResponse + description: Indicates a successful call. + summary: Pin/unpin an event + tags: + - Security Timeline API + - access:securitySolution + /api/risk_score/engine/dangerously_delete_data: + delete: + description: >- + Cleaning up the the Risk Engine by removing the indices, mapping and + transforms + operationId: CleanUpRiskEngine + responses: + '200': + content: + application/json: + examples: + CleanUpRiskEngineResponse: + summary: Successful cleanup response + value: + cleanup_successful: true + schema: type: object properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. 
- nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. + cleanup_successful: + type: boolean + description: Successful response + '400': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse + description: Task manager is unavailable + default: + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse + description: Unexpected error + summary: Cleanup the Risk Engine + tags: + - Security Entity Analytics API + /api/risk_score/engine/saved_object/configure: + patch: + description: Configuring the Risk Engine Saved Object + operationId: ConfigureRiskEngineSavedObject + requestBody: + content: + application/json: + examples: + ConfigureRiskEngineSavedObjectRequest: + summary: Configure the risk engine saved object + value: + enable_reset_to_zero: false + exclude_alert_statuses: + - closed + exclude_alert_tags: + - low-priority + filters: + - entity_types: + - host + - user + filter: 'host.name: *' + range: + end: now + start: now-30d + schema: + type: object + properties: + enable_reset_to_zero: + type: boolean + exclude_alert_statuses: + items: + type: string + type: array + exclude_alert_tags: + items: + type: string + type: array + filters: + items: type: object properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. 
+ entity_types: items: enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer + - host + - user + - service + type: string type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + filter: + description: KQL filter string type: string required: - - days - - hours - - timezone - frequency: - additionalProperties: false + - entity_types + - filter + type: array + range: + type: object + properties: + end: + type: string + start: + type: string + required: true + responses: + '200': + content: + application/json: + examples: + ConfigureRiskEngineSavedObjectResponse: + summary: Successful configuration response + value: + risk_engine_saved_object_configured: true + schema: type: object properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. + risk_engine_saved_object_configured: type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. 
- type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false + description: Successful response + '400': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse + description: Task manager is unavailable + default: + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse + description: Unexpected error + summary: Configure the Risk Engine Saved Object + tags: + - Security Entity Analytics API + /api/risk_score/engine/schedule_now: + post: + description: >- + Schedule the risk scoring engine to run as soon as possible. You can use + this to recalculate entity risk scores after updating their asset + criticality. 
+ operationId: ScheduleRiskEngineNow + requestBody: + content: + application/json: {} + responses: + '200': + content: + application/json: + examples: + ScheduleRiskEngineNowResponse: + summary: Successful schedule response + value: + success: true + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse + description: Successful response + '400': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse + description: Task manager is unavailable + default: + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse + description: Unexpected error + summary: Run the risk scoring engine + tags: + - Security Entity Analytics API + /api/security_ai_assistant/anonymization_fields/_bulk_action: + post: + description: >- + Apply a bulk action to multiple anonymization fields. The bulk action is + applied to all anonymization fields that match the filter or to the list + of anonymization fields by their IDs. + operationId: PerformAnonymizationFieldsBulkAction + requestBody: + content: + application/json: + schema: + example: + create: + - allowed: true + anonymized: false + field: host.name + - allowed: false + anonymized: true + field: user.name + delete: + ids: + - field5 + - field6 + query: 'field: host.name' + update: + - allowed: true + anonymized: false + id: field8 + - allowed: false + anonymized: true + id: field9 type: object properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
- type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the nodes changed rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_alert_nodes_changed`. - properties: - duration: - type: string - filterQuery: - type: string - filterQueryText: - type: string - limit: - type: string - threshold: - type: number - required: - - duration - title: Nodes Changed Rule Params - type: object - rule_type_id: - enum: - - monitoring_alert_nodes_changed - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Nodes changed - type: object - Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
- type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). 
- type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + create: + description: Array of anonymization fields to create. + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps + type: array + delete: + description: >- + Object containing the query to filter anonymization fields + and/or an array of anonymization field IDs to delete. + type: object + properties: + ids: + description: Array of IDs to apply the action to. + example: + - '1234' + - '5678' + items: type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string + minItems: 1 + type: array + query: + description: Query to filter the bulk action. + example: 'status: ''inactive''' + type: string + update: + description: Array of anonymization fields to update. 
+ items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps + type: array + responses: + '200': + content: + application/json: + example: + anonymization_fields_count: 5 + attributes: + results: + created: + - allowed: false + anonymized: true + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: host.name + id: field2 + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + deleted: + - field3 + skipped: + - id: field4 + name: user.name + skip_reason: ANONYMIZATION_FIELD_NOT_MODIFIED + updated: + - allowed: true + anonymized: false + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: url.domain + id: field8 + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. 
- type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false + failed: 1 + skipped: 1 + succeeded: 2 + total: 5 + message: Bulk action completed successfully + status_code: 200 + success: true + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse + description: Indicates a successful call. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request body + statusCode: 400 + schema: type: object properties: - id: + error: + description: Error type or name. type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
- type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the thread pool search rejections rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_alert_thread_pool_search_rejections`. - properties: - duration: - type: string - filterQuery: - type: string - filterQueryText: - type: string - threshold: - type: number - required: - - duration - title: Thread Pool Search Rejections Rule Params - type: object - rule_type_id: - enum: - - monitoring_alert_thread_pool_search_rejections - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. + message: + description: Detailed error message. + type: string + statusCode: + description: Status code of the response. + type: number + description: Generic Error + summary: Apply a bulk action to anonymization fields + tags: + - Security AI Assistant API + - Bulk API + /api/security_ai_assistant/anonymization_fields/_find: + get: + description: Get a list of all anonymization fields. + operationId: FindAnonymizationFields + parameters: + - description: Fields to return + example: + - id + - field + - anonymized + - allowed + in: query + name: fields + required: false + schema: + items: type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: + type: array + - description: Search query + example: 'field: "user.name"' + in: query + name: filter + required: false + schema: type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Thread pool search rejections - type: object - Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + - description: Field to sort by + example: created_at + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField + - description: Sort order + example: asc + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number + example: 1 + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: AnonymizationFields per page + example: 20 + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + - description: >- + If true, additionally fetch all anonymization fields, otherwise + fetch only the provided page + in: query + name: all_data + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + example: + aggregations: + anonymized: + buckets: + allowed: + doc_count: 1 + anonymized: + doc_count: 1 + denied: + doc_count: 1 + all: + - allowed: true + anonymized: true + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: user.name + id: '1' + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: 
'2023-10-31T12:00:00Z' + updatedBy: user1 + data: + - allowed: true + anonymized: true + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: user.name + id: '1' + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + page: 1 + perPage: 20 + total: 100 + schema: type: object properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. + aggregations: type: object properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. 
- items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + field_status: type: object properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false + buckets: + type: object + properties: + allowed: + type: object + properties: + doc_count: + default: 0 + type: integer + anonymized: + type: object + properties: + doc_count: + default: 0 + type: integer + denied: + type: object + properties: + doc_count: + default: 0 + type: integer + all: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + type: array + data: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters + statusCode: 400 + schema: type: object properties: - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval + error: type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true + message: type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. 
- type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. + statusCode: + type: number + description: Generic Error + summary: Get anonymization fields + tags: + - Security AI Assistant API + - AnonymizationFields API + /api/security_ai_assistant/chat/complete: + post: + description: Create a model response for the given chat conversation. + operationId: ChatComplete + parameters: + - description: If true, the response will not include content references. + example: false + in: query + name: content_references_disabled + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + example: + connectorId: conn-001 + conversationId: abc123 + isStream: true + langSmithApiKey: sk-abc123 + langSmithProject: security_ai_project + messages: + - content: What are some common phishing techniques? + data: + user_id: user_789 + fields_to_anonymize: + - user.name + - source.ip + role: user + model: gpt-4 + persist: true + promptId: prompt_456 + responseLanguage: en + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' + required: true + responses: + '200': + content: + application/octet-stream: + schema: + format: binary type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false + description: Indicates a successful model response call. 
+ '400': + content: + application/json: + schema: type: object properties: - id: + error: + description: Error type. + example: Bad Request type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false + message: + description: Human-readable error message. + example: Invalid request payload. + type: string + statusCode: + description: HTTP status code. + example: 400 + type: number + description: Generic Error + summary: Create a model response + tags: + - Security AI Assistant API + - Chat Complete API + /api/security_ai_assistant/current_user/conversations: + delete: + description: This endpoint allows users to permanently delete all conversations. + operationId: DeleteAllConversations + requestBody: + content: + application/json: + schema: type: object properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. 
- maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the thread pool write rejections rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_thread_pool_write_rejections`. - properties: - duration: - type: string - filterQuery: - type: string - filterQueryText: - type: string - threshold: - type: number - required: - - duration - title: Thread Pool Write Rejections Rule Params - type: object - rule_type_id: - enum: - - monitoring_alert_thread_pool_write_rejections - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. 
- items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Thread pool write rejections - type: object - Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + excludedIds: + description: Optional list of conversation IDs to delete. + example: + - abc123 + - def456 + items: + type: string + type: array + required: false + responses: + '200': + content: + application/json: + example: + success: true + schema: type: object properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. 
- enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false + failures: + items: + type: string + type: array + success: + example: true + type: boolean + totalDeleted: + example: 10 + type: number + description: >- + Indicates a successful call. The conversations were deleted + successfully. 
+ '400': + content: + application/json: + schema: type: object properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval + error: + example: Bad Request type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true + message: + example: Invalid conversation ID type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. 
- type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false + statusCode: + example: 400 + type: number + description: Generic Error. This response indicates an issue with the request. + summary: Delete conversations + tags: + - Security AI Assistant API + - Conversation API + post: + description: >- + Create a new Security AI Assistant conversation. This endpoint allows + the user to initiate a conversation with the Security AI Assistant by + providing the required parameters. + operationId: CreateConversation + requestBody: + content: + application/json: + example: + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + excludeFromLastConversationStorage: false + messages: + - content: Hello, how can I assist you today? 
+ role: system + timestamp: '2023-10-31T12:00:00Z' + replacements: {} + title: Security Discussion + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationCreateProps + required: true + responses: + '200': + content: + application/json: + example: + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + createdAt: '2023-10-31T12:01:00Z' + excludeFromLastConversationStorage: false + id: abc123 + messages: + - content: Hello, how can I assist you today? + role: system + timestamp: '2023-10-31T12:00:00Z' + replacements: {} + title: Security Discussion + updatedAt: '2023-10-31T12:01:00Z' + users: + - id: user1 + name: John Doe + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: >- + Indicates a successful call. The conversation was created + successfully. + '400': + content: + application/json: + schema: type: object properties: - id: + error: + example: Bad Request type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. 
- type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the CCR read exceptions rule. These parameters are appropriate when `rule_type_id` is `monitoring_ccr_read_exceptions`. - properties: - duration: - type: string - filterQuery: - type: string - filterQueryText: - type: string - limit: - type: string - threshold: - type: number - required: - - duration - title: CCR Read Exceptions Rule Params - type: object - rule_type_id: - enum: - - monitoring_ccr_read_exceptions - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. 
- type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. + message: + example: 'Missing required parameter: title' + type: string + statusCode: + example: 400 + type: number + description: >- + Generic Error. This response indicates an issue with the request, + such as missing required parameters or incorrect data. + summary: Create a conversation + tags: + - Security AI Assistant API + - Conversation API + /api/security_ai_assistant/current_user/conversations/_find: + get: + description: >- + Get a list of all conversations for the current user. This endpoint + allows users to search, filter, sort, and paginate through their + conversations. + operationId: FindConversations + parameters: + - description: >- + A list of fields to include in the response. If omitted, all fields + are returned. + in: query + name: fields + required: false + schema: + example: + - id + - title + - createdAt + items: type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: + type: array + - description: >- + A search query to filter the conversations. Can match against + titles, messages, or other conversation attributes. + in: query + name: filter + required: false + schema: + example: Security Issue type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: CCR read exceptions - type: object - Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + - description: >- + The field by which to sort the results. Valid fields are + `created_at`, `title`, and `updated_at`. + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_FindConversationsSortField + example: created_at + - description: >- + The order in which to sort the results. Can be either `asc` for + ascending or `desc` for descending. + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + example: desc + - description: The page number of the results to retrieve. Default is 1. + in: query + name: page + required: false + schema: + default: 1 + example: 1 + minimum: 1 + type: integer + - description: The number of conversations to return per page. Default is 20. + in: query + name: per_page + required: false + schema: + default: 20 + example: 20 + minimum: 0 + type: integer + - description: >- + Whether to return conversations that the current user owns. If true, + only conversations owned by the user are returned. 
+ in: query + name: is_owner + required: false + schema: + default: false + example: true + type: boolean + responses: + '200': + content: + application/json: + schema: type: object properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. 
- type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false + data: + description: A list of conversations. + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + type: array + page: + description: The current page of the results. + example: 1 + type: integer + perPage: + description: The number of results returned per page. + example: 20 + type: integer + total: + description: >- + The total number of conversations matching the filter + criteria. + example: 100 + type: integer + required: + - page + - perPage + - total + - data + description: >- + Successful response, returns a paginated list of conversations + matching the specified criteria. + '400': + content: + application/json: + schema: type: object properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval + error: + example: Bad Request type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true + message: + example: Invalid filter query parameter type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + statusCode: + example: 400 + type: number + description: >- + Generic Error. The request could not be processed due to an invalid + query parameter or other issue. + summary: Get conversations + tags: + - Security AI Assistant API + - Conversations API + /api/security_ai_assistant/current_user/conversations/{id}: + delete: + description: >- + Delete an existing conversation using the conversation ID. This endpoint + allows users to permanently delete a conversation. + operationId: DeleteConversation + parameters: + - description: The conversation's `id` value. 
+ example: abc123 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + createdAt: '2023-10-31T12:01:00Z' + excludeFromLastConversationStorage: false + id: abc123 + messages: + - content: The conversation has been deleted. + role: system + timestamp: '2023-10-31T12:35:00Z' + replacements: {} + title: Deleted Security Discussion + updatedAt: '2023-10-31T12:01:00Z' + users: + - id: user1 + name: John Doe + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: >- + Indicates a successful call. The conversation was deleted + successfully. + '400': + content: + application/json: + schema: type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false + properties: + error: + example: Bad Request + type: string + message: + example: Invalid conversation ID + type: string + statusCode: + example: 400 + type: number + description: Generic Error. This response indicates an issue with the request. + summary: Delete a conversation + tags: + - Security AI Assistant API + - Conversation API + get: + description: >- + Get the details of an existing conversation using the conversation ID. 
+ This allows users to fetch the specific conversation data by its unique + ID. + operationId: ReadConversation + parameters: + - description: >- + The conversation's `id` value, a unique identifier for the + conversation. + example: abc123 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + createdAt: '2023-10-31T12:01:00Z' + excludeFromLastConversationStorage: false + id: abc123 + messages: + - content: Hello, how can I assist you today? + role: system + timestamp: '2023-10-31T12:00:00Z' + replacements: {} + title: Security Discussion + updatedAt: '2023-10-31T12:01:00Z' + users: + - id: user1 + name: John Doe + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: Indicates a successful call. The conversation details are returned. + '400': + content: + application/json: + schema: + type: object + properties: + error: + example: Bad Request + type: string + message: + example: Invalid conversation ID + type: string + statusCode: + example: 400 + type: number + description: Generic Error. The request could not be processed due to an error. + summary: Get a conversation + tags: + - Security AI Assistant API + - Conversations API + put: + description: >- + Update an existing conversation using the conversation ID. This endpoint + allows users to modify the details of an existing conversation. + operationId: UpdateConversation + parameters: + - description: The conversation's `id` value. 
+ example: abc123 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + requestBody: + content: + application/json: + example: + apiConfig: + actionTypeId: '09876' + connectorId: '54321' + category: insights + excludeFromLastConversationStorage: true + messages: + - content: The issue was resolved. + role: assistant + timestamp: '2023-10-31T12:30:00Z' + replacements: {} + title: Updated Security Discussion + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps + required: true + responses: + '200': + content: + application/json: + example: + apiConfig: + actionTypeId: '09876' + connectorId: '54321' + category: insights + createdAt: '2023-10-31T12:01:00Z' + excludeFromLastConversationStorage: true + id: abc123 + messages: + - content: The issue was resolved. + role: assistant + timestamp: '2023-10-31T12:30:00Z' + replacements: {} + title: Updated Security Discussion + updatedAt: '2023-10-31T12:31:00Z' + users: + - id: user1 + name: John Doe + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: >- + Indicates a successful call. The conversation was updated + successfully. + '400': + content: + application/json: + schema: type: object properties: - id: + error: + example: Bad Request type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. 
- type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the large shard size rule. These parameters are appropriate when `rule_type_id` is `monitoring_shard_size`. 
- properties: - duration: - type: string - filterQuery: - type: string - filterQueryText: - type: string - indexPattern: - type: string - limit: - type: string - threshold: - type: number - required: - - duration - - indexPattern - title: Large Shard Size Rule Params - type: object - rule_type_id: - enum: - - monitoring_shard_size - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Large shard size - type: object - Kibana_HTTP_APIs_new_output_elasticsearch: - additionalProperties: false - properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true - type: string - hosts: - items: - format: uri - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: - type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - preset: - enum: - - balanced - - custom - - throughput - - scale - - latency - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - type: - enum: - - elasticsearch - type: string - write_to_logs_streams: - nullable: true - type: boolean - required: - - name - - type - - hosts - title: new_output_elasticsearch - type: object - Kibana_HTTP_APIs_new_output_kafka: - additionalProperties: false - properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - auth_type: - enum: - - none - - user_pass - - ssl - - kerberos - type: string - broker_timeout: - type: number - ca_sha256: - nullable: true - 
type: string - ca_trusted_fingerprint: - nullable: true - type: string - client_id: - type: string - compression: - enum: - - gzip - - snappy - - lz4 - - none - type: string - compression_level: - type: number - config_yaml: - nullable: true - type: string - connection_type: - enum: - - plaintext - - encryption - type: string - hash: - additionalProperties: false - type: object - properties: - hash: - type: string - random: - type: boolean - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - hosts: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - key: - type: string - name: - type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - partition: - enum: - - random - - round_robin - - hash - type: string - password: - nullable: true - type: string - proxy_id: - nullable: true - type: string - random: - additionalProperties: false - type: object - properties: - group_events: - type: number - required_acks: - enum: - - 1 - - 0 - - -1 - type: integer - round_robin: - additionalProperties: false - type: object - properties: - group_events: - type: number - sasl: - additionalProperties: false - nullable: true - type: object - properties: - mechanism: - enum: - - PLAIN - - SCRAM-SHA-256 - - SCRAM-SHA-512 - type: string - secrets: - additionalProperties: false - type: object - properties: - password: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false 
- type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - required: - - key - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - timeout: - type: number - topic: - type: string - type: - enum: - - kafka - type: string - username: - nullable: true - type: string - version: - type: string - required: - - name - - type - - hosts - - auth_type - title: new_output_kafka - type: object - Kibana_HTTP_APIs_new_output_logstash: - additionalProperties: false - properties: - allow_edit: - items: + message: + example: 'Missing required field: title' + type: string + statusCode: + example: 400 + type: number + description: >- + Generic Error. This response indicates an issue with the request, + such as missing required parameters or incorrect data. + summary: Update a conversation + tags: + - Security AI Assistant API + - Conversation API + /api/security_ai_assistant/knowledge_base: + get: + description: Read a single KB + operationId: GetKnowledgeBase + responses: + '200': + content: + application/json: + examples: + KnowledgeBaseReadResponse200Example2: + summary: >- + A response that returns information about the knowledge + base. + value: + defend_insights_exists: true + elser_exists: false + is_setup_available: true + is_setup_in_progress: true + product_documentation_status: installed + security_labs_exists: false + user_data_exists: true + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200 + description: Indicates a successful call. 
+ '400': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 + description: Generic Error + summary: Read a KnowledgeBase + tags: + - Security AI Assistant API + - KnowledgeBase API + post: + operationId: PostKnowledgeBase + parameters: + - description: >- + ELSER modelId to use when setting up the Knowledge Base. If not + provided, a default model will be used. + example: elser-model-001 + in: query + name: modelId + required: false + schema: type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true - type: string - hosts: - items: + - description: >- + Indicates whether we should or should not install Security Labs docs + when setting up the Knowledge Base. Defaults to `false`. + example: true + in: query + name: ignoreSecurityLabs + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + KnowledgeBaseResponse200Example2: + summary: A response that indicates that the request was successful. + value: + success: true + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse + description: Indicates a successful call. + '400': + content: + application/json: + examples: + KnowledgeBaseResponse400Example2: + summary: >- + A response for a request that failed due to an invalid query + parameter value. + value: > + statusCode: 400 error: Bad Request message: "[request + query]: ignoreSecurityLabs: Invalid enum value. 
Expected + 'true' | 'false', received 'yes', ignoreSecurityLabs: + Expected boolean, received string" + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 + description: Generic Error + summary: Create a KnowledgeBase + tags: + - Security AI Assistant API + - KnowledgeBase API + /api/security_ai_assistant/knowledge_base/{resource}: + get: + description: Read a knowledge base with a specific resource identifier. + operationId: ReadKnowledgeBase + parameters: + - description: The KnowledgeBase `resource` value. + example: kb12345 + in: path + name: resource + required: true + schema: type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: - type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - type: - enum: - - logstash - type: string - required: - - name - - type - - hosts - title: new_output_logstash - type: object - Kibana_HTTP_APIs_new_output_remote_elasticsearch: - additionalProperties: false - properties: - allow_edit: - items: + responses: + '200': + content: + application/json: + examples: + KnowledgeBaseReadResponse200Example1: + summary: >- + A response that returns information about the knowledge + base. 
+ value: + defend_insights_exists: true + elser_exists: false + is_setup_available: true + is_setup_in_progress: true + product_documentation_status: installed + security_labs_exists: false + user_data_exists: true + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200 + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 + description: Generic Error + summary: Read a KnowledgeBase for a resource + tags: + - Security AI Assistant API + - KnowledgeBase API + post: + description: Create a knowledge base with a specific resource identifier. + operationId: CreateKnowledgeBase + parameters: + - description: The KnowledgeBase `resource` value. + example: kb12345 + in: path + name: resource + required: true + schema: type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true - type: string - hosts: - items: - format: uri + - description: >- + ELSER modelId to use when setting up the Knowledge Base. If not + provided, a default model will be used. 
+ example: elser-model-001 + in: query + name: modelId + required: false + schema: type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - kibana_api_key: - nullable: true - type: string - kibana_url: - nullable: true - type: string - name: - type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - preset: - enum: - - balanced - - custom - - throughput - - scale - - latency - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - service_token: - anyOf: - - additionalProperties: false + - description: >- + Indicates whether we should or should not install Security Labs docs + when setting up the Knowledge Base. Defaults to `false`. + example: true + in: query + name: ignoreSecurityLabs + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + KnowledgeBaseResponse200Example1: + summary: A response that indicates that the request was successful. + value: + success: true + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse + description: Indicates a successful call. + '400': + content: + application/json: + examples: + KnowledgeBaseResponse400Example1: + summary: >- + A response for a request that failed due to an invalid query + parameter value. + value: > + statusCode: 400 error: Bad Request message: "[request + query]: ignoreSecurityLabs: Invalid enum value. 
Expected + 'true' | 'false', received 'yes', ignoreSecurityLabs: + Expected boolean, received string" + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 + description: Generic Error + summary: Create a KnowledgeBase for a resource + tags: + - Security AI Assistant API + - KnowledgeBase API + /api/security_ai_assistant/knowledge_base/entries: + post: + description: Create a Knowledge Base Entry + operationId: CreateKnowledgeBaseEntry + requestBody: + content: + application/json: + example: + content: >- + To reset your password, go to the settings page and click 'Reset + Password'. + tags: + - password + - reset + - help + title: How to reset a password + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps + required: true + responses: + '200': + content: + application/json: + example: + content: >- + To reset your password, go to the settings page and click + 'Reset Password'. + id: '12345' + tags: + - password + - reset + - help + title: How to reset a password + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse + description: Successful request returning Knowledge Base Entries + '400': + content: + application/json: + example: + error: Invalid input + message: The 'title' field is required. + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema + description: >- + A generic error occurred, such as invalid input or missing required + fields. + summary: Create a Knowledge Base Entry + tags: + - Security AI Assistant API + - Knowledge Base Entries API + /api/security_ai_assistant/knowledge_base/entries/_bulk_action: + post: + description: >- + The bulk action is applied to all Knowledge Base Entries that match the + filter or to the list of Knowledge Base Entries by their IDs. 
+ operationId: PerformKnowledgeBaseEntryBulkAction + requestBody: + content: + application/json: + schema: + type: object + properties: + create: + description: List of Knowledge Base Entries to create. + example: + - content: This is the content of the new entry. + title: New Entry + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps + type: array + delete: type: object properties: - hash: - type: string - id: + ids: + description: Array of Knowledge Base Entry IDs. + example: + - '123' + - '456' + - '789' + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter Knowledge Base Entries. + example: status:active AND category:technology type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - service_token: - nullable: true - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - sync_integrations: - type: boolean - sync_uninstalled_integrations: - type: boolean - type: - enum: - - remote_elasticsearch - type: string - write_to_logs_streams: - nullable: true - type: boolean - required: - - name - - type - - hosts - title: new_output_remote_elasticsearch - type: object - Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. 
If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + update: + description: List of Knowledge Base Entries to update. + example: + - content: Updated content. + id: '123' + title: Updated Entry + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps + type: array + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse + description: Successful bulk operation request + '400': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema + description: Generic Error + summary: Applies a bulk action to multiple Knowledge Base Entries + tags: + - Security AI Assistant API + - Knowledge Base Entries Bulk API + /api/security_ai_assistant/knowledge_base/entries/_find: + get: + description: Finds Knowledge Base Entries that match the given query. + operationId: FindKnowledgeBaseEntries + parameters: + - description: >- + A list of fields to include in the response. If not provided, all + fields will be included. + in: query + name: fields + required: false + schema: + example: + - title + - created_at + items: + type: string + type: array + - description: Search query to filter Knowledge Base Entries by specific criteria. + in: query + name: filter + required: false + schema: + example: error handling + type: string + - description: Field to sort the Knowledge Base Entries by. + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField + example: created_at + - description: Sort order for the results, either asc or desc. 
+ in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + example: asc + - description: Page number for paginated results. Defaults to 1. + in: query + name: page + required: false + schema: + default: 1 + example: 2 + minimum: 1 + type: integer + - description: Number of Knowledge Base Entries to return per page. Defaults to 20. + in: query + name: per_page + required: false + schema: + default: 20 + example: 10 + minimum: 0 + type: integer + responses: + '200': + content: + application/json: + schema: type: object properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. 
For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false + data: + description: The list of Knowledge Base Entries for the current page. + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse + type: array + page: + description: The current page number. + example: 1 + type: integer + perPage: + description: The number of Knowledge Base Entries returned per page. + example: 20 + type: integer + total: + description: The total number of Knowledge Base Entries available. + example: 100 + type: integer + required: + - page + - perPage + - total + - data + description: Successful response containing the paginated Knowledge Base Entries. + '400': + content: + application/json: + schema: type: object properties: - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval + error: + description: A short description of the error. + example: Bad Request type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true + message: + description: A detailed message explaining the error. + example: 'Invalid query parameter: sort_order' type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. 
- type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + statusCode: + description: The HTTP status code of the error. + example: 400 + type: number + description: Generic Error indicating an issue with the request. + summary: Finds Knowledge Base Entries that match the given query. + tags: + - Security AI Assistant API + - Knowledge Base Entries API + /api/security_ai_assistant/knowledge_base/entries/{id}: + delete: + description: Delete a Knowledge Base Entry by its unique `id`. + operationId: DeleteKnowledgeBaseEntry + parameters: + - description: The unique identifier (`id`) of the Knowledge Base Entry to delete. + example: '12345' + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + id: '12345' + message: Knowledge Base Entry successfully deleted. + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_DeleteResponseFields + description: >- + Successful request returning the `id` of the deleted Knowledge Base + Entry. + '400': + content: + application/json: + example: + error: Not Found + message: No Knowledge Base Entry found with the provided `id`. + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema + description: >- + A generic error occurred, such as an invalid `id` or the entry not + being found. + summary: Deletes a single Knowledge Base Entry using the `id` field + tags: + - Security AI Assistant API + - Knowledge Base Entries API + get: + description: Retrieve a Knowledge Base Entry by its unique `id`. + operationId: ReadKnowledgeBaseEntry + parameters: + - description: >- + The unique identifier (`id`) of the Knowledge Base Entry to + retrieve. 
+ example: '12345' + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + content: >- + To reset your password, go to the settings page and click + 'Reset Password'. + id: '12345' + tags: + - password + - reset + - help + title: How to reset a password + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse + description: Successful request returning the requested Knowledge Base Entry. + '400': + content: + application/json: + example: + error: Not Found + message: No Knowledge Base Entry found with the provided `id`. + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema + description: >- + A generic error occurred, such as an invalid `id` or the entry not + being found. + summary: Read a Knowledge Base Entry + tags: + - Security AI Assistant API + - Knowledge Base Entries API + put: + description: Update an existing Knowledge Base Entry by its unique `id`. + operationId: UpdateKnowledgeBaseEntry + parameters: + - description: The unique identifier (`id`) of the Knowledge Base Entry to update. + example: '12345' + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + requestBody: + content: + application/json: + example: + content: >- + To reset your password, go to the settings page, click 'Reset + Password', and follow the instructions. + tags: + - password + - reset + - help + - update + title: How to reset a password (updated) + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps + required: true + responses: + '200': + content: + application/json: + example: + content: >- + To reset your password, go to the settings page, click 'Reset + Password', and follow the instructions. 
+ id: '12345' + tags: + - password + - reset + - help + - update + title: How to reset a password (updated) + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse + description: Successful request returning the updated Knowledge Base Entry. + '400': + content: + application/json: + example: + error: Invalid input + message: The 'content' field cannot be empty. + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema + description: >- + A generic error occurred, such as invalid input or the entry not + being found. + summary: Update a Knowledge Base Entry + tags: + - Security AI Assistant API + - Knowledge Base Entries API + /api/security_ai_assistant/prompts/_bulk_action: + post: + description: >- + Apply a bulk action to multiple prompts. The bulk action is applied to + all prompts that match the filter or to the list of prompts by their + IDs. This action allows for bulk create, update, or delete operations. + operationId: PerformPromptsBulkAction + requestBody: + content: + application/json: + example: + create: + - content: Please verify the security settings. + name: New Security Prompt + promptType: system + delete: + ids: + - prompt1 + - prompt2 + update: + - content: Updated content for security prompt. + id: prompt123 + schema: + type: object + properties: + create: + description: List of prompts to be created. + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptCreateProps + type: array + delete: + description: Criteria for deleting prompts in bulk. + type: object + properties: + ids: + description: Array of IDs to apply the action to. + example: + - '1234' + - '5678' + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter the bulk action. + example: 'status: ''inactive''' + type: string + update: + description: List of prompts to be updated. 
+ items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptUpdateProps + type: array + responses: + '200': + content: + application/json: + examples: + success: + value: + attributes: + errors: [] + results: + created: + - content: Please verify the security settings. + id: prompt6 + name: New Security Prompt + promptType: system + deleted: + - prompt2 + - prompt3 + skipped: + - id: prompt4 + name: Security Prompt + skip_reason: PROMPT_FIELD_NOT_MODIFIED + updated: + - content: Updated security settings prompt + id: prompt1 + name: Security Prompt + promptType: system + summary: + failed: 0 + skipped: 1 + succeeded: 4 + total: 5 + message: Bulk action completed successfully. + prompts_count: 5 + status_code: 200 + success: true + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse + description: Indicates a successful call with the results of the bulk action. + '400': + content: + application/json: + schema: type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: + properties: + error: + description: A short error message. + example: Bad Request + type: string + message: + description: A detailed error message. + example: Invalid prompt ID or missing required fields. + type: string + statusCode: + description: The HTTP status code for the error. + example: 400 + type: number + description: Indicates a generic error due to a bad request. + summary: Apply a bulk action to prompts + tags: + - Security AI Assistant API + - Bulk API + /api/security_ai_assistant/prompts/_find: + get: + description: >- + Get a list of all prompts based on optional filters, sorting, and + pagination. + operationId: FindPrompts + parameters: + - description: List of specific fields to include in each returned prompt. 
+ in: query + name: fields + required: false + schema: + example: - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false + - name + - content + items: + type: string + type: array + - description: Search query string to filter prompts by matching fields. + in: query + name: filter + required: false + schema: + example: error handling + type: string + - description: Field to sort prompts by. + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_FindPromptsSortField + - description: Sort order, either asc or desc. + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number for pagination. + in: query + name: page + required: false + schema: + default: 1 + example: 1 + minimum: 1 + type: integer + - description: Number of prompts per page. + in: query + name: per_page + required: false + schema: + default: 20 + example: 20 + minimum: 0 + type: integer + responses: + '200': + content: + application/json: + schema: + example: + data: + - categories: + - troubleshooting + - logging + color: '#FF5733' + consumer: security + content: If you encounter an error, check the logs and retry. 
+ createdAt: '2025-04-20T21:00:00Z' + createdBy: jdoe + id: prompt-123 + isDefault: true + isNewConversationDefault: false + name: Error Troubleshooting Prompt + namespace: default + promptType: standard + timestamp: '2025-04-30T22:30:00Z' + updatedAt: '2025-04-30T22:45:00Z' + updatedBy: jdoe + users: + - full_name: John Doe + username: jdoe + page: 1 + perPage: 20 + total: 142 type: object properties: - id: - type: string + data: + description: >- + The list of prompts returned based on the search query, + sorting, and pagination. + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptResponse + type: array + page: + description: Current page number. + example: 1 + type: integer + perPage: + description: Number of prompts per page. + example: 20 + type: integer + total: + description: Total number of prompts matching the query. + example: 142 + type: integer required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. 
- maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the custom threshold rule. These parameters are appropriate when `rule_type_id` is `observability.rules.custom_threshold`. - properties: - alertOnGroupDisappear: - type: boolean - alertOnNoData: - type: boolean - criteria: - items: - additionalProperties: false + - page + - perPage + - total + - data + description: Successful response containing a list of prompts. + '400': + content: + application/json: + schema: type: object properties: - aggType: - enum: - - custom - type: string - comparator: - type: string - equation: + error: + description: Short error message. + example: Bad Request type: string - label: + message: + description: Detailed description of the error. 
+ example: Invalid sort order value provided. type: string - metrics: - items: - anyOf: - - additionalProperties: false - type: object - properties: - aggType: - type: string - field: - type: string - filter: - type: string - name: - type: string - required: - - name - - aggType - - field - - additionalProperties: false - type: object - properties: - aggType: - enum: - - count - type: string - filter: - type: string - name: - type: string - required: - - name - - aggType - type: array - threshold: - items: - type: number - type: array - timeSize: + statusCode: + description: HTTP status code for the error. + example: 400 type: number - timeUnit: - type: string - required: - - threshold - - comparator - - timeUnit - - timeSize - - metrics - type: array - groupBy: - anyOf: - - type: string - - items: - type: string - type: array - noDataBehavior: - enum: - - recover - - remainActive - - alertOnNoData - type: string - searchConfiguration: - additionalProperties: false + description: Bad request due to invalid parameters or malformed query. + summary: Get prompts + tags: + - Security AI Assistant API + - Prompts API + /api/task_manager/_health: + get: + description: | + Get the health status of the Kibana task manager. + operationId: task-manager-health + responses: + '200': + content: + application/json: + examples: + taskManagerHealthResponse1: + $ref: >- + #/components/examples/Task_manager_health_Serverless_APIs_health_200response_serverless + schema: + $ref: >- + #/components/schemas/Task_manager_health_Serverless_APIs_health_response_serverless + description: Indicates a successful call + summary: Get the task manager health + tags: + - task manager + /api/timeline: + delete: + description: Delete one or more Timelines or Timeline templates. 
+ operationId: DeleteTimelines + requestBody: + content: + application/json: + examples: + deleteByIds: + summary: Delete timelines by saved object id + value: + savedObjectIds: + - 15c1929b-0af7-42bd-85a8-56e234cc7c4e + deleteWithSearches: + summary: Delete Timelines and their linked saved searches + value: + savedObjectIds: + - 15c1929b-0af7-42bd-85a8-56e234cc7c4e + - 6ce1b592-84e3-4b4a-9552-f189d4b82075 + searchIds: + - 2c1b8f02-9ad6-4e33-8f6a-2c6b7d0a1f11 + schema: type: object properties: - filter: + savedObjectIds: + description: >- + The list of IDs of the Timelines or Timeline templates to + delete items: - additionalProperties: false - type: object - properties: - meta: - additionalProperties: - nullable: true - type: object - query: - additionalProperties: - nullable: true - type: object - required: - - meta + type: string + maxItems: 100 + type: array + searchIds: + description: >- + Saved search IDs that should be deleted alongside the + timelines + items: + type: string + maxItems: 100 type: array - index: - anyOf: - - type: string - - additionalProperties: false - type: object - properties: - allowHidden: - type: boolean - allowNoIndex: - type: boolean - fieldAttrs: - additionalProperties: - additionalProperties: false - type: object - properties: - count: - type: number - customDescription: - maxLength: 300 - type: string - customLabel: - type: string - type: object - fieldFormats: - additionalProperties: - additionalProperties: false - type: object - properties: - id: - type: string - params: - nullable: true - required: - - params - type: object - fields: - additionalProperties: - additionalProperties: false - type: object - properties: - aggregatable: - type: boolean - count: - minimum: 0 - type: number - customDescription: - maxLength: 300 - type: string - customLabel: - type: string - esTypes: - items: - type: string - type: array - format: - additionalProperties: false - type: object - properties: - id: - type: string - params: - nullable: true 
- required: - - params - name: - maxLength: 1000 - type: string - readFromDocValues: - type: boolean - runtimeField: - anyOf: - - additionalProperties: false - type: object - properties: - customDescription: - maxLength: 300 - type: string - customLabel: - type: string - format: - additionalProperties: false - type: object - properties: - id: - type: string - params: - nullable: true - required: - - params - popularity: - minimum: 0 - type: number - script: - additionalProperties: false - type: object - properties: - source: - type: string - required: - - source - type: - enum: - - keyword - - long - - double - - date - - ip - - boolean - - geo_point - type: string - required: - - type - - additionalProperties: false - type: object - properties: - fields: - additionalProperties: - additionalProperties: false - type: object - properties: - customDescription: - maxLength: 300 - type: string - customLabel: - type: string - format: - additionalProperties: false - type: object - properties: - id: - type: string - params: - nullable: true - required: - - params - popularity: - minimum: 0 - type: number - type: - enum: - - keyword - - long - - double - - date - - ip - - boolean - - geo_point - type: string - required: - - type - type: object - script: - additionalProperties: false - type: object - properties: - source: - type: string - required: - - source - type: - enum: - - composite - type: string - required: - - type - script: - maxLength: 1000000 - type: string - scripted: - type: boolean - searchable: - type: boolean - shortDotsEnable: - type: boolean - subType: - additionalProperties: false - type: object - properties: - multi: - additionalProperties: false - type: object - properties: - parent: - type: string - required: - - parent - nested: - additionalProperties: false - type: object - properties: - path: - type: string - required: - - path - type: - default: string - maxLength: 1000 - type: string - required: - - name - type: object - id: - type: string - 
managed: - type: boolean - name: - type: string - namespaces: - items: - type: string - type: array - runtimeFieldMap: - additionalProperties: - anyOf: - - additionalProperties: false - type: object - properties: - customDescription: - maxLength: 300 - type: string - customLabel: - type: string - format: - additionalProperties: false - type: object - properties: - id: - type: string - params: - nullable: true - required: - - params - popularity: - minimum: 0 - type: number - script: - additionalProperties: false - type: object - properties: - source: - type: string - required: - - source - type: - enum: - - keyword - - long - - double - - date - - ip - - boolean - - geo_point - type: string - required: - - type - - additionalProperties: false - type: object - properties: - fields: - additionalProperties: - additionalProperties: false - type: object - properties: - customDescription: - maxLength: 300 - type: string - customLabel: - type: string - format: - additionalProperties: false - type: object - properties: - id: - type: string - params: - nullable: true - required: - - params - popularity: - minimum: 0 - type: number - type: - enum: - - keyword - - long - - double - - date - - ip - - boolean - - geo_point - type: string - required: - - type - type: object - script: - additionalProperties: false - type: object - properties: - source: - type: string - required: - - source - type: - enum: - - composite - type: string - required: - - type - type: object - sourceFilters: - items: - additionalProperties: false - type: object - properties: - clientId: - anyOf: - - type: string - - type: number - value: - type: string - required: - - value - type: array - timeFieldName: - type: string - title: - type: string - type: - type: string - typeMeta: - additionalProperties: true - type: object - properties: {} - version: - type: string - required: - - title - query: - additionalProperties: false - type: object - properties: - language: - type: string - query: - type: string - 
required: - - language - - query required: - - index - - query - required: - - criteria - - searchConfiguration - title: Custom Threshold Rule Params - type: object - rule_type_id: - enum: - - observability.rules.custom_threshold - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Custom threshold - type: object - Kibana_HTTP_APIs_output_elasticsearch: - additionalProperties: true - properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true - type: string - hosts: - items: - format: uri - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: - type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - preset: - enum: - - balanced - - custom - - throughput - - scale - - latency - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: true - type: object - properties: - ssl: - additionalProperties: true - type: object - properties: - key: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - type: - enum: - - elasticsearch - type: string - write_to_logs_streams: - nullable: true - type: boolean - required: - - name - - type - - hosts - title: output_elasticsearch - type: object - Kibana_HTTP_APIs_output_kafka: - additionalProperties: true - properties: - allow_edit: - items: + - savedObjectIds + description: The IDs of the Timelines or Timeline templates to delete. 
+ required: true + responses: + '200': + content: + application/json: + examples: + success: + summary: Success + value: {} + schema: + additionalProperties: true + type: object + description: Indicates a successful call. + summary: Delete Timelines or Timeline templates + tags: + - Security Timeline API + - access:securitySolution + get: + description: Get the details of an existing saved Timeline or Timeline template. + operationId: GetTimeline + parameters: + - description: The `savedObjectId` of the Timeline template to retrieve. + in: query + name: template_timeline_id + schema: type: string - maxItems: 1000 - type: array - auth_type: - enum: - - none - - user_pass - - ssl - - kerberos - type: string - broker_timeout: - type: number - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - client_id: - type: string - compression: - enum: - - gzip - - snappy - - lz4 - - none - type: string - compression_level: - type: number - config_yaml: - nullable: true - type: string - connection_type: - enum: - - plaintext - - encryption - type: string - hash: - additionalProperties: true - type: object - properties: - hash: - type: string - random: - type: boolean - headers: - items: - additionalProperties: true - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - hosts: - items: + - description: The `savedObjectId` of the Timeline to retrieve. 
+ in: query + name: id + schema: type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - key: - type: string - name: - type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - partition: - enum: - - random - - round_robin - - hash - type: string - password: - nullable: true - type: string - proxy_id: - nullable: true - type: string - random: - additionalProperties: true - type: object - properties: - group_events: - type: number - required_acks: - enum: - - 1 - - 0 - - -1 - type: integer - round_robin: - additionalProperties: true - type: object - properties: - group_events: - type: number - sasl: - additionalProperties: true - nullable: true - type: object - properties: - mechanism: - enum: - - PLAIN - - SCRAM-SHA-256 - - SCRAM-SHA-512 - type: string - secrets: - additionalProperties: true - type: object - properties: - password: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: true + responses: + '200': + content: + application/json: + examples: + timelineDetail: + summary: Timeline detail + value: + description: User-reported suspicious email + noteIds: [] + pinnedEventIds: [] + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Phishing investigation + version: WzE0LDFd + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. + summary: Get Timeline or Timeline template details + tags: + - Security Timeline API + - access:securitySolution + patch: + description: >- + Update an existing Timeline. 
You can update the title, description, date + range, pinned events, pinned queries, and/or pinned saved queries of an + existing Timeline. + operationId: PatchTimeline + requestBody: + content: + application/json: + examples: + patchTitle: + summary: Update title + value: + timeline: + title: Escalated case review + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzE0LDFd + schema: type: object properties: - key: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + description: >- + The timeline object of the Timeline or Timeline template + that you’re updating. + timelineId: + description: >- + The `savedObjectId` of the Timeline or Timeline template + that you’re updating. + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + nullable: true + type: string + version: + description: >- + The version of the Timeline or Timeline template that you’re + updating. 
+ example: WzE0LDFd + nullable: true + type: string required: - - key - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - timeout: - type: number - topic: - type: string - type: - enum: - - kafka - type: string - username: - nullable: true - type: string - version: - type: string - required: - - name - - type - - hosts - - auth_type - title: output_kafka - type: object - Kibana_HTTP_APIs_output_logstash: - additionalProperties: true - properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true - type: string - hosts: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: - type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: true - type: object - properties: - ssl: - additionalProperties: true + - timelineId + - version + - timeline + description: The Timeline updates, along with the Timeline ID and version. + required: true + responses: + '200': + content: + application/json: + examples: + patched: + summary: Updated timeline + value: + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Escalated case review + version: WzE1LDFd + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_PersistTimelineResponse + description: Indicates a successful call. 
+ '405': + content: + application/json: + examples: + error: + summary: Error body + value: + body: update timeline error + statusCode: 405 + schema: + type: object + properties: + body: + description: The error message. + example: update timeline error + type: string + statusCode: + example: 405 + type: number + description: >- + Indicates that the user does not have the required access to create + a Timeline. + summary: Update a Timeline + tags: + - Security Timeline API + - access:securitySolution + post: + description: Create a new Timeline or Timeline template. + operationId: CreateTimelines + requestBody: + content: + application/json: + examples: + createDefault: + summary: Create a default timeline + value: + timeline: + status: active + timelineType: default + title: Malware containment + schema: type: object properties: - key: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - type: - enum: - - logstash - type: string - required: - - name - - type - - hosts - title: output_logstash - type: object - Kibana_HTTP_APIs_output_remote_elasticsearch: - additionalProperties: true - properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true - type: string - hosts: - items: - format: uri - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - kibana_api_key: - nullable: true - type: string - kibana_url: - nullable: true - type: 
string - name: - type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - preset: - enum: - - balanced - - custom - - throughput - - scale - - latency - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: true - type: object - properties: - service_token: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: true + status: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' + nullable: true + templateTimelineId: + description: A unique identifier for the Timeline template. + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true + type: string + templateTimelineVersion: + description: Timeline template version number. + example: 12 + nullable: true + type: number + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + timelineId: + description: A unique identifier for the Timeline. + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true + type: string + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + version: + nullable: true + type: string + required: + - timeline + description: >- + The required Timeline fields used to create a new Timeline, along with + optional fields that will be created if not provided. + required: true + responses: + '200': + content: + application/json: + examples: + created: + summary: Created timeline + value: + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Malware containment + version: WzE0LDFd + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_PersistTimelineResponse + description: Indicates a successful call. 
+ '405': + content: + application/json: + examples: + error: + summary: Error body + value: + body: update timeline error + statusCode: 405 + schema: + type: object + properties: + body: + description: The error message + example: update timeline error + type: string + statusCode: + example: 405 + type: number + description: Indicates that there was an error in the Timeline creation. + summary: Create a Timeline or Timeline template + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/_copy: + post: + description: | + Copies and returns a timeline or timeline template. + operationId: CopyTimeline + requestBody: + content: + application/json: + examples: + copyWithTitle: + summary: Copy with a new title + value: + timeline: + timelineType: default + title: Copy of investigation + timelineIdToCopy: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + schema: type: object properties: - key: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - service_token: - nullable: true - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - sync_integrations: - type: boolean - sync_uninstalled_integrations: - type: boolean - type: - enum: - - remote_elasticsearch - type: string - write_to_logs_streams: - nullable: true - type: boolean - required: - - name - - type - - hosts - title: output_remote_elasticsearch - type: object - Kibana_HTTP_APIs_output_shipper: - additionalProperties: true - properties: - compression_level: - nullable: true - type: number - disk_queue_compression_enabled: - nullable: true - type: boolean - disk_queue_enabled: - default: false - nullable: true - type: boolean - disk_queue_encryption_enabled: - nullable: true - type: boolean - disk_queue_max_size: - nullable: true - type: number - 
disk_queue_path: - nullable: true - type: string - loadbalance: - nullable: true - type: boolean - max_batch_bytes: - nullable: true - type: number - mem_queue_events: - nullable: true - type: number - queue_flush_timeout: - nullable: true - type: number - required: - - disk_queue_path - - disk_queue_max_size - - disk_queue_encryption_enabled - - disk_queue_compression_enabled - - compression_level - - loadbalance - - mem_queue_events - - queue_flush_timeout - - max_batch_bytes - title: output_shipper - type: object - Kibana_HTTP_APIs_output_ssl: - additionalProperties: true - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - verification_mode: - enum: - - full - - none - - certificate - - strict - type: string - title: output_ssl - type: object - Kibana_HTTP_APIs_QueryStreamUpsertRequest: - additionalProperties: false - type: object - properties: - dashboards: - items: + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + timelineIdToCopy: + description: >- + The `savedObjectId` of the timeline or template to + duplicate. + type: string + required: + - timeline + - timelineIdToCopy + description: >- + Source timeline id to copy plus timeline fields for the new saved + object. + required: true + responses: + '200': + content: + application/json: + examples: + copied: + summary: Newly saved timeline + value: + savedObjectId: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + status: active + timelineType: default + title: Copy of investigation + version: WzE1LDFd + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_PersistTimelineResponse + description: Indicates a successful call. + summary: Copies timeline or timeline template + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/_draft: + get: + description: >- + Get the details of the draft Timeline or Timeline template for the + current user. 
If the user doesn't have a draft Timeline, an empty + Timeline is returned. + operationId: GetDraftTimelines + parameters: + - description: >- + Which draft to load (`default` investigation timeline or `template` + timeline template). + in: query + name: timelineType + required: true + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + responses: + '200': + content: + application/json: + examples: + draftPayload: + summary: Draft timeline payload + value: + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: draft + timelineType: default + title: '' + version: WzE0LDFd + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_PersistTimelineResponse + description: Indicates a successful call. + '403': + content: + application/json: + examples: + forbidden: + summary: Permission denied + value: + message: Forbidden + status_code: 403 + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + If a draft Timeline was not found and we attempted to create one, it + indicates that the user does not have the required permissions to + create a draft Timeline. + '409': + content: + application/json: + examples: + conflict: + summary: Draft conflict + value: + message: Conflict + status_code: 409 + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + This should never happen, but if a draft Timeline was not found and + we attempted to create one, it indicates that there is already a + draft Timeline with the given `timelineId`. + summary: Get draft Timeline or Timeline template details + tags: + - Security Timeline API + - access:securitySolution + post: + description: > + Create a clean draft Timeline or Timeline template for the current user. + + > info + + > If the user already has a draft Timeline, the existing draft Timeline + is cleared and returned. 
+ operationId: CleanDraftTimelines + requestBody: + content: + application/json: + examples: + defaultDraft: + summary: Create a default draft timeline + value: + timelineType: default + schema: + type: object + properties: + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + required: + - timelineType + description: >- + The type of Timeline to create. Valid values are `default` and + `template`. + required: true + responses: + '200': + content: + application/json: + examples: + draftResponse: + summary: Draft after reset or creation + value: + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: draft + templateTimelineId: null + templateTimelineVersion: null + timelineType: default + title: '' + version: WzE0LDFd + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_PersistTimelineResponse + description: Indicates a successful call. + '403': + content: + application/json: + examples: + forbidden: + summary: Permission denied + value: + message: Forbidden + status_code: 403 + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + Indicates that the user does not have the required permissions to + create a draft Timeline. + '409': + content: + application/json: + examples: + conflict: + summary: Draft conflict + value: + message: Conflict + status_code: 409 + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + Indicates that there is already a draft Timeline with the given + `timelineId`. + summary: Create a clean draft Timeline or Timeline template + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/_export: + post: + description: Export Timelines as an NDJSON file. 
+ operationId: ExportTimelines + parameters: + - description: The name of the file to export + in: query + name: file_name + required: true + schema: type: string - type: array - queries: - items: - type: object - properties: - description: + requestBody: + content: + application/json: + examples: + exportIds: + summary: Export by timeline ids + value: + ids: + - 15c1929b-0af7-42bd-85a8-56e234cc7c4e + schema: + type: object + properties: + ids: + items: + type: string + maxItems: 1000 + minItems: 1 + nullable: true + type: array + description: The IDs of the Timelines to export. + required: true + responses: + '200': + content: + application/ndjson: + examples: + ndjsonLine: + summary: Single NDJSON line + value: >- + {"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd","title":"Investigation","timelineType":"default"} + schema: + description: NDJSON of the exported Timelines type: string - esql: + description: Indicates a successful call. + '400': + content: + application/ndjson: + examples: + badRequest: + summary: Export error + value: + body: Export limit exceeded + statusCode: 400 + schema: type: object properties: - query: + body: type: string - required: - - query - evidence: - items: - type: string - type: array - id: - description: A non-empty string. - minLength: 1 - type: string - severity_score: - type: number - title: - description: A non-empty string. - minLength: 1 - type: string - type: - default: match - enum: - - match - - stats - type: string - required: - - id - - title - - description - - esql - type: array - rules: - items: - type: string - type: array - stream: - additionalProperties: false - type: object - properties: - description: - type: string - field_descriptions: - additionalProperties: - type: string - type: object - query: - additionalProperties: false + statusCode: + type: number + description: Bad Request response. 
+ summary: Export Timelines + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/_favorite: + patch: + description: Favorite a Timeline or Timeline template for the current user. + operationId: PersistFavoriteRoute + requestBody: + content: + application/json: + examples: + favoriteDefault: + summary: Favorite a default timeline + value: + templateTimelineId: null + templateTimelineVersion: null + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + timelineType: default + schema: type: object properties: - esql: + templateTimelineId: + nullable: true type: string - view: + templateTimelineVersion: + nullable: true + type: number + timelineId: + nullable: true type: string + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true required: - - view - - esql - query_streams: - items: + - timelineId + - templateTimelineId + - templateTimelineVersion + - timelineType + description: The required fields used to favorite a (template) Timeline. + required: true + responses: + '200': + content: + application/json: + examples: + favoriteResponse: + summary: Favorite metadata updated + value: + favorite: + - favoriteDate: 1741337636741 + userName: elastic + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + timelineType: default + version: WzE2LDFd + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_FavoriteTimelineResponse + description: Indicates a successful call. 
+ '403': + content: + application/json: + examples: + forbidden: + summary: Forbidden + value: + body: Forbidden + statusCode: 403 + schema: type: object properties: - name: + body: type: string - required: - - name - type: array - type: - enum: - - query - type: string - required: - - description - - type - - query - required: - - dashboards - - rules - - queries - - stream - Kibana_HTTP_APIs_RecursiveRecord: - additionalProperties: - anyOf: - - anyOf: - - type: string - - type: number - - type: boolean - - nullable: true - - {} - - items: - anyOf: - - type: string - - type: number - - type: boolean - - nullable: true - - {} - type: array - - items: {} - type: array - - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' - type: object - Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + statusCode: + type: number + description: >- + Indicates the user does not have the required permissions to persist + the favorite status. + summary: Favorite a Timeline or Timeline template + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/_import: + post: + description: Import Timelines. 
+ operationId: ImportTimelines + requestBody: + content: + application/json: + examples: + multipartPlaceholder: + summary: Request shape (file is a stream of NDJSON lines at runtime) + value: + file: >- + {"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd"}\n + isImmutable: 'false' + schema: + type: object + properties: + file: {} + isImmutable: + description: Whether the Timeline should be immutable + enum: + - 'true' + - 'false' + type: string + required: + - file + description: The Timelines to import as a readable stream. + required: true + responses: + '200': + content: + application/json: + examples: + importSummary: + summary: Import summary + value: + errors: [] + success: true + success_count: 5 + timelines_installed: 3 + timelines_updated: 2 + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_ImportTimelineResult + description: Indicates a successful call. + '400': + content: + application/json: + examples: + badRequest: + summary: Invalid import + value: + body: Invalid file extension + statusCode: 400 + schema: type: object properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. 
- enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false + body: + description: The error message + example: Invalid file extension + type: string + statusCode: + example: 400 + type: number + description: Bad Request response. 
+ '404': + content: + application/json: + examples: + notFound: + summary: Saved objects client missing + value: + body: Unable to find saved object client + statusCode: 404 + schema: type: object properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true + body: + description: The error message + example: Unable to find saved object client type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. 
- type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false + statusCode: + example: 404 + type: number + description: Not found response. + '409': + content: + application/json: + examples: + conflict: + summary: Import conflict + value: + body: Could not import timelines + statusCode: 409 + schema: type: object properties: - id: + body: + description: The error message + example: Could not import timelines type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false + statusCode: + example: 409 + type: number + description: Indicates the import of Timelines was unsuccessful. + summary: Import Timelines + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/_prepackaged: + post: + description: Install or update prepackaged Timelines. 
+ operationId: InstallPrepackedTimelines + requestBody: + content: + application/json: + examples: + emptyArrays: + summary: Installer payload shape + value: + prepackagedTimelines: [] + timelinesToInstall: [] + timelinesToUpdate: [] + schema: type: object properties: - blob: - maxLength: 10000 - type: string + prepackagedTimelines: + items: + $ref: >- + #/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject + nullable: true + type: array + timelinesToInstall: + items: + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' + nullable: true + type: array + timelinesToUpdate: + items: + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' + nullable: true + type: array required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. 
While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the slo burn rate rule. These parameters are appropriate when `rule_type_id` is `slo.rules.burnRate`. - properties: - dependencies: - items: - additionalProperties: false + - timelinesToInstall + - timelinesToUpdate + - prepackagedTimelines + description: The Timelines to install or update. + required: true + responses: + '200': + content: + application/json: + examples: + installResult: + summary: Install result counts + value: + errors: [] + success: true + success_count: 10 + timelines_installed: 8 + timelines_updated: 2 + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_ImportTimelineResult + description: Indicates a successful call. + '500': + content: + application/json: + examples: + serverError: + summary: Server error + value: + body: Internal error + statusCode: 500 + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: >- + Indicates the installation of prepackaged Timelines was + unsuccessful. 
+ summary: Install prepackaged Timelines + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/resolve: + get: + description: >- + Resolve a Timeline or Timeline template, surfacing outcomes such as + `exactMatch`, `aliasMatch`, or `conflict` when object IDs have been + remapped during upgrades or imports. Provide **either** `id` for default + Timelines or `template_timeline_id` for templates. + operationId: ResolveTimeline + parameters: + - description: The ID of the template timeline to resolve + in: query + name: template_timeline_id + schema: + type: string + - description: The ID of the timeline to resolve + in: query + name: id + schema: + type: string + responses: + '200': + content: + application/json: + examples: + exactMatch: + description: Timeline resolved without alias or conflict + summary: Exact match outcome + value: + outcome: exactMatch + timeline: + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + timelineType: default + title: Investigation + schema: + $ref: '#/components/schemas/Security_Timeline_API_ResolvedTimeline' + description: Indicates a successful call. + '400': + content: + application/json: + examples: + badRequest: + summary: Bad request + value: {} + schema: + additionalProperties: true + type: object + description: Bad Request response. + '404': + content: + application/json: + examples: + notFound: + summary: Not found + value: {} + schema: + additionalProperties: true + type: object + description: The (template) Timeline was not found + summary: Resolve a Timeline or Timeline template + tags: + - Security Timeline API + - access:securitySolution + /api/timelines: + get: + description: Get a list of all saved Timelines or Timeline templates. + operationId: GetTimelines + parameters: + - description: >- + If `true`, only Timelines that the current user has marked as + favorite are returned. 
+ in: query + name: only_user_favorite + schema: + enum: + - 'true' + - 'false' + nullable: true + type: string + - description: >- + Restrict results to `default` investigation timelines or `template` + timeline templates. + in: query + name: timeline_type + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + - description: >- + Field used to sort the list (`title`, `description`, `updated`, or + `created`). + in: query + name: sort_field + schema: + $ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline' + - description: Whether to sort the results `ascending` or `descending` + in: query + name: sort_order + schema: + enum: + - asc + - desc + type: string + - description: How many results should returned at once + in: query + name: page_size + schema: + nullable: true + type: string + - description: How many pages should be skipped + in: query + name: page_index + schema: + nullable: true + type: string + - description: Allows to search for timelines by their title + in: query + name: search + schema: + nullable: true + type: string + - description: >- + Filter by timeline lifecycle state (`active`, `draft`, or + `immutable`). 
+ in: query + name: status + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' + nullable: true + responses: + '200': + content: + application/json: + examples: + timelineList: + summary: Example list response + value: + customTemplateTimelineCount: 0 + defaultTimelineCount: 1 + elasticTemplateTimelineCount: 0 + favoriteCount: 0 + templateTimelineCount: 0 + timeline: + - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Phishing investigation + updated: 1741344876825 + version: WzE0LDFd + totalCount: 1 + schema: type: object properties: - actionGroupsToSuppressOn: + customTemplateTimelineCount: + description: The amount of custom Timeline templates in the results + example: 2 + type: number + defaultTimelineCount: + description: The amount of `default` type Timelines in the results + example: 90 + type: number + elasticTemplateTimelineCount: + description: The amount of Elastic's Timeline templates in the results + example: 8 + type: number + favoriteCount: + description: The amount of favorited Timelines + example: 5 + type: number + templateTimelineCount: + description: The amount of Timeline templates in the results + example: 10 + type: number + timeline: items: - type: string + $ref: >- + #/components/schemas/Security_Timeline_API_TimelineResponse type: array - ruleId: - type: string + totalCount: + description: The total amount of results + example: 100 + type: number required: - - ruleId - - actionGroupsToSuppressOn - type: array - sloId: - type: string - windows: - items: - additionalProperties: false + - timeline + - totalCount + description: Indicates a successful call. + '400': + content: + application/json: + examples: + badRequest: + summary: Error response body + value: + body: get timeline error + statusCode: 400 + schema: type: object properties: - actionGroup: - type: string - burnRateThreshold: - type: number - id: + body: + description: The error message. 
+ example: get timeline error type: string - longWindow: - additionalProperties: false - type: object - properties: - unit: - type: string - value: - type: number - required: - - value - - unit - maxBurnRateThreshold: - nullable: true + statusCode: + example: 400 type: number - shortWindow: - additionalProperties: false - type: object - properties: - unit: - type: string - value: - type: number - required: - - value - - unit - required: - - id - - burnRateThreshold - - maxBurnRateThreshold - - longWindow - - shortWindow - - actionGroup - type: array - required: - - sloId - - windows - title: SLO Burn Rate Rule Params - type: object - rule_type_id: - enum: - - slo.rules.burnRate - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. + description: Bad Request response. + summary: Get Timelines or Timeline templates + tags: + - Security Timeline API + - access:securitySolution + /s/{spaceId}/api/observability/slos: + get: + description: > + You must have the `read` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: findSlosOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - description: A valid kql query to filter the SLO with + example: 'slo.name:latency* and slo.tags : "prod"' + in: query + name: kqlQuery + schema: + type: string + - description: >- + The page size to use for cursor-based pagination, must be greater or + equal than 1 + example: 1 + in: query + name: size + schema: + default: 1 + type: integer + - description: >- + The cursor to use for fetching the results from, when using a + cursor-base pagination. 
+ in: query + name: searchAfter + schema: + items: type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: + type: array + - description: The page to use for pagination, must be greater or equal than 1 + example: 1 + in: query + name: page + schema: + default: 1 + type: integer + - description: Number of SLOs returned by page + example: 25 + in: query + name: perPage + schema: + default: 25 + maximum: 5000 + type: integer + - description: Sort by field + example: status + in: query + name: sortBy + schema: + default: status + enum: + - sli_value + - status + - error_budget_consumed + - error_budget_remaining + type: string + - description: Sort order + example: asc + in: query + name: sortDirection + schema: + default: asc + enum: + - asc + - desc + type: string + - description: >- + Hide stale SLOs from the list as defined by stale SLO threshold in + SLO settings + in: query + name: hideStale + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + findSloResponse: + summary: A paginated list of SLOs + value: + page: 1 + perPage: 25 + results: + - budgetingMethod: occurrences + createdAt: '2025-01-12T10:03:19.000Z' + description: Availability of my web service + enabled: true + groupBy: '*' + id: 8853df00-ae2e-11ed-90af-09bb6422b258 + indicator: + params: + filter: >- + field.environment : "production" and service.name + : "my-service" + good: 'request.status_code : "2xx"' + index: logs-* + timestampField: '@timestamp' + total: 'request.status_code : *' + type: sli.kql.custom + instanceId: '*' + name: My Service Availability + objective: + target: 0.99 + revision: 1 + settings: + frequency: 5m + syncDelay: 5m + summary: + errorBudget: + consumed: 0.17 + initial: 0.01 + isEstimated: false + remaining: 0.83 + sliValue: 0.9983 + status: HEALTHY + tags: + - production + - web-service + timeWindow: + duration: 30d + type: rolling + updatedAt: '2025-01-12T10:03:19.000Z' + version: 2 + 
total: 42 + schema: + $ref: '#/components/schemas/SLOs_find_slo_response' + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''invalid'' supplied to: sortBy' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: >- + security_exception: unable to authenticate user for REST + request [/api/observability/slos] + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: >- + security_exception: action [slo_read] is unauthorized for + user + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Get a paginated list of SLOs + tags: + - slo + post: + description: > + You must have `all` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. 
+ operationId: createSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + requestBody: + content: + application/json: + examples: + createSloKqlExample: + summary: Create an SLO with a KQL indicator + value: + budgetingMethod: occurrences + description: >- + Availability of my web service measured by successful HTTP + responses + indicator: + params: + filter: >- + field.environment : "production" and service.name : + "my-service" + good: 'request.status_code : "2xx"' + index: logs-* + timestampField: '@timestamp' + total: 'request.status_code : *' + type: sli.kql.custom + name: My Service Availability + objective: + target: 0.99 + settings: + frequency: 5m + syncDelay: 5m + tags: + - production + - web-service + timeWindow: + duration: 30d + type: rolling + schema: + $ref: '#/components/schemas/SLOs_create_slo_request' + required: true + responses: + '200': + content: + application/json: + examples: + createSloResponse: + summary: Create SLO response + value: + id: 8853df00-ae2e-11ed-90af-09bb6422b258 + schema: + $ref: '#/components/schemas/SLOs_create_slo_response' + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: indicator/type' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: >- + security_exception: unable to authenticate user for REST + request [/api/observability/slos] + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: >- + security_exception: action 
[slo_write] is unauthorized for + user + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '409': + content: + application/json: + examples: + conflictExample: + summary: Conflict + value: + error: Conflict + message: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists + statusCode: 409 + schema: + $ref: '#/components/schemas/SLOs_409_response' + description: Conflict - The SLO id already exists + summary: Create an SLO + tags: + - slo + /s/{spaceId}/api/observability/slos/_bulk_delete: + post: + description: > + Bulk delete SLO definitions and their associated summary and rollup + data. This endpoint initiates a bulk deletion operation for SLOs, which + may take some time to complete. The status of the operation can be + checked using the `GET /api/slo/_bulk_delete/{taskId}` endpoint. + operationId: bulkDeleteOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + requestBody: + content: + application/json: + examples: + bulkDeleteRequest: + summary: Bulk delete two SLOs + value: + list: + - 8853df00-ae2e-11ed-90af-09bb6422b258 + - d077e940-1515-11ee-9c50-9d096392f520 + schema: + $ref: '#/components/schemas/SLOs_bulk_delete_request' + required: true + responses: + '200': + content: + application/json: + examples: + bulkDeleteResponse: + summary: Bulk delete response with task ID + value: + taskId: d08506b7-f0e8-4f8b-a06a-a83940f4db91 + schema: + $ref: '#/components/schemas/SLOs_bulk_delete_response' + description: Successful response + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: list' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: 
Unauthorized + message: >- + security_exception: unable to authenticate user for REST + request [/api/observability/slos] + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: >- + security_exception: action [slo_write] is unauthorized for + user + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + summary: >- + Bulk delete SLO definitions and their associated summary and rollup + data. + tags: + - slo + /s/{spaceId}/api/observability/slos/_bulk_delete/{taskId}: + get: + description: > + Retrieve the status of the bulk deletion operation for SLOs. This + endpoint returns the status of the bulk deletion operation, including + whether it is completed and the results of the operation. + operationId: bulkDeleteStatusOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - description: The task id of the bulk delete operation + in: path + name: taskId + required: true + schema: + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + responses: + '200': + content: + application/json: + examples: + bulkDeleteStatusComplete: + summary: Completed bulk deletion + value: + isDone: true + results: + - id: 8853df00-ae2e-11ed-90af-09bb6422b258 + success: true + - id: d077e940-1515-11ee-9c50-9d096392f520 + success: true + bulkDeleteStatusPartialFailure: + summary: Completed with partial failure + value: + isDone: true + results: + - id: 8853df00-ae2e-11ed-90af-09bb6422b258 + success: true + - error: SLO [d077e940-1515-11ee-9c50-9d096392f520] not found + id: d077e940-1515-11ee-9c50-9d096392f520 + success: false + schema: + $ref: '#/components/schemas/SLOs_bulk_delete_status_response' + description: Successful response + '400': + content: + application/json: + 
examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: taskId' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: >- + security_exception: unable to authenticate user for REST + request [/api/observability/slos] + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: >- + security_exception: action [slo_write] is unauthorized for + user + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + summary: Retrieve the status of the bulk deletion + tags: + - slo + /s/{spaceId}/api/observability/slos/_bulk_purge_rollup: + post: + description: > + The deletion occurs for the specified list of `sloId`. You must have + `all` privileges for the **SLOs** feature in the **Observability** + section of the Kibana feature privileges. 
+ operationId: deleteRollupDataOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + requestBody: + content: + application/json: + examples: + purgeByAgeExample: + summary: Purge rollup data older than 7 days + value: + list: + - 8853df00-ae2e-11ed-90af-09bb6422b258 + purgePolicy: + age: 7d + purgeType: fixed-age + purgeByTimestampExample: + summary: Purge rollup data before a specific date + value: + list: + - 8853df00-ae2e-11ed-90af-09bb6422b258 + - d077e940-1515-11ee-9c50-9d096392f520 + purgePolicy: + purgeType: fixed-time + timestamp: '2024-12-31T00:00:00.000Z' + schema: + $ref: '#/components/schemas/SLOs_bulk_purge_rollup_request' + required: true + responses: + '200': + content: + application/json: + examples: + bulkPurgeResponse: + summary: Bulk purge response with task ID + value: + taskId: 8853df00-ae2e-11ed-90af-09bb6422b258 + schema: + $ref: '#/components/schemas/SLOs_bulk_purge_rollup_response' + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: purgePolicy/purgeType' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: >- + security_exception: unable to authenticate user for REST + request [/api/observability/slos] + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: >- + security_exception: action [slo_write] is unauthorized for + user + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + summary: 
Batch delete rollup and summary data + tags: + - slo + /s/{spaceId}/api/observability/slos/_delete_instances: + post: + description: > + The deletion occurs for the specified list of `sloId` and `instanceId`. + You must have `all` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: deleteSloInstancesOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + requestBody: + content: + application/json: + examples: + deleteInstancesExample: + summary: Delete specific SLO instances + value: + list: + - instanceId: host-abc123 + sloId: 8853df00-ae2e-11ed-90af-09bb6422b258 + - instanceId: host-def456 + sloId: 8853df00-ae2e-11ed-90af-09bb6422b258 + schema: + $ref: '#/components/schemas/SLOs_delete_slo_instances_request' + required: true + responses: + '204': + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: list/0/sloId' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: >- + security_exception: unable to authenticate user for REST + request [/api/observability/slos] + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: >- + security_exception: action [slo_write] is unauthorized for + user + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + summary: Batch delete rollup and summary data + tags: + - slo + /s/{spaceId}/api/observability/slos/{sloId}: + 
delete: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: deleteSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '204': + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: id' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: >- + security_exception: unable to authenticate user for REST + request [/api/observability/slos] + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: >- + security_exception: action [slo_write] is unauthorized for + user + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Delete an SLO + tags: + - slo + get: + description: > + You must have the `read` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. 
+ operationId: getSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + - description: the specific instanceId used by the summary calculation + example: host-abcde + in: query + name: instanceId + schema: type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: SLO burn rate - type: object - Kibana_HTTP_APIs_StreamlangConditionBlock: - additionalProperties: false - type: object - properties: - condition: - $ref: '#/components/schemas/Kibana_HTTP_APIs_ConditionWithSteps' - customIdentifier: - type: string - required: - - condition - Kibana_HTTP_APIs_StreamlangStep: - anyOf: - - anyOf: - - additionalProperties: false - description: Grok processor - Extract fields from text using grok patterns - type: object - properties: - action: - enum: - - grok - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - description: Source field to parse with grok patterns - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - description: Skip processing when source field is missing - type: boolean - pattern_definitions: - additionalProperties: - type: string - type: object - patterns: - description: Grok patterns applied in 
order to extract fields - items: - description: A non-empty string. - minLength: 1 - type: string - minItems: 1 - type: array - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - patterns - - additionalProperties: false - description: Dissect processor - Extract fields from text using a lightweight, delimiter-based parser - type: object - properties: - action: - enum: - - dissect - type: string - append_separator: - description: Separator inserted when target fields are concatenated - minLength: 1 - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - description: Source field to parse with dissect pattern - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - description: Skip processing when source field is missing - type: boolean - pattern: - description: Dissect pattern describing field boundaries - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - pattern - - additionalProperties: false - description: Date processor - Parse dates from strings using one or more expected formats - type: object - properties: - action: - enum: - - date - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - formats: - description: Accepted input date formats, tried in order - items: - description: A non-empty string. 
- minLength: 1 - type: string - type: array - from: - description: Source field containing the date/time text - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - locale: - description: Optional locale for date parsing - minLength: 1 - type: string - output_format: - description: Optional output format for storing the parsed date as text - minLength: 1 - type: string - timezone: - description: Optional timezone for date parsing - minLength: 1 - type: string - to: - description: Target field for the parsed date (defaults to source) - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - formats - - additionalProperties: false - type: object - properties: - action: - enum: - - drop_document - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - additionalProperties: false - type: object - properties: - action: - enum: - - math - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - expression: - description: A non-empty string. 
- minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - type: boolean - to: - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - expression - - to - - additionalProperties: false - description: Rename processor - Change a field name and optionally its location - type: object - properties: - action: - enum: - - rename - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - description: Existing source field to rename or move - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - description: Skip when source field is missing - type: boolean - override: - description: Allow overwriting the target field if it already exists - type: boolean - to: - description: New field name or destination path - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - to - - additionalProperties: false - description: Set processor - Assign a literal or copied value to a field (mutually exclusive inputs) - type: object - properties: - action: - enum: - - set - type: string - copy_from: - description: Copy value from another field instead of providing a literal - minLength: 1 - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - 
ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - override: - description: Allow overwriting an existing target field - type: boolean - to: - description: Target field to set or create - minLength: 1 - type: string + responses: + '200': + content: + application/json: + examples: + getSloResponse: + summary: Get SLO response + value: + budgetingMethod: occurrences + createdAt: '2025-01-12T10:03:19.000Z' + description: Availability of my web service + enabled: true + groupBy: '*' + id: 8853df00-ae2e-11ed-90af-09bb6422b258 + indicator: + params: + filter: >- + field.environment : "production" and service.name : + "my-service" + good: 'request.status_code : "2xx"' + index: logs-* + timestampField: '@timestamp' + total: 'request.status_code : *' + type: sli.kql.custom + instanceId: '*' + name: My Service Availability + objective: + target: 0.99 + revision: 1 + settings: + frequency: 5m + syncDelay: 5m + summary: + errorBudget: + consumed: 0.17 + initial: 0.01 + isEstimated: false + remaining: 0.83 + sliValue: 0.9983 + status: HEALTHY + tags: + - production + - web-service + timeWindow: + duration: 30d + type: rolling + updatedAt: '2025-01-12T10:03:19.000Z' + version: 2 + schema: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: id' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: >- + security_exception: unable to authenticate user for REST + request [/api/observability/slos] + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + 
application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: >- + security_exception: action [slo_read] is unauthorized for + user + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Get an SLO + tags: + - slo + put: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: updateSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + requestBody: + content: + application/json: + examples: + updateSloNameExample: + summary: Update the SLO name and tags value: - description: Literal value to assign to the target field - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - to - - additionalProperties: false - description: Append processor - Append one or more values to an existing or new array field - type: object - properties: - action: - enum: - - append - type: string - allow_duplicates: - description: If true, do not deduplicate appended values - type: boolean - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - to: - description: Array field to append values to 
- minLength: 1 - type: string + name: Updated Service Availability + tags: + - production + - updated + updateSloObjectiveExample: + summary: Update the SLO objective value: - description: Values to append (must be literal, no templates) - items: {} - minItems: 1 - type: array - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - to - - value - - additionalProperties: false - description: Remove by prefix processor - Remove a field and all nested fields matching the prefix - type: object - properties: - action: - enum: - - remove_by_prefix - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - description: Field to remove along with all its nested fields - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - required: - - action - - from - - additionalProperties: false - description: Remove processor - Delete one or more fields from the document - type: object - properties: - action: - enum: - - remove - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - description: Field to remove from the document - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - description: Skip processing when source field is missing - type: boolean - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - 
additionalProperties: false - type: object - properties: - action: - enum: - - replace - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - type: boolean - pattern: - minLength: 1 - type: string - replacement: - type: string - to: - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - pattern - - replacement - - additionalProperties: false - description: Redact processor - Mask sensitive data using Grok patterns - type: object - properties: - action: - enum: - - redact - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - description: Source field to redact sensitive data from - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - description: Skip processing when source field is missing (defaults to true) - type: boolean - pattern_definitions: - additionalProperties: - type: string - description: Custom pattern definitions to use in the patterns - type: object - patterns: - description: Grok patterns to match sensitive data (for example, "%{IP:client}", "%{EMAILADDRESS:email}") - items: - description: A non-empty string. 
- minLength: 1 - type: string - minItems: 1 - type: array - prefix: - description: Prefix to prepend to the redacted pattern name (defaults to "<") - type: string - suffix: - description: Suffix to append to the redacted pattern name (defaults to ">") - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - patterns - - additionalProperties: false - type: object - properties: - action: - enum: - - uppercase - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - type: boolean - to: - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - additionalProperties: false - type: object - properties: - action: - enum: - - lowercase - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - type: boolean - to: - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - additionalProperties: false - type: object - properties: - action: - enum: - - trim - type: string - 
customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - type: boolean - to: - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - additionalProperties: false - type: object - properties: - action: - enum: - - join - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - delimiter: - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - items: - minLength: 1 - type: string - minItems: 1 - type: array - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - type: boolean - to: - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - delimiter - - to - - additionalProperties: false - description: Split processor - Split a field value into an array using a separator - type: object - properties: - action: - enum: - - split - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - description: Source field to split into an array - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - 
ignore_missing: - description: Skip processing when source field is missing - type: boolean - preserve_trailing: - description: Preserve empty trailing fields in the split result - type: boolean - separator: - description: Regex separator used to split the field value into an array - minLength: 1 - type: string - to: - description: Target field for the split array (defaults to source) - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - separator - - additionalProperties: false - type: object - properties: - action: - enum: - - sort - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - description: Array field to sort - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - description: Skip processing when source field is missing - type: boolean - order: - description: Sort order - "asc" (ascending) or "desc" (descending). 
Defaults to "asc" - enum: - - asc - - desc - type: string - to: - description: Target field for the sorted array (defaults to source) - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - additionalProperties: false - description: Convert processor - Change the data type of a field value (integer, long, double, boolean, or string) - type: object - properties: - action: - enum: - - convert - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - description: Source field to convert to a different data type - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - description: Skip processing when source field is missing - type: boolean - to: - description: Target field for the converted value (defaults to source) - minLength: 1 - type: string - type: - description: 'Target data type: integer, long, double, boolean, or string' - enum: - - integer - - long - - double - - boolean - - string - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - type - - additionalProperties: false - type: object - properties: - action: - enum: - - concat - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - items: - anyOf: - - type: object - properties: - type: - enum: - - field - type: string - value: - minLength: 1 - type: string - 
required: - - type - - value - - type: object - properties: - type: - enum: - - literal - type: string - value: - type: string - required: - - type - - value - minItems: 1 - type: array - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - type: boolean - to: - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - to - - allOf: - - additionalProperties: false - type: object - properties: - action: - enum: - - network_direction - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - destination_ip: - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - type: boolean - source_ip: - minLength: 1 - type: string - target_field: - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - source_ip - - destination_ip - - anyOf: - - additionalProperties: false - type: object - properties: - internal_networks: - items: - type: string - type: array - required: - - internal_networks - - additionalProperties: false - type: object - properties: - internal_networks_field: - minLength: 1 - type: string - required: - - internal_networks_field - - additionalProperties: false - description: JsonExtract processor - Extract values from JSON strings using JSONPath-like selectors - type: object - properties: - action: - enum: - - json_extract - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - 
minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - extractions: - description: List of extraction specifications - items: - description: A single extraction specification - type: object - properties: - selector: - description: JSONPath-like selector to extract value (e.g., "user.id", "$.metadata.client.ip", "items[0].name") - minLength: 1 - type: string - target_field: - description: Target field to store the extracted value - minLength: 1 - type: string - type: - description: Data type for the extracted value. Defaults to "keyword". Ensures consistent types across transpilers. - enum: - - keyword - - integer - - long - - double - - boolean - type: string - required: - - selector - - target_field - minItems: 1 - type: array - field: - description: Source field containing the JSON string to parse - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - description: Skip processing when source field is missing - type: boolean - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - field - - extractions - - additionalProperties: false - type: object - properties: - action: - enum: - - enrich - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - type: boolean - override: - type: boolean - policy_name: - description: A non-empty string. 
- minLength: 1 - type: string - to: - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - policy_name - - to - - additionalProperties: false - description: Manual ingest pipeline wrapper around native Elasticsearch processors - type: object - properties: - action: - description: Manual ingest pipeline - executes raw Elasticsearch ingest processors - enum: - - manual_ingest_pipeline - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - on_failure: - description: Fallback processors to run when a processor fails - items: - additionalProperties: {} - type: object - type: array - processors: - description: List of raw Elasticsearch ingest processors to run - items: - additionalProperties: {} - type: object - type: array - tag: - description: Optional ingest processor tag for Elasticsearch - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - processors - - $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangConditionBlock' - Kibana_HTTP_APIs_StreamUpsertRequest: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_WiredStreamUpsertRequest' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicStreamUpsertRequest' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_QueryStreamUpsertRequest' - Kibana_HTTP_APIs_transform-health-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined 
conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. 
- items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. 
NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string + objective: + target: 0.995 + schema: + $ref: '#/components/schemas/SLOs_update_slo_request' + required: true + responses: + '200': + content: + application/json: + examples: + updateSloResponse: + summary: Update SLO response + value: + budgetingMethod: occurrences + createdAt: '2025-01-12T10:03:19.000Z' + description: Availability of my web service + enabled: true + groupBy: '*' + id: 8853df00-ae2e-11ed-90af-09bb6422b258 + indicator: + params: + filter: >- + field.environment : "production" and service.name : + "my-service" + good: 'request.status_code : "2xx"' + index: logs-* + timestampField: '@timestamp' + total: 'request.status_code : *' + type: sli.kql.custom + name: Updated Service Availability + objective: + target: 0.99 + revision: 2 + settings: + frequency: 5m + syncDelay: 5m + tags: + - production + - updated + timeWindow: + duration: 30d + type: rolling + updatedAt: '2025-03-26T14:30:00.000Z' + version: 2 + schema: + $ref: '#/components/schemas/SLOs_slo_definition_response' + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: indicator/type' + statusCode: 400 + schema: + $ref: 
'#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: >- + security_exception: unable to authenticate user for REST + request [/api/observability/slos] + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: >- + security_exception: action [slo_write] is unauthorized for + user + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Update an SLO + tags: + - slo + /s/{spaceId}/api/observability/slos/{sloId}/_reset: + post: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. 
+ operationId: resetSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '200': + content: + application/json: + examples: + resetSloResponse: + summary: Reset SLO response + value: + budgetingMethod: occurrences + createdAt: '2025-01-12T10:03:19.000Z' + description: Availability of my web service + enabled: true + groupBy: '*' + id: 8853df00-ae2e-11ed-90af-09bb6422b258 + indicator: + params: + filter: >- + field.environment : "production" and service.name : + "my-service" + good: 'request.status_code : "2xx"' + index: logs-* + timestampField: '@timestamp' + total: 'request.status_code : *' + type: sli.kql.custom + name: My Service Availability + objective: + target: 0.99 + revision: 2 + settings: + frequency: 5m + syncDelay: 5m + tags: + - production + - web-service + timeWindow: + duration: 30d + type: rolling + updatedAt: '2025-03-26T14:30:00.000Z' + version: 2 + schema: + $ref: '#/components/schemas/SLOs_slo_definition_response' + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: id' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: >- + security_exception: unable to authenticate user for REST + request [/api/observability/slos] + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: >- + security_exception: action [slo_write] is unauthorized for + user + statusCode: 403 + schema: + $ref: 
'#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Reset an SLO + tags: + - slo + /s/{spaceId}/api/observability/slos/{sloId}/disable: + post: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: disableSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '204': + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: id' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: >- + security_exception: unable to authenticate user for REST + request [/api/observability/slos] + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: >- + security_exception: action [slo_write] is unauthorized for + user + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not 
found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Disable an SLO + tags: + - slo + /s/{spaceId}/api/observability/slos/{sloId}/enable: + post: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: enableSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '204': + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: id' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: >- + security_exception: unable to authenticate user for REST + request [/api/observability/slos] + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: >- + security_exception: action [slo_write] is unauthorized for + user + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Enable an SLO + tags: + - slo + /s/{spaceId}/internal/observability/slos/_definitions: + get: + description: > + You must have 
the `read` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: getDefinitionsOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - description: >- + Indicates if the API returns only outdated SLO or all SLO + definitions + in: query + name: includeOutdatedOnly + schema: + type: boolean + - description: Indicates if the API returns SLO health data with definitions + example: true + in: query + name: includeHealth + schema: + type: boolean + - description: Filters the SLOs by tag + in: query + name: tags + schema: + type: string + - description: Filters the SLOs by name + example: my service availability + in: query + name: search + schema: + type: string + - description: The page to use for pagination, must be greater or equal than 1 + example: 1 + in: query + name: page + schema: + type: number + - description: Number of SLOs returned by page + example: 100 + in: query + name: perPage + schema: + default: 100 + maximum: 1000 + type: integer + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/SLOs_find_slo_definitions_response' + description: Successful request + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + summary: Get the SLO definitions + tags: + - slo +components: + examples: + APM_UI_agent_configuration_environments_200_response1: + description: >- + An example of a successful response from `GET + /api/apm/settings/agent-configuration/environments`. 
+ value: + environments: + - alreadyConfigured: true + name: production + - alreadyConfigured: false + name: development + - alreadyConfigured: false + name: ALL_OPTION_VALUE + APM_UI_agent_configuration_intake_object_delete_200_response1: + description: >- + An example of a successful response from `DELETE + /api/apm/settings/agent-configuration`. + value: + result: deleted + APM_UI_agent_configuration_intake_object_delete_request1: + description: >- + Run `DELETE /api/apm/settings/agent-configuration` to delete a + configuration. + value: + service: + environment: production + name: frontend + APM_UI_agent_configuration_intake_object_get_200_response1: + description: >- + An example of a successful response from `GET + /api/apm/settings/agent-configuration`. + value: + - '@timestamp': 1581934104843 + agent_name: go + applied_by_agent: false + etag: 1e58c178efeebae15c25c539da740d21dee422fc + service: + environment: production + name: opbeans-go + settings: + capture_body: 'off' + transaction_max_spans: '200' + transaction_sample_rate: '1' + - '@timestamp': 1581934111727 + agent_name: go + applied_by_agent: false + etag: 3eed916d3db434d9fb7f039daa681c7a04539a64 + service: + name: opbeans-go + settings: + capture_body: 'off' + transaction_max_spans: '300' + transaction_sample_rate: '1' + - '@timestamp': 1582031336265 + agent_name: nodejs + applied_by_agent: false + etag: 5080ed25785b7b19f32713681e79f46996801a5b + service: + name: frontend + settings: + transaction_sample_rate: '1' + APM_UI_agent_configuration_intake_object_put_200_response1: + description: >- + An example of a successful response from `PUT + /api/apm/settings/agent-configuration`. The response body is + intentionally empty. + value: {} + APM_UI_agent_configuration_intake_object_put_request1: + description: >- + Run `PUT /api/apm/settings/agent-configuration` to create or update + configuration details. 
+ value: + agent_name: nodejs + service: + environment: production + name: frontend + settings: + capture_body: 'off' + transaction_max_spans: '500' + transaction_sample_rate: '0.4' + APM_UI_agent_configuration_intake_object_search_200_response1: + description: >- + An example of a successful response from `POST + /api/apm/settings/agent-configuration/search`. + value: + _id: CIaqXXABmQCdPphWj8EJ + _index: .apm-agent-configuration + _score: 2 + _source: + '@timestamp': 1582031336265 + agent_name: nodejs + applied_by_agent: false + etag: 5080ed25785b7b19f32713681e79f46996801a5b + service: + name: frontend + settings: + transaction_sample_rate: '1' + APM_UI_agent_configuration_intake_object_search_request1: + description: >- + Run `POST /api/apm/settings/agent-configuration/search` to search + configuration details. + value: + etag: 1e58c178efeebae15c25c539da740d21dee422fc + service: + environment: production + name: frontend + APM_UI_agent_configuration_intake_object_view_200_response1: + description: >- + An example of a successful response from `GET + /api/apm/settings/agent-configuration/view`. + value: + '@timestamp': 1582031336265 + agent_name: nodejs + applied_by_agent: true + etag: 5080ed25785b7b19f32713681e79f46996801a5b + id: CIaqXXABmQCdPphWj8EJ + service: + environment: production + name: frontend + settings: + capture_body: 'off' + transaction_max_spans: '500' + transaction_sample_rate: '0.4' + APM_UI_agent_keys_object_post_200_response1: + description: >- + An example of a successful response from `POST /api/apm/agent_keys`, + which creates an APM agent API key. + value: + agentKey: + api_key: PjGloCGOTzaZr8ilUPvkjA + encoded: M0RDTG1uMEIzWk1oTFVhN1dCRzk6UGpHbG9DR09UemFacjhpbFVQdmtqQQ== + id: 3DCLmn0B3ZMhLUa7WBG9 + name: apm-key + APM_UI_agent_keys_object_post_request1: + description: >- + Run `POST /api/apm/agent_keys` to create an APM agent API key with the + specified privileges. 
+ value: + name: apm-key + privileges: + - event:write + - config_agent:read + APM_UI_annotation_object_post_200_response1: + description: >- + An example of a successful response from `POST + /api/apm/services/opbeans-java/annotation`, which creates an annotation + for a service named `opbeans-java`. + value: + _id: Lc9I93EBh6DbmkeV7nFX + _index: observability-annotations + _primary_term: 1 + _seq_no: 12 + _source: + '@timestamp': '2020-05-08T10:31:30.452Z' + annotation: + type: deployment + event: + created: '2020-05-09T02:34:43.937Z' + message: Deployment 1.2 + service: + name: opbeans-java + version: '1.2' + tags: + - apm + - elastic.co + - customer + _version: 1 + found: true + APM_UI_annotation_object_post_request1: + description: >- + Run `POST /api/apm/services/{serviceName}/annotation` to create a + deployment annotation for a service. + value: + '@timestamp': '2024-01-15T12:00:00.000Z' + message: Deployment 1.2.0 + service: + environment: production + version: 1.2.0 + tags: + - apm + - deployment + APM_UI_fleet_apm_server_schema_200_response1: + description: >- + An example of a successful response from `POST + /api/apm/fleet/apm_server_schema`. The response body is intentionally + empty. + value: {} + APM_UI_source_maps_delete_200_response1: + description: >- + An example of a successful response from `DELETE + /api/apm/sourcemaps/{id}`. The response body is intentionally empty. + value: {} + APM_UI_source_maps_get_200_response1: + description: A successful response from `GET /api/apm/sourcemaps`. 
+ value: + artifacts: + - body: + bundleFilepath: /test/e2e/general-usecase/bundle.js + serviceName: foo + serviceVersion: 1.0.0 + sourceMap: + file: static/js/main.chunk.js + mappings: mapping + sourceRoot: '' + sources: + - fleet-source-map-client/src/index.css + - fleet-source-map-client/src/App.js + - webpack:///./src/index.css?bb0a + - fleet-source-map-client/src/index.js + - fleet-source-map-client/src/reportWebVitals.js + sourcesContent: + - content + version: 3 + compressionAlgorithm: zlib + created: '2021-07-09T20:47:44.812Z' + decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + decodedSize: 441 + encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 + encodedSize: 237 + encryptionAlgorithm: none + id: >- + apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + identifier: foo-1.0.0 + packageName: apm + relative_url: >- + /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + type: sourcemap + APM_UI_source_maps_upload_200_response1: + description: A successful response from `POST /api/apm/sourcemaps`. 
+ value: + body: >- + eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI + compressionAlgorithm: zlib + created: '2021-07-09T20:47:44.812Z' + decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + decodedSize: 441 + encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 + encodedSize: 237 + encryptionAlgorithm: none + id: >- + apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + identifier: foo-1.0.0 + packageName: apm + relative_url: >- + /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + type: sourcemap + Data_views_create_data_view_request: + summary: Create a data view with runtime fields. + value: + data_view: + name: My Logstash data view + runtimeFieldMap: + runtime_shape_name: + script: + source: emit(doc['shape_name'].value) + type: keyword + title: logstash-* + Data_views_create_runtime_field_request: + summary: Create a runtime field. + value: + name: runtimeFoo + runtimeField: + script: + source: emit(doc["foo"].value) + type: long + Data_views_get_data_view_response: + summary: >- + The get data view API returns a JSON object that contains information + about the data view. + value: + data_view: + allowNoIndex: false + fieldAttrs: + products.manufacturer: + count: 1 + products.price: + count: 1 + products.product_name: + count: 1 + total_quantity: + count: 1 + fieldFormats: + products.base_price: + id: number params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. 
- type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. + pattern: $0,0.00 + products.base_unit_price: + id: number + params: + pattern: $0,0.00 + products.min_price: + id: number + params: + pattern: $0,0.00 + products.price: + id: number + params: + pattern: $0,0.00 + products.taxful_price: + id: number + params: + pattern: $0,0.00 + products.taxless_price: + id: number + params: + pattern: $0,0.00 + taxful_total_price: + id: number + params: + pattern: $0,0.[00] + taxless_total_price: + id: number + params: + pattern: $0,0.00 + fields: + _id: + aggregatable: false + count: 0 + esTypes: + - _id + format: + id: string + isMapped: true + name: _id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _index: + aggregatable: true + count: 0 + esTypes: + - _index + format: + id: string + isMapped: true + name: _index + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _score: + aggregatable: false + count: 0 + format: + id: number + isMapped: true + name: _score + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: number + _source: + aggregatable: false + count: 0 + esTypes: + - _source + format: + id: _source + isMapped: true + name: _source + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: _source + category: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + 
isMapped: true + name: category + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + category.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: category.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: category + type: string + currency: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: currency + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_birth_date: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: customer_birth_date + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + customer_first_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_first_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_first_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_first_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_first_name + type: string + customer_full_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_full_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_full_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_full_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_full_name + 
type: string + customer_gender: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_gender + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_id: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_last_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_last_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_last_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_last_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_last_name + type: string + customer_phone: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_phone + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + day_of_week: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: day_of_week + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + day_of_week_i: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: day_of_week_i + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + email: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: email + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + event.dataset: + 
aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: event.dataset + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.city_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.city_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.continent_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.continent_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.country_iso_code: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.country_iso_code + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.location: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: geoip.location + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + geoip.region_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.region_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + manufacturer: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: manufacturer + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + manufacturer.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: manufacturer.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: manufacturer + 
type: string + order_date: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: order_date + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + order_id: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: order_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + products._id: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: products._id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products._id.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products._id.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products._id + type: string + products.base_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.base_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
- type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 + products.base_unit_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.base_unit_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.category: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: products.category + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.category.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.category.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.category + type: string + products.created_on: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: products.created_on + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + products.discount_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.discount_amount + readFromDocValues: true + scripted: false + searchable: 
true + shortDotsEnable: false type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 + products.discount_percentage: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.discount_percentage + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the transform health rule. These parameters are appropriate when `rule_type_id` is `transform_health`. 
- properties: - excludeTransforms: - default: [] - items: - type: string - nullable: true - type: array - includeTransforms: - items: - type: string - type: array - testsConfig: - additionalProperties: false - nullable: true - type: object - properties: - errorMessages: - additionalProperties: false - nullable: true - type: object - properties: - enabled: - default: false - type: boolean - healthCheck: - additionalProperties: false - nullable: true - type: object - properties: - enabled: - default: true - type: boolean - notStarted: - additionalProperties: false - nullable: true - type: object - properties: - enabled: - default: true - type: boolean - required: - - notStarted - - errorMessages - - healthCheck - required: - - includeTransforms - - testsConfig - title: Transform Health Rule Params - type: object - rule_type_id: - enum: - - transform_health - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. + products.manufacturer: + aggregatable: false + count: 1 + esTypes: + - text + format: + id: string + isMapped: true + name: products.manufacturer + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Transform health - type: object - Kibana_HTTP_APIs_update_output_elasticsearch: - additionalProperties: false - properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true - type: string - hosts: - items: - format: uri - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: - type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - preset: - enum: - - balanced - - custom - - throughput - - scale - - latency - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - type: - enum: - - elasticsearch - type: string - write_to_logs_streams: - nullable: true - type: boolean - title: update_output_elasticsearch - type: object - Kibana_HTTP_APIs_update_output_kafka: - additionalProperties: false - properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - auth_type: - enum: - - none - - user_pass - - ssl - - kerberos - type: string - broker_timeout: - type: number - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: 
string - client_id: - type: string - compression: - enum: - - gzip - - snappy - - lz4 - - none - type: string - compression_level: - type: number - config_yaml: - nullable: true - type: string - connection_type: - enum: - - plaintext - - encryption - type: string - hash: - additionalProperties: false - type: object - properties: - hash: + products.manufacturer.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.manufacturer.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.manufacturer type: string - random: - type: boolean - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - hosts: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - key: - type: string - name: - type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - partition: - enum: - - random - - round_robin - - hash - type: string - password: - nullable: true - type: string - proxy_id: - nullable: true - type: string - random: - additionalProperties: false - type: object - properties: - group_events: + products.min_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.min_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.price: + aggregatable: true + count: 1 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.price + 
readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.product_id: + aggregatable: true + count: 0 + esTypes: + - long + format: + id: number + isMapped: true + name: products.product_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.product_name: + aggregatable: false + count: 1 + esTypes: + - text + format: + id: string + isMapped: true + name: products.product_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.product_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.product_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.product_name + type: string + products.quantity: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: products.quantity + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.sku: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.sku + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.tax_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.tax_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.taxful_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.taxful_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.taxless_price: + aggregatable: true + count: 0 + 
esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.taxless_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: number - required_acks: - enum: - - 1 - - 0 - - -1 - type: integer - round_robin: - additionalProperties: false - type: object - properties: - group_events: + products.unit_discount_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.unit_discount_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: number - sasl: - additionalProperties: false - nullable: true - type: object - properties: - mechanism: - enum: - - PLAIN - - SCRAM-SHA-256 - - SCRAM-SHA-512 - type: string - secrets: - additionalProperties: false - type: object - properties: - password: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - required: - - key - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - timeout: - type: number - topic: - type: string - type: - enum: - - kafka - type: string - username: - nullable: true - type: string - version: - type: string - required: - - name - title: update_output_kafka - type: object - Kibana_HTTP_APIs_update_output_logstash: - additionalProperties: false - properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true 
- type: string - hosts: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: - type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - type: - enum: - - logstash - type: string - title: update_output_logstash - type: object - Kibana_HTTP_APIs_update_output_remote_elasticsearch: - additionalProperties: false - properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true - type: string - hosts: - items: - format: uri - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - kibana_api_key: - nullable: true - type: string - kibana_url: - nullable: true - type: string - name: - type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - preset: - enum: - - balanced - - custom - - throughput - - scale - - latency - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: 
false - type: object - properties: - service_token: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - service_token: - nullable: true - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - sync_integrations: - type: boolean - sync_uninstalled_integrations: - type: boolean - type: - enum: - - remote_elasticsearch - type: string - write_to_logs_streams: - nullable: true - type: boolean - title: update_output_remote_elasticsearch - type: object - Kibana_HTTP_APIs_WiredStreamUpsertRequest: - additionalProperties: false - type: object - properties: - dashboards: - items: - type: string - type: array - queries: - items: - type: object - properties: - description: - type: string - esql: - type: object - properties: - query: - type: string - required: - - query - evidence: - items: - type: string - type: array - id: - description: A non-empty string. - minLength: 1 - type: string - severity_score: - type: number - title: - description: A non-empty string. 
- minLength: 1 - type: string - type: - default: match - enum: - - match - - stats - type: string - required: - - id - - title - - description - - esql - type: array - rules: - items: - type: string - type: array - stream: - additionalProperties: false - type: object - properties: - description: + sku: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: sku + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: string - ingest: - additionalProperties: false - type: object - properties: - failure_store: - $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' - lifecycle: - $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' - processing: - additionalProperties: false - type: object - properties: - steps: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' - type: array - updated_at: {} - required: - - steps - settings: - additionalProperties: false - type: object - properties: - index.number_of_replicas: - additionalProperties: false - type: object - properties: - value: - type: number - required: - - value - index.number_of_shards: - additionalProperties: false - type: object - properties: - value: - type: number - required: - - value - index.refresh_interval: - additionalProperties: false - type: object - properties: - value: - anyOf: - - type: string - - enum: - - -1 - type: number - required: - - value - wired: - additionalProperties: false - type: object - properties: - draft: - type: boolean - fields: - $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinition' - routing: - items: - type: object - properties: - destination: - description: A non-empty string. 
- minLength: 1 - type: string - draft: - type: boolean - status: - enum: - - enabled - - disabled - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - required: - - destination - - where - type: array - required: - - fields - - routing - required: - - lifecycle - - processing - - settings - - failure_store - - wired - query_streams: - items: - type: object - properties: - name: - type: string - required: - - name - type: array + taxful_total_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.[00] + isMapped: true + name: taxful_total_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + taxless_total_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: taxless_total_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + total_quantity: + aggregatable: true + count: 1 + esTypes: + - integer + format: + id: number + isMapped: true + name: total_quantity + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + total_unique_products: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: total_unique_products + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number type: - enum: - - wired + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: type + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: string - required: - - description - - ingest - - type - required: - - dashboards - - rules - - queries - - stream - Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - 
default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. 
- items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. 
NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string + user: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: user + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + name: Kibana Sample Data eCommerce + namespaces: + - default + runtimeFieldMap: {} + sourceFilters: [] + timeFieldName: order_date + title: kibana_sample_data_ecommerce + typeMeta: {} + version: WzUsMV0= + Data_views_get_data_views_response: + summary: The get all data views API returns a list of data views. + value: + data_view: + - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + name: Kibana Sample Data eCommerce + namespaces: + - default + title: kibana_sample_data_ecommerce + typeMeta: {} + - id: d3d7af60-4c81-11e8-b3d7-01146121b73d + name: Kibana Sample Data Flights + namespaces: + - default + title: kibana_sample_data_flights + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: Kibana Sample Data Logs + namespaces: + - default + title: kibana_sample_data_logs + Data_views_get_default_data_view_response: + summary: The get default data view API returns the default data view identifier. 
+ value: + data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + Data_views_get_runtime_field_response: + summary: >- + The get runtime field API returns a JSON object that contains + information about the runtime field (`hour_of_day`) and the data view + (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). + value: + data_view: + allowNoIndex: false + fieldAttrs: {} + fieldFormats: + AvgTicketPrice: + id: number params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. 
+ pattern: $0,0.[00] + hour_of_day: + id: number + params: + pattern: '00' + fields: + _id: + aggregatable: false + count: 0 + esTypes: + - _id + format: + id: string + isMapped: true + name: _id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _index: + aggregatable: true + count: 0 + esTypes: + - _index + format: + id: string + isMapped: true + name: _index + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _score: + aggregatable: false + count: 0 + format: + id: number + isMapped: true + name: _score + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. 
+ _source: + aggregatable: false + count: 0 + esTypes: + - _source + format: + id: _source + isMapped: true + name: _source + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: _source + AvgTicketPrice: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + params: + pattern: $0,0.[00] + isMapped: true + name: AvgTicketPrice + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + Cancelled: + aggregatable: true + count: 0 + esTypes: + - boolean + format: + id: boolean + isMapped: true + name: Cancelled + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 + Carrier: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Carrier + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + dayOfWeek: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: dayOfWeek + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. 
- maximum: 20 - minimum: 2 + Dest: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Dest + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestAirportID: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestAirportID + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestCityName: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestCityName + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestCountry: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestCountry + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestLocation: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: DestLocation + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + DestRegion: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestRegion + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestWeather: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestWeather + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DistanceKilometers: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: DistanceKilometers + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: number - required: - - look_back_window - - status_change_threshold - name: - 
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the anomaly detection rule. These parameters are appropriate when `rule_type_id` is `xpack.ml.anomaly_detection_alert"`. 
- properties: - includeInterim: - default: true + DistanceMiles: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: DistanceMiles + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + FlightDelay: + aggregatable: true + count: 0 + esTypes: + - boolean + format: + id: boolean + isMapped: true + name: FlightDelay + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: boolean - jobSelection: - additionalProperties: false - type: object - properties: - groupIds: - default: [] - items: - type: string - type: array - jobIds: - default: [] - items: - type: string - type: array - kqlQueryString: - nullable: true + FlightDelayMin: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: FlightDelayMin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + FlightDelayType: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightDelayType + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: string - lookbackInterval: - nullable: true + FlightNum: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightNum + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: string - resultType: - enum: - - record - - bucket - - influencer + FlightTimeHour: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightTimeHour + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: string - severity: - maximum: 100 - minimum: 0 + FlightTimeMin: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: FlightTimeMin + readFromDocValues: true + scripted: 
false + searchable: true + shortDotsEnable: false type: number - topNBuckets: - minimum: 1 - nullable: true + hour_of_day: + aggregatable: true + count: 0 + esTypes: + - long + format: + id: number + params: + pattern: '00' + name: hour_of_day + readFromDocValues: false + runtimeField: + script: + source: emit(doc['timestamp'].value.getHour()); + type: long + scripted: false + searchable: true + shortDotsEnable: false type: number - required: - - jobSelection - - severity - - resultType - - lookbackInterval - - topNBuckets - - kqlQueryString - title: Anomaly Detection Rule Params - type: object - rule_type_id: - enum: - - xpack.ml.anomaly_detection_alert - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. + Origin: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Origin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: string - required: - - interval + OriginAirportID: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginAirportID + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginCityName: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginCityName + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginCountry: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginCountry + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginLocation: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: 
geo_point + params: + transform: wkt + isMapped: true + name: OriginLocation + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + OriginRegion: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginRegion + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginWeather: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginWeather + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + timestamp: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: timestamp + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + id: d3d7af60-4c81-11e8-b3d7-01146121b73d + name: Kibana Sample Data Flights + runtimeFieldMap: + hour_of_day: + script: + source: emit(doc['timestamp'].value.getHour()); + type: long + sourceFilters: [] + timeFieldName: timestamp + title: kibana_sample_data_flights + version: WzM2LDJd + fields: + - aggregatable: true + count: 0 + esTypes: + - long + name: hour_of_day + readFromDocValues: false + runtimeField: + script: + source: emit(doc['timestamp'].value.getHour()); + type: long + scripted: false + searchable: true + shortDotsEnable: false + type: number + Data_views_preview_swap_data_view_request: + summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". + value: + fromId: abcd-efg + toId: xyz-123 + Data_views_set_default_data_view_request: + summary: Set the default data view identifier. + value: + data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + force: true + Data_views_swap_data_view_request: + summary: >- + Swap references from data view ID "abcd-efg" to "xyz-123" and remove the + data view that is no longer referenced. 
+ value: + delete: true + fromId: abcd-efg + toId: xyz-123 + Data_views_update_data_view_request: + summary: Update some properties for a data view. + value: + data_view: + allowNoIndex: false + name: Kibana Sample Data eCommerce + timeFieldName: order_date + title: kibana_sample_data_ecommerce + refresh_fields: true + Data_views_update_field_metadata_request: + summary: Update metadata for multiple fields. + value: + fields: + field1: + count: 123 + customLabel: Field 1 label + field2: + customDescription: Field 2 description + customLabel: Field 2 label + Data_views_update_runtime_field_request: + summary: Update an existing runtime field on a data view. + value: + runtimeField: + script: + source: emit(doc["bar"].value) + Machine_learning_APIs_mlSync401Example: + summary: Two anomaly detection jobs required synchronization in this example. + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]]: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]" + statusCode: 401 + Machine_learning_APIs_mlSyncExample: + summary: Two anomaly detection jobs required synchronization in this example. + value: + datafeedsAdded: {} + datafeedsRemoved: {} + savedObjectsCreated: + anomaly-detector: + myjob1: + success: true + myjob2: + success: true + savedObjectsDeleted: {} + Observability_AI_Assistant_API_ChatCompleteRequestExample: + summary: Example of completing a chat interaction + value: | + { + "connectorId": "", + "disableFunctions": false, + "messages": [ + { + "@timestamp": "2025-06-25T23:45:00.000Z", + "message": { + "role": "user", + "content": "Is my Elasticsearch cluster healthy right now?" 
+ } + } + ], + "persist": false, + "actions": [ + { + "name": "get_cluster_health", + "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", + "parameters": { + "type": "object", + "properties": { + "includeShardStats": { + "type": "boolean", + "default": false + } + } + } + } + ], + "instructions": ["When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English."] + } + Observability_AI_Assistant_API_ChatCompleteResponseExample: + summary: Get a chat completion from the Observability AI Assistant + value: > + data: + {"model":"unknown","choices":[{"delta":{"content":"","function_call":{"name":"get_cluster_health","arguments":"{\"includeShardStats\":true}"}},"finish_reason":null,"index":0}],"created":1750936626911,"id":"9c8eff9b-4fd4-4203-a4ab-2e364688deff","object":"chat.completion.chunk"} + + + data: [DONE] + Security_Detections_API_SetAlertAssigneesBodyAdd: + value: + assignees: + add: + - u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0 + remove: [] + ids: + - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6 + Security_Detections_API_SetAlertAssigneesBodyRemove: + value: + assignees: + add: [] + remove: + - u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0 + ids: + - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6 + Security_Detections_API_SetAlertTagsBodyAdd: + value: + ids: + - 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Anomaly detection + tags_to_add: + - Duplicate + tags_to_remove: [] + Security_Detections_API_SetAlertTagsBodyRemove: + value: + ids: + - 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e + tags: + tags_to_add: [] + tags_to_remove: + - Duplicate + Task_manager_health_Serverless_APIs_health_200response_serverless: + description: A successful response from `GET api/task_manager/_health`. + value: |- + { + "id": "b44483e1-3ba2-4f28-93d0-1d96c69c32c1", + "timestamp": "2025-03-21T21:49:50.409Z", + "status": "OK", + "last_update": "2025-03-21T21:48:53.996Z", + "stats": { + "configuration": { + "timestamp": "2025-03-21T21:47:51.663Z", + "value": { + "request_capacity": 1000, + "monitored_aggregated_stats_refresh_rate": 60000, + "monitored_stats_running_average_window": 50, + "monitored_task_execution_thresholds": { + "custom": {}, + "default": { + "error_threshold": 90, + "warn_threshold": 80 + } + }, + "claim_strategy": "mget", + "poll_interval": 500, + "capacity": { + "config": 10, + "as_workers": 10, + "as_cost": 20 + } + }, + "status": "OK" + }, + "workload": { + "timestamp": "2025-03-21T21:48:53.996Z", + "value": { + "count": 21, + "cost": 42, + "task_types": { + "Fleet-Metrics-Task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "Fleet-Usage-Logger": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "Fleet-Usage-Sender": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "ML:saved-objects-sync": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "actions:connector_usage_reporting": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "actions_telemetry": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + 
"alerting_health_check": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "alerting_telemetry": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "alerts_invalidate_api_keys": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "cases-telemetry-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "dashboard_telemetry": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:automatic-agent-upgrade-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:check-deleted-files-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:delete-unenrolled-agents-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:sync-integrations-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:unenroll-inactive-agents-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:upgrade-agentless-deployments-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "session_cleanup": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "task_manager:delete_inactive_background_task_nodes": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "task_manager:mark_removed_tasks_as_unrecognized": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + } + }, + "non_recurring": 1, + "non_recurring_cost": 2, + "schedule": [ + [ + "1m", + 2 + ], + [ + "5m", + 2 + ], + [ + "10m", + 1 + ], + [ + "15m", + 1 + ], + [ + "30m", + 1 + ], + [ + "1h", + 5 + ], + [ + "3600s", + 1 + ], + [ + "60m", + 1 + ], + [ + "720m", + 1 + ], + [ + "1d", + 4 + ], + [ + "1440m", + 1 + ] + ], + "overdue": 0, + "overdue_cost": 0, + "overdue_non_recurring": 0, + "estimated_schedule_density": [ + 0, + 0, + 1, + 0, + 0, + 0, + 0, + 1, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 
0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0 + ], + "capacity_requirements": { + "per_minute": 2, + "per_hour": 43, + "per_day": 7 + } + }, + "status": "OK" + } + } + } + parameters: + APM_UI_elastic_api_version: + description: The version of the API to use + in: header + name: elastic-api-version + required: true + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + APM_UI_kbn_xsrf: + description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + Data_views_field_name: + description: The name of the runtime field. + in: path + name: fieldName + required: true + schema: + example: hour_of_day + type: string + Data_views_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Data_views_view_id: + description: An identifier for the data view. + in: path + name: viewId + required: true + schema: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + type: string + Machine_learning_APIs_simulateParam: + description: >- + When true, simulates the synchronization by returning only the list of + actions that would be performed. + example: 'true' + in: query + name: simulate + required: false + schema: + type: boolean + SLOs_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + SLOs_slo_id: + description: An identifier for the slo. + in: path + name: sloId + required: true + schema: + example: 9c235211-6834-11ea-a78c-6feb38a34414 + type: string + SLOs_space_id: + description: >- + An identifier for the space. If `/s/` and the identifier are omitted + from the path, the default space is used. 
+ in: path + name: spaceId + required: true + schema: + example: default + type: string + schemas: + APM_UI_400_response: type: object - Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting: - additionalProperties: false properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. 
- type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. 
- type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. 
- type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + error: + description: Error type + example: Not Found type: string - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true + message: + description: Error message + example: Not Found type: string - params: - additionalProperties: false - description: The parameters for the anomaly detection jobs health rule. These parameters are appropriate when `rule_type_id` is `xpack.ml.anomaly_detection_jobs_health"`. - properties: - excludeJobs: - additionalProperties: false - nullable: true - type: object - properties: - groupIds: - default: [] - items: - type: string - type: array - jobIds: - default: [] - items: - type: string - type: array - includeJobs: - additionalProperties: false - type: object - properties: - groupIds: - default: [] - items: - type: string - type: array - jobIds: - default: [] - items: - type: string - type: array - testsConfig: - additionalProperties: false - nullable: true - type: object - properties: - behindRealtime: - additionalProperties: false - nullable: true - type: object - properties: - enabled: - default: true - type: boolean - timeInterval: - nullable: true - type: string - required: - - timeInterval - datafeed: - additionalProperties: false - nullable: true - type: object - properties: - enabled: - default: true - type: boolean - delayedData: - additionalProperties: false - nullable: true - type: object - properties: - docsCount: - minimum: 1 - nullable: true - type: 
number - enabled: - default: true - type: boolean - timeInterval: - nullable: true - type: string - required: - - docsCount - - timeInterval - errorMessages: - additionalProperties: false - nullable: true - type: object - properties: - enabled: - default: true - type: boolean - mml: - additionalProperties: false - nullable: true - type: object - properties: - enabled: - default: true - type: boolean - required: - - datafeed - - mml - - delayedData - - behindRealtime - - errorMessages - required: - - includeJobs - - excludeJobs - - testsConfig - title: Anomaly Detection Jobs Health Rule Params - type: object - rule_type_id: - enum: - - xpack.ml.anomaly_detection_jobs_health + statusCode: + description: Error status code + example: 400 + type: number + APM_UI_401_response: + type: object + properties: + error: + description: Error type + example: Unauthorized type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true + message: + description: Error message type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Anomaly detection jobs health + statusCode: + description: Error status code + example: 401 + type: number + APM_UI_403_response: type: object - Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting: - additionalProperties: false properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). 
- type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. 
- type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + error: + description: Error type + example: Forbidden type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + message: + description: Error message type: string - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true + statusCode: + description: Error status code + example: 403 + type: number + APM_UI_404_response: + type: object + properties: + error: + description: Error type + example: Not Found type: string - params: - additionalProperties: false - description: The parameters for the synthetics monitor status rule. These parameters are appropriate when `rule_type_id` is `xpack.synthetics.alerts.monitorStatus`. 
- properties: - condition: - additionalProperties: false - type: object - properties: - alertOnNoData: - type: boolean - downThreshold: - type: number - groupBy: - type: string - includeRetests: - type: boolean - locationsThreshold: - type: number - recoveryStrategy: - enum: - - firstUp - - conditionNotMet - type: string - window: - anyOf: - - additionalProperties: false - type: object - properties: - time: - additionalProperties: false - type: object - properties: - size: - default: 5 - type: number - unit: - default: m - enum: - - s - - m - - h - - d - type: string - required: - - time - - additionalProperties: false - type: object - properties: - numberOfChecks: - default: 5 - maximum: 100 - minimum: 1 - type: number - required: - - window - kqlQuery: - type: string - locations: - items: - type: string - type: array - monitorIds: - items: - type: string - type: array - monitorTypes: - items: - type: string - type: array - projects: - items: - type: string - type: array - tags: - items: - type: string - type: array - title: Synthetics Monitor Status Rule Params - type: object - rule_type_id: - enum: - - xpack.synthetics.alerts.monitorStatus + message: + description: Error message + example: Not Found type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true + statusCode: + description: Error status code + example: 404 + type: number + APM_UI_500_response: + type: object + properties: + error: + description: Error type + example: Internal Server Error type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Synthetics monitor status + message: + description: Error message + type: string + statusCode: + description: Error status code + example: 500 + type: number + APM_UI_501_response: type: object - Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting: - additionalProperties: false properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. 
- enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. 
- type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + error: + description: Error type + example: Not Implemented + type: string + message: + description: Error message + example: Not Implemented + type: string + statusCode: + description: Error status code + example: 501 + type: number + APM_UI_agent_configuration_intake_object: + type: object + properties: + agent_name: + description: >- + The agent name is used by the UI to determine which settings to + display. type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. 
- nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + service: + $ref: '#/components/schemas/APM_UI_service_object' + settings: + $ref: '#/components/schemas/APM_UI_settings_object' + required: + - service + - settings + APM_UI_agent_configuration_object: + description: Agent configuration + type: object + properties: + '@timestamp': + description: Timestamp + example: 1730194190636 + type: number + agent_name: + description: Agent name type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true + applied_by_agent: + description: Applied by agent + example: true + type: boolean + etag: + description: > + `etag` is sent by the APM agent to indicate the `etag` of the last + successfully applied configuration. If the `etag` matches an + existing configuration its `applied_by_agent` property will be set + to `true`. Every time a configuration is edited `applied_by_agent` + is reset to `false`. + example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 type: string - params: - additionalProperties: false - description: The parameters for the synthetics tls rule. These parameters are appropriate when `rule_type_id` is `xpack.synthetics.alerts.tls`. - properties: - certAgeThreshold: - type: number - certExpirationThreshold: - type: number - kqlQuery: - type: string - locations: - items: - type: string - type: array - monitorIds: - items: - type: string - type: array - monitorTypes: - items: - type: string - type: array - projects: - items: - type: string - type: array - search: - type: string - tags: - items: - type: string - type: array - title: Synthetics TLS Rule Params - type: object - rule_type_id: - enum: - - xpack.synthetics.alerts.tls + service: + $ref: '#/components/schemas/APM_UI_service_object' + settings: + $ref: '#/components/schemas/APM_UI_settings_object' + required: + - service + - settings + - '@timestamp' + - etag + APM_UI_agent_configurations_response: + type: object + properties: + configurations: + description: Agent configuration + items: + $ref: '#/components/schemas/APM_UI_agent_configuration_object' + type: array + APM_UI_agent_keys_object: + type: object + properties: + name: + description: The name of the APM agent key. type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. 
- type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. + privileges: + description: > + The APM agent key privileges. It can take one or more of the + following values: + + * `event:write`, which is required for ingesting APM agent events. * + `config_agent:read`, which is required for APM agents to read agent + configuration remotely. items: + enum: + - event:write + - config_agent:read type: string type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string required: - name - - consumer - - schedule - - rule_type_id - - params - title: Synthetics TLS + - privileges + APM_UI_agent_keys_response: type: object - Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting: - additionalProperties: false properties: - actions: - default: [] + agentKey: + description: Agent key + type: object + properties: + api_key: + type: string + encoded: + type: string + expiration: + format: int64 + type: integer + id: + type: string + name: + type: string + required: + - id + - name + - api_key + - encoded + APM_UI_annotation_search_response: + type: object + properties: + annotations: + description: Annotations items: - additionalProperties: false - description: An action that runs under defined conditions. type: object properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. 
- type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string + '@timestamp': + type: number id: - description: The identifier for the connector saved object. type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. + text: + type: string + type: + enum: + - version type: string - required: - - id type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ APM_UI_base_source_map_object: + type: object + properties: + compressionAlgorithm: + description: Compression Algorithm type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + created: + description: Created date type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true + decodedSha256: + description: Decoded SHA-256 type: string - params: - additionalProperties: false - description: The parameters for the uptime duration anomaly rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.durationAnomaly`. - properties: - monitorId: - type: string - severity: - type: number - stackVersion: - type: string - required: - - monitorId - - severity - title: Uptime Duration Anomaly Rule Params - type: object - rule_type_id: - enum: - - xpack.uptime.alerts.durationAnomaly + decodedSize: + description: Decoded size + type: number + encodedSha256: + description: Encoded SHA-256 type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. + encodedSize: + description: Encoded size + type: number + encryptionAlgorithm: + description: Encryption Algorithm + type: string + id: + description: Identifier + type: string + identifier: + description: Identifier + type: string + packageName: + description: Package name + type: string + relative_url: + description: Relative URL + type: string + type: + description: Type + type: string + APM_UI_create_annotation_object: + type: object + properties: + '@timestamp': + description: The date and time of the annotation. It must be in ISO 8601 format. + type: string + message: + description: >- + The message displayed in the annotation. It defaults to + `service.version`. + type: string + service: + description: The service that identifies the configuration to create or update. type: object properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. + environment: + description: The environment of the service. + type: string + version: + description: The version of the service. 
type: string required: - - interval + - version tags: - default: [] - description: The tags for the rule. + description: > + Tags are used by the Applications UI to distinguish APM annotations + from other annotations. Tags may have additional functionality in + future releases. It defaults to `[apm]`. While you can add + additional tags, you cannot remove the `apm` tag. items: type: string type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Uptime duration anomaly + - '@timestamp' + - service + APM_UI_create_annotation_response: type: object - Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting: - additionalProperties: false properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. 
- items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. 
- type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. 
- type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false + _id: + description: Identifier + type: string + _index: + description: Index + type: string + _source: + description: Response type: object properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false + '@timestamp': + type: string + annotation: type: object properties: - blob: - maxLength: 10000 + title: type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. 
- nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the uptime monitor status rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.monitorStatus`. 
- properties: - availability: - additionalProperties: false + type: + type: string + event: type: object properties: - range: - type: number - rangeUnit: - type: string - threshold: + created: type: string - required: - - range - - rangeUnit - - threshold - filters: - anyOf: - - additionalProperties: false - type: object - properties: - monitor.type: - items: - type: string - type: array - observer.geo.name: - items: - type: string - type: array - tags: - items: - type: string - type: array - url.port: - items: - type: string - type: array - - type: string - isAutoGenerated: - type: boolean - locations: - items: - type: string - type: array - numTimes: - type: number - search: - type: string - shouldCheckAvailability: - type: boolean - shouldCheckStatus: - type: boolean - stackVersion: + message: type: string - timerange: - additionalProperties: false + service: type: object properties: - from: + environment: type: string - to: + name: type: string - required: - - from - - to - timerangeCount: - type: number - timerangeUnit: - type: string - version: - type: number - required: - - numTimes - - shouldCheckStatus - - shouldCheckAvailability - title: Uptime Monitor Status Rule Params - type: object - rule_type_id: - enum: - - xpack.uptime.alerts.monitorStatus + version: + type: string + tags: + items: + type: string + type: array + APM_UI_delete_agent_configurations_response: + type: object + properties: + result: + description: Result + type: string + APM_UI_delete_service_object: + description: Service + type: object + properties: + service: + $ref: '#/components/schemas/APM_UI_service_object' + required: + - service + APM_UI_search_agent_configuration_object: + type: object + properties: + error: + description: > + If provided, the agent configuration will be marked as error and + `applied_by_agent` will be set to `false`. + + This is useful for cases where the agent configuration was not + applied successfully. 
+ type: string + etag: + description: If etags match then `applied_by_agent` field will be set to `true` + example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. + mark_as_applied_by_agent: + description: > + `markAsAppliedByAgent=true` means "force setting it to true + regardless of etag". + + This is needed for Jaeger agent that doesn't have etags + type: boolean + service: + $ref: '#/components/schemas/APM_UI_service_object' + required: + - service + APM_UI_search_agent_configuration_response: + type: object + properties: + _id: + description: Identifier + type: string + _index: + description: Index + type: string + _score: + description: Score + type: number + _source: + $ref: '#/components/schemas/APM_UI_agent_configuration_object' + APM_UI_service_agent_name_response: + type: object + properties: + agentName: + description: Agent name + example: nodejs + type: string + APM_UI_service_environment_object: + type: object + properties: + alreadyConfigured: + description: Already configured + type: boolean + name: + description: Service environment name + example: ALL_OPTION_VALUE + type: string + APM_UI_service_environments_response: + type: object + properties: + environments: + description: Service environment list items: - type: string + $ref: '#/components/schemas/APM_UI_service_environment_object' type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true + APM_UI_service_object: + description: Service + type: object + properties: + environment: + description: The environment of the service. + example: prod type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Uptime monitor status + name: + description: The name of the service. + example: node + type: string + APM_UI_settings_object: + additionalProperties: + type: string + description: Agent configuration settings + type: object + APM_UI_single_agent_configuration_response: + allOf: + - type: object + properties: + id: + type: string + required: + - id + - $ref: '#/components/schemas/APM_UI_agent_configuration_object' + APM_UI_source_maps_response: type: object - Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting: - additionalProperties: false properties: - actions: - default: [] + artifacts: + description: Artifacts items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object + allOf: + - type: object properties: - query: - additionalProperties: false + body: type: object properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + bundleFilepath: type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. 
- items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). + serviceName: type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + serviceVersion: + type: string + sourceMap: type: object properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). + file: + type: string + mappings: type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). + sourceRoot: type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. 
- type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. 
- type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id + sources: + items: + type: string + type: array + sourcesContent: + items: + type: string + type: array + version: + type: number + - $ref: '#/components/schemas/APM_UI_base_source_map_object' type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + APM_UI_upload_source_map_object: + type: object + properties: + bundle_filepath: + description: >- + The absolute path of the final bundle as used in the web + application. type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. 
- type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object + service_name: + description: The name of the service that the service map should apply to. + type: string + service_version: + description: The version of the service that the service map should apply to. + type: string + sourcemap: + description: > + The source map. It can be a string or file upload. It must follow + the + + [source map format specification](https://tc39.es/ecma426/). + format: binary + type: string + required: + - service_name + - service_version + - bundle_filepath + - sourcemap + APM_UI_upload_source_maps_response: + allOf: + - type: object properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + body: + type: string + - $ref: '#/components/schemas/APM_UI_base_source_map_object' + Data_views_400_response: + title: Bad request + type: object + properties: + error: + example: Bad Request type: string - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + message: + type: string + statusCode: + example: 400 + type: number + required: + - statusCode + - error + - message + Data_views_404_response: + type: object + properties: + error: enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true + - Not Found + example: Not Found type: string - params: - additionalProperties: false - description: The parameters for the uptime tls rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.tlsCertificate`. + message: + example: >- + Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] + not found + type: string + statusCode: + enum: + - 404 + example: 404 + type: integer + Data_views_allownoindex: + description: >- + Allows the data view saved object to exist before the data is available. + Defaults to `false`. + type: boolean + Data_views_create_data_view_request_object: + title: Create data view request + type: object + properties: + data_view: + description: The data view object. 
+ type: object properties: - certAgeThreshold: - type: number - certExpirationThreshold: - type: number - search: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldAttrs: + additionalProperties: + $ref: '#/components/schemas/Data_views_fieldattrs' + type: object + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + id: + type: string + name: + description: The data view name. type: string - stackVersion: + namespaces: + $ref: '#/components/schemas/Data_views_namespaces' + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + type: + $ref: '#/components/schemas/Data_views_type' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta' + version: type: string - title: Uptime TLS Rule Params + required: + - title + override: + default: false + description: >- + Override an existing data view if a data view with the provided + title already exists. + type: boolean + required: + - data_view + Data_views_data_view_response_object: + title: Data view response properties + type: object + properties: + data_view: type: object - rule_type_id: - enum: - - xpack.uptime.alerts.tlsCertificate + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldAttrs: + additionalProperties: + $ref: '#/components/schemas/Data_views_fieldattrs' + type: object + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + id: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + type: string + name: + description: The data view name. 
+ type: string + namespaces: + $ref: '#/components/schemas/Data_views_namespaces' + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta_response' + version: + example: WzQ2LDJd + type: string + Data_views_fieldattrs: + description: A map of field attributes by field name. + type: object + properties: + count: + description: Popularity count for the field. + type: integer + customDescription: + description: Custom description for the field. + maxLength: 300 type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. + customLabel: + description: Custom label for the field. + type: string + Data_views_fieldformats: + description: A map of field formats by field name. + type: object + Data_views_namespaces: + description: >- + An array of space identifiers for sharing the data view between multiple + spaces. + items: + default: default + type: string + type: array + Data_views_runtimefieldmap: + description: A map of runtime field definitions by field name. + type: object + properties: + script: type: object properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. + source: + description: Script for the runtime field. type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: + type: + description: Mapping type of the runtime field. + type: string + required: + - script + - type + Data_views_sourcefilters: + description: The array of field names you want to filter out in Discover. 
+ items: + type: object + properties: + value: type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true + required: + - value + type: array + Data_views_swap_data_view_request_object: + title: Data view reference swap request + type: object + properties: + delete: + description: Deletes referenced saved object if all references are removed. + type: boolean + forId: + description: Limit the affected saved objects to one or more by identifier. + oneOf: + - type: string + - items: + type: string + type: array + forType: + description: Limit the affected saved objects by type. + type: string + fromId: + description: The saved object reference to change. + type: string + fromType: + description: > + Specify the type of the saved object reference to alter. The default + value is `index-pattern` for data views. + type: string + toId: + description: New saved object reference value to replace the old value. type: string required: - - name - - consumer - - schedule - - rule_type_id + - fromId + - toId + Data_views_timefieldname: + description: The timestamp field name, which you use for time-based data views. + type: string + Data_views_title: + description: >- + Comma-separated list of data streams, indices, and aliases that you want + to search. Supports wildcards (`*`). + type: string + Data_views_type: + description: When set to `rollup`, identifies the rollup data views. + type: string + Data_views_typemeta: + description: >- + When you use rollup indices, contains the field list for the rollup data + view API endpoints. 
+ type: object + properties: + aggs: + description: A map of rollup restrictions by aggregation type and field name. + type: object + params: + description: Properties for retrieving rollup fields. + type: object + required: + - aggs - params - title: Uptime TLS certificate + Data_views_typemeta_response: + description: >- + When you use rollup indices, contains the field list for the rollup data + view API endpoints. + nullable: true + type: object + properties: + aggs: + description: A map of rollup restrictions by aggregation type and field name. + type: object + params: + description: Properties for retrieving rollup fields. + type: object + Data_views_update_data_view_request_object: + title: Update data view request type: object + properties: + data_view: + description: > + The data view properties you want to update. Only the specified + properties are updated in the data view. Unspecified fields stay as + they are persisted. + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + name: + type: string + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + type: + $ref: '#/components/schemas/Data_views_type' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta' + refresh_fields: + default: false + description: Reloads the data view fields after the data view is updated. 
+ type: boolean + required: + - data_view Machine_learning_APIs_mlSync200Response: properties: datafeedsAdded: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - description: If a saved object for an anomaly detection job is missing a datafeed identifier, it is added when you run the sync machine learning saved objects API. + description: >- + If a saved object for an anomaly detection job is missing a datafeed + identifier, it is added when you run the sync machine learning saved + objects API. type: object datafeedsRemoved: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - description: If a saved object for an anomaly detection job references a datafeed that no longer exists, it is deleted when you run the sync machine learning saved objects API. + description: >- + If a saved object for an anomaly detection job references a datafeed + that no longer exists, it is deleted when you run the sync machine + learning saved objects API. type: object savedObjectsCreated: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated' + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated savedObjectsDeleted: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted' + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted title: Successful sync API response type: object Machine_learning_APIs_mlSync4xxResponse: 
@@ -98357,63 +26229,97 @@ components: title: Unsuccessful sync API response type: object Machine_learning_APIs_mlSyncResponseAnomalyDetectors: - description: The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status. + description: >- + The sync machine learning saved objects API response contains this + object when there are anomaly detection jobs affected by the + synchronization. There is an object for each relevant job, which + contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for anomaly detection jobs type: object Machine_learning_APIs_mlSyncResponseDatafeeds: - description: The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status. + description: >- + The sync machine learning saved objects API response contains this + object when there are datafeeds affected by the synchronization. There + is an object for each relevant datafeed, which contains the + synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for datafeeds type: object Machine_learning_APIs_mlSyncResponseDataFrameAnalytics: - description: The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status. + description: >- + The sync machine learning saved objects API response contains this + object when there are data frame analytics jobs affected by the + synchronization. 
There is an object for each relevant job, which + contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for data frame analytics jobs type: object Machine_learning_APIs_mlSyncResponseSavedObjectsCreated: - description: If saved objects are missing for machine learning jobs or trained models, they are created when you run the sync machine learning saved objects API. + description: >- + If saved objects are missing for machine learning jobs or trained + models, they are created when you run the sync machine learning saved + objects API. properties: anomaly-detector: additionalProperties: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors' - description: If saved objects are missing for anomaly detection jobs, they are created. + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors + description: >- + If saved objects are missing for anomaly detection jobs, they are + created. type: object data-frame-analytics: additionalProperties: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics' - description: If saved objects are missing for data frame analytics jobs, they are created. + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics + description: >- + If saved objects are missing for data frame analytics jobs, they are + created. type: object trained-model: additionalProperties: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels' + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels description: If saved objects are missing for trained models, they are created. 
type: object title: Sync API response for created saved objects type: object Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted: - description: If saved objects exist for machine learning jobs or trained models that no longer exist, they are deleted when you run the sync machine learning saved objects API. + description: >- + If saved objects exist for machine learning jobs or trained models that + no longer exist, they are deleted when you run the sync machine learning + saved objects API. properties: anomaly-detector: additionalProperties: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors' - description: If there are saved objects exist for nonexistent anomaly detection jobs, they are deleted. + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors + description: >- + If there are saved objects exist for nonexistent anomaly detection + jobs, they are deleted. type: object data-frame-analytics: additionalProperties: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics' - description: If there are saved objects exist for nonexistent data frame analytics jobs, they are deleted. + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics + description: >- + If there are saved objects exist for nonexistent data frame + analytics jobs, they are deleted. type: object trained-model: additionalProperties: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels' - description: If there are saved objects exist for nonexistent trained models, they are deleted. + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels + description: >- + If there are saved objects exist for nonexistent trained models, + they are deleted. type: object title: Sync API response for deleted saved objects type: object 
@@ -98421,7 +26327,11 @@ components: description: The success or failure of the synchronization. type: boolean Machine_learning_APIs_mlSyncResponseTrainedModels: - description: The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status. + description: >- + The sync machine learning saved objects API response contains this + object when there are trained models affected by the synchronization. + There is an object for each relevant trained model, which contains the + synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' @@ -98501,7 +26411,8 @@ components: description: The name associated with the message. type: string role: - $ref: '#/components/schemas/Observability_AI_Assistant_API_MessageRoleEnum' + $ref: >- + #/components/schemas/Observability_AI_Assistant_API_MessageRoleEnum required: - role required: @@ -98607,7 +26518,8 @@ components: example: user.name type: string skip_reason: - $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason description: Reason why the anonymization field was not modified. required: - id 
@@ -98625,12 +26537,15 @@ components: errors: description: List of errors that occurred during the bulk operation. items: - $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError type: array results: - $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults summary: - $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary required: - results - summary @@ -98654,7 +26569,8 @@ components: created: description: List of anonymization fields successfully created. items: - $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse type: array deleted: items: @@ -98665,12 +26581,14 @@ components: skipped: description: List of anonymization fields that were skipped during the operation. items: - $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult type: array updated: description: List of anonymization fields successfully updated. items: - $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse type: array required: - updated 
@@ -98866,7 +26784,9 @@ components: $ref: '#/components/schemas/Security_AI_Assistant_API_MessageData' description: Metadata to attach to the context of the message. fields_to_anonymize: - description: List of field names within the data object that should be anonymized. + description: >- + List of field names within the data object that should be + anonymized. example: - user.name - source.ip @@ -98889,12 +26809,18 @@ components: Security_AI_Assistant_API_ContentReferences: additionalProperties: oneOf: - - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryContentReference' - - $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertContentReference' - - $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertsPageContentReference' - - $ref: '#/components/schemas/Security_AI_Assistant_API_ProductDocumentationContentReference' - - $ref: '#/components/schemas/Security_AI_Assistant_API_EsqlContentReference' - - $ref: '#/components/schemas/Security_AI_Assistant_API_HrefContentReference' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryContentReference + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_SecurityAlertContentReference + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_SecurityAlertsPageContentReference + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_ProductDocumentationContentReference + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_EsqlContentReference + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_HrefContentReference additionalProperties: false description: A union of all content reference types type: object 
@@ -99046,7 +26972,9 @@ components: example: default type: string users: - description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. + description: >- + Users who have access to the Knowledge Base Entry, defaults to + current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array @@ -99056,7 +26984,8 @@ components: - global - users - $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields' - - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryResponseFields' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_DocumentEntryResponseFields Security_AI_Assistant_API_DocumentEntryCreateFields: allOf: - type: object @@ -99074,14 +27003,18 @@ components: example: default type: string users: - description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. + description: >- + Users who have access to the Knowledge Base Entry, defaults to + current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - name - - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields' - - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields Security_AI_Assistant_API_DocumentEntryOptionalFields: type: object properties: 
@@ -99117,8 +27050,10 @@ components: - text Security_AI_Assistant_API_DocumentEntryResponseFields: allOf: - - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields' - - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields Security_AI_Assistant_API_DocumentEntryUpdateFields: allOf: - type: object @@ -99138,13 +27073,16 @@ components: example: default type: string users: - description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. + description: >- + Users who have access to the Knowledge Base Entry, defaults to + current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - id - - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields Security_AI_Assistant_API_EsqlContentReference: allOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' @@ -99190,7 +27128,9 @@ components: - updated_at type: string Security_AI_Assistant_API_FindConversationsSortField: - description: The field by which to sort the conversations. Possible values are `created_at`, `title`, and `updated_at`. + description: >- + The field by which to sort the conversations. Possible values are + `created_at`, `title`, and `updated_at`. enum: - created_at - title 
@@ -99251,7 +27191,9 @@ components: example: default type: string users: - description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. + description: >- + Users who have access to the Knowledge Base Entry, defaults to + current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array @@ -99261,7 +27203,8 @@ components: - global - users - $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields' - - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryResponseFields' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_IndexEntryResponseFields Security_AI_Assistant_API_IndexEntryCreateFields: allOf: - type: object @@ -99279,21 +27222,27 @@ components: example: default type: string users: - description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. + description: >- + Users who have access to the Knowledge Base Entry, defaults to + current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - name - - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields' - - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields Security_AI_Assistant_API_IndexEntryOptionalFields: type: object properties: inputSchema: $ref: '#/components/schemas/Security_AI_Assistant_API_InputSchema' outputFields: - description: Fields to extract from the query result, defaults to all fields if not provided or empty. + description: >- + Fields to extract from the query result, defaults to all fields if + not provided or empty. example: - title - author 
@@ -99304,7 +27253,9 @@ components: type: object properties: description: - description: Description for when this index or data stream should be queried for Knowledge Base content. Passed to the LLM as a tool description. + description: >- + Description for when this index or data stream should be queried for + Knowledge Base content. Passed to the LLM as a tool description. example: Query this index for general knowledge base content. type: string field: @@ -99316,7 +27267,9 @@ components: example: knowledge_base_index type: string queryDescription: - description: Description of query field used to fetch Knowledge Base content. Passed to the LLM as part of the tool input schema. + description: >- + Description of query field used to fetch Knowledge Base content. + Passed to the LLM as part of the tool input schema. example: Search for documents containing the specified keywords. type: string type: @@ -99333,8 +27286,10 @@ components: - queryDescription Security_AI_Assistant_API_IndexEntryResponseFields: allOf: - - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields' - - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields Security_AI_Assistant_API_IndexEntryUpdateFields: allOf: - type: object 
@@ -99354,15 +27309,20 @@ components: example: default type: string users: - description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. + description: >- + Users who have access to the Knowledge Base Entry, defaults to + current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - id - - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields Security_AI_Assistant_API_InputSchema: - description: Array of objects defining the input schema, allowing the LLM to extract structured data to be used in retrieval. + description: >- + Array of objects defining the input schema, allowing the LLM to extract + structured data to be used in retrieval. items: type: object properties: @@ -99385,7 +27345,8 @@ components: type: array Security_AI_Assistant_API_InputTextInterruptResumeValue: allOf: - - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue - type: object properties: type: @@ -99425,9 +27386,11 @@ components: Security_AI_Assistant_API_InterruptResumeValue: description: Union of the interrupt resume values oneOf: - - $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptResumeValue' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptResumeValue additionalProperties: false - - $ref: '#/components/schemas/Security_AI_Assistant_API_InputTextInterruptResumeValue' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_InputTextInterruptResumeValue additionalProperties: false Security_AI_Assistant_API_InterruptType: description: The type of interrupt 
@@ -99438,9 +27401,11 @@ components: Security_AI_Assistant_API_InterruptValue: description: Union of the interrupt values oneOf: - - $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptValue' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptValue additionalProperties: false - - $ref: '#/components/schemas/Security_AI_Assistant_API_InputTextInterruptValue' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_InputTextInterruptValue additionalProperties: false Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason: description: Reason why a Knowledge Base Entry was skipped during the bulk action. @@ -99459,7 +27424,8 @@ components: example: Skipped Entry type: string skip_reason: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason required: - id - skip_reason @@ -99479,12 +27445,15 @@ components: message: Failed to update entry. statusCode: 400 items: - $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError type: array results: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults summary: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary required: - results - summary 
@@ -99516,23 +27485,29 @@ components: id: '456' title: New Entry items: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse type: array deleted: - description: List of IDs of Knowledge Base Entries that were successfully deleted. + description: >- + List of IDs of Knowledge Base Entries that were successfully + deleted. example: - '789' items: type: string type: array skipped: - description: List of Knowledge Base Entries that were skipped during the bulk action. + description: >- + List of Knowledge Base Entries that were skipped during the bulk + action. example: - id: '123' name: Skipped Entry skip_reason: KNOWLEDGE_BASE_ENTRY_NOT_MODIFIED items: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult type: array updated: description: List of Knowledge Base Entries that were successfully updated. @@ -99541,7 +27516,8 @@ components: id: '123' title: Updated Entry items: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse type: array required: - updated @@ -99556,11 +27532,15 @@ components: example: 2 type: integer skipped: - description: Number of Knowledge Base Entries that were skipped during the bulk action. + description: >- + Number of Knowledge Base Entries that were skipped during the bulk + action. example: 1 type: integer succeeded: - description: Number of Knowledge Base Entries that were successfully processed during the bulk action. + description: >- + Number of Knowledge Base Entries that were successfully processed + during the bulk action. example: 5 type: integer total: 
@@ -99597,12 +27577,16 @@ components: description: References a knowledge base entry Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps: anyOf: - - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' - - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields discriminator: mapping: - document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' - index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' + document: >- + #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields + index: >- + #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields propertyName: type Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError: type: object 
@@ -99648,27 +27632,37 @@ components: propertyName: type Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps: anyOf: - - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields' - - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields discriminator: mapping: - document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields' - index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields' + document: >- + #/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields + index: >- + #/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields propertyName: type Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps: anyOf: - - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' - - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields discriminator: mapping: - document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' - index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' + document: >- + #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields + index: >- + #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields propertyName: type Security_AI_Assistant_API_KnowledgeBaseReadResponse200: type: object properties: defend_insights_exists: - description: Indicates if Defend Insights documentation exists in the KnowledgeBase. + description: >- + Indicates if Defend Insights documentation exists in the + KnowledgeBase. example: true type: boolean elser_exists: 
@@ -99688,7 +27682,9 @@ components: example: complete type: string security_labs_exists: - description: Indicates if Security Labs documentation exists in the KnowledgeBase. + description: >- + Indicates if Security Labs documentation exists in the + KnowledgeBase. example: true type: boolean user_data_exists: @@ -99696,7 +27692,9 @@ components: example: false type: boolean Security_AI_Assistant_API_KnowledgeBaseResource: - description: Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc. + description: >- + Knowledge Base resource name for grouping entries, e.g. 'security_labs', + 'user', etc. enum: - security_labs - defend_insights @@ -99784,10 +27782,16 @@ components: description: Data referred to by the message content. interruptResumeValue: $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptResumeValue' - description: When the agent is resumed after an interrupt, this field is populated with the details of the resume value. + description: >- + When the agent is resumed after an interrupt, this field is + populated with the details of the resume value. interruptValue: $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptValue' - description: When the agent is interrupted (for example, when user input is required), this field is populated with the details of the interrupt. Messages containing interruptValues in the metadata are excluded from the LLM context. + description: >- + When the agent is interrupted (for example, when user input is + required), this field is populated with the details of the + interrupt. Messages containing interruptValues in the metadata are + excluded from the LLM context. Security_AI_Assistant_API_MessageRole: description: Message role. enum: 
@@ -99803,7 +27807,9 @@ components: minLength: 1 type: string Security_AI_Assistant_API_NonEmptyTimestamp: - description: A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters. + description: >- + A string that represents a timestamp in ISO 8601 format and does not + contain only whitespace characters. example: '2023-10-31T12:00:00Z' format: nonempty minLength: 1 @@ -99814,7 +27820,8 @@ components: anonymization_fields: description: Array of anonymization fields that caused the error. items: - $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError type: array err_code: description: Error code indicating the type of failure. @@ -99842,7 +27849,8 @@ components: knowledgeBaseEntries: description: List of Knowledge Base Entries that encountered the error. items: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError type: array message: description: Error message describing the issue. @@ -99868,7 +27876,8 @@ components: prompts: description: List of prompts that encountered errors. items: - $ref: '#/components/schemas/Security_AI_Assistant_API_PromptDetailsInError' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptDetailsInError type: array status_code: description: The HTTP status code associated with the error. @@ -100027,7 +28036,8 @@ components: description: The name of the prompt that was skipped. type: string skip_reason: - $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason description: The reason for skipping the prompt. required: - id 
@@ -100040,12 +28050,15 @@ components: properties: errors: items: - $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedPromptError' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_NormalizedPromptError type: array results: - $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults summary: - $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary required: - results - summary @@ -100083,7 +28096,8 @@ components: skipped: description: List of prompts that were skipped. items: - $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult type: array updated: description: List of prompts that were updated. @@ -100240,7 +28254,8 @@ components: - value Security_AI_Assistant_API_SelectOptionInterruptResumeValue: allOf: - - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue - type: object properties: type: @@ -100249,7 +28264,9 @@ components: example: SELECT_OPTION type: string value: - description: The value of the selected option to resume the graph execution with + description: >- + The value of the selected option to resume the graph execution + with example: option_1 type: string required: @@ -100271,7 +28288,8 @@ components: - label: Option 1 - label: Option 2 items: - $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptOption' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptOption type: array type: enum: 
@@ -100315,7 +28333,9 @@ components: example: John Doe type: string Security_AI_Assistant_API_Vector: - description: Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings. + description: >- + Object containing Knowledge Base Entry text embeddings and modelId used + to create the embeddings. type: object properties: modelId: @@ -100413,7 +28433,9 @@ components: type: string type: array alert_rule_uuid: - description: The optional kibana.alert.rule.uuid of the rule that generated this attack discovery (not applicable to ad hock runs) + description: >- + The optional kibana.alert.rule.uuid of the rule that generated this + attack discovery (not applicable to ad hock runs) type: string alert_start: description: The optional time the attack discovery alert was created @@ -100422,16 +28444,22 @@ components: description: The optional time the attack discovery alert was last updated type: string alert_updated_by_user_id: - description: The optional id of the user who last updated the attack discovery alert + description: >- + The optional id of the user who last updated the attack discovery + alert type: string alert_updated_by_user_name: - description: The optional username of the user who updated the attack discovery alert + description: >- + The optional username of the user who updated the attack discovery + alert type: string alert_workflow_status: description: The optional kibana.alert.workflow_status of this attack discovery type: string alert_workflow_status_updated_at: - description: The optional time the attack discovery alert workflow status was last updated + description: >- + The optional time the attack discovery alert workflow status was + last updated type: string assignees: description: The optional array of user-IDs who have been assigned the attack 
@@ -100442,13 +28470,20 @@ components: description: The ID of the connector that generated the attack discovery type: string connector_name: - description: The (human readable) name of the connector that generated the attack discovery + description: >- + The (human readable) name of the connector that generated the attack + discovery type: string details_markdown: - description: Details of the attack with bulleted markdown that always uses special syntax for field names and values from the source data. + description: >- + Details of the attack with bulleted markdown that always uses + special syntax for field names and values from the source data. type: string entity_summary_markdown: - description: An optional, short (no more than a sentence) summary of the attack discovery featuring only the host.name and user.name fields (when they are applicable), using the same syntax + description: >- + An optional, short (no more than a sentence) summary of the attack + discovery featuring only the host.name and user.name fields (when + they are applicable), using the same syntax type: string generation_uuid: description: The generation ID of the run that created the attack discovery @@ -100457,7 +28492,9 @@ components: description: The unique ID of the attack discovery type: string index: - description: The concrete Elasticsearch index where this attack discovery is stored + description: >- + The concrete Elasticsearch index where this attack discovery is + stored type: string mitre_attack_tactics: description: An optional array of MITRE ATT&CK tactic for the attack discovery 
@@ -100466,9 +28503,13 @@ components: type: array replacements: $ref: '#/components/schemas/Security_Attack_discovery_API_Replacements' - description: Key-value pairs that are used to replace placeholders in the markdown fields + description: >- + Key-value pairs that are used to replace placeholders in the + markdown fields risk_score: - description: The optional, (but typically populated after generation) risk score of the alert + description: >- + The optional, (but typically populated after generation) risk score + of the alert type: integer summary_markdown: description: A markdown summary of attack discovery, using the same syntax @@ -100488,10 +28529,14 @@ components: description: The optional id of the user who generated the attack discovery type: string user_name: - description: The optional username of the user who generated the attack discovery, (not applicable to attack discoveries generated by rules) + description: >- + The optional username of the user who generated the attack + discovery, (not applicable to attack discoveries generated by rules) type: string users: - description: The optional array of users who may view the attack discovery. When empty, (or not present), all users may view the attack discovery. + description: >- + The optional array of users who may view the attack discovery. When + empty, (or not present), all users may view the attack discovery. items: $ref: '#/components/schemas/Security_Attack_discovery_API_User' type: array @@ -100512,7 +28557,8 @@ components: actions: description: The Attack Discovery schedule actions items: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction' + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction type: array created_at: description: The date the schedule was created 
@@ -100528,16 +28574,19 @@ components: description: UUID of Attack Discovery schedule type: string last_execution: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution' + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution description: The Attack Discovery schedule last execution summary name: description: The name of the schedule type: string params: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams' + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams description: The Attack Discovery schedule configuration parameters schedule: - $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule' + $ref: >- + #/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule description: The Attack Discovery schedule interval updated_at: description: The date the schedule was updated 
@@ -100559,22 +28608,30 @@ components: - actions Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction: oneOf: - - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction' - - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction' + - $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction + - $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter: additionalProperties: true type: object Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency: - description: The action frequency defines when the action runs (for example, only on schedule execution or at specific time intervals). + description: >- + The action frequency defines when the action runs (for example, only on + schedule execution or at specific time intervals). type: object properties: notify_when: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen' + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen summary: - description: Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert + description: >- + Action summary indicates whether we will send a summary notification + about all the generate alerts or notification per individual alert type: boolean throttle: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle' + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle nullable: true required: - summary 
@@ -100587,7 +28644,9 @@ components: description: The connector ID. type: string Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen: - description: 'The condition for throttling the notification: `onActionGroupChange`, `onActiveAlert`, or `onThrottleInterval`' + description: >- + The condition for throttling the notification: `onActionGroupChange`, + `onActiveAlert`, or `onThrottleInterval` enum: - onActiveAlert - onThrottleInterval @@ -100595,10 +28654,14 @@ components: type: string Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams: additionalProperties: true - description: Object containing the allowed connector fields, which varies according to the connector type. + description: >- + Object containing the allowed connector fields, which varies according + to the connector type. type: object Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle: - description: Defines how often schedule actions are taken. Time interval in seconds, minutes, hours, or days. + description: >- + Defines how often schedule actions are taken. Time interval in seconds, + minutes, hours, or days. example: 1h pattern: ^[1-9]\d*[smhd]$ type: string @@ -100609,7 +28672,8 @@ components: actions: description: The Attack Discovery schedule actions items: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction' + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction type: array enabled: description: Indicates whether the schedule is enabled 
@@ -100618,10 +28682,12 @@ components: description: The name of the schedule type: string params: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams' + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams description: The Attack Discovery schedule configuration parameters schedule: - $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule' + $ref: >- + #/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule description: The Attack Discovery schedule interval required: - name @@ -100641,7 +28707,8 @@ components: message: type: string status: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus' + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus description: Status of the execution required: - date 
@@ -100663,15 +28730,20 @@ components: description: The action type used for sending notifications. type: string alerts_filter: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter' + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter frequency: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency' + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency group: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup' + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup id: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId' + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId params: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams' + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams uuid: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' required: @@ -100721,9 +28793,11 @@ components: description: The action type used for sending notifications. type: string id: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId' + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId params: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams' + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams uuid: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' required: 
@@ -100737,16 +28811,19 @@ components: actions: description: The Attack Discovery schedule actions items: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction' + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction type: array name: description: The name of the schedule type: string params: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams' + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams description: The Attack Discovery schedule configuration parameters schedule: - $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule' + $ref: >- + #/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule description: The Attack Discovery schedule interval required: - name @@ -100754,7 +28831,9 @@ components: - schedule - actions Security_Attack_discovery_API_AttackDiscoveryFindSortField: - description: Allowed field names to sort Attack Discovery results by. Clients should only pass one of the listed values. + description: >- + Allowed field names to sort Attack Discovery results by. Clients should + only pass one of the listed values. enum: - '@timestamp' type: string @@ -100762,7 +28841,10 @@ components: type: object properties: alerts_context_count: - description: The number of alerts sent as context (max kibana.alert.rule.execution.metrics.alert_counts.active) to the LLM for the generation + description: >- + The number of alerts sent as context (max + kibana.alert.rule.execution.metrics.alert_counts.active) to the LLM + for the generation type: number connector_id: description: The connector id (event.dataset) for this generation 
@@ -100772,19 +28854,29 @@ components: type: object properties: average_successful_duration_nanoseconds: - description: The average duration (avg event.duration) in nanoseconds of successful generations for the same connector id, for the current user + description: >- + The average duration (avg event.duration) in nanoseconds of + successful generations for the same connector id, for the + current user type: number successful_generations: - description: The number of successful generations for the same connector id, for the current user + description: >- + The number of successful generations for the same connector id, + for the current user type: number discoveries: - description: The number of new Attack discovery alerts (max kibana.alert.rule.execution.metrics.alert_counts.new) for this generation + description: >- + The number of new Attack discovery alerts (max + kibana.alert.rule.execution.metrics.alert_counts.new) for this + generation type: number end: description: When generation ended (max event.end) type: string execution_uuid: - description: The unique identifier (kibana.alert.rule.execution.uuid) for the generation + description: >- + The unique identifier (kibana.alert.rule.execution.uuid) for the + generation type: string loading_message: description: Generation loading message (kibana.alert.rule.execution.status) 
@@ -100815,15 +28907,23 @@ components: type: object properties: alertsIndexPattern: - description: | - The (space specific) index pattern that contains the alerts to use as + description: > + The (space specific) index pattern that contains the alerts to use + as + context for the attack discovery. + Example: .alerts-security.alerts-default type: string anonymizationFields: - description: The list of fields, and whether or not they are anonymized, allowed to be sent to LLMs. Consider using the output of the `/api/security_ai_assistant/anonymization_fields/_find` API (for a specific Kibana space) to provide this value. + description: >- + The list of fields, and whether or not they are anonymized, allowed + to be sent to LLMs. Consider using the output of the + `/api/security_ai_assistant/anonymization_fields/_find` API (for a + specific Kibana space) to provide this value. items: - $ref: '#/components/schemas/Security_Attack_discovery_API_AnonymizationFieldResponse' + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AnonymizationFieldResponse type: array apiConfig: $ref: '#/components/schemas/Security_Attack_discovery_API_ApiConfig' @@ -100834,8 +28934,10 @@ components: type: string filter: additionalProperties: true - description: |- - An Elasticsearch-style query DSL object used to filter alerts. For example: + description: >- + An Elasticsearch-style query DSL object used to filter alerts. For + example: + ```json { "filter": { "bool": { @@ -100896,7 +28998,9 @@ components: example: 400 type: number Security_Attack_discovery_API_Filters: - description: The filter array used to define the conditions for when alerts are selected as an Attack Discovery context. Defaults to an empty array. + description: >- + The filter array used to define the conditions for when alerts are + selected as an Attack Discovery context. Defaults to an empty array. items: {} type: array Security_Attack_discovery_API_IntervalApiSchedule: 
@@ -100914,7 +29018,9 @@ components: minLength: 1 type: string Security_Attack_discovery_API_NonEmptyTimestamp: - description: A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters. + description: >- + A string that represents a timestamp in ISO 8601 format and does not + contain only whitespace characters. example: '2023-10-31T12:00:00Z' format: nonempty minLength: 1 @@ -100970,14 +29076,18 @@ components: properties: add: items: - description: A list of user profile `uid`s to assign. Users need to activate their user profile by logging into Kibana at least once. + description: >- + A list of user profile `uid`s to assign. Users need to activate + their user profile by logging into Kibana at least once. format: nonempty minLength: 1 type: string type: array remove: items: - description: A list of user profile `uid`s to unassign. Users need to activate their user profile by logging into Kibana at least once. + description: >- + A list of user profile `uid`s to unassign. Users need to activate + their user profile by logging into Kibana at least once. format: nonempty minLength: 1 type: string @@ -101004,7 +29114,8 @@ components: oneOf: - $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations' - items: - $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsSortCombinations type: array Security_Detections_API_AlertsSortCombinations: anyOf: @@ -101012,7 +29123,9 @@ components: - additionalProperties: true type: object Security_Detections_API_AlertStatusExceptClosed: - description: The status of an alert, which can be `open`, `acknowledged`, `in-progress`, or `closed`. + description: >- + The status of an alert, which can be `open`, `acknowledged`, + `in-progress`, or `closed`. enum: - open - acknowledged 
@@ -101023,18 +29136,21 @@ components: type: object properties: duration: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration' + $ref: >- + #/components/schemas/Security_Detections_API_AlertSuppressionDuration group_by: $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionGroupBy' missing_fields_strategy: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy' + $ref: >- + #/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy required: - group_by Security_Detections_API_AlertSuppressionDuration: type: object properties: unit: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDurationUnit' + $ref: >- + #/components/schemas/Security_Detections_API_AlertSuppressionDurationUnit value: minimum: 1 type: integer 
@@ -101055,48 +29171,72 @@ components: minItems: 1 type: array Security_Detections_API_AlertSuppressionMissingFieldsStrategy: - description: |- - Describes how alerts will be generated for documents with missing suppress by fields: + description: >- + Describes how alerts will be generated for documents with missing + suppress by fields: + doNotSuppress - per each document a separate alert will be created + suppress - only alert will be created per suppress by bucket enum: - doNotSuppress - suppress type: string Security_Detections_API_AlertTag: - description: Use alert tags to organize related alerts into categories that you can filter and group. + description: >- + Use alert tags to organize related alerts into categories that you can + filter and group. format: nonempty minLength: 1 type: string Security_Detections_API_AlertTags: - description: List of keywords to organize related alerts into categories that you can filter and group. + description: >- + List of keywords to organize related alerts into categories that you can + filter and group. items: $ref: '#/components/schemas/Security_Detections_API_AlertTag' type: array Security_Detections_API_AnomalyThreshold: - description: Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100. + description: >- + Anomaly score threshold above which the rule creates an alert. Valid + values are from 0 to 100. minimum: 0 type: integer Security_Detections_API_BuildingBlockType: - description: | - Determines if the rule acts as a building block. If yes, the value must be `default`. - By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. - For more information, refer to [About building block rules](https://www.elastic.co/docs/solutions/security/detect-and-alert/about-building-block-rules). + description: > + Determines if the rule acts as a building block. If yes, the value must + be `default`. 
+ + By default, building-block alerts are not displayed in the UI. These + rules are used as a foundation for other rules that do generate alerts. + + For more information, refer to [About building block + rules](https://www.elastic.co/docs/solutions/security/detect-and-alert/about-building-block-rules). type: string Security_Detections_API_BulkActionEditPayload: anyOf: - - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTags' - - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns' - - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields' - - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline' - - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions' - - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule' - - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadAlertSuppression' + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadTags + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadAlertSuppression Security_Detections_API_BulkActionEditPayloadAlertSuppression: anyOf: - - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppression' - - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold' - - $ref: 
'#/components/schemas/Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression' + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppression + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression: type: object properties: @@ -101107,12 +29247,19 @@ components: required: - type Security_Detections_API_BulkActionEditPayloadIndexPatterns: - description: | + description: > Edits index patterns of rulesClient. - - `add_index_patterns` adds index patterns to rules. If an index pattern already exists for a rule, no changes are made. - - `delete_index_patterns` removes index patterns from rules. If an index pattern does not exist for a rule, no changes are made. - - `set_index_patterns` sets index patterns for rules, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. + + - `add_index_patterns` adds index patterns to rules. If an index pattern + already exists for a rule, no changes are made. + + - `delete_index_patterns` removes index patterns from rules. If an index + pattern does not exist for a rule, no changes are made. + + - `set_index_patterns` sets index patterns for rules, overwriting any + existing index patterns. If the set of index patterns is the same as the + existing index patterns, no changes are made. type: object properties: overwrite_data_views: 
@@ -101130,12 +29277,20 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadInvestigationFields: - description: | + description: > Edits investigation fields of rules. - - `add_investigation_fields` adds investigation fields to rules. If an investigation field already exists for a rule, no changes are made. - - `delete_investigation_fields` removes investigation fields from rules. If an investigation field does not exist for a rule, no changes are made. - - `set_investigation_fields` sets investigation fields for rules. If the set of investigation fields is the same as the existing investigation fields, no changes are made. + + - `add_investigation_fields` adds investigation fields to rules. If an + investigation field already exists for a rule, no changes are made. + + - `delete_investigation_fields` removes investigation fields from rules. + If an investigation field does not exist for a rule, no changes are + made. + + - `set_investigation_fields` sets investigation fields for rules. If the + set of investigation fields is the same as the existing investigation + fields, no changes are made. type: object properties: type: 
@@ -101150,11 +29305,18 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadRuleActions: - description: | + description: > Edits rule actions of rules. - - `add_rule_actions` adds rule actions to rules. This action is non-idempotent, meaning that even if the same rule action already exists for a rule, it will be added again with a new unique ID. - - `set_rule_actions` sets rule actions for rules. This action is non-idempotent, meaning that even if the same set of rule actions already exists for a rule, it will be set again and the actions will receive new unique IDs. + + - `add_rule_actions` adds rule actions to rules. This action is + non-idempotent, meaning that even if the same rule action already exists + for a rule, it will be added again with a new unique ID. + + - `set_rule_actions` sets rule actions for rules. This action is + non-idempotent, meaning that even if the same set of rule actions + already exists for a rule, it will be set again and the actions will + receive new unique IDs. type: object properties: type: 
@@ -101167,22 +29329,30 @@ components: properties: actions: items: - $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleAction' + $ref: >- + #/components/schemas/Security_Detections_API_NormalizedRuleAction type: array throttle: - $ref: '#/components/schemas/Security_Detections_API_ThrottleForBulkActions' + $ref: >- + #/components/schemas/Security_Detections_API_ThrottleForBulkActions required: - actions required: - type - value Security_Detections_API_BulkActionEditPayloadSchedule: - description: | + description: > Overwrites schedule of rules. - - `set_schedule` sets a schedule for rules. If the same schedule already exists for a rule, no changes are made. - Both `interval` and `lookback` have a format of "{integer}{time_unit}", where accepted time units are `s` for seconds, `m` for minutes, and `h` for hours. The integer must be positive and larger than 0. Examples: "45s", "30m", "6h" + - `set_schedule` sets a schedule for rules. If the same schedule already + exists for a rule, no changes are made. + + + Both `interval` and `lookback` have a format of "{integer}{time_unit}", + where accepted time units are `s` for seconds, `m` for minutes, and `h` + for hours. The integer must be positive and larger than 0. Examples: + "45s", "30m", "6h" type: object properties: type: 
@@ -101193,15 +29363,20 @@ components: type: object properties: interval: - description: Interval in which the rule runs. For example, `"1h"` means the rule runs every hour. + description: >- + Interval in which the rule runs. For example, `"1h"` means the + rule runs every hour. example: 1h pattern: ^[1-9]\d*[smh]$ type: string lookback: - description: | + description: > Lookback time for the rules. - Additional look-back time that the rule analyzes. For example, "10m" means the rule analyzes the last 10 minutes of data in addition to the frequency interval. + + Additional look-back time that the rule analyzes. For example, + "10m" means the rule analyzes the last 10 minutes of data in + addition to the frequency interval. example: 1h pattern: ^[1-9]\d*[smh]$ type: string @@ -101231,17 +29406,24 @@ components: - set_alert_suppression_for_threshold type: string value: - $ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression' + $ref: >- + #/components/schemas/Security_Detections_API_ThresholdAlertSuppression required: - type - value Security_Detections_API_BulkActionEditPayloadTags: - description: | + description: > Edits tags of rules. - - `add_tags` adds tags to rules. If a tag already exists for a rule, no changes are made. - - `delete_tags` removes tags from rules. If a tag does not exist for a rule, no changes are made. - - `set_tags` sets tags for rules, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. + + - `add_tags` adds tags to rules. If a tag already exists for a rule, no + changes are made. + + - `delete_tags` removes tags from rules. If a tag does not exist for a + rule, no changes are made. + + - `set_tags` sets tags for rules, overwriting any existing tags. If the + set of tags is the same as the existing tags, no changes are made. type: object properties: type: 
@@ -101256,10 +29438,12 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadTimeline: - description: | + description: > Edits timeline of rules. - - `set_timeline` sets a timeline for rules. If the same timeline already exists for a rule, no changes are made. + + - `set_timeline` sets a timeline for rules. If the same timeline already + exists for a rule, no changes are made. type: object properties: type: @@ -101272,7 +29456,8 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle required: - timeline_id - timeline_title @@ -101303,7 +29488,8 @@ components: skip_reason: oneOf: - $ref: '#/components/schemas/Security_Detections_API_BulkEditSkipReason' - - $ref: '#/components/schemas/Security_Detections_API_BulkGapsFillingSkipReason' + - $ref: >- + #/components/schemas/Security_Detections_API_BulkGapsFillingSkipReason required: - id - skip_reason @@ -101315,10 +29501,14 @@ components: - delete type: string gap_auto_fill_scheduler_id: - description: Gap auto fill scheduler ID used to determine gap fill status for rules + description: >- + Gap auto fill scheduler ID used to determine gap fill status for + rules type: string gap_fill_statuses: - description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). + description: >- + Gap fill statuses to filter rules with gaps by status (used together + with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array 
@@ -101329,8 +29519,10 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: | - Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. + description: > + Array of rule `id`s to which a bulk action will be applied. Do not + use rule's `rule_id` here. + Only valid when query property is undefined. items: type: string @@ -101349,10 +29541,14 @@ components: - disable type: string gap_auto_fill_scheduler_id: - description: Gap auto fill scheduler ID used to determine gap fill status for rules + description: >- + Gap auto fill scheduler ID used to determine gap fill status for + rules type: string gap_fill_statuses: - description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). + description: >- + Gap fill statuses to filter rules with gaps by status (used together + with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -101363,8 +29559,10 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: | - Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. + description: > + Array of rule `id`s to which a bulk action will be applied. Do not + use rule's `rule_id` here. + Only valid when query property is undefined. items: type: string 
@@ -101396,10 +29594,14 @@ components: - include_exceptions - include_expired_exceptions gap_auto_fill_scheduler_id: - description: Gap auto fill scheduler ID used to determine gap fill status for rules + description: >- + Gap auto fill scheduler ID used to determine gap fill status for + rules type: string gap_fill_statuses: - description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). + description: >- + Gap fill statuses to filter rules with gaps by status (used together + with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -101410,8 +29612,10 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: | - Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. + description: > + Array of rule `id`s to which a bulk action will be applied. Do not + use rule's `rule_id` here. + Only valid when query property is undefined. items: type: string @@ -101430,12 +29634,15 @@ components: properties: errors: items: - $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleError' + $ref: >- + #/components/schemas/Security_Detections_API_NormalizedRuleError type: array results: - $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResults' + $ref: >- + #/components/schemas/Security_Detections_API_BulkEditActionResults summary: - $ref: '#/components/schemas/Security_Detections_API_BulkEditActionSummary' + $ref: >- + #/components/schemas/Security_Detections_API_BulkEditActionSummary required: - results - summary 
@@ -101474,7 +29681,13 @@ components: - deleted - skipped Security_Detections_API_BulkEditActionSummary: - description: A rule can only be skipped when the bulk action to be performed on it results in nothing being done. For example, if the `edit` action is used to add a tag to a rule that already has that tag, or to delete an index pattern that is not specified in a rule. Objects returned in `attributes.results.skipped` will only include rules' `id`, `name`, and `skip_reason`. + description: >- + A rule can only be skipped when the bulk action to be performed on it + results in nothing being done. For example, if the `edit` action is used + to add a tag to a rule that already has that tag, or to delete an index + pattern that is not specified in a rule. Objects returned in + `attributes.results.skipped` will only include rules' `id`, `name`, and + `skip_reason`. type: object properties: failed: @@ -101504,10 +29717,14 @@ components: minItems: 1 type: array gap_auto_fill_scheduler_id: - description: Gap auto fill scheduler ID used to determine gap fill status for rules + description: >- + Gap auto fill scheduler ID used to determine gap fill status for + rules type: string gap_fill_statuses: - description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). + description: >- + Gap fill statuses to filter rules with gaps by status (used together + with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -101518,8 +29735,10 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: | - Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. + description: > + Array of rule `id`s to which a bulk action will be applied. Do not + use rule's `rule_id` here. + Only valid when query property is undefined. items: type: string 
@@ -101543,10 +29762,14 @@ components: - enable type: string gap_auto_fill_scheduler_id: - description: Gap auto fill scheduler ID used to determine gap fill status for rules + description: >- + Gap auto fill scheduler ID used to determine gap fill status for + rules type: string gap_fill_statuses: - description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). + description: >- + Gap fill statuses to filter rules with gaps by status (used together + with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -101557,8 +29780,10 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: | - Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. + description: > + Array of rule `id`s to which a bulk action will be applied. Do not + use rule's `rule_id` here. + Only valid when query property is undefined. items: type: string @@ -101579,10 +29804,14 @@ components: - export type: string gap_auto_fill_scheduler_id: - description: Gap auto fill scheduler ID used to determine gap fill status for rules + description: >- + Gap auto fill scheduler ID used to determine gap fill status for + rules type: string gap_fill_statuses: - description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). + description: >- + Gap fill statuses to filter rules with gaps by status (used together + with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array 
@@ -101593,8 +29822,10 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: | - Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. + description: > + Array of rule `id`s to which a bulk action will be applied. Do not + use rule's `rule_id` here. + Only valid when query property is undefined. items: type: string @@ -101617,7 +29848,9 @@ components: - fill_gaps type: string fill_gaps: - description: Object that describes applying a manual gap fill action for the specified time range. + description: >- + Object that describes applying a manual gap fill action for the + specified time range. type: object properties: end_date: @@ -101630,10 +29863,14 @@ components: - start_date - end_date gap_auto_fill_scheduler_id: - description: Gap auto fill scheduler ID used to determine gap fill status for rules + description: >- + Gap auto fill scheduler ID used to determine gap fill status for + rules type: string gap_fill_statuses: - description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). + description: >- + Gap fill statuses to filter rules with gaps by status (used together + with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -101644,8 +29881,10 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: | - Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. + description: > + Array of rule `id`s to which a bulk action will be applied. Do not + use rule's `rule_id` here. + Only valid when query property is undefined. items: type: string 
@@ -101665,10 +29904,14 @@ components: - run type: string gap_auto_fill_scheduler_id: - description: Gap auto fill scheduler ID used to determine gap fill status for rules + description: >- + Gap auto fill scheduler ID used to determine gap fill status for + rules type: string gap_fill_statuses: - description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). + description: >- + Gap fill statuses to filter rules with gaps by status (used together + with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -101679,8 +29922,10 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: | - Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. + description: > + Array of rule `id`s to which a bulk action will be applied. Do not + use rule's `rule_id` here. + Only valid when query property is undefined. items: type: string @@ -101711,7 +29956,9 @@ components: reason: $ref: '#/components/schemas/Security_Detections_API_Reason' signal_ids: - description: 'List of alert ids. Use field `_id` on alert document or `kibana.alert.uuid`. Note: signals are a deprecated term for alerts.' + description: >- + List of alert ids. Use field `_id` on alert document or + `kibana.alert.uuid`. Note: signals are a deprecated term for alerts. items: format: nonempty minLength: 1 @@ -101774,7 +30021,9 @@ components: - items: type: string type: array - description: 'Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}' + description: >- + Map Osquery results columns or static values to Elastic Common Schema + (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}} type: object Security_Detections_API_EndpointResponseAction: type: object 
@@ -101834,14 +30083,18 @@ components: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -101855,7 +30108,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -101871,24 +30125,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -101915,11 +30180,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -101958,14 +30225,18 @@ components: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -101979,7 +30250,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -101995,24 +30267,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -102041,11 +30324,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -102076,14 +30361,18 @@ components: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -102097,11 +30386,12 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -102115,24 +30405,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -102161,11 +30462,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -102180,274 +30483,18 @@ components: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' - alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_UUID' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' - output_index: - $ref: 
'#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' - required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. - > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. - items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - 
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateFields' - Security_Detections_API_ErrorSchema: - additionalProperties: false - type: object - properties: - error: - type: object - properties: - message: - type: string - status_code: - minimum: 400 - type: integer - required: - - status_code - - message - id: - type: string - item_id: - minLength: 1 - type: string - list_id: - minLength: 1 - type: string - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - required: - - error - Security_Detections_API_EsqlQueryLanguage: - enum: - - esql - type: string - Security_Detections_API_EsqlRule: - allOf: - - type: object - properties: - actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. 
- items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' - alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' - required_fields: - description: | - 
Elasticsearch fields and their types that need to be present for the rule to function. - > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. - items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - version - - tags - - enabled - - risk_score_mapping - - 
severity_mapping - - interval - - from - - to - - actions - - exceptions_list - - author - - false_positives - - references - - max_signals - - threat - - setup - - related_integrations - - required_fields - - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleResponseFields' - Security_Detections_API_EsqlRuleCreateFields: - allOf: - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields' - Security_Detections_API_EsqlRuleCreateProps: - allOf: - - type: object - properties: - actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -102461,125 +30508,16 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' - required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. - > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. 
- items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields' - Security_Detections_API_EsqlRuleOptionalFields: - type: object - properties: - alert_suppression: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - Security_Detections_API_EsqlRulePatchProps: - allOf: - - type: object - 
properties: - actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' - alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - language: - $ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: 
@@ -102589,151 +30527,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. - > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. 
- items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - type: - description: Rule type - enum: - - esql - type: string - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' - Security_Detections_API_EsqlRuleRequiredFields: - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage' - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - type: - 
description: Rule type - enum: - - esql - type: string - required: - - type - - language - - query - Security_Detections_API_EsqlRuleResponseFields: - allOf: - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields' - Security_Detections_API_EsqlRuleUpdateProps: - allOf: - - type: object - properties: - actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' - alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_UUID' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: 
'#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' - required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -102762,11 +30584,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -102776,156 +30600,55 @@ components: - description - risk_score - severity - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields' - Security_Detections_API_EventCategoryOverride: - type: string - Security_Detections_API_ExceptionListType: - description: The exception type - enum: - - detection - - rule_default - - endpoint - - endpoint_trusted_apps - - endpoint_trusted_devices - - endpoint_events - - endpoint_host_isolation_exceptions - - endpoint_blocklists - type: string - Security_Detections_API_ExternalRuleCustomizedFields: - description: An array of customized field names — that is, fields that the user has modified from their base value. Defaults to an empty array. - items: - type: object - properties: - field_name: - description: Name of a user-modified field in the rule object. - type: string - required: - - field_name - type: array - Security_Detections_API_ExternalRuleHasBaseVersion: - description: Determines whether an external/prebuilt rule has its original, unmodified version present when the calculation of its customization status is performed (`rule_source.is_customized` and `rule_source.customized_fields`). - type: boolean - Security_Detections_API_ExternalRuleSource: - description: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo. 
+ - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateFields' + Security_Detections_API_ErrorSchema: + additionalProperties: false type: object properties: - customized_fields: - $ref: '#/components/schemas/Security_Detections_API_ExternalRuleCustomizedFields' - has_base_version: - $ref: '#/components/schemas/Security_Detections_API_ExternalRuleHasBaseVersion' - is_customized: - $ref: '#/components/schemas/Security_Detections_API_IsExternalRuleCustomized' - type: - enum: - - external + error: + type: object + properties: + message: + type: string + status_code: + minimum: 400 + type: integer + required: + - status_code + - message + id: type: string - required: - - type - - is_customized - - has_base_version - - customized_fields - Security_Detections_API_FindRulesSortField: - enum: - - created_at - - createdAt - - enabled - - execution_summary.last_execution.date - - execution_summary.last_execution.metrics.execution_gap_duration_s - - execution_summary.last_execution.metrics.total_indexing_duration_ms - - execution_summary.last_execution.metrics.total_search_duration_ms - - execution_summary.last_execution.status - - name - - risk_score - - riskScore - - severity - - updated_at - - updatedAt - type: string - Security_Detections_API_GapFillStatus: - enum: - - unfilled - - in_progress - - filled - - error - type: string - Security_Detections_API_HistoryWindowStart: - description: Start date to use when checking if a term has been seen before. Supports relative dates – for example, now-30d will search the last 30 days of data when checking if a term is new. We do not recommend using absolute dates, which can cause issues with rule performance due to querying increasing amounts of data over time. - format: nonempty - minLength: 1 - type: string - Security_Detections_API_IndexPatternArray: - description: | - Indices on which the rule functions. 
Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → `securitySolution:defaultIndex`). - > info - > This field is not supported for ES|QL rules. - items: - type: string - type: array - Security_Detections_API_InternalRuleSource: - description: Type of rule source for internally sourced rules, i.e. created within the Kibana apps. - type: object - properties: - type: - enum: - - internal + item_id: + minLength: 1 type: string + list_id: + minLength: 1 + type: string + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' required: - - type - Security_Detections_API_InvestigationFields: - description: | - Schema for fields relating to investigation fields. These are user defined fields we use to highlight - in various features in the UI such as alert details flyout and exceptions auto-population from alert. - type: object - properties: - field_names: - items: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - minItems: 1 - type: array - required: - - field_names - Security_Detections_API_InvestigationGuide: - description: Notes to help investigate alerts produced by the rule. - type: string - Security_Detections_API_IsExternalRuleCustomized: - description: Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value). - type: boolean - Security_Detections_API_IsRuleEnabled: - description: Determines whether the rule is enabled. Defaults to true. - type: boolean - Security_Detections_API_IsRuleImmutable: - deprecated: true - description: This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the `rule_source` field. 
- type: boolean - Security_Detections_API_ItemsPerSearch: - minimum: 1 - type: integer - Security_Detections_API_KqlQueryLanguage: + - error + Security_Detections_API_EsqlQueryLanguage: enum: - - kuery - - lucene + - esql type: string - Security_Detections_API_MachineLearningJobId: - description: Machine learning job ID(s) the rule monitors for anomaly scores. - oneOf: - - type: string - - items: - type: string - minItems: 1 - type: array - Security_Detections_API_MachineLearningRule: + Security_Detections_API_EsqlRule: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -102939,7 +30662,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -102955,24 +30679,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -102999,11 +30734,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -103032,24 +30769,28 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields' - Security_Detections_API_MachineLearningRuleCreateFields: + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleResponseFields' + Security_Detections_API_EsqlRuleCreateFields: allOf: - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' - Security_Detections_API_MachineLearningRuleCreateProps: + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields' + Security_Detections_API_EsqlRuleCreateProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -103063,7 +30804,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -103079,24 +30821,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -103125,11 +30878,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -103139,39 +30894,29 @@ components: - description - risk_score - severity - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields' - Security_Detections_API_MachineLearningRuleOptionalFields: + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields' + Security_Detections_API_EsqlRuleOptionalFields: type: object properties: alert_suppression: $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - Security_Detections_API_MachineLearningRulePatchFields: - allOf: - - type: object - properties: - anomaly_threshold: - $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold' - machine_learning_job_id: - $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId' - type: - description: Rule type - enum: - - machine_learning - type: string - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' - Security_Detections_API_MachineLearningRulePatchProps: + Security_Detections_API_EsqlRulePatchProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -103185,15 +30930,18 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + language: + $ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: 
@@ -103203,24 +30951,37 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -103249,49 +31010,60 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + type: + description: Rule type + enum: + - esql + type: string version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchFields' - Security_Detections_API_MachineLearningRuleRequiredFields: + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' + Security_Detections_API_EsqlRuleRequiredFields: type: object properties: - anomaly_threshold: - $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold' - machine_learning_job_id: - $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId' + language: + $ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage' + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' type: description: Rule type enum: - - machine_learning + - esql type: string required: - type - - machine_learning_job_id - - anomaly_threshold - Security_Detections_API_MachineLearningRuleResponseFields: + - language + - query + Security_Detections_API_EsqlRuleResponseFields: allOf: - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' - 
Security_Detections_API_MachineLearningRuleUpdateProps: + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields' + Security_Detections_API_EsqlRuleUpdateProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -103305,11 +31077,12 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -103323,24 +31096,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -103369,11 +31153,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -103383,35 +31169,190 @@ components: - description - risk_score - severity - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields' - Security_Detections_API_MaxSignals: - default: 100 - description: | - Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run [advanced setting](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#rule-ui-advanced-params) value). + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields' + Security_Detections_API_EventCategoryOverride: + type: string + Security_Detections_API_ExceptionListType: + description: The exception type + enum: + - detection + - rule_default + - endpoint + - endpoint_trusted_apps + - endpoint_trusted_devices + - endpoint_events + - endpoint_host_isolation_exceptions + - endpoint_blocklists + type: string + Security_Detections_API_ExternalRuleCustomizedFields: + description: >- + An array of customized field names — that is, fields that the user has + modified from their base value. Defaults to an empty array. + items: + type: object + properties: + field_name: + description: Name of a user-modified field in the rule object. + type: string + required: + - field_name + type: array + Security_Detections_API_ExternalRuleHasBaseVersion: + description: >- + Determines whether an external/prebuilt rule has its original, + unmodified version present when the calculation of its customization + status is performed (`rule_source.is_customized` and + `rule_source.customized_fields`). + type: boolean + Security_Detections_API_ExternalRuleSource: + description: >- + Type of rule source for externally sourced rules, i.e. rules that have + an external source, such as the Elastic Prebuilt rules repo. 
+ type: object + properties: + customized_fields: + $ref: >- + #/components/schemas/Security_Detections_API_ExternalRuleCustomizedFields + has_base_version: + $ref: >- + #/components/schemas/Security_Detections_API_ExternalRuleHasBaseVersion + is_customized: + $ref: >- + #/components/schemas/Security_Detections_API_IsExternalRuleCustomized + type: + enum: + - external + type: string + required: + - type + - is_customized + - has_base_version + - customized_fields + Security_Detections_API_FindRulesSortField: + enum: + - created_at + - createdAt + - enabled + - execution_summary.last_execution.date + - execution_summary.last_execution.metrics.execution_gap_duration_s + - execution_summary.last_execution.metrics.total_indexing_duration_ms + - execution_summary.last_execution.metrics.total_search_duration_ms + - execution_summary.last_execution.status + - name + - risk_score + - riskScore + - severity + - updated_at + - updatedAt + type: string + Security_Detections_API_GapFillStatus: + enum: + - unfilled + - in_progress + - filled + - error + type: string + Security_Detections_API_HistoryWindowStart: + description: >- + Start date to use when checking if a term has been seen before. Supports + relative dates – for example, now-30d will search the last 30 days of + data when checking if a term is new. We do not recommend using absolute + dates, which can cause issues with rule performance due to querying + increasing amounts of data over time. + format: nonempty + minLength: 1 + type: string + Security_Detections_API_IndexPatternArray: + description: > + Indices on which the rule functions. Defaults to the Security Solution + indices defined on the Kibana Advanced Settings page (Kibana → Stack + Management → Advanced Settings → `securitySolution:defaultIndex`). 
+ > info - > This setting can be superseded by the [Kibana configuration setting](https://www.elastic.co/docs/reference/kibana/configuration-reference/alerting-settings) `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, the rule can generate no more than 1000 alerts even if `max_signals` is set higher. - minimum: 1 - type: integer - Security_Detections_API_NewTermsFields: - description: Fields to monitor for new values. + + > This field is not supported for ES|QL rules. items: type: string - maxItems: 3 - minItems: 1 type: array - Security_Detections_API_NewTermsRule: + Security_Detections_API_InternalRuleSource: + description: >- + Type of rule source for internally sourced rules, i.e. created within + the Kibana apps. + type: object + properties: + type: + enum: + - internal + type: string + required: + - type + Security_Detections_API_InvestigationFields: + description: > + Schema for fields relating to investigation fields. These are user + defined fields we use to highlight + + in various features in the UI such as alert details flyout and + exceptions auto-population from alert. + type: object + properties: + field_names: + items: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + minItems: 1 + type: array + required: + - field_names + Security_Detections_API_InvestigationGuide: + description: Notes to help investigate alerts produced by the rule. + type: string + Security_Detections_API_IsExternalRuleCustomized: + description: >- + Determines whether an external/prebuilt rule has been customized by the + user (i.e. any of its fields have been modified and diverged from the + base value). + type: boolean + Security_Detections_API_IsRuleEnabled: + description: Determines whether the rule is enabled. Defaults to true. 
+ type: boolean + Security_Detections_API_IsRuleImmutable: + deprecated: true + description: >- + This field determines whether the rule is a prebuilt Elastic rule. It + will be replaced with the `rule_source` field. + type: boolean + Security_Detections_API_ItemsPerSearch: + minimum: 1 + type: integer + Security_Detections_API_KqlQueryLanguage: + enum: + - kuery + - lucene + type: string + Security_Detections_API_MachineLearningJobId: + description: Machine learning job ID(s) the rule monitors for anomaly scores. + oneOf: + - type: string + - items: + type: string + minItems: 1 + type: array + Security_Detections_API_MachineLearningRule: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -103425,7 +31366,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -103441,24 +31383,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -103485,11 +31438,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -103518,25 +31473,31 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleResponseFields' - Security_Detections_API_NewTermsRuleCreateFields: + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields + Security_Detections_API_MachineLearningRuleCreateFields: allOf: - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields' - Security_Detections_API_NewTermsRuleCreateProps: + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields + Security_Detections_API_MachineLearningRuleCreateProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -103550,7 +31511,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -103566,24 +31528,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -103612,11 +31585,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -103626,53 +31601,46 @@ components: - description - risk_score - severity - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields' - Security_Detections_API_NewTermsRuleDefaultableFields: - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - Security_Detections_API_NewTermsRuleOptionalFields: + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields + Security_Detections_API_MachineLearningRuleOptionalFields: type: object properties: alert_suppression: $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - data_view_id: - $ref: '#/components/schemas/Security_Detections_API_DataViewId' - filters: - $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' - index: - $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - Security_Detections_API_NewTermsRulePatchFields: - allOf: - - type: object - properties: - history_window_start: - $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart' - new_terms_fields: - $ref: '#/components/schemas/Security_Detections_API_NewTermsFields' - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + Security_Detections_API_MachineLearningRulePatchFields: + allOf: + - type: object + properties: + anomaly_threshold: + $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold' + machine_learning_job_id: + $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningJobId type: description: Rule type enum: - - new_terms + - machine_learning type: string - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields' - Security_Detections_API_NewTermsRulePatchProps: + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields + 
Security_Detections_API_MachineLearningRulePatchProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -103686,11 +31654,12 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -103704,24 +31673,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -103750,58 +31730,58 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchFields' - Security_Detections_API_NewTermsRuleRequiredFields: + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRulePatchFields + Security_Detections_API_MachineLearningRuleRequiredFields: type: object properties: - history_window_start: - $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart' - new_terms_fields: - $ref: '#/components/schemas/Security_Detections_API_NewTermsFields' - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + anomaly_threshold: + $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold' + machine_learning_job_id: + $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId' type: description: Rule type enum: - - new_terms + - machine_learning type: string required: - type - - query - - new_terms_fields - - history_window_start - Security_Detections_API_NewTermsRuleResponseFields: + - machine_learning_job_id + - anomaly_threshold + Security_Detections_API_MachineLearningRuleResponseFields: allOf: - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields' - - $ref: 
'#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' - - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - required: - - language - Security_Detections_API_NewTermsRuleUpdateProps: + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields + Security_Detections_API_MachineLearningRuleUpdateProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -103815,11 +31795,12 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -103833,24 +31814,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -103879,11 +31871,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -103893,185 +31887,51 @@ components: - description - risk_score - severity - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields' - Security_Detections_API_NonEmptyString: - description: A string that does not contain only whitespace characters - format: nonempty - minLength: 1 - type: string - Security_Detections_API_NormalizedRuleAction: - additionalProperties: false - type: object - properties: - alerts_filter: - $ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter' - frequency: - $ref: '#/components/schemas/Security_Detections_API_RuleActionFrequency' - group: - $ref: '#/components/schemas/Security_Detections_API_RuleActionGroup' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleActionId' - params: - $ref: '#/components/schemas/Security_Detections_API_RuleActionParams' - required: - - id - - params - Security_Detections_API_NormalizedRuleError: - type: object - properties: - err_code: - $ref: '#/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode' - message: - type: string - rules: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleDetailsInError' - type: array - status_code: - type: integer - required: - - message - - status_code - - rules - Security_Detections_API_OsqueryParams: - type: object - properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Detections_API_EcsMapping' - pack_id: - description: 'To specify a query pack, use the packId field. Example: "packId": "processes_elastic"' - type: string - queries: - items: - $ref: '#/components/schemas/Security_Detections_API_OsqueryQuery' - type: array - query: - description: 'To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"' - type: string - saved_query_id: - description: 'To run a saved query, use the saved_query_id field and specify the saved query ID. 
Example: "saved_query_id": "processes_elastic"' - type: string - timeout: - description: 'A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.' - type: number - Security_Detections_API_OsqueryQuery: - type: object - properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Detections_API_EcsMapping' - id: - description: Query ID - type: string - platform: - type: string - query: - description: Query to run - type: string - removed: - type: boolean - snapshot: - type: boolean - version: - description: Query version - type: string - required: - - id - - query - Security_Detections_API_OsqueryResponseAction: - type: object - properties: - action_type_id: - enum: - - .osquery - type: string - params: - $ref: '#/components/schemas/Security_Detections_API_OsqueryParams' - required: - - action_type_id - - params - Security_Detections_API_PlatformErrorResponse: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: integer - required: - - statusCode - - error - - message - Security_Detections_API_ProcessesParams: - type: object - properties: - command: - description: 'To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"' - enum: - - kill-process - - suspend-process - type: string - comment: - description: 'Add a note that explains or describes the action. You can find your comment in the response actions history log. 
Example: "comment": "Check processes"' - type: string - config: - type: object - properties: - field: - description: Field to use instead of process.pid - type: string - overwrite: - default: true - description: Whether to overwrite field with process.pid - type: boolean - required: - - field - required: - - command - - config - Security_Detections_API_QueryAlertsBodyParams: - type: object - properties: - _source: - oneOf: - - type: boolean - - type: string - - items: - type: string - type: array - aggs: - additionalProperties: true - type: object - fields: - items: - type: string - type: array - query: - additionalProperties: true - type: object - runtime_mappings: - additionalProperties: true - type: object - size: - minimum: 0 - type: integer - sort: - $ref: '#/components/schemas/Security_Detections_API_AlertsSort' - track_total_hits: - type: boolean - Security_Detections_API_QueryRule: + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields + Security_Detections_API_MaxSignals: + default: 100 + description: > + Maximum number of alerts the rule can create during a single run (the + rule’s Max alerts per run [advanced + setting](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#rule-ui-advanced-params) + value). + + > info + + > This setting can be superseded by the [Kibana configuration + setting](https://www.elastic.co/docs/reference/kibana/configuration-reference/alerting-settings) + `xpack.alerting.rules.run.alerts.max`, which determines the maximum + alerts generated by any rule in the Kibana alerting framework. For + example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, the + rule can generate no more than 1000 alerts even if `max_signals` is set + higher. + minimum: 1 + type: integer + Security_Detections_API_NewTermsFields: + description: Fields to monitor for new values. 
+ items: + type: string + maxItems: 3 + minItems: 1 + type: array + Security_Detections_API_NewTermsRule: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -104085,7 +31945,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -104101,24 +31962,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -104145,11 +32017,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -104178,25 +32052,33 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleResponseFields' - Security_Detections_API_QueryRuleCreateFields: + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleResponseFields + Security_Detections_API_NewTermsRuleCreateFields: allOf: - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields' - Security_Detections_API_QueryRuleCreateProps: + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields + Security_Detections_API_NewTermsRuleCreateProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -104210,7 +32092,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -104226,24 +32109,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -104272,11 +32166,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -104286,15 +32182,14 @@ components: - description - risk_score - severity - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields' - Security_Detections_API_QueryRuleDefaultableFields: + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleCreateFields + Security_Detections_API_NewTermsRuleDefaultableFields: type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - Security_Detections_API_QueryRuleOptionalFields: + Security_Detections_API_NewTermsRuleOptionalFields: type: object properties: alert_suppression: 
@@ -104305,155 +32200,42 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - saved_id: - $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' - Security_Detections_API_QueryRulePatchFields: + Security_Detections_API_NewTermsRulePatchFields: allOf: - type: object properties: + history_window_start: + $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart' + new_terms_fields: + $ref: '#/components/schemas/Security_Detections_API_NewTermsFields' + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' type: description: Rule type enum: - - query + - new_terms type: string - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields' - Security_Detections_API_QueryRulePatchProps: - allOf: - - type: object - properties: - actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. 
- items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' - alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_UUID' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: 
'#/components/schemas/Security_Detections_API_RelatedIntegrationArray' - required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. - > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. - items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - 
$ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchFields' - Security_Detections_API_QueryRuleRequiredFields: - type: object - properties: - type: - description: Rule type - enum: - - query - type: string - required: - - type - Security_Detections_API_QueryRuleResponseFields: - allOf: - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - required: - - query - - language - Security_Detections_API_QueryRuleUpdateProps: + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields + Security_Detections_API_NewTermsRulePatchProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -104467,11 +32249,12 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -104485,24 +32268,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -104531,240 +32325,182 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields' - Security_Detections_API_Reason: - description: 'The reason for closing the alerts. Can be one of following predefined reasons: [false_positive, duplicate, true_positive, benign_positive, automated_closure, other] or a custom reason provided by the user through the advanced settings.' - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_ReasonEnum' - - type: string - Security_Detections_API_ReasonEnum: - enum: - - false_positive - - duplicate - - true_positive - - benign_positive - - automated_closure - - other - type: string - Security_Detections_API_RelatedIntegration: - description: | - Related integration is a potential dependency of a rule. It's assumed that if the user installs - one of the related integrations of a rule, the rule might start to work properly because it will - have source events (generated by this integration) potentially matching the rule's query. - - NOTE: Proper work is not guaranteed, because a related integration, if installed, can be - configured differently or generate data that is not necessarily relevant for this rule. 
- - Related integration is a combination of a Fleet package and (optionally) one of the - package's "integrations" that this package contains. It is represented by 3 properties: - - - `package`: name of the package (required, unique id) - - `version`: version of the package (required, semver-compatible) - - `integration`: name of the integration of this package (optional, id within the package) - - There are Fleet packages like `windows` that contain only one integration; in this case, - `integration` should be unspecified. There are also packages like `aws` and `azure` that contain - several integrations; in this case, `integration` should be specified. - example: - integration: activitylogs - package: azure - version: ~1.1.6 - type: object - properties: - integration: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - package: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - version: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - required: - - package - - version - Security_Detections_API_RelatedIntegrationArray: - items: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegration' - type: array - Security_Detections_API_RequiredField: - description: | - Describes an Elasticsearch field that is needed for the rule to function. - - Almost all types of Security rules check source event documents for a match to some kind of - query or filter. If a document has certain field with certain values, then it's a match and - the rule will generate an alert. - - Required field is an event field that must be present in the source indices of a given rule. 
- - @example - const standardEcsField: RequiredField = { - name: 'event.action', - type: 'keyword', - ecs: true, - }; - - @example - const nonEcsField: RequiredField = { - name: 'winlog.event_data.AttributeLDAPDisplayName', - type: 'keyword', - ecs: false, - }; - type: object - properties: - ecs: - description: Indicates whether the field is ECS-compliant. This property is only present in responses. Its value is computed based on field’s name and type. - type: boolean - name: - description: Name of an Elasticsearch field - format: nonempty - minLength: 1 - type: string - type: - description: Type of the Elasticsearch field - format: nonempty - minLength: 1 - type: string - required: - - name - - type - - ecs - Security_Detections_API_RequiredFieldArray: - items: - $ref: '#/components/schemas/Security_Detections_API_RequiredField' - type: array - Security_Detections_API_RequiredFieldInput: - description: Input parameters to create a RequiredField. Does not include the `ecs` field, because `ecs` is calculated on the backend based on the field name and type. 
- type: object - properties: - name: - description: Name of an Elasticsearch field - format: nonempty - minLength: 1 - type: string - type: - description: Type of the Elasticsearch field - format: nonempty - minLength: 1 - type: string - required: - - name - - type - Security_Detections_API_ResponseAction: - discriminator: - mapping: - .endpoint: '#/components/schemas/Security_Detections_API_EndpointResponseAction' - .osquery: '#/components/schemas/Security_Detections_API_OsqueryResponseAction' - propertyName: action_type_id - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_OsqueryResponseAction' - - $ref: '#/components/schemas/Security_Detections_API_EndpointResponseAction' - Security_Detections_API_ResponseFields: - type: object - properties: - created_at: - format: date-time - type: string - created_by: - type: string - execution_summary: - $ref: '#/components/schemas/Security_Detections_API_RuleExecutionSummary' - id: - $ref: '#/components/schemas/Security_Detections_API_UUID' - immutable: - $ref: '#/components/schemas/Security_Detections_API_IsRuleImmutable' - required_fields: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldArray' - revision: - $ref: '#/components/schemas/Security_Detections_API_RuleRevision' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_source: - $ref: '#/components/schemas/Security_Detections_API_RuleSource' - updated_at: - format: date-time - type: string - updated_by: + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchFields' + Security_Detections_API_NewTermsRuleRequiredFields: + type: object + properties: + history_window_start: + $ref: 
'#/components/schemas/Security_Detections_API_HistoryWindowStart' + new_terms_fields: + $ref: '#/components/schemas/Security_Detections_API_NewTermsFields' + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + type: + description: Rule type + enum: + - new_terms type: string required: - - id - - rule_id - - immutable - - rule_source - - updated_at - - updated_by - - created_at - - created_by - - revision - - related_integrations - - required_fields - Security_Detections_API_RiskScore: - description: | - A numerical representation of the alert's severity from 0 to 100, where: - * `0` - `21` represents low severity - * `22` - `47` represents medium severity - * `48` - `73` represents high severity - * `74` - `100` represents critical severity - maximum: 100 - minimum: 0 - type: integer - Security_Detections_API_RiskScoreMapping: - description: Overrides generated alerts' risk_score with a value from the source event - items: - type: object - properties: - field: - description: Source event field used to override the default `risk_score`. - type: string - operator: - enum: - - equals - type: string - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - value: - type: string - required: - - field - - operator - - value - type: array - Security_Detections_API_RuleAction: + - type + - query + - new_terms_fields + - history_window_start + Security_Detections_API_NewTermsRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields + - type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + required: + - language + Security_Detections_API_NewTermsRuleUpdateProps: + allOf: + - type: object + properties: + actions: + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. 
+ items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + 
#/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + + > info + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: 
'#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleCreateFields + Security_Detections_API_NonEmptyString: + description: A string that does not contain only whitespace characters + format: nonempty + minLength: 1 + type: string + Security_Detections_API_NormalizedRuleAction: + additionalProperties: false type: object properties: - action_type_id: - description: | - The action type used for sending notifications, can be: - - - `.slack` - - `.slack_api` - - `.email` - - `.index` - - `.pagerduty` - - `.swimlane` - - `.webhook` - - `.servicenow` - - `.servicenow-itom` - - `.servicenow-sir` - - `.jira` - - `.resilient` - - `.opsgenie` - - `.teams` - - `.torq` - - `.tines` - - `.d3security` - type: string alerts_filter: $ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter' frequency: 
@@ -104775,513 +32511,186 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleActionId' params: $ref: '#/components/schemas/Security_Detections_API_RuleActionParams' - uuid: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' required: - - action_type_id - id - params - Security_Detections_API_RuleActionAlertsFilter: - additionalProperties: true - description: | - Object containing an action’s conditional filters. - - - `timeframe` (object, optional): Object containing the time frame for when this action can be run. - - `days` (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between `1-7`, where `1` is Monday and `7` is Sunday. To select all days of the week, enter an empty array. - - `hours` (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format `hh:mm` in `24` hour time. A start of `00:00` and an end of `24:00` means the action can run all day. - - start (string, required): Start time in `hh:mm` format. - - end (string, required): End time in `hh:mm` format. - - `timezone` (string, required): An ISO timezone name, such as `Europe/Madrid` or `America/New_York`. Specific offsets such as `UTC` or `UTC+1` will also work, but lack built-in DST. - - `query` (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run. - - `kql` (string, required): A KQL string. - - `filters` (array of objects, required): Array of filter objects, as defined in the `kbn-es-query` package. - type: object - Security_Detections_API_RuleActionFrequency: - description: The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals). 
+ Security_Detections_API_NormalizedRuleError: type: object properties: - notifyWhen: - $ref: '#/components/schemas/Security_Detections_API_RuleActionNotifyWhen' - summary: - description: Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert - type: boolean - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - nullable: true - required: - - summary - - notifyWhen - - throttle - Security_Detections_API_RuleActionGroup: - description: Optionally groups actions by use cases. Use `default` for alert notifications. - type: string - Security_Detections_API_RuleActionId: - description: The connector ID. - type: string - Security_Detections_API_RuleActionNotifyWhen: - description: Defines how often rules run actions. - enum: - - onActiveAlert - - onThrottleInterval - - onActionGroupChange - type: string - Security_Detections_API_RuleActionParams: - additionalProperties: true - description: | - Object containing the allowed connector fields, which varies according to the connector type. - - For Slack: - - - `message` (string, required): The notification message. - - For email: - - - `to`, `cc`, `bcc` (string): Email addresses to which the notifications are sent. At least one field must have a value. - - `subject` (string, optional): Email subject line. - - `message` (string, required): Email body text. - - For Webhook: - - - `body` (string, required): JSON payload. - - For PagerDuty: - - - `severity` (string, required): Severity of on the alert notification, can be: `Critical`, `Error`, `Warning` or `Info`. - - `eventAction` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. - - `dedupKey` (string, optional): Groups alert notifications with the same PagerDuty alert. 
- - `timestamp` (DateTime, optional): ISO-8601 format [timestamp](https://v2.developer.pagerduty.com/docs/types#datetime). - - `component` (string, optional): Source machine component responsible for the event, for example `security-solution`. - - `group` (string, optional): Enables logical grouping of service components. - - `source` (string, optional): The affected system. Defaults to the Kibana saved object ID of the action. - - `summary` (string, options): Summary of the event. Defaults to `No summary provided`. Maximum length is 1024 characters. - - `class` (string, optional): Value indicating the class/type of the event. - type: object - Security_Detections_API_RuleActionThrottle: - description: Defines how often rule actions are taken. - oneOf: - - enum: - - no_actions - - rule - type: string - - description: Time interval in seconds, minutes, hours, or days. - example: 1h - pattern: ^[1-9]\d*[smhd]$ + err_code: + $ref: >- + #/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode + message: type: string - Security_Detections_API_RuleAuthorArray: - description: The rule’s author. 
- items: - type: string - type: array - Security_Detections_API_RuleCreateProps: - anyOf: - - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' - discriminator: - mapping: - eql: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' - esql: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' - machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' - new_terms: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' - query: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' - saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' - threat_match: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' - threshold: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' - propertyName: type - Security_Detections_API_RuleDescription: - description: The rule’s description. - example: Detects anomalous Windows process creation events. 
- minLength: 1 - type: string - Security_Detections_API_RuleDetailsInError: + rules: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleDetailsInError' + type: array + status_code: + type: integer + required: + - message + - status_code + - rules + Security_Detections_API_OsqueryParams: type: object properties: - id: + ecs_mapping: + $ref: '#/components/schemas/Security_Detections_API_EcsMapping' + pack_id: + description: >- + To specify a query pack, use the packId field. Example: "packId": + "processes_elastic" type: string - name: + queries: + items: + $ref: '#/components/schemas/Security_Detections_API_OsqueryQuery' + type: array + query: + description: >- + To run a single query, use the query field and enter a SQL query. + Example: "query": "SELECT * FROM processes;" type: string - required: - - id - Security_Detections_API_RuleExceptionList: - description: | - Array of [exception containers](https://www.elastic.co/docs/solutions/security/detect-and-alert/detection-rule-concepts), which define exceptions that prevent the rule from generating alerts even when its other criteria are met. + saved_query_id: + description: >- + To run a saved query, use the saved_query_id field and specify the + saved query ID. Example: "saved_query_id": "processes_elastic" + type: string + timeout: + description: >- + A timeout period, in seconds, after which the query will stop + running. Overwriting the default timeout allows you to support + queries that require more time to complete. The default and minimum + supported value is 60. The maximum supported value is 900. Example: + "timeout": 120. 
+ type: number + Security_Detections_API_OsqueryQuery: type: object properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Detections_API_EcsMapping' id: - description: ID of the exception container - format: nonempty - minLength: 1 + description: Query ID type: string - list_id: - description: List ID of the exception container - format: nonempty - minLength: 1 + platform: type: string - namespace_type: - description: Determines the exceptions validity in rule's Kibana space - enum: - - agnostic - - single + query: + description: Query to run + type: string + removed: + type: boolean + snapshot: + type: boolean + version: + description: Query version type: string - type: - $ref: '#/components/schemas/Security_Detections_API_ExceptionListType' - required: - - id - - list_id - - type - - namespace_type - Security_Detections_API_RuleExecutionMetrics: - type: object - properties: - execution_gap_duration_s: - description: Duration in seconds of execution gap - minimum: 0 - type: integer - frozen_indices_queried_count: - description: Count of frozen indices queried during the rule execution. These indices could not be entirely excluded after applying the time range filter. 
- minimum: 0 - type: integer - gap_range: - description: Range of the execution gap - type: object - properties: - gte: - description: Start date of the execution gap - type: string - lte: - description: End date of the execution gap - type: string - required: - - gte - - lte - gap_reason: - description: Detected reason for the execution gap - type: object - properties: - type: - description: The type of reason for the gap (rule_disabled or rule_did_not_run) - enum: - - rule_disabled - - rule_did_not_run - type: string - required: - - type - total_enrichment_duration_ms: - description: Total time spent enriching documents during current rule execution cycle - minimum: 0 - type: integer - total_indexing_duration_ms: - description: Total time spent indexing documents during current rule execution cycle - minimum: 0 - type: integer - total_search_duration_ms: - description: Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response - minimum: 0 - type: integer - Security_Detections_API_RuleExecutionStatus: - description: |- - Custom execution status of Security rules that is different from the status used in the Alerting Framework. We merge our custom status with the Framework's status to determine the resulting status of a rule. - - going to run - @deprecated Replaced by the 'running' status but left for backwards compatibility with rule execution events already written to Event Log in the prior versions of Kibana. Don't use when writing rule status changes. - - running - Rule execution started but not reached any intermediate or final status. - - partial failure - Rule can partially fail for various reasons either in the middle of an execution (in this case we update its status right away) or in the end of it. So currently this status can be both intermediate and final at the same time. 
A typical reason for a partial failure: not all the indices that the rule searches over actually exist. - - failed - Rule failed to execute due to unhandled exception or a reason defined in the business logic of its executor function. - - succeeded - Rule executed successfully without any issues. Note: this status is just an indication of a rule's "health". The rule might or might not generate any alerts despite of it. - enum: - - going to run - - running - - partial failure - - failed - - succeeded - type: string - Security_Detections_API_RuleExecutionStatusOrder: - type: integer - Security_Detections_API_RuleExecutionSummary: - description: | - Summary of the last execution of a rule. - > info - > This field is under development and its usage or schema may change - type: object - properties: - last_execution: - type: object - properties: - date: - description: Date of the last execution - format: date-time - type: string - message: - type: string - metrics: - $ref: '#/components/schemas/Security_Detections_API_RuleExecutionMetrics' - status: - $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatus' - description: Status of the last execution - status_order: - $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatusOrder' - required: - - date - - status - - status_order - - message - - metrics - required: - - last_execution - Security_Detections_API_RuleFalsePositiveArray: - description: String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array. - items: - type: string - type: array - Security_Detections_API_RuleFilterArray: - description: | - The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array. - > info - > This field is not supported for ES|QL rules. - items: {} - type: array - Security_Detections_API_RuleInterval: - description: Frequency of rule execution, using a date math range. 
For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes). - type: string - Security_Detections_API_RuleIntervalFrom: - description: Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time). - format: date-math - type: string - Security_Detections_API_RuleIntervalTo: - type: string - Security_Detections_API_RuleLicense: - description: The rule's license. - type: string - Security_Detections_API_RuleMetadata: - additionalProperties: true - description: | - Placeholder for metadata about the rule. - > info - > This field is overwritten when you save changes to the rule’s settings. - type: object - Security_Detections_API_RuleName: - description: A human-readable name for the rule. - example: Anomalous Windows Process Creation - minLength: 1 - type: string - Security_Detections_API_RuleNameOverride: - description: Sets which field in the source event is used to populate the alert's `signal.rule.name` value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s `name` value is used. The source field must be a string data type. - type: string - Security_Detections_API_RuleObjectId: - $ref: '#/components/schemas/Security_Detections_API_UUID' - description: A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object `id`s. 
- Security_Detections_API_RulePatchProps: - anyOf: - - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchProps' - - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchProps' - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchProps' - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchProps' - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps' - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchProps' - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchProps' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRulePatchProps' - Security_Detections_API_RulePreviewLoggedRequest: - type: object - properties: - description: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - duration: - type: integer - request: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - request_type: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - Security_Detections_API_RulePreviewLogs: - type: object - properties: - duration: - description: Execution duration in milliseconds - type: integer - errors: - items: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - type: array - requests: - items: - $ref: '#/components/schemas/Security_Detections_API_RulePreviewLoggedRequest' - type: array - startedAt: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - warnings: - items: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - type: array required: - - errors - - warnings - - duration - Security_Detections_API_RulePreviewParams: + - id + - query + Security_Detections_API_OsqueryResponseAction: type: object properties: - invocationCount: - type: integer - timeframeEnd: - format: date-time + action_type_id: + enum: + - .osquery type: string + params: + $ref: '#/components/schemas/Security_Detections_API_OsqueryParams' 
required: - - invocationCount - - timeframeEnd - Security_Detections_API_RuleQuery: - description: | - [Query](https://www.elastic.co/docs/explore-analyze/query-filter) used by the rule to create alerts. - - - For indicator match rules, only the query’s results are used to determine whether an alert is generated. - - ES|QL rules have additional query requirements. Refer to [Create ES|QL](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#create-esql-rule) rules for more information. - type: string - Security_Detections_API_RuleReferenceArray: - description: Array containing notes about or references to relevant information about the rule. Defaults to an empty array. - items: - type: string - type: array - Security_Detections_API_RuleResponse: - anyOf: - - $ref: '#/components/schemas/Security_Detections_API_EqlRule' - - $ref: '#/components/schemas/Security_Detections_API_QueryRule' - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRule' - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRule' - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRule' - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRule' - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRule' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRule' - discriminator: - mapping: - eql: '#/components/schemas/Security_Detections_API_EqlRule' - esql: '#/components/schemas/Security_Detections_API_EsqlRule' - machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRule' - new_terms: '#/components/schemas/Security_Detections_API_NewTermsRule' - query: '#/components/schemas/Security_Detections_API_QueryRule' - saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRule' - threat_match: '#/components/schemas/Security_Detections_API_ThreatMatchRule' - threshold: '#/components/schemas/Security_Detections_API_ThresholdRule' - propertyName: type - 
Security_Detections_API_RuleRevision: - description: | - The rule's revision number. - - It represents the version of rule's object in Kibana. It is set to `0` when the rule is installed or created and then gets incremented on each update. - > info - > Not all updates to any rule fields will increment the revision. Only those fields that are considered static `rule parameters` can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by `1`. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments. - minimum: 0 - type: integer - Security_Detections_API_RuleSignatureId: - description: A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same `rule_id`s. - type: string - Security_Detections_API_RuleSource: - description: Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo. - discriminator: - propertyName: type - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_ExternalRuleSource' - - $ref: '#/components/schemas/Security_Detections_API_InternalRuleSource' - Security_Detections_API_RuleTagArray: - description: String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array. 
- items: - type: string - type: array - Security_Detections_API_RuleUpdateProps: - anyOf: - - $ref: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps' - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps' - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps' - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps' - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps' - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps' - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps' - discriminator: - mapping: - eql: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps' - esql: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps' - machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps' - new_terms: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps' - query: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps' - saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps' - threat_match: '#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps' - threshold: '#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps' - propertyName: type - Security_Detections_API_RuleVersion: - description: | - The rule's version number. - - - For prebuilt rules it represents the version of the rule's content in the source [detection-rules](https://github.com/elastic/detection-rules) repository (and the corresponding `security_detection_engine` Fleet package that is used for distributing prebuilt rules). - - For custom rules it is set to `1` when the rule is created. - > info - > It is not incremented on each update. Compare this to the `revision` field. 
- minimum: 1 - type: integer - Security_Detections_API_RunScriptOsConfigValues: - minProperties: 1 + - action_type_id + - params + Security_Detections_API_PlatformErrorResponse: type: object properties: - scriptId: + error: type: string - scriptInput: + message: type: string - timeout: - description: Specify the timeout in seconds for the script execution - example: 60 + statusCode: type: integer - Security_Detections_API_RunscriptParams: - description: | - > warn - > This functionality is currently not available + required: + - statusCode + - error + - message + Security_Detections_API_ProcessesParams: type: object properties: command: + description: >- + To run an endpoint response action, specify a value for the command + field. Example: "command": "isolate" enum: - - runscript + - kill-process + - suspend-process type: string comment: - description: Add a note that explains or describes the action. You can find your comment in the response actions history log + description: >- + Add a note that explains or describes the action. You can find your + comment in the response actions history log. 
Example: "comment": + "Check processes" type: string config: type: object properties: - linux: - $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues' - macos: - $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues' - windows: - $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues' + field: + description: Field to use instead of process.pid + type: string + overwrite: + default: true + description: Whether to overwrite field with process.pid + type: boolean + required: + - field required: - command - Security_Detections_API_SavedObjectResolveAliasPurpose: - enum: - - savedObjectConversion - - savedObjectImport - type: string - Security_Detections_API_SavedObjectResolveAliasTargetId: - type: string - Security_Detections_API_SavedObjectResolveOutcome: - enum: - - exactMatch - - aliasMatch - - conflict - type: string - Security_Detections_API_SavedQueryId: - description: Kibana [saved search](https://www.elastic.co/docs/explore-analyze/discover/search-sessions) used by the rule to create alerts. - type: string - Security_Detections_API_SavedQueryRule: + - config + Security_Detections_API_QueryAlertsBodyParams: + type: object + properties: + _source: + oneOf: + - type: boolean + - type: string + - items: + type: string + type: array + aggs: + additionalProperties: true + type: object + fields: + items: + type: string + type: array + query: + additionalProperties: true + type: object + runtime_mappings: + additionalProperties: true + type: object + size: + minimum: 0 + type: integer + sort: + $ref: '#/components/schemas/Security_Detections_API_AlertsSort' + track_total_hits: + type: boolean + Security_Detections_API_QueryRule: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. 
items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -105295,7 +32704,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -105311,24 +32721,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -105355,11 +32776,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -105388,25 +32811,30 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields' - Security_Detections_API_SavedQueryRuleCreateFields: + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleResponseFields' + Security_Detections_API_QueryRuleCreateFields: allOf: - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields' - Security_Detections_API_SavedQueryRuleCreateProps: + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' + - $ref: >- + #/components/schemas/Security_Detections_API_QueryRuleDefaultableFields + Security_Detections_API_QueryRuleCreateProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -105420,7 +32848,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -105436,24 +32865,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -105482,11 +32922,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -105496,13 +32938,15 @@ components: - description - risk_score - severity - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields' - Security_Detections_API_SavedQueryRuleDefaultableFields: + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields' + Security_Detections_API_QueryRuleDefaultableFields: type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - Security_Detections_API_SavedQueryRuleOptionalFields: + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + Security_Detections_API_QueryRuleOptionalFields: type: object properties: alert_suppression: 
@@ -105513,34 +32957,37 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - Security_Detections_API_SavedQueryRulePatchFields: + saved_id: + $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' + Security_Detections_API_QueryRulePatchFields: allOf: - type: object properties: - saved_id: - $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' type: description: Rule type enum: - - saved_query + - query type: string - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields' - Security_Detections_API_SavedQueryRulePatchProps: + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' + - $ref: >- + #/components/schemas/Security_Detections_API_QueryRuleDefaultableFields + Security_Detections_API_QueryRulePatchProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -105554,11 +33001,12 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -105572,24 +33020,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -105618,52 +33077,58 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchFields' - Security_Detections_API_SavedQueryRuleRequiredFields: + - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchFields' + Security_Detections_API_QueryRuleRequiredFields: type: object properties: - saved_id: - $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' type: description: Rule type enum: - - saved_query + - query type: string required: - type - - saved_id - Security_Detections_API_SavedQueryRuleResponseFields: + Security_Detections_API_QueryRuleResponseFields: allOf: - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' required: + - query - language - Security_Detections_API_SavedQueryRuleUpdateProps: + Security_Detections_API_QueryRuleUpdateProps: allOf: - 
type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -105677,11 +33142,12 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -105695,24 +33161,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -105741,11 +33218,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -105755,226 +33234,927 @@ components: - description - risk_score - severity - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields' - Security_Detections_API_SetAlertAssigneesBody: + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields' + Security_Detections_API_Reason: + description: >- + The reason for closing the alerts. Can be one of following predefined + reasons: [false_positive, duplicate, true_positive, benign_positive, + automated_closure, other] or a custom reason provided by the user + through the advanced settings. + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_ReasonEnum' + - type: string + Security_Detections_API_ReasonEnum: + enum: + - false_positive + - duplicate + - true_positive + - benign_positive + - automated_closure + - other + type: string + Security_Detections_API_RelatedIntegration: + description: > + Related integration is a potential dependency of a rule. It's assumed + that if the user installs + + one of the related integrations of a rule, the rule might start to work + properly because it will + + have source events (generated by this integration) potentially matching + the rule's query. + + + NOTE: Proper work is not guaranteed, because a related integration, if + installed, can be + + configured differently or generate data that is not necessarily relevant + for this rule. + + + Related integration is a combination of a Fleet package and (optionally) + one of the + + package's "integrations" that this package contains. It is represented + by 3 properties: + + + - `package`: name of the package (required, unique id) + + - `version`: version of the package (required, semver-compatible) + + - `integration`: name of the integration of this package (optional, id + within the package) + + + There are Fleet packages like `windows` that contain only one + integration; in this case, + + `integration` should be unspecified. 
There are also packages like `aws` + and `azure` that contain + + several integrations; in this case, `integration` should be specified. + example: + integration: activitylogs + package: azure + version: ~1.1.6 + type: object + properties: + integration: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + package: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + version: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + required: + - package + - version + Security_Detections_API_RelatedIntegrationArray: + items: + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegration' + type: array + Security_Detections_API_RequiredField: + description: > + Describes an Elasticsearch field that is needed for the rule to + function. + + + Almost all types of Security rules check source event documents for a + match to some kind of + + query or filter. If a document has certain field with certain values, + then it's a match and + + the rule will generate an alert. + + + Required field is an event field that must be present in the source + indices of a given rule. + + + @example + + const standardEcsField: RequiredField = { + name: 'event.action', + type: 'keyword', + ecs: true, + }; + + + @example + + const nonEcsField: RequiredField = { + name: 'winlog.event_data.AttributeLDAPDisplayName', + type: 'keyword', + ecs: false, + }; + type: object + properties: + ecs: + description: >- + Indicates whether the field is ECS-compliant. This property is only + present in responses. Its value is computed based on field’s name + and type. 
+ type: boolean + name: + description: Name of an Elasticsearch field + format: nonempty + minLength: 1 + type: string + type: + description: Type of the Elasticsearch field + format: nonempty + minLength: 1 + type: string + required: + - name + - type + - ecs + Security_Detections_API_RequiredFieldArray: + items: + $ref: '#/components/schemas/Security_Detections_API_RequiredField' + type: array + Security_Detections_API_RequiredFieldInput: + description: >- + Input parameters to create a RequiredField. Does not include the `ecs` + field, because `ecs` is calculated on the backend based on the field + name and type. + type: object + properties: + name: + description: Name of an Elasticsearch field + format: nonempty + minLength: 1 + type: string + type: + description: Type of the Elasticsearch field + format: nonempty + minLength: 1 + type: string + required: + - name + - type + Security_Detections_API_ResponseAction: + discriminator: + mapping: + .endpoint: '#/components/schemas/Security_Detections_API_EndpointResponseAction' + .osquery: '#/components/schemas/Security_Detections_API_OsqueryResponseAction' + propertyName: action_type_id + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_OsqueryResponseAction' + - $ref: '#/components/schemas/Security_Detections_API_EndpointResponseAction' + Security_Detections_API_ResponseFields: + type: object + properties: + created_at: + format: date-time + type: string + created_by: + type: string + execution_summary: + $ref: '#/components/schemas/Security_Detections_API_RuleExecutionSummary' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + immutable: + $ref: '#/components/schemas/Security_Detections_API_IsRuleImmutable' + required_fields: + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldArray' + revision: + $ref: '#/components/schemas/Security_Detections_API_RuleRevision' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_source: + 
$ref: '#/components/schemas/Security_Detections_API_RuleSource' + updated_at: + format: date-time + type: string + updated_by: + type: string + required: + - id + - rule_id + - immutable + - rule_source + - updated_at + - updated_by + - created_at + - created_by + - revision + - related_integrations + - required_fields + Security_Detections_API_RiskScore: + description: | + A numerical representation of the alert's severity from 0 to 100, where: + * `0` - `21` represents low severity + * `22` - `47` represents medium severity + * `48` - `73` represents high severity + * `74` - `100` represents critical severity + maximum: 100 + minimum: 0 + type: integer + Security_Detections_API_RiskScoreMapping: + description: >- + Overrides generated alerts' risk_score with a value from the source + event + items: + type: object + properties: + field: + description: Source event field used to override the default `risk_score`. + type: string + operator: + enum: + - equals + type: string + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + value: + type: string + required: + - field + - operator + - value + type: array + Security_Detections_API_RuleAction: + type: object + properties: + action_type_id: + description: | + The action type used for sending notifications, can be: + + - `.slack` + - `.slack_api` + - `.email` + - `.index` + - `.pagerduty` + - `.swimlane` + - `.webhook` + - `.servicenow` + - `.servicenow-itom` + - `.servicenow-sir` + - `.jira` + - `.resilient` + - `.opsgenie` + - `.teams` + - `.torq` + - `.tines` + - `.d3security` + type: string + alerts_filter: + $ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter' + frequency: + $ref: '#/components/schemas/Security_Detections_API_RuleActionFrequency' + group: + $ref: '#/components/schemas/Security_Detections_API_RuleActionGroup' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleActionId' + params: + $ref: 
'#/components/schemas/Security_Detections_API_RuleActionParams' + uuid: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + required: + - action_type_id + - id + - params + Security_Detections_API_RuleActionAlertsFilter: + additionalProperties: true + description: > + Object containing an action’s conditional filters. + + + - `timeframe` (object, optional): Object containing the time frame for + when this action can be run. + - `days` (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between `1-7`, where `1` is Monday and `7` is Sunday. To select all days of the week, enter an empty array. + - `hours` (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format `hh:mm` in `24` hour time. A start of `00:00` and an end of `24:00` means the action can run all day. + - start (string, required): Start time in `hh:mm` format. + - end (string, required): End time in `hh:mm` format. + - `timezone` (string, required): An ISO timezone name, such as `Europe/Madrid` or `America/New_York`. Specific offsets such as `UTC` or `UTC+1` will also work, but lack built-in DST. + - `query` (object, optional): Object containing a query filter which + gets applied to an action and determines whether the action should run. + - `kql` (string, required): A KQL string. + - `filters` (array of objects, required): Array of filter objects, as defined in the `kbn-es-query` package. + type: object + Security_Detections_API_RuleActionFrequency: + description: >- + The action frequency defines when the action runs (for example, only on + rule execution or at specific time intervals). 
+ type: object + properties: + notifyWhen: + $ref: '#/components/schemas/Security_Detections_API_RuleActionNotifyWhen' + summary: + description: >- + Action summary indicates whether we will send a summary notification + about all the generate alerts or notification per individual alert + type: boolean + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + nullable: true + required: + - summary + - notifyWhen + - throttle + Security_Detections_API_RuleActionGroup: + description: >- + Optionally groups actions by use cases. Use `default` for alert + notifications. + type: string + Security_Detections_API_RuleActionId: + description: The connector ID. + type: string + Security_Detections_API_RuleActionNotifyWhen: + description: Defines how often rules run actions. + enum: + - onActiveAlert + - onThrottleInterval + - onActionGroupChange + type: string + Security_Detections_API_RuleActionParams: + additionalProperties: true + description: > + Object containing the allowed connector fields, which varies according + to the connector type. + + + For Slack: + + - `message` (string, required): The notification message. + + For email: + + - `to`, `cc`, `bcc` (string): Email addresses to which the notifications are sent. At least one field must have a value. + - `subject` (string, optional): Email subject line. + - `message` (string, required): Email body text. + + For Webhook: + + - `body` (string, required): JSON payload. + + For PagerDuty: + + - `severity` (string, required): Severity of on the alert notification, can be: `Critical`, `Error`, `Warning` or `Info`. + - `eventAction` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. + - `dedupKey` (string, optional): Groups alert notifications with the same PagerDuty alert. 
+ - `timestamp` (DateTime, optional): ISO-8601 format [timestamp](https://v2.developer.pagerduty.com/docs/types#datetime). + - `component` (string, optional): Source machine component responsible for the event, for example `security-solution`. + - `group` (string, optional): Enables logical grouping of service components. + - `source` (string, optional): The affected system. Defaults to the Kibana saved object ID of the action. + - `summary` (string, options): Summary of the event. Defaults to `No summary provided`. Maximum length is 1024 characters. + - `class` (string, optional): Value indicating the class/type of the event. type: object - properties: - assignees: - $ref: '#/components/schemas/Security_Detections_API_AlertAssignees' - description: Details about the assignees to assign and unassign. - ids: - $ref: '#/components/schemas/Security_Detections_API_AlertIds' - required: - - assignees - - ids - Security_Detections_API_SetAlertsStatusByIds: + Security_Detections_API_RuleActionThrottle: + description: Defines how often rule actions are taken. + oneOf: + - enum: + - no_actions + - rule + type: string + - description: Time interval in seconds, minutes, hours, or days. + example: 1h + pattern: ^[1-9]\d*[smhd]$ + type: string + Security_Detections_API_RuleAuthorArray: + description: The rule’s author. 
+ items: + type: string + type: array + Security_Detections_API_RuleCreateProps: + anyOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' discriminator: mapping: - closed: '#/components/schemas/Security_Detections_API_CloseAlertsByIds' - propertyName: status - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByIds' - - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByIdsBase' - Security_Detections_API_SetAlertsStatusByIdsBase: + eql: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' + esql: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' + machine_learning: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps + new_terms: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' + query: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' + saved_query: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps + threat_match: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps + threshold: >- + #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps + propertyName: type + Security_Detections_API_RuleDescription: + description: The rule’s description. + example: Detects anomalous Windows process creation events. 
+ minLength: 1 + type: string + Security_Detections_API_RuleDetailsInError: type: object properties: - signal_ids: - description: 'List of alert ids. Use field `_id` on alert document or `kibana.alert.uuid`. Note: signals are a deprecated term for alerts.' - items: - format: nonempty - minLength: 1 - type: string - minItems: 1 - type: array - status: - $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed' + id: + type: string + name: + type: string required: - - signal_ids - - status - Security_Detections_API_SetAlertsStatusByQuery: - discriminator: - mapping: - closed: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery' - propertyName: status - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery' - - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByQueryBase' - Security_Detections_API_SetAlertsStatusByQueryBase: + - id + Security_Detections_API_RuleExceptionList: + description: > + Array of [exception + containers](https://www.elastic.co/docs/solutions/security/detect-and-alert/detection-rule-concepts), + which define exceptions that prevent the rule from generating alerts + even when its other criteria are met. type: object properties: - conflicts: - default: abort + id: + description: ID of the exception container + format: nonempty + minLength: 1 + type: string + list_id: + description: List ID of the exception container + format: nonempty + minLength: 1 + type: string + namespace_type: + description: Determines the exceptions validity in rule's Kibana space enum: - - abort - - proceed + - agnostic + - single type: string - query: - additionalProperties: true - type: object - status: - $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed' + type: + $ref: '#/components/schemas/Security_Detections_API_ExceptionListType' required: - - query - - status - Security_Detections_API_SetAlertTags: - description: Object with list of tags to add and remove. 
+ - id + - list_id + - type + - namespace_type + Security_Detections_API_RuleExecutionMetrics: type: object properties: - tags_to_add: - $ref: '#/components/schemas/Security_Detections_API_AlertTags' - tags_to_remove: - $ref: '#/components/schemas/Security_Detections_API_AlertTags' - required: - - tags_to_add - - tags_to_remove - Security_Detections_API_SetAlertTagsBody: + execution_gap_duration_s: + description: Duration in seconds of execution gap + minimum: 0 + type: integer + frozen_indices_queried_count: + description: >- + Count of frozen indices queried during the rule execution. These + indices could not be entirely excluded after applying the time range + filter. + minimum: 0 + type: integer + gap_range: + description: Range of the execution gap + type: object + properties: + gte: + description: Start date of the execution gap + type: string + lte: + description: End date of the execution gap + type: string + required: + - gte + - lte + gap_reason: + description: Detected reason for the execution gap + type: object + properties: + type: + description: >- + The type of reason for the gap (rule_disabled or + rule_did_not_run) + enum: + - rule_disabled + - rule_did_not_run + type: string + required: + - type + total_enrichment_duration_ms: + description: >- + Total time spent enriching documents during current rule execution + cycle + minimum: 0 + type: integer + total_indexing_duration_ms: + description: >- + Total time spent indexing documents during current rule execution + cycle + minimum: 0 + type: integer + total_search_duration_ms: + description: >- + Total time spent performing ES searches as measured by Kibana; + includes network latency and time spent serializing/deserializing + request/response + minimum: 0 + type: integer + Security_Detections_API_RuleExecutionStatus: + description: >- + Custom execution status of Security rules that is different from the + status used in the Alerting Framework. 
We merge our custom status with + the Framework's status to determine the resulting status of a rule. + + - going to run - @deprecated Replaced by the 'running' status but left + for backwards compatibility with rule execution events already written + to Event Log in the prior versions of Kibana. Don't use when writing + rule status changes. + + - running - Rule execution started but not reached any intermediate or + final status. + + - partial failure - Rule can partially fail for various reasons either + in the middle of an execution (in this case we update its status right + away) or in the end of it. So currently this status can be both + intermediate and final at the same time. A typical reason for a partial + failure: not all the indices that the rule searches over actually exist. + + - failed - Rule failed to execute due to unhandled exception or a reason + defined in the business logic of its executor function. + + - succeeded - Rule executed successfully without any issues. Note: this + status is just an indication of a rule's "health". The rule might or + might not generate any alerts despite of it. + enum: + - going to run + - running + - partial failure + - failed + - succeeded + type: string + Security_Detections_API_RuleExecutionStatusOrder: + type: integer + Security_Detections_API_RuleExecutionSummary: + description: | + Summary of the last execution of a rule. 
+ > info + > This field is under development and its usage or schema may change type: object properties: - ids: - $ref: '#/components/schemas/Security_Detections_API_AlertIds' - tags: - $ref: '#/components/schemas/Security_Detections_API_SetAlertTags' + last_execution: + type: object + properties: + date: + description: Date of the last execution + format: date-time + type: string + message: + type: string + metrics: + $ref: >- + #/components/schemas/Security_Detections_API_RuleExecutionMetrics + status: + $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatus' + description: Status of the last execution + status_order: + $ref: >- + #/components/schemas/Security_Detections_API_RuleExecutionStatusOrder + required: + - date + - status + - status_order + - message + - metrics required: - - ids - - tags - Security_Detections_API_SetupGuide: - description: Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly. - type: string - Security_Detections_API_Severity: - description: | - Severity level of alerts produced by the rule, which must be one of the following: - * `low`: Alerts that are of interest but generally not considered to be security incidents - * `medium`: Alerts that require investigation - * `high`: Alerts that require immediate investigation - * `critical`: Alerts that indicate it is highly likely a security incident has occurred - enum: - - low - - medium - - high - - critical - type: string - Security_Detections_API_SeverityMapping: - description: Overrides generated alerts' severity with values from the source event + - last_execution + Security_Detections_API_RuleFalsePositiveArray: + description: >- + String array used to describe common reasons why the rule may issue + false-positive alerts. Defaults to an empty array. 
items: - type: object - properties: - field: - description: Source event field used to override the default `severity`. - type: string - operator: - enum: - - equals - type: string - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - value: - type: string - required: - - field - - operator - - severity - - value + type: string type: array - Security_Detections_API_SiemErrorResponse: + Security_Detections_API_RuleFilterArray: + description: > + The query and filter context array used to define the conditions for + when alerts are created from events. Defaults to an empty array. + + > info + + > This field is not supported for ES|QL rules. + items: {} + type: array + Security_Detections_API_RuleInterval: + description: >- + Frequency of rule execution, using a date math range. For example, "1h" + means the rule runs every hour. Defaults to 5m (5 minutes). + type: string + Security_Detections_API_RuleIntervalFrom: + description: >- + Time from which data is analyzed each time the rule runs, using a date + math range. For example, now-4200s means the rule analyzes data from 70 + minutes before its start time. Defaults to now-6m (analyzes data from 6 + minutes before the start time). + format: date-math + type: string + Security_Detections_API_RuleIntervalTo: + type: string + Security_Detections_API_RuleLicense: + description: The rule's license. + type: string + Security_Detections_API_RuleMetadata: + additionalProperties: true + description: > + Placeholder for metadata about the rule. + + > info + + > This field is overwritten when you save changes to the rule’s + settings. + type: object + Security_Detections_API_RuleName: + description: A human-readable name for the rule. 
+ example: Anomalous Windows Process Creation + minLength: 1 + type: string + Security_Detections_API_RuleNameOverride: + description: >- + Sets which field in the source event is used to populate the alert's + `signal.rule.name` value (in the UI, this value is displayed on the + Rules page in the Rule column). When unspecified, the rule’s `name` + value is used. The source field must be a string data type. + type: string + Security_Detections_API_RuleObjectId: + $ref: '#/components/schemas/Security_Detections_API_UUID' + description: >- + A dynamic unique identifier for the rule object. It is randomly + generated when a rule is created and cannot be changed after that. It is + always a UUID. It is unique within a given Kibana space. The same + prebuilt Elastic rule, when installed in two different Kibana spaces or + two different Elastic environments, will have different object `id`s. + Security_Detections_API_RulePatchProps: + anyOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchProps' + - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchProps' + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRulePatchProps + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchProps' + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRulePatchProps + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchProps' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRulePatchProps' + Security_Detections_API_RulePreviewLoggedRequest: type: object properties: - message: - type: string - status_code: + description: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + duration: type: integer - required: - - status_code - - message - Security_Detections_API_SortOrder: - enum: - - asc - - desc - type: string - Security_Detections_API_Threat: - description: | - 
> info - > Currently, only threats described using the MITRE ATT&CK™ framework are supported. + request: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + request_type: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + Security_Detections_API_RulePreviewLogs: type: object properties: - framework: - description: Relevant attack framework - type: string - tactic: - $ref: '#/components/schemas/Security_Detections_API_ThreatTactic' - technique: - description: Array containing information on the attack techniques (optional) + duration: + description: Execution duration in milliseconds + type: integer + errors: items: - $ref: '#/components/schemas/Security_Detections_API_ThreatTechnique' + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + type: array + requests: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewLoggedRequest + type: array + startedAt: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + warnings: + items: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' type: array required: - - framework - - tactic - Security_Detections_API_ThreatArray: - items: - $ref: '#/components/schemas/Security_Detections_API_Threat' - type: array - Security_Detections_API_ThreatFilters: - items: - description: Query and filter context array used to filter documents from the Elasticsearch index containing the threat values - type: array - Security_Detections_API_ThreatIndex: - description: Elasticsearch indices used to check which field values generate alerts. 
+ - errors + - warnings + - duration + Security_Detections_API_RulePreviewParams: + type: object + properties: + invocationCount: + type: integer + timeframeEnd: + format: date-time + type: string + required: + - invocationCount + - timeframeEnd + Security_Detections_API_RuleQuery: + description: > + [Query](https://www.elastic.co/docs/explore-analyze/query-filter) used + by the rule to create alerts. + + + - For indicator match rules, only the query’s results are used to + determine whether an alert is generated. + + - ES|QL rules have additional query requirements. Refer to [Create + ES|QL](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#create-esql-rule) + rules for more information. + type: string + Security_Detections_API_RuleReferenceArray: + description: >- + Array containing notes about or references to relevant information about + the rule. Defaults to an empty array. items: type: string type: array - Security_Detections_API_ThreatIndicatorPath: - description: Defines the path to the threat indicator in the indicator documents (optional) - type: string - Security_Detections_API_ThreatMapping: - description: | - Array of entries objects that define mappings between the source event fields and the values in the Elasticsearch threat index. 
Each entries object must contain these fields: + Security_Detections_API_RuleResponse: + anyOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRule' + - $ref: '#/components/schemas/Security_Detections_API_QueryRule' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRule' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRule' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRule' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRule' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRule' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRule' + discriminator: + mapping: + eql: '#/components/schemas/Security_Detections_API_EqlRule' + esql: '#/components/schemas/Security_Detections_API_EsqlRule' + machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRule' + new_terms: '#/components/schemas/Security_Detections_API_NewTermsRule' + query: '#/components/schemas/Security_Detections_API_QueryRule' + saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRule' + threat_match: '#/components/schemas/Security_Detections_API_ThreatMatchRule' + threshold: '#/components/schemas/Security_Detections_API_ThresholdRule' + propertyName: type + Security_Detections_API_RuleRevision: + description: > + The rule's revision number. - - field: field from the event indices on which the rule runs - - type: must be mapping - - value: field from the Elasticsearch threat index - - You can use Boolean and and or logic to define the conditions for when matching fields and values generate alerts. Sibling entries objects are evaluated using or logic, whereas multiple entries in a single entries object use and logic. See Example of Threat Match rule which uses both `and` and `or` logic. + + It represents the version of rule's object in Kibana. It is set to `0` + when the rule is installed or created and then gets incremented on each + update. 
+ + > info + + > Not all updates to any rule fields will increment the revision. Only + those fields that are considered static `rule parameters` can trigger + revision increments. For example, an update to a rule's query or index + fields will increment the rule's revision by `1`. However, changes to + dynamic or technical fields like enabled or execution_summary will not + cause revision increments. + minimum: 0 + type: integer + Security_Detections_API_RuleSignatureId: + description: >- + A stable unique identifier for the rule object. It can be assigned + during rule creation. It can be any string, but often is a UUID. It + should be unique not only within a given Kibana space, but also across + spaces and Elastic environments. The same prebuilt Elastic rule, when + installed in two different Kibana spaces or two different Elastic + environments, will have the same `rule_id`s. + type: string + Security_Detections_API_RuleSource: + description: >- + Discriminated union that determines whether the rule is internally + sourced (created within the Kibana app) or has an external source, such + as the Elastic Prebuilt rules repo. + discriminator: + propertyName: type + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_ExternalRuleSource' + - $ref: '#/components/schemas/Security_Detections_API_InternalRuleSource' + Security_Detections_API_RuleTagArray: + description: >- + String array containing words and phrases to help categorize, filter, + and search rules. Defaults to an empty array. 
items: - type: object - properties: - entries: - items: - $ref: '#/components/schemas/Security_Detections_API_ThreatMappingEntry' - type: array - required: - - entries - minItems: 1 + type: string type: array - Security_Detections_API_ThreatMappingEntry: + Security_Detections_API_RuleUpdateProps: + anyOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps' + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps' + discriminator: + mapping: + eql: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps' + esql: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps' + machine_learning: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps + new_terms: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps' + query: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps' + saved_query: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps + threat_match: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps + threshold: >- + #/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps + propertyName: type + Security_Detections_API_RuleVersion: + description: > + The rule's version number. 
+ + + - For prebuilt rules it represents the version of the rule's content in + the source [detection-rules](https://github.com/elastic/detection-rules) + repository (and the corresponding `security_detection_engine` Fleet + package that is used for distributing prebuilt rules). + + - For custom rules it is set to `1` when the rule is created. + + > info + + > It is not incremented on each update. Compare this to the `revision` + field. + minimum: 1 + type: integer + Security_Detections_API_RunScriptOsConfigValues: + minProperties: 1 type: object properties: - field: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - negate: - type: boolean - type: + scriptId: + type: string + scriptInput: + type: string + timeout: + description: Specify the timeout in seconds for the script execution + example: 60 + type: integer + Security_Detections_API_RunscriptParams: + description: | + > warn + > This functionality is currently not available + type: object + properties: + command: enum: - - mapping + - runscript type: string - value: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + comment: + description: >- + Add a note that explains or describes the action. 
You can find your + comment in the response actions history log + type: string + config: + type: object + properties: + linux: + $ref: >- + #/components/schemas/Security_Detections_API_RunScriptOsConfigValues + macos: + $ref: >- + #/components/schemas/Security_Detections_API_RunScriptOsConfigValues + windows: + $ref: >- + #/components/schemas/Security_Detections_API_RunScriptOsConfigValues required: - - field - - type - - value - Security_Detections_API_ThreatMatchRule: + - command + Security_Detections_API_SavedObjectResolveAliasPurpose: + enum: + - savedObjectConversion + - savedObjectImport + type: string + Security_Detections_API_SavedObjectResolveAliasTargetId: + type: string + Security_Detections_API_SavedObjectResolveOutcome: + enum: + - exactMatch + - aliasMatch + - conflict + type: string + Security_Detections_API_SavedQueryId: + description: >- + Kibana [saved + search](https://www.elastic.co/docs/explore-analyze/discover/search-sessions) + used by the rule to create alerts. + type: string + Security_Detections_API_SavedQueryRule: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -105988,7 +34168,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -106004,24 +34185,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -106048,11 +34240,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -106081,25 +34275,33 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields' - Security_Detections_API_ThreatMatchRuleCreateFields: + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields + Security_Detections_API_SavedQueryRuleCreateFields: allOf: - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields' - Security_Detections_API_ThreatMatchRuleCreateProps: + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields + Security_Detections_API_SavedQueryRuleCreateProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -106113,7 +34315,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -106129,24 +34332,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -106175,11 +34389,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -106189,67 +34405,58 @@ components: - description - risk_score - severity - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields' - Security_Detections_API_ThreatMatchRuleDefaultableFields: + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields + Security_Detections_API_SavedQueryRuleDefaultableFields: type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - Security_Detections_API_ThreatMatchRuleOptionalFields: + Security_Detections_API_SavedQueryRuleOptionalFields: type: object properties: alert_suppression: $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - concurrent_searches: - $ref: '#/components/schemas/Security_Detections_API_ConcurrentSearches' data_view_id: $ref: '#/components/schemas/Security_Detections_API_DataViewId' filters: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - items_per_search: - $ref: '#/components/schemas/Security_Detections_API_ItemsPerSearch' - saved_id: - $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' - threat_filters: - $ref: '#/components/schemas/Security_Detections_API_ThreatFilters' - threat_indicator_path: - $ref: '#/components/schemas/Security_Detections_API_ThreatIndicatorPath' - threat_language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - Security_Detections_API_ThreatMatchRulePatchFields: + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + Security_Detections_API_SavedQueryRulePatchFields: allOf: - type: object properties: - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - threat_index: - $ref: '#/components/schemas/Security_Detections_API_ThreatIndex' - threat_mapping: - $ref: '#/components/schemas/Security_Detections_API_ThreatMapping' - threat_query: - $ref: 
'#/components/schemas/Security_Detections_API_ThreatQuery' + saved_id: + $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' type: description: Rule type enum: - - threat_match + - saved_query type: string - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields' - Security_Detections_API_ThreatMatchRulePatchProps: + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields + Security_Detections_API_SavedQueryRulePatchProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -106263,11 +34470,12 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -106281,24 +34489,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -106327,61 +34546,61 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields' - Security_Detections_API_ThreatMatchRuleRequiredFields: + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRulePatchFields + Security_Detections_API_SavedQueryRuleRequiredFields: type: object properties: - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - threat_index: - $ref: '#/components/schemas/Security_Detections_API_ThreatIndex' - threat_mapping: - $ref: '#/components/schemas/Security_Detections_API_ThreatMapping' - threat_query: - $ref: '#/components/schemas/Security_Detections_API_ThreatQuery' + saved_id: + $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' type: description: Rule type enum: - - threat_match + - saved_query type: string required: - type - - query - - threat_query - - threat_mapping - - threat_index - Security_Detections_API_ThreatMatchRuleResponseFields: + - saved_id + Security_Detections_API_SavedQueryRuleResponseFields: allOf: - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' + - $ref: >- + 
#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields - type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' required: - language - Security_Detections_API_ThreatMatchRuleUpdateProps: + Security_Detections_API_SavedQueryRuleUpdateProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -106395,11 +34614,12 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -106413,24 +34633,35 @@ components:
 name:
 $ref: '#/components/schemas/Security_Detections_API_RuleName'
 namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
 note:
 $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
 outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
 output_index:
 $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
 references:
 $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
 related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
 required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
 > info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
 items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
 type: array
 response_actions:
 items:
@@ -106459,11 +34690,13 @@ components:
 timeline_id:
 $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
 timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
 timestamp_override:
 $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
 timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
 to:
 $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
 version:
@@ -106473,124 +34706,260 @@ components: - description - risk_score - severity - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields' - Security_Detections_API_ThreatQuery: - description: Query used to determine which fields in the Elasticsearch index are used for generating alerts. - type: string - Security_Detections_API_ThreatSubtechnique: + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields + Security_Detections_API_SetAlertAssigneesBody: type: object properties: - id: - description: Subtechnique ID - type: string - name: - description: Subtechnique name - type: string - reference: - description: Subtechnique reference - type: string + assignees: + $ref: '#/components/schemas/Security_Detections_API_AlertAssignees' + description: Details about the assignees to assign and unassign. + ids: + $ref: '#/components/schemas/Security_Detections_API_AlertIds' required: - - id - - name - - reference - Security_Detections_API_ThreatTactic: - description: | - Object containing information on the attack type + - assignees + - ids + Security_Detections_API_SetAlertsStatusByIds: + discriminator: + mapping: + closed: '#/components/schemas/Security_Detections_API_CloseAlertsByIds' + propertyName: status + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByIds' + - $ref: >- + #/components/schemas/Security_Detections_API_SetAlertsStatusByIdsBase + Security_Detections_API_SetAlertsStatusByIdsBase: type: object properties: - id: - description: Tactic ID - type: string - name: - description: Tactic name - type: string - reference: - description: Tactic reference - type: string + signal_ids: + description: >- + List of alert ids. Use field `_id` on alert document or + `kibana.alert.uuid`. Note: signals are a deprecated term for alerts. 
+ items: + format: nonempty + minLength: 1 + type: string + minItems: 1 + type: array + status: + $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed' required: - - id - - name - - reference - Security_Detections_API_ThreatTechnique: + - signal_ids + - status + Security_Detections_API_SetAlertsStatusByQuery: + discriminator: + mapping: + closed: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery' + propertyName: status + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery' + - $ref: >- + #/components/schemas/Security_Detections_API_SetAlertsStatusByQueryBase + Security_Detections_API_SetAlertsStatusByQueryBase: type: object properties: - id: - description: Technique ID - type: string - name: - description: Technique name - type: string - reference: - description: Technique reference + conflicts: + default: abort + enum: + - abort + - proceed type: string - subtechnique: - description: | - Array containing more specific information on the attack technique. - items: - $ref: '#/components/schemas/Security_Detections_API_ThreatSubtechnique' - type: array + query: + additionalProperties: true + type: object + status: + $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed' required: - - id - - name - - reference - Security_Detections_API_Threshold: + - query + - status + Security_Detections_API_SetAlertTags: + description: Object with list of tags to add and remove. 
type: object properties: - cardinality: - $ref: '#/components/schemas/Security_Detections_API_ThresholdCardinality' - field: - $ref: '#/components/schemas/Security_Detections_API_ThresholdField' - value: - $ref: '#/components/schemas/Security_Detections_API_ThresholdValue' + tags_to_add: + $ref: '#/components/schemas/Security_Detections_API_AlertTags' + tags_to_remove: + $ref: '#/components/schemas/Security_Detections_API_AlertTags' required: - - field - - value - Security_Detections_API_ThresholdAlertSuppression: - description: Defines alert suppression configuration. + - tags_to_add + - tags_to_remove + Security_Detections_API_SetAlertTagsBody: type: object properties: - duration: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration' + ids: + $ref: '#/components/schemas/Security_Detections_API_AlertIds' + tags: + $ref: '#/components/schemas/Security_Detections_API_SetAlertTags' required: - - duration - Security_Detections_API_ThresholdCardinality: - description: The field on which the cardinality is applied. + - ids + - tags + Security_Detections_API_SetupGuide: + description: >- + Populates the rule’s setup guide with instructions on rule prerequisites + such as required integrations, configuration steps, and anything else + needed for the rule to work correctly. 
+ type: string + Security_Detections_API_Severity: + description: > + Severity level of alerts produced by the rule, which must be one of the + following: + + * `low`: Alerts that are of interest but generally not considered to be + security incidents + + * `medium`: Alerts that require investigation + + * `high`: Alerts that require immediate investigation + + * `critical`: Alerts that indicate it is highly likely a security + incident has occurred + enum: + - low + - medium + - high + - critical + type: string + Security_Detections_API_SeverityMapping: + description: Overrides generated alerts' severity with values from the source event items: type: object properties: field: - description: The field on which to calculate and compare the cardinality. + description: Source event field used to override the default `severity`. type: string + operator: + enum: + - equals + type: string + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' value: - description: The threshold value from which an alert is generated based on unique number of values of cardinality.field. - minimum: 0 - type: integer + type: string required: - field + - operator + - severity - value type: array - Security_Detections_API_ThresholdField: - description: The field on which the threshold is applied. If you specify an empty array ([]), alerts are generated when the query returns at least the number of results specified in the value field. - oneOf: - - type: string - - items: - type: string - maxItems: 5 - minItems: 0 + Security_Detections_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Detections_API_SortOrder: + enum: + - asc + - desc + type: string + Security_Detections_API_Threat: + description: > + > info + + > Currently, only threats described using the MITRE ATT&CK™ + framework are supported. 
+ type: object + properties: + framework: + description: Relevant attack framework + type: string + tactic: + $ref: '#/components/schemas/Security_Detections_API_ThreatTactic' + technique: + description: Array containing information on the attack techniques (optional) + items: + $ref: '#/components/schemas/Security_Detections_API_ThreatTechnique' type: array - Security_Detections_API_ThresholdRule: + required: + - framework + - tactic + Security_Detections_API_ThreatArray: + items: + $ref: '#/components/schemas/Security_Detections_API_Threat' + type: array + Security_Detections_API_ThreatFilters: + items: + description: >- + Query and filter context array used to filter documents from the + Elasticsearch index containing the threat values + type: array + Security_Detections_API_ThreatIndex: + description: Elasticsearch indices used to check which field values generate alerts. + items: + type: string + type: array + Security_Detections_API_ThreatIndicatorPath: + description: >- + Defines the path to the threat indicator in the indicator documents + (optional) + type: string + Security_Detections_API_ThreatMapping: + description: > + Array of entries objects that define mappings between the source event + fields and the values in the Elasticsearch threat index. Each entries + object must contain these fields: + + + - field: field from the event indices on which the rule runs + + - type: must be mapping + + - value: field from the Elasticsearch threat index + + You can use Boolean and and or logic to define the conditions for when + matching fields and values generate alerts. Sibling entries objects are + evaluated using or logic, whereas multiple entries in a single entries + object use and logic. See Example of Threat Match rule which uses both + `and` and `or` logic. 
+ items: + type: object + properties: + entries: + items: + $ref: '#/components/schemas/Security_Detections_API_ThreatMappingEntry' + type: array + required: + - entries + minItems: 1 + type: array + Security_Detections_API_ThreatMappingEntry: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + negate: + type: boolean + type: + enum: + - mapping + type: string + value: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + required: + - field + - type + - value + Security_Detections_API_ThreatMatchRule: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -106604,7 +34973,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -106620,24 +34990,35 @@ components:
 name:
 $ref: '#/components/schemas/Security_Detections_API_RuleName'
 namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
 note:
 $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
 outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
 output_index:
 $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
 references:
 $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
 related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
 required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
 > info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
 items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
 type: array
 response_actions:
 items:
@@ -106664,11 +35045,13 @@ components:
 timeline_id:
 $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
 timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
 timestamp_override:
 $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
 timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
 to:
 $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
 version:
@@ -106697,25 +35080,33 @@ components:
 - related_integrations
 - required_fields
 - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
- - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleResponseFields'
- Security_Detections_API_ThresholdRuleCreateFields:
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields
+ Security_Detections_API_ThreatMatchRuleCreateFields:
 allOf:
- - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields'
- - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields'
- - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields'
- Security_Detections_API_ThresholdRuleCreateProps:
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields
+ Security_Detections_API_ThreatMatchRuleCreateProps:
 allOf:
 - type: object
 properties:
 actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
 items:
 $ref: '#/components/schemas/Security_Detections_API_RuleAction'
 type: array
 alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
 alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
 author:
 $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
 building_block_type:
@@ -106729,7 +35120,8 @@ components:
 $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
 type: array
 false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
 from:
 $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
 interval:
@@ -106745,24 +35137,35 @@ components:
 name:
 $ref: '#/components/schemas/Security_Detections_API_RuleName'
 namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
 note:
 $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
 outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
 output_index:
 $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
 references:
 $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
 related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
 required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
 > info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
 items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
 type: array
 response_actions:
 items:
@@ -106791,11 +35194,13 @@ components:
 timeline_id:
 $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
 timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
 timestamp_override:
 $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
 timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
 to:
 $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
 version:
@@ -106805,53 +35210,74 @@ components: - description - risk_score - severity - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields' - Security_Detections_API_ThresholdRuleDefaultableFields: + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields + Security_Detections_API_ThreatMatchRuleDefaultableFields: type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - Security_Detections_API_ThresholdRuleOptionalFields: + Security_Detections_API_ThreatMatchRuleOptionalFields: type: object properties: alert_suppression: - $ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression' + $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' + concurrent_searches: + $ref: '#/components/schemas/Security_Detections_API_ConcurrentSearches' data_view_id: $ref: '#/components/schemas/Security_Detections_API_DataViewId' filters: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' + items_per_search: + $ref: '#/components/schemas/Security_Detections_API_ItemsPerSearch' saved_id: $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' - Security_Detections_API_ThresholdRulePatchFields: + threat_filters: + $ref: '#/components/schemas/Security_Detections_API_ThreatFilters' + threat_indicator_path: + $ref: '#/components/schemas/Security_Detections_API_ThreatIndicatorPath' + threat_language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + Security_Detections_API_ThreatMatchRulePatchFields: allOf: - type: object properties: query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - threshold: - $ref: '#/components/schemas/Security_Detections_API_Threshold' + threat_index: + $ref: '#/components/schemas/Security_Detections_API_ThreatIndex' + threat_mapping: + $ref: 
'#/components/schemas/Security_Detections_API_ThreatMapping' + threat_query: + $ref: '#/components/schemas/Security_Detections_API_ThreatQuery' type: description: Rule type enum: - - threshold + - threat_match type: string - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields' - Security_Detections_API_ThresholdRulePatchProps: + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields + Security_Detections_API_ThreatMatchRulePatchProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -106865,11 +35291,12 @@ components:
 $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
 type: array
 false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
 from:
 $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
 id:
- $ref: '#/components/schemas/Security_Detections_API_UUID'
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
 interval:
 $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
 investigation_fields:
@@ -106883,24 +35310,35 @@ components:
 name:
 $ref: '#/components/schemas/Security_Detections_API_RuleName'
 namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
 note:
 $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
 outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
 output_index:
 $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
 references:
 $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
 related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
 required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
 > info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
 items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
 type: array
 response_actions:
 items:
@@ -106929,55 +35367,70 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchFields' - Security_Detections_API_ThresholdRuleRequiredFields: + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields + Security_Detections_API_ThreatMatchRuleRequiredFields: type: object properties: query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - threshold: - $ref: '#/components/schemas/Security_Detections_API_Threshold' + threat_index: + $ref: '#/components/schemas/Security_Detections_API_ThreatIndex' + threat_mapping: + $ref: '#/components/schemas/Security_Detections_API_ThreatMapping' + threat_query: + $ref: '#/components/schemas/Security_Detections_API_ThreatQuery' type: description: Rule type enum: - - threshold + - threat_match type: string required: - type - query - - threshold - Security_Detections_API_ThresholdRuleResponseFields: + - threat_query + - threat_mapping + - threat_index + Security_Detections_API_ThreatMatchRuleResponseFields: allOf: - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' + - $ref: >- + 
#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields - type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' required: - language - Security_Detections_API_ThresholdRuleUpdateProps: + Security_Detections_API_ThreatMatchRuleUpdateProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -106991,11 +35444,12 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -107009,24 +35463,35 @@ components:
 name:
 $ref: '#/components/schemas/Security_Detections_API_RuleName'
 namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
 note:
 $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
 outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
 output_index:
 $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
 references:
 $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
 related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
 required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
 > info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
 items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
 type: array
 response_actions:
 items:
@@ -107055,11 +35520,13 @@ components:
 timeline_id:
 $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
 timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
 timestamp_override:
 $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
 timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
 to:
 $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
 version:
@@ -107069,1385 +35536,1444 @@ components: - description - risk_score - severity - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields' - Security_Detections_API_ThresholdValue: - description: The threshold value from which an alert is generated. - minimum: 1 - type: integer - Security_Detections_API_ThrottleForBulkActions: - description: | - Defines the maximum interval in which a rule’s actions are executed. - > info - > The rule level `throttle` field is deprecated in Elastic Security 8.8 and will remain active for at least the next 12 months. - > In Elastic Security 8.8 and later, you can use the `frequency` field to define frequencies for individual actions. Actions without frequencies will acquire a converted version of the rule’s `throttle` field. In the response, the converted `throttle` setting appears in the individual actions' `frequency` field. - enum: - - rule - - 1h - - 1d - - 7d - type: string - Security_Detections_API_TiebreakerField: - description: Sets a secondary field for sorting events - type: string - Security_Detections_API_TimelineTemplateId: - description: Timeline template ID - type: string - Security_Detections_API_TimelineTemplateTitle: - description: Timeline template title - type: string - Security_Detections_API_TimestampField: - description: Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with `timestamp_override`, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field. - type: string - Security_Detections_API_TimestampOverride: - description: Sets the time field used to query indices. When unspecified, rules query the `@timestamp` field. The source field must be an Elasticsearch date data type. 
- type: string - Security_Detections_API_TimestampOverrideFallbackDisabled: - description: Disables the fallback to the event's @timestamp field - type: boolean - Security_Detections_API_UUID: - description: A universally unique identifier - format: uuid + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields + Security_Detections_API_ThreatQuery: + description: >- + Query used to determine which fields in the Elasticsearch index are used + for generating alerts. type: string - Security_Detections_API_WarningSchema: - type: object - properties: - actionPath: - type: string - buttonLabel: - type: string - message: - type: string - type: - type: string - required: - - type - - message - - actionPath - Security_Endpoint_Exceptions_API_EndpointList: - oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionList' - - additionalProperties: false - type: object - Security_Endpoint_Exceptions_API_EndpointListItem: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' - Security_Endpoint_Exceptions_API_ExceptionList: + Security_Detections_API_ThreatSubtechnique: type: object properties: - _version: - description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. - type: string - created_at: - description: Autogenerated date of object creation. - format: date-time - type: string - created_by: - description: Autogenerated value - user that created object. 
- type: string - description: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription' id: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId' - immutable: - type: boolean - list_id: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId' - meta: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta' - name: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName' - namespace_type: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType' - os_types: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray' - tags: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags' - tie_breaker_id: - description: Field used in search to ensure all containers are sorted and returned correctly. - type: string - type: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType' - updated_at: - description: Autogenerated date of last object update. - format: date-time - type: string - updated_by: - description: Autogenerated value - user that last updated object. - type: string - version: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion' - required: - - id - - list_id - - type - - name - - description - - immutable - - namespace_type - - version - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Endpoint_Exceptions_API_ExceptionListDescription: - description: Describes the exception list. - example: This list tracks allowlisted values. - type: string - Security_Endpoint_Exceptions_API_ExceptionListHumanId: - description: | - The exception list's human-readable string identifier. 
- - For endpoint artifacts, use one of the following values: - - * `endpoint_list`: [Elastic Endpoint exception list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) - * `endpoint_trusted_apps`: [Trusted applications list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) - * `endpoint_trusted_devices`: [Trusted devices list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) - * `endpoint_event_filters`: [Event filters list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) - * `endpoint_host_isolation_exceptions`: [Host isolation exceptions list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) - * `endpoint_blocklists`: [Blocklists list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) - example: simple_list - format: nonempty - minLength: 1 - type: string - Security_Endpoint_Exceptions_API_ExceptionListId: - description: Exception list's identifier. - example: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - format: nonempty - minLength: 1 - type: string - Security_Endpoint_Exceptions_API_ExceptionListItem: - type: object - properties: - _version: - description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. - type: string - comments: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' - created_at: - description: Autogenerated date of object creation. - format: date-time - type: string - created_by: - description: Autogenerated value - user that created object. 
+ description: Subtechnique ID type: string - description: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' - entries: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' - expire_time: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime' - id: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' - item_id: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' - list_id: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId' - meta: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' name: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' - namespace_type: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType' - os_types: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' - tags: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' - tie_breaker_id: - description: Field used in search to ensure all containers are sorted and returned correctly. - type: string - type: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' - updated_at: - description: Autogenerated date of last object update. - format: date-time + description: Subtechnique name type: string - updated_by: - description: Autogenerated value - user that last updated object. 
+ reference: + description: Subtechnique reference type: string required: - id - - item_id - - list_id - - type - name - - description - - entries - - namespace_type - - comments - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Endpoint_Exceptions_API_ExceptionListItemComment: - type: object - properties: - comment: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - created_at: - description: Autogenerated date of object creation. - format: date-time - type: string - created_by: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - id: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - updated_at: - description: Autogenerated date of last object update. - format: date-time - type: string - updated_by: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - required: - - id - - comment - - created_at - - created_by - Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray: + - reference + Security_Detections_API_ThreatTactic: description: | - Array of comment fields: - - - comment (string): Comments about the exception item. - items: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment' - type: array - Security_Endpoint_Exceptions_API_ExceptionListItemDescription: - description: Describes the exception list. 
- type: string - Security_Endpoint_Exceptions_API_ExceptionListItemEntry: - anyOf: - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch' - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny' - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList' - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists' - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested' - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard' - discriminator: - propertyName: type - Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray: - items: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry' - type: array - Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - operator: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' - type: - enum: - - exists - type: string - required: - - type - - field - - operator - Security_Endpoint_Exceptions_API_ExceptionListItemEntryList: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - list: - type: object - properties: - id: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListId' - type: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListType' - required: - - id - - type - operator: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' - type: - enum: - - list - type: string - required: - - type - - field - - list - - operator - Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch: - type: object - properties: - field: - $ref: 
'#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - operator: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' - type: - enum: - - match - type: string - value: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - required: - - type - - field - - value - - operator - Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - operator: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' - type: - enum: - - match_any - type: string - value: - items: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - minItems: 1 - type: array - required: - - type - - field - - value - - operator - Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - operator: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' - type: - enum: - - wildcard - type: string - value: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - required: - - type - - field - - value - - operator - Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested: + Object containing information on the attack type type: object properties: - entries: - items: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem' - minItems: 1 - type: array - field: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - type: - enum: - - nested + id: + description: Tactic ID type: string - required: - - type - - field - - entries - Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem: - oneOf: - - $ref: 
'#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch' - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny' - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists' - Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator: - enum: - - excluded - - included - type: string - Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime: - description: The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions. - format: date-time - type: string - Security_Endpoint_Exceptions_API_ExceptionListItemHumanId: - description: Human readable string identifier, e.g. `trusted-linux-processes` - example: simple_list_item - format: nonempty - minLength: 1 - type: string - Security_Endpoint_Exceptions_API_ExceptionListItemId: - description: Exception's identifier. - example: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - format: nonempty - minLength: 1 - type: string - Security_Endpoint_Exceptions_API_ExceptionListItemMeta: - additionalProperties: true - type: object - Security_Endpoint_Exceptions_API_ExceptionListItemName: - description: Exception list name. - format: nonempty - minLength: 1 - type: string - Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray: - items: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType' - type: array - Security_Endpoint_Exceptions_API_ExceptionListItemTags: - items: - description: String array containing words and phrases to help categorize exception items. - format: nonempty - minLength: 1 - type: string - type: array - Security_Endpoint_Exceptions_API_ExceptionListItemType: - enum: - - simple - type: string - Security_Endpoint_Exceptions_API_ExceptionListMeta: - additionalProperties: true - description: Placeholder for metadata about the list container. 
- type: object - Security_Endpoint_Exceptions_API_ExceptionListName: - description: The name of the exception list. - example: My exception list - type: string - Security_Endpoint_Exceptions_API_ExceptionListOsType: - description: Use this field to specify the operating system. - enum: - - linux - - macos - - windows - type: string - Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray: - description: Use this field to specify the operating system. Only enter one value. - items: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType' - type: array - Security_Endpoint_Exceptions_API_ExceptionListTags: - description: String array containing words and phrases to help categorize exception containers. - items: - type: string - type: array - Security_Endpoint_Exceptions_API_ExceptionListType: - description: The type of exception list to be created. Different list types may denote where they can be utilized. - enum: - - detection - - rule_default - - endpoint - - endpoint_trusted_apps - - endpoint_trusted_devices - - endpoint_events - - endpoint_host_isolation_exceptions - - endpoint_blocklists - type: string - Security_Endpoint_Exceptions_API_ExceptionListVersion: - description: The document version, automatically increasd on updates. - minimum: 1 - type: integer - Security_Endpoint_Exceptions_API_ExceptionNamespaceType: - description: | - Determines whether the exception container is available in all Kibana spaces or just the space - in which it is created, where: - - - `single`: Only available in the Kibana space in which it is created. - - `agnostic`: Available in all Kibana spaces. - - For endpoint artifacts, the `namespace_type` must always be `agnostic`. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments. 
- enum: - - agnostic - - single - type: string - Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - Security_Endpoint_Exceptions_API_ListId: - description: Value list's identifier. - example: 21b01cfb-058d-44b9-838c-282be16c91cd - format: nonempty - minLength: 1 - type: string - Security_Endpoint_Exceptions_API_ListType: - description: | - Specifies the Elasticsearch data type of excludes the list container holds. Some common examples: - - - `keyword`: Many ECS fields are Elasticsearch keywords - - `ip`: IP addresses - - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) - enum: - - binary - - boolean - - byte - - date - - date_nanos - - date_range - - double - - double_range - - float - - float_range - - geo_point - - geo_shape - - half_float - - integer - - integer_range - - ip - - ip_range - - keyword - - long - - long_range - - shape - - short - - text - type: string - Security_Endpoint_Exceptions_API_NonEmptyString: - description: A string that does not contain only whitespace characters - format: nonempty - minLength: 1 - type: string - Security_Endpoint_Exceptions_API_PlatformErrorResponse: - type: object - properties: - error: + name: + description: Tactic name type: string - message: + reference: + description: Tactic reference type: string - statusCode: - type: integer required: - - statusCode - - error - - message - Security_Endpoint_Exceptions_API_SiemErrorResponse: + - id + - name + - reference + Security_Detections_API_ThreatTechnique: type: object properties: - message: + id: + description: Technique ID type: string - status_code: - type: integer + name: + description: Technique name + type: string + reference: + description: Technique reference + type: string + subtechnique: + description: | + Array containing more specific information on the attack technique. 
+ items: + $ref: '#/components/schemas/Security_Detections_API_ThreatSubtechnique' + type: array required: - - status_code - - message - Security_Endpoint_Management_API_ActionDetailsResponse: - discriminator: - mapping: - cancel: '#/components/schemas/Security_Endpoint_Management_API_Cancel' - execute: '#/components/schemas/Security_Endpoint_Management_API_Execute' - get-file: '#/components/schemas/Security_Endpoint_Management_API_GetFile' - isolate: '#/components/schemas/Security_Endpoint_Management_API_Isolate' - kill-process: '#/components/schemas/Security_Endpoint_Management_API_KillProcess' - memory-dump: '#/components/schemas/Security_Endpoint_Management_API_MemoryDump' - running-processes: '#/components/schemas/Security_Endpoint_Management_API_RunningProcesses' - runscript: '#/components/schemas/Security_Endpoint_Management_API_Runscript' - scan: '#/components/schemas/Security_Endpoint_Management_API_Scan' - suspend-process: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcess' - unisolate: '#/components/schemas/Security_Endpoint_Management_API_Unisolate' - upload: '#/components/schemas/Security_Endpoint_Management_API_Upload' - propertyName: command - oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcess' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFile' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Execute' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Runscript' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Upload' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Scan' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Cancel' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Isolate' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Unisolate' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcess' - - $ref: 
'#/components/schemas/Security_Endpoint_Management_API_RunningProcesses' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_MemoryDump' - Security_Endpoint_Management_API_ActionStateSuccessResponse: + - id + - name + - reference + Security_Detections_API_Threshold: type: object properties: - body: - type: object - properties: - data: - type: object - properties: - canEncrypt: - description: Whether the Kibana instance has encryption enabled for response actions. - type: boolean - required: - - data + cardinality: + $ref: '#/components/schemas/Security_Detections_API_ThresholdCardinality' + field: + $ref: '#/components/schemas/Security_Detections_API_ThresholdField' + value: + $ref: '#/components/schemas/Security_Detections_API_ThresholdValue' required: - - body - Security_Endpoint_Management_API_ActionStatusSuccessResponse: + - field + - value + Security_Detections_API_ThresholdAlertSuppression: + description: Defines alert suppression configuration. type: object properties: - body: - type: object - properties: - data: - type: object - properties: - agent_id: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' - pending_actions: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema' - required: - - agent_id - - pending_actions - required: - - data + duration: + $ref: >- + #/components/schemas/Security_Detections_API_AlertSuppressionDuration required: - - body - Security_Endpoint_Management_API_AgentId: - description: Agent ID - type: string - Security_Endpoint_Management_API_AgentIds: - description: A list of agent IDs. Max of 250. - example: - - agent-id-1 - - agent-id-2 - minLength: 1 + - duration + Security_Detections_API_ThresholdCardinality: + description: The field on which the cardinality is applied. + items: + type: object + properties: + field: + description: The field on which to calculate and compare the cardinality. 
+ type: string + value: + description: >- + The threshold value from which an alert is generated based on + unique number of values of cardinality.field. + minimum: 0 + type: integer + required: + - field + - value + type: array + Security_Detections_API_ThresholdField: + description: >- + The field on which the threshold is applied. If you specify an empty + array ([]), alerts are generated when the query returns at least the + number of results specified in the value field. oneOf: + - type: string - items: - minLength: 1 type: string - maxItems: 250 - minItems: 1 + maxItems: 5 + minItems: 0 type: array - - minLength: 1 - type: string - Security_Endpoint_Management_API_AgentTypes: - description: List of agent types to retrieve. Defaults to `endpoint`. - enum: - - endpoint - - sentinel_one - - crowdstrike - - microsoft_defender_endpoint - example: endpoint - type: string - Security_Endpoint_Management_API_Cancel: - allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - - type: object - properties: - outputs: - additionalProperties: - type: object - properties: - content: - type: object - properties: - code: - type: string - type: object - parameters: - type: object - properties: - id: - format: uuid - type: string - Security_Endpoint_Management_API_CancelRouteRequestBody: + Security_Detections_API_ThresholdRule: allOf: - type: object properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 + actions: + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. 
items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 + $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array - case_ids: - description: The IDs of cases where the action taken will be logged. Max of 50. - example: - - case-id-1 - - case-id-2 + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + 
#/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + + > info + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: 
>- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - - endpoint_ids + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleResponseFields + Security_Detections_API_ThresholdRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields + Security_Detections_API_ThresholdRuleCreateProps: + allOf: - type: object properties: - parameters: - type: object - properties: - id: - description: ID of the response action to cancel - example: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d - minLength: 1 - type: string - required: - - id - required: - - parameters - Security_Endpoint_Management_API_CloudFileScriptParameters: - type: object - properties: - cloudFile: - description: Script name in cloud storage. - minLength: 1 - type: string - commandLine: - description: Command line arguments. - minLength: 1 - type: string - timeout: - description: Timeout in seconds. 
- minimum: 1 - type: integer - required: - - cloudFile - Security_Endpoint_Management_API_Command: - description: The command for the response action - enum: - - isolate - - unisolate - - kill-process - - suspend-process - - running-processes - - get-file - - execute - - upload - - scan - - runscript - - cancel - - memory-dump - minLength: 1 - type: string - Security_Endpoint_Management_API_Commands: - description: A list of response action command names. - example: - - isolate - - unisolate - items: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Command' - maxItems: 50 - type: array - Security_Endpoint_Management_API_Comment: - description: Optional comment - example: This is a comment - type: string - Security_Endpoint_Management_API_DownloadUri: - type: object - properties: - downloadUri: - description: | - The server relative URI to download the file associated with the output of the response action. - URI does **not** include the space prefix - example: /api/endpoint/action/497f6eca-6276/file/35645-6276-4993/download - format: uri-reference - type: string - Security_Endpoint_Management_API_EndDate: - description: An end date in ISO format or Date Math format. - example: '2023-10-31T23:59:59.999Z' - type: string - Security_Endpoint_Management_API_EndpointIds: - description: List of endpoint IDs (cannot contain empty strings). Max of 250. 
- example: - - endpoint-id-1 - - endpoint-id-2 - items: - minLength: 1 - type: string - maxItems: 250 - minItems: 1 - type: array - Security_Endpoint_Management_API_EndpointMetadataResponse: - example: - host_status: healthy - last_checkin: '2023-07-04T15:48:57.360Z' - metadata: - '@timestamp': '2023-07-04T15:48:57.3609346Z' - agent: - build: - original: 'version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' - id: abb8a826-6812-448c-a571-6d8269b51449 - type: endpoint - version: 7.16.0 - data_stream: - dataset: endpoint.metadata - namespace: default - type: metrics - ecs: - version: 1.11.0 - elastic: - agent: - id: abb8a826-6812-448c-a571-6d8269b51449 - Endpoint: - capabilities: - - isolation - configuration: - isolation: false - policy: - applied: - endpoint_policy_version: '2' - id: d5371dcd-93b7-4627-af88-4084f7d6aa3e - name: test - status: success - version: '3' - state: - isolation: false - status: enrolled - event: - action: endpoint_metadata - agent_id_status: verified - category: - - host - created: '2023-07-04T15:48:57.3609346Z' - dataset: endpoint.metadata - id: MNtRc++KoKHXXwlj+++++OhZ - ingested: '2023-07-04T15:48:58Z' - kind: metric - module: endpoint - sequence: 43757 - type: - - info - host: - architecture: x86_64 - hostname: WinDev2104Eval - id: 17d9cabc-7edd-43bc-bacb-8da5f5e6c0e5 - ip: - - 10.0.2.15 - - fe80::21a6:63d3:d70e:e3ad - - 127.0.0.1 - - '::1' - mac: - - 08:00:27:b1:1d:5a - name: WinDev2104Eval - os: - Ext: - variant: Windows 10 Enterprise Evaluation - family: windows - full: Windows 10 Enterprise Evaluation 20H2 (10.0.19042.906) - kernel: 20H2 (10.0.19042.906) - name: Windows - platform: windows - type: windows - version: 20H2 (10.0.19042.906) - message: Endpoint metadata - policy_info: - agent: - applied: - id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 - revision: 3 - configured: - id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 - revision: 3 - endpoint: - id: 
d5371dcd-93b7-4627-af88-4084f7d6aa3e - revision: 2 + actions: + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: 
'#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + + > info + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + 
#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleCreateFields + Security_Detections_API_ThresholdRuleDefaultableFields: type: object - properties: {} - Security_Endpoint_Management_API_Execute: + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + Security_Detections_API_ThresholdRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Detections_API_ThresholdAlertSuppression + data_view_id: + $ref: '#/components/schemas/Security_Detections_API_DataViewId' + filters: + $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' + index: + $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' + saved_id: + $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' + Security_Detections_API_ThresholdRulePatchFields: allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: - outputs: - additionalProperties: - type: object - properties: - content: - allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' - - type: object - properties: - code: - type: string - cwd: - type: string - output_file_id: - type: string - output_file_stderr_truncated: - type: boolean - output_file_stdout_truncated: - type: boolean - shell_code: - type: number - stderr: - type: string - stderr_truncated: - type: boolean - stdout: - type: string - stdout_truncated: - type: boolean - type: object - parameters: - type: object - properties: - command: - type: string - timeout: - type: number - Security_Endpoint_Management_API_ExecuteRouteRequestBody: + query: 
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + threshold: + $ref: '#/components/schemas/Security_Detections_API_Threshold' + type: + description: Rule type + enum: + - threshold + type: string + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields + Security_Detections_API_ThresholdRulePatchProps: allOf: - type: object properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 + actions: + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 + $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array - case_ids: - description: The IDs of cases where the action taken will be logged. Max of 50. 
- example: - - case-id-1 - - case-id-2 + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + 
#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + + > info + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + 
timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRulePatchFields + Security_Detections_API_ThresholdRuleRequiredFields: + type: object + properties: + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + threshold: + $ref: '#/components/schemas/Security_Detections_API_Threshold' + type: + description: Rule type + enum: + - threshold + type: string + required: + - type + - query + - threshold + Security_Detections_API_ThresholdRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields + - type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' required: - - endpoint_ids + - language + Security_Detections_API_ThresholdRuleUpdateProps: + allOf: - type: object properties: - parameters: - type: object - properties: - command: - description: The shell command to execute on the endpoint. - minLength: 1 - type: string - timeout: - description: The maximum timeout value in seconds before the command is terminated. - minimum: 1 - type: integer - required: - - command + actions: + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. 
+ items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + 
#/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + + > info + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: 
'#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - - parameters - Security_Endpoint_Management_API_GetEndpointActionListResponse: - example: - data: - - agents: - - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 - agentType: endpoint - command: running-processes - completedAt: '2022-08-08T09:50:47.672Z' - createdBy: elastic - id: b3d6de74-36b0-4fa8-be46-c375bf1771bf - isCompleted: true - isExpired: false - startedAt: '2022-08-08T15:24:57.402Z' - wasSuccessful: true - - agents: - - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 - agentType: endpoint - command: isolate - completedAt: '2022-08-08T10:41:57.352Z' - createdBy: elastic - id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3 - isCompleted: true - isExpired: false - startedAt: '2022-08-08T15:23:37.359Z' - wasSuccessful: true - - agents: - - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 - agentType: endpoint - command: kill-process - comment: bad process - taking up too much cpu - completedAt: '2022-08-08T09:44:50.952Z' - createdBy: elastic - id: 5bc92c86-b8e6-42dd-837f-12ad29e09caa - isCompleted: true - isExpired: false - startedAt: '2022-08-08T14:38:44.125Z' - wasSuccessful: true - - agents: - - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 - agentType: endpoint - command: unisolate - comment: Not a threat to the network - completedAt: '2022-08-08T09:40:47.398Z' - createdBy: elastic - id: 790d54e0-3aa3-4e5b-8255-3ce9d851246a - isCompleted: true - isExpired: false - startedAt: '2022-08-08T14:38:15.391Z' - wasSuccessful: true - elasticAgentIds: - - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 - endDate: now - page: 1 - pageSize: 10 - startDate: now-24h/h - total: 4 + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleCreateFields + Security_Detections_API_ThresholdValue: + description: The threshold value from which an alert is generated. 
+ minimum: 1 + type: integer + Security_Detections_API_ThrottleForBulkActions: + description: > + Defines the maximum interval in which a rule’s actions are executed. + + > info + + > The rule level `throttle` field is deprecated in Elastic Security 8.8 + and will remain active for at least the next 12 months. + + > In Elastic Security 8.8 and later, you can use the `frequency` field + to define frequencies for individual actions. Actions without + frequencies will acquire a converted version of the rule’s `throttle` + field. In the response, the converted `throttle` setting appears in the + individual actions' `frequency` field. + enum: + - rule + - 1h + - 1d + - 7d + type: string + Security_Detections_API_TiebreakerField: + description: Sets a secondary field for sorting events + type: string + Security_Detections_API_TimelineTemplateId: + description: Timeline template ID + type: string + Security_Detections_API_TimelineTemplateTitle: + description: Timeline template title + type: string + Security_Detections_API_TimestampField: + description: >- + Specifies the name of the event timestamp field used for sorting a + sequence of events. Not to be confused with `timestamp_override`, which + specifies the more general field used for querying events within a + range. Defaults to the @timestamp ECS field. + type: string + Security_Detections_API_TimestampOverride: + description: >- + Sets the time field used to query indices. When unspecified, rules query + the `@timestamp` field. The source field must be an Elasticsearch date + data type. 
+ type: string + Security_Detections_API_TimestampOverrideFallbackDisabled: + description: Disables the fallback to the event's @timestamp field + type: boolean + Security_Detections_API_UUID: + description: A universally unique identifier + format: uuid + type: string + Security_Detections_API_WarningSchema: + type: object + properties: + actionPath: + type: string + buttonLabel: + type: string + message: + type: string + type: + type: string + required: + - type + - message + - actionPath + Security_Endpoint_Exceptions_API_EndpointList: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionList' + - additionalProperties: false + type: object + Security_Endpoint_Exceptions_API_EndpointListItem: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + Security_Endpoint_Exceptions_API_ExceptionList: + type: object + properties: + _version: + description: >- + The version id, normally returned by the API when the item was + retrieved. Use it ensure updates are done against the latest + version. + type: string + created_at: + description: Autogenerated date of object creation. + format: date-time + type: string + created_by: + description: Autogenerated value - user that created object. 
+ type: string + description: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription + id: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId + immutable: + type: boolean + list_id: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta + name: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType + os_types: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags + tie_breaker_id: + description: >- + Field used in search to ensure all containers are sorted and + returned correctly. + type: string + type: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType + updated_at: + description: Autogenerated date of last object update. + format: date-time + type: string + updated_by: + description: Autogenerated value - user that last updated object. + type: string + version: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion + required: + - id + - list_id + - type + - name + - description + - immutable + - namespace_type + - version + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Endpoint_Exceptions_API_ExceptionListDescription: + description: Describes the exception list. + example: This list tracks allowlisted values. + type: string + Security_Endpoint_Exceptions_API_ExceptionListHumanId: + description: > + The exception list's human-readable string identifier. 
+ + + For endpoint artifacts, use one of the following values: + + + * `endpoint_list`: [Elastic Endpoint exception + list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) + + * `endpoint_trusted_apps`: [Trusted applications + list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) + + * `endpoint_trusted_devices`: [Trusted devices + list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) + + * `endpoint_event_filters`: [Event filters + list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) + + * `endpoint_host_isolation_exceptions`: [Host isolation exceptions + list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) + + * `endpoint_blocklists`: [Blocklists + list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) + example: simple_list + format: nonempty + minLength: 1 + type: string + Security_Endpoint_Exceptions_API_ExceptionListId: + description: Exception list's identifier. + example: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + format: nonempty + minLength: 1 + type: string + Security_Endpoint_Exceptions_API_ExceptionListItem: + type: object + properties: + _version: + description: >- + The version id, normally returned by the API when the item was + retrieved. Use it ensure updates are done against the latest + version. + type: string + comments: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray + created_at: + description: Autogenerated date of object creation. + format: date-time + type: string + created_by: + description: Autogenerated value - user that created object. 
+ type: string + description: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray + expire_time: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime + id: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId + item_id: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType + os_types: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags + tie_breaker_id: + description: >- + Field used in search to ensure all containers are sorted and + returned correctly. + type: string + type: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType + updated_at: + description: Autogenerated date of last object update. + format: date-time + type: string + updated_by: + description: Autogenerated value - user that last updated object. + type: string + required: + - id + - item_id + - list_id + - type + - name + - description + - entries + - namespace_type + - comments + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Endpoint_Exceptions_API_ExceptionListItemComment: type: object properties: - agentTypes: - description: The list of agent types the query was filtered by. 
- items: - type: string - type: array - commands: - description: The list of commands the query was filtered by. - items: - type: string - type: array - data: - description: The list of response actions. - items: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: array - elasticAgentIds: - description: The list of elastic agent IDs the query was filtered by. - items: - type: string - type: array - endDate: - description: The end date filter applied to the query. + comment: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + created_at: + description: Autogenerated date of object creation. + format: date-time type: string - page: - description: The current page number. - type: integer - pageSize: - description: The number of items per page. - type: integer - startDate: - description: The start date filter applied to the query. + created_by: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + updated_at: + description: Autogenerated date of last object update. + format: date-time type: string - statuses: - description: The list of statuses the query was filtered by. - items: - type: string - type: array - total: - description: The total number of response actions matching the query. - type: integer - userIds: - description: The list of user IDs the query was filtered by. 
- items: - type: string - type: array - Security_Endpoint_Management_API_GetFile: - allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - - type: object - properties: - outputs: - additionalProperties: - type: object - properties: - content: - allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' - - type: object - properties: - code: - type: string - contents: - items: - type: object - properties: - file_name: - type: string - path: - type: string - sha256: - type: string - size: - type: number - type: - type: string - type: array - zip_size: - type: number - type: object - parameters: - type: object - properties: - path: - type: string - Security_Endpoint_Management_API_GetFileRouteRequestBody: - allOf: - - type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - case_ids: - description: The IDs of cases where the action taken will be logged. Max of 50. 
- example: - - case-id-1 - - case-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - - type: object + updated_by: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + required: + - id + - comment + - created_at + - created_by + Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray: + description: | + Array of comment fields: + + - comment (string): Comments about the exception item. + items: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment + type: array + Security_Endpoint_Exceptions_API_ExceptionListItemDescription: + description: Describes the exception list. + type: string + Security_Endpoint_Exceptions_API_ExceptionListItemEntry: + anyOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard + discriminator: + propertyName: type + Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray: + items: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry + type: array + Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists: + type: object + properties: + field: + $ref: 
'#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - exists + type: string + required: + - type + - field + - operator + Security_Endpoint_Exceptions_API_ExceptionListItemEntryList: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + list: + type: object properties: - parameters: - type: object - properties: - path: - description: The full file path to retrieve from the endpoint. - type: string - required: - - path + id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListId' + type: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListType' required: - - parameters - Security_Endpoint_Management_API_GetProcessesRouteRequestBody: + - id + - type + operator: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - list + type: string + required: + - type + - field + - list + - operator + Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch: type: object properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. 
- example: - - alert-id-1 - - alert-id-2 + field: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match + type: string + value: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + required: + - type + - field + - value + - operator + Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match_any + type: string + value: items: - minLength: 1 - type: string - maxItems: 50 + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString minItems: 1 type: array - case_ids: - description: The IDs of cases where the action taken will be logged. Max of 50. 
- example: - - case-id-1 - - case-id-2 + required: + - type + - field + - value + - operator + Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - wildcard + type: string + value: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + required: + - type + - field + - value + - operator + Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested: + type: object + properties: + entries: items: - minLength: 1 - type: string - maxItems: 50 + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem minItems: 1 type: array - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + field: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + type: + enum: + - nested + type: string required: - - endpoint_ids - Security_Endpoint_Management_API_HostPathScriptParameters: + - type + - field + - entries + Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem: + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists + Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator: + enum: + - excluded + - included + type: string + Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime: + description: >- + The exception item’s expiration date, in ISO 
format. This field is only + available for regular exception items, not endpoint exceptions. + format: date-time + type: string + Security_Endpoint_Exceptions_API_ExceptionListItemHumanId: + description: Human readable string identifier, e.g. `trusted-linux-processes` + example: simple_list_item + format: nonempty + minLength: 1 + type: string + Security_Endpoint_Exceptions_API_ExceptionListItemId: + description: Exception's identifier. + example: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + format: nonempty + minLength: 1 + type: string + Security_Endpoint_Exceptions_API_ExceptionListItemMeta: + additionalProperties: true + type: object + Security_Endpoint_Exceptions_API_ExceptionListItemName: + description: Exception list name. + format: nonempty + minLength: 1 + type: string + Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray: + items: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType + type: array + Security_Endpoint_Exceptions_API_ExceptionListItemTags: + items: + description: >- + String array containing words and phrases to help categorize exception + items. + format: nonempty + minLength: 1 + type: string + type: array + Security_Endpoint_Exceptions_API_ExceptionListItemType: + enum: + - simple + type: string + Security_Endpoint_Exceptions_API_ExceptionListMeta: + additionalProperties: true + description: Placeholder for metadata about the list container. + type: object + Security_Endpoint_Exceptions_API_ExceptionListName: + description: The name of the exception list. + example: My exception list + type: string + Security_Endpoint_Exceptions_API_ExceptionListOsType: + description: Use this field to specify the operating system. + enum: + - linux + - macos + - windows + type: string + Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray: + description: Use this field to specify the operating system. Only enter one value. 
+ items: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType + type: array + Security_Endpoint_Exceptions_API_ExceptionListTags: + description: >- + String array containing words and phrases to help categorize exception + containers. + items: + type: string + type: array + Security_Endpoint_Exceptions_API_ExceptionListType: + description: >- + The type of exception list to be created. Different list types may + denote where they can be utilized. + enum: + - detection + - rule_default + - endpoint + - endpoint_trusted_apps + - endpoint_trusted_devices + - endpoint_events + - endpoint_host_isolation_exceptions + - endpoint_blocklists + type: string + Security_Endpoint_Exceptions_API_ExceptionListVersion: + description: The document version, automatically increasd on updates. + minimum: 1 + type: integer + Security_Endpoint_Exceptions_API_ExceptionNamespaceType: + description: > + Determines whether the exception container is available in all Kibana + spaces or just the space + + in which it is created, where: + + + - `single`: Only available in the Kibana space in which it is created. + + - `agnostic`: Available in all Kibana spaces. + + + For endpoint artifacts, the `namespace_type` must always be `agnostic`. + Space awareness for endpoint artifacts is enforced based on Elastic + Defend policy assignments. + enum: + - agnostic + - single + type: string + Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + Security_Endpoint_Exceptions_API_ListId: + description: Value list's identifier. + example: 21b01cfb-058d-44b9-838c-282be16c91cd + format: nonempty + minLength: 1 + type: string + Security_Endpoint_Exceptions_API_ListType: + description: > + Specifies the Elasticsearch data type of excludes the list container + holds. 
Some common examples: + + + - `keyword`: Many ECS fields are Elasticsearch keywords + + - `ip`: IP addresses + + - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR + notation) + enum: + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text + type: string + Security_Endpoint_Exceptions_API_NonEmptyString: + description: A string that does not contain only whitespace characters + format: nonempty + minLength: 1 + type: string + Security_Endpoint_Exceptions_API_PlatformErrorResponse: type: object properties: - commandLine: - description: Command line arguments. - minLength: 1 + error: type: string - hostPath: - description: Absolute or relative path of script on host machine. - minLength: 1 + message: type: string - timeout: - description: Timeout in seconds. - minimum: 1 + statusCode: type: integer required: - - hostPath - Security_Endpoint_Management_API_HostStatuses: - description: A set of agent health statuses to filter by. - example: - - healthy - - updating - items: - enum: - - healthy - - offline - - updating - - inactive - - unenrolled - type: string - maxItems: 20 - type: array - Security_Endpoint_Management_API_Isolate: - allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - - description: Details of an isolate action response. 
- type: object - Security_Endpoint_Management_API_IsolateRouteResponse: + - statusCode + - error + - message + Security_Endpoint_Exceptions_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Endpoint_Management_API_ActionDetailsResponse: + discriminator: + mapping: + cancel: '#/components/schemas/Security_Endpoint_Management_API_Cancel' + execute: '#/components/schemas/Security_Endpoint_Management_API_Execute' + get-file: '#/components/schemas/Security_Endpoint_Management_API_GetFile' + isolate: '#/components/schemas/Security_Endpoint_Management_API_Isolate' + kill-process: '#/components/schemas/Security_Endpoint_Management_API_KillProcess' + memory-dump: '#/components/schemas/Security_Endpoint_Management_API_MemoryDump' + running-processes: >- + #/components/schemas/Security_Endpoint_Management_API_RunningProcesses + runscript: '#/components/schemas/Security_Endpoint_Management_API_Runscript' + scan: '#/components/schemas/Security_Endpoint_Management_API_Scan' + suspend-process: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcess' + unisolate: '#/components/schemas/Security_Endpoint_Management_API_Unisolate' + upload: '#/components/schemas/Security_Endpoint_Management_API_Upload' + propertyName: command + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcess' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFile' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_Execute' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_Runscript' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_Upload' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_Scan' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_Cancel' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_Isolate' + - $ref: 
'#/components/schemas/Security_Endpoint_Management_API_Unisolate' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcess' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_RunningProcesses + - $ref: '#/components/schemas/Security_Endpoint_Management_API_MemoryDump' + Security_Endpoint_Management_API_ActionStateSuccessResponse: type: object properties: - action: - description: The action ID (legacy field, same as `data.id`). - type: string - data: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - Security_Endpoint_Management_API_KillProcess: - allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - - type: object + body: + type: object properties: - outputs: - additionalProperties: - type: object - properties: - content: - oneOf: - - type: object - properties: - code: - type: string - command: - type: string - pid: - type: number - - type: object - properties: - code: - type: string - command: - type: string - entity_id: - type: string - - type: object - properties: - code: - type: string - command: - type: string - process_name: - type: string + data: type: object - parameters: - oneOf: - - type: object - properties: - pid: - description: The process ID (PID) of the process to terminate. - minimum: 1 - type: number - - type: object - properties: - entity_id: - description: The entity ID of the process to terminate. - minLength: 1 - type: string - - type: object - properties: - process_name: - description: The name of the process to terminate. Valid for SentinelOne agent type only. - type: string - Security_Endpoint_Management_API_KillProcessRouteRequestBody: - allOf: - - type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - description: If this action is associated with any alerts, they can be specified here. 
The action will be logged in any cases associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - case_ids: - description: The IDs of cases where the action taken will be logged. Max of 50. - example: - - case-id-1 - - case-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + properties: + canEncrypt: + description: >- + Whether the Kibana instance has encryption enabled for + response actions. + type: boolean required: - - endpoint_ids - - type: object + - data + required: + - body + Security_Endpoint_Management_API_ActionStatusSuccessResponse: + type: object + properties: + body: + type: object properties: - parameters: - oneOf: - - type: object - properties: - pid: - description: The process ID (PID) of the process to terminate. - example: 123 - minimum: 1 - type: integer - - type: object - properties: - entity_id: - description: The entity ID of the process to terminate. - example: abc123 - minLength: 1 - type: string - - type: object - properties: - process_name: - description: The name of the process to terminate. Valid for SentinelOne agent type only. - example: Elastic - minLength: 1 - type: string + data: + type: object + properties: + agent_id: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_AgentId + pending_actions: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema + required: + - agent_id + - pending_actions required: - - parameters - Security_Endpoint_Management_API_Kuery: - description: A KQL string. 
- example: 'united.endpoint.host.os.name : ''Windows''' + - data + required: + - body + Security_Endpoint_Management_API_AgentId: + description: Agent ID type: string - Security_Endpoint_Management_API_MDERunScriptParameters: - description: Parameters for Run Script response action against Microsoft Defender Endpoint agent type. + Security_Endpoint_Management_API_AgentIds: + description: A list of agent IDs. Max of 250. example: - agent_type: microsoft_defender_endpoint - endpoint_ids: - - endpoint-id-1 - parameters: - args: '-param1 value1 -param2 value2' - scriptName: my-script.ps1 - properties: - args: - description: Optional command line arguments for the script. - minLength: 1 - type: string - scriptName: - description: The name of the script to execute from the cloud storage. - minLength: 1 + - agent-id-1 + - agent-id-2 + minLength: 1 + oneOf: + - items: + minLength: 1 + type: string + maxItems: 250 + minItems: 1 + type: array + - minLength: 1 type: string - required: - - scriptName - title: Microsoft Defender Endpoint Run Script Parameters - type: object - Security_Endpoint_Management_API_MemoryDump: + Security_Endpoint_Management_API_AgentTypes: + description: List of agent types to retrieve. Defaults to `endpoint`. + enum: + - endpoint + - sentinel_one + - crowdstrike + - microsoft_defender_endpoint + example: endpoint + type: string + Security_Endpoint_Management_API_Cancel: allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - type: object properties: outputs: 
@@ -108455,71 +36981,28 @@ components: type: object properties: content: + type: object properties: code: type: string - disk_free_space: - description: The free space on the host machine in bytes after the memory dump is written to disk - type: number - file_size: - description: The size of the memory dump compressed file in bytes - type: string - path: - description: The path to the memory dump compressed file on the host machine - type: string - title: Memory dump output - type: object type: object parameters: - oneOf: - - properties: - type: - description: Kernel-level memory dump - enum: - - kernel - type: string - required: - - type - title: Kernel memory dump - type: object - - properties: - pid: - description: The process ID (PID) - type: number - type: - description: Process-level memory dump using a process ID - enum: - - process - type: string - required: - - type - - pid - title: Process memory dump with PID - type: object - - properties: - entity_id: - description: The process entity ID - type: string - type: - description: Process-level memory dump using an entity ID - enum: - - process - type: string - required: - - type - - entity_id - title: Process memory dump with entity ID - type: object - required: - - parameters - Security_Endpoint_Management_API_MemoryDumpRouteRequestBody: + type: object + properties: + id: + format: uuid + type: string + Security_Endpoint_Management_API_CancelRouteRequestBody: allOf: - type: object properties: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + description: >- + If this action is associated with any alerts, they can be + specified here. The action will be logged in any cases + associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 
@@ -108530,7 +37013,9 @@ components: minItems: 1 type: array case_ids: - description: The IDs of cases where the action taken will be logged. Max of 50. + description: >- + The IDs of cases where the action taken will be logged. Max of + 50. example: - case-id-1 - case-id-2 
@@ -108541,467 +37026,194 @@ components: minItems: 1 type: array comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - - type: object - properties: - parameters: - oneOf: - - description: Dump the entire kernel memory. - type: object - properties: - type: - enum: - - kernel - type: string - required: - - type - - description: Dump the entire memory of a process using the PID. - type: object - properties: - pid: - type: number - type: - enum: - - process - type: string - required: - - type - - pid - - description: Dump the entire memory of a process using the entity ID. - type: object - properties: - entity_id: - type: string - type: - enum: - - process - type: string - required: - - type - - entity_id - required: - - parameters - Security_Endpoint_Management_API_MetadataListResponse: - example: - data: - - host_status: healthy - last_checkin: '2023-07-04T15:47:57.432Z' - metadata: - '@timestamp': '2023-07-04T15:47:57.432173535Z' - agent: - build: - original: 'version: 7.16.0, compiled: Tue Nov 16 16:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' - id: 285297c6-3bff-4b83-9a07-f3e749801123 - type: endpoint - version: 7.16.0 - data_stream: - dataset: endpoint.metadata - namespace: default - type: metrics - ecs: - version: 1.11.0 - elastic: - agent: - id: 285297c6-3bff-4b83-9a07-f3e749801123 - Endpoint: - capabilities: - - isolation - configuration: - isolation: false - policy: - applied: - endpoint_policy_version: '2' - id: d5371dcd-93b7-4627-af88-4084f7d6aa3e - name: test - status: success - version: '3' - state: - isolation: false - status: enrolled - event: - action: endpoint_metadata - agent_id_status: verified - category: - - host - created: '2023-07-04T15:47:57.432173535Z' - dataset: 
endpoint.metadata - id: MNtSXK/SkhEBnmgt++++++7S - ingested: '2023-07-04T15:47:58Z' - kind: metric - module: endpoint - sequence: 400 - type: - - info - host: - architecture: x86_64 - hostname: david-Xubuntu - id: 0cfead88e2024bd8a27476352b5ab264 - ip: - - 127.0.0.1 - - '::1' - - 10.0.2.15 - - fe80::2ac7:8e15:b957:2fa1 - mac: - - 08:00:27:e6:78:8b - name: david-Xubuntu - os: - Ext: - variant: Ubuntu - family: ubuntu - full: Ubuntu 20.04.2 - kernel: '5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 UTC 2021' - name: Linux - platform: ubuntu - type: linux - version: 20.04.2 - message: Endpoint metadata - policy_info: - agent: - applied: - id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 - revision: 0 - configured: - id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 - revision: 3 - endpoint: - id: d5371dcd-93b7-4627-af88-4084f7d6aa3e - revision: 2 - - host_status: healthy - last_checkin: '2023-07-04T15:44:31.491Z' - metadata: - '@timestamp': '2023-07-04T15:44:31.4917849Z' - agent: - build: - original: 'version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' - id: abb8a826-6812-448c-a571-6d8269b51449 - type: endpoint - version: 7.16.0 - data_stream: - dataset: endpoint.metadata - namespace: default - type: metrics - ecs: - version: 1.11.0 - elastic: - agent: - id: abb8a826-6812-448c-a571-6d8269b51449 - Endpoint: - capabilities: - - isolation - configuration: - isolation: false - policy: - applied: - endpoint_policy_version: '2' - id: d5371dcd-93b7-4627-af88-4084f7d6aa3e - name: test - status: success - version: '3' - state: - isolation: false - status: enrolled - event: - action: endpoint_metadata - agent_id_status: verified - category: - - host - created: '2023-07-04T15:44:31.4917849Z' - dataset: endpoint.metadata - id: MNtRc++KoKHXXwlj+++++/N9 - ingested: '2023-07-04T15:44:33Z' - kind: metric - module: endpoint - sequence: 5159 - type: - - info - host: - architecture: x86_64 - hostname: WinDev2104Eval - id: 
17d9cabc-7edd-43bc-bacb-8da5f5e6c0e5 - ip: - - 10.0.2.15 - - fe80::21a6:63d3:d70e:e3ad - - 127.0.0.1 - - '::1' - mac: - - 08:00:27:b1:1d:5a - name: WinDev2104Eval - os: - Ext: - variant: Windows 10 Enterprise Evaluation - family: windows - full: Windows 10 Enterprise Evaluation 20H2 (10.0.19042.906) - kernel: 20H2 (10.0.19042.906) - name: Windows - platform: windows - type: windows - version: 20H2 (10.0.19042.906) - message: Endpoint metadata - policy_info: - agent: - applied: - id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 - revision: 0 - configured: - id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 - revision: 3 - endpoint: - id: d5371dcd-93b7-4627-af88-4084f7d6aa3e - revision: 2 - page: 0 - pageSize: 10 - sortDirection: desc - sortField: enrolled_at - total: 2 - type: object - properties: {} - Security_Endpoint_Management_API_Page: - default: 1 - description: Page number - example: 1 - minimum: 1 - type: integer - Security_Endpoint_Management_API_PageSize: - default: 10 - description: Number of items per page - example: 10 - maximum: 100 - minimum: 1 - type: integer - Security_Endpoint_Management_API_Parameters: - description: Parameters object - type: object - Security_Endpoint_Management_API_PendingActionDataType: - description: Number of pending actions of this type. - type: integer - Security_Endpoint_Management_API_PendingActionsSchema: - oneOf: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids - type: object properties: - execute: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' - description: Number of pending execute actions. - get-file: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' - description: Number of pending get-file actions. 
- isolate: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' - description: Number of pending isolate actions. - kill-process: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' - description: Number of pending kill-process actions. - running-processes: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' - description: Number of pending running-processes (get processes) actions. - scan: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' - description: Number of pending scan actions. - suspend-process: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' - description: Number of pending suspend-process actions. - unisolate: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' - description: Number of pending unisolate (release) actions. - upload: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' - description: Number of pending upload actions. - - additionalProperties: true - type: object - Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse: + parameters: + type: object + properties: + id: + description: ID of the response action to cancel + example: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d + minLength: 1 + type: string + required: + - id + required: + - parameters + Security_Endpoint_Management_API_CloudFileScriptParameters: type: object properties: - note: - description: A note associated with the protection updates for the given package policy. + cloudFile: + description: Script name in cloud storage. + minLength: 1 type: string - Security_Endpoint_Management_API_RawScriptParameters: - type: object - properties: commandLine: description: Command line arguments. minLength: 1 type: string - raw: - description: Raw script content. - minLength: 1 - type: string timeout: description: Timeout in seconds. 
minimum: 1 type: integer required: - - raw - Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse: + - cloudFile + Security_Endpoint_Management_API_Command: + description: The command for the response action + enum: + - isolate + - unisolate + - kill-process + - suspend-process + - running-processes + - get-file + - execute + - upload + - scan + - runscript + - cancel + - memory-dump + minLength: 1 + type: string + Security_Endpoint_Management_API_Commands: + description: A list of response action command names. example: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: __agent__type__here_ - command: __command__name__here__ - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: {} - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false - type: object - properties: - data: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - Security_Endpoint_Management_API_ResponseActionDetails: + - isolate + - unisolate + items: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Command' + maxItems: 50 + type: array + Security_Endpoint_Management_API_Comment: + description: Optional comment + example: This is a comment + type: string + Security_Endpoint_Management_API_DownloadUri: type: object properties: - agents: - description: The agent IDs for the hosts that the response action was sent to - items: - format: uuid - type: string - type: array - agentState: - additionalProperties: - format: uuid - type: object - properties: - completedAt: - description: The date and time the response action was completed for the agent ID - type: string - isCompleted: - description: Whether the response action is completed for the agent ID - 
type: boolean - wasSuccessful: - description: Whether the response action was successful for the agent ID - type: boolean - description: The state of the response action for each agent ID that it was sent to - type: object - agentType: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - command: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Command' - completedAt: - description: The response action completion time - format: date-time - type: string - createdBy: - description: The user who created the response action - type: string - hosts: - additionalProperties: - format: uuid - type: object - properties: - name: - description: The host name - type: string - description: An object containing the host names associated with the agent IDs the response action was sent to - type: object - id: - description: The response action ID - format: uuid - type: string - isComplete: - description: Whether the response action is complete - type: boolean - isExpired: - description: Whether the response action is expired - type: boolean - outputs: - additionalProperties: - description: The agent id - format: uuid - properties: - content: - description: The response action output content for the agent ID. Exact format depends on the response action command. - oneOf: - - type: object - - type: string - type: - enum: - - json - - text - type: string - required: - - type - - content - title: Agent ID - type: object - description: | - The outputs of the response action for each agent ID that it was sent to. Content different depending on the - response action command and will only be present for agents that have responded to the response action - type: object - parameters: - description: The parameters of the response action. 
Content different depending on the response action command - type: object - startedAt: - description: The response action start time - format: date-time - type: string - status: - description: The response action status + downloadUri: + description: > + The server relative URI to download the file associated with the + output of the response action. + + URI does **not** include the space prefix + example: /api/endpoint/action/497f6eca-6276/file/35645-6276-4993/download + format: uri-reference type: string - wasSuccessful: - description: Whether the response action was successful - type: boolean - required: - - command - Security_Endpoint_Management_API_RunningProcesses: - allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - - type: object - properties: - outputs: - additionalProperties: - type: object - properties: - content: - oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputEndpoint' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne' - type: object - Security_Endpoint_Management_API_RunningProcessesOutputEndpoint: - description: Processes output for `agentType` of `endpoint` + Security_Endpoint_Management_API_EndDate: + description: An end date in ISO format or Date Math format. + example: '2023-10-31T23:59:59.999Z' + type: string + Security_Endpoint_Management_API_EndpointIds: + description: List of endpoint IDs (cannot contain empty strings). Max of 250. 
+ example: + - endpoint-id-1 + - endpoint-id-2 + items: + minLength: 1 + type: string + maxItems: 250 + minItems: 1 + type: array + Security_Endpoint_Management_API_EndpointMetadataResponse: + example: + host_status: healthy + last_checkin: '2023-07-04T15:48:57.360Z' + metadata: + '@timestamp': '2023-07-04T15:48:57.3609346Z' + agent: + build: + original: >- + version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: + 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab + id: abb8a826-6812-448c-a571-6d8269b51449 + type: endpoint + version: 7.16.0 + data_stream: + dataset: endpoint.metadata + namespace: default + type: metrics + ecs: + version: 1.11.0 + elastic: + agent: + id: abb8a826-6812-448c-a571-6d8269b51449 + Endpoint: + capabilities: + - isolation + configuration: + isolation: false + policy: + applied: + endpoint_policy_version: '2' + id: d5371dcd-93b7-4627-af88-4084f7d6aa3e + name: test + status: success + version: '3' + state: + isolation: false + status: enrolled + event: + action: endpoint_metadata + agent_id_status: verified + category: + - host + created: '2023-07-04T15:48:57.3609346Z' + dataset: endpoint.metadata + id: MNtRc++KoKHXXwlj+++++OhZ + ingested: '2023-07-04T15:48:58Z' + kind: metric + module: endpoint + sequence: 43757 + type: + - info + host: + architecture: x86_64 + hostname: WinDev2104Eval + id: 17d9cabc-7edd-43bc-bacb-8da5f5e6c0e5 + ip: + - 10.0.2.15 + - fe80::21a6:63d3:d70e:e3ad + - 127.0.0.1 + - '::1' + mac: + - 08:00:27:b1:1d:5a + name: WinDev2104Eval + os: + Ext: + variant: Windows 10 Enterprise Evaluation + family: windows + full: Windows 10 Enterprise Evaluation 20H2 (10.0.19042.906) + kernel: 20H2 (10.0.19042.906) + name: Windows + platform: windows + type: windows + version: 20H2 (10.0.19042.906) + message: Endpoint metadata + policy_info: + agent: + applied: + id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 + revision: 3 + configured: + id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 + revision: 3 + endpoint: + id: 
d5371dcd-93b7-4627-af88-4084f7d6aa3e + revision: 2 type: object - properties: - code: - type: string - entries: - items: - type: object - properties: - command: - type: string - entity_id: - type: string - pid: - type: number - user: - type: string - type: array - Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne: - allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' - - description: Processes output for `agentType` of `sentinel_one` - type: object - properties: - code: - type: string - Security_Endpoint_Management_API_Runscript: + properties: {} + Security_Endpoint_Management_API_Execute: allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - type: object properties: outputs: 
@@ -109010,56 +37222,49 @@ components: properties: content: allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_DownloadUri - type: object properties: code: type: string + cwd: + type: string + output_file_id: + type: string + output_file_stderr_truncated: + type: boolean + output_file_stdout_truncated: + type: boolean + shell_code: + type: number stderr: type: string + stderr_truncated: + type: boolean stdout: type: string + stdout_truncated: + type: boolean type: object parameters: - oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsCrowdStrike' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsMicrosoft' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsSentinelOne' - Security_Endpoint_Management_API_RunscriptParamsCrowdStrike: - type: object - properties: - cloudFile: - type: string - commandLine: - type: string - hostPath: - type: string - raw: - type: string - timeout: - type: number - Security_Endpoint_Management_API_RunscriptParamsMicrosoft: - type: object - properties: - args: - type: string - scriptName: - type: string - Security_Endpoint_Management_API_RunscriptParamsSentinelOne: - type: object - properties: - scriptId: - type: string - scriptInput: - type: string - Security_Endpoint_Management_API_RunScriptRouteRequestBody: + type: object + properties: + command: + type: string + timeout: + type: number + Security_Endpoint_Management_API_ExecuteRouteRequestBody: allOf: - type: object properties: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + description: >- + If this action is associated with any alerts, they can be + specified here. 
The action will be logged in any cases + associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -109070,7 +37275,9 @@ components: minItems: 1 type: array case_ids: - description: The IDs of cases where the action taken will be logged. Max of 50. + description: >- + The IDs of cases where the action taken will be logged. Max of + 50. example: - case-id-1 - case-id-2 @@ -109083,7 +37290,8 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: 
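Review bot: The output properties added to the Execute action schema in this hunk (`cwd`, `output_file_id`, `output_file_stderr_truncated`, `output_file_stdout_truncated`, `shell_code`, `stderr_truncated`, `stdout_truncated`) carry only a `type` and no `description`, even though the commit's purpose is to add missing descriptions; a reader cannot tell what `output_file_id` identifies or whether `shell_code` is the process exit status. If `shell_code` is an exit status, `type: integer` would document it more precisely than `type: number`, though the value range is not visible in this hunk. This file lives under `oas_docs/output`, so it is presumably regenerated from the source schema and the descriptions belong there rather than in this bundle.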
@@ -109091,19 +37299,130 @@ components: - type: object properties: parameters: - description: | - One of the following set of parameters must be provided - oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_RawScriptParameters' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_HostPathScriptParameters' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_CloudFileScriptParameters' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_SentinelOneRunScriptParameters' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_MDERunScriptParameters' + type: object + properties: + command: + description: The shell command to execute on the endpoint. + minLength: 1 + type: string + timeout: + description: >- + The maximum timeout value in seconds before the command is + terminated. + minimum: 1 + type: integer + required: + - command required: - parameters - Security_Endpoint_Management_API_Scan: + Security_Endpoint_Management_API_GetEndpointActionListResponse: + example: + data: + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: running-processes + completedAt: '2022-08-08T09:50:47.672Z' + createdBy: elastic + id: b3d6de74-36b0-4fa8-be46-c375bf1771bf + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:24:57.402Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: isolate + completedAt: '2022-08-08T10:41:57.352Z' + createdBy: elastic + id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3 + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:23:37.359Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: kill-process + comment: bad process - taking up too much cpu + completedAt: '2022-08-08T09:44:50.952Z' + createdBy: elastic + id: 5bc92c86-b8e6-42dd-837f-12ad29e09caa + isCompleted: true + isExpired: false + startedAt: '2022-08-08T14:38:44.125Z' 
+ wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: unisolate + comment: Not a threat to the network + completedAt: '2022-08-08T09:40:47.398Z' + createdBy: elastic + id: 790d54e0-3aa3-4e5b-8255-3ce9d851246a + isCompleted: true + isExpired: false + startedAt: '2022-08-08T14:38:15.391Z' + wasSuccessful: true + elasticAgentIds: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + endDate: now + page: 1 + pageSize: 10 + startDate: now-24h/h + total: 4 + type: object + properties: + agentTypes: + description: The list of agent types the query was filtered by. + items: + type: string + type: array + commands: + description: The list of commands the query was filtered by. + items: + type: string + type: array + data: + description: The list of response actions. + items: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + type: array + elasticAgentIds: + description: The list of elastic agent IDs the query was filtered by. + items: + type: string + type: array + endDate: + description: The end date filter applied to the query. + type: string + page: + description: The current page number. + type: integer + pageSize: + description: The number of items per page. + type: integer + startDate: + description: The start date filter applied to the query. + type: string + statuses: + description: The list of statuses the query was filtered by. + items: + type: string + type: array + total: + description: The total number of response actions matching the query. + type: integer + userIds: + description: The list of user IDs the query was filtered by. + items: + type: string + type: array + Security_Endpoint_Management_API_GetFile: allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - type: object properties: outputs: 
@@ -109111,24 +37430,47 @@ components: type: object properties: content: - type: object - properties: - code: - type: string + allOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_DownloadUri + - type: object + properties: + code: + type: string + contents: + items: + type: object + properties: + file_name: + type: string + path: + type: string + sha256: + type: string + size: + type: number + type: + type: string + type: array + zip_size: + type: number type: object parameters: type: object properties: path: type: string - Security_Endpoint_Management_API_ScanRouteRequestBody: + Security_Endpoint_Management_API_GetFileRouteRequestBody: allOf: - type: object properties: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + description: >- + If this action is associated with any alerts, they can be + specified here. The action will be logged in any cases + associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -109139,7 +37481,9 @@ components: minItems: 1 type: array case_ids: - description: The IDs of cases where the action taken will be logged. Max of 50. + description: >- + The IDs of cases where the action taken will be logged. Max of + 50. example: - case-id-1 - case-id-2 @@ -109152,7 +37496,8 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: 
@@ -109163,66 +37508,101 @@ components: type: object properties: path: - description: The folder or file's full path (including the file name). - example: /usr/my-file.txt + description: The full file path to retrieve from the endpoint. type: string required: - path required: - parameters - Security_Endpoint_Management_API_SentinelOneRunScriptParameters: - description: Parameters for Run Script response action against SentinelOne agent type. - example: - agent_type: sentinel_one + Security_Endpoint_Management_API_GetProcessesRouteRequestBody: + type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: >- + If this action is associated with any alerts, they can be specified + here. The action will be logged in any cases associated with the + specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + case_ids: + description: The IDs of cases where the action taken will be logged. Max of 50. + example: + - case-id-1 + - case-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - - endpoint-id-1 + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: - scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 - scriptInput: '--delete --paths-to-delete /tmp/temp_file.txt,/tmp/random_file.txt' + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + Security_Endpoint_Management_API_HostPathScriptParameters: + type: object properties: - scriptId: - description: The script ID from SentinelOne scripts library that will be executed. + commandLine: + description: Command line arguments. 
minLength: 1 type: string - scriptInput: - description: The input parameter arguments for the script that was selected. + hostPath: + description: Absolute or relative path of script on host machine. minLength: 1 type: string + timeout: + description: Timeout in seconds. + minimum: 1 + type: integer required: - - scriptId - title: SentinelOne Run Script Parameters - type: object - Security_Endpoint_Management_API_SortDirection: - description: Determines the sort order. - enum: - - asc - - desc - example: desc - type: string - Security_Endpoint_Management_API_SortField: - description: Determines which field is used to sort the results. - enum: - - enrolled_at - - metadata.host.hostname - - host_status - - metadata.Endpoint.policy.applied.name - - metadata.Endpoint.policy.applied.status - - metadata.host.os.name - - metadata.host.ip - - metadata.agent.version - - last_checkin - example: enrolled_at - type: string - Security_Endpoint_Management_API_StartDate: - description: A start date in ISO 8601 format or Date Math format. - example: '2023-10-31T00:00:00.000Z' - type: string - Security_Endpoint_Management_API_SuccessResponse: - description: A generic successful response. + - hostPath + Security_Endpoint_Management_API_HostStatuses: + description: A set of agent health statuses to filter by. + example: + - healthy + - updating + items: + enum: + - healthy + - offline + - updating + - inactive + - unenrolled + type: string + maxItems: 20 + type: array + Security_Endpoint_Management_API_Isolate: + allOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - description: Details of an isolate action response. + type: object + Security_Endpoint_Management_API_IsolateRouteResponse: type: object - Security_Endpoint_Management_API_SuspendProcess: + properties: + action: + description: The action ID (legacy field, same as `data.id`). 
+ type: string + data: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + Security_Endpoint_Management_API_KillProcess: allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - type: object properties: outputs: @@ -109247,6 +37627,14 @@ components: type: string entity_id: type: string + - type: object + properties: + code: + type: string + command: + type: string + process_name: + type: string type: object parameters: oneOf: @@ -109262,14 +37650,24 @@ components: description: The entity ID of the process to terminate. minLength: 1 type: string - Security_Endpoint_Management_API_SuspendProcessRouteRequestBody: + - type: object + properties: + process_name: + description: >- + The name of the process to terminate. Valid for + SentinelOne agent type only. + type: string + Security_Endpoint_Management_API_KillProcessRouteRequestBody: allOf: - type: object properties: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + description: >- + If this action is associated with any alerts, they can be + specified here. The action will be logged in any cases + associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -109280,7 +37678,9 @@ components: minItems: 1 type: array case_ids: - description: The IDs of cases where the action taken will be logged. Max of 50. + description: >- + The IDs of cases where the action taken will be logged. Max of + 50. example: - case-id-1 - case-id-2 
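Review bot: The `path` parameter of the get-file request body loses its `example: /usr/my-file.txt` line in this hunk while its description is rewritten to `The full file path to retrieve from the endpoint.`, which runs against the commit's stated goal of adding missing examples; keep the example next to the new description, `example: /usr/my-file.txt`. Since this is the bundled output, the change presumably has to be made in the source schema for this route and then regenerated. The enclosing request-body schema starts before the hunk.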
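Review bot: The new `process_name` alternative added to the `KillProcessRouteRequestBody` parameters has no `minLength`, so an empty string satisfies the documented schema, whereas the sibling `entity_id` alternative in the same `oneOf` carries `minLength: 1` (and `pid` has `minimum: 1`); add `minLength: 1` under `process_name` and, consistent with the rest of the commit, an `example`. Whether the route handler rejects an empty name independently of the schema is not visible here. The `oneOf` containing these alternatives starts before the hunk.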
@@ -109293,7 +37693,8 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: 
@@ -109305,2811 +37706,2832 @@ components: - type: object properties: pid: - description: The process ID (PID) of the process to suspend. - example: 123 - minimum: 1 - type: integer - - type: object - properties: - entity_id: - description: The entity ID of the process to suspend. - example: abc123 - minLength: 1 - type: string - required: - - parameters - Security_Endpoint_Management_API_Type: - description: Type of response action - enum: - - automated - - manual - type: string - Security_Endpoint_Management_API_Types: - description: List of types of response actions - example: - - automated - - manual - items: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Type' - maxLength: 2 - minLength: 1 - type: array - Security_Endpoint_Management_API_Unisolate: - allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - - description: Details of an unisolate action response. - type: object - Security_Endpoint_Management_API_UnisolateRouteResponse: - type: object - properties: - action: - description: The action ID (legacy field, same as `data.id`). 
- type: string - data: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - Security_Endpoint_Management_API_Upload: - allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - - type: object - properties: - outputs: - additionalProperties: - type: object - properties: - content: - type: object - properties: - code: - type: string - disk_free_space: - type: number - path: - type: string - type: object - parameters: - description: | - The parameters for upload returned on the details are derived via the API from the file that - was uploaded at the time that the response action was submitted - type: object - properties: - file_id: - type: string - file_name: - type: string - file_sha256: - type: string - file_size: - type: number - Security_Endpoint_Management_API_UploadRouteRequestBody: - allOf: - - type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - case_ids: - description: The IDs of cases where the action taken will be logged. Max of 50. - example: - - case-id-1 - - case-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - - type: object - properties: - file: - description: The binary content of the file. 
- example: RWxhc3RpYw== - format: binary - type: string - parameters: - type: object - properties: - overwrite: - default: false - description: Overwrite the file on the host if it already exists. - example: false - type: boolean - required: - - parameters - - file - Security_Endpoint_Management_API_UserIds: - description: A list of user IDs. Max of 50. - example: - - user-id-1 - - user-id-2 - oneOf: - - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - - minLength: 1 - type: string - Security_Endpoint_Management_API_WithOutputs: - description: A list of action IDs that should include the complete output of the action. Max of 50. - example: - - action-id-1 - - action-id-2 - oneOf: - - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - - minLength: 1 - type: string - Security_Entity_Analytics_API_Asset: - additionalProperties: false - description: Asset metadata associated with the entity. - type: object - properties: - business_unit: - description: Business unit the asset belongs to. - type: string - criticality: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' - description: The criticality level assigned to this asset. - nullable: true - environment: - description: Deployment environment (for example, production, staging). - type: string - id: - description: Unique identifier for the asset. - type: string - model: - description: Model name or number. - type: string - name: - description: Human-readable asset name. - type: string - owner: - description: The owner of the asset. - type: string - serial_number: - description: Serial number of the asset. - type: string - vendor: - description: Vendor or manufacturer. 
- type: string - Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem: - type: object - properties: - index: - type: integer - message: - type: string - required: - - message - - index - Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats: - type: object - properties: - failed: - type: integer - successful: - type: integer - total: - type: integer - required: - - successful - - failed - - total - Security_Entity_Analytics_API_AssetCriticalityLevel: - description: The criticality level of the asset. - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload: - description: The criticality level of the asset for bulk upload. The value `unassigned` is used to indicate that the criticality level is not assigned and is only used for bulk upload. - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - - unassigned - type: string - Security_Entity_Analytics_API_AssetCriticalityRecord: - allOf: - - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord' - - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts' - - type: object - properties: - '@timestamp': - description: The time the record was created or updated. 
- example: '2017-07-21T17:32:28Z' - format: date-time - type: string - required: - - '@timestamp' - example: - '@timestamp': '2024-08-02T11:15:34.290Z' - asset: - criticality: high_impact - criticality_level: high_impact - host: - asset: - criticality: high_impact - name: my_host - id_field: host.name - id_value: my_host - Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts: - type: object - properties: - asset: - type: object - properties: - criticality: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' - required: - - asset - entity: - type: object - properties: - asset: - type: object - properties: - criticality: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' - required: - - criticality - id: - type: string - required: - - id - host: - type: object - properties: - asset: - type: object - properties: - criticality: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' - required: - - criticality - name: - type: string - required: - - name - service: - type: object - properties: - asset: - type: object - properties: - criticality: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' - required: - - criticality - name: - type: string - required: - - name - user: - type: object - properties: - asset: - type: object - properties: - criticality: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' - required: - - criticality - name: - type: string - required: - - name - required: - - asset - Security_Entity_Analytics_API_AssetCriticalityRecordIdParts: - type: object - properties: - id_field: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' - description: The field representing the ID. - example: host.name - id_value: - description: The ID value of the asset. 
- type: string - required: - - id_value - - id_field - Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse: - type: object - properties: - cleanup_successful: - example: false - type: boolean - errors: - items: - type: object - properties: - error: - type: string - seq: - type: integer - required: - - seq - - error - type: array - required: - - cleanup_successful - - errors - Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse: - type: object - properties: - errors: - items: - type: object - properties: - error: - type: string - seq: - type: integer - required: - - seq - - error - type: array - risk_engine_saved_object_configured: - example: false - type: boolean - required: - - risk_engine_saved_object_configured - - errors - Security_Entity_Analytics_API_CreateAssetCriticalityRecord: - allOf: - - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts' - - type: object - properties: - criticality_level: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' + description: The process ID (PID) of the process to terminate. + example: 123 + minimum: 1 + type: integer + - type: object + properties: + entity_id: + description: The entity ID of the process to terminate. + example: abc123 + minLength: 1 + type: string + - type: object + properties: + process_name: + description: >- + The name of the process to terminate. Valid for + SentinelOne agent type only. + example: Elastic + minLength: 1 + type: string required: - - criticality_level - Security_Entity_Analytics_API_DateRange: - description: Defines the lookback period for filtering source data by timestamp. - type: object - properties: - end: - description: End of the lookback period (date math or ISO string, e.g. "now") - type: string - start: - description: Start of the lookback period (date math or ISO string, e.g. 
"now-10d") - type: string - required: - - start - - end - Security_Entity_Analytics_API_EngineComponentResource: - description: The type of Elasticsearch or Kibana resource backing an engine component. - enum: - - entity_engine - - entity_definition - - index - - data_stream - - component_template - - index_template - - ingest_pipeline - - enrich_policy - - task - - transform - - ilm_policy + - parameters + Security_Endpoint_Management_API_Kuery: + description: A KQL string. + example: 'united.endpoint.host.os.name : ''Windows''' type: string - Security_Entity_Analytics_API_EngineComponentStatus: - description: Status of an individual Elasticsearch or Kibana resource backing an engine. - type: object + Security_Endpoint_Management_API_MDERunScriptParameters: + description: >- + Parameters for Run Script response action against Microsoft Defender + Endpoint agent type. + example: + agent_type: microsoft_defender_endpoint + endpoint_ids: + - endpoint-id-1 + parameters: + args: '-param1 value1 -param2 value2' + scriptName: my-script.ps1 properties: - errors: - description: Errors reported by this component, if any. - items: - type: object - properties: - message: - description: Detailed error message. - type: string - title: - description: Short error title. - type: string - type: array - health: - description: The health status of the component. - enum: - - green - - yellow - - red - - unavailable - - unknown + args: + description: Optional command line arguments for the script. + minLength: 1 type: string - id: - description: Unique identifier for the component. + scriptName: + description: The name of the script to execute from the cloud storage. + minLength: 1 type: string - installed: - description: Whether the component is currently installed. 
- type: boolean - metadata: - $ref: '#/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata' - resource: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentResource' required: - - id - - installed - - resource - Security_Entity_Analytics_API_EngineDataviewUpdateResult: - description: The result of applying data view index changes to a single engine. + - scriptName + title: Microsoft Defender Endpoint Run Script Parameters type: object - properties: - changes: - description: The changes applied to the engine. - type: object + Security_Endpoint_Management_API_MemoryDump: + allOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - type: object properties: - indexPatterns: - description: The updated list of index patterns now used by the engine. + outputs: + additionalProperties: + type: object + properties: + content: + properties: + code: + type: string + disk_free_space: + description: >- + The free space on the host machine in bytes after the + memory dump is written to disk + type: number + file_size: + description: The size of the memory dump compressed file in bytes + type: string + path: + description: >- + The path to the memory dump compressed file on the + host machine + type: string + title: Memory dump output + type: object + type: object + parameters: + oneOf: + - properties: + type: + description: Kernel-level memory dump + enum: + - kernel + type: string + required: + - type + title: Kernel memory dump + type: object + - properties: + pid: + description: The process ID (PID) + type: number + type: + description: Process-level memory dump using a process ID + enum: + - process + type: string + required: + - type + - pid + title: Process memory dump with PID + type: object + - properties: + entity_id: + description: The process entity ID + type: string + type: + description: Process-level memory dump using an entity ID + enum: + - process + type: string + required: + - 
type + - entity_id + title: Process memory dump with entity ID + type: object + required: + - parameters + Security_Endpoint_Management_API_MemoryDumpRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: >- + If this action is associated with any alerts, they can be + specified here. The action will be logged in any cases + associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 items: + minLength: 1 type: string + maxItems: 50 + minItems: 1 type: array - type: - description: The entity type of the engine that was updated. - type: string - required: - - type - Security_Entity_Analytics_API_EngineDescriptor: - description: Describes a single entity engine, including its configuration and current status. - type: object - properties: - delay: - default: 1m - description: The delay before the transform processes new data, allowing late-arriving documents to be included. - example: 1m - pattern: '[smdh]$' - type: string - docsPerSecond: - description: Throttle value for the number of documents processed per second. Use -1 for no throttle. - type: integer - error: - description: Present when the engine status is `error`. Describes the failure. - type: object + case_ids: + description: >- + The IDs of cases where the action taken will be logged. Max of + 50. + example: + - case-id-1 + - case-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + - type: object properties: - action: - description: The lifecycle action that caused the error. 
- enum: - - init - type: string - message: - description: A human-readable error message. - type: string + parameters: + oneOf: + - description: Dump the entire kernel memory. + type: object + properties: + type: + enum: + - kernel + type: string + required: + - type + - description: Dump the entire memory of a process using the PID. + type: object + properties: + pid: + type: number + type: + enum: + - process + type: string + required: + - type + - pid + - description: Dump the entire memory of a process using the entity ID. + type: object + properties: + entity_id: + type: string + type: + enum: + - process + type: string + required: + - type + - entity_id required: - - message - - action - fieldHistoryLength: - description: The number of historical values retained per field. - example: 10 - type: integer - filter: - description: An optional Kibana Query Language (KQL) filter applied to source documents before aggregation. - example: 'host.name: "my-host"' - type: string - frequency: - default: 1m - description: How often the transform runs. - example: 1m - pattern: '[smdh]$' - type: string - indexPattern: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' - lookbackPeriod: - default: 24h - description: How far back the transform looks when calculating aggregations. - example: 24h - pattern: '[smdh]$' - type: string - status: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineStatus' - timeout: - default: 180s - description: The timeout for initializing the aggregating transform. - example: 180s - pattern: '[smdh]$' - type: string - timestampField: - description: The field used as the timestamp for source documents. 
- example: '@timestamp' - type: string - type: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - required: - - type - - indexPattern - - status - - fieldHistoryLength - Security_Entity_Analytics_API_EngineMetadata: - additionalProperties: false - description: Internal metadata attached to an entity by the engine that produced it. + - parameters + Security_Endpoint_Management_API_MetadataListResponse: + example: + data: + - host_status: healthy + last_checkin: '2023-07-04T15:47:57.432Z' + metadata: + '@timestamp': '2023-07-04T15:47:57.432173535Z' + agent: + build: + original: >- + version: 7.16.0, compiled: Tue Nov 16 16:00:00 2021, branch: + 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab + id: 285297c6-3bff-4b83-9a07-f3e749801123 + type: endpoint + version: 7.16.0 + data_stream: + dataset: endpoint.metadata + namespace: default + type: metrics + ecs: + version: 1.11.0 + elastic: + agent: + id: 285297c6-3bff-4b83-9a07-f3e749801123 + Endpoint: + capabilities: + - isolation + configuration: + isolation: false + policy: + applied: + endpoint_policy_version: '2' + id: d5371dcd-93b7-4627-af88-4084f7d6aa3e + name: test + status: success + version: '3' + state: + isolation: false + status: enrolled + event: + action: endpoint_metadata + agent_id_status: verified + category: + - host + created: '2023-07-04T15:47:57.432173535Z' + dataset: endpoint.metadata + id: MNtSXK/SkhEBnmgt++++++7S + ingested: '2023-07-04T15:47:58Z' + kind: metric + module: endpoint + sequence: 400 + type: + - info + host: + architecture: x86_64 + hostname: david-Xubuntu + id: 0cfead88e2024bd8a27476352b5ab264 + ip: + - 127.0.0.1 + - '::1' + - 10.0.2.15 + - fe80::2ac7:8e15:b957:2fa1 + mac: + - 08:00:27:e6:78:8b + name: david-Xubuntu + os: + Ext: + variant: Ubuntu + family: ubuntu + full: Ubuntu 20.04.2 + kernel: >- + 5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 + UTC 2021 + name: Linux + platform: ubuntu + type: linux + version: 20.04.2 + message: Endpoint 
metadata + policy_info: + agent: + applied: + id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 + revision: 0 + configured: + id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 + revision: 3 + endpoint: + id: d5371dcd-93b7-4627-af88-4084f7d6aa3e + revision: 2 + - host_status: healthy + last_checkin: '2023-07-04T15:44:31.491Z' + metadata: + '@timestamp': '2023-07-04T15:44:31.4917849Z' + agent: + build: + original: >- + version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: + 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab + id: abb8a826-6812-448c-a571-6d8269b51449 + type: endpoint + version: 7.16.0 + data_stream: + dataset: endpoint.metadata + namespace: default + type: metrics + ecs: + version: 1.11.0 + elastic: + agent: + id: abb8a826-6812-448c-a571-6d8269b51449 + Endpoint: + capabilities: + - isolation + configuration: + isolation: false + policy: + applied: + endpoint_policy_version: '2' + id: d5371dcd-93b7-4627-af88-4084f7d6aa3e + name: test + status: success + version: '3' + state: + isolation: false + status: enrolled + event: + action: endpoint_metadata + agent_id_status: verified + category: + - host + created: '2023-07-04T15:44:31.4917849Z' + dataset: endpoint.metadata + id: MNtRc++KoKHXXwlj+++++/N9 + ingested: '2023-07-04T15:44:33Z' + kind: metric + module: endpoint + sequence: 5159 + type: + - info + host: + architecture: x86_64 + hostname: WinDev2104Eval + id: 17d9cabc-7edd-43bc-bacb-8da5f5e6c0e5 + ip: + - 10.0.2.15 + - fe80::21a6:63d3:d70e:e3ad + - 127.0.0.1 + - '::1' + mac: + - 08:00:27:b1:1d:5a + name: WinDev2104Eval + os: + Ext: + variant: Windows 10 Enterprise Evaluation + family: windows + full: Windows 10 Enterprise Evaluation 20H2 (10.0.19042.906) + kernel: 20H2 (10.0.19042.906) + name: Windows + platform: windows + type: windows + version: 20H2 (10.0.19042.906) + message: Endpoint metadata + policy_info: + agent: + applied: + id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 + revision: 0 + configured: + id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 + revision: 3 
+ endpoint: + id: d5371dcd-93b7-4627-af88-4084f7d6aa3e + revision: 2 + page: 0 + pageSize: 10 + sortDirection: desc + sortField: enrolled_at + total: 2 + type: object + properties: {} + Security_Endpoint_Management_API_Page: + default: 1 + description: Page number + example: 1 + minimum: 1 + type: integer + Security_Endpoint_Management_API_PageSize: + default: 10 + description: Number of items per page + example: 10 + maximum: 100 + minimum: 1 + type: integer + Security_Endpoint_Management_API_Parameters: + description: Parameters object + type: object + Security_Endpoint_Management_API_PendingActionDataType: + description: Number of pending actions of this type. + type: integer + Security_Endpoint_Management_API_PendingActionsSchema: + oneOf: + - type: object + properties: + execute: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + description: Number of pending execute actions. + get-file: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + description: Number of pending get-file actions. + isolate: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + description: Number of pending isolate actions. + kill-process: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + description: Number of pending kill-process actions. + running-processes: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + description: Number of pending running-processes (get processes) actions. + scan: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + description: Number of pending scan actions. + suspend-process: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + description: Number of pending suspend-process actions. 
+ unisolate: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + description: Number of pending unisolate (release) actions. + upload: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + description: Number of pending upload actions. + - additionalProperties: true + type: object + Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse: type: object properties: - Type: - description: The engine type that produced this entity record. + note: + description: >- + A note associated with the protection updates for the given package + policy. type: string - required: - - Type - Security_Entity_Analytics_API_EngineStatus: - description: The current operational status of an entity engine. - enum: - - installing - - started - - stopped - - updating - - error - type: string - Security_Entity_Analytics_API_EntitiesContainer: - description: A collection of entities to upsert in bulk. - type: object - properties: - entities: - description: The entities to create or update. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityContainer' - type: array - required: - - entities - Security_Entity_Analytics_API_Entity: - description: An entity record from the Entity Store. The `entity` namespace is a root-level field in the latest index, unlike source logs where it is nested under `host`, `user`, or `service`. 
- oneOf: - - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserEntity' - - $ref: '#/components/schemas/Security_Entity_Analytics_API_HostEntity' - - $ref: '#/components/schemas/Security_Entity_Analytics_API_ServiceEntity' - - $ref: '#/components/schemas/Security_Entity_Analytics_API_GenericEntity' - Security_Entity_Analytics_API_EntityAnalyticsPrivileges: + Security_Endpoint_Management_API_RawScriptParameters: type: object properties: - has_all_required: - type: boolean - has_read_permissions: - type: boolean - has_write_permissions: - type: boolean - privileges: - type: object - properties: - elasticsearch: - type: object - properties: - cluster: - additionalProperties: - type: boolean - type: object - index: - additionalProperties: - additionalProperties: - type: boolean - type: object - type: object - kibana: - additionalProperties: - type: boolean - type: object - required: - - elasticsearch + commandLine: + description: Command line arguments. + minLength: 1 + type: string + raw: + description: Raw script content. + minLength: 1 + type: string + timeout: + description: Timeout in seconds. + minimum: 1 + type: integer required: - - has_all_required - - privileges - Security_Entity_Analytics_API_EntityContainer: - description: A wrapper that pairs an entity type with the entity record to upsert. 
+ - raw + Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: __agent__type__here_ + command: __command__name__here__ + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: {} + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false type: object properties: - record: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' - description: The entity record to create or update. - type: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - description: The entity type of the record. - required: - - type - - record - Security_Entity_Analytics_API_EntityField: - additionalProperties: false - description: Core entity fields shared across all entity types. The `entity` namespace is a root-level field in the Entity Store latest index. + data: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + Security_Endpoint_Management_API_ResponseActionDetails: type: object properties: - attributes: - additionalProperties: false - description: Boolean flags describing characteristics of the entity. - type: object - properties: - asset: - description: Whether the entity is classified as an asset. - type: boolean - managed: - description: Whether the entity is managed (for example, via a directory service). - type: boolean - mfa_enabled: - description: Whether multi-factor authentication is enabled for the entity. - type: boolean - privileged: - description: Whether the entity has elevated privileges. - type: boolean - behaviors: - additionalProperties: false - description: Boolean flags indicating observed behavioral signals. 
+ agents: + description: The agent IDs for the hosts that the response action was sent to + items: + format: uuid + type: string + type: array + agentState: + additionalProperties: + format: uuid + type: object + properties: + completedAt: + description: >- + The date and time the response action was completed for the + agent ID + type: string + isCompleted: + description: Whether the response action is completed for the agent ID + type: boolean + wasSuccessful: + description: Whether the response action was successful for the agent ID + type: boolean + description: >- + The state of the response action for each agent ID that it was sent + to type: object - properties: - brute_force_victim: - description: Whether the entity has been targeted by brute-force attacks. - type: boolean - new_country_login: - description: Whether the entity has logged in from a new country. - type: boolean - used_usb_device: - description: Whether the entity has used a USB device. - type: boolean - EngineMetadata: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineMetadata' - id: - description: Unique identifier for this entity. - example: arn:aws:iam::123456789012:user/jane.doe + agentType: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + command: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Command' + completedAt: + description: The response action completion time + format: date-time type: string - lifecycle: - additionalProperties: false - description: Timestamps tracking the entity lifecycle. - type: object - properties: - first_seen: - description: When the entity was first observed. - format: date-time - type: string - last_activity: - description: When the entity last generated activity. - format: date-time - type: string - last_seen: - description: When the entity was last observed. - format: date-time - type: string - name: - description: Human-readable name of the entity. 
- example: jane.doe + createdBy: + description: The user who created the response action type: string - relationships: - additionalProperties: false - description: Connections between this entity and other entities. - type: object - properties: - accessed_frequently_by: - description: Entity IDs that frequently access this entity. - items: - type: string - type: array - accesses_frequently: - description: Entity IDs this entity accesses frequently. - items: - type: string - type: array - accesses_infrequently: - description: Entity IDs this entity accesses infrequently. - items: - type: string - type: array - communicates_with: - description: Entity IDs this entity communicates with. - items: - type: string - type: array - dependent_of: - description: Entity IDs that depend on this entity. - items: - type: string - type: array - depends_on: - description: Entity IDs this entity depends on. - items: - type: string - type: array - owned_by: - description: Entity IDs that own this entity. - items: - type: string - type: array - owns: - description: Entity IDs owned by this entity. - items: - type: string - type: array - supervised_by: - description: Entity IDs that supervise this entity. - items: - type: string - type: array - supervises: - description: Entity IDs supervised by this entity. - items: + hosts: + additionalProperties: + format: uuid + type: object + properties: + name: + description: The host name type: string - type: array - risk: - additionalProperties: false - description: Risk scoring information for the entity. + description: >- + An object containing the host names associated with the agent IDs + the response action was sent to type: object - properties: - calculated_level: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels' - description: Lexical description of the entity's risk. - example: Critical - calculated_score: - description: The raw numeric value of the given entity's risk score. 
- format: double - type: number - calculated_score_norm: - description: The normalized numeric value of the given entity's risk score. Useful for comparing with other entities. - format: double - maximum: 100 - minimum: 0 - type: number - source: - description: The source that produced this entity record. + id: + description: The response action ID + format: uuid type: string - sub_type: - description: Optional sub-type classification for the entity. + isComplete: + description: Whether the response action is complete + type: boolean + isExpired: + description: Whether the response action is expired + type: boolean + outputs: + additionalProperties: + description: The agent id + format: uuid + properties: + content: + description: >- + The response action output content for the agent ID. Exact + format depends on the response action command. + oneOf: + - type: object + - type: string + type: + enum: + - json + - text + type: string + required: + - type + - content + title: Agent ID + type: object + description: > + The outputs of the response action for each agent ID that it was + sent to. Content different depending on the + + response action command and will only be present for agents that + have responded to the response action + type: object + parameters: + description: >- + The parameters of the response action. Content different depending + on the response action command + type: object + startedAt: + description: The response action start time + format: date-time type: string - type: - description: The entity type. 
- example: user + status: + description: The response action status type: string + wasSuccessful: + description: Whether the response action was successful + type: boolean required: - - id - Security_Entity_Analytics_API_EntityRiskLevels: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - Security_Entity_Analytics_API_EntityRiskScoreRecord: + - command + Security_Endpoint_Management_API_RunningProcesses: + allOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - type: object + properties: + outputs: + additionalProperties: + type: object + properties: + content: + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputEndpoint + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne + type: object + Security_Endpoint_Management_API_RunningProcessesOutputEndpoint: + description: Processes output for `agentType` of `endpoint` type: object properties: - '@timestamp': - description: The time at which the risk score was calculated. - example: '2017-07-21T17:32:28Z' - format: date-time - type: string - calculated_level: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels' - description: Lexical description of the entity's risk. - example: Critical - calculated_score: - description: The raw numeric value of the given entity's risk score. - format: double - type: number - calculated_score_norm: - description: The normalized numeric value of the given entity's risk score. Useful for comparing with other entities. - format: double - maximum: 100 - minimum: 0 - type: number - calculation_run_id: - description: Unique identifier for the scoring run that produced this document. - type: string - category_1_count: - description: The number of risk input documents that contributed to the Category 1 score (`category_1_score`). 
- type: integer - category_1_score: - description: The contribution of Category 1 to the overall risk score (`calculated_score`). Category 1 contains Detection Engine Alerts. - format: double - type: number - category_2_count: - type: integer - category_2_score: - format: double - type: number - criticality_level: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' - criticality_modifier: - format: double - type: number - id_field: - description: The identifier field defining this risk score. Coupled with `id_value`, uniquely identifies the entity being scored. - example: host.name - type: string - id_value: - description: The identifier value defining this risk score. Coupled with `id_field`, uniquely identifies the entity being scored. - example: example.host + code: type: string - inputs: - description: A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskScoreInput' - type: array - modifiers: - description: A list of modifiers that were applied to the risk score calculation. + entries: items: type: object properties: - contribution: - format: double - type: number - metadata: - additionalProperties: true - type: object - modifier_value: - format: double - type: number - subtype: - type: string - type: + command: type: string - required: - - type - - contribution - type: array - notes: - items: - type: string - type: array - related_entities: - items: - type: object - properties: entity_id: type: string - relationship_type: + pid: + type: number + user: type: string type: array - score_type: - description: Distinguishes base, propagated, and resolution scores. 
- enum: - - base - - propagated - - resolution - type: string - required: - - '@timestamp' - - id_field - - id_value - - calculated_level - - calculated_score - - calculated_score_norm - - category_1_score - - category_1_count - - inputs - - notes - Security_Entity_Analytics_API_EntitySourceType: - enum: - - index - - entity_analytics_integration - - store - type: string - Security_Entity_Analytics_API_EntityType: - description: The type of entity. - enum: - - user - - host - - service - - generic - type: string - Security_Entity_Analytics_API_Filter: - type: object - properties: - kuery: - oneOf: - - type: string - - type: object - Security_Entity_Analytics_API_GenericEntity: - additionalProperties: false - description: A generic entity record. Maps only the `entity` and `asset` namespaces. Add additional field mappings here as needed. + Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne: + allOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' + - description: Processes output for `agentType` of `sentinel_one` + type: object + properties: + code: + type: string + Security_Endpoint_Management_API_Runscript: + allOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - type: object + properties: + outputs: + additionalProperties: + type: object + properties: + content: + allOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_DownloadUri + - type: object + properties: + code: + type: string + stderr: + type: string + stdout: + type: string + type: object + parameters: + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_RunscriptParamsCrowdStrike + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_RunscriptParamsMicrosoft + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_RunscriptParamsSentinelOne + Security_Endpoint_Management_API_RunscriptParamsCrowdStrike: type: object properties: - '@timestamp': 
- description: The time the entity record was last updated. - format: date-time + cloudFile: + type: string + commandLine: + type: string + hostPath: + type: string + raw: + type: string + timeout: + type: number + Security_Endpoint_Management_API_RunscriptParamsMicrosoft: + type: object + properties: + args: type: string - asset: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' - additionalProperties: false - entity: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' - required: - - entity - Security_Entity_Analytics_API_HostEntity: - additionalProperties: false - description: An entity record representing a host, stored in the Entity Store latest index. + scriptName: + type: string + Security_Endpoint_Management_API_RunscriptParamsSentinelOne: type: object properties: - '@timestamp': - description: The time the entity record was last updated. - format: date-time + scriptId: type: string - asset: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' - additionalProperties: false - entity: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' - event: - additionalProperties: false - type: object - properties: - ingested: - description: When the event was ingested into Elasticsearch. - format: date-time - type: string - host: - additionalProperties: false - description: Elastic Common Schema (ECS) host fields collected on the entity. - type: object + scriptInput: + type: string + Security_Endpoint_Management_API_RunScriptRouteRequestBody: + allOf: + - type: object properties: - architecture: - description: Observed CPU architectures. - items: - type: string - type: array - domain: - description: Observed host domains. - items: - type: string - type: array - entity: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' - hostname: - description: Observed hostnames. 
+ agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: >- + If this action is associated with any alerts, they can be + specified here. The action will be logged in any cases + associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 items: + minLength: 1 type: string + maxItems: 50 + minItems: 1 type: array - id: - description: Observed host IDs. + case_ids: + description: >- + The IDs of cases where the action taken will be logged. Max of + 50. + example: + - case-id-1 + - case-id-2 items: + minLength: 1 type: string + maxItems: 50 + minItems: 1 type: array - ip: - description: Observed IP addresses. + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + - type: object + properties: + parameters: + description: | + One of the following set of parameters must be provided + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_RawScriptParameters + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_HostPathScriptParameters + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_CloudFileScriptParameters + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SentinelOneRunScriptParameters + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_MDERunScriptParameters + required: + - parameters + Security_Endpoint_Management_API_Scan: + allOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - type: object + properties: + outputs: + additionalProperties: + type: object + properties: + content: + type: object + properties: + code: + type: string + type: object + parameters: + type: object + properties: + path: + type: 
string + Security_Endpoint_Management_API_ScanRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: >- + If this action is associated with any alerts, they can be + specified here. The action will be logged in any cases + associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 items: + minLength: 1 type: string + maxItems: 50 + minItems: 1 type: array - mac: - description: Observed MAC addresses. + case_ids: + description: >- + The IDs of cases where the action taken will be logged. Max of + 50. + example: + - case-id-1 + - case-id-2 items: + minLength: 1 type: string + maxItems: 50 + minItems: 1 type: array - name: - description: Primary host name. - type: string - os: - additionalProperties: false - description: Elastic Common Schema (ECS) host.os fields collected on the entity latest index. + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + - type: object + properties: + parameters: type: object properties: - family: - type: string - full: - type: string - kernel: - type: string - name: - oneOf: - - type: string - - items: - type: string - type: array - platform: - type: string - type: - oneOf: - - type: string - - items: - type: string - type: array - version: + path: + description: The folder or file's full path (including the file name). + example: /usr/my-file.txt type: string - risk: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' - type: - description: Observed host types. 
- items: - type: string - type: array + required: + - path required: - - name + - parameters + Security_Endpoint_Management_API_SentinelOneRunScriptParameters: + description: >- + Parameters for Run Script response action against SentinelOne agent + type. + example: + agent_type: sentinel_one + endpoint_ids: + - endpoint-id-1 + parameters: + scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 + scriptInput: '--delete --paths-to-delete /tmp/temp_file.txt,/tmp/random_file.txt' + properties: + scriptId: + description: >- + The script ID from SentinelOne scripts library that will be + executed. + minLength: 1 + type: string + scriptInput: + description: The input parameter arguments for the script that was selected. + minLength: 1 + type: string required: - - entity - Security_Entity_Analytics_API_IdField: + - scriptId + title: SentinelOne Run Script Parameters + type: object + Security_Endpoint_Management_API_SortDirection: + description: Determines the sort order. enum: - - host.name - - user.name - - service.name - - entity.id + - asc + - desc + example: desc type: string - Security_Entity_Analytics_API_IndexPattern: - description: An additional Elasticsearch index pattern to include as a source for entity data. Merged with the default data view indices when the engine runs. - example: logs-* + Security_Endpoint_Management_API_SortField: + description: Determines which field is used to sort the results. + enum: + - enrolled_at + - metadata.host.hostname + - host_status + - metadata.Endpoint.policy.applied.name + - metadata.Endpoint.policy.applied.status + - metadata.host.os.name + - metadata.host.ip + - metadata.agent.version + - last_checkin + example: enrolled_at type: string - Security_Entity_Analytics_API_InspectQuery: - description: Debug information about the Elasticsearch query executed. - type: object - properties: - dsl: - description: Elasticsearch query DSL that was executed. 
- items: - type: string - type: array - response: - description: Raw Elasticsearch responses. - items: - type: string - type: array - required: - - dsl - - response - Security_Entity_Analytics_API_Integrations: - type: object - properties: - syncData: - description: integrations latest full sync and update syncData - type: object - properties: - lastFullSync: - description: Timestamp of the last full sync from integrations - format: date-time - type: string - lastUpdateProcessed: - description: Timestamp of the last update processed from integrations - format: date-time - type: string - syncMarkerIndex: - description: Index to read latest sync markers from - type: string - Security_Entity_Analytics_API_Interval: - description: Interval in which enrich policy runs. For example, `"1h"` means the rule runs every hour. Must be less than or equal to half the duration of the lookback period, - example: 1h - pattern: ^[1-9]\d*[smh]$ + Security_Endpoint_Management_API_StartDate: + description: A start date in ISO 8601 format or Date Math format. + example: '2023-10-31T00:00:00.000Z' type: string - Security_Entity_Analytics_API_Matcher: + Security_Endpoint_Management_API_SuccessResponse: + description: A generic successful response. type: object - properties: - fields: - items: - type: string - type: array - values: - description: | - Matcher values. Must be either an array of strings (e.g. group or role names) or an array of booleans (e.g. integration-derived flags like privileged_group_member). Mixed types are intentionally not supported for simplicity and predictability. 
- oneOf: - - items: - type: string - type: array - - items: - type: boolean - type: array - required: - - fields - - values - Security_Entity_Analytics_API_Metadata: - $ref: '#/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata' - Security_Entity_Analytics_API_MonitoredUserDoc: + Security_Endpoint_Management_API_SuspendProcess: allOf: - - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - type: object properties: - '@timestamp': - format: date-time - type: string - event: - type: object - properties: - '@timestamp': - format: date-time - type: string - ingested: - format: date-time - type: string - user: + outputs: + additionalProperties: + type: object + properties: + content: + oneOf: + - type: object + properties: + code: + type: string + command: + type: string + pid: + type: number + - type: object + properties: + code: + type: string + command: + type: string + entity_id: + type: string type: object - properties: - entity: - type: object + parameters: + oneOf: + - type: object properties: - attributes: - type: object - properties: - Privileged: - description: Indicates if the user is privileged. - type: boolean - is_privileged: - description: Indicates if the user is privileged. - type: boolean - name: - type: string - Security_Entity_Analytics_API_MonitoredUserUpdateDoc: - type: object - properties: - entity_analytics_monitoring: - type: object - properties: - labels: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringLabel' - type: array - id: - type: string - labels: - type: object + pid: + description: The process ID (PID) of the process to terminate. + minimum: 1 + type: number + - type: object + properties: + entity_id: + description: The entity ID of the process to terminate. 
+ minLength: 1 + type: string + Security_Endpoint_Management_API_SuspendProcessRouteRequestBody: + allOf: + - type: object properties: - source_ids: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: >- + If this action is associated with any alerts, they can be + specified here. The action will be logged in any cases + associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 items: + minLength: 1 type: string + maxItems: 50 + minItems: 1 type: array - source_integrations: + case_ids: + description: >- + The IDs of cases where the action taken will be logged. Max of + 50. + example: + - case-id-1 + - case-id-2 items: + minLength: 1 type: string + maxItems: 50 + minItems: 1 type: array - sources: - items: - enum: - - csv - - index_sync - - api - type: array - user: - type: object + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + - type: object properties: - is_privileged: - description: Indicates if the user is privileged. - type: boolean - name: - type: string - Security_Entity_Analytics_API_MonitoringEngineDescriptor: + parameters: + oneOf: + - type: object + properties: + pid: + description: The process ID (PID) of the process to suspend. + example: 123 + minimum: 1 + type: integer + - type: object + properties: + entity_id: + description: The entity ID of the process to suspend. 
+ example: abc123 + minLength: 1 + type: string + required: + - parameters + Security_Endpoint_Management_API_Type: + description: Type of response action + enum: + - automated + - manual + type: string + Security_Endpoint_Management_API_Types: + description: List of types of response actions + example: + - automated + - manual + items: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Type' + maxLength: 2 + minLength: 1 + type: array + Security_Endpoint_Management_API_Unisolate: + allOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - description: Details of an unisolate action response. + type: object + Security_Endpoint_Management_API_UnisolateRouteResponse: type: object properties: - error: - type: object + action: + description: The action ID (legacy field, same as `data.id`). + type: string + data: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + Security_Endpoint_Management_API_Upload: + allOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - type: object properties: - message: - description: Error message typically only present if the engine is in error state - type: string - status: - $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus' - required: - - status - Security_Entity_Analytics_API_MonitoringEntitySource: + outputs: + additionalProperties: + type: object + properties: + content: + type: object + properties: + code: + type: string + disk_free_space: + type: number + path: + type: string + type: object + parameters: + description: > + The parameters for upload returned on the details are derived + via the API from the file that + + was uploaded at the time that the response action was submitted + type: object + properties: + file_id: + type: string + file_name: + type: string + file_sha256: + type: string + file_size: + type: number + 
Security_Endpoint_Management_API_UploadRouteRequestBody: allOf: - - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySourceProperties' - type: object properties: - id: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: >- + If this action is associated with any alerts, they can be + specified here. The action will be logged in any cases + associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + case_ids: + description: >- + The IDs of cases where the action taken will be logged. Max of + 50. + example: + - case-id-1 + - case-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + - type: object + properties: + file: + description: The binary content of the file. + example: RWxhc3RpYw== + format: binary type: string + parameters: + type: object + properties: + overwrite: + default: false + description: Overwrite the file on the host if it already exists. + example: false + type: boolean required: - - type - - name - - id - - managed - Security_Entity_Analytics_API_MonitoringEntitySourceProperties: - allOf: - - $ref: '#/components/schemas/Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties' - - type: object - properties: - managed: - type: boolean - Security_Entity_Analytics_API_MonitoringLabel: - type: object - properties: - field: - type: string - source: + - parameters + - file + Security_Endpoint_Management_API_UserIds: + description: A list of user IDs. Max of 50. 
+ example: + - user-id-1 + - user-id-2 + oneOf: + - items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + - minLength: 1 type: string - value: + Security_Endpoint_Management_API_WithOutputs: + description: >- + A list of action IDs that should include the complete output of the + action. Max of 50. + example: + - action-id-1 + - action-id-2 + oneOf: + - items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + - minLength: 1 type: string - required: - - field - - value - - source - Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus: - description: The status of the Privilege Monitoring Engine - enum: - - started - - error - - disabled - - not_installed - type: string - Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem: + Security_Entity_Analytics_API_Asset: + additionalProperties: false + description: Asset metadata associated with the entity. type: object properties: - index: - nullable: true - type: integer - message: + business_unit: + description: Business unit the asset belongs to. type: string - username: + criticality: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + description: The criticality level assigned to this asset. nullable: true + environment: + description: Deployment environment (for example, production, staging). 
type: string - required: - - message - - index - - username - Security_Entity_Analytics_API_PrivmonUserCsvUploadStats: - type: object - properties: - failedOperations: - type: integer - successfulOperations: - type: integer - totalOperations: - type: integer - uploaded: - type: integer - required: - - successfulOperations - - uploaded - - failedOperations - - totalOperations - Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse: - type: object - properties: - full_error: - type: string - message: - type: string - required: - - message - - full_error - Security_Entity_Analytics_API_RiskEngineScheduleNowResponse: - type: object - properties: - success: - type: boolean - Security_Entity_Analytics_API_RiskScoreInput: - description: A generic representation of a document contributing to a Risk Score. - type: object - properties: - category: - description: The risk category of the risk input document. - example: category_1 - type: string - contribution_score: - format: double - type: number - description: - description: A human-readable description of the risk input document. - example: 'Generated from Detection Engine Rule: Malware Prevention Alert' + id: + description: Unique identifier for the asset. type: string - entity_id: - description: The EUID of the entity within the graph that generated this alert. + model: + description: Model name or number. type: string - id: - description: The unique identifier (`_id`) of the original source document - example: 91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c + name: + description: Human-readable asset name. type: string - index: - description: The unique index (`_index`) of the original source document - example: .internal.alerts-security.alerts-default-000001 + owner: + description: The owner of the asset. type: string - risk_score: - description: The weighted risk score of the risk input document. 
- format: double - maximum: 100 - minimum: 0 - type: number - timestamp: - description: The @timestamp of the risk input document. - example: '2017-07-21T17:32:28Z' + serial_number: + description: Serial number of the asset. type: string - required: - - id - - index - - description - - category - Security_Entity_Analytics_API_ServiceEntity: - additionalProperties: false - description: An entity record representing a service, stored in the Entity Store latest index. - type: object - properties: - '@timestamp': - description: The time the entity record was last updated. - format: date-time + vendor: + description: Vendor or manufacturer. type: string - asset: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' - additionalProperties: false - entity: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' - event: - additionalProperties: false - type: object - properties: - ingested: - description: When the event was ingested into Elasticsearch. - format: date-time - type: string - service: - additionalProperties: false - description: Elastic Common Schema (ECS) service fields collected on the entity. - type: object - properties: - entity: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' - name: - description: Primary service name. - type: string - risk: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' - required: - - name - required: - - entity - Security_Entity_Analytics_API_StoreStatus: - description: The overall operational status of the Entity Store. 
- enum: - - not_installed - - installing - - running - - stopped - - error - type: string - Security_Entity_Analytics_API_TaskManagerUnavailableResponse: - description: Task manager is unavailable + Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem: type: object properties: + index: + type: integer message: type: string - status_code: - minimum: 400 - type: integer required: - - status_code - message - Security_Entity_Analytics_API_TransformStatsMetadata: - description: Statistics from the underlying Elasticsearch transform. + - index + Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats: type: object properties: - delete_time_in_ms: - description: Total time spent deleting documents, in milliseconds. - type: integer - documents_deleted: - description: Total number of documents deleted from the destination index. - type: integer - documents_indexed: - description: Total number of documents written to the destination index. - type: integer - documents_processed: - description: Total number of source documents processed. - type: integer - exponential_avg_checkpoint_duration_ms: - description: Exponential moving average of checkpoint duration, in milliseconds. - type: integer - exponential_avg_documents_indexed: - description: Exponential moving average of documents indexed per checkpoint. - type: integer - exponential_avg_documents_processed: - description: Exponential moving average of documents processed per checkpoint. - type: integer - index_failures: - description: Total number of failed index operations. - type: integer - index_time_in_ms: - description: Total time spent indexing documents, in milliseconds. - type: integer - index_total: - description: Total number of index operations. - type: integer - pages_processed: - description: Number of composite aggregation pages processed. - type: integer - processing_time_in_ms: - description: Total time spent processing results, in milliseconds. 
- type: integer - processing_total: - description: Total number of processing operations. - type: integer - search_failures: - description: Total number of failed search operations. - type: integer - search_time_in_ms: - description: Total time spent on search queries, in milliseconds. + failed: type: integer - search_total: - description: Total number of search operations. + successful: type: integer - trigger_count: - description: Number of times the transform has been triggered. + total: type: integer required: - - pages_processed - - documents_processed - - documents_indexed - - trigger_count - - index_time_in_ms - - index_total - - index_failures - - search_time_in_ms - - search_total - - search_failures - - processing_time_in_ms - - processing_total - - exponential_avg_checkpoint_duration_ms - - exponential_avg_documents_indexed - - exponential_avg_documents_processed - Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties: - type: object - properties: - enabled: - type: boolean - filter: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Filter' - identifierField: - description: Field used to query the entity store for index-type sources - type: string - indexPattern: - type: string - integrationName: - type: string - integrations: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Integrations' - matchers: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Matcher' - type: array - name: - type: string - queryRule: - description: KQL query used to filter data from the provided index patterns - type: string - range: - $ref: '#/components/schemas/Security_Entity_Analytics_API_DateRange' - type: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitySourceType' - Security_Entity_Analytics_API_UserEntity: - additionalProperties: false - description: An entity record representing a user, stored in the Entity Store latest index. 
- type: object - properties: - '@timestamp': - description: The time the entity record was last updated. - format: date-time - type: string - asset: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' - additionalProperties: false - entity: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' - event: - additionalProperties: false - type: object + - successful + - failed + - total + Security_Entity_Analytics_API_AssetCriticalityLevel: + description: The criticality level of the asset. + enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload: + description: >- + The criticality level of the asset for bulk upload. The value + `unassigned` is used to indicate that the criticality level is not + assigned and is only used for bulk upload. + enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + - unassigned + type: string + Security_Entity_Analytics_API_AssetCriticalityRecord: + allOf: + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts + - type: object properties: - ingested: - description: When the event was ingested into Elasticsearch. + '@timestamp': + description: The time the record was created or updated. + example: '2017-07-21T17:32:28Z' format: date-time type: string - user: - additionalProperties: false - description: Elastic Common Schema (ECS) user fields collected on the entity. - type: object - properties: - domain: - description: Observed user domains. - items: - type: string - type: array - email: - description: Observed email addresses. - items: - type: string - type: array - full_name: - description: Observed full names of the user. - items: - type: string - type: array - hash: - description: Observed user hashes. 
- items: - type: string - type: array - id: - description: Observed user IDs. - items: - type: string - type: array - name: - description: Primary user name. - type: string - risk: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' - additionalProperties: false - roles: - description: Observed roles assigned to the user. - items: - type: string - type: array required: - - name - required: - - entity - Security_Entity_Analytics_API_UserName: + - '@timestamp' + example: + '@timestamp': '2024-08-02T11:15:34.290Z' + asset: + criticality: high_impact + criticality_level: high_impact + host: + asset: + criticality: high_impact + name: my_host + id_field: host.name + id_value: my_host + Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts: type: object properties: - entity_analytics_monitoring: - description: Entity analytics monitoring configuration for the user + asset: type: object properties: - labels: - description: Array of labels associated with the user - items: - type: object - properties: - field: - description: The field name for the label - type: string - source: - description: The source where this label was created (api, csv, or index_sync) - enum: - - api - - csv - - index_sync - type: string - value: - description: The value of the label - type: string - type: array - user: + criticality: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + required: + - asset + entity: type: object properties: - name: - description: The name of the user. 
+ asset: + type: object + properties: + criticality: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + required: + - criticality + id: type: string - Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem: - example: - matchedEntities: 1 - status: success - type: object - properties: - error: - description: Error message if the row failed to process - example: Invalid entity type - type: string - matchedEntities: - description: Number of entities matched for this row - example: 1 - type: integer - status: - enum: - - success - - failure - - unmatched - example: success - type: string - required: - - status - - matchedEntities - Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem: - example: - euid: user:john.doe - status: success - type: object - properties: - error: - description: Error message if the entity failed to process - example: Invalid entity type - type: string - euid: - description: The EUID of the entity - example: user:john.doe - type: string - status: - enum: - - success - - failure - - not_found - example: success - type: string + required: + - id + host: + type: object + properties: + asset: + type: object + properties: + criticality: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + required: + - criticality + name: + type: string + required: + - name + service: + type: object + properties: + asset: + type: object + properties: + criticality: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + required: + - criticality + name: + type: string + required: + - name + user: + type: object + properties: + asset: + type: object + properties: + criticality: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + required: + - criticality + name: + type: string + required: + - name required: - - euid - - status - Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem: - example: - 
euid: user:john.doe - status: success + - asset + Security_Entity_Analytics_API_AssetCriticalityRecordIdParts: type: object properties: - error: - description: Error message if the entity failed to process - example: Invalid entity type - type: string - euid: - description: The EUID of the entity - example: user:john.doe - type: string - status: - enum: - - success - - failure - - not_found - example: success + id_field: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' + description: The field representing the ID. + example: host.name + id_value: + description: The ID value of the asset. type: string required: - - euid - - status - Security_Entity_Analytics_API_WatchlistObject: - example: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' + - id_value + - id_field + Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse: type: object properties: - createdAt: - description: Timestamp indicating when the watchlist was created - format: date-time - type: string - description: - description: Description of the watchlist - type: string - entityCount: - description: Number of entities in the watchlist - type: number - entitySourceIds: - description: List of entity source IDs associated with the watchlist - items: - type: string - type: array - id: - description: The unique ID of the watchlist - type: string - managed: - description: Indicates if the watchlist is managed by the system + cleanup_successful: + example: false type: boolean - name: - description: The name of the watchlist - type: string - riskModifier: - description: Risk score modifier associated with the watchlist - type: number - updatedAt: - description: Timestamp indicating when the watchlist was last updated - format: date-time - type: string - required: - - name - - riskModifier - - managed - 
Security_Exceptions_API_BlocklistHashOrPathEntry: - type: object - properties: - field: - description: File hash or path field - enum: - - file.hash.md5 - - file.hash.sha1 - - file.hash.sha256 - - file.path - - file.path.caseless - type: string - operator: - description: Must be the value "included" - enum: - - included - type: string - type: - description: Must be match_any for blocklists - enum: - - match_any - type: string - value: - description: Array of hash values or file paths + errors: items: - type: string - minItems: 1 + type: object + properties: + error: + type: string + seq: + type: integer + required: + - seq + - error type: array required: - - field - - type - - value - - operator - Security_Exceptions_API_BlocklistLinuxProperties: - description: Blocklist list item properties (Linux, code signature not supported). + - cleanup_successful + - errors + Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse: type: object properties: - entries: - description: | - **Validation rules:** - * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) - * Path entry: only 1 allowed - items: - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry' - minItems: 1 - type: array - list_id: - enum: - - endpoint_blocklists - example: endpoint_blocklists - type: string - os_types: - description: Linux-only + errors: items: - enum: - - linux - type: string - maxItems: 1 - minItems: 1 + type: object + properties: + error: + type: string + seq: + type: integer + required: + - seq + - error type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + risk_engine_saved_object_configured: + example: false + type: boolean required: - - list_id - Security_Exceptions_API_BlocklistMacProperties: - description: Blocklist list item properties (macOS, code signature not supported). 
+ - risk_engine_saved_object_configured + - errors + Security_Entity_Analytics_API_CreateAssetCriticalityRecord: + allOf: + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts + - type: object + properties: + criticality_level: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + required: + - criticality_level + Security_Entity_Analytics_API_DateRange: + description: Defines the lookback period for filtering source data by timestamp. type: object properties: - entries: - description: | - **Validation rules:** - * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) - * Path entry: only 1 allowed - items: - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry' - minItems: 1 - type: array - list_id: - enum: - - endpoint_blocklists - example: endpoint_blocklists + end: + description: End of the lookback period (date math or ISO string, e.g. "now") + type: string + start: + description: >- + Start of the lookback period (date math or ISO string, e.g. + "now-10d") type: string - os_types: - description: macOS-only - items: - enum: - - macos - type: string - maxItems: 1 - minItems: 1 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - - list_id - Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry: + - start + - end + Security_Entity_Analytics_API_EngineComponentResource: + description: >- + The type of Elasticsearch or Kibana resource backing an engine + component. + enum: + - entity_engine + - entity_definition + - index + - data_stream + - component_template + - index_template + - ingest_pipeline + - enrich_policy + - task + - transform + - ilm_policy + type: string + Security_Entity_Analytics_API_EngineComponentStatus: + description: >- + Status of an individual Elasticsearch or Kibana resource backing an + engine. 
type: object properties: - entries: - description: Nested subject_name entries + errors: + description: Errors reported by this component, if any. items: type: object properties: - field: - description: Certificate subject name - enum: - - subject_name - type: string - operator: - description: Must be the value "included" - enum: - - included + message: + description: Detailed error message. type: string - type: - description: Match type for subject name - enum: - - match - - match_any + title: + description: Short error title. type: string - value: - oneOf: - - description: Single subject name (used with match) - type: string - - description: Array of subject names (used with match_any) - items: - type: string - minItems: 1 - type: array - required: - - field - - type - - value - - operator - minItems: 1 type: array - field: - description: Windows code signature field - enum: - - file.Ext.code_signature - type: string - type: - description: Must be nested for Windows code signature + health: + description: The health status of the component. enum: - - nested + - green + - yellow + - red + - unavailable + - unknown type: string - required: - - field - - type - - entries - Security_Exceptions_API_BlocklistWindowsProperties: - description: Blocklist list item properties (Windows, supports code signature). - type: object - properties: - entries: - description: | - **Validation rules:** - * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) - * Path entry: only 1 allowed - * Code signature entry: only 1 allowed - items: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry' - - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry' - minItems: 1 - type: array - list_id: - enum: - - endpoint_blocklists - example: endpoint_blocklists + id: + description: Unique identifier for the component. 
type: string - os_types: - description: Windows-only - items: - enum: - - windows - type: string - maxItems: 1 - minItems: 1 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + installed: + description: Whether the component is currently installed. + type: boolean + metadata: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Metadata' + resource: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EngineComponentResource required: - - list_id - Security_Exceptions_API_CreateExceptionListItemBase: + - id + - installed + - resource + Security_Entity_Analytics_API_EngineDataviewUpdateResult: + description: The result of applying data view index changes to a single engine. type: object properties: - comments: - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray' - default: [] - description: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' - expire_time: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' - item_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' - meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single + changes: + description: The changes applied to the engine. + type: object + properties: + indexPatterns: + description: The updated list of index patterns now used by the engine. + items: + type: string + type: array type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' + description: The entity type of the engine that was updated. 
+ type: string required: - type - - name - - description - Security_Exceptions_API_CreateExceptionListItemBlocklistLinux: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties' - Security_Exceptions_API_CreateExceptionListItemBlocklistMac: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties' - Security_Exceptions_API_CreateExceptionListItemBlocklistWindows: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties' - Security_Exceptions_API_CreateExceptionListItemComment: + Security_Entity_Analytics_API_EngineDescriptor: + description: >- + Describes a single entity engine, including its configuration and + current status. type: object properties: - comment: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - comment - Security_Exceptions_API_CreateExceptionListItemCommentArray: - items: - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment' - type: array - Security_Exceptions_API_CreateExceptionListItemEndpointList: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties' - Security_Exceptions_API_CreateExceptionListItemEventFilters: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties' - Security_Exceptions_API_CreateExceptionListItemGeneric: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - - example: - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - type: simple + delay: + default: 1m + description: >- + The delay before the transform processes new data, allowing + late-arriving documents to be included. + example: 1m + pattern: '[smdh]$' + type: string + docsPerSecond: + description: >- + Throttle value for the number of documents processed per second. Use + -1 for no throttle. + type: integer + error: + description: Present when the engine status is `error`. Describes the failure. type: object properties: - entries: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' - list_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - os_types: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' - default: [] - tags: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' - default: [] + action: + description: The lifecycle action that caused the error. + enum: + - init + type: string + message: + description: A human-readable error message. 
+ type: string required: - - list_id - - entries - Security_Exceptions_API_CreateExceptionListItemHostIsolation: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties' - Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties' - Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties' - Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties' - Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties' - Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties' - Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties' - Security_Exceptions_API_CreateRuleExceptionListItemComment: - type: object - properties: - comment: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - comment - 
Security_Exceptions_API_CreateRuleExceptionListItemCommentArray: - items: - $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment' - type: array - Security_Exceptions_API_CreateRuleExceptionListItemProps: - type: object - properties: - comments: - $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray' - default: [] - description: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' - entries: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' - expire_time: - format: date-time + - message + - action + fieldHistoryLength: + description: The number of historical values retained per field. + example: 10 + type: integer + filter: + description: >- + An optional Kibana Query Language (KQL) filter applied to source + documents before aggregation. + example: 'host.name: "my-host"' + type: string + frequency: + default: 1m + description: How often the transform runs. + example: 1m + pattern: '[smdh]$' + type: string + indexPattern: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' + lookbackPeriod: + default: 24h + description: How far back the transform looks when calculating aggregations. + example: 24h + pattern: '[smdh]$' + type: string + status: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineStatus' + timeout: + default: 180s + description: The timeout for initializing the aggregating transform. + example: 180s + pattern: '[smdh]$' + type: string + timestampField: + description: The field used as the timestamp for source documents. 
+ example: '@timestamp' type: string - item_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' - meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single - os_types: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' - default: [] - tags: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' - default: [] type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' required: - type - - name - - description - - entries - Security_Exceptions_API_EndpointArtifactTags: - default: [] - description: | - Tags for categorization. Special tags for scope control: - * `"policy:all"` - Global artifact (applies to all Elastic Defend policies) - * `"policy:"` - Private artifact (applies to specific Elastic Defend policy only, where `` is the Elastic Defend integration policy ID) - items: - type: string - type: array - Security_Exceptions_API_EndpointListProperties: - description: Elastic Endpoint exception list item properties. + - indexPattern + - status + - fieldHistoryLength + Security_Entity_Analytics_API_EngineMetadata: + additionalProperties: false + description: Internal metadata attached to an entity by the engine that produced it. type: object properties: - entries: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' - description: | - Exception entries for endpoint security exceptions (used to prevent detection rule alerts). - - **Fully flexible:** Supports any field name for maximum compatibility with detection rules. No field restrictions are enforced. 
- list_id: - enum: - - endpoint_list - example: endpoint_list + Type: + description: The engine type that produced this entity record. type: string - os_types: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' - default: [] - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - - list_id - Security_Exceptions_API_EventFiltersProperties: - description: Event filters list item properties. + - Type + Security_Entity_Analytics_API_EngineStatus: + description: The current operational status of an entity engine. + enum: + - installing + - started + - stopped + - updating + - error + type: string + Security_Entity_Analytics_API_EntitiesContainer: + description: A collection of entities to upsert in bulk. type: object properties: - entries: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' - description: | - Exception entries for the event filter. - - **Flexible field support:** Any event field name is allowed (e.g., `process.name`, `file.path`, `event.action`, `dns.question.name`, etc.) - - **Minimum requirement:** At least 1 entry required - list_id: - enum: - - endpoint_event_filters - example: endpoint_event_filters - type: string - os_types: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' - default: [] - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + entities: + description: The entities to create or update. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityContainer' + type: array required: - - list_id - Security_Exceptions_API_ExceptionList: + - entities + Security_Entity_Analytics_API_Entity: + description: >- + An entity record from the Entity Store. The `entity` namespace is a + root-level field in the latest index, unlike source logs where it is + nested under `host`, `user`, or `service`. 
+ oneOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserEntity' + - $ref: '#/components/schemas/Security_Entity_Analytics_API_HostEntity' + - $ref: '#/components/schemas/Security_Entity_Analytics_API_ServiceEntity' + - $ref: '#/components/schemas/Security_Entity_Analytics_API_GenericEntity' + Security_Entity_Analytics_API_EntityAnalyticsPrivileges: type: object properties: - _version: - description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. - type: string - created_at: - description: Autogenerated date of object creation. - format: date-time - type: string - created_by: - description: Autogenerated value - user that created object. - type: string - description: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - immutable: + has_all_required: type: boolean - list_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - os_types: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' - tags: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' - tie_breaker_id: - description: Field used in search to ensure all containers are sorted and returned correctly. 
- type: string + has_read_permissions: + type: boolean + has_write_permissions: + type: boolean + privileges: + type: object + properties: + elasticsearch: + type: object + properties: + cluster: + additionalProperties: + type: boolean + type: object + index: + additionalProperties: + additionalProperties: + type: boolean + type: object + type: object + kibana: + additionalProperties: + type: boolean + type: object + required: + - elasticsearch + required: + - has_all_required + - privileges + Security_Entity_Analytics_API_EntityContainer: + description: A wrapper that pairs an entity type with the entity record to upsert. + type: object + properties: + record: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' + description: The entity record to create or update. type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' - updated_at: - description: Autogenerated date of last object update. - format: date-time - type: string - updated_by: - description: Autogenerated value - user that last updated object. - type: string - version: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + description: The entity type of the record. required: - - id - - list_id - type - - name - - description - - immutable - - namespace_type - - version - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Exceptions_API_ExceptionListDescription: - description: Describes the exception list. - example: This list tracks allowlisted values. - type: string - Security_Exceptions_API_ExceptionListHumanId: - description: | - The exception list's human-readable string identifier. 
- - For endpoint artifacts, use one of the following values: - - * `endpoint_list`: [Elastic Endpoint exception list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) - * `endpoint_trusted_apps`: [Trusted applications list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) - * `endpoint_trusted_devices`: [Trusted devices list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) - * `endpoint_event_filters`: [Event filters list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) - * `endpoint_host_isolation_exceptions`: [Host isolation exceptions list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) - * `endpoint_blocklists`: [Blocklists list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) - example: simple_list - format: nonempty - minLength: 1 - type: string - Security_Exceptions_API_ExceptionListId: - description: Exception list's identifier. - example: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - format: nonempty - minLength: 1 - type: string - Security_Exceptions_API_ExceptionListItem: + - record + Security_Entity_Analytics_API_EntityField: + additionalProperties: false + description: >- + Core entity fields shared across all entity types. The `entity` + namespace is a root-level field in the Entity Store latest index. type: object properties: - _version: - description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. + attributes: + additionalProperties: false + description: Boolean flags describing characteristics of the entity. + type: object + properties: + asset: + description: Whether the entity is classified as an asset. + type: boolean + managed: + description: >- + Whether the entity is managed (for example, via a directory + service). 
+ type: boolean + mfa_enabled: + description: Whether multi-factor authentication is enabled for the entity. + type: boolean + privileged: + description: Whether the entity has elevated privileges. + type: boolean + behaviors: + additionalProperties: false + description: Boolean flags indicating observed behavioral signals. + type: object + properties: + brute_force_victim: + description: Whether the entity has been targeted by brute-force attacks. + type: boolean + new_country_login: + description: Whether the entity has logged in from a new country. + type: boolean + used_usb_device: + description: Whether the entity has used a USB device. + type: boolean + EngineMetadata: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineMetadata' + id: + description: Unique identifier for this entity. + example: arn:aws:iam::123456789012:user/jane.doe type: string - comments: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray' - created_at: - description: Autogenerated date of object creation. - format: date-time + lifecycle: + additionalProperties: false + description: Timestamps tracking the entity lifecycle. + type: object + properties: + first_seen: + description: When the entity was first observed. + format: date-time + type: string + last_activity: + description: When the entity last generated activity. + format: date-time + type: string + last_seen: + description: When the entity was last observed. + format: date-time + type: string + name: + description: Human-readable name of the entity. + example: jane.doe type: string - created_by: - description: Autogenerated value - user that created object. + relationships: + additionalProperties: false + description: Connections between this entity and other entities. + type: object + properties: + accessed_frequently_by: + description: Entity IDs that frequently access this entity. 
+ items: + type: string + type: array + accesses_frequently: + description: Entity IDs this entity accesses frequently. + items: + type: string + type: array + accesses_infrequently: + description: Entity IDs this entity accesses infrequently. + items: + type: string + type: array + communicates_with: + description: Entity IDs this entity communicates with. + items: + type: string + type: array + dependent_of: + description: Entity IDs that depend on this entity. + items: + type: string + type: array + depends_on: + description: Entity IDs this entity depends on. + items: + type: string + type: array + owned_by: + description: Entity IDs that own this entity. + items: + type: string + type: array + owns: + description: Entity IDs owned by this entity. + items: + type: string + type: array + supervised_by: + description: Entity IDs that supervise this entity. + items: + type: string + type: array + supervises: + description: Entity IDs supervised by this entity. + items: + type: string + type: array + risk: + additionalProperties: false + description: Risk scoring information for the entity. + type: object + properties: + calculated_level: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels + description: Lexical description of the entity's risk. + example: Critical + calculated_score: + description: The raw numeric value of the given entity's risk score. + format: double + type: number + calculated_score_norm: + description: >- + The normalized numeric value of the given entity's risk score. + Useful for comparing with other entities. + format: double + maximum: 100 + minimum: 0 + type: number + source: + description: The source that produced this entity record. 
type: string - description: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' - entries: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' - expire_time: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - item_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' - list_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - os_types: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' - tags: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' - tie_breaker_id: - description: Field used in search to ensure all containers are sorted and returned correctly. + sub_type: + description: Optional sub-type classification for the entity. type: string type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' - updated_at: - description: Autogenerated date of last object update. - format: date-time - type: string - updated_by: - description: Autogenerated value - user that last updated object. + description: The entity type. 
+ example: user type: string required: - id - - item_id - - list_id - - type - - name - - description - - entries - - namespace_type - - comments - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Exceptions_API_ExceptionListItemComment: + Security_Entity_Analytics_API_EntityRiskLevels: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + Security_Entity_Analytics_API_EntityRiskScoreRecord: type: object properties: - comment: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - created_at: - description: Autogenerated date of object creation. + '@timestamp': + description: The time at which the risk score was calculated. + example: '2017-07-21T17:32:28Z' format: date-time type: string - created_by: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - id: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - updated_at: - description: Autogenerated date of last object update. - format: date-time + calculated_level: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels' + description: Lexical description of the entity's risk. + example: Critical + calculated_score: + description: The raw numeric value of the given entity's risk score. + format: double + type: number + calculated_score_norm: + description: >- + The normalized numeric value of the given entity's risk score. + Useful for comparing with other entities. + format: double + maximum: 100 + minimum: 0 + type: number + calculation_run_id: + description: Unique identifier for the scoring run that produced this document. + type: string + category_1_count: + description: >- + The number of risk input documents that contributed to the Category + 1 score (`category_1_score`). + type: integer + category_1_score: + description: >- + The contribution of Category 1 to the overall risk score + (`calculated_score`). Category 1 contains Detection Engine Alerts. 
+ format: double + type: number + category_2_count: + type: integer + category_2_score: + format: double + type: number + criticality_level: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + criticality_modifier: + format: double + type: number + id_field: + description: >- + The identifier field defining this risk score. Coupled with + `id_value`, uniquely identifies the entity being scored. + example: host.name + type: string + id_value: + description: >- + The identifier value defining this risk score. Coupled with + `id_field`, uniquely identifies the entity being scored. + example: example.host + type: string + inputs: + description: >- + A list of the highest-risk documents contributing to this risk + score. Useful for investigative purposes. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskScoreInput' + type: array + modifiers: + description: A list of modifiers that were applied to the risk score calculation. + items: + type: object + properties: + contribution: + format: double + type: number + metadata: + additionalProperties: true + type: object + modifier_value: + format: double + type: number + subtype: + type: string + type: + type: string + required: + - type + - contribution + type: array + notes: + items: + type: string + type: array + related_entities: + items: + type: object + properties: + entity_id: + type: string + relationship_type: + type: string + type: array + score_type: + description: Distinguishes base, propagated, and resolution scores. + enum: + - base + - propagated + - resolution type: string - updated_by: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' required: - - id - - comment - - created_at - - created_by - Security_Exceptions_API_ExceptionListItemCommentArray: - description: | - Array of comment fields: - - - comment (string): Comments about the exception item. 
- items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemComment' - type: array - Security_Exceptions_API_ExceptionListItemDescription: - description: Describes the exception list. + - '@timestamp' + - id_field + - id_value + - calculated_level + - calculated_score + - calculated_score_norm + - category_1_score + - category_1_count + - inputs + - notes + Security_Entity_Analytics_API_EntitySourceType: + enum: + - index + - entity_analytics_integration + - store type: string - Security_Exceptions_API_ExceptionListItemEntry: - anyOf: - - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch' - - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny' - - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList' - - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists' - - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested' - - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard' - discriminator: - propertyName: type - Security_Exceptions_API_ExceptionListItemEntryArray: - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntry' - type: array - Security_Exceptions_API_ExceptionListItemEntryExists: + Security_Entity_Analytics_API_EntityType: + description: The type of entity. + enum: + - user + - host + - service + - generic + type: string + Security_Entity_Analytics_API_Filter: type: object properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - operator: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' - type: - enum: - - exists + kuery: + oneOf: + - type: string + - type: object + Security_Entity_Analytics_API_GenericEntity: + additionalProperties: false + description: >- + A generic entity record. Maps only the `entity` and `asset` namespaces. 
+ Add additional field mappings here as needed. + type: object + properties: + '@timestamp': + description: The time the entity record was last updated. + format: date-time type: string + asset: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' + additionalProperties: false + entity: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' required: - - type - - field - - operator - Security_Exceptions_API_ExceptionListItemEntryList: + - entity + Security_Entity_Analytics_API_HostEntity: + additionalProperties: false + description: >- + An entity record representing a host, stored in the Entity Store latest + index. type: object properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - list: + '@timestamp': + description: The time the entity record was last updated. + format: date-time + type: string + asset: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' + additionalProperties: false + entity: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' + event: + additionalProperties: false + type: object + properties: + ingested: + description: When the event was ingested into Elasticsearch. + format: date-time + type: string + host: + additionalProperties: false + description: Elastic Common Schema (ECS) host fields collected on the entity. type: object properties: + architecture: + description: Observed CPU architectures. + items: + type: string + type: array + domain: + description: Observed host domains. + items: + type: string + type: array + entity: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' + hostname: + description: Observed hostnames. + items: + type: string + type: array id: - $ref: '#/components/schemas/Security_Exceptions_API_ListId' + description: Observed host IDs. + items: + type: string + type: array + ip: + description: Observed IP addresses. 
+ items: + type: string + type: array + mac: + description: Observed MAC addresses. + items: + type: string + type: array + name: + description: Primary host name. + type: string + os: + additionalProperties: false + description: >- + Elastic Common Schema (ECS) host.os fields collected on the + entity latest index. + type: object + properties: + family: + type: string + full: + type: string + kernel: + type: string + name: + oneOf: + - type: string + - items: + type: string + type: array + platform: + type: string + type: + oneOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord type: - $ref: '#/components/schemas/Security_Exceptions_API_ListType' + description: Observed host types. + items: + type: string + type: array required: - - id - - type - operator: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' - type: - enum: - - list - type: string - required: - - type - - field - - list - - operator - Security_Exceptions_API_ExceptionListItemEntryMatch: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - operator: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' - type: - enum: - - match - type: string - value: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + - name required: - - type - - field - - value - - operator - Security_Exceptions_API_ExceptionListItemEntryMatchAny: + - entity + Security_Entity_Analytics_API_IdField: + enum: + - host.name + - user.name + - service.name + - entity.id + type: string + Security_Entity_Analytics_API_IndexPattern: + description: >- + An additional Elasticsearch index pattern to include as a source for + entity data. Merged with the default data view indices when the engine + runs. 
+ example: logs-* + type: string + Security_Entity_Analytics_API_InspectQuery: + description: Debug information about the Elasticsearch query executed. type: object properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - operator: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' - type: - enum: - - match_any - type: string - value: + dsl: + description: Elasticsearch query DSL that was executed. items: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - minItems: 1 + type: string + type: array + response: + description: Raw Elasticsearch responses. + items: + type: string type: array required: - - type - - field - - value - - operator - Security_Exceptions_API_ExceptionListItemEntryMatchWildcard: + - dsl + - response + Security_Entity_Analytics_API_Integrations: type: object properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - operator: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' - type: - enum: - - wildcard + syncData: + description: integrations latest full sync and update syncData + type: object + properties: + lastFullSync: + description: Timestamp of the last full sync from integrations + format: date-time + type: string + lastUpdateProcessed: + description: Timestamp of the last update processed from integrations + format: date-time + type: string + syncMarkerIndex: + description: Index to read latest sync markers from type: string - value: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - type - - field - - value - - operator - Security_Exceptions_API_ExceptionListItemEntryNested: + Security_Entity_Analytics_API_Interval: + description: >- + Interval in which enrich policy runs. For example, `"1h"` means the rule + runs every hour. 
Must be less than or equal to half the duration of the + lookback period, + example: 1h + pattern: ^[1-9]\d*[smh]$ + type: string + Security_Entity_Analytics_API_Matcher: type: object properties: - entries: + fields: items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem' - minItems: 1 + type: string type: array - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - type: - enum: - - nested - type: string + values: + description: > + Matcher values. Must be either an array of strings (e.g. group or + role names) or an array of booleans (e.g. integration-derived flags + like privileged_group_member). Mixed types are intentionally not + supported for simplicity and predictability. + oneOf: + - items: + type: string + type: array + - items: + type: boolean + type: array required: - - type - - field - - entries - Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch' - - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny' - - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists' - Security_Exceptions_API_ExceptionListItemEntryOperator: - enum: - - excluded - - included - type: string - Security_Exceptions_API_ExceptionListItemExpireTime: - description: The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions. - format: date-time - type: string - Security_Exceptions_API_ExceptionListItemHumanId: - description: Human readable string identifier, e.g. `trusted-linux-processes` - example: simple_list_item - format: nonempty - minLength: 1 - type: string - Security_Exceptions_API_ExceptionListItemId: - description: Exception's identifier. 
- example: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - format: nonempty - minLength: 1 - type: string - Security_Exceptions_API_ExceptionListItemMeta: - additionalProperties: true - type: object - Security_Exceptions_API_ExceptionListItemName: - description: Exception list name. - format: nonempty - minLength: 1 - type: string - Security_Exceptions_API_ExceptionListItemOsTypeArray: - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' - type: array - Security_Exceptions_API_ExceptionListItemTags: - items: - description: String array containing words and phrases to help categorize exception items. - format: nonempty - minLength: 1 - type: string - type: array - Security_Exceptions_API_ExceptionListItemType: - enum: - - simple - type: string - Security_Exceptions_API_ExceptionListMeta: - additionalProperties: true - description: Placeholder for metadata about the list container. + - fields + - values + Security_Entity_Analytics_API_Metadata: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata + Security_Entity_Analytics_API_MonitoredUserDoc: + allOf: + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc + - type: object + properties: + '@timestamp': + format: date-time + type: string + event: + type: object + properties: + '@timestamp': + format: date-time + type: string + ingested: + format: date-time + type: string + user: + type: object + properties: + entity: + type: object + properties: + attributes: + type: object + properties: + Privileged: + description: Indicates if the user is privileged. + type: boolean + is_privileged: + description: Indicates if the user is privileged. + type: boolean + name: + type: string + Security_Entity_Analytics_API_MonitoredUserUpdateDoc: type: object - Security_Exceptions_API_ExceptionListName: - description: The name of the exception list. 
- example: My exception list - type: string - Security_Exceptions_API_ExceptionListOsType: - description: Use this field to specify the operating system. - enum: - - linux - - macos - - windows - type: string - Security_Exceptions_API_ExceptionListOsTypeArray: - description: Use this field to specify the operating system. Only enter one value. - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' - type: array - Security_Exceptions_API_ExceptionListsImportBulkError: + properties: + entity_analytics_monitoring: + type: object + properties: + labels: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_MonitoringLabel + type: array + id: + type: string + labels: + type: object + properties: + source_ids: + items: + type: string + type: array + source_integrations: + items: + type: string + type: array + sources: + items: + enum: + - csv + - index_sync + - api + type: array + user: + type: object + properties: + is_privileged: + description: Indicates if the user is privileged. 
+ type: boolean + name: + type: string + Security_Entity_Analytics_API_MonitoringEngineDescriptor: type: object properties: error: type: object properties: message: + description: >- + Error message typically only present if the engine is in error + state type: string - status_code: - type: integer - required: - - status_code - - message - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - item_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' - list_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + status: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus required: - - error - Security_Exceptions_API_ExceptionListsImportBulkErrorArray: - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError' - type: array - Security_Exceptions_API_ExceptionListTags: - description: String array containing words and phrases to help categorize exception containers. - items: - type: string - type: array - Security_Exceptions_API_ExceptionListType: - description: The type of exception list to be created. Different list types may denote where they can be utilized. - enum: - - detection - - rule_default - - endpoint - - endpoint_trusted_apps - - endpoint_trusted_devices - - endpoint_events - - endpoint_host_isolation_exceptions - - endpoint_blocklists - type: string - Security_Exceptions_API_ExceptionListVersion: - description: The document version, automatically increasd on updates. - minimum: 1 - type: integer - Security_Exceptions_API_ExceptionNamespaceType: - description: | - Determines whether the exception container is available in all Kibana spaces or just the space - in which it is created, where: - - - `single`: Only available in the Kibana space in which it is created. - - `agnostic`: Available in all Kibana spaces. - - For endpoint artifacts, the `namespace_type` must always be `agnostic`. 
Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments. - enum: - - agnostic - - single - type: string - Security_Exceptions_API_FindExceptionListItemsFilter: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - Security_Exceptions_API_FindExceptionListsFilter: - example: exception-list.attributes.name:%Detection%20List - type: string - Security_Exceptions_API_HostIsolationProperties: - description: Host isolation exceptions list item properties. + - status + Security_Entity_Analytics_API_MonitoringEntitySource: + allOf: + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySourceProperties + - type: object + properties: + id: + type: string + required: + - type + - name + - id + - managed + Security_Entity_Analytics_API_MonitoringEntitySourceProperties: + allOf: + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties + - type: object + properties: + managed: + type: boolean + Security_Entity_Analytics_API_MonitoringLabel: type: object properties: - entries: - description: Exactly one entry allowed for host isolation exceptions - items: - type: object - properties: - field: - description: Must be destination.ip - enum: - - destination.ip - type: string - operator: - description: Must be the value "included" - enum: - - included - type: string - type: - description: Must be match - enum: - - match - type: string - value: - description: Valid IPv4 address or CIDR notation (e.g., "192.168.1.1" or "10.0.0.0/8") - type: string - required: - - field - - type - - value - - operator - maxItems: 1 - minItems: 1 - type: array - list_id: - enum: - - endpoint_host_isolation_exceptions - example: endpoint_host_isolation_exceptions + field: + type: string + source: + type: string + value: type: string - os_types: - description: Must include all three operating systems (windows, linux, macos) - items: - enum: - - windows - - linux - - macos - 
type: string - maxItems: 3 - minItems: 3 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - - list_id - Security_Exceptions_API_ListId: - description: Value list's identifier. - example: 21b01cfb-058d-44b9-838c-282be16c91cd - format: nonempty - minLength: 1 - type: string - Security_Exceptions_API_ListType: - description: | - Specifies the Elasticsearch data type of excludes the list container holds. Some common examples: - - - `keyword`: Many ECS fields are Elasticsearch keywords - - `ip`: IP addresses - - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) + - field + - value + - source + Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus: + description: The status of the Privilege Monitoring Engine enum: - - binary - - boolean - - byte - - date - - date_nanos - - date_range - - double - - double_range - - float - - float_range - - geo_point - - geo_shape - - half_float - - integer - - integer_range - - ip - - ip_range - - keyword - - long - - long_range - - shape - - short - - text - type: string - Security_Exceptions_API_NonEmptyString: - description: A string that does not contain only whitespace characters - format: nonempty - minLength: 1 + - started + - error + - disabled + - not_installed type: string - Security_Exceptions_API_PlatformErrorResponse: + Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem: type: object properties: - error: - type: string + index: + nullable: true + type: integer message: type: string - statusCode: + username: + nullable: true + type: string + required: + - message + - index + - username + Security_Entity_Analytics_API_PrivmonUserCsvUploadStats: + type: object + properties: + failedOperations: + type: integer + successfulOperations: + type: integer + totalOperations: + type: integer + uploaded: type: integer required: - - statusCode - - error + - successfulOperations + - uploaded + - failedOperations + - totalOperations + 
Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse: + type: object + properties: + full_error: + type: string + message: + type: string + required: - message - Security_Exceptions_API_RuleId: - $ref: '#/components/schemas/Security_Exceptions_API_UUID' - Security_Exceptions_API_SiemErrorResponse: + - full_error + Security_Entity_Analytics_API_RiskEngineScheduleNowResponse: + type: object + properties: + success: + type: boolean + Security_Entity_Analytics_API_RiskScoreInput: + description: A generic representation of a document contributing to a Risk Score. + type: object + properties: + category: + description: The risk category of the risk input document. + example: category_1 + type: string + contribution_score: + format: double + type: number + description: + description: A human-readable description of the risk input document. + example: 'Generated from Detection Engine Rule: Malware Prevention Alert' + type: string + entity_id: + description: The EUID of the entity within the graph that generated this alert. + type: string + id: + description: The unique identifier (`_id`) of the original source document + example: 91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c + type: string + index: + description: The unique index (`_index`) of the original source document + example: .internal.alerts-security.alerts-default-000001 + type: string + risk_score: + description: The weighted risk score of the risk input document. + format: double + maximum: 100 + minimum: 0 + type: number + timestamp: + description: The @timestamp of the risk input document. + example: '2017-07-21T17:32:28Z' + type: string + required: + - id + - index + - description + - category + Security_Entity_Analytics_API_ServiceEntity: + additionalProperties: false + description: >- + An entity record representing a service, stored in the Entity Store + latest index. + type: object + properties: + '@timestamp': + description: The time the entity record was last updated. 
+ format: date-time + type: string + asset: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' + additionalProperties: false + entity: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' + event: + additionalProperties: false + type: object + properties: + ingested: + description: When the event was ingested into Elasticsearch. + format: date-time + type: string + service: + additionalProperties: false + description: Elastic Common Schema (ECS) service fields collected on the entity. + type: object + properties: + entity: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' + name: + description: Primary service name. + type: string + risk: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord + required: + - name + required: + - entity + Security_Entity_Analytics_API_StoreStatus: + description: The overall operational status of the Entity Store. + enum: + - not_installed + - installing + - running + - stopped + - error + type: string + Security_Entity_Analytics_API_TaskManagerUnavailableResponse: + description: Task manager is unavailable type: object properties: message: type: string status_code: + minimum: 400 type: integer required: - status_code - message - Security_Exceptions_API_TrustedAppHashEntry: + Security_Entity_Analytics_API_TransformStatsMetadata: + description: Statistics from the underlying Elasticsearch transform. type: object properties: - field: - description: Process hash field - enum: - - process.hash.md5 - - process.hash.sha1 - - process.hash.sha256 + delete_time_in_ms: + description: Total time spent deleting documents, in milliseconds. + type: integer + documents_deleted: + description: Total number of documents deleted from the destination index. + type: integer + documents_indexed: + description: Total number of documents written to the destination index. + type: integer + documents_processed: + description: Total number of source documents processed. 
+ type: integer + exponential_avg_checkpoint_duration_ms: + description: Exponential moving average of checkpoint duration, in milliseconds. + type: integer + exponential_avg_documents_indexed: + description: Exponential moving average of documents indexed per checkpoint. + type: integer + exponential_avg_documents_processed: + description: Exponential moving average of documents processed per checkpoint. + type: integer + index_failures: + description: Total number of failed index operations. + type: integer + index_time_in_ms: + description: Total time spent indexing documents, in milliseconds. + type: integer + index_total: + description: Total number of index operations. + type: integer + pages_processed: + description: Number of composite aggregation pages processed. + type: integer + processing_time_in_ms: + description: Total time spent processing results, in milliseconds. + type: integer + processing_total: + description: Total number of processing operations. + type: integer + search_failures: + description: Total number of failed search operations. + type: integer + search_time_in_ms: + description: Total time spent on search queries, in milliseconds. + type: integer + search_total: + description: Total number of search operations. + type: integer + trigger_count: + description: Number of times the transform has been triggered. 
+ type: integer + required: + - pages_processed + - documents_processed + - documents_indexed + - trigger_count + - index_time_in_ms + - index_total + - index_failures + - search_time_in_ms + - search_total + - search_failures + - processing_time_in_ms + - processing_total + - exponential_avg_checkpoint_duration_ms + - exponential_avg_documents_indexed + - exponential_avg_documents_processed + Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties: + type: object + properties: + enabled: + type: boolean + filter: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Filter' + identifierField: + description: Field used to query the entity store for index-type sources type: string - operator: - enum: - - included + indexPattern: type: string - type: - description: Hash entries only support match type - enum: - - match + integrationName: type: string - value: - description: Hash value (MD5, SHA1, or SHA256) + integrations: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Integrations' + matchers: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Matcher' + type: array + name: + type: string + queryRule: + description: KQL query used to filter data from the provided index patterns + type: string + range: + $ref: '#/components/schemas/Security_Entity_Analytics_API_DateRange' + type: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitySourceType' + Security_Entity_Analytics_API_UserEntity: + additionalProperties: false + description: >- + An entity record representing a user, stored in the Entity Store latest + index. + type: object + properties: + '@timestamp': + description: The time the entity record was last updated. 
+ format: date-time type: string + asset: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' + additionalProperties: false + entity: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' + event: + additionalProperties: false + type: object + properties: + ingested: + description: When the event was ingested into Elasticsearch. + format: date-time + type: string + user: + additionalProperties: false + description: Elastic Common Schema (ECS) user fields collected on the entity. + type: object + properties: + domain: + description: Observed user domains. + items: + type: string + type: array + email: + description: Observed email addresses. + items: + type: string + type: array + full_name: + description: Observed full names of the user. + items: + type: string + type: array + hash: + description: Observed user hashes. + items: + type: string + type: array + id: + description: Observed user IDs. + items: + type: string + type: array + name: + description: Primary user name. + type: string + risk: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord + additionalProperties: false + roles: + description: Observed roles assigned to the user. 
+ items: + type: string + type: array + required: + - name required: - - field - - type - - value - - operator - Security_Exceptions_API_TrustedAppMacCodeSignatureEntry: + - entity + Security_Entity_Analytics_API_UserName: type: object properties: - entries: - description: Must include exactly 2 entries - one for subject_name and one for trusted - items: - oneOf: - - type: object - properties: - field: - enum: - - subject_name - type: string - operator: - enum: - - included - type: string - type: - enum: - - match - type: string - value: - description: Certificate subject name - type: string - required: - - field - - type - - value - - operator - - type: object + entity_analytics_monitoring: + description: Entity analytics monitoring configuration for the user + type: object + properties: + labels: + description: Array of labels associated with the user + items: + type: object properties: field: - enum: - - trusted - type: string - operator: - enum: - - included + description: The field name for the label type: string - type: + source: + description: >- + The source where this label was created (api, csv, or + index_sync) enum: - - match + - api + - csv + - index_sync type: string value: - description: Must be the string 'true' - enum: - - 'true' + description: The value of the label type: string - required: - - field - - type - - value - - operator - maxItems: 2 - minItems: 2 - type: array - field: - description: macOS code signature field + type: array + user: + type: object + properties: + name: + description: The name of the user. 
+ type: string + Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem: + example: + matchedEntities: 1 + status: success + type: object + properties: + error: + description: Error message if the row failed to process + example: Invalid entity type + type: string + matchedEntities: + description: Number of entities matched for this row + example: 1 + type: integer + status: enum: - - process.code_signature + - success + - failure + - unmatched + example: success + type: string + required: + - status + - matchedEntities + Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem: + example: + euid: user:john.doe + status: success + type: object + properties: + error: + description: Error message if the entity failed to process + example: Invalid entity type + type: string + euid: + description: The EUID of the entity + example: user:john.doe + type: string + status: + enum: + - success + - failure + - not_found + example: success + type: string + required: + - euid + - status + Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem: + example: + euid: user:john.doe + status: success + type: object + properties: + error: + description: Error message if the entity failed to process + example: Invalid entity type + type: string + euid: + description: The EUID of the entity + example: user:john.doe type: string - type: + status: enum: - - nested + - success + - failure + - not_found + example: success type: string required: - - field - - type - - entries - Security_Exceptions_API_TrustedAppPathEntry: + - euid + - status + Security_Entity_Analytics_API_WatchlistObject: + example: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + type: object + properties: + createdAt: + description: Timestamp indicating when the watchlist was created + format: date-time + type: string + description: + 
description: Description of the watchlist + type: string + entityCount: + description: Number of entities in the watchlist + type: number + entitySourceIds: + description: List of entity source IDs associated with the watchlist + items: + type: string + type: array + id: + description: The unique ID of the watchlist + type: string + managed: + description: Indicates if the watchlist is managed by the system + type: boolean + name: + description: The name of the watchlist + type: string + riskModifier: + description: Risk score modifier associated with the watchlist + type: number + updatedAt: + description: Timestamp indicating when the watchlist was last updated + format: date-time + type: string + required: + - name + - riskModifier + - managed + Security_Exceptions_API_BlocklistHashOrPathEntry: type: object properties: field: - description: Process executable path field + description: File hash or path field enum: - - process.executable.caseless + - file.hash.md5 + - file.hash.sha1 + - file.hash.sha256 + - file.path + - file.path.caseless type: string operator: + description: Must be the value "included" enum: - included type: string type: - description: Path supports both match and wildcard types + description: Must be match_any for blocklists enum: - - match - - wildcard + - match_any type: string value: - description: Executable path - type: string + description: Array of hash values or file paths + items: + type: string + minItems: 1 + type: array required: - field - type - value - operator - Security_Exceptions_API_TrustedAppsLinuxProperties: - description: Trusted applications list item properties (Linux). + Security_Exceptions_API_BlocklistLinuxProperties: + description: Blocklist list item properties (Linux, code signature not supported). 
type: object properties: entries: - description: Process hash or executable path entries (code signature not supported on Linux) + description: | + **Validation rules:** + * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) + * Path entry: only 1 allowed items: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry' + $ref: >- + #/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry minItems: 1 type: array list_id: enum: - - endpoint_trusted_apps - example: endpoint_trusted_apps + - endpoint_blocklists + example: endpoint_blocklists type: string os_types: - description: Must be Linux only + description: Linux-only items: enum: - linux 
@@ -112121,26 +40543,27 @@ components: $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - list_id - Security_Exceptions_API_TrustedAppsMacProperties: - description: Trusted applications list item properties (macOS). + Security_Exceptions_API_BlocklistMacProperties: + description: Blocklist list item properties (macOS, code signature not supported). type: object properties: entries: - description: Process hash, executable path, or code signature entries + description: | + **Validation rules:** + * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) + * Path entry: only 1 allowed items: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppMacCodeSignatureEntry' + $ref: >- + #/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry minItems: 1 type: array list_id: enum: - - endpoint_trusted_apps - example: endpoint_trusted_apps + - endpoint_blocklists + example: endpoint_blocklists type: string os_types: - description: Must be macOS only + description: macOS-only items: enum: - macos 
@@ -112152,125 +40575,18 @@ components: $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - list_id - Security_Exceptions_API_TrustedAppsWindowsProperties: - description: Trusted applications list item properties (Windows). - type: object - properties: - entries: - description: Process hash, executable path, or code signature entries - items: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry' - minItems: 1 - type: array - list_id: - enum: - - endpoint_trusted_apps - example: endpoint_trusted_apps - type: string - os_types: - description: Must be Windows only - items: - enum: - - windows - type: string - maxItems: 1 - minItems: 1 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry: - type: object - properties: - entries: - description: Must include exactly 2 entries - one for subject_name and one for trusted - items: - oneOf: - - type: object - properties: - field: - enum: - - subject_name - type: string - operator: - enum: - - included - type: string - type: - enum: - - match - type: string - value: - description: Certificate subject name - type: string - required: - - field - - type - - value - - operator - - type: object - properties: - field: - enum: - - trusted - type: string - operator: - enum: - - included - type: string - type: - enum: - - match - type: string - value: - description: Must be the string 'true' - enum: - - 'true' - type: string - required: - - field - - type - - value - - operator - maxItems: 2 - minItems: 2 - type: array - field: - description: Windows code signature field - enum: - - process.Ext.code_signature - type: string - type: - enum: - - nested - type: string - required: 
- - field - - type - - entries - Security_Exceptions_API_TrustedDevicesMacProperties: - description: Trusted devices list item properties (macOS-only, username not supported). + Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry: type: object properties: entries: - description: Exception entries for the trusted device (duplicate field entries are not allowed) + description: Nested subject_name entries items: type: object properties: field: - description: Device field to match against + description: Certificate subject name enum: - - device.serial_number - - device.type - - host.name - - device.vendor.name - - device.vendor.id - - device.product.id - - device.product.name + - subject_name type: string operator: description: Must be the value "included" @@ -112278,17 +40594,16 @@ components: - included type: string type: - description: Entry match type + description: Match type for subject name enum: - match - - wildcard - match_any type: string value: oneOf: - - description: Single value (used with match or wildcard) + - description: Single subject name (used with match) type: string - - description: Array of values (used with match_any) + - description: Array of subject names (used with match_any) items: type: string minItems: 1 
@@ -112300,147 +40615,45 @@ components: - operator minItems: 1 type: array - list_id: + field: + description: Windows code signature field enum: - - endpoint_trusted_devices - example: endpoint_trusted_devices + - file.Ext.code_signature type: string - os_types: - description: macOS-only - items: - enum: - - macos - type: string - maxItems: 1 - minItems: 1 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_TrustedDevicesWindowsMacProperties: - description: Trusted devices list item properties (Windows + macOS, username not supported). - type: object - properties: - entries: - description: Exception entries for the trusted device (duplicate field entries are not allowed, username not available when targeting both OS) - items: - type: object - properties: - field: - description: Device field to match against (username not available for multi-OS) - enum: - - device.serial_number - - device.type - - host.name - - device.vendor.name - - device.vendor.id - - device.product.id - - device.product.name - type: string - operator: - description: Must be the value "included" - enum: - - included - type: string - type: - description: Entry match type - enum: - - match - - wildcard - - match_any - type: string - value: - oneOf: - - description: Single value (used with match or wildcard) - type: string - - description: Array of values (used with match_any) - items: - type: string - minItems: 1 - type: array - required: - - field - - type - - value - - operator - minItems: 1 - type: array - list_id: + type: + description: Must be nested for Windows code signature enum: - - endpoint_trusted_devices - example: endpoint_trusted_devices + - nested type: string - os_types: - description: Must include both Windows and macOS (username field not allowed) - items: - enum: - - windows - - macos - type: string - maxItems: 2 - minItems: 2 - type: array - tags: - $ref: 
'#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - - list_id - Security_Exceptions_API_TrustedDevicesWindowsProperties: - description: Trusted devices list item properties (Windows-only, allows username field). + - field + - type + - entries + Security_Exceptions_API_BlocklistWindowsProperties: + description: Blocklist list item properties (Windows, supports code signature). type: object properties: entries: - description: Exception entries for the trusted device (duplicate field entries are not allowed) + description: | + **Validation rules:** + * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) + * Path entry: only 1 allowed + * Code signature entry: only 1 allowed items: - type: object - properties: - field: - description: Device field to match against (user.name is Windows-only) - enum: - - device.serial_number - - device.type - - host.name - - device.vendor.name - - device.vendor.id - - device.product.id - - device.product.name - - user.name - type: string - operator: - description: Must be the value "included" - enum: - - included - type: string - type: - description: Entry match type - enum: - - match - - wildcard - - match_any - type: string - value: - oneOf: - - description: Single value (used with match or wildcard) - type: string - - description: Array of values (used with match_any) - items: - type: string - minItems: 1 - type: array - required: - - field - - type - - value - - operator + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry + - $ref: >- + #/components/schemas/Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry minItems: 1 type: array list_id: enum: - - endpoint_trusted_devices - example: endpoint_trusted_devices + - endpoint_blocklists + example: endpoint_blocklists type: string os_types: - description: Must be Windows-only to allow username field + description: Windows-only items: enum: - windows 
@@ -112452,25 +40665,22 @@ components: $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - list_id - Security_Exceptions_API_UpdateExceptionListItemBase: + Security_Exceptions_API_CreateExceptionListItemBase: type: object properties: - _version: - description: The version ID, normally returned by the API when the item is retrieved. Use it to ensure updates are made against the latest version. - type: string comments: - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray' + $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray default: [] description: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription expire_time: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - description: Either `id` or `item_id` must be specified + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime item_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' - description: Either `id` or `item_id` must be specified + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' name: 
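Review bot: `CreateExceptionListItemBase` keeps `expire_time`, and every endpoint artifact create schema in this patch (trusted apps, trusted devices, blocklist, event filters, host isolation) is `allOf` over this base, yet the `ExceptionListItemExpireTime` description introduced in the following hunk says the field is only available for regular exception items, not endpoint exceptions. The base schema should say what happens when `expire_time` is sent for an endpoint artifact — rejected or silently ignored — because an ignored expiry on an allowlisting artifact would leave the exception in force indefinitely while the caller believes it is time-boxed. One-line fix on the property: `description: Not accepted for endpoint artifact lists (endpoint_*); see ExceptionListItemExpireTime.` — or move the property out of the base into `CreateExceptionListItemGeneric` so the contradiction disappears. Which behaviour the server actually has is not visible here and should be confirmed before wording it.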
@@ -112484,322 +40694,839 @@ components: - type - name - description - Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux: + Security_Exceptions_API_CreateExceptionListItemBlocklistLinux: allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties' - Security_Exceptions_API_UpdateExceptionListItemBlocklistMac: + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties + Security_Exceptions_API_CreateExceptionListItemBlocklistMac: allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties' - Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows: + Security_Exceptions_API_CreateExceptionListItemBlocklistWindows: allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties' - Security_Exceptions_API_UpdateExceptionListItemComment: + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties + Security_Exceptions_API_CreateExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + required: + - comment + Security_Exceptions_API_CreateExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment + type: array + Security_Exceptions_API_CreateExceptionListItemEndpointList: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase 
+ - $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties' + Security_Exceptions_API_CreateExceptionListItemEventFilters: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties' + Security_Exceptions_API_CreateExceptionListItemGeneric: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - example: + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple + type: object + properties: + entries: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + list_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListHumanId + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemTags + default: [] + required: + - list_id + - entries + Security_Exceptions_API_CreateExceptionListItemHostIsolation: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties' + Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties + Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac: + allOf: + - $ref: >- + 
#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties + Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties + Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties + Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties + Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties + Security_Exceptions_API_CreateRuleExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + required: + - comment + Security_Exceptions_API_CreateRuleExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment + type: array + Security_Exceptions_API_CreateRuleExceptionListItemProps: + type: object + properties: + comments: + $ref: >- + #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + expire_time: 
+ format: date-time + type: string + item_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' + default: [] + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' + required: + - type + - name + - description + - entries + Security_Exceptions_API_EndpointArtifactTags: + default: [] + description: > + Tags for categorization. Special tags for scope control: + + * `"policy:all"` - Global artifact (applies to all Elastic Defend + policies) + + * `"policy:"` - Private artifact (applies to specific Elastic + Defend policy only, where `` is the Elastic Defend + integration policy ID) + items: + type: string + type: array + Security_Exceptions_API_EndpointListProperties: + description: Elastic Endpoint exception list item properties. + type: object + properties: + entries: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + description: > + Exception entries for endpoint security exceptions (used to prevent + detection rule alerts). + + + **Fully flexible:** Supports any field name for maximum + compatibility with detection rules. No field restrictions are + enforced. 
+ list_id: + enum: + - endpoint_list + example: endpoint_list + type: string + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_EventFiltersProperties: + description: Event filters list item properties. type: object properties: - comment: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - id: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + entries: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + description: > + Exception entries for the event filter. + + + **Flexible field support:** Any event field name is allowed (e.g., + `process.name`, `file.path`, `event.action`, `dns.question.name`, + etc.) + + + **Minimum requirement:** At least 1 entry required + list_id: + enum: + - endpoint_event_filters + example: endpoint_event_filters + type: string + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - - comment - Security_Exceptions_API_UpdateExceptionListItemCommentArray: - items: - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment' - type: array - Security_Exceptions_API_UpdateExceptionListItemEndpointList: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties' - Security_Exceptions_API_UpdateExceptionListItemEventFilters: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties' - Security_Exceptions_API_UpdateExceptionListItemGeneric: - allOf: - - $ref: 
'#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - - example: - comments: [] - description: Updated description - entries: - - field: host.name - operator: included - type: match - value: rock01 - item_id: simple_list_item - name: Updated name - namespace_type: single - tags: [] - type: simple - type: object - properties: - entries: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' - list_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - os_types: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' - default: [] - tags: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' - required: - - entries - Security_Exceptions_API_UpdateExceptionListItemHostIsolation: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties' - Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties' - Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties' - Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties' - Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties' - 
Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties' - Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties' - Security_Exceptions_API_UUID: - description: A universally unique identifier - format: uuid - type: string - Security_Lists_API_FindListItemsCursor: - description: Returns the items that come after the last item returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all items are sorted and returned correctly. - example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d - format: nonempty - minLength: 1 - type: string - Security_Lists_API_FindListItemsFilter: - example: value:127.0.0.1 - type: string - Security_Lists_API_FindListsCursor: - example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d - format: nonempty - minLength: 1 - type: string - Security_Lists_API_FindListsFilter: - example: value:127.0.0.1 - type: string - Security_Lists_API_List: + - list_id + Security_Exceptions_API_ExceptionList: type: object properties: _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - '@timestamp': - example: '2025-01-08T04:47:34.273Z' - format: date-time + description: >- + The version id, normally returned by the API when the item was + retrieved. Use it ensure updates are done against the latest + version. type: string created_at: description: Autogenerated date of object creation. - example: '2025-01-08T04:47:34.273Z' format: date-time type: string created_by: description: Autogenerated value - user that created object. 
- example: elastic type: string description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListDescription id: - $ref: '#/components/schemas/Security_Lists_API_ListId' + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' immutable: type: boolean + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' name: - $ref: '#/components/schemas/Security_Lists_API_ListName' + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' tie_breaker_id: - description: Field used in search to ensure all containers are sorted and returned correctly. - example: f5508188-b1e9-4e6e-9662-d039a7d89899 + description: >- + Field used in search to ensure all containers are sorted and + returned correctly. type: string type: - $ref: '#/components/schemas/Security_Lists_API_ListType' + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' updated_at: description: Autogenerated date of last object update. - example: '2025-01-08T04:47:34.273Z' format: date-time type: string updated_by: description: Autogenerated value - user that last updated object. 
- example: elastic type: string version: - $ref: '#/components/schemas/Security_Lists_API_ListVersion' + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' required: - id + - list_id - type - name - description - immutable + - namespace_type - version - tie_breaker_id - created_at - created_by - updated_at - updated_by - Security_Lists_API_ListDescription: - description: Describes the value list. + Security_Exceptions_API_ExceptionListDescription: + description: Describes the exception list. + example: This list tracks allowlisted values. + type: string + Security_Exceptions_API_ExceptionListHumanId: + description: > + The exception list's human-readable string identifier. + + + For endpoint artifacts, use one of the following values: + + + * `endpoint_list`: [Elastic Endpoint exception + list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) + + * `endpoint_trusted_apps`: [Trusted applications + list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) + + * `endpoint_trusted_devices`: [Trusted devices + list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) + + * `endpoint_event_filters`: [Event filters + list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) + + * `endpoint_host_isolation_exceptions`: [Host isolation exceptions + list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) + + * `endpoint_blocklists`: [Blocklists + list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) + example: simple_list format: nonempty minLength: 1 type: string - Security_Lists_API_ListId: - description: Value list's identifier. - example: 21b01cfb-058d-44b9-838c-282be16c91cd + Security_Exceptions_API_ExceptionListId: + description: Exception list's identifier. 
+ example: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 format: nonempty minLength: 1 type: string - Security_Lists_API_ListItem: + Security_Exceptions_API_ExceptionListItem: type: object properties: _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - '@timestamp': - example: '2025-01-08T04:47:34.273Z' - format: date-time + description: >- + The version id, normally returned by the API when the item was + retrieved. Use it ensure updates are done against the latest + version. type: string + comments: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray created_at: description: Autogenerated date of object creation. - example: '2025-01-08T04:47:34.273Z' format: date-time type: string created_by: description: Autogenerated value - user that created object. - example: elastic type: string + description: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + expire_time: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + item_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId list_id: - $ref: '#/components/schemas/Security_Lists_API_ListId' + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + tags: + $ref: 
'#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' tie_breaker_id: - description: Field used in search to ensure all containers are sorted and returned correctly. - example: f5508188-b1e9-4e6e-9662-d039a7d89899 + description: >- + Field used in search to ensure all containers are sorted and + returned correctly. type: string type: - $ref: '#/components/schemas/Security_Lists_API_ListType' + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' updated_at: description: Autogenerated date of last object update. - example: '2025-01-08T04:47:34.273Z' format: date-time type: string updated_by: description: Autogenerated value - user that last updated object. - example: elastic type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' required: - id - - type + - item_id - list_id - - value + - type + - name + - description + - entries + - namespace_type + - comments - tie_breaker_id - created_at - created_by - updated_at - updated_by - Security_Lists_API_ListItemId: - description: Value list item's identifier. - example: 54b01cfb-058d-44b9-838c-282be16c91cd + Security_Exceptions_API_ExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + created_at: + description: Autogenerated date of object creation. + format: date-time + type: string + created_by: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + id: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + updated_at: + description: Autogenerated date of last object update. + format: date-time + type: string + updated_by: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + required: + - id + - comment + - created_at + - created_by + Security_Exceptions_API_ExceptionListItemCommentArray: + description: | + Array of comment fields: + + - comment (string): Comments about the exception item. 
+ items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemComment' + type: array + Security_Exceptions_API_ExceptionListItemDescription: + description: Describes the exception list. + type: string + Security_Exceptions_API_ExceptionListItemEntry: + anyOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard + discriminator: + propertyName: type + Security_Exceptions_API_ExceptionListItemEntryArray: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntry' + type: array + Security_Exceptions_API_ExceptionListItemEntryExists: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - exists + type: string + required: + - type + - field + - operator + Security_Exceptions_API_ExceptionListItemEntryList: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + list: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Exceptions_API_ListId' + type: + $ref: '#/components/schemas/Security_Exceptions_API_ListType' + required: + - id + - type + operator: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - list + type: string + required: + - type + - field + - list + - operator + Security_Exceptions_API_ExceptionListItemEntryMatch: + type: object + 
properties: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match + type: string + value: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + required: + - type + - field + - value + - operator + Security_Exceptions_API_ExceptionListItemEntryMatchAny: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match_any + type: string + value: + items: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + minItems: 1 + type: array + required: + - type + - field + - value + - operator + Security_Exceptions_API_ExceptionListItemEntryMatchWildcard: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - wildcard + type: string + value: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + required: + - type + - field + - value + - operator + Security_Exceptions_API_ExceptionListItemEntryNested: + type: object + properties: + entries: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem + minItems: 1 + type: array + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + type: + enum: + - nested + type: string + required: + - type + - field + - entries + Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + 
#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists + Security_Exceptions_API_ExceptionListItemEntryOperator: + enum: + - excluded + - included + type: string + Security_Exceptions_API_ExceptionListItemExpireTime: + description: >- + The exception item’s expiration date, in ISO format. This field is only + available for regular exception items, not endpoint exceptions. + format: date-time + type: string + Security_Exceptions_API_ExceptionListItemHumanId: + description: Human readable string identifier, e.g. `trusted-linux-processes` + example: simple_list_item format: nonempty minLength: 1 type: string - Security_Lists_API_ListItemMetadata: + Security_Exceptions_API_ExceptionListItemId: + description: Exception's identifier. + example: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + format: nonempty + minLength: 1 + type: string + Security_Exceptions_API_ExceptionListItemMeta: additionalProperties: true - description: Placeholder for metadata about the value list item. type: object - Security_Lists_API_ListItemPrivileges: + Security_Exceptions_API_ExceptionListItemName: + description: Exception list name. + format: nonempty + minLength: 1 + type: string + Security_Exceptions_API_ExceptionListItemOsTypeArray: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' + type: array + Security_Exceptions_API_ExceptionListItemTags: + items: + description: >- + String array containing words and phrases to help categorize exception + items. + format: nonempty + minLength: 1 + type: string + type: array + Security_Exceptions_API_ExceptionListItemType: + enum: + - simple + type: string + Security_Exceptions_API_ExceptionListMeta: + additionalProperties: true + description: Placeholder for metadata about the list container. + type: object + Security_Exceptions_API_ExceptionListName: + description: The name of the exception list. 
+ example: My exception list + type: string + Security_Exceptions_API_ExceptionListOsType: + description: Use this field to specify the operating system. + enum: + - linux + - macos + - windows + type: string + Security_Exceptions_API_ExceptionListOsTypeArray: + description: Use this field to specify the operating system. Only enter one value. + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' + type: array + Security_Exceptions_API_ExceptionListsImportBulkError: type: object properties: - application: - additionalProperties: - type: boolean - type: object - cluster: - additionalProperties: - type: boolean + error: type: object - has_all_requested: - type: boolean - index: - additionalProperties: - additionalProperties: - type: boolean + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + item_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + required: + - error + Security_Exceptions_API_ExceptionListsImportBulkErrorArray: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError + type: array + Security_Exceptions_API_ExceptionListTags: + description: >- + String array containing words and phrases to help categorize exception + containers. + items: + type: string + type: array + Security_Exceptions_API_ExceptionListType: + description: >- + The type of exception list to be created. Different list types may + denote where they can be utilized. 
+ enum: + - detection + - rule_default + - endpoint + - endpoint_trusted_apps + - endpoint_trusted_devices + - endpoint_events + - endpoint_host_isolation_exceptions + - endpoint_blocklists + type: string + Security_Exceptions_API_ExceptionListVersion: + description: The document version, automatically increasd on updates. + minimum: 1 + type: integer + Security_Exceptions_API_ExceptionNamespaceType: + description: > + Determines whether the exception container is available in all Kibana + spaces or just the space + + in which it is created, where: + + + - `single`: Only available in the Kibana space in which it is created. + + - `agnostic`: Available in all Kibana spaces. + + + For endpoint artifacts, the `namespace_type` must always be `agnostic`. + Space awareness for endpoint artifacts is enforced based on Elastic + Defend policy assignments. + enum: + - agnostic + - single + type: string + Security_Exceptions_API_FindExceptionListItemsFilter: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + Security_Exceptions_API_FindExceptionListsFilter: + example: exception-list.attributes.name:%Detection%20List + type: string + Security_Exceptions_API_HostIsolationProperties: + description: Host isolation exceptions list item properties. 
+ type: object + properties: + entries: + description: Exactly one entry allowed for host isolation exceptions + items: type: object - type: object - username: + properties: + field: + description: Must be destination.ip + enum: + - destination.ip + type: string + operator: + description: Must be the value "included" + enum: + - included + type: string + type: + description: Must be match + enum: + - match + type: string + value: + description: >- + Valid IPv4 address or CIDR notation (e.g., "192.168.1.1" or + "10.0.0.0/8") + type: string + required: + - field + - type + - value + - operator + maxItems: 1 + minItems: 1 + type: array + list_id: + enum: + - endpoint_host_isolation_exceptions + example: endpoint_host_isolation_exceptions type: string + os_types: + description: Must include all three operating systems (windows, linux, macos) + items: + enum: + - windows + - linux + - macos + type: string + maxItems: 3 + minItems: 3 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - - username - - has_all_requested - - cluster - - index - - application - Security_Lists_API_ListItemValue: - description: The value used to evaluate exceptions. - format: nonempty - minLength: 1 - type: string - Security_Lists_API_ListMetadata: - additionalProperties: true - description: Placeholder for metadata about the value list. - type: object - Security_Lists_API_ListName: - description: Value list's name. - example: List of bad IPs + - list_id + Security_Exceptions_API_ListId: + description: Value list's identifier. 
+ example: 21b01cfb-058d-44b9-838c-282be16c91cd format: nonempty minLength: 1 type: string - Security_Lists_API_ListPrivileges: - type: object - properties: - application: - additionalProperties: - type: boolean - type: object - cluster: - additionalProperties: - type: boolean - type: object - has_all_requested: - type: boolean - index: - additionalProperties: - additionalProperties: - type: boolean - type: object - type: object - username: - type: string - required: - - username - - has_all_requested - - cluster - - index - - application - Security_Lists_API_ListType: - description: | - Specifies the Elasticsearch data type of excludes the list container holds. Some common examples: + Security_Exceptions_API_ListType: + description: > + Specifies the Elasticsearch data type of excludes the list container + holds. Some common examples: + - `keyword`: Many ECS fields are Elasticsearch keywords + - `ip`: IP addresses - - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) + + - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR + notation) enum: - binary - boolean @@ -112825,17 +41552,12 @@ components: - short - text type: string - Security_Lists_API_ListVersion: - description: The document version number. - example: 1 - minimum: 1 - type: integer - Security_Lists_API_ListVersionId: - description: | - The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version. - example: WzIsMV0= + Security_Exceptions_API_NonEmptyString: + description: A string that does not contain only whitespace characters + format: nonempty + minLength: 1 type: string - Security_Lists_API_PlatformErrorResponse: + Security_Exceptions_API_PlatformErrorResponse: type: object properties: error: 
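Review bot: `HostIsolationProperties.entries[].value` is typed as a bare `string` with only the prose "Valid IPv4 address or CIDR notation", so neither the schema nor the docs say whether IPv6 is rejected or how broad a range is allowed; a host isolation exception is a hole punched in containment, and a value such as `0.0.0.0/8` or `0.0.0.0/0`, if accepted, would presumably permit most or all outbound traffic from an isolated host. The constraint should be explicit in the source schema this bundle is generated from: add `example: 192.168.1.0/24` and a `pattern` for dotted-quad IPv4 with an optional `/0-32` prefix (or state plainly that IPv6 and unbounded ranges are rejected). Two smaller doc nits in the same hunk: `ExceptionListItemDescription` says "Describes the exception list." but is the item's description (`Describes the exception list item.`), and `ExceptionListVersion` has "increasd" for "increased".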
@@ -112848,7 +41570,9 @@ components:
 - statusCode
 - error
 - message
- Security_Lists_API_SiemErrorResponse:
+ Security_Exceptions_API_RuleId:
+ $ref: '#/components/schemas/Security_Exceptions_API_UUID'
+ Security_Exceptions_API_SiemErrorResponse:
 type: object
 properties:
 message:
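Review bot: `Security_Exceptions_API_RuleId` is added as a bare `$ref` to `Security_Exceptions_API_UUID` with no description, even though filling in missing descriptions is the point of this commit. If this bundle targets OpenAPI 3.0, sibling keys next to `$ref` are ignored, so a description cannot simply be placed beside it; the schema would need to be written as an `allOf` containing the UUID `$ref` plus a `description` stating which rule the identifier refers to (presumably the detection rule an exception is attached to — confirm against the rule-exceptions endpoints). As with the rest of this file, the fix belongs in the source schema the bundle is generated from.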
@@ -112858,1058 +41582,1017 @@ components: required: - status_code - message - Security_Osquery_API_ArrayQueries: - description: An array of queries to run. - items: - $ref: '#/components/schemas/Security_Osquery_API_ArrayQueriesItem' - type: array - Security_Osquery_API_ArrayQueriesItem: + Security_Exceptions_API_TrustedAppHashEntry: type: object properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - id: - $ref: '#/components/schemas/Security_Osquery_API_QueryId' - platform: - $ref: '#/components/schemas/Security_Osquery_API_Platform' - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_Removed' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_Snapshot' - version: - $ref: '#/components/schemas/Security_Osquery_API_Version' - Security_Osquery_API_CopyPacksResponse: - description: The response for copying a pack. - example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: false - name: my_pack_copy - policy_ids: [] - queries: - - ecs_mapping: - - key: client.port - value: - field: port - id: ports - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: [] - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic + field: + description: Process hash field + enum: + - process.hash.md5 + - process.hash.sha1 + - process.hash.sha256 + type: string + operator: + enum: + - included + type: string + type: + description: Hash entries only support match type + enum: + - match + type: string + value: + description: Hash value (MD5, SHA1, or SHA256) + type: string + required: + - field + - type + - value + - operator + Security_Exceptions_API_TrustedAppMacCodeSignatureEntry: type: object properties: - data: - type: object - properties: - created_at: - format: date-time - type: 
string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: '#/components/schemas/Security_Osquery_API_PackDescription' - enabled: - $ref: '#/components/schemas/Security_Osquery_API_Enabled' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' - queries: - description: 'Pack queries in saved-object storage format (array). Note: the read endpoint returns object format.' - items: - type: object + entries: + description: >- + Must include exactly 2 entries - one for subject_name and one for + trusted + items: + oneOf: + - type: object properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' - id: + field: + enum: + - subject_name type: string - interval: - type: integer - platform: + operator: + enum: + - included type: string - query: + type: + enum: + - match type: string - removed: - type: boolean - snapshot: - type: boolean - timeout: - type: integer - version: + value: + description: Certificate subject name type: string - type: array - saved_object_id: - description: The saved object ID of the copied pack. - type: string - shards: - description: Shard configuration as an array of key-value pairs. - items: - type: object + required: + - field + - type + - value + - operator + - type: object properties: - key: + field: + enum: + - trusted + type: string + operator: + enum: + - included + type: string + type: + enum: + - match type: string value: - type: number - type: array - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: - type: string - version: - description: The pack version number. 
- type: integer - required: - - saved_object_id - - name + description: Must be the string 'true' + enum: + - 'true' + type: string + required: + - field + - type + - value + - operator + maxItems: 2 + minItems: 2 + type: array + field: + description: macOS code signature field + enum: + - process.code_signature + type: string + type: + enum: + - nested + type: string required: - - data - Security_Osquery_API_CopySavedQueryResponse: - description: The response for copying a saved query. - example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query_copy - interval: '60' - platform: linux,darwin - query: select * from uptime; - removed: false - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - snapshot: true - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic + - field + - type + - entries + Security_Exceptions_API_TrustedAppPathEntry: type: object properties: - data: - type: object - properties: - created_at: - format: date-time - type: string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - oneOf: - - type: integer - - type: string - platform: - $ref: '#/components/schemas/Security_Osquery_API_Platform' - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_Removed' - saved_object_id: - type: string - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_Snapshot' - timeout: - type: integer - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: - type: string - required: - - 
saved_object_id - - id + field: + description: Process executable path field + enum: + - process.executable.caseless + type: string + operator: + enum: + - included + type: string + type: + description: Path supports both match and wildcard types + enum: + - match + - wildcard + type: string + value: + description: Executable path + type: string required: - - data - Security_Osquery_API_CreateLiveQueryRequestBody: - example: - agent_all: true - ecs_mapping: - host.uptime: - field: total_seconds - query: select * from uptime; + - field + - type + - value + - operator + Security_Exceptions_API_TrustedAppsLinuxProperties: + description: Trusted applications list item properties (Linux). type: object properties: - agent_all: - description: When `true`, the query runs on all agents. - type: boolean - agent_ids: - description: A list of agent IDs to run the query on. + entries: + description: >- + Process hash or executable path entries (code signature not + supported on Linux) + items: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppHashEntry + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppPathEntry + minItems: 1 + type: array + list_id: + enum: + - endpoint_trusted_apps + example: endpoint_trusted_apps + type: string + os_types: + description: Must be Linux only items: + enum: + - linux type: string + maxItems: 1 + minItems: 1 type: array - agent_platforms: - description: A list of agent platforms to run the query on. + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_TrustedAppsMacProperties: + description: Trusted applications list item properties (macOS). 
+ type: object + properties: + entries: + description: Process hash, executable path, or code signature entries + items: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppHashEntry + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppPathEntry + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppMacCodeSignatureEntry + minItems: 1 + type: array + list_id: + enum: + - endpoint_trusted_apps + example: endpoint_trusted_apps + type: string + os_types: + description: Must be macOS only items: + enum: + - macos type: string + maxItems: 1 + minItems: 1 type: array - agent_policy_ids: - description: A list of agent policy IDs to run the query on. + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_TrustedAppsWindowsProperties: + description: Trusted applications list item properties (Windows). + type: object + properties: + entries: + description: Process hash, executable path, or code signature entries + items: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppHashEntry + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppPathEntry + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry + minItems: 1 + type: array + list_id: + enum: + - endpoint_trusted_apps + example: endpoint_trusted_apps + type: string + os_types: + description: Must be Windows only + items: + enum: + - windows + type: string + maxItems: 1 + minItems: 1 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry: + type: object + properties: + entries: + description: >- + Must include exactly 2 entries - one for subject_name and one for + trusted + items: + oneOf: + - type: object + properties: + field: + enum: + - subject_name + type: string + operator: 
+ enum: + - included + type: string + type: + enum: + - match + type: string + value: + description: Certificate subject name + type: string + required: + - field + - type + - value + - operator + - type: object + properties: + field: + enum: + - trusted + type: string + operator: + enum: + - included + type: string + type: + enum: + - match + type: string + value: + description: Must be the string 'true' + enum: + - 'true' + type: string + required: + - field + - type + - value + - operator + maxItems: 2 + minItems: 2 + type: array + field: + description: Windows code signature field + enum: + - process.Ext.code_signature + type: string + type: + enum: + - nested + type: string + required: + - field + - type + - entries + Security_Exceptions_API_TrustedDevicesMacProperties: + description: >- + Trusted devices list item properties (macOS-only, username not + supported). + type: object + properties: + entries: + description: >- + Exception entries for the trusted device (duplicate field entries + are not allowed) items: - type: string + type: object + properties: + field: + description: Device field to match against + enum: + - device.serial_number + - device.type + - host.name + - device.vendor.name + - device.vendor.id + - device.product.id + - device.product.name + type: string + operator: + description: Must be the value "included" + enum: + - included + type: string + type: + description: Entry match type + enum: + - match + - wildcard + - match_any + type: string + value: + oneOf: + - description: Single value (used with match or wildcard) + type: string + - description: Array of values (used with match_any) + items: + type: string + minItems: 1 + type: array + required: + - field + - type + - value + - operator + minItems: 1 type: array - alert_ids: - description: A list of alert IDs associated with the live query. 
+ list_id: + enum: + - endpoint_trusted_devices + example: endpoint_trusted_devices + type: string + os_types: + description: macOS-only items: + enum: + - macos type: string + maxItems: 1 + minItems: 1 type: array - case_ids: - description: A list of case IDs associated with the live query. + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_TrustedDevicesWindowsMacProperties: + description: >- + Trusted devices list item properties (Windows + macOS, username not + supported). + type: object + properties: + entries: + description: >- + Exception entries for the trusted device (duplicate field entries + are not allowed, username not available when targeting both OS) items: - type: string + type: object + properties: + field: + description: >- + Device field to match against (username not available for + multi-OS) + enum: + - device.serial_number + - device.type + - host.name + - device.vendor.name + - device.vendor.id + - device.product.id + - device.product.name + type: string + operator: + description: Must be the value "included" + enum: + - included + type: string + type: + description: Entry match type + enum: + - match + - wildcard + - match_any + type: string + value: + oneOf: + - description: Single value (used with match or wildcard) + type: string + - description: Array of values (used with match_any) + items: + type: string + minItems: 1 + type: array + required: + - field + - type + - value + - operator + minItems: 1 type: array - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - event_ids: - description: A list of event IDs associated with the live query. 
+ list_id: + enum: + - endpoint_trusted_devices + example: endpoint_trusted_devices + type: string + os_types: + description: Must include both Windows and macOS (username field not allowed) items: + enum: + - windows + - macos type: string + maxItems: 2 + minItems: 2 type: array - metadata: - description: Custom metadata object associated with the live query. - nullable: true - type: object - pack_id: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ArrayQueries' - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - saved_query_id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - Security_Osquery_API_CreateLiveQueryResponse: - description: The response for creating a live query. - example: - data: - '@timestamp': '2022-07-26T09:59:32.220Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agent_all: true - agent_ids: [] - agent_platforms: [] - agent_policy_ids: [] - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2022-07-26T10:04:32.220Z' - input_type: osquery - metadata: - execution_context: - name: osquery - url: /app/osquery/live_queries/new - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - ecs_mapping: - host.uptime: - field: total_seconds - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - query: select * from uptime; - timeout: 120 - type: INPUT_ACTION - user_id: elastic + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_TrustedDevicesWindowsProperties: + description: >- + Trusted devices list item properties (Windows-only, allows username + field). type: object properties: - data: - type: object - properties: - '@timestamp': - description: The timestamp when the action was created. - format: date-time - type: string - action_id: - description: The ID of the action. 
- type: string - agent_all: - description: Whether the query targets all agents. - type: boolean - agent_ids: - description: The agent IDs targeted by the action. - items: - type: string - type: array - agent_platforms: - description: The agent platforms targeted. - items: + entries: + description: >- + Exception entries for the trusted device (duplicate field entries + are not allowed) + items: + type: object + properties: + field: + description: Device field to match against (user.name is Windows-only) + enum: + - device.serial_number + - device.type + - host.name + - device.vendor.name + - device.vendor.id + - device.product.id + - device.product.name + - user.name type: string - type: array - agent_policy_ids: - description: The agent policy IDs targeted. - items: + operator: + description: Must be the value "included" + enum: + - included type: string - type: array - agents: - description: The resolved list of agent IDs. - items: + type: + description: Entry match type + enum: + - match + - wildcard + - match_any type: string - type: array - expiration: - description: The expiration date of the action. - format: date-time - type: string - input_type: - description: The input type. - type: string - metadata: - description: Custom metadata associated with the action. - type: object - pack_id: - description: The pack ID if the query was run from a pack. - type: string - queries: - description: The queries in this action. - items: - type: object - properties: - action_id: + value: + oneOf: + - description: Single value (used with match or wildcard) type: string - agents: + - description: Array of values (used with match_any) items: type: string + minItems: 1 type: array - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - id: - type: string - platform: - type: string - query: - type: string - saved_query_id: - type: string - timeout: - type: integer - version: - type: string - type: array - type: - description: The action type. 
- type: string - user_id: - description: The user who created the action. - type: string - required: - - action_id - required: - - data - Security_Osquery_API_CreatePacksRequestBody: - example: - description: My pack - enabled: true - name: my_pack - policy_ids: - - my_policy_id - - fleet-server-policy - queries: - my_query: - ecs_mapping: - client.port: - field: port - tags: - value: - - tag1 - - tag2 - interval: 60 - query: SELECT * FROM listening_ports; - timeout: 120 - shards: - fleet-server-policy: 58 - my_policy_id: 35 - type: object - properties: - description: - $ref: '#/components/schemas/Security_Osquery_API_PackDescription' - enabled: - $ref: '#/components/schemas/Security_Osquery_API_Enabled' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - shards: - $ref: '#/components/schemas/Security_Osquery_API_Shards' - Security_Osquery_API_CreatePacksResponse: - description: The response for creating a pack. - example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: true - name: my_pack - policy_ids: - - my_policy_id - queries: - ports: - ecs_mapping: - client.port: - field: port - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: - 47638692-7c4c-4053-aa3e-7186f28df349: 35 - 5e267651-fe50-443e-8d3f-3bbc9171b618: 58 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 1 - type: object - properties: - data: - type: object - properties: - created_at: - description: The date and time the pack was created. - format: date-time - type: string - created_by: - description: The user who created the pack. 
- nullable: true - type: string - created_by_profile_uid: - description: The profile UID of the user who created the pack. - type: string - description: - $ref: '#/components/schemas/Security_Osquery_API_PackDescription' - enabled: - $ref: '#/components/schemas/Security_Osquery_API_Enabled' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - saved_object_id: - description: The saved object ID of the pack. - type: string - shards: - description: Shard configuration as an array of key-value pairs. - items: - type: object - properties: - key: - type: string - value: - type: number - type: array - updated_at: - description: The date and time the pack was last updated. - format: date-time - type: string - updated_by: - description: The user who last updated the pack. - nullable: true - type: string - updated_by_profile_uid: - description: The profile UID of the user who last updated the pack. - type: string - version: - description: The pack version number. 
- type: integer - required: - - saved_object_id - - name + required: + - field + - type + - value + - operator + minItems: 1 + type: array + list_id: + enum: + - endpoint_trusted_devices + example: endpoint_trusted_devices + type: string + os_types: + description: Must be Windows-only to allow username field + items: + enum: + - windows + type: string + maxItems: 1 + minItems: 1 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - - data - Security_Osquery_API_CreateSavedQueryRequestBody: - example: - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: saved_query_id - interval: '60' - platform: linux,darwin - query: select * from uptime; - timeout: 120 - version: 2.8.0 + - list_id + Security_Exceptions_API_UpdateExceptionListItemBase: type: object properties: + _version: + description: >- + The version ID, normally returned by the API when the item is + retrieved. Use it to ensure updates are made against the latest + version. 
+ type: string + comments: + $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray + default: [] description: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + expire_time: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - $ref: '#/components/schemas/Security_Osquery_API_Interval' - platform: - $ref: '#/components/schemas/Security_Osquery_API_Platform' - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_Removed' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_Snapshot' - version: - $ref: '#/components/schemas/Security_Osquery_API_Version' - Security_Osquery_API_CreateSavedQueryResponse: - description: The response for creating a saved query. 
- example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: saved_query_id - interval: '60' - platform: linux,darwin - prebuilt: false - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 2.8.0 - type: object - properties: - data: - type: object - properties: - created_at: - format: date-time - type: string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - description: An interval, in seconds, on which to run the query. May be returned as number or string. - oneOf: - - type: integer - - type: string - platform: - $ref: '#/components/schemas/Security_Osquery_API_Platform' - prebuilt: - description: Whether the saved query is prebuilt. - type: boolean - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_Removed' - saved_object_id: - description: The saved object ID of the saved query. - type: string - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_Snapshot' - timeout: - description: The query timeout in seconds. - type: integer - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: - type: string - version: - description: The saved query version. 
- oneOf: - - type: integer - - type: string - required: - - saved_object_id - - id + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + description: Either `id` or `item_id` must be specified + item_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + description: Either `id` or `item_id` must be specified + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' required: - - data - Security_Osquery_API_DefaultSuccessResponse: - example: {} - type: object - properties: {} - Security_Osquery_API_ECSMapping: - additionalProperties: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' - description: Map osquery results columns or static values to Elastic Common Schema (ECS) fields - example: - host.uptime: - field: total_seconds + - type + - name + - description + Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties + Security_Exceptions_API_UpdateExceptionListItemBlocklistMac: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties' + Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties + Security_Exceptions_API_UpdateExceptionListItemComment: type: object - 
Security_Osquery_API_ECSMappingArray: - description: ECS mapping in saved-object storage format (array of key-value pairs). The find and copy pack endpoints return this format. The read endpoint returns object format (ECSMapping). + properties: + comment: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + id: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + required: + - comment + Security_Exceptions_API_UpdateExceptionListItemCommentArray: items: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArrayItem' + $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment type: array - Security_Osquery_API_ECSMappingArrayItem: - description: ECS mapping item in saved-object storage format (key-value pair). + Security_Exceptions_API_UpdateExceptionListItemEndpointList: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties' + Security_Exceptions_API_UpdateExceptionListItemEventFilters: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties' + Security_Exceptions_API_UpdateExceptionListItemGeneric: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - example: + comments: [] + description: Updated description + entries: + - field: host.name + operator: included + type: match + value: rock01 + item_id: simple_list_item + name: Updated name + namespace_type: single + tags: [] + type: simple + type: object + properties: + entries: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + list_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListHumanId + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + 
default: [] + tags: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemTags + required: + - entries + Security_Exceptions_API_UpdateExceptionListItemHostIsolation: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties' + Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties + Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties + Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties + Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties + Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties + Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties + Security_Exceptions_API_UUID: + description: A universally unique identifier + format: uuid + 
type: string + Security_Lists_API_FindListItemsCursor: + description: >- + Returns the items that come after the last item returned in the previous + call (use the `cursor` value returned in the previous call). This + parameter uses the `tie_breaker_id` field to ensure all items are sorted + and returned correctly. + example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d + format: nonempty + minLength: 1 + type: string + Security_Lists_API_FindListItemsFilter: + example: value:127.0.0.1 + type: string + Security_Lists_API_FindListsCursor: + example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d + format: nonempty + minLength: 1 + type: string + Security_Lists_API_FindListsFilter: + example: value:127.0.0.1 + type: string + Security_Lists_API_List: type: object properties: - key: - description: The ECS field name. + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + '@timestamp': + example: 2025-01-08T04:47:34.273Z + format: date-time type: string - value: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' - Security_Osquery_API_ECSMappingArrayOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' - nullable: true - Security_Osquery_API_ECSMappingItem: + created_at: + description: Autogenerated date of object creation. + example: 2025-01-08T04:47:34.273Z + format: date-time + type: string + created_by: + description: Autogenerated value - user that created object. + example: elastic + type: string + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + immutable: + type: boolean + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + tie_breaker_id: + description: >- + Field used in search to ensure all containers are sorted and + returned correctly. 
+ example: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: string + type: + $ref: '#/components/schemas/Security_Lists_API_ListType' + updated_at: + description: Autogenerated date of last object update. + example: 2025-01-08T04:47:34.273Z + format: date-time + type: string + updated_by: + description: Autogenerated value - user that last updated object. + example: elastic + type: string + version: + $ref: '#/components/schemas/Security_Lists_API_ListVersion' + required: + - id + - type + - name + - description + - immutable + - version + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Lists_API_ListDescription: + description: Describes the value list. + format: nonempty + minLength: 1 + type: string + Security_Lists_API_ListId: + description: Value list's identifier. + example: 21b01cfb-058d-44b9-838c-282be16c91cd + format: nonempty + minLength: 1 + type: string + Security_Lists_API_ListItem: type: object properties: - field: - description: The ECS field to map to. - example: host.uptime + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + '@timestamp': + example: 2025-01-08T04:47:34.273Z + format: date-time + type: string + created_at: + description: Autogenerated date of object creation. + example: 2025-01-08T04:47:34.273Z + format: date-time + type: string + created_by: + description: Autogenerated value - user that created object. + example: elastic + type: string + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + list_id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + tie_breaker_id: + description: >- + Field used in search to ensure all containers are sorted and + returned correctly. + example: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: string + type: + $ref: '#/components/schemas/Security_Lists_API_ListType' + updated_at: + description: Autogenerated date of last object update. 
+ example: 2025-01-08T04:47:34.273Z + format: date-time + type: string + updated_by: + description: Autogenerated value - user that last updated object. + example: elastic type: string value: - description: The value to map to the ECS field. - example: total_seconds - oneOf: - - type: string - - items: - type: string - type: array - Security_Osquery_API_ECSMappingOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - nullable: true - Security_Osquery_API_Enabled: - description: Enables the pack. - example: true - type: boolean - Security_Osquery_API_EnabledOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Enabled' - nullable: true - Security_Osquery_API_FindLiveQueryDetailsResponse: - example: - data: - '@timestamp': '2022-07-26T09:59:32.220Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2022-07-26T10:04:32.220Z' - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - docs: 0 - ecs_mapping: - host.uptime: - field: total_seconds - failed: 1 - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - pending: 0 - query: select * from uptime; - responded: 1 - saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - status: completed - successful: 0 - status: completed - user_id: elastic + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - id + - type + - list_id + - value + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Lists_API_ListItemId: + description: Value list item's identifier. + example: 54b01cfb-058d-44b9-838c-282be16c91cd + format: nonempty + minLength: 1 + type: string + Security_Lists_API_ListItemMetadata: + additionalProperties: true + description: Placeholder for metadata about the value list item. 
+ type: object + Security_Lists_API_ListItemPrivileges: type: object properties: - data: + application: + additionalProperties: + type: boolean type: object - properties: - '@timestamp': - format: date-time - type: string - action_id: - type: string - agents: - items: - type: string - type: array - expiration: - format: date-time - type: string - pack_id: - type: string - pack_name: - type: string - prebuilt_pack: + cluster: + additionalProperties: + type: boolean + type: object + has_all_requested: + type: boolean + index: + additionalProperties: + additionalProperties: type: boolean - queries: - description: The queries with their execution status. - items: - type: object - properties: - action_id: - type: string - agents: - items: - type: string - type: array - docs: - description: Number of result documents. - type: integer - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - failed: - description: Number of failed queries. - type: integer - id: - type: string - pending: - description: Number of pending agents. - type: integer - query: - type: string - responded: - description: Total responded agents. - type: integer - saved_query_id: - type: string - status: - description: Status of this individual query. - enum: - - completed - - running - type: string - successful: - description: Number of successful agents. - type: integer - type: array - status: - description: Global status of the live query (completed, running). 
- enum: - - completed - - running - type: string - tags: - items: - type: string - type: array - user_id: - type: string - user_profile_uid: - type: string - Security_Osquery_API_FindLiveQueryResponse: - example: - data: - items: - - _source: - '@timestamp': '2023-10-31T00:00:00Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2023-10-31T00:00:00Z' - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - ecs_mapping: - host.uptime: - field: total_seconds - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - query: select * from uptime; - saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - result_counts: - error_agents: 0 - responded_agents: 1 - successful_agents: 1 - total_rows: 42 - user_id: elastic - total: 1 - type: object - properties: - data: + type: object type: object - properties: - items: - description: An array of live query action items. - items: - type: object - properties: - _source: - type: object - properties: - '@timestamp': - format: date-time - type: string - action_id: - type: string - agents: - items: - type: string - type: array - expiration: - format: date-time - type: string - pack_id: - type: string - queries: - items: - type: object - properties: - action_id: - type: string - agents: - items: - type: string - type: array - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - id: - type: string - query: - type: string - saved_query_id: - type: string - type: array - result_counts: - description: Result count statistics (present when withResultCounts is true). - type: object - properties: - error_agents: - type: integer - responded_agents: - type: integer - successful_agents: - type: integer - total_rows: - type: integer - user_id: - type: string - type: array - total: - description: The total number of live queries. 
- type: integer - Security_Osquery_API_FindPackResponse: - description: The details of a single query pack. - example: - data: - created_at: '2022-07-25T19:41:10.263Z' - created_by: elastic - description: '' - enabled: true - name: test_pack - namespaces: - - default - policy_ids: [] - queries: - uptime: - ecs_mapping: - message: - field: days - interval: 3600 - query: select * from uptime - read_only: false - saved_object_id: 3c42c847-eb30-4452-80e0-728584042334 - shards: {} - type: osquery-pack - updated_at: '2022-07-25T20:12:01.455Z' - updated_by: elastic - version: 1 + username: + type: string + required: + - username + - has_all_requested + - cluster + - index + - application + Security_Lists_API_ListItemValue: + description: The value used to evaluate exceptions. + format: nonempty + minLength: 1 + type: string + Security_Lists_API_ListMetadata: + additionalProperties: true + description: Placeholder for metadata about the value list. + type: object + Security_Lists_API_ListName: + description: Value list's name. + example: List of bad IPs + format: nonempty + minLength: 1 + type: string + Security_Lists_API_ListPrivileges: type: object properties: - data: - description: The pack details. + application: + additionalProperties: + type: boolean + type: object + cluster: + additionalProperties: + type: boolean type: object - properties: - created_at: - format: date-time - type: string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: '#/components/schemas/Security_Osquery_API_PackDescription' - enabled: - $ref: '#/components/schemas/Security_Osquery_API_Enabled' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - namespaces: - description: The namespaces the pack belongs to. 
- items: - type: string - type: array - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - read_only: - description: Whether the pack is read-only (true for prebuilt packs). + has_all_requested: + type: boolean + index: + additionalProperties: + additionalProperties: type: boolean - saved_object_id: - description: The saved object ID of the pack. - type: string - shards: - $ref: '#/components/schemas/Security_Osquery_API_Shards' - type: - description: The saved object type. - type: string - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: - type: string - version: - description: The pack version number. - type: integer - required: - - saved_object_id - - name + type: object + type: object + username: + type: string required: - - data - Security_Osquery_API_FindPacksResponse: - description: A paginated list of query packs. - example: - data: - - created_at: '2023-10-31T00:00:00Z' - created_by: elastic - created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - description: My pack description - enabled: true - name: My Pack - policy_ids: [] - queries: - - ecs_mapping: - - key: host.uptime - value: - field: total_seconds - id: uptime - interval: 3600 - query: select * from uptime; - read_only: false - saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - updated_at: '2023-10-31T00:00:00Z' - updated_by: elastic - updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - page: 1 - per_page: 10 - total: 1 + - username + - has_all_requested + - cluster + - index + - application + Security_Lists_API_ListType: + description: > + Specifies the Elasticsearch data type of excludes the list container + holds. 
Some common examples: + + + - `keyword`: Many ECS fields are Elasticsearch keywords + + - `ip`: IP addresses + + - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR + notation) + enum: + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text + type: string + Security_Lists_API_ListVersion: + description: The document version number. + example: 1 + minimum: 1 + type: integer + Security_Lists_API_ListVersionId: + description: > + The version id, normally returned by the API when the document is + retrieved. Use it ensure updates are done against the latest version. + example: WzIsMV0= + type: string + Security_Lists_API_PlatformErrorResponse: type: object properties: - data: - description: An array of pack objects. - items: - type: object - properties: - created_at: - format: date-time - type: string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: '#/components/schemas/Security_Osquery_API_PackDescription' - enabled: - $ref: '#/components/schemas/Security_Osquery_API_Enabled' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' - queries: - description: 'Pack queries in saved-object storage format (array). Note: the read endpoint returns object format.' - items: - type: object - properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' - id: - type: string - interval: - type: integer - platform: - type: string - query: - type: string - removed: - type: boolean - snapshot: - type: boolean - timeout: - type: integer - version: - type: string - type: array - read_only: - description: Whether the pack is read-only (true for prebuilt packs). 
- type: boolean - saved_object_id: - description: The saved object ID of the pack. - type: string - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: - type: string - version: - description: The pack version number. - type: integer - required: - - saved_object_id - - name - type: array - page: - description: The current page number. - type: integer - per_page: - description: The number of results per page. + error: + type: string + message: + type: string + statusCode: type: integer - total: - description: The total number of packs. + required: + - statusCode + - error + - message + Security_Lists_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: type: integer required: - - page - - per_page - - total - - data - Security_Osquery_API_FindSavedQueryDetailResponse: - description: The details of a single saved query. + - status_code + - message + Security_Osquery_API_ArrayQueries: + description: An array of queries to run. + items: + $ref: '#/components/schemas/Security_Osquery_API_ArrayQueriesItem' + type: array + Security_Osquery_API_ArrayQueriesItem: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + id: + $ref: '#/components/schemas/Security_Osquery_API_QueryId' + platform: + $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + version: + $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' + Security_Osquery_API_CopyPacksResponse: + description: The response for copying a pack. 
example: data: - created_at: '2022-07-26T09:28:08.597Z' + created_at: '2025-02-26T13:37:30.452Z' created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: saved_query_id - interval: '60' - platform: linux,darwin - prebuilt: false - query: select * from uptime; - saved_object_id: 3c42c847-eb30-4452-80e0-728584042334 - updated_at: '2022-07-26T09:28:08.597Z' + description: My pack + enabled: false + name: my_pack_copy + policy_ids: [] + queries: + - ecs_mapping: + - key: client.port + value: + field: port + id: ports + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: [] + updated_at: '2025-02-26T13:37:30.452Z' updated_by: elastic - version: 2.8.0 type: object properties: data: 
@@ -113924,651 +42607,356 @@ components: created_by_profile_uid: type: string description: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - oneOf: - - type: integer - - type: string - platform: - $ref: '#/components/schemas/Security_Osquery_API_Platform' - prebuilt: - type: boolean - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_Removed' - saved_object_id: - type: string - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_Snapshot' - timeout: - type: integer - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: - type: string - version: - oneOf: - - type: integer - - type: string - required: - - saved_object_id - - id - required: - - data - Security_Osquery_API_FindSavedQueryResponse: - description: A paginated list of saved queries. - example: - data: - - created_at: '2022-07-26T09:28:08.597Z' - created_by: elastic - created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: saved_query_id - interval: '60' - platform: linux,darwin - prebuilt: false - query: select * from uptime; - saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - updated_at: '2022-07-26T09:28:08.597Z' - updated_by: elastic - updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - version: 2.8.0 - page: 1 - per_page: 100 - total: 11 - type: object - properties: - data: - description: An array of saved query objects. 
- items: - type: object - properties: - created_at: - format: date-time - type: string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - oneOf: - - type: integer - - type: string - platform: - $ref: '#/components/schemas/Security_Osquery_API_Platform' - prebuilt: - type: boolean - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_Removed' - saved_object_id: - type: string - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_Snapshot' - timeout: - type: integer - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: - type: string - version: - oneOf: - - type: integer - - type: string - required: - - saved_object_id - - id - type: array - page: - description: The current page number. - type: integer - per_page: - description: The number of results per page. - type: integer - total: - description: The total number of saved queries. - type: integer - required: - - page - - per_page - - total - - data - Security_Osquery_API_GetLiveQueryResultsResponse: - description: The response for getting live query results. - example: - data: - edges: - - _id: doc1 - _source: {} - - _id: doc2 - _source: {} - total: 2 - type: object - properties: - data: - type: object - properties: - edges: - description: The result rows from the query execution. 
+ $ref: >- + #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined + enabled: + $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + queries: + description: >- + Pack queries in saved-object storage format (array). Note: the + read endpoint returns object format. items: type: object properties: - _id: + ecs_mapping: + $ref: >- + #/components/schemas/Security_Osquery_API_ECSMappingArrayOrUndefined + id: type: string - _source: - description: The Elasticsearch document source containing query results. - type: object - type: array - total: - description: The total number of result rows. - type: integer - Security_Osquery_API_GetScheduledActionResultsResponse: - example: - aggregations: - failed: 1 - pending: 0 - successful: 9 - totalResponded: 10 - totalRowCount: 42 - currentPage: 0 - edges: - - _id: result-001 - fields: - agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 - rows_count: 5 - status: success - metadata: - executionCount: 3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - timestamp: '2024-07-26T09:00:00.000Z' - pageSize: 20 - total: 10 - totalPages: 1 - type: object - properties: - aggregations: - $ref: '#/components/schemas/Security_Osquery_API_ScheduledActionResultsAggregations' - currentPage: - description: The current page number (zero-based). - type: integer - edges: - description: The paginated list of per-agent action results. - items: - type: object - type: array - inspect: - description: Debug/inspection data for the search query. - type: object - metadata: - $ref: '#/components/schemas/Security_Osquery_API_ScheduledExecutionMetadata' - pageSize: - description: The number of results per page. 
- type: integer - total: - description: The total number of action results. - type: integer - totalPages: - description: The total number of pages. - type: integer - Security_Osquery_API_GetScheduledQueryResultsResponse: - description: The response for getting scheduled query results. - example: - data: - edges: - - _id: row-001 - fields: - host.uptime: - - '12345' - - _id: row-002 - fields: - host.uptime: - - '67890' - total: 2 - type: object - properties: - data: - description: The query results data wrapper. - type: object - properties: - edges: - description: The paginated list of query result rows. + interval: + type: integer + platform: + type: string + query: + type: string + removed: + type: boolean + snapshot: + type: boolean + timeout: + type: integer + version: + type: string + type: array + saved_object_id: + description: The saved object ID of the copied pack. + type: string + shards: + description: Shard configuration as an array of key-value pairs. items: type: object + properties: + key: + type: string + value: + type: number type: array - inspect: - description: Debug/inspection data for the search query. - type: object - total: - description: The total number of result rows. + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + description: The pack version number. type: integer - Security_Osquery_API_GetUnifiedHistoryResponse: + required: + - saved_object_id + - name + required: + - data + Security_Osquery_API_CopySavedQueryResponse: + description: The response for copying a saved query. 
example: data: - - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agentCount: 5 - errorCount: 0 - id: 3c42c847-eb30-4452-80e0-728584042334 - queryName: uptime_query - queryText: select * from uptime; - source: Live - sourceType: live - successCount: 5 - timestamp: '2024-07-26T09:59:32.220Z' - totalRows: 42 - userId: elastic - - agentCount: 10 - errorCount: 1 - executionCount: 3 - id: pack_my_pack_uptime_3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - plannedTime: '2024-07-26T09:00:00.000Z' - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - source: Scheduled - sourceType: scheduled - successCount: 9 - timestamp: '2024-07-26T09:00:00.000Z' - totalRows: 100 - hasMore: true - nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query_copy + interval: '60' + platform: linux,darwin + query: select * from uptime; + removed: false + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + snapshot: true + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic type: object properties: data: - description: The list of unified history rows for the current page. - items: - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRow' - type: array - hasMore: - description: Whether there are more results beyond the current page. - type: boolean - nextPage: - description: A base64-encoded cursor to fetch the next page. Absent when there are no more results. - type: string - required: - - data - - hasMore - Security_Osquery_API_Interval: - description: An interval, in seconds, on which to run the query. 
- example: '60' - type: string - Security_Osquery_API_IntervalOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Interval' - nullable: true - Security_Osquery_API_KueryOrUndefined: - description: The kuery to filter the results by. - example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13' - nullable: true - type: string - Security_Osquery_API_LiveHistoryRow: - allOf: - - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' - - type: object + type: object properties: - actionId: - description: The Fleet action ID for the live query. + created_at: + format: date-time type: string - agentAll: - description: Whether the query targeted all agents. - type: boolean - agentIds: - description: List of targeted agent IDs. - items: - type: string - type: array - agentPlatforms: - description: List of targeted agent platforms. - items: - type: string - type: array - agentPolicyIds: - description: List of targeted agent policy IDs. - items: - type: string - type: array - ecsMapping: - additionalProperties: true - description: ECS mapping configuration used for the query. - type: object - queriesTotal: - description: The total number of sub-queries in the live action. - type: integer - queriesWithResults: - description: The number of sub-queries that returned results. - type: integer - savedQueryId: - description: The saved query ID, if the live query was based on a saved query. + created_by: + nullable: true type: string - source: - description: Whether this was a manually run live query or triggered by a rule. - enum: - - Live - - Rule + created_by_profile_uid: type: string - sourceType: - description: Identifies this as a live query history row. 
- enum: - - live + description: + $ref: >- + #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + oneOf: + - type: integer + - type: string + platform: + $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + saved_object_id: type: string + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' timeout: - description: The query timeout in seconds. type: integer - userId: - description: The ID of the user who ran the query. + updated_at: + format: date-time type: string - userProfileUid: - description: The user profile UID of the user who ran the query. + updated_by: + nullable: true + type: string + updated_by_profile_uid: type: string required: - - sourceType - - source - Security_Osquery_API_ObjectQueries: - additionalProperties: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem' - description: An object of queries. - type: object - Security_Osquery_API_ObjectQueriesItem: + - saved_object_id + - id + required: + - data + Security_Osquery_API_CreateLiveQueryRequestBody: + example: + agent_all: true + ecs_mapping: + host.uptime: + field: total_seconds + query: select * from uptime; type: object properties: + agent_all: + description: When `true`, the query runs on all agents. + type: boolean + agent_ids: + description: A list of agent IDs to run the query on. + items: + type: string + type: array + agent_platforms: + description: A list of agent platforms to run the query on. + items: + type: string + type: array + agent_policy_ids: + description: A list of agent policy IDs to run the query on. 
+ items: + type: string + type: array + alert_ids: + description: A list of alert IDs associated with the live query. + items: + type: string + type: array + case_ids: + description: A list of case IDs associated with the live query. + items: + type: string + type: array ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - id: - $ref: '#/components/schemas/Security_Osquery_API_QueryId' - platform: - $ref: '#/components/schemas/Security_Osquery_API_Platform' + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + event_ids: + description: A list of event IDs associated with the live query. + items: + type: string + type: array + metadata: + description: Custom metadata object associated with the live query. + nullable: true + type: object + pack_id: + $ref: '#/components/schemas/Security_Osquery_API_PackIdOrUndefined' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ArrayQueries' query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_Removed' + $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' saved_query_id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_Snapshot' - version: - $ref: '#/components/schemas/Security_Osquery_API_Version' - Security_Osquery_API_PackDescription: - description: The pack description. - example: Pack description - type: string - Security_Osquery_API_PackDescriptionOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_PackDescription' - nullable: true - Security_Osquery_API_PackId: - description: The ID of the pack. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - Security_Osquery_API_PackIdOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - nullable: true - Security_Osquery_API_PackName: - description: The pack name. 
- example: my_pack - type: string - Security_Osquery_API_PageOrUndefined: - description: The page number to return. The default is 1. - example: 1 - nullable: true - type: integer - Security_Osquery_API_PageSizeOrUndefined: - description: The number of results to return per page. The default is 20. - example: 20 - nullable: true - type: integer - Security_Osquery_API_Platform: - description: Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, `linux,darwin`. - example: linux,darwin - type: string - Security_Osquery_API_PlatformOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Platform' - nullable: true - Security_Osquery_API_PolicyIds: - description: A list of agents policy IDs. + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' + Security_Osquery_API_CreateLiveQueryResponse: + description: The response for creating a live query. example: - - policyId1 - - policyId2 - items: - type: string - type: array - Security_Osquery_API_PolicyIdsOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' - nullable: true - Security_Osquery_API_Query: - description: The SQL query you want to run. - example: select * from uptime; - type: string - Security_Osquery_API_QueryId: - description: The ID of the query. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - Security_Osquery_API_QueryOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Query' - nullable: true - Security_Osquery_API_Removed: - description: Indicates whether the query is removed. - example: false - type: boolean - Security_Osquery_API_RemovedOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Removed' - nullable: true - Security_Osquery_API_SavedQueryDescription: - description: The saved query description. 
- example: Saved query description - type: string - Security_Osquery_API_SavedQueryDescriptionOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' - nullable: true - Security_Osquery_API_SavedQueryId: - description: The ID of a saved query. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - Security_Osquery_API_SavedQueryIdOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - nullable: true - Security_Osquery_API_ScheduledActionResultsAggregations: - type: object - properties: - failed: - description: The number of agents that returned errors. - type: integer - pending: - description: The number of agents with pending responses. - type: integer - successful: - description: The number of agents that completed successfully. - type: integer - totalResponded: - description: The total number of agents that responded. - type: integer - totalRowCount: - description: The total number of result rows across all agents. - type: integer - Security_Osquery_API_ScheduledExecutionMetadata: - description: Execution metadata resolved from the pack saved object. + data: + '@timestamp': '2022-07-26T09:59:32.220Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agent_all: true + agent_ids: [] + agent_platforms: [] + agent_policy_ids: [] + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2022-07-26T10:04:32.220Z' + input_type: osquery + metadata: + execution_context: + name: osquery + url: /app/osquery/live_queries/new + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + ecs_mapping: + host.uptime: + field: total_seconds + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + query: select * from uptime; + timeout: 120 + type: INPUT_ACTION + user_id: elastic type: object properties: - executionCount: - description: The execution count for this scheduled query run. 
- type: integer - packId: - description: The ID of the pack containing the query. - type: string - packName: - description: The name of the pack containing the query. - type: string - queryName: - description: The name of the query within the pack. - type: string - queryText: - description: The SQL query that was executed. - type: string - scheduleId: - description: The schedule ID for the scheduled query. - type: string - timestamp: - description: The timestamp of the most recent response for this execution. - type: string - Security_Osquery_API_ScheduledHistoryRow: - allOf: - - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' - - type: object + data: + type: object properties: - executionCount: - description: The execution count for this scheduled query run. - type: integer - plannedTime: - description: The planned execution time for the scheduled query. - type: string - scheduleId: - description: The schedule ID for the scheduled query. - type: string - source: - description: Indicates this is a scheduled query execution. - enum: - - Scheduled + '@timestamp': + description: The timestamp when the action was created. + format: date-time type: string - sourceType: - description: Identifies this as a scheduled query history row. - enum: - - scheduled + action_id: + description: The ID of the action. type: string - required: - - sourceType - - source - Security_Osquery_API_Shards: - additionalProperties: - type: number - description: An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts. - example: - policy_id: 50 - type: object - Security_Osquery_API_Snapshot: - description: Indicates whether the query is a snapshot. 
- example: true - type: boolean - Security_Osquery_API_SnapshotOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Snapshot' - nullable: true - Security_Osquery_API_SortOrderOrUndefined: - description: Specifies the sort order. - enum: - - asc - - desc - example: desc - type: string - Security_Osquery_API_SortOrUndefined: - default: createdAt - description: The field that is used to sort the results. - example: createdAt - nullable: true - type: string - Security_Osquery_API_UnifiedHistoryRow: - discriminator: - mapping: - live: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' - scheduled: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' - propertyName: sourceType - oneOf: - - $ref: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' - - $ref: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' - Security_Osquery_API_UnifiedHistoryRowBase: - type: object - properties: - agentCount: - description: The number of agents targeted by the query. - type: integer - errorCount: - description: The number of agent responses with errors. - nullable: true - type: integer - id: - description: Unique identifier for the history row. - type: string - packId: - description: The ID of the pack containing the query. - type: string - packName: - description: The name of the pack containing the query. - type: string - queryName: - description: The name of the query, if available. - type: string - queryText: - description: The SQL query that was executed. - type: string - spaceId: - description: The Kibana space ID where the query was executed. - type: string - successCount: - description: The number of successful agent responses. - nullable: true - type: integer - timestamp: - description: The timestamp of the query execution. - type: string - totalRows: - description: The total number of result rows returned across all agents. - nullable: true - type: integer + agent_all: + description: Whether the query targets all agents. 
+ type: boolean + agent_ids: + description: The agent IDs targeted by the action. + items: + type: string + type: array + agent_platforms: + description: The agent platforms targeted. + items: + type: string + type: array + agent_policy_ids: + description: The agent policy IDs targeted. + items: + type: string + type: array + agents: + description: The resolved list of agent IDs. + items: + type: string + type: array + expiration: + description: The expiration date of the action. + format: date-time + type: string + input_type: + description: The input type. + type: string + metadata: + description: Custom metadata associated with the action. + type: object + pack_id: + description: The pack ID if the query was run from a pack. + type: string + queries: + description: The queries in this action. + items: + type: object + properties: + action_id: + type: string + agents: + items: + type: string + type: array + ecs_mapping: + $ref: >- + #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined + id: + type: string + platform: + type: string + query: + type: string + saved_query_id: + type: string + timeout: + type: integer + version: + type: string + type: array + type: + description: The action type. + type: string + user_id: + description: The user who created the action. 
+ type: string + required: + - action_id required: - - id - - timestamp - - queryText - - agentCount - Security_Osquery_API_UpdatePacksRequestBody: + - data + Security_Osquery_API_CreatePacksRequestBody: example: - name: updated_my_pack_name + description: My pack + enabled: true + name: my_pack + policy_ids: + - my_policy_id + - fleet-server-policy + queries: + my_query: + ecs_mapping: + client.port: + field: port + tags: + value: + - tag1 + - tag2 + interval: 60 + query: SELECT * FROM listening_ports; + timeout: 120 + shards: + fleet-server-policy: 58 + my_policy_id: 35 type: object properties: description: - $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + $ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined' enabled: - $ref: '#/components/schemas/Security_Osquery_API_Enabled' + $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' queries: $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' shards: $ref: '#/components/schemas/Security_Osquery_API_Shards' - Security_Osquery_API_UpdatePacksResponse: - description: The response for updating a pack. + Security_Osquery_API_CreatePacksResponse: + description: The response for creating a pack. example: data: created_at: '2025-02-26T13:37:30.452Z' created_by: elastic description: My pack enabled: true - name: updated_my_pack_name + name: my_pack policy_ids: - my_policy_id queries: @@ -114585,7 +42973,7 @@ components: shards: 47638692-7c4c-4053-aa3e-7186f28df349: 35 5e267651-fe50-443e-8d3f-3bbc9171b618: 58 - updated_at: '2025-02-26T13:40:16.297Z' + updated_at: '2025-02-26T13:37:30.452Z' updated_by: elastic version: 1 type: object 
@@ -114594,4319 +42982,4173 @@ components: type: object properties: created_at: + description: The date and time the pack was created. format: date-time type: string created_by: + description: The user who created the pack. nullable: true type: string created_by_profile_uid: + description: The profile UID of the user who created the pack. type: string description: - $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + $ref: >- + #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined enabled: - $ref: '#/components/schemas/Security_Osquery_API_Enabled' + $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' queries: $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' saved_object_id: description: The saved object ID of the pack. type: string shards: - $ref: '#/components/schemas/Security_Osquery_API_Shards' - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: - type: string - version: - description: The pack version number. 
- type: integer - Security_Osquery_API_UpdateSavedQueryRequestBody: - example: - id: updated_my_saved_query_name - type: object - properties: - description: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - $ref: '#/components/schemas/Security_Osquery_API_Interval' - platform: - $ref: '#/components/schemas/Security_Osquery_API_Platform' - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_Removed' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_Snapshot' - version: - $ref: '#/components/schemas/Security_Osquery_API_Version' - Security_Osquery_API_UpdateSavedQueryResponse: - description: The response for updating a saved query. - example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - id: updated_my_saved_query_name - interval: '60' - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - updated_at: '2025-02-26T13:40:16.297Z' - updated_by: elastic - version: WzQzMTcsMV0= - type: object - properties: - data: - type: object - properties: - created_at: - format: date-time - type: string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - oneOf: - - type: integer - - type: string - platform: - $ref: '#/components/schemas/Security_Osquery_API_Platform' - prebuilt: - type: boolean - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_Removed' - 
saved_object_id: - type: string - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_Snapshot' - timeout: - type: integer - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: - type: string - version: - description: The saved query version. - type: string - required: - - saved_object_id - - id - required: - - data - Security_Osquery_API_Version: - description: Uses the Osquery versions greater than or equal to the specified version string. - example: 1.0.0 - type: string - Security_Osquery_API_VersionOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Version' - nullable: true - Security_Timeline_API_AssociatedFilterType: - description: | - How the note is associated with a Timeline saved object and/or an event (`eventId`). `all`: no association-based restriction from this parameter. `document_only`: document-linked notes (non-empty `eventId`) without timeline association in the API's internal sense; post-filtering drops notes without a usable `eventId`. `saved_object_only`: timeline notes with no linked event (`eventId` empty or absent); post-filtering keeps timeline-only notes. `document_and_saved_object`: notes on a timeline and linked to an event; post-filtering enforces a real `eventId`. `orphan`: not on a timeline and `eventId` is empty (stricter than missing `eventId` in some cases). - enum: - - all - - document_only - - saved_object_only - - document_and_saved_object - - orphan - type: string - Security_Timeline_API_BareNote: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_NoteCreatedAndUpdatedMetadata' - - type: object - properties: - eventId: - description: | - Elasticsearch document `_id` for the event or alert this note refers to. Same value as the `documentIds` query parameter when fetching notes via GET /api/note. 
- example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - nullable: true - type: string - note: - description: The text of the note - example: This is an example text - nullable: true - type: string - timelineId: - description: The `savedObjectId` of the Timeline this note belongs to (not the note's own ID). - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - type: string - required: - - timelineId - Security_Timeline_API_BarePinnedEvent: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata' - - type: object - properties: - eventId: - description: The `_id` of the associated event for this pinned event. - example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - type: string - timelineId: - description: The `savedObjectId` of the timeline that this pinned event is associated with - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - type: string - required: - - eventId - - timelineId - Security_Timeline_API_ColumnHeaderResult: - type: object - properties: - aggregatable: - nullable: true - type: boolean - category: - nullable: true - type: string - columnHeaderType: - nullable: true - type: string - description: - nullable: true - type: string - example: - nullable: true - type: string - id: - nullable: true - type: string - indexes: - items: - type: string - nullable: true - type: array - name: - nullable: true - type: string - placeholder: - nullable: true - type: string - searchable: - nullable: true - type: boolean - type: - nullable: true - type: string - Security_Timeline_API_DataProviderQueryMatch: - type: object - properties: - enabled: - nullable: true - type: boolean - excluded: - nullable: true - type: boolean - id: - nullable: true - type: string - kqlQuery: - nullable: true - type: string - name: - nullable: true - type: string - queryMatch: - $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' - nullable: true - type: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' - nullable: true 
- Security_Timeline_API_DataProviderResult: - type: object - properties: - and: - items: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderQueryMatch' - nullable: true - type: array - enabled: - nullable: true - type: boolean - excluded: - nullable: true - type: boolean - id: - nullable: true - type: string - kqlQuery: - nullable: true - type: string - name: - nullable: true - type: string - queryMatch: - $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' - nullable: true - type: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' - nullable: true - Security_Timeline_API_DataProviderType: - description: The type of data provider. - enum: - - default - - template - type: string - Security_Timeline_API_DocumentIds: - description: One document ID or an array of IDs (Elasticsearch `_id` of the event). - oneOf: - - items: - type: string - type: array - - type: string - Security_Timeline_API_FavoriteTimelineResponse: - type: object - properties: - favorite: - items: - $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' - type: array - savedObjectId: - type: string - templateTimelineId: - nullable: true - type: string - templateTimelineVersion: - nullable: true - type: number - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - version: - type: string - required: - - savedObjectId - - version - Security_Timeline_API_FavoriteTimelineResult: - description: Indicates when and who marked a Timeline as a favorite. 
- example: - favoriteDate: 1741337636741 - userName: elastic - type: object - properties: - favoriteDate: - nullable: true - type: number - fullName: - nullable: true - type: string - userName: - nullable: true - type: string - Security_Timeline_API_FilterTimelineResult: - example: - meta: - alias: Custom filter name - disabled: false - index: .alerts-security.alerts-default,logs-* - key: '@timestamp' - negate: false, - type: exists - value: exists - query: '{"exists":{"field":"@timestamp"}}' - type: object - properties: - exists: - nullable: true - type: string - match_all: - nullable: true - type: string - meta: - nullable: true - type: object - properties: - alias: - nullable: true - type: string - controlledBy: - nullable: true - type: string - disabled: - nullable: true - type: boolean - field: - nullable: true - type: string - formattedValue: - nullable: true - type: string - index: - nullable: true - type: string - key: - nullable: true - type: string - negate: - nullable: true - type: boolean - params: - nullable: true - type: string - type: - nullable: true - type: string - value: - nullable: true - type: string - missing: - nullable: true - type: string - query: - nullable: true - type: string - range: - nullable: true - type: string - script: - nullable: true - type: string - Security_Timeline_API_GetNotesResult: - type: object - properties: - notes: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - type: array - totalCount: - description: Number of notes returned (may be adjusted after the query when `associatedFilter` applies post-filtering). 
- type: number - required: - - totalCount - - notes - Security_Timeline_API_ImportTimelineResult: - type: object - properties: - errors: - description: The list of failed Timeline imports - items: - type: object - properties: - error: - description: The error containing the reason why the timeline could not be imported - type: object - properties: - message: - description: The reason why the timeline could not be imported - example: Malformed JSON - type: string - status_code: - description: The HTTP status code of the error - example: 400 - type: number - id: - description: The ID of the timeline that failed to import - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - type: string - type: array - success: - description: Indicates whether any of the Timelines were successfully imports - type: boolean - success_count: - description: The amount of successfully imported/updated Timelines - example: 99 - type: number - timelines_installed: - description: The amount of successfully installed Timelines - example: 80 - type: number - timelines_updated: - description: The amount of successfully updated Timelines - example: 19 - type: number - Security_Timeline_API_ImportTimelines: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - type: object - properties: - eventNotes: - items: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - nullable: true - type: array - globalNotes: - items: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - nullable: true - type: array - pinnedEventIds: + description: Shard configuration as an array of key-value pairs. items: - type: string - nullable: true + type: object + properties: + key: + type: string + value: + type: number type: array - savedObjectId: - nullable: true + updated_at: + description: The date and time the pack was last updated. + format: date-time type: string - version: + updated_by: + description: The user who last updated the pack. 
nullable: true type: string - required: - - savedObjectId - - version - - pinnedEventIds - - eventNotes - - globalNotes - Security_Timeline_API_Note: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - - type: object - properties: - noteId: - description: The `savedObjectId` of the note - example: 709f99c6-89b6-4953-9160-35945c8e174e + updated_by_profile_uid: + description: The profile UID of the user who last updated the pack. type: string version: - description: The version of the note - example: WzQ2LDFd - type: string + description: The pack version number. + type: integer required: - - noteId - - version - Security_Timeline_API_NoteCreatedAndUpdatedMetadata: + - saved_object_id + - name + required: + - data + Security_Osquery_API_CreateSavedQueryRequestBody: + example: + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: saved_query_id + interval: '60' + platform: linux,darwin + query: select * from uptime; + timeout: 120 + version: 2.8.0 type: object properties: - created: - description: The time the note was created, using a 13-digit Epoch timestamp. - example: 1587468588922 - nullable: true - type: number - createdBy: - description: The user who created the note. 
- example: casetester - nullable: true - type: string - updated: - description: The last time the note was updated, using a 13-digit Epoch timestamp - example: 1741344876825 - nullable: true - type: number - updatedBy: - description: The user who last updated the note - example: casetester - nullable: true - type: string - Security_Timeline_API_PersistPinnedEventResponse: - oneOf: - - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - - type: object + description: + $ref: >- + #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + $ref: '#/components/schemas/Security_Osquery_API_Interval' + platform: + $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + query: + $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' + removed: + $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + version: + $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' + Security_Osquery_API_CreateSavedQueryResponse: + description: The response for creating a saved query. 
+ example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: saved_query_id + interval: '60' + platform: linux,darwin + prebuilt: false + query: select * from uptime; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + version: 2.8.0 + type: object + properties: + data: + type: object properties: - unpinned: - description: Indicates whether the event was successfully unpinned + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: >- + #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + description: >- + An interval, in seconds, on which to run the query. May be + returned as number or string. + oneOf: + - type: integer + - type: string + platform: + $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + prebuilt: + description: Whether the saved query is prebuilt. type: boolean - required: - - unpinned - Security_Timeline_API_PersistTimelineResponse: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - Security_Timeline_API_PinnedEvent: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_BarePinnedEvent' - - type: object - properties: - pinnedEventId: - description: The `savedObjectId` of this pinned event - example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + saved_object_id: + description: The saved object ID of the saved query. 
type: string - version: - description: The version of this pinned event - example: WzQ2LDFe + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + timeout: + description: The query timeout in seconds. + type: integer + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: type: string + version: + description: The saved query version. + oneOf: + - type: integer + - type: string required: - - pinnedEventId - - version - Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata: + - saved_object_id + - id + required: + - data + Security_Osquery_API_DefaultSuccessResponse: + example: {} + type: object + properties: {} + Security_Osquery_API_ECSMapping: + additionalProperties: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' + description: >- + Map osquery results columns or static values to Elastic Common Schema + (ECS) fields + example: + host.uptime: + field: total_seconds + type: object + Security_Osquery_API_ECSMappingArray: + description: >- + ECS mapping in saved-object storage format (array of key-value pairs). + The find and copy pack endpoints return this format. The read endpoint + returns object format (ECSMapping). + items: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArrayItem' + type: array + Security_Osquery_API_ECSMappingArrayItem: + description: ECS mapping item in saved-object storage format (key-value pair). type: object properties: - created: - description: The time the pinned event was created, using a 13-digit Epoch timestamp. - example: 1587468588922 - nullable: true - type: number - createdBy: - description: The user who created the pinned event. 
- example: casetester - nullable: true - type: string - updated: - description: The last time the pinned event was updated, using a 13-digit Epoch timestamp - example: 1741344876825 - nullable: true - type: number - updatedBy: - description: The user who last updated the pinned event - example: casetester - nullable: true + key: + description: The ECS field name. type: string - Security_Timeline_API_QueryMatchResult: + value: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' + Security_Osquery_API_ECSMappingArrayOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' + nullable: true + Security_Osquery_API_ECSMappingItem: type: object properties: - displayField: - nullable: true - type: string - displayValue: - nullable: true - type: string field: - nullable: true - type: string - operator: - nullable: true + description: The ECS field to map to. + example: host.uptime type: string value: + description: The value to map to the ECS field. + example: total_seconds oneOf: - - nullable: true - type: string + - type: string - items: type: string - nullable: true type: array - Security_Timeline_API_ResolvedTimeline: - type: object - properties: - alias_purpose: - $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose' - alias_target_id: - type: string - outcome: - $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome' - timeline: - $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject' - required: - - timeline - - outcome - Security_Timeline_API_ResponseNote: - type: object - properties: - note: - $ref: '#/components/schemas/Security_Timeline_API_Note' - required: - - note - Security_Timeline_API_RowRendererId: - description: Identifies the available row renderers - enum: - - alert - - alerts - - auditd - - auditd_file - - library - - netflow - - plain - - registry - - suricata - - system - - system_dns - - system_endgame_process - - system_file - - 
system_fim - - system_security_event - - system_socket - - threat_match - - zeek - type: string - Security_Timeline_API_SavedObjectIds: - description: One Timeline saved object ID or an array of IDs. - oneOf: - - items: - type: string - type: array - - type: string - Security_Timeline_API_SavedObjectResolveAliasPurpose: - enum: - - savedObjectConversion - - savedObjectImport - type: string - Security_Timeline_API_SavedObjectResolveOutcome: - enum: - - exactMatch - - aliasMatch - - conflict - type: string - Security_Timeline_API_SavedTimeline: - type: object - properties: - columns: - description: The Timeline's columns - example: - - columnHeaderType: not-filtered - id: '@timestamp' - - columnHeaderType: not-filtered - id: event.category - items: - $ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult' - nullable: true - type: array - created: - description: The time the Timeline was created, using a 13-digit Epoch timestamp. - example: 1587468588922 - nullable: true - type: number - createdBy: - description: The user who created the Timeline. - example: casetester - nullable: true - type: string - dataProviders: - description: Object containing query clauses - example: - - enabled: true - excluded: false - id: id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b - name: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b - queryMatch: - field: _id, - operator: ':' - value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b, - items: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderResult' - nullable: true - type: array - dataViewId: - description: ID of the Timeline's Data View - example: security-solution-default - nullable: true - type: string - dateRange: - description: The Timeline's search period. 
- example: - end: 1587456479201 - start: 1587370079200 - nullable: true - type: object - properties: - end: - oneOf: - - nullable: true - type: string - - nullable: true - type: number - start: - oneOf: - - nullable: true - type: string - - nullable: true - type: number - description: - description: The Timeline's description - example: Investigating exposure of CVE XYZ - nullable: true - type: string - eqlOptions: - description: EQL query that is used in the correlation tab - example: - eventCategoryField: event.category - query: sequence\n[process where process.name == "sudo"]\n[any where true] - size: 100 - timestampField: '@timestamp' - nullable: true - type: object - properties: - eventCategoryField: - nullable: true - type: string - query: - nullable: true - type: string - size: - oneOf: - - nullable: true - type: string - - nullable: true - type: number - tiebreakerField: - nullable: true - type: string - timestampField: - nullable: true - type: string - eventType: - deprecated: true - description: Event types displayed in the Timeline - example: all - nullable: true - type: string - excludedRowRendererIds: - description: A list of row renderers that should not be used when in `Event renderers` mode - items: - $ref: '#/components/schemas/Security_Timeline_API_RowRendererId' - nullable: true - type: array - favorite: - items: - $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' - nullable: true - type: array - filters: - description: A list of filters that should be applied to the query - items: - $ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult' - nullable: true - type: array - indexNames: - description: A list of index names to use in the query (e.g. 
when the default data view has been modified) - example: - - .logs* - items: - type: string - nullable: true - type: array - kqlMode: - description: |- - Indicates whether the KQL bar filters the query results or searches for additional results, where: - * `filter`: filters query results - * `search`: displays additional search results - example: search - nullable: true - type: string - kqlQuery: - $ref: '#/components/schemas/Security_Timeline_API_SerializedFilterQueryResult' - nullable: true - savedQueryId: - description: The ID of the saved query that might be used in the Query tab - example: c7b16904-02d7-4f32-b8f2-cc20f9625d6e - nullable: true - type: string - savedSearchId: - description: The ID of the saved search that is used in the ES|QL tab - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true - type: string - sort: - $ref: '#/components/schemas/Security_Timeline_API_Sort' - nullable: true - status: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true - templateTimelineId: - description: A unique ID (UUID) for Timeline templates. For Timelines, the value is `null`. - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true - type: string - templateTimelineVersion: - description: Timeline template version number. For Timelines, the value is `null`. - example: 12 - nullable: true - type: number - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - title: - description: The Timeline's title. 
- example: CVE XYZ investigation - nullable: true - type: string - updated: - description: The last time the Timeline was updated, using a 13-digit Epoch timestamp - example: 1741344876825 - nullable: true - type: number - updatedBy: - description: The user who last updated the Timeline - example: casetester - nullable: true - type: string - Security_Timeline_API_SavedTimelineWithSavedObjectId: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - type: object - properties: - savedObjectId: - description: The `savedObjectId` of the Timeline or Timeline template - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - type: string - version: - description: The version of the Timeline or Timeline template - example: WzE0LDFd - type: string - required: - - savedObjectId - - version - Security_Timeline_API_SerializedFilterQueryResult: - description: KQL bar query. + Security_Osquery_API_ECSMappingOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + nullable: true + Security_Osquery_API_Enabled: + description: Enables the pack. 
+ example: true + type: boolean + Security_Osquery_API_EnabledOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + nullable: true + Security_Osquery_API_FindLiveQueryDetailsResponse: example: - filterQuery: null - kuery: - expression: '_id : *' - kind: kuery - serializedQuery: '{"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}}' + data: + '@timestamp': '2022-07-26T09:59:32.220Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2022-07-26T10:04:32.220Z' + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + docs: 0 + ecs_mapping: + host.uptime: + field: total_seconds + failed: 1 + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + pending: 0 + query: select * from uptime; + responded: 1 + saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + status: completed + successful: 0 + status: completed + user_id: elastic type: object properties: - filterQuery: - nullable: true + data: type: object properties: - kuery: - nullable: true - type: object - properties: - expression: - nullable: true - type: string - kind: - nullable: true - type: string - serializedQuery: - nullable: true + '@timestamp': + format: date-time type: string - Security_Timeline_API_Sort: - oneOf: - - $ref: '#/components/schemas/Security_Timeline_API_SortObject' - - items: - $ref: '#/components/schemas/Security_Timeline_API_SortObject' - type: array - Security_Timeline_API_SortFieldTimeline: - description: The field to sort the timelines by. 
- enum: - - title - - description - - updated - - created - type: string - Security_Timeline_API_SortObject: - description: Object indicating how rows are sorted in the Timeline's grid - example: - columnId: '@timestamp' - sortDirection: desc - type: object - properties: - columnId: - nullable: true - type: string - columnType: - nullable: true - type: string - sortDirection: - nullable: true - type: string - Security_Timeline_API_TimelineResponse: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId' - - type: object - properties: - eventIdToNoteIds: - description: A list of all the notes that are associated to this Timeline. - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - noteIds: - description: A list of all the ids of notes that are associated to this Timeline. - example: - - 709f99c6-89b6-4953-9160-35945c8e174e + action_id: + type: string + agents: items: type: string - nullable: true type: array - notes: - description: A list of all the notes that are associated to this Timeline. + expiration: + format: date-time + type: string + pack_id: + type: string + pack_name: + type: string + prebuilt_pack: + type: boolean + queries: + description: The queries with their execution status. items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true + type: object + properties: + action_id: + type: string + agents: + items: + type: string + type: array + docs: + description: Number of result documents. + type: integer + ecs_mapping: + $ref: >- + #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined + failed: + description: Number of failed queries. + type: integer + id: + type: string + pending: + description: Number of pending agents. + type: integer + query: + type: string + responded: + description: Total responded agents. 
+ type: integer + saved_query_id: + type: string + status: + description: Status of this individual query. + enum: + - completed + - running + type: string + successful: + description: Number of successful agents. + type: integer type: array - pinnedEventIds: - description: A list of all the ids of pinned events that are associated to this Timeline. - example: - - 983f99c6-89b6-4953-9160-35945c8a194f + status: + description: Global status of the live query (completed, running). + enum: + - completed + - running + type: string + tags: items: type: string - nullable: true - type: array - pinnedEventsSaveObject: - description: A list of all the pinned events that are associated to this Timeline. - items: - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - nullable: true type: array - Security_Timeline_API_TimelineSavedToReturnObject: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - type: object + user_id: + type: string + user_profile_uid: + type: string + Security_Osquery_API_FindLiveQueryResponse: + example: + data: + items: + - _source: + '@timestamp': '2023-10-31T00:00:00Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2023-10-31T00:00:00Z' + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + ecs_mapping: + host.uptime: + field: total_seconds + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + query: select * from uptime; + saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + result_counts: + error_agents: 0 + responded_agents: 1 + successful_agents: 1 + total_rows: 42 + user_id: elastic + total: 1 + type: object + properties: + data: + type: object properties: - eventIdToNoteIds: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - noteIds: + items: + description: An array of live query action items. 
items: - type: string - nullable: true + type: object + properties: + _source: + type: object + properties: + '@timestamp': + format: date-time + type: string + action_id: + type: string + agents: + items: + type: string + type: array + expiration: + format: date-time + type: string + pack_id: + type: string + queries: + items: + type: object + properties: + action_id: + type: string + agents: + items: + type: string + type: array + ecs_mapping: + $ref: >- + #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined + id: + type: string + query: + type: string + saved_query_id: + type: string + type: array + result_counts: + description: >- + Result count statistics (present when withResultCounts + is true). + type: object + properties: + error_agents: + type: integer + responded_agents: + type: integer + successful_agents: + type: integer + total_rows: + type: integer + user_id: + type: string type: array - notes: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' + total: + description: The total number of live queries. + type: integer + Security_Osquery_API_FindPackResponse: + description: The details of a single query pack. + example: + data: + created_at: '2022-07-25T19:41:10.263Z' + created_by: elastic + description: '' + enabled: true + name: test_pack + namespaces: + - default + policy_ids: [] + queries: + uptime: + ecs_mapping: + message: + field: days + interval: 3600 + query: select * from uptime + read_only: false + saved_object_id: 3c42c847-eb30-4452-80e0-728584042334 + shards: {} + type: osquery-pack + updated_at: '2022-07-25T20:12:01.455Z' + updated_by: elastic + version: 1 + type: object + properties: + data: + description: The pack details. 
+ type: object + properties: + created_at: + format: date-time + type: string + created_by: nullable: true - type: array - pinnedEventIds: + type: string + created_by_profile_uid: + type: string + description: + $ref: >- + #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined + enabled: + $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + namespaces: + description: The namespaces the pack belongs to. items: type: string - nullable: true type: array - pinnedEventsSaveObject: - items: - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' + read_only: + description: Whether the pack is read-only (true for prebuilt packs). + type: boolean + saved_object_id: + description: The saved object ID of the pack. + type: string + shards: + $ref: '#/components/schemas/Security_Osquery_API_Shards' + type: + description: The saved object type. + type: string + updated_at: + format: date-time + type: string + updated_by: nullable: true - type: array - savedObjectId: type: string - version: + updated_by_profile_uid: type: string + version: + description: The pack version number. + type: integer required: - - savedObjectId - - version - Security_Timeline_API_TimelineStatus: - description: The status of the Timeline. - enum: - - active - - draft - - immutable - type: string - Security_Timeline_API_TimelineType: - description: The type of Timeline. 
- enum: - - default - - template - type: string - SLOs_400_response: - title: Bad request - type: object - properties: - error: - example: Bad Request - type: string - message: - example: 'Invalid value ''foo'' supplied to: [...]' - type: string - statusCode: - example: 400 - type: number - required: - - statusCode - - error - - message - SLOs_401_response: - title: Unauthorized - type: object - properties: - error: - example: Unauthorized - type: string - message: - example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" - type: string - statusCode: - example: 401 - type: number - required: - - statusCode - - error - - message - SLOs_403_response: - title: Forbidden - type: object - properties: - error: - example: Forbidden - type: string - message: - example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [slo_write] is unauthorized for user [limited_user] for REST request [/api/observability/slos]]: action [slo_write] is unauthorized for user [limited_user]" - type: string - statusCode: - example: 403 - type: number - required: - - statusCode - - error - - message - SLOs_404_response: - title: Not found - type: object - properties: - error: - example: Not Found - type: string - message: - example: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - type: string - statusCode: - example: 404 - type: number + - saved_object_id + - name required: - - statusCode - - error - - message - SLOs_409_response: - title: Conflict + - data + Security_Osquery_API_FindPacksResponse: + description: A paginated list of query packs. 
+ example: + data: + - created_at: '2023-10-31T00:00:00Z' + created_by: elastic + created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + description: My pack description + enabled: true + name: My Pack + policy_ids: [] + queries: + - ecs_mapping: + - key: host.uptime + value: + field: total_seconds + id: uptime + interval: 3600 + query: select * from uptime; + read_only: false + saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + updated_at: '2023-10-31T00:00:00Z' + updated_by: elastic + updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + page: 1 + per_page: 10 + total: 1 type: object properties: - error: - example: Conflict - type: string - message: - example: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists - type: string - statusCode: - example: 409 - type: number - required: - - statusCode - - error - - message - SLOs_artifacts: - description: Links to related assets for the SLO - properties: - dashboards: - description: Array of dashboard references + data: + description: An array of pack objects. items: type: object properties: - id: - description: Dashboard saved-object id + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: >- + #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined + enabled: + $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + queries: + description: >- + Pack queries in saved-object storage format (array). Note: the + read endpoint returns object format. 
+ items: + type: object + properties: + ecs_mapping: + $ref: >- + #/components/schemas/Security_Osquery_API_ECSMappingArrayOrUndefined + id: + type: string + interval: + type: integer + platform: + type: string + query: + type: string + removed: + type: boolean + snapshot: + type: boolean + timeout: + type: integer + version: + type: string + type: array + read_only: + description: Whether the pack is read-only (true for prebuilt packs). + type: boolean + saved_object_id: + description: The saved object ID of the pack. + type: string + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: type: string + version: + description: The pack version number. + type: integer required: - - id - type: array - title: Artifacts - type: object - SLOs_budgeting_method: - description: The budgeting method to use when computing the rollup data. - enum: - - occurrences - - timeslices - example: occurrences - title: Budgeting method - type: string - SLOs_bulk_delete_request: - description: | - The bulk delete SLO request takes a list of SLOs Definition id to delete. - properties: - list: - description: An array of SLO Definition id - items: - description: The SLO Definition id - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string + - saved_object_id + - name type: array + page: + description: The current page number. + type: integer + per_page: + description: The number of results per page. + type: integer + total: + description: The total number of packs. + type: integer required: - - list - title: Bulk delete SLO request + - page + - per_page + - total + - data + Security_Osquery_API_FindSavedQueryDetailResponse: + description: The details of a single saved query. 
+ example: + data: + created_at: '2022-07-26T09:28:08.597Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: saved_query_id + interval: '60' + platform: linux,darwin + prebuilt: false + query: select * from uptime; + saved_object_id: 3c42c847-eb30-4452-80e0-728584042334 + updated_at: '2022-07-26T09:28:08.597Z' + updated_by: elastic + version: 2.8.0 type: object - SLOs_bulk_delete_response: - description: | - The bulk delete SLO response returns a taskId that can be used to poll for its status properties: - taskId: - description: The taskId of the bulk delete operation - example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 - type: string - title: Bulk delete SLO response + data: + type: object + properties: + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: >- + #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + oneOf: + - type: integer + - type: string + platform: + $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + prebuilt: + type: boolean + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + saved_object_id: + type: string + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + timeout: + type: integer + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + oneOf: + - type: integer + - type: string + required: + - saved_object_id + - id + required: + - data + Security_Osquery_API_FindSavedQueryResponse: + description: A paginated list of saved queries. 
+ example: + data: + - created_at: '2022-07-26T09:28:08.597Z' + created_by: elastic + created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: saved_query_id + interval: '60' + platform: linux,darwin + prebuilt: false + query: select * from uptime; + saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + updated_at: '2022-07-26T09:28:08.597Z' + updated_by: elastic + updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + version: 2.8.0 + page: 1 + per_page: 100 + total: 11 type: object - SLOs_bulk_delete_status_response: - description: Indicates if the bulk deletion is completed, with the detailed results of the operation. properties: - error: - description: The error message if the bulk deletion operation failed - example: Task not found - type: string - isDone: - description: Indicates if the bulk deletion operation is completed - example: true - type: boolean - results: - description: The results of the bulk deletion operation, including the success status and any errors for each SLO + data: + description: An array of saved query objects. 
items: type: object properties: - error: - description: The error message if the deletion operation failed for this SLO - example: SLO [d08506b7-f0e8-4f8b-a06a-a83940f4db91] not found + created_at: + format: date-time type: string - id: - description: The ID of the SLO that was deleted - example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 + created_by: + nullable: true type: string - success: - description: The result of the deletion operation for this SLO - example: true + created_by_profile_uid: + type: string + description: + $ref: >- + #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + ecs_mapping: + $ref: >- + #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + oneOf: + - type: integer + - type: string + platform: + $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + prebuilt: type: boolean + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + saved_object_id: + type: string + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + timeout: + type: integer + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + oneOf: + - type: integer + - type: string + required: + - saved_object_id + - id type: array - title: The status of the bulk deletion - type: object - SLOs_bulk_purge_rollup_request: - description: | - The bulk purge rollup data request takes a list of SLO ids and a purge policy, then deletes the rollup data according to the purge policy. This API can be used to remove the staled data of an instance SLO that no longer get updated. 
- properties: - list: - description: An array of slo ids - items: - description: The SLO Definition id - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - type: array - purgePolicy: - description: Policy that dictates which SLI documents to purge based on age - oneOf: - - type: object - properties: - age: - description: The duration to determine which documents to purge, formatted as {duration}{unit}. This value should be greater than or equal to the time window of every SLO provided. - example: 7d - type: string - purgeType: - description: Specifies whether documents will be purged based on a specific age or on a timestamp - enum: - - fixed-age - type: string - - type: object - properties: - purgeType: - description: Specifies whether documents will be purged based on a specific age or on a timestamp - enum: - - fixed-time - type: string - timestamp: - description: The timestamp to determine which documents to purge, formatted in ISO. This value should be older than the applicable time window of every SLO provided. - example: '2024-12-31T00:00:00.000Z' - type: string - type: object + page: + description: The current page number. + type: integer + per_page: + description: The number of results per page. + type: integer + total: + description: The total number of saved queries. + type: integer required: - - list - - purgePolicy - title: Bulk Purge Rollup data request - type: object - SLOs_bulk_purge_rollup_response: - description: | - The bulk purge rollup data response returns a task id from the elasticsearch deleteByQuery response. - properties: - taskId: - description: The task id of the purge operation - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - title: Bulk Purge Rollup data response + - page + - per_page + - total + - data + Security_Osquery_API_GetLiveQueryResultsResponse: + description: The response for getting live query results. 
+ example: + data: + edges: + - _id: doc1 + _source: {} + - _id: doc2 + _source: {} + total: 2 type: object - SLOs_create_slo_request: - description: | - The create SLO API request body varies depending on the type of indicator, time window and budgeting method. properties: - artifacts: - $ref: '#/components/schemas/SLOs_artifacts' - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - description: - description: A description for the SLO. - type: string - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - id: - description: A optional and unique identifier for the SLO. Must be between 8 and 36 chars - example: my-super-slo-id - type: string - indicator: - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - name: - description: A name for the SLO. - type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags - items: - type: string - type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - required: - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - title: Create SLO request - type: object - SLOs_create_slo_response: - title: Create SLO response + data: + type: object + properties: + edges: + description: The result rows from the query execution. + items: + type: object + properties: + _id: + type: string + _source: + description: >- + The Elasticsearch document source containing query + results. + type: object + type: array + total: + description: The total number of result rows. 
+ type: integer + Security_Osquery_API_GetScheduledActionResultsResponse: + example: + aggregations: + failed: 1 + pending: 0 + successful: 9 + totalResponded: 10 + totalRowCount: 42 + currentPage: 0 + edges: + - _id: result-001 + fields: + agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 + rows_count: 5 + status: success + metadata: + executionCount: 3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + timestamp: '2024-07-26T09:00:00.000Z' + pageSize: 20 + total: 10 + totalPages: 1 type: object properties: - id: - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - required: - - id - SLOs_delete_slo_instances_request: - description: | - The delete SLO instances request takes a list of SLO id and instance id, then delete the rollup and summary data. This API can be used to remove the staled data of an instance SLO that no longer get updated. - properties: - list: - description: An array of slo id and instance id + aggregations: + $ref: >- + #/components/schemas/Security_Osquery_API_ScheduledActionResultsAggregations + currentPage: + description: The current page number (zero-based). + type: integer + edges: + description: The paginated list of per-agent action results. items: type: object - properties: - instanceId: - description: The SLO instance identifier - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - sloId: - description: The SLO unique identifier - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - required: - - sloId - - instanceId type: array - required: - - list - title: Delete SLO instances request - type: object - SLOs_error_budget: - title: Error budget + inspect: + description: Debug/inspection data for the search query. + type: object + metadata: + $ref: '#/components/schemas/Security_Osquery_API_ScheduledExecutionMetadata' + pageSize: + description: The number of results per page. 
+ type: integer + total: + description: The total number of action results. + type: integer + totalPages: + description: The total number of pages. + type: integer + Security_Osquery_API_GetScheduledQueryResultsResponse: + description: The response for getting scheduled query results. + example: + data: + edges: + - _id: row-001 + fields: + host.uptime: + - '12345' + - _id: row-002 + fields: + host.uptime: + - '67890' + total: 2 type: object properties: - consumed: - description: The error budget consummed, as a percentage of the initial value. - example: 0.8 - type: number - initial: - description: The initial error budget, as 1 - objective - example: 0.02 - type: number - isEstimated: - description: Only for SLO defined with occurrences budgeting method and calendar aligned time window. - example: true - type: boolean - remaining: - description: The error budget remaining, as a percentage of the initial value. - example: 0.2 - type: number - required: - - initial - - consumed - - remaining - - isEstimated - SLOs_filter: - description: Defines properties for a filter - properties: - meta: - $ref: '#/components/schemas/SLOs_filter_meta' - query: + data: + description: The query results data wrapper. type: object - title: Filter + properties: + edges: + description: The paginated list of query result rows. + items: + type: object + type: array + inspect: + description: Debug/inspection data for the search query. + type: object + total: + description: The total number of result rows. 
+ type: integer + Security_Osquery_API_GetUnifiedHistoryResponse: + example: + data: + - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agentCount: 5 + errorCount: 0 + id: 3c42c847-eb30-4452-80e0-728584042334 + queryName: uptime_query + queryText: select * from uptime; + source: Live + sourceType: live + successCount: 5 + timestamp: '2024-07-26T09:59:32.220Z' + totalRows: 42 + userId: elastic + - agentCount: 10 + errorCount: 1 + executionCount: 3 + id: pack_my_pack_uptime_3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + plannedTime: '2024-07-26T09:00:00.000Z' + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + source: Scheduled + sourceType: scheduled + successCount: 9 + timestamp: '2024-07-26T09:00:00.000Z' + totalRows: 100 + hasMore: true + nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... type: object - SLOs_filter_meta: - description: Defines properties for a filter properties: - alias: - nullable: true - type: string - controlledBy: - type: string - disabled: - type: boolean - field: - type: string - group: - type: string - index: - type: string - isMultiIndex: - type: boolean - key: - type: string - negate: + data: + description: The list of unified history rows for the current page. + items: + $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRow' + type: array + hasMore: + description: Whether there are more results beyond the current page. type: boolean - params: - type: object - type: - type: string - value: + nextPage: + description: >- + A base64-encoded cursor to fetch the next page. Absent when there + are no more results. type: string - title: FilterMeta - type: object - SLOs_find_slo_definitions_response: - description: | - A paginated response of SLO definitions matching the query. - oneOf: + required: + - data + - hasMore + Security_Osquery_API_Interval: + description: An interval, in seconds, on which to run the query. 
+ example: '60' + type: string + Security_Osquery_API_IntervalOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Interval' + nullable: true + Security_Osquery_API_KueryOrUndefined: + description: The kuery to filter the results by. + example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13' + nullable: true + type: string + Security_Osquery_API_LiveHistoryRow: + allOf: + - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' - type: object properties: - page: - example: 1 - type: number - perPage: - example: 25 - type: number - results: + actionId: + description: The Fleet action ID for the live query. + type: string + agentAll: + description: Whether the query targeted all agents. + type: boolean + agentIds: + description: List of targeted agent IDs. items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' + type: string type: array - total: - example: 34 - type: number - - type: object - properties: - page: - default: 1 - description: for backward compability - type: number - perPage: - description: for backward compability - example: 25 - type: number - results: + agentPlatforms: + description: List of targeted agent platforms. items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' + type: string type: array - searchAfter: - description: the cursor to provide to get the next paged results - example: - - some-slo-id - - other-cursor-id + agentPolicyIds: + description: List of targeted agent policy IDs. items: type: string type: array - size: - example: 25 - type: number - total: - example: 34 - type: number - title: Find SLO definitions response - type: object - SLOs_find_slo_response: - description: | - A paginated response of SLOs matching the query. 
- properties: - page: - example: 1 - type: number - perPage: - example: 25 - type: number - results: - items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - type: array - searchAfter: - type: string - size: - description: Size provided for cursor based pagination - example: 25 - type: number - total: - example: 34 - type: number - title: Find SLO response - type: object - SLOs_group_by: - description: optional group by field or fields to use to generate an SLO per distinct value - example: - - - service.name - - service.name - - - service.name - - service.environment - oneOf: - - type: string - - items: - type: string - type: array - title: Group by - SLOs_indicator_properties_apm_availability: - description: Defines properties for the APM availability indicator type - type: object - properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - environment: - description: The APM service environment or "*" - example: production - type: string - filter: - description: KQL query used for filtering the data - example: 'service.foo : "bar"' + ecsMapping: + additionalProperties: true + description: ECS mapping configuration used for the query. + type: object + queriesTotal: + description: The total number of sub-queries in the live action. + type: integer + queriesWithResults: + description: The number of sub-queries that returned results. + type: integer + savedQueryId: + description: >- + The saved query ID, if the live query was based on a saved + query. type: string - index: - description: The index used by APM metrics - example: metrics-apm*,apm* + source: + description: >- + Whether this was a manually run live query or triggered by a + rule. + enum: + - Live + - Rule type: string - service: - description: The APM service name - example: o11y-app + sourceType: + description: Identifies this as a live query history row. 
+ enum: + - live type: string - transactionName: - description: The APM transaction name or "*" - example: GET /my/api + timeout: + description: The query timeout in seconds. + type: integer + userId: + description: The ID of the user who ran the query. type: string - transactionType: - description: The APM transaction type or "*" - example: request + userProfileUid: + description: The user profile UID of the user who ran the query. type: string required: - - service - - environment - - transactionType - - transactionName - - index - type: - description: The type of indicator. - example: sli.apm.transactionDuration - type: string - required: - - type - - params - title: APM availability - SLOs_indicator_properties_apm_latency: - description: Defines properties for the APM latency indicator type + - sourceType + - source + Security_Osquery_API_ObjectQueries: + additionalProperties: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem' + description: An object of queries. + type: object + Security_Osquery_API_ObjectQueriesItem: type: object properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + id: + $ref: '#/components/schemas/Security_Osquery_API_QueryId' + platform: + $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + saved_query_id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + version: + $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' + Security_Osquery_API_PackDescription: + description: The pack description. 
+ example: Pack description + type: string + Security_Osquery_API_PackDescriptionOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + nullable: true + Security_Osquery_API_PackId: + description: The ID of the pack. + example: 3c42c847-eb30-4452-80e0-728584042334 + type: string + Security_Osquery_API_PackIdOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + nullable: true + Security_Osquery_API_PackName: + description: The pack name. + example: my_pack + type: string + Security_Osquery_API_PageOrUndefined: + description: The page number to return. The default is 1. + example: 1 + nullable: true + type: integer + Security_Osquery_API_PageSizeOrUndefined: + description: The number of results to return per page. The default is 20. + example: 20 + nullable: true + type: integer + Security_Osquery_API_Platform: + description: >- + Restricts the query to a specified platform. The default is all + platforms. To specify multiple platforms, use commas. For example, + `linux,darwin`. + example: linux,darwin + type: string + Security_Osquery_API_PlatformOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + nullable: true + Security_Osquery_API_PolicyIds: + description: A list of agents policy IDs. + example: + - policyId1 + - policyId2 + items: + type: string + type: array + Security_Osquery_API_PolicyIdsOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + nullable: true + Security_Osquery_API_Query: + description: The SQL query you want to run. + example: select * from uptime; + type: string + Security_Osquery_API_QueryId: + description: The ID of the query. + example: 3c42c847-eb30-4452-80e0-728584042334 + type: string + Security_Osquery_API_QueryOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Query' + nullable: true + Security_Osquery_API_Removed: + description: Indicates whether the query is removed. 
+ example: false + type: boolean + Security_Osquery_API_RemovedOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + nullable: true + Security_Osquery_API_SavedQueryDescription: + description: The saved query description. + example: Saved query description + type: string + Security_Osquery_API_SavedQueryDescriptionOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + nullable: true + Security_Osquery_API_SavedQueryId: + description: The ID of a saved query. + example: 3c42c847-eb30-4452-80e0-728584042334 + type: string + Security_Osquery_API_SavedQueryIdOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + nullable: true + Security_Osquery_API_ScheduledActionResultsAggregations: + type: object + properties: + failed: + description: The number of agents that returned errors. + type: integer + pending: + description: The number of agents with pending responses. + type: integer + successful: + description: The number of agents that completed successfully. + type: integer + totalResponded: + description: The total number of agents that responded. + type: integer + totalRowCount: + description: The total number of result rows across all agents. + type: integer + Security_Osquery_API_ScheduledExecutionMetadata: + description: Execution metadata resolved from the pack saved object. + type: object + properties: + executionCount: + description: The execution count for this scheduled query run. + type: integer + packId: + description: The ID of the pack containing the query. + type: string + packName: + description: The name of the pack containing the query. + type: string + queryName: + description: The name of the query within the pack. + type: string + queryText: + description: The SQL query that was executed. + type: string + scheduleId: + description: The schedule ID for the scheduled query. 
+ type: string + timestamp: + description: The timestamp of the most recent response for this execution. + type: string + Security_Osquery_API_ScheduledHistoryRow: + allOf: + - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' + - type: object properties: - environment: - description: The APM service environment or "*" - example: production - type: string - filter: - description: KQL query used for filtering the data - example: 'service.foo : "bar"' - type: string - index: - description: The index used by APM metrics - example: metrics-apm*,apm* + executionCount: + description: The execution count for this scheduled query run. + type: integer + plannedTime: + description: The planned execution time for the scheduled query. type: string - service: - description: The APM service name - example: o11y-app + scheduleId: + description: The schedule ID for the scheduled query. type: string - threshold: - description: The latency threshold in milliseconds - example: 250 - type: number - transactionName: - description: The APM transaction name or "*" - example: GET /my/api + source: + description: Indicates this is a scheduled query execution. + enum: + - Scheduled type: string - transactionType: - description: The APM transaction type or "*" - example: request + sourceType: + description: Identifies this as a scheduled query history row. + enum: + - scheduled type: string required: - - service - - environment - - transactionType - - transactionName - - index - - threshold - type: - description: The type of indicator. - example: sli.apm.transactionDuration + - sourceType + - source + Security_Osquery_API_Shards: + additionalProperties: + type: number + description: >- + An object with shard configuration for policies included in the pack. + For each policy, set the shard configuration to a percentage (1–100) of + target hosts. 
+ example: + policy_id: 50 + type: object + Security_Osquery_API_Snapshot: + description: Indicates whether the query is a snapshot. + example: true + type: boolean + Security_Osquery_API_SnapshotOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + nullable: true + Security_Osquery_API_SortOrderOrUndefined: + description: Specifies the sort order. + enum: + - asc + - desc + example: desc + type: string + Security_Osquery_API_SortOrUndefined: + default: createdAt + description: The field that is used to sort the results. + example: createdAt + nullable: true + type: string + Security_Osquery_API_UnifiedHistoryRow: + discriminator: + mapping: + live: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' + scheduled: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' + propertyName: sourceType + oneOf: + - $ref: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' + - $ref: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' + Security_Osquery_API_UnifiedHistoryRowBase: + type: object + properties: + agentCount: + description: The number of agents targeted by the query. + type: integer + errorCount: + description: The number of agent responses with errors. + nullable: true + type: integer + id: + description: Unique identifier for the history row. + type: string + packId: + description: The ID of the pack containing the query. + type: string + packName: + description: The name of the pack containing the query. + type: string + queryName: + description: The name of the query, if available. + type: string + queryText: + description: The SQL query that was executed. + type: string + spaceId: + description: The Kibana space ID where the query was executed. type: string + successCount: + description: The number of successful agent responses. + nullable: true + type: integer + timestamp: + description: The timestamp of the query execution. 
+ type: string + totalRows: + description: The total number of result rows returned across all agents. + nullable: true + type: integer required: - - type - - params - title: APM latency - SLOs_indicator_properties_custom_kql: - description: Defines properties for a custom query indicator type + - id + - timestamp + - queryText + - agentCount + Security_Osquery_API_UpdatePacksRequestBody: + example: + name: updated_my_pack_name type: object properties: - params: - description: An object containing the indicator parameters. - nullable: false + description: + $ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' + shards: + $ref: '#/components/schemas/Security_Osquery_API_Shards' + Security_Osquery_API_UpdatePacksResponse: + description: The response for updating a pack. + example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: true + name: updated_my_pack_name + policy_ids: + - my_policy_id + queries: + ports: + ecs_mapping: + client.port: + field: port + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: + 47638692-7c4c-4053-aa3e-7186f28df349: 35 + 5e267651-fe50-443e-8d3f-3bbc9171b618: 58 + updated_at: '2025-02-26T13:40:16.297Z' + updated_by: elastic + version: 1 + type: object + properties: + data: type: object properties: - dataViewId: - description: The kibana data view id to use, primarily used to include data view runtime mappings. 
Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 + created_at: + format: date-time type: string - filter: - $ref: '#/components/schemas/SLOs_kql_with_filters' - good: - $ref: '#/components/schemas/SLOs_kql_with_filters_good' - index: - description: The index or index pattern to use - example: my-service-* + created_by: + nullable: true type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp + created_by_profile_uid: type: string - total: - $ref: '#/components/schemas/SLOs_kql_with_filters_total' - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.kql.custom - type: string - required: - - type - - params - title: Custom Query - SLOs_indicator_properties_custom_metric: - description: Defines properties for a custom metric indicator type - type: object - properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - dataViewId: - description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 + description: + $ref: >- + #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined + enabled: + $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' + saved_object_id: + description: The saved object ID of the pack. 
type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' + shards: + $ref: '#/components/schemas/Security_Osquery_API_Shards' + updated_at: + format: date-time type: string - good: - description: | - An object defining the "good" metrics and equation - type: object - properties: - equation: - description: The equation to calculate the "good" metric. - example: A - type: string - metrics: - description: List of metrics with their name, aggregation type, and field. - items: - oneOf: - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - sum - example: sum - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - - field - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - doc_count - example: doc_count - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - type: array - required: - - metrics - - equation - index: - description: The index or index pattern to use - example: my-service-* + updated_by: + nullable: true type: string - timestampField: - description: | - The timestamp field used in the source indice. 
- example: timestamp + updated_by_profile_uid: type: string - total: - description: | - An object defining the "total" metrics and equation - type: object - properties: - equation: - description: The equation to calculate the "total" metric. - example: A - type: string - metrics: - description: List of metrics with their name, aggregation type, and field. - items: - oneOf: - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - sum - example: sum - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - - field - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - doc_count - example: doc_count - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - type: array - required: - - metrics - - equation - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.metric.custom - type: string - required: - - type - - params - title: Custom metric - SLOs_indicator_properties_histogram: - description: Defines properties for a histogram indicator type + version: + description: The pack version number. + type: integer + Security_Osquery_API_UpdateSavedQueryRequestBody: + example: + id: updated_my_saved_query_name type: object properties: - params: - description: An object containing the indicator parameters. 
- nullable: false + description: + $ref: >- + #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + $ref: '#/components/schemas/Security_Osquery_API_IntervalOrUndefined' + platform: + $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + query: + $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' + removed: + $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + version: + $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' + Security_Osquery_API_UpdateSavedQueryResponse: + description: The response for updating a saved query. + example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + id: updated_my_saved_query_name + interval: '60' + query: select * from uptime; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + updated_at: '2025-02-26T13:40:16.297Z' + updated_by: elastic + version: WzQzMTcsMV0= + type: object + properties: + data: type: object properties: - dataViewId: - description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 + created_at: + format: date-time type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' + created_by: + nullable: true type: string - good: - description: | - An object defining the "good" events - type: object - properties: - aggregation: - description: The type of aggregation to use. 
- enum: - - value_count - - range - example: value_count - type: string - field: - description: The field use to aggregate the good events. - example: processor.latency - type: string - filter: - description: The filter for good events. - example: 'processor.outcome: "success"' - type: string - from: - description: The starting value of the range. Only required for "range" aggregations. - example: 0 - type: number - to: - description: The ending value of the range. Only required for "range" aggregations. - example: 100 - type: number - required: - - aggregation - - field - index: - description: The index or index pattern to use - example: my-service-* + created_by_profile_uid: type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp + description: + $ref: >- + #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + oneOf: + - type: integer + - type: string + platform: + $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + prebuilt: + type: boolean + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + saved_object_id: type: string - total: - description: | - An object defining the "total" events - type: object - properties: - aggregation: - description: The type of aggregation to use. - enum: - - value_count - - range - example: value_count - type: string - field: - description: The field use to aggregate the good events. - example: processor.latency - type: string - filter: - description: The filter for total events. - example: 'processor.outcome : *' - type: string - from: - description: The starting value of the range. Only required for "range" aggregations. 
- example: 0 - type: number - to: - description: The ending value of the range. Only required for "range" aggregations. - example: 100 - type: number - required: - - aggregation - - field - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.histogram.custom - type: string - required: - - type - - params - title: Histogram indicator - SLOs_indicator_properties_timeslice_metric: - description: Defines properties for a timeslice metric indicator type - type: object - properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - dataViewId: - description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + timeout: + type: integer + updated_at: + format: date-time type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' + updated_by: + nullable: true type: string - index: - description: The index or index pattern to use - example: my-service-* + updated_by_profile_uid: type: string - metric: - description: | - An object defining the metrics, equation, and threshold to determine if it's a good slice or not - type: object - properties: - comparator: - description: The comparator to use to compare the equation to the threshold. - enum: - - GT - - GTE - - LT - - LTE - example: GT - type: string - equation: - description: The equation to calculate the metric. - example: A - type: string - metrics: - description: List of metrics with their name, aggregation type, and field. 
- items: - anyOf: - - $ref: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' - - $ref: '#/components/schemas/SLOs_timeslice_metric_percentile_metric' - - $ref: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric' - discriminator: - mapping: - avg: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' - cardinality: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' - doc_count: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric' - last_value: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' - max: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' - min: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' - percentile: '#/components/schemas/SLOs_timeslice_metric_percentile_metric' - std_deviation: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' - sum: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' - propertyName: aggregation - type: array - threshold: - description: The threshold used to determine if the metric is a good slice or not. - example: 100 - type: number - required: - - metrics - - equation - - comparator - - threshold - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp + version: + description: The saved query version. type: string required: - - index - - timestampField - - metric - type: - description: The type of indicator. - example: sli.metric.timeslice - type: string + - saved_object_id + - id required: - - type - - params - title: Timeslice metric - SLOs_kql_with_filters: - description: Defines properties for a filter - oneOf: - - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string + - data + Security_Osquery_API_Version: + description: >- + Uses the Osquery versions greater than or equal to the specified version + string. 
+ example: 1.0.0 + type: string + Security_Osquery_API_VersionOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Version' + nullable: true + Security_Timeline_API_AssociatedFilterType: + description: > + How the note is associated with a Timeline saved object and/or an event + (`eventId`). `all`: no association-based restriction from this + parameter. `document_only`: document-linked notes (non-empty `eventId`) + without timeline association in the API's internal sense; post-filtering + drops notes without a usable `eventId`. `saved_object_only`: timeline + notes with no linked event (`eventId` empty or absent); post-filtering + keeps timeline-only notes. `document_and_saved_object`: notes on a + timeline and linked to an event; post-filtering enforces a real + `eventId`. `orphan`: not on a timeline and `eventId` is empty (stricter + than missing `eventId` in some cases). + enum: + - all + - document_only + - saved_object_only + - document_and_saved_object + - orphan + type: string + Security_Timeline_API_BareNote: + allOf: + - $ref: >- + #/components/schemas/Security_Timeline_API_NoteCreatedAndUpdatedMetadata - type: object properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: + eventId: + description: > + Elasticsearch document `_id` for the event or alert this note + refers to. Same value as the `documentIds` query parameter when + fetching notes via GET /api/note. + example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + nullable: true type: string - title: KQL with filters - SLOs_kql_with_filters_good: - description: The KQL query used to define the good events. - oneOf: - - description: the KQL query to filter the documents with. 
- example: 'request.latency <= 150 and request.status_code : "2xx"' - type: string + note: + description: The text of the note + example: This is an example text + nullable: true + type: string + timelineId: + description: >- + The `savedObjectId` of the Timeline this note belongs to (not + the note's own ID). + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + type: string + required: + - timelineId + Security_Timeline_API_BarePinnedEvent: + allOf: + - $ref: >- + #/components/schemas/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata - type: object properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: + eventId: + description: The `_id` of the associated event for this pinned event. + example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc type: string - title: KQL query for good events - SLOs_kql_with_filters_total: - description: The KQL query used to define all events. - oneOf: - - description: the KQL query to filter the documents with. 
- example: 'field.environment : "production" and service.name : "my-service"' + timelineId: + description: >- + The `savedObjectId` of the timeline that this pinned event is + associated with + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + type: string + required: + - eventId + - timelineId + Security_Timeline_API_ColumnHeaderResult: + type: object + properties: + aggregatable: + nullable: true + type: boolean + category: + nullable: true + type: string + columnHeaderType: + nullable: true + type: string + description: + nullable: true + type: string + example: + nullable: true + type: string + id: + nullable: true type: string - - type: object - properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: - type: string - title: KQL query for all events - SLOs_objective: - description: Defines properties for the SLO objective - type: object - properties: - target: - description: the target objective between 0 and 1 excluded - example: 0.99 - exclusiveMaximum: true - exclusiveMinimum: true - maximum: 100 - minimum: 0 - type: number - timesliceTarget: - description: the target objective for each slice when using a timeslices budgeting method - example: 0.995 - maximum: 100 - minimum: 0 - type: number - timesliceWindow: - description: the duration of each slice when using a timeslices budgeting method, as {duraton}{unit} - example: 5m + indexes: + items: + type: string + nullable: true + type: array + name: + nullable: true type: string - required: - - target - title: Objective - SLOs_settings: - description: Defines properties for SLO settings. - properties: - frequency: - default: 1m - description: The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute. 
- example: 5m + placeholder: + nullable: true type: string - preventInitialBackfill: - default: false - description: Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window. - example: true + searchable: + nullable: true type: boolean - syncDelay: - default: 1m - description: The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater then source index refresh interval. - example: 5m - type: string - syncField: - description: The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, we use the indicator timestamp field. - example: event.ingested + type: + nullable: true type: string - title: Settings - type: object - SLOs_slo_definition_response: - title: SLO definition response + Security_Timeline_API_DataProviderQueryMatch: type: object properties: - artifacts: - $ref: '#/components/schemas/SLOs_artifacts' - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - createdAt: - description: The creation date - example: '2023-01-12T10:03:19.000Z' + enabled: + nullable: true + type: boolean + excluded: + nullable: true + type: boolean + id: + nullable: true type: string - description: - description: The description of the SLO. 
- example: My SLO description + kqlQuery: + nullable: true type: string + name: + nullable: true + type: string + queryMatch: + $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' + nullable: true + type: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' + nullable: true + Security_Timeline_API_DataProviderResult: + type: object + properties: + and: + items: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderQueryMatch' + nullable: true + type: array enabled: - description: Indicate if the SLO is enabled - example: true + nullable: true + type: boolean + excluded: + nullable: true type: boolean - groupBy: - $ref: '#/components/schemas/SLOs_group_by' id: - description: The identifier of the SLO. - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + nullable: true + type: string + kqlQuery: + nullable: true type: string - indicator: - discriminator: - mapping: - sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' - sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' - sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' - sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' - sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' - sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - propertyName: type - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' name: - description: The name of the SLO. 
- example: My Service SLO + nullable: true type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - revision: - description: The SLO revision - example: 2 - type: number - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags - items: + queryMatch: + $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' + nullable: true + type: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' + nullable: true + Security_Timeline_API_DataProviderType: + description: The type of data provider. + enum: + - default + - template + type: string + Security_Timeline_API_DocumentIds: + description: One document ID or an array of IDs (Elasticsearch `_id` of the event). + oneOf: + - items: type: string type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - updatedAt: - description: The last update date - example: '2023-01-12T10:03:19.000Z' + - type: string + Security_Timeline_API_FavoriteTimelineResponse: + type: object + properties: + favorite: + items: + $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' + type: array + savedObjectId: type: string - version: - description: The internal SLO version - example: 2 + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true type: number + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + version: + type: string required: - - id - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - - settings - - revision - - enabled - - groupBy - - tags - - createdAt - - updatedAt + - savedObjectId - version - SLOs_slo_with_summary_response: - title: SLO response + Security_Timeline_API_FavoriteTimelineResult: + description: Indicates when and who marked a Timeline as a favorite. 
+ example: + favoriteDate: 1741337636741 + userName: elastic type: object properties: - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - createdAt: - description: The creation date - example: '2023-01-12T10:03:19.000Z' + favoriteDate: + nullable: true + type: number + fullName: + nullable: true type: string - description: - description: The description of the SLO. - example: My SLO description + userName: + nullable: true type: string - enabled: - description: Indicate if the SLO is enabled - example: true - type: boolean - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - id: - description: The identifier of the SLO. - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + Security_Timeline_API_FilterTimelineResult: + example: + meta: + alias: Custom filter name + disabled: false + index: .alerts-security.alerts-default,logs-* + key: '@timestamp' + negate: false, + type: exists + value: exists + query: '{"exists":{"field":"@timestamp"}}' + type: object + properties: + exists: + nullable: true type: string - indicator: - discriminator: - mapping: - sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' - sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' - sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' - sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' - sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' - sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - propertyName: type - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' 
- - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - instanceId: - description: the value derived from the groupBy field, if present, otherwise '*' - example: host-abcde + match_all: + nullable: true type: string - name: - description: The name of the SLO. - example: My Service SLO + meta: + nullable: true + type: object + properties: + alias: + nullable: true + type: string + controlledBy: + nullable: true + type: string + disabled: + nullable: true + type: boolean + field: + nullable: true + type: string + formattedValue: + nullable: true + type: string + index: + nullable: true + type: string + key: + nullable: true + type: string + negate: + nullable: true + type: boolean + params: + nullable: true + type: string + type: + nullable: true + type: string + value: + nullable: true + type: string + missing: + nullable: true type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - revision: - description: The SLO revision - example: 2 - type: number - settings: - $ref: '#/components/schemas/SLOs_settings' - summary: - $ref: '#/components/schemas/SLOs_summary' - tags: - description: List of tags + query: + nullable: true + type: string + range: + nullable: true + type: string + script: + nullable: true + type: string + Security_Timeline_API_GetNotesResult: + type: object + properties: + notes: items: - type: string + $ref: '#/components/schemas/Security_Timeline_API_Note' type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - updatedAt: - description: The last update date - example: '2023-01-12T10:03:19.000Z' - type: string - version: - description: The internal SLO version - example: 2 + totalCount: + description: >- + Number of notes returned (may be adjusted after the query when + `associatedFilter` applies post-filtering). 
type: number required: - - id - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - - settings - - revision - - summary - - enabled - - groupBy - - instanceId - - tags - - createdAt - - updatedAt - - version - SLOs_summary: - description: The SLO computed data + - totalCount + - notes + Security_Timeline_API_ImportTimelineResult: + type: object properties: - errorBudget: - $ref: '#/components/schemas/SLOs_error_budget' - sliValue: - example: 0.9836 + errors: + description: The list of failed Timeline imports + items: + type: object + properties: + error: + description: >- + The error containing the reason why the timeline could not be + imported + type: object + properties: + message: + description: The reason why the timeline could not be imported + example: Malformed JSON + type: string + status_code: + description: The HTTP status code of the error + example: 400 + type: number + id: + description: The ID of the timeline that failed to import + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + type: string + type: array + success: + description: Indicates whether any of the Timelines were successfully imports + type: boolean + success_count: + description: The amount of successfully imported/updated Timelines + example: 99 type: number - status: - $ref: '#/components/schemas/SLOs_summary_status' - required: - - status - - sliValue - - errorBudget - title: Summary + timelines_installed: + description: The amount of successfully installed Timelines + example: 80 + type: number + timelines_updated: + description: The amount of successfully updated Timelines + example: 19 + type: number + Security_Timeline_API_ImportTimelines: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object + properties: + eventNotes: + items: + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + nullable: true + type: array + globalNotes: + items: + $ref: '#/components/schemas/Security_Timeline_API_BareNote' 
+ nullable: true + type: array + pinnedEventIds: + items: + type: string + nullable: true + type: array + savedObjectId: + nullable: true + type: string + version: + nullable: true + type: string + required: + - savedObjectId + - version + - pinnedEventIds + - eventNotes + - globalNotes + Security_Timeline_API_Note: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_BareNote' + - type: object + properties: + noteId: + description: The `savedObjectId` of the note + example: 709f99c6-89b6-4953-9160-35945c8e174e + type: string + version: + description: The version of the note + example: WzQ2LDFd + type: string + required: + - noteId + - version + Security_Timeline_API_NoteCreatedAndUpdatedMetadata: type: object - SLOs_summary_status: - enum: - - NO_DATA - - HEALTHY - - DEGRADING - - VIOLATED - example: HEALTHY - title: summary status - type: string - SLOs_time_window: - description: Defines properties for the SLO time window + properties: + created: + description: The time the note was created, using a 13-digit Epoch timestamp. + example: 1587468588922 + nullable: true + type: number + createdBy: + description: The user who created the note. 
+ example: casetester + nullable: true + type: string + updated: + description: The last time the note was updated, using a 13-digit Epoch timestamp + example: 1741344876825 + nullable: true + type: number + updatedBy: + description: The user who last updated the note + example: casetester + nullable: true + type: string + Security_Timeline_API_PersistPinnedEventResponse: + oneOf: + - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + - type: object + properties: + unpinned: + description: Indicates whether the event was successfully unpinned + type: boolean + required: + - unpinned + Security_Timeline_API_PersistTimelineResponse: + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + Security_Timeline_API_PinnedEvent: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_BarePinnedEvent' + - type: object + properties: + pinnedEventId: + description: The `savedObjectId` of this pinned event + example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + type: string + version: + description: The version of this pinned event + example: WzQ2LDFe + type: string + required: + - pinnedEventId + - version + Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata: type: object properties: - duration: - description: 'the duration formatted as {duration}{unit}. Accepted values for rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w (weekly) or 1M (monthly)' - example: 30d + created: + description: >- + The time the pinned event was created, using a 13-digit Epoch + timestamp. + example: 1587468588922 + nullable: true + type: number + createdBy: + description: The user who created the pinned event. + example: casetester + nullable: true type: string - type: - description: Indicates weither the time window is a rolling or a calendar aligned time window. 
- enum: - - rolling - - calendarAligned - example: rolling + updated: + description: >- + The last time the pinned event was updated, using a 13-digit Epoch + timestamp + example: 1741344876825 + nullable: true + type: number + updatedBy: + description: The user who last updated the pinned event + example: casetester + nullable: true type: string - required: - - duration - - type - title: Time window - SLOs_timeslice_metric_basic_metric_with_field: + Security_Timeline_API_QueryMatchResult: type: object properties: - aggregation: - description: The aggregation type of the metric. - enum: - - sum - - avg - - min - - max - - std_deviation - - last_value - - cardinality - example: sum + displayField: + nullable: true type: string - field: - description: The field of the metric. - example: processor.processed + displayValue: + nullable: true type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' + field: + nullable: true type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ + operator: + nullable: true type: string - required: - - name - - aggregation - - field - title: Timeslice Metric Basic Metric with Field - SLOs_timeslice_metric_doc_count_metric: + value: + oneOf: + - nullable: true + type: string + - items: + type: string + nullable: true + type: array + Security_Timeline_API_ResolvedTimeline: type: object properties: - aggregation: - description: The aggregation type of the metric. Only valid option is "doc_count" - enum: - - doc_count - example: doc_count - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' - type: string - name: - description: The name of the metric. 
Only valid options are A-Z - example: A - pattern: ^[A-Z]$ + alias_purpose: + $ref: >- + #/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose + alias_target_id: type: string + outcome: + $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome' + timeline: + $ref: >- + #/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject required: - - name - - aggregation - title: Timeslice Metric Doc Count Metric - SLOs_timeslice_metric_percentile_metric: + - timeline + - outcome + Security_Timeline_API_ResponseNote: type: object properties: - aggregation: - description: The aggregation type of the metric. Only valid option is "percentile" - enum: - - percentile - example: percentile - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - percentile: - description: The percentile value. - example: 95 - type: number + note: + $ref: '#/components/schemas/Security_Timeline_API_Note' required: - - name - - aggregation - - field - - percentile - title: Timeslice Metric Percentile Metric - SLOs_update_slo_request: - description: | - The update SLO API request body varies depending on the type of indicator, time window and budgeting method. Partial update is handled. - properties: - artifacts: - $ref: '#/components/schemas/SLOs_artifacts' - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - description: - description: A description for the SLO. 
- type: string - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - indicator: - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - name: - description: A name for the SLO. - type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags - items: + - note + Security_Timeline_API_RowRendererId: + description: Identifies the available row renderers + enum: + - alert + - alerts + - auditd + - auditd_file + - library + - netflow + - plain + - registry + - suricata + - system + - system_dns + - system_endgame_process + - system_file + - system_fim + - system_security_event + - system_socket + - threat_match + - zeek + type: string + Security_Timeline_API_SavedObjectIds: + description: One Timeline saved object ID or an array of IDs. + oneOf: + - items: type: string type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - title: Update SLO request - type: object - Task_manager_health_Serverless_APIs_configuration: - description: | - This object summarizes the current configuration of Task Manager. This includes dynamic configurations that change over time, such as `poll_interval` and `max_workers`, which can adjust in reaction to changing load on the system. 
- type: object - Task_manager_health_Serverless_APIs_health_response_serverless: - title: Task health response properties + - type: string + Security_Timeline_API_SavedObjectResolveAliasPurpose: + enum: + - savedObjectConversion + - savedObjectImport + type: string + Security_Timeline_API_SavedObjectResolveOutcome: + enum: + - exactMatch + - aliasMatch + - conflict + type: string + Security_Timeline_API_SavedTimeline: type: object properties: - id: + columns: + description: The Timeline's columns + example: + - columnHeaderType: not-filtered + id: '@timestamp' + - columnHeaderType: not-filtered + id: event.category + items: + $ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult' + nullable: true + type: array + created: + description: The time the Timeline was created, using a 13-digit Epoch timestamp. + example: 1587468588922 + nullable: true + type: number + createdBy: + description: The user who created the Timeline. + example: casetester + nullable: true type: string - last_update: + dataProviders: + description: Object containing query clauses + example: + - enabled: true + excluded: false + id: >- + id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b + name: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b + queryMatch: + field: _id, + operator: ':' + value: >- + d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b, + items: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderResult' + nullable: true + type: array + dataViewId: + description: ID of the Timeline's Data View + example: security-solution-default + nullable: true type: string - stats: + dateRange: + description: The Timeline's search period. 
+ example: + end: 1587456479201 + start: 1587370079200 + nullable: true type: object properties: - configuration: - $ref: '#/components/schemas/Task_manager_health_Serverless_APIs_configuration' - workload: - $ref: '#/components/schemas/Task_manager_health_Serverless_APIs_workload' - status: - type: string - timestamp: - type: string - Task_manager_health_Serverless_APIs_workload: - description: | - This object summarizes the work load across the cluster, including the tasks in the system, their types, and current status. - type: object - bedrock_config: - title: Connector request properties for an Amazon Bedrock connector - description: Defines properties for connectors when type is `.bedrock`. - type: object - required: - - apiUrl - properties: - apiUrl: - type: string - description: The Amazon Bedrock request URL. - region: - type: string - description: | - Optional AWS region for request signing. Required when using a custom endpoint URL that does not include the region in the hostname (for example, `us-west-1`). - defaultModel: - type: string - description: | - The generative artificial intelligence model for Amazon Bedrock to use. Current support is for the Anthropic Claude models. - default: us.anthropic.claude-sonnet-4-5-20250929-v1:0 - crowdstrike_config: - title: Connector request config properties for a Crowdstrike connector - required: - - url - description: Defines config properties for connectors when type is `.crowdstrike`. - type: object - properties: - url: - description: | - The CrowdStrike tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. 
+ end: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + start: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + description: + description: The Timeline's description + example: Investigating exposure of CVE XYZ + nullable: true type: string - d3security_config: - title: Connector request properties for a D3 Security connector - description: Defines properties for connectors when type is `.d3security`. - type: object - required: - - url - properties: - url: + eqlOptions: + description: EQL query that is used in the correlation tab + example: + eventCategoryField: event.category + query: sequence\n[process where process.name == "sudo"]\n[any where true] + size: 100 + timestampField: '@timestamp' + nullable: true + type: object + properties: + eventCategoryField: + nullable: true + type: string + query: + nullable: true + type: string + size: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + tiebreakerField: + nullable: true + type: string + timestampField: + nullable: true + type: string + eventType: + deprecated: true + description: Event types displayed in the Timeline + example: all + nullable: true type: string - description: | - The D3 Security API request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. - email_config: - title: Connector request properties for an email connector - description: Defines properties for connectors when type is `.email`. - required: - - from - type: object - properties: - clientId: - description: | - The client identifier, which is a part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required. 
+ excludedRowRendererIds: + description: >- + A list of row renderers that should not be used when in `Event + renderers` mode + items: + $ref: '#/components/schemas/Security_Timeline_API_RowRendererId' + nullable: true + type: array + favorite: + items: + $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' + nullable: true + type: array + filters: + description: A list of filters that should be applied to the query + items: + $ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult' + nullable: true + type: array + indexNames: + description: >- + A list of index names to use in the query (e.g. when the default + data view has been modified) + example: + - .logs* + items: + type: string + nullable: true + type: array + kqlMode: + description: >- + Indicates whether the KQL bar filters the query results or searches + for additional results, where: + * `filter`: filters query results + * `search`: displays additional search results + example: search + nullable: true type: string + kqlQuery: + $ref: >- + #/components/schemas/Security_Timeline_API_SerializedFilterQueryResult + nullable: true + savedQueryId: + description: The ID of the saved query that might be used in the Query tab + example: c7b16904-02d7-4f32-b8f2-cc20f9625d6e nullable: true - from: - description: | - The from address for all emails sent by the connector. It must be specified in `user@host-name` format. type: string - hasAuth: - description: | - Specifies whether a user and password are required inside the secrets configuration. - default: true - type: boolean - host: - description: | - The host name of the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined. 
+ savedSearchId: + description: The ID of the saved search that is used in the ES|QL tab + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true type: string - oauthTokenUrl: + sort: + $ref: '#/components/schemas/Security_Timeline_API_Sort' + nullable: true + status: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' + nullable: true + templateTimelineId: + description: >- + A unique ID (UUID) for Timeline templates. For Timelines, the value + is `null`. + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true type: string + templateTimelineVersion: + description: >- + Timeline template version number. For Timelines, the value is + `null`. + example: 12 + nullable: true + type: number + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + title: + description: The Timeline's title. + example: CVE XYZ investigation nullable: true - port: - description: | - The port to connect to on the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined. - type: integer - secure: - description: | - Specifies whether the connection to the service provider will use TLS. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. - type: boolean - service: - description: | - The name of the email service. type: string - enum: - - elastic_cloud - - exchange_server - - gmail - - other - - outlook365 - - ses - tenantId: - description: | - The tenant identifier, which is part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required. 
+ updated: + description: >- + The last time the Timeline was updated, using a 13-digit Epoch + timestamp + example: 1741344876825 + nullable: true + type: number + updatedBy: + description: The user who last updated the Timeline + example: casetester + nullable: true type: string + Security_Timeline_API_SavedTimelineWithSavedObjectId: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object + properties: + savedObjectId: + description: The `savedObjectId` of the Timeline or Timeline template + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + type: string + version: + description: The version of the Timeline or Timeline template + example: WzE0LDFd + type: string + required: + - savedObjectId + - version + Security_Timeline_API_SerializedFilterQueryResult: + description: KQL bar query. + example: + filterQuery: null + kuery: + expression: '_id : *' + kind: kuery + serializedQuery: >- + {"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}} + type: object + properties: + filterQuery: nullable: true - gemini_config: - title: Connector request properties for an Google Gemini connector - description: Defines properties for connectors when type is `.gemini`. + type: object + properties: + kuery: + nullable: true + type: object + properties: + expression: + nullable: true + type: string + kind: + nullable: true + type: string + serializedQuery: + nullable: true + type: string + Security_Timeline_API_Sort: + oneOf: + - $ref: '#/components/schemas/Security_Timeline_API_SortObject' + - items: + $ref: '#/components/schemas/Security_Timeline_API_SortObject' + type: array + Security_Timeline_API_SortFieldTimeline: + description: The field to sort the timelines by. 
+ enum: + - title + - description + - updated + - created + type: string + Security_Timeline_API_SortObject: + description: Object indicating how rows are sorted in the Timeline's grid + example: + columnId: '@timestamp' + sortDirection: desc type: object - required: - - apiUrl - - gcpRegion - - gcpProjectID properties: - apiUrl: - type: string - description: The Google Gemini request URL. - defaultModel: + columnId: + nullable: true type: string - description: The generative artificial intelligence model for Google Gemini to use. - default: gemini-2.5-pro - gcpRegion: + columnType: + nullable: true type: string - description: The GCP region where the Vertex AI endpoint enabled. - gcpProjectID: + sortDirection: + nullable: true type: string - description: The Google ProjectID that has Vertex AI endpoint enabled. - resilient_config: - title: Connector request properties for a IBM Resilient connector - required: - - apiUrl - - orgId - description: Defines properties for connectors when type is `.resilient`. + Security_Timeline_API_TimelineResponse: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - $ref: >- + #/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId + - type: object + properties: + eventIdToNoteIds: + description: A list of all the notes that are associated to this Timeline. + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + nullable: true + type: array + noteIds: + description: >- + A list of all the ids of notes that are associated to this + Timeline. + example: + - 709f99c6-89b6-4953-9160-35945c8e174e + items: + type: string + nullable: true + type: array + notes: + description: A list of all the notes that are associated to this Timeline. + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + nullable: true + type: array + pinnedEventIds: + description: >- + A list of all the ids of pinned events that are associated to + this Timeline. 
+ example: + - 983f99c6-89b6-4953-9160-35945c8a194f + items: + type: string + nullable: true + type: array + pinnedEventsSaveObject: + description: >- + A list of all the pinned events that are associated to this + Timeline. + items: + $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + nullable: true + type: array + Security_Timeline_API_TimelineSavedToReturnObject: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object + properties: + eventIdToNoteIds: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + nullable: true + type: array + noteIds: + items: + type: string + nullable: true + type: array + notes: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + nullable: true + type: array + pinnedEventIds: + items: + type: string + nullable: true + type: array + pinnedEventsSaveObject: + items: + $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + nullable: true + type: array + savedObjectId: + type: string + version: + type: string + required: + - savedObjectId + - version + Security_Timeline_API_TimelineStatus: + description: The status of the Timeline. + enum: + - active + - draft + - immutable + type: string + Security_Timeline_API_TimelineType: + description: The type of Timeline. + enum: + - default + - template + type: string + SLOs_400_response: + title: Bad request type: object properties: - apiUrl: - description: The IBM Resilient instance URL. + error: + example: Bad Request type: string - orgId: - description: The IBM Resilient organization ID. + message: + example: 'Invalid value ''foo'' supplied to: [...]' type: string - index_config: - title: Connector request properties for an index connector + statusCode: + example: 400 + type: number required: - - index - description: Defines properties for connectors when type is `.index`. 
+ - statusCode + - error + - message + SLOs_401_response: + title: Unauthorized type: object properties: - executionTimeField: - description: A field that indicates when the document was indexed. - default: null + error: + example: Unauthorized type: string - nullable: true - index: - description: The Elasticsearch index to be written to. + message: + example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" type: string - refresh: - description: | - The refresh policy for the write request, which affects when changes are made visible to search. Refer to the refresh setting for Elasticsearch document APIs. - default: false - type: boolean - jira_config: - title: Connector request properties for a Jira connector + statusCode: + example: 401 + type: number required: - - apiUrl - - projectKey - description: Defines properties for connectors when type is `.jira`. + - statusCode + - error + - message + SLOs_403_response: + title: Forbidden type: object properties: - apiUrl: - description: The Jira instance URL. + error: + example: Forbidden type: string - projectKey: - description: The Jira project key. + message: + example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [slo_write] is unauthorized for user [limited_user] for REST request [/api/observability/slos]]: action [slo_write] is unauthorized for user [limited_user]" type: string - defender_config: - title: Connector request properties for a Microsoft Defender for Endpoint connector + statusCode: + example: 403 + type: number required: - - apiUrl - - projectKey - description: Defines properties for connectors when type is `.microsoft_defender_endpoint`. 
+ - statusCode + - error + - message + SLOs_404_response: + title: Not found type: object properties: - apiUrl: - type: string - description: | - The URL of the Microsoft Defender for Endpoint API. If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname is added to the allowed hosts. - clientId: - type: string - description: The application (client) identifier for your app in the Azure portal. - oAuthScope: - type: string - description: The OAuth scopes or permission sets for the Microsoft Defender for Endpoint API. - oAuthServerUrl: + error: + example: Not Found type: string - description: The OAuth server URL where authentication is sent and received for the Microsoft Defender for Endpoint API. - tenantId: - description: The tenant identifier for your app in the Azure portal. + message: + example: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found type: string - genai_azure_config: - title: Connector request properties for an OpenAI connector that uses Azure OpenAI - description: | - Defines properties for connectors when type is `.gen-ai` and the API provider is `Azure OpenAI`. - type: object + statusCode: + example: 404 + type: number required: - - apiProvider - - apiUrl - properties: - apiProvider: - type: string - description: The OpenAI API provider. - enum: - - Azure OpenAI - apiUrl: - type: string - description: The OpenAI API endpoint. - genai_openai_config: - title: Connector request properties for an OpenAI connector - description: | - Defines properties for connectors when type is `.gen-ai` and the API provider is `OpenAI`. + - statusCode + - error + - message + SLOs_409_response: + title: Conflict type: object - required: - - apiProvider - - apiUrl properties: - apiProvider: - type: string - description: The OpenAI API provider. - enum: - - OpenAI - apiUrl: + error: + example: Conflict type: string - description: The OpenAI API endpoint. 
- defaultModel: + message: + example: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists type: string - description: The default model to use for requests. - opsgenie_config: - title: Connector request properties for an Opsgenie connector + statusCode: + example: 409 + type: number required: - - apiUrl - description: Defines properties for connectors when type is `.opsgenie`. - type: object - properties: - apiUrl: - description: | - The Opsgenie URL. For example, `https://api.opsgenie.com` or `https://api.eu.opsgenie.com`. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. - type: string - pagerduty_config: - title: Connector request properties for a PagerDuty connector - description: Defines properties for connectors when type is `.pagerduty`. - type: object + - statusCode + - error + - message + SLOs_artifacts: + description: Links to related assets for the SLO properties: - apiUrl: - description: The PagerDuty event URL. - type: string - nullable: true - example: https://events.pagerduty.com/v2/enqueue - sentinelone_config: - title: Connector request properties for a SentinelOne connector - required: - - url - description: Defines properties for connectors when type is `.sentinelone`. + dashboards: + description: Array of dashboard references + items: + type: object + properties: + id: + description: Dashboard saved-object id + type: string + required: + - id + type: array + title: Artifacts type: object + SLOs_budgeting_method: + description: The budgeting method to use when computing the rollup data. + enum: + - occurrences + - timeslices + example: occurrences + title: Budgeting method + type: string + SLOs_bulk_delete_request: + description: > + The bulk delete SLO request takes a list of SLOs Definition id to + delete. properties: - url: - description: | - The SentinelOne tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. 
- type: string - servicenow_config: - title: Connector request properties for a ServiceNow ITSM connector + list: + description: An array of SLO Definition id + items: + description: The SLO Definition id + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + type: array required: - - apiUrl - description: Defines properties for connectors when type is `.servicenow`. + - list + title: Bulk delete SLO request type: object + SLOs_bulk_delete_response: + description: > + The bulk delete SLO response returns a taskId that can be used to poll + for its status properties: - apiUrl: - type: string - description: The ServiceNow instance URL. - clientId: - description: | - The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`. - type: string - isOAuth: - description: | - The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth). - default: false - type: boolean - jwtKeyId: - description: | - The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`. - type: string - userIdentifierValue: - description: | - The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`. + taskId: + description: The taskId of the bulk delete operation + example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 type: string - usesTableApi: - description: | - Determines whether the connector uses the Table API or the Import Set API. This property is supported only for ServiceNow ITSM and ServiceNow SecOps connectors. 
NOTE: If this property is set to `false`, the Elastic application should be installed in ServiceNow. - default: true - type: boolean - servicenow_itom_config: - title: Connector request properties for a ServiceNow ITOM connector - required: - - apiUrl - description: Defines properties for connectors when type is `.servicenow-itom`. + title: Bulk delete SLO response type: object + SLOs_bulk_delete_status_response: + description: >- + Indicates if the bulk deletion is completed, with the detailed results + of the operation. properties: - apiUrl: - type: string - description: The ServiceNow instance URL. - clientId: - description: | - The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`. + error: + description: The error message if the bulk deletion operation failed + example: Task not found type: string - isOAuth: - description: | - The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth). - default: false + isDone: + description: Indicates if the bulk deletion operation is completed + example: true type: boolean - jwtKeyId: - description: | - The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`. - type: string - userIdentifierValue: - description: | - The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`. - type: string - slack_api_config: - title: Connector request properties for a Slack connector - description: Defines properties for connectors when type is `.slack_api`. 
- type: object - properties: - allowedChannels: - type: array - description: A list of valid Slack channels. + results: + description: >- + The results of the bulk deletion operation, including the success + status and any errors for each SLO items: type: object - required: - - id - - name - maxItems: 25 properties: - id: + error: + description: >- + The error message if the deletion operation failed for this + SLO + example: SLO [d08506b7-f0e8-4f8b-a06a-a83940f4db91] not found type: string - description: The Slack channel ID. - example: C123ABC456 - minLength: 1 - name: + id: + description: The ID of the SLO that was deleted + example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 type: string - description: The Slack channel name. - minLength: 1 - swimlane_config: - title: Connector request properties for a Swimlane connector - required: - - apiUrl - - appId - - connectorType - description: Defines properties for connectors when type is `.swimlane`. + success: + description: The result of the deletion operation for this SLO + example: true + type: boolean + type: array + title: The status of the bulk deletion type: object + SLOs_bulk_purge_rollup_request: + description: > + The bulk purge rollup data request takes a list of SLO ids and a purge + policy, then deletes the rollup data according to the purge policy. This + API can be used to remove the staled data of an instance SLO that no + longer get updated. properties: - apiUrl: - description: The Swimlane instance URL. - type: string - appId: - description: The Swimlane application ID. - type: string - connectorType: - description: The type of connector. Valid values are `all`, `alerts`, and `cases`. - type: string - enum: - - all - - alerts - - cases - mappings: - title: Connector mappings properties for a Swimlane connector - description: The field mapping. - type: object - properties: - alertIdConfig: - title: Alert identifier mapping - description: Mapping for the alert ID. 
- type: object - required: - - fieldType - - id - - key - - name - properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: - type: string - description: The identifier for the field in Swimlane. - key: - type: string - description: The key for the field in Swimlane. - name: - type: string - description: The name of the field in Swimlane. - caseIdConfig: - title: Case identifier mapping - description: Mapping for the case ID. - type: object - required: - - fieldType - - id - - key - - name - properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: - type: string - description: The identifier for the field in Swimlane. - key: - type: string - description: The key for the field in Swimlane. - name: - type: string - description: The name of the field in Swimlane. - caseNameConfig: - title: Case name mapping - description: Mapping for the case name. - type: object - required: - - fieldType - - id - - key - - name - properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: - type: string - description: The identifier for the field in Swimlane. - key: - type: string - description: The key for the field in Swimlane. - name: - type: string - description: The name of the field in Swimlane. - commentsConfig: - title: Case comment mapping - description: Mapping for the case comments. - type: object - required: - - fieldType - - id - - key - - name - properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: - type: string - description: The identifier for the field in Swimlane. - key: - type: string - description: The key for the field in Swimlane. - name: - type: string - description: The name of the field in Swimlane. - descriptionConfig: - title: Case description mapping - description: Mapping for the case description. 
- type: object - required: - - fieldType - - id - - key - - name - properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: - type: string - description: The identifier for the field in Swimlane. - key: - type: string - description: The key for the field in Swimlane. - name: - type: string - description: The name of the field in Swimlane. - ruleNameConfig: - title: Rule name mapping - description: Mapping for the name of the alert's rule. - type: object - required: - - fieldType - - id - - key - - name + list: + description: An array of slo ids + items: + description: The SLO Definition id + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + type: array + purgePolicy: + description: Policy that dictates which SLI documents to purge based on age + oneOf: + - type: object properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: - type: string - description: The identifier for the field in Swimlane. - key: + age: + description: >- + The duration to determine which documents to purge, + formatted as {duration}{unit}. This value should be greater + than or equal to the time window of every SLO provided. + example: 7d type: string - description: The key for the field in Swimlane. - name: + purgeType: + description: >- + Specifies whether documents will be purged based on a + specific age or on a timestamp + enum: + - fixed-age type: string - description: The name of the field in Swimlane. - severityConfig: - title: Severity mapping - description: Mapping for the severity. - type: object - required: - - fieldType - - id - - key - - name + - type: object properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: - type: string - description: The identifier for the field in Swimlane. 
- key: + purgeType: + description: >- + Specifies whether documents will be purged based on a + specific age or on a timestamp + enum: + - fixed-time type: string - description: The key for the field in Swimlane. - name: + timestamp: + description: >- + The timestamp to determine which documents to purge, + formatted in ISO. This value should be older than the + applicable time window of every SLO provided. + example: '2024-12-31T00:00:00.000Z' type: string - description: The name of the field in Swimlane. - thehive_config: - title: Connector request properties for a TheHive connector - description: Defines configuration properties for connectors when type is `.thehive`. - type: object + type: object required: - - url - properties: - organisation: - type: string - description: | - The organisation in TheHive that will contain the alerts or cases. By default, the connector uses the default organisation of the user account that created the API key. - url: - type: string - description: | - The instance URL in TheHive. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. - tines_config: - title: Connector request properties for a Tines connector - description: Defines properties for connectors when type is `.tines`. + - list + - purgePolicy + title: Bulk Purge Rollup data request type: object - required: - - url + SLOs_bulk_purge_rollup_response: + description: > + The bulk purge rollup data response returns a task id from the + elasticsearch deleteByQuery response. properties: - url: - description: | - The Tines tenant URL. If you are using the `xpack.actions.allowedHosts` setting, make sure this hostname is added to the allowed hosts. + taskId: + description: The task id of the purge operation + example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string - torq_config: - title: Connector request properties for a Torq connector - description: Defines properties for connectors when type is `.torq`. 
+ title: Bulk Purge Rollup data response type: object - required: - - webhookIntegrationUrl + SLOs_create_slo_request: + description: > + The create SLO API request body varies depending on the type of + indicator, time window and budgeting method. properties: - webhookIntegrationUrl: - description: The endpoint URL of the Elastic Security integration in Torq. + artifacts: + $ref: '#/components/schemas/SLOs_artifacts' + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + description: + description: A description for the SLO. type: string - auth_type: - title: Authentication type - type: string - nullable: true - enum: - - webhook-authentication-basic - - webhook-authentication-ssl - description: | - The type of authentication to use: basic, SSL, or none. - ca: - title: Certificate authority - type: string - description: | - A base64 encoded version of the certificate authority file that the connector can trust to sign and validate certificates. This option is available for all authentication types. - cert_type: - title: Certificate type - type: string - description: | - If the `authType` is `webhook-authentication-ssl`, specifies whether the certificate authentication data is in a CRT and key file format or a PFX file format. - enum: - - ssl-crt-key - - ssl-pfx - has_auth: - title: Has authentication - type: boolean - description: If true, a username and password for login type authentication must be provided. - default: true - verification_mode: - title: Verification mode - type: string - enum: - - certificate - - full - - none - default: full - description: | - Controls the verification of certificates. Use `full` to validate that the certificate has an issue date within the `not_before` and `not_after` dates, chains to a trusted certificate authority (CA), and has a hostname or IP address that matches the names within the certificate. 
Use `certificate` to validate the certificate and verify that it is signed by a trusted authority; this option does not check the certificate hostname. Use `none` to skip certificate validation. - webhook_config: - title: Connector request properties for a Webhook connector - description: Defines properties for connectors when type is `.webhook`. - type: object - properties: - authType: - $ref: '#/components/schemas/auth_type' - ca: - $ref: '#/components/schemas/ca' - certType: - $ref: '#/components/schemas/cert_type' - hasAuth: - $ref: '#/components/schemas/has_auth' - headers: - type: object - nullable: true - description: A set of key-value pairs sent as headers with the request. - method: + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + id: + description: >- + A optional and unique identifier for the SLO. Must be between 8 and + 36 chars + example: my-super-slo-id type: string - default: post - enum: - - post - - put - description: | - The HTTP request method, either `post` or `put`. - url: + indicator: + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: A name for the SLO. type: string - description: | - The request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. 
- verificationMode: - $ref: '#/components/schemas/verification_mode' - cases_webhook_config: - title: Connector request properties for Webhook - Case Management connector + objective: + $ref: '#/components/schemas/SLOs_objective' + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' required: - - createIncidentJson - - createIncidentResponseKey - - createIncidentUrl - - getIncidentResponseExternalTitleKey - - getIncidentUrl - - updateIncidentJson - - updateIncidentUrl - - viewIncidentUrl - description: Defines properties for connectors when type is `.cases-webhook`. + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + title: Create SLO request type: object - properties: - authType: - $ref: '#/components/schemas/auth_type' - ca: - $ref: '#/components/schemas/ca' - certType: - $ref: '#/components/schemas/cert_type' - createCommentJson: - type: string - description: | - A JSON payload sent to the create comment URL to create a case comment. You can use variables to add Kibana Cases data to the payload. The required variable is `case.comment`. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated once the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass. - example: '{"body": {{{case.comment}}}}' - createCommentMethod: - type: string - description: | - The REST API HTTP request method to create a case comment in the third-party system. Valid values are `patch`, `post`, and `put`. 
- default: put - enum: - - patch - - post - - put - createCommentUrl: - type: string - description: | - The REST API URL to create a case comment by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts setting`, add the hostname to the allowed hosts. - example: https://example.com/issue/{{{external.system.id}}}/comment - createIncidentJson: - type: string - description: | - A JSON payload sent to the create case URL to create a case. You can use variables to add case data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review. - example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}' - createIncidentMethod: - type: string - description: | - The REST API HTTP request method to create a case in the third-party system. Valid values are `patch`, `post`, and `put`. - enum: - - patch - - post - - put - default: post - createIncidentResponseKey: - type: string - description: The JSON key in the create external case response that contains the case ID. - createIncidentUrl: - type: string - description: | - The REST API URL to create a case in the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. - getIncidentResponseExternalTitleKey: - type: string - description: The JSON key in get external case response that contains the case title. - getIncidentUrl: - type: string - description: | - The REST API URL to get the case by ID from the third-party system. 
If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. You can use a variable to add the external system ID to the URL. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass. - example: https://example.com/issue/{{{external.system.id}}} - hasAuth: - $ref: '#/components/schemas/has_auth' - headers: - type: string - description: | - A set of key-value pairs sent as headers with the request URLs for the create case, update case, get case, and create comment methods. - updateIncidentJson: - type: string - description: | - The JSON payload sent to the update case URL to update the case. You can use variables to add Kibana Cases data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review. - example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}' - updateIncidentMethod: - type: string - description: | - The REST API HTTP request method to update the case in the third-party system. Valid values are `patch`, `post`, and `put`. - default: put - enum: - - patch - - post - - put - updateIncidentUrl: - type: string - description: | - The REST API URL to update the case by ID in the third-party system. You can use a variable to add the external system ID to the URL. 
If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. - example: https://example.com/issue/{{{external.system.ID}}} - verificationMode: - $ref: '#/components/schemas/verification_mode' - viewIncidentUrl: - type: string - description: | - The URL to view the case in the external system. You can use variables to add the external system ID or external system title to the URL. - example: https://testing-jira.atlassian.net/browse/{{{external.system.title}}} - xmatters_config: - title: Connector request properties for an xMatters connector - description: Defines properties for connectors when type is `.xmatters`. + SLOs_create_slo_response: + title: Create SLO response type: object properties: - configUrl: - description: | - The request URL for the Elastic Alerts trigger in xMatters. It is applicable only when `usesBasic` is `true`. + id: + example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string - nullable: true - usesBasic: - description: Specifies whether the connector uses HTTP basic authentication (`true`) or URL authentication (`false`). - type: boolean - default: true - bedrock_secrets: - title: Connector secrets properties for an Amazon Bedrock connector - description: Defines secrets for connectors when type is `.bedrock`. - type: object required: - - accessKey - - secret + - id + SLOs_delete_slo_instances_request: + description: > + The delete SLO instances request takes a list of SLO id and instance id, + then delete the rollup and summary data. This API can be used to remove + the staled data of an instance SLO that no longer get updated. properties: - accessKey: - type: string - description: The AWS access key for authentication. - secret: - type: string - description: The AWS secret for authentication. - crowdstrike_secrets: - title: Connector secrets properties for a Crowdstrike connector - description: Defines secrets for connectors when type is `.crowdstrike`. 
- type: object + list: + description: An array of slo id and instance id + items: + type: object + properties: + instanceId: + description: The SLO instance identifier + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + sloId: + description: The SLO unique identifier + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + required: + - sloId + - instanceId + type: array required: - - clientId - - clientSecret + - list + title: Delete SLO instances request + type: object + SLOs_error_budget: + title: Error budget + type: object properties: - clientId: - description: The CrowdStrike API client identifier. - type: string - clientSecret: - description: The CrowdStrike API client secret to authenticate the `clientId`. - type: string - d3security_secrets: - title: Connector secrets properties for a D3 Security connector - description: Defines secrets for connectors when type is `.d3security`. + consumed: + description: The error budget consummed, as a percentage of the initial value. + example: 0.8 + type: number + initial: + description: The initial error budget, as 1 - objective + example: 0.02 + type: number + isEstimated: + description: >- + Only for SLO defined with occurrences budgeting method and calendar + aligned time window. + example: true + type: boolean + remaining: + description: The error budget remaining, as a percentage of the initial value. + example: 0.2 + type: number required: - - token - type: object + - initial + - consumed + - remaining + - isEstimated + SLOs_filter: + description: Defines properties for a filter properties: - token: - type: string - description: The D3 Security token. - email_secrets: - title: Connector secrets properties for an email connector - description: Defines secrets for connectors when type is `.email`. 
+ meta: + $ref: '#/components/schemas/SLOs_filter_meta' + query: + type: object + title: Filter type: object + SLOs_filter_meta: + description: Defines properties for a filter properties: - clientSecret: + alias: + nullable: true type: string - description: | - The Microsoft Exchange Client secret for OAuth 2.0 client credentials authentication. It must be URL-encoded. If `service` is `exchange_server`, this property is required. - password: + controlledBy: type: string - description: | - The password for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required. - user: + disabled: + type: boolean + field: type: string - description: | - The username for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required. - gemini_secrets: - title: Connector secrets properties for a Google Gemini connector - description: Defines secrets for connectors when type is `.gemini`. - type: object - required: - - credentialsJson - properties: - credentialsJson: + group: type: string - description: The service account credentials JSON file. The service account should have Vertex AI user IAM role assigned to it. - resilient_secrets: - title: Connector secrets properties for IBM Resilient connector - required: - - apiKeyId - - apiKeySecret - description: Defines secrets for connectors when type is `.resilient`. - type: object - properties: - apiKeyId: + index: type: string - description: The authentication key ID for HTTP Basic authentication. - apiKeySecret: + isMultiIndex: + type: boolean + key: type: string - description: The authentication key secret for HTTP Basic authentication. - jira_secrets: - title: Connector secrets properties for a Jira connector - required: - - apiToken - - email - description: Defines secrets for connectors when type is `.jira`. - type: object - properties: - apiToken: - description: The Jira API authentication token for HTTP basic authentication. 
+ negate: + type: boolean + params: + type: object + type: type: string - email: - description: The account email for HTTP Basic authentication. + value: type: string - teams_secrets: - title: Connector secrets properties for a Microsoft Teams connector - description: Defines secrets for connectors when type is `.teams`. + title: FilterMeta type: object - required: - - webhookUrl - properties: - webhookUrl: - type: string - description: | - The URL of the incoming webhook. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. - genai_secrets: - title: Connector secrets properties for an OpenAI connector + SLOs_find_slo_definitions_response: description: | - Defines secrets for connectors when type is `.gen-ai`. Supports both API key authentication (OpenAI, Azure OpenAI, and `Other`) and PKI authentication (`Other` provider only). PKI fields must be base64-encoded PEM content. + A paginated response of SLO definitions matching the query. + oneOf: + - type: object + properties: + page: + example: 1 + type: number + perPage: + example: 25 + type: number + results: + items: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + type: array + total: + example: 34 + type: number + - type: object + properties: + page: + default: 1 + description: for backward compability + type: number + perPage: + description: for backward compability + example: 25 + type: number + results: + items: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + type: array + searchAfter: + description: the cursor to provide to get the next paged results + example: + - some-slo-id + - other-cursor-id + items: + type: string + type: array + size: + example: 25 + type: number + total: + example: 34 + type: number + title: Find SLO definitions response type: object + SLOs_find_slo_response: + description: | + A paginated response of SLOs matching the query. 
properties: - apiKey: - type: string - description: | - The API key for authentication. For OpenAI and Azure OpenAI providers, it is required. For the `Other` provider, it is required if you do not use PKI authentication. With PKI, you can also optionally include an API key if the OpenAI-compatible service supports or requires one. - certificateData: - type: string - description: | - Base64-encoded PEM certificate content for PKI authentication (Other provider only). Required for PKI. - minLength: 1 - privateKeyData: - type: string - description: | - Base64-encoded PEM private key content for PKI authentication (Other provider only). Required for PKI. - minLength: 1 - caData: + page: + example: 1 + type: number + perPage: + example: 25 + type: number + results: + items: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + type: array + searchAfter: type: string - description: | - Base64-encoded PEM CA certificate content for PKI authentication (Other provider only). Optional. - minLength: 1 - opsgenie_secrets: - title: Connector secrets properties for an Opsgenie connector - required: - - apiKey - description: Defines secrets for connectors when type is `.opsgenie`. + size: + description: Size provided for cursor based pagination + example: 25 + type: number + total: + example: 34 + type: number + title: Find SLO response type: object - properties: - apiKey: - description: The Opsgenie API authentication key for HTTP Basic authentication. - type: string - pagerduty_secrets: - title: Connector secrets properties for a PagerDuty connector - description: Defines secrets for connectors when type is `.pagerduty`. 
+ SLOs_group_by: + description: >- + optional group by field or fields to use to generate an SLO per distinct + value + example: + - - service.name + - service.name + - - service.name + - service.environment + oneOf: + - type: string + - items: + type: string + type: array + title: Group by + SLOs_indicator_properties_apm_availability: + description: Defines properties for the APM availability indicator type type: object - required: - - routingKey properties: - routingKey: - description: | - A 32 character PagerDuty Integration Key for an integration on a service. + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + environment: + description: The APM service environment or "*" + example: production + type: string + filter: + description: KQL query used for filtering the data + example: 'service.foo : "bar"' + type: string + index: + description: The index used by APM metrics + example: metrics-apm*,apm* + type: string + service: + description: The APM service name + example: o11y-app + type: string + transactionName: + description: The APM transaction name or "*" + example: GET /my/api + type: string + transactionType: + description: The APM transaction type or "*" + example: request + type: string + required: + - service + - environment + - transactionType + - transactionName + - index + type: + description: The type of indicator. + example: sli.apm.transactionDuration type: string - sentinelone_secrets: - title: Connector secrets properties for a SentinelOne connector - description: Defines secrets for connectors when type is `.sentinelone`. - type: object required: - - token + - type + - params + title: APM availability + SLOs_indicator_properties_apm_latency: + description: Defines properties for the APM latency indicator type + type: object properties: - token: - description: The A SentinelOne API token. + params: + description: An object containing the indicator parameters. 
+ nullable: false + type: object + properties: + environment: + description: The APM service environment or "*" + example: production + type: string + filter: + description: KQL query used for filtering the data + example: 'service.foo : "bar"' + type: string + index: + description: The index used by APM metrics + example: metrics-apm*,apm* + type: string + service: + description: The APM service name + example: o11y-app + type: string + threshold: + description: The latency threshold in milliseconds + example: 250 + type: number + transactionName: + description: The APM transaction name or "*" + example: GET /my/api + type: string + transactionType: + description: The APM transaction type or "*" + example: request + type: string + required: + - service + - environment + - transactionType + - transactionName + - index + - threshold + type: + description: The type of indicator. + example: sli.apm.transactionDuration type: string - servicenow_secrets: - title: Connector secrets properties for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors - description: Defines secrets for connectors when type is `.servicenow`, `.servicenow-sir`, or `.servicenow-itom`. + required: + - type + - params + title: APM latency + SLOs_indicator_properties_custom_kql: + description: Defines properties for a custom query indicator type type: object properties: - clientSecret: - type: string - description: The client secret assigned to your OAuth application. This property is required when `isOAuth` is `true`. - password: - type: string - description: The password for HTTP basic authentication. This property is required when `isOAuth` is `false`. - privateKey: - type: string - description: The RSA private key that you created for use in ServiceNow. This property is required when `isOAuth` is `true`. - privateKeyPassword: - type: string - description: The password for the RSA private key. 
This property is required when `isOAuth` is `true` and you set a password on your private key. - username: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + dataViewId: + description: >- + The kibana data view id to use, primarily used to include data + view runtime mappings. Make sure to save SLO again if you + add/update run time fields to the data view and if those fields + are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + $ref: '#/components/schemas/SLOs_kql_with_filters' + good: + $ref: '#/components/schemas/SLOs_kql_with_filters_good' + index: + description: The index or index pattern to use + example: my-service-* + type: string + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp + type: string + total: + $ref: '#/components/schemas/SLOs_kql_with_filters_total' + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.kql.custom type: string - description: The username for HTTP basic authentication. This property is required when `isOAuth` is `false`. - slack_api_secrets: - title: Connector secrets properties for a Web API Slack connector - description: Defines secrets for connectors when type is `.slack`. required: - - token + - type + - params + title: Custom Query + SLOs_indicator_properties_custom_metric: + description: Defines properties for a custom metric indicator type type: object properties: - token: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + dataViewId: + description: >- + The kibana data view id to use, primarily used to include data + view runtime mappings. Make sure to save SLO again if you + add/update run time fields to the data view and if those fields + are being used in slo queries. 
+ example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + good: + description: | + An object defining the "good" metrics and equation + type: object + properties: + equation: + description: The equation to calculate the "good" metric. + example: A + type: string + metrics: + description: >- + List of metrics with their name, aggregation type, and + field. + items: + oneOf: + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - sum + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + - field + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - doc_count + example: doc_count + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + type: array + required: + - metrics + - equation + index: + description: The index or index pattern to use + example: my-service-* + type: string + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp + type: string + total: + description: | + An object defining the "total" metrics and equation + type: object + properties: + equation: + description: The equation to calculate the "total" metric. 
+ example: A + type: string + metrics: + description: >- + List of metrics with their name, aggregation type, and + field. + items: + oneOf: + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - sum + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + - field + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - doc_count + example: doc_count + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + type: array + required: + - metrics + - equation + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.metric.custom type: string - description: Slack bot user OAuth token. - swimlane_secrets: - title: Connector secrets properties for a Swimlane connector - description: Defines secrets for connectors when type is `.swimlane`. + required: + - type + - params + title: Custom metric + SLOs_indicator_properties_histogram: + description: Defines properties for a histogram indicator type type: object properties: - apiToken: - description: Swimlane API authentication token. + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + dataViewId: + description: >- + The kibana data view id to use, primarily used to include data + view runtime mappings. 
Make sure to save SLO again if you + add/update run time fields to the data view and if those fields + are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + good: + description: | + An object defining the "good" events + type: object + properties: + aggregation: + description: The type of aggregation to use. + enum: + - value_count + - range + example: value_count + type: string + field: + description: The field use to aggregate the good events. + example: processor.latency + type: string + filter: + description: The filter for good events. + example: 'processor.outcome: "success"' + type: string + from: + description: >- + The starting value of the range. Only required for "range" + aggregations. + example: 0 + type: number + to: + description: >- + The ending value of the range. Only required for "range" + aggregations. + example: 100 + type: number + required: + - aggregation + - field + index: + description: The index or index pattern to use + example: my-service-* + type: string + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp + type: string + total: + description: | + An object defining the "total" events + type: object + properties: + aggregation: + description: The type of aggregation to use. + enum: + - value_count + - range + example: value_count + type: string + field: + description: The field use to aggregate the good events. + example: processor.latency + type: string + filter: + description: The filter for total events. + example: 'processor.outcome : *' + type: string + from: + description: >- + The starting value of the range. Only required for "range" + aggregations. + example: 0 + type: number + to: + description: >- + The ending value of the range. Only required for "range" + aggregations. 
+ example: 100 + type: number + required: + - aggregation + - field + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.histogram.custom type: string - thehive_secrets: - title: Connector secrets properties for a TheHive connector - description: Defines secrets for connectors when type is `.thehive`. required: - - apiKey - type: object - properties: - apiKey: - type: string - description: The API key for authentication in TheHive. - tines_secrets: - title: Connector secrets properties for a Tines connector - description: Defines secrets for connectors when type is `.tines`. + - type + - params + title: Histogram indicator + SLOs_indicator_properties_timeslice_metric: + description: Defines properties for a timeslice metric indicator type type: object - required: - - email - - token properties: - email: - description: The email used to sign in to Tines. - type: string - token: - description: The Tines API token. + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + dataViewId: + description: >- + The kibana data view id to use, primarily used to include data + view runtime mappings. Make sure to save SLO again if you + add/update run time fields to the data view and if those fields + are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + index: + description: The index or index pattern to use + example: my-service-* + type: string + metric: + description: > + An object defining the metrics, equation, and threshold to + determine if it's a good slice or not + type: object + properties: + comparator: + description: >- + The comparator to use to compare the equation to the + threshold. 
+ enum: + - GT + - GTE + - LT + - LTE + example: GT + type: string + equation: + description: The equation to calculate the metric. + example: A + type: string + metrics: + description: >- + List of metrics with their name, aggregation type, and + field. + items: + anyOf: + - $ref: >- + #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field + - $ref: >- + #/components/schemas/SLOs_timeslice_metric_percentile_metric + - $ref: >- + #/components/schemas/SLOs_timeslice_metric_doc_count_metric + discriminator: + mapping: + avg: >- + #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field + cardinality: >- + #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field + doc_count: >- + #/components/schemas/SLOs_timeslice_metric_doc_count_metric + last_value: >- + #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field + max: >- + #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field + min: >- + #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field + percentile: >- + #/components/schemas/SLOs_timeslice_metric_percentile_metric + std_deviation: >- + #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field + sum: >- + #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field + propertyName: aggregation + type: array + threshold: + description: >- + The threshold used to determine if the metric is a good + slice or not. + example: 100 + type: number + required: + - metrics + - equation + - comparator + - threshold + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp + type: string + required: + - index + - timestampField + - metric + type: + description: The type of indicator. + example: sli.metric.timeslice type: string - torq_secrets: - title: Connector secrets properties for a Torq connector - description: Defines secrets for connectors when type is `.torq`. 
- type: object required: - - token - properties: - token: - description: The secret of the webhook authentication header. - type: string - crt: - title: Certificate - type: string - description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the CRT or CERT file. - key: - title: Certificate key - type: string - description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the KEY file. - pfx: - title: Personal information exchange - type: string - description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-pfx`, it is a base64 encoded version of the PFX or P12 file. - webhook_secrets: - title: Connector secrets properties for a Webhook connector - description: Defines secrets for connectors when type is `.webhook`. - type: object - properties: - crt: - $ref: '#/components/schemas/crt' - key: - $ref: '#/components/schemas/key' - pfx: - $ref: '#/components/schemas/pfx' - password: - type: string - description: | - The password for HTTP basic authentication or the passphrase for the SSL certificate files. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. - user: + - type + - params + title: Timeslice metric + SLOs_kql_with_filters: + description: Defines properties for a filter + oneOf: + - description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' type: string - description: | - The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. 
- cases_webhook_secrets: - title: Connector secrets properties for Webhook - Case Management connector - type: object - properties: - crt: - $ref: '#/components/schemas/crt' - key: - $ref: '#/components/schemas/key' - pfx: - $ref: '#/components/schemas/pfx' - password: + - type: object + properties: + filters: + items: + $ref: '#/components/schemas/SLOs_filter' + type: array + kqlQuery: + type: string + title: KQL with filters + SLOs_kql_with_filters_good: + description: The KQL query used to define the good events. + oneOf: + - description: the KQL query to filter the documents with. + example: 'request.latency <= 150 and request.status_code : "2xx"' type: string - description: | - The password for HTTP basic authentication. If `hasAuth` is set to `true` and and `authType` is `webhook-authentication-basic`, this property is required. - user: + - type: object + properties: + filters: + items: + $ref: '#/components/schemas/SLOs_filter' + type: array + kqlQuery: + type: string + title: KQL query for good events + SLOs_kql_with_filters_total: + description: The KQL query used to define all events. + oneOf: + - description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' type: string - description: | - The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. - xmatters_secrets: - title: Connector secrets properties for an xMatters connector - description: Defines secrets for connectors when type is `.xmatters`. + - type: object + properties: + filters: + items: + $ref: '#/components/schemas/SLOs_filter' + type: array + kqlQuery: + type: string + title: KQL query for all events + SLOs_objective: + description: Defines properties for the SLO objective type: object properties: - password: - description: | - A user name for HTTP basic authentication. It is applicable only when `usesBasic` is `true`. 
- type: string - secretsUrl: - description: | - The request URL for the Elastic Alerts trigger in xMatters with the API key included in the URL. It is applicable only when `usesBasic` is `false`. - type: string - user: - description: | - A password for HTTP basic authentication. It is applicable only when `usesBasic` is `true`. + target: + description: the target objective between 0 and 1 excluded + example: 0.99 + exclusiveMaximum: true + exclusiveMinimum: true + maximum: 100 + minimum: 0 + type: number + timesliceTarget: + description: >- + the target objective for each slice when using a timeslices + budgeting method + example: 0.995 + maximum: 100 + minimum: 0 + type: number + timesliceWindow: + description: >- + the duration of each slice when using a timeslices budgeting method, + as {duraton}{unit} + example: 5m type: string - genai_openai_other_config: - title: Connector request properties for an OpenAI connector with Other provider - description: | - Defines properties for connectors when type is `.gen-ai` and the API provider is `Other` (OpenAI-compatible service), including optional PKI authentication. - type: object required: - - apiProvider - - apiUrl - - defaultModel + - target + title: Objective + SLOs_settings: + description: Defines properties for SLO settings. properties: - apiProvider: - type: string - description: The OpenAI API provider. - enum: - - Other - apiUrl: - type: string - description: The OpenAI-compatible API endpoint. - defaultModel: - type: string - description: The default model to use for requests. - certificateData: - type: string - description: PEM-encoded certificate content. - minLength: 1 - privateKeyData: + frequency: + default: 1m + description: >- + The interval between checks for changes in the source data. The + minimum value is 1m and the maximum is 59m. The default value is 1 + minute. + example: 5m type: string - description: PEM-encoded private key content. 
- minLength: 1 - caData: + preventInitialBackfill: + default: false + description: >- + Start aggregating data from the time the SLO is created, instead of + backfilling data from the beginning of the time window. + example: true + type: boolean + syncDelay: + default: 1m + description: >- + The time delay in minutes between the current time and the latest + source data time. Increasing the value will delay any alerting. The + default value is 1 minute. The minimum value is 1m and the maximum + is 359m. It should always be greater then source index refresh + interval. + example: 5m type: string - description: PEM-encoded CA certificate content. - minLength: 1 - verificationMode: + syncField: + description: >- + The date field that is used to identify new documents in the source. + It is strongly recommended to use a field that contains the ingest + timestamp. If you use a different field, you might need to set the + delay such that it accounts for data transmission delays. When + unspecified, we use the indicator timestamp field. + example: event.ingested type: string - description: SSL verification mode for PKI authentication. - enum: - - full - - certificate - - none - default: full - headers: - type: object - description: Custom headers to include in requests. - additionalProperties: - type: string - defender_secrets: - title: Connector secrets properties for a Microsoft Defender for Endpoint connector - required: - - clientSecret - description: Defines secrets for connectors when type is `..microsoft_defender_endpoint`. + title: Settings type: object - properties: - clientSecret: - description: The client secret for your app in the Azure portal. - type: string - run_acknowledge_resolve_pagerduty: - title: PagerDuty connector parameters - description: Test an action that acknowledges or resolves a PagerDuty alert. 
+ SLOs_slo_definition_response: + title: SLO definition response type: object - required: - - dedupKey - - eventAction properties: - dedupKey: - description: The deduplication key for the PagerDuty alert. + artifacts: + $ref: '#/components/schemas/SLOs_artifacts' + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + createdAt: + description: The creation date + example: '2023-01-12T10:03:19.000Z' type: string - maxLength: 255 - eventAction: - description: The type of event. + description: + description: The description of the SLO. + example: My SLO description type: string - enum: - - acknowledge - - resolve - run_documents: - title: Index connector parameters - description: Test an action that indexes a document into Elasticsearch. - type: object - required: - - documents - properties: - documents: - type: array - description: The documents in JSON format for index connectors. - items: - type: object - additionalProperties: true - run_message_email: - title: Email connector parameters - description: | - Test an action that sends an email message. There must be at least one recipient in `to`, `cc`, or `bcc`. - type: object - required: - - message - - subject - properties: - bcc: - type: array - items: - type: string - description: | - A list of "blind carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in name `` format - cc: - type: array - items: - type: string - description: | - A list of "carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in name `` format - message: + enabled: + description: Indicate if the SLO is enabled + example: true + type: boolean + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + id: + description: The identifier of the SLO. + example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string - description: The email message text. Markdown format is supported. 
- subject: + indicator: + discriminator: + mapping: + sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' + sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' + sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' + sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' + sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' + sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + propertyName: type + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: The name of the SLO. + example: My Service SLO type: string - description: The subject line of the email. - to: - type: array - description: | - A list of email addresses. Addresses can be specified in `user@host-name` format or in name `` format. + objective: + $ref: '#/components/schemas/SLOs_objective' + revision: + description: The SLO revision + example: 2 + type: number + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags items: type: string - run_message_serverlog: - title: Server log connector parameters - description: Test an action that writes an entry to the Kibana server log. - type: object - required: - - message - properties: - level: - type: string - description: The log level of the message for server log connectors. 
- enum: - - debug - - error - - fatal - - info - - trace - - warn - default: info - message: - type: string - description: The message for server log connectors. - run_message_slack: - title: Slack connector parameters - description: | - Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack`. - type: object - required: - - message - properties: - message: - type: string - description: The Slack message text, which cannot contain Markdown, images, or other advanced formatting. - run_trigger_pagerduty: - title: PagerDuty connector parameters - description: Test an action that triggers a PagerDuty alert. - type: object - required: - - eventAction - properties: - class: - description: The class or type of the event. - type: string - example: cpu load - component: - description: The component of the source machine that is responsible for the event. - type: string - example: eth0 - customDetails: - description: Additional details to add to the event. - type: object - dedupKey: - description: | - All actions sharing this key will be associated with the same PagerDuty alert. This value is used to correlate trigger and resolution. - type: string - maxLength: 255 - eventAction: - description: The type of event. - type: string - enum: - - trigger - group: - description: The logical grouping of components of a service. - type: string - example: app-stack - links: - description: A list of links to add to the event. type: array - items: - type: object - properties: - href: - description: The URL for the link. - type: string - text: - description: A plain text description of the purpose of the link. - type: string - severity: - description: The severity of the event on the affected system. - type: string - enum: - - critical - - error - - info - - warning - default: info - source: - description: | - The affected system, such as a hostname or fully qualified domain name. Defaults to the Kibana saved object id of the action. 
- type: string - summary: - description: A summery of the event. - type: string - maxLength: 1024 - timestamp: - description: An ISO-8601 timestamp that indicates when the event was detected or generated. + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + updatedAt: + description: The last update date + example: '2023-01-12T10:03:19.000Z' type: string - format: date-time - run_addevent: - title: The addEvent subaction - type: object + version: + description: The internal SLO version + example: 2 + type: number required: - - subAction - description: The `addEvent` subaction for ServiceNow ITOM connectors. - properties: - subAction: - type: string - description: The action to test. - enum: - - addEvent - subActionParams: - type: object - description: The set of configuration properties for the action. - properties: - additional_info: - type: string - description: Additional information about the event. - description: - type: string - description: The details about the event. - event_class: - type: string - description: A specific instance of the source. - message_key: - type: string - description: All actions sharing this key are associated with the same ServiceNow alert. The default value is `:`. - metric_name: - type: string - description: The name of the metric. - node: - type: string - description: The host that the event was triggered for. - resource: - type: string - description: The name of the resource. - severity: - type: string - description: The severity of the event. - source: - type: string - description: The name of the event source type. - time_of_event: - type: string - description: The time of the event. - type: - type: string - description: The type of event. 
- run_closealert: - title: The closeAlert subaction + - id + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + - settings + - revision + - enabled + - groupBy + - tags + - createdAt + - updatedAt + - version + SLOs_slo_with_summary_response: + title: SLO response type: object - required: - - subAction - - subActionParams - description: The `closeAlert` subaction for Opsgenie connectors. properties: - subAction: + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + createdAt: + description: The creation date + example: '2023-01-12T10:03:19.000Z' type: string - description: The action to test. - enum: - - closeAlert - subActionParams: - type: object - required: - - alias - properties: - alias: - type: string - description: The unique identifier used for alert deduplication in Opsgenie. The alias must match the value used when creating the alert. - note: - type: string - description: Additional information for the alert. - source: - type: string - description: The display name for the source of the alert. - user: - type: string - description: The display name for the owner. - run_closeincident: - title: The closeIncident subaction - type: object - required: - - subAction - - subActionParams - description: The `closeIncident` subaction for ServiceNow ITSM connectors. - properties: - subAction: + description: + description: The description of the SLO. + example: My SLO description type: string - description: The action to test. - enum: - - closeIncident - subActionParams: - type: object - required: - - incident - properties: - incident: - type: object - anyOf: - - required: - - correlation_id - - required: - - externalId - properties: - correlation_id: - type: string - nullable: true - description: | - An identifier that is assigned to the incident when it is created by the connector. 
NOTE: If you use the default value and the rule generates multiple alerts that use the same alert IDs, the latest open incident for this correlation ID is closed unless you specify the external ID. - maxLength: 100 - default: '{{rule.id}}:{{alert.id}}' - externalId: - type: string - nullable: true - description: The unique identifier (`incidentId`) for the incident in ServiceNow. - run_createalert: - title: The createAlert subaction - type: object - required: - - subAction - - subActionParams - description: The `createAlert` subaction for Opsgenie and TheHive connectors. - properties: - subAction: + enabled: + description: Indicate if the SLO is enabled + example: true + type: boolean + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + id: + description: The identifier of the SLO. + example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string - description: The action to test. - enum: - - createAlert - subActionParams: - type: object - properties: - actions: - type: array - description: The custom actions available to the alert in Opsgenie connectors. - items: - type: string - alias: - type: string - description: The unique identifier used for alert deduplication in Opsgenie. - description: - type: string - description: A description that provides detailed information about the alert. - details: - type: object - description: The custom properties of the alert in Opsgenie connectors. - additionalProperties: true - example: - key1: value1 - key2: value2 - entity: - type: string - description: The domain of the alert in Opsgenie connectors. For example, the application or server name. - message: - type: string - description: The alert message in Opsgenie connectors. - note: - type: string - description: Additional information for the alert in Opsgenie connectors. - priority: - type: string - description: The priority level for the alert in Opsgenie connectors. 
- enum: - - P1 - - P2 - - P3 - - P4 - - P5 - responders: - type: array - description: | - The entities to receive notifications about the alert in Opsgenie connectors. If `type` is `user`, either `id` or `username` is required. If `type` is `team`, either `id` or `name` is required. - items: - type: object - properties: - id: - type: string - description: The identifier for the entity. - name: - type: string - description: The name of the entity. - type: - type: string - description: The type of responders, in this case `escalation`. - enum: - - escalation - - schedule - - team - - user - username: - type: string - description: A valid email address for the user. - severity: - type: integer - minimum: 1 - maximum: 4 - description: | - The severity of the incident for TheHive connectors. The value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium). - source: - type: string - description: The display name for the source of the alert in Opsgenie and TheHive connectors. - sourceRef: - type: string - description: A source reference for the alert in TheHive connectors. - tags: - type: array - description: The tags for the alert in Opsgenie and TheHive connectors. - items: - type: string - title: - type: string - description: | - A title for the incident for TheHive connectors. It is used for searching the contents of the knowledge base. - tlp: - type: integer - minimum: 0 - maximum: 4 - default: 2 - description: | - The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red). - type: - type: string - description: The type of alert in TheHive connectors. - user: - type: string - description: The display name for the owner. - visibleTo: - type: array - description: The teams and users that the alert will be visible to without sending a notification. Only one of `id`, `name`, or `username` is required. 
- items: - type: object - required: - - type - properties: - id: - type: string - description: The identifier for the entity. - name: - type: string - description: The name of the entity. - type: - type: string - description: Valid values are `team` and `user`. - enum: - - team - - user - username: - type: string - description: The user name. This property is required only when the `type` is `user`. - run_fieldsbyissuetype: - title: The fieldsByIssueType subaction - type: object - required: - - subAction - - subActionParams - description: The `fieldsByIssueType` subaction for Jira connectors. - properties: - subAction: + indicator: + discriminator: + mapping: + sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' + sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' + sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' + sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' + sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' + sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + propertyName: type + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + instanceId: + description: the value derived from the groupBy field, if present, otherwise '*' + example: host-abcde type: string - description: The action to test. - enum: - - fieldsByIssueType - subActionParams: - type: object - required: - - id - properties: - id: - type: string - description: The Jira issue type identifier. 
- example: 10024 - run_getagentdetails: - title: The getAgentDetails subaction - type: object - required: - - subAction - - subActionParams - description: The `getAgentDetails` subaction for CrowdStrike connectors. - properties: - subAction: + name: + description: The name of the SLO. + example: My Service SLO type: string - description: The action to test. - enum: - - getAgentDetails - subActionParams: - type: object - description: The set of configuration properties for the action. - required: - - ids - properties: - ids: - type: array - description: An array of CrowdStrike agent identifiers. - items: - type: string - run_getagents: - title: The getAgents subaction - type: object - required: - - subAction - description: The `getAgents` subaction for SentinelOne connectors. - properties: - subAction: + objective: + $ref: '#/components/schemas/SLOs_objective' + revision: + description: The SLO revision + example: 2 + type: number + settings: + $ref: '#/components/schemas/SLOs_settings' + summary: + $ref: '#/components/schemas/SLOs_summary' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + updatedAt: + description: The last update date + example: '2023-01-12T10:03:19.000Z' type: string - description: The action to test. - enum: - - getAgents - run_getchoices: - title: The getChoices subaction - type: object + version: + description: The internal SLO version + example: 2 + type: number required: - - subAction - - subActionParams - description: The `getChoices` subaction for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors. 
+ - id + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + - settings + - revision + - summary + - enabled + - groupBy + - instanceId + - tags + - createdAt + - updatedAt + - version + SLOs_summary: + description: The SLO computed data properties: - subAction: - type: string - description: The action to test. - enum: - - getChoices - subActionParams: - type: object - description: The set of configuration properties for the action. - required: - - fields - properties: - fields: - type: array - description: An array of fields. - items: - type: string - run_getfields: - title: The getFields subaction - type: object + errorBudget: + $ref: '#/components/schemas/SLOs_error_budget' + sliValue: + example: 0.9836 + type: number + status: + $ref: '#/components/schemas/SLOs_summary_status' required: - - subAction - description: The `getFields` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors. - properties: - subAction: - type: string - description: The action to test. - enum: - - getFields - run_getincident: - title: The getIncident subaction + - status + - sliValue + - errorBudget + title: Summary type: object - description: The `getIncident` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors. - required: - - subAction - - subActionParams - properties: - subAction: - type: string - description: The action to test. - enum: - - getIncident - subActionParams: - type: object - required: - - externalId - properties: - externalId: - type: string - description: The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. - example: 71778 - run_issue: - title: The issue subaction + SLOs_summary_status: + enum: + - NO_DATA + - HEALTHY + - DEGRADING + - VIOLATED + example: HEALTHY + title: summary status + type: string + SLOs_time_window: + description: Defines properties for the SLO time window type: object - required: - - subAction - description: The `issue` subaction for Jira connectors. 
properties: - subAction: + duration: + description: >- + the duration formatted as {duration}{unit}. Accepted values for + rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w + (weekly) or 1M (monthly) + example: 30d type: string - description: The action to test. + type: + description: >- + Indicates weither the time window is a rolling or a calendar aligned + time window. enum: - - issue - subActionParams: - type: object - required: - - id - properties: - id: - type: string - description: The Jira issue identifier. - example: 71778 - run_issues: - title: The issues subaction - type: object + - rolling + - calendarAligned + example: rolling + type: string required: - - subAction - - subActionParams - description: The `issues` subaction for Jira connectors. + - duration + - type + title: Time window + SLOs_timeslice_metric_basic_metric_with_field: + type: object properties: - subAction: - type: string - description: The action to test. + aggregation: + description: The aggregation type of the metric. enum: - - issues - subActionParams: - type: object - required: - - title - properties: - title: - type: string - description: The title of the Jira issue. - run_issuetypes: - title: The issueTypes subaction - type: object + - sum + - avg + - min + - max + - std_deviation + - last_value + - cardinality + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string required: - - subAction - description: The `issueTypes` subaction for Jira connectors. + - name + - aggregation + - field + title: Timeslice Metric Basic Metric with Field + SLOs_timeslice_metric_doc_count_metric: + type: object properties: - subAction: - type: string - description: The action to test. 
+ aggregation: + description: The aggregation type of the metric. Only valid option is "doc_count" enum: - - issueTypes - run_postmessage: - title: The postMessage subaction - type: object - description: | - Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack_api`. + - doc_count + example: doc_count + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string required: - - subAction - - subActionParams + - name + - aggregation + title: Timeslice Metric Doc Count Metric + SLOs_timeslice_metric_percentile_metric: + type: object properties: - subAction: - type: string - description: The action to test. + aggregation: + description: >- + The aggregation type of the metric. Only valid option is + "percentile" enum: - - postMessage - subActionParams: - type: object - description: The set of configuration properties for the action. - properties: - channelIds: - type: array - maxItems: 1 - description: | - The Slack channel identifier, which must be one of the `allowedChannels` in the connector configuration. - items: - type: string - channels: - type: array - deprecated: true - description: | - The name of a channel that your Slack app has access to. - maxItems: 1 - items: - type: string - text: - type: string - description: | - The Slack message text. If it is a Slack webhook connector, the text cannot contain Markdown, images, or other advanced formatting. If it is a Slack web API connector, it can contain either plain text or block kit messages. - minLength: 1 - run_pushtoservice: - title: The pushToService subaction - type: object + - percentile + example: percentile + type: string + field: + description: The field of the metric. 
+ example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + percentile: + description: The percentile value. + example: 95 + type: number required: - - subAction - - subActionParams - description: The `pushToService` subaction for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors. + - name + - aggregation + - field + - percentile + title: Timeslice Metric Percentile Metric + SLOs_update_slo_request: + description: > + The update SLO API request body varies depending on the type of + indicator, time window and budgeting method. Partial update is handled. properties: - subAction: + artifacts: + $ref: '#/components/schemas/SLOs_artifacts' + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + description: + description: A description for the SLO. type: string - description: The action to test. - enum: - - pushToService - subActionParams: - type: object - description: The set of configuration properties for the action. - properties: - comments: - type: array - description: Additional information that is sent to Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, or TheHive. - items: - type: object - properties: - comment: - type: string - description: A comment related to the incident. For example, describe how to troubleshoot the issue. - commentId: - type: integer - description: A unique identifier for the comment. - incident: - type: object - description: Information necessary to create or update a Jira, ServiceNow ITSM, ServiveNow SecOps, Swimlane, or TheHive incident. - properties: - additional_fields: - type: string - nullable: true - maxLength: 20 - description: | - Additional fields for ServiceNow ITSM and ServiveNow SecOps connectors. 
The fields must exist in the Elastic ServiceNow application and must be specified in JSON format. - alertId: - type: string - description: The alert identifier for Swimlane connectors. - caseId: - type: string - description: The case identifier for the incident for Swimlane connectors. - caseName: - type: string - description: The case name for the incident for Swimlane connectors. - category: - type: string - description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. - correlation_display: - type: string - description: A descriptive label of the alert for correlation purposes for ServiceNow ITSM and ServiceNow SecOps connectors. - correlation_id: - type: string - description: | - The correlation identifier for the security incident for ServiceNow ITSM and ServiveNow SecOps connectors. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as `{{ruleID}}:{{alert ID}}` to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters. NOTE: Using the default configuration of `{{ruleID}}:{{alert ID}}` ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert. - description: - type: string - description: The description of the incident for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors. - dest_ip: - description: | - A list of destination IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident. 
- oneOf: - - type: string - - type: array - items: - type: string - externalId: - type: string - description: | - The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. If present, the incident is updated. Otherwise, a new incident is created. - id: - type: string - description: The external case identifier for Webhook - Case Management connectors. - impact: - type: string - description: The impact of the incident for ServiceNow ITSM connectors. - issueType: - type: integer - description: The type of incident for Jira connectors. For example, 10006. To obtain the list of valid values, set `subAction` to `issueTypes`. - labels: - type: array - items: - type: string - description: | - The labels for the incident for Jira connectors. NOTE: Labels cannot contain spaces. - malware_hash: - description: A list of malware hashes related to the security incident for ServiceNow SecOps connectors. The hashes are added as observables to the security incident. - oneOf: - - type: string - - type: array - items: - type: string - malware_url: - type: string - description: A list of malware URLs related to the security incident for ServiceNow SecOps connectors. The URLs are added as observables to the security incident. - oneOf: - - type: string - - type: array - items: - type: string - otherFields: - type: object - additionalProperties: true - maxProperties: 20 - description: | - Custom field identifiers and their values for Jira connectors. - parent: - type: string - description: The ID or key of the parent issue for Jira connectors. Applies only to `Sub-task` types of issues. - priority: - type: string - description: The priority of the incident in Jira and ServiceNow SecOps connectors. - ruleName: - type: string - description: The rule name for Swimlane connectors. - severity: - type: integer - description: | - The severity of the incident for ServiceNow ITSM, Swimlane, and TheHive connectors. 
In TheHive connectors, the severity value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium). - short_description: - type: string - description: | - A short description of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. It is used for searching the contents of the knowledge base. - source_ip: - description: A list of source IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident. - oneOf: - - type: string - - type: array - items: - type: string - status: - type: string - description: The status of the incident for Webhook - Case Management connectors. - subcategory: - type: string - description: The subcategory of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. - summary: - type: string - description: A summary of the incident for Jira connectors. - tags: - type: array - items: - type: string - description: A list of tags for TheHive and Webhook - Case Management connectors. - title: - type: string - description: | - A title for the incident for Jira, TheHive, and Webhook - Case Management connectors. It is used for searching the contents of the knowledge base. - tlp: - type: integer - minimum: 0 - maximum: 4 - default: 2 - description: | - The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red). - urgency: - type: string - description: The urgency of the incident for ServiceNow ITSM connectors. 
- run_validchannelid: - title: The validChannelId subaction + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + indicator: + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: A name for the SLO. + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + title: Update SLO request + type: object + Task_manager_health_Serverless_APIs_configuration: + description: > + This object summarizes the current configuration of Task Manager. This + includes dynamic configurations that change over time, such as + `poll_interval` and `max_workers`, which can adjust in reaction to + changing load on the system. + type: object + Task_manager_health_Serverless_APIs_health_response_serverless: + title: Task health response properties type: object - description: | - Retrieves information about a valid Slack channel identifier. It is applicable only when the connector type is `.slack_api`. - required: - - subAction - - subActionParams properties: - subAction: + id: type: string - description: The action to test. - enum: - - validChannelId - subActionParams: + last_update: + type: string + stats: type: object - required: - - channelId properties: - channelId: - type: string - description: The Slack channel identifier. 
- example: C123ABC456 + configuration: + $ref: >- + #/components/schemas/Task_manager_health_Serverless_APIs_configuration + workload: + $ref: >- + #/components/schemas/Task_manager_health_Serverless_APIs_workload + status: + type: string + timestamp: + type: string + Task_manager_health_Serverless_APIs_workload: + description: > + This object summarizes the work load across the cluster, including the + tasks in the system, their types, and current status. + type: object securitySchemes: apiKeyAuth: - description: You must create an API key and use the encoded value in the request header. To learn about creating keys, go to [API keys](https://www.elastic.co/docs/current/serverless/api-keys). + description: >- + You must create an API key and use the encoded value in the request + header. To learn about creating keys, go to [API + keys](https://www.elastic.co/docs/current/serverless/api-keys). in: header name: Authorization type: apiKey -x-topics: - - title: Kibana spaces - content: | - Spaces enable you to organize your dashboards and other saved objects into meaningful categories. - You can use the default space or create your own spaces. +security: + - apiKeyAuth: [] +tags: + - description: | + Adjust APM agent configuration without need to redeploy your application. + name: APM agent configuration + - description: > + Configure APM agent keys to authorize requests from APM agents to the APM + Server. + name: APM agent keys + - description: > + Annotate visualizations in the APM app with significant events. + Annotations enable you to easily see how events are impacting the + performance of your applications. + name: APM annotations + - description: Create APM fleet server schema. + name: APM server schema + - description: > + Configure APM source maps. 
A source map allows minified files to be mapped + back to original source code--allowing you to maintain the speed advantage + of minified code, without losing the ability to quickly and easily debug + your application. + + For best results, uploading source maps should become a part of your + deployment procedure, and not something you only do when you see unhelpful + errors. That's because uploading source maps after errors happen won't + make old errors magically readable--errors must occur again for source + mapping to occur. + name: APM sourcemaps + - description: >- + Data view APIs enable you to manage data views, formerly known as Kibana + index patterns. + name: data views + - description: Machine learning + name: ml + - description: Interact with the Observability AI Assistant resources. + externalDocs: + description: Observability AI Assistant + url: >- + https://www.elastic.co/docs/solutions/observability/observability-ai-assistant + name: observability_ai_assistant + x-displayName: Observability AI Assistant + - description: Manage and interact with Security Assistant resources. + name: Security AI Assistant API + x-displayName: Security AI assistant + - description: >- + Use the Attack discovery APIs to generate and manage Attack discoveries. + Attack Discovery leverages large language models (LLMs) to analyze alerts + in your environment and identify threats. Each "discovery" represents a + potential attack and describes relationships among multiple alerts to tell + you which users and hosts are involved, how alerts correspond to the MITRE + ATT&CK matrix, and which threat actor might be responsible. + name: Security Attack discovery API + x-displayName: Security Attack discovery + - description: > + Use the detections APIs to create and manage detection rules. Detection + rules search events and external alerts sent to Elastic Security and + generate detection alerts from any hits. 
Alerts are displayed on the + **Alerts** page and can be assigned and triaged, using the alert status to + mark them as open, closed, or acknowledged. + + + This API supports both key-based authentication and basic authentication. + + + To use key-based authentication, create an API key, then specify the key + in the header of your API calls. + + + To use basic authentication, provide a username and password; this + automatically creates an API key that matches the current user’s + privileges. + + + In both cases, the API key is subsequently used for authorization when the + rule runs. + + > warn + + > If the API key used for authorization has different privileges than the + key that created or most recently updated a rule, the rule behavior might + change. + + + > If the API key that created a rule is deleted, or the user that created + the rule becomes inactive, the rule will stop running. + + + To create and run rules, the user must meet specific requirements for the + Kibana space. Refer to the [Detections + requirements](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html) + for a complete list of requirements. + name: Security Detections API + x-displayName: Security detections + - description: >- + Endpoint Exceptions API allows you to manage detection rule endpoint + exceptions to prevent a rule from generating an alert from incoming events + even when the rule's other criteria are met. + name: Security Endpoint Exceptions API + x-displayName: Security Elastic Endpoint exceptions + - description: Interact with and manage endpoints running the Elastic Defend integration. 
+ name: Security Endpoint Management API + x-displayName: Security endpoint management + - description: '' + name: Security Entity Analytics API + x-displayName: Security entity analytics + - description: > + Exceptions are associated with detection and endpoint rules, and are used + to prevent a rule from generating an alert from incoming events, even when + the rule's other criteria are met. They can help reduce the number of + false positives and prevent trusted processes and network activity from + generating unnecessary alerts. + + + Exceptions are made up of: + + + * **Exception containers**: A container for related exceptions. Generally, + a single exception container contains all the exception items relevant for + a subset of rules. For example, a container can be used to group together + network-related exceptions that are relevant for a large number of network + rules. The container can then be associated with all the relevant rules. + + * **Exception items**: The query (fields, values, and logic) used to + prevent rules from generating alerts. When an exception item's query + evaluates to `true`, the rule does not generate an alert. + + + For detection rules, you can also use lists to define rule exceptions. A + list holds multiple values of the same Elasticsearch data type, such as IP + addresses. These values are used to determine when an exception prevents + an alert from being generated. + + > info + + > You cannot use lists with endpoint rule exceptions. + + + > info + + > Only exception containers can be associated with rules. You cannot + directly associate an exception item or a list container with a rule. To + use list exceptions, create an exception item that references the relevant + list container. + + + ## Exceptions requirements + + + Before you can start working with exceptions that use value lists, you + must create the `.lists` and `.items` data streams for the relevant Kibana + space. 
To do this, use the [Create list data + streams](../operation/operation-createlistindex) endpoint. Once these data + streams are created, your role needs privileges to manage rules. For a + complete list of requirements, refer to [Enable and access + detections](https://www.elastic.co/guide/en/serverless/current/security-detections-requirements.html#enable-detections-ui). + name: Security Exceptions API + x-displayName: Security exceptions + - description: > + Lists can be used with detection rule exceptions to define values that + prevent a rule from generating alerts. + + + Lists are made up of: + + + * **List containers**: A container for values of the same Elasticsearch + data type. The following data types can be used: + * `boolean` + * `byte` + * `date` + * `date_nanos` + * `date_range` + * `double` + * `double_range` + * `float` + * `float_range` + * `half_float` + * `integer` + * `integer_range` + * `ip` + * `ip_range` + * `keyword` + * `long` + * `long_range` + * `short` + * `text` + * **List items**: The values used to determine whether the exception + prevents an alert from being generated. + + + All list items in the same list container must be of the same data type, + and each item defines a single value. For example, an IP list container + named `internal-ip-addresses-southport` contains five items, where each + item defines one internal IP address: + + 1. `192.168.1.1` + + 2. `192.168.1.3` + + 3. `192.168.1.18` + + 4. `192.168.1.12` + + 5. `192.168.1.7` + + + To use these IP addresses as values for defining rule exceptions, use the + Security exceptions API to [create an exception list + item](../operation/operation-createexceptionlistitem) that references the + `internal-ip-addresses-southport` list. + + > info + + > Lists cannot be added directly to rules, nor do they define the + operators used to determine when exceptions are applied (`is in list`, `is + not in list`). 
Use an exception item to define the operator and associate + it with an [exception + container](../operation/operation-createexceptionlist). You can then add + the exception container to a rule's `exceptions_list` object. - To run APIs in non-default spaces, you must add `s/{space_id}/` to the path. - For example: - ```bash - curl -X GET "http://${KIBANA_URL}/s/marketing/api/data_views" \ - -H "Authorization: ApiKey ${API_KEY}" - ``` + ## Lists requirements - If you use the Kibana console to send API requests, it automatically adds the appropriate space identifier. - To learn more, check out [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces). + Before you can start using lists, you must create the `.lists` and + `.items` data streams for the relevant Kibana space. To do this, use the + [Create list data streams](../operation/operation-createlistindex) + endpoint. Once these data streams are created, your role needs privileges + to manage rules. Refer to [Enable and access + detections](https://www.elastic.co/guide/en/serverless/current/security-detections-requirements.html#enable-detections-ui) + for a complete list of requirements. + name: Security Lists API + x-displayName: Security lists + - description: Run live queries, manage packs and saved queries. + name: Security Osquery API + x-displayName: Security Osquery + - description: >- + You can create Timelines and Timeline templates via the API, as well as + import new Timelines from an ndjson file. + name: Security Timeline API + x-displayName: Security timeline + - description: SLO APIs enable you to define, manage and track service-level objectives + name: slo + - description: >- + Task manager APIs enable you to check the health of the Kibana task + manager, which is used by features such as alerting, actions, and + reporting to run mission critical work as persistent background tasks. 
+ externalDocs: + description: Task manager + url: >- + https://www.elastic.co/docs/deploy-manage/distributed-architecture/kibana-tasks-management + name: task manager + x-displayName: Task manager diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index 4d9f56d69aad5..5c6ebb89421ae 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml 
@@ -2,38 +2,68 @@ openapi: 3.0.3 info: contact: name: Kibana Team - description: | - The Kibana REST APIs enable you to manage resources such as connectors, data views, and saved objects. + description: > + The Kibana REST APIs enable you to manage resources such as connectors, data + views, and saved objects. + The API calls are stateless. - Each request that you make happens in isolation from other calls and must include all of the necessary information for Kibana to fulfill the + + Each request that you make happens in isolation from other calls and must + include all of the necessary information for Kibana to fulfill the + request. - API requests return JSON output, which is a format that is machine-readable and works well for automation. + + API requests return JSON output, which is a format that is machine-readable + and works well for automation. + To interact with Kibana APIs, use the following operations: + - GET: Fetches the information. + - PATCH: Applies partial modifications to the existing information. + - POST: Adds new information. + - PUT: Updates the existing information. + - DELETE: Removes the information. - You can prepend any Kibana API endpoint with `kbn:` and run the request in **Dev Tools → Console**. + + You can prepend any Kibana API endpoint with `kbn:` and run the request in + **Dev Tools → Console**. + For example: + ``` + GET kbn:/api/data_views + ``` - For more information about the console, refer to [Run API requests](https://www.elastic.co/docs/explore-analyze/query-filter/tools/console). - NOTE: Access to internal Kibana API endpoints will be restricted in Kibana version 9.0. Please move any integrations to publicly documented APIs. + For more information about the console, refer to [Run API + requests](https://www.elastic.co/docs/explore-analyze/query-filter/tools/console). + + + NOTE: Access to internal Kibana API endpoints will be restricted in Kibana + version 9.0. Please move any integrations to publicly documented APIs. 
+ ## Documentation source and versions - This documentation is derived from the `main` branch of the [kibana](https://github.com/elastic/kibana) repository. - It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 International](https://creativecommons.org/licenses/by-nc-nd/4.0/). - This documentation contains work-in-progress information for future Elastic Stack releases. + This documentation is derived from the `main` branch of the + [kibana](https://github.com/elastic/kibana) repository. + + It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 + International](https://creativecommons.org/licenses/by-nc-nd/4.0/). + + + This documentation contains work-in-progress information for future Elastic + Stack releases. title: Kibana APIs version: '' x-doc-license: 
@@ -41,1789 +71,857 @@ info: url: https://creativecommons.org/licenses/by-nc-nd/4.0/ x-feedbackLink: label: Feedback - url: https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+ + url: >- + https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+ servers: + - url: http://{kibana_host}:{port} + variables: + kibana_host: + default: localhost + port: + default: '5601' + - url: / - url: https://{kibana_url} variables: kibana_url: default: localhost:5601 -security: - - apiKeyAuth: [] - - basicAuth: [] -tags: - - name: agent builder - description: | - Agent Builder is a set of AI-powered capabilities for developing and interacting with agents that work with your Elasticsearch data. - Most users will probably want to integrate with Agent Builder using MCP or A2A, but you can also work programmatically with tools, agents, and conversations using these Kibana APIs. - **Elastic Agent Builder requires an Enterprise subscription.** - externalDocs: - description: Agent Builder docs - url: https://www.elastic.co/docs/solutions/search/agent-builder/programmatic-access - x-displayName: Agent Builder - - name: alerting - description: | - Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third party integrations. - externalDocs: - description: Alerting documentation - url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts - x-displayName: Alerting - - description: | - Adjust APM agent configuration without need to redeploy your application. 
- name: APM agent configuration - - description: | - Configure APM agent keys to authorize requests from APM agents to the APM Server. - name: APM agent keys - - description: | - Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications. - name: APM annotations - - description: Create APM fleet server schema. - name: APM server schema - - description: | - Configure APM source maps. A source map allows minified files to be mapped back to original source code--allowing you to maintain the speed advantage of minified code, without losing the ability to quickly and easily debug your application. - For best results, uploading source maps should become a part of your deployment procedure, and not something you only do when you see unhelpful errors. That's because uploading source maps after errors happen won't make old errors magically readable--errors must occur again for source mapping to occur. - name: APM sourcemaps - - description: | - Cases are used to open and track issues. You can add assignees and tags to your cases, set their severity and status, and add alerts, comments, and visualizations. You can also send cases to external incident management systems by configuring connectors. - name: cases - externalDocs: - description: Cases documentation - url: https://www.elastic.co/docs/explore-analyze/alerts-cases/cases - x-displayName: Cases - - name: connectors - description: | - Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met. 
- externalDocs: - description: Connector documentation - url: https://www.elastic.co/docs/reference/kibana/connectors-kibana - x-displayName: Connectors - - name: Data streams - description: | - Data stream APIs enable you to manage data streams, which are collections of indices that share the same index template and are managed as a single unit for time-series data. - x-displayName: Data streams - - description: Data view APIs enable you to manage data views, formerly known as Kibana index patterns. - name: data views - x-displayName: Data views - - name: Elastic Agent actions - description: | - Elastic Agent actions APIs enable you to manage actions performed on Elastic Agents, including agent reassignment, diagnostics collection, enrollment management, upgrades, and bulk operations for agent lifecycle management. - x-displayName: Elastic Agent actions - - name: Elastic Agent binary download sources - description: | - Elastic Agent binary download sources APIs enable you to manage download sources for Elastic Agent binaries, including creating, updating, and deleting custom download sources for agent binaries. - x-displayName: Elastic Agent binary download sources - - name: Elastic Agent policies - description: | - Elastic Agent policies APIs enable you to manage agent policies, including creating, updating, and deleting policies, as well as to retrieve agent policy outputs, manifests, and auto-upgrade status information. - x-displayName: Elastic Agent policies - - name: Elastic Agent status - description: | - Enables you to retrieve status information about Elastic Agents, including health summaries and operational status. - x-displayName: Elastic Agent status - - name: Elastic Agents - description: | - Elastic Agents APIs enable you to manage Elastic Agents, including retrieving agent information, managing agent lifecycle, handling file uploads, and initiating agent setup. 
- x-displayName: Elastic Agents - - name: Elastic Package Manager (EPM) - description: | - Elastic Package Manager (EPM) APIs enable you to manage packages and integrations, including installing, updating, and uninstalling packages, managing custom integrations, and handling package assets. - x-displayName: Elastic Package Manager (EPM) - - name: Fleet agentless policies - - name: Fleet cloud connectors - description: | - Fleet cloud connectors APIs enable you to manage Fleet cloud connectors, including creating, updating, and deleting cloud connector configurations for Fleet integrations. - x-displayName: Fleet cloud connectors - - name: Fleet enrollment API keys - description: | - Fleet enrollment API keys APIs enable you to manage enrollment API keys for Fleet, including creating, retrieving, and revoking API keys used for agent enrollment. - x-displayName: Fleet enrollment API keys - - name: Fleet internals - description: | - Fleet internals APIs enable you to manage Fleet internal operations, including checking permissions, monitoring Fleet Server health, managing settings, and initiating Fleet setup. - x-displayName: Fleet internals - - name: Fleet outputs - description: | - Fleet outputs APIs enable you to manage Fleet outputs, including creating, updating, and deleting output configurations, generating Logstash API keys, and monitoring output health. - x-displayName: Fleet outputs - - name: Fleet package policies - description: | - Fleet package policies APIs enable you to manage Fleet package policies, including creating, updating, and deleting policies, performing bulk operations, and managing policy upgrades. - x-displayName: Fleet package policies - - name: Fleet proxies - description: | - Fleet proxies APIs enable you to manage Fleet proxies, including creating, updating, and deleting proxy configurations for Fleet agent communication. 
- x-displayName: Fleet proxies - - name: Fleet remote synced integrations - description: | - Use the Fleet remote synced integrations API to check the status of the automatic integrations synchronization on a remote cluster: - * Use the `/api/fleet/remote_synced_integrations/{outputId}/remote_status` endpoint on the management cluster to query the synchronization status of the integrations installed on the remote cluster by the ID of the configured remote Elasticsearch output. - * Use the `/api/fleet/remote_synced_integrations/status` endpoint on the remote cluster to query the synchronization status of the installed integrations. - externalDocs: - description: Automatic integrations synchronization documentation - url: https://www.elastic.co/docs/reference/fleet/automatic-integrations-synchronization - - name: Fleet Server hosts - description: | - Fleet Server hosts APIs enable you to manage Fleet Server hosts, including creating, updating, and deleting Fleet Server host configurations. - x-displayName: Fleet Server hosts - - name: Fleet service tokens - description: | - Enables you to create tokens for Fleet service authentication and authorization. - x-displayName: Fleet service tokens - - name: Fleet uninstall tokens - description: | - Fleet uninstall tokens APIs enable you to manage Fleet uninstall tokens, including retrieving metadata and decrypted tokens for agent uninstallation. - x-displayName: Fleet uninstall tokens - - description: | - Programmatically integrate with Logstash configuration management. - > warn - > Do not directly access the `.logstash` index. The structure of the `.logstash` index is subject to change, which could cause your integration to break. Instead, use the Logstash configuration management APIs. 
- externalDocs: - description: Centralized pipeline management - url: https://www.elastic.co/docs/reference/logstash/logstash-centralized-pipeline-management - name: logstash - x-displayName: Logstash configuration management - - name: maintenance-window - description: | - You can schedule single or recurring maintenance windows to temporarily reduce rule notifications. For example, a maintenance window prevents false alarms during planned outages. - externalDocs: - description: Maintenance window documentation - url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts/maintenance-windows - x-displayName: Maintenance windows - - name: Message Signing Service - description: | - Enables you to rotate message signing key pairs for secure Fleet communication. - x-displayName: Fleet Message Signing Service - - description: | - Enables you to synchronize machine learning saved objects. - name: ml - x-displayName: Machine learning - - description: Interact with the Observability AI Assistant resources. - externalDocs: - description: Observability AI Assistant - url: https://www.elastic.co/docs/solutions/observability/observability-ai-assistant - name: observability_ai_assistant - x-displayName: Observability AI Assistant - - name: roles - x-displayName: Roles - description: Manage the roles that grant Elasticsearch and Kibana privileges. - externalDocs: - description: Kibana role management - url: https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles - - name: saved objects - x-displayName: Saved objects - description: | - Export sets of saved objects that you want to import into Kibana, resolve import errors, and rotate an encryption key for encrypted saved objects with the saved objects APIs. - - To manage a specific type of saved object, use the corresponding APIs. 
- For example, use: - - * [Data views](../group/endpoint-data-views) - * [Spaces](../group/endpoint-spaces) - * [Short URLs](../group/endpoint-short-url) - - Warning: Do not write documents directly to the `.kibana` index. When you write directly to the `.kibana` index, the data becomes corrupted and permanently breaks future Kibana versions. - - description: Manage and interact with Security Assistant resources. - name: Security AI Assistant API - x-displayName: Security AI assistant - - description: Use the Attack discovery APIs to generate and manage Attack discoveries. Attack Discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. - name: Security Attack discovery API - x-displayName: Security Attack discovery - - description: | - Use the detections APIs to create and manage detection rules. Detection rules search events and external alerts sent to Elastic Security and generate detection alerts from any hits. Alerts are displayed on the **Alerts** page and can be assigned and triaged, using the alert status to mark them as open, closed, or acknowledged. - - This API supports both key-based authentication and basic authentication. - - To use key-based authentication, create an API key, then specify the key in the header of your API calls. - - To use basic authentication, provide a username and password; this automatically creates an API key that matches the current user’s privileges. - - In both cases, the API key is subsequently used for authorization when the rule runs. - > warn - > If the API key used for authorization has different privileges than the key that created or most recently updated a rule, the rule behavior might change. 
- - > If the API key that created a rule is deleted, or the user that created the rule becomes inactive, the rule will stop running. - - To create and run rules, the user must meet specific requirements for the Kibana space. Refer to the [Detections requirements](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html) for a complete list of requirements. - name: Security Detections API - x-displayName: Security detections - - description: Endpoint Exceptions API allows you to manage detection rule endpoint exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met. - name: Security Endpoint Exceptions API - x-displayName: Security Elastic Endpoint exceptions - - description: Interact with and manage endpoints running the Elastic Defend integration. - name: Security Endpoint Management API - x-displayName: Security endpoint management - - description: | - Use the Security entity analytics APIs to manage entity analytics and risk scoring, including asset criticality, privileged user monitoring, and entity engines. - name: Security Entity Analytics API - x-displayName: Security entity analytics - - name: Security entity store - - description: | - Exceptions are associated with detection and endpoint rules, and are used to prevent a rule from generating an alert from incoming events, even when the rule's other criteria are met. They can help reduce the number of false positives and prevent trusted processes and network activity from generating unnecessary alerts. - - Exceptions are made up of: - - * **Exception containers**: A container for related exceptions. Generally, a single exception container contains all the exception items relevant for a subset of rules. For example, a container can be used to group together network-related exceptions that are relevant for a large number of network rules. The container can then be associated with all the relevant rules. 
- * **Exception items**: The query (fields, values, and logic) used to prevent rules from generating alerts. When an exception item's query evaluates to `true`, the rule does not generate an alert. - - For detection rules, you can also use lists to define rule exceptions. A list holds multiple values of the same Elasticsearch data type, such as IP addresses. These values are used to determine when an exception prevents an alert from being generated. - > info - > You cannot use lists with endpoint rule exceptions. - - > info - > Only exception containers can be associated with rules. You cannot directly associate an exception item or a list container with a rule. To use list exceptions, create an exception item that references the relevant list container. - - ## Exceptions requirements - - Before you can start working with exceptions that use value lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. For a complete list of requirements, refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui). - name: Security Exceptions API - x-displayName: Security exceptions - - description: | - Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts. - - Lists are made up of: - - * **List containers**: A container for values of the same Elasticsearch data type. 
The following data types can be used: - * `boolean` - * `byte` - * `date` - * `date_nanos` - * `date_range` - * `double` - * `double_range` - * `float` - * `float_range` - * `half_float` - * `integer` - * `integer_range` - * `ip` - * `ip_range` - * `keyword` - * `long` - * `long_range` - * `short` - * `text` - * **List items**: The values used to determine whether the exception prevents an alert from being generated. - - All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named `internal-ip-addresses-southport` contains five items, where each item defines one internal IP address: - 1. `192.168.1.1` - 2. `192.168.1.3` - 3. `192.168.1.18` - 4. `192.168.1.12` - 5. `192.168.1.7` - - To use these IP addresses as values for defining rule exceptions, use the Security exceptions API to [create an exception list item](../operation/operation-createexceptionlistitem) that references the `internal-ip-addresses-southport` list. - > info - > Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (`is in list`, `is not in list`). Use an exception item to define the operator and associate it with an [exception container](../operation/operation-createexceptionlist). You can then add the exception container to a rule's `exceptions_list` object. - - ## Lists requirements - - Before you can start using lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. Refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui) for a complete list of requirements. 
- name: Security Lists API - x-displayName: Security lists - - description: Run live queries, manage packs and saved queries. - name: Security Osquery API - x-displayName: Security Osquery - - description: You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file. - name: Security Timeline API - x-displayName: Security timeline - - description: Manage Kibana short URLs. - name: short url - x-displayName: Short URLs - - description: SLO APIs enable you to define, manage and track service-level objectives - name: slo - x-displayName: Service level objectives - - name: spaces - x-displayName: Spaces - description: Manage your Kibana spaces. - externalDocs: - url: https://www.elastic.co/docs/deploy-manage/manage-spaces - description: Space overview - - name: streams - description: | - Streams provide a unified data management layer for ingestion, routing, and processing. There are three stream types: - * **Wired** streams are managed by Kibana. They route documents to child streams based on - field conditions and support custom field mappings and processing steps. - - * **Classic** streams map to existing Elasticsearch data streams. You can add processing - steps to classic streams without changing their underlying index template. - - * **Query** streams are virtual aggregations backed by an ES|QL expression. They aggregate - data from multiple streams into a single logical view without duplicating documents. - x-displayName: Streams - externalDocs: - description: Streams documentation - url: https://www.elastic.co/docs/solutions/observability/streams - - name: synthetics - x-displayName: Synthetics - description: Synthetics APIs enable you to check the status of your services and applications. 
- externalDocs: - description: Synthetic monitoring - url: https://www.elastic.co/docs/solutions/observability/synthetics - - name: system - x-displayName: System - description: | - Get information about the system status, resource usage, features, and installed plugins. - - description: Task manager APIs enable you to check the health of the Kibana task manager, which is used by features such as alerting, actions, and reporting to run mission critical work as persistent background tasks. - externalDocs: - description: Task manager - url: https://www.elastic.co/docs/deploy-manage/distributed-architecture/kibana-tasks-management - name: task manager - x-displayName: Task manager - - description: | - The Kibana Upgrade Assistant API helps you prepare for the next major Elasticsearch release. - > warn - > This is a Kibana REST API (not an Elasticsearch API) and requests must target your Kibana URL: - > * Self-managed URL pattern: `https://localhost:5601` - > * Elastic Cloud URL pattern: `https://your-deployment.kb.us-east-1.aws.elastic.cloud:9243` - name: upgrade - x-displayName: Upgrade assistant - - description: Uptime APIs enable you to view and update uptime monitoring settings. - externalDocs: - description: Uptime monitoring - url: https://www.elastic.co/docs/solutions/observability/uptime - name: uptime - x-displayName: Uptime - - name: user session - x-displayName: User session management - description: | - Enables you to invalidate user sessions for security and session management purposes. - - name: workflows - description: | - Workflows enable you to automate multi-step processes directly in Kibana. Define sequences of steps in YAML to transform data insights into automated actions and outcomes, without needing external automation tools. - - Use the workflows APIs to create, manage, and run workflows programmatically. You can also search, export, import, and monitor workflow executions. 
- externalDocs: - description: Workflows documentation - url: https://www.elastic.co/docs/explore-analyze/workflows - x-displayName: Workflows paths: - /api/actions/connector_types: + /api/alerting/_health: get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/actions/connector_types
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - You do not need any Kibana feature privileges to run this API. - operationId: get-actions-connector-types - parameters: - - description: A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases). - in: query - name: feature_id - required: false - schema: - type: string + description: > + You must have `read` privileges for the **Management > Stack Rules** + feature or for at least one of the **Analytics > Discover**, **Analytics + > Machine Learning**, **Observability**, or **Security** features. + operationId: getAlertingHealth + responses: + '200': + content: + application/json: + examples: + getAlertingHealthResponse: + $ref: '#/components/examples/Alerting_get_health_response' + schema: + type: object + properties: + alerting_framework_health: + description: > + Three substates identify the health of the alerting + framework: `decryption_health`, `execution_health`, and + `read_health`. + type: object + properties: + decryption_health: + description: The timestamp and status of the rule decryption. + type: object + properties: + status: + enum: + - error + - ok + - warn + example: ok + type: string + timestamp: + example: '2023-01-13T01:28:00.280Z' + format: date-time + type: string + execution_health: + description: The timestamp and status of the rule run. + type: object + properties: + status: + enum: + - error + - ok + - warn + example: ok + type: string + timestamp: + example: '2023-01-13T01:28:00.280Z' + format: date-time + type: string + read_health: + description: The timestamp and status of the rule reading events. 
+ type: object + properties: + status: + enum: + - error + - ok + - warn + example: ok + type: string + timestamp: + example: '2023-01-13T01:28:00.280Z' + format: date-time + type: string + has_permanent_encryption_key: + description: >- + If `false`, the encrypted saved object plugin does not + have a permanent encryption key. + example: true + type: boolean + is_sufficiently_secure: + description: If `false`, security is enabled but TLS is not. + example: true + type: boolean + description: Indicates a successful call. + '401': + content: + application/json: + examples: + healthUnauthorizedResponse: + $ref: '#/components/examples/Alerting_401_health_response' + schema: + $ref: '#/components/schemas/Alerting_401_response' + description: Authorization information is missing or invalid. + summary: Get the alerting framework health + tags: + - alerting + /api/alerting/rule_types: + get: + description: > + If you have `read` privileges for one or more Kibana features, the API + response contains information about the appropriate rule types. For + example, there are rule types associated with the **Management > Stack + Rules** feature, **Analytics > Discover** and **Machine Learning** + features, **Observability** features, and **Security** features. To get + rule types associated with the **Stack Monitoring** feature, use the + `monitoring_user` built-in role. + operationId: getRuleTypes responses: '200': content: application/json: + examples: + getRuleTypesResponse: + $ref: '#/components/examples/Alerting_get_rule_types_response' schema: items: - additionalProperties: false type: object properties: - allow_multiple_system_actions: - description: Indicates whether multiple instances of the same system action connector can be used in a single rule. + action_groups: + description: > + An explicit list of groups for which the rule type can + schedule actions, each with the action group's unique ID + and human readable name. 
Rule actions validation uses + this configuration to ensure that groups are valid. + items: + type: object + properties: + id: + type: string + name: + type: string + type: array + action_variables: + description: > + A list of action variables that the rule type makes + available via context and state in action parameter + templates, and a short human readable description. When + you create a rule in Kibana, it uses this information to + prompt you for these variables in action parameter + editors. + type: object + properties: + context: + items: + type: object + properties: + description: + type: string + name: + type: string + useWithTripleBracesInTemplates: + type: boolean + type: array + params: + items: + type: object + properties: + description: + type: string + name: + type: string + type: array + state: + items: + type: object + properties: + description: + type: string + name: + type: string + type: array + alerts: + description: > + Details for writing alerts as data documents for this + rule type. + type: object + properties: + context: + description: | + The namespace for this rule type. + enum: + - ml.anomaly-detection + - observability.apm + - observability.logs + - observability.metrics + - observability.slo + - observability.threshold + - observability.uptime + - security + - stack + type: string + dynamic: + description: Indicates whether new fields are added dynamically. + enum: + - 'false' + - runtime + - strict + - 'true' + type: string + isSpaceAware: + description: > + Indicates whether the alerts are space-aware. If + true, space-specific alert indices are used. + type: boolean + mappings: + type: object + properties: + fieldMap: + additionalProperties: + $ref: >- + #/components/schemas/Alerting_fieldmap_properties + description: > + Mapping information for each field supported in + alerts as data documents for this rule type. For + more information about mapping parameters, refer + to the Elasticsearch documentation. 
+ type: object
+ secondaryAlias:
+ description: >
+ A secondary alias. It is typically used to support
+ the signals alias for detection rules.
+ type: string
+ shouldWrite:
+ description: >
+ Indicates whether the rule should write out alerts
+ as data.
+ type: boolean
+ useEcs:
+ description: >
+ Indicates whether to include the ECS component
+ template for the alerts.
+ type: boolean
+ useLegacyAlerts:
+ default: false
+ description: >
+ Indicates whether to include the legacy component
+ template for the alerts.
+ type: boolean
+ authorized_consumers:
+ description: >-
+ The list of the plugins IDs that have access to the rule
+ type.
+ type: object
+ properties:
+ alerts:
+ type: object
+ properties:
+ all:
+ type: boolean
+ read:
+ type: boolean
+ apm:
+ type: object
+ properties:
+ all:
+ type: boolean
+ read:
+ type: boolean
+ discover:
+ type: object
+ properties:
+ all:
+ type: boolean
+ read:
+ type: boolean
+ infrastructure:
+ type: object
+ properties:
+ all:
+ type: boolean
+ read:
+ type: boolean
+ logs:
+ type: object
+ properties:
+ all:
+ type: boolean
+ read:
+ type: boolean
+ ml:
+ type: object
+ properties:
+ all:
+ type: boolean
+ read:
+ type: boolean
+ monitoring:
+ type: object
+ properties:
+ all:
+ type: boolean
+ read:
+ type: boolean
+ siem:
+ type: object
+ properties:
+ all:
+ type: boolean
+ read:
+ type: boolean
+ slo:
+ type: object
+ properties:
+ all:
+ type: boolean
+ read:
+ type: boolean
+ stackAlerts:
+ type: object
+ properties:
+ all:
+ type: boolean
+ read:
+ type: boolean
+ uptime:
+ type: object
+ properties:
+ all:
+ type: boolean
+ read:
+ type: boolean
+ category:
+ description: >-
+ The rule category, which is used by features such as
+ category-specific maintenance windows.
+ enum:
+ - management
+ - observability
+ - securitySolution
+ type: string
+ default_action_group_id:
+ description: The default identifier for the rule type group.
+ type: string + does_set_recovery_context: + description: >- + Indicates whether the rule passes context variables to + its recovery action. type: boolean - enabled: - description: Indicates whether the connector is enabled. + enabled_in_license: + description: >- + Indicates whether the rule type is enabled or disabled + based on the subscription. type: boolean - enabled_in_config: - description: Indicates whether the connector is enabled in the Kibana configuration. + has_alerts_mappings: + description: >- + Indicates whether the rule type has custom mappings for + the alert data. type: boolean - enabled_in_license: - description: Indicates whether the connector is enabled through the license. + has_fields_for_a_a_d: type: boolean id: - description: The identifier for the connector. + description: The unique identifier for the rule type. type: string - is_deprecated: - description: Indicates whether the connector type is deprecated. - type: boolean - is_system_action_type: - description: Indicates whether the action is a system action. + is_exportable: + description: >- + Indicates whether the rule type is exportable in **Stack + Management > Saved Objects**. type: boolean minimum_license_required: - description: The minimum license required to enable the connector. - enum: - - basic - - standard - - gold - - platinum - - enterprise - - trial + description: The subscriptions required to use the rule type. + example: basic type: string name: - description: The name of the connector type. + description: The descriptive name of the rule type. type: string - source: - description: The source of the connector type definition. - enum: - - yml - - spec - - stack + producer: + description: >- + An identifier for the application that produces this + rule type. + example: stackAlerts type: string - sub_feature: - description: Indicates the sub-feature type the connector is grouped under. 
- enum: - - endpointSecurity + recovery_action_group: + description: >- + An action group to use when an alert goes from an active + state to an inactive one. + type: object + properties: + id: + type: string + name: + type: string + rule_task_timeout: + example: 5m type: string - supported_feature_ids: - description: The list of supported features - items: - type: string - type: array - required: - - id - - name - - enabled - - enabled_in_config - - enabled_in_license - - minimum_license_required - - supported_feature_ids - - is_system_action_type - - is_deprecated - - source type: array - examples: - getConnectorTypesServerlessResponse: - $ref: '#/components/examples/get_connector_types_generativeai_response' description: Indicates a successful call. - '403': - description: Indicates that this call is forbidden. - summary: Get connector types - tags: - - connectors - x-metaTags: - - content: Kibana - name: product_name - /api/actions/connector/_oauth_callback: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/actions/connector/_oauth_callback
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Handles the OAuth 2.0 authorization code callback from external providers. Exchanges the authorization code for access and refresh tokens.

[Required authorization] Route required privileges: actions:oauth. - operationId: get-actions-connector-oauth-callback - parameters: - - description: The authorization code returned by the OAuth provider. - in: query - name: code - required: false - schema: - type: string - - description: The state parameter for CSRF protection. - in: query - name: state - required: false - schema: - type: string - - description: Error code if the authorization failed. - in: query - name: error - required: false - schema: - type: string - - description: Human-readable error description. - in: query - name: error_description - required: false - schema: - type: string - - description: Session state from the OAuth provider (e.g., Microsoft). - in: query - name: session_state - required: false - schema: - type: string - responses: - '200': - description: Returns an HTML callback page. - '302': - description: Redirects to the return URL with authorization result query parameters. '401': - description: User is not authenticated. - summary: Handle OAuth callback + content: + application/json: + examples: + ruleTypesUnauthorizedResponse: + $ref: '#/components/examples/Alerting_401_rule_types_response' + schema: + $ref: '#/components/schemas/Alerting_401_response' + description: Authorization information is missing or invalid. + summary: Get the rule types tags: - - connectors - x-state: Added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/actions/connector/_oauth_callback_script: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/actions/connector/_oauth_callback_script
+ - alerting + /api/apm/agent_keys: + post: + description: > + Create a new agent key for APM. - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + The user creating an APM agent API key must have at least the + `manage_own_api_key` cluster privilege and the APM application-level + privileges that it wishes to grant. - Returns the OAuth callback script - operationId: get-actions-connector-oauth-callback-script - parameters: [] - responses: - '200': - description: Returns the OAuth callback script - summary: '' - tags: [] - x-state: Added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/actions/connector/{id}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/actions/connector/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - WARNING: When you delete a connector, it cannot be recovered. - operationId: delete-actions-connector-id - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: An identifier for the connector. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '403': - description: Indicates that this call is forbidden. - summary: Delete a connector - tags: - - connectors - x-metaTags: - - content: Kibana - name: product_name - get: - operationId: get-actions-connector-id + After it is created, you can copy the API key (Base64 encoded) and use + it to to authorize requests from APM agents to the APM Server. + operationId: createAgentKey parameters: - - description: An identifier for the connector. - in: path - name: id - required: true - schema: - type: string + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + application/json: + examples: + createAgentKeyRequest1: + $ref: '#/components/examples/APM_UI_agent_keys_object_post_request1' + schema: + $ref: '#/components/schemas/APM_UI_agent_keys_object' + required: true responses: '200': content: application/json: - schema: - additionalProperties: false - type: object - properties: - auth_mode: - description: The authentication mode used for the connector. - enum: - - shared - - per-user - type: string - config: - additionalProperties: - nullable: true - type: object - connector_type_id: - description: The connector type identifier. - type: string - id: - description: The identifier for the connector. - type: string - is_connector_type_deprecated: - description: Indicates whether the connector type is deprecated. 
- type: boolean - is_deprecated: - description: Indicates whether the connector is deprecated. - type: boolean - is_missing_secrets: - description: Indicates whether the connector is missing secrets. - type: boolean - is_preconfigured: - description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' - type: boolean - is_system_action: - description: Indicates whether the connector is used for system actions. - type: boolean - name: - description: ' The name of the connector.' - type: string - required: - - id - - name - - connector_type_id - - is_preconfigured - - is_deprecated - - is_system_action - - is_connector_type_deprecated examples: - getConnectorResponse: - $ref: '#/components/examples/get_connector_response' - description: Indicates a successful call. + createAgentKeyResponse1: + $ref: >- + #/components/examples/APM_UI_agent_keys_object_post_200_response1 + schema: + $ref: '#/components/schemas/APM_UI_agent_keys_response' + description: Agent key created successfully + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response '403': - description: Indicates that this call is forbidden. - summary: Get connector information + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + summary: Create an APM agent key tags: - - connectors - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/actions/connector/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + - APM agent keys + /api/apm/fleet/apm_server_schema: post: - operationId: post-actions-connector-id + deprecated: true + description: > + DEPRECATED: This endpoint is intended for internal use by Fleet + integrations to push the APM Server configuration schema. Do not use for + new integrations. It stores the provided schema object as a Kibana saved + object. If Fleet migration is not available on the current deployment, + the API returns a 404. + operationId: saveApmServerSchema parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: An identifier for the connector. - in: path - name: id - required: true - schema: - maxLength: 36 - minLength: 1 - type: string + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: application/json: schema: - additionalProperties: false type: object properties: - connector_type_id: - description: The type of connector. - type: string - name: - description: The display name for the connector. - type: string - config: - additionalProperties: {} - default: {} - description: The connector configuration details. 
- oneOf: - - $ref: '#/components/schemas/bedrock_config' - - $ref: '#/components/schemas/crowdstrike_config' - - $ref: '#/components/schemas/d3security_config' - - $ref: '#/components/schemas/email_config' - - $ref: '#/components/schemas/gemini_config' - - $ref: '#/components/schemas/resilient_config' - - $ref: '#/components/schemas/index_config' - - $ref: '#/components/schemas/jira_config' - - $ref: '#/components/schemas/genai_azure_config' - - $ref: '#/components/schemas/genai_openai_config' - - $ref: '#/components/schemas/genai_openai_other_config' - - $ref: '#/components/schemas/opsgenie_config' - - $ref: '#/components/schemas/pagerduty_config' - - $ref: '#/components/schemas/sentinelone_config' - - $ref: '#/components/schemas/servicenow_config' - - $ref: '#/components/schemas/servicenow_itom_config' - - $ref: '#/components/schemas/slack_api_config' - - $ref: '#/components/schemas/swimlane_config' - - $ref: '#/components/schemas/thehive_config' - - $ref: '#/components/schemas/tines_config' - - $ref: '#/components/schemas/torq_config' - - $ref: '#/components/schemas/webhook_config' - - $ref: '#/components/schemas/cases_webhook_config' - - $ref: '#/components/schemas/xmatters_config' - secrets: - additionalProperties: {} - default: {} - oneOf: - - $ref: '#/components/schemas/bedrock_secrets' - - $ref: '#/components/schemas/crowdstrike_secrets' - - $ref: '#/components/schemas/d3security_secrets' - - $ref: '#/components/schemas/email_secrets' - - $ref: '#/components/schemas/gemini_secrets' - - $ref: '#/components/schemas/resilient_secrets' - - $ref: '#/components/schemas/jira_secrets' - - $ref: '#/components/schemas/defender_secrets' - - $ref: '#/components/schemas/teams_secrets' - - $ref: '#/components/schemas/genai_secrets' - - $ref: '#/components/schemas/opsgenie_secrets' - - $ref: '#/components/schemas/pagerduty_secrets' - - $ref: '#/components/schemas/sentinelone_secrets' - - $ref: '#/components/schemas/servicenow_secrets' - - $ref: 
'#/components/schemas/slack_api_secrets' - - $ref: '#/components/schemas/swimlane_secrets' - - $ref: '#/components/schemas/thehive_secrets' - - $ref: '#/components/schemas/tines_secrets' - - $ref: '#/components/schemas/torq_secrets' - - $ref: '#/components/schemas/webhook_secrets' - - $ref: '#/components/schemas/cases_webhook_secrets' - - $ref: '#/components/schemas/xmatters_secrets' - required: - - name - - connector_type_id - examples: - createEmailConnectorRequest: - $ref: '#/components/examples/create_email_connector_request' - createIndexConnectorRequest: - $ref: '#/components/examples/create_index_connector_request' - createWebhookConnectorRequest: - $ref: '#/components/examples/create_webhook_connector_request' - createXmattersConnectorRequest: - $ref: '#/components/examples/create_xmatters_connector_request' + schema: + additionalProperties: true + description: Schema object + example: + foo: bar + type: object + required: true responses: '200': content: application/json: + examples: + saveApmServerSchemaResponseExample1: + $ref: >- + #/components/examples/APM_UI_fleet_apm_server_schema_200_response1 schema: additionalProperties: false + description: The response body is intentionally empty for this endpoint. type: object - properties: - auth_mode: - description: The authentication mode used for the connector. - enum: - - shared - - per-user - type: string - config: - additionalProperties: - nullable: true - type: object - connector_type_id: - description: The connector type identifier. - type: string - id: - description: The identifier for the connector. - type: string - is_connector_type_deprecated: - description: Indicates whether the connector type is deprecated. - type: boolean - is_deprecated: - description: Indicates whether the connector is deprecated. - type: boolean - is_missing_secrets: - description: Indicates whether the connector is missing secrets. 
- type: boolean - is_preconfigured: - description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' - type: boolean - is_system_action: - description: Indicates whether the connector is used for system actions. - type: boolean - name: - description: ' The name of the connector.' - type: string - required: - - id - - name - - connector_type_id - - is_preconfigured - - is_deprecated - - is_system_action - - is_connector_type_deprecated - examples: - createEmailConnectorResponse: - $ref: '#/components/examples/create_email_connector_response' - createIndexConnectorResponse: - $ref: '#/components/examples/create_index_connector_response' - createWebhookConnectorResponse: - $ref: '#/components/examples/create_webhook_connector_response' - createXmattersConnectorResponse: - $ref: '#/components/examples/get_connector_response' - description: Indicates a successful call. + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response '403': - description: Indicates that this call is forbidden. - summary: Create a connector + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Save APM server schema tags: - - connectors - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/actions/connector/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - put: - operationId: put-actions-connector-id + - APM server schema + /api/apm/services/{serviceName}/annotation: + post: + description: Create a new annotation for a specific service. + operationId: createAnnotation parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: An identifier for the connector. + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: The name of the service in: path - name: id + name: serviceName required: true schema: type: string requestBody: content: application/json: - schema: - additionalProperties: false - type: object - properties: - name: - description: The display name for the connector. - type: string - config: - additionalProperties: {} - default: {} - description: The connector configuration details. 
- oneOf: - - $ref: '#/components/schemas/bedrock_config' - - $ref: '#/components/schemas/crowdstrike_config' - - $ref: '#/components/schemas/d3security_config' - - $ref: '#/components/schemas/email_config' - - $ref: '#/components/schemas/gemini_config' - - $ref: '#/components/schemas/resilient_config' - - $ref: '#/components/schemas/index_config' - - $ref: '#/components/schemas/jira_config' - - $ref: '#/components/schemas/defender_config' - - $ref: '#/components/schemas/genai_azure_config' - - $ref: '#/components/schemas/genai_openai_config' - - $ref: '#/components/schemas/opsgenie_config' - - $ref: '#/components/schemas/pagerduty_config' - - $ref: '#/components/schemas/sentinelone_config' - - $ref: '#/components/schemas/servicenow_config' - - $ref: '#/components/schemas/servicenow_itom_config' - - $ref: '#/components/schemas/slack_api_config' - - $ref: '#/components/schemas/swimlane_config' - - $ref: '#/components/schemas/thehive_config' - - $ref: '#/components/schemas/tines_config' - - $ref: '#/components/schemas/torq_config' - - $ref: '#/components/schemas/webhook_config' - - $ref: '#/components/schemas/cases_webhook_config' - - $ref: '#/components/schemas/xmatters_config' - secrets: - additionalProperties: {} - default: {} - oneOf: - - $ref: '#/components/schemas/bedrock_secrets' - - $ref: '#/components/schemas/crowdstrike_secrets' - - $ref: '#/components/schemas/d3security_secrets' - - $ref: '#/components/schemas/email_secrets' - - $ref: '#/components/schemas/gemini_secrets' - - $ref: '#/components/schemas/resilient_secrets' - - $ref: '#/components/schemas/jira_secrets' - - $ref: '#/components/schemas/teams_secrets' - - $ref: '#/components/schemas/genai_secrets' - - $ref: '#/components/schemas/opsgenie_secrets' - - $ref: '#/components/schemas/pagerduty_secrets' - - $ref: '#/components/schemas/sentinelone_secrets' - - $ref: '#/components/schemas/servicenow_secrets' - - $ref: '#/components/schemas/slack_api_secrets' - - $ref: 
'#/components/schemas/swimlane_secrets' - - $ref: '#/components/schemas/thehive_secrets' - - $ref: '#/components/schemas/tines_secrets' - - $ref: '#/components/schemas/torq_secrets' - - $ref: '#/components/schemas/webhook_secrets' - - $ref: '#/components/schemas/cases_webhook_secrets' - - $ref: '#/components/schemas/xmatters_secrets' - required: - - name examples: - updateIndexConnectorRequest: - $ref: '#/components/examples/update_index_connector_request' + createAnnotationRequest1: + $ref: '#/components/examples/APM_UI_annotation_object_post_request1' + schema: + $ref: '#/components/schemas/APM_UI_create_annotation_object' + required: true responses: '200': content: application/json: + examples: + createAnnotationResponse1: + $ref: >- + #/components/examples/APM_UI_annotation_object_post_200_response1 schema: - additionalProperties: false - type: object - properties: - auth_mode: - description: The authentication mode used for the connector. - enum: - - shared - - per-user - type: string - config: - additionalProperties: - nullable: true - type: object - connector_type_id: - description: The connector type identifier. - type: string - id: - description: The identifier for the connector. - type: string - is_connector_type_deprecated: - description: Indicates whether the connector type is deprecated. - type: boolean - is_deprecated: - description: Indicates whether the connector is deprecated. - type: boolean - is_missing_secrets: - description: Indicates whether the connector is missing secrets. - type: boolean - is_preconfigured: - description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' - type: boolean - is_system_action: - description: Indicates whether the connector is used for system actions. - type: boolean - name: - description: ' The name of the connector.' 
- type: string - required: - - id - - name - - connector_type_id - - is_preconfigured - - is_deprecated - - is_system_action - - is_connector_type_deprecated - description: Indicates a successful call. + $ref: '#/components/schemas/APM_UI_create_annotation_response' + description: Annotation created successfully + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response '403': - description: Indicates that this call is forbidden. - summary: Update a connector + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Create a service annotation tags: - - connectors - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/actions/connector/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/actions/connector/{id}/_execute: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/actions/connector/{id}/_execute
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems. - operationId: post-actions-connector-id-execute + - APM annotations + x-codeSamples: + - lang: Curl + source: | + curl -X POST \ + http://localhost:5601/api/apm/services/opbeans-java/annotation \ + -H 'Content-Type: application/json' \ + -H 'kbn-xsrf: true' \ + -H 'Authorization: Basic YhUlubWZhM0FDbnlQeE6WRtaW49FQmSGZ4RUWXdX' \ + -d '{ + "@timestamp": "2020-05-08T10:31:30.452Z", + "service": { + "version": "1.2" + }, + "message": "Deployment 1.2" + }' + /api/apm/services/{serviceName}/annotation/search: + get: + description: Search for annotations related to a specific service. + operationId: getAnnotation parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: The name of the service + in: path + name: serviceName required: true schema: - example: 'true' type: string - - description: An identifier for the connector. 
- in: path - name: id - required: true + - description: The environment to filter annotations by + in: query + name: environment + required: false schema: type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - params: - additionalProperties: {} - oneOf: - - $ref: '#/components/schemas/run_acknowledge_resolve_pagerduty' - - $ref: '#/components/schemas/run_documents' - - $ref: '#/components/schemas/run_message_email' - - $ref: '#/components/schemas/run_message_serverlog' - - $ref: '#/components/schemas/run_message_slack' - - $ref: '#/components/schemas/run_trigger_pagerduty' - - $ref: '#/components/schemas/run_addevent' - - $ref: '#/components/schemas/run_closealert' - - $ref: '#/components/schemas/run_closeincident' - - $ref: '#/components/schemas/run_createalert' - - $ref: '#/components/schemas/run_fieldsbyissuetype' - - $ref: '#/components/schemas/run_getagentdetails' - - $ref: '#/components/schemas/run_getagents' - - $ref: '#/components/schemas/run_getchoices' - - $ref: '#/components/schemas/run_getfields' - - $ref: '#/components/schemas/run_getincident' - - $ref: '#/components/schemas/run_issue' - - $ref: '#/components/schemas/run_issues' - - $ref: '#/components/schemas/run_issuetypes' - - $ref: '#/components/schemas/run_postmessage' - - $ref: '#/components/schemas/run_pushtoservice' - - $ref: '#/components/schemas/run_validchannelid' - required: - - params - examples: - runIndexConnectorRequest: - $ref: '#/components/examples/run_index_connector_request' - runJiraConnectorRequest: - $ref: '#/components/examples/run_jira_connector_request' - runServerLogConnectorRequest: - $ref: '#/components/examples/run_servicenow_itom_connector_request' - runSlackConnectorRequest: - $ref: '#/components/examples/run_slack_api_connector_request' - runSwimlaneConnectorRequest: - $ref: '#/components/examples/run_swimlane_connector_request' + - description: The start date for the search + example: 
'2024-01-01T00:00:00.000Z' + in: query + name: start + required: false + schema: + format: date-time + type: string + - description: The end date for the search + example: '2024-01-31T23:59:59.999Z' + in: query + name: end + required: false + schema: + format: date-time + type: string responses: '200': content: application/json: schema: - additionalProperties: false - type: object - properties: - auth_mode: - description: The authentication mode used for the connector. - enum: - - shared - - per-user - type: string - config: - additionalProperties: - nullable: true - type: object - connector_type_id: - description: The connector type identifier. - type: string - id: - description: The identifier for the connector. - type: string - is_connector_type_deprecated: - description: Indicates whether the connector type is deprecated. - type: boolean - is_deprecated: - description: Indicates whether the connector is deprecated. - type: boolean - is_missing_secrets: - description: Indicates whether the connector is missing secrets. - type: boolean - is_preconfigured: - description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' - type: boolean - is_system_action: - description: Indicates whether the connector is used for system actions. - type: boolean - name: - description: ' The name of the connector.' 
- type: string - required: - - id - - name - - connector_type_id - - is_preconfigured - - is_deprecated - - is_system_action - - is_connector_type_deprecated - examples: - runIndexConnectorResponse: - $ref: '#/components/examples/run_index_connector_response' - runJiraConnectorResponse: - $ref: '#/components/examples/run_jira_connector_response' - runServerLogConnectorResponse: - $ref: '#/components/examples/run_server_log_connector_response' - runServiceNowITOMConnectorResponse: - $ref: '#/components/examples/run_servicenow_itom_connector_response' - runSlackConnectorResponse: - $ref: '#/components/examples/run_slack_api_connector_response' - runSwimlaneConnectorResponse: - $ref: '#/components/examples/run_swimlane_connector_response' - description: Indicates a successful call. - '403': - description: Indicates that this call is forbidden. - summary: Run a connector - tags: - - connectors - x-metaTags: - - content: Kibana - name: product_name - /api/actions/connectors: - get: - operationId: get-actions-connectors - parameters: [] - responses: - '200': + $ref: '#/components/schemas/APM_UI_annotation_search_response' + description: Successful response + '400': content: application/json: schema: - items: - additionalProperties: false - type: object - properties: - auth_mode: - description: The authentication mode used for the connector. - enum: - - shared - - per-user - type: string - config: - additionalProperties: - nullable: true - type: object - connector_type_id: - description: The connector type identifier. - type: string - id: - description: The identifier for the connector. - type: string - is_connector_type_deprecated: - description: Indicates whether the connector type is deprecated. - type: boolean - is_deprecated: - description: Indicates whether the connector is deprecated. - type: boolean - is_missing_secrets: - description: Indicates whether the connector is missing secrets. 
- type: boolean - is_preconfigured: - description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' - type: boolean - is_system_action: - description: Indicates whether the connector is used for system actions. - type: boolean - name: - description: ' The name of the connector.' - type: string - referenced_by_count: - description: The number of saved objects that reference the connector. If is_preconfigured is true, this value is not calculated. - type: number - required: - - id - - name - - connector_type_id - - is_preconfigured - - is_deprecated - - is_system_action - - is_connector_type_deprecated - - referenced_by_count - type: array - examples: - getConnectorsResponse: - $ref: '#/components/examples/get_connectors_response' - description: Indicates a successful call. - '403': - description: Indicates that this call is forbidden. - summary: Get all connectors + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + summary: Search for annotations tags: - - connectors - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/actions/connectors
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/agent_builder/a2a/{agentId}: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/agent_builder/a2a/{agentId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - > warn - > This endpoint is designed for A2A protocol clients and should not be used directly via REST APIs. Use an A2A SDK or A2A Inspector instead.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: post-agent-builder-a2a-agentid + - APM annotations + /api/apm/settings/agent-configuration: + delete: + description: > + Delete an existing agent configuration. You must have `all` privileges + for the APM and User Experience feature in Kibana. When successful, the + configuration is removed and, if Fleet is enabled, APM package policies + are synchronized accordingly. + operationId: deleteAgentConfiguration parameters: - - description: The unique identifier of the agent to send the A2A task to. - in: path - name: agentId - required: true - schema: - type: string + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: application/json: examples: - a2aTaskRequestExample: - description: 'WARNING: DO NOT USE THIS ENDPOINT VIA REST API. These examples are auto-generated and should not be run. Integrate with A2A using an A2A SDK or A2A Inspector instead.' - value: - id: task-123 - jsonrpc: '2.0' - method: complete - params: - messages: - - content: Hello from A2A protocol - role: user - schema: {} + deleteAgentConfigurationRequest1: + $ref: >- + #/components/examples/APM_UI_agent_configuration_intake_object_delete_request1 + schema: + $ref: '#/components/schemas/APM_UI_delete_service_object' + required: true responses: '200': content: application/json: examples: - a2aTaskResponseExample: - description: Example response from A2A Task Endpoint with results of task execution - value: - id: task-123 - jsonrpc: '2.0' - result: - conversation_id: conv-456 - response: - message: Hello! How can I help you today? 
- type: response - description: Indicates a successful response - summary: Send A2A task + deleteAgentConfigurationResponseExample1: + $ref: >- + #/components/examples/APM_UI_agent_configuration_intake_object_delete_200_response1 + schema: + $ref: >- + #/components/schemas/APM_UI_delete_agent_configurations_response + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Delete agent configuration tags: - - agent builder - x-state: Technical Preview; added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - /api/agent_builder/a2a/{agentId}.json: + - APM agent configuration get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/agent_builder/a2a/{agentId}.json
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get agent discovery metadata in JSON format. Use this endpoint to provide agent information for A2A protocol integration and discovery.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: get-agent-builder-a2a-agentid.json + description: > + Retrieve all agent configurations. You must have `read` privileges for + the APM and User Experience feature in Kibana. If agent configuration is + not available on the current deployment, the API returns a 404. + operationId: getAgentConfigurations parameters: - - description: The unique identifier of the agent to get A2A metadata for. - in: path - name: agentId - required: true - schema: - type: string + - $ref: '#/components/parameters/APM_UI_elastic_api_version' responses: '200': content: application/json: examples: - a2aAgentCardResponseExample: - description: Example response card of Elastic AI Agent - value: - capabilities: - pushNotifications: false - stateTransitionHistory: false - streaming: false - defaultInputModes: - - text/plain - defaultOutputModes: - - text/plain - description: Elastic AI Agent - name: Elastic AI Agent - protocolVersion: 0.3.0 - provider: - organization: Elastic - url: https://elastic.co - securitySchemes: - authorization: - description: Authentication token - in: header - name: Authorization - type: apiKey - skills: - - description: A powerful tool for searching and analyzing data within your Elasticsearch cluster. 
- examples: [] - id: platform.core.search - inputModes: - - text/plain - - application/json - name: platform.core.search - outputModes: - - text/plain - - application/json - tags: - - tool - supportsAuthenticatedExtendedCard: false - url: http://localhost:5601/api/agent_builder/a2a/elastic-ai-agent - version: 0.1.0 - description: Indicates a successful response - summary: Get A2A agent card - tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/agent_builder/a2a/{agentId}.json" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/agent_builder/a2a/{agentId}.json - x-state: Technical Preview; added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - /api/agent_builder/agents: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/agent_builder/agents
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all available agents. Use this endpoint to retrieve complete agent information including their current configuration and assigned tools. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:read. - operationId: get-agent-builder-agents - parameters: [] - responses: - '200': + getAgentConfigurationsResponseExample1: + $ref: >- + #/components/examples/APM_UI_agent_configuration_intake_object_get_200_response1 + schema: + $ref: '#/components/schemas/APM_UI_agent_configurations_response' + description: Successful response + '400': content: application/json: - examples: - listAgentsResponseExample: - description: Example response that returns one built-in Elastic agent and one created by the user - value: - results: - - configuration: - tools: - - tool_ids: - - platform.core.search - - platform.core.list_indices - - platform.core.get_index_mapping - - platform.core.get_document_by_id - description: Elastic AI Agent - id: elastic-ai-agent - name: Elastic AI Agent - type: chat - - avatar_color: '#BFDBFF' - avatar_symbol: SI - configuration: - instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". - tools: - - tool_ids: - - platform.core.search - - platform.core.list_indices - - platform.core.get_index_mapping - - platform.core.get_document_by_id - description: Hi! I can help you search the data within the indices starting with "content-" prefix. 
- id: created-agent-id - labels: - - custom-indices - - department-search - name: Search Index Helper - type: chat - description: Indicates a successful response - summary: List agents + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get a list of agent configurations tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/agent_builder/agents" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/agent_builder/agents - x-state: Added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/agent_builder/agents
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new agent. Use this endpoint to define the agent's behavior, appearance, and capabilities through comprehensive configuration options. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. - operationId: post-agent-builder-agents + - APM agent configuration + put: + description: > + Create or update an agent configuration. You must have `all` privileges + for the APM and User Experience feature in Kibana. When updating an + existing configuration, the `?overwrite=true` query parameter is + required. If the configuration already exists and `overwrite` is not set + to `true`, the API returns a 400 error. When successful and Fleet is + enabled, APM package policies are synchronized accordingly. + operationId: createUpdateAgentConfiguration parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: If the config exists ?overwrite=true is required + in: query + name: overwrite schema: - example: 'true' - type: string + type: boolean requestBody: content: application/json: examples: - createAgentRequestExample: - description: Example request for creating a custom agent with special prompt and tools - value: - avatar_color: '#BFDBFF' - avatar_symbol: SI - configuration: - instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". - tools: - - tool_ids: - - platform.core.search - - platform.core.list_indices - - platform.core.get_index_mapping - - platform.core.get_document_by_id - description: Hi! I can help you search the data within the indices starting with "content-" prefix. 
- id: created-agent-id - labels: - - custom-indices - - department-search - name: Search Index Helper + createUpdateAgentConfigurationRequestExample1: + $ref: >- + #/components/examples/APM_UI_agent_configuration_intake_object_put_request1 schema: - additionalProperties: false - type: object - properties: - avatar_color: - description: Optional hex color code for the agent avatar. - type: string - avatar_symbol: - description: Optional symbol/initials for the agent avatar. - type: string - configuration: - additionalProperties: false - description: Configuration settings for the agent. - type: object - properties: - enable_elastic_capabilities: - description: When true, enables built-in Elastic capabilities for the agent. - type: boolean - instructions: - description: Optional system instructions that define the agent behavior. - type: string - plugin_ids: - description: Array of plugin IDs to assign to the agent. - items: - description: Plugin ID to assign to the agent. - type: string - maxItems: 100 - type: array - skill_ids: - description: Array of skill IDs to be available to the agent. - items: - description: Skill ID to be available to the agent. - type: string - maxItems: 100 - type: array - tools: - items: - additionalProperties: false - description: Tool selection configuration for the agent. - type: object - properties: - tool_ids: - description: Array of tool IDs that the agent can use. - items: - description: Tool ID to be available to the agent. - type: string - type: array - required: - - tool_ids - type: array - workflow_ids: - items: - description: Optional list of workflow IDs. When set, these workflows run before every agent execution, in order. - type: string - maxItems: 100 - type: array - required: - - tools - description: - description: Description of what the agent does. - type: string - id: - description: Unique identifier for the agent. - type: string - labels: - description: Optional labels for categorizing and organizing agents. 
- items: - description: Label for categorizing the agent. - type: string - type: array - name: - description: Display name for the agent. - type: string - visibility: - description: '**Technical Preview; added in 9.4.0.** Optional visibility setting: `public` (any privileged user can read/write), `shared` (any privileged user can read, only owner can write), `private` (only owner can read/write).' - enum: - - public - - shared - - private - type: string - required: - - id - - name - - description - - configuration + $ref: '#/components/schemas/APM_UI_agent_configuration_intake_object' + required: true responses: '200': content: application/json: examples: - createAgentResponseExample: - description: Example response returning the definition of an agent created as a result of the request - value: - avatar_color: '#BFDBFF' - avatar_symbol: SI - configuration: - instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". - tools: - - tool_ids: - - platform.core.search - - platform.core.list_indices - - platform.core.get_index_mapping - - platform.core.get_document_by_id - description: Hi! I can help you search the data within the indices starting with "content-" prefix. - id: created-agent-id - labels: - - custom-indices - - department-search - name: Search Index Helper - type: chat - description: Indicates a successful response - summary: Create an agent - tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/agent_builder/agents" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "id": "new-agent-id", - "name": "Search Index Helper", - "description": "Hi! 
I can help you search the data within the indices starting with \"content-\" prefix.", - "labels": ["custom-indices", "department-search"], - "avatar_color": "#BFDBFF", - "avatar_symbol": "SI", - "configuration": { - "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", - "tools": [ - { - "tool_ids": [ - "platform.core.search", - "platform.core.list_indices", - "platform.core.get_index_mapping", - "platform.core.get_document_by_id" - ] - } - ] - } - }' - - lang: Console - source: | - POST kbn://api/agent_builder/agents - { - "id": "new-agent-id", - "name": "Search Index Helper", - "description": "Hi! I can help you search the data within the indices starting with \"content-\" prefix.", - "labels": ["custom-indices", "department-search"], - "avatar_color": "#BFDBFF", - "avatar_symbol": "SI", - "configuration": { - "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", - "tools": [ - { - "tool_ids": [ - "platform.core.search", - "platform.core.list_indices", - "platform.core.get_index_mapping", - "platform.core.get_document_by_id" - ] - } - ] - } - } - x-state: Added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - /api/agent_builder/agents/{agent_id}/consumption: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/agent_builder/agents/{agent_id}/consumption
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Returns paginated, per-conversation token consumption data for a given agent. Includes input/output token counts, round counts, LLM call counts, and warnings for conversations with high token usage. Requires the manageAgents privilege.

[Required authorization] Route required privileges: agentBuilder:manageAgents. - operationId: post-agent-builder-agents-agent-id-consumption - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the agent. - in: path - name: agent_id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - consumptionDefaultExample: - description: Get consumption data for an agent with default pagination - value: - size: 25 - sort_field: updated_at - sort_order: desc - consumptionFilteredExample: - description: Get consumption data filtered by username with warnings - value: - has_warnings: true - size: 10 - sort_field: total_tokens - sort_order: desc - usernames: - - elastic - - admin - schema: - additionalProperties: false - type: object - properties: - has_warnings: - description: Filter to conversations with or without high-token warnings. - type: boolean - search: - description: Free-text search filter on conversation title. - type: string - search_after: - description: Cursor for pagination. Pass the search_after value from the previous response. - items: - nullable: true - maxItems: 10000 - type: array - size: - default: 25 - description: Number of results per page. - maximum: 100 - minimum: 1 - type: number - sort_field: - default: updated_at - description: Field to sort results by. - enum: - - updated_at - - total_tokens - - round_count - type: string - sort_order: - default: desc - description: Sort direction. - enum: - - asc - - desc - type: string - usernames: - description: Filter results to conversations by these usernames. 
- items: - type: string - maxItems: 10000 - type: array - responses: - '200': + createUpdateAgentConfigurationResponseExample1: + $ref: >- + #/components/examples/APM_UI_agent_configuration_intake_object_put_200_response1 + schema: + additionalProperties: false + description: The response body is intentionally empty for this endpoint. + type: object + description: Successful response + '400': content: application/json: - examples: - consumptionResponseExample: - description: Example response with per-conversation token usage data - value: - aggregations: - total_with_warnings: 0 - usernames: - - elastic - - admin - results: - - conversation_id: conv-abc123 - created_at: '2025-03-01T10:00:00Z' - llm_calls: 8 - round_count: 5 - title: Help me search my data - token_usage: - input_tokens: 15000 - output_tokens: 3000 - total_tokens: 18000 - updated_at: '2025-03-01T10:15:00Z' - user: - id: uid-1 - username: elastic - warnings: [] - - conversation_id: conv-def456 - created_at: '2025-03-02T14:00:00Z' - llm_calls: 20 - round_count: 12 - title: Analyze server logs - token_usage: - input_tokens: 250000 - output_tokens: 8000 - total_tokens: 258000 - updated_at: '2025-03-02T14:30:00Z' - user: - id: uid-2 - username: admin - warnings: - - input_tokens: 250000 - round_id: round-7 - type: high_input_tokens - search_after: - - 1709391000000 - - '2025-03-02T14:30:00Z' - total: 2 - description: Indicates a successful response - summary: Get agent consumption data + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Create or 
update agent configuration tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/agent_builder/agents/elastic-ai-agent/consumption" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "Content-Type: application/json" \ - -H "elastic-api-version: 2023-10-31" \ - -d '{"size": 25, "sort_field": "updated_at", "sort_order": "desc"}' - - lang: Console - source: | - POST kbn://api/agent_builder/agents/elastic-ai-agent/consumption - {"size": 25, "sort_field": "updated_at", "sort_order": "desc"} - x-state: Technical Preview; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/agent_builder/agents/{id}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/agent_builder/agents/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete an agent by ID. This action cannot be undone. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. - operationId: delete-agent-builder-agents-id + - APM agent configuration + /api/apm/settings/agent-configuration/agent_name: + get: + description: Retrieve `agentName` for a service. + operationId: getAgentNameForService parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the agent to delete. - in: path - name: id + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: The name of the service + example: node + in: query + name: serviceName required: true schema: type: string 
@@ -1831,44 +929,46 @@ paths: '200': content: application/json: - examples: - deleteAgentResponseExample: - description: Example response showing that deletion of the agent has been successful - value: - success: true - description: Indicates a successful response - summary: Delete an agent + schema: + $ref: '#/components/schemas/APM_UI_service_agent_name_response' + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get agent name for service tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X DELETE "${KIBANA_URL}/api/agent_builder/agents/{id}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - lang: Console - source: | - DELETE kbn://api/agent_builder/agents/{id} - x-state: Added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name + - APM agent configuration + /api/apm/settings/agent-configuration/environments: get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/agent_builder/agents/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a specific agent by ID. Use this endpoint to retrieve the complete agent definition including all configuration details and tool assignments. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:read. - operationId: get-agent-builder-agents-id + description: > + Retrieve the available environments for a given service, to be used in + agent configuration. You must have `read` privileges for the APM and + User Experience feature in Kibana. If `serviceName` is omitted, + environments across all services are returned. + operationId: getEnvironmentsForService parameters: - - description: The unique identifier of the agent to retrieve. - in: path - name: id - required: true + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: >- + The name of the service. If omitted, environments across all + services are returned. + example: opbeans-node + in: query + name: serviceName schema: type: string responses: 
@@ -1876,321 +976,109 @@ paths: content: application/json: examples: - getAgentByIdResponseExample: - description: Example response that an agent created by the user that will query elasticsearch indices starting with 'content-' prefix to answer the questions. - value: - avatar_color: '#BFDBFF' - avatar_symbol: SI - configuration: - instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". - tools: - - tool_ids: - - platform.core.search - - platform.core.list_indices - - platform.core.get_index_mapping - - platform.core.get_document_by_id - description: Hi! I can help you search the data within the indices starting with "content-" prefix. - id: created-agent-id - labels: - - custom-indices - - department-search - name: Search Index Helper - type: chat - description: Indicates a successful response - summary: Get an agent by ID + getEnvironmentsForServiceResponseExample1: + $ref: >- + #/components/examples/APM_UI_agent_configuration_environments_200_response1 + schema: + $ref: '#/components/schemas/APM_UI_service_environments_response' + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get environments for service tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/agent_builder/agents/{id}" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/agent_builder/agents/{id} - x-state: Added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this 
operation:** - -
put /s/{space_id}/api/agent_builder/agents/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an existing agent configuration. Use this endpoint to modify any aspect of the agent's behavior, appearance, or capabilities. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. - operationId: put-agent-builder-agents-id + - APM agent configuration + /api/apm/settings/agent-configuration/search: + post: + deprecated: true + description: > + DEPRECATED: This endpoint is intended for internal use by APM agents to + fetch their configuration and mark it as applied. Do not use for new + integrations. It searches for a single agent configuration matching the + given service, and optionally updates the `applied_by_agent` field when + the provided `etag` matches the current configuration. + operationId: searchSingleConfiguration parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the agent to update. - in: path - name: id - required: true - schema: - type: string + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: application/json: examples: - createAgentRequestExample: - description: Example request for updating custom agent - value: - avatar_color: '#BFDBFF' - avatar_symbol: SI - configuration: - instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". - tools: - - tool_ids: - - platform.core.search - - platform.core.list_indices - - platform.core.get_index_mapping - - platform.core.get_document_by_id - description: Updated description - Search for anything in "content-*" indices! 
- id: created-agent-id - labels: - - custom-indices - - department-search - - elastic-employees - name: Search Index Helper + searchSingleConfigurationRequest1: + $ref: >- + #/components/examples/APM_UI_agent_configuration_intake_object_search_request1 schema: - additionalProperties: false - type: object - properties: - avatar_color: - description: Updated hex color code for the agent avatar. - type: string - avatar_symbol: - description: Updated symbol/initials for the agent avatar. - type: string - configuration: - additionalProperties: false - description: Updated configuration settings for the agent. - type: object - properties: - enable_elastic_capabilities: - description: When true, enables built-in Elastic capabilities for the agent. - type: boolean - instructions: - description: Updated system instructions that define the agent behavior. - type: string - plugin_ids: - description: Array of plugin IDs to assign to the agent. - items: - description: Plugin ID to assign to the agent. - type: string - maxItems: 100 - type: array - skill_ids: - description: Array of skill IDs to be available to the agent. - items: - description: Skill ID to be available to the agent. - type: string - maxItems: 100 - type: array - tools: - items: - additionalProperties: false - description: Tool selection configuration for the agent. - type: object - properties: - tool_ids: - description: Array of tool IDs that the agent can use. - items: - description: Tool ID to be available to the agent. - type: string - type: array - required: - - tool_ids - type: array - workflow_ids: - items: - description: Updated list of workflow IDs. When set, these workflows run every agent execution, in order. - type: string - maxItems: 100 - type: array - description: - description: Updated description of what the agent does. - type: string - labels: - description: Updated labels for categorizing and organizing agents. - items: - description: Updated label for categorizing the agent. 
- type: string - type: array - name: - description: Updated display name for the agent. - type: string - visibility: - description: '**Technical Preview; added in 9.4.0.** Updated visibility setting: `public` (any privileged user can read/write), `shared` (any privileged user can read, only owner can write), `private` (only owner can read/write).' - enum: - - public - - shared - - private - type: string + $ref: '#/components/schemas/APM_UI_search_agent_configuration_object' + required: true responses: '200': content: application/json: examples: - updateAgentResponseExample: - description: Example response returning the agent definition with the changes applied from the request - value: - avatar_color: '#BFDBFF' - avatar_symbol: SI - configuration: - instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". - tools: - - tool_ids: - - platform.core.search - - platform.core.list_indices - - platform.core.get_index_mapping - - platform.core.get_document_by_id - description: Updated description - Search for anything in "content-*" indices! 
- id: created-agent-id - labels: - - custom-indices - - department-search - - elastic-employees - name: Search Index Helper - type: chat - description: Indicates a successful response - summary: Update an agent - tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X PUT "${KIBANA_URL}/api/agent_builder/agents/{id}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "name": "Search Index Helper", - "description": "Updated description - Search for anything in \"content-*\" indices!", - "labels": ["custom-indices", "department-search", "elastic-employees"], - "avatar_color": "#BFDBFF", - "avatar_symbol": "SI", - "configuration": { - "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", - "tools": [{ - "tool_ids": [ - "platform.core.search", - "platform.core.list_indices", - "platform.core.get_index_mapping", - "platform.core.get_document_by_id" - ] - }] - } - }' - - lang: Console - source: | - PUT kbn://api/agent_builder/agents/{id} - { - "name": "Search Index Helper", - "description": "Updated description - Search for anything in \"content-*\" indices!", - "labels": ["custom-indices", "department-search", "elastic-employees"], - "avatar_color": "#BFDBFF", - "avatar_symbol": "SI", - "configuration": { - "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", - "tools": [{ - "tool_ids": [ - "platform.core.search", - "platform.core.list_indices", - "platform.core.get_index_mapping", - "platform.core.get_document_by_id" - ] - }] - } - } - x-state: Added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - /api/agent_builder/conversations: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/agent_builder/conversations
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all conversations for a user. Use the optional agent ID to filter conversations by a specific agent.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: get-agent-builder-conversations - parameters: - - description: Optional agent ID to filter conversations by a specific agent. - in: query - name: agent_id - required: false - schema: - type: string - responses: - '200': + searchSingleConfigurationResponse1: + $ref: >- + #/components/examples/APM_UI_agent_configuration_intake_object_search_200_response1 + schema: + $ref: >- + #/components/schemas/APM_UI_search_agent_configuration_response + description: Successful response + '400': content: application/json: - examples: - listConversationsResponseExample: - description: Example response containing the list of conversations with all agents - value: - results: - - agent_id: elastic-ai-agent - created_at: '2025-09-19T17:45:39.554Z' - id: bcc176c5-38f6-40be-be0c-898e34fa1480 - title: General Greeting - updated_at: '2025-09-19T17:45:39.554Z' - user: - username: elastic - description: Indicates a successful response - summary: List conversations + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Lookup single agent configuration tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/agent_builder/conversations" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/agent_builder/conversations - x-state: Added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - /api/agent_builder/conversations/{conversation_id}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/agent_builder/conversations/{conversation_id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a conversation by ID. This action cannot be undone.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: delete-agent-builder-conversations-conversation-id + - APM agent configuration + /api/apm/settings/agent-configuration/view: + get: + description: > + Retrieve a single agent configuration matching the given service name + and environment. You must have `read` privileges for the APM and User + Experience feature in Kibana. If no matching configuration is found, the + API returns a 404. + operationId: getSingleAgentConfiguration parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: Service name + example: node + in: query + name: name schema: - example: 'true' type: string - - description: The unique identifier of the conversation to delete. - in: path - name: conversation_id - required: true + - description: Service environment + example: prod + in: query + name: environment schema: type: string responses: 
@@ -2198,107436 +1086,35686 @@ paths: content: application/json: examples: - deleteConversationResponseExample: - description: Example response showing that deletion of conversation has been successful - value: - success: true - description: Indicates a successful response - summary: Delete conversation by ID + getSingleAgentConfigurationResponseExample1: + $ref: >- + #/components/examples/APM_UI_agent_configuration_intake_object_view_200_response1 + schema: + $ref: >- + #/components/schemas/APM_UI_single_agent_configuration_response + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get single agent configuration tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X DELETE "${KIBANA_URL}/api/agent_builder/conversations/{conversation_id}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - lang: Console - source: | - DELETE kbn://api/agent_builder/conversations/{conversation_id} - x-state: Added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name + - APM agent configuration + /api/apm/sourcemaps: get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a specific conversation by ID. Use this endpoint to retrieve the complete conversation history including all messages and metadata.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: get-agent-builder-conversations-conversation-id + description: > + Get an array of Fleet artifacts, including source map uploads. You must + have `read` or `all` Kibana privileges for the APM and User Experience + feature. + operationId: getSourceMaps parameters: - - description: The unique identifier of the conversation to retrieve. - in: path - name: conversation_id - required: true + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: Page number + in: query + name: page schema: - type: string + type: number + - description: Number of records per page + in: query + name: perPage + schema: + type: number responses: '200': content: application/json: examples: - getConversationByIdResponseExample: - description: Example response containing the contents of a convesation with the chat agent - value: - agent_id: elastic-ai-agent - created_at: '2025-09-19T17:45:39.554Z' - id: bcc176c5-38f6-40be-be0c-898e34fa1480 - rounds: - - id: 170ec3b2-0f5a-4538-8b60-549572386d2a - input: - message: Hello, how are you? - response: - message: |- - Since this is a general greeting that doesn't require any organizational or product-specific information, I can respond without using tools. - - Hello! I'm doing well, thank you for asking. I'm here to help you with any questions you may have. How can I assist you today? 
- steps: [] - title: General Greeting - updated_at: '2025-09-19T17:45:39.554Z' - user: - username: elastic - description: Indicates a successful response - summary: Get conversation by ID + getSourceMapsResponse1: + $ref: '#/components/examples/APM_UI_source_maps_get_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_source_maps_response' + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + '501': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_501_response' + description: Not Implemented response + summary: Get source maps tags: - - agent builder + - APM sourcemaps x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/agent_builder/conversations/{conversation_id}" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console + - lang: Curl source: | - GET kbn://api/agent_builder/conversations/{conversation_id} - x-state: Added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - /api/agent_builder/conversations/{conversation_id}/attachments: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all attachments for a conversation. Use the optional include_deleted query parameter to include soft-deleted attachments.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: get-agent-builder-conversations-conversation-id-attachments + curl -X GET "http://localhost:5601/api/apm/sourcemaps" \ + -H 'Content-Type: application/json' \ + -H 'kbn-xsrf: true' \ + -H 'Authorization: ApiKey ${YOUR_API_KEY}' + post: + description: > + Upload a source map for a specific service and version. You must have + `all` Kibana privileges for the APM and User Experience feature. + + The maximum payload size is `1mb`. If you attempt to upload a source map + that exceeds the maximum payload size, you will get a 413 error. Before + uploading source maps that exceed this default, change the maximum + payload size allowed by Kibana with the `server.maxPayload` variable. + operationId: uploadSourceMap parameters: - - description: The unique identifier of the conversation. - in: path - name: conversation_id - required: true - schema: - type: string - - description: Whether to include deleted attachments in the list. 
- in: query - name: include_deleted - required: false - schema: - type: boolean + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + multipart/form-data: + schema: + $ref: '#/components/schemas/APM_UI_upload_source_map_object' + required: true responses: '200': content: application/json: examples: - listAttachmentsResponseExample: - description: Example response containing active attachments for a conversation - value: - results: - - active: true - current_version: 2 - description: My text file - id: attachment-1 - type: text - versions: - - content_hash: abc123 - created_at: '2025-01-01T10:00:00.000Z' - data: Initial content - estimated_tokens: 3 - version: 1 - - content_hash: def456 - created_at: '2025-01-01T11:00:00.000Z' - data: Updated content - estimated_tokens: 3 - version: 2 - - active: true - current_version: 1 - description: Configuration data - id: attachment-2 - type: json - versions: - - content_hash: ghi789 - created_at: '2025-01-01T12:00:00.000Z' - data: - key: value - nested: - field: 123 - estimated_tokens: 15 - version: 1 - total_token_estimate: 21 - description: Indicates a successful response - summary: List conversation attachments - tags: - - agent builder - x-state: Technical Preview; added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new attachment for a conversation with version tracking.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: post-agent-builder-conversations-conversation-id-attachments - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the conversation. - in: path - name: conversation_id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - createHiddenAttachmentExample: - description: Example request for creating a hidden attachment - value: - data: Internal system data - description: System context - hidden: true - type: text - createJsonAttachmentExample: - description: Example request for creating a JSON attachment with custom ID - value: - data: - configuration: - enabled: true - threshold: 50 - metadata: - source: user_input - description: Application settings - id: custom-attachment-id - type: json - createTextAttachmentExample: - description: Example request for creating a text attachment - value: - data: This is the content of my text attachment - description: Meeting notes - type: text - schema: - additionalProperties: false - type: object - properties: - data: - description: The attachment data/content. Required unless origin is provided. - nullable: true - description: - description: Human-readable description of the attachment. - type: string - hidden: - description: Whether the attachment should be hidden from the user. - type: boolean - id: - description: Optional custom ID for the attachment. - type: string - origin: - description: Origin string (for example, saved object ID) for by-reference attachments. When provided without data, the content is resolved once at creation time. - type: string - type: - description: The type of the attachment (e.g., text, esql, visualization). 
- type: string - required: - - type - - data - responses: - '200': + uploadSourceMapResponse1: + $ref: >- + #/components/examples/APM_UI_source_maps_upload_200_response1 + schema: + $ref: '#/components/schemas/APM_UI_upload_source_maps_response' + description: Successful response + '400': content: application/json: - examples: - createAttachmentResponseExample: - description: Example response returning the created attachment - value: - attachment: - active: true - current_version: 1 - description: Meeting notes - id: att-abc123 - type: text - versions: - - content_hash: sha256-xyz - created_at: '2025-01-06T10:00:00.000Z' - data: This is the content of my text attachment - estimated_tokens: 12 - version: 1 - description: Indicates a successful response - summary: Create conversation attachment + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + '501': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_501_response' + description: Not Implemented response + summary: Upload a source map tags: - - agent builder - x-state: Technical Preview; added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}: - delete: - description: |- - **Spaces method and path for this operation:** + - APM sourcemaps + x-codeSamples: + - lang: Curl + source: > + curl -X POST "http://localhost:5601/api/apm/sourcemaps" \ + + -H 'Content-Type: multipart/form-data' \ + + -H 'kbn-xsrf: true' \ + + -H 'Authorization: ApiKey 
${YOUR_API_KEY}' \ -
delete /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
+ -F 'service_name="foo"' \ + + -F 'service_version="1.0.0"' \ - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + -F 'bundle_filepath="/test/e2e/general-usecase/bundle.js"' \ - Delete an attachment. By default performs a soft delete (can be restored). Use permanent=true to permanently remove unreferenced attachments.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: delete-agent-builder-conversations-conversation-id-attachments-attachment-id + -F + 'sourcemap="{\"version\":3,\"file\":\"static/js/main.chunk.js\",\"sources\":[\"fleet-source-map-client/src/index.css\",\"fleet-source-map-client/src/App.js\",\"webpack:///./src/index.css?bb0a\",\"fleet-source-map-client/src/index.js\",\"fleet-source-map-client/src/reportWebVitals.js\"],\"sourcesContent\":[\"content\"],\"mappings\":\"mapping\",\"sourceRoot\":\"\"}"' + /api/apm/sourcemaps/{id}: + delete: + description: > + Delete a previously uploaded source map. You must have `all` Kibana + privileges for the APM and User Experience feature. + operationId: deleteSourceMap parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the conversation. - in: path - name: conversation_id - required: true - schema: - type: string - - description: The unique identifier of the attachment to delete. + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: Source map identifier in: path - name: attachment_id + name: id required: true schema: type: string - - description: If true, permanently removes the attachment (only for unreferenced attachments). 
- in: query - name: permanent - required: false - schema: - type: boolean responses: '200': content: application/json: examples: - permanentDeleteAttachmentResponseExample: - description: Example response for permanent delete (cannot be restored) - value: - permanent: true - success: true - softDeleteAttachmentResponseExample: - description: Example response for soft delete (can be restored) - value: - permanent: false - success: true - description: Indicates a successful response - summary: Delete conversation attachment + deleteSourceMapResponseExample1: + $ref: >- + #/components/examples/APM_UI_source_maps_delete_200_response1 + schema: + additionalProperties: false + description: The response body is intentionally empty for this endpoint. + type: object + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + '501': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_501_response' + description: Not Implemented response + summary: Delete source map tags: - - agent builder - x-state: Technical Preview; added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - patch: - description: |- - **Spaces method and path for this operation:** + - APM sourcemaps + x-codeSamples: + - lang: Curl + source: > + curl -X DELETE + "http://localhost:5601/api/apm/sourcemaps/apm:foo-1.0.0-644fd5a9" \ -
patch /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
+ -H 'Content-Type: application/json' \ - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + -H 'kbn-xsrf: true' \ - Rename an attachment without creating a new version.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: patch-agent-builder-conversations-conversation-id-attachments-attachment-id + -H 'Authorization: ApiKey ${YOUR_API_KEY}' + /api/asset_criticality: + delete: + description: Delete the asset criticality record for a specific entity. + operationId: DeleteAssetCriticalityRecord parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The ID value of the asset. + example: my_host + in: query + name: id_value required: true schema: - example: 'true' type: string - - description: The unique identifier of the conversation. - in: path - name: conversation_id + - description: The field representing the ID. + example: host.name + in: query + name: id_field required: true schema: - type: string - - description: The unique identifier of the attachment to rename. - in: path - name: attachment_id - required: true + $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' + - description: If 'wait_for' the request will wait for the index refresh. + in: query + name: refresh + required: false schema: + enum: + - wait_for type: string - requestBody: - content: - application/json: - examples: - renameAttachmentExample: - description: Example request for renaming an attachment - value: - description: Updated attachment name - schema: - additionalProperties: false - type: object - properties: - description: - description: The new description/name for the attachment. 
- type: string - required: - - description responses: '200': content: application/json: - examples: - renameAttachmentResponseExample: - description: Example response returning the renamed attachment (version unchanged) - value: - attachment: - active: true - current_version: 1 - description: Updated attachment name - id: att-abc123 - type: text - versions: - - content_hash: sha256-xyz - created_at: '2025-01-06T10:00:00.000Z' - data: Content remains the same - estimated_tokens: 10 - version: 1 - success: true - description: Indicates a successful response - summary: Rename attachment + schema: + type: object + properties: + deleted: + description: >- + True if the record was deleted or false if the record did + not exist. + type: boolean + record: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord + description: The deleted record if it existed. + required: + - deleted + description: Successful response + '400': + description: Invalid request + summary: Delete an asset criticality record tags: - - agent builder - x-state: Technical Preview; added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an attachment content. Creates a new version if content changed.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: put-agent-builder-conversations-conversation-id-attachments-attachment-id + - Security Entity Analytics API + get: + description: Get the asset criticality record for a specific entity. + operationId: GetAssetCriticalityRecord parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the conversation. - in: path - name: conversation_id + - description: The ID value of the asset. + example: my_host + in: query + name: id_value required: true schema: type: string - - description: The unique identifier of the attachment to update. - in: path - name: attachment_id + - description: The field representing the ID. + example: host.name + in: query + name: id_field required: true schema: - type: string - requestBody: - content: - application/json: - examples: - updateAttachmentContentExample: - description: Example request for updating attachment content - value: - data: This is the updated content - updateAttachmentWithDescriptionExample: - description: Example request for updating both content and description - value: - data: New content version - description: Updated meeting notes - v2 - schema: - additionalProperties: false - type: object - properties: - data: - description: The new attachment data/content. - nullable: true - description: - description: Optional new description for the attachment. 
- type: string - required: - - data + $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' responses: '200': content: application/json: - examples: - updateAttachmentResponseExample: - description: Example response returning the updated attachment with new version - value: - attachment: - active: true - current_version: 2 - description: Meeting notes - id: att-abc123 - type: text - versions: - - content_hash: sha256-abc - created_at: '2025-01-06T10:00:00.000Z' - data: Original content - estimated_tokens: 10 - version: 1 - - content_hash: sha256-def - created_at: '2025-01-06T11:00:00.000Z' - data: This is the updated content - estimated_tokens: 12 - version: 2 - new_version: 2 - description: Indicates a successful response - summary: Update conversation attachment + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord + description: Successful response + '400': + description: Invalid request + '404': + description: Criticality record not found + summary: Get an asset criticality record tags: - - agent builder - x-state: Technical Preview; added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/_restore: + - Security Entity Analytics API post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/_restore
+ description: > + Create or update an asset criticality record for a specific entity. - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Restore a soft-deleted attachment.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: post-agent-builder-conversations-conversation-id-attachments-attachment-id-restore - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the conversation. - in: path - name: conversation_id - required: true - schema: - type: string - - description: The unique identifier of the attachment to restore. - in: path - name: attachment_id - required: true - schema: - type: string + If a record already exists for the specified entity, that record is + overwritten with the specified value. If a record doesn't exist for the + specified entity, a new record is created. + operationId: CreateAssetCriticalityRecord + requestBody: + content: + application/json: + schema: + allOf: + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord + - type: object + properties: + refresh: + description: >- + If 'wait_for' the request will wait for the index + refresh. 
+ enum: + - wait_for + type: string + example: + criticality_level: high_impact + id_field: host.name + id_value: my_host + required: true responses: '200': content: application/json: - examples: - restoreAttachmentResponseExample: - description: Example response returning the restored attachment - value: - attachment: - active: true - current_version: 1 - description: Restored attachment - id: att-abc123 - type: text - versions: - - content_hash: sha256-xyz - created_at: '2025-01-06T10:00:00.000Z' - data: Restored content - estimated_tokens: 10 - version: 1 - success: true - description: Indicates a successful response - summary: Restore deleted attachment + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord + description: Successful response + '400': + description: Invalid request + summary: Upsert an asset criticality record tags: - - agent builder - x-state: Technical Preview; added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/origin: - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/origin
+ - Security Entity Analytics API + /api/asset_criticality/bulk: + post: + description: > + Bulk upsert up to 1000 asset criticality records. - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Update the origin reference for an attachment. Use this after saving a by-value attachment to link it to its persistent store.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: put-agent-builder-conversations-conversation-id-attachments-attachment-id-origin - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the conversation. - in: path - name: conversation_id - required: true - schema: - type: string - - description: The unique identifier of the attachment to update. - in: path - name: attachment_id - required: true - schema: - type: string + If asset criticality records already exist for the specified entities, + those records are overwritten with the specified values. If asset + criticality records don't exist for the specified entities, new records + are created. + operationId: BulkUpsertAssetCriticalityRecords requestBody: content: application/json: - examples: - updateOriginExample: - description: Example request for linking an attachment to a saved visualization - value: - origin: abc123 schema: - additionalProperties: false + example: + records: + - criticality_level: low_impact + id_field: host.name + id_value: host-1 + - criticality_level: medium_impact + id_field: host.name + id_value: host-2 type: object properties: - origin: - description: The origin string (e.g., saved object ID for visualizations and dashboards). 
- type: string + records: + items: + allOf: + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts + - type: object + properties: + criticality_level: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload + required: + - criticality_level + maxItems: 1000 + minItems: 1 + type: array required: - - origin + - records responses: '200': content: application/json: - examples: - updateOriginResponseExample: - description: Example response returning the attachment with updated origin - value: - attachment: - active: true - current_version: 1 - description: Sales chart - id: att-123 - origin: abc123 - type: visualization - versions: - - content_hash: sha256-xyz - created_at: '2025-01-06T10:00:00.000Z' - data: - chart_type: bar - esql: FROM sales | STATS count=COUNT(*) BY month - query: Show monthly sales - visualization: {} - estimated_tokens: 50 - version: 1 - success: true - description: Indicates a successful response - summary: Update attachment origin + schema: + example: + errors: + - index: 0 + message: Invalid ID field + stats: + failed: 1 + successful: 1 + total: 2 + type: object + properties: + errors: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem + type: array + stats: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats + required: + - errors + - stats + description: Bulk upload successful + '413': + description: File too large + summary: Bulk upsert asset criticality records tags: - - agent builder - x-state: Technical Preview; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/agent_builder/conversations/{conversation_id}/attachments/stale: + - Security Entity Analytics API + /api/asset_criticality/list: get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/stale
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Checks staleness for the latest version of all conversation attachments against their origin snapshot.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: get-agent-builder-conversations-conversation-id-attachments-stale + description: List asset criticality records, paging, sorting and filtering as needed. + operationId: FindAssetCriticalityRecords parameters: - - description: The unique identifier of the conversation. - in: path - name: conversation_id - required: true + - description: The field to sort by. + in: query + name: sort_field + required: false + schema: + enum: + - id_value + - id_field + - criticality_level + - '@timestamp' + type: string + - description: The order to sort by. + in: query + name: sort_direction + required: false + schema: + enum: + - asc + - desc + type: string + - description: The page number to return. + in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - description: The number of records to return per page. + in: query + name: per_page + required: false + schema: + maximum: 1000 + minimum: 1 + type: integer + - description: The kuery to filter by. + in: query + name: kuery + required: false schema: type: string responses: '200': content: application/json: - examples: - checkStaleAttachmentsResponseExample: - description: 'Mixed conversation: attachments without a stale source return only id and is_stale. When a staleness check fails for one attachment, is_stale is false and an error explains why. When an origin-backed attachment is out of date, the response includes type, origin, and resolved data (here a simple text body) for resync.' 
- value: - attachments: - - id: att-text-meeting-notes - is_stale: false - - id: att-lens-active-users - is_stale: false - - error: Origin could not be resolved - id: att-query-attachment - is_stale: false - - data: This is the content of my text attachment - hidden: false - id: att-text-runbook - is_stale: true - origin: document:hr-onboarding-v2 - type: text - description: Indicates a successful response - summary: Check attachment staleness + schema: + example: + page: 1 + per_page: 10 + records: + - '@timestamp': '2024-08-02T14:40:35.705Z' + asset: + criticality: medium_impact + criticality_level: medium_impact + host: + asset: + criticality: medium_impact + name: my_other_host + id_field: host.name + id_value: my_other_host + - '@timestamp': '2024-08-02T11:15:34.290Z' + asset: + criticality: high_impact + criticality_level: high_impact + host: + asset: + criticality: high_impact + name: my_host + id_field: host.name + id_value: my_host + total: 2 + type: object + properties: + page: + minimum: 1 + type: integer + per_page: + maximum: 1000 + minimum: 1 + type: integer + records: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord + type: array + total: + minimum: 0 + type: integer + required: + - records + - page + - per_page + - total + description: Successfully retrieved asset criticality records + summary: List asset criticality records tags: - - agent builder - x-state: Technical Preview; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/agent_builder/converse: + - Security Entity Analytics API + /api/attack_discovery/_bulk: post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/agent_builder/converse
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Send a message to an agent and receive a complete response. This synchronous endpoint waits for the agent to fully process your request before returning the final result. Use this for simple chat interactions where you need the complete response. To learn more, refer to the [agent chat documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/chat).

[Required authorization] Route required privileges: agentBuilder:read. - operationId: post-agent-builder-converse - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + description: >- + Performs bulk updates on multiple Attack discoveries, including workflow + status changes and visibility settings. This endpoint allows efficient + batch processing of alert modifications without requiring individual API + calls for each alert. + operationId: PostAttackDiscoveryBulk requestBody: content: application/json: - examples: - converseRequestExample: - description: Example request to send a message to the agent as a part of the conversation - value: - agent_id: elastic-ai-agent - connector_id: my-connector-id - input: What is Elasticsearch? - converseRequestInferenceExample: - description: Example using inference_id (mutually exclusive with connector_id) - value: - agent_id: elastic-ai-agent - inference_id: my-inference-endpoint-id - input: What is Elasticsearch? + example: + update: + enable_field_rendering: false + ids: + - >- + c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + - >- + 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 + kibana_alert_workflow_status: acknowledged + with_replacements: true schema: - additionalProperties: false type: object properties: - _execution_mode: - description: '**Experimental; added in 9.4.0.** define how to execute the agent (local execution or via task_manager)' - enum: - - local - - task_manager - type: string - action: - description: The action to perform. "regenerate" re-executes the last round with the original input. Requires conversation_id. - enum: - - regenerate - type: string - agent_id: - default: elastic-ai-agent - description: The ID of the agent to chat with. Defaults to the default Elastic AI agent. 
- type: string - attachments: - description: '**Technical Preview; added in 9.3.0.** Optional attachments to send with the message.' - items: - additionalProperties: false - type: object - properties: - data: - additionalProperties: - nullable: true - description: Payload of the attachment. Required unless `origin` is provided (content is resolved once at send time). - type: object - hidden: - description: When true, the attachment will not be displayed in the UI. - type: boolean - id: - description: Optional id for the attachment. - type: string - origin: - description: Origin string (for example, saved object ID) for by-reference attachments. When provided without `data`, the content is resolved once using the attachment type’s `resolve` hook. - type: string - type: - description: Type of the attachment. - type: string - required: - - type - type: array - browser_api_tools: - description: Optional browser API tools to be registered as LLM tools with browser.* namespace. These tools execute on the client side. - items: - additionalProperties: false - type: object - properties: - description: - description: Description of what the browser API tool does. - type: string - id: - description: Unique identifier for the browser API tool. - type: string - schema: - description: JSON Schema defining the tool parameters (JsonSchema7Type). - nullable: true - required: - - id - - description - - schema - type: array - capabilities: - additionalProperties: false - description: Controls agent capabilities during conversation. Currently supports visualization rendering for tabular tool results. + update: + description: >- + Configuration object containing all parameters for the bulk + update operation type: object properties: - visualizations: - description: When true, allows the agent to render tabular data from tool results as interactive visualizations using custom XML elements in responses. 
+ enable_field_rendering: + default: false + description: >- + Enables a markdown syntax used to render pivot fields, + for example `{{ user.name james }}`. When disabled, the + same example would be rendered as `james`. This is + primarily used for Attack Discovery views within Kibana. + Defaults to `false`. + example: false type: boolean - configuration_overrides: - additionalProperties: false - description: Runtime configuration overrides. These override the stored agent configuration for this execution only. - type: object - properties: - instructions: - description: Custom instructions for the agent. - type: string - tools: - description: Tool selection to enable for this execution. + ids: + description: Array of Attack Discovery IDs to update + example: + - >- + c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + - >- + 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 items: - additionalProperties: false - type: object - properties: - tool_ids: - items: - type: string - type: array - required: - - tool_ids - type: array - connector_id: - description: Optional connector ID for the agent to use for model routing. Mutually exclusive with `inference_id`; omit or use only one. - nullable: true - type: string - conversation_id: - description: Optional existing conversation ID to continue a previous conversation. - type: string - inference_id: - description: Optional inference endpoint ID for model routing (public alias for the same internal identifier as `connector_id`). Mutually exclusive with `connector_id`. - nullable: true - type: string - input: - description: The user input message to send to the agent. - type: string - prompts: - additionalProperties: - additionalProperties: false - type: object - properties: - allow: - type: boolean - required: - - allow - description: Can be used to respond to a confirmation prompt. 
- type: object - responses: - '200': - content: - application/json: - examples: - converseResponseExample: - description: Example response containing the chain of events representing a conversation with the agent - value: - conversation_id: 696ccd6d-4bff-4b26-a62e-522ccf2dcd16 - response: - message: Elasticsearch is a distributed, RESTful search and analytics engine capable of addressing a growing number of use cases. As the heart of the Elastic Stack, it centrally stores your data for lightning fast search, fine‑tuned relevancy, and powerful analytics that scale with ease. - steps: - - reasoning: Searching for official documentation or content that explains what Elasticsearch is - type: reasoning - - params: - query: what is elasticsearch definition overview introduction - progression: - - message: Selecting the best target for this query - results: - - data: - message: Could not figure out which index to use - type: error - tool_call_id: tooluse_shOdUwKIRwC9YhqGzeg0cQ - tool_id: platform.core.search - type: tool_call - description: Indicates a successful response - summary: Send chat message - tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/agent_builder/converse" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "input": "What is Elasticsearch?", - "agent_id": "elastic-ai-agent"}' - - lang: Console - source: | - POST kbn://api/agent_builder/converse - { - "input": "What is Elasticsearch?", - "agent_id": "elastic-ai-agent" - } - x-state: Added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - /api/agent_builder/converse/async: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/agent_builder/converse/async
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Send a message to an agent and receive real-time streaming events. This asynchronous endpoint provides live updates as the agent processes your request, allowing you to see intermediate steps and progress. Use this for interactive experiences where you want to monitor the agent's thinking process. - - ## Event types - - The endpoint emits Server-Sent Events (SSE) with the following custom event types: - - `conversation_id_set` - - Sets the conversation ID. - - Schema: - ```json - { - "conversation_id": "uuid" - } - ``` - - --- - - `conversation_created` - - Fires when a new conversation is persisted and assigned an ID. - - Schema: - ```json - { - "conversation_id": "uuid", - "title": "conversation title" - } - ``` - - --- - - `conversation_updated` - - Fires when a conversation is updated. - - Schema: - ```json - { - "conversation_id": "uuid", - "title": "updated conversation title" - } - ``` - - --- - - `reasoning` - - Handles reasoning-related data. - - Schema: - ```json - { - "reasoning": "plain text reasoning content", - "transient": false - } - ``` - - --- - - `tool_call` - - Triggers when a tool is invoked. - - Schema: - ```json - { - "tool_call_id": "uuid", - "tool_id": "tool_name", - "params": {} - } - ``` - - --- - - `tool_progress` - - Reports progress of a running tool. - - Schema: - ```json - { - "tool_call_id": "uuid", - "message": "progress message" - } - ``` - - --- - - `tool_result` - - Returns results from a completed tool call. - - Schema: - ```json - { - "tool_call_id": "uuid", - "tool_id": "tool_name", - "results": [] - } - ``` - - **Note:** `results` is an array of `ToolResult` objects. - - --- - - `message_chunk` - - Streams partial text chunks. - - Schema: - ```json - { - "message_id": "uuid", - "text_chunk": "partial text" - } - ``` - - --- - - `message_complete` - - Indicates message stream is finished. 
- - Schema: - ```json - { - "message_id": "uuid", - "message_content": "full text content of the message" - } - ``` - - --- - - `thinking_complete` - - Marks the end of the thinking/reasoning phase. - - Schema: - ```json - { - "time_to_first_token": 0 - } - ``` - - **Note:** `time_to_first_token` is in milliseconds. - - --- - - `round_complete` - - Marks end of one conversation round. - - Schema: - ```json - { - "round": {} - } - ``` - - **Note:** `round` contains the full round json object. - - --- - - ## Event flow - - A typical conversation round emits events in this sequence: - - 1. `reasoning` (potentially multiple, some transient) - 2. `tool_call` (if tools are used) - 3. `tool_progress` (zero or more progress updates) - 4. `tool_result` (when tool completes) - 5. `thinking_complete` - 6. `message_chunk` (multiple, as text streams) - 7. `message_complete` - 8. `round_complete` - -

[Required authorization] Route required privileges: agentBuilder:read. - operationId: post-agent-builder-converse-async - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - converseAsyncRequestExample: - description: Example request to send a message to the agent as a part of the conversation - value: - agent_id: elastic-ai-agent - conversation_id: c250305b-1929-4248-b568-b9e3f065fda5 - input: Hello - converseAsyncRequestInferenceExample: - description: Example using inference_id (mutually exclusive with connector_id) - value: - agent_id: elastic-ai-agent - inference_id: my-inference-endpoint-id - input: Hello - schema: - additionalProperties: false - type: object - properties: - _execution_mode: - description: '**Experimental; added in 9.4.0.** define how to execute the agent (local execution or via task_manager)' - enum: - - local - - task_manager - type: string - action: - description: The action to perform. "regenerate" re-executes the last round with the original input. Requires conversation_id. - enum: - - regenerate - type: string - agent_id: - default: elastic-ai-agent - description: The ID of the agent to chat with. Defaults to the default Elastic AI agent. - type: string - attachments: - description: '**Technical Preview; added in 9.3.0.** Optional attachments to send with the message.' - items: - additionalProperties: false - type: object - properties: - data: - additionalProperties: - nullable: true - description: Payload of the attachment. Required unless `origin` is provided (content is resolved once at send time). - type: object - hidden: - description: When true, the attachment will not be displayed in the UI. - type: boolean - id: - description: Optional id for the attachment. 
- type: string - origin: - description: Origin string (for example, saved object ID) for by-reference attachments. When provided without `data`, the content is resolved once using the attachment type’s `resolve` hook. - type: string - type: - description: Type of the attachment. - type: string - required: - - type - type: array - browser_api_tools: - description: Optional browser API tools to be registered as LLM tools with browser.* namespace. These tools execute on the client side. - items: - additionalProperties: false - type: object - properties: - description: - description: Description of what the browser API tool does. - type: string - id: - description: Unique identifier for the browser API tool. type: string - schema: - description: JSON Schema defining the tool parameters (JsonSchema7Type). - nullable: true - required: - - id - - description - - schema - type: array - capabilities: - additionalProperties: false - description: Controls agent capabilities during conversation. Currently supports visualization rendering for tabular tool results. - type: object - properties: - visualizations: - description: When true, allows the agent to render tabular data from tool results as interactive visualizations using custom XML elements in responses. - type: boolean - configuration_overrides: - additionalProperties: false - description: Runtime configuration overrides. These override the stored agent configuration for this execution only. - type: object - properties: - instructions: - description: Custom instructions for the agent. - type: string - tools: - description: Tool selection to enable for this execution. - items: - additionalProperties: false - type: object - properties: - tool_ids: - items: - type: string - type: array - required: - - tool_ids type: array - connector_id: - description: Optional connector ID for the agent to use for model routing. Mutually exclusive with `inference_id`; omit or use only one. 
- nullable: true - type: string - conversation_id: - description: Optional existing conversation ID to continue a previous conversation. - type: string - inference_id: - description: Optional inference endpoint ID for model routing (public alias for the same internal identifier as `connector_id`). Mutually exclusive with `connector_id`. - nullable: true - type: string - input: - description: The user input message to send to the agent. - type: string - prompts: - additionalProperties: - additionalProperties: false - type: object - properties: - allow: - type: boolean - required: - - allow - description: Can be used to respond to a confirmation prompt. - type: object - responses: - '200': - content: - text/event-stream: - examples: - converseAsyncResponseExample: - description: Example stream containing the chain of events representing a conversation with the agent - value: - - data: - data: - conversation_id: c250305b-1929-4248-b568-b9e3f065fda5 - event: conversation_id_set - - data: - data: - reasoning: Starting with a general search to understand what content is available. - event: reasoning - - data: - data: - params: - query: latest documents - tool_call_id: tooluse__2aJELgyRYqD8SDOKSiwtg - tool_id: platform.core.search - event: tool_call - - data: - data: - results: - - data: - message: Could not figure out which index to use - type: error - tool_call_id: tooluse__2aJELgyRYqD8SDOKSiwtg - event: tool_result - - data: - data: - round: - id: a5692d54-bc06-4a6e-aea1-412779c73f66 - input: - message: Hello - response: - message: Hello! How can I help you today? 
- event: round_complete - description: Indicates a successful response - summary: Send chat message (streaming) - tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/agent_builder/converse/async" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "input": "Hello again let us have an async chat", - "agent_id": "elastic-ai-agent", - "conversation_id": "" - }' - - lang: Console - source: | - POST kbn://api/agent_builder/converse/async - { - "input": "Hello again let's have an async chat", - "agent_id": "elastic-ai-agent", - "conversation_id": "" - } - x-state: Added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - /api/agent_builder/mcp: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/agent_builder/mcp
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - > warn - > This endpoint is designed for MCP clients (Claude Desktop, Cursor, VS Code, etc.) and should not be used directly via REST APIs. Use MCP Inspector or native MCP clients instead. - To learn more, refer to the [MCP documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/mcp-server).

[Required authorization] Route required privileges: agentBuilder:read. - operationId: post-agent-builder-mcp - parameters: - - description: Comma-separated list of namespaces to filter tools. Only tools matching the specified namespaces will be returned. - in: query - name: namespace - required: false - schema: - type: string - requestBody: - content: - application/json: - examples: - mcpInitializeRequestExample: - description: 'WARNING: DO NOT USE THIS ENDPOINT VIA REST API. These examples are auto-generated and should not be run. Integrate with MCP using MCP Inspector or native MCP clients (Claude Desktop, Cursor, VS Code) instead.' - value: - id: 1 - jsonrpc: '2.0' - method: initialize - params: - capabilities: {} - clientInfo: - name: test-client - version: 1.0.0 - protocolVersion: '2024-11-05' - schema: {} + kibana_alert_workflow_status: + description: >- + When provided, update the kibana.alert.workflow_status + of the attack discovery alerts + enum: + - open + - acknowledged + - closed + example: acknowledged + type: string + visibility: + description: >- + When provided, update the visibility of the alert, as + determined by the kibana.alert.attack_discovery.users + field + enum: + - not_shared + - shared + example: shared + type: string + with_replacements: + default: true + description: >- + When true, returns the updated Attack discoveries with + text replacements applied to the detailsMarkdown, + entitySummaryMarkdown, summaryMarkdown, and title + fields. This substitutes anonymized values with + human-readable equivalents. Defaults to `true`. 
+ example: true + type: boolean + required: + - ids + required: + - update + description: Bulk update parameters for Attack discoveries + required: true responses: '200': content: application/json: - examples: - mcpInitializeResponseExample: - description: Example response showing the successful result of communication initialisation over MCP protocol - value: - id: 1 - jsonrpc: '2.0' - result: - capabilities: - tools: - listChanged: true - protocolVersion: '2024-11-05' - serverInfo: - name: elastic-mcp-server - version: 0.0.1 - description: Indicates a successful response - summary: MCP server - tags: - - agent builder - x-state: Added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - /api/agent_builder/plugins: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/agent_builder/plugins
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all installed plugins and their managed assets. Plugins are installable packages that bundle agent capabilities such as skills, following the [Claude agent plugin specification](https://code.claude.com/docs/en/plugins).

[Required authorization] Route required privileges: agentBuilder:read. - operationId: get-agent-builder-plugins - parameters: [] - responses: - '200': + example: + data: + - id: >- + c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + title: Suspicious process execution on host-01 + workflow_status: acknowledged + schema: + type: object + properties: + data: + description: >- + Array of updated Attack Discovery alert objects. Each item + includes the applied modifications from the bulk update + request. + items: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert + type: array + required: + - data + description: Indicates a successful call. + '400': content: application/json: - examples: - listPluginsResponseExample: - description: Example response that returns one installed plugin - value: - results: - - created_at: '2025-01-01T00:00:00.000Z' - description: Financial analysis tools and skills for Claude - id: financial-analysis - manifest: - author: - name: Anthropic - url: https://www.anthropic.com - keywords: - - finance - - analysis - repository: https://github.com/anthropics/financial-services-plugins - name: financial-analysis - skill_ids: - - financial-analysis-analyze-portfolio - source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis - unmanaged_assets: - agents: [] - hooks: [] - lsp_servers: [] - mcp_servers: [] - output_styles: [] - updated_at: '2025-01-01T00:00:00.000Z' - version: 1.0.0 - description: Indicates a successful response - summary: List plugins + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: >- + Human-readable error message describing what went wrong + with the bulk update request + example: Invalid request parameters. 
+ type: string + status_code: + description: HTTP status code + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. + summary: Bulk update Attack discoveries tags: - - agent builder - x-codeSamples: - - lang: curl + - Security Attack discovery API + x-code-samples: + - label: Example request + lang: curl source: | curl \ - -X GET "${KIBANA_URL}/api/agent_builder/plugins" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/agent_builder/plugins - x-state: Technical Preview; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/agent_builder/plugins/{pluginId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/agent_builder/plugins/{pluginId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete an installed plugin by ID. This action cannot be undone.

[Required authorization] Route required privileges: agentBuilder:write. - operationId: delete-agent-builder-plugins-pluginid + --request POST 'http://localhost:5601/api/attack_discovery/_bulk' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data-raw '{ + "update": { + "ids": [ + "c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f", + "5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7" + ], + "kibana_alert_workflow_status": "acknowledged" + } + }' + /api/attack_discovery/_find: + get: + description: >- + Find Attack discoveries that match the search criteria. Supports free + text search, filtering, pagination, and sorting. + operationId: AttackDiscoveryFind parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: >- + Filter results to Attack discoveries that include any of the + provided alert IDs + in: query + name: alert_ids + required: false schema: - example: 'true' - type: string - - description: The unique identifier of the plugin. - in: path - name: pluginId - required: true + items: + type: string + type: array + - description: >- + Filter results to Attack discoveries created by any of the provided + human readable connector names. Note that values must match the + human readable `connector_name` property of an Attack discovery, + e.g. "GPT-5 Chat", which are distinct from `connector_id` values + used to generate Attack discoveries. + in: query + name: connector_names + required: false schema: - type: string - - description: If true, removes the plugin skills from agents that use them and then deletes the plugin. If false and any agent uses the plugin skills, the request returns 409 Conflict with the list of agents. + items: + type: string + type: array + - description: >- + Enables a markdown syntax used to render pivot fields, for example + `{{ user.name james }}`. 
When disabled, the same example would be + rendered as `james`. This is primarily used for Attack Discovery + views within Kibana. Defaults to `false`. + example: false in: query - name: force + name: enable_field_rendering required: false schema: default: false type: boolean - responses: - '200': - content: - application/json: - examples: - deletePluginResponseExample: - description: Example response showing that deletion of the plugin has been successful - value: - success: true - description: Indicates a successful response - summary: Delete a plugin - tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X DELETE "${KIBANA_URL}/api/agent_builder/plugins/{id}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - lang: Console - source: | - DELETE kbn://api/agent_builder/plugins/{id} - x-state: Technical Preview; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/agent_builder/plugins/{pluginId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a specific plugin by ID.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: get-agent-builder-plugins-pluginid - parameters: - - description: The unique identifier of the plugin. - in: path - name: pluginId - required: true + - description: >- + End of the time range for the search. Accepts absolute timestamps + (ISO 8601) or relative date math (e.g. "now", "now-24h"). + example: now + in: query + name: end + required: false schema: type: string - responses: - '200': - content: - application/json: - examples: - getPluginByIdResponseExample: - description: Example response returning a single installed plugin - value: - created_at: '2025-01-01T00:00:00.000Z' - description: Financial analysis tools and skills for Claude - id: financial-analysis - manifest: - author: - name: Anthropic - url: https://www.anthropic.com - keywords: - - finance - - analysis - repository: https://github.com/anthropics/financial-services-plugins - name: financial-analysis - skill_ids: - - financial-analysis-analyze-portfolio - source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis - unmanaged_assets: - agents: [] - hooks: [] - lsp_servers: [] - mcp_servers: [] - output_styles: [] - updated_at: '2025-01-01T00:00:00.000Z' - version: 1.0.0 - description: Indicates a successful response - summary: Get a plugin by id - tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/agent_builder/plugins/{id}" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/agent_builder/plugins/{id} - x-state: Technical Preview; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/agent_builder/plugins/install: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/agent_builder/plugins/install
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Install a plugin from a [GitHub Claude plugin URL](https://code.claude.com/docs/en/plugins) or a direct ZIP URL. Plugins bundle agent capabilities such as skills.

[Required authorization] Route required privileges: agentBuilder:write. - operationId: post-agent-builder-plugins-install - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: Filter results to the Attack discoveries with the specified IDs + in: query + name: ids + required: false schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - installPluginFromGithubExample: - description: Example request for installing a plugin from a GitHub URL - value: - url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis - installPluginFromZipExample: - description: Example request for installing a plugin from a direct zip URL - value: - url: https://my-server.example.com/my-plugin.zip - installPluginWithNameOverrideExample: - description: Example request for installing a plugin with a custom name - value: - plugin_name: my-custom-plugin-name - url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis - schema: - additionalProperties: false - type: object - properties: - plugin_name: - description: Optional name override for the plugin. Defaults to the manifest name. - type: string - url: - description: URL to install the plugin from (GitHub URL or direct zip URL). 
- type: string - required: - - url - responses: - '200': - content: - application/json: - examples: - installPluginResponseExample: - description: Example response returning the definition of the installed plugin - value: - created_at: '2025-01-01T00:00:00.000Z' - description: Financial analysis tools and skills for Claude - id: financial-analysis - manifest: - author: - name: Anthropic - url: https://www.anthropic.com - keywords: - - finance - - analysis - repository: https://github.com/anthropics/financial-services-plugins - name: financial-analysis - skill_ids: - - financial-analysis-analyze-portfolio - source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis - unmanaged_assets: - agents: [] - hooks: [] - lsp_servers: [] - mcp_servers: [] - output_styles: [] - updated_at: '2025-01-01T00:00:00.000Z' - version: 1.0.0 - description: Indicates a successful response - summary: Install a plugin - tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/agent_builder/plugins/install" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "url": "https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis" - }' - - lang: Console - source: | - POST kbn://api/agent_builder/plugins/install - { - "url": "https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis" - } - x-state: Technical Preview; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/agent_builder/skills: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/agent_builder/skills
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all available skills (built-in and user-created).

[Required authorization] Route required privileges: agentBuilder:read. - operationId: get-agent-builder-skills - parameters: - - description: Set to true to include skills from plugins. + items: + type: string + type: array + - description: >- + If `true`, the response will include `unique_alert_ids` and + `unique_alert_ids_count` aggregated across the matched Attack + discoveries + example: false in: query - name: include_plugins + name: include_unique_alert_ids required: false schema: - default: false type: boolean - responses: {} - summary: List skills - tags: - - agent builder - x-state: Technical Preview; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/agent_builder/skills
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new user-defined skill.

[Required authorization] Route required privileges: agentBuilder:manageSkills. - operationId: post-agent-builder-skills - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: Page number to return (used for pagination). Defaults to 1. + example: 1 + in: query + name: page + required: false schema: - example: 'true' - type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - content: - description: Skill instructions content (markdown). - type: string - description: - description: Description of what the skill does. - type: string - id: - description: Unique identifier for the skill. - type: string - name: - description: Human-readable name for the skill. - type: string - referenced_content: - items: - additionalProperties: false - type: object - properties: - content: - description: Content of the reference. - type: string - name: - description: Name of the referenced content. - type: string - relativePath: - description: Relative path of the referenced content. - type: string - required: - - name - - relativePath - - content - maxItems: 100 - type: array - tool_ids: - default: [] - description: Tool IDs from the tool registry that this skill references. - items: - description: Tool ID from the tool registry. - type: string - maxItems: 100 - type: array - required: - - id - - name - - description - - content - responses: {} - summary: Create a skill - tags: - - agent builder - x-state: Technical Preview; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/agent_builder/skills/{skillId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/agent_builder/skills/{skillId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a user-created skill by ID. If agents still reference the skill, the request returns 409 unless force=true, which removes the skill from agents first. Built-in skills cannot be deleted.

[Required authorization] Route required privileges: agentBuilder:manageSkills. - operationId: delete-agent-builder-skills-skillid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + default: 1 + minimum: 1 + type: integer + - description: >- + Number of Attack discoveries to return per page (used for + pagination). Defaults to 10. + example: 10 + in: query + name: per_page + required: false schema: - example: 'true' - type: string - - description: The unique identifier of the skill. - in: path - name: skillId - required: true + default: 10 + minimum: 1 + type: integer + - description: >- + Free-text search query applied to relevant text fields of Attack + discoveries (title, description, tags, etc.) + example: '' + in: query + name: search + required: false schema: - maxLength: 512 - minLength: 1 type: string - - description: If true, removes the skill from agents that use it and then deletes it. If false and any agent uses the skill, the request returns 409 Conflict with the list of agents. + - description: >- + Whether to filter by shared visibility. If omitted, both shared and + privately visible Attack discoveries are returned. Use `true` to + return only shared discoveries, `false` to return only those visible + to the current user. 
in: query - name: force + name: shared required: false schema: - default: false type: boolean - responses: - '200': - content: - application/json: - examples: - deleteSkillResponseExample: - description: Example response showing that the deletion operation was successful - value: - success: true - description: Indicates a successful response - summary: Delete a skill - tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X DELETE "https://${KIBANA_URL}/api/agent_builder/skills/{skillId}?force=false" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - lang: Console - source: | - DELETE kbn:/api/agent_builder/skills/{skillId} - x-state: Technical Preview; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/agent_builder/skills/{skillId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a specific skill by ID.

[Required authorization] Route required privileges: agentBuilder:read. - operationId: get-agent-builder-skills-skillid - parameters: - - description: The unique identifier of the skill. - in: path - name: skillId - required: true + - description: >- + Whether to filter by scheduled or ad-hoc attack discoveries. If + omitted, both types of attack discoveries are returned. Use `true` + to return only scheduled discoveries or `false` to return only + ad-hoc discoveries. + in: query + name: scheduled + required: false schema: - maxLength: 512 - minLength: 1 - type: string - responses: {} - summary: Get a skill by id - tags: - - agent builder - x-state: Technical Preview; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/agent_builder/skills/{skillId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an existing user-created skill.

[Required authorization] Route required privileges: agentBuilder:manageSkills. - operationId: put-agent-builder-skills-skillid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + type: boolean + - description: >- + Field used to sort results. See `AttackDiscoveryFindSortField` for + allowed values. + example: '@timestamp' + in: query + name: sort_field + required: false schema: - example: 'true' - type: string - - description: The unique identifier of the skill. - in: path - name: skillId - required: true + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryFindSortField + default: '@timestamp' + - description: >- + Sort order direction `asc` for ascending or `desc` for descending. + Defaults to `desc`. + example: desc + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_SortOrder' + default: desc + - description: >- + Start of the time range for the search. Accepts absolute timestamps + (ISO 8601) or relative date math (e.g. "now-7d"). + example: now-24h + in: query + name: start + required: false schema: - maxLength: 512 - minLength: 1 type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - content: - description: Updated skill instructions content. - type: string - description: - description: Updated description. - type: string - name: - description: Updated name for the skill. - type: string - referenced_content: - items: - additionalProperties: false - type: object - properties: - content: - description: Content of the reference. - type: string - name: - description: Name of the referenced content. - type: string - relativePath: - description: Relative path of the referenced content. 
- type: string - required: - - name - - relativePath - - content - maxItems: 100 - type: array - tool_ids: - description: Updated tool IDs from the tool registry. - items: - description: Updated tool ID. - type: string - maxItems: 100 - type: array - responses: {} - summary: Update a skill - tags: - - agent builder - x-state: Technical Preview; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/agent_builder/tools: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/agent_builder/tools
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all available tools. Use this endpoint to retrieve complete tool definitions including their schemas and configuration requirements. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. - operationId: get-agent-builder-tools - parameters: [] + - description: >- + Filter by alert workflow status. Provide one or more of the allowed + workflow states. + example: + - open + - acknowledged + in: query + name: status + required: false + schema: + items: + enum: + - acknowledged + - closed + - open + type: string + type: array + - description: >- + When true, return the created Attack discoveries with text + replacements applied to the detailsMarkdown, entitySummaryMarkdown, + summaryMarkdown, and title fields. Defaults to `true`. + example: true + in: query + name: with_replacements + required: false + schema: + default: true + type: boolean responses: '200': content: application/json: - examples: - listToolsResponseExample: - description: Example response returning a list of existing tools - value: - results: - - configuration: {} - description: |- - A powerful tool for searching and analyzing data within your Elasticsearch cluster. - It supports both full-text relevance searches and structured analytical queries. - - Use this tool for any query that involves finding documents, counting, aggregating, or summarizing data from a known index. - - Examples of queries: - - "find articles about serverless architecture" - - "search for support tickets mentioning 'billing issue' or 'refund request'" - - "what is our policy on parental leave?" - - "list all products where the category is 'electronics'" - - "show me the last 5 documents from that index" - - "show me the sales over the last year break down by month" - - Note: - - The 'index' parameter can be used to specify which index to search against. - If not provided, the tool will decide itself which is the best index to use. - - It is perfectly fine not to specify the 'index' parameter. It should only be specified when you already - know about the index and fields you want to search on, e.g. if the user explicitly specified it. 
- id: platform.core.search - readonly: true - schema: - $schema: http://json-schema.org/draft-07/schema# - additionalProperties: false - type: object - properties: - index: - description: (optional) Index to search against. If not provided, will automatically select the best index to use based on the query. - type: string - query: - description: A natural language query expressing the search request - type: string - required: - - query - tags: [] - type: builtin - - configuration: {} - description: Retrieve the full content (source) of an Elasticsearch document based on its ID and index name. - id: platform.core.get_document_by_id - readonly: true - schema: - $schema: http://json-schema.org/draft-07/schema# - additionalProperties: false - type: object - properties: - id: - description: ID of the document to retrieve - type: string - index: - description: Name of the index to retrieve the document from - type: string - required: - - id - - index - tags: [] - type: builtin - - configuration: {} - description: |- - Execute an ES|QL query and return the results in a tabular format. - - **IMPORTANT**: This tool only **runs** queries; it does not write them. - Think of this as the final step after a query has been prepared. - - You **must** get the query from one of two sources before calling this tool: - 1. The output of the `platform.core.generate_esql` tool (if the tool is available). - 2. A verbatim query provided directly by the user. - - Under no circumstances should you invent, guess, or modify a query yourself for this tool. - If you need a query, use the `platform.core.generate_esql` tool first. 
- id: platform.core.execute_esql - readonly: true - schema: - $schema: http://json-schema.org/draft-07/schema# - additionalProperties: false - type: object - properties: - query: - description: The ES|QL query to execute - type: string - required: - - query - tags: [] - type: builtin - - configuration: - params: - limit: - description: Maximum number of results to return - type: integer - startTime: - description: Start time for the analysis in ISO format - type: date - query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit - description: Example ES|QL query tool for analyzing financial trades with time filtering - id: example-esql-tool - readonly: false - schema: - $schema: http://json-schema.org/draft-07/schema# - additionalProperties: false - description: Parameters needed to execute the query - type: object - properties: - limit: - description: Maximum number of results to return - type: integer - startTime: - description: Start time for the analysis in ISO format - format: date-time - type: string - required: - - startTime - - limit - tags: - - analytics - - finance - type: esql - - configuration: - pattern: financial_* - description: Search tool specifically for financial data analysis and reporting - id: example-index-search-tool - readonly: false - schema: - $schema: http://json-schema.org/draft-07/schema# - additionalProperties: false - type: object - properties: - nlQuery: - description: A natural language query expressing the search request - type: string - required: - - nlQuery - tags: - - search - - finance - type: index_search - description: Indicates a successful response - summary: List tools - tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "https://${KIBANA_URL}/api/agent_builder/tools" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET 
kbn:/api/agent_builder/tools - x-state: Added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/agent_builder/tools
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new tool. Use this endpoint to define a custom tool with specific functionality and configuration for use by agents. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. - operationId: post-agent-builder-tools - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - createEsqlToolRequest: - description: Example request to create an ESQL query tool with a pre-defined query - value: - configuration: - params: - limit: - description: Maximum number of results to return - type: integer - startTime: - description: Start time for the analysis in ISO format - type: date - query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit - description: Example ES|QL query tool for analyzing financial trades with time filtering - id: example-esql-tool - tags: - - analytics - - finance - type: esql - createIndexSearchToolRequest: - description: Example request to create an index_search tool with a pre-defined index pattern - value: - configuration: - pattern: financial_* - description: Search tool specifically for financial data analysis and reporting - id: example-index-search-tool - tags: - - search - - finance - type: index_search - schema: - additionalProperties: false - type: object - properties: - configuration: - additionalProperties: - nullable: true - description: Tool-specific configuration parameters. See examples for details. - type: object - description: - default: '' - description: Description of what the tool does. - type: string - id: - description: Unique identifier for the tool. - type: string - tags: - default: [] - description: Optional tags for categorizing and organizing tools. - items: - description: Tag for categorizing the tool. - type: string - type: array - type: - description: The type of tool to create (e.g., esql, index_search). 
- enum: - - esql - - index_search - - workflow - - mcp - type: string - required: - - id - - type - - configuration - responses: - '200': + example: + connector_names: + - GPT-5 Chat + data: + - connector_name: GPT-5 Chat + id: >- + c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + title: Suspicious process execution on host-01 + page: 1 + per_page: 10 + total: 1 + unique_alert_ids_count: 0 + schema: + type: object + properties: + connector_names: + description: >- + List of human readable connector names that are present in + the matched Attack discoveries. Useful for building client + filters or summaries. + items: + type: string + type: array + data: + description: >- + Array of matched Attack discovery objects. Each item + follows the `AttackDiscoveryApiAlert` schema. + items: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert + type: array + page: + description: Current page number of the paginated result set. + type: integer + per_page: + description: Number of items requested per page. + type: integer + total: + description: >- + Total number of Attack discoveries matching the query + (across all pages). + type: integer + unique_alert_ids: + description: >- + List of unique alert IDs aggregated from the matched + Attack discoveries. Only present if + `include_unique_alert_ids=true` in the request. + items: + type: string + type: array + unique_alert_ids_count: + description: >- + Number of unique alert IDs across all matched Attack + discoveries. Only present if + `include_unique_alert_ids=true` in the request. + type: integer + required: + - connector_names + - data + - page + - per_page + - total + - unique_alert_ids_count + description: Indicates a successful call. 
+ '400': content: application/json: - examples: - createEsqlToolExample: - description: Example response returning a definition of ESQL tool created - value: - configuration: - params: - limit: - description: Maximum number of results to return - type: integer - startTime: - description: Start time for the analysis in ISO format - type: date - query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit - description: Example ES|QL query tool for analyzing financial trades with time filtering - id: example-esql-tool - readonly: false - schema: - $schema: http://json-schema.org/draft-07/schema# - additionalProperties: false - description: Parameters needed to execute the query - type: object - properties: - limit: - description: Maximum number of results to return - type: integer - startTime: - description: Start time for the analysis in ISO format - format: date-time - type: string - required: - - startTime - - limit - tags: - - analytics - - finance - type: esql - createIndexSearchToolExample: - description: Example response returning a definition of search tool tool created - value: - configuration: - pattern: financial_* - description: Search tool specifically for financial data analysis and reporting - id: example-index-search-tool - readonly: false - schema: - $schema: http://json-schema.org/draft-07/schema# - additionalProperties: false - type: object - properties: - nlQuery: - description: A natural language query expressing the search request - type: string - required: - - nlQuery - tags: - - search - - finance - type: index_search - description: Indicates a successful response - summary: Create a tool + example: + error: Bad Request + message: Invalid request payload. 
+ status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message + example: Invalid request payload. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + description: Bad Request response. + summary: Find Attack discoveries that match the search criteria tags: - - agent builder - x-codeSamples: - - lang: curl + - Security Attack discovery API + x-code-samples: + - label: Example request + lang: curl source: | curl \ - -X POST "https://${KIBANA_URL}/api/agent_builder/tools" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "id": "example-esql-tool", - "type": "esql", - "description": "Example ES|QL query tool for analyzing financial trades with time filtering", - "tags": ["analytics", "finance"], - "configuration": { - "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", - "params": { - "startTime": { - "type": "date", - "description": "Start time for the analysis in ISO format" - }, - "limit": { - "type": "integer", - "description": "Maximum number of results to return" - } - } - } - }' - - lang: Console - source: | - POST kbn:/api/agent_builder/tools - { - "id": "example-esql-tool", - "type": "esql", - "description": "An ES|QL query tool for analyzing financial trades with time filtering", - "tags": ["analytics", "finance", "updated"], - "configuration": { - "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", - "params": { - "startTime": { - "type": "date", - "description": "Start time for the analysis in ISO format" - }, - "limit": { - "type": "integer", - "description": 
"Maximum number of results to return" - } - } - } - } - x-state: Added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - /api/agent_builder/tools/_execute: + --request GET 'http://localhost:5601/api/attack_discovery/_find?end=now&include_unique_alert_ids=false&page=1&per_page=10&search=&sort_field=%40timestamp&sort_order=desc&start=now-24h&status=open&status=acknowledged' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + /api/attack_discovery/_generate: post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/agent_builder/tools/_execute
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Run a tool with parameters. Use this endpoint to run a tool directly with specified inputs and optional external connector integration. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. - operationId: post-agent-builder-tools-execute - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + description: >- + Initiates the generation of attack discoveries by analyzing security + alerts using AI. Returns an execution UUID that can be used to track the + generation progress and retrieve results. Results may also be retrieved + via the find endpoint. + operationId: PostAttackDiscoveryGenerate requestBody: content: application/json: - examples: - executeBuiltinEsqlToolRequest: - description: Example request executing platform.core.execute_esql tool - value: - tool_id: platform.core.execute_esql - tool_params: - query: FROM financial_trades | LIMIT 3 - executeBuiltinToolRequest: - description: Example request executing platform.core.get_document_by_id tool - value: - tool_id: platform.core.get_document_by_id - tool_params: - id: TRD-20250805-0820a89f - index: financial_trades - executeCustomEsqlToolRequest: - description: Example request executing custom example-esql-tool tool - value: - tool_id: example-esql-tool - tool_params: - limit: 3 - startTime: '2024-01-01T00:00:00Z' - executeIndexSearchToolRequest: - description: Example request executing custom example-index-search-tool tool - value: - tool_id: example-index-search-tool - tool_params: - nlQuery: find trades with high execution prices above 100 + example: + alertsIndexPattern: .alerts-security.alerts-default + anonymizationFields: + - allowed: true + anonymized: true + field: host.name + - allowed: true + anonymized: true + field: user.name + - allowed: true + anonymized: false + field: process.name + apiConfig: + actionTypeId: .gen-ai + connectorId: 12345678-1234-1234-1234-123456789012 + connectorName: GPT-5 Chat + end: now + replacements: {} + size: 100 + start: now-24h + subAction: invokeAI schema: - 
additionalProperties: false - type: object - properties: - connector_id: - description: Optional connector ID for tools that require external integrations. - type: string - tool_id: - description: The ID of the tool to execute. - type: string - tool_params: - additionalProperties: - nullable: true - description: Parameters to pass to the tool execution. See examples for details - type: object - required: - - tool_id - - tool_params + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenerationConfig + required: true responses: '200': content: application/json: - examples: - executeBuiltinEsqlToolExample: - description: Example response calling built-in platform.core.execute_esql tool - value: - results: - - data: - esql: FROM financial_trades | LIMIT 3 - type: query - - data: - columns: - - name: account_id - type: keyword - - name: execution_price - type: double - - name: symbol - type: keyword - - name: trade_type - type: keyword - query: FROM financial_trades | LIMIT 3 - source: esql - values: - - - ACC00179-1f91 - - 43.77000045776367 - - CVX - - sell - - - ACC00407-0bbb - - 660.4199829101562 - - V - - buy - - - ACC00179-1f91 - - 440.3599853515625 - - KO - - buy - tool_result_id: xTpT - type: esql_results - executeBuiltinToolExample: - description: Example response calling built-in platform.core.get_document_by_id tool - value: - results: - - data: - content: - account_id: ACC00271-fb5c - execution_price: 488.54 - execution_timestamp: '2025-08-05T08:04:11.649855' - last_updated: '2025-09-15T13:23:36' - order_status: executed - order_type: market - quantity: 131 - status_reason: fully_filled - symbol: EWL - trade_cost: 63998.74 - trade_id: TRD-20250805-0820a89f - trade_type: sell - partial: false - reference: - id: TRD-20250805-0820a89f - index: financial_trades - type: resource - executeCustomEsqlToolExample: - description: Example response calling custom example-esql-tool tool - value: - results: - - data: - columns: - - name: 
trade_count - type: long - - name: avg_price - type: double - - name: symbol - type: keyword - query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit - source: esql - values: - - - 2115 - - 89.33911587329621 - - US_T_BOND_20YR - - - 2112 - - 104.20854155945055 - - INTL_CORP_ASIA_D - - - 2105 - - 89.93244177666526 - - INTL_CORP_EU_B - tool_result_id: Voy8 - type: esql_results - executeIndexSearchToolExample: - description: Example response calling custom example-index-search-tool tool - value: - results: - - data: - esql: |- - FROM financial_trades - | WHERE execution_price > 100 - | LIMIT 100 - type: query - - data: - columns: - - name: account_id - type: keyword - - name: execution_price - type: double - - name: execution_timestamp - type: date - - name: symbol - type: keyword - - name: trade_type - type: keyword - query: |- - FROM financial_trades - | WHERE execution_price > 100 - | LIMIT 100 - source: esql - values: - - - ACC00407-0bbb - - 660.4199829101562 - - '2020-09-25T11:06:08.687Z' - - V - - buy - - - ACC00179-1f91 - - 440.3599853515625 - - '2025-08-07T21:56:45.377Z' - - KO - - buy - - - ACC00407-0bbb - - 132.8800048828125 - - '2020-11-19T04:39:13.655Z' - - JAP_JGB_10YR - - sell - tool_result_id: uE8y - type: esql_results - description: Indicates a successful response - summary: Run a tool - tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "https://${KIBANA_URL}/api/agent_builder/tools/_execute" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "tool_id": "platform.core.search", - "tool_params": { - "query": "can you find john doe's email from the employee index?"} - } - }' - - lang: Console - source: | - POST kbn:/api/agent_builder/tools/_execute - { - "tool_id": "platform.core.search", - "tool_params": { - "query": "can you 
find john doe's email from the employee index?" - } - } - x-state: Added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - /api/agent_builder/tools/{toolId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/agent_builder/tools/{toolId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a tool by ID. This action cannot be undone. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. - operationId: delete-agent-builder-tools-toolid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the tool to delete. - in: path - name: toolId - required: true - schema: - type: string - - description: If true, removes the tool from agents that use it and then deletes it. If false and any agent uses the tool, the request returns 409 Conflict with the list of agents. - in: query - name: force - required: false - schema: - default: false - type: boolean - responses: - '200': + example: + execution_uuid: edd26039-0990-4d9f-9829-2a1fcacb77b5 + schema: + type: object + properties: + execution_uuid: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_NonEmptyString + description: >- + The unique identifier for the attack discovery generation + process. Use this UUID to track the generation progress + and retrieve results via the find endpoint. + example: edd26039-0990-4d9f-9829-2a1fcacb77b5 + required: + - execution_uuid + description: Indicates a successful call. + '400': content: application/json: - examples: - deleteAgentResponseExample: - description: Example response showing that the deletion operation was successful - value: - success: true - description: Indicates a successful response - summary: Delete a tool + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message describing what went wrong + example: Invalid request parameters. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. 
+ summary: Generate attack discoveries from alerts tags: - - agent builder - x-codeSamples: - - lang: curl + - Security Attack discovery API + x-code-samples: + - label: Example request + lang: curl source: | curl \ - -X DELETE "https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - lang: Console - source: | - DELETE kbn:/api/agent_builder/tools/{toolId} - x-state: Added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/agent_builder/tools/{toolId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a specific tool by ID. Use this endpoint to retrieve the complete tool definition including its schema and configuration requirements. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. - operationId: get-agent-builder-tools-toolid - parameters: - - description: The unique identifier of the tool to retrieve. - in: path - name: toolId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getBuiltinToolExample: - description: Example response returning built-in platform.core.search tool - value: - configuration: {} - description: |- - A powerful tool for searching and analyzing data within your Elasticsearch cluster. - It supports both full-text relevance searches and structured analytical queries. - - Use this tool for any query that involves finding documents, counting, aggregating, or summarizing data from a known index. - - Examples of queries: - - "find articles about serverless architecture" - - "search for support tickets mentioning 'billing issue' or 'refund request'" - - "what is our policy on parental leave?" - - "list all products where the category is 'electronics'" - - "show me the last 5 documents from that index" - - "show me the sales over the last year break down by month" - - Note: - - The 'index' parameter can be used to specify which index to search against. - If not provided, the tool will decide itself which is the best index to use. - - It is perfectly fine not to specify the 'index' parameter. It should only be specified when you already - know about the index and fields you want to search on, e.g. if the user explicitly specified it. - id: platform.core.search - readonly: true - schema: - $schema: http://json-schema.org/draft-07/schema# - additionalProperties: false - type: object - properties: - index: - description: (optional) Index to search against. If not provided, will automatically select the best index to use based on the query. 
- type: string - query: - description: A natural language query expressing the search request - type: string - required: - - query - tags: [] - type: builtin - getEsqlToolExample: - description: Example response returning custom example-esql-tool tool - value: - configuration: - params: - limit: - description: Maximum number of results to return - type: integer - startTime: - description: Start time for the analysis in ISO format - type: date - query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit - description: Example ES|QL query tool for analyzing financial trades with time filtering - id: example-esql-tool - readonly: false - schema: - $schema: http://json-schema.org/draft-07/schema# - additionalProperties: false - description: Parameters needed to execute the query - type: object - properties: - limit: - description: Maximum number of results to return - type: integer - startTime: - description: Start time for the analysis in ISO format - format: date-time - type: string - required: - - startTime - - limit - tags: - - analytics - - finance - type: esql - getIndexSearchToolExample: - description: Example response returning custom example-index-search-tool tool - value: - configuration: - pattern: financial_* - description: Search tool specifically for financial data analysis and reporting - id: example-index-search-tool - readonly: false - schema: - $schema: http://json-schema.org/draft-07/schema# - additionalProperties: false - type: object - properties: - nlQuery: - description: A natural language query expressing the search request - type: string - required: - - nlQuery - tags: - - search - - finance - type: index_search - description: Indicates a successful response - summary: Get a tool by id - tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET 
"https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn:/api/agent_builder/tools/{toolId} - x-state: Added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/agent_builder/tools/{toolId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an existing tool. Use this endpoint to modify any aspect of the tool's configuration or metadata. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. - operationId: put-agent-builder-tools-toolid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the tool to update. - in: path - name: toolId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - updateEsqlToolRequest: - description: Example request to update the custom ESQL tool - value: - configuration: - params: - limit: - description: Maximum number of results to return - type: integer - startTime: - description: Start time for the analysis in ISO format - type: date - symbolPattern: - description: Pattern to filter symbols (e.g., 'US_*' for US instruments) - type: keyword - query: FROM financial_trades | WHERE execution_timestamp >= ?startTime AND symbol LIKE ?symbolPattern | STATS trade_count=COUNT(*), avg_price=AVG(execution_price), total_volume=SUM(quantity) BY symbol | SORT trade_count DESC | LIMIT ?limit - description: Updated ES|QL query tool for comprehensive financial analysis with enhanced filtering - tags: - - analytics - - finance - - reporting - updateIndexSearchToolRequest: - description: Example request to update the custom Search tool - value: - description: Updated search tool for comprehensive financial data analysis, reporting, and compliance monitoring - tags: - - search - - finance - - compliance - - reporting - schema: - additionalProperties: false - type: object - properties: - configuration: - additionalProperties: - nullable: true - description: Updated tool-specific configuration parameters. See examples for details. - type: object - description: - description: Updated description of what the tool does. - type: string - tags: - description: Updated tags for categorizing and organizing tools. 
- items: - description: Updated tag for categorizing the tool. - type: string - type: array - responses: - '200': - content: - application/json: - examples: - updateEsqlToolExample: - description: Example response showing the updated ESQL tool - value: - configuration: - params: - limit: - description: Maximum number of results to return - type: integer - startTime: - description: Start time for the analysis in ISO format - type: date - symbolPattern: - description: Pattern to filter symbols (e.g., 'US_*' for US instruments) - type: keyword - query: FROM financial_trades | WHERE execution_timestamp >= ?startTime AND symbol LIKE ?symbolPattern | STATS trade_count=COUNT(*), avg_price=AVG(execution_price), total_volume=SUM(quantity) BY symbol | SORT trade_count DESC | LIMIT ?limit - description: Updated ES|QL query tool for comprehensive financial analysis with enhanced filtering - id: example-esql-tool - readonly: false - schema: - $schema: http://json-schema.org/draft-07/schema# - additionalProperties: false - description: Parameters needed to execute the enhanced query - type: object - properties: - limit: - description: Maximum number of results to return - type: integer - startTime: - description: Start time for the analysis in ISO format - format: date-time - type: string - symbolPattern: - description: Pattern to filter symbols (e.g., 'US_*' for US instruments) - type: string - required: - - startTime - - symbolPattern - - limit - tags: - - analytics - - finance - - reporting - type: esql - updateIndexSearchToolExample: - description: Example response showing the updated Search tool - value: - configuration: - pattern: financial_* - description: Updated search tool for comprehensive financial data analysis, reporting, and compliance monitoring - id: example-index-search-tool - readonly: false - schema: - $schema: http://json-schema.org/draft-07/schema# - additionalProperties: false - type: object - properties: - nlQuery: - description: A natural language query 
expressing the search request - type: string - required: - - nlQuery - tags: - - search - - finance - - compliance - - reporting - type: index_search - description: Indicates a successful response - summary: Update a tool - tags: - - agent builder - x-codeSamples: - - lang: curl - source: | - curl \ - -X PUT "https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "description": "Updated ES|QL query tool for analyzing financial trades with time filtering", - "tags": ["analytics", "finance", "updated"], - "configuration": { - "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", - "params": { - "startTime": { - "type": "date", - "description": "Start time for the analysis in ISO format" - }, - "limit": { - "type": "integer", - "description": "Maximum number of results to return" - } - } - } - }' - - lang: Console - source: | - PUT kbn:/api/agent_builder/tools/{toolId} - { - "description": "Updated ES|QL query tool for analyzing financial trades with time filtering", - "tags": ["analytics", "finance", "updated"], - "configuration": { - "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", - "params": { - "startTime": { - "type": "date", - "description": "Start time for the analysis in ISO format" + --request POST 'http://localhost:5601/api/attack_discovery/_generate' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{ + "alertsIndexPattern": ".alerts-security.alerts-default", + "anonymizationFields": [ + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "@timestamp", + "allowed": true, + 
"anonymized": false, + "namespace": "default", + "id": "aKiJW5gB4U27o8XO8oLf" }, - "limit": { - "type": "integer", - "description": "Maximum number of results to return" - } - } - } - } - x-state: Added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - /api/alerting/_health: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/alerting/_health
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - You must have `read` privileges for the **Management > Stack Rules** feature or for at least one of the **Analytics > Discover**, **Analytics > Machine Learning**, **Observability**, or **Security** features. - operationId: getAlertingHealth - responses: - '200': - content: - application/json: - examples: - getAlertingHealthResponse: - $ref: '#/components/examples/Alerting_get_health_response' - schema: - type: object - properties: - alerting_framework_health: - description: | - Three substates identify the health of the alerting framework: `decryption_health`, `execution_health`, and `read_health`. - type: object - properties: - decryption_health: - description: The timestamp and status of the rule decryption. - type: object - properties: - status: - enum: - - error - - ok - - warn - example: ok - type: string - timestamp: - example: '2023-01-13T01:28:00.280Z' - format: date-time - type: string - execution_health: - description: The timestamp and status of the rule run. - type: object - properties: - status: - enum: - - error - - ok - - warn - example: ok - type: string - timestamp: - example: '2023-01-13T01:28:00.280Z' - format: date-time - type: string - read_health: - description: The timestamp and status of the rule reading events. - type: object - properties: - status: - enum: - - error - - ok - - warn - example: ok - type: string - timestamp: - example: '2023-01-13T01:28:00.280Z' - format: date-time - type: string - has_permanent_encryption_key: - description: If `false`, the encrypted saved object plugin does not have a permanent encryption key. - example: true - type: boolean - is_sufficiently_secure: - description: If `false`, security is enabled but TLS is not. - example: true - type: boolean - description: Indicates a successful call. 
- '401': - content: - application/json: - examples: - healthUnauthorizedResponse: - $ref: '#/components/examples/Alerting_401_health_response' - schema: - $ref: '#/components/schemas/Alerting_401_response' - description: Authorization information is missing or invalid. - summary: Get the alerting framework health - tags: - - alerting - x-metaTags: - - content: Kibana - name: product_name - /api/alerting/rule_types: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/alerting/rule_types
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - If you have `read` privileges for one or more Kibana features, the API response contains information about the appropriate rule types. For example, there are rule types associated with the **Management > Stack Rules** feature, **Analytics > Discover** and **Machine Learning** features, **Observability** features, and **Security** features. To get rule types associated with the **Stack Monitoring** feature, use the `monitoring_user` built-in role. - operationId: getRuleTypes - responses: - '200': - content: - application/json: - examples: - getRuleTypesResponse: - $ref: '#/components/examples/Alerting_get_rule_types_response' - schema: - items: - type: object - properties: - action_groups: - description: | - An explicit list of groups for which the rule type can schedule actions, each with the action group's unique ID and human readable name. Rule actions validation uses this configuration to ensure that groups are valid. - items: - type: object - properties: - id: - type: string - name: - type: string - type: array - action_variables: - description: | - A list of action variables that the rule type makes available via context and state in action parameter templates, and a short human readable description. When you create a rule in Kibana, it uses this information to prompt you for these variables in action parameter editors. - type: object - properties: - context: - items: - type: object - properties: - description: - type: string - name: - type: string - useWithTripleBracesInTemplates: - type: boolean - type: array - params: - items: - type: object - properties: - description: - type: string - name: - type: string - type: array - state: - items: - type: object - properties: - description: - type: string - name: - type: string - type: array - alerts: - description: | - Details for writing alerts as data documents for this rule type. 
- type: object - properties: - context: - description: | - The namespace for this rule type. - enum: - - ml.anomaly-detection - - observability.apm - - observability.logs - - observability.metrics - - observability.slo - - observability.threshold - - observability.uptime - - security - - stack - type: string - dynamic: - description: Indicates whether new fields are added dynamically. - enum: - - 'false' - - runtime - - strict - - 'true' - type: string - isSpaceAware: - description: | - Indicates whether the alerts are space-aware. If true, space-specific alert indices are used. - type: boolean - mappings: - type: object - properties: - fieldMap: - additionalProperties: - $ref: '#/components/schemas/Alerting_fieldmap_properties' - description: | - Mapping information for each field supported in alerts as data documents for this rule type. For more information about mapping parameters, refer to the Elasticsearch documentation. - type: object - secondaryAlias: - description: | - A secondary alias. It is typically used to support the signals alias for detection rules. - type: string - shouldWrite: - description: | - Indicates whether the rule should write out alerts as data. - type: boolean - useEcs: - description: | - Indicates whether to include the ECS component template for the alerts. - type: boolean - useLegacyAlerts: - default: false - description: | - Indicates whether to include the legacy component template for the alerts. - type: boolean - authorized_consumers: - description: The list of the plugins IDs that have access to the rule type. 
- type: object - properties: - alerts: - type: object - properties: - all: - type: boolean - read: - type: boolean - apm: - type: object - properties: - all: - type: boolean - read: - type: boolean - discover: - type: object - properties: - all: - type: boolean - read: - type: boolean - infrastructure: - type: object - properties: - all: - type: boolean - read: - type: boolean - logs: - type: object - properties: - all: - type: boolean - read: - type: boolean - ml: - type: object - properties: - all: - type: boolean - read: - type: boolean - monitoring: - type: object - properties: - all: - type: boolean - read: - type: boolean - siem: - type: object - properties: - all: - type: boolean - read: - type: boolean - slo: - type: object - properties: - all: - type: boolean - read: - type: boolean - stackAlerts: - type: object - properties: - all: - type: boolean - read: - type: boolean - uptime: - type: object - properties: - all: - type: boolean - read: - type: boolean - category: - description: The rule category, which is used by features such as category-specific maintenance windows. - enum: - - management - - observability - - securitySolution - type: string - default_action_group_id: - description: The default identifier for the rule type group. - type: string - does_set_recovery_context: - description: Indicates whether the rule passes context variables to its recovery action. - type: boolean - enabled_in_license: - description: Indicates whether the rule type is enabled or disabled based on the subscription. - type: boolean - has_alerts_mappings: - description: Indicates whether the rule type has custom mappings for the alert data. - type: boolean - has_fields_for_a_a_d: - type: boolean - id: - description: The unique identifier for the rule type. - type: string - is_exportable: - description: Indicates whether the rule type is exportable in **Stack Management > Saved Objects**. 
- type: boolean - minimum_license_required: - description: The subscriptions required to use the rule type. - example: basic - type: string - name: - description: The descriptive name of the rule type. - type: string - producer: - description: An identifier for the application that produces this rule type. - example: stackAlerts - type: string - recovery_action_group: - description: An action group to use when an alert goes from an active state to an inactive one. - type: object - properties: - id: - type: string - name: - type: string - rule_task_timeout: - example: 5m - type: string - type: array - description: Indicates a successful call. - '401': - content: - application/json: - examples: - ruleTypesUnauthorizedResponse: - $ref: '#/components/examples/Alerting_401_rule_types_response' - schema: - $ref: '#/components/schemas/Alerting_401_response' - description: Authorization information is missing or invalid. - summary: Get the rule types - tags: - - alerting - x-metaTags: - - content: Kibana - name: product_name - /api/alerting/rule/{id}: - delete: - operationId: delete-alerting-rule-id - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given ID does not exist. - summary: Delete a rule - tags: - - alerting - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/alerting/rule/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - get: - operationId: get-alerting-rule-id - parameters: - - description: The identifier for the rule. - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getRuleResponse: - description: A response that contains information about an index threshold rule. - summary: Get an index threshold rule - value: - actions: [] - api_key_owner: elastic - consumer: alerts - created_at: '2022-12-05T23:40:33.132Z' - created_by: elastic - enabled: true - id: 3583a470-74f6-11ed-9801-35303b735aef - mute_all: false - muted_alert_ids: [] - name: my alert - notify_when: onActionGroupChange - params: - aggField: sheet.version - aggType: avg - groupBy: top - index: - - test-index - termField: name.keyword - termSize: 6 - threshold: - - 1000 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 5 - timeWindowUnit: m - revision: 0 - rule_type_id: .index-threshold - schedule: - interval: 1m - tags: - - cpu - throttle: null - updated_at: '2022-12-05T23:40:33.132Z' - updated_by: elastic - schema: - additionalProperties: false - type: object - properties: - actions: - items: - additionalProperties: false - type: object - properties: - alerts_filter: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. 
- items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - connector_type_id: - description: The type of connector. This property appears in responses but cannot be set in requests. - type: string - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. 
- type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - - connector_type_id - - params - type: array - active_snoozes: - items: - description: List of active snoozes for the rule. - type: string - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - api_key_created_by_user: - description: Indicates whether the API key that is associated with the rule was created by the user. - nullable: true - type: boolean - api_key_owner: - description: The owner of the API key that is associated with the rule and used to run background tasks. - nullable: true - type: string - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - description: User-created content that describes alert causes and remdiation. - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - created_at: - description: The date and time that the rule was created. - type: string - created_by: - description: The identifier for the user that created the rule. 
- nullable: true - type: string - enabled: - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - execution_status: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - description: Error message. - type: string - reason: - description: Reason for error. - enum: - - read - - decrypt - - execute - - unknown - - license - - timeout - - disabled - - validate - type: string - required: - - reason - - message - last_duration: - description: Duration of last execution of the rule. - type: number - last_execution_date: - description: The date and time when rule was executed last. - type: string - status: - description: Status of rule execution. - enum: - - ok - - active - - error - - warning - - pending - - unknown - type: string - warning: - additionalProperties: false - type: object - properties: - message: - description: Warning message. - type: string - reason: - description: Reason for warning. - enum: - - maxExecutableActions - - maxAlerts - - maxQueuedActions - - ruleExecution - type: string - required: - - reason - - message - required: - - status - - last_execution_date - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. 
- maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - id: - description: The identifier for the rule. - type: string - is_snoozed_until: - description: The date when the rule will no longer be snoozed. - nullable: true - type: string - last_run: - additionalProperties: false - nullable: true - type: object - properties: - alerts_count: - additionalProperties: false - type: object - properties: - active: - description: Number of active alerts during last run. - nullable: true - type: number - ignored: - description: Number of ignored alerts during last run. - nullable: true - type: number - new: - description: Number of new alerts during last run. - nullable: true - type: number - recovered: - description: Number of recovered alerts during last run. - nullable: true - type: number - outcome: - description: Outcome of last run of the rule. Value could be succeeded, warning or failed. - enum: - - succeeded - - warning - - failed - type: string - outcome_msg: - items: - description: Outcome message generated during last rule run. - type: string - nullable: true - type: array - outcome_order: - description: Order of the outcome. - type: number - warning: - description: Warning of last rule execution. - enum: - - read - - decrypt - - execute - - unknown - - license - - timeout - - disabled - - validate - - maxExecutableActions - - maxAlerts - - maxQueuedActions - - ruleExecution - nullable: true - type: string - required: - - outcome - - alerts_count - mapped_params: - additionalProperties: - nullable: true - type: object - monitoring: - additionalProperties: false - description: Monitoring details of the rule. - type: object - properties: - run: - additionalProperties: false - description: Rule run details. - type: object - properties: - calculated_metrics: - additionalProperties: false - description: Calculation of different percentiles and success ratio. 
- type: object - properties: - p50: - type: number - p95: - type: number - p99: - type: number - success_ratio: - type: number - required: - - success_ratio - history: - description: History of the rule run. - items: - additionalProperties: false - type: object - properties: - duration: - description: Duration of the rule run. - type: number - outcome: - description: Outcome of last run of the rule. Value could be succeeded, warning or failed. - enum: - - succeeded - - warning - - failed - type: string - success: - description: Indicates whether the rule run was successful. - type: boolean - timestamp: - description: Time of rule run. - type: number - required: - - success - - timestamp - type: array - last_run: - additionalProperties: false - type: object - properties: - metrics: - additionalProperties: false - type: object - properties: - duration: - description: Duration of most recent rule run. - type: number - gap_duration_s: - description: Duration in seconds of rule run gap. - nullable: true - type: number - gap_range: - additionalProperties: false - nullable: true - type: object - properties: - gte: - description: End of the gap range. - type: string - lte: - description: Start of the gap range. - type: string - required: - - lte - - gte - total_alerts_created: - description: Total number of alerts created during last rule run. - nullable: true - type: number - total_alerts_detected: - description: Total number of alerts detected during last rule run. - nullable: true - type: number - total_indexing_duration_ms: - description: Total time spent indexing documents during last rule run in milliseconds. - nullable: true - type: number - total_search_duration_ms: - description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. - nullable: true - type: number - timestamp: - description: Time of the most recent rule run. 
- type: string - required: - - timestamp - - metrics - required: - - history - - calculated_metrics - - last_run - required: - - run - mute_all: - description: Indicates whether all alerts are muted. - type: boolean - muted_alert_ids: - items: - description: 'List of identifiers of muted alerts. ' - type: string - type: array - name: - description: ' The name of the rule.' - type: string - next_run: - description: Date and time of the next run of the rule. - nullable: true - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: - nullable: true - description: The parameters for the rule. - type: object - revision: - description: The rule revision number. - type: number - rule_type_id: - description: The rule type identifier. - type: string - running: - description: Indicates whether the rule is running. - nullable: true - type: boolean - schedule: - additionalProperties: false - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - scheduled_task_id: - description: Identifier of the scheduled task. 
- type: string - snooze_schedule: - items: - additionalProperties: false - type: object - properties: - duration: - description: Duration of the rule snooze schedule. - type: number - id: - description: Identifier of the rule snooze schedule. - type: string - rRule: - additionalProperties: false - type: object - properties: - byhour: - items: - description: Indicates hours of the day to recur. - type: number - nullable: true - type: array - byminute: - items: - description: Indicates minutes of the hour to recur. - type: number - nullable: true - type: array - bymonth: - items: - description: Indicates months of the year that this rule should recur. - type: number - nullable: true - type: array - bymonthday: - items: - description: Indicates the days of the month to recur. - type: number - nullable: true - type: array - bysecond: - items: - description: Indicates seconds of the day to recur. - type: number - nullable: true - type: array - bysetpos: - items: - description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. - type: number - nullable: true - type: array - byweekday: - items: - anyOf: - - type: string - - type: number - description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. - nullable: true - type: array - byweekno: - items: - description: Indicates number of the week hours to recur. - type: number - nullable: true - type: array - byyearday: - items: - description: Indicates the days of the year that this rule should recur. - type: number - nullable: true - type: array - count: - description: Number of times the rule should recur until it stops. 
- type: number - dtstart: - description: Rule start date in Coordinated Universal Time (UTC). - type: string - freq: - description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. - enum: - - 0 - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - type: integer - interval: - description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. - type: number - tzid: - description: Indicates timezone abbreviation. - type: string - until: - description: Recur the rule until this date. - type: string - wkst: - description: Indicates the start of week, defaults to Monday. - enum: - - MO - - TU - - WE - - TH - - FR - - SA - - SU - type: string - required: - - dtstart - - tzid - skipRecurrences: - items: - description: Skips recurrence of rule on this date. - type: string - type: array - required: - - duration - - rRule - type: array - tags: - items: - description: The tags for the rule. - type: string - type: array - throttle: - deprecated: true - description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - updated_at: - description: The date and time that the rule was updated most recently. - type: string - updated_by: - description: The identifier for the user that updated this rule most recently. - nullable: true - type: string - view_in_app_relative_url: - description: Relative URL to view rule in the app. 
- nullable: true - type: string - required: - - id - - enabled - - name - - tags - - rule_type_id - - consumer - - schedule - - actions - - params - - created_by - - updated_by - - created_at - - updated_at - - api_key_owner - - mute_all - - muted_alert_ids - - execution_status - - revision - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given ID does not exist. - summary: Get rule details - tags: - - alerting - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/alerting/rule/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - post: - operationId: post-alerting-rule-id - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. If it is omitted, an ID is randomly generated. - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - createEsQueryEsqlRuleRequest: - description: | - Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications. - summary: Elasticsearch query rule (ES|QL) - value: - actions: - - frequency: - notify_when: onActiveAlert - summary: false - group: query matched - id: d0db1fe0-78d6-11ee-9177-f7d404c8c945 - params: - level: info - message: |- - Elasticsearch query rule '{{rule.name}}' is active: - - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}} - consumer: stackAlerts - name: my Elasticsearch query ESQL rule - params: - esqlQuery: - esql: FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != "GB" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10 - searchType: esqlQuery - size: 0 - threshold: - - 0 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 1 - timeWindowUnit: d - rule_type_id: .es-query - schedule: - interval: 1d - createEsQueryKqlRuleRequest: - description: Create an Elasticsearch query rule that uses Kibana query language (KQL). 
- summary: Elasticsearch query rule (KQL) - value: - consumer: alerts - name: my Elasticsearch query KQL rule - params: - aggType: count - excludeHitsFromPreviousRun: true - groupBy: all - searchConfiguration: - index: 90943e30-9a47-11e8-b64d-95841ca0b247 - query: - language: kuery - query: '""geo.src : "US" ""' - searchType: searchSource - size: 100 - threshold: - - 1000 - thresholdComparator: '>' - timeWindowSize: 5 - timeWindowUnit: m - rule_type_id: .es-query - schedule: - interval: 1m - createEsQueryRuleRequest: - description: | - Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications. - summary: Elasticsearch query rule (DSL) - value: - actions: - - frequency: - notify_when: onThrottleInterval - summary: true - throttle: 1d - group: query matched - id: fdbece50-406c-11ee-850e-c71febc4ca7f - params: - level: info - message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts. - - frequency: - notify_when: onActionGroupChange - summary: false - group: recovered - id: fdbece50-406c-11ee-850e-c71febc4ca7f - params: - level: info - message: Recovered - consumer: alerts - name: my Elasticsearch query rule - params: - esQuery: '"""{"query":{"match_all" : {}}}"""' - index: - - kibana_sample_data_logs - size: 100 - threshold: - - 100 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 1 - timeWindowUnit: d - rule_type_id: .es-query - schedule: - interval: 1d - createIndexThresholdRuleRequest: - description: | - Create an index threshold rule that uses a server log connector to send notifications when the threshold is met. 
- summary: Index threshold rule - value: - actions: - - frequency: - notify_when: onActionGroupChange - summary: false - group: threshold met - id: 48de3460-f401-11ed-9f8e-399c75a2deeb - params: - level: info - message: |- - Rule '{{rule.name}}' is active for group '{{context.group}}': - - - Value: {{context.value}} - - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - - Timestamp: {{context.date}} - alert_delay: - active: 3 - consumer: alerts - name: my rule - params: - aggField: sheet.version - aggType: avg - groupBy: top - index: - - .test-index - termField: name.keyword - termSize: 6 - threshold: - - 1000 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 5 - timeWindowUnit: m - rule_type_id: .index-threshold - schedule: - interval: 1m - tags: - - cpu - createTrackingContainmentRuleRequest: - description: | - Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary. 
- summary: Tracking containment rule - value: - consumer: alerts - name: my tracking rule - params: - boundaryGeoField: location - boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc - boundaryIndexTitle: boundary* - boundaryNameField: name - boundaryType: entireIndex - dateField": '@timestamp' - entity: agent.keyword - geoField: geo.coordinates - index: kibana_sample_data_logs - indexId: 90943e30-9a47-11e8-b64d-95841ca0b247 - rule_type_id: .geo-containment - schedule: - interval: 1h - schema: - anyOf: - - discriminator: - propertyName: rule_type_id - oneOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting' - - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_es-query-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_transform-health-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting' - - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting' - - additionalProperties: false - type: object - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. 
- nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. 
- type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the rule. - type: object - rule_type_id: - description: The rule type identifier. - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - responses: - '200': - content: - application/json: - examples: - createEsQueryEsqlRuleResponse: - description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL). - summary: Elasticsearch query rule (ES|QL) - value: - actions: - - connector_type_id: .server-log - frequency: - notify_when: onActiveAlert - summary: false - throttle: null - group: query matched - id: d0db1fe0-78d6-11ee-9177-f7d404c8c945 - params: - level: info - message: |- - Elasticsearch query rule '{{rule.name}}' is active: - - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}} - uuid: bfe370a3-531b-4855-bbe6-ad739f578844 - api_key_created_by_user: false - api_key_owner: elastic - consumer: stackAlerts - created_at: '2023-11-01T19:00:10.453Z' - created_by: elastic - enabled: true - execution_status: - last_execution_date: '2023-11-01T19:00:10.453Z' - status: pending - id: e0d62360-78e8-11ee-9177-f7d404c8c945 - mute_all: false - muted_alert_ids: [] - name: my Elasticsearch query ESQL rule - notify_when: null - params: - aggType: count - esqlQuery: - esql: FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != "GB" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10 - excludeHitsFromPreviousRun": true, - groupBy: all - searchType: esqlQuery - size: 0 - threshold: - - 0 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 1 - timeWindowUnit: d - revision: 0 - rule_type_id: .es-query - running: false - schedule: - interval: 1d - scheduled_task_id: e0d62360-78e8-11ee-9177-f7d404c8c945 - tags: [] - throttle: null - updated_at: '2023-11-01T19:00:10.453Z' - updated_by: elastic", - createEsQueryKqlRuleResponse: - 
description: The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL). - summary: Elasticsearch query rule (KQL) - value: - actions: [] - api_key_created_by_user: false - api_key_owner: elastic - consumer: alerts - created_at: '2023-07-14T20:24:50.729Z' - created_by: elastic - enabled: true - execution_status: - last_execution_date: '2023-07-14T20:24:50.729Z' - status: pending - id: 7bd506d0-2284-11ee-8fad-6101956ced88 - mute_all: false - muted_alert_ids: [] - name: my Elasticsearch query KQL rule" - notify_when: null - params: - aggType: count - excludeHitsFromPreviousRun: true - groupBy: all - searchConfiguration: - index: 90943e30-9a47-11e8-b64d-95841ca0b247 - query: - language: kuery - query: '""geo.src : "US" ""' - searchType: searchSource - size: 100 - threshold: - - 1000 - thresholdComparator: '>' - timeWindowSize: 5 - timeWindowUnit: m - revision: 0 - rule_type_id: .es-query - running: false - schedule: - interval: 1m - scheduled_task_id: 7bd506d0-2284-11ee-8fad-6101956ced88 - tags: [] - throttle: null - updated_at: '2023-07-14T20:24:50.729Z' - updated_by: elastic - createEsQueryRuleResponse: - description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL). - summary: Elasticsearch query rule (DSL) - value: - actions: - - connector_type_id: .server-log - frequency: - notify_when: onThrottleInterval - summary: true - throttle: 1d - group: query matched - id: fdbece50-406c-11ee-850e-c71febc4ca7f - params: - level: info - message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts. 
- uuid: 53f3c2a3-e5d0-4cfa-af3b-6f0881385e78 - - connector_type_id: .server-log - frequency: - notify_when: onActionGroupChange - summary: false - throttle: null - group: recovered - id: fdbece50-406c-11ee-850e-c71febc4ca7f - params: - level: info - message: Recovered - uuid: 2324e45b-c0df-45c7-9d70-4993e30be758 - api_key_created_by_user: false - api_key_owner: elastic - consumer: alerts - created_at: '2023-08-22T00:03:38.263Z' - created_by: elastic - enabled: true - execution_status: - last_execution_date: '2023-08-22T00:03:38.263Z' - status: pending - id: 58148c70-407f-11ee-850e-c71febc4ca7f - mute_all: false - muted_alert_ids: [] - name: my Elasticsearch query rule - notify_when: null - params: - aggType: count - esQuery: '"""{"query":{"match_all" : {}}}"""' - excludeHitsFromPreviousRun: true - groupBy: all - index: - - kibana_sample_data_logs - searchType: esQuery - size: 100 - threshold: - - 100 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 1 - timeWindowUnit: d - revision: 0 - rule_type_id: .es-query - running: false - schedule: - interval: 1d - scheduled_task_id: 58148c70-407f-11ee-850e-c71febc4ca7f - tags: [] - throttle: null - updated_at: '2023-08-22T00:03:38.263Z' - updated_by: elastic - createIndexThresholdRuleResponse: - description: The response for successfully creating an index threshold rule. 
- summary: Index threshold rule - value: - actions: - - connector_type_id: .server-log - frequency: - notify_when: onActionGroupChange - summary: false - throttle: null - group: threshold met - id: dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2 - params: - level: info - message: |- - Rule {{rule.name}} is active for group {{context.group} : - - - Value: {{context.value}} - - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - - Timestamp: {{context.date}} - uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d - alert_delay: - active: 3 - api_key_created_by_user: false - api_key_owner: elastic - consumer: alerts - created_at: '2022-06-08T17:20:31.632Z' - created_by: elastic - enabled: true - execution_status: - last_execution_date: '2022-06-08T17:20:31.632Z' - status: pending - id: 41893910-6bca-11eb-9e0d-85d233e3ee35 - mute_all: false - muted_alert_ids: [] - name: my rule - notify_when: null - params: - aggField: sheet.version - aggType: avg - groupBy: top - index: - - .test-index - termField: name.keyword - termSize: 6 - threshold: - - 1000 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 5 - timeWindowUnit: m - revision: 0 - rule_type_id: .index-threshold - running: false - schedule: - interval: 1m - scheduled_task_id: 425b0800-6bca-11eb-9e0d-85d233e3ee35 - tags: - - cpu - throttle: null - updated_at: '2022-06-08T17:20:31.632Z' - updated_by: elastic - createTrackingContainmentRuleResponse: - description: The response for successfully creating a tracking containment rule. 
- summary: Tracking containment rule - value: - actions: [] - api_key_created_by_user: false - api_key_owner: elastic - consumer: alerts - created_at: '2024-02-14T19:52:55.920Z' - created_by: elastic - enabled: true - execution_status: - last_duration: 74 - last_execution_date: '2024-02-15T03:25:38.125Z' - status: ok - id: b6883f9d-5f70-4758-a66e-369d7c26012f - last_run: - alerts_count: - active: 0 - ignored: 0 - new: 0 - recovered: 0 - outcome: succeeded - outcome_msg: null - outcome_order: 0 - warning: null - mute_all: false - muted_alert_ids: [] - name: my tracking rule - next_run: '2024-02-15T03:26:38.033Z' - notify_when: null - params: - boundaryGeoField: location - boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc - boundaryIndexTitle: boundary* - boundaryNameField: name - boundaryType: entireIndex - dateField: '@timestamp' - entity: agent.keyword - geoField: geo.coordinates - index: kibana_sample_data_logs - indexId: 90943e30-9a47-11e8-b64d-95841ca0b247 - revision: 1 - rule_type_id: .geo-containment - running: false - schedule: - interval: 1h - scheduled_task_id: b6883f9d-5f70-4758-a66e-369d7c26012f - tags: [] - throttle: null - updated_at: '2024-02-15T03:24:32.574Z' - updated_by: elastic - schema: - additionalProperties: false - type: object - properties: - actions: - items: - additionalProperties: false - type: object - properties: - alerts_filter: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. 
- items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - connector_type_id: - description: The type of connector. This property appears in responses but cannot be set in requests. - type: string - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. 
- type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - - connector_type_id - - params - type: array - active_snoozes: - items: - description: List of active snoozes for the rule. - type: string - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - api_key_created_by_user: - description: Indicates whether the API key that is associated with the rule was created by the user. - nullable: true - type: boolean - api_key_owner: - description: The owner of the API key that is associated with the rule and used to run background tasks. - nullable: true - type: string - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - description: User-created content that describes alert causes and remdiation. - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - created_at: - description: The date and time that the rule was created. - type: string - created_by: - description: The identifier for the user that created the rule. 
- nullable: true - type: string - enabled: - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - execution_status: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - description: Error message. - type: string - reason: - description: Reason for error. - enum: - - read - - decrypt - - execute - - unknown - - license - - timeout - - disabled - - validate - type: string - required: - - reason - - message - last_duration: - description: Duration of last execution of the rule. - type: number - last_execution_date: - description: The date and time when rule was executed last. - type: string - status: - description: Status of rule execution. - enum: - - ok - - active - - error - - warning - - pending - - unknown - type: string - warning: - additionalProperties: false - type: object - properties: - message: - description: Warning message. - type: string - reason: - description: Reason for warning. - enum: - - maxExecutableActions - - maxAlerts - - maxQueuedActions - - ruleExecution - type: string - required: - - reason - - message - required: - - status - - last_execution_date - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. 
- maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - id: - description: The identifier for the rule. - type: string - is_snoozed_until: - description: The date when the rule will no longer be snoozed. - nullable: true - type: string - last_run: - additionalProperties: false - nullable: true - type: object - properties: - alerts_count: - additionalProperties: false - type: object - properties: - active: - description: Number of active alerts during last run. - nullable: true - type: number - ignored: - description: Number of ignored alerts during last run. - nullable: true - type: number - new: - description: Number of new alerts during last run. - nullable: true - type: number - recovered: - description: Number of recovered alerts during last run. - nullable: true - type: number - outcome: - description: Outcome of last run of the rule. Value could be succeeded, warning or failed. - enum: - - succeeded - - warning - - failed - type: string - outcome_msg: - items: - description: Outcome message generated during last rule run. - type: string - nullable: true - type: array - outcome_order: - description: Order of the outcome. - type: number - warning: - description: Warning of last rule execution. - enum: - - read - - decrypt - - execute - - unknown - - license - - timeout - - disabled - - validate - - maxExecutableActions - - maxAlerts - - maxQueuedActions - - ruleExecution - nullable: true - type: string - required: - - outcome - - alerts_count - mapped_params: - additionalProperties: - nullable: true - type: object - monitoring: - additionalProperties: false - description: Monitoring details of the rule. - type: object - properties: - run: - additionalProperties: false - description: Rule run details. - type: object - properties: - calculated_metrics: - additionalProperties: false - description: Calculation of different percentiles and success ratio. 
- type: object - properties: - p50: - type: number - p95: - type: number - p99: - type: number - success_ratio: - type: number - required: - - success_ratio - history: - description: History of the rule run. - items: - additionalProperties: false - type: object - properties: - duration: - description: Duration of the rule run. - type: number - outcome: - description: Outcome of last run of the rule. Value could be succeeded, warning or failed. - enum: - - succeeded - - warning - - failed - type: string - success: - description: Indicates whether the rule run was successful. - type: boolean - timestamp: - description: Time of rule run. - type: number - required: - - success - - timestamp - type: array - last_run: - additionalProperties: false - type: object - properties: - metrics: - additionalProperties: false - type: object - properties: - duration: - description: Duration of most recent rule run. - type: number - gap_duration_s: - description: Duration in seconds of rule run gap. - nullable: true - type: number - gap_range: - additionalProperties: false - nullable: true - type: object - properties: - gte: - description: End of the gap range. - type: string - lte: - description: Start of the gap range. - type: string - required: - - lte - - gte - total_alerts_created: - description: Total number of alerts created during last rule run. - nullable: true - type: number - total_alerts_detected: - description: Total number of alerts detected during last rule run. - nullable: true - type: number - total_indexing_duration_ms: - description: Total time spent indexing documents during last rule run in milliseconds. - nullable: true - type: number - total_search_duration_ms: - description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. - nullable: true - type: number - timestamp: - description: Time of the most recent rule run. 
- type: string - required: - - timestamp - - metrics - required: - - history - - calculated_metrics - - last_run - required: - - run - mute_all: - description: Indicates whether all alerts are muted. - type: boolean - muted_alert_ids: - items: - description: 'List of identifiers of muted alerts. ' - type: string - type: array - name: - description: ' The name of the rule.' - type: string - next_run: - description: Date and time of the next run of the rule. - nullable: true - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: - nullable: true - description: The parameters for the rule. - type: object - revision: - description: The rule revision number. - type: number - rule_type_id: - description: The rule type identifier. - type: string - running: - description: Indicates whether the rule is running. - nullable: true - type: boolean - schedule: - additionalProperties: false - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - scheduled_task_id: - description: Identifier of the scheduled task. 
- type: string - snooze_schedule: - items: - additionalProperties: false - type: object - properties: - duration: - description: Duration of the rule snooze schedule. - type: number - id: - description: Identifier of the rule snooze schedule. - type: string - rRule: - additionalProperties: false - type: object - properties: - byhour: - items: - description: Indicates hours of the day to recur. - type: number - nullable: true - type: array - byminute: - items: - description: Indicates minutes of the hour to recur. - type: number - nullable: true - type: array - bymonth: - items: - description: Indicates months of the year that this rule should recur. - type: number - nullable: true - type: array - bymonthday: - items: - description: Indicates the days of the month to recur. - type: number - nullable: true - type: array - bysecond: - items: - description: Indicates seconds of the day to recur. - type: number - nullable: true - type: array - bysetpos: - items: - description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. - type: number - nullable: true - type: array - byweekday: - items: - anyOf: - - type: string - - type: number - description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. - nullable: true - type: array - byweekno: - items: - description: Indicates number of the week hours to recur. - type: number - nullable: true - type: array - byyearday: - items: - description: Indicates the days of the year that this rule should recur. - type: number - nullable: true - type: array - count: - description: Number of times the rule should recur until it stops. 
- type: number - dtstart: - description: Rule start date in Coordinated Universal Time (UTC). - type: string - freq: - description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. - enum: - - 0 - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - type: integer - interval: - description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. - type: number - tzid: - description: Indicates timezone abbreviation. - type: string - until: - description: Recur the rule until this date. - type: string - wkst: - description: Indicates the start of week, defaults to Monday. - enum: - - MO - - TU - - WE - - TH - - FR - - SA - - SU - type: string - required: - - dtstart - - tzid - skipRecurrences: - items: - description: Skips recurrence of rule on this date. - type: string - type: array - required: - - duration - - rRule - type: array - tags: - items: - description: The tags for the rule. - type: string - type: array - throttle: - deprecated: true - description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - updated_at: - description: The date and time that the rule was updated most recently. - type: string - updated_by: - description: The identifier for the user that updated this rule most recently. - nullable: true - type: string - view_in_app_relative_url: - description: Relative URL to view rule in the app. 
- nullable: true - type: string - required: - - id - - enabled - - name - - tags - - rule_type_id - - consumer - - schedule - - actions - - params - - created_by - - updated_by - - created_at - - updated_at - - api_key_owner - - mute_all - - muted_alert_ids - - execution_status - - revision - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '409': - description: Indicates that the rule id is already in use. - summary: Create a rule - tags: - - alerting - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/alerting/rule/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - put: - operationId: put-alerting-rule-id - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - updateRuleRequest: - description: Update an index threshold rule that uses a server log connector to send notifications when the threshold is met. - summary: Index threshold rule - value: - actions: - - frequency: - notify_when: onActionGroupChange - summary: false - group: threshold met - id: 96b668d0-a1b6-11ed-afdf-d39a49596974 - params: - level: info - message: |- - Rule {{rule.name}} is active for group {{context.group}}: - - - Value: {{context.value}} - - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - - Timestamp: {{context.date}} - name: new name - params: - aggField: sheet.version - aggType: avg - groupBy: top - index: - - .updated-index - termField: name.keyword - termSize: 6 - threshold: - - 1000 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 5 - timeWindowUnit: m - schedule: - interval: 1m - tags: [] - schema: - additionalProperties: false - type: object - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). 
- type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. 
Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. 
- type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. 
- maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the rule. - type: object - schedule: - additionalProperties: false - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - items: - description: The tags for the rule. - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - name - - schedule - responses: - '200': - content: - application/json: - examples: - updateRuleResponse: - description: The response for successfully updating an index threshold rule. - summary: Index threshold rule - value: - actions: - - connector_type_id: .server-log - frequency: - notify_when: onActionGroupChange - summary: false - throttle: null - group: threshold met - id: 96b668d0-a1b6-11ed-afdf-d39a49596974 - params: - level: info - message: |- - Rule {{rule.name}} is active for group {{context.group}}: - - - Value: {{context.value}} - - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - - Timestamp: {{context.date} - uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d - api_key_created_by_user: false - api_key_owner: elastic - consumer: alerts - created_at: '2024-03-26T23:13:20.985Z' - created_by: elastic - enabled: true - execution_status: - last_duration: 52 - last_execution_date: '2024-03-26T23:22:51.390Z' - status: ok - id: ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74 - last_run: - alerts_count: - active: 0 - ignored: 0 - new: 0 - recovered: 0 - outcome: succeeded - outcome_msg: null - warning: null - mute_all: false - muted_alert_ids: [] - name: new name - next_run: '2024-03-26T23:23:51.316Z' - params: - aggField: sheet.version - aggType: avg - groupBy: top - index: - - .updated-index - termField: name.keyword - termSize: 6 - threshold: - - 1000 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 5 - timeWindowUnit: m - revision: 1 - rule_type_id: .index-threshold - running: false - schedule: - interval: 1m - scheduled_task_id: 4c5eda00-e74f-11ec-b72f-5b18752ff9ea - tags: [] - throttle: null - updated_at: '2024-03-26T23:22:59.949Z' - updated_by: elastic - schema: - additionalProperties: false - type: object - properties: - actions: - items: - additionalProperties: false - type: object - properties: - alerts_filter: - additionalProperties: false - 
description: Defines a period that limits whether the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. 
Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - connector_type_id: - description: The type of connector. This property appears in responses but cannot be set in requests. - type: string - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). 
Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - - connector_type_id - - params - type: array - active_snoozes: - items: - description: List of active snoozes for the rule. - type: string - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - api_key_created_by_user: - description: Indicates whether the API key that is associated with the rule was created by the user. - nullable: true - type: boolean - api_key_owner: - description: The owner of the API key that is associated with the rule and used to run background tasks. - nullable: true - type: string - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - description: User-created content that describes alert causes and remdiation. - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - created_at: - description: The date and time that the rule was created. - type: string - created_by: - description: The identifier for the user that created the rule. - nullable: true - type: string - enabled: - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - execution_status: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - description: Error message. - type: string - reason: - description: Reason for error. - enum: - - read - - decrypt - - execute - - unknown - - license - - timeout - - disabled - - validate - type: string - required: - - reason - - message - last_duration: - description: Duration of last execution of the rule. - type: number - last_execution_date: - description: The date and time when rule was executed last. - type: string - status: - description: Status of rule execution. - enum: - - ok - - active - - error - - warning - - pending - - unknown - type: string - warning: - additionalProperties: false - type: object - properties: - message: - description: Warning message. - type: string - reason: - description: Reason for warning. - enum: - - maxExecutableActions - - maxAlerts - - maxQueuedActions - - ruleExecution - type: string - required: - - reason - - message - required: - - status - - last_execution_date - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. 
- type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - id: - description: The identifier for the rule. - type: string - is_snoozed_until: - description: The date when the rule will no longer be snoozed. - nullable: true - type: string - last_run: - additionalProperties: false - nullable: true - type: object - properties: - alerts_count: - additionalProperties: false - type: object - properties: - active: - description: Number of active alerts during last run. - nullable: true - type: number - ignored: - description: Number of ignored alerts during last run. - nullable: true - type: number - new: - description: Number of new alerts during last run. - nullable: true - type: number - recovered: - description: Number of recovered alerts during last run. - nullable: true - type: number - outcome: - description: Outcome of last run of the rule. Value could be succeeded, warning or failed. - enum: - - succeeded - - warning - - failed - type: string - outcome_msg: - items: - description: Outcome message generated during last rule run. - type: string - nullable: true - type: array - outcome_order: - description: Order of the outcome. - type: number - warning: - description: Warning of last rule execution. - enum: - - read - - decrypt - - execute - - unknown - - license - - timeout - - disabled - - validate - - maxExecutableActions - - maxAlerts - - maxQueuedActions - - ruleExecution - nullable: true - type: string - required: - - outcome - - alerts_count - mapped_params: - additionalProperties: - nullable: true - type: object - monitoring: - additionalProperties: false - description: Monitoring details of the rule. 
- type: object - properties: - run: - additionalProperties: false - description: Rule run details. - type: object - properties: - calculated_metrics: - additionalProperties: false - description: Calculation of different percentiles and success ratio. - type: object - properties: - p50: - type: number - p95: - type: number - p99: - type: number - success_ratio: - type: number - required: - - success_ratio - history: - description: History of the rule run. - items: - additionalProperties: false - type: object - properties: - duration: - description: Duration of the rule run. - type: number - outcome: - description: Outcome of last run of the rule. Value could be succeeded, warning or failed. - enum: - - succeeded - - warning - - failed - type: string - success: - description: Indicates whether the rule run was successful. - type: boolean - timestamp: - description: Time of rule run. - type: number - required: - - success - - timestamp - type: array - last_run: - additionalProperties: false - type: object - properties: - metrics: - additionalProperties: false - type: object - properties: - duration: - description: Duration of most recent rule run. - type: number - gap_duration_s: - description: Duration in seconds of rule run gap. - nullable: true - type: number - gap_range: - additionalProperties: false - nullable: true - type: object - properties: - gte: - description: End of the gap range. - type: string - lte: - description: Start of the gap range. - type: string - required: - - lte - - gte - total_alerts_created: - description: Total number of alerts created during last rule run. - nullable: true - type: number - total_alerts_detected: - description: Total number of alerts detected during last rule run. - nullable: true - type: number - total_indexing_duration_ms: - description: Total time spent indexing documents during last rule run in milliseconds. 
- nullable: true - type: number - total_search_duration_ms: - description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. - nullable: true - type: number - timestamp: - description: Time of the most recent rule run. - type: string - required: - - timestamp - - metrics - required: - - history - - calculated_metrics - - last_run - required: - - run - mute_all: - description: Indicates whether all alerts are muted. - type: boolean - muted_alert_ids: - items: - description: 'List of identifiers of muted alerts. ' - type: string - type: array - name: - description: ' The name of the rule.' - type: string - next_run: - description: Date and time of the next run of the rule. - nullable: true - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: - nullable: true - description: The parameters for the rule. - type: object - revision: - description: The rule revision number. - type: number - rule_type_id: - description: The rule type identifier. - type: string - running: - description: Indicates whether the rule is running. 
- nullable: true - type: boolean - schedule: - additionalProperties: false - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - scheduled_task_id: - description: Identifier of the scheduled task. - type: string - snooze_schedule: - items: - additionalProperties: false - type: object - properties: - duration: - description: Duration of the rule snooze schedule. - type: number - id: - description: Identifier of the rule snooze schedule. - type: string - rRule: - additionalProperties: false - type: object - properties: - byhour: - items: - description: Indicates hours of the day to recur. - type: number - nullable: true - type: array - byminute: - items: - description: Indicates minutes of the hour to recur. - type: number - nullable: true - type: array - bymonth: - items: - description: Indicates months of the year that this rule should recur. - type: number - nullable: true - type: array - bymonthday: - items: - description: Indicates the days of the month to recur. - type: number - nullable: true - type: array - bysecond: - items: - description: Indicates seconds of the day to recur. - type: number - nullable: true - type: array - bysetpos: - items: - description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. - type: number - nullable: true - type: array - byweekday: - items: - anyOf: - - type: string - - type: number - description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. - nullable: true - type: array - byweekno: - items: - description: Indicates number of the week hours to recur. 
- type: number - nullable: true - type: array - byyearday: - items: - description: Indicates the days of the year that this rule should recur. - type: number - nullable: true - type: array - count: - description: Number of times the rule should recur until it stops. - type: number - dtstart: - description: Rule start date in Coordinated Universal Time (UTC). - type: string - freq: - description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. - enum: - - 0 - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - type: integer - interval: - description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. - type: number - tzid: - description: Indicates timezone abbreviation. - type: string - until: - description: Recur the rule until this date. - type: string - wkst: - description: Indicates the start of week, defaults to Monday. - enum: - - MO - - TU - - WE - - TH - - FR - - SA - - SU - type: string - required: - - dtstart - - tzid - skipRecurrences: - items: - description: Skips recurrence of rule on this date. - type: string - type: array - required: - - duration - - rRule - type: array - tags: - items: - description: The tags for the rule. - type: string - type: array - throttle: - deprecated: true - description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - updated_at: - description: The date and time that the rule was updated most recently. - type: string - updated_by: - description: The identifier for the user that updated this rule most recently. 
- nullable: true - type: string - view_in_app_relative_url: - description: Relative URL to view rule in the app. - nullable: true - type: string - required: - - id - - enabled - - name - - tags - - rule_type_id - - consumer - - schedule - - actions - - params - - created_by - - updated_by - - created_at - - updated_at - - api_key_owner - - mute_all - - muted_alert_ids - - execution_status - - revision - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given ID does not exist. - '409': - description: Indicates that the rule has already been updated by another user. - summary: Update a rule - tags: - - alerting - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/alerting/rule/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/alerting/rule/{id}/_disable: - post: - operationId: post-alerting-rule-id-disable - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - disableRuleRequest: - description: A request that disables a rule and untracks all alerts that were generated by the rule. - summary: Disable a rule and untrack its alerts - value: - untrack: true - schema: - additionalProperties: false - nullable: true - type: object - properties: - untrack: - description: Defines whether this rule's alerts should be untracked. - type: boolean - x-oas-optional: true - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given ID does not exist. - summary: Disable a rule - tags: - - alerting - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/alerting/rule/{id}/_disable
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/alerting/rule/{id}/_enable: - post: - operationId: post-alerting-rule-id-enable - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given ID does not exist. - summary: Enable a rule - tags: - - alerting - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/alerting/rule/{id}/_enable
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/alerting/rule/{id}/_mute_all: - post: - operationId: post-alerting-rule-id-mute-all - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given ID does not exist. - summary: Mute all alerts - tags: - - alerting - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/alerting/rule/{id}/_mute_all
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/alerting/rule/{id}/_unmute_all: - post: - operationId: post-alerting-rule-id-unmute-all - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given ID does not exist. - summary: Unmute all alerts - tags: - - alerting - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/alerting/rule/{id}/_unmute_all
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/alerting/rule/{id}/_update_api_key: - post: - operationId: post-alerting-rule-id-update-api-key - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given ID does not exist. - '409': - description: Indicates that the rule has already been updated by another user. - summary: Update the API key for a rule - tags: - - alerting - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/alerting/rule/{id}/_update_api_key
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/alerting/rule/{id}/snooze_schedule: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/alerting/rule/{id}/snooze_schedule
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - When you snooze a rule, the rule checks continue to run but alerts will not generate actions. You can snooze for a specified period of time and schedule single or recurring downtimes. - operationId: post-alerting-rule-id-snooze-schedule - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Identifier of the rule. - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - snoozeRuleRecurringRequest: - description: A request that snoozes a rule every Monday for 8 hours, for 4 occurrences. - summary: Snooze a rule on a recurring weekly schedule - value: - schedule: - custom: - duration: 8h - recurring: - every: 1w - occurrences: 4 - onWeekDay: - - MO - start: '2025-03-17T09:00:00.000Z' - timezone: UTC - snoozeRuleRequest: - description: A request that snoozes a rule for 24 hours starting now. - summary: Snooze a rule for 24 hours - value: - schedule: - custom: - duration: 24h - start: '2025-03-12T12:00:00.000Z' - timezone: UTC - schema: - additionalProperties: false - type: object - properties: - schedule: - additionalProperties: false - type: object - properties: - custom: - additionalProperties: false - type: object - properties: - duration: - description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' - type: string - recurring: - additionalProperties: false - type: object - properties: - end: - description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' - type: string - every: - description: 'The interval and frequency of a recurring schedule. 
It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' - type: string - occurrences: - description: The total number of recurrences of the schedule. - minimum: 1 - type: number - onMonth: - description: The specific months for a recurring schedule. Valid values are 1-12. - items: - maximum: 12 - minimum: 1 - type: number - minItems: 1 - type: array - onMonthDay: - description: The specific days of the month for a recurring schedule. Valid values are 1-31. - items: - maximum: 31 - minimum: 1 - type: number - minItems: 1 - type: array - onWeekDay: - description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. - items: - type: string - minItems: 1 - type: array - start: - description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' - type: string - timezone: - description: The timezone of the schedule. The default timezone is UTC. - type: string - required: - - start - - duration - required: - - schedule - responses: - '200': - content: - application/json: - examples: - snoozeRuleResponse: - description: A response that contains the created snooze schedule. - summary: Snooze schedule response - value: - schedule: - custom: - duration: 24h - start: '2025-03-12T12:00:00.000Z' - timezone: UTC - id: 9ac67950-6737-11ec-8ded-d7f6e1581b26 - schema: - additionalProperties: false - type: object - properties: - body: - additionalProperties: false - type: object - properties: - schedule: - additionalProperties: false - type: object - properties: - custom: - additionalProperties: false - type: object - properties: - duration: - description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' 
- type: string - recurring: - additionalProperties: false - type: object - properties: - end: - description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' - type: string - every: - description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' - type: string - occurrences: - description: The total number of recurrences of the schedule. - minimum: 1 - type: number - onMonth: - description: The specific months for a recurring schedule. Valid values are 1-12. - items: - maximum: 12 - minimum: 1 - type: number - minItems: 1 - type: array - onMonthDay: - description: The specific days of the month for a recurring schedule. Valid values are 1-31. - items: - maximum: 31 - minimum: 1 - type: number - minItems: 1 - type: array - onWeekDay: - description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. - items: - type: string - minItems: 1 - type: array - start: - description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' - type: string - timezone: - description: The timezone of the schedule. The default timezone is UTC. - type: string - required: - - start - - duration - id: - description: Identifier of the snooze schedule. - type: string - required: - - id - required: - - schedule - required: - - body - description: Indicates a successful call. - '400': - description: Indicates an invalid schema. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given id does not exist. 
- summary: Schedule a snooze for the rule - tags: - - alerting - x-state: Generally available; added in 8.19.0 - x-metaTags: - - content: Kibana - name: product_name - /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute: - post: - operationId: post-alerting-rule-rule-id-alert-alert-id-mute - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: rule_id - required: true - schema: - type: string - - description: The identifier for the alert. - in: path - name: alert_id - required: true - schema: - type: string - - description: Whether to validate the existence of the alert. - in: query - name: validate_alerts_existence - required: false - schema: - type: boolean - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule or alert with the given ID does not exist. - summary: Mute an alert - tags: - - alerting - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute: - post: - operationId: post-alerting-rule-rule-id-alert-alert-id-unmute - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: rule_id - required: true - schema: - type: string - - description: The identifier for the alert. - in: path - name: alert_id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule or alert with the given ID does not exist. - summary: Unmute an alert - tags: - - alerting - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}: - delete: - operationId: delete-alerting-rule-ruleid-snooze-schedule-scheduleid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: ruleId - required: true - schema: - type: string - - description: The identifier for the snooze schedule. - in: path - name: scheduleId - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given id does not exist. - summary: Delete a snooze schedule for a rule - tags: - - alerting - x-state: Generally available; added in 8.19.0 - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/alerting/rules/_find: - get: - operationId: get-alerting-rules-find - parameters: - - description: The number of rules to return per page. - in: query - name: per_page - required: false - schema: - default: 10 - minimum: 0 - type: number - - description: The page number to return. - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: number - - description: An Elasticsearch simple_query_string query that filters the objects in the response. - in: query - name: search - required: false - schema: - type: string - - description: The default operator to use for the simple_query_string. - in: query - name: default_search_operator - required: false - schema: - default: OR - enum: - - OR - - AND - type: string - - description: The fields to perform the simple_query_string parsed query against. - in: query - name: search_fields - required: false - schema: - items: - type: string - type: array - - description: Determines which field is used to sort the results. The field must exist in the `attributes` key of the response. - in: query - name: sort_field - required: false - schema: - type: string - - description: Determines the sort order. - in: query - name: sort_order - required: false - schema: - enum: - - asc - - desc - type: string - - description: Filters the rules that have a relation with the reference objects with a specific type and identifier. - in: query - name: has_reference - required: false - schema: - additionalProperties: false - nullable: true - type: object - properties: - id: - type: string - type: - type: string - required: - - type - - id - - description: The fields to return in the `attributes` key of the response. - in: query - name: fields - required: false - schema: - items: - type: string - type: array - - description: 'A KQL string that you filter with an attribute from your saved object. 
It should look like `savedObjectType.attributes.title: "myTitle"`. However, if you used a direct attribute of a saved object, such as `updatedAt`, you must define your filter, for example, `savedObjectType.updatedAt > 2018-12-22`.' - in: query - name: filter - required: false - schema: - type: string - - in: query - name: filter_consumers - required: false - schema: - items: - description: List of consumers to filter. - type: string - type: array - responses: - '200': - content: - application/json: - examples: - findConditionalActionRulesResponse: - description: A response that contains information about an index threshold rule. - summary: Index threshold rule - value: - data: - - actions: - - frequency: - notify_when: onActionGroupChange - summary: false - throttle: null - group: threshold met - id: 9dca3e00-74f5-11ed-9801-35303b735aef - params: - connector_type_id: .server-log - level: info - message: |- - Rule {{rule.name}} is active for group {{context.group}}: - - - Value: {{context.value}} - - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - - Timestamp: {{context.date}} - uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61 - api_key_created_by_user: false - api_key_owner: elastic - consumer: alerts - created_at: '2022-12-05T23:40:33.132Z' - created_by: elastic - enabled: true - execution_status: - last_duration: 48 - last_execution_date: '2022-12-06T01:44:23.983Z' - status: ok - id: 3583a470-74f6-11ed-9801-35303b735aef - last_run: - alerts_count: - active: 0 - ignored: 0 - new: 0 - recovered: 0 - outcome: succeeded - outcome_msg: null - warning: null - mute_all: false - muted_alert_ids: [] - name: my alert - next_run: '2022-12-06T01:45:23.912Z' - params: - aggField: sheet.version - aggType: avg - groupBy: top - index: - - test-index - termField: name.keyword - termSize: 6 - threshold: - - 1000 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 5 - timeWindowUnit: m - revision: 1 - 
rule_type_id: .index-threshold - schedule: - interval: 1m - scheduled_task_id: 3583a470-74f6-11ed-9801-35303b735aef - tags: - - cpu - throttle: null - updated_at: '2022-12-05T23:40:33.132Z' - updated_by: elastic - page: 1 - per_page: 10 - total: 1 - findRulesResponse: - description: A response that contains information about a security rule that has conditional actions. - summary: Security rule - value: - data: - - actions: - - alerts_filter: - query: - filters: - - $state: - store: appState - meta: - alias: null - disabled: false - field: client.geo.region_iso_code - index: c4bdca79-e69e-4d80-82a1-e5192c621bea - key: client.geo.region_iso_code - negate: false - params: - query: CA-QC - type: phrase - query: - match_phrase: - client.geo.region_iso_code: CA-QC - kql: '' - timeframe: - days: - - 7 - hours: - end: '17:00' - start: '08:00' - timezone: UTC - connector_type_id: .index - frequency: - notify_when: onActiveAlert - summary: true - throttle: null - group: default - id: 49eae970-f401-11ed-9f8e-399c75a2deeb - params: - documents: - - alert_id: - '[object Object]': null - context_message: - '[object Object]': null - rule_id: - '[object Object]': null - rule_name: - '[object Object]': null - uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61 - api_key_created_by_user: false - api_key_owner: elastic - consumer: siem - created_at: '2023-05-16T15:50:28.358Z' - created_by: elastic - enabled: true - execution_status: - last_duration: 166 - last_execution_date: '2023-05-16T20:26:49.590Z' - status: ok - id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb - last_run: - alerts_count: - active: 0 - ignored: 0 - new: 0 - recovered: 0 - outcome: succeeded - outcome_msg: - - Rule execution completed successfully - outcome_order: 0 - warning: null - mute_all: false - muted_alert_ids: [] - name: security_rule - next_run: '2023-05-16T20:27:49.507Z' - notify_when: null - params: - author: [] - description: A security threshold rule. 
- exceptionsList: [] - falsePositives: [] - filters: [] - from: now-3660s - immutable: false - index: - - kibana_sample_data_logs - language: kuery - license: '' - maxSignals: 100 - meta: - from: 1h - kibana_siem_app_url: https://localhost:5601/app/security - outputIndex: '' - query: '*' - references: [] - riskScore: 21 - riskScoreMapping: [] - ruleId: an_internal_rule_id - severity: low - severityMapping: [] - threat: [] - threshold: - cardinality: [] - field: - - bytes - value: 1 - to: now - type: threshold - version: 1 - revision: 1 - rule_type_id: siem.thresholdRule - running: false - schedule: - interval: 1m - scheduled_task_id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb - tags: [] - throttle: null - updated_at: '2023-05-16T20:25:42.559Z' - updated_by: elastic - page: 1 - per_page: 10 - total: 1 - schema: - additionalProperties: false - type: object - properties: - actions: - items: - additionalProperties: false - type: object - properties: - alerts_filter: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. 
- enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - connector_type_id: - description: The type of connector. This property appears in responses but cannot be set in requests. - type: string - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. 
- type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - - connector_type_id - - params - type: array - active_snoozes: - items: - description: List of active snoozes for the rule. - type: string - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - api_key_created_by_user: - description: Indicates whether the API key that is associated with the rule was created by the user. - nullable: true - type: boolean - api_key_owner: - description: The owner of the API key that is associated with the rule and used to run background tasks. - nullable: true - type: string - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - description: User-created content that describes alert causes and remdiation. - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - created_at: - description: The date and time that the rule was created. - type: string - created_by: - description: The identifier for the user that created the rule. 
- nullable: true - type: string - enabled: - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - execution_status: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - description: Error message. - type: string - reason: - description: Reason for error. - enum: - - read - - decrypt - - execute - - unknown - - license - - timeout - - disabled - - validate - type: string - required: - - reason - - message - last_duration: - description: Duration of last execution of the rule. - type: number - last_execution_date: - description: The date and time when rule was executed last. - type: string - status: - description: Status of rule execution. - enum: - - ok - - active - - error - - warning - - pending - - unknown - type: string - warning: - additionalProperties: false - type: object - properties: - message: - description: Warning message. - type: string - reason: - description: Reason for warning. - enum: - - maxExecutableActions - - maxAlerts - - maxQueuedActions - - ruleExecution - type: string - required: - - reason - - message - required: - - status - - last_execution_date - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. 
- maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - id: - description: The identifier for the rule. - type: string - is_snoozed_until: - description: The date when the rule will no longer be snoozed. - nullable: true - type: string - last_run: - additionalProperties: false - nullable: true - type: object - properties: - alerts_count: - additionalProperties: false - type: object - properties: - active: - description: Number of active alerts during last run. - nullable: true - type: number - ignored: - description: Number of ignored alerts during last run. - nullable: true - type: number - new: - description: Number of new alerts during last run. - nullable: true - type: number - recovered: - description: Number of recovered alerts during last run. - nullable: true - type: number - outcome: - description: Outcome of last run of the rule. Value could be succeeded, warning or failed. - enum: - - succeeded - - warning - - failed - type: string - outcome_msg: - items: - description: Outcome message generated during last rule run. - type: string - nullable: true - type: array - outcome_order: - description: Order of the outcome. - type: number - warning: - description: Warning of last rule execution. - enum: - - read - - decrypt - - execute - - unknown - - license - - timeout - - disabled - - validate - - maxExecutableActions - - maxAlerts - - maxQueuedActions - - ruleExecution - nullable: true - type: string - required: - - outcome - - alerts_count - mapped_params: - additionalProperties: - nullable: true - type: object - monitoring: - additionalProperties: false - description: Monitoring details of the rule. - type: object - properties: - run: - additionalProperties: false - description: Rule run details. - type: object - properties: - calculated_metrics: - additionalProperties: false - description: Calculation of different percentiles and success ratio. 
- type: object - properties: - p50: - type: number - p95: - type: number - p99: - type: number - success_ratio: - type: number - required: - - success_ratio - history: - description: History of the rule run. - items: - additionalProperties: false - type: object - properties: - duration: - description: Duration of the rule run. - type: number - outcome: - description: Outcome of last run of the rule. Value could be succeeded, warning or failed. - enum: - - succeeded - - warning - - failed - type: string - success: - description: Indicates whether the rule run was successful. - type: boolean - timestamp: - description: Time of rule run. - type: number - required: - - success - - timestamp - type: array - last_run: - additionalProperties: false - type: object - properties: - metrics: - additionalProperties: false - type: object - properties: - duration: - description: Duration of most recent rule run. - type: number - gap_duration_s: - description: Duration in seconds of rule run gap. - nullable: true - type: number - gap_range: - additionalProperties: false - nullable: true - type: object - properties: - gte: - description: End of the gap range. - type: string - lte: - description: Start of the gap range. - type: string - required: - - lte - - gte - total_alerts_created: - description: Total number of alerts created during last rule run. - nullable: true - type: number - total_alerts_detected: - description: Total number of alerts detected during last rule run. - nullable: true - type: number - total_indexing_duration_ms: - description: Total time spent indexing documents during last rule run in milliseconds. - nullable: true - type: number - total_search_duration_ms: - description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. - nullable: true - type: number - timestamp: - description: Time of the most recent rule run. 
- type: string - required: - - timestamp - - metrics - required: - - history - - calculated_metrics - - last_run - required: - - run - mute_all: - description: Indicates whether all alerts are muted. - type: boolean - muted_alert_ids: - items: - description: 'List of identifiers of muted alerts. ' - type: string - type: array - name: - description: ' The name of the rule.' - type: string - next_run: - description: Date and time of the next run of the rule. - nullable: true - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: - nullable: true - description: The parameters for the rule. - type: object - revision: - description: The rule revision number. - type: number - rule_type_id: - description: The rule type identifier. - type: string - running: - description: Indicates whether the rule is running. - nullable: true - type: boolean - schedule: - additionalProperties: false - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - scheduled_task_id: - description: Identifier of the scheduled task. 
- type: string - snooze_schedule: - items: - additionalProperties: false - type: object - properties: - duration: - description: Duration of the rule snooze schedule. - type: number - id: - description: Identifier of the rule snooze schedule. - type: string - rRule: - additionalProperties: false - type: object - properties: - byhour: - items: - description: Indicates hours of the day to recur. - type: number - nullable: true - type: array - byminute: - items: - description: Indicates minutes of the hour to recur. - type: number - nullable: true - type: array - bymonth: - items: - description: Indicates months of the year that this rule should recur. - type: number - nullable: true - type: array - bymonthday: - items: - description: Indicates the days of the month to recur. - type: number - nullable: true - type: array - bysecond: - items: - description: Indicates seconds of the day to recur. - type: number - nullable: true - type: array - bysetpos: - items: - description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. - type: number - nullable: true - type: array - byweekday: - items: - anyOf: - - type: string - - type: number - description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. - nullable: true - type: array - byweekno: - items: - description: Indicates number of the week hours to recur. - type: number - nullable: true - type: array - byyearday: - items: - description: Indicates the days of the year that this rule should recur. - type: number - nullable: true - type: array - count: - description: Number of times the rule should recur until it stops. 
- type: number - dtstart: - description: Rule start date in Coordinated Universal Time (UTC). - type: string - freq: - description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. - enum: - - 0 - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - type: integer - interval: - description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. - type: number - tzid: - description: Indicates timezone abbreviation. - type: string - until: - description: Recur the rule until this date. - type: string - wkst: - description: Indicates the start of week, defaults to Monday. - enum: - - MO - - TU - - WE - - TH - - FR - - SA - - SU - type: string - required: - - dtstart - - tzid - skipRecurrences: - items: - description: Skips recurrence of rule on this date. - type: string - type: array - required: - - duration - - rRule - type: array - tags: - items: - description: The tags for the rule. - type: string - type: array - throttle: - deprecated: true - description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - updated_at: - description: The date and time that the rule was updated most recently. - type: string - updated_by: - description: The identifier for the user that updated this rule most recently. - nullable: true - type: string - view_in_app_relative_url: - description: Relative URL to view rule in the app. 
- nullable: true - type: string - required: - - id - - enabled - - name - - tags - - rule_type_id - - consumer - - schedule - - actions - - params - - created_by - - updated_by - - created_at - - updated_at - - api_key_owner - - mute_all - - muted_alert_ids - - execution_status - - revision - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - summary: Get information about rules - tags: - - alerting - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/alerting/rules/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/alerting/rules/backfill/_find: - post: - operationId: post-alerting-rules-backfill-find - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The end date for filtering backfills. - in: query - name: end - required: false - schema: - type: string - - description: The page number to return. - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: number - - description: The number of backfills to return per page. - in: query - name: per_page - required: false - schema: - default: 10 - minimum: 0 - type: number - - description: A comma-separated list of rule identifiers. - in: query - name: rule_ids - required: false - schema: - type: string - - description: The initiator of the backfill, either `user` for manual backfills or `system` for automatic gap fills. - in: query - name: initiator - required: false - schema: - enum: - - user - - system - type: string - - description: The start date for filtering backfills. - in: query - name: start - required: false - schema: - type: string - - description: The field to sort backfills by. - in: query - name: sort_field - required: false - schema: - enum: - - createdAt - - start - type: string - - description: The sort order. 
- in: query - name: sort_order - required: false - schema: - enum: - - asc - - desc - type: string - responses: - '200': - content: - application/json: - examples: - findBackfillResponse: - summary: Find backfills response - value: - data: - - created_at: '2024-01-30T00:00:00.000Z' - duration: 12h - enabled: true - id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 - initiator: user - rule: - api_key_owner: elastic - consumer: alerts - created_at: '2022-12-05T23:40:33.132Z' - created_by: elastic - enabled: true - id: 3583a470-74f6-11ed-9801-35303b735aef - name: my alert - params: - aggField: sheet.version - aggType: avg - groupBy: top - index: - - test-index - termField: name.keyword - termSize: 6 - threshold: - - 1000 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 5 - timeWindowUnit: m - revision: 0 - rule_type_id: .index-threshold - schedule: - interval: 1m - tags: - - cpu - updated_at: '2022-12-05T23:40:33.132Z' - updated_by: elastic - schedule: - - interval: 12h - run_at: '2024-01-01T12:00:00.000Z' - status: pending - - interval: 12h - run_at: '2024-01-02T00:00:00.000Z' - status: pending - space_id: default - start: '2024-01-01T00:00:00.000Z' - status: pending - page: 1 - per_page: 10 - total: 1 - schema: - additionalProperties: false - type: object - properties: - data: - items: - additionalProperties: false - type: object - properties: - created_at: - type: string - duration: - type: string - enabled: - type: boolean - end: - type: string - id: - type: string - initiator: - enum: - - user - - system - type: string - initiator_id: - type: string - rule: - additionalProperties: false - type: object - properties: - api_key_created_by_user: - nullable: true - type: boolean - api_key_owner: - nullable: true - type: string - consumer: - type: string - created_at: - type: string - created_by: - nullable: true - type: string - enabled: - type: boolean - id: - type: string - name: - type: string - params: - additionalProperties: - nullable: true - 
description: The parameters for the rule. - type: object - revision: - type: number - rule_type_id: - type: string - schedule: - additionalProperties: false - type: object - properties: - interval: - type: string - required: - - interval - tags: - items: - type: string - type: array - updated_at: - type: string - updated_by: - nullable: true - type: string - required: - - id - - name - - tags - - rule_type_id - - params - - api_key_owner - - consumer - - enabled - - schedule - - created_by - - updated_by - - created_at - - updated_at - - revision - schedule: - items: - additionalProperties: false - type: object - properties: - interval: - type: string - run_at: - type: string - status: - enum: - - complete - - pending - - running - - error - - timeout - type: string - required: - - run_at - - status - - interval - type: array - space_id: - type: string - start: - type: string - status: - enum: - - complete - - pending - - running - - error - - timeout - type: string - required: - - id - - created_at - - duration - - enabled - - rule - - space_id - - initiator - - start - - status - - schedule - type: array - page: - type: number - per_page: - type: number - total: - type: number - required: - - page - - per_page - - total - - data - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - summary: Find backfills for rules - tags: - - alerting - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/alerting/rules/backfill/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/alerting/rules/backfill/_schedule: - post: - operationId: post-alerting-rules-backfill-schedule - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - scheduleBackfillRequest: - summary: Schedule a backfill for an index threshold rule - value: - - ranges: - - end: '2024-01-02T00:00:00.000Z' - start: '2024-01-01T00:00:00.000Z' - rule_id: 3583a470-74f6-11ed-9801-35303b735aef - schema: - items: - additionalProperties: false - type: object - properties: - ranges: - items: - additionalProperties: false - type: object - properties: - end: - type: string - start: - type: string - required: - - start - - end - type: array - rule_id: - type: string - run_actions: - type: boolean - required: - - rule_id - - ranges - maxItems: 100 - minItems: 1 - type: array - responses: - '200': - content: - application/json: - examples: - scheduleBackfillResponse: - summary: Schedule backfill response - value: - - created_at: '2024-01-30T00:00:00.000Z' - duration: 12h - enabled: true - id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 - initiator: user - rule: - api_key_owner: elastic - consumer: alerts - created_at: '2022-12-05T23:40:33.132Z' - created_by: elastic - enabled: true - id: 3583a470-74f6-11ed-9801-35303b735aef - name: my alert - params: - aggField: sheet.version - aggType: avg - groupBy: top - index: - - test-index - termField: name.keyword - termSize: 6 - threshold: - - 1000 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 5 - timeWindowUnit: m - revision: 0 - rule_type_id: .index-threshold - schedule: - interval: 1m - tags: - - cpu - updated_at: '2022-12-05T23:40:33.132Z' - updated_by: elastic - schedule: - - interval: 12h - run_at: '2024-01-01T12:00:00.000Z' - status: pending - - 
interval: 12h - run_at: '2024-01-02T00:00:00.000Z' - status: pending - space_id: default - start: '2024-01-01T00:00:00.000Z' - status: pending - schema: - items: - anyOf: - - additionalProperties: false - type: object - properties: - created_at: - type: string - duration: - type: string - enabled: - type: boolean - end: - type: string - id: - type: string - initiator: - enum: - - user - - system - type: string - initiator_id: - type: string - rule: - additionalProperties: false - type: object - properties: - api_key_created_by_user: - nullable: true - type: boolean - api_key_owner: - nullable: true - type: string - consumer: - type: string - created_at: - type: string - created_by: - nullable: true - type: string - enabled: - type: boolean - id: - type: string - name: - type: string - params: - additionalProperties: - nullable: true - description: The parameters for the rule. - type: object - revision: - type: number - rule_type_id: - type: string - schedule: - additionalProperties: false - type: object - properties: - interval: - type: string - required: - - interval - tags: - items: - type: string - type: array - updated_at: - type: string - updated_by: - nullable: true - type: string - required: - - id - - name - - tags - - rule_type_id - - params - - api_key_owner - - consumer - - enabled - - schedule - - created_by - - updated_by - - created_at - - updated_at - - revision - schedule: - items: - additionalProperties: false - type: object - properties: - interval: - type: string - run_at: - type: string - status: - enum: - - complete - - pending - - running - - error - - timeout - type: string - required: - - run_at - - status - - interval - type: array - space_id: - type: string - start: - type: string - status: - enum: - - complete - - pending - - running - - error - - timeout - type: string - required: - - id - - created_at - - duration - - enabled - - rule - - space_id - - initiator - - start - - status - - schedule - - additionalProperties: false - type: 
object - properties: - error: - additionalProperties: false - type: object - properties: - message: - type: string - rule: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - status: - type: number - required: - - message - - rule - required: - - error - type: array - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given ID does not exist. - summary: Schedule a backfill for rules - tags: - - alerting - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/alerting/rules/backfill/_schedule
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/alerting/rules/backfill/{id}: - delete: - operationId: delete-alerting-rules-backfill-id - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the backfill. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a backfill with the given ID does not exist. - summary: Delete a backfill by ID - tags: - - alerting - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/alerting/rules/backfill/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - get: - operationId: get-alerting-rules-backfill-id - parameters: - - description: The identifier for the backfill. - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getBackfillResponse: - summary: Get a backfill for an index threshold rule - value: - created_at: '2024-01-30T00:00:00.000Z' - duration: 12h - enabled: true - id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 - initiator: user - rule: - api_key_owner: elastic - consumer: alerts - created_at: '2022-12-05T23:40:33.132Z' - created_by: elastic - enabled: true - id: 3583a470-74f6-11ed-9801-35303b735aef - name: my alert - params: - aggField: sheet.version - aggType: avg - groupBy: top - index: - - test-index - termField: name.keyword - termSize: 6 - threshold: - - 1000 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 5 - timeWindowUnit: m - revision: 0 - rule_type_id: .index-threshold - schedule: - interval: 1m - tags: - - cpu - updated_at: '2022-12-05T23:40:33.132Z' - updated_by: elastic - schedule: - - interval: 12h - run_at: '2024-01-01T12:00:00.000Z' - status: pending - - interval: 12h - run_at: '2024-01-02T00:00:00.000Z' - status: pending - space_id: default - start: '2024-01-01T00:00:00.000Z' - status: pending - schema: - additionalProperties: false - type: object - properties: - created_at: - type: string - duration: - type: string - enabled: - type: boolean - end: - type: string - id: - type: string - initiator: - enum: - - user - - system - type: string - initiator_id: - type: string - rule: - additionalProperties: false - type: object - properties: - api_key_created_by_user: - nullable: true - type: boolean - api_key_owner: - nullable: true - type: string - consumer: - type: string - created_at: - type: string - created_by: - nullable: true - type: string - enabled: - type: boolean - id: - type: string - 
name: - type: string - params: - additionalProperties: - nullable: true - description: The parameters for the rule. - type: object - revision: - type: number - rule_type_id: - type: string - schedule: - additionalProperties: false - type: object - properties: - interval: - type: string - required: - - interval - tags: - items: - type: string - type: array - updated_at: - type: string - updated_by: - nullable: true - type: string - required: - - id - - name - - tags - - rule_type_id - - params - - api_key_owner - - consumer - - enabled - - schedule - - created_by - - updated_by - - created_at - - updated_at - - revision - schedule: - items: - additionalProperties: false - type: object - properties: - interval: - type: string - run_at: - type: string - status: - enum: - - complete - - pending - - running - - error - - timeout - type: string - required: - - run_at - - status - - interval - type: array - space_id: - type: string - start: - type: string - status: - enum: - - complete - - pending - - running - - error - - timeout - type: string - required: - - id - - created_at - - duration - - enabled - - rule - - space_id - - initiator - - start - - status - - schedule - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a backfill with the given ID does not exist. - summary: Get a backfill by ID - tags: - - alerting - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/alerting/rules/backfill/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/apm/agent_keys: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/apm/agent_keys
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new agent key for APM. - The user creating an APM agent API key must have at least the `manage_own_api_key` cluster privilege and the APM application-level privileges that it wishes to grant. - After it is created, you can copy the API key (Base64 encoded) and use it to to authorize requests from APM agents to the APM Server. - operationId: createAgentKey - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - requestBody: - content: - application/json: - examples: - createAgentKeyRequest1: - $ref: '#/components/examples/APM_UI_agent_keys_object_post_request1' - schema: - $ref: '#/components/schemas/APM_UI_agent_keys_object' - required: true - responses: - '200': - content: - application/json: - examples: - createAgentKeyResponse1: - $ref: '#/components/examples/APM_UI_agent_keys_object_post_200_response1' - schema: - $ref: '#/components/schemas/APM_UI_agent_keys_response' - description: Agent key created successfully - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - summary: Create an APM agent key - tags: - - APM agent keys - x-metaTags: - - content: Kibana - name: product_name - /api/apm/fleet/apm_server_schema: - post: - deprecated: true - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/apm/fleet/apm_server_schema
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - DEPRECATED: This endpoint is intended for internal use by Fleet integrations to push the APM Server configuration schema. Do not use for new integrations. It stores the provided schema object as a Kibana saved object. If Fleet migration is not available on the current deployment, the API returns a 404. - operationId: saveApmServerSchema - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - requestBody: - content: - application/json: - schema: - type: object - properties: - schema: - additionalProperties: true - description: Schema object - example: - foo: bar - type: object - required: true - responses: - '200': - content: - application/json: - examples: - saveApmServerSchemaResponseExample1: - $ref: '#/components/examples/APM_UI_fleet_apm_server_schema_200_response1' - schema: - additionalProperties: false - description: The response body is intentionally empty for this endpoint. - type: object - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Save APM server schema - tags: - - APM server schema - x-metaTags: - - content: Kibana - name: product_name - /api/apm/services/{serviceName}/annotation: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/apm/services/{serviceName}/annotation
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new annotation for a specific service. - operationId: createAnnotation - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - - description: The name of the service - in: path - name: serviceName - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - createAnnotationRequest1: - $ref: '#/components/examples/APM_UI_annotation_object_post_request1' - schema: - $ref: '#/components/schemas/APM_UI_create_annotation_object' - required: true - responses: - '200': - content: - application/json: - examples: - createAnnotationResponse1: - $ref: '#/components/examples/APM_UI_annotation_object_post_200_response1' - schema: - $ref: '#/components/schemas/APM_UI_create_annotation_response' - description: Annotation created successfully - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Create a service annotation - tags: - - APM annotations - x-codeSamples: - - lang: Curl - source: | - curl -X POST \ - http://localhost:5601/api/apm/services/opbeans-java/annotation \ - -H 'Content-Type: application/json' \ - -H 'kbn-xsrf: true' \ - -H 'Authorization: Basic YhUlubWZhM0FDbnlQeE6WRtaW49FQmSGZ4RUWXdX' \ - -d '{ - "@timestamp": "2020-05-08T10:31:30.452Z", - "service": { - "version": "1.2" - }, - "message": "Deployment 1.2" - }' - x-metaTags: - - content: 
Kibana - name: product_name - /api/apm/services/{serviceName}/annotation/search: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/apm/services/{serviceName}/annotation/search
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Search for annotations related to a specific service. - operationId: getAnnotation - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: The name of the service - in: path - name: serviceName - required: true - schema: - type: string - - description: The environment to filter annotations by - in: query - name: environment - required: false - schema: - type: string - - description: The start date for the search - example: '2024-01-01T00:00:00.000Z' - in: query - name: start - required: false - schema: - format: date-time - type: string - - description: The end date for the search - example: '2024-01-31T23:59:59.999Z' - in: query - name: end - required: false - schema: - format: date-time - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_annotation_search_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - summary: Search for annotations - tags: - - APM annotations - x-metaTags: - - content: Kibana - name: product_name - /api/apm/settings/agent-configuration: - delete: - description: | - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/apm/settings/agent-configuration
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete an existing agent configuration. You must have `all` privileges for the APM and User Experience feature in Kibana. When successful, the configuration is removed and, if Fleet is enabled, APM package policies are synchronized accordingly. - operationId: deleteAgentConfiguration - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - requestBody: - content: - application/json: - examples: - deleteAgentConfigurationRequest1: - $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_delete_request1' - schema: - $ref: '#/components/schemas/APM_UI_delete_service_object' - required: true - responses: - '200': - content: - application/json: - examples: - deleteAgentConfigurationResponseExample1: - $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_delete_200_response1' - schema: - $ref: '#/components/schemas/APM_UI_delete_agent_configurations_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Delete agent configuration - tags: - - APM agent configuration - x-metaTags: - - content: Kibana - name: product_name - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/apm/settings/agent-configuration
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve all agent configurations. You must have `read` privileges for the APM and User Experience feature in Kibana. If agent configuration is not available on the current deployment, the API returns a 404. - operationId: getAgentConfigurations - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - responses: - '200': - content: - application/json: - examples: - getAgentConfigurationsResponseExample1: - $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_get_200_response1' - schema: - $ref: '#/components/schemas/APM_UI_agent_configurations_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get a list of agent configurations - tags: - - APM agent configuration - x-metaTags: - - content: Kibana - name: product_name - put: - description: | - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/apm/settings/agent-configuration
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create or update an agent configuration. You must have `all` privileges for the APM and User Experience feature in Kibana. When updating an existing configuration, the `?overwrite=true` query parameter is required. If the configuration already exists and `overwrite` is not set to `true`, the API returns a 400 error. When successful and Fleet is enabled, APM package policies are synchronized accordingly. - operationId: createUpdateAgentConfiguration - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - - description: If the config exists ?overwrite=true is required - in: query - name: overwrite - schema: - type: boolean - requestBody: - content: - application/json: - examples: - createUpdateAgentConfigurationRequestExample1: - $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_put_request1' - schema: - $ref: '#/components/schemas/APM_UI_agent_configuration_intake_object' - required: true - responses: - '200': - content: - application/json: - examples: - createUpdateAgentConfigurationResponseExample1: - $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_put_200_response1' - schema: - additionalProperties: false - description: The response body is intentionally empty for this endpoint. 
- type: object - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Create or update agent configuration - tags: - - APM agent configuration - x-metaTags: - - content: Kibana - name: product_name - /api/apm/settings/agent-configuration/agent_name: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/apm/settings/agent-configuration/agent_name
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve `agentName` for a service. - operationId: getAgentNameForService - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: The name of the service - example: node - in: query - name: serviceName - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_service_agent_name_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get agent name for service - tags: - - APM agent configuration - x-metaTags: - - content: Kibana - name: product_name - /api/apm/settings/agent-configuration/environments: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/apm/settings/agent-configuration/environments
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve the available environments for a given service, to be used in agent configuration. You must have `read` privileges for the APM and User Experience feature in Kibana. If `serviceName` is omitted, environments across all services are returned. - operationId: getEnvironmentsForService - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: The name of the service. If omitted, environments across all services are returned. - example: opbeans-node - in: query - name: serviceName - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getEnvironmentsForServiceResponseExample1: - $ref: '#/components/examples/APM_UI_agent_configuration_environments_200_response1' - schema: - $ref: '#/components/schemas/APM_UI_service_environments_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get environments for service - tags: - - APM agent configuration - x-metaTags: - - content: Kibana - name: product_name - /api/apm/settings/agent-configuration/search: - post: - deprecated: true - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/apm/settings/agent-configuration/search
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - DEPRECATED: This endpoint is intended for internal use by APM agents to fetch their configuration and mark it as applied. Do not use for new integrations. It searches for a single agent configuration matching the given service, and optionally updates the `applied_by_agent` field when the provided `etag` matches the current configuration. - operationId: searchSingleConfiguration - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - requestBody: - content: - application/json: - examples: - searchSingleConfigurationRequest1: - $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_search_request1' - schema: - $ref: '#/components/schemas/APM_UI_search_agent_configuration_object' - required: true - responses: - '200': - content: - application/json: - examples: - searchSingleConfigurationResponse1: - $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_search_200_response1' - schema: - $ref: '#/components/schemas/APM_UI_search_agent_configuration_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Lookup single agent configuration - tags: - - APM agent configuration - x-metaTags: - - content: Kibana - name: product_name - /api/apm/settings/agent-configuration/view: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/apm/settings/agent-configuration/view
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve a single agent configuration matching the given service name and environment. You must have `read` privileges for the APM and User Experience feature in Kibana. If no matching configuration is found, the API returns a 404. - operationId: getSingleAgentConfiguration - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: Service name - example: node - in: query - name: name - schema: - type: string - - description: Service environment - example: prod - in: query - name: environment - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getSingleAgentConfigurationResponseExample1: - $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_view_200_response1' - schema: - $ref: '#/components/schemas/APM_UI_single_agent_configuration_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get single agent configuration - tags: - - APM agent configuration - x-metaTags: - - content: Kibana - name: product_name - /api/apm/sourcemaps: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/apm/sourcemaps
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get an array of Fleet artifacts, including source map uploads. You must have `read` or `all` Kibana privileges for the APM and User Experience feature. - operationId: getSourceMaps - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: Page number - in: query - name: page - schema: - type: number - - description: Number of records per page - in: query - name: perPage - schema: - type: number - responses: - '200': - content: - application/json: - examples: - getSourceMapsResponse1: - $ref: '#/components/examples/APM_UI_source_maps_get_200_response1' - schema: - $ref: '#/components/schemas/APM_UI_source_maps_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - '501': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_501_response' - description: Not Implemented response - summary: Get source maps - tags: - - APM sourcemaps - x-codeSamples: - - lang: Curl - source: | - curl -X GET "http://localhost:5601/api/apm/sourcemaps" \ - -H 'Content-Type: application/json' \ - -H 'kbn-xsrf: true' \ - -H 'Authorization: ApiKey ${YOUR_API_KEY}' - x-metaTags: - - content: Kibana - name: product_name - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/apm/sourcemaps
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Upload a source map for a specific service and version. You must have `all` Kibana privileges for the APM and User Experience feature. - The maximum payload size is `1mb`. If you attempt to upload a source map that exceeds the maximum payload size, you will get a 413 error. Before uploading source maps that exceed this default, change the maximum payload size allowed by Kibana with the `server.maxPayload` variable. - operationId: uploadSourceMap - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - requestBody: - content: - multipart/form-data: - schema: - $ref: '#/components/schemas/APM_UI_upload_source_map_object' - required: true - responses: - '200': - content: - application/json: - examples: - uploadSourceMapResponse1: - $ref: '#/components/examples/APM_UI_source_maps_upload_200_response1' - schema: - $ref: '#/components/schemas/APM_UI_upload_source_maps_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - '501': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_501_response' - description: Not Implemented response - summary: Upload a source map - tags: - - APM sourcemaps - x-codeSamples: - - lang: Curl - source: | - curl -X POST "http://localhost:5601/api/apm/sourcemaps" \ - -H 'Content-Type: multipart/form-data' 
\ - -H 'kbn-xsrf: true' \ - -H 'Authorization: ApiKey ${YOUR_API_KEY}' \ - -F 'service_name="foo"' \ - -F 'service_version="1.0.0"' \ - -F 'bundle_filepath="/test/e2e/general-usecase/bundle.js"' \ - -F 'sourcemap="{\"version\":3,\"file\":\"static/js/main.chunk.js\",\"sources\":[\"fleet-source-map-client/src/index.css\",\"fleet-source-map-client/src/App.js\",\"webpack:///./src/index.css?bb0a\",\"fleet-source-map-client/src/index.js\",\"fleet-source-map-client/src/reportWebVitals.js\"],\"sourcesContent\":[\"content\"],\"mappings\":\"mapping\",\"sourceRoot\":\"\"}"' - x-metaTags: - - content: Kibana - name: product_name - /api/apm/sourcemaps/{id}: - delete: - description: | - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/apm/sourcemaps/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a previously uploaded source map. You must have `all` Kibana privileges for the APM and User Experience feature. - operationId: deleteSourceMap - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - - description: Source map identifier - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - deleteSourceMapResponseExample1: - $ref: '#/components/examples/APM_UI_source_maps_delete_200_response1' - schema: - additionalProperties: false - description: The response body is intentionally empty for this endpoint. - type: object - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - '501': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_501_response' - description: Not Implemented response - summary: Delete source map - tags: - - APM sourcemaps - x-codeSamples: - - lang: Curl - source: | - curl -X DELETE "http://localhost:5601/api/apm/sourcemaps/apm:foo-1.0.0-644fd5a9" \ - -H 'Content-Type: application/json' \ - -H 'kbn-xsrf: true' \ - -H 'Authorization: ApiKey ${YOUR_API_KEY}' - x-metaTags: - - content: Kibana - name: product_name - /api/asset_criticality: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/asset_criticality
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete the asset criticality record for a specific entity. - operationId: DeleteAssetCriticalityRecord - parameters: - - description: The ID value of the asset. - example: my_host - in: query - name: id_value - required: true - schema: - type: string - - description: The field representing the ID. - example: host.name - in: query - name: id_field - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' - - description: If 'wait_for' the request will wait for the index refresh. - in: query - name: refresh - required: false - schema: - enum: - - wait_for - type: string - responses: - '200': - content: - application/json: - schema: - type: object - properties: - deleted: - description: True if the record was deleted or false if the record did not exist. - type: boolean - record: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' - description: The deleted record if it existed. - required: - - deleted - description: Successful response - '400': - description: Invalid request - summary: Delete an asset criticality record - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/asset_criticality
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the asset criticality record for a specific entity. - operationId: GetAssetCriticalityRecord - parameters: - - description: The ID value of the asset. - example: my_host - in: query - name: id_value - required: true - schema: - type: string - - description: The field representing the ID. - example: host.name - in: query - name: id_field - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' - description: Successful response - '400': - description: Invalid request - '404': - description: Criticality record not found - summary: Get an asset criticality record - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/asset_criticality
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create or update an asset criticality record for a specific entity. - - If a record already exists for the specified entity, that record is overwritten with the specified value. If a record doesn't exist for the specified entity, a new record is created. - operationId: CreateAssetCriticalityRecord - requestBody: - content: - application/json: - schema: - allOf: - - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord' - - type: object - properties: - refresh: - description: If 'wait_for' the request will wait for the index refresh. - enum: - - wait_for - type: string - example: - criticality_level: high_impact - id_field: host.name - id_value: my_host - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' - description: Successful response - '400': - description: Invalid request - summary: Upsert an asset criticality record - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/asset_criticality/bulk: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/asset_criticality/bulk
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Bulk upsert up to 1000 asset criticality records. - - If asset criticality records already exist for the specified entities, those records are overwritten with the specified values. If asset criticality records don't exist for the specified entities, new records are created. - operationId: BulkUpsertAssetCriticalityRecords - requestBody: - content: - application/json: - schema: - example: - records: - - criticality_level: low_impact - id_field: host.name - id_value: host-1 - - criticality_level: medium_impact - id_field: host.name - id_value: host-2 - type: object - properties: - records: - items: - allOf: - - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts' - - type: object - properties: - criticality_level: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload' - required: - - criticality_level - maxItems: 1000 - minItems: 1 - type: array - required: - - records - responses: - '200': - content: - application/json: - schema: - example: - errors: - - index: 0 - message: Invalid ID field - stats: - failed: 1 - successful: 1 - total: 2 - type: object - properties: - errors: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem' - type: array - stats: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats' - required: - - errors - - stats - description: Bulk upload successful - '413': - description: File too large - summary: Bulk upsert asset criticality records - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/asset_criticality/list: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/asset_criticality/list
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List asset criticality records, paging, sorting and filtering as needed. - operationId: FindAssetCriticalityRecords - parameters: - - description: The field to sort by. - in: query - name: sort_field - required: false - schema: - enum: - - id_value - - id_field - - criticality_level - - '@timestamp' - type: string - - description: The order to sort by. - in: query - name: sort_direction - required: false - schema: - enum: - - asc - - desc - type: string - - description: The page number to return. - in: query - name: page - required: false - schema: - minimum: 1 - type: integer - - description: The number of records to return per page. - in: query - name: per_page - required: false - schema: - maximum: 1000 - minimum: 1 - type: integer - - description: The kuery to filter by. - in: query - name: kuery - required: false - schema: - type: string - responses: - '200': - content: - application/json: - schema: - example: - page: 1 - per_page: 10 - records: - - '@timestamp': '2024-08-02T14:40:35.705Z' - asset: - criticality: medium_impact - criticality_level: medium_impact - host: - asset: - criticality: medium_impact - name: my_other_host - id_field: host.name - id_value: my_other_host - - '@timestamp': '2024-08-02T11:15:34.290Z' - asset: - criticality: high_impact - criticality_level: high_impact - host: - asset: - criticality: high_impact - name: my_host - id_field: host.name - id_value: my_host - total: 2 - type: object - properties: - page: - minimum: 1 - type: integer - per_page: - maximum: 1000 - minimum: 1 - type: integer - records: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' - type: array - total: - minimum: 0 - type: integer - required: - - records - - page - - per_page - - total - description: Successfully retrieved asset criticality records - summary: List asset criticality records - tags: - - Security Entity 
Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/attack_discovery/_bulk: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/attack_discovery/_bulk
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Performs bulk updates on multiple Attack discoveries, including workflow status changes and visibility settings. This endpoint allows efficient batch processing of alert modifications without requiring individual API calls for each alert. - operationId: PostAttackDiscoveryBulk - requestBody: - content: - application/json: - example: - update: - enable_field_rendering: false - ids: - - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 - kibana_alert_workflow_status: acknowledged - with_replacements: true - schema: - type: object - properties: - update: - description: Configuration object containing all parameters for the bulk update operation - type: object - properties: - enable_field_rendering: - default: false - description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`. 
- example: false - type: boolean - ids: - description: Array of Attack Discovery IDs to update - example: - - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 - items: - type: string - type: array - kibana_alert_workflow_status: - description: When provided, update the kibana.alert.workflow_status of the attack discovery alerts - enum: - - open - - acknowledged - - closed - example: acknowledged - type: string - visibility: - description: When provided, update the visibility of the alert, as determined by the kibana.alert.attack_discovery.users field - enum: - - not_shared - - shared - example: shared - type: string - with_replacements: - default: true - description: When true, returns the updated Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. This substitutes anonymized values with human-readable equivalents. Defaults to `true`. - example: true - type: boolean - required: - - ids - required: - - update - description: Bulk update parameters for Attack discoveries - required: true - responses: - '200': - content: - application/json: - example: - data: - - id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - title: Suspicious process execution on host-01 - workflow_status: acknowledged - schema: - type: object - properties: - data: - description: Array of updated Attack Discovery alert objects. Each item includes the applied modifications from the bulk update request. - items: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert' - type: array - required: - - data - description: Indicates a successful call. - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. 
- status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message describing what went wrong with the bulk update request - example: Invalid request parameters. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - required: - - status_code - - error - - message - description: Bad Request response. - summary: Bulk update Attack discoveries - tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/_bulk' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data-raw '{ - "update": { - "ids": [ - "c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f", - "5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7" - ], - "kibana_alert_workflow_status": "acknowledged" - } - }' - x-metaTags: - - content: Kibana - name: product_name - /api/attack_discovery/_find: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/attack_discovery/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Find Attack discoveries that match the search criteria. Supports free text search, filtering, pagination, and sorting. - operationId: AttackDiscoveryFind - parameters: - - description: Filter results to Attack discoveries that include any of the provided alert IDs - in: query - name: alert_ids - required: false - schema: - items: - type: string - type: array - - description: Filter results to Attack discoveries created by any of the provided human readable connector names. Note that values must match the human readable `connector_name` property of an Attack discovery, e.g. "GPT-5 Chat", which are distinct from `connector_id` values used to generate Attack discoveries. - in: query - name: connector_names - required: false - schema: - items: - type: string - type: array - - description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`. - example: false - in: query - name: enable_field_rendering - required: false - schema: - default: false - type: boolean - - description: End of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h"). - example: now - in: query - name: end - required: false - schema: - type: string - - description: Filter results to the Attack discoveries with the specified IDs - in: query - name: ids - required: false - schema: - items: - type: string - type: array - - description: If `true`, the response will include `unique_alert_ids` and `unique_alert_ids_count` aggregated across the matched Attack discoveries - example: false - in: query - name: include_unique_alert_ids - required: false - schema: - type: boolean - - description: Page number to return (used for pagination). Defaults to 1. 
- example: 1 - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: integer - - description: Number of Attack discoveries to return per page (used for pagination). Defaults to 10. - example: 10 - in: query - name: per_page - required: false - schema: - default: 10 - minimum: 1 - type: integer - - description: Free-text search query applied to relevant text fields of Attack discoveries (title, description, tags, etc.) - example: '' - in: query - name: search - required: false - schema: - type: string - - description: Whether to filter by shared visibility. If omitted, both shared and privately visible Attack discoveries are returned. Use `true` to return only shared discoveries, `false` to return only those visible to the current user. - in: query - name: shared - required: false - schema: - type: boolean - - description: Whether to filter by scheduled or ad-hoc attack discoveries. If omitted, both types of attack discoveries are returned. Use `true` to return only scheduled discoveries or `false` to return only ad-hoc discoveries. - in: query - name: scheduled - required: false - schema: - type: boolean - - description: Field used to sort results. See `AttackDiscoveryFindSortField` for allowed values. - example: '@timestamp' - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryFindSortField' - default: '@timestamp' - - description: Sort order direction `asc` for ascending or `desc` for descending. Defaults to `desc`. - example: desc - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_SortOrder' - default: desc - - description: Start of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now-7d"). - example: now-24h - in: query - name: start - required: false - schema: - type: string - - description: Filter by alert workflow status. 
Provide one or more of the allowed workflow states. - example: - - open - - acknowledged - in: query - name: status - required: false - schema: - items: - enum: - - acknowledged - - closed - - open - type: string - type: array - - description: When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to `true`. - example: true - in: query - name: with_replacements - required: false - schema: - default: true - type: boolean - responses: - '200': - content: - application/json: - example: - connector_names: - - GPT-5 Chat - data: - - connector_name: GPT-5 Chat - id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - title: Suspicious process execution on host-01 - page: 1 - per_page: 10 - total: 1 - unique_alert_ids_count: 0 - schema: - type: object - properties: - connector_names: - description: List of human readable connector names that are present in the matched Attack discoveries. Useful for building client filters or summaries. - items: - type: string - type: array - data: - description: Array of matched Attack discovery objects. Each item follows the `AttackDiscoveryApiAlert` schema. - items: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert' - type: array - page: - description: Current page number of the paginated result set. - type: integer - per_page: - description: Number of items requested per page. - type: integer - total: - description: Total number of Attack discoveries matching the query (across all pages). - type: integer - unique_alert_ids: - description: List of unique alert IDs aggregated from the matched Attack discoveries. Only present if `include_unique_alert_ids=true` in the request. - items: - type: string - type: array - unique_alert_ids_count: - description: Number of unique alert IDs across all matched Attack discoveries. 
Only present if `include_unique_alert_ids=true` in the request. - type: integer - required: - - connector_names - - data - - page - - per_page - - total - - unique_alert_ids_count - description: Indicates a successful call. - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request payload. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message - example: Invalid request payload. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - description: Bad Request response. - summary: Find Attack discoveries that match the search criteria - tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/_find?end=now&include_unique_alert_ids=false&page=1&per_page=10&search=&sort_field=%40timestamp&sort_order=desc&start=now-24h&status=open&status=acknowledged' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - x-metaTags: - - content: Kibana - name: product_name - /api/attack_discovery/_generate: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/attack_discovery/_generate
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Initiates the generation of attack discoveries by analyzing security alerts using AI. Returns an execution UUID that can be used to track the generation progress and retrieve results. Results may also be retrieved via the find endpoint. - operationId: PostAttackDiscoveryGenerate - requestBody: - content: - application/json: - example: - alertsIndexPattern: .alerts-security.alerts-default - anonymizationFields: - - allowed: true - anonymized: true - field: host.name - - allowed: true - anonymized: true - field: user.name - - allowed: true - anonymized: false - field: process.name - apiConfig: - actionTypeId: .gen-ai - connectorId: 12345678-1234-1234-1234-123456789012 - connectorName: GPT-5 Chat - end: now - replacements: {} - size: 100 - start: now-24h - subAction: invokeAI - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenerationConfig' - required: true - responses: - '200': - content: - application/json: - example: - execution_uuid: edd26039-0990-4d9f-9829-2a1fcacb77b5 - schema: - type: object - properties: - execution_uuid: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - description: The unique identifier for the attack discovery generation process. Use this UUID to track the generation progress and retrieve results via the find endpoint. - example: edd26039-0990-4d9f-9829-2a1fcacb77b5 - required: - - execution_uuid - description: Indicates a successful call. - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message describing what went wrong - example: Invalid request parameters. 
- type: string - status_code: - description: HTTP status code - example: 400 - type: number - required: - - status_code - - error - - message - description: Bad Request response. - summary: Generate attack discoveries from alerts - tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/_generate' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{ - "alertsIndexPattern": ".alerts-security.alerts-default", - "anonymizationFields": [ - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "@timestamp", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "aKiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.feature", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "saiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.data", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "sqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.entropy", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "s6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.extension", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "tKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.metrics", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "taiJW5gB4U27o8XO8oLg" - }, - { - 
"timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.operation", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "tqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.path", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "t6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.score", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "uKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.version", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "uaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "_id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "Z6iJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "agent.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "aaiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "cloud.availability_zone", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "aqiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "cloud.provider", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "a6iJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "cloud.region", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": 
"bKiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "destination.ip", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "baiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "dns.question.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "bqiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "dns.question.type", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "b6iJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "event.category", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "cKiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "event.dataset", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "caiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "event.module", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "cqiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "event.outcome", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "c6iJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "file.Ext.original.path", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "dKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "file.hash.sha256", - "allowed": true, - "anonymized": false, - "namespace": 
"default", - "id": "daiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "file.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "dqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "file.path", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "d6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "group.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "eKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "group.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "eaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.asset.criticality", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "eqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.name", - "allowed": true, - "anonymized": true, - "namespace": "default", - "id": "e6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.os.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "fKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.os.version", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "faiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.risk.calculated_level", - "allowed": true, - "anonymized": false, - "namespace": 
"default", - "id": "fqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.risk.calculated_score_norm", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "f6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.original_time", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "gKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.risk_score", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "gaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.description", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "gqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "g6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.references", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "hKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.framework", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "haiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.tactic.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "hqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - 
"createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.tactic.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "h6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.tactic.reference", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "iKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.technique.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "iaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.technique.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "iqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.technique.reference", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "i6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.technique.subtechnique.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "jKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.technique.subtechnique.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "jaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.technique.subtechnique.reference", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "jqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": 
"2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.severity", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "j6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.workflow_status", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "kKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "message", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "kaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "network.protocol", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "kqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.Ext.memory_region.bytes_compressed_present", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "nKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.Ext.memory_region.malware_signature.all_names", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "naiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.Ext.memory_region.malware_signature.primary.matches", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "nqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.Ext.memory_region.malware_signature.primary.signature.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "n6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", 
- "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.Ext.token.integrity_level_name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "oKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.args", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "k6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.code_signature.exists", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "lKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.code_signature.signing_id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "laiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.code_signature.status", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "lqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.code_signature.subject_name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "l6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.code_signature.trusted", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "mKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.command_line", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "maiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.executable", - "allowed": true, - 
"anonymized": false, - "namespace": "default", - "id": "mqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.exit_code", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "m6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.hash.md5", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "oaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.hash.sha1", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "oqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.hash.sha256", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "o6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "pKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.parent.args", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "paiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.parent.args_count", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "pqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.parent.code_signature.exists", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "p6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": 
"2025-07-30T13:33:44.029Z", - "field": "process.parent.code_signature.status", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "qKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.parent.code_signature.subject_name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "qaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.parent.code_signature.trusted", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "qqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.parent.command_line", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "q6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.parent.executable", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "rKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.parent.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "raiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.pe.original_file_name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "rqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.pid", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "r6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.working_directory", - "allowed": true, - 
"anonymized": false, - "namespace": "default", - "id": "sKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "rule.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "uqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "rule.reference", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "u6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "source.ip", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "vKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.framework", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "vaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.tactic.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "vqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.tactic.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "v6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.tactic.reference", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "wKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.technique.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "waiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": 
"threat.technique.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "wqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.technique.reference", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "w6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.technique.subtechnique.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "xKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.technique.subtechnique.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "xaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.technique.subtechnique.reference", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "xqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "user.asset.criticality", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "x6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "user.domain", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "yKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "user.name", - "allowed": true, - "anonymized": true, - "namespace": "default", - "id": "yaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "user.risk.calculated_level", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "yqiJW5gB4U27o8XO8oLg" - }, 
- { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "user.risk.calculated_score_norm", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "y6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "user.target.name", - "allowed": true, - "anonymized": true, - "namespace": "default", - "id": "zKiJW5gB4U27o8XO8oLg" - } - ], - "replacements": {}, - "size": 100, - "subAction": "invokeAI", - "apiConfig": { - "connectorId": "12345678-1234-1234-1234-123456789012", - "actionTypeId": ".gen-ai" - }, - "connectorName": "GPT-5 Chat", - "end": "now", - "start": "now-24h" - }' - x-metaTags: - - content: Kibana - name: product_name - /api/attack_discovery/generations: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/attack_discovery/generations
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the latest Attack Discovery generations metadata (that are not dismissed) for the current user. This endpoint retrieves generation metadata including execution status and statistics for Attack Discovery generations. - operationId: GetAttackDiscoveryGenerations - parameters: - - description: End of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h"). - example: now - in: query - name: end - required: false - schema: - type: string - - description: The maximum number of generations to retrieve - example: 50 - in: query - name: size - required: false - schema: - default: 50 - minimum: 1 - type: number - - description: Start of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now-7d"). - example: now-24h - in: query - name: start - required: false - schema: - type: string - responses: - '200': - content: - application/json: - example: - generations: - - alerts_context_count: 75 - connector_id: chatGpt5_0ChatAzure - discoveries: 3 - end: '2025-09-29T06:42:44.810Z' - execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 - loading_message: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries. - start: '2025-09-29T06:42:08.962Z' - status: succeeded - schema: - type: object - properties: - generations: - description: List of Attack Discovery generations - items: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration' - type: array - required: - - generations - description: Indicates a successful call. - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid size parameter. Must be a positive number. 
- status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message - example: Invalid size parameter. Must be a positive number. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - description: Bad Request response. - summary: Get the latest Attack Discovery generations metadata for the current user - tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/generations?size=50&start=now-24h&end=now' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - x-metaTags: - - content: Kibana - name: product_name - /api/attack_discovery/generations/{execution_uuid}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/attack_discovery/generations/{execution_uuid}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Returns a specific Attack Discovery generation, including all generated Attack discoveries and associated metadata, including execution status and statistics. - operationId: GetAttackDiscoveryGeneration - parameters: - - description: The unique identifier for the Attack Discovery generation execution. This UUID is returned at the start of an Attack Discovery generation. - example: 2e13f386-46cf-4d65-9e2b-68609e132ba5 - in: path - name: execution_uuid - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - - description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`. - example: false - in: query - name: enable_field_rendering - required: false - schema: - default: false - type: boolean - - description: When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to `true`. - example: true - in: query - name: with_replacements - required: false - schema: - default: true - type: boolean - responses: - '200': - content: - application/json: - example: - data: - - id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - title: Suspicious process execution on host-01 - generation: - alerts_context_count: 50 - discoveries: 1 - end: '2025-09-29T06:42:44.810Z' - execution_uuid: 2e13f386-46cf-4d65-9e2b-68609e132ba5 - start: '2025-09-29T06:42:08.962Z' - status: succeeded - schema: - type: object - properties: - data: - description: Array of Attack discoveries generated during this execution. 
- items: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert' - type: array - generation: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration' - description: Optional metadata about the attack discovery generation process, metadata including execution status and statistics. This metadata may not be available for all generations. - required: - - data - description: Indicates a successful call. - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message describing what went wrong with the request - example: Invalid request parameters. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - required: - - status_code - - error - - message - description: Bad Request response. - summary: Get a single Attack Discovery generation, including its discoveries and (optional) generation metadata - tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/generations/2e13f386-46cf-4d65-9e2b-68609e132ba5' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - x-metaTags: - - content: Kibana - name: product_name - /api/attack_discovery/generations/{execution_uuid}/_dismiss: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/attack_discovery/generations/{execution_uuid}/_dismiss
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Dismisses an Attack Discovery generation for the current user, indicating that its status should not be reported in the UI. This sets the generation's status to "dismissed" and affects how the generation appears in subsequent queries. - operationId: PostAttackDiscoveryGenerationsDismiss - parameters: - - description: The unique identifier for the Attack Discovery generation execution. This UUID is returned when an Attack Discovery generation is created and can be found in generation responses. - example: 46b218d5-535d-4329-be56-d0f6af6986b7 - in: path - name: execution_uuid - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - responses: - '200': - content: - application/json: - example: - alerts_context_count: 75 - connector_id: chatGpt5_0ChatAzure - discoveries: 3 - end: '2025-09-29T06:42:44.810Z' - execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 - loading_message: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries. - start: '2025-09-29T06:42:08.962Z' - status: dismissed - schema: - type: object - properties: - alerts_context_count: - description: The number of alerts that were sent as context to the LLM for this generation. - example: 75 - type: number - connector_id: - description: The unique identifier of the connector used to generate the attack discoveries. - example: chatGpt5_0ChatAzure - type: string - connector_stats: - description: Statistical information about the connector's performance for this user, providing insights into usage patterns and success rates. - type: object - properties: - average_successful_duration_nanoseconds: - description: The average duration in nanoseconds for successful generations using this connector by the current user. 
- example: 47958500000 - type: number - successful_generations: - description: The total number of Attack discoveries successfully created for this generation - example: 2 - type: number - discoveries: - description: The number of attack discoveries that were generated during this execution. - example: 3 - type: number - end: - description: The timestamp when the generation process completed, in ISO 8601 format. This field may be absent for generations that haven't finished. - example: '2025-09-29T06:42:44.810Z' - type: string - execution_uuid: - description: The unique identifier for this attack discovery generation execution. This UUID can be used to reference this specific generation in other API calls. - example: 46b218d5-535d-4329-be56-d0f6af6986b7 - type: string - loading_message: - description: A human-readable message describing the current state or progress of the generation process. Provides context about what the AI is analyzing. - example: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries. - type: string - reason: - description: Additional context or reasoning provided when a generation fails or encounters issues. This field helps diagnose problems with the generation process. - example: Connection timeout to AI service - type: string - start: - description: The timestamp when the generation process began, in ISO 8601 format. This marks the beginning of the AI analysis. - example: '2025-09-29T06:42:08.962Z' - type: string - status: - description: The current status of the attack discovery generation. After dismissing, this will be set to "dismissed". - enum: - - canceled - - dismissed - - failed - - started - - succeeded - example: dismissed - type: string - required: - - connector_id - - discoveries - - execution_uuid - - loading_message - - start - - status - description: Indicates a successful call. - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. 
- status_code: 400 - schema: - type: object - properties: - error: - description: Error type or category - example: Bad Request - type: string - message: - description: Human-readable error message describing what went wrong with the request. - example: Invalid request parameters. - type: string - status_code: - description: HTTP status code indicating the type of client error - example: 400 - type: number - required: - - status_code - - error - - message - description: Bad Request response. - summary: Dismiss an Attack Discovery generation - tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/generations/46b218d5-535d-4329-be56-d0f6af6986b7/_dismiss' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - x-metaTags: - - content: Kibana - name: product_name - /api/attack_discovery/schedules: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/attack_discovery/schedules
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Creates a new Attack Discovery schedule that analyzes security alerts at specified intervals. The schedule defines when and how Attack Discovery analysis should run, including which alerts to analyze, which AI connector to use, and what actions to take when discoveries are found. - operationId: CreateAttackDiscoverySchedules - requestBody: - content: - application/json: - example: - actions: [] - enabled: true - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps' - description: Attack Discovery schedule configuration including name, parameters, schedule interval, and actions - required: true - responses: - '200': - content: - application/json: - example: - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - updated_at: '2023-10-31T10:00:00.000Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' - description: The Attack Discovery schedule was successfully created. - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' - description: Bad Request response. 
- summary: Create Attack Discovery schedule - tags: - - Security Attack discovery API - x-code-samples: - - label: Create an Attack Discovery schedule - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/schedules' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{ - "name": "Daily Security Analysis", - "enabled": true, - "params": { - "alerts_index_pattern": ".alerts-security.alerts-default", - "api_config": { - "actionTypeId": "bedrock", - "connectorId": "my-bedrock-connector", - "name": "Claude 3.5 Sonnet" - }, - "size": 100, - "start": "now-24h", - "end": "now" - }, - "schedule": { - "interval": "24h" - }, - "actions": [ - { - "action_type_id": ".cases", - "id": "system-connector-.cases", - "params": { - "subAction": "run", - "subActionParams": { - "timeWindow": "7d", - "reopenClosedCases": false, - "groupingBy": [], - "templateId": null - } - }, - "uuid": "12345678-1234-1234-1234-123456789012" - } - ] - }' - x-metaTags: - - content: Kibana - name: product_name - /api/attack_discovery/schedules/_find: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/attack_discovery/schedules/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Find Attack Discovery schedules that match the search criteria. Supports pagination and sorting by various fields. - operationId: FindAttackDiscoverySchedules - parameters: - - description: Page number to return (used for pagination). Defaults to 1. - example: 1 - in: query - name: page - required: false - schema: - type: number - - description: Number of Attack Discovery schedules to return per page (used for pagination). Defaults to 10. - example: 10 - in: query - name: per_page - required: false - schema: - type: number - - description: Field used to sort results. Common fields include 'name', 'created_at', 'updated_at', and 'enabled'. - example: name - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - - description: Sort order direction. Use 'asc' for ascending or 'desc' for descending. Defaults to 'asc'. - example: asc - in: query - name: sort_direction - required: false - schema: - enum: - - asc - - desc - type: string - responses: - '200': - content: - application/json: - example: - data: - - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - updated_at: '2023-10-31T10:00:00.000Z' - updated_by: elastic - page: 1 - per_page: 10 - total: 1 - schema: - type: object - properties: - data: - description: Array of matched Attack Discovery schedule objects. 
- items: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' - type: array - page: - description: Current page number of the paginated result set. - type: number - per_page: - description: Number of items requested per page. - type: number - total: - description: Total number of Attack Discovery schedules matching the query (across all pages). - type: number - required: - - page - - per_page - - total - - data - description: Indicates a successful call. - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request payload. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message - example: Invalid request payload. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - description: Bad Request response. - summary: Find Attack Discovery schedules that match the search criteria - tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/schedules/_find' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - x-metaTags: - - content: Kibana - name: product_name - /api/attack_discovery/schedules/{id}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/attack_discovery/schedules/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Permanently deletes an Attack Discovery schedule and all associated configuration. - operationId: DeleteAttackDiscoverySchedules - parameters: - - description: The unique identifier (UUID) of the Attack Discovery schedule to delete. This ID is returned when creating a schedule and can be found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - responses: - '200': - content: - application/json: - example: - id: 12345678-1234-1234-1234-123456789012 - schema: - type: object - properties: - id: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - description: The unique identifier of the deleted Attack Discovery schedule - required: - - id - description: Successfully deleted Attack Discovery schedule, returning the ID of the deleted schedule for confirmation - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' - description: Bad Request response. - summary: Delete Attack Discovery schedule - tags: - - Security Attack discovery API - x-code-samples: - - label: Delete an Attack Discovery schedule - lang: curl - source: | - curl \ - --request DELETE 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/attack_discovery/schedules/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieves a specific Attack Discovery schedule by its unique identifier. Returns complete schedule configuration including parameters, interval settings, associated actions, and execution history. - operationId: GetAttackDiscoverySchedules - parameters: - - description: The unique identifier (UUID) of the Attack Discovery schedule to retrieve. This ID is returned when creating a schedule and can be found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - responses: - '200': - content: - application/json: - example: - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - last_execution: - date: '2023-10-31T10:00:00.000Z' - last_duration: 45.2 - status: ok - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - updated_at: '2023-10-31T10:00:00.000Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' - description: Successfully retrieved Attack Discovery schedule with complete configuration and metadata - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' - description: Bad Request response. 
- summary: Get Attack Discovery schedule by ID - tags: - - Security Attack discovery API - x-code-samples: - - label: Get an Attack Discovery schedule by ID - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/attack_discovery/schedules/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Updates an existing Attack Discovery schedule with new configuration. All schedule properties can be modified including name, parameters, interval, and actions. The update operation replaces the entire schedule configuration with the provided values. - operationId: UpdateAttackDiscoverySchedules - parameters: - - description: The unique identifier (UUID) of the Attack Discovery schedule to update. This ID is returned when creating a schedule and can be found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - requestBody: - content: - application/json: - example: - actions: [] - name: Updated Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 200 - start: now-48h - schedule: - interval: 12h - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps' - description: Updated Attack Discovery schedule configuration. All fields are required as this replaces the entire schedule configuration. 
- required: true - responses: - '200': - content: - application/json: - example: - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - name: Updated Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 200 - start: now-48h - schedule: - interval: 12h - updated_at: '2023-10-31T12:00:00.000Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' - description: Successfully updated Attack Discovery schedule with the new configuration and metadata - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' - description: Bad Request response. - summary: Update Attack Discovery schedule - tags: - - Security Attack discovery API - x-code-samples: - - label: Update an Attack Discovery schedule - lang: curl - source: | - curl \ - --request PUT 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{ - "name": "Updated Daily Security Analysis", - "params": { - "alerts_index_pattern": ".alerts-security.alerts-default", - "api_config": { - "actionTypeId": "bedrock", - "connectorId": "my-bedrock-connector", - "name": "Claude 3.5 Sonnet" - }, - "size": 200, - "start": "now-48h", - "end": "now" - }, - "schedule": { - "interval": "12h" - }, - "actions": [] - }' - x-metaTags: - - content: Kibana - name: product_name - /api/attack_discovery/schedules/{id}/_disable: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/attack_discovery/schedules/{id}/_disable
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Disables an Attack Discovery schedule, preventing it from running according to its configured interval. The schedule configuration is preserved and can be re-enabled later. Any currently running executions will complete, but no new executions will be started. - operationId: DisableAttackDiscoverySchedules - parameters: - - description: The unique identifier (UUID) of the Attack Discovery schedule to disable. This ID is returned when creating a schedule and can be found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - responses: - '200': - content: - application/json: - example: - id: 12345678-1234-1234-1234-123456789012 - schema: - type: object - properties: - id: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - description: The unique identifier of the disabled Attack Discovery schedule - required: - - id - description: Successfully disabled Attack Discovery schedule, returning the schedule ID for confirmation - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' - description: Bad Request response. 
- summary: Disable Attack Discovery schedule - tags: - - Security Attack discovery API - x-code-samples: - - label: Disable an Attack Discovery schedule - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_disable' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - x-metaTags: - - content: Kibana - name: product_name - /api/attack_discovery/schedules/{id}/_enable: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/attack_discovery/schedules/{id}/_enable
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Enables a previously disabled Attack Discovery schedule, allowing it to run according to its configured interval. Once enabled, the schedule will begin executing at the next scheduled time based on its interval configuration. - operationId: EnableAttackDiscoverySchedules - parameters: - - description: The unique identifier (UUID) of the Attack Discovery schedule to enable. This ID is returned when creating a schedule and can be found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - responses: - '200': - content: - application/json: - example: - id: 12345678-1234-1234-1234-123456789012 - schema: - type: object - properties: - id: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - description: The unique identifier of the enabled Attack Discovery schedule - required: - - id - description: Successfully enabled Attack Discovery schedule, returning the schedule ID for confirmation - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' - description: Bad Request response. - summary: Enable Attack Discovery schedule - tags: - - Security Attack discovery API - x-code-samples: - - label: Enable an Attack Discovery schedule - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_enable' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - x-metaTags: - - content: Kibana - name: product_name - /api/cases: - delete: - description: | - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/cases
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - You must have `read` or `all` privileges and the `delete` sub-feature privilege for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting. - operationId: deleteCaseDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_ids' - responses: - '204': - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Delete cases - tags: - - cases - x-code-samples: - - label: curl - lang: curl - source: | - curl \ - --request DELETE 'https://localhost:5601/api/cases?ids=%5B%22030e6e34-6470-4001-864f-b229511ad188%22%2C%22e662ff34-0493-4538-b9d1-6706ced02ff2%22%5D' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --header "kbn-xsrf: true" - - label: Console - lang: console - source: | - DELETE kbn:/api/cases?ids=["030e6e34-6470-4001-864f-b229511ad188","e662ff34-0493-4538-b9d1-6706ced02ff2"] - x-metaTags: - - content: Kibana - name: product_name - patch: - description: | - **Spaces method and path for this operation:** - -
patch /s/{space_id}/api/cases
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. - operationId: updateCaseDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - requestBody: - content: - application/json: - examples: - updateCaseRequest: - $ref: '#/components/examples/Cases_update_case_request' - schema: - $ref: '#/components/schemas/Cases_update_case_request' - responses: - '200': - content: - application/json: - examples: - updateCaseResponse: - $ref: '#/components/examples/Cases_update_case_response' - schema: - items: - $ref: '#/components/schemas/Cases_case_response_properties' - type: array - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Update cases - tags: - - cases - x-metaTags: - - content: Kibana - name: product_name - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/cases
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're creating. - operationId: createCaseDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - requestBody: - content: - application/json: - examples: - createCaseRequest: - $ref: '#/components/examples/Cases_create_case_request' - schema: - $ref: '#/components/schemas/Cases_create_case_request' - required: true - responses: - '200': - content: - application/json: - examples: - createCaseResponse: - $ref: '#/components/examples/Cases_create_case_response' - schema: - $ref: '#/components/schemas/Cases_case_response_properties' - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Create a case - tags: - - cases - x-metaTags: - - content: Kibana - name: product_name - /api/cases/_find: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/cases/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. - operationId: findCasesDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_assignees_filter' - - $ref: '#/components/parameters/Cases_category' - - $ref: '#/components/parameters/Cases_defaultSearchOperator' - - $ref: '#/components/parameters/Cases_from' - - $ref: '#/components/parameters/Cases_owner_filter' - - $ref: '#/components/parameters/Cases_page_index' - - $ref: '#/components/parameters/Cases_page_size' - - $ref: '#/components/parameters/Cases_reporters' - - $ref: '#/components/parameters/Cases_search' - - $ref: '#/components/parameters/Cases_searchFields' - - $ref: '#/components/parameters/Cases_severity' - - $ref: '#/components/parameters/Cases_sortField' - - $ref: '#/components/parameters/Cases_sort_order' - - $ref: '#/components/parameters/Cases_status' - - $ref: '#/components/parameters/Cases_tags' - - $ref: '#/components/parameters/Cases_to' - responses: - '200': - content: - application/json: - examples: - findCaseResponse: - $ref: '#/components/examples/Cases_find_case_response' - schema: - type: object - properties: - cases: - items: - $ref: '#/components/schemas/Cases_case_response_properties' - maxItems: 10000 - type: array - count_closed_cases: - type: integer - count_in_progress_cases: - type: integer - count_open_cases: - type: integer - page: - type: integer - per_page: - type: integer - total: - type: integer - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. 
- summary: Search cases - tags: - - cases - x-metaTags: - - content: Kibana - name: product_name - /api/cases/{caseId}: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/cases/{caseId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Returns case details. The response does not include a comments property; use the find case comments API to retrieve comments. The totalComment field reflects the actual number of user comments on the case. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're seeking. - operationId: getCaseDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_case_id' - responses: - '200': - content: - application/json: - examples: - getDefaultCaseResponse: - $ref: '#/components/examples/Cases_get_case_response' - getDefaultObservabilityCaseResponse: - $ref: '#/components/examples/Cases_get_case_observability_response' - schema: - $ref: '#/components/schemas/Cases_case_response_get_case' - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Get case information - tags: - - cases - x-metaTags: - - content: Kibana - name: product_name - /api/cases/{caseId}/alerts: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/cases/{caseId}/alerts
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. - operationId: getCaseAlertsDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_case_id' - responses: - '200': - content: - application/json: - examples: - getCaseAlertsResponse: - $ref: '#/components/examples/Cases_get_case_alerts_response' - schema: - items: - $ref: '#/components/schemas/Cases_alert_response_properties' - type: array - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Get all alerts for a case - tags: - - cases - x-state: Technical preview - x-metaTags: - - content: Kibana - name: product_name - /api/cases/{caseId}/comments: - delete: - description: | - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/cases/{caseId}/comments
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Deletes all comments and alerts from a case. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting. - operationId: deleteCaseCommentsDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_case_id' - responses: - '204': - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Delete all case comments and alerts - tags: - - cases - x-codeSamples: - - label: curl - lang: curl - source: | - curl \ - --request DELETE 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments' \ - --header "Authorization: $API_KEY" \ - --header "kbn-xsrf: true" - - label: Console - lang: console - source: | - DELETE kbn:/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments - x-metaTags: - - content: Kibana - name: product_name - patch: - description: | - **Spaces method and path for this operation:** - -
patch /s/{space_id}/api/cases/{caseId}/comments
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. NOTE: You cannot change the comment type or the owner of a comment. - operationId: updateCaseCommentDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_case_id' - requestBody: - content: - application/json: - examples: - updateCaseCommentRequest: - $ref: '#/components/examples/Cases_update_comment_request' - schema: - $ref: '#/components/schemas/Cases_update_case_comment_request' - required: true - responses: - '200': - content: - application/json: - examples: - updateCaseCommentResponse: - $ref: '#/components/examples/Cases_update_comment_response' - schema: - $ref: '#/components/schemas/Cases_case_response_properties' - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Update a case comment or alert - tags: - - cases - x-metaTags: - - content: Kibana - name: product_name - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/cases/{caseId}/comments
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts. - operationId: addCaseCommentDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_case_id' - requestBody: - content: - application/json: - examples: - createCaseCommentRequest: - $ref: '#/components/examples/Cases_add_comment_request' - schema: - $ref: '#/components/schemas/Cases_add_case_comment_request' - required: true - responses: - '200': - content: - application/json: - examples: - createCaseCommentResponse: - $ref: '#/components/examples/Cases_add_comment_response' - schema: - $ref: '#/components/schemas/Cases_case_response_properties' - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Add a case comment or alert - tags: - - cases - x-metaTags: - - content: Kibana - name: product_name - /api/cases/{caseId}/comments/_find: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/cases/{caseId}/comments/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieves a paginated list of comments for a case. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking. - operationId: findCaseCommentsDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_case_id' - - $ref: '#/components/parameters/Cases_page_index' - - $ref: '#/components/parameters/Cases_page_size' - - $ref: '#/components/parameters/Cases_sort_order' - responses: - '200': - content: - application/json: - examples: - findCaseCommentsResponse: - $ref: '#/components/examples/Cases_find_case_comments_response' - schema: - $ref: '#/components/schemas/Cases_find_comments_response' - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Find case comments - tags: - - cases - x-metaTags: - - content: Kibana - name: product_name - /api/cases/{caseId}/comments/{commentId}: - delete: - description: | - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/cases/{caseId}/comments/{commentId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting. - operationId: deleteCaseCommentDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_case_id' - - $ref: '#/components/parameters/Cases_comment_id' - responses: - '204': - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Delete a case comment or alert - tags: - - cases - x-codeSamples: - - label: curl - lang: curl - source: | - curl \ - --request DELETE 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2' \ - --header "Authorization: $API_KEY" \ - --header "kbn-xsrf: true" - - label: Console - lang: console - source: | - DELETE kbn:/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2 - x-metaTags: - - content: Kibana - name: product_name - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/cases/{caseId}/comments/{commentId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking. - operationId: getCaseCommentDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_case_id' - - $ref: '#/components/parameters/Cases_comment_id' - responses: - '200': - content: - application/json: - examples: - getCaseCommentResponse: - $ref: '#/components/examples/Cases_get_comment_response' - schema: - oneOf: - - $ref: '#/components/schemas/Cases_alert_comment_response_properties' - - $ref: '#/components/schemas/Cases_user_comment_response_properties' - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Get a case comment or alert - tags: - - cases - x-metaTags: - - content: Kibana - name: product_name - /api/cases/{caseId}/connector/{connectorId}/_push: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/cases/{caseId}/connector/{connectorId}/_push
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - You must have `all` privileges for the **Actions and Connectors** feature in the **Management** section of the Kibana feature privileges. You must also have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're pushing. - operationId: pushCaseDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_case_id' - - $ref: '#/components/parameters/Cases_connector_id' - - $ref: '#/components/parameters/Cases_kbn_xsrf' - requestBody: - content: - application/json: - examples: - pushCaseRequest: - summary: Push a case to an external service. No request body is required. - value: null - schema: - nullable: true - type: object - responses: - '200': - content: - application/json: - examples: - pushCaseResponse: - $ref: '#/components/examples/Cases_push_case_response' - schema: - $ref: '#/components/schemas/Cases_case_response_properties' - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Push a case to an external service - tags: - - cases - x-metaTags: - - content: Kibana - name: product_name - /api/cases/{caseId}/files: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/cases/{caseId}/files
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Attach a file to a case. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. The request must include: - - The `Content-Type: multipart/form-data` HTTP header. - - The location of the file that is being uploaded. - operationId: addCaseFileDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_case_id' - requestBody: - content: - multipart/form-data: - examples: - addCaseFileRequest: - summary: Attach a plain text file named "my_attachment". - value: - filename: my_attachment - schema: - $ref: '#/components/schemas/Cases_add_case_file_request' - required: true - responses: - '200': - content: - application/json: - examples: - addCaseFileResponse: - $ref: '#/components/examples/Cases_add_comment_response' - schema: - $ref: '#/components/schemas/Cases_case_response_properties' - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Attach a file to a case - tags: - - cases - x-codeSamples: - - label: curl - lang: curl - source: | - curl \ - --request POST 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/files' \ - --header "Authorization: $API_KEY" \ - --header "kbn-xsrf: true" \ - --form "file=@/path/to/my_attachment.txt" \ - --form "filename=my_attachment" - x-metaTags: - - content: Kibana - name: product_name - /api/cases/{caseId}/user_actions/_find: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/cases/{caseId}/user_actions/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieves a paginated list of user activity for a case. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're seeking. - operationId: findCaseActivityDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_case_id' - - $ref: '#/components/parameters/Cases_page_index' - - $ref: '#/components/parameters/Cases_page_size' - - $ref: '#/components/parameters/Cases_sort_order' - - $ref: '#/components/parameters/Cases_user_action_types' - responses: - '200': - content: - application/json: - examples: - findCaseActivityResponse: - $ref: '#/components/examples/Cases_find_case_activity_response' - schema: - type: object - properties: - page: - type: integer - perPage: - type: integer - total: - type: integer - userActions: - items: - $ref: '#/components/schemas/Cases_user_actions_find_response_properties' - maxItems: 10000 - type: array - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Find case activity - tags: - - cases - x-metaTags: - - content: Kibana - name: product_name - /api/cases/alerts/{alertId}: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/cases/alerts/{alertId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. - operationId: getCasesByAlertDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_alert_id' - - $ref: '#/components/parameters/Cases_owner_filter' - responses: - '200': - content: - application/json: - examples: - getCasesByAlertResponse: - summary: Cases associated with a given alert. - value: - - createdAt: '2020-02-19T23:06:33.798Z' - description: Investigating suspicious activity - id: 06116b80-e1c3-11ec-be9b-9b1838238ee6 - status: open - title: security_case - totals: - alerts: 1 - events: 0 - userComments: 0 - schema: - items: - $ref: '#/components/schemas/Cases_related_case' - maxItems: 10000 - type: array - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Get cases for an alert - tags: - - cases - x-state: Technical preview - x-metaTags: - - content: Kibana - name: product_name - /api/cases/configure: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/cases/configure
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get setting details such as the closure type, custom fields, templates, and the default connector for cases. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where the cases were created. - operationId: getCaseConfigurationDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_owner_filter' - responses: - '200': - content: - application/json: - examples: - getConfigurationResponse: - $ref: '#/components/examples/Cases_get_case_configuration_response' - schema: - items: - type: object - properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: - type: object - properties: - fields: - description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. - nullable: true - type: object - id: - description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. - example: none - type: string - name: - description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. 
- example: none - type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - created_at: - example: '2022-06-01T17:07:17.767Z' - format: date-time - type: string - created_by: - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - customFields: - description: Custom fields configuration details. - items: - type: object - properties: - defaultValue: - description: | - A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. - oneOf: - - type: string - - type: boolean - key: - description: | - A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. - maxLength: 36 - minLength: 1 - type: string - label: - description: The custom field label that is displayed in the case. - maxLength: 50 - minLength: 1 - type: string - type: - description: The type of the custom field. - enum: - - text - - toggle - type: string - required: - description: | - Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. - type: boolean - type: array - error: - example: null - nullable: true - type: string - id: - example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 - type: string - mappings: - items: - type: object - properties: - action_type: - example: overwrite - type: string - source: - example: title - type: string - target: - example: summary - type: string - type: array - observableTypes: - description: Custom observable type configuration details. 
- items: - type: object - properties: - key: - description: The observable type key. - example: d312efda-ec2b-42ec-9e2c-84981795c581 - type: string - label: - description: The observable type label. - example: My observable type - type: string - type: array - owner: - $ref: '#/components/schemas/Cases_owner' - templates: - $ref: '#/components/schemas/Cases_templates' - updated_at: - example: '2022-06-01T19:58:48.169Z' - format: date-time - nullable: true - type: string - updated_by: - nullable: true - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - version: - example: WzIwNzMsMV0= - type: string - type: array - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Get case settings - tags: - - cases - x-metaTags: - - content: Kibana - name: product_name - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/cases/configure
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Case settings include external connection details, custom fields, and templates. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. If you set a default connector, it is automatically selected when you create cases in Kibana. If you use the create case API, however, you must still specify all of the connector details. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where you are creating cases. - operationId: setCaseConfigurationDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - requestBody: - content: - application/json: - examples: - setCaseConfigRequest: - $ref: '#/components/examples/Cases_set_case_configuration_request' - schema: - $ref: '#/components/schemas/Cases_set_case_configuration_request' - responses: - '200': - content: - application/json: - examples: - setCaseConfigResponse: - $ref: '#/components/examples/Cases_set_case_configuration_response' - schema: - type: object - properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: - type: object - properties: - fields: - description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. - nullable: true - type: object - id: - description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. - example: none - type: string - name: - description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. 
- example: none - type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - created_at: - example: '2022-06-01T17:07:17.767Z' - format: date-time - type: string - created_by: - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - customFields: - description: Custom fields configuration details. - items: - type: object - properties: - defaultValue: - description: | - A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. - oneOf: - - type: string - - type: boolean - key: - description: | - A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. - maxLength: 36 - minLength: 1 - type: string - label: - description: The custom field label that is displayed in the case. - maxLength: 50 - minLength: 1 - type: string - type: - description: The type of the custom field. - enum: - - text - - toggle - type: string - required: - description: | - Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. - type: boolean - type: array - error: - example: null - nullable: true - type: string - id: - example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 - type: string - mappings: - items: - type: object - properties: - action_type: - example: overwrite - type: string - source: - example: title - type: string - target: - example: summary - type: string - type: array - observableTypes: - description: Custom observable type configuration details. 
- items: - type: object - properties: - key: - description: The observable type key. - example: d312efda-ec2b-42ec-9e2c-84981795c581 - type: string - label: - description: The observable type label. - example: My observable type - type: string - type: array - owner: - $ref: '#/components/schemas/Cases_owner' - templates: - $ref: '#/components/schemas/Cases_templates' - updated_at: - example: '2022-06-01T19:58:48.169Z' - format: date-time - nullable: true - type: string - updated_by: - nullable: true - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - version: - example: WzIwNzMsMV0= - type: string - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Add case settings - tags: - - cases - x-metaTags: - - content: Kibana - name: product_name - /api/cases/configure/{configurationId}: - patch: - description: | - **Spaces method and path for this operation:** - -
patch /s/{space_id}/api/cases/configure/{configurationId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Updates setting details such as the closure type, custom fields, templates, and the default connector for cases. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where the case was created. - operationId: updateCaseConfigurationDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_configuration_id' - requestBody: - content: - application/json: - examples: - updateCaseConfigurationRequest: - $ref: '#/components/examples/Cases_update_case_configuration_request' - schema: - $ref: '#/components/schemas/Cases_update_case_configuration_request' - responses: - '200': - content: - application/json: - examples: - updateCaseConfigurationResponse: - $ref: '#/components/examples/Cases_update_case_configuration_response' - schema: - type: object - properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: - type: object - properties: - fields: - description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. - nullable: true - type: object - id: - description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. - example: none - type: string - name: - description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. 
- example: none - type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - created_at: - example: '2022-06-01T17:07:17.767Z' - format: date-time - type: string - created_by: - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - customFields: - description: Custom fields configuration details. - items: - type: object - properties: - defaultValue: - description: | - A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. - oneOf: - - type: string - - type: boolean - key: - description: | - A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. - maxLength: 36 - minLength: 1 - type: string - label: - description: The custom field label that is displayed in the case. - maxLength: 50 - minLength: 1 - type: string - type: - description: The type of the custom field. - enum: - - text - - toggle - type: string - required: - description: | - Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. - type: boolean - type: array - error: - example: null - nullable: true - type: string - id: - example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 - type: string - mappings: - items: - type: object - properties: - action_type: - example: overwrite - type: string - source: - example: title - type: string - target: - example: summary - type: string - type: array - observableTypes: - description: Custom observable type configuration details. 
- items: - type: object - properties: - key: - description: The observable type key. - example: d312efda-ec2b-42ec-9e2c-84981795c581 - type: string - label: - description: The observable type label. - example: My observable type - type: string - type: array - owner: - $ref: '#/components/schemas/Cases_owner' - templates: - $ref: '#/components/schemas/Cases_templates' - updated_at: - example: '2022-06-01T19:58:48.169Z' - format: date-time - nullable: true - type: string - updated_by: - nullable: true - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - version: - example: WzIwNzMsMV0= - type: string - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Update case settings - tags: - - cases - x-metaTags: - - content: Kibana - name: product_name - /api/cases/configure/connectors/_find: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/cases/configure/connectors/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get information about connectors that are supported for use in cases. You must have `read` privileges for the **Actions and Connectors** feature in the **Management** section of the Kibana feature privileges. - operationId: findCaseConnectorsDefaultSpace - responses: - '200': - content: - application/json: - examples: - findConnectorResponse: - $ref: '#/components/examples/Cases_find_connector_response' - schema: - items: - type: object - properties: - actionTypeId: - $ref: '#/components/schemas/Cases_connector_types' - config: - additionalProperties: true - type: object - properties: - apiUrl: - type: string - projectKey: - type: string - id: - type: string - isDeprecated: - type: boolean - isMissingSecrets: - type: boolean - isPreconfigured: - type: boolean - name: - type: string - referencedByCount: - type: integer - maxItems: 1000 - type: array - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Get case connectors - tags: - - cases - x-metaTags: - - content: Kibana - name: product_name - /api/cases/reporters: - get: - description: | - Returns information about the users who opened cases. You must have read privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases. The API returns information about the users as they existed at the time of the case creation, including their name, full name, and email address. If any of those details change thereafter or if a user is deleted, the information returned by this API is unchanged. 
- operationId: getCaseReportersDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_owner_filter' - responses: - '200': - content: - application/json: - examples: - getReportersResponse: - $ref: '#/components/examples/Cases_get_reporters_response' - schema: - items: - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - maxItems: 10000 - type: array - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Get case creators - tags: - - cases - x-metaTags: - - content: Kibana - name: product_name - /api/cases/tags: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/cases/tags
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Aggregates and returns a list of case tags. You must have read privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. - operationId: getCaseTagsDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_owner_filter' - responses: - '200': - content: - application/json: - examples: - getTagsResponse: - $ref: '#/components/examples/Cases_get_tags_response' - schema: - items: - type: string - maxItems: 10000 - type: array - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Get case tags - tags: - - cases - x-metaTags: - - content: Kibana - name: product_name - /api/data_views: - get: - operationId: getAllDataViewsDefault - responses: - '200': - content: - application/json: - examples: - getAllDataViewsResponse: - $ref: '#/components/examples/Data_views_get_data_views_response' - schema: - type: object - properties: - data_view: - items: - type: object - properties: - id: - type: string - name: - type: string - namespaces: - items: - type: string - type: array - title: - type: string - typeMeta: - type: object - type: array - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Get all data views - tags: - - data views - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/data_views
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/data_views/data_view: - post: - operationId: createDataViewDefaultw - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json: - examples: - createDataViewRequest: - $ref: '#/components/examples/Data_views_create_data_view_request' - schema: - $ref: '#/components/schemas/Data_views_create_data_view_request_object' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Create a data view - tags: - - data views - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/data_views/data_view
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/data_views/data_view/{viewId}: - delete: - description: | - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/data_views/data_view/{viewId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - WARNING: When you delete a data view, it cannot be recovered. - operationId: deleteDataViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '204': - description: Indicates a successful call. - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Delete a data view - tags: - - data views - x-metaTags: - - content: Kibana - name: product_name - get: - operationId: getDataViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '200': - content: - application/json: - examples: - getDataViewResponse: - $ref: '#/components/examples/Data_views_get_data_view_response' - schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Get a data view - tags: - - data views - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/data_views/data_view/{viewId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - post: - operationId: updateDataViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json: - examples: - updateDataViewRequest: - $ref: '#/components/examples/Data_views_update_data_view_request' - schema: - $ref: '#/components/schemas/Data_views_update_data_view_request_object' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update a data view - tags: - - data views - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/data_views/data_view/{viewId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/data_views/data_view/{viewId}/fields: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/data_views/data_view/{viewId}/fields
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update fields presentation metadata such as count, customLabel, customDescription, and format. - operationId: updateFieldsMetadataDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json: - examples: - updateFieldsMetadataRequest: - $ref: '#/components/examples/Data_views_update_field_metadata_request' - schema: - type: object - properties: - fields: - description: The field object. - type: object - required: - - fields - required: true - responses: - '200': - content: - application/json: - schema: - type: object - properties: - acknowledged: - type: boolean - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update data view fields metadata - tags: - - data views - x-metaTags: - - content: Kibana - name: product_name - /api/data_views/data_view/{viewId}/runtime_field: - post: - operationId: createRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json: - examples: - createRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_create_runtime_field_request' - schema: - type: object - properties: - name: - description: | - The name for a runtime field. - type: string - runtimeField: - description: | - The runtime field definition object. - type: object - required: - - name - - runtimeField - required: true - responses: - '200': - content: - application/json: - schema: - type: object - description: Indicates a successful call. 
- summary: Create a runtime field - tags: - - data views - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - put: - operationId: createUpdateRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - description: | - The ID of the data view fields you want to update. - in: path - name: viewId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - updateRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_create_runtime_field_request' - schema: - type: object - properties: - name: - description: | - The name for a runtime field. - type: string - runtimeField: - description: | - The runtime field definition object. - type: object - required: - - name - - runtimeField - required: true - responses: - '200': - content: - application/json: - schema: - type: object - properties: - data_view: - type: object - fields: - items: - type: object - type: array - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Create or update a runtime field - tags: - - data views - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/data_views/data_view/{viewId}/runtime_field/{fieldName}: - delete: - operationId: deleteRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '200': - description: Indicates a successful call. - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Delete a runtime field from a data view - tags: - - data views - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - get: - operationId: getRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '200': - content: - application/json: - examples: - getRuntimeFieldResponse: - $ref: '#/components/examples/Data_views_get_runtime_field_response' - schema: - type: object - properties: - data_view: - type: object - fields: - items: - type: object - type: array - description: Indicates a successful call. - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Get a runtime field - tags: - - data views - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - post: - operationId: updateRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json: - examples: - updateRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_update_runtime_field_request' - schema: - type: object - properties: - runtimeField: - description: | - The runtime field definition object. - - You can update following fields: - - - `type` - - `script` - type: object - required: - - runtimeField - required: true - responses: - '200': - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update a runtime field - tags: - - data views - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/data_views/default: - get: - operationId: getDefaultDataViewDefault - responses: - '200': - content: - application/json: - examples: - getDefaultDataViewResponse: - $ref: '#/components/examples/Data_views_get_default_data_view_response' - schema: - type: object - properties: - data_view_id: - type: string - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Get the default data view - tags: - - data views - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/data_views/default
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - post: - operationId: setDefaultDatailViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json: - examples: - setDefaultDataViewRequest: - $ref: '#/components/examples/Data_views_set_default_data_view_request' - schema: - type: object - properties: - data_view_id: - description: | - The data view identifier. NOTE: The API does not validate whether it is a valid identifier. Use `null` to unset the default data view. - nullable: true - type: string - force: - default: false - description: Update an existing default data view identifier. - type: boolean - required: - - data_view_id - required: true - responses: - '200': - content: - application/json: - schema: - type: object - properties: - acknowledged: - type: boolean - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Set the default data view - tags: - - data views - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/data_views/default
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/data_views/swap_references: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/data_views/swap_references
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Changes saved object references from one data view identifier to another. WARNING: Misuse can break large numbers of saved objects! Practicing with a backup is recommended. - operationId: swapDataViewsDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json: - examples: - swapDataViewRequest: - $ref: '#/components/examples/Data_views_swap_data_view_request' - schema: - $ref: '#/components/schemas/Data_views_swap_data_view_request_object' - required: true - responses: - '200': - content: - application/json: - schema: - type: object - properties: - deleteStatus: - type: object - properties: - deletePerformed: - type: boolean - remainingRefs: - type: integer - result: - items: - type: object - properties: - id: - description: A saved object identifier. - type: string - type: - description: The saved object type. - type: string - type: array - description: Indicates a successful call. - summary: Swap saved object references - tags: - - data views - x-metaTags: - - content: Kibana - name: product_name - /api/data_views/swap_references/_preview: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/data_views/swap_references/_preview
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Preview the impact of swapping saved object references from one data view identifier to another. - operationId: previewSwapDataViewsDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json: - examples: - previewSwapDataViewRequest: - $ref: '#/components/examples/Data_views_preview_swap_data_view_request' - schema: - $ref: '#/components/schemas/Data_views_swap_data_view_request_object' - required: true - responses: - '200': - content: - application/json: - schema: - type: object - properties: - result: - items: - type: object - properties: - id: - description: A saved object identifier. - type: string - type: - description: The saved object type. - type: string - type: array - description: Indicates a successful call. - summary: Preview a saved object reference swap - tags: - - data views - x-metaTags: - - content: Kibana - name: product_name - /api/detection_engine/index: - delete: - operationId: DeleteAlertsIndex - responses: - '200': - content: - application/json: - schema: - type: object - properties: - acknowledged: - type: boolean - required: - - acknowledged - description: Successful response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Not enough permissions response - '404': - content: - application/json: - schema: - type: string - description: Index does not exist response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Delete an alerts index - tags: - - Security Detections API - x-metaTags: 
- - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/detection_engine/index
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - get: - operationId: ReadAlertsIndex - responses: - '200': - content: - application/json: - examples: - success: - value: - index_mapping_outdated: false - name: .alerts-security.alerts-default - schema: - type: object - properties: - index_mapping_outdated: - nullable: true - type: boolean - name: - type: string - required: - - name - - index_mapping_outdated - description: Successful response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Not enough permissions response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Not found - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Reads the alert index name if it exists - tags: - - Security Detections API - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/detection_engine/index
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/detection_engine/index
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Creates an index for Elastic Security alerts. Calling this API is not - required for the detection engine to function properly. You can create - rules and alerts without calling this API. - operationId: CreateAlertsIndex - responses: - '200': - content: - application/json: - schema: - type: object - properties: - acknowledged: - type: boolean - required: - - acknowledged - description: Successful response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Not enough permissions response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Not found - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Create an alerts index - tags: - - Security Detections API - x-metaTags: - - content: Kibana - name: product_name - /api/detection_engine/privileges: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/detection_engine/privileges
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieves whether or not the user is authenticated, and the user's Kibana - space and index privileges, which determine if the user can create an - index for the Elastic Security alerts generated by - detection engine rules. - operationId: ReadPrivileges - responses: - '200': - content: - application/json: - examples: - success: - value: - application: {} - cluster: - all: true - manage: true - manage_api_key: true - manage_index_templates: true - manage_ml: true - manage_own_api_key: true - manage_pipeline: true - manage_security: true - manage_transform: true - monitor: true - monitor_ml: true - monitor_transform: true - has_all_requested: true - has_encryption_key: true - index: - .alerts-security.alerts-default: - all: true - create: true - create_doc: true - create_index: true - delete: true - delete_index: true - index: true - maintenance: true - manage: true - monitor: true - read: true - view_index_metadata: true - write: true - is_authenticated: true - username: elastic - schema: - type: object - properties: - has_encryption_key: - type: boolean - is_authenticated: - type: boolean - required: - - is_authenticated - - has_encryption_key - description: Successful response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Returns user privileges for the Kibana space - tags: - - Security Detections API - x-metaTags: - - content: Kibana - name: product_name - /api/detection_engine/rules: - delete: - description: | - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/detection_engine/rules
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a detection rule using the `rule_id` or `id` field. - - The URL query must include one of the following: - - * `id` - `DELETE /api/detection_engine/rules?id=` - * `rule_id`- `DELETE /api/detection_engine/rules?rule_id=` - - The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. - operationId: DeleteRule - parameters: - - description: The rule's `id` value. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_UUID' - - description: The rule's `rule_id` value. - in: query - name: rule_id - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Delete a detection rule - tags: - - Security Detections API - x-codeSamples: - - lang: cURL - source: | - curl \ - --request DELETE https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ - --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" - x-metaTags: - - content: Kibana - name: product_name - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/detection_engine/rules
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve a detection rule using the `rule_id` or `id` field. - - The URL query must include one of the following: - - * `id` - `GET /api/detection_engine/rules?id=` - * `rule_id` - `GET /api/detection_engine/rules?rule_id=` - - The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. - operationId: ReadRule - parameters: - - description: The rule's `id` value. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_UUID' - - description: The rule's `rule_id` value. - in: query - name: rule_id - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - responses: - '200': - content: - application/json: - examples: - example1: - summary: Example response for a retrieved rule - value: - created_at: '2020-02-03T11:19:04.259Z' - created_by: elastic - description: Process started by MS Office program in user folder - enabled: false - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. 
- metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: [] - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-4200s - id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: MS Office child process - query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: process.name - type: keyword - - ecs: true - name: process.parent.name - type: keyword - risk_score: 21 - rule_id: process_started_by_ms_office_user_folder - setup: '' - severity: low - tags: - - child process - - ms office - threat: - - framework: MITRE ATT&CK - tactic: - id: TA0001 - name: Initial Access - reference: https://attack.mitre.org/tactics/TA0001 - technique: - - id: T1193 - name: Spearphishing Attachment - reference: https://attack.mitre.org/techniques/T1193 - to: now-300s - type: query - updated_at: '2020-02-03T11:19:04.462Z' - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: | - Indicates a successful call. - > info - > These fields are under development and their usage or schema may change: execution_summary. 
- summary: Retrieve a detection rule - tags: - - Security Detections API - x-codeSamples: - - lang: cURL - source: | - curl \ - --request GET https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ - --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" - x-metaTags: - - content: Kibana - name: product_name - patch: - description: | - **Spaces method and path for this operation:** - -
patch /s/{space_id}/api/detection_engine/rules
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update specific fields of an existing detection rule using the `rule_id` or `id` field. - - The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. - > warn - > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. - - > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. - operationId: PatchRule - requestBody: - content: - application/json: - examples: - example1: - summary: Patch query rule - value: - id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 - name: New name - example2: - summary: Patch EQL rule - value: - rule_id: process_started_by_ms_office_program_possible_payload - threat: - - framework: MITRE ATT&CK - tactic: - id: TA0001 - name: Initial Access - reference: https://attack.mitre.org/tactics/TA0001 - technique: - - id: T1193 - name: Spearphishing Attachment - reference: https://attack.mitre.org/techniques/T1193 - example3: - summary: Patch threshold rule - value: - id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 - query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"' - threshold: - cardinality: [] - field: [] - value: 600 - example4: - summary: Patch new terms rule - value: - history_window_start: now-3d - id: 569aac91-40dc-4807-a8ae-a2c8698089c4 - new_terms_fields: - - Endpoint.policy.applied.artifacts.global.identifiers.name - example5: - summary: Patch esql rule - value: - id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd - query: | - FROM logs-abc* - | STATS count 
= COUNT(*), min_timestamp = MIN(@timestamp) - | EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW()) - | KEEP event_rate - example6: - summary: Patch indicator match rule - value: - id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd - threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"false"' - example7: - summary: Patch machine learning rule - value: - anomaly_threshold: 50 - id: 60b13926-289b-41b1-a537-197ef1fa5059 - machine_learning_job_id: - - auth_high_count_logon_events_ea - schema: - $ref: '#/components/schemas/Security_Detections_API_RulePatchProps' - description: | - > info - > You cannot modify the `id` or `rule_id` values. - required: true - responses: - '200': - content: - application/json: - examples: - example1: - summary: Example response for an updated rule - value: - actions: [] - created_at: '2020-04-07T14:51:09.755Z' - created_by: elastic - description: Updated description for the rule. - enabled: false - false_positives: [] - filters: - - query: null - from: now-70m - id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: Updated Rule Name - query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - required_fields: - - name: process.parent.name - risk_score: 50 - rule_id: process_started_by_ms_office_program - setup: '' - severity: low - tags: - - child process - - ms office - threat: [] - to: now - type: query - updated_at: '2020-04-07T14:51:09.970Z' - updated_by: elastic - version: 2 - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. 
- summary: Patch a detection rule - tags: - - Security Detections API - x-metaTags: - - content: Kibana - name: product_name - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/detection_engine/rules
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new detection rule. - > warn - > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. - - > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. - - You can create the following types of rules: - - * **Custom query**: Searches the defined indices and creates an alert when a document matches the rule's KQL query. - * **Event correlation**: Searches the defined indices and creates an alert when results match an [Event Query Language (EQL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html) query. - * **Threshold**: Searches the defined indices and creates an alert when the number of times the specified field's value meets the threshold during a single execution. When there are multiple values that meet the threshold, an alert is generated for each value. - For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. If you're interested, see [Terms Aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html) for more information. - * **Indicator match**: Creates an alert when fields match values defined in the specified [Elasticsearch index](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html). For example, you can create an index for IP addresses and use this index to create an alert whenever an event's `destination.ip` equals a value in the index. 
The index's field mappings should be [ECS-compliant](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html). - * **New terms**: Generates an alert for each new term detected in source documents within a specified time range. - * **ES|QL**: Uses [Elasticsearch Query Language (ES|QL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html) to find events and aggregate search results. - * **Machine learning rules**: Creates an alert when a machine learning job discovers an anomaly above the defined threshold. - > info - > To create machine learning rules, you must have the [appropriate license](https://www.elastic.co/subscriptions) or use a [cloud deployment](https://cloud.elastic.co/registration). Additionally, for the machine learning rule to function correctly, the associated machine learning job must be running. - - To retrieve machine learning job IDs, which are required to create machine learning jobs, call the [Elasticsearch Get jobs API](https://www.elastic.co/guide/en/elasticsearch/reference/current/ml-get-job.html). Machine learning jobs that contain `siem` in the `groups` field can be used to create rules: - - ```json - ... - "job_id": "linux_anomalous_network_activity_ecs", - "job_type": "anomaly_detector", - "job_version": "7.7.0", - "groups": [ - "auditbeat", - "process", - "siem" - ], - ... - ``` - - Additionally, you can set up notifications for when rules create alerts. The notifications use the [Alerting and Actions framework](https://www.elastic.co/docs/explore-analyze/alerting). Each action type requires a connector. Connectors store the information required to send notifications via external systems. 
The following connector types are supported for rule notifications: - - * Slack - * Email - * PagerDuty - * Webhook - * Microsoft Teams - * IBM Resilient - * Jira - * ServiceNow ITSM - > info - > For more information on PagerDuty fields, see [Send a v2 Event](https://developer.pagerduty.com/docs/events-api-v2/trigger-events/). - - To retrieve connector IDs, which are required to configure rule notifications, call the [Find objects API](https://www.elastic.co/docs/api/doc/kibana/operation/operation-findsavedobjects) with `"type": "action"` in the request payload. - - For detailed information on Kibana actions and alerting, and additional API calls, see: - - * [Alerting API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-alerting) - * [Alerting and Actions framework](https://www.elastic.co/docs/explore-analyze/alerting) - * [Connectors API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-connectors) - operationId: CreateRule - requestBody: - content: - application/json: - examples: - example1: - description: Query rule that searches for processes started by MS Office - summary: Query rule - value: - description: Process started by MS Office program - possible payload - enabled: false - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-70m - interval: 1h - language: kuery - name: MS Office child process - query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - name: process.parent.name - type: keyword - risk_score: 50 - rule_id: process_started_by_ms_office_program - severity: low - tags: - - child process - - ms office - type: query - example2: - description: Threshold rule that detects multiple failed login attempts to a Windows host from the 
same external source IP address - summary: Threshold rule - value: - description: Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame. - enabled: true - exceptions_list: - - id: int-ips - namespace_type: single - type: detection - from: now-180s - index: - - winlogbeat-* - interval: 2m - name: Windows server prml-19 - query: host.name:prml-19 and event.category:authentication and event.outcome:failure - required_fields: - - name: source.ip - type: ip - risk_score: 30 - rule_id: liv-win-ser-logins - severity: low - severity_mapping: - - field: source.geo.city_name - operator: equals - severity: low - value: Manchester - - field: source.geo.city_name - operator: equals - severity: medium - value: London - - field: source.geo.city_name - operator: equals - severity: high - value: Birmingham - - field: source.geo.city_name - operator: equals - severity: critical - value: Wallingford - tags: - - Brute force - threshold: - field: source.ip - value: 20 - type: threshold - example3: - description: Machine learning rule that creates alerts, and sends Slack notifications, when the linux_anomalous_network_activity_ecs machine learning job discovers anomalies with a threshold of 70 or above. - summary: Machine learning rule - value: - actions: - - action_type_id: .slack - group: default - id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 - params: - message: 'Urgent: {{context.rule.description}}' - anomaly_threshold: 70 - description: Generates alerts when the job discovers anomalies over 70 - enabled: true - from: now-6m - interval: 5m - machine_learning_job_id: linux_anomalous_network_activity_ecs - name: Anomalous Linux network activity - note: Shut down the internet. - risk_score: 70 - rule_id: ml_linux_network_high_threshold - setup: This rule requires data coming in from Elastic Defend. 
- severity: high - tags: - - machine learning - - Linux - type: machine_learning - example4: - description: Event correlation rule that creates alerts when the Windows rundll32.exe process makes unusual network connections - summary: EQL rule - value: - description: Unusual rundll32.exe network connection - language: eql - name: rundll32.exe network connection - query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")] - required_fields: - - name: event.type - type: keyword - - name: process.args - type: keyword - - name: process.args_count - type: long - - name: process.entity_id - type: keyword - - name: process.name - type: keyword - - name: process.pe.original_file_name - type: keyword - risk_score: 21 - rule_id: eql-outbound-rundll32-connections - severity: low - tags: - - EQL - - Windows - - rundll32.exe - type: eql - example5: - description: | - Indicator match rule that creates an alert when one of the following is true: The event's destination IP address and port number matches destination IP and port values in the threat_index index; The event's source IP address matches a host IP address value in the threat_index index. 
- summary: Indicator match rule - value: - actions: [] - description: Checks for bad IP addresses listed in the ip-threat-list index - index: - - packetbeat-* - name: Bad IP threat match - query: destination.ip:* or host.ip:* - required_fields: - - name: destination.ip - type: ip - - name: destination.port - type: long - - name: host.ip - type: ip - risk_score: 50 - severity: medium - threat_index: - - ip-threat-list - threat_mapping: - - entries: - - field: destination.ip - type: mapping - value: destination.ip - - field: destination.port - type: mapping - value: destination.port - - entries: - - field: source.ip - type: mapping - value: host.ip - threat_query: '*:*' - type: threat_match - example6: - description: New terms rule that creates alerts a new IP address is detected for a user - summary: New terms rule - value: - description: Detects a user associated with a new IP address - history_window_start: now-30d - index: - - auditbeat* - language: kuery - name: New User IP Detected - new_terms_fields: - - user.id - - source.ip - query: '*' - required_fields: - - name: user.id - type: keyword - - name: source.ip - type: ip - risk_score: 21 - severity: medium - type: new_terms - example7: - description: esql rule that creates alerts from events that match an Excel parent process - summary: Esql rule - value: - description: Find Excel events - enabled: false - from: now-360s - interval: 5m - language: esql - name: Find Excel events - query: from auditbeat-8.10.2 METADATA _id, _version, _index | where process.parent.name == "EXCEL.EXE" - required_fields: - - name: process.parent.name - type: keyword - risk_score: 21 - severity: low - tags: [] - to: now - type: esql - example8: - description: Query rule that searches for processes started by MS Office and suppresses alerts by the process.parent.name field within a 5-hour time period - summary: Query rule 2 - value: - alert_suppression: - duration: - unit: h - value: 5 - group_by: - - process.parent.name - 
missing_fields_strategy: suppress - description: Process started by MS Office program - possible payload - enabled: false - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-70m - interval: 1h - language: kuery - name: MS Office child process - query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE - risk_score: 50 - rule_id: process_started_by_ms_office_program - severity: low - tags: - - child process - - ms office - type: query - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps' - required: true - responses: - '200': - content: - application/json: - examples: - example1: - description: Example response for a query rule - summary: Query rule response - value: - actions: [] - created_at: '2020-04-07T14:51:09.755Z' - created_by: elastic - description: Process started by MS Office program - possible payload - enabled: false - false_positives: [] - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-70m - id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: MS Office child process - query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - - integration: graphactivitylogs - package: azure - version: ^1.11.4 - required_fields: - - ecs: true - name: process.parent.name - type: keyword - risk_score: 50 - rule_id: process_started_by_ms_office_program - setup: '' - severity: low - tags: - - child process - - ms office - threat: [] - to: now - type: query - 
updated_at: '2020-04-07T14:51:09.970Z' - updated_by: elastic - version: 1 - example2: - description: Example response for a machine learning job rule - summary: Machine learning response - value: - actions: - - action_type_id: .slack - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 - params: - message: 'Urgent: {{context.rule.description}}' - anomaly_threshold: 70 - created_at: '2020-04-07T14:45:15.679Z' - created_by: elastic - description: Generates alerts when the job discovers anomalies over 70 - enabled: true - false_positives: [] - from: now-6m - id: 83876f66-3a57-4a99-bf37-416494c80f3b - immutable: false - interval: 5m - machine_learning_job_id: linux_anomalous_network_activity_ecs - max_signals: 100 - name: Anomalous Linux network activity - note: Shut down the internet. - references: [] - related_integrations: [] - required_fields: [] - risk_score: 70 - rule_id: ml_linux_network_high_threshold - setup: '' - severity: high - status: going to run - status_date: '2020-04-07T14:45:21.685Z' - tags: - - machine learning - - Linux - threat: [] - to: now - type: machine_learning - updated_at: '2020-04-07T14:45:15.892Z' - updated_by: elastic - version: 1 - example3: - description: Example response for a threshold rule - summary: Threshold rule response - value: - actions: [] - author: [] - created_at: '2020-07-22T10:27:23.486Z' - created_by: elastic - description: Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame. 
- enabled: true - exceptions_list: - - id: int-ips - namespace_type: single - type: detection - false_positives: [] - from: now-180s - id: 15dbde26-b627-4d74-bb1f-a5e0ed9e4993 - immutable: false - index: - - winlogbeat-* - interval: 2m - language: kuery - max_signals: 100 - name: Windows server prml-19 - query: host.name:prml-19 and event.category:authentication and event.outcome:failure - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: source.ip - type: ip - risk_score: 30 - risk_score_mapping: [] - rule_id: liv-win-ser-logins - setup: '' - severity: low - severity_mapping: - - field: source.geo.city_name - operator: equals - severity: low - value: Manchester - - field: source.geo.city_name - operator: equals - severity: medium - value: London - - field: source.geo.city_name - operator: equals - severity: high - value: Birmingham - - field: source.geo.city_name - operator: equals - severity: critical - value: Wallingford - tags: - - Brute force - threat: [] - threshold: - field: source.ip - value: 20 - to: now - type: threshold - updated_at: '2020-07-22T10:27:23.673Z' - updated_by: elastic - version: 1 - example4: - description: Example response for an EQL rule - summary: EQL rule response - value: - author: [] - created_at: '2020-10-05T09:06:16.392Z' - created_by: elastic - description: Unusual rundll32.exe network connection - enabled: true - exceptions_list: [] - false_positives: [] - from: now-6m - id: 93808cae-b05b-4dc9-8479-73574b50f8b1 - immutable: false - interval: 5m - language: eql - max_signals: 100 - name: rundll32.exe network connection - query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where 
event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")] - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: event.type - type: keyword - - ecs: true - name: process.args - type: keyword - - ecs: true - name: process.args_count - type: long - - ecs: true - name: process.entity_id - type: keyword - - ecs: true - name: process.name - type: keyword - - ecs: true - name: process.pe.original_file_name - type: keyword - risk_score: 21 - risk_score_mapping: [] - rule_id: eql-outbound-rundll32-connections - setup: '' - severity: low - severity_mapping: [] - tags: - - EQL - - Windows - - rundll32.exe - threat: [] - throttle: no_actions - to: now - type: eql - updated_at: '2020-10-05T09:06:16.403Z' - updated_by: elastic - version: 1 - example5: - description: Example response for an indicator match rule - summary: Indicator match rule response - value: - author: [] - created_at: '2020-10-06T07:07:58.227Z' - created_by: elastic - description: Checks for bad IP addresses listed in the ip-threat-list index - enabled: true - exceptions_list: [] - false_positives: [] - from: now-6m - id: d5daa13f-81fb-4b13-be2f-31011e1d9ae1 - immutable: false - index: - - packetbeat-* - interval: 5m - language: kuery - max_signals: 100 - name: Bad IP threat match - query: destination.ip:* or host.ip:* - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: destination.ip - type: ip - - ecs: true - name: destination.port - type: long - - ecs: true - name: host.ip - type: ip - risk_score: 50 - risk_score_mapping: [] - rule_id: 608501e4-c768-4f64-9326-cec55b5d439b - setup: '' - severity: medium - severity_mapping: [] - tags: [] - threat: [] - threat_index: - - ip-threat-list - threat_mapping: - - entries: - - field: destination.ip - type: mapping - value: destination.ip - - field: destination.port - type: mapping - 
value: destination.port - - entries: - - field: source.ip - type: mapping - value: host.ip - threat_query: '*:*' - to: now - type: threat_match - updated_at: '2020-10-06T07:07:58.237Z' - updated_by: elastic - version: 1 - example6: - description: Example response for a new terms rule - summary: New terms rule response - value: - author: [] - created_at: '2020-10-06T07:07:58.227Z' - created_by: elastic - description: Detects a user associated with a new IP address - enabled: true - exceptions_list: [] - false_positives: [] - from: now-6m - history_window_start: now-30d - id: eb7225c0-566b-11ee-8b4f-bbf3afdeb9f4 - immutable: false - index: - - auditbeat* - interval: 5m - language: kuery - max_signals: 100 - name: New User IP Detected - new_terms_fields: - - user.id - - source.ip - query: '*' - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: user.id - type: keyword - - ecs: true - name: source.ip - type: ip - risk_score: 21 - risk_score_mapping: [] - rule_id: c6f5d0bc-7be9-47d4-b2f3-073d22641e30 - setup: '' - severity: medium - severity_mapping: [] - tags: [] - threat: [] - to: now - type: new_terms - updated_at: '2020-10-06T07:07:58.237Z' - updated_by: elastic - version: 1 - example7: - description: Example response for an Esql rule - summary: Esql rule response - value: - actions: [] - author: [] - created_at: '2023-10-18T10:55:14.269Z' - created_by: elastic - description: Find Excel events - enabled: false - exceptions_list: [] - false_positives: [] - from: now-360s - id: d0f20490-6da4-11ee-b85e-09e9b661f2e2 - immutable: false - interval: 5m - language: esql - max_signals: 100 - name: Find Excel events - output_index: '' - query: from auditbeat-8.10.2 METADATA _id | where process.parent.name == "EXCEL.EXE" - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: process.parent.name - type: keyword - revision: 0 - risk_score: 21 - 
risk_score_mapping: [] - rule_id: e4b53a89-debd-4a0d-a3e3-20606952e589 - setup: '' - severity: low - severity_mapping: [] - tags: [] - threat: [] - to: now - type: esql - updated_at: '2023-10-18T10:55:14.269Z' - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Create a detection rule - tags: - - Security Detections API - x-metaTags: - - content: Kibana - name: product_name - put: - description: | - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/detection_engine/rules
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a detection rule using the `rule_id` or `id` field. The original rule is replaced, and all unspecified fields are deleted. - - The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. - > warn - > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. - - > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. - operationId: UpdateRule - requestBody: - content: - application/json: - examples: - example1: - summary: Update query rule - value: - description: A new description - id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 - name: A new name for the rule - risk_score: 22 - severity: medium - type: query - example2: - summary: Update EQL rule - value: - description: eql rule test - id: 9b684efb-acf9-4323-9bff-8335b3867d14 - index: - - apm-*-transaction* - language: eql - name: New name for EQL rule - query: process where process.name == "regsvr32.exe" - risk_score: 21 - severity: low - type: eql - example3: - summary: Update threshold rule - value: - description: Description of threat rule test - id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 - language: kuery - name: New name for threat rule - query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"' - risk_score: 21 - severity: low - tags: - - new_tag - threshold: - cardinality: [] - field: [] - value: 400 - type: threshold - example4: - summary: Update new terms rule - value: - description: New description - 
history_window_start: now-7d - id: 569aac91-40dc-4807-a8ae-a2c8698089c4 - interval: 5m - name: New terms rule name - new_terms_fields: - - Endpoint.policy.applied.artifacts.global.identifiers.name - query: 'agent.version : "9.1.0"' - risk_score: 21 - severity: low - type: new_terms - example5: - summary: Update esql rule - value: - description: New description for esql rule - id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd - language: esql - name: New name for esql rule - query: | - FROM logs* - | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) /* MIN(dateField) finds the earliest timestamp in the dataset. */ - | EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW()) /* Calculates the event rate by dividing the total count of events by the time difference (in seconds) between the earliest event and the current time. */ - | KEEP event_rate - risk_score: 21 - severity: low - type: esql - example6: - summary: Update indicator match rule - value: - description: New description - id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd - name: New name for Indicator Match rule - query: source.ip:* or destination.ip:*\n - risk_score: 99 - severity: critical - threat_index: - - filebeat-* - - logs-ti_* - threat_mapping: - - entries: - - field: source.ip - type: mapping - value: threat.indicator.ip - - entries: - - field: destination.ip - type: mapping - value: threat.indicator.ip - threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"true"' - type: threat_match - example7: - summary: Update machine learning rule - value: - anomaly_threshold: 50 - description: New description of ml rule - id: 60b13926-289b-41b1-a537-197ef1fa5059 - machine_learning_job_id: - - auth_high_count_logon_events_ea - name: New name of ml rule - risk_score: 21 - severity: low - type: machine_learning - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps' - description: | - > info - 
> All unspecified fields are deleted. You cannot modify the `id` or `rule_id` values. - required: true - responses: - '200': - content: - application/json: - examples: - example1: - summary: Example response for an updated rule - value: - actions: [] - created_at: '2020-04-07T14:51:09.755Z' - created_by: elastic - description: Updated description for the rule. - enabled: false - false_positives: [] - filters: - - query: null - from: now-70m - id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: Updated Rule Name - query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - required_fields: - - name: process.parent.name - risk_score: 50 - rule_id: process_started_by_ms_office_program - setup: '' - severity: low - tags: - - child process - - ms office - threat: [] - to: now - type: query - updated_at: '2020-04-07T14:51:09.970Z' - updated_by: elastic - version: 2 - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Update a detection rule - tags: - - Security Detections API - x-metaTags: - - content: Kibana - name: product_name - /api/detection_engine/rules/_bulk_action: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/detection_engine/rules/_bulk_action
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs. - - The edit action allows you to add, delete, or set tags, index patterns, investigation fields, rule actions and schedules for multiple rules at once. - The edit action is idempotent, meaning that if you add a tag to a rule that already has that tag, no changes are made. The same is true for other edit actions, for example removing an index pattern that is not specified in a rule will not result in any changes. The only exception is the `add_rule_actions` and `set_rule_actions` action, which is non-idempotent. This means that if you add or set a rule action to a rule that already has that action, a new action is created with a new unique ID. - > warn - > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. - - > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. - operationId: PerformRulesBulkAction - parameters: - - description: | - Enables dry run mode for the request call. - - Enable dry run mode to verify that bulk actions can be applied to specified rules. Certain rules, such as prebuilt Elastic rules on a Basic subscription, can’t be edited and will return errors in the request response. Error details will contain an explanation, the rule name and/or ID, and additional troubleshooting information. - - To enable dry run mode on a request, add the query parameter `dry_run=true` to the end of the request URL. Rules specified in the request will be temporarily updated. 
These updates won’t be written to Elasticsearch. - > info - > Dry run mode is not supported for the `export` bulk action. A 400 error will be returned in the request response. - in: query - name: dry_run - required: false - schema: - type: boolean - requestBody: - content: - application/json: - examples: - example01: - description: The following request activates all rules with the test tag. - summary: Enable - Enable all rules with the test tag - value: - action: enable - query: 'alert.attributes.tags: "test"' - example02: - description: The following request enables the rule with the specified ID. - summary: Enable - Enable a specific rule by ID. - value: - action: enable - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example03: - description: The following request disables the rule with the specified ID. - summary: Disable - Disable a specific rule by ID - value: - action: disable - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example04: - description: The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions. - summary: Duplicate - Duplicate rules with specific IDs - value: - action: duplicate - duplicate: - include_exceptions: true - include_expired_exceptions: false - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - - 461a4c22-416e-4009-a9a7-cf79656454bf - example05: - description: The following request deletes the rule with the specified ID. - summary: Delete - Delete a specific rule by ID - value: - action: delete - ids: - - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 - example06: - description: The following request runs the rule with the specified ID within the given date range. - summary: Run - Run a specific rule by ID - value: - action: run - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - run: - end_date: '2025-03-10T23:59:59.999Z' - start_date: '2025-03-01T00:00:00.000Z' - example07: - description: The following request exports the rules with the specified IDs. 
- summary: Export - Export specific rules by ID - value: - action: export - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example08: - description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true - summary: Edit - dry run - Validate add_index_patterns bulk action - value: - action: edit - edit: - - type: add_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - - de8f5af0-0831-11ed-ac8b-05a222bd8d4a - example09: - description: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made. - summary: Edit - Add a tag to rules (idempotent) - value: - action: edit - edit: - - type: add_tags - value: - - tag-1 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example10: - description: The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made. - summary: Edit - Add two tags to rules (idempotent) - value: - action: edit - edit: - - type: add_tags - value: - - tag-1 - - tag-2 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example11: - description: The following request removes the tag "tag-1" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made. 
- summary: Edit - Delete a tag from rules (idempotent) - value: - action: edit - edit: - - type: delete_tags - value: - - tag-1 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example12: - description: The following request sets the tags "tag-1" and "tag-2" for the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. - summary: Edit - Set (overwrite existing) tags for rules (idempotent) - value: - action: edit - edit: - - type: set_tags - value: - - tag-1 - - tag-2 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example13: - description: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made. - summary: Edit - Add index patterns to rules (idempotent) - value: - action: edit - edit: - - type: add_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - example14: - description: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made. - summary: Edit - Remove index patterns from rules (idempotent) - value: - action: edit - edit: - - type: delete_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - example15: - description: The following request sets the index patterns "test-*" and "prod-*" for the rules with the specified IDs, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. 
- summary: Edit - Set (overwrite existing) index patterns for rules patterns (idempotent) - value: - action: edit - edit: - - type: set_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - example16: - description: The following request adds investigation field to the rules with the specified IDs. - summary: Edit - Add investigation field to rules - value: - action: edit - edit: - - type: add_investigation_fields - value: - field_names: - - alert.status - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example17: - description: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made. - summary: Edit - Delete investigation fields from rules (idempotent) - value: - action: edit - edit: - - type: delete_investigation_fields - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - value: - - field1 - - field2 - example18: - description: The following request sets investigation fields for the rules with the specified IDs, overwriting any existing investigation fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made. - summary: Edit - Set (overwrite existing) investigation fields for rules (idempotent) - value: - action: edit - edit: - - type: set_investigation_fields - value: - - field1 - - field2 - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example19: - description: The following request sets a timeline template for the rules with the specified IDs. If the same timeline template is already set for a rule, no changes are made. 
- summary: Edit - Set (overwrite existing) timeline template for rules (idempotent) - value: - action: edit - edit: - - type: set_timeline - value: - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - ids: - - eacdfc95-e007-41c9-986e-4b2cbdfdc71b - example20: - description: The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made. - summary: Edit - Set (overwrite existing) schedule for rules (idempotent) - value: - action: edit - edit: - - type: set_schedule - value: - interval: 1h - lookback: 30m - ids: - - 99887766-5544-3322-1100-aabbccddeeff - example21: - description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules (non-idempotent) - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: The message body - ids: - - 9e946bfc-3118-4c77-bb25-67d781191928 - example22: - description: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID. - summary: Edit - Set (overwrite existing) rule actions for rules (non-idempotent) - value: - action: edit - edit: - - type: set_rule_actions - value: - actions: - - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: The message body - ids: - - 9e946bfc-3118-4c77-bb25-67d781191928 - example23: - description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. 
- summary: Edit - Add rule actions to rules for a webhook connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: The message body - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example24: - description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for an email connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - message: The message body - subject: Subject - to: address@domain.com - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example25: - description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a slack connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - message: The content of the message - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example26: - description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a PagerDuty connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - eventAction: trigger - severity: critical - summary: The message body - timestamp: '2023-10-31T00:00:00.000Z' - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example27: - description: The following request set alert suppression to the rules with the specified IDs. 
- summary: Edit - Set alert suppression to rules (idempotent) - value: - action: edit - edit: - - type: set_alert_suppression - value: - duration: - unit: h - value: 1 - group_by: - - source.ip - missing_fields_strategy: suppress - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example28: - description: The following request set alert suppression to threshold rules with the specified IDs. - summary: Edit - Set alert suppression to threshold rules (idempotent) - value: - action: edit - edit: - - type: set_alert_suppression_for_threshold - value: - duration: - unit: h - value: 1 - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example29: - description: The following request removes alert suppression from the rules with the specified IDs. If the rules do not have alert suppression, no changes are made. - summary: Edit - Removes alert suppression from rules (idempotent) - value: - action: edit - edit: - - type: delete_alert_suppression - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example30: - description: The following request triggers the filling of gaps for the specified rule ids and time range - summary: Fill Gaps - Manually trigger the filling of gaps for specified rules - value: - action: fill_gaps - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - - 164d0918-f720-4c9f-9f5c-c5122587cf19 - run: - end_date: '2025-03-10T23:59:59.999Z' - start_date: '2025-03-01T00:00:00.000Z' - schema: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' - - $ref: '#/components/schemas/Security_Detections_API_BulkDisableRules' - - $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules' - - $ref: '#/components/schemas/Security_Detections_API_BulkExportRules' - - $ref: '#/components/schemas/Security_Detections_API_BulkDuplicateRules' - - $ref: '#/components/schemas/Security_Detections_API_BulkManualRuleRun' - - $ref: 
'#/components/schemas/Security_Detections_API_BulkManualRuleFillGaps' - - $ref: '#/components/schemas/Security_Detections_API_BulkEditRules' - responses: - '200': - content: - application/json: - examples: - example01: - description: In this response one rule was updated and one was skipped. Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason. - summary: Successful response - value: - attributes: - results: - created: [] - deleted: [] - skipped: - - id: 51658332-a15e-4c9e-912a-67214e2e2359 - name: Skipped rule - skip_reason: RULE_NOT_MODIFIED - updated: - - anomaly_threshold: 50 - author: - - Elastic - created_at: '2022-02-21T14:14:13.801Z' - created_by: elastic - description: A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data. - enabled: true - exceptions_list: [] - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. - metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: - - DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded. 
- from: now-45m - id: 8bc7dad0-9320-11ec-9265-8b772383a08d - immutable: false - interval: 15m - license: Elastic License v2 - machine_learning_job_id: - - packetbeat_dns_tunneling_ea - max_signals: 100 - name: DNS Tunneling [Duplicate] - references: - - https://www.elastic.co/docs/reference/machine-learning/ootb-ml-jobs-siem - related_integrations: [] - required_fields: [] - risk_score: 21 - risk_score_mapping: [] - rule_id: 7289bf08-4e91-4c70-bf01-e04c4c5d7756 - setup: '' - severity: low - severity_mapping: [] - tags: - - Elastic - - Network - - Threat Detection - - ML - threat: [] - to: now - type: machine_learning - updated_at: '2022-02-21T17:05:50.883Z' - updated_by: elastic - version: 6 - summary: - failed: 0 - skipped: 1 - succeeded: 1 - total: 2 - rules_count: 1 - success: true - example02: - description: If processing of any rule fails, a partial error outputs the ID and/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request). - summary: Partial failure - value: - value: - attributes: - errors: - - message: Index patterns can't be added. Machine learning rule doesn't have index patterns property - rules: - - id: 8bc7dad0-9320-11ec-9265-8b772383a08d - name: DNS Tunneling [Duplicate] - status_code: 500 - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: [] - author: - - Elastic - created_at: '2022-02-21T14:14:17.883Z' - created_by: elastic - description: Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app. - enabled: true - exceptions_list: [] - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. 
- metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: [] - from: now-6m - id: 8e5c1a40-9320-11ec-9265-8b772383a08d - immutable: false - index: - - apm-*-transaction* - - traces-apm* - - auditbeat-* - - filebeat-* - - logs-* - - packetbeat-* - - winlogbeat-* - - added-by-id-* - interval: 5m - language: kuery - license: Elastic License v2 - max_signals: 10000 - name: External Alerts [Duplicate] - query: | - event.kind:alert and not event.module:(endgame or endpoint) - references: [] - related_integrations: [] - required_fields: [] - risk_score: 47 - risk_score_mapping: - - field: event.risk_score - operator: equals - value: '' - rule_id: 941faf98-0cdc-4569-b16d-4af962914d61 - rule_name_override: message - setup: '' - severity: medium - severity_mapping: - - field: event.severity - operator: equals - severity: low - value: '21' - - field: event.severity - operator: equals - severity: medium - value: '47' - - field: event.severity - operator: equals - severity: high - value: '73' - - field: event.severity - operator: equals - severity: critical - value: '99' - tags: - - Elastic - - Network - - Windows - - APM - - macOS - - Linux - threat: [] - timestamp_override: event.ingested - to: now - type: query - updated_at: '2022-02-21T16:56:22.818Z' - updated_by: elastic - version: 5 - summary: - failed: 1 - skipped: 0 - succeeded: 1 - total: 2 - message: Bulk edit partially failed - rules_count: 2 - status_code: 500 - success: false - example03: - description: The attributes.errors section of the response shows that two rules failed to update and one succeeded. The same results would be returned if you ran the request without dry run mode enabled. Notice that there are no arrays in attributes.results. 
In dry run mode, rule updates are not applied and saved to Elasticsearch, so the endpoint wouldn’t return results for rules that have been updated, created, or deleted. - summary: Dry run - value: - attributes: - errors: - - err_code: IMMUTABLE - message: Elastic rule can't be edited - rules: - - id: 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - name: Unusual AWS Command for a User - status_code: 500 - - err_code: MACHINE_LEARNING_INDEX_PATTERN - message: Machine learning rule doesn't have index patterns - rules: - - id: dc015d10-0831-11ed-ac8b-05a222bd8d4a - name: Suspicious Powershell Script [Duplicate] - status_code: 500 - results: - created: [] - deleted: [] - skipped: [] - updated: [] - summary: - failed: 2 - skipped: 0 - succeeded: 1 - total: 3 - message: Bulk edit partially failed - status_code: 500 - example04: - description: This example presents the successful setting of tags for 2 rules. There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated. 
- summary: Set tags successsully for 2 rules - value: - attributes: - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: [] - author: [] - created_at: '2025-03-25T11:46:41.899Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-6m - id: 738112cd-6cfa-414a-8457-2a658845d6ba - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 5m - language: kuery - license: '' - max_signals: 100 - meta: - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Rule 1 - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 1 - risk_score: 21 - risk_score_mapping: [] - rule_id: 6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - threat: [] - to: now - type: query - updated_at: '2025-03-25T11:47:11.350Z' - updated_by: elastic - version: 2 - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: Hello - uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 - author: [] - created_at: '2025-03-25T09:49:08.343Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-360s - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 3m - investigation_fields: - field_names: - - alert.status - - Endpoint.policy.applied.artifacts.global.channel - language: kuery - license: '' - max_signals: 100 - meta: - from: 3m - 
kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Rule 2 - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 33 - risk_score: 21 - risk_score_mapping: [] - rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - threat: [] - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - to: now - type: query - updated_at: '2025-03-25T11:47:11.357Z' - updated_by: elastic - version: 24 - summary: - failed: 0 - skipped: 0 - succeeded: 2 - total: 2 - rules_count: 2 - success: true - example05: - description: This example presents the idempotent behavior of the edit action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them. - summary: Idempotent behavior of set_tags - value: - attributes: - results: - created: [] - deleted: [] - skipped: - - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - name: Rule 1 - skip_reason: RULE_NOT_MODIFIED - - id: 738112cd-6cfa-414a-8457-2a658845d6ba - name: Rule 2 - skip_reason: RULE_NOT_MODIFIED - updated: [] - summary: - failed: 0 - skipped: 2 - succeeded: 0 - total: 2 - rules_count: 2 - success: true - example06: - description: This example presents the idempotent behavior of the edit action with add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added. 
- summary: Idempotent behavior of add_tags - value: - attributes: - results: - created: [] - deleted: [] - skipped: - - id: 738112cd-6cfa-414a-8457-2a658845d6ba - name: Test Rule 2 - skip_reason: RULE_NOT_MODIFIED - updated: - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: Hello - uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 - author: [] - created_at: '2025-03-25T09:49:08.343Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-360s - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 3m - investigation_fields: - field_names: - - alert.status - - Endpoint.policy.applied.artifacts.global.channel - language: kuery - license: '' - max_signals: 100 - meta: - from: 3m - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Test rule - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 34 - risk_score: 21 - risk_score_mapping: [] - rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - - tag-4 - threat: [] - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - to: now - type: query - updated_at: '2025-03-25T11:55:12.752Z' - updated_by: elastic - version: 25 - summary: - failed: 0 - skipped: 1 - succeeded: 1 - total: 2 - rules_count: 2 - success: true - example07: - description: This example shows a non-idempotent nature of the set_rule_actions requests. 
Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID. - summary: Non-idempotent behavior for set_rule_actions - value: - attributes: - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: Hello - uuid: e48428e5-efac-4856-b8ad-b271c14eaa91 - author: [] - created_at: '2025-03-25T09:49:08.343Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-360s - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 3m - investigation_fields: - field_names: - - alert.status - - Endpoint.policy.applied.artifacts.global.channel - language: kuery - license: '' - max_signals: 100 - meta: - from: 3m - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Test rule - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 39 - risk_score: 21 - risk_score_mapping: [] - rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - - tag-4 - threat: [] - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - to: now - type: query - updated_at: '2025-03-25T12:17:40.528Z' - updated_by: elastic - version: 30 - summary: - failed: 0 - skipped: 0 - succeeded: 1 - total: 1 - rules_count: 1 - success: true - example08: - description: This example shows a non-idempotent nature of the add_rule_actions requests. 
Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID. - summary: Non-idempotent behavior for add_rule_actions - value: - attributes: - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 - params: - body: Message body - uuid: 0309347e-3954-429c-9168-5da2663389af - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 - params: - body: Message body - uuid: 49ddaa94-d63d-410e-90dc-8c1bad9552bd - author: [] - created_at: '2025-04-02T12:42:03.400Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-6m - id: 0d3eb0cd-88c4-4651-ac87-6d9f0cb87217 - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 5m - language: kuery - license: '' - max_signals: 100 - meta: - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Jacek test rule - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 2 - risk_score: 21 - risk_score_mapping: [] - rule_id: 2684c020-1370-4719-ac27-eafe6428fe10 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: [] - threat: [] - to: now - type: query - updated_at: '2025-04-02T12:51:40.215Z' - updated_by: elastic - version: 2 - summary: - failed: 0 - skipped: 0 - succeeded: 1 - total: 1 - rules_count: 1 - success: true - schema: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResponse' - - $ref: 
'#/components/schemas/Security_Detections_API_BulkExportActionResponse' - description: OK - summary: Apply a bulk action to detection rules - tags: - - Security Detections API - x-metaTags: - - content: Kibana - name: product_name - /api/detection_engine/rules/_export: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/detection_engine/rules/_export
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Export detection rules to an `.ndjson` file. The following configuration items are also included in the `.ndjson` file: - - Actions - - Exception lists - > info - > Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules. - - > You can use Kibana’s [Saved Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules. - - > Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately. - operationId: ExportRules - parameters: - - description: Determines whether a summary of the exported rules is returned. - in: query - name: exclude_export_details - required: false - schema: - default: false - type: boolean - - description: | - File name for saving the exported rules. - > info - > When using cURL to export rules to a file, use the -O and -J options to save the rules to the file name specified in the URL. 
- in: query - name: file_name - required: false - schema: - default: export.ndjson - type: string - requestBody: - content: - application/json: - schema: - nullable: true - type: object - properties: - objects: - description: Array of objects with a rule's `rule_id` field. Do not use rule's `id` here. Exports all rules when unspecified. - items: - type: object - properties: - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - required: - - rule_id - type: array - required: - - objects - required: false - responses: - '200': - content: - application/ndjson: - schema: - description: | - An `.ndjson` file containing the returned rules. - - Each line in the file represents an object (a rule, exception list parent container, or exception list item), and the last line includes a summary of what was exported. - format: binary - type: string - description: Indicates a successful call. - summary: Export detection rules - tags: - - Security Detections API - x-codeSamples: - - lang: cURL - source: | - curl -X POST "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' - { - "objects": [ - { - "rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900" - }, - { - "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d" - } - ] - } - x-metaTags: - - content: Kibana - name: product_name - /api/detection_engine/rules/_find: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/detection_engine/rules/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page. - operationId: FindRules - parameters: - - in: query - name: fields - required: false - schema: - items: - type: string - type: array - - description: | - Search query - - Filters the returned results according to the value of the specified field, using the alert.attributes.: syntax, where can be: - - name - - enabled - - tags - - createdBy - - interval - - updatedBy - > info - > Even though the JSON rule object uses created_by and updated_by fields, you must use createdBy and updatedBy fields in the filter. - in: query - name: filter - required: false - schema: - type: string - - description: Field to sort by - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_FindRulesSortField' - - description: Sort order - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_SortOrder' - - description: Page number - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: integer - - description: Rules per page - in: query - name: per_page - required: false - schema: - default: 20 - minimum: 0 - type: integer - - description: Gaps range start - in: query - name: gaps_range_start - required: false - schema: - type: string - - description: Gaps range end - in: query - name: gaps_range_end - required: false - schema: - type: string - - description: Gap fill statuses - in: query - name: gap_fill_statuses - required: false - schema: - items: - $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' - type: array - - description: Gap auto fill scheduler ID used to determine gap fill status for rules - in: query - name: gap_auto_fill_scheduler_id - required: false - schema: - type: string - responses: - '200': - 
content: - application/json: - examples: - example1: - value: - data: - - created_at: '2020-02-02T10:05:19.613Z' - created_by: elastic - description: Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity. - enabled: false - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. - metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: [] - from: now-6m - id: 89761517-fdb0-4223-b67b-7621acc48f9e - immutable: true - index: - - winlogbeat-* - interval: 5m - language: kuery - max_signals: 33 - name: Windows Script Executing PowerShell - query: 'event.action:"Process Create (rule: ProcessCreate)" and process.parent.name:("wscript.exe" or "cscript.exe") and process.name:"powershell.exe"' - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: event.action - type: keyword - - ecs: true - name: process.name - type: keyword - - ecs: true - name: process.parent.name - type: keyword - risk_score: 21 - rule_id: f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc - setup: '' - severity: low - tags: - - Elastic - - Windows - threat: - - framework: MITRE ATT&CK - tactic: - id: TA0002 - name: Execution - reference: https://attack.mitre.org/tactics/TA0002/ - technique: - - id: T1193 - name: Spearphishing Attachment - reference: https://attack.mitre.org/techniques/T1193/ - to: now - type: query - updated_at: '2020-02-02T10:05:19.830Z' - updated_by: elastic - page: 1 - perPage: 5 - total: 4 - schema: - type: object - properties: - data: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - 
type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - warnings: - items: - $ref: '#/components/schemas/Security_Detections_API_WarningSchema' - type: array - required: - - page - - perPage - - total - - data - description: | - Successful response - > info - > These fields are under development and their usage or schema may change: execution_summary. - summary: List all detection rules - tags: - - Security Detections API - x-codeSamples: - - lang: cURL - source: | - curl -X GET "localhost:5601/api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows" -H 'kbn-xsrf: true' - x-metaTags: - - content: Kibana - name: product_name - /api/detection_engine/rules/_import: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/detection_engine/rules/_import
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Import detection rules from an `.ndjson` file, including actions and exception lists. The request must include: - - The `Content-Type: multipart/form-data` HTTP header. - - A link to the `.ndjson` file containing the rules. - > warn - > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. - - > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. - > info - > To import rules with actions, you need at least Read privileges for the Action and Connectors feature. To overwrite or add new connectors, you need All privileges for the Actions and Connectors feature. To import rules without actions, you don’t need Actions and Connectors privileges. Refer to [Enable and access detections](https://www.elastic.co/docs/solutions/security/detect-and-alert/detections-privileges) for more information. - - > info - > Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules. - - > You can use Kibana’s [Saved Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules. 
- - > Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately. - operationId: ImportRules - parameters: - - description: Determines whether existing rules with the same `rule_id` are overwritten. - in: query - name: overwrite - required: false - schema: - default: false - type: boolean - - description: Determines whether existing exception lists with the same `list_id` are overwritten. Both the exception list container and its items are overwritten. - in: query - name: overwrite_exceptions - required: false - schema: - default: false - type: boolean - - description: Determines whether existing actions with the same `kibana.alert.rule.actions.id` are overwritten. - in: query - name: overwrite_action_connectors - required: false - schema: - default: false - type: boolean - - description: Generates a new list ID for each imported exception list. - in: query - name: as_new_list - required: false - schema: - default: false - type: boolean - requestBody: - content: - multipart/form-data: - schema: - type: object - properties: - file: - description: The `.ndjson` file containing the rules. 
- format: binary - type: string - required: true - responses: - '200': - content: - application/json: - examples: - example1: - summary: Import rules with success - value: - errors: [] - exceptions_errors: [] - exceptions_success: true - exceptions_success_count: 0 - rules_count: 1 - success: true - success_count: 1 - schema: - additionalProperties: false - type: object - properties: - action_connectors_errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - action_connectors_success: - type: boolean - action_connectors_success_count: - minimum: 0 - type: integer - action_connectors_warnings: - items: - $ref: '#/components/schemas/Security_Detections_API_WarningSchema' - type: array - errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - exceptions_errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - exceptions_success: - type: boolean - exceptions_success_count: - minimum: 0 - type: integer - rules_count: - minimum: 0 - type: integer - success: - type: boolean - success_count: - minimum: 0 - type: integer - required: - - exceptions_success - - exceptions_success_count - - exceptions_errors - - rules_count - - success - - success_count - - errors - - action_connectors_errors - - action_connectors_warnings - - action_connectors_success - - action_connectors_success_count - description: Indicates a successful call. - summary: Import detection rules - tags: - - Security Detections API - x-codeSamples: - - lang: cURL - source: | - curl -X POST "/api/detection_engine/rules/_import" - -u : -H 'kbn-xsrf: true' - -H 'Content-Type: multipart/form-data' - --form "file=@" - x-metaTags: - - content: Kibana - name: product_name - /api/detection_engine/rules/{id}/exceptions: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/detection_engine/rules/{id}/exceptions
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create exception items that apply to a single detection rule. - operationId: CreateRuleExceptionListItems - parameters: - - description: Detection rule's identifier - examples: - id: - value: 330bdd28-eedf-40e1-bed0-f10176c7f9e0 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_UUID' - requestBody: - content: - application/json: - schema: - example: - items: - - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - type: simple - type: object - properties: - items: - items: - $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps' - type: array - required: - - items - description: Rule exception items. - required: true - responses: - '200': - content: - application/json: - examples: - ruleExceptionItems: - value: - - _version: WzQsMV0= - comments: [] - created_at: '2025-01-07T20:07:33.119Z' - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: '2025-01-07T20:07:33.119Z' - updated_by: elastic - schema: - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - type: array - description: Successful response - '400': - content: - application/json: - examples: - badPayload: - value: - error: Bad Request - message: Invalid request payload JSON format - statusCode: 400 - badRequest: - value: - error: Bad Request - message: '[request params]: id: Invalid uuid' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - message: Unable to create exception-list - status_code: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal 
Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create rule exception items - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana - name: product_name - /api/detection_engine/rules/prepackaged: - put: - description: | - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/detection_engine/rules/prepackaged
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Install and update all Elastic prebuilt detection rules and Timelines. - - This endpoint allows you to install and update prebuilt detection rules and Timelines provided by Elastic. - When you call this endpoint, it will: - - Install any new prebuilt detection rules that are not currently installed in your system. - - Update any existing prebuilt detection rules that have been modified or improved by Elastic. - - Install any new prebuilt Timelines that are not currently installed in your system. - - Update any existing prebuilt Timelines that have been modified or improved by Elastic. - - This ensures that your detection engine is always up-to-date with the latest rules and Timelines, - providing you with the most current and effective threat detection capabilities. - operationId: InstallPrebuiltRulesAndTimelines - responses: - '200': - content: - application/json: - examples: - example1: - value: - rules_installed: 112 - rules_updated: 0 - timelines_installed: 5 - timelines_updated: 2 - schema: - additionalProperties: false - type: object - properties: - rules_installed: - description: The number of rules installed - minimum: 0 - type: integer - rules_updated: - description: The number of rules updated - minimum: 0 - type: integer - timelines_installed: - description: The number of timelines installed - minimum: 0 - type: integer - timelines_updated: - description: The number of timelines updated - minimum: 0 - type: integer - required: - - rules_installed - - rules_updated - - timelines_installed - - timelines_updated - description: Indicates a successful call - summary: Install prebuilt detection rules and Timelines - tags: - - Security Detections API - x-metaTags: - - content: Kibana - name: product_name - /api/detection_engine/rules/prepackaged/_status: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/detection_engine/rules/prepackaged/_status
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve the status of all Elastic prebuilt detection rules and Timelines. - - This endpoint provides detailed information about the number of custom rules, installed prebuilt rules, available prebuilt rules that are not installed, outdated prebuilt rules, installed prebuilt timelines, available prebuilt timelines that are not installed, and outdated prebuilt timelines. - operationId: ReadPrebuiltRulesAndTimelinesStatus - responses: - '200': - content: - application/json: - examples: - example1: - value: - rules_custom_installed: 0 - rules_installed: 0 - rules_not_installed: 112 - rules_not_updated: 0 - timelines_installed: 0 - timelines_not_installed: 0 - timelines_not_updated: 0 - schema: - additionalProperties: false - type: object - properties: - rules_custom_installed: - description: The total number of custom rules - minimum: 0 - type: integer - rules_installed: - description: The total number of installed prebuilt rules - minimum: 0 - type: integer - rules_not_installed: - description: The total number of available prebuilt rules that are not installed - minimum: 0 - type: integer - rules_not_updated: - description: The total number of outdated prebuilt rules - minimum: 0 - type: integer - timelines_installed: - description: The total number of installed prebuilt timelines - minimum: 0 - type: integer - timelines_not_installed: - description: The total number of available prebuilt timelines that are not installed - minimum: 0 - type: integer - timelines_not_updated: - description: The total number of outdated prebuilt timelines - minimum: 0 - type: integer - required: - - rules_custom_installed - - rules_installed - - rules_not_installed - - rules_not_updated - - timelines_installed - - timelines_not_installed - - timelines_not_updated - description: Indicates a successful call - summary: Retrieve the status of prebuilt detection rules and Timelines - 
tags: - - Security Detections API - x-metaTags: - - content: Kibana - name: product_name - /api/detection_engine/rules/preview: - post: - operationId: RulePreview - parameters: - - description: Enables logging and returning in response ES queries, performed during rule execution - in: query - name: enable_logged_requests - required: false - schema: - type: boolean - requestBody: - content: - application/json: - schema: - anyOf: - - allOf: - - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - - allOf: - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - - allOf: - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - - allOf: - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - - allOf: - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - - allOf: - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - - allOf: - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - - allOf: - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - discriminator: - propertyName: type - description: An object containing tags to add or remove and alert ids the changes will be applied - required: true - responses: - '200': - content: - application/json: - schema: - type: 
object - properties: - isAborted: - type: boolean - logs: - items: - $ref: '#/components/schemas/Security_Detections_API_RulePreviewLogs' - type: array - previewId: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - required: - - logs - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Preview rule alerts generated on specified time range - tags: - - Security Detections API - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/detection_engine/rules/preview
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/detection_engine/signals/assignees: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/detection_engine/signals/assignees
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Assign users to detection alerts, and unassign them from alerts. - > info - > You cannot add and remove the same assignee in the same request. - operationId: SetAlertAssignees - requestBody: - content: - application/json: - examples: - add: - $ref: '#/components/examples/Security_Detections_API_SetAlertAssigneesBodyAdd' - remove: - $ref: '#/components/examples/Security_Detections_API_SetAlertAssigneesBodyRemove' - schema: - $ref: '#/components/schemas/Security_Detections_API_SetAlertAssigneesBody' - required: true - responses: - '200': - content: - application/ndjson: - examples: - add: - value: - batches: 1, - deleted: 0, - failures: [] - noops: 0, - requests_per_second: '-1,' - retries: - - bulk: 0, - - search: 0 - throttled_millis: 0, - throttled_until_millis: 0, - timed_out: false, - took: 76, - total: 1, - updated: 1, - version_conflicts: 0, - description: Indicates a successful call. - '400': - description: Invalid request. - summary: Assign and unassign users from detection alerts - tags: - - Security Detections API - x-metaTags: - - content: Kibana - name: product_name - /api/detection_engine/signals/finalize_migration: - post: - deprecated: true - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/detection_engine/signals/finalize_migration
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Finalize successful migrations of detection alerts. This replaces the original index's alias with the successfully migrated index's alias. - The endpoint is idempotent; therefore, it can safely be used to poll a given migration and, upon completion, - finalize it. - operationId: FinalizeAlertsMigration - requestBody: - content: - application/json: - schema: - example: - migration_ids: - - 924f7c50-505f-11eb-ae0a-3fa2e626a51d - type: object - properties: - migration_ids: - description: Array of `migration_id`s to finalize. - items: - type: string - minItems: 1 - type: array - required: - - migration_ids - description: Array of `migration_id`s to finalize - required: true - responses: - '200': - content: - application/json: - examples: - success: - value: - migrations: - - completed: true - destinationIndex: .siem-signals-default-000002-r000016 - id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d - sourceIndex: .siem-signals-default-000002 - status: success - updated: '2021-01-06T22:05:56.859Z' - version: 16 - schema: - items: - $ref: '#/components/schemas/Security_Detections_API_MigrationFinalizationResult' - type: array - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Finalize detection alert migrations - tags: - - Security Detections API - x-metaTags: - - content: Kibana - name: 
product_name - /api/detection_engine/signals/migration: - delete: - deprecated: true - description: | - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/detection_engine/signals/migration
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Migrations favor data integrity over shard size. Consequently, unused or orphaned indices are artifacts of - the migration process. A successful migration will result in both the old and new indices being present. - As such, the old, orphaned index can (and likely should) be deleted. - - While you can delete these indices manually, - the endpoint accomplishes this task by applying a deletion policy to the relevant index, causing it to be deleted - after 30 days. It also deletes other artifacts specific to the migration implementation. - operationId: AlertsMigrationCleanup - requestBody: - content: - application/json: - schema: - example: - migration_ids: - - 924f7c50-505f-11eb-ae0a-3fa2e626a51d - type: object - properties: - migration_ids: - description: Array of `migration_id`s to cleanup. - items: - type: string - minItems: 1 - type: array - required: - - migration_ids - description: Array of `migration_id`s to cleanup - required: true - responses: - '200': - content: - application/json: - examples: - success: - value: - migrations: - - destinationIndex: .siem-signals-default-000002-r000016 - id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d - sourceIndex: .siem-signals-default-000002 - status: success - updated: '2021-01-06T22:05:56.859Z' - version: 16 - schema: - items: - $ref: '#/components/schemas/Security_Detections_API_MigrationCleanupResult' - type: array - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '500': - content: - application/json: - 
schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Clean up detection alert migrations - tags: - - Security Detections API - x-metaTags: - - content: Kibana - name: product_name - post: - deprecated: true - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/detection_engine/signals/migration
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Initiate a migration of detection alerts. - Migrations are initiated per index. While the process is neither destructive nor interferes with existing data, it may be resource-intensive. As such, it is recommended that you plan your migrations accordingly. - operationId: CreateAlertsMigration - requestBody: - content: - application/json: - examples: - singleIndex: - value: - index: - - .siem-signals-default-000001 - schema: - allOf: - - type: object - properties: - index: - description: Array of index names to migrate. - items: - format: nonempty - minLength: 1 - type: string - minItems: 1 - type: array - required: - - index - - $ref: '#/components/schemas/Security_Detections_API_AlertsReindexOptions' - description: Alerts migration parameters - required: true - responses: - '200': - content: - application/json: - examples: - success: - value: - indices: - - index: .siem-signals-default-000001, - migration_id: 923f7c50-505f-11eb-ae0a-3fa2e626a51d - migration_index: .siem-signals-default-000001-r000016 - schema: - type: object - properties: - indices: - items: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexMigrationSuccess' - - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexMigrationError' - - $ref: '#/components/schemas/Security_Detections_API_SkippedAlertsIndexMigration' - type: array - required: - - indices - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '500': - content: - application/json: - schema: 
- $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Initiate a detection alert migration - tags: - - Security Detections API - x-metaTags: - - content: Kibana - name: product_name - /api/detection_engine/signals/migration_status: - get: - deprecated: true - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/detection_engine/signals/migration_status
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve indices that contain detection alerts of a particular age, along with migration information for each of those indices. - operationId: ReadAlertsMigrationStatus - parameters: - - description: Maximum age of qualifying detection alerts - in: query - name: from - required: true - schema: - description: | - Time from which data is analyzed. For example, now-4200s means the rule analyzes data from 70 minutes - before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time). - example: now-30d - format: date-math - type: string - responses: - '200': - content: - application/json: - examples: - success: - value: - indices: - - index: .siem-signals-default-000002 - is_outdated: true - migrations: - - id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d - status: pending - updated: '2021-01-06T20:41:37.173Z' - version: 16 - signal_versions: - - count: 100 - version: 15 - - count: 87 - version: 16 - version: 15 - - index: .siem-signals-default-000003 - is_outdated: false - migrations: [] - signal_versions: - - count: 54 - version: 16 - version: 16 - schema: - type: object - properties: - indices: - items: - $ref: '#/components/schemas/Security_Detections_API_IndexMigrationStatus' - type: array - required: - - indices - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response 
- summary: Retrieve the status of detection alert migrations - tags: - - Security Detections API - x-metaTags: - - content: Kibana - name: product_name - /api/detection_engine/signals/search: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/detection_engine/signals/search
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Find and/or aggregate detection alerts that match the given query. - operationId: SearchAlerts - requestBody: - content: - application/json: - examples: - query: - value: - aggs: - alertsByGrouping: - terms: - field: host.name - size: 10 - missingFields: - missing: - field: host.name - query: - bool: - filter: - - bool: - filter: - - match_phrase: - kibana.alert.workflow_status: open - must: [] - must_not: - - exists: - field: kibana.alert.building_block_type - should: [] - - range: - '@timestamp': - gte: '2025-01-17T08:00:00.000Z' - lte: '2025-01-18T07:59:59.999Z' - runtime_mappings: {} - size: 0 - schema: - $ref: '#/components/schemas/Security_Detections_API_QueryAlertsBodyParams' - description: Elasticsearch query and aggregation request - description: Search and/or aggregation query - required: true - responses: - '200': - content: - application/json: - examples: - success: - value: - _shards: - failed: 0 - skipped: 0 - successful: 1 - total: 1 - aggregations: - alertsByGrouping: - buckets: - - doc_count: 5 - key: Host-f43kkddfyc - doc_count_error_upper_bound: 0 - sum_other_doc_count: 0 - missingFields: - doc_count: 0 - hits: - hits: [] - max_score: null - total: - relation: eq - value: 5 - timed_out: false - took: 0 - schema: - additionalProperties: true - description: Elasticsearch search response - type: object - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '500': - content: - application/json: - schema: - $ref: 
'#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Find and/or aggregate detection alerts - tags: - - Security Detections API - x-metaTags: - - content: Kibana - name: product_name - /api/detection_engine/signals/status: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/detection_engine/signals/status
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Set the status of one or more detection alerts. - operationId: SetAlertsStatus - requestBody: - content: - application/json: - examples: - byId: - value: - signal_ids: - - 80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1 - status: closed - byQuery: - value: - conflicts: proceed - query: - bool: - filter: - - '@timestamp': - format: strict_date_optional_time - gte: '2024-10-23T07:00:00.000Z' - lte: '2025-01-21T20:12:11.704Z' - range: null - - bool: - filter: - bool: - filter: - - match_phrase: - kibana.alert.workflow_status: open - - '@timestamp': - format: strict_date_optional_time - gte: '2024-10-23T07:00:00.000Z' - lte: '2025-01-21T20:12:11.704Z' - range: null - must: [] - must_not: - - exists: - field: kibana.alert.building_block_type - should: [] - must: [] - must_not: [] - should: [] - status: closed - schema: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByIds' - - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByQuery' - description: An object containing desired status and explicit alert ids or a query to select alerts - required: true - responses: - '200': - content: - application/json: - examples: - byId: - value: - batches: 1 - deleted: 0 - failures: [] - noops: 0 - requests_per_second: -1 - retries: - bulk: 0 - search: 0 - throttled_millis: 0 - throttled_until_millis: 0 - timed_out: false - took: 81 - total: 1 - updated: 1 - version_conflicts: 0 - byQuery: - value: - batches: 1 - deleted: 0 - failures: [] - noops: 0 - requests_per_second: -1 - retries: - bulk: 0 - search: 0 - throttled_millis: 0 - throttled_until_millis: 0 - timed_out: false - took: 100 - total: 17 - updated: 17 - version_conflicts: 0 - schema: - additionalProperties: true - description: Elasticsearch update by query response - type: object - description: Successful response - '400': - content: - application/json: - 
schema: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Set a detection alert status - tags: - - Security Detections API - x-metaTags: - - content: Kibana - name: product_name - /api/detection_engine/signals/tags: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/detection_engine/signals/tags
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - And tags to detection alerts, and remove them from alerts. - > info - > You cannot add and remove the same alert tag in the same request. - operationId: SetAlertTags - requestBody: - content: - application/json: - examples: - add: - $ref: '#/components/examples/Security_Detections_API_SetAlertTagsBodyAdd' - remove: - $ref: '#/components/examples/Security_Detections_API_SetAlertTagsBodyRemove' - schema: - $ref: '#/components/schemas/Security_Detections_API_SetAlertTagsBody' - description: An object containing tags to add or remove and alert ids the changes will be applied - required: true - responses: - '200': - content: - application/json: - examples: - success: - value: - batches: 1, - deleted: 0, - failures: [] - noops: 0, - requests_per_second: '-1,' - retries: - bulk: 0, - search: 0 - throttled_millis: 0, - throttled_until_millis: 0, - timed_out: false, - took: 68, - total: 1, - updated: 1, - version_conflicts: 0, - schema: - additionalProperties: true - description: Elasticsearch update by query response - type: object - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Add and remove detection alert tags - tags: - - Security Detections API - x-metaTags: - - content: Kibana - name: product_name - /api/detection_engine/tags: - get: - description: |- - **Spaces method and 
path for this operation:** - -
get /s/{space_id}/api/detection_engine/tags
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all unique tags from all detection rules. - operationId: ReadTags - responses: - '200': - content: - application/json: - examples: - example1: - value: - - zeek - - suricata - - windows - - linux - - network - - initial access - - remote access - - phishing - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - description: Indicates a successful call - summary: List all detection rule tags - tags: - - Security Detections API - x-metaTags: - - content: Kibana - name: product_name - /api/encrypted_saved_objects/_rotate_key: - post: - description: | - Superuser role required. - - If a saved object cannot be decrypted using the primary encryption key, then Kibana will attempt to decrypt it using the specified decryption-only keys. In most of the cases this overhead is negligible, but if you're dealing with a large number of saved objects and experiencing performance issues, you may want to rotate the encryption key. - - This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. - operationId: rotateEncryptionKey - parameters: - - description: | - Specifies a maximum number of saved objects that Kibana can process in a single batch. Bulk key rotation is an iterative process since Kibana may not be able to fetch and process all required saved objects in one go and splits processing into consequent batches. By default, the batch size is 10000, which is also a maximum allowed value. - in: query - name: batch_size - required: false - schema: - default: 10000 - type: number - - description: | - Limits encryption key rotation only to the saved objects with the specified type. 
By default, Kibana tries to rotate the encryption key for all saved object types that may contain encrypted attributes. - in: query - name: type - required: false - schema: - type: string - responses: - '200': - content: - application/json: - examples: - rotateEncryptionKeyResponse: - $ref: '#/components/examples/Saved_objects_key_rotation_response' - schema: - type: object - properties: - failed: - description: | - Indicates the number of the saved objects that were still encrypted with one of the old encryption keys that Kibana failed to re-encrypt with the primary key. - type: number - successful: - description: | - Indicates the total number of all encrypted saved objects (optionally filtered by the requested `type`), regardless of the key Kibana used for encryption. - - NOTE: In most cases, `total` will be greater than `successful` even if `failed` is zero. The reason is that Kibana may not need or may not be able to rotate encryption keys for all encrypted saved objects. - type: number - total: - description: | - Indicates the total number of all encrypted saved objects (optionally filtered by the requested `type`), regardless of the key Kibana used for encryption. - type: number - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request - '429': - content: - application/json: - schema: - type: object - description: Already in progress. - summary: Rotate a key for encrypted saved objects - tags: - - saved objects - x-metaTags: - - content: Kibana - name: product_name - /api/endpoint_list: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint_list
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create the exception list for Elastic Endpoint rule exceptions. When you create the exception list, it will have a `list_id` of `endpoint_list`. If the Elastic Endpoint exception list already exists, your request will return an empty response. - operationId: CreateEndpointList - responses: - '200': - content: - application/json: - examples: - alreadyExists: - summary: Endpoint exception list already exists (empty response) - value: {} - newList: - summary: Endpoint exception list created - value: - created_at: '2025-01-01T00:00:00.000Z' - created_by: elastic - description: Endpoint Security Exception List - id: 2e23a8c4-ef7e-4c10-adfa-3eae4e4b4b8b - immutable: false - list_id: endpoint_list - name: Endpoint Security Exception List - namespace_type: agnostic - os_types: [] - tags: [] - tie_breaker_id: e3c5a8e0-5b6a-4b4b-8b3a-2e23a8c4ef7e - type: endpoint - updated_at: '2025-01-01T00:00:00.000Z' - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointList' - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Invalid input data - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - description: Insufficient privileges - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Internal server error - summary: Create an Elastic Endpoint rule 
exception list - tags: - - Security Endpoint Exceptions API - x-metaTags: - - content: Kibana - name: product_name - /api/endpoint_list/items: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/endpoint_list/items
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. - operationId: DeleteEndpointListItem - parameters: - - description: Either `id` or `item_id` must be specified - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' - - description: Either `id` or `item_id` must be specified - in: query - name: item_id - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' - responses: - '200': - content: - application/json: - examples: - deleted: - summary: Deleted endpoint exception list item - value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: [] - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Invalid input data - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication - '403': - content: - application/json: - 
schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - description: Insufficient privileges - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Endpoint list item not found - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Internal server error - summary: Delete an Elastic Endpoint exception list item - tags: - - Security Endpoint Exceptions API - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/endpoint_list/items
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the details of an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. - operationId: ReadEndpointListItem - parameters: - - description: Either `id` or `item_id` must be specified - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' - - description: Either `id` or `item_id` must be specified - in: query - name: item_id - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' - responses: - '200': - content: - application/json: - examples: - item: - summary: Endpoint exception list item - value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Invalid input data - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication - '403': - content: - 
application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - description: Insufficient privileges - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Endpoint list item not found - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Internal server error - summary: Get an Elastic Endpoint rule exception list item - tags: - - Security Endpoint Exceptions API - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint_list/items
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create an Elastic Endpoint exception list item, and associate it with the Elastic Endpoint exception list. - operationId: CreateEndpointListItem - requestBody: - content: - application/json: - examples: - matchAny: - summary: Exclude multiple process names - value: - description: Exclude common security tools from endpoint protection - entries: - - field: process.name - operator: included - type: match_any - value: - - scanner.exe - - updater.exe - name: Trusted security tools - os_types: - - windows - type: simple - simpleMatch: - summary: Block a specific file hash - value: - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - name: Block malicious file - os_types: - - windows - tags: - - policy:all - type: simple - schema: - type: object - properties: - comments: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' - default: [] - description: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' - entries: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' - item_id: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' - meta: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' - name: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' - os_types: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' - default: [] - tags: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' - default: [] - type: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' - required: - - type - - name - - 
description - - entries - description: Exception list item's properties - required: true - responses: - '200': - content: - application/json: - examples: - created: - summary: Endpoint exception list item created - value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Invalid input data - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - description: Insufficient privileges - '409': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Endpoint list item already exists - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Internal server error - summary: Create an Elastic Endpoint rule exception list item 
- tags: - - Security Endpoint Exceptions API - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/endpoint_list/items
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. - operationId: UpdateEndpointListItem - requestBody: - content: - application/json: - examples: - updateName: - summary: Update an endpoint exception list item - value: - description: Updated description for the exception - entries: - - field: file.hash.sha256 - operator: included - type: match - value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - item_id: block-malicious-file - name: Block malicious file (updated) - os_types: - - windows - - linux - type: simple - schema: - type: object - properties: - _version: - description: The version id, normally returned by the API when the item is retrieved. Use it ensure updates are made against the latest version. - type: string - comments: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' - default: [] - description: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' - entries: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' - id: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' - description: Either `id` or `item_id` must be specified - item_id: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' - description: Either `id` or `item_id` must be specified - meta: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' - name: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' - os_types: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' - default: [] - tags: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' - type: - $ref: 
'#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' - required: - - type - - name - - description - - entries - description: Exception list item's properties - required: true - responses: - '200': - content: - application/json: - examples: - updated: - summary: Endpoint exception list item updated - value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Updated description for the exception - entries: - - field: file.hash.sha256 - operator: included - type: match - value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file (updated) - namespace_type: agnostic - os_types: - - windows - - linux - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-15T09:30:00.000Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Invalid input data - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - description: Insufficient privileges - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Endpoint list item not found - '500': - content: - application/json: - schema: - $ref: 
'#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Internal server error - summary: Update an Elastic Endpoint rule exception list item - tags: - - Security Endpoint Exceptions API - x-metaTags: - - content: Kibana - name: product_name - /api/endpoint_list/items/_find: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/endpoint_list/items/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all Elastic Endpoint exception list items. - operationId: FindEndpointListItems - parameters: - - description: | - Filters the returned results according to the value of the specified field, - using the `:` syntax. - in: query - name: filter - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - - description: The page number to return - in: query - name: page - required: false - schema: - minimum: 0 - type: integer - - description: The number of exception list items to return per page - in: query - name: per_page - required: false - schema: - minimum: 0 - type: integer - - description: Determines which field is used to sort the results - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - - description: Determines the sort order, which can be `desc` or `asc` - in: query - name: sort_order - required: false - schema: - enum: - - desc - - asc - type: string - responses: - '200': - content: - application/json: - examples: - foundItems: - summary: Found endpoint exception list items - value: - data: - - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic - page: 1 - per_page: 20 - total: 1 - schema: - type: object - properties: - data: - description: The list 
of endpoint exception list items. - items: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' - type: array - page: - description: The current page number. - minimum: 0 - type: integer - per_page: - description: The number of items per page. - minimum: 0 - type: integer - pit: - description: The point-in-time ID for pagination. - type: string - total: - description: The total number of endpoint exception list items. - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Invalid input data - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - description: Insufficient privileges - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Endpoint list not found - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' - description: Internal server error - summary: Get Elastic Endpoint exception list items - tags: - - Security Endpoint Exceptions API - x-metaTags: - - content: Kibana - name: product_name - /api/endpoint/action: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/endpoint/action
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all response actions. - operationId: EndpointGetActionsList - parameters: - - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' - - in: query - name: commands - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' - - in: query - name: agentIds - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' - - in: query - name: userIds - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' - - in: query - name: startDate - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' - - in: query - name: endDate - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' - - in: query - name: agentTypes - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - - in: query - name: withOutputs - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' - - in: query - name: types - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse' - description: Indicates a successful call. - summary: Get response actions - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana - name: product_name - /api/endpoint/action_status: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/endpoint/action_status
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the status of response actions for the specified agent IDs. - operationId: EndpointGetActionsStatus - parameters: - - description: A list of agent IDs to get the action status for. - in: query - name: agent_ids - required: true - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse' - description: Indicates a successful call. - summary: Get response actions status - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana - name: product_name - /api/endpoint/action/{action_id}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/endpoint/action/{action_id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the details of a response action using the action ID. - operationId: EndpointGetActionsDetails - parameters: - - in: path - name: action_id - required: true - schema: - description: The ID of the action to retrieve. - example: fr518850-681a-4y60-aa98-e22640cae2b8 - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionDetailsResponse' - description: OK - summary: Get action details - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana - name: product_name - /api/endpoint/action/{action_id}/file/{file_id}: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/endpoint/action/{action_id}/file/{file_id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get information for the specified response action file download. - operationId: EndpointFileInfo - parameters: - - description: The ID of the response action that generated the file. - in: path - name: action_id - required: true - schema: - type: string - - description: | - The file identifier is constructed in one of two ways: - - For Elastic Defend agents (`agentType` of `endpoint`): combine the `action_id` and `agent_id` values using a dot (`.`) separator: - `{file_id}` = `{action_id}.{agent_id}` - - For all other agent types: the `file_id` is the `agent_id` for which the response action was sent to. - in: path - name: file_id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - properties: - data: - type: object - properties: - actionId: - description: The response action ID. - type: string - agentId: - description: The agent ID that generated the file. - type: string - agentType: - description: The type of agent that generated the file. - type: string - created: - description: The date and time the file was created. - format: date-time - type: string - id: - description: The unique file identifier. - type: string - mimeType: - description: The MIME type of the file. - type: string - name: - description: The file name. - type: string - size: - description: The file size in bytes. - type: number - status: - description: The file upload status. - enum: - - AWAITING_UPLOAD - - UPLOADING - - READY - - UPLOAD_ERROR - - DELETED - type: string - description: Indicates a successful call. - summary: Get file information - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana - name: product_name - /api/endpoint/action/{action_id}/file/{file_id}/download: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/endpoint/action/{action_id}/file/{file_id}/download
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Download a file associated with a response action. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment. - > info - > Files retrieved from third-party-protected hosts require a different password. Refer to [Third-party response actions](https://www.elastic.co/docs/solutions/security/endpoint-response-actions/third-party-response-actions) for your system's password. - operationId: EndpointFileDownload - parameters: - - description: The ID of the response action that generated the file. - in: path - name: action_id - required: true - schema: - type: string - - description: | - The file identifier is constructed in one of two ways: - - For Elastic Defend agents (`agentType` of `endpoint`): combine the `action_id` and `agent_id` values using a dot (`.`) separator: - `{file_id}` = `{action_id}.{agent_id}` - - For all other agent types: the `file_id` is the `agent_id` for which the response action was sent to. - in: path - name: file_id - required: true - schema: - type: string - responses: - '200': - content: - application/octet-stream: - schema: - format: binary - type: string - description: Indicates a successful call. - summary: Download a file - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana - name: product_name - /api/endpoint/action/cancel: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint/action/cancel
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Cancel a running or pending response action (Applies only to some agent types). - operationId: CancelAction - requestBody: - content: - application/json: - examples: - MicrosoftDefenderEndpoint: - summary: Cancel a response action on a Microsoft Defender for Endpoint host - value: - agent_type: microsoft_defender_endpoint - comment: Cancelling action due to change in requirements - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_CancelRouteRequestBody' - required: true - responses: - '200': - content: - application/json: - examples: - CancelSuccess: - summary: Cancel action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: microsoft_defender_endpoint - command: cancel - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' - description: Indicates a successful call. - summary: Cancel a response action - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana - name: product_name - /api/endpoint/action/execute: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint/action/execute
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Run a shell command on an endpoint. - operationId: EndpointExecuteAction - requestBody: - content: - application/json: - examples: - executeCommand: - summary: Execute a shell command on an endpoint - value: - comment: Get list of all files - endpoint_ids: - - b3d6de74-36b0-4fa8-be46-c375bf1771bf - parameters: - command: ls -al - timeout: 600 - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody' - required: true - responses: - '200': - content: - application/json: - examples: - ExecuteSuccess: - summary: Execute action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: execute - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 9f934028-2300-4927-b531-b26376793dc4 - isCompleted: false - isExpired: false - outputs: {} - parameters: - command: ls -al - timeout: 600 - startedAt: '2023-07-28T18:43:27.362Z' - status: pending - wasSuccessful: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' - description: Indicates a successful call. - summary: Run a command - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana - name: product_name - /api/endpoint/action/get_file: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint/action/get_file
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a file from an endpoint. - operationId: EndpointGetFileAction - requestBody: - content: - application/json: - examples: - getFile: - summary: Get a specific file from an endpoint - value: - comment: Get my file - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - path: /usr/my-file.txt - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody' - required: true - responses: - '200': - content: - application/json: - examples: - GetFileSuccess: - summary: Get file action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: get-file - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 - isCompleted: false - isExpired: false - outputs: {} - parameters: - path: /usr/my-file.txt - startedAt: '2023-07-28T19:00:03.911Z' - status: pending - wasSuccessful: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' - description: Indicates a successful call. - summary: Get a file - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana - name: product_name - /api/endpoint/action/isolate: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint/action/isolate
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Isolate an endpoint from the network. The endpoint remains isolated until it's released. - operationId: EndpointIsolateAction - requestBody: - content: - application/json: - examples: - multiple_endpoints: - summary: Isolates several hosts; includes a comment - value: - comment: Locked down, pending further investigation - endpoint_ids: - - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 - - bc0e4f0c-3bca-4633-9fee-156c0b505d16 - - fa89271b-b9d4-43f2-a684-307cffddeb5a - single_endpoint: - summary: Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - with_case_id: - summary: Isolates a single host with a case_id value of 1234 - value: - case_ids: - - 4976be38-c134-4554-bd5e-0fd89ce63667 - comment: Isolating as initial response - endpoint_ids: - - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 - - b30a11bf-1395-4707-b508-fbb45ef9793e - schema: - type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - case_ids: - description: The IDs of cases where the action taken will be logged. Max of 50. 
- example: - - case-id-1 - - case-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - required: true - responses: - '200': - content: - application/json: - examples: - IsolateSuccess: - summary: Isolate action successfully created - value: - action: 233db9ea-6733-4849-9226-5a7039c7161d - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: isolate - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse' - description: Indicates a successful call. - summary: Isolate an endpoint - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana - name: product_name - /api/endpoint/action/kill_process: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint/action/kill_process
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Terminate a running process on an endpoint. - operationId: EndpointKillProcessAction - requestBody: - content: - application/json: - examples: - byEntityId: - summary: Terminate a process by entity ID - value: - comment: Terminating malicious process - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - entity_id: abc123 - byPid: - summary: Terminate a process by PID - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - pid: 1234 - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody' - required: true - responses: - '200': - content: - application/json: - examples: - KillProcessSuccess: - summary: Kill process action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: kill-process - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - entity_id: abc123 - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' - description: Indicates a successful call. - summary: Terminate a process - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana - name: product_name - /api/endpoint/action/memory_dump: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint/action/memory_dump
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Generates memory dumps on the targeted host. - operationId: EndpointGenerateMemoryDump - requestBody: - content: - application/json: - examples: - ProcessMemoryDump: - summary: Generate a memory dump from the host machine - value: - agent_type: endpoint - comment: Generating memory dump for investigation - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - entity_id: abc123 - type: process - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_MemoryDumpRouteRequestBody' - required: true - responses: - '200': - content: - application/json: - examples: - MemoryDumpSuccessResponse: - summary: Memory dump action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: memory-dump - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - entity_id: abc123 - type: process - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' - description: Indicates a successful call. - summary: Generate a memory dump from the host machine - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana - name: product_name - /api/endpoint/action/running_procs: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint/action/running_procs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all processes running on an endpoint. - operationId: EndpointGetProcessesAction - requestBody: - content: - application/json: - examples: - singleEndpoint: - summary: Get running processes on a single endpoint - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody' - required: true - responses: - '200': - content: - application/json: - examples: - RunningProcsSuccess: - summary: Running processes action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: running-processes - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' - description: Indicates a successful call. - summary: Get running processes - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana - name: product_name - /api/endpoint/action/runscript: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint/action/runscript
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Run a script on a host. Currently supported only for some agent types. - operationId: RunScriptAction - requestBody: - content: - application/json: - examples: - MDE: - description: Microsoft Defender Endpoint runscript - summary: Run a script against a Microsoft Defender Endpoint agent - value: - agent_type: microsoft_defender_endpoint - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - args: '-param1 value1 -param2 value2' - scriptName: my-script.ps1 - SentinelOne: - description: SentinelOne runscript - summary: Run a script against a SentinelOne agent - value: - agent_type: sentinel_one - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 - scriptInput: '--delete --paths-to-delete /tmp/temp_file.txt,/tmp/random_file.txt' - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunScriptRouteRequestBody' - required: true - responses: - '200': - content: - application/json: - examples: - RunScriptSuccess: - summary: Run script action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: sentinel_one - command: runscript - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' - description: Indicates a successful call. 
- summary: Run a script - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana - name: product_name - /api/endpoint/action/scan: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint/action/scan
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Scan a specific file or directory on an endpoint for malware. - operationId: EndpointScanAction - requestBody: - content: - application/json: - examples: - scanFile: - summary: Scan a file on an endpoint - value: - comment: Scan the file for malware - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - path: /usr/my-file.txt - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody' - required: true - responses: - '200': - content: - application/json: - examples: - ScanSuccess: - summary: Scan action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: scan - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 - isCompleted: false - isExpired: false - outputs: {} - parameters: - path: /usr/my-file.txt - startedAt: '2023-07-28T19:00:03.911Z' - status: pending - wasSuccessful: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' - description: Indicates a successful call. - summary: Scan a file or directory - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana - name: product_name - /api/endpoint/action/state: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/endpoint/action/state
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a response actions state, which reports whether encryption is enabled. - operationId: EndpointGetActionsState - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse' - description: OK - summary: Get actions state - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana - name: product_name - /api/endpoint/action/suspend_process: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint/action/suspend_process
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Suspend a running process on an endpoint. - operationId: EndpointSuspendProcessAction - requestBody: - content: - application/json: - examples: - byEntityId: - summary: Suspend a process by entity ID - value: - comment: Suspending suspicious process - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - entity_id: abc123 - byPid: - summary: Suspend a process by PID - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - pid: 1234 - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody' - required: true - responses: - '200': - content: - application/json: - examples: - SuspendProcessSuccess: - summary: Suspend process action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: suspend-process - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - entity_id: abc123 - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' - description: Indicates a successful call. - summary: Suspend a process - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana - name: product_name - /api/endpoint/action/unisolate: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint/action/unisolate
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Release an isolated endpoint, allowing it to rejoin a network. - operationId: EndpointUnisolateAction - requestBody: - content: - application/json: - examples: - multipleHosts: - summary: 'Releases several hosts; includes a comment:' - value: - comment: Benign process identified, releasing group - endpoint_ids: - - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 - - bc0e4f0c-3bca-4633-9fee-156c0b505d16 - - fa89271b-b9d4-43f2-a684-307cffddeb5a - singleHost: - summary: Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - withCaseId: - summary: Releases hosts with an associated case; includes a comment. - value: - case_ids: - - 4976be38-c134-4554-bd5e-0fd89ce63667 - comment: Remediation complete, restoring network - endpoint_ids: - - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 - - b30a11bf-1395-4707-b508-fbb45ef9793e - schema: - type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - case_ids: - description: The IDs of cases where the action taken will be logged. Max of 50. 
- example: - - case-id-1 - - case-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - required: true - responses: - '200': - content: - application/json: - examples: - UnisolateSuccess: - summary: Unisolate action successfully created - value: - action: 233db9ea-6733-4849-9226-5a7039c7161d - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: unisolate - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse' - description: Indicates a successful call. - summary: Release an isolated endpoint - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana - name: product_name - /api/endpoint/action/upload: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint/action/upload
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Upload a file to an endpoint. - operationId: EndpointUploadAction - requestBody: - content: - multipart/form-data: - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody' - required: true - responses: - '200': - content: - application/json: - examples: - UploadSuccess: - summary: Upload action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: upload - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: Host-5i6cuc8kdv - id: 9ff6aebc-2cb6-481e-8869-9b30036c9731 - isCompleted: false - isExpired: false - outputs: {} - parameters: - file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280 - file_name: fix-malware.sh - file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a - file_size: 69 - startedAt: '2023-07-03T15:07:22.837Z' - status: pending - wasSuccessful: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' - description: Indicates a successful call. - summary: Upload a file - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana - name: product_name - /api/endpoint/metadata: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/endpoint/metadata
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all endpoint host metadata. - operationId: GetEndpointMetadataList - parameters: - - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' - - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' - - in: query - name: hostStatuses - required: true - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_HostStatuses' - - in: query - name: sortField - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SortField' - - in: query - name: sortDirection - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SortDirection' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_MetadataListResponse' - description: Indicates a successful call. - summary: Get a metadata list - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana - name: product_name - /api/endpoint/metadata/{id}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/endpoint/metadata/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get host metadata for a specific endpoint. - operationId: GetEndpointMetadata - parameters: - - description: The agent ID of the endpoint. - in: path - name: id - required: true - schema: - example: ed518850-681a-4d60-bb98-e22640cae2a8 - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointMetadataResponse' - description: Indicates a successful call. - summary: Get metadata - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana - name: product_name - /api/endpoint/policy_response: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/endpoint/policy_response
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the most recent policy response for an endpoint. - operationId: GetPolicyResponse - parameters: - - description: The agent ID to retrieve the policy response for. - in: query - name: agentId - required: true - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' - description: Indicates a successful call. - summary: Get a policy response - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana - name: product_name - /api/endpoint/protection_updates_note/{package_policy_id}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/endpoint/protection_updates_note/{package_policy_id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the protection updates note for a package policy. - operationId: GetProtectionUpdatesNote - parameters: - - description: The package policy ID to retrieve the protection updates note for. - in: path - name: package_policy_id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse' - description: Indicates a successful call. - summary: Get a protection updates note - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/endpoint/protection_updates_note/{package_policy_id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create or update the protection updates note for a package policy. - operationId: CreateUpdateProtectionUpdatesNote - parameters: - - description: The package policy ID to create or update the protection updates note for. - in: path - name: package_policy_id - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - type: object - properties: - note: - description: The note content. - type: string - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse' - description: Indicates a successful call. - summary: Create or update a protection updates note - tags: - - Security Endpoint Management API - x-metaTags: - - content: Kibana - name: product_name - /api/entity_analytics/monitoring/engine/delete: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/entity_analytics/monitoring/engine/delete
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Deletes the Privilege Monitoring Engine and optionally removes all associated privileged user data. - operationId: DeleteMonitoringEngine - parameters: - - description: Whether to delete all the privileged user data - in: query - name: data - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - DeleteMonitoringEngineResponse: - summary: Engine deleted successfully - value: - deleted: true - schema: - type: object - properties: - deleted: - type: boolean - required: - - deleted - description: Successful response - summary: Delete the Privilege Monitoring Engine - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/entity_analytics/monitoring/engine/disable: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_analytics/monitoring/engine/disable
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Disables the Privilege Monitoring Engine, stopping all monitoring activity without removing data. - operationId: DisableMonitoringEngine - responses: - '200': - content: - application/json: - examples: - DisableMonitoringEngineResponse: - summary: Engine disabled successfully - value: - status: disabled - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' - description: Successful response - summary: Disable the Privilege Monitoring Engine - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/entity_analytics/monitoring/engine/init: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_analytics/monitoring/engine/init
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Initializes the Privilege Monitoring Engine, setting up the required resources and starting the engine. - operationId: InitMonitoringEngine - responses: - '200': - content: - application/json: - examples: - InitMonitoringEngineResponse: - summary: Engine initialized successfully - value: - status: started - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' - description: Successful response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' - description: Internal Server Error - summary: Initialize the Privilege Monitoring Engine - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/entity_analytics/monitoring/engine/schedule_now: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_analytics/monitoring/engine/schedule_now
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Schedules the Privilege Monitoring Engine to run as soon as possible, triggering an immediate monitoring cycle. - operationId: ScheduleMonitoringEngine - responses: - '200': - content: - application/json: - examples: - ScheduleMonitoringEngineResponse: - summary: Engine scheduled successfully - value: - success: true - schema: - type: object - properties: - success: - description: Indicates the scheduling was successful - type: boolean - description: Successful response - '409': - content: - application/json: - schema: - type: object - properties: - message: - description: Error message indicating the engine is already running - type: string - description: Conflict - Monitoring engine is already running - summary: Schedule the Privilege Monitoring Engine - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/entity_analytics/monitoring/privileges/health: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/entity_analytics/monitoring/privileges/health
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Returns the current health status of the Privilege Monitoring Engine, including engine status, error details, and user count statistics. - operationId: PrivMonHealth - responses: - '200': - content: - application/json: - examples: - PrivMonHealthResponse: - summary: Healthy privilege monitoring engine - value: - status: started - users: - current_count: 42 - max_allowed: 1000 - schema: - type: object - properties: - error: - type: object - properties: - message: - type: string - required: - - status - status: - $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus' - users: - description: User statistics for privilege monitoring - type: object - properties: - current_count: - description: Current number of privileged users being monitored - type: integer - max_allowed: - description: Maximum number of privileged users allowed to be monitored - type: integer - required: - - current_count - - max_allowed - required: - - status - description: Successful response - summary: Health check on Privilege Monitoring - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/entity_analytics/monitoring/privileges/privileges: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/entity_analytics/monitoring/privileges/privileges
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Check if the current user has all required permissions for Privilege Monitoring - operationId: PrivMonPrivileges - responses: - '200': - content: - application/json: - example: - has_all_required: true - privileges: - elasticsearch: - index: - .entity_analytics.monitoring.user-default: - read: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityAnalyticsPrivileges' - description: Successful response - summary: Run a privileges check on Privilege Monitoring - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/entity_analytics/monitoring/users: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_analytics/monitoring/users
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Creates a new privileged user to be monitored by the Privilege Monitoring Engine. - operationId: CreatePrivMonUser - requestBody: - content: - application/json: - examples: - CreatePrivMonUserRequest: - summary: Create a monitored user - value: - entity_analytics_monitoring: - labels: - - field: department - source: api - value: IT - user: - name: john.doe - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserName' - required: true - responses: - '200': - content: - application/json: - examples: - CreatePrivMonUserResponse: - summary: Created monitored user - value: - '@timestamp': '2026-01-28T12:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: api - value: IT - event: - ingested: '2026-01-28T12:00:00.000Z' - id: user-abc-123 - user: - is_privileged: true - name: john.doe - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' - description: User created successfully - summary: Create a new monitored user - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/entity_analytics/monitoring/users/_csv: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_analytics/monitoring/users/_csv
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Bulk upserts privileged users by uploading a CSV file. Returns per-row errors and aggregate upload statistics. - operationId: PrivmonBulkUploadUsersCSV - requestBody: - content: - multipart/form-data: - schema: - type: object - properties: - file: - description: The CSV file to upload. - format: binary - type: string - required: - - file - responses: - '200': - content: - application/json: - schema: - example: - errors: - - index: 1 - message: Invalid monitored field - username: john.doe - stats: - failedOperations: 1 - successfulOperations: 1 - totalOperations: 2 - uploaded: 1 - type: object - properties: - errors: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem' - type: array - stats: - $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadStats' - required: - - errors - - stats - description: Bulk upload successful - '413': - description: File too large - summary: Upsert multiple monitored users via CSV upload - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/entity_analytics/monitoring/users/{id}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/entity_analytics/monitoring/users/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Removes a privileged user from monitoring by their document ID. - operationId: DeletePrivMonUser - parameters: - - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - DeletePrivMonUserResponse: - summary: User deleted successfully - value: - acknowledged: true - message: User deleted successfully - schema: - type: object - properties: - acknowledged: - description: Indicates if the deletion was successful - type: boolean - message: - description: A message providing additional information about the deletion status - type: string - required: - - success - description: User deleted successfully - summary: Delete a monitored user - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/entity_analytics/monitoring/users/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Updates the details of an existing monitored privileged user by their document ID. - operationId: UpdatePrivMonUser - parameters: - - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - UpdatePrivMonUserRequest: - summary: Update a monitored user - value: - entity_analytics_monitoring: - labels: - - field: department - source: api - value: Security - user: - is_privileged: true - name: john.doe - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc' - required: true - responses: - '200': - content: - application/json: - examples: - UpdatePrivMonUserResponse: - summary: Updated monitored user - value: - '@timestamp': '2026-01-28T12:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: api - value: Security - event: - ingested: '2026-01-28T12:00:00.000Z' - id: user-abc-123 - user: - is_privileged: true - name: john.doe - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' - description: User updated successfully - summary: Update a monitored user - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/entity_analytics/monitoring/users/list: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/entity_analytics/monitoring/users/list
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Returns a list of all privileged users currently being monitored. Supports optional KQL filtering. - operationId: ListPrivMonUsers - parameters: - - description: KQL query to filter the list of monitored users - in: query - name: kql - required: false - schema: - type: string - responses: - '200': - content: - application/json: - examples: - ListPrivMonUsersResponse: - summary: List of monitored users - value: - - '@timestamp': '2026-01-28T12:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: api - value: IT - event: - ingested: '2026-01-28T12:00:00.000Z' - id: user-abc-123 - user: - is_privileged: true - name: john.doe - - '@timestamp': '2026-01-15T09:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: csv - value: Security - event: - ingested: '2026-01-15T09:00:00.000Z' - id: user-def-456 - user: - is_privileged: true - name: jane.smith - schema: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' - type: array - description: List of monitored users - summary: List all monitored users - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/entity_analytics/privileged_user_monitoring/pad/install: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_analytics/privileged_user_monitoring/pad/install
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Installs the privileged access detection integration package and sets up the associated ML modules required for the Entity Analytics privileged user monitoring experience. - operationId: InstallPrivilegedAccessDetectionPackage - responses: - '200': - content: - application/json: - examples: - InstallPrivilegedAccessDetectionPackageResponse: - summary: Package installed successfully - value: - message: Privileged access detection package installed successfully - schema: - type: object - properties: - message: - type: string - required: - - message - description: Successful response - summary: Installs the privileged access detection package for the Entity Analytics privileged user monitoring experience - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/entity_analytics/privileged_user_monitoring/pad/status: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/entity_analytics/privileged_user_monitoring/pad/status
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Returns the installation and ML module setup status of the privileged access detection package, along with the state of each associated ML job. - operationId: GetPrivilegedAccessDetectionPackageStatus - responses: - '200': - content: - application/json: - examples: - GetPrivilegedAccessDetectionPackageStatusResponse: - summary: Package fully installed and running - value: - jobs: - - description: Detects high-risk login patterns - job_id: pad-high-risk-login - state: opened - - description: Detects privilege escalation events - job_id: pad-privilege-escalation - state: opened - ml_module_setup_status: complete - package_installation_status: complete - schema: - type: object - properties: - jobs: - items: - type: object - properties: - description: - type: string - job_id: - type: string - state: - enum: - - closing - - closed - - opened - - failed - - opening - type: string - required: - - job_id - - state - type: array - ml_module_setup_status: - enum: - - complete - - incomplete - type: string - package_installation_status: - enum: - - complete - - incomplete - type: string - required: - - package_installation_status - - ml_module_setup_status - - jobs - description: Privileged access detection status retrieved - summary: Gets the status of the privileged access detection package for the Entity Analytics privileged user monitoring experience - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/entity_analytics/watchlists: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_analytics/watchlists
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Creates a new entity analytics watchlist with an optional set of entity sources. Watchlists apply a risk score modifier to matched entities. - operationId: CreateWatchlist - requestBody: - content: - application/json: - examples: - CreateWatchlistRequest: - summary: Create watchlist request - value: - description: High risk vendor watchlist - managed: false - name: High Risk Vendors - riskModifier: 1.5 - CreateWatchlistWithSourcesRequest: - summary: Create watchlist with entity sources - value: - description: High risk vendor watchlist - entitySources: - - enabled: true - identifierField: user.name - indexPattern: my-sync-index - name: My User Index Source - type: index - managed: false - name: High Risk Vendors - riskModifier: 1.5 - schema: - type: object - properties: - description: - description: Description of the watchlist - type: string - entitySources: - description: Optional entity sources to create and link to the watchlist - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - filter: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Filter' - identifierField: - description: Field used to query the entity store for index-type sources - type: string - indexPattern: - type: string - integrationName: - description: Required when type is entity_analytics_integration. One of entityanalytics_okta, entityanalytics_ad. 
- type: string - matchers: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Matcher' - type: array - name: - type: string - queryRule: - description: KQL query used to filter data from the provided index patterns - type: string - range: - $ref: '#/components/schemas/Security_Entity_Analytics_API_DateRange' - type: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitySourceType' - required: - - type - - name - type: array - managed: - description: Indicates if the watchlist is managed by the system - type: boolean - name: - description: Unique name for the watchlist - type: string - riskModifier: - description: Risk score modifier associated with the watchlist - maximum: 2 - minimum: 0 - type: number - required: - - name - - riskModifier - required: true - responses: - '200': - content: - application/json: - examples: - CreateWatchlistResponse: - summary: Created watchlist - value: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-01-28T12:00:00.000Z' - schema: - allOf: - - $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' - - type: object - properties: - entitySources: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySource' - type: array - description: Watchlist created successfully - summary: Create a new watchlist - tags: - - Security Entity Analytics API - x-state: Technical Preview - x-metaTags: - - content: Kibana - name: product_name - /api/entity_analytics/watchlists/{id}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/entity_analytics/watchlists/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieves the details of an entity analytics watchlist by its unique identifier. - operationId: GetWatchlist - parameters: - - description: Unique ID of the watchlist - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - GetWatchlistResponse: - summary: Watchlist details - value: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' - description: Watchlist details - summary: Get a watchlist by ID - tags: - - Security Entity Analytics API - x-state: Technical Preview - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/entity_analytics/watchlists/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Updates the name, description, risk modifier, or managed status of an existing entity analytics watchlist. - operationId: UpdateWatchlist - parameters: - - description: The ID of the watchlist to update - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - UpdateWatchlistRequest: - summary: Update watchlist request - value: - description: High risk vendor watchlist - managed: false - name: High Risk Vendors - riskModifier: 1.5 - schema: - type: object - properties: - description: - description: Description of the watchlist - type: string - managed: - description: Indicates if the watchlist is managed by the system - type: boolean - name: - description: Unique name of the watchlist - type: string - riskModifier: - description: Risk score modifier associated with the watchlist - maximum: 2 - minimum: 0 - type: number - required: - - name - - riskModifier - required: true - responses: - '200': - content: - application/json: - examples: - UpdateWatchlistResponse: - summary: Updated watchlist - value: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' - description: Watchlist updated successfully - summary: Update an existing watchlist - tags: - - Security Entity Analytics API - x-state: Technical Preview - x-metaTags: - - content: Kibana - name: product_name - /api/entity_analytics/watchlists/{watchlist_id}/csv_upload: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/csv_upload
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Uploads a CSV file to add entities to a watchlist. The CSV must contain a header row - with a "type" column (user, host, service, or generic) and one or more ECS identity - fields (e.g. "user.name", "host.hostname") used to match entities in the entity store. - - Matched entities are added to the watchlist and their `entity.attributes.watchlists` - field is updated in the entity store. - - Each row will match up to 10,000 entities. - operationId: UploadWatchlistCsv - parameters: - - description: The ID of the watchlist to add entities to - example: high-risk-vendors - in: path - name: watchlist_id - required: true - schema: - type: string - requestBody: - content: - multipart/form-data: - examples: - csvUpload: - summary: CSV file with user entities - value: - file: | - type,user.name - user,john.doe - user,jane.smith - schema: - type: object - properties: - file: - description: The CSV file to upload. 
- format: binary - type: string - required: - - file - required: true - responses: - '200': - content: - application/json: - examples: - CsvUploadResponse: - summary: CSV upload response with mixed results - value: - failed: 1 - items: - - matchedEntities: 1 - status: success - - error: Invalid entity type - matchedEntities: 0 - status: failure - - matchedEntities: 0 - status: unmatched - successful: 1 - total: 3 - unmatched: 1 - schema: - type: object - properties: - failed: - description: Number of rows that failed to process - example: 1 - type: integer - items: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem' - type: array - successful: - description: Number of rows that matched at least one entity - example: 1 - type: integer - total: - description: Total number of rows processed - example: 3 - type: integer - unmatched: - description: Number of rows that matched no entities - example: 1 - type: integer - required: - - successful - - failed - - total - - unmatched - - items - description: Upload successful - '413': - description: File too large - summary: Upload a CSV file to add entities to a watchlist - tags: - - Security Entity Analytics API - x-state: Technical Preview - x-metaTags: - - content: Kibana - name: product_name - /api/entity_analytics/watchlists/{watchlist_id}/entities/assign: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/entities/assign
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Assigns the provided entities to the specified watchlist using a "manual" source label. - The entities must already exist in the entity store. - - If an entity is already on the watchlist, no new document is created — the "manual" label - is added to its existing source labels instead. - operationId: AssignWatchlistEntities - parameters: - - description: The ID of the watchlist to add entities to - example: high-risk-vendors - in: path - name: watchlist_id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - assignEntities: - summary: Assign two entities to a watchlist - value: - euids: - - user:john.doe - - host:web-01 - schema: - type: object - properties: - euids: - description: The EUIDs of the entities to assign - example: - - user:john.doe - - host:web-01 - items: - type: string - type: array - required: - - euids - required: true - responses: - '200': - content: - application/json: - examples: - assignEntitiesResponse: - summary: Successful assignment of two entities - value: - failed: 0 - items: - - euid: user:john.doe - status: success - - euid: host:web-01 - status: not_found - not_found: 1 - successful: 1 - total: 2 - schema: - type: object - properties: - failed: - description: Number of entities that failed to process - example: 0 - type: integer - items: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem' - type: array - not_found: - description: Number of entities not found in the entity store - example: 1 - type: integer - successful: - description: Number of entities successfully assigned - example: 1 - type: integer - total: - description: Total number of entities processed - example: 2 - type: integer - required: - - successful - - failed - - not_found - - total - - items - description: Assignment successful - summary: Manually assign entities 
to a watchlist - tags: - - Security Entity Analytics API - x-state: Technical Preview; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/entity_analytics/watchlists/{watchlist_id}/entities/unassign: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/entities/unassign
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Unassigns the provided entities from the specified watchlist. - This only removes the "manual" assignment. If the entity is also - assigned via other sources (for example, index or integration), it will - remain on the watchlist. - operationId: UnassignWatchlistEntities - parameters: - - description: The ID of the watchlist to remove entities from - example: high-risk-vendors - in: path - name: watchlist_id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - unassignEntities: - summary: Unassign two entities from a watchlist - value: - euids: - - user:john.doe - - host:web-01 - schema: - type: object - properties: - euids: - description: The EUIDs of the entities to unassign - example: - - user:john.doe - - host:web-01 - items: - type: string - type: array - required: - - euids - required: true - responses: - '200': - content: - application/json: - examples: - unassignEntitiesResponse: - summary: Successful unassignment of two entities - value: - failed: 0 - items: - - euid: user:john.doe - status: success - - euid: host:web-01 - status: not_found - not_found: 1 - successful: 1 - total: 2 - schema: - type: object - properties: - failed: - description: Number of entities that failed to process - example: 0 - type: integer - items: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem' - type: array - not_found: - description: Number of entities not found in the manual watchlist assignment - example: 1 - type: integer - successful: - description: Number of entities successfully unassigned - example: 1 - type: integer - total: - description: Total number of entities processed - example: 2 - type: integer - required: - - successful - - failed - - not_found - - total - - items - description: Unassignment successful - summary: Manually unassign entities from a 
watchlist - tags: - - Security Entity Analytics API - x-state: Technical Preview; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/entity_analytics/watchlists/list: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/entity_analytics/watchlists/list
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Returns a list of all entity analytics watchlists. - operationId: ListWatchlists - responses: - '200': - content: - application/json: - examples: - ListWatchlistsResponse: - summary: List of watchlists - value: - - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' - - createdAt: '2026-01-10T09:30:00.000Z' - description: Privileged user monitoring watchlist - id: watchlist-456 - managed: true - name: Privileged Accounts - riskModifier: 2 - updatedAt: '2026-02-01T15:45:00.000Z' - schema: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' - type: array - description: List of watchlists - summary: List all watchlists - tags: - - Security Entity Analytics API - x-state: Technical Preview - x-metaTags: - - content: Kibana - name: product_name - /api/entity_store/enable: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_store/enable
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Initialize the entire Entity Store, creating engines for all or specified entity types. - operationId: InitEntityStore - requestBody: - content: - application/json: - schema: - type: object - properties: - delay: - default: 1m - description: The delay before the transform will run. - pattern: '[smdh]$' - type: string - docsPerSecond: - default: -1 - description: The number of documents per second to process. - type: integer - enrichPolicyExecutionInterval: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' - entityTypes: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - type: array - fieldHistoryLength: - default: 10 - description: The number of historical values to keep for each field. - type: integer - filter: - type: string - frequency: - default: 1m - description: The frequency at which the transform will run. - pattern: '[smdh]$' - type: string - indexPattern: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' - lookbackPeriod: - default: 3h - description: The amount of time the transform looks back to calculate the aggregations. - pattern: '[smdh]$' - type: string - maxPageSearchSize: - default: 500 - description: The initial page size to use for the composite aggregation of each checkpoint. - type: integer - timeout: - default: 180s - description: The timeout for initializing the aggregating transform. - pattern: '[smdh]$' - type: string - timestampField: - default: '@timestamp' - description: The field to use as the timestamp. - type: string - description: Configuration for the entity store initialization. - required: true - responses: - '200': - content: - application/json: - examples: - initEntityStoreExample: - description: The Entity Store was successfully initialized, creating host and user engines in the installing state. 
- summary: Entity Store initialized with host and user engines - value: - engines: - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: installing - timeout: 180s - timestampField: '@timestamp' - type: host - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: installing - timeout: 180s - timestampField: '@timestamp' - type: user - succeeded: true - schema: - type: object - properties: - engines: - description: The engine descriptors created during initialization. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' - type: array - succeeded: - description: Whether the Entity Store was initialized successfully. - type: boolean - description: Successful response - '400': - description: Invalid request - summary: Initialize the Entity Store - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/entity_store/engines: - delete: - operationId: DeleteEntityEngines - parameters: - - description: The entity type of the engine ('user', 'host', 'service', 'generic'). - examples: - hostAndService: - value: host,service - in: query - name: entityTypes - required: false - schema: - description: Array of engine types to delete. Empty by default, which results in all the engines being deleted. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - type: array - - description: Control flag to also delete the entity data. - in: query - name: delete_data - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - deleteEntityEnginesExample: - description: Example response after deleting 'host' engine - value: - deleted: - - host - still_running: - - generic - - user - - service - schema: - type: object - properties: - deleted: - description: Entity types whose engines were successfully deleted. 
- items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - type: array - still_running: - description: Entity types whose engines are still running. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - type: array - description: Successful response - summary: Delete Entity Engines - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/entity_store/engines
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/entity_store/engines
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all installed entity engines and their current status. - operationId: ListEntityEngines - responses: - '200': - content: - application/json: - examples: - listEntityEnginesExample: - description: Returns a list with one running host engine and one stopped user engine. - summary: Two engines installed - value: - count: 2 - engines: - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: host - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: stopped - timeout: 180s - timestampField: '@timestamp' - type: user - schema: - type: object - properties: - count: - description: The total number of entity engines. - type: integer - engines: - description: An array of engine descriptors. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' - type: array - description: Successful response - summary: List the Entity Engines - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/entity_store/engines/{entityType}: - delete: - operationId: DeleteEntityEngine - parameters: - - description: The entity type of the engine (either 'user' or 'host'). - examples: - host: - value: host - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - - description: Control flag to also delete the entity data. - in: query - name: delete_data - required: false - schema: - type: boolean - - deprecated: true - description: Control flag to also delete the entity data. 
- in: query - name: data - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - deleteEntityEngineExample: - description: Example response after deleting 'host' engine - value: - deleted: true - schema: - type: object - properties: - deleted: - description: Whether the engine was successfully deleted. - type: boolean - description: Successful response - summary: Delete the Entity Engine - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/entity_store/engines/{entityType}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/entity_store/engines/{entityType}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the engine descriptor for a specific entity type, including its configuration and current status. - operationId: GetEntityEngine - parameters: - - description: The entity type of the engine. - example: host - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': - content: - application/json: - examples: - getEntityEngineExample: - description: Returns the engine descriptor for a host engine that is currently running with default settings. - summary: A running host engine - value: - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: host - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' - description: Successful response - summary: Get an Entity Engine - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/entity_store/engines/{entityType}/init: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_store/engines/{entityType}/init
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Initialize a single entity engine for the specified entity type. - operationId: InitEntityEngine - parameters: - - description: The entity type of the engine. - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - requestBody: - content: - application/json: - schema: - type: object - properties: - delay: - default: 1m - description: The delay before the transform will run. - pattern: '[smdh]$' - type: string - docsPerSecond: - default: -1 - description: The number of documents per second to process. - type: integer - enrichPolicyExecutionInterval: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' - fieldHistoryLength: - default: 10 - description: The number of historical values to keep for each field. - type: integer - filter: - type: string - frequency: - default: 1m - description: The frequency at which the transform will run. - pattern: '[smdh]$' - type: string - indexPattern: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' - lookbackPeriod: - default: 3h - description: The amount of time the transform looks back to calculate the aggregations. - pattern: '[smdh]$' - type: string - maxPageSearchSize: - default: 500 - description: The initial page size to use for the composite aggregation of each checkpoint. - type: integer - timeout: - default: 180s - description: The timeout for initializing the aggregating transform. - pattern: '[smdh]$' - type: string - timestampField: - default: '@timestamp' - description: The field to use as the timestamp for the entity type. - type: string - description: Schema for the engine initialization - required: true - responses: - '200': - content: - application/json: - examples: - initEntityEngineExample: - description: A host engine was successfully initialized and is now in the installing state. 
- summary: Host engine initialized - value: - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 3h - status: installing - timeout: 180s - timestampField: '@timestamp' - type: host - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' - description: Successful response - '400': - description: Invalid request - summary: Initialize an Entity Engine - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/entity_store/engines/{entityType}/start: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_store/engines/{entityType}/start
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Start a previously stopped entity engine, resuming transform processing for the given entity type. - operationId: StartEntityEngine - parameters: - - description: The entity type of the engine to start. - example: host - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': - content: - application/json: - examples: - startEntityEngineExample: - description: The engine was successfully started and is now processing data. - summary: Engine started successfully - value: - started: true - schema: - type: object - properties: - started: - description: Whether the engine was successfully started. - type: boolean - description: Successful response - summary: Start an Entity Engine - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/entity_store/engines/{entityType}/stop: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_store/engines/{entityType}/stop
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Stop a running entity engine, pausing transform processing for the given entity type. - operationId: StopEntityEngine - parameters: - - description: The entity type of the engine to stop. - example: host - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': - content: - application/json: - examples: - stopEntityEngineExample: - description: The engine was successfully stopped and is no longer processing data. - summary: Engine stopped successfully - value: - stopped: true - schema: - type: object - properties: - stopped: - description: Whether the engine was successfully stopped. - type: boolean - description: Successful response - summary: Stop an Entity Engine - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/entity_store/engines/apply_dataview_indices: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/entity_store/engines/apply_dataview_indices
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Synchronize data view index patterns to all running entity engines so that newly added indices are picked up by the transforms. - operationId: ApplyEntityEngineDataviewIndices - responses: - '200': - content: - application/json: - examples: - applyDataviewIndicesExample: - description: All running engines were successfully updated with the current data view index patterns. - summary: All engines updated - value: - result: - - changes: - indexPatterns: - - logs-* - - filebeat-* - - auditbeat-* - type: host - - changes: - indexPatterns: - - logs-* - - filebeat-* - - auditbeat-* - type: user - success: true - schema: - type: object - properties: - result: - description: Per-engine update results. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult' - type: array - success: - description: Whether all engines updated successfully. - type: boolean - description: Successful response - '207': - content: - application/json: - examples: - partialSuccessExample: - description: The host engine was updated but the user engine failed due to insufficient privileges. - summary: One engine failed - value: - errors: - - 'Failed to update user engine: insufficient privileges' - result: - - changes: - indexPatterns: - - logs-* - - filebeat-* - type: host - success: false - schema: - type: object - properties: - errors: - description: Error messages for engines that failed to update. - items: - type: string - type: array - result: - description: Per-engine update results for engines that succeeded. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult' - type: array - success: - description: Always `false` for a partial success. 
- type: boolean - description: Partial successful response - '500': - content: - application/json: - examples: - serverErrorExample: - description: An unexpected error occurred while applying data view indices. - summary: Internal server error - value: - body: An internal error occurred while updating engine indices - statusCode: 500 - schema: - type: object - properties: - body: - description: Error message. - type: string - statusCode: - description: HTTP status code. - type: number - description: Error response - summary: Apply DataView indices to all installed engines - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/entity_store/entities/{entityType}: - delete: - description: | - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/entity_store/entities/{entityType}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a single entity in Entity Store. - The entity will be immediately deleted from the latest index. It will remain available in historical snapshots if it has been snapshotted. The delete operation does not prevent the entity from being recreated if it is observed again in the future. - operationId: DeleteSingleEntity - parameters: - - example: user - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - requestBody: - content: - application/json: - schema: - type: object - properties: - id: - description: Identifier of the entity to be deleted, commonly entity.id value. - example: arn:aws:iam::123456789012:user/jane.doe - type: string - required: - - id - description: Schema for the deleting entity - required: true - responses: - '200': - content: - application/json: - examples: - deleteEntityExample: - description: The entity was found and successfully removed from the latest index. - summary: Entity deleted - value: - deleted: true - schema: - type: object - properties: - deleted: - description: Whether the entity was successfully deleted. - type: boolean - description: Successful response. Entity deleted. - '404': - description: Entity Not Found. No entity with this ID and Type exists. - '503': - description: Operation on an uninitialized Engine or in a cluster without CRUD API Enabled - summary: Delete an entity in Entity Store - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - put: - description: | - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/entity_store/entities/{entityType}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update or create an entity in Entity Store. - If the specified entity already exists, it is updated with the provided values. If the entity does not exist, a new one is created. By default, only the following fields can be updated: * `entity.attributes.*` * `entity.lifecycle.*` * `entity.behavior.*` To update other fields, set the `force` query parameter to `true`. > info > Some fields always retain the first observed value. Updates to these fields will not appear in the final index. - > Due to technical limitations, not all updates are guaranteed to appear in the final list of observed values. - > Due to technical limitations, create is an async operation. The time for a document to be present in the > final index depends on the entity store transform and usually takes more than 1 minute. - operationId: UpsertEntity - parameters: - - example: user - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - - description: When true, allows updating protected fields. - in: query - name: force - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' - description: Schema for the updating a single entity - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' - description: Entity updated or created - '403': - description: Operation on a restricted field - '409': - description: Conflict. 
The entity was updated while another update was happening in ElasticSearch - '503': - description: Operation on an uninitialized Engine or in a cluster without CRUD API Enabled - summary: Upsert an entity in Entity Store - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/entity_store/entities/bulk: - put: - description: | - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/entity_store/entities/bulk
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update or create many entities in Entity Store. - If the specified entity already exists, it is updated with the provided values. If the entity does not exist, a new one is created. - The creation is asynchronous. The time for a document to be present in the final index depends on the entity store transform and usually takes more than 1 minute. - operationId: UpsertEntitiesBulk - parameters: - - description: When true, allows updating protected fields. - in: query - name: force - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitiesContainer' - description: Schema for the updating many entities - required: true - responses: - '200': - description: Entities updated or created - '403': - description: Operation on a restricted field - '503': - description: Operation on an uninitialized Engine or in a cluster without CRUD API Enabled - summary: Upsert many entities in Entity Store - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/entity_store/entities/list: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/entity_store/entities/list
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List entities records, paging, sorting and filtering as needed. - operationId: ListEntities - parameters: - - description: Field to sort results by. - example: entity.name - in: query - name: sort_field - required: false - schema: - type: string - - description: Sort order. - in: query - name: sort_order - required: false - schema: - enum: - - asc - - desc - type: string - - description: Page number to return (1-indexed). - example: 1 - in: query - name: page - required: false - schema: - minimum: 1 - type: integer - - description: Number of entities per page. - example: 10 - in: query - name: per_page - required: false - schema: - maximum: 10000 - minimum: 1 - type: integer - - description: An ES query to filter by. - in: query - name: filterQuery - required: false - schema: - type: string - - description: Entity types to include in the results. - in: query - name: entity_types - required: true - schema: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - type: array - responses: - '200': - content: - application/json: - schema: - type: object - properties: - inspect: - $ref: '#/components/schemas/Security_Entity_Analytics_API_InspectQuery' - page: - description: Current page number. - minimum: 1 - type: integer - per_page: - description: Number of entities per page. - maximum: 1000 - minimum: 1 - type: integer - records: - description: The entity records for this page. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' - type: array - total: - description: Total number of entities matching the query. 
- minimum: 0 - type: integer - required: - - records - - page - - per_page - - total - description: Entities returned successfully - summary: List Entity Store Entities - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/entity_store/status: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/entity_store/status
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the overall Entity Store status and per-engine statuses, optionally including component-level health details. - operationId: GetEntityStoreStatus - parameters: - - description: If true, returns a detailed status of each engine including all its components. - example: true - in: query - name: include_components - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - entityStoreRunning: - description: The Entity Store is running with both host and user engines started and using default settings. - summary: Entity Store running with two engines - value: - engines: - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: host - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: user - status: running - schema: - type: object - properties: - engines: - description: Per-engine status information. - items: - allOf: - - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' - - type: object - properties: - components: - description: Detailed component-level status. Only included when include_components is true. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentStatus' - type: array - type: array - status: - $ref: '#/components/schemas/Security_Entity_Analytics_API_StoreStatus' - description: The overall status of the Entity Store. - required: - - status - - engines - description: Successful response - summary: Get the status of the Entity Store - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/exception_lists: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/exception_lists
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete an exception list using the `id` or `list_id` field. - operationId: DeleteExceptionList - parameters: - - description: Exception list's identifier. Either `id` or `list_id` must be specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified. - examples: - autogeneratedId: - value: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - list_id: - value: simple_list - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single - responses: - '200': - content: - application/json: - examples: - detectionExceptionList: - value: - _version: WzIsMV0= - created_at: '2025-01-07T19:34:27.942Z' - created_by: elastic - description: This is a sample detection type exception list. - id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: '2025-01-07T19:34:27.942Z' - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: namespace_type.0: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''blob''' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [DELETE /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'exception list list_id: "foo" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Delete an exception list - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/exception_lists
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the details of an exception list using the `id` or `list_id` field. - operationId: ReadExceptionList - parameters: - - description: Exception list's identifier. Either `id` or `list_id` must be specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single - responses: - '200': - content: - application/json: - examples: - detectionType: - value: - _version: WzIsMV0= - created_at: '2025-01-07T19:34:27.942Z' - created_by: elastic - description: This is a sample detection type exception list. - id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: '2025-01-07T19:34:27.942Z' - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: namespace_type.0: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''blob''' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [GET /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message": 'exception list id: "foo" does not exist' - status_code": 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get exception list details - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana - name: product_name - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/exception_lists
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - An exception list groups exception items and can be associated with detection rules. You can assign exception lists to multiple detection rules. - > info - > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item. - operationId: CreateExceptionList - requestBody: - content: - application/json: - schema: - example: - description: This is a sample detection type exception list. - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - type: detection - type: object - properties: - description: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' - list_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single - os_types: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' - tags: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' - default: [] - type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' - version: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' - default: 1 - required: - - name - - description - - type - description: Exception list's properties - required: true - responses: - '200': - content: - application/json: - 
examples: - autogeneratedListId: - value: - _version: WzMsMV0= - created_at: '2025-01-09T01:05:23.019Z' - created_by: elastic - description: This is a sample detection type exception with an autogenerated list_id. - id: 28243c2f-624a-4443-823d-c0b894880931 - immutable: false - list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 - name: Sample Detection Exception List - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: ad94de31-39f7-4ad7-b8e4-988bfa95f338 - type: detection - updated_at: '2025-01-09T01:05:23.020Z' - updated_by: elastic - version: 1 - namespaceAgnostic: - value: - _version: WzUsMV0= - created_at: '2025-01-09T01:10:36.369Z' - created_by: elastic - description: This is a sample agnostic endpoint type exception. - id: 1a744e77-22ca-4b6b-9085-54f55275ebe5 - immutable: false - list_id: b935eb55-7b21-4c1c-b235-faa1df23b3d6 - name: Sample Agnostic Endpoint Exception List - namespace_type: agnostic - os_types: - - linux - tags: - - malware - tie_breaker_id: 49ea0adc-a2b8-4d83-a8f3-2fb98301dea3 - type: endpoint - updated_at: '2025-01-09T01:10:36.369Z' - updated_by: elastic - version: 1 - typeDetection: - value: - _version: WzIsMV0= - created_at: '2025-01-07T19:34:27.942Z' - created_by: elastic - description: This is a sample detection type exception list. - id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: '2025-01-07T19:34:27.942Z' - updated_by: elastic - version: 1 - typeEndpoint: - value: - _version: WzQsMV0= - created_at: '2025-01-09T01:07:49.658Z' - created_by: elastic - description: This is a sample endpoint type exception list. 
- id: a79f4730-6e32-4278-abfc-349c0add7d54 - immutable: false - list_id: endpoint_list - name: Sample Endpoint Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 94a028af-8f47-427a-aca5-ffaf829e64ee - type: endpoint - updated_at: '2025-01-09T01:07:49.658Z' - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: list_id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [POST /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json: - examples: - alreadyExists: - value: - message: 'exception list id: "simple_list" already exists' - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list 
already exists response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create an exception list - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/exception_lists
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an exception list using the `id` or `list_id` field. - operationId: UpdateExceptionList - requestBody: - content: - application/json: - schema: - example: - description: Different description - list_id: simple_list - name: Updated exception list name - os_types: - - linux - tags: - - draft malware - type: detection - type: object - properties: - _version: - description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. - type: string - description: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - list_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single - os_types: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' - default: [] - tags: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' - type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' - version: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' - required: - - name - - description - - type - description: Exception list's properties - required: true - responses: - '200': - content: - application/json: - examples: - simpleList: - value: - _version: WzExLDFd - created_at: '2025-01-07T20:43:55.264Z' - created_by: elastic - description: Different description - id: fa7f545f-191b-4d32-b1f0-c7cd62a79e55 - immutable: false - list_id: simple_list - name: Updated exception list name - namespace_type: single - os_types: [] 
- tags: - - draft malware - tie_breaker_id: 319fe983-acdd-4806-b6c4-3098eae9392f - type: detection - updated_at: '2025-01-07T21:32:03.726Z' - updated_by: elastic - version: 2 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: list_id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [PUT /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message": 'exception list id: "foo" does not exist' - status_code": 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: 
'#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Update an exception list - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana - name: product_name - /api/exception_lists/_duplicate: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/exception_lists/_duplicate
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Duplicate an existing exception list. - operationId: DuplicateExceptionList - parameters: - - in: query - name: list_id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - - description: Determines whether to include expired exceptions in the duplicated list. Expiration date defined by `expire_time`. - in: query - name: include_expired_exceptions - required: true - schema: - default: 'true' - enum: - - 'true' - - 'false' - example: true - type: string - responses: - '200': - content: - application/json: - examples: - detectionExceptionList: - value: - _version: WzExNDY1LDFd - created_at: '2025-01-09T16:19:50.280Z' - created_by: elastic - description: This is a sample detection type exception - id: b2f4a715-6ab1-444c-8b1e-3fa1b1049429 - immutable: false - list_id: d6390d60-bce3-4a48-9002-52db600f329c - name: Sample Detection Exception List [Duplicate] - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: 6fa670bd-666d-4c9c-9f1e-d1dbc516e985 - type: detection - updated_at: '2025-01-09T16:19:50.280Z' - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: namespace_type: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''foo''' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [POST /api/exception_lists/_duplicate] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message": 'exception list id: "foo" does not exist' - status_code": 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Exception list not found - '405': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list to duplicate not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Duplicate an exception list - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana - 
name: product_name - /api/exception_lists/_export: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/exception_lists/_export
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Export an exception list and its associated items to an NDJSON file. - operationId: ExportExceptionList - parameters: - - in: query - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - in: query - name: list_id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - - description: Determines whether to include expired exceptions in the exported list. Expiration date defined by `expire_time`. - example: true - in: query - name: include_expired_exceptions - required: true - schema: - default: 'true' - enum: - - 'true' - - 'false' - type: string - responses: - '200': - content: - application/ndjson: - examples: - exportSavedObjectsResponse: - value: | - {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} - {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another 
host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} - {"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0} - schema: - description: A `.ndjson` file containing specified exception list and its items - format: binary - type: string - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: list_id: Required, namespace_type: Required' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [POST /api/exception_lists/_export] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: 
'#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message": 'exception list id: "foo" does not exist' - status_code": 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Export an exception list - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana - name: product_name - /api/exception_lists/_find: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/exception_lists/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all exception list containers. - operationId: FindExceptionLists - parameters: - - description: | - Filters the returned results according to the value of the specified field. - - Uses the `so type.field name:field` value syntax, where `so type` can be: - - - `exception-list`: Specify a space-aware exception list. - - `exception-list-agnostic`: Specify an exception list that is shared across spaces. - in: query - name: filter - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_FindExceptionListsFilter' - - description: | - Determines whether the returned containers are Kibana associated with a Kibana space - or available in all spaces (`agnostic` or `single`) - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false - schema: - default: - - single - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - type: array - - description: The page number to return - in: query - name: page - required: false - schema: - example: 1 - minimum: 1 - type: integer - - description: The number of exception lists to return per page - in: query - name: per_page - required: false - schema: - example: 20 - minimum: 1 - type: integer - - description: Determines which field is used to sort the results. - in: query - name: sort_field - required: false - schema: - example: name - type: string - - description: Determines the sort order, which can be `desc` or `asc`. - in: query - name: sort_order - required: false - schema: - enum: - - desc - - asc - example: desc - type: string - responses: - '200': - content: - application/json: - examples: - simpleLists: - value: - data: - - _version: WzIsMV0= - created_at: '2025-01-07T19:34:27.942Z' - created_by: elastic - description: This is a sample detection type exception list. 
- id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Detection Exception List - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: '2025-01-07T19:34:27.942Z' - updated_by: elastic - version: 1 - page: 1 - per_page: 20 - total: 1 - schema: - type: object - properties: - data: - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - type: array - page: - minimum: 1 - type: integer - per_page: - minimum: 1 - type: integer - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [GET /api/exception_lists/_find?namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: 
'#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get exception lists - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana - name: product_name - /api/exception_lists/_import: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/exception_lists/_import
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Import an exception list and its associated items from an NDJSON file. - operationId: ImportExceptionList - parameters: - - description: | - Determines whether existing exception lists with the same `list_id` are overwritten. - If any exception items have the same `item_id`, those are also overwritten. - in: query - name: overwrite - required: false - schema: - default: false - example: false - type: boolean - - description: | - Determines whether the list being imported will have a new `list_id` generated. - Additional `item_id`'s are generated for each exception item. Both the exception - list and its items are overwritten. - in: query - name: as_new_list - required: false - schema: - default: false - example: false - type: boolean - requestBody: - content: - multipart/form-data: - schema: - type: object - properties: - file: - description: A `.ndjson` file containing the exception list - example: | - {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} - {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample 
Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} - format: binary - type: string - required: true - responses: - '200': - content: - application/json: - examples: - withErrors: - value: - errors: - - error: - message: 'Error found importing exception list: Invalid value \"4\" supplied to \"list_id\"' - status_code: 400 - list_id: (unknown list_id) - - error: - message: 'Found that item_id: \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" already exists. Import of item_id: \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" skipped.' - status_code: 409 - item_id: f7fd00bb-dba8-4c93-9d59-6cbd427b6330 - list_id: 7d7cccb8-db72-4667-b1f3-648efad7c1ee - success: false, - success_count: 0, - success_count_exception_list_items: 0 - success_count_exception_lists: 0, - success_exception_list_items: false, - success_exception_lists: false, - withoutErrors: - value: - errors: [] - success: true - success_count: 2 - success_count_exception_list_items: 1 - success_count_exception_lists: 1 - success_exception_list_items: true - success_exception_lists: true, - schema: - type: object - properties: - errors: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray' - success: - type: boolean - success_count: - minimum: 0 - type: integer - success_count_exception_list_items: - minimum: 0 - type: integer - success_count_exception_lists: - minimum: 0 - type: integer - success_exception_list_items: - type: boolean - success_exception_lists: - type: boolean - required: - - errors - - success - - success_count - - success_exception_lists - - success_count_exception_lists - - success_exception_list_items - - success_count_exception_list_items - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: 
'#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [POST /api/exception_lists/_import] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Import an exception list - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana - name: product_name - /api/exception_lists/items: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/exception_lists/items
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete an exception list item using the `id` or `item_id` field. - operationId: DeleteExceptionListItem - parameters: - - description: Exception item's identifier. Either `id` or `item_id` must be specified - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - - description: Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified - in: query - name: item_id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' - - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single - responses: - '200': - content: - application/json: - examples: - simpleExceptionItem: - value: - _version: WzQsMV0= - comments: [] - created_at: '2025-01-07T20:07:33.119Z' - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: '2025-01-07T20:07:33.119Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json: - schema: - example: - error: Bad Request - message: '[request query]: namespace_type.0: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''blob''' - statusCode: 400 - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [DELETE /api/exception_lists/items?item_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'exception list item item_id: \"foo\" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Delete an exception list item - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/exception_lists/items
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the details of an exception list item using the `id` or `item_id` field. - operationId: ReadExceptionListItem - parameters: - - description: Exception list item's identifier. Either `id` or `item_id` must be specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - - description: Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified. - in: query - name: item_id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' - - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single - responses: - '200': - content: - application/json: - examples: - simpleListItem: - value: - _version: WzQsMV0= - comments: [] - created_at: '2025-01-07T20:07:33.119Z' - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: '2025-01-07T20:07:33.119Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [GET /api/exception_lists/items?item_id=&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - 
content: - application/json: - examples: - notFound: - value: - message: 'exception list item item_id: \"foo\" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get an exception list item - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana - name: product_name - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/exception_lists/items
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create an exception item and associate it with the specified exception list. - > info - > Before creating exception items, you must create an exception list. - operationId: CreateExceptionListItem - requestBody: - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemGeneric' - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemEndpointList' - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows' - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac' - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux' - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows' - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac' - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac' - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemEventFilters' - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemHostIsolation' - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistWindows' - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistLinux' - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistMac' - description: Exception list item's properties - required: true - responses: - '200': - content: - application/json: - examples: - autogeneratedItemId: - value: - _version: WzYsMV0= - comments: [] - created_at: '2025-01-09T01:16:23.322Z' - created_by: elastic - description: This is a sample exception that has no item_id so it is autogenerated. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - id: 323faa75-c657-4fa0-9084-8827612c207b - item_id: 80e6edf7-4b13-4414-858f-2fa74aa52b37 - list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 - name: Sample Autogenerated Exception List Item ID - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: d6799986-3a23-4213-bc6d-ed9463a32f23 - type: simple - updated_at: '2025-01-09T01:16:23.322Z' - updated_by: elastic - detectionExceptionListItem: - value: - _version: WzQsMV0= - comments: [] - created_at: '2025-01-07T20:07:33.119Z' - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: '2025-01-07T20:07:33.119Z' - updated_by: elastic - withExistEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: '2025-01-07T20:07:33.119Z' - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: '2025-01-07T20:07:33.119Z' - updated_by: elastic - withMatchAnyEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: '2025-01-07T20:07:33.119Z' - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: '2025-01-07T20:07:33.119Z' - updated_by: elastic - withMatchEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: '2025-01-07T20:07:33.119Z' - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: included - type: match - value: Elastic N.V. - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: '2025-01-07T20:07:33.119Z' - updated_by: elastic - withNestedEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: '2025-01-07T20:07:33.119Z' - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - entries: - - field: signer - operator: included - type: match - value: Evil - - field: trusted - operator: included - type: match - value: true - field: file.signature - type: nested - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: '2025-01-07T20:07:33.119Z' - updated_by: elastic - withValueListEntry: - value: - _version: WzcsMV0= - comments: [] - created_at: '2025-01-09T01:31:12.614Z' - created_by: elastic - description: Don't signal when agent.name is rock01 and source.ip is in the goodguys.txt list - entries: - - field: source.ip - list: - id: goodguys.txt - type: ip - operator: excluded - type: list - id: deb26876-297d-4677-8a1f-35467d2f1c4f - item_id: 686b129e-9b8d-4c59-8d8d-c93a9ea82c71 - list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 - name: Filter out good guys ip and agent.name rock01 - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: 5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8 - type: simple - updated_at: '2025-01-09T01:31:12.614Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request, - message: '[request body]: list_id: Expected string, received number' - statusCode: 400, - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request 
[/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [POST /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json: - examples: - alreadyExists: - value: - message: 'exception list item id: \"simple_list_item\" already exists' - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item already exists response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create an exception list item - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/exception_lists/items
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an exception list item using the `id` or `item_id` field. - operationId: UpdateExceptionListItem - requestBody: - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemGeneric' - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEndpointList' - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows' - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac' - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux' - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows' - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac' - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac' - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEventFilters' - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemHostIsolation' - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows' - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux' - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistMac' - description: Exception list item's properties - required: true - responses: - '200': - content: - application/json: - examples: - simpleListItem: - value: - _version: WzEyLDFd - comments: [] - created_at: '2025-01-07T21:12:25.512Z' - created_by: elastic - description: Updated description - entries: - - field: host.name - operator: included - type: match - value: rock01 - id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da - item_id: simple_list_item - list_id: simple_list - name: 
Updated name - namespace_type: single - os_types: [] - tags: [] - tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 - type: simple - updated_at: '2025-01-07T21:34:50.233Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: item_id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [PUT /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'exception list item item_id: \"foo\" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - 
status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Update an exception list item - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana - name: product_name - /api/exception_lists/items/_find: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/exception_lists/items/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all exception list items in the specified list. - operationId: FindExceptionListItems - parameters: - - description: The `list_id`s of the items to fetch. - in: query - name: list_id - required: true - schema: - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - type: array - - description: | - Filters the returned results according to the value of the specified field, - using the `:` syntax. - examples: - singleFilter: - value: - - exception-list.attributes.name:%My%20item - in: query - name: filter - required: false - schema: - default: [] - items: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - type: array - - description: | - Determines whether the returned containers are Kibana associated with a Kibana space - or available in all spaces (`agnostic` or `single`) - examples: - single: - value: - - single - in: query - name: namespace_type - required: false - schema: - default: - - single - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - type: array - - in: query - name: search - required: false - schema: - example: host.name - type: string - - description: The page number to return - in: query - name: page - required: false - schema: - example: 1 - minimum: 0 - type: integer - - description: The number of exception list items to return per page - in: query - name: per_page - required: false - schema: - example: 20 - minimum: 0 - type: integer - - description: Determines which field is used to sort the results. - example: name - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - - description: Determines the sort order, which can be `desc` or `asc`. 
- in: query - name: sort_order - required: false - schema: - enum: - - desc - - asc - example: desc - type: string - responses: - '200': - content: - application/json: - examples: - simpleListItems: - value: - data: - - _version: WzgsMV0= - comments: [] - created_at: '2025-01-07T21:12:25.512Z' - created_by: elastic - description: This is a sample exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - jupiter - - saturn - id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 - type: simple - updated_at: '2025-01-07T21:12:25.512Z' - updated_by: elastic - page: 1 - per_page: 20 - total: 1 - schema: - type: object - properties: - data: - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - type: array - page: - minimum: 1 - type: integer - per_page: - minimum: 1 - type: integer - pit: - type: string - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: namespace_type.0: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''blob''' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [GET /api/exception_lists/items/_find?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'exception list list_id: "foo" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get exception list items - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana - name: product_name - /api/exception_lists/summary: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/exception_lists/summary
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a summary of the specified exception list. - operationId: ReadExceptionListSummary - parameters: - - description: Exception list's identifier generated upon creation. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: Exception list's human readable identifier. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single - - description: Search filter clause - in: query - name: filter - required: false - schema: - example: exception-list-agnostic.attributes.tags:"policy:policy-1" OR exception-list-agnostic.attributes.tags:"policy:all" - type: string - responses: - '200': - content: - application/json: - examples: - summary: - value: - linux: 0 - macos: 0 - total: 0 - windows: 0 - schema: - type: object - properties: - linux: - minimum: 0 - type: integer - macos: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer - windows: - minimum: 0 - type: integer - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: namespace_type.0: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''blob''' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [GET /api/exception_lists/summary?list_id=simple_list&namespace_type=agnostic] is unauthorized for user, this action is granted by the Kibana privileges [lists-summary] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message": 'exception list id: "foo" does not exist' - status_code": 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get an exception list summary - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana - name: product_name - /api/exceptions/shared: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/exceptions/shared
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - An exception list groups exception items and can be associated with detection rules. A shared exception list can apply to multiple detection rules. - > info - > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item. - operationId: CreateSharedExceptionList - requestBody: - content: - application/json: - schema: - example: - description: This is a sample detection type exception list. - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - type: object - properties: - description: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' - required: - - name - - description - required: true - responses: - '200': - content: - application/json: - examples: - sharedList: - value: - _version: WzIsMV0= - created_at: '2025-01-07T19:34:27.942Z' - created_by: elastic - description: This is a sample detection type exception list. 
- id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: '2025-01-07T19:34:27.942Z' - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: list_id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - message: Unable to create exception-list - status_code: 403 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json: - examples: - alreadyExists: - value: - message: 'exception list id: "simple_list" already exists' - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list already exists response - '500': - content: - application/json: - examples: - serverError: - value: - 
message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create a shared exception list - tags: - - Security Exceptions API - x-metaTags: - - content: Kibana - name: product_name - /api/features: - get: - description: | - Get information about all Kibana features. Features are used by spaces and security to refine and secure access to Kibana. - operationId: get-features - responses: - '200': - content: - application/json: - examples: - getFeaturesExample: - value: | - { - "features": [ - { - "name": "tasks", - "description": "Manages task results" - }, - { - "name": "security", - "description": "Manages configuration for Security features, such as users and roles" - }, - { - "name": "searchable_snapshots", - "description": "Manages caches and configuration for searchable snapshots" - }, - { - "name": "logstash_management", - "description": "Enables Logstash Central Management pipeline storage" - }, - { - "name": "transform", - "description": "Manages configuration and state for transforms" - }, - { - "name": "kibana", - "description": "Manages Kibana configuration and reports" - }, - { - "name": "synonyms", - "description": "Manages synonyms" - }, - { - "name": "async_search", - "description": "Manages results of async searches" - }, - { - "name": "ent_search", - "description": "Manages configuration for Enterprise Search features" - }, - { - "name": "machine_learning", - "description": "Provides anomaly detection and forecasting functionality" - }, - { - "name": "geoip", - "description": "Manages data related to GeoIP database downloader" - }, - { - "name": "watcher", - "description": "Manages Watch definitions and state" - }, - { - "name": "fleet", - "description": "Manages configuration for Fleet" - }, - { - "name": "enrich", - "description": "Manages data related to Enrich policies" - }, - { - "name": "inference_plugin", - 
"description": "Inference plugin for managing inference services and inference" - } - ] - } - schema: - type: object - description: Indicates a successful call - summary: Get features - tags: - - system - x-state: Technical Preview - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agent_download_sources: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agent_download_sources
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all agent binary download sources.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read. - operationId: get-fleet-agent-download-sources - parameters: [] - responses: - '200': - content: - application/json: - examples: - getDownloadSourcesExample: - description: List of agent binary download sources - value: - items: - - host: https://artifacts.elastic.co/downloads/ - id: download-source-id-1 - is_default: true - name: Elastic Artifacts - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: The ID of the proxy to use for this download source. See the proxies API for more information. 
- nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - id - - name - - host - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get agent binary download sources - tags: - - Elastic Agent binary download sources - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agent_download_sources
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new agent binary download source.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-agent-download-sources - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postDownloadSourceRequestExample: - description: Create a new agent binary download source - value: - host: https://my-custom-host.example.com/downloads/ - is_default: false - name: My custom download source - schema: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: The ID of the proxy to use for this download source. See the proxies API for more information. 
- nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - name - - host - responses: - '200': - content: - application/json: - examples: - postDownloadSourceExample: - description: The created agent binary download source - value: - item: - host: https://my-custom-host.example.com/downloads/ - id: download-source-id-2 - is_default: false - name: My custom download source - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: The ID of the proxy to use for this download source. See the proxies API for more information. 
- nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - id - - name - - host - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create an agent binary download source - tags: - - Elastic Agent binary download sources - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agent_download_sources/{sourceId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: delete-fleet-agent-download-sources-sourceid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: sourceId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - deleteDownloadSourceExample: - description: The download source was successfully deleted - value: - id: download-source-id-1 - schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No download source was found with the given ID - value: - error: Not Found - message: Agent binary source download-source-id-1 not found - statusCode: 404 - description: Not Found - summary: Delete an agent binary download source - tags: - - Elastic Agent binary download sources - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read. - operationId: get-fleet-agent-download-sources-sourceid - parameters: - - in: path - name: sourceId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getDownloadSourceExample: - description: An agent binary download source - value: - item: - host: https://artifacts.elastic.co/downloads/ - id: download-source-id-1 - is_default: true - name: Elastic Artifacts - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: The ID of the proxy to use for this download source. See the proxies API for more information. 
- nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - id - - name - - host - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No download source was found with the given ID - value: - error: Not Found - message: Agent binary source download-source-id-1 not found - statusCode: 404 - description: Not Found - summary: Get an agent binary download source - tags: - - Elastic Agent binary download sources - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: put-fleet-agent-download-sources-sourceid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: sourceId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putDownloadSourceRequestExample: - description: Update an agent binary download source - value: - host: https://updated-host.example.com/downloads/ - is_default: false - name: Updated download source - schema: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: The ID of the proxy to use for this download source. See the proxies API for more information. 
- nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - name - - host - responses: - '200': - content: - application/json: - examples: - putDownloadSourceExample: - description: The updated agent binary download source - value: - item: - host: https://updated-host.example.com/downloads/ - id: download-source-id-1 - is_default: false - name: Updated download source - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: The ID of the proxy to use for this download source. See the proxies API for more information. 
- nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - id - - name - - host - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No download source was found with the given ID - value: - error: Not Found - message: Download source download-source-id-1 not found - statusCode: 404 - description: Not Found - summary: Update an agent binary download source - tags: - - Elastic Agent binary download sources - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agent_policies: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agent_policies
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. - operationId: get-fleet-agent-policies - parameters: - - in: query - name: page - required: false - schema: - type: number - - in: query - name: perPage - required: false - schema: - type: number - - in: query - name: sortField - required: false - schema: - type: string - - in: query - name: sortOrder - required: false - schema: - enum: - - desc - - asc - type: string - - in: query - name: showUpgradeable - required: false - schema: - type: boolean - - in: query - name: kuery - required: false - schema: - type: string - - description: use withAgentCount instead - in: query - name: noAgentCount - required: false - schema: - deprecated: true - type: boolean - - description: get policies with agent count - in: query - name: withAgentCount - required: false - schema: - type: boolean - - description: get full policies with package policies populated - in: query - name: full - required: false - schema: - type: boolean - - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - responses: - '200': - content: - application/json: - examples: - getAgentPoliciesExample: - description: List of agent policies - value: - items: - - description: A sample agent policy - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: My agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T10:00:00.000Z' - updated_by: user1 - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true 
- agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - agents: - type: number - agents_per_version: - items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count - maxItems: 1000 - type: array - created_at: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fips_agents: - type: number - fleet_server_host_id: - nullable: true - type: string - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. 
- items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: Indicates whether the agent policy has tamper protection enabled. Default false. - type: boolean - is_verifier: - description: Indicates this is a short-lived verifier policy used for OTel permission verification. - type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - 
nullable: true - description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - id: - description: Package policy unique identifier. 
- type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - 
release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). 
- type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. 
- is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. 
- type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - revision: - type: number - schema_version: - type: string - space_ids: - items: - type: string - maxItems: 100 - type: array - status: - enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. - nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - unprivileged_agents: - type: number - updated_at: - type: string - updated_by: - type: string - version: - type: string - required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get agent policies - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana 
- name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agent_policies
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new agent policy.

[Required authorization] Route required privileges: fleet-agent-policies-all. - operationId: post-fleet-agent-policies - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: query - name: sys_monitoring - required: false - schema: - type: boolean - requestBody: - content: - application/json: - examples: - postAgentPolicyRequestExample: - description: Create a new agent policy - value: - description: A sample agent policy - monitoring_enabled: - - logs - - metrics - name: My agent policy - namespace: default - schema: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: 
string - memory: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fleet_server_host_id: - nullable: true - type: string - force: - type: boolean - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. - items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_protected: - type: boolean - is_verifier: - description: Indicates this is a short-lived verifier policy used for OTel permission verification. 
- type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - space_ids: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - deprecated: true - description: Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API. - nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - required: - - name - - namespace - responses: - '200': - content: - application/json: - examples: - postAgentPolicyExample: - description: The created agent policy - value: - item: - description: A sample agent policy - id: agent-policy-id-2 - is_managed: false - is_protected: false - name: My agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T10:00:00.000Z' - updated_by: user1 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - 
agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - agents: - type: number - agents_per_version: - items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count - maxItems: 1000 - type: array - created_at: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fips_agents: - type: number - fleet_server_host_id: - nullable: true - type: string - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. - items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: Indicates whether the agent policy has tamper protection enabled. Default false. 
- type: boolean - is_verifier: - description: Indicates this is a short-lived verifier policy used for OTel permission verification. - type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - id: - description: Package policy unique identifier. 
- type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - 
release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). 
- type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. 
- is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. 
- type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - revision: - type: number - schema_version: - type: string - space_ids: - items: - type: string - maxItems: 100 - type: array - status: - enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. - nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - unprivileged_agents: - type: number - updated_at: - type: string - updated_by: - type: string - version: - type: string - required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create an agent policy - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agent_policies/_bulk_get: - post: - description: |- - **Spaces method and path for this 
operation:** - -
post /s/{space_id}/api/fleet/agent_policies/_bulk_get
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get multiple agent policies by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. - operationId: post-fleet-agent-policies-bulk-get - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - requestBody: - content: - application/json: - examples: - postBulkGetAgentPoliciesRequestExample: - description: Retrieve multiple agent policies by ID - value: - ids: - - agent-policy-id-1 - - agent-policy-id-2 - schema: - additionalProperties: false - type: object - properties: - full: - description: get full policies with package policies populated - type: boolean - ids: - description: list of package policy ids - items: - type: string - maxItems: 1000 - type: array - ignoreMissing: - type: boolean - required: - - ids - responses: - '200': - content: - application/json: - examples: - postBulkGetAgentPoliciesExample: - description: The requested agent policies - value: - items: - - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: My agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T10:00:00.000Z' - updated_by: user1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - 
nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - agents: - type: number - agents_per_version: - items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count - maxItems: 1000 - type: array - created_at: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fips_agents: - type: number - fleet_server_host_id: - nullable: true - type: string - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. 
- items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: Indicates whether the agent policy has tamper protection enabled. Default false. - type: boolean - is_verifier: - description: Indicates this is a short-lived verifier policy used for OTel permission verification. - type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - 
nullable: true - description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - id: - description: Package policy unique identifier. 
- type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - 
release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). 
- type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. 
- is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. 
- type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - revision: - type: number - schema_version: - type: string - space_ids: - items: - type: string - maxItems: 100 - type: array - status: - enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. - nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - unprivileged_agents: - type: number - updated_at: - type: string - updated_by: - type: string - version: - type: string - required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: One or more agent policies were not found - value: - error: Not Found - message: An error message describing what 
went wrong - statusCode: 404 - description: Not Found - summary: Bulk get agent policies - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agent_policies/{agentPolicyId}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. - operationId: get-fleet-agent-policies-agentpolicyid - parameters: - - in: path - name: agentPolicyId - required: true - schema: - type: string - - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - responses: - '200': - content: - application/json: - examples: - getAgentPolicyExample: - description: An agent policy - value: - item: - description: A sample agent policy - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: My agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T10:00:00.000Z' - updated_by: user1 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - 
required: - - enabled - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - agents: - type: number - agents_per_version: - items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count - maxItems: 1000 - type: array - created_at: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fips_agents: - type: number - fleet_server_host_id: - nullable: true - type: string - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. - items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: Indicates whether the agent policy has tamper protection enabled. Default false. - type: boolean - is_verifier: - description: Indicates this is a short-lived verifier policy used for OTel permission verification. 
- type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - id: - description: Package policy unique identifier. 
- type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - 
release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). 
- type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. 
- is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. 
- type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - revision: - type: number - schema_version: - type: string - space_ids: - items: - type: string - maxItems: 100 - type: array - status: - enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. - nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - unprivileged_agents: - type: number - updated_at: - type: string - updated_by: - type: string - version: - type: string - required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID - value: - error: Not Found - message: Agent policy not found - statusCode: 404 - description: Not Found - 
summary: Get an agent policy - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. - operationId: put-fleet-agent-policies-agentpolicyid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: agentPolicyId - required: true - schema: - type: string - - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - requestBody: - content: - application/json: - examples: - putAgentPolicyRequestExample: - description: Update an agent policy - value: - description: An updated agent policy description - monitoring_enabled: - - logs - name: Updated agent policy - namespace: default - schema: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - resources: - additionalProperties: 
false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - bumpRevision: - type: boolean - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fleet_server_host_id: - nullable: true - type: string - force: - type: boolean - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. - items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_protected: - type: boolean - is_verifier: - description: Indicates this is a short-lived verifier policy used for OTel permission verification. 
- type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - space_ids: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - deprecated: true - description: Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API. - nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - required: - - name - - namespace - responses: - '200': - content: - application/json: - examples: - putAgentPolicyExample: - description: The updated agent policy - value: - item: - description: An updated agent policy description - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: Updated agent policy - namespace: default - revision: 2 - status: active - updated_at: '2024-01-15T11:00:00.000Z' - updated_by: user1 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: 
true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - agents: - type: number - agents_per_version: - items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count - maxItems: 1000 - type: array - created_at: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fips_agents: - type: number - fleet_server_host_id: - nullable: true - type: string - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. - items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: Indicates whether the agent policy has tamper protection enabled. Default false. 
- type: boolean - is_verifier: - description: Indicates this is a short-lived verifier policy used for OTel permission verification. - type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - id: - description: Package policy unique identifier. 
- type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - 
release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). 
- type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. 
- is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. 
- type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - revision: - type: number - schema_version: - type: string - space_ids: - items: - type: string - maxItems: 100 - type: array - status: - enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. - nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - unprivileged_agents: - type: number - updated_at: - type: string - updated_by: - type: string - version: - type: string - required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Update an agent policy - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status: - get: - description: |- - **Spaces 
method and path for this operation:** - -
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the auto-upgrade status for agents assigned to an agent policy.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agent-policies-agentpolicyid-auto-upgrade-agents-status - parameters: - - in: path - name: agentPolicyId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getAutoUpgradeAgentsStatusExample: - description: Auto-upgrade status for agents in the policy - value: - agentsCount: 5 - currentVersion: 8.16.0 - failedAgentsCount: 0 - upgradedAgentsCount: 3 - upgradingAgentsCount: 1 - schema: - additionalProperties: false - type: object - properties: - currentVersions: - items: - additionalProperties: false - type: object - properties: - agents: - description: Number of agents that upgraded to this version - type: number - failedUpgradeActionIds: - description: List of action IDs related to failed upgrades - items: - type: string - maxItems: 1000 - type: array - failedUpgradeAgents: - description: Number of agents that failed to upgrade to this version - type: number - inProgressUpgradeActionIds: - description: List of action IDs related to in-progress upgrades - items: - type: string - maxItems: 1000 - type: array - inProgressUpgradeAgents: - description: Number of agents that are upgrading to this version - type: number - version: - description: Agent version - type: string - required: - - version - - agents - - failedUpgradeAgents - - inProgressUpgradeAgents - maxItems: 10000 - type: array - totalAgents: - type: number - required: - - currentVersions - - totalAgents - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: 
- type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get auto upgrade agent status - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agent_policies/{agentPolicyId}/copy: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/copy
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Copy an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. - operationId: post-fleet-agent-policies-agentpolicyid-copy - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: agentPolicyId - required: true - schema: - type: string - - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - requestBody: - content: - application/json: - examples: - postCopyAgentPolicyRequestExample: - description: Copy an agent policy with a new name - value: - description: A copy of the original agent policy - name: Copy of my agent policy - schema: - additionalProperties: false - type: object - properties: - description: - type: string - name: - minLength: 1 - type: string - required: - - name - responses: - '200': - content: - application/json: - examples: - postCopyAgentPolicyExample: - description: The copied agent policy - value: - item: - description: A copy of the original agent policy - id: agent-policy-id-copy-1 - is_managed: false - is_protected: false - name: Copy of my agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T11:00:00.000Z' - updated_by: user1 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - 
nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - agents: - type: number - agents_per_version: - items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count - maxItems: 1000 - type: array - created_at: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fips_agents: - type: number - fleet_server_host_id: - nullable: true - type: string - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. - items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: Indicates whether the agent policy has tamper protection enabled. 
Default false. - type: boolean - is_verifier: - description: Indicates this is a short-lived verifier policy used for OTel permission verification. - type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - id: - description: Package policy unique identifier. 
- type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - 
release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). 
- type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. 
- is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. 
- type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - revision: - type: number - schema_version: - type: string - space_ids: - items: - type: string - maxItems: 100 - type: array - status: - enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. - nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - unprivileged_agents: - type: number - updated_at: - type: string - updated_by: - type: string - version: - type: string - required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Copy an agent policy - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agent_policies/{agentPolicyId}/download: - get: - description: |- - **Spaces method and path for this 
operation:** - -
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/download
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Download an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. - operationId: get-fleet-agent-policies-agentpolicyid-download - parameters: - - in: path - name: agentPolicyId - required: true - schema: - type: string - - description: If true, returns the policy as a downloadable file - in: query - name: download - required: false - schema: - type: boolean - - description: If true, returns the policy formatted for standalone agents - in: query - name: standalone - required: false - schema: - type: boolean - - description: If true, returns the policy formatted for Kubernetes deployment - in: query - name: kubernetes - required: false - schema: - type: boolean - - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags. - in: query - name: revision - required: false - schema: - type: number - responses: - '200': - content: - application/json: - examples: - getDownloadAgentPolicyExample: - description: The agent policy download response - value: - item: 'id: agent-policy-id-1\nrevision: 1\noutputs:\n default:\n type: elasticsearch\n hosts:\n - https://elasticsearch.example.com:9200\n' - schema: - type: string - description: Successful response — returns the agent policy as a YAML file download - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID - value: - error: Not 
Found - message: Agent policy not found - statusCode: 404 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Not Found - summary: Download an agent policy - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agent_policies/{agentPolicyId}/full: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/full
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a full agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read. - operationId: get-fleet-agent-policies-agentpolicyid-full - parameters: - - in: path - name: agentPolicyId - required: true - schema: - type: string - - description: If true, returns the policy as a downloadable file - in: query - name: download - required: false - schema: - type: boolean - - description: If true, returns the policy formatted for standalone agents - in: query - name: standalone - required: false - schema: - type: boolean - - description: If true, returns the policy formatted for Kubernetes deployment - in: query - name: kubernetes - required: false - schema: - type: boolean - - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags. - in: query - name: revision - required: false - schema: - type: number - responses: - '200': - content: - application/json: - examples: - getFullAgentPolicyExample: - description: The full agent policy configuration - value: - item: - agent: - monitoring: - logs: true - metrics: true - id: agent-policy-id-1 - inputs: [] - outputs: - default: - hosts: - - https://elasticsearch.example.com:9200 - type: elasticsearch - revision: 1 - schema: - additionalProperties: false - type: object - properties: - item: - anyOf: - - type: string - - additionalProperties: false - type: object - properties: - agent: - additionalProperties: false - type: object - properties: - download: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - 
type: object - proxy_url: - type: string - secrets: - additionalProperties: true - type: object - properties: - ssl: - additionalProperties: true - type: object - properties: - key: - additionalProperties: true - type: object - properties: - id: - type: string - required: - - key - sourceURI: - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - renegotiation: - type: string - verification_mode: - type: string - target_directory: - type: string - timeout: - type: string - required: - - sourceURI - features: - additionalProperties: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - required: - - enabled - type: object - internal: - nullable: true - limits: - additionalProperties: false - type: object - properties: - go_max_procs: - type: number - logging: - additionalProperties: false - type: object - properties: - files: - additionalProperties: false - type: object - properties: - interval: - type: string - keepfiles: - type: number - rotateeverybytes: - type: number - level: - type: string - metrics: - additionalProperties: false - type: object - properties: - period: - type: string - to_files: - type: boolean - monitoring: - additionalProperties: false - type: object - properties: - _runtime_experimental: - type: string - apm: - nullable: true - diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - enabled: - type: boolean - http: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - host: - type: string - port: - type: number - logs: - type: 
boolean - metrics: - type: boolean - namespace: - type: string - pprof: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - required: - - enabled - traces: - type: boolean - use_output: - type: string - required: - - enabled - - metrics - - logs - - traces - - apm - protection: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - signing_key: - type: string - uninstall_token_hash: - type: string - required: - - enabled - - uninstall_token_hash - - signing_key - required: - - monitoring - - download - - features - - internal - connectors: - additionalProperties: - nullable: true - type: object - exporters: - additionalProperties: - nullable: true - type: object - extensions: - additionalProperties: - nullable: true - type: object - fleet: - anyOf: - - additionalProperties: false - type: object - properties: - hosts: - items: - type: string - maxItems: 100 - type: array - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - proxy_url: - type: string - secrets: - additionalProperties: true - type: object - properties: - ssl: - additionalProperties: true - type: object - properties: - key: - additionalProperties: true - type: object - properties: - id: - type: string - required: - - key - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - renegotiation: - type: string - verification_mode: - type: string - required: - - hosts - - additionalProperties: false - type: object - properties: - kibana: - additionalProperties: false - type: object - properties: - hosts: - items: - type: string - maxItems: 100 - type: array - path: - type: string - protocol: - type: string - required: - - hosts - - protocol - required: - - kibana - id: - type: string - inputs: - items: - 
additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true - type: object - properties: - namespace: - type: string - required: - - namespace - id: - type: string - meta: - additionalProperties: true - type: object - properties: - package: - additionalProperties: true - type: object - properties: - name: - type: string - version: - type: string - required: - - name - - version - name: - type: string - package_policy_id: - type: string - processors: - items: - additionalProperties: true - type: object - properties: - add_fields: - additionalProperties: true - type: object - properties: - fields: - additionalProperties: - anyOf: - - type: string - - type: number - type: object - target: - type: string - required: - - target - - fields - required: - - add_fields - maxItems: 10000 - type: array - revision: - type: number - streams: - items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true - type: object - properties: - dataset: - type: string - type: - type: string - required: - - dataset - id: - type: string - required: - - id - - data_stream - maxItems: 10000 - type: array - type: - type: string - use_output: - type: string - required: - - id - - name - - revision - - type - - data_stream - - use_output - - package_policy_id - maxItems: 10000 - type: array - namespaces: - items: - type: string - maxItems: 100 - type: array - output_permissions: - additionalProperties: - additionalProperties: - nullable: true - type: object - type: object - outputs: - additionalProperties: - additionalProperties: true - type: object - properties: - ca_sha256: - nullable: true - type: string - hosts: - items: - type: string - maxItems: 100 - type: array - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - proxy_url: - type: string - type: - type: string - required: - - type - type: object - processors: - 
additionalProperties: - nullable: true - type: object - receivers: - additionalProperties: - nullable: true - type: object - revision: - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10000 - type: array - service: - additionalProperties: false - type: object - properties: - extensions: - items: - type: string - maxItems: 1000 - type: array - pipelines: - additionalProperties: - additionalProperties: false - type: object - properties: - exporters: - items: - type: string - maxItems: 1000 - type: array - processors: - items: - type: string - maxItems: 1000 - type: array - receivers: - items: - type: string - maxItems: 1000 - type: array - x-oas-optional: true - type: object - signed: - additionalProperties: false - type: object - properties: - data: - type: string - signature: - type: string - required: - - data - - signature - required: - - id - - outputs - - inputs - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID - value: - error: Not Found - message: Agent policy not found - statusCode: 404 - description: Not Found - summary: Get a full agent policy - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agent_policies/{agentPolicyId}/outputs: - 
get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/outputs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read. - operationId: get-fleet-agent-policies-agentpolicyid-outputs - parameters: - - in: path - name: agentPolicyId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getAgentPolicyOutputsExample: - description: Outputs associated with the agent policy - value: - item: - data_output: - id: output-id-1 - name: Default output - type: elasticsearch - monitoring_output: - id: output-id-1 - name: Default output - type: elasticsearch - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - agentPolicyId: - type: string - data: - additionalProperties: false - type: object - properties: - integrations: - items: - additionalProperties: false - type: object - properties: - id: - type: string - integrationPolicyName: - type: string - name: - type: string - pkgName: - type: string - maxItems: 1000 - type: array - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - monitoring: - additionalProperties: false - type: object - properties: - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - required: - - monitoring - - data - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: 
- type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID - value: - error: Not Found - message: Agent policy not found - statusCode: 404 - description: Not Found - summary: Get outputs for an agent policy - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agent_policies/delete: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agent_policies/delete
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. - operationId: post-fleet-agent-policies-delete - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postDeleteAgentPolicyRequestExample: - description: Delete an agent policy by ID - value: - agentPolicyId: agent-policy-id-1 - schema: - additionalProperties: false - type: object - properties: - agentPolicyId: - type: string - force: - description: bypass validation checks that can prevent agent policy deletion - type: boolean - required: - - agentPolicyId - responses: - '200': - content: - application/json: - examples: - postDeleteAgentPolicyExample: - description: The agent policy was successfully deleted - value: - id: agent-policy-id-1 - name: My agent policy - schema: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete an agent policy - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agent_policies/outputs: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agent_policies/outputs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read. - operationId: post-fleet-agent-policies-outputs - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postListAgentPolicyOutputsRequestExample: - description: Get outputs for multiple agent policies - value: - ids: - - agent-policy-id-1 - - agent-policy-id-2 - schema: - additionalProperties: false - type: object - properties: - ids: - description: list of package policy ids - items: - type: string - maxItems: 1000 - type: array - required: - - ids - responses: - '200': - content: - application/json: - examples: - postListAgentPolicyOutputsExample: - description: Outputs associated with the requested agent policies - value: - items: - - agent_policy_id: agent-policy-id-1 - data_output: - id: output-id-1 - name: Default output - type: elasticsearch - monitoring_output: - id: output-id-1 - name: Default output - type: elasticsearch - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - agentPolicyId: - type: string - data: - additionalProperties: false - type: object - properties: - integrations: - items: - additionalProperties: false - type: object - properties: - id: - type: string - integrationPolicyName: - type: string - name: - type: string - pkgName: - type: string - maxItems: 1000 - type: array - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - monitoring: - additionalProperties: false - type: object - properties: - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - 
required: - - monitoring - - data - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get outputs for agent policies - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agent_status: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agent_status
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a summary of agent statuses for a given agent policy. - operationId: get-fleet-agent-status - parameters: - - in: query - name: policyId - required: false - schema: - type: string - - in: query - name: policyIds - required: false - schema: - items: - type: string - maxItems: 1000 - type: array - - in: query - name: kuery - required: false - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getAgentStatusExample: - description: Agent status summary for an agent policy - value: - results: - error: 1 - offline: 2 - online: 5 - other: 0 - updating: 0 - totalInactive: 0 - schema: - additionalProperties: false - type: object - properties: - results: - additionalProperties: false - type: object - properties: - active: - type: number - all: - type: number - error: - type: number - events: - type: number - inactive: - type: number - offline: - type: number - online: - type: number - orphaned: - type: number - other: - type: number - unenrolled: - type: number - uninstalled: - type: number - updating: - type: number - required: - - events - - online - - error - - offline - - other - - updating - - inactive - - unenrolled - - all - - active - required: - - results - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get an agent status summary - tags: - - Elastic Agent status - x-metaTags: - - content: 
Kibana - name: product_name - /api/fleet/agent_status/data: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agent_status/data
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the data streams that an agent is actively sending data to.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agent-status-data - parameters: - - in: query - name: agentsIds - required: true - schema: - items: - type: string - maxItems: 10000 - type: array - - in: query - name: pkgName - required: false - schema: - type: string - - in: query - name: pkgVersion - required: false - schema: - type: string - - in: query - name: previewData - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - getAgentDataExample: - description: Data streams the agent is actively sending data to - value: - items: - - data: - logs-nginx.access-default: - - id: agent-id-1 - name: my-host - total: 1 - totalMonitoring: 0 - schema: - additionalProperties: false - type: object - properties: - dataPreview: - items: - nullable: true - maxItems: 10000 - type: array - items: - items: - additionalProperties: - additionalProperties: false - type: object - properties: - data: - type: boolean - required: - - data - type: object - maxItems: 10000 - type: array - required: - - items - - dataPreview - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get incoming agent data - tags: - - Elastic Agents - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agentless_policies: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agentless_policies
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create an agentless policy - operationId: post-fleet-agentless-policies - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The format of the response package policy. - in: query - name: format - required: false - schema: - default: simplified - enum: - - legacy - - simplified - type: string - requestBody: - content: - application/json: - examples: - createAgentlessPoliciesRequestExample: - description: Example request to create agentless policies - value: - description: test - inputs: - ESS Billing-cel: - enabled: true - streams: - ess_billing.billing: - enabled: true - vars: - hide_sensitive: true - http_client_timeout: 30s - lookbehind: 365 - tags: - - forwarded - - billing - ess_billing.credits: - enabled: false - vars: - api_key: - organization_id: '1234' - name: ess_billing-1 - namespace: default - package: - name: ess_billing - version: 1.6.0 - createAgentlessPoliciesReuseAWSCloudConnectorExample: - description: Example request to create agentless policy reusing an existing AWS cloud connector - value: - cloud_connector: - cloud_connector_id: existing-aws-connector-id - target_csp: aws - description: CSPM integration for AWS reusing existing cloud connector - inputs: - cspm-cloudbeat/cis_aws: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - aws.account_type: organization-account - aws.credentials.type: cloud_connector - aws.supports_cloud_connectors: true - external_id: - id: ABCDEFGHIJKLMNOPQRST - isSecretRef: true - role_arn: arn:aws:iam::123456789012:role/TestRole - vars: - cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml - 
cspm-cloudbeat/cis_azure: - enabled: false - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-aws-reuse-policy - namespace: default - package: - name: cloud_security_posture - version: 3.1.1 - vars: - deployment: aws - posture: cspm - createAgentlessPoliciesWithAWSCloudConnectorExample: - description: Example request to create agentless policy with AWS cloud connector - value: - cloud_connector: - target_csp: aws - description: CSPM integration for AWS with cloud connector - inputs: - cspm-cloudbeat/cis_aws: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - aws.account_type: organization-account - aws.credentials.type: cloud_connector - aws.supports_cloud_connectors: true - external_id: - id: ABCDEFGHIJKLMNOPQRST - isSecretRef: true - role_arn: arn:aws:iam::123456789012:role/TestRole - vars: - cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml - cspm-cloudbeat/cis_azure: - enabled: false - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-aws-policy - namespace: default - package: - name: cloud_security_posture - version: 3.1.1 - vars: - deployment: aws - posture: cspm - createAgentlessPoliciesWithAzureCloudConnectorExample: - description: Example request to create agentless policy with Azure cloud connector - value: - cloud_connector: - target_csp: azure - description: CSPM integration for Azure with cloud connector - inputs: - cspm-cloudbeat/cis_aws: - enabled: false - cspm-cloudbeat/cis_azure: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - azure_credentials_cloud_connector_id: - type: text - value: existing-azure-credentials-connector-id - azure.account_type: organization-account - client_id: - id: client-secret-id - isSecretRef: true - tenant_id: - id: tenant-secret-id - isSecretRef: true - cspm-cloudbeat/cis_gcp: - 
enabled: false - name: cspm-azure-policy - namespace: default - package: - name: cloud_security_posture - version: 3.1.1 - vars: - deployment: azure - posture: cspm - schema: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 100 - nullable: true - type: array - cloud_connector: - additionalProperties: false - type: object - properties: - cloud_connector_id: - description: ID of an existing cloud connector to reuse. If not provided, a new connector will be created. - type: string - enabled: - default: false - description: Whether cloud connectors are enabled for this policy. - type: boolean - name: - description: Optional name for the cloud connector. If not provided, will be auto-generated from credentials. - maxLength: 255 - minLength: 1 - type: string - target_csp: - description: Target cloud service provider. If not provided, will be auto-detected from inputs. - enum: - - aws - - azure - - gcp - type: string - description: - description: Policy description. - type: string - force: - description: Force package policy creation even if the package is not verified, or if the agent policy is managed. - type: boolean - id: - description: Policy unique identifier. - type: string - inputs: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). 
- type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - name: - description: Unique name for the policy. - type: string - namespace: - description: Policy namespace. 
When not specified, it inherits the agent policy namespace. - type: string - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - policy_template: - description: The policy template to use for the agentless package policy. If not provided, the default policy template will be used. - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. 
- type: object - required: - - name - - package - responses: - '200': - content: - application/json: - examples: - createAgentlessPoliciesResponseExample: - description: Example response showing the successful result of communication initialisation over MCP protocol - value: - item: - created_at: '2025-11-06T18:27:43.541Z' - created_by: test_user - description: test - enabled: true - id: d52a7812-5736-4fdc-aed8-72152afa1ffa - inputs: - ESS Billing-cel: - enabled: true - streams: - ess_billing.billing: - enabled: true - vars: - hide_sensitive: true - http_client_timeout: 30s - lookbehind: 365 - tags: - - forwarded - - billing - ess_billing.credits: - enabled: false - vars: - api_key: - id: QY1sWpoBbWcMW-edr0Ee - isSecretRef: true - organization_id: '1234' - url: https://billing.elastic-cloud.com - name: ess_billing-1 - namespace: default - package: - name: ess_billing - title: Elasticsearch Service Billing - version: 1.6.0 - revision: 1 - secret_references: - - id: QY1sWpoBbWcMW-edr0Ee - supports_agentless: true - updated_at: '2025-11-06T18:27:43.541Z' - updated_by: test_user - version: WzE0OTgsMV0= - createAgentlessPoliciesWithAWSCloudConnectorResponseExample: - description: Example response for AWS cloud connector integration - value: - item: - cloud_connector_id: aws-connector-67890 - created_at: '2025-11-06T18:27:43.541Z' - created_by: test_user - description: CSPM integration for AWS with cloud connector - enabled: true - id: aws-policy-12345 - inputs: - cspm-cloudbeat/cis_aws: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - aws.account_type: organization-account - aws.credentials.type: cloud_connector - external_id: - id: secret-external-id-123 - isSecretRef: true - role_arn: arn:aws:iam::123456789012:role/TestRole - vars: - cloud_formation_template: 
https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml - cspm-cloudbeat/cis_azure: - enabled: false - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-aws-policy - namespace: default - package: - name: cloud_security_posture - title: Cloud Security Posture Management - version: 3.1.1 - revision: 1 - secret_references: - - id: secret-external-id-123 - supports_agentless: true - supports_cloud_connector: true - updated_at: '2025-11-06T18:27:43.541Z' - updated_by: test_user - vars: - deployment: aws - posture: cspm - version: WzE0OTgsMV0= - createAgentlessPoliciesWithAzureCloudConnectorResponseExample: - description: Example response for Azure cloud connector integration - value: - item: - cloud_connector_id: azure-connector-67890 - created_at: '2025-11-06T18:27:43.541Z' - created_by: test_user - description: CSPM integration for Azure with cloud connector - enabled: true - id: azure-policy-12345 - inputs: - cspm-cloudbeat/cis_aws: - enabled: false - cspm-cloudbeat/cis_azure: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - azure_credentials_cloud_connector_id: - type: text - value: existing-azure-credentials-connector-id - azure.account_type: organization-account - client_id: - id: client-secret-id-456 - isSecretRef: true - tenant_id: - id: tenant-secret-id-123 - isSecretRef: true - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-azure-policy - namespace: default - package: - name: cloud_security_posture - title: Cloud Security Posture Management - version: 3.1.1 - revision: 1 - secret_references: - - id: tenant-secret-id-123 - - id: client-secret-id-456 - supports_agentless: true - supports_cloud_connector: true - updated_at: '2025-11-06T18:27:43.541Z' - updated_by: test_user - vars: - deployment: azure - posture: cspm - version: WzE0OTgsMV0= - schema: - additionalProperties: false - type: 
object - properties: - item: - additionalProperties: false - description: The created agentless package policy. - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - id: - description: Package policy unique identifier. 
- type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - 
release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). 
- type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. 
- is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. 
- type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - required: - - item - description: Indicates a successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '409': - content: - application/json: - examples: - conflictErrorResponseExample: - description: Example of a conflict error response - value: - error: Conflict - message: An error message describing what went wrong - statusCode: 409 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Conflict - summary: Create an agentless policy - tags: - - Fleet agentless policies - x-state: Technical Preview; added in 9.3.0 - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agentless_policies/{policyId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/agentless_policies/{policyId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete an agentless policy - operationId: delete-fleet-agentless-policies-policyid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the policy to delete. - in: path - name: policyId - required: true - schema: - type: string - - description: Force delete the policy even if the policy is managed. - in: query - name: force - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - createAgentlessPoliciesResponseExample: - description: Example response showing the successful result of communication initialisation over MCP protocol - value: - item: - id: d52a7812-5736-4fdc-aed8-72152afa1ffa - schema: - additionalProperties: false - description: Response for deleting an agentless package policy. - type: object - properties: - id: - description: The ID of the deleted agentless package policy. 
- type: string - required: - - id - description: Indicates a successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '409': - content: - application/json: - examples: - conflictErrorResponseExample: - description: Example of a conflict error response - value: - error: Conflict - message: An error message describing what went wrong - statusCode: 409 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Conflict - summary: Delete an agentless policy - tags: - - Fleet agentless policies - x-state: Technical Preview; added in 9.3.0 - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agents: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agents
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List agents, with optional filtering and pagination.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents - parameters: - - in: query - name: page - required: false - schema: - type: number - - in: query - name: perPage - required: false - schema: - default: 20 - type: number - - in: query - name: kuery - required: false - schema: - type: string - - in: query - name: showAgentless - required: false - schema: - default: true - type: boolean - - in: query - name: showInactive - required: false - schema: - default: false - type: boolean - - in: query - name: withMetrics - required: false - schema: - default: false - type: boolean - - in: query - name: showUpgradeable - required: false - schema: - default: false - type: boolean - - in: query - name: getStatusSummary - required: false - schema: - default: false - type: boolean - - in: query - name: sortField - required: false - schema: - type: string - - in: query - name: sortOrder - required: false - schema: - enum: - - asc - - desc - type: string - - in: query - name: searchAfter - required: false - schema: - type: string - - in: query - name: openPit - required: false - schema: - type: boolean - - in: query - name: pitId - required: false - schema: - type: string - - in: query - name: pitKeepAlive - required: false - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getAgentsExample: - description: List of agents - value: - items: - - active: true - enrolled_at: '2024-01-01T00:00:00.000Z' - id: agent-id-1 - policy_id: agent-policy-id-1 - policy_revision: 1 - status: online - type: PERMANENT - updated_at: '2024-01-01T00:00:00.000Z' - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - access_api_key: - type: string - access_api_key_id: - type: string - active: - type: boolean - agent: - additionalProperties: true - type: object - properties: - id: - type: 
string - type: - type: string - version: - type: string - required: - - id - - version - audit_unenrolled_reason: - type: string - capabilities: - items: - type: string - maxItems: 100 - type: array - components: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - type: string - units: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - payload: - additionalProperties: - nullable: true - type: object - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - enum: - - input - - output - - '' - type: string - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - default_api_key: - type: string - default_api_key_history: - items: - additionalProperties: false - deprecated: true - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - default_api_key_id: - type: string - effective_config: - nullable: true - enrolled_at: - type: string - health: - additionalProperties: - nullable: true - type: object - id: - type: string - identifying_attributes: - additionalProperties: - type: string - type: object - last_checkin: - type: string - last_checkin_message: - type: string - last_checkin_status: - enum: - - error - - online - - degraded - - updating - - starting - - disconnected - type: string - last_known_status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - local_metadata: - additionalProperties: - nullable: true - type: 
object - metrics: - additionalProperties: false - type: object - properties: - cpu_avg: - type: number - memory_size_byte_avg: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - non_identifying_attributes: - additionalProperties: - type: string - type: object - outputs: - additionalProperties: - additionalProperties: false - type: object - properties: - api_key_id: - type: string - to_retire_api_key_ids: - items: - additionalProperties: false - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - type: - type: string - type: object - packages: - items: - type: string - maxItems: 10000 - type: array - policy_id: - type: string - policy_revision: - nullable: true - type: number - sequence_num: - type: number - sort: - items: - nullable: true - maxItems: 10 - type: array - status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - tags: - items: - type: string - maxItems: 100 - type: array - type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - - OPAMP - type: string - unenrolled_at: - type: string - unenrollment_started_at: - type: string - unhealthy_reason: - items: - enum: - - input - - output - - other - type: string - maxItems: 3 - nullable: true - type: array - upgrade: - additionalProperties: false - type: object - properties: - rollbacks: - items: - additionalProperties: false - type: object - properties: - valid_until: - type: string - version: - type: string - required: - - valid_until - - version - maxItems: 100 - type: array - upgrade_attempts: - items: - type: string - maxItems: 10000 - nullable: true - type: array - upgrade_details: - additionalProperties: false - nullable: true - type: object - properties: - action_id: - type: string - metadata: - additionalProperties: false - type: object - properties: - 
download_percent: - type: number - download_rate: - type: number - error_msg: - type: string - failed_state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - reason: - type: string - retry_error_msg: - type: string - retry_until: - type: string - scheduled_at: - type: string - state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - target_version: - type: string - required: - - target_version - - action_id - - state - upgrade_started_at: - nullable: true - type: string - upgraded_at: - nullable: true - type: string - user_provided_metadata: - additionalProperties: - nullable: true - type: object - required: - - id - - packages - - type - - active - - enrolled_at - - local_metadata - - effective_config - maxItems: 10000 - type: array - nextSearchAfter: - type: string - page: - type: number - perPage: - type: number - pit: - type: string - statusSummary: - additionalProperties: - type: number - type: object - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get agents - tags: - - Elastic Agents - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and 
path for this operation:** - -
post /s/{space_id}/api/fleet/agents
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve agents associated with specific action IDs.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: post-fleet-agents - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postGetAgentsByActionsRequestExample: - description: Retrieve agents associated with specific action IDs - value: - actionIds: - - action-id-1 - - action-id-2 - schema: - additionalProperties: false - type: object - properties: - actionIds: - items: - type: string - maxItems: 1000 - type: array - required: - - actionIds - responses: - '200': - content: - application/json: - examples: - postGetAgentsByActionsExample: - description: Agents associated with the given actions - value: - items: - - active: true - id: agent-id-1 - policy_id: agent-policy-id-1 - status: online - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - type: string - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get agents by action ids - tags: - - Elastic Agents - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agents/{agentId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/agents/{agentId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: delete-fleet-agents-agentid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: agentId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - deleteAgentExample: - description: Agent successfully deleted - value: - id: agent-id-1 - success: true - schema: - additionalProperties: false - type: object - properties: - action: - enum: - - deleted - type: string - required: - - action - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent was found with the given ID - value: - error: Not Found - message: Agent agent-id-1 not found - statusCode: 404 - description: Not Found - summary: Delete an agent - tags: - - Elastic Agents - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agents/{agentId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get an agent by ID.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-agentid - parameters: - - in: path - name: agentId - required: true - schema: - type: string - - in: query - name: withMetrics - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - getAgentExample: - description: Agent details - value: - item: - active: true - agent_id: agent-id-1 - enrolled_at: '2024-01-01T00:00:00.000Z' - id: agent-id-1 - local_metadata: - elastic: - agent: - version: 8.17.0 - host: - hostname: my-host - os: - name: linux - policy_id: agent-policy-id-1 - policy_revision: 1 - status: online - type: PERMANENT - updated_at: '2024-01-01T00:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - access_api_key: - type: string - access_api_key_id: - type: string - active: - type: boolean - agent: - additionalProperties: true - type: object - properties: - id: - type: string - type: - type: string - version: - type: string - required: - - id - - version - audit_unenrolled_reason: - type: string - capabilities: - items: - type: string - maxItems: 100 - type: array - components: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - type: string - units: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - payload: - additionalProperties: - nullable: true - type: object - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - enum: - - input - - output - - '' - type: string - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - 
required: - - id - - type - - status - - message - maxItems: 10000 - type: array - default_api_key: - type: string - default_api_key_history: - items: - additionalProperties: false - deprecated: true - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - default_api_key_id: - type: string - effective_config: - nullable: true - enrolled_at: - type: string - health: - additionalProperties: - nullable: true - type: object - id: - type: string - identifying_attributes: - additionalProperties: - type: string - type: object - last_checkin: - type: string - last_checkin_message: - type: string - last_checkin_status: - enum: - - error - - online - - degraded - - updating - - starting - - disconnected - type: string - last_known_status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - local_metadata: - additionalProperties: - nullable: true - type: object - metrics: - additionalProperties: false - type: object - properties: - cpu_avg: - type: number - memory_size_byte_avg: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - non_identifying_attributes: - additionalProperties: - type: string - type: object - outputs: - additionalProperties: - additionalProperties: false - type: object - properties: - api_key_id: - type: string - to_retire_api_key_ids: - items: - additionalProperties: false - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - type: - type: string - type: object - packages: - items: - type: string - maxItems: 10000 - type: array - policy_id: - type: string - policy_revision: - nullable: true - type: number - sequence_num: - type: number - sort: - items: - nullable: true - maxItems: 10 - type: array - status: - enum: - - offline - 
- error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - tags: - items: - type: string - maxItems: 100 - type: array - type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - - OPAMP - type: string - unenrolled_at: - type: string - unenrollment_started_at: - type: string - unhealthy_reason: - items: - enum: - - input - - output - - other - type: string - maxItems: 3 - nullable: true - type: array - upgrade: - additionalProperties: false - type: object - properties: - rollbacks: - items: - additionalProperties: false - type: object - properties: - valid_until: - type: string - version: - type: string - required: - - valid_until - - version - maxItems: 100 - type: array - upgrade_attempts: - items: - type: string - maxItems: 10000 - nullable: true - type: array - upgrade_details: - additionalProperties: false - nullable: true - type: object - properties: - action_id: - type: string - metadata: - additionalProperties: false - type: object - properties: - download_percent: - type: number - download_rate: - type: number - error_msg: - type: string - failed_state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - reason: - type: string - retry_error_msg: - type: string - retry_until: - type: string - scheduled_at: - type: string - state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - target_version: - type: string - required: - - target_version - - action_id - - state - upgrade_started_at: - nullable: true - type: string - upgraded_at: - nullable: true - type: string - user_provided_metadata: - additionalProperties: - nullable: true - type: object - required: - - id - - packages - - type - - active - - 
enrolled_at - - local_metadata - - effective_config - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent was found with the given ID - value: - error: Not Found - message: Agent agent-id-1 not found - statusCode: 404 - description: Not Found - summary: Get an agent - tags: - - Elastic Agents - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/agents/{agentId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: put-fleet-agents-agentid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: agentId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putAgentRequestExample: - description: Update agent tags - value: - tags: - - production - - linux - schema: - additionalProperties: false - type: object - properties: - tags: - items: - type: string - maxItems: 10 - type: array - user_provided_metadata: - additionalProperties: - nullable: true - type: object - responses: - '200': - content: - application/json: - examples: - putAgentExample: - description: Updated agent details - value: - item: - active: true - enrolled_at: '2024-01-01T00:00:00.000Z' - id: agent-id-1 - policy_id: agent-policy-id-1 - policy_revision: 1 - status: online - tags: - - production - - linux - type: PERMANENT - updated_at: '2024-01-01T00:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - access_api_key: - type: string - access_api_key_id: - type: string - active: - type: boolean - agent: - additionalProperties: true - type: object - properties: - id: - type: string - type: - type: string - version: - type: string - required: - - id - - version - audit_unenrolled_reason: - type: string - capabilities: - items: - type: string - maxItems: 100 - type: array - components: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - type: string - units: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: 
string - payload: - additionalProperties: - nullable: true - type: object - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - enum: - - input - - output - - '' - type: string - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - default_api_key: - type: string - default_api_key_history: - items: - additionalProperties: false - deprecated: true - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - default_api_key_id: - type: string - effective_config: - nullable: true - enrolled_at: - type: string - health: - additionalProperties: - nullable: true - type: object - id: - type: string - identifying_attributes: - additionalProperties: - type: string - type: object - last_checkin: - type: string - last_checkin_message: - type: string - last_checkin_status: - enum: - - error - - online - - degraded - - updating - - starting - - disconnected - type: string - last_known_status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - local_metadata: - additionalProperties: - nullable: true - type: object - metrics: - additionalProperties: false - type: object - properties: - cpu_avg: - type: number - memory_size_byte_avg: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - non_identifying_attributes: - additionalProperties: - type: string - type: object - outputs: - additionalProperties: - additionalProperties: false - type: object - properties: - api_key_id: - type: string - to_retire_api_key_ids: - items: - additionalProperties: false - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at 
- maxItems: 100 - type: array - type: - type: string - type: object - packages: - items: - type: string - maxItems: 10000 - type: array - policy_id: - type: string - policy_revision: - nullable: true - type: number - sequence_num: - type: number - sort: - items: - nullable: true - maxItems: 10 - type: array - status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - tags: - items: - type: string - maxItems: 100 - type: array - type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - - OPAMP - type: string - unenrolled_at: - type: string - unenrollment_started_at: - type: string - unhealthy_reason: - items: - enum: - - input - - output - - other - type: string - maxItems: 3 - nullable: true - type: array - upgrade: - additionalProperties: false - type: object - properties: - rollbacks: - items: - additionalProperties: false - type: object - properties: - valid_until: - type: string - version: - type: string - required: - - valid_until - - version - maxItems: 100 - type: array - upgrade_attempts: - items: - type: string - maxItems: 10000 - nullable: true - type: array - upgrade_details: - additionalProperties: false - nullable: true - type: object - properties: - action_id: - type: string - metadata: - additionalProperties: false - type: object - properties: - download_percent: - type: number - download_rate: - type: number - error_msg: - type: string - failed_state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - reason: - type: string - retry_error_msg: - type: string - retry_until: - type: string - scheduled_at: - type: string - state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: 
string - target_version: - type: string - required: - - target_version - - action_id - - state - upgrade_started_at: - nullable: true - type: string - upgraded_at: - nullable: true - type: string - user_provided_metadata: - additionalProperties: - nullable: true - type: object - required: - - id - - packages - - type - - active - - enrolled_at - - local_metadata - - effective_config - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent was found with the given ID - value: - error: Not Found - message: Agent agent-id-1 not found - statusCode: 404 - description: Not Found - summary: Update an agent by ID - tags: - - Elastic Agents - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agents/{agentId}/actions: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/{agentId}/actions
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new action for a specific agent.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-actions - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: agentId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postAgentActionRequestExample: - description: Create a UNENROLL action for an agent - value: - action: - type: UNENROLL - schema: - additionalProperties: false - type: object - properties: - action: - anyOf: - - additionalProperties: false - type: object - properties: - ack_data: - nullable: true - data: - nullable: true - type: - enum: - - UNENROLL - - UPGRADE - - POLICY_REASSIGN - type: string - required: - - type - - data - - ack_data - - additionalProperties: false - type: object - properties: - data: - additionalProperties: false - type: object - properties: - log_level: - enum: - - debug - - info - - warning - - error - nullable: true - type: string - required: - - log_level - type: - enum: - - SETTINGS - type: string - required: - - type - - data - required: - - action - responses: - '200': - content: - application/json: - examples: - postAgentActionExample: - description: Created agent action - value: - item: - agents: - - agent-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: action-id-1 - type: UNENROLL - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - ack_data: - nullable: true - agents: - items: - type: string - maxItems: 10000 - type: array - created_at: - type: string - data: - nullable: true - expiration: - type: string - id: - type: string - minimum_execution_duration: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - rollout_duration_seconds: - type: number - sent_at: - type: string - source_uri: - type: string 
- start_time: - type: string - total: - type: number - type: - type: string - required: - - id - - type - - data - - created_at - - ack_data - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create an agent action - tags: - - Elastic Agent actions - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agents/{agentId}/effective_config: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agents/{agentId}/effective_config
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get an agent's effective config by ID.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-agentid-effective-config - parameters: - - description: The agent ID to get effective config of - in: path - name: agentId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - successResponse: - value: - effective_config: {} - schema: - additionalProperties: false - type: object - properties: - effective_config: - nullable: true - required: - - effective_config - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - badRequestResponse: - value: - message: Bad Request - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Get an agent's effective config - tags: - - Elastic Agents - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agents/{agentId}/migrate: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/{agentId}/migrate
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Migrate a single agent to another cluster.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-migrate - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: agentId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postMigrateAgentRequestExample: - description: Migrate a single agent to another cluster - value: - enrollment_token: enrollment-token-value - settings: - retry_max: 5 - uri: https://fleet-server.example.com:8220 - schema: - additionalProperties: false - type: object - properties: - enrollment_token: - type: string - settings: - additionalProperties: false - type: object - properties: - ca_sha256: - type: string - certificate_authorities: - type: string - elastic_agent_cert: - type: string - elastic_agent_cert_key: - type: string - elastic_agent_cert_key_passphrase: - type: string - headers: - additionalProperties: - type: string - type: object - insecure: - type: boolean - proxy_disabled: - type: boolean - proxy_headers: - additionalProperties: - type: string - type: object - proxy_url: - type: string - replace_token: - type: string - staging: - type: string - tags: - items: - type: string - maxItems: 10 - type: array - uri: - format: uri - type: string - required: - - uri - - enrollment_token - responses: - '200': - content: - application/json: - examples: - postMigrateAgentExample: - description: Agent migration initiated - value: - actionId: action-id-1 - schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: 
- additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Migrate a single agent - tags: - - Elastic Agents - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agents/{agentId}/privilege_level_change: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/{agentId}/privilege_level_change
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Change the privilege level of a single agent to unprivileged.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-privilege-level-change - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The agent ID to change privilege level for - in: path - name: agentId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - changeAgentPrivilegeLevelRequest: - value: - user_info: - groupname: groupname - password: password - username: username - schema: - additionalProperties: false - nullable: true - type: object - properties: - user_info: - additionalProperties: false - type: object - properties: - groupname: - type: string - password: - type: string - username: - type: string - responses: - '200': - content: - application/json: - examples: - successResponse: - value: - actionId: actionId - schema: - anyOf: - - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - badRequestResponse: - value: - message: Bad Request - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Change agent privilege level - tags: - - Elastic Agents - x-state: Technical Preview; added in 9.3.0 - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agents/{agentId}/reassign: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/{agentId}/reassign
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Reassign an agent to a different agent policy.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-reassign - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: agentId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postReassignAgentRequestExample: - description: Reassign an agent to a different policy - value: - policy_id: agent-policy-id-2 - schema: - additionalProperties: false - type: object - properties: - policy_id: - type: string - required: - - policy_id - responses: - '200': - content: - application/json: - examples: - postReassignAgentExample: - description: Agent successfully reassigned - value: {} - schema: - additionalProperties: false - type: object - properties: {} - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Reassign an agent - tags: - - Elastic Agent actions - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agents/{agentId}/request_diagnostics: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/{agentId}/request_diagnostics
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Request a diagnostics bundle from a specific agent.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: post-fleet-agents-agentid-request-diagnostics - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: agentId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postRequestDiagnosticsRequestExample: - description: Request a diagnostics bundle from an agent - value: - additional_metrics: - - CPU - schema: - additionalProperties: false - nullable: true - type: object - properties: - additional_metrics: - items: - enum: - - CPU - type: string - maxItems: 1 - type: array - responses: - '200': - content: - application/json: - examples: - postRequestDiagnosticsExample: - description: Diagnostics action result - value: - actionId: action-id-1 - schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: Agent agent-id-1 does not support request diagnostics action. - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Request agent diagnostics - tags: - - Elastic Agent actions - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agents/{agentId}/rollback: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/{agentId}/rollback
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Rollback an agent to the previous version.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-rollback - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The agent ID to rollback - in: path - name: agentId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - successResponse: - value: - actionId: actionId - schema: - anyOf: - - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - badRequestResponse: - value: - message: Bad Request - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Rollback an agent - tags: - - Elastic Agent actions - x-state: Technical Preview; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agents/{agentId}/unenroll: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/{agentId}/unenroll
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Unenroll a specific agent, optionally revoking its enrollment API key.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-unenroll - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: agentId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postUnenrollAgentRequestExample: - description: Unenroll an agent, optionally revoking the enrollment API key - value: - revoke: false - schema: - additionalProperties: false - nullable: true - type: object - properties: - force: - type: boolean - revoke: - type: boolean - responses: - '200': - content: - application/json: - examples: - postUnenrollAgentExample: - description: Agent successfully unenrolled - value: {} - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - description: Bad Request - summary: Unenroll an agent - tags: - - Elastic Agent actions - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agents/{agentId}/upgrade: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/{agentId}/upgrade
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Upgrade a specific agent to a newer version.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-upgrade - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: agentId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postUpgradeAgentRequestExample: - description: Upgrade an agent to a specific version - value: - version: 8.17.0 - schema: - additionalProperties: false - type: object - properties: - force: - type: boolean - skipRateLimitCheck: - type: boolean - source_uri: - type: string - version: - type: string - required: - - version - responses: - '200': - content: - application/json: - examples: - postUpgradeAgentExample: - description: Agent upgrade initiated - value: {} - schema: - additionalProperties: false - type: object - properties: {} - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Upgrade an agent - tags: - - Elastic Agent actions - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agents/{agentId}/uploads: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agents/{agentId}/uploads
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of files uploaded by a specific agent.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-agentid-uploads - parameters: - - in: path - name: agentId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getAgentUploadsExample: - description: List of files uploaded by the agent - value: - items: - - actionId: action-id-1 - createTime: '2024-01-01T00:00:00.000Z' - filePath: /tmp/diagnostics-2024-01-01.zip - id: file-id-1 - name: diagnostics-2024-01-01.zip - status: READY - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - actionId: - type: string - createTime: - type: string - error: - type: string - filePath: - type: string - id: - type: string - name: - type: string - status: - enum: - - READY - - AWAITING_UPLOAD - - DELETED - - EXPIRED - - IN_PROGRESS - - FAILED - type: string - required: - - id - - name - - filePath - - createTime - - status - - actionId - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get agent uploads - tags: - - Elastic Agents - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agents/action_status: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agents/action_status
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the current status of recent agent actions.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-action-status - parameters: - - in: query - name: page - required: false - schema: - default: 0 - type: number - - in: query - name: perPage - required: false - schema: - default: 20 - type: number - - in: query - name: date - required: false - schema: - type: string - - in: query - name: latest - required: false - schema: - type: number - - in: query - name: errorSize - required: false - schema: - default: 5 - type: number - responses: - '200': - content: - application/json: - examples: - getActionStatusExample: - description: Status of recent agent actions - value: - items: - - actionId: action-id-1 - completionTime: '2024-01-01T00:05:00.000Z' - creationTime: '2024-01-01T00:00:00.000Z' - nbAgentsAck: 2 - nbAgentsActioned: 2 - nbAgentsFailed: 0 - status: COMPLETE - type: UPGRADE - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - actionId: - type: string - cancellationTime: - type: string - completionTime: - type: string - creationTime: - description: creation time of action - type: string - expiration: - type: string - hasRolloutPeriod: - type: boolean - is_automatic: - type: boolean - latestErrors: - items: - additionalProperties: false - description: latest errors that happened when the agents executed the action - type: object - properties: - agentId: - type: string - error: - type: string - hostname: - type: string - timestamp: - type: string - required: - - agentId - - error - - timestamp - maxItems: 10 - type: array - nbAgentsAck: - description: number of agents that acknowledged the action - type: number - nbAgentsActionCreated: - description: number of agents included in action from kibana - type: number - nbAgentsActioned: - description: number of agents actioned - type: number - nbAgentsFailed: - description: number of agents that failed to execute the 
action - type: number - newPolicyId: - description: new policy id (POLICY_REASSIGN action) - type: string - policyId: - description: policy id (POLICY_CHANGE action) - type: string - revision: - description: new policy revision (POLICY_CHANGE action) - type: number - startTime: - description: start time of action (scheduled actions) - type: string - status: - enum: - - COMPLETE - - EXPIRED - - CANCELLED - - FAILED - - IN_PROGRESS - - ROLLOUT_PASSED - type: string - type: - enum: - - UPGRADE - - UNENROLL - - SETTINGS - - POLICY_REASSIGN - - CANCEL - - FORCE_UNENROLL - - REQUEST_DIAGNOSTICS - - UPDATE_TAGS - - POLICY_CHANGE - - INPUT_ACTION - - MIGRATE - - PRIVILEGE_LEVEL_CHANGE - - ROLLBACK - type: string - version: - description: agent version number (UPGRADE action) - type: string - required: - - actionId - - nbAgentsActionCreated - - nbAgentsAck - - nbAgentsFailed - - type - - nbAgentsActioned - - status - - creationTime - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get an agent action status - tags: - - Elastic Agent actions - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agents/actions/{actionId}/cancel: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/actions/{actionId}/cancel
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Cancel a pending action for a specific agent.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-actions-actionid-cancel - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: actionId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postCancelActionRequestExample: - description: Cancel an agent action - value: {} - responses: - '200': - content: - application/json: - examples: - postCancelActionExample: - description: Cancellation action created - value: - item: - agents: - - agent-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: cancel-action-id-1 - type: CANCEL - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - ack_data: - nullable: true - agents: - items: - type: string - maxItems: 10000 - type: array - created_at: - type: string - data: - nullable: true - expiration: - type: string - id: - type: string - minimum_execution_duration: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - rollout_duration_seconds: - type: number - sent_at: - type: string - source_uri: - type: string - start_time: - type: string - total: - type: number - type: - type: string - required: - - id - - type - - data - - created_at - - ack_data - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - 
- message - - attributes - description: Bad Request - summary: Cancel an agent action - tags: - - Elastic Agent actions - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agents/available_versions: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agents/available_versions
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of Elastic Agent versions available for upgrade.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-available-versions - parameters: [] - responses: - '200': - content: - application/json: - examples: - getAvailableVersionsExample: - description: List of available agent versions for upgrade - value: - items: - - 8.17.0 - - 8.16.3 - - 8.16.2 - schema: - additionalProperties: false - type: object - properties: - items: - items: - type: string - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get available agent versions - tags: - - Elastic Agents - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agents/bulk_migrate: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/bulk_migrate
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Bulk migrate agents to another cluster.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-migrate - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkMigrateAgentsRequestExample: - description: Migrate multiple agents to another cluster - value: - agents: - - agent-id-1 - - agent-id-2 - enrollment_token: enrollment-token-value - settings: - retry_max: 5 - uri: https://fleet-server.example.com:8220 - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - enrollment_token: - type: string - settings: - additionalProperties: false - type: object - properties: - ca_sha256: - type: string - certificate_authorities: - type: string - elastic_agent_cert: - type: string - elastic_agent_cert_key: - type: string - elastic_agent_cert_key_passphrase: - type: string - headers: - additionalProperties: - type: string - type: object - insecure: - type: boolean - proxy_disabled: - type: boolean - proxy_headers: - additionalProperties: - type: string - type: object - proxy_url: - type: string - staging: - type: string - tags: - items: - type: string - maxItems: 10 - type: array - uri: - format: uri - type: string - required: - - agents - - uri - - enrollment_token - responses: - '200': - content: - application/json: - examples: - postBulkMigrateAgentsExample: - description: Bulk agent migration initiated - value: - actionId: action-id-1 - schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request 
- message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Migrate multiple agents - tags: - - Elastic Agents - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agents/bulk_privilege_level_change: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/bulk_privilege_level_change
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Change multiple agents' privilege level to unprivileged.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-privilege-level-change - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - bulkChangeAgentPrivilegeLevelRequest: - value: - agents: agent - user_info: - groupname: groupname - password: password - username: username - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - user_info: - additionalProperties: false - type: object - properties: - groupname: - type: string - password: - type: string - username: - type: string - required: - - agents - responses: - '200': - content: - application/json: - examples: - successResponse: - value: - actionId: actionId - schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - badRequestResponse: - value: - message: Bad Request - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Bulk change agent privilege level - tags: - - Elastic Agents - x-state: Technical Preview; added in 9.3.0 - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agents/bulk_reassign: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/bulk_reassign
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Reassign multiple agents to a different agent policy.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-reassign - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkReassignAgentsRequestExample: - description: Reassign multiple agents to a different policy - value: - agents: - - agent-id-1 - - agent-id-2 - policy_id: agent-policy-id-2 - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - includeInactive: - default: false - type: boolean - policy_id: - type: string - required: - - policy_id - - agents - responses: - '200': - content: - application/json: - examples: - postBulkReassignAgentsExample: - description: Bulk reassign action result - value: - actionId: action-id-1 - schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk reassign agents - tags: - - Elastic Agent actions - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agents/bulk_request_diagnostics: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/bulk_request_diagnostics
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Request diagnostics bundles from multiple agents.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: post-fleet-agents-bulk-request-diagnostics - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkRequestDiagnosticsRequestExample: - description: Request diagnostics bundles from multiple agents - value: - additional_metrics: - - CPU - agents: - - agent-id-1 - - agent-id-2 - schema: - additionalProperties: false - type: object - properties: - additional_metrics: - items: - enum: - - CPU - type: string - maxItems: 1 - type: array - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - required: - - agents - responses: - '200': - content: - application/json: - examples: - postBulkRequestDiagnosticsExample: - description: Bulk diagnostics action result - value: - actionId: action-id-1 - schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk request diagnostics from agents - tags: - - Elastic Agent actions - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agents/bulk_rollback: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/bulk_rollback
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Rollback multiple agents to the previous version.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-rollback - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - bulkRollbackAgentsRequest: - value: - agents: - - agent-1 - - agent-2 - batchSize: 100 - includeInactive: false - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - includeInactive: - default: false - type: boolean - required: - - agents - responses: - '200': - content: - application/json: - examples: - successResponse: - value: - actionIds: - - actionId1 - - actionId2 - schema: - additionalProperties: false - type: object - properties: - actionIds: - items: - type: string - maxItems: 10000 - type: array - required: - - actionIds - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - badRequestResponse: - value: - message: Bad Request - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Bulk rollback agents - tags: - - Elastic Agent actions - x-state: Technical Preview; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agents/bulk_unenroll: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/bulk_unenroll
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Unenroll multiple agents, optionally revoking their enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-unenroll - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkUnenrollAgentsRequestExample: - description: Unenroll multiple agents - value: - agents: - - agent-id-1 - - agent-id-2 - revoke: false - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - description: list of agent IDs - type: string - maxItems: 10000 - type: array - - description: KQL query string, leave empty to action all agents - type: string - batchSize: - type: number - force: - description: Unenrolls hosted agents too - type: boolean - includeInactive: - description: When passing agents by KQL query, unenrolls inactive agents too - type: boolean - revoke: - description: Revokes API keys of agents - type: boolean - required: - - agents - responses: - '200': - content: - application/json: - examples: - postBulkUnenrollAgentsExample: - description: Bulk unenroll action result - value: - actionId: action-id-1 - schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk unenroll agents - tags: - - Elastic Agent actions - 
x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agents/bulk_update_agent_tags: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/bulk_update_agent_tags
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Add or remove tags across multiple agents.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-update-agent-tags - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkUpdateAgentTagsRequestExample: - description: Add and remove tags across multiple agents - value: - agents: - - agent-id-1 - - agent-id-2 - tagsToAdd: - - production - tagsToRemove: - - staging - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - includeInactive: - default: false - type: boolean - tagsToAdd: - items: - type: string - maxItems: 10 - type: array - tagsToRemove: - items: - type: string - maxItems: 10 - type: array - required: - - agents - responses: - '200': - content: - application/json: - examples: - postBulkUpdateAgentTagsExample: - description: Bulk action result - value: - actionId: action-id-1 - schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk update agent tags - tags: - - Elastic Agent actions - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agents/bulk_upgrade: - post: - 
description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/bulk_upgrade
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Upgrade multiple agents to a newer version, with optional rollout controls.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-upgrade - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkUpgradeAgentsRequestExample: - description: Upgrade multiple agents to a specific version - value: - agents: - - agent-id-1 - - agent-id-2 - rollout_duration_seconds: 3600 - version: 8.17.0 - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - force: - type: boolean - includeInactive: - default: false - type: boolean - rollout_duration_seconds: - minimum: 600 - type: number - skipRateLimitCheck: - type: boolean - source_uri: - type: string - start_time: - type: string - version: - type: string - required: - - agents - - version - responses: - '200': - content: - application/json: - examples: - postBulkUpgradeAgentsExample: - description: Bulk upgrade action result - value: - actionId: action-id-1 - schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk upgrade agents - tags: - - Elastic Agent actions - x-metaTags: - - content: Kibana - 
name: product_name - /api/fleet/agents/files/{fileId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/agents/files/{fileId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: delete-fleet-agents-files-fileid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: fileId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - deleteAgentUploadFileExample: - description: Uploaded file successfully deleted - value: - deleted: true - id: file-id-1 - schema: - additionalProperties: false - type: object - properties: - deleted: - type: boolean - id: - type: string - required: - - id - - deleted - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete an uploaded file - tags: - - Elastic Agents - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agents/files/{fileId}/{fileName}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agents/files/{fileId}/{fileName}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-files-fileid-filename - parameters: - - in: path - name: fileId - required: true - schema: - type: string - - in: path - name: fileName - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getAgentUploadFileExample: - description: The uploaded file content as a stream - value: - schema: - type: object - description: Successful response — returns the uploaded file content - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get an uploaded file - tags: - - Elastic Agents - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agents/setup: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agents/setup
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the current Fleet setup status, including whether Fleet is ready to enroll agents and which requirements or optional features are missing.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. - operationId: get-fleet-agents-setup - parameters: [] - responses: - '200': - content: - application/json: - examples: - agentsSetupNotReadyExample: - description: Fleet is not ready — a Fleet Server and API keys are required - value: - is_action_secrets_storage_enabled: false - is_secrets_storage_enabled: false - is_space_awareness_enabled: false - is_ssl_secrets_storage_enabled: false - isReady: false - missing_optional_features: - - encrypted_saved_object_encryption_key_required - missing_requirements: - - fleet_server - - api_keys - agentsSetupReadyExample: - description: Fleet is ready to enroll agents — all requirements are met - value: - is_action_secrets_storage_enabled: true - is_secrets_storage_enabled: true - is_space_awareness_enabled: false - is_ssl_secrets_storage_enabled: false - isReady: true - missing_optional_features: [] - missing_requirements: [] - package_verification_key_id: D88DB4CC - schema: - additionalProperties: false - description: A summary of the agent setup status. `isReady` indicates whether the setup is ready. If the setup is not ready, `missing_requirements` lists which requirements are missing. 
- type: object - properties: - is_action_secrets_storage_enabled: - type: boolean - is_secrets_storage_enabled: - type: boolean - is_space_awareness_enabled: - type: boolean - is_ssl_secrets_storage_enabled: - type: boolean - isReady: - type: boolean - missing_optional_features: - items: - enum: - - encrypted_saved_object_encryption_key_required - type: string - maxItems: 1 - type: array - missing_requirements: - items: - enum: - - security_required - - tls_required - - api_keys - - fleet_admin_user - - fleet_server - type: string - maxItems: 5 - type: array - package_verification_key_id: - type: string - required: - - isReady - - missing_requirements - - missing_optional_features - description: Fleet setup status - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get agent setup info - tags: - - Elastic Agents - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agents/setup
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Initialize Fleet. This endpoint is used by Elastic Agents to trigger Fleet setup. Safe to call multiple times; subsequent calls are idempotent.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. - operationId: post-fleet-agents-setup - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - responses: - '200': - content: - application/json: - examples: - agentsSetupSuccessExample: - description: Fleet setup initialized successfully with no non-fatal errors - value: - isInitialized: true - nonFatalErrors: [] - schema: - additionalProperties: false - description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup. - type: object - properties: - isInitialized: - type: boolean - nonFatalErrors: - items: - additionalProperties: false - type: object - properties: - message: - type: string - name: - type: string - required: - - name - - message - maxItems: 10000 - type: array - required: - - isInitialized - - nonFatalErrors - description: Fleet setup completed - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Initiate Fleet setup - tags: - - Elastic Agents - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agents/tags: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agents/tags
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all tags used across enrolled agents.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-tags - parameters: - - in: query - name: kuery - required: false - schema: - type: string - - in: query - name: showInactive - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - getAgentTagsExample: - description: List of tags used across agents - value: - items: - - production - - linux - - datacenter-1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - type: string - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get agent tags - tags: - - Elastic Agents - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/check-permissions: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/check-permissions
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Check whether the current user has the required permissions to use Fleet. Optionally verifies Fleet Server setup privileges. - operationId: get-fleet-check-permissions - parameters: - - in: query - name: fleetServerSetup - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - checkPermissionsMissingPrivilegesExample: - description: The current user is missing Fleet privileges - value: - error: MISSING_PRIVILEGES - success: false - checkPermissionsSuccessExample: - description: The current user has all required Fleet permissions - value: - success: true - schema: - additionalProperties: false - type: object - properties: - error: - enum: - - MISSING_SECURITY - - MISSING_PRIVILEGES - - MISSING_FLEET_SERVER_SETUP_PRIVILEGES - type: string - success: - type: boolean - required: - - success - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Check permissions - tags: - - Fleet internals - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/cloud_connectors: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/cloud_connectors
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all Fleet cloud connectors.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. - operationId: get-fleet-cloud-connectors - parameters: - - description: The page number for pagination. - in: query - name: page - required: false - schema: - type: string - - description: The number of items per page. - in: query - name: perPage - required: false - schema: - type: string - - description: KQL query to filter cloud connectors. - in: query - name: kuery - required: false - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getCloudConnectorsExample: - description: List of Fleet cloud connectors - value: - items: - - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-1 - name: My AWS connector - packagePolicyCount: 2 - updated_at: '2024-01-15T10:00:00.000Z' - vars: {} - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - accountType: - type: string - cloudProvider: - type: string - created_at: - type: string - id: - type: string - name: - type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: - additionalProperties: - nullable: true - type: object - verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: - type: string - required: - - id - - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - 
attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get cloud connectors - tags: - - Fleet cloud connectors - x-state: Technical Preview; added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/cloud_connectors
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new Fleet cloud connector.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. - operationId: post-fleet-cloud-connectors - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postCloudConnectorRequestExample: - description: Create a new AWS cloud connector - value: - accountType: single-account - cloudProvider: aws - name: My AWS connector - vars: {} - schema: - additionalProperties: false - type: object - properties: - accountType: - description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).' - enum: - - single-account - - organization-account - type: string - cloudProvider: - description: 'The cloud provider type: aws, azure, or gcp.' - enum: - - aws - - azure - - gcp - type: string - name: - description: The name of the cloud connector. 
- maxLength: 255 - minLength: 1 - type: string - vars: - additionalProperties: - anyOf: - - maxLength: 1000 - type: string - - type: number - - type: boolean - - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - maxLength: 50 - type: string - value: - anyOf: - - maxLength: 1000 - type: string - - additionalProperties: false - type: object - properties: - id: - maxLength: 255 - type: string - isSecretRef: - type: boolean - required: - - isSecretRef - - id - required: - - type - - value - type: object - required: - - name - - cloudProvider - - vars - responses: - '200': - content: - application/json: - examples: - postCloudConnectorExample: - description: The created Fleet cloud connector - value: - item: - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-2 - name: My AWS connector - packagePolicyCount: 0 - updated_at: '2024-01-15T10:00:00.000Z' - vars: {} - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - accountType: - type: string - cloudProvider: - type: string - created_at: - type: string - id: - type: string - name: - type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: - additionalProperties: - nullable: true - type: object - verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: - type: string - required: - - id - - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - 
type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create cloud connector - tags: - - Fleet cloud connectors - x-state: Technical Preview; added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/cloud_connectors/{cloudConnectorId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a cloud connector by ID. Use the `force` query parameter to delete even if package policies are still using it.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. - operationId: delete-fleet-cloud-connectors-cloudconnectorid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the cloud connector to delete. - in: path - name: cloudConnectorId - required: true - schema: - type: string - - description: If true, forces deletion even if the cloud connector is in use. - in: query - name: force - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - deleteCloudConnectorExample: - description: The cloud connector was successfully deleted - value: - id: cloud-connector-id-1 - schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete cloud connector (supports force deletion) - tags: - - Fleet cloud connectors - x-state: Technical Preview; added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a cloud connector by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. - operationId: get-fleet-cloud-connectors-cloudconnectorid - parameters: - - description: The unique identifier of the cloud connector. - in: path - name: cloudConnectorId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getCloudConnectorExample: - description: A Fleet cloud connector - value: - item: - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-1 - name: My AWS connector - packagePolicyCount: 2 - updated_at: '2024-01-15T10:00:00.000Z' - vars: {} - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - accountType: - type: string - cloudProvider: - type: string - created_at: - type: string - id: - type: string - name: - type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: - additionalProperties: - nullable: true - type: object - verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: - type: string - required: - - id - - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get cloud connector - tags: - - Fleet cloud 
connectors - x-state: Technical Preview; added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a cloud connector by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. - operationId: put-fleet-cloud-connectors-cloudconnectorid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the cloud connector to update. - in: path - name: cloudConnectorId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putCloudConnectorRequestExample: - description: Update a Fleet cloud connector - value: - name: Updated AWS connector - vars: {} - schema: - additionalProperties: false - type: object - properties: - accountType: - description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).' - enum: - - single-account - - organization-account - type: string - name: - description: The name of the cloud connector. - maxLength: 255 - minLength: 1 - type: string - vars: - additionalProperties: - anyOf: - - maxLength: 1000 - type: string - - type: number - - type: boolean - - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - maxLength: 50 - type: string - value: - anyOf: - - maxLength: 1000 - type: string - - additionalProperties: false - type: object - properties: - id: - maxLength: 255 - type: string - isSecretRef: - type: boolean - required: - - isSecretRef - - id - required: - - type - - value - type: object - responses: - '200': - content: - application/json: - examples: - putCloudConnectorExample: - description: The updated Fleet cloud connector - value: - item: - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-1 - name: Updated AWS connector - packagePolicyCount: 2 - updated_at: '2024-01-15T11:00:00.000Z' - vars: {} - schema: - additionalProperties: false - type: object - 
properties: - item: - additionalProperties: false - type: object - properties: - accountType: - type: string - cloudProvider: - type: string - created_at: - type: string - id: - type: string - name: - type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: - additionalProperties: - nullable: true - type: object - verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: - type: string - required: - - id - - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Update cloud connector - tags: - - Fleet cloud connectors - x-state: Technical Preview; added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/cloud_connectors/{cloudConnectorId}/usage: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}/usage
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of package policies that are using a given cloud connector.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. - operationId: get-fleet-cloud-connectors-cloudconnectorid-usage - parameters: - - description: The unique identifier of the cloud connector. - in: path - name: cloudConnectorId - required: true - schema: - type: string - - description: The page number for pagination. - in: query - name: page - required: false - schema: - minimum: 1 - type: number - - description: The number of items per page. - in: query - name: perPage - required: false - schema: - minimum: 1 - type: number - responses: - '200': - content: - application/json: - examples: - getCloudConnectorUsageResponseExample: - description: Example response showing package policies using the cloud connector - value: - items: - - created_at: '2025-01-16T09:00:00.000Z' - id: package-policy-1 - name: CSPM AWS Policy - package: - name: cloud_security_posture - title: Cloud Security Posture Management - version: 3.1.1 - policy_ids: - - policy-id-123 - - policy-id-456 - updated_at: '2025-01-16T09:00:00.000Z' - page: 1 - perPage: 20 - total: 2 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - created_at: - type: string - id: - type: string - name: - type: string - package: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version: - type: string - required: - - name - - title - - version - policy_ids: - items: - type: string - maxItems: 10000 - type: array - updated_at: - type: string - required: - - id - - name - - policy_ids - - created_at - - updated_at - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: 'OK: A successful request.' 
- '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: Cloud connector not found - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Get cloud connector usage (package policies using the connector) - tags: - - Fleet cloud connectors - x-state: Technical Preview; added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/data_streams: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/data_streams
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all Fleet-managed data streams with metadata including package, namespace, size, and last activity.

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. - operationId: get-fleet-data-streams - parameters: [] - responses: - '200': - content: - application/json: - examples: - getDataStreamsExample: - description: List of Fleet-managed data streams - value: - data_streams: - - dashboards: - - id: nginx-overview - title: Nginx Overview - dataset: nginx.access - index: logs-nginx.access-default - last_activity_ms: 1700000000000 - namespace: default - package: nginx - package_version: 1.20.0 - serviceDetails: null - size_in_bytes: 1048576 - size_in_bytes_formatted: 1mb - type: logs - - dashboards: [] - dataset: system.cpu - index: metrics-system.cpu-default - last_activity_ms: 1699999000000 - namespace: default - package: system - package_version: 1.38.0 - serviceDetails: null - size_in_bytes: 524288 - size_in_bytes_formatted: 512kb - type: metrics - schema: - additionalProperties: false - type: object - properties: - data_streams: - items: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - title: - type: string - required: - - id - - title - maxItems: 10000 - type: array - dataset: - type: string - index: - type: string - last_activity_ms: - type: number - namespace: - type: string - package: - type: string - package_version: - type: string - serviceDetails: - additionalProperties: false - nullable: true - type: object - properties: - environment: - type: string - serviceName: - type: string - required: - - environment - - serviceName - size_in_bytes: - type: number - size_in_bytes_formatted: - anyOf: - - type: number - - type: string - type: - type: string - required: - - index - - dataset - - namespace - - type - - package - - package_version - - last_activity_ms - - size_in_bytes - - size_in_bytes_formatted - - dashboards - - serviceDetails - maxItems: 10000 - type: array - required: - 
- data_streams - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get data streams - tags: - - Data streams - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/enrollment_api_keys: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/enrollment_api_keys
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup. - operationId: get-fleet-enrollment-api-keys - parameters: - - in: query - name: page - required: false - schema: - default: 1 - type: number - - in: query - name: perPage - required: false - schema: - default: 20 - type: number - - in: query - name: kuery - required: false - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getEnrollmentApiKeysExample: - description: List of enrollment API keys - value: - items: - - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: Default policy enrollment key - policy_id: policy-id-1 - list: - - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: Default policy enrollment key - policy_id: policy-id-1 - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - active: - description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. - type: boolean - api_key: - description: The enrollment API key (token) used for enrolling Elastic Agents. - type: string - api_key_id: - description: The ID of the API key in the Security API. - type: string - created_at: - type: string - hidden: - type: boolean - id: - type: string - name: - description: The name of the enrollment API key. - type: string - policy_id: - description: The ID of the agent policy the Elastic Agent will be enrolled in. 
- type: string - required: - - id - - api_key_id - - api_key - - active - - created_at - maxItems: 10000 - type: array - list: - deprecated: true - items: - additionalProperties: false - type: object - properties: - active: - description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. - type: boolean - api_key: - description: The enrollment API key (token) used for enrolling Elastic Agents. - type: string - api_key_id: - description: The ID of the API key in the Security API. - type: string - created_at: - type: string - hidden: - type: boolean - id: - type: string - name: - description: The name of the enrollment API key. - type: string - policy_id: - description: The ID of the agent policy the Elastic Agent will be enrolled in. - type: string - required: - - id - - api_key_id - - api_key - - active - - created_at - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - - list - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get enrollment API keys - tags: - - Fleet enrollment API keys - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/enrollment_api_keys
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create an enrollment API key for a given agent policy.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-enrollment-api-keys - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postEnrollmentApiKeyRequestExample: - description: Create an enrollment API key for an agent policy - value: - expiration: '2025-01-01T00:00:00.000Z' - name: My enrollment key - policy_id: policy-id-1 - schema: - additionalProperties: false - type: object - properties: - expiration: - type: string - name: - type: string - policy_id: - type: string - required: - - policy_id - responses: - '200': - content: - application/json: - examples: - postEnrollmentApiKeyExample: - description: The created enrollment API key - value: - action: created - item: - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: My enrollment key - policy_id: policy-id-1 - schema: - additionalProperties: false - type: object - properties: - action: - enum: - - created - type: string - item: - additionalProperties: false - type: object - properties: - active: - description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. - type: boolean - api_key: - description: The enrollment API key (token) used for enrolling Elastic Agents. - type: string - api_key_id: - description: The ID of the API key in the Security API. - type: string - created_at: - type: string - hidden: - type: boolean - id: - type: string - name: - description: The name of the enrollment API key. - type: string - policy_id: - description: The ID of the agent policy the Elastic Agent will be enrolled in. 
- type: string - required: - - id - - api_key_id - - api_key - - active - - created_at - required: - - item - - action - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create an enrollment API key - tags: - - Fleet enrollment API keys - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/enrollment_api_keys/{keyId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Revoke an enrollment API key by ID by marking it as inactive.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: delete-fleet-enrollment-api-keys-keyid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: keyId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - deleteEnrollmentApiKeyExample: - description: The enrollment API key was successfully revoked - value: - action: deleted - schema: - additionalProperties: false - type: object - properties: - action: - enum: - - deleted - type: string - required: - - action - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No enrollment API key was found with the given ID - value: - error: Not Found - message: EnrollmentAPIKey key-id-1 not found - statusCode: 404 - description: Not Found - summary: Revoke an enrollment API key - tags: - - Fleet enrollment API keys - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get an enrollment API key by ID.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup. - operationId: get-fleet-enrollment-api-keys-keyid - parameters: - - in: path - name: keyId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getEnrollmentApiKeyExample: - description: An enrollment API key - value: - item: - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: Default policy enrollment key - policy_id: policy-id-1 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - active: - description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. - type: boolean - api_key: - description: The enrollment API key (token) used for enrolling Elastic Agents. - type: string - api_key_id: - description: The ID of the API key in the Security API. - type: string - created_at: - type: string - hidden: - type: boolean - id: - type: string - name: - description: The name of the enrollment API key. - type: string - policy_id: - description: The ID of the agent policy the Elastic Agent will be enrolled in. 
- type: string - required: - - id - - api_key_id - - api_key - - active - - created_at - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No enrollment API key was found with the given ID - value: - error: Not Found - message: EnrollmentAPIKey key-id-1 not found - statusCode: 404 - description: Not Found - summary: Get an enrollment API key - tags: - - Fleet enrollment API keys - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/bulk_assets: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/bulk_assets
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve multiple Kibana saved object assets by their IDs and types.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: post-fleet-epm-bulk-assets - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkGetAssetsRequestExample: - description: Retrieve multiple assets by their IDs and types - value: - assetIds: - - id: dashboard-id-1 - type: dashboard - - id: index-pattern-id-1 - type: index_pattern - schema: - additionalProperties: false - type: object - properties: - assetIds: - items: - additionalProperties: false - type: object - properties: - id: - type: string - type: - type: string - required: - - id - - type - maxItems: 10000 - type: array - required: - - assetIds - responses: - '200': - content: - application/json: - examples: - postBulkGetAssetsExample: - description: Requested assets - value: - items: - - appLink: /app/dashboards#/view/dashboard-id-1 - attributes: - title: My Dashboard - id: dashboard-id-1 - type: dashboard - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - appLink: - type: string - attributes: - additionalProperties: false - type: object - properties: - description: - type: string - service: - type: string - title: - type: string - id: - type: string - type: - type: string - updatedAt: - type: string - required: - - id - - type - - attributes - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - 
attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk get assets - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/categories: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/categories
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of integration categories.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-categories - parameters: - - in: query - name: prerelease - required: false - schema: - type: boolean - - in: query - name: include_policy_templates - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - getCategoriesExample: - description: List of integration categories - value: - items: - - count: 42 - id: security - title: Security - - count: 38 - id: observability - title: Observability - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - count: - type: number - id: - type: string - parent_id: - type: string - parent_title: - type: string - title: - type: string - required: - - id - - title - - count - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get package categories - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/custom_integrations: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/custom_integrations
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new custom integration package with user-defined data streams.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-custom-integrations - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postCreateCustomIntegrationRequestExample: - description: Create a new custom integration - value: - datasets: - - name: my_custom_logs.access - type: logs - integrationName: my_custom_logs - schema: - additionalProperties: false - type: object - properties: - datasets: - items: - additionalProperties: false - type: object - properties: - name: - type: string - type: - enum: - - logs - - metrics - - traces - - synthetics - - profiling - type: string - required: - - name - - type - maxItems: 10 - type: array - force: - type: boolean - integrationName: - type: string - required: - - integrationName - - datasets - responses: - '200': - content: - application/json: - examples: - postCreateCustomIntegrationExample: - description: Custom integration successfully created - value: - _meta: - install_source: custom - items: - - id: my_custom_logs-logs-my_custom_logs.access - type: index_template - schema: - additionalProperties: false - type: object - properties: - _meta: - additionalProperties: false - type: object - properties: - install_source: - type: string - name: - type: string - required: - - install_source - - name - items: - items: - anyOf: - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - 
properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - required: - - items - - _meta - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create a custom integration - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/custom_integrations/{pkgName}: - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/epm/custom_integrations/{pkgName}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update the datasets of an existing custom integration package.

[Required authorization] Route required privileges: fleet-settings-all AND integrations-all. - operationId: put-fleet-epm-custom-integrations-pkgname - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: pkgName - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putUpdateCustomIntegrationRequestExample: - description: Update a custom integration - value: - datasets: - - name: my_custom_logs.access - type: logs - integrationName: my_custom_logs - schema: - additionalProperties: false - type: object - properties: - categories: - items: - type: string - maxItems: 10 - type: array - readMeData: - type: string - required: - - readMeData - responses: - '200': - content: - application/json: - examples: - putUpdateCustomIntegrationExample: - description: Custom integration successfully updated - value: {} - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Update a custom integration - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/data_streams: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/data_streams
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of data streams created by installed integration packages.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-data-streams - parameters: - - in: query - name: type - required: false - schema: - enum: - - logs - - metrics - - traces - - synthetics - - profiling - type: string - - in: query - name: datasetQuery - required: false - schema: - type: string - - in: query - name: sortOrder - required: false - schema: - default: asc - enum: - - asc - - desc - type: string - - in: query - name: uncategorisedOnly - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - getDataStreamsExample: - description: List of data streams from installed packages - value: - data_streams: - - ilm_policy: logs-default - index_template: logs-system.syslog - name: logs-system.syslog-default - package: system - package_version: 1.55.0 - title: System syslog logs - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - name: - type: string - required: - - name - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get data streams - tags: - - Data streams - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/packages: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/packages
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of integration packages available in the registry.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages - parameters: - - in: query - name: category - required: false - schema: - type: string - - in: query - name: prerelease - required: false - schema: - type: boolean - - in: query - name: excludeInstallStatus - required: false - schema: - type: boolean - - in: query - name: withPackagePoliciesCount - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - getPackagesExample: - description: List of available integration packages - value: - items: - - categories: - - cloud - description: Collect logs and metrics from Amazon Web Services - id: aws - name: aws - status: not_installed - title: AWS - version: 2.10.0 - searchExcluded: 0 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: true - type: object - properties: - categories: - items: - type: string - maxItems: 100 - type: array - conditions: - additionalProperties: true - type: object - properties: - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - elastic: - additionalProperties: true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true - type: object - properties: - version: - type: string - data_streams: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - description: - type: string - discovery: - 
additionalProperties: true - type: object - properties: - datasets: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - fields: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - download: - type: string - format_version: - type: string - icons: - items: - additionalProperties: true - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - id: - type: string - installationInfo: - additionalProperties: true - type: object - properties: - additional_spaces_installed_kibana: - additionalProperties: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 100 - type: array - type: object - created_at: - type: string - experimental_data_stream_features: - items: - additionalProperties: true - type: object - properties: - data_stream: - type: string - features: - additionalProperties: true - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - install_format_schema_version: - type: string - install_source: - enum: - - registry - - upload - - bundled - - custom - type: string - install_status: - enum: - - installed - - installing - - install_failed - type: string - installed_es: 
- items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana_space_id: - type: string - is_rollback_ttl_expired: - type: boolean - latest_executed_state: - additionalProperties: true - type: object - properties: - error: - type: string - name: - type: string - started_at: - type: string - latest_install_failed_attempts: - items: - additionalProperties: true - type: object - properties: - created_at: - type: string - error: - additionalProperties: true - type: object - properties: - message: - type: string - name: - type: string - stack: - type: string - required: - - name - - message - target_version: - type: string - required: - - created_at - - target_version - - error - maxItems: 10 - type: array - name: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - previous_version: - nullable: true - type: string - rolled_back: - type: boolean - type: - type: string - updated_at: - type: string - verification_key_id: - nullable: true - type: string - verification_status: - enum: - - unverified - - verified - - unknown - type: string - version: - type: string - required: - - type - - installed_kibana - - installed_es - - 
name - - version - - install_status - - install_source - - verification_status - integration: - type: string - internal: - type: boolean - latestVersion: - type: string - name: - type: string - owner: - additionalProperties: true - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - path: - type: string - policy_templates: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - readme: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - signature_path: - type: string - source: - additionalProperties: true - type: object - properties: - license: - type: string - required: - - license - status: - type: string - title: - type: string - type: - anyOf: - - enum: - - integration - type: string - - enum: - - input - type: string - - enum: - - content - type: string - - type: string - var_groups: - items: - additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - options: - items: - additionalProperties: true - type: object - properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - default - - agentless - type: string - maxItems: 2 - type: array - name: - type: string - title: - type: string - vars: - items: - type: string - maxItems: 100 - type: array - required: - - name - - title - - vars - maxItems: 100 - type: array - selector_title: - type: string - title: - type: string - required: - - name - - title - - selector_title - - options - maxItems: 100 - type: array - vars: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - version: - type: string - required: - - name - - version - - title - - id - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a 
generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get packages - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/packages
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Install a package by uploading a .zip or .tar.gz archive (max 100MB). Only available to superusers.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: query - name: ignoreMappingUpdateErrors - required: false - schema: - default: false - type: boolean - - in: query - name: skipDataStreamRollover - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/gzip: - examples: - postInstallByUploadRequestExample: - description: Upload a .zip or .tar.gz package archive (max 100MB) - value: - application/gzip; application/zip: - schema: - format: binary - type: string - responses: - '200': - content: - application/gzip; application/zip: - schema: - additionalProperties: false - type: object - properties: - _meta: - additionalProperties: false - type: object - properties: - install_source: - type: string - name: - type: string - required: - - install_source - - name - items: - items: - anyOf: - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - required: - - items - - _meta - application/json: - examples: - 
postInstallByUploadExample: - description: Package successfully installed from upload - value: - _meta: - install_source: upload - items: - - id: my-custom-package-logs-default - type: index_template - description: Successful response - '400': - content: - application/gzip; application/zip: - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - description: Bad Request - summary: Install a package by upload - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/packages/_bulk: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/packages/_bulk
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Install multiple packages from the Elastic Package Registry in a single request.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: query - name: prerelease - required: false - schema: - type: boolean - requestBody: - content: - application/json: - examples: - postBulkInstallPackagesRequestExample: - description: Install multiple packages from the registry - value: - packages: - - system - - aws - schema: - additionalProperties: false - type: object - properties: - force: - default: false - type: boolean - packages: - items: - anyOf: - - type: string - - additionalProperties: false - type: object - properties: - name: - type: string - prerelease: - type: boolean - version: - type: string - required: - - name - - version - maxItems: 1000 - minItems: 1 - type: array - required: - - packages - responses: - '200': - content: - application/json: - examples: - postBulkInstallPackagesExample: - description: Bulk install results - value: - items: - - name: system - result: - assets: [] - status: installed - - name: aws - result: - assets: [] - status: installed - schema: - additionalProperties: false - type: object - properties: - items: - items: - anyOf: - - additionalProperties: false - type: object - properties: - name: - type: string - result: - additionalProperties: false - type: object - properties: - assets: - items: - anyOf: - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - 
properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - error: - nullable: true - installSource: - type: string - installType: - type: string - status: - enum: - - installed - - already_installed - type: string - required: - - error - - installType - version: - type: string - required: - - name - - version - - result - - additionalProperties: false - type: object - properties: - error: - anyOf: - - type: string - - nullable: true - name: - type: string - statusCode: - type: number - required: - - name - - statusCode - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk install packages - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/packages/_bulk_rollback: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/packages/_bulk_rollback
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Rollback multiple packages to their previous versions.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-rollback - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - bulkRollbackRequest: - value: - packages: - - name: system - schema: - additionalProperties: false - type: object - properties: - packages: - items: - additionalProperties: false - type: object - properties: - name: - description: Package name to rollback - type: string - required: - - name - maxItems: 1000 - minItems: 1 - type: array - required: - - packages - responses: - '200': - content: - application/json: - examples: - successResponse: - value: - taskId: taskId - schema: - additionalProperties: false - type: object - properties: - taskId: - type: string - required: - - taskId - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - badRequestResponse: - value: - message: Bad Request - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Bulk rollback packages - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/packages/_bulk_rollback/{taskId}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/packages/_bulk_rollback/{taskId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the status and results of a bulk package rollback operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: get-fleet-epm-packages-bulk-rollback-taskid - parameters: - - description: Task ID of the bulk operation - in: path - name: taskId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - successResponse: - value: - status: success - schema: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - results: - items: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - name: - type: string - success: - type: boolean - required: - - name - - success - maxItems: 10000 - type: array - status: - type: string - required: - - status - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - badRequestResponse: - value: - message: Bad Request - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Get Bulk rollback packages details - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/packages/_bulk_uninstall: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Uninstall multiple packages in a single operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-uninstall - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkUninstallPackagesRequestExample: - description: Uninstall multiple packages - value: - packages: - - name: aws - - name: gcp - schema: - additionalProperties: false - type: object - properties: - force: - default: false - type: boolean - packages: - items: - additionalProperties: false - type: object - properties: - name: - type: string - version: - type: string - required: - - name - - version - maxItems: 1000 - minItems: 1 - type: array - required: - - packages - responses: - '200': - content: - application/json: - examples: - postBulkUninstallPackagesExample: - description: Bulk uninstall task initiated - value: - taskId: task-id-1 - schema: - additionalProperties: false - type: object - properties: - taskId: - type: string - required: - - taskId - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk uninstall packages - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/packages/_bulk_uninstall/{taskId}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall/{taskId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the status and results of a bulk package uninstall operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: get-fleet-epm-packages-bulk-uninstall-taskid - parameters: - - description: Task ID of the bulk operation - in: path - name: taskId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getBulkOperationDetailsExample: - description: Details of the bulk operation task - value: - packages: - - name: system - result: installed - - name: elastic_agent - result: installed - status: success - schema: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - results: - items: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - name: - type: string - success: - type: boolean - required: - - name - - success - maxItems: 10000 - type: array - status: - type: string - required: - - status - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get Bulk uninstall packages details - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/packages/_bulk_upgrade: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Upgrade multiple packages to their latest versions.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-upgrade - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkUpgradePackagesRequestExample: - description: Upgrade multiple packages to their latest versions - value: - packages: - - name: system - - name: elastic_agent - schema: - additionalProperties: false - type: object - properties: - force: - default: false - type: boolean - packages: - items: - additionalProperties: false - type: object - properties: - name: - type: string - version: - type: string - required: - - name - maxItems: 1000 - minItems: 1 - type: array - prerelease: - type: boolean - upgrade_package_policies: - default: false - type: boolean - required: - - packages - responses: - '200': - content: - application/json: - examples: - postBulkUpgradePackagesExample: - description: Bulk upgrade task initiated - value: - taskId: task-id-1 - schema: - additionalProperties: false - type: object - properties: - taskId: - type: string - required: - - taskId - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk upgrade packages - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - 
/api/fleet/epm/packages/_bulk_upgrade/{taskId}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade/{taskId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the status and results of a bulk package upgrade operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: get-fleet-epm-packages-bulk-upgrade-taskid - parameters: - - description: Task ID of the bulk operation - in: path - name: taskId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getBulkOperationDetailsExample: - description: Details of the bulk operation task - value: - packages: - - name: system - result: installed - - name: elastic_agent - result: installed - status: success - schema: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - results: - items: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - name: - type: string - success: - type: boolean - required: - - name - - success - maxItems: 10000 - type: array - status: - type: string - required: - - status - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get Bulk upgrade packages details - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/packages/{pkgName}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Uninstall a package and remove all its assets.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: pkgName - required: true - schema: - type: string - - in: query - name: force - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - deletePackageExample: - description: Package successfully deleted - value: - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template - schema: - additionalProperties: false - type: object - properties: - items: - items: - anyOf: - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - 
nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete a package - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/packages/{pkgName}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get information about a package by name, returning the latest installed or available version. - operationId: get-fleet-epm-packages-pkgname - parameters: - - in: path - name: pkgName - required: true - schema: - type: string - - in: query - name: ignoreUnverified - required: false - schema: - type: boolean - - in: query - name: prerelease - required: false - schema: - type: boolean - - in: query - name: full - required: false - schema: - type: boolean - - in: query - name: withMetadata - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - getPackageInfoExample: - description: Package details and installation status - value: - item: - assets: - kibana: - dashboard: [] - index_pattern: [] - categories: - - cloud - description: Collect logs and metrics from Amazon Web Services - name: aws - status: installed - title: AWS - version: 2.10.0 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: true - type: object - properties: - agent: - additionalProperties: false - type: object - properties: - privileges: - additionalProperties: false - type: object - properties: - root: - type: boolean - asset_tags: - items: - additionalProperties: false - type: object - properties: - asset_ids: - items: - type: string - maxItems: 1000 - type: array - asset_types: - items: - type: string - maxItems: 100 - type: array - text: - type: string - required: - - text - maxItems: 1000 - type: array - assets: - additionalProperties: - nullable: true - type: object - categories: - items: - type: string - maxItems: 100 - type: array - conditions: - additionalProperties: true - type: object - properties: - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - 
since: - type: string - required: - - description - elastic: - additionalProperties: true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true - type: object - properties: - version: - type: string - data_streams: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - description: - type: string - discovery: - additionalProperties: true - type: object - properties: - datasets: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - fields: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - download: - type: string - elasticsearch: - additionalProperties: - nullable: true - type: object - format_version: - type: string - icons: - items: - additionalProperties: true - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - installationInfo: - additionalProperties: true - type: object - properties: - additional_spaces_installed_kibana: - additionalProperties: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - 
- id - - type - maxItems: 100 - type: array - type: object - created_at: - type: string - experimental_data_stream_features: - items: - additionalProperties: true - type: object - properties: - data_stream: - type: string - features: - additionalProperties: true - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - install_format_schema_version: - type: string - install_source: - enum: - - registry - - upload - - bundled - - custom - type: string - install_status: - enum: - - installed - - installing - - install_failed - type: string - installed_es: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana_space_id: - type: string - is_rollback_ttl_expired: - type: boolean - latest_executed_state: - additionalProperties: true - type: object - properties: - error: - type: string - name: - type: string - started_at: - type: string - latest_install_failed_attempts: - items: - additionalProperties: true - type: object - properties: - created_at: - type: string - 
error: - additionalProperties: true - type: object - properties: - message: - type: string - name: - type: string - stack: - type: string - required: - - name - - message - target_version: - type: string - required: - - created_at - - target_version - - error - maxItems: 10 - type: array - name: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - previous_version: - nullable: true - type: string - rolled_back: - type: boolean - type: - type: string - updated_at: - type: string - verification_key_id: - nullable: true - type: string - verification_status: - enum: - - unverified - - verified - - unknown - type: string - version: - type: string - required: - - type - - installed_kibana - - installed_es - - name - - version - - install_status - - install_source - - verification_status - internal: - type: boolean - keepPoliciesUpToDate: - type: boolean - latestVersion: - type: string - license: - type: string - licensePath: - type: string - name: - type: string - notice: - type: string - owner: - additionalProperties: true - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - path: - type: string - policy_templates: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - readme: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - screenshots: - items: - additionalProperties: false - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - signature_path: - type: string - source: - additionalProperties: true - type: object - properties: - license: - type: string - required: - - license - status: - type: string - title: - type: string - type: - anyOf: - - enum: - - integration - type: string - - enum: - - input - type: string - - enum: 
- - content - type: string - - type: string - var_groups: - items: - additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - options: - items: - additionalProperties: true - type: object - properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - default - - agentless - type: string - maxItems: 2 - type: array - name: - type: string - title: - type: string - vars: - items: - type: string - maxItems: 100 - type: array - required: - - name - - title - - vars - maxItems: 100 - type: array - selector_title: - type: string - title: - type: string - required: - - name - - title - - selector_title - - options - maxItems: 100 - type: array - vars: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - version: - type: string - required: - - name - - version - - title - - assets - metadata: - additionalProperties: false - type: object - properties: - has_policies: - type: boolean - required: - - has_policies - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a package - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Install the latest version of a package from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: pkgName - required: true - schema: - type: string - - in: query - name: prerelease - required: false - schema: - type: boolean - - in: query - name: ignoreMappingUpdateErrors - required: false - schema: - default: false - type: boolean - - in: query - name: skipDataStreamRollover - required: false - schema: - default: false - type: boolean - - description: Skip dependency validation when installing a package with dependencies - in: query - name: skipDependencyCheck - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - examples: - postInstallPackageRequestExample: - description: Install a package, optionally ignoring constraints - value: - ignore_constraints: false - schema: - additionalProperties: false - nullable: true - type: object - properties: - force: - default: false - type: boolean - ignore_constraints: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - postInstallPackageExample: - description: Package successfully installed - value: - _meta: - install_source: registry - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template - schema: - additionalProperties: false - type: object - properties: - _meta: - additionalProperties: false - type: object - properties: - install_source: - type: string - name: - type: string - required: - - install_source - - name - items: - items: - anyOf: - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - 
index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - required: - - items - - _meta - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Install a package from the registry - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/epm/packages/{pkgName}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update settings for a package, such as whether policies are kept up to date automatically.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: put-fleet-epm-packages-pkgname - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: pkgName - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putUpdatePackageRequestExample: - description: Update keep_policies_up_to_date setting for a package - value: - keepPoliciesUpToDate: true - schema: - additionalProperties: false - type: object - properties: - keepPoliciesUpToDate: - type: boolean - required: - - keepPoliciesUpToDate - responses: - '200': - content: - application/json: - examples: - putUpdatePackageExample: - description: Updated package settings - value: - item: - keepPoliciesUpToDate: true - name: aws - version: 2.10.0 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: true - type: object - properties: - agent: - additionalProperties: false - type: object - properties: - privileges: - additionalProperties: false - type: object - properties: - root: - type: boolean - asset_tags: - items: - additionalProperties: false - type: object - properties: - asset_ids: - items: - type: string - maxItems: 1000 - type: array - asset_types: - items: - type: string - maxItems: 100 - type: array - text: - type: string - required: - - text - maxItems: 1000 - type: array - assets: - additionalProperties: - nullable: true - type: object - categories: - items: - type: string - maxItems: 100 - type: array - conditions: - additionalProperties: true - type: object - properties: - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - elastic: - additionalProperties: 
true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true - type: object - properties: - version: - type: string - data_streams: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - description: - type: string - discovery: - additionalProperties: true - type: object - properties: - datasets: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - fields: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - download: - type: string - elasticsearch: - additionalProperties: - nullable: true - type: object - format_version: - type: string - icons: - items: - additionalProperties: true - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - installationInfo: - additionalProperties: true - type: object - properties: - additional_spaces_installed_kibana: - additionalProperties: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 100 - type: array - type: object - created_at: - type: 
string - experimental_data_stream_features: - items: - additionalProperties: true - type: object - properties: - data_stream: - type: string - features: - additionalProperties: true - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - install_format_schema_version: - type: string - install_source: - enum: - - registry - - upload - - bundled - - custom - type: string - install_status: - enum: - - installed - - installing - - install_failed - type: string - installed_es: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana_space_id: - type: string - is_rollback_ttl_expired: - type: boolean - latest_executed_state: - additionalProperties: true - type: object - properties: - error: - type: string - name: - type: string - started_at: - type: string - latest_install_failed_attempts: - items: - additionalProperties: true - type: object - properties: - created_at: - type: string - error: - additionalProperties: true - type: object - properties: - message: - 
type: string - name: - type: string - stack: - type: string - required: - - name - - message - target_version: - type: string - required: - - created_at - - target_version - - error - maxItems: 10 - type: array - name: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - previous_version: - nullable: true - type: string - rolled_back: - type: boolean - type: - type: string - updated_at: - type: string - verification_key_id: - nullable: true - type: string - verification_status: - enum: - - unverified - - verified - - unknown - type: string - version: - type: string - required: - - type - - installed_kibana - - installed_es - - name - - version - - install_status - - install_source - - verification_status - internal: - type: boolean - keepPoliciesUpToDate: - type: boolean - latestVersion: - type: string - license: - type: string - licensePath: - type: string - name: - type: string - notice: - type: string - owner: - additionalProperties: true - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - path: - type: string - policy_templates: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - readme: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - screenshots: - items: - additionalProperties: false - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - signature_path: - type: string - source: - additionalProperties: true - type: object - properties: - license: - type: string - required: - - license - status: - type: string - title: - type: string - type: - anyOf: - - enum: - - integration - type: string - - enum: - - input - type: string - - enum: - - content - type: string - - type: string - var_groups: - items: - 
additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - options: - items: - additionalProperties: true - type: object - properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - default - - agentless - type: string - maxItems: 2 - type: array - name: - type: string - title: - type: string - vars: - items: - type: string - maxItems: 100 - type: array - required: - - name - - title - - vars - maxItems: 100 - type: array - selector_title: - type: string - title: - type: string - required: - - name - - title - - selector_title - - options - maxItems: 100 - type: array - vars: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - version: - type: string - required: - - name - - version - - title - - assets - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Update package settings - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Uninstall a specific version of a package and remove all its assets.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname-pkgversion - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - in: query - name: force - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - deletePackageExample: - description: Package successfully deleted - value: - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template - schema: - additionalProperties: false - type: object - properties: - items: - items: - anyOf: - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - 
additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete a package - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get information about a specific version of a package. - operationId: get-fleet-epm-packages-pkgname-pkgversion - parameters: - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - in: query - name: ignoreUnverified - required: false - schema: - type: boolean - - in: query - name: prerelease - required: false - schema: - type: boolean - - in: query - name: full - required: false - schema: - type: boolean - - in: query - name: withMetadata - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - getPackageInfoExample: - description: Package details and installation status - value: - item: - assets: - kibana: - dashboard: [] - index_pattern: [] - categories: - - cloud - description: Collect logs and metrics from Amazon Web Services - name: aws - status: installed - title: AWS - version: 2.10.0 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: true - type: object - properties: - agent: - additionalProperties: false - type: object - properties: - privileges: - additionalProperties: false - type: object - properties: - root: - type: boolean - asset_tags: - items: - additionalProperties: false - type: object - properties: - asset_ids: - items: - type: string - maxItems: 1000 - type: array - asset_types: - items: - type: string - maxItems: 100 - type: array - text: - type: string - required: - - text - maxItems: 1000 - type: array - assets: - additionalProperties: - nullable: true - type: object - categories: - items: - type: string - maxItems: 100 - type: array - conditions: - additionalProperties: true - type: object - properties: - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - 
additionalProperties: - type: string - type: object - since: - type: string - required: - - description - elastic: - additionalProperties: true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true - type: object - properties: - version: - type: string - data_streams: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - description: - type: string - discovery: - additionalProperties: true - type: object - properties: - datasets: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - fields: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - download: - type: string - elasticsearch: - additionalProperties: - nullable: true - type: object - format_version: - type: string - icons: - items: - additionalProperties: true - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - installationInfo: - additionalProperties: true - type: object - properties: - additional_spaces_installed_kibana: - additionalProperties: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query 
- - tag - type: string - - type: string - required: - - id - - type - maxItems: 100 - type: array - type: object - created_at: - type: string - experimental_data_stream_features: - items: - additionalProperties: true - type: object - properties: - data_stream: - type: string - features: - additionalProperties: true - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - install_format_schema_version: - type: string - install_source: - enum: - - registry - - upload - - bundled - - custom - type: string - install_status: - enum: - - installed - - installing - - install_failed - type: string - installed_es: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana_space_id: - type: string - is_rollback_ttl_expired: - type: boolean - latest_executed_state: - additionalProperties: true - type: object - properties: - error: - type: string - name: - type: string - started_at: - type: string - latest_install_failed_attempts: - items: - additionalProperties: true - 
type: object - properties: - created_at: - type: string - error: - additionalProperties: true - type: object - properties: - message: - type: string - name: - type: string - stack: - type: string - required: - - name - - message - target_version: - type: string - required: - - created_at - - target_version - - error - maxItems: 10 - type: array - name: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - previous_version: - nullable: true - type: string - rolled_back: - type: boolean - type: - type: string - updated_at: - type: string - verification_key_id: - nullable: true - type: string - verification_status: - enum: - - unverified - - verified - - unknown - type: string - version: - type: string - required: - - type - - installed_kibana - - installed_es - - name - - version - - install_status - - install_source - - verification_status - internal: - type: boolean - keepPoliciesUpToDate: - type: boolean - latestVersion: - type: string - license: - type: string - licensePath: - type: string - name: - type: string - notice: - type: string - owner: - additionalProperties: true - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - path: - type: string - policy_templates: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - readme: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - screenshots: - items: - additionalProperties: false - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - signature_path: - type: string - source: - additionalProperties: true - type: object - properties: - license: - type: string - required: - - license - status: - type: string - title: - type: string - type: - anyOf: - - enum: - - integration - 
type: string - - enum: - - input - type: string - - enum: - - content - type: string - - type: string - var_groups: - items: - additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - options: - items: - additionalProperties: true - type: object - properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - default - - agentless - type: string - maxItems: 2 - type: array - name: - type: string - title: - type: string - vars: - items: - type: string - maxItems: 100 - type: array - required: - - name - - title - - vars - maxItems: 100 - type: array - selector_title: - type: string - title: - type: string - required: - - name - - title - - selector_title - - options - maxItems: 100 - type: array - vars: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - version: - type: string - required: - - name - - version - - title - - assets - metadata: - additionalProperties: false - type: object - properties: - has_policies: - type: boolean - required: - - has_policies - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a package - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Install a specific version of a package from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-pkgversion - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - in: query - name: prerelease - required: false - schema: - type: boolean - - in: query - name: ignoreMappingUpdateErrors - required: false - schema: - default: false - type: boolean - - in: query - name: skipDataStreamRollover - required: false - schema: - default: false - type: boolean - - description: Skip dependency validation when installing a package with dependencies - in: query - name: skipDependencyCheck - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - examples: - postInstallPackageRequestExample: - description: Install a package, optionally ignoring constraints - value: - ignore_constraints: false - schema: - additionalProperties: false - nullable: true - type: object - properties: - force: - default: false - type: boolean - ignore_constraints: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - postInstallPackageExample: - description: Package successfully installed - value: - _meta: - install_source: registry - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template - schema: - additionalProperties: false - type: object - properties: - _meta: - additionalProperties: false - type: object - properties: - install_source: - type: string - name: - type: string - required: - - install_source - - name - items: - items: - anyOf: - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - 
type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - required: - - items - - _meta - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Install a package from the registry - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update settings for a specific version of a package.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: put-fleet-epm-packages-pkgname-pkgversion - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putUpdatePackageRequestExample: - description: Update keep_policies_up_to_date setting for a package - value: - keepPoliciesUpToDate: true - schema: - additionalProperties: false - type: object - properties: - keepPoliciesUpToDate: - type: boolean - required: - - keepPoliciesUpToDate - responses: - '200': - content: - application/json: - examples: - putUpdatePackageExample: - description: Updated package settings - value: - item: - keepPoliciesUpToDate: true - name: aws - version: 2.10.0 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: true - type: object - properties: - agent: - additionalProperties: false - type: object - properties: - privileges: - additionalProperties: false - type: object - properties: - root: - type: boolean - asset_tags: - items: - additionalProperties: false - type: object - properties: - asset_ids: - items: - type: string - maxItems: 1000 - type: array - asset_types: - items: - type: string - maxItems: 100 - type: array - text: - type: string - required: - - text - maxItems: 1000 - type: array - assets: - additionalProperties: - nullable: true - type: object - categories: - items: - type: string - maxItems: 100 - type: array - conditions: - additionalProperties: true - type: object - properties: - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - 
since: - type: string - required: - - description - elastic: - additionalProperties: true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true - type: object - properties: - version: - type: string - data_streams: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - description: - type: string - discovery: - additionalProperties: true - type: object - properties: - datasets: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - fields: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - download: - type: string - elasticsearch: - additionalProperties: - nullable: true - type: object - format_version: - type: string - icons: - items: - additionalProperties: true - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - installationInfo: - additionalProperties: true - type: object - properties: - additional_spaces_installed_kibana: - additionalProperties: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - 
- id - - type - maxItems: 100 - type: array - type: object - created_at: - type: string - experimental_data_stream_features: - items: - additionalProperties: true - type: object - properties: - data_stream: - type: string - features: - additionalProperties: true - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - install_format_schema_version: - type: string - install_source: - enum: - - registry - - upload - - bundled - - custom - type: string - install_status: - enum: - - installed - - installing - - install_failed - type: string - installed_es: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana_space_id: - type: string - is_rollback_ttl_expired: - type: boolean - latest_executed_state: - additionalProperties: true - type: object - properties: - error: - type: string - name: - type: string - started_at: - type: string - latest_install_failed_attempts: - items: - additionalProperties: true - type: object - properties: - created_at: - type: string - 
error: - additionalProperties: true - type: object - properties: - message: - type: string - name: - type: string - stack: - type: string - required: - - name - - message - target_version: - type: string - required: - - created_at - - target_version - - error - maxItems: 10 - type: array - name: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - previous_version: - nullable: true - type: string - rolled_back: - type: boolean - type: - type: string - updated_at: - type: string - verification_key_id: - nullable: true - type: string - verification_status: - enum: - - unverified - - verified - - unknown - type: string - version: - type: string - required: - - type - - installed_kibana - - installed_es - - name - - version - - install_status - - install_source - - verification_status - internal: - type: boolean - keepPoliciesUpToDate: - type: boolean - latestVersion: - type: string - license: - type: string - licensePath: - type: string - name: - type: string - notice: - type: string - owner: - additionalProperties: true - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - path: - type: string - policy_templates: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - readme: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - screenshots: - items: - additionalProperties: false - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - signature_path: - type: string - source: - additionalProperties: true - type: object - properties: - license: - type: string - required: - - license - status: - type: string - title: - type: string - type: - anyOf: - - enum: - - integration - type: string - - enum: - - input - type: string - - enum: 
- - content - type: string - - type: string - var_groups: - items: - additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - options: - items: - additionalProperties: true - type: object - properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - default - - agentless - type: string - maxItems: 2 - type: array - name: - type: string - title: - type: string - vars: - items: - type: string - maxItems: 100 - type: array - required: - - name - - title - - vars - maxItems: 100 - type: array - selector_title: - type: string - title: - type: string - required: - - name - - title - - selector_title - - options - maxItems: 100 - type: array - vars: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - version: - type: string - required: - - name - - version - - title - - assets - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Update package settings - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the contents of a specific file from a package.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath - parameters: - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - in: path - name: filePath - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getPackageFileExample: - description: The content of the requested package file - value: - schema: {} - description: Successful response — returns the file content - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a package file - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete datastream assets for a specific input package, by data stream name.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname-pkgversion-datastream-assets - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - in: query - name: packagePolicyId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - deletePackageDatastreamAssetsExample: - description: Package datastream assets successfully deleted - value: - items: - - id: logs-my_package.access-default - type: index_template - schema: - additionalProperties: false - type: object - properties: - success: - type: boolean - required: - - success - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete assets for an input package - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the list of packages that a specific package depends on.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-pkgname-pkgversion-dependencies - parameters: - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - dependenciesResponse: - value: - items: - - name: aws - title: AWS - version: ^2.0.0 - - name: system - title: System - version: ^1.0.0 - noDependenciesResponse: - value: - items: [] - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version: - type: string - required: - - name - - version - - title - maxItems: 1000 - type: array - required: - - items - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - packageNotFoundResponse: - value: - message: '[my-package-1.0.0] package not found in registry' - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Get package dependencies - tags: - - Elastic Package Manager (EPM) - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete Kibana assets (dashboards, visualizations, etc.) for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - deleteKibanaAssetsExample: - description: Kibana assets successfully deleted - value: - items: - - id: dashboard-id-1 - type: dashboard - schema: - additionalProperties: false - type: object - properties: - success: - type: boolean - required: - - success - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete Kibana assets for a package - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Install Kibana assets (dashboards, visualizations, etc.) for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-pkgversion-kibana-assets - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postInstallKibanaAssetsRequestExample: - description: Install Kibana assets for a specific package version - value: {} - schema: - additionalProperties: false - nullable: true - type: object - properties: - force: - type: boolean - space_ids: - description: When provided install assets in the specified spaces instead of the current space. - items: - type: string - maxItems: 100 - minItems: 1 - type: array - responses: - '200': - content: - application/json: - examples: - postInstallKibanaAssetsExample: - description: Kibana assets successfully installed - value: - items: - - id: dashboard-id-1 - type: dashboard - schema: - additionalProperties: false - type: object - properties: - success: - type: boolean - required: - - success - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Install Kibana assets for a package - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: 
product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Install Kibana alert rule assets for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-pkgversion-rule-assets - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postInstallRuleAssetsRequestExample: - description: Install alert rule assets for a specific package version - value: {} - schema: - additionalProperties: false - nullable: true - type: object - properties: - force: - type: boolean - responses: - '200': - content: - application/json: - examples: - postInstallRuleAssetsExample: - description: Rule assets successfully installed - value: - items: - - id: rule-asset-id-1 - type: security_rule - schema: - additionalProperties: false - type: object - properties: - success: - type: boolean - required: - - success - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Install Kibana alert rule for a package - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Reauthorize Elasticsearch transforms installed by a package with secondary authorization headers. - operationId: post-fleet-epm-packages-pkgname-pkgversion-transforms-authorize - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - in: query - name: prerelease - required: false - schema: - type: boolean - requestBody: - content: - application/json: - examples: - postReauthorizeTransformsRequestExample: - description: Reauthorize transforms for a package - value: - transforms: - - destinations: - - index: logs-transform-dest - transformId: logs-transform-1 - schema: - additionalProperties: false - type: object - properties: - transforms: - items: - additionalProperties: false - type: object - properties: - transformId: - type: string - required: - - transformId - maxItems: 1000 - type: array - required: - - transforms - responses: - '200': - content: - application/json: - examples: - postReauthorizeTransformsExample: - description: Transforms successfully reauthorized - value: - - success: true - transformId: logs-transform-1 - schema: - items: - additionalProperties: false - type: object - properties: - error: - nullable: true - success: - type: boolean - transformId: - type: string - required: - - transformId - - success - - error - maxItems: 10000 - type: array - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - 
type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Authorize transforms - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/packages/{pkgName}/review_upgrade: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/review_upgrade
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Review and accept or reject a pending policy upgrade for a package that contains deprecations.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-review-upgrade - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name to review upgrade for - in: path - name: pkgName - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - acceptUpgrade: - value: - action: accept - target_version: 2.0.0 - schema: - additionalProperties: false - type: object - properties: - action: - enum: - - accept - - decline - - pending - type: string - target_version: - type: string - required: - - action - - target_version - responses: - '200': - content: - application/json: - examples: - successResponse: - value: - success: true - schema: - additionalProperties: false - type: object - properties: - success: - type: boolean - required: - - success - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - badRequestResponse: - value: - message: Bad Request - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Review a pending policy upgrade for a package with deprecations - tags: - - Elastic Package Manager (EPM) - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/packages/{pkgName}/rollback: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/rollback
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Rollback a package to its previously installed version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-rollback - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name to roll back - in: path - name: pkgName - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - successResponse: - value: - success: true - version: 1.0.0 - schema: - additionalProperties: false - type: object - properties: - success: - type: boolean - version: - type: string - required: - - version - - success - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - badRequestResponse: - value: - message: Bad Request - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Rollback a package to previous version - tags: - - Elastic Package Manager (EPM) - x-state: Technical Preview; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/packages/{pkgName}/stats: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/stats
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get usage statistics for a specific package, such as the number of agent policies using it.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-pkgname-stats - parameters: - - in: path - name: pkgName - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getPackageStatsExample: - description: Usage stats for a specific package - value: - response: - agent_policy_count: 3 - schema: - additionalProperties: false - type: object - properties: - response: - additionalProperties: false - type: object - properties: - agent_policy_count: - type: number - package_policy_count: - type: number - required: - - agent_policy_count - - package_policy_count - required: - - response - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get package stats - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/packages/installed: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/packages/installed
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all currently installed integration packages.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-installed - parameters: - - in: query - name: dataStreamType - required: false - schema: - enum: - - logs - - metrics - - traces - - synthetics - - profiling - type: string - - in: query - name: showOnlyActiveDataStreams - required: false - schema: - type: boolean - - in: query - name: nameQuery - required: false - schema: - type: string - - in: query - name: searchAfter - required: false - schema: - items: - anyOf: - - type: string - - type: number - maxItems: 10 - type: array - - in: query - name: perPage - required: false - schema: - default: 15 - type: number - - in: query - name: sortOrder - required: false - schema: - default: asc - enum: - - asc - - desc - type: string - responses: - '200': - content: - application/json: - examples: - getInstalledPackagesExample: - description: List of installed integration packages - value: - items: - - name: system - status: installed - title: System - version: 1.55.0 - - name: elastic_agent - status: installed - title: Elastic Agent - version: 1.15.0 - searchExcluded: 0 - total: 2 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - dataStreams: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - required: - - name - - title - maxItems: 10000 - type: array - description: - type: string - icons: - items: - additionalProperties: false - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - name: - type: string - status: - type: string - title: - type: string - version: - type: string - required: - - name - - version - - status - - dataStreams - maxItems: 10000 - 
type: array - searchAfter: - items: - anyOf: - - type: string - - type: number - - type: boolean - - nullable: true - nullable: true - maxItems: 2 - type: array - total: - type: number - required: - - items - - total - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get installed packages - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/packages/limited: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/packages/limited
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the list of packages that cannot be uninstalled (e.g. elastic_agent, fleet_server).

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-limited - parameters: [] - responses: - '200': - content: - application/json: - examples: - getLimitedPackagesExample: - description: List of packages that cannot be uninstalled - value: - items: - - elastic_agent - - fleet_server - schema: - additionalProperties: false - type: object - properties: - items: - items: - type: string - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a limited package list - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get an inputs template for a package, used to pre-populate package policy forms.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs - parameters: - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - in: query - name: format - required: false - schema: - default: json - enum: - - json - - yml - - yaml - type: string - - in: query - name: prerelease - required: false - schema: - type: boolean - - in: query - name: ignoreUnverified - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - getInputsTemplateExample: - description: Inputs template for a package - value: - inputs: - - description: Collect logs from log files - title: Collect logs from files - type: logfile - vars: - - name: paths - required: true - title: Paths - type: text - schema: - anyOf: - - type: string - - additionalProperties: false - type: object - properties: - connectors: - additionalProperties: - nullable: true - type: object - exporters: - additionalProperties: - nullable: true - type: object - extensions: - additionalProperties: - nullable: true - type: object - inputs: - items: - additionalProperties: false - type: object - properties: - id: - type: string - streams: - items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true - type: object - properties: - dataset: - type: string - type: - type: string - required: - - dataset - id: - type: string - required: - - id - - data_stream - maxItems: 10000 - type: array - type: - type: string - required: - - id - - type - maxItems: 10000 - type: array - processors: - additionalProperties: - nullable: true - type: object - receivers: - additionalProperties: - nullable: true - type: object - service: - additionalProperties: false - type: object - properties: - extensions: - items: - type: string - maxItems: 1000 - type: 
array - pipelines: - additionalProperties: - additionalProperties: false - type: object - properties: - exporters: - items: - type: string - maxItems: 1000 - type: array - processors: - items: - type: string - maxItems: 1000 - type: array - receivers: - items: - type: string - maxItems: 1000 - type: array - x-oas-optional: true - type: object - required: - - inputs - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get an inputs template - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/verification_key_id: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/verification_key_id
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the GPG key ID used to verify the signatures of packages from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-verification-key-id - parameters: [] - responses: - '200': - content: - application/json: - examples: - getVerificationKeyIdExample: - description: The GPG key ID used to verify package signatures - value: - id: D27D666CD88E42B4 - schema: - additionalProperties: false - type: object - properties: - id: - nullable: true - type: string - required: - - id - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a package signature verification key ID - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/fleet_server_hosts: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/fleet_server_hosts
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all Fleet Server hosts.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-settings-read. - operationId: get-fleet-fleet-server-hosts - parameters: [] - responses: - '200': - content: - application/json: - examples: - getFleetServerHostsExample: - description: List of Fleet Server hosts - value: - items: - - host_urls: - - https://fleet-server.example.com:8220 - id: fleet-server-host-id-1 - is_default: true - is_preconfigured: false - name: Default Fleet Server - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string 
- maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get Fleet Server hosts - tags: - - Fleet Server hosts - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/fleet_server_hosts
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new Fleet Server host.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-fleet-server-hosts - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postFleetServerHostRequestExample: - description: Create a new Fleet Server host - value: - host_urls: - - https://fleet-server.example.com:8220 - is_default: false - name: My Fleet Server - schema: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - 
type: string - key: - type: string - required: - - name - - host_urls - responses: - '200': - content: - application/json: - examples: - postFleetServerHostExample: - description: The created Fleet Server host - value: - item: - host_urls: - - https://fleet-server.example.com:8220 - id: fleet-server-host-id-2 - is_default: false - is_preconfigured: false - name: My Fleet Server - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id - required: - - 
item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create a Fleet Server host - tags: - - Fleet Server hosts - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/fleet_server_hosts/{itemId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: delete-fleet-fleet-server-hosts-itemid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: itemId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - deleteFleetServerHostExample: - description: The Fleet Server host was successfully deleted - value: - id: fleet-server-host-id-1 - schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: Fleet server fleet-server-host-id-1 not found - statusCode: 404 - description: Not Found - summary: Delete a Fleet Server host - tags: - - Fleet Server hosts - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-read. - operationId: get-fleet-fleet-server-hosts-itemid - parameters: - - in: path - name: itemId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getFleetServerHostExample: - description: A Fleet Server host - value: - item: - host_urls: - - https://fleet-server.example.com:8220 - id: fleet-server-host-id-1 - is_default: true - is_preconfigured: false - name: Default Fleet Server - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - 
maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: Fleet server fleet-server-host-id-1 not found - statusCode: 404 - description: Not Found - summary: Get a Fleet Server host - tags: - - Fleet Server hosts - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: put-fleet-fleet-server-hosts-itemid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: itemId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putFleetServerHostRequestExample: - description: Update a Fleet Server host - value: - host_urls: - - https://updated-fleet-server.example.com:8220 - is_default: false - name: Updated Fleet Server - schema: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - is_default: - type: boolean - is_internal: - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: 
string - key: - type: string - required: - - proxy_id - responses: - '200': - content: - application/json: - examples: - putFleetServerHostExample: - description: The updated Fleet Server host - value: - item: - host_urls: - - https://updated-fleet-server.example.com:8220 - id: fleet-server-host-id-1 - is_default: false - is_preconfigured: false - name: Updated Fleet Server - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id - required: - - 
item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: Fleet server fleet-server-host-id-1 not found - statusCode: 404 - description: Not Found - summary: Update a Fleet Server host - tags: - - Fleet Server hosts - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/health_check: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/health_check
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Check the health status of a Fleet Server instance by its host ID. Returns the server status and name if available.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-health-check - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postHealthCheckRequestExample: - description: Check the health of a Fleet Server instance by its host ID - value: - id: fleet-server-host-id-1 - schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - responses: - '200': - content: - application/json: - examples: - postHealthCheckHealthyExample: - description: Fleet Server is online and healthy - value: - name: fleet-server-1 - status: ONLINE - postHealthCheckUnreachableExample: - description: Fleet Server host is not reachable (request timed out or aborted) - value: - host_id: fleet-server-host-id-1 - status: OFFLINE - schema: - additionalProperties: false - type: object - properties: - host_id: - type: string - name: - type: string - status: - type: string - required: - - status - description: Successful health check response - '400': - content: - application/json: - examples: - badRequestExample: - description: The host ID exists but has no associated host URLs configured - value: - error: Bad Request - message: The requested host id fleet-server-host-id-1 does not have associated host urls. 
- statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: The requested host id fleet-server-host-id-1 does not exist. - statusCode: 404 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Not Found - summary: Check Fleet Server health - tags: - - Fleet internals - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/kubernetes: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/kubernetes
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the Kubernetes manifest for deploying Elastic Agent.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. - operationId: get-fleet-kubernetes - parameters: - - in: query - name: download - required: false - schema: - type: boolean - - in: query - name: fleetServer - required: false - schema: - type: string - - in: query - name: enrolToken - required: false - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getK8sManifestExample: - description: The Kubernetes manifest for deploying Elastic Agent - value: - item: 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n' - schema: - additionalProperties: false - type: object - properties: - item: - type: string - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a full K8s agent manifest - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/kubernetes/download: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/kubernetes/download
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Download the Kubernetes manifest for deploying Elastic Agent.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. - operationId: get-fleet-kubernetes-download - parameters: - - in: query - name: download - required: false - schema: - type: boolean - - in: query - name: fleetServer - required: false - schema: - type: string - - in: query - name: enrolToken - required: false - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getDownloadK8sManifestExample: - description: The Kubernetes manifest download - value: 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n' - schema: - type: string - description: Successful response — returns the Kubernetes manifest as a YAML file download - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No manifest was found - value: - error: Not Found - message: Agent manifest not found - statusCode: 404 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Not Found - summary: Download an agent manifest - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/logstash_api_keys: - post: - description: |- - **Spaces method and path 
for this operation:** - -
post /s/{space_id}/api/fleet/logstash_api_keys
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Generate an API key for Logstash to use with a Fleet output.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-logstash-api-keys - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - responses: - '200': - content: - application/json: - examples: - postLogstashApiKeyExample: - description: The generated Logstash API key - value: - api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA - schema: - additionalProperties: false - type: object - properties: - api_key: - type: string - required: - - api_key - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Generate a Logstash API key - tags: - - Fleet outputs - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/message_signing_service/rotate_key_pair: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/message_signing_service/rotate_key_pair
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Rotate the key pair used by Fleet to sign messages sent to Elastic Agents. This operation is irreversible and requires all agents in the Fleet to be re-enrolled after rotation. You must explicitly acknowledge the risk by passing `acknowledge=true` as a query parameter.

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. - operationId: post-fleet-message-signing-service-rotate-key-pair - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: query - name: acknowledge - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - rotateKeyPairSuccessExample: - description: The key pair was rotated. All agents must be re-enrolled to receive the new signing key. - value: - message: Key pair rotated successfully. - schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Key pair rotated successfully - '400': - content: - application/json: - examples: - acknowledgeRequiredExample: - description: Request was rejected because the acknowledge query parameter was not set to true - value: - error: Bad Request - message: 'Warning: this API will cause a key pair to rotate and should not be necessary in normal operation. If you proceed, you may need to reinstall Agents in your network. You must acknowledge the risks of rotating the key pair with acknowledge=true in the request parameters. For more information, reach out to your administrator.' - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '500': - content: - application/json: - examples: - serviceUnavailableExample: - description: The message signing service is not available - value: - error: Internal Server Error - message: Failed to rotate key pair. Message signing service is unavailable! 
- statusCode: 500 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Internal Server Error - summary: Rotate a Fleet message signing key pair - tags: - - Message Signing Service - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/outputs: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/outputs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all Fleet outputs.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read. - operationId: get-fleet-outputs - parameters: [] - responses: - '200': - content: - application/json: - examples: - getOutputsExample: - description: List of Fleet outputs - value: - items: - - hosts: - - https://elasticsearch.example.com:9200 - id: output-id-1 - is_default: true - is_default_monitoring: true - name: Default output - type: elasticsearch - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get outputs - tags: - - Fleet outputs - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/outputs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new Fleet output.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-outputs - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postOutputRequestExample: - description: Create a new Elasticsearch output - value: - hosts: - - https://elasticsearch.example.com:9200 - is_default: false - is_default_monitoring: false - name: My output - type: elasticsearch - schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_remote_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_kafka' - responses: - '200': - content: - application/json: - examples: - postOutputExample: - description: The created Fleet output - value: - item: - hosts: - - https://elasticsearch.example.com:9200 - id: output-id-2 - is_default: false - is_default_monitoring: false - name: My output - type: elasticsearch - schema: - additionalProperties: false - type: object - properties: - item: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - 
errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create output - tags: - - Fleet outputs - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/outputs/{outputId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/outputs/{outputId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete output by ID.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: delete-fleet-outputs-outputid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: outputId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - deleteOutputExample: - description: The output was successfully deleted - value: - id: output-id-1 - schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No output was found with the given ID - value: - error: Not Found - message: Output output-id-1 not found - statusCode: 404 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Not Found - summary: Delete output - tags: - - Fleet outputs - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/outputs/{outputId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get output by ID.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read. - operationId: get-fleet-outputs-outputid - parameters: - - in: path - name: outputId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getOutputExample: - description: A Fleet output - value: - item: - hosts: - - https://elasticsearch.example.com:9200 - id: output-id-1 - is_default: true - is_default_monitoring: true - name: Default output - type: elasticsearch - schema: - additionalProperties: false - type: object - properties: - item: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No output was found with the given ID - value: - error: Not Found - message: Output output-id-1 not found - statusCode: 404 - description: Not Found - summary: Get output - tags: - - Fleet outputs - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/outputs/{outputId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update output by ID.

[Required authorization] Route required privileges: fleet-settings-all OR fleet-agent-policies-all. - operationId: put-fleet-outputs-outputid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: outputId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putOutputRequestExample: - description: Update a Fleet output - value: - hosts: - - https://updated-elasticsearch.example.com:9200 - name: Updated output - schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_remote_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_kafka' - responses: - '200': - content: - application/json: - examples: - putOutputExample: - description: The updated Fleet output - value: - item: - hosts: - - https://updated-elasticsearch.example.com:9200 - id: output-id-1 - is_default: true - is_default_monitoring: true - name: Updated output - type: elasticsearch - schema: - additionalProperties: false - type: object - properties: - item: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - 
attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No output was found with the given ID - value: - error: Not Found - message: Output output-id-1 not found - statusCode: 404 - description: Not Found - summary: Update output - tags: - - Fleet outputs - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/outputs/{outputId}/health: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/outputs/{outputId}/health
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the latest health status of an output by ID.

[Required authorization] Route required privileges: fleet-settings-read. - operationId: get-fleet-outputs-outputid-health - parameters: - - in: path - name: outputId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getOutputHealthExample: - description: The latest health status of a Fleet output - value: - message: '' - state: HEALTHY - timestamp: '2024-01-15T10:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - message: - description: long message if unhealthy - type: string - state: - description: state of output, HEALTHY or DEGRADED - type: string - timestamp: - description: timestamp of reported state - type: string - required: - - state - - message - - timestamp - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get the latest output health - tags: - - Fleet outputs - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/package_policies: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/package_policies
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all package policies. - operationId: get-fleet-package-policies - parameters: - - in: query - name: page - required: false - schema: - type: number - - in: query - name: perPage - required: false - schema: - type: number - - in: query - name: sortField - required: false - schema: - type: string - - in: query - name: sortOrder - required: false - schema: - enum: - - desc - - asc - type: string - - in: query - name: showUpgradeable - required: false - schema: - type: boolean - - in: query - name: kuery - required: false - schema: - type: string - - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - - in: query - name: withAgentCount - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - getPackagePoliciesExample: - description: List of package policies - value: - items: - - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. 
- maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: 
false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. 
Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. 
Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get package policies - tags: - - Fleet package policies - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- 
- **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/package_policies
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new package policy and assign it to an agent policy. - operationId: post-fleet-package-policies - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - requestBody: - content: - application/json: - examples: - postPackagePolicyRequestExample: - description: Create a new nginx package policy - value: - inputs: {} - name: nginx-1 - namespace: default - package: - name: nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - schema: - anyOf: - - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - description: - description: Package policy description - type: string - enabled: - type: boolean - force: - description: Force package policy creation even if the package is not verified, or if the agent policy is managed. 
- type: boolean - id: - description: Package policy unique identifier - type: string - inputs: - items: - additionalProperties: false - type: object - properties: - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - 
migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - maxItems: 1000 - type: array - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - deprecated: true - description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - name - - inputs - - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 100 - nullable: true - type: array - description: - description: Policy description. - type: string - force: - description: Force package policy creation even if the package is not verified, or if the agent policy is managed. - type: boolean - id: - description: Policy unique identifier. - type: string - inputs: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - name: - description: Unique name for the policy. - type: string - namespace: - description: Policy namespace. When not specified, it inherits the agent policy namespace. 
- type: string - output_id: - nullable: true - type: string - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - policy_id: - deprecated: true - description: Deprecated. Use policy_ids instead. - nullable: true - type: string - policy_ids: - description: IDs of the agent policies which that package policy will be added to. - items: - type: string - maxItems: 1000 - type: array - supports_agentless: - default: false - deprecated: true - description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. - nullable: true - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. 
- type: object - required: - - name - - package - description: You should use inputs as an object and not use the deprecated inputs array. - responses: - '200': - content: - application/json: - examples: - postPackagePolicyExample: - description: The created package policy - value: - item: - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-2 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - id: - description: Package policy unique identifier. 
- type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - 
release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). 
- type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. 
- is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. 
- type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '409': - content: - application/json: - examples: - conflictExample: - description: A package policy with the same name already exists - value: - error: Conflict - message: An error message describing what went wrong - statusCode: 409 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Conflict - summary: Create a package policy - tags: - - Fleet package policies - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/package_policies/_bulk_get: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/package_policies/_bulk_get
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get multiple package policies by ID. - operationId: post-fleet-package-policies-bulk-get - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - requestBody: - content: - application/json: - examples: - postBulkGetPackagePoliciesRequestExample: - description: Retrieve multiple package policies by ID - value: - ids: - - package-policy-id-1 - - package-policy-id-2 - schema: - additionalProperties: false - type: object - properties: - ids: - description: list of package policy ids - items: - type: string - maxItems: 1000 - type: array - ignoreMissing: - type: boolean - required: - - ids - responses: - '200': - content: - application/json: - examples: - postBulkGetPackagePoliciesExample: - description: The requested package policies - value: - items: - - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. 
- maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: 
false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. 
Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. 
Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: One or more package policies were not found - value: - error: Not Found - message: Package policy package-policy-id-2 not found - statusCode: 404 - schema: - 
additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Not Found - summary: Bulk get package policies - tags: - - Fleet package policies - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/package_policies/{packagePolicyId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a package policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. - operationId: delete-fleet-package-policies-packagepolicyid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: packagePolicyId - required: true - schema: - type: string - - in: query - name: force - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - deletePackagePolicyExample: - description: The package policy was successfully deleted - value: - id: package-policy-id-1 - schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete a package policy - tags: - - Fleet package policies - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a package policy by ID. - operationId: get-fleet-package-policies-packagepolicyid - parameters: - - in: path - name: packagePolicyId - required: true - schema: - type: string - - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - responses: - '200': - content: - application/json: - examples: - getPackagePolicyExample: - description: A package policy - value: - item: - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - id: - description: Package policy unique identifier. 
- type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - 
release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). 
- type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. 
- is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. 
- type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No package policy was found with the given ID - value: - error: Not Found - message: Package policy package-policy-id-1 not found - statusCode: 404 - schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Not Found - summary: Get a package policy - tags: - - Fleet package policies - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a package policy by ID. - operationId: put-fleet-package-policies-packagepolicyid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: packagePolicyId - required: true - schema: - type: string - - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - requestBody: - content: - application/json: - examples: - putPackagePolicyRequestExample: - description: Update a package policy - value: - enabled: true - inputs: {} - name: nginx-1-updated - namespace: default - package: - name: nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - schema: - anyOf: - - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. 
- maxLength: 255 - minLength: 1 - nullable: true - type: string - description: - description: Package policy description - type: string - enabled: - type: boolean - force: - type: boolean - inputs: - items: - additionalProperties: false - type: object - properties: - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - 
description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - maxItems: 1000 - type: array - is_managed: - type: boolean - name: - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - version: - type: string - - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 100 - nullable: true - type: array - description: - description: Policy description. - type: string - force: - description: Force package policy creation even if the package is not verified, or if the agent policy is managed. - type: boolean - id: - description: Policy unique identifier. - type: string - inputs: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - name: - description: Unique name for the policy. - type: string - namespace: - description: Policy namespace. When not specified, it inherits the agent policy namespace. 
- type: string - output_id: - nullable: true - type: string - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - policy_id: - deprecated: true - description: Deprecated. Use policy_ids instead. - nullable: true - type: string - policy_ids: - description: IDs of the agent policies which that package policy will be added to. - items: - type: string - maxItems: 1000 - type: array - supports_agentless: - default: false - deprecated: true - description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. - nullable: true - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. 
- type: object - required: - - name - - package - responses: - '200': - content: - application/json: - examples: - putPackagePolicyExample: - description: The updated package policy - value: - item: - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1-updated - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T11:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - id: - description: Package policy unique identifier. 
- type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - 
release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). 
- type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. 
- is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. 
- type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '403': - content: - application/json: - examples: - forbiddenExample: - description: The update is not authorized for this package - value: - error: Forbidden - message: An error message describing what went wrong - statusCode: 403 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Forbidden - summary: Update a package policy - tags: - - Fleet package policies - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/package_policies/delete: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/package_policies/delete
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete multiple package policies by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. - operationId: post-fleet-package-policies-delete - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postDeletePackagePoliciesRequestExample: - description: Delete multiple package policies by ID - value: - packagePolicyIds: - - package-policy-id-1 - - package-policy-id-2 - schema: - additionalProperties: false - type: object - properties: - force: - type: boolean - packagePolicyIds: - items: - type: string - maxItems: 1000 - type: array - required: - - packagePolicyIds - responses: - '200': - content: - application/json: - examples: - postDeletePackagePoliciesExample: - description: Results of the bulk delete operation - value: - - id: package-policy-id-1 - success: true - - id: package-policy-id-2 - success: true - schema: - items: - additionalProperties: false - type: object - properties: - body: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - id: - type: string - name: - type: string - output_id: - nullable: true - type: string - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - 
- version - policy_id: - deprecated: true - description: Use `policy_ids` instead - nullable: true - type: string - policy_ids: - items: - type: string - maxItems: 10000 - type: array - statusCode: - type: number - success: - type: boolean - required: - - id - - success - - policy_ids - - package - maxItems: 10000 - type: array - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk delete package policies - tags: - - Fleet package policies - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/package_policies/upgrade: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/package_policies/upgrade
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. - operationId: post-fleet-package-policies-upgrade - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postUpgradePackagePoliciesRequestExample: - description: Upgrade package policies to the latest version - value: - packagePolicyIds: - - package-policy-id-1 - schema: - additionalProperties: false - type: object - properties: - packagePolicyIds: - items: - type: string - maxItems: 1000 - type: array - required: - - packagePolicyIds - responses: - '200': - content: - application/json: - examples: - postUpgradePackagePoliciesExample: - description: Results of the upgrade operation - value: - - id: package-policy-id-1 - name: nginx-1 - success: true - schema: - items: - additionalProperties: false - type: object - properties: - body: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - id: - type: string - name: - type: string - statusCode: - type: number - success: - type: boolean - required: - - id - - success - maxItems: 10000 - type: array - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Upgrade a package policy - tags: - - Fleet package policies - x-metaTags: - - content: Kibana - name: product_name - 
/api/fleet/package_policies/upgrade/dryrun: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/package_policies/upgrade/dryrun
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Preview the changes that would be applied by upgrading a package policy to a newer package version.

[Required authorization] Route required privileges: fleet-agent-policies-read AND integrations-read. - operationId: post-fleet-package-policies-upgrade-dryrun - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postDryRunPackagePoliciesRequestExample: - description: Dry run an upgrade of a package policy - value: - packagePolicyIds: - - package-policy-id-1 - schema: - additionalProperties: false - type: object - properties: - packagePolicyIds: - items: - type: string - maxItems: 1000 - type: array - packageVersion: - type: string - required: - - packagePolicyIds - responses: - '200': - content: - application/json: - examples: - postDryRunPackagePoliciesExample: - description: Preview of the package policy upgrade diff - value: - - diff: - - id: package-policy-id-1 - name: nginx-1 - package: - name: nginx - version: 1.20.0 - - name: nginx-1 - package: - name: nginx - version: 1.21.0 - hasErrors: false - name: nginx-1 - schema: - items: - additionalProperties: false - type: object - properties: - agent_diff: - items: - items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true - type: object - properties: - namespace: - type: string - required: - - namespace - id: - type: string - meta: - additionalProperties: true - type: object - properties: - package: - additionalProperties: true - type: object - properties: - name: - type: string - version: - type: string - required: - - name - - version - required: - - package - name: - type: string - package_policy_id: - type: string - processors: - items: - additionalProperties: true - type: object - properties: - add_fields: - additionalProperties: true - type: object - properties: - fields: - additionalProperties: - anyOf: - - type: string - - type: number - type: object - target: - type: string - 
required: - - target - - fields - required: - - add_fields - maxItems: 10000 - type: array - revision: - type: number - streams: - items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true - type: object - properties: - dataset: - type: string - type: - type: string - required: - - dataset - id: - type: string - required: - - data_stream - maxItems: 10000 - type: array - type: - type: string - use_output: - type: string - required: - - id - - name - - revision - - type - - data_stream - - use_output - - package_policy_id - maxItems: 10000 - type: array - maxItems: 1 - type: array - body: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - diff: - items: - anyOf: - - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. 
- maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - id: - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - 
items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. 
Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. 
Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - inputs - - revision - - updated_at - - updated_by - - created_at - - created_by - - additionalProperties: true - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. 
- maxLength: 255 - minLength: 1 - nullable: true - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - errors: - items: - additionalProperties: false - type: object - properties: - key: - type: string - message: - type: string - required: - - message - maxItems: 10 - type: array - force: - type: boolean - id: - type: string - inputs: - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: 
false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - is_managed: - type: boolean - missingVars: - items: - type: string - maxItems: 100 - type: array - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. 
- nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - maxItems: 2 - type: array - hasErrors: - type: boolean - name: - type: string - statusCode: - type: number - required: - - hasErrors - maxItems: 10000 - type: array - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Dry run a package policy upgrade - tags: - - Fleet package policies - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/proxies: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/proxies
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all Fleet proxies.

[Required authorization] Route required privileges: fleet-settings-read. - operationId: get-fleet-proxies - parameters: [] - responses: - '200': - content: - application/json: - examples: - getFleetProxiesExample: - description: List of Fleet proxies - value: - items: - - id: proxy-id-1 - is_preconfigured: false - name: My proxy - url: http://proxy.example.com:3128 - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - id: - type: string - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: - type: string - required: - - id - - url - - name - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get proxies - tags: - - Fleet proxies - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/proxies
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new Fleet proxy.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-proxies - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postFleetProxyRequestExample: - description: Create a new Fleet proxy - value: - name: My proxy - url: http://proxy.example.com:3128 - schema: - additionalProperties: false - type: object - properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - id: - type: string - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: - type: string - required: - - url - - name - responses: - '200': - content: - application/json: - examples: - postFleetProxyExample: - description: The created Fleet proxy - value: - item: - id: proxy-id-2 - is_preconfigured: false - name: My proxy - url: http://proxy.example.com:3128 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - id: - type: string - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: - type: string - required: - - id - - url - - name - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - 
value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create a proxy - tags: - - Fleet proxies - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/proxies/{itemId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/proxies/{itemId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a proxy by ID

[Required authorization] Route required privileges: fleet-settings-all. - operationId: delete-fleet-proxies-itemid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: itemId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - deleteFleetProxyExample: - description: The Fleet proxy was successfully deleted - value: - id: proxy-id-1 - schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No proxy was found with the given ID - value: - error: Not Found - message: Fleet proxy proxy-id-1 not found - statusCode: 404 - description: Not Found - summary: Delete a proxy - tags: - - Fleet proxies - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/proxies/{itemId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-read. - operationId: get-fleet-proxies-itemid - parameters: - - in: path - name: itemId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getFleetProxyExample: - description: A Fleet proxy - value: - item: - id: proxy-id-1 - is_preconfigured: false - name: My proxy - url: http://proxy.example.com:3128 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - id: - type: string - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: - type: string - required: - - id - - url - - name - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No proxy was found with the given ID - value: - error: Not Found - message: Fleet proxy proxy-id-1 not found - statusCode: 404 - description: Not Found - summary: Get a proxy - tags: - - Fleet proxies - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path 
for this operation:** - -
put /s/{space_id}/api/fleet/proxies/{itemId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: put-fleet-proxies-itemid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: itemId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putFleetProxyRequestExample: - description: Update a Fleet proxy - value: - name: Updated proxy - url: http://updated-proxy.example.com:3128 - schema: - additionalProperties: false - type: object - properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: - type: string - required: - - certificate_authorities - - certificate - - certificate_key - responses: - '200': - content: - application/json: - examples: - putFleetProxyExample: - description: The updated Fleet proxy - value: - item: - id: proxy-id-1 - is_preconfigured: false - name: Updated proxy - url: http://updated-proxy.example.com:3128 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - id: - type: string - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: - type: string - required: - - id - - url - - name - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - 
genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No proxy was found with the given ID - value: - error: Not Found - message: Proxy proxy-id-1 not found - statusCode: 404 - description: Not Found - summary: Update a proxy - tags: - - Fleet proxies - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/remote_synced_integrations/{outputId}/remote_status: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/remote_synced_integrations/{outputId}/remote_status
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the synchronization status of remote integrations for a specific output by its ID.

[Required authorization] Route required privileges: fleet-settings-read AND integrations-read. - operationId: get-fleet-remote-synced-integrations-outputid-remote-status - parameters: - - in: path - name: outputId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getRemoteSyncedIntegrationsInfoExample: - description: Synchronization status of remote integrations for a specific output - value: - integrations: - - id: nginx-remote - install_status: - main: installed - remote: installed - package_name: nginx - package_version: 1.20.0 - sync_status: COMPLETED - updated_at: '2024-01-01T00:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - custom_assets: - additionalProperties: - additionalProperties: false - type: object - properties: - error: - type: string - is_deleted: - type: boolean - name: - type: string - package_name: - type: string - package_version: - type: string - sync_status: - enum: - - completed - - synchronizing - - failed - - warning - type: string - type: - type: string - warning: - additionalProperties: false - type: object - properties: - message: - type: string - title: - type: string - required: - - title - required: - - type - - name - - package_name - - package_version - - sync_status - type: object - error: - type: string - integrations: - items: - additionalProperties: false - type: object - properties: - error: - type: string - id: - type: string - install_status: - additionalProperties: false - type: object - properties: - main: - type: string - remote: - type: string - required: - - main - package_name: - type: string - package_version: - type: string - sync_status: - enum: - - completed - - synchronizing - - failed - - warning - type: string - updated_at: - type: string - warning: - additionalProperties: false - type: object - properties: - message: - type: string - title: - type: string - required: - - title - required: - - sync_status - - 
install_status - maxItems: 10000 - type: array - warning: - additionalProperties: false - type: object - properties: - message: - type: string - title: - type: string - required: - - title - required: - - integrations - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get remote synced integrations status by outputId - tags: - - Fleet remote synced integrations - x-state: Generally available; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/remote_synced_integrations/status: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/remote_synced_integrations/status
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the synchronization status of all remote integrations across connected remote clusters.

[Required authorization] Route required privileges: fleet-settings-read AND integrations-read. - operationId: get-fleet-remote-synced-integrations-status - parameters: [] - responses: - '200': - content: - application/json: - examples: - getRemoteSyncedIntegrationsStatusExample: - description: Synchronization status of remote integrations across connected remote clusters - value: - integrations: - - id: nginx-remote - install_status: - main: installed - remote: installed - package_name: nginx - package_version: 1.20.0 - sync_status: COMPLETED - updated_at: '2024-01-01T00:00:00.000Z' - - error: Failed to sync package to remote cluster - id: system-remote - install_status: - main: installed - remote: not_installed - package_name: system - package_version: 1.38.0 - sync_status: FAILED - updated_at: '2024-01-01T00:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - custom_assets: - additionalProperties: - additionalProperties: false - type: object - properties: - error: - type: string - is_deleted: - type: boolean - name: - type: string - package_name: - type: string - package_version: - type: string - sync_status: - enum: - - completed - - synchronizing - - failed - - warning - type: string - type: - type: string - warning: - additionalProperties: false - type: object - properties: - message: - type: string - title: - type: string - required: - - title - required: - - type - - name - - package_name - - package_version - - sync_status - type: object - error: - type: string - integrations: - items: - additionalProperties: false - type: object - properties: - error: - type: string - id: - type: string - install_status: - additionalProperties: false - type: object - properties: - main: - type: string - remote: - type: string - required: - - main - package_name: - type: string - package_version: - type: string - sync_status: - enum: - - completed - - synchronizing - - failed - - warning - type: string - updated_at: - type: string - warning: - 
additionalProperties: false - type: object - properties: - message: - type: string - title: - type: string - required: - - title - required: - - sync_status - - install_status - maxItems: 10000 - type: array - warning: - additionalProperties: false - type: object - properties: - message: - type: string - title: - type: string - required: - - title - required: - - integrations - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get remote synced integrations status - tags: - - Fleet remote synced integrations - x-state: Generally available; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/service_tokens: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/service_tokens
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a Fleet Server service token. The token is used to enroll Fleet Server instances with Kibana.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-service-tokens - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postGenerateServiceTokenRequestExample: - description: Generate a service token for a remote Fleet Server - value: - remote: true - schema: - additionalProperties: false - nullable: true - type: object - properties: - remote: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - postGenerateServiceTokenExample: - description: The generated Fleet Server service token - value: - name: elastic/fleet-server/token-1234567890 - value: AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTEyMzQ1Njc4OTA6QUJDREVGR0hJSktMTU5P - schema: - additionalProperties: false - type: object - properties: - name: - type: string - value: - type: string - required: - - name - - value - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create a service token - tags: - - Fleet service tokens - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/settings: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/settings
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the global Fleet settings.

[Required authorization] Route required privileges: fleet-settings-read. - operationId: get-fleet-settings - parameters: [] - responses: - '200': - content: - application/json: - examples: - getSettingsExample: - description: The current Fleet settings - value: - item: - delete_unenrolled_agents: - enabled: false - is_preconfigured: false - has_seen_add_data_notice: true - id: fleet-default-settings - output_secret_storage_requirements_met: true - prerelease_integrations_enabled: false - secret_storage_requirements_met: true - version: WzEsMV0= - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - action_secret_storage_requirements_met: - type: boolean - delete_unenrolled_agents: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - is_preconfigured: - type: boolean - required: - - enabled - - is_preconfigured - download_source_auth_secret_storage_requirements_met: - type: boolean - has_seen_add_data_notice: - type: boolean - id: - type: string - ilm_migration_status: - additionalProperties: false - type: object - properties: - logs: - enum: - - success - nullable: true - type: string - metrics: - enum: - - success - nullable: true - type: string - synthetics: - enum: - - success - nullable: true - type: string - integration_knowledge_enabled: - type: boolean - output_secret_storage_requirements_met: - type: boolean - preconfigured_fields: - items: - enum: - - fleet_server_hosts - type: string - maxItems: 1 - type: array - prerelease_integrations_enabled: - type: boolean - secret_storage_requirements_met: - type: boolean - ssl_secret_storage_requirements_met: - type: boolean - use_space_awareness_migration_started_at: - nullable: true - type: string - use_space_awareness_migration_status: - enum: - - pending - - success - - error - type: string - version: - type: string - required: - - item - description: Successful response - '400': - content: - 
application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: Fleet settings have not been initialized - value: - error: Not Found - message: Settings not found - statusCode: 404 - schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Not Found - summary: Get settings - tags: - - Fleet internals - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/settings
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update the global Fleet settings.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: put-fleet-settings - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - putSettingsRequestExample: - description: Update Fleet settings to enable pre-release integrations - value: - prerelease_integrations_enabled: true - schema: - additionalProperties: false - type: object - properties: - additional_yaml_config: - deprecated: true - type: string - delete_unenrolled_agents: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - is_preconfigured: - type: boolean - required: - - enabled - - is_preconfigured - has_seen_add_data_notice: - deprecated: true - type: boolean - integration_knowledge_enabled: - type: boolean - kibana_ca_sha256: - deprecated: true - type: string - kibana_urls: - deprecated: true - items: - format: uri - type: string - maxItems: 10 - type: array - prerelease_integrations_enabled: - type: boolean - responses: - '200': - content: - application/json: - examples: - putSettingsExample: - description: The updated Fleet settings - value: - item: - delete_unenrolled_agents: - enabled: false - is_preconfigured: false - has_seen_add_data_notice: true - id: fleet-default-settings - output_secret_storage_requirements_met: true - prerelease_integrations_enabled: true - secret_storage_requirements_met: true - version: WzIsMV0= - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - action_secret_storage_requirements_met: - type: boolean - delete_unenrolled_agents: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - is_preconfigured: - type: boolean - required: - - enabled - - is_preconfigured - download_source_auth_secret_storage_requirements_met: - 
type: boolean - has_seen_add_data_notice: - type: boolean - id: - type: string - ilm_migration_status: - additionalProperties: false - type: object - properties: - logs: - enum: - - success - nullable: true - type: string - metrics: - enum: - - success - nullable: true - type: string - synthetics: - enum: - - success - nullable: true - type: string - integration_knowledge_enabled: - type: boolean - output_secret_storage_requirements_met: - type: boolean - preconfigured_fields: - items: - enum: - - fleet_server_hosts - type: string - maxItems: 1 - type: array - prerelease_integrations_enabled: - type: boolean - secret_storage_requirements_met: - type: boolean - ssl_secret_storage_requirements_met: - type: boolean - use_space_awareness_migration_started_at: - nullable: true - type: string - use_space_awareness_migration_status: - enum: - - pending - - success - - error - type: string - version: - type: string - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: Fleet settings have not been initialized - value: - error: Not Found - message: Settings not found - statusCode: 404 - schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Not Found - summary: Update settings - tags: - - Fleet internals - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/setup: - 
post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/setup
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Initialize Fleet and create the necessary Elasticsearch resources for Fleet to operate. Safe to call multiple times (idempotent). Returns the initialization status and any non-fatal errors encountered during setup.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. - operationId: post-fleet-setup - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - responses: - '200': - content: - application/json: - examples: - fleetSetupSuccessExample: - description: Fleet initialized successfully with no non-fatal errors - value: - isInitialized: true - nonFatalErrors: [] - fleetSetupWithNonFatalErrorsExample: - description: Fleet initialized but encountered non-fatal errors during setup - value: - isInitialized: true - nonFatalErrors: - - message: Package fleet_server not found in registry - name: PackageNotFoundError - schema: - additionalProperties: false - description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup. 
- type: object - properties: - isInitialized: - type: boolean - nonFatalErrors: - items: - additionalProperties: false - type: object - properties: - message: - type: string - name: - type: string - required: - - name - - message - maxItems: 10000 - type: array - required: - - isInitialized - - nonFatalErrors - description: Fleet setup completed - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '500': - content: - application/json: - examples: - internalErrorResponseExample: - description: Example of an internal server error response - value: - error: Internal Server Error - message: An error message describing what went wrong - statusCode: 500 - schema: - additionalProperties: false - description: Internal Server Error - type: object - properties: - message: - type: string - required: - - message - description: Internal Server Error - summary: Initiate Fleet setup - tags: - - Fleet internals - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/space_settings: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/space_settings
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the Fleet settings for the current Kibana space. - operationId: get-fleet-space-settings - parameters: [] - responses: - '200': - content: - application/json: - examples: - getSpaceSettingsExample: - description: The Fleet settings for the current Kibana space - value: - item: - allowed_namespace_prefixes: - - team-a - - team-b - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - allowed_namespace_prefixes: - items: - type: string - maxItems: 100 - type: array - managed_by: - type: string - required: - - allowed_namespace_prefixes - required: - - item - description: Successful response - summary: Get space settings - tags: [] - x-state: Generally available; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/space_settings
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create or update Fleet settings for the current Kibana space.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: put-fleet-space-settings - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - putSpaceSettingsRequestExample: - description: Update allowed namespace prefixes for the current Kibana space - value: - allowed_namespace_prefixes: - - team-a - - team-b - schema: - additionalProperties: false - type: object - properties: - allowed_namespace_prefixes: - items: - type: string - maxItems: 10 - type: array - responses: - '200': - content: - application/json: - examples: - putSpaceSettingsExample: - description: The updated Fleet settings for the current Kibana space - value: - item: - allowed_namespace_prefixes: - - team-a - - team-b - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - allowed_namespace_prefixes: - items: - type: string - maxItems: 100 - type: array - managed_by: - type: string - required: - - allowed_namespace_prefixes - required: - - item - description: Successful response - summary: Create space settings - tags: [] - x-state: Generally available; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/uninstall_tokens: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/uninstall_tokens
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: get-fleet-uninstall-tokens - parameters: - - description: Partial match filtering for policy IDs - in: query - name: policyId - required: false - schema: - maxLength: 50 - type: string - - in: query - name: search - required: false - schema: - maxLength: 50 - type: string - - description: The number of items to return - in: query - name: perPage - required: false - schema: - minimum: 5 - type: number - - in: query - name: page - required: false - schema: - minimum: 1 - type: number - responses: - '200': - content: - application/json: - examples: - getUninstallTokensExample: - description: List of uninstall token metadata for agent policies - value: - items: - - created_at: '2024-01-01T00:00:00.000Z' - id: token-id-1 - namespaces: - - default - policy_id: policy-id-1 - policy_name: Default policy - - created_at: '2024-01-02T00:00:00.000Z' - id: token-id-2 - namespaces: - - production - policy_id: policy-id-2 - policy_name: Production policy - page: 1 - perPage: 20 - total: 2 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - created_at: - type: string - id: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - policy_id: - type: string - policy_name: - nullable: true - type: string - required: - - id - - policy_id - - created_at - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': - content: - application/json: - examples: - conflictingQueryParamsExample: - description: Both policyId and search query parameters were provided - value: - error: Bad Request - message: Query parameters `policyId` and `search` cannot be used at the same time. 
- statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get metadata for latest uninstall tokens - tags: - - Fleet uninstall tokens - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/uninstall_tokens/{uninstallTokenId}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/uninstall_tokens/{uninstallTokenId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: get-fleet-uninstall-tokens-uninstalltokenid - parameters: - - in: path - name: uninstallTokenId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getUninstallTokenExample: - description: Decrypted uninstall token for an agent policy - value: - item: - created_at: '2024-01-01T00:00:00.000Z' - id: token-id-1 - namespaces: - - default - policy_id: policy-id-1 - policy_name: Default policy - token: CKHJsJcBqNwIRcRBNDaE - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - created_at: - type: string - id: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - policy_id: - type: string - policy_name: - nullable: true - type: string - token: - type: string - required: - - id - - policy_id - - created_at - - token - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No uninstall token was found with the given ID - value: - error: Not Found - message: Uninstall Token not found with ID token-id-1 - statusCode: 404 - description: Not Found - summary: Get a decrypted uninstall token - tags: - - Fleet uninstall tokens - x-metaTags: - - content: Kibana - name: product_name - /api/lists: - delete: - 
description: | - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/lists
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a value list using the list ID. - > info - > When you delete a list, all of its list items are also deleted. - operationId: DeleteList - parameters: - - in: query - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: Determines whether exception items referencing this value list should be deleted. - in: query - name: deleteReferences - required: false - schema: - default: false - example: false - type: boolean - - description: Determines whether to delete value list without performing any additional checks of where this list may be utilized. - in: query - name: ignoreReferences - required: false - schema: - default: false - example: false - type: boolean - responses: - '200': - content: - application/json: - examples: - ipList: - value: - _version: WzIsMV0= - '@timestamp': '2025-01-08T04:47:34.273Z' - created_at: '2025-01-08T04:47:34.273Z' - created_by: elastic - description: List of bad internet ips. 
- id: 21b01cfb-058d-44b9-838c-282be16c91cd - immutable: false - name: Bad ips - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: '2025-01-08T05:39:39.292Z' - updated_by: elastic - version: 3 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: id: Required' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [DELETE /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list id: \"ip_list\" was not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: 
'#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Delete a value list - tags: - - Security Lists API - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/lists
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the details of a value list using the list ID. - operationId: ReadList - parameters: - - in: query - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - responses: - '200': - content: - application/json: - examples: - ip: - value: - _version: WzEsMV0= - '@timestamp': '2025-01-08T04:47:34.273Z' - created_at: '2025-01-08T04:47:34.273Z' - created_by: elastic - description: This list describes bad internet ip - id: ip_list - immutable: false - name: My bad ips - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: '2025-01-08T05:21:53.843Z' - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: id: Required' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [GET /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: 
'#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value list details - tags: - - Security Lists API - x-metaTags: - - content: Kibana - name: product_name - patch: - description: |- - **Spaces method and path for this operation:** - -
patch /s/{space_id}/api/lists
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update specific fields of an existing list using the list `id`. - operationId: PatchList - requestBody: - content: - application/json: - schema: - example: - id: ip_list - name: Bad ips list - UPDATED - type: object - properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - version: - $ref: '#/components/schemas/Security_Lists_API_ListVersion' - required: - - id - description: Value list's properties - required: true - responses: - '200': - content: - application/json: - examples: - ip: - value: - _version: WzEsMV0= - '@timestamp': '2025-01-08T04:47:34.273Z' - created_at: '2025-01-08T04:47:34.273Z' - created_by: elastic - description: This list describes bad internet ips - id: ip_list - immutable: false - name: Bad ips list - UPDATED - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: '2025-01-08T05:21:53.843Z' - updated_by: elastic - version: 2 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: name: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user 
[elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [PATCH /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Patch a value list - tags: - - Security Lists API - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/lists
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new value list. - operationId: CreateList - requestBody: - content: - application/json: - examples: - ip: - value: - description: This list describes bad internet ips - id: ip_list - name: Simple list with ips - type: ip - ip_range: - value: - description: This list has ip ranges - id: ip_range_list - name: Simple list with ip ranges - type: ip_range - keyword: - value: - description: This list describes bad host names - id: keyword_list - name: Simple list with a keyword - type: keyword - keyword_custom_format: - value: - description: This parses the first found ipv4 only - id: keyword_custom_format_list - name: Simple list with a keyword using a custom format - type: keyword - schema: - type: object - properties: - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - type: - $ref: '#/components/schemas/Security_Lists_API_ListType' - version: - default: 1 - minimum: 1 - type: integer - required: - - name - - description - - type - description: Value list's properties - required: true - responses: - '200': - content: - application/json: - examples: - ip: - value: - _version: WzAsMV0= - '@timestamp': '2025-01-08T04:47:34.273Z' - created_at: '2025-01-08T04:47:34.273Z' - created_by: elastic - description: This list describes bad internet ips - id: ip_list - immutable: false - name: Simple list with ips - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: '2025-01-08T04:47:34.273Z' - updated_by: elastic - version: 1 - ip_range: - value: - _version: WzAsMV0= - '@timestamp': '2025-01-09T18:23:52.241Z' - created_at: '2025-01-09T18:23:52.241Z' - created_by: elastic - description: This list has ip ranges - id: 
ip_range_list - immutable: false - name: Simple list with ip ranges - tie_breaker_id: 74aebdaf-601f-4940-b351-155728ff7003 - type: ip_range - updated_at: '2025-01-09T18:23:52.241Z' - updated_by: elastic - version: 1 - keyword: - value: - _version: WzEsMV0= - '@timestamp': '2025-01-09T18:24:55.786Z' - created_at: '2025-01-09T18:24:55.786Z' - created_by: elastic - description: This list describes bad host names - id: keyword_list - immutable: false - name: Simple list with a keyword - tie_breaker_id: f7e7dbaa-daf7-4c9a-a3dc-56643923ef68 - type: keyword - updated_at: '2025-01-09T18:24:55.786Z' - updated_by: elastic - version: 1 - keyword_custom_format: - value: - _version: WzIsMV0= - '@timestamp': '2025-01-09T18:25:39.604Z' - created_at: '2025-01-09T18:25:39.604Z' - created_by: elastic - description: This parses the first found ipv4 only - id: keyword_custom_format_list - immutable: false - name: Simple list with a keyword using a custom format - tie_breaker_id: 8247ae63-b780-47b8-9a89-948b643e9ec2 - type: keyword - updated_at: '2025-01-09T18:25:39.604Z' - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - notFound: - value: - message: To create a list, the data stream must exist first. 
Data stream \".lists-default\" does not exist - status_code: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [POST /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json: - examples: - alreadyExists: - value: - message: 'list id: "keyword_custom_format_list" already exists' - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List already exists response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Create a value list - tags: - - Security Lists API - x-metaTags: - - content: Kibana - name: product_name - put: - description: | - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/lists
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a value list using the list `id`. The original list is replaced, and all unspecified fields are deleted. - > info - > You cannot modify the `id` value. - operationId: UpdateList - requestBody: - content: - application/json: - schema: - example: - description: Latest list of bad ips - id: ip_list - name: Bad ips - updated - type: object - properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - version: - $ref: '#/components/schemas/Security_Lists_API_ListVersion' - required: - - id - - name - - description - description: Value list's properties - required: true - responses: - '200': - content: - application/json: - examples: - ip: - value: - _version: WzIsMV0= - '@timestamp': '2025-01-08T04:47:34.273Z' - created_at: '2025-01-08T04:47:34.273Z' - created_by: elastic - description: Latest list of bad ips - id: ip_list - immutable: false - name: Bad ips - updated - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: '2025-01-08T05:39:39.292Z' - updated_by: elastic - version: 3 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - 
value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [PUT /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Update a value list - tags: - - Security Lists API - x-metaTags: - - content: Kibana - name: product_name - /api/lists/_find: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/lists/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a paginated subset of value lists. By default, the first page is returned, with 20 results per page. - operationId: FindLists - parameters: - - description: The page number to return. - in: query - name: page - required: false - schema: - example: 1 - type: integer - - description: The number of value lists to return per page. - in: query - name: per_page - required: false - schema: - example: 20 - type: integer - - description: Determines which field is used to sort the results. - in: query - name: sort_field - required: false - schema: - example: name - format: nonempty - minLength: 1 - type: string - - description: Determines the sort order, which can be `desc` or `asc` - in: query - name: sort_order - required: false - schema: - enum: - - desc - - asc - example: asc - type: string - - description: Returns the lists that come after the last lists returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all lists are sorted and returned correctly. - in: query - name: cursor - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' - - description: | - Filters the returned results according to the value of the specified field, - using the : syntax. 
- in: query - name: filter - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_FindListsFilter' - responses: - '200': - content: - application/json: - examples: - ipList: - value: - cursor: WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d - data: - - _version: WzAsMV0= - '@timestamp': | - 2025-01-08T04:47:34.273Z - created_at: | - 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ip - id: ip_list - immutable: false - name: Simple list with an ip - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: | - 2025-01-08T04:47:34.273Z - updated_by: elastic - version: 1 - page: 1 - per_page: 20 - total: 1 - schema: - type: object - properties: - cursor: - $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' - data: - items: - $ref: '#/components/schemas/Security_Lists_API_List' - type: array - page: - minimum: 0 - type: integer - per_page: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - - cursor - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: page: Expected number, received nan' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication 
response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [GET /api/lists/_find?page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value lists - tags: - - Security Lists API - x-metaTags: - - content: Kibana - name: product_name - /api/lists/index: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/lists/index
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete the `.lists` and `.items` data streams. - operationId: DeleteListIndex - responses: - '200': - content: - application/json: - schema: - type: object - properties: - acknowledged: - type: boolean - required: - - acknowledged - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Delete value list data streams - tags: - - Security Lists API - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/lists/index
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Verify that `.lists` and `.items` data streams exist. - operationId: ReadListIndex - responses: - '200': - content: - application/json: - schema: - type: object - properties: - list_index: - type: boolean - list_item_index: - type: boolean - required: - - list_index - - list_item_index - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream(s) not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get status of value list data streams - tags: - - Security Lists API - x-metaTags: - - content: Kibana - name: product_name - post: - deprecated: true - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/lists/index
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create `.lists` and `.items` data streams in the relevant space. - operationId: CreateListIndex - responses: - '200': - content: - application/json: - schema: - type: object - properties: - acknowledged: - type: boolean - required: - - acknowledged - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: | - [security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json: - examples: - alreadyExists: - value: - message: 'data stream: \".lists-default\" and \".items-default\" already exists' - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream exists response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Create list data streams - tags: - - Security Lists API - x-metaTags: - - content: Kibana - name: product_name - /api/lists/items: - 
delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/lists/items
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a value list item using its `id`, or its `list_id` and `value` fields. - operationId: DeleteListItem - parameters: - - description: Value list item's identifier. Required if `list_id` and `value` are not specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - - description: Value list's identifier. Required if `id` is not specified. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: The value used to evaluate exceptions. Required if `id` is not specified. - in: query - name: value - required: false - schema: - example: 255.255.255.255 - type: string - - description: Determines when changes made by the request are made visible to search. - in: query - name: refresh - required: false - schema: - default: 'false' - enum: - - 'true' - - 'false' - - wait_for - example: false - type: string - responses: - '200': - content: - application/json: - examples: - ip: - value: - _version: WzIwLDFd - '@timestamp': '2025-01-08T05:15:05.159Z' - created_at: '2025-01-08T05:15:05.159Z' - created_by: elastic - id: pd1WRJQBs4HAK3VQeHFI - list_id: ip_list - tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 - type: ip - updated_at: '2025-01-08T05:44:14.009Z' - updated_by: elastic - value: 255.255.255.255 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_ListItem' - - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - type: array - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - message: Either \"list_id\" or \"id\" needs to be defined in the request - status_code: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - 
description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [DELETE /api/lists/items?id=pd1WRJQBs4HAK3VQeHFI] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list item with id: \"pd1WRJQBs4HAK3VQeHFI\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Delete a value list item - tags: - - Security Lists API - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/lists/items
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the details of a value list item. - operationId: ReadListItem - parameters: - - description: Value list item identifier. Required if `list_id` and `value` are not specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: Value list item list's `id` identfier. Required if `id` is not specified. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: The value used to evaluate exceptions. Required if `id` is not specified. - in: query - name: value - required: false - schema: - example: 127.0.0.2 - type: string - responses: - '200': - content: - application/json: - examples: - ip: - value: - _version: WzExLDFd - '@timestamp': '2025-01-08T05:16:25.882Z' - created_at: '2025-01-08T05:16:25.882Z' - created_by: elastic - id: qN1XRJQBs4HAK3VQs3Gc - list_id: ip_list - tie_breaker_id: a9a34c02-a385-436e-86a0-02a3942f3537 - type: ip - updated_at: '2025-01-08T05:16:25.882Z' - updated_by: elastic - value: 127.0.0.2 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_ListItem' - - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - type: array - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - message: Either \"list_id\" or \"id\" needs to be defined in the request - status_code: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request 
[/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [GET /api/lists/items?id=qN1XRJQBs4HAK3VQs3Gc] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list item id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get a value list item - tags: - - Security Lists API - x-metaTags: - - content: Kibana - name: product_name - patch: - description: |- - **Spaces method and path for this operation:** - -
patch /s/{space_id}/api/lists/items
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update specific fields of an existing value list item using the item `id`. - operationId: PatchListItem - requestBody: - content: - application/json: - schema: - example: - id: pd1WRJQBs4HAK3VQeHFI - value: 255.255.255.255 - type: object - properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - refresh: - description: Determines when changes made by the request are made visible to search. - enum: - - 'true' - - 'false' - - wait_for - type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' - required: - - id - description: Value list item's properties - required: true - responses: - '200': - content: - application/json: - examples: - ipItem: - value: - _version: WzE5LDFd - '@timestamp': '2025-01-08T05:15:05.159Z' - created_at: '2025-01-08T05:15:05.159Z' - created_by: elastic - id: pd1WRJQBs4HAK3VQeHFI - list_id: ip_list - tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 - type: ip - updated_at: '2025-01-08T05:23:37.602Z' - updated_by: elastic - value: 255.255.255.255 - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - message: '{"took":15,"timed_out":false,"total":1,"updated":0,"deleted":0,"batches":1,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1,"throttled_until_millis":0,"failures":[{"index":".ds-.items-default-2025.01.09-000001","id":"ip_item","cause":{"type":"document_parsing_exception","reason":"[1:107] failed to parse field [ip] of type [ip] in document with id ip_item. 
Preview of fields value: 2","caused_by":{"type":"illegal_argument_exception","reason":"2 is not an IP string literal."}},"status":400}]}' - status_code: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list item id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Patch a value list item - tags: - - Security Lists API - x-metaTags: - - content: Kibana - name: product_name - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/lists/items
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a value list item and associate it with the specified value list. - - All value list items in the same list must be the same type. For example, each list item in an `ip` list must define a specific IP address. - > info - > Before creating a list item, you must create a list. - operationId: CreateListItem - requestBody: - content: - application/json: - examples: - ip: - value: - list_id: ip_list - value: 127.0.0.1 - ip_range: - value: - list_id: ip_range_list - value: 192.168.0.0/16 - keyword: - value: - list_id: keyword_list - value: zeek - schema: - type: object - properties: - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - list_id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - refresh: - description: Determines when changes made by the request are made visible to search. 
- enum: - - 'true' - - 'false' - - wait_for - example: wait_for - type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' - required: - - list_id - - value - description: Value list item's properties - required: true - responses: - '200': - content: - application/json: - examples: - ip: - value: - _version: WzAsMV0= - '@timestamp': '2025-01-08T04:59:06.154Z' - created_at: '2025-01-08T04:59:06.154Z' - created_by: elastic - id: 21b01cfb-058d-44b9-838c-282be16c91cc - list_id: ip_list - tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a - type: ip - updated_at: '2025-01-08T04:59:06.154Z' - updated_by: elastic - value: 127.0.0.1 - ip_range: - value: - _version: WzEsMV0= - '@timestamp': '2025-01-09T18:33:08.202Z' - created_at: '2025-01-09T18:33:08.202Z' - created_by: elastic - id: ip_range_item - list_id: ip_range_list - tie_breaker_id: ea1b4189-efda-4637-b8f9-74655a5ebb61 - type: ip_range - updated_at: '2025-01-09T18:33:08.202Z' - updated_by: elastic - value: 192.168.0.0/16 - keyword: - value: - _version: WzIsMV0= - '@timestamp': '2025-01-09T18:34:29.422Z' - created_at: '2025-01-09T18:34:29.422Z' - created_by: elastic - id: 7f24737d-1da8-4626-a568-33070591bb4e - list_id: keyword_list - tie_breaker_id: 2108ced2-5e5d-401e-a88e-4dd69fc5fa27 - type: keyword - updated_at: '2025-01-09T18:34:29.422Z' - updated_by: elastic - value: zeek - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: uri [/api/lists/items] with method [post] exists but is not available with the current configuration - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: 
Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [POST /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - listNotFound: - value: - message: 'list id: \"ip_list\" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json: - examples: - alreadyExists: - value: - message: 'list item id: \"ip_item\" already exists' - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item already exists response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Create a value list item - tags: - - Security Lists API - x-metaTags: - - content: Kibana - name: product_name - put: - description: | - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/lists/items
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a value list item using the list item ID. The original list item is replaced, and all unspecified fields are deleted. - > info - > You cannot modify the `id` value. - operationId: UpdateListItem - requestBody: - content: - application/json: - example: - id: ip_item - value: 255.255.255.255 - schema: - type: object - properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' - required: - - id - - value - description: Value list item's properties - required: true - responses: - '200': - content: - application/json: - examples: - ip: - value: - _version: WzIwLDFd - '@timestamp': '2025-01-08T05:15:05.159Z' - created_at: '2025-01-08T05:15:05.159Z' - created_by: elastic - id: pd1WRJQBs4HAK3VQeHFI - list_id: ip_list - tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 - type: ip - updated_at: '2025-01-08T05:44:14.009Z' - updated_by: elastic - value: 255.255.255.255 - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate 
user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list item id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Update a value list item - tags: - - Security Lists API - x-metaTags: - - content: Kibana - name: product_name - /api/lists/items/_export: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/lists/items/_export
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Export list item values from the specified value list. - operationId: ExportListItems - parameters: - - description: Value list's `id` to export. - in: query - name: list_id - required: true - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - responses: - '200': - content: - application/ndjson: - schema: - description: A `.txt` file containing list items from the specified list - example: | - 127.0.0.1 - 127.0.0.2 - 127.0.0.3 - 127.0.0.4 - 127.0.0.5 - 127.0.0.6 - 127.0.0.7 - 127.0.0.8 - 127.0.0.9 - format: binary - type: string - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: 'Bad Request","message":"[request query]: list_id: Required' - statusCode: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [POST /api/lists/items/_export?list_id=ips.txt] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - schema: - $ref: 
'#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Export value list items - tags: - - Security Lists API - x-metaTags: - - content: Kibana - name: product_name - /api/lists/items/_find: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/lists/items/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get all value list items in the specified list. - operationId: FindListItems - parameters: - - in: query - name: list_id - required: true - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: The page number to return. - in: query - name: page - required: false - schema: - example: 1 - type: integer - - description: The number of list items to return per page. - in: query - name: per_page - required: false - schema: - example: 20 - type: integer - - description: Determines which field is used to sort the results. - in: query - name: sort_field - required: false - schema: - example: value - format: nonempty - minLength: 1 - type: string - - description: Determines the sort order, which can be `desc` or `asc` - in: query - name: sort_order - required: false - schema: - enum: - - desc - - asc - example: asc - type: string - - in: query - name: cursor - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' - - description: | - Filters the returned results according to the value of the specified field, - using the : syntax. 
- in: query - name: filter - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter' - responses: - '200': - content: - application/json: - examples: - ip: - value: - cursor: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d - data: - - _version: WzAsMV0= - '@timestamp': '2025-01-08T04:59:06.154Z' - created_at: '2025-01-08T04:59:06.154Z' - created_by: elastic - id: 21b01cfb-058d-44b9-838c-282be16c91cc - list_id: ip_list - tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a - type: ip - updated_at: '2025-01-08T04:59:06.154Z' - updated_by: elastic - value: 127.0.0.1 - page: 1 - per_page: 20 - total: 1 - schema: - type: object - properties: - cursor: - $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' - data: - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - type: array - page: - minimum: 0 - type: integer - per_page: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - - cursor - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request, - message: '[request query]: list_id: Required' - statusCode: 400, - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - 
forbidden: - value: - error: Forbidden - message: API [GET /api/lists/items/_find?list_id=ip_list&page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value list items - tags: - - Security Lists API - x-metaTags: - - content: Kibana - name: product_name - /api/lists/items/_import: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/lists/items/_import
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Import value list items from a TXT or CSV file. The maximum file size is 9 million bytes. - - You can import items to a new or existing list. - operationId: ImportListItems - parameters: - - description: | - List's id. - - Required when importing to an existing list. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: | - Type of the importing list. - - Required when importing a new list whose list `id` is not specified. - examples: - ip: - value: ip - in: query - name: type - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListType' - - description: Determines when changes made by the request are made visible to search. - in: query - name: refresh - required: false - schema: - enum: - - 'true' - - 'false' - - wait_for - example: true - type: string - requestBody: - content: - multipart/form-data: - schema: - type: object - properties: - file: - description: A `.txt` or `.csv` file containing newline separated list items. 
- example: | - 127.0.0.1 - 127.0.0.2 - 127.0.0.3 - 127.0.0.4 - 127.0.0.5 - 127.0.0.6 - 127.0.0.7 - 127.0.0.8 - 127.0.0.9 - format: binary - type: string - required: true - responses: - '200': - content: - application/json: - examples: - ip: - value: - _version: WzAsMV0= - '@timestamp': '2025-01-08T04:47:34.273Z' - created_at: '2025-01-08T04:47:34.273Z' - created_by: elastic - description: This list describes bad internet ip - id: ip_list - immutable: false - name: Simple list with an ip - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: '2025-01-08T04:47:34.273Z' - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - message: Either type or list_id need to be defined in the query - status_code: 400 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [POST /api/lists/items/_import?list_id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: 
- application/json: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List with specified list_id does not exist response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Import value list items - tags: - - Security Lists API - x-metaTags: - - content: Kibana - name: product_name - /api/lists/privileges: - get: - operationId: ReadListPrivileges - responses: - '200': - content: - application/json: - examples: - privileges: - value: - is_authenticated: true - listItems: - application: {} - cluster: - all: true - manage: true - manage_api_key: true - manage_index_templates: true - manage_ml: true - manage_own_api_key: true - manage_pipeline: true - manage_security: true - manage_transform: true - monitor: true - monitor_ml: true - monitor_transform: true - has_all_requested: true - index: - .items-default: - all: true - create: true - create_doc: true - create_index: true - delete: true - delete_index: true - index: true - maintenance: true - manage: true - monitor: true - read: true - view_index_metadata: true - write: true - username: elastic - lists: - application: {} - cluster: - all: true - manage: true - manage_api_key: true - manage_index_templates: true - manage_ml: true - manage_own_api_key: true - manage_pipeline: true - manage_security: true - manage_transform: true - monitor: true - monitor_ml: true - monitor_transform: true - has_all_requested: true - index: - .lists-default: - all: true - create: true - create_doc: true - create_index: true - delete: true - delete_index: true - index: true - maintenance: true - manage: true - monitor: true - read: true - view_index_metadata: true - write: true - username: elastic - schema: - type: object - properties: - is_authenticated: - type: boolean - listItems: - 
$ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges' - lists: - $ref: '#/components/schemas/Security_Lists_API_ListPrivileges' - required: - - lists - - listItems - - is_authenticated - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: API [GET /api/lists/privileges] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value list privileges - tags: - - Security Lists API - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/lists/privileges
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/logstash/pipeline/{id}: - delete: - description: | - Delete a centrally-managed Logstash pipeline. - If your Elasticsearch cluster is protected with basic authentication, you must have either the `logstash_admin` built-in role or a customized Logstash writer role. - externalDocs: - description: Secure your connection - url: https://www.elastic.co/docs/reference/logstash/secure-connection - operationId: delete-logstash-pipeline - parameters: - - description: An identifier for the pipeline. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call - summary: Delete a Logstash pipeline - tags: - - logstash - x-state: Technical Preview - x-metaTags: - - content: Kibana - name: product_name - get: - description: | - Get information for a centrally-managed Logstash pipeline. - To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash reader role. - externalDocs: - description: Secure your connection - url: https://www.elastic.co/docs/reference/logstash/secure-connection - operationId: get-logstash-pipeline - parameters: - - description: An identifier for the pipeline. - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getLogstashPipelineResponseExample1: - value: |- - { - "id": "hello-world", - "description": "Just a simple pipeline", - "username": "elastic", - "pipeline": "input { stdin {} } output { stdout {} }", - "settings": { - "queue.type": "persistent" - } - } - schema: - type: object - description: Indicates a successful call - summary: Get a Logstash pipeline - tags: - - logstash - x-state: Technical Preview - x-metaTags: - - content: Kibana - name: product_name - put: - description: | - Create a centrally-managed Logstash pipeline or update a pipeline. 
- To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash writer role. - externalDocs: - description: Secure your connection - url: https://www.elastic.co/docs/reference/logstash/secure-connection - operationId: put-logstash-pipeline - parameters: - - description: | - An identifier for the pipeline. Pipeline ID must begin with a letter or underscore and can contain only letters, underscores, dashes, hyphens, and numbers. - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putLogstashPipelineRequestExample1: - value: |- - { - "pipeline": "input { stdin {} } output { stdout {} }", - "settings": { - "queue.type": "persisted" - } - } - schema: - type: object - properties: - description: - description: A description of the pipeline. - type: string - pipeline: - description: A definition for the pipeline. - type: string - settings: - description: | - Supported settings, represented as object keys, include the following: - - - `pipeline.workers` - - `pipeline.batch.size` - - `pipeline.batch.delay` - - `pipeline.ecs_compatibility` - - `pipeline.ordered` - - `queue.type` - - `queue.max_bytes` - - `queue.checkpoint.writes` - type: object - required: - - pipeline - responses: - '204': - description: Indicates a successful call - summary: Create or update a Logstash pipeline - tags: - - logstash - x-state: Technical Preview - x-metaTags: - - content: Kibana - name: product_name - /api/logstash/pipelines: - get: - description: | - Get a list of all centrally-managed Logstash pipelines. - - To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash reader role. - > info - > Limit the number of pipelines to 10,000 or fewer. As the number of pipelines nears and surpasses 10,000, you may see performance issues on Kibana. 
- - The `username` property appears in the response when security is enabled and depends on when the pipeline was created or last updated. - externalDocs: - description: Secure your connection - url: https://www.elastic.co/docs/reference/logstash/secure-connection - operationId: get-logstash-pipelines - responses: - '200': - content: - application/json: - examples: - getLogstashPipelinesResponseExample1: - value: |- - { - "pipelines": [ - { - "id": "hello-world", - "description": "Just a simple pipeline", - "last_modified": "2018-04-14T12:23:29.772Z", - "username": "elastic" - }, - { - "id": "sleepy-pipeline", - "description": "", - "last_modified": "2018-03-24T03:41:30.554Z" - } - ] - } - schema: - type: object - description: Indicates a successful call - summary: Get all Logstash pipelines - tags: - - logstash - x-state: Technical Preview - x-metaTags: - - content: Kibana - name: product_name - /api/maintenance_window: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/maintenance_window
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - [Required authorization] Route required privileges: write-maintenance-window. - operationId: post-maintenance-window - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - createMaintenanceWindowRequest: - description: | - Create a maintenance window that recurs every week on Monday and Wednesday for two hours, with a scope that filters specific alerts using a KQL query. - summary: Create a maintenance window - value: - enabled: true - schedule: - custom: - duration: 2h - recurring: - every: 1w - occurrences: 10 - onWeekDay: - - MO - - WE - start: '2025-03-01T08:00:00.000Z' - timezone: Europe/Amsterdam - scope: - alerting: - query: - kql: 'kibana.alert.tags: "infra"' - title: Weekly Maintenance Window - schema: - additionalProperties: false - type: object - properties: - enabled: - description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. - type: boolean - schedule: - additionalProperties: false - type: object - properties: - custom: - additionalProperties: false - type: object - properties: - duration: - description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' - type: string - recurring: - additionalProperties: false - type: object - properties: - end: - description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' - type: string - every: - description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. 
For example: `15d`, `2w`, `3m`, `1y`.' - type: string - occurrences: - description: The total number of recurrences of the schedule. - minimum: 1 - type: number - onMonth: - description: The specific months for a recurring schedule. Valid values are 1-12. - items: - maximum: 12 - minimum: 1 - type: number - minItems: 1 - type: array - onMonthDay: - description: The specific days of the month for a recurring schedule. Valid values are 1-31. - items: - maximum: 31 - minimum: 1 - type: number - minItems: 1 - type: array - onWeekDay: - description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. - items: - type: string - minItems: 1 - type: array - start: - description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' - type: string - timezone: - description: The timezone of the schedule. The default timezone is UTC. - type: string - required: - - start - - duration - required: - - custom - scope: - additionalProperties: false - type: object - properties: - alerting: - additionalProperties: false - type: object - properties: - query: - additionalProperties: false - type: object - properties: - kql: - description: A filter written in Kibana Query Language (KQL). Only alerts matching this query will be supressed by the maintenance window. - type: string - required: - - kql - required: - - query - required: - - alerting - title: - description: The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window. - type: string - required: - - title - - schedule - responses: - '200': - content: - application/json: - examples: - createMaintenanceWindowResponse: - description: | - The response returned when a maintenance window is successfully created. 
- summary: Create a maintenance window response - value: - created_at: '2025-02-25T10:00:00.000Z' - created_by: elastic - enabled: true - id: f0cb1780-537a-4e34-8adf-3b4336862858 - schedule: - custom: - duration: 2h - recurring: - every: 1w - occurrences: 10 - onWeekDay: - - MO - - WE - start: '2025-03-01T08:00:00.000Z' - timezone: Europe/Amsterdam - scope: - alerting: - query: - kql: 'kibana.alert.tags: "infra"' - status: upcoming - title: Weekly Maintenance Window - updated_at: '2025-02-25T10:00:00.000Z' - updated_by: elastic - schema: - additionalProperties: false - type: object - properties: - created_at: - description: The date and time when the maintenance window was created. - type: string - created_by: - description: The identifier for the user that created the maintenance window. - nullable: true - type: string - enabled: - description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. - type: boolean - id: - description: The identifier for the maintenance window. - type: string - schedule: - additionalProperties: false - type: object - properties: - custom: - additionalProperties: false - type: object - properties: - duration: - description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' - type: string - recurring: - additionalProperties: false - type: object - properties: - end: - description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' - type: string - every: - description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' - type: string - occurrences: - description: The total number of recurrences of the schedule. 
- type: number - onMonth: - description: The specific months for a recurring schedule. Valid values are 1-12. - items: - type: number - type: array - onMonthDay: - description: The specific days of the month for a recurring schedule. Valid values are 1-31. - items: - type: number - type: array - onWeekDay: - description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. - items: - type: string - type: array - start: - description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' - type: string - timezone: - description: The timezone of the schedule. The default timezone is UTC. - type: string - required: - - start - - duration - required: - - custom - scope: - additionalProperties: false - type: object - properties: - alerting: - additionalProperties: false - type: object - properties: - query: - additionalProperties: false - type: object - properties: - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - required: - - query - required: - - alerting - status: - description: The current status of the maintenance window. - enum: - - running - - upcoming - - finished - - archived - - disabled - type: string - title: - description: The name of the maintenance window. - type: string - updated_at: - description: The date and time when the maintenance window was last updated. - type: string - updated_by: - description: The identifier for the user that last updated this maintenance window. - nullable: true - type: string - required: - - id - - title - - enabled - - created_by - - updated_by - - created_at - - updated_at - - status - - schedule - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. 
- summary: Create a maintenance window. - tags: - - maintenance-window - x-state: Generally available; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - /api/maintenance_window/_find: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/maintenance_window/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - [Required authorization] Route required privileges: read-maintenance-window. - operationId: get-maintenance-window-find - parameters: - - description: The title of the maintenance window. - in: query - name: title - required: false - schema: - type: string - - description: The user who created the maintenance window. - in: query - name: created_by - required: false - schema: - type: string - - description: The status of the maintenance window. It can be "running", "upcoming", "finished", "archived", or "disabled". - in: query - name: status - required: false - schema: - items: - enum: - - running - - finished - - upcoming - - archived - - disabled - type: string - type: array - - description: The page number to return. - in: query - name: page - required: false - schema: - default: 1 - maximum: 100 - minimum: 1 - type: number - - description: The number of maintenance windows to return per page. - in: query - name: per_page - required: false - schema: - default: 10 - maximum: 100 - minimum: 1 - type: number - responses: - '200': - content: - application/json: - examples: - findMaintenanceWindowsResponse: - description: | - The response returned when maintenance windows are successfully found. 
- summary: Find maintenance windows response - value: - maintenanceWindows: - - created_at: '2025-02-25T10:00:00.000Z' - created_by: elastic - enabled: true - id: f0cb1780-537a-4e34-8adf-3b4336862858 - schedule: - custom: - duration: 2h - recurring: - every: 1w - occurrences: 10 - onWeekDay: - - MO - - WE - start: '2025-03-01T08:00:00.000Z' - timezone: Europe/Amsterdam - scope: - alerting: - query: - kql: 'kibana.alert.tags: "infra"' - status: upcoming - title: Weekly Maintenance Window - updated_at: '2025-02-25T10:00:00.000Z' - updated_by: elastic - - created_at: '2025-03-10T09:00:00.000Z' - created_by: elastic - enabled: true - id: a1c94560-6e3b-4ea1-9065-8e3f1b8c5f29 - schedule: - custom: - duration: 1h - recurring: - end: '2025-12-31T00:00:00.000Z' - every: 2w - onWeekDay: - - FR - start: '2025-04-01T10:00:00.000Z' - timezone: US/Eastern - scope: - alerting: - query: - kql: 'kibana.alert.tags: "database"' - status: upcoming - title: Database Upgrade Window - updated_at: '2025-03-15T14:30:00.000Z' - updated_by: elastic - page: 1 - per_page: 10 - total: 2 - schema: - additionalProperties: false - type: object - properties: - maintenanceWindows: - description: The list of maintenance windows. - items: - additionalProperties: false - type: object - properties: - created_at: - description: The date and time when the maintenance window was created. - type: string - created_by: - description: The identifier for the user that created the maintenance window. - nullable: true - type: string - enabled: - description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. - type: boolean - id: - description: The identifier for the maintenance window. - type: string - schedule: - additionalProperties: false - type: object - properties: - custom: - additionalProperties: false - type: object - properties: - duration: - description: 'The duration of the schedule. It allows values in `` format. 
`` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' - type: string - recurring: - additionalProperties: false - type: object - properties: - end: - description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' - type: string - every: - description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' - type: string - occurrences: - description: The total number of recurrences of the schedule. - type: number - onMonth: - description: The specific months for a recurring schedule. Valid values are 1-12. - items: - type: number - type: array - onMonthDay: - description: The specific days of the month for a recurring schedule. Valid values are 1-31. - items: - type: number - type: array - onWeekDay: - description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. - items: - type: string - type: array - start: - description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' - type: string - timezone: - description: The timezone of the schedule. The default timezone is UTC. - type: string - required: - - start - - duration - required: - - custom - scope: - additionalProperties: false - type: object - properties: - alerting: - additionalProperties: false - type: object - properties: - query: - additionalProperties: false - type: object - properties: - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - required: - - query - required: - - alerting - status: - description: The current status of the maintenance window. 
- enum: - - running - - upcoming - - finished - - archived - - disabled - type: string - title: - description: The name of the maintenance window. - type: string - updated_at: - description: The date and time when the maintenance window was last updated. - type: string - updated_by: - description: The identifier for the user that last updated this maintenance window. - nullable: true - type: string - required: - - id - - title - - enabled - - created_by - - updated_by - - created_at - - updated_at - - status - - schedule - type: array - page: - description: The current page number. - type: number - per_page: - description: The number of maintenance windows returned per page. - type: number - total: - description: The total number of maintenance windows that match the query. - type: number - required: - - page - - per_page - - total - - maintenanceWindows - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - summary: Search for a maintenance window. - tags: - - maintenance-window - x-state: Generally available; added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - /api/maintenance_window/{id}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/maintenance_window/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - [Required authorization] Route required privileges: write-maintenance-window. - operationId: delete-maintenance-window-id - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the maintenance window to be deleted. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a maintenance window with the given ID does not exist. - summary: Delete a maintenance window. - tags: - - maintenance-window - x-state: Generally available; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/maintenance_window/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - [Required authorization] Route required privileges: read-maintenance-window. - operationId: get-maintenance-window-id - parameters: - - description: The identifier for the maintenance window. - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getMaintenanceWindowResponse: - description: | - The response returned when a maintenance window is successfully retrieved. - summary: Get a maintenance window response - value: - created_at: '2025-02-25T10:00:00.000Z' - created_by: elastic - enabled: true - id: f0cb1780-537a-4e34-8adf-3b4336862858 - schedule: - custom: - duration: 2h - recurring: - every: 1w - occurrences: 10 - onWeekDay: - - MO - - WE - start: '2025-03-01T08:00:00.000Z' - timezone: Europe/Amsterdam - scope: - alerting: - query: - kql: 'kibana.alert.tags: "infra"' - status: upcoming - title: Weekly Maintenance Window - updated_at: '2025-02-25T10:00:00.000Z' - updated_by: elastic - schema: - additionalProperties: false - type: object - properties: - created_at: - description: The date and time when the maintenance window was created. - type: string - created_by: - description: The identifier for the user that created the maintenance window. - nullable: true - type: string - enabled: - description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. - type: boolean - id: - description: The identifier for the maintenance window. - type: string - schedule: - additionalProperties: false - type: object - properties: - custom: - additionalProperties: false - type: object - properties: - duration: - description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' 
- type: string - recurring: - additionalProperties: false - type: object - properties: - end: - description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' - type: string - every: - description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' - type: string - occurrences: - description: The total number of recurrences of the schedule. - type: number - onMonth: - description: The specific months for a recurring schedule. Valid values are 1-12. - items: - type: number - type: array - onMonthDay: - description: The specific days of the month for a recurring schedule. Valid values are 1-31. - items: - type: number - type: array - onWeekDay: - description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. - items: - type: string - type: array - start: - description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' - type: string - timezone: - description: The timezone of the schedule. The default timezone is UTC. - type: string - required: - - start - - duration - required: - - custom - scope: - additionalProperties: false - type: object - properties: - alerting: - additionalProperties: false - type: object - properties: - query: - additionalProperties: false - type: object - properties: - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - required: - - query - required: - - alerting - status: - description: The current status of the maintenance window. - enum: - - running - - upcoming - - finished - - archived - - disabled - type: string - title: - description: The name of the maintenance window. 
- type: string - updated_at: - description: The date and time when the maintenance window was last updated. - type: string - updated_by: - description: The identifier for the user that last updated this maintenance window. - nullable: true - type: string - required: - - id - - title - - enabled - - created_by - - updated_by - - created_at - - updated_at - - status - - schedule - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a maintenance window with the given ID does not exist. - summary: Get maintenance window details. - tags: - - maintenance-window - x-state: Generally available; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - patch: - description: |- - **Spaces method and path for this operation:** - -
patch /s/{space_id}/api/maintenance_window/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - [Required authorization] Route required privileges: write-maintenance-window. - operationId: patch-maintenance-window-id - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the maintenance window. - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - updateMaintenanceWindowRequest: - description: | - Update a maintenance window to change its title, schedule, and scope. - summary: Update a maintenance window - value: - enabled: true - schedule: - custom: - duration: 1h - recurring: - end: '2025-12-31T00:00:00.000Z' - every: 2w - onWeekDay: - - FR - start: '2025-04-01T10:00:00.000Z' - timezone: US/Eastern - scope: - alerting: - query: - kql: 'kibana.alert.tags: "database"' - title: Updated maintenance window - schema: - additionalProperties: false - type: object - properties: - enabled: - description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. - type: boolean - schedule: - additionalProperties: false - type: object - properties: - custom: - additionalProperties: false - type: object - properties: - duration: - description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' - type: string - recurring: - additionalProperties: false - type: object - properties: - end: - description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' - type: string - every: - description: 'The interval and frequency of a recurring schedule. It allows values in `` format. 
`` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' - type: string - occurrences: - description: The total number of recurrences of the schedule. - minimum: 1 - type: number - onMonth: - description: The specific months for a recurring schedule. Valid values are 1-12. - items: - maximum: 12 - minimum: 1 - type: number - minItems: 1 - type: array - onMonthDay: - description: The specific days of the month for a recurring schedule. Valid values are 1-31. - items: - maximum: 31 - minimum: 1 - type: number - minItems: 1 - type: array - onWeekDay: - description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. - items: - type: string - minItems: 1 - type: array - start: - description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' - type: string - timezone: - description: The timezone of the schedule. The default timezone is UTC. - type: string - required: - - start - - duration - required: - - custom - scope: - additionalProperties: false - type: object - properties: - alerting: - additionalProperties: false - type: object - properties: - query: - additionalProperties: false - type: object - properties: - kql: - description: A filter written in Kibana Query Language (KQL). Only alerts matching this query will be supressed by the maintenance window. - type: string - required: - - kql - required: - - query - required: - - alerting - title: - description: The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window. - type: string - responses: - '200': - content: - application/json: - examples: - updateMaintenanceWindowResponse: - description: | - The response returned when a maintenance window is successfully updated. 
- summary: Update a maintenance window response - value: - created_at: '2025-02-25T10:00:00.000Z' - created_by: elastic - enabled: true - id: f0cb1780-537a-4e34-8adf-3b4336862858 - schedule: - custom: - duration: 1h - recurring: - end: '2025-12-31T00:00:00.000Z' - every: 2w - onWeekDay: - - FR - start: '2025-04-01T10:00:00.000Z' - timezone: US/Eastern - scope: - alerting: - query: - kql: 'kibana.alert.tags: "database"' - status: upcoming - title: Updated maintenance window - updated_at: '2025-03-15T14:30:00.000Z' - updated_by: elastic - schema: - additionalProperties: false - type: object - properties: - created_at: - description: The date and time when the maintenance window was created. - type: string - created_by: - description: The identifier for the user that created the maintenance window. - nullable: true - type: string - enabled: - description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. - type: boolean - id: - description: The identifier for the maintenance window. - type: string - schedule: - additionalProperties: false - type: object - properties: - custom: - additionalProperties: false - type: object - properties: - duration: - description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' - type: string - recurring: - additionalProperties: false - type: object - properties: - end: - description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' - type: string - every: - description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' - type: string - occurrences: - description: The total number of recurrences of the schedule. 
- type: number - onMonth: - description: The specific months for a recurring schedule. Valid values are 1-12. - items: - type: number - type: array - onMonthDay: - description: The specific days of the month for a recurring schedule. Valid values are 1-31. - items: - type: number - type: array - onWeekDay: - description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. - items: - type: string - type: array - start: - description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' - type: string - timezone: - description: The timezone of the schedule. The default timezone is UTC. - type: string - required: - - start - - duration - required: - - custom - scope: - additionalProperties: false - type: object - properties: - alerting: - additionalProperties: false - type: object - properties: - query: - additionalProperties: false - type: object - properties: - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - required: - - query - required: - - alerting - status: - description: The current status of the maintenance window. - enum: - - running - - upcoming - - finished - - archived - - disabled - type: string - title: - description: The name of the maintenance window. - type: string - updated_at: - description: The date and time when the maintenance window was last updated. - type: string - updated_by: - description: The identifier for the user that last updated this maintenance window. - nullable: true - type: string - required: - - id - - title - - enabled - - created_by - - updated_by - - created_at - - updated_at - - status - - schedule - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. 
- '404': - description: Indicates a maintenance window with the given ID does not exist. - '409': - description: Indicates that the maintenance window has already been updated by another user. - summary: Update a maintenance window. - tags: - - maintenance-window - x-state: Generally available; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - /api/maintenance_window/{id}/_archive: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/maintenance_window/{id}/_archive
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - [Required authorization] Route required privileges: write-maintenance-window. - operationId: post-maintenance-window-id-archive - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the maintenance window to be archived. - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - archiveMaintenanceWindowResponse: - description: | - The response returned when a maintenance window is successfully archived. - summary: Archive a maintenance window response - value: - created_at: '2025-02-25T10:00:00.000Z' - created_by: elastic - enabled: true - id: f0cb1780-537a-4e34-8adf-3b4336862858 - schedule: - custom: - duration: 2h - recurring: - every: 1w - occurrences: 10 - onWeekDay: - - MO - - WE - start: '2025-03-01T08:00:00.000Z' - timezone: Europe/Amsterdam - scope: - alerting: - query: - kql: 'kibana.alert.tags: "infra"' - status: archived - title: Weekly Maintenance Window - updated_at: '2025-02-25T10:00:00.000Z' - updated_by: elastic - schema: - additionalProperties: false - type: object - properties: - created_at: - description: The date and time when the maintenance window was created. - type: string - created_by: - description: The identifier for the user that created the maintenance window. - nullable: true - type: string - enabled: - description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. - type: boolean - id: - description: The identifier for the maintenance window. - type: string - schedule: - additionalProperties: false - type: object - properties: - custom: - additionalProperties: false - type: object - properties: - duration: - description: 'The duration of the schedule. 
It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' - type: string - recurring: - additionalProperties: false - type: object - properties: - end: - description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' - type: string - every: - description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' - type: string - occurrences: - description: The total number of recurrences of the schedule. - type: number - onMonth: - description: The specific months for a recurring schedule. Valid values are 1-12. - items: - type: number - type: array - onMonthDay: - description: The specific days of the month for a recurring schedule. Valid values are 1-31. - items: - type: number - type: array - onWeekDay: - description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. - items: - type: string - type: array - start: - description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' - type: string - timezone: - description: The timezone of the schedule. The default timezone is UTC. - type: string - required: - - start - - duration - required: - - custom - scope: - additionalProperties: false - type: object - properties: - alerting: - additionalProperties: false - type: object - properties: - query: - additionalProperties: false - type: object - properties: - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - required: - - query - required: - - alerting - status: - description: The current status of the maintenance window. 
- enum: - - running - - upcoming - - finished - - archived - - disabled - type: string - title: - description: The name of the maintenance window. - type: string - updated_at: - description: The date and time when the maintenance window was last updated. - type: string - updated_by: - description: The identifier for the user that last updated this maintenance window. - nullable: true - type: string - required: - - id - - title - - enabled - - created_by - - updated_by - - created_at - - updated_at - - status - - schedule - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a maintenance window with the given ID does not exist. - summary: Archive a maintenance window. - tags: - - maintenance-window - x-state: Generally available; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - /api/maintenance_window/{id}/_unarchive: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/maintenance_window/{id}/_unarchive
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - [Required authorization] Route required privileges: write-maintenance-window. - operationId: post-maintenance-window-id-unarchive - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the maintenance window to be unarchived. - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - unarchiveMaintenanceWindowResponse: - description: | - The response returned when a maintenance window is successfully unarchived. - summary: Unarchive a maintenance window response - value: - created_at: '2025-02-25T10:00:00.000Z' - created_by: elastic - enabled: true - id: f0cb1780-537a-4e34-8adf-3b4336862858 - schedule: - custom: - duration: 2h - recurring: - every: 1w - occurrences: 10 - onWeekDay: - - MO - - WE - start: '2025-03-01T08:00:00.000Z' - timezone: Europe/Amsterdam - scope: - alerting: - query: - kql: 'kibana.alert.tags: "infra"' - status: upcoming - title: Weekly Maintenance Window - updated_at: '2025-02-25T10:00:00.000Z' - updated_by: elastic - schema: - additionalProperties: false - type: object - properties: - created_at: - description: The date and time when the maintenance window was created. - type: string - created_by: - description: The identifier for the user that created the maintenance window. - nullable: true - type: string - enabled: - description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. - type: boolean - id: - description: The identifier for the maintenance window. 
- type: string - schedule: - additionalProperties: false - type: object - properties: - custom: - additionalProperties: false - type: object - properties: - duration: - description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' - type: string - recurring: - additionalProperties: false - type: object - properties: - end: - description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' - type: string - every: - description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' - type: string - occurrences: - description: The total number of recurrences of the schedule. - type: number - onMonth: - description: The specific months for a recurring schedule. Valid values are 1-12. - items: - type: number - type: array - onMonthDay: - description: The specific days of the month for a recurring schedule. Valid values are 1-31. - items: - type: number - type: array - onWeekDay: - description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. - items: - type: string - type: array - start: - description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' - type: string - timezone: - description: The timezone of the schedule. The default timezone is UTC. 
- type: string - required: - - start - - duration - required: - - custom - scope: - additionalProperties: false - type: object - properties: - alerting: - additionalProperties: false - type: object - properties: - query: - additionalProperties: false - type: object - properties: - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - required: - - query - required: - - alerting - status: - description: The current status of the maintenance window. - enum: - - running - - upcoming - - finished - - archived - - disabled - type: string - title: - description: The name of the maintenance window. - type: string - updated_at: - description: The date and time when the maintenance window was last updated. - type: string - updated_by: - description: The identifier for the user that last updated this maintenance window. - nullable: true - type: string - required: - - id - - title - - enabled - - created_by - - updated_by - - created_at - - updated_at - - status - - schedule - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a maintenance window with the given ID does not exist. - summary: Unarchive a maintenance window. - tags: - - maintenance-window - x-state: Generally available; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - /api/ml/saved_objects/sync: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/ml/saved_objects/sync
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Synchronizes Kibana saved objects for machine learning jobs and trained models in the default space. You must have `all` privileges for the **Machine Learning** feature in the **Analytics** section of the Kibana feature privileges. This API runs automatically when you start Kibana and periodically thereafter. - operationId: mlSync - parameters: - - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' - responses: - '200': - content: - application/json: - examples: - syncExample: - $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' - schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' - description: Indicates a successful call - '401': - content: - application/json: - examples: - syncExample: - $ref: '#/components/examples/Machine_learning_APIs_mlSync401Example' - schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' - description: Authorization information is missing or invalid. - summary: Sync saved objects in the default space - tags: - - ml - x-metaTags: - - content: Kibana - name: product_name - /api/ml/saved_objects/update_jobs_spaces: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/ml/saved_objects/update_jobs_spaces
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a list of jobs to add and/or remove them from given spaces. - operationId: mlUpdateJobsSpaces - requestBody: - content: - application/json: - examples: - updateADJobSpacesRequest: - value: - jobIds: - - test-job - jobType: anomaly-detector - spacesToAdd: - - default - spacesToRemove: - - '*' - updateDFAJobSpacesRequest: - value: - jobIds: - - test-job - jobType: data-frame-analytics - spacesToAdd: - - default - spacesToRemove: - - '*' - responses: - '200': - content: - application/json: - examples: - successADResponse: - value: - test-job: - success: true - type: anomaly-detector - successDFAResponse: - value: - test-job: - success: true - type: data-frame-analytics - description: Indicates a successful call - summary: Update jobs spaces - tags: - - ml - x-metaTags: - - content: Kibana - name: product_name - /api/ml/saved_objects/update_trained_models_spaces: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/ml/saved_objects/update_trained_models_spaces
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a list of trained models to add and/or remove them from given spaces. - operationId: mlUpdateTrainedModelsSpaces - requestBody: - content: - application/json: - examples: - updateTrainedModelsSpacesRequest: - value: - modelIds: - - test-model - spacesToAdd: - - default - spacesToRemove: - - '*' - responses: - '200': - content: - application/json: - examples: - successTMResponse: - value: - test-model: - success: true - type: trained-model" - description: Indicates a successful call - summary: Update trained models spaces - tags: - - ml - x-metaTags: - - content: Kibana - name: product_name - /api/note: - delete: - description: | - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/note
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Deletes notes by saved object ID. Send either `noteId` (single ID) or `noteIds` (array of IDs) in the JSON body. - - The response has HTTP 200 with an empty body on success. - - Requires the **Timeline and Notes** write privilege (`notes_write`). - operationId: DeleteNote - requestBody: - content: - application/json: - examples: - deleteOne: - summary: Delete a single note by id - value: - noteId: 709f99c6-89b6-4953-9160-35945c8e174e - schema: - oneOf: - - nullable: true - type: object - properties: - noteId: - description: Saved object ID of the note to delete. - type: string - required: - - noteId - - nullable: true - type: object - properties: - noteIds: - description: Saved object IDs of the notes to delete. - items: - type: string - nullable: true - type: array - required: - - noteIds - description: | - Exactly one shape: `{ "noteId": "" }` for a single delete, or `{ "noteIds": ["", ...] }` for bulk delete. - `noteIds` may be null in some clients; prefer an empty array or omit unused fields when possible. - required: true - responses: - '200': - description: The notes were deleted successfully. Response body is empty. - summary: Delete one or more notes - tags: - - Security Timeline API - x-metaTags: - - content: Kibana - name: product_name - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/note
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Returns Security Timeline notes as saved objects. - - **Query modes (mutually exclusive branches on the server):** - - 1. **`documentIds` is set** — Returns notes whose `eventId` matches the given Elasticsearch document `_id` (single string or array). Pagination query parameters (`page`, `perPage`, etc.) are **not** applied; the server uses a fixed page size (up to 10000 notes). - - 2. **`savedObjectIds` is set** — Returns notes linked to the given Timeline saved object id(s). Same fixed cap as above; list-mode query parameters are **not** applied. - - 3. **Neither `documentIds` nor `savedObjectIds`** — Lists notes using saved-objects find semantics: `page` (default 1), `perPage` (default 10), optional `search`, `sortField`, `sortOrder`, `filter`, `createdByFilter`, and `associatedFilter`. - - Requires the **Timeline and Notes** read privilege (`notes_read`). - operationId: GetNotes - parameters: - - description: | - Event document `_id` values to match against each note's `eventId`. When this parameter is present, the response is all matching notes (up to the server's hard limit), not a paged list using `page`/`perPage`. - examples: - multiple: - summary: Multiple document ids (array) - value: - - id-one - - id-two - single: - summary: Single document id - value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b - in: query - name: documentIds - schema: - $ref: '#/components/schemas/Security_Timeline_API_DocumentIds' - - description: | - Timeline `savedObjectId` value(s). Returns notes that reference those timelines. When present, list-mode pagination parameters are not used; up to the server's hard limit of notes may be returned. 
- examples: - singleTimeline: - summary: Single timeline id - value: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - in: query - name: savedObjectIds - schema: - $ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds' - - description: | - Page number for list mode (when `documentIds` and `savedObjectIds` are omitted). Passed as a string; default 1. - example: '1' - in: query - name: page - schema: - nullable: true - type: string - - description: | - Page size for list mode (when `documentIds` and `savedObjectIds` are omitted). Passed as a string; default 10. - example: '20' - in: query - name: perPage - schema: - nullable: true - type: string - - description: Search string for saved-objects find (list mode only). - in: query - name: search - schema: - nullable: true - type: string - - description: Field to sort by for saved-objects find (list mode only). - in: query - name: sortField - schema: - nullable: true - type: string - - description: Sort order (`asc` or `desc`) for saved-objects find (list mode only). - example: desc - in: query - name: sortOrder - schema: - nullable: true - type: string - - description: | - Kuery filter string combined with other list-mode filters (for example `createdByFilter` or `associatedFilter`). Typed as a string for API compatibility; interpreted by the saved-objects layer (list mode only). - in: query - name: filter - schema: - nullable: true - type: string - - description: | - Kibana user profile **UID** (UUID). The server resolves the user's display identifiers and returns notes whose `createdBy` matches any of them (list mode only). - example: f1c2d3e4-5b6a-7890-abcd-ef1234567890 - in: query - name: createdByFilter - schema: - nullable: true - type: string - - description: | - Restricts notes by how they relate to a Timeline and/or an event document (list mode only). Some values apply extra filtering after the query. Ignored when `documentIds` or `savedObjectIds` is used. 
- in: query - name: associatedFilter - schema: - $ref: '#/components/schemas/Security_Timeline_API_AssociatedFilterType' - responses: - '200': - content: - application/json: - examples: - notesPage: - summary: Paged notes for a timeline - value: - notes: - - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - note: Escalated to tier-2 analyst - noteId: 709f99c6-89b6-4953-9160-35945c8e174e - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzQ2LDFd - totalCount: 1 - schema: - $ref: '#/components/schemas/Security_Timeline_API_GetNotesResult' - description: Notes and total count for the requested mode. - summary: Get notes - tags: - - Security Timeline API - x-metaTags: - - content: Kibana - name: product_name - patch: - description: | - **Spaces method and path for this operation:** - -
patch /s/{space_id}/api/note
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Creates a new note or updates an existing one. - - **Create:** Send `note` and omit `noteId` to create a new saved object. - - **Update:** Send `note` with the changed fields and set `noteId` to the note's saved object ID. Optionally include `version` for optimistic concurrency when the client has it from a prior read. - - Requires the **Timeline and Notes** write privilege (`notes_write`). - externalDocs: - description: Add or update a note on a Timeline - url: https://www.elastic.co/guide/en/security/current/timeline-api-update.html - operationId: PersistNoteRoute - requestBody: - content: - application/json: - examples: - addNote: - summary: Add a note on an event - value: - note: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - note: Escalated to tier-2 analyst - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - schema: - type: object - properties: - note: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - description: Note payload (timeline, text, optional event linkage, metadata). - noteId: - description: The `savedObjectId` of the note to update. Omit when creating a new note. - example: 709f99c6-89b6-4953-9160-35945c8e174e - nullable: true - type: string - version: - description: Saved object version string from a previous read; optional on update. - example: WzQ2LDFd - nullable: true - type: string - required: - - note - description: | - Body must include the `note` object. For updates, include `noteId` (and optionally `version`). - To attach a note to a specific event, set `note.eventId` to that event's document `_id`; for a timeline-wide note, omit or clear `eventId` per product rules. 
- required: true - responses: - '200': - content: - application/json: - examples: - persisted: - summary: Persisted note wrapper - value: - note: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - note: Escalated to tier-2 analyst - noteId: 709f99c6-89b6-4953-9160-35945c8e174e - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzQ2LDFd - schema: - $ref: '#/components/schemas/Security_Timeline_API_ResponseNote' - description: The persisted note, including `noteId` and `version`. - summary: Add or update a note - tags: - - Security Timeline API - x-metaTags: - - content: Kibana - name: product_name - /api/observability_ai_assistant/chat/complete: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/observability_ai_assistant/chat/complete
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new chat completion by using the Observability AI Assistant. - - The API returns the model's response based on the current conversation context. - - It also handles any tool requests within the conversation, which may trigger multiple calls to the underlying large language model (LLM). - - This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. - operationId: observability-ai-assistant-chat-complete - requestBody: - content: - application/json: - examples: - chatCompleteRequestExample: - $ref: '#/components/examples/Observability_AI_Assistant_API_ChatCompleteRequestExample' - schema: - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Observability_AI_Assistant_API_Function' - type: array - connectorId: - description: A unique identifier for the connector. - type: string - conversationId: - description: A unique identifier for the conversation if you are continuing an existing conversation. - type: string - disableFunctions: - description: Flag indicating whether all function calls should be disabled for the conversation. If true, no calls to functions will be made. - type: boolean - instructions: - description: An array of instruction objects, which can be either simple strings or detailed objects. - items: - $ref: '#/components/schemas/Observability_AI_Assistant_API_Instruction' - type: array - messages: - description: An array of message objects containing the conversation history. - items: - $ref: '#/components/schemas/Observability_AI_Assistant_API_Message' - type: array - persist: - description: Indicates whether the conversation should be saved to storage. If true, the conversation will be saved and will be available in Kibana. 
- type: boolean - title: - description: A title for the conversation. - type: string - required: - - messages - - connectorId - - persist - responses: - '200': - content: - application/json: - examples: - chatCompleteResponseExample: - $ref: '#/components/examples/Observability_AI_Assistant_API_ChatCompleteResponseExample' - schema: - type: object - description: Successful response - summary: Generate a chat completion - tags: - - observability_ai_assistant - x-codeSamples: - - lang: cURL - source: | - curl --request POST 'localhost:5601/api/observability_ai_assistant/chat/complete' -u : -H 'kbn-xsrf: true' -H "Content-Type: application/json" --data ' - { - "connectorId": "", - "disableFunctions": false, - "messages": [ - { - "@timestamp": "2025-06-25T23:45:00.000Z", - "message": { - "role": "user", - "content": "Is my Elasticsearch cluster healthy right now?" - } - } - ], - "persist": false, - "actions": [ - { - "name": "get_cluster_health", - "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", - "parameters": { - "type": "object", - "properties": { - "includeShardStats": { - "type": "boolean", - "default": false - } - } - } - } - ], - "instructions": ["When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English."] - }' - x-state: Technical Preview - x-metaTags: - - content: Kibana - name: product_name - /api/osquery/history: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/osquery/history
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a unified, time-sorted history of live, rule-triggered, and scheduled osquery executions. The response uses cursor-based pagination. - operationId: OsqueryGetUnifiedHistory - parameters: - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - default: 20 - description: The number of results to return per page. - maximum: 100 - minimum: 1 - type: integer - - description: A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page. - in: query - name: nextPage - required: false - schema: - description: A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page. - type: string - - description: A search string to filter history entries by pack name, query text, or query ID. - in: query - name: kuery - required: false - schema: - description: A search string to filter history entries by pack name, query text, or query ID. - type: string - - description: Comma-separated list of user IDs to filter live query history. - in: query - name: userIds - required: false - schema: - description: Comma-separated list of user IDs to filter live query history. - example: elastic,admin - type: string - - description: Comma-separated list of source types to include. Valid values are `live`, `rule`, and `scheduled`. - in: query - name: sourceFilters - required: false - schema: - description: Comma-separated list of source types to include. Valid values are `live`, `rule`, and `scheduled`. - example: live,scheduled - type: string - - description: The start of the time range filter (ISO 8601). - in: query - name: startDate - required: false - schema: - description: The start of the time range filter (ISO 8601). - example: '2024-01-01T00:00:00Z' - type: string - - description: The end of the time range filter (ISO 8601). 
- in: query - name: endDate - required: false - schema: - description: The end of the time range filter (ISO 8601). - example: '2024-12-31T23:59:59Z' - type: string - responses: - '200': - content: - application/json: - examples: - unifiedHistoryExample: - summary: Example unified history response - value: - data: - - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agentCount: 5 - errorCount: 0 - id: 3c42c847-eb30-4452-80e0-728584042334 - queryName: uptime_query - queryText: select * from uptime; - source: Live - sourceType: live - successCount: 5 - timestamp: '2024-07-26T09:59:32.220Z' - totalRows: 42 - userId: elastic - - agentCount: 10 - errorCount: 1 - executionCount: 3 - id: pack_my_pack_uptime_3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - plannedTime: '2024-07-26T09:00:00.000Z' - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - source: Scheduled - sourceType: scheduled - successCount: 9 - timestamp: '2024-07-26T09:00:00.000Z' - totalRows: 100 - hasMore: true - nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... - schema: - $ref: '#/components/schemas/Security_Osquery_API_GetUnifiedHistoryResponse' - description: Indicates a successful call. - summary: Get unified query history - tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/osquery/live_queries: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/osquery/live_queries
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all live queries. - operationId: OsqueryFindLiveQueries - parameters: - - description: A KQL search string to filter live queries. - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryResponse' - description: Indicates a successful call. - summary: Get live queries - tags: - - Security Osquery API - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/osquery/live_queries
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create and run a live query. - operationId: OsqueryCreateLiveQuery - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryResponse' - description: Indicates a successful call. - summary: Create a live query - tags: - - Security Osquery API - x-metaTags: - - content: Kibana - name: product_name - /api/osquery/live_queries/{id}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/osquery/live_queries/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the details of a live query using the query ID. - operationId: OsqueryGetLiveQueryDetails - parameters: - - description: The ID of the live query. - in: path - name: id - required: true - schema: - description: The ID of the live query result you want to retrieve. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse' - description: Indicates a successful call. - summary: Get live query details - tags: - - Security Osquery API - x-metaTags: - - content: Kibana - name: product_name - /api/osquery/live_queries/{id}/results/{actionId}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/osquery/live_queries/{id}/results/{actionId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the results of a live query using the query action ID. - operationId: OsqueryGetLiveQueryResults - parameters: - - description: The ID of the live query. - in: path - name: id - required: true - schema: - description: The ID of the live query result you want to retrieve. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - - description: The ID of the query action. - in: path - name: actionId - required: true - schema: - description: The ID of the query action that generated the live query results. - example: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - type: string - - description: A KQL search string to filter results. - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse' - description: Indicates a successful call. - summary: Get live query results - tags: - - Security Osquery API - x-metaTags: - - content: Kibana - name: product_name - /api/osquery/packs: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/osquery/packs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all query packs. - operationId: OsqueryFindPacks - parameters: - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_FindPacksResponse' - description: Indicates a successful call. - summary: Get packs - tags: - - Security Osquery API - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/osquery/packs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a query pack. - operationId: OsqueryCreatePacks - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_CreatePacksResponse' - description: Indicates a successful call. - summary: Create a pack - tags: - - Security Osquery API - x-metaTags: - - content: Kibana - name: product_name - /api/osquery/packs/{id}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/osquery/packs/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a query pack using the pack ID. - operationId: OsqueryDeletePacks - parameters: - - description: The pack ID. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - responses: - '200': - content: - application/json: - schema: - example: {} - type: object - properties: {} - description: Indicates a successful call. - summary: Delete a pack - tags: - - Security Osquery API - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/osquery/packs/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the details of a query pack using the pack ID. - operationId: OsqueryGetPacksDetails - parameters: - - description: The pack ID. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_FindPackResponse' - description: Indicates a successful call. - summary: Get pack details - tags: - - Security Osquery API - x-metaTags: - - content: Kibana - name: product_name - put: - description: | - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/osquery/packs/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a query pack using the pack ID. - > info - > You cannot update a prebuilt pack. - operationId: OsqueryUpdatePacks - parameters: - - description: The pack ID. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksResponse' - description: Indicates a successful call. - summary: Update a pack - tags: - - Security Osquery API - x-metaTags: - - content: Kibana - name: product_name - /api/osquery/packs/{id}/copy: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/osquery/packs/{id}/copy
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a copy of a query pack with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`). The copied pack is always created with `enabled` set to `false`. - operationId: OsqueryCopyPacks - parameters: - - description: The ID of the pack to copy. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - responses: - '200': - content: - application/json: - examples: - copyPackExample: - summary: Example response for copying a pack - value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: false - name: my_pack_copy - policy_ids: [] - queries: - - ecs_mapping: - - key: client.port - value: - field: port - id: ports - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: [] - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Osquery_API_CopyPacksResponse' - description: Indicates a successful call. - summary: Copy a pack - tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/osquery/saved_queries: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/osquery/saved_queries
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all saved queries. - operationId: OsqueryFindSavedQueries - parameters: - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryResponse' - description: Indicates a successful call. - summary: Get saved queries - tags: - - Security Osquery API - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/osquery/saved_queries
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create and save a query for later use. - operationId: OsqueryCreateSavedQuery - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryResponse' - description: Indicates a successful call. - summary: Create a saved query - tags: - - Security Osquery API - x-metaTags: - - content: Kibana - name: product_name - /api/osquery/saved_queries/{id}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/osquery/saved_queries/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a saved query using the query ID. - operationId: OsqueryDeleteSavedQuery - parameters: - - description: The saved query ID. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse' - description: Indicates a successful call. - summary: Delete a saved query - tags: - - Security Osquery API - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/osquery/saved_queries/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the details of a saved query using the query ID. - operationId: OsqueryGetSavedQueryDetails - parameters: - - description: The saved query ID. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse' - description: Indicates a successful call. - summary: Get saved query details - tags: - - Security Osquery API - x-metaTags: - - content: Kibana - name: product_name - put: - description: | - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/osquery/saved_queries/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a saved query using the query ID. - > info - > You cannot update a prebuilt saved query. - operationId: OsqueryUpdateSavedQuery - parameters: - - description: The saved query ID. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse' - description: Indicates a successful call. - summary: Update a saved query - tags: - - Security Osquery API - x-metaTags: - - content: Kibana - name: product_name - /api/osquery/saved_queries/{id}/copy: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/osquery/saved_queries/{id}/copy
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a copy of a saved query with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`). - operationId: OsqueryCopySavedQuery - parameters: - - description: The ID of the saved query to copy. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - responses: - '200': - content: - application/json: - examples: - copySavedQueryExample: - summary: Example response for copying a saved query - value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query_copy - interval: '60' - platform: linux,darwin - query: select * from uptime; - removed: false - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - snapshot: true - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Osquery_API_CopySavedQueryResponse' - description: Indicates a successful call. - summary: Copy a saved query - tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/osquery/scheduled_results/{scheduleId}/{executionCount}: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get paginated per-agent action results for a specific scheduled query execution, with success/failure aggregation and execution metadata (pack name, query name/text, timestamp). - operationId: OsqueryGetScheduledActionResults - parameters: - - description: The schedule ID of the scheduled query. - in: path - name: scheduleId - required: true - schema: - description: The schedule ID of the scheduled query. - example: pack_my_pack_uptime - type: string - - description: The execution count for this scheduled query run. - in: path - name: executionCount - required: true - schema: - description: The execution count for this scheduled query run. - example: 3 - type: integer - - description: The kuery to filter the results by. - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. The default is 1. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. The default is 20. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field that is used to sort the results. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: Specifies the sort order. 
- in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - responses: - '200': - content: - application/json: - examples: - scheduledActionResultsExample: - summary: Example scheduled action results response - value: - aggregations: - failed: 1 - pending: 0 - successful: 9 - totalResponded: 10 - totalRowCount: 42 - currentPage: 0 - edges: - - _id: result-001 - fields: - agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 - rows_count: 5 - status: success - metadata: - executionCount: 3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - timestamp: '2024-07-26T09:00:00.000Z' - pageSize: 20 - total: 10 - totalPages: 1 - schema: - $ref: '#/components/schemas/Security_Osquery_API_GetScheduledActionResultsResponse' - description: Indicates a successful call. - summary: Get scheduled action results - tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}/results
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get paginated query result rows (the actual osquery output data) for a specific scheduled query execution. - operationId: OsqueryGetScheduledQueryResults - parameters: - - description: The schedule ID of the scheduled query. - in: path - name: scheduleId - required: true - schema: - description: The schedule ID of the scheduled query. - example: pack_my_pack_uptime - type: string - - description: The execution count for this scheduled query run. - in: path - name: executionCount - required: true - schema: - description: The execution count for this scheduled query run. - example: 3 - type: integer - - description: The kuery to filter the results by. - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. The default is 1. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. The default is 20. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field that is used to sort the results. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: Specifies the sort order. - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - - description: The start date filter (ISO 8601) to narrow down results. - in: query - name: startDate - required: false - schema: - description: The start date filter (ISO 8601) to narrow down results. 
- example: '2024-01-01T00:00:00Z' - type: string - responses: - '200': - content: - application/json: - examples: - scheduledQueryResultsExample: - summary: Example scheduled query results response - value: - data: - edges: - - _id: row-001 - fields: - host.uptime: - - '12345' - - _id: row-002 - fields: - host.uptime: - - '67890' - total: 2 - schema: - $ref: '#/components/schemas/Security_Osquery_API_GetScheduledQueryResultsResponse' - description: Indicates a successful call. - summary: Get scheduled query results - tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/pinned_event: - patch: - description: |- - **Spaces method and path for this operation:** - -
patch /s/{space_id}/api/pinned_event
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Pin/unpin an event to/from an existing Timeline. - operationId: PersistPinnedEventRoute - requestBody: - content: - application/json: - examples: - pinEvent: - summary: Pin an event - value: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - schema: - type: object - properties: - eventId: - description: The `_id` of the associated event for this pinned event. - example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - type: string - pinnedEventId: - description: The `savedObjectId` of the pinned event you want to unpin. - example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 - nullable: true - type: string - timelineId: - description: The `savedObjectId` of the timeline that you want this pinned event unpinned from. - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - type: string - required: - - eventId - - timelineId - description: The pinned event to add or unpin, along with additional metadata. - required: true - responses: - '200': - content: - application/json: - examples: - pinnedSaved: - summary: Pinned event saved object - value: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - pinnedEventId: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzQ2LDFe - unpinned: - summary: Unpin response - value: - unpinned: true - schema: - $ref: '#/components/schemas/Security_Timeline_API_PersistPinnedEventResponse' - description: Indicates a successful call. - summary: Pin/unpin an event - tags: - - Security Timeline API - x-metaTags: - - content: Kibana - name: product_name - /api/risk_score/engine/dangerously_delete_data: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/risk_score/engine/dangerously_delete_data
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Cleaning up the the Risk Engine by removing the indices, mapping and transforms - operationId: CleanUpRiskEngine - responses: - '200': - content: - application/json: - examples: - CleanUpRiskEngineResponse: - summary: Successful cleanup response - value: - cleanup_successful: true - schema: - type: object - properties: - cleanup_successful: - type: boolean - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' - description: Task manager is unavailable - default: - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse' - description: Unexpected error - summary: Cleanup the Risk Engine - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/risk_score/engine/saved_object/configure: - patch: - description: |- - **Spaces method and path for this operation:** - -
patch /s/{space_id}/api/risk_score/engine/saved_object/configure
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Configuring the Risk Engine Saved Object - operationId: ConfigureRiskEngineSavedObject - requestBody: - content: - application/json: - examples: - ConfigureRiskEngineSavedObjectRequest: - summary: Configure the risk engine saved object - value: - enable_reset_to_zero: false - exclude_alert_statuses: - - closed - exclude_alert_tags: - - low-priority - filters: - - entity_types: - - host - - user - filter: 'host.name: *' - range: - end: now - start: now-30d - schema: - type: object - properties: - enable_reset_to_zero: - type: boolean - exclude_alert_statuses: - items: - type: string - type: array - exclude_alert_tags: - items: - type: string - type: array - filters: - items: - type: object - properties: - entity_types: - items: - enum: - - host - - user - - service - type: string - type: array - filter: - description: KQL filter string - type: string - required: - - entity_types - - filter - type: array - range: - type: object - properties: - end: - type: string - start: - type: string - required: true - responses: - '200': - content: - application/json: - examples: - ConfigureRiskEngineSavedObjectResponse: - summary: Successful configuration response - value: - risk_engine_saved_object_configured: true - schema: - type: object - properties: - risk_engine_saved_object_configured: - type: boolean - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' - description: Task manager is unavailable - default: - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse' - description: Unexpected error - summary: Configure the Risk Engine Saved Object - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - 
/api/risk_score/engine/schedule_now: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/risk_score/engine/schedule_now
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Schedule the risk scoring engine to run as soon as possible. You can use this to recalculate entity risk scores after updating their asset criticality. - operationId: ScheduleRiskEngineNow - requestBody: - content: - application/json: {} - responses: - '200': - content: - application/json: - examples: - ScheduleRiskEngineNowResponse: - summary: Successful schedule response - value: - success: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' - description: Task manager is unavailable - default: - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse' - description: Unexpected error - summary: Run the risk scoring engine - tags: - - Security Entity Analytics API - x-metaTags: - - content: Kibana - name: product_name - /api/saved_objects/_bulk_create: - post: - deprecated: true - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/saved_objects/_bulk_create
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create multiple Kibana saved objects. - - WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the import API for your use case. - NOTE: For forward compatibility, include `coreMigrationVersion` and `typeMigrationVersion` when creating saved objects outside of Kibana or when persisting raw saved objects outside of Kibana. - operationId: bulkCreateSavedObjects - parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - - description: When true, overwrites the document with the same identifier. - in: query - name: overwrite - schema: - type: boolean - requestBody: - content: - application/json: - schema: - items: - type: object - properties: - coreMigrationVersion: - description: | - The Kibana version that last migrated this document. When creating saved objects outside of Kibana, preserve this field to retain forward compatibility. - type: string - typeMigrationVersion: - description: | - The type version that last migrated this document. When creating saved objects outside of Kibana, preserve this field to retain forward compatibility. - type: string - type: array - required: true - responses: - '200': - content: - application/json: - schema: - type: object - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request - summary: Create saved objects - tags: - - saved objects - x-metaTags: - - content: Kibana - name: product_name - /api/saved_objects/_bulk_delete: - post: - deprecated: true - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/saved_objects/_bulk_delete
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - WARNING: When you delete a saved object, it cannot be recovered. - - WARNING: This API is intended to be removed in a future Elastic stack version. There is currently no alternative API for all use cases supported by this API. Once alternative APIs are provided in a future Elastic version, it will be possible to migrate away from this API. - operationId: bulkDeleteSavedObjects - parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - - description: | - When true, force delete objects that exist in multiple namespaces. Note that the option applies to the whole request. Use the delete object API to specify per-object deletion behavior. TIP: Use this if you attempted to delete objects and received an HTTP 400 error with the following message: "Unable to delete saved object that exists in multiple namespaces, use the force option to delete it anyway". WARNING: When you bulk delete objects that exist in multiple namespaces, the API also deletes legacy url aliases that reference the object. These requests are batched to minimise the impact but they can place a heavy load on Kibana. Make sure you limit the number of objects that exist in multiple namespaces in a single bulk delete operation. - in: query - name: force - schema: - type: boolean - requestBody: - content: - application/json: - schema: - items: - type: object - type: array - required: true - responses: - '200': - content: - application/json: - schema: - type: object - description: | - Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body. 
- '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request - summary: Delete saved objects - tags: - - saved objects - x-metaTags: - - content: Kibana - name: product_name - /api/saved_objects/_bulk_get: - post: - deprecated: true - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/saved_objects/_bulk_get
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve multiple Kibana saved objects by identifier. - - WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the export API for your use case. - operationId: bulkGetSavedObjects - parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - requestBody: - content: - application/json: - schema: - items: - type: object - type: array - required: true - responses: - '200': - content: - application/json: - schema: - type: object - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request - summary: Get saved objects - tags: - - saved objects - x-metaTags: - - content: Kibana - name: product_name - /api/saved_objects/_bulk_resolve: - post: - deprecated: true - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/saved_objects/_bulk_resolve
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve multiple Kibana saved objects by identifier using any legacy URL aliases if they exist. Under certain circumstances when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved by the bulk resolve API using either its new ID or its old ID. - - WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the export API for your use case. - operationId: bulkResolveSavedObjects - parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - requestBody: - content: - application/json: - schema: - items: - type: object - type: array - required: true - responses: - '200': - content: - application/json: - schema: - type: object - description: | - Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request - summary: Resolve saved objects - tags: - - saved objects - x-metaTags: - - content: Kibana - name: product_name - /api/saved_objects/_bulk_update: - post: - deprecated: true - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/saved_objects/_bulk_update
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update the attributes for multiple Kibana saved objects. - - WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the import API for your use case. - operationId: bulkUpdateSavedObjects - parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - requestBody: - content: - application/json: - schema: - items: - type: object - type: array - required: true - responses: - '200': - content: - application/json: - schema: - type: object - description: | - Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request - summary: Update saved objects - tags: - - saved objects - x-metaTags: - - content: Kibana - name: product_name - /api/saved_objects/_export: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/saved_objects/_export
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve sets of saved objects that you want to import into Kibana. You must include `type` or `objects` in the request body. The output of exporting saved objects must be treated as opaque. Tampering with exported data risks introducing unspecified errors and data loss. - - Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana. - - NOTE: The exported saved objects include `coreMigrationVersion` and `typeMigrationVersion` metadata. If you store exported saved objects outside of Kibana (for example in NDJSON files) or generate them yourself, you must preserve or include these fields to retain forward compatibility across Kibana versions. - - NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be exported. - operationId: post-saved-objects-export - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - exportSavedObjectsRequest: - summary: Export a specific saved object. - value: - excludeExportDetails: true - includeReferencesDeep: false - objects: - - id: de71f4f0-1902-11e9-919b-ffe5949a18d2 - type: map - schema: - additionalProperties: false - type: object - properties: - excludeExportDetails: - default: false - description: Do not add export details entry at the end of the stream. 
- type: boolean - hasReference: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - type: - type: string - required: - - type - - id - - items: - additionalProperties: false - type: object - properties: - id: - type: string - type: - type: string - required: - - type - - id - maxItems: 100 - type: array - includeReferencesDeep: - default: false - description: Includes all of the referenced objects in the exported objects. - type: boolean - objects: - description: 'A list of objects to export. NOTE: this optional parameter cannot be combined with the `types` option' - items: - additionalProperties: false - type: object - properties: - id: - type: string - type: - type: string - required: - - type - - id - maxItems: 10000 - type: array - search: - description: Search for documents to export using the Elasticsearch Simple Query String syntax. - type: string - type: - anyOf: - - type: string - - items: - type: string - maxItems: 100 - type: array - description: The saved object types to include in the export. Use `*` to export all the types. Valid options depend on enabled plugins, but may include `visualization`, `dashboard`, `search`, `index-pattern`, `tag`, `config`, `config-global`, `lens`, `map`, `event-annotation-group`, `query`, `url`, `action`, `alert`, `alerting_rule_template`, `apm-indices`, `cases-user-actions`, `cases`, `cases-comments`, `infrastructure-monitoring-log-view`, `ml-trained-model`, `osquery-saved-query`, `osquery-pack`, `osquery-pack-asset`. - responses: - '200': - content: - application/x-ndjson: - examples: - exportSavedObjectsResponse: - summary: The export objects API response contains a JSON record for each exported object. 
- value: - attributes: - description: '' - layerListJSON: '[{"id":"0hmz5","alpha":1,"sourceDescriptor":{"type":"EMS_TMS","isAutoSelect":true,"lightModeDefault":"road_map_desaturated"},"visible":true,"style":{},"type":"EMS_VECTOR_TILE","minZoom":0,"maxZoom":24},{"id":"edh66","label":"Total Requests by Destination","minZoom":0,"maxZoom":24,"alpha":0.5,"sourceDescriptor":{"type":"EMS_FILE","id":"world_countries","tooltipProperties":["name","iso2"]},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e","origin":"join"},"color":"Greys","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"STATIC","options":{"size":10}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR","joins":[{"leftField":"iso2","right":{"type":"ES_TERM_SOURCE","id":"673ff994-fc75-4c67-909b-69fcb0e1060e","indexPatternTitle":"kibana_sample_data_logs","term":"geo.dest","indexPatternRefName":"layer_1_join_0_index_pattern","metrics":[{"type":"count","label":"web logs count"}],"applyGlobalQuery":true}}]},{"id":"gaxya","label":"Actual 
Requests","minZoom":9,"maxZoom":24,"alpha":1,"sourceDescriptor":{"id":"b7486535-171b-4d3b-bb2e-33c1a0a2854c","type":"ES_SEARCH","geoField":"geo.coordinates","limit":2048,"filterByMapBounds":true,"tooltipProperties":["clientip","timestamp","host","request","response","machine.os","agent","bytes"],"indexPatternRefName":"layer_2_source_index_pattern","applyGlobalQuery":true,"scalingType":"LIMIT"},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"STATIC","options":{"color":"#2200ff"}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":2}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"bytes","origin":"source"},"minSize":1,"maxSize":23,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"},{"id":"tfi3f","label":"Total Requests and Bytes","minZoom":0,"maxZoom":9,"alpha":1,"sourceDescriptor":{"type":"ES_GEO_GRID","resolution":"COARSE","id":"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b","geoField":"geo.coordinates","requestType":"point","metrics":[{"type":"count","label":"web logs 
count"},{"type":"sum","field":"bytes"}],"indexPatternRefName":"layer_3_source_index_pattern","applyGlobalQuery":true},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"color":"Blues","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#cccccc"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"sum_of_bytes","origin":"source"},"minSize":7,"maxSize":25,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelText":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelSize":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"minSize":12,"maxSize":24,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"}]' - mapStateJSON: '{"zoom":3.64,"center":{"lon":-88.92107,"lat":42.16337},"timeFilters":{"from":"now-7d","to":"now"},"refreshConfig":{"isPaused":true,"interval":0},"query":{"language":"kuery","query":""},"settings":{"autoFitToDataBounds":false}}' - title: '[Logs] Total Requests and Bytes' - uiStateJSON: '{"isDarkMode":false}' - coreMigrationVersion: 8.8.0 - created_at: '2023-08-23T20:03:32.204Z' - id: de71f4f0-1902-11e9-919b-ffe5949a18d2 - managed: false - references: - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: layer_1_join_0_index_pattern - type: index-pattern - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: layer_2_source_index_pattern - type: index-pattern - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: layer_3_source_index_pattern - type: index-pattern - type: map - typeMigrationVersion: 8.4.0 - updated_at: '2023-08-23T20:03:32.204Z' - version: WzEzLDFd - schema: {} - description: Indicates a successfull call. 
- '400': - content: - application/json: - schema: - additionalProperties: false - description: Indicates an unsuccessful response. - type: object - properties: - error: - type: string - message: - type: string - statusCode: - enum: - - 400 - type: integer - required: - - error - - message - - statusCode - description: Bad request. - summary: Export saved objects - tags: - - saved objects - x-metaTags: - - content: Kibana - name: product_name - /api/saved_objects/_find: - get: - deprecated: true - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/saved_objects/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve a paginated set of Kibana saved objects. - - WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the export API for your use case. - operationId: findSavedObjects - parameters: - - description: | - An aggregation structure, serialized as a string. The field format is similar to filter, meaning that to use a saved object type attribute in the aggregation, the `savedObjectType.attributes.title: "myTitle"` format must be used. For root fields, the syntax is `savedObjectType.rootField`. NOTE: As objects change in Kibana, the results on each page of the response also change. Use the find API for traditional paginated results, but avoid using it to export large amounts of data. - in: query - name: aggs - schema: - type: string - - description: The default operator to use for the `simple_query_string`. - in: query - name: default_search_operator - schema: - type: string - - description: The fields to return in the attributes key of the response. - in: query - name: fields - schema: - oneOf: - - type: string - - type: array - - description: | - The filter is a KQL string with the caveat that if you filter with an attribute from your saved object type, it should look like that: `savedObjectType.attributes.title: "myTitle"`. However, if you use a root attribute of a saved object such as `updated_at`, you will have to define your filter like that: `savedObjectType.updated_at > 2018-12-22`. - in: query - name: filter - schema: - type: string - - description: Filters to objects that do not have a relationship with the type and identifier combination. - in: query - name: has_no_reference - schema: - type: object - - description: The operator to use for the `has_no_reference` parameter. Either `OR` or `AND`. Defaults to `OR`. 
- in: query - name: has_no_reference_operator - schema: - type: string - - description: Filters to objects that have a relationship with the type and ID combination. - in: query - name: has_reference - schema: - type: object - - description: The operator to use for the `has_reference` parameter. Either `OR` or `AND`. Defaults to `OR`. - in: query - name: has_reference_operator - schema: - type: string - - description: The page of objects to return. - in: query - name: page - schema: - type: integer - - description: The number of objects to return per page. - in: query - name: per_page - schema: - type: integer - - description: An Elasticsearch `simple_query_string` query that filters the objects in the response. - in: query - name: search - schema: - type: string - - description: The fields to perform the `simple_query_string` parsed query against. - in: query - name: search_fields - schema: - oneOf: - - type: string - - type: array - - description: | - Sorts the response. Includes "root" and "type" fields. "root" fields exist for all saved objects, such as "updated_at". "type" fields are specific to an object type, such as fields returned in the attributes key of the response. When a single type is defined in the type parameter, the "root" and "type" fields are allowed, and validity checks are made in that order. When multiple types are defined in the type parameter, only "root" fields are allowed. - in: query - name: sort_field - schema: - type: string - - description: The saved object types to include. - in: query - name: type - required: true - schema: - oneOf: - - type: string - - type: array - responses: - '200': - content: - application/json: - schema: - type: object - description: Indicates a successful call. 
- '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request - summary: Search for saved objects - tags: - - saved objects - x-metaTags: - - content: Kibana - name: product_name - /api/saved_objects/_import: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/saved_objects/_import
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create sets of Kibana saved objects from a file created by the export API. Saved objects can only be imported into the same version, a newer minor on the same major, or the next major. Tampering with exported data risks introducing unspecified errors and data loss. - - Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana. - - NOTE: The exported saved objects include `coreMigrationVersion` and `typeMigrationVersion` metadata. If you store exported saved objects outside of Kibana (for example in NDJSON files) or generate them yourself, you must preserve or include these fields to retain forwards compatibility across Kibana versions. - operationId: post-saved-objects-import - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: 'Overwrites saved objects when they already exist. When used, potential conflict errors are automatically resolved by overwriting the destination object. NOTE: This option cannot be used with the `createNewCopies` option.' - in: query - name: overwrite - required: false - schema: - default: false - type: boolean - - description: 'Creates copies of saved objects, regenerates each object ID, and resets the origin. When used, potential conflict errors are avoided. NOTE: This option cannot be used with the `overwrite` and `compatibilityMode` options.' - in: query - name: createNewCopies - required: false - schema: - default: false - type: boolean - - description: 'Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with imported saved objects. NOTE: This option cannot be used with the `createNewCopies` option.' 
- in: query - name: compatibilityMode - required: false - schema: - default: false - type: boolean - requestBody: - content: - multipart/form-data: - examples: - importObjectsRequest: - value: - file: file.ndjson - schema: - additionalProperties: false - type: object - properties: - file: - description: 'A file exported using the export API. Changing the contents of the exported file in any way before importing it can cause errors, crashes or data loss. NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be included in this file. Similarly, the `savedObjects.maxImportPayloadBytes` setting limits the overall size of the file that can be imported.' - type: object - required: - - file - responses: - '200': - content: - application/json: - examples: - importObjectsResponse: - summary: The import objects API response indicates a successful import and the objects are created. Since these objects are created as new copies, each entry in the successResults array includes a destinationId attribute. - value: - success: true - successCount: 1 - successResults: - - destinationId: 82d2760c-468f-49cf-83aa-b9a35b6a8943 - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - managed: false - meta: - icon: indexPatternApp - title: Kibana Sample Data Logs - type: index-pattern - schema: - additionalProperties: false - type: object - properties: - errors: - description: |- - Indicates the import was unsuccessful and specifies the objects that failed to import. - - NOTE: One object may result in multiple errors, which requires separate steps to resolve. For instance, a `missing_references` error and conflict error. - items: - additionalProperties: true - type: object - properties: {} - type: array - success: - description: Indicates when the import was successfully completed. When set to false, some objects may not have been created. For additional information, refer to the `errors` and `successResults` properties. 
- type: boolean - successCount: - description: Indicates the number of successfully imported records. - type: number - successResults: - description: |- - Indicates the objects that are successfully imported, with any metadata if applicable. - - NOTE: Objects are created only when all resolvable errors are addressed, including conflicts and missing references. If objects are created as new copies, each entry in the `successResults` array includes a `destinationId` attribute. - items: - additionalProperties: true - type: object - properties: {} - type: array - required: - - success - - successCount - - errors - - successResults - description: Indicates a successful call. - '400': - content: - application/json: - schema: - additionalProperties: false - description: Indicates an unsuccessful response. - type: object - properties: - error: - type: string - message: - type: string - statusCode: - enum: - - 400 - type: integer - required: - - error - - message - - statusCode - description: Bad request. - summary: Import saved objects - tags: - - saved objects - x-codeSamples: - - label: Import with createNewCopies - lang: cURL - source: | - curl \ - -X POST api/saved_objects/_import?createNewCopies=true - -H "kbn-xsrf: true" - --form file=@file.ndjson - x-metaTags: - - content: Kibana - name: product_name - /api/saved_objects/_resolve_import_errors: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/saved_objects/_resolve_import_errors
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - To resolve errors from the Import objects API, you can: - - * Retry certain saved objects - * Overwrite specific saved objects - * Change references to different saved objects - operationId: resolveImportErrors - parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - - description: | - Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. When enabled during the initial import, also enable when resolving import errors. This option cannot be used with the `createNewCopies` option. - in: query - name: compatibilityMode - required: false - schema: - type: boolean - - description: | - Creates copies of the saved objects, regenerates each object ID, and resets the origin. When enabled during the initial import, also enable when resolving import errors. - in: query - name: createNewCopies - required: false - schema: - type: boolean - requestBody: - content: - multipart/form-data: - examples: - resolveImportErrorsRequest: - $ref: '#/components/examples/Saved_objects_resolve_missing_reference_request' - schema: - type: object - properties: - file: - description: The same file given to the import API. - format: binary - type: string - retries: - description: The retry operations, which can specify how to resolve different types of errors. - items: - type: object - properties: - destinationId: - description: Specifies the destination ID that the imported object should have, if different from the current ID. - type: string - id: - description: The saved object ID. - type: string - ignoreMissingReferences: - description: When set to `true`, ignores missing reference errors. When set to `false`, does nothing. - type: boolean - overwrite: - description: When set to `true`, the source object overwrites the conflicting destination object. When set to `false`, does nothing. 
- type: boolean - replaceReferences: - description: A list of `type`, `from`, and `to` used to change the object references. - items: - type: object - properties: - from: - type: string - to: - type: string - type: - type: string - type: array - type: - description: The saved object type. - type: string - required: - - type - - id - type: array - required: - - retries - required: true - responses: - '200': - content: - application/json: - examples: - resolveImportErrorsResponse: - $ref: '#/components/examples/Saved_objects_resolve_missing_reference_response' - schema: - type: object - properties: - errors: - description: | - Specifies the objects that failed to resolve. - - NOTE: One object can result in multiple errors, which requires separate steps to resolve. For instance, a `missing_references` error and a `conflict` error. - items: - type: object - type: array - success: - description: | - Indicates a successful import. When set to `false`, some objects may not have been created. For additional information, refer to the `errors` and `successResults` properties. - type: boolean - successCount: - description: | - Indicates the number of successfully resolved records. - type: number - successResults: - description: | - Indicates the objects that are successfully imported, with any metadata if applicable. - - NOTE: Objects are only created when all resolvable errors are addressed, including conflict and missing references. - items: - type: object - type: array - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request. - summary: Resolve import errors - tags: - - saved objects - x-metaTags: - - content: Kibana - name: product_name - /api/saved_objects/{type}: - post: - deprecated: true - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/saved_objects/{type}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a Kibana saved object with a randomly generated identifier. - - WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the import API for your use case. - NOTE: For forward compatibility, include `coreMigrationVersion` and `typeMigrationVersion` when creating saved objects outside of Kibana or when persisting raw saved objects outside of Kibana. - operationId: createSavedObject - parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - - $ref: '#/components/parameters/Saved_objects_saved_object_type' - - description: If true, overwrites the document with the same identifier. - in: query - name: overwrite - schema: - type: boolean - requestBody: - content: - application/json: - schema: - type: object - properties: - attributes: - $ref: '#/components/schemas/Saved_objects_attributes' - coreMigrationVersion: - description: | - The Kibana version that last migrated this document. When creating saved objects outside of Kibana, preserve this field to retain forward compatibility. - type: string - initialNamespaces: - $ref: '#/components/schemas/Saved_objects_initial_namespaces' - references: - $ref: '#/components/schemas/Saved_objects_references' - typeMigrationVersion: - description: | - The type version that last migrated this document. When creating saved objects outside of Kibana, preserve this field to retain forward compatibility. - type: string - required: - - attributes - required: true - responses: - '200': - content: - application/json: - schema: - type: object - description: Indicates a successful call. - '409': - content: - application/json: - schema: - type: object - description: Indicates a conflict error. 
- summary: Create a saved object - tags: - - saved objects - x-metaTags: - - content: Kibana - name: product_name - /api/saved_objects/{type}/{id}: - get: - deprecated: true - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/saved_objects/{type}/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve a single Kibana saved object by identifier. - - WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the export API for your use case. - operationId: getSavedObject - parameters: - - $ref: '#/components/parameters/Saved_objects_saved_object_id' - - $ref: '#/components/parameters/Saved_objects_saved_object_type' - responses: - '200': - content: - application/json: - schema: - type: object - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request. - summary: Get a saved object - tags: - - saved objects - x-metaTags: - - content: Kibana - name: product_name - post: - deprecated: true - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/saved_objects/{type}/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a Kibana saved object and specify its identifier instead of using a randomly generated ID. - - WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the import API for your use case. - NOTE: For forward compatibility, include `coreMigrationVersion` and `typeMigrationVersion` when creating saved objects outside of Kibana or when persisting raw saved objects outside of Kibana. - operationId: createSavedObjectId - parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - - $ref: '#/components/parameters/Saved_objects_saved_object_id' - - $ref: '#/components/parameters/Saved_objects_saved_object_type' - - description: If true, overwrites the document with the same identifier. - in: query - name: overwrite - schema: - type: boolean - requestBody: - content: - application/json: - schema: - type: object - properties: - attributes: - $ref: '#/components/schemas/Saved_objects_attributes' - coreMigrationVersion: - description: | - The Kibana version that last migrated this document. When creating saved objects outside of Kibana, preserve this field to retain forward compatibility. - type: string - initialNamespaces: - $ref: '#/components/schemas/Saved_objects_initial_namespaces' - references: - $ref: '#/components/schemas/Saved_objects_references' - typeMigrationVersion: - description: | - The type version that last migrated this document. When creating saved objects outside of Kibana, preserve this field to retain forward compatibility. - type: string - required: - - attributes - required: true - responses: - '200': - content: - application/json: - schema: - type: object - description: Indicates a successful call. - '409': - content: - application/json: - schema: - type: object - description: Indicates a conflict error. 
- summary: Create a saved object - tags: - - saved objects - x-metaTags: - - content: Kibana - name: product_name - put: - deprecated: true - description: | - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/saved_objects/{type}/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update the attributes for Kibana saved objects. - - WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the import API for your use case. - operationId: updateSavedObject - parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - - $ref: '#/components/parameters/Saved_objects_saved_object_id' - - $ref: '#/components/parameters/Saved_objects_saved_object_type' - requestBody: - content: - application/json: - schema: - type: object - required: true - responses: - '200': - content: - application/json: - schema: - type: object - description: Indicates a successful call. - '404': - content: - application/json: - schema: - type: object - description: Indicates the object was not found. - '409': - content: - application/json: - schema: - type: object - description: Indicates a conflict error. - summary: Update a saved object - tags: - - saved objects - x-metaTags: - - content: Kibana - name: product_name - /api/saved_objects/resolve/{type}/{id}: - get: - deprecated: true - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/saved_objects/resolve/{type}/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve a single Kibana saved object by identifier using any legacy URL alias if it exists. Under certain circumstances, when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved using either its new ID or its old ID. - - WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the export API for your use case. - operationId: resolveSavedObject - parameters: - - $ref: '#/components/parameters/Saved_objects_saved_object_id' - - $ref: '#/components/parameters/Saved_objects_saved_object_type' - responses: - '200': - content: - application/json: - schema: - type: object - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request. - summary: Resolve a saved object - tags: - - saved objects - x-metaTags: - - content: Kibana - name: product_name - /api/security_ai_assistant/anonymization_fields/_bulk_action: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/security_ai_assistant/anonymization_fields/_bulk_action
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Apply a bulk action to multiple anonymization fields. The bulk action is applied to all anonymization fields that match the filter or to the list of anonymization fields by their IDs. - operationId: PerformAnonymizationFieldsBulkAction - requestBody: - content: - application/json: - schema: - example: - create: - - allowed: true - anonymized: false - field: host.name - - allowed: false - anonymized: true - field: user.name - delete: - ids: - - field5 - - field6 - query: 'field: host.name' - update: - - allowed: true - anonymized: false - id: field8 - - allowed: false - anonymized: true - id: field9 - type: object - properties: - create: - description: Array of anonymization fields to create. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps' - type: array - delete: - description: Object containing the query to filter anonymization fields and/or an array of anonymization field IDs to delete. - type: object - properties: - ids: - description: Array of IDs to apply the action to. - example: - - '1234' - - '5678' - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter the bulk action. - example: 'status: ''inactive''' - type: string - update: - description: Array of anonymization fields to update. 
- items: - $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps' - type: array - responses: - '200': - content: - application/json: - example: - anonymization_fields_count: 5 - attributes: - results: - created: - - allowed: false - anonymized: true - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: host.name - id: field2 - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - deleted: - - field3 - skipped: - - id: field4 - name: user.name - skip_reason: ANONYMIZATION_FIELD_NOT_MODIFIED - updated: - - allowed: true - anonymized: false - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: url.domain - id: field8 - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - summary: - failed: 1 - skipped: 1 - succeeded: 2 - total: 5 - message: Bulk action completed successfully - status_code: 200 - success: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse' - description: Indicates a successful call. - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request body - statusCode: 400 - schema: - type: object - properties: - error: - description: Error type or name. - type: string - message: - description: Detailed error message. - type: string - statusCode: - description: Status code of the response. - type: number - description: Generic Error - summary: Apply a bulk action to anonymization fields - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana - name: product_name - /api/security_ai_assistant/anonymization_fields/_find: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/security_ai_assistant/anonymization_fields/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all anonymization fields. - operationId: FindAnonymizationFields - parameters: - - description: Fields to return - example: - - id - - field - - anonymized - - allowed - in: query - name: fields - required: false - schema: - items: - type: string - type: array - - description: Search query - example: 'field: "user.name"' - in: query - name: filter - required: false - schema: - type: string - - description: Field to sort by - example: created_at - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField' - - description: Sort order - example: asc - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - - description: Page number - example: 1 - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: integer - - description: AnonymizationFields per page - example: 20 - in: query - name: per_page - required: false - schema: - default: 20 - minimum: 0 - type: integer - - description: If true, additionally fetch all anonymization fields, otherwise fetch only the provided page - in: query - name: all_data - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - example: - aggregations: - anonymized: - buckets: - allowed: - doc_count: 1 - anonymized: - doc_count: 1 - denied: - doc_count: 1 - all: - - allowed: true - anonymized: true - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: user.name - id: '1' - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - data: - - allowed: true - anonymized: true - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: user.name - id: '1' - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: 
'2023-10-31T12:00:00Z' - updatedBy: user1 - page: 1 - perPage: 20 - total: 100 - schema: - type: object - properties: - aggregations: - type: object - properties: - field_status: - type: object - properties: - buckets: - type: object - properties: - allowed: - type: object - properties: - doc_count: - default: 0 - type: integer - anonymized: - type: object - properties: - doc_count: - default: 0 - type: integer - denied: - type: object - properties: - doc_count: - default: 0 - type: integer - all: - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' - type: array - data: - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - required: - - page - - perPage - - total - - data - description: Successful response - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters - statusCode: 400 - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - summary: Get anonymization fields - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana - name: product_name - /api/security_ai_assistant/chat/complete: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/security_ai_assistant/chat/complete
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a model response for the given chat conversation. - operationId: ChatComplete - parameters: - - description: If true, the response will not include content references. - example: false - in: query - name: content_references_disabled - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - example: - connectorId: conn-001 - conversationId: abc123 - isStream: true - langSmithApiKey: sk-abc123 - langSmithProject: security_ai_project - messages: - - content: What are some common phishing techniques? - data: - user_id: user_789 - fields_to_anonymize: - - user.name - - source.ip - role: user - model: gpt-4 - persist: true - promptId: prompt_456 - responseLanguage: en - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' - required: true - responses: - '200': - content: - application/octet-stream: - schema: - format: binary - type: string - description: Indicates a successful model response call. - '400': - content: - application/json: - schema: - type: object - properties: - error: - description: Error type. - example: Bad Request - type: string - message: - description: Human-readable error message. - example: Invalid request payload. - type: string - statusCode: - description: HTTP status code. - example: 400 - type: number - description: Generic Error - summary: Create a model response - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana - name: product_name - /api/security_ai_assistant/current_user/conversations: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/security_ai_assistant/current_user/conversations
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - This endpoint allows users to permanently delete all conversations. - operationId: DeleteAllConversations - requestBody: - content: - application/json: - schema: - type: object - properties: - excludedIds: - description: Optional list of conversation IDs to delete. - example: - - abc123 - - def456 - items: - type: string - type: array - required: false - responses: - '200': - content: - application/json: - example: - success: true - schema: - type: object - properties: - failures: - items: - type: string - type: array - success: - example: true - type: boolean - totalDeleted: - example: 10 - type: number - description: Indicates a successful call. The conversations were deleted successfully. - '400': - content: - application/json: - schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid conversation ID - type: string - statusCode: - example: 400 - type: number - description: Generic Error. This response indicates an issue with the request. - summary: Delete conversations - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/security_ai_assistant/current_user/conversations
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new Security AI Assistant conversation. This endpoint allows the user to initiate a conversation with the Security AI Assistant by providing the required parameters. - operationId: CreateConversation - requestBody: - content: - application/json: - example: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - excludeFromLastConversationStorage: false - messages: - - content: Hello, how can I assist you today? - role: system - timestamp: '2023-10-31T12:00:00Z' - replacements: {} - title: Security Discussion - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCreateProps' - required: true - responses: - '200': - content: - application/json: - example: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - createdAt: '2023-10-31T12:01:00Z' - excludeFromLastConversationStorage: false - id: abc123 - messages: - - content: Hello, how can I assist you today? - role: system - timestamp: '2023-10-31T12:00:00Z' - replacements: {} - title: Security Discussion - updatedAt: '2023-10-31T12:01:00Z' - users: - - id: user1 - name: John Doe - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' - description: Indicates a successful call. The conversation was created successfully. - '400': - content: - application/json: - schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: 'Missing required parameter: title' - type: string - statusCode: - example: 400 - type: number - description: Generic Error. This response indicates an issue with the request, such as missing required parameters or incorrect data. 
- summary: Create a conversation - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana - name: product_name - /api/security_ai_assistant/current_user/conversations/_find: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/security_ai_assistant/current_user/conversations/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all conversations for the current user. This endpoint allows users to search, filter, sort, and paginate through their conversations. - operationId: FindConversations - parameters: - - description: A list of fields to include in the response. If omitted, all fields are returned. - in: query - name: fields - required: false - schema: - example: - - id - - title - - createdAt - items: - type: string - type: array - - description: A search query to filter the conversations. Can match against titles, messages, or other conversation attributes. - in: query - name: filter - required: false - schema: - example: Security Issue - type: string - - description: The field by which to sort the results. Valid fields are `created_at`, `title`, and `updated_at`. - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_FindConversationsSortField' - example: created_at - - description: The order in which to sort the results. Can be either `asc` for ascending or `desc` for descending. - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - example: desc - - description: The page number of the results to retrieve. Default is 1. - in: query - name: page - required: false - schema: - default: 1 - example: 1 - minimum: 1 - type: integer - - description: The number of conversations to return per page. Default is 20. - in: query - name: per_page - required: false - schema: - default: 20 - example: 20 - minimum: 0 - type: integer - - description: Whether to return conversations that the current user owns. If true, only conversations owned by the user are returned. 
- in: query - name: is_owner - required: false - schema: - default: false - example: true - type: boolean - responses: - '200': - content: - application/json: - schema: - type: object - properties: - data: - description: A list of conversations. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' - type: array - page: - description: The current page of the results. - example: 1 - type: integer - perPage: - description: The number of results returned per page. - example: 20 - type: integer - total: - description: The total number of conversations matching the filter criteria. - example: 100 - type: integer - required: - - page - - perPage - - total - - data - description: Successful response, returns a paginated list of conversations matching the specified criteria. - '400': - content: - application/json: - schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid filter query parameter - type: string - statusCode: - example: 400 - type: number - description: Generic Error. The request could not be processed due to an invalid query parameter or other issue. - summary: Get conversations - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana - name: product_name - /api/security_ai_assistant/current_user/conversations/{id}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete an existing conversation using the conversation ID. This endpoint allows users to permanently delete a conversation. - operationId: DeleteConversation - parameters: - - description: The conversation's `id` value. - example: abc123 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - responses: - '200': - content: - application/json: - example: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - createdAt: '2023-10-31T12:01:00Z' - excludeFromLastConversationStorage: false - id: abc123 - messages: - - content: The conversation has been deleted. - role: system - timestamp: '2023-10-31T12:35:00Z' - replacements: {} - title: Deleted Security Discussion - updatedAt: '2023-10-31T12:01:00Z' - users: - - id: user1 - name: John Doe - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' - description: Indicates a successful call. The conversation was deleted successfully. - '400': - content: - application/json: - schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid conversation ID - type: string - statusCode: - example: 400 - type: number - description: Generic Error. This response indicates an issue with the request. - summary: Delete a conversation - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the details of an existing conversation using the conversation ID. This allows users to fetch the specific conversation data by its unique ID. - operationId: ReadConversation - parameters: - - description: The conversation's `id` value, a unique identifier for the conversation. - example: abc123 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - responses: - '200': - content: - application/json: - example: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - createdAt: '2023-10-31T12:01:00Z' - excludeFromLastConversationStorage: false - id: abc123 - messages: - - content: Hello, how can I assist you today? - role: system - timestamp: '2023-10-31T12:00:00Z' - replacements: {} - title: Security Discussion - updatedAt: '2023-10-31T12:01:00Z' - users: - - id: user1 - name: John Doe - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' - description: Indicates a successful call. The conversation details are returned. - '400': - content: - application/json: - schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid conversation ID - type: string - statusCode: - example: 400 - type: number - description: Generic Error. The request could not be processed due to an error. - summary: Get a conversation - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an existing conversation using the conversation ID. This endpoint allows users to modify the details of an existing conversation. - operationId: UpdateConversation - parameters: - - description: The conversation's `id` value. - example: abc123 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - requestBody: - content: - application/json: - example: - apiConfig: - actionTypeId: '09876' - connectorId: '54321' - category: insights - excludeFromLastConversationStorage: true - messages: - - content: The issue was resolved. - role: assistant - timestamp: '2023-10-31T12:30:00Z' - replacements: {} - title: Updated Security Discussion - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps' - required: true - responses: - '200': - content: - application/json: - example: - apiConfig: - actionTypeId: '09876' - connectorId: '54321' - category: insights - createdAt: '2023-10-31T12:01:00Z' - excludeFromLastConversationStorage: true - id: abc123 - messages: - - content: The issue was resolved. - role: assistant - timestamp: '2023-10-31T12:30:00Z' - replacements: {} - title: Updated Security Discussion - updatedAt: '2023-10-31T12:31:00Z' - users: - - id: user1 - name: John Doe - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' - description: Indicates a successful call. The conversation was updated successfully. - '400': - content: - application/json: - schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: 'Missing required field: title' - type: string - statusCode: - example: 400 - type: number - description: Generic Error. This response indicates an issue with the request, such as missing required parameters or incorrect data. 
- summary: Update a conversation - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana - name: product_name - /api/security_ai_assistant/knowledge_base: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/security_ai_assistant/knowledge_base
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Read a single KB - operationId: GetKnowledgeBase - responses: - '200': - content: - application/json: - examples: - KnowledgeBaseReadResponse200Example2: - summary: A response that returns information about the knowledge base. - value: - defend_insights_exists: true - elser_exists: false - is_setup_available: true - is_setup_in_progress: true - product_documentation_status: installed - security_labs_exists: false - user_data_exists: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200' - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' - description: Generic Error - summary: Read a KnowledgeBase - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana - name: product_name - post: - operationId: PostKnowledgeBase - parameters: - - description: ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used. - example: elser-model-001 - in: query - name: modelId - required: false - schema: - type: string - - description: Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base. Defaults to `false`. - example: true - in: query - name: ignoreSecurityLabs - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - KnowledgeBaseResponse200Example2: - summary: A response that indicates that the request was successful. - value: - success: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse' - description: Indicates a successful call. 
- '400': - content: - application/json: - examples: - KnowledgeBaseResponse400Example2: - summary: A response for a request that failed due to an invalid query parameter value. - value: | - statusCode: 400 error: Bad Request message: "[request query]: ignoreSecurityLabs: Invalid enum value. Expected 'true' | 'false', received 'yes', ignoreSecurityLabs: Expected boolean, received string" - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' - description: Generic Error - summary: Create a KnowledgeBase - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/security_ai_assistant/knowledge_base
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - /api/security_ai_assistant/knowledge_base/{resource}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/security_ai_assistant/knowledge_base/{resource}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Read a knowledge base with a specific resource identifier. - operationId: ReadKnowledgeBase - parameters: - - description: The KnowledgeBase `resource` value. - example: kb12345 - in: path - name: resource - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - KnowledgeBaseReadResponse200Example1: - summary: A response that returns information about the knowledge base. - value: - defend_insights_exists: true - elser_exists: false - is_setup_available: true - is_setup_in_progress: true - product_documentation_status: installed - security_labs_exists: false - user_data_exists: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200' - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' - description: Generic Error - summary: Read a KnowledgeBase for a resource - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/security_ai_assistant/knowledge_base/{resource}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a knowledge base with a specific resource identifier. - operationId: CreateKnowledgeBase - parameters: - - description: The KnowledgeBase `resource` value. - example: kb12345 - in: path - name: resource - required: true - schema: - type: string - - description: ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used. - example: elser-model-001 - in: query - name: modelId - required: false - schema: - type: string - - description: Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base. Defaults to `false`. - example: true - in: query - name: ignoreSecurityLabs - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - KnowledgeBaseResponse200Example1: - summary: A response that indicates that the request was successful. - value: - success: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse' - description: Indicates a successful call. - '400': - content: - application/json: - examples: - KnowledgeBaseResponse400Example1: - summary: A response for a request that failed due to an invalid query parameter value. - value: | - statusCode: 400 error: Bad Request message: "[request query]: ignoreSecurityLabs: Invalid enum value. Expected 'true' | 'false', received 'yes', ignoreSecurityLabs: Expected boolean, received string" - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' - description: Generic Error - summary: Create a KnowledgeBase for a resource - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana - name: product_name - /api/security_ai_assistant/knowledge_base/entries: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/security_ai_assistant/knowledge_base/entries
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a Knowledge Base Entry - operationId: CreateKnowledgeBaseEntry - requestBody: - content: - application/json: - example: - content: To reset your password, go to the settings page and click 'Reset Password'. - tags: - - password - - reset - - help - title: How to reset a password - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps' - required: true - responses: - '200': - content: - application/json: - example: - content: To reset your password, go to the settings page and click 'Reset Password'. - id: '12345' - tags: - - password - - reset - - help - title: How to reset a password - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' - description: Successful request returning Knowledge Base Entries - '400': - content: - application/json: - example: - error: Invalid input - message: The 'title' field is required. - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' - description: A generic error occurred, such as invalid input or missing required fields. - summary: Create a Knowledge Base Entry - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana - name: product_name - /api/security_ai_assistant/knowledge_base/entries/_bulk_action: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/_bulk_action
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - The bulk action is applied to all Knowledge Base Entries that match the filter or to the list of Knowledge Base Entries by their IDs. - operationId: PerformKnowledgeBaseEntryBulkAction - requestBody: - content: - application/json: - schema: - type: object - properties: - create: - description: List of Knowledge Base Entries to create. - example: - - content: This is the content of the new entry. - title: New Entry - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps' - type: array - delete: - type: object - properties: - ids: - description: Array of Knowledge Base Entry IDs. - example: - - '123' - - '456' - - '789' - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter Knowledge Base Entries. - example: status:active AND category:technology - type: string - update: - description: List of Knowledge Base Entries to update. - example: - - content: Updated content. - id: '123' - title: Updated Entry - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps' - type: array - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse' - description: Successful bulk operation request - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' - description: Generic Error - summary: Applies a bulk action to multiple Knowledge Base Entries - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana - name: product_name - /api/security_ai_assistant/knowledge_base/entries/_find: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Finds Knowledge Base Entries that match the given query. - operationId: FindKnowledgeBaseEntries - parameters: - - description: A list of fields to include in the response. If not provided, all fields will be included. - in: query - name: fields - required: false - schema: - example: - - title - - created_at - items: - type: string - type: array - - description: Search query to filter Knowledge Base Entries by specific criteria. - in: query - name: filter - required: false - schema: - example: error handling - type: string - - description: Field to sort the Knowledge Base Entries by. - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField' - example: created_at - - description: Sort order for the results, either asc or desc. - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - example: asc - - description: Page number for paginated results. Defaults to 1. - in: query - name: page - required: false - schema: - default: 1 - example: 2 - minimum: 1 - type: integer - - description: Number of Knowledge Base Entries to return per page. Defaults to 20. - in: query - name: per_page - required: false - schema: - default: 20 - example: 10 - minimum: 0 - type: integer - responses: - '200': - content: - application/json: - schema: - type: object - properties: - data: - description: The list of Knowledge Base Entries for the current page. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' - type: array - page: - description: The current page number. - example: 1 - type: integer - perPage: - description: The number of Knowledge Base Entries returned per page. - example: 20 - type: integer - total: - description: The total number of Knowledge Base Entries available. 
- example: 100 - type: integer - required: - - page - - perPage - - total - - data - description: Successful response containing the paginated Knowledge Base Entries. - '400': - content: - application/json: - schema: - type: object - properties: - error: - description: A short description of the error. - example: Bad Request - type: string - message: - description: A detailed message explaining the error. - example: 'Invalid query parameter: sort_order' - type: string - statusCode: - description: The HTTP status code of the error. - example: 400 - type: number - description: Generic Error indicating an issue with the request. - summary: Finds Knowledge Base Entries that match the given query. - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana - name: product_name - /api/security_ai_assistant/knowledge_base/entries/{id}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a Knowledge Base Entry by its unique `id`. - operationId: DeleteKnowledgeBaseEntry - parameters: - - description: The unique identifier (`id`) of the Knowledge Base Entry to delete. - example: '12345' - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - responses: - '200': - content: - application/json: - example: - id: '12345' - message: Knowledge Base Entry successfully deleted. - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_DeleteResponseFields' - description: Successful request returning the `id` of the deleted Knowledge Base Entry. - '400': - content: - application/json: - example: - error: Not Found - message: No Knowledge Base Entry found with the provided `id`. - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' - description: A generic error occurred, such as an invalid `id` or the entry not being found. - summary: Deletes a single Knowledge Base Entry using the `id` field - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve a Knowledge Base Entry by its unique `id`. - operationId: ReadKnowledgeBaseEntry - parameters: - - description: The unique identifier (`id`) of the Knowledge Base Entry to retrieve. - example: '12345' - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - responses: - '200': - content: - application/json: - example: - content: To reset your password, go to the settings page and click 'Reset Password'. - id: '12345' - tags: - - password - - reset - - help - title: How to reset a password - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' - description: Successful request returning the requested Knowledge Base Entry. - '400': - content: - application/json: - example: - error: Not Found - message: No Knowledge Base Entry found with the provided `id`. - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' - description: A generic error occurred, such as an invalid `id` or the entry not being found. - summary: Read a Knowledge Base Entry - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an existing Knowledge Base Entry by its unique `id`. - operationId: UpdateKnowledgeBaseEntry - parameters: - - description: The unique identifier (`id`) of the Knowledge Base Entry to update. - example: '12345' - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - requestBody: - content: - application/json: - example: - content: To reset your password, go to the settings page, click 'Reset Password', and follow the instructions. - tags: - - password - - reset - - help - - update - title: How to reset a password (updated) - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps' - required: true - responses: - '200': - content: - application/json: - example: - content: To reset your password, go to the settings page, click 'Reset Password', and follow the instructions. - id: '12345' - tags: - - password - - reset - - help - - update - title: How to reset a password (updated) - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' - description: Successful request returning the updated Knowledge Base Entry. - '400': - content: - application/json: - example: - error: Invalid input - message: The 'content' field cannot be empty. - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' - description: A generic error occurred, such as invalid input or the entry not being found. - summary: Update a Knowledge Base Entry - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana - name: product_name - /api/security_ai_assistant/prompts/_bulk_action: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/security_ai_assistant/prompts/_bulk_action
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Apply a bulk action to multiple prompts. The bulk action is applied to all prompts that match the filter or to the list of prompts by their IDs. This action allows for bulk create, update, or delete operations. - operationId: PerformPromptsBulkAction - requestBody: - content: - application/json: - example: - create: - - content: Please verify the security settings. - name: New Security Prompt - promptType: system - delete: - ids: - - prompt1 - - prompt2 - update: - - content: Updated content for security prompt. - id: prompt123 - schema: - type: object - properties: - create: - description: List of prompts to be created. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_PromptCreateProps' - type: array - delete: - description: Criteria for deleting prompts in bulk. - type: object - properties: - ids: - description: Array of IDs to apply the action to. - example: - - '1234' - - '5678' - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter the bulk action. - example: 'status: ''inactive''' - type: string - update: - description: List of prompts to be updated. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_PromptUpdateProps' - type: array - responses: - '200': - content: - application/json: - examples: - success: - value: - attributes: - errors: [] - results: - created: - - content: Please verify the security settings. - id: prompt6 - name: New Security Prompt - promptType: system - deleted: - - prompt2 - - prompt3 - skipped: - - id: prompt4 - name: Security Prompt - skip_reason: PROMPT_FIELD_NOT_MODIFIED - updated: - - content: Updated security settings prompt - id: prompt1 - name: Security Prompt - promptType: system - summary: - failed: 0 - skipped: 1 - succeeded: 4 - total: 5 - message: Bulk action completed successfully. 
- prompts_count: 5 - status_code: 200 - success: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse' - description: Indicates a successful call with the results of the bulk action. - '400': - content: - application/json: - schema: - type: object - properties: - error: - description: A short error message. - example: Bad Request - type: string - message: - description: A detailed error message. - example: Invalid prompt ID or missing required fields. - type: string - statusCode: - description: The HTTP status code for the error. - example: 400 - type: number - description: Indicates a generic error due to a bad request. - summary: Apply a bulk action to prompts - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana - name: product_name - /api/security_ai_assistant/prompts/_find: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/security_ai_assistant/prompts/_find
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all prompts based on optional filters, sorting, and pagination. - operationId: FindPrompts - parameters: - - description: List of specific fields to include in each returned prompt. - in: query - name: fields - required: false - schema: - example: - - id - - name - - content - items: - type: string - type: array - - description: Search query string to filter prompts by matching fields. - in: query - name: filter - required: false - schema: - example: error handling - type: string - - description: Field to sort prompts by. - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_FindPromptsSortField' - - description: Sort order, either asc or desc. - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - - description: Page number for pagination. - in: query - name: page - required: false - schema: - default: 1 - example: 1 - minimum: 1 - type: integer - - description: Number of prompts per page. - in: query - name: per_page - required: false - schema: - default: 20 - example: 20 - minimum: 0 - type: integer - responses: - '200': - content: - application/json: - schema: - example: - data: - - categories: - - troubleshooting - - logging - color: '#FF5733' - consumer: security - content: If you encounter an error, check the logs and retry. 
- createdAt: '2025-04-20T21:00:00Z' - createdBy: jdoe - id: prompt-123 - isDefault: true - isNewConversationDefault: false - name: Error Troubleshooting Prompt - namespace: default - promptType: standard - timestamp: '2025-04-30T22:30:00Z' - updatedAt: '2025-04-30T22:45:00Z' - updatedBy: jdoe - users: - - full_name: John Doe - username: jdoe - page: 1 - perPage: 20 - total: 142 - type: object - properties: - data: - description: The list of prompts returned based on the search query, sorting, and pagination. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' - type: array - page: - description: Current page number. - example: 1 - type: integer - perPage: - description: Number of prompts per page. - example: 20 - type: integer - total: - description: Total number of prompts matching the query. - example: 142 - type: integer - required: - - page - - perPage - - total - - data - description: Successful response containing a list of prompts. - '400': - content: - application/json: - schema: - type: object - properties: - error: - description: Short error message. - example: Bad Request - type: string - message: - description: Detailed description of the error. - example: Invalid sort order value provided. - type: string - statusCode: - description: HTTP status code for the error. - example: 400 - type: number - description: Bad request due to invalid parameters or malformed query. - summary: Get prompts - tags: - - Security AI Assistant API - x-metaTags: - - content: Kibana - name: product_name - /api/security/entity_store: - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/security/entity_store
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update the Entity Store log extraction configuration.

[Required authorization] Route required privileges: securitySolution. - operationId: put-security-entity-store - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - updateLogExtractionExample: - description: Update the log extraction configuration with a new lookback period and frequency. - summary: Update log extraction settings - value: - logExtraction: - fieldHistoryLength: 15 - frequency: 10m - lookbackPeriod: 6h - schema: - additionalProperties: false - type: object - properties: - logExtraction: - additionalProperties: false - type: object - properties: - additionalIndexPatterns: - items: - type: string - type: array - delay: - pattern: '[smdh]$' - type: string - docsLimit: - maximum: 9007199254740991 - minimum: 1 - type: integer - fieldHistoryLength: - maximum: 9007199254740991 - minimum: -9007199254740991 - type: integer - filter: - type: string - frequency: - pattern: '[smdh]$' - type: string - lookbackPeriod: - pattern: '[smdh]$' - type: string - maxLogsPerPage: - maximum: 9007199254740991 - minimum: 1 - type: integer - required: - - logExtraction - responses: - '200': - content: - application/json: - examples: - updateSuccessExample: - description: The Entity Store configuration was successfully updated. - summary: Entity Store updated - value: - ok: true - description: Indicates a successful response. - '400': - content: - application/json: - examples: - invalidDurationExample: - description: A log extraction parameter has an invalid duration format. - summary: Invalid duration parameter - value: - error: Bad Request - message: '[request body]: logExtraction.frequency: must be a valid duration of at least 30 seconds (e.g. 1m, 30s)' - statusCode: 400 - description: Bad request. 
- '404': - content: - application/json: - examples: - notFoundExample: - description: The Entity Store has not been installed yet. - summary: Entity Store not installed - value: - error: Not Found - message: Entity store is not installed - statusCode: 404 - description: Entity Store not found. - summary: Update the Entity Store - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ - -H "Content-Type: application/json" \ - -d '{"logExtraction":{"lookbackPeriod":"6h","frequency":"10m","fieldHistoryLength":15}}' \ - "${KIBANA_URL}/api/security/entity_store" - - lang: Console - source: | - PUT kbn://api/security/entity_store - { - "logExtraction": { - "lookbackPeriod": "6h", - "frequency": "10m", - "fieldHistoryLength": 15 - } - } - x-metaTags: - - content: Kibana - name: product_name - /api/security/entity_store/entities: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/security/entity_store/entities
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List entity records from the Entity Store with paging, sorting, and filtering. Supports two modes: page-based pagination (page/per_page) and cursor-based pagination (searchAfter). The two modes cannot be combined.

[Required authorization] Route required privileges: securitySolution. - operationId: get-security-entity-store-entities - parameters: - - description: A Kibana Query Language (KQL) filter for the search-after mode. - in: query - name: filter - required: false - schema: - type: string - - description: Number of entities to return in search-after mode. - in: query - name: size - required: false - schema: - maximum: 9007199254740991 - minimum: 1 - type: integer - - description: JSON-encoded search_after value for cursor-based pagination. - in: query - name: searchAfter - required: false - schema: - type: string - - description: Fields to include in the response source. - in: query - name: source - required: false - schema: - items: - type: string - type: array - - description: Fields to include in the response. - in: query - name: fields - required: false - schema: - items: - type: string - type: array - - description: Field to sort results by in page mode. - in: query - name: sort_field - required: false - schema: - type: string - - description: Sort order in page mode. - in: query - name: sort_order - required: false - schema: - enum: - - asc - - desc - type: string - - description: Page number to return (1-indexed) in page mode. - in: query - name: page - required: false - schema: - maximum: 9007199254740991 - minimum: 1 - type: integer - - description: Number of entities per page in page mode. - in: query - name: per_page - required: false - schema: - maximum: 10000 - minimum: 1 - type: integer - - description: An Elasticsearch query string to filter entities in page mode. - in: query - name: filterQuery - required: false - schema: - type: string - - description: Entity types to include in the results. 
- in: query - name: entity_types - required: false - schema: - items: - enum: - - user - - host - - service - - generic - type: string - type: array - responses: - '200': - content: - application/json: - examples: - emptyResultExample: - description: No entities matched the query. - summary: Empty result - value: - page: 1 - per_page: 10 - records: [] - total: 0 - pageModeExample: - description: A paginated list of host entities sorted by timestamp in descending order, including query inspection data. - summary: Page mode response with host entities - value: - inspect: - dsl: - - '{"index":["entities-latest-default"],"body":{"terms":{"entity.EngineMetadata.Type":["host"]}}}' - response: - - '{"took":1,"timed_out":false,"hits":{"total":{"value":1,"relation":"eq"}}}' - page: 1 - per_page: 10 - records: - - '@timestamp': '2026-04-10T08:30:00.000Z' - asset: - criticality: high_impact - environment: production - entity: - attributes: - asset: true - managed: true - id: host:web-server-prod-01 - lifecycle: - first_seen: '2026-01-15T10:00:00.000Z' - last_activity: '2026-04-10T08:30:00.000Z' - name: web-server-prod-01 - risk: - calculated_level: Moderate - calculated_score: 47.5 - calculated_score_norm: 47.5 - source: - - logs - type: host - host: - hostname: - - web-server-prod-01.example.com - ip: - - 10.0.1.42 - name: web-server-prod-01 - os: - name: Ubuntu - type: linux - total: 1 - searchAfterModeExample: - description: A cursor-based response with entities and a search_after token for the next page. - summary: Search-after mode response - value: - entities: - - '@timestamp': '2026-04-10T08:30:00.000Z' - entity: - id: user:jane.doe@example.com - name: jane.doe - type: user - user: - email: - - jane.doe@example.com - name: jane.doe - nextSearchAfter: - - 1712736600000 - - 1 - description: Indicates a successful response. 
- '400': - content: - application/json: - examples: - invalidFilterExample: - description: The provided Kibana Query Language filter could not be parsed. - summary: Invalid filter - value: - error: Bad Request - message: |- - Invalid filter: Expected "(", "{", value, whitespace but ":" found. - invalid :: query - ---------^ - statusCode: 400 - mixedModesExample: - description: Cannot combine page-based pagination with cursor-based pagination in the same request. - summary: Mixed pagination modes - value: - error: Bad Request - message: '[request query]: Cannot combine page/per_page with searchAfter' - statusCode: 400 - description: Bad request. - summary: List entities - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ - "${KIBANA_URL}/api/security/entity_store/entities?entity_types=host&page=1&per_page=10&sort_field=%40timestamp&sort_order=desc" - - lang: Console - source: | - GET kbn://api/security/entity_store/entities?entity_types=host&page=1&per_page=10&sort_field=@timestamp&sort_order=desc - x-metaTags: - - content: Kibana - name: product_name - /api/security/entity_store/entities/: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/security/entity_store/entities/
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a single entity record from the Entity Store. The entity is immediately removed from the latest index.

[Required authorization] Route required privileges: securitySolution. - operationId: delete-security-entity-store-entities - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - deleteEntityExample: - description: Delete a single entity from the Entity Store using its entity identifier. - summary: Delete an entity by identifier - value: - entityId: host:web-server-prod-01 - schema: - additionalProperties: false - type: object - properties: - entityId: - description: The identifier of the entity to delete. - type: string - required: - - entityId - responses: - '200': - content: - application/json: - examples: - deleteSuccessExample: - description: The entity was found and successfully removed from the latest index. - summary: Entity deleted - value: - deleted: true - description: Indicates the entity was successfully deleted. - '404': - content: - application/json: - examples: - notFoundExample: - description: No entity with the specified identifier exists in the Entity Store. - summary: Entity not found - value: - error: Not Found - message: Entity ID 'host:web-server-prod-01' not found - statusCode: 404 - description: Entity not found. - summary: Delete an entity - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X DELETE -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ - -H "Content-Type: application/json" \ - -d '{"entityId":"host:web-server-prod-01"}' \ - "${KIBANA_URL}/api/security/entity_store/entities/" - - lang: Console - source: | - DELETE kbn://api/security/entity_store/entities/ - { - "entityId": "host:web-server-prod-01" - } - x-metaTags: - - content: Kibana - name: product_name - /api/security/entity_store/entities/{entityType}: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/security/entity_store/entities/{entityType}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new entity record in the Entity Store for the specified entity type.

[Required authorization] Route required privileges: securitySolution. - operationId: post-security-entity-store-entities-entitytype - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The entity type to create. - in: path - name: entityType - required: true - schema: - enum: - - user - - host - - service - - generic - type: string - requestBody: - content: - application/json: - examples: - createHostEntityExample: - description: Create a new host entity record with basic host and entity fields. The entity identifier must match the auto-generated format for the entity type. - summary: Create a host entity - value: - asset: - business_unit: Engineering - criticality: high_impact - environment: production - entity: - attributes: - asset: true - managed: true - id: host:web-server-prod-01 - name: web-server-prod-01 - source: - - manual - type: host - host: - hostname: - - web-server-prod-01.example.com - ip: - - 10.0.1.42 - name: web-server-prod-01 - schema: - anyOf: - - additionalProperties: false - type: object - properties: - '@timestamp': - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - asset: - additionalProperties: false - type: object - properties: - business_unit: - type: string - criticality: - anyOf: - - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - - nullable: true - environment: - type: string - id: - type: string - model: - type: string - name: - type: string - owner: - type: string - serial_number: - type: string - vendor: - type: string - entity: - additionalProperties: false - type: object - properties: - attributes: - 
additionalProperties: false - type: object - properties: - asset: - type: boolean - known_redirects: - items: - type: string - type: array - managed: - type: boolean - mfa_enabled: - type: boolean - oauth_consent_restriction: - type: string - permissions: - items: - type: string - type: array - storage_class: - type: string - watchlists: - items: - type: string - type: array - behaviors: - additionalProperties: false - type: object - properties: - anomaly_job_ids: - items: - type: string - type: array - rule_names: - items: - type: string - type: array - EngineMetadata: - additionalProperties: false - type: object - properties: - Type: - type: string - id: - type: string - lifecycle: - additionalProperties: false - type: object - properties: - first_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_activity: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - name: - type: string - relationships: - additionalProperties: false - type: object - properties: - accesses_frequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - 
type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - accesses_infrequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - administers: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - communicates_with: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - 
type: array - user.name: - items: - type: string - type: array - depends_on: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns_inferred: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - resolution: - additionalProperties: false - type: object - properties: - resolved_to: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - 
calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - supervises: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - schema_version: - type: string - source: - items: - type: string - type: array - sub_type: - type: string - type: - type: string - url: - type: string - event: - additionalProperties: false - type: object - properties: - ingested: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - labels: - additionalProperties: {} - type: object - properties: {} - tags: - items: - type: string - type: array - user: - additionalProperties: false - type: object - properties: - domain: - items: - type: string - type: array - email: - items: - type: string - type: array - full_name: - items: - type: string - type: array - hash: - items: - type: string - type: array - id: - items: - type: string - type: array - name: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: 
- - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - roles: - items: - type: string - type: array - - additionalProperties: false - type: object - properties: - '@timestamp': - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - asset: - additionalProperties: false - type: object - properties: - business_unit: - type: string - criticality: - anyOf: - - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - - nullable: true - environment: - type: string - id: - type: string - model: - type: string - name: - type: string - owner: - type: string - serial_number: - type: string - vendor: - type: string - entity: - additionalProperties: false - type: object - properties: - attributes: - additionalProperties: false - type: object - properties: - asset: - type: boolean - known_redirects: - items: - type: string - type: array - managed: - type: boolean - mfa_enabled: - type: boolean - oauth_consent_restriction: - type: string - permissions: - items: - type: string - type: array - storage_class: - type: string - watchlists: - items: - type: string - type: array - behaviors: - additionalProperties: false - type: object - properties: - anomaly_job_ids: - items: - type: string - type: array - rule_names: - items: - type: string - type: array - EngineMetadata: - additionalProperties: false - type: object - properties: - Type: - type: string - id: - type: string - lifecycle: - additionalProperties: false - type: object - properties: - first_seen: - format: date-time - pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_activity: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - name: - type: string - relationships: - additionalProperties: false - type: object - properties: - accesses_frequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - accesses_infrequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - 
user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - administers: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - communicates_with: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - depends_on: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - 
properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns_inferred: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - resolution: - additionalProperties: false - type: object - properties: - resolved_to: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - supervises: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical 
- type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - schema_version: - type: string - source: - items: - type: string - type: array - sub_type: - type: string - type: - type: string - url: - type: string - event: - additionalProperties: false - type: object - properties: - ingested: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - host: - additionalProperties: false - type: object - properties: - architecture: - items: - type: string - type: array - domain: - items: - type: string - type: array - hostname: - items: - type: string - type: array - id: - items: - type: string - type: array - ip: - items: - type: string - type: array - mac: - items: - type: string - type: array - name: - type: string - os: - additionalProperties: false - type: object - properties: - family: - type: string - full: - type: string - kernel: - type: string - name: - anyOf: - - type: string - - items: - type: string - type: array - platform: - type: string - type: - anyOf: - - type: string - - items: - type: string - type: array - version: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - type: - items: - type: string - type: array - labels: - additionalProperties: {} - type: object - properties: {} - tags: - items: - type: string - type: array - - additionalProperties: false - type: object - properties: - '@timestamp': - format: date-time - pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - asset: - additionalProperties: false - type: object - properties: - business_unit: - type: string - criticality: - anyOf: - - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - - nullable: true - environment: - type: string - id: - type: string - model: - type: string - name: - type: string - owner: - type: string - serial_number: - type: string - vendor: - type: string - entity: - additionalProperties: false - type: object - properties: - attributes: - additionalProperties: false - type: object - properties: - asset: - type: boolean - known_redirects: - items: - type: string - type: array - managed: - type: boolean - mfa_enabled: - type: boolean - oauth_consent_restriction: - type: string - permissions: - items: - type: string - type: array - storage_class: - type: string - watchlists: - items: - type: string - type: array - behaviors: - additionalProperties: false - type: object - properties: - anomaly_job_ids: - items: - type: string - type: array - rule_names: - items: - type: string - type: array - EngineMetadata: - additionalProperties: false - type: object - properties: - Type: - type: string - id: - type: string - lifecycle: - additionalProperties: false - type: object - properties: - first_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_activity: - format: date-time - pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - name: - type: string - relationships: - additionalProperties: false - type: object - properties: - accesses_frequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - accesses_infrequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - administers: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: 
object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - communicates_with: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - depends_on: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: 
- items: - type: string - type: array - owns_inferred: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - resolution: - additionalProperties: false - type: object - properties: - resolved_to: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - supervises: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - schema_version: - type: string - source: - items: - type: string - type: array - sub_type: - type: string - type: - type: string - url: - type: string - event: - additionalProperties: false - type: object - 
properties: - ingested: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - labels: - additionalProperties: {} - type: object - properties: {} - service: - additionalProperties: false - type: object - properties: - address: - type: string - environment: - type: string - ephemeral_id: - type: string - id: - type: string - name: - type: string - node: - additionalProperties: false - type: object - properties: - name: - type: string - role: - type: string - roles: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - state: - type: string - type: - type: string - version: - type: string - tags: - items: - type: string - type: array - - additionalProperties: false - type: object - properties: - '@timestamp': - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - asset: - additionalProperties: false - type: object - properties: - business_unit: - type: string - criticality: - anyOf: - - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - - nullable: true - environment: - type: string - id: - type: string - model: - type: string - name: - type: string - owner: - type: string - serial_number: - type: string - vendor: - type: string - cloud: - additionalProperties: false - type: 
object - properties: - account: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - availability_zone: - type: string - instance: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - machine: - additionalProperties: false - type: object - properties: - type: - type: string - project: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - provider: - type: string - region: - type: string - service: - additionalProperties: false - type: object - properties: - name: - type: string - entity: - additionalProperties: false - type: object - properties: - attributes: - additionalProperties: false - type: object - properties: - asset: - type: boolean - known_redirects: - items: - type: string - type: array - managed: - type: boolean - mfa_enabled: - type: boolean - oauth_consent_restriction: - type: string - permissions: - items: - type: string - type: array - storage_class: - type: string - watchlists: - items: - type: string - type: array - behaviors: - additionalProperties: false - type: object - properties: - anomaly_job_ids: - items: - type: string - type: array - rule_names: - items: - type: string - type: array - EngineMetadata: - additionalProperties: false - type: object - properties: - Type: - type: string - id: - type: string - lifecycle: - additionalProperties: false - type: object - properties: - first_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_activity: - format: date-time - pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - name: - type: string - relationships: - additionalProperties: false - type: object - properties: - accesses_frequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - accesses_infrequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - administers: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: 
object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - communicates_with: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - depends_on: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: 
- items: - type: string - type: array - owns_inferred: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - resolution: - additionalProperties: false - type: object - properties: - resolved_to: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - supervises: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - schema_version: - type: string - source: - items: - type: string - type: array - sub_type: - type: string - type: - type: string - url: - type: string - event: - additionalProperties: false - type: object - 
properties: - ingested: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - labels: - additionalProperties: {} - type: object - properties: {} - orchestrator: - additionalProperties: false - type: object - properties: - api_version: - type: string - cluster: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - url: - type: string - version: - type: string - namespace: - type: string - organization: - type: string - resource: - additionalProperties: false - type: object - properties: - annotation: - type: string - id: - type: string - ip: - type: string - label: - type: string - name: - type: string - parent: - additionalProperties: false - type: object - properties: - type: - type: string - type: - type: string - type: - type: string - tags: - items: - type: string - type: array - responses: - '200': - content: - application/json: - examples: - createSuccessExample: - description: The entity record was successfully created in the Entity Store. - summary: Entity created - value: - ok: true - description: Indicates the entity was successfully created. - '400': - content: - application/json: - examples: - euidMismatchExample: - description: The supplied entity identifier does not match the auto-generated identifier derived from the entity fields. - summary: Entity identifier mismatch - value: - error: Bad Request - message: 'Bad request: Supplied ID my-custom-id does not match generated EUID host:web-server-prod-01' - statusCode: 400 - description: Bad request. - '409': - content: - application/json: - examples: - conflictExample: - description: An entity with the specified identifier already exists. 
- summary: Entity already exists - value: - error: Conflict - message: Entity ID 'host:web-server-prod-01' already exists - statusCode: 409 - description: Conflict. - summary: Create an entity - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ - -H "Content-Type: application/json" \ - -d '{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","source":["manual"],"attributes":{"asset":true}},"host":{"name":"web-server-prod-01","ip":["10.0.1.42"]}}' \ - "${KIBANA_URL}/api/security/entity_store/entities/host" - - lang: Console - source: | - POST kbn://api/security/entity_store/entities/host - { - "entity": { - "id": "host:web-server-prod-01", - "name": "web-server-prod-01", - "type": "host", - "source": ["manual"], - "attributes": { "asset": true } - }, - "host": { - "name": "web-server-prod-01", - "ip": ["10.0.1.42"] - } - } - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/security/entity_store/entities/{entityType}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an existing entity record in the Entity Store. By default only certain fields can be updated. Set the `force` query parameter to `true` to update protected fields.

[Required authorization] Route required privileges: securitySolution. - operationId: put-security-entity-store-entities-entitytype - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The entity type to update. - in: path - name: entityType - required: true - schema: - enum: - - user - - host - - service - - generic - type: string - - description: When true, allows updating protected fields. - in: query - name: force - required: false - schema: - anyOf: - - enum: - - 'true' - - 'false' - type: string - - type: boolean - default: false - requestBody: - content: - application/json: - examples: - updateEntityAttributesExample: - description: Update the attributes of an existing user entity. Fields like entity.name and entity.type are protected and require the force query parameter. - summary: Update entity attributes - value: - entity: - attributes: - managed: true - mfa_enabled: true - id: user:jane.doe@example.com - lifecycle: - last_activity: '2026-04-10T14:30:00.000Z' - name: jane.doe - type: user - user: - email: - - jane.doe@example.com - name: jane.doe - roles: - - admin - - analyst - schema: - anyOf: - - additionalProperties: false - type: object - properties: - '@timestamp': - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - asset: - additionalProperties: false - type: object - properties: - business_unit: - type: string - criticality: - anyOf: - - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - - nullable: true - environment: - type: string - id: - type: string - model: - type: string - name: - type: string - owner: - type: 
string - serial_number: - type: string - vendor: - type: string - entity: - additionalProperties: false - type: object - properties: - attributes: - additionalProperties: false - type: object - properties: - asset: - type: boolean - known_redirects: - items: - type: string - type: array - managed: - type: boolean - mfa_enabled: - type: boolean - oauth_consent_restriction: - type: string - permissions: - items: - type: string - type: array - storage_class: - type: string - watchlists: - items: - type: string - type: array - behaviors: - additionalProperties: false - type: object - properties: - anomaly_job_ids: - items: - type: string - type: array - rule_names: - items: - type: string - type: array - EngineMetadata: - additionalProperties: false - type: object - properties: - Type: - type: string - id: - type: string - lifecycle: - additionalProperties: false - type: object - properties: - first_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_activity: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - name: - type: string - relationships: - additionalProperties: false - type: object - properties: - accesses_frequently: - 
additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - accesses_infrequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - administers: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - communicates_with: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - 
type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - depends_on: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns_inferred: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - resolution: - additionalProperties: false - type: object - properties: - resolved_to: - type: string - risk: - 
additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - supervises: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - schema_version: - type: string - source: - items: - type: string - type: array - sub_type: - type: string - type: - type: string - url: - type: string - event: - additionalProperties: false - type: object - properties: - ingested: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - labels: - additionalProperties: {} - type: object - properties: {} - tags: - items: - type: string - type: array - user: - additionalProperties: false - type: object - properties: - domain: - items: - type: string - type: array - email: - items: - type: string - type: array - full_name: - items: - type: string - type: array - hash: - items: - type: string - type: array - id: 
- items: - type: string - type: array - name: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - roles: - items: - type: string - type: array - - additionalProperties: false - type: object - properties: - '@timestamp': - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - asset: - additionalProperties: false - type: object - properties: - business_unit: - type: string - criticality: - anyOf: - - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - - nullable: true - environment: - type: string - id: - type: string - model: - type: string - name: - type: string - owner: - type: string - serial_number: - type: string - vendor: - type: string - entity: - additionalProperties: false - type: object - properties: - attributes: - additionalProperties: false - type: object - properties: - asset: - type: boolean - known_redirects: - items: - type: string - type: array - managed: - type: boolean - mfa_enabled: - type: boolean - oauth_consent_restriction: - type: string - permissions: - items: - type: string - type: array - storage_class: - type: string - watchlists: - items: - type: string - type: array - behaviors: - additionalProperties: false - type: object - properties: - anomaly_job_ids: - items: - type: string - type: array - rule_names: - items: - type: string - type: array - EngineMetadata: - additionalProperties: false - type: object - properties: - Type: - type: string - id: - type: string - lifecycle: - additionalProperties: false - type: object 
- properties: - first_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_activity: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - name: - type: string - relationships: - additionalProperties: false - type: object - properties: - accesses_frequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - accesses_infrequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: 
array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - administers: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - communicates_with: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - depends_on: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - 
raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns_inferred: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - resolution: - additionalProperties: false - type: object - properties: - resolved_to: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - supervises: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: 
- enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - schema_version: - type: string - source: - items: - type: string - type: array - sub_type: - type: string - type: - type: string - url: - type: string - event: - additionalProperties: false - type: object - properties: - ingested: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - host: - additionalProperties: false - type: object - properties: - architecture: - items: - type: string - type: array - domain: - items: - type: string - type: array - hostname: - items: - type: string - type: array - id: - items: - type: string - type: array - ip: - items: - type: string - type: array - mac: - items: - type: string - type: array - name: - type: string - os: - additionalProperties: false - type: object - properties: - family: - type: string - full: - type: string - kernel: - type: string - name: - anyOf: - - type: string - - items: - type: string - type: array - platform: - type: string - type: - anyOf: - - type: string - - items: - type: string - type: array - version: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - type: - items: - type: string - type: array - labels: - additionalProperties: {} - type: object - properties: {} - tags: - items: - type: string - type: array - - additionalProperties: false - type: object - properties: - '@timestamp': - format: date-time - pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - asset: - additionalProperties: false - type: object - properties: - business_unit: - type: string - criticality: - anyOf: - - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - - nullable: true - environment: - type: string - id: - type: string - model: - type: string - name: - type: string - owner: - type: string - serial_number: - type: string - vendor: - type: string - entity: - additionalProperties: false - type: object - properties: - attributes: - additionalProperties: false - type: object - properties: - asset: - type: boolean - known_redirects: - items: - type: string - type: array - managed: - type: boolean - mfa_enabled: - type: boolean - oauth_consent_restriction: - type: string - permissions: - items: - type: string - type: array - storage_class: - type: string - watchlists: - items: - type: string - type: array - behaviors: - additionalProperties: false - type: object - properties: - anomaly_job_ids: - items: - type: string - type: array - rule_names: - items: - type: string - type: array - EngineMetadata: - additionalProperties: false - type: object - properties: - Type: - type: string - id: - type: string - lifecycle: - additionalProperties: false - type: object - properties: - first_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_activity: - format: date-time - pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - name: - type: string - relationships: - additionalProperties: false - type: object - properties: - accesses_frequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - accesses_infrequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - administers: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: 
object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - communicates_with: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - depends_on: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: 
- items: - type: string - type: array - owns_inferred: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - resolution: - additionalProperties: false - type: object - properties: - resolved_to: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - supervises: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - schema_version: - type: string - source: - items: - type: string - type: array - sub_type: - type: string - type: - type: string - url: - type: string - event: - additionalProperties: false - type: object - 
properties: - ingested: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - labels: - additionalProperties: {} - type: object - properties: {} - service: - additionalProperties: false - type: object - properties: - address: - type: string - environment: - type: string - ephemeral_id: - type: string - id: - type: string - name: - type: string - node: - additionalProperties: false - type: object - properties: - name: - type: string - role: - type: string - roles: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - state: - type: string - type: - type: string - version: - type: string - tags: - items: - type: string - type: array - - additionalProperties: false - type: object - properties: - '@timestamp': - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - asset: - additionalProperties: false - type: object - properties: - business_unit: - type: string - criticality: - anyOf: - - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - - nullable: true - environment: - type: string - id: - type: string - model: - type: string - name: - type: string - owner: - type: string - serial_number: - type: string - vendor: - type: string - cloud: - additionalProperties: false - type: 
object - properties: - account: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - availability_zone: - type: string - instance: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - machine: - additionalProperties: false - type: object - properties: - type: - type: string - project: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - provider: - type: string - region: - type: string - service: - additionalProperties: false - type: object - properties: - name: - type: string - entity: - additionalProperties: false - type: object - properties: - attributes: - additionalProperties: false - type: object - properties: - asset: - type: boolean - known_redirects: - items: - type: string - type: array - managed: - type: boolean - mfa_enabled: - type: boolean - oauth_consent_restriction: - type: string - permissions: - items: - type: string - type: array - storage_class: - type: string - watchlists: - items: - type: string - type: array - behaviors: - additionalProperties: false - type: object - properties: - anomaly_job_ids: - items: - type: string - type: array - rule_names: - items: - type: string - type: array - EngineMetadata: - additionalProperties: false - type: object - properties: - Type: - type: string - id: - type: string - lifecycle: - additionalProperties: false - type: object - properties: - first_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_activity: - format: date-time - pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - name: - type: string - relationships: - additionalProperties: false - type: object - properties: - accesses_frequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - accesses_infrequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - administers: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: 
object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - communicates_with: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - depends_on: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: 
- items: - type: string - type: array - owns_inferred: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - resolution: - additionalProperties: false - type: object - properties: - resolved_to: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - supervises: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - schema_version: - type: string - source: - items: - type: string - type: array - sub_type: - type: string - type: - type: string - url: - type: string - event: - additionalProperties: false - type: object - 
properties: - ingested: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - labels: - additionalProperties: {} - type: object - properties: {} - orchestrator: - additionalProperties: false - type: object - properties: - api_version: - type: string - cluster: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - url: - type: string - version: - type: string - namespace: - type: string - organization: - type: string - resource: - additionalProperties: false - type: object - properties: - annotation: - type: string - id: - type: string - ip: - type: string - label: - type: string - name: - type: string - parent: - additionalProperties: false - type: object - properties: - type: - type: string - type: - type: string - type: - type: string - tags: - items: - type: string - type: array - responses: - '200': - content: - application/json: - examples: - updateSuccessExample: - description: The entity record was successfully updated. - summary: Entity updated - value: - ok: true - description: Indicates the entity was successfully updated. - '400': - content: - application/json: - examples: - protectedFieldsExample: - description: The request attempts to update protected fields without the force query parameter. - summary: Protected fields without force - value: - error: Bad Request - message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type' - statusCode: 400 - description: Bad request. - '404': - content: - application/json: - examples: - notFoundExample: - description: No entity with the specified identifier exists. 
- summary: Entity not found - value: - error: Not Found - message: Entity ID 'user:jane.doe@example.com' not found - statusCode: 404 - description: Entity not found. - summary: Update an entity - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ - -H "Content-Type: application/json" \ - -d '{"entity":{"id":"user:jane.doe@example.com","name":"jane.doe","type":"user","attributes":{"managed":true,"mfa_enabled":true}},"user":{"name":"jane.doe"}}' \ - "${KIBANA_URL}/api/security/entity_store/entities/user?force=true" - - lang: Console - source: | - PUT kbn://api/security/entity_store/entities/user?force=true - { - "entity": { - "id": "user:jane.doe@example.com", - "name": "jane.doe", - "type": "user", - "attributes": { "managed": true, "mfa_enabled": true } - }, - "user": { "name": "jane.doe" } - } - x-metaTags: - - content: Kibana - name: product_name - /api/security/entity_store/entities/bulk: - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/security/entity_store/entities/bulk
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update multiple entity records in the Entity Store in a single request.

[Required authorization] Route required privileges: securitySolution. - operationId: put-security-entity-store-entities-bulk - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: When true, allows updating protected fields. - in: query - name: force - required: false - schema: - anyOf: - - enum: - - 'true' - - 'false' - type: string - - type: boolean - default: false - requestBody: - content: - application/json: - examples: - bulkUpdateExample: - description: Update a host entity and a user entity in a single request. - summary: Bulk update multiple entities - value: - entities: - - doc: - entity: - attributes: - asset: true - id: host:web-server-prod-01 - name: web-server-prod-01 - type: host - host: - name: web-server-prod-01 - type: host - - doc: - entity: - attributes: - managed: true - id: user:jane.doe@example.com - name: jane.doe - type: user - user: - name: jane.doe - type: user - schema: - additionalProperties: false - type: object - properties: - entities: - description: The entities to update. 
- items: - type: object - properties: - doc: - anyOf: - - additionalProperties: false - type: object - properties: - '@timestamp': - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - asset: - additionalProperties: false - type: object - properties: - business_unit: - type: string - criticality: - anyOf: - - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - - nullable: true - environment: - type: string - id: - type: string - model: - type: string - name: - type: string - owner: - type: string - serial_number: - type: string - vendor: - type: string - entity: - additionalProperties: false - type: object - properties: - attributes: - additionalProperties: false - type: object - properties: - asset: - type: boolean - known_redirects: - items: - type: string - type: array - managed: - type: boolean - mfa_enabled: - type: boolean - oauth_consent_restriction: - type: string - permissions: - items: - type: string - type: array - storage_class: - type: string - watchlists: - items: - type: string - type: array - behaviors: - additionalProperties: false - type: object - properties: - anomaly_job_ids: - items: - type: string - type: array - rule_names: - items: - type: string - type: array - EngineMetadata: - additionalProperties: false - type: object - properties: - Type: - type: string - id: - type: string - lifecycle: - additionalProperties: false - type: object - properties: - first_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - 
type: string - last_activity: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - name: - type: string - relationships: - additionalProperties: false - type: object - properties: - accesses_frequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - accesses_infrequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - administers: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: 
array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - communicates_with: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - depends_on: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: 
array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns_inferred: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - resolution: - additionalProperties: false - type: object - properties: - resolved_to: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - supervises: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - schema_version: - type: string - source: - items: - type: string - type: array - sub_type: - type: string - type: - type: string - url: - type: 
string - event: - additionalProperties: false - type: object - properties: - ingested: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - labels: - additionalProperties: {} - type: object - properties: {} - tags: - items: - type: string - type: array - user: - additionalProperties: false - type: object - properties: - domain: - items: - type: string - type: array - email: - items: - type: string - type: array - full_name: - items: - type: string - type: array - hash: - items: - type: string - type: array - id: - items: - type: string - type: array - name: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - roles: - items: - type: string - type: array - - additionalProperties: false - type: object - properties: - '@timestamp': - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - asset: - additionalProperties: false - type: object - properties: - business_unit: - type: string - criticality: - anyOf: - - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - - nullable: true - environment: - type: string - id: - type: string - model: - type: string - name: - type: string - owner: - type: string - serial_number: - type: string - vendor: - type: string - entity: - additionalProperties: false - type: 
object - properties: - attributes: - additionalProperties: false - type: object - properties: - asset: - type: boolean - known_redirects: - items: - type: string - type: array - managed: - type: boolean - mfa_enabled: - type: boolean - oauth_consent_restriction: - type: string - permissions: - items: - type: string - type: array - storage_class: - type: string - watchlists: - items: - type: string - type: array - behaviors: - additionalProperties: false - type: object - properties: - anomaly_job_ids: - items: - type: string - type: array - rule_names: - items: - type: string - type: array - EngineMetadata: - additionalProperties: false - type: object - properties: - Type: - type: string - id: - type: string - lifecycle: - additionalProperties: false - type: object - properties: - first_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_activity: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - name: - type: string - relationships: - additionalProperties: false - type: object - properties: - accesses_frequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - 
raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - accesses_infrequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - administers: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - communicates_with: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - 
type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - depends_on: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns_inferred: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - resolution: - additionalProperties: false - type: object - properties: - resolved_to: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate 
- - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - supervises: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - schema_version: - type: string - source: - items: - type: string - type: array - sub_type: - type: string - type: - type: string - url: - type: string - event: - additionalProperties: false - type: object - properties: - ingested: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - host: - additionalProperties: false - type: object - properties: - architecture: - items: - type: string - type: array - domain: - items: - type: string - type: array - hostname: - items: - type: string - type: array - id: - items: - type: string - type: array - ip: - items: - type: string - type: array - mac: - items: - type: string - type: array - name: - type: string - os: - additionalProperties: false - type: object - properties: - family: - type: string - full: - type: string - kernel: 
- type: string - name: - anyOf: - - type: string - - items: - type: string - type: array - platform: - type: string - type: - anyOf: - - type: string - - items: - type: string - type: array - version: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - type: - items: - type: string - type: array - labels: - additionalProperties: {} - type: object - properties: {} - tags: - items: - type: string - type: array - - additionalProperties: false - type: object - properties: - '@timestamp': - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - asset: - additionalProperties: false - type: object - properties: - business_unit: - type: string - criticality: - anyOf: - - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - - nullable: true - environment: - type: string - id: - type: string - model: - type: string - name: - type: string - owner: - type: string - serial_number: - type: string - vendor: - type: string - entity: - additionalProperties: false - type: object - properties: - attributes: - additionalProperties: false - type: object - properties: - asset: - type: boolean - known_redirects: - items: - type: string - type: array - managed: - type: boolean - mfa_enabled: - type: boolean - oauth_consent_restriction: - type: string - permissions: - items: - type: string - type: array - storage_class: - type: string - watchlists: - items: - type: string - type: array - behaviors: - additionalProperties: false - type: object - properties: - anomaly_job_ids: 
- items: - type: string - type: array - rule_names: - items: - type: string - type: array - EngineMetadata: - additionalProperties: false - type: object - properties: - Type: - type: string - id: - type: string - lifecycle: - additionalProperties: false - type: object - properties: - first_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_activity: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - name: - type: string - relationships: - additionalProperties: false - type: object - properties: - accesses_frequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - accesses_infrequently: - additionalProperties: false - type: object - properties: - 
ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - administers: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - communicates_with: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - depends_on: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - 
user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns_inferred: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - resolution: - additionalProperties: false - type: object - properties: - resolved_to: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - supervises: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - 
type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - schema_version: - type: string - source: - items: - type: string - type: array - sub_type: - type: string - type: - type: string - url: - type: string - event: - additionalProperties: false - type: object - properties: - ingested: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - labels: - additionalProperties: {} - type: object - properties: {} - service: - additionalProperties: false - type: object - properties: - address: - type: string - environment: - type: string - ephemeral_id: - type: string - id: - type: string - name: - type: string - node: - additionalProperties: false - type: object - properties: - name: - type: string - role: - type: string - roles: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - state: - type: string - type: - type: string - version: - type: string - tags: - items: - type: string - type: array - - additionalProperties: false - type: object - properties: - '@timestamp': - format: date-time - pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - asset: - additionalProperties: false - type: object - properties: - business_unit: - type: string - criticality: - anyOf: - - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - - nullable: true - environment: - type: string - id: - type: string - model: - type: string - name: - type: string - owner: - type: string - serial_number: - type: string - vendor: - type: string - cloud: - additionalProperties: false - type: object - properties: - account: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - availability_zone: - type: string - instance: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - machine: - additionalProperties: false - type: object - properties: - type: - type: string - project: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - provider: - type: string - region: - type: string - service: - additionalProperties: false - type: object - properties: - name: - type: string - entity: - additionalProperties: false - type: object - properties: - attributes: - additionalProperties: false - type: object - properties: - asset: - type: boolean - known_redirects: - items: - type: string - type: array - managed: - type: boolean - mfa_enabled: - type: boolean - oauth_consent_restriction: - type: string - permissions: - items: - type: string - type: array - storage_class: - type: string - watchlists: - items: - type: string - type: array - behaviors: - additionalProperties: false - type: object - properties: - anomaly_job_ids: - items: - type: string - type: array - rule_names: - items: - type: 
string - type: array - EngineMetadata: - additionalProperties: false - type: object - properties: - Type: - type: string - id: - type: string - lifecycle: - additionalProperties: false - type: object - properties: - first_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_activity: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - last_seen: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - name: - type: string - relationships: - additionalProperties: false - type: object - properties: - accesses_frequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - accesses_infrequently: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - 
additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - administers: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - communicates_with: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - depends_on: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - 
items: - type: string - type: array - user.name: - items: - type: string - type: array - owns: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - owns_inferred: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string - type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - resolution: - additionalProperties: false - type: object - properties: - resolved_to: - type: string - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - supervises: - additionalProperties: false - type: object - properties: - ids: - items: - type: string - type: array - raw_identifiers: - additionalProperties: false - type: object - properties: - entity.id: - items: - type: string - type: array - host.id: - items: - type: string - type: array - host.name: - items: - type: string - type: array - service.name: - items: - type: string - type: array - user.email: - items: - type: string 
- type: array - user.id: - items: - type: string - type: array - user.name: - items: - type: string - type: array - risk: - additionalProperties: false - type: object - properties: - calculated_level: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - calculated_score: - type: number - calculated_score_norm: - maximum: 100 - minimum: 0 - type: number - schema_version: - type: string - source: - items: - type: string - type: array - sub_type: - type: string - type: - type: string - url: - type: string - event: - additionalProperties: false - type: object - properties: - ingested: - format: date-time - pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ - type: string - labels: - additionalProperties: {} - type: object - properties: {} - orchestrator: - additionalProperties: false - type: object - properties: - api_version: - type: string - cluster: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - url: - type: string - version: - type: string - namespace: - type: string - organization: - type: string - resource: - additionalProperties: false - type: object - properties: - annotation: - type: string - id: - type: string - ip: - type: string - label: - type: string - name: - type: string - parent: - additionalProperties: false - type: object - properties: - type: - type: string - type: - type: string - type: - type: string - tags: - items: - type: string - type: array - type: - description: The entity type of this record. 
- enum: - - user - - host - - service - - generic - type: string - required: - - type - - doc - type: array - required: - - entities - responses: - '200': - content: - application/json: - examples: - bulkUpdatePartialExample: - description: Some entities were updated but others encountered Elasticsearch-level errors. - summary: Partial success with errors - value: - errors: - - _id: 5de9f93a68a72532e736bf5a6184b06300b9cabf - reason: '[5de9f93a68a72532e736bf5a6184b06300b9cabf]: document missing' - status: 404 - type: document_missing_exception - ok: true - bulkUpdateSuccessExample: - description: All entities were successfully updated with no errors. - summary: All entities updated - value: - errors: [] - ok: true - description: Indicates a successful response. - '400': - content: - application/json: - examples: - protectedFieldsExample: - description: The request attempts to update protected fields without the force query parameter. - summary: Protected fields without force - value: - error: Bad Request - message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type' - statusCode: 400 - description: Bad request. 
- summary: Bulk update entities - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ - -H "Content-Type: application/json" \ - -d '{"entities":[{"type":"host","doc":{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","attributes":{"asset":true}},"host":{"name":"web-server-prod-01"}}}]}' \ - "${KIBANA_URL}/api/security/entity_store/entities/bulk?force=true" - - lang: Console - source: | - PUT kbn://api/security/entity_store/entities/bulk?force=true - { - "entities": [ - { - "type": "host", - "doc": { - "entity": { - "id": "host:web-server-prod-01", - "name": "web-server-prod-01", - "type": "host", - "attributes": { "asset": true } - }, - "host": { "name": "web-server-prod-01" } - } - } - ] - } - x-metaTags: - - content: Kibana - name: product_name - /api/security/entity_store/install: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/security/entity_store/install
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Install the Entity Store, creating engines for the specified entity types and configuring log extraction.

[Required authorization] Route required privileges: securitySolution. - operationId: post-security-entity-store-install - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - installDefaultExample: - description: Install the Entity Store for all entity types with default log extraction settings. - summary: Install with default entity types - value: - entityTypes: - - user - - host - - service - - generic - logExtraction: {} - installWithCustomSettingsExample: - description: Install the Entity Store for host entities only with a custom lookback period and field history length. - summary: Install with custom log extraction - value: - entityTypes: - - host - logExtraction: - delay: 2m - fieldHistoryLength: 20 - filter: 'host.os.type: linux' - frequency: 5m - lookbackPeriod: 12h - schema: - additionalProperties: false - type: object - properties: - entityTypes: - default: - - user - - host - - service - - generic - items: - enum: - - user - - host - - service - - generic - type: string - type: array - historySnapshot: - additionalProperties: false - type: object - properties: - frequency: - default: 24h - pattern: '[smdh]$' - type: string - logExtraction: - additionalProperties: false - type: object - properties: - additionalIndexPatterns: - default: [] - items: - type: string - type: array - delay: - default: 1m - pattern: '[smdh]$' - type: string - docsLimit: - default: 10000 - maximum: 9007199254740991 - minimum: 1 - type: integer - fieldHistoryLength: - default: 10 - maximum: 9007199254740991 - minimum: -9007199254740991 - type: integer - filter: - default: '' - type: string - frequency: - default: 30s - pattern: '[smdh]$' - type: string - lookbackPeriod: - default: 3h - pattern: '[smdh]$' - type: string - maxLogsPerPage: - default: 40000 - maximum: 9007199254740991 - minimum: 1 - type: 
integer - responses: - '200': - content: - application/json: - examples: - alreadyInstalledExample: - description: All requested entity types were already installed. - summary: Already installed - value: - ok: true - description: Indicates all requested entity types are already installed. - '201': - content: - application/json: - examples: - installSuccessExample: - description: The Entity Store was installed and engines are being created. - summary: Entity Store installed - value: - ok: true - description: Indicates the Entity Store was successfully installed. - '403': - content: - application/json: - examples: - forbiddenExample: - description: The user does not have the required Elasticsearch privileges. - summary: Insufficient privileges - value: - error: Forbidden - message: User 'analyst' has insufficient privileges - statusCode: 403 - description: Insufficient privileges. - summary: Install the Entity Store - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ - -H "Content-Type: application/json" \ - -d '{"entityTypes":["user","host","service","generic"],"logExtraction":{}}' \ - "${KIBANA_URL}/api/security/entity_store/install" - - lang: Console - source: | - POST kbn://api/security/entity_store/install - { - "entityTypes": ["user", "host", "service", "generic"], - "logExtraction": {} - } - x-metaTags: - - content: Kibana - name: product_name - /api/security/entity_store/resolution/group: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/security/entity_store/resolution/group
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the resolution group for a given entity, returning all linked entities. Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. - operationId: get-security-entity-store-resolution-group - parameters: - - description: The entity identifier to look up the resolution group for. - in: query - name: entity_id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - resolutionGroupExample: - description: Returns the resolution group for an entity, including the target entity, all aliases, and the group size. - summary: Resolution group with linked entities - value: - aliases: - - '@timestamp': '2026-04-10T08:25:00.000Z' - entity: - id: user:jdoe@example.com - name: jdoe - relationships: - resolution: - resolved_to: user:jane.doe@example.com - type: user - user: - name: jdoe - group_size: 2 - target: - '@timestamp': '2026-04-10T08:30:00.000Z' - entity: - id: user:jane.doe@example.com - name: jane.doe - type: user - user: - email: - - jane.doe@example.com - name: jane.doe - description: Indicates a successful response. - '400': - content: - application/json: - examples: - truncatedSearchExample: - description: The resolution search returned too many results and was truncated. - summary: Search results truncated - value: - error: Bad Request - message: Resolution search truncated - statusCode: 400 - description: Bad request. - '404': - content: - application/json: - examples: - notFoundExample: - description: The specified entity does not exist or has no resolution group. - summary: Entity not found - value: - error: Not Found - message: 'Entities not found: [user:nonexistent@example.com]' - statusCode: 404 - description: Entity not found. 
- summary: Get resolution group - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ - "${KIBANA_URL}/api/security/entity_store/resolution/group?entity_id=user%3Ajane.doe%40example.com" - - lang: Console - source: | - GET kbn://api/security/entity_store/resolution/group?entity_id=user:jane.doe@example.com - x-metaTags: - - content: Kibana - name: product_name - /api/security/entity_store/resolution/link: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/security/entity_store/resolution/link
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Link one or more entities to a target entity, creating a resolution group. Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. - operationId: post-security-entity-store-resolution-link - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - linkEntitiesExample: - description: Link two user entities to a target entity, creating a resolution group. - summary: Link entities to a target - value: - entity_ids: - - user:jdoe@example.com - - user:j.doe@example.com - target_id: user:jane.doe@example.com - schema: - additionalProperties: false - type: object - properties: - entity_ids: - description: Entity identifiers to link to the target entity. Minimum 1, maximum 1000. - items: - type: string - maxItems: 1000 - minItems: 1 - type: array - target_id: - description: The entity identifier to resolve the linked entities to. - type: string - required: - - target_id - - entity_ids - responses: - '200': - content: - application/json: - examples: - linkSuccessExample: - description: The entities were successfully linked to the target entity. - summary: Entities linked - value: - linked: - - user:jdoe@example.com - - user:j.doe@example.com - skipped: [] - target_id: user:jane.doe@example.com - description: Indicates a successful response. - '400': - content: - application/json: - examples: - mixedTypesExample: - description: All entities in a resolution group must be of the same type. - summary: Mixed entity types - value: - error: Bad Request - message: Cannot link entities of different types - statusCode: 400 - selfLinkExample: - description: Cannot link an entity to itself. - summary: Self-link error - value: - error: Bad Request - message: Cannot link entity 'user:jane.doe@example.com' to itself. - statusCode: 400 - description: Bad request. 
- '404': - content: - application/json: - examples: - notFoundExample: - description: One or more of the specified entity identifiers were not found. - summary: Entities not found - value: - error: Not Found - message: 'Entities not found: [user:nonexistent@example.com, user:also-nonexistent@example.com]' - statusCode: 404 - description: Entities not found. - summary: Link entities - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ - -H "Content-Type: application/json" \ - -d '{"target_id":"user:jane.doe@example.com","entity_ids":["user:jdoe@example.com"]}' \ - "${KIBANA_URL}/api/security/entity_store/resolution/link" - - lang: Console - source: | - POST kbn://api/security/entity_store/resolution/link - { - "target_id": "user:jane.doe@example.com", - "entity_ids": ["user:jdoe@example.com"] - } - x-metaTags: - - content: Kibana - name: product_name - /api/security/entity_store/resolution/unlink: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/security/entity_store/resolution/unlink
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Remove one or more entities from their resolution group. Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. - operationId: post-security-entity-store-resolution-unlink - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - unlinkEntitiesExample: - description: Remove entities from their resolution group, restoring them as standalone entities. - summary: Unlink entities from their resolution group - value: - entity_ids: - - user:jdoe@example.com - - user:j.doe@example.com - schema: - additionalProperties: false - type: object - properties: - entity_ids: - description: Entity identifiers to unlink from their resolution group. Minimum 1, maximum 1000. - items: - type: string - maxItems: 1000 - minItems: 1 - type: array - required: - - entity_ids - responses: - '200': - content: - application/json: - examples: - unlinkSuccessExample: - description: The entities were successfully removed from their resolution group. - summary: Entities unlinked - value: - skipped: [] - unlinked: - - user:jdoe@example.com - - user:j.doe@example.com - description: Indicates a successful response. - '404': - content: - application/json: - examples: - notFoundExample: - description: One or more of the specified entity identifiers were not found. - summary: Entities not found - value: - error: Not Found - message: 'Entities not found: [user:nonexistent@example.com]' - statusCode: 404 - description: Entities not found. 
- summary: Unlink entities - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ - -H "Content-Type: application/json" \ - -d '{"entity_ids":["user:jdoe@example.com"]}' \ - "${KIBANA_URL}/api/security/entity_store/resolution/unlink" - - lang: Console - source: | - POST kbn://api/security/entity_store/resolution/unlink - { - "entity_ids": ["user:jdoe@example.com"] - } - x-metaTags: - - content: Kibana - name: product_name - /api/security/entity_store/start: - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/security/entity_store/start
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Start previously stopped entity engines, resuming data processing for the specified entity types.

[Required authorization] Route required privileges: securitySolution. - operationId: put-security-entity-store-start - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - startAllExample: - description: Start all stopped entity engines. - summary: Start all entity engines - value: - entityTypes: - - user - - host - - service - - generic - startSingleExample: - description: Start only the host entity engine. - summary: Start a single entity engine - value: - entityTypes: - - host - schema: - additionalProperties: false - type: object - properties: - entityTypes: - default: - - user - - host - - service - - generic - description: Entity types to start. Defaults to all installed types. - items: - enum: - - user - - host - - service - - generic - type: string - type: array - responses: - '200': - content: - application/json: - examples: - startSuccessExample: - description: The specified entity engines were successfully started. - summary: Engines started - value: - ok: true - description: Indicates a successful response. - summary: Start Entity Store engines - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ - -H "Content-Type: application/json" \ - -d '{"entityTypes":["user","host","service","generic"]}' \ - "${KIBANA_URL}/api/security/entity_store/start" - - lang: Console - source: | - PUT kbn://api/security/entity_store/start - { - "entityTypes": ["user", "host", "service", "generic"] - } - x-metaTags: - - content: Kibana - name: product_name - /api/security/entity_store/status: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/security/entity_store/status
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the overall Entity Store status and per-engine statuses, optionally including component-level health details.

[Required authorization] Route required privileges: securitySolution. - operationId: get-security-entity-store-status - parameters: - - description: If true, returns a detailed status of each engine including all its components. - in: query - name: include_components - required: false - schema: - anyOf: - - enum: - - 'true' - - 'false' - type: string - - type: boolean - default: false - responses: - '200': - content: - application/json: - examples: - notInstalledExample: - description: The Entity Store has not been installed. - summary: Entity Store not installed - value: - engines: [] - status: not_installed - runningStatusExample: - description: The Entity Store is running with two started engines using default settings. - summary: Entity Store running - value: - engines: - - delay: 1m - docsPerSecond: -1 - enrichPolicyExecutionInterval: null - fieldHistoryLength: 10 - filter: '' - frequency: 30s - indexPattern: '' - lastExecutionTimestamp: '2026-04-10T08:30:00.000Z' - lookbackPeriod: 3h - maxPageSearchSize: 10000 - status: started - timeout: 25s - timestampField: '@timestamp' - type: host - - delay: 1m - docsPerSecond: -1 - enrichPolicyExecutionInterval: null - fieldHistoryLength: 10 - filter: '' - frequency: 30s - indexPattern: '' - lastExecutionTimestamp: '2026-04-10T08:30:00.000Z' - lookbackPeriod: 3h - maxPageSearchSize: 10000 - status: started - timeout: 25s - timestampField: '@timestamp' - type: user - status: running - description: Indicates a successful response. 
- summary: Get Entity Store status - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ - "${KIBANA_URL}/api/security/entity_store/status?include_components=false" - - lang: Console - source: | - GET kbn://api/security/entity_store/status?include_components=false - x-metaTags: - - content: Kibana - name: product_name - /api/security/entity_store/stop: - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/security/entity_store/stop
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Stop running entity engines, pausing data processing for the specified entity types.

[Required authorization] Route required privileges: securitySolution. - operationId: put-security-entity-store-stop - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - stopAllExample: - description: Stop all running entity engines. - summary: Stop all entity engines - value: - entityTypes: - - user - - host - - service - - generic - schema: - additionalProperties: false - type: object - properties: - entityTypes: - default: - - user - - host - - service - - generic - description: Entity types to stop. Defaults to all running types. - items: - enum: - - user - - host - - service - - generic - type: string - type: array - responses: - '200': - content: - application/json: - examples: - stopSuccessExample: - description: The specified entity engines were successfully stopped. - summary: Engines stopped - value: - ok: true - description: Indicates a successful response. - summary: Stop Entity Store engines - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ - -H "Content-Type: application/json" \ - -d '{"entityTypes":["user","host","service","generic"]}' \ - "${KIBANA_URL}/api/security/entity_store/stop" - - lang: Console - source: | - PUT kbn://api/security/entity_store/stop - { - "entityTypes": ["user", "host", "service", "generic"] - } - x-metaTags: - - content: Kibana - name: product_name - /api/security/entity_store/uninstall: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/security/entity_store/uninstall
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Uninstall the Entity Store, removing engines and associated resources for the specified entity types.

[Required authorization] Route required privileges: securitySolution. - operationId: post-security-entity-store-uninstall - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - uninstallAllExample: - description: Uninstall all entity engines from the Entity Store. - summary: Uninstall all entity types - value: - entityTypes: - - user - - host - - service - - generic - uninstallSingleExample: - description: Uninstall only the host engine from the Entity Store. - summary: Uninstall a single entity type - value: - entityTypes: - - host - schema: - additionalProperties: false - type: object - properties: - entityTypes: - default: - - user - - host - - service - - generic - description: Entity types to uninstall. Defaults to all installed types. - items: - enum: - - user - - host - - service - - generic - type: string - type: array - responses: - '200': - content: - application/json: - examples: - uninstallSuccessExample: - description: The specified entity engines were successfully uninstalled. - summary: Entity Store uninstalled - value: - ok: true - description: Indicates a successful response. 
- summary: Uninstall the Entity Store - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ - -H "Content-Type: application/json" \ - -d '{"entityTypes":["user","host","service","generic"]}' \ - "${KIBANA_URL}/api/security/entity_store/uninstall" - - lang: Console - source: | - POST kbn://api/security/entity_store/uninstall - { - "entityTypes": ["user", "host", "service", "generic"] - } - x-metaTags: - - content: Kibana - name: product_name - /api/security/role: - get: - operationId: get-security-role - parameters: - - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges. - in: query - name: replaceDeprecatedPrivileges - required: false - schema: - type: boolean - responses: - '200': - description: Indicates a successful call. - content: - application/json: - examples: - getRolesResponse1: - $ref: '#/components/examples/get_roles_response1' - summary: Get all roles - tags: - - roles - x-metaTags: - - content: Kibana - name: product_name - /api/security/role/_query: - post: - operationId: post-security-role-query - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - filters: - additionalProperties: false - type: object - properties: - showReservedRoles: - type: boolean - from: - type: number - query: - type: string - size: - type: number - sort: - additionalProperties: false - type: object - properties: - direction: - enum: - - asc - - desc - type: string - field: - type: string - required: - - field - - direction - responses: - '200': - description: Indicates a successful call. 
- summary: Query roles - tags: [] - x-metaTags: - - content: Kibana - name: product_name - /api/security/role/{name}: - delete: - operationId: delete-security-role-name - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - minLength: 1 - type: string - responses: - '204': - description: Indicates a successful call. - summary: Delete a role - tags: - - roles - x-metaTags: - - content: Kibana - name: product_name - get: - operationId: get-security-role-name - parameters: - - description: The role name. - in: path - name: name - required: true - schema: - minLength: 1 - type: string - - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges. - in: query - name: replaceDeprecatedPrivileges - required: false - schema: - type: boolean - responses: - '200': - description: Indicates a successful call. - content: - application/json: - examples: - getRoleResponse1: - $ref: '#/components/examples/get_role_response1' - summary: Get a role - tags: - - roles - x-metaTags: - - content: Kibana - name: product_name - put: - description: Create a new Kibana role or update the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm. - operationId: put-security-role-name - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The role name. - in: path - name: name - required: true - schema: - maxLength: 1024 - minLength: 1 - type: string - - description: When true, a role is not overwritten if it already exists. 
- in: query - name: createOnly - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - description: - description: A description for the role. - maxLength: 2048 - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - cluster: - items: - description: Cluster privileges that define the cluster level actions that users can perform. - type: string - maxItems: 100 - type: array - indices: - items: - additionalProperties: false - type: object - properties: - allow_restricted_indices: - description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too. - type: boolean - field_security: - additionalProperties: - items: - description: The document fields that the role members have read access to. - type: string - maxItems: 1000 - type: array - type: object - names: - items: - description: The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*). - type: string - maxItems: 100 - minItems: 1 - type: array - privileges: - items: - description: The index level privileges that the role members have for the data streams and indices. - type: string - maxItems: 100 - minItems: 1 - type: array - query: - description: A search query that defines the documents the role members have read access to. 
A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. - type: string - required: - - names - - privileges - maxItems: 1000 - type: array - remote_cluster: - items: - additionalProperties: false - type: object - properties: - clusters: - items: - description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. - type: string - maxItems: 100 - minItems: 1 - type: array - privileges: - items: - description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges. - type: string - maxItems: 100 - minItems: 1 - type: array - required: - - privileges - - clusters - maxItems: 100 - type: array - remote_indices: - items: - additionalProperties: false - type: object - properties: - allow_restricted_indices: - description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too. - type: boolean - clusters: - items: - description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. - type: string - maxItems: 100 - minItems: 1 - type: array - field_security: - additionalProperties: - items: - description: The document fields that the role members have read access to. 
- type: string - maxItems: 1000 - type: array - type: object - names: - items: - description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*). - type: string - maxItems: 100 - minItems: 1 - type: array - privileges: - items: - description: The index level privileges that role members have for the specified indices. - type: string - maxItems: 100 - minItems: 1 - type: array - query: - description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. ' - type: string - required: - - clusters - - names - - privileges - maxItems: 1000 - type: array - run_as: - items: - description: A user name that the role member can impersonate. - type: string - maxItems: 100 - type: array - kibana: - items: - additionalProperties: false - type: object - properties: - base: - anyOf: - - items: {} - type: array - - type: boolean - - type: number - - type: object - - type: string - nullable: true - oneOf: - - items: - description: A base privilege that grants applies to all spaces. - type: string - maxItems: 50 - type: array - - items: - description: A base privilege that applies to specific spaces. - type: string - maxItems: 50 - type: array - feature: - additionalProperties: - items: - description: The privileges that the role member has for the feature. - type: string - maxItems: 100 - type: array - type: object - spaces: - anyOf: - - items: - enum: - - '*' - type: string - maxItems: 1 - minItems: 1 - type: array - - items: - description: A space that the privilege applies to. 
- type: string - maxItems: 1000 - type: array - default: - - '*' - required: - - base - type: array - metadata: - additionalProperties: - nullable: true - type: object - required: - - elasticsearch - examples: - createRoleRequest1: - $ref: '#/components/examples/create_role_request1' - createRoleRequest2: - $ref: '#/components/examples/create_role_request2' - createRoleRequest3: - $ref: '#/components/examples/create_role_request3' - createRoleRequest4: - $ref: '#/components/examples/create_role_request4' - responses: - '204': - description: Indicates a successful call. - summary: Create or update a role - tags: - - roles - x-metaTags: - - content: Kibana - name: product_name - /api/security/roles: - post: - operationId: post-security-roles - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - roles: - additionalProperties: - additionalProperties: false - type: object - properties: - description: - description: A description for the role. - maxLength: 2048 - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - cluster: - items: - description: Cluster privileges that define the cluster level actions that users can perform. - type: string - maxItems: 100 - type: array - indices: - items: - additionalProperties: false - type: object - properties: - allow_restricted_indices: - description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. 
Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too. - type: boolean - field_security: - additionalProperties: - items: - description: The document fields that the role members have read access to. - type: string - maxItems: 1000 - type: array - type: object - names: - items: - description: The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*). - type: string - maxItems: 100 - minItems: 1 - type: array - privileges: - items: - description: The index level privileges that the role members have for the data streams and indices. - type: string - maxItems: 100 - minItems: 1 - type: array - query: - description: A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. - type: string - required: - - names - - privileges - maxItems: 1000 - type: array - remote_cluster: - items: - additionalProperties: false - type: object - properties: - clusters: - items: - description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. - type: string - maxItems: 100 - minItems: 1 - type: array - privileges: - items: - description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges. 
- type: string - maxItems: 100 - minItems: 1 - type: array - required: - - privileges - - clusters - maxItems: 100 - type: array - remote_indices: - items: - additionalProperties: false - type: object - properties: - allow_restricted_indices: - description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too. - type: boolean - clusters: - items: - description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. - type: string - maxItems: 100 - minItems: 1 - type: array - field_security: - additionalProperties: - items: - description: The document fields that the role members have read access to. - type: string - maxItems: 1000 - type: array - type: object - names: - items: - description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*). - type: string - maxItems: 100 - minItems: 1 - type: array - privileges: - items: - description: The index level privileges that role members have for the specified indices. - type: string - maxItems: 100 - minItems: 1 - type: array - query: - description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. 
' - type: string - required: - - clusters - - names - - privileges - maxItems: 1000 - type: array - run_as: - items: - description: A user name that the role member can impersonate. - type: string - maxItems: 100 - type: array - kibana: - items: - additionalProperties: false - type: object - properties: - base: - anyOf: - - items: {} - type: array - - type: boolean - - type: number - - type: object - - type: string - nullable: true - oneOf: - - items: - description: A base privilege that grants applies to all spaces. - type: string - maxItems: 50 - type: array - - items: - description: A base privilege that applies to specific spaces. - type: string - maxItems: 50 - type: array - feature: - additionalProperties: - items: - description: The privileges that the role member has for the feature. - type: string - maxItems: 100 - type: array - type: object - spaces: - anyOf: - - items: - enum: - - '*' - type: string - maxItems: 1 - minItems: 1 - type: array - - items: - description: A space that the privilege applies to. - type: string - maxItems: 1000 - type: array - default: - - '*' - required: - - base - type: array - metadata: - additionalProperties: - nullable: true - type: object - required: - - elasticsearch - type: object - required: - - roles - responses: - '200': - description: Indicates a successful call. - summary: Create or update roles - tags: - - roles - x-metaTags: - - content: Kibana - name: product_name - /api/security/session/_invalidate: - post: - description: | - Invalidate user sessions that match a query. To use this API, you must be a superuser. - operationId: post-security-session-invalidate - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - invalidateRequestExample1: - description: Run `POST api/security/session/_invalidate` to invalidate all existing sessions. 
- summary: Invalidate all sessions - value: |- - { - "match" : "all" - } - invalidateRequestExample2: - description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by any SAML authentication provider. - summary: Invalidate all SAML sessions - value: |- - { - "match" : "query", - "query": { - "provider" : { "type": "saml" } - } - } - invalidateRequestExample3: - description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by the SAML authentication provider named `saml1`. - summary: Invalidate sessions for a provider - value: |- - { - "match" : "query", - "query": { - "provider" : { "type": "saml", "name": "saml1" } - } - } - invalidateRequestExample4: - description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by any OpenID Connect authentication provider for the user with the username `user@my-oidc-sso.com`. - summary: Invalidate sessions for a user - value: |- - { - "match" : "query", - "query": { - "provider" : { "type": "oidc" }, - "username": "user@my-oidc-sso.com" - } - } - schema: - type: object - properties: - match: - description: | - The method Kibana uses to determine which sessions to invalidate. If it is `all`, all existing sessions will be invalidated. If it is `query`, only the sessions that match the query will be invalidated. - enum: - - all - - query - type: string - query: - description: | - The query that Kibana uses to match the sessions to invalidate when the `match` parameter is set to `query`. - type: object - properties: - provider: - description: The authentication providers that will have their user sessions invalidated. - type: object - properties: - name: - description: The authentication provider name. - type: string - type: - description: | - The authentication provide type. For example: `basic`, `token`, `saml`, `oidc`, `kerberos`, or `pki`. 
- type: string - required: - - type - username: - description: The username that will have its sessions invalidated. - type: string - required: - - provider - required: - - match - responses: - '200': - content: - application/json: - schema: - type: object - properties: - total: - description: The number of sessions that were successfully invalidated. - type: integer - description: Indicates a successful call - '403': - description: Indicates that the user may not be authorized to invalidate sessions for other users. - summary: Invalidate user sessions - tags: - - user session - x-metaTags: - - content: Kibana - name: product_name - /api/short_url: - post: - description: | - Kibana URLs may be long and cumbersome, short URLs are much easier to remember and share. - Short URLs are created by specifying the locator ID and locator parameters. When a short URL is resolved, the locator ID and locator parameters are used to redirect user to the right Kibana page. - operationId: post-url - requestBody: - content: - application/json: - schema: - type: object - properties: - humanReadableSlug: - description: | - When the `slug` parameter is omitted, the API will generate a random human-readable slug if `humanReadableSlug` is set to true. - type: boolean - locatorId: - description: The identifier for the locator. - type: string - params: - description: | - An object which contains all necessary parameters for the given locator to resolve to a Kibana location. - > warn - > When you create a short URL, locator params are not validated, which allows you to pass arbitrary and ill-formed data into the API that can break Kibana. Make sure any data that you send to the API is properly formed. - type: object - slug: - description: | - A custom short URL slug. The slug is the part of the short URL that identifies it. You can provide a custom slug which consists of latin alphabet letters, numbers, and `-._` characters. 
The slug must be at least 3 characters long, but no longer than 255 characters. - type: string - required: - - locatorId - - params - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Short_URL_APIs_urlResponse' - description: Indicates a successful call. - summary: Create a short URL - tags: - - short url - x-state: Technical Preview - x-metaTags: - - content: Kibana - name: product_name - /api/short_url/_slug/{slug}: - get: - description: | - Resolve a Kibana short URL by its slug. - operationId: resolve-url - parameters: - - description: The slug of the short URL. - in: path - name: slug - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Short_URL_APIs_urlResponse' - description: Indicates a successful call. - summary: Resolve a short URL - tags: - - short url - x-state: Technical Preview - x-metaTags: - - content: Kibana - name: product_name - /api/short_url/{id}: - delete: - description: | - Delete a Kibana short URL. - operationId: delete-url - parameters: - - $ref: '#/components/parameters/Short_URL_APIs_idParam' - responses: - '200': - description: Indicates a successful call. - summary: Delete a short URL - tags: - - short url - x-state: Technical Preview - x-metaTags: - - content: Kibana - name: product_name - get: - description: | - Get a single Kibana short URL. - operationId: get-url - parameters: - - $ref: '#/components/parameters/Short_URL_APIs_idParam' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Short_URL_APIs_urlResponse' - description: Indicates a successful call. 
- summary: Get a short URL - tags: - - short url - x-state: Technical Preview - x-metaTags: - - content: Kibana - name: product_name - /api/spaces/_copy_saved_objects: - post: - description: 'It also allows you to automatically copy related objects, so when you copy a dashboard, this can automatically copy over the associated visualizations, data views, and saved Discover sessions, as required. You can request to overwrite any objects that already exist in the target space if they share an identifier or you can use the resolve copy saved objects conflicts API to do this on a per-object basis.

[Required authorization] Route required privileges: copySavedObjectsToSpaces.' - operationId: post-spaces-copy-saved-objects - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - compatibilityMode: - default: false - description: Apply various adjustments to the saved objects that are being copied to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with copied saved objects. This option cannot be used with the `createNewCopies` option. - type: boolean - createNewCopies: - default: true - description: Create new copies of saved objects, regenerate each object identifier, and reset the origin. When used, potential conflict errors are avoided. This option cannot be used with the `overwrite` and `compatibilityMode` options. - type: boolean - includeReferences: - default: false - description: When set to true, all saved objects related to the specified saved objects will also be copied into the target spaces. - type: boolean - objects: - items: - additionalProperties: false - type: object - properties: - id: - description: The identifier of the saved object to copy. - type: string - type: - description: The type of the saved object to copy. - type: string - required: - - type - - id - maxItems: 1000 - type: array - overwrite: - default: false - description: When set to true, all conflicts are automatically overridden. When a saved object with a matching type and identifier exists in the target space, that version is replaced with the version from the source space. This option cannot be used with the `createNewCopies` option. - type: boolean - spaces: - items: - description: The identifiers of the spaces where you want to copy the specified objects. 
- type: string - maxItems: 100 - type: array - required: - - spaces - - objects - examples: - copySavedObjectsRequestExample1: - $ref: '#/components/examples/copy_saved_objects_request1' - copySavedObjectsRequestExample2: - $ref: '#/components/examples/copy_saved_objects_request2' - responses: - '200': - description: 'OK: A successful request.' - content: - application/json: - examples: - copySavedObjectsResponseExample1: - $ref: '#/components/examples/copy_saved_objects_response1' - copySavedObjectsResponseExample2: - $ref: '#/components/examples/copy_saved_objects_response2' - copySavedObjectsResponseExample3: - $ref: '#/components/examples/copy_saved_objects_response3' - copySavedObjectsResponseExample4: - $ref: '#/components/examples/copy_saved_objects_response4' - summary: Copy saved objects between spaces - tags: - - spaces - x-metaTags: - - content: Kibana - name: product_name - /api/spaces/_disable_legacy_url_aliases: - post: - description: Disable one or more legacy URL aliases so that they no longer resolve to their target saved objects. - operationId: post-spaces-disable-legacy-url-aliases - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - aliases: - items: - additionalProperties: false - type: object - properties: - sourceId: - description: The alias source object identifier. This is the legacy object identifier. - type: string - targetSpace: - description: The space where the alias target object exists. - type: string - targetType: - description: 'The type of alias target object. 
' - type: string - required: - - targetSpace - - targetType - - sourceId - maxItems: 1000 - type: array - required: - - aliases - examples: - disableLegacyURLRequestExample1: - $ref: '#/components/examples/disable_legacy_url_request1' - responses: - '204': - description: Indicates a successful call. - summary: Disable legacy URL aliases - tags: - - spaces - x-metaTags: - - content: Kibana - name: product_name - /api/spaces/_get_shareable_references: - post: - description: Collect references and space contexts for saved objects. - operationId: post-spaces-get-shareable-references - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - objects: - items: - additionalProperties: false - type: object - properties: - id: - type: string - type: - type: string - required: - - type - - id - maxItems: 1000 - type: array - required: - - objects - examples: - getShareableReferencesRequestExample1: - $ref: '#/components/examples/get_shareable_references_request1' - responses: - '200': - description: Indicates a successful call. - content: - application/json: - examples: - getShareableReferencesResponseExample1: - $ref: '#/components/examples/get_shareable_references_response1' - summary: Get shareable references - tags: - - spaces - x-metaTags: - - content: Kibana - name: product_name - /api/spaces/_resolve_copy_saved_objects_errors: - post: - description: 'Overwrite saved objects that are returned as errors from the copy saved objects to space API.

[Required authorization] Route required privileges: copySavedObjectsToSpaces.' - operationId: post-spaces-resolve-copy-saved-objects-errors - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - compatibilityMode: - default: false - type: boolean - createNewCopies: - default: true - type: boolean - includeReferences: - default: false - type: boolean - objects: - items: - additionalProperties: false - type: object - properties: - id: - type: string - type: - type: string - required: - - type - - id - maxItems: 1000 - type: array - retries: - additionalProperties: - items: - additionalProperties: false - type: object - properties: - createNewCopy: - description: Creates new copies of the saved objects, regenerates each object ID, and resets the origin. - type: boolean - destinationId: - description: Specifies the destination identifier that the copied object should have, if different from the current identifier. - type: string - id: - description: The saved object identifier. - type: string - ignoreMissingReferences: - description: When set to true, any missing references errors are ignored. - type: boolean - overwrite: - default: false - description: When set to true, the saved object from the source space overwrites the conflicting object in the destination space. - type: boolean - type: - description: The saved object type. 
- type: string - required: - - type - - id - maxItems: 1000 - type: array - type: object - required: - - retries - - objects - examples: - resolveCopySavedObjectsRequestExample1: - $ref: '#/components/examples/resolve_copy_saved_objects_request1' - resolveCopySavedObjectsRequestExample2: - $ref: '#/components/examples/resolve_copy_saved_objects_request2' - responses: - '200': - description: 'OK: A successful request.' - content: - application/json: - examples: - resolveCopySavedObjectsResponseExample1: - $ref: '#/components/examples/copy_saved_objects_response1' - resolveCopySavedObjectsResponseExample2: - $ref: '#/components/examples/copy_saved_objects_response2' - summary: Resolve conflicts copying saved objects - tags: [] - x-metaTags: - - content: Kibana - name: product_name - /api/spaces/_update_objects_spaces: - post: - description: Update one or more saved objects to add or remove them from some spaces. - operationId: post-spaces-update-objects-spaces - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - objects: - items: - additionalProperties: false - type: object - properties: - id: - description: The identifier of the saved object to update. - type: string - type: - description: The type of the saved object to update. - type: string - required: - - type - - id - maxItems: 1000 - type: array - spacesToAdd: - items: - description: The identifiers of the spaces the saved objects should be added to or removed from. - type: string - maxItems: 1000 - type: array - spacesToRemove: - items: - description: The identifiers of the spaces the saved objects should be added to or removed from. 
- type: string - maxItems: 1000 - type: array - required: - - objects - - spacesToAdd - - spacesToRemove - examples: - updateObjectSpacesRequestExample1: - $ref: '#/components/examples/update_saved_objects_spaces_request1' - responses: - '200': - description: 'OK: A successful request.' - content: - application/json: - examples: - updateObjectSpacesResponseExample1: - $ref: '#/components/examples/update_saved_objects_spaces_response1' - summary: Update saved objects in spaces - tags: - - spaces - x-metaTags: - - content: Kibana - name: product_name - /api/spaces/space: - get: - description: Retrieve all available Kibana spaces. The list includes only the spaces that the user is authorized to access. - operationId: get-spaces-space - parameters: - - description: Specifies which authorization checks are applied to the API call. The default value is `any`. - in: query - name: purpose - required: false - schema: - enum: - - any - - copySavedObjectsIntoSpace - - shareSavedObjectsIntoSpace - type: string - - description: When enabled, the API returns any spaces the user is authorized to access in any capacity, each including the purposes for which the user is authorized. This is useful for identifying spaces the user can read but is not authorized for a given purpose. Without the security plugin, this parameter has no effect, because no authorization checks are performed. This parameter cannot be used together with the `purpose` parameter. - in: query - name: include_authorized_purposes - required: false - schema: - type: boolean - responses: - '200': - description: Indicates a successful call. - content: - application/json: - examples: - getSpacesResponseExample1: - $ref: '#/components/examples/get_spaces_response1' - getSpacesResponseExample2: - $ref: '#/components/examples/get_spaces_response2' - summary: Get all spaces - tags: - - spaces - x-metaTags: - - content: Kibana - name: product_name - post: - description: Create a new Kibana space. 
- operationId: post-spaces-space - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - _reserved: - type: boolean - color: - description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. - type: string - description: - description: A description for the space. - type: string - disabledFeatures: - default: [] - items: - description: The list of features that are turned off in the space. - type: string - maxItems: 100 - type: array - id: - description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. - type: string - imageUrl: - description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. - type: string - initials: - description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. - maxLength: 2 - type: string - name: - description: 'The display name for the space. ' - minLength: 1 - type: string - projectRouting: - description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. 
- type: string - solution: - enum: - - security - - oblt - - es - - classic - type: string - required: - - id - - name - examples: - createSpaceRequest: - $ref: '#/components/examples/create_space_request' - responses: - '200': - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - _reserved: - type: boolean - color: - description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. - type: string - description: - description: A description for the space. - type: string - disabledFeatures: - default: [] - items: - description: The list of features that are turned off in the space. - type: string - maxItems: 100 - type: array - id: - description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. - type: string - imageUrl: - description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. - type: string - initials: - description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. - maxLength: 2 - type: string - name: - description: 'The display name for the space. ' - minLength: 1 - type: string - projectRouting: - description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. 
- type: string - solution: - enum: - - security - - oblt - - es - - classic - type: string - required: - - id - - name - examples: - createSpaceResponseExample: - $ref: '#/components/examples/get_space_response' - description: Indicates a successful call. - summary: Create a space - tags: - - spaces - x-metaTags: - - content: Kibana - name: product_name - /api/spaces/space/{id}: - delete: - description: When you delete a space, all saved objects that belong to the space are automatically deleted, which is permanent and cannot be undone. - operationId: delete-spaces-space-id - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The space identifier. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '404': - description: Indicates that the request failed. - summary: Delete a space - tags: - - spaces - x-metaTags: - - content: Kibana - name: product_name - get: - description: Retrieve a single Kibana space by its identifier. - operationId: get-spaces-space-id - parameters: - - description: The space identifier. - in: path - name: id - required: true - schema: - type: string - responses: - '200': - description: Indicates a successful call. - content: - application/json: - examples: - getSpaceResponseExample: - $ref: '#/components/examples/get_space_response' - summary: Get a space - tags: - - spaces - x-metaTags: - - content: Kibana - name: product_name - put: - description: Update an existing Kibana space. - operationId: put-spaces-space-id - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The space identifier. You are unable to change the ID with the update operation. 
- in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - _reserved: - type: boolean - color: - description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. - type: string - description: - description: A description for the space. - type: string - disabledFeatures: - default: [] - items: - description: The list of features that are turned off in the space. - type: string - maxItems: 100 - type: array - id: - description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. - type: string - imageUrl: - description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. - type: string - initials: - description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. - maxLength: 2 - type: string - name: - description: 'The display name for the space. ' - minLength: 1 - type: string - projectRouting: - description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. - type: string - solution: - enum: - - security - - oblt - - es - - classic - type: string - required: - - id - - name - examples: - updateSpaceRequest: - $ref: '#/components/examples/update_space_request' - responses: - '200': - description: Indicates a successful call. 
- summary: Update a space - tags: - - spaces - x-metaTags: - - content: Kibana - name: product_name - /api/status: - get: - operationId: get-status - parameters: - - description: Set to "true" to get the response in v7 format. - in: query - name: v7format - required: false - schema: - type: boolean - - description: Set to "true" to get the response in v8 format. - in: query - name: v8format - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse' - description: Kibana's operational status. A minimal response is sent for unauthorized users. - description: Overall status is OK and Kibana should be functioning normally. - '503': - content: - application/json: - schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse' - description: Kibana's operational status. A minimal response is sent for unauthorized users. - description: Kibana or some of it's essential services are unavailable. Kibana may be degraded or unavailable. - summary: Get Kibana's current status - tags: - - system - x-metaTags: - - content: Kibana - name: product_name - /api/streams: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/streams
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Fetches list of all streams

[Required authorization] Route required privileges: read_stream. - operationId: get-streams - parameters: [] - requestBody: - content: - application/json: - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: - '200': - content: - application/json: - examples: - listStreams: - value: - streams: - - description: Root logs stream - ingest: - failure_store: - inherit: {} - lifecycle: - inherit: {} - processing: - steps: [] - updated_at: '2025-01-10T08:00:00.000Z' - settings: {} - wired: - fields: - '@timestamp': - type: date - log.level: - type: keyword - message: - type: match_only_text - routing: - - destination: logs.nginx - status: enabled - where: - eq: nginx - field: host.name - name: logs - type: wired - updated_at: '2025-01-10T08:00:00.000Z' - - description: Web server access logs, routed by severity - ingest: - failure_store: - inherit: {} - lifecycle: - inherit: {} - processing: - steps: [] - updated_at: '2025-01-15T10:30:00.000Z' - settings: {} - wired: - fields: - host.name: - type: keyword - http.response.status_code: - type: long - message: - type: match_only_text - routing: - - destination: logs.nginx.errors - status: enabled - where: - field: http.response.status_code - gte: 500 - name: logs.nginx - type: wired - updated_at: '2025-01-15T10:30:00.000Z' - - description: Legacy application logs - ingest: - classic: {} - failure_store: - disabled: {} - lifecycle: - dsl: - data_retention: 30d - processing: - steps: - - action: grok - from: message - ignore_missing: true - patterns: - - '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log.level} %{GREEDYDATA:message}' - updated_at: '2024-12-01T09:00:00.000Z' - settings: {} - name: logs-myapp-default - type: classic - updated_at: '2024-12-01T09:00:00.000Z' - - description: All error-level logs across every stream - name: logs.errors - query: - esql: FROM logs* | WHERE log.level == "error" - view: logs.errors-view - type: query - updated_at: 
'2025-01-20T14:00:00.000Z' - summary: Get stream list - tags: - - streams - x-state: Technical Preview; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - /api/streams/_disable: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/streams/_disable
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Disables wired streams and deletes all existing stream definitions. The data of wired streams is deleted, but the data of classic streams is preserved.

[Required authorization] Route required privileges: manage_stream. - operationId: post-streams-disable - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: {} - summary: Disable streams - tags: - - streams - x-state: Technical Preview; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - /api/streams/_enable: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/streams/_enable
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Enables wired streams

[Required authorization] Route required privileges: manage_stream. - operationId: post-streams-enable - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: {} - summary: Enable streams - tags: - - streams - x-state: Technical Preview; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - /api/streams/_resync: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/streams/_resync
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Resyncs all streams, making sure that Elasticsearch assets are up to date

[Required authorization] Route required privileges: manage_stream. - operationId: post-streams-resync - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: {} - summary: Resync streams - tags: - - streams - x-state: Technical Preview; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - /api/streams/{name}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/streams/{name}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Deletes a stream definition and the underlying data stream

[Required authorization] Route required privileges: manage_stream. - operationId: delete-streams-name - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: {} - summary: Delete a stream - tags: - - streams - x-state: Technical Preview; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/streams/{name}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Fetches a stream definition and associated dashboards

[Required authorization] Route required privileges: read_stream. - operationId: get-streams-name - parameters: - - in: path - name: name - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: - '200': - content: - application/json: - examples: - getWiredStream: - value: - dashboards: [] - data_stream_exists: true - effective_failure_store: - disabled: {} - from: logs - effective_lifecycle: - dsl: - data_retention: 7d - from: logs - effective_settings: {} - inherited_fields: - '@timestamp': - from: logs - type: date - log.level: - from: logs - type: keyword - privileges: - create_snapshot_repository: false - lifecycle: true - manage: true - manage_failure_store: true - monitor: true - read_failure_store: true - simulate: true - text_structure: true - view_index_metadata: true - queries: [] - rules: [] - stream: - description: Web server access logs, routed by severity - ingest: - failure_store: - inherit: {} - lifecycle: - inherit: {} - processing: - steps: [] - updated_at: '2025-01-15T10:30:00.000Z' - settings: {} - wired: - fields: - host.name: - type: keyword - http.response.status_code: - type: long - message: - type: match_only_text - routing: - - destination: logs.nginx.errors - status: enabled - where: - field: http.response.status_code - gte: 500 - name: logs.nginx - type: wired - updated_at: '2025-01-15T10:30:00.000Z' - summary: Get a stream - tags: - - streams - x-state: Technical Preview; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/streams/{name}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Creates or updates a stream definition. Classic streams can not be created through this API, only updated

[Required authorization] Route required privileges: manage_stream. - operationId: put-streams-name - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - createQueryStream: - value: - dashboards: [] - queries: [] - rules: [] - stream: - description: All error-level logs across every stream - query: - esql: FROM logs* | WHERE log.level == "error" - view: logs.errors-view - type: query - createWiredStream: - value: - dashboards: [] - queries: [] - rules: [] - stream: - description: Web server access logs, routed by severity - ingest: - failure_store: - inherit: {} - lifecycle: - inherit: {} - processing: - steps: [] - settings: {} - wired: - fields: - host.name: - type: keyword - http.response.status_code: - type: long - message: - type: match_only_text - routing: - - destination: logs.nginx.errors - status: enabled - where: - field: http.response.status_code - gte: 500 - type: wired - updateClassicStream: - value: - dashboards: [] - queries: [] - rules: [] - stream: - description: Legacy application logs managed as a classic data stream - ingest: - classic: {} - failure_store: - disabled: {} - lifecycle: - dsl: - data_retention: 30d - processing: - steps: - - action: grok - from: message - ignore_missing: true - patterns: - - '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log.level} %{GREEDYDATA:message}' - settings: {} - type: classic - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamUpsertRequest' - responses: {} - summary: Create or update a stream - tags: - - streams - x-state: Technical Preview; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - /api/streams/{name}/_fork: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/streams/{name}/_fork
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Forks a wired stream and creates a child stream

[Required authorization] Route required privileges: manage_stream. - operationId: post-streams-name-fork - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - forkStream: - value: - status: enabled - stream: - name: logs.nginx.errors - where: - eq: '500' - field: http.response.status_code - schema: - additionalProperties: false - type: object - properties: - draft: - type: boolean - status: - enum: - - enabled - - disabled - type: string - stream: - additionalProperties: false - type: object - properties: - name: - type: string - required: - - name - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - required: - - stream - - where - responses: {} - summary: Fork a stream - tags: - - streams - x-state: Technical Preview; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - /api/streams/{name}/_ingest: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/streams/{name}/_ingest
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Fetches the ingest settings of an ingest stream definition

[Required authorization] Route required privileges: read_stream. - operationId: get-streams-name-ingest - parameters: - - in: path - name: name - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: - '200': - content: - application/json: - examples: - getWiredIngest: - value: - ingest: - failure_store: - inherit: {} - lifecycle: - inherit: {} - processing: - steps: - - action: grok - from: message - ignore_missing: false - patterns: - - '%{IPORHOST:client.ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:@timestamp}\] "%{WORD:http.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}" %{NUMBER:http.response.status_code:int} (?:%{NUMBER:http.response.body.bytes:int}|-)' - updated_at: '2025-01-15T10:30:00.000Z' - settings: {} - wired: - fields: - client.ip: - type: ip - http.method: - type: keyword - http.response.body.bytes: - type: long - http.response.status_code: - type: long - url.original: - type: wildcard - routing: - - destination: logs.nginx.errors - status: enabled - where: - field: http.response.status_code - gte: 500 - summary: Get ingest stream settings - tags: - - streams - x-state: Technical Preview; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/streams/{name}/_ingest
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Upserts the ingest settings of an ingest stream definition

[Required authorization] Route required privileges: manage_stream. - operationId: put-streams-name-ingest - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - upsertWiredIngest: - value: - ingest: - failure_store: - inherit: {} - lifecycle: - inherit: {} - processing: - steps: - - action: grok - from: message - ignore_missing: false - patterns: - - '%{IPORHOST:client.ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:@timestamp}\] "%{WORD:http.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}" %{NUMBER:http.response.status_code:int} (?:%{NUMBER:http.response.body.bytes:int}|-)' - settings: {} - wired: - fields: - client.ip: - type: ip - http.method: - type: keyword - http.response.body.bytes: - type: long - http.response.status_code: - type: long - url.original: - type: wildcard - routing: - - destination: logs.nginx.errors - status: enabled - where: - eq: '500' - field: http.response.status_code - schema: - additionalProperties: false - type: object - properties: - ingest: - anyOf: - - additionalProperties: false - type: object - properties: - failure_store: - $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' - lifecycle: - $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' - processing: - additionalProperties: false - type: object - properties: - steps: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' - type: array - updated_at: {} - required: - - steps - settings: - additionalProperties: false - type: object - properties: - index.number_of_replicas: - additionalProperties: false - type: object - properties: - value: - type: number - required: - - value - index.number_of_shards: - additionalProperties: false - type: object - properties: - value: - type: number - required: - 
- value - index.refresh_interval: - additionalProperties: false - type: object - properties: - value: - anyOf: - - type: string - - enum: - - -1 - type: number - required: - - value - wired: - additionalProperties: false - type: object - properties: - draft: - type: boolean - fields: - $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinition' - routing: - items: - type: object - properties: - destination: - description: A non-empty string. - minLength: 1 - type: string - draft: - type: boolean - status: - enum: - - enabled - - disabled - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - required: - - destination - - where - type: array - required: - - fields - - routing - required: - - lifecycle - - processing - - settings - - failure_store - - wired - - additionalProperties: false - type: object - properties: - classic: - additionalProperties: false - type: object - properties: - field_overrides: - $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinition' - failure_store: - $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' - lifecycle: - $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' - processing: - additionalProperties: false - type: object - properties: - steps: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' - type: array - updated_at: {} - required: - - steps - settings: - additionalProperties: false - type: object - properties: - index.number_of_replicas: - additionalProperties: false - type: object - properties: - value: - type: number - required: - - value - index.number_of_shards: - additionalProperties: false - type: object - properties: - value: - type: number - required: - - value - index.refresh_interval: - additionalProperties: false - type: object - properties: - value: - anyOf: - - type: string - - enum: - - -1 - type: number - required: - - value - required: - - lifecycle - - processing - - settings - - failure_store - - classic - required: - - 
ingest - responses: {} - summary: Update ingest stream settings - tags: - - streams - x-state: Technical Preview; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - /api/streams/{name}/_query: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/streams/{name}/_query
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Fetches the query settings of a query stream definition

[Required authorization] Route required privileges: read_stream. - operationId: get-streams-name-query - parameters: - - in: path - name: name - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: {} - summary: Get query stream settings - tags: - - streams - x-state: Technical Preview; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/streams/{name}/_query
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Upserts the query settings of a query stream definition

[Required authorization] Route required privileges: manage_stream. - operationId: put-streams-name-query - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - upsertQueryStream: - value: - query: - esql: FROM logs* | WHERE log.level == "error" | KEEP @timestamp, message, host.name, log.level - schema: - additionalProperties: false - type: object - properties: - field_descriptions: - additionalProperties: - type: string - type: object - query: - additionalProperties: false - type: object - properties: - esql: - type: string - required: - - esql - required: - - query - responses: {} - summary: Upsert query stream settings - tags: - - streams - x-state: Technical Preview; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/streams/{name}/content/export: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/streams/{name}/content/export
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Exports the content associated to a stream.

[Required authorization] Route required privileges: manage_stream. - operationId: post-streams-name-content-export - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - description: - type: string - include: - $ref: '#/components/schemas/Kibana_HTTP_APIs_ContentPackIncludedObjects' - name: - type: string - version: - type: string - required: - - name - - description - - version - - include - responses: {} - summary: Export stream content - tags: - - streams - x-state: Technical Preview; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - /api/streams/{name}/content/import: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/streams/{name}/content/import
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Links content objects to a stream.

[Required authorization] Route required privileges: manage_stream. - operationId: post-streams-name-content-import - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - type: string - requestBody: - content: - multipart/form-data: - schema: - additionalProperties: false - type: object - properties: - content: {} - include: - type: string - required: - - include - - content - responses: {} - summary: Import content into a stream - tags: - - streams - x-state: Technical Preview; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - /api/streams/{name}/queries: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/streams/{name}/queries
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Fetches all queries linked to a stream that are visible to the current user in the current space.

[Required authorization] Route required privileges: read_stream. - operationId: get-streams-name-queries - parameters: - - in: path - name: name - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: {} - summary: Get stream queries - tags: - - streams - x-state: Technical Preview; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - /api/streams/{name}/queries/_bulk: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/streams/{name}/queries/_bulk
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Bulk update queries of a stream. Can add new queries and delete existing ones.

[Required authorization] Route required privileges: manage_stream. - operationId: post-streams-name-queries-bulk - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - operations: - items: - anyOf: - - type: object - properties: - index: - type: object - properties: - description: - default: '' - type: string - esql: - type: object - properties: - query: - type: string - required: - - query - evidence: - items: - type: string - type: array - id: - description: A non-empty string. - minLength: 1 - type: string - severity_score: - type: number - title: - description: A non-empty string. - minLength: 1 - type: string - required: - - title - - esql - - id - required: - - index - - type: object - properties: - delete: - type: object - properties: - id: - type: string - required: - - id - required: - - delete - type: array - required: - - operations - responses: {} - summary: Bulk update queries - tags: - - streams - x-state: Technical Preview; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - /api/streams/{name}/queries/{queryId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/streams/{name}/queries/{queryId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Remove a query from a stream. Noop if the query is not found on the stream.

[Required authorization] Route required privileges: manage_stream. - operationId: delete-streams-name-queries-queryid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - type: string - - in: path - name: queryId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: {} - summary: Remove a query from a stream - tags: - - streams - x-state: Technical Preview; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/streams/{name}/queries/{queryId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Adds a query to a stream. Noop if the query is already present on the stream.

[Required authorization] Route required privileges: manage_stream. - operationId: put-streams-name-queries-queryid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - type: string - - in: path - name: queryId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - description: - default: '' - type: string - esql: - additionalProperties: false - type: object - properties: - query: - type: string - required: - - query - evidence: - items: - type: string - type: array - severity_score: - type: number - title: - description: A non-empty string. - minLength: 1 - type: string - required: - - title - - esql - responses: {} - summary: Upsert a query to a stream - tags: - - streams - x-state: Technical Preview; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - /api/streams/{name}/significant_events: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/streams/{name}/significant_events
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Read the significant events

[Required authorization] Route required privileges: read_stream. - operationId: get-streams-name-significant-events - parameters: - - in: path - name: name - required: true - schema: - type: string - - in: query - name: from - required: true - schema: - type: string - - in: query - name: to - required: true - schema: - type: string - - in: query - name: bucketSize - required: true - schema: - type: string - - description: Query string to filter significant events on metadata fields - in: query - name: query - required: false - schema: - type: string - - description: 'Search mode: keyword (BM25), semantic (vector), or hybrid (RRF). Defaults to hybrid when inference is available.' - in: query - name: searchMode - required: false - schema: - enum: - - keyword - - semantic - - hybrid - type: string - requestBody: - content: - application/json: - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: {} - summary: Read the significant events - tags: - - streams - x-state: Technical Preview; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - /api/streams/{name}/significant_events/_generate: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/streams/{name}/significant_events/_generate
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Generate significant events queries based on the stream data

[Required authorization] Route required privileges: read_stream. - operationId: post-streams-name-significant-events-generate - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - type: string - - description: Optional connector ID. If not provided, the default AI connector from settings will be used. - in: query - name: connectorId - required: false - schema: - type: string - - in: query - name: from - required: true - schema: - type: string - - in: query - name: to - required: true - schema: - type: string - - description: Number of sample documents to use for generation from the current data of stream - in: query - name: sampleDocsSize - required: false - schema: - type: number - requestBody: - content: - application/json: - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: {} - summary: Generate significant events - tags: - - streams - x-state: Technical Preview; added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - /api/streams/{name}/significant_events/_preview: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/streams/{name}/significant_events/_preview
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Preview significant event results based on a given query

[Required authorization] Route required privileges: read_stream. - operationId: post-streams-name-significant-events-preview - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - type: string - - in: query - name: from - required: true - schema: - type: string - - in: query - name: to - required: true - schema: - type: string - - in: query - name: bucketSize - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - additionalProperties: false - type: object - properties: - query: - additionalProperties: false - type: object - properties: - esql: - additionalProperties: false - type: object - properties: - query: - type: string - required: - - query - required: - - esql - required: - - query - responses: {} - summary: Preview significant events - tags: - - streams - x-state: Technical Preview; added in 9.1.0 - x-metaTags: - - content: Kibana - name: product_name - /api/streams/{streamName}/attachments: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/streams/{streamName}/attachments
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Fetches all attachments linked to a stream that are visible to the current user in the current space. Optionally filter by attachment types, search query, and tags.

[Required authorization] Route required privileges: read_stream. - operationId: get-streams-streamname-attachments - parameters: - - description: The name of the stream - in: path - name: streamName - required: true - schema: - type: string - - description: Search query to filter attachments by title - in: query - name: query - required: false - schema: - type: string - - description: Filter by attachment types (single value or array) - in: query - name: attachmentTypes - required: false - schema: - items: - enum: - - dashboard - - rule - - slo - type: string - type: array - - description: Filter by tags (single value or array) - in: query - name: tags - required: false - schema: - items: - type: string - type: array - requestBody: - content: - application/json: - examples: - listAttachmentsExample: - value: {} - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: - '200': - content: - application/json: - examples: - listAttachmentsResponse: - value: - attachments: - - createdAt: '2023-02-23T16:15:47.275Z' - description: Dashboard for monitoring production services - id: dashboard-123 - streamNames: - - logs.awsfirehose - - logs.nginx - tags: - - monitoring - - production - title: My Dashboard - type: dashboard - updatedAt: '2023-03-24T14:39:17.636Z' - description: Successfully retrieved attachments - summary: Get stream attachments - tags: - - streams - x-state: Technical Preview; added in 9.3.0 - x-metaTags: - - content: Kibana - name: product_name - /api/streams/{streamName}/attachments/_bulk: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/streams/{streamName}/attachments/_bulk
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Bulk update attachments linked to a stream. Can link new attachments and delete existing ones. Supports mixed attachment types in a single request.

[Required authorization] Route required privileges: manage_stream. - operationId: post-streams-streamname-attachments-bulk - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The name of the stream - in: path - name: streamName - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - bulkAttachmentsExample: - value: - operations: - - index: - id: dashboard-123 - type: dashboard - - delete: - id: rule-456 - type: rule - schema: - additionalProperties: false - type: object - properties: - operations: - items: - anyOf: - - type: object - properties: - index: - type: object - properties: - id: - type: string - type: - enum: - - dashboard - - rule - - slo - type: string - required: - - id - - type - required: - - index - - type: object - properties: - delete: - type: object - properties: - id: - type: string - type: - enum: - - dashboard - - rule - - slo - type: string - required: - - id - - type - required: - - delete - type: array - required: - - operations - responses: - '200': - content: - application/json: - examples: - bulkAttachmentsResponse: - value: - acknowledged: true - description: Successfully performed bulk operations - summary: Bulk update attachments - tags: - - streams - x-state: Technical Preview; added in 9.3.0 - x-metaTags: - - content: Kibana - name: product_name - /api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Unlinks an attachment from a stream. Noop if the attachment is not linked to the stream.

[Required authorization] Route required privileges: manage_stream. - operationId: delete-streams-streamname-attachments-attachmenttype-attachmentid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The name of the stream - in: path - name: streamName - required: true - schema: - type: string - - description: The type of the attachment - in: path - name: attachmentType - required: true - schema: - enum: - - dashboard - - rule - - slo - type: string - - description: The ID of the attachment - in: path - name: attachmentId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - unlinkAttachmentExample: - value: {} - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: - '200': - content: - application/json: - examples: - unlinkAttachmentResponse: - value: - acknowledged: true - description: Successfully unlinked attachment - summary: Unlink an attachment from a stream - tags: - - streams - x-state: Technical Preview; added in 9.3.0 - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Links an attachment to a stream. Noop if the attachment is already linked to the stream.

[Required authorization] Route required privileges: manage_stream. - operationId: put-streams-streamname-attachments-attachmenttype-attachmentid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The name of the stream - in: path - name: streamName - required: true - schema: - type: string - - description: The type of the attachment - in: path - name: attachmentType - required: true - schema: - enum: - - dashboard - - rule - - slo - type: string - - description: The ID of the attachment - in: path - name: attachmentId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - linkAttachmentExample: - value: {} - schema: - anyOf: - - additionalProperties: false - type: object - properties: {} - - nullable: true - - {} - responses: - '200': - content: - application/json: - examples: - linkAttachmentResponse: - value: - acknowledged: true - description: Successfully linked attachment - summary: Link an attachment to a stream - tags: - - streams - x-state: Technical Preview; added in 9.3.0 - x-metaTags: - - content: Kibana - name: product_name - /api/synthetics/monitor/test/{monitorId}: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/synthetics/monitor/test/{monitorId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Trigger an immediate test execution for the specified monitor. The response includes the generated `testRunId`. If the test encounters issues in one or more service locations, an `errors` array is also returned with details about the failures. - operationId: post-synthetics-monitor-test - parameters: - - description: The ID (config_id) of the monitor to test. - in: path - name: monitorId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - testNowMonitorResponseExample1: - value: |- - { - "testRunId": "2bd506e5-4f9a-4aa6-a019-7988500afba0", - "errors": [ - { - "locationId": "us_central_staging", - "error": { - "status": 401, - "reason": "no auth credentials provided", - "failed_monitors": null - } - } - ] - } - schema: - type: object - properties: - errors: - description: Array of errors encountered while triggering the test, one per service location. - items: - type: object - properties: - error: - type: object - properties: - failed_monitors: - description: Optional list of monitors that failed at the location. - items: - type: object - nullable: true - type: array - reason: - description: Human-readable explanation of the failure. - type: string - status: - description: HTTP status code returned by the agent. - type: integer - required: - - status - - reason - - failed_monitors - locationId: - description: Identifier of the service location where the error occurred. - type: string - required: - - locationId - - error - type: array - testRunId: - description: Unique identifier for the triggered test run. - type: string - required: - - testRunId - description: Test run triggered successfully. - '404': - description: Monitor not found. 
- summary: Trigger an on-demand test run for a monitor - tags: - - synthetics - x-state: Generally available; added in 9.2.0 - x-metaTags: - - content: Kibana - name: product_name - /api/synthetics/monitors: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/synthetics/monitors
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of monitors. - You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. - operationId: get-synthetic-monitors - parameters: - - description: Additional filtering criteria. - in: query - name: filter - schema: - type: string - - description: The locations to filter by. - in: query - name: locations - schema: - oneOf: - - type: string - - type: array - - description: The monitor types to filter. - in: query - name: monitorTypes - schema: - oneOf: - - enum: - - browser - - http - - icmp - - tcp - type: string - - type: array - - description: The page number for paginated results. - in: query - name: page - schema: - type: integer - - description: The number of items to return per page. - in: query - name: per_page - schema: - type: integer - - description: The projects to filter by. - in: query - name: projects - schema: - oneOf: - - type: string - - type: array - - description: A free-text query string. - in: query - name: query - schema: - type: string - - description: The schedules to filter by. - in: query - name: schedules - schema: - oneOf: - - type: array - - type: string - - description: The field to sort the results by. - in: query - name: sortField - schema: - enum: - - name - - createdAt - - updatedAt - - status - type: string - - description: The sort order. - in: query - name: sortOrder - schema: - enum: - - asc - - desc - type: string - - description: The status to filter by. - in: query - name: status - schema: - oneOf: - - type: array - - type: string - - description: Tags to filter monitors. - in: query - name: tags - schema: - oneOf: - - type: string - - type: array - - description: | - Specifies whether to apply logical AND filtering for specific fields. Accepts either a string with values "tags" or "locations" or an array containing both. 
- in: query - name: useLogicalAndFor - schema: - oneOf: - - enum: - - tags - - locations - type: string - - items: - enum: - - tags - - locations - type: string - type: array - responses: - '200': - content: - application/json: - examples: - getSyntheticMonitorsResponseExample1: - description: A successful response from `GET /api/synthetics/monitors?tags=prod&monitorTypes=http&locations=us-east-1&projects=project1&status=up`. - value: |- - { - "page": 1, - "total": 24, - "monitors": [ - { - "type": "icmp", - "enabled": false, - "alert": { - "status": { - "enabled": true - }, - "tls": { - "enabled": true - } - }, - "schedule": { - "number": "3", - "unit": "m" - }, - "config_id": "e59142e5-1fe3-4aae-b0b0-19d6345e65a1", - "timeout": "16", - "name": "8.8.8.8:80", - "locations": [ - { - "id": "us_central", - "label": "North America - US Central", - "geo": { - "lat": 41.25, - "lon": -95.86 - }, - "isServiceManaged": true - } - ], - "namespace": "default", - "origin": "ui", - "id": "e59142e5-1fe3-4aae-b0b0-19d6345e65a1", - "max_attempts": 2, - "wait": "7", - "revision": 3, - "mode": "all", - "ipv4": true, - "ipv6": true, - "created_at": "2023-11-07T09:57:04.152Z", - "updated_at": "2023-12-04T19:19:34.039Z", - "host": "8.8.8.8:80" - } - ], - "absoluteTotal": 24, - "perPage": 10, - } - schema: - type: object - description: A successful response. - summary: Get monitors - tags: - - synthetics - x-metaTags: - - content: Kibana - name: product_name - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/synthetics/monitors
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new monitor with the specified attributes. A monitor can be one of the following types: HTTP, TCP, ICMP, or Browser. The required and default fields may vary based on the monitor type. - You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. - operationId: post-synthetic-monitors - requestBody: - content: - application/json: - examples: - postSyntheticMonitorsRequestExample1: - description: Create an HTTP monitor to check a website's availability. - summary: HTTP monitor - value: |- - { - "type": "http", - "name": "Website Availability", - "url": "https://example.com", - "tags": ["website", "availability"], - "locations": ["united_kingdom"] - } - postSyntheticMonitorsRequestExample2: - description: Create a TCP monitor to monitor a server's availability. - summary: TCP monitor - value: |- - { - "type": "tcp", - "name": "Server Availability", - "host": "example.com", - "private_locations": ["my_private_location"] - } - postSyntheticMonitorsRequestExample3: - description: Create an ICMP monitor to perform ping checks. - summary: ICMP monitor - value: |- - { - "type": "icmp", - "name": "Ping Test", - "host": "example.com", - "locations": ["united_kingdom"] - } - postSyntheticMonitorsRequestExample4: - description: Create a browser monitor to check a website. - summary: Browser monitor - value: |- - { - "type": "browser", - "name": "Example journey", - "inline_script": "step('Go to https://google.com.co', () => page.goto('https://www.google.com'))", - "locations": ["united_kingdom"] - } - schema: - description: | - The request body should contain the attributes of the monitor you want to create. The required and default fields differ depending on the monitor type. 
- discriminator: - propertyName: type - oneOf: - - $ref: '#/components/schemas/Synthetics_browserMonitorFields' - - $ref: '#/components/schemas/Synthetics_httpMonitorFields' - - $ref: '#/components/schemas/Synthetics_icmpMonitorFields' - - $ref: '#/components/schemas/Synthetics_tcpMonitorFields' - required: true - responses: - '200': - content: - application/json: - examples: - postSyntheticMonitorsResponseWithWarning: - description: A response when a browser monitor specifies a timeout but has no private locations. - summary: Response with warning - value: |- - { - "type": "browser", - "name": "Example journey", - "enabled": true, - "warnings": [ - { - "id": "monitor-id", - "message": "For browser monitors, timeout is only supported on private locations. Browser monitor \"Example journey\" specifies a timeout and is running on public locations: \"public-1, public-2\". The timeout will have no effect on these locations.", - "publicLocationIds": ["public-1", "public-2"] - } - ] - } - schema: - type: object - properties: - warnings: - description: | - An optional array of warnings about the monitor configuration. - items: - $ref: '#/components/schemas/Synthetics_monitorWarning' - type: array - description: | - A successful response. The response may include a `warnings` array when the monitor configuration has non-critical issues. For example, if a browser monitor specifies a timeout but has no private locations configured, a warning is returned indicating the timeout will have no effect. - '400': - content: - application/json: - examples: - invalidBrowserTimeout: - description: A 400 error when a browser monitor timeout is below 30 seconds. - summary: Invalid browser timeout - value: |- - { - "statusCode": 400, - "error": "Bad Request", - "message": "Browser Monitor timeout is invalid", - "attributes": { - "details": "Invalid timeout 20 seconds supplied. Minimum timeout for browser monitors is 30 seconds." 
- } - } - schema: - type: object - properties: - attributes: - type: object - properties: - details: - example: Invalid timeout 20 seconds supplied. Minimum timeout for browser monitors is 30 seconds. - type: string - error: - example: Bad Request - type: string - message: - example: Browser Monitor timeout is invalid - type: string - statusCode: - example: 400 - type: integer - description: | - Bad request. For browser monitors, a 400 error is returned if the timeout is less than 30 seconds. - summary: Create a monitor - tags: - - synthetics - x-metaTags: - - content: Kibana - name: product_name - /api/synthetics/monitors/_bulk_delete: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/synthetics/monitors/_bulk_delete
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete multiple monitors by sending a list of config IDs. - operationId: delete-synthetic-monitors - requestBody: - content: - application/json: - examples: - bulkDeleteRequestExample1: - description: Run `POST /api/synthetics/monitors/_bulk_delete` to delete a list of monitors. - value: |- - { - "ids": [ - "monitor1-id", - "monitor2-id" - ] - } - schema: - type: object - properties: - ids: - description: An array of monitor IDs to delete. - items: - type: string - type: array - required: - - ids - required: true - responses: - '200': - content: - application/json: - examples: - deleteMonitorsResponseExample1: - description: A response from successfully deleting multiple monitors. - value: |- - [ - { - "id": "monitor1-id", - "deleted": true - }, - { - "id": "monitor2-id", - "deleted": true - } - ] - schema: - items: - description: The API response includes information about the deleted monitors. - type: object - properties: - deleted: - description: | - If it is `true`, the monitor was successfully deleted If it is `false`, the monitor was not deleted. - type: boolean - ids: - description: The unique identifier of the deleted monitor. - type: string - type: array - description: A successful response. - summary: Delete monitors - tags: - - synthetics - x-metaTags: - - content: Kibana - name: product_name - /api/synthetics/monitors/{id}: - delete: - description: | - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/synthetics/monitors/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a monitor from the Synthetics app. - You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. - operationId: delete-synthetic-monitor - parameters: - - description: The identifier for the monitor that you want to delete. - in: path - name: id - required: true - schema: - type: string - responses: - '200': - description: OK - summary: Delete a monitor - tags: - - synthetics - x-metaTags: - - content: Kibana - name: product_name - get: - operationId: get-synthetic-monitor - parameters: - - description: The ID of the monitor. - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getSyntheticMonitorResponseExample1: - description: A successful response from `GET /api/synthetics/monitors/`. - value: |- - { - "type": "http", - "enabled": true, - "alert": { - "status": { - "enabled": true - }, - "tls": { - "enabled": true - } - }, - "schedule": { - "number": "3", - "unit": "m" - }, - "config_id": "a8188705-d01e-4bb6-87a1-64fa5e4b07ec", - "timeout": "16", - "name": "am i something", - "locations": [ - { - "id": "us_central", - "label": "North America - US Central", - "geo": { - "lat": 41.25, - "lon": -95.86 - }, - "isServiceManaged": true - } - ], - "namespace": "default", - "origin": "ui", - "id": "a8188705-d01e-4bb6-87a1-64fa5e4b07ec", - "max_attempts": 2, - "__ui": { - "is_tls_enabled": false - }, - "max_redirects": "0", - "response.include_body": "on_error", - "response.include_headers": true, - "check.request.method": "GET", - "mode": "any", - "response.include_body_max_bytes": "1024", - "ipv4": true, - "ipv6": true, - "ssl.verification_mode": "full", - "ssl.supported_protocols": [ - "TLSv1.1", - "TLSv1.2", - "TLSv1.3" - ], - "revision": 13, - "created_at": "2023-11-08T08:45:29.334Z", - "updated_at": 
"2023-12-18T20:31:44.770Z", - "url": "https://fast.com" - } - schema: - type: object - description: A successful response. - '404': - description: If the monitor is not found, the API returns a 404 error. - summary: Get a monitor - tags: - - synthetics - x-metaTags: - - content: Kibana - name: product_name - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/synthetics/monitors/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - put: - description: | - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/synthetics/monitors/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a monitor with the specified attributes. The required and default fields may vary based on the monitor type. - You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. - You can also partially update a monitor. This will only update the fields that are specified in the request body. All other fields are left unchanged. The specified fields should conform to the monitor type. For example, you can't update the `inline_scipt` field of a HTTP monitor. - operationId: put-synthetic-monitor - parameters: - - description: The identifier for the monitor that you want to update. - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putSyntheticMonitorsRequestExample1: - description: Update an HTTP monitor that checks a website's availability. - summary: HTTP monitor - value: |- - { - "type": "http", - "name": "Website Availability", - "url": "https://example.com", - "tags": ["website", "availability"], - "locations": ["united_kingdom"] - } - putSyntheticMonitorsRequestExample2: - description: Update a TCP monitor that monitors a server's availability. - summary: TCP monitor - value: |- - { - "type": "tcp", - "name": "Server Availability", - "host": "example.com", - "private_locations": ["my_private_location"] - } - putSyntheticMonitorsRequestExample3: - description: Update an ICMP monitor that performs ping checks. - summary: ICMP monitor - value: |- - { - "type": "icmp", - "name": "Ping Test", - "host": "example.com", - "locations": ["united_kingdom"] - } - putSyntheticMonitorsRequestExample4: - description: Update a browser monitor that checks a website. 
- summary: Browser monitor - value: |- - { - "type": "browser", - "name": "Example journey", - "inline_script": "step('Go to https://google.com.co', () => page.goto('https://www.google.com'))", - "locations": ["united_kingdom"] - } - schema: - description: | - The request body should contain the attributes of the monitor you want to update. The required and default fields differ depending on the monitor type. - discriminator: - propertyName: type - oneOf: - - $ref: '#/components/schemas/Synthetics_browserMonitorFields' - - $ref: '#/components/schemas/Synthetics_httpMonitorFields' - - $ref: '#/components/schemas/Synthetics_icmpMonitorFields' - - $ref: '#/components/schemas/Synthetics_tcpMonitorFields' - type: object - required: true - responses: - '200': - content: - application/json: - examples: - putSyntheticMonitorResponseWithWarning: - description: A response when a browser monitor specifies a timeout but has no private locations. - summary: Response with warning - value: |- - { - "type": "browser", - "name": "Example journey", - "enabled": true, - "warnings": [ - { - "id": "monitor-id", - "message": "For browser monitors, timeout is only supported on private locations. Browser monitor \"Example journey\" specifies a timeout and is running on public locations: \"public-1, public-2\". The timeout will have no effect on these locations.", - "publicLocationIds": ["public-1", "public-2"] - } - ] - } - schema: - type: object - properties: - warnings: - description: | - An optional array of warnings about the monitor configuration. - items: - $ref: '#/components/schemas/Synthetics_monitorWarning' - type: array - description: | - A successful response. The response may include a `warnings` array when the monitor configuration has non-critical issues. - '400': - description: | - Bad request. For browser monitors, a 400 error is returned if the timeout is less than 30 seconds. 
- summary: Update a monitor - tags: - - synthetics - x-metaTags: - - content: Kibana - name: product_name - /api/synthetics/params: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/synthetics/params
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all parameters. You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. - operationId: get-parameters - responses: - '200': - content: - application/json: - examples: - getParametersResponseExample1: - description: A successful response for a user with read-only permissions to get a list of parameters. - summary: Read access - value: |- - [ - { - "id": "param1-id", - "key": "param1", - "description": "Description for param1", - "tags": ["tag1", "tag2"], - "namespaces": ["namespace1"] - }, - { - "id": "param2-id", - "key": "param2", - "description": "Description for param2", - "tags": ["tag3"], - "namespaces": ["namespace2"] - } - ] - getParametersResponseExample2: - description: A successful response for a user with write permissions to get a list of parameters. - summary: Write access - value: |- - [ - { - "id": "param1-id", - "key": "param1", - "description": "Description for param1", - "tags": ["tag1", "tag2"], - "namespaces": ["namespace1"], - "value": "value1" - }, - { - "id": "param2-id", - "key": "param2", - "description": "Description for param2", - "tags": ["tag3"], - "namespaces": ["namespace2"], - "value": "value2" - } - ] - schema: - items: - $ref: '#/components/schemas/Synthetics_getParameterResponse' - type: array - description: A successful response. - summary: Get parameters - tags: - - synthetics - x-metaTags: - - content: Kibana - name: product_name - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/synthetics/params
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Add one or more parameters to the Synthetics app. - You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. - operationId: post-parameters - requestBody: - content: - application/json: - examples: - postParametersRequestExample1: - description: Add a single parameter. - summary: Single parameter - value: |- - { - "key": "your-key-name", - "value": "your-parameter-value", - "description": "Param to use in browser monitor", - "tags": ["authentication", "security"], - "share_across_spaces": true - } - postParametersRequestExample2: - description: Add multiple parameters. - summary: Multiple parameters - value: |- - [ - { - "key": "param1", - "value": "value1" - }, - { - "key": "param2", - "value": "value2" - } - ] - schema: - oneOf: - - items: - $ref: '#/components/schemas/Synthetics_parameterRequest' - type: array - - $ref: '#/components/schemas/Synthetics_parameterRequest' - description: The request body can contain either a single parameter object or an array of parameter objects. - required: true - responses: - '200': - content: - application/json: - examples: - postParametersResponseExample1: - description: A successful response for a single added parameter. - summary: Single parameter - value: |- - { - "id": "unique-parameter-id", - "key": "your-key-name", - "value": "your-param-value", - "description": "Param to use in browser monitor", - "tags": ["authentication", "security"], - "share_across_spaces": true - } - postParametersResponseExample2: - description: A successful response for multiple added parameters. 
- summary: Multiple parameters - value: |- - [ - { - "id": "param1-id", - "key": "param1", - "value": "value1" - }, - { - "id": "param2-id", - "key": "param2", - "value": "value2" - } - ] - schema: - oneOf: - - items: - $ref: '#/components/schemas/Synthetics_postParameterResponse' - type: array - - $ref: '#/components/schemas/Synthetics_postParameterResponse' - description: A successful response. - summary: Add parameters - tags: - - synthetics - x-metaTags: - - content: Kibana - name: product_name - /api/synthetics/params/_bulk_delete: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/synthetics/params/_bulk_delete
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete parameters from the Synthetics app. - You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. - operationId: delete-parameters - requestBody: - content: - application/json: - examples: - deleteParametersRequestExample1: - description: Run `POST /api/synthetics/params/_bulk_delete` to delete multiple parameters. - value: |- - { - "ids": ["param1-id", "param2-id"] - } - schema: - type: object - properties: - ids: - description: An array of parameter IDs to delete. - items: - type: string - type: array - required: true - responses: - '200': - content: - application/json: - examples: - deleteParametersResponseExample1: - value: |- - [ - { - "id": "param1-id", - "deleted": true - } - ] - schema: - items: - type: object - properties: - deleted: - description: | - Indicates whether the parameter was successfully deleted. It is `true` if it was deleted. It is `false` if it was not deleted. - type: boolean - id: - description: The unique identifier for the deleted parameter. - type: string - type: array - description: A successful response. - summary: Delete parameters - tags: - - synthetics - x-metaTags: - - content: Kibana - name: product_name - /api/synthetics/params/{id}: - delete: - description: | - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/synthetics/params/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a parameter from the Synthetics app. - You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. - operationId: delete-parameter - parameters: - - description: The ID for the parameter to delete. - in: path - name: id - required: true - schema: - type: string - responses: - '200': - description: OK - summary: Delete a parameter - tags: - - synthetics - x-metaTags: - - content: Kibana - name: product_name - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/synthetics/params/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a parameter from the Synthetics app. - You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. - operationId: get-parameter - parameters: - - description: The unique identifier for the parameter. - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getParameterResponseExample1: - description: A successful response for a user with read-only permissions to get a single parameter. - summary: Read access - value: |- - { - "id": "unique-parameter-id", - "key": "your-api-key", - "description": "Param to use in browser monitor", - "tags": ["authentication", "security"], - "namespaces": ["namespace1", "namespace2"] - } - getParameterResponseExample2: - description: A successful response for a user with write permissions to get a single parameter. - summary: Write access - value: |- - { - "id": "unique-parameter-id", - "key": "your-param-key", - "description": "Param to use in browser monitor", - "tags": ["authentication", "security"], - "namespaces": ["namespace1", "namespace2"], - "value": "your-param-value" - } - schema: - $ref: '#/components/schemas/Synthetics_getParameterResponse' - description: A successful response. - summary: Get a parameter - tags: - - synthetics - x-metaTags: - - content: Kibana - name: product_name - put: - description: | - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/synthetics/params/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a parameter in the Synthetics app. - You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. - operationId: put-parameter - parameters: - - description: The unique identifier for the parameter. - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putParameterRequestExample1: - value: |- - { - "key": "updated_param_key", - "value": "updated-param-value", - "description": "Updated Param to be used in browser monitor", - "tags": ["authentication", "security", "updated"] - } - schema: - type: object - properties: - description: - description: The updated description of the parameter. - type: string - key: - description: The key of the parameter. - type: string - tags: - description: An array of updated tags to categorize the parameter. - items: - type: string - type: array - value: - description: The updated value associated with the parameter. - type: string - description: The request body cannot be empty; at least one attribute is required. - required: true - responses: - '200': - content: - application/json: - examples: - putParameterResponseExample1: - value: |- - { - "id": "param_id1", - "key": "updated_param_key", - "value": "updated-param-value", - "description": "Updated Param to be used in browser monitor", - "tags": ["authentication", "security", "updated"] - } - schema: - type: object - description: A successful response. - summary: Update a parameter - tags: - - synthetics - x-metaTags: - - content: Kibana - name: product_name - /api/synthetics/private_locations: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/synthetics/private_locations
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of private locations. - You must have `read` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. - operationId: get-private-locations - responses: - '200': - content: - application/json: - examples: - getPrivateLocationsResponseExample1: - value: |- - [ - { - "label": "Test private location", - "id": "fleet-server-policy", - "agentPolicyId": "fleet-server-policy", - "isInvalid": false, - "geo": { - "lat": 0, - "lon": 0 - }, - "namespace": "default" - }, - { - "label": "Test private location 2", - "id": "691225b0-6ced-11ee-8f5a-376306ee85ae", - "agentPolicyId": "691225b0-6ced-11ee-8f5a-376306ee85ae", - "isInvalid": false, - "geo": { - "lat": 0, - "lon": 0 - }, - "namespace": "test" - } - ] - schema: - items: - $ref: '#/components/schemas/Synthetics_getPrivateLocation' - type: array - description: A successful response. - summary: Get private locations - tags: - - synthetics - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/synthetics/private_locations
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. - operationId: post-private-location - requestBody: - content: - application/json: - examples: - postPrivateLocationRequestExample1: - description: Run `POST /api/private_locations` to create a private location. - value: |- - { - "label": "Private Location 1", - "agentPolicyId": "abcd1234", - "tags": ["private", "testing"], - "geo": { - "lat": 40.7128, - "lon": -74.0060 - } - "spaces": ["default"] - } - schema: - type: object - properties: - agentPolicyId: - description: The ID of the agent policy associated with the private location. - type: string - geo: - description: Geographic coordinates (WGS84) for the location. - type: object - properties: - lat: - description: The latitude of the location. - type: number - lon: - description: The longitude of the location. - type: number - required: - - lat - - lon - label: - description: A label for the private location. - type: string - spaces: - description: | - An array of space IDs where the private location is available. If it is not provided, the private location is available in all spaces. - items: - type: string - type: array - tags: - description: An array of tags to categorize the private location. - items: - type: string - type: array - required: - - agentPolicyId - - label - required: true - responses: - '200': - content: - application/json: - examples: - postPrivateLocationResponseExample1: - value: |- - { - "id": "abcd1234", - "label": "Private Location 1", - "agentPolicyId": "abcd1234", - "tags": ["private", "testing"], - "geo": { - "lat": 40.7128, - "lon": -74.0060 - } - } - schema: - type: object - description: A successful response. 
- '400': - description: If the `agentPolicyId` is already used by an existing private location or if the `label` already exists, the API will return a 400 Bad Request response with a corresponding error message. - summary: Create a private location - tags: - - synthetics - x-metaTags: - - content: Kibana - name: product_name - /api/synthetics/private_locations/{id}: - delete: - description: | - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/synthetics/private_locations/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. - The API does not return a response body for deletion, but it will return an appropriate status code upon successful deletion. - A location cannot be deleted if it has associated monitors in use. You must delete all monitors associated with the location before deleting the location. - operationId: delete-private-location - parameters: - - description: The unique identifier of the private location to be deleted. - in: path - name: id - required: true - schema: - maxLength: 1024 - minLength: 1 - type: string - responses: - '200': - description: OK - summary: Delete a private location - tags: - - synthetics - x-metaTags: - - content: Kibana - name: product_name - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/synthetics/private_locations/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - You must have `read` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. - operationId: get-private-location - parameters: - - description: A private location identifier or label. - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getPrivateLocationResponseExample1: - value: |- - { - "label": "Test private location", - "id": "test-private-location-id", - "agentPolicyId": "test-private-location-id", - "isServiceManaged": false, - "isInvalid": false, - "geo": { - "lat": 0, - "lon": 0 - }, - "namespace": "default" - } - schema: - $ref: '#/components/schemas/Synthetics_getPrivateLocation' - description: A successful response. - summary: Get a private location - tags: - - synthetics - x-metaTags: - - content: Kibana - name: product_name - put: - description: | - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/synthetics/private_locations/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an existing private location's label. - You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. - When a private location's label is updated, all monitors using this location will also be updated to maintain data consistency. - operationId: put-private-location - parameters: - - description: The unique identifier of the private location to be updated. - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putPrivateLocationRequestExample1: - description: Update a private location's label. - value: |- - { - "label": "Updated Private Location Name" - } - schema: - type: object - properties: - label: - description: A new label for the private location. Must be at least 1 character long. - minLength: 1 - type: string - required: - - label - required: true - responses: - '200': - content: - application/json: - examples: - putPrivateLocationResponseExample1: - value: |- - { - "label": "Updated Private Location Name", - "id": "test-private-location-id", - "agentPolicyId": "test-private-location-id", - "isServiceManaged": false, - "isInvalid": false, - "tags": ["private", "testing", "updated"], - "geo": { - "lat": 37.7749, - "lon": -122.4194 - }, - "spaces": ["*"] - } - schema: - $ref: '#/components/schemas/Synthetics_getPrivateLocation' - description: A successful response. - '400': - description: If the `label` is shorter than 1 character the API will return a 400 Bad Request response with a corresponding error message. - '404': - description: If the private location with the specified ID does not exist, the API will return a 404 Not Found response. 
- summary: Update a private location - tags: - - synthetics - x-metaTags: - - content: Kibana - name: product_name - /api/task_manager/_health: - get: - description: | - Get the health status of the Kibana task manager. - operationId: task-manager-health - responses: - '200': - content: - application/json: - examples: - taskManagerHealthResponse1: - $ref: '#/components/examples/Task_manager_health_APIs_health_200response' - schema: - $ref: '#/components/schemas/Task_manager_health_APIs_health_response' - description: Indicates a successful call - summary: Get the task manager health - tags: - - task manager - x-metaTags: - - content: Kibana - name: product_name - /api/timeline: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/timeline
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete one or more Timelines or Timeline templates. - operationId: DeleteTimelines - requestBody: - content: - application/json: - examples: - deleteByIds: - summary: Delete timelines by saved object id - value: - savedObjectIds: - - 15c1929b-0af7-42bd-85a8-56e234cc7c4e - deleteWithSearches: - summary: Delete Timelines and their linked saved searches - value: - savedObjectIds: - - 15c1929b-0af7-42bd-85a8-56e234cc7c4e - - 6ce1b592-84e3-4b4a-9552-f189d4b82075 - searchIds: - - 2c1b8f02-9ad6-4e33-8f6a-2c6b7d0a1f11 - schema: - type: object - properties: - savedObjectIds: - description: The list of IDs of the Timelines or Timeline templates to delete - items: - type: string - maxItems: 100 - type: array - searchIds: - description: Saved search IDs that should be deleted alongside the timelines - items: - type: string - maxItems: 100 - type: array - required: - - savedObjectIds - description: The IDs of the Timelines or Timeline templates to delete. - required: true - responses: - '200': - content: - application/json: - examples: - success: - summary: Success - value: {} - schema: - additionalProperties: true - type: object - description: Indicates a successful call. - summary: Delete Timelines or Timeline templates - tags: - - Security Timeline API - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/timeline
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the details of an existing saved Timeline or Timeline template. - operationId: GetTimeline - parameters: - - description: The `savedObjectId` of the Timeline template to retrieve. - in: query - name: template_timeline_id - schema: - type: string - - description: The `savedObjectId` of the Timeline to retrieve. - in: query - name: id - schema: - type: string - responses: - '200': - content: - application/json: - examples: - timelineDetail: - summary: Timeline detail - value: - description: User-reported suspicious email - noteIds: [] - pinnedEventIds: [] - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Phishing investigation - version: WzE0LDFd - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - description: Indicates a successful call. - summary: Get Timeline or Timeline template details - tags: - - Security Timeline API - x-metaTags: - - content: Kibana - name: product_name - patch: - description: |- - **Spaces method and path for this operation:** - -
patch /s/{space_id}/api/timeline
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an existing Timeline. You can update the title, description, date range, pinned events, pinned queries, and/or pinned saved queries of an existing Timeline. - operationId: PatchTimeline - requestBody: - content: - application/json: - examples: - patchTitle: - summary: Update title - value: - timeline: - title: Escalated case review - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzE0LDFd - schema: - type: object - properties: - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - description: The timeline object of the Timeline or Timeline template that you’re updating. - timelineId: - description: The `savedObjectId` of the Timeline or Timeline template that you’re updating. - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - nullable: true - type: string - version: - description: The version of the Timeline or Timeline template that you’re updating. - example: WzE0LDFd - nullable: true - type: string - required: - - timelineId - - version - - timeline - description: The Timeline updates, along with the Timeline ID and version. - required: true - responses: - '200': - content: - application/json: - examples: - patched: - summary: Updated timeline - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Escalated case review - version: WzE1LDFd - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - description: Indicates a successful call. - '405': - content: - application/json: - examples: - error: - summary: Error body - value: - body: update timeline error - statusCode: 405 - schema: - type: object - properties: - body: - description: The error message. 
- example: update timeline error - type: string - statusCode: - example: 405 - type: number - description: Indicates that the user does not have the required access to create a Timeline. - summary: Update a Timeline - tags: - - Security Timeline API - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/timeline
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new Timeline or Timeline template. - operationId: CreateTimelines - requestBody: - content: - application/json: - examples: - createDefault: - summary: Create a default timeline - value: - timeline: - status: active - timelineType: default - title: Malware containment - schema: - type: object - properties: - status: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true - templateTimelineId: - description: A unique identifier for the Timeline template. - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true - type: string - templateTimelineVersion: - description: Timeline template version number. - example: 12 - nullable: true - type: number - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - timelineId: - description: A unique identifier for the Timeline. - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true - type: string - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - version: - nullable: true - type: string - required: - - timeline - description: The required Timeline fields used to create a new Timeline, along with optional fields that will be created if not provided. - required: true - responses: - '200': - content: - application/json: - examples: - created: - summary: Created timeline - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Malware containment - version: WzE0LDFd - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - description: Indicates a successful call. 
- '405': - content: - application/json: - examples: - error: - summary: Error body - value: - body: update timeline error - statusCode: 405 - schema: - type: object - properties: - body: - description: The error message - example: update timeline error - type: string - statusCode: - example: 405 - type: number - description: Indicates that there was an error in the Timeline creation. - summary: Create a Timeline or Timeline template - tags: - - Security Timeline API - x-metaTags: - - content: Kibana - name: product_name - /api/timeline/_copy: - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/timeline/_copy
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Copies and returns a timeline or timeline template. - operationId: CopyTimeline - requestBody: - content: - application/json: - examples: - copyWithTitle: - summary: Copy with a new title - value: - timeline: - timelineType: default - title: Copy of investigation - timelineIdToCopy: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - schema: - type: object - properties: - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - timelineIdToCopy: - description: The `savedObjectId` of the timeline or template to duplicate. - type: string - required: - - timeline - - timelineIdToCopy - description: Source timeline id to copy plus timeline fields for the new saved object. - required: true - responses: - '200': - content: - application/json: - examples: - copied: - summary: Newly saved timeline - value: - savedObjectId: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - status: active - timelineType: default - title: Copy of investigation - version: WzE1LDFd - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - description: Indicates a successful call. - summary: Copies timeline or timeline template - tags: - - Security Timeline API - x-metaTags: - - content: Kibana - name: product_name - /api/timeline/_draft: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/timeline/_draft
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the details of the draft Timeline or Timeline template for the current user. If the user doesn't have a draft Timeline, an empty Timeline is returned. - operationId: GetDraftTimelines - parameters: - - description: Which draft to load (`default` investigation timeline or `template` timeline template). - in: query - name: timelineType - required: true - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - responses: - '200': - content: - application/json: - examples: - draftPayload: - summary: Draft timeline payload - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: draft - timelineType: default - title: '' - version: WzE0LDFd - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - description: Indicates a successful call. - '403': - content: - application/json: - examples: - forbidden: - summary: Permission denied - value: - message: Forbidden - status_code: 403 - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: If a draft Timeline was not found and we attempted to create one, it indicates that the user does not have the required permissions to create a draft Timeline. - '409': - content: - application/json: - examples: - conflict: - summary: Draft conflict - value: - message: Conflict - status_code: 409 - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: This should never happen, but if a draft Timeline was not found and we attempted to create one, it indicates that there is already a draft Timeline with the given `timelineId`. - summary: Get draft Timeline or Timeline template details - tags: - - Security Timeline API - x-metaTags: - - content: Kibana - name: product_name - post: - description: | - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/timeline/_draft
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a clean draft Timeline or Timeline template for the current user. - > info - > If the user already has a draft Timeline, the existing draft Timeline is cleared and returned. - operationId: CleanDraftTimelines - requestBody: - content: - application/json: - examples: - defaultDraft: - summary: Create a default draft timeline - value: - timelineType: default - schema: - type: object - properties: - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - required: - - timelineType - description: The type of Timeline to create. Valid values are `default` and `template`. - required: true - responses: - '200': - content: - application/json: - examples: - draftResponse: - summary: Draft after reset or creation - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: draft - templateTimelineId: null - templateTimelineVersion: null - timelineType: default - title: '' - version: WzE0LDFd - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - description: Indicates a successful call. - '403': - content: - application/json: - examples: - forbidden: - summary: Permission denied - value: - message: Forbidden - status_code: 403 - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: Indicates that the user does not have the required permissions to create a draft Timeline. - '409': - content: - application/json: - examples: - conflict: - summary: Draft conflict - value: - message: Conflict - status_code: 409 - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: Indicates that there is already a draft Timeline with the given `timelineId`. 
- summary: Create a clean draft Timeline or Timeline template - tags: - - Security Timeline API - x-metaTags: - - content: Kibana - name: product_name - /api/timeline/_export: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/timeline/_export
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Export Timelines as an NDJSON file. - operationId: ExportTimelines - parameters: - - description: The name of the file to export - in: query - name: file_name - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - exportIds: - summary: Export by timeline ids - value: - ids: - - 15c1929b-0af7-42bd-85a8-56e234cc7c4e - schema: - type: object - properties: - ids: - items: - type: string - maxItems: 1000 - minItems: 1 - nullable: true - type: array - description: The IDs of the Timelines to export. - required: true - responses: - '200': - content: - application/ndjson: - examples: - ndjsonLine: - summary: Single NDJSON line - value: '{"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd","title":"Investigation","timelineType":"default"}' - schema: - description: NDJSON of the exported Timelines - type: string - description: Indicates a successful call. - '400': - content: - application/ndjson: - examples: - badRequest: - summary: Export error - value: - body: Export limit exceeded - statusCode: 400 - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: Bad Request response. - summary: Export Timelines - tags: - - Security Timeline API - x-metaTags: - - content: Kibana - name: product_name - /api/timeline/_favorite: - patch: - description: |- - **Spaces method and path for this operation:** - -
patch /s/{space_id}/api/timeline/_favorite
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Favorite a Timeline or Timeline template for the current user. - operationId: PersistFavoriteRoute - requestBody: - content: - application/json: - examples: - favoriteDefault: - summary: Favorite a default timeline - value: - templateTimelineId: null - templateTimelineVersion: null - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - timelineType: default - schema: - type: object - properties: - templateTimelineId: - nullable: true - type: string - templateTimelineVersion: - nullable: true - type: number - timelineId: - nullable: true - type: string - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - required: - - timelineId - - templateTimelineId - - templateTimelineVersion - - timelineType - description: The required fields used to favorite a (template) Timeline. - required: true - responses: - '200': - content: - application/json: - examples: - favoriteResponse: - summary: Favorite metadata updated - value: - favorite: - - favoriteDate: 1741337636741 - userName: elastic - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - timelineType: default - version: WzE2LDFd - schema: - $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResponse' - description: Indicates a successful call. - '403': - content: - application/json: - examples: - forbidden: - summary: Forbidden - value: - body: Forbidden - statusCode: 403 - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: Indicates the user does not have the required permissions to persist the favorite status. - summary: Favorite a Timeline or Timeline template - tags: - - Security Timeline API - x-metaTags: - - content: Kibana - name: product_name - /api/timeline/_import: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/timeline/_import
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Import Timelines. - operationId: ImportTimelines - requestBody: - content: - application/json: - examples: - multipartPlaceholder: - summary: Request shape (file is a stream of NDJSON lines at runtime) - value: - file: '{"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd"}\n' - isImmutable: 'false' - schema: - type: object - properties: - file: {} - isImmutable: - description: Whether the Timeline should be immutable - enum: - - 'true' - - 'false' - type: string - required: - - file - description: The Timelines to import as a readable stream. - required: true - responses: - '200': - content: - application/json: - examples: - importSummary: - summary: Import summary - value: - errors: [] - success: true - success_count: 5 - timelines_installed: 3 - timelines_updated: 2 - schema: - $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult' - description: Indicates a successful call. - '400': - content: - application/json: - examples: - badRequest: - summary: Invalid import - value: - body: Invalid file extension - statusCode: 400 - schema: - type: object - properties: - body: - description: The error message - example: Invalid file extension - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - '404': - content: - application/json: - examples: - notFound: - summary: Saved objects client missing - value: - body: Unable to find saved object client - statusCode: 404 - schema: - type: object - properties: - body: - description: The error message - example: Unable to find saved object client - type: string - statusCode: - example: 404 - type: number - description: Not found response. 
- '409': - content: - application/json: - examples: - conflict: - summary: Import conflict - value: - body: Could not import timelines - statusCode: 409 - schema: - type: object - properties: - body: - description: The error message - example: Could not import timelines - type: string - statusCode: - example: 409 - type: number - description: Indicates the import of Timelines was unsuccessful. - summary: Import Timelines - tags: - - Security Timeline API - x-metaTags: - - content: Kibana - name: product_name - /api/timeline/_prepackaged: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/timeline/_prepackaged
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Install or update prepackaged Timelines. - operationId: InstallPrepackedTimelines - requestBody: - content: - application/json: - examples: - emptyArrays: - summary: Installer payload shape - value: - prepackagedTimelines: [] - timelinesToInstall: [] - timelinesToUpdate: [] - schema: - type: object - properties: - prepackagedTimelines: - items: - $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject' - nullable: true - type: array - timelinesToInstall: - items: - $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' - nullable: true - type: array - timelinesToUpdate: - items: - $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' - nullable: true - type: array - required: - - timelinesToInstall - - timelinesToUpdate - - prepackagedTimelines - description: The Timelines to install or update. - required: true - responses: - '200': - content: - application/json: - examples: - installResult: - summary: Install result counts - value: - errors: [] - success: true - success_count: 10 - timelines_installed: 8 - timelines_updated: 2 - schema: - $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult' - description: Indicates a successful call. - '500': - content: - application/json: - examples: - serverError: - summary: Server error - value: - body: Internal error - statusCode: 500 - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: Indicates the installation of prepackaged Timelines was unsuccessful. - summary: Install prepackaged Timelines - tags: - - Security Timeline API - x-metaTags: - - content: Kibana - name: product_name - /api/timeline/resolve: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/timeline/resolve
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Resolve a Timeline or Timeline template, surfacing outcomes such as `exactMatch`, `aliasMatch`, or `conflict` when object IDs have been remapped during upgrades or imports. Provide **either** `id` for default Timelines or `template_timeline_id` for templates. - operationId: ResolveTimeline - parameters: - - description: The ID of the template timeline to resolve - in: query - name: template_timeline_id - schema: - type: string - - description: The ID of the timeline to resolve - in: query - name: id - schema: - type: string - responses: - '200': - content: - application/json: - examples: - exactMatch: - description: Timeline resolved without alias or conflict - summary: Exact match outcome - value: - outcome: exactMatch - timeline: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - timelineType: default - title: Investigation - schema: - $ref: '#/components/schemas/Security_Timeline_API_ResolvedTimeline' - description: Indicates a successful call. - '400': - content: - application/json: - examples: - badRequest: - summary: Bad request - value: {} - schema: - additionalProperties: true - type: object - description: Bad Request response. - '404': - content: - application/json: - examples: - notFound: - summary: Not found - value: {} - schema: - additionalProperties: true - type: object - description: The (template) Timeline was not found - summary: Resolve a Timeline or Timeline template - tags: - - Security Timeline API - x-metaTags: - - content: Kibana - name: product_name - /api/timelines: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/timelines
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of all saved Timelines or Timeline templates. - operationId: GetTimelines - parameters: - - description: If `true`, only Timelines that the current user has marked as favorite are returned. - in: query - name: only_user_favorite - schema: - enum: - - 'true' - - 'false' - nullable: true - type: string - - description: Restrict results to `default` investigation timelines or `template` timeline templates. - in: query - name: timeline_type - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - - description: Field used to sort the list (`title`, `description`, `updated`, or `created`). - in: query - name: sort_field - schema: - $ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline' - - description: Whether to sort the results `ascending` or `descending` - in: query - name: sort_order - schema: - enum: - - asc - - desc - type: string - - description: How many results should returned at once - in: query - name: page_size - schema: - nullable: true - type: string - - description: How many pages should be skipped - in: query - name: page_index - schema: - nullable: true - type: string - - description: Allows to search for timelines by their title - in: query - name: search - schema: - nullable: true - type: string - - description: Filter by timeline lifecycle state (`active`, `draft`, or `immutable`). 
- in: query - name: status - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true - responses: - '200': - content: - application/json: - examples: - timelineList: - summary: Example list response - value: - customTemplateTimelineCount: 0 - defaultTimelineCount: 1 - elasticTemplateTimelineCount: 0 - favoriteCount: 0 - templateTimelineCount: 0 - timeline: - - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Phishing investigation - updated: 1741344876825 - version: WzE0LDFd - totalCount: 1 - schema: - type: object - properties: - customTemplateTimelineCount: - description: The amount of custom Timeline templates in the results - example: 2 - type: number - defaultTimelineCount: - description: The amount of `default` type Timelines in the results - example: 90 - type: number - elasticTemplateTimelineCount: - description: The amount of Elastic's Timeline templates in the results - example: 8 - type: number - favoriteCount: - description: The amount of favorited Timelines - example: 5 - type: number - templateTimelineCount: - description: The amount of Timeline templates in the results - example: 10 - type: number - timeline: - items: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - type: array - totalCount: - description: The total amount of results - example: 100 - type: number - required: - - timeline - - totalCount - description: Indicates a successful call. - '400': - content: - application/json: - examples: - badRequest: - summary: Error response body - value: - body: get timeline error - statusCode: 400 - schema: - type: object - properties: - body: - description: The error message. - example: get timeline error - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. 
- summary: Get Timelines or Timeline templates - tags: - - Security Timeline API - x-metaTags: - - content: Kibana - name: product_name - /api/upgrade_assistant/status: - get: - description: Check the status of your cluster. - operationId: get-upgrade-status - responses: - '200': - content: - application/json: - examples: - getUpgradeStatusResponseExample1: - value: |- - { - "readyForUpgrade": false, - "cluster": [ - { - "message": "Cluster deprecated issue", - "details":"You have 2 system indices that must be migrated and 5 Elasticsearch deprecation issues and 0 Kibana deprecation issues that must be resolved before upgrading." - } - ] - } - description: Indicates a successful call. - summary: Get the upgrade readiness status - tags: - - upgrade - x-state: Technical Preview - x-metaTags: - - content: Kibana - name: product_name - /api/uptime/settings: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/uptime/settings
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - You must have `read` privileges for the uptime feature in the Observability section of the Kibana feature privileges. - operationId: get-uptime-settings - responses: - '200': - content: - application/json: - examples: - getUptimeSettingsResponseExample1: - value: |- - { - "heartbeatIndices": "heartbeat-8*", - "certExpirationThreshold": 30, - "certAgeThreshold": 730, - "defaultConnectors": [ - "08990f40-09c5-11ee-97ae-912b222b13d4", - "db25f830-2318-11ee-9391-6b0c030836d6" - ], - "defaultEmail": { - "to": [], - "cc": [], - "bcc": [] - } - } - schema: - type: object - description: Indicates a successful call - summary: Get uptime settings - tags: - - uptime - x-metaTags: - - content: Kibana - name: product_name - put: - description: | - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/uptime/settings
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update uptime setting attributes like `heartbeatIndices`, `certExpirationThreshold`, `certAgeThreshold`, `defaultConnectors`, or `defaultEmail`. You must have `all` privileges for the uptime feature in the Observability section of the Kibana feature privileges. A partial update is supported, provided settings keys will be merged with existing settings. - operationId: put-uptime-settings - requestBody: - content: - application/json: - examples: - putUptimeSettingsRequestExample1: - description: Run `PUT api/uptime/settings` to update multiple Uptime settings. - summary: Update multiple settings - value: |- - { - "heartbeatIndices": "heartbeat-8*", - "certExpirationThreshold": 30, - "certAgeThreshold": 730, - "defaultConnectors": [ - "08990f40-09c5-11ee-97ae-912b222b13d4", - "db25f830-2318-11ee-9391-6b0c030836d6" - ], - "defaultEmail": { - "to": [], - "cc": [], - "bcc": [] - } - } - putUptimeSettingsRequestExample2: - description: Run `PUT api/uptime/settings` to update a single Uptime setting. - summary: Update a setting - value: |- - { - "heartbeatIndices": "heartbeat-8*", - } - schema: - type: object - properties: - certAgeThreshold: - default: 730 - description: The number of days after a certificate is created to trigger an alert. - type: number - certExpirationThreshold: - default: 30 - description: The number of days before a certificate expires to trigger an alert. - type: number - defaultConnectors: - default: [] - description: A list of connector IDs to be used as default connectors for new alerts. - type: array - defaultEmail: - description: | - The default email configuration for new alerts. 
- type: object - properties: - bcc: - default: [] - items: - type: string - type: array - cc: - default: [] - items: - type: string - type: array - to: - default: [] - items: - type: string - type: array - heartbeatIndices: - default: heartbeat-* - description: | - An index pattern string to be used within the Uptime app and alerts to query Heartbeat data. - type: string - responses: - '200': - content: - application/json: - examples: - putUptimeSettingsResponseExample1: - description: A successful response from `PUT api/uptime/settings`. - value: |- - { - "heartbeatIndices": "heartbeat-8*", - "certExpirationThreshold": 30, - "certAgeThreshold": 730, - "defaultConnectors": [ - "08990f40-09c5-11ee-97ae-912b222b13d4", - "db25f830-2318-11ee-9391-6b0c030836d6" - ], - "defaultEmail": { - "to": [], - "cc": [], - "bcc": [] - } - } - schema: - type: object - description: Indicates a successful call - summary: Update uptime settings - tags: - - uptime - x-metaTags: - - content: Kibana - name: product_name - /api/workflows: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/workflows
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete multiple workflows by their IDs.

[Required authorization] Route required privileges: workflowsManagement:delete. - operationId: delete-workflows - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: When true, permanently deletes the workflows (hard delete) instead of soft-deleting them. The workflow IDs become available for reuse. - in: query - name: force - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - examples: - bulkDeleteWorkflowsRequestExample: - description: Example request for deleting multiple workflows - value: - ids: - - workflow-c3d4e5f6-a7b8-9012-cdef-234567890123 - - workflow-d4e5f6a7-b8c9-0123-defa-345678901234 - schema: - additionalProperties: false - type: object - properties: - ids: - description: Array of workflow IDs to delete. - items: - description: Workflow ID to delete. - type: string - maxItems: 1000 - type: array - required: - - ids - responses: - '200': - content: - application/json: - examples: - bulkDeleteWorkflowsResponseExample: - description: Example response after deleting multiple workflows - value: - deleted: 2 - failures: [] - total: 2 - description: Indicates a successful response - summary: Bulk delete workflows - tags: - - workflows - x-codeSamples: - - label: Soft delete (default) - lang: curl - source: | - curl \ - -X DELETE "${KIBANA_URL}/api/workflows" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] - }' - - label: Hard delete (permanent) - lang: curl - source: | - curl \ - -X DELETE "${KIBANA_URL}/api/workflows?force=true" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "ids": 
["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] - }' - - lang: Console - source: | - DELETE kbn://api/workflows - { - "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] - } - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/workflows
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve a paginated list of workflows with optional filtering.

[Required authorization] Route required privileges: workflowsManagement:read OR workflowsManagement:readExecution. - operationId: get-workflows - parameters: - - description: Free-text search query. - in: query - name: query - required: false - schema: - type: string - - description: Number of results per page. - in: query - name: size - required: false - schema: - minimum: 1 - type: number - - description: Page number. - in: query - name: page - required: false - schema: - minimum: 1 - type: number - - description: Filter by enabled state. - in: query - name: enabled - required: false - schema: - items: - type: boolean - maxItems: 2 - type: array - - description: Filter by creator. - in: query - name: createdBy - required: false - schema: - items: - type: string - maxItems: 1000 - type: array - - description: Filter by tags. - in: query - name: tags - required: false - schema: - items: - type: string - maxItems: 1000 - type: array - responses: - '200': - content: - application/json: - examples: - getWorkflowsResponseExample: - description: Example response returning a paginated list of workflows - value: - page: 1 - results: - - createdAt: '2025-11-20T10:30:00.000Z' - definition: - description: This is a workflow example - enabled: true - inputs: - - default: hello world - name: message - type: string - name: Example definition - steps: - - name: hello_world_step - type: console - with: - message: '{{ inputs.message }}' - triggers: - - type: manual - description: This is a workflow example - enabled: true - history: - - duration: 5000 - finishedAt: '2025-11-20T12:00:05.000Z' - id: exec-001 - startedAt: '2025-11-20T12:00:00.000Z' - status: completed - workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - workflowName: Example definition - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - name: Example definition - tags: - - example - valid: true - size: 20 - total: 1 - description: Indicates a successful response - summary: Get workflows - tags: - - 
workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/workflows?size=20&page=1" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/workflows?size=20&page=1 - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/workflows
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create multiple workflows in a single request. Optionally overwrite existing workflows.

[Required authorization] Route required privileges: workflowsManagement:create AND workflowsManagement:update. - operationId: post-workflows - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Whether to overwrite existing workflows. - in: query - name: overwrite - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - examples: - bulkCreateWorkflowsRequestExample: - description: Example request for creating multiple workflows at once - value: - workflows: - - yaml: | - name: Example definition - enabled: true - description: This is a workflow example - triggers: - - type: manual - inputs: - - name: message - type: string - default: "hello world" - steps: - - name: hello_world_step - type: console - with: - message: "{{ inputs.message }}" - - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 - yaml: | - name: Second workflow - enabled: false - description: Another workflow - triggers: - - type: manual - steps: - - name: log_step - type: console - with: - message: "Hello from second workflow" - schema: - additionalProperties: false - type: object - properties: - workflows: - items: - type: object - properties: - id: - maxLength: 255 - minLength: 3 - pattern: ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ - type: string - yaml: - maxLength: 1048576 - type: string - required: - - yaml - maxItems: 500 - type: array - required: - - workflows - responses: - '200': - content: - application/json: - examples: - bulkCreateWorkflowsResponseExample: - description: Example response after creating multiple workflows - value: - created: - - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - name: Example definition - - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 - name: Second workflow - failures: [] - total: 2 - description: Indicates a successful response - summary: Bulk create workflows - tags: - - 
workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/workflows?overwrite=false" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "workflows": [ - { "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" }, - { "id": "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901", "yaml": "name: Second workflow\nenabled: false\ndescription: Another workflow\ntriggers:\n - type: manual\nsteps:\n - name: log_step\n type: console\n with:\n message: \"Hello from second workflow\"\n" } - ] - }' - - lang: Console - source: | - POST kbn://api/workflows?overwrite=false - { - "workflows": [ - { "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" }, - { "id": "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901", "yaml": "name: Second workflow\nenabled: false\ndescription: Another workflow\ntriggers:\n - type: manual\nsteps:\n - name: log_step\n type: console\n with:\n message: \"Hello from second workflow\"\n" } - ] - } - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/workflows/aggs: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/workflows/aggs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve distinct values and their counts for the specified workflow fields. Useful for building filters such as lists of tags or creators.

[Required authorization] Route required privileges: workflowsManagement:read. - operationId: get-workflows-aggs - parameters: - - description: Field or fields to aggregate on. - in: query - name: fields - required: true - schema: - description: Fields to aggregate on. - items: - description: Field name to aggregate. - type: string - maxItems: 25 - type: array - responses: - '200': - content: - application/json: - examples: - getAggsResponseExample: - description: Example response with tag and createdBy aggregations - value: - createdBy: - - doc_count: 2 - key: elastic - tags: - - doc_count: 1 - key: reporting - - doc_count: 1 - key: security - - doc_count: 1 - key: triage - description: Indicates a successful response - summary: Get workflow aggregations - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/workflows/aggs?fields=tags&fields=createdBy" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/workflows/aggs?fields=tags&fields=createdBy - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/workflows/connectors: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/workflows/connectors
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve the Kibana action connectors that can be used in workflow steps, grouped by connector type. Each type includes its configured instances and availability status.

[Required authorization] Route required privileges: workflowsManagement:read. - operationId: get-workflows-connectors - parameters: [] - responses: - '200': - content: - application/json: - examples: - getConnectorsResponseExample: - description: Example response with available connector types and their instances - value: - connectorTypes: - .email: - actionTypeId: .email - displayName: Email - enabled: true - enabledInConfig: true - enabledInLicense: true - instances: [] - minimumLicenseRequired: gold - subActions: - - displayName: Send - name: send - .slack_api: - actionTypeId: .slack_api - displayName: Slack - enabled: true - enabledInConfig: true - enabledInLicense: true - instances: - - id: slack-connector-1 - isDeprecated: false - isPreconfigured: false - name: Team Notifications - minimumLicenseRequired: gold - subActions: - - displayName: Post Message - name: postMessage - totalConnectors: 1 - description: Indicates a successful response - summary: Get available connectors - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/workflows/connectors" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/workflows/connectors - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/workflows/executions/{executionId}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/workflows/executions/{executionId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve details of a single workflow execution by its ID.

[Required authorization] Route required privileges: workflowsManagement:readExecution. - operationId: get-workflows-executions-executionid - parameters: - - description: Workflow execution ID - in: path - name: executionId - required: true - schema: - type: string - - description: Include execution input data. - in: query - name: includeInput - required: false - schema: - default: false - type: boolean - - description: Include execution output data. - in: query - name: includeOutput - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - getExecutionResponseExample: - description: Example response returning a workflow execution with step details - value: - duration: 3000 - executedBy: elastic - finishedAt: '2025-11-20T12:00:03.000Z' - id: exec-a1b2c3d4-e5f6-7890 - input: - message: hello world - isTestRun: false - output: hello world - spaceId: default - startedAt: '2025-11-20T12:00:00.000Z' - status: completed - stepExecutions: - - executionTimeMs: 1000 - finishedAt: '2025-11-20T12:00:02.000Z' - globalExecutionIndex: 0 - id: step-exec-001 - isTestRun: false - scopeStack: [] - spaceId: default - startedAt: '2025-11-20T12:00:01.000Z' - status: completed - stepExecutionIndex: 0 - stepId: hello_world_step - stepType: console - topologicalIndex: 0 - workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - workflowRunId: exec-a1b2c3d4-e5f6-7890 - triggeredBy: manual - workflowDefinition: - description: This is a workflow example - enabled: true - inputs: - - default: hello world - name: message - type: string - name: Example definition - steps: - - name: hello_world_step - type: console - with: - message: '{{ inputs.message }}' - triggers: - - type: manual - workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - yaml: | - name: Example definition - enabled: true - description: This is a workflow example - triggers: - - type: manual - inputs: - - name: message - type: string - default: "hello 
world" - steps: - - name: hello_world_step - type: console - with: - message: "{{ inputs.message }}" - description: Indicates a successful response - summary: Get a workflow execution - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}?includeInput=true&includeOutput=true" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/workflows/executions/{executionId}?includeInput=true&includeOutput=true - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/workflows/executions/{executionId}/cancel: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/workflows/executions/{executionId}/cancel
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Cancel a running workflow execution by its ID.

[Required authorization] Route required privileges: workflowsManagement:cancelExecution. - operationId: post-workflows-executions-executionid-cancel - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Workflow execution ID - in: path - name: executionId - required: true - schema: - type: string - responses: - '200': - description: Indicates a successful response - summary: Cancel a workflow execution - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/workflows/executions/{executionId}/cancel" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - lang: Console - source: | - POST kbn://api/workflows/executions/{executionId}/cancel - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/workflows/executions/{executionId}/children: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/workflows/executions/{executionId}/children
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve child workflow executions spawned by sub-workflow steps within a parent execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. - operationId: get-workflows-executions-executionid-children - parameters: - - description: Workflow execution ID - in: path - name: executionId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getChildrenExecutionsResponseExample: - description: Example response returning child workflow executions spawned by sub-workflow steps - value: - - executionId: child-exec-001 - parentStepExecutionId: step-exec-003 - status: completed - stepExecutions: - - executionTimeMs: 1000 - finishedAt: '2025-11-20T12:00:07.000Z' - globalExecutionIndex: 0 - id: child-step-001 - isTestRun: false - scopeStack: [] - startedAt: '2025-11-20T12:00:06.000Z' - status: completed - stepExecutionIndex: 0 - stepId: hello_world_step - stepType: console - topologicalIndex: 0 - workflowId: workflow-e5f6a7b8-c9d0-1234-efab-456789012345 - workflowRunId: child-exec-001 - workflowId: workflow-e5f6a7b8-c9d0-1234-efab-456789012345 - workflowName: Child Workflow - description: Indicates a successful response - summary: Get child executions - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/children" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/workflows/executions/{executionId}/children - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/workflows/executions/{executionId}/logs: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/workflows/executions/{executionId}/logs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve paginated logs for a workflow execution. Optionally filter by a specific step execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. - operationId: get-workflows-executions-executionid-logs - parameters: - - description: Workflow execution ID - in: path - name: executionId - required: true - schema: - type: string - - description: Filter logs by a specific step execution ID. - in: query - name: stepExecutionId - required: false - schema: - type: string - - description: Number of log entries per page. - in: query - name: size - required: false - schema: - default: 100 - maximum: 100 - minimum: 1 - type: number - - description: Page number. - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: number - - description: Field to sort by. - in: query - name: sortField - required: false - schema: - type: string - - description: Sort order. - in: query - name: sortOrder - required: false - schema: - enum: - - asc - - desc - type: string - responses: - '200': - content: - application/json: - examples: - getExecutionLogsResponseExample: - description: Example response returning paginated execution logs - value: - logs: - - additionalData: - executionId: exec-a1b2c3d4-e5f6-7890 - workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - connectorType: console - duration: 150 - id: log-001 - level: info - message: Workflow execution started - stepId: hello_world_step - stepName: Hello World - timestamp: '2025-11-20T12:00:01.000Z' - - additionalData: - executionId: exec-a1b2c3d4-e5f6-7890 - workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - connectorType: console - duration: 200 - id: log-002 - level: info - message: Step completed successfully - stepId: hello_world_step - stepName: Hello World - timestamp: '2025-11-20T12:00:02.000Z' - page: 1 - size: 100 - total: 2 - description: Indicates a successful response - summary: Get execution logs - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET 
"${KIBANA_URL}/api/workflows/executions/{executionId}/logs?size=100&page=1" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/workflows/executions/{executionId}/logs?size=100&page=1 - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/workflows/executions/{executionId}/resume: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/workflows/executions/{executionId}/resume
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Resume a paused workflow execution with the provided input.

[Required authorization] Route required privileges: workflowsManagement:execute. - operationId: post-workflows-executions-executionid-resume - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Workflow execution ID - in: path - name: executionId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - resumeExecutionRequestExample: - description: Example request to resume a paused workflow execution - value: - input: - approved: true - comment: Approved by analyst - schema: - additionalProperties: false - type: object - properties: - input: - additionalProperties: - nullable: true - description: Input data to resume the execution with. - type: object - required: - - input - responses: - '200': - content: - application/json: - examples: - resumeExecutionResponseExample: - description: Example response confirming the resume was scheduled - value: - executionId: exec-a1b2c3d4-e5f6-7890 - message: Workflow resume scheduled - success: true - description: Indicates a successful response - summary: Resume a workflow execution - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/workflows/executions/{executionId}/resume" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "input": { - "approved": true, - "comment": "Approved by analyst" - } - }' - - lang: Console - source: | - POST kbn://api/workflows/executions/{executionId}/resume - { - "input": { - "approved": true, - "comment": "Approved by analyst" - } - } - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/workflows/executions/{executionId}/step/{stepExecutionId}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/workflows/executions/{executionId}/step/{stepExecutionId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve details of a single step execution within a workflow execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. - operationId: get-workflows-executions-executionid-step-stepexecutionid - parameters: - - description: Workflow execution ID. - in: path - name: executionId - required: true - schema: - type: string - - description: Step execution ID. - in: path - name: stepExecutionId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getStepExecutionResponseExample: - description: Example response returning a single step execution - value: - error: null - executionTimeMs: 1000 - finishedAt: '2025-11-20T12:00:02.000Z' - globalExecutionIndex: 0 - id: step-exec-001 - input: - message: hello world - isTestRun: false - output: hello world - scopeStack: [] - spaceId: default - startedAt: '2025-11-20T12:00:01.000Z' - state: null - status: completed - stepExecutionIndex: 0 - stepId: hello_world_step - stepType: console - topologicalIndex: 0 - workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - workflowRunId: exec-a1b2c3d4-e5f6-7890 - description: Indicates a successful response - summary: Get a step execution - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/step/{stepExecutionId}" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/workflows/executions/{executionId}/step/{stepExecutionId} - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/workflows/export: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/workflows/export
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Export one or more workflows as JSON with YAML content and metadata.

[Required authorization] Route required privileges: workflowsManagement:read. - operationId: post-workflows-export - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - exportWorkflowsRequestExample: - description: Example request to export workflows - value: - ids: - - workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - - workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 - schema: - additionalProperties: false - type: object - properties: - ids: - description: Array of workflow IDs to export. - items: - description: Workflow ID to export. - maxLength: 255 - type: string - maxItems: 500 - minItems: 1 - type: array - required: - - ids - responses: - '200': - content: - application/json: - examples: - exportWorkflowsResponseExample: - description: Workflow entries with YAML content and export manifest - value: - entries: - - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - yaml: |- - name: My Workflow - steps: - - type: http.request - with: - url: https://example.com - - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 - yaml: |- - name: Another Workflow - steps: - - type: http.request - with: - url: https://example.com - manifest: - exportedAt: '2026-03-26T12:00:00.000Z' - exportedCount: 2 - version: '1' - description: JSON containing exported workflow YAML entries and manifest metadata - summary: Export workflows - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/workflows/export" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"] - }' - - lang: Console - source: | - POST kbn://api/workflows/export - { - "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", 
"workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"] - } - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/workflows/mget: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/workflows/mget
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve multiple workflows by their IDs in a single request. Optionally use the `source` parameter to return only specific fields from each workflow document.

[Required authorization] Route required privileges: workflowsManagement:read. - operationId: post-workflows-mget - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - mgetWorkflowsRequestExample: - description: Example request to retrieve multiple workflows by their IDs - value: - ids: - - workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - - workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 - source: - - name - - enabled - schema: - additionalProperties: false - type: object - properties: - ids: - description: Array of workflow IDs to look up. - items: - description: Workflow ID. - maxLength: 255 - type: string - maxItems: 500 - minItems: 1 - type: array - source: - description: Array of source fields to include. - items: - description: Source field. - maxLength: 255 - type: string - maxItems: 10 - minItems: 1 - type: array - required: - - ids - responses: - '200': - content: - application/json: - examples: - mgetWorkflowsResponseExample: - description: Example response returning the requested workflows with projected fields - value: - - enabled: true - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - name: Example definition - - enabled: false - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 - name: Second workflow - description: Indicates a successful response - summary: Get workflows by IDs - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/workflows/mget" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"], - "source": ["name", "enabled"] - }' - - lang: Console - source: | - POST kbn://api/workflows/mget - { - "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", 
"workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"], - "source": ["name", "enabled"] - } - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/workflows/schema: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/workflows/schema
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve the JSON schema used to validate workflow YAML definitions. The schema includes available step types based on the configured connectors in the current space.

[Required authorization] Route required privileges: workflowsManagement:read. - operationId: get-workflows-schema - parameters: - - description: When true, returns a permissive schema that allows additional properties. When false, returns a strict schema for full validation. - in: query - name: loose - required: true - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - getSchemaResponseExample: - description: Example response returning the workflow JSON schema (truncated) - value: - $schema: http://json-schema.org/draft-07/schema# - type: object - properties: - description: - type: string - enabled: - default: true - type: boolean - name: - minLength: 1 - type: string - tags: - items: - type: string - type: array - version: - const: '1' - default: '1' - description: The version of the workflow schema - type: string - required: - - name - - triggers - - steps - description: Indicates a successful response - summary: Get workflow JSON schema - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/workflows/schema?loose=false" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/workflows/schema?loose=false - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/workflows/stats: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/workflows/stats
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve summary statistics about workflows, including total, enabled, and disabled counts; execution history metrics for the last 30 days are included only when the caller has execution read privilege.

[Required authorization] Route required privileges: workflowsManagement:read OR workflowsManagement:readExecution. - operationId: get-workflows-stats - parameters: [] - responses: - '200': - content: - application/json: - examples: - getStatsResponseExample: - description: Example response with workflow counts and 30-day execution history - value: - executions: - - cancelled: 1 - completed: 45 - date: '2025-11-20' - failed: 2 - timestamp: '2025-11-20T00:00:00.000Z' - - cancelled: 0 - completed: 50 - date: '2025-11-21' - failed: 0 - timestamp: '2025-11-21T00:00:00.000Z' - workflows: - disabled: 3 - enabled: 12 - description: Indicates a successful response - summary: Get workflow statistics - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/workflows/stats" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/workflows/stats - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/workflows/step/test: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/workflows/step/test
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Execute a single step from a workflow definition in test mode.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read. - operationId: post-workflows-step-test - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - testStepRequestExample: - description: Example request to test a single workflow step - value: - contextOverride: - inputs: - message: override message - stepId: hello_world_step - workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - workflowYaml: | - name: Example definition - enabled: true - description: This is a workflow example - triggers: - - type: manual - inputs: - - name: message - type: string - default: "hello world" - steps: - - name: hello_world_step - type: console - with: - message: "{{ inputs.message }}" - schema: - additionalProperties: false - type: object - properties: - contextOverride: - additionalProperties: - nullable: true - description: Context overrides for the step execution. - type: object - executionContext: - additionalProperties: - nullable: true - description: Execution context for the step execution. - type: object - stepId: - description: ID of the step to test. - type: string - workflowId: - description: ID of the workflow containing the step. - type: string - workflowYaml: - description: YAML definition of the workflow containing the step. 
- type: string - required: - - stepId - - contextOverride - - workflowYaml - responses: - '200': - content: - application/json: - examples: - testStepResponseExample: - description: Example response returning the step test execution ID - value: - workflowExecutionId: step-test-exec-a1b2c3d4 - description: Indicates a successful response - summary: Test a workflow step - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/workflows/step/test" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "stepId": "hello_world_step", - "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", - "workflowYaml": "name: Example definition\nenabled: true\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"", - "contextOverride": { "inputs": { "message": "override message" } } - }' - - lang: Console - source: | - POST kbn://api/workflows/step/test - { - "stepId": "hello_world_step", - "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", - "workflowYaml": "name: Example definition\nenabled: true\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"", - "contextOverride": { "inputs": { "message": "override message" } } - } - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/workflows/test: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/workflows/test
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Execute a workflow in test mode without requiring it to be saved or enabled. Provide either a workflow ID to test a saved workflow, a YAML definition to test an unsaved draft, or both to test a modified version of an existing workflow.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read. - operationId: post-workflows-test - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - testWorkflowByIdRequestExample: - description: Example request to test a saved workflow by its ID - value: - inputs: - message: test message - workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - testWorkflowByYamlRequestExample: - description: Example request to test an unsaved workflow YAML draft - value: - inputs: - message: test message - workflowYaml: | - name: Example definition - enabled: true - description: This is a workflow example - triggers: - - type: manual - inputs: - - name: message - type: string - default: "hello world" - steps: - - name: hello_world_step - type: console - with: - message: "{{ inputs.message }}" - schema: - additionalProperties: false - type: object - properties: - inputs: - additionalProperties: - nullable: true - description: Key-value inputs for the test execution. - type: object - workflowId: - description: ID of an existing workflow to test. - type: string - workflowYaml: - description: YAML definition to test. 
- type: string - required: - - inputs - responses: - '200': - content: - application/json: - examples: - testWorkflowResponseExample: - description: Example response returning the test execution ID - value: - workflowExecutionId: test-exec-a1b2c3d4-e5f6 - description: Indicates a successful response - summary: Test a workflow - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/workflows/test" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", - "inputs": { "message": "test message" } - }' - - lang: Console - source: | - POST kbn://api/workflows/test - { - "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", - "inputs": { "message": "test message" } - } - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/workflows/workflow: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/workflows/workflow
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new workflow from a YAML definition. The YAML is validated and parsed before the workflow is saved. An optional custom ID can be provided.

[Required authorization] Route required privileges: workflowsManagement:create. - operationId: post-workflows-workflow - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - createWorkflowRequestExample: - description: Example request for creating a workflow from a YAML definition - value: - yaml: | - name: Example definition - enabled: true - description: This is a workflow example - triggers: - - type: manual - inputs: - - name: message - type: string - default: "hello world" - steps: - - name: hello_world_step - type: console - with: - message: "{{ inputs.message }}" - createWorkflowWithIdRequestExample: - description: Example request for creating a workflow with a custom ID - value: - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - yaml: | - name: Example definition - enabled: true - description: This is a workflow example - triggers: - - type: manual - inputs: - - name: message - type: string - default: "hello world" - steps: - - name: hello_world_step - type: console - with: - message: "{{ inputs.message }}" - schema: - additionalProperties: false - type: object - properties: - id: - maxLength: 255 - minLength: 3 - pattern: ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ - type: string - yaml: - maxLength: 1048576 - type: string - required: - - yaml - responses: - '200': - content: - application/json: - examples: - createWorkflowResponseExample: - description: Example response returning the created workflow - value: - createdAt: '2025-11-20T10:30:00.000Z' - createdBy: elastic - definition: - description: This is a workflow example - enabled: true - inputs: - - default: hello world - name: message - type: string - name: Example definition - steps: - - name: hello_world_step - type: console - with: - message: '{{ inputs.message }}' - triggers: - - type: manual - description: This is a workflow 
example - enabled: true - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - lastUpdatedAt: '2025-11-20T10:30:00.000Z' - lastUpdatedBy: elastic - name: Example definition - valid: true - yaml: | - name: Example definition - enabled: true - description: This is a workflow example - triggers: - - type: manual - inputs: - - name: message - type: string - default: "hello world" - steps: - - name: hello_world_step - type: console - with: - message: "{{ inputs.message }}" - description: Indicates a successful response - summary: Create a workflow - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/workflows/workflow" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" - }' - - lang: Console - source: | - POST kbn://api/workflows/workflow - { - "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" - } - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/workflows/workflow/{id}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/workflows/workflow/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a single workflow by its ID.

[Required authorization] Route required privileges: workflowsManagement:delete. - operationId: delete-workflows-workflow-id - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Workflow ID - in: path - name: id - required: true - schema: - type: string - - description: When true, permanently deletes the workflow (hard delete) instead of soft-deleting it. The workflow ID becomes available for reuse. - in: query - name: force - required: false - schema: - default: false - type: boolean - responses: - '200': - description: Indicates a successful response - summary: Delete a workflow - tags: - - workflows - x-codeSamples: - - label: Soft delete (default) - lang: curl - source: | - curl \ - -X DELETE "${KIBANA_URL}/api/workflows/workflow/{id}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - label: Hard delete (permanent) - lang: curl - source: | - curl \ - -X DELETE "${KIBANA_URL}/api/workflows/workflow/{id}?force=true" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - lang: Console - source: | - DELETE kbn://api/workflows/workflow/{id} - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/workflows/workflow/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve a single workflow by its ID.

[Required authorization] Route required privileges: workflowsManagement:read. - operationId: get-workflows-workflow-id - parameters: - - description: Workflow ID - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getWorkflowResponseExample: - description: Example response returning a single workflow - value: - createdAt: '2025-11-20T10:30:00.000Z' - createdBy: elastic - definition: - description: This is a workflow example - enabled: true - inputs: - - default: hello world - name: message - type: string - name: Example definition - steps: - - name: hello_world_step - type: console - with: - message: '{{ inputs.message }}' - triggers: - - type: manual - description: This is a workflow example - enabled: true - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - lastUpdatedAt: '2025-11-21T14:00:00.000Z' - lastUpdatedBy: elastic - name: Example definition - valid: true - yaml: | - name: Example definition - enabled: true - description: This is a workflow example - triggers: - - type: manual - inputs: - - name: message - type: string - default: "hello world" - steps: - - name: hello_world_step - type: console - with: - message: "{{ inputs.message }}" - description: Indicates a successful response - summary: Get a workflow - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/workflows/workflow/{id}" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/workflows/workflow/{id} - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/workflows/workflow/{id}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Partially update an existing workflow. You can update individual fields such as name, description, enabled state, tags, or the YAML definition without providing all fields.

[Required authorization] Route required privileges: workflowsManagement:update. - operationId: put-workflows-workflow-id - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Workflow ID - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - updateWorkflowEnableExample: - description: Example request to enable a workflow and update its tags - value: - enabled: true - tags: - - production - updateWorkflowFullExample: - description: Example request to update multiple workflow fields - value: - description: Updated workflow description - enabled: true - name: Updated example - tags: - - example - - updated - yaml: | - name: Updated example - enabled: true - description: Updated workflow description - triggers: - - type: manual - inputs: - - name: message - type: string - default: "hello world" - steps: - - name: hello_world_step - type: console - with: - message: "{{ inputs.message }}" - schema: - additionalProperties: false - type: object - properties: - description: - type: string - enabled: - type: boolean - name: - type: string - tags: - items: - type: string - type: array - yaml: - type: string - responses: - '200': - content: - application/json: - examples: - updateWorkflowResponseExample: - description: Example response returning the updated workflow - value: - enabled: false - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - lastUpdatedAt: '2026-03-23T13:38:59.568Z' - lastUpdatedBy: elastic - valid: true - validationErrors: [] - description: Indicates a successful response - summary: Update a workflow - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X PUT "${KIBANA_URL}/api/workflows/workflow/{id}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "enabled": 
true, - "tags": ["production"] - }' - - lang: Console - source: | - PUT kbn://api/workflows/workflow/{id} - { - "enabled": true, - "tags": ["production"] - } - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/workflows/workflow/{id}/clone: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/workflows/workflow/{id}/clone
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a copy of an existing workflow.

[Required authorization] Route required privileges: workflowsManagement:create AND workflowsManagement:read. - operationId: post-workflows-workflow-id-clone - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Workflow ID - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - cloneWorkflowResponseExample: - description: Example response returning the cloned workflow with a new ID - value: - createdAt: '2025-11-22T11:00:00.000Z' - createdBy: elastic - definition: - description: This is a workflow example - enabled: false - inputs: - - default: hello world - name: message - type: string - name: Example definition (copy) - steps: - - name: hello_world_step - type: console - with: - message: '{{ inputs.message }}' - triggers: - - type: manual - description: This is a workflow example - enabled: false - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 - lastUpdatedAt: '2025-11-22T11:00:00.000Z' - lastUpdatedBy: elastic - name: Example definition (copy) - valid: true - yaml: | - name: Example definition (copy) - enabled: false - description: This is a workflow example - triggers: - - type: manual - inputs: - - name: message - type: string - default: "hello world" - steps: - - name: hello_world_step - type: console - with: - message: "{{ inputs.message }}" - description: Indicates a successful response - summary: Clone a workflow - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/workflows/workflow/{id}/clone" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - lang: Console - source: | - POST kbn://api/workflows/workflow/{id}/clone - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/workflows/workflow/{id}/run: - post: - description: |- 
- **Spaces method and path for this operation:** - -
post /s/{space_id}/api/workflows/workflow/{id}/run
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Execute a workflow by its ID with the provided inputs. The workflow must be enabled and have a valid definition. Returns an execution ID that can be used to monitor progress.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read. - operationId: post-workflows-workflow-id-run - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Workflow ID - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - runWorkflowRequestExample: - description: Example request to execute a workflow with inputs - value: - inputs: - message: hello from the API - schema: - additionalProperties: false - type: object - properties: - inputs: - additionalProperties: - nullable: true - description: Key-value inputs for the workflow execution. - type: object - metadata: - additionalProperties: - nullable: true - description: Optional metadata for the execution. - type: object - required: - - inputs - responses: - '200': - content: - application/json: - examples: - runWorkflowResponseExample: - description: Example response returning the execution ID - value: - workflowExecutionId: exec-a1b2c3d4-e5f6-7890 - description: Indicates a successful response - summary: Run a workflow - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/workflows/workflow/{id}/run" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{ - "inputs": { - "message": "hello from the API" - } - }' - - lang: Console - source: | - POST kbn://api/workflows/workflow/{id}/run - { - "inputs": { - "message": "hello from the API" - } - } - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/workflows/workflow/{workflowId}/executions: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/workflows/workflow/{workflowId}/executions
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve a paginated list of executions for a specific workflow.

[Required authorization] Route required privileges: workflowsManagement:readExecution. - operationId: get-workflows-workflow-workflowid-executions - parameters: - - description: Workflow ID - in: path - name: workflowId - required: true - schema: - type: string - - description: Filter by execution status. - in: query - name: statuses - required: false - schema: - items: - enum: - - pending - - waiting - - waiting_for_input - - running - - completed - - failed - - cancelled - - timed_out - - skipped - type: string - maxItems: 9 - type: array - - description: Filter by execution type. - in: query - name: executionTypes - required: false - schema: - items: - enum: - - test - - production - type: string - maxItems: 2 - type: array - - description: Filter by the user who triggered the execution. - in: query - name: executedBy - required: false - schema: - items: - type: string - maxItems: 100 - type: array - - description: Whether to exclude step-level execution data. - in: query - name: omitStepRuns - required: false - schema: - type: boolean - - description: Page number. - in: query - name: page - required: false - schema: - minimum: 1 - type: number - - description: Number of results per page. 
- in: query - name: size - required: false - schema: - maximum: 100 - minimum: 1 - type: number - responses: - '200': - content: - application/json: - examples: - getWorkflowExecutionsResponseExample: - description: Example response returning a paginated list of executions for a workflow - value: - page: 1 - results: - - duration: 3000 - error: null - executedBy: elastic - finishedAt: '2025-11-20T12:00:03.000Z' - id: exec-001 - isTestRun: false - spaceId: default - startedAt: '2025-11-20T12:00:00.000Z' - status: completed - triggeredBy: manual - workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - - duration: 2000 - error: - message: Step 'hello_world_step' failed - executedBy: elastic - finishedAt: '2025-11-20T13:00:02.000Z' - id: exec-002 - isTestRun: false - spaceId: default - startedAt: '2025-11-20T13:00:00.000Z' - status: failed - triggeredBy: manual - workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - size: 20 - total: 2 - description: Indicates a successful response - summary: Get workflow executions - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions?page=1&size=20" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/workflows/workflow/{workflowId}/executions?page=1&size=20 - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/workflows/workflow/{workflowId}/executions/cancel: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/workflows/workflow/{workflowId}/executions/cancel
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Request cancellation for all non-terminal executions of the given workflow in the current space.

[Required authorization] Route required privileges: workflowsManagement:cancelExecution. - operationId: post-workflows-workflow-workflowid-executions-cancel - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Workflow ID - in: path - name: workflowId - required: true - schema: - type: string - responses: - '200': - description: Indicates a successful response - summary: Cancel all active workflow executions - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions/cancel" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - lang: Console - source: | - POST kbn://api/workflows/workflow/{workflowId}/executions/cancel - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/workflows/workflow/{workflowId}/executions/steps: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/workflows/workflow/{workflowId}/executions/steps
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Retrieve a paginated list of step-level execution records for a specific workflow. Optionally filter by step ID and include input or output data.

[Required authorization] Route required privileges: workflowsManagement:readExecution. - operationId: get-workflows-workflow-workflowid-executions-steps - parameters: - - description: Workflow ID - in: path - name: workflowId - required: true - schema: - type: string - - description: Filter by step ID. - in: query - name: stepId - required: false - schema: - type: string - - description: Include step input data. - in: query - name: includeInput - required: false - schema: - type: boolean - - description: Include step output data. - in: query - name: includeOutput - required: false - schema: - type: boolean - - description: Page number for pagination. - in: query - name: page - required: false - schema: - minimum: 1 - type: number - - description: Number of results per page. - in: query - name: size - required: false - schema: - maximum: 100 - minimum: 1 - type: number - responses: - '200': - content: - application/json: - examples: - getWorkflowStepExecutionsResponseExample: - description: Example response returning step execution records for a workflow - value: - results: - - executionTimeMs: 1000 - finishedAt: '2025-11-20T12:00:02.000Z' - globalExecutionIndex: 0 - id: step-exec-001 - input: - message: hello world - isTestRun: false - scopeStack: [] - spaceId: default - startedAt: '2025-11-20T12:00:01.000Z' - status: completed - stepExecutionIndex: 0 - stepId: hello_world_step - stepType: console - topologicalIndex: 0 - workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - workflowRunId: exec-001 - total: 1 - description: Indicates a successful response - summary: Get workflow step executions - tags: - - workflows - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions/steps?includeInput=true" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/workflows/workflow/{workflowId}/executions/steps?includeInput=true - x-state: Generally available; added in 9.4.0 
- x-metaTags: - - content: Kibana - name: product_name - /s/{spaceId}/api/observability/slos: - get: - description: | - You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. - operationId: findSlosOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - description: A valid kql query to filter the SLO with - example: 'slo.name:latency* and slo.tags : "prod"' - in: query - name: kqlQuery - schema: - type: string - - description: The page size to use for cursor-based pagination, must be greater or equal than 1 - example: 1 - in: query - name: size - schema: - default: 1 - type: integer - - description: The cursor to use for fetching the results from, when using a cursor-base pagination. - in: query - name: searchAfter - schema: - items: - type: string - type: array - - description: The page to use for pagination, must be greater or equal than 1 - example: 1 - in: query - name: page - schema: - default: 1 - type: integer - - description: Number of SLOs returned by page - example: 25 - in: query - name: perPage - schema: - default: 25 - maximum: 5000 - type: integer - - description: Sort by field - example: status - in: query - name: sortBy - schema: - default: status - enum: - - sli_value - - status - - error_budget_consumed - - error_budget_remaining - type: string - - description: Sort order - example: asc - in: query - name: sortDirection - schema: - default: asc - enum: - - asc - - desc - type: string - - description: Hide stale SLOs from the list as defined by stale SLO threshold in SLO settings - in: query - name: hideStale - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - findSloResponse: - summary: A paginated list of SLOs - value: - page: 1 - perPage: 25 - results: - - budgetingMethod: occurrences - createdAt: '2025-01-12T10:03:19.000Z' - description: Availability of my web service 
- enabled: true - groupBy: '*' - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - indicator: - params: - filter: 'field.environment : "production" and service.name : "my-service"' - good: 'request.status_code : "2xx"' - index: logs-* - timestampField: '@timestamp' - total: 'request.status_code : *' - type: sli.kql.custom - instanceId: '*' - name: My Service Availability - objective: - target: 0.99 - revision: 1 - settings: - frequency: 5m - syncDelay: 5m - summary: - errorBudget: - consumed: 0.17 - initial: 0.01 - isEstimated: false - remaining: 0.83 - sliValue: 0.9983 - status: HEALTHY - tags: - - production - - web-service - timeWindow: - duration: 30d - type: rolling - updatedAt: '2025-01-12T10:03:19.000Z' - version: 2 - total: 42 - schema: - $ref: '#/components/schemas/SLOs_find_slo_response' - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''invalid'' supplied to: sortBy' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: 'security_exception: action [slo_read] is unauthorized for user' - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - schema: - 
$ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Get a paginated list of SLOs - tags: - - slo - x-metaTags: - - content: Kibana - name: product_name - post: - description: | - You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. - operationId: createSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - requestBody: - content: - application/json: - examples: - createSloKqlExample: - summary: Create an SLO with a KQL indicator - value: - budgetingMethod: occurrences - description: Availability of my web service measured by successful HTTP responses - indicator: - params: - filter: 'field.environment : "production" and service.name : "my-service"' - good: 'request.status_code : "2xx"' - index: logs-* - timestampField: '@timestamp' - total: 'request.status_code : *' - type: sli.kql.custom - name: My Service Availability - objective: - target: 0.99 - settings: - frequency: 5m - syncDelay: 5m - tags: - - production - - web-service - timeWindow: - duration: 30d - type: rolling - schema: - $ref: '#/components/schemas/SLOs_create_slo_request' - required: true - responses: - '200': - content: - application/json: - examples: - createSloResponse: - summary: Create SLO response - value: - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - schema: - $ref: '#/components/schemas/SLOs_create_slo_response' - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: indicator/type' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: 'security_exception: unable to authenticate user 
for REST request [/api/observability/slos]' - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: 'security_exception: action [slo_write] is unauthorized for user' - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '409': - content: - application/json: - examples: - conflictExample: - summary: Conflict - value: - error: Conflict - message: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists - statusCode: 409 - schema: - $ref: '#/components/schemas/SLOs_409_response' - description: Conflict - The SLO id already exists - summary: Create an SLO - tags: - - slo - x-metaTags: - - content: Kibana - name: product_name - /s/{spaceId}/api/observability/slos/_bulk_delete: - post: - description: | - Bulk delete SLO definitions and their associated summary and rollup data. This endpoint initiates a bulk deletion operation for SLOs, which may take some time to complete. The status of the operation can be checked using the `GET /api/slo/_bulk_delete/{taskId}` endpoint. 
- operationId: bulkDeleteOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - requestBody: - content: - application/json: - examples: - bulkDeleteRequest: - summary: Bulk delete two SLOs - value: - list: - - 8853df00-ae2e-11ed-90af-09bb6422b258 - - d077e940-1515-11ee-9c50-9d096392f520 - schema: - $ref: '#/components/schemas/SLOs_bulk_delete_request' - required: true - responses: - '200': - content: - application/json: - examples: - bulkDeleteResponse: - summary: Bulk delete response with task ID - value: - taskId: d08506b7-f0e8-4f8b-a06a-a83940f4db91 - schema: - $ref: '#/components/schemas/SLOs_bulk_delete_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: list' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: 'security_exception: action [slo_write] is unauthorized for user' - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - summary: Bulk delete SLO definitions and their associated summary and rollup data. - tags: - - slo - x-metaTags: - - content: Kibana - name: product_name - /s/{spaceId}/api/observability/slos/_bulk_delete/{taskId}: - get: - description: | - Retrieve the status of the bulk deletion operation for SLOs. 
This endpoint returns the status of the bulk deletion operation, including whether it is completed and the results of the operation. - operationId: bulkDeleteStatusOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - description: The task id of the bulk delete operation - in: path - name: taskId - required: true - schema: - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - responses: - '200': - content: - application/json: - examples: - bulkDeleteStatusComplete: - summary: Completed bulk deletion - value: - isDone: true - results: - - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - success: true - - id: d077e940-1515-11ee-9c50-9d096392f520 - success: true - bulkDeleteStatusPartialFailure: - summary: Completed with partial failure - value: - isDone: true - results: - - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - success: true - - error: SLO [d077e940-1515-11ee-9c50-9d096392f520] not found - id: d077e940-1515-11ee-9c50-9d096392f520 - success: false - schema: - $ref: '#/components/schemas/SLOs_bulk_delete_status_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: taskId' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: 'security_exception: action [slo_write] is unauthorized for user' - statusCode: 403 - 
schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - summary: Retrieve the status of the bulk deletion - tags: - - slo - x-metaTags: - - content: Kibana - name: product_name - /s/{spaceId}/api/observability/slos/_bulk_purge_rollup: - post: - description: | - The deletion occurs for the specified list of `sloId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. - operationId: deleteRollupDataOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - requestBody: - content: - application/json: - examples: - purgeByAgeExample: - summary: Purge rollup data older than 7 days - value: - list: - - 8853df00-ae2e-11ed-90af-09bb6422b258 - purgePolicy: - age: 7d - purgeType: fixed-age - purgeByTimestampExample: - summary: Purge rollup data before a specific date - value: - list: - - 8853df00-ae2e-11ed-90af-09bb6422b258 - - d077e940-1515-11ee-9c50-9d096392f520 - purgePolicy: - purgeType: fixed-time - timestamp: '2024-12-31T00:00:00.000Z' - schema: - $ref: '#/components/schemas/SLOs_bulk_purge_rollup_request' - required: true - responses: - '200': - content: - application/json: - examples: - bulkPurgeResponse: - summary: Bulk purge response with task ID - value: - taskId: 8853df00-ae2e-11ed-90af-09bb6422b258 - schema: - $ref: '#/components/schemas/SLOs_bulk_purge_rollup_response' - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: purgePolicy/purgeType' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: 'security_exception: unable to authenticate user for REST 
request [/api/observability/slos]' - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: 'security_exception: action [slo_write] is unauthorized for user' - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - summary: Batch delete rollup and summary data - tags: - - slo - x-metaTags: - - content: Kibana - name: product_name - /s/{spaceId}/api/observability/slos/_delete_instances: - post: - description: | - The deletion occurs for the specified list of `sloId` and `instanceId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. - operationId: deleteSloInstancesOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - requestBody: - content: - application/json: - examples: - deleteInstancesExample: - summary: Delete specific SLO instances - value: - list: - - instanceId: host-abc123 - sloId: 8853df00-ae2e-11ed-90af-09bb6422b258 - - instanceId: host-def456 - sloId: 8853df00-ae2e-11ed-90af-09bb6422b258 - schema: - $ref: '#/components/schemas/SLOs_delete_slo_instances_request' - required: true - responses: - '204': - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: list/0/sloId' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' - statusCode: 401 - schema: - 
$ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: 'security_exception: action [slo_write] is unauthorized for user' - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - summary: Batch delete rollup and summary data - tags: - - slo - x-metaTags: - - content: Kibana - name: product_name - /s/{spaceId}/api/observability/slos/{sloId}: - delete: - description: | - You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. - operationId: deleteSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - responses: - '204': - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: id' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: 'security_exception: action [slo_write] is unauthorized for user' - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - 
value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Delete an SLO - tags: - - slo - x-metaTags: - - content: Kibana - name: product_name - get: - description: | - You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. - operationId: getSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - - description: the specific instanceId used by the summary calculation - example: host-abcde - in: query - name: instanceId - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getSloResponse: - summary: Get SLO response - value: - budgetingMethod: occurrences - createdAt: '2025-01-12T10:03:19.000Z' - description: Availability of my web service - enabled: true - groupBy: '*' - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - indicator: - params: - filter: 'field.environment : "production" and service.name : "my-service"' - good: 'request.status_code : "2xx"' - index: logs-* - timestampField: '@timestamp' - total: 'request.status_code : *' - type: sli.kql.custom - instanceId: '*' - name: My Service Availability - objective: - target: 0.99 - revision: 1 - settings: - frequency: 5m - syncDelay: 5m - summary: - errorBudget: - consumed: 0.17 - initial: 0.01 - isEstimated: false - remaining: 0.83 - sliValue: 0.9983 - status: HEALTHY - tags: - - production - - web-service - timeWindow: - duration: 30d - type: rolling - updatedAt: '2025-01-12T10:03:19.000Z' - version: 2 - schema: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 
'Invalid value ''foo'' supplied to: id' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: 'security_exception: action [slo_read] is unauthorized for user' - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Get an SLO - tags: - - slo - x-metaTags: - - content: Kibana - name: product_name - put: - description: | - You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. 
- operationId: updateSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - requestBody: - content: - application/json: - examples: - updateSloNameExample: - summary: Update the SLO name and tags - value: - name: Updated Service Availability - tags: - - production - - updated - updateSloObjectiveExample: - summary: Update the SLO objective - value: - objective: - target: 0.995 - schema: - $ref: '#/components/schemas/SLOs_update_slo_request' - required: true - responses: - '200': - content: - application/json: - examples: - updateSloResponse: - summary: Update SLO response - value: - budgetingMethod: occurrences - createdAt: '2025-01-12T10:03:19.000Z' - description: Availability of my web service - enabled: true - groupBy: '*' - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - indicator: - params: - filter: 'field.environment : "production" and service.name : "my-service"' - good: 'request.status_code : "2xx"' - index: logs-* - timestampField: '@timestamp' - total: 'request.status_code : *' - type: sli.kql.custom - name: Updated Service Availability - objective: - target: 0.99 - revision: 2 - settings: - frequency: 5m - syncDelay: 5m - tags: - - production - - updated - timeWindow: - duration: 30d - type: rolling - updatedAt: '2025-03-26T14:30:00.000Z' - version: 2 - schema: - $ref: '#/components/schemas/SLOs_slo_definition_response' - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: indicator/type' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: 'security_exception: unable to authenticate user for REST request 
[/api/observability/slos]' - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: 'security_exception: action [slo_write] is unauthorized for user' - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Update an SLO - tags: - - slo - x-metaTags: - - content: Kibana - name: product_name - /s/{spaceId}/api/observability/slos/{sloId}/_reset: - post: - description: | - You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. 
- operationId: resetSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - responses: - '200': - content: - application/json: - examples: - resetSloResponse: - summary: Reset SLO response - value: - budgetingMethod: occurrences - createdAt: '2025-01-12T10:03:19.000Z' - description: Availability of my web service - enabled: true - groupBy: '*' - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - indicator: - params: - filter: 'field.environment : "production" and service.name : "my-service"' - good: 'request.status_code : "2xx"' - index: logs-* - timestampField: '@timestamp' - total: 'request.status_code : *' - type: sli.kql.custom - name: My Service Availability - objective: - target: 0.99 - revision: 2 - settings: - frequency: 5m - syncDelay: 5m - tags: - - production - - web-service - timeWindow: - duration: 30d - type: rolling - updatedAt: '2025-03-26T14:30:00.000Z' - version: 2 - schema: - $ref: '#/components/schemas/SLOs_slo_definition_response' - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: id' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: 'security_exception: action [slo_write] is unauthorized for user' - statusCode: 403 - schema: - $ref: 
'#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Reset an SLO - tags: - - slo - x-metaTags: - - content: Kibana - name: product_name - /s/{spaceId}/api/observability/slos/{sloId}/disable: - post: - description: | - You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. - operationId: disableSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - responses: - '204': - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: id' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: 'security_exception: action [slo_write] is unauthorized for user' - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO 
[3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Disable an SLO - tags: - - slo - x-metaTags: - - content: Kibana - name: product_name - /s/{spaceId}/api/observability/slos/{sloId}/enable: - post: - description: | - You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. - operationId: enableSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - responses: - '204': - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: id' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: 'security_exception: action [slo_write] is unauthorized for user' - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Enable an SLO - tags: - - slo - x-metaTags: 
- - content: Kibana - name: product_name - /s/{spaceId}/internal/observability/slos/_definitions: - get: - description: | - You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. - operationId: getDefinitionsOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - description: Indicates if the API returns only outdated SLO or all SLO definitions - in: query - name: includeOutdatedOnly - schema: - type: boolean - - description: Indicates if the API returns SLO health data with definitions - example: true - in: query - name: includeHealth - schema: - type: boolean - - description: Filters the SLOs by tag - in: query - name: tags - schema: - type: string - - description: Filters the SLOs by name - example: my service availability - in: query - name: search - schema: - type: string - - description: The page to use for pagination, must be greater or equal than 1 - example: 1 - in: query - name: page - schema: - type: number - - description: Number of SLOs returned by page - example: 100 - in: query - name: perPage - schema: - default: 100 - maximum: 1000 - type: integer - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/SLOs_find_slo_definitions_response' - description: Successful request - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - summary: Get the SLO definitions - tags: - - slo - x-metaTags: - - content: Kibana - name: product_name -components: - examples: - Alerting_401_health_response: - summary: Unauthorized response for the get alerting 
health API. - value: - error: Unauthorized - message: '[security_exception] missing authentication credentials for REST request' - statusCode: 401 - Alerting_401_rule_types_response: - summary: Unauthorized response for the get rule types API. - value: - error: Unauthorized - message: '[security_exception] missing authentication credentials for REST request' - statusCode: 401 - Alerting_get_health_response: - summary: Retrieve information about the health of the alerting framework. - value: - alerting_framework_health: - decryption_health: - status: ok - timestamp: '2023-01-13T01:28:00.280Z' - execution_health: - status: ok - timestamp: '2023-01-13T01:28:00.280Z' - read_health: - status: ok - timestamp: '2023-01-13T01:28:00.280Z' - has_permanent_encryption_key: true - is_sufficiently_secure: true - Alerting_get_rule_types_response: - summary: Retrieve rule types associated with Kibana machine learning features - value: - - action_groups: - - id: anomaly_score_match - name: Anomaly score matched the condition - - id: recovered - name: Recovered - action_variables: - context: - - description: The bucket timestamp of the anomaly - name: timestamp - - description: The bucket time of the anomaly in ISO8601 format - name: timestampIso8601 - - description: List of job IDs that triggered the alert - name: jobIds - - description: Alert info message - name: message - - description: Indicate if top hits contain interim results - name: isInterim - - description: Anomaly score at the time of the notification action - name: score - - description: Top records - name: topRecords - - description: Top influencers - name: topInfluencers - - description: URL to open in the Anomaly Explorer - name: anomalyExplorerUrl - useWithTripleBracesInTemplates: true - params: [] - state: [] - alerts: - context: ml.anomaly-detection - mappings: - fieldMap: - kibana.alert.anomaly_score: - array: false - type: double - required: false - kibana.alert.anomaly_timestamp: - array: false - type: date - 
required: false - kibana.alert.is_interim: - array: false - type: boolean - required: false - kibana.alert.job_id: - array: false - type: keyword - required: true - kibana.alert.top_influencers: - array: true - dynamic: false - type: object - properties: - influencer_field_name: - type: keyword - influencer_field_value: - type: keyword - influencer_score: - type: double - initial_influencer_score: - type: double - is_interim: - type: boolean - job_id: - type: keyword - timestamp: - type: date - required: false - kibana.alert.top_records: - array: true - dynamic: false - type: object - properties: - actual: - type: double - by_field_name: - type: keyword - by_field_value: - type: keyword - detector_index: - type: integer - field_name: - type: keyword - function: - type: keyword - initial_record_score: - type: double - is_interim: - type: boolean - job_id: - type: keyword - over_field_name: - type: keyword - over_field_value: - type: keyword - partition_field_name: - type: keyword - partition_field_value: - type: keyword - record_score: - type: double - timestamp: - type: date - typical: - type: double - required: false - shouldWrite: true - authorized_consumers: - alerts: - all: true - read: true - apm: - all: true - read: true - discover: - all: true - read: true - infrastructure: - all: true - read: true - logs: - all: true - read: true - ml: - all: true - read: true - monitoring: - all: true - read: true - siem: - all: true - read: true - slo: - all: true - read: true - stackAlerts: - all: true - read: true - uptime: - all: true - read: true - category: management - default_action_group_id: anomaly_score_match - does_set_recovery_context: true - enabled_in_license: true - has_alerts_mappings: true - has_fields_for_a_a_d: true - id: xpack.ml.anomaly_detection_alert - is_exportable: true - minimum_license_required: platinum - name: Anomaly detection alert - producer: ml - recovery_action_group: - id: recovered - name: Recovered - rule_task_timeout: 5m - - 
action_groups: - - id: anomaly_detection_realtime_issue - name: Issue detected - - id: recovered - name: Recovered - action_variables: - context: - - description: Results of the rule execution - name: results - - description: Alert info message - name: message - params: [] - state: [] - authorized_consumers: - alerts: - all: true - read: true - apm: - all: true - read: true - discover: - all: true - read: true - infrastructure: - all: true - read: true - logs: - all: true - read: true - ml: - all: true - read: true - monitoring: - all: true - read: true - siem: - all: true - read: true - slo: - all: true - read: true - stackAlerts: - all: true - read: true - uptime: - all: true - read: true - category: management - default_action_group_id: anomaly_detection_realtime_issue - does_set_recovery_context: true - enabled_in_license: true - has_alerts_mappings: false - has_fields_for_a_a_d: false - id: xpack.ml.anomaly_detection_jobs_health - is_exportable: true - minimum_license_required: platinum - name: Anomaly detection jobs health - producer: ml - recovery_action_group: - id: recovered - name: Recovered - rule_task_timeout: 5m - APM_UI_agent_configuration_environments_200_response1: - description: An example of a successful response from `GET /api/apm/settings/agent-configuration/environments`. - value: - environments: - - alreadyConfigured: true - name: production - - alreadyConfigured: false - name: development - - alreadyConfigured: false - name: ALL_OPTION_VALUE - APM_UI_agent_configuration_intake_object_delete_200_response1: - description: An example of a successful response from `DELETE /api/apm/settings/agent-configuration`. - value: - result: deleted - APM_UI_agent_configuration_intake_object_delete_request1: - description: Run `DELETE /api/apm/settings/agent-configuration` to delete a configuration. 
- value: - service: - environment: production - name: frontend - APM_UI_agent_configuration_intake_object_get_200_response1: - description: An example of a successful response from `GET /api/apm/settings/agent-configuration`. - value: - - '@timestamp': 1581934104843 - agent_name: go - applied_by_agent: false - etag: 1e58c178efeebae15c25c539da740d21dee422fc - service: - environment: production - name: opbeans-go - settings: - capture_body: 'off' - transaction_max_spans: '200' - transaction_sample_rate: '1' - - '@timestamp': 1581934111727 - agent_name: go - applied_by_agent: false - etag: 3eed916d3db434d9fb7f039daa681c7a04539a64 - service: - name: opbeans-go - settings: - capture_body: 'off' - transaction_max_spans: '300' - transaction_sample_rate: '1' - - '@timestamp': 1582031336265 - agent_name: nodejs - applied_by_agent: false - etag: 5080ed25785b7b19f32713681e79f46996801a5b - service: - name: frontend - settings: - transaction_sample_rate: '1' - APM_UI_agent_configuration_intake_object_put_200_response1: - description: An example of a successful response from `PUT /api/apm/settings/agent-configuration`. The response body is intentionally empty. - value: {} - APM_UI_agent_configuration_intake_object_put_request1: - description: Run `PUT /api/apm/settings/agent-configuration` to create or update configuration details. - value: - agent_name: nodejs - service: - environment: production - name: frontend - settings: - capture_body: 'off' - transaction_max_spans: '500' - transaction_sample_rate: '0.4' - APM_UI_agent_configuration_intake_object_search_200_response1: - description: An example of a successful response from `POST /api/apm/settings/agent-configuration/search`. 
- value: - _id: CIaqXXABmQCdPphWj8EJ - _index: .apm-agent-configuration - _score: 2 - _source: - '@timestamp': 1582031336265 - agent_name: nodejs - applied_by_agent: false - etag: 5080ed25785b7b19f32713681e79f46996801a5b - service: - name: frontend - settings: - transaction_sample_rate: '1' - APM_UI_agent_configuration_intake_object_search_request1: - description: Run `POST /api/apm/settings/agent-configuration/search` to search configuration details. - value: - etag: 1e58c178efeebae15c25c539da740d21dee422fc - service: - environment: production - name: frontend - APM_UI_agent_configuration_intake_object_view_200_response1: - description: An example of a successful response from `GET /api/apm/settings/agent-configuration/view`. - value: - '@timestamp': 1582031336265 - agent_name: nodejs - applied_by_agent: true - etag: 5080ed25785b7b19f32713681e79f46996801a5b - id: CIaqXXABmQCdPphWj8EJ - service: - environment: production - name: frontend - settings: - capture_body: 'off' - transaction_max_spans: '500' - transaction_sample_rate: '0.4' - APM_UI_agent_keys_object_post_200_response1: - description: An example of a successful response from `POST /api/apm/agent_keys`, which creates an APM agent API key. - value: - agentKey: - api_key: PjGloCGOTzaZr8ilUPvkjA - encoded: M0RDTG1uMEIzWk1oTFVhN1dCRzk6UGpHbG9DR09UemFacjhpbFVQdmtqQQ== - id: 3DCLmn0B3ZMhLUa7WBG9 - name: apm-key - APM_UI_agent_keys_object_post_request1: - description: Run `POST /api/apm/agent_keys` to create an APM agent API key with the specified privileges. - value: - name: apm-key - privileges: - - event:write - - config_agent:read - APM_UI_annotation_object_post_200_response1: - description: An example of a successful response from `POST /api/apm/services/opbeans-java/annotation`, which creates an annotation for a service named `opbeans-java`. 
- value: - _id: Lc9I93EBh6DbmkeV7nFX - _index: observability-annotations - _primary_term: 1 - _seq_no: 12 - _source: - '@timestamp': '2020-05-08T10:31:30.452Z' - annotation: - type: deployment - event: - created: '2020-05-09T02:34:43.937Z' - message: Deployment 1.2 - service: - name: opbeans-java - version: '1.2' - tags: - - apm - - elastic.co - - customer - _version: 1 - found: true - APM_UI_annotation_object_post_request1: - description: Run `POST /api/apm/services/{serviceName}/annotation` to create a deployment annotation for a service. - value: - '@timestamp': '2024-01-15T12:00:00.000Z' - message: Deployment 1.2.0 - service: - environment: production - version: 1.2.0 - tags: - - apm - - deployment - APM_UI_fleet_apm_server_schema_200_response1: - description: An example of a successful response from `POST /api/apm/fleet/apm_server_schema`. The response body is intentionally empty. - value: {} - APM_UI_source_maps_delete_200_response1: - description: An example of a successful response from `DELETE /api/apm/sourcemaps/{id}`. The response body is intentionally empty. - value: {} - APM_UI_source_maps_get_200_response1: - description: A successful response from `GET /api/apm/sourcemaps`. 
- value: - artifacts: - - body: - bundleFilepath: /test/e2e/general-usecase/bundle.js - serviceName: foo - serviceVersion: 1.0.0 - sourceMap: - file: static/js/main.chunk.js - mappings: mapping - sourceRoot: '' - sources: - - fleet-source-map-client/src/index.css - - fleet-source-map-client/src/App.js - - webpack:///./src/index.css?bb0a - - fleet-source-map-client/src/index.js - - fleet-source-map-client/src/reportWebVitals.js - sourcesContent: - - content - version: 3 - compressionAlgorithm: zlib - created: '2021-07-09T20:47:44.812Z' - decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - decodedSize: 441 - encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 - encodedSize: 237 - encryptionAlgorithm: none - id: apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - identifier: foo-1.0.0 - packageName: apm - relative_url: /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - type: sourcemap - APM_UI_source_maps_upload_200_response1: - description: A successful response from `POST /api/apm/sourcemaps`. 
- value: - body: eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI - compressionAlgorithm: zlib - created: '2021-07-09T20:47:44.812Z' - decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - decodedSize: 441 - encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 - encodedSize: 237 - encryptionAlgorithm: none - id: apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - identifier: foo-1.0.0 - packageName: apm - relative_url: /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - type: sourcemap - Cases_add_comment_request: - summary: Adds a comment to a case. - value: - comment: A new comment. - owner: cases - type: user - Cases_add_comment_response: - summary: The add comment to case API returns a JSON object that contains details about the case and its comments. - value: - assignees: [] - category: null - closed_at: null - closed_by: null - comments: - - comment: A new comment. 
- created_at: '2022-10-02T00:49:47.716Z' - created_by: - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - username: elastic - id: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 - owner: cases - pushed_at: null - pushed_by: null - type: user - updated_at: null - updated_by: null - version: WzIwNDMxLDFd - connector: - fields: null - id: none - name: none - type: .none - created_at: '2022-03-24T00:37:03.906Z' - created_by: - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - username: elastic - customFields: - - key: d312efda-ec2b-42ec-9e2c-84981795c581 - type: text - value: Field value - - key: fcc6840d-eb14-42df-8aaf-232201a705ec - type: toggle - value: true - description: A case description. - duration: null - external_service: null - id: 293f1bc0-74f6-11ea-b83a-553aecdb28b6 - observables: [] - owner: cases - settings: - syncAlerts: false - severity: low - status: open - tags: - - tag 1 - title: Case title 1 - total_observables: 0 - totalAlerts: 0 - totalComment: 1 - totalEvents: 0 - updated_at: '2022-06-03T00:49:47.716Z' - updated_by: - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - username: elastic - version: WzIzMzgsMV0= - Cases_create_case_request: - summary: Create a security case that uses a Jira connector. - value: - connector: - fields: - issueType: '10006' - parent: null - priority: High - id: 131d4448-abe0-4789-939d-8ef60680b498 - name: My connector - type: .jira - customFields: - - key: d312efda-ec2b-42ec-9e2c-84981795c581 - type: text - value: My field value - description: A case description. - owner: cases - settings: - extractObservables: false - syncAlerts: true - tags: - - tag-1 - title: Case title 1 - Cases_create_case_response: - summary: The create case API returns a JSON object that contains details about the case. 
- value: - assignees: [] - closed_at: null - closed_by: null - comments: [] - connector: - fields: - issueType: '10006' - parent: null - priority: High - id: 131d4448-abe0-4789-939d-8ef60680b498 - name: My connector - type: .jira - created_at: '2022-10-13T15:33:50.604Z' - created_by: - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - username: elastic - customFields: - - key: d312efda-ec2b-42ec-9e2c-84981795c581 - type: text - value: My field value - - key: fcc6840d-eb14-42df-8aaf-232201a705ec - type: toggle - value: null - description: A case description. - duration: null - external_service: null - id: 66b9aa00-94fa-11ea-9f74-e7e108796192 - observables: [] - owner: cases - settings: - extractObservables: false - syncAlerts: true - severity: low - status: open - tags: - - tag 1 - title: Case title 1 - total_observables: 0 - totalAlerts: 0 - totalComment: 0 - totalEvents: 0 - updated_at: null - updated_by: null - version: WzUzMiwxXQ== - Cases_find_case_activity_response: - summary: Retrieves all activity for a case - value: - page: 1 - perPage: 20 - total: 3 - userActions: - - action: create - comment_id: null - created_at: '2023-10-20T01:17:22.150Z' - created_by: - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - username: elastic - id: b4cd0770-07c9-11ed-a5fd-47154cb8767e - owner: cases - payload: - assignees: [] - category: null - connector: - fields: null - id: none - name: none - type: .none - customFields: - - key: d312efda-ec2b-42ec-9e2c-84981795c581 - type: text - value: My field value - - key: fcc6840d-eb14-42df-8aaf-232201a705ec - type: toggle - value: null - description: A case description. 
- owner: cases - settings: - syncAlerts: false - severity: low - status: open - tags: - - tag 1 - title: Case title 1 - type: create_case - version: WzM1ODg4LDFd - - action: create - comment_id: 578608d0-03b1-11ed-920c-974bfa104448 - created_at: '2023-10-14T20:12:53.354Z' - created_by: - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - username: elastic - id: 57af14a0-03b1-11ed-920c-974bfa104448 - owner: cases - payload: - comment: - comment: A new comment - owner: cases - type: user - type: comment - version: WzM1ODg4LDFa - - action: add - comment_id: null - created_at: '2023-10-20T01:10:28.238Z' - created_by: - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - username: elastic - id: 573c6980-6123-11ed-aa41-81a0a61fe447 - owner: cases - payload: - assignees: - - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - type: assignees - version: WzM1ODg4LDFb - Cases_find_case_comments_response: - summary: Paginated list of user comments for a case - value: - comments: - - comment: A new comment - created_at: '2023-10-07T19:32:13.104Z' - created_by: - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - username: elastic - id: 8048b460-fe2b-11ec-b15d-779a7c8bbcc3 - owner: cases - pushed_at: null - pushed_by: null - type: user - updated_at: null - updated_by: null - version: WzIzLDFd - page: 1 - per_page: 20 - total: 1 - Cases_find_case_response: - summary: Retrieve the first five cases with the `tag-1` tag, in ascending order by last update time. 
- value: - cases: - - assignees: [] - category: null - closed_at: null - closed_by: null - comments: [] - connector: - fields: null - id: none - name: none - type: .none - created_at: '2023-10-12T00:16:36.371Z' - created_by: - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - username: elastic - customFields: - - key: d312efda-ec2b-42ec-9e2c-84981795c581 - type: text - value: My field value - - key: fcc6840d-eb14-42df-8aaf-232201a705ec - type: toggle - value: null - description: Case description - duration: null - external_service: null - id: abed3a70-71bd-11ea-a0b2-c51ea50a58e2 - incremental_id: 1 - observables: [] - owner: cases - settings: - extractObservables: false - syncAlerts: true - severity: low - status: open - tags: - - tag-1 - title: Case title - total_observables: 0 - totalAlerts: 0 - totalComment: 1 - totalEvents: 0 - updated_at: '2023-10-12T00:27:58.162Z' - updated_by: - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - username: elastic - version: WzExMCwxXQ== - count_closed_cases: 0 - count_in_progress_cases: 0 - count_open_cases: 1 - page: 1 - per_page: 5 - total: 1 - Cases_find_connector_response: - summary: Retrieve information about the connectors and their settings. - value: - - actionTypeId: .jira - config: - apiUrl: https://elastic.atlassian.net/ - projectKey: ES - id: 61787f53-4eee-4741-8df6-8fe84fa616f7 - isDeprecated: false - isMissingSecrets: false - isPreconfigured: false - name: my-Jira - referencedByCount: 0 - Cases_get_case_alerts_response: - summary: Retrieves all alerts attached to a case - value: - - attached_at: '2022-07-25T20:09:40.963Z' - id: f6a7d0c3-d52d-432c-b2e6-447cd7fce04d - index: .alerts-observability.logs.alerts-default - Cases_get_case_configuration_response: - summary: Get the case configuration. 
- value: - - closure_type: close-by-user - connector: - fields: null - id: none - name: none - type: .none - created_at: '2024-07-01T17:07:17.767Z' - created_by: - email: null - full_name: null - username: elastic - customFields: - - defaultValue: Custom text field value. - key: d312efda-ec2b-42ec-9e2c-84981795c581 - label: my-text-field - type: text - required: false - error: null - id: 856ee650-6c82-11ee-a20a-6164169afa58 - mappings: [] - observableTypes: [] - owner: cases - templates: - - caseFields: - assignees: - - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - category: Default-category - connector: - fields: null - id: none - name: none - type: .none - customFields: - - key: d312efda-ec2b-42ec-9e2c-84981795c581 - type: text - value: Default text field value. - description: A default description for cases. - settings: - syncAlerts: false - tags: - - Default case tag - title: Default case title - description: A description of the template. - key: 505932fe-ee3a-4960-a661-c781b5acdb05 - name: template-1 - tags: - - Template tag 1 - updated_at: null - updated_by: null - version: WzEyLDNd - Cases_get_case_observability_response: - summary: Get case response (Observability). Comments are not included; use the find case comments API. totalComment reflects the actual count. - value: - assignees: - - uid: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 - category: null - closed_at: null - closed_by: null - connector: - fields: null - id: none - name: none - type: .none - created_at: '2023-11-06T19:29:04.086Z' - created_by: - email: null - full_name: null - username: elastic - customFields: [] - description: An Observability case description. 
- duration: null - external_service: null - id: c3ff7550-def1-4e90-b6bc-c9969a4a09b1 - observables: [] - owner: observability - settings: - extractObservables: false - syncAlerts: false - severity: low - status: in-progress - tags: - - observability - - tag 1 - title: Observability case title 1 - total_observables: 0 - totalAlerts: 1 - totalComment: 1 - totalEvents: 0 - updated_at: '2023-11-06T19:47:55.662Z' - updated_by: - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - username: elastic - version: WzI0NywyXQ== - Cases_get_case_response: - summary: Get case response. Comments are not included; use the find case comments API. totalComment reflects the actual count. - value: - assignees: - - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - category: null - closed_at: null - closed_by: null - connector: - fields: null - id: none - name: none - type: .none - created_at: '2023-10-13T15:33:50.604Z' - created_by: - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - username: elastic - customFields: - - key: d312efda-ec2b-42ec-9e2c-84981795c581 - type: text - value: My field value - - key: fcc6840d-eb14-42df-8aaf-232201a705ec - type: toggle - value: null - description: A case description - duration: null - external_service: null - id: 31cdada0-02c1-11ed-85f2-4f7c222ca2fa - incremental_id: 1 - observables: [] - owner: cases - settings: - extractObservables: false - syncAlerts: true - severity: low - status: open - tags: - - tag 1 - title: Case title 1 - total_observables: 0 - totalAlerts: 1 - totalComment: 1 - totalEvents: 0 - updated_at: '2023-10-13T15:40:32.335Z' - updated_by: - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - username: elastic - version: WzM2LDFd - Cases_get_comment_response: - summary: A single user comment retrieved from a case - value: - comment: A new comment - created_at: '2023-10-07T19:32:13.104Z' - 
created_by: - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - username: elastic - id: 8048b460-fe2b-11ec-b15d-779a7c8bbcc3 - owner: cases - pushed_at: null - pushed_by: null - type: user - updated_at: null - updated_by: null - version: WzIzLDFd - Cases_get_reporters_response: - summary: A list of two users that opened cases - value: - - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - username: elastic - - email: jdoe@example.com - full_name: Jane Doe - profile_uid: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 - username: jdoe - Cases_get_tags_response: - summary: A list of tags that are used in cases - value: - - observability - - security - - tag 1 - - tag 2 - Cases_push_case_response: - summary: The push case API returns a JSON object with details about the case and the external service. - value: - assignees: [] - category: null - closed_at: null - closed_by: null - comments: [] - connector: - fields: - issueType: '10006' - parent: null - priority: Low - id: 09f8c0b0-0eda-11ed-bd18-65557fe66949 - name: My connector - type: .jira - created_at: '2022-07-29T00:59:39.444Z' - created_by: - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - username: elastic - customFields: [] - description: A case description. 
- duration: null - external_service: - connector_id: 09f8c0b0-0eda-11ed-bd18-65557fe66949 - connector_name: My connector - external_id: '71926' - external_title: ES-554 - external_url: https://cases.jira.com - pushed_at: '2022-07-29T01:20:58.436Z' - pushed_by: - email: null - full_name: null - username: elastic - id: b917f300-0ed9-11ed-bd18-65557fe66949 - observables: [] - owner: cases - settings: - extractObservables: false - syncAlerts: true - severity: low - status: open - tags: - - tag 1 - title: Case title 1 - total_observables: 0 - totalAlerts: 0 - totalComment: 0 - totalEvents: 0 - updated_at: '2022-07-29T01:20:58.436Z' - updated_by: - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - username: elastic - version: WzE3NjgsM10= - Cases_response_401: - summary: Authorization information is missing or invalid. - value: - error: Unauthorized - message: Unable to authenticate with the provided credentials. - statusCode: 401 - Cases_set_case_configuration_request: - summary: Set the closure type, custom fields, and default connector for Stack Management cases. - value: - closure_type: close-by-user - connector: - fields: null - id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 - name: my-jira-connector - type: .jira - customFields: - - defaultValue: My custom field default value. - key: d312efda-ec2b-42ec-9e2c-84981795c581 - label: my-text-field - type: text - required: false - owner: cases - templates: - - caseFields: - assignees: - - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - category: Default-category - customFields: - - key: d312efda-ec2b-42ec-9e2c-84981795c581 - type: text - value: A text field value for the template. - description: A default description for cases. - tags: - - Default case tag - title: Default case title - description: A description of the template. 
- key: 505932fe-ee3a-4960-a661-c781b5acdb05 - name: template-1 - tags: - - Template tag 1 - Cases_set_case_configuration_response: - summary: This is an example response for case settings. - value: - closure_type: close-by-user - connector: - fields: null - id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 - name: my-jira-connector - type: .jira - created_at: '2024-07-01T17:07:17.767Z' - created_by: - email: null, - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - username: elastic - customFields: - - defaultValue: My custom field default value. - key: d312efda-ec2b-42ec-9e2c-84981795c581 - label: my-text-field - type: text - required: false - error: null - id: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 - mappings: - - action_type: overwrite - source: title - target: summary - - action_type: overwrite - source: description - target: description - - action_type: append - source: comments - target: comments - - action_type: overwrite - source: tags - target: labels - owner: cases - templates: - - caseFields: - assignees: - - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - category: Default-category - customFields: - - key: d312efda-ec2b-42ec-9e2c-84981795c581 - type: text - value: A text field value for the template. - description: A default description for cases. - tags: - - Default case tag - title: Default case title - description: A description of the template. - key: 505932fe-ee3a-4960-a661-c781b5acdb05 - name: template-1 - tags: - - Template tag 1 - updated_at: null - updated_by: null - version: WzIwNzMsMV0= - Cases_update_case_configuration_request: - summary: Update the case settings. - value: - closure_type: close-by-user - connector: - fields: null - id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 - name: my-jira-connector - type: .jira - customFields: - - defaultValue: A new default value. 
- key: d312efda-ec2b-42ec-9e2c-84981795c581 - label: my-text-field - type: text - required: true - - key: fcc6840d-eb14-42df-8aaf-232201a705ec - label: my-toggle - type: toggle - required: false - version: WzExOSw0XQ== - Cases_update_case_configuration_response: - summary: This is an example response when the case configuration was updated. - value: - closure_type: close-by-user - connector: - fields: null - id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 - name: my-jira-connector - type: .jira - created_at: '2024-07-01T17:07:17.767Z' - created_by: - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - username: elastic - customFields: - - defaultValue: A new default value. - key: d312efda-ec2b-42ec-9e2c-84981795c581 - label: my-text-field - type: text - required: true - - key: fcc6840d-eb14-42df-8aaf-232201a705ec - label: my-toggle - type: toggle - required: false - error: null - id: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 - mappings: - - action_type: overwrite - source: title - target: summary - - action_type: overwrite - source: description - target: description - - action_type: overwrite - source: tags - target: labels - - action_type: append - source: comments - target: comments - owner: cases - templates: [] - updated_at: '2024-07-19T00:52:42.401Z' - updated_by: - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - username: elastic - version: WzI2LDNd - Cases_update_case_request: - summary: Update the case description, tags, and connector. - value: - cases: - - connector: - fields: - issueType: '10006' - parent: null - priority: null - id: 131d4448-abe0-4789-939d-8ef60680b498 - name: My connector - type: .jira - customFields: - - key: fcc6840d-eb14-42df-8aaf-232201a705ec - type: toggle - value: false - - key: d312efda-ec2b-42ec-9e2c-84981795c581 - type: text - value: My new field value - description: A case description. 
- id: a18b38a0-71b0-11ea-a0b2-c51ea50a58e2 - settings: - extractObservables: false - syncAlerts: true - tags: - - tag-1 - version: WzIzLDFd - Cases_update_case_response: - summary: This is an example response when the case description, tags, and connector were updated. - value: - - assignees: [] - category: null - closed_at: null - closed_by: null - comments: [] - connector: - fields: - issueType: '10006' - parent: null - priority: null - id: 131d4448-abe0-4789-939d-8ef60680b498 - name: My connector - type: .jira - created_at: '2023-10-13T09:16:17.416Z' - created_by: - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - username: elastic - customFields: - - key: d312efda-ec2b-42ec-9e2c-84981795c581 - type: text - value: My new field value - - key: fcc6840d-eb14-42df-8aaf-232201a705ec - type: toggle - value: false - description: A case description. - duration: null - external_service: - connector_id: 05da469f-1fde-4058-99a3-91e4807e2de8 - connector_name: Jira - external_id: '10003' - external_title: IS-4 - external_url: https://hms.atlassian.net/browse/IS-4 - pushed_at: '2023-10-13T09:20:40.672Z' - pushed_by: - email: null - full_name: null - username: elastic - id: 66b9aa00-94fa-11ea-9f74-e7e108796192 - observables: [] - owner: cases - settings: - extractObservables: false - syncAlerts: true - severity: low - status: open - tags: - - tag-1 - title: Case title 1 - total_observables: 0 - totalAlerts: 0 - totalComment: 0 - totalEvents: 0 - updated_at: '2023-10-13T09:48:33.043Z' - updated_by: - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - username: elastic - version: WzU0OCwxXQ== - Cases_update_comment_request: - summary: Updates a comment of a case. - value: - comment: An updated comment. 
- id: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 - owner: cases - type: user - version: Wzk1LDFd - Cases_update_comment_response: - summary: The add comment to case API returns a JSON object that contains details about the case and its comments. - value: - assignees: [] - category: null - closed_at: null - closed_by: null - comments: - - comment: An updated comment. - created_at: '2023-10-24T00:37:10.832Z' - created_by: - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - username: elastic - id: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 - owner: cases - pushed_at: null - pushed_by: null - type: user - updated_at: '2023-10-24T01:27:06.210Z' - updated_by: - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - username: elastic - version: WzIwNjM3LDFd - connector: - fields: null - id: none - name: none - type: .none - created_at: '2023-10-24T00:37:03.906Z' - created_by: - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - username: elastic - customFields: - - key: d312efda-ec2b-42ec-9e2c-84981795c581 - type: text - value: My new field value - - key: fcc6840d-eb14-42df-8aaf-232201a705ec - type: toggle - value: false - description: A case description. - duration: null - external_service: null - id: 293f1bc0-74f6-11ea-b83a-553aecdb28b6 - owner: cases - settings: - syncAlerts: false - severity: low - status: open - tags: - - tag 1 - title: Case title 1 - totalAlerts: 0 - totalComment: 1 - totalEvents: 0 - updated_at: '2023-10-24T01:27:06.210Z' - updated_by: - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - username: elastic - version: WzIwNjM2LDFd - Data_views_create_data_view_request: - summary: Create a data view with runtime fields. 
- value: - data_view: - name: My Logstash data view - runtimeFieldMap: - runtime_shape_name: - script: - source: emit(doc['shape_name'].value) - type: keyword - title: logstash-* - Data_views_create_runtime_field_request: - summary: Create a runtime field. - value: - name: runtimeFoo - runtimeField: - script: - source: emit(doc["foo"].value) - type: long - Data_views_get_data_view_response: - summary: The get data view API returns a JSON object that contains information about the data view. - value: - data_view: - allowNoIndex: false - fieldAttrs: - products.manufacturer: - count: 1 - products.price: - count: 1 - products.product_name: - count: 1 - total_quantity: - count: 1 - fieldFormats: - products.base_price: - id: number - params: - pattern: $0,0.00 - products.base_unit_price: - id: number - params: - pattern: $0,0.00 - products.min_price: - id: number - params: - pattern: $0,0.00 - products.price: - id: number - params: - pattern: $0,0.00 - products.taxful_price: - id: number - params: - pattern: $0,0.00 - products.taxless_price: - id: number - params: - pattern: $0,0.00 - taxful_total_price: - id: number - params: - pattern: $0,0.[00] - taxless_total_price: - id: number - params: - pattern: $0,0.00 - fields: - _id: - aggregatable: false - count: 0 - esTypes: - - _id - format: - id: string - isMapped: true - name: _id - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - _index: - aggregatable: true - count: 0 - esTypes: - - _index - format: - id: string - isMapped: true - name: _index - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - _score: - aggregatable: false - count: 0 - format: - id: number - isMapped: true - name: _score - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: number - _source: - aggregatable: false - count: 0 - esTypes: - - _source - format: - id: _source - isMapped: true - name: _source 
- readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: _source - category: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: category - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - category.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: category.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: category - type: string - currency: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: currency - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - customer_birth_date: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: customer_birth_date - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - customer_first_name: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: customer_first_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - customer_first_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_first_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: customer_first_name - type: string - customer_full_name: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: customer_full_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - customer_full_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string 
- isMapped: true - name: customer_full_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: customer_full_name - type: string - customer_gender: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_gender - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - customer_id: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - customer_last_name: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: customer_last_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - customer_last_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_last_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: customer_last_name - type: string - customer_phone: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_phone - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - day_of_week: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: day_of_week - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - day_of_week_i: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: day_of_week_i - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - email: - aggregatable: true - count: 0 - esTypes: - 
- keyword - format: - id: string - isMapped: true - name: email - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - event.dataset: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: event.dataset - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - geoip.city_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.city_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - geoip.continent_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.continent_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - geoip.country_iso_code: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.country_iso_code - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - geoip.location: - aggregatable: true - count: 0 - esTypes: - - geo_point - format: - id: geo_point - params: - transform: wkt - isMapped: true - name: geoip.location - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - geoip.region_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.region_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - manufacturer: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: manufacturer - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - manufacturer.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: 
string - isMapped: true - name: manufacturer.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: manufacturer - type: string - order_date: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: order_date - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - order_id: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: order_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - products._id: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: products._id - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - products._id.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products._id.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products._id - type: string - products.base_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.base_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.base_unit_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.base_unit_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.category: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: products.category - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - 
products.category.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.category.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.category - type: string - products.created_on: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: products.created_on - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - products.discount_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.discount_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.discount_percentage: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.discount_percentage - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.manufacturer: - aggregatable: false - count: 1 - esTypes: - - text - format: - id: string - isMapped: true - name: products.manufacturer - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - products.manufacturer.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.manufacturer.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.manufacturer - type: string - products.min_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.min_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.price: - aggregatable: true - count: 1 - esTypes: - - 
half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.product_id: - aggregatable: true - count: 0 - esTypes: - - long - format: - id: number - isMapped: true - name: products.product_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.product_name: - aggregatable: false - count: 1 - esTypes: - - text - format: - id: string - isMapped: true - name: products.product_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - products.product_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.product_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.product_name - type: string - products.quantity: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: products.quantity - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.sku: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.sku - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - products.tax_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.tax_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.taxful_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.taxful_price - readFromDocValues: true - scripted: false - searchable: 
true - shortDotsEnable: false - type: number - products.taxless_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.taxless_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.unit_discount_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.unit_discount_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - sku: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: sku - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - taxful_total_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.[00] - isMapped: true - name: taxful_total_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - taxless_total_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: taxless_total_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - total_quantity: - aggregatable: true - count: 1 - esTypes: - - integer - format: - id: number - isMapped: true - name: total_quantity - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - total_unique_products: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: total_unique_products - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - type: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: type - 
readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - user: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: user - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - name: Kibana Sample Data eCommerce - namespaces: - - default - runtimeFieldMap: {} - sourceFilters: [] - timeFieldName: order_date - title: kibana_sample_data_ecommerce - typeMeta: {} - version: WzUsMV0= - Data_views_get_data_views_response: - summary: The get all data views API returns a list of data views. - value: - data_view: - - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - name: Kibana Sample Data eCommerce - namespaces: - - default - title: kibana_sample_data_ecommerce - typeMeta: {} - - id: d3d7af60-4c81-11e8-b3d7-01146121b73d - name: Kibana Sample Data Flights - namespaces: - - default - title: kibana_sample_data_flights - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: Kibana Sample Data Logs - namespaces: - - default - title: kibana_sample_data_logs - Data_views_get_default_data_view_response: - summary: The get default data view API returns the default data view identifier. - value: - data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - Data_views_get_runtime_field_response: - summary: The get runtime field API returns a JSON object that contains information about the runtime field (`hour_of_day`) and the data view (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). 
- value: - data_view: - allowNoIndex: false - fieldAttrs: {} - fieldFormats: - AvgTicketPrice: - id: number - params: - pattern: $0,0.[00] - hour_of_day: - id: number - params: - pattern: '00' - fields: - _id: - aggregatable: false - count: 0 - esTypes: - - _id - format: - id: string - isMapped: true - name: _id - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - _index: - aggregatable: true - count: 0 - esTypes: - - _index - format: - id: string - isMapped: true - name: _index - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - _score: - aggregatable: false - count: 0 - format: - id: number - isMapped: true - name: _score - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: number - _source: - aggregatable: false - count: 0 - esTypes: - - _source - format: - id: _source - isMapped: true - name: _source - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: _source - AvgTicketPrice: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - params: - pattern: $0,0.[00] - isMapped: true - name: AvgTicketPrice - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - Cancelled: - aggregatable: true - count: 0 - esTypes: - - boolean - format: - id: boolean - isMapped: true - name: Cancelled - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: boolean - Carrier: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: Carrier - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - dayOfWeek: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: dayOfWeek - readFromDocValues: true - scripted: false - searchable: true - 
shortDotsEnable: false - type: number - Dest: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: Dest - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestAirportID: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestAirportID - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestCityName: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestCityName - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestCountry: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestCountry - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestLocation: - aggregatable: true - count: 0 - esTypes: - - geo_point - format: - id: geo_point - params: - transform: wkt - isMapped: true - name: DestLocation - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - DestRegion: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestRegion - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestWeather: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestWeather - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DistanceKilometers: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - isMapped: true - name: DistanceKilometers - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - DistanceMiles: - aggregatable: true - count: 0 - 
esTypes: - - float - format: - id: number - isMapped: true - name: DistanceMiles - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - FlightDelay: - aggregatable: true - count: 0 - esTypes: - - boolean - format: - id: boolean - isMapped: true - name: FlightDelay - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: boolean - FlightDelayMin: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: FlightDelayMin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - FlightDelayType: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: FlightDelayType - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - FlightNum: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: FlightNum - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - FlightTimeHour: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: FlightTimeHour - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - FlightTimeMin: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - isMapped: true - name: FlightTimeMin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - hour_of_day: - aggregatable: true - count: 0 - esTypes: - - long - format: - id: number - params: - pattern: '00' - name: hour_of_day - readFromDocValues: false - runtimeField: - script: - source: emit(doc['timestamp'].value.getHour()); - type: long - scripted: false - searchable: true - shortDotsEnable: false - type: number - Origin: - aggregatable: true - count: 0 - esTypes: - - keyword - 
format: - id: string - isMapped: true - name: Origin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginAirportID: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginAirportID - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginCityName: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginCityName - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginCountry: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginCountry - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginLocation: - aggregatable: true - count: 0 - esTypes: - - geo_point - format: - id: geo_point - params: - transform: wkt - isMapped: true - name: OriginLocation - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - OriginRegion: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginRegion - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginWeather: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginWeather - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - timestamp: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: timestamp - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - id: d3d7af60-4c81-11e8-b3d7-01146121b73d - name: Kibana Sample Data Flights - runtimeFieldMap: - hour_of_day: - script: - source: 
emit(doc['timestamp'].value.getHour()); - type: long - sourceFilters: [] - timeFieldName: timestamp - title: kibana_sample_data_flights - version: WzM2LDJd - fields: - - aggregatable: true - count: 0 - esTypes: - - long - name: hour_of_day - readFromDocValues: false - runtimeField: - script: - source: emit(doc['timestamp'].value.getHour()); - type: long - scripted: false - searchable: true - shortDotsEnable: false - type: number - Data_views_preview_swap_data_view_request: - summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". - value: - fromId: abcd-efg - toId: xyz-123 - Data_views_set_default_data_view_request: - summary: Set the default data view identifier. - value: - data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - force: true - Data_views_swap_data_view_request: - summary: Swap references from data view ID "abcd-efg" to "xyz-123" and remove the data view that is no longer referenced. - value: - delete: true - fromId: abcd-efg - toId: xyz-123 - Data_views_update_data_view_request: - summary: Update some properties for a data view. - value: - data_view: - allowNoIndex: false - name: Kibana Sample Data eCommerce - timeFieldName: order_date - title: kibana_sample_data_ecommerce - refresh_fields: true - Data_views_update_field_metadata_request: - summary: Update metadata for multiple fields. - value: - fields: - field1: - count: 123 - customLabel: Field 1 label - field2: - customDescription: Field 2 description - customLabel: Field 2 label - Data_views_update_runtime_field_request: - summary: Update an existing runtime field on a data view. - value: - runtimeField: - script: - source: emit(doc["bar"].value) - Machine_learning_APIs_mlSync401Example: - summary: Two anomaly detection jobs required synchronization in this example. 
- value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]]: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]" - statusCode: 401 - Machine_learning_APIs_mlSyncExample: - summary: Two anomaly detection jobs required synchronization in this example. - value: - datafeedsAdded: {} - datafeedsRemoved: {} - savedObjectsCreated: - anomaly-detector: - myjob1: - success: true - myjob2: - success: true - savedObjectsDeleted: {} - Observability_AI_Assistant_API_ChatCompleteRequestExample: - summary: Example of completing a chat interaction - value: | - { - "connectorId": "", - "disableFunctions": false, - "messages": [ - { - "@timestamp": "2025-06-25T23:45:00.000Z", - "message": { - "role": "user", - "content": "Is my Elasticsearch cluster healthy right now?" - } - } - ], - "persist": false, - "actions": [ - { - "name": "get_cluster_health", - "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", - "parameters": { - "type": "object", - "properties": { - "includeShardStats": { - "type": "boolean", - "default": false - } - } - } - } - ], - "instructions": ["When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English."] - } - Observability_AI_Assistant_API_ChatCompleteResponseExample: - summary: Get a chat completion from the Observability AI Assistant - value: | - data: {"model":"unknown","choices":[{"delta":{"content":"","function_call":{"name":"get_cluster_health","arguments":"{\"includeShardStats\":true}"}},"finish_reason":null,"index":0}],"created":1750936626911,"id":"9c8eff9b-4fd4-4203-a4ab-2e364688deff","object":"chat.completion.chunk"} - - data: [DONE] - Saved_objects_key_rotation_response: - summary: Encryption key rotation using default parameters. 
- value: - failed: 0 - successful: 300 - total: 1000 - Saved_objects_resolve_missing_reference_request: - value: - file: file.ndjson - retries: - - id: my-pattern - overwrite: true - type: index-pattern - - destinationId: another-vis - id: my-vis - overwrite: true - type: visualization - - destinationId: yet-another-canvas - id: my-canvas - overwrite: true - type: canvas - - id: my-dashboard - type: dashboard - Saved_objects_resolve_missing_reference_response: - summary: Resolve missing reference errors. - value: - success: true - successCount: 3 - successResults: - - id: my-vis - meta: - icon: visualizeApp - title: Look at my visualization - type: visualization - - id: my-search - meta: - icon: searchApp - title: Look at my search - type: search - - id: my-dashboard - meta: - icon: dashboardApp - title: Look at my dashboard - type: dashboard - Security_Detections_API_SetAlertAssigneesBodyAdd: - value: - assignees: - add: - - u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0 - remove: [] - ids: - - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6 - Security_Detections_API_SetAlertAssigneesBodyRemove: - value: - assignees: - add: [] - remove: - - u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0 - ids: - - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6 - Security_Detections_API_SetAlertTagsBodyAdd: - value: - ids: - - 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e - tags: - tags_to_add: - - Duplicate - tags_to_remove: [] - Security_Detections_API_SetAlertTagsBodyRemove: - value: - ids: - - 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e - tags: - tags_to_add: [] - tags_to_remove: - - Duplicate - Task_manager_health_APIs_health_200response: - description: A successful response from `GET api/task_manager/_health`. 
- value: |- - { - "id": "330bbc6a-56cd-44d5-88e3-e3229f14d619", - "timestamp": "2025-03-21T21:30:04.780Z", - "status": "OK", - "last_update": "2025-03-21T21:30:04.455Z", - "stats": { - "configuration": { - "timestamp": "2025-03-21T21:26:10.002Z", - "value": { - "request_capacity": 1000, - "monitored_aggregated_stats_refresh_rate": 60000, - "monitored_stats_running_average_window": 50, - "monitored_task_execution_thresholds": { - "custom": {}, - "default": { - "error_threshold": 90, - "warn_threshold": 80 - } - }, - "claim_strategy": "mget", - "poll_interval": 500, - "capacity": { - "config": 10, - "as_workers": 10, - "as_cost": 20 - } - }, - "status": "OK" - }, - "runtime": { - "timestamp": "2025-03-21T21:30:04.455Z", - "value": { - "polling": { - "last_successful_poll": "2025-03-21T21:30:04.455Z", - "last_polling_delay": "2025-03-21T21:26:10.001Z", - "claim_duration": { - "p50": 17, - "p90": 22, - "p95": 25, - "p99": 27 - }, - "duration": { - "p50": 19, - "p90": 25.5, - "p95": 28, - "p99": 28 - }, - "claim_conflicts": { - "p50": 0, - "p90": 0, - "p95": 0, - "p99": 0 - }, - "claim_mismatches": { - "p50": 0, - "p90": 0, - "p95": 0, - "p99": 0 - }, - "claim_stale_tasks": { - "p50": 0, - "p90": 0, - "p95": 0, - "p99": 0 - }, - "result_frequency_percent_as_number": { - "Failed": 0, - "NoAvailableWorkers": 0, - "NoTasksClaimed": 100, - "RanOutOfCapacity": 0, - "RunningAtCapacity": 0, - "PoolFilled": 0 - }, - "persistence": { - "recurring": 88, - "non_recurring": 12 - } - }, - "drift": { - "p50": 2089, - "p90": 3037, - "p95": 3037, - "p99": 3037 - }, - "drift_by_type": { - "SLO:ORPHAN_SUMMARIES-CLEANUP-TASK": { - "p50": 2082, - "p90": 2082, - "p95": 2082, - "p99": 2082 - }, - "fleet:check-deleted-files-task": { - "p50": 2080, - "p90": 2080, - "p95": 2080, - "p99": 2080 - }, - "osquery:telemetry-saved-queries": { - "p50": 2080, - "p90": 2080, - "p95": 2080, - "p99": 2080 - }, - "task_manager:mark_removed_tasks_as_unrecognized": { - "p50": 2089, - "p90": 2089, - "p95": 
2089, - "p99": 2089 - }, - "task_manager:delete_inactive_background_task_nodes": { - "p50": 336.5, - "p90": 2089, - "p95": 2089, - "p99": 2089 - }, - "alerts_invalidate_api_keys": { - "p50": 2086, - "p90": 2086, - "p95": 2086, - "p99": 2086 - }, - "fleet:unenroll-inactive-agents-task": { - "p50": 2080, - "p90": 2080, - "p95": 2080, - "p99": 2080 - }, - "alerting_health_check": { - "p50": 2086, - "p90": 2086, - "p95": 2086, - "p99": 2086 - }, - "Fleet-Usage-Sender": { - "p50": 2079, - "p90": 2079, - "p95": 2079, - "p99": 2079 - }, - "security:endpoint-diagnostics": { - "p50": 2525, - "p90": 2525, - "p95": 2525, - "p99": 2525 - }, - "security:telemetry-lists": { - "p50": 2525, - "p90": 2525, - "p95": 2525, - "p99": 2525 - }, - "security:telemetry-timelines": { - "p50": 2526, - "p90": 2526, - "p95": 2526, - "p99": 2526 - }, - "cases-telemetry-task": { - "p50": 2083, - "p90": 2083, - "p95": 2083, - "p99": 2083 - }, - "osquery:telemetry-packs": { - "p50": 2530, - "p90": 2530, - "p95": 2530, - "p99": 2530 - }, - "Fleet-Metrics-Task": { - "p50": 133.5, - "p90": 2530, - "p95": 2530, - "p99": 2530 - }, - "fleet:delete-unenrolled-agents-task": { - "p50": 2530, - "p90": 2530, - "p95": 2530, - "p99": 2530 - }, - "osquery:telemetry-configs": { - "p50": 2529, - "p90": 2529, - "p95": 2529, - "p99": 2529 - }, - "endpoint:complete-external-response-actions": { - "p50": 519, - "p90": 2526, - "p95": 2526, - "p99": 2526 - }, - "security:telemetry-detection-rules": { - "p50": 3037, - "p90": 3037, - "p95": 3037, - "p99": 3037 - }, - "security:telemetry-prebuilt-rule-alerts": { - "p50": 3037, - "p90": 3037, - "p95": 3037, - "p99": 3037 - }, - "security:endpoint-meta-telemetry": { - "p50": 3037, - "p90": 3037, - "p95": 3037, - "p99": 3037 - }, - "security:telemetry-filterlist-artifact": { - "p50": 3037, - "p90": 3037, - "p95": 3037, - "p99": 3037 - }, - "security:telemetry-diagnostic-timelines": { - "p50": 3037, - "p90": 3037, - "p95": 3037, - "p99": 3037 + { + "timestamp": 
"2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.feature", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "saiJW5gB4U27o8XO8oLg" }, - "security:telemetry-configuration": { - "p50": 3037, - "p90": 3037, - "p95": 3037, - "p99": 3037 + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.data", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "sqiJW5gB4U27o8XO8oLg" }, - "security:indices-metadata-telemetry": { - "p50": 3037, - "p90": 3037, - "p95": 3037, - "p99": 3037 + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.entropy", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "s6iJW5gB4U27o8XO8oLg" }, - "Fleet-Usage-Logger": { - "p50": 2190, - "p90": 2190, - "p95": 2190, - "p99": 2190 + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.extension", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "tKiJW5gB4U27o8XO8oLg" }, - "obs-ai-assistant:knowledge-base-migration": { - "p50": 2189, - "p90": 2189, - "p95": 2189, - "p99": 2189 + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.metrics", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "taiJW5gB4U27o8XO8oLg" }, - "dashboard_telemetry": { - "p50": 2452, - "p90": 2452, - "p95": 2452, - "p99": 2452 + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.operation", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "tqiJW5gB4U27o8XO8oLg" }, - "session_cleanup": { - "p50": 2569, - "p90": 2569, - "p95": 2569, - "p99": 2569 + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": 
"2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.path", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "t6iJW5gB4U27o8XO8oLg" }, - "ProductDocBase:EnsureUpToDate": { - "p50": 2452, - "p90": 2452, - "p95": 2452, - "p99": 2452 + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.score", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "uKiJW5gB4U27o8XO8oLg" }, - "apm-telemetry-task": { - "p50": 2591, - "p90": 2591, - "p95": 2591, - "p99": 2591 + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.version", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "uaiJW5gB4U27o8XO8oLg" }, - "ML:saved-objects-sync": { - "p50": 2475, - "p90": 2475, - "p95": 2475, - "p99": 2475 + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "_id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "Z6iJW5gB4U27o8XO8oLf" }, - "apm-source-map-migration-task": { - "p50": 1603.5, - "p90": 2987, - "p95": 2987, - "p99": 2987 + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "agent.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "aaiJW5gB4U27o8XO8oLf" }, - "actions_telemetry": { - "p50": 771, - "p90": 771, - "p95": 771, - "p99": 771 + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "cloud.availability_zone", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "aqiJW5gB4U27o8XO8oLf" }, - "alerting_telemetry": { - "p50": 768, - "p90": 768, - "p95": 768, - "p99": 768 + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "cloud.provider", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": 
"a6iJW5gB4U27o8XO8oLf" }, - "endpoint:metadata-check-transforms-task": { - "p50": 834, - "p90": 834, - "p95": 834, - "p99": 834 + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "cloud.region", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "bKiJW5gB4U27o8XO8oLf" }, - "endpoint:user-artifact-packager": { - "p50": 529.5, - "p90": 835, - "p95": 835, - "p99": 835 + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "destination.ip", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "baiJW5gB4U27o8XO8oLf" }, - "fleet:bump_agent_policies": { - "p50": 361, - "p90": 361, - "p95": 361, - "p99": 361 - } - }, - "load": { - "p50": 10, - "p90": 100, - "p95": 100, - "p99": 100 - }, - "execution": { - "duration": { - "SLO:ORPHAN_SUMMARIES-CLEANUP-TASK": { - "p50": 24, - "p90": 24, - "p95": 24, - "p99": 24 - }, - "fleet:check-deleted-files-task": { - "p50": 24, - "p90": 24, - "p95": 24, - "p99": 24 - }, - "osquery:telemetry-saved-queries": { - "p50": 25, - "p90": 25, - "p95": 25, - "p99": 25 - }, - "task_manager:mark_removed_tasks_as_unrecognized": { - "p50": 28, - "p90": 28, - "p95": 28, - "p99": 28 - }, - "task_manager:delete_inactive_background_task_nodes": { - "p50": 7.5, - "p90": 29, - "p95": 29, - "p99": 29 - }, - "alerts_invalidate_api_keys": { - "p50": 34, - "p90": 34, - "p95": 34, - "p99": 34 - }, - "fleet:unenroll-inactive-agents-task": { - "p50": 39, - "p90": 39, - "p95": 39, - "p99": 39 - }, - "alerting_health_check": { - "p50": 42, - "p90": 42, - "p95": 42, - "p99": 42 - }, - "Fleet-Usage-Sender": { - "p50": 78, - "p90": 78, - "p95": 78, - "p99": 78 - }, - "security:endpoint-diagnostics": { - "p50": 6, - "p90": 6, - "p95": 6, - "p99": 6 - }, - "security:telemetry-lists": { - "p50": 6, - "p90": 6, - "p95": 6, - "p99": 6 - }, - "security:telemetry-timelines": { - "p50": 6, - "p90": 6, - "p95": 6, - "p99": 6 - }, - 
"cases-telemetry-task": { - "p50": 458, - "p90": 458, - "p95": 458, - "p99": 458 - }, - "osquery:telemetry-packs": { - "p50": 10, - "p90": 10, - "p95": 10, - "p99": 10 - }, - "Fleet-Metrics-Task": { - "p50": 5, - "p90": 10, - "p95": 10, - "p99": 10 - }, - "fleet:delete-unenrolled-agents-task": { - "p50": 11, - "p90": 11, - "p95": 11, - "p99": 11 - }, - "osquery:telemetry-configs": { - "p50": 12, - "p90": 12, - "p95": 12, - "p99": 12 - }, - "endpoint:complete-external-response-actions": { - "p50": 7, - "p90": 11, - "p95": 11, - "p99": 11 - }, - "security:telemetry-detection-rules": { - "p50": 6, - "p90": 6, - "p95": 6, - "p99": 6 - }, - "security:telemetry-prebuilt-rule-alerts": { - "p50": 6, - "p90": 6, - "p95": 6, - "p99": 6 - }, - "security:endpoint-meta-telemetry": { - "p50": 6, - "p90": 6, - "p95": 6, - "p99": 6 - }, - "security:telemetry-filterlist-artifact": { - "p50": 5, - "p90": 5, - "p95": 5, - "p99": 5 - }, - "security:telemetry-diagnostic-timelines": { - "p50": 5, - "p90": 5, - "p95": 5, - "p99": 5 - }, - "security:telemetry-configuration": { - "p50": 5, - "p90": 5, - "p95": 5, - "p99": 5 - }, - "security:indices-metadata-telemetry": { - "p50": 5, - "p90": 5, - "p95": 5, - "p99": 5 - }, - "Fleet-Usage-Logger": { - "p50": 18, - "p90": 18, - "p95": 18, - "p99": 18 - }, - "obs-ai-assistant:knowledge-base-migration": { - "p50": 8, - "p90": 8, - "p95": 8, - "p99": 8 - }, - "dashboard_telemetry": { - "p50": 12, - "p90": 12, - "p95": 12, - "p99": 12 - }, - "session_cleanup": { - "p50": 58, - "p90": 58, - "p95": 58, - "p99": 58 - }, - "ProductDocBase:EnsureUpToDate": { - "p50": 147, - "p90": 147, - "p95": 147, - "p99": 147 - }, - "apm-telemetry-task": { - "p50": 543, - "p90": 543, - "p95": 543, - "p99": 543 - }, - "ML:saved-objects-sync": { - "p50": 544, - "p90": 544, - "p95": 544, - "p99": 544 - }, - "apm-source-map-migration-task": { - "p50": 1649, - "p90": 3282, - "p95": 3282, - "p99": 3282 - }, - "actions_telemetry": { - "p50": 19, - "p90": 19, - "p95": 19, 
- "p99": 19 - }, - "alerting_telemetry": { - "p50": 64, - "p90": 64, - "p95": 64, - "p99": 64 - }, - "endpoint:metadata-check-transforms-task": { - "p50": 6, - "p90": 6, - "p95": 6, - "p99": 6 - }, - "endpoint:user-artifact-packager": { - "p50": 10, - "p90": 13, - "p95": 13, - "p99": 13 - }, - "fleet:bump_agent_policies": { - "p50": 9, - "p90": 9, - "p95": 9, - "p99": 9 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "dns.question.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "bqiJW5gB4U27o8XO8oLf" }, - "duration_by_persistence": { - "recurring": { - "p50": 9, - "p90": 63.39999999999999, - "p95": 474.99999999999966, - "p99": 544 - }, - "non_recurring": { - "p50": 14, - "p90": 2968.500000000001, - "p95": 3282, - "p99": 3282 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "dns.question.type", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "b6iJW5gB4U27o8XO8oLf" }, - "persistence": { - "recurring": 88, - "non_recurring": 12 + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "event.category", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "cKiJW5gB4U27o8XO8oLf" }, - "result_frequency_percent_as_number": { - "SLO:ORPHAN_SUMMARIES-CLEANUP-TASK": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "fleet:check-deleted-files-task": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "osquery:telemetry-saved-queries": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "task_manager:mark_removed_tasks_as_unrecognized": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "task_manager:delete_inactive_background_task_nodes": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, 
- "alerts_invalidate_api_keys": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "fleet:unenroll-inactive-agents-task": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "alerting_health_check": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "Fleet-Usage-Sender": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "security:endpoint-diagnostics": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "security:telemetry-lists": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "security:telemetry-timelines": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "cases-telemetry-task": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "osquery:telemetry-packs": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "Fleet-Metrics-Task": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "fleet:delete-unenrolled-agents-task": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "osquery:telemetry-configs": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "endpoint:complete-external-response-actions": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "security:telemetry-detection-rules": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "security:telemetry-prebuilt-rule-alerts": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "security:endpoint-meta-telemetry": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "security:telemetry-filterlist-artifact": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "security:telemetry-diagnostic-timelines": { - 
"Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "security:telemetry-configuration": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "security:indices-metadata-telemetry": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "Fleet-Usage-Logger": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "obs-ai-assistant:knowledge-base-migration": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "dashboard_telemetry": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "session_cleanup": { - "Success": 0, - "RetryScheduled": 100, - "Failed": 0, - "status": "OK" - }, - "ProductDocBase:EnsureUpToDate": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "apm-telemetry-task": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "ML:saved-objects-sync": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "apm-source-map-migration-task": { - "Success": 50, - "RetryScheduled": 50, - "Failed": 0, - "status": "OK" - }, - "actions_telemetry": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "alerting_telemetry": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "endpoint:metadata-check-transforms-task": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "endpoint:user-artifact-packager": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - }, - "fleet:bump_agent_policies": { - "Success": 100, - "RetryScheduled": 0, - "Failed": 0, - "status": "OK" - } - } - } - }, - "status": "OK" - }, - "workload": { - "timestamp": "2025-03-21T21:29:10.367Z", - "value": { - "count": 35, - "cost": 70, - "task_types": { - "Fleet-Metrics-Task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + 
"timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "event.dataset", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "caiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "event.module", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "cqiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "event.outcome", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "c6iJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "file.Ext.original.path", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "dKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "file.hash.sha256", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "daiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "file.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "dqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "file.path", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "d6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "group.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "eKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "group.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "eaiJW5gB4U27o8XO8oLg" + }, + { + 
"timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.asset.criticality", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "eqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.name", + "allowed": true, + "anonymized": true, + "namespace": "default", + "id": "e6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.os.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "fKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.os.version", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "faiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.risk.calculated_level", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "fqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.risk.calculated_score_norm", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "f6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.original_time", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "gKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.risk_score", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "gaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.description", + "allowed": true, + "anonymized": 
false, + "namespace": "default", + "id": "gqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "g6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.references", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "hKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.framework", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "haiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.tactic.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "hqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.tactic.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "h6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.tactic.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "iKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "iaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": 
"iqiJW5gB4U27o8XO8oLg" }, - "Fleet-Usage-Logger": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "i6iJW5gB4U27o8XO8oLg" }, - "Fleet-Usage-Sender": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.subtechnique.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "jKiJW5gB4U27o8XO8oLg" }, - "ML:saved-objects-sync": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.subtechnique.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "jaiJW5gB4U27o8XO8oLg" }, - "SLO:ORPHAN_SUMMARIES-CLEANUP-TASK": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.subtechnique.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "jqiJW5gB4U27o8XO8oLg" }, - "actions_telemetry": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.severity", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "j6iJW5gB4U27o8XO8oLg" }, - "alerting_health_check": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.workflow_status", + "allowed": true, + "anonymized": false, + "namespace": 
"default", + "id": "kKiJW5gB4U27o8XO8oLg" }, - "alerting_telemetry": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "message", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "kaiJW5gB4U27o8XO8oLg" }, - "alerts_invalidate_api_keys": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "network.protocol", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "kqiJW5gB4U27o8XO8oLg" }, - "apm-telemetry-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.Ext.memory_region.bytes_compressed_present", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "nKiJW5gB4U27o8XO8oLg" }, - "cases-telemetry-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.Ext.memory_region.malware_signature.all_names", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "naiJW5gB4U27o8XO8oLg" }, - "dashboard_telemetry": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.Ext.memory_region.malware_signature.primary.matches", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "nqiJW5gB4U27o8XO8oLg" }, - "endpoint:complete-external-response-actions": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.Ext.memory_region.malware_signature.primary.signature.name", + "allowed": true, + 
"anonymized": false, + "namespace": "default", + "id": "n6iJW5gB4U27o8XO8oLg" }, - "endpoint:metadata-check-transforms-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.Ext.token.integrity_level_name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "oKiJW5gB4U27o8XO8oLg" }, - "endpoint:user-artifact-packager": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.args", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "k6iJW5gB4U27o8XO8oLg" }, - "fleet:check-deleted-files-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.code_signature.exists", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "lKiJW5gB4U27o8XO8oLg" }, - "fleet:delete-unenrolled-agents-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.code_signature.signing_id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "laiJW5gB4U27o8XO8oLg" }, - "fleet:unenroll-inactive-agents-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.code_signature.status", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "lqiJW5gB4U27o8XO8oLg" }, - "osquery:telemetry-configs": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.code_signature.subject_name", + "allowed": 
true, + "anonymized": false, + "namespace": "default", + "id": "l6iJW5gB4U27o8XO8oLg" }, - "osquery:telemetry-packs": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.code_signature.trusted", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "mKiJW5gB4U27o8XO8oLg" }, - "osquery:telemetry-saved-queries": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.command_line", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "maiJW5gB4U27o8XO8oLg" }, - "security:endpoint-diagnostics": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.executable", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "mqiJW5gB4U27o8XO8oLg" }, - "security:endpoint-meta-telemetry": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.exit_code", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "m6iJW5gB4U27o8XO8oLg" }, - "security:indices-metadata-telemetry": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.hash.md5", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "oaiJW5gB4U27o8XO8oLg" }, - "security:telemetry-configuration": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.hash.sha1", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": 
"oqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.hash.sha256", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "o6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "pKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.args", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "paiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.args_count", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "pqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.code_signature.exists", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "p6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.code_signature.status", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "qKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.code_signature.subject_name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "qaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.code_signature.trusted", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "qqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": 
"2025-07-30T13:33:44.029Z", + "field": "process.parent.command_line", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "q6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.executable", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "rKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "raiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.pe.original_file_name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "rqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.pid", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "r6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.working_directory", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "sKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "rule.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "uqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "rule.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "u6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "source.ip", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "vKiJW5gB4U27o8XO8oLg" + }, + { + 
"timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.framework", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "vaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.tactic.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "vqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.tactic.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "v6iJW5gB4U27o8XO8oLg" }, - "security:telemetry-detection-rules": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.tactic.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "wKiJW5gB4U27o8XO8oLg" }, - "security:telemetry-diagnostic-timelines": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.technique.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "waiJW5gB4U27o8XO8oLg" }, - "security:telemetry-filterlist-artifact": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.technique.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "wqiJW5gB4U27o8XO8oLg" }, - "security:telemetry-lists": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.technique.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "w6iJW5gB4U27o8XO8oLg" }, - 
"security:telemetry-prebuilt-rule-alerts": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.technique.subtechnique.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "xKiJW5gB4U27o8XO8oLg" }, - "security:telemetry-timelines": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.technique.subtechnique.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "xaiJW5gB4U27o8XO8oLg" }, - "session_cleanup": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.technique.subtechnique.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "xqiJW5gB4U27o8XO8oLg" }, - "task_manager:delete_inactive_background_task_nodes": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "user.asset.criticality", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "x6iJW5gB4U27o8XO8oLg" }, - "task_manager:mark_removed_tasks_as_unrecognized": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - } - }, - "non_recurring": 1, - "non_recurring_cost": 2, - "schedule": [ - [ - "1m", - 2 - ], - [ - "60s", - 2 - ], - [ - "5m", - 2 - ], - [ - "10m", - 1 - ], - [ - "15m", - 1 - ], - [ - "45m", - 1 - ], - [ - "1h", - 9 - ], - [ - "3600s", - 1 - ], - [ - "60m", - 1 - ], - [ - "2h", - 1 - ], - [ - "720m", - 2 - ], - [ - "24h", - 7 - ], - [ - "1d", - 3 - ], - [ - "1440m", - 1 - ] - ], - "overdue": 0, - "overdue_cost": 0, - "overdue_non_recurring": 0, - "estimated_schedule_density": [ - 0, - 0, - 0, - 1, - 1, - 1, - 0, - 0, - 0, - 0, - 0, 
- 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 1, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0 - ], - "capacity_requirements": { - "per_minute": 4, - "per_hour": 46, - "per_day": 27 - } - }, - "status": "OK" - }, - "capacity_estimation": { - "status": "OK", - "reason": "Task Manager is healthy, the assumedRequiredThroughputPerMinutePerKibana (148.78541666666666) < capacityPerMinutePerKibana (1200)", - "timestamp": "2025-03-21T21:30:04.780Z", - "value": { - "observed": { - "observed_kibana_instances": 1, - "max_throughput_per_minute_per_kibana": 1200, - "max_throughput_per_minute": 1200, - "minutes_to_drain_overdue": 0, - "avg_recurring_required_throughput_per_minute": 5, - "avg_recurring_required_throughput_per_minute_per_kibana": 5, - "avg_required_throughput_per_minute": 149, - "avg_required_throughput_per_minute_per_kibana": 149 - }, - "proposed": { - "provisioned_kibana": 2, - "min_required_kibana": 1, - "avg_recurring_required_throughput_per_minute_per_kibana": 3, - "avg_required_throughput_per_minute_per_kibana": 75 - } - } - } - } - } - get_connector_types_generativeai_response: - summary: A list of connector types for the `generativeAI` feature. 
- value: - - id: .gen-ai - name: OpenAI - enabled: true - enabled_in_config: true - enabled_in_license: true - minimum_license_required: enterprise - supported_feature_ids: - - generativeAIForSecurity - - generativeAIForObservability - - generativeAIForSearchPlayground - is_system_action_type: false - - id: .bedrock - name: AWS Bedrock - enabled: true - enabled_in_config: true - enabled_in_license: true - minimum_license_required: enterprise - supported_feature_ids: - - generativeAIForSecurity - - generativeAIForObservability - - generativeAIForSearchPlayground - is_system_action_type: false - - id: .gemini - name: Google Gemini - enabled: true - enabled_in_config: true - enabled_in_license: true - minimum_license_required: enterprise - supported_feature_ids: - - generativeAIForSecurity - is_system_action_type: false - get_connector_response: - summary: Get connector details. - value: - id: df770e30-8b8b-11ed-a780-3b746c987a81 - name: my_server_log_connector - config: {} - connector_type_id: .server-log - is_preconfigured: false - is_deprecated: false - is_missing_secrets: false - is_system_action: false - update_index_connector_request: - summary: Update an index connector. - value: - name: updated-connector - config: - index: updated-index - create_email_connector_request: - summary: Create an email connector. - value: - name: email-connector-1 - connector_type_id: .email - config: - from: tester@example.com - hasAuth: true - host: https://example.com - port: 1025 - secure: false - service: other - secrets: - user: username - password: password - create_index_connector_request: - summary: Create an index connector. - value: - name: my-connector - connector_type_id: .index - config: - index: test-index - create_webhook_connector_request: - summary: Create a webhook connector with SSL authentication. 
- value: - name: my-webhook-connector - connector_type_id: .webhook - config: - method: post - url: https://example.com - authType: webhook-authentication-ssl - certType: ssl-crt-key - secrets: - crt: QmFnIEF0dH... - key: LS0tLS1CRUdJ... - password: my-passphrase - create_xmatters_connector_request: - summary: Create an xMatters connector with URL authentication. - value: - name: my-xmatters-connector - connector_type_id: .xmatters - config: - usesBasic: false - secrets: - secretsUrl: https://example.com?apiKey=xxxxx - create_email_connector_response: - summary: A new email connector. - value: - id: 90a82c60-478f-11ee-a343-f98a117c727f - connector_type_id: .email - name: email-connector-1 - config: - from: tester@example.com - service: other - host: https://example.com - port: 1025 - secure: false - hasAuth: true - tenantId: null - clientId: null - oauthTokenUrl: null - is_preconfigured: false - is_deprecated: false - is_missing_secrets: false - is_system_action: false - create_index_connector_response: - summary: A new index connector. - value: - id: c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad - connector_type_id: .index - name: my-connector - config: - index: test-index - refresh: false - executionTimeField: null - is_preconfigured: false - is_deprecated: false - is_missing_secrets: false - is_system_action: false - create_webhook_connector_response: - summary: A new webhook connector. - value: - id: 900eb010-3b9d-11ee-a642-8ffbb94e38bd - name: my-webhook-connector - config: - method: post - url: https://example.com - authType: webhook-authentication-ssl - certType: ssl-crt-key - verificationMode: full - headers: null - hasAuth: true - connector_type_id: .webhook - is_preconfigured: false - is_deprecated: false - is_missing_secrets: false - is_system_action: false - run_index_connector_request: - summary: Run an index connector. 
- value: - params: - documents: - - id: my_doc_id - name: my_doc_name - message: hello, world - run_jira_connector_request: - summary: Run a Jira connector to retrieve the list of issue types. - value: - params: - subAction: issueTypes - run_servicenow_itom_connector_request: - summary: Run a ServiceNow ITOM connector to retrieve the list of choices. - value: - params: - subAction: getChoices - subActionParams: - fields: - - severity - - urgency - run_slack_api_connector_request: - summary: Run a Slack connector that uses the web API method to post a message on a channel. - value: - params: - subAction: postMessage - subActionParams: - channelIds: - - C123ABC456 - text: A test message. - run_swimlane_connector_request: - summary: Run a Swimlane connector to create an incident. - value: - params: - subAction: pushToService - subActionParams: - comments: - - commentId: 1 - comment: A comment about the incident. - incident: - caseId: '1000' - caseName: Case name - description: Description of the incident. - run_index_connector_response: - summary: Response from running an index connector. - value: - connector_id: fd38c600-96a5-11ed-bb79-353b74189cba - data: - errors: false - items: - - create: - _id: 4JtvwYUBrcyxt2NnfW3y - _index: my-index - _primary_term: 1 - _seq_no: 0 - _shards: - failed: 0 - successful: 1 - total: 2 - _version: 1 - result: created - status: 201 - took: 135 - status: ok - run_jira_connector_response: - summary: Response from retrieving the list of issue types for a Jira connector. - value: - connector_id: b3aad810-edbe-11ec-82d1-11348ecbf4a6 - data: - - id: 10024 - name: Improvement - - id: 10006 - name: Task - - id: 10007 - name: Sub-task - - id: 10025 - name: New Feature - - id: 10023 - name: Bug - - id: 10000 - name: Epic - status: ok - run_server_log_connector_response: - summary: Response from running a server log connector. 
- value: - connector_id: 7fc7b9a0-ecc9-11ec-8736-e7d63118c907 - status: ok - run_servicenow_itom_connector_response: - summary: Response from retrieving the list of choices for a ServiceNow ITOM connector. - value: - connector_id: 9d9be270-2fd2-11ed-b0e0-87533c532698 - data: - - dependent_value: '' - element: severity - label: Critical - value: 1 - - dependent_value: '' - element: severity - label: Major - value: 2 - - dependent_value: '' - element: severity - label: Minor - value: 3 - - dependent_value: '' - element: severity - label: Warning - value: 4 - - dependent_value: '' - element: severity - label: OK - value: 5 - - dependent_value: '' - element: severity - label: Clear - value: 0 - - dependent_value: '' - element: urgency - label: 1 - High - value: 1 - - dependent_value: '' - element: urgency - label: 2 - Medium - value: 2 - - dependent_value: '' - element: urgency - label: 3 - Low - value: 3 - status: ok - run_slack_api_connector_response: - summary: Response from posting a message with a Slack connector. - value: - status: ok - data: - ok: true - channel: C123ABC456 - ts: '1234567890.123456' - message: - bot_id: B12BCDEFGHI - type: message - text: A test message - user: U12A345BC6D - ts: '1234567890.123456' - app_id: A01BC2D34EF - blocks: - - type: rich_text - block_id: /NXe - elements: - - type: rich_text_section - elements: - - type: text - text: A test message. - team: T01ABCDE2F - bot_profile: - id: B12BCDEFGHI - app_id: A01BC2D34EF - name: test - icons: - image_36: https://a.slack-edge.com/80588/img/plugins/app/bot_36.png - deleted: false - updated: 1672169705 - team_id: T01ABCDE2F - connector_id: .slack_api - run_swimlane_connector_response: - summary: Response from creating a Swimlane incident. 
- value: - connector_id: a4746470-2f94-11ed-b0e0-87533c532698 - data: - id: aKPmBHWzmdRQtx6Mx - title: TEST-457 - url: https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx - pushedDate: '2022-09-08T16:52:27.866Z' - comments: - - commentId: 1 - pushedDate: '2022-09-08T16:52:27.865Z' - status: ok - get_connectors_response: - summary: A list of connectors - value: - - id: preconfigured-email-connector - name: my-preconfigured-email-notification - connector_type_id: .email - is_preconfigured: true - is_deprecated: false - referenced_by_count: 0 - is_system_action: false - - id: e07d0c80-8b8b-11ed-a780-3b746c987a81 - name: my-index-connector - config: - index: test-index - refresh: false - executionTimeField: null - connector_type_id: .index - is_preconfigured: false - is_deprecated: false - referenced_by_count: 2 - is_missing_secrets: false - is_system_action: false - get_roles_response1: - summary: Get all role details - value: - - name: my_kibana_role - description: My kibana role description - metadata: - version: 1 - transient_metadata: - enabled: true - elasticsearch: - indices: [] - cluster: [] - run_as: [] - kibana: - - base: - - all - feature: {} - spaces: - - '*' - - name: my_admin_role - description: My admin role description - metadata: - version: 1 - transient_metadata: - enabled: true - elasticsearch: - cluster: - - all - indices: - - names: - - index1 - - index2 - privileges: - - all - field_security: - grant: - - title - - body - query: '{\"match\": {\"title\": \"foo\"}}' - kibana: [] - get_role_response1: - summary: Get role details - value: - name: my_kibana_role - description: Grants all cluster privileges and full access to index1 and index2. Grants full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grants all Kibana privileges in the default space. 
- metadata: - version: 1 - transient_metadata: - enabled: true - elasticsearch: - cluster: - - all - remote_cluster: - - privileges: - - monitor_enrich - clusters: - - remote_cluster1 - indices: - - names: - - index1 - - index2 - privileges: - - all - allow_restricted_indices: false - remote_indices: - - names: - - remote_index1 - - remote_index2 - privileges: - - all - allow_restricted_indices: false - clusters: - - remote_cluster1 - run_as: [] - kibana: - - base: - - all - feature: {} - spaces: - - default - _transform_error: [] - _unrecognized_applications: [] - create_role_request1: - summary: Feature privileges in multiple spaces - description: Grant access to various features in some spaces. - value: - description: Grant full access to discover and dashboard features in the default space. Grant read access in the marketing, and sales spaces. - metadata: - version: 1 - elasticsearch: - cluster: [] - indices: [] - kibana: - - base: [] - feature: - discover: - - all - dashboard: - - all - spaces: - - default - - base: - - read - spaces: - - marketing - - sales - create_role_request2: - summary: Dashboard privileges in a space - description: Grant access to dashboard features in a Marketing space. - value: - description: Grant dashboard access in the Marketing space. - metadata: - version: 1 - elasticsearch: - cluster: [] - indices: [] - kibana: - - base: [] - feature: - dashboard: - - read - spaces: - - marketing - create_role_request3: - summary: Feature privileges in a space - description: Grant full access to all features in the default space. - value: - metadata: - version: 1 - elasticsearch: - cluster: [] - indices: [] - kibana: - - base: - - all - feature: {} - spaces: - - default - create_role_request4: - summary: Elasticsearch and Kibana feature privileges - description: Grant Elasticsearch and Kibana feature privileges. - value: - description: Grant all cluster privileges and full access to index1 and index2. 
Grant full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grant all Kibana privileges in the default space. - metadata: - version: 1 - elasticsearch: - cluster: - - all - indices: - - names: - - index1 - - index2 - privileges: - - all - remote_indices: - - clusters: - - remote_cluster1 - names: - - remote_index1 - - remote_index2 - privileges: - - all - remote_cluster: - - clusters: - - remote_cluster1 - privileges: - - monitor_enrich - kibana: - - base: - - all - feature: {} - spaces: - - default - copy_saved_objects_request1: - summary: Copy with createNewCopies - description: | - Copy a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and that has a reference to a data view. - value: - objects: - - type: dashboard - id: my-dashboard - spaces: - - marketing - includeReferences: true - copy_saved_objects_request2: - summary: Copy without createNewCopies - description: | - Copy a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and that has a reference to a data view. - value: - objects: - - type: dashboard - id: my-dashboard - spaces: - - marketing - includeReferences: true - createNewCopies: false - copy_saved_objects_response1: - summary: Copy with createNewCopies - description: | - The response for successfully copying a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. The result indicates a successful copy and all three objects are created. Since these objects were created as new copies, each entry in the successResults array includes a destinationId attribute. 
- value: - marketing: - success: true - successCount: 3 - successResults: - - id: my-dashboard - type: dashboard - destinationId: 1e127098-5b80-417f-b0f1-c60c8395358f - meta: - icon: dashboardApp - title: Look at my dashboard - - id: my-vis - type: visualization - destinationId: a610ed80-1c73-4507-9e13-d3af736c8e04 - meta: - icon: visualizeApp - title: Look at my visualization - - id: my-index-pattern - type: index-pattern - destinationId: bc3c9c70-bf6f-4bec-b4ce-f4189aa9e26b - meta: - icon: indexPatternApp - title: my-pattern-* - copy_saved_objects_response2: - summary: Copy without createNewCopies - description: | - The response for successfully copying a dashboard with the my-dashboard ID with createNewCopies turned off. The result indicates a successful copy and all three objects are created. - value: - marketing: - success: true - successCount: 3 - successResults: - - id: my-dashboard - type: dashboard - meta: - icon: dashboardApp - title: Look at my dashboard - - id: my-vis - type: visualization - meta: - icon: visualizeApp - title: Look at my visualization - - id: my-index-pattern - type: index-pattern - meta: - icon: indexPatternApp - title: my-pattern-* - copy_saved_objects_response3: - summary: Failed copy response with conflict errors - description: | - A response for a failed copy of a dashboard with the my-dashboard ID including all references from the default space to the marketing and sales spaces. In this example, the dashboard has a reference to a visualization and a Canvas workpad and the visualization has a reference to an index pattern. The result indicates a successful copy for the marketing space and an unsuccessful copy for the sales space because the data view, visualization, and Canvas workpad each resulted in a conflict error. Objects are created when the error is resolved using the resolve copy conflicts API. 
- value: - marketing: - success: true - successCount: 4 - successResults: - - id: my-dashboard - type: dashboard - meta: - icon: dashboardApp - title: Look at my dashboard - - id: my-vis - type: visualization - meta: - icon: visualizeApp - title: Look at my visualization - - id: my-canvas - type: canvas-workpad - meta: - icon: canvasApp - title: Look at my canvas - - id: my-index-pattern - type: index-pattern - meta: - icon: indexPatternApp - title: my-pattern-* - sales: - success: false - successCount: 1, - errors: - - id: my-pattern - type: index-pattern - title: my-pattern-* - error: - type: conflict - meta: - icon: indexPatternApp - title: my-pattern-* - - id: my-visualization - type: my-vis - title: Look at my visualization - error: - type: conflict - destinationId: another-vis - meta: - icon: visualizeApp - title: Look at my visualization - - id: my-canvas - type: canvas-workpad - title: Look at my canvas - error: - type: ambiguous_conflict - destinations: - - id: another-canvas - title: Look at another canvas - updatedAt: '2020-07-08T16:36:32.377Z' - - id: yet-another-canvas - title: Look at yet another canvas - updatedAt: '2020-07-05T12:29:54.849Z' - meta: - icon: canvasApp - title: Look at my canvas - successResults": - - id: my-dashboard - type: dashboard - meta: - icon: dashboardApp - title: Look at my dashboard - copy_saved_objects_response4: - summary: Failed copy with missing reference errors - description: | - The response for successfully copying a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and a Canvas workpad and the visualization has a reference to a data view. The result indicates an unsuccessful copy because the visualization resulted in a missing references error. Objects are created when the errors are resolved using the resolve copy conflicts API. 
- value: - marketing: - success: false - successCount: 2 - errors: - - id: my-vis - type: visualization - title: Look at my visualization - error: - type: missing_references - references: - - type: index-pattern - id: my-pattern-* - meta: - icon: visualizeApp - title: Look at my visualization - successResults: - - id: my-dashboard - type: dashboard - meta: - icon: dashboardApp - title: Look at my dashboard - - id: my-canvas - type: canvas-workpad - meta: - icon: canvasApp - title: Look at my canvas - disable_legacy_url_request1: - summary: Disable legacy URL aliases - description: | - This request leaves the alias intact but the legacy URL for this alias (http://localhost:5601/s/bills-space/app/dashboards#/view/123) will no longer function. The dashboard still exists and you can access it with the new URL. - value: - aliases: - - targetSpace: bills-space - targetType: dashboard - sourceId: 123 - get_shareable_references_request1: - summary: Get shareable references - description: | - Collect references and space contexts for a dashboard saved object. - value: - objects: - - type: dashboard - id: my-dashboard-id - get_shareable_references_response1: - summary: Get shareable references response - description: | - A response that includes the collected references and the spaces where the objects exist. - value: - objects: - - type: dashboard - id: my-dashboard-id - spaces: - - default - - marketing - inboundReferences: [] - resolve_copy_saved_objects_request1: - summary: Resolve conflict errors - description: | - Resolve conflict errors for a data view, visualization, and Canvas workpad by overwriting the existing saved objects. NOTE: If a prior copy attempt resulted in resolvable errors, you must include a retry for each object you want to copy, including any that were returned in the successResults array. In this example, we retried copying the dashboard accordingly. 
- value: - objects: - - type: dashboard - id: my-dashboard - includeReferences: true - createNewCopies: false - retries: - sales: - - type: index-pattern - id: my-pattern - overwrite: true - - type: visualization - id: my-vis - overwrite: true, - destinationId: another-vis - - type: canvas - id: my-canvas - overwrite: true - destinationId: yet-another-canvas - - type: dashboard - id: my-dashboard - resolve_copy_saved_objects_request2: - summary: Resolve missing reference errors - description: | - Resolve missing reference errors for a visualization by ignoring the error. NOTE: If a prior copy attempt resulted in resolvable errors, you must include a retry for each object you want to copy, including any that were returned in the successResults array. In this example, we retried copying the dashboard and canvas accordingly. - value: - objects: - - type: dashboard - id: my-dashboard - includeReferences: true - createNewCopies: false - retries: - marketing: - - type: visualization - id: my-vis - ignoreMissingReferences: true - - type: canvas - id: my-canvas - - type: dashboard - id: my-dashboard - update_saved_objects_spaces_request1: - summary: Update saved object spaces - description: Update the spaces of each saved object and all its references. - value: - objects: - - type: index-pattern - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - spacesToAdd: - - test - spacesToRemove: [] - update_saved_objects_spaces_response1: - summary: Update saved object spaces - description: | - The response from updating the spaces of saved objects. - value: - objects: - - type: index-pattern - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - spaces: - - default - - test - get_spaces_response1: - summary: Get all spaces - description: Get all spaces without specifying any options. 
- value: - - id: default - name: Default - description: This is the Default Space - disabledFeatures: [] - imageUrl: '' - _reserved: true - - id: marketing - name: Marketing - description: This is the Marketing Space - color: null - disabledFeatures: - - apm - initials: MK - imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU - - id: sales - name: Sales - initials: MK - disabledFeatures: - - discover - imageUr": '' - solution: oblt - get_spaces_response2: - summary: Get all spaces with custom options - description: | - The user has read-only access to the Sales space. Get all spaces with the following query parameters: "purpose=shareSavedObjectsIntoSpace&include_authorized_purposes=true" - value: - - id: default - name: Default - description: This is the Default Space - disabledFeatures: [] - imageUrl: '' - _reserved: true - authorizedPurposes: - any: true - copySavedObjectsIntoSpace: true - findSavedObjects: true - shareSavedObjectsIntoSpace: true - - id: marketing - name: Marketing - description: This is the Marketing Space - color: null - disabledFeatures: - - apm - initials: MK - imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU - authorizedPurposes: - any: true - copySavedObjectsIntoSpace: true - findSavedObjects: true - shareSavedObjectsIntoSpace: true - - id: sales - name: Sales - initials: MK - disabledFeatures: - - discover - imageUrl: '' - authorizedPurposes: - any: true - copySavedObjectsIntoSpace: false - findSavedObjects: true - shareSavedObjectsIntoSpace: false - create_space_request: - summary: Create a marketing space - value: - id: marketing - name: Marketing - description: This is the Marketing Space - color: null - initials: MK - disabledFeatures: [] - imageUrl: data:image/png;base64,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 - get_space_response: - summary: Get details about a marketing space - value: - id: marketing - name: Marketing - description: This is the Marketing Space - color: null - initials: MK - disabledFeatures: [] - 
imageUrl: '' - solution: es - update_space_request: - summary: Update a marketing space - description: Update the marketing space to remove the imageUrl. - value: - id: marketing - name: Marketing - description: This is the Marketing Space - color: null - initials: MK - disabledFeatures: [] - imageUrl: '' - parameters: - APM_UI_elastic_api_version: - description: The version of the API to use - in: header - name: elastic-api-version - required: true - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - APM_UI_kbn_xsrf: - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - Cases_alert_id: - description: An identifier for the alert. - in: path - name: alertId - required: true - schema: - example: 09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540 - type: string - Cases_assignees_filter: - description: | - Filters the returned cases by assignees. Valid values are `none` or unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API. - in: query - name: assignees - schema: - oneOf: - - $ref: '#/components/schemas/Cases_string' - - $ref: '#/components/schemas/Cases_string_array' - Cases_case_id: - description: The identifier for the case. To retrieve case IDs, use the search cases (`_find)` API. All non-ASCII characters must be URL encoded. - in: path - name: caseId - required: true - schema: - example: 9c235210-6834-11ea-a78c-6ffb38a34414 - type: string - Cases_category: - description: Filters the returned cases by category. - in: query - name: category - schema: - oneOf: - - $ref: '#/components/schemas/Cases_case_category' - - $ref: '#/components/schemas/Cases_case_categories' - Cases_comment_id: - description: | - The identifier for the comment. To retrieve comment IDs, use the get case or search cases (`_find`) APIs. 
- in: path - name: commentId - required: true - schema: - example: 71ec1870-725b-11ea-a0b2-c51ea50a58e2 - type: string - Cases_configuration_id: - description: An identifier for the configuration. - in: path - name: configurationId - required: true - schema: - example: 3297a0f0-b5ec-11ec-b141-0fdb20a7f9a9 - type: string - Cases_connector_id: - description: An identifier for the connector. To retrieve connector IDs, use the find connectors API. - in: path - name: connectorId - required: true - schema: - example: abed3a70-71bd-11ea-a0b2-c51ea50a58e2 - type: string - Cases_defaultSearchOperator: - description: he default operator to use for the simple_query_string. - example: OR - in: query - name: defaultSearchOperator - schema: - default: OR - type: string - Cases_from: - description: | - Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression. - in: query - name: from - schema: - example: now-1d - type: string - Cases_ids: - description: | - The cases that you want to removed. To get the case identifiers, use the search cases (`_find`) API. In the Dev Console, you can specify the array of cases in the following format: `ids=["e58e77e3-ef8e-4251-926f-efb115f3c4ec"]`. In `curl`, all non-ASCII characters must be URL encoded. 
For example: `ids=%5B%22e58e77e3-ef8e-4251-926f-efb115f3c4ec%22%5D` - in: query - name: ids - required: true - schema: - items: - example: d4e7abb0-b462-11ec-9a8d-698504725a43 - maxItems: 100 - minItems: 1 - type: string - type: array - Cases_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - Cases_owner_filter: + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "user.domain", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "yKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "user.name", + "allowed": true, + "anonymized": true, + "namespace": "default", + "id": "yaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "user.risk.calculated_level", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "yqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "user.risk.calculated_score_norm", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "y6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "user.target.name", + "allowed": true, + "anonymized": true, + "namespace": "default", + "id": "zKiJW5gB4U27o8XO8oLg" + } + ], + "replacements": {}, + "size": 100, + "subAction": "invokeAI", + "apiConfig": { + "connectorId": "12345678-1234-1234-1234-123456789012", + "actionTypeId": ".gen-ai" + }, + "connectorName": "GPT-5 Chat", + "end": "now", + "start": "now-24h" + }' + /api/attack_discovery/generations: + get: + description: >- + Get the latest Attack Discovery generations metadata (that are not + dismissed) for the current user. 
This endpoint retrieves generation + metadata including execution status and statistics for Attack Discovery + generations. + operationId: GetAttackDiscoveryGenerations + parameters: + - description: >- + End of the time range for filtering generations. Accepts absolute + timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h"). + example: now + in: query + name: end + required: false + schema: + type: string + - description: The maximum number of generations to retrieve + example: 50 + in: query + name: size + required: false + schema: + default: 50 + minimum: 1 + type: number + - description: >- + Start of the time range for filtering generations. Accepts absolute + timestamps (ISO 8601) or relative date math (e.g. "now-7d"). + example: now-24h + in: query + name: start + required: false + schema: + type: string + responses: + '200': + content: + application/json: + example: + generations: + - alerts_context_count: 75 + connector_id: chatGpt5_0ChatAzure + discoveries: 3 + end: '2025-09-29T06:42:44.810Z' + execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 + loading_message: >- + AI is analyzing up to 100 alerts in the last 24 hours to + generate discoveries. + start: '2025-09-29T06:42:08.962Z' + status: succeeded + schema: + type: object + properties: + generations: + description: List of Attack Discovery generations + items: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration + type: array + required: + - generations + description: Indicates a successful call. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid size parameter. Must be a positive number. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message + example: Invalid size parameter. Must be a positive number. 
+ type: string + status_code: + description: HTTP status code + example: 400 + type: number + description: Bad Request response. + summary: >- + Get the latest Attack Discovery generations metadata for the current + user + tags: + - Security Attack discovery API + x-code-samples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/generations?size=50&start=now-24h&end=now' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + /api/attack_discovery/generations/{execution_uuid}: + get: + description: >- + Returns a specific Attack Discovery generation, including all generated + Attack discoveries and associated metadata, including execution status + and statistics. + operationId: GetAttackDiscoveryGeneration + parameters: + - description: >- + The unique identifier for the Attack Discovery generation execution. + This UUID is returned at the start of an Attack Discovery + generation. + example: 2e13f386-46cf-4d65-9e2b-68609e132ba5 + in: path + name: execution_uuid + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + - description: >- + Enables a markdown syntax used to render pivot fields, for example + `{{ user.name james }}`. When disabled, the same example would be + rendered as `james`. This is primarily used for Attack Discovery + views within Kibana. Defaults to `false`. + example: false + in: query + name: enable_field_rendering + required: false + schema: + default: false + type: boolean + - description: >- + When true, return the created Attack discoveries with text + replacements applied to the detailsMarkdown, entitySummaryMarkdown, + summaryMarkdown, and title fields. Defaults to `true`. 
+ example: true + in: query + name: with_replacements + required: false + schema: + default: true + type: boolean + responses: + '200': + content: + application/json: + example: + data: + - id: >- + c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + title: Suspicious process execution on host-01 + generation: + alerts_context_count: 50 + discoveries: 1 + end: '2025-09-29T06:42:44.810Z' + execution_uuid: 2e13f386-46cf-4d65-9e2b-68609e132ba5 + start: '2025-09-29T06:42:08.962Z' + status: succeeded + schema: + type: object + properties: + data: + description: >- + Array of Attack discoveries generated during this + execution. + items: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert + type: array + generation: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration + description: >- + Optional metadata about the attack discovery generation + process, metadata including execution status and + statistics. This metadata may not be available for all + generations. + required: + - data + description: Indicates a successful call. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: >- + Human-readable error message describing what went wrong + with the request + example: Invalid request parameters. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. 
+ summary: >- + Get a single Attack Discovery generation, including its discoveries and + (optional) generation metadata + tags: + - Security Attack discovery API + x-code-samples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/generations/2e13f386-46cf-4d65-9e2b-68609e132ba5' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + /api/attack_discovery/generations/{execution_uuid}/_dismiss: + post: + description: >- + Dismisses an Attack Discovery generation for the current user, + indicating that its status should not be reported in the UI. This sets + the generation's status to "dismissed" and affects how the generation + appears in subsequent queries. + operationId: PostAttackDiscoveryGenerationsDismiss + parameters: + - description: >- + The unique identifier for the Attack Discovery generation execution. + This UUID is returned when an Attack Discovery generation is created + and can be found in generation responses. + example: 46b218d5-535d-4329-be56-d0f6af6986b7 + in: path + name: execution_uuid + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + alerts_context_count: 75 + connector_id: chatGpt5_0ChatAzure + discoveries: 3 + end: '2025-09-29T06:42:44.810Z' + execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 + loading_message: >- + AI is analyzing up to 100 alerts in the last 24 hours to + generate discoveries. + start: '2025-09-29T06:42:08.962Z' + status: dismissed + schema: + type: object + properties: + alerts_context_count: + description: >- + The number of alerts that were sent as context to the LLM + for this generation. + example: 75 + type: number + connector_id: + description: >- + The unique identifier of the connector used to generate + the attack discoveries. 
+ example: chatGpt5_0ChatAzure + type: string + connector_stats: + description: >- + Statistical information about the connector's performance + for this user, providing insights into usage patterns and + success rates. + type: object + properties: + average_successful_duration_nanoseconds: + description: >- + The average duration in nanoseconds for successful + generations using this connector by the current user. + example: 47958500000 + type: number + successful_generations: + description: >- + The total number of Attack discoveries successfully + created for this generation + example: 2 + type: number + discoveries: + description: >- + The number of attack discoveries that were generated + during this execution. + example: 3 + type: number + end: + description: >- + The timestamp when the generation process completed, in + ISO 8601 format. This field may be absent for generations + that haven't finished. + example: '2025-09-29T06:42:44.810Z' + type: string + execution_uuid: + description: >- + The unique identifier for this attack discovery generation + execution. This UUID can be used to reference this + specific generation in other API calls. + example: 46b218d5-535d-4329-be56-d0f6af6986b7 + type: string + loading_message: + description: >- + A human-readable message describing the current state or + progress of the generation process. Provides context about + what the AI is analyzing. + example: >- + AI is analyzing up to 100 alerts in the last 24 hours to + generate discoveries. + type: string + reason: + description: >- + Additional context or reasoning provided when a generation + fails or encounters issues. This field helps diagnose + problems with the generation process. + example: Connection timeout to AI service + type: string + start: + description: >- + The timestamp when the generation process began, in ISO + 8601 format. This marks the beginning of the AI analysis. 
+ example: '2025-09-29T06:42:08.962Z' + type: string + status: + description: >- + The current status of the attack discovery generation. + After dismissing, this will be set to "dismissed". + enum: + - canceled + - dismissed + - failed + - started + - succeeded + example: dismissed + type: string + required: + - connector_id + - discoveries + - execution_uuid + - loading_message + - start + - status + description: Indicates a successful call. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type or category + example: Bad Request + type: string + message: + description: >- + Human-readable error message describing what went wrong + with the request. + example: Invalid request parameters. + type: string + status_code: + description: HTTP status code indicating the type of client error + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. + summary: Dismiss an Attack Discovery generation + tags: + - Security Attack discovery API + x-code-samples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/generations/46b218d5-535d-4329-be56-d0f6af6986b7/_dismiss' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + /api/attack_discovery/schedules: + post: + description: >- + Creates a new Attack Discovery schedule that analyzes security alerts at + specified intervals. The schedule defines when and how Attack Discovery + analysis should run, including which alerts to analyze, which AI + connector to use, and what actions to take when discoveries are found. 
+ operationId: CreateAttackDiscoverySchedules + requestBody: + content: + application/json: + example: + actions: [] + enabled: true + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + schema: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps + description: >- + Attack Discovery schedule configuration including name, parameters, + schedule interval, and actions + required: true + responses: + '200': + content: + application/json: + example: + actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + updated_at: '2023-10-31T10:00:00.000Z' + updated_by: elastic + schema: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule + description: The Attack Discovery schedule was successfully created. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError + description: Bad Request response. 
+ summary: Create Attack Discovery schedule + tags: + - Security Attack discovery API + x-code-samples: + - label: Create an Attack Discovery schedule + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/schedules' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{ + "name": "Daily Security Analysis", + "enabled": true, + "params": { + "alerts_index_pattern": ".alerts-security.alerts-default", + "api_config": { + "actionTypeId": "bedrock", + "connectorId": "my-bedrock-connector", + "name": "Claude 3.5 Sonnet" + }, + "size": 100, + "start": "now-24h", + "end": "now" + }, + "schedule": { + "interval": "24h" + }, + "actions": [ + { + "action_type_id": ".cases", + "id": "system-connector-.cases", + "params": { + "subAction": "run", + "subActionParams": { + "timeWindow": "7d", + "reopenClosedCases": false, + "groupingBy": [], + "templateId": null + } + }, + "uuid": "12345678-1234-1234-1234-123456789012" + } + ] + }' + /api/attack_discovery/schedules/_find: + get: + description: >- + Find Attack Discovery schedules that match the search criteria. Supports + pagination and sorting by various fields. + operationId: FindAttackDiscoverySchedules + parameters: + - description: Page number to return (used for pagination). Defaults to 1. + example: 1 + in: query + name: page + required: false + schema: + type: number + - description: >- + Number of Attack Discovery schedules to return per page (used for + pagination). Defaults to 10. + example: 10 + in: query + name: per_page + required: false + schema: + type: number + - description: >- + Field used to sort results. Common fields include 'name', + 'created_at', 'updated_at', and 'enabled'. + example: name + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + - description: >- + Sort order direction. Use 'asc' for ascending or 'desc' for + descending. 
Defaults to 'asc'. + example: asc + in: query + name: sort_direction + required: false + schema: + enum: + - asc + - desc + type: string + responses: + '200': + content: + application/json: + example: + data: + - actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + updated_at: '2023-10-31T10:00:00.000Z' + updated_by: elastic + page: 1 + per_page: 10 + total: 1 + schema: + type: object + properties: + data: + description: Array of matched Attack Discovery schedule objects. + items: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule + type: array + page: + description: Current page number of the paginated result set. + type: number + per_page: + description: Number of items requested per page. + type: number + total: + description: >- + Total number of Attack Discovery schedules matching the + query (across all pages). + type: number + required: + - page + - per_page + - total + - data + description: Indicates a successful call. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request payload. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message + example: Invalid request payload. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + description: Bad Request response. 
+ summary: Find Attack Discovery schedules that match the search criteria + tags: + - Security Attack discovery API + x-code-samples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/schedules/_find' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + /api/attack_discovery/schedules/{id}: + delete: + description: >- + Permanently deletes an Attack Discovery schedule and all associated + configuration. + operationId: DeleteAttackDiscoverySchedules + parameters: + - description: >- + The unique identifier (UUID) of the Attack Discovery schedule to + delete. This ID is returned when creating a schedule and can be + found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + id: 12345678-1234-1234-1234-123456789012 + schema: + type: object + properties: + id: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_NonEmptyString + description: >- + The unique identifier of the deleted Attack Discovery + schedule + required: + - id + description: >- + Successfully deleted Attack Discovery schedule, returning the ID of + the deleted schedule for confirmation + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError + description: Bad Request response. 
+ summary: Delete Attack Discovery schedule + tags: + - Security Attack discovery API + x-code-samples: + - label: Delete an Attack Discovery schedule + lang: curl + source: | + curl \ + --request DELETE 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + get: + description: >- + Retrieves a specific Attack Discovery schedule by its unique identifier. + Returns complete schedule configuration including parameters, interval + settings, associated actions, and execution history. + operationId: GetAttackDiscoverySchedules + parameters: + - description: >- + The unique identifier (UUID) of the Attack Discovery schedule to + retrieve. This ID is returned when creating a schedule and can be + found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + last_execution: + date: '2023-10-31T10:00:00.000Z' + last_duration: 45.2 + status: ok + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + updated_at: '2023-10-31T10:00:00.000Z' + updated_by: elastic + schema: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule + description: >- + Successfully retrieved Attack Discovery schedule with complete + configuration and metadata + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. 
+ status_code: 400 + schema: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError + description: Bad Request response. + summary: Get Attack Discovery schedule by ID + tags: + - Security Attack discovery API + x-code-samples: + - label: Get an Attack Discovery schedule by ID + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + put: + description: >- + Updates an existing Attack Discovery schedule with new configuration. + All schedule properties can be modified including name, parameters, + interval, and actions. The update operation replaces the entire schedule + configuration with the provided values. + operationId: UpdateAttackDiscoverySchedules + parameters: + - description: >- + The unique identifier (UUID) of the Attack Discovery schedule to + update. This ID is returned when creating a schedule and can be + found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + requestBody: + content: + application/json: + example: + actions: [] + name: Updated Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 200 + start: now-48h + schedule: + interval: 12h + schema: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps + description: >- + Updated Attack Discovery schedule configuration. All fields are + required as this replaces the entire schedule configuration. 
+ required: true + responses: + '200': + content: + application/json: + example: + actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + name: Updated Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 200 + start: now-48h + schedule: + interval: 12h + updated_at: '2023-10-31T12:00:00.000Z' + updated_by: elastic + schema: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule + description: >- + Successfully updated Attack Discovery schedule with the new + configuration and metadata + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError + description: Bad Request response. + summary: Update Attack Discovery schedule + tags: + - Security Attack discovery API + x-code-samples: + - label: Update an Attack Discovery schedule + lang: curl + source: | + curl \ + --request PUT 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{ + "name": "Updated Daily Security Analysis", + "params": { + "alerts_index_pattern": ".alerts-security.alerts-default", + "api_config": { + "actionTypeId": "bedrock", + "connectorId": "my-bedrock-connector", + "name": "Claude 3.5 Sonnet" + }, + "size": 200, + "start": "now-48h", + "end": "now" + }, + "schedule": { + "interval": "12h" + }, + "actions": [] + }' + /api/attack_discovery/schedules/{id}/_disable: + post: + description: >- + Disables an Attack Discovery schedule, preventing it from running + according to its configured interval. 
The schedule configuration is + preserved and can be re-enabled later. Any currently running executions + will complete, but no new executions will be started. + operationId: DisableAttackDiscoverySchedules + parameters: + - description: >- + The unique identifier (UUID) of the Attack Discovery schedule to + disable. This ID is returned when creating a schedule and can be + found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + id: 12345678-1234-1234-1234-123456789012 + schema: + type: object + properties: + id: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_NonEmptyString + description: >- + The unique identifier of the disabled Attack Discovery + schedule + required: + - id + description: >- + Successfully disabled Attack Discovery schedule, returning the + schedule ID for confirmation + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError + description: Bad Request response. + summary: Disable Attack Discovery schedule + tags: + - Security Attack discovery API + x-code-samples: + - label: Disable an Attack Discovery schedule + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_disable' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + /api/attack_discovery/schedules/{id}/_enable: + post: + description: >- + Enables a previously disabled Attack Discovery schedule, allowing it to + run according to its configured interval. Once enabled, the schedule + will begin executing at the next scheduled time based on its interval + configuration. 
+ operationId: EnableAttackDiscoverySchedules + parameters: + - description: >- + The unique identifier (UUID) of the Attack Discovery schedule to + enable. This ID is returned when creating a schedule and can be + found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + id: 12345678-1234-1234-1234-123456789012 + schema: + type: object + properties: + id: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_NonEmptyString + description: >- + The unique identifier of the enabled Attack Discovery + schedule + required: + - id + description: >- + Successfully enabled Attack Discovery schedule, returning the + schedule ID for confirmation + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError + description: Bad Request response. + summary: Enable Attack Discovery schedule + tags: + - Security Attack discovery API + x-code-samples: + - label: Enable an Attack Discovery schedule + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_enable' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + /api/cases: + delete: + description: > + You must have `read` or `all` privileges and the `delete` sub-feature + privilege for the **Cases** feature in the **Management**, + **Observability**, or **Security** section of the Kibana feature + privileges, depending on the owner of the cases you're deleting. 
+ operationId: deleteCaseDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_ids' + responses: + '204': + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Delete cases + tags: + - cases + x-code-samples: + - label: curl + lang: curl + source: | + curl \ + --request DELETE 'https://localhost:5601/api/cases?ids=%5B%22030e6e34-6470-4001-864f-b229511ad188%22%2C%22e662ff34-0493-4538-b9d1-6706ced02ff2%22%5D' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --header "kbn-xsrf: true" + - label: Console + lang: console + source: > + DELETE + kbn:/api/cases?ids=["030e6e34-6470-4001-864f-b229511ad188","e662ff34-0493-4538-b9d1-6706ced02ff2"] + patch: + description: > + You must have `all` privileges for the **Cases** feature in the + **Management**, **Observability**, or **Security** section of the + Kibana feature privileges, depending on the owner of the case you're + updating. + operationId: updateCaseDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + requestBody: + content: + application/json: + examples: + updateCaseRequest: + $ref: '#/components/examples/Cases_update_case_request' + schema: + $ref: '#/components/schemas/Cases_update_case_request' + responses: + '200': + content: + application/json: + examples: + updateCaseResponse: + $ref: '#/components/examples/Cases_update_case_response' + schema: + items: + $ref: '#/components/schemas/Cases_case_response_properties' + type: array + description: Indicates a successful call. 
+ '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Update cases + tags: + - cases + post: + description: > + You must have `all` privileges for the **Cases** feature in the + **Management**, **Observability**, or **Security** section of the + Kibana feature privileges, depending on the owner of the case you're + creating. + operationId: createCaseDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + requestBody: + content: + application/json: + examples: + createCaseRequest: + $ref: '#/components/examples/Cases_create_case_request' + schema: + $ref: '#/components/schemas/Cases_create_case_request' + required: true + responses: + '200': + content: + application/json: + examples: + createCaseResponse: + $ref: '#/components/examples/Cases_create_case_response' + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Create a case + tags: + - cases + /api/cases/_find: + get: + description: > + You must have `read` privileges for the **Cases** feature in the + **Management**, **Observability**, or **Security** section of the Kibana + feature privileges, depending on the owner of the cases you're seeking. 
+ operationId: findCasesDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_assignees_filter' + - $ref: '#/components/parameters/Cases_category' + - $ref: '#/components/parameters/Cases_defaultSearchOperator' + - $ref: '#/components/parameters/Cases_from' + - $ref: '#/components/parameters/Cases_owner_filter' + - $ref: '#/components/parameters/Cases_page_index' + - $ref: '#/components/parameters/Cases_page_size' + - $ref: '#/components/parameters/Cases_reporters' + - $ref: '#/components/parameters/Cases_search' + - $ref: '#/components/parameters/Cases_searchFields' + - $ref: '#/components/parameters/Cases_severity' + - $ref: '#/components/parameters/Cases_sortField' + - $ref: '#/components/parameters/Cases_sort_order' + - $ref: '#/components/parameters/Cases_status' + - $ref: '#/components/parameters/Cases_tags' + - $ref: '#/components/parameters/Cases_to' + responses: + '200': + content: + application/json: + examples: + findCaseResponse: + $ref: '#/components/examples/Cases_find_case_response' + schema: + type: object + properties: + cases: + items: + $ref: '#/components/schemas/Cases_case_response_properties' + maxItems: 10000 + type: array + count_closed_cases: + type: integer + count_in_progress_cases: + type: integer + count_open_cases: + type: integer + page: + type: integer + per_page: + type: integer + total: + type: integer + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Search cases + tags: + - cases + /api/cases/{caseId}: + get: + description: > + Returns case details. The response does not include a comments + property; use the find case comments API to retrieve comments. The + totalComment field reflects the actual number of user comments on the + case. 
You must have `read` privileges for the **Cases** feature in the + **Management**, **Observability**, or **Security** section of the Kibana + feature privileges, depending on the owner of the case you're seeking. + operationId: getCaseDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + responses: + '200': + content: + application/json: + examples: + getDefaultCaseResponse: + $ref: '#/components/examples/Cases_get_case_response' + getDefaultObservabilityCaseResponse: + $ref: '#/components/examples/Cases_get_case_observability_response' + schema: + $ref: '#/components/schemas/Cases_case_response_get_case' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get case information + tags: + - cases + /api/cases/{caseId}/alerts: + get: + description: > + You must have `read` privileges for the **Cases** feature in the + **Management**, **Observability**, or **Security** section of the Kibana + feature privileges, depending on the owner of the cases you're seeking. + operationId: getCaseAlertsDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + responses: + '200': + content: + application/json: + examples: + getCaseAlertsResponse: + $ref: '#/components/examples/Cases_get_case_alerts_response' + schema: + items: + $ref: '#/components/schemas/Cases_alert_response_properties' + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. 
+ summary: Get all alerts for a case + tags: + - cases + x-state: Technical preview + /api/cases/{caseId}/comments: + delete: + description: > + Deletes all comments and alerts from a case. You must have `all` + privileges for the **Cases** feature in the **Management**, + **Observability**, or **Security** section of the Kibana feature + privileges, depending on the owner of the cases you're deleting. + operationId: deleteCaseCommentsDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_case_id' + responses: + '204': + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Delete all case comments and alerts + tags: + - cases + x-codeSamples: + - label: curl + lang: curl + source: | + curl \ + --request DELETE 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments' \ + --header "Authorization: $API_KEY" \ + --header "kbn-xsrf: true" + - label: Console + lang: console + source: | + DELETE kbn:/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments + patch: + description: > + You must have `all` privileges for the **Cases** feature in the + **Management**, **Observability**, or **Security** section of the Kibana + feature privileges, depending on the owner of the case you're updating. + NOTE: You cannot change the comment type or the owner of a comment. 
+ operationId: updateCaseCommentDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_case_id' + requestBody: + content: + application/json: + examples: + updateCaseCommentRequest: + $ref: '#/components/examples/Cases_update_comment_request' + schema: + $ref: '#/components/schemas/Cases_update_case_comment_request' + required: true + responses: + '200': + content: + application/json: + examples: + updateCaseCommentResponse: + $ref: '#/components/examples/Cases_update_comment_response' + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Update a case comment or alert + tags: + - cases + post: + description: > + You must have `all` privileges for the **Cases** feature in the + **Management**, **Observability**, or **Security** section of the Kibana + feature privileges, depending on the owner of the case you're creating. + NOTE: Each case can have a maximum of 1,000 alerts. + operationId: addCaseCommentDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_case_id' + requestBody: + content: + application/json: + examples: + createCaseCommentRequest: + $ref: '#/components/examples/Cases_add_comment_request' + schema: + $ref: '#/components/schemas/Cases_add_case_comment_request' + required: true + responses: + '200': + content: + application/json: + examples: + createCaseCommentResponse: + $ref: '#/components/examples/Cases_add_comment_response' + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. 
+ '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Add a case comment or alert + tags: + - cases + /api/cases/{caseId}/comments/_find: + get: + description: > + Retrieves a paginated list of comments for a case. You must have `read` + privileges for the **Cases** feature in the **Management**, + **Observability**, or **Security** section of the Kibana feature + privileges, depending on the owner of the cases with the comments you're + seeking. + operationId: findCaseCommentsDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/Cases_page_index' + - $ref: '#/components/parameters/Cases_page_size' + - $ref: '#/components/parameters/Cases_sort_order' + responses: + '200': + content: + application/json: + examples: + findCaseCommentsResponse: + $ref: '#/components/examples/Cases_find_case_comments_response' + schema: + $ref: '#/components/schemas/Cases_find_comments_response' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Find case comments + tags: + - cases + /api/cases/{caseId}/comments/{commentId}: + delete: + description: > + You must have `all` privileges for the **Cases** feature in the + **Management**, **Observability**, or **Security** section of the Kibana + feature privileges, depending on the owner of the cases you're deleting. 
+ operationId: deleteCaseCommentDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/Cases_comment_id' + responses: + '204': + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Delete a case comment or alert + tags: + - cases + x-codeSamples: + - label: curl + lang: curl + source: | + curl \ + --request DELETE 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2' \ + --header "Authorization: $API_KEY" \ + --header "kbn-xsrf: true" + - label: Console + lang: console + source: > + DELETE + kbn:/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2 + get: + description: > + You must have `read` privileges for the **Cases** feature in the + **Management**, **Observability**, or **Security** section of the Kibana + feature privileges, depending on the owner of the cases with the + comments you're seeking. + operationId: getCaseCommentDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/Cases_comment_id' + responses: + '200': + content: + application/json: + examples: + getCaseCommentResponse: + $ref: '#/components/examples/Cases_get_comment_response' + schema: + oneOf: + - $ref: >- + #/components/schemas/Cases_alert_comment_response_properties + - $ref: >- + #/components/schemas/Cases_user_comment_response_properties + description: Indicates a successful call. 
+ '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get a case comment or alert + tags: + - cases + /api/cases/{caseId}/connector/{connectorId}/_push: + post: + description: > + You must have `all` privileges for the **Actions and Connectors** + feature in the **Management** section of the Kibana feature privileges. + You must also have `all` privileges for the **Cases** feature in the + **Management**, **Observability**, or **Security** section of the Kibana + feature privileges, depending on the owner of the case you're pushing. + operationId: pushCaseDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/Cases_connector_id' + - $ref: '#/components/parameters/Cases_kbn_xsrf' + requestBody: + content: + application/json: + examples: + pushCaseRequest: + summary: >- + Push a case to an external service. No request body is + required. + value: null + schema: + nullable: true + type: object + responses: + '200': + content: + application/json: + examples: + pushCaseResponse: + $ref: '#/components/examples/Cases_push_case_response' + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Push a case to an external service + tags: + - cases + /api/cases/{caseId}/files: + post: + description: > + Attach a file to a case. 
You must have `all` privileges for the + **Cases** feature in the **Management**, **Observability**, or + **Security** section of the Kibana feature privileges, depending on the + owner of the case you're updating. The request must include: + + - The `Content-Type: multipart/form-data` HTTP header. + + - The location of the file that is being uploaded. + operationId: addCaseFileDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_case_id' + requestBody: + content: + multipart/form-data: + examples: + addCaseFileRequest: + summary: Attach a plain text file named "my_attachment". + value: + filename: my_attachment + schema: + $ref: '#/components/schemas/Cases_add_case_file_request' + required: true + responses: + '200': + content: + application/json: + examples: + addCaseFileResponse: + $ref: '#/components/examples/Cases_add_comment_response' + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Attach a file to a case + tags: + - cases + x-codeSamples: + - label: curl + lang: curl + source: | + curl \ + --request POST 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/files' \ + --header "Authorization: $API_KEY" \ + --header "kbn-xsrf: true" \ + --form "file=@/path/to/my_attachment.txt" \ + --form "filename=my_attachment" + /api/cases/{caseId}/user_actions/_find: + get: + description: > + Retrieves a paginated list of user activity for a case. You must have + `read` privileges for the **Cases** feature in the **Management**, + **Observability**, or **Security** section of the Kibana feature + privileges, depending on the owner of the case you're seeking. 
+ operationId: findCaseActivityDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/Cases_page_index' + - $ref: '#/components/parameters/Cases_page_size' + - $ref: '#/components/parameters/Cases_sort_order' + - $ref: '#/components/parameters/Cases_user_action_types' + responses: + '200': + content: + application/json: + examples: + findCaseActivityResponse: + $ref: '#/components/examples/Cases_find_case_activity_response' + schema: + type: object + properties: + page: + type: integer + perPage: + type: integer + total: + type: integer + userActions: + items: + $ref: >- + #/components/schemas/Cases_user_actions_find_response_properties + maxItems: 10000 + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Find case activity + tags: + - cases + /api/cases/alerts/{alertId}: + get: + description: > + You must have `read` privileges for the **Cases** feature in the + **Management**, **Observability**, or **Security** section of the Kibana + feature privileges, depending on the owner of the cases you're seeking. + operationId: getCasesByAlertDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_alert_id' + - $ref: '#/components/parameters/Cases_owner_filter' + responses: + '200': + content: + application/json: + examples: + getCasesByAlertResponse: + summary: Cases associated with a given alert. 
+ value: + - createdAt: '2020-02-19T23:06:33.798Z' + description: Investigating suspicious activity + id: 06116b80-e1c3-11ec-be9b-9b1838238ee6 + status: open + title: security_case + totals: + alerts: 1 + events: 0 + userComments: 0 + schema: + items: + $ref: '#/components/schemas/Cases_related_case' + maxItems: 10000 + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get cases for an alert + tags: + - cases + x-state: Technical preview + /api/cases/configure: + get: + description: > + Get setting details such as the closure type, custom fields, templates, + and the default connector for cases. You must have `read` privileges for + the **Cases** feature in the **Management**, **Observability**, or + **Security** section of the Kibana feature privileges, depending on + where the cases were created. + operationId: getCaseConfigurationDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_owner_filter' + responses: + '200': + content: + application/json: + examples: + getConfigurationResponse: + $ref: '#/components/examples/Cases_get_case_configuration_response' + schema: + items: + type: object + properties: + closure_type: + $ref: '#/components/schemas/Cases_closure_types' + connector: + type: object + properties: + fields: + description: >- + The fields specified in the case configuration are + not used and are not propagated to individual cases, + therefore it is recommended to set it to `null`. + nullable: true + type: object + id: + description: >- + The identifier for the connector. If you do not want + a default connector, use `none`. To retrieve + connector IDs, use the find connectors API. + example: none + type: string + name: + description: >- + The name of the connector. 
If you do not want a + default connector, use `none`. To retrieve connector + names, use the find connectors API. + example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + created_at: + example: '2022-06-01T17:07:17.767Z' + format: date-time + type: string + created_by: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + customFields: + description: Custom fields configuration details. + items: + type: object + properties: + defaultValue: + description: > + A default value for the custom field. If the + `type` is `text`, the default value must be a + string. If the `type` is `toggle`, the default + value must be boolean. + oneOf: + - type: string + - type: boolean + key: + description: > + A unique key for the custom field. Must be lower + case and composed only of a-z, 0-9, '_', and '-' + characters. It is used in API calls to refer to a + specific custom field. + maxLength: 36 + minLength: 1 + type: string + label: + description: >- + The custom field label that is displayed in the + case. + maxLength: 50 + minLength: 1 + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + required: + description: > + Indicates whether the field is required. If + `false`, the custom field can be set to null or + omitted when a case is created or updated. 
+ type: boolean + type: array + error: + example: null + nullable: true + type: string + id: + example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 + type: string + mappings: + items: + type: object + properties: + action_type: + example: overwrite + type: string + source: + example: title + type: string + target: + example: summary + type: string + type: array + observableTypes: + description: Custom observable type configuration details. + items: + type: object + properties: + key: + description: The observable type key. + example: d312efda-ec2b-42ec-9e2c-84981795c581 + type: string + label: + description: The observable type label. + example: My observable type + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + templates: + $ref: '#/components/schemas/Cases_templates' + updated_at: + example: '2022-06-01T19:58:48.169Z' + format: date-time + nullable: true + type: string + updated_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + version: + example: WzIwNzMsMV0= + type: string + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get case settings + tags: + - cases + post: + description: > + Case settings include external connection details, custom fields, and + templates. Connectors are used to interface with external systems. You + must create a connector before you can use it in your cases. 
If you set + a default connector, it is automatically selected when you create cases + in Kibana. If you use the create case API, however, you must still + specify all of the connector details. You must have `all` privileges for + the **Cases** feature in the **Management**, **Observability**, or + **Security** section of the Kibana feature privileges, depending on + where you are creating cases. + operationId: setCaseConfigurationDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + requestBody: + content: + application/json: + examples: + setCaseConfigRequest: + $ref: '#/components/examples/Cases_set_case_configuration_request' + schema: + $ref: '#/components/schemas/Cases_set_case_configuration_request' + responses: + '200': + content: + application/json: + examples: + setCaseConfigResponse: + $ref: '#/components/examples/Cases_set_case_configuration_response' + schema: + type: object + properties: + closure_type: + $ref: '#/components/schemas/Cases_closure_types' + connector: + type: object + properties: + fields: + description: >- + The fields specified in the case configuration are not + used and are not propagated to individual cases, + therefore it is recommended to set it to `null`. + nullable: true + type: object + id: + description: >- + The identifier for the connector. If you do not want a + default connector, use `none`. To retrieve connector + IDs, use the find connectors API. + example: none + type: string + name: + description: >- + The name of the connector. If you do not want a + default connector, use `none`. To retrieve connector + names, use the find connectors API. 
+ example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + created_at: + example: '2022-06-01T17:07:17.767Z' + format: date-time + type: string + created_by: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + customFields: + description: Custom fields configuration details. + items: + type: object + properties: + defaultValue: + description: > + A default value for the custom field. If the `type` + is `text`, the default value must be a string. If + the `type` is `toggle`, the default value must be + boolean. + oneOf: + - type: string + - type: boolean + key: + description: > + A unique key for the custom field. Must be lower + case and composed only of a-z, 0-9, '_', and '-' + characters. It is used in API calls to refer to a + specific custom field. + maxLength: 36 + minLength: 1 + type: string + label: + description: >- + The custom field label that is displayed in the + case. + maxLength: 50 + minLength: 1 + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + required: + description: > + Indicates whether the field is required. If `false`, + the custom field can be set to null or omitted when + a case is created or updated. + type: boolean + type: array + error: + example: null + nullable: true + type: string + id: + example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 + type: string + mappings: + items: + type: object + properties: + action_type: + example: overwrite + type: string + source: + example: title + type: string + target: + example: summary + type: string + type: array + observableTypes: + description: Custom observable type configuration details. 
+ items: + type: object + properties: + key: + description: The observable type key. + example: d312efda-ec2b-42ec-9e2c-84981795c581 + type: string + label: + description: The observable type label. + example: My observable type + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + templates: + $ref: '#/components/schemas/Cases_templates' + updated_at: + example: '2022-06-01T19:58:48.169Z' + format: date-time + nullable: true + type: string + updated_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + version: + example: WzIwNzMsMV0= + type: string + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Add case settings + tags: + - cases + /api/cases/configure/{configurationId}: + patch: + description: > + Updates setting details such as the closure type, custom fields, + templates, and the default connector for cases. Connectors are used to + interface with external systems. You must create a connector before you + can use it in your cases. You must have `all` privileges for the + **Cases** feature in the **Management**, **Observability**, or + **Security** section of the Kibana feature privileges, depending on + where the case was created. 
+ operationId: updateCaseConfigurationDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_configuration_id' + requestBody: + content: + application/json: + examples: + updateCaseConfigurationRequest: + $ref: '#/components/examples/Cases_update_case_configuration_request' + schema: + $ref: '#/components/schemas/Cases_update_case_configuration_request' + responses: + '200': + content: + application/json: + examples: + updateCaseConfigurationResponse: + $ref: >- + #/components/examples/Cases_update_case_configuration_response + schema: + type: object + properties: + closure_type: + $ref: '#/components/schemas/Cases_closure_types' + connector: + type: object + properties: + fields: + description: >- + The fields specified in the case configuration are not + used and are not propagated to individual cases, + therefore it is recommended to set it to `null`. + nullable: true + type: object + id: + description: >- + The identifier for the connector. If you do not want a + default connector, use `none`. To retrieve connector + IDs, use the find connectors API. + example: none + type: string + name: + description: >- + The name of the connector. If you do not want a + default connector, use `none`. To retrieve connector + names, use the find connectors API. + example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + created_at: + example: '2022-06-01T17:07:17.767Z' + format: date-time + type: string + created_by: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + customFields: + description: Custom fields configuration details. 
+ items: + type: object + properties: + defaultValue: + description: > + A default value for the custom field. If the `type` + is `text`, the default value must be a string. If + the `type` is `toggle`, the default value must be + boolean. + oneOf: + - type: string + - type: boolean + key: + description: > + A unique key for the custom field. Must be lower + case and composed only of a-z, 0-9, '_', and '-' + characters. It is used in API calls to refer to a + specific custom field. + maxLength: 36 + minLength: 1 + type: string + label: + description: >- + The custom field label that is displayed in the + case. + maxLength: 50 + minLength: 1 + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + required: + description: > + Indicates whether the field is required. If `false`, + the custom field can be set to null or omitted when + a case is created or updated. + type: boolean + type: array + error: + example: null + nullable: true + type: string + id: + example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 + type: string + mappings: + items: + type: object + properties: + action_type: + example: overwrite + type: string + source: + example: title + type: string + target: + example: summary + type: string + type: array + observableTypes: + description: Custom observable type configuration details. + items: + type: object + properties: + key: + description: The observable type key. + example: d312efda-ec2b-42ec-9e2c-84981795c581 + type: string + label: + description: The observable type label. 
+ example: My observable type + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + templates: + $ref: '#/components/schemas/Cases_templates' + updated_at: + example: '2022-06-01T19:58:48.169Z' + format: date-time + nullable: true + type: string + updated_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + version: + example: WzIwNzMsMV0= + type: string + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Update case settings + tags: + - cases + /api/cases/configure/connectors/_find: + get: + description: > + Get information about connectors that are supported for use in cases. + You must have `read` privileges for the **Actions and Connectors** + feature in the **Management** section of the Kibana feature privileges. 
+ operationId: findCaseConnectorsDefaultSpace + responses: + '200': + content: + application/json: + examples: + findConnectorResponse: + $ref: '#/components/examples/Cases_find_connector_response' + schema: + items: + type: object + properties: + actionTypeId: + $ref: '#/components/schemas/Cases_connector_types' + config: + additionalProperties: true + type: object + properties: + apiUrl: + type: string + projectKey: + type: string + id: + type: string + isDeprecated: + type: boolean + isMissingSecrets: + type: boolean + isPreconfigured: + type: boolean + name: + type: string + referencedByCount: + type: integer + maxItems: 1000 + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get case connectors + tags: + - cases + /api/cases/reporters: + get: + description: > + Returns information about the users who opened cases. You must have read + privileges for the **Cases** feature in the **Management**, + **Observability**, or **Security** section of the Kibana feature + privileges, depending on the owner of the cases. The API returns + information about the users as they existed at the time of the case + creation, including their name, full name, and email address. If any of + those details change thereafter or if a user is deleted, the information + returned by this API is unchanged. 
+ operationId: getCaseReportersDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_owner_filter' + responses: + '200': + content: + application/json: + examples: + getReportersResponse: + $ref: '#/components/examples/Cases_get_reporters_response' + schema: + items: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + maxItems: 10000 + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get case creators + tags: + - cases + /api/cases/tags: + get: + description: > + Aggregates and returns a list of case tags. You must have read + privileges for the **Cases** feature in the **Management**, + **Observability**, or **Security** section of the Kibana feature + privileges, depending on the owner of the cases you're seeking. + operationId: getCaseTagsDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_owner_filter' + responses: + '200': + content: + application/json: + examples: + getTagsResponse: + $ref: '#/components/examples/Cases_get_tags_response' + schema: + items: + type: string + maxItems: 10000 + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. 
+ summary: Get case tags + tags: + - cases + /api/data_views: + get: + operationId: getAllDataViewsDefault + responses: + '200': + content: + application/json: + examples: + getAllDataViewsResponse: + $ref: '#/components/examples/Data_views_get_data_views_response' + schema: + type: object + properties: + data_view: + items: + type: object + properties: + id: + type: string + name: + type: string + namespaces: + items: + type: string + type: array + title: + type: string + typeMeta: + type: object + type: array + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Get all data views + tags: + - data views + /api/data_views/data_view: + post: + operationId: createDataViewDefaultw + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + createDataViewRequest: + $ref: '#/components/examples/Data_views_create_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_create_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Create a data view + tags: + - data views + /api/data_views/data_view/{viewId}: + delete: description: | - A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. - example: cases - in: query - name: owner - schema: - oneOf: - - $ref: '#/components/schemas/Cases_owner' - - $ref: '#/components/schemas/Cases_owners' - Cases_page_index: - description: The page number to return. 
- example: 1 - in: query - name: page - required: false - schema: - default: 1 - type: integer - Cases_page_size: - description: The number of items to return. Limited to 100 items. - example: 20 - in: query - name: perPage - required: false - schema: - default: 20 - maximum: 100 - type: integer - Cases_reporters: - description: Filters the returned cases by the user name of the reporter. - example: elastic - in: query - name: reporters - schema: - oneOf: - - $ref: '#/components/schemas/Cases_string' - - $ref: '#/components/schemas/Cases_string_array' - Cases_search: - description: An Elasticsearch simple_query_string query that filters the objects in the response. - example: Case title 1 - in: query - name: search - schema: - type: string - Cases_searchFields: - description: The fields to perform the simple_query_string parsed query against. - in: query - name: searchFields - schema: - oneOf: - - $ref: '#/components/schemas/Cases_searchFieldsType' - - $ref: '#/components/schemas/Cases_searchFieldsTypeArray' - Cases_severity: - description: The severity of the case. - example: low - in: query - name: severity - schema: - enum: - - critical - - high - - low - - medium - type: string - Cases_sort_order: - description: Determines the sort order. - example: desc - in: query - name: sortOrder - required: false - schema: - default: desc - enum: - - asc - - desc - type: string - Cases_sortField: - description: Determines which field is used to sort the results. - example: updatedAt - in: query - name: sortField - schema: - default: createdAt - enum: - - createdAt - - updatedAt - - closedAt - - title - - category - - status - - severity - type: string - Cases_status: - description: Filters the returned cases by state. - example: open - in: query - name: status - schema: - enum: - - closed - - in-progress - - open - type: string - Cases_tags: - description: Filters the returned cases by tags. 
- example: tag-1 - in: query - name: tags - schema: - oneOf: - - $ref: '#/components/schemas/Cases_string' - - $ref: '#/components/schemas/Cases_string_array' - Cases_to: + WARNING: When you delete a data view, it cannot be recovered. + operationId: deleteDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '204': + description: Indicates a successful call. + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Delete a data view + tags: + - data views + get: + operationId: getDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + content: + application/json: + examples: + getDataViewResponse: + $ref: '#/components/examples/Data_views_get_data_view_response' + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Get a data view + tags: + - data views + post: + operationId: updateDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + updateDataViewRequest: + $ref: '#/components/examples/Data_views_update_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_update_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. 
+ '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update a data view + tags: + - data views + /api/data_views/data_view/{viewId}/fields: + post: + description: > + Update fields presentation metadata such as count, customLabel, + customDescription, and format. + operationId: updateFieldsMetadataDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + updateFieldsMetadataRequest: + $ref: '#/components/examples/Data_views_update_field_metadata_request' + schema: + type: object + properties: + fields: + description: The field object. + type: object + required: + - fields + required: true + responses: + '200': + content: + application/json: + schema: + type: object + properties: + acknowledged: + type: boolean + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update data view fields metadata + tags: + - data views + /api/data_views/data_view/{viewId}/runtime_field: + post: + operationId: createRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + createRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_create_runtime_field_request' + schema: + type: object + properties: + name: + description: | + The name for a runtime field. + type: string + runtimeField: + description: | + The runtime field definition object. + type: object + required: + - name + - runtimeField + required: true + responses: + '200': + content: + application/json: + schema: + type: object + description: Indicates a successful call. 
+ summary: Create a runtime field + tags: + - data views + put: + operationId: createUpdateRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - description: | + The ID of the data view fields you want to update. + in: path + name: viewId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_create_runtime_field_request' + schema: + type: object + properties: + name: + description: | + The name for a runtime field. + type: string + runtimeField: + description: | + The runtime field definition object. + type: object + required: + - name + - runtimeField + required: true + responses: + '200': + content: + application/json: + schema: + type: object + properties: + data_view: + type: object + fields: + items: + type: object + type: array + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Create or update a runtime field + tags: + - data views + /api/data_views/data_view/{viewId}/runtime_field/{fieldName}: + delete: + operationId: deleteRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + description: Indicates a successful call. + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. 
+ summary: Delete a runtime field from a data view + tags: + - data views + get: + operationId: getRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + content: + application/json: + examples: + getRuntimeFieldResponse: + $ref: '#/components/examples/Data_views_get_runtime_field_response' + schema: + type: object + properties: + data_view: + type: object + fields: + items: + type: object + type: array + description: Indicates a successful call. + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Get a runtime field + tags: + - data views + post: + operationId: updateRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + updateRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_update_runtime_field_request' + schema: + type: object + properties: + runtimeField: + description: | + The runtime field definition object. + + You can update following fields: + + - `type` + - `script` + type: object + required: + - runtimeField + required: true + responses: + '200': + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update a runtime field + tags: + - data views + /api/data_views/default: + get: + operationId: getDefaultDataViewDefault + responses: + '200': + content: + application/json: + examples: + getDefaultDataViewResponse: + $ref: >- + #/components/examples/Data_views_get_default_data_view_response + schema: + type: object + properties: + data_view_id: + type: string + description: Indicates a successful call. 
+ '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Get the default data view + tags: + - data views + post: + operationId: setDefaultDatailViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + setDefaultDataViewRequest: + $ref: '#/components/examples/Data_views_set_default_data_view_request' + schema: + type: object + properties: + data_view_id: + description: > + The data view identifier. NOTE: The API does not validate + whether it is a valid identifier. Use `null` to unset the + default data view. + nullable: true + type: string + force: + default: false + description: Update an existing default data view identifier. + type: boolean + required: + - data_view_id + required: true + responses: + '200': + content: + application/json: + schema: + type: object + properties: + acknowledged: + type: boolean + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Set the default data view + tags: + - data views + /api/data_views/swap_references: + post: + description: > + Changes saved object references from one data view identifier to + another. WARNING: Misuse can break large numbers of saved objects! + Practicing with a backup is recommended. 
+ operationId: swapDataViewsDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + swapDataViewRequest: + $ref: '#/components/examples/Data_views_swap_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_swap_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + schema: + type: object + properties: + deleteStatus: + type: object + properties: + deletePerformed: + type: boolean + remainingRefs: + type: integer + result: + items: + type: object + properties: + id: + description: A saved object identifier. + type: string + type: + description: The saved object type. + type: string + type: array + description: Indicates a successful call. + summary: Swap saved object references + tags: + - data views + /api/data_views/swap_references/_preview: + post: + description: > + Preview the impact of swapping saved object references from one data + view identifier to another. + operationId: previewSwapDataViewsDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + previewSwapDataViewRequest: + $ref: >- + #/components/examples/Data_views_preview_swap_data_view_request + schema: + $ref: '#/components/schemas/Data_views_swap_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + schema: + type: object + properties: + result: + items: + type: object + properties: + id: + description: A saved object identifier. + type: string + type: + description: The saved object type. + type: string + type: array + description: Indicates a successful call. + summary: Preview a saved object reference swap + tags: + - data views + /api/detection_engine/index: + delete: + description: > + Permanently deletes the Elastic Security alerts backing index in the + current space, including the alerts + + stored in it. 
Use with caution; prefer lifecycle policies or the UI when + available. + + Call `GET /api/detection_engine/index` first to confirm the index that + will be removed. + operationId: DeleteAlertsIndex + responses: + '200': + content: + application/json: + examples: + acknowledged: + value: + acknowledged: true + schema: + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + message: >- + API [DELETE /api/detection_engine/index] is unauthorized + for the current user. The user needs alerts management + permissions for the space. + status_code: 403 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Not enough permissions response + '404': + content: + application/json: + examples: + notFound: + value: + message: The Elastic Security alerts index to delete was not found. 
+ status_code: 404 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Index does not exist response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Delete an alerts index + tags: + - Security Detections API + - Alert index API + get: + description: > + Returns the backing Elasticsearch index for Elastic Security detection + alerts in the current space, and + + whether its mapping is outdated. Use this to verify that an alert index + is provisioned before creating + + or running rules that write alerts to it. + operationId: ReadAlertsIndex + responses: + '200': + content: + application/json: + examples: + success: + value: + index_mapping_outdated: false + name: .alerts-security.alerts-default + schema: + type: object + properties: + index_mapping_outdated: + nullable: true + type: boolean + name: + type: string + required: + - name + - index_mapping_outdated + description: Successful response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + message: >- + API [GET /api/detection_engine/index] is unauthorized for + the current user. Check Security and Kibana feature + privileges (detection engine / alerts) for the space. 
+ status_code: 403 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Not enough permissions response + '404': + content: + application/json: + examples: + notFound: + value: + message: >- + Elastic Security alert index is not found for the current + space. + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Not found + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Reads the alert index name if it exists + tags: + - Security Detections API + - Alert index API + post: description: | - Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression. - example: now+1d - in: query - name: to - schema: - type: string - Cases_user_action_types: - description: Determines the types of user actions to return. - in: query - name: types - schema: - items: - enum: - - action - - alert - - assignees - - attachment - - comment - - connector - - create_case - - description - - pushed - - settings - - severity - - status - - tags - - title - - user - example: create_case - type: string - type: array - Data_views_field_name: - description: The name of the runtime field. - in: path - name: fieldName - required: true - schema: - example: hour_of_day - type: string - Data_views_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - Data_views_view_id: - description: An identifier for the data view. 
- in: path - name: viewId - required: true - schema: - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f - type: string - Machine_learning_APIs_simulateParam: - description: When true, simulates the synchronization by returning only the list of actions that would be performed. - example: 'true' - in: query - name: simulate - required: false - schema: - type: boolean - Saved_objects_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - Saved_objects_saved_object_id: - description: An identifier for the saved object. - in: path - name: id - required: true - schema: - type: string - Saved_objects_saved_object_type: - description: Valid options include `visualization`, `dashboard`, `search`, `index-pattern`, `config`. - in: path - name: type - required: true - schema: - type: string - Short_URL_APIs_idParam: - description: The identifier for the short URL. - in: path - name: id - required: true - schema: - type: string - SLOs_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - SLOs_slo_id: - description: An identifier for the slo. - in: path - name: sloId - required: true - schema: - example: 9c235211-6834-11ea-a78c-6feb38a34414 - type: string - SLOs_space_id: - description: An identifier for the space. If `/s/` and the identifier are omitted from the path, the default space is used. 
- in: path - name: spaceId - required: true - schema: - example: default - type: string - schemas: - Alerting_401_response: - properties: - error: - enum: - - Unauthorized - example: Unauthorized - type: string - message: - type: string - statusCode: - enum: - - 401 - example: 401 - type: integer - title: Unsuccessful rule API response - type: object - Alerting_fieldmap_properties: - title: Field map objects in the get rule types response - type: object - properties: - array: - description: Indicates whether the field is an array. - type: boolean - dynamic: - description: Indicates whether it is a dynamic field mapping. - type: boolean - format: - description: | - Indicates the format of the field. For example, if the `type` is `date_range`, the `format` can be `epoch_millis||strict_date_optional_time`. - type: string - ignore_above: - description: Specifies the maximum length of a string field. Longer strings are not indexed or stored. - type: integer - index: - description: Indicates whether field values are indexed. - type: boolean - path: - description: TBD - type: string - properties: - additionalProperties: - type: object - properties: - type: - description: The data type for each object property. + Creates an index for Elastic Security alerts. Calling this API is not + required for the detection engine to function properly. You can create + rules and alerts without calling this API. 
+ operationId: CreateAlertsIndex + responses: + '200': + content: + application/json: + examples: + acknowledged: + value: + acknowledged: true + schema: + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + message: >- + API [POST /api/detection_engine/index] is unauthorized for + the current user. The user must be able to create indices + for the Elastic Security solution. + status_code: 403 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Not enough permissions response + '404': + content: + application/json: + examples: + notFound: + value: + message: >- + A prerequisite resource required to create the alerts + index was not found. 
+ status_code: 404 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Not found + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Create an alerts index + tags: + - Security Detections API + - Alert index API + /api/detection_engine/privileges: + get: + description: > + Retrieves whether or not the user is authenticated, and the user's + Kibana + + space and index privileges, which determine if the user can create an + + index for the Elastic Security alerts generated by + + detection engine rules. + operationId: ReadPrivileges + responses: + '200': + content: + application/json: + examples: + success: + value: + application: {} + cluster: + all: true + manage: true + manage_api_key: true + manage_index_templates: true + manage_ml: true + manage_own_api_key: true + manage_pipeline: true + manage_security: true + manage_transform: true + monitor: true + monitor_ml: true + monitor_transform: true + has_all_requested: true + has_encryption_key: true + index: + .alerts-security.alerts-default: + all: true + create: true + create_doc: true + create_index: true + delete: true + delete_index: true + index: true + maintenance: true + manage: true + monitor: true + read: true + view_index_metadata: true + write: true + is_authenticated: true + username: elastic + schema: + type: object + properties: + has_encryption_key: + type: boolean + is_authenticated: + type: boolean + required: + - is_authenticated + - has_encryption_key + description: Successful response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: 
unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Returns user privileges for the Kibana space + tags: + - Security Detections API + - Privileges API + /api/detection_engine/rules: + delete: + description: > + Delete a detection rule using the `rule_id` or `id` field. + + + The URL query must include one of the following: + + + * `id` - `DELETE /api/detection_engine/rules?id=` + + * `rule_id`- `DELETE /api/detection_engine/rules?rule_id=` + + + The difference between the `id` and `rule_id` is that the `id` is a + unique rule identifier that is randomly generated when a rule is created + and cannot be set, whereas `rule_id` is a stable rule identifier that + can be assigned during rule creation. + operationId: DeleteRule + parameters: + - description: The rule's `id` value. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + - description: The rule's `rule_id` value. 
+ in: query + name: rule_id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + responses: + '200': + content: + application/json: + examples: + deletedRule: + summary: Response shape after a rule is deleted + value: + actions: [] + created_at: '2020-02-03T11:19:04.259Z' + created_by: elastic + description: Process started by MS Office program in user folder + enabled: false + false_positives: [] + from: now-4200s + id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: MS Office child process + query: event.action:Process* + references: [] + risk_score: 50 + rule_id: process_started_by_ms_office_user_folder + severity: low + tags: + - tag + throttle: null + to: now + type: query + updated_at: '2020-02-03T11:19:04.462Z' + updated_by: elastic + version: 3 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Delete a detection rule + tags: + - Security Detections API + - Rules API + x-codeSamples: + - lang: cURL + source: | + curl \ + --request DELETE https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ + --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" + get: + description: > + Retrieve a detection rule using the `rule_id` or `id` field. + + + The URL query must include one of the following: + + + * `id` - `GET /api/detection_engine/rules?id=` + + * `rule_id` - `GET /api/detection_engine/rules?rule_id=` + + + The difference between the `id` and `rule_id` is that the `id` is a + unique rule identifier that is randomly generated when a rule is created + and cannot be set, whereas `rule_id` is a stable rule identifier that + can be assigned during rule creation. + operationId: ReadRule + parameters: + - description: The rule's `id` value. 
+ in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + - description: The rule's `rule_id` value. + in: query + name: rule_id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + responses: + '200': + content: + application/json: + examples: + example1: + summary: Example response for a retrieved rule + value: + created_at: '2020-02-03T11:19:04.259Z' + created_by: elastic + description: Process started by MS Office program in user folder + enabled: false + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: >- + This rule attempted to query data from Elasticsearch + indices listed in the "Index pattern" section of the + rule definition, but no matching index was found. + metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: [] + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-4200s + id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: MS Office child process + query: >- + process.parent.name:EXCEL.EXE or + process.parent.name:MSPUB.EXE or + process.parent.name:OUTLOOK.EXE or + process.parent.name:POWERPNT.EXE or + process.parent.name:VISIO.EXE or + process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: process.name + type: keyword + - ecs: true + name: process.parent.name + type: keyword + risk_score: 21 + rule_id: process_started_by_ms_office_user_folder + setup: '' + severity: low + tags: + - child process + - ms office + threat: + - framework: MITRE ATT&CK + tactic: + id: TA0001 + name: Initial Access + reference: https://attack.mitre.org/tactics/TA0001 + technique: + - id: 
T1193 + name: Spearphishing Attachment + reference: https://attack.mitre.org/techniques/T1193 + to: now-300s + type: query + updated_at: '2020-02-03T11:19:04.462Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: > + Indicates a successful call. + + > info + + > These fields are under development and their usage or schema may + change: execution_summary. + summary: Retrieve a detection rule + tags: + - Security Detections API + - Rules API + x-codeSamples: + - lang: cURL + source: | + curl \ + --request GET https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ + --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" + patch: + description: > + Update specific fields of an existing detection rule using the `rule_id` + or `id` field. + + + The difference between the `id` and `rule_id` is that the `id` is a + unique rule identifier that is randomly generated when a rule is created + and cannot be set, whereas `rule_id` is a stable rule identifier that + can be assigned during rule creation. + + > warn + + > When used with [API + key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, + the user's key gets assigned to the affected rules. If the user's key + gets deleted or the user becomes inactive, the rules will stop running. + + + > If the API key that is used for authorization has different privileges + than the key that created or most recently updated the rule, the rule + behavior might change. 
+ operationId: PatchRule + requestBody: + content: + application/json: + examples: + example1: + summary: Patch query rule + value: + id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 + name: New name + example2: + summary: Patch EQL rule + value: + rule_id: process_started_by_ms_office_program_possible_payload + threat: + - framework: MITRE ATT&CK + tactic: + id: TA0001 + name: Initial Access + reference: https://attack.mitre.org/tactics/TA0001 + technique: + - id: T1193 + name: Spearphishing Attachment + reference: https://attack.mitre.org/techniques/T1193 + example3: + summary: Patch threshold rule + value: + id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 + query: >- + agent.version : * and agent.id : + "243d9b4f-ca01-4311-8e5c-9abbee91afd8" + threshold: + cardinality: [] + field: [] + value: 600 + example4: + summary: Patch new terms rule + value: + history_window_start: now-3d + id: 569aac91-40dc-4807-a8ae-a2c8698089c4 + new_terms_fields: + - Endpoint.policy.applied.artifacts.global.identifiers.name + example5: + summary: Patch esql rule + value: + id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd + query: > + FROM logs-abc* + + | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) + + | EVAL event_rate = count / DATE_DIFF("seconds", + min_timestamp, NOW()) + + | KEEP event_rate + example6: + summary: Patch indicator match rule + value: + id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd + threat_query: >- + @timestamp >= "now-30d/d" and event.module:(threatintel or + ti_*) and threat.indicator.ip:* and not + labels.is_ioc_transform_source:"false" + example7: + summary: Patch machine learning rule + value: + anomaly_threshold: 50 + id: 60b13926-289b-41b1-a537-197ef1fa5059 + machine_learning_job_id: + - auth_high_count_logon_events_ea + schema: + $ref: '#/components/schemas/Security_Detections_API_RulePatchProps' + description: | + > info + > You cannot modify the `id` or `rule_id` values. 
+ required: true + responses: + '200': + content: + application/json: + examples: + example1: + summary: Example response for an updated rule + value: + actions: [] + created_at: '2020-04-07T14:51:09.755Z' + created_by: elastic + description: Updated description for the rule. + enabled: false + false_positives: [] + filters: + - query: null + from: now-70m + id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: Updated Rule Name + query: >- + process.parent.name:EXCEL.EXE or + process.parent.name:MSPUB.EXE or + process.parent.name:OUTLOOK.EXE or + process.parent.name:POWERPNT.EXE or + process.parent.name:VISIO.EXE or + process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + required_fields: + - name: process.parent.name + risk_score: 50 + rule_id: process_started_by_ms_office_program + setup: '' + severity: low + tags: + - child process + - ms office + threat: [] + to: now + type: query + updated_at: '2020-04-07T14:51:09.970Z' + updated_by: elastic + version: 2 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Patch a detection rule + tags: + - Security Detections API + - Rules API + post: + description: > + Create a new detection rule. + + > warn + + > When used with [API + key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, + the user's key gets assigned to the affected rules. If the user's key + gets deleted or the user becomes inactive, the rules will stop running. + + + > If the API key that is used for authorization has different privileges + than the key that created or most recently updated the rule, the rule + behavior might change. + + + You can create the following types of rules: + + + * **Custom query**: Searches the defined indices and creates an alert + when a document matches the rule's KQL query. 
+ + * **Event correlation**: Searches the defined indices and creates an + alert when results match an [Event Query Language + (EQL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html) + query. + + * **Threshold**: Searches the defined indices and creates an alert when + the number of times the specified field's value meets the threshold + during a single execution. When there are multiple values that meet the + threshold, an alert is generated for each value. + For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. If you're interested, see [Terms Aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html) for more information. + * **Indicator match**: Creates an alert when fields match values defined + in the specified [Elasticsearch + index](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html). + For example, you can create an index for IP addresses and use this index + to create an alert whenever an event's `destination.ip` equals a value + in the index. The index's field mappings should be + [ECS-compliant](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html). + + * **New terms**: Generates an alert for each new term detected in source + documents within a specified time range. + + * **ES|QL**: Uses [Elasticsearch Query Language + (ES|QL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html) + to find events and aggregate search results. + + * **Machine learning rules**: Creates an alert when a machine learning + job discovers an anomaly above the defined threshold. + + > info + + > To create machine learning rules, you must have the [appropriate + license](https://www.elastic.co/subscriptions) or use a [cloud + deployment](https://cloud.elastic.co/registration). 
Additionally, for + the machine learning rule to function correctly, the associated machine + learning job must be running. + + + To retrieve machine learning job IDs, which are required to create + machine learning jobs, call the [Elasticsearch Get jobs + API](https://www.elastic.co/guide/en/elasticsearch/reference/current/ml-get-job.html). + Machine learning jobs that contain `siem` in the `groups` field can be + used to create rules: + + + ```json + + ... + + "job_id": "linux_anomalous_network_activity_ecs", + + "job_type": "anomaly_detector", + + "job_version": "7.7.0", + + "groups": [ + "auditbeat", + "process", + "siem" + ], + + ... + + ``` + + + Additionally, you can set up notifications for when rules create alerts. + The notifications use the [Alerting and Actions + framework](https://www.elastic.co/docs/explore-analyze/alerting). Each + action type requires a connector. Connectors store the information + required to send notifications via external systems. The following + connector types are supported for rule notifications: + + + * Slack + + * Email + + * PagerDuty + + * Webhook + + * Microsoft Teams + + * IBM Resilient + + * Jira + + * ServiceNow ITSM + + > info + + > For more information on PagerDuty fields, see [Send a v2 + Event](https://developer.pagerduty.com/docs/events-api-v2/trigger-events/). + + + To retrieve connector IDs, which are required to configure rule + notifications, call the [Find objects + API](https://www.elastic.co/docs/api/doc/kibana/operation/operation-findsavedobjects) + with `"type": "action"` in the request payload. 
+ + + For detailed information on Kibana actions and alerting, and additional + API calls, see: + + + * [Alerting + API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-alerting) + + * [Alerting and Actions + framework](https://www.elastic.co/docs/explore-analyze/alerting) + + * [Connectors + API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-connectors) + operationId: CreateRule + requestBody: + content: + application/json: + examples: + example1: + description: Query rule that searches for processes started by MS Office + summary: Query rule + value: + description: Process started by MS Office program - possible payload + enabled: false + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-70m + interval: 1h + language: kuery + name: MS Office child process + query: >- + process.parent.name:EXCEL.EXE or + process.parent.name:MSPUB.EXE or + process.parent.name:OUTLOOK.EXE or + process.parent.name:POWERPNT.EXE or + process.parent.name:VISIO.EXE or + process.parent.name:WINWORD.EXE + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - name: process.parent.name + type: keyword + risk_score: 50 + rule_id: process_started_by_ms_office_program + severity: low + tags: + - child process + - ms office + type: query + example2: + description: >- + Threshold rule that detects multiple failed login attempts to + a Windows host from the same external source IP address + summary: Threshold rule + value: + description: >- + Detects when there are 20 or more failed login attempts from + the same IP address with a 2 minute time frame. 
+ enabled: true + exceptions_list: + - id: int-ips + namespace_type: single + type: detection + from: now-180s + index: + - winlogbeat-* + interval: 2m + name: Windows server prml-19 + query: >- + host.name:prml-19 and event.category:authentication and + event.outcome:failure + required_fields: + - name: source.ip + type: ip + risk_score: 30 + rule_id: liv-win-ser-logins + severity: low + severity_mapping: + - field: source.geo.city_name + operator: equals + severity: low + value: Manchester + - field: source.geo.city_name + operator: equals + severity: medium + value: London + - field: source.geo.city_name + operator: equals + severity: high + value: Birmingham + - field: source.geo.city_name + operator: equals + severity: critical + value: Wallingford + tags: + - Brute force + threshold: + field: source.ip + value: 20 + type: threshold + example3: + description: >- + Machine learning rule that creates alerts, and sends Slack + notifications, when the linux_anomalous_network_activity_ecs + machine learning job discovers anomalies with a threshold of + 70 or above. + summary: Machine learning rule + value: + actions: + - action_type_id: .slack + group: default + id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 + params: + message: 'Urgent: {{context.rule.description}}' + anomaly_threshold: 70 + description: Generates alerts when the job discovers anomalies over 70 + enabled: true + from: now-6m + interval: 5m + machine_learning_job_id: linux_anomalous_network_activity_ecs + name: Anomalous Linux network activity + note: Shut down the internet. + risk_score: 70 + rule_id: ml_linux_network_high_threshold + setup: This rule requires data coming in from Elastic Defend. 
+ severity: high + tags: + - machine learning + - Linux + type: machine_learning + example4: + description: >- + Event correlation rule that creates alerts when the Windows + rundll32.exe process makes unusual network connections + summary: EQL rule + value: + description: Unusual rundll32.exe network connection + language: eql + name: rundll32.exe network connection + query: >- + sequence by process.entity_id with maxspan=2h [process where + event.type in ("start", "process_started") and (process.name + == "rundll32.exe" or process.pe.original_file_name == + "rundll32.exe") and ((process.args == "rundll32.exe" and + process.args_count == 1) or (process.args != "rundll32.exe" + and process.args_count == 0))] [network where event.type == + "connection" and (process.name == "rundll32.exe" or + process.pe.original_file_name == "rundll32.exe")] + required_fields: + - name: event.type + type: keyword + - name: process.args + type: keyword + - name: process.args_count + type: long + - name: process.entity_id + type: keyword + - name: process.name + type: keyword + - name: process.pe.original_file_name + type: keyword + risk_score: 21 + rule_id: eql-outbound-rundll32-connections + severity: low + tags: + - EQL + - Windows + - rundll32.exe + type: eql + example5: + description: > + Indicator match rule that creates an alert when one of the + following is true: The event's destination IP address and port + number matches destination IP and port values in the + threat_index index; The event's source IP address matches a + host IP address value in the threat_index index. 
+ summary: Indicator match rule + value: + actions: [] + description: >- + Checks for bad IP addresses listed in the ip-threat-list + index + index: + - packetbeat-* + name: Bad IP threat match + query: destination.ip:* or host.ip:* + required_fields: + - name: destination.ip + type: ip + - name: destination.port + type: long + - name: host.ip + type: ip + risk_score: 50 + severity: medium + threat_index: + - ip-threat-list + threat_mapping: + - entries: + - field: destination.ip + type: mapping + value: destination.ip + - field: destination.port + type: mapping + value: destination.port + - entries: + - field: source.ip + type: mapping + value: host.ip + threat_query: '*:*' + type: threat_match + example6: + description: >- + New terms rule that creates alerts a new IP address is + detected for a user + summary: New terms rule + value: + description: Detects a user associated with a new IP address + history_window_start: now-30d + index: + - auditbeat* + language: kuery + name: New User IP Detected + new_terms_fields: + - user.id + - source.ip + query: '*' + required_fields: + - name: user.id + type: keyword + - name: source.ip + type: ip + risk_score: 21 + severity: medium + type: new_terms + example7: + description: >- + esql rule that creates alerts from events that match an Excel + parent process + summary: Esql rule + value: + description: Find Excel events + enabled: false + from: now-360s + interval: 5m + language: esql + name: Find Excel events + query: >- + from auditbeat-8.10.2 METADATA _id, _version, _index | where + process.parent.name == "EXCEL.EXE" + required_fields: + - name: process.parent.name + type: keyword + risk_score: 21 + severity: low + tags: [] + to: now + type: esql + example8: + description: >- + Query rule that searches for processes started by MS Office + and suppresses alerts by the process.parent.name field within + a 5-hour time period + summary: Query rule 2 + value: + alert_suppression: + duration: + unit: h + value: 5 + group_by: 
+ - process.parent.name + missing_fields_strategy: suppress + description: Process started by MS Office program - possible payload + enabled: false + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-70m + interval: 1h + language: kuery + name: MS Office child process + query: >- + process.parent.name:EXCEL.EXE or + process.parent.name:MSPUB.EXE or + process.parent.name:OUTLOOK.EXE or + process.parent.name:POWERPNT.EXE or + process.parent.name:VISIO.EXE or + process.parent.name:WINWORD.EXE + risk_score: 50 + rule_id: process_started_by_ms_office_program + severity: low + tags: + - child process + - ms office + type: query + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps' + required: true + responses: + '200': + content: + application/json: + examples: + example1: + description: Example response for a query rule + summary: Query rule response + value: + actions: [] + created_at: '2020-04-07T14:51:09.755Z' + created_by: elastic + description: Process started by MS Office program - possible payload + enabled: false + false_positives: [] + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-70m + id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: MS Office child process + query: >- + process.parent.name:EXCEL.EXE or + process.parent.name:MSPUB.EXE or + process.parent.name:OUTLOOK.EXE or + process.parent.name:POWERPNT.EXE or + process.parent.name:VISIO.EXE or + process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + - integration: graphactivitylogs + package: azure + version: ^1.11.4 + required_fields: + - ecs: true + name: process.parent.name + type: keyword + risk_score: 50 + rule_id: process_started_by_ms_office_program + setup: '' + severity: low + tags: + - child process + - ms 
office + threat: [] + to: now + type: query + updated_at: '2020-04-07T14:51:09.970Z' + updated_by: elastic + version: 1 + example2: + description: Example response for a machine learning job rule + summary: Machine learning response + value: + actions: + - action_type_id: .slack + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 + params: + message: 'Urgent: {{context.rule.description}}' + anomaly_threshold: 70 + created_at: '2020-04-07T14:45:15.679Z' + created_by: elastic + description: Generates alerts when the job discovers anomalies over 70 + enabled: true + false_positives: [] + from: now-6m + id: 83876f66-3a57-4a99-bf37-416494c80f3b + immutable: false + interval: 5m + machine_learning_job_id: linux_anomalous_network_activity_ecs + max_signals: 100 + name: Anomalous Linux network activity + note: Shut down the internet. + references: [] + related_integrations: [] + required_fields: [] + risk_score: 70 + rule_id: ml_linux_network_high_threshold + setup: '' + severity: high + status: going to run + status_date: '2020-04-07T14:45:21.685Z' + tags: + - machine learning + - Linux + threat: [] + to: now + type: machine_learning + updated_at: '2020-04-07T14:45:15.892Z' + updated_by: elastic + version: 1 + example3: + description: Example response for a threshold rule + summary: Threshold rule response + value: + actions: [] + author: [] + created_at: '2020-07-22T10:27:23.486Z' + created_by: elastic + description: >- + Detects when there are 20 or more failed login attempts + from the same IP address with a 2 minute time frame. 
+ enabled: true + exceptions_list: + - id: int-ips + namespace_type: single + type: detection + false_positives: [] + from: now-180s + id: 15dbde26-b627-4d74-bb1f-a5e0ed9e4993 + immutable: false + index: + - winlogbeat-* + interval: 2m + language: kuery + max_signals: 100 + name: Windows server prml-19 + query: >- + host.name:prml-19 and event.category:authentication and + event.outcome:failure + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: source.ip + type: ip + risk_score: 30 + risk_score_mapping: [] + rule_id: liv-win-ser-logins + setup: '' + severity: low + severity_mapping: + - field: source.geo.city_name + operator: equals + severity: low + value: Manchester + - field: source.geo.city_name + operator: equals + severity: medium + value: London + - field: source.geo.city_name + operator: equals + severity: high + value: Birmingham + - field: source.geo.city_name + operator: equals + severity: critical + value: Wallingford + tags: + - Brute force + threat: [] + threshold: + field: source.ip + value: 20 + to: now + type: threshold + updated_at: '2020-07-22T10:27:23.673Z' + updated_by: elastic + version: 1 + example4: + description: Example response for an EQL rule + summary: EQL rule response + value: + author: [] + created_at: '2020-10-05T09:06:16.392Z' + created_by: elastic + description: Unusual rundll32.exe network connection + enabled: true + exceptions_list: [] + false_positives: [] + from: now-6m + id: 93808cae-b05b-4dc9-8479-73574b50f8b1 + immutable: false + interval: 5m + language: eql + max_signals: 100 + name: rundll32.exe network connection + query: >- + sequence by process.entity_id with maxspan=2h [process + where event.type in ("start", "process_started") and + (process.name == "rundll32.exe" or + process.pe.original_file_name == "rundll32.exe") and + ((process.args == "rundll32.exe" and process.args_count == + 1) or (process.args != "rundll32.exe" and + process.args_count == 
0))] [network where event.type == + "connection" and (process.name == "rundll32.exe" or + process.pe.original_file_name == "rundll32.exe")] + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: event.type + type: keyword + - ecs: true + name: process.args + type: keyword + - ecs: true + name: process.args_count + type: long + - ecs: true + name: process.entity_id + type: keyword + - ecs: true + name: process.name + type: keyword + - ecs: true + name: process.pe.original_file_name + type: keyword + risk_score: 21 + risk_score_mapping: [] + rule_id: eql-outbound-rundll32-connections + setup: '' + severity: low + severity_mapping: [] + tags: + - EQL + - Windows + - rundll32.exe + threat: [] + throttle: no_actions + to: now + type: eql + updated_at: '2020-10-05T09:06:16.403Z' + updated_by: elastic + version: 1 + example5: + description: Example response for an indicator match rule + summary: Indicator match rule response + value: + author: [] + created_at: '2020-10-06T07:07:58.227Z' + created_by: elastic + description: >- + Checks for bad IP addresses listed in the ip-threat-list + index + enabled: true + exceptions_list: [] + false_positives: [] + from: now-6m + id: d5daa13f-81fb-4b13-be2f-31011e1d9ae1 + immutable: false + index: + - packetbeat-* + interval: 5m + language: kuery + max_signals: 100 + name: Bad IP threat match + query: destination.ip:* or host.ip:* + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: destination.ip + type: ip + - ecs: true + name: destination.port + type: long + - ecs: true + name: host.ip + type: ip + risk_score: 50 + risk_score_mapping: [] + rule_id: 608501e4-c768-4f64-9326-cec55b5d439b + setup: '' + severity: medium + severity_mapping: [] + tags: [] + threat: [] + threat_index: + - ip-threat-list + threat_mapping: + - entries: + - field: destination.ip + type: mapping + value: destination.ip + - field: 
destination.port + type: mapping + value: destination.port + - entries: + - field: source.ip + type: mapping + value: host.ip + threat_query: '*:*' + to: now + type: threat_match + updated_at: '2020-10-06T07:07:58.237Z' + updated_by: elastic + version: 1 + example6: + description: Example response for a new terms rule + summary: New terms rule response + value: + author: [] + created_at: '2020-10-06T07:07:58.227Z' + created_by: elastic + description: Detects a user associated with a new IP address + enabled: true + exceptions_list: [] + false_positives: [] + from: now-6m + history_window_start: now-30d + id: eb7225c0-566b-11ee-8b4f-bbf3afdeb9f4 + immutable: false + index: + - auditbeat* + interval: 5m + language: kuery + max_signals: 100 + name: New User IP Detected + new_terms_fields: + - user.id + - source.ip + query: '*' + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: user.id + type: keyword + - ecs: true + name: source.ip + type: ip + risk_score: 21 + risk_score_mapping: [] + rule_id: c6f5d0bc-7be9-47d4-b2f3-073d22641e30 + setup: '' + severity: medium + severity_mapping: [] + tags: [] + threat: [] + to: now + type: new_terms + updated_at: '2020-10-06T07:07:58.237Z' + updated_by: elastic + version: 1 + example7: + description: Example response for an Esql rule + summary: Esql rule response + value: + actions: [] + author: [] + created_at: '2023-10-18T10:55:14.269Z' + created_by: elastic + description: Find Excel events + enabled: false + exceptions_list: [] + false_positives: [] + from: now-360s + id: d0f20490-6da4-11ee-b85e-09e9b661f2e2 + immutable: false + interval: 5m + language: esql + max_signals: 100 + name: Find Excel events + output_index: '' + query: >- + from auditbeat-8.10.2 METADATA _id | where + process.parent.name == "EXCEL.EXE" + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: process.parent.name + type: keyword 
+ revision: 0 + risk_score: 21 + risk_score_mapping: [] + rule_id: e4b53a89-debd-4a0d-a3e3-20606952e589 + setup: '' + severity: low + severity_mapping: [] + tags: [] + threat: [] + to: now + type: esql + updated_at: '2023-10-18T10:55:14.269Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Create a detection rule + tags: + - Security Detections API + put: + description: > + Update a detection rule using the `rule_id` or `id` field. The original + rule is replaced, and all unspecified fields are deleted. + + + The difference between the `id` and `rule_id` is that the `id` is a + unique rule identifier that is randomly generated when a rule is created + and cannot be set, whereas `rule_id` is a stable rule identifier that + can be assigned during rule creation. + + > warn + + > When used with [API + key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, + the user's key gets assigned to the affected rules. If the user's key + gets deleted or the user becomes inactive, the rules will stop running. + + + > If the API key that is used for authorization has different privileges + than the key that created or most recently updated the rule, the rule + behavior might change. 
+ operationId: UpdateRule + requestBody: + content: + application/json: + examples: + example1: + summary: Update query rule + value: + description: A new description + id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 + name: A new name for the rule + risk_score: 22 + severity: medium + type: query + example2: + summary: Update EQL rule + value: + description: eql rule test + id: 9b684efb-acf9-4323-9bff-8335b3867d14 + index: + - apm-*-transaction* + language: eql + name: New name for EQL rule + query: process where process.name == "regsvr32.exe" + risk_score: 21 + severity: low + type: eql + example3: + summary: Update threshold rule + value: + description: Description of threat rule test + id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 + language: kuery + name: New name for threat rule + query: >- + agent.version : * and agent.id : + "243d9b4f-ca01-4311-8e5c-9abbee91afd8" + risk_score: 21 + severity: low + tags: + - new_tag + threshold: + cardinality: [] + field: [] + value: 400 + type: threshold + example4: + summary: Update new terms rule + value: + description: New description + history_window_start: now-7d + id: 569aac91-40dc-4807-a8ae-a2c8698089c4 + interval: 5m + name: New terms rule name + new_terms_fields: + - Endpoint.policy.applied.artifacts.global.identifiers.name + query: 'agent.version : "9.1.0"' + risk_score: 21 + severity: low + type: new_terms + example5: + summary: Update esql rule + value: + description: New description for esql rule + id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd + language: esql + name: New name for esql rule + query: > + FROM logs* + + | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) /* + MIN(dateField) finds the earliest timestamp in the dataset. + */ + + | EVAL event_rate = count / DATE_DIFF("seconds", + min_timestamp, NOW()) /* Calculates the event rate by + dividing the total count of events by the time difference + (in seconds) between the earliest event and the current + time. 
*/ + + | KEEP event_rate + risk_score: 21 + severity: low + type: esql + example6: + summary: Update indicator match rule + value: + description: New description + id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd + name: New name for Indicator Match rule + query: source.ip:* or destination.ip:*\n + risk_score: 99 + severity: critical + threat_index: + - filebeat-* + - logs-ti_* + threat_mapping: + - entries: + - field: source.ip + type: mapping + value: threat.indicator.ip + - entries: + - field: destination.ip + type: mapping + value: threat.indicator.ip + threat_query: >- + @timestamp >= "now-30d/d" and event.module:(threatintel or + ti_*) and threat.indicator.ip:* and not + labels.is_ioc_transform_source:"true" + type: threat_match + example7: + summary: Update machine learning rule + value: + anomaly_threshold: 50 + description: New description of ml rule + id: 60b13926-289b-41b1-a537-197ef1fa5059 + machine_learning_job_id: + - auth_high_count_logon_events_ea + name: New name of ml rule + risk_score: 21 + severity: low + type: machine_learning + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps' + description: > + > info + + > All unspecified fields are deleted. You cannot modify the `id` or + `rule_id` values. + required: true + responses: + '200': + content: + application/json: + examples: + example1: + summary: Example response for an updated rule + value: + actions: [] + created_at: '2020-04-07T14:51:09.755Z' + created_by: elastic + description: Updated description for the rule. 
+ enabled: false + false_positives: [] + filters: + - query: null + from: now-70m + id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: Updated Rule Name + query: >- + process.parent.name:EXCEL.EXE or + process.parent.name:MSPUB.EXE or + process.parent.name:OUTLOOK.EXE or + process.parent.name:POWERPNT.EXE or + process.parent.name:VISIO.EXE or + process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + required_fields: + - name: process.parent.name + risk_score: 50 + rule_id: process_started_by_ms_office_program + setup: '' + severity: low + tags: + - child process + - ms office + threat: [] + to: now + type: query + updated_at: '2020-04-07T14:51:09.970Z' + updated_by: elastic + version: 2 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Update a detection rule + tags: + - Security Detections API + - Rules API + /api/detection_engine/rules/_bulk_action: + post: + description: > + Apply a bulk action, such as bulk edit, duplicate, or delete, to + multiple detection rules. The bulk action is applied to all rules that + match the query or to the rules listed by their IDs. + + + The edit action allows you to add, delete, or set tags, index patterns, + investigation fields, rule actions and schedules for multiple rules at + once. + + The edit action is idempotent, meaning that if you add a tag to a rule + that already has that tag, no changes are made. The same is true for + other edit actions, for example removing an index pattern that is not + specified in a rule will not result in any changes. The only exception + is the `add_rule_actions` and `set_rule_actions` action, which is + non-idempotent. This means that if you add or set a rule action to a + rule that already has that action, a new action is created with a new + unique ID. 
+ + > warn + + > When used with [API + key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, + the user's key gets assigned to the affected rules. If the user's key + gets deleted or the user becomes inactive, the rules will stop running. + + + > If the API key that is used for authorization has different privileges + than the key that created or most recently updated the rule, the rule + behavior might change. + operationId: PerformRulesBulkAction + parameters: + - description: > + Enables dry run mode for the request call. + + + Enable dry run mode to verify that bulk actions can be applied to + specified rules. Certain rules, such as prebuilt Elastic rules on a + Basic subscription, can’t be edited and will return errors in the + request response. Error details will contain an explanation, the + rule name and/or ID, and additional troubleshooting information. + + + To enable dry run mode on a request, add the query parameter + `dry_run=true` to the end of the request URL. Rules specified in the + request will be temporarily updated. These updates won’t be written + to Elasticsearch. + + > info + + > Dry run mode is not supported for the `export` bulk action. A 400 + error will be returned in the request response. + in: query + name: dry_run + required: false + schema: + type: boolean + requestBody: + content: + application/json: + examples: + example01: + description: The following request activates all rules with the test tag. + summary: Enable - Enable all rules with the test tag + value: + action: enable + query: 'alert.attributes.tags: "test"' + example02: + description: The following request enables the rule with the specified ID. + summary: Enable - Enable a specific rule by ID. + value: + action: enable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example03: + description: The following request disables the rule with the specified ID. 
+ summary: Disable - Disable a specific rule by ID + value: + action: disable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example04: + description: >- + The following request duplicates rules with the specified IDs, + including exceptions but not expired exceptions. + summary: Duplicate - Duplicate rules with specific IDs + value: + action: duplicate + duplicate: + include_exceptions: true + include_expired_exceptions: false + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + - 461a4c22-416e-4009-a9a7-cf79656454bf + example05: + description: The following request deletes the rule with the specified ID. + summary: Delete - Delete a specific rule by ID + value: + action: delete + ids: + - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 + example06: + description: >- + The following request runs the rule with the specified ID + within the given date range. + summary: Run - Run a specific rule by ID + value: + action: run + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + run: + end_date: '2025-03-10T23:59:59.999Z' + start_date: '2025-03-01T00:00:00.000Z' + example07: + description: >- + The following request exports the rules with the specified + IDs. + summary: Export - Export specific rules by ID + value: + action: export + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example08: + description: >- + The following request will validate that the + add_index_patterns bulk action can be successfully applied to + three rules. The dry_run parameter is specified in query + parameters, e.g. POST + api/detection_engine/rules/_bulk_action?dry_run=true + summary: Edit - dry run - Validate add_index_patterns bulk action + value: + action: edit + edit: + - type: add_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + - de8f5af0-0831-11ed-ac8b-05a222bd8d4a + example09: + description: >- + The following request adds the tag "tag-1" to the rules with + the specified IDs. 
If the tag already exists for a rule, no + changes are made. + summary: Edit - Add a tag to rules (idempotent) + value: + action: edit + edit: + - type: add_tags + value: + - tag-1 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example10: + description: >- + The following request adds two tags at the same time, tag-1 + and tag-2, to the rules that have the IDs sent in the payload. + If the tags already exist for a rule, no changes are made. + summary: Edit - Add two tags to rules (idempotent) + value: + action: edit + edit: + - type: add_tags + value: + - tag-1 + - tag-2 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example11: + description: >- + The following request removes the tag "tag-1" from the rules + with the specified IDs. If the tag does not exist for a rule, + no changes are made. + summary: Edit - Delete a tag from rules (idempotent) + value: + action: edit + edit: + - type: delete_tags + value: + - tag-1 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example12: + description: >- + The following request sets the tags "tag-1" and "tag-2" for + the rules with the specified IDs, overwriting any existing + tags. If the set of tags is the same as the existing tags, no + changes are made. + summary: Edit - Set (overwrite existing) tags for rules (idempotent) + value: + action: edit + edit: + - type: set_tags + value: + - tag-1 + - tag-2 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example13: + description: >- + The following request adds the index pattern "test-*" to the + rules with the specified IDs. If the index pattern already + exists for a rule, no changes are made. 
+ summary: Edit - Add index patterns to rules (idempotent) + value: + action: edit + edit: + - type: add_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example14: + description: >- + The following request removes the index pattern "test-*" from + the rules with the specified IDs. If the index pattern does + not exist for a rule, no changes are made. + summary: Edit - Remove index patterns from rules (idempotent) + value: + action: edit + edit: + - type: delete_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example15: + description: >- + The following request sets the index patterns "test-*" and + "prod-*" for the rules with the specified IDs, overwriting any + existing index patterns. If the set of index patterns is the + same as the existing index patterns, no changes are made. + summary: >- + Edit - Set (overwrite existing) index patterns for rules + patterns (idempotent) + value: + action: edit + edit: + - type: set_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example16: + description: >- + The following request adds investigation field to the rules + with the specified IDs. + summary: Edit - Add investigation field to rules + value: + action: edit + edit: + - type: add_investigation_fields + value: + field_names: + - alert.status + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example17: + description: >- + The following request deletes investigation fields from the + rules with the specified IDs. If the field does not exist for + a rule, no changes are made. 
+ summary: Edit - Delete investigation fields from rules (idempotent) + value: + action: edit + edit: + - type: delete_investigation_fields + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + value: + - field1 + - field2 + example18: + description: >- + The following request sets investigation fields for the rules + with the specified IDs, overwriting any existing investigation + fields. If the set of investigation fields is the same as the + existing investigation fields, no changes are made. + summary: >- + Edit - Set (overwrite existing) investigation fields for rules + (idempotent) + value: + action: edit + edit: + - type: set_investigation_fields + value: + - field1 + - field2 + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example19: + description: >- + The following request sets a timeline template for the rules + with the specified IDs. If the same timeline template is + already set for a rule, no changes are made. + summary: >- + Edit - Set (overwrite existing) timeline template for rules + (idempotent) + value: + action: edit + edit: + - type: set_timeline + value: + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + ids: + - eacdfc95-e007-41c9-986e-4b2cbdfdc71b + example20: + description: >- + The following request sets a schedule for the rules with the + specified IDs. If the same schedule is already set for a rule, + no changes are made. + summary: >- + Edit - Set (overwrite existing) schedule for rules + (idempotent) + value: + action: edit + edit: + - type: set_schedule + value: + interval: 1h + lookback: 30m + ids: + - 99887766-5544-3322-1100-aabbccddeeff + example21: + description: >- + The following request adds rule actions to the rules with the + specified IDs. Each new action receives its own unique ID. 
+ summary: Edit - Add rule actions to rules (non-idempotent) + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191928 + example22: + description: >- + The following request sets rule actions for the rules with the + specified IDs. Each action receives its own unique ID. + summary: >- + Edit - Set (overwrite existing) rule actions for rules + (non-idempotent) + value: + action: edit + edit: + - type: set_rule_actions + value: + actions: + - group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191928 + example23: + description: >- + The following request adds rule actions to the rules with the + specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a webhook connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example24: + description: >- + The following request adds rule actions to the rules with the + specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for an email connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + message: The message body + subject: Subject + to: address@domain.com + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example25: + description: >- + The following request adds rule actions to the rules with the + specified IDs. Each new action receives its own unique ID. 
+ summary: Edit - Add rule actions to rules for a slack connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + message: The content of the message + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example26: + description: >- + The following request adds rule actions to the rules with the + specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a PagerDuty connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + eventAction: trigger + severity: critical + summary: The message body + timestamp: 2023-10-31T00:00:00.000Z + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example27: + description: >- + The following request set alert suppression to the rules with + the specified IDs. + summary: Edit - Set alert suppression to rules (idempotent) + value: + action: edit + edit: + - type: set_alert_suppression + value: + duration: + unit: h + value: 1 + group_by: + - source.ip + missing_fields_strategy: suppress + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example28: + description: >- + The following request set alert suppression to threshold rules + with the specified IDs. + summary: Edit - Set alert suppression to threshold rules (idempotent) + value: + action: edit + edit: + - type: set_alert_suppression_for_threshold + value: + duration: + unit: h + value: 1 + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example29: + description: >- + The following request removes alert suppression from the rules + with the specified IDs. If the rules do not have alert + suppression, no changes are made. 
+ summary: Edit - Removes alert suppression from rules (idempotent) + value: + action: edit + edit: + - type: delete_alert_suppression + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example30: + description: >- + The following request triggers the filling of gaps for the + specified rule ids and time range + summary: >- + Fill Gaps - Manually trigger the filling of gaps for specified + rules + value: + action: fill_gaps + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + - 164d0918-f720-4c9f-9f5c-c5122587cf19 + run: + end_date: '2025-03-10T23:59:59.999Z' + start_date: '2025-03-01T00:00:00.000Z' + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' + - $ref: >- + #/components/schemas/Security_Detections_API_BulkDisableRules + - $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkExportRules' + - $ref: >- + #/components/schemas/Security_Detections_API_BulkDuplicateRules + - $ref: >- + #/components/schemas/Security_Detections_API_BulkManualRuleRun + - $ref: >- + #/components/schemas/Security_Detections_API_BulkManualRuleFillGaps + - $ref: '#/components/schemas/Security_Detections_API_BulkEditRules' + responses: + '200': + content: + application/json: + examples: + example01: + description: >- + In this response one rule was updated and one was skipped. + Objects returned in attributes.results.skipped will only + include rules' id, name, and skip_reason. 
+ summary: Successful response + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: 51658332-a15e-4c9e-912a-67214e2e2359 + name: Skipped rule + skip_reason: RULE_NOT_MODIFIED + updated: + - anomaly_threshold: 50 + author: + - Elastic + created_at: '2022-02-21T14:14:13.801Z' + created_by: elastic + description: >- + A machine learning job detected unusually large + numbers of DNS queries for a single top-level DNS + domain, which is often used for DNS tunneling. DNS + tunneling can be used for command-and-control, + persistence, or data exfiltration activity. For + example, dnscat tends to generate many DNS + questions for a top-level domain as it uses the + DNS protocol to tunnel data. + enabled: true + exceptions_list: [] + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: >- + This rule attempted to query data from + Elasticsearch indices listed in the "Index + pattern" section of the rule definition, but + no matching index was found. + metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: + - >- + DNS domains that use large numbers of child + domains, such as software or content + distribution networks, can trigger this alert + and such parent domains can be excluded. 
+ from: now-45m + id: 8bc7dad0-9320-11ec-9265-8b772383a08d + immutable: false + interval: 15m + license: Elastic License v2 + machine_learning_job_id: + - packetbeat_dns_tunneling_ea + max_signals: 100 + name: DNS Tunneling [Duplicate] + references: + - >- + https://www.elastic.co/docs/reference/machine-learning/ootb-ml-jobs-siem + related_integrations: [] + required_fields: [] + risk_score: 21 + risk_score_mapping: [] + rule_id: 7289bf08-4e91-4c70-bf01-e04c4c5d7756 + setup: '' + severity: low + severity_mapping: [] + tags: + - Elastic + - Network + - Threat Detection + - ML + threat: [] + to: now + type: machine_learning + updated_at: '2022-02-21T17:05:50.883Z' + updated_by: elastic + version: 6 + summary: + failed: 0 + skipped: 1 + succeeded: 1 + total: 2 + rules_count: 1 + success: true + example02: + description: >- + If processing of any rule fails, a partial error outputs the + ID and/or name of the affected rule and the corresponding + error, as well as successfully processed rules (in the same + format as a successful 200 request). + summary: Partial failure + value: + value: + attributes: + errors: + - message: >- + Index patterns can't be added. Machine learning + rule doesn't have index patterns property + rules: + - id: 8bc7dad0-9320-11ec-9265-8b772383a08d + name: DNS Tunneling [Duplicate] + status_code: 500 + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: [] + author: + - Elastic + created_at: '2022-02-21T14:14:17.883Z' + created_by: elastic + description: >- + Generates a detection alert for each external + alert written to the configured indices. + Enabling this rule allows you to immediately + begin investigating external alerts in the app. 
+ enabled: true + exceptions_list: [] + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: >- + This rule attempted to query data from + Elasticsearch indices listed in the "Index + pattern" section of the rule definition, but + no matching index was found. + metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: [] + from: now-6m + id: 8e5c1a40-9320-11ec-9265-8b772383a08d + immutable: false + index: + - apm-*-transaction* + - traces-apm* + - auditbeat-* + - filebeat-* + - logs-* + - packetbeat-* + - winlogbeat-* + - added-by-id-* + interval: 5m + language: kuery + license: Elastic License v2 + max_signals: 10000 + name: External Alerts [Duplicate] + query: > + event.kind:alert and not event.module:(endgame + or endpoint) + references: [] + related_integrations: [] + required_fields: [] + risk_score: 47 + risk_score_mapping: + - field: event.risk_score + operator: equals + value: '' + rule_id: 941faf98-0cdc-4569-b16d-4af962914d61 + rule_name_override: message + setup: '' + severity: medium + severity_mapping: + - field: event.severity + operator: equals + severity: low + value: '21' + - field: event.severity + operator: equals + severity: medium + value: '47' + - field: event.severity + operator: equals + severity: high + value: '73' + - field: event.severity + operator: equals + severity: critical + value: '99' + tags: + - Elastic + - Network + - Windows + - APM + - macOS + - Linux + threat: [] + timestamp_override: event.ingested + to: now + type: query + updated_at: '2022-02-21T16:56:22.818Z' + updated_by: elastic + version: 5 + summary: + failed: 1 + skipped: 0 + succeeded: 1 + total: 2 + message: Bulk edit partially failed + rules_count: 2 + status_code: 500 + success: false + example03: + description: >- + The attributes.errors section of the response shows that two + rules failed to update and one succeeded. 
The same results + would be returned if you ran the request without dry run + mode enabled. Notice that there are no arrays in + attributes.results. In dry run mode, rule updates are not + applied and saved to Elasticsearch, so the endpoint wouldn’t + return results for rules that have been updated, created, or + deleted. + summary: Dry run + value: + attributes: + errors: + - err_code: IMMUTABLE + message: Elastic rule can't be edited + rules: + - id: 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + name: Unusual AWS Command for a User + status_code: 500 + - err_code: MACHINE_LEARNING_INDEX_PATTERN + message: Machine learning rule doesn't have index patterns + rules: + - id: dc015d10-0831-11ed-ac8b-05a222bd8d4a + name: Suspicious Powershell Script [Duplicate] + status_code: 500 + results: + created: [] + deleted: [] + skipped: [] + updated: [] + summary: + failed: 2 + skipped: 0 + succeeded: 1 + total: 3 + message: Bulk edit partially failed + status_code: 500 + example04: + description: >- + This example presents the successful setting of tags for 2 + rules. There was a difference between the set of tags that + were being added and the tags that were already set in the + rules, that's why the rules were updated. 
+ summary: Set tags successsully for 2 rules + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: [] + author: [] + created_at: '2025-03-25T11:46:41.899Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-6m + id: 738112cd-6cfa-414a-8457-2a658845d6ba + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 5m + language: kuery + license: '' + max_signals: 100 + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Rule 1 + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 1 + risk_score: 21 + risk_score_mapping: [] + rule_id: 6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + threat: [] + to: now + type: query + updated_at: '2025-03-25T11:47:11.350Z' + updated_by: elastic + version: 2 + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - >- + Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 
3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Rule 2 + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 33 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T11:47:11.357Z' + updated_by: elastic + version: 24 + summary: + failed: 0 + skipped: 0 + succeeded: 2 + total: 2 + rules_count: 2 + success: true + example05: + description: >- + This example presents the idempotent behavior of the edit + action with set_tags request. Both rules already had exactly + the same tags that were being added, so no changes were made + in any of them. + summary: Idempotent behavior of set_tags + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + name: Rule 1 + skip_reason: RULE_NOT_MODIFIED + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + name: Rule 2 + skip_reason: RULE_NOT_MODIFIED + updated: [] + summary: + failed: 0 + skipped: 2 + succeeded: 0 + total: 2 + rules_count: 2 + success: true + example06: + description: >- + This example presents the idempotent behavior of the edit + action with add_tags request. One rule was updated and one + was skipped. The rule that was skipped already had all the + tags that were being added. 
+ summary: Idempotent behavior of add_tags + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + name: Test Rule 2 + skip_reason: RULE_NOT_MODIFIED + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - >- + Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 34 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + - tag-4 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T11:55:12.752Z' + updated_by: elastic + version: 25 + summary: + failed: 0 + skipped: 1 + succeeded: 1 + total: 2 + rules_count: 2 + success: true + example07: + description: >- + This example shows a non-idempotent nature of the + set_rule_actions requests. 
Regardless if the actions are the + same as the existing actions for a rule, the actions are + always set in the rule and receive a new unique ID. + summary: Non-idempotent behavior for set_rule_actions + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: e48428e5-efac-4856-b8ad-b271c14eaa91 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - >- + Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 39 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + - tag-4 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T12:17:40.528Z' + updated_by: elastic + version: 30 + summary: + failed: 0 + skipped: 0 + succeeded: 1 + total: 1 + rules_count: 1 + success: true + example08: + description: >- + This example shows a non-idempotent nature of the + add_rule_actions requests. 
Regardless if the added action is + the same as another existing action for a rule, the new + action is added to the rule and receives a new unique ID. + summary: Non-idempotent behavior for add_rule_actions + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 + params: + body: Message body + uuid: 0309347e-3954-429c-9168-5da2663389af + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 + params: + body: Message body + uuid: 49ddaa94-d63d-410e-90dc-8c1bad9552bd + author: [] + created_at: '2025-04-02T12:42:03.400Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-6m + id: 0d3eb0cd-88c4-4651-ac87-6d9f0cb87217 + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 5m + language: kuery + license: '' + max_signals: 100 + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Jacek test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 2 + risk_score: 21 + risk_score_mapping: [] + rule_id: 2684c020-1370-4719-ac27-eafe6428fe10 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: [] + threat: [] + to: now + type: query + updated_at: '2025-04-02T12:51:40.215Z' + updated_by: elastic + version: 2 + summary: + failed: 0 + skipped: 0 + succeeded: 1 + total: 1 + rules_count: 1 + success: true + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_BulkEditActionResponse + - $ref: >- + 
#/components/schemas/Security_Detections_API_BulkExportActionResponse + description: OK + summary: Apply a bulk action to detection rules + tags: + - Security Detections API + - Bulk API + /api/detection_engine/rules/_export: + post: + description: > + Export detection rules to an `.ndjson` file. The following configuration + items are also included in the `.ndjson` file: + + - Actions + + - Exception lists + + > info + + > Rule actions and connectors are included in the exported file, but + sensitive information about the connector (such as authentication + credentials) is not included. You must re-add missing connector details + after importing detection rules. + + + > You can use Kibana’s [Saved + Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) + UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs + (experimental) to + [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) + and + [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) + any necessary connectors before importing detection rules. + + + > Similarly, any value lists used for rule exceptions are not included + in rule exports or imports. Use the [Manage value + lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) + UI (Rules → Detection rules (SIEM) → Manage value lists) to export and + import value lists separately. + operationId: ExportRules + parameters: + - description: Determines whether a summary of the exported rules is returned. + in: query + name: exclude_export_details + required: false + schema: + default: false + type: boolean + - description: > + File name for saving the exported rules. + + > info + + > When using cURL to export rules to a file, use the -O and -J + options to save the rules to the file name specified in the URL. 
+ in: query + name: file_name + required: false + schema: + default: export.ndjson + type: string + requestBody: + content: + application/json: + examples: + exportByRuleIds: + summary: Request body to export a subset of rules + value: + objects: + - rule_id: 343580b5-c811-447c-8d2d-2ccf052c6900 + - rule_id: 2938c9fa-53eb-4c04-b79c-33cbf041b18d + schema: + nullable: true + type: object + properties: + objects: + description: >- + Array of objects with a rule's `rule_id` field. Do not use + rule's `id` here. Exports all rules when unspecified. + items: + type: object + properties: + rule_id: + $ref: >- + #/components/schemas/Security_Detections_API_RuleSignatureId + required: + - rule_id + type: array + required: + - objects + required: false + responses: + '200': + content: + application/ndjson: + examples: + sampleNdjson: + value: > + {"rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900","name":"Example + rule","type":"query","enabled":true} + + {"exception_list":true} + + {"export_summary":{"total_rules":1,"exceptions_count":0}} + schema: + description: > + An `.ndjson` file containing the returned rules. + + + Each line in the file represents an object (a rule, exception + list parent container, or exception list item), and the last + line includes a summary of what was exported. + format: binary type: string - description: | - Details about the object properties. This property is applicable when `type` is `object`. - type: object - required: - description: Indicates whether the field is required. - type: boolean - scaling_factor: - description: | - The scaling factor to use when encoding values. This property is applicable when `type` is `scaled_float`. Values will be multiplied by this factor at index time and rounded to the closest long value. - type: integer - type: - description: Specifies the data type for the field. 
- example: scaled_float - type: string - APM_UI_400_response: - type: object - properties: - error: - description: Error type - example: Not Found - type: string - message: - description: Error message - example: Not Found - type: string - statusCode: - description: Error status code - example: 400 - type: number - APM_UI_401_response: - type: object - properties: - error: - description: Error type - example: Unauthorized - type: string - message: - description: Error message - type: string - statusCode: - description: Error status code - example: 401 - type: number - APM_UI_403_response: - type: object - properties: - error: - description: Error type - example: Forbidden - type: string - message: - description: Error message - type: string - statusCode: - description: Error status code - example: 403 - type: number - APM_UI_404_response: - type: object - properties: - error: - description: Error type - example: Not Found - type: string - message: - description: Error message - example: Not Found - type: string - statusCode: - description: Error status code - example: 404 - type: number - APM_UI_500_response: - type: object - properties: - error: - description: Error type - example: Internal Server Error - type: string - message: - description: Error message - type: string - statusCode: - description: Error status code - example: 500 - type: number - APM_UI_501_response: - type: object - properties: - error: - description: Error type - example: Not Implemented - type: string - message: - description: Error message - example: Not Implemented - type: string - statusCode: - description: Error status code - example: 501 - type: number - APM_UI_agent_configuration_intake_object: - type: object - properties: - agent_name: - description: The agent name is used by the UI to determine which settings to display. 
- type: string - service: - $ref: '#/components/schemas/APM_UI_service_object' - settings: - $ref: '#/components/schemas/APM_UI_settings_object' - required: - - service - - settings - APM_UI_agent_configuration_object: - description: Agent configuration - type: object - properties: - '@timestamp': - description: Timestamp - example: 1730194190636 - type: number - agent_name: - description: Agent name - type: string - applied_by_agent: - description: Applied by agent - example: true - type: boolean - etag: - description: | - `etag` is sent by the APM agent to indicate the `etag` of the last successfully applied configuration. If the `etag` matches an existing configuration its `applied_by_agent` property will be set to `true`. Every time a configuration is edited `applied_by_agent` is reset to `false`. - example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 - type: string - service: - $ref: '#/components/schemas/APM_UI_service_object' - settings: - $ref: '#/components/schemas/APM_UI_settings_object' - required: - - service - - settings - - '@timestamp' - - etag - APM_UI_agent_configurations_response: - type: object - properties: - configurations: - description: Agent configuration - items: - $ref: '#/components/schemas/APM_UI_agent_configuration_object' - type: array - APM_UI_agent_keys_object: - type: object - properties: - name: - description: The name of the APM agent key. - type: string - privileges: - description: | - The APM agent key privileges. It can take one or more of the following values: - * `event:write`, which is required for ingesting APM agent events. * `config_agent:read`, which is required for APM agents to read agent configuration remotely. - items: + description: Indicates a successful call. 
+ summary: Export detection rules + tags: + - Security Detections API + - Import/Export API + x-codeSamples: + - lang: cURL + source: > + curl -X POST + "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" + -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' + + { + "objects": [ + { + "rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900" + }, + { + "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d" + } + ] + } + /api/detection_engine/rules/_find: + get: + description: >- + Retrieve a paginated list of detection rules. By default, the first page + is returned, with 20 results per page. + operationId: FindRules + parameters: + - description: > + List of `alert.attributes` field names to return for each rule (for + example `name`, `enabled`). + + If omitted, the default field set is returned. Repeat the parameter + to pass multiple field names, or + + use comma-separated values when supported by your client. + in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: > + Search query + + + Filters the returned results according to the value of the specified + field, using the alert.attributes.: syntax, + where can be: + + - name + + - enabled + + - tags + + - createdBy + + - interval + + - updatedBy + + > info + + > Even though the JSON rule object uses created_by and updated_by + fields, you must use createdBy and updatedBy fields in the filter. 
+ in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_FindRulesSortField' + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Rules per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + - description: Gaps range start + in: query + name: gaps_range_start + required: false + schema: + type: string + - description: Gaps range end + in: query + name: gaps_range_end + required: false + schema: + type: string + - description: Gap fill statuses + in: query + name: gap_fill_statuses + required: false + schema: + items: + $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' + type: array + - description: >- + Gap auto fill scheduler ID used to determine gap fill status for + rules + in: query + name: gap_auto_fill_scheduler_id + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + example1: + value: + data: + - created_at: '2020-02-02T10:05:19.613Z' + created_by: elastic + description: >- + Identifies a PowerShell process launched by either + cscript.exe or wscript.exe. Observing Windows + scripting processes executing a PowerShell script, may + be indicative of malicious activity. + enabled: false + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: >- + This rule attempted to query data from + Elasticsearch indices listed in the "Index + pattern" section of the rule definition, but no + matching index was found. 
+ metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: [] + from: now-6m + id: 89761517-fdb0-4223-b67b-7621acc48f9e + immutable: true + index: + - winlogbeat-* + interval: 5m + language: kuery + max_signals: 33 + name: Windows Script Executing PowerShell + query: >- + event.action:"Process Create (rule: ProcessCreate)" + and process.parent.name:("wscript.exe" or + "cscript.exe") and process.name:"powershell.exe" + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: event.action + type: keyword + - ecs: true + name: process.name + type: keyword + - ecs: true + name: process.parent.name + type: keyword + risk_score: 21 + rule_id: f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc + setup: '' + severity: low + tags: + - Elastic + - Windows + threat: + - framework: MITRE ATT&CK + tactic: + id: TA0002 + name: Execution + reference: https://attack.mitre.org/tactics/TA0002/ + technique: + - id: T1193 + name: Spearphishing Attachment + reference: https://attack.mitre.org/techniques/T1193/ + to: now + type: query + updated_at: '2020-02-02T10:05:19.830Z' + updated_by: elastic + page: 1 + perPage: 5 + total: 4 + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RuleResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + warnings: + items: + $ref: >- + #/components/schemas/Security_Detections_API_WarningSchema + type: array + required: + - page + - perPage + - total + - data + description: > + Successful response + + > info + + > These fields are under development and their usage or schema may + change: execution_summary. 
+ summary: List all detection rules + tags: + - Security Detections API + - Rules API + x-codeSamples: + - lang: cURL + source: > + curl -X GET + "localhost:5601/api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows" + -H 'kbn-xsrf: true' + /api/detection_engine/rules/_import: + post: + description: > + Import detection rules from an `.ndjson` file, including actions and + exception lists. The request must include: + + - The `Content-Type: multipart/form-data` HTTP header. + + - A link to the `.ndjson` file containing the rules. + + > warn + + > When used with [API + key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, + the user's key gets assigned to the affected rules. If the user's key + gets deleted or the user becomes inactive, the rules will stop running. + + + > If the API key that is used for authorization has different privileges + than the key that created or most recently updated the rule, the rule + behavior might change. + + > info + + > To import rules with actions, you need at least Read privileges for + the Action and Connectors feature. To overwrite or add new connectors, + you need All privileges for the Actions and Connectors feature. To + import rules without actions, you don’t need Actions and Connectors + privileges. Refer to [Enable and access + detections](https://www.elastic.co/docs/solutions/security/detect-and-alert/detections-privileges) + for more information. + + + > info + + > Rule actions and connectors are included in the exported file, but + sensitive information about the connector (such as authentication + credentials) is not included. You must re-add missing connector details + after importing detection rules. 
+ + + > You can use Kibana’s [Saved + Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) + UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs + (experimental) to + [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) + and + [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) + any necessary connectors before importing detection rules. + + + > Similarly, any value lists used for rule exceptions are not included + in rule exports or imports. Use the [Manage value + lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) + UI (Rules → Detection rules (SIEM) → Manage value lists) to export and + import value lists separately. + operationId: ImportRules + parameters: + - description: >- + Determines whether existing rules with the same `rule_id` are + overwritten. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean + - description: >- + Determines whether existing exception lists with the same `list_id` + are overwritten. Both the exception list container and its items are + overwritten. + in: query + name: overwrite_exceptions + required: false + schema: + default: false + type: boolean + - description: >- + Determines whether existing actions with the same + `kibana.alert.rule.actions.id` are overwritten. + in: query + name: overwrite_action_connectors + required: false + schema: + default: false + type: boolean + - description: Generates a new list ID for each imported exception list. + in: query + name: as_new_list + required: false + schema: + default: false + type: boolean + requestBody: + content: + multipart/form-data: + examples: + rulesFile: + summary: Multipart part containing a rule export + value: + file: rules_import.ndjson + schema: + type: object + properties: + file: + description: The `.ndjson` file containing the rules. 
+ format: binary + type: string + required: true + responses: + '200': + content: + application/json: + examples: + example1: + summary: Import rules with success + value: + errors: [] + exceptions_errors: [] + exceptions_success: true + exceptions_success_count: 0 + rules_count: 1 + success: true + success_count: 1 + schema: + additionalProperties: false + type: object + properties: + action_connectors_errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + action_connectors_success: + type: boolean + action_connectors_success_count: + minimum: 0 + type: integer + action_connectors_warnings: + items: + $ref: >- + #/components/schemas/Security_Detections_API_WarningSchema + type: array + errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + exceptions_errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + exceptions_success: + type: boolean + exceptions_success_count: + minimum: 0 + type: integer + rules_count: + minimum: 0 + type: integer + success: + type: boolean + success_count: + minimum: 0 + type: integer + required: + - exceptions_success + - exceptions_success_count + - exceptions_errors + - rules_count + - success + - success_count + - errors + - action_connectors_errors + - action_connectors_warnings + - action_connectors_success + - action_connectors_success_count + description: Indicates a successful call. + summary: Import detection rules + tags: + - Security Detections API + - Import/Export API + x-codeSamples: + - lang: cURL + source: | + curl -X POST "/api/detection_engine/rules/_import" + -u : -H 'kbn-xsrf: true' + -H 'Content-Type: multipart/form-data' + --form "file=@" + /api/detection_engine/rules/{id}/exceptions: + post: + description: Create exception items that apply to a single detection rule. 
+ operationId: CreateRuleExceptionListItems + parameters: + - description: Detection rule's identifier + examples: + id: + value: 330bdd28-eedf-40e1-bed0-f10176c7f9e0 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_RuleId' + requestBody: + content: + application/json: + examples: + addItems: + value: + items: + - description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple + schema: + example: + items: + - description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple + type: object + properties: + items: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps + type: array + required: + - items + description: Rule exception items. + required: true + responses: + '200': + content: + application/json: + examples: + ruleExceptionItems: + value: + - _version: WzQsMV0= + comments: [] + created_at: 2025-01-07T20:07:33.119Z + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: 2025-01-07T20:07:33.119Z + updated_by: elastic + schema: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItem + type: array + description: Successful response + '400': + content: + application/json: + examples: + badPayload: + value: + error: Bad Request + message: Invalid request payload JSON format + statusCode: 400 + badRequest: + value: + error: Bad Request + message: '[request params]: id: Invalid uuid' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + message: Unable to create exception-list + status_code: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + 
message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create rule exception items + tags: + - Security Exceptions API + /api/detection_engine/rules/prepackaged: + put: + description: > + Install and update all Elastic prebuilt detection rules and Timelines. + + + This endpoint allows you to install and update prebuilt detection rules + and Timelines provided by Elastic. + + When you call this endpoint, it will: + + - Install any new prebuilt detection rules that are not currently + installed in your system. + + - Update any existing prebuilt detection rules that have been modified + or improved by Elastic. + + - Install any new prebuilt Timelines that are not currently installed in + your system. + + - Update any existing prebuilt Timelines that have been modified or + improved by Elastic. + + + This ensures that your detection engine is always up-to-date with the + latest rules and Timelines, + + providing you with the most current and effective threat detection + capabilities. 
+ operationId: InstallPrebuiltRulesAndTimelines + responses: + '200': + content: + application/json: + examples: + example1: + value: + rules_installed: 112 + rules_updated: 0 + timelines_installed: 5 + timelines_updated: 2 + schema: + additionalProperties: false + type: object + properties: + rules_installed: + description: The number of rules installed + minimum: 0 + type: integer + rules_updated: + description: The number of rules updated + minimum: 0 + type: integer + timelines_installed: + description: The number of timelines installed + minimum: 0 + type: integer + timelines_updated: + description: The number of timelines updated + minimum: 0 + type: integer + required: + - rules_installed + - rules_updated + - timelines_installed + - timelines_updated + description: Indicates a successful call + summary: Install prebuilt detection rules and Timelines + tags: + - Security Detections API + - Prebuilt Rules API + /api/detection_engine/rules/prepackaged/_status: + get: + description: > + Retrieve the status of all Elastic prebuilt detection rules and + Timelines. + + + This endpoint provides detailed information about the number of custom + rules, installed prebuilt rules, available prebuilt rules that are not + installed, outdated prebuilt rules, installed prebuilt timelines, + available prebuilt timelines that are not installed, and outdated + prebuilt timelines. 
+ operationId: ReadPrebuiltRulesAndTimelinesStatus + responses: + '200': + content: + application/json: + examples: + example1: + value: + rules_custom_installed: 0 + rules_installed: 0 + rules_not_installed: 112 + rules_not_updated: 0 + timelines_installed: 0 + timelines_not_installed: 0 + timelines_not_updated: 0 + schema: + additionalProperties: false + type: object + properties: + rules_custom_installed: + description: The total number of custom rules + minimum: 0 + type: integer + rules_installed: + description: The total number of installed prebuilt rules + minimum: 0 + type: integer + rules_not_installed: + description: >- + The total number of available prebuilt rules that are not + installed + minimum: 0 + type: integer + rules_not_updated: + description: The total number of outdated prebuilt rules + minimum: 0 + type: integer + timelines_installed: + description: The total number of installed prebuilt timelines + minimum: 0 + type: integer + timelines_not_installed: + description: >- + The total number of available prebuilt timelines that are + not installed + minimum: 0 + type: integer + timelines_not_updated: + description: The total number of outdated prebuilt timelines + minimum: 0 + type: integer + required: + - rules_custom_installed + - rules_installed + - rules_not_installed + - rules_not_updated + - timelines_installed + - timelines_not_installed + - timelines_not_updated + description: Indicates a successful call + summary: Retrieve the status of prebuilt detection rules and Timelines + tags: + - Security Detections API + - Prebuilt Rules API + /api/detection_engine/rules/preview: + post: + description: > + Simulates a detection rule using the same rule type and query logic as a + persisted rule, over a short + + time window, without persisting a rule or writing alerts. Use the + response to validate queries, see sample + + matching documents, and inspect execution logs. Pair `invocationCount` + and `timeframeEnd` to cap run time. 
+ operationId: RulePreview + parameters: + - description: >- + Enables logging and returning in response ES queries, performed + during rule execution + in: query + name: enable_logged_requests + required: false + schema: + type: boolean + requestBody: + content: + application/json: + examples: + queryRule: + value: + description: Find matching events + from: now-24h + index: + - logs-* + invocationCount: 1 + language: kuery + max_signals: 20 + name: Rule preview + query: 'process.name : *' + risk_score: 25 + severity: low + timeframeEnd: '2025-01-20T12:00:00.000Z' + to: now + type: query + schema: + anyOf: + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_EqlRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_QueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_EsqlRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams 
+ discriminator: + propertyName: type + description: > + Rule create payload (same shape as `POST /api/detection_engine/rules` + for a given `type`) plus + + `invocationCount` and `timeframeEnd` to control how the preview is + executed. Optional + + `enable_logged_requests` surfaces Elasticsearch request logging for + debugging. + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + isAborted: false + logs: + - duration: 45 + errors: [] + requests: [] + startedAt: 2025-01-20T10:00:00.000Z + warnings: [] + previewId: 7f1c9d1e-4c8a-4a3e-9a5d-0d4f6e1b2a90 + schema: + type: object + properties: + isAborted: + type: boolean + logs: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewLogs + type: array + previewId: + $ref: >- + #/components/schemas/Security_Detections_API_NonEmptyString + required: + - logs + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request body].timeframeEnd: expected string, received + null + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: 
'#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Preview rule alerts generated on specified time range + tags: + - Security Detections API + - Rule preview API + /api/detection_engine/signals/assignees: + post: + description: | + Assign users to detection alerts, and unassign them from alerts. + > info + > You cannot add and remove the same assignee in the same request. + operationId: SetAlertAssignees + requestBody: + content: + application/json: + examples: + add: + $ref: >- + #/components/examples/Security_Detections_API_SetAlertAssigneesBodyAdd + remove: + $ref: >- + #/components/examples/Security_Detections_API_SetAlertAssigneesBodyRemove + schema: + $ref: >- + #/components/schemas/Security_Detections_API_SetAlertAssigneesBody + description: User profile IDs to add or remove on each listed alert document ID. + required: true + responses: + '200': + content: + application/json: + examples: + add: + value: + batches: 1 + deleted: 0 + failures: [] + noops: 0 + requests_per_second: -1 + retries: + bulk: 0 + search: 0 + throttled_millis: 0 + throttled_until_millis: 0 + timed_out: false + took: 76 + total: 1 + updated: 1 + version_conflicts: 0 + schema: + additionalProperties: true + description: Elasticsearch update by query or update by IDs response + type: object + description: Indicates a successful call. 
+ '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request body].ids: at least one alert id is required to + update assignees + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [POST /api/detection_engine/signals/assignees] is + unauthorized for the current user, this action is granted + by the Kibana Security Solution privileges for cases and + detections + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Assign and unassign users from detection alerts + tags: + - Security Detections API + - Alerts API + /api/detection_engine/signals/finalize_migration: + post: + deprecated: true + description: > + **DEPRECATED.** Completes a legacy alert index migration. Do not + automate against this in new code. 
+ + **WARNING:** Finalizing swaps read aliases; confirm the migration has + finished successfully before calling. + + + Finalize successful migrations of detection alerts. This replaces the + original index's alias with the + + successfully migrated index's alias. The endpoint is idempotent, so you + can poll until a migration + + finishes and then call this operation once. + operationId: FinalizeAlertsMigration + requestBody: + content: + application/json: + examples: + oneMigration: + value: + migration_ids: + - 924f7c50-505f-11eb-ae0a-3fa2e626a51d + schema: + example: + migration_ids: + - 924f7c50-505f-11eb-ae0a-3fa2e626a51d + type: object + properties: + migration_ids: + description: Array of `migration_id`s to finalize. + items: + type: string + minItems: 1 + type: array + required: + - migration_ids + description: Array of `migration_id`s to finalize + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + migrations: + - completed: true + destinationIndex: .siem-signals-default-000002-r000016 + id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d + sourceIndex: .siem-signals-default-000002 + status: success + updated: '2021-01-06T22:05:56.859Z' + version: 16 + schema: + items: + $ref: >- + #/components/schemas/Security_Detections_API_MigrationFinalizationResult + type: array + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request body].migration_ids: at least one migration id is + required to finalize + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to 
authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Finalize detection alert migrations + tags: + - Security Detections API + - Alerts migration API + /api/detection_engine/signals/migration: + delete: + deprecated: true + description: > + **DEPRECATED.** Cleanup API for old migration artifacts. Do not add new + call sites. + + **WARNING:** This schedules deletions; ensure no production reads still + point at the source index. + + + Migrations favor data integrity over shard size. Consequently, unused or + orphaned indices are artifacts of + + the migration process. A successful migration can leave both the old and + new indices present, so the old + + index may be deleted. While you can delete these indices manually, the + endpoint applies a deletion policy + + to the relevant index, causing it to be deleted after 30 days, and + removes other migration-specific artifacts. + operationId: AlertsMigrationCleanup + requestBody: + content: + application/json: + examples: + cleanupMigrations: + value: + migration_ids: + - 924f7c50-505f-11eb-ae0a-3fa2e626a51d + schema: + example: + migration_ids: + - 924f7c50-505f-11eb-ae0a-3fa2e626a51d + type: object + properties: + migration_ids: + description: Array of `migration_id`s to cleanup. 
+ items: + type: string + minItems: 1 + type: array + required: + - migration_ids + description: Array of `migration_id`s to cleanup + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + migrations: + - destinationIndex: .siem-signals-default-000002-r000016 + id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d + sourceIndex: .siem-signals-default-000002 + status: success + updated: 2021-01-06T22:05:56.859Z + version: 16 + schema: + items: + $ref: >- + #/components/schemas/Security_Detections_API_MigrationCleanupResult + type: array + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request body].migration_ids: at least one migration id is + required to run cleanup + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Clean up detection alert migrations + tags: + - Security Detections API + - Alerts migration API + post: + deprecated: true + description: > + **DEPRECATED.** Legacy API for on-demand 
reindexing of old + `.siem-signals-*` alert indices. Do not build new + + integrations; upgrade the Elastic Stack and rely on product-managed data + lifecycle instead. + + **WARNING:** Migrations can be resource intensive and should be planned + during a maintenance window. + + + Initiate a migration of detection alerts. Migrations are initiated per + index. The process is not destructive + + and should not remove existing data, but it can consume significant + cluster resources. Plan capacity accordingly. + operationId: CreateAlertsMigration + requestBody: + content: + application/json: + examples: + singleIndex: + value: + index: + - .siem-signals-default-000001 + schema: + allOf: + - type: object + properties: + index: + description: Array of index names to migrate. + items: + format: nonempty + minLength: 1 + type: string + minItems: 1 + type: array + required: + - index + - $ref: >- + #/components/schemas/Security_Detections_API_AlertsReindexOptions + description: Alerts migration parameters + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + indices: + - index: .siem-signals-default-000001, + migration_id: 923f7c50-505f-11eb-ae0a-3fa2e626a51d + migration_index: .siem-signals-default-000001-r000016 + schema: + type: object + properties: + indices: + items: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexMigrationSuccess + - $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexMigrationError + - $ref: >- + #/components/schemas/Security_Detections_API_SkippedAlertsIndexMigration + type: array + required: + - indices + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request body].index: at least one index name is required + to start a migration + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: 
>- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Initiate a detection alert migration + tags: + - Security Detections API + - Alerts migration API + /api/detection_engine/signals/migration_status: + get: + deprecated: true + description: > + **DEPRECATED.** This endpoint was used for historical `.siem-signals-*` + index migration workflows. Do not use + + for new automations; there is no supported replacement in this public + API. + + **WARNING:** Prefer upgrading through supported Elastic stack upgrades + rather than ad-hoc index migrations. + + + Retrieves indices that contain detection alerts of a particular age, + along with migration information for + + each of those indices. + operationId: ReadAlertsMigrationStatus + parameters: + - description: Maximum age of qualifying detection alerts + in: query + name: from + required: true + schema: + description: > + Time from which data is analyzed. For example, now-4200s means the + rule analyzes data from 70 minutes + + before its start time. Defaults to now-6m (analyzes data from 6 + minutes before the start time). 
+ example: now-30d + format: date-math + type: string + responses: + '200': + content: + application/json: + examples: + success: + value: + indices: + - index: .siem-signals-default-000002 + is_outdated: true + migrations: + - id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d + status: pending + updated: 2021-01-06T20:41:37.173Z + version: 16 + signal_versions: + - count: 100 + version: 15 + - count: 87 + version: 16 + version: 15 + - index: .siem-signals-default-000003 + is_outdated: false + migrations: [] + signal_versions: + - count: 54 + version: 16 + version: 16 + schema: + type: object + properties: + indices: + items: + $ref: >- + #/components/schemas/Security_Detections_API_IndexMigrationStatus + type: array + required: + - indices + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query].from: expected date-math, received null' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Retrieve the status of detection alert migrations 
+ tags: + - Security Detections API + - Alerts migration API + /api/detection_engine/signals/search: + post: + description: Find and/or aggregate detection alerts that match the given query. + operationId: SearchAlerts + requestBody: + content: + application/json: + examples: + query: + value: + aggs: + alertsByGrouping: + terms: + field: host.name + size: 10 + missingFields: + missing: + field: host.name + query: + bool: + filter: + - bool: + filter: + - match_phrase: + kibana.alert.workflow_status: open + must: [] + must_not: + - exists: + field: kibana.alert.building_block_type + should: [] + - range: + '@timestamp': + gte: 2025-01-17T08:00:00.000Z + lte: 2025-01-18T07:59:59.999Z + runtime_mappings: {} + size: 0 + schema: + $ref: >- + #/components/schemas/Security_Detections_API_QueryAlertsBodyParams + description: Elasticsearch query and aggregation request + description: Search and/or aggregation query + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + _shards: + failed: 0 + skipped: 0 + successful: 1 + total: 1 + aggregations: + alertsByGrouping: + buckets: + - doc_count: 5 + key: Host-f43kkddfyc + doc_count_error_upper_bound: 0 + sum_other_doc_count: 0 + missingFields: + doc_count: 0 + hits: + hits: [] + max_score: null + total: + relation: eq + value: 5 + timed_out: false + took: 0 + schema: + additionalProperties: true + description: Elasticsearch search response + type: object + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + Failed to parse search request: unknown query clause in + bool filter + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + 
error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Find and/or aggregate detection alerts + tags: + - Security Detections API + - Alerts API + /api/detection_engine/signals/status: + post: + description: Set the status of one or more detection alerts. + operationId: SetAlertsStatus + requestBody: + content: + application/json: + examples: + byId: + value: + signal_ids: + - >- + 80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1 + status: closed + byQuery: + value: + conflicts: proceed + query: + bool: + filter: + - '@timestamp': + format: strict_date_optional_time + gte: 2024-10-23T07:00:00.000Z + lte: 2025-01-21T20:12:11.704Z + range: null + - bool: + filter: + bool: + filter: + - match_phrase: + kibana.alert.workflow_status: open + - '@timestamp': + format: strict_date_optional_time + gte: 2024-10-23T07:00:00.000Z + lte: 2025-01-21T20:12:11.704Z + range: null + must: [] + must_not: + - exists: + field: kibana.alert.building_block_type + should: [] + must: [] + must_not: [] + should: [] + status: closed + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_SetAlertsStatusByIds + - $ref: >- + #/components/schemas/Security_Detections_API_SetAlertsStatusByQuery + description: >- + An object containing desired status and explicit alert ids or a query + to select alerts + required: true + responses: + 
'200': + content: + application/json: + examples: + byId: + value: + batches: 1 + deleted: 0 + failures: [] + noops: 0 + requests_per_second: -1 + retries: + bulk: 0 + search: 0 + throttled_millis: 0 + throttled_until_millis: 0 + timed_out: false + took: 81 + total: 1 + updated: 1 + version_conflicts: 0 + byQuery: + value: + batches: 1 + deleted: 0 + failures: [] + noops: 0 + requests_per_second: -1 + retries: + bulk: 0 + search: 0 + throttled_millis: 0 + throttled_until_millis: 0 + timed_out: false + took: 100 + total: 17 + updated: 17 + version_conflicts: 0 + schema: + additionalProperties: true + description: Elasticsearch update by query response + type: object + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request body].signal_ids: at least one alert id is + required to update status + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Set a detection alert status + tags: + - Security Detections API + - Alerts API + 
/api/detection_engine/signals/tags: + post: + description: > + Add tags to detection alerts, and remove them from alerts, by alert IDs + or a query, in a single request. + + > info + + > You cannot add and remove the same alert tag in the same request. + operationId: SetAlertTags + requestBody: + content: + application/json: + examples: + add: + $ref: >- + #/components/examples/Security_Detections_API_SetAlertTagsBodyAdd + remove: + $ref: >- + #/components/examples/Security_Detections_API_SetAlertTagsBodyRemove + schema: + $ref: '#/components/schemas/Security_Detections_API_SetAlertTagsBody' + description: >- + An object containing tags to add or remove and alert ids the changes + will be applied + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + batches: 1, + deleted: 0, + failures: [] + noops: 0, + requests_per_second: '-1,' + retries: + bulk: 0, + search: 0 + throttled_millis: 0, + throttled_until_millis: 0, + timed_out: false, + took: 68, + total: 1, + updated: 1, + version_conflicts: 0, + schema: + additionalProperties: true + description: Elasticsearch update by query response + type: object + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request body].tags: cannot add and remove the same tag in + a single request + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: 
+ $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Add and remove detection alert tags + tags: + - Security Detections API + - Alerts API + /api/detection_engine/tags: + get: + description: List all unique tags from all detection rules. + operationId: ReadTags + responses: + '200': + content: + application/json: + examples: + example1: + value: + - zeek + - suricata + - windows + - linux + - network + - initial access + - remote access + - phishing + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + description: Indicates a successful call + summary: List all detection rule tags + tags: + - Security Detections API + - Tags API + /api/encrypted_saved_objects/_rotate_key: + post: + description: > + Superuser role required. + + + If a saved object cannot be decrypted using the primary encryption key, + then Kibana will attempt to decrypt it using the specified + decryption-only keys. In most of the cases this overhead is negligible, + but if you're dealing with a large number of saved objects and + experiencing performance issues, you may want to rotate the encryption + key. + + + This functionality is in technical preview and may be changed or removed + in a future release. Elastic will work to fix any issues, but features + in technical preview are not subject to the support SLA of official GA + features. + operationId: rotateEncryptionKey + parameters: + - description: > + Specifies a maximum number of saved objects that Kibana can process + in a single batch. 
Bulk key rotation is an iterative process since + Kibana may not be able to fetch and process all required saved + objects in one go and splits processing into consequent batches. By + default, the batch size is 10000, which is also a maximum allowed + value. + in: query + name: batch_size + required: false + schema: + default: 10000 + type: number + - description: > + Limits encryption key rotation only to the saved objects with the + specified type. By default, Kibana tries to rotate the encryption + key for all saved object types that may contain encrypted + attributes. + in: query + name: type + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + rotateEncryptionKeyResponse: + $ref: '#/components/examples/Saved_objects_key_rotation_response' + schema: + type: object + properties: + failed: + description: > + Indicates the number of the saved objects that were still + encrypted with one of the old encryption keys that Kibana + failed to re-encrypt with the primary key. + type: number + successful: + description: > + Indicates the total number of all encrypted saved objects + (optionally filtered by the requested `type`), regardless + of the key Kibana used for encryption. + + + NOTE: In most cases, `total` will be greater than + `successful` even if `failed` is zero. The reason is that + Kibana may not need or may not be able to rotate + encryption keys for all encrypted saved objects. + type: number + total: + description: > + Indicates the total number of all encrypted saved objects + (optionally filtered by the requested `type`), regardless + of the key Kibana used for encryption. + type: number + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + '429': + content: + application/json: + schema: + type: object + description: Already in progress. 
+ summary: Rotate a key for encrypted saved objects + tags: + - saved objects + /api/endpoint_list: + post: + description: >- + Create the exception list for Elastic Endpoint rule exceptions. When you + create the exception list, it will have a `list_id` of `endpoint_list`. + If the Elastic Endpoint exception list already exists, your request will + return an empty response. + operationId: CreateEndpointList + responses: + '200': + content: + application/json: + examples: + alreadyExists: + summary: Endpoint exception list already exists (empty response) + value: {} + newList: + summary: Endpoint exception list created + value: + created_at: '2025-01-01T00:00:00.000Z' + created_by: elastic + description: Endpoint Security Exception List + id: 2e23a8c4-ef7e-4c10-adfa-3eae4e4b4b8b + immutable: false + list_id: endpoint_list + name: Endpoint Security Exception List + namespace_type: agnostic + os_types: [] + tags: [] + tie_breaker_id: e3c5a8e0-5b6a-4b4b-8b3a-2e23a8c4ef7e + type: endpoint + updated_at: '2025-01-01T00:00:00.000Z' + updated_by: elastic + version: 1 + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_EndpointList + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '500': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server 
error + summary: Create an Elastic Endpoint rule exception list + tags: + - Security Endpoint Exceptions API + /api/endpoint_list/items: + delete: + description: >- + Delete an Elastic Endpoint exception list item, specified by the `id` or + `item_id` field. + operationId: DeleteEndpointListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + responses: + '200': + content: + application/json: + examples: + deleted: + summary: Deleted endpoint exception list item + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: >- + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: [] + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json: + schema: + $ref: >- + 
#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item not found + '500': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Delete an Elastic Endpoint exception list item + tags: + - Security Endpoint Exceptions API + get: + description: >- + Get the details of an Elastic Endpoint exception list item, specified by + the `id` or `item_id` field. + operationId: ReadEndpointListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + responses: + '200': + content: + application/json: + examples: + item: + summary: Endpoint exception list item + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: >- + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: + - policy:all + tie_breaker_id: 
f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item not found + '500': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Get an Elastic Endpoint rule exception list item + tags: + - Security Endpoint Exceptions API + post: + description: >- + Create an Elastic Endpoint exception list item, and associate it with + the Elastic Endpoint exception list. 
+ operationId: CreateEndpointListItem + requestBody: + content: + application/json: + examples: + matchAny: + summary: Exclude multiple process names + value: + description: Exclude common security tools from endpoint protection + entries: + - field: process.name + operator: included + type: match_any + value: + - scanner.exe + - updater.exe + name: Trusted security tools + os_types: + - windows + type: simple + simpleMatch: + summary: Block a specific file hash + value: + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: >- + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + name: Block malicious file + os_types: + - windows + tags: + - policy:all + type: simple + schema: + type: object + properties: + comments: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray + item_id: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + meta: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName + os_types: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags + default: [] + type: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType + required: + - type + - name + - description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + created: + summary: 
Endpoint exception list item created + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: >- + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '409': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item already exists + '500': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Create an Elastic Endpoint rule exception list item + tags: + - Security Endpoint Exceptions API + put: + description: >- + Update an Elastic Endpoint exception list item, specified by the `id` or + 
`item_id` field. + operationId: UpdateEndpointListItem + requestBody: + content: + application/json: + examples: + updateName: + summary: Update an endpoint exception list item + value: + description: Updated description for the exception + entries: + - field: file.hash.sha256 + operator: included + type: match + value: >- + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + item_id: block-malicious-file + name: Block malicious file (updated) + os_types: + - windows + - linux + type: simple + schema: + type: object + properties: + _version: + description: >- + The version id, normally returned by the API when the item + is retrieved. Use it ensure updates are made against the + latest version. + type: string + comments: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray + id: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId + description: Either `id` or `item_id` must be specified + item_id: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + description: Either `id` or `item_id` must be specified + meta: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName + os_types: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags + type: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType + required: + - type + - name + - description + - entries + description: Exception list item's 
properties + required: true + responses: + '200': + content: + application/json: + examples: + updated: + summary: Endpoint exception list item updated + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Updated description for the exception + entries: + - field: file.hash.sha256 + operator: included + type: match + value: >- + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file (updated) + namespace_type: agnostic + os_types: + - windows + - linux + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-15T09:30:00.000Z' + updated_by: elastic + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item not found + '500': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Update an Elastic Endpoint rule exception list item + tags: + - Security 
Endpoint Exceptions API + /api/endpoint_list/items/_find: + get: + description: Get a list of all Elastic Endpoint exception list items. + operationId: FindEndpointListItems + parameters: + - description: > + Filters the returned results according to the value of the specified + field, + + using the `:` syntax. + in: query + name: filter + required: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter + - description: The page number to return + in: query + name: page + required: false + schema: + minimum: 0 + type: integer + - description: The number of exception list items to return per page + in: query + name: per_page + required: false + schema: + minimum: 0 + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: enum: - - event:write - - config_agent:read + - desc + - asc + type: string + responses: + '200': + content: + application/json: + examples: + foundItems: + summary: Found endpoint exception list items + value: + data: + - comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: >- + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + page: 1 + per_page: 20 + total: 1 + schema: + type: object + 
properties: + data: + description: The list of endpoint exception list items. + items: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + type: array + page: + description: The current page number. + minimum: 0 + type: integer + per_page: + description: The number of items per page. + minimum: 0 + type: integer + pit: + description: The point-in-time ID for pagination. + type: string + total: + description: The total number of endpoint exception list items. + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list not found + '500': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Get Elastic Endpoint exception list items + tags: + - Security Endpoint Exceptions API + /api/endpoint/action: + get: + description: Get a list of all response actions. 
+ operationId: EndpointGetActionsList + parameters: + - in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + - in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' + - in: query + name: commands + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' + - in: query + name: agentIds + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + - in: query + name: userIds + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' + - in: query + name: startDate + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' + - in: query + name: endDate + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' + - in: query + name: agentTypes + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + - in: query + name: withOutputs + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' + - in: query + name: types + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse + description: Indicates a successful call. + summary: Get response actions + tags: + - Security Endpoint Management API + /api/endpoint/action_status: + get: + description: Get the status of response actions for the specified agent IDs. + operationId: EndpointGetActionsStatus + parameters: + - description: A list of agent IDs to get the action status for. 
+ in: query + name: agent_ids + required: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse + description: Indicates a successful call. + summary: Get response actions status + tags: + - Security Endpoint Management API + /api/endpoint/action/{action_id}: + get: + description: Get the details of a response action using the action ID. + operationId: EndpointGetActionsDetails + parameters: + - in: path + name: action_id + required: true + schema: + description: The ID of the action to retrieve. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + type: string + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ActionDetailsResponse + description: OK + summary: Get action details + tags: + - Security Endpoint Management API + /api/endpoint/action/{action_id}/file/{file_id}: + get: + description: | + Get information for the specified response action file download. + operationId: EndpointFileInfo + parameters: + - description: The ID of the response action that generated the file. + in: path + name: action_id + required: true + schema: + type: string + - description: > + The file identifier is constructed in one of two ways: + + - For Elastic Defend agents (`agentType` of `endpoint`): combine the + `action_id` and `agent_id` values using a dot (`.`) separator: + + `{file_id}` = `{action_id}.{agent_id}` + + - For all other agent types: the `file_id` is the `agent_id` for + which the response action was sent to. + in: path + name: file_id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + schema: + properties: + data: + type: object + properties: + actionId: + description: The response action ID. 
+ type: string + agentId: + description: The agent ID that generated the file. + type: string + agentType: + description: The type of agent that generated the file. + type: string + created: + description: The date and time the file was created. + format: date-time + type: string + id: + description: The unique file identifier. + type: string + mimeType: + description: The MIME type of the file. + type: string + name: + description: The file name. + type: string + size: + description: The file size in bytes. + type: number + status: + description: The file upload status. + enum: + - AWAITING_UPLOAD + - UPLOADING + - READY + - UPLOAD_ERROR + - DELETED + type: string + description: Indicates a successful call. + summary: Get file information + tags: + - Security Endpoint Management API + /api/endpoint/action/{action_id}/file/{file_id}/download: + get: + description: > + Download a file associated with a response action. Files are downloaded + in a password-protected `.zip` archive to prevent the file from running. + Use password `elastic` to open the `.zip` in a safe environment. + + > info + + > Files retrieved from third-party-protected hosts require a different + password. Refer to [Third-party response + actions](https://www.elastic.co/docs/solutions/security/endpoint-response-actions/third-party-response-actions) + for your system's password. + operationId: EndpointFileDownload + parameters: + - description: The ID of the response action that generated the file. + in: path + name: action_id + required: true + schema: + type: string + - description: > + The file identifier is constructed in one of two ways: + + - For Elastic Defend agents (`agentType` of `endpoint`): combine the + `action_id` and `agent_id` values using a dot (`.`) separator: + + `{file_id}` = `{action_id}.{agent_id}` + + - For all other agent types: the `file_id` is the `agent_id` for + which the response action was sent to. 
+ in: path + name: file_id + required: true + schema: + type: string + responses: + '200': + content: + application/octet-stream: + schema: + format: binary + type: string + description: Indicates a successful call. + summary: Download a file + tags: + - Security Endpoint Management API + /api/endpoint/action/cancel: + post: + description: >- + Cancel a running or pending response action (Applies only to some agent + types). + operationId: CancelAction + requestBody: + content: + application/json: + examples: + MicrosoftDefenderEndpoint: + summary: >- + Cancel a response action on a Microsoft Defender for Endpoint + host + value: + agent_type: microsoft_defender_endpoint + comment: Cancelling action due to change in requirements + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_CancelRouteRequestBody + required: true + responses: + '200': + content: + application/json: + examples: + CancelSuccess: + summary: Cancel action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: microsoft_defender_endpoint + command: cancel + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse + description: Indicates a successful call. + summary: Cancel a response action + tags: + - Security Endpoint Management API + /api/endpoint/action/execute: + post: + description: Run a shell command on an endpoint. 
+ operationId: EndpointExecuteAction + requestBody: + content: + application/json: + examples: + executeCommand: + summary: Execute a shell command on an endpoint + value: + comment: Get list of all files + endpoint_ids: + - b3d6de74-36b0-4fa8-be46-c375bf1771bf + parameters: + command: ls -al + timeout: 600 + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody + required: true + responses: + '200': + content: + application/json: + examples: + ExecuteSuccess: + summary: Execute action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: execute + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 9f934028-2300-4927-b531-b26376793dc4 + isCompleted: false + isExpired: false + outputs: {} + parameters: + command: ls -al + timeout: 600 + startedAt: '2023-07-28T18:43:27.362Z' + status: pending + wasSuccessful: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse + description: Indicates a successful call. + summary: Run a command + tags: + - Security Endpoint Management API + /api/endpoint/action/get_file: + post: + description: Get a file from an endpoint. 
+ operationId: EndpointGetFileAction + requestBody: + content: + application/json: + examples: + getFile: + summary: Get a specific file from an endpoint + value: + comment: Get my file + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody + required: true + responses: + '200': + content: + application/json: + examples: + GetFileSuccess: + summary: Get file action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: get-file + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse + description: Indicates a successful call. + summary: Get a file + tags: + - Security Endpoint Management API + /api/endpoint/action/isolate: + post: + description: >- + Isolate an endpoint from the network. The endpoint remains isolated + until it's released. 
+ operationId: EndpointIsolateAction + requestBody: + content: + application/json: + examples: + multiple_endpoints: + summary: Isolates several hosts; includes a comment + value: + comment: Locked down, pending further investigation + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + single_endpoint: + summary: >- + Isolates a single host with an endpoint_id value of + ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + with_case_id: + summary: Isolates a single host with a case_id value of 1234 + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Isolating as initial response + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e + schema: + type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_AgentTypes + alert_ids: + description: >- + If this action is associated with any alerts, they can be + specified here. The action will be logged in any cases + associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + case_ids: + description: >- + The IDs of cases where the action taken will be logged. Max + of 50. 
+ example: + - case-id-1 + - case-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + comment: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_Parameters + required: + - endpoint_ids + required: true + responses: + '200': + content: + application/json: + examples: + IsolateSuccess: + summary: Isolate action successfully created + value: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: isolate + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse + description: Indicates a successful call. + summary: Isolate an endpoint + tags: + - Security Endpoint Management API + /api/endpoint/action/kill_process: + post: + description: Terminate a running process on an endpoint. 
+ operationId: EndpointKillProcessAction + requestBody: + content: + application/json: + examples: + byEntityId: + summary: Terminate a process by entity ID + value: + comment: Terminating malicious process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + byPid: + summary: Terminate a process by PID + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + pid: 1234 + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody + required: true + responses: + '200': + content: + application/json: + examples: + KillProcessSuccess: + summary: Kill process action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: kill-process + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse + description: Indicates a successful call. + summary: Terminate a process + tags: + - Security Endpoint Management API + /api/endpoint/action/memory_dump: + post: + description: Generates memory dumps on the targeted host. 
+ operationId: EndpointGenerateMemoryDump + requestBody: + content: + application/json: + examples: + ProcessMemoryDump: + summary: Generate a memory dump from the host machine + value: + agent_type: endpoint + comment: Generating memory dump for investigation + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + type: process + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_MemoryDumpRouteRequestBody + required: true + responses: + '200': + content: + application/json: + examples: + MemoryDumpSuccessResponse: + summary: Memory dump action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: memory-dump + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + entity_id: abc123 + type: process + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse + description: Indicates a successful call. + summary: Generate a memory dump from the host machine + tags: + - Security Endpoint Management API + /api/endpoint/action/running_procs: + post: + description: Get a list of all processes running on an endpoint. 
+ operationId: EndpointGetProcessesAction + requestBody: + content: + application/json: + examples: + singleEndpoint: + summary: Get running processes on a single endpoint + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody + required: true + responses: + '200': + content: + application/json: + examples: + RunningProcsSuccess: + summary: Running processes action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: running-processes + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse + description: Indicates a successful call. + summary: Get running processes + tags: + - Security Endpoint Management API + /api/endpoint/action/runscript: + post: + description: Run a script on a host. Currently supported only for some agent types. 
+ operationId: RunScriptAction + requestBody: + content: + application/json: + examples: + MDE: + description: Microsoft Defender Endpoint runscript + summary: Run a script against a Microsoft Defender Endpoint agent + value: + agent_type: microsoft_defender_endpoint + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + args: '-param1 value1 -param2 value2' + scriptName: my-script.ps1 + SentinelOne: + description: SentinelOne runscript + summary: Run a script against a SentinelOne agent + value: + agent_type: sentinel_one + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 + scriptInput: >- + --delete --paths-to-delete + /tmp/temp_file.txt,/tmp/random_file.txt + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_RunScriptRouteRequestBody + required: true + responses: + '200': + content: + application/json: + examples: + RunScriptSuccess: + summary: Run script action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: sentinel_one + command: runscript + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse + description: Indicates a successful call. + summary: Run a script + tags: + - Security Endpoint Management API + /api/endpoint/action/scan: + post: + description: Scan a specific file or directory on an endpoint for malware. 
+ operationId: EndpointScanAction + requestBody: + content: + application/json: + examples: + scanFile: + summary: Scan a file on an endpoint + value: + comment: Scan the file for malware + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody + required: true + responses: + '200': + content: + application/json: + examples: + ScanSuccess: + summary: Scan action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: scan + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse + description: Indicates a successful call. + summary: Scan a file or directory + tags: + - Security Endpoint Management API + /api/endpoint/action/state: + get: + description: >- + Get a response actions state, which reports whether encryption is + enabled. + operationId: EndpointGetActionsState + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse + description: OK + summary: Get actions state + tags: + - Security Endpoint Management API + /api/endpoint/action/suspend_process: + post: + description: Suspend a running process on an endpoint. 
+ operationId: EndpointSuspendProcessAction + requestBody: + content: + application/json: + examples: + byEntityId: + summary: Suspend a process by entity ID + value: + comment: Suspending suspicious process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + byPid: + summary: Suspend a process by PID + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + pid: 1234 + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody + required: true + responses: + '200': + content: + application/json: + examples: + SuspendProcessSuccess: + summary: Suspend process action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: suspend-process + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse + description: Indicates a successful call. + summary: Suspend a process + tags: + - Security Endpoint Management API + /api/endpoint/action/unisolate: + post: + description: Release an isolated endpoint, allowing it to rejoin a network. 
+ operationId: EndpointUnisolateAction + requestBody: + content: + application/json: + examples: + multipleHosts: + summary: 'Releases several hosts; includes a comment:' + value: + comment: Benign process identified, releasing group + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + singleHost: + summary: >- + Releases a single host with an endpoint_id value of + ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + withCaseId: + summary: Releases hosts with an associated case; includes a comment. + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Remediation complete, restoring network + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e + schema: + type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_AgentTypes + alert_ids: + description: >- + If this action is associated with any alerts, they can be + specified here. The action will be logged in any cases + associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + case_ids: + description: >- + The IDs of cases where the action taken will be logged. Max + of 50. 
+ example: + - case-id-1 + - case-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + comment: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_Parameters + required: + - endpoint_ids + required: true + responses: + '200': + content: + application/json: + examples: + UnisolateSuccess: + summary: Unisolate action successfully created + value: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: unisolate + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse + description: Indicates a successful call. + summary: Release an isolated endpoint + tags: + - Security Endpoint Management API + /api/endpoint/action/upload: + post: + description: Upload a file to an endpoint. 
+ operationId: EndpointUploadAction + requestBody: + content: + multipart/form-data: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody + required: true + responses: + '200': + content: + application/json: + examples: + UploadSuccess: + summary: Upload action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: upload + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: Host-5i6cuc8kdv + id: 9ff6aebc-2cb6-481e-8869-9b30036c9731 + isCompleted: false + isExpired: false + outputs: {} + parameters: + file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280 + file_name: fix-malware.sh + file_sha256: >- + a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a + file_size: 69 + startedAt: '2023-07-03T15:07:22.837Z' + status: pending + wasSuccessful: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse + description: Indicates a successful call. + summary: Upload a file + tags: + - Security Endpoint Management API + /api/endpoint/metadata: + get: + description: Get a list of all endpoint host metadata. 
+ operationId: GetEndpointMetadataList + parameters: + - in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + - in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' + - in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' + - in: query + name: hostStatuses + required: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_HostStatuses' + - in: query + name: sortField + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SortField' + - in: query + name: sortDirection + required: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SortDirection + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_MetadataListResponse + description: Indicates a successful call. + summary: Get a metadata list + tags: + - Security Endpoint Management API + /api/endpoint/metadata/{id}: + get: + description: Get host metadata for a specific endpoint. + operationId: GetEndpointMetadata + parameters: + - description: The agent ID of the endpoint. + in: path + name: id + required: true + schema: + example: ed518850-681a-4d60-bb98-e22640cae2a8 + type: string + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointMetadataResponse + description: Indicates a successful call. + summary: Get metadata + tags: + - Security Endpoint Management API + /api/endpoint/policy_response: + get: + description: Get the most recent policy response for an endpoint. + operationId: GetPolicyResponse + parameters: + - description: The agent ID to retrieve the policy response for. 
+ in: query + name: agentId + required: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse + description: Indicates a successful call. + summary: Get a policy response + tags: + - Security Endpoint Management API + /api/endpoint/protection_updates_note/{package_policy_id}: + get: + description: Get the protection updates note for a package policy. + operationId: GetProtectionUpdatesNote + parameters: + - description: The package policy ID to retrieve the protection updates note for. + in: path + name: package_policy_id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse + description: Indicates a successful call. + summary: Get a protection updates note + tags: + - Security Endpoint Management API + post: + description: Create or update the protection updates note for a package policy. + operationId: CreateUpdateProtectionUpdatesNote + parameters: + - description: >- + The package policy ID to create or update the protection updates + note for. + in: path + name: package_policy_id + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + type: object + properties: + note: + description: The note content. + type: string + required: true + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse + description: Indicates a successful call. 
+ summary: Create or update a protection updates note + tags: + - Security Endpoint Management API + /api/entity_analytics/monitoring/engine/delete: + delete: + description: >- + Deletes the Privilege Monitoring Engine and optionally removes all + associated privileged user data. + operationId: DeleteMonitoringEngine + parameters: + - description: Whether to delete all the privileged user data + in: query + name: data + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + DeleteMonitoringEngineResponse: + summary: Engine deleted successfully + value: + deleted: true + schema: + type: object + properties: + deleted: + type: boolean + required: + - deleted + description: Successful response + summary: Delete the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + /api/entity_analytics/monitoring/engine/disable: + post: + description: >- + Disables the Privilege Monitoring Engine, stopping all monitoring + activity without removing data. + operationId: DisableMonitoringEngine + responses: + '200': + content: + application/json: + examples: + DisableMonitoringEngineResponse: + summary: Engine disabled successfully + value: + status: disabled + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor + description: Successful response + summary: Disable the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + /api/entity_analytics/monitoring/engine/init: + post: + description: >- + Initializes the Privilege Monitoring Engine, setting up the required + resources and starting the engine. 
+ operationId: InitMonitoringEngine + responses: + '200': + content: + application/json: + examples: + InitMonitoringEngineResponse: + summary: Engine initialized successfully + value: + status: started + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor + description: Successful response + '500': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor + description: Internal Server Error + summary: Initialize the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + /api/entity_analytics/monitoring/engine/schedule_now: + post: + description: >- + Schedules the Privilege Monitoring Engine to run as soon as possible, + triggering an immediate monitoring cycle. + operationId: ScheduleMonitoringEngine + responses: + '200': + content: + application/json: + examples: + ScheduleMonitoringEngineResponse: + summary: Engine scheduled successfully + value: + success: true + schema: + type: object + properties: + success: + description: Indicates the scheduling was successful + type: boolean + description: Successful response + '409': + content: + application/json: + schema: + type: object + properties: + message: + description: Error message indicating the engine is already running + type: string + description: Conflict - Monitoring engine is already running + summary: Schedule the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + /api/entity_analytics/monitoring/privileges/health: + get: + description: >- + Returns the current health status of the Privilege Monitoring Engine, + including engine status, error details, and user count statistics. 
+ operationId: PrivMonHealth + responses: + '200': + content: + application/json: + examples: + PrivMonHealthResponse: + summary: Healthy privilege monitoring engine + value: + status: started + users: + current_count: 42 + max_allowed: 1000 + schema: + type: object + properties: + error: + type: object + properties: + message: + type: string + required: + - status + status: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus + users: + description: User statistics for privilege monitoring + type: object + properties: + current_count: + description: Current number of privileged users being monitored + type: integer + max_allowed: + description: >- + Maximum number of privileged users allowed to be + monitored + type: integer + required: + - current_count + - max_allowed + required: + - status + description: Successful response + summary: Health check on Privilege Monitoring + tags: + - Security Entity Analytics API + /api/entity_analytics/monitoring/privileges/privileges: + get: + description: >- + Check if the current user has all required permissions for Privilege + Monitoring + operationId: PrivMonPrivileges + responses: + '200': + content: + application/json: + example: + has_all_required: true + privileges: + elasticsearch: + index: + .entity_analytics.monitoring.user-default: + read: true + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EntityAnalyticsPrivileges + description: Successful response + summary: Run a privileges check on Privilege Monitoring + tags: + - Security Entity Analytics API + /api/entity_analytics/monitoring/users: + post: + description: >- + Creates a new privileged user to be monitored by the Privilege + Monitoring Engine. 
+ operationId: CreatePrivMonUser + requestBody: + content: + application/json: + examples: + CreatePrivMonUserRequest: + summary: Create a monitored user + value: + entity_analytics_monitoring: + labels: + - field: department + source: api + value: IT + user: + name: john.doe + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_UserName' + required: true + responses: + '200': + content: + application/json: + examples: + CreatePrivMonUserResponse: + summary: Created monitored user + value: + '@timestamp': '2026-01-28T12:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: api + value: IT + event: + ingested: '2026-01-28T12:00:00.000Z' + id: user-abc-123 + user: + is_privileged: true + name: john.doe + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc + description: User created successfully + summary: Create a new monitored user + tags: + - Security Entity Analytics API + /api/entity_analytics/monitoring/users/_csv: + post: + description: >- + Bulk upserts privileged users by uploading a CSV file. Returns per-row + errors and aggregate upload statistics. + operationId: PrivmonBulkUploadUsersCSV + requestBody: + content: + multipart/form-data: + schema: + type: object + properties: + file: + description: The CSV file to upload. 
+ format: binary + type: string + required: + - file + responses: + '200': + content: + application/json: + schema: + example: + errors: + - index: 1 + message: Invalid monitored field + username: john.doe + stats: + failedOperations: 1 + successfulOperations: 1 + totalOperations: 2 + uploaded: 1 + type: object + properties: + errors: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem + type: array + stats: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadStats + required: + - errors + - stats + description: Bulk upload successful + '413': + description: File too large + summary: Upsert multiple monitored users via CSV upload + tags: + - Security Entity Analytics API + /api/entity_analytics/monitoring/users/{id}: + delete: + description: Removes a privileged user from monitoring by their document ID. + operationId: DeletePrivMonUser + parameters: + - in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + DeletePrivMonUserResponse: + summary: User deleted successfully + value: + acknowledged: true + message: User deleted successfully + schema: + type: object + properties: + acknowledged: + description: Indicates if the deletion was successful + type: boolean + message: + description: >- + A message providing additional information about the + deletion status + type: string + required: + - success + description: User deleted successfully + summary: Delete a monitored user + tags: + - Security Entity Analytics API + put: + description: >- + Updates the details of an existing monitored privileged user by their + document ID. 
+ operationId: UpdatePrivMonUser + parameters: + - in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + UpdatePrivMonUserRequest: + summary: Update a monitored user + value: + entity_analytics_monitoring: + labels: + - field: department + source: api + value: Security + user: + is_privileged: true + name: john.doe + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc + required: true + responses: + '200': + content: + application/json: + examples: + UpdatePrivMonUserResponse: + summary: Updated monitored user + value: + '@timestamp': '2026-01-28T12:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: api + value: Security + event: + ingested: '2026-01-28T12:00:00.000Z' + id: user-abc-123 + user: + is_privileged: true + name: john.doe + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc + description: User updated successfully + summary: Update a monitored user + tags: + - Security Entity Analytics API + /api/entity_analytics/monitoring/users/list: + get: + description: >- + Returns a list of all privileged users currently being monitored. + Supports optional KQL filtering. 
+ operationId: ListPrivMonUsers + parameters: + - description: KQL query to filter the list of monitored users + in: query + name: kql + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + ListPrivMonUsersResponse: + summary: List of monitored users + value: + - '@timestamp': '2026-01-28T12:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: api + value: IT + event: + ingested: '2026-01-28T12:00:00.000Z' + id: user-abc-123 + user: + is_privileged: true + name: john.doe + - '@timestamp': '2026-01-15T09:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: csv + value: Security + event: + ingested: '2026-01-15T09:00:00.000Z' + id: user-def-456 + user: + is_privileged: true + name: jane.smith + schema: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc + type: array + description: List of monitored users + summary: List all monitored users + tags: + - Security Entity Analytics API + /api/entity_analytics/privileged_user_monitoring/pad/install: + post: + description: >- + Installs the privileged access detection integration package and sets up + the associated ML modules required for the Entity Analytics privileged + user monitoring experience. 
+ operationId: InstallPrivilegedAccessDetectionPackage + responses: + '200': + content: + application/json: + examples: + InstallPrivilegedAccessDetectionPackageResponse: + summary: Package installed successfully + value: + message: Privileged access detection package installed successfully + schema: + type: object + properties: + message: + type: string + required: + - message + description: Successful response + summary: >- + Installs the privileged access detection package for the Entity + Analytics privileged user monitoring experience + tags: + - Security Entity Analytics API + /api/entity_analytics/privileged_user_monitoring/pad/status: + get: + description: >- + Returns the installation and ML module setup status of the privileged + access detection package, along with the state of each associated ML + job. + operationId: GetPrivilegedAccessDetectionPackageStatus + responses: + '200': + content: + application/json: + examples: + GetPrivilegedAccessDetectionPackageStatusResponse: + summary: Package fully installed and running + value: + jobs: + - description: Detects high-risk login patterns + job_id: pad-high-risk-login + state: opened + - description: Detects privilege escalation events + job_id: pad-privilege-escalation + state: opened + ml_module_setup_status: complete + package_installation_status: complete + schema: + type: object + properties: + jobs: + items: + type: object + properties: + description: + type: string + job_id: + type: string + state: + enum: + - closing + - closed + - opened + - failed + - opening + type: string + required: + - job_id + - state + type: array + ml_module_setup_status: + enum: + - complete + - incomplete + type: string + package_installation_status: + enum: + - complete + - incomplete + type: string + required: + - package_installation_status + - ml_module_setup_status + - jobs + description: Privileged access detection status retrieved + summary: >- + Gets the status of the privileged access detection package for the + 
Entity Analytics privileged user monitoring experience + tags: + - Security Entity Analytics API + /api/entity_analytics/watchlists: + post: + description: >- + Creates a new entity analytics watchlist with an optional set of entity + sources. Watchlists apply a risk score modifier to matched entities. + operationId: CreateWatchlist + requestBody: + content: + application/json: + examples: + CreateWatchlistRequest: + summary: Create watchlist request + value: + description: High risk vendor watchlist + managed: false + name: High Risk Vendors + riskModifier: 1.5 + CreateWatchlistWithSourcesRequest: + summary: Create watchlist with entity sources + value: + description: High risk vendor watchlist + entitySources: + - enabled: true + identifierField: user.name + indexPattern: my-sync-index + name: My User Index Source + type: index + managed: false + name: High Risk Vendors + riskModifier: 1.5 + schema: + type: object + properties: + description: + description: Description of the watchlist + type: string + entitySources: + description: Optional entity sources to create and link to the watchlist + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + filter: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_Filter + identifierField: + description: >- + Field used to query the entity store for index-type + sources + type: string + indexPattern: + type: string + integrationName: + description: >- + Required when type is entity_analytics_integration. + One of entityanalytics_okta, entityanalytics_ad. 
+ type: string + matchers: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_Matcher + type: array + name: + type: string + queryRule: + description: >- + KQL query used to filter data from the provided index + patterns + type: string + range: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_DateRange + type: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EntitySourceType + required: + - type + - name + type: array + managed: + description: Indicates if the watchlist is managed by the system + type: boolean + name: + description: Unique name for the watchlist + type: string + riskModifier: + description: Risk score modifier associated with the watchlist + maximum: 2 + minimum: 0 + type: number + required: + - name + - riskModifier + required: true + responses: + '200': + content: + application/json: + examples: + CreateWatchlistResponse: + summary: Created watchlist + value: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-01-28T12:00:00.000Z' + schema: + allOf: + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_WatchlistObject + - type: object + properties: + entitySources: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySource + type: array + description: Watchlist created successfully + summary: Create a new watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview + /api/entity_analytics/watchlists/{id}: + get: + description: >- + Retrieves the details of an entity analytics watchlist by its unique + identifier. 
+ operationId: GetWatchlist + parameters: + - description: Unique ID of the watchlist + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + GetWatchlistResponse: + summary: Watchlist details + value: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_WatchlistObject + description: Watchlist details + summary: Get a watchlist by ID + tags: + - Security Entity Analytics API + x-state: Technical Preview + put: + description: >- + Updates the name, description, risk modifier, or managed status of an + existing entity analytics watchlist. + operationId: UpdateWatchlist + parameters: + - description: The ID of the watchlist to update + in: path + name: id + required: true + schema: type: string - type: array - required: - - name - - privileges - APM_UI_agent_keys_response: - type: object - properties: - agentKey: - description: Agent key - type: object - properties: - api_key: - type: string - encoded: - type: string - expiration: - format: int64 - type: integer - id: - type: string - name: - type: string - required: - - id - - name - - api_key - - encoded - APM_UI_annotation_search_response: - type: object - properties: - annotations: - description: Annotations - items: - type: object - properties: - '@timestamp': - type: number - id: - type: string - text: - type: string - type: - enum: - - version - type: string - type: array - APM_UI_base_source_map_object: - type: object - properties: - compressionAlgorithm: - description: Compression Algorithm - type: string - created: - description: Created date - type: string - decodedSha256: - description: Decoded SHA-256 - type: string - decodedSize: - description: Decoded size - type: number - encodedSha256: - description: 
Encoded SHA-256 - type: string - encodedSize: - description: Encoded size - type: number - encryptionAlgorithm: - description: Encryption Algorithm - type: string - id: - description: Identifier - type: string - identifier: - description: Identifier - type: string - packageName: - description: Package name - type: string - relative_url: - description: Relative URL - type: string - type: - description: Type - type: string - APM_UI_create_annotation_object: - type: object - properties: - '@timestamp': - description: The date and time of the annotation. It must be in ISO 8601 format. - type: string - message: - description: The message displayed in the annotation. It defaults to `service.version`. - type: string - service: - description: The service that identifies the configuration to create or update. - type: object - properties: - environment: - description: The environment of the service. - type: string - version: - description: The version of the service. - type: string - required: - - version - tags: - description: | - Tags are used by the Applications UI to distinguish APM annotations from other annotations. Tags may have additional functionality in future releases. It defaults to `[apm]`. While you can add additional tags, you cannot remove the `apm` tag. 
- items: + requestBody: + content: + application/json: + examples: + UpdateWatchlistRequest: + summary: Update watchlist request + value: + description: High risk vendor watchlist + managed: false + name: High Risk Vendors + riskModifier: 1.5 + schema: + type: object + properties: + description: + description: Description of the watchlist + type: string + managed: + description: Indicates if the watchlist is managed by the system + type: boolean + name: + description: Unique name of the watchlist + type: string + riskModifier: + description: Risk score modifier associated with the watchlist + maximum: 2 + minimum: 0 + type: number + required: + - name + - riskModifier + required: true + responses: + '200': + content: + application/json: + examples: + UpdateWatchlistResponse: + summary: Updated watchlist + value: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_WatchlistObject + description: Watchlist updated successfully + summary: Update an existing watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview + /api/entity_analytics/watchlists/{watchlist_id}/csv_upload: + post: + description: > + Uploads a CSV file to add entities to a watchlist. The CSV must contain + a header row + + with a "type" column (user, host, service, or generic) and one or more + ECS identity + + fields (e.g. "user.name", "host.hostname") used to match entities in the + entity store. + + + Matched entities are added to the watchlist and their + `entity.attributes.watchlists` + + field is updated in the entity store. + + + Each row will match up to 10,000 entities. 
+ operationId: UploadWatchlistCsv + parameters: + - description: The ID of the watchlist to add entities to + example: high-risk-vendors + in: path + name: watchlist_id + required: true + schema: + type: string + requestBody: + content: + multipart/form-data: + examples: + csvUpload: + summary: CSV file with user entities + value: + file: | + type,user.name + user,john.doe + user,jane.smith + schema: + type: object + properties: + file: + description: The CSV file to upload. + format: binary + type: string + required: + - file + required: true + responses: + '200': + content: + application/json: + examples: + CsvUploadResponse: + summary: CSV upload response with mixed results + value: + failed: 1 + items: + - matchedEntities: 1 + status: success + - error: Invalid entity type + matchedEntities: 0 + status: failure + - matchedEntities: 0 + status: unmatched + successful: 1 + total: 3 + unmatched: 1 + schema: + type: object + properties: + failed: + description: Number of rows that failed to process + example: 1 + type: integer + items: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem + type: array + successful: + description: Number of rows that matched at least one entity + example: 1 + type: integer + total: + description: Total number of rows processed + example: 3 + type: integer + unmatched: + description: Number of rows that matched no entities + example: 1 + type: integer + required: + - successful + - failed + - total + - unmatched + - items + description: Upload successful + '413': + description: File too large + summary: Upload a CSV file to add entities to a watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview + /api/entity_analytics/watchlists/{watchlist_id}/entities/assign: + post: + description: > + Assigns the provided entities to the specified watchlist using a + "manual" source label. + + The entities must already exist in the entity store. 
+ + + If an entity is already on the watchlist, no new document is created — + the "manual" label + + is added to its existing source labels instead. + operationId: AssignWatchlistEntities + parameters: + - description: The ID of the watchlist to add entities to + example: high-risk-vendors + in: path + name: watchlist_id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + assignEntities: + summary: Assign two entities to a watchlist + value: + euids: + - user:john.doe + - host:web-01 + schema: + type: object + properties: + euids: + description: The EUIDs of the entities to assign + example: + - user:john.doe + - host:web-01 + items: + type: string + type: array + required: + - euids + required: true + responses: + '200': + content: + application/json: + examples: + assignEntitiesResponse: + summary: Successful assignment of two entities + value: + failed: 0 + items: + - euid: user:john.doe + status: success + - euid: host:web-01 + status: not_found + not_found: 1 + successful: 1 + total: 2 + schema: + type: object + properties: + failed: + description: Number of entities that failed to process + example: 0 + type: integer + items: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem + type: array + not_found: + description: Number of entities not found in the entity store + example: 1 + type: integer + successful: + description: Number of entities successfully assigned + example: 1 + type: integer + total: + description: Total number of entities processed + example: 2 + type: integer + required: + - successful + - failed + - not_found + - total + - items + description: Assignment successful + summary: Manually assign entities to a watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview; added in 9.4.0 + /api/entity_analytics/watchlists/{watchlist_id}/entities/unassign: + post: + description: | + Unassigns the provided entities from the 
specified watchlist. + This only removes the "manual" assignment. If the entity is also + assigned via other sources (for example, index or integration), it will + remain on the watchlist. + operationId: UnassignWatchlistEntities + parameters: + - description: The ID of the watchlist to remove entities from + example: high-risk-vendors + in: path + name: watchlist_id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + unassignEntities: + summary: Unassign two entities from a watchlist + value: + euids: + - user:john.doe + - host:web-01 + schema: + type: object + properties: + euids: + description: The EUIDs of the entities to unassign + example: + - user:john.doe + - host:web-01 + items: + type: string + type: array + required: + - euids + required: true + responses: + '200': + content: + application/json: + examples: + unassignEntitiesResponse: + summary: Successful unassignment of two entities + value: + failed: 0 + items: + - euid: user:john.doe + status: success + - euid: host:web-01 + status: not_found + not_found: 1 + successful: 1 + total: 2 + schema: + type: object + properties: + failed: + description: Number of entities that failed to process + example: 0 + type: integer + items: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem + type: array + not_found: + description: >- + Number of entities not found in the manual watchlist + assignment + example: 1 + type: integer + successful: + description: Number of entities successfully unassigned + example: 1 + type: integer + total: + description: Total number of entities processed + example: 2 + type: integer + required: + - successful + - failed + - not_found + - total + - items + description: Unassignment successful + summary: Manually unassign entities from a watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview; added in 9.4.0 + /api/entity_analytics/watchlists/list: + get: 
+ description: Returns a list of all entity analytics watchlists. + operationId: ListWatchlists + responses: + '200': + content: + application/json: + examples: + ListWatchlistsResponse: + summary: List of watchlists + value: + - createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + - createdAt: '2026-01-10T09:30:00.000Z' + description: Privileged user monitoring watchlist + id: watchlist-456 + managed: true + name: Privileged Accounts + riskModifier: 2 + updatedAt: '2026-02-01T15:45:00.000Z' + schema: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_WatchlistObject + type: array + description: List of watchlists + summary: List all watchlists + tags: + - Security Entity Analytics API + x-state: Technical Preview + /api/entity_store/enable: + post: + description: >- + Initialize the entire Entity Store, creating engines for all or + specified entity types. + operationId: InitEntityStore + requestBody: + content: + application/json: + schema: + type: object + properties: + delay: + default: 1m + description: The delay before the transform will run. + pattern: '[smdh]$' + type: string + docsPerSecond: + default: -1 + description: The number of documents per second to process. + type: integer + enrichPolicyExecutionInterval: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' + entityTypes: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EntityType + type: array + fieldHistoryLength: + default: 10 + description: The number of historical values to keep for each field. + type: integer + filter: + type: string + frequency: + default: 1m + description: The frequency at which the transform will run. 
+ pattern: '[smdh]$' + type: string + indexPattern: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_IndexPattern + lookbackPeriod: + default: 3h + description: >- + The amount of time the transform looks back to calculate the + aggregations. + pattern: '[smdh]$' + type: string + maxPageSearchSize: + default: 500 + description: >- + The initial page size to use for the composite aggregation + of each checkpoint. + type: integer + timeout: + default: 180s + description: The timeout for initializing the aggregating transform. + pattern: '[smdh]$' + type: string + timestampField: + default: '@timestamp' + description: The field to use as the timestamp. + type: string + description: Configuration for the entity store initialization. + required: true + responses: + '200': + content: + application/json: + examples: + initEntityStoreExample: + description: >- + The Entity Store was successfully initialized, creating host + and user engines in the installing state. + summary: Entity Store initialized with host and user engines + value: + engines: + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: installing + timeout: 180s + timestampField: '@timestamp' + type: host + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: installing + timeout: 180s + timestampField: '@timestamp' + type: user + succeeded: true + schema: + type: object + properties: + engines: + description: The engine descriptors created during initialization. + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor + type: array + succeeded: + description: Whether the Entity Store was initialized successfully. 
+ type: boolean + description: Successful response + '400': + description: Invalid request + summary: Initialize the Entity Store + tags: + - Security Entity Analytics API + /api/entity_store/engines: + delete: + operationId: DeleteEntityEngines + parameters: + - description: >- + The entity type of the engine ('user', 'host', 'service', + 'generic'). + examples: + hostAndService: + value: host,service + in: query + name: entityTypes + required: false + schema: + description: >- + Array of engine types to delete. Empty by default, which results + in all the engines being deleted. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + - description: Control flag to also delete the entity data. + in: query + name: delete_data + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteEntityEnginesExample: + description: Example response after deleting 'host' engine + value: + deleted: + - host + still_running: + - generic + - user + - service + schema: + type: object + properties: + deleted: + description: Entity types whose engines were successfully deleted. + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EntityType + type: array + still_running: + description: Entity types whose engines are still running. + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EntityType + type: array + description: Successful response + summary: Delete Entity Engines + tags: + - Security Entity Analytics API + get: + description: Get a list of all installed entity engines and their current status. + operationId: ListEntityEngines + responses: + '200': + content: + application/json: + examples: + listEntityEnginesExample: + description: >- + Returns a list with one running host engine and one stopped + user engine. 
+ summary: Two engines installed + value: + count: 2 + engines: + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: host + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: stopped + timeout: 180s + timestampField: '@timestamp' + type: user + schema: + type: object + properties: + count: + description: The total number of entity engines. + type: integer + engines: + description: An array of engine descriptors. + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor + type: array + description: Successful response + summary: List the Entity Engines + tags: + - Security Entity Analytics API + /api/entity_store/engines/{entityType}: + delete: + operationId: DeleteEntityEngine + parameters: + - description: The entity type of the engine (either 'user' or 'host'). + examples: + host: + value: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + - description: Control flag to also delete the entity data. + in: query + name: delete_data + required: false + schema: + type: boolean + - deprecated: true + description: Control flag to also delete the entity data. + in: query + name: data + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteEntityEngineExample: + description: Example response after deleting 'host' engine + value: + deleted: true + schema: + type: object + properties: + deleted: + description: Whether the engine was successfully deleted. + type: boolean + description: Successful response + summary: Delete the Entity Engine + tags: + - Security Entity Analytics API + get: + description: >- + Get the engine descriptor for a specific entity type, including its + configuration and current status. 
+ operationId: GetEntityEngine + parameters: + - description: The entity type of the engine. + example: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + responses: + '200': + content: + application/json: + examples: + getEntityEngineExample: + description: >- + Returns the engine descriptor for a host engine that is + currently running with default settings. + summary: A running host engine + value: + delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: host + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor + description: Successful response + summary: Get an Entity Engine + tags: + - Security Entity Analytics API + /api/entity_store/engines/{entityType}/init: + post: + description: Initialize a single entity engine for the specified entity type. + operationId: InitEntityEngine + parameters: + - description: The entity type of the engine. + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + requestBody: + content: + application/json: + schema: + type: object + properties: + delay: + default: 1m + description: The delay before the transform will run. + pattern: '[smdh]$' + type: string + docsPerSecond: + default: -1 + description: The number of documents per second to process. + type: integer + enrichPolicyExecutionInterval: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' + fieldHistoryLength: + default: 10 + description: The number of historical values to keep for each field. + type: integer + filter: + type: string + frequency: + default: 1m + description: The frequency at which the transform will run. 
+ pattern: '[smdh]$' + type: string + indexPattern: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_IndexPattern + lookbackPeriod: + default: 3h + description: >- + The amount of time the transform looks back to calculate the + aggregations. + pattern: '[smdh]$' + type: string + maxPageSearchSize: + default: 500 + description: >- + The initial page size to use for the composite aggregation + of each checkpoint. + type: integer + timeout: + default: 180s + description: The timeout for initializing the aggregating transform. + pattern: '[smdh]$' + type: string + timestampField: + default: '@timestamp' + description: The field to use as the timestamp for the entity type. + type: string + description: Schema for the engine initialization + required: true + responses: + '200': + content: + application/json: + examples: + initEntityEngineExample: + description: >- + A host engine was successfully initialized and is now in the + installing state. + summary: Host engine initialized + value: + delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 3h + status: installing + timeout: 180s + timestampField: '@timestamp' + type: host + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor + description: Successful response + '400': + description: Invalid request + summary: Initialize an Entity Engine + tags: + - Security Entity Analytics API + /api/entity_store/engines/{entityType}/start: + post: + description: >- + Start a previously stopped entity engine, resuming transform processing + for the given entity type. + operationId: StartEntityEngine + parameters: + - description: The entity type of the engine to start. 
+ example: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + responses: + '200': + content: + application/json: + examples: + startEntityEngineExample: + description: >- + The engine was successfully started and is now processing + data. + summary: Engine started successfully + value: + started: true + schema: + type: object + properties: + started: + description: Whether the engine was successfully started. + type: boolean + description: Successful response + summary: Start an Entity Engine + tags: + - Security Entity Analytics API + /api/entity_store/engines/{entityType}/stop: + post: + description: >- + Stop a running entity engine, pausing transform processing for the given + entity type. + operationId: StopEntityEngine + parameters: + - description: The entity type of the engine to stop. + example: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + responses: + '200': + content: + application/json: + examples: + stopEntityEngineExample: + description: >- + The engine was successfully stopped and is no longer + processing data. + summary: Engine stopped successfully + value: + stopped: true + schema: + type: object + properties: + stopped: + description: Whether the engine was successfully stopped. + type: boolean + description: Successful response + summary: Stop an Entity Engine + tags: + - Security Entity Analytics API + /api/entity_store/engines/apply_dataview_indices: + post: + description: >- + Synchronize data view index patterns to all running entity engines so + that newly added indices are picked up by the transforms. + operationId: ApplyEntityEngineDataviewIndices + responses: + '200': + content: + application/json: + examples: + applyDataviewIndicesExample: + description: >- + All running engines were successfully updated with the + current data view index patterns. 
+ summary: All engines updated + value: + result: + - changes: + indexPatterns: + - logs-* + - filebeat-* + - auditbeat-* + type: host + - changes: + indexPatterns: + - logs-* + - filebeat-* + - auditbeat-* + type: user + success: true + schema: + type: object + properties: + result: + description: Per-engine update results. + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult + type: array + success: + description: Whether all engines updated successfully. + type: boolean + description: Successful response + '207': + content: + application/json: + examples: + partialSuccessExample: + description: >- + The host engine was updated but the user engine failed due + to insufficient privileges. + summary: One engine failed + value: + errors: + - 'Failed to update user engine: insufficient privileges' + result: + - changes: + indexPatterns: + - logs-* + - filebeat-* + type: host + success: false + schema: + type: object + properties: + errors: + description: Error messages for engines that failed to update. + items: + type: string + type: array + result: + description: Per-engine update results for engines that succeeded. + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult + type: array + success: + description: Always `false` for a partial success. + type: boolean + description: Partial successful response + '500': + content: + application/json: + examples: + serverErrorExample: + description: >- + An unexpected error occurred while applying data view + indices. + summary: Internal server error + value: + body: An internal error occurred while updating engine indices + statusCode: 500 + schema: + type: object + properties: + body: + description: Error message. + type: string + statusCode: + description: HTTP status code. 
+ type: number + description: Error response + summary: Apply DataView indices to all installed engines + tags: + - Security Entity Analytics API + /api/entity_store/entities/{entityType}: + delete: + description: > + Delete a single entity in Entity Store. + + The entity will be immediately deleted from the latest index. It will + remain available in historical snapshots if it has been snapshotted. + The delete operation does not prevent the entity from being recreated if + it is observed again in the future. + operationId: DeleteSingleEntity + parameters: + - example: user + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + requestBody: + content: + application/json: + schema: + type: object + properties: + id: + description: >- + Identifier of the entity to be deleted, commonly entity.id + value. + example: arn:aws:iam::123456789012:user/jane.doe + type: string + required: + - id + description: Schema for the deleting entity + required: true + responses: + '200': + content: + application/json: + examples: + deleteEntityExample: + description: >- + The entity was found and successfully removed from the + latest index. + summary: Entity deleted + value: + deleted: true + schema: + type: object + properties: + deleted: + description: Whether the entity was successfully deleted. + type: boolean + description: Successful response. Entity deleted. + '404': + description: Entity Not Found. No entity with this ID and Type exists. + '503': + description: >- + Operation on an uninitialized Engine or in a cluster without CRUD + API Enabled + summary: Delete an entity in Entity Store + tags: + - Security Entity Analytics API + put: + description: > + Update or create an entity in Entity Store. + + If the specified entity already exists, it is updated with the provided + values. If the entity does not exist, a new one is created. 
By default, + only the following fields can be updated: * `entity.attributes.*` * + `entity.lifecycle.*` * `entity.behavior.*` To update other fields, set + the `force` query parameter to `true`. > info > Some fields always + retain the first observed value. Updates to these fields will not appear + in the final index. + + > Due to technical limitations, not all updates are guaranteed to appear + in the final list of observed values. + + > Due to technical limitations, create is an async operation. The time + for a document to be present in the > final index depends on the entity + store transform and usually takes more than 1 minute. + operationId: UpsertEntity + parameters: + - example: user + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + - description: When true, allows updating protected fields. + in: query + name: force + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' + description: Schema for the updating a single entity + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' + description: Entity updated or created + '403': + description: Operation on a restricted field + '409': + description: >- + Conflict. The entity was updated while another update was happening + in ElasticSearch + '503': + description: >- + Operation on an uninitialized Engine or in a cluster without CRUD + API Enabled + summary: Upsert an entity in Entity Store + tags: + - Security Entity Analytics API + /api/entity_store/entities/bulk: + put: + description: > + Update or create many entities in Entity Store. + + If the specified entity already exists, it is updated with the provided + values. If the entity does not exist, a new one is created. + + The creation is asynchronous. 
The time for a document to be present in + the final index depends on the entity store transform and usually takes + more than 1 minute. + operationId: UpsertEntitiesBulk + parameters: + - description: When true, allows updating protected fields. + in: query + name: force + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EntitiesContainer + description: Schema for the updating many entities + required: true + responses: + '200': + description: Entities updated or created + '403': + description: Operation on a restricted field + '503': + description: >- + Operation on an uninitialized Engine or in a cluster without CRUD + API Enabled + summary: Upsert many entities in Entity Store + tags: + - Security Entity Analytics API + /api/entity_store/entities/list: + get: + description: List entities records, paging, sorting and filtering as needed. + operationId: ListEntities + parameters: + - description: Field to sort results by. + example: entity.name + in: query + name: sort_field + required: false + schema: type: string - type: array - required: - - '@timestamp' - - service - APM_UI_create_annotation_response: - type: object - properties: - _id: - description: Identifier - type: string - _index: - description: Index - type: string - _source: - description: Response - type: object - properties: - '@timestamp': - type: string - annotation: + - description: Sort order. + in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + - description: Page number to return (1-indexed). + example: 1 + in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - description: Number of entities per page. + example: 10 + in: query + name: per_page + required: false + schema: + maximum: 10000 + minimum: 1 + type: integer + - description: An ES query to filter by. 
+ in: query + name: filterQuery + required: false + schema: + type: string + - description: Entity types to include in the results. + in: query + name: entity_types + required: true + schema: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + responses: + '200': + content: + application/json: + schema: + type: object + properties: + inspect: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_InspectQuery + page: + description: Current page number. + minimum: 1 + type: integer + per_page: + description: Number of entities per page. + maximum: 1000 + minimum: 1 + type: integer + records: + description: The entity records for this page. + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_Entity + type: array + total: + description: Total number of entities matching the query. + minimum: 0 + type: integer + required: + - records + - page + - per_page + - total + description: Entities returned successfully + summary: List Entity Store Entities + tags: + - Security Entity Analytics API + /api/entity_store/status: + get: + description: >- + Get the overall Entity Store status and per-engine statuses, optionally + including component-level health details. + operationId: GetEntityStoreStatus + parameters: + - description: >- + If true, returns a detailed status of each engine including all its + components. + example: true + in: query + name: include_components + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + entityStoreRunning: + description: >- + The Entity Store is running with both host and user engines + started and using default settings. 
+ summary: Entity Store running with two engines + value: + engines: + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: host + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: user + status: running + schema: + type: object + properties: + engines: + description: Per-engine status information. + items: + allOf: + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor + - type: object + properties: + components: + description: >- + Detailed component-level status. Only included + when include_components is true. + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EngineComponentStatus + type: array + type: array + status: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_StoreStatus + description: The overall status of the Entity Store. + required: + - status + - engines + description: Successful response + summary: Get the status of the Entity Store + tags: + - Security Entity Analytics API + /api/exception_lists: + delete: + description: Delete an exception list using the `id` or `list_id` field. + operationId: DeleteExceptionList + parameters: + - description: >- + Exception list's identifier. Either `id` or `list_id` must be + specified. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: >- + Human readable exception list string identifier, e.g. + `trusted-linux-processes`. Either `id` or `list_id` must be + specified. 
+ examples: + autogeneratedId: + value: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + list_id: + value: simple_list + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: > + `single` deletes the list in the current Kibana space; `agnostic` + deletes a global list. Must match the + + list you are removing when using `list_id` or `id`. + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single + responses: + '200': + content: + application/json: + examples: + detectionExceptionList: + value: + _version: WzIsMV0= + created_at: 2025-01-07T19:34:27.942Z + created_by: elastic + description: This is a sample detection type exception list. + id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: 2025-01-07T19:34:27.942Z + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request query]: namespace_type.0: Invalid enum value. 
+ Expected 'agnostic' | 'single', received 'blob' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [DELETE + /api/exception_lists?list_id=simple_list&namespace_type=single] + is unauthorized for user, this action is granted by the + Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list list_id: "foo" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Delete an exception list + tags: + - Security Exceptions API + get: + description: Get the details of an exception list using the `id` or `list_id` field. 
+ operationId: ReadExceptionList + parameters: + - description: >- + Exception list's identifier. Either `id` or `list_id` must be + specified. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: >- + Human readable exception list string identifier, e.g. + `trusted-linux-processes`. Either `id` or `list_id` must be + specified. + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: > + When `single`, the list is resolved in the current Kibana space. + When `agnostic`, the list is a global + + (space-agnostic) container. Required for looking up the correct list + when `list_id` is not unique. + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single + responses: + '200': + content: + application/json: + examples: + detectionType: + value: + _version: WzIsMV0= + created_at: 2025-01-07T19:34:27.942Z + created_by: elastic + description: This is a sample detection type exception list. + id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: 2025-01-07T19:34:27.942Z + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request query]: namespace_type.0: Invalid enum value. 
+ Expected 'agnostic' | 'single', received 'blob' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [GET + /api/exception_lists?list_id=simple_list&namespace_type=single] + is unauthorized for user, this action is granted by the + Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception list details + tags: + - Security Exceptions API + post: + description: > + An exception list groups exception items and can be associated with + detection rules. 
You can assign exception lists to multiple detection + rules. + + > info + + > All exception items added to the same list are evaluated using `OR` + logic. That is, if any of the items in a list evaluate to `true`, the + exception prevents the rule from generating an alert. Likewise, `OR` + logic is used for evaluating exceptions when more than one exception + list is assigned to a rule. To use the `AND` operator, you can define + multiple clauses (`entries`) in a single exception item. + operationId: CreateExceptionList + requestBody: + content: + application/json: + examples: + createDetection: + value: + description: This is a sample detection type exception list. + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + type: detection + schema: + example: + description: This is a sample detection type exception list. + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + type: detection type: object properties: - title: - type: string + description: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListDescription + list_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListMeta + name: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListTags + default: [] type: - type: string - event: - type: object - properties: - created: - type: string - message: - type: string - service: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListType + version: + $ref: >- + 
#/components/schemas/Security_Exceptions_API_ExceptionListVersion + default: 1 + required: + - name + - description + - type + description: Exception list's properties + required: true + responses: + '200': + content: + application/json: + examples: + autogeneratedListId: + value: + _version: WzMsMV0= + created_at: 2025-01-09T01:05:23.019Z + created_by: elastic + description: >- + This is a sample detection type exception with an + autogenerated list_id. + id: 28243c2f-624a-4443-823d-c0b894880931 + immutable: false + list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 + name: Sample Detection Exception List + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: ad94de31-39f7-4ad7-b8e4-988bfa95f338 + type: detection + updated_at: 2025-01-09T01:05:23.020Z + updated_by: elastic + version: 1 + namespaceAgnostic: + value: + _version: WzUsMV0= + created_at: 2025-01-09T01:10:36.369Z + created_by: elastic + description: This is a sample agnostic endpoint type exception. + id: 1a744e77-22ca-4b6b-9085-54f55275ebe5 + immutable: false + list_id: b935eb55-7b21-4c1c-b235-faa1df23b3d6 + name: Sample Agnostic Endpoint Exception List + namespace_type: agnostic + os_types: + - linux + tags: + - malware + tie_breaker_id: 49ea0adc-a2b8-4d83-a8f3-2fb98301dea3 + type: endpoint + updated_at: 2025-01-09T01:10:36.369Z + updated_by: elastic + version: 1 + typeDetection: + value: + _version: WzIsMV0= + created_at: 2025-01-07T19:34:27.942Z + created_by: elastic + description: This is a sample detection type exception list. 
+ id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: 2025-01-07T19:34:27.942Z + updated_by: elastic + version: 1 + typeEndpoint: + value: + _version: WzQsMV0= + created_at: 2025-01-09T01:07:49.658Z + created_by: elastic + description: This is a sample endpoint type exception list. + id: a79f4730-6e32-4278-abfc-349c0add7d54 + immutable: false + list_id: endpoint_list + name: Sample Endpoint Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 94a028af-8f47-427a-aca5-ffaf829e64ee + type: endpoint + updated_at: 2025-01-09T01:07:49.658Z + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: list_id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [POST 
/api/exception_lists] is unauthorized for user, + this action is granted by the Kibana privileges + [lists-all] + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'exception list id: "simple_list" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list already exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create an exception list + tags: + - Security Exceptions API + put: + description: Update an exception list using the `id` or `list_id` field. + operationId: UpdateExceptionList + requestBody: + content: + application/json: + examples: + fullReplace: + value: + description: Different description + list_id: simple_list + name: Updated exception list name + os_types: + - linux + tags: + - draft + - malware + type: detection + schema: + example: + description: Different description + list_id: simple_list + name: Updated exception list name + os_types: + - linux + tags: + - draft malware + type: detection type: object properties: - environment: + _version: + description: >- + The version id, normally returned by the API when the item + was retrieved. Use it ensure updates are done against the + latest version. 
type: string + description: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListDescription + id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + list_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListMeta name: - type: string + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListTags + type: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListType version: - type: string - tags: - items: - type: string - type: array - APM_UI_delete_agent_configurations_response: - type: object - properties: - result: - description: Result - type: string - APM_UI_delete_service_object: - description: Service - type: object - properties: - service: - $ref: '#/components/schemas/APM_UI_service_object' - required: - - service - APM_UI_search_agent_configuration_object: - type: object - properties: - error: - description: | - If provided, the agent configuration will be marked as error and `applied_by_agent` will be set to `false`. - This is useful for cases where the agent configuration was not applied successfully. - type: string - etag: - description: If etags match then `applied_by_agent` field will be set to `true` - example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 - type: string - mark_as_applied_by_agent: - description: | - `markAsAppliedByAgent=true` means "force setting it to true regardless of etag". 
- This is needed for Jaeger agent that doesn't have etags - type: boolean - service: - $ref: '#/components/schemas/APM_UI_service_object' - required: - - service - APM_UI_search_agent_configuration_response: - type: object - properties: - _id: - description: Identifier - type: string - _index: - description: Index - type: string - _score: - description: Score - type: number - _source: - $ref: '#/components/schemas/APM_UI_agent_configuration_object' - APM_UI_service_agent_name_response: - type: object - properties: - agentName: - description: Agent name - example: nodejs - type: string - APM_UI_service_environment_object: - type: object - properties: - alreadyConfigured: - description: Already configured - type: boolean - name: - description: Service environment name - example: ALL_OPTION_VALUE - type: string - APM_UI_service_environments_response: - type: object - properties: - environments: - description: Service environment list - items: - $ref: '#/components/schemas/APM_UI_service_environment_object' - type: array - APM_UI_service_object: - description: Service - type: object - properties: - environment: - description: The environment of the service. - example: prod - type: string - name: - description: The name of the service. 
- example: node - type: string - APM_UI_settings_object: - additionalProperties: - type: string - description: Agent configuration settings - type: object - APM_UI_single_agent_configuration_response: - allOf: - - type: object - properties: - id: - type: string - required: - - id - - $ref: '#/components/schemas/APM_UI_agent_configuration_object' - APM_UI_source_maps_response: - type: object - properties: - artifacts: - description: Artifacts - items: - allOf: - - type: object - properties: - body: - type: object - properties: - bundleFilepath: - type: string - serviceName: - type: string - serviceVersion: - type: string - sourceMap: - type: object - properties: - file: - type: string - mappings: - type: string - sourceRoot: - type: string - sources: - items: - type: string - type: array - sourcesContent: - items: - type: string - type: array - version: - type: number - - $ref: '#/components/schemas/APM_UI_base_source_map_object' - type: array - APM_UI_upload_source_map_object: - type: object - properties: - bundle_filepath: - description: The absolute path of the final bundle as used in the web application. - type: string - service_name: - description: The name of the service that the service map should apply to. - type: string - service_version: - description: The version of the service that the service map should apply to. - type: string - sourcemap: - description: | - The source map. It can be a string or file upload. It must follow the - [source map format specification](https://tc39.es/ecma426/). 
- format: binary - type: string - required: - - service_name - - service_version - - bundle_filepath - - sourcemap - APM_UI_upload_source_maps_response: - allOf: - - type: object - properties: - body: - type: string - - $ref: '#/components/schemas/APM_UI_base_source_map_object' - Cases_actions: - enum: - - add - - create - - delete - - push_to_service - - update - example: create - type: string - Cases_actions_comment_response_properties: - title: Case response properties for actions comments - type: object - properties: - actions: - type: object - properties: - targets: - items: - type: object - properties: - endpointId: - example: 1 - type: string - hostname: - example: host-01 - type: string - type: array - type: - example: isolate - type: string - comment: - example: Isolating the host from the case UI. - type: string - created_at: - example: '2022-05-13T09:16:17.416Z' - format: date-time - type: string - created_by: - $ref: '#/components/schemas/Cases_case_response_created_by_properties' - id: - example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 - type: string - owner: - $ref: '#/components/schemas/Cases_owner' - pushed_at: - example: null - format: date-time - nullable: true - type: string - pushed_by: - $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' - type: - enum: - - actions - example: actions - type: string - updated_at: - example: null - format: date-time - nullable: true - type: string - updated_by: - $ref: '#/components/schemas/Cases_case_response_updated_by_properties' - version: - example: WzIwNDMxLDFd - type: string - required: - - type - Cases_add_alert_comment_request_properties: - description: Defines properties for case comment requests when type is alert. 
- type: object - properties: - alertId: - $ref: '#/components/schemas/Cases_alert_identifiers' - index: - $ref: '#/components/schemas/Cases_alert_indices' - owner: - $ref: '#/components/schemas/Cases_owner' - rule: - $ref: '#/components/schemas/Cases_rule' - type: - description: The type of comment. - enum: - - alert - example: alert - type: string - required: - - alertId - - index - - owner - - rule - - type - title: Add case comment request properties for alerts - Cases_add_case_comment_request: - description: The add comment to case API request body varies depending on whether you are adding an alert or a comment. - discriminator: - mapping: - alert: '#/components/schemas/Cases_add_alert_comment_request_properties' - user: '#/components/schemas/Cases_add_user_comment_request_properties' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Cases_add_alert_comment_request_properties' - - $ref: '#/components/schemas/Cases_add_user_comment_request_properties' - title: Add case comment request - Cases_add_case_file_request: - description: Defines the file that will be attached to the case. Optional parameters will be generated automatically from the file metadata if not defined. - type: object - properties: - file: - description: The file being attached to the case. - format: binary - type: string - filename: - description: The desired name of the file being attached to the case, it can be different than the name of the file in the filesystem. **This should not include the file extension.** - type: string - required: - - file - title: Add case file request properties - Cases_add_user_comment_request_properties: - description: Defines properties for case comment requests when type is user. - properties: - comment: - description: The new comment. It is required only when `type` is `user`. - example: A new comment. - maxLength: 30000 - type: string - owner: - $ref: '#/components/schemas/Cases_owner' - type: - description: The type of comment. 
- enum: - - user - example: user - type: string - required: - - comment - - owner - - type - title: Add case comment request properties for user comments - type: object - Cases_alert_comment_response_properties: - title: Add case comment response properties for alerts - type: object - properties: - alertId: - items: - example: a6e12ac4-7bce-457b-84f6-d7ce8deb8446 + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListVersion + required: + - name + - description + - type + description: Exception list's properties + required: true + responses: + '200': + content: + application/json: + examples: + simpleList: + value: + _version: WzExLDFd + created_at: 2025-01-07T20:43:55.264Z + created_by: elastic + description: Different description + id: fa7f545f-191b-4d32-b1f0-c7cd62a79e55 + immutable: false + list_id: simple_list + name: Updated exception list name + namespace_type: single + os_types: [] + tags: + - draft malware + tie_breaker_id: 319fe983-acdd-4806-b6c4-3098eae9392f + type: detection + updated_at: 2025-01-07T21:32:03.726Z + updated_by: elastic + version: 2 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: list_id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: 
>- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [PUT /api/exception_lists] is unauthorized for user, + this action is granted by the Kibana privileges + [lists-all] + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Update an exception list + tags: + - Security Exceptions API + /api/exception_lists/_duplicate: + post: + description: Duplicate an existing exception list. + operationId: DuplicateExceptionList + parameters: + - description: The `list_id` of the existing exception list to copy (source list). + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: >- + Scope in which the source list is defined (`single` = current space, + `agnostic` = all spaces). + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: true + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + - description: >- + Determines whether to include expired exceptions in the duplicated + list. Expiration date defined by `expire_time`. 
+ in: query + name: include_expired_exceptions + required: true + schema: + default: 'true' + enum: + - 'true' + - 'false' + example: true type: string - type: array - created_at: - example: '2023-11-06T19:29:38.424Z' - format: date-time - type: string - created_by: - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - id: - example: 73362370-ab1a-11ec-985f-97e55adae8b9 - type: string - index: - items: - example: .internal.alerts-security.alerts-default-000001 + responses: + '200': + content: + application/json: + examples: + detectionExceptionList: + value: + _version: WzExNDY1LDFd + created_at: 2025-01-09T16:19:50.280Z + created_by: elastic + description: This is a sample detection type exception + id: b2f4a715-6ab1-444c-8b1e-3fa1b1049429 + immutable: false + list_id: d6390d60-bce3-4a48-9002-52db600f329c + name: Sample Detection Exception List [Duplicate] + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: 6fa670bd-666d-4c9c-9f1e-d1dbc516e985 + type: detection + updated_at: 2025-01-09T16:19:50.280Z + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request query]: namespace_type: Invalid enum value. 
+ Expected 'agnostic' | 'single', received 'foo' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [POST /api/exception_lists/_duplicate] is unauthorized + for user, this action is granted by the Kibana privileges + [lists-all] + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list id: "foo" does not exist' + status_code: 404 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Exception list not found + '405': + content: + application/json: + examples: + notAllowed: + value: + message: >- + Cannot duplicate: list is immutable or the operation is + not allowed in this state + status_code: 405 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list to duplicate not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: 
'#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Duplicate an exception list + tags: + - Security Exceptions API + /api/exception_lists/_export: + post: + description: Export an exception list and its associated items to an NDJSON file. + operationId: ExportExceptionList + parameters: + - description: >- + Exception list's internal `id` (UUID) returned on create; use with + `list_id` and `namespace_type` for an unambiguous target. + in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: >- + Human-readable `list_id` of the exception list to export, as shown + in the UI and API responses. + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: > + `single` exports a list in the current Kibana space; `agnostic` + exports a global (space-agnostic) list. + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: true + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + - description: >- + Determines whether to include expired exceptions in the exported + list. Expiration date defined by `expire_time`. 
+ example: true + in: query + name: include_expired_exceptions + required: true + schema: + default: 'true' + enum: + - 'true' + - 'false' type: string - type: array - owner: - $ref: '#/components/schemas/Cases_owner' - pushed_at: - example: null - format: date-time - nullable: true - type: string - pushed_by: - nullable: true - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - rule: - type: object - properties: - id: - description: The rule identifier. - example: 94d80550-aaf4-11ec-985f-97e55adae8b9 - nullable: true - type: string - name: - description: The rule name. - example: security_rule - nullable: true - type: string - type: - enum: - - alert - example: alert - type: string - updated_at: - format: date-time - nullable: true - type: string - updated_by: - nullable: true - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - version: - example: WzMwNDgsMV0= - type: string - required: - - type - Cases_alert_identifiers: - description: | - The alert identifiers. It is required only when `type` is `alert`. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; `index` must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. 
Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. - example: 6b24c4dc44bc720cfc92797f3d61fff952f2b2627db1fb4f8cc49f4530c4ff42 - oneOf: - - type: string - - items: + responses: + '200': + content: + application/ndjson: + examples: + exportSavedObjectsResponse: + value: > + {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This + is a sample detection type + exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample + Detection Exception + List","namespace_type":"single","os_types":[],"tags":["user + added string for a + tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} + + {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This + is a sample endpoint type + exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some + host","another + host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample + Endpoint Exception + List","namespace_type":"single","os_types":["linux"],"tags":["user + added string for a + tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} + + {"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0} + schema: + description: >- + A `.ndjson` file containing specified exception list and its + items + format: binary + type: string + description: Successful response 
+ '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request query]: list_id: Required, namespace_type: + Required + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [POST /api/exception_lists/_export] is unauthorized + for user, this action is granted by the Kibana privileges + [lists-all] + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Export an exception list + tags: + - Security Exceptions API + /api/exception_lists/_find: + get: + description: Get a list of all 
exception list containers. + operationId: FindExceptionLists + parameters: + - description: > + Filters the returned results according to the value of the specified + field. + + + Uses the `so type.field name:field` value syntax, where `so type` + can be: + + + - `exception-list`: Specify a space-aware exception list. + + - `exception-list-agnostic`: Specify an exception list that is + shared across spaces. + in: query + name: filter + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_FindExceptionListsFilter + - description: > + Determines whether the returned containers are Kibana associated + with a Kibana space + + or available in all spaces (`agnostic` or `single`) + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + type: array + - description: The page number to return + in: query + name: page + required: false + schema: + example: 1 + minimum: 1 + type: integer + - description: The number of exception lists to return per page + in: query + name: per_page + required: false + schema: + example: 20 + minimum: 1 + type: integer + - description: Determines which field is used to sort the results. + in: query + name: sort_field + required: false + schema: + example: name type: string - maxItems: 1000 - type: array - title: Alert identifiers - x-state: Technical preview - Cases_alert_indices: - description: | - The alert indices. It is required only when `type` is `alert`. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the `alertId` array. This functionality is in technical preview and may be changed or removed in a future release. 
Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. - oneOf: - - type: string - - items: + - description: Determines the sort order, which can be `desc` or `asc`. + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + example: desc + type: string + responses: + '200': + content: + application/json: + examples: + simpleLists: + value: + data: + - _version: WzIsMV0= + created_at: 2025-01-07T19:34:27.942Z + created_by: elastic + description: This is a sample detection type exception list. + id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Detection Exception List + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: 2025-01-07T19:34:27.942Z + updated_by: elastic + version: 1 + page: 1 + per_page: 20 + total: 1 + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionList + type: array + page: + minimum: 1 + type: integer + per_page: + minimum: 1 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request query]: namespace_type.0: Invalid enum value. 
+ Expected 'agnostic' | 'single', received 'blob' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [GET /api/exception_lists/_find?namespace_type=single] + is unauthorized for user, this action is granted by the + Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception lists + tags: + - Security Exceptions API + /api/exception_lists/_import: + post: + description: Import an exception list and its associated items from an NDJSON file. + operationId: ImportExceptionList + parameters: + - description: > + Determines whether existing exception lists with the same `list_id` + are overwritten. + + If any exception items have the same `item_id`, those are also + overwritten. 
+ in: query + name: overwrite + required: false + schema: + default: false + example: false + type: boolean + - description: > + Determines whether the list being imported will have a new `list_id` + generated. + + Additional `item_id`'s are generated for each exception item. Both + the exception + + list and its items are overwritten. + in: query + name: as_new_list + required: false + schema: + default: false + example: false + type: boolean + requestBody: + content: + multipart/form-data: + examples: + ndjsonUpload: + value: + file: exception_lists.ndjson + schema: + type: object + properties: + file: + description: A `.ndjson` file containing the exception list + example: > + {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This + is a sample detection type + exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample + Detection Exception + List","namespace_type":"single","os_types":[],"tags":["user + added string for a + tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} + + {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This + is a sample endpoint type + exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some + host","another + host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample + Endpoint Exception + List","namespace_type":"single","os_types":["linux"],"tags":["user + added string for a + tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} + format: binary + type: string + required: 
true + responses: + '200': + content: + application/json: + examples: + withErrors: + value: + errors: + - error: + message: >- + Error found importing exception list: Invalid value + \"4\" supplied to \"list_id\" + status_code: 400 + list_id: (unknown list_id) + - error: + message: >- + Found that item_id: + \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" already + exists. Import of item_id: + \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" skipped. + status_code: 409 + item_id: f7fd00bb-dba8-4c93-9d59-6cbd427b6330 + list_id: 7d7cccb8-db72-4667-b1f3-648efad7c1ee + success: false, + success_count: 0, + success_count_exception_list_items: 0 + success_count_exception_lists: 0, + success_exception_list_items: false, + success_exception_lists: false, + withoutErrors: + value: + errors: [] + success: true + success_count: 2 + success_count_exception_list_items: 1 + success_count_exception_lists: 1 + success_exception_list_items: true + success_exception_lists: true, + schema: + type: object + properties: + errors: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray + success: + type: boolean + success_count: + minimum: 0 + type: integer + success_count_exception_list_items: + minimum: 0 + type: integer + success_count_exception_lists: + minimum: 0 + type: integer + success_exception_list_items: + type: boolean + success_exception_lists: + type: boolean + required: + - errors + - success + - success_count + - success_exception_lists + - success_count_exception_lists + - success_exception_list_items + - success_count_exception_list_items + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + Multipart part `file` is required and must contain a valid + .ndjson exception list export + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + 
#/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [POST /api/exception_lists/_import] is unauthorized + for user, this action is granted by the Kibana privileges + [lists-all] + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Import an exception list + tags: + - Security Exceptions API + /api/exception_lists/items: + delete: + description: Delete an exception list item using the `id` or `item_id` field. + operationId: DeleteExceptionListItem + parameters: + - description: >- + Exception item's identifier. Either `id` or `item_id` must be + specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + - description: >- + Human readable exception item string identifier, e.g. + `trusted-linux-processes`. 
Either `id` or `item_id` must be + specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + - description: > + `single` deletes the item in the current Kibana space; `agnostic` + deletes an item in a space-agnostic list. Must match the list that + owns the item. + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single + responses: + '200': + content: + application/json: + examples: + simpleExceptionItem: + value: + _version: WzQsMV0= + comments: [] + created_at: 2025-01-07T20:07:33.119Z + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: 2025-01-07T20:07:33.119Z + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request query]: namespace_type.0: Invalid enum value. 
+ Expected 'agnostic' | 'single', received 'blob' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [DELETE + /api/exception_lists/items?item_id=simple_list&namespace_type=single] + is unauthorized for user, this action is granted by the + Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: \"foo\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Delete an exception list item + tags: + - Security Exceptions API + get: + description: >- + Get the details of an exception list item using the `id` or `item_id` + field. 
+ operationId: ReadExceptionListItem + parameters: + - description: >- + Exception list item's identifier. Either `id` or `item_id` must be + specified. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + - description: >- + Human readable exception item string identifier, e.g. + `trusted-linux-processes`. Either `id` or `item_id` must be + specified. + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + - description: > + `single` fetches the item in the current space; `agnostic` fetches a + global (space-agnostic) item. Must + + match how the list was created. + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single + responses: + '200': + content: + application/json: + examples: + simpleListItem: + value: + _version: WzQsMV0= + comments: [] + created_at: 2025-01-07T20:07:33.119Z + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: 2025-01-07T20:07:33.119Z + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request query]: namespace_type.0: Invalid enum value. + Expected 'agnostic' | 'single', received 'blob' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [GET + /api/exception_lists/items?item_id=&namespace_type=single] + is unauthorized for user, this action is granted by the + Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough 
privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: \"foo\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get an exception list item + tags: + - Security Exceptions API + post: + description: > + Create an exception item and associate it with the specified exception + list. + + > info + + > Before creating exception items, you must create an exception list. + operationId: CreateExceptionListItem + requestBody: + content: + application/json: + examples: + simpleItem: + value: + description: This is a sample detection type exception item. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemGeneric + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemEndpointList + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemEventFilters + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemHostIsolation + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistWindows + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistLinux + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistMac + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + autogeneratedItemId: + value: + _version: WzYsMV0= + comments: [] + created_at: 2025-01-09T01:16:23.322Z + created_by: elastic + description: >- + This is a sample exception that has no item_id so it is + autogenerated. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + id: 323faa75-c657-4fa0-9084-8827612c207b + item_id: 80e6edf7-4b13-4414-858f-2fa74aa52b37 + list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 + name: Sample Autogenerated Exception List Item ID + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: d6799986-3a23-4213-bc6d-ed9463a32f23 + type: simple + updated_at: 2025-01-09T01:16:23.322Z + updated_by: elastic + detectionExceptionListItem: + value: + _version: WzQsMV0= + comments: [] + created_at: 2025-01-07T20:07:33.119Z + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: 2025-01-07T20:07:33.119Z + updated_by: elastic + withExistEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: 2025-01-07T20:07:33.119Z + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: 2025-01-07T20:07:33.119Z + updated_by: elastic + withMatchAnyEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: 2025-01-07T20:07:33.119Z + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: 2025-01-07T20:07:33.119Z + updated_by: elastic + withMatchEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: 2025-01-07T20:07:33.119Z + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: included + type: match + value: Elastic N.V. + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: 2025-01-07T20:07:33.119Z + updated_by: elastic + withNestedEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: 2025-01-07T20:07:33.119Z + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - entries: + - field: signer + operator: included + type: match + value: Evil + - field: trusted + operator: included + type: match + value: true + field: file.signature + type: nested + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: 2025-01-07T20:07:33.119Z + updated_by: elastic + withValueListEntry: + value: + _version: WzcsMV0= + comments: [] + created_at: 2025-01-09T01:31:12.614Z + created_by: elastic + description: >- + Don't signal when agent.name is rock01 and source.ip is in + the goodguys.txt list + entries: + - field: source.ip + list: + id: goodguys.txt + type: ip + operator: excluded + type: list + id: deb26876-297d-4677-8a1f-35467d2f1c4f + item_id: 686b129e-9b8d-4c59-8d8d-c93a9ea82c71 + list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 + name: Filter out good guys ip and agent.name rock01 + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: 5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8 + type: simple + updated_at: 2025-01-09T01:31:12.614Z + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request, + message: '[request body]: list_id: Expected string, received number' + statusCode: 400, + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST 
request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [POST /api/exception_lists/items] is unauthorized for + user, this action is granted by the Kibana privileges + [lists-all] + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: >- + exception list item id: \"simple_list_item\" already + exists + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item already exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create an exception list item + tags: + - Security Exceptions API + put: + description: Update an exception list item using the `id` or `item_id` field. 
+ operationId: UpdateExceptionListItem + requestBody: + content: + application/json: + examples: + updateItem: + value: + description: Updated description + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + name: Updated name + namespace_type: single + type: simple + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemGeneric + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEndpointList + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEventFilters + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemHostIsolation + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistMac + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + simpleListItem: + value: + _version: WzEyLDFd + comments: [] + created_at: 2025-01-07T21:12:25.512Z + created_by: elastic + description: Updated description + entries: + - field: host.name + operator: included + type: match + value: rock01 + id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da + item_id: 
simple_list_item + list_id: simple_list + name: Updated name + namespace_type: single + os_types: [] + tags: [] + tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 + type: simple + updated_at: 2025-01-07T21:34:50.233Z + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: item_id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [PUT /api/exception_lists/items] is unauthorized for + user, this action is granted by the Kibana privileges + [lists-all] + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: \"foo\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + 
application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Update an exception list item + tags: + - Security Exceptions API + /api/exception_lists/items/_find: + get: + description: Get a list of all exception list items in the specified list. + operationId: FindExceptionListItems + parameters: + - description: The `list_id`s of the items to fetch. + in: query + name: list_id + required: true + schema: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListHumanId + type: array + - description: > + Filters the returned results according to the value of the specified + field, + + using the `:` syntax. + examples: + singleFilter: + value: + - exception-list.attributes.name:%My%20item + in: query + name: filter + required: false + schema: + default: [] + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_FindExceptionListItemsFilter + type: array + - description: > + Determines whether the returned containers are Kibana associated + with a Kibana space + + or available in all spaces (`agnostic` or `single`) + examples: + single: + value: + - single + in: query + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + type: array + - description: > + Free-text search term applied to exception list item fields (for + example a hostname or file path fragment). + in: query + name: search + required: false + schema: + example: host.name type: string - maxItems: 1000 - type: array - title: Alert indices - x-state: Technical preview - Cases_alert_response_properties: - type: object - properties: - attached_at: - format: date-time - type: string - id: - description: The alert identifier. - type: string - index: - description: The alert index. 
- type: string - Cases_assignees: - description: An array containing users that are assigned to the case. - items: - type: object - properties: - uid: - description: A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API. - example: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 + - description: The page number to return + in: query + name: page + required: false + schema: + example: 1 + minimum: 0 + type: integer + - description: The number of exception list items to return per page + in: query + name: per_page + required: false + schema: + example: 20 + minimum: 0 + type: integer + - description: Determines which field is used to sort the results. + example: name + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + - description: Determines the sort order, which can be `desc` or `asc`. + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + example: desc type: string - required: - - uid - maxItems: 10 - nullable: true - type: array - Cases_attachment_totals: - description: Counts of alerts, events, and user comments attached to a case. - properties: - alerts: - description: Number of alert attachments on the case. - type: integer - events: - description: Number of event attachments on the case. - type: integer - userComments: - description: Number of user comment attachments on the case. - type: integer - required: - - alerts - - events - - userComments - title: Attachment totals - type: object - Cases_case_categories: - items: - $ref: '#/components/schemas/Cases_case_category' - maxItems: 100 - type: array - Cases_case_category: - description: A word or phrase that categorizes the case. - maxLength: 50 - type: string - Cases_case_close_sync_reason: - description: | - The close reason to sync to attached alerts when closing the case. 
Can be one of following predefined reasons: [false_positive, duplicate, true_positive, benign_positive, automated_closure, other] or a custom reason provided by the user. - oneOf: - - enum: - - false_positive - - duplicate - - true_positive - - benign_positive - - automated_closure - - other - type: string - - type: string - Cases_case_description: - description: The description for the case. - maxLength: 30000 - type: string - Cases_case_observable: - description: A single observable attached to a case. - properties: - createdAt: - description: When the observable was created. - example: '2024-11-14T10:00:00.000Z' - format: date-time - type: string - description: - description: An optional description for the observable. - example: Source IP - nullable: true - type: string - id: - description: The observable identifier. - example: df927ab8-54ed-47d6-be07-9948c255c097 - type: string - typeKey: - description: The observable type key. - example: observable-type-ipv4 - type: string - updatedAt: - description: When the observable was last updated. - example: '2024-11-14T10:00:00.000Z' - format: date-time - nullable: true - type: string - value: - description: The observable value. 
- example: 10.0.0.8 - type: string - required: - - id - - typeKey - - value - - description - - createdAt - - updatedAt - title: Case observable - type: object - Cases_case_response_closed_by_properties: - nullable: true - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - title: Case response properties for closed_by - type: object - Cases_case_response_created_by_properties: - title: Case response properties for created_by - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - Cases_case_response_get_case: + responses: + '200': + content: + application/json: + examples: + simpleListItems: + value: + data: + - _version: WzgsMV0= + comments: [] + created_at: 2025-01-07T21:12:25.512Z + created_by: elastic + description: This is a sample exception item. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - jupiter + - saturn + id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 + type: simple + updated_at: 2025-01-07T21:12:25.512Z + updated_by: elastic + page: 1 + per_page: 20 + total: 1 + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItem + type: array + page: + minimum: 1 + type: integer + per_page: + minimum: 1 + type: integer + pit: + type: string + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request query]: namespace_type.0: Invalid enum value. 
+ Expected 'agnostic' | 'single', received 'blob' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [GET + /api/exception_lists/items/_find?list_id=simple_list&namespace_type=single] + is unauthorized for user, this action is granted by the + Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list list_id: "foo" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception list items + tags: + - Security Exceptions API + /api/exception_lists/summary: + get: + description: Get a summary of the specified exception list. 
+ operationId: ReadExceptionListSummary + parameters: + - description: Exception list's identifier generated upon creation. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Exception list's human readable identifier. + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: > + `single` returns summary for a list in the current space; `agnostic` + for a space-agnostic list. Must + + line up with `id` / `list_id` used to look up the list. + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single + - description: Search filter clause + in: query + name: filter + required: false + schema: + example: >- + exception-list-agnostic.attributes.tags:"policy:policy-1" OR + exception-list-agnostic.attributes.tags:"policy:all" + type: string + responses: + '200': + content: + application/json: + examples: + summary: + value: + linux: 0 + macos: 0 + total: 0 + windows: 0 + schema: + type: object + properties: + linux: + minimum: 0 + type: integer + macos: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + windows: + minimum: 0 + type: integer + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request query]: namespace_type.0: Invalid enum value. 
+ Expected 'agnostic' | 'single', received 'blob' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [GET + /api/exception_lists/summary?list_id=simple_list&namespace_type=agnostic] + is unauthorized for user, this action is granted by the + Kibana privileges [lists-summary] + statusCode: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get an exception list summary + tags: + - Security Exceptions API + /api/exceptions/shared: + post: + description: > + An exception list groups exception items and can be associated with + detection rules. 
A shared exception list can apply to multiple detection + rules. + + > info + + > All exception items added to the same list are evaluated using `OR` + logic. That is, if any of the items in a list evaluate to `true`, the + exception prevents the rule from generating an alert. Likewise, `OR` + logic is used for evaluating exceptions when more than one exception + list is assigned to a rule. To use the `AND` operator, you can define + multiple clauses (`entries`) in a single exception item. + operationId: CreateSharedExceptionList + requestBody: + content: + application/json: + schema: + example: + description: This is a sample detection type exception list. + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListDescription + name: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListName + required: + - name + - description + required: true + responses: + '200': + content: + application/json: + examples: + sharedList: + value: + _version: WzIsMV0= + created_at: 2025-01-07T19:34:27.942Z + created_by: elastic + description: This is a sample detection type exception list. 
+ id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: 2025-01-07T19:34:27.942Z + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: list_id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + message: Unable to create exception-list + status_code: 403 + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'exception list id: "simple_list" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list already exists response + '500': + content: + application/json: + examples: + serverError: + 
value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create a shared exception list + tags: + - Security Exceptions API + /api/features: + get: + description: > + Get information about all Kibana features. Features are used by spaces + and security to refine and secure access to Kibana. + operationId: get-features + responses: + '200': + content: + application/json: + examples: + getFeaturesExample: + value: | + { + "features": [ + { + "name": "tasks", + "description": "Manages task results" + }, + { + "name": "security", + "description": "Manages configuration for Security features, such as users and roles" + }, + { + "name": "searchable_snapshots", + "description": "Manages caches and configuration for searchable snapshots" + }, + { + "name": "logstash_management", + "description": "Enables Logstash Central Management pipeline storage" + }, + { + "name": "transform", + "description": "Manages configuration and state for transforms" + }, + { + "name": "kibana", + "description": "Manages Kibana configuration and reports" + }, + { + "name": "synonyms", + "description": "Manages synonyms" + }, + { + "name": "async_search", + "description": "Manages results of async searches" + }, + { + "name": "ent_search", + "description": "Manages configuration for Enterprise Search features" + }, + { + "name": "machine_learning", + "description": "Provides anomaly detection and forecasting functionality" + }, + { + "name": "geoip", + "description": "Manages data related to GeoIP database downloader" + }, + { + "name": "watcher", + "description": "Manages Watch definitions and state" + }, + { + "name": "fleet", + "description": "Manages configuration for Fleet" + }, + { + "name": "enrich", + "description": "Manages data related to Enrich policies" + }, + { + "name": "inference_plugin", + "description": "Inference plugin for managing 
inference services and inference" + } + ] + } + schema: + type: object + description: Indicates a successful call + summary: Get features + tags: + - system + x-state: Technical Preview + /api/lists: + delete: description: | - Case details returned by the get case API. The comments property is not included in the response. Use the find case comments API to retrieve comments. totalComment reflects the actual number of user comments. - properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - description: The case category. - nullable: true - type: string - closed_at: - format: date-time - nullable: true - type: string - closed_by: - $ref: '#/components/schemas/Cases_case_response_closed_by_properties' - connector: - discriminator: - mapping: - .cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook' - .jira: '#/components/schemas/Cases_connector_properties_jira' - .none: '#/components/schemas/Cases_connector_properties_none' - .resilient: '#/components/schemas/Cases_connector_properties_resilient' - .servicenow: '#/components/schemas/Cases_connector_properties_servicenow' - .servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir' - .swimlane: '#/components/schemas/Cases_connector_properties_swimlane' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Cases_connector_properties_none' - - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - - $ref: '#/components/schemas/Cases_connector_properties_jira' - - $ref: '#/components/schemas/Cases_connector_properties_resilient' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - - $ref: '#/components/schemas/Cases_connector_properties_swimlane' - title: Case response properties for connectors - created_at: - example: '2022-05-13T09:16:17.416Z' - format: date-time - type: string - created_by: - $ref: 
'#/components/schemas/Cases_case_response_created_by_properties' - customFields: - description: Custom field values for the case. - items: - type: object - properties: - key: - description: | - The unique identifier for the custom field. The key value must exist in the case configuration settings. - type: string - type: - description: | - The custom field type. It must match the type specified in the case configuration settings. - enum: - - text - - toggle - type: string - value: - description: | - The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`. + Delete a value list using the list ID. + > info + > When you delete a list, all of its list items are also deleted. + operationId: DeleteList + parameters: + - description: Value list identifier to delete, including all of its list items. + in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: >- + Determines whether exception items referencing this value list + should be deleted. + in: query + name: deleteReferences + required: false + schema: + default: false + example: false + type: boolean + - description: >- + Determines whether to delete value list without performing any + additional checks of where this list may be utilized. + in: query + name: ignoreReferences + required: false + schema: + default: false + example: false + type: boolean + responses: + '200': + content: + application/json: + examples: + ipList: + value: + _version: WzIsMV0= + '@timestamp': 2025-01-08T04:47:34.273Z + created_at: 2025-01-08T04:47:34.273Z + created_by: elastic + description: List of bad internet ips. 
+ id: 21b01cfb-058d-44b9-838c-282be16c91cd + immutable: false + name: Bad ips + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: 2025-01-08T05:39:39.292Z + updated_by: elastic + version: 3 + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: id: Required' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [DELETE /api/lists?id=ip_list] is unauthorized for + user, this action is granted by the Kibana privileges + [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: \"ip_list\" was not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: 
'#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete a value list + tags: + - Security Lists API + get: + description: Get the details of a value list using the list ID. + operationId: ReadList + parameters: + - description: Value list identifier (`id`) returned when the list was created. + in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + responses: + '200': + content: + application/json: + examples: + ip: + value: + _version: WzEsMV0= + '@timestamp': 2025-01-08T04:47:34.273Z + created_at: 2025-01-08T04:47:34.273Z + created_by: elastic + description: This list describes bad internet ip + id: ip_list + immutable: false + name: My bad ips + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: 2025-01-08T05:21:53.843Z + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: id: Required' + statusCode: 400 + schema: oneOf: - - maxLength: 160 - minLength: 1 - nullable: true - type: string - - type: boolean - type: array - description: - example: A case description. - type: string - duration: - description: | - The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero. - example: 120 - nullable: true - type: integer - external_service: - $ref: '#/components/schemas/Cases_external_service' - id: - example: 66b9aa00-94fa-11ea-9f74-e7e108796192 - type: string - incremental_id: - description: | - A monotonically increasing number assigned to each case, unique per space. 
This value is generated asynchronously after the case is created and may not be present immediately in the response. - example: 1 - nullable: true - type: integer - observables: - description: Observables attached to the case. - items: - $ref: '#/components/schemas/Cases_case_observable' - type: array - owner: - $ref: '#/components/schemas/Cases_owner' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - status: - $ref: '#/components/schemas/Cases_case_status' - tags: - example: - - tag-1 - items: - type: string - type: array - title: - example: Case title 1 - type: string - total_observables: - description: The number of observables attached to the case. - example: 0 - nullable: true - type: integer - totalAlerts: - example: 0 - type: integer - totalComment: - description: The number of user comments on the case. Use the find case comments API to retrieve comment content. - example: 1 - type: integer - totalEvents: - description: The number of events attached to the case. - example: 0 - type: integer - updated_at: - format: date-time - nullable: true - type: string - updated_by: - $ref: '#/components/schemas/Cases_case_response_updated_by_properties' - version: - example: WzUzMiwxXQ== - type: string - required: - - closed_at - - closed_by - - connector - - created_at - - created_by - - description - - duration - - external_service - - id - - observables - - owner - - settings - - severity - - status - - tags - - title - - totalAlerts - - totalComment - - total_observables - - updated_at - - updated_by - - version - title: Get case response - type: object - Cases_case_response_properties: - title: Case response properties - type: object - properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - description: The case category. 
- nullable: true - type: string - closed_at: - format: date-time - nullable: true - type: string - closed_by: - $ref: '#/components/schemas/Cases_case_response_closed_by_properties' - comments: - description: An array of comment objects for the case. - items: - discriminator: - mapping: - actions: '#/components/schemas/Cases_actions_comment_response_properties' - alert: '#/components/schemas/Cases_alert_comment_response_properties' - event: '#/components/schemas/Cases_event_comment_response_properties' - user: '#/components/schemas/Cases_user_comment_response_properties' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Cases_actions_comment_response_properties' - - $ref: '#/components/schemas/Cases_alert_comment_response_properties' - - $ref: '#/components/schemas/Cases_event_comment_response_properties' - - $ref: '#/components/schemas/Cases_user_comment_response_properties' - maxItems: 10000 - title: Case response properties for comments - type: array - connector: - discriminator: - mapping: - .cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook' - .jira: '#/components/schemas/Cases_connector_properties_jira' - .none: '#/components/schemas/Cases_connector_properties_none' - .resilient: '#/components/schemas/Cases_connector_properties_resilient' - .servicenow: '#/components/schemas/Cases_connector_properties_servicenow' - .servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir' - .swimlane: '#/components/schemas/Cases_connector_properties_swimlane' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Cases_connector_properties_none' - - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - - $ref: '#/components/schemas/Cases_connector_properties_jira' - - $ref: '#/components/schemas/Cases_connector_properties_resilient' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - - $ref: 
'#/components/schemas/Cases_connector_properties_swimlane' - title: Case response properties for connectors - created_at: - example: '2022-05-13T09:16:17.416Z' - format: date-time - type: string - created_by: - $ref: '#/components/schemas/Cases_case_response_created_by_properties' - customFields: - description: Custom field values for the case. - items: - type: object - properties: - key: - description: | - The unique identifier for the custom field. The key value must exist in the case configuration settings. - type: string - type: - description: | - The custom field type. It must match the type specified in the case configuration settings. - enum: - - text - - toggle - type: string - value: - description: | - The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`. 
+ - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [GET /api/lists?id=ip_list] is unauthorized for user, + this action is granted by the Kibana privileges + [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value list details + tags: + - Security Lists API + patch: + description: Update specific fields of an existing list using the list `id`. 
+ operationId: PatchList + requestBody: + content: + application/json: + examples: + patchName: + value: + id: ip_list + name: Bad ips list - UPDATED + schema: + example: + id: ip_list + name: Bad ips list - UPDATED + type: object + properties: + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + version: + $ref: '#/components/schemas/Security_Lists_API_ListVersion' + required: + - id + description: Value list's properties + required: true + responses: + '200': + content: + application/json: + examples: + ip: + value: + _version: WzEsMV0= + '@timestamp': 2025-01-08T04:47:34.273Z + created_at: 2025-01-08T04:47:34.273Z + created_by: elastic + description: This list describes bad internet ips + id: ip_list + immutable: false + name: Bad ips list - UPDATED + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: 2025-01-08T05:21:53.843Z + updated_by: elastic + version: 2 + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: name: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + 
[elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [PATCH /api/lists] is unauthorized for user, this + action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Patch a value list + tags: + - Security Lists API + post: + description: Create a new value list. 
+ operationId: CreateList + requestBody: + content: + application/json: + examples: + ip: + value: + description: This list describes bad internet ips + id: ip_list + name: Simple list with ips + type: ip + ip_range: + value: + description: This list has ip ranges + id: ip_range_list + name: Simple list with ip ranges + type: ip_range + keyword: + value: + description: This list describes bad host names + id: keyword_list + name: Simple list with a keyword + type: keyword + keyword_custom_format: + value: + description: This parses the first found ipv4 only + id: keyword_custom_format_list + name: Simple list with a keyword using a custom format + type: keyword + schema: + type: object + properties: + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + type: + $ref: '#/components/schemas/Security_Lists_API_ListType' + version: + default: 1 + minimum: 1 + type: integer + required: + - name + - description + - type + description: Value list's properties + required: true + responses: + '200': + content: + application/json: + examples: + ip: + value: + _version: WzAsMV0= + '@timestamp': 2025-01-08T04:47:34.273Z + created_at: 2025-01-08T04:47:34.273Z + created_by: elastic + description: This list describes bad internet ips + id: ip_list + immutable: false + name: Simple list with ips + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: 2025-01-08T04:47:34.273Z + updated_by: elastic + version: 1 + ip_range: + value: + _version: WzAsMV0= + '@timestamp': 2025-01-09T18:23:52.241Z + created_at: 2025-01-09T18:23:52.241Z + created_by: elastic + description: This list has ip ranges + id: ip_range_list + immutable: false + name: Simple list with ip ranges + tie_breaker_id: 74aebdaf-601f-4940-b351-155728ff7003 + type: ip_range 
+ updated_at: 2025-01-09T18:23:52.241Z + updated_by: elastic + version: 1 + keyword: + value: + _version: WzEsMV0= + '@timestamp': 2025-01-09T18:24:55.786Z + created_at: 2025-01-09T18:24:55.786Z + created_by: elastic + description: This list describes bad host names + id: keyword_list + immutable: false + name: Simple list with a keyword + tie_breaker_id: f7e7dbaa-daf7-4c9a-a3dc-56643923ef68 + type: keyword + updated_at: 2025-01-09T18:24:55.786Z + updated_by: elastic + version: 1 + keyword_custom_format: + value: + _version: WzIsMV0= + '@timestamp': 2025-01-09T18:25:39.604Z + created_at: 2025-01-09T18:25:39.604Z + created_by: elastic + description: This parses the first found ipv4 only + id: keyword_custom_format_list + immutable: false + name: Simple list with a keyword using a custom format + tie_breaker_id: 8247ae63-b780-47b8-9a89-948b643e9ec2 + type: keyword + updated_at: 2025-01-09T18:25:39.604Z + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json: + examples: + notFound: + value: + message: >- + To create a list, the data stream must exist first. Data + stream \".lists-default\" does not exist + status_code: 400 + schema: oneOf: - - maxLength: 160 - minLength: 1 - nullable: true - type: string - - type: boolean - type: array - description: - example: A case description. - type: string - duration: - description: | - The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero. - example: 120 - nullable: true - type: integer - external_service: - $ref: '#/components/schemas/Cases_external_service' - id: - example: 66b9aa00-94fa-11ea-9f74-e7e108796192 - type: string - incremental_id: - description: | - A monotonically increasing number assigned to each case, unique per space. 
This value is generated asynchronously after the case is created and may not be present immediately in the response. - example: 1 - nullable: true - type: integer - observables: - description: Observables attached to the case. - items: - $ref: '#/components/schemas/Cases_case_observable' - type: array - owner: - $ref: '#/components/schemas/Cases_owner' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - status: - $ref: '#/components/schemas/Cases_case_status' - tags: - example: - - tag-1 - items: - type: string - type: array - title: - example: Case title 1 - type: string - total_observables: - description: The number of observables attached to the case. - example: 0 - nullable: true - type: integer - totalAlerts: - example: 0 - type: integer - totalComment: - example: 0 - type: integer - totalEvents: - description: The number of events attached to the case. - example: 0 - type: integer - updated_at: - format: date-time - nullable: true - type: string - updated_by: - $ref: '#/components/schemas/Cases_case_response_updated_by_properties' - version: - example: WzUzMiwxXQ== - type: string - required: - - closed_at - - closed_by - - comments - - connector - - created_at - - created_by - - description - - duration - - external_service - - id - - observables - - owner - - settings - - severity - - status - - tags - - title - - totalAlerts - - totalComment - - total_observables - - updated_at - - updated_by - - version - Cases_case_response_pushed_by_properties: - nullable: true - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - title: Case response properties for pushed_by - type: object - 
Cases_case_response_updated_by_properties: - nullable: true - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - title: Case response properties for updated_by - type: object - Cases_case_severity: - description: The severity of the case. - enum: - - critical - - high - - low - - medium - type: string - Cases_case_status: - description: The status of the case. - enum: - - closed - - in-progress - - open - type: string - Cases_case_tags: - description: | - The words and phrases that help categorize cases. It can be an empty array. - items: - maxLength: 256 - type: string - maxItems: 200 - type: array - Cases_case_title: - description: A title for the case. - maxLength: 160 - type: string - Cases_closure_types: - description: Indicates whether a case is automatically closed when it is pushed to external systems (`close-by-pushing`) or not automatically closed (`close-by-user`). - enum: - - close-by-pushing - - close-by-user - example: close-by-user - type: string - Cases_connector_properties_cases_webhook: - description: Defines properties for connectors when type is `.cases-webhook`. - type: object - properties: - fields: - example: null - nullable: true - type: string - id: - description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. - type: string - name: - description: The name of the connector. - type: string - type: - description: The type of connector. 
- enum: - - .cases-webhook - example: .cases-webhook - type: string - required: - - fields - - id - - name - - type - title: Create or upate case request properties for Cases Webhook connector - Cases_connector_properties_jira: - description: Defines properties for connectors when type is `.jira`. - type: object - properties: - fields: - description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. - type: object - properties: - issueType: - description: The type of issue. - nullable: true - type: string - parent: - description: The key of the parent issue, when the issue type is sub-task. - nullable: true - type: string - priority: - description: The priority of the issue. - nullable: true - type: string - required: - - issueType - - parent - - priority - id: - description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. - type: string - name: - description: The name of the connector. - type: string - type: - description: The type of connector. - enum: - - .jira - example: .jira - type: string - required: - - fields - - id - - name - - type - title: Create or update case request properties for a Jira connector - Cases_connector_properties_none: - description: Defines properties for connectors when type is `.none`. - type: object - properties: - fields: - description: An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null. - example: null - nullable: true - type: string - id: - description: The identifier for the connector. To create a case without a connector, use `none`. To update a case to remove the connector, specify `none`. - example: none - type: string - name: - description: The name of the connector. To create a case without a connector, use `none`. To update a case to remove the connector, specify `none`. 
- example: none - type: string - type: - description: The type of connector. To create a case without a connector, use `.none`. To update a case to remove the connector, specify `.none`. - enum: - - .none - example: .none - type: string - required: - - fields - - id - - name - - type - title: Create or update case request properties for no connector - Cases_connector_properties_resilient: - description: Defines properties for connectors when type is `.resilient`. - type: object - properties: - fields: - description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. - nullable: true - type: object - properties: - issueTypes: - description: The type of incident. - items: - type: string - type: array - severityCode: - description: The severity code of the incident. - type: string - required: - - issueTypes - - severityCode - id: - description: The identifier for the connector. - type: string - name: - description: The name of the connector. - type: string - type: - description: The type of connector. - enum: - - .resilient - example: .resilient - type: string - required: - - fields - - id - - name - - type - title: Create case request properties for a IBM Resilient connector - Cases_connector_properties_servicenow: - description: Defines properties for connectors when type is `.servicenow`. - type: object - properties: - fields: - description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. - type: object - properties: - category: - description: The category of the incident. - nullable: true - type: string - impact: - description: The effect an incident had on business. - nullable: true - type: string - severity: - description: The severity of the incident. - nullable: true - type: string - subcategory: - description: The subcategory of the incident. 
- nullable: true - type: string - urgency: - description: The extent to which the incident resolution can be delayed. - nullable: true - type: string - required: - - category - - impact - - severity - - subcategory - - urgency - id: - description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. - type: string - name: - description: The name of the connector. - type: string - type: - description: The type of connector. - enum: - - .servicenow - example: .servicenow - type: string - required: - - fields - - id - - name - - type - title: Create case request properties for a ServiceNow ITSM connector - Cases_connector_properties_servicenow_sir: - description: Defines properties for connectors when type is `.servicenow-sir`. - type: object - properties: - fields: - description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. - type: object - properties: - category: - description: The category of the incident. - nullable: true - type: string - destIp: - description: Indicates whether cases will send a comma-separated list of destination IPs. - nullable: true - type: boolean - malwareHash: - description: Indicates whether cases will send a comma-separated list of malware hashes. - nullable: true - type: boolean - malwareUrl: - description: Indicates whether cases will send a comma-separated list of malware URLs. - nullable: true - type: boolean - priority: - description: The priority of the issue. - nullable: true - type: string - sourceIp: - description: Indicates whether cases will send a comma-separated list of source IPs. - nullable: true - type: boolean - subcategory: - description: The subcategory of the incident. - nullable: true - type: string - required: - - category - - destIp - - malwareHash - - malwareUrl - - priority - - sourceIp - - subcategory - id: - description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. 
- type: string - name: - description: The name of the connector. - type: string - type: - description: The type of connector. - enum: - - .servicenow-sir - example: .servicenow-sir - type: string - required: - - fields - - id - - name - - type - title: Create case request properties for a ServiceNow SecOps connector - Cases_connector_properties_swimlane: - description: Defines properties for connectors when type is `.swimlane`. - type: object - properties: - fields: - description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. - type: object - properties: - caseId: - description: The case identifier for Swimlane connectors. - nullable: true - type: string - required: - - caseId - id: - description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. - type: string - name: - description: The name of the connector. - type: string - type: - description: The type of connector. - enum: - - .swimlane - example: .swimlane - type: string - required: - - fields - - id - - name - - type - title: Create case request properties for a Swimlane connector - Cases_connector_types: - description: The type of connector. - enum: - - .cases-webhook - - .jira - - .none - - .resilient - - .servicenow - - .servicenow-sir - - .swimlane - example: .none - type: string - Cases_create_case_request: - description: The create case API request body varies depending on the type of connector. 
- properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - $ref: '#/components/schemas/Cases_case_category' - connector: - oneOf: - - $ref: '#/components/schemas/Cases_connector_properties_none' - - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - - $ref: '#/components/schemas/Cases_connector_properties_jira' - - $ref: '#/components/schemas/Cases_connector_properties_resilient' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - - $ref: '#/components/schemas/Cases_connector_properties_swimlane' - customFields: - description: | - Custom field values for a case. Any optional custom fields that are not specified in the request are set to null. - items: - type: object - properties: - key: - description: | - The unique identifier for the custom field. The key value must exist in the case configuration settings. - type: string - type: - description: | - The custom field type. It must match the type specified in the case configuration settings. 
- enum: - - text - - toggle + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [POST /api/lists] is unauthorized for user, this + action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'list id: "keyword_custom_format_list" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List already exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create a value list + tags: + - Security Lists API + put: + description: > + Update a value list using the list `id`. The original list is replaced, + and all unspecified fields are deleted. + + > info + + > You cannot modify the `id` value. 
+ operationId: UpdateList + requestBody: + content: + application/json: + examples: + replaceList: + value: + description: Latest list of bad ips + id: ip_list + name: Bad ips - updated + schema: + example: + description: Latest list of bad ips + id: ip_list + name: Bad ips - updated + type: object + properties: + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + version: + $ref: '#/components/schemas/Security_Lists_API_ListVersion' + required: + - id + - name + - description + description: Value list's properties + required: true + responses: + '200': + content: + application/json: + examples: + ip: + value: + _version: WzIsMV0= + '@timestamp': 2025-01-08T04:47:34.273Z + created_at: 2025-01-08T04:47:34.273Z + created_by: elastic + description: Latest list of bad ips + id: ip_list + immutable: false + name: Bad ips - updated + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: 2025-01-08T05:39:39.292Z + updated_by: elastic + version: 3 + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for 
REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [PUT /api/lists] is unauthorized for user, this action + is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Update a value list + tags: + - Security Lists API + /api/lists/_find: + get: + description: >- + Get a paginated subset of value lists. By default, the first page is + returned, with 20 results per page. + operationId: FindLists + parameters: + - description: The page number to return. + in: query + name: page + required: false + schema: + example: 1 + type: integer + - description: The number of value lists to return per page. + in: query + name: per_page + required: false + schema: + example: 20 + type: integer + - description: Determines which field is used to sort the results. 
+ in: query + name: sort_field + required: false + schema: + example: name + format: nonempty + minLength: 1 + type: string + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + example: asc + type: string + - description: >- + Returns the lists that come after the last lists returned in the + previous call (use the `cursor` value returned in the previous + call). This parameter uses the `tie_breaker_id` field to ensure all + lists are sorted and returned correctly. + in: query + name: cursor + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' + - description: > + Filters the returned results according to the value of the specified + field, + + using the : syntax. + in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListsFilter' + responses: + '200': + content: + application/json: + examples: + ipList: + value: + cursor: >- + WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d + data: + - _version: WzAsMV0= + '@timestamp': | + 2025-01-08T04:47:34.273Z + created_at: | + 2025-01-08T04:47:34.273Z + created_by: elastic + description: This list describes bad internet ip + id: ip_list + immutable: false + name: Simple list with an ip + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: | + 2025-01-08T04:47:34.273Z + updated_by: elastic + version: 1 + page: 1 + per_page: 20 + total: 1 + schema: + type: object + properties: + cursor: + $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' + data: + items: + $ref: '#/components/schemas/Security_Lists_API_List' + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + - cursor + description: Successful response + '400': + content: + application/json: + 
examples: + badRequest: + value: + error: Bad Request + message: '[request query]: page: Expected number, received nan' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [GET /api/lists/_find?page=1&per_page=20] is + unauthorized for user, this action is granted by the + Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value lists + tags: + - Security Lists API + /api/lists/index: + delete: + description: Delete the `.lists` and `.items` data streams. 
+ operationId: DeleteListIndex + responses: + '200': + content: + application/json: + examples: + acknowledged: + value: + acknowledged: true + schema: + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + message: >- + Unable to delete value list data streams: invalid or + missing index metadata + status_code: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [DELETE /api/lists/index] is not authorized; lists-all + (or equivalent) is required to delete data streams + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: The value list data stream was not found in this space + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: 
'#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete value list data streams + tags: + - Security Lists API + get: + description: Verify that `.lists` and `.items` data streams exist. + operationId: ReadListIndex + responses: + '200': + content: + application/json: + examples: + bothExist: + value: + list_index: true + list_item_index: true + schema: + type: object + properties: + list_index: + type: boolean + list_item_index: + type: boolean + required: + - list_index + - list_item_index + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + message: >- + Unable to read value list data stream status for this + space + status_code: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [GET /api/lists/index] is not authorized; list read + permissions are required + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: Value list backing indices were not found for this space + status_code: 404 + schema: + $ref: 
'#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream(s) not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get status of value list data streams + tags: + - Security Lists API + post: + deprecated: true + description: > + **DEPRECATED.** `deprecated: true` is set on this operation. Value list + backing data streams for the space + + are now created as part of supported workflows; calling this explicitly + is rarely required. + + **WARNING:** Do not use for new integrations. Prefer the UI or the list + and list-item APIs after confirming + + indices exist with `GET /api/lists/index`. + + + Creates the `.lists` and `.items` data streams in the current Kibana + space. + operationId: CreateListIndex + responses: + '200': + content: + application/json: + examples: + acknowledged: + value: + acknowledged: true + schema: + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + message: >- + Indices exist but the request could not be completed for + the current space. Check that Elasticsearch and Kibana + privileges allow index creation for lists. 
+ status_code: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: > + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [POST /api/lists/index] is unauthorized for user, this + action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: >- + data stream: \".lists-default\" and \".items-default\" + already exists + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create list data streams + tags: + - Security Lists API + /api/lists/items: + delete: + description: >- + Delete a value list item using its `id`, or its `list_id` and `value` + fields. + operationId: DeleteListItem + parameters: + - description: >- + Value list item's identifier. 
Required if `list_id` and `value` are + not specified. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + - description: Value list's identifier. Required if `id` is not specified. + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: >- + The value used to evaluate exceptions. Required if `id` is not + specified. + in: query + name: value + required: false + schema: + example: 255.255.255.255 + type: string + - description: >- + Determines when changes made by the request are made visible to + search. + in: query + name: refresh + required: false + schema: + default: 'false' + enum: + - 'true' + - 'false' + - wait_for + example: false + type: string + responses: + '200': + content: + application/json: + examples: + ip: + value: + _version: WzIwLDFd + '@timestamp': 2025-01-08T05:15:05.159Z + created_at: 2025-01-08T05:15:05.159Z + created_by: elastic + id: pd1WRJQBs4HAK3VQeHFI + list_id: ip_list + tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 + type: ip + updated_at: 2025-01-08T05:44:14.009Z + updated_by: elastic + value: 255.255.255.255 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_ListItem' + - items: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + type: array + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + message: >- + Either \"list_id\" or \"id\" needs to be defined in the + request + status_code: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user 
[elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [DELETE /api/lists/items?id=pd1WRJQBs4HAK3VQeHFI] is + unauthorized for user, this action is granted by the + Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list item with id: \"pd1WRJQBs4HAK3VQeHFI\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete a value list item + tags: + - Security Lists API + get: + description: Get the details of a value list item. + operationId: ReadListItem + parameters: + - description: >- + Value list item identifier. Required if `list_id` and `value` are + not specified. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: >- + Value list item list's `id` identfier. Required if `id` is not + specified. + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: >- + The value used to evaluate exceptions. Required if `id` is not + specified. 
+ in: query + name: value + required: false + schema: + example: 127.0.0.2 + type: string + responses: + '200': + content: + application/json: + examples: + ip: + value: + _version: WzExLDFd + '@timestamp': 2025-01-08T05:16:25.882Z + created_at: 2025-01-08T05:16:25.882Z + created_by: elastic + id: qN1XRJQBs4HAK3VQs3Gc + list_id: ip_list + tie_breaker_id: a9a34c02-a385-436e-86a0-02a3942f3537 + type: ip + updated_at: 2025-01-08T05:16:25.882Z + updated_by: elastic + value: 127.0.0.2 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_ListItem' + - items: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + type: array + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + message: >- + Either \"list_id\" or \"id\" needs to be defined in the + request + status_code: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [GET /api/lists/items?id=qN1XRJQBs4HAK3VQs3Gc] is + unauthorized for user, this action is granted by the + Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + 
application/json: + examples: + notFound: + value: + message: 'list item id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get a value list item + tags: + - Security Lists API + patch: + description: >- + Update specific fields of an existing value list item using the item + `id`. + operationId: PatchListItem + requestBody: + content: + application/json: + examples: + changeValue: + value: + id: pd1WRJQBs4HAK3VQeHFI + value: 255.255.255.255 + schema: + example: + id: pd1WRJQBs4HAK3VQeHFI + value: 255.255.255.255 + type: object + properties: + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + refresh: + description: >- + Determines when changes made by the request are made visible + to search. 
+ enum: + - 'true' + - 'false' + - wait_for + type: string + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - id + description: Value list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + ipItem: + value: + _version: WzE5LDFd + '@timestamp': 2025-01-08T05:15:05.159Z + created_at: 2025-01-08T05:15:05.159Z + created_by: elastic + id: pd1WRJQBs4HAK3VQeHFI + list_id: ip_list + tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 + type: ip + updated_at: 2025-01-08T05:23:37.602Z + updated_by: elastic + value: 255.255.255.255 + schema: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + message: >- + {"took":15,"timed_out":false,"total":1,"updated":0,"deleted":0,"batches":1,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1,"throttled_until_millis":0,"failures":[{"index":".ds-.items-default-2025.01.09-000001","id":"ip_item","cause":{"type":"document_parsing_exception","reason":"[1:107] + failed to parse field [ip] of type [ip] in document with + id ip_item. 
Preview of fields value: + 2","caused_by":{"type":"illegal_argument_exception","reason":"2 + is not an IP string literal."}},"status":400}]} + status_code: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [PATCH /api/lists/items] is unauthorized for user, + this action is granted by the Kibana privileges + [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list item id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Patch a value list item + tags: + - Security Lists API + post: + description: > + Create a value list item and associate it with the specified value list. + + + All value list items in the same list must be the same type. 
For + example, each list item in an `ip` list must define a specific IP + address. + + > info + + > Before creating a list item, you must create a list. + operationId: CreateListItem + requestBody: + content: + application/json: + examples: + ip: + value: + list_id: ip_list + value: 127.0.0.1 + ip_range: + value: + list_id: ip_range_list + value: 192.168.0.0/16 + keyword: + value: + list_id: keyword_list + value: zeek + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + list_id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + refresh: + description: >- + Determines when changes made by the request are made visible + to search. + enum: + - 'true' + - 'false' + - wait_for + example: wait_for + type: string + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - list_id + - value + description: Value list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + ip: + value: + _version: WzAsMV0= + '@timestamp': 2025-01-08T04:59:06.154Z + created_at: 2025-01-08T04:59:06.154Z + created_by: elastic + id: 21b01cfb-058d-44b9-838c-282be16c91cc + list_id: ip_list + tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a + type: ip + updated_at: 2025-01-08T04:59:06.154Z + updated_by: elastic + value: 127.0.0.1 + ip_range: + value: + _version: WzEsMV0= + '@timestamp': 2025-01-09T18:33:08.202Z + created_at: 2025-01-09T18:33:08.202Z + created_by: elastic + id: ip_range_item + list_id: ip_range_list + tie_breaker_id: ea1b4189-efda-4637-b8f9-74655a5ebb61 + type: ip_range + updated_at: 2025-01-09T18:33:08.202Z + updated_by: elastic + value: 192.168.0.0/16 + keyword: + value: + _version: WzIsMV0= + '@timestamp': 2025-01-09T18:34:29.422Z + created_at: 2025-01-09T18:34:29.422Z + created_by: elastic + id: 7f24737d-1da8-4626-a568-33070591bb4e + list_id: keyword_list + 
tie_breaker_id: 2108ced2-5e5d-401e-a88e-4dd69fc5fa27 + type: keyword + updated_at: 2025-01-09T18:34:29.422Z + updated_by: elastic + value: zeek + schema: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + uri [/api/lists/items] with method [post] exists but is + not available with the current configuration + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [POST /api/lists/items] is unauthorized for user, this + action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + listNotFound: + value: + message: 'list id: \"ip_list\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'list item id: \"ip_item\" already exists' + status_code: 409 + schema: + 
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item already exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create a value list item + tags: + - Security Lists API + put: + description: > + Update a value list item using the list item ID. The original list item + is replaced, and all unspecified fields are deleted. + + > info + + > You cannot modify the `id` value. + operationId: UpdateListItem + requestBody: + content: + application/json: + examples: + fullReplace: + value: + id: ip_item + value: 255.255.255.255 + schema: + example: + id: ip_item + value: 255.255.255.255 + type: object + properties: + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - id + - value + description: Value list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + ip: + value: + _version: WzIwLDFd + '@timestamp': 2025-01-08T05:15:05.159Z + created_at: 2025-01-08T05:15:05.159Z + created_by: elastic + id: pd1WRJQBs4HAK3VQeHFI + list_id: ip_list + tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 + type: ip + updated_at: 2025-01-08T05:44:14.009Z + updated_by: elastic + value: 255.255.255.255 + schema: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: >- + 
#/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [PATCH /api/lists/items] is unauthorized for user, + this action is granted by the Kibana privileges + [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list item id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Update a value list item + tags: + - Security Lists API + /api/lists/items/_export: + post: + description: Export list item values from the specified value list. + operationId: ExportListItems + parameters: + - description: Value list's `id` to export. 
+ in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + responses: + '200': + content: + application/ndjson: + examples: + ipLines: + value: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 + schema: + description: A `.txt` file containing list items from the specified list + example: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 + 127.0.0.4 + 127.0.0.5 + 127.0.0.6 + 127.0.0.7 + 127.0.0.8 + 127.0.0.9 + format: binary type: string - value: - description: | - The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`. + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: 'Bad Request","message":"[request query]: list_id: Required' + statusCode: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [POST /api/lists/items/_export?list_id=ips.txt] is + unauthorized for user, this action is granted by the + Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: 
'#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: "unknown_list" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Export value list items + tags: + - Security Lists API + /api/lists/items/_find: + get: + description: Get all value list items in the specified list. + operationId: FindListItems + parameters: + - description: Parent value list's `id` to page through items for. + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: The page number to return. + in: query + name: page + required: false + schema: + example: 1 + type: integer + - description: The number of list items to return per page. + in: query + name: per_page + required: false + schema: + example: 20 + type: integer + - description: Determines which field is used to sort the results. + in: query + name: sort_field + required: false + schema: + example: value + format: nonempty + minLength: 1 + type: string + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + example: asc + type: string + - description: > + Opaque cursor returned in a previous response; pass it to continue + listing from the next page. Omit on the first request. 
+ in: query + name: cursor + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' + - description: > + Filters the returned results according to the value of the specified + field, + + using the : syntax. + in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter' + responses: + '200': + content: + application/json: + examples: + ip: + value: + cursor: >- + WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d + data: + - _version: WzAsMV0= + '@timestamp': 2025-01-08T04:59:06.154Z + created_at: 2025-01-08T04:59:06.154Z + created_by: elastic + id: 21b01cfb-058d-44b9-838c-282be16c91cc + list_id: ip_list + tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a + type: ip + updated_at: 2025-01-08T04:59:06.154Z + updated_by: elastic + value: 127.0.0.1 + page: 1 + per_page: 20 + total: 1 + schema: + type: object + properties: + cursor: + $ref: >- + #/components/schemas/Security_Lists_API_FindListItemsCursor + data: + items: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + - cursor + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request, + message: '[request query]: list_id: Required' + statusCode: 400, + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user 
+ [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [GET + /api/lists/items/_find?list_id=ip_list&page=1&per_page=20] + is unauthorized for user, this action is granted by the + Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value list items + tags: + - Security Lists API + /api/lists/items/_import: + post: + description: > + Import value list items from a TXT or CSV file. The maximum file size is + 9 million bytes. + + + You can import items to a new or existing list. + operationId: ImportListItems + parameters: + - description: | + List's id. + + Required when importing to an existing list. + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: | + Type of the importing list. + + Required when importing a new list whose list `id` is not specified. + examples: + ip: + value: ip + in: query + name: type + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListType' + - description: >- + Determines when changes made by the request are made visible to + search. 
+ in: query + name: refresh + required: false + schema: + enum: + - 'true' + - 'false' + - wait_for + example: true + type: string + requestBody: + content: + multipart/form-data: + examples: + ipLinesFile: + value: + file: list_values.txt + schema: + type: object + properties: + file: + description: >- + A `.txt` or `.csv` file containing newline separated list + items. + example: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 + 127.0.0.4 + 127.0.0.5 + 127.0.0.6 + 127.0.0.7 + 127.0.0.8 + 127.0.0.9 + format: binary + type: string + required: true + responses: + '200': + content: + application/json: + examples: + ip: + value: + _version: WzAsMV0= + '@timestamp': 2025-01-08T04:47:34.273Z + created_at: 2025-01-08T04:47:34.273Z + created_by: elastic + description: This list describes bad internet ip + id: ip_list + immutable: false + name: Simple list with an ip + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: 2025-01-08T04:47:34.273Z + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + message: Either type or list_id need to be defined in the query + status_code: 400 + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + 
application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [POST /api/lists/items/_import?list_id=ip_list] is + unauthorized for user, this action is granted by the + Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + notFound: + value: + message: >- + List with the specified list_id does not exist, create the + list or fix list_id to import to an existing one + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List with specified list_id does not exist response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Import value list items + tags: + - Security Lists API + /api/lists/privileges: + get: + description: > + Returns the caller's authentication state and the Elasticsearch + `cluster`, `index`, and `application` + + privileges for `.lists` and `.items` data streams in the current Kibana + space. Use this to decide which list + + APIs (`read` vs `all` operations) are available before you create or + import lists. 
+ operationId: ReadListPrivileges + responses: + '200': + content: + application/json: + examples: + privileges: + value: + is_authenticated: true + listItems: + application: {} + cluster: + all: true + manage: true + manage_api_key: true + manage_index_templates: true + manage_ml: true + manage_own_api_key: true + manage_pipeline: true + manage_security: true + manage_transform: true + monitor: true + monitor_ml: true + monitor_transform: true + has_all_requested: true + index: + .items-default: + all: true + create: true + create_doc: true + create_index: true + delete: true + delete_index: true + index: true + maintenance: true + manage: true + monitor: true + read: true + view_index_metadata: true + write: true + username: elastic + lists: + application: {} + cluster: + all: true + manage: true + manage_api_key: true + manage_index_templates: true + manage_ml: true + manage_own_api_key: true + manage_pipeline: true + manage_security: true + manage_transform: true + monitor: true + monitor_ml: true + monitor_transform: true + has_all_requested: true + index: + .lists-default: + all: true + create: true + create_doc: true + create_index: true + delete: true + delete_index: true + index: true + maintenance: true + manage: true + monitor: true + read: true + view_index_metadata: true + write: true + username: elastic + schema: + type: object + properties: + is_authenticated: + type: boolean + listItems: + $ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges' + lists: + $ref: '#/components/schemas/Security_Lists_API_ListPrivileges' + required: + - lists + - listItems + - is_authenticated + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + Unable to resolve list privileges: invalid or missing + space context for this request + statusCode: 400 + schema: oneOf: - - maxLength: 160 - minLength: 1 - nullable: true - type: string - - type: boolean - required: - - key 
- - type - - value - maxItems: 10 - minItems: 0 - type: array - description: - $ref: '#/components/schemas/Cases_case_description' - owner: - $ref: '#/components/schemas/Cases_owner' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - tags: - $ref: '#/components/schemas/Cases_case_tags' - title: - $ref: '#/components/schemas/Cases_case_title' - required: - - connector - - description - - owner - - settings - - tags - - title - title: Create case request - type: object - Cases_event_comment_response_properties: - title: Case response properties for event comments - type: object - properties: - created_at: - example: '2022-05-13T09:16:17.416Z' - format: date-time - type: string - created_by: - $ref: '#/components/schemas/Cases_case_response_created_by_properties' - eventId: - items: - example: 7605e6a6f9f4f990ad9f8f6901e5f082f1f1f1665cbaf2f0f2c6f8f6b0d8a39f + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: >- + [security_exception\n\tRoot + causes:\n\t\tsecurity_exception: unable to authenticate + user [elastic] for REST request + [/_security/_authenticate]]: unable to authenticate user + [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [GET /api/lists/privileges] is unauthorized for user, + this action is granted by the Kibana privileges + [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges 
response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value list privileges + tags: + - Security Lists API + /api/logstash/pipeline/{id}: + delete: + description: > + Delete a centrally-managed Logstash pipeline. + + If your Elasticsearch cluster is protected with basic authentication, + you must have either the `logstash_admin` built-in role or a customized + Logstash writer role. + externalDocs: + description: Secure your connection + url: https://www.elastic.co/docs/reference/logstash/secure-connection + operationId: delete-logstash-pipeline + parameters: + - description: An identifier for the pipeline. + in: path + name: id + required: true + schema: type: string - type: array - id: - example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 - type: string - index: - items: - example: .internal.alerts-security.alerts-default-000001 + responses: + '204': + description: Indicates a successful call + summary: Delete a Logstash pipeline + tags: + - logstash + x-state: Technical Preview + get: + description: > + Get information for a centrally-managed Logstash pipeline. + + To use this API, you must have either the `logstash_admin` built-in role + or a customized Logstash reader role. + externalDocs: + description: Secure your connection + url: https://www.elastic.co/docs/reference/logstash/secure-connection + operationId: get-logstash-pipeline + parameters: + - description: An identifier for the pipeline. 
+ in: path + name: id + required: true + schema: type: string - type: array - owner: - $ref: '#/components/schemas/Cases_owner' - pushed_at: - example: null - format: date-time - nullable: true - type: string - pushed_by: - $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' - type: - enum: - - event - example: event - type: string - updated_at: - example: null - format: date-time - nullable: true - type: string - updated_by: - $ref: '#/components/schemas/Cases_case_response_updated_by_properties' - version: - example: WzIwNDMxLDFd - type: string - required: - - type - Cases_external_service: - nullable: true - type: object - properties: - connector_id: - type: string - connector_name: - type: string - external_id: - type: string - external_title: - type: string - external_url: - type: string - pushed_at: - format: date-time - type: string - pushed_by: - nullable: true - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - Cases_find_comments_response: - title: Find case comments response - type: object - properties: - comments: - description: Paginated list of user comments for the case. - items: - $ref: '#/components/schemas/Cases_user_comment_response_properties' - type: array - page: - description: The current page index. - type: integer - per_page: - description: The number of items per page. - type: integer - total: - description: The total number of comments. - type: integer - required: - - comments - - page - - per_page - - total - Cases_owner: - description: | - The application that owns the cases: Stack Management, Observability, or Elastic Security. 
- enum: - - cases - - observability - - securitySolution - example: cases - type: string - Cases_owners: - items: - $ref: '#/components/schemas/Cases_owner' - type: array - Cases_payload_alert_comment: - type: object - properties: - comment: - type: object - properties: - alertId: - oneOf: - - example: 1c0b056b-cc9f-4b61-b5c9-cb801abd5e1d + responses: + '200': + content: + application/json: + examples: + getLogstashPipelineResponseExample1: + value: |- + { + "id": "hello-world", + "description": "Just a simple pipeline", + "username": "elastic", + "pipeline": "input { stdin {} } output { stdout {} }", + "settings": { + "queue.type": "persistent" + } + } + schema: + type: object + description: Indicates a successful call + summary: Get a Logstash pipeline + tags: + - logstash + x-state: Technical Preview + put: + description: > + Create a centrally-managed Logstash pipeline or update a pipeline. + + To use this API, you must have either the `logstash_admin` built-in role + or a customized Logstash writer role. + externalDocs: + description: Secure your connection + url: https://www.elastic.co/docs/reference/logstash/secure-connection + operationId: put-logstash-pipeline + parameters: + - description: > + An identifier for the pipeline. Pipeline ID must begin with a letter + or underscore and can contain only letters, underscores, dashes, + hyphens, and numbers. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putLogstashPipelineRequestExample1: + value: |- + { + "pipeline": "input { stdin {} } output { stdout {} }", + "settings": { + "queue.type": "persisted" + } + } + schema: + type: object + properties: + description: + description: A description of the pipeline. type: string - - items: - type: string - type: array - index: + pipeline: + description: A definition for the pipeline. 
+ type: string + settings: + description: > + Supported settings, represented as object keys, include the + following: + + + - `pipeline.workers` + + - `pipeline.batch.size` + + - `pipeline.batch.delay` + + - `pipeline.ecs_compatibility` + + - `pipeline.ordered` + + - `queue.type` + + - `queue.max_bytes` + + - `queue.checkpoint.writes` + type: object + required: + - pipeline + responses: + '204': + description: Indicates a successful call + summary: Create or update a Logstash pipeline + tags: + - logstash + x-state: Technical Preview + /api/logstash/pipelines: + get: + description: > + Get a list of all centrally-managed Logstash pipelines. + + + To use this API, you must have either the `logstash_admin` built-in role + or a customized Logstash reader role. + + > info + + > Limit the number of pipelines to 10,000 or fewer. As the number of + pipelines nears and surpasses 10,000, you may see performance issues on + Kibana. + + + The `username` property appears in the response when security is enabled + and depends on when the pipeline was created or last updated. + externalDocs: + description: Secure your connection + url: https://www.elastic.co/docs/reference/logstash/secure-connection + operationId: get-logstash-pipelines + responses: + '200': + content: + application/json: + examples: + getLogstashPipelinesResponseExample1: + value: |- + { + "pipelines": [ + { + "id": "hello-world", + "description": "Just a simple pipeline", + "last_modified": "2018-04-14T12:23:29.772Z", + "username": "elastic" + }, + { + "id": "sleepy-pipeline", + "description": "", + "last_modified": "2018-03-24T03:41:30.554Z" + } + ] + } + schema: + type: object + description: Indicates a successful call + summary: Get all Logstash pipelines + tags: + - logstash + x-state: Technical Preview + /api/ml/saved_objects/sync: + get: + description: > + Synchronizes Kibana saved objects for machine learning jobs and trained + models in the default space. 
You must have `all` privileges for the + **Machine Learning** feature in the **Analytics** section of the Kibana + feature privileges. This API runs automatically when you start Kibana + and periodically thereafter. + operationId: mlSync + parameters: + - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' + responses: + '200': + content: + application/json: + examples: + syncExample: + $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' + schema: + $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' + description: Indicates a successful call + '401': + content: + application/json: + examples: + syncExample: + $ref: '#/components/examples/Machine_learning_APIs_mlSync401Example' + schema: + $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' + description: Authorization information is missing or invalid. + summary: Sync saved objects in the default space + tags: + - ml + /api/ml/saved_objects/update_jobs_spaces: + post: + description: Update a list of jobs to add and/or remove them from given spaces. + operationId: mlUpdateJobsSpaces + requestBody: + content: + application/json: + examples: + updateADJobSpacesRequest: + value: + jobIds: + - test-job + jobType: anomaly-detector + spacesToAdd: + - default + spacesToRemove: + - '*' + updateDFAJobSpacesRequest: + value: + jobIds: + - test-job + jobType: data-frame-analytics + spacesToAdd: + - default + spacesToRemove: + - '*' + responses: + '200': + content: + application/json: + examples: + successADResponse: + value: + test-job: + success: true + type: anomaly-detector + successDFAResponse: + value: + test-job: + success: true + type: data-frame-analytics + description: Indicates a successful call + summary: Update jobs spaces + tags: + - ml + /api/ml/saved_objects/update_trained_models_spaces: + post: + description: >- + Update a list of trained models to add and/or remove them from given + spaces. 
+ operationId: mlUpdateTrainedModelsSpaces + requestBody: + content: + application/json: + examples: + updateTrainedModelsSpacesRequest: + value: + modelIds: + - test-model + spacesToAdd: + - default + spacesToRemove: + - '*' + responses: + '200': + content: + application/json: + examples: + successTMResponse: + value: + test-model: + success: true + type: trained-model" + description: Indicates a successful call + summary: Update trained models spaces + tags: + - ml + /api/note: + delete: + description: > + Deletes notes by saved object ID. Send either `noteId` (single ID) or + `noteIds` (array of IDs) in the JSON body. + + + The response has HTTP 200 with an empty body on success. + + + Requires the **Timeline and Notes** write privilege (`notes_write`). + operationId: DeleteNote + requestBody: + content: + application/json: + examples: + deleteOne: + summary: Delete a single note by id + value: + noteId: 709f99c6-89b6-4953-9160-35945c8e174e + schema: oneOf: - - example: .alerts-observability.logs.alerts-default - type: string - - items: - type: string - type: array - owner: - $ref: '#/components/schemas/Cases_owner' - rule: + - nullable: true + type: object + properties: + noteId: + description: Saved object ID of the note to delete. + type: string + required: + - noteId + - nullable: true + type: object + properties: + noteIds: + description: Saved object IDs of the notes to delete. + items: + type: string + nullable: true + type: array + required: + - noteIds + description: > + Exactly one shape: `{ "noteId": "" }` for a single delete, or `{ + "noteIds": ["", ...] }` for bulk delete. + + `noteIds` may be null in some clients; prefer an empty array or omit + unused fields when possible. + required: true + responses: + '200': + description: The notes were deleted successfully. Response body is empty. 
+ summary: Delete one or more notes + tags: + - Security Timeline API + - access:securitySolution + get: + description: > + Returns Security Timeline notes as saved objects. + + + **Query modes (mutually exclusive branches on the server):** + + + 1. **`documentIds` is set** — Returns notes whose `eventId` matches the + given Elasticsearch document `_id` (single string or array). Pagination + query parameters (`page`, `perPage`, etc.) are **not** applied; the + server uses a fixed page size (up to 10000 notes). + + + 2. **`savedObjectIds` is set** — Returns notes linked to the given + Timeline saved object id(s). Same fixed cap as above; list-mode query + parameters are **not** applied. + + + 3. **Neither `documentIds` nor `savedObjectIds`** — Lists notes using + saved-objects find semantics: `page` (default 1), `perPage` (default + 10), optional `search`, `sortField`, `sortOrder`, `filter`, + `createdByFilter`, and `associatedFilter`. + + + Requires the **Timeline and Notes** read privilege (`notes_read`). + operationId: GetNotes + parameters: + - description: > + Event document `_id` values to match against each note's `eventId`. + When this parameter is present, the response is all matching notes + (up to the server's hard limit), not a paged list using + `page`/`perPage`. + examples: + multiple: + summary: Multiple document ids (array) + value: + - id-one + - id-two + single: + summary: Single document id + value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b + in: query + name: documentIds + schema: + $ref: '#/components/schemas/Security_Timeline_API_DocumentIds' + - description: > + Timeline `savedObjectId` value(s). Returns notes that reference + those timelines. When present, list-mode pagination parameters are + not used; up to the server's hard limit of notes may be returned. 
+ examples: + singleTimeline: + summary: Single timeline id + value: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + in: query + name: savedObjectIds + schema: + $ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds' + - description: > + Page number for list mode (when `documentIds` and `savedObjectIds` + are omitted). Passed as a string; default 1. + example: '1' + in: query + name: page + schema: + nullable: true + type: string + - description: > + Page size for list mode (when `documentIds` and `savedObjectIds` are + omitted). Passed as a string; default 10. + example: '20' + in: query + name: perPage + schema: + nullable: true + type: string + - description: Search string for saved-objects find (list mode only). + in: query + name: search + schema: + nullable: true + type: string + - description: Field to sort by for saved-objects find (list mode only). + in: query + name: sortField + schema: + nullable: true + type: string + - description: >- + Sort order (`asc` or `desc`) for saved-objects find (list mode + only). + example: desc + in: query + name: sortOrder + schema: + nullable: true + type: string + - description: > + Kuery filter string combined with other list-mode filters (for + example `createdByFilter` or `associatedFilter`). Typed as a string + for API compatibility; interpreted by the saved-objects layer (list + mode only). + in: query + name: filter + schema: + nullable: true + type: string + - description: > + Kibana user profile **UID** (UUID). The server resolves the user's + display identifiers and returns notes whose `createdBy` matches any + of them (list mode only). + example: f1c2d3e4-5b6a-7890-abcd-ef1234567890 + in: query + name: createdByFilter + schema: + nullable: true + type: string + - description: > + Restricts notes by how they relate to a Timeline and/or an event + document (list mode only). Some values apply extra filtering after + the query. Ignored when `documentIds` or `savedObjectIds` is used. 
+ in: query + name: associatedFilter + schema: + $ref: '#/components/schemas/Security_Timeline_API_AssociatedFilterType' + responses: + '200': + content: + application/json: + examples: + notesPage: + summary: Paged notes for a timeline + value: + notes: + - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + note: Escalated to tier-2 analyst + noteId: 709f99c6-89b6-4953-9160-35945c8e174e + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzQ2LDFd + totalCount: 1 + schema: + $ref: '#/components/schemas/Security_Timeline_API_GetNotesResult' + description: Notes and total count for the requested mode. + summary: Get notes + tags: + - Security Timeline API + - access:securitySolution + patch: + description: > + Creates a new note or updates an existing one. + + + **Create:** Send `note` and omit `noteId` to create a new saved object. + + + **Update:** Send `note` with the changed fields and set `noteId` to the + note's saved object ID. Optionally include `version` for optimistic + concurrency when the client has it from a prior read. + + + Requires the **Timeline and Notes** write privilege (`notes_write`). + externalDocs: + description: Add or update a note on a Timeline + url: >- + https://www.elastic.co/guide/en/security/current/timeline-api-update.html + operationId: PersistNoteRoute + requestBody: + content: + application/json: + examples: + addNote: + summary: Add a note on an event + value: + note: + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + note: Escalated to tier-2 analyst + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + schema: type: object properties: - id: - description: The rule identifier. - example: 94d80550-aaf4-11ec-985f-97e55adae8b9 + note: + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + description: >- + Note payload (timeline, text, optional event linkage, + metadata). + noteId: + description: >- + The `savedObjectId` of the note to update. Omit when + creating a new note. 
+ example: 709f99c6-89b6-4953-9160-35945c8e174e nullable: true type: string - name: - description: The rule name. - example: security_rule + version: + description: >- + Saved object version string from a previous read; optional + on update. + example: WzQ2LDFd nullable: true type: string - type: - enum: - - alert - type: string - Cases_payload_assignees: - type: object - properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - Cases_payload_connector: - type: object - properties: - connector: - type: object - properties: - fields: - description: An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value. - example: null - nullable: true + required: + - note + description: > + Body must include the `note` object. For updates, include `noteId` + (and optionally `version`). + + To attach a note to a specific event, set `note.eventId` to that + event's document `_id`; for a timeline-wide note, omit or clear + `eventId` per product rules. + required: true + responses: + '200': + content: + application/json: + examples: + persisted: + summary: Persisted note wrapper + value: + note: + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + note: Escalated to tier-2 analyst + noteId: 709f99c6-89b6-4953-9160-35945c8e174e + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzQ2LDFd + schema: + $ref: '#/components/schemas/Security_Timeline_API_ResponseNote' + description: The persisted note, including `noteId` and `version`. + summary: Add or update a note + tags: + - Security Timeline API + - access:securitySolution + /api/observability_ai_assistant/chat/complete: + post: + description: > + Create a new chat completion by using the Observability AI Assistant. + + + The API returns the model's response based on the current conversation + context. 
+ + + It also handles any tool requests within the conversation, which may + trigger multiple calls to the underlying large language model (LLM). + + + This functionality is in technical preview and may be changed or removed + in a future release. Elastic will work to fix any issues, but features + in technical preview are not subject to the support SLA of official GA + features. + operationId: observability-ai-assistant-chat-complete + requestBody: + content: + application/json: + examples: + chatCompleteRequestExample: + $ref: >- + #/components/examples/Observability_AI_Assistant_API_ChatCompleteRequestExample + schema: type: object properties: - caseId: - description: The case identifier for Swimlane connectors. - type: string - category: - description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. - type: string - destIp: - description: Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors. - nullable: true - type: boolean - impact: - description: The effect an incident had on business for ServiceNow ITSM connectors. - type: string - issueType: - description: The type of issue for Jira connectors. - type: string - issueTypes: - description: The type of incident for IBM Resilient connectors. + actions: items: - type: string + $ref: >- + #/components/schemas/Observability_AI_Assistant_API_Function type: array - malwareHash: - description: Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors. - nullable: true - type: boolean - malwareUrl: - description: Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors. - nullable: true - type: boolean - parent: - description: The key of the parent issue, when the issue type is sub-task for Jira connectors. - type: string - priority: - description: The priority of the issue for Jira and ServiceNow SecOps connectors. 
- type: string - severity: - description: The severity of the incident for ServiceNow ITSM connectors. - type: string - severityCode: - description: The severity code of the incident for IBM Resilient connectors. - type: string - sourceIp: - description: Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors. - nullable: true - type: boolean - subcategory: - description: The subcategory of the incident for ServiceNow ITSM connectors. - type: string - urgency: - description: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors. - type: string - id: - description: The identifier for the connector. To create a case without a connector, use `none`. - example: none - type: string - name: - description: The name of the connector. To create a case without a connector, use `none`. - example: none - type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - Cases_payload_create_case: - type: object - properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - connector: - type: object - properties: - fields: - description: An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value. - example: null - nullable: true - type: object - properties: - caseId: - description: The case identifier for Swimlane connectors. + connectorId: + description: A unique identifier for the connector. type: string - category: - description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. + conversationId: + description: >- + A unique identifier for the conversation if you are + continuing an existing conversation. type: string - destIp: - description: Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors. 
- nullable: true + disableFunctions: + description: >- + Flag indicating whether all function calls should be + disabled for the conversation. If true, no calls to + functions will be made. type: boolean - impact: - description: The effect an incident had on business for ServiceNow ITSM connectors. - type: string - issueType: - description: The type of issue for Jira connectors. - type: string - issueTypes: - description: The type of incident for IBM Resilient connectors. + instructions: + description: >- + An array of instruction objects, which can be either simple + strings or detailed objects. items: - type: string + $ref: >- + #/components/schemas/Observability_AI_Assistant_API_Instruction type: array - malwareHash: - description: Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors. - nullable: true - type: boolean - malwareUrl: - description: Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors. - nullable: true - type: boolean - parent: - description: The key of the parent issue, when the issue type is sub-task for Jira connectors. - type: string - priority: - description: The priority of the issue for Jira and ServiceNow SecOps connectors. - type: string - severity: - description: The severity of the incident for ServiceNow ITSM connectors. - type: string - severityCode: - description: The severity code of the incident for IBM Resilient connectors. - type: string - sourceIp: - description: Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors. - nullable: true + messages: + description: >- + An array of message objects containing the conversation + history. + items: + $ref: >- + #/components/schemas/Observability_AI_Assistant_API_Message + type: array + persist: + description: >- + Indicates whether the conversation should be saved to + storage. 
If true, the conversation will be saved and will be + available in Kibana. type: boolean - subcategory: - description: The subcategory of the incident for ServiceNow ITSM connectors. - type: string - urgency: - description: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors. + title: + description: A title for the conversation. type: string - id: - description: The identifier for the connector. To create a case without a connector, use `none`. - example: none - type: string - name: - description: The name of the connector. To create a case without a connector, use `none`. - example: none - type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - description: - type: string - owner: - $ref: '#/components/schemas/Cases_owner' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - status: - $ref: '#/components/schemas/Cases_case_status' - tags: - example: - - tag-1 - items: + required: + - messages + - connectorId + - persist + responses: + '200': + content: + application/json: + examples: + chatCompleteResponseExample: + $ref: >- + #/components/examples/Observability_AI_Assistant_API_ChatCompleteResponseExample + schema: + type: object + description: Successful response + summary: Generate a chat completion + tags: + - observability_ai_assistant + x-codeSamples: + - lang: cURL + source: > + curl --request POST + 'localhost:5601/api/observability_ai_assistant/chat/complete' -u + : -H 'kbn-xsrf: true' -H "Content-Type: + application/json" --data ' + + { + + "connectorId": "", + + "disableFunctions": false, + "messages": [ + { + "@timestamp": "2025-06-25T23:45:00.000Z", + "message": { + "role": "user", + "content": "Is my Elasticsearch cluster healthy right now?" 
+ } + } + ], + "persist": false, + + "actions": [ + { + "name": "get_cluster_health", + "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", + "parameters": { + "type": "object", + "properties": { + "includeShardStats": { + "type": "boolean", + "default": false + } + } + } + } + ], + + "instructions": ["When the user asks about Elasticsearch cluster + health, use the get_cluster_health tool to retrieve cluster health, + then summarize the response in plain English."] + + }' + x-state: Technical Preview + /api/osquery/history: + get: + description: > + Get a unified, time-sorted history of live, rule-triggered, and + scheduled osquery executions. The response uses cursor-based pagination. + operationId: OsqueryGetUnifiedHistory + parameters: + - description: The number of results to return per page. + in: query + name: pageSize + required: false + schema: + default: 20 + description: The number of results to return per page. + maximum: 100 + minimum: 1 + type: integer + - description: >- + A base64-encoded cursor for pagination. Use the value from the + previous response to fetch the next page. + in: query + name: nextPage + required: false + schema: + description: >- + A base64-encoded cursor for pagination. Use the value from the + previous response to fetch the next page. + type: string + - description: >- + A search string to filter history entries by pack name, query text, + or query ID. + in: query + name: kuery + required: false + schema: + description: >- + A search string to filter history entries by pack name, query + text, or query ID. + type: string + - description: Comma-separated list of user IDs to filter live query history. + in: query + name: userIds + required: false + schema: + description: Comma-separated list of user IDs to filter live query history. + example: elastic,admin + type: string + - description: >- + Comma-separated list of source types to include. Valid values are + `live`, `rule`, and `scheduled`. 
+ in: query + name: sourceFilters + required: false + schema: + description: >- + Comma-separated list of source types to include. Valid values are + `live`, `rule`, and `scheduled`. + example: live,scheduled + type: string + - description: The start of the time range filter (ISO 8601). + in: query + name: startDate + required: false + schema: + description: The start of the time range filter (ISO 8601). + example: '2024-01-01T00:00:00Z' + type: string + - description: The end of the time range filter (ISO 8601). + in: query + name: endDate + required: false + schema: + description: The end of the time range filter (ISO 8601). + example: '2024-12-31T23:59:59Z' + type: string + responses: + '200': + content: + application/json: + examples: + unifiedHistoryExample: + summary: Example unified history response + value: + data: + - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agentCount: 5 + errorCount: 0 + id: 3c42c847-eb30-4452-80e0-728584042334 + queryName: uptime_query + queryText: select * from uptime; + source: Live + sourceType: live + successCount: 5 + timestamp: '2024-07-26T09:59:32.220Z' + totalRows: 42 + userId: elastic + - agentCount: 10 + errorCount: 1 + executionCount: 3 + id: pack_my_pack_uptime_3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + plannedTime: '2024-07-26T09:00:00.000Z' + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + source: Scheduled + sourceType: scheduled + successCount: 9 + timestamp: '2024-07-26T09:00:00.000Z' + totalRows: 100 + hasMore: true + nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_GetUnifiedHistoryResponse + description: Indicates a successful call. + summary: Get unified query history + tags: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + /api/osquery/live_queries: + get: + description: Get a list of all live queries. 
+ operationId: OsqueryFindLiveQueries + parameters: + - description: A KQL search string to filter live queries. + in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. + in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_FindLiveQueryResponse + description: Indicates a successful call. + summary: Get live queries + tags: + - Security Osquery API + post: + description: Create and run a live query. + operationId: OsqueryCreateLiveQuery + requestBody: + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody + required: true + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_CreateLiveQueryResponse + description: Indicates a successful call. + summary: Create a live query + tags: + - Security Osquery API + /api/osquery/live_queries/{id}: + get: + description: Get the details of a live query using the query ID. + operationId: OsqueryGetLiveQueryDetails + parameters: + - description: The ID of the live query. + in: path + name: id + required: true + schema: + description: The ID of the live query result you want to retrieve. 
+ example: 3c42c847-eb30-4452-80e0-728584042334 type: string - type: array - title: - type: string - Cases_payload_delete: - description: If the `action` is `delete` and the `type` is `delete_case`, the payload is nullable. - nullable: true - type: object - Cases_payload_description: - type: object - properties: - description: - type: string - Cases_payload_pushed: - type: object - properties: - externalService: - $ref: '#/components/schemas/Cases_external_service' - Cases_payload_settings: - type: object - properties: - settings: - $ref: '#/components/schemas/Cases_settings' - Cases_payload_severity: - type: object - properties: - severity: - $ref: '#/components/schemas/Cases_case_severity' - Cases_payload_status: - type: object - properties: - status: - $ref: '#/components/schemas/Cases_case_status' - Cases_payload_tags: - type: object - properties: - tags: - example: - - tag-1 - items: + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse + description: Indicates a successful call. + summary: Get live query details + tags: + - Security Osquery API + /api/osquery/live_queries/{id}/results/{actionId}: + get: + description: Get the results of a live query using the query action ID. + operationId: OsqueryGetLiveQueryResults + parameters: + - description: The ID of the live query. + in: path + name: id + required: true + schema: + description: The ID of the live query result you want to retrieve. + example: 3c42c847-eb30-4452-80e0-728584042334 type: string - type: array - Cases_payload_title: - type: object - properties: - title: - type: string - Cases_payload_user_comment: - type: object - properties: - comment: - type: object - properties: - comment: - type: string - owner: - $ref: '#/components/schemas/Cases_owner' - type: - enum: - - user - type: string - Cases_related_case: - description: | - Summary of a case returned when listing cases that contain a given alert. 
This is a subset of the full case response. - properties: - createdAt: - description: When the case was created. - format: date-time - type: string - description: - description: The case description. - type: string - id: - description: The case identifier. - type: string - status: - $ref: '#/components/schemas/Cases_case_status' - title: - description: The case title. - type: string - totals: - $ref: '#/components/schemas/Cases_attachment_totals' - required: - - id - - title - - description - - status - - createdAt - - totals - title: Related case - type: object - Cases_response_4xx: - properties: - error: - example: Unauthorized - type: string - message: - type: string - statusCode: - example: 401 - type: integer - title: Unsuccessful cases API response - type: object - Cases_rule: + - description: The ID of the query action. + in: path + name: actionId + required: true + schema: + description: The ID of the query action that generated the live query results. + example: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + type: string + - description: A KQL search string to filter results. + in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. 
+ in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse + description: Indicates a successful call. + summary: Get live query results + tags: + - Security Osquery API + /api/osquery/packs: + get: + description: Get a list of all query packs. + operationId: OsqueryFindPacks + parameters: + - description: The page number to return. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. + in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_FindPacksResponse' + description: Indicates a successful call. + summary: Get packs + tags: + - Security Osquery API + post: + description: Create a query pack. + operationId: OsqueryCreatePacks + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody' + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_CreatePacksResponse' + description: Indicates a successful call. + summary: Create a pack + tags: + - Security Osquery API + /api/osquery/packs/{id}: + delete: + description: Delete a query pack using the pack ID. 
+ operationId: OsqueryDeletePacks + parameters: + - description: The pack ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + responses: + '200': + content: + application/json: + schema: + example: {} + type: object + properties: {} + description: Indicates a successful call. + summary: Delete a pack + tags: + - Security Osquery API + get: + description: Get the details of a query pack using the pack ID. + operationId: OsqueryGetPacksDetails + parameters: + - description: The pack ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_FindPackResponse' + description: Indicates a successful call. + summary: Get pack details + tags: + - Security Osquery API + put: description: | - The rule that is associated with the alerts. It is required only when `type` is `alert`. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. - title: Alerting rule - type: object - properties: - id: - description: The rule identifier. - example: 94d80550-aaf4-11ec-985f-97e55adae8b9 - type: string - name: - description: The rule name. - example: security_rule - type: string - x-state: Technical preview - Cases_searchFieldsType: - description: The fields to perform the `simple_query_string` parsed query against. - enum: - - description - - title - type: string - Cases_searchFieldsTypeArray: - items: - $ref: '#/components/schemas/Cases_searchFieldsType' - type: array - Cases_set_case_configuration_request: - description: External connection details, such as the closure type and default connector for cases. 
- properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: - description: An object that contains the connector configuration. - type: object - properties: - fields: - description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. - nullable: true - type: object - id: - description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. - example: none - type: string - name: - description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. - example: none - type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - required: - - fields - - id - - name - - type - customFields: - description: Custom fields case configuration. - items: - type: object - properties: - defaultValue: - description: | - A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. - oneOf: - - type: string - - type: boolean - key: - description: | - A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. - maxLength: 36 - minLength: 1 - type: string - label: - description: The custom field label that is displayed in the case. - maxLength: 50 - minLength: 1 - type: string - type: - description: The type of the custom field. - enum: - - text - - toggle - type: string - required: - description: | - Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. 
- type: boolean - required: - - key - - label - - required - - type - maxItems: 10 - minItems: 0 - type: array - owner: - $ref: '#/components/schemas/Cases_owner' - templates: - $ref: '#/components/schemas/Cases_templates' - required: - - closure_type - - connector - - owner - title: Set case configuration request - type: object - Cases_settings: - description: An object that contains the case settings. - type: object - properties: - extractObservables: - description: | - When true, observables (e.g. IPs, hashes, URLs) are automatically extracted from case comments. Optional; defaults to false when omitted. - example: false - type: boolean - syncAlerts: - description: Turns alert syncing on or off. - example: true - type: boolean - required: - - syncAlerts - Cases_string: - type: string - Cases_string_array: - items: - $ref: '#/components/schemas/Cases_string' - maxItems: 100 - type: array - Cases_template_tags: + Update a query pack using the pack ID. + > info + > You cannot update a prebuilt pack. + operationId: OsqueryUpdatePacks + parameters: + - description: The pack ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody' + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksResponse' + description: Indicates a successful call. + summary: Update a pack + tags: + - Security Osquery API + /api/osquery/packs/{id}/copy: + post: + description: >- + Create a copy of a query pack with a unique name by appending a `_copy` + suffix. If the name already exists, a numeric suffix is added (e.g., + `_copy_2`). The copied pack is always created with `enabled` set to + `false`. + operationId: OsqueryCopyPacks + parameters: + - description: The ID of the pack to copy. 
+ in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + responses: + '200': + content: + application/json: + examples: + copyPackExample: + summary: Example response for copying a pack + value: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: false + name: my_pack_copy + policy_ids: [] + queries: + - ecs_mapping: + - key: client.port + value: + field: port + id: ports + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: [] + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Osquery_API_CopyPacksResponse' + description: Indicates a successful call. + summary: Copy a pack + tags: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + /api/osquery/saved_queries: + get: + description: Get a list of all saved queries. + operationId: OsqueryFindSavedQueries + parameters: + - description: The page number to return. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. + in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_FindSavedQueryResponse + description: Indicates a successful call. 
+ summary: Get saved queries + tags: + - Security Osquery API + post: + description: Create and save a query for later use. + operationId: OsqueryCreateSavedQuery + requestBody: + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody + required: true + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_CreateSavedQueryResponse + description: Indicates a successful call. + summary: Create a saved query + tags: + - Security Osquery API + /api/osquery/saved_queries/{id}: + delete: + description: Delete a saved query using the query ID. + operationId: OsqueryDeleteSavedQuery + parameters: + - description: The saved query ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: Indicates a successful call. + summary: Delete a saved query + tags: + - Security Osquery API + get: + description: Get the details of a saved query using the query ID. + operationId: OsqueryGetSavedQueryDetails + parameters: + - description: The saved query ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse + description: Indicates a successful call. + summary: Get saved query details + tags: + - Security Osquery API + put: description: | - The words and phrases that help categorize templates. It can be an empty array. 
- items: - maxLength: 256 - type: string - maxItems: 200 - type: array - Cases_templates: - items: - type: object - properties: - caseFields: - type: object - properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - $ref: '#/components/schemas/Cases_case_category' - connector: - type: object - properties: - fields: - description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. - nullable: true - type: object - id: - description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. - example: none - type: string - name: - description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. - example: none - type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - customFields: - description: Custom field values in the template. - items: - type: object - properties: - key: - description: The unique key for the custom field. - type: string - type: - description: The type of the custom field. - enum: - - text - - toggle - type: string - value: - description: | - The default value for the custom field when a case uses the template. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. - oneOf: - - type: string - - type: boolean - type: array - x-state: Technical preview - description: - $ref: '#/components/schemas/Cases_case_description' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - tags: - $ref: '#/components/schemas/Cases_case_tags' - title: - $ref: '#/components/schemas/Cases_case_title' - description: - description: A description for the template. + Update a saved query using the query ID. 
+ > info + > You cannot update a prebuilt saved query. + operationId: OsqueryUpdateSavedQuery + parameters: + - description: The saved query ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + requestBody: + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody + required: true + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse + description: Indicates a successful call. + summary: Update a saved query + tags: + - Security Osquery API + /api/osquery/saved_queries/{id}/copy: + post: + description: >- + Create a copy of a saved query with a unique name by appending a `_copy` + suffix. If the name already exists, a numeric suffix is added (e.g., + `_copy_2`). + operationId: OsqueryCopySavedQuery + parameters: + - description: The ID of the saved query to copy. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + responses: + '200': + content: + application/json: + examples: + copySavedQueryExample: + summary: Example response for copying a saved query + value: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query_copy + interval: '60' + platform: linux,darwin + query: select * from uptime; + removed: false + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + snapshot: true + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_CopySavedQueryResponse + description: Indicates a successful call. 
+ summary: Copy a saved query + tags: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + /api/osquery/scheduled_results/{scheduleId}/{executionCount}: + get: + description: > + Get paginated per-agent action results for a specific scheduled query + execution, with success/failure aggregation and execution metadata (pack + name, query name/text, timestamp). + operationId: OsqueryGetScheduledActionResults + parameters: + - description: The schedule ID of the scheduled query. + in: path + name: scheduleId + required: true + schema: + description: The schedule ID of the scheduled query. + example: pack_my_pack_uptime type: string - key: - description: | - A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template. + - description: The execution count for this scheduled query run. + in: path + name: executionCount + required: true + schema: + description: The execution count for this scheduled query run. + example: 3 + type: integer + - description: The kuery to filter the results by. + in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. The default is 1. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. The default is 20. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field that is used to sort the results. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: Specifies the sort order. 
+ in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + responses: + '200': + content: + application/json: + examples: + scheduledActionResultsExample: + summary: Example scheduled action results response + value: + aggregations: + failed: 1 + pending: 0 + successful: 9 + totalResponded: 10 + totalRowCount: 42 + currentPage: 0 + edges: + - _id: result-001 + fields: + agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 + rows_count: 5 + status: success + metadata: + executionCount: 3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + timestamp: '2024-07-26T09:00:00.000Z' + pageSize: 20 + total: 10 + totalPages: 1 + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_GetScheduledActionResultsResponse + description: Indicates a successful call. + summary: Get scheduled action results + tags: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results: + get: + description: > + Get paginated query result rows (the actual osquery output data) for a + specific scheduled query execution. + operationId: OsqueryGetScheduledQueryResults + parameters: + - description: The schedule ID of the scheduled query. + in: path + name: scheduleId + required: true + schema: + description: The schedule ID of the scheduled query. + example: pack_my_pack_uptime type: string - name: - description: The name of the template. + - description: The execution count for this scheduled query run. + in: path + name: executionCount + required: true + schema: + description: The execution count for this scheduled query run. + example: 3 + type: integer + - description: The kuery to filter the results by. 
+ in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. The default is 1. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. The default is 20. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field that is used to sort the results. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: Specifies the sort order. + in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + - description: The start date filter (ISO 8601) to narrow down results. + in: query + name: startDate + required: false + schema: + description: The start date filter (ISO 8601) to narrow down results. + example: '2024-01-01T00:00:00Z' type: string - tags: - $ref: '#/components/schemas/Cases_template_tags' - type: array - x-state: Technical preview - Cases_update_alert_comment_request_properties: - description: Defines properties for case comment requests when type is alert. - type: object - properties: - alertId: - $ref: '#/components/schemas/Cases_alert_identifiers' - id: - description: | - The identifier for the comment. To retrieve comment IDs, use the get comments API. - example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 - type: string - index: - $ref: '#/components/schemas/Cases_alert_indices' - owner: - $ref: '#/components/schemas/Cases_owner' - rule: - $ref: '#/components/schemas/Cases_rule' - type: - description: The type of comment. - enum: - - alert - example: alert - type: string - version: - description: | - The current comment version. To retrieve version values, use the get comments API. 
- example: Wzk1LDFd - type: string - required: - - alertId - - id - - index - - owner - - rule - - type - - version - title: Update case comment request properties for alerts - Cases_update_case_comment_request: - description: The update case comment API request body varies depending on whether you are updating an alert or a comment. - discriminator: - mapping: - alert: '#/components/schemas/Cases_update_alert_comment_request_properties' - user: '#/components/schemas/Cases_update_user_comment_request_properties' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Cases_update_alert_comment_request_properties' - - $ref: '#/components/schemas/Cases_update_user_comment_request_properties' - title: Update case comment request - Cases_update_case_configuration_request: - description: | - You can update settings such as the closure type, custom fields, templates, and the default connector for cases. - properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: - description: An object that contains the connector configuration. - type: object - properties: - fields: - description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. - nullable: true + responses: + '200': + content: + application/json: + examples: + scheduledQueryResultsExample: + summary: Example scheduled query results response + value: + data: + edges: + - _id: row-001 + fields: + host.uptime: + - '12345' + - _id: row-002 + fields: + host.uptime: + - '67890' + total: 2 + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_GetScheduledQueryResultsResponse + description: Indicates a successful call. + summary: Get scheduled query results + tags: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + /api/pinned_event: + patch: + description: Pin/unpin an event to/from an existing Timeline. 
+ operationId: PersistPinnedEventRoute + requestBody: + content: + application/json: + examples: + pinEvent: + summary: Pin an event + value: + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + schema: type: object - id: - description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. - example: none - type: string - name: - description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. - example: none - type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - required: - - fields - - id - - name - - type - customFields: - description: Custom fields case configuration. - items: - type: object - properties: - defaultValue: - description: | - A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. - oneOf: - - type: string - - type: boolean - key: - description: | - A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. - maxLength: 36 - minLength: 1 - type: string - label: - description: The custom field label that is displayed in the case. - maxLength: 50 - minLength: 1 - type: string - type: - description: The type of the custom field. - enum: - - text - - toggle - type: string + properties: + eventId: + description: The `_id` of the associated event for this pinned event. + example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + type: string + pinnedEventId: + description: The `savedObjectId` of the pinned event you want to unpin. 
+ example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + nullable: true + type: string + timelineId: + description: >- + The `savedObjectId` of the timeline that you want this + pinned event unpinned from. + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + type: string required: - description: | - Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. - type: boolean - required: - - key - - label - - required - - type - type: array - templates: - $ref: '#/components/schemas/Cases_templates' - version: - description: | - The version of the connector. To retrieve the version value, use the get configuration API. - example: WzIwMiwxXQ== - type: string - required: - - version - title: Update case configuration request - type: object - Cases_update_case_request: - description: The update case API request body varies depending on the type of connector. - properties: - cases: - description: An array containing one or more case objects. - items: - type: object - properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - $ref: '#/components/schemas/Cases_case_category' - closeReason: - $ref: '#/components/schemas/Cases_case_close_sync_reason' - connector: - oneOf: - - $ref: '#/components/schemas/Cases_connector_properties_none' - - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - - $ref: '#/components/schemas/Cases_connector_properties_jira' - - $ref: '#/components/schemas/Cases_connector_properties_resilient' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - - $ref: '#/components/schemas/Cases_connector_properties_swimlane' - customFields: - description: | - Custom field values for a case. Any optional custom fields that are not specified in the request are set to null. 
- items: + - eventId + - timelineId + description: The pinned event to add or unpin, along with additional metadata. + required: true + responses: + '200': + content: + application/json: + examples: + pinnedSaved: + summary: Pinned event saved object + value: + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + pinnedEventId: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzQ2LDFe + unpinned: + summary: Unpin response + value: + unpinned: true + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_PersistPinnedEventResponse + description: Indicates a successful call. + summary: Pin/unpin an event + tags: + - Security Timeline API + - access:securitySolution + /api/risk_score/engine/dangerously_delete_data: + delete: + description: >- + Cleaning up the the Risk Engine by removing the indices, mapping and + transforms + operationId: CleanUpRiskEngine + responses: + '200': + content: + application/json: + examples: + CleanUpRiskEngineResponse: + summary: Successful cleanup response + value: + cleanup_successful: true + schema: + type: object + properties: + cleanup_successful: + type: boolean + description: Successful response + '400': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse + description: Task manager is unavailable + default: + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse + description: Unexpected error + summary: Cleanup the Risk Engine + tags: + - Security Entity Analytics API + /api/risk_score/engine/saved_object/configure: + patch: + description: Configuring the Risk Engine Saved Object + operationId: ConfigureRiskEngineSavedObject + requestBody: + content: + application/json: + examples: + ConfigureRiskEngineSavedObjectRequest: + summary: Configure the risk engine saved object + value: + enable_reset_to_zero: false 
+ exclude_alert_statuses: + - closed + exclude_alert_tags: + - low-priority + filters: + - entity_types: + - host + - user + filter: 'host.name: *' + range: + end: now + start: now-30d + schema: + type: object + properties: + enable_reset_to_zero: + type: boolean + exclude_alert_statuses: + items: + type: string + type: array + exclude_alert_tags: + items: + type: string + type: array + filters: + items: + type: object + properties: + entity_types: + items: + enum: + - host + - user + - service + type: string + type: array + filter: + description: KQL filter string + type: string + required: + - entity_types + - filter + type: array + range: type: object properties: - key: - description: | - The unique identifier for the custom field. The key value must exist in the case configuration settings. + end: type: string - type: - description: | - The custom field type. It must match the type specified in the case configuration settings. - enum: - - text - - toggle + start: type: string - value: - description: | - The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`. - oneOf: - - maxLength: 160 - minLength: 1 - nullable: true - type: string - - type: boolean - required: - - key - - type - - value - maxItems: 10 - minItems: 0 - type: array - description: - $ref: '#/components/schemas/Cases_case_description' - id: - description: The identifier for the case. 
- maxLength: 30000 - type: string - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - status: - $ref: '#/components/schemas/Cases_case_status' - tags: - $ref: '#/components/schemas/Cases_case_tags' - title: - $ref: '#/components/schemas/Cases_case_title' - version: - description: | - The current version of the case. To determine this value, use the get case or search cases (`_find`) APIs. - type: string - required: - - id - - version - maxItems: 100 - minItems: 1 - type: array - required: - - cases - title: Update case request - type: object - Cases_update_user_comment_request_properties: - description: Defines properties for case comment requests when type is user. - properties: - comment: - description: The new comment. It is required only when `type` is `user`. - example: A new comment. - maxLength: 30000 - type: string - id: - description: | - The identifier for the comment. To retrieve comment IDs, use the get comments API. - example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 - type: string - owner: - $ref: '#/components/schemas/Cases_owner' - type: - description: The type of comment. - enum: - - user - example: user - type: string - version: - description: | - The current comment version. To retrieve version values, use the get comments API. 
- example: Wzk1LDFd - type: string - required: - - comment - - id - - owner - - type - - version - title: Update case comment request properties for user comments - type: object - Cases_user_actions_find_response_properties: - type: object - properties: - action: - $ref: '#/components/schemas/Cases_actions' - comment_id: - example: 578608d0-03b1-11ed-920c-974bfa104448 - nullable: true - type: string - created_at: - example: '2022-05-13T09:16:17.416Z' - format: date-time - type: string - created_by: - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - id: - example: 22fd3e30-03b1-11ed-920c-974bfa104448 - type: string - owner: - $ref: '#/components/schemas/Cases_owner' - payload: - oneOf: - - $ref: '#/components/schemas/Cases_payload_alert_comment' - - $ref: '#/components/schemas/Cases_payload_assignees' - - $ref: '#/components/schemas/Cases_payload_connector' - - $ref: '#/components/schemas/Cases_payload_create_case' - - $ref: '#/components/schemas/Cases_payload_delete' - - $ref: '#/components/schemas/Cases_payload_description' - - $ref: '#/components/schemas/Cases_payload_pushed' - - $ref: '#/components/schemas/Cases_payload_settings' - - $ref: '#/components/schemas/Cases_payload_severity' - - $ref: '#/components/schemas/Cases_payload_status' - - $ref: '#/components/schemas/Cases_payload_tags' - - $ref: '#/components/schemas/Cases_payload_title' - - $ref: '#/components/schemas/Cases_payload_user_comment' - type: - description: The type of action. 
- enum: - - assignees - - category - - comment - - connector - - create_case - - customFields - - delete_case - - description - - extended_fields - - observables - - pushed - - settings - - severity - - status - - tags - - title - example: create_case - type: string - version: - example: WzM1ODg4LDFd - type: string - required: - - action - - comment_id - - created_at - - created_by - - id - - owner - - payload - - type - - version - Cases_user_comment_response_properties: - title: Case response properties for user comments - type: object - properties: - comment: - example: A new comment. - type: string - created_at: - example: '2022-05-13T09:16:17.416Z' - format: date-time - type: string - created_by: - $ref: '#/components/schemas/Cases_case_response_created_by_properties' - id: - example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 - type: string - owner: - $ref: '#/components/schemas/Cases_owner' - pushed_at: - example: null - format: date-time - nullable: true - type: string - pushed_by: - $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' - type: - enum: - - user - example: user - type: string - updated_at: - example: null - format: date-time - nullable: true - type: string - updated_by: - $ref: '#/components/schemas/Cases_case_response_updated_by_properties' - version: - example: WzIwNDMxLDFd - type: string - required: - - type - Data_views_400_response: - title: Bad request - type: object - properties: - error: - example: Bad Request - type: string - message: - type: string - statusCode: - example: 400 - type: number - required: - - statusCode - - error - - message - Data_views_404_response: - type: object - properties: - error: - enum: - - Not Found - example: Not Found - type: string - message: - example: Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found - type: string - statusCode: - enum: - - 404 - example: 404 - type: integer - Data_views_allownoindex: - description: Allows the data view saved object to exist before 
the data is available. Defaults to `false`. - type: boolean - Data_views_create_data_view_request_object: - title: Create data view request - type: object - properties: - data_view: - description: The data view object. - type: object - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' + required: true + responses: + '200': + content: + application/json: + examples: + ConfigureRiskEngineSavedObjectResponse: + summary: Successful configuration response + value: + risk_engine_saved_object_configured: true + schema: + type: object + properties: + risk_engine_saved_object_configured: + type: boolean + description: Successful response + '400': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse + description: Task manager is unavailable + default: + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse + description: Unexpected error + summary: Configure the Risk Engine Saved Object + tags: + - Security Entity Analytics API + /api/risk_score/engine/schedule_now: + post: + description: >- + Schedule the risk scoring engine to run as soon as possible. You can use + this to recalculate entity risk scores after updating their asset + criticality. 
+ operationId: ScheduleRiskEngineNow + requestBody: + content: + application/json: {} + responses: + '200': + content: + application/json: + examples: + ScheduleRiskEngineNowResponse: + summary: Successful schedule response + value: + success: true + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse + description: Successful response + '400': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse + description: Task manager is unavailable + default: + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse + description: Unexpected error + summary: Run the risk scoring engine + tags: + - Security Entity Analytics API + /api/saved_objects/_bulk_create: + post: + deprecated: true + description: > + Create multiple Kibana saved objects. + + + WARNING: This API is intended to be removed in a future Elastic stack + version. Consider using the import API for your use case. + + NOTE: For forward compatibility, include `coreMigrationVersion` and + `typeMigrationVersion` when creating saved objects outside of Kibana or + when persisting raw saved objects outside of Kibana. + operationId: bulkCreateSavedObjects + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - description: When true, overwrites the document with the same identifier. + in: query + name: overwrite + schema: + type: boolean + requestBody: + content: + application/json: + schema: + items: + type: object + properties: + coreMigrationVersion: + description: > + The Kibana version that last migrated this document. When + creating saved objects outside of Kibana, preserve this + field to retain forward compatibility. + type: string + typeMigrationVersion: + description: > + The type version that last migrated this document. 
When + creating saved objects outside of Kibana, preserve this + field to retain forward compatibility. + type: string + type: array + required: true + responses: + '200': + content: + application/json: + schema: + type: object + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Create saved objects + tags: + - saved objects + /api/saved_objects/_bulk_delete: + post: + deprecated: true + description: > + WARNING: When you delete a saved object, it cannot be recovered. + + + WARNING: This API is intended to be removed in a future Elastic stack + version. There is currently no alternative API for all use cases + supported by this API. Once alternative APIs are provided in a future + Elastic version, it will be possible to migrate away from this API. + operationId: bulkDeleteSavedObjects + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - description: > + When true, force delete objects that exist in multiple namespaces. + Note that the option applies to the whole request. Use the delete + object API to specify per-object deletion behavior. TIP: Use this if + you attempted to delete objects and received an HTTP 400 error with + the following message: "Unable to delete saved object that exists in + multiple namespaces, use the force option to delete it anyway". + WARNING: When you bulk delete objects that exist in multiple + namespaces, the API also deletes legacy url aliases that reference + the object. These requests are batched to minimise the impact but + they can place a heavy load on Kibana. Make sure you limit the + number of objects that exist in multiple namespaces in a single bulk + delete operation. 
+ in: query + name: force + schema: + type: boolean + requestBody: + content: + application/json: + schema: + items: + type: object + type: array + required: true + responses: + '200': + content: + application/json: + schema: + type: object + description: > + Indicates a successful call. NOTE: This HTTP response code indicates + that the bulk operation succeeded. Errors pertaining to individual + objects will be returned in the response body. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Delete saved objects + tags: + - saved objects + /api/saved_objects/_bulk_get: + post: + deprecated: true + description: > + Retrieve multiple Kibana saved objects by identifier. + + + WARNING: This API is intended to be removed in a future Elastic stack + version. Consider using the export API for your use case. + operationId: bulkGetSavedObjects + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + requestBody: + content: + application/json: + schema: + items: + type: object + type: array + required: true + responses: + '200': + content: + application/json: + schema: + type: object + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Get saved objects + tags: + - saved objects + /api/saved_objects/_bulk_resolve: + post: + deprecated: true + description: > + Retrieve multiple Kibana saved objects by identifier using any legacy + URL aliases if they exist. Under certain circumstances when Kibana is + upgraded, saved object migrations may necessitate regenerating some + object IDs to enable new features. When an object's ID is regenerated, a + legacy URL alias is created for that object, preserving its old ID. In + such a scenario, that object can be retrieved by the bulk resolve API + using either its new ID or its old ID. 
+ + + WARNING: This API is intended to be removed in a future Elastic stack + version. Consider using the export API for your use case. + operationId: bulkResolveSavedObjects + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + requestBody: + content: + application/json: + schema: + items: + type: object + type: array + required: true + responses: + '200': + content: + application/json: + schema: + type: object + description: > + Indicates a successful call. NOTE: This HTTP response code indicates + that the bulk operation succeeded. Errors pertaining to individual + objects will be returned in the response body. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Resolve saved objects + tags: + - saved objects + /api/saved_objects/_bulk_update: + post: + deprecated: true + description: > + Update the attributes for multiple Kibana saved objects. + + + WARNING: This API is intended to be removed in a future Elastic stack + version. Consider using the import API for your use case. + operationId: bulkUpdateSavedObjects + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + requestBody: + content: + application/json: + schema: + items: + type: object + type: array + required: true + responses: + '200': + content: + application/json: + schema: + type: object + description: > + Indicates a successful call. NOTE: This HTTP response code indicates + that the bulk operation succeeded. Errors pertaining to individual + objects will be returned in the response body. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Update saved objects + tags: + - saved objects + /api/saved_objects/_find: + get: + deprecated: true + description: > + Retrieve a paginated set of Kibana saved objects. 
+ + + WARNING: This API is intended to be removed in a future Elastic stack + version. Consider using the export API for your use case. + operationId: findSavedObjects + parameters: + - description: > + An aggregation structure, serialized as a string. The field format + is similar to filter, meaning that to use a saved object type + attribute in the aggregation, the `savedObjectType.attributes.title: + "myTitle"` format must be used. For root fields, the syntax is + `savedObjectType.rootField`. NOTE: As objects change in Kibana, the + results on each page of the response also change. Use the find API + for traditional paginated results, but avoid using it to export + large amounts of data. + in: query + name: aggs + schema: + type: string + - description: The default operator to use for the `simple_query_string`. + in: query + name: default_search_operator + schema: + type: string + - description: The fields to return in the attributes key of the response. + in: query + name: fields + schema: + oneOf: + - type: string + - type: array + - description: > + The filter is a KQL string with the caveat that if you filter with + an attribute from your saved object type, it should look like that: + `savedObjectType.attributes.title: "myTitle"`. However, if you use a + root attribute of a saved object such as `updated_at`, you will have + to define your filter like that: `savedObjectType.updated_at > + 2018-12-22`. + in: query + name: filter + schema: + type: string + - description: >- + Filters to objects that do not have a relationship with the type and + identifier combination. + in: query + name: has_no_reference + schema: + type: object + - description: >- + The operator to use for the `has_no_reference` parameter. Either + `OR` or `AND`. Defaults to `OR`. + in: query + name: has_no_reference_operator + schema: + type: string + - description: >- + Filters to objects that have a relationship with the type and ID + combination. 
+ in: query + name: has_reference + schema: + type: object + - description: >- + The operator to use for the `has_reference` parameter. Either `OR` + or `AND`. Defaults to `OR`. + in: query + name: has_reference_operator + schema: + type: string + - description: The page of objects to return. + in: query + name: page + schema: + type: integer + - description: The number of objects to return per page. + in: query + name: per_page + schema: + type: integer + - description: >- + An Elasticsearch `simple_query_string` query that filters the + objects in the response. + in: query + name: search + schema: + type: string + - description: >- + The fields to perform the `simple_query_string` parsed query + against. + in: query + name: search_fields + schema: + oneOf: + - type: string + - type: array + - description: > + Sorts the response. Includes "root" and "type" fields. "root" fields + exist for all saved objects, such as "updated_at". "type" fields are + specific to an object type, such as fields returned in the + attributes key of the response. When a single type is defined in the + type parameter, the "root" and "type" fields are allowed, and + validity checks are made in that order. When multiple types are + defined in the type parameter, only "root" fields are allowed. + in: query + name: sort_field + schema: + type: string + - description: The saved object types to include. + in: query + name: type + required: true + schema: + oneOf: + - type: string + - type: array + responses: + '200': + content: + application/json: + schema: + type: object + description: Indicates a successful call. 
+ '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Search for saved objects + tags: + - saved objects + /api/saved_objects/_resolve_import_errors: + post: + description: | + To resolve errors from the Import objects API, you can: + + * Retry certain saved objects + * Overwrite specific saved objects + * Change references to different saved objects + operationId: resolveImportErrors + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - description: > + Applies various adjustments to the saved objects that are being + imported to maintain compatibility between different Kibana + versions. When enabled during the initial import, also enable when + resolving import errors. This option cannot be used with the + `createNewCopies` option. + in: query + name: compatibilityMode + required: false + schema: + type: boolean + - description: > + Creates copies of the saved objects, regenerates each object ID, and + resets the origin. When enabled during the initial import, also + enable when resolving import errors. + in: query + name: createNewCopies + required: false + schema: + type: boolean + requestBody: + content: + multipart/form-data: + examples: + resolveImportErrorsRequest: + $ref: >- + #/components/examples/Saved_objects_resolve_missing_reference_request + schema: type: object - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: + properties: + file: + description: The same file given to the import API. + format: binary + type: string + retries: + description: >- + The retry operations, which can specify how to resolve + different types of errors. + items: + type: object + properties: + destinationId: + description: >- + Specifies the destination ID that the imported object + should have, if different from the current ID. + type: string + id: + description: The saved object ID. 
+ type: string + ignoreMissingReferences: + description: >- + When set to `true`, ignores missing reference errors. + When set to `false`, does nothing. + type: boolean + overwrite: + description: >- + When set to `true`, the source object overwrites the + conflicting destination object. When set to `false`, + does nothing. + type: boolean + replaceReferences: + description: >- + A list of `type`, `from`, and `to` used to change the + object references. + items: + type: object + properties: + from: + type: string + to: + type: string + type: + type: string + type: array + type: + description: The saved object type. + type: string + required: + - type + - id + type: array + required: + - retries + required: true + responses: + '200': + content: + application/json: + examples: + resolveImportErrorsResponse: + $ref: >- + #/components/examples/Saved_objects_resolve_missing_reference_response + schema: + type: object + properties: + errors: + description: > + Specifies the objects that failed to resolve. + + + NOTE: One object can result in multiple errors, which + requires separate steps to resolve. For instance, a + `missing_references` error and a `conflict` error. + items: + type: object + type: array + success: + description: > + Indicates a successful import. When set to `false`, some + objects may not have been created. For additional + information, refer to the `errors` and `successResults` + properties. + type: boolean + successCount: + description: | + Indicates the number of successfully resolved records. + type: number + successResults: + description: > + Indicates the objects that are successfully imported, with + any metadata if applicable. + + + NOTE: Objects are only created when all resolvable errors + are addressed, including conflict and missing references. + items: + type: object + type: array + description: Indicates a successful call. 
+ '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request. + summary: Resolve import errors + tags: + - saved objects + /api/saved_objects/{type}: + post: + deprecated: true + description: > + Create a Kibana saved object with a randomly generated identifier. + + + WARNING: This API is intended to be removed in a future Elastic stack + version. Consider using the import API for your use case. + + NOTE: For forward compatibility, include `coreMigrationVersion` and + `typeMigrationVersion` when creating saved objects outside of Kibana or + when persisting raw saved objects outside of Kibana. + operationId: createSavedObject + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - $ref: '#/components/parameters/Saved_objects_saved_object_type' + - description: If true, overwrites the document with the same identifier. + in: query + name: overwrite + schema: + type: boolean + requestBody: + content: + application/json: + schema: type: object - id: - type: string - name: - description: The data view name. - type: string - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' + properties: + attributes: + $ref: '#/components/schemas/Saved_objects_attributes' + coreMigrationVersion: + description: > + The Kibana version that last migrated this document. When + creating saved objects outside of Kibana, preserve this + field to retain forward compatibility. + type: string + initialNamespaces: + $ref: '#/components/schemas/Saved_objects_initial_namespaces' + references: + $ref: '#/components/schemas/Saved_objects_references' + typeMigrationVersion: + description: > + The type version that last migrated this document. When + creating saved objects outside of Kibana, preserve this + field to retain forward compatibility. 
+ type: string + required: + - attributes + required: true + responses: + '200': + content: + application/json: + schema: + type: object + description: Indicates a successful call. + '409': + content: + application/json: + schema: + type: object + description: Indicates a conflict error. + summary: Create a saved object + tags: + - saved objects + /api/saved_objects/{type}/{id}: + get: + deprecated: true + description: > + Retrieve a single Kibana saved object by identifier. + + + WARNING: This API is intended to be removed in a future Elastic stack + version. Consider using the export API for your use case. + operationId: getSavedObject + parameters: + - $ref: '#/components/parameters/Saved_objects_saved_object_id' + - $ref: '#/components/parameters/Saved_objects_saved_object_type' + responses: + '200': + content: + application/json: + schema: + type: object + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request. + summary: Get a saved object + tags: + - saved objects + post: + deprecated: true + description: > + Create a Kibana saved object and specify its identifier instead of using + a randomly generated ID. + + + WARNING: This API is intended to be removed in a future Elastic stack + version. Consider using the import API for your use case. + + NOTE: For forward compatibility, include `coreMigrationVersion` and + `typeMigrationVersion` when creating saved objects outside of Kibana or + when persisting raw saved objects outside of Kibana. + operationId: createSavedObjectId + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - $ref: '#/components/parameters/Saved_objects_saved_object_id' + - $ref: '#/components/parameters/Saved_objects_saved_object_type' + - description: If true, overwrites the document with the same identifier. 
+ in: query + name: overwrite + schema: + type: boolean + requestBody: + content: + application/json: + schema: type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - version: - type: string - required: - - title - override: - default: false - description: Override an existing data view if a data view with the provided title already exists. - type: boolean - required: - - data_view - Data_views_data_view_response_object: - title: Data view response properties - type: object - properties: - data_view: - type: object - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' + properties: + attributes: + $ref: '#/components/schemas/Saved_objects_attributes' + coreMigrationVersion: + description: > + The Kibana version that last migrated this document. When + creating saved objects outside of Kibana, preserve this + field to retain forward compatibility. + type: string + initialNamespaces: + $ref: '#/components/schemas/Saved_objects_initial_namespaces' + references: + $ref: '#/components/schemas/Saved_objects_references' + typeMigrationVersion: + description: > + The type version that last migrated this document. When + creating saved objects outside of Kibana, preserve this + field to retain forward compatibility. + type: string + required: + - attributes + required: true + responses: + '200': + content: + application/json: + schema: + type: object + description: Indicates a successful call. + '409': + content: + application/json: + schema: + type: object + description: Indicates a conflict error. 
+ summary: Create a saved object + tags: + - saved objects + put: + deprecated: true + description: > + Update the attributes for Kibana saved objects. + + + WARNING: This API is intended to be removed in a future Elastic stack + version. Consider using the import API for your use case. + operationId: updateSavedObject + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - $ref: '#/components/parameters/Saved_objects_saved_object_id' + - $ref: '#/components/parameters/Saved_objects_saved_object_type' + requestBody: + content: + application/json: + schema: type: object - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: + required: true + responses: + '200': + content: + application/json: + schema: + type: object + description: Indicates a successful call. + '404': + content: + application/json: + schema: + type: object + description: Indicates the object was not found. + '409': + content: + application/json: + schema: + type: object + description: Indicates a conflict error. + summary: Update a saved object + tags: + - saved objects + /api/saved_objects/resolve/{type}/{id}: + get: + deprecated: true + description: > + Retrieve a single Kibana saved object by identifier using any legacy URL + alias if it exists. Under certain circumstances, when Kibana is + upgraded, saved object migrations may necessitate regenerating some + object IDs to enable new features. When an object's ID is regenerated, a + legacy URL alias is created for that object, preserving its old ID. In + such a scenario, that object can be retrieved using either its new ID or + its old ID. + + + WARNING: This API is intended to be removed in a future Elastic stack + version. Consider using the export API for your use case. 
+ operationId: resolveSavedObject + parameters: + - $ref: '#/components/parameters/Saved_objects_saved_object_id' + - $ref: '#/components/parameters/Saved_objects_saved_object_type' + responses: + '200': + content: + application/json: + schema: + type: object + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request. + summary: Resolve a saved object + tags: + - saved objects + /api/security_ai_assistant/anonymization_fields/_bulk_action: + post: + description: >- + Apply a bulk action to multiple anonymization fields. The bulk action is + applied to all anonymization fields that match the filter or to the list + of anonymization fields by their IDs. + operationId: PerformAnonymizationFieldsBulkAction + requestBody: + content: + application/json: + schema: + example: + create: + - allowed: true + anonymized: false + field: host.name + - allowed: false + anonymized: true + field: user.name + delete: + ids: + - field5 + - field6 + query: 'field: host.name' + update: + - allowed: true + anonymized: false + id: field8 + - allowed: false + anonymized: true + id: field9 type: object - id: - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f - type: string - name: - description: The data view name. + properties: + create: + description: Array of anonymization fields to create. + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps + type: array + delete: + description: >- + Object containing the query to filter anonymization fields + and/or an array of anonymization field IDs to delete. + type: object + properties: + ids: + description: Array of IDs to apply the action to. + example: + - '1234' + - '5678' + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter the bulk action. 
+ example: 'status: ''inactive''' + type: string + update: + description: Array of anonymization fields to update. + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps + type: array + responses: + '200': + content: + application/json: + example: + anonymization_fields_count: 5 + attributes: + results: + created: + - allowed: false + anonymized: true + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: host.name + id: field2 + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + deleted: + - field3 + skipped: + - id: field4 + name: user.name + skip_reason: ANONYMIZATION_FIELD_NOT_MODIFIED + updated: + - allowed: true + anonymized: false + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: url.domain + id: field8 + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + summary: + failed: 1 + skipped: 1 + succeeded: 2 + total: 5 + message: Bulk action completed successfully + status_code: 200 + success: true + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse + description: Indicates a successful call. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request body + statusCode: 400 + schema: + type: object + properties: + error: + description: Error type or name. + type: string + message: + description: Detailed error message. + type: string + statusCode: + description: Status code of the response. + type: number + description: Generic Error + summary: Apply a bulk action to anonymization fields + tags: + - Security AI Assistant API + - Bulk API + /api/security_ai_assistant/anonymization_fields/_find: + get: + description: Get a list of all anonymization fields. 
+ operationId: FindAnonymizationFields + parameters: + - description: Fields to return + example: + - id + - field + - anonymized + - allowed + in: query + name: fields + required: false + schema: + items: type: string - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: array + - description: Search query + example: 'field: "user.name"' + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + example: created_at + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField + - description: Sort order + example: asc + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number + example: 1 + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: AnonymizationFields per page + example: 20 + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + - description: >- + If true, additionally fetch all anonymization fields, otherwise + fetch only the provided page + in: query + name: all_data + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + example: + aggregations: + anonymized: + buckets: + allowed: + doc_count: 1 + anonymized: + doc_count: 1 + denied: + doc_count: 1 + all: + - allowed: true + anonymized: true + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: user.name + id: '1' + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + data: + - allowed: true + anonymized: true + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: user.name + id: '1' + namespace: default + timestamp: 
'2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + page: 1 + perPage: 20 + total: 100 + schema: + type: object + properties: + aggregations: + type: object + properties: + field_status: + type: object + properties: + buckets: + type: object + properties: + allowed: + type: object + properties: + doc_count: + default: 0 + type: integer + anonymized: + type: object + properties: + doc_count: + default: 0 + type: integer + denied: + type: object + properties: + doc_count: + default: 0 + type: integer + all: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + type: array + data: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters + statusCode: 400 + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Get anonymization fields + tags: + - Security AI Assistant API + - AnonymizationFields API + /api/security_ai_assistant/chat/complete: + post: + description: Create a model response for the given chat conversation. + operationId: ChatComplete + parameters: + - description: If true, the response will not include content references. + example: false + in: query + name: content_references_disabled + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + example: + connectorId: conn-001 + conversationId: abc123 + isStream: true + langSmithApiKey: sk-abc123 + langSmithProject: security_ai_project + messages: + - content: What are some common phishing techniques? 
+ data: + user_id: user_789 + fields_to_anonymize: + - user.name + - source.ip + role: user + model: gpt-4 + persist: true + promptId: prompt_456 + responseLanguage: en + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' + required: true + responses: + '200': + content: + application/octet-stream: + schema: + format: binary + type: string + description: Indicates a successful model response call. + '400': + content: + application/json: + schema: + type: object + properties: + error: + description: Error type. + example: Bad Request + type: string + message: + description: Human-readable error message. + example: Invalid request payload. + type: string + statusCode: + description: HTTP status code. + example: 400 + type: number + description: Generic Error + summary: Create a model response + tags: + - Security AI Assistant API + - Chat Complete API + /api/security_ai_assistant/current_user/conversations: + delete: + description: This endpoint allows users to permanently delete all conversations. + operationId: DeleteAllConversations + requestBody: + content: + application/json: + schema: type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta_response' - version: - example: WzQ2LDJd - type: string - Data_views_fieldattrs: - description: A map of field attributes by field name. - type: object - properties: - count: - description: Popularity count for the field. - type: integer - customDescription: - description: Custom description for the field. - maxLength: 300 - type: string - customLabel: - description: Custom label for the field. - type: string - Data_views_fieldformats: - description: A map of field formats by field name. 
- type: object - Data_views_namespaces: - description: An array of space identifiers for sharing the data view between multiple spaces. - items: - default: default - type: string - type: array - Data_views_runtimefieldmap: - description: A map of runtime field definitions by field name. - type: object - properties: - script: - type: object - properties: - source: - description: Script for the runtime field. + properties: + excludedIds: + description: Optional list of conversation IDs to delete. + example: + - abc123 + - def456 + items: + type: string + type: array + required: false + responses: + '200': + content: + application/json: + example: + success: true + schema: + type: object + properties: + failures: + items: + type: string + type: array + success: + example: true + type: boolean + totalDeleted: + example: 10 + type: number + description: >- + Indicates a successful call. The conversations were deleted + successfully. + '400': + content: + application/json: + schema: + type: object + properties: + error: + example: Bad Request + type: string + message: + example: Invalid conversation ID + type: string + statusCode: + example: 400 + type: number + description: Generic Error. This response indicates an issue with the request. + summary: Delete conversations + tags: + - Security AI Assistant API + - Conversation API + post: + description: >- + Create a new Security AI Assistant conversation. This endpoint allows + the user to initiate a conversation with the Security AI Assistant by + providing the required parameters. + operationId: CreateConversation + requestBody: + content: + application/json: + example: + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + excludeFromLastConversationStorage: false + messages: + - content: Hello, how can I assist you today? 
+ role: system + timestamp: '2023-10-31T12:00:00Z' + replacements: {} + title: Security Discussion + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationCreateProps + required: true + responses: + '200': + content: + application/json: + example: + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + createdAt: '2023-10-31T12:01:00Z' + excludeFromLastConversationStorage: false + id: abc123 + messages: + - content: Hello, how can I assist you today? + role: system + timestamp: '2023-10-31T12:00:00Z' + replacements: {} + title: Security Discussion + updatedAt: '2023-10-31T12:01:00Z' + users: + - id: user1 + name: John Doe + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: >- + Indicates a successful call. The conversation was created + successfully. + '400': + content: + application/json: + schema: + type: object + properties: + error: + example: Bad Request + type: string + message: + example: 'Missing required parameter: title' + type: string + statusCode: + example: 400 + type: number + description: >- + Generic Error. This response indicates an issue with the request, + such as missing required parameters or incorrect data. + summary: Create a conversation + tags: + - Security AI Assistant API + - Conversation API + /api/security_ai_assistant/current_user/conversations/_find: + get: + description: >- + Get a list of all conversations for the current user. This endpoint + allows users to search, filter, sort, and paginate through their + conversations. + operationId: FindConversations + parameters: + - description: >- + A list of fields to include in the response. If omitted, all fields + are returned. + in: query + name: fields + required: false + schema: + example: + - id + - title + - createdAt + items: type: string - type: - description: Mapping type of the runtime field. 
- type: string - required: - - script - - type - Data_views_sourcefilters: - description: The array of field names you want to filter out in Discover. - items: - type: object - properties: - value: + type: array + - description: >- + A search query to filter the conversations. Can match against + titles, messages, or other conversation attributes. + in: query + name: filter + required: false + schema: + example: Security Issue type: string - required: - - value - type: array - Data_views_swap_data_view_request_object: - title: Data view reference swap request - type: object - properties: - delete: - description: Deletes referenced saved object if all references are removed. - type: boolean - forId: - description: Limit the affected saved objects to one or more by identifier. - oneOf: - - type: string - - items: - type: string - type: array - forType: - description: Limit the affected saved objects by type. - type: string - fromId: - description: The saved object reference to change. - type: string - fromType: - description: | - Specify the type of the saved object reference to alter. The default value is `index-pattern` for data views. - type: string - toId: - description: New saved object reference value to replace the old value. - type: string - required: - - fromId - - toId - Data_views_timefieldname: - description: The timestamp field name, which you use for time-based data views. - type: string - Data_views_title: - description: Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (`*`). - type: string - Data_views_type: - description: When set to `rollup`, identifies the rollup data views. - type: string - Data_views_typemeta: - description: When you use rollup indices, contains the field list for the rollup data view API endpoints. - type: object - properties: - aggs: - description: A map of rollup restrictions by aggregation type and field name. 
- type: object - params: - description: Properties for retrieving rollup fields. - type: object - required: - - aggs - - params - Data_views_typemeta_response: - description: When you use rollup indices, contains the field list for the rollup data view API endpoints. - nullable: true - type: object - properties: - aggs: - description: A map of rollup restrictions by aggregation type and field name. - type: object - params: - description: Properties for retrieving rollup fields. - type: object - Data_views_update_data_view_request_object: - title: Update data view request - type: object - properties: - data_view: - description: | - The data view properties you want to update. Only the specified properties are updated in the data view. Unspecified fields stay as they are persisted. - type: object - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: + - description: >- + The field by which to sort the results. Valid fields are + `created_at`, `title`, and `updated_at`. + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_FindConversationsSortField + example: created_at + - description: >- + The order in which to sort the results. Can be either `asc` for + ascending or `desc` for descending. + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + example: desc + - description: The page number of the results to retrieve. Default is 1. + in: query + name: page + required: false + schema: + default: 1 + example: 1 + minimum: 1 + type: integer + - description: The number of conversations to return per page. Default is 20. + in: query + name: per_page + required: false + schema: + default: 20 + example: 20 + minimum: 0 + type: integer + - description: >- + Whether to return conversations that the current user owns. 
If true, + only conversations owned by the user are returned. + in: query + name: is_owner + required: false + schema: + default: false + example: true + type: boolean + responses: + '200': + content: + application/json: + schema: + type: object + properties: + data: + description: A list of conversations. + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + type: array + page: + description: The current page of the results. + example: 1 + type: integer + perPage: + description: The number of results returned per page. + example: 20 + type: integer + total: + description: >- + The total number of conversations matching the filter + criteria. + example: 100 + type: integer + required: + - page + - perPage + - total + - data + description: >- + Successful response, returns a paginated list of conversations + matching the specified criteria. + '400': + content: + application/json: + schema: + type: object + properties: + error: + example: Bad Request + type: string + message: + example: Invalid filter query parameter + type: string + statusCode: + example: 400 + type: number + description: >- + Generic Error. The request could not be processed due to an invalid + query parameter or other issue. + summary: Get conversations + tags: + - Security AI Assistant API + - Conversations API + /api/security_ai_assistant/current_user/conversations/{id}: + delete: + description: >- + Delete an existing conversation using the conversation ID. This endpoint + allows users to permanently delete a conversation. + operationId: DeleteConversation + parameters: + - description: The conversation's `id` value. 
+ example: abc123 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + createdAt: '2023-10-31T12:01:00Z' + excludeFromLastConversationStorage: false + id: abc123 + messages: + - content: The conversation has been deleted. + role: system + timestamp: '2023-10-31T12:35:00Z' + replacements: {} + title: Deleted Security Discussion + updatedAt: '2023-10-31T12:01:00Z' + users: + - id: user1 + name: John Doe + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: >- + Indicates a successful call. The conversation was deleted + successfully. + '400': + content: + application/json: + schema: + type: object + properties: + error: + example: Bad Request + type: string + message: + example: Invalid conversation ID + type: string + statusCode: + example: 400 + type: number + description: Generic Error. This response indicates an issue with the request. + summary: Delete a conversation + tags: + - Security AI Assistant API + - Conversation API + get: + description: >- + Get the details of an existing conversation using the conversation ID. + This allows users to fetch the specific conversation data by its unique + ID. + operationId: ReadConversation + parameters: + - description: >- + The conversation's `id` value, a unique identifier for the + conversation. + example: abc123 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + createdAt: '2023-10-31T12:01:00Z' + excludeFromLastConversationStorage: false + id: abc123 + messages: + - content: Hello, how can I assist you today? 
+ role: system + timestamp: '2023-10-31T12:00:00Z' + replacements: {} + title: Security Discussion + updatedAt: '2023-10-31T12:01:00Z' + users: + - id: user1 + name: John Doe + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: Indicates a successful call. The conversation details are returned. + '400': + content: + application/json: + schema: + type: object + properties: + error: + example: Bad Request + type: string + message: + example: Invalid conversation ID + type: string + statusCode: + example: 400 + type: number + description: Generic Error. The request could not be processed due to an error. + summary: Get a conversation + tags: + - Security AI Assistant API + - Conversations API + put: + description: >- + Update an existing conversation using the conversation ID. This endpoint + allows users to modify the details of an existing conversation. + operationId: UpdateConversation + parameters: + - description: The conversation's `id` value. + example: abc123 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + requestBody: + content: + application/json: + example: + apiConfig: + actionTypeId: '09876' + connectorId: '54321' + category: insights + excludeFromLastConversationStorage: true + messages: + - content: The issue was resolved. + role: assistant + timestamp: '2023-10-31T12:30:00Z' + replacements: {} + title: Updated Security Discussion + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps + required: true + responses: + '200': + content: + application/json: + example: + apiConfig: + actionTypeId: '09876' + connectorId: '54321' + category: insights + createdAt: '2023-10-31T12:01:00Z' + excludeFromLastConversationStorage: true + id: abc123 + messages: + - content: The issue was resolved. 
+ role: assistant + timestamp: '2023-10-31T12:30:00Z' + replacements: {} + title: Updated Security Discussion + updatedAt: '2023-10-31T12:31:00Z' + users: + - id: user1 + name: John Doe + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: >- + Indicates a successful call. The conversation was updated + successfully. + '400': + content: + application/json: + schema: + type: object + properties: + error: + example: Bad Request + type: string + message: + example: 'Missing required field: title' + type: string + statusCode: + example: 400 + type: number + description: >- + Generic Error. This response indicates an issue with the request, + such as missing required parameters or incorrect data. + summary: Update a conversation + tags: + - Security AI Assistant API + - Conversation API + /api/security_ai_assistant/knowledge_base: + get: + description: Read a single KB + operationId: GetKnowledgeBase + responses: + '200': + content: + application/json: + examples: + KnowledgeBaseReadResponse200Example2: + summary: >- + A response that returns information about the knowledge + base. + value: + defend_insights_exists: true + elser_exists: false + is_setup_available: true + is_setup_in_progress: true + product_documentation_status: installed + security_labs_exists: false + user_data_exists: true + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200 + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 + description: Generic Error + summary: Read a KnowledgeBase + tags: + - Security AI Assistant API + - KnowledgeBase API + post: + operationId: PostKnowledgeBase + parameters: + - description: >- + ELSER modelId to use when setting up the Knowledge Base. If not + provided, a default model will be used. 
+ example: elser-model-001 + in: query + name: modelId + required: false + schema: + type: string + - description: >- + Indicates whether we should or should not install Security Labs docs + when setting up the Knowledge Base. Defaults to `false`. + example: true + in: query + name: ignoreSecurityLabs + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + KnowledgeBaseResponse200Example2: + summary: A response that indicates that the request was successful. + value: + success: true + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse + description: Indicates a successful call. + '400': + content: + application/json: + examples: + KnowledgeBaseResponse400Example2: + summary: >- + A response for a request that failed due to an invalid query + parameter value. + value: > + statusCode: 400 error: Bad Request message: "[request + query]: ignoreSecurityLabs: Invalid enum value. Expected + 'true' | 'false', received 'yes', ignoreSecurityLabs: + Expected boolean, received string" + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 + description: Generic Error + summary: Create a KnowledgeBase + tags: + - Security AI Assistant API + - KnowledgeBase API + /api/security_ai_assistant/knowledge_base/{resource}: + get: + description: Read a knowledge base with a specific resource identifier. + operationId: ReadKnowledgeBase + parameters: + - description: The KnowledgeBase `resource` value. + example: kb12345 + in: path + name: resource + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + KnowledgeBaseReadResponse200Example1: + summary: >- + A response that returns information about the knowledge + base. 
+ value: + defend_insights_exists: true + elser_exists: false + is_setup_available: true + is_setup_in_progress: true + product_documentation_status: installed + security_labs_exists: false + user_data_exists: true + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200 + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 + description: Generic Error + summary: Read a KnowledgeBase for a resource + tags: + - Security AI Assistant API + - KnowledgeBase API + post: + description: Create a knowledge base with a specific resource identifier. + operationId: CreateKnowledgeBase + parameters: + - description: The KnowledgeBase `resource` value. + example: kb12345 + in: path + name: resource + required: true + schema: + type: string + - description: >- + ELSER modelId to use when setting up the Knowledge Base. If not + provided, a default model will be used. + example: elser-model-001 + in: query + name: modelId + required: false + schema: + type: string + - description: >- + Indicates whether we should or should not install Security Labs docs + when setting up the Knowledge Base. Defaults to `false`. + example: true + in: query + name: ignoreSecurityLabs + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + KnowledgeBaseResponse200Example1: + summary: A response that indicates that the request was successful. + value: + success: true + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse + description: Indicates a successful call. + '400': + content: + application/json: + examples: + KnowledgeBaseResponse400Example1: + summary: >- + A response for a request that failed due to an invalid query + parameter value. 
+ value: > + statusCode: 400 error: Bad Request message: "[request + query]: ignoreSecurityLabs: Invalid enum value. Expected + 'true' | 'false', received 'yes', ignoreSecurityLabs: + Expected boolean, received string" + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 + description: Generic Error + summary: Create a KnowledgeBase for a resource + tags: + - Security AI Assistant API + - KnowledgeBase API + /api/security_ai_assistant/knowledge_base/entries: + post: + description: Create a Knowledge Base Entry + operationId: CreateKnowledgeBaseEntry + requestBody: + content: + application/json: + example: + content: >- + To reset your password, go to the settings page and click 'Reset + Password'. + tags: + - password + - reset + - help + title: How to reset a password + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps + required: true + responses: + '200': + content: + application/json: + example: + content: >- + To reset your password, go to the settings page and click + 'Reset Password'. + id: '12345' + tags: + - password + - reset + - help + title: How to reset a password + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse + description: Successful request returning Knowledge Base Entries + '400': + content: + application/json: + example: + error: Invalid input + message: The 'title' field is required. + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema + description: >- + A generic error occurred, such as invalid input or missing required + fields. 
+ summary: Create a Knowledge Base Entry + tags: + - Security AI Assistant API + - Knowledge Base Entries API + /api/security_ai_assistant/knowledge_base/entries/_bulk_action: + post: + description: >- + The bulk action is applied to all Knowledge Base Entries that match the + filter or to the list of Knowledge Base Entries by their IDs. + operationId: PerformKnowledgeBaseEntryBulkAction + requestBody: + content: + application/json: + schema: type: object - name: + properties: + create: + description: List of Knowledge Base Entries to create. + example: + - content: This is the content of the new entry. + title: New Entry + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps + type: array + delete: + type: object + properties: + ids: + description: Array of Knowledge Base Entry IDs. + example: + - '123' + - '456' + - '789' + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter Knowledge Base Entries. + example: status:active AND category:technology + type: string + update: + description: List of Knowledge Base Entries to update. + example: + - content: Updated content. + id: '123' + title: Updated Entry + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps + type: array + responses: + '200': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse + description: Successful bulk operation request + '400': + content: + application/json: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema + description: Generic Error + summary: Applies a bulk action to multiple Knowledge Base Entries + tags: + - Security AI Assistant API + - Knowledge Base Entries Bulk API + /api/security_ai_assistant/knowledge_base/entries/_find: + get: + description: Finds Knowledge Base Entries that match the given query. 
+ operationId: FindKnowledgeBaseEntries + parameters: + - description: >- + A list of fields to include in the response. If not provided, all + fields will be included. + in: query + name: fields + required: false + schema: + example: + - title + - created_at + items: type: string - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - refresh_fields: - default: false - description: Reloads the data view fields after the data view is updated. - type: boolean - required: - - data_view - Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: array + - description: Search query to filter Knowledge Base Entries by specific criteria. + in: query + name: filter + required: false + schema: + example: error handling + type: string + - description: Field to sort the Knowledge Base Entries by. + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField + example: created_at + - description: Sort order for the results, either asc or desc. 
+ in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + example: asc + - description: Page number for paginated results. Defaults to 1. + in: query + name: page + required: false + schema: + default: 1 + example: 2 + minimum: 1 + type: integer + - description: Number of Knowledge Base Entries to return per page. Defaults to 20. + in: query + name: per_page + required: false + schema: + default: 20 + example: 10 + minimum: 0 + type: integer + responses: + '200': + content: + application/json: + schema: type: object properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. 
For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false + data: + description: The list of Knowledge Base Entries for the current page. + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse + type: array + page: + description: The current page number. + example: 1 + type: integer + perPage: + description: The number of Knowledge Base Entries returned per page. + example: 20 + type: integer + total: + description: The total number of Knowledge Base Entries available. + example: 100 + type: integer + required: + - page + - perPage + - total + - data + description: Successful response containing the paginated Knowledge Base Entries. + '400': + content: + application/json: + schema: type: object properties: - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval + error: + description: A short description of the error. + example: Bad Request type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true + message: + description: A detailed message explaining the error. + example: 'Invalid query parameter: sort_order' type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. 
- type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false + statusCode: + description: The HTTP status code of the error. + example: 400 + type: number + description: Generic Error indicating an issue with the request. + summary: Finds Knowledge Base Entries that match the given query. + tags: + - Security AI Assistant API + - Knowledge Base Entries API + /api/security_ai_assistant/knowledge_base/entries/{id}: + delete: + description: Delete a Knowledge Base Entry by its unique `id`. + operationId: DeleteKnowledgeBaseEntry + parameters: + - description: The unique identifier (`id`) of the Knowledge Base Entry to delete. + example: '12345' + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + id: '12345' + message: Knowledge Base Entry successfully deleted. + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_DeleteResponseFields + description: >- + Successful request returning the `id` of the deleted Knowledge Base + Entry. 
+ '400': + content: + application/json: + example: + error: Not Found + message: No Knowledge Base Entry found with the provided `id`. + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema + description: >- + A generic error occurred, such as an invalid `id` or the entry not + being found. + summary: Deletes a single Knowledge Base Entry using the `id` field + tags: + - Security AI Assistant API + - Knowledge Base Entries API + get: + description: Retrieve a Knowledge Base Entry by its unique `id`. + operationId: ReadKnowledgeBaseEntry + parameters: + - description: >- + The unique identifier (`id`) of the Knowledge Base Entry to + retrieve. + example: '12345' + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + content: >- + To reset your password, go to the settings page and click + 'Reset Password'. + id: '12345' + tags: + - password + - reset + - help + title: How to reset a password + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse + description: Successful request returning the requested Knowledge Base Entry. + '400': + content: + application/json: + example: + error: Not Found + message: No Knowledge Base Entry found with the provided `id`. + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema + description: >- + A generic error occurred, such as an invalid `id` or the entry not + being found. + summary: Read a Knowledge Base Entry + tags: + - Security AI Assistant API + - Knowledge Base Entries API + put: + description: Update an existing Knowledge Base Entry by its unique `id`. + operationId: UpdateKnowledgeBaseEntry + parameters: + - description: The unique identifier (`id`) of the Knowledge Base Entry to update. 
+ example: '12345' + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + requestBody: + content: + application/json: + example: + content: >- + To reset your password, go to the settings page, click 'Reset + Password', and follow the instructions. + tags: + - password + - reset + - help + - update + title: How to reset a password (updated) + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps + required: true + responses: + '200': + content: + application/json: + example: + content: >- + To reset your password, go to the settings page, click 'Reset + Password', and follow the instructions. + id: '12345' + tags: + - password + - reset + - help + - update + title: How to reset a password (updated) + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse + description: Successful request returning the updated Knowledge Base Entry. + '400': + content: + application/json: + example: + error: Invalid input + message: The 'content' field cannot be empty. + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema + description: >- + A generic error occurred, such as invalid input or the entry not + being found. + summary: Update a Knowledge Base Entry + tags: + - Security AI Assistant API + - Knowledge Base Entries API + /api/security_ai_assistant/prompts/_bulk_action: + post: + description: >- + Apply a bulk action to multiple prompts. The bulk action is applied to + all prompts that match the filter or to the list of prompts by their + IDs. This action allows for bulk create, update, or delete operations. + operationId: PerformPromptsBulkAction + requestBody: + content: + application/json: + example: + create: + - content: Please verify the security settings. 
+ name: New Security Prompt + promptType: system + delete: + ids: + - prompt1 + - prompt2 + update: + - content: Updated content for security prompt. + id: prompt123 + schema: + type: object + properties: + create: + description: List of prompts to be created. + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptCreateProps + type: array + delete: + description: Criteria for deleting prompts in bulk. + type: object + properties: + ids: + description: Array of IDs to apply the action to. + example: + - '1234' + - '5678' + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter the bulk action. + example: 'status: ''inactive''' + type: string + update: + description: List of prompts to be updated. + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptUpdateProps + type: array + responses: + '200': + content: + application/json: + examples: + success: + value: + attributes: + errors: [] + results: + created: + - content: Please verify the security settings. + id: prompt6 + name: New Security Prompt + promptType: system + deleted: + - prompt2 + - prompt3 + skipped: + - id: prompt4 + name: Security Prompt + skip_reason: PROMPT_FIELD_NOT_MODIFIED + updated: + - content: Updated security settings prompt + id: prompt1 + name: Security Prompt + promptType: system + summary: + failed: 0 + skipped: 1 + succeeded: 4 + total: 5 + message: Bulk action completed successfully. + prompts_count: 5 + status_code: 200 + success: true + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse + description: Indicates a successful call with the results of the bulk action. + '400': + content: + application/json: + schema: type: object properties: - id: + error: + description: A short error message. 
+ example: Bad Request type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. 
NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the APM anomaly rule. These parameters are appropriate when `rule_type_id` is `apm.anomaly"`. - properties: - anomalyDetectorTypes: - description: The types of anomalies that are detected. For example, detect abnormal latency, throughput, or failed transaction rates. - items: - enum: - - txLatency - - txThroughput - - txFailureRate - type: string - minItems: 1 - type: array - anomalySeverityType: - description: 'The severity of anomalies that result in an alert: critical, major, minor, or warning.' - enum: - - critical - - major - - minor - - warning - type: string - environment: - description: The environment from APM. - type: string - serviceName: - description: The service name from APM. - type: string - transactionType: - description: The transaction type from APM. - type: string - windowSize: - description: The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. - type: number - windowUnit: - description: 'The type of units for the time window: minutes, hours, or days.' - type: string - required: - - windowSize - - windowUnit - - environment - - anomalySeverityType - title: APM Anomaly Rule Params - type: object - rule_type_id: - enum: - - apm.anomaly - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. 
- type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. + message: + description: A detailed error message. + example: Invalid prompt ID or missing required fields. + type: string + statusCode: + description: The HTTP status code for the error. + example: 400 + type: number + description: Indicates a generic error due to a bad request. + summary: Apply a bulk action to prompts + tags: + - Security AI Assistant API + - Bulk API + /api/security_ai_assistant/prompts/_find: + get: + description: >- + Get a list of all prompts based on optional filters, sorting, and + pagination. + operationId: FindPrompts + parameters: + - description: List of specific fields to include in each returned prompt. + in: query + name: fields + required: false + schema: + example: + - id + - name + - content + items: type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: + type: array + - description: Search query string to filter prompts by matching fields. + in: query + name: filter + required: false + schema: + example: error handling type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: APM anomaly - type: object - Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. 
- type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. 
- items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false + - description: Field to sort prompts by. + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_FindPromptsSortField + - description: Sort order, either asc or desc. + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number for pagination. + in: query + name: page + required: false + schema: + default: 1 + example: 1 + minimum: 1 + type: integer + - description: Number of prompts per page. + in: query + name: per_page + required: false + schema: + default: 20 + example: 20 + minimum: 0 + type: integer + responses: + '200': + content: + application/json: + schema: + example: + data: + - categories: + - troubleshooting + - logging + color: '#FF5733' + consumer: security + content: If you encounter an error, check the logs and retry. 
+ createdAt: '2025-04-20T21:00:00Z' + createdBy: jdoe + id: prompt-123 + isDefault: true + isNewConversationDefault: false + name: Error Troubleshooting Prompt + namespace: default + promptType: standard + timestamp: '2025-04-30T22:30:00Z' + updatedAt: '2025-04-30T22:45:00Z' + updatedBy: jdoe + users: + - full_name: John Doe + username: jdoe + page: 1 + perPage: 20 + total: 142 type: object properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string + data: + description: >- + The list of prompts returned based on the search query, + sorting, and pagination. 
+ items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptResponse + type: array + page: + description: Current page number. + example: 1 + type: integer + perPage: + description: Number of prompts per page. + example: 20 + type: integer + total: + description: Total number of prompts matching the query. + example: 142 + type: integer required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false + - page + - perPage + - total + - data + description: Successful response containing a list of prompts. + '400': + content: + application/json: + schema: type: object properties: - id: + error: + description: Short error message. 
+ example: Bad Request type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false + message: + description: Detailed description of the error. + example: Invalid sort order value provided. + type: string + statusCode: + description: HTTP status code for the error. + example: 400 + type: number + description: Bad request due to invalid parameters or malformed query. + summary: Get prompts + tags: + - Security AI Assistant API + - Prompts API + /api/security/session/_invalidate: + post: + description: > + Invalidate user sessions that match a query. To use this API, you must + be a superuser. + operationId: post-security-session-invalidate + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + invalidateRequestExample1: + description: >- + Run `POST api/security/session/_invalidate` to invalidate all + existing sessions. + summary: Invalidate all sessions + value: |- + { + "match" : "all" + } + invalidateRequestExample2: + description: >- + Run `POST api/security/session/_invalidate` to invalidate + sessions that were created by any SAML authentication + provider. + summary: Invalidate all SAML sessions + value: |- + { + "match" : "query", + "query": { + "provider" : { "type": "saml" } + } + } + invalidateRequestExample3: + description: >- + Run `POST api/security/session/_invalidate` to invalidate + sessions that were created by the SAML authentication provider + named `saml1`. 
+ summary: Invalidate sessions for a provider + value: |- + { + "match" : "query", + "query": { + "provider" : { "type": "saml", "name": "saml1" } + } + } + invalidateRequestExample4: + description: >- + Run `POST api/security/session/_invalidate` to invalidate + sessions that were created by any OpenID Connect + authentication provider for the user with the username + `user@my-oidc-sso.com`. + summary: Invalidate sessions for a user + value: |- + { + "match" : "query", + "query": { + "provider" : { "type": "oidc" }, + "username": "user@my-oidc-sso.com" + } + } + schema: type: object properties: - blob: - maxLength: 10000 + match: + description: > + The method Kibana uses to determine which sessions to + invalidate. If it is `all`, all existing sessions will be + invalidated. If it is `query`, only the sessions that match + the query will be invalidated. + enum: + - all + - query type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. 
- maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the error count rule. These parameters are appropriate when `rule_type_id` is `apm.error_rate`. - properties: - environment: - description: Filter the errors coming from your application to apply the rule to a specific environment. - type: string - errorGroupingKey: - description: Filter the errors coming from your application to apply the rule to a specific error grouping key, which is a hash of the stack trace and other properties. - type: string - groupBy: - items: - description: Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group. 
- type: string - type: array - searchConfiguration: - additionalProperties: false - type: object - properties: query: - additionalProperties: false + description: > + The query that Kibana uses to match the sessions to + invalidate when the `match` parameter is set to `query`. type: object properties: - language: + provider: + description: >- + The authentication providers that will have their user + sessions invalidated. + type: object + properties: + name: + description: The authentication provider name. + type: string + type: + description: > + The authentication provide type. For example: + `basic`, `token`, `saml`, `oidc`, `kerberos`, or + `pki`. + type: string + required: + - type + username: + description: The username that will have its sessions invalidated. type: string - query: - anyOf: - - type: string - - additionalProperties: - nullable: true - type: object required: - - query - - language + - provider required: - - query - serviceName: - description: Filter the errors coming from your application to apply the rule to a specific service. - type: string - threshold: - description: The number of errors, which is the threshold for alerts. - type: number - useKqlFilter: - description: A filter in Kibana Query Language (KQL) that limits the scope of the rule. - type: boolean - windowSize: - description: The time frame in which the errors must occur (in `windowUnit` units). Generally it should be a value higher than the rule check interval to avoid gaps in detection. - type: number - windowUnit: - description: 'The type of units for the time window: minutes, hours, or days.' - type: string - required: - - windowSize - - windowUnit - - threshold - - environment - title: Error Count Rule Params - type: object - rule_type_id: - enum: - - apm.error_rate - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. 
- type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: + - match + responses: + '200': + content: + application/json: + schema: + type: object + properties: + total: + description: The number of sessions that were successfully invalidated. + type: integer + description: Indicates a successful call + '403': + description: >- + Indicates that the user may not be authorized to invalidate sessions + for other users. + summary: Invalidate user sessions + tags: + - user session + /api/short_url: + post: + description: > + Kibana URLs may be long and cumbersome, short URLs are much easier to + remember and share. + + Short URLs are created by specifying the locator ID and locator + parameters. When a short URL is resolved, the locator ID and locator + parameters are used to redirect user to the right Kibana page. + operationId: post-url + requestBody: + content: + application/json: + schema: + type: object + properties: + humanReadableSlug: + description: > + When the `slug` parameter is omitted, the API will generate + a random human-readable slug if `humanReadableSlug` is set + to true. + type: boolean + locatorId: + description: The identifier for the locator. + type: string + params: + description: > + An object which contains all necessary parameters for the + given locator to resolve to a Kibana location. + + > warn + + > When you create a short URL, locator params are not + validated, which allows you to pass arbitrary and ill-formed + data into the API that can break Kibana. Make sure any data + that you send to the API is properly formed. + type: object + slug: + description: > + A custom short URL slug. The slug is the part of the short + URL that identifies it. You can provide a custom slug which + consists of latin alphabet letters, numbers, and `-._` + characters. 
The slug must be at least 3 characters long, but + no longer than 255 characters. + type: string + required: + - locatorId + - params + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Short_URL_APIs_urlResponse' + description: Indicates a successful call. + summary: Create a short URL + tags: + - short url + x-state: Technical Preview + /api/short_url/_slug/{slug}: + get: + description: | + Resolve a Kibana short URL by its slug. + operationId: resolve-url + parameters: + - description: The slug of the short URL. + in: path + name: slug + required: true + schema: + type: string + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Short_URL_APIs_urlResponse' + description: Indicates a successful call. + summary: Resolve a short URL + tags: + - short url + x-state: Technical Preview + /api/short_url/{id}: + delete: + description: | + Delete a Kibana short URL. + operationId: delete-url + parameters: + - $ref: '#/components/parameters/Short_URL_APIs_idParam' + responses: + '200': + description: Indicates a successful call. + summary: Delete a short URL + tags: + - short url + x-state: Technical Preview + get: + description: | + Get a single Kibana short URL. + operationId: get-url + parameters: + - $ref: '#/components/parameters/Short_URL_APIs_idParam' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Short_URL_APIs_urlResponse' + description: Indicates a successful call. + summary: Get a short URL + tags: + - short url + x-state: Technical Preview + /api/synthetics/monitor/test/{monitorId}: + post: + description: > + Trigger an immediate test execution for the specified monitor. The + response includes the generated `testRunId`. If the test encounters + issues in one or more service locations, an `errors` array is also + returned with details about the failures. 
+ operationId: post-synthetics-monitor-test + parameters: + - description: The ID (config_id) of the monitor to test. + in: path + name: monitorId + required: true + schema: type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Error rate - type: object - Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + responses: + '200': + content: + application/json: + examples: + testNowMonitorResponseExample1: + value: |- + { + "testRunId": "2bd506e5-4f9a-4aa6-a019-7988500afba0", + "errors": [ + { + "locationId": "us_central_staging", + "error": { + "status": 401, + "reason": "no auth credentials provided", + "failed_monitors": null + } + } + ] + } + schema: type: object properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. 
- items: - additionalProperties: false + errors: + description: >- + Array of errors encountered while triggering the test, one + per service location. + items: + type: object + properties: + error: type: object properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object + failed_monitors: + description: >- + Optional list of monitors that failed at the + location. + items: + type: object + nullable: true + type: array + reason: + description: Human-readable explanation of the failure. + type: string + status: + description: HTTP status code returned by the agent. + type: integer required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. 
- type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true + - status + - reason + - failed_monitors + locationId: + description: >- + Identifier of the service location where the error + occurred. + type: string + required: + - locationId + - error + type: array + testRunId: + description: Unique identifier for the triggered test run. type: string required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + - testRunId + description: Test run triggered successfully. + '404': + description: Monitor not found. + summary: Trigger an on-demand test run for a monitor + tags: + - synthetics + x-state: Generally available; added in 9.2.0 + /api/synthetics/monitors: + get: + description: > + Get a list of monitors. + + You must have `read` privileges for the Synthetics feature in the + Observability section of the Kibana feature privileges. + operationId: get-synthetic-monitors + parameters: + - description: Additional filtering criteria. + in: query + name: filter + schema: + type: string + - description: The locations to filter by. + in: query + name: locations + schema: + oneOf: + - type: string + - type: array + - description: The monitor types to filter. + in: query + name: monitorTypes + schema: + oneOf: + - enum: + - browser + - http + - icmp + - tcp type: string - id: - description: The identifier for the connector saved object. + - type: array + - description: The page number for paginated results. + in: query + name: page + schema: + type: integer + - description: The number of items to return per page. + in: query + name: per_page + schema: + type: integer + - description: The projects to filter by. + in: query + name: projects + schema: + oneOf: + - type: string + - type: array + - description: A free-text query string. 
+ in: query + name: query + schema: + type: string + - description: The schedules to filter by. + in: query + name: schedules + schema: + oneOf: + - type: array + - type: string + - description: The field to sort the results by. + in: query + name: sortField + schema: + enum: + - name + - createdAt + - updatedAt + - status + type: string + - description: The sort order. + in: query + name: sortOrder + schema: + enum: + - asc + - desc + type: string + - description: The status to filter by. + in: query + name: status + schema: + oneOf: + - type: array + - type: string + - description: Tags to filter monitors. + in: query + name: tags + schema: + oneOf: + - type: string + - type: array + - description: > + Specifies whether to apply logical AND filtering for specific + fields. Accepts either a string with values "tags" or "locations" or + an array containing both. + in: query + name: useLogicalAndFor + schema: + oneOf: + - enum: + - tags + - locations type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + - items: + enum: + - tags + - locations + type: string + type: array + responses: + '200': + content: + application/json: + examples: + getSyntheticMonitorsResponseExample1: + description: >- + A successful response from `GET + /api/synthetics/monitors?tags=prod&monitorTypes=http&locations=us-east-1&projects=project1&status=up`. 
+ value: |- + { + "page": 1, + "total": 24, + "monitors": [ + { + "type": "icmp", + "enabled": false, + "alert": { + "status": { + "enabled": true + }, + "tls": { + "enabled": true + } + }, + "schedule": { + "number": "3", + "unit": "m" + }, + "config_id": "e59142e5-1fe3-4aae-b0b0-19d6345e65a1", + "timeout": "16", + "name": "8.8.8.8:80", + "locations": [ + { + "id": "us_central", + "label": "North America - US Central", + "geo": { + "lat": 41.25, + "lon": -95.86 + }, + "isServiceManaged": true + } + ], + "namespace": "default", + "origin": "ui", + "id": "e59142e5-1fe3-4aae-b0b0-19d6345e65a1", + "max_attempts": 2, + "wait": "7", + "revision": 3, + "mode": "all", + "ipv4": true, + "ipv6": true, + "created_at": "2023-11-07T09:57:04.152Z", + "updated_at": "2023-12-04T19:19:34.039Z", + "host": "8.8.8.8:80" + } + ], + "absoluteTotal": 24, + "perPage": 10, + } + schema: type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false + description: A successful response. + summary: Get monitors + tags: + - synthetics + post: + description: > + Create a new monitor with the specified attributes. A monitor can be one + of the following types: HTTP, TCP, ICMP, or Browser. The required and + default fields may vary based on the monitor type. 
+ + You must have `all` privileges for the Synthetics feature in the + Observability section of the Kibana feature privileges. + operationId: post-synthetic-monitors + requestBody: + content: + application/json: + examples: + postSyntheticMonitorsRequestExample1: + description: Create an HTTP monitor to check a website's availability. + summary: HTTP monitor + value: |- + { + "type": "http", + "name": "Website Availability", + "url": "https://example.com", + "tags": ["website", "availability"], + "locations": ["united_kingdom"] + } + postSyntheticMonitorsRequestExample2: + description: Create a TCP monitor to monitor a server's availability. + summary: TCP monitor + value: |- + { + "type": "tcp", + "name": "Server Availability", + "host": "example.com", + "private_locations": ["my_private_location"] + } + postSyntheticMonitorsRequestExample3: + description: Create an ICMP monitor to perform ping checks. + summary: ICMP monitor + value: |- + { + "type": "icmp", + "name": "Ping Test", + "host": "example.com", + "locations": ["united_kingdom"] + } + postSyntheticMonitorsRequestExample4: + description: Create a browser monitor to check a website. + summary: Browser monitor + value: |- + { + "type": "browser", + "name": "Example journey", + "inline_script": "step('Go to https://google.com.co', () => page.goto('https://www.google.com'))", + "locations": ["united_kingdom"] + } + schema: + description: > + The request body should contain the attributes of the monitor + you want to create. The required and default fields differ + depending on the monitor type. 
+ discriminator: + propertyName: type + oneOf: + - $ref: '#/components/schemas/Synthetics_browserMonitorFields' + - $ref: '#/components/schemas/Synthetics_httpMonitorFields' + - $ref: '#/components/schemas/Synthetics_icmpMonitorFields' + - $ref: '#/components/schemas/Synthetics_tcpMonitorFields' + required: true + responses: + '200': + content: + application/json: + examples: + postSyntheticMonitorsResponseWithWarning: + description: >- + A response when a browser monitor specifies a timeout but + has no private locations. + summary: Response with warning + value: |- + { + "type": "browser", + "name": "Example journey", + "enabled": true, + "warnings": [ + { + "id": "monitor-id", + "message": "For browser monitors, timeout is only supported on private locations. Browser monitor \"Example journey\" specifies a timeout and is running on public locations: \"public-1, public-2\". The timeout will have no effect on these locations.", + "publicLocationIds": ["public-1", "public-2"] + } + ] + } + schema: type: object properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. 
- nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the transaction duration rule. These parameters are appropriate when `rule_type_id` is `apm.transaction_duration`. - properties: - aggregationType: - description: The type of aggregation to perform. - enum: - - avg - - 95th - - 99th - type: string - environment: - description: Filter the rule to apply to a specific environment. 
- type: string - groupBy: - items: - description: Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group. - type: string - type: array - searchConfiguration: - additionalProperties: false - type: object - properties: - query: - additionalProperties: false - type: object - properties: - language: - type: string - query: - anyOf: - - type: string - - additionalProperties: - nullable: true - type: object - required: - - query - - language - required: - - query - serviceName: - description: Filter the rule to apply to a specific service. - type: string - threshold: - description: The latency threshold value. - type: number - transactionName: - description: Filter the rule to apply to a specific transaction name. - type: string - transactionType: - description: Filter the rule to apply to a specific transaction type. - type: string - useKqlFilter: - description: A Kibana Query Language (KQL) expression thats limits the scope of alerts. - type: boolean - windowSize: - description: The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. - type: number - windowUnit: - description: 'The type of units for the time window. For example: minutes, hours, or days.' - type: string - required: - - windowSize - - windowUnit - - threshold - - aggregationType - - environment - title: Transaction Duration Rule Params - type: object - rule_type_id: - enum: - - apm.transaction_duration - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. 
- type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Transaction duration - type: object - Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + warnings: + description: > + An optional array of warnings about the monitor + configuration. + items: + $ref: '#/components/schemas/Synthetics_monitorWarning' + type: array + description: > + A successful response. The response may include a `warnings` array + when the monitor configuration has non-critical issues. For example, + if a browser monitor specifies a timeout but has no private + locations configured, a warning is returned indicating the timeout + will have no effect. + '400': + content: + application/json: + examples: + invalidBrowserTimeout: + description: >- + A 400 error when a browser monitor timeout is below 30 + seconds. 
+ summary: Invalid browser timeout + value: |- + { + "statusCode": 400, + "error": "Bad Request", + "message": "Browser Monitor timeout is invalid", + "attributes": { + "details": "Invalid timeout 20 seconds supplied. Minimum timeout for browser monitors is 30 seconds." + } + } + schema: type: object properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. + attributes: type: object properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. 
If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + details: + example: >- + Invalid timeout 20 seconds supplied. Minimum timeout + for browser monitors is 30 seconds. type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. 
The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true + error: + example: Bad Request type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: + message: + example: Browser Monitor timeout is invalid type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false + statusCode: + example: 400 + type: integer + description: > + Bad request. For browser monitors, a 400 error is returned if the + timeout is less than 30 seconds. 
+ summary: Create a monitor + tags: + - synthetics + /api/synthetics/monitors/_bulk_delete: + post: + description: | + Delete multiple monitors by sending a list of config IDs. + operationId: delete-synthetic-monitors + requestBody: + content: + application/json: + examples: + bulkDeleteRequestExample1: + description: >- + Run `POST /api/synthetics/monitors/_bulk_delete` to delete a + list of monitors. + value: |- + { + "ids": [ + "monitor1-id", + "monitor2-id" + ] + } + schema: type: object properties: - blob: - maxLength: 10000 - type: string + ids: + description: An array of monitor IDs to delete. + items: + type: string + type: array required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. 
- type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the transaction error rate rule. These parameters are appropriate when `rule_type_id` is `apm.transaction_error_rate`. - properties: - environment: - type: string - groupBy: - items: - type: string - type: array - searchConfiguration: - additionalProperties: false - type: object - properties: - query: - additionalProperties: false + - ids + required: true + responses: + '200': + content: + application/json: + examples: + deleteMonitorsResponseExample1: + description: A response from successfully deleting multiple monitors. + value: |- + [ + { + "id": "monitor1-id", + "deleted": true + }, + { + "id": "monitor2-id", + "deleted": true + } + ] + schema: + items: + description: >- + The API response includes information about the deleted + monitors. type: object properties: - language: + deleted: + description: > + If it is `true`, the monitor was successfully deleted If + it is `false`, the monitor was not deleted. + type: boolean + ids: + description: The unique identifier of the deleted monitor. 
type: string - query: - anyOf: - - type: string - - additionalProperties: - nullable: true - type: object - required: - - query - - language - required: - - query - serviceName: - type: string - threshold: - type: number - transactionName: - type: string - transactionType: - type: string - useKqlFilter: - type: boolean - windowSize: - type: number - windowUnit: - type: string - required: - - windowSize - - windowUnit - - threshold - - environment - title: Transaction Error Rate Rule Params - type: object - rule_type_id: - enum: - - apm.transaction_error_rate - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: + type: array + description: A successful response. + summary: Delete monitors + tags: + - synthetics + /api/synthetics/monitors/{id}: + delete: + description: > + Delete a monitor from the Synthetics app. + + You must have `all` privileges for the Synthetics feature in the + Observability section of the Kibana feature privileges. + operationId: delete-synthetic-monitor + parameters: + - description: The identifier for the monitor that you want to delete. + in: path + name: id + required: true + schema: type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Transaction error rate - type: object - Kibana_HTTP_APIs_ClassicFieldDefinition: - additionalProperties: - $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinitionConfig' - type: object - Kibana_HTTP_APIs_ClassicFieldDefinitionConfig: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' - - anyOf: - - additionalProperties: false - type: object - properties: - description: - type: string - format: - description: A non-empty string. - minLength: 1 - type: string - type: - enum: - - keyword - - match_only_text - - long - - double - - date - - boolean - - ip - - geo_point - - integer - - short - - byte - - float - - half_float - - text - - wildcard - - version - - unsigned_long - - date_nanos - type: string - required: - - type - - additionalProperties: false - type: object - properties: - description: - type: string - type: - enum: - - system - type: string - required: - - type - Kibana_HTTP_APIs_ClassicStreamUpsertRequest: - additionalProperties: false - type: object - properties: - dashboards: - items: + responses: + '200': + description: OK + summary: Delete a monitor + tags: + - synthetics + get: + operationId: get-synthetic-monitor + parameters: + - description: The ID of the monitor. + in: path + name: id + required: true + schema: type: string - type: array - queries: - items: - type: object - properties: - description: - type: string - esql: + responses: + '200': + content: + application/json: + examples: + getSyntheticMonitorResponseExample1: + description: >- + A successful response from `GET + /api/synthetics/monitors/`. 
+ value: |- + { + "type": "http", + "enabled": true, + "alert": { + "status": { + "enabled": true + }, + "tls": { + "enabled": true + } + }, + "schedule": { + "number": "3", + "unit": "m" + }, + "config_id": "a8188705-d01e-4bb6-87a1-64fa5e4b07ec", + "timeout": "16", + "name": "am i something", + "locations": [ + { + "id": "us_central", + "label": "North America - US Central", + "geo": { + "lat": 41.25, + "lon": -95.86 + }, + "isServiceManaged": true + } + ], + "namespace": "default", + "origin": "ui", + "id": "a8188705-d01e-4bb6-87a1-64fa5e4b07ec", + "max_attempts": 2, + "__ui": { + "is_tls_enabled": false + }, + "max_redirects": "0", + "response.include_body": "on_error", + "response.include_headers": true, + "check.request.method": "GET", + "mode": "any", + "response.include_body_max_bytes": "1024", + "ipv4": true, + "ipv6": true, + "ssl.verification_mode": "full", + "ssl.supported_protocols": [ + "TLSv1.1", + "TLSv1.2", + "TLSv1.3" + ], + "revision": 13, + "created_at": "2023-11-08T08:45:29.334Z", + "updated_at": "2023-12-18T20:31:44.770Z", + "url": "https://fast.com" + } + schema: type: object - properties: - query: - type: string - required: - - query - evidence: - items: - type: string - type: array - id: - description: A non-empty string. - minLength: 1 - type: string - severity_score: - type: number - title: - description: A non-empty string. - minLength: 1 - type: string - type: - default: match - enum: - - match - - stats - type: string - required: - - id - - title - - description - - esql - type: array - rules: - items: + description: A successful response. + '404': + description: If the monitor is not found, the API returns a 404 error. + summary: Get a monitor + tags: + - synthetics + put: + description: > + Update a monitor with the specified attributes. The required and default + fields may vary based on the monitor type. + + You must have `all` privileges for the Synthetics feature in the + Observability section of the Kibana feature privileges. 
+ + You can also partially update a monitor. This will only update the + fields that are specified in the request body. All other fields are left + unchanged. The specified fields should conform to the monitor type. For + example, you can't update the `inline_scipt` field of a HTTP monitor. + operationId: put-synthetic-monitor + parameters: + - description: The identifier for the monitor that you want to update. + in: path + name: id + required: true + schema: type: string - type: array - stream: - additionalProperties: false - type: object - properties: - description: - type: string - ingest: - additionalProperties: false - type: object - properties: - classic: - additionalProperties: false - type: object - properties: - field_overrides: - $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinition' - failure_store: - $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' - lifecycle: - $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' - processing: - additionalProperties: false - type: object - properties: - steps: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' - type: array - updated_at: {} - required: - - steps - settings: - additionalProperties: false - type: object - properties: - index.number_of_replicas: - additionalProperties: false - type: object - properties: - value: - type: number - required: - - value - index.number_of_shards: - additionalProperties: false - type: object - properties: - value: - type: number - required: - - value - index.refresh_interval: - additionalProperties: false - type: object - properties: - value: - anyOf: - - type: string - - enum: - - -1 - type: number - required: - - value - required: - - lifecycle - - processing - - settings - - failure_store - - classic - query_streams: - items: - type: object - properties: - name: - type: string - required: - - name - type: array - type: - enum: - - classic - type: string - required: - - description - - ingest - - type - required: - 
- dashboards - - rules - - queries - - stream - Kibana_HTTP_APIs_Condition: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_FilterCondition' - - additionalProperties: false - description: A logical AND that groups multiple conditions. - type: object - properties: - and: - description: An array of conditions. All sub-conditions must be true for this condition to be true. - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - type: array - required: - - and - - additionalProperties: false - description: A logical OR that groups multiple conditions. - type: object - properties: - or: - description: An array of conditions. At least one sub-condition must be true for this condition to be true. - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - type: array - required: - - or - - additionalProperties: false - description: A logical NOT that negates a condition. - type: object - properties: - not: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: A condition that negates another condition. - required: - - not - - additionalProperties: false - description: A condition that always evaluates to false. - type: object - properties: - never: - additionalProperties: false - description: An empty object. This condition never matches. - type: object - properties: {} - required: - - never - - additionalProperties: false - description: A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered. - type: object - properties: - always: - additionalProperties: false - description: An empty object. This condition always matches. - type: object - properties: {} - required: - - always - description: The root condition object. It can be a simple filter or a combination of other conditions. 
- Kibana_HTTP_APIs_ConditionWithSteps: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - - additionalProperties: false - type: object - properties: - else: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' - type: array - steps: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' - type: array - required: - - steps - Kibana_HTTP_APIs_ContentPackIncludedObjects: - anyOf: - - additionalProperties: false - type: object - properties: - objects: - additionalProperties: false + requestBody: + content: + application/json: + examples: + putSyntheticMonitorsRequestExample1: + description: Update an HTTP monitor that checks a website's availability. + summary: HTTP monitor + value: |- + { + "type": "http", + "name": "Website Availability", + "url": "https://example.com", + "tags": ["website", "availability"], + "locations": ["united_kingdom"] + } + putSyntheticMonitorsRequestExample2: + description: Update a TCP monitor that monitors a server's availability. + summary: TCP monitor + value: |- + { + "type": "tcp", + "name": "Server Availability", + "host": "example.com", + "private_locations": ["my_private_location"] + } + putSyntheticMonitorsRequestExample3: + description: Update an ICMP monitor that performs ping checks. + summary: ICMP monitor + value: |- + { + "type": "icmp", + "name": "Ping Test", + "host": "example.com", + "locations": ["united_kingdom"] + } + putSyntheticMonitorsRequestExample4: + description: Update a browser monitor that checks a website. + summary: Browser monitor + value: |- + { + "type": "browser", + "name": "Example journey", + "inline_script": "step('Go to https://google.com.co', () => page.goto('https://www.google.com'))", + "locations": ["united_kingdom"] + } + schema: + description: > + The request body should contain the attributes of the monitor + you want to update. The required and default fields differ + depending on the monitor type. 
+ discriminator: + propertyName: type + oneOf: + - $ref: '#/components/schemas/Synthetics_browserMonitorFields' + - $ref: '#/components/schemas/Synthetics_httpMonitorFields' + - $ref: '#/components/schemas/Synthetics_icmpMonitorFields' + - $ref: '#/components/schemas/Synthetics_tcpMonitorFields' type: object - properties: - all: - additionalProperties: false - type: object - properties: {} - required: - - all - required: - - objects - - additionalProperties: false - type: object - properties: - objects: - additionalProperties: false + required: true + responses: + '200': + content: + application/json: + examples: + putSyntheticMonitorResponseWithWarning: + description: >- + A response when a browser monitor specifies a timeout but + has no private locations. + summary: Response with warning + value: |- + { + "type": "browser", + "name": "Example journey", + "enabled": true, + "warnings": [ + { + "id": "monitor-id", + "message": "For browser monitors, timeout is only supported on private locations. Browser monitor \"Example journey\" specifies a timeout and is running on public locations: \"public-1, public-2\". The timeout will have no effect on these locations.", + "publicLocationIds": ["public-1", "public-2"] + } + ] + } + schema: + type: object + properties: + warnings: + description: > + An optional array of warnings about the monitor + configuration. + items: + $ref: '#/components/schemas/Synthetics_monitorWarning' + type: array + description: > + A successful response. The response may include a `warnings` array + when the monitor configuration has non-critical issues. + '400': + description: > + Bad request. For browser monitors, a 400 error is returned if the + timeout is less than 30 seconds. + summary: Update a monitor + tags: + - synthetics + /api/synthetics/params: + get: + description: > + Get a list of all parameters. You must have `read` privileges for the + Synthetics feature in the Observability section of the Kibana feature + privileges. 
+ operationId: get-parameters + responses: + '200': + content: + application/json: + examples: + getParametersResponseExample1: + description: >- + A successful response for a user with read-only permissions + to get a list of parameters. + summary: Read access + value: |- + [ + { + "id": "param1-id", + "key": "param1", + "description": "Description for param1", + "tags": ["tag1", "tag2"], + "namespaces": ["namespace1"] + }, + { + "id": "param2-id", + "key": "param2", + "description": "Description for param2", + "tags": ["tag3"], + "namespaces": ["namespace2"] + } + ] + getParametersResponseExample2: + description: >- + A successful response for a user with write permissions to + get a list of parameters. + summary: Write access + value: |- + [ + { + "id": "param1-id", + "key": "param1", + "description": "Description for param1", + "tags": ["tag1", "tag2"], + "namespaces": ["namespace1"], + "value": "value1" + }, + { + "id": "param2-id", + "key": "param2", + "description": "Description for param2", + "tags": ["tag3"], + "namespaces": ["namespace2"], + "value": "value2" + } + ] + schema: + items: + $ref: '#/components/schemas/Synthetics_getParameterResponse' + type: array + description: A successful response. + summary: Get parameters + tags: + - synthetics + post: + description: > + Add one or more parameters to the Synthetics app. + + You must have `all` privileges for the Synthetics feature in the + Observability section of the Kibana feature privileges. + operationId: post-parameters + requestBody: + content: + application/json: + examples: + postParametersRequestExample1: + description: Add a single parameter. + summary: Single parameter + value: |- + { + "key": "your-key-name", + "value": "your-parameter-value", + "description": "Param to use in browser monitor", + "tags": ["authentication", "security"], + "share_across_spaces": true + } + postParametersRequestExample2: + description: Add multiple parameters. 
+ summary: Multiple parameters + value: |- + [ + { + "key": "param1", + "value": "value1" + }, + { + "key": "param2", + "value": "value2" + } + ] + schema: + oneOf: + - items: + $ref: '#/components/schemas/Synthetics_parameterRequest' + type: array + - $ref: '#/components/schemas/Synthetics_parameterRequest' + description: >- + The request body can contain either a single parameter object or an + array of parameter objects. + required: true + responses: + '200': + content: + application/json: + examples: + postParametersResponseExample1: + description: A successful response for a single added parameter. + summary: Single parameter + value: |- + { + "id": "unique-parameter-id", + "key": "your-key-name", + "value": "your-param-value", + "description": "Param to use in browser monitor", + "tags": ["authentication", "security"], + "share_across_spaces": true + } + postParametersResponseExample2: + description: A successful response for multiple added parameters. + summary: Multiple parameters + value: |- + [ + { + "id": "param1-id", + "key": "param1", + "value": "value1" + }, + { + "id": "param2-id", + "key": "param2", + "value": "value2" + } + ] + schema: + oneOf: + - items: + $ref: '#/components/schemas/Synthetics_postParameterResponse' + type: array + - $ref: '#/components/schemas/Synthetics_postParameterResponse' + description: A successful response. + summary: Add parameters + tags: + - synthetics + /api/synthetics/params/_bulk_delete: + post: + description: > + Delete parameters from the Synthetics app. + + You must have `all` privileges for the Synthetics feature in the + Observability section of the Kibana feature privileges. + operationId: delete-parameters + requestBody: + content: + application/json: + examples: + deleteParametersRequestExample1: + description: >- + Run `POST /api/synthetics/params/_bulk_delete` to delete + multiple parameters. 
+ value: |- + { + "ids": ["param1-id", "param2-id"] + } + schema: type: object properties: - mappings: - type: boolean - queries: - items: - type: object - properties: - id: - type: string - required: - - id - type: array - routing: + ids: + description: An array of parameter IDs to delete. items: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_ContentPackIncludedObjects' - - type: object - properties: - destination: - type: string - required: - - destination + type: string type: array - required: - - mappings - - queries - - routing - required: - - objects - Kibana_HTTP_APIs_core_status_redactedResponse: - additionalProperties: false - description: A minimal representation of Kibana's operational status. - properties: - status: - additionalProperties: false - type: object - properties: - overall: - additionalProperties: false - type: object - properties: - level: - description: Service status levels as human and machine readable values. - enum: - - available - - degraded - - unavailable - - critical - type: string - required: - - level - required: - - overall - required: - - status - title: core_status_redactedResponse - type: object - Kibana_HTTP_APIs_core_status_response: - additionalProperties: false - description: Kibana's operational status as well as a detailed breakdown of plugin statuses indication of various loads (like event loop utilization and network traffic) at time of request. - properties: - metrics: - additionalProperties: false - description: Metric groups collected by Kibana. - type: object - properties: - collection_interval_in_millis: - description: The interval at which metrics should be collected. - type: number - elasticsearch_client: - additionalProperties: false - description: Current network metrics of Kibana's Elasticsearch client. - type: object - properties: - totalActiveSockets: - description: Count of network sockets currently in use. 
- type: number - totalIdleSockets: - description: Count of network sockets currently idle. - type: number - totalQueuedRequests: - description: Count of requests not yet assigned to sockets. - type: number - required: - - totalActiveSockets - - totalIdleSockets - - totalQueuedRequests - last_updated: - description: The time metrics were collected. - type: string - required: - - elasticsearch_client - - last_updated - - collection_interval_in_millis - name: - description: Kibana instance name. - type: string - status: - additionalProperties: false - type: object - properties: - core: - additionalProperties: false - description: Statuses of core Kibana services. - type: object - properties: - elasticsearch: - additionalProperties: false - type: object - properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: Service status levels as human and machine readable values. - enum: - - available - - degraded - - unavailable - - critical - type: string - meta: - additionalProperties: - nullable: true - description: An unstructured set of extra metadata about this service. - type: object - summary: - description: A human readable summary of the service status. - type: string - required: - - level - - summary - - meta - http: - additionalProperties: false - type: object - properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: Service status levels as human and machine readable values. - enum: - - available - - degraded - - unavailable - - critical - type: string - meta: - additionalProperties: - nullable: true - description: An unstructured set of extra metadata about this service. 
- type: object - summary: - description: A human readable summary of the service status. - type: string - required: - - level - - summary - - meta - savedObjects: - additionalProperties: false + required: true + responses: + '200': + content: + application/json: + examples: + deleteParametersResponseExample1: + value: |- + [ + { + "id": "param1-id", + "deleted": true + } + ] + schema: + items: type: object properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: Service status levels as human and machine readable values. - enum: - - available - - degraded - - unavailable - - critical - type: string - meta: - additionalProperties: - nullable: true - description: An unstructured set of extra metadata about this service. - type: object - summary: - description: A human readable summary of the service status. + deleted: + description: > + Indicates whether the parameter was successfully + deleted. It is `true` if it was deleted. It is `false` + if it was not deleted. + type: boolean + id: + description: The unique identifier for the deleted parameter. type: string - required: - - level - - summary - - meta - required: - - elasticsearch - - savedObjects - overall: - additionalProperties: false - type: object - properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: Service status levels as human and machine readable values. - enum: - - available - - degraded - - unavailable - - critical - type: string - meta: - additionalProperties: - nullable: true - description: An unstructured set of extra metadata about this service. - type: object - summary: - description: A human readable summary of the service status. 
- type: string - required: - - level - - summary - - meta - plugins: - additionalProperties: - additionalProperties: false - type: object - properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: Service status levels as human and machine readable values. - enum: - - available - - degraded - - unavailable - - critical - type: string - meta: - additionalProperties: - nullable: true - description: An unstructured set of extra metadata about this service. - type: object - summary: - description: A human readable summary of the service status. - type: string - required: - - level - - summary - - meta - description: A dynamic mapping of plugin ID to plugin status. - type: object - required: - - overall - - core - - plugins - uuid: - description: Unique, generated Kibana instance UUID. This UUID should persist even if the Kibana process restarts. - type: string - version: - additionalProperties: false - type: object - properties: - build_date: - description: The date and time of this build. - type: string - build_flavor: - description: The build flavour determines configuration and behavior of Kibana. On premise users will almost always run the "traditional" flavour, while other flavours are reserved for Elastic-specific use cases. - enum: - - serverless - - traditional - type: string - build_hash: - description: A unique hash value representing the git commit of this Kibana build. - type: string - build_number: - description: A monotonically increasing number, each subsequent build will have a higher number. - type: number - build_snapshot: - description: Whether this build is a snapshot build. - type: boolean - number: - description: A semantic version number. 
- type: string - required: - - number - - build_hash - - build_number - - build_snapshot - - build_flavor - - build_date - required: - - name - - uuid - - version - - status - - metrics - title: core_status_response - type: object - Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). 
- type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. 
- type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false + type: array + description: A successful response. + summary: Delete parameters + tags: + - synthetics + /api/synthetics/params/{id}: + delete: + description: > + Delete a parameter from the Synthetics app. + + You must have `all` privileges for the Synthetics feature in the + Observability section of the Kibana feature privileges. + operationId: delete-parameter + parameters: + - description: The ID for the parameter to delete. + in: path + name: id + required: true + schema: + type: string + responses: + '200': + description: OK + summary: Delete a parameter + tags: + - synthetics + get: + description: > + Get a parameter from the Synthetics app. + + You must have `read` privileges for the Synthetics feature in the + Observability section of the Kibana feature privileges. + operationId: get-parameter + parameters: + - description: The unique identifier for the parameter. + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getParameterResponseExample1: + description: >- + A successful response for a user with read-only permissions + to get a single parameter. + summary: Read access + value: |- + { + "id": "unique-parameter-id", + "key": "your-api-key", + "description": "Param to use in browser monitor", + "tags": ["authentication", "security"], + "namespaces": ["namespace1", "namespace2"] + } + getParameterResponseExample2: + description: >- + A successful response for a user with write permissions to + get a single parameter. 
+ summary: Write access + value: |- + { + "id": "unique-parameter-id", + "key": "your-param-key", + "description": "Param to use in browser monitor", + "tags": ["authentication", "security"], + "namespaces": ["namespace1", "namespace2"], + "value": "your-param-value" + } + schema: + $ref: '#/components/schemas/Synthetics_getParameterResponse' + description: A successful response. + summary: Get a parameter + tags: + - synthetics + put: + description: > + Update a parameter in the Synthetics app. + + You must have `all` privileges for the Synthetics feature in the + Observability section of the Kibana feature privileges. + operationId: put-parameter + parameters: + - description: The unique identifier for the parameter. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putParameterRequestExample1: + value: |- + { + "key": "updated_param_key", + "value": "updated-param-value", + "description": "Updated Param to be used in browser monitor", + "tags": ["authentication", "security", "updated"] + } + schema: type: object properties: - blob: - maxLength: 10000 + description: + description: The updated description of the parameter. type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. 
By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the degraded docs rule. These parameters are appropriate when `rule_type_id` is `datasetQuality.degradedDocs`. - properties: - comparator: - type: string - groupBy: - items: - type: string - type: array - searchConfiguration: - additionalProperties: false - type: object - properties: - index: + key: + description: The key of the parameter. 
type: string - required: - - index - threshold: - items: - type: number - type: array - timeSize: - type: number - timeUnit: - type: string - required: - - timeUnit - - timeSize - - threshold - - comparator - - searchConfiguration - title: Degraded Docs Rule Params - type: object - rule_type_id: - enum: - - datasetQuality.degradedDocs - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Degraded docs - type: object - Kibana_HTTP_APIs_es-query-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
- type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). 
- type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true + tags: + description: An array of updated tags to categorize the parameter. 
+ items: type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false + type: array + value: + description: The updated value associated with the parameter. + type: string + description: The request body cannot be empty; at least one attribute is required. 
+ required: true + responses: + '200': + content: + application/json: + examples: + putParameterResponseExample1: + value: |- + { + "id": "param_id1", + "key": "updated_param_key", + "value": "updated-param-value", + "description": "Updated Param to be used in browser monitor", + "tags": ["authentication", "security", "updated"] + } + schema: type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false + description: A successful response. + summary: Update a parameter + tags: + - synthetics + /api/synthetics/private_locations: + get: + description: > + Get a list of private locations. + + You must have `read` privileges for the Synthetics and Uptime feature in + the Observability section of the Kibana feature privileges. + operationId: get-private-locations + responses: + '200': + content: + application/json: + examples: + getPrivateLocationsResponseExample1: + value: |- + [ + { + "label": "Test private location", + "id": "fleet-server-policy", + "agentPolicyId": "fleet-server-policy", + "isInvalid": false, + "geo": { + "lat": 0, + "lon": 0 + }, + "namespace": "default" + }, + { + "label": "Test private location 2", + "id": "691225b0-6ced-11ee-8f5a-376306ee85ae", + "agentPolicyId": "691225b0-6ced-11ee-8f5a-376306ee85ae", + "isInvalid": false, + "geo": { + "lat": 0, + "lon": 0 + }, + "namespace": "test" + } + ] + schema: + items: + $ref: '#/components/schemas/Synthetics_getPrivateLocation' + type: array + description: A successful response. + summary: Get private locations + tags: + - synthetics + post: + description: >- + You must have `all` privileges for the Synthetics and Uptime feature in + the Observability section of the Kibana feature privileges. + operationId: post-private-location + requestBody: + content: + application/json: + examples: + postPrivateLocationRequestExample1: + description: >- + Run `POST /api/private_locations` to create a private + location. 
+ value: |- + { + "label": "Private Location 1", + "agentPolicyId": "abcd1234", + "tags": ["private", "testing"], + "geo": { + "lat": 40.7128, + "lon": -74.0060 + } + "spaces": ["default"] + } + schema: type: object properties: - blob: - maxLength: 10000 + agentPolicyId: + description: >- + The ID of the agent policy associated with the private + location. type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the ES query rule. These parameters are appropriate when `rule_type_id` is `.es-query`. - properties: - aggField: - description: The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`. - minLength: 1 - type: string - aggType: - default: count - description: The type of aggregation to perform. - type: string - esqlQuery: - anyOf: - - items: {} - type: array - - type: boolean - - type: number - - type: object - - type: string - description: The query definition in Elasticsearch Query Language. - nullable: true - oneOf: - - additionalProperties: false + geo: + description: Geographic coordinates (WGS84) for the location. type: object properties: - esql: - minLength: 1 - type: string + lat: + description: The latitude of the location. + type: number + lon: + description: The longitude of the location. + type: number required: - - esql - - not: {} - esQuery: - anyOf: - - items: {} - type: array - - type: boolean - - type: number - - type: object - - type: string - nullable: true - oneOf: - - minLength: 1 + - lat + - lon + label: + description: A label for the private location. 
type: string - - not: {} - excludeHitsFromPreviousRun: - default: true - description: Indicates whether to exclude matches from previous runs. If `true`, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified. - type: boolean - groupBy: - default: all - description: Indicates whether the aggregation is applied over all documents (`all`), grouped by row (`row`), or split into groups (`top`) using a grouping field (`termField`) where only the top groups (up to `termSize` number of groups) are checked. If grouping is used, an alert will be created for each group when it exceeds the threshold. - type: string - index: - anyOf: - - items: {} - type: array - - type: boolean - - type: number - - type: object - - type: string - description: The indices to query. - nullable: true - oneOf: - - items: - minLength: 1 + spaces: + description: > + An array of space IDs where the private location is + available. If it is not provided, the private location is + available in all spaces. + items: type: string - minItems: 1 - type: array - - not: {} - searchConfiguration: - anyOf: - - items: {} type: array - - type: boolean - - type: number - - type: object - - type: string - description: The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch. - nullable: true - oneOf: - - additionalProperties: true - type: object - properties: {} - - not: {} - searchType: - default: esQuery - description: 'The type of query For example: `esQuery` for Elasticsearch Query DSL or `esqlQuery` for Elasticsearch Query Language (ES|QL).' - enum: - - searchSource - - esQuery - - esqlQuery - type: string - size: - description: The number of documents to pass to the configured actions when the threshold condition is met. - maximum: 10000 - minimum: 0 - type: number - sourceFields: - description: The sourceFields param is ignored. 
- items: - additionalProperties: false - type: object - properties: - label: - type: string - searchPath: - type: string - required: - - label - - searchPath - maxItems: 5 - type: array - termField: - anyOf: - - minLength: 1 - type: string - - items: + tags: + description: An array of tags to categorize the private location. + items: type: string - maxItems: 4 - minItems: 2 - type: array - description: The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`. - termSize: - description: This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields. - minimum: 1 - type: number - threshold: - items: - description: The threshold value that is used with the `thresholdComparator`. If the `thresholdComparator` is `between` or `notBetween`, you must specify the boundary values. - type: number - maxItems: 2 - minItems: 1 - type: array - thresholdComparator: - description: 'The comparison function for the threshold. For example: greater than, less than, greater than or equal to, between, or not between.' - enum: - - '>' - - < - - '>=' - - <= - - between - - notBetween - type: string - timeField: - anyOf: - - items: {} type: array - - type: boolean - - type: number - - type: object - - type: string - description: The field that is used to calculate the time window. - nullable: true - oneOf: - - minLength: 1 - type: string - - minLength: 1 - type: string - x-oas-optional: true - timeWindowSize: - description: The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. - minimum: 1 - type: number - timeWindowUnit: - description: 'The type of units for the time window. For example: seconds, minutes, hours, or days.' 
- type: string - required: - - size - - timeWindowSize - - timeWindowUnit - - threshold - - thresholdComparator - - timeField - - searchConfiguration - - esQuery - - index - - esqlQuery - title: ES Query Rule Params - type: object - rule_type_id: - enum: - - .es-query - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: + required: + - agentPolicyId + - label + required: true + responses: + '200': + content: + application/json: + examples: + postPrivateLocationResponseExample1: + value: |- + { + "id": "abcd1234", + "label": "Private Location 1", + "agentPolicyId": "abcd1234", + "tags": ["private", "testing"], + "geo": { + "lat": 40.7128, + "lon": -74.0060 + } + } + schema: + type: object + description: A successful response. + '400': + description: >- + If the `agentPolicyId` is already used by an existing private + location or if the `label` already exists, the API will return a 400 + Bad Request response with a corresponding error message. + summary: Create a private location + tags: + - synthetics + /api/synthetics/private_locations/{id}: + delete: + description: > + You must have `all` privileges for the Synthetics and Uptime feature in + the Observability section of the Kibana feature privileges. + + The API does not return a response body for deletion, but it will return + an appropriate status code upon successful deletion. + + A location cannot be deleted if it has associated monitors in use. You + must delete all monitors associated with the location before deleting + the location. + operationId: delete-private-location + parameters: + - description: The unique identifier of the private location to be deleted. 
+ in: path + name: id + required: true + schema: + maxLength: 1024 + minLength: 1 type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: ES query - type: object - Kibana_HTTP_APIs_FailureStore: - anyOf: - - additionalProperties: false - type: object - properties: - inherit: - additionalProperties: false - type: object - properties: {} - required: - - inherit - - additionalProperties: false - type: object - properties: - disabled: - additionalProperties: false - type: object - properties: {} - required: - - disabled - - additionalProperties: false - type: object - properties: - lifecycle: - additionalProperties: false + responses: + '200': + description: OK + summary: Delete a private location + tags: + - synthetics + get: + description: > + You must have `read` privileges for the Synthetics and Uptime feature in + the Observability section of the Kibana feature privileges. + operationId: get-private-location + parameters: + - description: A private location identifier or label. + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getPrivateLocationResponseExample1: + value: |- + { + "label": "Test private location", + "id": "test-private-location-id", + "agentPolicyId": "test-private-location-id", + "isServiceManaged": false, + "isInvalid": false, + "geo": { + "lat": 0, + "lon": 0 + }, + "namespace": "default" + } + schema: + $ref: '#/components/schemas/Synthetics_getPrivateLocation' + description: A successful response. 
+ summary: Get a private location + tags: + - synthetics + put: + description: > + Update an existing private location's label. + + You must have `all` privileges for the Synthetics and Uptime feature in + the Observability section of the Kibana feature privileges. + + When a private location's label is updated, all monitors using this + location will also be updated to maintain data consistency. + operationId: put-private-location + parameters: + - description: The unique identifier of the private location to be updated. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putPrivateLocationRequestExample1: + description: Update a private location's label. + value: |- + { + "label": "Updated Private Location Name" + } + schema: type: object properties: - enabled: - additionalProperties: false - type: object - properties: - data_retention: - description: A non-empty string. - minLength: 1 - type: string + label: + description: >- + A new label for the private location. Must be at least 1 + character long. + minLength: 1 + type: string required: - - enabled - required: - - lifecycle - - additionalProperties: false - type: object - properties: - lifecycle: - additionalProperties: false + - label + required: true + responses: + '200': + content: + application/json: + examples: + putPrivateLocationResponseExample1: + value: |- + { + "label": "Updated Private Location Name", + "id": "test-private-location-id", + "agentPolicyId": "test-private-location-id", + "isServiceManaged": false, + "isInvalid": false, + "tags": ["private", "testing", "updated"], + "geo": { + "lat": 37.7749, + "lon": -122.4194 + }, + "spaces": ["*"] + } + schema: + $ref: '#/components/schemas/Synthetics_getPrivateLocation' + description: A successful response. + '400': + description: >- + If the `label` is shorter than 1 character the API will return a 400 + Bad Request response with a corresponding error message. 
+ '404': + description: >- + If the private location with the specified ID does not exist, the + API will return a 404 Not Found response. + summary: Update a private location + tags: + - synthetics + /api/task_manager/_health: + get: + description: | + Get the health status of the Kibana task manager. + operationId: task-manager-health + responses: + '200': + content: + application/json: + examples: + taskManagerHealthResponse1: + $ref: >- + #/components/examples/Task_manager_health_APIs_health_200response + schema: + $ref: '#/components/schemas/Task_manager_health_APIs_health_response' + description: Indicates a successful call + summary: Get the task manager health + tags: + - task manager + /api/timeline: + delete: + description: Delete one or more Timelines or Timeline templates. + operationId: DeleteTimelines + requestBody: + content: + application/json: + examples: + deleteByIds: + summary: Delete timelines by saved object id + value: + savedObjectIds: + - 15c1929b-0af7-42bd-85a8-56e234cc7c4e + deleteWithSearches: + summary: Delete Timelines and their linked saved searches + value: + savedObjectIds: + - 15c1929b-0af7-42bd-85a8-56e234cc7c4e + - 6ce1b592-84e3-4b4a-9552-f189d4b82075 + searchIds: + - 2c1b8f02-9ad6-4e33-8f6a-2c6b7d0a1f11 + schema: type: object properties: - disabled: - additionalProperties: false - type: object - properties: {} + savedObjectIds: + description: >- + The list of IDs of the Timelines or Timeline templates to + delete + items: + type: string + maxItems: 100 + type: array + searchIds: + description: >- + Saved search IDs that should be deleted alongside the + timelines + items: + type: string + maxItems: 100 + type: array required: - - disabled - required: - - lifecycle - Kibana_HTTP_APIs_FieldDefinition: - additionalProperties: - $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinitionConfig' - type: object - Kibana_HTTP_APIs_FieldDefinitionConfig: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' - - 
anyOf: - - additionalProperties: false + - savedObjectIds + description: The IDs of the Timelines or Timeline templates to delete. + required: true + responses: + '200': + content: + application/json: + examples: + success: + summary: Success + value: {} + schema: + additionalProperties: true + type: object + description: Indicates a successful call. + summary: Delete Timelines or Timeline templates + tags: + - Security Timeline API + - access:securitySolution + get: + description: Get the details of an existing saved Timeline or Timeline template. + operationId: GetTimeline + parameters: + - description: The `savedObjectId` of the Timeline template to retrieve. + in: query + name: template_timeline_id + schema: + type: string + - description: The `savedObjectId` of the Timeline to retrieve. + in: query + name: id + schema: + type: string + responses: + '200': + content: + application/json: + examples: + timelineDetail: + summary: Timeline detail + value: + description: User-reported suspicious email + noteIds: [] + pinnedEventIds: [] + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Phishing investigation + version: WzE0LDFd + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. + summary: Get Timeline or Timeline template details + tags: + - Security Timeline API + - access:securitySolution + patch: + description: >- + Update an existing Timeline. You can update the title, description, date + range, pinned events, pinned queries, and/or pinned saved queries of an + existing Timeline. + operationId: PatchTimeline + requestBody: + content: + application/json: + examples: + patchTitle: + summary: Update title + value: + timeline: + title: Escalated case review + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzE0LDFd + schema: type: object properties: - description: - type: string - format: - description: A non-empty string. 
- minLength: 1 + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + description: >- + The timeline object of the Timeline or Timeline template + that you’re updating. + timelineId: + description: >- + The `savedObjectId` of the Timeline or Timeline template + that you’re updating. + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + nullable: true type: string - type: - enum: - - keyword - - match_only_text - - long - - double - - date - - boolean - - ip - - geo_point - - integer - - short - - byte - - float - - half_float - - text - - wildcard - - version - - unsigned_long - - date_nanos + version: + description: >- + The version of the Timeline or Timeline template that you’re + updating. + example: WzE0LDFd + nullable: true type: string required: - - type - - additionalProperties: false + - timelineId + - version + - timeline + description: The Timeline updates, along with the Timeline ID and version. + required: true + responses: + '200': + content: + application/json: + examples: + patched: + summary: Updated timeline + value: + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Escalated case review + version: WzE1LDFd + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_PersistTimelineResponse + description: Indicates a successful call. + '405': + content: + application/json: + examples: + error: + summary: Error body + value: + body: update timeline error + statusCode: 405 + schema: + type: object + properties: + body: + description: The error message. + example: update timeline error + type: string + statusCode: + example: 405 + type: number + description: >- + Indicates that the user does not have the required access to create + a Timeline. + summary: Update a Timeline + tags: + - Security Timeline API + - access:securitySolution + post: + description: Create a new Timeline or Timeline template. 
+ operationId: CreateTimelines + requestBody: + content: + application/json: + examples: + createDefault: + summary: Create a default timeline + value: + timeline: + status: active + timelineType: default + title: Malware containment + schema: type: object properties: - description: + status: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' + nullable: true + templateTimelineId: + description: A unique identifier for the Timeline template. + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true type: string - format: - not: {} - type: - not: {} - required: - - description - - additionalProperties: false - type: object - properties: - description: + templateTimelineVersion: + description: Timeline template version number. + example: 12 + nullable: true + type: number + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + timelineId: + description: A unique identifier for the Timeline. + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true type: string - type: - enum: - - system + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + version: + nullable: true type: string required: - - type - Kibana_HTTP_APIs_FilterCondition: - anyOf: - - additionalProperties: false - description: A condition that compares a field to a value or range using an operator as the key. - type: object - properties: - contains: - anyOf: - - type: string - - type: number - - type: boolean - description: Contains comparison value. - endsWith: - anyOf: - - type: string - - type: number - - type: boolean - description: Ends-with comparison value. - eq: - anyOf: - - type: string - - type: number - - type: boolean - description: Equality comparison value. - field: - description: The document field to filter on. - minLength: 1 - type: string - gt: - anyOf: - - type: string - - type: number - - type: boolean - description: Greater-than comparison value. 
- gte: - anyOf: - - type: string - - type: number - - type: boolean - description: Greater-than-or-equal comparison value. - includes: - anyOf: - - type: string - - type: number - - type: boolean - description: Checks if multivalue field includes the value. - lt: - anyOf: - - type: string - - type: number - - type: boolean - description: Less-than comparison value. - lte: - anyOf: - - type: string - - type: number - - type: boolean - description: Less-than-or-equal comparison value. - neq: - anyOf: - - type: string - - type: number - - type: boolean - description: Inequality comparison value. - range: - additionalProperties: false - description: Range comparison values. - type: object - properties: - gt: - anyOf: - - type: string - - type: number - - type: boolean - description: A value that can be a string, number, or boolean. - gte: - anyOf: - - type: string - - type: number - - type: boolean - description: A value that can be a string, number, or boolean. - lt: - anyOf: - - type: string - - type: number - - type: boolean - description: A value that can be a string, number, or boolean. - lte: - anyOf: - - type: string - - type: number - - type: boolean - description: A value that can be a string, number, or boolean. - startsWith: - anyOf: - - type: string - - type: number - - type: boolean - description: Starts-with comparison value. - required: - - field - - additionalProperties: false - description: A condition that checks for the existence or non-existence of a field. - type: object - properties: - exists: - description: Indicates whether the field exists or not. - type: boolean - field: - description: The document field to check. - minLength: 1 - type: string - required: - - field - description: A basic filter condition, either unary or binary. 
- Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. 
An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false + - timeline + description: >- + The required Timeline fields used to create a new Timeline, along with + optional fields that will be created if not provided. + required: true + responses: + '200': + content: + application/json: + examples: + created: + summary: Created timeline + value: + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Malware containment + version: WzE0LDFd + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_PersistTimelineResponse + description: Indicates a successful call. + '405': + content: + application/json: + examples: + error: + summary: Error body + value: + body: update timeline error + statusCode: 405 + schema: type: object properties: - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true + body: + description: The error message + example: update timeline error type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. 
The `params` are handled as Mustache templates and passed a default set of context. + statusCode: + example: 405 + type: number + description: Indicates that there was an error in the Timeline creation. + summary: Create a Timeline or Timeline template + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/_copy: + post: + description: | + Copies and returns a timeline or timeline template. + operationId: CopyTimeline + requestBody: + content: + application/json: + examples: + copyWithTitle: + summary: Copy with a new title + value: + timeline: + timelineType: default + title: Copy of investigation + timelineIdToCopy: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + schema: + type: object + properties: + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + timelineIdToCopy: + description: >- + The `savedObjectId` of the timeline or template to + duplicate. + type: string + required: + - timeline + - timelineIdToCopy + description: >- + Source timeline id to copy plus timeline fields for the new saved + object. + required: true + responses: + '200': + content: + application/json: + examples: + copied: + summary: Newly saved timeline + value: + savedObjectId: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + status: active + timelineType: default + title: Copy of investigation + version: WzE1LDFd + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_PersistTimelineResponse + description: Indicates a successful call. + summary: Copies timeline or timeline template + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/_draft: + get: + description: >- + Get the details of the draft Timeline or Timeline template for the + current user. If the user doesn't have a draft Timeline, an empty + Timeline is returned. + operationId: GetDraftTimelines + parameters: + - description: >- + Which draft to load (`default` investigation timeline or `template` + timeline template). 
+ in: query + name: timelineType + required: true + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + responses: + '200': + content: + application/json: + examples: + draftPayload: + summary: Draft timeline payload + value: + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: draft + timelineType: default + title: '' + version: WzE0LDFd + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_PersistTimelineResponse + description: Indicates a successful call. + '403': + content: + application/json: + examples: + forbidden: + summary: Permission denied + value: + message: Forbidden + status_code: 403 + schema: type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false + properties: + message: + type: string + status_code: + type: number + description: >- + If a draft Timeline was not found and we attempted to create one, it + indicates that the user does not have the required permissions to + create a draft Timeline. 
+ '409': + content: + application/json: + examples: + conflict: + summary: Draft conflict + value: + message: Conflict + status_code: 409 + schema: type: object properties: - id: + message: type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false + status_code: + type: number + description: >- + This should never happen, but if a draft Timeline was not found and + we attempted to create one, it indicates that there is already a + draft Timeline with the given `timelineId`. + summary: Get draft Timeline or Timeline template details + tags: + - Security Timeline API + - access:securitySolution + post: + description: > + Create a clean draft Timeline or Timeline template for the current user. + + > info + + > If the user already has a draft Timeline, the existing draft Timeline + is cleared and returned. + operationId: CleanDraftTimelines + requestBody: + content: + application/json: + examples: + defaultDraft: + summary: Create a default draft timeline + value: + timelineType: default + schema: type: object properties: - blob: - maxLength: 10000 - type: string + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. 
By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the geo containment rule. These parameters are appropriate when `rule_type_id` is `.geo-containment`. 
- properties: - boundaryGeoField: - minLength: 1 - type: string - boundaryIndexId: - minLength: 1 - type: string - boundaryIndexQuery: - nullable: true - boundaryIndexTitle: - minLength: 1 - type: string - boundaryNameField: - minLength: 1 - type: string - boundaryType: - minLength: 1 - type: string - dateField: - minLength: 1 - type: string - entity: - minLength: 1 - type: string - geoField: - minLength: 1 - type: string - index: - minLength: 1 - type: string - indexId: - minLength: 1 - type: string - indexQuery: - nullable: true - required: - - index - - indexId - - geoField - - entity - - dateField - - boundaryType - - boundaryIndexTitle - - boundaryIndexId - - boundaryGeoField - - indexQuery - - boundaryIndexQuery - title: Geo Containment Rule Params - type: object - rule_type_id: - enum: - - .geo-containment - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Geo containment - type: object - Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + - timelineType + description: >- + The type of Timeline to create. Valid values are `default` and + `template`. + required: true + responses: + '200': + content: + application/json: + examples: + draftResponse: + summary: Draft after reset or creation + value: + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: draft + templateTimelineId: null + templateTimelineVersion: null + timelineType: default + title: '' + version: WzE0LDFd + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_PersistTimelineResponse + description: Indicates a successful call. + '403': + content: + application/json: + examples: + forbidden: + summary: Permission denied + value: + message: Forbidden + status_code: 403 + schema: type: object properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. 
- items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. 
- type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false + message: + type: string + status_code: + type: number + description: >- + Indicates that the user does not have the required permissions to + create a draft Timeline. + '409': + content: + application/json: + examples: + conflict: + summary: Draft conflict + value: + message: Conflict + status_code: 409 + schema: type: object properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval + message: type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true + status_code: + type: number + description: >- + Indicates that there is already a draft Timeline with the given + `timelineId`. 
+ summary: Create a clean draft Timeline or Timeline template + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/_export: + post: + description: Export Timelines as an NDJSON file. + operationId: ExportTimelines + parameters: + - description: The name of the file to export + in: query + name: file_name + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + exportIds: + summary: Export by timeline ids + value: + ids: + - 15c1929b-0af7-42bd-85a8-56e234cc7c4e + schema: + type: object + properties: + ids: + items: type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: + maxItems: 1000 + minItems: 1 nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. + type: array + description: The IDs of the Timelines to export. 
+ required: true + responses: + '200': + content: + application/ndjson: + examples: + ndjsonLine: + summary: Single NDJSON line + value: >- + {"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd","title":"Investigation","timelineType":"default"} + schema: + description: NDJSON of the exported Timelines type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false + description: Indicates a successful call. + '400': + content: + application/ndjson: + examples: + badRequest: + summary: Export error + value: + body: Export limit exceeded + statusCode: 400 + schema: type: object properties: - id: + body: type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false + statusCode: + type: number + description: Bad Request response. + summary: Export Timelines + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/_favorite: + patch: + description: Favorite a Timeline or Timeline template for the current user. + operationId: PersistFavoriteRoute + requestBody: + content: + application/json: + examples: + favoriteDefault: + summary: Favorite a default timeline + value: + templateTimelineId: null + templateTimelineVersion: null + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + timelineType: default + schema: type: object properties: - blob: - maxLength: 10000 + templateTimelineId: + nullable: true type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the index threshold rule. These parameters are appropriate when `rule_type_id` is `.index-threshold`. - properties: - aggField: - description: The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`. - minLength: 1 - type: string - aggType: - default: count - description: The type of aggregation to perform. - type: string - filterKuery: - description: A Kibana Query Language (KQL) expression thats limits the scope of alerts. - type: string - groupBy: - default: all - description: Indicates whether the aggregation is applied over all documents (`all`) or split into groups (`top`) using a grouping field (`termField`). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to `termSize` number of groups) are checked. - type: string - index: - anyOf: - - minLength: 1 + templateTimelineVersion: + nullable: true + type: number + timelineId: + nullable: true type: string - - items: - minLength: 1 + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + required: + - timelineId + - templateTimelineId + - templateTimelineVersion + - timelineType + description: The required fields used to favorite a (template) Timeline. + required: true + responses: + '200': + content: + application/json: + examples: + favoriteResponse: + summary: Favorite metadata updated + value: + favorite: + - favoriteDate: 1741337636741 + userName: elastic + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + timelineType: default + version: WzE2LDFd + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_FavoriteTimelineResponse + description: Indicates a successful call. 
+ '403': + content: + application/json: + examples: + forbidden: + summary: Forbidden + value: + body: Forbidden + statusCode: 403 + schema: + type: object + properties: + body: type: string - minItems: 1 - type: array - description: The indices to query. - termField: - description: The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`. - minLength: 1 - type: string - termSize: - description: This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields. - minimum: 1 - type: number - threshold: - items: - type: number - maxItems: 2 - minItems: 1 - type: array - thresholdComparator: - description: 'The comparison function for the threshold. For example: greater than, less than, greater than or equal to, between, or not between.' - enum: - - '>' - - < - - '>=' - - <= - - between - - notBetween - type: string - timeField: - description: The field that is used to calculate the time window. - minLength: 1 - type: string - timeWindowSize: - description: The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. - minimum: 1 - type: number - timeWindowUnit: - description: 'The type of units for the time window. For example: seconds, minutes, hours, or days.' - type: string - required: - - index - - timeField - - timeWindowSize - - timeWindowUnit - - thresholdComparator - - threshold - title: Index Threshold Rule Params - type: object - rule_type_id: - enum: - - .index-threshold - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. 
- type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Index threshold - type: object - Kibana_HTTP_APIs_IngestStreamLifecycle: - anyOf: - - additionalProperties: false - type: object - properties: - dsl: - additionalProperties: false - type: object - properties: - data_retention: - description: A non-empty string. - minLength: 1 - type: string - downsample: - items: - type: object - properties: - after: - description: A non-empty string. - minLength: 1 - type: string - fixed_interval: - description: A non-empty string. - minLength: 1 - type: string - required: - - after - - fixed_interval - type: array - required: - - dsl - - additionalProperties: false - type: object - properties: - ilm: - additionalProperties: false + statusCode: + type: number + description: >- + Indicates the user does not have the required permissions to persist + the favorite status. + summary: Favorite a Timeline or Timeline template + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/_import: + post: + description: Import Timelines. 
+ operationId: ImportTimelines + requestBody: + content: + application/json: + examples: + multipartPlaceholder: + summary: Request shape (file is a stream of NDJSON lines at runtime) + value: + file: >- + {"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd"}\n + isImmutable: 'false' + schema: type: object properties: - policy: - description: A non-empty string. - minLength: 1 + file: {} + isImmutable: + description: Whether the Timeline should be immutable + enum: + - 'true' + - 'false' type: string required: - - policy - required: - - ilm - - additionalProperties: false - type: object - properties: - inherit: - additionalProperties: false - type: object - properties: {} - required: - - inherit - Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + - file + description: The Timelines to import as a readable stream. + required: true + responses: + '200': + content: + application/json: + examples: + importSummary: + summary: Import summary + value: + errors: [] + success: true + success_count: 5 + timelines_installed: 3 + timelines_updated: 2 + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_ImportTimelineResult + description: Indicates a successful call. 
+ '400': + content: + application/json: + examples: + badRequest: + summary: Invalid import + value: + body: Invalid file extension + statusCode: 400 + schema: type: object properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. 
- type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false + body: + description: The error message + example: Invalid file extension + type: string + statusCode: + example: 400 + type: number + description: Bad Request response. + '404': + content: + application/json: + examples: + notFound: + summary: Saved objects client missing + value: + body: Unable to find saved object client + statusCode: 404 + schema: type: object properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. 
It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true + body: + description: The error message + example: Unable to find saved object client type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false + statusCode: + example: 404 + type: number + description: Not found response. 
+ '409': + content: + application/json: + examples: + conflict: + summary: Import conflict + value: + body: Could not import timelines + statusCode: 409 + schema: type: object properties: - id: + body: + description: The error message + example: Could not import timelines type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - anyOf: - - additionalProperties: false + statusCode: + example: 409 + type: number + description: Indicates the import of Timelines was unsuccessful. + summary: Import Timelines + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/_prepackaged: + post: + description: Install or update prepackaged Timelines. 
+ operationId: InstallPrepackedTimelines + requestBody: + content: + application/json: + examples: + emptyArrays: + summary: Installer payload shape + value: + prepackagedTimelines: [] + timelinesToInstall: [] + timelinesToUpdate: [] + schema: type: object properties: - count: - additionalProperties: false - type: object - properties: - comparator: - enum: - - more than - - more than or equals - - less than - - less than or equals - - equals - - does not equal - - matches - - does not match - - matches phrase - - does not match phrase - type: string - value: - type: number - required: - - comparator - - value - criteria: + prepackagedTimelines: items: - additionalProperties: false - type: object - properties: - comparator: - enum: - - more than - - more than or equals - - less than - - less than or equals - - equals - - does not equal - - matches - - does not match - - matches phrase - - does not match phrase - type: string - field: - type: string - value: - anyOf: - - type: string - - type: number - required: - - field - - comparator - - value + $ref: >- + #/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject + nullable: true type: array - groupBy: + timelinesToInstall: items: - type: string + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' + nullable: true + type: array + timelinesToUpdate: + items: + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' + nullable: true type: array - logView: - additionalProperties: false - type: object - properties: - logViewId: - type: string - type: - enum: - - log-view-reference - type: string - required: - - logViewId - - type - timeSize: - type: number - timeUnit: - enum: - - s - - m - - h - - d - type: string required: - - criteria - - count - - timeUnit - - timeSize - - logView - - additionalProperties: false + - timelinesToInstall + - timelinesToUpdate + - prepackagedTimelines + description: The Timelines to install or update. 
+ required: true + responses: + '200': + content: + application/json: + examples: + installResult: + summary: Install result counts + value: + errors: [] + success: true + success_count: 10 + timelines_installed: 8 + timelines_updated: 2 + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_ImportTimelineResult + description: Indicates a successful call. + '500': + content: + application/json: + examples: + serverError: + summary: Server error + value: + body: Internal error + statusCode: 500 + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: >- + Indicates the installation of prepackaged Timelines was + unsuccessful. + summary: Install prepackaged Timelines + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/resolve: + get: + description: >- + Resolve a Timeline or Timeline template, surfacing outcomes such as + `exactMatch`, `aliasMatch`, or `conflict` when object IDs have been + remapped during upgrades or imports. Provide **either** `id` for default + Timelines or `template_timeline_id` for templates. + operationId: ResolveTimeline + parameters: + - description: The ID of the template timeline to resolve + in: query + name: template_timeline_id + schema: + type: string + - description: The ID of the timeline to resolve + in: query + name: id + schema: + type: string + responses: + '200': + content: + application/json: + examples: + exactMatch: + description: Timeline resolved without alias or conflict + summary: Exact match outcome + value: + outcome: exactMatch + timeline: + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + timelineType: default + title: Investigation + schema: + $ref: '#/components/schemas/Security_Timeline_API_ResolvedTimeline' + description: Indicates a successful call. 
+ '400': + content: + application/json: + examples: + badRequest: + summary: Bad request + value: {} + schema: + additionalProperties: true + type: object + description: Bad Request response. + '404': + content: + application/json: + examples: + notFound: + summary: Not found + value: {} + schema: + additionalProperties: true + type: object + description: The (template) Timeline was not found + summary: Resolve a Timeline or Timeline template + tags: + - Security Timeline API + - access:securitySolution + /api/timelines: + get: + description: Get a list of all saved Timelines or Timeline templates. + operationId: GetTimelines + parameters: + - description: >- + If `true`, only Timelines that the current user has marked as + favorite are returned. + in: query + name: only_user_favorite + schema: + enum: + - 'true' + - 'false' + nullable: true + type: string + - description: >- + Restrict results to `default` investigation timelines or `template` + timeline templates. + in: query + name: timeline_type + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + - description: >- + Field used to sort the list (`title`, `description`, `updated`, or + `created`). + in: query + name: sort_field + schema: + $ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline' + - description: Whether to sort the results `ascending` or `descending` + in: query + name: sort_order + schema: + enum: + - asc + - desc + type: string + - description: How many results should returned at once + in: query + name: page_size + schema: + nullable: true + type: string + - description: How many pages should be skipped + in: query + name: page_index + schema: + nullable: true + type: string + - description: Allows to search for timelines by their title + in: query + name: search + schema: + nullable: true + type: string + - description: >- + Filter by timeline lifecycle state (`active`, `draft`, or + `immutable`). 
+ in: query + name: status + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' + nullable: true + responses: + '200': + content: + application/json: + examples: + timelineList: + summary: Example list response + value: + customTemplateTimelineCount: 0 + defaultTimelineCount: 1 + elasticTemplateTimelineCount: 0 + favoriteCount: 0 + templateTimelineCount: 0 + timeline: + - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Phishing investigation + updated: 1741344876825 + version: WzE0LDFd + totalCount: 1 + schema: + type: object + properties: + customTemplateTimelineCount: + description: The amount of custom Timeline templates in the results + example: 2 + type: number + defaultTimelineCount: + description: The amount of `default` type Timelines in the results + example: 90 + type: number + elasticTemplateTimelineCount: + description: The amount of Elastic's Timeline templates in the results + example: 8 + type: number + favoriteCount: + description: The amount of favorited Timelines + example: 5 + type: number + templateTimelineCount: + description: The amount of Timeline templates in the results + example: 10 + type: number + timeline: + items: + $ref: >- + #/components/schemas/Security_Timeline_API_TimelineResponse + type: array + totalCount: + description: The total amount of results + example: 100 + type: number + required: + - timeline + - totalCount + description: Indicates a successful call. + '400': + content: + application/json: + examples: + badRequest: + summary: Error response body + value: + body: get timeline error + statusCode: 400 + schema: + type: object + properties: + body: + description: The error message. + example: get timeline error + type: string + statusCode: + example: 400 + type: number + description: Bad Request response. 
+ summary: Get Timelines or Timeline templates + tags: + - Security Timeline API + - access:securitySolution + /api/upgrade_assistant/status: + get: + description: Check the status of your cluster. + operationId: get-upgrade-status + responses: + '200': + content: + application/json: + examples: + getUpgradeStatusResponseExample1: + value: |- + { + "readyForUpgrade": false, + "cluster": [ + { + "message": "Cluster deprecated issue", + "details":"You have 2 system indices that must be migrated and 5 Elasticsearch deprecation issues and 0 Kibana deprecation issues that must be resolved before upgrading." + } + ] + } + description: Indicates a successful call. + summary: Get the upgrade readiness status + tags: + - upgrade + x-state: Technical Preview + /api/uptime/settings: + get: + description: > + You must have `read` privileges for the uptime feature in the + Observability section of the Kibana feature privileges. + operationId: get-uptime-settings + responses: + '200': + content: + application/json: + examples: + getUptimeSettingsResponseExample1: + value: |- + { + "heartbeatIndices": "heartbeat-8*", + "certExpirationThreshold": 30, + "certAgeThreshold": 730, + "defaultConnectors": [ + "08990f40-09c5-11ee-97ae-912b222b13d4", + "db25f830-2318-11ee-9391-6b0c030836d6" + ], + "defaultEmail": { + "to": [], + "cc": [], + "bcc": [] + } + } + schema: + type: object + description: Indicates a successful call + summary: Get uptime settings + tags: + - uptime + put: + description: > + Update uptime setting attributes like `heartbeatIndices`, + `certExpirationThreshold`, `certAgeThreshold`, `defaultConnectors`, or + `defaultEmail`. You must have `all` privileges for the uptime feature in + the Observability section of the Kibana feature privileges. A partial + update is supported, provided settings keys will be merged with existing + settings. 
+ operationId: put-uptime-settings + requestBody: + content: + application/json: + examples: + putUptimeSettingsRequestExample1: + description: >- + Run `PUT api/uptime/settings` to update multiple Uptime + settings. + summary: Update multiple settings + value: |- + { + "heartbeatIndices": "heartbeat-8*", + "certExpirationThreshold": 30, + "certAgeThreshold": 730, + "defaultConnectors": [ + "08990f40-09c5-11ee-97ae-912b222b13d4", + "db25f830-2318-11ee-9391-6b0c030836d6" + ], + "defaultEmail": { + "to": [], + "cc": [], + "bcc": [] + } + } + putUptimeSettingsRequestExample2: + description: >- + Run `PUT api/uptime/settings` to update a single Uptime + setting. + summary: Update a setting + value: |- + { + "heartbeatIndices": "heartbeat-8*", + } + schema: type: object properties: - count: - additionalProperties: false - type: object - properties: - comparator: - enum: - - more than - - more than or equals - - less than - - less than or equals - - equals - - does not equal - - matches - - does not match - - matches phrase - - does not match phrase - type: string - value: - type: number - required: - - comparator - - value - criteria: - items: - items: - additionalProperties: false - type: object - properties: - comparator: - enum: - - more than - - more than or equals - - less than - - less than or equals - - equals - - does not equal - - matches - - does not match - - matches phrase - - does not match phrase - type: string - field: - type: string - value: - anyOf: - - type: string - - type: number - required: - - field - - comparator - - value - type: array - type: array - groupBy: - items: - type: string + certAgeThreshold: + default: 730 + description: >- + The number of days after a certificate is created to trigger + an alert. + type: number + certExpirationThreshold: + default: 30 + description: >- + The number of days before a certificate expires to trigger + an alert. 
+ type: number + defaultConnectors: + default: [] + description: >- + A list of connector IDs to be used as default connectors for + new alerts. type: array - logView: - additionalProperties: false + defaultEmail: + description: | + The default email configuration for new alerts. type: object properties: - logViewId: - type: string - type: - enum: - - log-view-reference - type: string - required: - - logViewId - - type - timeSize: - type: number - timeUnit: - enum: - - s - - m - - h - - d - type: string - required: - - criteria - - count - - timeUnit - - timeSize - - logView - description: The parameters for the log threshold rule. These parameters are appropriate when `rule_type_id` is `logs.alert.document.count`. - title: Log Threshold Rule Params - rule_type_id: - enum: - - logs.alert.document.count - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Log threshold - type: object - Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + bcc: + default: [] + items: type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). 
+ type: array + cc: + default: [] + items: type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: array + to: + default: [] + items: type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. 
- type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 + type: array + heartbeatIndices: + default: heartbeat-* + description: > + An index pattern string to be used within the Uptime app and + alerts to query Heartbeat data. type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. 
While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the metric inventory threshold rule. These parameters are appropriate when `rule_type_id` is `metrics.alert.inventory.threshold`. - properties: - alertOnNoData: - type: boolean - criteria: - items: - additionalProperties: false + responses: + '200': + content: + application/json: + examples: + putUptimeSettingsResponseExample1: + description: A successful response from `PUT api/uptime/settings`. 
+ value: |- + { + "heartbeatIndices": "heartbeat-8*", + "certExpirationThreshold": 30, + "certAgeThreshold": 730, + "defaultConnectors": [ + "08990f40-09c5-11ee-97ae-912b222b13d4", + "db25f830-2318-11ee-9391-6b0c030836d6" + ], + "defaultEmail": { + "to": [], + "cc": [], + "bcc": [] + } + } + schema: type: object - properties: - comparator: - type: string - customMetric: - additionalProperties: false - type: object - properties: - aggregation: - type: string - field: - type: string - id: - type: string - label: - type: string - type: - enum: - - custom - type: string - required: - - type - - id - - field - - aggregation - metric: - type: string - threshold: - items: - type: number - type: array - timeSize: - type: number - timeUnit: - type: string - warningComparator: - type: string - warningThreshold: - items: - type: number - type: array - required: - - threshold - - comparator - - timeUnit - - timeSize - - metric - type: array - filterQuery: - type: string - nodeType: + description: Indicates a successful call + summary: Update uptime settings + tags: + - uptime + /s/{spaceId}/api/observability/slos: + get: + description: > + You must have the `read` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: findSlosOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - description: A valid kql query to filter the SLO with + example: 'slo.name:latency* and slo.tags : "prod"' + in: query + name: kqlQuery + schema: + type: string + - description: >- + The page size to use for cursor-based pagination, must be greater or + equal than 1 + example: 1 + in: query + name: size + schema: + default: 1 + type: integer + - description: >- + The cursor to use for fetching the results from, when using a + cursor-base pagination. 
+ in: query + name: searchAfter + schema: + items: type: string + type: array + - description: The page to use for pagination, must be greater or equal than 1 + example: 1 + in: query + name: page + schema: + default: 1 + type: integer + - description: Number of SLOs returned by page + example: 25 + in: query + name: perPage + schema: + default: 25 + maximum: 5000 + type: integer + - description: Sort by field + example: status + in: query + name: sortBy + schema: + default: status + enum: + - sli_value + - status + - error_budget_consumed + - error_budget_remaining + type: string + - description: Sort order + example: asc + in: query + name: sortDirection + schema: + default: asc + enum: + - asc + - desc + type: string + - description: >- + Hide stale SLOs from the list as defined by stale SLO threshold in + SLO settings + in: query + name: hideStale + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + findSloResponse: + summary: A paginated list of SLOs + value: + page: 1 + perPage: 25 + results: + - budgetingMethod: occurrences + createdAt: '2025-01-12T10:03:19.000Z' + description: Availability of my web service + enabled: true + groupBy: '*' + id: 8853df00-ae2e-11ed-90af-09bb6422b258 + indicator: + params: + filter: >- + field.environment : "production" and service.name + : "my-service" + good: 'request.status_code : "2xx"' + index: logs-* + timestampField: '@timestamp' + total: 'request.status_code : *' + type: sli.kql.custom + instanceId: '*' + name: My Service Availability + objective: + target: 0.99 + revision: 1 + settings: + frequency: 5m + syncDelay: 5m + summary: + errorBudget: + consumed: 0.17 + initial: 0.01 + isEstimated: false + remaining: 0.83 + sliValue: 0.9983 + status: HEALTHY + tags: + - production + - web-service + timeWindow: + duration: 30d + type: rolling + updatedAt: '2025-01-12T10:03:19.000Z' + version: 2 + total: 42 + schema: + $ref: '#/components/schemas/SLOs_find_slo_response' + description: 
Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''invalid'' supplied to: sortBy' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: >- + security_exception: unable to authenticate user for REST + request [/api/observability/slos] + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: >- + security_exception: action [slo_read] is unauthorized for + user + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Get a paginated list of SLOs + tags: + - slo + post: + description: > + You must have `all` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. 
+ operationId: createSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + requestBody: + content: + application/json: + examples: + createSloKqlExample: + summary: Create an SLO with a KQL indicator + value: + budgetingMethod: occurrences + description: >- + Availability of my web service measured by successful HTTP + responses + indicator: + params: + filter: >- + field.environment : "production" and service.name : + "my-service" + good: 'request.status_code : "2xx"' + index: logs-* + timestampField: '@timestamp' + total: 'request.status_code : *' + type: sli.kql.custom + name: My Service Availability + objective: + target: 0.99 + settings: + frequency: 5m + syncDelay: 5m + tags: + - production + - web-service + timeWindow: + duration: 30d + type: rolling + schema: + $ref: '#/components/schemas/SLOs_create_slo_request' + required: true + responses: + '200': + content: + application/json: + examples: + createSloResponse: + summary: Create SLO response + value: + id: 8853df00-ae2e-11ed-90af-09bb6422b258 + schema: + $ref: '#/components/schemas/SLOs_create_slo_response' + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: indicator/type' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: >- + security_exception: unable to authenticate user for REST + request [/api/observability/slos] + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: >- + security_exception: action 
[slo_write] is unauthorized for + user + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '409': + content: + application/json: + examples: + conflictExample: + summary: Conflict + value: + error: Conflict + message: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists + statusCode: 409 + schema: + $ref: '#/components/schemas/SLOs_409_response' + description: Conflict - The SLO id already exists + summary: Create an SLO + tags: + - slo + /s/{spaceId}/api/observability/slos/_bulk_delete: + post: + description: > + Bulk delete SLO definitions and their associated summary and rollup + data. This endpoint initiates a bulk deletion operation for SLOs, which + may take some time to complete. The status of the operation can be + checked using the `GET /api/slo/_bulk_delete/{taskId}` endpoint. + operationId: bulkDeleteOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + requestBody: + content: + application/json: + examples: + bulkDeleteRequest: + summary: Bulk delete two SLOs + value: + list: + - 8853df00-ae2e-11ed-90af-09bb6422b258 + - d077e940-1515-11ee-9c50-9d096392f520 schema: - type: string - sourceId: - type: string - required: - - criteria - - nodeType - - sourceId - title: Metric Inventory Threshold Rule Params - type: object - rule_type_id: - enum: - - metrics.alert.inventory.threshold - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. 
- items: + $ref: '#/components/schemas/SLOs_bulk_delete_request' + required: true + responses: + '200': + content: + application/json: + examples: + bulkDeleteResponse: + summary: Bulk delete response with task ID + value: + taskId: d08506b7-f0e8-4f8b-a06a-a83940f4db91 + schema: + $ref: '#/components/schemas/SLOs_bulk_delete_response' + description: Successful response + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: list' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: >- + security_exception: unable to authenticate user for REST + request [/api/observability/slos] + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: >- + security_exception: action [slo_write] is unauthorized for + user + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + summary: >- + Bulk delete SLO definitions and their associated summary and rollup + data. + tags: + - slo + /s/{spaceId}/api/observability/slos/_bulk_delete/{taskId}: + get: + description: > + Retrieve the status of the bulk deletion operation for SLOs. This + endpoint returns the status of the bulk deletion operation, including + whether it is completed and the results of the operation. 
+ operationId: bulkDeleteStatusOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - description: The task id of the bulk delete operation + in: path + name: taskId + required: true + schema: + example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Metric inventory threshold - type: object - Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. 
- items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. 
- type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. 
- type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. 
- type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the metric threshold rule. These parameters are appropriate when `rule_type_id` is `metrics.alert.threshold`. - properties: - alertOnGroupDisappear: - description: If true, an alert occurs if a group that previously reported metrics does not report them again over the expected time period. This check is not recommended for dynamically scaling infrastructures that might rapidly start and stop nodes automatically. - type: boolean - alertOnNoData: - description: If true, an alert occurs if the metrics do not report any data over the expected period or if the query fails. 
- type: boolean - criteria: - items: - anyOf: - - additionalProperties: false - type: object - properties: - aggType: - enum: - - count - type: string - comparator: - type: string - threshold: - description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. - items: - type: number - type: array - timeSize: - description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. - type: number - timeUnit: - description: 'The type of units for the time window: seconds, minutes, hours, or days.' - type: string - warningComparator: - type: string - warningThreshold: - items: - description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. - type: number - type: array - required: - - threshold - - comparator - - timeUnit - - timeSize - - aggType - - additionalProperties: false - type: object - properties: - aggType: - type: string - comparator: - type: string - metric: - type: string - threshold: - description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. - items: - type: number - type: array - timeSize: - description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. - type: number - timeUnit: - description: 'The type of units for the time window: seconds, minutes, hours, or days.' - type: string - warningComparator: - type: string - warningThreshold: - items: - description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. 
- type: number - type: array - required: - - threshold - - comparator - - timeUnit - - timeSize - - metric - - aggType - - additionalProperties: false - type: object - properties: - aggType: - enum: - - custom - type: string - comparator: - type: string - customMetrics: - items: - anyOf: - - additionalProperties: false - type: object - properties: - aggType: - type: string - field: - type: string - name: - type: string - required: - - name - - aggType - - field - - additionalProperties: false - type: object - properties: - aggType: - enum: - - count - type: string - filter: - type: string - name: - type: string - required: - - name - - aggType - type: array - equation: - type: string - label: - type: string - threshold: - description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. - items: - type: number - type: array - timeSize: - description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. - type: number - timeUnit: - description: 'The type of units for the time window: seconds, minutes, hours, or days.' - type: string - warningComparator: - type: string - warningThreshold: - items: - description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. - type: number - type: array - required: - - threshold - - comparator - - timeUnit - - timeSize - - aggType - - customMetrics - type: array - filterQuery: - description: A query that limits the scope of the rule. The rule evaluates only metric data that matches the query. - type: string - groupBy: - anyOf: - - type: string - - items: - type: string - type: array - description: 'Create an alert for every unique value of the specified fields. 
For example, you can create a rule per host or every mount point of each host. IMPORTANT: If you include the same field in both the `filterQuery` and `groupBy`, you might receive fewer results than you expect. For example, if you filter by `cloud.region: us-east`, grouping by `cloud.region` will have no effect because the filter query can match only one region.' - sourceId: - type: string - required: - - criteria - - sourceId - title: Metric Threshold Rule Params - type: object - rule_type_id: - enum: - - metrics.alert.threshold - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: + responses: + '200': + content: + application/json: + examples: + bulkDeleteStatusComplete: + summary: Completed bulk deletion + value: + isDone: true + results: + - id: 8853df00-ae2e-11ed-90af-09bb6422b258 + success: true + - id: d077e940-1515-11ee-9c50-9d096392f520 + success: true + bulkDeleteStatusPartialFailure: + summary: Completed with partial failure + value: + isDone: true + results: + - id: 8853df00-ae2e-11ed-90af-09bb6422b258 + success: true + - error: SLO [d077e940-1515-11ee-9c50-9d096392f520] not found + id: d077e940-1515-11ee-9c50-9d096392f520 + success: false + schema: + $ref: '#/components/schemas/SLOs_bulk_delete_status_response' + description: Successful response + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: taskId' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + 
value: + error: Unauthorized + message: >- + security_exception: unable to authenticate user for REST + request [/api/observability/slos] + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: >- + security_exception: action [slo_write] is unauthorized for + user + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + summary: Retrieve the status of the bulk deletion + tags: + - slo + /s/{spaceId}/api/observability/slos/_bulk_purge_rollup: + post: + description: > + The deletion occurs for the specified list of `sloId`. You must have + `all` privileges for the **SLOs** feature in the **Observability** + section of the Kibana feature privileges. + operationId: deleteRollupDataOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + requestBody: + content: + application/json: + examples: + purgeByAgeExample: + summary: Purge rollup data older than 7 days + value: + list: + - 8853df00-ae2e-11ed-90af-09bb6422b258 + purgePolicy: + age: 7d + purgeType: fixed-age + purgeByTimestampExample: + summary: Purge rollup data before a specific date + value: + list: + - 8853df00-ae2e-11ed-90af-09bb6422b258 + - d077e940-1515-11ee-9c50-9d096392f520 + purgePolicy: + purgeType: fixed-time + timestamp: '2024-12-31T00:00:00.000Z' + schema: + $ref: '#/components/schemas/SLOs_bulk_purge_rollup_request' + required: true + responses: + '200': + content: + application/json: + examples: + bulkPurgeResponse: + summary: Bulk purge response with task ID + value: + taskId: 8853df00-ae2e-11ed-90af-09bb6422b258 + schema: + $ref: '#/components/schemas/SLOs_bulk_purge_rollup_response' + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + 
summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: purgePolicy/purgeType' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: >- + security_exception: unable to authenticate user for REST + request [/api/observability/slos] + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: >- + security_exception: action [slo_write] is unauthorized for + user + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + summary: Batch delete rollup and summary data + tags: + - slo + /s/{spaceId}/api/observability/slos/_delete_instances: + post: + description: > + The deletion occurs for the specified list of `sloId` and `instanceId`. + You must have `all` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. 
+ operationId: deleteSloInstancesOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + requestBody: + content: + application/json: + examples: + deleteInstancesExample: + summary: Delete specific SLO instances + value: + list: + - instanceId: host-abc123 + sloId: 8853df00-ae2e-11ed-90af-09bb6422b258 + - instanceId: host-def456 + sloId: 8853df00-ae2e-11ed-90af-09bb6422b258 + schema: + $ref: '#/components/schemas/SLOs_delete_slo_instances_request' + required: true + responses: + '204': + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: list/0/sloId' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: >- + security_exception: unable to authenticate user for REST + request [/api/observability/slos] + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: >- + security_exception: action [slo_write] is unauthorized for + user + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + summary: Batch delete rollup and summary data + tags: + - slo + /s/{spaceId}/api/observability/slos/{sloId}: + delete: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. 
+ operationId: deleteSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '204': + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: id' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: >- + security_exception: unable to authenticate user for REST + request [/api/observability/slos] + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: >- + security_exception: action [slo_write] is unauthorized for + user + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Delete an SLO + tags: + - slo + get: + description: > + You must have the `read` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. 
+ operationId: getSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + - description: the specific instanceId used by the summary calculation + example: host-abcde + in: query + name: instanceId + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getSloResponse: + summary: Get SLO response + value: + budgetingMethod: occurrences + createdAt: '2025-01-12T10:03:19.000Z' + description: Availability of my web service + enabled: true + groupBy: '*' + id: 8853df00-ae2e-11ed-90af-09bb6422b258 + indicator: + params: + filter: >- + field.environment : "production" and service.name : + "my-service" + good: 'request.status_code : "2xx"' + index: logs-* + timestampField: '@timestamp' + total: 'request.status_code : *' + type: sli.kql.custom + instanceId: '*' + name: My Service Availability + objective: + target: 0.99 + revision: 1 + settings: + frequency: 5m + syncDelay: 5m + summary: + errorBudget: + consumed: 0.17 + initial: 0.01 + isEstimated: false + remaining: 0.83 + sliValue: 0.9983 + status: HEALTHY + tags: + - production + - web-service + timeWindow: + duration: 30d + type: rolling + updatedAt: '2025-01-12T10:03:19.000Z' + version: 2 + schema: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: id' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: >- + security_exception: unable to authenticate user for REST + request [/api/observability/slos] + statusCode: 401 + schema: + $ref: 
'#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: >- + security_exception: action [slo_read] is unauthorized for + user + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Get an SLO + tags: + - slo + put: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: updateSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + requestBody: + content: + application/json: + examples: + updateSloNameExample: + summary: Update the SLO name and tags + value: + name: Updated Service Availability + tags: + - production + - updated + updateSloObjectiveExample: + summary: Update the SLO objective + value: + objective: + target: 0.995 + schema: + $ref: '#/components/schemas/SLOs_update_slo_request' + required: true + responses: + '200': + content: + application/json: + examples: + updateSloResponse: + summary: Update SLO response + value: + budgetingMethod: occurrences + createdAt: '2025-01-12T10:03:19.000Z' + description: Availability of my web service + enabled: true + groupBy: '*' + id: 8853df00-ae2e-11ed-90af-09bb6422b258 + indicator: + params: + filter: >- + field.environment : "production" and service.name : + "my-service" + good: 'request.status_code : "2xx"' + index: logs-* + timestampField: '@timestamp' + total: 'request.status_code : *' 
+ type: sli.kql.custom + name: Updated Service Availability + objective: + target: 0.99 + revision: 2 + settings: + frequency: 5m + syncDelay: 5m + tags: + - production + - updated + timeWindow: + duration: 30d + type: rolling + updatedAt: '2025-03-26T14:30:00.000Z' + version: 2 + schema: + $ref: '#/components/schemas/SLOs_slo_definition_response' + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: indicator/type' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: >- + security_exception: unable to authenticate user for REST + request [/api/observability/slos] + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: >- + security_exception: action [slo_write] is unauthorized for + user + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Update an SLO + tags: + - slo + /s/{spaceId}/api/observability/slos/{sloId}/_reset: + post: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. 
+ operationId: resetSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '200': + content: + application/json: + examples: + resetSloResponse: + summary: Reset SLO response + value: + budgetingMethod: occurrences + createdAt: '2025-01-12T10:03:19.000Z' + description: Availability of my web service + enabled: true + groupBy: '*' + id: 8853df00-ae2e-11ed-90af-09bb6422b258 + indicator: + params: + filter: >- + field.environment : "production" and service.name : + "my-service" + good: 'request.status_code : "2xx"' + index: logs-* + timestampField: '@timestamp' + total: 'request.status_code : *' + type: sli.kql.custom + name: My Service Availability + objective: + target: 0.99 + revision: 2 + settings: + frequency: 5m + syncDelay: 5m + tags: + - production + - web-service + timeWindow: + duration: 30d + type: rolling + updatedAt: '2025-03-26T14:30:00.000Z' + version: 2 + schema: + $ref: '#/components/schemas/SLOs_slo_definition_response' + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: id' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: >- + security_exception: unable to authenticate user for REST + request [/api/observability/slos] + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: >- + security_exception: action [slo_write] is unauthorized for + user + statusCode: 403 + schema: + $ref: 
'#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Reset an SLO + tags: + - slo + /s/{spaceId}/api/observability/slos/{sloId}/disable: + post: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: disableSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '204': + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: id' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: >- + security_exception: unable to authenticate user for REST + request [/api/observability/slos] + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: >- + security_exception: action [slo_write] is unauthorized for + user + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not 
found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Disable an SLO + tags: + - slo + /s/{spaceId}/api/observability/slos/{sloId}/enable: + post: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: enableSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '204': + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: id' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: >- + security_exception: unable to authenticate user for REST + request [/api/observability/slos] + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: >- + security_exception: action [slo_write] is unauthorized for + user + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Enable an SLO + tags: + - slo + /s/{spaceId}/internal/observability/slos/_definitions: + get: + description: > + You must have 
the `read` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: getDefinitionsOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - description: >- + Indicates if the API returns only outdated SLO or all SLO + definitions + in: query + name: includeOutdatedOnly + schema: + type: boolean + - description: Indicates if the API returns SLO health data with definitions + example: true + in: query + name: includeHealth + schema: + type: boolean + - description: Filters the SLOs by tag + in: query + name: tags + schema: type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Metric threshold - type: object - Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). 
- type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. 
Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. 
- type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. 
- nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the cluster health rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_cluster_health`. 
- properties: - duration: - type: string - filterQuery: - type: string - filterQueryText: - type: string - limit: - type: string - threshold: - type: number - required: - - duration - title: Cluster Health Rule Params - type: object - rule_type_id: - enum: - - monitoring_alert_cluster_health - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval + - description: Filters the SLOs by name + example: my service availability + in: query + name: search + schema: + type: string + - description: The page to use for pagination, must be greater or equal than 1 + example: 1 + in: query + name: page + schema: + type: number + - description: Number of SLOs returned by page + example: 100 + in: query + name: perPage + schema: + default: 100 + maximum: 1000 + type: integer + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/SLOs_find_slo_definitions_response' + description: Successful request + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + summary: Get the SLO definitions + tags: + - slo +components: + examples: + Alerting_401_health_response: + summary: Unauthorized response for the get alerting health API. + value: + error: Unauthorized + message: >- + [security_exception] missing authentication credentials for REST + request + statusCode: 401 + Alerting_401_rule_types_response: + summary: Unauthorized response for the get rule types API. 
+ value: + error: Unauthorized + message: >- + [security_exception] missing authentication credentials for REST + request + statusCode: 401 + Alerting_get_health_response: + summary: Retrieve information about the health of the alerting framework. + value: + alerting_framework_health: + decryption_health: + status: ok + timestamp: '2023-01-13T01:28:00.280Z' + execution_health: + status: ok + timestamp: '2023-01-13T01:28:00.280Z' + read_health: + status: ok + timestamp: '2023-01-13T01:28:00.280Z' + has_permanent_encryption_key: true + is_sufficiently_secure: true + Alerting_get_rule_types_response: + summary: Retrieve rule types associated with Kibana machine learning features + value: + - action_groups: + - id: anomaly_score_match + name: Anomaly score matched the condition + - id: recovered + name: Recovered + action_variables: + context: + - description: The bucket timestamp of the anomaly + name: timestamp + - description: The bucket time of the anomaly in ISO8601 format + name: timestampIso8601 + - description: List of job IDs that triggered the alert + name: jobIds + - description: Alert info message + name: message + - description: Indicate if top hits contain interim results + name: isInterim + - description: Anomaly score at the time of the notification action + name: score + - description: Top records + name: topRecords + - description: Top influencers + name: topInfluencers + - description: URL to open in the Anomaly Explorer + name: anomalyExplorerUrl + useWithTripleBracesInTemplates: true + params: [] + state: [] + alerts: + context: ml.anomaly-detection + mappings: + fieldMap: + kibana.alert.anomaly_score: + array: false + type: double + required: false + kibana.alert.anomaly_timestamp: + array: false + type: date + required: false + kibana.alert.is_interim: + array: false + type: boolean + required: false + kibana.alert.job_id: + array: false + type: keyword + required: true + kibana.alert.top_influencers: + array: true + dynamic: false + type: object 
+ properties: + influencer_field_name: + type: keyword + influencer_field_value: + type: keyword + influencer_score: + type: double + initial_influencer_score: + type: double + is_interim: + type: boolean + job_id: + type: keyword + timestamp: + type: date + required: false + kibana.alert.top_records: + array: true + dynamic: false + type: object + properties: + actual: + type: double + by_field_name: + type: keyword + by_field_value: + type: keyword + detector_index: + type: integer + field_name: + type: keyword + function: + type: keyword + initial_record_score: + type: double + is_interim: + type: boolean + job_id: + type: keyword + over_field_name: + type: keyword + over_field_value: + type: keyword + partition_field_name: + type: keyword + partition_field_value: + type: keyword + record_score: + type: double + timestamp: + type: date + typical: + type: double + required: false + shouldWrite: true + authorized_consumers: + alerts: + all: true + read: true + apm: + all: true + read: true + discover: + all: true + read: true + infrastructure: + all: true + read: true + logs: + all: true + read: true + ml: + all: true + read: true + monitoring: + all: true + read: true + siem: + all: true + read: true + slo: + all: true + read: true + stackAlerts: + all: true + read: true + uptime: + all: true + read: true + category: management + default_action_group_id: anomaly_score_match + does_set_recovery_context: true + enabled_in_license: true + has_alerts_mappings: true + has_fields_for_a_a_d: true + id: xpack.ml.anomaly_detection_alert + is_exportable: true + minimum_license_required: platinum + name: Anomaly detection alert + producer: ml + recovery_action_group: + id: recovered + name: Recovered + rule_task_timeout: 5m + - action_groups: + - id: anomaly_detection_realtime_issue + name: Issue detected + - id: recovered + name: Recovered + action_variables: + context: + - description: Results of the rule execution + name: results + - description: Alert info message + 
name: message + params: [] + state: [] + authorized_consumers: + alerts: + all: true + read: true + apm: + all: true + read: true + discover: + all: true + read: true + infrastructure: + all: true + read: true + logs: + all: true + read: true + ml: + all: true + read: true + monitoring: + all: true + read: true + siem: + all: true + read: true + slo: + all: true + read: true + stackAlerts: + all: true + read: true + uptime: + all: true + read: true + category: management + default_action_group_id: anomaly_detection_realtime_issue + does_set_recovery_context: true + enabled_in_license: true + has_alerts_mappings: false + has_fields_for_a_a_d: false + id: xpack.ml.anomaly_detection_jobs_health + is_exportable: true + minimum_license_required: platinum + name: Anomaly detection jobs health + producer: ml + recovery_action_group: + id: recovered + name: Recovered + rule_task_timeout: 5m + APM_UI_agent_configuration_environments_200_response1: + description: >- + An example of a successful response from `GET + /api/apm/settings/agent-configuration/environments`. + value: + environments: + - alreadyConfigured: true + name: production + - alreadyConfigured: false + name: development + - alreadyConfigured: false + name: ALL_OPTION_VALUE + APM_UI_agent_configuration_intake_object_delete_200_response1: + description: >- + An example of a successful response from `DELETE + /api/apm/settings/agent-configuration`. + value: + result: deleted + APM_UI_agent_configuration_intake_object_delete_request1: + description: >- + Run `DELETE /api/apm/settings/agent-configuration` to delete a + configuration. + value: + service: + environment: production + name: frontend + APM_UI_agent_configuration_intake_object_get_200_response1: + description: >- + An example of a successful response from `GET + /api/apm/settings/agent-configuration`. 
+ value: + - '@timestamp': 1581934104843 + agent_name: go + applied_by_agent: false + etag: 1e58c178efeebae15c25c539da740d21dee422fc + service: + environment: production + name: opbeans-go + settings: + capture_body: 'off' + transaction_max_spans: '200' + transaction_sample_rate: '1' + - '@timestamp': 1581934111727 + agent_name: go + applied_by_agent: false + etag: 3eed916d3db434d9fb7f039daa681c7a04539a64 + service: + name: opbeans-go + settings: + capture_body: 'off' + transaction_max_spans: '300' + transaction_sample_rate: '1' + - '@timestamp': 1582031336265 + agent_name: nodejs + applied_by_agent: false + etag: 5080ed25785b7b19f32713681e79f46996801a5b + service: + name: frontend + settings: + transaction_sample_rate: '1' + APM_UI_agent_configuration_intake_object_put_200_response1: + description: >- + An example of a successful response from `PUT + /api/apm/settings/agent-configuration`. The response body is + intentionally empty. + value: {} + APM_UI_agent_configuration_intake_object_put_request1: + description: >- + Run `PUT /api/apm/settings/agent-configuration` to create or update + configuration details. + value: + agent_name: nodejs + service: + environment: production + name: frontend + settings: + capture_body: 'off' + transaction_max_spans: '500' + transaction_sample_rate: '0.4' + APM_UI_agent_configuration_intake_object_search_200_response1: + description: >- + An example of a successful response from `POST + /api/apm/settings/agent-configuration/search`. + value: + _id: CIaqXXABmQCdPphWj8EJ + _index: .apm-agent-configuration + _score: 2 + _source: + '@timestamp': 1582031336265 + agent_name: nodejs + applied_by_agent: false + etag: 5080ed25785b7b19f32713681e79f46996801a5b + service: + name: frontend + settings: + transaction_sample_rate: '1' + APM_UI_agent_configuration_intake_object_search_request1: + description: >- + Run `POST /api/apm/settings/agent-configuration/search` to search + configuration details. 
+ value: + etag: 1e58c178efeebae15c25c539da740d21dee422fc + service: + environment: production + name: frontend + APM_UI_agent_configuration_intake_object_view_200_response1: + description: >- + An example of a successful response from `GET + /api/apm/settings/agent-configuration/view`. + value: + '@timestamp': 1582031336265 + agent_name: nodejs + applied_by_agent: true + etag: 5080ed25785b7b19f32713681e79f46996801a5b + id: CIaqXXABmQCdPphWj8EJ + service: + environment: production + name: frontend + settings: + capture_body: 'off' + transaction_max_spans: '500' + transaction_sample_rate: '0.4' + APM_UI_agent_keys_object_post_200_response1: + description: >- + An example of a successful response from `POST /api/apm/agent_keys`, + which creates an APM agent API key. + value: + agentKey: + api_key: PjGloCGOTzaZr8ilUPvkjA + encoded: M0RDTG1uMEIzWk1oTFVhN1dCRzk6UGpHbG9DR09UemFacjhpbFVQdmtqQQ== + id: 3DCLmn0B3ZMhLUa7WBG9 + name: apm-key + APM_UI_agent_keys_object_post_request1: + description: >- + Run `POST /api/apm/agent_keys` to create an APM agent API key with the + specified privileges. + value: + name: apm-key + privileges: + - event:write + - config_agent:read + APM_UI_annotation_object_post_200_response1: + description: >- + An example of a successful response from `POST + /api/apm/services/opbeans-java/annotation`, which creates an annotation + for a service named `opbeans-java`. + value: + _id: Lc9I93EBh6DbmkeV7nFX + _index: observability-annotations + _primary_term: 1 + _seq_no: 12 + _source: + '@timestamp': '2020-05-08T10:31:30.452Z' + annotation: + type: deployment + event: + created: '2020-05-09T02:34:43.937Z' + message: Deployment 1.2 + service: + name: opbeans-java + version: '1.2' + tags: + - apm + - elastic.co + - customer + _version: 1 + found: true + APM_UI_annotation_object_post_request1: + description: >- + Run `POST /api/apm/services/{serviceName}/annotation` to create a + deployment annotation for a service. 
+ value: + '@timestamp': '2024-01-15T12:00:00.000Z' + message: Deployment 1.2.0 + service: + environment: production + version: 1.2.0 tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Cluster health - type: object - Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. 
- enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. 
- type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active + - apm + - deployment + APM_UI_fleet_apm_server_schema_200_response1: + description: >- + An example of a successful response from `POST + /api/apm/fleet/apm_server_schema`. The response body is intentionally + empty. + value: {} + APM_UI_source_maps_delete_200_response1: + description: >- + An example of a successful response from `DELETE + /api/apm/sourcemaps/{id}`. The response body is intentionally empty. + value: {} + APM_UI_source_maps_get_200_response1: + description: A successful response from `GET /api/apm/sourcemaps`. + value: artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. 
- type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the CPU usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_cpu_usage`. 
- properties: - duration: - type: string - filterQuery: - type: string - filterQueryText: - type: string - limit: - type: string - threshold: - type: number - required: - - duration - title: CPU Usage Rule Params - type: object - rule_type_id: - enum: - - monitoring_alert_cpu_usage - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval + - body: + bundleFilepath: /test/e2e/general-usecase/bundle.js + serviceName: foo + serviceVersion: 1.0.0 + sourceMap: + file: static/js/main.chunk.js + mappings: mapping + sourceRoot: '' + sources: + - fleet-source-map-client/src/index.css + - fleet-source-map-client/src/App.js + - webpack:///./src/index.css?bb0a + - fleet-source-map-client/src/index.js + - fleet-source-map-client/src/reportWebVitals.js + sourcesContent: + - content + version: 3 + compressionAlgorithm: zlib + created: '2021-07-09T20:47:44.812Z' + decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + decodedSize: 441 + encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 + encodedSize: 237 + encryptionAlgorithm: none + id: >- + apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + identifier: foo-1.0.0 + packageName: apm + relative_url: >- + /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + type: sourcemap + APM_UI_source_maps_upload_200_response1: + description: A successful response from `POST /api/apm/sourcemaps`. 
+ value: + body: >- + eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI + compressionAlgorithm: zlib + created: '2021-07-09T20:47:44.812Z' + decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + decodedSize: 441 + encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 + encodedSize: 237 + encryptionAlgorithm: none + id: >- + apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + identifier: foo-1.0.0 + packageName: apm + relative_url: >- + /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + type: sourcemap + Cases_add_comment_request: + summary: Adds a comment to a case. + value: + comment: A new comment. + owner: cases + type: user + Cases_add_comment_response: + summary: >- + The add comment to case API returns a JSON object that contains details + about the case and its comments. + value: + assignees: [] + category: null + closed_at: null + closed_by: null + comments: + - comment: A new comment. 
+ created_at: '2022-10-02T00:49:47.716Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + id: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + owner: cases + pushed_at: null + pushed_by: null + type: user + updated_at: null + updated_by: null + version: WzIwNDMxLDFd + connector: + fields: null + id: none + name: none + type: .none + created_at: '2022-03-24T00:37:03.906Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + customFields: + - key: d312efda-ec2b-42ec-9e2c-84981795c581 + type: text + value: Field value + - key: fcc6840d-eb14-42df-8aaf-232201a705ec + type: toggle + value: true + description: A case description. + duration: null + external_service: null + id: 293f1bc0-74f6-11ea-b83a-553aecdb28b6 + observables: [] + owner: cases + settings: + syncAlerts: false + severity: low + status: open + tags: + - tag 1 + title: Case title 1 + total_observables: 0 + totalAlerts: 0 + totalComment: 1 + totalEvents: 0 + updated_at: '2022-06-03T00:49:47.716Z' + updated_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + version: WzIzMzgsMV0= + Cases_create_case_request: + summary: Create a security case that uses a Jira connector. + value: + connector: + fields: + issueType: '10006' + parent: null + priority: High + id: 131d4448-abe0-4789-939d-8ef60680b498 + name: My connector + type: .jira + customFields: + - key: d312efda-ec2b-42ec-9e2c-84981795c581 + type: text + value: My field value + description: A case description. + owner: cases + settings: + extractObservables: false + syncAlerts: true + tags: + - tag-1 + title: Case title 1 + Cases_create_case_response: + summary: >- + The create case API returns a JSON object that contains details about + the case. 
+ value: + assignees: [] + closed_at: null + closed_by: null + comments: [] + connector: + fields: + issueType: '10006' + parent: null + priority: High + id: 131d4448-abe0-4789-939d-8ef60680b498 + name: My connector + type: .jira + created_at: '2022-10-13T15:33:50.604Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + customFields: + - key: d312efda-ec2b-42ec-9e2c-84981795c581 + type: text + value: My field value + - key: fcc6840d-eb14-42df-8aaf-232201a705ec + type: toggle + value: null + description: A case description. + duration: null + external_service: null + id: 66b9aa00-94fa-11ea-9f74-e7e108796192 + observables: [] + owner: cases + settings: + extractObservables: false + syncAlerts: true + severity: low + status: open + tags: + - tag 1 + title: Case title 1 + total_observables: 0 + totalAlerts: 0 + totalComment: 0 + totalEvents: 0 + updated_at: null + updated_by: null + version: WzUzMiwxXQ== + Cases_find_case_activity_response: + summary: Retrieves all activity for a case + value: + page: 1 + perPage: 20 + total: 3 + userActions: + - action: create + comment_id: null + created_at: '2023-10-20T01:17:22.150Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + id: b4cd0770-07c9-11ed-a5fd-47154cb8767e + owner: cases + payload: + assignees: [] + category: null + connector: + fields: null + id: none + name: none + type: .none + customFields: + - key: d312efda-ec2b-42ec-9e2c-84981795c581 + type: text + value: My field value + - key: fcc6840d-eb14-42df-8aaf-232201a705ec + type: toggle + value: null + description: A case description. 
+ owner: cases + settings: + syncAlerts: false + severity: low + status: open + tags: + - tag 1 + title: Case title 1 + type: create_case + version: WzM1ODg4LDFd + - action: create + comment_id: 578608d0-03b1-11ed-920c-974bfa104448 + created_at: '2023-10-14T20:12:53.354Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + id: 57af14a0-03b1-11ed-920c-974bfa104448 + owner: cases + payload: + comment: + comment: A new comment + owner: cases + type: user + type: comment + version: WzM1ODg4LDFa + - action: add + comment_id: null + created_at: '2023-10-20T01:10:28.238Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + id: 573c6980-6123-11ed-aa41-81a0a61fe447 + owner: cases + payload: + assignees: + - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + type: assignees + version: WzM1ODg4LDFb + Cases_find_case_comments_response: + summary: Paginated list of user comments for a case + value: + comments: + - comment: A new comment + created_at: '2023-10-07T19:32:13.104Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + id: 8048b460-fe2b-11ec-b15d-779a7c8bbcc3 + owner: cases + pushed_at: null + pushed_by: null + type: user + updated_at: null + updated_by: null + version: WzIzLDFd + page: 1 + per_page: 20 + total: 1 + Cases_find_case_response: + summary: >- + Retrieve the first five cases with the `tag-1` tag, in ascending order + by last update time. 
+ value: + cases: + - assignees: [] + category: null + closed_at: null + closed_by: null + comments: [] + connector: + fields: null + id: none + name: none + type: .none + created_at: '2023-10-12T00:16:36.371Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + customFields: + - key: d312efda-ec2b-42ec-9e2c-84981795c581 + type: text + value: My field value + - key: fcc6840d-eb14-42df-8aaf-232201a705ec + type: toggle + value: null + description: Case description + duration: null + external_service: null + id: abed3a70-71bd-11ea-a0b2-c51ea50a58e2 + incremental_id: 1 + observables: [] + owner: cases + settings: + extractObservables: false + syncAlerts: true + severity: low + status: open + tags: + - tag-1 + title: Case title + total_observables: 0 + totalAlerts: 0 + totalComment: 1 + totalEvents: 0 + updated_at: '2023-10-12T00:27:58.162Z' + updated_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + version: WzExMCwxXQ== + count_closed_cases: 0 + count_in_progress_cases: 0 + count_open_cases: 1 + page: 1 + per_page: 5 + total: 1 + Cases_find_connector_response: + summary: Retrieve information about the connectors and their settings. + value: + - actionTypeId: .jira + config: + apiUrl: https://elastic.atlassian.net/ + projectKey: ES + id: 61787f53-4eee-4741-8df6-8fe84fa616f7 + isDeprecated: false + isMissingSecrets: false + isPreconfigured: false + name: my-Jira + referencedByCount: 0 + Cases_get_case_alerts_response: + summary: Retrieves all alerts attached to a case + value: + - attached_at: '2022-07-25T20:09:40.963Z' + id: f6a7d0c3-d52d-432c-b2e6-447cd7fce04d + index: .alerts-observability.logs.alerts-default + Cases_get_case_configuration_response: + summary: Get the case configuration. 
+ value: + - closure_type: close-by-user + connector: + fields: null + id: none + name: none + type: .none + created_at: '2024-07-01T17:07:17.767Z' + created_by: + email: null + full_name: null + username: elastic + customFields: + - defaultValue: Custom text field value. + key: d312efda-ec2b-42ec-9e2c-84981795c581 + label: my-text-field + type: text + required: false + error: null + id: 856ee650-6c82-11ee-a20a-6164169afa58 + mappings: [] + observableTypes: [] + owner: cases + templates: + - caseFields: + assignees: + - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + category: Default-category + connector: + fields: null + id: none + name: none + type: .none + customFields: + - key: d312efda-ec2b-42ec-9e2c-84981795c581 + type: text + value: Default text field value. + description: A default description for cases. + settings: + syncAlerts: false + tags: + - Default case tag + title: Default case title + description: A description of the template. + key: 505932fe-ee3a-4960-a661-c781b5acdb05 + name: template-1 + tags: + - Template tag 1 + updated_at: null + updated_by: null + version: WzEyLDNd + Cases_get_case_observability_response: + summary: >- + Get case response (Observability). Comments are not included; use the + find case comments API. totalComment reflects the actual count. + value: + assignees: + - uid: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 + category: null + closed_at: null + closed_by: null + connector: + fields: null + id: none + name: none + type: .none + created_at: '2023-11-06T19:29:04.086Z' + created_by: + email: null + full_name: null + username: elastic + customFields: [] + description: An Observability case description. + duration: null + external_service: null + id: c3ff7550-def1-4e90-b6bc-c9969a4a09b1 + observables: [] + owner: observability + settings: + extractObservables: false + syncAlerts: false + severity: low + status: in-progress tags: - default: [] - description: The tags for the rule. 
- items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: CPU usage - type: object - Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. 
- enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. 
- type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. 
- maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the disk usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_disk_usage`. - properties: - duration: - type: string - filterQuery: - type: string - filterQueryText: - type: string - limit: - type: string - threshold: - type: number - required: - - duration - title: Disk Usage Rule Params - type: object - rule_type_id: - enum: - - monitoring_alert_disk_usage - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. 
- type: string - required: - - interval + - observability + - tag 1 + title: Observability case title 1 + total_observables: 0 + totalAlerts: 1 + totalComment: 1 + totalEvents: 0 + updated_at: '2023-11-06T19:47:55.662Z' + updated_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + version: WzI0NywyXQ== + Cases_get_case_response: + summary: >- + Get case response. Comments are not included; use the find case comments + API. totalComment reflects the actual count. + value: + assignees: + - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + category: null + closed_at: null + closed_by: null + connector: + fields: null + id: none + name: none + type: .none + created_at: '2023-10-13T15:33:50.604Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + customFields: + - key: d312efda-ec2b-42ec-9e2c-84981795c581 + type: text + value: My field value + - key: fcc6840d-eb14-42df-8aaf-232201a705ec + type: toggle + value: null + description: A case description + duration: null + external_service: null + id: 31cdada0-02c1-11ed-85f2-4f7c222ca2fa + incremental_id: 1 + observables: [] + owner: cases + settings: + extractObservables: false + syncAlerts: true + severity: low + status: open tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Disk usage - type: object - Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. 
- type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. 
- type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. 
- type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the ES version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_elasticsearch_version_mismatch`. - properties: - duration: - type: string - filterQuery: - type: string - filterQueryText: - type: string - limit: - type: string - threshold: - type: number - required: - - duration - title: ES Version Mismatch Rule Params - type: object - rule_type_id: - enum: - - monitoring_alert_elasticsearch_version_mismatch - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. 
- type: string - required: - - interval + - tag 1 + title: Case title 1 + total_observables: 0 + totalAlerts: 1 + totalComment: 1 + totalEvents: 0 + updated_at: '2023-10-13T15:40:32.335Z' + updated_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + version: WzM2LDFd + Cases_get_comment_response: + summary: A single user comment retrieved from a case + value: + comment: A new comment + created_at: '2023-10-07T19:32:13.104Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + id: 8048b460-fe2b-11ec-b15d-779a7c8bbcc3 + owner: cases + pushed_at: null + pushed_by: null + type: user + updated_at: null + updated_by: null + version: WzIzLDFd + Cases_get_reporters_response: + summary: A list of two users that opened cases + value: + - email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + - email: jdoe@example.com + full_name: Jane Doe + profile_uid: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 + username: jdoe + Cases_get_tags_response: + summary: A list of tags that are used in cases + value: + - observability + - security + - tag 1 + - tag 2 + Cases_push_case_response: + summary: >- + The push case API returns a JSON object with details about the case and + the external service. + value: + assignees: [] + category: null + closed_at: null + closed_by: null + comments: [] + connector: + fields: + issueType: '10006' + parent: null + priority: Low + id: 09f8c0b0-0eda-11ed-bd18-65557fe66949 + name: My connector + type: .jira + created_at: '2022-07-29T00:59:39.444Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + customFields: [] + description: A case description. 
+ duration: null + external_service: + connector_id: 09f8c0b0-0eda-11ed-bd18-65557fe66949 + connector_name: My connector + external_id: '71926' + external_title: ES-554 + external_url: https://cases.jira.com + pushed_at: '2022-07-29T01:20:58.436Z' + pushed_by: + email: null + full_name: null + username: elastic + id: b917f300-0ed9-11ed-bd18-65557fe66949 + observables: [] + owner: cases + settings: + extractObservables: false + syncAlerts: true + severity: low + status: open tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Elasticsearch version mismatch - type: object - Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). 
- type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. 
Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. 
- type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. 
- nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the memory usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_jvm_memory_usage`. 
- properties: - duration: - type: string - filterQuery: - type: string - filterQueryText: - type: string - limit: - type: string - threshold: - type: number - required: - - duration - title: Memory Usage Rule Params - type: object - rule_type_id: - enum: - - monitoring_alert_jvm_memory_usage - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval + - tag 1 + title: Case title 1 + total_observables: 0 + totalAlerts: 0 + totalComment: 0 + totalEvents: 0 + updated_at: '2022-07-29T01:20:58.436Z' + updated_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + version: WzE3NjgsM10= + Cases_response_401: + summary: Authorization information is missing or invalid. + value: + error: Unauthorized + message: Unable to authenticate with the provided credentials. + statusCode: 401 + Cases_set_case_configuration_request: + summary: >- + Set the closure type, custom fields, and default connector for Stack + Management cases. + value: + closure_type: close-by-user + connector: + fields: null + id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 + name: my-jira-connector + type: .jira + customFields: + - defaultValue: My custom field default value. + key: d312efda-ec2b-42ec-9e2c-84981795c581 + label: my-text-field + type: text + required: false + owner: cases + templates: + - caseFields: + assignees: + - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + category: Default-category + customFields: + - key: d312efda-ec2b-42ec-9e2c-84981795c581 + type: text + value: A text field value for the template. + description: A default description for cases. + tags: + - Default case tag + title: Default case title + description: A description of the template. 
+ key: 505932fe-ee3a-4960-a661-c781b5acdb05 + name: template-1 + tags: + - Template tag 1 + Cases_set_case_configuration_response: + summary: This is an example response for case settings. + value: + closure_type: close-by-user + connector: + fields: null + id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 + name: my-jira-connector + type: .jira + created_at: '2024-07-01T17:07:17.767Z' + created_by: + email: null, + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + customFields: + - defaultValue: My custom field default value. + key: d312efda-ec2b-42ec-9e2c-84981795c581 + label: my-text-field + type: text + required: false + error: null + id: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 + mappings: + - action_type: overwrite + source: title + target: summary + - action_type: overwrite + source: description + target: description + - action_type: append + source: comments + target: comments + - action_type: overwrite + source: tags + target: labels + owner: cases + templates: + - caseFields: + assignees: + - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + category: Default-category + customFields: + - key: d312efda-ec2b-42ec-9e2c-84981795c581 + type: text + value: A text field value for the template. + description: A default description for cases. + tags: + - Default case tag + title: Default case title + description: A description of the template. + key: 505932fe-ee3a-4960-a661-c781b5acdb05 + name: template-1 + tags: + - Template tag 1 + updated_at: null + updated_by: null + version: WzIwNzMsMV0= + Cases_update_case_configuration_request: + summary: Update the case settings. + value: + closure_type: close-by-user + connector: + fields: null + id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 + name: my-jira-connector + type: .jira + customFields: + - defaultValue: A new default value. 
+ key: d312efda-ec2b-42ec-9e2c-84981795c581 + label: my-text-field + type: text + required: true + - key: fcc6840d-eb14-42df-8aaf-232201a705ec + label: my-toggle + type: toggle + required: false + version: WzExOSw0XQ== + Cases_update_case_configuration_response: + summary: This is an example response when the case configuration was updated. + value: + closure_type: close-by-user + connector: + fields: null + id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 + name: my-jira-connector + type: .jira + created_at: '2024-07-01T17:07:17.767Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + customFields: + - defaultValue: A new default value. + key: d312efda-ec2b-42ec-9e2c-84981795c581 + label: my-text-field + type: text + required: true + - key: fcc6840d-eb14-42df-8aaf-232201a705ec + label: my-toggle + type: toggle + required: false + error: null + id: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 + mappings: + - action_type: overwrite + source: title + target: summary + - action_type: overwrite + source: description + target: description + - action_type: overwrite + source: tags + target: labels + - action_type: append + source: comments + target: comments + owner: cases + templates: [] + updated_at: '2024-07-19T00:52:42.401Z' + updated_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + version: WzI2LDNd + Cases_update_case_request: + summary: Update the case description, tags, and connector. + value: + cases: + - connector: + fields: + issueType: '10006' + parent: null + priority: null + id: 131d4448-abe0-4789-939d-8ef60680b498 + name: My connector + type: .jira + customFields: + - key: fcc6840d-eb14-42df-8aaf-232201a705ec + type: toggle + value: false + - key: d312efda-ec2b-42ec-9e2c-84981795c581 + type: text + value: My new field value + description: A case description. 
+ id: a18b38a0-71b0-11ea-a0b2-c51ea50a58e2 + settings: + extractObservables: false + syncAlerts: true + tags: + - tag-1 + version: WzIzLDFd + Cases_update_case_response: + summary: >- + This is an example response when the case description, tags, and + connector were updated. + value: + - assignees: [] + category: null + closed_at: null + closed_by: null + comments: [] + connector: + fields: + issueType: '10006' + parent: null + priority: null + id: 131d4448-abe0-4789-939d-8ef60680b498 + name: My connector + type: .jira + created_at: '2023-10-13T09:16:17.416Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + customFields: + - key: d312efda-ec2b-42ec-9e2c-84981795c581 + type: text + value: My new field value + - key: fcc6840d-eb14-42df-8aaf-232201a705ec + type: toggle + value: false + description: A case description. + duration: null + external_service: + connector_id: 05da469f-1fde-4058-99a3-91e4807e2de8 + connector_name: Jira + external_id: '10003' + external_title: IS-4 + external_url: https://hms.atlassian.net/browse/IS-4 + pushed_at: '2023-10-13T09:20:40.672Z' + pushed_by: + email: null + full_name: null + username: elastic + id: 66b9aa00-94fa-11ea-9f74-e7e108796192 + observables: [] + owner: cases + settings: + extractObservables: false + syncAlerts: true + severity: low + status: open + tags: + - tag-1 + title: Case title 1 + total_observables: 0 + totalAlerts: 0 + totalComment: 0 + totalEvents: 0 + updated_at: '2023-10-13T09:48:33.043Z' + updated_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + version: WzU0OCwxXQ== + Cases_update_comment_request: + summary: Updates a comment of a case. + value: + comment: An updated comment. 
+ id: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + owner: cases + type: user + version: Wzk1LDFd + Cases_update_comment_response: + summary: >- + The add comment to case API returns a JSON object that contains details + about the case and its comments. + value: + assignees: [] + category: null + closed_at: null + closed_by: null + comments: + - comment: An updated comment. + created_at: '2023-10-24T00:37:10.832Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + id: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + owner: cases + pushed_at: null + pushed_by: null + type: user + updated_at: '2023-10-24T01:27:06.210Z' + updated_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + version: WzIwNjM3LDFd + connector: + fields: null + id: none + name: none + type: .none + created_at: '2023-10-24T00:37:03.906Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + customFields: + - key: d312efda-ec2b-42ec-9e2c-84981795c581 + type: text + value: My new field value + - key: fcc6840d-eb14-42df-8aaf-232201a705ec + type: toggle + value: false + description: A case description. + duration: null + external_service: null + id: 293f1bc0-74f6-11ea-b83a-553aecdb28b6 + owner: cases + settings: + syncAlerts: false + severity: low + status: open tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: JVM memory usage - type: object - Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. 
- type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. 
- type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string + - tag 1 + title: Case title 1 + totalAlerts: 0 + totalComment: 1 + totalEvents: 0 + updated_at: '2023-10-24T01:27:06.210Z' + updated_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + version: WzIwNjM2LDFd + Data_views_create_data_view_request: + summary: Create a data view with runtime fields. + value: + data_view: + name: My Logstash data view + runtimeFieldMap: + runtime_shape_name: + script: + source: emit(doc['shape_name'].value) + type: keyword + title: logstash-* + Data_views_create_runtime_field_request: + summary: Create a runtime field. + value: + name: runtimeFoo + runtimeField: + script: + source: emit(doc["foo"].value) + type: long + Data_views_get_data_view_response: + summary: >- + The get data view API returns a JSON object that contains information + about the data view. 
+ value: + data_view: + allowNoIndex: false + fieldAttrs: + products.manufacturer: + count: 1 + products.price: + count: 1 + products.product_name: + count: 1 + total_quantity: + count: 1 + fieldFormats: + products.base_price: + id: number params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. 
- type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the Kibana version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_kibana_version_mismatch`. 
- properties: - duration: - type: string - filterQuery: - type: string - filterQueryText: - type: string - limit: - type: string - threshold: - type: number - required: - - duration - title: Kibana Version Mismatch Rule Params - type: object - rule_type_id: - enum: - - monitoring_alert_kibana_version_mismatch - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Kibana version mismatch - type: object - Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
- type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). 
- type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string + pattern: $0,0.00 + products.base_unit_price: + id: number params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
- type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the license expiration rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_alert_license_expiration`. - properties: - duration: - type: string - filterQuery: - type: string - filterQueryText: - type: string - limit: - type: string - threshold: - type: number - required: - - duration - title: License Expiration Rule Params - type: object - rule_type_id: - enum: - - monitoring_alert_license_expiration - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: License expiration - type: object - Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
- type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). 
- type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string + pattern: $0,0.00 + products.min_price: + id: number params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
- type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 + pattern: $0,0.00 + products.price: + id: number + params: + pattern: $0,0.00 + products.taxful_price: + id: number + params: + pattern: $0,0.00 + products.taxless_price: + id: number + params: + pattern: $0,0.00 + taxful_total_price: + id: number + params: + pattern: $0,0.[00] + taxless_total_price: + id: number + params: + pattern: $0,0.00 + fields: + _id: + aggregatable: false + count: 0 + esTypes: + - _id + format: + id: string + isMapped: true + name: _id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _index: + aggregatable: true + count: 0 + esTypes: + - _index + format: + id: string + isMapped: true + name: _index + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _score: + aggregatable: false + count: 0 + format: + id: number + isMapped: true + name: _score + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. 
While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the logstash version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_logstash_version_mismatch`. 
- properties: - duration: + _source: + aggregatable: false + count: 0 + esTypes: + - _source + format: + id: _source + isMapped: true + name: _source + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: _source + category: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: category + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false type: string - filterQuery: + category.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: category.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: category type: string - filterQueryText: + currency: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: currency + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: string - limit: + customer_birth_date: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: customer_birth_date + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + customer_first_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_first_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false type: string - threshold: - type: number - required: - - duration - title: Logstash Version Mismatch Rule Params - type: object - rule_type_id: - enum: - - monitoring_alert_logstash_version_mismatch - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. 
+ customer_first_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_first_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_first_name type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Logstash version mismatch - type: object - Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. 
- items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. 
- type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. 
- type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. 
- type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the missing monitoring data rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_missing_monitoring_data`. 
- properties: - duration: + customer_full_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_full_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false type: string - filterQuery: + customer_full_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_full_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_full_name type: string - filterQueryText: + customer_gender: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_gender + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: string - limit: + customer_id: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: string - threshold: - type: number - required: - - duration - title: Missing Monitoring Data Rule Params - type: object - rule_type_id: - enum: - - monitoring_alert_missing_monitoring_data - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. + customer_last_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_last_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. 
- items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Missing monitoring data - type: object - Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. 
- enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. 
- type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. 
- maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 + customer_last_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_last_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_last_name + type: string + customer_phone: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_phone + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + day_of_week: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: day_of_week + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + day_of_week_i: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: day_of_week_i + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the nodes changed rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_nodes_changed`. - properties: - duration: + email: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: email + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: string - filterQuery: + event.dataset: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: event.dataset + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: string - filterQueryText: + geoip.city_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.city_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: string - limit: + geoip.continent_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.continent_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: string - threshold: - type: number - required: - - duration - title: Nodes Changed Rule Params - type: object - rule_type_id: - enum: - - monitoring_alert_nodes_changed - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. 
+ geoip.country_iso_code: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.country_iso_code + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Nodes changed - type: object - Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. 
- items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. 
- type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. 
- type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. 
- type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the thread pool search rejections rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_thread_pool_search_rejections`. 
- properties: - duration: + geoip.location: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: geoip.location + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + geoip.region_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.region_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: string - filterQuery: + manufacturer: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: manufacturer + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false type: string - filterQueryText: + manufacturer.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: manufacturer.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: manufacturer type: string - threshold: - type: number - required: - - duration - title: Thread Pool Search Rejections Rule Params - type: object - rule_type_id: - enum: - - monitoring_alert_thread_pool_search_rejections - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. 
+ order_date: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: order_date + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + order_id: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: order_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Thread pool search rejections - type: object - Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). 
- type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. 
Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. 
- type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. 
- nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 + products._id: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: products._id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products._id.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products._id.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products._id + type: string + products.base_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.base_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 + products.base_unit_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.base_unit_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the thread pool write rejections rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_thread_pool_write_rejections`. - properties: - duration: - type: string - filterQuery: + products.category: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: products.category + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false type: string - filterQueryText: + products.category.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.category.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.category type: string - threshold: + products.created_on: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: products.created_on + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + products.discount_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.discount_amount + readFromDocValues: 
true + scripted: false + searchable: true + shortDotsEnable: false type: number - required: - - duration - title: Thread Pool Write Rejections Rule Params - type: object - rule_type_id: - enum: - - monitoring_alert_thread_pool_write_rejections - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. + products.discount_percentage: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.discount_percentage + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.manufacturer: + aggregatable: false + count: 1 + esTypes: + - text + format: + id: string + isMapped: true + name: products.manufacturer + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Thread pool write rejections - type: object - Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. 
- type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. 
- items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. 
NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. 
+ products.manufacturer.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.manufacturer.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.manufacturer + type: string + products.min_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.min_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. 
- maximum: 20 - minimum: 2 + products.price: + aggregatable: true + count: 1 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 + products.product_id: + aggregatable: true + count: 0 + esTypes: + - long + format: + id: number + isMapped: true + name: products.product_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the CCR read exceptions rule. These parameters are appropriate when `rule_type_id` is `monitoring_ccr_read_exceptions`. 
- properties: - duration: - type: string - filterQuery: - type: string - filterQueryText: + products.product_name: + aggregatable: false + count: 1 + esTypes: + - text + format: + id: string + isMapped: true + name: products.product_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false type: string - limit: + products.product_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.product_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.product_name type: string - threshold: + products.quantity: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: products.quantity + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: number - required: - - duration - title: CCR Read Exceptions Rule Params - type: object - rule_type_id: - enum: - - monitoring_ccr_read_exceptions - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. + products.sku: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.sku + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: CCR read exceptions - type: object - Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). 
- type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. 
+ products.tax_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.tax_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. 
- maximum: 20 - minimum: 2 + products.taxful_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.taxful_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.taxless_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.taxless_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 + products.unit_discount_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.unit_discount_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the large shard size rule. These parameters are appropriate when `rule_type_id` is `monitoring_shard_size`. - properties: - duration: - type: string - filterQuery: - type: string - filterQueryText: - type: string - indexPattern: - type: string - limit: + sku: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: sku + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: string - threshold: + taxful_total_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.[00] + isMapped: true + name: taxful_total_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: number - required: - - duration - - indexPattern - title: Large Shard Size Rule Params - type: object - rule_type_id: - enum: - - monitoring_shard_size - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Large shard size - type: object - Kibana_HTTP_APIs_new_output_elasticsearch: - additionalProperties: false - properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true - type: string - hosts: - items: - format: uri - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: - type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - preset: - enum: - - balanced - - custom - - throughput - - scale - - latency - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - type: - enum: - - elasticsearch - type: string - write_to_logs_streams: - nullable: true - type: boolean - required: - - name - - type - - hosts - title: new_output_elasticsearch - type: object - Kibana_HTTP_APIs_new_output_kafka: - additionalProperties: false - properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - auth_type: - enum: - - none - - user_pass - - ssl - - kerberos - type: string - broker_timeout: - type: number - ca_sha256: - nullable: true - 
type: string - ca_trusted_fingerprint: - nullable: true - type: string - client_id: - type: string - compression: - enum: - - gzip - - snappy - - lz4 - - none - type: string - compression_level: - type: number - config_yaml: - nullable: true - type: string - connection_type: - enum: - - plaintext - - encryption - type: string - hash: - additionalProperties: false - type: object - properties: - hash: - type: string - random: - type: boolean - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - hosts: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - key: - type: string - name: - type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - partition: - enum: - - random - - round_robin - - hash - type: string - password: - nullable: true - type: string - proxy_id: - nullable: true - type: string - random: - additionalProperties: false - type: object - properties: - group_events: + taxless_total_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: taxless_total_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: number - required_acks: - enum: - - 1 - - 0 - - -1 - type: integer - round_robin: - additionalProperties: false - type: object - properties: - group_events: + total_quantity: + aggregatable: true + count: 1 + esTypes: + - integer + format: + id: number + isMapped: true + name: total_quantity + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: number - sasl: - 
additionalProperties: false - nullable: true - type: object - properties: - mechanism: - enum: - - PLAIN - - SCRAM-SHA-256 - - SCRAM-SHA-512 - type: string - secrets: - additionalProperties: false - type: object - properties: - password: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - required: - - key - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - timeout: - type: number - topic: - type: string - type: - enum: - - kafka - type: string - username: - nullable: true - type: string - version: - type: string - required: - - name - - type - - hosts - - auth_type - title: new_output_kafka - type: object - Kibana_HTTP_APIs_new_output_logstash: - additionalProperties: false - properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true - type: string - hosts: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: - type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - 
additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - type: - enum: - - logstash - type: string - required: - - name - - type - - hosts - title: new_output_logstash - type: object - Kibana_HTTP_APIs_new_output_remote_elasticsearch: - additionalProperties: false - properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true - type: string - hosts: - items: - format: uri - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - kibana_api_key: - nullable: true - type: string - kibana_url: - nullable: true - type: string - name: - type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - preset: - enum: - - balanced - - custom - - throughput - - scale - - latency - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - service_token: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - service_token: - nullable: true - type: string - shipper: - allOf: - - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - sync_integrations: - type: boolean - sync_uninstalled_integrations: - type: boolean - type: - enum: - - remote_elasticsearch - type: string - write_to_logs_streams: - nullable: true - type: boolean - required: - - name - - type - - hosts - title: new_output_remote_elasticsearch - type: object - Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting: - additionalProperties: false - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. 
- nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. 
- type: string + total_unique_products: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: total_unique_products + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + type: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: type + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + user: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: user + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + name: Kibana Sample Data eCommerce + namespaces: + - default + runtimeFieldMap: {} + sourceFilters: [] + timeFieldName: order_date + title: kibana_sample_data_ecommerce + typeMeta: {} + version: WzUsMV0= + Data_views_get_data_views_response: + summary: The get all data views API returns a list of data views. + value: + data_view: + - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + name: Kibana Sample Data eCommerce + namespaces: + - default + title: kibana_sample_data_ecommerce + typeMeta: {} + - id: d3d7af60-4c81-11e8-b3d7-01146121b73d + name: Kibana Sample Data Flights + namespaces: + - default + title: kibana_sample_data_flights + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: Kibana Sample Data Logs + namespaces: + - default + title: kibana_sample_data_logs + Data_views_get_default_data_view_response: + summary: The get default data view API returns the default data view identifier. + value: + data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + Data_views_get_runtime_field_response: + summary: >- + The get runtime field API returns a JSON object that contains + information about the runtime field (`hour_of_day`) and the data view + (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). 
+ value: + data_view: + allowNoIndex: false + fieldAttrs: {} + fieldFormats: + AvgTicketPrice: + id: number params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. + pattern: $0,0.[00] + hour_of_day: + id: number + params: + pattern: '00' + fields: + _id: + aggregatable: false + count: 0 + esTypes: + - _id + format: + id: string + isMapped: true + name: _id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _index: + aggregatable: true + count: 0 + esTypes: + - _index + format: + id: string + isMapped: true + name: _index + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _score: + aggregatable: false + count: 0 + format: + id: number + isMapped: true + name: _score + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - 
consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + _source: + aggregatable: false + count: 0 + esTypes: + - _source + format: + id: _source + isMapped: true + name: _source + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: _source + AvgTicketPrice: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + params: + pattern: $0,0.[00] + isMapped: true + name: AvgTicketPrice + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + Cancelled: + aggregatable: true + count: 0 + esTypes: + - boolean + format: + id: boolean + isMapped: true + name: Cancelled + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. 
- maximum: 20 - minimum: 2 + Carrier: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Carrier + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + dayOfWeek: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: dayOfWeek + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + Dest: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Dest + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestAirportID: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestAirportID + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestCityName: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestCityName + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestCountry: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestCountry + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestLocation: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: DestLocation + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + DestRegion: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestRegion + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestWeather: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string 
+ isMapped: true + name: DestWeather + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DistanceKilometers: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: DistanceKilometers + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 + DistanceMiles: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: DistanceMiles + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: true - description: The parameters for the custom threshold rule. These parameters are appropriate when `rule_type_id` is `observability.rules.custom_threshold`. 
- properties: - alertOnGroupDisappear: - type: boolean - alertOnNoData: + FlightDelay: + aggregatable: true + count: 0 + esTypes: + - boolean + format: + id: boolean + isMapped: true + name: FlightDelay + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: boolean - criteria: - items: - additionalProperties: false - type: object - properties: - aggType: - enum: - - custom - type: string - comparator: - type: string - equation: - type: string - label: - type: string - metrics: - items: - anyOf: - - additionalProperties: false - type: object - properties: - aggType: - type: string - field: - type: string - filter: - type: string - name: - type: string - required: - - name - - aggType - - field - - additionalProperties: false - type: object - properties: - aggType: - enum: - - count - type: string - filter: - type: string - name: - type: string - required: - - name - - aggType - type: array - threshold: - items: - type: number - type: array - timeSize: - type: number - timeUnit: - type: string - required: - - threshold - - comparator - - timeUnit - - timeSize - - metrics - type: array - groupBy: - anyOf: - - type: string - - items: - type: string - type: array - noDataBehavior: - enum: - - recover - - remainActive - - alertOnNoData + FlightDelayMin: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: FlightDelayMin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + FlightDelayType: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightDelayType + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + FlightNum: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightNum + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + 
FlightTimeHour: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightTimeHour + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + FlightTimeMin: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: FlightTimeMin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + hour_of_day: + aggregatable: true + count: 0 + esTypes: + - long + format: + id: number + params: + pattern: '00' + name: hour_of_day + readFromDocValues: false + runtimeField: + script: + source: emit(doc['timestamp'].value.getHour()); + type: long + scripted: false + searchable: true + shortDotsEnable: false + type: number + Origin: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Origin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: string - searchConfiguration: - additionalProperties: false - type: object - properties: - filter: - items: - additionalProperties: false - type: object - properties: - meta: - additionalProperties: - nullable: true - type: object - query: - additionalProperties: - nullable: true - type: object - required: - - meta - type: array - index: - anyOf: - - type: string - - additionalProperties: false - type: object - properties: - allowHidden: - type: boolean - allowNoIndex: - type: boolean - fieldAttrs: - additionalProperties: - additionalProperties: false - type: object - properties: - count: - type: number - customDescription: - maxLength: 300 - type: string - customLabel: - type: string - type: object - fieldFormats: - additionalProperties: - additionalProperties: false - type: object - properties: - id: - type: string - params: - nullable: true - required: - - params - type: object - fields: - additionalProperties: - additionalProperties: false - type: object - 
properties: - aggregatable: - type: boolean - count: - minimum: 0 - type: number - customDescription: - maxLength: 300 - type: string - customLabel: - type: string - esTypes: - items: - type: string - type: array - format: - additionalProperties: false - type: object - properties: - id: - type: string - params: - nullable: true - required: - - params - name: - maxLength: 1000 - type: string - readFromDocValues: - type: boolean - runtimeField: - anyOf: - - additionalProperties: false - type: object - properties: - customDescription: - maxLength: 300 - type: string - customLabel: - type: string - format: - additionalProperties: false - type: object - properties: - id: - type: string - params: - nullable: true - required: - - params - popularity: - minimum: 0 - type: number - script: - additionalProperties: false - type: object - properties: - source: - type: string - required: - - source - type: - enum: - - keyword - - long - - double - - date - - ip - - boolean - - geo_point - type: string - required: - - type - - additionalProperties: false - type: object - properties: - fields: - additionalProperties: - additionalProperties: false - type: object - properties: - customDescription: - maxLength: 300 - type: string - customLabel: - type: string - format: - additionalProperties: false - type: object - properties: - id: - type: string - params: - nullable: true - required: - - params - popularity: - minimum: 0 - type: number - type: - enum: - - keyword - - long - - double - - date - - ip - - boolean - - geo_point - type: string - required: - - type - type: object - script: - additionalProperties: false - type: object - properties: - source: - type: string - required: - - source - type: - enum: - - composite - type: string - required: - - type - script: - maxLength: 1000000 - type: string - scripted: - type: boolean - searchable: - type: boolean - shortDotsEnable: - type: boolean - subType: - additionalProperties: false - type: object - properties: - multi: - 
additionalProperties: false - type: object - properties: - parent: - type: string - required: - - parent - nested: - additionalProperties: false - type: object - properties: - path: - type: string - required: - - path - type: - default: string - maxLength: 1000 - type: string - required: - - name - type: object - id: - type: string - managed: - type: boolean - name: - type: string - namespaces: - items: - type: string - type: array - runtimeFieldMap: - additionalProperties: - anyOf: - - additionalProperties: false - type: object - properties: - customDescription: - maxLength: 300 - type: string - customLabel: - type: string - format: - additionalProperties: false - type: object - properties: - id: - type: string - params: - nullable: true - required: - - params - popularity: - minimum: 0 - type: number - script: - additionalProperties: false - type: object - properties: - source: - type: string - required: - - source - type: - enum: - - keyword - - long - - double - - date - - ip - - boolean - - geo_point - type: string - required: - - type - - additionalProperties: false - type: object - properties: - fields: - additionalProperties: - additionalProperties: false - type: object - properties: - customDescription: - maxLength: 300 - type: string - customLabel: - type: string - format: - additionalProperties: false - type: object - properties: - id: - type: string - params: - nullable: true - required: - - params - popularity: - minimum: 0 - type: number - type: - enum: - - keyword - - long - - double - - date - - ip - - boolean - - geo_point - type: string - required: - - type - type: object - script: - additionalProperties: false - type: object - properties: - source: - type: string - required: - - source - type: - enum: - - composite - type: string - required: - - type - type: object - sourceFilters: - items: - additionalProperties: false - type: object - properties: - clientId: - anyOf: - - type: string - - type: number - value: - type: string - required: - - 
value - type: array - timeFieldName: - type: string - title: - type: string - type: - type: string - typeMeta: - additionalProperties: true - type: object - properties: {} - version: - type: string - required: - - title - query: - additionalProperties: false - type: object - properties: - language: - type: string - query: - type: string - required: - - language - - query - required: - - index - - query - required: - - criteria - - searchConfiguration - title: Custom Threshold Rule Params - type: object - rule_type_id: - enum: - - observability.rules.custom_threshold - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. + OriginAirportID: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginAirportID + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Custom threshold - type: object - Kibana_HTTP_APIs_output_elasticsearch: - additionalProperties: true - properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true - type: string - hosts: - items: - format: uri - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: - type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - preset: - enum: - - balanced - - custom - - throughput - - scale - - latency - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: true - type: object - properties: - ssl: - additionalProperties: true - type: object - properties: - key: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - type: - enum: - - elasticsearch - type: string - write_to_logs_streams: - nullable: true - type: boolean - required: - - name - - type - - hosts - title: output_elasticsearch - type: object - Kibana_HTTP_APIs_output_kafka: - additionalProperties: true - properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - auth_type: - enum: - - none - - user_pass - - ssl - - kerberos - type: string - broker_timeout: - type: number - ca_sha256: - nullable: true - type: string - 
ca_trusted_fingerprint: - nullable: true - type: string - client_id: - type: string - compression: - enum: - - gzip - - snappy - - lz4 - - none - type: string - compression_level: - type: number - config_yaml: - nullable: true - type: string - connection_type: - enum: - - plaintext - - encryption - type: string - hash: - additionalProperties: true - type: object - properties: - hash: + OriginCityName: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginCityName + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: string - random: - type: boolean - headers: - items: - additionalProperties: true - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value + OriginCountry: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginCountry + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginLocation: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: OriginLocation + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + OriginRegion: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginRegion + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginWeather: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginWeather + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + timestamp: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: timestamp + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + 
type: date + id: d3d7af60-4c81-11e8-b3d7-01146121b73d + name: Kibana Sample Data Flights + runtimeFieldMap: + hour_of_day: + script: + source: emit(doc['timestamp'].value.getHour()); + type: long + sourceFilters: [] + timeFieldName: timestamp + title: kibana_sample_data_flights + version: WzM2LDJd + fields: + - aggregatable: true + count: 0 + esTypes: + - long + name: hour_of_day + readFromDocValues: false + runtimeField: + script: + source: emit(doc['timestamp'].value.getHour()); + type: long + scripted: false + searchable: true + shortDotsEnable: false + type: number + Data_views_preview_swap_data_view_request: + summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". + value: + fromId: abcd-efg + toId: xyz-123 + Data_views_set_default_data_view_request: + summary: Set the default data view identifier. + value: + data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + force: true + Data_views_swap_data_view_request: + summary: >- + Swap references from data view ID "abcd-efg" to "xyz-123" and remove the + data view that is no longer referenced. + value: + delete: true + fromId: abcd-efg + toId: xyz-123 + Data_views_update_data_view_request: + summary: Update some properties for a data view. + value: + data_view: + allowNoIndex: false + name: Kibana Sample Data eCommerce + timeFieldName: order_date + title: kibana_sample_data_ecommerce + refresh_fields: true + Data_views_update_field_metadata_request: + summary: Update metadata for multiple fields. + value: + fields: + field1: + count: 123 + customLabel: Field 1 label + field2: + customDescription: Field 2 description + customLabel: Field 2 label + Data_views_update_runtime_field_request: + summary: Update an existing runtime field on a data view. + value: + runtimeField: + script: + source: emit(doc["bar"].value) + Machine_learning_APIs_mlSync401Example: + summary: Two anomaly detection jobs required synchronization in this example. 
+ value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]]: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]" + statusCode: 401 + Machine_learning_APIs_mlSyncExample: + summary: Two anomaly detection jobs required synchronization in this example. + value: + datafeedsAdded: {} + datafeedsRemoved: {} + savedObjectsCreated: + anomaly-detector: + myjob1: + success: true + myjob2: + success: true + savedObjectsDeleted: {} + Observability_AI_Assistant_API_ChatCompleteRequestExample: + summary: Example of completing a chat interaction + value: | + { + "connectorId": "", + "disableFunctions": false, + "messages": [ + { + "@timestamp": "2025-06-25T23:45:00.000Z", + "message": { + "role": "user", + "content": "Is my Elasticsearch cluster healthy right now?" + } + } + ], + "persist": false, + "actions": [ + { + "name": "get_cluster_health", + "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", + "parameters": { + "type": "object", + "properties": { + "includeShardStats": { + "type": "boolean", + "default": false + } + } + } + } + ], + "instructions": ["When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English."] + } + Observability_AI_Assistant_API_ChatCompleteResponseExample: + summary: Get a chat completion from the Observability AI Assistant + value: > + data: + {"model":"unknown","choices":[{"delta":{"content":"","function_call":{"name":"get_cluster_health","arguments":"{\"includeShardStats\":true}"}},"finish_reason":null,"index":0}],"created":1750936626911,"id":"9c8eff9b-4fd4-4203-a4ab-2e364688deff","object":"chat.completion.chunk"} + + + data: [DONE] + Saved_objects_key_rotation_response: + summary: Encryption key rotation using default parameters. 
+ value: + failed: 0 + successful: 300 + total: 1000 + Saved_objects_resolve_missing_reference_request: + value: + file: file.ndjson + retries: + - id: my-pattern + overwrite: true + type: index-pattern + - destinationId: another-vis + id: my-vis + overwrite: true + type: visualization + - destinationId: yet-another-canvas + id: my-canvas + overwrite: true + type: canvas + - id: my-dashboard + type: dashboard + Saved_objects_resolve_missing_reference_response: + summary: Resolve missing reference errors. + value: + success: true + successCount: 3 + successResults: + - id: my-vis + meta: + icon: visualizeApp + title: Look at my visualization + type: visualization + - id: my-search + meta: + icon: searchApp + title: Look at my search + type: search + - id: my-dashboard + meta: + icon: dashboardApp + title: Look at my dashboard + type: dashboard + Security_Detections_API_SetAlertAssigneesBodyAdd: + value: + assignees: + add: + - u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0 + remove: [] + ids: + - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6 + Security_Detections_API_SetAlertAssigneesBodyRemove: + value: + assignees: + add: [] + remove: + - u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0 + ids: + - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6 + Security_Detections_API_SetAlertTagsBodyAdd: + value: + ids: + - 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e + tags: + tags_to_add: + - Duplicate + tags_to_remove: [] + Security_Detections_API_SetAlertTagsBodyRemove: + value: + ids: + - 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e + tags: + tags_to_add: [] + tags_to_remove: + - Duplicate + Task_manager_health_APIs_health_200response: + description: A successful response from `GET api/task_manager/_health`. 
+ value: |- + { + "id": "330bbc6a-56cd-44d5-88e3-e3229f14d619", + "timestamp": "2025-03-21T21:30:04.780Z", + "status": "OK", + "last_update": "2025-03-21T21:30:04.455Z", + "stats": { + "configuration": { + "timestamp": "2025-03-21T21:26:10.002Z", + "value": { + "request_capacity": 1000, + "monitored_aggregated_stats_refresh_rate": 60000, + "monitored_stats_running_average_window": 50, + "monitored_task_execution_thresholds": { + "custom": {}, + "default": { + "error_threshold": 90, + "warn_threshold": 80 + } + }, + "claim_strategy": "mget", + "poll_interval": 500, + "capacity": { + "config": 10, + "as_workers": 10, + "as_cost": 20 + } + }, + "status": "OK" + }, + "runtime": { + "timestamp": "2025-03-21T21:30:04.455Z", + "value": { + "polling": { + "last_successful_poll": "2025-03-21T21:30:04.455Z", + "last_polling_delay": "2025-03-21T21:26:10.001Z", + "claim_duration": { + "p50": 17, + "p90": 22, + "p95": 25, + "p99": 27 + }, + "duration": { + "p50": 19, + "p90": 25.5, + "p95": 28, + "p99": 28 + }, + "claim_conflicts": { + "p50": 0, + "p90": 0, + "p95": 0, + "p99": 0 + }, + "claim_mismatches": { + "p50": 0, + "p90": 0, + "p95": 0, + "p99": 0 + }, + "claim_stale_tasks": { + "p50": 0, + "p90": 0, + "p95": 0, + "p99": 0 + }, + "result_frequency_percent_as_number": { + "Failed": 0, + "NoAvailableWorkers": 0, + "NoTasksClaimed": 100, + "RanOutOfCapacity": 0, + "RunningAtCapacity": 0, + "PoolFilled": 0 + }, + "persistence": { + "recurring": 88, + "non_recurring": 12 + } + }, + "drift": { + "p50": 2089, + "p90": 3037, + "p95": 3037, + "p99": 3037 + }, + "drift_by_type": { + "SLO:ORPHAN_SUMMARIES-CLEANUP-TASK": { + "p50": 2082, + "p90": 2082, + "p95": 2082, + "p99": 2082 + }, + "fleet:check-deleted-files-task": { + "p50": 2080, + "p90": 2080, + "p95": 2080, + "p99": 2080 + }, + "osquery:telemetry-saved-queries": { + "p50": 2080, + "p90": 2080, + "p95": 2080, + "p99": 2080 + }, + "task_manager:mark_removed_tasks_as_unrecognized": { + "p50": 2089, + "p90": 2089, + "p95": 
2089, + "p99": 2089 + }, + "task_manager:delete_inactive_background_task_nodes": { + "p50": 336.5, + "p90": 2089, + "p95": 2089, + "p99": 2089 + }, + "alerts_invalidate_api_keys": { + "p50": 2086, + "p90": 2086, + "p95": 2086, + "p99": 2086 + }, + "fleet:unenroll-inactive-agents-task": { + "p50": 2080, + "p90": 2080, + "p95": 2080, + "p99": 2080 + }, + "alerting_health_check": { + "p50": 2086, + "p90": 2086, + "p95": 2086, + "p99": 2086 + }, + "Fleet-Usage-Sender": { + "p50": 2079, + "p90": 2079, + "p95": 2079, + "p99": 2079 + }, + "security:endpoint-diagnostics": { + "p50": 2525, + "p90": 2525, + "p95": 2525, + "p99": 2525 + }, + "security:telemetry-lists": { + "p50": 2525, + "p90": 2525, + "p95": 2525, + "p99": 2525 + }, + "security:telemetry-timelines": { + "p50": 2526, + "p90": 2526, + "p95": 2526, + "p99": 2526 + }, + "cases-telemetry-task": { + "p50": 2083, + "p90": 2083, + "p95": 2083, + "p99": 2083 + }, + "osquery:telemetry-packs": { + "p50": 2530, + "p90": 2530, + "p95": 2530, + "p99": 2530 + }, + "Fleet-Metrics-Task": { + "p50": 133.5, + "p90": 2530, + "p95": 2530, + "p99": 2530 + }, + "fleet:delete-unenrolled-agents-task": { + "p50": 2530, + "p90": 2530, + "p95": 2530, + "p99": 2530 + }, + "osquery:telemetry-configs": { + "p50": 2529, + "p90": 2529, + "p95": 2529, + "p99": 2529 + }, + "endpoint:complete-external-response-actions": { + "p50": 519, + "p90": 2526, + "p95": 2526, + "p99": 2526 + }, + "security:telemetry-detection-rules": { + "p50": 3037, + "p90": 3037, + "p95": 3037, + "p99": 3037 + }, + "security:telemetry-prebuilt-rule-alerts": { + "p50": 3037, + "p90": 3037, + "p95": 3037, + "p99": 3037 + }, + "security:endpoint-meta-telemetry": { + "p50": 3037, + "p90": 3037, + "p95": 3037, + "p99": 3037 + }, + "security:telemetry-filterlist-artifact": { + "p50": 3037, + "p90": 3037, + "p95": 3037, + "p99": 3037 + }, + "security:telemetry-diagnostic-timelines": { + "p50": 3037, + "p90": 3037, + "p95": 3037, + "p99": 3037 + }, + 
"security:telemetry-configuration": { + "p50": 3037, + "p90": 3037, + "p95": 3037, + "p99": 3037 + }, + "security:indices-metadata-telemetry": { + "p50": 3037, + "p90": 3037, + "p95": 3037, + "p99": 3037 + }, + "Fleet-Usage-Logger": { + "p50": 2190, + "p90": 2190, + "p95": 2190, + "p99": 2190 + }, + "obs-ai-assistant:knowledge-base-migration": { + "p50": 2189, + "p90": 2189, + "p95": 2189, + "p99": 2189 + }, + "dashboard_telemetry": { + "p50": 2452, + "p90": 2452, + "p95": 2452, + "p99": 2452 + }, + "session_cleanup": { + "p50": 2569, + "p90": 2569, + "p95": 2569, + "p99": 2569 + }, + "ProductDocBase:EnsureUpToDate": { + "p50": 2452, + "p90": 2452, + "p95": 2452, + "p99": 2452 + }, + "apm-telemetry-task": { + "p50": 2591, + "p90": 2591, + "p95": 2591, + "p99": 2591 + }, + "ML:saved-objects-sync": { + "p50": 2475, + "p90": 2475, + "p95": 2475, + "p99": 2475 + }, + "apm-source-map-migration-task": { + "p50": 1603.5, + "p90": 2987, + "p95": 2987, + "p99": 2987 + }, + "actions_telemetry": { + "p50": 771, + "p90": 771, + "p95": 771, + "p99": 771 + }, + "alerting_telemetry": { + "p50": 768, + "p90": 768, + "p95": 768, + "p99": 768 + }, + "endpoint:metadata-check-transforms-task": { + "p50": 834, + "p90": 834, + "p95": 834, + "p99": 834 + }, + "endpoint:user-artifact-packager": { + "p50": 529.5, + "p90": 835, + "p95": 835, + "p99": 835 + }, + "fleet:bump_agent_policies": { + "p50": 361, + "p90": 361, + "p95": 361, + "p99": 361 + } + }, + "load": { + "p50": 10, + "p90": 100, + "p95": 100, + "p99": 100 + }, + "execution": { + "duration": { + "SLO:ORPHAN_SUMMARIES-CLEANUP-TASK": { + "p50": 24, + "p90": 24, + "p95": 24, + "p99": 24 + }, + "fleet:check-deleted-files-task": { + "p50": 24, + "p90": 24, + "p95": 24, + "p99": 24 + }, + "osquery:telemetry-saved-queries": { + "p50": 25, + "p90": 25, + "p95": 25, + "p99": 25 + }, + "task_manager:mark_removed_tasks_as_unrecognized": { + "p50": 28, + "p90": 28, + "p95": 28, + "p99": 28 + }, + 
"task_manager:delete_inactive_background_task_nodes": { + "p50": 7.5, + "p90": 29, + "p95": 29, + "p99": 29 + }, + "alerts_invalidate_api_keys": { + "p50": 34, + "p90": 34, + "p95": 34, + "p99": 34 + }, + "fleet:unenroll-inactive-agents-task": { + "p50": 39, + "p90": 39, + "p95": 39, + "p99": 39 + }, + "alerting_health_check": { + "p50": 42, + "p90": 42, + "p95": 42, + "p99": 42 + }, + "Fleet-Usage-Sender": { + "p50": 78, + "p90": 78, + "p95": 78, + "p99": 78 + }, + "security:endpoint-diagnostics": { + "p50": 6, + "p90": 6, + "p95": 6, + "p99": 6 + }, + "security:telemetry-lists": { + "p50": 6, + "p90": 6, + "p95": 6, + "p99": 6 + }, + "security:telemetry-timelines": { + "p50": 6, + "p90": 6, + "p95": 6, + "p99": 6 + }, + "cases-telemetry-task": { + "p50": 458, + "p90": 458, + "p95": 458, + "p99": 458 + }, + "osquery:telemetry-packs": { + "p50": 10, + "p90": 10, + "p95": 10, + "p99": 10 + }, + "Fleet-Metrics-Task": { + "p50": 5, + "p90": 10, + "p95": 10, + "p99": 10 + }, + "fleet:delete-unenrolled-agents-task": { + "p50": 11, + "p90": 11, + "p95": 11, + "p99": 11 + }, + "osquery:telemetry-configs": { + "p50": 12, + "p90": 12, + "p95": 12, + "p99": 12 + }, + "endpoint:complete-external-response-actions": { + "p50": 7, + "p90": 11, + "p95": 11, + "p99": 11 + }, + "security:telemetry-detection-rules": { + "p50": 6, + "p90": 6, + "p95": 6, + "p99": 6 + }, + "security:telemetry-prebuilt-rule-alerts": { + "p50": 6, + "p90": 6, + "p95": 6, + "p99": 6 + }, + "security:endpoint-meta-telemetry": { + "p50": 6, + "p90": 6, + "p95": 6, + "p99": 6 + }, + "security:telemetry-filterlist-artifact": { + "p50": 5, + "p90": 5, + "p95": 5, + "p99": 5 + }, + "security:telemetry-diagnostic-timelines": { + "p50": 5, + "p90": 5, + "p95": 5, + "p99": 5 + }, + "security:telemetry-configuration": { + "p50": 5, + "p90": 5, + "p95": 5, + "p99": 5 + }, + "security:indices-metadata-telemetry": { + "p50": 5, + "p90": 5, + "p95": 5, + "p99": 5 + }, + "Fleet-Usage-Logger": { + "p50": 18, + "p90": 
18, + "p95": 18, + "p99": 18 + }, + "obs-ai-assistant:knowledge-base-migration": { + "p50": 8, + "p90": 8, + "p95": 8, + "p99": 8 + }, + "dashboard_telemetry": { + "p50": 12, + "p90": 12, + "p95": 12, + "p99": 12 + }, + "session_cleanup": { + "p50": 58, + "p90": 58, + "p95": 58, + "p99": 58 + }, + "ProductDocBase:EnsureUpToDate": { + "p50": 147, + "p90": 147, + "p95": 147, + "p99": 147 + }, + "apm-telemetry-task": { + "p50": 543, + "p90": 543, + "p95": 543, + "p99": 543 + }, + "ML:saved-objects-sync": { + "p50": 544, + "p90": 544, + "p95": 544, + "p99": 544 + }, + "apm-source-map-migration-task": { + "p50": 1649, + "p90": 3282, + "p95": 3282, + "p99": 3282 + }, + "actions_telemetry": { + "p50": 19, + "p90": 19, + "p95": 19, + "p99": 19 + }, + "alerting_telemetry": { + "p50": 64, + "p90": 64, + "p95": 64, + "p99": 64 + }, + "endpoint:metadata-check-transforms-task": { + "p50": 6, + "p90": 6, + "p95": 6, + "p99": 6 + }, + "endpoint:user-artifact-packager": { + "p50": 10, + "p90": 13, + "p95": 13, + "p99": 13 + }, + "fleet:bump_agent_policies": { + "p50": 9, + "p90": 9, + "p95": 9, + "p99": 9 + } + }, + "duration_by_persistence": { + "recurring": { + "p50": 9, + "p90": 63.39999999999999, + "p95": 474.99999999999966, + "p99": 544 + }, + "non_recurring": { + "p50": 14, + "p90": 2968.500000000001, + "p95": 3282, + "p99": 3282 + } + }, + "persistence": { + "recurring": 88, + "non_recurring": 12 + }, + "result_frequency_percent_as_number": { + "SLO:ORPHAN_SUMMARIES-CLEANUP-TASK": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "fleet:check-deleted-files-task": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "osquery:telemetry-saved-queries": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "task_manager:mark_removed_tasks_as_unrecognized": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "task_manager:delete_inactive_background_task_nodes": 
{ + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "alerts_invalidate_api_keys": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "fleet:unenroll-inactive-agents-task": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "alerting_health_check": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "Fleet-Usage-Sender": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "security:endpoint-diagnostics": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "security:telemetry-lists": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "security:telemetry-timelines": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "cases-telemetry-task": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "osquery:telemetry-packs": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "Fleet-Metrics-Task": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "fleet:delete-unenrolled-agents-task": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "osquery:telemetry-configs": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "endpoint:complete-external-response-actions": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "security:telemetry-detection-rules": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "security:telemetry-prebuilt-rule-alerts": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "security:endpoint-meta-telemetry": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "security:telemetry-filterlist-artifact": { + "Success": 100, + "RetryScheduled": 0, + 
"Failed": 0, + "status": "OK" + }, + "security:telemetry-diagnostic-timelines": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "security:telemetry-configuration": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "security:indices-metadata-telemetry": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "Fleet-Usage-Logger": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "obs-ai-assistant:knowledge-base-migration": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "dashboard_telemetry": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "session_cleanup": { + "Success": 0, + "RetryScheduled": 100, + "Failed": 0, + "status": "OK" + }, + "ProductDocBase:EnsureUpToDate": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "apm-telemetry-task": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "ML:saved-objects-sync": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "apm-source-map-migration-task": { + "Success": 50, + "RetryScheduled": 50, + "Failed": 0, + "status": "OK" + }, + "actions_telemetry": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "alerting_telemetry": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "endpoint:metadata-check-transforms-task": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "endpoint:user-artifact-packager": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + }, + "fleet:bump_agent_policies": { + "Success": 100, + "RetryScheduled": 0, + "Failed": 0, + "status": "OK" + } + } + } + }, + "status": "OK" + }, + "workload": { + "timestamp": "2025-03-21T21:29:10.367Z", + "value": { + "count": 35, + "cost": 70, + "task_types": { + 
"Fleet-Metrics-Task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "Fleet-Usage-Logger": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "Fleet-Usage-Sender": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "ML:saved-objects-sync": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "SLO:ORPHAN_SUMMARIES-CLEANUP-TASK": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "actions_telemetry": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "alerting_health_check": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "alerting_telemetry": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "alerts_invalidate_api_keys": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "apm-telemetry-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "cases-telemetry-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "dashboard_telemetry": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "endpoint:complete-external-response-actions": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "endpoint:metadata-check-transforms-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "endpoint:user-artifact-packager": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:check-deleted-files-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:delete-unenrolled-agents-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:unenroll-inactive-agents-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "osquery:telemetry-configs": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "osquery:telemetry-packs": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "osquery:telemetry-saved-queries": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + 
} + }, + "security:endpoint-diagnostics": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "security:endpoint-meta-telemetry": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "security:indices-metadata-telemetry": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "security:telemetry-configuration": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "security:telemetry-detection-rules": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "security:telemetry-diagnostic-timelines": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "security:telemetry-filterlist-artifact": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "security:telemetry-lists": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "security:telemetry-prebuilt-rule-alerts": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "security:telemetry-timelines": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "session_cleanup": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "task_manager:delete_inactive_background_task_nodes": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "task_manager:mark_removed_tasks_as_unrecognized": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + } + }, + "non_recurring": 1, + "non_recurring_cost": 2, + "schedule": [ + [ + "1m", + 2 + ], + [ + "60s", + 2 + ], + [ + "5m", + 2 + ], + [ + "10m", + 1 + ], + [ + "15m", + 1 + ], + [ + "45m", + 1 + ], + [ + "1h", + 9 + ], + [ + "3600s", + 1 + ], + [ + "60m", + 1 + ], + [ + "2h", + 1 + ], + [ + "720m", + 2 + ], + [ + "24h", + 7 + ], + [ + "1d", + 3 + ], + [ + "1440m", + 1 + ] + ], + "overdue": 0, + "overdue_cost": 0, + "overdue_non_recurring": 0, + "estimated_schedule_density": [ + 0, + 0, + 0, + 1, + 1, + 1, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 1, + 
0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0 + ], + "capacity_requirements": { + "per_minute": 4, + "per_hour": 46, + "per_day": 27 + } + }, + "status": "OK" + }, + "capacity_estimation": { + "status": "OK", + "reason": "Task Manager is healthy, the assumedRequiredThroughputPerMinutePerKibana (148.78541666666666) < capacityPerMinutePerKibana (1200)", + "timestamp": "2025-03-21T21:30:04.780Z", + "value": { + "observed": { + "observed_kibana_instances": 1, + "max_throughput_per_minute_per_kibana": 1200, + "max_throughput_per_minute": 1200, + "minutes_to_drain_overdue": 0, + "avg_recurring_required_throughput_per_minute": 5, + "avg_recurring_required_throughput_per_minute_per_kibana": 5, + "avg_required_throughput_per_minute": 149, + "avg_required_throughput_per_minute_per_kibana": 149 + }, + "proposed": { + "provisioned_kibana": 2, + "min_required_kibana": 1, + "avg_recurring_required_throughput_per_minute_per_kibana": 3, + "avg_required_throughput_per_minute_per_kibana": 75 + } + } + } + } + } + parameters: + APM_UI_elastic_api_version: + description: The version of the API to use + in: header + name: elastic-api-version + required: true + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + APM_UI_kbn_xsrf: + description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + Cases_alert_id: + description: An identifier for the alert. + in: path + name: alertId + required: true + schema: + example: 09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540 + type: string + Cases_assignees_filter: + description: > + Filters the returned cases by assignees. Valid values are `none` or + unique identifiers for the user profiles. These identifiers can be found + by using the suggest user profile API. 
+ in: query + name: assignees + schema: + oneOf: + - $ref: '#/components/schemas/Cases_string' + - $ref: '#/components/schemas/Cases_string_array' + Cases_case_id: + description: >- + The identifier for the case. To retrieve case IDs, use the search cases + (`_find)` API. All non-ASCII characters must be URL encoded. + in: path + name: caseId + required: true + schema: + example: 9c235210-6834-11ea-a78c-6ffb38a34414 + type: string + Cases_category: + description: Filters the returned cases by category. + in: query + name: category + schema: + oneOf: + - $ref: '#/components/schemas/Cases_case_category' + - $ref: '#/components/schemas/Cases_case_categories' + Cases_comment_id: + description: > + The identifier for the comment. To retrieve comment IDs, use the get + case or search cases (`_find`) APIs. + in: path + name: commentId + required: true + schema: + example: 71ec1870-725b-11ea-a0b2-c51ea50a58e2 + type: string + Cases_configuration_id: + description: An identifier for the configuration. + in: path + name: configurationId + required: true + schema: + example: 3297a0f0-b5ec-11ec-b141-0fdb20a7f9a9 + type: string + Cases_connector_id: + description: >- + An identifier for the connector. To retrieve connector IDs, use the find + connectors API. + in: path + name: connectorId + required: true + schema: + example: abed3a70-71bd-11ea-a0b2-c51ea50a58e2 + type: string + Cases_defaultSearchOperator: + description: he default operator to use for the simple_query_string. + example: OR + in: query + name: defaultSearchOperator + schema: + default: OR + type: string + Cases_from: + description: > + Returns only cases that were created after a specific date. The date + must be specified as a KQL data range or date match expression. + in: query + name: from + schema: + example: now-1d + type: string + Cases_ids: + description: > + The cases that you want to removed. To get the case identifiers, use the + search cases (`_find`) API. 
In the Dev Console, you can specify the + array of cases in the following format: + `ids=["e58e77e3-ef8e-4251-926f-efb115f3c4ec"]`. In `curl`, all non-ASCII + characters must be URL encoded. For example: + `ids=%5B%22e58e77e3-ef8e-4251-926f-efb115f3c4ec%22%5D` + in: query + name: ids + required: true + schema: + items: + example: d4e7abb0-b462-11ec-9a8d-698504725a43 maxItems: 100 - type: array - hosts: - items: - type: string - maxItems: 10 minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - key: - type: string - name: type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true + type: array + Cases_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Cases_owner_filter: + description: > + A filter to limit the response to a specific set of applications. If + this parameter is omitted, the response contains information about all + the cases that the user has access to read. + example: cases + in: query + name: owner + schema: + oneOf: + - $ref: '#/components/schemas/Cases_owner' + - $ref: '#/components/schemas/Cases_owners' + Cases_page_index: + description: The page number to return. + example: 1 + in: query + name: page + required: false + schema: + default: 1 + type: integer + Cases_page_size: + description: The number of items to return. Limited to 100 items. + example: 20 + in: query + name: perPage + required: false + schema: + default: 20 + maximum: 100 + type: integer + Cases_reporters: + description: Filters the returned cases by the user name of the reporter. 
+ example: elastic + in: query + name: reporters + schema: + oneOf: + - $ref: '#/components/schemas/Cases_string' + - $ref: '#/components/schemas/Cases_string_array' + Cases_search: + description: >- + An Elasticsearch simple_query_string query that filters the objects in + the response. + example: Case title 1 + in: query + name: search + schema: + type: string + Cases_searchFields: + description: The fields to perform the simple_query_string parsed query against. + in: query + name: searchFields + schema: + oneOf: + - $ref: '#/components/schemas/Cases_searchFieldsType' + - $ref: '#/components/schemas/Cases_searchFieldsTypeArray' + Cases_severity: + description: The severity of the case. + example: low + in: query + name: severity + schema: + enum: + - critical + - high + - low + - medium + type: string + Cases_sort_order: + description: Determines the sort order. + example: desc + in: query + name: sortOrder + required: false + schema: + default: desc + enum: + - asc + - desc + type: string + Cases_sortField: + description: Determines which field is used to sort the results. + example: updatedAt + in: query + name: sortField + schema: + default: createdAt + enum: + - createdAt + - updatedAt + - closedAt + - title + - category + - status + - severity + type: string + Cases_status: + description: Filters the returned cases by state. + example: open + in: query + name: status + schema: + enum: + - closed + - in-progress + - open + type: string + Cases_tags: + description: Filters the returned cases by tags. + example: tag-1 + in: query + name: tags + schema: + oneOf: + - $ref: '#/components/schemas/Cases_string' + - $ref: '#/components/schemas/Cases_string_array' + Cases_to: + description: > + Returns only cases that were created before a specific date. The date + must be specified as a KQL data range or date match expression. 
+ example: now+1d + in: query + name: to + schema: + type: string + Cases_user_action_types: + description: Determines the types of user actions to return. + in: query + name: types + schema: + items: + enum: + - action + - alert + - assignees + - attachment + - comment + - connector + - create_case + - description + - pushed + - settings + - severity + - status + - tags + - title + - user + example: create_case type: string - partition: + type: array + Data_views_field_name: + description: The name of the runtime field. + in: path + name: fieldName + required: true + schema: + example: hour_of_day + type: string + Data_views_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Data_views_view_id: + description: An identifier for the data view. + in: path + name: viewId + required: true + schema: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + type: string + Machine_learning_APIs_simulateParam: + description: >- + When true, simulates the synchronization by returning only the list of + actions that would be performed. + example: 'true' + in: query + name: simulate + required: false + schema: + type: boolean + Saved_objects_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Saved_objects_saved_object_id: + description: An identifier for the saved object. + in: path + name: id + required: true + schema: + type: string + Saved_objects_saved_object_type: + description: >- + Valid options include `visualization`, `dashboard`, `search`, + `index-pattern`, `config`. + in: path + name: type + required: true + schema: + type: string + Short_URL_APIs_idParam: + description: The identifier for the short URL. 
+ in: path + name: id + required: true + schema: + type: string + SLOs_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + SLOs_slo_id: + description: An identifier for the slo. + in: path + name: sloId + required: true + schema: + example: 9c235211-6834-11ea-a78c-6feb38a34414 + type: string + SLOs_space_id: + description: >- + An identifier for the space. If `/s/` and the identifier are omitted + from the path, the default space is used. + in: path + name: spaceId + required: true + schema: + example: default + type: string + schemas: + Alerting_401_response: + properties: + error: enum: - - random - - round_robin - - hash - type: string - password: - nullable: true + - Unauthorized + example: Unauthorized type: string - proxy_id: - nullable: true + message: type: string - random: - additionalProperties: true - type: object - properties: - group_events: - type: number - required_acks: + statusCode: enum: - - 1 - - 0 - - -1 + - 401 + example: 401 type: integer - round_robin: - additionalProperties: true - type: object - properties: - group_events: - type: number - sasl: - additionalProperties: true - nullable: true - type: object - properties: - mechanism: - enum: - - PLAIN - - SCRAM-SHA-256 - - SCRAM-SHA-512 - type: string - secrets: - additionalProperties: true - type: object - properties: - password: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: true - type: object - properties: - key: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - required: - - key - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - 
timeout: - type: number - topic: - type: string - type: - enum: - - kafka - type: string - username: - nullable: true - type: string - version: - type: string - required: - - name - - type - - hosts - - auth_type - title: output_kafka + title: Unsuccessful rule API response + type: object + Alerting_fieldmap_properties: + title: Field map objects in the get rule types response type: object - Kibana_HTTP_APIs_output_logstash: - additionalProperties: true properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true - type: string - hosts: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: + array: + description: Indicates whether the field is an array. type: boolean - is_preconfigured: + dynamic: + description: Indicates whether it is a dynamic field mapping. type: boolean - name: + format: + description: > + Indicates the format of the field. For example, if the `type` is + `date_range`, the `format` can be + `epoch_millis||strict_date_optional_time`. type: string - otel_disable_beatsauth: - nullable: true + ignore_above: + description: >- + Specifies the maximum length of a string field. Longer strings are + not indexed or stored. + type: integer + index: + description: Indicates whether field values are indexed. type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - proxy_id: - nullable: true + path: + description: TBD type: string - secrets: - additionalProperties: true + properties: + additionalProperties: + type: object + properties: + type: + description: The data type for each object property. + type: string + description: > + Details about the object properties. This property is applicable + when `type` is `object`. 
type: object - properties: - ssl: - additionalProperties: true - type: object - properties: - key: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true + required: + description: Indicates whether the field is required. + type: boolean + scaling_factor: + description: > + The scaling factor to use when encoding values. This property is + applicable when `type` is `scaled_float`. Values will be multiplied + by this factor at index time and rounded to the closest long value. + type: integer type: - enum: - - logstash + description: Specifies the data type for the field. + example: scaled_float type: string - required: - - name - - type - - hosts - title: output_logstash + APM_UI_400_response: type: object - Kibana_HTTP_APIs_output_remote_elasticsearch: - additionalProperties: true properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true - type: string - hosts: - items: - format: uri - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - kibana_api_key: - nullable: true + error: + description: Error type + example: Not Found type: string - kibana_url: - nullable: true + message: + description: Error message + example: Not Found type: string - name: + statusCode: + description: Error status code + example: 400 + type: number + APM_UI_401_response: + type: object + properties: + error: + description: Error type + example: 
Unauthorized type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true + message: + description: Error message type: string - preset: - enum: - - balanced - - custom - - throughput - - scale - - latency + statusCode: + description: Error status code + example: 401 + type: number + APM_UI_403_response: + type: object + properties: + error: + description: Error type + example: Forbidden type: string - proxy_id: - nullable: true + message: + description: Error message type: string - secrets: - additionalProperties: true - type: object - properties: - service_token: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: true - type: object - properties: - key: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - service_token: - nullable: true + statusCode: + description: Error status code + example: 403 + type: number + APM_UI_404_response: + type: object + properties: + error: + description: Error type + example: Not Found type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - sync_integrations: - type: boolean - sync_uninstalled_integrations: - type: boolean - type: - enum: - - remote_elasticsearch + message: + description: Error message + example: Not Found type: string - write_to_logs_streams: - nullable: true - type: boolean - required: - - name - - type - - hosts - title: output_remote_elasticsearch + statusCode: + description: Error status code + example: 404 + type: number + APM_UI_500_response: type: object - Kibana_HTTP_APIs_output_shipper: - additionalProperties: true properties: - compression_level: - nullable: true - type: 
number - disk_queue_compression_enabled: - nullable: true - type: boolean - disk_queue_enabled: - default: false - nullable: true - type: boolean - disk_queue_encryption_enabled: - nullable: true - type: boolean - disk_queue_max_size: - nullable: true - type: number - disk_queue_path: - nullable: true + error: + description: Error type + example: Internal Server Error type: string - loadbalance: - nullable: true - type: boolean - max_batch_bytes: - nullable: true - type: number - mem_queue_events: - nullable: true - type: number - queue_flush_timeout: - nullable: true + message: + description: Error message + type: string + statusCode: + description: Error status code + example: 500 type: number - required: - - disk_queue_path - - disk_queue_max_size - - disk_queue_encryption_enabled - - disk_queue_compression_enabled - - compression_level - - loadbalance - - mem_queue_events - - queue_flush_timeout - - max_batch_bytes - title: output_shipper + APM_UI_501_response: type: object - Kibana_HTTP_APIs_output_ssl: - additionalProperties: true properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: + error: + description: Error type + example: Not Implemented type: string - verification_mode: - enum: - - full - - none - - certificate - - strict + message: + description: Error message + example: Not Implemented type: string - title: output_ssl - type: object - Kibana_HTTP_APIs_QueryStreamUpsertRequest: - additionalProperties: false + statusCode: + description: Error status code + example: 501 + type: number + APM_UI_agent_configuration_intake_object: type: object properties: - dashboards: - items: - type: string - type: array - queries: - items: - type: object - properties: - description: - type: string - esql: - type: object - properties: - query: - type: string - required: - - query - evidence: - items: - type: string - type: array - id: - description: A non-empty string. 
- minLength: 1 - type: string - severity_score: - type: number - title: - description: A non-empty string. - minLength: 1 - type: string - type: - default: match - enum: - - match - - stats - type: string - required: - - id - - title - - description - - esql - type: array - rules: - items: - type: string - type: array - stream: - additionalProperties: false - type: object - properties: - description: - type: string - field_descriptions: - additionalProperties: - type: string - type: object - query: - additionalProperties: false - type: object - properties: - esql: - type: string - view: - type: string - required: - - view - - esql - query_streams: - items: - type: object - properties: - name: - type: string - required: - - name - type: array - type: - enum: - - query - type: string - required: - - description - - type - - query + agent_name: + description: >- + The agent name is used by the UI to determine which settings to + display. + type: string + service: + $ref: '#/components/schemas/APM_UI_service_object' + settings: + $ref: '#/components/schemas/APM_UI_settings_object' required: - - dashboards - - rules - - queries - - stream - Kibana_HTTP_APIs_RecursiveRecord: - additionalProperties: - anyOf: - - anyOf: - - type: string - - type: number - - type: boolean - - nullable: true - - {} - - items: - anyOf: - - type: string - - type: number - - type: boolean - - nullable: true - - {} - type: array - - items: {} - type: array - - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' + - service + - settings + APM_UI_agent_configuration_object: + description: Agent configuration type: object - Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting: - additionalProperties: false properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. 
If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. 
- type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ '@timestamp': + description: Timestamp + example: 1730194190636 + type: number + agent_name: + description: Agent name type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. + applied_by_agent: + description: Applied by agent + example: true type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true + etag: + description: > + `etag` is sent by the APM agent to indicate the `etag` of the last + successfully applied configuration. If the `etag` matches an + existing configuration its `applied_by_agent` property will be set + to `true`. Every time a configuration is edited `applied_by_agent` + is reset to `false`. + example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 type: string - params: - additionalProperties: false - description: The parameters for the slo burn rate rule. These parameters are appropriate when `rule_type_id` is `slo.rules.burnRate`. - properties: - dependencies: - items: - additionalProperties: false - type: object - properties: - actionGroupsToSuppressOn: - items: - type: string - type: array - ruleId: - type: string - required: - - ruleId - - actionGroupsToSuppressOn - type: array - sloId: - type: string - windows: - items: - additionalProperties: false - type: object - properties: - actionGroup: - type: string - burnRateThreshold: - type: number - id: - type: string - longWindow: - additionalProperties: false - type: object - properties: - unit: - type: string - value: - type: number - required: - - value - - unit - maxBurnRateThreshold: - nullable: true - type: number - shortWindow: - additionalProperties: false - type: object - properties: - unit: - type: string - value: - type: number - required: - - value - - unit - required: - - id - - burnRateThreshold - - maxBurnRateThreshold - - longWindow - - shortWindow - - actionGroup - type: array - required: - - sloId - - windows - title: SLO Burn Rate Rule Params - type: object - rule_type_id: - enum: - - slo.rules.burnRate + service: + $ref: '#/components/schemas/APM_UI_service_object' + settings: + $ref: '#/components/schemas/APM_UI_settings_object' + required: + - service + - settings + - '@timestamp' + - etag + APM_UI_agent_configurations_response: + type: object + properties: + configurations: + 
description: Agent configuration + items: + $ref: '#/components/schemas/APM_UI_agent_configuration_object' + type: array + APM_UI_agent_keys_object: + type: object + properties: + name: + description: The name of the APM agent key. type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. + privileges: + description: > + The APM agent key privileges. It can take one or more of the + following values: + + * `event:write`, which is required for ingesting APM agent events. * + `config_agent:read`, which is required for APM agents to read agent + configuration remotely. items: + enum: + - event:write + - config_agent:read type: string type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string required: - name - - consumer - - schedule - - rule_type_id - - params - title: SLO burn rate + - privileges + APM_UI_agent_keys_response: type: object - Kibana_HTTP_APIs_StreamlangConditionBlock: - additionalProperties: false + properties: + agentKey: + description: Agent key + type: object + properties: + api_key: + type: string + encoded: + type: string + expiration: + format: int64 + type: integer + id: + type: string + name: + type: string + required: + - id + - name + - api_key + - encoded + APM_UI_annotation_search_response: + type: object + properties: + annotations: + description: Annotations + items: + type: object + properties: + '@timestamp': + type: number + id: + type: string + text: + type: string + type: + enum: + - version + type: string + type: array + APM_UI_base_source_map_object: type: object properties: - condition: - $ref: '#/components/schemas/Kibana_HTTP_APIs_ConditionWithSteps' - customIdentifier: + compressionAlgorithm: + description: Compression Algorithm type: string - required: - - condition - Kibana_HTTP_APIs_StreamlangStep: - anyOf: - - anyOf: - - additionalProperties: false - description: Grok processor - Extract fields from text using grok patterns - type: object - properties: - action: - enum: - - grok - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - description: Source field to parse with grok patterns - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - description: Skip processing when source field is missing - type: boolean - pattern_definitions: - additionalProperties: - type: string - type: object - patterns: - description: Grok patterns applied in order to extract fields - items: - description: A non-empty 
string. - minLength: 1 - type: string - minItems: 1 - type: array - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - patterns - - additionalProperties: false - description: Dissect processor - Extract fields from text using a lightweight, delimiter-based parser - type: object - properties: - action: - enum: - - dissect - type: string - append_separator: - description: Separator inserted when target fields are concatenated - minLength: 1 - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - description: Source field to parse with dissect pattern - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - description: Skip processing when source field is missing - type: boolean - pattern: - description: Dissect pattern describing field boundaries - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - pattern - - additionalProperties: false - description: Date processor - Parse dates from strings using one or more expected formats - type: object - properties: - action: - enum: - - date - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - formats: - description: Accepted input date formats, tried in order - items: - description: A non-empty string. 
- minLength: 1 - type: string - type: array - from: - description: Source field containing the date/time text - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - locale: - description: Optional locale for date parsing - minLength: 1 - type: string - output_format: - description: Optional output format for storing the parsed date as text - minLength: 1 - type: string - timezone: - description: Optional timezone for date parsing - minLength: 1 - type: string - to: - description: Target field for the parsed date (defaults to source) - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - formats - - additionalProperties: false - type: object - properties: - action: - enum: - - drop_document - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - additionalProperties: false - type: object - properties: - action: - enum: - - math - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - expression: - description: A non-empty string. 
- minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - type: boolean - to: - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - expression - - to - - additionalProperties: false - description: Rename processor - Change a field name and optionally its location - type: object - properties: - action: - enum: - - rename - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - description: Existing source field to rename or move - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - description: Skip when source field is missing - type: boolean - override: - description: Allow overwriting the target field if it already exists - type: boolean - to: - description: New field name or destination path - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - to - - additionalProperties: false - description: Set processor - Assign a literal or copied value to a field (mutually exclusive inputs) - type: object - properties: - action: - enum: - - set - type: string - copy_from: - description: Copy value from another field instead of providing a literal - minLength: 1 - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - 
ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - override: - description: Allow overwriting an existing target field - type: boolean - to: - description: Target field to set or create - minLength: 1 - type: string - value: - description: Literal value to assign to the target field - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - to - - additionalProperties: false - description: Append processor - Append one or more values to an existing or new array field - type: object - properties: - action: - enum: - - append - type: string - allow_duplicates: - description: If true, do not deduplicate appended values - type: boolean - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - to: - description: Array field to append values to - minLength: 1 - type: string - value: - description: Values to append (must be literal, no templates) - items: {} - minItems: 1 - type: array - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - to - - value - - additionalProperties: false - description: Remove by prefix processor - Remove a field and all nested fields matching the prefix - type: object - properties: - action: - enum: - - remove_by_prefix - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - description: Field to remove along with all its 
nested fields - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - required: - - action - - from - - additionalProperties: false - description: Remove processor - Delete one or more fields from the document - type: object - properties: - action: - enum: - - remove - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - description: Field to remove from the document - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - description: Skip processing when source field is missing - type: boolean - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - additionalProperties: false - type: object - properties: - action: - enum: - - replace - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - type: boolean - pattern: - minLength: 1 - type: string - replacement: - type: string - to: - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - pattern - - replacement - - additionalProperties: false - description: Redact processor - Mask sensitive data using Grok patterns - type: object - properties: - action: - enum: 
- - redact - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - description: Source field to redact sensitive data from - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - description: Skip processing when source field is missing (defaults to true) - type: boolean - pattern_definitions: - additionalProperties: - type: string - description: Custom pattern definitions to use in the patterns - type: object - patterns: - description: Grok patterns to match sensitive data (for example, "%{IP:client}", "%{EMAILADDRESS:email}") - items: - description: A non-empty string. - minLength: 1 - type: string - minItems: 1 - type: array - prefix: - description: Prefix to prepend to the redacted pattern name (defaults to "<") - type: string - suffix: - description: Suffix to append to the redacted pattern name (defaults to ">") - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - patterns - - additionalProperties: false - type: object - properties: - action: - enum: - - uppercase - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - type: boolean - to: - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - 
required: - - action - - from - - additionalProperties: false - type: object - properties: - action: - enum: - - lowercase - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - type: boolean - to: - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - additionalProperties: false - type: object - properties: - action: - enum: - - trim - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - type: boolean - to: - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - additionalProperties: false - type: object - properties: - action: - enum: - - join - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - delimiter: - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - items: - minLength: 1 - type: string - minItems: 1 - type: array - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - type: 
boolean - to: - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - delimiter - - to - - additionalProperties: false - description: Split processor - Split a field value into an array using a separator - type: object - properties: - action: - enum: - - split - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - description: Source field to split into an array - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - description: Skip processing when source field is missing - type: boolean - preserve_trailing: - description: Preserve empty trailing fields in the split result - type: boolean - separator: - description: Regex separator used to split the field value into an array - minLength: 1 - type: string - to: - description: Target field for the split array (defaults to source) - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - separator - - additionalProperties: false - type: object - properties: - action: - enum: - - sort - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - description: Array field to sort - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - description: Skip processing when 
source field is missing - type: boolean - order: - description: Sort order - "asc" (ascending) or "desc" (descending). Defaults to "asc" - enum: - - asc - - desc - type: string - to: - description: Target field for the sorted array (defaults to source) - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - additionalProperties: false - description: Convert processor - Change the data type of a field value (integer, long, double, boolean, or string) + created: + description: Created date + type: string + decodedSha256: + description: Decoded SHA-256 + type: string + decodedSize: + description: Decoded size + type: number + encodedSha256: + description: Encoded SHA-256 + type: string + encodedSize: + description: Encoded size + type: number + encryptionAlgorithm: + description: Encryption Algorithm + type: string + id: + description: Identifier + type: string + identifier: + description: Identifier + type: string + packageName: + description: Package name + type: string + relative_url: + description: Relative URL + type: string + type: + description: Type + type: string + APM_UI_create_annotation_object: + type: object + properties: + '@timestamp': + description: The date and time of the annotation. It must be in ISO 8601 format. + type: string + message: + description: >- + The message displayed in the annotation. It defaults to + `service.version`. + type: string + service: + description: The service that identifies the configuration to create or update. + type: object + properties: + environment: + description: The environment of the service. + type: string + version: + description: The version of the service. + type: string + required: + - version + tags: + description: > + Tags are used by the Applications UI to distinguish APM annotations + from other annotations. 
Tags may have additional functionality in + future releases. It defaults to `[apm]`. While you can add + additional tags, you cannot remove the `apm` tag. + items: + type: string + type: array + required: + - '@timestamp' + - service + APM_UI_create_annotation_response: + type: object + properties: + _id: + description: Identifier + type: string + _index: + description: Index + type: string + _source: + description: Response + type: object + properties: + '@timestamp': + type: string + annotation: type: object properties: - action: - enum: - - convert - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - description: Source field to convert to a different data type - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - description: Skip processing when source field is missing - type: boolean - to: - description: Target field for the converted value (defaults to source) - minLength: 1 + title: type: string type: - description: 'Target data type: integer, long, double, boolean, or string' - enum: - - integer - - long - - double - - boolean - - string type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - type - - additionalProperties: false + event: type: object properties: - action: - enum: - - concat - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - from: - items: - anyOf: - - type: object - properties: - type: - enum: - - field - type: string - value: - minLength: 1 
- type: string - required: - - type - - value - - type: object - properties: - type: - enum: - - literal - type: string - value: - type: string - required: - - type - - value - minItems: 1 - type: array - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - type: boolean - to: - minLength: 1 + created: type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - from - - to - - allOf: - - additionalProperties: false - type: object - properties: - action: - enum: - - network_direction - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - destination_ip: - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - type: boolean - source_ip: - minLength: 1 - type: string - target_field: - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - source_ip - - destination_ip - - anyOf: - - additionalProperties: false - type: object - properties: - internal_networks: - items: - type: string - type: array - required: - - internal_networks - - additionalProperties: false - type: object - properties: - internal_networks_field: - minLength: 1 - type: string - required: - - internal_networks_field - - additionalProperties: false - description: JsonExtract processor - Extract values from JSON strings using JSONPath-like selectors + message: + type: string + service: type: object properties: - action: - enum: - - json_extract + environment: type: string - customIdentifier: - 
description: Custom identifier to correlate this processor across outputs - minLength: 1 + name: type: string - description: - description: Human-readable notes about this processor step + version: type: string - extractions: - description: List of extraction specifications - items: - description: A single extraction specification + tags: + items: + type: string + type: array + APM_UI_delete_agent_configurations_response: + type: object + properties: + result: + description: Result + type: string + APM_UI_delete_service_object: + description: Service + type: object + properties: + service: + $ref: '#/components/schemas/APM_UI_service_object' + required: + - service + APM_UI_search_agent_configuration_object: + type: object + properties: + error: + description: > + If provided, the agent configuration will be marked as error and + `applied_by_agent` will be set to `false`. + + This is useful for cases where the agent configuration was not + applied successfully. + type: string + etag: + description: If etags match then `applied_by_agent` field will be set to `true` + example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 + type: string + mark_as_applied_by_agent: + description: > + `markAsAppliedByAgent=true` means "force setting it to true + regardless of etag". 
+ + This is needed for Jaeger agent that doesn't have etags + type: boolean + service: + $ref: '#/components/schemas/APM_UI_service_object' + required: + - service + APM_UI_search_agent_configuration_response: + type: object + properties: + _id: + description: Identifier + type: string + _index: + description: Index + type: string + _score: + description: Score + type: number + _source: + $ref: '#/components/schemas/APM_UI_agent_configuration_object' + APM_UI_service_agent_name_response: + type: object + properties: + agentName: + description: Agent name + example: nodejs + type: string + APM_UI_service_environment_object: + type: object + properties: + alreadyConfigured: + description: Already configured + type: boolean + name: + description: Service environment name + example: ALL_OPTION_VALUE + type: string + APM_UI_service_environments_response: + type: object + properties: + environments: + description: Service environment list + items: + $ref: '#/components/schemas/APM_UI_service_environment_object' + type: array + APM_UI_service_object: + description: Service + type: object + properties: + environment: + description: The environment of the service. + example: prod + type: string + name: + description: The name of the service. 
+ example: node + type: string + APM_UI_settings_object: + additionalProperties: + type: string + description: Agent configuration settings + type: object + APM_UI_single_agent_configuration_response: + allOf: + - type: object + properties: + id: + type: string + required: + - id + - $ref: '#/components/schemas/APM_UI_agent_configuration_object' + APM_UI_source_maps_response: + type: object + properties: + artifacts: + description: Artifacts + items: + allOf: + - type: object + properties: + body: type: object properties: - selector: - description: JSONPath-like selector to extract value (e.g., "user.id", "$.metadata.client.ip", "items[0].name") - minLength: 1 + bundleFilepath: type: string - target_field: - description: Target field to store the extracted value - minLength: 1 + serviceName: type: string - type: - description: Data type for the extracted value. Defaults to "keyword". Ensures consistent types across transpilers. - enum: - - keyword - - integer - - long - - double - - boolean + serviceVersion: type: string - required: - - selector - - target_field - minItems: 1 - type: array - field: - description: Source field containing the JSON string to parse - minLength: 1 - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - ignore_missing: - description: Skip processing when source field is missing - type: boolean - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - field - - extractions - - additionalProperties: false - type: object - properties: - action: - enum: - - enrich - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - ignore_failure: - description: Continue pipeline execution if this 
processor fails - type: boolean - ignore_missing: - type: boolean - override: - type: boolean - policy_name: - description: A non-empty string. - minLength: 1 - type: string - to: - minLength: 1 - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - policy_name - - to - - additionalProperties: false - description: Manual ingest pipeline wrapper around native Elasticsearch processors - type: object - properties: - action: - description: Manual ingest pipeline - executes raw Elasticsearch ingest processors - enum: - - manual_ingest_pipeline - type: string - customIdentifier: - description: Custom identifier to correlate this processor across outputs - minLength: 1 - type: string - description: - description: Human-readable notes about this processor step - type: string - ignore_failure: - description: Continue pipeline execution if this processor fails - type: boolean - on_failure: - description: Fallback processors to run when a processor fails - items: - additionalProperties: {} - type: object - type: array - processors: - description: List of raw Elasticsearch ingest processors to run - items: - additionalProperties: {} - type: object - type: array - tag: - description: Optional ingest processor tag for Elasticsearch - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - description: Conditional expression controlling whether this processor runs - required: - - action - - processors - - $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangConditionBlock' - Kibana_HTTP_APIs_StreamUpsertRequest: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_WiredStreamUpsertRequest' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicStreamUpsertRequest' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_QueryStreamUpsertRequest' - Kibana_HTTP_APIs_transform-health-create-rule-body-alerting: - 
additionalProperties: false + sourceMap: + type: object + properties: + file: + type: string + mappings: + type: string + sourceRoot: + type: string + sources: + items: + type: string + type: array + sourcesContent: + items: + type: string + type: array + version: + type: number + - $ref: '#/components/schemas/APM_UI_base_source_map_object' + type: array + APM_UI_upload_source_map_object: + type: object + properties: + bundle_filepath: + description: >- + The absolute path of the final bundle as used in the web + application. + type: string + service_name: + description: The name of the service that the service map should apply to. + type: string + service_version: + description: The version of the service that the service map should apply to. + type: string + sourcemap: + description: > + The source map. It can be a string or file upload. It must follow + the + + [source map format specification](https://tc39.es/ecma426/). + format: binary + type: string + required: + - service_name + - service_version + - bundle_filepath + - sourcemap + APM_UI_upload_source_maps_response: + allOf: + - type: object + properties: + body: + type: string + - $ref: '#/components/schemas/APM_UI_base_source_map_object' + Cases_actions: + enum: + - add + - create + - delete + - push_to_service + - update + example: create + type: string + Cases_actions_comment_response_properties: + title: Case response properties for actions comments + type: object + properties: + actions: + type: object + properties: + targets: + items: + type: object + properties: + endpointId: + example: 1 + type: string + hostname: + example: host-01 + type: string + type: array + type: + example: isolate + type: string + comment: + example: Isolating the host from the case UI. 
+ type: string + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + $ref: '#/components/schemas/Cases_case_response_created_by_properties' + id: + example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + type: string + owner: + $ref: '#/components/schemas/Cases_owner' + pushed_at: + example: null + format: date-time + nullable: true + type: string + pushed_by: + $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' + type: + enum: + - actions + example: actions + type: string + updated_at: + example: null + format: date-time + nullable: true + type: string + updated_by: + $ref: '#/components/schemas/Cases_case_response_updated_by_properties' + version: + example: WzIwNDMxLDFd + type: string + required: + - type + Cases_add_alert_comment_request_properties: + description: Defines properties for case comment requests when type is alert. + type: object + properties: + alertId: + $ref: '#/components/schemas/Cases_alert_identifiers' + index: + $ref: '#/components/schemas/Cases_alert_indices' + owner: + $ref: '#/components/schemas/Cases_owner' + rule: + $ref: '#/components/schemas/Cases_rule' + type: + description: The type of comment. + enum: + - alert + example: alert + type: string + required: + - alertId + - index + - owner + - rule + - type + title: Add case comment request properties for alerts + Cases_add_case_comment_request: + description: >- + The add comment to case API request body varies depending on whether you + are adding an alert or a comment. 
+ discriminator: + mapping: + alert: '#/components/schemas/Cases_add_alert_comment_request_properties' + user: '#/components/schemas/Cases_add_user_comment_request_properties' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_add_alert_comment_request_properties' + - $ref: '#/components/schemas/Cases_add_user_comment_request_properties' + title: Add case comment request + Cases_add_case_file_request: + description: >- + Defines the file that will be attached to the case. Optional parameters + will be generated automatically from the file metadata if not defined. + type: object + properties: + file: + description: The file being attached to the case. + format: binary + type: string + filename: + description: >- + The desired name of the file being attached to the case, it can be + different than the name of the file in the filesystem. **This should + not include the file extension.** + type: string + required: + - file + title: Add case file request properties + Cases_add_user_comment_request_properties: + description: Defines properties for case comment requests when type is user. + properties: + comment: + description: The new comment. It is required only when `type` is `user`. + example: A new comment. + maxLength: 30000 + type: string + owner: + $ref: '#/components/schemas/Cases_owner' + type: + description: The type of comment. + enum: + - user + example: user + type: string + required: + - comment + - owner + - type + title: Add case comment request properties for user comments + type: object + Cases_alert_comment_response_properties: + title: Add case comment response properties for alerts + type: object properties: - actions: - default: [] + alertId: items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. 
If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. 
- type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
- nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id + example: a6e12ac4-7bce-457b-84f6-d7ce8deb8446 + type: string type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ created_at: + example: '2023-11-06T19:29:38.424Z' + format: date-time type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true + created_by: type: object properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + - email + - full_name + - username + id: + example: 73362370-ab1a-11ec-985f-97e55adae8b9 type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. 
NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval + index: + items: + example: .internal.alerts-security.alerts-default-000001 + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + pushed_at: + example: null + format: date-time nullable: true type: string - params: - additionalProperties: false - description: The parameters for the transform health rule. These parameters are appropriate when `rule_type_id` is `transform_health`. + pushed_by: + nullable: true + type: object properties: - excludeTransforms: - default: [] - items: - type: string + email: + example: null nullable: true - type: array - includeTransforms: - items: - type: string - type: array - testsConfig: - additionalProperties: false + type: string + full_name: + example: null nullable: true - type: object - properties: - errorMessages: - additionalProperties: false - nullable: true - type: object - properties: - enabled: - default: false - type: boolean - healthCheck: - additionalProperties: false - nullable: true - type: object - properties: - enabled: - default: true - type: boolean - notStarted: - additionalProperties: false - nullable: true - type: object - properties: - enabled: - default: true - type: boolean - required: - - notStarted - - errorMessages - - healthCheck + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string required: - - includeTransforms - - testsConfig - title: Transform Health Rule Params + - email + - full_name + - username + rule: type: object - rule_type_id: + properties: + id: + description: The rule identifier. 
+ example: 94d80550-aaf4-11ec-985f-97e55adae8b9 + nullable: true + type: string + name: + description: The rule name. + example: security_rule + nullable: true + type: string + type: enum: - - transform_health + - alert + example: alert type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. + updated_at: + format: date-time + nullable: true + type: string + updated_by: + nullable: true type: object properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true type: string required: - - interval + - email + - full_name + - username + version: + example: WzMwNDgsMV0= + type: string + required: + - type + Cases_alert_identifiers: + description: > + The alert identifiers. It is required only when `type` is `alert`. You + can use an array of strings to add multiple alerts to a case, provided + that they all relate to the same rule; `index` must also be an array + with the same length or number of elements. Adding multiple alerts in + this manner is recommended rather than calling the API multiple times. + This functionality is in technical preview and may be changed or removed + in a future release. Elastic will work to fix any issues, but features + in technical preview are not subject to the support SLA of official GA + features. + example: 6b24c4dc44bc720cfc92797f3d61fff952f2b2627db1fb4f8cc49f4530c4ff42 + oneOf: + - type: string + - items: + type: string + maxItems: 1000 + type: array + title: Alert identifiers + x-state: Technical preview + Cases_alert_indices: + description: > + The alert indices. It is required only when `type` is `alert`. 
If you + are adding multiple alerts to a case, use an array of strings; the + position of each index name in the array must match the position of the + corresponding alert identifier in the `alertId` array. This + functionality is in technical preview and may be changed or removed in a + future release. Elastic will work to fix any issues, but features in + technical preview are not subject to the support SLA of official GA + features. + oneOf: + - type: string + - items: + type: string + maxItems: 1000 + type: array + title: Alert indices + x-state: Technical preview + Cases_alert_response_properties: + type: object + properties: + attached_at: + format: date-time + type: string + id: + description: The alert identifier. + type: string + index: + description: The alert index. + type: string + Cases_assignees: + description: An array containing users that are assigned to the case. + items: + type: object + properties: + uid: + description: >- + A unique identifier for the user profile. These identifiers can be + found by using the suggest user profile API. + example: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 + type: string + required: + - uid + maxItems: 10 + nullable: true + type: array + Cases_attachment_totals: + description: Counts of alerts, events, and user comments attached to a case. + properties: + alerts: + description: Number of alert attachments on the case. + type: integer + events: + description: Number of event attachments on the case. + type: integer + userComments: + description: Number of user comment attachments on the case. + type: integer + required: + - alerts + - events + - userComments + title: Attachment totals + type: object + Cases_case_categories: + items: + $ref: '#/components/schemas/Cases_case_category' + maxItems: 100 + type: array + Cases_case_category: + description: A word or phrase that categorizes the case. 
+ maxLength: 50 + type: string + Cases_case_close_sync_reason: + description: > + The close reason to sync to attached alerts when closing the case. Can + be one of following predefined reasons: [false_positive, duplicate, + true_positive, benign_positive, automated_closure, other] or a custom + reason provided by the user. + oneOf: + - enum: + - false_positive + - duplicate + - true_positive + - benign_positive + - automated_closure + - other + type: string + - type: string + Cases_case_description: + description: The description for the case. + maxLength: 30000 + type: string + Cases_case_observable: + description: A single observable attached to a case. + properties: + createdAt: + description: When the observable was created. + example: '2024-11-14T10:00:00.000Z' + format: date-time + type: string + description: + description: An optional description for the observable. + example: Source IP + nullable: true + type: string + id: + description: The observable identifier. + example: df927ab8-54ed-47d6-be07-9948c255c097 + type: string + typeKey: + description: The observable type key. + example: observable-type-ipv4 + type: string + updatedAt: + description: When the observable was last updated. + example: '2024-11-14T10:00:00.000Z' + format: date-time + nullable: true + type: string + value: + description: The observable value. 
+ example: 10.0.0.8 + type: string + required: + - id + - typeKey + - value + - description + - createdAt + - updatedAt + title: Case observable + type: object + Cases_case_response_closed_by_properties: + nullable: true + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + title: Case response properties for closed_by + type: object + Cases_case_response_created_by_properties: + title: Case response properties for created_by + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + Cases_case_response_get_case: + description: > + Case details returned by the get case API. The comments property is not + included in the response. Use the find case comments API to retrieve + comments. totalComment reflects the actual number of user comments. + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + category: + description: The case category. 
+ nullable: true + type: string + closed_at: + format: date-time + nullable: true + type: string + closed_by: + $ref: '#/components/schemas/Cases_case_response_closed_by_properties' + connector: + discriminator: + mapping: + .cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook' + .jira: '#/components/schemas/Cases_connector_properties_jira' + .none: '#/components/schemas/Cases_connector_properties_none' + .resilient: '#/components/schemas/Cases_connector_properties_resilient' + .servicenow: '#/components/schemas/Cases_connector_properties_servicenow' + .servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir' + .swimlane: '#/components/schemas/Cases_connector_properties_swimlane' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_connector_properties_none' + - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' + - $ref: '#/components/schemas/Cases_connector_properties_jira' + - $ref: '#/components/schemas/Cases_connector_properties_resilient' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' + - $ref: '#/components/schemas/Cases_connector_properties_swimlane' + title: Case response properties for connectors + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + $ref: '#/components/schemas/Cases_case_response_created_by_properties' + customFields: + description: Custom field values for the case. + items: + type: object + properties: + key: + description: > + The unique identifier for the custom field. The key value must + exist in the case configuration settings. + type: string + type: + description: > + The custom field type. It must match the type specified in the + case configuration settings. + enum: + - text + - toggle + type: string + value: + description: > + The custom field value. 
If the custom field is required, it + cannot be explicitly set to null. However, for cases that + existed when the required custom field was added, the default + value stored in Elasticsearch is `undefined`. The value + returned in the API and user interface in this case is `null`. + oneOf: + - maxLength: 160 + minLength: 1 + nullable: true + type: string + - type: boolean + type: array + description: + example: A case description. + type: string + duration: + description: > + The elapsed time from the creation of the case to its closure (in + seconds). If the case has not been closed, the duration is set to + null. If the case was closed after less than half a second, the + duration is rounded down to zero. + example: 120 + nullable: true + type: integer + external_service: + $ref: '#/components/schemas/Cases_external_service' + id: + example: 66b9aa00-94fa-11ea-9f74-e7e108796192 + type: string + incremental_id: + description: > + A monotonically increasing number assigned to each case, unique per + space. This value is generated asynchronously after the case is + created and may not be present immediately in the response. + example: 1 + nullable: true + type: integer + observables: + description: Observables attached to the case. + items: + $ref: '#/components/schemas/Cases_case_observable' + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + status: + $ref: '#/components/schemas/Cases_case_status' tags: - default: [] - description: The tags for the rule. + example: + - tag-1 items: type: string type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + title: + example: Case title 1 + type: string + total_observables: + description: The number of observables attached to the case. + example: 0 + nullable: true + type: integer + totalAlerts: + example: 0 + type: integer + totalComment: + description: >- + The number of user comments on the case. Use the find case comments + API to retrieve comment content. + example: 1 + type: integer + totalEvents: + description: The number of events attached to the case. + example: 0 + type: integer + updated_at: + format: date-time nullable: true type: string + updated_by: + $ref: '#/components/schemas/Cases_case_response_updated_by_properties' + version: + example: WzUzMiwxXQ== + type: string required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Transform health + - closed_at + - closed_by + - connector + - created_at + - created_by + - description + - duration + - external_service + - id + - observables + - owner + - settings + - severity + - status + - tags + - title + - totalAlerts + - totalComment + - total_observables + - updated_at + - updated_by + - version + title: Get case response + type: object + Cases_case_response_properties: + title: Case response properties type: object - Kibana_HTTP_APIs_update_output_elasticsearch: - additionalProperties: false properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: + assignees: + $ref: '#/components/schemas/Cases_assignees' + category: + description: The case category. nullable: true type: string - ca_trusted_fingerprint: + closed_at: + format: date-time nullable: true type: string - config_yaml: - nullable: true + closed_by: + $ref: '#/components/schemas/Cases_case_response_closed_by_properties' + comments: + description: An array of comment objects for the case. 
+ items: + discriminator: + mapping: + actions: '#/components/schemas/Cases_actions_comment_response_properties' + alert: '#/components/schemas/Cases_alert_comment_response_properties' + event: '#/components/schemas/Cases_event_comment_response_properties' + user: '#/components/schemas/Cases_user_comment_response_properties' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_actions_comment_response_properties' + - $ref: '#/components/schemas/Cases_alert_comment_response_properties' + - $ref: '#/components/schemas/Cases_event_comment_response_properties' + - $ref: '#/components/schemas/Cases_user_comment_response_properties' + maxItems: 10000 + title: Case response properties for comments + type: array + connector: + discriminator: + mapping: + .cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook' + .jira: '#/components/schemas/Cases_connector_properties_jira' + .none: '#/components/schemas/Cases_connector_properties_none' + .resilient: '#/components/schemas/Cases_connector_properties_resilient' + .servicenow: '#/components/schemas/Cases_connector_properties_servicenow' + .servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir' + .swimlane: '#/components/schemas/Cases_connector_properties_swimlane' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_connector_properties_none' + - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' + - $ref: '#/components/schemas/Cases_connector_properties_jira' + - $ref: '#/components/schemas/Cases_connector_properties_resilient' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' + - $ref: '#/components/schemas/Cases_connector_properties_swimlane' + title: Case response properties for connectors + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time type: string - hosts: + created_by: + $ref: 
'#/components/schemas/Cases_case_response_created_by_properties' + customFields: + description: Custom field values for the case. items: - format: uri - type: string - maxItems: 10 - minItems: 1 + type: object + properties: + key: + description: > + The unique identifier for the custom field. The key value must + exist in the case configuration settings. + type: string + type: + description: > + The custom field type. It must match the type specified in the + case configuration settings. + enum: + - text + - toggle + type: string + value: + description: > + The custom field value. If the custom field is required, it + cannot be explicitly set to null. However, for cases that + existed when the required custom field was added, the default + value stored in Elasticsearch is `undefined`. The value + returned in the API and user interface in this case is `null`. + oneOf: + - maxLength: 160 + minLength: 1 + nullable: true + type: string + - type: boolean type: array + description: + example: A case description. + type: string + duration: + description: > + The elapsed time from the creation of the case to its closure (in + seconds). If the case has not been closed, the duration is set to + null. If the case was closed after less than half a second, the + duration is rounded down to zero. + example: 120 + nullable: true + type: integer + external_service: + $ref: '#/components/schemas/Cases_external_service' id: + example: 66b9aa00-94fa-11ea-9f74-e7e108796192 type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: + incremental_id: + description: > + A monotonically increasing number assigned to each case, unique per + space. This value is generated asynchronously after the case is + created and may not be present immediately in the response. + example: 1 + nullable: true + type: integer + observables: + description: Observables attached to the case. 
+ items: + $ref: '#/components/schemas/Cases_case_observable' + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + status: + $ref: '#/components/schemas/Cases_case_status' + tags: + example: + - tag-1 + items: + type: string + type: array + title: + example: Case title 1 type: string - otel_disable_beatsauth: + total_observables: + description: The number of observables attached to the case. + example: 0 nullable: true - type: boolean - otel_exporter_config_yaml: + type: integer + totalAlerts: + example: 0 + type: integer + totalComment: + example: 0 + type: integer + totalEvents: + description: The number of events attached to the case. + example: 0 + type: integer + updated_at: + format: date-time nullable: true type: string - preset: - enum: - - balanced - - custom - - throughput - - scale - - latency + updated_by: + $ref: '#/components/schemas/Cases_case_response_updated_by_properties' + version: + example: WzUzMiwxXQ== type: string - proxy_id: + required: + - closed_at + - closed_by + - comments + - connector + - created_at + - created_by + - description + - duration + - external_service + - id + - observables + - owner + - settings + - severity + - status + - tags + - title + - totalAlerts + - totalComment + - total_observables + - updated_at + - updated_by + - version + Cases_case_response_pushed_by_properties: + nullable: true + properties: + email: + example: null nullable: true type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_output_ssl' + full_name: + example: null nullable: true - type: - enum: - - elasticsearch type: string - write_to_logs_streams: + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic nullable: true - type: boolean - title: update_output_elasticsearch + type: string + required: + - email + - full_name + - username + title: Case response properties for pushed_by type: object - Kibana_HTTP_APIs_update_output_kafka: - additionalProperties: false + Cases_case_response_updated_by_properties: + nullable: true properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - auth_type: - enum: - - none - - user_pass - - ssl - - kerberos - type: string - broker_timeout: - type: number - ca_sha256: + email: + example: null nullable: true type: string - ca_trusted_fingerprint: + full_name: + example: null nullable: true type: string - client_id: + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string - compression: - enum: - - gzip - - snappy - - lz4 - - none + username: + example: elastic + nullable: true type: string - compression_level: - type: number - config_yaml: + required: + - email + - full_name + - username + title: Case response properties for updated_by + type: object + Cases_case_severity: + description: The severity of the case. + enum: + - critical + - high + - low + - medium + type: string + Cases_case_status: + description: The status of the case. + enum: + - closed + - in-progress + - open + type: string + Cases_case_tags: + description: > + The words and phrases that help categorize cases. It can be an empty + array. + items: + maxLength: 256 + type: string + maxItems: 200 + type: array + Cases_case_title: + description: A title for the case. 
+ maxLength: 160 + type: string + Cases_closure_types: + description: >- + Indicates whether a case is automatically closed when it is pushed to + external systems (`close-by-pushing`) or not automatically closed + (`close-by-user`). + enum: + - close-by-pushing + - close-by-user + example: close-by-user + type: string + Cases_connector_properties_cases_webhook: + description: Defines properties for connectors when type is `.cases-webhook`. + type: object + properties: + fields: + example: null nullable: true type: string - connection_type: + id: + description: >- + The identifier for the connector. To retrieve connector IDs, use the + find connectors API. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. enum: - - plaintext - - encryption + - .cases-webhook + example: .cases-webhook type: string - hash: - additionalProperties: false + required: + - fields + - id + - name + - type + title: Create or upate case request properties for Cases Webhook connector + Cases_connector_properties_jira: + description: Defines properties for connectors when type is `.jira`. + type: object + properties: + fields: + description: >- + An object containing the connector fields. If you want to omit any + individual field, specify null as its value. type: object properties: - hash: + issueType: + description: The type of issue. + nullable: true type: string - random: - type: boolean - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - hosts: - items: - type: string - maxItems: 10 - minItems: 1 - type: array + parent: + description: The key of the parent issue, when the issue type is sub-task. + nullable: true + type: string + priority: + description: The priority of the issue. 
+ nullable: true + type: string + required: + - issueType + - parent + - priority id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - key: + description: >- + The identifier for the connector. To retrieve connector IDs, use the + find connectors API. type: string name: + description: The name of the connector. type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - partition: + type: + description: The type of connector. enum: - - random - - round_robin - - hash + - .jira + example: .jira type: string - password: + required: + - fields + - id + - name + - type + title: Create or update case request properties for a Jira connector + Cases_connector_properties_none: + description: Defines properties for connectors when type is `.none`. + type: object + properties: + fields: + description: >- + An object containing the connector fields. To create a case without + a connector, specify null. To update a case to remove the connector, + specify null. + example: null nullable: true type: string - proxy_id: - nullable: true + id: + description: >- + The identifier for the connector. To create a case without a + connector, use `none`. To update a case to remove the connector, + specify `none`. + example: none type: string - random: - additionalProperties: false - type: object - properties: - group_events: - type: number - required_acks: + name: + description: >- + The name of the connector. To create a case without a connector, use + `none`. To update a case to remove the connector, specify `none`. + example: none + type: string + type: + description: >- + The type of connector. To create a case without a connector, use + `.none`. To update a case to remove the connector, specify `.none`. 
enum: - - 1 - - 0 - - -1 - type: integer - round_robin: - additionalProperties: false - type: object - properties: - group_events: - type: number - sasl: - additionalProperties: false + - .none + example: .none + type: string + required: + - fields + - id + - name + - type + title: Create or update case request properties for no connector + Cases_connector_properties_resilient: + description: Defines properties for connectors when type is `.resilient`. + type: object + properties: + fields: + description: >- + An object containing the connector fields. If you want to omit any + individual field, specify null as its value. nullable: true type: object properties: - mechanism: - enum: - - PLAIN - - SCRAM-SHA-256 - - SCRAM-SHA-512 + issueTypes: + description: The type of incident. + items: + type: string + type: array + severityCode: + description: The severity code of the incident. type: string - secrets: - additionalProperties: false + required: + - issueTypes + - severityCode + id: + description: The identifier for the connector. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .resilient + example: .resilient + type: string + required: + - fields + - id + - name + - type + title: Create case request properties for a IBM Resilient connector + Cases_connector_properties_servicenow: + description: Defines properties for connectors when type is `.servicenow`. + type: object + properties: + fields: + description: >- + An object containing the connector fields. If you want to omit any + individual field, specify null as its value. 
type: object properties: - password: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - required: - - key - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - timeout: - type: number - topic: + category: + description: The category of the incident. + nullable: true + type: string + impact: + description: The effect an incident had on business. + nullable: true + type: string + severity: + description: The severity of the incident. + nullable: true + type: string + subcategory: + description: The subcategory of the incident. + nullable: true + type: string + urgency: + description: The extent to which the incident resolution can be delayed. + nullable: true + type: string + required: + - category + - impact + - severity + - subcategory + - urgency + id: + description: >- + The identifier for the connector. To retrieve connector IDs, use the + find connectors API. + type: string + name: + description: The name of the connector. type: string type: + description: The type of connector. enum: - - kafka - type: string - username: - nullable: true - type: string - version: + - .servicenow + example: .servicenow type: string required: + - fields + - id - name - title: update_output_kafka + - type + title: Create case request properties for a ServiceNow ITSM connector + Cases_connector_properties_servicenow_sir: + description: Defines properties for connectors when type is `.servicenow-sir`. 
type: object - Kibana_HTTP_APIs_update_output_logstash: - additionalProperties: false properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true - type: string - hosts: - items: - type: string - maxItems: 10 - minItems: 1 - type: array + fields: + description: >- + An object containing the connector fields. If you want to omit any + individual field, specify null as its value. + type: object + properties: + category: + description: The category of the incident. + nullable: true + type: string + destIp: + description: >- + Indicates whether cases will send a comma-separated list of + destination IPs. + nullable: true + type: boolean + malwareHash: + description: >- + Indicates whether cases will send a comma-separated list of + malware hashes. + nullable: true + type: boolean + malwareUrl: + description: >- + Indicates whether cases will send a comma-separated list of + malware URLs. + nullable: true + type: boolean + priority: + description: The priority of the issue. + nullable: true + type: string + sourceIp: + description: >- + Indicates whether cases will send a comma-separated list of + source IPs. + nullable: true + type: boolean + subcategory: + description: The subcategory of the incident. + nullable: true + type: string + required: + - category + - destIp + - malwareHash + - malwareUrl + - priority + - sourceIp + - subcategory id: + description: >- + The identifier for the connector. To retrieve connector IDs, use the + find connectors API. type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean name: + description: The name of the connector. 
type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true type: + description: The type of connector. enum: - - logstash + - .servicenow-sir + example: .servicenow-sir type: string - title: update_output_logstash + required: + - fields + - id + - name + - type + title: Create case request properties for a ServiceNow SecOps connector + Cases_connector_properties_swimlane: + description: Defines properties for connectors when type is `.swimlane`. type: object - Kibana_HTTP_APIs_update_output_remote_elasticsearch: - additionalProperties: false properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true - type: string - hosts: - items: - format: uri - type: string - maxItems: 10 - minItems: 1 - type: array + fields: + description: >- + An object containing the connector fields. If you want to omit any + individual field, specify null as its value. + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. 
+ nullable: true + type: string + required: + - caseId id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - kibana_api_key: - nullable: true - type: string - kibana_url: - nullable: true + description: >- + The identifier for the connector. To retrieve connector IDs, use the + find connectors API. type: string name: + description: The name of the connector. type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - preset: - enum: - - balanced - - custom - - throughput - - scale - - latency - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - service_token: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - service_token: - nullable: true - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - sync_integrations: - type: boolean - sync_uninstalled_integrations: - type: boolean type: + description: The type of connector. 
enum: - - remote_elasticsearch + - .swimlane + example: .swimlane type: string - write_to_logs_streams: - nullable: true - type: boolean - title: update_output_remote_elasticsearch - type: object - Kibana_HTTP_APIs_WiredStreamUpsertRequest: - additionalProperties: false - type: object + required: + - fields + - id + - name + - type + title: Create case request properties for a Swimlane connector + Cases_connector_types: + description: The type of connector. + enum: + - .cases-webhook + - .jira + - .none + - .resilient + - .servicenow + - .servicenow-sir + - .swimlane + example: .none + type: string + Cases_create_case_request: + description: >- + The create case API request body varies depending on the type of + connector. properties: - dashboards: - items: - type: string - type: array - queries: + assignees: + $ref: '#/components/schemas/Cases_assignees' + category: + $ref: '#/components/schemas/Cases_case_category' + connector: + oneOf: + - $ref: '#/components/schemas/Cases_connector_properties_none' + - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' + - $ref: '#/components/schemas/Cases_connector_properties_jira' + - $ref: '#/components/schemas/Cases_connector_properties_resilient' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' + - $ref: '#/components/schemas/Cases_connector_properties_swimlane' + customFields: + description: > + Custom field values for a case. Any optional custom fields that are + not specified in the request are set to null. items: type: object properties: - description: - type: string - esql: - type: object - properties: - query: - type: string - required: - - query - evidence: - items: - type: string - type: array - id: - description: A non-empty string. - minLength: 1 - type: string - severity_score: - type: number - title: - description: A non-empty string. 
- minLength: 1 + key: + description: > + The unique identifier for the custom field. The key value must + exist in the case configuration settings. type: string type: - default: match + description: > + The custom field type. It must match the type specified in the + case configuration settings. enum: - - match - - stats + - text + - toggle type: string + value: + description: > + The custom field value. If the custom field is required, it + cannot be explicitly set to null. However, for cases that + existed when the required custom field was added, the default + value stored in Elasticsearch is `undefined`. The value + returned in the API and user interface in this case is `null`. + oneOf: + - maxLength: 160 + minLength: 1 + nullable: true + type: string + - type: boolean required: - - id - - title - - description - - esql - type: array - rules: - items: - type: string + - key + - type + - value + maxItems: 10 + minItems: 0 type: array - stream: - additionalProperties: false - type: object - properties: - description: - type: string - ingest: - additionalProperties: false - type: object - properties: - failure_store: - $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' - lifecycle: - $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' - processing: - additionalProperties: false - type: object - properties: - steps: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' - type: array - updated_at: {} - required: - - steps - settings: - additionalProperties: false - type: object - properties: - index.number_of_replicas: - additionalProperties: false - type: object - properties: - value: - type: number - required: - - value - index.number_of_shards: - additionalProperties: false - type: object - properties: - value: - type: number - required: - - value - index.refresh_interval: - additionalProperties: false - type: object - properties: - value: - anyOf: - - type: string - - enum: - - -1 - type: number - required: - - value - 
wired: - additionalProperties: false - type: object - properties: - draft: - type: boolean - fields: - $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinition' - routing: - items: - type: object - properties: - destination: - description: A non-empty string. - minLength: 1 - type: string - draft: - type: boolean - status: - enum: - - enabled - - disabled - type: string - where: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - required: - - destination - - where - type: array - required: - - fields - - routing - required: - - lifecycle - - processing - - settings - - failure_store - - wired - query_streams: - items: - type: object - properties: - name: - type: string - required: - - name - type: array - type: - enum: - - wired - type: string - required: - - description - - ingest - - type + description: + $ref: '#/components/schemas/Cases_case_description' + owner: + $ref: '#/components/schemas/Cases_owner' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + tags: + $ref: '#/components/schemas/Cases_case_tags' + title: + $ref: '#/components/schemas/Cases_case_title' required: - - dashboards - - rules - - queries - - stream - Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting: - additionalProperties: false + - connector + - description + - owner + - settings + - tags + - title + title: Create case request + type: object + Cases_event_comment_response_properties: + title: Case response properties for event comments + type: object properties: - actions: - default: [] + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + $ref: '#/components/schemas/Cases_case_response_created_by_properties' + eventId: items: - additionalProperties: false - description: An action that runs under defined conditions. 
- type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. 
- items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. 
NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id + example: 7605e6a6f9f4f990ad9f8f6901e5f082f1f1f1665cbaf2f0f2c6f8f6b0d8a39f + type: string type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. 
- type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + id: + example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + index: + items: + example: .internal.alerts-security.alerts-default-000001 + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + pushed_at: + example: null + format: date-time nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. 
type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + pushed_by: + $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' + type: enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval + - event + example: event + type: string + updated_at: + example: null + format: date-time nullable: true type: string - params: - additionalProperties: false - description: The parameters for the anomaly detection rule. These parameters are appropriate when `rule_type_id` is `xpack.ml.anomaly_detection_alert"`. 
+ updated_by: + $ref: '#/components/schemas/Cases_case_response_updated_by_properties' + version: + example: WzIwNDMxLDFd + type: string + required: + - type + Cases_external_service: + nullable: true + type: object + properties: + connector_id: + type: string + connector_name: + type: string + external_id: + type: string + external_title: + type: string + external_url: + type: string + pushed_at: + format: date-time + type: string + pushed_by: + nullable: true + type: object properties: - includeInterim: - default: true - type: boolean - jobSelection: - additionalProperties: false - type: object - properties: - groupIds: - default: [] - items: - type: string - type: array - jobIds: - default: [] - items: - type: string - type: array - kqlQueryString: + email: + example: null nullable: true type: string - lookbackInterval: + full_name: + example: null nullable: true type: string - resultType: - enum: - - record - - bucket - - influencer + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string - severity: - maximum: 100 - minimum: 0 - type: number - topNBuckets: - minimum: 1 + username: + example: elastic nullable: true - type: number - required: - - jobSelection - - severity - - resultType - - lookbackInterval - - topNBuckets - - kqlQueryString - title: Anomaly Detection Rule Params - type: object - rule_type_id: - enum: - - xpack.ml.anomaly_detection_alert - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. + Cases_find_comments_response: + title: Find case comments response + type: object + properties: + comments: + description: Paginated list of user comments for the case. 
items: - type: string + $ref: '#/components/schemas/Cases_user_comment_response_properties' type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string + page: + description: The current page index. + type: integer + per_page: + description: The number of items per page. + type: integer + total: + description: The total number of comments. + type: integer required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Anomaly detection + - comments + - page + - per_page + - total + Cases_owner: + description: > + The application that owns the cases: Stack Management, Observability, or + Elastic Security. + enum: + - cases + - observability + - securitySolution + example: cases + type: string + Cases_owners: + items: + $ref: '#/components/schemas/Cases_owner' + type: array + Cases_payload_alert_comment: type: object - Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting: - additionalProperties: false properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). 
- type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. 
Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. 
- type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false + comment: type: object properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: + alertId: + oneOf: + - example: 1c0b056b-cc9f-4b61-b5c9-cb801abd5e1d + type: string + - items: type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false + type: array + index: + oneOf: + - example: .alerts-observability.logs.alerts-default + type: string + - items: + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + rule: type: object properties: - blob: - maxLength: 10000 + id: + description: The rule identifier. + example: 94d80550-aaf4-11ec-985f-97e55adae8b9 + nullable: true type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
- type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true + name: + description: The rule name. + example: security_rule + nullable: true + type: string + type: + enum: + - alert + type: string + Cases_payload_assignees: + type: object + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + Cases_payload_connector: + type: object + properties: + connector: type: object properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the anomaly detection jobs health rule. These parameters are appropriate when `rule_type_id` is `xpack.ml.anomaly_detection_jobs_health"`. - properties: - excludeJobs: - additionalProperties: false + fields: + description: >- + An object containing the connector fields. To create a case + without a connector, specify null. If you want to omit any + individual field, specify null as its value. + example: null nullable: true type: object properties: - groupIds: - default: [] - items: - type: string - type: array - jobIds: - default: [] - items: - type: string - type: array - includeJobs: - additionalProperties: false - type: object - properties: - groupIds: - default: [] - items: - type: string - type: array - jobIds: - default: [] + caseId: + description: The case identifier for Swimlane connectors. + type: string + category: + description: >- + The category of the incident for ServiceNow ITSM and + ServiceNow SecOps connectors. + type: string + destIp: + description: >- + Indicates whether cases will send a comma-separated list of + destination IPs for ServiceNow SecOps connectors. + nullable: true + type: boolean + impact: + description: >- + The effect an incident had on business for ServiceNow ITSM + connectors. + type: string + issueType: + description: The type of issue for Jira connectors. + type: string + issueTypes: + description: The type of incident for IBM Resilient connectors. 
items: type: string type: array - testsConfig: - additionalProperties: false - nullable: true - type: object - properties: - behindRealtime: - additionalProperties: false - nullable: true - type: object - properties: - enabled: - default: true - type: boolean - timeInterval: - nullable: true - type: string - required: - - timeInterval - datafeed: - additionalProperties: false - nullable: true - type: object - properties: - enabled: - default: true - type: boolean - delayedData: - additionalProperties: false + malwareHash: + description: >- + Indicates whether cases will send a comma-separated list of + malware hashes for ServiceNow SecOps connectors. nullable: true - type: object - properties: - docsCount: - minimum: 1 - nullable: true - type: number - enabled: - default: true - type: boolean - timeInterval: - nullable: true - type: string - required: - - docsCount - - timeInterval - errorMessages: - additionalProperties: false + type: boolean + malwareUrl: + description: >- + Indicates whether cases will send a comma-separated list of + malware URLs for ServiceNow SecOps connectors. nullable: true - type: object - properties: - enabled: - default: true - type: boolean - mml: - additionalProperties: false + type: boolean + parent: + description: >- + The key of the parent issue, when the issue type is sub-task + for Jira connectors. + type: string + priority: + description: >- + The priority of the issue for Jira and ServiceNow SecOps + connectors. + type: string + severity: + description: The severity of the incident for ServiceNow ITSM connectors. + type: string + severityCode: + description: >- + The severity code of the incident for IBM Resilient + connectors. + type: string + sourceIp: + description: >- + Indicates whether cases will send a comma-separated list of + source IPs for ServiceNow SecOps connectors. 
nullable: true - type: object - properties: - enabled: - default: true - type: boolean - required: - - datafeed - - mml - - delayedData - - behindRealtime - - errorMessages - required: - - includeJobs - - excludeJobs - - testsConfig - title: Anomaly Detection Jobs Health Rule Params - type: object - rule_type_id: - enum: - - xpack.ml.anomaly_detection_jobs_health - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. + type: boolean + subcategory: + description: >- + The subcategory of the incident for ServiceNow ITSM + connectors. + type: string + urgency: + description: >- + The extent to which the incident resolution can be delayed + for ServiceNow ITSM connectors. + type: string + id: + description: >- + The identifier for the connector. To create a case without a + connector, use `none`. + example: none type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Anomaly detection jobs health + name: + description: >- + The name of the connector. To create a case without a connector, + use `none`. 
+ example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + Cases_payload_create_case: type: object - Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting: - additionalProperties: false properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. 
- type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. 
- type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. 
- type: number - required: - - active - artifacts: - additionalProperties: false + assignees: + $ref: '#/components/schemas/Cases_assignees' + connector: type: object properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false + fields: + description: >- + An object containing the connector fields. To create a case + without a connector, specify null. If you want to omit any + individual field, specify null as its value. + example: null + nullable: true type: object properties: - blob: - maxLength: 10000 + caseId: + description: The case identifier for Swimlane connectors. type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. 
While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the synthetics monitor status rule. These parameters are appropriate when `rule_type_id` is `xpack.synthetics.alerts.monitorStatus`. - properties: - condition: - additionalProperties: false - type: object - properties: - alertOnNoData: + category: + description: >- + The category of the incident for ServiceNow ITSM and + ServiceNow SecOps connectors. + type: string + destIp: + description: >- + Indicates whether cases will send a comma-separated list of + destination IPs for ServiceNow SecOps connectors. + nullable: true type: boolean - downThreshold: - type: number - groupBy: + impact: + description: >- + The effect an incident had on business for ServiceNow ITSM + connectors. + type: string + issueType: + description: The type of issue for Jira connectors. type: string - includeRetests: + issueTypes: + description: The type of incident for IBM Resilient connectors. 
+ items: + type: string + type: array + malwareHash: + description: >- + Indicates whether cases will send a comma-separated list of + malware hashes for ServiceNow SecOps connectors. + nullable: true type: boolean - locationsThreshold: - type: number - recoveryStrategy: - enum: - - firstUp - - conditionNotMet + malwareUrl: + description: >- + Indicates whether cases will send a comma-separated list of + malware URLs for ServiceNow SecOps connectors. + nullable: true + type: boolean + parent: + description: >- + The key of the parent issue, when the issue type is sub-task + for Jira connectors. type: string - window: - anyOf: - - additionalProperties: false - type: object - properties: - time: - additionalProperties: false - type: object - properties: - size: - default: 5 - type: number - unit: - default: m - enum: - - s - - m - - h - - d - type: string - required: - - time - - additionalProperties: false - type: object - properties: - numberOfChecks: - default: 5 - maximum: 100 - minimum: 1 - type: number - required: - - window - kqlQuery: + priority: + description: >- + The priority of the issue for Jira and ServiceNow SecOps + connectors. + type: string + severity: + description: The severity of the incident for ServiceNow ITSM connectors. + type: string + severityCode: + description: >- + The severity code of the incident for IBM Resilient + connectors. + type: string + sourceIp: + description: >- + Indicates whether cases will send a comma-separated list of + source IPs for ServiceNow SecOps connectors. + nullable: true + type: boolean + subcategory: + description: >- + The subcategory of the incident for ServiceNow ITSM + connectors. + type: string + urgency: + description: >- + The extent to which the incident resolution can be delayed + for ServiceNow ITSM connectors. + type: string + id: + description: >- + The identifier for the connector. To create a case without a + connector, use `none`. 
+ example: none + type: string + name: + description: >- + The name of the connector. To create a case without a connector, + use `none`. + example: none type: string - locations: - items: - type: string - type: array - monitorIds: - items: - type: string - type: array - monitorTypes: - items: - type: string - type: array - projects: - items: - type: string - type: array - tags: - items: - type: string - type: array - title: Synthetics Monitor Status Rule Params - type: object - rule_type_id: - enum: - - xpack.synthetics.alerts.monitorStatus + type: + $ref: '#/components/schemas/Cases_connector_types' + description: type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval + owner: + $ref: '#/components/schemas/Cases_owner' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + status: + $ref: '#/components/schemas/Cases_case_status' tags: - default: [] - description: The tags for the rule. + example: + - tag-1 items: type: string type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true + title: + type: string + Cases_payload_delete: + description: >- + If the `action` is `delete` and the `type` is `delete_case`, the payload + is nullable. 
+ nullable: true + type: object + Cases_payload_description: + type: object + properties: + description: + type: string + Cases_payload_pushed: + type: object + properties: + externalService: + $ref: '#/components/schemas/Cases_external_service' + Cases_payload_settings: + type: object + properties: + settings: + $ref: '#/components/schemas/Cases_settings' + Cases_payload_severity: + type: object + properties: + severity: + $ref: '#/components/schemas/Cases_case_severity' + Cases_payload_status: + type: object + properties: + status: + $ref: '#/components/schemas/Cases_case_status' + Cases_payload_tags: + type: object + properties: + tags: + example: + - tag-1 + items: + type: string + type: array + Cases_payload_title: + type: object + properties: + title: + type: string + Cases_payload_user_comment: + type: object + properties: + comment: + type: object + properties: + comment: + type: string + owner: + $ref: '#/components/schemas/Cases_owner' + type: + enum: + - user + type: string + Cases_related_case: + description: > + Summary of a case returned when listing cases that contain a given + alert. This is a subset of the full case response. + properties: + createdAt: + description: When the case was created. + format: date-time + type: string + description: + description: The case description. + type: string + id: + description: The case identifier. + type: string + status: + $ref: '#/components/schemas/Cases_case_status' + title: + description: The case title. 
type: string + totals: + $ref: '#/components/schemas/Cases_attachment_totals' required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Synthetics monitor status + - id + - title + - description + - status + - createdAt + - totals + title: Related case type: object - Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting: - additionalProperties: false + Cases_response_4xx: properties: - actions: - default: [] + error: + example: Unauthorized + type: string + message: + type: string + statusCode: + example: 401 + type: integer + title: Unsuccessful cases API response + type: object + Cases_rule: + description: > + The rule that is associated with the alerts. It is required only when + `type` is `alert`. This functionality is in technical preview and may be + changed or removed in a future release. Elastic will work to fix any + issues, but features in technical preview are not subject to the support + SLA of official GA features. + title: Alerting rule + type: object + properties: + id: + description: The rule identifier. + example: 94d80550-aaf4-11ec-985f-97e55adae8b9 + type: string + name: + description: The rule name. + example: security_rule + type: string + x-state: Technical preview + Cases_searchFieldsType: + description: The fields to perform the `simple_query_string` parsed query against. + enum: + - description + - title + type: string + Cases_searchFieldsTypeArray: + items: + $ref: '#/components/schemas/Cases_searchFieldsType' + type: array + Cases_set_case_configuration_request: + description: >- + External connection details, such as the closure type and default + connector for cases. + properties: + closure_type: + $ref: '#/components/schemas/Cases_closure_types' + connector: + description: An object that contains the connector configuration. 
+ type: object + properties: + fields: + description: >- + The fields specified in the case configuration are not used and + are not propagated to individual cases, therefore it is + recommended to set it to `null`. + nullable: true + type: object + id: + description: >- + The identifier for the connector. If you do not want a default + connector, use `none`. To retrieve connector IDs, use the find + connectors API. + example: none + type: string + name: + description: >- + The name of the connector. If you do not want a default + connector, use `none`. To retrieve connector names, use the find + connectors API. + example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + required: + - fields + - id + - name + - type + customFields: + description: Custom fields case configuration. items: - additionalProperties: false - description: An action that runs under defined conditions. type: object properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. 
- enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + defaultValue: + description: > + A default value for the custom field. If the `type` is `text`, + the default value must be a string. If the `type` is `toggle`, + the default value must be boolean. + oneOf: + - type: string + - type: boolean + key: + description: > + A unique key for the custom field. 
Must be lower case and + composed only of a-z, 0-9, '_', and '-' characters. It is used + in API calls to refer to a specific custom field. + maxLength: 36 + minLength: 1 type: string - id: - description: The identifier for the connector saved object. + label: + description: The custom field label that is displayed in the case. + maxLength: 50 + minLength: 1 type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. + type: + description: The type of the custom field. + enum: + - text + - toggle type: string + required: + description: > + Indicates whether the field is required. If `false`, the + custom field can be set to null or omitted when a case is + created or updated. + type: boolean required: - - id + - key + - label + - required + - type + maxItems: 10 + minItems: 0 type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false + owner: + $ref: '#/components/schemas/Cases_owner' + templates: + $ref: '#/components/schemas/Cases_templates' + required: + - closure_type + - connector + - owner + title: Set case configuration request + type: object + Cases_settings: + description: An object that contains the case settings. 
+ type: object + properties: + extractObservables: + description: > + When true, observables (e.g. IPs, hashes, URLs) are automatically + extracted from case comments. Optional; defaults to false when + omitted. + example: false + type: boolean + syncAlerts: + description: Turns alert syncing on or off. + example: true + type: boolean + required: + - syncAlerts + Cases_string: + type: string + Cases_string_array: + items: + $ref: '#/components/schemas/Cases_string' + maxItems: 100 + type: array + Cases_template_tags: + description: > + The words and phrases that help categorize templates. It can be an empty + array. + items: + maxLength: 256 + type: string + maxItems: 200 + type: array + Cases_templates: + items: + type: object + properties: + caseFields: + type: object + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + category: + $ref: '#/components/schemas/Cases_case_category' + connector: type: object properties: + fields: + description: >- + The fields specified in the case configuration are not + used and are not propagated to individual cases, therefore + it is recommended to set it to `null`. + nullable: true + type: object id: + description: >- + The identifier for the connector. If you do not want a + default connector, use `none`. To retrieve connector IDs, + use the find connectors API. + example: none type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. 
- type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + name: + description: >- + The name of the connector. If you do not want a default + connector, use `none`. To retrieve connector names, use + the find connectors API. + example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + customFields: + description: Custom field values in the template. + items: + type: object + properties: + key: + description: The unique key for the custom field. + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + value: + description: > + The default value for the custom field when a case uses + the template. If the `type` is `text`, the default value + must be a string. If the `type` is `toggle`, the default + value must be boolean. 
+ oneOf: + - type: string + - type: boolean + type: array + x-state: Technical preview + description: + $ref: '#/components/schemas/Cases_case_description' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + tags: + $ref: '#/components/schemas/Cases_case_tags' + title: + $ref: '#/components/schemas/Cases_case_title' + description: + description: A description for the template. + type: string + key: + description: > + A unique key for the template. Must be lower case and composed + only of a-z, 0-9, '_', and '-' characters. It is used in API calls + to refer to a specific template. + type: string + name: + description: The name of the template. + type: string + tags: + $ref: '#/components/schemas/Cases_template_tags' + type: array + x-state: Technical preview + Cases_update_alert_comment_request_properties: + description: Defines properties for case comment requests when type is alert. + type: object + properties: + alertId: + $ref: '#/components/schemas/Cases_alert_identifiers' + id: + description: > + The identifier for the comment. To retrieve comment IDs, use the get + comments API. + example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ index: + $ref: '#/components/schemas/Cases_alert_indices' + owner: + $ref: '#/components/schemas/Cases_owner' + rule: + $ref: '#/components/schemas/Cases_rule' + type: + description: The type of comment. enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true + - alert + example: alert type: string - params: - additionalProperties: false - description: The parameters for the synthetics tls rule. These parameters are appropriate when `rule_type_id` is `xpack.synthetics.alerts.tls`. - properties: - certAgeThreshold: - type: number - certExpirationThreshold: - type: number - kqlQuery: - type: string - locations: - items: - type: string - type: array - monitorIds: - items: - type: string - type: array - monitorTypes: - items: - type: string - type: array - projects: - items: - type: string - type: array - search: - type: string - tags: - items: - type: string - type: array - title: Synthetics TLS Rule Params - type: object - rule_type_id: - enum: - - xpack.synthetics.alerts.tls + version: + description: > + The current comment version. To retrieve version values, use the get + comments API. + example: Wzk1LDFd type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. + required: + - alertId + - id + - index + - owner + - rule + - type + - version + title: Update case comment request properties for alerts + Cases_update_case_comment_request: + description: >- + The update case comment API request body varies depending on whether you + are updating an alert or a comment. 
+ discriminator: + mapping: + alert: '#/components/schemas/Cases_update_alert_comment_request_properties' + user: '#/components/schemas/Cases_update_user_comment_request_properties' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_update_alert_comment_request_properties' + - $ref: '#/components/schemas/Cases_update_user_comment_request_properties' + title: Update case comment request + Cases_update_case_configuration_request: + description: > + You can update settings such as the closure type, custom fields, + templates, and the default connector for cases. + properties: + closure_type: + $ref: '#/components/schemas/Cases_closure_types' + connector: + description: An object that contains the connector configuration. type: object properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. + fields: + description: >- + The fields specified in the case configuration are not used and + are not propagated to individual cases, therefore it is + recommended to set it to `null`. + nullable: true + type: object + id: + description: >- + The identifier for the connector. If you do not want a default + connector, use `none`. To retrieve connector IDs, use the find + connectors API. + example: none + type: string + name: + description: >- + The name of the connector. If you do not want a default + connector, use `none`. To retrieve connector names, use the find + connectors API. + example: none type: string + type: + $ref: '#/components/schemas/Cases_connector_types' required: - - interval - tags: - default: [] - description: The tags for the rule. + - fields + - id + - name + - type + customFields: + description: Custom fields case configuration. items: - type: string + type: object + properties: + defaultValue: + description: > + A default value for the custom field. If the `type` is `text`, + the default value must be a string. If the `type` is `toggle`, + the default value must be boolean. 
+ oneOf: + - type: string + - type: boolean + key: + description: > + A unique key for the custom field. Must be lower case and + composed only of a-z, 0-9, '_', and '-' characters. It is used + in API calls to refer to a specific custom field. + maxLength: 36 + minLength: 1 + type: string + label: + description: The custom field label that is displayed in the case. + maxLength: 50 + minLength: 1 + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + required: + description: > + Indicates whether the field is required. If `false`, the + custom field can be set to null or omitted when a case is + created or updated. + type: boolean + required: + - key + - label + - required + - type type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true + templates: + $ref: '#/components/schemas/Cases_templates' + version: + description: > + The version of the connector. To retrieve the version value, use the + get configuration API. + example: WzIwMiwxXQ== type: string required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Synthetics TLS + - version + title: Update case configuration request type: object - Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting: - additionalProperties: false + Cases_update_case_request: + description: >- + The update case API request body varies depending on the type of + connector. properties: - actions: - default: [] + cases: + description: An array containing one or more case objects. items: - additionalProperties: false - description: An action that runs under defined conditions. 
type: object properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. 
- items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. 
NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string + assignees: + $ref: '#/components/schemas/Cases_assignees' + category: + $ref: '#/components/schemas/Cases_case_category' + closeReason: + $ref: '#/components/schemas/Cases_case_close_sync_reason' + connector: + oneOf: + - $ref: '#/components/schemas/Cases_connector_properties_none' + - $ref: >- + #/components/schemas/Cases_connector_properties_cases_webhook + - $ref: '#/components/schemas/Cases_connector_properties_jira' + - $ref: '#/components/schemas/Cases_connector_properties_resilient' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow' + - $ref: >- + #/components/schemas/Cases_connector_properties_servicenow_sir + - $ref: '#/components/schemas/Cases_connector_properties_swimlane' + customFields: + description: > + Custom field values for a case. Any optional custom fields + that are not specified in the request are set to null. + items: + type: object + properties: + key: + description: > + The unique identifier for the custom field. The key + value must exist in the case configuration settings. + type: string + type: + description: > + The custom field type. It must match the type specified + in the case configuration settings. + enum: + - text + - toggle + type: string + value: + description: > + The custom field value. If the custom field is required, + it cannot be explicitly set to null. 
However, for cases + that existed when the required custom field was added, + the default value stored in Elasticsearch is + `undefined`. The value returned in the API and user + interface in this case is `null`. + oneOf: + - maxLength: 160 + minLength: 1 + nullable: true + type: string + - type: boolean + required: + - key + - type + - value + maxItems: 10 + minItems: 0 + type: array + description: + $ref: '#/components/schemas/Cases_case_description' id: - description: The identifier for the connector saved object. + description: The identifier for the case. + maxLength: 30000 type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + status: + $ref: '#/components/schemas/Cases_case_status' + tags: + $ref: '#/components/schemas/Cases_case_tags' + title: + $ref: '#/components/schemas/Cases_case_title' + version: + description: > + The current version of the case. To determine this value, use + the get case or search cases (`_find`) APIs. type: string required: - id + - version + maxItems: 100 + minItems: 1 type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. 
- type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + required: + - cases + title: Update case request + type: object + Cases_update_user_comment_request_properties: + description: Defines properties for case comment requests when type is user. + properties: + comment: + description: The new comment. It is required only when `type` is `user`. + example: A new comment. + maxLength: 30000 type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. 
While this name does not have to be unique, a distinctive name can help you identify a rule. + id: + description: > + The identifier for the comment. To retrieve comment IDs, use the get + comments API. + example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + owner: + $ref: '#/components/schemas/Cases_owner' + type: + description: The type of comment. enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval + - user + example: user + type: string + version: + description: > + The current comment version. To retrieve version values, use the get + comments API. + example: Wzk1LDFd + type: string + required: + - comment + - id + - owner + - type + - version + title: Update case comment request properties for user comments + type: object + Cases_user_actions_find_response_properties: + type: object + properties: + action: + $ref: '#/components/schemas/Cases_actions' + comment_id: + example: 578608d0-03b1-11ed-920c-974bfa104448 nullable: true type: string - params: - additionalProperties: false - description: The parameters for the uptime duration anomaly rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.durationAnomaly`. 
+ created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + type: object properties: - monitorId: + email: + example: null + nullable: true type: string - severity: - type: number - stackVersion: + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true type: string required: - - monitorId + - email + - full_name + - username + id: + example: 22fd3e30-03b1-11ed-920c-974bfa104448 + type: string + owner: + $ref: '#/components/schemas/Cases_owner' + payload: + oneOf: + - $ref: '#/components/schemas/Cases_payload_alert_comment' + - $ref: '#/components/schemas/Cases_payload_assignees' + - $ref: '#/components/schemas/Cases_payload_connector' + - $ref: '#/components/schemas/Cases_payload_create_case' + - $ref: '#/components/schemas/Cases_payload_delete' + - $ref: '#/components/schemas/Cases_payload_description' + - $ref: '#/components/schemas/Cases_payload_pushed' + - $ref: '#/components/schemas/Cases_payload_settings' + - $ref: '#/components/schemas/Cases_payload_severity' + - $ref: '#/components/schemas/Cases_payload_status' + - $ref: '#/components/schemas/Cases_payload_tags' + - $ref: '#/components/schemas/Cases_payload_title' + - $ref: '#/components/schemas/Cases_payload_user_comment' + type: + description: The type of action. 
+ enum: + - assignees + - category + - comment + - connector + - create_case + - customFields + - delete_case + - description + - extended_fields + - observables + - pushed + - settings - severity - title: Uptime Duration Anomaly Rule Params - type: object - rule_type_id: + - status + - tags + - title + example: create_case + type: string + version: + example: WzM1ODg4LDFd + type: string + required: + - action + - comment_id + - created_at + - created_by + - id + - owner + - payload + - type + - version + Cases_user_comment_response_properties: + title: Case response properties for user comments + type: object + properties: + comment: + example: A new comment. + type: string + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + $ref: '#/components/schemas/Cases_case_response_created_by_properties' + id: + example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + type: string + owner: + $ref: '#/components/schemas/Cases_owner' + pushed_at: + example: null + format: date-time + nullable: true + type: string + pushed_by: + $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' + type: enum: - - xpack.uptime.alerts.durationAnomaly + - user + example: user type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. - type: object - properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + updated_at: + example: null + format: date-time nullable: true type: string + updated_by: + $ref: '#/components/schemas/Cases_case_response_updated_by_properties' + version: + example: WzIwNDMxLDFd + type: string required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Uptime duration anomaly + - type + Data_views_400_response: + title: Bad request type: object - Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting: - additionalProperties: false properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. 
- enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. 
- type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false + error: + example: Bad Request + type: string + message: + type: string + statusCode: + example: 400 + type: number + required: + - statusCode + - error + - message + Data_views_404_response: + type: object + properties: + error: + enum: + - Not Found + example: Not Found + type: string + message: + example: >- + Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] + not found + type: string + statusCode: + enum: + - 404 + example: 404 + type: integer + Data_views_allownoindex: + description: >- + Allows the data view saved object to exist before the data is available. + Defaults to `false`. + type: boolean + Data_views_create_data_view_request_object: + title: Create data view request + type: object + properties: + data_view: + description: The data view object. type: object properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 - type: array - investigation_guide: - additionalProperties: false + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldAttrs: + additionalProperties: + $ref: '#/components/schemas/Data_views_fieldattrs' type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' - type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + id: + type: string + name: + description: The data view name. + type: string + namespaces: + $ref: '#/components/schemas/Data_views_namespaces' + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + type: + $ref: '#/components/schemas/Data_views_type' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta' + version: + type: string + required: + - title + override: + default: false + description: >- + Override an existing data view if a data view with the provided + title already exists. type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true + required: + - data_view + Data_views_data_view_response_object: + title: Data view response properties + type: object + properties: + data_view: type: object properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. 
- maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: false - description: The parameters for the uptime monitor status rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.monitorStatus`. 
- properties: - availability: - additionalProperties: false + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldAttrs: + additionalProperties: + $ref: '#/components/schemas/Data_views_fieldattrs' type: object - properties: - range: - type: number - rangeUnit: - type: string - threshold: - type: string - required: - - range - - rangeUnit - - threshold - filters: - anyOf: - - additionalProperties: false - type: object - properties: - monitor.type: - items: - type: string - type: array - observer.geo.name: - items: - type: string - type: array - tags: - items: - type: string - type: array - url.port: - items: - type: string - type: array - - type: string - isAutoGenerated: - type: boolean - locations: - items: - type: string - type: array - numTimes: - type: number - search: + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + id: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f type: string - shouldCheckAvailability: - type: boolean - shouldCheckStatus: - type: boolean - stackVersion: + name: + description: The data view name. 
type: string - timerange: - additionalProperties: false + namespaces: + $ref: '#/components/schemas/Data_views_namespaces' + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' type: object - properties: - from: - type: string - to: - type: string - required: - - from - - to - timerangeCount: - type: number - timerangeUnit: - type: string + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta_response' version: - type: number - required: - - numTimes - - shouldCheckStatus - - shouldCheckAvailability - title: Uptime Monitor Status Rule Params - type: object - rule_type_id: - enum: - - xpack.uptime.alerts.monitorStatus + example: WzQ2LDJd + type: string + Data_views_fieldattrs: + description: A map of field attributes by field name. + type: object + properties: + count: + description: Popularity count for the field. + type: integer + customDescription: + description: Custom description for the field. + maxLength: 300 type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. + customLabel: + description: Custom label for the field. + type: string + Data_views_fieldformats: + description: A map of field formats by field name. + type: object + Data_views_namespaces: + description: >- + An array of space identifiers for sharing the data view between multiple + spaces. + items: + default: default + type: string + type: array + Data_views_runtimefieldmap: + description: A map of runtime field definitions by field name. + type: object + properties: + script: type: object properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. + source: + description: Script for the runtime field. 
type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true + type: + description: Mapping type of the runtime field. type: string required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Uptime monitor status + - script + - type + Data_views_sourcefilters: + description: The array of field names you want to filter out in Discover. + items: + type: object + properties: + value: + type: string + required: + - value + type: array + Data_views_swap_data_view_request_object: + title: Data view reference swap request type: object - Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting: - additionalProperties: false properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). - type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. 
- items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: Defines a period that limits whether the action runs. - type: object - properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. 
- type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. 
- type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. + delete: + description: Deletes referenced saved object if all references are removed. + type: boolean + forId: + description: Limit the affected saved objects to one or more by identifier. + oneOf: + - type: string + - items: type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number - required: - - active - artifacts: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10 type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + forType: + description: Limit the affected saved objects by type. type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. 
- type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true - type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + fromId: + description: The saved object reference to change. type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true + fromType: + description: > + Specify the type of the saved object reference to alter. The default + value is `index-pattern` for data views. 
type: string + toId: + description: New saved object reference value to replace the old value. + type: string + required: + - fromId + - toId + Data_views_timefieldname: + description: The timestamp field name, which you use for time-based data views. + type: string + Data_views_title: + description: >- + Comma-separated list of data streams, indices, and aliases that you want + to search. Supports wildcards (`*`). + type: string + Data_views_type: + description: When set to `rollup`, identifies the rollup data views. + type: string + Data_views_typemeta: + description: >- + When you use rollup indices, contains the field list for the rollup data + view API endpoints. + type: object + properties: + aggs: + description: A map of rollup restrictions by aggregation type and field name. + type: object params: - additionalProperties: false - description: The parameters for the uptime tls rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.tlsCertificate`. - properties: - certAgeThreshold: - type: number - certExpirationThreshold: - type: number - search: - type: string - stackVersion: - type: string - title: Uptime TLS Rule Params + description: Properties for retrieving rollup fields. type: object - rule_type_id: - enum: - - xpack.uptime.alerts.tlsCertificate - type: string - schedule: - additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. + required: + - aggs + - params + Data_views_typemeta_response: + description: >- + When you use rollup indices, contains the field list for the rollup data + view API endpoints. + nullable: true + type: object + properties: + aggs: + description: A map of rollup restrictions by aggregation type and field name. + type: object + params: + description: Properties for retrieving rollup fields. 
+ type: object + Data_views_update_data_view_request_object: + title: Update data view request + type: object + properties: + data_view: + description: > + The data view properties you want to update. Only the specified + properties are updated in the data view. Unspecified fields stay as + they are persisted. type: object properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + name: type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true - type: string + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + type: + $ref: '#/components/schemas/Data_views_type' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta' + refresh_fields: + default: false + description: Reloads the data view fields after the data view is updated. 
+ type: boolean required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Uptime TLS certificate - type: object + - data_view Machine_learning_APIs_mlSync200Response: properties: datafeedsAdded: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - description: If a saved object for an anomaly detection job is missing a datafeed identifier, it is added when you run the sync machine learning saved objects API. + description: >- + If a saved object for an anomaly detection job is missing a datafeed + identifier, it is added when you run the sync machine learning saved + objects API. type: object datafeedsRemoved: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - description: If a saved object for an anomaly detection job references a datafeed that no longer exists, it is deleted when you run the sync machine learning saved objects API. + description: >- + If a saved object for an anomaly detection job references a datafeed + that no longer exists, it is deleted when you run the sync machine + learning saved objects API. type: object savedObjectsCreated: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated' + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated savedObjectsDeleted: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted' + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted title: Successful sync API response type: object Machine_learning_APIs_mlSync4xxResponse: 
@@ -109643,63 +36781,97 @@ components: title: Unsuccessful sync API response type: object Machine_learning_APIs_mlSyncResponseAnomalyDetectors: - description: The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status. + description: >- + The sync machine learning saved objects API response contains this + object when there are anomaly detection jobs affected by the + synchronization. There is an object for each relevant job, which + contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for anomaly detection jobs type: object Machine_learning_APIs_mlSyncResponseDatafeeds: - description: The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status. + description: >- + The sync machine learning saved objects API response contains this + object when there are datafeeds affected by the synchronization. There + is an object for each relevant datafeed, which contains the + synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for datafeeds type: object Machine_learning_APIs_mlSyncResponseDataFrameAnalytics: - description: The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status. + description: >- + The sync machine learning saved objects API response contains this + object when there are data frame analytics jobs affected by the + synchronization. 
There is an object for each relevant job, which + contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for data frame analytics jobs type: object Machine_learning_APIs_mlSyncResponseSavedObjectsCreated: - description: If saved objects are missing for machine learning jobs or trained models, they are created when you run the sync machine learning saved objects API. + description: >- + If saved objects are missing for machine learning jobs or trained + models, they are created when you run the sync machine learning saved + objects API. properties: anomaly-detector: additionalProperties: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors' - description: If saved objects are missing for anomaly detection jobs, they are created. + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors + description: >- + If saved objects are missing for anomaly detection jobs, they are + created. type: object data-frame-analytics: additionalProperties: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics' - description: If saved objects are missing for data frame analytics jobs, they are created. + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics + description: >- + If saved objects are missing for data frame analytics jobs, they are + created. type: object trained-model: additionalProperties: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels' + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels description: If saved objects are missing for trained models, they are created. 
type: object title: Sync API response for created saved objects type: object Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted: - description: If saved objects exist for machine learning jobs or trained models that no longer exist, they are deleted when you run the sync machine learning saved objects API. + description: >- + If saved objects exist for machine learning jobs or trained models that + no longer exist, they are deleted when you run the sync machine learning + saved objects API. properties: anomaly-detector: additionalProperties: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors' - description: If there are saved objects exist for nonexistent anomaly detection jobs, they are deleted. + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors + description: >- + If there are saved objects exist for nonexistent anomaly detection + jobs, they are deleted. type: object data-frame-analytics: additionalProperties: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics' - description: If there are saved objects exist for nonexistent data frame analytics jobs, they are deleted. + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics + description: >- + If there are saved objects exist for nonexistent data frame + analytics jobs, they are deleted. type: object trained-model: additionalProperties: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels' - description: If there are saved objects exist for nonexistent trained models, they are deleted. + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels + description: >- + If there are saved objects exist for nonexistent trained models, + they are deleted. type: object title: Sync API response for deleted saved objects type: object 
@@ -109707,7 +36879,11 @@ components: description: The success or failure of the synchronization. type: boolean Machine_learning_APIs_mlSyncResponseTrainedModels: - description: The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status. + description: >- + The sync machine learning saved objects API response contains this + object when there are trained models affected by the synchronization. + There is an object for each relevant trained model, which contains the + synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' @@ -109787,7 +36963,8 @@ components: description: The name associated with the message. type: string role: - $ref: '#/components/schemas/Observability_AI_Assistant_API_MessageRoleEnum' + $ref: >- + #/components/schemas/Observability_AI_Assistant_API_MessageRoleEnum required: - role required: 
@@ -109821,16 +36998,34 @@ components: - message - statusCode Saved_objects_attributes: - description: | - The data that you want to create. WARNING: Attributes may be validated depending on the saved object type. Supplying malformed data can cause errors or break Kibana. When creating or persisting raw saved objects outside of Kibana, preserve `coreMigrationVersion` and `typeMigrationVersion` (and related migration metadata) to retain forward compatibility across Kibana versions. + description: > + The data that you want to create. WARNING: Attributes may be validated + depending on the saved object type. Supplying malformed data can cause + errors or break Kibana. When creating or persisting raw saved objects + outside of Kibana, preserve `coreMigrationVersion` and + `typeMigrationVersion` (and related migration metadata) to retain + forward compatibility across Kibana versions. type: object Saved_objects_initial_namespaces: - description: | - Identifiers for the spaces in which this object is created. If this is provided, the object is created only in the explicitly defined spaces. If this is not provided, the object is created in the current space (default behavior). For shareable object types (registered with `namespaceType: 'multiple'`), this option can be used to specify one or more spaces, including the "All spaces" identifier ('*'). For isolated object types (registered with `namespaceType: 'single'` or `namespaceType: 'multiple-isolated'`), this option can only be used to specify a single space, and the "All spaces" identifier ('*') is not allowed. For global object types (`registered with `namespaceType: agnostic`), this option cannot be used. + description: > + Identifiers for the spaces in which this object is created. If this is + provided, the object is created only in the explicitly defined spaces. + If this is not provided, the object is created in the current space + (default behavior). 
For shareable object types (registered with + `namespaceType: 'multiple'`), this option can be used to specify one or + more spaces, including the "All spaces" identifier ('*'). For isolated + object types (registered with `namespaceType: 'single'` or + `namespaceType: 'multiple-isolated'`), this option can only be used to + specify a single space, and the "All spaces" identifier ('*') is not + allowed. For global object types (`registered with `namespaceType: + agnostic`), this option cannot be used. type: array Saved_objects_references: - description: | - Objects with `name`, `id`, and `type` properties that describe the other saved objects that this object references. Use `name` in attributes to refer to the other saved object, but never the `id`, which can update automatically during migrations or import and export. + description: > + Objects with `name`, `id`, and `type` properties that describe the other + saved objects that this object references. Use `name` in attributes to + refer to the other saved object, but never the `id`, which can update + automatically during migrations or import and export. type: array Security_AI_Assistant_API_AnonymizationFieldCreateProps: type: object @@ -109923,7 +37118,8 @@ components: example: user.name type: string skip_reason: - $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason description: Reason why the anonymization field was not modified. required: - id 
@@ -109941,12 +37137,15 @@ components: errors: description: List of errors that occurred during the bulk operation. items: - $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError type: array results: - $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults summary: - $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary required: - results - summary @@ -109970,7 +37169,8 @@ components: created: description: List of anonymization fields successfully created. items: - $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse type: array deleted: items: @@ -109981,12 +37181,14 @@ components: skipped: description: List of anonymization fields that were skipped during the operation. items: - $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult type: array updated: description: List of anonymization fields successfully updated. items: - $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse type: array required: - updated 
@@ -110182,7 +37384,9 @@ components: $ref: '#/components/schemas/Security_AI_Assistant_API_MessageData' description: Metadata to attach to the context of the message. fields_to_anonymize: - description: List of field names within the data object that should be anonymized. + description: >- + List of field names within the data object that should be + anonymized. example: - user.name - source.ip @@ -110205,12 +37409,18 @@ components: Security_AI_Assistant_API_ContentReferences: additionalProperties: oneOf: - - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryContentReference' - - $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertContentReference' - - $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertsPageContentReference' - - $ref: '#/components/schemas/Security_AI_Assistant_API_ProductDocumentationContentReference' - - $ref: '#/components/schemas/Security_AI_Assistant_API_EsqlContentReference' - - $ref: '#/components/schemas/Security_AI_Assistant_API_HrefContentReference' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryContentReference + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_SecurityAlertContentReference + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_SecurityAlertsPageContentReference + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_ProductDocumentationContentReference + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_EsqlContentReference + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_HrefContentReference additionalProperties: false description: A union of all content reference types type: object 
@@ -110362,7 +37572,9 @@ components: example: default type: string users: - description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. + description: >- + Users who have access to the Knowledge Base Entry, defaults to + current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array @@ -110372,7 +37584,8 @@ components: - global - users - $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields' - - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryResponseFields' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_DocumentEntryResponseFields Security_AI_Assistant_API_DocumentEntryCreateFields: allOf: - type: object @@ -110390,14 +37603,18 @@ components: example: default type: string users: - description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. + description: >- + Users who have access to the Knowledge Base Entry, defaults to + current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - name - - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields' - - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields Security_AI_Assistant_API_DocumentEntryOptionalFields: type: object properties: 
@@ -110433,8 +37650,10 @@ components: - text Security_AI_Assistant_API_DocumentEntryResponseFields: allOf: - - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields' - - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields Security_AI_Assistant_API_DocumentEntryUpdateFields: allOf: - type: object @@ -110454,13 +37673,16 @@ components: example: default type: string users: - description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. + description: >- + Users who have access to the Knowledge Base Entry, defaults to + current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - id - - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields Security_AI_Assistant_API_EsqlContentReference: allOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' @@ -110506,7 +37728,9 @@ components: - updated_at type: string Security_AI_Assistant_API_FindConversationsSortField: - description: The field by which to sort the conversations. Possible values are `created_at`, `title`, and `updated_at`. + description: >- + The field by which to sort the conversations. Possible values are + `created_at`, `title`, and `updated_at`. enum: - created_at - title 
@@ -110567,7 +37791,9 @@ components: example: default type: string users: - description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. + description: >- + Users who have access to the Knowledge Base Entry, defaults to + current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array @@ -110577,7 +37803,8 @@ components: - global - users - $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields' - - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryResponseFields' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_IndexEntryResponseFields Security_AI_Assistant_API_IndexEntryCreateFields: allOf: - type: object @@ -110595,21 +37822,27 @@ components: example: default type: string users: - description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. + description: >- + Users who have access to the Knowledge Base Entry, defaults to + current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - name - - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields' - - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields Security_AI_Assistant_API_IndexEntryOptionalFields: type: object properties: inputSchema: $ref: '#/components/schemas/Security_AI_Assistant_API_InputSchema' outputFields: - description: Fields to extract from the query result, defaults to all fields if not provided or empty. + description: >- + Fields to extract from the query result, defaults to all fields if + not provided or empty. example: - title - author 
@@ -110620,7 +37853,9 @@ components: type: object properties: description: - description: Description for when this index or data stream should be queried for Knowledge Base content. Passed to the LLM as a tool description. + description: >- + Description for when this index or data stream should be queried for + Knowledge Base content. Passed to the LLM as a tool description. example: Query this index for general knowledge base content. type: string field: @@ -110632,7 +37867,9 @@ components: example: knowledge_base_index type: string queryDescription: - description: Description of query field used to fetch Knowledge Base content. Passed to the LLM as part of the tool input schema. + description: >- + Description of query field used to fetch Knowledge Base content. + Passed to the LLM as part of the tool input schema. example: Search for documents containing the specified keywords. type: string type: @@ -110649,8 +37886,10 @@ components: - queryDescription Security_AI_Assistant_API_IndexEntryResponseFields: allOf: - - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields' - - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields Security_AI_Assistant_API_IndexEntryUpdateFields: allOf: - type: object 
@@ -110670,15 +37909,20 @@ components: example: default type: string users: - description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. + description: >- + Users who have access to the Knowledge Base Entry, defaults to + current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - id - - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields Security_AI_Assistant_API_InputSchema: - description: Array of objects defining the input schema, allowing the LLM to extract structured data to be used in retrieval. + description: >- + Array of objects defining the input schema, allowing the LLM to extract + structured data to be used in retrieval. items: type: object properties: @@ -110701,7 +37945,8 @@ components: type: array Security_AI_Assistant_API_InputTextInterruptResumeValue: allOf: - - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue - type: object properties: type: @@ -110741,9 +37986,11 @@ components: Security_AI_Assistant_API_InterruptResumeValue: description: Union of the interrupt resume values oneOf: - - $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptResumeValue' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptResumeValue additionalProperties: false - - $ref: '#/components/schemas/Security_AI_Assistant_API_InputTextInterruptResumeValue' + - $ref: >- + #/components/schemas/Security_AI_Assistant_API_InputTextInterruptResumeValue additionalProperties: false Security_AI_Assistant_API_InterruptType: description: The type of interrupt 
@@ -110754,9 +38001,11 @@ components:
 Security_AI_Assistant_API_InterruptValue:
 description: Union of the interrupt values
 oneOf:
- - $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptValue'
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptValue
 additionalProperties: false
- - $ref: '#/components/schemas/Security_AI_Assistant_API_InputTextInterruptValue'
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_InputTextInterruptValue
 additionalProperties: false
 Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason:
 description: Reason why a Knowledge Base Entry was skipped during the bulk action.
@@ -110775,7 +38024,8 @@ components:
 example: Skipped Entry
 type: string
 skip_reason:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason
 required:
 - id
 - skip_reason
@@ -110795,12 +38045,15 @@ components:
 message: Failed to update entry.
 statusCode: 400
 items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError
 type: array
 results:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults
 summary:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary
 required:
 - results
 - summary
@@ -110832,23 +38085,29 @@ components:
 id: '456'
 title: New Entry
 items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse
 type: array
 deleted:
- description: List of IDs of Knowledge Base Entries that were successfully deleted.
+ description: >-
+ List of IDs of Knowledge Base Entries that were successfully
+ deleted.
 example:
 - '789'
 items:
 type: string
 type: array
 skipped:
- description: List of Knowledge Base Entries that were skipped during the bulk action.
+ description: >-
+ List of Knowledge Base Entries that were skipped during the bulk
+ action.
 example:
 - id: '123'
 name: Skipped Entry
 skip_reason: KNOWLEDGE_BASE_ENTRY_NOT_MODIFIED
 items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult
 type: array
 updated:
 description: List of Knowledge Base Entries that were successfully updated.
@@ -110857,7 +38116,8 @@ components:
 id: '123'
 title: Updated Entry
 items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse
 type: array
 required:
 - updated
@@ -110872,11 +38132,15 @@ components:
 example: 2
 type: integer
 skipped:
- description: Number of Knowledge Base Entries that were skipped during the bulk action.
+ description: >-
+ Number of Knowledge Base Entries that were skipped during the bulk
+ action.
 example: 1
 type: integer
 succeeded:
- description: Number of Knowledge Base Entries that were successfully processed during the bulk action.
+ description: >-
+ Number of Knowledge Base Entries that were successfully processed
+ during the bulk action.
 example: 5
 type: integer
 total:
@@ -110913,12 +38177,16 @@ components:
 description: References a knowledge base entry
 Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps:
 anyOf:
- - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields'
- - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields'
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields
 discriminator:
 mapping:
- document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields'
- index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields'
+ document: >-
+ #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields
+ index: >-
+ #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields
 propertyName: type
 Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError:
 type: object
@@ -110964,27 +38232,37 @@ components:
 propertyName: type
 Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps:
 anyOf:
- - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields'
- - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields'
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields
 discriminator:
 mapping:
- document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields'
- index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields'
+ document: >-
+ #/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields
+ index: >-
+ #/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields
 propertyName: type
 Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps:
 anyOf:
- - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields'
- - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields'
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields
 discriminator:
 mapping:
- document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields'
- index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields'
+ document: >-
+ #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields
+ index: >-
+ #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields
 propertyName: type
 Security_AI_Assistant_API_KnowledgeBaseReadResponse200:
 type: object
 properties:
 defend_insights_exists:
- description: Indicates if Defend Insights documentation exists in the KnowledgeBase.
+ description: >-
+ Indicates if Defend Insights documentation exists in the
+ KnowledgeBase.
 example: true
 type: boolean
 elser_exists:
@@ -111004,7 +38282,9 @@ components:
 example: complete
 type: string
 security_labs_exists:
- description: Indicates if Security Labs documentation exists in the KnowledgeBase.
+ description: >-
+ Indicates if Security Labs documentation exists in the
+ KnowledgeBase.
 example: true
 type: boolean
 user_data_exists:
@@ -111012,7 +38292,9 @@ components:
 example: false
 type: boolean
 Security_AI_Assistant_API_KnowledgeBaseResource:
- description: Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc.
+ description: >-
+ Knowledge Base resource name for grouping entries, e.g. 'security_labs',
+ 'user', etc.
 enum:
 - security_labs
 - defend_insights
@@ -111100,10 +38382,16 @@ components:
 description: Data referred to by the message content.
 interruptResumeValue:
 $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptResumeValue'
- description: When the agent is resumed after an interrupt, this field is populated with the details of the resume value.
+ description: >-
+ When the agent is resumed after an interrupt, this field is
+ populated with the details of the resume value.
 interruptValue:
 $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptValue'
- description: When the agent is interrupted (for example, when user input is required), this field is populated with the details of the interrupt. Messages containing interruptValues in the metadata are excluded from the LLM context.
+ description: >-
+ When the agent is interrupted (for example, when user input is
+ required), this field is populated with the details of the
+ interrupt. Messages containing interruptValues in the metadata are
+ excluded from the LLM context.
 Security_AI_Assistant_API_MessageRole:
 description: Message role.
 enum:
@@ -111119,7 +38407,9 @@ components:
 minLength: 1
 type: string
 Security_AI_Assistant_API_NonEmptyTimestamp:
- description: A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters.
+ description: >-
+ A string that represents a timestamp in ISO 8601 format and does not
+ contain only whitespace characters.
 example: '2023-10-31T12:00:00Z'
 format: nonempty
 minLength: 1
@@ -111130,7 +38420,8 @@ components:
 anonymization_fields:
 description: Array of anonymization fields that caused the error.
 items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError
 type: array
 err_code:
 description: Error code indicating the type of failure.
@@ -111158,7 +38449,8 @@ components:
 knowledgeBaseEntries:
 description: List of Knowledge Base Entries that encountered the error.
 items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError
 type: array
 message:
 description: Error message describing the issue.
@@ -111184,7 +38476,8 @@ components:
 prompts:
 description: List of prompts that encountered errors.
 items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_PromptDetailsInError'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_PromptDetailsInError
 type: array
 status_code:
 description: The HTTP status code associated with the error.
@@ -111343,7 +38636,8 @@ components:
 description: The name of the prompt that was skipped.
 type: string
 skip_reason:
- $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason
 description: The reason for skipping the prompt.
 required:
 - id
@@ -111356,12 +38650,15 @@ components:
 properties:
 errors:
 items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedPromptError'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_NormalizedPromptError
 type: array
 results:
- $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults
 summary:
- $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary
 required:
 - results
 - summary
@@ -111399,7 +38696,8 @@ components:
 skipped:
 description: List of prompts that were skipped.
 items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult
 type: array
 updated:
 description: List of prompts that were updated.
@@ -111556,7 +38854,8 @@ components:
 - value
 Security_AI_Assistant_API_SelectOptionInterruptResumeValue:
 allOf:
- - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue'
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue
 - type: object
 properties:
 type:
@@ -111565,7 +38864,9 @@ components:
 example: SELECT_OPTION
 type: string
 value:
- description: The value of the selected option to resume the graph execution with
+ description: >-
+ The value of the selected option to resume the graph execution
+ with
 example: option_1
 type: string
 required:
@@ -111587,7 +38888,8 @@ components:
 - label: Option 1
 - label: Option 2
 items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptOption'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptOption
 type: array
 type:
 enum:
@@ -111631,7 +38933,9 @@ components:
 example: John Doe
 type: string
 Security_AI_Assistant_API_Vector:
- description: Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings.
+ description: >-
+ Object containing Knowledge Base Entry text embeddings and modelId used
+ to create the embeddings.
 type: object
 properties:
 modelId:
@@ -111729,7 +39033,9 @@ components:
 type: string
 type: array
 alert_rule_uuid:
- description: The optional kibana.alert.rule.uuid of the rule that generated this attack discovery (not applicable to ad hock runs)
+ description: >-
+ The optional kibana.alert.rule.uuid of the rule that generated this
+ attack discovery (not applicable to ad hock runs)
 type: string
 alert_start:
 description: The optional time the attack discovery alert was created
@@ -111738,16 +39044,22 @@ components:
 description: The optional time the attack discovery alert was last updated
 type: string
 alert_updated_by_user_id:
- description: The optional id of the user who last updated the attack discovery alert
+ description: >-
+ The optional id of the user who last updated the attack discovery
+ alert
 type: string
 alert_updated_by_user_name:
- description: The optional username of the user who updated the attack discovery alert
+ description: >-
+ The optional username of the user who updated the attack discovery
+ alert
 type: string
 alert_workflow_status:
 description: The optional kibana.alert.workflow_status of this attack discovery
 type: string
 alert_workflow_status_updated_at:
- description: The optional time the attack discovery alert workflow status was last updated
+ description: >-
+ The optional time the attack discovery alert workflow status was
+ last updated
 type: string
 assignees:
 description: The optional array of user-IDs who have been assigned the attack
@@ -111758,13 +39070,20 @@ components:
 description: The ID of the connector that generated the attack discovery
 type: string
 connector_name:
- description: The (human readable) name of the connector that generated the attack discovery
+ description: >-
+ The (human readable) name of the connector that generated the attack
+ discovery
 type: string
 details_markdown:
- description: Details of the attack with bulleted markdown that always uses special syntax for field names and values from the source data.
+ description: >-
+ Details of the attack with bulleted markdown that always uses
+ special syntax for field names and values from the source data.
 type: string
 entity_summary_markdown:
- description: An optional, short (no more than a sentence) summary of the attack discovery featuring only the host.name and user.name fields (when they are applicable), using the same syntax
+ description: >-
+ An optional, short (no more than a sentence) summary of the attack
+ discovery featuring only the host.name and user.name fields (when
+ they are applicable), using the same syntax
 type: string
 generation_uuid:
 description: The generation ID of the run that created the attack discovery
@@ -111773,7 +39092,9 @@ components:
 description: The unique ID of the attack discovery
 type: string
 index:
- description: The concrete Elasticsearch index where this attack discovery is stored
+ description: >-
+ The concrete Elasticsearch index where this attack discovery is
+ stored
 type: string
 mitre_attack_tactics:
 description: An optional array of MITRE ATT&CK tactic for the attack discovery
@@ -111782,9 +39103,13 @@ components:
 type: array
 replacements:
 $ref: '#/components/schemas/Security_Attack_discovery_API_Replacements'
- description: Key-value pairs that are used to replace placeholders in the markdown fields
+ description: >-
+ Key-value pairs that are used to replace placeholders in the
+ markdown fields
 risk_score:
- description: The optional, (but typically populated after generation) risk score of the alert
+ description: >-
+ The optional, (but typically populated after generation) risk score
+ of the alert
 type: integer
 summary_markdown:
 description: A markdown summary of attack discovery, using the same syntax
@@ -111804,10 +39129,14 @@ components:
 description: The optional id of the user who generated the attack discovery
 type: string
 user_name:
- description: The optional username of the user who generated the attack discovery, (not applicable to attack discoveries generated by rules)
+ description: >-
+ The optional username of the user who generated the attack
+ discovery, (not applicable to attack discoveries generated by rules)
 type: string
 users:
- description: The optional array of users who may view the attack discovery. When empty, (or not present), all users may view the attack discovery.
+ description: >-
+ The optional array of users who may view the attack discovery. When
+ empty, (or not present), all users may view the attack discovery.
 items:
 $ref: '#/components/schemas/Security_Attack_discovery_API_User'
 type: array
@@ -111828,7 +39157,8 @@ components:
 actions:
 description: The Attack Discovery schedule actions
 items:
- $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction'
+ $ref: >-
+ #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction
 type: array
 created_at:
 description: The date the schedule was created
@@ -111844,16 +39174,19 @@ components:
 description: UUID of Attack Discovery schedule
 type: string
 last_execution:
- $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution'
+ $ref: >-
+ #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution
 description: The Attack Discovery schedule last execution summary
 name:
 description: The name of the schedule
 type: string
 params:
- $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams'
+ $ref: >-
+ #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams
 description: The Attack Discovery schedule configuration parameters
 schedule:
- $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule'
+ $ref: >-
+ #/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule
 description: The Attack Discovery schedule interval
 updated_at:
 description: The date the schedule was updated
@@ -111875,22 +39208,30 @@ components:
 - actions
 Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction:
 oneOf:
- - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction'
- - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction'
+ - $ref: >-
+ #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction
+ - $ref: >-
+ #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction
 Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter:
 additionalProperties: true
 type: object
 Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency:
- description: The action frequency defines when the action runs (for example, only on schedule execution or at specific time intervals).
+ description: >-
+ The action frequency defines when the action runs (for example, only on
+ schedule execution or at specific time intervals).
 type: object
 properties:
 notify_when:
- $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen'
+ $ref: >-
+ #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen
 summary:
- description: Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
+ description: >-
+ Action summary indicates whether we will send a summary notification
+ about all the generate alerts or notification per individual alert
 type: boolean
 throttle:
- $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle'
+ $ref: >-
+ #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle
 nullable: true
 required:
 - summary
@@ -111903,7 +39244,9 @@ components:
 description: The connector ID.
 type: string
 Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen:
- description: 'The condition for throttling the notification: `onActionGroupChange`, `onActiveAlert`, or `onThrottleInterval`'
+ description: >-
+ The condition for throttling the notification: `onActionGroupChange`,
+ `onActiveAlert`, or `onThrottleInterval`
 enum:
 - onActiveAlert
 - onThrottleInterval
@@ -111911,10 +39254,14 @@ components:
 type: string
 Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams:
 additionalProperties: true
- description: Object containing the allowed connector fields, which varies according to the connector type.
+ description: >-
+ Object containing the allowed connector fields, which varies according
+ to the connector type.
 type: object
 Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle:
- description: Defines how often schedule actions are taken. Time interval in seconds, minutes, hours, or days.
+ description: >-
+ Defines how often schedule actions are taken. Time interval in seconds,
+ minutes, hours, or days.
 example: 1h
 pattern: ^[1-9]\d*[smhd]$
 type: string
@@ -111925,7 +39272,8 @@ components:
 actions:
 description: The Attack Discovery schedule actions
 items:
- $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction'
+ $ref: >-
+ #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction
 type: array
 enabled:
 description: Indicates whether the schedule is enabled
@@ -111934,10 +39282,12 @@ components:
 description: The name of the schedule
 type: string
 params:
- $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams'
+ $ref: >-
+ #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams
 description: The Attack Discovery schedule configuration parameters
 schedule:
- $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule'
+ $ref: >-
+ #/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule
 description: The Attack Discovery schedule interval
 required:
 - name
@@ -111957,7 +39307,8 @@ components:
 message:
 type: string
 status:
- $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus'
+ $ref: >-
+ #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus
 description: Status of the execution
 required:
 - date
@@ -111979,15 +39330,20 @@ components:
 description: The action type used for sending notifications.
 type: string
 alerts_filter:
- $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter'
+ $ref: >-
+ #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter
 frequency:
- $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency'
+ $ref: >-
+ #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency
 group:
- $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup'
+ $ref: >-
+ #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup
 id:
- $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId'
+ $ref: >-
+ #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId
 params:
- $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams'
+ $ref: >-
+ #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams
 uuid:
 $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
 required:
@@ -112037,9 +39393,11 @@ components:
 description: The action type used for sending notifications.
 type: string
 id:
- $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId'
+ $ref: >-
+ #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId
 params:
- $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams'
+ $ref: >-
+ #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams
 uuid:
 $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
 required:
@@ -112053,16 +39411,19 @@ components:
 actions:
 description: The Attack Discovery schedule actions
 items:
- $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction'
+ $ref: >-
+ #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction
 type: array
 name:
 description: The name of the schedule
 type: string
 params:
- $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams'
+ $ref: >-
+ #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams
 description: The Attack Discovery schedule configuration parameters
 schedule:
- $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule'
+ $ref: >-
+ #/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule
 description: The Attack Discovery schedule interval
 required:
 - name
@@ -112070,7 +39431,9 @@ components:
 - schedule
 - actions
 Security_Attack_discovery_API_AttackDiscoveryFindSortField:
- description: Allowed field names to sort Attack Discovery results by. Clients should only pass one of the listed values.
+ description: >-
+ Allowed field names to sort Attack Discovery results by. Clients should
+ only pass one of the listed values.
 enum:
 - '@timestamp'
 type: string
@@ -112078,7 +39441,10 @@ components:
 type: object
 properties:
 alerts_context_count:
- description: The number of alerts sent as context (max kibana.alert.rule.execution.metrics.alert_counts.active) to the LLM for the generation
+ description: >-
+ The number of alerts sent as context (max
+ kibana.alert.rule.execution.metrics.alert_counts.active) to the LLM
+ for the generation
 type: number
 connector_id:
 description: The connector id (event.dataset) for this generation
@@ -112088,19 +39454,29 @@ components:
 type: object
 properties:
 average_successful_duration_nanoseconds:
- description: The average duration (avg event.duration) in nanoseconds of successful generations for the same connector id, for the current user
+ description: >-
+ The average duration (avg event.duration) in nanoseconds of
+ successful generations for the same connector id, for the
+ current user
 type: number
 successful_generations:
- description: The number of successful generations for the same connector id, for the current user
+ description: >-
+ The number of successful generations for the same connector id,
+ for the current user
 type: number
 discoveries:
- description: The number of new Attack discovery alerts (max kibana.alert.rule.execution.metrics.alert_counts.new) for this generation
+ description: >-
+ The number of new Attack discovery alerts (max
+ kibana.alert.rule.execution.metrics.alert_counts.new) for this
+ generation
 type: number
 end:
 description: When generation ended (max event.end)
 type: string
 execution_uuid:
- description: The unique identifier (kibana.alert.rule.execution.uuid) for the generation
+ description: >-
+ The unique identifier (kibana.alert.rule.execution.uuid) for the
+ generation
 type: string
 loading_message:
 description: Generation loading message (kibana.alert.rule.execution.status)
@@ -112131,15 +39507,23 @@ components: type: object properties: alertsIndexPattern: - description: | - The (space specific) index pattern that contains the alerts to use as + description: > + The (space specific) index pattern that contains the alerts to use + as + context for the attack discovery. + Example: .alerts-security.alerts-default type: string anonymizationFields: - description: The list of fields, and whether or not they are anonymized, allowed to be sent to LLMs. Consider using the output of the `/api/security_ai_assistant/anonymization_fields/_find` API (for a specific Kibana space) to provide this value. + description: >- + The list of fields, and whether or not they are anonymized, allowed + to be sent to LLMs. Consider using the output of the + `/api/security_ai_assistant/anonymization_fields/_find` API (for a + specific Kibana space) to provide this value. items: - $ref: '#/components/schemas/Security_Attack_discovery_API_AnonymizationFieldResponse' + $ref: >- + #/components/schemas/Security_Attack_discovery_API_AnonymizationFieldResponse type: array apiConfig: $ref: '#/components/schemas/Security_Attack_discovery_API_ApiConfig' @@ -112150,8 +39534,10 @@ components: type: string filter: additionalProperties: true - description: |- - An Elasticsearch-style query DSL object used to filter alerts. For example: + description: >- + An Elasticsearch-style query DSL object used to filter alerts. For + example: + ```json { "filter": { "bool": { @@ -112212,7 +39598,9 @@ components: example: 400 type: number Security_Attack_discovery_API_Filters: - description: The filter array used to define the conditions for when alerts are selected as an Attack Discovery context. Defaults to an empty array. + description: >- + The filter array used to define the conditions for when alerts are + selected as an Attack Discovery context. Defaults to an empty array. items: {} type: array Security_Attack_discovery_API_IntervalApiSchedule: 
@@ -112230,7 +39618,9 @@ components:
 minLength: 1
 type: string
 Security_Attack_discovery_API_NonEmptyTimestamp:
- description: A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters.
+ description: >-
+ A string that represents a timestamp in ISO 8601 format and does not
+ contain only whitespace characters.
 example: '2023-10-31T12:00:00Z'
 format: nonempty
 minLength: 1
@@ -112286,14 +39676,18 @@ components:
 properties:
 add:
 items:
- description: A list of user profile `uid`s to assign. Users need to activate their user profile by logging into Kibana at least once.
+ description: >-
+ A list of user profile `uid`s to assign. Users need to activate
+ their user profile by logging into Kibana at least once.
 format: nonempty
 minLength: 1
 type: string
 type: array
 remove:
 items:
- description: A list of user profile `uid`s to unassign. Users need to activate their user profile by logging into Kibana at least once.
+ description: >-
+ A list of user profile `uid`s to unassign. Users need to activate
+ their user profile by logging into Kibana at least once.
 format: nonempty
 minLength: 1
 type: string
@@ -112351,22 +39745,29 @@ components:
 type: object
 properties:
 requests_per_second:
- description: The throttle for the migration task in sub-requests per second. Corresponds to requests_per_second on the Reindex API.
+ description: >-
+ The throttle for the migration task in sub-requests per second.
+ Corresponds to requests_per_second on the Reindex API.
 minimum: 1
 type: integer
 size:
- description: Number of alerts to migrate per batch. Corresponds to the source.size option on the Reindex API.
+ description: >-
+ Number of alerts to migrate per batch. Corresponds to the
+ source.size option on the Reindex API.
 minimum: 1
 type: integer
 slices:
- description: The number of subtasks for the migration task. Corresponds to slices on the Reindex API.
+ description: >-
+ The number of subtasks for the migration task. Corresponds to slices
+ on the Reindex API.
 minimum: 1
 type: integer
 Security_Detections_API_AlertsSort:
 oneOf:
 - $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations'
 - items:
- $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsSortCombinations
 type: array
 Security_Detections_API_AlertsSortCombinations:
 anyOf:
@@ -112374,7 +39775,9 @@ components:
 - additionalProperties: true
 type: object
 Security_Detections_API_AlertStatusExceptClosed:
- description: The status of an alert, which can be `open`, `acknowledged`, `in-progress`, or `closed`.
+ description: >-
+ The status of an alert, which can be `open`, `acknowledged`,
+ `in-progress`, or `closed`.
 enum:
 - open
 - acknowledged
@@ -112385,18 +39788,21 @@ components: type: object properties: duration: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration' + $ref: >- + #/components/schemas/Security_Detections_API_AlertSuppressionDuration group_by: $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionGroupBy' missing_fields_strategy: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy' + $ref: >- + #/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy required: - group_by Security_Detections_API_AlertSuppressionDuration: type: object properties: unit: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDurationUnit' + $ref: >- + #/components/schemas/Security_Detections_API_AlertSuppressionDurationUnit value: minimum: 1 type: integer @@ -112417,21 +39823,28 @@ components: minItems: 1 type: array Security_Detections_API_AlertSuppressionMissingFieldsStrategy: - description: |- - Describes how alerts will be generated for documents with missing suppress by fields: + description: >- + Describes how alerts will be generated for documents with missing + suppress by fields: + doNotSuppress - per each document a separate alert will be created + suppress - only alert will be created per suppress by bucket enum: - doNotSuppress - suppress type: string Security_Detections_API_AlertTag: - description: Use alert tags to organize related alerts into categories that you can filter and group. + description: >- + Use alert tags to organize related alerts into categories that you can + filter and group. format: nonempty minLength: 1 type: string Security_Detections_API_AlertTags: - description: List of keywords to organize related alerts into categories that you can filter and group. + description: >- + List of keywords to organize related alerts into categories that you can + filter and group. items: $ref: '#/components/schemas/Security_Detections_API_AlertTag' type: array 
@@ -112446,29 +39859,46 @@ components: - version - count Security_Detections_API_AnomalyThreshold: - description: Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100. + description: >- + Anomaly score threshold above which the rule creates an alert. Valid + values are from 0 to 100. minimum: 0 type: integer Security_Detections_API_BuildingBlockType: - description: | - Determines if the rule acts as a building block. If yes, the value must be `default`. - By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. - For more information, refer to [About building block rules](https://www.elastic.co/docs/solutions/security/detect-and-alert/about-building-block-rules). + description: > + Determines if the rule acts as a building block. If yes, the value must + be `default`. + + By default, building-block alerts are not displayed in the UI. These + rules are used as a foundation for other rules that do generate alerts. + + For more information, refer to [About building block + rules](https://www.elastic.co/docs/solutions/security/detect-and-alert/about-building-block-rules). 
type: string Security_Detections_API_BulkActionEditPayload: anyOf: - - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTags' - - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns' - - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields' - - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline' - - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions' - - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule' - - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadAlertSuppression' + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadTags + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadAlertSuppression Security_Detections_API_BulkActionEditPayloadAlertSuppression: anyOf: - - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppression' - - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold' - - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression' + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppression + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold + - $ref: >- + 
#/components/schemas/Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression: type: object properties: @@ -112479,12 +39909,19 @@ components: required: - type Security_Detections_API_BulkActionEditPayloadIndexPatterns: - description: | + description: > Edits index patterns of rulesClient. - - `add_index_patterns` adds index patterns to rules. If an index pattern already exists for a rule, no changes are made. - - `delete_index_patterns` removes index patterns from rules. If an index pattern does not exist for a rule, no changes are made. - - `set_index_patterns` sets index patterns for rules, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. + + - `add_index_patterns` adds index patterns to rules. If an index pattern + already exists for a rule, no changes are made. + + - `delete_index_patterns` removes index patterns from rules. If an index + pattern does not exist for a rule, no changes are made. + + - `set_index_patterns` sets index patterns for rules, overwriting any + existing index patterns. If the set of index patterns is the same as the + existing index patterns, no changes are made. type: object properties: overwrite_data_views: 
@@ -112502,12 +39939,20 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadInvestigationFields: - description: | + description: > Edits investigation fields of rules. - - `add_investigation_fields` adds investigation fields to rules. If an investigation field already exists for a rule, no changes are made. - - `delete_investigation_fields` removes investigation fields from rules. If an investigation field does not exist for a rule, no changes are made. - - `set_investigation_fields` sets investigation fields for rules. If the set of investigation fields is the same as the existing investigation fields, no changes are made. + + - `add_investigation_fields` adds investigation fields to rules. If an + investigation field already exists for a rule, no changes are made. + + - `delete_investigation_fields` removes investigation fields from rules. + If an investigation field does not exist for a rule, no changes are + made. + + - `set_investigation_fields` sets investigation fields for rules. If the + set of investigation fields is the same as the existing investigation + fields, no changes are made. type: object properties: type: 
@@ -112522,11 +39967,18 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadRuleActions: - description: | + description: > Edits rule actions of rules. - - `add_rule_actions` adds rule actions to rules. This action is non-idempotent, meaning that even if the same rule action already exists for a rule, it will be added again with a new unique ID. - - `set_rule_actions` sets rule actions for rules. This action is non-idempotent, meaning that even if the same set of rule actions already exists for a rule, it will be set again and the actions will receive new unique IDs. + + - `add_rule_actions` adds rule actions to rules. This action is + non-idempotent, meaning that even if the same rule action already exists + for a rule, it will be added again with a new unique ID. + + - `set_rule_actions` sets rule actions for rules. This action is + non-idempotent, meaning that even if the same set of rule actions + already exists for a rule, it will be set again and the actions will + receive new unique IDs. type: object properties: type: 
@@ -112539,22 +39991,30 @@ components: properties: actions: items: - $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleAction' + $ref: >- + #/components/schemas/Security_Detections_API_NormalizedRuleAction type: array throttle: - $ref: '#/components/schemas/Security_Detections_API_ThrottleForBulkActions' + $ref: >- + #/components/schemas/Security_Detections_API_ThrottleForBulkActions required: - actions required: - type - value Security_Detections_API_BulkActionEditPayloadSchedule: - description: | + description: > Overwrites schedule of rules. - - `set_schedule` sets a schedule for rules. If the same schedule already exists for a rule, no changes are made. - Both `interval` and `lookback` have a format of "{integer}{time_unit}", where accepted time units are `s` for seconds, `m` for minutes, and `h` for hours. The integer must be positive and larger than 0. Examples: "45s", "30m", "6h" + - `set_schedule` sets a schedule for rules. If the same schedule already + exists for a rule, no changes are made. + + + Both `interval` and `lookback` have a format of "{integer}{time_unit}", + where accepted time units are `s` for seconds, `m` for minutes, and `h` + for hours. The integer must be positive and larger than 0. Examples: + "45s", "30m", "6h" type: object properties: type: 
@@ -112565,15 +40025,20 @@ components: type: object properties: interval: - description: Interval in which the rule runs. For example, `"1h"` means the rule runs every hour. + description: >- + Interval in which the rule runs. For example, `"1h"` means the + rule runs every hour. example: 1h pattern: ^[1-9]\d*[smh]$ type: string lookback: - description: | + description: > Lookback time for the rules. - Additional look-back time that the rule analyzes. For example, "10m" means the rule analyzes the last 10 minutes of data in addition to the frequency interval. + + Additional look-back time that the rule analyzes. For example, + "10m" means the rule analyzes the last 10 minutes of data in + addition to the frequency interval. example: 1h pattern: ^[1-9]\d*[smh]$ type: string @@ -112603,17 +40068,24 @@ components: - set_alert_suppression_for_threshold type: string value: - $ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression' + $ref: >- + #/components/schemas/Security_Detections_API_ThresholdAlertSuppression required: - type - value Security_Detections_API_BulkActionEditPayloadTags: - description: | + description: > Edits tags of rules. - - `add_tags` adds tags to rules. If a tag already exists for a rule, no changes are made. - - `delete_tags` removes tags from rules. If a tag does not exist for a rule, no changes are made. - - `set_tags` sets tags for rules, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. + + - `add_tags` adds tags to rules. If a tag already exists for a rule, no + changes are made. + + - `delete_tags` removes tags from rules. If a tag does not exist for a + rule, no changes are made. + + - `set_tags` sets tags for rules, overwriting any existing tags. If the + set of tags is the same as the existing tags, no changes are made. type: object properties: type: 
@@ -112628,10 +40100,12 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadTimeline: - description: | + description: > Edits timeline of rules. - - `set_timeline` sets a timeline for rules. If the same timeline already exists for a rule, no changes are made. + + - `set_timeline` sets a timeline for rules. If the same timeline already + exists for a rule, no changes are made. type: object properties: type: @@ -112644,7 +40118,8 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle required: - timeline_id - timeline_title @@ -112675,7 +40150,8 @@ components: skip_reason: oneOf: - $ref: '#/components/schemas/Security_Detections_API_BulkEditSkipReason' - - $ref: '#/components/schemas/Security_Detections_API_BulkGapsFillingSkipReason' + - $ref: >- + #/components/schemas/Security_Detections_API_BulkGapsFillingSkipReason required: - id - skip_reason @@ -112687,10 +40163,14 @@ components: - delete type: string gap_auto_fill_scheduler_id: - description: Gap auto fill scheduler ID used to determine gap fill status for rules + description: >- + Gap auto fill scheduler ID used to determine gap fill status for + rules type: string gap_fill_statuses: - description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). + description: >- + Gap fill statuses to filter rules with gaps by status (used together + with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array 
@@ -112701,8 +40181,10 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: | - Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. + description: > + Array of rule `id`s to which a bulk action will be applied. Do not + use rule's `rule_id` here. + Only valid when query property is undefined. items: type: string @@ -112721,10 +40203,14 @@ components: - disable type: string gap_auto_fill_scheduler_id: - description: Gap auto fill scheduler ID used to determine gap fill status for rules + description: >- + Gap auto fill scheduler ID used to determine gap fill status for + rules type: string gap_fill_statuses: - description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). + description: >- + Gap fill statuses to filter rules with gaps by status (used together + with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -112735,8 +40221,10 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: | - Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. + description: > + Array of rule `id`s to which a bulk action will be applied. Do not + use rule's `rule_id` here. + Only valid when query property is undefined. items: type: string 
@@ -112768,10 +40256,14 @@ components: - include_exceptions - include_expired_exceptions gap_auto_fill_scheduler_id: - description: Gap auto fill scheduler ID used to determine gap fill status for rules + description: >- + Gap auto fill scheduler ID used to determine gap fill status for + rules type: string gap_fill_statuses: - description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). + description: >- + Gap fill statuses to filter rules with gaps by status (used together + with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -112782,8 +40274,10 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: | - Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. + description: > + Array of rule `id`s to which a bulk action will be applied. Do not + use rule's `rule_id` here. + Only valid when query property is undefined. items: type: string @@ -112802,12 +40296,15 @@ components: properties: errors: items: - $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleError' + $ref: >- + #/components/schemas/Security_Detections_API_NormalizedRuleError type: array results: - $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResults' + $ref: >- + #/components/schemas/Security_Detections_API_BulkEditActionResults summary: - $ref: '#/components/schemas/Security_Detections_API_BulkEditActionSummary' + $ref: >- + #/components/schemas/Security_Detections_API_BulkEditActionSummary required: - results - summary 
@@ -112846,7 +40343,13 @@ components: - deleted - skipped Security_Detections_API_BulkEditActionSummary: - description: A rule can only be skipped when the bulk action to be performed on it results in nothing being done. For example, if the `edit` action is used to add a tag to a rule that already has that tag, or to delete an index pattern that is not specified in a rule. Objects returned in `attributes.results.skipped` will only include rules' `id`, `name`, and `skip_reason`. + description: >- + A rule can only be skipped when the bulk action to be performed on it + results in nothing being done. For example, if the `edit` action is used + to add a tag to a rule that already has that tag, or to delete an index + pattern that is not specified in a rule. Objects returned in + `attributes.results.skipped` will only include rules' `id`, `name`, and + `skip_reason`. type: object properties: failed: @@ -112876,10 +40379,14 @@ components: minItems: 1 type: array gap_auto_fill_scheduler_id: - description: Gap auto fill scheduler ID used to determine gap fill status for rules + description: >- + Gap auto fill scheduler ID used to determine gap fill status for + rules type: string gap_fill_statuses: - description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). + description: >- + Gap fill statuses to filter rules with gaps by status (used together + with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -112890,8 +40397,10 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: | - Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. + description: > + Array of rule `id`s to which a bulk action will be applied. Do not + use rule's `rule_id` here. + Only valid when query property is undefined. items: type: string 
@@ -112915,10 +40424,14 @@ components: - enable type: string gap_auto_fill_scheduler_id: - description: Gap auto fill scheduler ID used to determine gap fill status for rules + description: >- + Gap auto fill scheduler ID used to determine gap fill status for + rules type: string gap_fill_statuses: - description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). + description: >- + Gap fill statuses to filter rules with gaps by status (used together + with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -112929,8 +40442,10 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: | - Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. + description: > + Array of rule `id`s to which a bulk action will be applied. Do not + use rule's `rule_id` here. + Only valid when query property is undefined. items: type: string @@ -112951,10 +40466,14 @@ components: - export type: string gap_auto_fill_scheduler_id: - description: Gap auto fill scheduler ID used to determine gap fill status for rules + description: >- + Gap auto fill scheduler ID used to determine gap fill status for + rules type: string gap_fill_statuses: - description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). + description: >- + Gap fill statuses to filter rules with gaps by status (used together + with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array 
@@ -112965,8 +40484,10 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: | - Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. + description: > + Array of rule `id`s to which a bulk action will be applied. Do not + use rule's `rule_id` here. + Only valid when query property is undefined. items: type: string @@ -112989,7 +40510,9 @@ components: - fill_gaps type: string fill_gaps: - description: Object that describes applying a manual gap fill action for the specified time range. + description: >- + Object that describes applying a manual gap fill action for the + specified time range. type: object properties: end_date: @@ -113002,10 +40525,14 @@ components: - start_date - end_date gap_auto_fill_scheduler_id: - description: Gap auto fill scheduler ID used to determine gap fill status for rules + description: >- + Gap auto fill scheduler ID used to determine gap fill status for + rules type: string gap_fill_statuses: - description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). + description: >- + Gap fill statuses to filter rules with gaps by status (used together + with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -113016,8 +40543,10 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: | - Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. + description: > + Array of rule `id`s to which a bulk action will be applied. Do not + use rule's `rule_id` here. + Only valid when query property is undefined. items: type: string 
@@ -113037,10 +40566,14 @@ components: - run type: string gap_auto_fill_scheduler_id: - description: Gap auto fill scheduler ID used to determine gap fill status for rules + description: >- + Gap auto fill scheduler ID used to determine gap fill status for + rules type: string gap_fill_statuses: - description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). + description: >- + Gap fill statuses to filter rules with gaps by status (used together + with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -113051,8 +40584,10 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: | - Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. + description: > + Array of rule `id`s to which a bulk action will be applied. Do not + use rule's `rule_id` here. + Only valid when query property is undefined. items: type: string @@ -113083,7 +40618,9 @@ components: reason: $ref: '#/components/schemas/Security_Detections_API_Reason' signal_ids: - description: 'List of alert ids. Use field `_id` on alert document or `kibana.alert.uuid`. Note: signals are a deprecated term for alerts.' + description: >- + List of alert ids. Use field `_id` on alert document or + `kibana.alert.uuid`. Note: signals are a deprecated term for alerts. items: format: nonempty minLength: 1 @@ -113146,7 +40683,9 @@ components: - items: type: string type: array - description: 'Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}' + description: >- + Map Osquery results columns or static values to Elastic Common Schema + (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}} type: object Security_Detections_API_EndpointResponseAction: type: object 
@@ -113206,14 +40745,18 @@ components: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -113227,7 +40770,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -113243,24 +40787,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -113287,11 +40842,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -113330,14 +40887,18 @@ components: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -113351,7 +40912,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -113367,24 +40929,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -113413,11 +40986,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -113448,14 +41023,18 @@ components: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -113469,11 +41048,12 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -113487,24 +41067,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -113533,11 +41124,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -113552,14 +41145,18 @@ components: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -113573,11 +41170,12 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -113591,24 +41189,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -113637,11 +41246,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -113688,14 +41299,18 @@ components: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -113709,7 +41324,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -113725,24 +41341,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -113769,11 +41396,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -113812,14 +41441,18 @@ components: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -113833,7 +41466,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -113849,24 +41483,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -113895,11 +41540,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -113920,14 +41567,18 @@ components: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -113941,11 +41592,12 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: @@ -113961,11 +41613,13 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' query: 
@@ -113973,14 +41627,23 @@ components: references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: @@ -114009,11 +41672,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' type: 
@@ -114049,14 +41714,18 @@ components: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -114070,11 +41739,12 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -114088,24 +41758,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -114134,11 +41815,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -114164,7 +41847,9 @@ components: - endpoint_blocklists type: string Security_Detections_API_ExternalRuleCustomizedFields: - description: An array of customized field names — that is, fields that the user has modified from their base value. Defaults to an empty array. + description: >- + An array of customized field names — that is, fields that the user has + modified from their base value. Defaults to an empty array. items: type: object properties: 
@@ -114175,18 +41860,27 @@ components: - field_name type: array Security_Detections_API_ExternalRuleHasBaseVersion: - description: Determines whether an external/prebuilt rule has its original, unmodified version present when the calculation of its customization status is performed (`rule_source.is_customized` and `rule_source.customized_fields`). + description: >- + Determines whether an external/prebuilt rule has its original, + unmodified version present when the calculation of its customization + status is performed (`rule_source.is_customized` and + `rule_source.customized_fields`). type: boolean Security_Detections_API_ExternalRuleSource: - description: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo. + description: >- + Type of rule source for externally sourced rules, i.e. rules that have + an external source, such as the Elastic Prebuilt rules repo. type: object properties: customized_fields: - $ref: '#/components/schemas/Security_Detections_API_ExternalRuleCustomizedFields' + $ref: >- + #/components/schemas/Security_Detections_API_ExternalRuleCustomizedFields has_base_version: - $ref: '#/components/schemas/Security_Detections_API_ExternalRuleHasBaseVersion' + $ref: >- + #/components/schemas/Security_Detections_API_ExternalRuleHasBaseVersion is_customized: - $ref: '#/components/schemas/Security_Detections_API_IsExternalRuleCustomized' + $ref: >- + #/components/schemas/Security_Detections_API_IsExternalRuleCustomized type: enum: - external 
@@ -114221,7 +41915,12 @@ components: - error type: string Security_Detections_API_HistoryWindowStart: - description: Start date to use when checking if a term has been seen before. Supports relative dates – for example, now-30d will search the last 30 days of data when checking if a term is new. We do not recommend using absolute dates, which can cause issues with rule performance due to querying increasing amounts of data over time. + description: >- + Start date to use when checking if a term has been seen before. Supports + relative dates – for example, now-30d will search the last 30 days of + data when checking if a term is new. We do not recommend using absolute + dates, which can cause issues with rule performance due to querying + increasing amounts of data over time. format: nonempty minLength: 1 type: string @@ -114249,15 +41948,21 @@ components: - migrations - is_outdated Security_Detections_API_IndexPatternArray: - description: | - Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → `securitySolution:defaultIndex`). + description: > + Indices on which the rule functions. Defaults to the Security Solution + indices defined on the Kibana Advanced Settings page (Kibana → Stack + Management → Advanced Settings → `securitySolution:defaultIndex`). + > info + > This field is not supported for ES|QL rules. items: type: string type: array Security_Detections_API_InternalRuleSource: - description: Type of rule source for internally sourced rules, i.e. created within the Kibana apps. + description: >- + Type of rule source for internally sourced rules, i.e. created within + the Kibana apps. type: object properties: type: 
@@ -114267,9 +41972,12 @@ components: required: - type Security_Detections_API_InvestigationFields: - description: | - Schema for fields relating to investigation fields. These are user defined fields we use to highlight - in various features in the UI such as alert details flyout and exceptions auto-population from alert. + description: > + Schema for fields relating to investigation fields. These are user + defined fields we use to highlight + + in various features in the UI such as alert details flyout and + exceptions auto-population from alert. type: object properties: field_names: @@ -114283,14 +41991,19 @@ components: description: Notes to help investigate alerts produced by the rule. type: string Security_Detections_API_IsExternalRuleCustomized: - description: Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value). + description: >- + Determines whether an external/prebuilt rule has been customized by the + user (i.e. any of its fields have been modified and diverged from the + base value). type: boolean Security_Detections_API_IsRuleEnabled: description: Determines whether the rule is enabled. Defaults to true. type: boolean Security_Detections_API_IsRuleImmutable: deprecated: true - description: This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the `rule_source` field. + description: >- + This field determines whether the rule is a prebuilt Elastic rule. It + will be replaced with the `rule_source` field. type: boolean Security_Detections_API_ItemsPerSearch: minimum: 1 
@@ -114313,14 +42026,18 @@ components: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -114334,7 +42051,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -114350,24 +42068,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -114394,11 +42123,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -114427,24 +42158,31 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields' + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields Security_Detections_API_MachineLearningRuleCreateFields: allOf: - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields Security_Detections_API_MachineLearningRuleCreateProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -114458,7 +42196,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -114474,24 +42213,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -114520,11 +42270,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -114534,7 +42286,8 @@ components: - description - risk_score - severity - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields' + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields Security_Detections_API_MachineLearningRuleOptionalFields: type: object properties: 
@@ -114547,26 +42300,32 @@ components: anomaly_threshold: $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold' machine_learning_job_id: - $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId' + $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningJobId type: description: Rule type enum: - machine_learning type: string - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields Security_Detections_API_MachineLearningRulePatchProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -114580,11 +42339,12 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -114598,24 +42358,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -114644,16 +42415,19 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchFields' + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRulePatchFields Security_Detections_API_MachineLearningRuleRequiredFields: type: object properties: 
@@ -114672,21 +42446,27 @@ components: - anomaly_threshold Security_Detections_API_MachineLearningRuleResponseFields: allOf: - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields Security_Detections_API_MachineLearningRuleUpdateProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -114700,11 +42480,12 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -114718,24 +42499,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -114764,11 +42556,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -114778,13 +42572,25 @@ components: - description - risk_score - severity - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields' + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields Security_Detections_API_MaxSignals: default: 100 - description: | - Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run [advanced setting](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#rule-ui-advanced-params) value). + description: > + Maximum number of alerts the rule can create during a single run (the + rule’s Max alerts per run [advanced + setting](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#rule-ui-advanced-params) + value). + > info - > This setting can be superseded by the [Kibana configuration setting](https://www.elastic.co/docs/reference/kibana/configuration-reference/alerting-settings) `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, the rule can generate no more than 1000 alerts even if `max_signals` is set higher. + + > This setting can be superseded by the [Kibana configuration + setting](https://www.elastic.co/docs/reference/kibana/configuration-reference/alerting-settings) + `xpack.alerting.rules.run.alerts.max`, which determines the maximum + alerts generated by any rule in the Kibana alerting framework. For + example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, the + rule can generate no more than 1000 alerts even if `max_signals` is set + higher. minimum: 1 type: integer Security_Detections_API_MigrationCleanupResult: 
@@ -114897,14 +42703,18 @@ components: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -114918,7 +42728,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -114934,24 +42745,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -114978,11 +42800,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -115011,25 +42835,33 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleResponseFields' + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleResponseFields Security_Detections_API_NewTermsRuleCreateFields: allOf: - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields' + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields Security_Detections_API_NewTermsRuleCreateProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -115043,7 +42875,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -115059,24 +42892,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -115105,11 +42949,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -115119,7 +42965,8 @@ components: - description - risk_score - severity - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields' + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleCreateFields Security_Detections_API_NewTermsRuleDefaultableFields: type: object properties: 
@@ -115151,21 +42998,27 @@ components: enum: - new_terms type: string - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields' + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields Security_Detections_API_NewTermsRulePatchProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -115179,11 +43032,12 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -115197,24 +43051,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -115243,11 +43108,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -115274,8 +43141,10 @@ components: - history_window_start Security_Detections_API_NewTermsRuleResponseFields: allOf: - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields - type: object properties: language: 
@@ -115287,14 +43156,18 @@ components: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -115308,11 +43181,12 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -115326,24 +43200,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -115372,11 +43257,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -115386,7 +43273,8 @@ components: - description - risk_score - severity - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields' + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleCreateFields Security_Detections_API_NonEmptyString: description: A string that does not contain only whitespace characters format: nonempty @@ -115413,7 +43301,8 @@ components: type: object properties: err_code: - $ref: '#/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode' + $ref: >- + #/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode message: type: string rules: 
@@ -115432,20 +43321,31 @@ components: ecs_mapping: $ref: '#/components/schemas/Security_Detections_API_EcsMapping' pack_id: - description: 'To specify a query pack, use the packId field. Example: "packId": "processes_elastic"' + description: >- + To specify a query pack, use the packId field. Example: "packId": + "processes_elastic" type: string queries: items: $ref: '#/components/schemas/Security_Detections_API_OsqueryQuery' type: array query: - description: 'To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"' + description: >- + To run a single query, use the query field and enter a SQL query. + Example: "query": "SELECT * FROM processes;" type: string saved_query_id: - description: 'To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"' + description: >- + To run a saved query, use the saved_query_id field and specify the + saved query ID. Example: "saved_query_id": "processes_elastic" type: string timeout: - description: 'A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.' + description: >- + A timeout period, in seconds, after which the query will stop + running. Overwriting the default timeout allows you to support + queries that require more time to complete. The default and minimum + supported value is 60. The maximum supported value is 900. Example: + "timeout": 120. type: number Security_Detections_API_OsqueryQuery: type: object 
@@ -115499,13 +43399,18 @@ components: type: object properties: command: - description: 'To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"' + description: >- + To run an endpoint response action, specify a value for the command + field. Example: "command": "isolate" enum: - kill-process - suspend-process type: string comment: - description: 'Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"' + description: >- + Add a note that explains or describes the action. You can find your + comment in the response actions history log. Example: "comment": + "Check processes" type: string config: type: object @@ -115557,14 +43462,18 @@ components: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -115578,7 +43487,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -115594,24 +43504,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -115638,11 +43559,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -115676,20 +43599,25 @@ components: allOf: - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields' + - $ref: >- + #/components/schemas/Security_Detections_API_QueryRuleDefaultableFields Security_Detections_API_QueryRuleCreateProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -115703,7 +43631,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -115719,24 +43648,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -115765,11 +43705,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -115810,20 +43752,25 @@ components: - query type: string - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields' + - $ref: >- + #/components/schemas/Security_Detections_API_QueryRuleDefaultableFields Security_Detections_API_QueryRulePatchProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -115837,11 +43784,12 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -115855,24 +43803,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -115901,11 +43860,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -115939,14 +43900,18 @@ components: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -115960,11 +43925,12 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -115978,24 +43944,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -116024,11 +44001,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -116040,7 +44019,11 @@ components: - severity - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields' Security_Detections_API_Reason: - description: 'The reason for closing the alerts. Can be one of following predefined reasons: [false_positive, duplicate, true_positive, benign_positive, automated_closure, other] or a custom reason provided by the user through the advanced settings.' + description: >- + The reason for closing the alerts. Can be one of following predefined + reasons: [false_positive, duplicate, true_positive, benign_positive, + automated_closure, other] or a custom reason provided by the user + through the advanced settings. oneOf: - $ref: '#/components/schemas/Security_Detections_API_ReasonEnum' - type: string 
@@ -116054,23 +44037,45 @@ components: - other type: string Security_Detections_API_RelatedIntegration: - description: | - Related integration is a potential dependency of a rule. It's assumed that if the user installs - one of the related integrations of a rule, the rule might start to work properly because it will - have source events (generated by this integration) potentially matching the rule's query. + description: > + Related integration is a potential dependency of a rule. It's assumed + that if the user installs + + one of the related integrations of a rule, the rule might start to work + properly because it will + + have source events (generated by this integration) potentially matching + the rule's query. - NOTE: Proper work is not guaranteed, because a related integration, if installed, can be - configured differently or generate data that is not necessarily relevant for this rule. - Related integration is a combination of a Fleet package and (optionally) one of the - package's "integrations" that this package contains. It is represented by 3 properties: + NOTE: Proper work is not guaranteed, because a related integration, if + installed, can be + + configured differently or generate data that is not necessarily relevant + for this rule. + + + Related integration is a combination of a Fleet package and (optionally) + one of the + + package's "integrations" that this package contains. It is represented + by 3 properties: + - `package`: name of the package (required, unique id) + - `version`: version of the package (required, semver-compatible) - - `integration`: name of the integration of this package (optional, id within the package) - There are Fleet packages like `windows` that contain only one integration; in this case, - `integration` should be unspecified. 
There are also packages like `aws` and `azure` that contain + - `integration`: name of the integration of this package (optional, id + within the package) + + + There are Fleet packages like `windows` that contain only one + integration; in this case, + + `integration` should be unspecified. There are also packages like `aws` + and `azure` that contain + several integrations; in this case, `integration` should be specified. example: integration: activitylogs @@ -116092,23 +44097,35 @@ components: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegration' type: array Security_Detections_API_RequiredField: - description: | - Describes an Elasticsearch field that is needed for the rule to function. + description: > + Describes an Elasticsearch field that is needed for the rule to + function. + + + Almost all types of Security rules check source event documents for a + match to some kind of + + query or filter. If a document has certain field with certain values, + then it's a match and - Almost all types of Security rules check source event documents for a match to some kind of - query or filter. If a document has certain field with certain values, then it's a match and the rule will generate an alert. - Required field is an event field that must be present in the source indices of a given rule. + + Required field is an event field that must be present in the source + indices of a given rule. + @example + const standardEcsField: RequiredField = { name: 'event.action', type: 'keyword', ecs: true, }; + @example + const nonEcsField: RequiredField = { name: 'winlog.event_data.AttributeLDAPDisplayName', type: 'keyword', 
@@ -116117,7 +44134,10 @@ components: type: object properties: ecs: - description: Indicates whether the field is ECS-compliant. This property is only present in responses. Its value is computed based on field’s name and type. + description: >- + Indicates whether the field is ECS-compliant. This property is only + present in responses. Its value is computed based on field’s name + and type. type: boolean name: description: Name of an Elasticsearch field @@ -116138,7 +44158,10 @@ components: $ref: '#/components/schemas/Security_Detections_API_RequiredField' type: array Security_Detections_API_RequiredFieldInput: - description: Input parameters to create a RequiredField. Does not include the `ecs` field, because `ecs` is calculated on the backend based on the field name and type. + description: >- + Input parameters to create a RequiredField. Does not include the `ecs` + field, because `ecs` is calculated on the backend based on the field + name and type. type: object properties: name: @@ -116174,7 +44197,7 @@ components: execution_summary: $ref: '#/components/schemas/Security_Detections_API_RuleExecutionSummary' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' immutable: $ref: '#/components/schemas/Security_Detections_API_IsRuleImmutable' required_fields: @@ -116213,7 +44236,9 @@ components: minimum: 0 type: integer Security_Detections_API_RiskScoreMapping: - description: Overrides generated alerts' risk_score with a value from the source event + description: >- + Overrides generated alerts' risk_score with a value from the source + event items: type: object properties: 
@@ -116276,27 +44301,34 @@ components: - params Security_Detections_API_RuleActionAlertsFilter: additionalProperties: true - description: | + description: > Object containing an action’s conditional filters. - - `timeframe` (object, optional): Object containing the time frame for when this action can be run. + + - `timeframe` (object, optional): Object containing the time frame for + when this action can be run. - `days` (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between `1-7`, where `1` is Monday and `7` is Sunday. To select all days of the week, enter an empty array. - `hours` (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format `hh:mm` in `24` hour time. A start of `00:00` and an end of `24:00` means the action can run all day. - start (string, required): Start time in `hh:mm` format. - end (string, required): End time in `hh:mm` format. - `timezone` (string, required): An ISO timezone name, such as `Europe/Madrid` or `America/New_York`. Specific offsets such as `UTC` or `UTC+1` will also work, but lack built-in DST. - - `query` (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run. + - `query` (object, optional): Object containing a query filter which + gets applied to an action and determines whether the action should run. - `kql` (string, required): A KQL string. - `filters` (array of objects, required): Array of filter objects, as defined in the `kbn-es-query` package. type: object Security_Detections_API_RuleActionFrequency: - description: The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals). + description: >- + The action frequency defines when the action runs (for example, only on + rule execution or at specific time intervals). 
type: object properties: notifyWhen: $ref: '#/components/schemas/Security_Detections_API_RuleActionNotifyWhen' summary: - description: Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert + description: >- + Action summary indicates whether we will send a summary notification + about all the generate alerts or notification per individual alert type: boolean throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' @@ -116306,7 +44338,9 @@ components: - notifyWhen - throttle Security_Detections_API_RuleActionGroup: - description: Optionally groups actions by use cases. Use `default` for alert notifications. + description: >- + Optionally groups actions by use cases. Use `default` for alert + notifications. type: string Security_Detections_API_RuleActionId: description: The connector ID. @@ -116320,8 +44354,10 @@ components: type: string Security_Detections_API_RuleActionParams: additionalProperties: true - description: | - Object containing the allowed connector fields, which varies according to the connector type. + description: > + Object containing the allowed connector fields, which varies according + to the connector type. + For Slack: 
@@ -116369,22 +44405,30 @@ components: anyOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' discriminator: mapping: eql: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' esql: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' - machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' + machine_learning: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps new_terms: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' query: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' - saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' - threat_match: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' - threshold: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' + saved_query: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps + threat_match: >- + 
#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps + threshold: >- + #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps propertyName: type Security_Detections_API_RuleDescription: description: The rule’s description. @@ -116401,8 +44445,11 @@ components: required: - id Security_Detections_API_RuleExceptionList: - description: | - Array of [exception containers](https://www.elastic.co/docs/solutions/security/detect-and-alert/detection-rule-concepts), which define exceptions that prevent the rule from generating alerts even when its other criteria are met. + description: > + Array of [exception + containers](https://www.elastic.co/docs/solutions/security/detect-and-alert/detection-rule-concepts), + which define exceptions that prevent the rule from generating alerts + even when its other criteria are met. type: object properties: id: @@ -116436,7 +44483,10 @@ components: minimum: 0 type: integer frozen_indices_queried_count: - description: Count of frozen indices queried during the rule execution. These indices could not be entirely excluded after applying the time range filter. + description: >- + Count of frozen indices queried during the rule execution. These + indices could not be entirely excluded after applying the time range + filter. minimum: 0 type: integer gap_range: @@ -116457,7 +44507,9 @@ components: type: object properties: type: - description: The type of reason for the gap (rule_disabled or rule_did_not_run) + description: >- + The type of reason for the gap (rule_disabled or + rule_did_not_run) enum: - rule_disabled - rule_did_not_run 
@@ -116465,25 +44517,50 @@ components: required: - type total_enrichment_duration_ms: - description: Total time spent enriching documents during current rule execution cycle + description: >- + Total time spent enriching documents during current rule execution + cycle minimum: 0 type: integer total_indexing_duration_ms: - description: Total time spent indexing documents during current rule execution cycle + description: >- + Total time spent indexing documents during current rule execution + cycle minimum: 0 type: integer total_search_duration_ms: - description: Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response + description: >- + Total time spent performing ES searches as measured by Kibana; + includes network latency and time spent serializing/deserializing + request/response minimum: 0 type: integer Security_Detections_API_RuleExecutionStatus: - description: |- - Custom execution status of Security rules that is different from the status used in the Alerting Framework. We merge our custom status with the Framework's status to determine the resulting status of a rule. - - going to run - @deprecated Replaced by the 'running' status but left for backwards compatibility with rule execution events already written to Event Log in the prior versions of Kibana. Don't use when writing rule status changes. - - running - Rule execution started but not reached any intermediate or final status. - - partial failure - Rule can partially fail for various reasons either in the middle of an execution (in this case we update its status right away) or in the end of it. So currently this status can be both intermediate and final at the same time. A typical reason for a partial failure: not all the indices that the rule searches over actually exist. - - failed - Rule failed to execute due to unhandled exception or a reason defined in the business logic of its executor function. 
- - succeeded - Rule executed successfully without any issues. Note: this status is just an indication of a rule's "health". The rule might or might not generate any alerts despite of it. + description: >- + Custom execution status of Security rules that is different from the + status used in the Alerting Framework. We merge our custom status with + the Framework's status to determine the resulting status of a rule. + + - going to run - @deprecated Replaced by the 'running' status but left + for backwards compatibility with rule execution events already written + to Event Log in the prior versions of Kibana. Don't use when writing + rule status changes. + + - running - Rule execution started but not reached any intermediate or + final status. + + - partial failure - Rule can partially fail for various reasons either + in the middle of an execution (in this case we update its status right + away) or in the end of it. So currently this status can be both + intermediate and final at the same time. A typical reason for a partial + failure: not all the indices that the rule searches over actually exist. + + - failed - Rule failed to execute due to unhandled exception or a reason + defined in the business logic of its executor function. + + - succeeded - Rule executed successfully without any issues. Note: this + status is just an indication of a rule's "health". The rule might or + might not generate any alerts despite of it. enum: - going to run - running 
@@ -116510,12 +44587,14 @@ components: message: type: string metrics: - $ref: '#/components/schemas/Security_Detections_API_RuleExecutionMetrics' + $ref: >- + #/components/schemas/Security_Detections_API_RuleExecutionMetrics status: $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatus' description: Status of the last execution status_order: - $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatusOrder' + $ref: >- + #/components/schemas/Security_Detections_API_RuleExecutionStatusOrder required: - date - status 
@@ -116525,22 +44604,33 @@ components: required: - last_execution Security_Detections_API_RuleFalsePositiveArray: - description: String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array. + description: >- + String array used to describe common reasons why the rule may issue + false-positive alerts. Defaults to an empty array. items: type: string type: array Security_Detections_API_RuleFilterArray: - description: | - The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array. + description: > + The query and filter context array used to define the conditions for + when alerts are created from events. Defaults to an empty array. + > info + > This field is not supported for ES|QL rules. items: {} type: array Security_Detections_API_RuleInterval: - description: Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes). + description: >- + Frequency of rule execution, using a date math range. For example, "1h" + means the rule runs every hour. Defaults to 5m (5 minutes). type: string Security_Detections_API_RuleIntervalFrom: - description: Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time). + description: >- + Time from which data is analyzed each time the rule runs, using a date + math range. For example, now-4200s means the rule analyzes data from 70 + minutes before its start time. Defaults to now-6m (analyzes data from 6 + minutes before the start time). format: date-math type: string Security_Detections_API_RuleIntervalTo: 
@@ -116550,10 +44640,13 @@ components: type: string Security_Detections_API_RuleMetadata: additionalProperties: true - description: | + description: > Placeholder for metadata about the rule. + > info - > This field is overwritten when you save changes to the rule’s settings. + + > This field is overwritten when you save changes to the rule’s + settings. type: object Security_Detections_API_RuleName: description: A human-readable name for the rule. 
@@ -116561,19 +44654,31 @@ components: minLength: 1 type: string Security_Detections_API_RuleNameOverride: - description: Sets which field in the source event is used to populate the alert's `signal.rule.name` value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s `name` value is used. The source field must be a string data type. + description: >- + Sets which field in the source event is used to populate the alert's + `signal.rule.name` value (in the UI, this value is displayed on the + Rules page in the Rule column). When unspecified, the rule’s `name` + value is used. The source field must be a string data type. type: string Security_Detections_API_RuleObjectId: $ref: '#/components/schemas/Security_Detections_API_UUID' - description: A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object `id`s. + description: >- + A dynamic unique identifier for the rule object. It is randomly + generated when a rule is created and cannot be changed after that. It is + always a UUID. It is unique within a given Kibana space. The same + prebuilt Elastic rule, when installed in two different Kibana spaces or + two different Elastic environments, will have different object `id`s. 
Security_Detections_API_RulePatchProps: anyOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchProps' - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchProps' + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRulePatchProps - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchProps' - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps' - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchProps' + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRulePatchProps - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_EsqlRulePatchProps' Security_Detections_API_RulePreviewLoggedRequest: @@ -116599,7 +44704,8 @@ components: type: array requests: items: - $ref: '#/components/schemas/Security_Detections_API_RulePreviewLoggedRequest' + $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewLoggedRequest type: array startedAt: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' 
@@ -116623,14 +44729,22 @@ components: - invocationCount - timeframeEnd Security_Detections_API_RuleQuery: - description: | - [Query](https://www.elastic.co/docs/explore-analyze/query-filter) used by the rule to create alerts. + description: > + [Query](https://www.elastic.co/docs/explore-analyze/query-filter) used + by the rule to create alerts. + + + - For indicator match rules, only the query’s results are used to + determine whether an alert is generated. - - For indicator match rules, only the query’s results are used to determine whether an alert is generated. - - ES|QL rules have additional query requirements. Refer to [Create ES|QL](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#create-esql-rule) rules for more information. + - ES|QL rules have additional query requirements. Refer to [Create + ES|QL](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#create-esql-rule) + rules for more information. type: string Security_Detections_API_RuleReferenceArray: - description: Array containing notes about or references to relevant information about the rule. Defaults to an empty array. + description: >- + Array containing notes about or references to relevant information about + the rule. Defaults to an empty array. items: type: string type: array 
@@ -116656,26 +44770,47 @@ components: threshold: '#/components/schemas/Security_Detections_API_ThresholdRule' propertyName: type Security_Detections_API_RuleRevision: - description: | + description: > The rule's revision number. - It represents the version of rule's object in Kibana. It is set to `0` when the rule is installed or created and then gets incremented on each update. + + It represents the version of rule's object in Kibana. It is set to `0` + when the rule is installed or created and then gets incremented on each + update. + > info - > Not all updates to any rule fields will increment the revision. Only those fields that are considered static `rule parameters` can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by `1`. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments. + + > Not all updates to any rule fields will increment the revision. Only + those fields that are considered static `rule parameters` can trigger + revision increments. For example, an update to a rule's query or index + fields will increment the rule's revision by `1`. However, changes to + dynamic or technical fields like enabled or execution_summary will not + cause revision increments. minimum: 0 type: integer Security_Detections_API_RuleSignatureId: - description: A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same `rule_id`s. + description: >- + A stable unique identifier for the rule object. It can be assigned + during rule creation. It can be any string, but often is a UUID. 
It + should be unique not only within a given Kibana space, but also across + spaces and Elastic environments. The same prebuilt Elastic rule, when + installed in two different Kibana spaces or two different Elastic + environments, will have the same `rule_id`s. type: string Security_Detections_API_RuleSource: - description: Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo. + description: >- + Discriminated union that determines whether the rule is internally + sourced (created within the Kibana app) or has an external source, such + as the Elastic Prebuilt rules repo. discriminator: propertyName: type oneOf: - $ref: '#/components/schemas/Security_Detections_API_ExternalRuleSource' - $ref: '#/components/schemas/Security_Detections_API_InternalRuleSource' Security_Detections_API_RuleTagArray: - description: String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array. + description: >- + String array containing words and phrases to help categorize, filter, + and search rules. Defaults to an empty array. items: type: string type: array 
@@ -116683,31 +44818,47 @@ components: anyOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps' - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps' - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps' - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps' - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps' + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps' discriminator: mapping: eql: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps' esql: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps' - machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps' + machine_learning: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps new_terms: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps' query: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps' - saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps' - threat_match: '#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps' - threshold: '#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps' + saved_query: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps + threat_match: >- + 
#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps + threshold: >- + #/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps propertyName: type Security_Detections_API_RuleVersion: - description: | + description: > The rule's version number. - - For prebuilt rules it represents the version of the rule's content in the source [detection-rules](https://github.com/elastic/detection-rules) repository (and the corresponding `security_detection_engine` Fleet package that is used for distributing prebuilt rules). + + - For prebuilt rules it represents the version of the rule's content in + the source [detection-rules](https://github.com/elastic/detection-rules) + repository (and the corresponding `security_detection_engine` Fleet + package that is used for distributing prebuilt rules). + - For custom rules it is set to `1` when the rule is created. + > info - > It is not incremented on each update. Compare this to the `revision` field. + + > It is not incremented on each update. Compare this to the `revision` + field. minimum: 1 type: integer Security_Detections_API_RunScriptOsConfigValues: 
@@ -116733,17 +44884,22 @@ components: - runscript type: string comment: - description: Add a note that explains or describes the action. You can find your comment in the response actions history log + description: >- + Add a note that explains or describes the action. You can find your + comment in the response actions history log type: string config: type: object properties: linux: - $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues' + $ref: >- + #/components/schemas/Security_Detections_API_RunScriptOsConfigValues macos: - $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues' + $ref: >- + #/components/schemas/Security_Detections_API_RunScriptOsConfigValues windows: - $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues' + $ref: >- + #/components/schemas/Security_Detections_API_RunScriptOsConfigValues required: - command Security_Detections_API_SavedObjectResolveAliasPurpose: 
@@ -116760,21 +44916,28 @@ components: - conflict type: string Security_Detections_API_SavedQueryId: - description: Kibana [saved search](https://www.elastic.co/docs/explore-analyze/discover/search-sessions) used by the rule to create alerts. + description: >- + Kibana [saved + search](https://www.elastic.co/docs/explore-analyze/discover/search-sessions) + used by the rule to create alerts. type: string Security_Detections_API_SavedQueryRule: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -116788,7 +44951,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -116804,24 +44968,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -116848,11 +45023,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -116881,25 +45058,33 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields' + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields Security_Detections_API_SavedQueryRuleCreateFields: allOf: - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields' + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields Security_Detections_API_SavedQueryRuleCreateProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -116913,7 +45098,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -116929,24 +45115,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -116975,11 +45172,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -116989,7 +45188,8 @@ components: - description - risk_score - severity - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields' + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields Security_Detections_API_SavedQueryRuleDefaultableFields: type: object properties: 
@@ -117019,21 +45219,27 @@ components: enum: - saved_query type: string - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields' + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields Security_Detections_API_SavedQueryRulePatchProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -117047,11 +45253,12 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -117065,24 +45272,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -117111,16 +45329,19 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchFields' + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRulePatchFields Security_Detections_API_SavedQueryRuleRequiredFields: type: object properties: @@ -117136,8 +45357,10 @@ components: - saved_id Security_Detections_API_SavedQueryRuleResponseFields: allOf: - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields - type: object properties: language: 
@@ -117149,14 +45372,18 @@ components: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -117170,11 +45397,376 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + + > info + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. 
+ items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields + Security_Detections_API_SetAlertAssigneesBody: + type: object + properties: + assignees: + $ref: '#/components/schemas/Security_Detections_API_AlertAssignees' + description: Details about the assignees to assign and unassign. 
+ ids: + $ref: '#/components/schemas/Security_Detections_API_AlertIds' + required: + - assignees + - ids + Security_Detections_API_SetAlertsStatusByIds: + discriminator: + mapping: + closed: '#/components/schemas/Security_Detections_API_CloseAlertsByIds' + propertyName: status + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByIds' + - $ref: >- + #/components/schemas/Security_Detections_API_SetAlertsStatusByIdsBase + Security_Detections_API_SetAlertsStatusByIdsBase: + type: object + properties: + signal_ids: + description: >- + List of alert ids. Use field `_id` on alert document or + `kibana.alert.uuid`. Note: signals are a deprecated term for alerts. + items: + format: nonempty + minLength: 1 + type: string + minItems: 1 + type: array + status: + $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed' + required: + - signal_ids + - status + Security_Detections_API_SetAlertsStatusByQuery: + discriminator: + mapping: + closed: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery' + propertyName: status + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery' + - $ref: >- + #/components/schemas/Security_Detections_API_SetAlertsStatusByQueryBase + Security_Detections_API_SetAlertsStatusByQueryBase: + type: object + properties: + conflicts: + default: abort + enum: + - abort + - proceed + type: string + query: + additionalProperties: true + type: object + status: + $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed' + required: + - query + - status + Security_Detections_API_SetAlertTags: + description: Object with list of tags to add and remove. 
+ type: object + properties: + tags_to_add: + $ref: '#/components/schemas/Security_Detections_API_AlertTags' + tags_to_remove: + $ref: '#/components/schemas/Security_Detections_API_AlertTags' + required: + - tags_to_add + - tags_to_remove + Security_Detections_API_SetAlertTagsBody: + type: object + properties: + ids: + $ref: '#/components/schemas/Security_Detections_API_AlertIds' + tags: + $ref: '#/components/schemas/Security_Detections_API_SetAlertTags' + required: + - ids + - tags + Security_Detections_API_SetupGuide: + description: >- + Populates the rule’s setup guide with instructions on rule prerequisites + such as required integrations, configuration steps, and anything else + needed for the rule to work correctly. + type: string + Security_Detections_API_Severity: + description: > + Severity level of alerts produced by the rule, which must be one of the + following: + + * `low`: Alerts that are of interest but generally not considered to be + security incidents + + * `medium`: Alerts that require investigation + + * `high`: Alerts that require immediate investigation + + * `critical`: Alerts that indicate it is highly likely a security + incident has occurred + enum: + - low + - medium + - high + - critical + type: string + Security_Detections_API_SeverityMapping: + description: Overrides generated alerts' severity with values from the source event + items: + type: object + properties: + field: + description: Source event field used to override the default `severity`. 
+ type: string + operator: + enum: + - equals + type: string + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + value: + type: string + required: + - field + - operator + - severity + - value + type: array + Security_Detections_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Detections_API_SkippedAlertsIndexMigration: + type: object + properties: + index: + type: string + required: + - index + Security_Detections_API_SortOrder: + enum: + - asc + - desc + type: string + Security_Detections_API_Threat: + description: > + > info + + > Currently, only threats described using the MITRE ATT&CK™ + framework are supported. + type: object + properties: + framework: + description: Relevant attack framework + type: string + tactic: + $ref: '#/components/schemas/Security_Detections_API_ThreatTactic' + technique: + description: Array containing information on the attack techniques (optional) + items: + $ref: '#/components/schemas/Security_Detections_API_ThreatTechnique' + type: array + required: + - framework + - tactic + Security_Detections_API_ThreatArray: + items: + $ref: '#/components/schemas/Security_Detections_API_Threat' + type: array + Security_Detections_API_ThreatFilters: + items: + description: >- + Query and filter context array used to filter documents from the + Elasticsearch index containing the threat values + type: array + Security_Detections_API_ThreatIndex: + description: Elasticsearch indices used to check which field values generate alerts. 
+ items: + type: string + type: array + Security_Detections_API_ThreatIndicatorPath: + description: >- + Defines the path to the threat indicator in the indicator documents + (optional) + type: string + Security_Detections_API_ThreatMapping: + description: > + Array of entries objects that define mappings between the source event + fields and the values in the Elasticsearch threat index. Each entries + object must contain these fields: + + + - field: field from the event indices on which the rule runs + + - type: must be mapping + + - value: field from the Elasticsearch threat index + + You can use Boolean and and or logic to define the conditions for when + matching fields and values generate alerts. Sibling entries objects are + evaluated using or logic, whereas multiple entries in a single entries + object use and logic. See Example of Threat Match rule which uses both + `and` and `or` logic. + items: + type: object + properties: + entries: + items: + $ref: '#/components/schemas/Security_Detections_API_ThreatMappingEntry' + type: array + required: + - entries + minItems: 1 + type: array + Security_Detections_API_ThreatMappingEntry: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + negate: + type: boolean + type: + enum: + - mapping + type: string + value: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + required: + - field + - type + - value + Security_Detections_API_ThreatMatchRule: + allOf: + - type: object + properties: + actions: + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. 
+ items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -117188,340 +45780,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. - > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. 
- items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields' - Security_Detections_API_SetAlertAssigneesBody: - type: object - properties: - assignees: - $ref: '#/components/schemas/Security_Detections_API_AlertAssignees' - description: Details about the assignees to assign and unassign. 
- ids: - $ref: '#/components/schemas/Security_Detections_API_AlertIds' - required: - - assignees - - ids - Security_Detections_API_SetAlertsStatusByIds: - discriminator: - mapping: - closed: '#/components/schemas/Security_Detections_API_CloseAlertsByIds' - propertyName: status - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByIds' - - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByIdsBase' - Security_Detections_API_SetAlertsStatusByIdsBase: - type: object - properties: - signal_ids: - description: 'List of alert ids. Use field `_id` on alert document or `kibana.alert.uuid`. Note: signals are a deprecated term for alerts.' - items: - format: nonempty - minLength: 1 - type: string - minItems: 1 - type: array - status: - $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed' - required: - - signal_ids - - status - Security_Detections_API_SetAlertsStatusByQuery: - discriminator: - mapping: - closed: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery' - propertyName: status - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery' - - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByQueryBase' - Security_Detections_API_SetAlertsStatusByQueryBase: - type: object - properties: - conflicts: - default: abort - enum: - - abort - - proceed - type: string - query: - additionalProperties: true - type: object - status: - $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed' - required: - - query - - status - Security_Detections_API_SetAlertTags: - description: Object with list of tags to add and remove. 
- type: object - properties: - tags_to_add: - $ref: '#/components/schemas/Security_Detections_API_AlertTags' - tags_to_remove: - $ref: '#/components/schemas/Security_Detections_API_AlertTags' - required: - - tags_to_add - - tags_to_remove - Security_Detections_API_SetAlertTagsBody: - type: object - properties: - ids: - $ref: '#/components/schemas/Security_Detections_API_AlertIds' - tags: - $ref: '#/components/schemas/Security_Detections_API_SetAlertTags' - required: - - ids - - tags - Security_Detections_API_SetupGuide: - description: Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly. - type: string - Security_Detections_API_Severity: - description: | - Severity level of alerts produced by the rule, which must be one of the following: - * `low`: Alerts that are of interest but generally not considered to be security incidents - * `medium`: Alerts that require investigation - * `high`: Alerts that require immediate investigation - * `critical`: Alerts that indicate it is highly likely a security incident has occurred - enum: - - low - - medium - - high - - critical - type: string - Security_Detections_API_SeverityMapping: - description: Overrides generated alerts' severity with values from the source event - items: - type: object - properties: - field: - description: Source event field used to override the default `severity`. 
- type: string - operator: - enum: - - equals - type: string - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - value: - type: string - required: - - field - - operator - - severity - - value - type: array - Security_Detections_API_SiemErrorResponse: - type: object - properties: - message: - type: string - status_code: - type: integer - required: - - status_code - - message - Security_Detections_API_SkippedAlertsIndexMigration: - type: object - properties: - index: - type: string - required: - - index - Security_Detections_API_SortOrder: - enum: - - asc - - desc - type: string - Security_Detections_API_Threat: - description: | - > info - > Currently, only threats described using the MITRE ATT&CK™ framework are supported. - type: object - properties: - framework: - description: Relevant attack framework - type: string - tactic: - $ref: '#/components/schemas/Security_Detections_API_ThreatTactic' - technique: - description: Array containing information on the attack techniques (optional) - items: - $ref: '#/components/schemas/Security_Detections_API_ThreatTechnique' - type: array - required: - - framework - - tactic - Security_Detections_API_ThreatArray: - items: - $ref: '#/components/schemas/Security_Detections_API_Threat' - type: array - Security_Detections_API_ThreatFilters: - items: - description: Query and filter context array used to filter documents from the Elasticsearch index containing the threat values - type: array - Security_Detections_API_ThreatIndex: - description: Elasticsearch indices used to check which field values generate alerts. - items: - type: string - type: array - Security_Detections_API_ThreatIndicatorPath: - description: Defines the path to the threat indicator in the indicator documents (optional) - type: string - Security_Detections_API_ThreatMapping: - description: | - Array of entries objects that define mappings between the source event fields and the values in the Elasticsearch threat index. 
Each entries object must contain these fields: + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. - - field: field from the event indices on which the rule runs - - type: must be mapping - - value: field from the Elasticsearch threat index - - You can use Boolean and and or logic to define the conditions for when matching fields and values generate alerts. Sibling entries objects are evaluated using or logic, whereas multiple entries in a single entries object use and logic. See Example of Threat Match rule which uses both `and` and `or` logic. - items: - type: object - properties: - entries: - items: - $ref: '#/components/schemas/Security_Detections_API_ThreatMappingEntry' - type: array - required: - - entries - minItems: 1 - type: array - Security_Detections_API_ThreatMappingEntry: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - negate: - type: boolean - type: - enum: - - mapping - type: string - value: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - required: - - field - - type - - value - Security_Detections_API_ThreatMatchRule: - allOf: - - type: object - properties: - actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. 
- items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' - alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' - required_fields: - description: | - 
Elasticsearch fields and their types that need to be present for the rule to function. > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: @@ -117548,11 +45835,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -117581,25 +45870,33 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields' + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields Security_Detections_API_ThreatMatchRuleCreateFields: allOf: - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields' + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields Security_Detections_API_ThreatMatchRuleCreateProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -117613,7 +45910,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -117629,24 +45927,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -117675,11 +45984,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -117689,7 +46000,8 @@ components: - description - risk_score - severity - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields' + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields Security_Detections_API_ThreatMatchRuleDefaultableFields: type: object properties: 
@@ -117735,21 +46047,27 @@ components: enum: - threat_match type: string - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields' + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields Security_Detections_API_ThreatMatchRulePatchProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -117763,11 +46081,12 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -117781,24 +46100,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -117827,16 +46157,19 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields' + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields Security_Detections_API_ThreatMatchRuleRequiredFields: type: object properties: @@ -117861,8 +46194,10 @@ components: - threat_index Security_Detections_API_ThreatMatchRuleResponseFields: allOf: - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields - type: object properties: language: 
@@ -117874,14 +46209,18 @@ components: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -117895,11 +46234,12 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -117913,24 +46253,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -117959,11 +46310,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -117973,9 +46326,12 @@ components: - description - risk_score - severity - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields' + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields Security_Detections_API_ThreatQuery: - description: Query used to determine which fields in the Elasticsearch index are used for generating alerts. + description: >- + Query used to determine which fields in the Elasticsearch index are used + for generating alerts. type: string Security_Detections_API_ThreatSubtechnique: type: object @@ -118050,7 +46406,8 @@ components: type: object properties: duration: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration' + $ref: >- + #/components/schemas/Security_Detections_API_AlertSuppressionDuration required: - duration Security_Detections_API_ThresholdCardinality: @@ -118062,7 +46419,9 @@ components: description: The field on which to calculate and compare the cardinality. type: string value: - description: The threshold value from which an alert is generated based on unique number of values of cardinality.field. + description: >- + The threshold value from which an alert is generated based on + unique number of values of cardinality.field. minimum: 0 type: integer required: 
@@ -118070,7 +46429,10 @@ components: - value type: array Security_Detections_API_ThresholdField: - description: The field on which the threshold is applied. If you specify an empty array ([]), alerts are generated when the query returns at least the number of results specified in the value field. + description: >- + The field on which the threshold is applied. If you specify an empty + array ([]), alerts are generated when the query returns at least the + number of results specified in the value field. oneOf: - type: string - items: @@ -118083,14 +46445,18 @@ components: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -118104,7 +46470,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -118120,24 +46487,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -118164,11 +46542,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -118197,25 +46577,33 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleResponseFields' + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleResponseFields Security_Detections_API_ThresholdRuleCreateFields: allOf: - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields' + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields Security_Detections_API_ThresholdRuleCreateProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -118229,7 +46617,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -118245,24 +46634,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -118291,11 +46691,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -118305,7 +46707,8 @@ components: - description - risk_score - severity - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields' + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleCreateFields Security_Detections_API_ThresholdRuleDefaultableFields: type: object properties: @@ -118315,7 +46718,8 @@ components: type: object properties: alert_suppression: - $ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression' + $ref: >- + #/components/schemas/Security_Detections_API_ThresholdAlertSuppression data_view_id: $ref: '#/components/schemas/Security_Detections_API_DataViewId' filters: 
@@ -118337,21 +46741,27 @@ components: enum: - threshold type: string - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields' + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields Security_Detections_API_ThresholdRulePatchProps: allOf: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -118365,11 +46775,12 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -118383,24 +46794,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -118429,16 +46851,19 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchFields' + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRulePatchFields Security_Detections_API_ThresholdRuleRequiredFields: type: object properties: @@ -118457,8 +46882,10 @@ components: - threshold Security_Detections_API_ThresholdRuleResponseFields: allOf: - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields - type: object properties: language: 
@@ -118470,14 +46897,18 @@ components: - type: object properties: actions: - description: Array defining the automated actions (notifications) taken when alerts are generated. + description: >- + Array defining the automated actions (notifications) taken when + alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose alias_target_id: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -118491,11 +46922,12 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_UUID' + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -118509,24 +46941,35 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray required_fields: - description: | - Elasticsearch fields and their types that need to be present for the rule to function. + description: > + Elasticsearch fields and their types that need to be present for + the rule to function. + > info - > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + + > The value of `required_fields` does not affect the rule’s + behavior, and specifying it incorrectly won’t cause the rule to + fail. Use `required_fields` as an informational property to + document the fields that the rule expects to be present in the + data. items: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array response_actions: items: 
@@ -118555,11 +46998,13 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -118569,17 +47014,26 @@ components: - description - risk_score - severity - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields' + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleCreateFields Security_Detections_API_ThresholdValue: description: The threshold value from which an alert is generated. minimum: 1 type: integer Security_Detections_API_ThrottleForBulkActions: - description: | + description: > Defines the maximum interval in which a rule’s actions are executed. + > info - > The rule level `throttle` field is deprecated in Elastic Security 8.8 and will remain active for at least the next 12 months. - > In Elastic Security 8.8 and later, you can use the `frequency` field to define frequencies for individual actions. Actions without frequencies will acquire a converted version of the rule’s `throttle` field. In the response, the converted `throttle` setting appears in the individual actions' `frequency` field. + + > The rule level `throttle` field is deprecated in Elastic Security 8.8 + and will remain active for at least the next 12 months. + + > In Elastic Security 8.8 and later, you can use the `frequency` field + to define frequencies for individual actions. Actions without + frequencies will acquire a converted version of the rule’s `throttle` + field. In the response, the converted `throttle` setting appears in the + individual actions' `frequency` field. enum: - rule - 1h 
@@ -118596,10 +47050,17 @@ components: description: Timeline template title type: string Security_Detections_API_TimestampField: - description: Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with `timestamp_override`, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field. + description: >- + Specifies the name of the event timestamp field used for sorting a + sequence of events. Not to be confused with `timestamp_override`, which + specifies the more general field used for querying events within a + range. Defaults to the @timestamp ECS field. type: string Security_Detections_API_TimestampOverride: - description: Sets the time field used to query indices. When unspecified, rules query the `@timestamp` field. The source field must be an Elasticsearch date data type. + description: >- + Sets the time field used to query indices. When unspecified, rules query + the `@timestamp` field. The source field must be an Elasticsearch date + data type. type: string Security_Detections_API_TimestampOverrideFallbackDisabled: description: Disables the fallback to the event's @timestamp field @@ -118634,7 +47095,10 @@ components: type: object properties: _version: - description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. + description: >- + The version id, normally returned by the API when the item was + retrieved. Use it ensure updates are done against the latest + version. type: string created_at: description: Autogenerated date of object creation. 
@@ -118644,28 +47108,39 @@ components: description: Autogenerated value - user that created object. type: string description: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription id: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId immutable: type: boolean list_id: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId meta: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta name: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName namespace_type: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType os_types: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray tags: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags tie_breaker_id: - description: Field used in search to ensure all containers are sorted and returned correctly. + description: >- + Field used in search to ensure all containers are sorted and + returned correctly. 
type: string type: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType updated_at: description: Autogenerated date of last object update. format: date-time @@ -118674,7 +47149,8 @@ components: description: Autogenerated value - user that last updated object. type: string version: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion required: - id - list_id 
@@ -118694,17 +47170,30 @@ components: example: This list tracks allowlisted values. type: string Security_Endpoint_Exceptions_API_ExceptionListHumanId: - description: | + description: > The exception list's human-readable string identifier. + For endpoint artifacts, use one of the following values: - * `endpoint_list`: [Elastic Endpoint exception list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) - * `endpoint_trusted_apps`: [Trusted applications list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) - * `endpoint_trusted_devices`: [Trusted devices list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) - * `endpoint_event_filters`: [Event filters list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) - * `endpoint_host_isolation_exceptions`: [Host isolation exceptions list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) - * `endpoint_blocklists`: [Blocklists list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) + + * `endpoint_list`: [Elastic Endpoint exception + list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) + + * `endpoint_trusted_apps`: [Trusted applications + list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) + + * `endpoint_trusted_devices`: [Trusted devices + list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) + + * `endpoint_event_filters`: [Event filters + list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) + + * `endpoint_host_isolation_exceptions`: [Host isolation exceptions + list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) + + * `endpoint_blocklists`: [Blocklists + 
list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) example: simple_list format: nonempty minLength: 1 @@ -118719,10 +47208,14 @@ components: type: object properties: _version: - description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. + description: >- + The version id, normally returned by the API when the item was + retrieved. Use it ensure updates are done against the latest + version. type: string comments: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray created_at: description: Autogenerated date of object creation. format: date-time 
@@ -118731,32 +47224,46 @@ components: description: Autogenerated value - user that created object. type: string description: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription entries: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray expire_time: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime id: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId item_id: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId list_id: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId meta: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta name: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName namespace_type: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType os_types: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' + $ref: >- + 
#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray tags: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags tie_breaker_id: - description: Field used in search to ensure all containers are sorted and returned correctly. + description: >- + Field used in search to ensure all containers are sorted and + returned correctly. type: string type: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType updated_at: description: Autogenerated date of last object update. format: date-time 
@@ -118809,24 +47316,32 @@ components: - comment (string): Comments about the exception item. items: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment type: array Security_Endpoint_Exceptions_API_ExceptionListItemDescription: description: Describes the exception list. type: string Security_Endpoint_Exceptions_API_ExceptionListItemEntry: anyOf: - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch' - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny' - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList' - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists' - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested' - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard' + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard discriminator: propertyName: type Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray: items: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry type: array 
Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists: type: object @@ -118834,7 +47349,8 @@ components: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator type: enum: - exists @@ -118859,7 +47375,8 @@ components: - id - type operator: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator type: enum: - list @@ -118875,7 +47392,8 @@ components: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator type: enum: - match @@ -118893,14 +47411,16 @@ components: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator type: enum: - match_any type: string value: items: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString minItems: 1 type: array required: @@ -118914,7 +47434,8 @@ components: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator type: enum: - wildcard 
@@ -118931,7 +47452,8 @@ components: properties: entries: items: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem minItems: 1 type: array field: @@ -118946,16 +47468,21 @@ components: - entries Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem: oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch' - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny' - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists' + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator: enum: - excluded - included type: string Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime: - description: The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions. + description: >- + The exception item’s expiration date, in ISO format. This field is only + available for regular exception items, not endpoint exceptions. format: date-time type: string Security_Endpoint_Exceptions_API_ExceptionListItemHumanId: 
@@ -118980,11 +47507,14 @@ components: type: string Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray: items: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType type: array Security_Endpoint_Exceptions_API_ExceptionListItemTags: items: - description: String array containing words and phrases to help categorize exception items. + description: >- + String array containing words and phrases to help categorize exception + items. format: nonempty minLength: 1 type: string @@ -119011,15 +47541,20 @@ components: Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray: description: Use this field to specify the operating system. Only enter one value. items: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType type: array Security_Endpoint_Exceptions_API_ExceptionListTags: - description: String array containing words and phrases to help categorize exception containers. + description: >- + String array containing words and phrases to help categorize exception + containers. items: type: string type: array Security_Endpoint_Exceptions_API_ExceptionListType: - description: The type of exception list to be created. Different list types may denote where they can be utilized. + description: >- + The type of exception list to be created. Different list types may + denote where they can be utilized. enum: - detection - rule_default 
@@ -119035,14 +47570,21 @@ components: minimum: 1 type: integer Security_Endpoint_Exceptions_API_ExceptionNamespaceType: - description: | - Determines whether the exception container is available in all Kibana spaces or just the space + description: > + Determines whether the exception container is available in all Kibana + spaces or just the space + in which it is created, where: + - `single`: Only available in the Kibana space in which it is created. + - `agnostic`: Available in all Kibana spaces. - For endpoint artifacts, the `namespace_type` must always be `agnostic`. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments. + + For endpoint artifacts, the `namespace_type` must always be `agnostic`. + Space awareness for endpoint artifacts is enforced based on Elastic + Defend policy assignments. enum: - agnostic - single @@ -119056,12 +47598,17 @@ components: minLength: 1 type: string Security_Endpoint_Exceptions_API_ListType: - description: | - Specifies the Elasticsearch data type of excludes the list container holds. Some common examples: + description: > + Specifies the Elasticsearch data type of excludes the list container + holds. Some common examples: + - `keyword`: Many ECS fields are Elasticsearch keywords + - `ip`: IP addresses - - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) + + - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR + notation) enum: - binary - boolean 
@@ -119124,7 +47671,8 @@ components: isolate: '#/components/schemas/Security_Endpoint_Management_API_Isolate' kill-process: '#/components/schemas/Security_Endpoint_Management_API_KillProcess' memory-dump: '#/components/schemas/Security_Endpoint_Management_API_MemoryDump' - running-processes: '#/components/schemas/Security_Endpoint_Management_API_RunningProcesses' + running-processes: >- + #/components/schemas/Security_Endpoint_Management_API_RunningProcesses runscript: '#/components/schemas/Security_Endpoint_Management_API_Runscript' scan: '#/components/schemas/Security_Endpoint_Management_API_Scan' suspend-process: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcess' @@ -119142,7 +47690,8 @@ components: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Isolate' - $ref: '#/components/schemas/Security_Endpoint_Management_API_Unisolate' - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcess' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcesses' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_RunningProcesses - $ref: '#/components/schemas/Security_Endpoint_Management_API_MemoryDump' Security_Endpoint_Management_API_ActionStateSuccessResponse: type: object @@ -119154,7 +47703,9 @@ components: type: object properties: canEncrypt: - description: Whether the Kibana instance has encryption enabled for response actions. + description: >- + Whether the Kibana instance has encryption enabled for + response actions. type: boolean required: - data 
@@ -119170,9 +47721,11 @@ components: type: object properties: agent_id: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_AgentId pending_actions: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema required: - agent_id - pending_actions @@ -119209,7 +47762,8 @@ components: type: string Security_Endpoint_Management_API_Cancel: allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - type: object properties: outputs: @@ -119235,7 +47789,10 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + description: >- + If this action is associated with any alerts, they can be + specified here. The action will be logged in any cases + associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -119246,7 +47803,9 @@ components: minItems: 1 type: array case_ids: - description: The IDs of cases where the action taken will be logged. Max of 50. + description: >- + The IDs of cases where the action taken will be logged. Max of + 50. example: - case-id-1 - case-id-2 @@ -119259,7 +47818,8 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: 
@@ -119329,8 +47889,10 @@ components: type: object properties: downloadUri: - description: | - The server relative URI to download the file associated with the output of the response action. + description: > + The server relative URI to download the file associated with the + output of the response action. + URI does **not** include the space prefix example: /api/endpoint/action/497f6eca-6276/file/35645-6276-4993/download format: uri-reference @@ -119358,7 +47920,9 @@ components: '@timestamp': '2023-07-04T15:48:57.3609346Z' agent: build: - original: 'version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' + original: >- + version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: + 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab id: abb8a826-6812-448c-a571-6d8269b51449 type: endpoint version: 7.16.0 @@ -119438,7 +48002,8 @@ components: properties: {} Security_Endpoint_Management_API_Execute: allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - type: object properties: outputs: @@ -119447,7 +48012,8 @@ components: properties: content: allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_DownloadUri - type: object properties: code: @@ -119485,7 +48051,10 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + description: >- + If this action is associated with any alerts, they can be + specified here. The action will be logged in any cases + associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 
@@ -119496,7 +48065,9 @@ components: minItems: 1 type: array case_ids: - description: The IDs of cases where the action taken will be logged. Max of 50. + description: >- + The IDs of cases where the action taken will be logged. Max of + 50. example: - case-id-1 - case-id-2 @@ -119509,7 +48080,8 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -119524,7 +48096,9 @@ components: minLength: 1 type: string timeout: - description: The maximum timeout value in seconds before the command is terminated. + description: >- + The maximum timeout value in seconds before the command is + terminated. minimum: 1 type: integer required: @@ -119602,7 +48176,8 @@ components: data: description: The list of response actions. items: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails type: array elasticAgentIds: description: The list of elastic agent IDs the query was filtered by. @@ -119636,7 +48211,8 @@ components: type: array Security_Endpoint_Management_API_GetFile: allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - type: object properties: outputs: @@ -119645,7 +48221,8 @@ components: properties: content: allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_DownloadUri - type: object properties: code: 
@@ -119680,7 +48257,10 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + description: >- + If this action is associated with any alerts, they can be + specified here. The action will be logged in any cases + associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -119691,7 +48271,9 @@ components: minItems: 1 type: array case_ids: - description: The IDs of cases where the action taken will be logged. Max of 50. + description: >- + The IDs of cases where the action taken will be logged. Max of + 50. example: - case-id-1 - case-id-2 @@ -119704,7 +48286,8 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -119727,7 +48310,10 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + description: >- + If this action is associated with any alerts, they can be specified + here. The action will be logged in any cases associated with the + specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 
@@ -119790,7 +48376,8 @@ components: type: array Security_Endpoint_Management_API_Isolate: allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - description: Details of an isolate action response. type: object Security_Endpoint_Management_API_IsolateRouteResponse: @@ -119800,10 +48387,12 @@ components: description: The action ID (legacy field, same as `data.id`). type: string data: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails Security_Endpoint_Management_API_KillProcess: allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - type: object properties: outputs: @@ -119854,7 +48443,9 @@ components: - type: object properties: process_name: - description: The name of the process to terminate. Valid for SentinelOne agent type only. + description: >- + The name of the process to terminate. Valid for + SentinelOne agent type only. type: string Security_Endpoint_Management_API_KillProcessRouteRequestBody: allOf: @@ -119863,7 +48454,10 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + description: >- + If this action is associated with any alerts, they can be + specified here. The action will be logged in any cases + associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 
@@ -119874,7 +48468,9 @@ components: minItems: 1 type: array case_ids: - description: The IDs of cases where the action taken will be logged. Max of 50. + description: >- + The IDs of cases where the action taken will be logged. Max of + 50. example: - case-id-1 - case-id-2 @@ -119887,7 +48483,8 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -119913,7 +48510,9 @@ components: - type: object properties: process_name: - description: The name of the process to terminate. Valid for SentinelOne agent type only. + description: >- + The name of the process to terminate. Valid for + SentinelOne agent type only. example: Elastic minLength: 1 type: string @@ -119924,7 +48523,9 @@ components: example: 'united.endpoint.host.os.name : ''Windows''' type: string Security_Endpoint_Management_API_MDERunScriptParameters: - description: Parameters for Run Script response action against Microsoft Defender Endpoint agent type. + description: >- + Parameters for Run Script response action against Microsoft Defender + Endpoint agent type. example: agent_type: microsoft_defender_endpoint endpoint_ids: @@ -119947,7 +48548,8 @@ components: type: object Security_Endpoint_Management_API_MemoryDump: allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - type: object properties: outputs: 
@@ -119959,13 +48561,17 @@ components: code: type: string disk_free_space: - description: The free space on the host machine in bytes after the memory dump is written to disk + description: >- + The free space on the host machine in bytes after the + memory dump is written to disk type: number file_size: description: The size of the memory dump compressed file in bytes type: string path: - description: The path to the memory dump compressed file on the host machine + description: >- + The path to the memory dump compressed file on the + host machine type: string title: Memory dump output type: object @@ -120019,7 +48625,10 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + description: >- + If this action is associated with any alerts, they can be + specified here. The action will be logged in any cases + associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -120030,7 +48639,9 @@ components: minItems: 1 type: array case_ids: - description: The IDs of cases where the action taken will be logged. Max of 50. + description: >- + The IDs of cases where the action taken will be logged. Max of + 50. example: - case-id-1 - case-id-2 @@ -120043,7 +48654,8 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: 
@@ -120096,7 +48708,9 @@ components: '@timestamp': '2023-07-04T15:47:57.432173535Z' agent: build: - original: 'version: 7.16.0, compiled: Tue Nov 16 16:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' + original: >- + version: 7.16.0, compiled: Tue Nov 16 16:00:00 2021, branch: + 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab id: 285297c6-3bff-4b83-9a07-f3e749801123 type: endpoint version: 7.16.0 @@ -120155,7 +48769,9 @@ components: variant: Ubuntu family: ubuntu full: Ubuntu 20.04.2 - kernel: '5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 UTC 2021' + kernel: >- + 5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 + UTC 2021 name: Linux platform: ubuntu type: linux @@ -120178,7 +48794,9 @@ components: '@timestamp': '2023-07-04T15:44:31.4917849Z' agent: build: - original: 'version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' + original: >- + version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: + 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab id: abb8a826-6812-448c-a571-6d8269b51449 type: endpoint version: 7.16.0 
@@ -120285,31 +48903,40 @@ components: - type: object properties: execute: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType description: Number of pending execute actions. get-file: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType description: Number of pending get-file actions. isolate: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType description: Number of pending isolate actions. kill-process: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType description: Number of pending kill-process actions. running-processes: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType description: Number of pending running-processes (get processes) actions. scan: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType description: Number of pending scan actions. suspend-process: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType description: Number of pending suspend-process actions. unisolate: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType description: Number of pending unisolate (release) actions. 
upload: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType description: Number of pending upload actions. - additionalProperties: true type: object @@ -120317,7 +48944,9 @@ components: type: object properties: note: - description: A note associated with the protection updates for the given package policy. + description: >- + A note associated with the protection updates for the given package + policy. type: string Security_Endpoint_Management_API_RawScriptParameters: type: object @@ -120362,7 +48991,8 @@ components: type: object properties: data: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails Security_Endpoint_Management_API_ResponseActionDetails: type: object properties: @@ -120378,7 +49008,9 @@ components: type: object properties: completedAt: - description: The date and time the response action was completed for the agent ID + description: >- + The date and time the response action was completed for the + agent ID type: string isCompleted: description: Whether the response action is completed for the agent ID @@ -120386,7 +49018,9 @@ components: wasSuccessful: description: Whether the response action was successful for the agent ID type: boolean - description: The state of the response action for each agent ID that it was sent to + description: >- + The state of the response action for each agent ID that it was sent + to type: object agentType: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' 
@@ -120407,7 +49041,9 @@ components: name: description: The host name type: string - description: An object containing the host names associated with the agent IDs the response action was sent to + description: >- + An object containing the host names associated with the agent IDs + the response action was sent to type: object id: description: The response action ID @@ -120425,7 +49061,9 @@ components: format: uuid properties: content: - description: The response action output content for the agent ID. Exact format depends on the response action command. + description: >- + The response action output content for the agent ID. Exact + format depends on the response action command. oneOf: - type: object - type: string @@ -120439,12 +49077,17 @@ components: - content title: Agent ID type: object - description: | - The outputs of the response action for each agent ID that it was sent to. Content different depending on the - response action command and will only be present for agents that have responded to the response action + description: > + The outputs of the response action for each agent ID that it was + sent to. Content different depending on the + + response action command and will only be present for agents that + have responded to the response action type: object parameters: - description: The parameters of the response action. Content different depending on the response action command + description: >- + The parameters of the response action. Content different depending + on the response action command type: object startedAt: description: The response action start time @@ -120460,7 +49103,8 @@ components: - command Security_Endpoint_Management_API_RunningProcesses: allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - type: object properties: outputs: 
@@ -120469,8 +49113,10 @@ components: properties: content: oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputEndpoint' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputEndpoint + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne type: object Security_Endpoint_Management_API_RunningProcessesOutputEndpoint: description: Processes output for `agentType` of `endpoint` @@ -120501,7 +49147,8 @@ components: type: string Security_Endpoint_Management_API_Runscript: allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - type: object properties: outputs: @@ -120510,7 +49157,8 @@ components: properties: content: allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_DownloadUri - type: object properties: code: @@ -120522,9 +49170,12 @@ components: type: object parameters: oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsCrowdStrike' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsMicrosoft' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsSentinelOne' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_RunscriptParamsCrowdStrike + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_RunscriptParamsMicrosoft + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_RunscriptParamsSentinelOne Security_Endpoint_Management_API_RunscriptParamsCrowdStrike: type: object properties: 
@@ -120559,7 +49210,10 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + description: >- + If this action is associated with any alerts, they can be + specified here. The action will be logged in any cases + associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -120570,7 +49224,9 @@ components: minItems: 1 type: array case_ids: - description: The IDs of cases where the action taken will be logged. Max of 50. + description: >- + The IDs of cases where the action taken will be logged. Max of + 50. example: - case-id-1 - case-id-2 @@ -120583,7 +49239,8 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: 
@@ -120594,16 +49251,22 @@ components: description: | One of the following set of parameters must be provided oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_RawScriptParameters' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_HostPathScriptParameters' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_CloudFileScriptParameters' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_SentinelOneRunScriptParameters' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_MDERunScriptParameters' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_RawScriptParameters + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_HostPathScriptParameters + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_CloudFileScriptParameters + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SentinelOneRunScriptParameters + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_MDERunScriptParameters required: - parameters Security_Endpoint_Management_API_Scan: allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - type: object properties: outputs: @@ -120628,7 +49291,10 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + description: >- + If this action is associated with any alerts, they can be + specified here. The action will be logged in any cases + associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 
@@ -120639,7 +49305,9 @@ components: minItems: 1 type: array case_ids: - description: The IDs of cases where the action taken will be logged. Max of 50. + description: >- + The IDs of cases where the action taken will be logged. Max of + 50. example: - case-id-1 - case-id-2 @@ -120652,7 +49320,8 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -120671,7 +49340,9 @@ components: required: - parameters Security_Endpoint_Management_API_SentinelOneRunScriptParameters: - description: Parameters for Run Script response action against SentinelOne agent type. + description: >- + Parameters for Run Script response action against SentinelOne agent + type. example: agent_type: sentinel_one endpoint_ids: @@ -120681,7 +49352,9 @@ components: scriptInput: '--delete --paths-to-delete /tmp/temp_file.txt,/tmp/random_file.txt' properties: scriptId: - description: The script ID from SentinelOne scripts library that will be executed. + description: >- + The script ID from SentinelOne scripts library that will be + executed. minLength: 1 type: string scriptInput: @@ -120722,7 +49395,8 @@ components: type: object Security_Endpoint_Management_API_SuspendProcess: allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - type: object properties: outputs: 
@@ -120769,7 +49443,10 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + description: >- + If this action is associated with any alerts, they can be + specified here. The action will be logged in any cases + associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -120780,7 +49457,9 @@ components: minItems: 1 type: array case_ids: - description: The IDs of cases where the action taken will be logged. Max of 50. + description: >- + The IDs of cases where the action taken will be logged. Max of + 50. example: - case-id-1 - case-id-2 @@ -120793,7 +49472,8 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -120836,7 +49516,8 @@ components: type: array Security_Endpoint_Management_API_Unisolate: allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - description: Details of an unisolate action response. type: object Security_Endpoint_Management_API_UnisolateRouteResponse: 
@@ -120846,10 +49527,12 @@ components: description: The action ID (legacy field, same as `data.id`). type: string data: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails Security_Endpoint_Management_API_Upload: allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - type: object properties: outputs: @@ -120867,8 +49550,10 @@ components: type: string type: object parameters: - description: | - The parameters for upload returned on the details are derived via the API from the file that + description: > + The parameters for upload returned on the details are derived + via the API from the file that + was uploaded at the time that the response action was submitted type: object properties: @@ -120887,7 +49572,10 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + description: >- + If this action is associated with any alerts, they can be + specified here. The action will be logged in any cases + associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -120898,7 +49586,9 @@ components: minItems: 1 type: array case_ids: - description: The IDs of cases where the action taken will be logged. Max of 50. + description: >- + The IDs of cases where the action taken will be logged. Max of + 50. example: - case-id-1 - case-id-2 
@@ -120911,7 +49601,8 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -120949,7 +49640,9 @@ components: - minLength: 1 type: string Security_Endpoint_Management_API_WithOutputs: - description: A list of action IDs that should include the complete output of the action. Max of 50. + description: >- + A list of action IDs that should include the complete output of the + action. Max of 50. example: - action-id-1 - action-id-2 @@ -120971,7 +49664,8 @@ components: description: Business unit the asset belongs to. type: string criticality: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel description: The criticality level assigned to this asset. nullable: true environment: @@ -121027,7 +49721,10 @@ components: - extreme_impact type: string Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload: - description: The criticality level of the asset for bulk upload. The value `unassigned` is used to indicate that the criticality level is not assigned and is only used for bulk upload. + description: >- + The criticality level of the asset for bulk upload. The value + `unassigned` is used to indicate that the criticality level is not + assigned and is only used for bulk upload. enum: - low_impact - medium_impact 
@@ -121037,8 +49734,10 @@ components: type: string Security_Entity_Analytics_API_AssetCriticalityRecord: allOf: - - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord' - - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts' + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts - type: object properties: '@timestamp': @@ -121066,7 +49765,8 @@ components: type: object properties: criticality: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel required: - asset entity: @@ -121076,7 +49776,8 @@ components: type: object properties: criticality: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel required: - criticality id: @@ -121090,7 +49791,8 @@ components: type: object properties: criticality: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel required: - criticality name: @@ -121104,7 +49806,8 @@ components: type: object properties: criticality: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel required: - criticality name: @@ -121118,7 +49821,8 @@ components: type: object properties: criticality: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel required: - criticality name: 
@@ -121184,11 +49888,13 @@ components: - errors Security_Entity_Analytics_API_CreateAssetCriticalityRecord: allOf: - - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts' + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts - type: object properties: criticality_level: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel required: - criticality_level Security_Entity_Analytics_API_DateRange: @@ -121199,13 +49905,17 @@ components: description: End of the lookback period (date math or ISO string, e.g. "now") type: string start: - description: Start of the lookback period (date math or ISO string, e.g. "now-10d") + description: >- + Start of the lookback period (date math or ISO string, e.g. + "now-10d") type: string required: - start - end Security_Entity_Analytics_API_EngineComponentResource: - description: The type of Elasticsearch or Kibana resource backing an engine component. + description: >- + The type of Elasticsearch or Kibana resource backing an engine + component. enum: - entity_engine - entity_definition @@ -121220,7 +49930,9 @@ components: - ilm_policy type: string Security_Entity_Analytics_API_EngineComponentStatus: - description: Status of an individual Elasticsearch or Kibana resource backing an engine. + description: >- + Status of an individual Elasticsearch or Kibana resource backing an + engine. type: object properties: errors: 
@@ -121251,9 +49963,10 @@ components: description: Whether the component is currently installed. type: boolean metadata: - $ref: '#/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata' + $ref: '#/components/schemas/Security_Entity_Analytics_API_Metadata' resource: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentResource' + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EngineComponentResource required: - id - installed @@ -121277,17 +49990,23 @@ components: required: - type Security_Entity_Analytics_API_EngineDescriptor: - description: Describes a single entity engine, including its configuration and current status. + description: >- + Describes a single entity engine, including its configuration and + current status. type: object properties: delay: default: 1m - description: The delay before the transform processes new data, allowing late-arriving documents to be included. + description: >- + The delay before the transform processes new data, allowing + late-arriving documents to be included. example: 1m pattern: '[smdh]$' type: string docsPerSecond: - description: Throttle value for the number of documents processed per second. Use -1 for no throttle. + description: >- + Throttle value for the number of documents processed per second. Use + -1 for no throttle. type: integer error: description: Present when the engine status is `error`. Describes the failure. @@ -121309,7 +50028,9 @@ components: example: 10 type: integer filter: - description: An optional Kibana Query Language (KQL) filter applied to source documents before aggregation. + description: >- + An optional Kibana Query Language (KQL) filter applied to source + documents before aggregation. example: 'host.name: "my-host"' type: string frequency: 
@@ -121376,7 +50097,10 @@ components: required: - entities Security_Entity_Analytics_API_Entity: - description: An entity record from the Entity Store. The `entity` namespace is a root-level field in the latest index, unlike source logs where it is nested under `host`, `user`, or `service`. + description: >- + An entity record from the Entity Store. The `entity` namespace is a + root-level field in the latest index, unlike source logs where it is + nested under `host`, `user`, or `service`. oneOf: - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserEntity' - $ref: '#/components/schemas/Security_Entity_Analytics_API_HostEntity' @@ -121431,7 +50155,9 @@ components: - record Security_Entity_Analytics_API_EntityField: additionalProperties: false - description: Core entity fields shared across all entity types. The `entity` namespace is a root-level field in the Entity Store latest index. + description: >- + Core entity fields shared across all entity types. The `entity` + namespace is a root-level field in the Entity Store latest index. type: object properties: attributes: @@ -121443,7 +50169,9 @@ components: description: Whether the entity is classified as an asset. type: boolean managed: - description: Whether the entity is managed (for example, via a directory service). + description: >- + Whether the entity is managed (for example, via a directory + service). type: boolean mfa_enabled: description: Whether multi-factor authentication is enabled for the entity. 
@@ -121485,799 +50213,275 @@ components: format: date-time type: string last_seen: - description: When the entity was last observed. - format: date-time - type: string - name: - description: Human-readable name of the entity. - example: jane.doe - type: string - relationships: - additionalProperties: false - description: Connections between this entity and other entities. - type: object - properties: - accessed_frequently_by: - description: Entity IDs that frequently access this entity. - items: - type: string - type: array - accesses_frequently: - description: Entity IDs this entity accesses frequently. - items: - type: string - type: array - accesses_infrequently: - description: Entity IDs this entity accesses infrequently. - items: - type: string - type: array - communicates_with: - description: Entity IDs this entity communicates with. - items: - type: string - type: array - dependent_of: - description: Entity IDs that depend on this entity. - items: - type: string - type: array - depends_on: - description: Entity IDs this entity depends on. - items: - type: string - type: array - owned_by: - description: Entity IDs that own this entity. - items: - type: string - type: array - owns: - description: Entity IDs owned by this entity. - items: - type: string - type: array - supervised_by: - description: Entity IDs that supervise this entity. - items: - type: string - type: array - supervises: - description: Entity IDs supervised by this entity. - items: - type: string - type: array - risk: - additionalProperties: false - description: Risk scoring information for the entity. - type: object - properties: - calculated_level: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels' - description: Lexical description of the entity's risk. - example: Critical - calculated_score: - description: The raw numeric value of the given entity's risk score. 
- format: double - type: number - calculated_score_norm: - description: The normalized numeric value of the given entity's risk score. Useful for comparing with other entities. - format: double - maximum: 100 - minimum: 0 - type: number - source: - description: The source that produced this entity record. - type: string - sub_type: - description: Optional sub-type classification for the entity. - type: string - type: - description: The entity type. - example: user - type: string - required: - - id - Security_Entity_Analytics_API_EntityRiskLevels: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - Security_Entity_Analytics_API_EntityRiskScoreRecord: - type: object - properties: - '@timestamp': - description: The time at which the risk score was calculated. - example: '2017-07-21T17:32:28Z' - format: date-time - type: string - calculated_level: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels' - description: Lexical description of the entity's risk. - example: Critical - calculated_score: - description: The raw numeric value of the given entity's risk score. - format: double - type: number - calculated_score_norm: - description: The normalized numeric value of the given entity's risk score. Useful for comparing with other entities. - format: double - maximum: 100 - minimum: 0 - type: number - calculation_run_id: - description: Unique identifier for the scoring run that produced this document. - type: string - category_1_count: - description: The number of risk input documents that contributed to the Category 1 score (`category_1_score`). - type: integer - category_1_score: - description: The contribution of Category 1 to the overall risk score (`calculated_score`). Category 1 contains Detection Engine Alerts. 
- format: double - type: number - category_2_count: - type: integer - category_2_score: - format: double - type: number - criticality_level: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' - criticality_modifier: - format: double - type: number - id_field: - description: The identifier field defining this risk score. Coupled with `id_value`, uniquely identifies the entity being scored. - example: host.name - type: string - id_value: - description: The identifier value defining this risk score. Coupled with `id_field`, uniquely identifies the entity being scored. - example: example.host - type: string - inputs: - description: A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskScoreInput' - type: array - modifiers: - description: A list of modifiers that were applied to the risk score calculation. - items: - type: object - properties: - contribution: - format: double - type: number - metadata: - additionalProperties: true - type: object - modifier_value: - format: double - type: number - subtype: - type: string - type: - type: string - required: - - type - - contribution - type: array - notes: - items: - type: string - type: array - related_entities: - items: - type: object - properties: - entity_id: - type: string - relationship_type: - type: string - type: array - score_type: - description: Distinguishes base, propagated, and resolution scores. - enum: - - base - - propagated - - resolution - type: string - required: - - '@timestamp' - - id_field - - id_value - - calculated_level - - calculated_score - - calculated_score_norm - - category_1_score - - category_1_count - - inputs - - notes - Security_Entity_Analytics_API_EntitySourceType: - enum: - - index - - entity_analytics_integration - - store - type: string - Security_Entity_Analytics_API_EntityType: - description: The type of entity. 
- enum: - - user - - host - - service - - generic - type: string - Security_Entity_Analytics_API_Filter: - type: object - properties: - kuery: - oneOf: - - type: string - - type: object - Security_Entity_Analytics_API_GenericEntity: - additionalProperties: false - description: A generic entity record. Maps only the `entity` and `asset` namespaces. Add additional field mappings here as needed. - type: object - properties: - '@timestamp': - description: The time the entity record was last updated. - format: date-time - type: string - asset: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' - additionalProperties: false - entity: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' - required: - - entity - Security_Entity_Analytics_API_HostEntity: - additionalProperties: false - description: An entity record representing a host, stored in the Entity Store latest index. - type: object - properties: - '@timestamp': - description: The time the entity record was last updated. - format: date-time - type: string - asset: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' - additionalProperties: false - entity: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' - event: - additionalProperties: false - type: object - properties: - ingested: - description: When the event was ingested into Elasticsearch. + description: When the entity was last observed. format: date-time type: string - host: + name: + description: Human-readable name of the entity. + example: jane.doe + type: string + relationships: additionalProperties: false - description: Elastic Common Schema (ECS) host fields collected on the entity. + description: Connections between this entity and other entities. type: object properties: - architecture: - description: Observed CPU architectures. + accessed_frequently_by: + description: Entity IDs that frequently access this entity. 
items: type: string type: array - domain: - description: Observed host domains. + accesses_frequently: + description: Entity IDs this entity accesses frequently. items: type: string type: array - entity: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' - hostname: - description: Observed hostnames. + accesses_infrequently: + description: Entity IDs this entity accesses infrequently. items: type: string type: array - id: - description: Observed host IDs. + communicates_with: + description: Entity IDs this entity communicates with. items: type: string type: array - ip: - description: Observed IP addresses. + dependent_of: + description: Entity IDs that depend on this entity. items: type: string type: array - mac: - description: Observed MAC addresses. + depends_on: + description: Entity IDs this entity depends on. items: type: string type: array - name: - description: Primary host name. - type: string - os: - additionalProperties: false - description: Elastic Common Schema (ECS) host.os fields collected on the entity latest index. - type: object - properties: - family: - type: string - full: - type: string - kernel: - type: string - name: - oneOf: - - type: string - - items: - type: string - type: array - platform: - type: string - type: - oneOf: - - type: string - - items: - type: string - type: array - version: - type: string - risk: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' - type: - description: Observed host types. + owned_by: + description: Entity IDs that own this entity. items: type: string type: array - required: - - name - required: - - entity - Security_Entity_Analytics_API_IdField: - enum: - - host.name - - user.name - - service.name - - entity.id - type: string - Security_Entity_Analytics_API_IndexPattern: - description: An additional Elasticsearch index pattern to include as a source for entity data. Merged with the default data view indices when the engine runs. 
- example: logs-* - type: string - Security_Entity_Analytics_API_InspectQuery: - description: Debug information about the Elasticsearch query executed. - type: object - properties: - dsl: - description: Elasticsearch query DSL that was executed. - items: - type: string - type: array - response: - description: Raw Elasticsearch responses. - items: - type: string - type: array - required: - - dsl - - response - Security_Entity_Analytics_API_Integrations: - type: object - properties: - syncData: - description: integrations latest full sync and update syncData - type: object - properties: - lastFullSync: - description: Timestamp of the last full sync from integrations - format: date-time - type: string - lastUpdateProcessed: - description: Timestamp of the last update processed from integrations - format: date-time - type: string - syncMarkerIndex: - description: Index to read latest sync markers from - type: string - Security_Entity_Analytics_API_Interval: - description: Interval in which enrich policy runs. For example, `"1h"` means the rule runs every hour. Must be less than or equal to half the duration of the lookback period, - example: 1h - pattern: ^[1-9]\d*[smh]$ - type: string - Security_Entity_Analytics_API_Matcher: - type: object - properties: - fields: - items: - type: string - type: array - values: - description: | - Matcher values. Must be either an array of strings (e.g. group or role names) or an array of booleans (e.g. integration-derived flags like privileged_group_member). Mixed types are intentionally not supported for simplicity and predictability. 
- oneOf: - - items: - type: string - type: array - - items: - type: boolean - type: array - required: - - fields - - values - Security_Entity_Analytics_API_Metadata: - $ref: '#/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata' - Security_Entity_Analytics_API_MonitoredUserDoc: - allOf: - - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc' - - type: object - properties: - '@timestamp': - format: date-time - type: string - event: - type: object - properties: - '@timestamp': - format: date-time - type: string - ingested: - format: date-time - type: string - user: - type: object - properties: - entity: - type: object - properties: - attributes: - type: object - properties: - Privileged: - description: Indicates if the user is privileged. - type: boolean - is_privileged: - description: Indicates if the user is privileged. - type: boolean - name: - type: string - Security_Entity_Analytics_API_MonitoredUserUpdateDoc: - type: object - properties: - entity_analytics_monitoring: - type: object - properties: - labels: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringLabel' - type: array - id: - type: string - labels: - type: object - properties: - source_ids: + owns: + description: Entity IDs owned by this entity. items: type: string type: array - source_integrations: + supervised_by: + description: Entity IDs that supervise this entity. items: type: string type: array - sources: + supervises: + description: Entity IDs supervised by this entity. items: - enum: - - csv - - index_sync - - api + type: string type: array - user: - type: object - properties: - is_privileged: - description: Indicates if the user is privileged. - type: boolean - name: - type: string - Security_Entity_Analytics_API_MonitoringEngineDescriptor: - type: object - properties: - error: + risk: + additionalProperties: false + description: Risk scoring information for the entity. 
type: object properties: - message: - description: Error message typically only present if the engine is in error state - type: string - status: - $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus' - required: - - status - Security_Entity_Analytics_API_MonitoringEntitySource: - allOf: - - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySourceProperties' - - type: object - properties: - id: - type: string - required: - - type - - name - - id - - managed - Security_Entity_Analytics_API_MonitoringEntitySourceProperties: - allOf: - - $ref: '#/components/schemas/Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties' - - type: object - properties: - managed: - type: boolean - Security_Entity_Analytics_API_MonitoringLabel: - type: object - properties: - field: - type: string + calculated_level: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels + description: Lexical description of the entity's risk. + example: Critical + calculated_score: + description: The raw numeric value of the given entity's risk score. + format: double + type: number + calculated_score_norm: + description: >- + The normalized numeric value of the given entity's risk score. + Useful for comparing with other entities. + format: double + maximum: 100 + minimum: 0 + type: number source: + description: The source that produced this entity record. type: string - value: + sub_type: + description: Optional sub-type classification for the entity. + type: string + type: + description: The entity type. 
+ example: user type: string required: - - field - - value - - source - Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus: - description: The status of the Privilege Monitoring Engine + - id + Security_Entity_Analytics_API_EntityRiskLevels: enum: - - started - - error - - disabled - - not_installed + - Unknown + - Low + - Moderate + - High + - Critical type: string - Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem: - type: object - properties: - index: - nullable: true - type: integer - message: - type: string - username: - nullable: true - type: string - required: - - message - - index - - username - Security_Entity_Analytics_API_PrivmonUserCsvUploadStats: - type: object - properties: - failedOperations: - type: integer - successfulOperations: - type: integer - totalOperations: - type: integer - uploaded: - type: integer - required: - - successfulOperations - - uploaded - - failedOperations - - totalOperations - Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse: - type: object - properties: - full_error: - type: string - message: - type: string - required: - - message - - full_error - Security_Entity_Analytics_API_RiskEngineScheduleNowResponse: - type: object - properties: - success: - type: boolean - Security_Entity_Analytics_API_RiskScoreInput: - description: A generic representation of a document contributing to a Risk Score. + Security_Entity_Analytics_API_EntityRiskScoreRecord: type: object properties: - category: - description: The risk category of the risk input document. - example: category_1 + '@timestamp': + description: The time at which the risk score was calculated. + example: '2017-07-21T17:32:28Z' + format: date-time type: string - contribution_score: + calculated_level: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels' + description: Lexical description of the entity's risk. 
+ example: Critical + calculated_score: + description: The raw numeric value of the given entity's risk score. format: double type: number - description: - description: A human-readable description of the risk input document. - example: 'Generated from Detection Engine Rule: Malware Prevention Alert' - type: string - entity_id: - description: The EUID of the entity within the graph that generated this alert. - type: string - id: - description: The unique identifier (`_id`) of the original source document - example: 91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c - type: string - index: - description: The unique index (`_index`) of the original source document - example: .internal.alerts-security.alerts-default-000001 - type: string - risk_score: - description: The weighted risk score of the risk input document. + calculated_score_norm: + description: >- + The normalized numeric value of the given entity's risk score. + Useful for comparing with other entities. format: double maximum: 100 minimum: 0 type: number - timestamp: - description: The @timestamp of the risk input document. - example: '2017-07-21T17:32:28Z' - type: string - required: - - id - - index - - description - - category - Security_Entity_Analytics_API_ServiceEntity: - additionalProperties: false - description: An entity record representing a service, stored in the Entity Store latest index. - type: object - properties: - '@timestamp': - description: The time the entity record was last updated. - format: date-time - type: string - asset: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' - additionalProperties: false - entity: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' - event: - additionalProperties: false - type: object - properties: - ingested: - description: When the event was ingested into Elasticsearch. 
- format: date-time - type: string - service: - additionalProperties: false - description: Elastic Common Schema (ECS) service fields collected on the entity. - type: object - properties: - entity: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' - name: - description: Primary service name. - type: string - risk: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' - required: - - name - required: - - entity - Security_Entity_Analytics_API_StoreStatus: - description: The overall operational status of the Entity Store. - enum: - - not_installed - - installing - - running - - stopped - - error - type: string - Security_Entity_Analytics_API_TaskManagerUnavailableResponse: - description: Task manager is unavailable - type: object - properties: - message: + calculation_run_id: + description: Unique identifier for the scoring run that produced this document. type: string - status_code: - minimum: 400 - type: integer - required: - - status_code - - message - Security_Entity_Analytics_API_TransformStatsMetadata: - description: Statistics from the underlying Elasticsearch transform. - type: object - properties: - delete_time_in_ms: - description: Total time spent deleting documents, in milliseconds. - type: integer - documents_deleted: - description: Total number of documents deleted from the destination index. - type: integer - documents_indexed: - description: Total number of documents written to the destination index. - type: integer - documents_processed: - description: Total number of source documents processed. - type: integer - exponential_avg_checkpoint_duration_ms: - description: Exponential moving average of checkpoint duration, in milliseconds. - type: integer - exponential_avg_documents_indexed: - description: Exponential moving average of documents indexed per checkpoint. - type: integer - exponential_avg_documents_processed: - description: Exponential moving average of documents processed per checkpoint. 
- type: integer - index_failures: - description: Total number of failed index operations. - type: integer - index_time_in_ms: - description: Total time spent indexing documents, in milliseconds. - type: integer - index_total: - description: Total number of index operations. - type: integer - pages_processed: - description: Number of composite aggregation pages processed. - type: integer - processing_time_in_ms: - description: Total time spent processing results, in milliseconds. - type: integer - processing_total: - description: Total number of processing operations. - type: integer - search_failures: - description: Total number of failed search operations. - type: integer - search_time_in_ms: - description: Total time spent on search queries, in milliseconds. - type: integer - search_total: - description: Total number of search operations. - type: integer - trigger_count: - description: Number of times the transform has been triggered. + category_1_count: + description: >- + The number of risk input documents that contributed to the Category + 1 score (`category_1_score`). type: integer - required: - - pages_processed - - documents_processed - - documents_indexed - - trigger_count - - index_time_in_ms - - index_total - - index_failures - - search_time_in_ms - - search_total - - search_failures - - processing_time_in_ms - - processing_total - - exponential_avg_checkpoint_duration_ms - - exponential_avg_documents_indexed - - exponential_avg_documents_processed - Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties: - type: object - properties: - enabled: - type: boolean - filter: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Filter' - identifierField: - description: Field used to query the entity store for index-type sources - type: string - indexPattern: + category_1_score: + description: >- + The contribution of Category 1 to the overall risk score + (`calculated_score`). Category 1 contains Detection Engine Alerts. 
+ format: double + type: number + category_2_count: + type: integer + category_2_score: + format: double + type: number + criticality_level: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + criticality_modifier: + format: double + type: number + id_field: + description: >- + The identifier field defining this risk score. Coupled with + `id_value`, uniquely identifies the entity being scored. + example: host.name type: string - integrationName: + id_value: + description: >- + The identifier value defining this risk score. Coupled with + `id_field`, uniquely identifies the entity being scored. + example: example.host type: string - integrations: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Integrations' - matchers: + inputs: + description: >- + A list of the highest-risk documents contributing to this risk + score. Useful for investigative purposes. items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Matcher' + $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskScoreInput' type: array - name: + modifiers: + description: A list of modifiers that were applied to the risk score calculation. + items: + type: object + properties: + contribution: + format: double + type: number + metadata: + additionalProperties: true + type: object + modifier_value: + format: double + type: number + subtype: + type: string + type: + type: string + required: + - type + - contribution + type: array + notes: + items: + type: string + type: array + related_entities: + items: + type: object + properties: + entity_id: + type: string + relationship_type: + type: string + type: array + score_type: + description: Distinguishes base, propagated, and resolution scores. 
+ enum: + - base + - propagated + - resolution type: string - queryRule: - description: KQL query used to filter data from the provided index patterns + required: + - '@timestamp' + - id_field + - id_value + - calculated_level + - calculated_score + - calculated_score_norm + - category_1_score + - category_1_count + - inputs + - notes + Security_Entity_Analytics_API_EntitySourceType: + enum: + - index + - entity_analytics_integration + - store + type: string + Security_Entity_Analytics_API_EntityType: + description: The type of entity. + enum: + - user + - host + - service + - generic + type: string + Security_Entity_Analytics_API_Filter: + type: object + properties: + kuery: + oneOf: + - type: string + - type: object + Security_Entity_Analytics_API_GenericEntity: + additionalProperties: false + description: >- + A generic entity record. Maps only the `entity` and `asset` namespaces. + Add additional field mappings here as needed. + type: object + properties: + '@timestamp': + description: The time the entity record was last updated. + format: date-time type: string - range: - $ref: '#/components/schemas/Security_Entity_Analytics_API_DateRange' - type: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitySourceType' - Security_Entity_Analytics_API_UserEntity: + asset: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' + additionalProperties: false + entity: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' + required: + - entity + Security_Entity_Analytics_API_HostEntity: additionalProperties: false - description: An entity record representing a user, stored in the Entity Store latest index. + description: >- + An entity record representing a host, stored in the Entity Store latest + index. type: object properties: '@timestamp': 
@@ -122297,44 +50501,80 @@ components: description: When the event was ingested into Elasticsearch. format: date-time type: string - user: + host: additionalProperties: false - description: Elastic Common Schema (ECS) user fields collected on the entity. + description: Elastic Common Schema (ECS) host fields collected on the entity. type: object properties: + architecture: + description: Observed CPU architectures. + items: + type: string + type: array domain: - description: Observed user domains. + description: Observed host domains. items: type: string type: array - email: - description: Observed email addresses. + entity: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' + hostname: + description: Observed hostnames. items: type: string type: array - full_name: - description: Observed full names of the user. + id: + description: Observed host IDs. items: type: string type: array - hash: - description: Observed user hashes. + ip: + description: Observed IP addresses. items: type: string type: array - id: - description: Observed user IDs. + mac: + description: Observed MAC addresses. items: type: string type: array name: - description: Primary user name. + description: Primary host name. type: string - risk: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' + os: additionalProperties: false - roles: - description: Observed roles assigned to the user. + description: >- + Elastic Common Schema (ECS) host.os fields collected on the + entity latest index. + type: object + properties: + family: + type: string + full: + type: string + kernel: + type: string + name: + oneOf: + - type: string + - items: + type: string + type: array + platform: + type: string + type: + oneOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord + type: + description: Observed host types. 
items: type: string type: array 
@@ -122342,1274 +50582,746 @@ components: - name required: - entity - Security_Entity_Analytics_API_UserName: - type: object - properties: - entity_analytics_monitoring: - description: Entity analytics monitoring configuration for the user - type: object - properties: - labels: - description: Array of labels associated with the user - items: - type: object - properties: - field: - description: The field name for the label - type: string - source: - description: The source where this label was created (api, csv, or index_sync) - enum: - - api - - csv - - index_sync - type: string - value: - description: The value of the label - type: string - type: array - user: - type: object - properties: - name: - description: The name of the user. - type: string - Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem: - example: - matchedEntities: 1 - status: success - type: object - properties: - error: - description: Error message if the row failed to process - example: Invalid entity type - type: string - matchedEntities: - description: Number of entities matched for this row - example: 1 - type: integer - status: - enum: - - success - - failure - - unmatched - example: success - type: string - required: - - status - - matchedEntities - Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem: - example: - euid: user:john.doe - status: success - type: object - properties: - error: - description: Error message if the entity failed to process - example: Invalid entity type - type: string - euid: - description: The EUID of the entity - example: user:john.doe - type: string - status: - enum: - - success - - failure - - not_found - example: success - type: string - required: - - euid - - status - Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem: - example: - euid: user:john.doe - status: success - type: object - properties: - error: - description: Error message if the entity failed to process - example: Invalid entity type - type: string - euid: - 
description: The EUID of the entity - example: user:john.doe - type: string - status: - enum: - - success - - failure - - not_found - example: success - type: string - required: - - euid - - status - Security_Entity_Analytics_API_WatchlistObject: - example: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' - type: object - properties: - createdAt: - description: Timestamp indicating when the watchlist was created - format: date-time - type: string - description: - description: Description of the watchlist - type: string - entityCount: - description: Number of entities in the watchlist - type: number - entitySourceIds: - description: List of entity source IDs associated with the watchlist - items: - type: string - type: array - id: - description: The unique ID of the watchlist - type: string - managed: - description: Indicates if the watchlist is managed by the system - type: boolean - name: - description: The name of the watchlist - type: string - riskModifier: - description: Risk score modifier associated with the watchlist - type: number - updatedAt: - description: Timestamp indicating when the watchlist was last updated - format: date-time - type: string - required: - - name - - riskModifier - - managed - Security_Exceptions_API_BlocklistHashOrPathEntry: - type: object - properties: - field: - description: File hash or path field - enum: - - file.hash.md5 - - file.hash.sha1 - - file.hash.sha256 - - file.path - - file.path.caseless - type: string - operator: - description: Must be the value "included" - enum: - - included - type: string - type: - description: Must be match_any for blocklists - enum: - - match_any - type: string - value: - description: Array of hash values or file paths - items: - type: string - minItems: 1 - type: array - required: - - field - - type - - value - - operator - 
Security_Exceptions_API_BlocklistLinuxProperties: - description: Blocklist list item properties (Linux, code signature not supported). + Security_Entity_Analytics_API_IdField: + enum: + - host.name + - user.name + - service.name + - entity.id + type: string + Security_Entity_Analytics_API_IndexPattern: + description: >- + An additional Elasticsearch index pattern to include as a source for + entity data. Merged with the default data view indices when the engine + runs. + example: logs-* + type: string + Security_Entity_Analytics_API_InspectQuery: + description: Debug information about the Elasticsearch query executed. type: object properties: - entries: - description: | - **Validation rules:** - * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) - * Path entry: only 1 allowed - items: - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry' - minItems: 1 - type: array - list_id: - enum: - - endpoint_blocklists - example: endpoint_blocklists - type: string - os_types: - description: Linux-only + dsl: + description: Elasticsearch query DSL that was executed. items: - enum: - - linux type: string - maxItems: 1 - minItems: 1 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_BlocklistMacProperties: - description: Blocklist list item properties (macOS, code signature not supported). - type: object - properties: - entries: - description: | - **Validation rules:** - * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) - * Path entry: only 1 allowed - items: - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry' - minItems: 1 type: array - list_id: - enum: - - endpoint_blocklists - example: endpoint_blocklists - type: string - os_types: - description: macOS-only + response: + description: Raw Elasticsearch responses. 
items: - enum: - - macos type: string - maxItems: 1 - minItems: 1 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry: - type: object - properties: - entries: - description: Nested subject_name entries - items: - type: object - properties: - field: - description: Certificate subject name - enum: - - subject_name - type: string - operator: - description: Must be the value "included" - enum: - - included - type: string - type: - description: Match type for subject name - enum: - - match - - match_any - type: string - value: - oneOf: - - description: Single subject name (used with match) - type: string - - description: Array of subject names (used with match_any) - items: - type: string - minItems: 1 - type: array - required: - - field - - type - - value - - operator - minItems: 1 type: array - field: - description: Windows code signature field - enum: - - file.Ext.code_signature - type: string - type: - description: Must be nested for Windows code signature - enum: - - nested - type: string required: - - field - - type - - entries - Security_Exceptions_API_BlocklistWindowsProperties: - description: Blocklist list item properties (Windows, supports code signature). 
+ - dsl + - response + Security_Entity_Analytics_API_Integrations: type: object properties: - entries: - description: | - **Validation rules:** - * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) - * Path entry: only 1 allowed - * Code signature entry: only 1 allowed - items: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry' - - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry' - minItems: 1 - type: array - list_id: - enum: - - endpoint_blocklists - example: endpoint_blocklists + syncData: + description: integrations latest full sync and update syncData + type: object + properties: + lastFullSync: + description: Timestamp of the last full sync from integrations + format: date-time + type: string + lastUpdateProcessed: + description: Timestamp of the last update processed from integrations + format: date-time + type: string + syncMarkerIndex: + description: Index to read latest sync markers from type: string - os_types: - description: Windows-only + Security_Entity_Analytics_API_Interval: + description: >- + Interval in which enrich policy runs. For example, `"1h"` means the rule + runs every hour. Must be less than or equal to half the duration of the + lookback period, + example: 1h + pattern: ^[1-9]\d*[smh]$ + type: string + Security_Entity_Analytics_API_Matcher: + type: object + properties: + fields: items: - enum: - - windows type: string - maxItems: 1 - minItems: 1 type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + values: + description: > + Matcher values. Must be either an array of strings (e.g. group or + role names) or an array of booleans (e.g. integration-derived flags + like privileged_group_member). Mixed types are intentionally not + supported for simplicity and predictability. 
+ oneOf: + - items: + type: string + type: array + - items: + type: boolean + type: array required: - - list_id - Security_Exceptions_API_CreateExceptionListItemBase: + - fields + - values + Security_Entity_Analytics_API_Metadata: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata + Security_Entity_Analytics_API_MonitoredUserDoc: + allOf: + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc + - type: object + properties: + '@timestamp': + format: date-time + type: string + event: + type: object + properties: + '@timestamp': + format: date-time + type: string + ingested: + format: date-time + type: string + user: + type: object + properties: + entity: + type: object + properties: + attributes: + type: object + properties: + Privileged: + description: Indicates if the user is privileged. + type: boolean + is_privileged: + description: Indicates if the user is privileged. + type: boolean + name: + type: string + Security_Entity_Analytics_API_MonitoredUserUpdateDoc: type: object properties: - comments: - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray' - default: [] - description: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' - expire_time: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' - item_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' - meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single - type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' - required: - - type - - name - - description - Security_Exceptions_API_CreateExceptionListItemBlocklistLinux: - allOf: - - $ref: 
'#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties' - Security_Exceptions_API_CreateExceptionListItemBlocklistMac: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties' - Security_Exceptions_API_CreateExceptionListItemBlocklistWindows: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties' - Security_Exceptions_API_CreateExceptionListItemComment: + entity_analytics_monitoring: + type: object + properties: + labels: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_MonitoringLabel + type: array + id: + type: string + labels: + type: object + properties: + source_ids: + items: + type: string + type: array + source_integrations: + items: + type: string + type: array + sources: + items: + enum: + - csv + - index_sync + - api + type: array + user: + type: object + properties: + is_privileged: + description: Indicates if the user is privileged. 
+ type: boolean + name: + type: string + Security_Entity_Analytics_API_MonitoringEngineDescriptor: type: object properties: - comment: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + error: + type: object + properties: + message: + description: >- + Error message typically only present if the engine is in error + state + type: string + status: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus required: - - comment - Security_Exceptions_API_CreateExceptionListItemCommentArray: - items: - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment' - type: array - Security_Exceptions_API_CreateExceptionListItemEndpointList: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties' - Security_Exceptions_API_CreateExceptionListItemEventFilters: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties' - Security_Exceptions_API_CreateExceptionListItemGeneric: + - status + Security_Entity_Analytics_API_MonitoringEntitySource: allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - - example: - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - type: simple - type: object + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySourceProperties + - type: object properties: - entries: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' - list_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - os_types: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' - default: [] - tags: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' - default: [] + id: + type: string required: - - list_id - - entries - Security_Exceptions_API_CreateExceptionListItemHostIsolation: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties' - Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties' - Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties' - Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties' - Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac: - allOf: - - $ref: 
'#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties' - Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows: - allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties' - Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac: + - type + - name + - id + - managed + Security_Entity_Analytics_API_MonitoringEntitySourceProperties: allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties' - Security_Exceptions_API_CreateRuleExceptionListItemComment: - type: object - properties: - comment: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - comment - Security_Exceptions_API_CreateRuleExceptionListItemCommentArray: - items: - $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment' - type: array - Security_Exceptions_API_CreateRuleExceptionListItemProps: + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties + - type: object + properties: + managed: + type: boolean + Security_Entity_Analytics_API_MonitoringLabel: type: object properties: - comments: - $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray' - default: [] - description: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' - entries: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' - expire_time: - format: date-time + field: + type: string + source: + type: string + value: type: string - item_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' - meta: - $ref: 
'#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single - os_types: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' - default: [] - tags: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' - default: [] - type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' required: - - type - - name - - description - - entries - Security_Exceptions_API_EndpointArtifactTags: - default: [] - description: | - Tags for categorization. Special tags for scope control: - * `"policy:all"` - Global artifact (applies to all Elastic Defend policies) - * `"policy:"` - Private artifact (applies to specific Elastic Defend policy only, where `` is the Elastic Defend integration policy ID) - items: - type: string - type: array - Security_Exceptions_API_EndpointListProperties: - description: Elastic Endpoint exception list item properties. + - field + - value + - source + Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus: + description: The status of the Privilege Monitoring Engine + enum: + - started + - error + - disabled + - not_installed + type: string + Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem: type: object properties: - entries: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' - description: | - Exception entries for endpoint security exceptions (used to prevent detection rule alerts). - - **Fully flexible:** Supports any field name for maximum compatibility with detection rules. No field restrictions are enforced. 
- list_id: - enum: - - endpoint_list - example: endpoint_list + index: + nullable: true + type: integer + message: + type: string + username: + nullable: true type: string - os_types: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' - default: [] - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - - list_id - Security_Exceptions_API_EventFiltersProperties: - description: Event filters list item properties. + - message + - index + - username + Security_Entity_Analytics_API_PrivmonUserCsvUploadStats: type: object properties: - entries: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' - description: | - Exception entries for the event filter. - - **Flexible field support:** Any event field name is allowed (e.g., `process.name`, `file.path`, `event.action`, `dns.question.name`, etc.) - - **Minimum requirement:** At least 1 entry required - list_id: - enum: - - endpoint_event_filters - example: endpoint_event_filters - type: string - os_types: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' - default: [] - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + failedOperations: + type: integer + successfulOperations: + type: integer + totalOperations: + type: integer + uploaded: + type: integer required: - - list_id - Security_Exceptions_API_ExceptionList: + - successfulOperations + - uploaded + - failedOperations + - totalOperations + Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse: type: object properties: - _version: - description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. - type: string - created_at: - description: Autogenerated date of object creation. - format: date-time - type: string - created_by: - description: Autogenerated value - user that created object. 
- type: string - description: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - immutable: - type: boolean - list_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - os_types: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' - tags: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' - tie_breaker_id: - description: Field used in search to ensure all containers are sorted and returned correctly. - type: string - type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' - updated_at: - description: Autogenerated date of last object update. - format: date-time + full_error: type: string - updated_by: - description: Autogenerated value - user that last updated object. + message: type: string - version: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' required: - - id - - list_id - - type - - name - - description - - immutable - - namespace_type - - version - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Exceptions_API_ExceptionListDescription: - description: Describes the exception list. - example: This list tracks allowlisted values. - type: string - Security_Exceptions_API_ExceptionListHumanId: - description: | - The exception list's human-readable string identifier. 
- - For endpoint artifacts, use one of the following values: - - * `endpoint_list`: [Elastic Endpoint exception list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) - * `endpoint_trusted_apps`: [Trusted applications list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) - * `endpoint_trusted_devices`: [Trusted devices list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) - * `endpoint_event_filters`: [Event filters list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) - * `endpoint_host_isolation_exceptions`: [Host isolation exceptions list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) - * `endpoint_blocklists`: [Blocklists list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) - example: simple_list - format: nonempty - minLength: 1 - type: string - Security_Exceptions_API_ExceptionListId: - description: Exception list's identifier. - example: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - format: nonempty - minLength: 1 - type: string - Security_Exceptions_API_ExceptionListItem: + - message + - full_error + Security_Entity_Analytics_API_RiskEngineScheduleNowResponse: type: object properties: - _version: - description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. - type: string - comments: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray' - created_at: - description: Autogenerated date of object creation. - format: date-time - type: string - created_by: - description: Autogenerated value - user that created object. 
- type: string - description: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' - entries: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' - expire_time: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - item_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' - list_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - os_types: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' - tags: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' - tie_breaker_id: - description: Field used in search to ensure all containers are sorted and returned correctly. - type: string - type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' - updated_at: - description: Autogenerated date of last object update. - format: date-time - type: string - updated_by: - description: Autogenerated value - user that last updated object. - type: string - required: - - id - - item_id - - list_id - - type - - name - - description - - entries - - namespace_type - - comments - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Exceptions_API_ExceptionListItemComment: + success: + type: boolean + Security_Entity_Analytics_API_RiskScoreInput: + description: A generic representation of a document contributing to a Risk Score. 
type: object properties: - comment: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - created_at: - description: Autogenerated date of object creation. - format: date-time + category: + description: The risk category of the risk input document. + example: category_1 type: string - created_by: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - id: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - updated_at: - description: Autogenerated date of last object update. - format: date-time + contribution_score: + format: double + type: number + description: + description: A human-readable description of the risk input document. + example: 'Generated from Detection Engine Rule: Malware Prevention Alert' type: string - updated_by: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - id - - comment - - created_at - - created_by - Security_Exceptions_API_ExceptionListItemCommentArray: - description: | - Array of comment fields: - - - comment (string): Comments about the exception item. - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemComment' - type: array - Security_Exceptions_API_ExceptionListItemDescription: - description: Describes the exception list. 
- type: string - Security_Exceptions_API_ExceptionListItemEntry: - anyOf: - - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch' - - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny' - - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList' - - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists' - - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested' - - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard' - discriminator: - propertyName: type - Security_Exceptions_API_ExceptionListItemEntryArray: - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntry' - type: array - Security_Exceptions_API_ExceptionListItemEntryExists: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - operator: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' - type: - enum: - - exists + entity_id: + description: The EUID of the entity within the graph that generated this alert. + type: string + id: + description: The unique identifier (`_id`) of the original source document + example: 91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c + type: string + index: + description: The unique index (`_index`) of the original source document + example: .internal.alerts-security.alerts-default-000001 + type: string + risk_score: + description: The weighted risk score of the risk input document. + format: double + maximum: 100 + minimum: 0 + type: number + timestamp: + description: The @timestamp of the risk input document. 
+ example: '2017-07-21T17:32:28Z' type: string required: - - type - - field - - operator - Security_Exceptions_API_ExceptionListItemEntryList: + - id + - index + - description + - category + Security_Entity_Analytics_API_ServiceEntity: + additionalProperties: false + description: >- + An entity record representing a service, stored in the Entity Store + latest index. type: object properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - list: + '@timestamp': + description: The time the entity record was last updated. + format: date-time + type: string + asset: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' + additionalProperties: false + entity: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' + event: + additionalProperties: false type: object properties: - id: - $ref: '#/components/schemas/Security_Exceptions_API_ListId' - type: - $ref: '#/components/schemas/Security_Exceptions_API_ListType' + ingested: + description: When the event was ingested into Elasticsearch. + format: date-time + type: string + service: + additionalProperties: false + description: Elastic Common Schema (ECS) service fields collected on the entity. + type: object + properties: + entity: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' + name: + description: Primary service name. + type: string + risk: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord required: - - id - - type - operator: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' - type: - enum: - - list - type: string + - name required: - - type - - field - - list - - operator - Security_Exceptions_API_ExceptionListItemEntryMatch: + - entity + Security_Entity_Analytics_API_StoreStatus: + description: The overall operational status of the Entity Store. 
+ enum: + - not_installed + - installing + - running + - stopped + - error + type: string + Security_Entity_Analytics_API_TaskManagerUnavailableResponse: + description: Task manager is unavailable type: object properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - operator: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' - type: - enum: - - match + message: type: string - value: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + status_code: + minimum: 400 + type: integer required: - - type - - field - - value - - operator - Security_Exceptions_API_ExceptionListItemEntryMatchAny: + - status_code + - message + Security_Entity_Analytics_API_TransformStatsMetadata: + description: Statistics from the underlying Elasticsearch transform. type: object properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - operator: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' - type: - enum: - - match_any - type: string - value: - items: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - minItems: 1 - type: array + delete_time_in_ms: + description: Total time spent deleting documents, in milliseconds. + type: integer + documents_deleted: + description: Total number of documents deleted from the destination index. + type: integer + documents_indexed: + description: Total number of documents written to the destination index. + type: integer + documents_processed: + description: Total number of source documents processed. + type: integer + exponential_avg_checkpoint_duration_ms: + description: Exponential moving average of checkpoint duration, in milliseconds. + type: integer + exponential_avg_documents_indexed: + description: Exponential moving average of documents indexed per checkpoint. 
+ type: integer + exponential_avg_documents_processed: + description: Exponential moving average of documents processed per checkpoint. + type: integer + index_failures: + description: Total number of failed index operations. + type: integer + index_time_in_ms: + description: Total time spent indexing documents, in milliseconds. + type: integer + index_total: + description: Total number of index operations. + type: integer + pages_processed: + description: Number of composite aggregation pages processed. + type: integer + processing_time_in_ms: + description: Total time spent processing results, in milliseconds. + type: integer + processing_total: + description: Total number of processing operations. + type: integer + search_failures: + description: Total number of failed search operations. + type: integer + search_time_in_ms: + description: Total time spent on search queries, in milliseconds. + type: integer + search_total: + description: Total number of search operations. + type: integer + trigger_count: + description: Number of times the transform has been triggered. 
+ type: integer required: - - type - - field - - value - - operator - Security_Exceptions_API_ExceptionListItemEntryMatchWildcard: + - pages_processed + - documents_processed + - documents_indexed + - trigger_count + - index_time_in_ms + - index_total + - index_failures + - search_time_in_ms + - search_total + - search_failures + - processing_time_in_ms + - processing_total + - exponential_avg_checkpoint_duration_ms + - exponential_avg_documents_indexed + - exponential_avg_documents_processed + Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties: type: object properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - operator: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' - type: - enum: - - wildcard + enabled: + type: boolean + filter: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Filter' + identifierField: + description: Field used to query the entity store for index-type sources type: string - value: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - type - - field - - value - - operator - Security_Exceptions_API_ExceptionListItemEntryNested: - type: object - properties: - entries: + indexPattern: + type: string + integrationName: + type: string + integrations: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Integrations' + matchers: items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem' - minItems: 1 + $ref: '#/components/schemas/Security_Entity_Analytics_API_Matcher' type: array - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - type: - enum: - - nested + name: type: string - required: - - type - - field - - entries - Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch' - - $ref: 
'#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny' - - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists' - Security_Exceptions_API_ExceptionListItemEntryOperator: - enum: - - excluded - - included - type: string - Security_Exceptions_API_ExceptionListItemExpireTime: - description: The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions. - format: date-time - type: string - Security_Exceptions_API_ExceptionListItemHumanId: - description: Human readable string identifier, e.g. `trusted-linux-processes` - example: simple_list_item - format: nonempty - minLength: 1 - type: string - Security_Exceptions_API_ExceptionListItemId: - description: Exception's identifier. - example: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - format: nonempty - minLength: 1 - type: string - Security_Exceptions_API_ExceptionListItemMeta: - additionalProperties: true - type: object - Security_Exceptions_API_ExceptionListItemName: - description: Exception list name. - format: nonempty - minLength: 1 - type: string - Security_Exceptions_API_ExceptionListItemOsTypeArray: - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' - type: array - Security_Exceptions_API_ExceptionListItemTags: - items: - description: String array containing words and phrases to help categorize exception items. - format: nonempty - minLength: 1 - type: string - type: array - Security_Exceptions_API_ExceptionListItemType: - enum: - - simple - type: string - Security_Exceptions_API_ExceptionListMeta: - additionalProperties: true - description: Placeholder for metadata about the list container. - type: object - Security_Exceptions_API_ExceptionListName: - description: The name of the exception list. - example: My exception list - type: string - Security_Exceptions_API_ExceptionListOsType: - description: Use this field to specify the operating system. 
- enum: - - linux - - macos - - windows - type: string - Security_Exceptions_API_ExceptionListOsTypeArray: - description: Use this field to specify the operating system. Only enter one value. - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' - type: array - Security_Exceptions_API_ExceptionListsImportBulkError: + queryRule: + description: KQL query used to filter data from the provided index patterns + type: string + range: + $ref: '#/components/schemas/Security_Entity_Analytics_API_DateRange' + type: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitySourceType' + Security_Entity_Analytics_API_UserEntity: + additionalProperties: false + description: >- + An entity record representing a user, stored in the Entity Store latest + index. type: object properties: - error: + '@timestamp': + description: The time the entity record was last updated. + format: date-time + type: string + asset: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' + additionalProperties: false + entity: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' + event: + additionalProperties: false type: object properties: - message: + ingested: + description: When the event was ingested into Elasticsearch. + format: date-time type: string - status_code: - type: integer - required: - - status_code - - message - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - item_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' - list_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - required: - - error - Security_Exceptions_API_ExceptionListsImportBulkErrorArray: - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError' - type: array - Security_Exceptions_API_ExceptionListTags: - description: String array containing words and phrases to help categorize exception containers. 
- items: - type: string - type: array - Security_Exceptions_API_ExceptionListType: - description: The type of exception list to be created. Different list types may denote where they can be utilized. - enum: - - detection - - rule_default - - endpoint - - endpoint_trusted_apps - - endpoint_trusted_devices - - endpoint_events - - endpoint_host_isolation_exceptions - - endpoint_blocklists - type: string - Security_Exceptions_API_ExceptionListVersion: - description: The document version, automatically increasd on updates. - minimum: 1 - type: integer - Security_Exceptions_API_ExceptionNamespaceType: - description: | - Determines whether the exception container is available in all Kibana spaces or just the space - in which it is created, where: - - - `single`: Only available in the Kibana space in which it is created. - - `agnostic`: Available in all Kibana spaces. - - For endpoint artifacts, the `namespace_type` must always be `agnostic`. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments. - enum: - - agnostic - - single - type: string - Security_Exceptions_API_FindExceptionListItemsFilter: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - Security_Exceptions_API_FindExceptionListsFilter: - example: exception-list.attributes.name:%Detection%20List - type: string - Security_Exceptions_API_HostIsolationProperties: - description: Host isolation exceptions list item properties. - type: object - properties: - entries: - description: Exactly one entry allowed for host isolation exceptions - items: - type: object - properties: - field: - description: Must be destination.ip - enum: - - destination.ip + user: + additionalProperties: false + description: Elastic Common Schema (ECS) user fields collected on the entity. + type: object + properties: + domain: + description: Observed user domains. 
+ items: type: string - operator: - description: Must be the value "included" - enum: - - included + type: array + email: + description: Observed email addresses. + items: type: string - type: - description: Must be match - enum: - - match + type: array + full_name: + description: Observed full names of the user. + items: type: string - value: - description: Valid IPv4 address or CIDR notation (e.g., "192.168.1.1" or "10.0.0.0/8") + type: array + hash: + description: Observed user hashes. + items: type: string - required: - - field - - type - - value - - operator - maxItems: 1 - minItems: 1 - type: array - list_id: - enum: - - endpoint_host_isolation_exceptions - example: endpoint_host_isolation_exceptions - type: string - os_types: - description: Must include all three operating systems (windows, linux, macos) - items: - enum: - - windows - - linux - - macos - type: string - maxItems: 3 - minItems: 3 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + type: array + id: + description: Observed user IDs. + items: + type: string + type: array + name: + description: Primary user name. + type: string + risk: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord + additionalProperties: false + roles: + description: Observed roles assigned to the user. + items: + type: string + type: array + required: + - name required: - - list_id - Security_Exceptions_API_ListId: - description: Value list's identifier. - example: 21b01cfb-058d-44b9-838c-282be16c91cd - format: nonempty - minLength: 1 - type: string - Security_Exceptions_API_ListType: - description: | - Specifies the Elasticsearch data type of excludes the list container holds. 
Some common examples: - - - `keyword`: Many ECS fields are Elasticsearch keywords - - `ip`: IP addresses - - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) - enum: - - binary - - boolean - - byte - - date - - date_nanos - - date_range - - double - - double_range - - float - - float_range - - geo_point - - geo_shape - - half_float - - integer - - integer_range - - ip - - ip_range - - keyword - - long - - long_range - - shape - - short - - text - type: string - Security_Exceptions_API_NonEmptyString: - description: A string that does not contain only whitespace characters - format: nonempty - minLength: 1 - type: string - Security_Exceptions_API_PlatformErrorResponse: + - entity + Security_Entity_Analytics_API_UserName: + type: object + properties: + entity_analytics_monitoring: + description: Entity analytics monitoring configuration for the user + type: object + properties: + labels: + description: Array of labels associated with the user + items: + type: object + properties: + field: + description: The field name for the label + type: string + source: + description: >- + The source where this label was created (api, csv, or + index_sync) + enum: + - api + - csv + - index_sync + type: string + value: + description: The value of the label + type: string + type: array + user: + type: object + properties: + name: + description: The name of the user. 
+ type: string + Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem: + example: + matchedEntities: 1 + status: success type: object properties: error: + description: Error message if the row failed to process + example: Invalid entity type type: string - message: - type: string - statusCode: + matchedEntities: + description: Number of entities matched for this row + example: 1 type: integer + status: + enum: + - success + - failure + - unmatched + example: success + type: string required: - - statusCode - - error - - message - Security_Exceptions_API_RuleId: - $ref: '#/components/schemas/Security_Exceptions_API_UUID' - Security_Exceptions_API_SiemErrorResponse: + - status + - matchedEntities + Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem: + example: + euid: user:john.doe + status: success type: object properties: - message: + error: + description: Error message if the entity failed to process + example: Invalid entity type + type: string + euid: + description: The EUID of the entity + example: user:john.doe + type: string + status: + enum: + - success + - failure + - not_found + example: success type: string - status_code: - type: integer required: - - status_code - - message - Security_Exceptions_API_TrustedAppHashEntry: + - euid + - status + Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem: + example: + euid: user:john.doe + status: success type: object properties: - field: - description: Process hash field - enum: - - process.hash.md5 - - process.hash.sha1 - - process.hash.sha256 + error: + description: Error message if the entity failed to process + example: Invalid entity type type: string - operator: - enum: - - included + euid: + description: The EUID of the entity + example: user:john.doe type: string - type: - description: Hash entries only support match type + status: enum: - - match - type: string - value: - description: Hash value (MD5, SHA1, or SHA256) + - success + - failure + - not_found + example: 
success type: string required: - - field - - type - - value - - operator - Security_Exceptions_API_TrustedAppMacCodeSignatureEntry: + - euid + - status + Security_Entity_Analytics_API_WatchlistObject: + example: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' type: object properties: - entries: - description: Must include exactly 2 entries - one for subject_name and one for trusted + createdAt: + description: Timestamp indicating when the watchlist was created + format: date-time + type: string + description: + description: Description of the watchlist + type: string + entityCount: + description: Number of entities in the watchlist + type: number + entitySourceIds: + description: List of entity source IDs associated with the watchlist items: - oneOf: - - type: object - properties: - field: - enum: - - subject_name - type: string - operator: - enum: - - included - type: string - type: - enum: - - match - type: string - value: - description: Certificate subject name - type: string - required: - - field - - type - - value - - operator - - type: object - properties: - field: - enum: - - trusted - type: string - operator: - enum: - - included - type: string - type: - enum: - - match - type: string - value: - description: Must be the string 'true' - enum: - - 'true' - type: string - required: - - field - - type - - value - - operator - maxItems: 2 - minItems: 2 + type: string type: array - field: - description: macOS code signature field - enum: - - process.code_signature + id: + description: The unique ID of the watchlist type: string - type: - enum: - - nested + managed: + description: Indicates if the watchlist is managed by the system + type: boolean + name: + description: The name of the watchlist + type: string + riskModifier: + description: Risk score modifier associated with the watchlist + type: number + 
updatedAt: + description: Timestamp indicating when the watchlist was last updated + format: date-time type: string required: - - field - - type - - entries - Security_Exceptions_API_TrustedAppPathEntry: + - name + - riskModifier + - managed + Security_Exceptions_API_BlocklistHashOrPathEntry: type: object properties: field: - description: Process executable path field + description: File hash or path field enum: - - process.executable.caseless + - file.hash.md5 + - file.hash.sha1 + - file.hash.sha256 + - file.path + - file.path.caseless type: string operator: + description: Must be the value "included" enum: - included type: string type: - description: Path supports both match and wildcard types + description: Must be match_any for blocklists enum: - - match - - wildcard + - match_any type: string value: - description: Executable path - type: string + description: Array of hash values or file paths + items: + type: string + minItems: 1 + type: array required: - field - type - value - operator - Security_Exceptions_API_TrustedAppsLinuxProperties: - description: Trusted applications list item properties (Linux). + Security_Exceptions_API_BlocklistLinuxProperties: + description: Blocklist list item properties (Linux, code signature not supported). 
type: object properties: entries: - description: Process hash or executable path entries (code signature not supported on Linux) + description: | + **Validation rules:** + * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) + * Path entry: only 1 allowed items: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry' + $ref: >- + #/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry minItems: 1 type: array list_id: enum: - - endpoint_trusted_apps - example: endpoint_trusted_apps + - endpoint_blocklists + example: endpoint_blocklists type: string os_types: - description: Must be Linux only + description: Linux-only items: enum: - linux 
@@ -123621,26 +51333,27 @@ components: $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - list_id - Security_Exceptions_API_TrustedAppsMacProperties: - description: Trusted applications list item properties (macOS). + Security_Exceptions_API_BlocklistMacProperties: + description: Blocklist list item properties (macOS, code signature not supported). type: object properties: entries: - description: Process hash, executable path, or code signature entries + description: | + **Validation rules:** + * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) + * Path entry: only 1 allowed items: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppMacCodeSignatureEntry' + $ref: >- + #/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry minItems: 1 type: array list_id: enum: - - endpoint_trusted_apps - example: endpoint_trusted_apps + - endpoint_blocklists + example: endpoint_blocklists type: string os_types: - description: Must be macOS only + description: macOS-only items: enum: - macos 
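Review bot: The validation rules written into the `entries` description of Security_Exceptions_API_BlocklistMacProperties (up to 3 hash entries, only 1 path entry) are not expressed by the schema itself, which only sets `minItems: 1`, so a generated client or a schema validator cannot reject an oversized payload before it reaches the API. If those limits are authoritative, adding `maxItems: 4` beside `minItems: 1` would at least bound the array; the per-field uniqueness ("one for each hash type") cannot be expressed in OpenAPI and would stay in the description. The same applies to the Linux variant in the preceding hunk and, with `maxItems: 5` because of the additional code-signature entry, to Security_Exceptions_API_BlocklistWindowsProperties in the `@@ -123800` hunk. Since this file is bundler output, the change belongs in the source `*.schema.yaml` this bundle is generated from.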
@@ -123652,125 +51365,18 @@ components: $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - list_id - Security_Exceptions_API_TrustedAppsWindowsProperties: - description: Trusted applications list item properties (Windows). - type: object - properties: - entries: - description: Process hash, executable path, or code signature entries - items: - oneOf: - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry' - minItems: 1 - type: array - list_id: - enum: - - endpoint_trusted_apps - example: endpoint_trusted_apps - type: string - os_types: - description: Must be Windows only - items: - enum: - - windows - type: string - maxItems: 1 - minItems: 1 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry: - type: object - properties: - entries: - description: Must include exactly 2 entries - one for subject_name and one for trusted - items: - oneOf: - - type: object - properties: - field: - enum: - - subject_name - type: string - operator: - enum: - - included - type: string - type: - enum: - - match - type: string - value: - description: Certificate subject name - type: string - required: - - field - - type - - value - - operator - - type: object - properties: - field: - enum: - - trusted - type: string - operator: - enum: - - included - type: string - type: - enum: - - match - type: string - value: - description: Must be the string 'true' - enum: - - 'true' - type: string - required: - - field - - type - - value - - operator - maxItems: 2 - minItems: 2 - type: array - field: - description: Windows code signature field - enum: - - process.Ext.code_signature - type: string - type: - enum: - - nested - type: string - required: 
- - field - - type - - entries - Security_Exceptions_API_TrustedDevicesMacProperties: - description: Trusted devices list item properties (macOS-only, username not supported). + Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry: type: object properties: entries: - description: Exception entries for the trusted device (duplicate field entries are not allowed) + description: Nested subject_name entries items: type: object properties: field: - description: Device field to match against + description: Certificate subject name enum: - - device.serial_number - - device.type - - host.name - - device.vendor.name - - device.vendor.id - - device.product.id - - device.product.name + - subject_name type: string operator: description: Must be the value "included" @@ -123778,17 +51384,16 @@ components: - included type: string type: - description: Entry match type + description: Match type for subject name enum: - match - - wildcard - match_any type: string value: oneOf: - - description: Single value (used with match or wildcard) + - description: Single subject name (used with match) type: string - - description: Array of values (used with match_any) + - description: Array of subject names (used with match_any) items: type: string minItems: 1 
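Review bot: In the `entries` item of Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry the pairing between `type` and the shape of `value` exists only in the new descriptions ("used with match" / "used with match_any"); as written the schema also accepts `type: match_any` with a single string and `type: match` with an array, so a validator cannot catch a mismatched entry and the API's own validation is the only line of defence. If the pairing is meant to be enforced, the item can be split into two `oneOf` variants that each bind one `type` value to one `value` shape, as sketched below. The entry object starts in the previous hunk and its `required` list and `minItems` are in the next one. As this file is bundler output, the change belongs in the source schema file.

```yaml
entries:
  description: Nested subject_name entries
  items:
    oneOf:
      - type: object
        properties:
          # … unchanged: field and operator …
          type:
            description: Exact match against a single subject name
            enum:
              - match
            type: string
          value:
            description: Single subject name
            type: string
        # … unchanged: required list …
      - type: object
        properties:
          # … unchanged: field and operator …
          type:
            description: Match any of several subject names
            enum:
              - match_any
            type: string
          value:
            description: Array of subject names
            items:
              type: string
            minItems: 1
            type: array
        # … unchanged: required list …
```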
@@ -123800,147 +51405,45 @@ components: - operator minItems: 1 type: array - list_id: + field: + description: Windows code signature field enum: - - endpoint_trusted_devices - example: endpoint_trusted_devices + - file.Ext.code_signature type: string - os_types: - description: macOS-only - items: - enum: - - macos - type: string - maxItems: 1 - minItems: 1 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_TrustedDevicesWindowsMacProperties: - description: Trusted devices list item properties (Windows + macOS, username not supported). - type: object - properties: - entries: - description: Exception entries for the trusted device (duplicate field entries are not allowed, username not available when targeting both OS) - items: - type: object - properties: - field: - description: Device field to match against (username not available for multi-OS) - enum: - - device.serial_number - - device.type - - host.name - - device.vendor.name - - device.vendor.id - - device.product.id - - device.product.name - type: string - operator: - description: Must be the value "included" - enum: - - included - type: string - type: - description: Entry match type - enum: - - match - - wildcard - - match_any - type: string - value: - oneOf: - - description: Single value (used with match or wildcard) - type: string - - description: Array of values (used with match_any) - items: - type: string - minItems: 1 - type: array - required: - - field - - type - - value - - operator - minItems: 1 - type: array - list_id: + type: + description: Must be nested for Windows code signature enum: - - endpoint_trusted_devices - example: endpoint_trusted_devices + - nested type: string - os_types: - description: Must include both Windows and macOS (username field not allowed) - items: - enum: - - windows - - macos - type: string - maxItems: 2 - minItems: 2 - type: array - tags: - $ref: 
'#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - - list_id - Security_Exceptions_API_TrustedDevicesWindowsProperties: - description: Trusted devices list item properties (Windows-only, allows username field). - type: object - properties: - entries: - description: Exception entries for the trusted device (duplicate field entries are not allowed) - items: - type: object - properties: - field: - description: Device field to match against (user.name is Windows-only) - enum: - - device.serial_number - - device.type - - host.name - - device.vendor.name - - device.vendor.id - - device.product.id - - device.product.name - - user.name - type: string - operator: - description: Must be the value "included" - enum: - - included - type: string - type: - description: Entry match type - enum: - - match - - wildcard - - match_any - type: string - value: - oneOf: - - description: Single value (used with match or wildcard) - type: string - - description: Array of values (used with match_any) - items: - type: string - minItems: 1 - type: array - required: - - field - - type - - value - - operator + - field + - type + - entries + Security_Exceptions_API_BlocklistWindowsProperties: + description: Blocklist list item properties (Windows, supports code signature). 
+ type: object + properties: + entries: + description: | + **Validation rules:** + * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) + * Path entry: only 1 allowed + * Code signature entry: only 1 allowed + items: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry + - $ref: >- + #/components/schemas/Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry minItems: 1 type: array list_id: enum: - - endpoint_trusted_devices - example: endpoint_trusted_devices + - endpoint_blocklists + example: endpoint_blocklists type: string os_types: - description: Must be Windows-only to allow username field + description: Windows-only items: enum: - windows 
@@ -123952,25 +51455,22 @@ components: $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - list_id - Security_Exceptions_API_UpdateExceptionListItemBase: + Security_Exceptions_API_CreateExceptionListItemBase: type: object properties: - _version: - description: The version ID, normally returned by the API when the item is retrieved. Use it to ensure updates are made against the latest version. - type: string comments: - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray' + $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray default: [] description: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription expire_time: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - description: Either `id` or `item_id` must be specified + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime item_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' - description: Either `id` or `item_id` must be specified + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' name: 
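Review bot: Security_Exceptions_API_CreateExceptionListItemBase carries `expire_time`, and the following hunk composes this base via `allOf` into the endpoint-artifact variants (BlocklistLinux/Mac/Windows, EndpointList, EventFilters), while the removed definition of Security_Exceptions_API_ExceptionListItemExpireTime in the earlier hunk states the field is only available for regular exception items, not endpoint exceptions. If that caveat still holds on the new side, the bundled schema advertises a field those variants do not accept; this is inherited from the Update base the new schema mirrors rather than introduced here, but the commit is the natural place to fix it. One option is to drop `expire_time` from the base and declare it only on the Generic variant; a lighter one is to keep it and document the restriction next to the `$ref`, e.g. `description: Not supported for endpoint artifact items` (the file already pairs `description` with `$ref` this way). Either change belongs in the source schema this bundle is generated from.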
@@ -123984,322 +51484,839 @@ components: - type - name - description - Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux: + Security_Exceptions_API_CreateExceptionListItemBlocklistLinux: allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties' - Security_Exceptions_API_UpdateExceptionListItemBlocklistMac: + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties + Security_Exceptions_API_CreateExceptionListItemBlocklistMac: allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties' - Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows: + Security_Exceptions_API_CreateExceptionListItemBlocklistWindows: allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties' - Security_Exceptions_API_UpdateExceptionListItemComment: + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties + Security_Exceptions_API_CreateExceptionListItemComment: type: object properties: comment: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - id: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' required: - comment - Security_Exceptions_API_UpdateExceptionListItemCommentArray: + Security_Exceptions_API_CreateExceptionListItemCommentArray: items: - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment' + $ref: >- + 
#/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment type: array - Security_Exceptions_API_UpdateExceptionListItemEndpointList: + Security_Exceptions_API_CreateExceptionListItemEndpointList: allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties' - Security_Exceptions_API_UpdateExceptionListItemEventFilters: + Security_Exceptions_API_CreateExceptionListItemEventFilters: allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties' - Security_Exceptions_API_UpdateExceptionListItemGeneric: + Security_Exceptions_API_CreateExceptionListItemGeneric: allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - example: - comments: [] - description: Updated description + description: This is a sample detection type exception item. 
entries: + - field: actingProcess.file.signer + operator: excluded + type: exists - field: host.name operator: included - type: match - value: rock01 + type: match_any + value: + - saturn + - jupiter item_id: simple_list_item - name: Updated name + list_id: simple_list + name: Sample Exception List Item namespace_type: single - tags: [] + os_types: + - linux + tags: + - malware type: simple type: object properties: entries: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray list_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListHumanId os_types: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray default: [] tags: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemTags + default: [] required: + - list_id - entries - Security_Exceptions_API_UpdateExceptionListItemHostIsolation: + Security_Exceptions_API_CreateExceptionListItemHostIsolation: allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties' - Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux: + Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux: allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties' - Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac: + - $ref: >- + 
#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties + Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac: allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties' - Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows: + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties + Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows: allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties' - Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac: + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties + Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac: allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties' - Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows: + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties + Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows: allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties' - Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac: + - $ref: >- + 
#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties + Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac: allOf: - - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties' - Security_Exceptions_API_UUID: - description: A universally unique identifier - format: uuid - type: string - Security_Lists_API_FindListItemsCursor: - description: Returns the items that come after the last item returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all items are sorted and returned correctly. - example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d - format: nonempty - minLength: 1 - type: string - Security_Lists_API_FindListItemsFilter: - example: value:127.0.0.1 - type: string - Security_Lists_API_FindListsCursor: - example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d - format: nonempty - minLength: 1 - type: string - Security_Lists_API_FindListsFilter: - example: value:127.0.0.1 - type: string - Security_Lists_API_List: + - $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties + Security_Exceptions_API_CreateRuleExceptionListItemComment: type: object properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - '@timestamp': - example: '2025-01-08T04:47:34.273Z' + comment: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + required: + - comment + Security_Exceptions_API_CreateRuleExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment + type: array + 
Security_Exceptions_API_CreateRuleExceptionListItemProps: + type: object + properties: + comments: + $ref: >- + #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + expire_time: format: date-time type: string + item_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' + default: [] + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' + required: + - type + - name + - description + - entries + Security_Exceptions_API_EndpointArtifactTags: + default: [] + description: > + Tags for categorization. Special tags for scope control: + + * `"policy:all"` - Global artifact (applies to all Elastic Defend + policies) + + * `"policy:"` - Private artifact (applies to specific Elastic + Defend policy only, where `` is the Elastic Defend + integration policy ID) + items: + type: string + type: array + Security_Exceptions_API_EndpointListProperties: + description: Elastic Endpoint exception list item properties. + type: object + properties: + entries: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + description: > + Exception entries for endpoint security exceptions (used to prevent + detection rule alerts). 
+ + + **Fully flexible:** Supports any field name for maximum + compatibility with detection rules. No field restrictions are + enforced. + list_id: + enum: + - endpoint_list + example: endpoint_list + type: string + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_EventFiltersProperties: + description: Event filters list item properties. + type: object + properties: + entries: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + description: > + Exception entries for the event filter. + + + **Flexible field support:** Any event field name is allowed (e.g., + `process.name`, `file.path`, `event.action`, `dns.question.name`, + etc.) + + + **Minimum requirement:** At least 1 entry required + list_id: + enum: + - endpoint_event_filters + example: endpoint_event_filters + type: string + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_ExceptionList: + type: object + properties: + _version: + description: >- + The version id, normally returned by the API when the item was + retrieved. Use it ensure updates are done against the latest + version. + type: string created_at: description: Autogenerated date of object creation. - example: '2025-01-08T04:47:34.273Z' format: date-time type: string created_by: description: Autogenerated value - user that created object. 
- example: elastic type: string description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListDescription id: - $ref: '#/components/schemas/Security_Lists_API_ListId' + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' immutable: type: boolean + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' name: - $ref: '#/components/schemas/Security_Lists_API_ListName' + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' tie_breaker_id: - description: Field used in search to ensure all containers are sorted and returned correctly. - example: f5508188-b1e9-4e6e-9662-d039a7d89899 + description: >- + Field used in search to ensure all containers are sorted and + returned correctly. type: string type: - $ref: '#/components/schemas/Security_Lists_API_ListType' + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' updated_at: description: Autogenerated date of last object update. - example: '2025-01-08T04:47:34.273Z' format: date-time type: string updated_by: description: Autogenerated value - user that last updated object. 
- example: elastic type: string version: - $ref: '#/components/schemas/Security_Lists_API_ListVersion' + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' required: - id + - list_id - type - name - description - immutable + - namespace_type - version - tie_breaker_id - created_at - created_by - updated_at - updated_by - Security_Lists_API_ListDescription: - description: Describes the value list. + Security_Exceptions_API_ExceptionListDescription: + description: Describes the exception list. + example: This list tracks allowlisted values. + type: string + Security_Exceptions_API_ExceptionListHumanId: + description: > + The exception list's human-readable string identifier. + + + For endpoint artifacts, use one of the following values: + + + * `endpoint_list`: [Elastic Endpoint exception + list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) + + * `endpoint_trusted_apps`: [Trusted applications + list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) + + * `endpoint_trusted_devices`: [Trusted devices + list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) + + * `endpoint_event_filters`: [Event filters + list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) + + * `endpoint_host_isolation_exceptions`: [Host isolation exceptions + list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) + + * `endpoint_blocklists`: [Blocklists + list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) + example: simple_list format: nonempty minLength: 1 type: string - Security_Lists_API_ListId: - description: Value list's identifier. - example: 21b01cfb-058d-44b9-838c-282be16c91cd + Security_Exceptions_API_ExceptionListId: + description: Exception list's identifier. 
+ example: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 format: nonempty minLength: 1 type: string - Security_Lists_API_ListItem: + Security_Exceptions_API_ExceptionListItem: type: object properties: _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - '@timestamp': - example: '2025-01-08T04:47:34.273Z' - format: date-time + description: >- + The version id, normally returned by the API when the item was + retrieved. Use it ensure updates are done against the latest + version. type: string + comments: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray created_at: description: Autogenerated date of object creation. - example: '2025-01-08T04:47:34.273Z' format: date-time type: string created_by: description: Autogenerated value - user that created object. - example: elastic type: string + description: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + expire_time: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + item_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId list_id: - $ref: '#/components/schemas/Security_Lists_API_ListId' + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + tags: + $ref: 
'#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' tie_breaker_id: - description: Field used in search to ensure all containers are sorted and returned correctly. - example: f5508188-b1e9-4e6e-9662-d039a7d89899 + description: >- + Field used in search to ensure all containers are sorted and + returned correctly. type: string type: - $ref: '#/components/schemas/Security_Lists_API_ListType' + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' updated_at: description: Autogenerated date of last object update. - example: '2025-01-08T04:47:34.273Z' format: date-time type: string updated_by: description: Autogenerated value - user that last updated object. - example: elastic type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' required: - id - - type + - item_id - list_id - - value + - type + - name + - description + - entries + - namespace_type + - comments - tie_breaker_id - created_at - created_by - updated_at - updated_by - Security_Lists_API_ListItemId: - description: Value list item's identifier. - example: 54b01cfb-058d-44b9-838c-282be16c91cd + Security_Exceptions_API_ExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + created_at: + description: Autogenerated date of object creation. + format: date-time + type: string + created_by: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + id: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + updated_at: + description: Autogenerated date of last object update. + format: date-time + type: string + updated_by: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + required: + - id + - comment + - created_at + - created_by + Security_Exceptions_API_ExceptionListItemCommentArray: + description: | + Array of comment fields: + + - comment (string): Comments about the exception item. 
+ items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemComment' + type: array + Security_Exceptions_API_ExceptionListItemDescription: + description: Describes the exception list. + type: string + Security_Exceptions_API_ExceptionListItemEntry: + anyOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard + discriminator: + propertyName: type + Security_Exceptions_API_ExceptionListItemEntryArray: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntry' + type: array + Security_Exceptions_API_ExceptionListItemEntryExists: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - exists + type: string + required: + - type + - field + - operator + Security_Exceptions_API_ExceptionListItemEntryList: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + list: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Exceptions_API_ListId' + type: + $ref: '#/components/schemas/Security_Exceptions_API_ListType' + required: + - id + - type + operator: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - list + type: string + required: + - type + - field + - list + - operator + Security_Exceptions_API_ExceptionListItemEntryMatch: + type: object + 
properties: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match + type: string + value: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + required: + - type + - field + - value + - operator + Security_Exceptions_API_ExceptionListItemEntryMatchAny: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match_any + type: string + value: + items: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + minItems: 1 + type: array + required: + - type + - field + - value + - operator + Security_Exceptions_API_ExceptionListItemEntryMatchWildcard: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - wildcard + type: string + value: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + required: + - type + - field + - value + - operator + Security_Exceptions_API_ExceptionListItemEntryNested: + type: object + properties: + entries: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem + minItems: 1 + type: array + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + type: + enum: + - nested + type: string + required: + - type + - field + - entries + Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + 
#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists + Security_Exceptions_API_ExceptionListItemEntryOperator: + enum: + - excluded + - included + type: string + Security_Exceptions_API_ExceptionListItemExpireTime: + description: >- + The exception item’s expiration date, in ISO format. This field is only + available for regular exception items, not endpoint exceptions. + format: date-time + type: string + Security_Exceptions_API_ExceptionListItemHumanId: + description: Human readable string identifier, e.g. `trusted-linux-processes` + example: simple_list_item format: nonempty minLength: 1 type: string - Security_Lists_API_ListItemMetadata: + Security_Exceptions_API_ExceptionListItemId: + description: Exception's identifier. + example: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + format: nonempty + minLength: 1 + type: string + Security_Exceptions_API_ExceptionListItemMeta: additionalProperties: true - description: Placeholder for metadata about the value list item. type: object - Security_Lists_API_ListItemPrivileges: + Security_Exceptions_API_ExceptionListItemName: + description: Exception list name. + format: nonempty + minLength: 1 + type: string + Security_Exceptions_API_ExceptionListItemOsTypeArray: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' + type: array + Security_Exceptions_API_ExceptionListItemTags: + items: + description: >- + String array containing words and phrases to help categorize exception + items. + format: nonempty + minLength: 1 + type: string + type: array + Security_Exceptions_API_ExceptionListItemType: + enum: + - simple + type: string + Security_Exceptions_API_ExceptionListMeta: + additionalProperties: true + description: Placeholder for metadata about the list container. 
type: object - properties: - application: - additionalProperties: - type: boolean - type: object - cluster: - additionalProperties: - type: boolean - type: object - has_all_requested: - type: boolean - index: - additionalProperties: - additionalProperties: - type: boolean - type: object + Security_Exceptions_API_ExceptionListName: + description: The name of the exception list. + example: My exception list + type: string + Security_Exceptions_API_ExceptionListOsType: + description: Use this field to specify the operating system. + enum: + - linux + - macos + - windows + type: string + Security_Exceptions_API_ExceptionListOsTypeArray: + description: Use this field to specify the operating system. Only enter one value. + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' + type: array + Security_Exceptions_API_ExceptionListsImportBulkError: + type: object + properties: + error: type: object - username: - type: string + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + item_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' required: - - username - - has_all_requested - - cluster - - index - - application - Security_Lists_API_ListItemValue: - description: The value used to evaluate exceptions. - format: nonempty - minLength: 1 + - error + Security_Exceptions_API_ExceptionListsImportBulkErrorArray: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError + type: array + Security_Exceptions_API_ExceptionListTags: + description: >- + String array containing words and phrases to help categorize exception + containers. 
+ items: + type: string + type: array + Security_Exceptions_API_ExceptionListType: + description: >- + The type of exception list to be created. Different list types may + denote where they can be utilized. + enum: + - detection + - rule_default + - endpoint + - endpoint_trusted_apps + - endpoint_trusted_devices + - endpoint_events + - endpoint_host_isolation_exceptions + - endpoint_blocklists type: string - Security_Lists_API_ListMetadata: - additionalProperties: true - description: Placeholder for metadata about the value list. - type: object - Security_Lists_API_ListName: - description: Value list's name. - example: List of bad IPs - format: nonempty - minLength: 1 + Security_Exceptions_API_ExceptionListVersion: + description: The document version, automatically increasd on updates. + minimum: 1 + type: integer + Security_Exceptions_API_ExceptionNamespaceType: + description: > + Determines whether the exception container is available in all Kibana + spaces or just the space + + in which it is created, where: + + + - `single`: Only available in the Kibana space in which it is created. + + - `agnostic`: Available in all Kibana spaces. + + + For endpoint artifacts, the `namespace_type` must always be `agnostic`. + Space awareness for endpoint artifacts is enforced based on Elastic + Defend policy assignments. + enum: + - agnostic + - single type: string - Security_Lists_API_ListPrivileges: + Security_Exceptions_API_FindExceptionListItemsFilter: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + Security_Exceptions_API_FindExceptionListsFilter: + example: exception-list.attributes.name:%Detection%20List + type: string + Security_Exceptions_API_HostIsolationProperties: + description: Host isolation exceptions list item properties. 
type: object properties: - application: - additionalProperties: - type: boolean - type: object - cluster: - additionalProperties: - type: boolean - type: object - has_all_requested: - type: boolean - index: - additionalProperties: - additionalProperties: - type: boolean + entries: + description: Exactly one entry allowed for host isolation exceptions + items: type: object - type: object - username: + properties: + field: + description: Must be destination.ip + enum: + - destination.ip + type: string + operator: + description: Must be the value "included" + enum: + - included + type: string + type: + description: Must be match + enum: + - match + type: string + value: + description: >- + Valid IPv4 address or CIDR notation (e.g., "192.168.1.1" or + "10.0.0.0/8") + type: string + required: + - field + - type + - value + - operator + maxItems: 1 + minItems: 1 + type: array + list_id: + enum: + - endpoint_host_isolation_exceptions + example: endpoint_host_isolation_exceptions type: string + os_types: + description: Must include all three operating systems (windows, linux, macos) + items: + enum: + - windows + - linux + - macos + type: string + maxItems: 3 + minItems: 3 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - - username - - has_all_requested - - cluster - - index - - application - Security_Lists_API_ListType: - description: | - Specifies the Elasticsearch data type of excludes the list container holds. Some common examples: + - list_id + Security_Exceptions_API_ListId: + description: Value list's identifier. + example: 21b01cfb-058d-44b9-838c-282be16c91cd + format: nonempty + minLength: 1 + type: string + Security_Exceptions_API_ListType: + description: > + Specifies the Elasticsearch data type of excludes the list container + holds. 
Some common examples: + - `keyword`: Many ECS fields are Elasticsearch keywords + - `ip`: IP addresses - - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) + + - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR + notation) enum: - binary - boolean @@ -124325,17 +52342,12 @@ components: - short - text type: string - Security_Lists_API_ListVersion: - description: The document version number. - example: 1 - minimum: 1 - type: integer - Security_Lists_API_ListVersionId: - description: | - The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version. - example: WzIsMV0= + Security_Exceptions_API_NonEmptyString: + description: A string that does not contain only whitespace characters + format: nonempty + minLength: 1 type: string - Security_Lists_API_PlatformErrorResponse: + Security_Exceptions_API_PlatformErrorResponse: type: object properties: error: @@ -124348,7 +52360,9 @@ components: - statusCode - error - message - Security_Lists_API_SiemErrorResponse: + Security_Exceptions_API_RuleId: + $ref: '#/components/schemas/Security_Exceptions_API_UUID' + Security_Exceptions_API_SiemErrorResponse: type: object properties: message: 
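Review bot: `Security_Exceptions_API_HostIsolationProperties.os_types` says "Must include all three operating systems (windows, linux, macos)" but `minItems: 3` / `maxItems: 3` also accept a repeated value such as three `windows` entries; add `uniqueItems: true` so the schema enforces what the description promises (this file is bundler output, so the fix belongs in the source schema it is generated from). `Security_Exceptions_API_ExceptionListItemEntry` declares `discriminator: propertyName: type` with no `mapping`, yet the `type` values (`match`, `match_any`, `list`, `exists`, `nested`, `wildcard`) are not equal to the referenced component names, so tooling that honours the discriminator cannot resolve the variant; either add a `mapping` from each value to its component or drop the discriminator. Several new descriptions are wrong or garbled: `Security_Exceptions_API_ExceptionListItemDescription` and `Security_Exceptions_API_ExceptionListItemName` describe the exception list rather than the item (suggest `Describes the exception list item.` and `Exception list item name.`), `Security_Exceptions_API_ExceptionListVersion` has `increasd`, the `_version` descriptions on `ExceptionList` and `ExceptionListItem` read `Use it ensure` instead of `Use it to ensure`, and `Security_Exceptions_API_ListType` carries over `data type of excludes the list container holds`. `Security_Exceptions_API_ExceptionListOsTypeArray` says `Only enter one value` but has no `maxItems: 1`, and the private-artifact bullet in `Security_Exceptions_API_EndpointArtifactTags` renders with an empty placeholder after `policy:` — if that is not a rendering artifact of this page, the policy-ID placeholder needs restoring, since that tag is what scopes the artifact to a policy. The enclosing `components.schemas` mapping starts and ends outside this hunk.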
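Review bot: `Security_Exceptions_API_RuleId` is added as `$ref: '#/components/schemas/Security_Exceptions_API_UUID'`, while the preceding hunk removes the `Security_Exceptions_API_UUID` definition (`description: A universally unique identifier`, `format: uuid`, `type: string`); unless the bundler re-emits that component later in the new file, the reference dangles and the bundled spec will fail `$ref` resolution. Component order changed in this regeneration, so this is worth confirming with a bundle validation run rather than by eye. The enclosing `components.schemas` mapping starts and ends outside this hunk.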
@@ -124358,878 +52372,1020 @@ components: required: - status_code - message - Security_Osquery_API_ArrayQueries: - description: An array of queries to run. - items: - $ref: '#/components/schemas/Security_Osquery_API_ArrayQueriesItem' - type: array - Security_Osquery_API_ArrayQueriesItem: + Security_Exceptions_API_TrustedAppHashEntry: type: object properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - id: - $ref: '#/components/schemas/Security_Osquery_API_QueryId' - platform: - $ref: '#/components/schemas/Security_Osquery_API_Platform' - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_Removed' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_Snapshot' - version: - $ref: '#/components/schemas/Security_Osquery_API_Version' - Security_Osquery_API_CopyPacksResponse: - description: The response for copying a pack. - example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: false - name: my_pack_copy - policy_ids: [] - queries: - - ecs_mapping: - - key: client.port - value: - field: port - id: ports - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: [] - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic + field: + description: Process hash field + enum: + - process.hash.md5 + - process.hash.sha1 + - process.hash.sha256 + type: string + operator: + enum: + - included + type: string + type: + description: Hash entries only support match type + enum: + - match + type: string + value: + description: Hash value (MD5, SHA1, or SHA256) + type: string + required: + - field + - type + - value + - operator + Security_Exceptions_API_TrustedAppMacCodeSignatureEntry: type: object properties: - data: - type: object - properties: - created_at: - format: date-time - type: 
string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: '#/components/schemas/Security_Osquery_API_PackDescription' - enabled: - $ref: '#/components/schemas/Security_Osquery_API_Enabled' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' - queries: - description: 'Pack queries in saved-object storage format (array). Note: the read endpoint returns object format.' - items: - type: object + entries: + description: >- + Must include exactly 2 entries - one for subject_name and one for + trusted + items: + oneOf: + - type: object properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' - id: + field: + enum: + - subject_name type: string - interval: - type: integer - platform: + operator: + enum: + - included type: string - query: + type: + enum: + - match type: string - removed: - type: boolean - snapshot: - type: boolean - timeout: - type: integer - version: + value: + description: Certificate subject name type: string - type: array - saved_object_id: - description: The saved object ID of the copied pack. - type: string - shards: - description: Shard configuration as an array of key-value pairs. - items: - type: object + required: + - field + - type + - value + - operator + - type: object properties: - key: + field: + enum: + - trusted + type: string + operator: + enum: + - included + type: string + type: + enum: + - match type: string value: - type: number - type: array - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: - type: string - version: - description: The pack version number. 
- type: integer - required: - - saved_object_id - - name + description: Must be the string 'true' + enum: + - 'true' + type: string + required: + - field + - type + - value + - operator + maxItems: 2 + minItems: 2 + type: array + field: + description: macOS code signature field + enum: + - process.code_signature + type: string + type: + enum: + - nested + type: string required: - - data - Security_Osquery_API_CopySavedQueryResponse: - description: The response for copying a saved query. - example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query_copy - interval: '60' - platform: linux,darwin - query: select * from uptime; - removed: false - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - snapshot: true - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic + - field + - type + - entries + Security_Exceptions_API_TrustedAppPathEntry: type: object properties: - data: - type: object - properties: - created_at: - format: date-time - type: string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - oneOf: - - type: integer - - type: string - platform: - $ref: '#/components/schemas/Security_Osquery_API_Platform' - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_Removed' - saved_object_id: - type: string - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_Snapshot' - timeout: - type: integer - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: - type: string - required: - - 
saved_object_id - - id + field: + description: Process executable path field + enum: + - process.executable.caseless + type: string + operator: + enum: + - included + type: string + type: + description: Path supports both match and wildcard types + enum: + - match + - wildcard + type: string + value: + description: Executable path + type: string required: - - data - Security_Osquery_API_CreateLiveQueryRequestBody: - example: - agent_all: true - ecs_mapping: - host.uptime: - field: total_seconds - query: select * from uptime; + - field + - type + - value + - operator + Security_Exceptions_API_TrustedAppsLinuxProperties: + description: Trusted applications list item properties (Linux). type: object properties: - agent_all: - description: When `true`, the query runs on all agents. - type: boolean - agent_ids: - description: A list of agent IDs to run the query on. + entries: + description: >- + Process hash or executable path entries (code signature not + supported on Linux) + items: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppHashEntry + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppPathEntry + minItems: 1 + type: array + list_id: + enum: + - endpoint_trusted_apps + example: endpoint_trusted_apps + type: string + os_types: + description: Must be Linux only items: + enum: + - linux type: string + maxItems: 1 + minItems: 1 type: array - agent_platforms: - description: A list of agent platforms to run the query on. + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_TrustedAppsMacProperties: + description: Trusted applications list item properties (macOS). 
+ type: object + properties: + entries: + description: Process hash, executable path, or code signature entries + items: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppHashEntry + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppPathEntry + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppMacCodeSignatureEntry + minItems: 1 + type: array + list_id: + enum: + - endpoint_trusted_apps + example: endpoint_trusted_apps + type: string + os_types: + description: Must be macOS only + items: + enum: + - macos + type: string + maxItems: 1 + minItems: 1 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_TrustedAppsWindowsProperties: + description: Trusted applications list item properties (Windows). + type: object + properties: + entries: + description: Process hash, executable path, or code signature entries items: - type: string + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppHashEntry + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppPathEntry + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry + minItems: 1 type: array - agent_policy_ids: - description: A list of agent policy IDs to run the query on. + list_id: + enum: + - endpoint_trusted_apps + example: endpoint_trusted_apps + type: string + os_types: + description: Must be Windows only items: + enum: + - windows type: string + maxItems: 1 + minItems: 1 type: array - alert_ids: - description: A list of alert IDs associated with the live query. 
+ tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry: + type: object + properties: + entries: + description: >- + Must include exactly 2 entries - one for subject_name and one for + trusted items: - type: string + oneOf: + - type: object + properties: + field: + enum: + - subject_name + type: string + operator: + enum: + - included + type: string + type: + enum: + - match + type: string + value: + description: Certificate subject name + type: string + required: + - field + - type + - value + - operator + - type: object + properties: + field: + enum: + - trusted + type: string + operator: + enum: + - included + type: string + type: + enum: + - match + type: string + value: + description: Must be the string 'true' + enum: + - 'true' + type: string + required: + - field + - type + - value + - operator + maxItems: 2 + minItems: 2 type: array - case_ids: - description: A list of case IDs associated with the live query. + field: + description: Windows code signature field + enum: + - process.Ext.code_signature + type: string + type: + enum: + - nested + type: string + required: + - field + - type + - entries + Security_Exceptions_API_TrustedDevicesMacProperties: + description: >- + Trusted devices list item properties (macOS-only, username not + supported). 
+ type: object + properties: + entries: + description: >- + Exception entries for the trusted device (duplicate field entries + are not allowed) items: - type: string + type: object + properties: + field: + description: Device field to match against + enum: + - device.serial_number + - device.type + - host.name + - device.vendor.name + - device.vendor.id + - device.product.id + - device.product.name + type: string + operator: + description: Must be the value "included" + enum: + - included + type: string + type: + description: Entry match type + enum: + - match + - wildcard + - match_any + type: string + value: + oneOf: + - description: Single value (used with match or wildcard) + type: string + - description: Array of values (used with match_any) + items: + type: string + minItems: 1 + type: array + required: + - field + - type + - value + - operator + minItems: 1 type: array - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - event_ids: - description: A list of event IDs associated with the live query. + list_id: + enum: + - endpoint_trusted_devices + example: endpoint_trusted_devices + type: string + os_types: + description: macOS-only items: + enum: + - macos type: string + maxItems: 1 + minItems: 1 type: array - metadata: - description: Custom metadata object associated with the live query. - nullable: true - type: object - pack_id: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ArrayQueries' - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - saved_query_id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - Security_Osquery_API_CreateLiveQueryResponse: - description: The response for creating a live query. 
- example: - data: - '@timestamp': '2022-07-26T09:59:32.220Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agent_all: true - agent_ids: [] - agent_platforms: [] - agent_policy_ids: [] - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2022-07-26T10:04:32.220Z' - input_type: osquery - metadata: - execution_context: - name: osquery - url: /app/osquery/live_queries/new - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - ecs_mapping: - host.uptime: - field: total_seconds - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - query: select * from uptime; - timeout: 120 - type: INPUT_ACTION - user_id: elastic + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_TrustedDevicesWindowsMacProperties: + description: >- + Trusted devices list item properties (Windows + macOS, username not + supported). type: object properties: - data: - type: object - properties: - '@timestamp': - description: The timestamp when the action was created. - format: date-time - type: string - action_id: - description: The ID of the action. - type: string - agent_all: - description: Whether the query targets all agents. - type: boolean - agent_ids: - description: The agent IDs targeted by the action. - items: - type: string - type: array - agent_platforms: - description: The agent platforms targeted. - items: + entries: + description: >- + Exception entries for the trusted device (duplicate field entries + are not allowed, username not available when targeting both OS) + items: + type: object + properties: + field: + description: >- + Device field to match against (username not available for + multi-OS) + enum: + - device.serial_number + - device.type + - host.name + - device.vendor.name + - device.vendor.id + - device.product.id + - device.product.name type: string - type: array - agent_policy_ids: - description: The agent policy IDs targeted. 
- items: + operator: + description: Must be the value "included" + enum: + - included type: string - type: array - agents: - description: The resolved list of agent IDs. - items: + type: + description: Entry match type + enum: + - match + - wildcard + - match_any type: string - type: array - expiration: - description: The expiration date of the action. - format: date-time - type: string - input_type: - description: The input type. - type: string - metadata: - description: Custom metadata associated with the action. - type: object - pack_id: - description: The pack ID if the query was run from a pack. - type: string - queries: - description: The queries in this action. - items: - type: object - properties: - action_id: + value: + oneOf: + - description: Single value (used with match or wildcard) type: string - agents: + - description: Array of values (used with match_any) items: type: string + minItems: 1 type: array - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - id: - type: string - platform: - type: string - query: - type: string - saved_query_id: - type: string - timeout: - type: integer - version: - type: string - type: array - type: - description: The action type. - type: string - user_id: - description: The user who created the action. 
- type: string - required: - - action_id + required: + - field + - type + - value + - operator + minItems: 1 + type: array + list_id: + enum: + - endpoint_trusted_devices + example: endpoint_trusted_devices + type: string + os_types: + description: Must include both Windows and macOS (username field not allowed) + items: + enum: + - windows + - macos + type: string + maxItems: 2 + minItems: 2 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - - data - Security_Osquery_API_CreatePacksRequestBody: - example: - description: My pack - enabled: true - name: my_pack - policy_ids: - - my_policy_id - - fleet-server-policy - queries: - my_query: - ecs_mapping: - client.port: - field: port - tags: - value: - - tag1 - - tag2 - interval: 60 - query: SELECT * FROM listening_ports; - timeout: 120 - shards: - fleet-server-policy: 58 - my_policy_id: 35 - type: object - properties: - description: - $ref: '#/components/schemas/Security_Osquery_API_PackDescription' - enabled: - $ref: '#/components/schemas/Security_Osquery_API_Enabled' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - shards: - $ref: '#/components/schemas/Security_Osquery_API_Shards' - Security_Osquery_API_CreatePacksResponse: - description: The response for creating a pack. 
- example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: true - name: my_pack - policy_ids: - - my_policy_id - queries: - ports: - ecs_mapping: - client.port: - field: port - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: - 47638692-7c4c-4053-aa3e-7186f28df349: 35 - 5e267651-fe50-443e-8d3f-3bbc9171b618: 58 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 1 + - list_id + Security_Exceptions_API_TrustedDevicesWindowsProperties: + description: >- + Trusted devices list item properties (Windows-only, allows username + field). type: object properties: - data: - type: object - properties: - created_at: - description: The date and time the pack was created. - format: date-time - type: string - created_by: - description: The user who created the pack. - nullable: true - type: string - created_by_profile_uid: - description: The profile UID of the user who created the pack. - type: string - description: - $ref: '#/components/schemas/Security_Osquery_API_PackDescription' - enabled: - $ref: '#/components/schemas/Security_Osquery_API_Enabled' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - saved_object_id: - description: The saved object ID of the pack. - type: string - shards: - description: Shard configuration as an array of key-value pairs. 
- items: - type: object - properties: - key: + entries: + description: >- + Exception entries for the trusted device (duplicate field entries + are not allowed) + items: + type: object + properties: + field: + description: Device field to match against (user.name is Windows-only) + enum: + - device.serial_number + - device.type + - host.name + - device.vendor.name + - device.vendor.id + - device.product.id + - device.product.name + - user.name + type: string + operator: + description: Must be the value "included" + enum: + - included + type: string + type: + description: Entry match type + enum: + - match + - wildcard + - match_any + type: string + value: + oneOf: + - description: Single value (used with match or wildcard) type: string - value: - type: number - type: array - updated_at: - description: The date and time the pack was last updated. - format: date-time - type: string - updated_by: - description: The user who last updated the pack. - nullable: true - type: string - updated_by_profile_uid: - description: The profile UID of the user who last updated the pack. - type: string - version: - description: The pack version number. 
- type: integer - required: - - saved_object_id - - name + - description: Array of values (used with match_any) + items: + type: string + minItems: 1 + type: array + required: + - field + - type + - value + - operator + minItems: 1 + type: array + list_id: + enum: + - endpoint_trusted_devices + example: endpoint_trusted_devices + type: string + os_types: + description: Must be Windows-only to allow username field + items: + enum: + - windows + type: string + maxItems: 1 + minItems: 1 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - - data - Security_Osquery_API_CreateSavedQueryRequestBody: - example: - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: saved_query_id - interval: '60' - platform: linux,darwin - query: select * from uptime; - timeout: 120 - version: 2.8.0 + - list_id + Security_Exceptions_API_UpdateExceptionListItemBase: type: object properties: + _version: + description: >- + The version ID, normally returned by the API when the item is + retrieved. Use it to ensure updates are made against the latest + version. 
+ type: string + comments: + $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray + default: [] description: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + expire_time: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - $ref: '#/components/schemas/Security_Osquery_API_Interval' - platform: - $ref: '#/components/schemas/Security_Osquery_API_Platform' - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_Removed' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_Snapshot' - version: - $ref: '#/components/schemas/Security_Osquery_API_Version' - Security_Osquery_API_CreateSavedQueryResponse: - description: The response for creating a saved query. 
- example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: saved_query_id - interval: '60' - platform: linux,darwin - prebuilt: false - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 2.8.0 + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + description: Either `id` or `item_id` must be specified + item_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + description: Either `id` or `item_id` must be specified + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' + required: + - type + - name + - description + Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties + Security_Exceptions_API_UpdateExceptionListItemBlocklistMac: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties' + Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties + Security_Exceptions_API_UpdateExceptionListItemComment: type: object properties: - data: - type: object - properties: - 
created_at: - format: date-time - type: string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - description: An interval, in seconds, on which to run the query. May be returned as number or string. - oneOf: - - type: integer - - type: string - platform: - $ref: '#/components/schemas/Security_Osquery_API_Platform' - prebuilt: - description: Whether the saved query is prebuilt. - type: boolean - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_Removed' - saved_object_id: - description: The saved object ID of the saved query. - type: string - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_Snapshot' - timeout: - description: The query timeout in seconds. - type: integer - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: - type: string - version: - description: The saved query version. 
- oneOf: - - type: integer - - type: string - required: - - saved_object_id - - id + comment: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + id: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' required: - - data - Security_Osquery_API_DefaultSuccessResponse: - example: {} - type: object - properties: {} - Security_Osquery_API_ECSMapping: - additionalProperties: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' - description: Map osquery results columns or static values to Elastic Common Schema (ECS) fields - example: - host.uptime: - field: total_seconds - type: object - Security_Osquery_API_ECSMappingArray: - description: ECS mapping in saved-object storage format (array of key-value pairs). The find and copy pack endpoints return this format. The read endpoint returns object format (ECSMapping). + - comment + Security_Exceptions_API_UpdateExceptionListItemCommentArray: items: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArrayItem' + $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment type: array - Security_Osquery_API_ECSMappingArrayItem: - description: ECS mapping item in saved-object storage format (key-value pair). 
+ Security_Exceptions_API_UpdateExceptionListItemEndpointList: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties' + Security_Exceptions_API_UpdateExceptionListItemEventFilters: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties' + Security_Exceptions_API_UpdateExceptionListItemGeneric: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - example: + comments: [] + description: Updated description + entries: + - field: host.name + operator: included + type: match + value: rock01 + item_id: simple_list_item + name: Updated name + namespace_type: single + tags: [] + type: simple + type: object + properties: + entries: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + list_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListHumanId + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemTags + required: + - entries + Security_Exceptions_API_UpdateExceptionListItemHostIsolation: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties' + Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties + Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: >- + 
#/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties + Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties + Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties + Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties + Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac: + allOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: >- + #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties + Security_Exceptions_API_UUID: + description: A universally unique identifier + format: uuid + type: string + Security_Lists_API_FindListItemsCursor: + description: >- + Returns the items that come after the last item returned in the previous + call (use the `cursor` value returned in the previous call). This + parameter uses the `tie_breaker_id` field to ensure all items are sorted + and returned correctly. 
+ example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d + format: nonempty + minLength: 1 + type: string + Security_Lists_API_FindListItemsFilter: + example: value:127.0.0.1 + type: string + Security_Lists_API_FindListsCursor: + example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d + format: nonempty + minLength: 1 + type: string + Security_Lists_API_FindListsFilter: + example: value:127.0.0.1 + type: string + Security_Lists_API_List: type: object properties: - key: - description: The ECS field name. + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + '@timestamp': + example: 2025-01-08T04:47:34.273Z + format: date-time type: string - value: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' - Security_Osquery_API_ECSMappingArrayOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' - nullable: true - Security_Osquery_API_ECSMappingItem: + created_at: + description: Autogenerated date of object creation. + example: 2025-01-08T04:47:34.273Z + format: date-time + type: string + created_by: + description: Autogenerated value - user that created object. + example: elastic + type: string + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + immutable: + type: boolean + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + tie_breaker_id: + description: >- + Field used in search to ensure all containers are sorted and + returned correctly. + example: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: string + type: + $ref: '#/components/schemas/Security_Lists_API_ListType' + updated_at: + description: Autogenerated date of last object update. + example: 2025-01-08T04:47:34.273Z + format: date-time + type: string + updated_by: + description: Autogenerated value - user that last updated object. 
+ example: elastic + type: string + version: + $ref: '#/components/schemas/Security_Lists_API_ListVersion' + required: + - id + - type + - name + - description + - immutable + - version + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Lists_API_ListDescription: + description: Describes the value list. + format: nonempty + minLength: 1 + type: string + Security_Lists_API_ListId: + description: Value list's identifier. + example: 21b01cfb-058d-44b9-838c-282be16c91cd + format: nonempty + minLength: 1 + type: string + Security_Lists_API_ListItem: type: object properties: - field: - description: The ECS field to map to. - example: host.uptime + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + '@timestamp': + example: 2025-01-08T04:47:34.273Z + format: date-time + type: string + created_at: + description: Autogenerated date of object creation. + example: 2025-01-08T04:47:34.273Z + format: date-time + type: string + created_by: + description: Autogenerated value - user that created object. + example: elastic + type: string + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + list_id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + tie_breaker_id: + description: >- + Field used in search to ensure all containers are sorted and + returned correctly. + example: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: string + type: + $ref: '#/components/schemas/Security_Lists_API_ListType' + updated_at: + description: Autogenerated date of last object update. + example: 2025-01-08T04:47:34.273Z + format: date-time + type: string + updated_by: + description: Autogenerated value - user that last updated object. + example: elastic type: string value: - description: The value to map to the ECS field. 
- example: total_seconds - oneOf: - - type: string - - items: - type: string - type: array - Security_Osquery_API_ECSMappingOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - nullable: true - Security_Osquery_API_Enabled: - description: Enables the pack. - example: true - type: boolean - Security_Osquery_API_EnabledOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Enabled' - nullable: true - Security_Osquery_API_FindLiveQueryDetailsResponse: - example: - data: - '@timestamp': '2022-07-26T09:59:32.220Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2022-07-26T10:04:32.220Z' - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - docs: 0 - ecs_mapping: - host.uptime: - field: total_seconds - failed: 1 - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - pending: 0 - query: select * from uptime; - responded: 1 - saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - status: completed - successful: 0 - status: completed - user_id: elastic + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - id + - type + - list_id + - value + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Lists_API_ListItemId: + description: Value list item's identifier. + example: 54b01cfb-058d-44b9-838c-282be16c91cd + format: nonempty + minLength: 1 + type: string + Security_Lists_API_ListItemMetadata: + additionalProperties: true + description: Placeholder for metadata about the value list item. 
+ type: object + Security_Lists_API_ListItemPrivileges: type: object properties: - data: + application: + additionalProperties: + type: boolean type: object - properties: - '@timestamp': - format: date-time - type: string - action_id: - type: string - agents: - items: - type: string - type: array - expiration: - format: date-time - type: string - pack_id: - type: string - pack_name: - type: string - prebuilt_pack: + cluster: + additionalProperties: + type: boolean + type: object + has_all_requested: + type: boolean + index: + additionalProperties: + additionalProperties: type: boolean - queries: - description: The queries with their execution status. - items: - type: object - properties: - action_id: - type: string - agents: - items: - type: string - type: array - docs: - description: Number of result documents. - type: integer - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - failed: - description: Number of failed queries. - type: integer - id: - type: string - pending: - description: Number of pending agents. - type: integer - query: - type: string - responded: - description: Total responded agents. - type: integer - saved_query_id: - type: string - status: - description: Status of this individual query. - enum: - - completed - - running - type: string - successful: - description: Number of successful agents. - type: integer - type: array - status: - description: Global status of the live query (completed, running). 
- enum: - - completed - - running - type: string - tags: - items: - type: string - type: array - user_id: - type: string - user_profile_uid: - type: string - Security_Osquery_API_FindLiveQueryResponse: - example: - data: - items: - - _source: - '@timestamp': '2023-10-31T00:00:00Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2023-10-31T00:00:00Z' - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - ecs_mapping: - host.uptime: - field: total_seconds - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - query: select * from uptime; - saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - result_counts: - error_agents: 0 - responded_agents: 1 - successful_agents: 1 - total_rows: 42 - user_id: elastic - total: 1 + type: object + type: object + username: + type: string + required: + - username + - has_all_requested + - cluster + - index + - application + Security_Lists_API_ListItemValue: + description: The value used to evaluate exceptions. + format: nonempty + minLength: 1 + type: string + Security_Lists_API_ListMetadata: + additionalProperties: true + description: Placeholder for metadata about the value list. + type: object + Security_Lists_API_ListName: + description: Value list's name. + example: List of bad IPs + format: nonempty + minLength: 1 + type: string + Security_Lists_API_ListPrivileges: + type: object + properties: + application: + additionalProperties: + type: boolean + type: object + cluster: + additionalProperties: + type: boolean + type: object + has_all_requested: + type: boolean + index: + additionalProperties: + additionalProperties: + type: boolean + type: object + type: object + username: + type: string + required: + - username + - has_all_requested + - cluster + - index + - application + Security_Lists_API_ListType: + description: > + Specifies the Elasticsearch data type of excludes the list container + holds. 
Some common examples: + + + - `keyword`: Many ECS fields are Elasticsearch keywords + + - `ip`: IP addresses + + - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR + notation) + enum: + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text + type: string + Security_Lists_API_ListVersion: + description: The document version number. + example: 1 + minimum: 1 + type: integer + Security_Lists_API_ListVersionId: + description: > + The version id, normally returned by the API when the document is + retrieved. Use it ensure updates are done against the latest version. + example: WzIsMV0= + type: string + Security_Lists_API_PlatformErrorResponse: type: object properties: - data: - type: object - properties: - items: - description: An array of live query action items. - items: - type: object - properties: - _source: - type: object - properties: - '@timestamp': - format: date-time - type: string - action_id: - type: string - agents: - items: - type: string - type: array - expiration: - format: date-time - type: string - pack_id: - type: string - queries: - items: - type: object - properties: - action_id: - type: string - agents: - items: - type: string - type: array - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - id: - type: string - query: - type: string - saved_query_id: - type: string - type: array - result_counts: - description: Result count statistics (present when withResultCounts is true). - type: object - properties: - error_agents: - type: integer - responded_agents: - type: integer - successful_agents: - type: integer - total_rows: - type: integer - user_id: - type: string - type: array - total: - description: The total number of live queries. 
- type: integer - Security_Osquery_API_FindPackResponse: - description: The details of a single query pack. + error: + type: string + message: + type: string + statusCode: + type: integer + required: + - statusCode + - error + - message + Security_Lists_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Osquery_API_ArrayQueries: + description: An array of queries to run. + items: + $ref: '#/components/schemas/Security_Osquery_API_ArrayQueriesItem' + type: array + Security_Osquery_API_ArrayQueriesItem: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + id: + $ref: '#/components/schemas/Security_Osquery_API_QueryId' + platform: + $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + version: + $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' + Security_Osquery_API_CopyPacksResponse: + description: The response for copying a pack. 
example: data: - created_at: '2022-07-25T19:41:10.263Z' + created_at: '2025-02-26T13:37:30.452Z' created_by: elastic - description: '' - enabled: true - name: test_pack - namespaces: - - default + description: My pack + enabled: false + name: my_pack_copy policy_ids: [] queries: - uptime: - ecs_mapping: - message: - field: days - interval: 3600 - query: select * from uptime - read_only: false - saved_object_id: 3c42c847-eb30-4452-80e0-728584042334 - shards: {} - type: osquery-pack - updated_at: '2022-07-25T20:12:01.455Z' + - ecs_mapping: + - key: client.port + value: + field: port + id: ports + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: [] + updated_at: '2025-02-26T13:37:30.452Z' updated_by: elastic - version: 1 type: object properties: data: - description: The pack details. type: object properties: created_at: 
@@ -125241,31 +53397,54 @@ components: created_by_profile_uid: type: string description: - $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + $ref: >- + #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined enabled: - $ref: '#/components/schemas/Security_Osquery_API_Enabled' + $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' - namespaces: - description: The namespaces the pack belongs to. - items: - type: string - type: array policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - read_only: - description: Whether the pack is read-only (true for prebuilt packs). - type: boolean + description: >- + Pack queries in saved-object storage format (array). Note: the + read endpoint returns object format. + items: + type: object + properties: + ecs_mapping: + $ref: >- + #/components/schemas/Security_Osquery_API_ECSMappingArrayOrUndefined + id: + type: string + interval: + type: integer + platform: + type: string + query: + type: string + removed: + type: boolean + snapshot: + type: boolean + timeout: + type: integer + version: + type: string + type: array saved_object_id: - description: The saved object ID of the pack. + description: The saved object ID of the copied pack. type: string shards: - $ref: '#/components/schemas/Security_Osquery_API_Shards' - type: - description: The saved object type. - type: string + description: Shard configuration as an array of key-value pairs. + items: + type: object + properties: + key: + type: string + value: + type: number + type: array updated_at: format: date-time type: string 
@@ -125282,134 +53461,26 @@ components: - name required: - data - Security_Osquery_API_FindPacksResponse: - description: A paginated list of query packs. - example: - data: - - created_at: '2023-10-31T00:00:00Z' - created_by: elastic - created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - description: My pack description - enabled: true - name: My Pack - policy_ids: [] - queries: - - ecs_mapping: - - key: host.uptime - value: - field: total_seconds - id: uptime - interval: 3600 - query: select * from uptime; - read_only: false - saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - updated_at: '2023-10-31T00:00:00Z' - updated_by: elastic - updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - page: 1 - per_page: 10 - total: 1 - type: object - properties: - data: - description: An array of pack objects. - items: - type: object - properties: - created_at: - format: date-time - type: string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: '#/components/schemas/Security_Osquery_API_PackDescription' - enabled: - $ref: '#/components/schemas/Security_Osquery_API_Enabled' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' - queries: - description: 'Pack queries in saved-object storage format (array). Note: the read endpoint returns object format.' - items: - type: object - properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' - id: - type: string - interval: - type: integer - platform: - type: string - query: - type: string - removed: - type: boolean - snapshot: - type: boolean - timeout: - type: integer - version: - type: string - type: array - read_only: - description: Whether the pack is read-only (true for prebuilt packs). - type: boolean - saved_object_id: - description: The saved object ID of the pack. 
- type: string - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: - type: string - version: - description: The pack version number. - type: integer - required: - - saved_object_id - - name - type: array - page: - description: The current page number. - type: integer - per_page: - description: The number of results per page. - type: integer - total: - description: The total number of packs. - type: integer - required: - - page - - per_page - - total - - data - Security_Osquery_API_FindSavedQueryDetailResponse: - description: The details of a single saved query. + Security_Osquery_API_CopySavedQueryResponse: + description: The response for copying a saved query. example: data: - created_at: '2022-07-26T09:28:08.597Z' + created_at: '2025-02-26T13:37:30.452Z' created_by: elastic description: Saved query description ecs_mapping: host.uptime: field: total_seconds - id: saved_query_id + id: my_saved_query_copy interval: '60' platform: linux,darwin - prebuilt: false query: select * from uptime; - saved_object_id: 3c42c847-eb30-4452-80e0-728584042334 - updated_at: '2022-07-26T09:28:08.597Z' + removed: false + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + snapshot: true + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' updated_by: elastic - version: 2.8.0 type: object properties: data: @@ -125424,9 +53495,10 @@ components: created_by_profile_uid: type: string description: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + $ref: >- + #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' interval: 
@@ -125434,17 +53506,15 @@ components: - type: integer - type: string platform: - $ref: '#/components/schemas/Security_Osquery_API_Platform' - prebuilt: - type: boolean + $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' query: $ref: '#/components/schemas/Security_Osquery_API_Query' removed: - $ref: '#/components/schemas/Security_Osquery_API_Removed' + $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' saved_object_id: type: string snapshot: - $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' timeout: type: integer updated_at: 
@@ -125455,620 +53525,228 @@ components: type: string updated_by_profile_uid: type: string - version: - oneOf: - - type: integer - - type: string required: - saved_object_id - id required: - data - Security_Osquery_API_FindSavedQueryResponse: - description: A paginated list of saved queries. - example: - data: - - created_at: '2022-07-26T09:28:08.597Z' - created_by: elastic - created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: saved_query_id - interval: '60' - platform: linux,darwin - prebuilt: false - query: select * from uptime; - saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - updated_at: '2022-07-26T09:28:08.597Z' - updated_by: elastic - updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - version: 2.8.0 - page: 1 - per_page: 100 - total: 11 - type: object - properties: - data: - description: An array of saved query objects. - items: - type: object - properties: - created_at: - format: date-time - type: string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - oneOf: - - type: integer - - type: string - platform: - $ref: '#/components/schemas/Security_Osquery_API_Platform' - prebuilt: - type: boolean - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_Removed' - saved_object_id: - type: string - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_Snapshot' - timeout: - type: integer - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: - type: string - version: - oneOf: - - type: 
integer - - type: string - required: - - saved_object_id - - id - type: array - page: - description: The current page number. - type: integer - per_page: - description: The number of results per page. - type: integer - total: - description: The total number of saved queries. - type: integer - required: - - page - - per_page - - total - - data - Security_Osquery_API_GetLiveQueryResultsResponse: - description: The response for getting live query results. - example: - data: - edges: - - _id: doc1 - _source: {} - - _id: doc2 - _source: {} - total: 2 - type: object - properties: - data: - type: object - properties: - edges: - description: The result rows from the query execution. - items: - type: object - properties: - _id: - type: string - _source: - description: The Elasticsearch document source containing query results. - type: object - type: array - total: - description: The total number of result rows. - type: integer - Security_Osquery_API_GetScheduledActionResultsResponse: + Security_Osquery_API_CreateLiveQueryRequestBody: example: - aggregations: - failed: 1 - pending: 0 - successful: 9 - totalResponded: 10 - totalRowCount: 42 - currentPage: 0 - edges: - - _id: result-001 - fields: - agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 - rows_count: 5 - status: success - metadata: - executionCount: 3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - timestamp: '2024-07-26T09:00:00.000Z' - pageSize: 20 - total: 10 - totalPages: 1 + agent_all: true + ecs_mapping: + host.uptime: + field: total_seconds + query: select * from uptime; type: object properties: - aggregations: - $ref: '#/components/schemas/Security_Osquery_API_ScheduledActionResultsAggregations' - currentPage: - description: The current page number (zero-based). - type: integer - edges: - description: The paginated list of per-agent action results. 
+ agent_all: + description: When `true`, the query runs on all agents. + type: boolean + agent_ids: + description: A list of agent IDs to run the query on. items: - type: object + type: string + type: array + agent_platforms: + description: A list of agent platforms to run the query on. + items: + type: string + type: array + agent_policy_ids: + description: A list of agent policy IDs to run the query on. + items: + type: string + type: array + alert_ids: + description: A list of alert IDs associated with the live query. + items: + type: string + type: array + case_ids: + description: A list of case IDs associated with the live query. + items: + type: string + type: array + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + event_ids: + description: A list of event IDs associated with the live query. + items: + type: string type: array - inspect: - description: Debug/inspection data for the search query. - type: object metadata: - $ref: '#/components/schemas/Security_Osquery_API_ScheduledExecutionMetadata' - pageSize: - description: The number of results per page. - type: integer - total: - description: The total number of action results. - type: integer - totalPages: - description: The total number of pages. - type: integer - Security_Osquery_API_GetScheduledQueryResultsResponse: - description: The response for getting scheduled query results. + description: Custom metadata object associated with the live query. + nullable: true + type: object + pack_id: + $ref: '#/components/schemas/Security_Osquery_API_PackIdOrUndefined' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ArrayQueries' + query: + $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' + saved_query_id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' + Security_Osquery_API_CreateLiveQueryResponse: + description: The response for creating a live query. 
example: data: - edges: - - _id: row-001 - fields: - host.uptime: - - '12345' - - _id: row-002 - fields: + '@timestamp': '2022-07-26T09:59:32.220Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agent_all: true + agent_ids: [] + agent_platforms: [] + agent_policy_ids: [] + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2022-07-26T10:04:32.220Z' + input_type: osquery + metadata: + execution_context: + name: osquery + url: /app/osquery/live_queries/new + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + ecs_mapping: host.uptime: - - '67890' - total: 2 + field: total_seconds + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + query: select * from uptime; + timeout: 120 + type: INPUT_ACTION + user_id: elastic type: object properties: data: - description: The query results data wrapper. type: object properties: - edges: - description: The paginated list of query result rows. - items: - type: object - type: array - inspect: - description: Debug/inspection data for the search query. - type: object - total: - description: The total number of result rows. 
- type: integer - Security_Osquery_API_GetUnifiedHistoryResponse: - example: - data: - - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agentCount: 5 - errorCount: 0 - id: 3c42c847-eb30-4452-80e0-728584042334 - queryName: uptime_query - queryText: select * from uptime; - source: Live - sourceType: live - successCount: 5 - timestamp: '2024-07-26T09:59:32.220Z' - totalRows: 42 - userId: elastic - - agentCount: 10 - errorCount: 1 - executionCount: 3 - id: pack_my_pack_uptime_3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - plannedTime: '2024-07-26T09:00:00.000Z' - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - source: Scheduled - sourceType: scheduled - successCount: 9 - timestamp: '2024-07-26T09:00:00.000Z' - totalRows: 100 - hasMore: true - nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... - type: object - properties: - data: - description: The list of unified history rows for the current page. - items: - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRow' - type: array - hasMore: - description: Whether there are more results beyond the current page. - type: boolean - nextPage: - description: A base64-encoded cursor to fetch the next page. Absent when there are no more results. - type: string - required: - - data - - hasMore - Security_Osquery_API_Interval: - description: An interval, in seconds, on which to run the query. - example: '60' - type: string - Security_Osquery_API_IntervalOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Interval' - nullable: true - Security_Osquery_API_KueryOrUndefined: - description: The kuery to filter the results by. - example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13' - nullable: true - type: string - Security_Osquery_API_LiveHistoryRow: - allOf: - - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' - - type: object - properties: - actionId: - description: The Fleet action ID for the live query. 
+ '@timestamp': + description: The timestamp when the action was created. + format: date-time type: string - agentAll: - description: Whether the query targeted all agents. + action_id: + description: The ID of the action. + type: string + agent_all: + description: Whether the query targets all agents. type: boolean - agentIds: - description: List of targeted agent IDs. + agent_ids: + description: The agent IDs targeted by the action. items: type: string type: array - agentPlatforms: - description: List of targeted agent platforms. + agent_platforms: + description: The agent platforms targeted. items: type: string type: array - agentPolicyIds: - description: List of targeted agent policy IDs. + agent_policy_ids: + description: The agent policy IDs targeted. items: type: string type: array - ecsMapping: - additionalProperties: true - description: ECS mapping configuration used for the query. - type: object - queriesTotal: - description: The total number of sub-queries in the live action. - type: integer - queriesWithResults: - description: The number of sub-queries that returned results. - type: integer - savedQueryId: - description: The saved query ID, if the live query was based on a saved query. - type: string - source: - description: Whether this was a manually run live query or triggered by a rule. - enum: - - Live - - Rule - type: string - sourceType: - description: Identifies this as a live query history row. - enum: - - live - type: string - timeout: - description: The query timeout in seconds. - type: integer - userId: - description: The ID of the user who ran the query. - type: string - userProfileUid: - description: The user profile UID of the user who ran the query. - type: string - required: - - sourceType - - source - Security_Osquery_API_ObjectQueries: - additionalProperties: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem' - description: An object of queries. 
- type: object - Security_Osquery_API_ObjectQueriesItem: - type: object - properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - id: - $ref: '#/components/schemas/Security_Osquery_API_QueryId' - platform: - $ref: '#/components/schemas/Security_Osquery_API_Platform' - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_Removed' - saved_query_id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_Snapshot' - version: - $ref: '#/components/schemas/Security_Osquery_API_Version' - Security_Osquery_API_PackDescription: - description: The pack description. - example: Pack description - type: string - Security_Osquery_API_PackDescriptionOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_PackDescription' - nullable: true - Security_Osquery_API_PackId: - description: The ID of the pack. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - Security_Osquery_API_PackIdOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - nullable: true - Security_Osquery_API_PackName: - description: The pack name. - example: my_pack - type: string - Security_Osquery_API_PageOrUndefined: - description: The page number to return. The default is 1. - example: 1 - nullable: true - type: integer - Security_Osquery_API_PageSizeOrUndefined: - description: The number of results to return per page. The default is 20. - example: 20 - nullable: true - type: integer - Security_Osquery_API_Platform: - description: Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, `linux,darwin`. 
- example: linux,darwin - type: string - Security_Osquery_API_PlatformOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Platform' - nullable: true - Security_Osquery_API_PolicyIds: - description: A list of agents policy IDs. - example: - - policyId1 - - policyId2 - items: - type: string - type: array - Security_Osquery_API_PolicyIdsOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' - nullable: true - Security_Osquery_API_Query: - description: The SQL query you want to run. - example: select * from uptime; - type: string - Security_Osquery_API_QueryId: - description: The ID of the query. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - Security_Osquery_API_QueryOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Query' - nullable: true - Security_Osquery_API_Removed: - description: Indicates whether the query is removed. - example: false - type: boolean - Security_Osquery_API_RemovedOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Removed' - nullable: true - Security_Osquery_API_SavedQueryDescription: - description: The saved query description. - example: Saved query description - type: string - Security_Osquery_API_SavedQueryDescriptionOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' - nullable: true - Security_Osquery_API_SavedQueryId: - description: The ID of a saved query. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - Security_Osquery_API_SavedQueryIdOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - nullable: true - Security_Osquery_API_ScheduledActionResultsAggregations: - type: object - properties: - failed: - description: The number of agents that returned errors. - type: integer - pending: - description: The number of agents with pending responses. - type: integer - successful: - description: The number of agents that completed successfully. 
- type: integer - totalResponded: - description: The total number of agents that responded. - type: integer - totalRowCount: - description: The total number of result rows across all agents. - type: integer - Security_Osquery_API_ScheduledExecutionMetadata: - description: Execution metadata resolved from the pack saved object. - type: object - properties: - executionCount: - description: The execution count for this scheduled query run. - type: integer - packId: - description: The ID of the pack containing the query. - type: string - packName: - description: The name of the pack containing the query. - type: string - queryName: - description: The name of the query within the pack. - type: string - queryText: - description: The SQL query that was executed. - type: string - scheduleId: - description: The schedule ID for the scheduled query. - type: string - timestamp: - description: The timestamp of the most recent response for this execution. - type: string - Security_Osquery_API_ScheduledHistoryRow: - allOf: - - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' - - type: object - properties: - executionCount: - description: The execution count for this scheduled query run. - type: integer - plannedTime: - description: The planned execution time for the scheduled query. + agents: + description: The resolved list of agent IDs. + items: + type: string + type: array + expiration: + description: The expiration date of the action. + format: date-time type: string - scheduleId: - description: The schedule ID for the scheduled query. + input_type: + description: The input type. type: string - source: - description: Indicates this is a scheduled query execution. - enum: - - Scheduled + metadata: + description: Custom metadata associated with the action. + type: object + pack_id: + description: The pack ID if the query was run from a pack. type: string - sourceType: - description: Identifies this as a scheduled query history row. 
- enum: - - scheduled + queries: + description: The queries in this action. + items: + type: object + properties: + action_id: + type: string + agents: + items: + type: string + type: array + ecs_mapping: + $ref: >- + #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined + id: + type: string + platform: + type: string + query: + type: string + saved_query_id: + type: string + timeout: + type: integer + version: + type: string + type: array + type: + description: The action type. type: string - required: - - sourceType - - source - Security_Osquery_API_Shards: - additionalProperties: - type: number - description: An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts. - example: - policy_id: 50 - type: object - Security_Osquery_API_Snapshot: - description: Indicates whether the query is a snapshot. - example: true - type: boolean - Security_Osquery_API_SnapshotOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Snapshot' - nullable: true - Security_Osquery_API_SortOrderOrUndefined: - description: Specifies the sort order. - enum: - - asc - - desc - example: desc - type: string - Security_Osquery_API_SortOrUndefined: - default: createdAt - description: The field that is used to sort the results. - example: createdAt - nullable: true - type: string - Security_Osquery_API_UnifiedHistoryRow: - discriminator: - mapping: - live: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' - scheduled: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' - propertyName: sourceType - oneOf: - - $ref: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' - - $ref: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' - Security_Osquery_API_UnifiedHistoryRowBase: - type: object - properties: - agentCount: - description: The number of agents targeted by the query. 
- type: integer - errorCount: - description: The number of agent responses with errors. - nullable: true - type: integer - id: - description: Unique identifier for the history row. - type: string - packId: - description: The ID of the pack containing the query. - type: string - packName: - description: The name of the pack containing the query. - type: string - queryName: - description: The name of the query, if available. - type: string - queryText: - description: The SQL query that was executed. - type: string - spaceId: - description: The Kibana space ID where the query was executed. - type: string - successCount: - description: The number of successful agent responses. - nullable: true - type: integer - timestamp: - description: The timestamp of the query execution. - type: string - totalRows: - description: The total number of result rows returned across all agents. - nullable: true - type: integer + user_id: + description: The user who created the action. + type: string + required: + - action_id required: - - id - - timestamp - - queryText - - agentCount - Security_Osquery_API_UpdatePacksRequestBody: + - data + Security_Osquery_API_CreatePacksRequestBody: example: - name: updated_my_pack_name + description: My pack + enabled: true + name: my_pack + policy_ids: + - my_policy_id + - fleet-server-policy + queries: + my_query: + ecs_mapping: + client.port: + field: port + tags: + value: + - tag1 + - tag2 + interval: 60 + query: SELECT * FROM listening_ports; + timeout: 120 + shards: + fleet-server-policy: 58 + my_policy_id: 35 type: object properties: description: - $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + $ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined' enabled: - $ref: '#/components/schemas/Security_Osquery_API_Enabled' + $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' policy_ids: - $ref: 
'#/components/schemas/Security_Osquery_API_PolicyIds' + $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' queries: $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' shards: $ref: '#/components/schemas/Security_Osquery_API_Shards' - Security_Osquery_API_UpdatePacksResponse: - description: The response for updating a pack. + Security_Osquery_API_CreatePacksResponse: + description: The response for creating a pack. example: data: created_at: '2025-02-26T13:37:30.452Z' created_by: elastic description: My pack enabled: true - name: updated_my_pack_name + name: my_pack policy_ids: - my_policy_id queries: @@ -126085,7 +53763,7 @@ components: shards: 47638692-7c4c-4053-aa3e-7186f28df349: 35 5e267651-fe50-443e-8d3f-3bbc9171b618: 58 - updated_at: '2025-02-26T13:40:16.297Z' + updated_at: '2025-02-26T13:37:30.452Z' updated_by: elastic version: 1 type: object 
@@ -126094,76 +53772,112 @@ components: type: object properties: created_at: + description: The date and time the pack was created. format: date-time type: string created_by: + description: The user who created the pack. nullable: true type: string created_by_profile_uid: + description: The profile UID of the user who created the pack. type: string description: - $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + $ref: >- + #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined enabled: - $ref: '#/components/schemas/Security_Osquery_API_Enabled' + $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' queries: $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' saved_object_id: description: The saved object ID of the pack. type: string shards: - $ref: '#/components/schemas/Security_Osquery_API_Shards' + description: Shard configuration as an array of key-value pairs. + items: + type: object + properties: + key: + type: string + value: + type: number + type: array updated_at: + description: The date and time the pack was last updated. format: date-time type: string updated_by: + description: The user who last updated the pack. nullable: true type: string updated_by_profile_uid: + description: The profile UID of the user who last updated the pack. type: string version: description: The pack version number. 
type: integer - Security_Osquery_API_UpdateSavedQueryRequestBody: + required: + - saved_object_id + - name + required: + - data + Security_Osquery_API_CreateSavedQueryRequestBody: example: - id: updated_my_saved_query_name + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: saved_query_id + interval: '60' + platform: linux,darwin + query: select * from uptime; + timeout: 120 + version: 2.8.0 type: object properties: description: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + $ref: >- + #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' interval: $ref: '#/components/schemas/Security_Osquery_API_Interval' platform: - $ref: '#/components/schemas/Security_Osquery_API_Platform' + $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' query: - $ref: '#/components/schemas/Security_Osquery_API_Query' + $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' removed: - $ref: '#/components/schemas/Security_Osquery_API_Removed' + $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' snapshot: - $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' version: - $ref: '#/components/schemas/Security_Osquery_API_Version' - Security_Osquery_API_UpdateSavedQueryResponse: - description: The response for updating a saved query. + $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' + Security_Osquery_API_CreateSavedQueryResponse: + description: The response for creating a saved query. 
example: data: created_at: '2025-02-26T13:37:30.452Z' created_by: elastic description: Saved query description - id: updated_my_saved_query_name + ecs_mapping: + host.uptime: + field: total_seconds + id: saved_query_id interval: '60' + platform: linux,darwin + prebuilt: false query: select * from uptime; saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - updated_at: '2025-02-26T13:40:16.297Z' + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' updated_by: elastic - version: WzQzMTcsMV0= + version: 2.8.0 type: object properties: data: @@ -126178,28 +53892,35 @@ components: created_by_profile_uid: type: string description: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + $ref: >- + #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' interval: + description: >- + An interval, in seconds, on which to run the query. May be + returned as number or string. oneOf: - type: integer - type: string platform: - $ref: '#/components/schemas/Security_Osquery_API_Platform' + $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' prebuilt: + description: Whether the saved query is prebuilt. type: boolean query: $ref: '#/components/schemas/Security_Osquery_API_Query' removed: - $ref: '#/components/schemas/Security_Osquery_API_Removed' + $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' saved_object_id: + description: The saved object ID of the saved query. type: string snapshot: - $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' timeout: + description: The query timeout in seconds. type: integer updated_at: format: date-time 
@@ -126211,4636 +53932,4569 @@ components: type: string version: description: The saved query version. - type: string + oneOf: + - type: integer + - type: string required: - saved_object_id - id required: - data - Security_Osquery_API_Version: - description: Uses the Osquery versions greater than or equal to the specified version string. - example: 1.0.0 - type: string - Security_Osquery_API_VersionOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Version' - nullable: true - Security_Timeline_API_AssociatedFilterType: - description: | - How the note is associated with a Timeline saved object and/or an event (`eventId`). `all`: no association-based restriction from this parameter. `document_only`: document-linked notes (non-empty `eventId`) without timeline association in the API's internal sense; post-filtering drops notes without a usable `eventId`. `saved_object_only`: timeline notes with no linked event (`eventId` empty or absent); post-filtering keeps timeline-only notes. `document_and_saved_object`: notes on a timeline and linked to an event; post-filtering enforces a real `eventId`. `orphan`: not on a timeline and `eventId` is empty (stricter than missing `eventId` in some cases). - enum: - - all - - document_only - - saved_object_only - - document_and_saved_object - - orphan - type: string - Security_Timeline_API_BareNote: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_NoteCreatedAndUpdatedMetadata' - - type: object - properties: - eventId: - description: | - Elasticsearch document `_id` for the event or alert this note refers to. Same value as the `documentIds` query parameter when fetching notes via GET /api/note. - example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - nullable: true - type: string - note: - description: The text of the note - example: This is an example text - nullable: true - type: string - timelineId: - description: The `savedObjectId` of the Timeline this note belongs to (not the note's own ID). 
- example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - type: string - required: - - timelineId - Security_Timeline_API_BarePinnedEvent: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata' - - type: object - properties: - eventId: - description: The `_id` of the associated event for this pinned event. - example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - type: string - timelineId: - description: The `savedObjectId` of the timeline that this pinned event is associated with - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - type: string - required: - - eventId - - timelineId - Security_Timeline_API_ColumnHeaderResult: - type: object - properties: - aggregatable: - nullable: true - type: boolean - category: - nullable: true - type: string - columnHeaderType: - nullable: true - type: string - description: - nullable: true - type: string - example: - nullable: true - type: string - id: - nullable: true - type: string - indexes: - items: - type: string - nullable: true - type: array - name: - nullable: true - type: string - placeholder: - nullable: true - type: string - searchable: - nullable: true - type: boolean - type: - nullable: true - type: string - Security_Timeline_API_DataProviderQueryMatch: - type: object - properties: - enabled: - nullable: true - type: boolean - excluded: - nullable: true - type: boolean - id: - nullable: true - type: string - kqlQuery: - nullable: true - type: string - name: - nullable: true - type: string - queryMatch: - $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' - nullable: true - type: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' - nullable: true - Security_Timeline_API_DataProviderResult: - type: object - properties: - and: - items: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderQueryMatch' - nullable: true - type: array - enabled: - nullable: true - type: boolean - excluded: - nullable: true - type: boolean - id: - nullable: 
true - type: string - kqlQuery: - nullable: true - type: string - name: - nullable: true - type: string - queryMatch: - $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' - nullable: true - type: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' - nullable: true - Security_Timeline_API_DataProviderType: - description: The type of data provider. - enum: - - default - - template - type: string - Security_Timeline_API_DocumentIds: - description: One document ID or an array of IDs (Elasticsearch `_id` of the event). - oneOf: - - items: - type: string - type: array - - type: string - Security_Timeline_API_FavoriteTimelineResponse: - type: object - properties: - favorite: - items: - $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' - type: array - savedObjectId: - type: string - templateTimelineId: - nullable: true - type: string - templateTimelineVersion: - nullable: true - type: number - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - version: - type: string - required: - - savedObjectId - - version - Security_Timeline_API_FavoriteTimelineResult: - description: Indicates when and who marked a Timeline as a favorite. 
- example: - favoriteDate: 1741337636741 - userName: elastic - type: object - properties: - favoriteDate: - nullable: true - type: number - fullName: - nullable: true - type: string - userName: - nullable: true - type: string - Security_Timeline_API_FilterTimelineResult: - example: - meta: - alias: Custom filter name - disabled: false - index: .alerts-security.alerts-default,logs-* - key: '@timestamp' - negate: false, - type: exists - value: exists - query: '{"exists":{"field":"@timestamp"}}' - type: object - properties: - exists: - nullable: true - type: string - match_all: - nullable: true - type: string - meta: - nullable: true - type: object - properties: - alias: - nullable: true - type: string - controlledBy: - nullable: true - type: string - disabled: - nullable: true - type: boolean - field: - nullable: true - type: string - formattedValue: - nullable: true - type: string - index: - nullable: true - type: string - key: - nullable: true - type: string - negate: - nullable: true - type: boolean - params: - nullable: true - type: string - type: - nullable: true - type: string - value: - nullable: true - type: string - missing: - nullable: true - type: string - query: - nullable: true - type: string - range: - nullable: true - type: string - script: - nullable: true - type: string - Security_Timeline_API_GetNotesResult: - type: object - properties: - notes: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - type: array - totalCount: - description: Number of notes returned (may be adjusted after the query when `associatedFilter` applies post-filtering). 
- type: number - required: - - totalCount - - notes - Security_Timeline_API_ImportTimelineResult: - type: object - properties: - errors: - description: The list of failed Timeline imports - items: - type: object - properties: - error: - description: The error containing the reason why the timeline could not be imported - type: object - properties: - message: - description: The reason why the timeline could not be imported - example: Malformed JSON - type: string - status_code: - description: The HTTP status code of the error - example: 400 - type: number - id: - description: The ID of the timeline that failed to import - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - type: string - type: array - success: - description: Indicates whether any of the Timelines were successfully imports - type: boolean - success_count: - description: The amount of successfully imported/updated Timelines - example: 99 - type: number - timelines_installed: - description: The amount of successfully installed Timelines - example: 80 - type: number - timelines_updated: - description: The amount of successfully updated Timelines - example: 19 - type: number - Security_Timeline_API_ImportTimelines: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - type: object - properties: - eventNotes: - items: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - nullable: true - type: array - globalNotes: - items: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - nullable: true - type: array - pinnedEventIds: - items: - type: string - nullable: true - type: array - savedObjectId: - nullable: true - type: string - version: - nullable: true - type: string - required: - - savedObjectId - - version - - pinnedEventIds - - eventNotes - - globalNotes - Security_Timeline_API_Note: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - - type: object - properties: - noteId: - description: The `savedObjectId` of the note - example: 
709f99c6-89b6-4953-9160-35945c8e174e - type: string - version: - description: The version of the note - example: WzQ2LDFd - type: string - required: - - noteId - - version - Security_Timeline_API_NoteCreatedAndUpdatedMetadata: + Security_Osquery_API_DefaultSuccessResponse: + example: {} type: object - properties: - created: - description: The time the note was created, using a 13-digit Epoch timestamp. - example: 1587468588922 - nullable: true - type: number - createdBy: - description: The user who created the note. - example: casetester - nullable: true - type: string - updated: - description: The last time the note was updated, using a 13-digit Epoch timestamp - example: 1741344876825 - nullable: true - type: number - updatedBy: - description: The user who last updated the note - example: casetester - nullable: true - type: string - Security_Timeline_API_PersistPinnedEventResponse: - oneOf: - - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - - type: object - properties: - unpinned: - description: Indicates whether the event was successfully unpinned - type: boolean - required: - - unpinned - Security_Timeline_API_PersistTimelineResponse: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - Security_Timeline_API_PinnedEvent: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_BarePinnedEvent' - - type: object - properties: - pinnedEventId: - description: The `savedObjectId` of this pinned event - example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 - type: string - version: - description: The version of this pinned event - example: WzQ2LDFe - type: string - required: - - pinnedEventId - - version - Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata: + properties: {} + Security_Osquery_API_ECSMapping: + additionalProperties: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' + description: >- + Map osquery results columns or static values to Elastic Common Schema + (ECS) fields + example: + 
host.uptime: + field: total_seconds + type: object + Security_Osquery_API_ECSMappingArray: + description: >- + ECS mapping in saved-object storage format (array of key-value pairs). + The find and copy pack endpoints return this format. The read endpoint + returns object format (ECSMapping). + items: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArrayItem' + type: array + Security_Osquery_API_ECSMappingArrayItem: + description: ECS mapping item in saved-object storage format (key-value pair). type: object properties: - created: - description: The time the pinned event was created, using a 13-digit Epoch timestamp. - example: 1587468588922 - nullable: true - type: number - createdBy: - description: The user who created the pinned event. - example: casetester - nullable: true - type: string - updated: - description: The last time the pinned event was updated, using a 13-digit Epoch timestamp - example: 1741344876825 - nullable: true - type: number - updatedBy: - description: The user who last updated the pinned event - example: casetester - nullable: true + key: + description: The ECS field name. type: string - Security_Timeline_API_QueryMatchResult: + value: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' + Security_Osquery_API_ECSMappingArrayOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' + nullable: true + Security_Osquery_API_ECSMappingItem: type: object properties: - displayField: - nullable: true - type: string - displayValue: - nullable: true - type: string field: - nullable: true - type: string - operator: - nullable: true + description: The ECS field to map to. + example: host.uptime type: string value: + description: The value to map to the ECS field. 
+ example: total_seconds oneOf: - - nullable: true - type: string + - type: string - items: type: string - nullable: true type: array - Security_Timeline_API_ResolvedTimeline: - type: object - properties: - alias_purpose: - $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose' - alias_target_id: - type: string - outcome: - $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome' - timeline: - $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject' - required: - - timeline - - outcome - Security_Timeline_API_ResponseNote: - type: object - properties: - note: - $ref: '#/components/schemas/Security_Timeline_API_Note' - required: - - note - Security_Timeline_API_RowRendererId: - description: Identifies the available row renderers - enum: - - alert - - alerts - - auditd - - auditd_file - - library - - netflow - - plain - - registry - - suricata - - system - - system_dns - - system_endgame_process - - system_file - - system_fim - - system_security_event - - system_socket - - threat_match - - zeek - type: string - Security_Timeline_API_SavedObjectIds: - description: One Timeline saved object ID or an array of IDs. - oneOf: - - items: - type: string - type: array - - type: string - Security_Timeline_API_SavedObjectResolveAliasPurpose: - enum: - - savedObjectConversion - - savedObjectImport - type: string - Security_Timeline_API_SavedObjectResolveOutcome: - enum: - - exactMatch - - aliasMatch - - conflict - type: string - Security_Timeline_API_SavedTimeline: + Security_Osquery_API_ECSMappingOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + nullable: true + Security_Osquery_API_Enabled: + description: Enables the pack. 
+ example: true + type: boolean + Security_Osquery_API_EnabledOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + nullable: true + Security_Osquery_API_FindLiveQueryDetailsResponse: + example: + data: + '@timestamp': '2022-07-26T09:59:32.220Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2022-07-26T10:04:32.220Z' + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + docs: 0 + ecs_mapping: + host.uptime: + field: total_seconds + failed: 1 + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + pending: 0 + query: select * from uptime; + responded: 1 + saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + status: completed + successful: 0 + status: completed + user_id: elastic type: object properties: - columns: - description: The Timeline's columns - example: - - columnHeaderType: not-filtered - id: '@timestamp' - - columnHeaderType: not-filtered - id: event.category - items: - $ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult' - nullable: true - type: array - created: - description: The time the Timeline was created, using a 13-digit Epoch timestamp. - example: 1587468588922 - nullable: true - type: number - createdBy: - description: The user who created the Timeline. 
- example: casetester - nullable: true - type: string - dataProviders: - description: Object containing query clauses - example: - - enabled: true - excluded: false - id: id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b - name: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b - queryMatch: - field: _id, - operator: ':' - value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b, - items: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderResult' - nullable: true - type: array - dataViewId: - description: ID of the Timeline's Data View - example: security-solution-default - nullable: true - type: string - dateRange: - description: The Timeline's search period. - example: - end: 1587456479201 - start: 1587370079200 - nullable: true - type: object - properties: - end: - oneOf: - - nullable: true - type: string - - nullable: true - type: number - start: - oneOf: - - nullable: true - type: string - - nullable: true - type: number - description: - description: The Timeline's description - example: Investigating exposure of CVE XYZ - nullable: true - type: string - eqlOptions: - description: EQL query that is used in the correlation tab - example: - eventCategoryField: event.category - query: sequence\n[process where process.name == "sudo"]\n[any where true] - size: 100 - timestampField: '@timestamp' - nullable: true + data: type: object properties: - eventCategoryField: - nullable: true + '@timestamp': + format: date-time type: string - query: - nullable: true + action_id: type: string - size: - oneOf: - - nullable: true - type: string - - nullable: true - type: number - tiebreakerField: - nullable: true + agents: + items: + type: string + type: array + expiration: + format: date-time type: string - timestampField: - nullable: true + pack_id: type: string - eventType: - deprecated: true - description: Event types displayed in the Timeline - example: all - nullable: true - type: string - excludedRowRendererIds: 
- description: A list of row renderers that should not be used when in `Event renderers` mode - items: - $ref: '#/components/schemas/Security_Timeline_API_RowRendererId' - nullable: true - type: array - favorite: - items: - $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' - nullable: true - type: array - filters: - description: A list of filters that should be applied to the query - items: - $ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult' - nullable: true - type: array - indexNames: - description: A list of index names to use in the query (e.g. when the default data view has been modified) - example: - - .logs* - items: - type: string - nullable: true - type: array - kqlMode: - description: |- - Indicates whether the KQL bar filters the query results or searches for additional results, where: - * `filter`: filters query results - * `search`: displays additional search results - example: search - nullable: true - type: string - kqlQuery: - $ref: '#/components/schemas/Security_Timeline_API_SerializedFilterQueryResult' - nullable: true - savedQueryId: - description: The ID of the saved query that might be used in the Query tab - example: c7b16904-02d7-4f32-b8f2-cc20f9625d6e - nullable: true - type: string - savedSearchId: - description: The ID of the saved search that is used in the ES|QL tab - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true - type: string - sort: - $ref: '#/components/schemas/Security_Timeline_API_Sort' - nullable: true - status: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true - templateTimelineId: - description: A unique ID (UUID) for Timeline templates. For Timelines, the value is `null`. - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true - type: string - templateTimelineVersion: - description: Timeline template version number. For Timelines, the value is `null`. 
- example: 12 - nullable: true - type: number - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - title: - description: The Timeline's title. - example: CVE XYZ investigation - nullable: true - type: string - updated: - description: The last time the Timeline was updated, using a 13-digit Epoch timestamp - example: 1741344876825 - nullable: true - type: number - updatedBy: - description: The user who last updated the Timeline - example: casetester - nullable: true - type: string - Security_Timeline_API_SavedTimelineWithSavedObjectId: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - type: object - properties: - savedObjectId: - description: The `savedObjectId` of the Timeline or Timeline template - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + pack_name: type: string - version: - description: The version of the Timeline or Timeline template - example: WzE0LDFd + prebuilt_pack: + type: boolean + queries: + description: The queries with their execution status. + items: + type: object + properties: + action_id: + type: string + agents: + items: + type: string + type: array + docs: + description: Number of result documents. + type: integer + ecs_mapping: + $ref: >- + #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined + failed: + description: Number of failed queries. + type: integer + id: + type: string + pending: + description: Number of pending agents. + type: integer + query: + type: string + responded: + description: Total responded agents. + type: integer + saved_query_id: + type: string + status: + description: Status of this individual query. + enum: + - completed + - running + type: string + successful: + description: Number of successful agents. + type: integer + type: array + status: + description: Global status of the live query (completed, running). 
+ enum: + - completed + - running type: string - required: - - savedObjectId - - version - Security_Timeline_API_SerializedFilterQueryResult: - description: KQL bar query. + tags: + items: + type: string + type: array + user_id: + type: string + user_profile_uid: + type: string + Security_Osquery_API_FindLiveQueryResponse: example: - filterQuery: null - kuery: - expression: '_id : *' - kind: kuery - serializedQuery: '{"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}}' + data: + items: + - _source: + '@timestamp': '2023-10-31T00:00:00Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2023-10-31T00:00:00Z' + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + ecs_mapping: + host.uptime: + field: total_seconds + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + query: select * from uptime; + saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + result_counts: + error_agents: 0 + responded_agents: 1 + successful_agents: 1 + total_rows: 42 + user_id: elastic + total: 1 + type: object + properties: + data: + type: object + properties: + items: + description: An array of live query action items. + items: + type: object + properties: + _source: + type: object + properties: + '@timestamp': + format: date-time + type: string + action_id: + type: string + agents: + items: + type: string + type: array + expiration: + format: date-time + type: string + pack_id: + type: string + queries: + items: + type: object + properties: + action_id: + type: string + agents: + items: + type: string + type: array + ecs_mapping: + $ref: >- + #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined + id: + type: string + query: + type: string + saved_query_id: + type: string + type: array + result_counts: + description: >- + Result count statistics (present when withResultCounts + is true). 
+ type: object + properties: + error_agents: + type: integer + responded_agents: + type: integer + successful_agents: + type: integer + total_rows: + type: integer + user_id: + type: string + type: array + total: + description: The total number of live queries. + type: integer + Security_Osquery_API_FindPackResponse: + description: The details of a single query pack. + example: + data: + created_at: '2022-07-25T19:41:10.263Z' + created_by: elastic + description: '' + enabled: true + name: test_pack + namespaces: + - default + policy_ids: [] + queries: + uptime: + ecs_mapping: + message: + field: days + interval: 3600 + query: select * from uptime + read_only: false + saved_object_id: 3c42c847-eb30-4452-80e0-728584042334 + shards: {} + type: osquery-pack + updated_at: '2022-07-25T20:12:01.455Z' + updated_by: elastic + version: 1 type: object properties: - filterQuery: - nullable: true + data: + description: The pack details. type: object properties: - kuery: - nullable: true - type: object - properties: - expression: - nullable: true - type: string - kind: - nullable: true - type: string - serializedQuery: - nullable: true + created_at: + format: date-time type: string - Security_Timeline_API_Sort: - oneOf: - - $ref: '#/components/schemas/Security_Timeline_API_SortObject' - - items: - $ref: '#/components/schemas/Security_Timeline_API_SortObject' - type: array - Security_Timeline_API_SortFieldTimeline: - description: The field to sort the timelines by. 
- enum: - - title - - description - - updated - - created - type: string - Security_Timeline_API_SortObject: - description: Object indicating how rows are sorted in the Timeline's grid - example: - columnId: '@timestamp' - sortDirection: desc - type: object - properties: - columnId: - nullable: true - type: string - columnType: - nullable: true - type: string - sortDirection: - nullable: true - type: string - Security_Timeline_API_TimelineResponse: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId' - - type: object - properties: - eventIdToNoteIds: - description: A list of all the notes that are associated to this Timeline. - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - noteIds: - description: A list of all the ids of notes that are associated to this Timeline. - example: - - 709f99c6-89b6-4953-9160-35945c8e174e - items: - type: string - nullable: true - type: array - notes: - description: A list of all the notes that are associated to this Timeline. - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - pinnedEventIds: - description: A list of all the ids of pinned events that are associated to this Timeline. - example: - - 983f99c6-89b6-4953-9160-35945c8a194f - items: - type: string - nullable: true - type: array - pinnedEventsSaveObject: - description: A list of all the pinned events that are associated to this Timeline. 
- items: - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - nullable: true - type: array - Security_Timeline_API_TimelineSavedToReturnObject: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - type: object - properties: - eventIdToNoteIds: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - noteIds: - items: - type: string - nullable: true - type: array - notes: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' + created_by: nullable: true - type: array - pinnedEventIds: + type: string + created_by_profile_uid: + type: string + description: + $ref: >- + #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined + enabled: + $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + namespaces: + description: The namespaces the pack belongs to. items: type: string - nullable: true type: array - pinnedEventsSaveObject: - items: - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' + read_only: + description: Whether the pack is read-only (true for prebuilt packs). + type: boolean + saved_object_id: + description: The saved object ID of the pack. + type: string + shards: + $ref: '#/components/schemas/Security_Osquery_API_Shards' + type: + description: The saved object type. + type: string + updated_at: + format: date-time + type: string + updated_by: nullable: true - type: array - savedObjectId: type: string - version: + updated_by_profile_uid: type: string + version: + description: The pack version number. + type: integer required: - - savedObjectId - - version - Security_Timeline_API_TimelineStatus: - description: The status of the Timeline. 
- enum: - - active - - draft - - immutable - type: string - Security_Timeline_API_TimelineType: - description: The type of Timeline. - enum: - - default - - template - type: string - Short_URL_APIs_urlResponse: + - saved_object_id + - name + required: + - data + Security_Osquery_API_FindPacksResponse: + description: A paginated list of query packs. + example: + data: + - created_at: '2023-10-31T00:00:00Z' + created_by: elastic + created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + description: My pack description + enabled: true + name: My Pack + policy_ids: [] + queries: + - ecs_mapping: + - key: host.uptime + value: + field: total_seconds + id: uptime + interval: 3600 + query: select * from uptime; + read_only: false + saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + updated_at: '2023-10-31T00:00:00Z' + updated_by: elastic + updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + page: 1 + per_page: 10 + total: 1 type: object properties: - accessCount: + data: + description: An array of pack objects. + items: + type: object + properties: + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: >- + #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined + enabled: + $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + queries: + description: >- + Pack queries in saved-object storage format (array). Note: the + read endpoint returns object format. 
+ items: + type: object + properties: + ecs_mapping: + $ref: >- + #/components/schemas/Security_Osquery_API_ECSMappingArrayOrUndefined + id: + type: string + interval: + type: integer + platform: + type: string + query: + type: string + removed: + type: boolean + snapshot: + type: boolean + timeout: + type: integer + version: + type: string + type: array + read_only: + description: Whether the pack is read-only (true for prebuilt packs). + type: boolean + saved_object_id: + description: The saved object ID of the pack. + type: string + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + description: The pack version number. + type: integer + required: + - saved_object_id + - name + type: array + page: + description: The current page number. type: integer - accessDate: - type: string - createDate: - type: string - id: - description: The identifier for the short URL. - type: string - locator: + per_page: + description: The number of results per page. + type: integer + total: + description: The total number of packs. + type: integer + required: + - page + - per_page + - total + - data + Security_Osquery_API_FindSavedQueryDetailResponse: + description: The details of a single saved query. 
+ example: + data: + created_at: '2022-07-26T09:28:08.597Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: saved_query_id + interval: '60' + platform: linux,darwin + prebuilt: false + query: select * from uptime; + saved_object_id: 3c42c847-eb30-4452-80e0-728584042334 + updated_at: '2022-07-26T09:28:08.597Z' + updated_by: elastic + version: 2.8.0 + type: object + properties: + data: type: object properties: + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: >- + #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' id: - description: The identifier for the locator. + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + oneOf: + - type: integer + - type: string + platform: + $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + prebuilt: + type: boolean + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + saved_object_id: type: string - state: - description: The locator parameters. - type: object - version: - description: The version of Kibana when the short URL was created. + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + timeout: + type: integer + updated_at: + format: date-time type: string - slug: - description: | - A random human-readable slug is automatically generated if the `humanReadableSlug` parameter is set to `true`. If it is set to `false`, a random short string is generated. 
- type: string - SLOs_400_response: - title: Bad request - type: object - properties: - error: - example: Bad Request - type: string - message: - example: 'Invalid value ''foo'' supplied to: [...]' - type: string - statusCode: - example: 400 - type: number - required: - - statusCode - - error - - message - SLOs_401_response: - title: Unauthorized - type: object - properties: - error: - example: Unauthorized - type: string - message: - example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" - type: string - statusCode: - example: 401 - type: number - required: - - statusCode - - error - - message - SLOs_403_response: - title: Forbidden - type: object - properties: - error: - example: Forbidden - type: string - message: - example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [slo_write] is unauthorized for user [limited_user] for REST request [/api/observability/slos]]: action [slo_write] is unauthorized for user [limited_user]" - type: string - statusCode: - example: 403 - type: number - required: - - statusCode - - error - - message - SLOs_404_response: - title: Not found - type: object - properties: - error: - example: Not Found - type: string - message: - example: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - type: string - statusCode: - example: 404 - type: number + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + oneOf: + - type: integer + - type: string + required: + - saved_object_id + - id required: - - statusCode - - error - - message - SLOs_409_response: - title: Conflict + - data + Security_Osquery_API_FindSavedQueryResponse: + description: A paginated list of saved queries. 
+ example: + data: + - created_at: '2022-07-26T09:28:08.597Z' + created_by: elastic + created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: saved_query_id + interval: '60' + platform: linux,darwin + prebuilt: false + query: select * from uptime; + saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + updated_at: '2022-07-26T09:28:08.597Z' + updated_by: elastic + updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + version: 2.8.0 + page: 1 + per_page: 100 + total: 11 type: object properties: - error: - example: Conflict - type: string - message: - example: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists - type: string - statusCode: - example: 409 - type: number - required: - - statusCode - - error - - message - SLOs_artifacts: - description: Links to related assets for the SLO - properties: - dashboards: - description: Array of dashboard references + data: + description: An array of saved query objects. 
items: type: object properties: + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: >- + #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + ecs_mapping: + $ref: >- + #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined id: - description: Dashboard saved-object id + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + oneOf: + - type: integer + - type: string + platform: + $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + prebuilt: + type: boolean + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + saved_object_id: type: string - required: - - id - type: array - title: Artifacts - type: object - SLOs_budgeting_method: - description: The budgeting method to use when computing the rollup data. - enum: - - occurrences - - timeslices - example: occurrences - title: Budgeting method - type: string - SLOs_bulk_delete_request: - description: | - The bulk delete SLO request takes a list of SLOs Definition id to delete. - properties: - list: - description: An array of SLO Definition id - items: - description: The SLO Definition id - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + timeout: + type: integer + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + oneOf: + - type: integer + - type: string + required: + - saved_object_id + - id type: array + page: + description: The current page number. + type: integer + per_page: + description: The number of results per page. + type: integer + total: + description: The total number of saved queries. 
+ type: integer required: - - list - title: Bulk delete SLO request + - page + - per_page + - total + - data + Security_Osquery_API_GetLiveQueryResultsResponse: + description: The response for getting live query results. + example: + data: + edges: + - _id: doc1 + _source: {} + - _id: doc2 + _source: {} + total: 2 type: object - SLOs_bulk_delete_response: - description: | - The bulk delete SLO response returns a taskId that can be used to poll for its status properties: - taskId: - description: The taskId of the bulk delete operation - example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 - type: string - title: Bulk delete SLO response + data: + type: object + properties: + edges: + description: The result rows from the query execution. + items: + type: object + properties: + _id: + type: string + _source: + description: >- + The Elasticsearch document source containing query + results. + type: object + type: array + total: + description: The total number of result rows. + type: integer + Security_Osquery_API_GetScheduledActionResultsResponse: + example: + aggregations: + failed: 1 + pending: 0 + successful: 9 + totalResponded: 10 + totalRowCount: 42 + currentPage: 0 + edges: + - _id: result-001 + fields: + agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 + rows_count: 5 + status: success + metadata: + executionCount: 3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + timestamp: '2024-07-26T09:00:00.000Z' + pageSize: 20 + total: 10 + totalPages: 1 type: object - SLOs_bulk_delete_status_response: - description: Indicates if the bulk deletion is completed, with the detailed results of the operation. 
properties: - error: - description: The error message if the bulk deletion operation failed - example: Task not found - type: string - isDone: - description: Indicates if the bulk deletion operation is completed - example: true - type: boolean - results: - description: The results of the bulk deletion operation, including the success status and any errors for each SLO + aggregations: + $ref: >- + #/components/schemas/Security_Osquery_API_ScheduledActionResultsAggregations + currentPage: + description: The current page number (zero-based). + type: integer + edges: + description: The paginated list of per-agent action results. items: type: object - properties: - error: - description: The error message if the deletion operation failed for this SLO - example: SLO [d08506b7-f0e8-4f8b-a06a-a83940f4db91] not found - type: string - id: - description: The ID of the SLO that was deleted - example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 - type: string - success: - description: The result of the deletion operation for this SLO - example: true - type: boolean - type: array - title: The status of the bulk deletion - type: object - SLOs_bulk_purge_rollup_request: - description: | - The bulk purge rollup data request takes a list of SLO ids and a purge policy, then deletes the rollup data according to the purge policy. This API can be used to remove the staled data of an instance SLO that no longer get updated. - properties: - list: - description: An array of slo ids - items: - description: The SLO Definition id - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string type: array - purgePolicy: - description: Policy that dictates which SLI documents to purge based on age - oneOf: - - type: object - properties: - age: - description: The duration to determine which documents to purge, formatted as {duration}{unit}. This value should be greater than or equal to the time window of every SLO provided. 
- example: 7d - type: string - purgeType: - description: Specifies whether documents will be purged based on a specific age or on a timestamp - enum: - - fixed-age - type: string - - type: object - properties: - purgeType: - description: Specifies whether documents will be purged based on a specific age or on a timestamp - enum: - - fixed-time - type: string - timestamp: - description: The timestamp to determine which documents to purge, formatted in ISO. This value should be older than the applicable time window of every SLO provided. - example: '2024-12-31T00:00:00.000Z' - type: string + inspect: + description: Debug/inspection data for the search query. type: object - required: - - list - - purgePolicy - title: Bulk Purge Rollup data request + metadata: + $ref: '#/components/schemas/Security_Osquery_API_ScheduledExecutionMetadata' + pageSize: + description: The number of results per page. + type: integer + total: + description: The total number of action results. + type: integer + totalPages: + description: The total number of pages. + type: integer + Security_Osquery_API_GetScheduledQueryResultsResponse: + description: The response for getting scheduled query results. + example: + data: + edges: + - _id: row-001 + fields: + host.uptime: + - '12345' + - _id: row-002 + fields: + host.uptime: + - '67890' + total: 2 type: object - SLOs_bulk_purge_rollup_response: - description: | - The bulk purge rollup data response returns a task id from the elasticsearch deleteByQuery response. properties: - taskId: - description: The task id of the purge operation - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - title: Bulk Purge Rollup data response + data: + description: The query results data wrapper. + type: object + properties: + edges: + description: The paginated list of query result rows. + items: + type: object + type: array + inspect: + description: Debug/inspection data for the search query. 
+ type: object + total: + description: The total number of result rows. + type: integer + Security_Osquery_API_GetUnifiedHistoryResponse: + example: + data: + - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agentCount: 5 + errorCount: 0 + id: 3c42c847-eb30-4452-80e0-728584042334 + queryName: uptime_query + queryText: select * from uptime; + source: Live + sourceType: live + successCount: 5 + timestamp: '2024-07-26T09:59:32.220Z' + totalRows: 42 + userId: elastic + - agentCount: 10 + errorCount: 1 + executionCount: 3 + id: pack_my_pack_uptime_3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + plannedTime: '2024-07-26T09:00:00.000Z' + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + source: Scheduled + sourceType: scheduled + successCount: 9 + timestamp: '2024-07-26T09:00:00.000Z' + totalRows: 100 + hasMore: true + nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... type: object - SLOs_create_slo_request: - description: | - The create SLO API request body varies depending on the type of indicator, time window and budgeting method. properties: - artifacts: - $ref: '#/components/schemas/SLOs_artifacts' - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - description: - description: A description for the SLO. - type: string - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - id: - description: A optional and unique identifier for the SLO. 
Must be between 8 and 36 chars - example: my-super-slo-id - type: string - indicator: - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - name: - description: A name for the SLO. - type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags + data: + description: The list of unified history rows for the current page. items: - type: string + $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRow' type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - required: - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - title: Create SLO request - type: object - SLOs_create_slo_response: - title: Create SLO response - type: object - properties: - id: - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + hasMore: + description: Whether there are more results beyond the current page. + type: boolean + nextPage: + description: >- + A base64-encoded cursor to fetch the next page. Absent when there + are no more results. type: string required: - - id - SLOs_delete_slo_instances_request: - description: | - The delete SLO instances request takes a list of SLO id and instance id, then delete the rollup and summary data. This API can be used to remove the staled data of an instance SLO that no longer get updated. 
- properties: - list: - description: An array of slo id and instance id - items: - type: object - properties: - instanceId: - description: The SLO instance identifier - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + - data + - hasMore + Security_Osquery_API_Interval: + description: An interval, in seconds, on which to run the query. + example: '60' + type: string + Security_Osquery_API_IntervalOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Interval' + nullable: true + Security_Osquery_API_KueryOrUndefined: + description: The kuery to filter the results by. + example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13' + nullable: true + type: string + Security_Osquery_API_LiveHistoryRow: + allOf: + - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' + - type: object + properties: + actionId: + description: The Fleet action ID for the live query. + type: string + agentAll: + description: Whether the query targeted all agents. + type: boolean + agentIds: + description: List of targeted agent IDs. + items: type: string - sloId: - description: The SLO unique identifier - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: array + agentPlatforms: + description: List of targeted agent platforms. + items: type: string - required: - - sloId - - instanceId - type: array - required: - - list - title: Delete SLO instances request + type: array + agentPolicyIds: + description: List of targeted agent policy IDs. + items: + type: string + type: array + ecsMapping: + additionalProperties: true + description: ECS mapping configuration used for the query. + type: object + queriesTotal: + description: The total number of sub-queries in the live action. + type: integer + queriesWithResults: + description: The number of sub-queries that returned results. + type: integer + savedQueryId: + description: >- + The saved query ID, if the live query was based on a saved + query. 
+ type: string + source: + description: >- + Whether this was a manually run live query or triggered by a + rule. + enum: + - Live + - Rule + type: string + sourceType: + description: Identifies this as a live query history row. + enum: + - live + type: string + timeout: + description: The query timeout in seconds. + type: integer + userId: + description: The ID of the user who ran the query. + type: string + userProfileUid: + description: The user profile UID of the user who ran the query. + type: string + required: + - sourceType + - source + Security_Osquery_API_ObjectQueries: + additionalProperties: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem' + description: An object of queries. type: object - SLOs_error_budget: - title: Error budget + Security_Osquery_API_ObjectQueriesItem: type: object properties: - consumed: - description: The error budget consummed, as a percentage of the initial value. - example: 0.8 - type: number - initial: - description: The initial error budget, as 1 - objective - example: 0.02 - type: number - isEstimated: - description: Only for SLO defined with occurrences budgeting method and calendar aligned time window. - example: true - type: boolean - remaining: - description: The error budget remaining, as a percentage of the initial value. 
- example: 0.2 - type: number - required: - - initial - - consumed - - remaining - - isEstimated - SLOs_filter: - description: Defines properties for a filter - properties: - meta: - $ref: '#/components/schemas/SLOs_filter_meta' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + id: + $ref: '#/components/schemas/Security_Osquery_API_QueryId' + platform: + $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' query: - type: object - title: Filter + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + saved_query_id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + version: + $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' + Security_Osquery_API_PackDescription: + description: The pack description. + example: Pack description + type: string + Security_Osquery_API_PackDescriptionOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + nullable: true + Security_Osquery_API_PackId: + description: The ID of the pack. + example: 3c42c847-eb30-4452-80e0-728584042334 + type: string + Security_Osquery_API_PackIdOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + nullable: true + Security_Osquery_API_PackName: + description: The pack name. + example: my_pack + type: string + Security_Osquery_API_PageOrUndefined: + description: The page number to return. The default is 1. + example: 1 + nullable: true + type: integer + Security_Osquery_API_PageSizeOrUndefined: + description: The number of results to return per page. The default is 20. + example: 20 + nullable: true + type: integer + Security_Osquery_API_Platform: + description: >- + Restricts the query to a specified platform. The default is all + platforms. To specify multiple platforms, use commas. 
For example, + `linux,darwin`. + example: linux,darwin + type: string + Security_Osquery_API_PlatformOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + nullable: true + Security_Osquery_API_PolicyIds: + description: A list of agents policy IDs. + example: + - policyId1 + - policyId2 + items: + type: string + type: array + Security_Osquery_API_PolicyIdsOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + nullable: true + Security_Osquery_API_Query: + description: The SQL query you want to run. + example: select * from uptime; + type: string + Security_Osquery_API_QueryId: + description: The ID of the query. + example: 3c42c847-eb30-4452-80e0-728584042334 + type: string + Security_Osquery_API_QueryOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Query' + nullable: true + Security_Osquery_API_Removed: + description: Indicates whether the query is removed. + example: false + type: boolean + Security_Osquery_API_RemovedOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + nullable: true + Security_Osquery_API_SavedQueryDescription: + description: The saved query description. + example: Saved query description + type: string + Security_Osquery_API_SavedQueryDescriptionOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + nullable: true + Security_Osquery_API_SavedQueryId: + description: The ID of a saved query. + example: 3c42c847-eb30-4452-80e0-728584042334 + type: string + Security_Osquery_API_SavedQueryIdOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + nullable: true + Security_Osquery_API_ScheduledActionResultsAggregations: + type: object + properties: + failed: + description: The number of agents that returned errors. + type: integer + pending: + description: The number of agents with pending responses. + type: integer + successful: + description: The number of agents that completed successfully. 
+ type: integer + totalResponded: + description: The total number of agents that responded. + type: integer + totalRowCount: + description: The total number of result rows across all agents. + type: integer + Security_Osquery_API_ScheduledExecutionMetadata: + description: Execution metadata resolved from the pack saved object. type: object - SLOs_filter_meta: - description: Defines properties for a filter properties: - alias: - nullable: true - type: string - controlledBy: - type: string - disabled: - type: boolean - field: + executionCount: + description: The execution count for this scheduled query run. + type: integer + packId: + description: The ID of the pack containing the query. type: string - group: + packName: + description: The name of the pack containing the query. type: string - index: + queryName: + description: The name of the query within the pack. type: string - isMultiIndex: - type: boolean - key: + queryText: + description: The SQL query that was executed. type: string - negate: - type: boolean - params: - type: object - type: + scheduleId: + description: The schedule ID for the scheduled query. type: string - value: + timestamp: + description: The timestamp of the most recent response for this execution. type: string - title: FilterMeta - type: object - SLOs_find_slo_definitions_response: - description: | - A paginated response of SLO definitions matching the query. 
- oneOf: - - type: object - properties: - page: - example: 1 - type: number - perPage: - example: 25 - type: number - results: - items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - type: array - total: - example: 34 - type: number + Security_Osquery_API_ScheduledHistoryRow: + allOf: + - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' - type: object properties: - page: - default: 1 - description: for backward compability - type: number - perPage: - description: for backward compability - example: 25 - type: number - results: - items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - type: array - searchAfter: - description: the cursor to provide to get the next paged results - example: - - some-slo-id - - other-cursor-id - items: - type: string - type: array - size: - example: 25 - type: number - total: - example: 34 - type: number - title: Find SLO definitions response - type: object - SLOs_find_slo_response: - description: | - A paginated response of SLOs matching the query. - properties: - page: - example: 1 - type: number - perPage: - example: 25 - type: number - results: - items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - type: array - searchAfter: - type: string - size: - description: Size provided for cursor based pagination - example: 25 - type: number - total: - example: 34 - type: number - title: Find SLO response - type: object - SLOs_group_by: - description: optional group by field or fields to use to generate an SLO per distinct value - example: - - - service.name - - service.name - - - service.name - - service.environment - oneOf: - - type: string - - items: - type: string - type: array - title: Group by - SLOs_indicator_properties_apm_availability: - description: Defines properties for the APM availability indicator type - type: object - properties: - params: - description: An object containing the indicator parameters. 
- nullable: false - type: object - properties: - environment: - description: The APM service environment or "*" - example: production - type: string - filter: - description: KQL query used for filtering the data - example: 'service.foo : "bar"' - type: string - index: - description: The index used by APM metrics - example: metrics-apm*,apm* + executionCount: + description: The execution count for this scheduled query run. + type: integer + plannedTime: + description: The planned execution time for the scheduled query. type: string - service: - description: The APM service name - example: o11y-app + scheduleId: + description: The schedule ID for the scheduled query. type: string - transactionName: - description: The APM transaction name or "*" - example: GET /my/api + source: + description: Indicates this is a scheduled query execution. + enum: + - Scheduled type: string - transactionType: - description: The APM transaction type or "*" - example: request + sourceType: + description: Identifies this as a scheduled query history row. + enum: + - scheduled type: string required: - - service - - environment - - transactionType - - transactionName - - index - type: - description: The type of indicator. - example: sli.apm.transactionDuration - type: string - required: - - type - - params - title: APM availability - SLOs_indicator_properties_apm_latency: - description: Defines properties for the APM latency indicator type + - sourceType + - source + Security_Osquery_API_Shards: + additionalProperties: + type: number + description: >- + An object with shard configuration for policies included in the pack. + For each policy, set the shard configuration to a percentage (1–100) of + target hosts. + example: + policy_id: 50 type: object - properties: - params: - description: An object containing the indicator parameters. 
- nullable: false - type: object - properties: - environment: - description: The APM service environment or "*" - example: production - type: string - filter: - description: KQL query used for filtering the data - example: 'service.foo : "bar"' - type: string - index: - description: The index used by APM metrics - example: metrics-apm*,apm* - type: string - service: - description: The APM service name - example: o11y-app - type: string - threshold: - description: The latency threshold in milliseconds - example: 250 - type: number - transactionName: - description: The APM transaction name or "*" - example: GET /my/api - type: string - transactionType: - description: The APM transaction type or "*" - example: request - type: string - required: - - service - - environment - - transactionType - - transactionName - - index - - threshold - type: - description: The type of indicator. - example: sli.apm.transactionDuration - type: string - required: - - type - - params - title: APM latency - SLOs_indicator_properties_custom_kql: - description: Defines properties for a custom query indicator type + Security_Osquery_API_Snapshot: + description: Indicates whether the query is a snapshot. + example: true + type: boolean + Security_Osquery_API_SnapshotOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + nullable: true + Security_Osquery_API_SortOrderOrUndefined: + description: Specifies the sort order. + enum: + - asc + - desc + example: desc + type: string + Security_Osquery_API_SortOrUndefined: + default: createdAt + description: The field that is used to sort the results. 
+ example: createdAt + nullable: true + type: string + Security_Osquery_API_UnifiedHistoryRow: + discriminator: + mapping: + live: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' + scheduled: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' + propertyName: sourceType + oneOf: + - $ref: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' + - $ref: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' + Security_Osquery_API_UnifiedHistoryRowBase: type: object properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - dataViewId: - description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - $ref: '#/components/schemas/SLOs_kql_with_filters' - good: - $ref: '#/components/schemas/SLOs_kql_with_filters_good' - index: - description: The index or index pattern to use - example: my-service-* - type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - total: - $ref: '#/components/schemas/SLOs_kql_with_filters_total' - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.kql.custom + agentCount: + description: The number of agents targeted by the query. + type: integer + errorCount: + description: The number of agent responses with errors. + nullable: true + type: integer + id: + description: Unique identifier for the history row. 
type: string - required: - - type - - params - title: Custom Query - SLOs_indicator_properties_custom_metric: - description: Defines properties for a custom metric indicator type - type: object - properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - dataViewId: - description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - good: - description: | - An object defining the "good" metrics and equation - type: object - properties: - equation: - description: The equation to calculate the "good" metric. - example: A - type: string - metrics: - description: List of metrics with their name, aggregation type, and field. - items: - oneOf: - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - sum - example: sum - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - - field - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - doc_count - example: doc_count - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. 
Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - type: array - required: - - metrics - - equation - index: - description: The index or index pattern to use - example: my-service-* - type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - total: - description: | - An object defining the "total" metrics and equation - type: object - properties: - equation: - description: The equation to calculate the "total" metric. - example: A - type: string - metrics: - description: List of metrics with their name, aggregation type, and field. - items: - oneOf: - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - sum - example: sum - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - - field - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - doc_count - example: doc_count - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - type: array - required: - - metrics - - equation - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.metric.custom + packId: + description: The ID of the pack containing the query. + type: string + packName: + description: The name of the pack containing the query. 
+ type: string + queryName: + description: The name of the query, if available. + type: string + queryText: + description: The SQL query that was executed. + type: string + spaceId: + description: The Kibana space ID where the query was executed. + type: string + successCount: + description: The number of successful agent responses. + nullable: true + type: integer + timestamp: + description: The timestamp of the query execution. type: string + totalRows: + description: The total number of result rows returned across all agents. + nullable: true + type: integer required: - - type - - params - title: Custom metric - SLOs_indicator_properties_histogram: - description: Defines properties for a histogram indicator type + - id + - timestamp + - queryText + - agentCount + Security_Osquery_API_UpdatePacksRequestBody: + example: + name: updated_my_pack_name type: object properties: - params: - description: An object containing the indicator parameters. - nullable: false + description: + $ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' + shards: + $ref: '#/components/schemas/Security_Osquery_API_Shards' + Security_Osquery_API_UpdatePacksResponse: + description: The response for updating a pack. 
+ example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: true + name: updated_my_pack_name + policy_ids: + - my_policy_id + queries: + ports: + ecs_mapping: + client.port: + field: port + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: + 47638692-7c4c-4053-aa3e-7186f28df349: 35 + 5e267651-fe50-443e-8d3f-3bbc9171b618: 58 + updated_at: '2025-02-26T13:40:16.297Z' + updated_by: elastic + version: 1 + type: object + properties: + data: type: object properties: - dataViewId: - description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 + created_at: + format: date-time type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' + created_by: + nullable: true type: string - good: - description: | - An object defining the "good" events - type: object - properties: - aggregation: - description: The type of aggregation to use. - enum: - - value_count - - range - example: value_count - type: string - field: - description: The field use to aggregate the good events. - example: processor.latency - type: string - filter: - description: The filter for good events. - example: 'processor.outcome: "success"' - type: string - from: - description: The starting value of the range. Only required for "range" aggregations. - example: 0 - type: number - to: - description: The ending value of the range. Only required for "range" aggregations. 
- example: 100 - type: number - required: - - aggregation - - field - index: - description: The index or index pattern to use - example: my-service-* + created_by_profile_uid: type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp + description: + $ref: >- + #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined + enabled: + $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' + saved_object_id: + description: The saved object ID of the pack. type: string - total: - description: | - An object defining the "total" events - type: object - properties: - aggregation: - description: The type of aggregation to use. - enum: - - value_count - - range - example: value_count - type: string - field: - description: The field use to aggregate the good events. - example: processor.latency - type: string - filter: - description: The filter for total events. - example: 'processor.outcome : *' - type: string - from: - description: The starting value of the range. Only required for "range" aggregations. - example: 0 - type: number - to: - description: The ending value of the range. Only required for "range" aggregations. - example: 100 - type: number - required: - - aggregation - - field - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. 
- example: sli.histogram.custom - type: string - required: - - type - - params - title: Histogram indicator - SLOs_indicator_properties_timeslice_metric: - description: Defines properties for a timeslice metric indicator type + shards: + $ref: '#/components/schemas/Security_Osquery_API_Shards' + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + description: The pack version number. + type: integer + Security_Osquery_API_UpdateSavedQueryRequestBody: + example: + id: updated_my_saved_query_name type: object properties: - params: - description: An object containing the indicator parameters. - nullable: false + description: + $ref: >- + #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + $ref: '#/components/schemas/Security_Osquery_API_IntervalOrUndefined' + platform: + $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + query: + $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' + removed: + $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + version: + $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' + Security_Osquery_API_UpdateSavedQueryResponse: + description: The response for updating a saved query. 
+ example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + id: updated_my_saved_query_name + interval: '60' + query: select * from uptime; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + updated_at: '2025-02-26T13:40:16.297Z' + updated_by: elastic + version: WzQzMTcsMV0= + type: object + properties: + data: type: object properties: - dataViewId: - description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 + created_at: + format: date-time type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' + created_by: + nullable: true type: string - index: - description: The index or index pattern to use - example: my-service-* + created_by_profile_uid: type: string - metric: - description: | - An object defining the metrics, equation, and threshold to determine if it's a good slice or not - type: object - properties: - comparator: - description: The comparator to use to compare the equation to the threshold. - enum: - - GT - - GTE - - LT - - LTE - example: GT - type: string - equation: - description: The equation to calculate the metric. - example: A - type: string - metrics: - description: List of metrics with their name, aggregation type, and field. 
- items: - anyOf: - - $ref: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' - - $ref: '#/components/schemas/SLOs_timeslice_metric_percentile_metric' - - $ref: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric' - discriminator: - mapping: - avg: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' - cardinality: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' - doc_count: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric' - last_value: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' - max: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' - min: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' - percentile: '#/components/schemas/SLOs_timeslice_metric_percentile_metric' - std_deviation: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' - sum: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' - propertyName: aggregation - type: array - threshold: - description: The threshold used to determine if the metric is a good slice or not. - example: 100 - type: number - required: - - metrics - - equation - - comparator - - threshold - timestampField: - description: | - The timestamp field used in the source indice. 
- example: timestamp + description: + $ref: >- + #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + oneOf: + - type: integer + - type: string + platform: + $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + prebuilt: + type: boolean + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + saved_object_id: + type: string + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + timeout: + type: integer + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + description: The saved query version. type: string required: - - index - - timestampField - - metric - type: - description: The type of indicator. - example: sli.metric.timeslice - type: string + - saved_object_id + - id required: - - type - - params - title: Timeslice metric - SLOs_kql_with_filters: - description: Defines properties for a filter - oneOf: - - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string + - data + Security_Osquery_API_Version: + description: >- + Uses the Osquery versions greater than or equal to the specified version + string. + example: 1.0.0 + type: string + Security_Osquery_API_VersionOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Version' + nullable: true + Security_Timeline_API_AssociatedFilterType: + description: > + How the note is associated with a Timeline saved object and/or an event + (`eventId`). `all`: no association-based restriction from this + parameter. 
`document_only`: document-linked notes (non-empty `eventId`) + without timeline association in the API's internal sense; post-filtering + drops notes without a usable `eventId`. `saved_object_only`: timeline + notes with no linked event (`eventId` empty or absent); post-filtering + keeps timeline-only notes. `document_and_saved_object`: notes on a + timeline and linked to an event; post-filtering enforces a real + `eventId`. `orphan`: not on a timeline and `eventId` is empty (stricter + than missing `eventId` in some cases). + enum: + - all + - document_only + - saved_object_only + - document_and_saved_object + - orphan + type: string + Security_Timeline_API_BareNote: + allOf: + - $ref: >- + #/components/schemas/Security_Timeline_API_NoteCreatedAndUpdatedMetadata - type: object properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: + eventId: + description: > + Elasticsearch document `_id` for the event or alert this note + refers to. Same value as the `documentIds` query parameter when + fetching notes via GET /api/note. + example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + nullable: true type: string - title: KQL with filters - SLOs_kql_with_filters_good: - description: The KQL query used to define the good events. - oneOf: - - description: the KQL query to filter the documents with. - example: 'request.latency <= 150 and request.status_code : "2xx"' - type: string - - type: object - properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: + note: + description: The text of the note + example: This is an example text + nullable: true type: string - title: KQL query for good events - SLOs_kql_with_filters_total: - description: The KQL query used to define all events. - oneOf: - - description: the KQL query to filter the documents with. 
- example: 'field.environment : "production" and service.name : "my-service"' - type: string + timelineId: + description: >- + The `savedObjectId` of the Timeline this note belongs to (not + the note's own ID). + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + type: string + required: + - timelineId + Security_Timeline_API_BarePinnedEvent: + allOf: + - $ref: >- + #/components/schemas/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata - type: object properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: + eventId: + description: The `_id` of the associated event for this pinned event. + example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc type: string - title: KQL query for all events - SLOs_objective: - description: Defines properties for the SLO objective + timelineId: + description: >- + The `savedObjectId` of the timeline that this pinned event is + associated with + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + type: string + required: + - eventId + - timelineId + Security_Timeline_API_ColumnHeaderResult: type: object properties: - target: - description: the target objective between 0 and 1 excluded - example: 0.99 - exclusiveMaximum: true - exclusiveMinimum: true - maximum: 100 - minimum: 0 - type: number - timesliceTarget: - description: the target objective for each slice when using a timeslices budgeting method - example: 0.995 - maximum: 100 - minimum: 0 - type: number - timesliceWindow: - description: the duration of each slice when using a timeslices budgeting method, as {duraton}{unit} - example: 5m - type: string - required: - - target - title: Objective - SLOs_settings: - description: Defines properties for SLO settings. - properties: - frequency: - default: 1m - description: The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute. 
- example: 5m - type: string - preventInitialBackfill: - default: false - description: Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window. - example: true + aggregatable: + nullable: true type: boolean - syncDelay: - default: 1m - description: The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater then source index refresh interval. - example: 5m - type: string - syncField: - description: The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, we use the indicator timestamp field. - example: event.ingested + category: + nullable: true type: string - title: Settings - type: object - SLOs_slo_definition_response: - title: SLO definition response - type: object - properties: - artifacts: - $ref: '#/components/schemas/SLOs_artifacts' - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - createdAt: - description: The creation date - example: '2023-01-12T10:03:19.000Z' + columnHeaderType: + nullable: true type: string description: - description: The description of the SLO. - example: My SLO description + nullable: true type: string - enabled: - description: Indicate if the SLO is enabled - example: true - type: boolean - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - id: - description: The identifier of the SLO. 
- example: 8853df00-ae2e-11ed-90af-09bb6422b258 + example: + nullable: true type: string - indicator: - discriminator: - mapping: - sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' - sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' - sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' - sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' - sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' - sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - propertyName: type - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - name: - description: The name of the SLO. 
- example: My Service SLO + id: + nullable: true type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - revision: - description: The SLO revision - example: 2 - type: number - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags + indexes: items: type: string + nullable: true type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - updatedAt: - description: The last update date - example: '2023-01-12T10:03:19.000Z' + name: + nullable: true type: string - version: - description: The internal SLO version - example: 2 - type: number - required: - - id - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - - settings - - revision - - enabled - - groupBy - - tags - - createdAt - - updatedAt - - version - SLOs_slo_with_summary_response: - title: SLO response - type: object - properties: - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - createdAt: - description: The creation date - example: '2023-01-12T10:03:19.000Z' + placeholder: + nullable: true type: string - description: - description: The description of the SLO. - example: My SLO description + searchable: + nullable: true + type: boolean + type: + nullable: true type: string + Security_Timeline_API_DataProviderQueryMatch: + type: object + properties: enabled: - description: Indicate if the SLO is enabled - example: true + nullable: true + type: boolean + excluded: + nullable: true type: boolean - groupBy: - $ref: '#/components/schemas/SLOs_group_by' id: - description: The identifier of the SLO. 
- example: 8853df00-ae2e-11ed-90af-09bb6422b258 + nullable: true type: string - indicator: - discriminator: - mapping: - sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' - sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' - sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' - sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' - sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' - sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - propertyName: type - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - instanceId: - description: the value derived from the groupBy field, if present, otherwise '*' - example: host-abcde + kqlQuery: + nullable: true type: string name: - description: The name of the SLO. 
- example: My Service SLO + nullable: true type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - revision: - description: The SLO revision - example: 2 - type: number - settings: - $ref: '#/components/schemas/SLOs_settings' - summary: - $ref: '#/components/schemas/SLOs_summary' - tags: - description: List of tags + queryMatch: + $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' + nullable: true + type: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' + nullable: true + Security_Timeline_API_DataProviderResult: + type: object + properties: + and: items: - type: string + $ref: '#/components/schemas/Security_Timeline_API_DataProviderQueryMatch' + nullable: true type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - updatedAt: - description: The last update date - example: '2023-01-12T10:03:19.000Z' + enabled: + nullable: true + type: boolean + excluded: + nullable: true + type: boolean + id: + nullable: true type: string - version: - description: The internal SLO version - example: 2 - type: number - required: - - id - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - - settings - - revision - - summary - - enabled - - groupBy - - instanceId - - tags - - createdAt - - updatedAt - - version - SLOs_summary: - description: The SLO computed data - properties: - errorBudget: - $ref: '#/components/schemas/SLOs_error_budget' - sliValue: - example: 0.9836 - type: number - status: - $ref: '#/components/schemas/SLOs_summary_status' - required: - - status - - sliValue - - errorBudget - title: Summary - type: object - SLOs_summary_status: + kqlQuery: + nullable: true + type: string + name: + nullable: true + type: string + queryMatch: + $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' + nullable: true + type: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' + nullable: true + Security_Timeline_API_DataProviderType: + 
description: The type of data provider. enum: - - NO_DATA - - HEALTHY - - DEGRADING - - VIOLATED - example: HEALTHY - title: summary status + - default + - template type: string - SLOs_time_window: - description: Defines properties for the SLO time window + Security_Timeline_API_DocumentIds: + description: One document ID or an array of IDs (Elasticsearch `_id` of the event). + oneOf: + - items: + type: string + type: array + - type: string + Security_Timeline_API_FavoriteTimelineResponse: type: object properties: - duration: - description: 'the duration formatted as {duration}{unit}. Accepted values for rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w (weekly) or 1M (monthly)' - example: 30d + favorite: + items: + $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' + type: array + savedObjectId: type: string - type: - description: Indicates weither the time window is a rolling or a calendar aligned time window. - enum: - - rolling - - calendarAligned - example: rolling + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + version: type: string required: - - duration - - type - title: Time window - SLOs_timeslice_metric_basic_metric_with_field: + - savedObjectId + - version + Security_Timeline_API_FavoriteTimelineResult: + description: Indicates when and who marked a Timeline as a favorite. + example: + favoriteDate: 1741337636741 + userName: elastic type: object properties: - aggregation: - description: The aggregation type of the metric. - enum: - - sum - - avg - - min - - max - - std_deviation - - last_value - - cardinality - example: sum - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. 
- example: 'processor.outcome: "success"' + favoriteDate: + nullable: true + type: number + fullName: + nullable: true type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ + userName: + nullable: true type: string - required: - - name - - aggregation - - field - title: Timeslice Metric Basic Metric with Field - SLOs_timeslice_metric_doc_count_metric: + Security_Timeline_API_FilterTimelineResult: + example: + meta: + alias: Custom filter name + disabled: false + index: .alerts-security.alerts-default,logs-* + key: '@timestamp' + negate: false, + type: exists + value: exists + query: '{"exists":{"field":"@timestamp"}}' type: object properties: - aggregation: - description: The aggregation type of the metric. Only valid option is "doc_count" - enum: - - doc_count - example: doc_count - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' + exists: + nullable: true type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ + match_all: + nullable: true type: string - required: - - name - - aggregation - title: Timeslice Metric Doc Count Metric - SLOs_timeslice_metric_percentile_metric: - type: object - properties: - aggregation: - description: The aggregation type of the metric. 
Only valid option is "percentile" - enum: - - percentile - example: percentile + meta: + nullable: true + type: object + properties: + alias: + nullable: true + type: string + controlledBy: + nullable: true + type: string + disabled: + nullable: true + type: boolean + field: + nullable: true + type: string + formattedValue: + nullable: true + type: string + index: + nullable: true + type: string + key: + nullable: true + type: string + negate: + nullable: true + type: boolean + params: + nullable: true + type: string + type: + nullable: true + type: string + value: + nullable: true + type: string + missing: + nullable: true type: string - field: - description: The field of the metric. - example: processor.processed + query: + nullable: true type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' + range: + nullable: true type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ + script: + nullable: true type: string - percentile: - description: The percentile value. - example: 95 + Security_Timeline_API_GetNotesResult: + type: object + properties: + notes: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + type: array + totalCount: + description: >- + Number of notes returned (may be adjusted after the query when + `associatedFilter` applies post-filtering). type: number required: - - name - - aggregation - - field - - percentile - title: Timeslice Metric Percentile Metric - SLOs_update_slo_request: - description: | - The update SLO API request body varies depending on the type of indicator, time window and budgeting method. Partial update is handled. 
+ - totalCount + - notes + Security_Timeline_API_ImportTimelineResult: + type: object properties: - artifacts: - $ref: '#/components/schemas/SLOs_artifacts' - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - description: - description: A description for the SLO. - type: string - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - indicator: - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - name: - description: A name for the SLO. - type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags + errors: + description: The list of failed Timeline imports items: - type: string + type: object + properties: + error: + description: >- + The error containing the reason why the timeline could not be + imported + type: object + properties: + message: + description: The reason why the timeline could not be imported + example: Malformed JSON + type: string + status_code: + description: The HTTP status code of the error + example: 400 + type: number + id: + description: The ID of the timeline that failed to import + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + type: string type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - title: Update SLO request - type: object - Synthetics_browserMonitorFields: + success: + description: Indicates whether any of the Timelines were successfully imports + type: boolean + success_count: + description: The amount of successfully imported/updated Timelines + example: 99 + type: number + 
timelines_installed: + description: The amount of successfully installed Timelines + example: 80 + type: number + timelines_updated: + description: The amount of successfully updated Timelines + example: 19 + type: number + Security_Timeline_API_ImportTimelines: allOf: - - $ref: '#/components/schemas/Synthetics_commonMonitorFields' - - additionalProperties: true - type: object + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object properties: - ignore_https_errors: - default: false - description: Ignore HTTPS errors. - type: boolean - inline_script: - description: The inline script. - type: string - playwright_options: - description: Playwright options. - type: object - screenshots: - default: 'on' - description: The screenshot option. - enum: - - 'on' - - 'off' - - only-on-failure - type: string - synthetics_args: - description: Synthetics agent CLI arguments. + eventNotes: + items: + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + nullable: true + type: array + globalNotes: + items: + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + nullable: true + type: array + pinnedEventIds: items: type: string + nullable: true type: array - type: - description: The monitor type. - enum: - - browser + savedObjectId: + nullable: true + type: string + version: + nullable: true + type: string + required: + - savedObjectId + - version + - pinnedEventIds + - eventNotes + - globalNotes + Security_Timeline_API_Note: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_BareNote' + - type: object + properties: + noteId: + description: The `savedObjectId` of the note + example: 709f99c6-89b6-4953-9160-35945c8e174e + type: string + version: + description: The version of the note + example: WzQ2LDFd + type: string + required: + - noteId + - version + Security_Timeline_API_NoteCreatedAndUpdatedMetadata: + type: object + properties: + created: + description: The time the note was created, using a 13-digit Epoch timestamp. 
+ example: 1587468588922 + nullable: true + type: number + createdBy: + description: The user who created the note. + example: casetester + nullable: true + type: string + updated: + description: The last time the note was updated, using a 13-digit Epoch timestamp + example: 1741344876825 + nullable: true + type: number + updatedBy: + description: The user who last updated the note + example: casetester + nullable: true + type: string + Security_Timeline_API_PersistPinnedEventResponse: + oneOf: + - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + - type: object + properties: + unpinned: + description: Indicates whether the event was successfully unpinned + type: boolean + required: + - unpinned + Security_Timeline_API_PersistTimelineResponse: + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + Security_Timeline_API_PinnedEvent: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_BarePinnedEvent' + - type: object + properties: + pinnedEventId: + description: The `savedObjectId` of this pinned event + example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + type: string + version: + description: The version of this pinned event + example: WzQ2LDFe type: string required: - - inline_script - - type - title: Browser monitor fields - Synthetics_commonMonitorFields: - title: Common monitor fields + - pinnedEventId + - version + Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata: type: object properties: - alert: - description: | - The alert configuration. The default is `{ status: { enabled: true }, tls: { enabled: true } }`. - type: object - enabled: - default: true - description: Specify whether the monitor is enabled. - type: boolean - labels: - additionalProperties: - type: string - description: | - Key-value pairs of labels to associate with the monitor. Labels can be used for filtering and grouping monitors. - type: object - locations: - description: | - The location to deploy the monitor. 
- Monitors can be deployed in multiple locations so that you can detect differences in availability and response times across those locations. - To list available locations you can: - - - Run the `elastic-synthetics locations` command with the deployment's Kibana URL. - - Go to *Synthetics > Management* and click *Create monitor*. Locations will be listed in *Locations*. - externalDocs: - url: https://github.com/elastic/synthetics/blob/main/src/locations/public-locations.ts - items: - type: string - type: array - name: - description: The monitor name. - type: string - namespace: - default: default - description: | - The namespace field should be lowercase and not contain spaces. The namespace must not include any of the following characters: `*`, `\`, `/`, `?`, `"`, `<`, `>`, `|`, whitespace, `,`, `#`, `:`, or `-`. - type: string - params: - description: The monitor parameters. - type: string - private_locations: - description: | - The private locations to which the monitors will be deployed. - These private locations refer to locations hosted and managed by you, whereas `locations` are hosted by Elastic. - You can specify a private location using the location's name. - To list available private locations you can: - - - Run the `elastic-synthetics locations` command with the deployment's Kibana URL. - - Go to *Synthetics > Settings* and click *Private locationsr*. Private locations will be listed in the table. - - > info - > You can provide `locations` or `private_locations` or both. At least one is required. - items: - type: string - type: array - retest_on_failure: - default: true - description: | - Turn retesting for when a monitor fails on or off. By default, monitors are automatically retested if the monitor goes from "up" to "down". If the result of the retest is also "down", an error will be created and if configured, an alert sent. The monitor will then resume running according to the defined schedule. 
Using `retest_on_failure` can reduce noise related to transient problems. - type: boolean - schedule: - description: | - The monitor's schedule in minutes. Supported values are `1`, `3`, `5`, `10`, `15`, `30`, `60`, `120`, and `240`. The default value is `3` minutes for HTTP, TCP, and ICMP monitors. The default value is `10` minutes for Browser monitors. + created: + description: >- + The time the pinned event was created, using a 13-digit Epoch + timestamp. + example: 1587468588922 + nullable: true type: number - service.name: - description: The APM service name. + createdBy: + description: The user who created the pinned event. + example: casetester + nullable: true type: string - tags: - description: An array of tags. - items: - type: string - type: array - timeout: - default: 16 - description: | - The monitor timeout in seconds. The monitor will fail if it doesn't complete within this time. - - For browser monitors, the minimum timeout is 30 seconds. Browser monitor timeouts are only applied when the monitor runs on private locations. If a browser monitor specifies a timeout but has no private locations configured, the timeout will have no effect and a warning will be returned in the response. + updated: + description: >- + The last time the pinned event was updated, using a 13-digit Epoch + timestamp + example: 1741344876825 + nullable: true type: number - required: - - name - Synthetics_getParameterResponse: - title: Get parameter response + updatedBy: + description: The user who last updated the pinned event + example: casetester + nullable: true + type: string + Security_Timeline_API_QueryMatchResult: type: object properties: - description: - description: | - The description of the parameter. It is included in the response if the user has read-only permissions to the Synthetics app. + displayField: + nullable: true type: string - id: - description: The unique identifier of the parameter. 
+ displayValue: + nullable: true type: string - key: - description: The key of the parameter. + field: + nullable: true type: string - namespaces: - description: | - The namespaces associated with the parameter. It is included in the response if the user has read-only permissions to the Synthetics app. - items: + operator: + nullable: true + type: string + value: + oneOf: + - nullable: true + type: string + - items: + type: string + nullable: true + type: array + Security_Timeline_API_ResolvedTimeline: + type: object + properties: + alias_purpose: + $ref: >- + #/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose + alias_target_id: + type: string + outcome: + $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome' + timeline: + $ref: >- + #/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject + required: + - timeline + - outcome + Security_Timeline_API_ResponseNote: + type: object + properties: + note: + $ref: '#/components/schemas/Security_Timeline_API_Note' + required: + - note + Security_Timeline_API_RowRendererId: + description: Identifies the available row renderers + enum: + - alert + - alerts + - auditd + - auditd_file + - library + - netflow + - plain + - registry + - suricata + - system + - system_dns + - system_endgame_process + - system_file + - system_fim + - system_security_event + - system_socket + - threat_match + - zeek + type: string + Security_Timeline_API_SavedObjectIds: + description: One Timeline saved object ID or an array of IDs. + oneOf: + - items: type: string type: array - tags: - description: | - An array of tags associated with the parameter. It is included in the response if the user has read-only permissions to the Synthetics app. 
+ - type: string + Security_Timeline_API_SavedObjectResolveAliasPurpose: + enum: + - savedObjectConversion + - savedObjectImport + type: string + Security_Timeline_API_SavedObjectResolveOutcome: + enum: + - exactMatch + - aliasMatch + - conflict + type: string + Security_Timeline_API_SavedTimeline: + type: object + properties: + columns: + description: The Timeline's columns + example: + - columnHeaderType: not-filtered + id: '@timestamp' + - columnHeaderType: not-filtered + id: event.category items: - type: string + $ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult' + nullable: true type: array - value: - description: | - The value associated with the parameter. It will be included in the response if the user has write permissions. + created: + description: The time the Timeline was created, using a 13-digit Epoch timestamp. + example: 1587468588922 + nullable: true + type: number + createdBy: + description: The user who created the Timeline. + example: casetester + nullable: true type: string - Synthetics_getPrivateLocation: - additionalProperties: true - properties: - agentPolicyId: - description: The ID of the agent policy associated with the private location. + dataProviders: + description: Object containing query clauses + example: + - enabled: true + excluded: false + id: >- + id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b + name: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b + queryMatch: + field: _id, + operator: ':' + value: >- + d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b, + items: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderResult' + nullable: true + type: array + dataViewId: + description: ID of the Timeline's Data View + example: security-solution-default + nullable: true type: string - geo: - description: Geographic coordinates (WGS84) for the location. + dateRange: + description: The Timeline's search period. 
+ example: + end: 1587456479201 + start: 1587370079200 + nullable: true type: object properties: - lat: - description: The latitude of the location. - type: number - lon: - description: The longitude of the location. - type: number - required: - - lat - - lon - id: - description: The unique identifier of the private location. - type: string - isInvalid: - description: | - Indicates whether the location is invalid. If `true`, the location is invalid, which means the agent policy associated with the location is deleted. - type: boolean - label: - description: A label for the private location. - type: string - namespace: - description: The namespace of the location, which is the same as the namespace of the agent policy associated with the location. + end: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + start: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + description: + description: The Timeline's description + example: Investigating exposure of CVE XYZ + nullable: true type: string - title: Post a private location - type: object - Synthetics_httpMonitorFields: - allOf: - - $ref: '#/components/schemas/Synthetics_commonMonitorFields' - - additionalProperties: true + eqlOptions: + description: EQL query that is used in the correlation tab + example: + eventCategoryField: event.category + query: sequence\n[process where process.name == "sudo"]\n[any where true] + size: 100 + timestampField: '@timestamp' + nullable: true type: object properties: - check: - description: The check request settings. - type: object - properties: - request: - description: An optional request to send to the remote host. - type: object - properties: - body: - description: Optional request body content. - type: string - headers: - description: | - A dictionary of additional HTTP headers to send. By default, Synthetics will set the User-Agent header to identify itself. - type: object - method: - description: The HTTP method to use. 
- enum: - - HEAD - - GET - - POST - - OPTIONS - type: string - response: - additionalProperties: true - description: The expected response. - type: object - properties: - body: - type: object - headers: - description: A dictionary of expected HTTP headers. If the header is not found, the check fails. - type: object - ipv4: - default: true - description: If `true`, ping using the ipv4 protocol. - type: boolean - ipv6: - default: true - description: If `true`, ping using the ipv6 protocol. - type: boolean - max_redirects: - default: 0 - description: The maximum number of redirects to follow. - type: number - mode: - default: any - description: | - The mode of the monitor. If it is `all`, the monitor pings all resolvable IPs for a hostname. If it is `any`, the monitor pings only one IP address for a hostname. If you're using a DNS-load balancer and want to ping every IP address for the specified hostname, you should use `all`. - enum: - - all - - any - type: string - password: - description: | - The password for authenticating with the server. The credentials are passed with the request. - type: string - proxy_headers: - description: Additional headers to send to proxies during CONNECT requests. - type: object - proxy_url: - description: The URL of the proxy to use for this monitor. + eventCategoryField: + nullable: true type: string - response: - description: Controls the indexing of the HTTP response body contents to the `http.response.body.contents field`. - type: object - ssl: - description: | - The TLS/SSL connection settings for use with the HTTPS endpoint. If you don't specify settings, the system defaults are used. - type: object - type: - description: The monitor type. - enum: - - http + query: + nullable: true type: string - url: - description: The URL to monitor. 
+ size: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + tiebreakerField: + nullable: true type: string - username: - description: | - The username for authenticating with the server. The credentials are passed with the request. + timestampField: + nullable: true type: string - required: - - type - - url - title: HTTP monitor fields - Synthetics_icmpMonitorFields: + eventType: + deprecated: true + description: Event types displayed in the Timeline + example: all + nullable: true + type: string + excludedRowRendererIds: + description: >- + A list of row renderers that should not be used when in `Event + renderers` mode + items: + $ref: '#/components/schemas/Security_Timeline_API_RowRendererId' + nullable: true + type: array + favorite: + items: + $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' + nullable: true + type: array + filters: + description: A list of filters that should be applied to the query + items: + $ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult' + nullable: true + type: array + indexNames: + description: >- + A list of index names to use in the query (e.g. 
when the default + data view has been modified) + example: + - .logs* + items: + type: string + nullable: true + type: array + kqlMode: + description: >- + Indicates whether the KQL bar filters the query results or searches + for additional results, where: + * `filter`: filters query results + * `search`: displays additional search results + example: search + nullable: true + type: string + kqlQuery: + $ref: >- + #/components/schemas/Security_Timeline_API_SerializedFilterQueryResult + nullable: true + savedQueryId: + description: The ID of the saved query that might be used in the Query tab + example: c7b16904-02d7-4f32-b8f2-cc20f9625d6e + nullable: true + type: string + savedSearchId: + description: The ID of the saved search that is used in the ES|QL tab + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true + type: string + sort: + $ref: '#/components/schemas/Security_Timeline_API_Sort' + nullable: true + status: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' + nullable: true + templateTimelineId: + description: >- + A unique ID (UUID) for Timeline templates. For Timelines, the value + is `null`. + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true + type: string + templateTimelineVersion: + description: >- + Timeline template version number. For Timelines, the value is + `null`. + example: 12 + nullable: true + type: number + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + title: + description: The Timeline's title. 
+ example: CVE XYZ investigation + nullable: true + type: string + updated: + description: >- + The last time the Timeline was updated, using a 13-digit Epoch + timestamp + example: 1741344876825 + nullable: true + type: number + updatedBy: + description: The user who last updated the Timeline + example: casetester + nullable: true + type: string + Security_Timeline_API_SavedTimelineWithSavedObjectId: allOf: - - $ref: '#/components/schemas/Synthetics_commonMonitorFields' - - additionalProperties: true - type: object + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object properties: - host: - description: The host to ping. + savedObjectId: + description: The `savedObjectId` of the Timeline or Timeline template + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e type: string - type: - description: The monitor type. - enum: - - icmp + version: + description: The version of the Timeline or Timeline template + example: WzE0LDFd type: string - wait: - default: 1 - description: The wait time in seconds. - type: number required: - - host - - type - title: ICMP monitor fields - Synthetics_monitorWarning: - title: Monitor warning - type: object - properties: - message: - description: A human-readable warning message. - type: string - monitorId: - description: The monitor ID associated with the warning. - type: string - publicLocationIds: - description: The public location IDs associated with the warning. - items: - type: string - type: array - Synthetics_parameterRequest: - title: Parameter request + - savedObjectId + - version + Security_Timeline_API_SerializedFilterQueryResult: + description: KQL bar query. + example: + filterQuery: null + kuery: + expression: '_id : *' + kind: kuery + serializedQuery: >- + {"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}} type: object properties: - description: - description: A description of the parameter. - type: string - key: - description: The key of the parameter. 
- type: string - share_across_spaces: - description: Specify whether the parameter should be shared across spaces. - type: boolean - tags: - description: An array of tags to categorize the parameter. - items: - type: string + filterQuery: + nullable: true + type: object + properties: + kuery: + nullable: true + type: object + properties: + expression: + nullable: true + type: string + kind: + nullable: true + type: string + serializedQuery: + nullable: true + type: string + Security_Timeline_API_Sort: + oneOf: + - $ref: '#/components/schemas/Security_Timeline_API_SortObject' + - items: + $ref: '#/components/schemas/Security_Timeline_API_SortObject' type: array - value: - description: The value associated with the parameter. - type: string - required: - - key - - value - Synthetics_postParameterResponse: - title: Post parameter response + Security_Timeline_API_SortFieldTimeline: + description: The field to sort the timelines by. + enum: + - title + - description + - updated + - created + type: string + Security_Timeline_API_SortObject: + description: Object indicating how rows are sorted in the Timeline's grid + example: + columnId: '@timestamp' + sortDirection: desc type: object properties: - description: - description: A description of the parameter. - type: string - id: - description: The unique identifier for the parameter. + columnId: + nullable: true type: string - key: - description: The parameter key. + columnType: + nullable: true type: string - share_across_spaces: - description: Indicates whether the parameter is shared across spaces. - type: boolean - tags: - description: An array of tags associated with the parameter. - items: - type: string - type: array - value: - description: The value associated with the parameter. 
+ sortDirection: + nullable: true type: string - Synthetics_tcpMonitorFields: + Security_Timeline_API_TimelineResponse: allOf: - - $ref: '#/components/schemas/Synthetics_commonMonitorFields' - - additionalProperties: true - type: object + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - $ref: >- + #/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId + - type: object properties: - host: - description: | - The host to monitor; it can be an IP address or a hostname. The host can include the port using a colon, for example "example.com:9200". - type: string - proxy_url: - description: | - The URL of the SOCKS5 proxy to use when connecting to the server. The value must be a URL with a scheme of `socks5://`. If the SOCKS5 proxy server requires client authentication, then a username and password can be embedded in the URL. When using a proxy, hostnames are resolved on the proxy server instead of on the client. You can change this behavior by setting the `proxy_use_local_resolver` option. + eventIdToNoteIds: + description: A list of all the notes that are associated to this Timeline. + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + nullable: true + type: array + noteIds: + description: >- + A list of all the ids of notes that are associated to this + Timeline. + example: + - 709f99c6-89b6-4953-9160-35945c8e174e + items: + type: string + nullable: true + type: array + notes: + description: A list of all the notes that are associated to this Timeline. + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + nullable: true + type: array + pinnedEventIds: + description: >- + A list of all the ids of pinned events that are associated to + this Timeline. + example: + - 983f99c6-89b6-4953-9160-35945c8a194f + items: + type: string + nullable: true + type: array + pinnedEventsSaveObject: + description: >- + A list of all the pinned events that are associated to this + Timeline. 
+ items: + $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + nullable: true + type: array + Security_Timeline_API_TimelineSavedToReturnObject: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object + properties: + eventIdToNoteIds: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + nullable: true + type: array + noteIds: + items: + type: string + nullable: true + type: array + notes: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + nullable: true + type: array + pinnedEventIds: + items: + type: string + nullable: true + type: array + pinnedEventsSaveObject: + items: + $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + nullable: true + type: array + savedObjectId: type: string - proxy_use_local_resolver: - default: false - description: | - Specify that hostnames are resolved locally instead of being resolved on the proxy server. If `false`, name resolution occurs on the proxy server. - type: boolean - ssl: - description: | - The TLS/SSL connection settings for use with the HTTPS endpoint. If you don't specify settings, the system defaults are used. - type: object - type: - description: The monitor type. - enum: - - tcp + version: type: string required: - - host - - type - title: TCP monitor fields - Task_manager_health_APIs_configuration: - description: | - This object summarizes the current configuration of Task Manager. This includes dynamic configurations that change over time, such as `poll_interval` and `max_workers`, which can adjust in reaction to changing load on the system. - type: object - Task_manager_health_APIs_health_response: - title: Task health response properties + - savedObjectId + - version + Security_Timeline_API_TimelineStatus: + description: The status of the Timeline. + enum: + - active + - draft + - immutable + type: string + Security_Timeline_API_TimelineType: + description: The type of Timeline. 
+ enum: + - default + - template + type: string + Short_URL_APIs_urlResponse: type: object properties: - id: + accessCount: + type: integer + accessDate: type: string - last_update: + createDate: type: string - stats: + id: + description: The identifier for the short URL. + type: string + locator: type: object properties: - capacity_estimation: - description: | - This object provides a rough estimate about the sufficiency of its capacity. These are estimates based on historical data and should not be used as predictions. - type: object - configuration: - $ref: '#/components/schemas/Task_manager_health_APIs_configuration' - runtime: - description: | - This object tracks runtime performance of Task Manager, tracking task drift, worker load, and stats broken down by type, including duration and run results. + id: + description: The identifier for the locator. + type: string + state: + description: The locator parameters. type: object - workload: - $ref: '#/components/schemas/Task_manager_health_APIs_workload' - status: - type: string - timestamp: + version: + description: The version of Kibana when the short URL was created. + type: string + slug: + description: > + A random human-readable slug is automatically generated if the + `humanReadableSlug` parameter is set to `true`. If it is set to + `false`, a random short string is generated. type: string - Task_manager_health_APIs_workload: - description: | - This object summarizes the work load across the cluster, including the tasks in the system, their types, and current status. - type: object - bedrock_config: - title: Connector request properties for an Amazon Bedrock connector - description: Defines properties for connectors when type is `.bedrock`. + SLOs_400_response: + title: Bad request type: object - required: - - apiUrl properties: - apiUrl: - type: string - description: The Amazon Bedrock request URL. 
- region: + error: + example: Bad Request type: string - description: | - Optional AWS region for request signing. Required when using a custom endpoint URL that does not include the region in the hostname (for example, `us-west-1`). - defaultModel: + message: + example: 'Invalid value ''foo'' supplied to: [...]' type: string - description: | - The generative artificial intelligence model for Amazon Bedrock to use. Current support is for the Anthropic Claude models. - default: us.anthropic.claude-sonnet-4-5-20250929-v1:0 - crowdstrike_config: - title: Connector request config properties for a Crowdstrike connector + statusCode: + example: 400 + type: number required: - - url - description: Defines config properties for connectors when type is `.crowdstrike`. + - statusCode + - error + - message + SLOs_401_response: + title: Unauthorized type: object properties: - url: - description: | - The CrowdStrike tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + error: + example: Unauthorized type: string - d3security_config: - title: Connector request properties for a D3 Security connector - description: Defines properties for connectors when type is `.d3security`. - type: object + message: + example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" + type: string + statusCode: + example: 401 + type: number required: - - url + - statusCode + - error + - message + SLOs_403_response: + title: Forbidden + type: object properties: - url: + error: + example: Forbidden type: string - description: | - The D3 Security API request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. 
- email_config: - title: Connector request properties for an email connector - description: Defines properties for connectors when type is `.email`. + message: + example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [slo_write] is unauthorized for user [limited_user] for REST request [/api/observability/slos]]: action [slo_write] is unauthorized for user [limited_user]" + type: string + statusCode: + example: 403 + type: number required: - - from + - statusCode + - error + - message + SLOs_404_response: + title: Not found type: object properties: - clientId: - description: | - The client identifier, which is a part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required. + error: + example: Not Found type: string - nullable: true - from: - description: | - The from address for all emails sent by the connector. It must be specified in `user@host-name` format. + message: + example: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found type: string - hasAuth: - description: | - Specifies whether a user and password are required inside the secrets configuration. - default: true - type: boolean - host: - description: | - The host name of the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined. + statusCode: + example: 404 + type: number + required: + - statusCode + - error + - message + SLOs_409_response: + title: Conflict + type: object + properties: + error: + example: Conflict type: string - oauthTokenUrl: + message: + example: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists type: string - nullable: true - port: - description: | - The port to connect to on the service provider. 
If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined. - type: integer - secure: - description: | - Specifies whether the connection to the service provider will use TLS. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. - type: boolean - service: - description: | - The name of the email service. + statusCode: + example: 409 + type: number + required: + - statusCode + - error + - message + SLOs_artifacts: + description: Links to related assets for the SLO + properties: + dashboards: + description: Array of dashboard references + items: + type: object + properties: + id: + description: Dashboard saved-object id + type: string + required: + - id + type: array + title: Artifacts + type: object + SLOs_budgeting_method: + description: The budgeting method to use when computing the rollup data. + enum: + - occurrences + - timeslices + example: occurrences + title: Budgeting method + type: string + SLOs_bulk_delete_request: + description: > + The bulk delete SLO request takes a list of SLOs Definition id to + delete. 
+ properties: + list: + description: An array of SLO Definition id + items: + description: The SLO Definition id + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + type: array + required: + - list + title: Bulk delete SLO request + type: object + SLOs_bulk_delete_response: + description: > + The bulk delete SLO response returns a taskId that can be used to poll + for its status + properties: + taskId: + description: The taskId of the bulk delete operation + example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 type: string - enum: - - elastic_cloud - - exchange_server - - gmail - - other - - outlook365 - - ses - tenantId: - description: | - The tenant identifier, which is part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required. + title: Bulk delete SLO response + type: object + SLOs_bulk_delete_status_response: + description: >- + Indicates if the bulk deletion is completed, with the detailed results + of the operation. + properties: + error: + description: The error message if the bulk deletion operation failed + example: Task not found type: string - nullable: true - gemini_config: - title: Connector request properties for an Google Gemini connector - description: Defines properties for connectors when type is `.gemini`. 
+ isDone: + description: Indicates if the bulk deletion operation is completed + example: true + type: boolean + results: + description: >- + The results of the bulk deletion operation, including the success + status and any errors for each SLO + items: + type: object + properties: + error: + description: >- + The error message if the deletion operation failed for this + SLO + example: SLO [d08506b7-f0e8-4f8b-a06a-a83940f4db91] not found + type: string + id: + description: The ID of the SLO that was deleted + example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 + type: string + success: + description: The result of the deletion operation for this SLO + example: true + type: boolean + type: array + title: The status of the bulk deletion type: object + SLOs_bulk_purge_rollup_request: + description: > + The bulk purge rollup data request takes a list of SLO ids and a purge + policy, then deletes the rollup data according to the purge policy. This + API can be used to remove the staled data of an instance SLO that no + longer get updated. + properties: + list: + description: An array of slo ids + items: + description: The SLO Definition id + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + type: array + purgePolicy: + description: Policy that dictates which SLI documents to purge based on age + oneOf: + - type: object + properties: + age: + description: >- + The duration to determine which documents to purge, + formatted as {duration}{unit}. This value should be greater + than or equal to the time window of every SLO provided. 
+ example: 7d + type: string + purgeType: + description: >- + Specifies whether documents will be purged based on a + specific age or on a timestamp + enum: + - fixed-age + type: string + - type: object + properties: + purgeType: + description: >- + Specifies whether documents will be purged based on a + specific age or on a timestamp + enum: + - fixed-time + type: string + timestamp: + description: >- + The timestamp to determine which documents to purge, + formatted in ISO. This value should be older than the + applicable time window of every SLO provided. + example: '2024-12-31T00:00:00.000Z' + type: string + type: object required: - - apiUrl - - gcpRegion - - gcpProjectID + - list + - purgePolicy + title: Bulk Purge Rollup data request + type: object + SLOs_bulk_purge_rollup_response: + description: > + The bulk purge rollup data response returns a task id from the + elasticsearch deleteByQuery response. properties: - apiUrl: + taskId: + description: The task id of the purge operation + example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string - description: The Google Gemini request URL. - defaultModel: + title: Bulk Purge Rollup data response + type: object + SLOs_create_slo_request: + description: > + The create SLO API request body varies depending on the type of + indicator, time window and budgeting method. + properties: + artifacts: + $ref: '#/components/schemas/SLOs_artifacts' + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + description: + description: A description for the SLO. type: string - description: The generative artificial intelligence model for Google Gemini to use. - default: gemini-2.5-pro - gcpRegion: + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + id: + description: >- + A optional and unique identifier for the SLO. Must be between 8 and + 36 chars + example: my-super-slo-id type: string - description: The GCP region where the Vertex AI endpoint enabled. 
- gcpProjectID: + indicator: + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: A name for the SLO. type: string - description: The Google ProjectID that has Vertex AI endpoint enabled. - resilient_config: - title: Connector request properties for a IBM Resilient connector + objective: + $ref: '#/components/schemas/SLOs_objective' + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' required: - - apiUrl - - orgId - description: Defines properties for connectors when type is `.resilient`. + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + title: Create SLO request + type: object + SLOs_create_slo_response: + title: Create SLO response type: object properties: - apiUrl: - description: The IBM Resilient instance URL. - type: string - orgId: - description: The IBM Resilient organization ID. + id: + example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string - index_config: - title: Connector request properties for an index connector required: - - index - description: Defines properties for connectors when type is `.index`. + - id + SLOs_delete_slo_instances_request: + description: > + The delete SLO instances request takes a list of SLO id and instance id, + then delete the rollup and summary data. This API can be used to remove + the staled data of an instance SLO that no longer get updated. 
+ properties: + list: + description: An array of slo id and instance id + items: + type: object + properties: + instanceId: + description: The SLO instance identifier + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + sloId: + description: The SLO unique identifier + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + required: + - sloId + - instanceId + type: array + required: + - list + title: Delete SLO instances request + type: object + SLOs_error_budget: + title: Error budget + type: object + properties: + consumed: + description: The error budget consummed, as a percentage of the initial value. + example: 0.8 + type: number + initial: + description: The initial error budget, as 1 - objective + example: 0.02 + type: number + isEstimated: + description: >- + Only for SLO defined with occurrences budgeting method and calendar + aligned time window. + example: true + type: boolean + remaining: + description: The error budget remaining, as a percentage of the initial value. + example: 0.2 + type: number + required: + - initial + - consumed + - remaining + - isEstimated + SLOs_filter: + description: Defines properties for a filter + properties: + meta: + $ref: '#/components/schemas/SLOs_filter_meta' + query: + type: object + title: Filter type: object + SLOs_filter_meta: + description: Defines properties for a filter properties: - executionTimeField: - description: A field that indicates when the document was indexed. - default: null - type: string + alias: nullable: true - index: - description: The Elasticsearch index to be written to. type: string - refresh: - description: | - The refresh policy for the write request, which affects when changes are made visible to search. Refer to the refresh setting for Elasticsearch document APIs. 
- default: false - type: boolean - jira_config: - title: Connector request properties for a Jira connector - required: - - apiUrl - - projectKey - description: Defines properties for connectors when type is `.jira`. - type: object - properties: - apiUrl: - description: The Jira instance URL. + controlledBy: type: string - projectKey: - description: The Jira project key. + disabled: + type: boolean + field: type: string - defender_config: - title: Connector request properties for a Microsoft Defender for Endpoint connector - required: - - apiUrl - - projectKey - description: Defines properties for connectors when type is `.microsoft_defender_endpoint`. - type: object - properties: - apiUrl: + group: type: string - description: | - The URL of the Microsoft Defender for Endpoint API. If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname is added to the allowed hosts. - clientId: + index: type: string - description: The application (client) identifier for your app in the Azure portal. - oAuthScope: + isMultiIndex: + type: boolean + key: type: string - description: The OAuth scopes or permission sets for the Microsoft Defender for Endpoint API. - oAuthServerUrl: + negate: + type: boolean + params: + type: object + type: type: string - description: The OAuth server URL where authentication is sent and received for the Microsoft Defender for Endpoint API. - tenantId: - description: The tenant identifier for your app in the Azure portal. + value: type: string - genai_azure_config: - title: Connector request properties for an OpenAI connector that uses Azure OpenAI - description: | - Defines properties for connectors when type is `.gen-ai` and the API provider is `Azure OpenAI`. + title: FilterMeta type: object - required: - - apiProvider - - apiUrl - properties: - apiProvider: - type: string - description: The OpenAI API provider. - enum: - - Azure OpenAI - apiUrl: - type: string - description: The OpenAI API endpoint. 
- genai_openai_config: - title: Connector request properties for an OpenAI connector + SLOs_find_slo_definitions_response: description: | - Defines properties for connectors when type is `.gen-ai` and the API provider is `OpenAI`. - type: object - required: - - apiProvider - - apiUrl - properties: - apiProvider: - type: string - description: The OpenAI API provider. - enum: - - OpenAI - apiUrl: - type: string - description: The OpenAI API endpoint. - defaultModel: - type: string - description: The default model to use for requests. - opsgenie_config: - title: Connector request properties for an Opsgenie connector - required: - - apiUrl - description: Defines properties for connectors when type is `.opsgenie`. + A paginated response of SLO definitions matching the query. + oneOf: + - type: object + properties: + page: + example: 1 + type: number + perPage: + example: 25 + type: number + results: + items: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + type: array + total: + example: 34 + type: number + - type: object + properties: + page: + default: 1 + description: for backward compability + type: number + perPage: + description: for backward compability + example: 25 + type: number + results: + items: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + type: array + searchAfter: + description: the cursor to provide to get the next paged results + example: + - some-slo-id + - other-cursor-id + items: + type: string + type: array + size: + example: 25 + type: number + total: + example: 34 + type: number + title: Find SLO definitions response type: object + SLOs_find_slo_response: + description: | + A paginated response of SLOs matching the query. properties: - apiUrl: - description: | - The Opsgenie URL. For example, `https://api.opsgenie.com` or `https://api.eu.opsgenie.com`. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. 
+ page: + example: 1 + type: number + perPage: + example: 25 + type: number + results: + items: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + type: array + searchAfter: type: string - pagerduty_config: - title: Connector request properties for a PagerDuty connector - description: Defines properties for connectors when type is `.pagerduty`. + size: + description: Size provided for cursor based pagination + example: 25 + type: number + total: + example: 34 + type: number + title: Find SLO response type: object - properties: - apiUrl: - description: The PagerDuty event URL. - type: string - nullable: true - example: https://events.pagerduty.com/v2/enqueue - sentinelone_config: - title: Connector request properties for a SentinelOne connector - required: - - url - description: Defines properties for connectors when type is `.sentinelone`. + SLOs_group_by: + description: >- + optional group by field or fields to use to generate an SLO per distinct + value + example: + - - service.name + - service.name + - - service.name + - service.environment + oneOf: + - type: string + - items: + type: string + type: array + title: Group by + SLOs_indicator_properties_apm_availability: + description: Defines properties for the APM availability indicator type type: object properties: - url: - description: | - The SentinelOne tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + params: + description: An object containing the indicator parameters. 
+ nullable: false + type: object + properties: + environment: + description: The APM service environment or "*" + example: production + type: string + filter: + description: KQL query used for filtering the data + example: 'service.foo : "bar"' + type: string + index: + description: The index used by APM metrics + example: metrics-apm*,apm* + type: string + service: + description: The APM service name + example: o11y-app + type: string + transactionName: + description: The APM transaction name or "*" + example: GET /my/api + type: string + transactionType: + description: The APM transaction type or "*" + example: request + type: string + required: + - service + - environment + - transactionType + - transactionName + - index + type: + description: The type of indicator. + example: sli.apm.transactionDuration type: string - servicenow_config: - title: Connector request properties for a ServiceNow ITSM connector required: - - apiUrl - description: Defines properties for connectors when type is `.servicenow`. + - type + - params + title: APM availability + SLOs_indicator_properties_apm_latency: + description: Defines properties for the APM latency indicator type type: object properties: - apiUrl: - type: string - description: The ServiceNow instance URL. - clientId: - description: | - The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`. - type: string - isOAuth: - description: | - The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth). - default: false - type: boolean - jwtKeyId: - description: | - The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`. - type: string - userIdentifierValue: - description: | - The identifier to use for OAuth authentication. 
This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`. + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + environment: + description: The APM service environment or "*" + example: production + type: string + filter: + description: KQL query used for filtering the data + example: 'service.foo : "bar"' + type: string + index: + description: The index used by APM metrics + example: metrics-apm*,apm* + type: string + service: + description: The APM service name + example: o11y-app + type: string + threshold: + description: The latency threshold in milliseconds + example: 250 + type: number + transactionName: + description: The APM transaction name or "*" + example: GET /my/api + type: string + transactionType: + description: The APM transaction type or "*" + example: request + type: string + required: + - service + - environment + - transactionType + - transactionName + - index + - threshold + type: + description: The type of indicator. + example: sli.apm.transactionDuration type: string - usesTableApi: - description: | - Determines whether the connector uses the Table API or the Import Set API. This property is supported only for ServiceNow ITSM and ServiceNow SecOps connectors. NOTE: If this property is set to `false`, the Elastic application should be installed in ServiceNow. - default: true - type: boolean - servicenow_itom_config: - title: Connector request properties for a ServiceNow ITOM connector required: - - apiUrl - description: Defines properties for connectors when type is `.servicenow-itom`. 
+ - type + - params + title: APM latency + SLOs_indicator_properties_custom_kql: + description: Defines properties for a custom query indicator type type: object properties: - apiUrl: - type: string - description: The ServiceNow instance URL. - clientId: - description: | - The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`. - type: string - isOAuth: - description: | - The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth). - default: false - type: boolean - jwtKeyId: - description: | - The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`. - type: string - userIdentifierValue: - description: | - The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`. + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + dataViewId: + description: >- + The kibana data view id to use, primarily used to include data + view runtime mappings. Make sure to save SLO again if you + add/update run time fields to the data view and if those fields + are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + $ref: '#/components/schemas/SLOs_kql_with_filters' + good: + $ref: '#/components/schemas/SLOs_kql_with_filters_good' + index: + description: The index or index pattern to use + example: my-service-* + type: string + timestampField: + description: | + The timestamp field used in the source indice. 
+ example: timestamp + type: string + total: + $ref: '#/components/schemas/SLOs_kql_with_filters_total' + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.kql.custom type: string - slack_api_config: - title: Connector request properties for a Slack connector - description: Defines properties for connectors when type is `.slack_api`. - type: object - properties: - allowedChannels: - type: array - description: A list of valid Slack channels. - items: - type: object - required: - - id - - name - maxItems: 25 - properties: - id: - type: string - description: The Slack channel ID. - example: C123ABC456 - minLength: 1 - name: - type: string - description: The Slack channel name. - minLength: 1 - swimlane_config: - title: Connector request properties for a Swimlane connector required: - - apiUrl - - appId - - connectorType - description: Defines properties for connectors when type is `.swimlane`. + - type + - params + title: Custom Query + SLOs_indicator_properties_custom_metric: + description: Defines properties for a custom metric indicator type type: object properties: - apiUrl: - description: The Swimlane instance URL. - type: string - appId: - description: The Swimlane application ID. - type: string - connectorType: - description: The type of connector. Valid values are `all`, `alerts`, and `cases`. - type: string - enum: - - all - - alerts - - cases - mappings: - title: Connector mappings properties for a Swimlane connector - description: The field mapping. + params: + description: An object containing the indicator parameters. + nullable: false type: object properties: - alertIdConfig: - title: Alert identifier mapping - description: Mapping for the alert ID. + dataViewId: + description: >- + The kibana data view id to use, primarily used to include data + view runtime mappings. 
Make sure to save SLO again if you + add/update run time fields to the data view and if those fields + are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + good: + description: | + An object defining the "good" metrics and equation type: object - required: - - fieldType - - id - - key - - name properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: - type: string - description: The identifier for the field in Swimlane. - key: - type: string - description: The key for the field in Swimlane. - name: + equation: + description: The equation to calculate the "good" metric. + example: A type: string - description: The name of the field in Swimlane. - caseIdConfig: - title: Case identifier mapping - description: Mapping for the case ID. - type: object + metrics: + description: >- + List of metrics with their name, aggregation type, and + field. + items: + oneOf: + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - sum + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + - field + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - doc_count + example: doc_count + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. 
Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + type: array required: - - fieldType - - id - - key - - name - properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: - type: string - description: The identifier for the field in Swimlane. - key: - type: string - description: The key for the field in Swimlane. - name: - type: string - description: The name of the field in Swimlane. - caseNameConfig: - title: Case name mapping - description: Mapping for the case name. + - metrics + - equation + index: + description: The index or index pattern to use + example: my-service-* + type: string + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp + type: string + total: + description: | + An object defining the "total" metrics and equation type: object - required: - - fieldType - - id - - key - - name properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: - type: string - description: The identifier for the field in Swimlane. - key: - type: string - description: The key for the field in Swimlane. - name: + equation: + description: The equation to calculate the "total" metric. + example: A type: string - description: The name of the field in Swimlane. - commentsConfig: - title: Case comment mapping - description: Mapping for the case comments. - type: object + metrics: + description: >- + List of metrics with their name, aggregation type, and + field. + items: + oneOf: + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - sum + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. 
Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + - field + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - doc_count + example: doc_count + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + type: array required: - - fieldType - - id - - key - - name - properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: - type: string - description: The identifier for the field in Swimlane. - key: - type: string - description: The key for the field in Swimlane. - name: - type: string - description: The name of the field in Swimlane. - descriptionConfig: - title: Case description mapping - description: Mapping for the case description. + - metrics + - equation + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.metric.custom + type: string + required: + - type + - params + title: Custom metric + SLOs_indicator_properties_histogram: + description: Defines properties for a histogram indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + dataViewId: + description: >- + The kibana data view id to use, primarily used to include data + view runtime mappings. Make sure to save SLO again if you + add/update run time fields to the data view and if those fields + are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + description: the KQL query to filter the documents with. 
+ example: 'field.environment : "production" and service.name : "my-service"' + type: string + good: + description: | + An object defining the "good" events type: object - required: - - fieldType - - id - - key - - name properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: + aggregation: + description: The type of aggregation to use. + enum: + - value_count + - range + example: value_count type: string - description: The identifier for the field in Swimlane. - key: + field: + description: The field use to aggregate the good events. + example: processor.latency type: string - description: The key for the field in Swimlane. - name: + filter: + description: The filter for good events. + example: 'processor.outcome: "success"' type: string - description: The name of the field in Swimlane. - ruleNameConfig: - title: Rule name mapping - description: Mapping for the name of the alert's rule. - type: object + from: + description: >- + The starting value of the range. Only required for "range" + aggregations. + example: 0 + type: number + to: + description: >- + The ending value of the range. Only required for "range" + aggregations. + example: 100 + type: number required: - - fieldType - - id - - key - - name - properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: - type: string - description: The identifier for the field in Swimlane. - key: - type: string - description: The key for the field in Swimlane. - name: - type: string - description: The name of the field in Swimlane. - severityConfig: - title: Severity mapping - description: Mapping for the severity. + - aggregation + - field + index: + description: The index or index pattern to use + example: my-service-* + type: string + timestampField: + description: | + The timestamp field used in the source indice. 
+ example: timestamp + type: string + total: + description: | + An object defining the "total" events type: object - required: - - fieldType - - id - - key - - name properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: + aggregation: + description: The type of aggregation to use. + enum: + - value_count + - range + example: value_count type: string - description: The identifier for the field in Swimlane. - key: + field: + description: The field use to aggregate the good events. + example: processor.latency type: string - description: The key for the field in Swimlane. - name: + filter: + description: The filter for total events. + example: 'processor.outcome : *' type: string - description: The name of the field in Swimlane. - thehive_config: - title: Connector request properties for a TheHive connector - description: Defines configuration properties for connectors when type is `.thehive`. - type: object - required: - - url - properties: - organisation: - type: string - description: | - The organisation in TheHive that will contain the alerts or cases. By default, the connector uses the default organisation of the user account that created the API key. - url: - type: string - description: | - The instance URL in TheHive. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. - tines_config: - title: Connector request properties for a Tines connector - description: Defines properties for connectors when type is `.tines`. - type: object - required: - - url - properties: - url: - description: | - The Tines tenant URL. If you are using the `xpack.actions.allowedHosts` setting, make sure this hostname is added to the allowed hosts. + from: + description: >- + The starting value of the range. Only required for "range" + aggregations. + example: 0 + type: number + to: + description: >- + The ending value of the range. Only required for "range" + aggregations. 
+ example: 100 + type: number + required: + - aggregation + - field + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.histogram.custom type: string - torq_config: - title: Connector request properties for a Torq connector - description: Defines properties for connectors when type is `.torq`. - type: object required: - - webhookIntegrationUrl - properties: - webhookIntegrationUrl: - description: The endpoint URL of the Elastic Security integration in Torq. - type: string - auth_type: - title: Authentication type - type: string - nullable: true - enum: - - webhook-authentication-basic - - webhook-authentication-ssl - description: | - The type of authentication to use: basic, SSL, or none. - ca: - title: Certificate authority - type: string - description: | - A base64 encoded version of the certificate authority file that the connector can trust to sign and validate certificates. This option is available for all authentication types. - cert_type: - title: Certificate type - type: string - description: | - If the `authType` is `webhook-authentication-ssl`, specifies whether the certificate authentication data is in a CRT and key file format or a PFX file format. - enum: - - ssl-crt-key - - ssl-pfx - has_auth: - title: Has authentication - type: boolean - description: If true, a username and password for login type authentication must be provided. - default: true - verification_mode: - title: Verification mode - type: string - enum: - - certificate - - full - - none - default: full - description: | - Controls the verification of certificates. Use `full` to validate that the certificate has an issue date within the `not_before` and `not_after` dates, chains to a trusted certificate authority (CA), and has a hostname or IP address that matches the names within the certificate. 
Use `certificate` to validate the certificate and verify that it is signed by a trusted authority; this option does not check the certificate hostname. Use `none` to skip certificate validation. - webhook_config: - title: Connector request properties for a Webhook connector - description: Defines properties for connectors when type is `.webhook`. + - type + - params + title: Histogram indicator + SLOs_indicator_properties_timeslice_metric: + description: Defines properties for a timeslice metric indicator type type: object properties: - authType: - $ref: '#/components/schemas/auth_type' - ca: - $ref: '#/components/schemas/ca' - certType: - $ref: '#/components/schemas/cert_type' - hasAuth: - $ref: '#/components/schemas/has_auth' - headers: + params: + description: An object containing the indicator parameters. + nullable: false type: object - nullable: true - description: A set of key-value pairs sent as headers with the request. - method: - type: string - default: post - enum: - - post - - put - description: | - The HTTP request method, either `post` or `put`. - url: - type: string - description: | - The request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. - verificationMode: - $ref: '#/components/schemas/verification_mode' - cases_webhook_config: - title: Connector request properties for Webhook - Case Management connector - required: - - createIncidentJson - - createIncidentResponseKey - - createIncidentUrl - - getIncidentResponseExternalTitleKey - - getIncidentUrl - - updateIncidentJson - - updateIncidentUrl - - viewIncidentUrl - description: Defines properties for connectors when type is `.cases-webhook`. - type: object - properties: - authType: - $ref: '#/components/schemas/auth_type' - ca: - $ref: '#/components/schemas/ca' - certType: - $ref: '#/components/schemas/cert_type' - createCommentJson: - type: string - description: | - A JSON payload sent to the create comment URL to create a case comment. 
You can use variables to add Kibana Cases data to the payload. The required variable is `case.comment`. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated once the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass. - example: '{"body": {{{case.comment}}}}' - createCommentMethod: - type: string - description: | - The REST API HTTP request method to create a case comment in the third-party system. Valid values are `patch`, `post`, and `put`. - default: put - enum: - - patch - - post - - put - createCommentUrl: - type: string - description: | - The REST API URL to create a case comment by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts setting`, add the hostname to the allowed hosts. - example: https://example.com/issue/{{{external.system.id}}}/comment - createIncidentJson: - type: string - description: | - A JSON payload sent to the create case URL to create a case. You can use variables to add case data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review. - example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}' - createIncidentMethod: - type: string - description: | - The REST API HTTP request method to create a case in the third-party system. 
Valid values are `patch`, `post`, and `put`. - enum: - - patch - - post - - put - default: post - createIncidentResponseKey: - type: string - description: The JSON key in the create external case response that contains the case ID. - createIncidentUrl: - type: string - description: | - The REST API URL to create a case in the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. - getIncidentResponseExternalTitleKey: - type: string - description: The JSON key in get external case response that contains the case title. - getIncidentUrl: - type: string - description: | - The REST API URL to get the case by ID from the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. You can use a variable to add the external system ID to the URL. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass. - example: https://example.com/issue/{{{external.system.id}}} - hasAuth: - $ref: '#/components/schemas/has_auth' - headers: - type: string - description: | - A set of key-value pairs sent as headers with the request URLs for the create case, update case, get case, and create comment methods. - updateIncidentJson: - type: string - description: | - The JSON payload sent to the update case URL to update the case. You can use variables to add Kibana Cases data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. 
The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review. - example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}' - updateIncidentMethod: - type: string - description: | - The REST API HTTP request method to update the case in the third-party system. Valid values are `patch`, `post`, and `put`. - default: put - enum: - - patch - - post - - put - updateIncidentUrl: - type: string - description: | - The REST API URL to update the case by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. - example: https://example.com/issue/{{{external.system.ID}}} - verificationMode: - $ref: '#/components/schemas/verification_mode' - viewIncidentUrl: - type: string - description: | - The URL to view the case in the external system. You can use variables to add the external system ID or external system title to the URL. - example: https://testing-jira.atlassian.net/browse/{{{external.system.title}}} - xmatters_config: - title: Connector request properties for an xMatters connector - description: Defines properties for connectors when type is `.xmatters`. - type: object - properties: - configUrl: - description: | - The request URL for the Elastic Alerts trigger in xMatters. It is applicable only when `usesBasic` is `true`. - type: string - nullable: true - usesBasic: - description: Specifies whether the connector uses HTTP basic authentication (`true`) or URL authentication (`false`). - type: boolean - default: true - bedrock_secrets: - title: Connector secrets properties for an Amazon Bedrock connector - description: Defines secrets for connectors when type is `.bedrock`. 
- type: object - required: - - accessKey - - secret - properties: - accessKey: - type: string - description: The AWS access key for authentication. - secret: - type: string - description: The AWS secret for authentication. - crowdstrike_secrets: - title: Connector secrets properties for a Crowdstrike connector - description: Defines secrets for connectors when type is `.crowdstrike`. - type: object - required: - - clientId - - clientSecret - properties: - clientId: - description: The CrowdStrike API client identifier. - type: string - clientSecret: - description: The CrowdStrike API client secret to authenticate the `clientId`. + properties: + dataViewId: + description: >- + The kibana data view id to use, primarily used to include data + view runtime mappings. Make sure to save SLO again if you + add/update run time fields to the data view and if those fields + are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + index: + description: The index or index pattern to use + example: my-service-* + type: string + metric: + description: > + An object defining the metrics, equation, and threshold to + determine if it's a good slice or not + type: object + properties: + comparator: + description: >- + The comparator to use to compare the equation to the + threshold. + enum: + - GT + - GTE + - LT + - LTE + example: GT + type: string + equation: + description: The equation to calculate the metric. + example: A + type: string + metrics: + description: >- + List of metrics with their name, aggregation type, and + field. 
+ items: + anyOf: + - $ref: >- + #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field + - $ref: >- + #/components/schemas/SLOs_timeslice_metric_percentile_metric + - $ref: >- + #/components/schemas/SLOs_timeslice_metric_doc_count_metric + discriminator: + mapping: + avg: >- + #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field + cardinality: >- + #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field + doc_count: >- + #/components/schemas/SLOs_timeslice_metric_doc_count_metric + last_value: >- + #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field + max: >- + #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field + min: >- + #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field + percentile: >- + #/components/schemas/SLOs_timeslice_metric_percentile_metric + std_deviation: >- + #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field + sum: >- + #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field + propertyName: aggregation + type: array + threshold: + description: >- + The threshold used to determine if the metric is a good + slice or not. + example: 100 + type: number + required: + - metrics + - equation + - comparator + - threshold + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp + type: string + required: + - index + - timestampField + - metric + type: + description: The type of indicator. + example: sli.metric.timeslice type: string - d3security_secrets: - title: Connector secrets properties for a D3 Security connector - description: Defines secrets for connectors when type is `.d3security`. required: - - token - type: object - properties: - token: - type: string - description: The D3 Security token. - email_secrets: - title: Connector secrets properties for an email connector - description: Defines secrets for connectors when type is `.email`. 
- type: object - properties: - clientSecret: + - type + - params + title: Timeslice metric + SLOs_kql_with_filters: + description: Defines properties for a filter + oneOf: + - description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' type: string - description: | - The Microsoft Exchange Client secret for OAuth 2.0 client credentials authentication. It must be URL-encoded. If `service` is `exchange_server`, this property is required. - password: + - type: object + properties: + filters: + items: + $ref: '#/components/schemas/SLOs_filter' + type: array + kqlQuery: + type: string + title: KQL with filters + SLOs_kql_with_filters_good: + description: The KQL query used to define the good events. + oneOf: + - description: the KQL query to filter the documents with. + example: 'request.latency <= 150 and request.status_code : "2xx"' type: string - description: | - The password for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required. - user: + - type: object + properties: + filters: + items: + $ref: '#/components/schemas/SLOs_filter' + type: array + kqlQuery: + type: string + title: KQL query for good events + SLOs_kql_with_filters_total: + description: The KQL query used to define all events. + oneOf: + - description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' type: string - description: | - The username for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required. - gemini_secrets: - title: Connector secrets properties for a Google Gemini connector - description: Defines secrets for connectors when type is `.gemini`. 
+ - type: object + properties: + filters: + items: + $ref: '#/components/schemas/SLOs_filter' + type: array + kqlQuery: + type: string + title: KQL query for all events + SLOs_objective: + description: Defines properties for the SLO objective type: object - required: - - credentialsJson properties: - credentialsJson: + target: + description: the target objective between 0 and 1 excluded + example: 0.99 + exclusiveMaximum: true + exclusiveMinimum: true + maximum: 100 + minimum: 0 + type: number + timesliceTarget: + description: >- + the target objective for each slice when using a timeslices + budgeting method + example: 0.995 + maximum: 100 + minimum: 0 + type: number + timesliceWindow: + description: >- + the duration of each slice when using a timeslices budgeting method, + as {duraton}{unit} + example: 5m type: string - description: The service account credentials JSON file. The service account should have Vertex AI user IAM role assigned to it. - resilient_secrets: - title: Connector secrets properties for IBM Resilient connector required: - - apiKeyId - - apiKeySecret - description: Defines secrets for connectors when type is `.resilient`. - type: object + - target + title: Objective + SLOs_settings: + description: Defines properties for SLO settings. properties: - apiKeyId: - type: string - description: The authentication key ID for HTTP Basic authentication. - apiKeySecret: + frequency: + default: 1m + description: >- + The interval between checks for changes in the source data. The + minimum value is 1m and the maximum is 59m. The default value is 1 + minute. + example: 5m type: string - description: The authentication key secret for HTTP Basic authentication. - jira_secrets: - title: Connector secrets properties for a Jira connector - required: - - apiToken - - email - description: Defines secrets for connectors when type is `.jira`. - type: object - properties: - apiToken: - description: The Jira API authentication token for HTTP basic authentication. 
+ preventInitialBackfill: + default: false + description: >- + Start aggregating data from the time the SLO is created, instead of + backfilling data from the beginning of the time window. + example: true + type: boolean + syncDelay: + default: 1m + description: >- + The time delay in minutes between the current time and the latest + source data time. Increasing the value will delay any alerting. The + default value is 1 minute. The minimum value is 1m and the maximum + is 359m. It should always be greater then source index refresh + interval. + example: 5m type: string - email: - description: The account email for HTTP Basic authentication. + syncField: + description: >- + The date field that is used to identify new documents in the source. + It is strongly recommended to use a field that contains the ingest + timestamp. If you use a different field, you might need to set the + delay such that it accounts for data transmission delays. When + unspecified, we use the indicator timestamp field. + example: event.ingested type: string - teams_secrets: - title: Connector secrets properties for a Microsoft Teams connector - description: Defines secrets for connectors when type is `.teams`. + title: Settings type: object - required: - - webhookUrl - properties: - webhookUrl: - type: string - description: | - The URL of the incoming webhook. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. - genai_secrets: - title: Connector secrets properties for an OpenAI connector - description: | - Defines secrets for connectors when type is `.gen-ai`. Supports both API key authentication (OpenAI, Azure OpenAI, and `Other`) and PKI authentication (`Other` provider only). PKI fields must be base64-encoded PEM content. 
+ SLOs_slo_definition_response: + title: SLO definition response type: object properties: - apiKey: + artifacts: + $ref: '#/components/schemas/SLOs_artifacts' + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + createdAt: + description: The creation date + example: '2023-01-12T10:03:19.000Z' type: string - description: | - The API key for authentication. For OpenAI and Azure OpenAI providers, it is required. For the `Other` provider, it is required if you do not use PKI authentication. With PKI, you can also optionally include an API key if the OpenAI-compatible service supports or requires one. - certificateData: + description: + description: The description of the SLO. + example: My SLO description type: string - description: | - Base64-encoded PEM certificate content for PKI authentication (Other provider only). Required for PKI. - minLength: 1 - privateKeyData: + enabled: + description: Indicate if the SLO is enabled + example: true + type: boolean + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + id: + description: The identifier of the SLO. + example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string - description: | - Base64-encoded PEM private key content for PKI authentication (Other provider only). Required for PKI. 
- minLength: 1 - caData: + indicator: + discriminator: + mapping: + sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' + sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' + sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' + sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' + sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' + sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + propertyName: type + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: The name of the SLO. + example: My Service SLO type: string - description: | - Base64-encoded PEM CA certificate content for PKI authentication (Other provider only). Optional. - minLength: 1 - opsgenie_secrets: - title: Connector secrets properties for an Opsgenie connector - required: - - apiKey - description: Defines secrets for connectors when type is `.opsgenie`. - type: object - properties: - apiKey: - description: The Opsgenie API authentication key for HTTP Basic authentication. 
+ objective: + $ref: '#/components/schemas/SLOs_objective' + revision: + description: The SLO revision + example: 2 + type: number + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + updatedAt: + description: The last update date + example: '2023-01-12T10:03:19.000Z' type: string - pagerduty_secrets: - title: Connector secrets properties for a PagerDuty connector - description: Defines secrets for connectors when type is `.pagerduty`. - type: object + version: + description: The internal SLO version + example: 2 + type: number required: - - routingKey - properties: - routingKey: - description: | - A 32 character PagerDuty Integration Key for an integration on a service. - type: string - sentinelone_secrets: - title: Connector secrets properties for a SentinelOne connector - description: Defines secrets for connectors when type is `.sentinelone`. + - id + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + - settings + - revision + - enabled + - groupBy + - tags + - createdAt + - updatedAt + - version + SLOs_slo_with_summary_response: + title: SLO response type: object - required: - - token properties: - token: - description: The A SentinelOne API token. + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + createdAt: + description: The creation date + example: '2023-01-12T10:03:19.000Z' type: string - servicenow_secrets: - title: Connector secrets properties for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors - description: Defines secrets for connectors when type is `.servicenow`, `.servicenow-sir`, or `.servicenow-itom`. - type: object - properties: - clientSecret: + description: + description: The description of the SLO. + example: My SLO description type: string - description: The client secret assigned to your OAuth application. 
This property is required when `isOAuth` is `true`. - password: + enabled: + description: Indicate if the SLO is enabled + example: true + type: boolean + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + id: + description: The identifier of the SLO. + example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string - description: The password for HTTP basic authentication. This property is required when `isOAuth` is `false`. - privateKey: + indicator: + discriminator: + mapping: + sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' + sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' + sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' + sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' + sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' + sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + propertyName: type + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + instanceId: + description: the value derived from the groupBy field, if present, otherwise '*' + example: host-abcde type: string - description: The RSA private key that you created for use in ServiceNow. This property is required when `isOAuth` is `true`. - privateKeyPassword: + name: + description: The name of the SLO. + example: My Service SLO type: string - description: The password for the RSA private key. This property is required when `isOAuth` is `true` and you set a password on your private key. 
- username: + objective: + $ref: '#/components/schemas/SLOs_objective' + revision: + description: The SLO revision + example: 2 + type: number + settings: + $ref: '#/components/schemas/SLOs_settings' + summary: + $ref: '#/components/schemas/SLOs_summary' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + updatedAt: + description: The last update date + example: '2023-01-12T10:03:19.000Z' type: string - description: The username for HTTP basic authentication. This property is required when `isOAuth` is `false`. - slack_api_secrets: - title: Connector secrets properties for a Web API Slack connector - description: Defines secrets for connectors when type is `.slack`. + version: + description: The internal SLO version + example: 2 + type: number required: - - token - type: object - properties: - token: - type: string - description: Slack bot user OAuth token. - swimlane_secrets: - title: Connector secrets properties for a Swimlane connector - description: Defines secrets for connectors when type is `.swimlane`. - type: object + - id + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + - settings + - revision + - summary + - enabled + - groupBy + - instanceId + - tags + - createdAt + - updatedAt + - version + SLOs_summary: + description: The SLO computed data properties: - apiToken: - description: Swimlane API authentication token. - type: string - thehive_secrets: - title: Connector secrets properties for a TheHive connector - description: Defines secrets for connectors when type is `.thehive`. + errorBudget: + $ref: '#/components/schemas/SLOs_error_budget' + sliValue: + example: 0.9836 + type: number + status: + $ref: '#/components/schemas/SLOs_summary_status' required: - - apiKey + - status + - sliValue + - errorBudget + title: Summary type: object - properties: - apiKey: - type: string - description: The API key for authentication in TheHive. 
- tines_secrets: - title: Connector secrets properties for a Tines connector - description: Defines secrets for connectors when type is `.tines`. + SLOs_summary_status: + enum: + - NO_DATA + - HEALTHY + - DEGRADING + - VIOLATED + example: HEALTHY + title: summary status + type: string + SLOs_time_window: + description: Defines properties for the SLO time window type: object - required: - - email - - token properties: - email: - description: The email used to sign in to Tines. + duration: + description: >- + the duration formatted as {duration}{unit}. Accepted values for + rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w + (weekly) or 1M (monthly) + example: 30d type: string - token: - description: The Tines API token. + type: + description: >- + Indicates weither the time window is a rolling or a calendar aligned + time window. + enum: + - rolling + - calendarAligned + example: rolling type: string - torq_secrets: - title: Connector secrets properties for a Torq connector - description: Defines secrets for connectors when type is `.torq`. - type: object required: - - token - properties: - token: - description: The secret of the webhook authentication header. - type: string - crt: - title: Certificate - type: string - description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the CRT or CERT file. - key: - title: Certificate key - type: string - description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the KEY file. - pfx: - title: Personal information exchange - type: string - description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-pfx`, it is a base64 encoded version of the PFX or P12 file. - webhook_secrets: - title: Connector secrets properties for a Webhook connector - description: Defines secrets for connectors when type is `.webhook`. 
+ - duration + - type + title: Time window + SLOs_timeslice_metric_basic_metric_with_field: type: object properties: - crt: - $ref: '#/components/schemas/crt' - key: - $ref: '#/components/schemas/key' - pfx: - $ref: '#/components/schemas/pfx' - password: + aggregation: + description: The aggregation type of the metric. + enum: + - sum + - avg + - min + - max + - std_deviation + - last_value + - cardinality + example: sum type: string - description: | - The password for HTTP basic authentication or the passphrase for the SSL certificate files. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. - user: + field: + description: The field of the metric. + example: processor.processed type: string - description: | - The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. - cases_webhook_secrets: - title: Connector secrets properties for Webhook - Case Management connector - type: object - properties: - crt: - $ref: '#/components/schemas/crt' - key: - $ref: '#/components/schemas/key' - pfx: - $ref: '#/components/schemas/pfx' - password: + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' type: string - description: | - The password for HTTP basic authentication. If `hasAuth` is set to `true` and and `authType` is `webhook-authentication-basic`, this property is required. - user: + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ type: string - description: | - The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. - xmatters_secrets: - title: Connector secrets properties for an xMatters connector - description: Defines secrets for connectors when type is `.xmatters`. 
+ required: + - name + - aggregation + - field + title: Timeslice Metric Basic Metric with Field + SLOs_timeslice_metric_doc_count_metric: type: object properties: - password: - description: | - A user name for HTTP basic authentication. It is applicable only when `usesBasic` is `true`. + aggregation: + description: The aggregation type of the metric. Only valid option is "doc_count" + enum: + - doc_count + example: doc_count type: string - secretsUrl: - description: | - The request URL for the Elastic Alerts trigger in xMatters with the API key included in the URL. It is applicable only when `usesBasic` is `false`. + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' type: string - user: - description: | - A password for HTTP basic authentication. It is applicable only when `usesBasic` is `true`. + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ type: string - genai_openai_other_config: - title: Connector request properties for an OpenAI connector with Other provider - description: | - Defines properties for connectors when type is `.gen-ai` and the API provider is `Other` (OpenAI-compatible service), including optional PKI authentication. - type: object required: - - apiProvider - - apiUrl - - defaultModel + - name + - aggregation + title: Timeslice Metric Doc Count Metric + SLOs_timeslice_metric_percentile_metric: + type: object properties: - apiProvider: - type: string - description: The OpenAI API provider. + aggregation: + description: >- + The aggregation type of the metric. Only valid option is + "percentile" enum: - - Other - apiUrl: - type: string - description: The OpenAI-compatible API endpoint. - defaultModel: - type: string - description: The default model to use for requests. - certificateData: - type: string - description: PEM-encoded certificate content. 
- minLength: 1 - privateKeyData: + - percentile + example: percentile type: string - description: PEM-encoded private key content. - minLength: 1 - caData: + field: + description: The field of the metric. + example: processor.processed type: string - description: PEM-encoded CA certificate content. - minLength: 1 - verificationMode: + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' type: string - description: SSL verification mode for PKI authentication. - enum: - - full - - certificate - - none - default: full - headers: - type: object - description: Custom headers to include in requests. - additionalProperties: - type: string - defender_secrets: - title: Connector secrets properties for a Microsoft Defender for Endpoint connector - required: - - clientSecret - description: Defines secrets for connectors when type is `..microsoft_defender_endpoint`. - type: object - properties: - clientSecret: - description: The client secret for your app in the Azure portal. + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ type: string - run_acknowledge_resolve_pagerduty: - title: PagerDuty connector parameters - description: Test an action that acknowledges or resolves a PagerDuty alert. - type: object + percentile: + description: The percentile value. + example: 95 + type: number required: - - dedupKey - - eventAction + - name + - aggregation + - field + - percentile + title: Timeslice Metric Percentile Metric + SLOs_update_slo_request: + description: > + The update SLO API request body varies depending on the type of + indicator, time window and budgeting method. Partial update is handled. properties: - dedupKey: - description: The deduplication key for the PagerDuty alert. + artifacts: + $ref: '#/components/schemas/SLOs_artifacts' + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + description: + description: A description for the SLO. 
type: string - maxLength: 255 - eventAction: - description: The type of event. + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + indicator: + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: A name for the SLO. type: string - enum: - - acknowledge - - resolve - run_documents: - title: Index connector parameters - description: Test an action that indexes a document into Elasticsearch. - type: object - required: - - documents - properties: - documents: - type: array - description: The documents in JSON format for index connectors. + objective: + $ref: '#/components/schemas/SLOs_objective' + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags items: - type: object - additionalProperties: true - run_message_email: - title: Email connector parameters - description: | - Test an action that sends an email message. There must be at least one recipient in `to`, `cc`, or `bcc`. + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + title: Update SLO request + type: object + Synthetics_browserMonitorFields: + allOf: + - $ref: '#/components/schemas/Synthetics_commonMonitorFields' + - additionalProperties: true + type: object + properties: + ignore_https_errors: + default: false + description: Ignore HTTPS errors. + type: boolean + inline_script: + description: The inline script. + type: string + playwright_options: + description: Playwright options. + type: object + screenshots: + default: 'on' + description: The screenshot option. 
+ enum: + - 'on' + - 'off' + - only-on-failure + type: string + synthetics_args: + description: Synthetics agent CLI arguments. + items: + type: string + type: array + type: + description: The monitor type. + enum: + - browser + type: string + required: + - inline_script + - type + title: Browser monitor fields + Synthetics_commonMonitorFields: + title: Common monitor fields type: object - required: - - message - - subject properties: - bcc: - type: array - items: + alert: + description: > + The alert configuration. The default is `{ status: { enabled: true + }, tls: { enabled: true } }`. + type: object + enabled: + default: true + description: Specify whether the monitor is enabled. + type: boolean + labels: + additionalProperties: type: string - description: | - A list of "blind carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in name `` format - cc: - type: array + description: > + Key-value pairs of labels to associate with the monitor. Labels can + be used for filtering and grouping monitors. + type: object + locations: + description: > + The location to deploy the monitor. + + Monitors can be deployed in multiple locations so that you can + detect differences in availability and response times across those + locations. + + To list available locations you can: + + + - Run the `elastic-synthetics locations` command with the + deployment's Kibana URL. + + - Go to *Synthetics > Management* and click *Create monitor*. + Locations will be listed in *Locations*. + externalDocs: + url: >- + https://github.com/elastic/synthetics/blob/main/src/locations/public-locations.ts items: type: string - description: | - A list of "carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in name `` format - message: + type: array + name: + description: The monitor name. + type: string + namespace: + default: default + description: > + The namespace field should be lowercase and not contain spaces. 
The + namespace must not include any of the following characters: `*`, + `\`, `/`, `?`, `"`, `<`, `>`, `|`, whitespace, `,`, `#`, `:`, or + `-`. type: string - description: The email message text. Markdown format is supported. - subject: + params: + description: The monitor parameters. type: string - description: The subject line of the email. - to: - type: array - description: | - A list of email addresses. Addresses can be specified in `user@host-name` format or in name `` format. + private_locations: + description: > + The private locations to which the monitors will be deployed. + + These private locations refer to locations hosted and managed by + you, whereas `locations` are hosted by Elastic. + + You can specify a private location using the location's name. + + To list available private locations you can: + + + - Run the `elastic-synthetics locations` command with the + deployment's Kibana URL. + + - Go to *Synthetics > Settings* and click *Private locationsr*. + Private locations will be listed in the table. + + + > info + + > You can provide `locations` or `private_locations` or both. At + least one is required. items: type: string - run_message_serverlog: - title: Server log connector parameters - description: Test an action that writes an entry to the Kibana server log. - type: object - required: - - message - properties: - level: - type: string - description: The log level of the message for server log connectors. - enum: - - debug - - error - - fatal - - info - - trace - - warn - default: info - message: + type: array + retest_on_failure: + default: true + description: > + Turn retesting for when a monitor fails on or off. By default, + monitors are automatically retested if the monitor goes from "up" to + "down". If the result of the retest is also "down", an error will be + created and if configured, an alert sent. The monitor will then + resume running according to the defined schedule. 
Using + `retest_on_failure` can reduce noise related to transient problems. + type: boolean + schedule: + description: > + The monitor's schedule in minutes. Supported values are `1`, `3`, + `5`, `10`, `15`, `30`, `60`, `120`, and `240`. The default value is + `3` minutes for HTTP, TCP, and ICMP monitors. The default value is + `10` minutes for Browser monitors. + type: number + service.name: + description: The APM service name. type: string - description: The message for server log connectors. - run_message_slack: - title: Slack connector parameters - description: | - Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack`. - type: object + tags: + description: An array of tags. + items: + type: string + type: array + timeout: + default: 16 + description: > + The monitor timeout in seconds. The monitor will fail if it doesn't + complete within this time. + + + For browser monitors, the minimum timeout is 30 seconds. Browser + monitor timeouts are only applied when the monitor runs on private + locations. If a browser monitor specifies a timeout but has no + private locations configured, the timeout will have no effect and a + warning will be returned in the response. + type: number required: - - message - properties: - message: - type: string - description: The Slack message text, which cannot contain Markdown, images, or other advanced formatting. - run_trigger_pagerduty: - title: PagerDuty connector parameters - description: Test an action that triggers a PagerDuty alert. + - name + Synthetics_getParameterResponse: + title: Get parameter response type: object - required: - - eventAction properties: - class: - description: The class or type of the event. - type: string - example: cpu load - component: - description: The component of the source machine that is responsible for the event. - type: string - example: eth0 - customDetails: - description: Additional details to add to the event. 
- type: object - dedupKey: - description: | - All actions sharing this key will be associated with the same PagerDuty alert. This value is used to correlate trigger and resolution. + description: + description: > + The description of the parameter. It is included in the response if + the user has read-only permissions to the Synthetics app. type: string - maxLength: 255 - eventAction: - description: The type of event. + id: + description: The unique identifier of the parameter. type: string - enum: - - trigger - group: - description: The logical grouping of components of a service. + key: + description: The key of the parameter. type: string - example: app-stack - links: - description: A list of links to add to the event. + namespaces: + description: > + The namespaces associated with the parameter. It is included in the + response if the user has read-only permissions to the Synthetics + app. + items: + type: string type: array + tags: + description: > + An array of tags associated with the parameter. It is included in + the response if the user has read-only permissions to the Synthetics + app. items: - type: object - properties: - href: - description: The URL for the link. - type: string - text: - description: A plain text description of the purpose of the link. - type: string - severity: - description: The severity of the event on the affected system. - type: string - enum: - - critical - - error - - info - - warning - default: info - source: - description: | - The affected system, such as a hostname or fully qualified domain name. Defaults to the Kibana saved object id of the action. - type: string - summary: - description: A summery of the event. - type: string - maxLength: 1024 - timestamp: - description: An ISO-8601 timestamp that indicates when the event was detected or generated. + type: string + type: array + value: + description: > + The value associated with the parameter. It will be included in the + response if the user has write permissions. 
type: string - format: date-time - run_addevent: - title: The addEvent subaction - type: object - required: - - subAction - description: The `addEvent` subaction for ServiceNow ITOM connectors. + Synthetics_getPrivateLocation: + additionalProperties: true properties: - subAction: + agentPolicyId: + description: The ID of the agent policy associated with the private location. type: string - description: The action to test. - enum: - - addEvent - subActionParams: + geo: + description: Geographic coordinates (WGS84) for the location. type: object - description: The set of configuration properties for the action. properties: - additional_info: - type: string - description: Additional information about the event. - description: - type: string - description: The details about the event. - event_class: - type: string - description: A specific instance of the source. - message_key: - type: string - description: All actions sharing this key are associated with the same ServiceNow alert. The default value is `:`. - metric_name: - type: string - description: The name of the metric. - node: - type: string - description: The host that the event was triggered for. - resource: - type: string - description: The name of the resource. - severity: - type: string - description: The severity of the event. - source: - type: string - description: The name of the event source type. - time_of_event: - type: string - description: The time of the event. - type: - type: string - description: The type of event. - run_closealert: - title: The closeAlert subaction - type: object - required: - - subAction - - subActionParams - description: The `closeAlert` subaction for Opsgenie connectors. - properties: - subAction: - type: string - description: The action to test. - enum: - - closeAlert - subActionParams: - type: object + lat: + description: The latitude of the location. + type: number + lon: + description: The longitude of the location. 
+ type: number required: - - alias - properties: - alias: - type: string - description: The unique identifier used for alert deduplication in Opsgenie. The alias must match the value used when creating the alert. - note: - type: string - description: Additional information for the alert. - source: - type: string - description: The display name for the source of the alert. - user: - type: string - description: The display name for the owner. - run_closeincident: - title: The closeIncident subaction - type: object - required: - - subAction - - subActionParams - description: The `closeIncident` subaction for ServiceNow ITSM connectors. - properties: - subAction: + - lat + - lon + id: + description: The unique identifier of the private location. type: string - description: The action to test. - enum: - - closeIncident - subActionParams: - type: object - required: - - incident - properties: - incident: - type: object - anyOf: - - required: - - correlation_id - - required: - - externalId - properties: - correlation_id: - type: string - nullable: true - description: | - An identifier that is assigned to the incident when it is created by the connector. NOTE: If you use the default value and the rule generates multiple alerts that use the same alert IDs, the latest open incident for this correlation ID is closed unless you specify the external ID. - maxLength: 100 - default: '{{rule.id}}:{{alert.id}}' - externalId: - type: string - nullable: true - description: The unique identifier (`incidentId`) for the incident in ServiceNow. - run_createalert: - title: The createAlert subaction - type: object - required: - - subAction - - subActionParams - description: The `createAlert` subaction for Opsgenie and TheHive connectors. - properties: - subAction: + isInvalid: + description: > + Indicates whether the location is invalid. If `true`, the location + is invalid, which means the agent policy associated with the + location is deleted. 
+ type: boolean + label: + description: A label for the private location. type: string - description: The action to test. - enum: - - createAlert - subActionParams: + namespace: + description: >- + The namespace of the location, which is the same as the namespace of + the agent policy associated with the location. + type: string + title: Post a private location + type: object + Synthetics_httpMonitorFields: + allOf: + - $ref: '#/components/schemas/Synthetics_commonMonitorFields' + - additionalProperties: true type: object properties: - actions: - type: array - description: The custom actions available to the alert in Opsgenie connectors. - items: - type: string - alias: - type: string - description: The unique identifier used for alert deduplication in Opsgenie. - description: - type: string - description: A description that provides detailed information about the alert. - details: + check: + description: The check request settings. type: object - description: The custom properties of the alert in Opsgenie connectors. - additionalProperties: true - example: - key1: value1 - key2: value2 - entity: - type: string - description: The domain of the alert in Opsgenie connectors. For example, the application or server name. - message: - type: string - description: The alert message in Opsgenie connectors. - note: - type: string - description: Additional information for the alert in Opsgenie connectors. - priority: - type: string - description: The priority level for the alert in Opsgenie connectors. - enum: - - P1 - - P2 - - P3 - - P4 - - P5 - responders: - type: array - description: | - The entities to receive notifications about the alert in Opsgenie connectors. If `type` is `user`, either `id` or `username` is required. If `type` is `team`, either `id` or `name` is required. - items: - type: object - properties: - id: - type: string - description: The identifier for the entity. - name: - type: string - description: The name of the entity. 
- type: - type: string - description: The type of responders, in this case `escalation`. - enum: - - escalation - - schedule - - team - - user - username: - type: string - description: A valid email address for the user. - severity: - type: integer - minimum: 1 - maximum: 4 - description: | - The severity of the incident for TheHive connectors. The value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium). - source: + properties: + request: + description: An optional request to send to the remote host. + type: object + properties: + body: + description: Optional request body content. + type: string + headers: + description: > + A dictionary of additional HTTP headers to send. By + default, Synthetics will set the User-Agent header to + identify itself. + type: object + method: + description: The HTTP method to use. + enum: + - HEAD + - GET + - POST + - OPTIONS + type: string + response: + additionalProperties: true + description: The expected response. + type: object + properties: + body: + type: object + headers: + description: >- + A dictionary of expected HTTP headers. If the header is + not found, the check fails. + type: object + ipv4: + default: true + description: If `true`, ping using the ipv4 protocol. + type: boolean + ipv6: + default: true + description: If `true`, ping using the ipv6 protocol. + type: boolean + max_redirects: + default: 0 + description: The maximum number of redirects to follow. + type: number + mode: + default: any + description: > + The mode of the monitor. If it is `all`, the monitor pings all + resolvable IPs for a hostname. If it is `any`, the monitor pings + only one IP address for a hostname. If you're using a DNS-load + balancer and want to ping every IP address for the specified + hostname, you should use `all`. + enum: + - all + - any type: string - description: The display name for the source of the alert in Opsgenie and TheHive connectors. 
- sourceRef: + password: + description: > + The password for authenticating with the server. The credentials + are passed with the request. type: string - description: A source reference for the alert in TheHive connectors. - tags: - type: array - description: The tags for the alert in Opsgenie and TheHive connectors. - items: - type: string - title: + proxy_headers: + description: Additional headers to send to proxies during CONNECT requests. + type: object + proxy_url: + description: The URL of the proxy to use for this monitor. type: string - description: | - A title for the incident for TheHive connectors. It is used for searching the contents of the knowledge base. - tlp: - type: integer - minimum: 0 - maximum: 4 - default: 2 - description: | - The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red). + response: + description: >- + Controls the indexing of the HTTP response body contents to the + `http.response.body.contents field`. + type: object + ssl: + description: > + The TLS/SSL connection settings for use with the HTTPS endpoint. + If you don't specify settings, the system defaults are used. + type: object type: + description: The monitor type. + enum: + - http type: string - description: The type of alert in TheHive connectors. - user: + url: + description: The URL to monitor. + type: string + username: + description: > + The username for authenticating with the server. The credentials + are passed with the request. type: string - description: The display name for the owner. - visibleTo: - type: array - description: The teams and users that the alert will be visible to without sending a notification. Only one of `id`, `name`, or `username` is required. - items: - type: object - required: - - type - properties: - id: - type: string - description: The identifier for the entity. - name: - type: string - description: The name of the entity. 
- type: - type: string - description: Valid values are `team` and `user`. - enum: - - team - - user - username: - type: string - description: The user name. This property is required only when the `type` is `user`. - run_fieldsbyissuetype: - title: The fieldsByIssueType subaction - type: object - required: - - subAction - - subActionParams - description: The `fieldsByIssueType` subaction for Jira connectors. - properties: - subAction: - type: string - description: The action to test. - enum: - - fieldsByIssueType - subActionParams: - type: object required: - - id + - type + - url + title: HTTP monitor fields + Synthetics_icmpMonitorFields: + allOf: + - $ref: '#/components/schemas/Synthetics_commonMonitorFields' + - additionalProperties: true + type: object properties: - id: + host: + description: The host to ping. type: string - description: The Jira issue type identifier. - example: 10024 - run_getagentdetails: - title: The getAgentDetails subaction - type: object - required: - - subAction - - subActionParams - description: The `getAgentDetails` subaction for CrowdStrike connectors. - properties: - subAction: - type: string - description: The action to test. - enum: - - getAgentDetails - subActionParams: - type: object - description: The set of configuration properties for the action. + type: + description: The monitor type. + enum: + - icmp + type: string + wait: + default: 1 + description: The wait time in seconds. + type: number required: - - ids - properties: - ids: - type: array - description: An array of CrowdStrike agent identifiers. - items: - type: string - run_getagents: - title: The getAgents subaction + - host + - type + title: ICMP monitor fields + Synthetics_monitorWarning: + title: Monitor warning type: object - required: - - subAction - description: The `getAgents` subaction for SentinelOne connectors. properties: - subAction: + message: + description: A human-readable warning message. type: string - description: The action to test. 
- enum: - - getAgents - run_getchoices: - title: The getChoices subaction - type: object - required: - - subAction - - subActionParams - description: The `getChoices` subaction for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors. - properties: - subAction: + monitorId: + description: The monitor ID associated with the warning. type: string - description: The action to test. - enum: - - getChoices - subActionParams: - type: object - description: The set of configuration properties for the action. - required: - - fields - properties: - fields: - type: array - description: An array of fields. - items: - type: string - run_getfields: - title: The getFields subaction + publicLocationIds: + description: The public location IDs associated with the warning. + items: + type: string + type: array + Synthetics_parameterRequest: + title: Parameter request type: object - required: - - subAction - description: The `getFields` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors. properties: - subAction: + description: + description: A description of the parameter. type: string - description: The action to test. - enum: - - getFields - run_getincident: - title: The getIncident subaction - type: object - description: The `getIncident` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors. - required: - - subAction - - subActionParams - properties: - subAction: + key: + description: The key of the parameter. type: string - description: The action to test. - enum: - - getIncident - subActionParams: - type: object - required: - - externalId - properties: - externalId: - type: string - description: The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. - example: 71778 - run_issue: - title: The issue subaction - type: object - required: - - subAction - description: The `issue` subaction for Jira connectors. 
- properties: - subAction: + share_across_spaces: + description: Specify whether the parameter should be shared across spaces. + type: boolean + tags: + description: An array of tags to categorize the parameter. + items: + type: string + type: array + value: + description: The value associated with the parameter. type: string - description: The action to test. - enum: - - issue - subActionParams: - type: object - required: - - id - properties: - id: - type: string - description: The Jira issue identifier. - example: 71778 - run_issues: - title: The issues subaction - type: object required: - - subAction - - subActionParams - description: The `issues` subaction for Jira connectors. - properties: - subAction: - type: string - description: The action to test. - enum: - - issues - subActionParams: - type: object - required: - - title - properties: - title: - type: string - description: The title of the Jira issue. - run_issuetypes: - title: The issueTypes subaction + - key + - value + Synthetics_postParameterResponse: + title: Post parameter response type: object - required: - - subAction - description: The `issueTypes` subaction for Jira connectors. properties: - subAction: + description: + description: A description of the parameter. type: string - description: The action to test. - enum: - - issueTypes - run_postmessage: - title: The postMessage subaction - type: object - description: | - Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack_api`. - required: - - subAction - - subActionParams - properties: - subAction: + id: + description: The unique identifier for the parameter. type: string - description: The action to test. - enum: - - postMessage - subActionParams: + key: + description: The parameter key. + type: string + share_across_spaces: + description: Indicates whether the parameter is shared across spaces. + type: boolean + tags: + description: An array of tags associated with the parameter. 
+ items: + type: string + type: array + value: + description: The value associated with the parameter. + type: string + Synthetics_tcpMonitorFields: + allOf: + - $ref: '#/components/schemas/Synthetics_commonMonitorFields' + - additionalProperties: true type: object - description: The set of configuration properties for the action. properties: - channelIds: - type: array - maxItems: 1 - description: | - The Slack channel identifier, which must be one of the `allowedChannels` in the connector configuration. - items: - type: string - channels: - type: array - deprecated: true - description: | - The name of a channel that your Slack app has access to. - maxItems: 1 - items: - type: string - text: + host: + description: > + The host to monitor; it can be an IP address or a hostname. The + host can include the port using a colon, for example + "example.com:9200". type: string - description: | - The Slack message text. If it is a Slack webhook connector, the text cannot contain Markdown, images, or other advanced formatting. If it is a Slack web API connector, it can contain either plain text or block kit messages. - minLength: 1 - run_pushtoservice: - title: The pushToService subaction + proxy_url: + description: > + The URL of the SOCKS5 proxy to use when connecting to the + server. The value must be a URL with a scheme of `socks5://`. If + the SOCKS5 proxy server requires client authentication, then a + username and password can be embedded in the URL. When using a + proxy, hostnames are resolved on the proxy server instead of on + the client. You can change this behavior by setting the + `proxy_use_local_resolver` option. + type: string + proxy_use_local_resolver: + default: false + description: > + Specify that hostnames are resolved locally instead of being + resolved on the proxy server. If `false`, name resolution occurs + on the proxy server. + type: boolean + ssl: + description: > + The TLS/SSL connection settings for use with the HTTPS endpoint. 
+ If you don't specify settings, the system defaults are used. + type: object + type: + description: The monitor type. + enum: + - tcp + type: string + required: + - host + - type + title: TCP monitor fields + Task_manager_health_APIs_configuration: + description: > + This object summarizes the current configuration of Task Manager. This + includes dynamic configurations that change over time, such as + `poll_interval` and `max_workers`, which can adjust in reaction to + changing load on the system. + type: object + Task_manager_health_APIs_health_response: + title: Task health response properties type: object - required: - - subAction - - subActionParams - description: The `pushToService` subaction for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors. properties: - subAction: + id: type: string - description: The action to test. - enum: - - pushToService - subActionParams: + last_update: + type: string + stats: type: object - description: The set of configuration properties for the action. properties: - comments: - type: array - description: Additional information that is sent to Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, or TheHive. - items: - type: object - properties: - comment: - type: string - description: A comment related to the incident. For example, describe how to troubleshoot the issue. - commentId: - type: integer - description: A unique identifier for the comment. - incident: + capacity_estimation: + description: > + This object provides a rough estimate about the sufficiency of + its capacity. These are estimates based on historical data and + should not be used as predictions. type: object - description: Information necessary to create or update a Jira, ServiceNow ITSM, ServiveNow SecOps, Swimlane, or TheHive incident. 
- properties: - additional_fields: - type: string - nullable: true - maxLength: 20 - description: | - Additional fields for ServiceNow ITSM and ServiveNow SecOps connectors. The fields must exist in the Elastic ServiceNow application and must be specified in JSON format. - alertId: - type: string - description: The alert identifier for Swimlane connectors. - caseId: - type: string - description: The case identifier for the incident for Swimlane connectors. - caseName: - type: string - description: The case name for the incident for Swimlane connectors. - category: - type: string - description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. - correlation_display: - type: string - description: A descriptive label of the alert for correlation purposes for ServiceNow ITSM and ServiceNow SecOps connectors. - correlation_id: - type: string - description: | - The correlation identifier for the security incident for ServiceNow ITSM and ServiveNow SecOps connectors. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as `{{ruleID}}:{{alert ID}}` to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters. NOTE: Using the default configuration of `{{ruleID}}:{{alert ID}}` ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert. - description: - type: string - description: The description of the incident for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors. 
- dest_ip: - description: | - A list of destination IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident. - oneOf: - - type: string - - type: array - items: - type: string - externalId: - type: string - description: | - The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. If present, the incident is updated. Otherwise, a new incident is created. - id: - type: string - description: The external case identifier for Webhook - Case Management connectors. - impact: - type: string - description: The impact of the incident for ServiceNow ITSM connectors. - issueType: - type: integer - description: The type of incident for Jira connectors. For example, 10006. To obtain the list of valid values, set `subAction` to `issueTypes`. - labels: - type: array - items: - type: string - description: | - The labels for the incident for Jira connectors. NOTE: Labels cannot contain spaces. - malware_hash: - description: A list of malware hashes related to the security incident for ServiceNow SecOps connectors. The hashes are added as observables to the security incident. - oneOf: - - type: string - - type: array - items: - type: string - malware_url: - type: string - description: A list of malware URLs related to the security incident for ServiceNow SecOps connectors. The URLs are added as observables to the security incident. - oneOf: - - type: string - - type: array - items: - type: string - otherFields: - type: object - additionalProperties: true - maxProperties: 20 - description: | - Custom field identifiers and their values for Jira connectors. - parent: - type: string - description: The ID or key of the parent issue for Jira connectors. Applies only to `Sub-task` types of issues. - priority: - type: string - description: The priority of the incident in Jira and ServiceNow SecOps connectors. - ruleName: - type: string - description: The rule name for Swimlane connectors. 
- severity: - type: integer - description: | - The severity of the incident for ServiceNow ITSM, Swimlane, and TheHive connectors. In TheHive connectors, the severity value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium). - short_description: - type: string - description: | - A short description of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. It is used for searching the contents of the knowledge base. - source_ip: - description: A list of source IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident. - oneOf: - - type: string - - type: array - items: - type: string - status: - type: string - description: The status of the incident for Webhook - Case Management connectors. - subcategory: - type: string - description: The subcategory of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. - summary: - type: string - description: A summary of the incident for Jira connectors. - tags: - type: array - items: - type: string - description: A list of tags for TheHive and Webhook - Case Management connectors. - title: - type: string - description: | - A title for the incident for Jira, TheHive, and Webhook - Case Management connectors. It is used for searching the contents of the knowledge base. - tlp: - type: integer - minimum: 0 - maximum: 4 - default: 2 - description: | - The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red). - urgency: - type: string - description: The urgency of the incident for ServiceNow ITSM connectors. - run_validchannelid: - title: The validChannelId subaction - type: object - description: | - Retrieves information about a valid Slack channel identifier. It is applicable only when the connector type is `.slack_api`. 
- required: - - subAction - - subActionParams - properties: - subAction: + configuration: + $ref: '#/components/schemas/Task_manager_health_APIs_configuration' + runtime: + description: > + This object tracks runtime performance of Task Manager, tracking + task drift, worker load, and stats broken down by type, + including duration and run results. + type: object + workload: + $ref: '#/components/schemas/Task_manager_health_APIs_workload' + status: type: string - description: The action to test. - enum: - - validChannelId - subActionParams: - type: object - required: - - channelId - properties: - channelId: - type: string - description: The Slack channel identifier. - example: C123ABC456 + timestamp: + type: string + Task_manager_health_APIs_workload: + description: > + This object summarizes the work load across the cluster, including the + tasks in the system, their types, and current status. + type: object securitySchemes: apiKeyAuth: - description: | - These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: `Authorization: ApiKey base64AccessApiKey` + description: > + These APIs use key-based authentication. You must create an API key and + use the encoded value in the request header. For example: + `Authorization: ApiKey base64AccessApiKey` in: header name: Authorization type: apiKey basicAuth: scheme: basic type: http -x-topics: - - title: Kibana spaces - content: | - Spaces enable you to organize your dashboards and other saved objects into meaningful categories. - You can use the default space or create your own spaces. +security: + - apiKeyAuth: [] + - basicAuth: [] +tags: + - description: | + Adjust APM agent configuration without need to redeploy your application. + name: APM agent configuration + - description: > + Configure APM agent keys to authorize requests from APM agents to the APM + Server. 
+ name: APM agent keys + - description: > + Annotate visualizations in the APM app with significant events. + Annotations enable you to easily see how events are impacting the + performance of your applications. + name: APM annotations + - description: Create APM fleet server schema. + name: APM server schema + - description: > + Configure APM source maps. A source map allows minified files to be mapped + back to original source code--allowing you to maintain the speed advantage + of minified code, without losing the ability to quickly and easily debug + your application. + + For best results, uploading source maps should become a part of your + deployment procedure, and not something you only do when you see unhelpful + errors. That's because uploading source maps after errors happen won't + make old errors magically readable--errors must occur again for source + mapping to occur. + name: APM sourcemaps + - description: Case APIs enable you to open and track issues. + name: cases + - description: >- + Data view APIs enable you to manage data views, formerly known as Kibana + index patterns. + name: data views + - description: > + Programmatically integrate with Logstash configuration management. + + > warn + + > Do not directly access the `.logstash` index. The structure of the + `.logstash` index is subject to change, which could cause your integration + to break. Instead, use the Logstash configuration management APIs. + externalDocs: + description: Centralized pipeline management + url: >- + https://www.elastic.co/docs/reference/logstash/logstash-centralized-pipeline-management + name: logstash + x-displayName: Logstash configuration management + - description: Machine learning + name: ml + - description: Interact with the Observability AI Assistant resources. 
+ externalDocs: + description: Observability AI Assistant + url: >- + https://www.elastic.co/docs/solutions/observability/observability-ai-assistant + name: observability_ai_assistant + x-displayName: Observability AI Assistant + - description: Manage and interact with Security Assistant resources. + name: Security AI Assistant API + x-displayName: Security AI assistant + - description: >- + Use the Attack discovery APIs to generate and manage Attack discoveries. + Attack Discovery leverages large language models (LLMs) to analyze alerts + in your environment and identify threats. Each "discovery" represents a + potential attack and describes relationships among multiple alerts to tell + you which users and hosts are involved, how alerts correspond to the MITRE + ATT&CK matrix, and which threat actor might be responsible. + name: Security Attack discovery API + x-displayName: Security Attack discovery + - description: > + Use the detections APIs to create and manage detection rules. Detection + rules search events and external alerts sent to Elastic Security and + generate detection alerts from any hits. Alerts are displayed on the + **Alerts** page and can be assigned and triaged, using the alert status to + mark them as open, closed, or acknowledged. + + + This API supports both key-based authentication and basic authentication. + + + To use key-based authentication, create an API key, then specify the key + in the header of your API calls. + + + To use basic authentication, provide a username and password; this + automatically creates an API key that matches the current user’s + privileges. + + + In both cases, the API key is subsequently used for authorization when the + rule runs. + + > warn + + > If the API key used for authorization has different privileges than the + key that created or most recently updated a rule, the rule behavior might + change. 
+ + + > If the API key that created a rule is deleted, or the user that created + the rule becomes inactive, the rule will stop running. + + + To create and run rules, the user must meet specific requirements for the + Kibana space. Refer to the [Detections + requirements](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html) + for a complete list of requirements. + name: Security Detections API + x-displayName: Security detections + - description: >- + Endpoint Exceptions API allows you to manage detection rule endpoint + exceptions to prevent a rule from generating an alert from incoming events + even when the rule's other criteria are met. + name: Security Endpoint Exceptions API + x-displayName: Security Elastic Endpoint exceptions + - description: Interact with and manage endpoints running the Elastic Defend integration. + name: Security Endpoint Management API + x-displayName: Security endpoint management + - description: '' + name: Security Entity Analytics API + x-displayName: Security entity analytics + - description: > + Exceptions are associated with detection and endpoint rules, and are used + to prevent a rule from generating an alert from incoming events, even when + the rule's other criteria are met. They can help reduce the number of + false positives and prevent trusted processes and network activity from + generating unnecessary alerts. + + + Exceptions are made up of: + + + * **Exception containers**: A container for related exceptions. Generally, + a single exception container contains all the exception items relevant for + a subset of rules. For example, a container can be used to group together + network-related exceptions that are relevant for a large number of network + rules. The container can then be associated with all the relevant rules. + + * **Exception items**: The query (fields, values, and logic) used to + prevent rules from generating alerts. 
When an exception item's query + evaluates to `true`, the rule does not generate an alert. + + + For detection rules, you can also use lists to define rule exceptions. A + list holds multiple values of the same Elasticsearch data type, such as IP + addresses. These values are used to determine when an exception prevents + an alert from being generated. + + > info + + > You cannot use lists with endpoint rule exceptions. + + + > info + + > Only exception containers can be associated with rules. You cannot + directly associate an exception item or a list container with a rule. To + use list exceptions, create an exception item that references the relevant + list container. + + + ## Exceptions requirements + + + Before you can start working with exceptions that use value lists, you + must create the `.lists` and `.items` data streams for the relevant Kibana + space. To do this, use the [Create list data + streams](../operation/operation-createlistindex) endpoint. Once these data + streams are created, your role needs privileges to manage rules. For a + complete list of requirements, refer to [Enable and access + detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui). + name: Security Exceptions API + x-displayName: Security exceptions + - description: > + Lists can be used with detection rule exceptions to define values that + prevent a rule from generating alerts. + + + Lists are made up of: + + + * **List containers**: A container for values of the same Elasticsearch + data type. The following data types can be used: + * `boolean` + * `byte` + * `date` + * `date_nanos` + * `date_range` + * `double` + * `double_range` + * `float` + * `float_range` + * `half_float` + * `integer` + * `integer_range` + * `ip` + * `ip_range` + * `keyword` + * `long` + * `long_range` + * `short` + * `text` + * **List items**: The values used to determine whether the exception + prevents an alert from being generated. 
+ + + All list items in the same list container must be of the same data type, + and each item defines a single value. For example, an IP list container + named `internal-ip-addresses-southport` contains five items, where each + item defines one internal IP address: + + 1. `192.168.1.1` + + 2. `192.168.1.3` + + 3. `192.168.1.18` + + 4. `192.168.1.12` + + 5. `192.168.1.7` + + + To use these IP addresses as values for defining rule exceptions, use the + Security exceptions API to [create an exception list + item](../operation/operation-createexceptionlistitem) that references the + `internal-ip-addresses-southport` list. + + > info + + > Lists cannot be added directly to rules, nor do they define the + operators used to determine when exceptions are applied (`is in list`, `is + not in list`). Use an exception item to define the operator and associate + it with an [exception + container](../operation/operation-createexceptionlist). You can then add + the exception container to a rule's `exceptions_list` object. + + + ## Lists requirements + + + Before you can start using lists, you must create the `.lists` and + `.items` data streams for the relevant Kibana space. To do this, use the + [Create list data streams](../operation/operation-createlistindex) + endpoint. Once these data streams are created, your role needs privileges + to manage rules. Refer to [Enable and access + detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui) + for a complete list of requirements. + name: Security Lists API + x-displayName: Security lists + - description: Run live queries, manage packs and saved queries. + name: Security Osquery API + x-displayName: Security Osquery + - description: >- + You can create Timelines and Timeline templates via the API, as well as + import new Timelines from an ndjson file. + name: Security Timeline API + x-displayName: Security timeline + - description: Manage Kibana short URLs. 
+ name: short url + x-displayName: Short URLs + - description: SLO APIs enable you to define, manage and track service-level objectives + name: slo + - name: synthetics + - description: System + name: system + - description: >- + Task manager APIs enable you to check the health of the Kibana task + manager, which is used by features such as alerting, actions, and + reporting to run mission critical work as persistent background tasks. + externalDocs: + description: Task manager + url: >- + https://www.elastic.co/docs/deploy-manage/distributed-architecture/kibana-tasks-management + name: task manager + x-displayName: Task manager + - description: > + The Kibana Upgrade Assistant API helps you prepare for the next major + Elasticsearch release. - To run APIs in non-default spaces, you must add `s/{space_id}/` to the path. - For example: + > warn - ```bash - curl -X GET "http://${KIBANA_URL}/s/marketing/api/data_views" \ - -H "Authorization: ApiKey ${API_KEY}" - ``` + > This is a Kibana REST API (not an Elasticsearch API) and requests must + target your Kibana URL: - If you use the Kibana console to send API requests, it automatically adds the appropriate space identifier. + > * Self-managed URL pattern: `https://localhost:5601` - To learn more, check out [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces). + > * Elastic Cloud URL pattern: + `https://your-deployment.kb.us-east-1.aws.elastic.cloud:9243` + name: upgrade + x-displayName: Upgrade assistant + - description: Uptime APIs enable you to view and update uptime monitoring settings. + externalDocs: + description: Uptime monitoring + url: https://www.elastic.co/docs/solutions/observability/uptime + name: uptime + x-displayName: Uptime + - name: user session + x-displayName: User session management diff --git a/src/platform/packages/shared/kbn-openapi-bundler/src/openapi_merger.ts b/src/platform/packages/shared/kbn-openapi-bundler/src/openapi_merger.ts index 5857a5f920965..a8fda0c6a0356 100644 
--- a/src/platform/packages/shared/kbn-openapi-bundler/src/openapi_merger.ts +++ b/src/platform/packages/shared/kbn-openapi-bundler/src/openapi_merger.ts @@ -15,7 +15,7 @@ import { createBlankOpenApiDocument } from './bundler/merge_documents/create_bla import type { ResolvedDocument } from './bundler/ref_resolver/resolved_document'; import { writeDocuments } from './utils/write_documents'; import { resolveGlobs } from './utils/resolve_globs'; -import { bundleDocument } from './bundler/bundle_document'; +import { bundleDocument, SkipException } from './bundler/bundle_document'; import { withNamespaceComponentsProcessor } from './bundler/processor_sets'; import type { PrototypeDocument } from './prototype_document'; import { validatePrototypeDocument } from './validate_prototype_document'; @@ -92,11 +92,36 @@ function logSchemas(schemaFilePaths: string[]): void { } async function bundleDocuments(schemaFilePaths: string[]): Promise { - return await Promise.all( - schemaFilePaths.map(async (schemaFilePath) => - bundleDocument(schemaFilePath, withNamespaceComponentsProcessor([], '/info/title')) - ) + const resolvedDocuments = await Promise.all( + schemaFilePaths.map(async (schemaFilePath) => { + try { + return await bundleDocument( + schemaFilePath, + withNamespaceComponentsProcessor([], '/info/title') + ); + } catch (e) { + if (e instanceof SkipException) { + logger.info(`Skipped ${chalk.bold(e.documentPath)}: ${e.message}`); + return; + } + throw e; + } + }) ); + + return filterOutSkippedDocuments(resolvedDocuments); +} + +function filterOutSkippedDocuments( + documents: Array +): ResolvedDocument[] { + const out: ResolvedDocument[] = []; + for (const document of documents) { + if (document) { + out.push(document); + } + } + return out; } const DEFAULT_INFO = { 
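Review bot: `filterOutSkippedDocuments` hand-rolls a loop that TypeScript expresses in one line with a type predicate, `return documents.filter((doc): doc is ResolvedDocument => doc !== undefined);`, which keeps the narrowing explicit at the call site (the generic arguments on `Array` and `Promise` appear stripped on this page, so the exact declared element types are not visible here). The helper would also read better with a short doc comment, e.g. `/** Drops the undefined placeholders left by documents that raised SkipException in bundleDocuments. */`. Separately, a skipped document silently disappears from the merged output with only an `info`-level line; if a skip can stem from a mis-configured schema rather than an intentional marker, `logger.warn` would make that loss stand out in CI logs. Both hunks of this file are complete within this chunk.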
diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/create_exception_list/create_exception_list.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/create_exception_list/create_exception_list.schema.yaml index 1826d94495dcb..57b0f412dd1ac 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/create_exception_list/create_exception_list.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/create_exception_list/create_exception_list.schema.yaml @@ -54,6 +54,16 @@ paths: - name - description - type + examples: + createDetection: + value: + list_id: simple_list + type: detection + name: Sample Detection Exception List + description: This is a sample detection type exception list. + namespace_type: single + tags: [malware] + os_types: [linux] responses: 200: description: Successful response diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/create_exception_list_item/create_exception_list_item.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/create_exception_list_item/create_exception_list_item.schema.yaml index aed28c154748f..3a2662c5c3faf 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/create_exception_list_item/create_exception_list_item.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/create_exception_list_item/create_exception_list_item.schema.yaml 
@@ -33,6 +33,21 @@ paths: - $ref: '#/components/schemas/CreateExceptionListItemBlocklistWindows' - $ref: '#/components/schemas/CreateExceptionListItemBlocklistLinux' - $ref: '#/components/schemas/CreateExceptionListItemBlocklistMac' + examples: + simpleItem: + value: + list_id: simple_list + item_id: simple_list_item + name: Sample Exception List Item + type: simple + description: This is a sample detection type exception item. + namespace_type: single + entries: + - type: exists + field: actingProcess.file.signer + operator: excluded + os_types: [linux] + tags: [malware] responses: 200: description: Successful response diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/create_rule_exceptions/create_rule_exceptions.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/create_rule_exceptions/create_rule_exceptions.schema.yaml index f466f50839ead..fd9f82c15e3a1 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/create_rule_exceptions/create_rule_exceptions.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/create_rule_exceptions/create_rule_exceptions.schema.yaml @@ -51,6 +51,26 @@ paths: namespace_type: single os_types: [linux] tags: [malware] + examples: + addItems: + value: + items: + - item_id: simple_list_item + list_id: simple_list + type: simple + name: Sample Exception List Item + description: This is a sample detection type exception item. + entries: + - type: exists + field: actingProcess.file.signer + operator: excluded + - type: match_any + field: host.name + value: [saturn, jupiter] + operator: included + namespace_type: single + os_types: [linux] + tags: [malware] responses: 200: description: Successful response 
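Review bot: `addItems` in create_rule_exceptions repeats the schema-level `example` whose tail (`namespace_type: single`, `os_types: [linux]`, `tags: [malware]`) is the context immediately above the hunk, leaving two copies to drift; keep one. Separately, the sample entry `type: exists` / `operator: excluded` on `actingProcess.file.signer` (used in both hunks on this line) reads as "field is absent"; if that is the runtime semantics, the sample excepts every event from an unsigned process, a far broader suppression than a reader copying a sample would expect. A one-line caveat in the example's `description` (`This is a sample detection type exception item; an exists/excluded entry matches every event where the field is missing.`) or a narrower sample such as a `match` on a specific signer would avoid teaching that pattern. The entry schemas that define the operator semantics are outside this hunk, so confirm before wording the caveat.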
diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/delete_exception_list/delete_exception_list.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/delete_exception_list/delete_exception_list.schema.yaml index 0135f0fa86557..36741eb2432ea 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/delete_exception_list/delete_exception_list.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/delete_exception_list/delete_exception_list.schema.yaml @@ -31,6 +31,9 @@ paths: - name: namespace_type in: query required: false + description: | + `single` deletes the list in the current Kibana space; `agnostic` deletes a global list. Must match the + list you are removing when using `list_id` or `id`. schema: $ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionNamespaceType' default: single diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/delete_exception_list_item/delete_exception_list_item.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/delete_exception_list_item/delete_exception_list_item.schema.yaml index 47853cade34f8..2c7d70cdcb9c2 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/delete_exception_list_item/delete_exception_list_item.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/delete_exception_list_item/delete_exception_list_item.schema.yaml @@ -26,6 +26,8 @@ paths: - name: namespace_type in: query required: false + description: | + `single` deletes the item in the current Kibana space; `agnostic` deletes an item in a space-agnostic list. Must match the list that owns the item. schema: $ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionNamespaceType' default: single 
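Review bot: The `description: |` on delete_exception_list's `namespace_type` hard-breaks the sentence `Must match the` / `list you are removing…`; because `|` preserves newlines, the bundler re-emits it as a folded scalar with an empty line in the middle (see the ESS and serverless bundles later in this patch, where `Must match the` and `list you are removing` are separated by a blank line), which renders as a paragraph break mid-sentence. Use `description: >-` so wrapped lines fold into one sentence, or keep it on one line as the sibling delete_exception_list_item hunk does. It is also worth stating the blast radius explicitly, e.g. `\`agnostic\` removes the list from every space, not only the space the request is made in.`, since the duplicate route's description in this same patch defines `agnostic` as "all spaces".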
@@ -76,10 +78,12 @@ paths: oneOf: - $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' - $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' - example: - statusCode: 400 - error: Bad Request - message: "[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'" + examples: + badRequest: + value: + statusCode: 400 + error: Bad Request + message: "[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'" 401: description: Unsuccessful authentication response content: diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/duplicate_exception_list/duplicate_exception_list.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/duplicate_exception_list/duplicate_exception_list.schema.yaml index 6d3ab96bb122f..a449557fb17f8 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/duplicate_exception_list/duplicate_exception_list.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/duplicate_exception_list/duplicate_exception_list.schema.yaml @@ -14,11 +14,13 @@ paths: - name: list_id in: query required: true + description: The `list_id` of the existing exception list to copy (source list). schema: $ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListHumanId' - name: namespace_type in: query required: true + description: Scope in which the source list is defined (`single` = current space, `agnostic` = all spaces). schema: $ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionNamespaceType' examples: 
@@ -108,14 +110,19 @@ paths: examples: notFound: value: - message": 'exception list id: "foo" does not exist' - status_code": 404 + message: 'exception list id: "foo" does not exist' + status_code: 404 405: description: Exception list to duplicate not found response content: application/json: schema: $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + notAllowed: + value: + message: 'Cannot duplicate: list is immutable or the operation is not allowed in this state' + status_code: 405 500: description: Internal server error response content: diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/export_exception_list/export_exception_list.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/export_exception_list/export_exception_list.schema.yaml index fe15640bf2cc3..68306353eae7d 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/export_exception_list/export_exception_list.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/export_exception_list/export_exception_list.schema.yaml 
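Review bot: The new `notAllowed` example under `405` says `Cannot duplicate: list is immutable or the operation is not allowed in this state`, while the response's own `description` (the context line just below it) still reads `Exception list to duplicate not found response`, which is the 404 wording; a reader now gets two contradictory accounts of what 405 means for this route. Either change the description to the condition the handler actually returns 405 for, or, if the example text was written for the docs rather than copied from a response, replace it with the real body — clients do match on these messages. Whether the server ever returns 405 for an immutable list cannot be confirmed from this hunk.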
@@ -14,16 +14,20 @@ paths: - name: id in: query required: true + description: Exception list's internal `id` (UUID) returned on create; use with `list_id` and `namespace_type` for an unambiguous target. schema: $ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListId' - name: list_id in: query required: true + description: Human-readable `list_id` of the exception list to export, as shown in the UI and API responses. schema: $ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListHumanId' - name: namespace_type in: query required: true + description: | + `single` exports a list in the current Kibana space; `agnostic` exports a global (space-agnostic) list. schema: $ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionNamespaceType' examples: diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/find_exception_list_items/find_exception_list_items.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/find_exception_list_items/find_exception_list_items.schema.yaml index 640ec9b69efad..943fa1729030c 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/find_exception_list_items/find_exception_list_items.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/find_exception_list_items/find_exception_list_items.schema.yaml @@ -50,6 +50,8 @@ paths: - name: search in: query required: false + description: | + Free-text search term applied to exception list item fields (for example a hostname or file path fragment). schema: type: string example: host.name 
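Review bot: The new description for `search` on find_exception_list_items calls it a free-text term "for example a hostname or file path fragment", but the unchanged `example: host.name` two lines below is a field name, not a value, so the description and the example now disagree about what the parameter holds. If the backend treats `search` as a query-string expression in which field names are legal, say so; if it is a plain value match, change the example to a value such as `example: my-host-01`. How the route interprets `search` is outside this hunk, so pick the wording after checking the handler.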
diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/import_exceptions/import_exceptions.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/import_exceptions/import_exceptions.schema.yaml index c3bd0eb853e0c..a0bfb0544e1a7 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/import_exceptions/import_exceptions.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/import_exceptions/import_exceptions.schema.yaml @@ -24,6 +24,10 @@ paths: example: | {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} + examples: + ndjsonUpload: + value: + file: exception_lists.ndjson parameters: - name: overwrite in: query 
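Review bot: `ndjsonUpload.value.file: exception_lists.ndjson` gives a filename, whereas the part's schema-level `example: |` (the two NDJSON lines in the context just above) gives the file content, so the two examples for the same multipart part now disagree about what goes in it. Most doc generators render a media-type example as the part body, so a bare filename string will be shown as the uploaded payload. Either drop the media-type example and keep the content example, or make the new one carry the same two NDJSON lines. Whether the `file` property is declared `format: binary` is outside this hunk and assumed here.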
@@ -115,6 +119,12 @@ paths: oneOf: - $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' - $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + badRequest: + value: + statusCode: 400 + error: Bad Request + message: "Multipart part `file` is required and must contain a valid .ndjson exception list export" 401: description: Unsuccessful authentication response content: diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/read_exception_list/read_exception_list.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/read_exception_list/read_exception_list.schema.yaml index 5d5e414dfad0e..149d8dcbd6d79 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/read_exception_list/read_exception_list.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/read_exception_list/read_exception_list.schema.yaml @@ -26,6 +26,9 @@ paths: - name: namespace_type in: query required: false + description: | + When `single`, the list is resolved in the current Kibana space. When `agnostic`, the list is a global + (space-agnostic) container. Required for looking up the correct list when `list_id` is not unique. schema: $ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionNamespaceType' default: single diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/read_exception_list_item/read_exception_list_item.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/read_exception_list_item/read_exception_list_item.schema.yaml index 3b451d5de9e33..e22feb735aee4 100644 
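Review bot: The import route's `badRequest` example message `Multipart part \`file\` is required and must contain a valid .ndjson exception list export` does not follow the `[request …]: …` validation wording used by the other 400 examples in this patch (compare `[request query]: namespace_type.0: Invalid enum value`), so it appears hand-written rather than copied from a response. Example error bodies are what client authors pattern-match against; paste the actual message the route returns when the `file` part is missing, and use the shape the handler really emits (`statusCode`/`error` vs `status_code`), since the response is a `oneOf` of two error schemas.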
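Review bot: read_exception_list's new `namespace_type` text says `Required for looking up the correct list when \`list_id\` is not unique`, but the parameter is `required: false` with `default: single` (context lines on either side of the insertion), so "required" misleads; `Needed to disambiguate when the same \`list_id\` exists in both scopes; defaults to \`single\`.` matches the schema. The `|` literal scalar also hard-breaks the sentence after `global`, which the ESS and serverless bundles later in this patch turn into a blank line mid-sentence; `description: >-` or a single line avoids that.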
--- a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/read_exception_list_item/read_exception_list_item.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/read_exception_list_item/read_exception_list_item.schema.yaml @@ -26,6 +26,9 @@ paths: - name: namespace_type in: query required: false + description: | + `single` fetches the item in the current space; `agnostic` fetches a global (space-agnostic) item. Must + match how the list was created. schema: $ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionNamespaceType' default: single diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/read_exception_list_summary/read_exception_list_summary.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/read_exception_list_summary/read_exception_list_summary.schema.yaml index 8037c18a14026..40bc5679398d0 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/read_exception_list_summary/read_exception_list_summary.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/read_exception_list_summary/read_exception_list_summary.schema.yaml @@ -26,6 +26,9 @@ paths: - name: namespace_type in: query required: false + description: | + `single` returns summary for a list in the current space; `agnostic` for a space-agnostic list. Must + line up with `id` / `list_id` used to look up the list. schema: $ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionNamespaceType' default: single diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/update_exception_list/update_exception_list.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/update_exception_list/update_exception_list.schema.yaml index d62845f48f17d..626fa85863433 100644 
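Review bot: Both new `namespace_type` descriptions on this line split a sentence with a hard newline inside a `|` literal scalar (`Must` / `match how the list was created.` and `Must` / `line up with …`), and the bundled ESS and serverless files later in this patch show the result: an empty line between `Must` and the rest of the sentence, rendered as a paragraph break. `description: >-` folds wrapped lines into one sentence and is the safer block style for prose. The read, read-item and summary routes now carry three near-identical descriptions; a single shared parameter under `components/parameters` referenced by `$ref` would keep them from drifting, though that is a larger change than this patch aims at.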
--- a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/update_exception_list/update_exception_list.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/update_exception_list/update_exception_list.schema.yaml @@ -54,6 +54,15 @@ paths: os_types: [linux] description: Different description name: Updated exception list name + examples: + fullReplace: + value: + list_id: simple_list + tags: [draft, malware] + type: detection + os_types: [linux] + description: Different description + name: Updated exception list name responses: 200: description: Successful response diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/update_exception_list_item/update_exception_list_item.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/update_exception_list_item/update_exception_list_item.schema.yaml index a74eac06c0932..07863c04ee7e6 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/update_exception_list_item/update_exception_list_item.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/update_exception_list_item/update_exception_list_item.schema.yaml @@ -30,6 +30,14 @@ paths: - $ref: '#/components/schemas/UpdateExceptionListItemBlocklistWindows' - $ref: '#/components/schemas/UpdateExceptionListItemBlocklistLinux' - $ref: '#/components/schemas/UpdateExceptionListItemBlocklistMac' + examples: + updateItem: + value: + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + name: Updated name + type: simple + description: Updated description + namespace_type: single responses: 200: description: Successful response 
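Review bot: `updateItem` sends `id`, `name`, `type`, `description` and `namespace_type` but no `entries`; if the `UpdateExceptionListItem*` schemas in the `oneOf` above require `entries` (the create counterpart in this patch always carries them), the example is rejected by schema validation and misleads readers who copy it. Add a representative entry, e.g. `entries: [{type: match, field: host.name, operator: included, value: my-host-01}]`, or note in a `summary:` that entries are omitted for brevity — confirm against the update schemas, which are outside this hunk. `fullReplace` for update_exception_list repeats the schema-level `example` whose tail is the context just above the hunk; keep one of the two.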
diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/docs/openapi/ess/security_solution_exceptions_api_2023_10_31.bundled.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/docs/openapi/ess/security_solution_exceptions_api_2023_10_31.bundled.schema.yaml index 2ba1fd372abdd..469674d758aa1 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/docs/openapi/ess/security_solution_exceptions_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/docs/openapi/ess/security_solution_exceptions_api_2023_10_31.bundled.schema.yaml @@ -31,6 +31,30 @@ paths: requestBody: content: application/json: + examples: + addItems: + value: + items: + - description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple schema: example: items: @@ -192,7 +216,12 @@ paths: required: false schema: $ref: '#/components/schemas/ExceptionListHumanId' - - examples: + - description: > + `single` deletes the list in the current Kibana space; `agnostic` + deletes a global list. Must match the + + list you are removing when using `list_id` or `id`. + examples: agnostic: value: agnostic single: @@ -326,7 +355,13 @@ paths: required: false schema: $ref: '#/components/schemas/ExceptionListHumanId' - - examples: + - description: > + When `single`, the list is resolved in the current Kibana space. + When `agnostic`, the list is a global + + (space-agnostic) container. Required for looking up the correct list + when `list_id` is not unique. + examples: agnostic: value: agnostic single: 
@@ -457,6 +492,18 @@ paths: requestBody: content: application/json: + examples: + createDetection: + value: + description: This is a sample detection type exception list. + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + type: detection schema: example: description: This is a sample detection type exception list. @@ -658,6 +705,18 @@ paths: requestBody: content: application/json: + examples: + fullReplace: + value: + description: Different description + list_id: simple_list + name: Updated exception list name + os_types: + - linux + tags: + - draft + - malware + type: detection schema: example: description: Different description @@ -807,12 +866,16 @@ paths: description: Duplicate an existing exception list. operationId: DuplicateExceptionList parameters: - - in: query + - description: The `list_id` of the existing exception list to copy (source list). + in: query name: list_id required: true schema: $ref: '#/components/schemas/ExceptionListHumanId' - - examples: + - description: >- + Scope in which the source list is defined (`single` = current space, + `agnostic` = all spaces). + examples: agnostic: value: agnostic single: @@ -916,14 +979,21 @@ paths: examples: notFound: value: - message": 'exception list id: "foo" does not exist' - status_code": 404 + message: 'exception list id: "foo" does not exist' + status_code: 404 schema: $ref: '#/components/schemas/PlatformErrorResponse' description: Exception list not found '405': content: application/json: + examples: + notAllowed: + value: + message: >- + Cannot duplicate: list is immutable or the operation is + not allowed in this state + status_code: 405 schema: $ref: '#/components/schemas/SiemErrorResponse' description: Exception list to duplicate not found response 
@@ -946,17 +1016,26 @@ paths: description: Export an exception list and its associated items to an NDJSON file. operationId: ExportExceptionList parameters: - - in: query + - description: >- + Exception list's internal `id` (UUID) returned on create; use with + `list_id` and `namespace_type` for an unambiguous target. + in: query name: id required: true schema: $ref: '#/components/schemas/ExceptionListId' - - in: query + - description: >- + Human-readable `list_id` of the exception list to export, as shown + in the UI and API responses. + in: query name: list_id required: true schema: $ref: '#/components/schemas/ExceptionListHumanId' - - examples: + - description: > + `single` exports a list in the current Kibana space; `agnostic` + exports a global (space-agnostic) list. + examples: agnostic: value: agnostic single: @@ -1308,6 +1387,10 @@ paths: requestBody: content: multipart/form-data: + examples: + ndjsonUpload: + value: + file: exception_lists.ndjson schema: type: object properties: @@ -1404,6 +1487,14 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + Multipart part `file` is required and must contain a valid + .ndjson exception list export + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/PlatformErrorResponse' @@ -1477,7 +1568,11 @@ paths: required: false schema: $ref: '#/components/schemas/ExceptionListItemHumanId' - - examples: + - description: > + `single` deletes the item in the current Kibana space; `agnostic` + deletes an item in a space-agnostic list. Must match the list that + owns the item. + examples: agnostic: value: agnostic single: 
@@ -1529,13 +1624,15 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request query]: namespace_type.0: Invalid enum value. + Expected 'agnostic' | 'single', received 'blob' + statusCode: 400 schema: - example: - error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' - statusCode: 400 oneOf: - $ref: '#/components/schemas/PlatformErrorResponse' - $ref: '#/components/schemas/SiemErrorResponse' @@ -1621,7 +1718,12 @@ paths: required: false schema: $ref: '#/components/schemas/ExceptionListItemHumanId' - - examples: + - description: > + `single` fetches the item in the current space; `agnostic` fetches a + global (space-agnostic) item. Must + + match how the list was created. + examples: agnostic: value: agnostic single: @@ -1756,6 +1858,23 @@ paths: requestBody: content: application/json: + examples: + simpleItem: + value: + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple schema: oneOf: - $ref: '#/components/schemas/CreateExceptionListItemGeneric' @@ -2049,6 +2168,14 @@ paths: requestBody: content: application/json: + examples: + updateItem: + value: + description: Updated description + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + name: Updated name + namespace_type: single + type: simple schema: oneOf: - $ref: '#/components/schemas/UpdateExceptionListItemGeneric' @@ -2220,7 +2347,10 @@ paths: items: $ref: '#/components/schemas/ExceptionNamespaceType' type: array - - in: query + - description: > + Free-text search term applied to exception list item fields (for + example a hostname or file path fragment). + in: query name: search required: false schema: 
@@ -2413,7 +2543,12 @@ paths: required: false schema: $ref: '#/components/schemas/ExceptionListHumanId' - - examples: + - description: > + `single` returns summary for a list in the current space; `agnostic` + for a space-agnostic list. Must + + line up with `id` / `list_id` used to look up the list. + examples: agnostic: value: agnostic single: diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/docs/openapi/serverless/security_solution_exceptions_api_2023_10_31.bundled.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/docs/openapi/serverless/security_solution_exceptions_api_2023_10_31.bundled.schema.yaml index 0395595065c88..d940d53121223 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/docs/openapi/serverless/security_solution_exceptions_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/docs/openapi/serverless/security_solution_exceptions_api_2023_10_31.bundled.schema.yaml @@ -31,6 +31,30 @@ paths: requestBody: content: application/json: + examples: + addItems: + value: + items: + - description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple schema: example: items: @@ -192,7 +216,12 @@ paths: required: false schema: $ref: '#/components/schemas/ExceptionListHumanId' - - examples: + - description: > + `single` deletes the list in the current Kibana space; `agnostic` + deletes a global list. Must match the + + list you are removing when using `list_id` or `id`. + examples: agnostic: value: agnostic single: 
@@ -326,7 +355,13 @@ paths: required: false schema: $ref: '#/components/schemas/ExceptionListHumanId' - - examples: + - description: > + When `single`, the list is resolved in the current Kibana space. + When `agnostic`, the list is a global + + (space-agnostic) container. Required for looking up the correct list + when `list_id` is not unique. + examples: agnostic: value: agnostic single: @@ -457,6 +492,18 @@ paths: requestBody: content: application/json: + examples: + createDetection: + value: + description: This is a sample detection type exception list. + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + type: detection schema: example: description: This is a sample detection type exception list. @@ -658,6 +705,18 @@ paths: requestBody: content: application/json: + examples: + fullReplace: + value: + description: Different description + list_id: simple_list + name: Updated exception list name + os_types: + - linux + tags: + - draft + - malware + type: detection schema: example: description: Different description @@ -807,12 +866,16 @@ paths: description: Duplicate an existing exception list. operationId: DuplicateExceptionList parameters: - - in: query + - description: The `list_id` of the existing exception list to copy (source list). + in: query name: list_id required: true schema: $ref: '#/components/schemas/ExceptionListHumanId' - - examples: + - description: >- + Scope in which the source list is defined (`single` = current space, + `agnostic` = all spaces). + examples: agnostic: value: agnostic single: 
@@ -916,14 +979,21 @@ paths: examples: notFound: value: - message": 'exception list id: "foo" does not exist' - status_code": 404 + message: 'exception list id: "foo" does not exist' + status_code: 404 schema: $ref: '#/components/schemas/PlatformErrorResponse' description: Exception list not found '405': content: application/json: + examples: + notAllowed: + value: + message: >- + Cannot duplicate: list is immutable or the operation is + not allowed in this state + status_code: 405 schema: $ref: '#/components/schemas/SiemErrorResponse' description: Exception list to duplicate not found response @@ -946,17 +1016,26 @@ paths: description: Export an exception list and its associated items to an NDJSON file. operationId: ExportExceptionList parameters: - - in: query + - description: >- + Exception list's internal `id` (UUID) returned on create; use with + `list_id` and `namespace_type` for an unambiguous target. + in: query name: id required: true schema: $ref: '#/components/schemas/ExceptionListId' - - in: query + - description: >- + Human-readable `list_id` of the exception list to export, as shown + in the UI and API responses. + in: query name: list_id required: true schema: $ref: '#/components/schemas/ExceptionListHumanId' - - examples: + - description: > + `single` exports a list in the current Kibana space; `agnostic` + exports a global (space-agnostic) list. + examples: agnostic: value: agnostic single: @@ -1308,6 +1387,10 @@ paths: requestBody: content: multipart/form-data: + examples: + ndjsonUpload: + value: + file: exception_lists.ndjson schema: type: object properties: @@ -1404,6 +1487,14 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + Multipart part `file` is required and must contain a valid + .ndjson exception list export + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/PlatformErrorResponse' 
@@ -1477,7 +1568,11 @@ paths: required: false schema: $ref: '#/components/schemas/ExceptionListItemHumanId' - - examples: + - description: > + `single` deletes the item in the current Kibana space; `agnostic` + deletes an item in a space-agnostic list. Must match the list that + owns the item. + examples: agnostic: value: agnostic single: @@ -1529,13 +1624,15 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request query]: namespace_type.0: Invalid enum value. + Expected 'agnostic' | 'single', received 'blob' + statusCode: 400 schema: - example: - error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' - statusCode: 400 oneOf: - $ref: '#/components/schemas/PlatformErrorResponse' - $ref: '#/components/schemas/SiemErrorResponse' @@ -1621,7 +1718,12 @@ paths: required: false schema: $ref: '#/components/schemas/ExceptionListItemHumanId' - - examples: + - description: > + `single` fetches the item in the current space; `agnostic` fetches a + global (space-agnostic) item. Must + + match how the list was created. + examples: agnostic: value: agnostic single: @@ -1756,6 +1858,23 @@ paths: requestBody: content: application/json: + examples: + simpleItem: + value: + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple schema: oneOf: - $ref: '#/components/schemas/CreateExceptionListItemGeneric' 
@@ -2049,6 +2168,14 @@ paths: requestBody: content: application/json: + examples: + updateItem: + value: + description: Updated description + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + name: Updated name + namespace_type: single + type: simple schema: oneOf: - $ref: '#/components/schemas/UpdateExceptionListItemGeneric' @@ -2220,7 +2347,10 @@ paths: items: $ref: '#/components/schemas/ExceptionNamespaceType' type: array - - in: query + - description: > + Free-text search term applied to exception list item fields (for + example a hostname or file path fragment). + in: query name: search required: false schema: @@ -2413,7 +2543,12 @@ paths: required: false schema: $ref: '#/components/schemas/ExceptionListHumanId' - - examples: + - description: > + `single` returns summary for a list in the current space; `agnostic` + for a space-agnostic list. Must + + line up with `id` / `list_id` used to look up the list. + examples: agnostic: value: agnostic single: diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/create_list_index/create_list_index.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/create_list_index/create_list_index.schema.yaml index bb1713f79b619..7cb3bc42ca53d 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/create_list_index/create_list_index.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/create_list_index/create_list_index.schema.yaml 
@@ -10,7 +10,13 @@ paths: operationId: CreateListIndex x-codegen-enabled: true summary: Create list data streams - description: Create `.lists` and `.items` data streams in the relevant space. + description: | + **DEPRECATED.** `deprecated: true` is set on this operation. Value list backing data streams for the space + are now created as part of supported workflows; calling this explicitly is rarely required. + **WARNING:** Do not use for new integrations. Prefer the UI or the list and list-item APIs after confirming + indices exist with `GET /api/lists/index`. + + Creates the `.lists` and `.items` data streams in the current Kibana space. responses: 200: description: Successful response @@ -22,6 +28,10 @@ paths: acknowledged: type: boolean required: [acknowledged] + examples: + acknowledged: + value: + acknowledged: true 400: description: Invalid input data response content: @@ -30,6 +40,11 @@ paths: oneOf: - $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' - $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + badRequest: + value: + message: "Indices exist but the request could not be completed for the current space. Check that Elasticsearch and Kibana privileges allow index creation for lists." + status_code: 400 401: description: Unsuccessful authentication response content: @@ -49,6 +64,12 @@ paths: application/json: schema: $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' + examples: + forbidden: + value: + statusCode: 403 + error: Forbidden + message: 'API [POST /api/lists/index] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]' 409: description: List data stream exists response content: 
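Review bot: The new `badRequest` example under the 400 response describes an "Indices exist" condition and tells the caller to check Elasticsearch and Kibana privileges, but this same operation documents 409 for "List data stream exists" and 403 for missing privileges, so the example blurs three status codes that operators key alerts and runbooks on. A 400 example should illustrate a malformed request captured from the route's real validation output; for this parameter-less POST there may be no such case, in which case dropping the `badRequest` example is better than authoring one. The description's sentence `` `deprecated: true` is set on this operation. `` restates an OAS flag that renderers already surface and can be removed, leaving the **DEPRECATED** warning and the pointer to `GET /api/lists/index`.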
diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/delete_list/delete_list.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/delete_list/delete_list.schema.yaml index 7328710896ab7..9c0c20d9b66c5 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/delete_list/delete_list.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/delete_list/delete_list.schema.yaml @@ -17,6 +17,7 @@ paths: - name: id in: query required: true + description: Value list identifier to delete, including all of its list items. schema: $ref: '../model/list_common.schema.yaml#/components/schemas/ListId' - name: deleteReferences diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/delete_list_index/delete_list_index.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/delete_list_index/delete_list_index.schema.yaml index c695245938927..3c61dbf843913 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/delete_list_index/delete_list_index.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/delete_list_index/delete_list_index.schema.yaml @@ -21,6 +21,10 @@ paths: acknowledged: type: boolean required: [acknowledged] + examples: + acknowledged: + value: + acknowledged: true 400: description: Invalid input data response content: 
@@ -29,6 +33,11 @@ paths: oneOf: - $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' - $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + badRequest: + value: + message: "Unable to delete value list data streams: invalid or missing index metadata" + status_code: 400 401: description: Unsuccessful authentication response content: @@ -47,12 +56,23 @@ paths: application/json: schema: $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' + examples: + forbidden: + value: + statusCode: 403 + error: Forbidden + message: "API [DELETE /api/lists/index] is not authorized; lists-all (or equivalent) is required to delete data streams" 404: description: List data stream not found response content: application/json: schema: $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + notFound: + value: + message: "The value list data stream was not found in this space" + status_code: 404 500: description: Internal server error response content: diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/export_list_items/export_list_items.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/export_list_items/export_list_items.schema.yaml index f5e13d627fe76..da8e9e3b5181b 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/export_list_items/export_list_items.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/export_list_items/export_list_items.schema.yaml 
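Review bot: The `forbidden` example message `API [DELETE /api/lists/index] is not authorized; lists-all (or equivalent) is required to delete data streams` does not follow the wording Kibana emits for a Kibana-privilege denial, which the `POST /api/lists/index` example in this same patch gives as `API [POST /api/lists/index] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]`. Detection content and support runbooks match on that exact phrase, so a made-up variant in the reference docs leads people to write matchers that never fire. Suggest `message: "API [DELETE /api/lists/index] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]"`, assuming the route is guarded by the same `lists-all` privilege; confirm against a live 403 before merging. The `badRequest` and `notFound` messages in this file read as authored too and would benefit from the same capture-from-server check.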
@@ -36,6 +36,12 @@ paths: 127.0.0.7 127.0.0.8 127.0.0.9 + examples: + ipLines: + value: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 400: description: Invalid input data response content: @@ -79,6 +85,11 @@ paths: application/json: schema: $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + notFound: + value: + message: 'list id: "unknown_list" not found' + status_code: 404 500: description: Internal server error response content: diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/find_list_items/find_list_items.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/find_list_items/find_list_items.schema.yaml index 25ec88a78cd46..cb83fb9df7c5c 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/find_list_items/find_list_items.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/find_list_items/find_list_items.schema.yaml @@ -14,6 +14,7 @@ paths: - name: list_id in: query required: true + description: Parent value list's `id` to page through items for. schema: $ref: '../model/list_common.schema.yaml#/components/schemas/ListId' - name: page @@ -50,6 +51,8 @@ paths: - name: cursor in: query required: false + description: | + Opaque cursor returned in a previous response; pass it to continue listing from the next page. Omit on the first request. schema: $ref: '#/components/schemas/FindListItemsCursor' - name: filter diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/import_list_items/import_list_items.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/import_list_items/import_list_items.schema.yaml index ea58da22bfafd..ea76299da2690 100644 
--- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/import_list_items/import_list_items.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/import_list_items/import_list_items.schema.yaml @@ -34,6 +34,10 @@ paths: 127.0.0.7 127.0.0.8 127.0.0.9 + examples: + ipLinesFile: + value: + file: list_values.txt parameters: - name: list_id in: query @@ -130,6 +134,11 @@ paths: application/json: schema: $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + notFound: + value: + message: 'List with the specified list_id does not exist, create the list or fix list_id to import to an existing one' + status_code: 409 500: description: Internal server error response content: diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/patch_list/patch_list.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/patch_list/patch_list.schema.yaml index c0b39a662262d..81df596c29a12 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/patch_list/patch_list.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/patch_list/patch_list.schema.yaml @@ -35,6 +35,11 @@ paths: example: id: ip_list name: Bad ips list - UPDATED + examples: + patchName: + value: + id: ip_list + name: Bad ips list - UPDATED responses: 200: description: Successful response diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/patch_list_item/patch_list_item.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/patch_list_item/patch_list_item.schema.yaml index ada1d17e6ef6a..373ddf4284802 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/patch_list_item/patch_list_item.schema.yaml 
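Review bot: The 409 example under the import route is keyed `notFound`, but the response it illustrates is a 409 Conflict ("List with specified list_id does not exist response"), so the key contradicts the status it documents and breaks the `badRequest`/`forbidden`/`notFound` naming pattern used for the real 404s elsewhere in this package. Rename it to match the condition, e.g. `listDoesNotExist:` in place of `notFound:`. Separately, the multipart `ipLinesFile` example gives `file: list_values.txt`, a file name rather than file content; examples for a binary `file` part are normally omitted or shown as the uploaded text, so this may render as if the API accepted a path string — worth checking what the docs renderer does with it.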
+++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/patch_list_item/patch_list_item.schema.yaml @@ -38,6 +38,11 @@ paths: example: id: pd1WRJQBs4HAK3VQeHFI value: 255.255.255.255 + examples: + changeValue: + value: + id: pd1WRJQBs4HAK3VQeHFI + value: 255.255.255.255 responses: 200: description: Successful response diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/read_list/read_list.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/read_list/read_list.schema.yaml index 4cf25bd80be38..60453912182b9 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/read_list/read_list.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/read_list/read_list.schema.yaml @@ -14,6 +14,7 @@ paths: - name: id in: query required: true + description: Value list identifier (`id`) returned when the list was created. schema: $ref: '../model/list_common.schema.yaml#/components/schemas/ListId' responses: diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/read_list_index/read_list_index.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/read_list_index/read_list_index.schema.yaml index ddd5d347d4750..e7d637b2bcad9 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/read_list_index/read_list_index.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/read_list_index/read_list_index.schema.yaml @@ -23,6 +23,11 @@ paths: list_item_index: type: boolean required: [list_index, list_item_index] + examples: + bothExist: + value: + list_index: true + list_item_index: true 400: description: Invalid input data response content: 
@@ -31,6 +36,11 @@ paths: oneOf: - $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' - $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + badRequest: + value: + message: "Unable to read value list data stream status for this space" + status_code: 400 401: description: Unsuccessful authentication response content: @@ -49,12 +59,23 @@ paths: application/json: schema: $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' + examples: + forbidden: + value: + statusCode: 403 + error: Forbidden + message: "API [GET /api/lists/index] is not authorized; list read permissions are required" 404: description: List data stream(s) not found response content: application/json: schema: $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + notFound: + value: + message: "Value list backing indices were not found for this space" + status_code: 404 500: description: Internal server error response content: diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/read_list_privileges/read_list_privileges.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/read_list_privileges/read_list_privileges.schema.yaml index d83d5d837647b..e2f486a6792f0 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/read_list_privileges/read_list_privileges.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/read_list_privileges/read_list_privileges.schema.yaml 
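Review bot: The `forbidden` example message `API [GET /api/lists/index] is not authorized; list read permissions are required` is in an authored format rather than Kibana's actual authorization error, and it names no concrete privilege, so a reader cannot tell which Kibana feature privilege to grant. Kibana's own wording, as shown by the `POST /api/lists/index` example in this patch, is `API [METHOD path] is unauthorized for user, this action is granted by the Kibana privileges [...]`; suggest `message: "API [GET /api/lists/index] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]"`, with the privilege name verified against the route definition (I am inferring `lists-read` from the `lists-all` used for the POST). The `notFound` example `Value list backing indices were not found for this space` sits oddly next to a 200 body that can already report `list_index: false` / `list_item_index: false`; confirm the route really emits 404 in that case before illustrating it.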
@@ -9,6 +9,10 @@ paths: operationId: ReadListPrivileges x-codegen-enabled: true summary: Get value list privileges + description: | + Returns the caller's authentication state and the Elasticsearch `cluster`, `index`, and `application` + privileges for `.lists` and `.items` data streams in the current Kibana space. Use this to decide which list + APIs (`read` vs `all` operations) are available before you create or import lists. responses: 200: description: Successful response @@ -103,6 +107,12 @@ paths: oneOf: - $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' - $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + badRequest: + value: + statusCode: 400 + error: Bad Request + message: 'Unable to resolve list privileges: invalid or missing space context for this request' 401: description: Unsuccessful authentication response content: diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/update_list/update_list.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/update_list/update_list.schema.yaml index e20081f5f4b59..47d1d99d2735d 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/update_list/update_list.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/update_list/update_list.schema.yaml @@ -41,6 +41,12 @@ paths: id: ip_list name: Bad ips - updated description: Latest list of bad ips + examples: + replaceList: + value: + id: ip_list + name: Bad ips - updated + description: Latest list of bad ips responses: 200: description: Successful response 
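Review bot: The new description asserts that the response carries the caller's authentication state and Elasticsearch `cluster`, `index`, and `application` privileges, but the 200 schema it refers to lies outside this hunk, so I cannot confirm those three keys from the diff; please check the field names against the response schema so prose and schema do not drift, since consumers use this endpoint to make least-privilege decisions before calling the `all` operations. The `badRequest` example `Unable to resolve list privileges: invalid or missing space context for this request` reads as authored; a parameter-less GET rarely produces a 400, so capture the real message or leave the example out rather than document a failure mode the route may never emit.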
diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/update_list_item/update_list_item.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/update_list_item/update_list_item.schema.yaml index ef17a470f6595..cdb0e8eff376b 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/update_list_item/update_list_item.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/update_list_item/update_list_item.schema.yaml @@ -32,9 +32,14 @@ paths: required: - id - value - example: - id: ip_item - value: 255.255.255.255 + example: + id: ip_item + value: 255.255.255.255 + examples: + fullReplace: + value: + id: ip_item + value: 255.255.255.255 responses: 200: description: Successful response diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/docs/openapi/ess/security_solution_lists_api_2023_10_31.bundled.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/docs/openapi/ess/security_solution_lists_api_2023_10_31.bundled.schema.yaml index 3d50bc00fda93..6657918a88935 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/docs/openapi/ess/security_solution_lists_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/docs/openapi/ess/security_solution_lists_api_2023_10_31.bundled.schema.yaml @@ -19,7 +19,8 @@ paths: > When you delete a list, all of its list items are also deleted. operationId: DeleteList parameters: - - in: query + - description: Value list identifier to delete, including all of its list items. + in: query name: id required: true schema: @@ -142,7 +143,8 @@ paths: description: Get the details of a value list using the list ID. operationId: ReadList parameters: - - in: query + - description: Value list identifier (`id`) returned when the list was created. + in: query name: id required: true schema: 
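Review bot: The same payload now appears twice in the update-list-item request body, once as `example:` (apparently re-indented under `schema`, judging from the bundled output) and again as `examples.fullReplace`, which is exactly the duplication that drifts when one copy is later edited. Since the patch is standardising on `examples`, the `schema.example` block can be dropped; if the bundler relies on `schema.example` for some renderer, keep it but say so in a comment such as `# kept in sync with examples.fullReplace for renderers that ignore `examples`` so the next editor does not remove one copy by accident.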
@@ -242,6 +244,11 @@ paths: requestBody: content: application/json: + examples: + patchName: + value: + id: ip_list + name: Bad ips list - UPDATED schema: example: id: ip_list @@ -562,6 +569,12 @@ paths: requestBody: content: application/json: + examples: + replaceList: + value: + description: Latest list of bad ips + id: ip_list + name: Bad ips - updated schema: example: description: Latest list of bad ips @@ -862,6 +875,10 @@ paths: '200': content: application/json: + examples: + acknowledged: + value: + acknowledged: true schema: type: object properties: @@ -873,6 +890,13 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + message: >- + Unable to delete value list data streams: invalid or + missing index metadata + status_code: 400 schema: oneOf: - $ref: '#/components/schemas/PlatformErrorResponse' @@ -898,12 +922,25 @@ paths: '403': content: application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [DELETE /api/lists/index] is not authorized; lists-all + (or equivalent) is required to delete data streams + statusCode: 403 schema: $ref: '#/components/schemas/PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: + examples: + notFound: + value: + message: The value list data stream was not found in this space + status_code: 404 schema: $ref: '#/components/schemas/SiemErrorResponse' description: List data stream not found response @@ -928,6 +965,11 @@ paths: '200': content: application/json: + examples: + bothExist: + value: + list_index: true + list_item_index: true schema: type: object properties: @@ -942,6 +984,13 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + message: >- + Unable to read value list data stream status for this + space + status_code: 400 schema: oneOf: - $ref: '#/components/schemas/PlatformErrorResponse' 
@@ -967,12 +1016,25 @@ paths: '403': content: application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [GET /api/lists/index] is not authorized; list read + permissions are required + statusCode: 403 schema: $ref: '#/components/schemas/PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: + examples: + notFound: + value: + message: Value list backing indices were not found for this space + status_code: 404 schema: $ref: '#/components/schemas/SiemErrorResponse' description: List data stream(s) not found response @@ -992,12 +1054,30 @@ paths: - Security Lists API post: deprecated: true - description: Create `.lists` and `.items` data streams in the relevant space. + description: > + **DEPRECATED.** `deprecated: true` is set on this operation. Value list + backing data streams for the space + + are now created as part of supported workflows; calling this explicitly + is rarely required. + + **WARNING:** Do not use for new integrations. Prefer the UI or the list + and list-item APIs after confirming + + indices exist with `GET /api/lists/index`. + + + Creates the `.lists` and `.items` data streams in the current Kibana + space. operationId: CreateListIndex responses: '200': content: application/json: + examples: + acknowledged: + value: + acknowledged: true schema: type: object properties: @@ -1009,6 +1089,14 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + message: >- + Indices exist but the request could not be completed for + the current space. Check that Elasticsearch and Kibana + privileges allow index creation for lists. + status_code: 400 schema: oneOf: - $ref: '#/components/schemas/PlatformErrorResponse' 
@@ -1034,6 +1122,14 @@ paths: '403': content: application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [POST /api/lists/index] is unauthorized for user, this + action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: $ref: '#/components/schemas/PlatformErrorResponse' description: Not enough privileges response @@ -1339,6 +1435,11 @@ paths: requestBody: content: application/json: + examples: + changeValue: + value: + id: pd1WRJQBs4HAK3VQeHFI + value: 255.255.255.255 schema: example: id: pd1WRJQBs4HAK3VQeHFI @@ -1659,10 +1760,15 @@ paths: requestBody: content: application/json: - example: - id: ip_item - value: 255.255.255.255 + examples: + fullReplace: + value: + id: ip_item + value: 255.255.255.255 schema: + example: + id: ip_item + value: 255.255.255.255 type: object properties: _version: @@ -1785,6 +1891,12 @@ paths: '200': content: application/ndjson: + examples: + ipLines: + value: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 schema: description: A `.txt` file containing list items from the specified list example: | @@ -1848,6 +1960,11 @@ paths: '404': content: application/json: + examples: + notFound: + value: + message: 'list id: "unknown_list" not found' + status_code: 404 schema: $ref: '#/components/schemas/SiemErrorResponse' description: List not found response @@ -1870,7 +1987,8 @@ paths: description: Get all value list items in the specified list. operationId: FindListItems parameters: - - in: query + - description: Parent value list's `id` to page through items for. + in: query name: list_id required: true schema: @@ -1908,7 +2026,10 @@ paths: - asc example: asc type: string - - in: query + - description: > + Opaque cursor returned in a previous response; pass it to continue + listing from the next page. Omit on the first request. + in: query name: cursor required: false schema: 
@@ -2080,6 +2201,10 @@ paths: requestBody: content: multipart/form-data: + examples: + ipLinesFile: + value: + file: list_values.txt schema: type: object properties: @@ -2171,6 +2296,13 @@ paths: '409': content: application/json: + examples: + notFound: + value: + message: >- + List with the specified list_id does not exist, create the + list or fix list_id to import to an existing one + status_code: 409 schema: $ref: '#/components/schemas/SiemErrorResponse' description: List with specified list_id does not exist response @@ -2190,6 +2322,15 @@ paths: - Security Lists API /api/lists/privileges: get: + description: > + Returns the caller's authentication state and the Elasticsearch + `cluster`, `index`, and `application` + + privileges for `.lists` and `.items` data streams in the current Kibana + space. Use this to decide which list + + APIs (`read` vs `all` operations) are available before you create or + import lists. operationId: ReadListPrivileges responses: '200': @@ -2280,6 +2421,14 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + Unable to resolve list privileges: invalid or missing + space context for this request + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/PlatformErrorResponse' diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/docs/openapi/serverless/security_solution_lists_api_2023_10_31.bundled.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/docs/openapi/serverless/security_solution_lists_api_2023_10_31.bundled.schema.yaml index 4d5f832d860b7..c2dc24f87e75b 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/docs/openapi/serverless/security_solution_lists_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/docs/openapi/serverless/security_solution_lists_api_2023_10_31.bundled.schema.yaml 
@@ -19,7 +19,8 @@ paths: > When you delete a list, all of its list items are also deleted. operationId: DeleteList parameters: - - in: query + - description: Value list identifier to delete, including all of its list items. + in: query name: id required: true schema: @@ -142,7 +143,8 @@ paths: description: Get the details of a value list using the list ID. operationId: ReadList parameters: - - in: query + - description: Value list identifier (`id`) returned when the list was created. + in: query name: id required: true schema: @@ -242,6 +244,11 @@ paths: requestBody: content: application/json: + examples: + patchName: + value: + id: ip_list + name: Bad ips list - UPDATED schema: example: id: ip_list @@ -562,6 +569,12 @@ paths: requestBody: content: application/json: + examples: + replaceList: + value: + description: Latest list of bad ips + id: ip_list + name: Bad ips - updated schema: example: description: Latest list of bad ips @@ -862,6 +875,10 @@ paths: '200': content: application/json: + examples: + acknowledged: + value: + acknowledged: true schema: type: object properties: @@ -873,6 +890,13 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + message: >- + Unable to delete value list data streams: invalid or + missing index metadata + status_code: 400 schema: oneOf: - $ref: '#/components/schemas/PlatformErrorResponse' @@ -898,12 +922,25 @@ paths: '403': content: application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [DELETE /api/lists/index] is not authorized; lists-all + (or equivalent) is required to delete data streams + statusCode: 403 schema: $ref: '#/components/schemas/PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: + examples: + notFound: + value: + message: The value list data stream was not found in this space + status_code: 404 schema: $ref: '#/components/schemas/SiemErrorResponse' description: List data stream not found response 
@@ -928,6 +965,11 @@ paths: '200': content: application/json: + examples: + bothExist: + value: + list_index: true + list_item_index: true schema: type: object properties: @@ -942,6 +984,13 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + message: >- + Unable to read value list data stream status for this + space + status_code: 400 schema: oneOf: - $ref: '#/components/schemas/PlatformErrorResponse' @@ -967,12 +1016,25 @@ paths: '403': content: application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [GET /api/lists/index] is not authorized; list read + permissions are required + statusCode: 403 schema: $ref: '#/components/schemas/PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: + examples: + notFound: + value: + message: Value list backing indices were not found for this space + status_code: 404 schema: $ref: '#/components/schemas/SiemErrorResponse' description: List data stream(s) not found response @@ -992,12 +1054,30 @@ paths: - Security Lists API post: deprecated: true - description: Create `.lists` and `.items` data streams in the relevant space. + description: > + **DEPRECATED.** `deprecated: true` is set on this operation. Value list + backing data streams for the space + + are now created as part of supported workflows; calling this explicitly + is rarely required. + + **WARNING:** Do not use for new integrations. Prefer the UI or the list + and list-item APIs after confirming + + indices exist with `GET /api/lists/index`. + + + Creates the `.lists` and `.items` data streams in the current Kibana + space. operationId: CreateListIndex responses: '200': content: application/json: + examples: + acknowledged: + value: + acknowledged: true schema: type: object properties: 
@@ -1009,6 +1089,14 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + message: >- + Indices exist but the request could not be completed for + the current space. Check that Elasticsearch and Kibana + privileges allow index creation for lists. + status_code: 400 schema: oneOf: - $ref: '#/components/schemas/PlatformErrorResponse' @@ -1034,6 +1122,14 @@ paths: '403': content: application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [POST /api/lists/index] is unauthorized for user, this + action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: $ref: '#/components/schemas/PlatformErrorResponse' description: Not enough privileges response @@ -1339,6 +1435,11 @@ paths: requestBody: content: application/json: + examples: + changeValue: + value: + id: pd1WRJQBs4HAK3VQeHFI + value: 255.255.255.255 schema: example: id: pd1WRJQBs4HAK3VQeHFI @@ -1659,10 +1760,15 @@ paths: requestBody: content: application/json: - example: - id: ip_item - value: 255.255.255.255 + examples: + fullReplace: + value: + id: ip_item + value: 255.255.255.255 schema: + example: + id: ip_item + value: 255.255.255.255 type: object properties: _version: @@ -1785,6 +1891,12 @@ paths: '200': content: application/ndjson: + examples: + ipLines: + value: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 schema: description: A `.txt` file containing list items from the specified list example: | @@ -1848,6 +1960,11 @@ paths: '404': content: application/json: + examples: + notFound: + value: + message: 'list id: "unknown_list" not found' + status_code: 404 schema: $ref: '#/components/schemas/SiemErrorResponse' description: List not found response @@ -1870,7 +1987,8 @@ paths: description: Get all value list items in the specified list. operationId: FindListItems parameters: - - in: query + - description: Parent value list's `id` to page through items for. + in: query name: list_id required: true schema: 
@@ -1908,7 +2026,10 @@ paths: - asc example: asc type: string - - in: query + - description: > + Opaque cursor returned in a previous response; pass it to continue + listing from the next page. Omit on the first request. + in: query name: cursor required: false schema: @@ -2080,6 +2201,10 @@ paths: requestBody: content: multipart/form-data: + examples: + ipLinesFile: + value: + file: list_values.txt schema: type: object properties: @@ -2171,6 +2296,13 @@ paths: '409': content: application/json: + examples: + notFound: + value: + message: >- + List with the specified list_id does not exist, create the + list or fix list_id to import to an existing one + status_code: 409 schema: $ref: '#/components/schemas/SiemErrorResponse' description: List with specified list_id does not exist response @@ -2190,6 +2322,15 @@ paths: - Security Lists API /api/lists/privileges: get: + description: > + Returns the caller's authentication state and the Elasticsearch + `cluster`, `index`, and `application` + + privileges for `.lists` and `.items` data streams in the current Kibana + space. Use this to decide which list + + APIs (`read` vs `all` operations) are available before you create or + import lists. operationId: ReadListPrivileges responses: '200': @@ -2280,6 +2421,14 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + Unable to resolve list privileges: invalid or missing + space context for this request + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/PlatformErrorResponse' diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/alert_assignees/set_alert_assignees_route.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/alert_assignees/set_alert_assignees_route.schema.yaml index 78a2098155c48..f8b54ffb15455 100644 
--- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/alert_assignees/set_alert_assignees_route.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/alert_assignees/set_alert_assignees_route.schema.yaml @@ -13,7 +13,10 @@ paths: Assign users to detection alerts, and unassign them from alerts. > info > You cannot add and remove the same assignee in the same request. + tags: + - Alerts API requestBody: + description: User profile IDs to add or remove on each listed alert document ID. required: true content: application/json: 
@@ -28,24 +31,75 @@ paths: 200: description: Indicates a successful call. content: - application/ndjson: + application/json: + schema: + type: object + additionalProperties: true + description: Elasticsearch update by query or update by IDs response examples: add: value: - took: 76, - timed_out: false, - total: 1, - updated: 1, - deleted: 0, - batches: 1, - version_conflicts: 0, - noops: 0, + took: 76 + timed_out: false + total: 1 + updated: 1 + deleted: 0 + batches: 1 + version_conflicts: 0 + noops: 0 retries: - - bulk: 0, - - search: 0 - throttled_millis: 0, - requests_per_second: -1, - throttled_until_millis: 0, + bulk: 0 + search: 0 + throttled_millis: 0 + requests_per_second: -1 + throttled_until_millis: 0 failures: [] 400: - description: Invalid request. + description: Invalid input data response + content: + application/json: + schema: + oneOf: + - $ref: '../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' + - $ref: '../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + badRequest: + value: + statusCode: 400 + error: Bad Request + message: '[request body].ids: at least one alert id is required to update assignees' + 401: + description: Unsuccessful authentication response + content: + application/json: + schema: + $ref: '../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' + examples: + unauthorized: + value: + statusCode: 401 + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + 403: + description: Not enough privileges response + content: + application/json: + schema: + $ref: '../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' + examples: + forbidden: + value: + statusCode: 403 + error: Forbidden + message: 'API [POST 
/api/detection_engine/signals/assignees] is unauthorized for the current user, this action is granted by the Kibana Security Solution privileges for cases and detections' + 500: + description: Internal server error response + content: + application/json: + schema: + $ref: '../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/alert_tags/set_alert_tags/set_alert_tags.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/alert_tags/set_alert_tags/set_alert_tags.schema.yaml index df7324451ee21..329134f15ab9d 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/alert_tags/set_alert_tags/set_alert_tags.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/alert_tags/set_alert_tags/set_alert_tags.schema.yaml @@ -10,7 +10,7 @@ paths: x-codegen-enabled: true summary: Add and remove detection alert tags description: | - And tags to detection alerts, and remove them from alerts. + Add tags to detection alerts, and remove them from alerts, by alert IDs or a query, in a single request. > info > You cannot add and remove the same alert tag in the same request. tags: 
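Review bot: The 200 response's media type changes from `application/ndjson` to `application/json` with an untyped `additionalProperties: true` schema, which is a contract change for generated clients rather than a documentation addition; confirm the route really emits a single JSON object (the example body is one object, which matches JSON, not ndjson) before publishing it. Consider narrowing the schema to the fields the example shows (`took`, `timed_out`, `total`, `updated`, `failures`) so clients get something typed. The 403 example's trailing clause `this action is granted by the Kibana Security Solution privileges for cases and detections` reads as hand-authored guidance rather than a captured server message; if the server does not emit it, move that sentence into the 403 `description`.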
@@ -62,15 +62,32 @@ paths: oneOf: - $ref: '../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' - $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + badRequest: + value: + statusCode: 400 + error: Bad Request + message: '[request body].tags: cannot add and remove the same tag in a single request' 401: description: Unsuccessful authentication response content: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' + examples: + unauthorized: + value: + statusCode: 401 + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" 500: description: Internal server error response content: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/index_management/create_index/create_index.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/index_management/create_index/create_index.schema.yaml index c66e44baf8256..f8e9fcba3dcd7 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/index_management/create_index/create_index.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/index_management/create_index/create_index.schema.yaml 
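Review bot: The 401 example is byte-identical here and in the create_index, delete_index, read_index, read_privileges, rule_preview, query_signals, set_signals_status and the three signals_migration hunks below; define it once (for example a `components/examples/UnauthorizedResponse` entry in `error_responses.schema.yaml`) and `$ref` it, so the eleven copies cannot drift. The 400 example messages (`[request body].tags: cannot add and remove the same tag in a single request` here, and the analogous `[request body].*` messages in the later hunks) look hand-written rather than captured from the route's validator; examples are read as real output, so capture them from an actual response or keep the wording generic. The shared 401 message also hardcodes the built-in `elastic` superuser; a neutral account name in docs avoids suggesting that the superuser is the expected API identity.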
@@ -26,27 +26,52 @@ paths: acknowledged: type: boolean required: [acknowledged] + examples: + acknowledged: + value: + acknowledged: true 401: description: Unsuccessful authentication response content: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' + examples: + unauthorized: + value: + statusCode: 401 + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" 403: description: Not enough permissions response content: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + forbidden: + value: + message: "API [POST /api/detection_engine/index] is unauthorized for the current user. The user must be able to create indices for the Elastic Security solution." + status_code: 403 404: description: Not found content: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + notFound: + value: + message: A prerequisite resource required to create the alerts index was not found. + status_code: 404 500: description: Internal server error response content: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/index_management/delete_index/delete_index.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/index_management/delete_index/delete_index.schema.yaml index 7cdb02632535e..b832e5f5ae188 100644 
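Review bot: The 403 and 404 example messages embed guidance instead of a captured response: `The user must be able to create indices for the Elastic Security solution.` and `A prerequisite resource required to create the alerts index was not found.` are not text the visible schema suggests the route returns. The same pattern appears in the delete_index hunk (`The user needs alerts management permissions for the space.`) and the read_index hunk (`Check Security and Kibana feature privileges ...`). Keep example `message` values to what the server emits and put the privilege guidance in the response `description` or the operation description.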
--- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/index_management/delete_index/delete_index.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/index_management/delete_index/delete_index.schema.yaml @@ -9,6 +9,10 @@ paths: operationId: DeleteAlertsIndex x-codegen-enabled: true summary: Delete an alerts index + description: | + Permanently deletes the Elastic Security alerts backing index in the current space, including the alerts + stored in it. Use with caution; prefer lifecycle policies or the UI when available. + Call `GET /api/detection_engine/index` first to confirm the index that will be removed. tags: - Alert index API responses: 
@@ -22,27 +26,52 @@ paths: acknowledged: type: boolean required: [acknowledged] + examples: + acknowledged: + value: + acknowledged: true 401: description: Unsuccessful authentication response content: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' + examples: + unauthorized: + value: + statusCode: 401 + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" 403: description: Not enough permissions response content: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + forbidden: + value: + message: "API [DELETE /api/detection_engine/index] is unauthorized for the current user. The user needs alerts management permissions for the space." + status_code: 403 404: description: Index does not exist response content: application/json: schema: - type: string + $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + notFound: + value: + message: "The Elastic Security alerts index to delete was not found." + status_code: 404 500: description: Internal server error response content: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/index_management/read_index/read_index.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/index_management/read_index/read_index.schema.yaml index f9a854689c490..b8374b2e37e3f 100644 
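Review bot: The 404 response schema changes from `type: string` to a `$ref` to `SiemErrorResponse`, which alters the published contract for generated clients and response validation, not only the examples; confirm the handler returns `{ message, status_code }` for the index-not-found case before this lands. If it still returns a plain string, keep `type: string` and drop the `notFound` example's object value. The operation description added in the previous hunk says the deletion is permanent, so the 403 example's privilege text would be better placed in that description than inside an error message.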
--- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/index_management/read_index/read_index.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/index_management/read_index/read_index.schema.yaml @@ -9,6 +9,10 @@ paths: operationId: ReadAlertsIndex x-codegen-enabled: true summary: Reads the alert index name if it exists + description: | + Returns the backing Elasticsearch index for Elastic Security detection alerts in the current space, and + whether its mapping is outdated. Use this to verify that an alert index is provisioned before creating + or running rules that write alerts to it. tags: - Alert index API responses: 
@@ -36,21 +40,42 @@ paths: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' + examples: + unauthorized: + value: + statusCode: 401 + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" 403: description: Not enough permissions response content: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + forbidden: + value: + message: "API [GET /api/detection_engine/index] is unauthorized for the current user. Check Security and Kibana feature privileges (detection engine / alerts) for the space." + status_code: 403 404: description: Not found content: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + notFound: + value: + message: "Elastic Security alert index is not found for the current space." + status_code: 404 500: description: Internal server error response content: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/index_management/read_privileges/read_privileges.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/index_management/read_privileges/read_privileges.schema.yaml index 02239060325dc..4a4b3c7f9a546 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/index_management/read_privileges/read_privileges.schema.yaml 
+++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/index_management/read_privileges/read_privileges.schema.yaml @@ -71,9 +71,20 @@ paths: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' + examples: + unauthorized: + value: + statusCode: 401 + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" 500: description: Internal server error response content: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/crud/delete_rule/delete_rule_route.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/crud/delete_rule/delete_rule_route.schema.yaml index 0aecb59d1772d..82d5186ddf1c3 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/crud/delete_rule/delete_rule_route.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/crud/delete_rule/delete_rule_route.schema.yaml 
@@ -46,3 +46,32 @@ paths: application/json: schema: $ref: '../../../model/rule_schema/rule_schemas.schema.yaml#/components/schemas/RuleResponse' + examples: + deletedRule: + summary: Response shape after a rule is deleted + value: + id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 + updated_at: '2020-02-03T11:19:04.462Z' + updated_by: elastic + name: 'MS Office child process' + rule_id: process_started_by_ms_office_user_folder + description: 'Process started by MS Office program in user folder' + enabled: false + immutable: false + version: 3 + tags: [tag] + type: query + language: kuery + query: 'event.action:Process*' + risk_score: 50 + severity: low + from: 'now-4200s' + to: 'now' + max_signals: 100 + references: [] + false_positives: [] + interval: 1h + actions: [] + throttle: null + created_at: '2020-02-03T11:19:04.259Z' + created_by: elastic diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/export_rules/export_rules_route.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/export_rules/export_rules_route.schema.yaml index b8b8c869f520c..2305513f30d4e 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/export_rules/export_rules_route.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/export_rules/export_rules_route.schema.yaml 
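Review bot: `throttle: null` in the `deletedRule` example will fail example validation if `RuleResponse.throttle` is not declared nullable (the schema lives in `rule_schemas.schema.yaml`, outside this hunk); either confirm the schema allows `null` or omit the key from the example. The example also mixes quoting styles (`from: 'now-4200s'` and `to: 'now'` quoted here, `to: now` unquoted in the rule_preview example below); pick one within the example. `tags: [tag]` is valid, but a realistic tag would make the sample more useful to readers.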
@@ -73,6 +73,13 @@ paths: rule_id: $ref: '../../model/rule_schema/common_attributes.schema.yaml#/components/schemas/RuleSignatureId' description: Array of objects with a rule's `rule_id` field. Do not use rule's `id` here. Exports all rules when unspecified. + examples: + exportByRuleIds: + summary: Request body to export a subset of rules + value: + objects: + - rule_id: 343580b5-c811-447c-8d2d-2ccf052c6900 + - rule_id: 2938c9fa-53eb-4c04-b79c-33cbf041b18d responses: 200: description: Indicates a successful call. @@ -85,3 +92,9 @@ paths: An `.ndjson` file containing the returned rules. Each line in the file represents an object (a rule, exception list parent container, or exception list item), and the last line includes a summary of what was exported. + examples: + sampleNdjson: + value: | + {"rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900","name":"Example rule","type":"query","enabled":true} + {"exception_list":true} + {"export_summary":{"total_rules":1,"exceptions_count":0}} diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/find_rules/find_rules_route.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/find_rules/find_rules_route.schema.yaml index 171d2cd64e08e..e4c979a699121 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/find_rules/find_rules_route.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/find_rules/find_rules_route.schema.yaml @@ -16,6 +16,10 @@ paths: - name: 'fields' in: query required: false + description: | + List of `alert.attributes` field names to return for each rule (for example `name`, `enabled`). + If omitted, the default field set is returned. Repeat the parameter to pass multiple field names, or + use comma-separated values when supported by your client. schema: type: array items: 
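Review bot: The `sampleNdjson` lines `{"exception_list":true}` and `{"export_summary":{"total_rules":1,"exceptions_count":0}}` do not look like the shapes the surrounding description promises (an exception list parent container, an exception list item, and a summary line), so a reader copying them gets a wrong picture of the export format. Capture two or three lines from a real export and trim long fields, or, if the exact keys cannot be confirmed here, state in the example `summary` that the lines are abbreviated. The first-hunk `exportByRuleIds` example is fine as written.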
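Review bot: The added `fields` description asserts that comma-separated values work `when supported by your client`, which is a claim about server-side query parsing that nothing here supports; if Kibana only accepts repeated `fields=` parameters this misleads integrators. `List of `alert.attributes` field names` also exposes an internal saved-object path; confirm that is what the route expects, otherwise say rule field names. Suggested wording: `Rule fields to include in each returned object (for example `name`, `enabled`). Repeat the parameter to request several fields.`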
diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/import_rules/import_rules_route.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/import_rules/import_rules_route.schema.yaml index cb93acf2359ff..e7b0391234f20 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/import_rules/import_rules_route.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/import_rules/import_rules_route.schema.yaml @@ -46,6 +46,11 @@ paths: type: string format: binary description: The `.ndjson` file containing the rules. + examples: + rulesFile: + summary: Multipart part containing a rule export + value: + file: rules_import.ndjson parameters: - name: overwrite in: query diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_preview/rule_preview.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_preview/rule_preview.schema.yaml index c680fc6b89459..56ea6d2074c24 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_preview/rule_preview.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_preview/rule_preview.schema.yaml @@ -9,6 +9,10 @@ paths: operationId: RulePreview x-codegen-enabled: true summary: Preview rule alerts generated on specified time range + description: | + Simulates a detection rule using the same rule type and query logic as a persisted rule, over a short + time window, without persisting a rule or writing alerts. Use the response to validate queries, see sample + matching documents, and inspect execution logs. Pair `invocationCount` and `timeframeEnd` to cap run time. tags: - Rule preview API parameters: 
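Review bot: The `rulesFile` example sets `file: rules_import.ndjson`, but `file` is declared `format: binary`, so the example value stands for the part's content, not a filename; example validators will reject a plain string where binary is expected and readers may think the API takes a path. Drop the example, or use `externalValue` pointing at a sample `.ndjson`, and mention the file name only in `summary`. The `ipLinesFile` example in the bundled output earlier in this patch has the same problem and should be fixed in its source schema.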
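Review bot: `without persisting a rule or writing alerts` in the new rule_preview description is at odds with the 200 response in the next hunk, which returns a `previewId` that callers use to look up the preview's results; if preview alerts are written to a dedicated preview index, say so, since operators sizing storage and reviewing retention need to know what the call leaves behind. Suggested, once confirmed against the route: `Simulates a rule without saving it. Any preview alerts are written to a separate preview index identified by the returned previewId, never to the production alerts index.`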
@@ -19,7 +23,10 @@ paths: schema: type: boolean requestBody: - description: An object containing tags to add or remove and alert ids the changes will be applied + description: | + Rule create payload (same shape as `POST /api/detection_engine/rules` for a given `type`) plus + `invocationCount` and `timeframeEnd` to control how the preview is executed. Optional + `enable_logged_requests` surfaces Elasticsearch request logging for debugging. required: true content: application/json: @@ -51,6 +58,22 @@ paths: - allOf: - $ref: '../model/rule_schema/rule_schemas.schema.yaml#/components/schemas/EsqlRuleCreateProps' - $ref: '#/components/schemas/RulePreviewParams' + examples: + queryRule: + value: + type: query + name: Rule preview + description: Find matching events + index: ['logs-*'] + query: "process.name : *" + language: kuery + risk_score: 25 + severity: low + from: 'now-24h' + to: now + max_signals: 20 + invocationCount: 1 + timeframeEnd: '2025-01-20T12:00:00.000Z' responses: 200: description: Successful response @@ -68,6 +91,17 @@ paths: isAborted: type: boolean required: [logs] + examples: + success: + value: + isAborted: false + previewId: 7f1c9d1e-4c8a-4a3e-9a5d-0d4f6e1b2a90 + logs: + - errors: [] + warnings: [] + duration: 45 + startedAt: 2025-01-20T10:00:00.000Z + requests: [] 400: description: Invalid input data response content: 
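Review bot: `startedAt: 2025-01-20T10:00:00.000Z` in the `success` example is an unquoted ISO timestamp, so YAML 1.1 loaders type it as a date/time object rather than a string and the bundled example can come out reformatted or fail string validation. Quote it as `startedAt: '2025-01-20T10:00:00.000Z'`, matching the quoted `timeframeEnd` in the request example in the same file.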
@@ -76,18 +110,35 @@ paths: oneOf: - $ref: '../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' - $ref: '../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + badRequest: + value: + statusCode: 400 + error: Bad Request + message: '[request body].timeframeEnd: expected string, received null' 401: description: Unsuccessful authentication response content: application/json: schema: $ref: '../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' + examples: + unauthorized: + value: + statusCode: 401 + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" 500: description: Internal server error response content: application/json: schema: $ref: '../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 components: schemas: diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/signals/query_signals/query_signals_route.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/signals/query_signals/query_signals_route.schema.yaml index 7b403ba89153b..86002668be076 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/signals/query_signals/query_signals_route.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/signals/query_signals/query_signals_route.schema.yaml 
@@ -91,18 +91,35 @@ paths: oneOf: - $ref: '../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' - $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + badRequest: + value: + statusCode: 400 + error: Bad Request + message: 'Failed to parse search request: unknown query clause in bool filter' 401: description: Unsuccessful authentication response content: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' + examples: + unauthorized: + value: + statusCode: 401 + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" 500: description: Internal server error response content: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 components: schemas: diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/signals/set_signal_status/set_signals_status_route.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/signals/set_signal_status/set_signals_status_route.schema.yaml index 9157175d2dafe..0e1086fb166db 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/signals/set_signal_status/set_signals_status_route.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/signals/set_signal_status/set_signals_status_route.schema.yaml 
@@ -109,18 +109,35 @@ paths: oneOf: - $ref: '../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' - $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + badRequest: + value: + statusCode: 400 + error: Bad Request + message: '[request body].signal_ids: at least one alert id is required to update status' 401: description: Unsuccessful authentication response content: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' + examples: + unauthorized: + value: + statusCode: 401 + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" 500: description: Internal server error response content: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 components: schemas: diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/signals_migration/create_signals_migration/create_signals_migration.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/signals_migration/create_signals_migration/create_signals_migration.schema.yaml index 0196e031f8724..e467da961cc75 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/signals_migration/create_signals_migration/create_signals_migration.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/signals_migration/create_signals_migration/create_signals_migration.schema.yaml 
@@ -11,8 +11,12 @@ paths: summary: Initiate a detection alert migration deprecated: true description: | - Initiate a migration of detection alerts. - Migrations are initiated per index. While the process is neither destructive nor interferes with existing data, it may be resource-intensive. As such, it is recommended that you plan your migrations accordingly. + **DEPRECATED.** Legacy API for on-demand reindexing of old `.siem-signals-*` alert indices. Do not build new + integrations; upgrade the Elastic Stack and rely on product-managed data lifecycle instead. + **WARNING:** Migrations can be resource intensive and should be planned during a maintenance window. + + Initiate a migration of detection alerts. Migrations are initiated per index. The process is not destructive + and should not remove existing data, but it can consume significant cluster resources. Plan capacity accordingly. tags: - Alerts migration API requestBody: 
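Review bot: The replacement guidance `upgrade the Elastic Stack and rely on product-managed data lifecycle instead` is too vague to act on: a caller landing on a deprecated endpoint needs the concrete successor (the version after which migration is unnecessary, or the API that replaces it), and nothing on the page supports the specific claim. Keep the `**DEPRECATED.**` marker but replace that sentence with a link to the migration guide or a confirmed statement of what supersedes this endpoint. The delete_signals_migration and finalize_signals_migration descriptions below have the same gap.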
@@ -69,18 +73,35 @@ paths: oneOf: - $ref: '../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' - $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + badRequest: + value: + statusCode: 400 + error: Bad Request + message: '[request body].index: at least one index name is required to start a migration' 401: description: Unsuccessful authentication response content: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' + examples: + unauthorized: + value: + statusCode: 401 + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" 500: description: Internal server error response content: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 components: schemas: diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/signals_migration/delete_signals_migration/delete_signals_migration.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/signals_migration/delete_signals_migration/delete_signals_migration.schema.yaml index 458f594091ddd..8b79c349368d4 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/signals_migration/delete_signals_migration/delete_signals_migration.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/signals_migration/delete_signals_migration/delete_signals_migration.schema.yaml 
@@ -11,13 +11,13 @@ paths: summary: Clean up detection alert migrations deprecated: true description: | - Migrations favor data integrity over shard size. Consequently, unused or orphaned indices are artifacts of - the migration process. A successful migration will result in both the old and new indices being present. - As such, the old, orphaned index can (and likely should) be deleted. + **DEPRECATED.** Cleanup API for old migration artifacts. Do not add new call sites. + **WARNING:** This schedules deletions; ensure no production reads still point at the source index. - While you can delete these indices manually, - the endpoint accomplishes this task by applying a deletion policy to the relevant index, causing it to be deleted - after 30 days. It also deletes other artifacts specific to the migration implementation. + Migrations favor data integrity over shard size. Consequently, unused or orphaned indices are artifacts of + the migration process. A successful migration can leave both the old and new indices present, so the old + index may be deleted. While you can delete these indices manually, the endpoint applies a deletion policy + to the relevant index, causing it to be deleted after 30 days, and removes other migration-specific artifacts. tags: - Alerts migration API requestBody: @@ -37,6 +37,10 @@ paths: required: [migration_ids] example: migration_ids: [924f7c50-505f-11eb-ae0a-3fa2e626a51d] + examples: + cleanupMigrations: + value: + migration_ids: [924f7c50-505f-11eb-ae0a-3fa2e626a51d] responses: 200: description: Successful response 
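Review bot: The request body media type now carries both the existing `example:` and the added `examples:` block, but the OpenAPI 3 Media Type Object treats `example` and `examples` as mutually exclusive, so validators and the bundler may reject the file or silently drop one of them. Remove the legacy `example:` entry when adding `examples:`; the finalize_signals_migration hunk below has the same pair (`example:` plus `examples: oneMigration`).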
@@ -64,18 +68,35 @@ paths: oneOf: - $ref: '../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' - $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + badRequest: + value: + statusCode: 400 + error: Bad Request + message: '[request body].migration_ids: at least one migration id is required to run cleanup' 401: description: Unsuccessful authentication response content: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' + examples: + unauthorized: + value: + statusCode: 401 + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" 500: description: Internal server error response content: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 components: schemas: diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/signals_migration/finalize_signals_migration/finalize_signals_migration.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/signals_migration/finalize_signals_migration/finalize_signals_migration.schema.yaml index 03ec7e4813227..b45f0f847304b 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/signals_migration/finalize_signals_migration/finalize_signals_migration.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/signals_migration/finalize_signals_migration/finalize_signals_migration.schema.yaml 
@@ -11,9 +11,12 @@ paths: summary: Finalize detection alert migrations deprecated: true description: | - Finalize successful migrations of detection alerts. This replaces the original index's alias with the successfully migrated index's alias. - The endpoint is idempotent; therefore, it can safely be used to poll a given migration and, upon completion, - finalize it. + **DEPRECATED.** Completes a legacy alert index migration. Do not automate against this in new code. + **WARNING:** Finalizing swaps read aliases; confirm the migration has finished successfully before calling. + + Finalize successful migrations of detection alerts. This replaces the original index's alias with the + successfully migrated index's alias. The endpoint is idempotent, so you can poll until a migration + finishes and then call this operation once. tags: - Alerts migration API requestBody: @@ -33,6 +36,10 @@ paths: required: [migration_ids] example: migration_ids: ['924f7c50-505f-11eb-ae0a-3fa2e626a51d'] + examples: + oneMigration: + value: + migration_ids: ['924f7c50-505f-11eb-ae0a-3fa2e626a51d'] responses: 200: description: Successful response 
@@ -61,18 +68,35 @@ paths: oneOf: - $ref: '../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' - $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + badRequest: + value: + statusCode: 400 + error: Bad Request + message: '[request body].migration_ids: at least one migration id is required to finalize' 401: description: Unsuccessful authentication response content: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' + examples: + unauthorized: + value: + statusCode: 401 + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" 500: description: Internal server error response content: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 components: schemas: diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/signals_migration/read_signals_migration_status/read_signals_migration_status.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/signals_migration/read_signals_migration_status/read_signals_migration_status.schema.yaml index 27688f9867f4b..8ad56a55f5969 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/signals_migration/read_signals_migration_status/read_signals_migration_status.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/signals_migration/read_signals_migration_status/read_signals_migration_status.schema.yaml 
@@ -10,7 +10,13 @@ paths: x-codegen-enabled: true summary: Retrieve the status of detection alert migrations deprecated: true - description: Retrieve indices that contain detection alerts of a particular age, along with migration information for each of those indices. + description: | + **DEPRECATED.** This endpoint was used for historical `.siem-signals-*` index migration workflows. Do not use + for new automations; there is no supported replacement in this public API. + **WARNING:** Prefer upgrading through supported Elastic stack upgrades rather than ad-hoc index migrations. + + Retrieves indices that contain detection alerts of a particular age, along with migration information for + each of those indices. tags: - Alerts migration API parameters: @@ -70,18 +76,35 @@ paths: oneOf: - $ref: '../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' - $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + badRequest: + value: + statusCode: 400 + error: Bad Request + message: '[request query].from: expected date-math, received null' 401: description: Unsuccessful authentication response content: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse' + examples: + unauthorized: + value: + statusCode: 401 + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" 500: description: Internal server error response content: application/json: schema: $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 components: schemas: 
diff --git a/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml b/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml index a53f0d9f25a0b..da18a8150dcd8 100644 --- a/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml @@ -18,11 +18,24 @@ servers: paths: /api/detection_engine/index: delete: + description: > + Permanently deletes the Elastic Security alerts backing index in the + current space, including the alerts + + stored in it. Use with caution; prefer lifecycle policies or the UI when + available. + + Call `GET /api/detection_engine/index` first to confirm the index that + will be removed. operationId: DeleteAlertsIndex responses: '200': content: application/json: + examples: + acknowledged: + value: + acknowledged: true schema: type: object properties: 
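Review bot: The new `description: >` on `DELETE /api/detection_engine/index` is edited directly in a bundled file (`docs/openapi/ess/...bundled.schema.yaml`), which is generated output; unless the same text lives in the source `delete_index.schema.yaml` (the diffstat lists it, so this may already be the case), the next bundler run will discard it. Worth confirming the source and the bundle agree, including the `404` schema change from `type: string` to `$ref: '#/components/schemas/SiemErrorResponse'` in the next hunk. A pointer to the privilege that gates the delete would also help readers of a destructive endpoint, but only if the source schema states it.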
@@ -34,24 +47,48 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: + examples: + forbidden: + value: + message: >- + API [DELETE /api/detection_engine/index] is unauthorized + for the current user. The user needs alerts management + permissions for the space. + status_code: 403 schema: $ref: '#/components/schemas/SiemErrorResponse' description: Not enough permissions response '404': content: application/json: + examples: + notFound: + value: + message: The Elastic Security alerts index to delete was not found. + status_code: 404 schema: - type: string + $ref: '#/components/schemas/SiemErrorResponse' description: Index does not exist response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response @@ -60,6 +97,14 @@ paths: - Security Detections API - Alert index API get: + description: > + Returns the backing Elasticsearch index for Elastic Security detection + alerts in the current space, and + + whether its mapping is outdated. Use this to verify that an alert index + is provisioned before creating + + or running rules that write alerts to it. operationId: ReadAlertsIndex responses: '200': 
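Review bot: The new `forbidden` example for the delete route is shaped as `SiemErrorResponse` (`message` / `status_code: 403`), yet its text, `API [DELETE /api/detection_engine/index] is unauthorized for the current user...`, reads like a route-authorization denial, which elsewhere in this patch (the `/signals/assignees` hunk) is modeled as `PlatformErrorResponse` with `error: Forbidden` and `statusCode: 403`. One of the two shapes is presumably wrong for this route; capture the example from a real 403 and align the declared schema with it. The `GET` and `POST` 403 examples in the following two hunks raise the same question.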
@@ -85,24 +130,50 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: + examples: + forbidden: + value: + message: >- + API [GET /api/detection_engine/index] is unauthorized for + the current user. Check Security and Kibana feature + privileges (detection engine / alerts) for the space. + status_code: 403 schema: $ref: '#/components/schemas/SiemErrorResponse' description: Not enough permissions response '404': content: application/json: + examples: + notFound: + value: + message: >- + Elastic Security alert index is not found for the current + space. + status_code: 404 schema: $ref: '#/components/schemas/SiemErrorResponse' description: Not found '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response @@ -120,6 +191,10 @@ paths: '200': content: application/json: + examples: + acknowledged: + value: + acknowledged: true schema: type: object properties: 
@@ -131,24 +206,50 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: + examples: + forbidden: + value: + message: >- + API [POST /api/detection_engine/index] is unauthorized for + the current user. The user must be able to create indices + for the Elastic Security solution. + status_code: 403 schema: $ref: '#/components/schemas/SiemErrorResponse' description: Not enough permissions response '404': content: application/json: + examples: + notFound: + value: + message: >- + A prerequisite resource required to create the alerts + index was not found. + status_code: 404 schema: $ref: '#/components/schemas/SiemErrorResponse' description: Not found '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response 
@@ -222,12 +323,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response @@ -271,6 +383,36 @@ paths: '200': content: application/json: + examples: + deletedRule: + summary: Response shape after a rule is deleted + value: + actions: [] + created_at: '2020-02-03T11:19:04.259Z' + created_by: elastic + description: Process started by MS Office program in user folder + enabled: false + false_positives: [] + from: now-4200s + id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: MS Office child process + query: event.action:Process* + references: [] + risk_score: 50 + rule_id: process_started_by_ms_office_user_folder + severity: low + tags: + - tag + throttle: null + to: now + type: query + updated_at: '2020-02-03T11:19:04.462Z' + updated_by: elastic + version: 3 schema: $ref: '#/components/schemas/RuleResponse' description: Indicates a successful call. @@ -2899,6 +3041,13 @@ paths: requestBody: content: application/json: + examples: + exportByRuleIds: + summary: Request body to export a subset of rules + value: + objects: + - rule_id: 343580b5-c811-447c-8d2d-2ccf052c6900 + - rule_id: 2938c9fa-53eb-4c04-b79c-33cbf041b18d schema: nullable: true type: object 
@@ -2922,6 +3071,15 @@ paths: '200': content: application/ndjson: + examples: + sampleNdjson: + value: > + {"rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900","name":"Example + rule","type":"query","enabled":true} + + {"exception_list":true} + + {"export_summary":{"total_rules":1,"exceptions_count":0}} schema: description: > An `.ndjson` file containing the returned rules. @@ -2961,7 +3119,15 @@ paths: is returned, with 20 results per page. operationId: FindRules parameters: - - in: query + - description: > + List of `alert.attributes` field names to return for each rule (for + example `name`, `enabled`). + + If omitted, the default field set is returned. Repeat the parameter + to pass multiple field names, or + + use comma-separated values when supported by your client. + in: query name: fields required: false schema: @@ -3270,6 +3436,11 @@ paths: requestBody: content: multipart/form-data: + examples: + rulesFile: + summary: Multipart part containing a rule export + value: + file: rules_import.ndjson schema: type: object properties: @@ -3504,6 +3675,15 @@ paths: - Prebuilt Rules API /api/detection_engine/rules/preview: post: + description: > + Simulates a detection rule using the same rule type and query logic as a + persisted rule, over a short + + time window, without persisting a rule or writing alerts. Use the + response to validate queries, see sample + + matching documents, and inspect execution logs. Pair `invocationCount` + and `timeframeEnd` to cap run time. operationId: RulePreview parameters: - description: >- @@ -3517,6 +3697,23 @@ paths: requestBody: content: application/json: + examples: + queryRule: + value: + description: Find matching events + from: now-24h + index: + - logs-* + invocationCount: 1 + language: kuery + max_signals: 20 + name: Rule preview + query: 'process.name : *' + risk_score: 25 + severity: low + timeframeEnd: '2025-01-20T12:00:00.000Z' + to: now + type: query schema: anyOf: - allOf: 
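Review bot: The new description for the `fields` query parameter on `FindRules` says to "use comma-separated values when supported by your client", but whether `fields=a,b` or a repeated `fields` parameter is accepted is decided by the server's query parsing, not the client, so the sentence leaves readers guessing. State the one form the parameter's `schema` (which continues past this hunk) actually supports, e.g. `Repeat the parameter once per field name.`, and drop the client caveat. The serverless bundle (`@@ -2821,7 +2878,15 @@` below) carries the same text.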
@@ -3545,14 +3742,31 @@ paths: - $ref: '#/components/schemas/RulePreviewParams' discriminator: propertyName: type - description: >- - An object containing tags to add or remove and alert ids the changes - will be applied + description: > + Rule create payload (same shape as `POST /api/detection_engine/rules` + for a given `type`) plus + + `invocationCount` and `timeframeEnd` to control how the preview is + executed. Optional + + `enable_logged_requests` surfaces Elasticsearch request logging for + debugging. required: true responses: '200': content: application/json: + examples: + success: + value: + isAborted: false + logs: + - duration: 45 + errors: [] + requests: [] + startedAt: 2025-01-20T10:00:00.000Z + warnings: [] + previewId: 7f1c9d1e-4c8a-4a3e-9a5d-0d4f6e1b2a90 schema: type: object properties: @@ -3570,6 +3784,14 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request body].timeframeEnd: expected string, received + null + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/PlatformErrorResponse' @@ -3578,12 +3800,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response 
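Review bot: In the new `success` example for `RulePreview`, `startedAt: 2025-01-20T10:00:00.000Z` is unquoted, so YAML 1.1-style loaders (and most OpenAPI tooling built on them) read it as a timestamp rather than a string, whereas the request example quotes `timeframeEnd: '2025-01-20T12:00:00.000Z'` and the `deletedRule` example quotes `created_at`. Quote it the same way: `startedAt: '2025-01-20T10:00:00.000Z'`. The serverless bundle hunk `@@ -3258,14 +3354,31 @@` has the identical line.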
@@ -3608,50 +3841,121 @@ paths: $ref: '#/components/examples/SetAlertAssigneesBodyRemove' schema: $ref: '#/components/schemas/SetAlertAssigneesBody' + description: User profile IDs to add or remove on each listed alert document ID. required: true responses: '200': content: - application/ndjson: + application/json: examples: add: value: - batches: 1, - deleted: 0, + batches: 1 + deleted: 0 failures: [] - noops: 0, - requests_per_second: '-1,' + noops: 0 + requests_per_second: -1 retries: - - bulk: 0, - - search: 0 - throttled_millis: 0, - throttled_until_millis: 0, - timed_out: false, - took: 76, - total: 1, - updated: 1, - version_conflicts: 0, + bulk: 0 + search: 0 + throttled_millis: 0 + throttled_until_millis: 0 + timed_out: false + took: 76 + total: 1 + updated: 1 + version_conflicts: 0 + schema: + additionalProperties: true + description: Elasticsearch update by query or update by IDs response + type: object description: Indicates a successful call. '400': - description: Invalid request. 
+ content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request body].ids: at least one alert id is required to + update assignees + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/PlatformErrorResponse' + - $ref: '#/components/schemas/SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [POST /api/detection_engine/signals/assignees] is + unauthorized for the current user, this action is granted + by the Kibana Security Solution privileges for cases and + detections + statusCode: 403 + schema: + $ref: '#/components/schemas/PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/SiemErrorResponse' + description: Internal server error response summary: Assign and unassign users from detection alerts tags: - Security Detections API + - Alerts API /api/detection_engine/signals/finalize_migration: post: deprecated: true description: > + **DEPRECATED.** Completes a legacy alert index migration. Do not + automate against this in new code. + + **WARNING:** Finalizing swaps read aliases; confirm the migration has + finished successfully before calling. + + Finalize successful migrations of detection alerts. 
This replaces the - original index's alias with the successfully migrated index's alias. + original index's alias with the - The endpoint is idempotent; therefore, it can safely be used to poll a - given migration and, upon completion, + successfully migrated index's alias. The endpoint is idempotent, so you + can poll until a migration - finalize it. + finishes and then call this operation once. operationId: FinalizeAlertsMigration requestBody: content: application/json: + examples: + oneMigration: + value: + migration_ids: + - 924f7c50-505f-11eb-ae0a-3fa2e626a51d schema: example: migration_ids: @@ -3691,6 +3995,14 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request body].migration_ids: at least one migration id is + required to finalize + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/PlatformErrorResponse' @@ -3699,12 +4011,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response 
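Review bot: The new 200 schema for `/api/detection_engine/signals/assignees` is `type: object` with `additionalProperties: true`, so none of the fields shown in the `add` example (`updated`, `total`, `failures`, `version_conflicts`, `took`, ...) are typed or documented, and generated clients will expose an untyped map. Consider declaring at least the fields the example shows under `properties`, or referencing a shared update-by-query response schema if one exists in the components. This hunk starts on the earlier lines, so the surrounding `requestBody` context is only partly visible here.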
@@ -3716,26 +4039,33 @@ paths: delete: deprecated: true description: > - Migrations favor data integrity over shard size. Consequently, unused or - orphaned indices are artifacts of + **DEPRECATED.** Cleanup API for old migration artifacts. Do not add new + call sites. - the migration process. A successful migration will result in both the - old and new indices being present. + **WARNING:** This schedules deletions; ensure no production reads still + point at the source index. - As such, the old, orphaned index can (and likely should) be deleted. + Migrations favor data integrity over shard size. Consequently, unused or + orphaned indices are artifacts of - While you can delete these indices manually, + the migration process. A successful migration can leave both the old and + new indices present, so the old - the endpoint accomplishes this task by applying a deletion policy to the - relevant index, causing it to be deleted + index may be deleted. While you can delete these indices manually, the + endpoint applies a deletion policy - after 30 days. It also deletes other artifacts specific to the migration - implementation. + to the relevant index, causing it to be deleted after 30 days, and + removes other migration-specific artifacts. operationId: AlertsMigrationCleanup requestBody: content: application/json: + examples: + cleanupMigrations: + value: + migration_ids: + - 924f7c50-505f-11eb-ae0a-3fa2e626a51d schema: example: migration_ids: @@ -3774,6 +4104,14 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request body].migration_ids: at least one migration id is + required to run cleanup + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/PlatformErrorResponse' 
@@ -3782,12 +4120,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response @@ -3798,12 +4147,21 @@ paths: post: deprecated: true description: > - Initiate a migration of detection alerts. + **DEPRECATED.** Legacy API for on-demand reindexing of old + `.siem-signals-*` alert indices. Do not build new + + integrations; upgrade the Elastic Stack and rely on product-managed data + lifecycle instead. + + **WARNING:** Migrations can be resource intensive and should be planned + during a maintenance window. - Migrations are initiated per index. While the process is neither - destructive nor interferes with existing data, it may be - resource-intensive. As such, it is recommended that you plan your - migrations accordingly. + + Initiate a migration of detection alerts. Migrations are initiated per + index. The process is not destructive + + and should not remove existing data, but it can consume significant + cluster resources. Plan capacity accordingly. operationId: CreateAlertsMigration requestBody: content: @@ -3857,6 +4215,14 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request body].index: at least one index name is required + to start a migration + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/PlatformErrorResponse' 
@@ -3865,12 +4231,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response @@ -3881,9 +4258,21 @@ paths: /api/detection_engine/signals/migration_status: get: deprecated: true - description: >- - Retrieve indices that contain detection alerts of a particular age, - along with migration information for each of those indices. + description: > + **DEPRECATED.** This endpoint was used for historical `.siem-signals-*` + index migration workflows. Do not use + + for new automations; there is no supported replacement in this public + API. + + **WARNING:** Prefer upgrading through supported Elastic stack upgrades + rather than ad-hoc index migrations. + + + Retrieves indices that contain detection alerts of a particular age, + along with migration information for + + each of those indices. operationId: ReadAlertsMigrationStatus parameters: - description: Maximum age of qualifying detection alerts @@ -3941,6 +4330,12 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query].from: expected date-math, received null' + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/PlatformErrorResponse' 
@@ -3949,12 +4344,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response @@ -4040,6 +4446,14 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + Failed to parse search request: unknown query clause in + bool filter + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/PlatformErrorResponse' @@ -4048,12 +4462,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response 
@@ -4161,6 +4586,14 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request body].signal_ids: at least one alert id is + required to update status + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/PlatformErrorResponse' @@ -4169,12 +4602,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response @@ -4184,9 +4628,12 @@ paths: - Alerts API /api/detection_engine/signals/tags: post: - description: | - And tags to detection alerts, and remove them from alerts. + description: > + Add tags to detection alerts, and remove them from alerts, by alert IDs + or a query, in a single request. + > info + > You cannot add and remove the same alert tag in the same request. operationId: SetAlertTags requestBody: @@ -4233,6 +4680,14 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request body].tags: cannot add and remove the same tag in + a single request + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/PlatformErrorResponse' 
@@ -4241,12 +4696,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response diff --git a/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml b/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml index 181feb555dff9..44d6eb40cfe2c 100644 --- a/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml 
@@ -82,12 +82,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response @@ -131,6 +142,36 @@ paths: '200': content: application/json: + examples: + deletedRule: + summary: Response shape after a rule is deleted + value: + actions: [] + created_at: '2020-02-03T11:19:04.259Z' + created_by: elastic + description: Process started by MS Office program in user folder + enabled: false + false_positives: [] + from: now-4200s + id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: MS Office child process + query: event.action:Process* + references: [] + risk_score: 50 + rule_id: process_started_by_ms_office_user_folder + severity: low + tags: + - tag + throttle: null + to: now + type: query + updated_at: '2020-02-03T11:19:04.462Z' + updated_by: elastic + version: 3 schema: $ref: '#/components/schemas/RuleResponse' description: Indicates a successful call. @@ -2759,6 +2800,13 @@ paths: requestBody: content: application/json: + examples: + exportByRuleIds: + summary: Request body to export a subset of rules + value: + objects: + - rule_id: 343580b5-c811-447c-8d2d-2ccf052c6900 + - rule_id: 2938c9fa-53eb-4c04-b79c-33cbf041b18d schema: nullable: true type: object 
@@ -2782,6 +2830,15 @@ paths: '200': content: application/ndjson: + examples: + sampleNdjson: + value: > + {"rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900","name":"Example + rule","type":"query","enabled":true} + + {"exception_list":true} + + {"export_summary":{"total_rules":1,"exceptions_count":0}} schema: description: > An `.ndjson` file containing the returned rules. @@ -2821,7 +2878,15 @@ paths: is returned, with 20 results per page. operationId: FindRules parameters: - - in: query + - description: > + List of `alert.attributes` field names to return for each rule (for + example `name`, `enabled`). + + If omitted, the default field set is returned. Repeat the parameter + to pass multiple field names, or + + use comma-separated values when supported by your client. + in: query name: fields required: false schema: @@ -3130,6 +3195,11 @@ paths: requestBody: content: multipart/form-data: + examples: + rulesFile: + summary: Multipart part containing a rule export + value: + file: rules_import.ndjson schema: type: object properties: @@ -3217,6 +3287,15 @@ paths: --form "file=@" /api/detection_engine/rules/preview: post: + description: > + Simulates a detection rule using the same rule type and query logic as a + persisted rule, over a short + + time window, without persisting a rule or writing alerts. Use the + response to validate queries, see sample + + matching documents, and inspect execution logs. Pair `invocationCount` + and `timeframeEnd` to cap run time. operationId: RulePreview parameters: - description: >- @@ -3230,6 +3309,23 @@ paths: requestBody: content: application/json: + examples: + queryRule: + value: + description: Find matching events + from: now-24h + index: + - logs-* + invocationCount: 1 + language: kuery + max_signals: 20 + name: Rule preview + query: 'process.name : *' + risk_score: 25 + severity: low + timeframeEnd: '2025-01-20T12:00:00.000Z' + to: now + type: query schema: anyOf: - allOf: 
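Review bot: The folded (`>`) descriptions added for the `fields` query parameter and for `RulePreview` contain blank lines in the middle of sentences (`…to pass multiple field names, or` / `use comma-separated values…`, `…over a short` / `time window…`), and in a folded scalar a blank line is a hard line break, so the rendered text breaks mid-sentence; the requestBody description in the following hunk (`…for a given \`type\`) plus` / `\`invocationCount\` and …`) has the same defect. Keep each paragraph contiguous and let `>` fold the long lines, or use `>-` for a single-paragraph value. The `fields` text also defers the delimiter rule to "when supported by your client"; the server either splits comma-separated values or it does not, so the description should state what the endpoint accepts — the parameter's `schema` is outside this hunk, so I cannot confirm which it is. If this bundle is generated from the source schema files, the fix belongs there.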
@@ -3258,14 +3354,31 @@ paths: - $ref: '#/components/schemas/RulePreviewParams' discriminator: propertyName: type - description: >- - An object containing tags to add or remove and alert ids the changes - will be applied + description: > + Rule create payload (same shape as `POST /api/detection_engine/rules` + for a given `type`) plus + + `invocationCount` and `timeframeEnd` to control how the preview is + executed. Optional + + `enable_logged_requests` surfaces Elasticsearch request logging for + debugging. required: true responses: '200': content: application/json: + examples: + success: + value: + isAborted: false + logs: + - duration: 45 + errors: [] + requests: [] + startedAt: 2025-01-20T10:00:00.000Z + warnings: [] + previewId: 7f1c9d1e-4c8a-4a3e-9a5d-0d4f6e1b2a90 schema: type: object properties: @@ -3283,6 +3396,14 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request body].timeframeEnd: expected string, received + null + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/PlatformErrorResponse' @@ -3291,12 +3412,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response 
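Review bot: The `success` example for the preview response leaves `startedAt: 2025-01-20T10:00:00.000Z` unquoted, so YAML parsers that implement the 1.1 timestamp type load it as a date object and re-serialise it in a different form, whereas the request example in the preceding hunk quotes `timeframeEnd: '2025-01-20T12:00:00.000Z'`. Quote it the same way: `startedAt: '2025-01-20T10:00:00.000Z'`. The other values in the example (`previewId`, the empty `errors`/`requests`/`warnings` lists) are unaffected.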
@@ -3321,35 +3453,94 @@ paths: $ref: '#/components/examples/SetAlertAssigneesBodyRemove' schema: $ref: '#/components/schemas/SetAlertAssigneesBody' + description: User profile IDs to add or remove on each listed alert document ID. required: true responses: '200': content: - application/ndjson: + application/json: examples: add: value: - batches: 1, - deleted: 0, + batches: 1 + deleted: 0 failures: [] - noops: 0, - requests_per_second: '-1,' + noops: 0 + requests_per_second: -1 retries: - - bulk: 0, - - search: 0 - throttled_millis: 0, - throttled_until_millis: 0, - timed_out: false, - took: 76, - total: 1, - updated: 1, - version_conflicts: 0, + bulk: 0 + search: 0 + throttled_millis: 0 + throttled_until_millis: 0 + timed_out: false + took: 76 + total: 1 + updated: 1 + version_conflicts: 0 + schema: + additionalProperties: true + description: Elasticsearch update by query or update by IDs response + type: object description: Indicates a successful call. '400': - description: Invalid request. 
+ content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request body].ids: at least one alert id is required to + update assignees + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/PlatformErrorResponse' + - $ref: '#/components/schemas/SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: >- + API [POST /api/detection_engine/signals/assignees] is + unauthorized for the current user, this action is granted + by the Kibana Security Solution privileges for cases and + detections + statusCode: 403 + schema: + $ref: '#/components/schemas/PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/SiemErrorResponse' + description: Internal server error response summary: Assign and unassign users from detection alerts tags: - Security Detections API + - Alerts API /api/detection_engine/signals/search: post: description: Find and/or aggregate detection alerts that match the given query. 
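Review bot: The new 200 schema for the assignees response is `type: object` with `additionalProperties: true` and no `properties`, so the example is the only place a consumer learns that `updated`, `version_conflicts`, `failures` and the other update-by-query counters exist, and generated clients will type the body as an opaque map. Listing those fields under `properties` (keeping `additionalProperties: true` for forward compatibility) and describing `failures` (presumably the per-document errors of the underlying update) would give callers a contract for detecting partial application; `updated`, `version_conflicts` and `failures` are what a caller has to inspect when `total` exceeds `updated`. The switch from `application/ndjson` to `application/json` and the repaired example values look right, assuming the handler does emit a JSON body. If this bundle is generated, the schema change belongs in the source schema of this endpoint.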
@@ -3428,6 +3619,14 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + Failed to parse search request: unknown query clause in + bool filter + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/PlatformErrorResponse' @@ -3436,12 +3635,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response @@ -3549,6 +3759,14 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request body].signal_ids: at least one alert id is + required to update status + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/PlatformErrorResponse' 
@@ -3557,12 +3775,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response @@ -3572,9 +3801,12 @@ paths: - Alerts API /api/detection_engine/signals/tags: post: - description: | - And tags to detection alerts, and remove them from alerts. + description: > + Add tags to detection alerts, and remove them from alerts, by alert IDs + or a query, in a single request. + > info + > You cannot add and remove the same alert tag in the same request. operationId: SetAlertTags requestBody: @@ -3621,6 +3853,14 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: >- + [request body].tags: cannot add and remove the same tag in + a single request + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/PlatformErrorResponse' 
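Review bot: The `> info` admonition in the new `SetAlertTags` description is lost, because the description is a folded scalar (`>`) and consecutive non-blank lines at the same indent are joined with a space, so the loaded value reads `> info > You cannot add and remove the same alert tag in the same request.` on one line rather than the two-line blockquote the markdown renderer needs. The tag descriptions elsewhere in this series keep such `> warn` / `> info` blocks in a literal scalar (`description: |`) with one admonition line per source line; do the same here, and keep the opening sentence on one line so no blank line is needed before the admonition. If the bundle is generated from the source schema, the fix belongs there.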
@@ -3629,12 +3869,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response From 07b6e97b5d461f79b4a3147606c7caad803c20f8 Mon Sep 17 00:00:00 2001 From: Yara Tercero Date: Wed, 22 Apr 2026 13:33:15 -0700 Subject: [PATCH 02/14] undoing temp changes made --- .../kbn-openapi-bundler/src/openapi_merger.ts | 35 +++---------------- 1 file changed, 5 insertions(+), 30 deletions(-) diff --git a/src/platform/packages/shared/kbn-openapi-bundler/src/openapi_merger.ts b/src/platform/packages/shared/kbn-openapi-bundler/src/openapi_merger.ts index a8fda0c6a0356..5857a5f920965 100644 --- a/src/platform/packages/shared/kbn-openapi-bundler/src/openapi_merger.ts +++ b/src/platform/packages/shared/kbn-openapi-bundler/src/openapi_merger.ts 
@@ -15,7 +15,7 @@ import { createBlankOpenApiDocument } from './bundler/merge_documents/create_bla import type { ResolvedDocument } from './bundler/ref_resolver/resolved_document'; import { writeDocuments } from './utils/write_documents'; import { resolveGlobs } from './utils/resolve_globs'; -import { bundleDocument, SkipException } from './bundler/bundle_document'; +import { bundleDocument } from './bundler/bundle_document'; import { withNamespaceComponentsProcessor } from './bundler/processor_sets'; import type { PrototypeDocument } from './prototype_document'; import { validatePrototypeDocument } from './validate_prototype_document'; @@ -92,36 +92,11 @@ function logSchemas(schemaFilePaths: string[]): void { } async function bundleDocuments(schemaFilePaths: string[]): Promise { - const resolvedDocuments = await Promise.all( - schemaFilePaths.map(async (schemaFilePath) => { - try { - return await bundleDocument( - schemaFilePath, - withNamespaceComponentsProcessor([], '/info/title') - ); - } catch (e) { - if (e instanceof SkipException) { - logger.info(`Skipped ${chalk.bold(e.documentPath)}: ${e.message}`); - return; - } - throw e; - } - }) + return await Promise.all( + schemaFilePaths.map(async (schemaFilePath) => + bundleDocument(schemaFilePath, withNamespaceComponentsProcessor([], '/info/title')) + ) ); - - return filterOutSkippedDocuments(resolvedDocuments); -} - -function filterOutSkippedDocuments( - documents: Array -): ResolvedDocument[] { - const out: ResolvedDocument[] = []; - for (const document of documents) { - if (document) { - out.push(document); - } - } - return out; } const DEFAULT_INFO = { From a51a353f10d27f40bf154976c53c60c1a712d83f Mon Sep 17 00:00:00 2001 From: Yara Tercero Date: Wed, 22 Apr 2026 13:39:36 -0700 Subject: [PATCH 03/14] undoing temp changes --- oas_docs/output/kibana.serverless.yaml | 151896 ++++++++++++++++------ oas_docs/output/kibana.yaml | 144658 +++++++++++++++----- 2 files changed, 220329 insertions(+), 76225 deletions(-) 
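Review bot: `return await Promise.all(...)` in the restored `bundleDocuments` body: the `await` is redundant when the awaited promise is returned directly from an `async` function outside a `try`/`catch`, so `return Promise.all(` expresses the same thing without the extra microtask hop. Since this hunk restores the pre-existing implementation, this is a style nit only; the behaviour that a single failing `bundleDocument` rejects the whole batch is presumably the intended one after removing the skip handling.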
diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml index 064000d04e557..e4696e257d931 100644 --- a/oas_docs/output/kibana.serverless.yaml +++ b/oas_docs/output/kibana.serverless.yaml @@ -2,52 +2,32 @@ openapi: 3.0.3 info: contact: name: Kibana Team - description: > + description: | The Kibana REST APIs for Elastic serverless enable you to manage resources - such as connectors, data views, and saved objects. The API calls are - stateless. Each request that you make happens in isolation from other calls - and must include all of the necessary information for Kibana to fulfill the - request. API requests return JSON output, which is a format that is - machine-readable and works well for automation. - To interact with Kibana APIs, use the following operations: - - GET: Fetches the information. - - POST: Adds new information. - - PUT: Updates the existing information. - - DELETE: Removes the information. - You can prepend any Kibana API endpoint with `kbn:` and run the request in - **Dev Tools → Console**. For example: - ``` - GET kbn:/api/data_views - ``` - ## Documentation source and versions - - This documentation is derived from the `main` branch of the - [kibana](https://github.com/elastic/kibana) repository. - - It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 - International](https://creativecommons.org/licenses/by-nc-nd/4.0/). + This documentation is derived from the `main` branch of the [kibana](https://github.com/elastic/kibana) repository. + It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 International](https://creativecommons.org/licenses/by-nc-nd/4.0/). title: Kibana Serverless APIs version: '' x-doc-license: 
@@ -55,463 +35,1207 @@ info: url: https://creativecommons.org/licenses/by-nc-nd/4.0/ x-feedbackLink: label: Feedback - url: >- - https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+ + url: https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+ servers: - - url: http://{kibana_host}:{port} - variables: - kibana_host: - default: localhost - port: - default: '5601' - url: https://{kibana_url} variables: kibana_url: - default: localhost:5601 - - url: / + default: +security: + - apiKeyAuth: [] +tags: + - name: agent builder + description: | + Agent Builder is a set of AI-powered capabilities for developing and interacting with agents that work with your Elasticsearch data. + Most users will probably want to integrate with Agent Builder using MCP or A2A, but you can also work programmatically with tools, agents, and conversations using these Kibana APIs. + externalDocs: + description: Agent Builder docs + url: https://www.elastic.co/docs/solutions/search/agent-builder/programmatic-access + x-displayName: Agent Builder + - name: alerting + description: | + Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third party integrations. + externalDocs: + description: Alerting documentation + url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts + x-displayName: Alerting + - description: | + Adjust APM agent configuration without need to redeploy your application. + name: APM agent configuration + - description: | + Configure APM agent keys to authorize requests from APM agents to the APM Server. 
+ name: APM agent keys + - description: | + Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications. + name: APM annotations + - description: Create APM fleet server schema. + name: APM server schema + - description: | + Configure APM source maps. A source map allows minified files to be mapped back to original source code--allowing you to maintain the speed advantage of minified code, without losing the ability to quickly and easily debug your application. + For best results, uploading source maps should become a part of your deployment procedure, and not something you only do when you see unhelpful errors. That's because uploading source maps after errors happen won't make old errors magically readable--errors must occur again for source mapping to occur. + name: APM sourcemaps + - name: connectors + description: | + Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met. + externalDocs: + description: Connector documentation + url: https://www.elastic.co/docs/reference/kibana/connectors-kibana + x-displayName: Connectors + - name: Data streams + description: | + Data stream APIs enable you to manage data streams, which are collections of indices that share the same index template and are managed as a single unit for time-series data. + x-displayName: Data streams + - description: Data view APIs enable you to manage data views, formerly known as Kibana index patterns. + name: data views + x-displayName: Data views + - name: Elastic Agent actions + description: | + Elastic Agent actions APIs enable you to manage actions performed on Elastic Agents, including agent reassignment, diagnostics collection, enrollment management, upgrades, and bulk operations for agent lifecycle management. 
+ x-displayName: Elastic Agent actions + - name: Elastic Agent binary download sources + description: | + Elastic Agent binary download sources APIs enable you to manage download sources for Elastic Agent binaries, including creating, updating, and deleting custom download sources for agent binaries. + x-displayName: Elastic Agent binary download sources + - name: Elastic Agent policies + description: | + Elastic Agent policies APIs enable you to manage agent policies, including creating, updating, and deleting policies, as well as to retrieve agent policy outputs, manifests, and auto-upgrade status information. + x-displayName: Elastic Agent policies + - name: Elastic Agent status + description: | + Enables you to retrieve status information about Elastic Agents, including health summaries and operational status. + x-displayName: Elastic Agent status + - name: Elastic Agents + description: | + Elastic Agents APIs enable you to manage Elastic Agents, including retrieving agent information, managing agent lifecycle, handling file uploads, and initiating agent setup. + x-displayName: Elastic Agents + - name: Elastic Package Manager (EPM) + description: | + Elastic Package Manager (EPM) APIs enable you to manage packages and integrations, including installing, updating, and uninstalling packages, managing custom integrations, and handling package assets. + x-displayName: Elastic Package Manager (EPM) + - name: Fleet agentless policies + - name: Fleet cloud connectors + description: | + Fleet cloud connectors APIs enable you to manage Fleet cloud connectors, including creating, updating, and deleting cloud connector configurations for Fleet integrations. + x-displayName: Fleet cloud connectors + - name: Fleet enrollment API keys + description: | + Fleet enrollment API keys APIs enable you to manage enrollment API keys for Fleet, including creating, retrieving, and revoking API keys used for agent enrollment. 
+ x-displayName: Fleet enrollment API keys + - name: Fleet internals + description: | + Fleet internals APIs enable you to manage Fleet internal operations, including checking permissions, monitoring Fleet Server health, managing settings, and initiating Fleet setup. + x-displayName: Fleet internals + - name: Fleet outputs + description: | + Fleet outputs APIs enable you to manage Fleet outputs, including creating, updating, and deleting output configurations, generating Logstash API keys, and monitoring output health. + x-displayName: Fleet outputs + - name: Fleet package policies + description: | + Fleet package policies APIs enable you to manage Fleet package policies, including creating, updating, and deleting policies, performing bulk operations, and managing policy upgrades. + x-displayName: Fleet package policies + - name: Fleet proxies + description: | + Fleet proxies APIs enable you to manage Fleet proxies, including creating, updating, and deleting proxy configurations for Fleet agent communication. + x-displayName: Fleet proxies + - name: Fleet Server hosts + description: | + Fleet Server hosts APIs enable you to manage Fleet Server hosts, including creating, updating, and deleting Fleet Server host configurations. + x-displayName: Fleet Server hosts + - name: Fleet service tokens + - name: Fleet uninstall tokens + description: | + Fleet uninstall tokens APIs enable you to manage Fleet uninstall tokens, including retrieving metadata and decrypted tokens for agent uninstallation. + x-displayName: Fleet uninstall tokens + - name: maintenance-window + description: | + You can schedule single or recurring maintenance windows to temporarily reduce rule notifications. For example, a maintenance window prevents false alarms during planned outages. 
+ externalDocs: + description: Maintenance window documentation + url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts/maintenance-windows + x-displayName: Maintenance windows + - name: Message Signing Service + description: | + Enables you to rotate message signing key pairs for secure Fleet communication. + x-displayName: Fleet Message Signing Service + - description: | + Enables you to synchronize machine learning saved objects. + name: ml + x-displayName: Machine learning + - description: Interact with the Observability AI Assistant resources. + externalDocs: + description: Observability AI Assistant + url: https://www.elastic.co/docs/solutions/observability/observability-ai-assistant + name: observability_ai_assistant + x-displayName: Observability AI Assistant + - name: roles + x-displayName: Roles + description: Manage the roles that grant Elasticsearch and Kibana privileges. + externalDocs: + description: Kibana role management + url: https://www.elastic.co/docs/deploy-manage/users-roles/serverless-custom-roles + - name: saved objects + x-displayName: Saved objects + description: | + Export or import sets of saved objects. + + To manage a specific type of saved object, use the corresponding APIs. + For example, use: + + [Data views](../group/endpoint-data-views). + - description: Manage and interact with Security Assistant resources. + name: Security AI Assistant API + x-displayName: Security AI assistant + - description: Use the Attack discovery APIs to generate and manage Attack discoveries. Attack Discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. 
+ name: Security Attack discovery API + x-displayName: Security Attack discovery + - description: | + Use the detections APIs to create and manage detection rules. Detection rules search events and external alerts sent to Elastic Security and generate detection alerts from any hits. Alerts are displayed on the **Alerts** page and can be assigned and triaged, using the alert status to mark them as open, closed, or acknowledged. + + This API supports both key-based authentication and basic authentication. + + To use key-based authentication, create an API key, then specify the key in the header of your API calls. + + To use basic authentication, provide a username and password; this automatically creates an API key that matches the current user’s privileges. + + In both cases, the API key is subsequently used for authorization when the rule runs. + > warn + > If the API key used for authorization has different privileges than the key that created or most recently updated a rule, the rule behavior might change. + + > If the API key that created a rule is deleted, or the user that created the rule becomes inactive, the rule will stop running. + + To create and run rules, the user must meet specific requirements for the Kibana space. Refer to the [Detections requirements](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html) for a complete list of requirements. + name: Security Detections API + x-displayName: Security detections + - description: Endpoint Exceptions API allows you to manage detection rule endpoint exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met. + name: Security Endpoint Exceptions API + x-displayName: Security Elastic Endpoint exceptions + - description: Interact with and manage endpoints running the Elastic Defend integration. 
+ name: Security Endpoint Management API + x-displayName: Security endpoint management + - description: | + Use the Security entity analytics APIs to manage entity analytics and risk scoring, including asset criticality, privileged user monitoring, and entity engines. + name: Security Entity Analytics API + x-displayName: Security entity analytics + - name: Security entity store + - description: | + Exceptions are associated with detection and endpoint rules, and are used to prevent a rule from generating an alert from incoming events, even when the rule's other criteria are met. They can help reduce the number of false positives and prevent trusted processes and network activity from generating unnecessary alerts. + + Exceptions are made up of: + + * **Exception containers**: A container for related exceptions. Generally, a single exception container contains all the exception items relevant for a subset of rules. For example, a container can be used to group together network-related exceptions that are relevant for a large number of network rules. The container can then be associated with all the relevant rules. + * **Exception items**: The query (fields, values, and logic) used to prevent rules from generating alerts. When an exception item's query evaluates to `true`, the rule does not generate an alert. + + For detection rules, you can also use lists to define rule exceptions. A list holds multiple values of the same Elasticsearch data type, such as IP addresses. These values are used to determine when an exception prevents an alert from being generated. + > info + > You cannot use lists with endpoint rule exceptions. + + > info + > Only exception containers can be associated with rules. You cannot directly associate an exception item or a list container with a rule. To use list exceptions, create an exception item that references the relevant list container. 
+ + ## Exceptions requirements + + Before you can start working with exceptions that use value lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. For a complete list of requirements, refer to [Enable and access detections](https://www.elastic.co/guide/en/serverless/current/security-detections-requirements.html#enable-detections-ui). + name: Security Exceptions API + x-displayName: Security exceptions + - description: | + Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts. + + Lists are made up of: + + * **List containers**: A container for values of the same Elasticsearch data type. The following data types can be used: + * `boolean` + * `byte` + * `date` + * `date_nanos` + * `date_range` + * `double` + * `double_range` + * `float` + * `float_range` + * `half_float` + * `integer` + * `integer_range` + * `ip` + * `ip_range` + * `keyword` + * `long` + * `long_range` + * `short` + * `text` + * **List items**: The values used to determine whether the exception prevents an alert from being generated. + + All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named `internal-ip-addresses-southport` contains five items, where each item defines one internal IP address: + 1. `192.168.1.1` + 2. `192.168.1.3` + 3. `192.168.1.18` + 4. `192.168.1.12` + 5. `192.168.1.7` + + To use these IP addresses as values for defining rule exceptions, use the Security exceptions API to [create an exception list item](../operation/operation-createexceptionlistitem) that references the `internal-ip-addresses-southport` list. 
+ > info + > Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (`is in list`, `is not in list`). Use an exception item to define the operator and associate it with an [exception container](../operation/operation-createexceptionlist). You can then add the exception container to a rule's `exceptions_list` object. + + ## Lists requirements + + Before you can start using lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. Refer to [Enable and access detections](https://www.elastic.co/guide/en/serverless/current/security-detections-requirements.html#enable-detections-ui) for a complete list of requirements. + name: Security Lists API + x-displayName: Security lists + - description: Run live queries, manage packs and saved queries. + name: Security Osquery API + x-displayName: Security Osquery + - description: You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file. + name: Security Timeline API + x-displayName: Security timeline + - description: SLO APIs enable you to define, manage and track service-level objectives + name: slo + x-displayName: Service level objectives + - name: spaces + x-displayName: Spaces + description: Manage your Kibana spaces. + externalDocs: + url: https://www.elastic.co/docs/deploy-manage/manage-spaces + description: Space overview + - name: streams + description: | + Streams provide a unified data management layer for ingestion, routing, and processing. There are three stream types: + * **Wired** streams are managed by Kibana. They route documents to child streams based on + field conditions and support custom field mappings and processing steps. 
+ + * **Classic** streams map to existing Elasticsearch data streams. You can add processing + steps to classic streams without changing their underlying index template. + + * **Query** streams are virtual aggregations backed by an ES|QL expression. They aggregate + data from multiple streams into a single logical view without duplicating documents. + x-displayName: Streams + externalDocs: + description: Streams documentation + url: https://www.elastic.co/docs/solutions/observability/streams + - name: system + x-displayName: System + description: | + Get information about the system status, resource usage, features, and installed plugins. + - description: Task manager APIs enable you to check the health of the Kibana task manager, which is used by features such as alerting, actions, and reporting to run mission critical work as persistent background tasks. + externalDocs: + description: Task manager + url: https://www.elastic.co/docs/deploy-manage/distributed-architecture/kibana-tasks-management + name: task manager + x-displayName: Task manager + - name: workflows + description: | + Workflows enable you to automate multi-step processes directly in Kibana. Define sequences of steps in YAML to transform data insights into automated actions and outcomes, without needing external automation tools. + + Use the workflows APIs to create, manage, and run workflows programmatically. You can also search, export, import, and monitor workflow executions. + externalDocs: + description: Workflows documentation + url: https://www.elastic.co/docs/explore-analyze/workflows + x-displayName: Workflows paths: - /api/apm/agent_keys: - post: - description: > - Create a new agent key for APM. + /api/actions/connector_types: + get: + description: |- + **Spaces method and path for this operation:** - The user creating an APM agent API key must have at least the - `manage_own_api_key` cluster privilege and the APM application-level - privileges that it wishes to grant. +
get /s/{space_id}/api/actions/connector_types
- After it is created, you can copy the API key (Base64 encoded) and use - it to to authorize requests from APM agents to the APM Server. - operationId: createAgentKey + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You do not need any Kibana feature privileges to run this API. + operationId: get-actions-connector-types parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - requestBody: - content: - application/json: - examples: - createAgentKeyRequest1: - $ref: '#/components/examples/APM_UI_agent_keys_object_post_request1' - schema: - $ref: '#/components/schemas/APM_UI_agent_keys_object' - required: true + - description: A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases). + in: query + name: feature_id + required: false + schema: + type: string responses: '200': - content: - application/json: - examples: - createAgentKeyResponse1: - $ref: >- - #/components/examples/APM_UI_agent_keys_object_post_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_agent_keys_response' - description: Agent key created successfully - '400': content: application/json: schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response + items: + additionalProperties: false + type: object + properties: + allow_multiple_system_actions: + description: Indicates whether multiple instances of the same system action connector can be used in a single rule. + type: boolean + enabled: + description: Indicates whether the connector is enabled. + type: boolean + enabled_in_config: + description: Indicates whether the connector is enabled in the Kibana configuration. + type: boolean + enabled_in_license: + description: Indicates whether the connector is enabled through the license. + type: boolean + id: + description: The identifier for the connector. 
+ type: string + is_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_system_action_type: + description: Indicates whether the action is a system action. + type: boolean + minimum_license_required: + description: The minimum license required to enable the connector. + enum: + - basic + - standard + - gold + - platinum + - enterprise + - trial + type: string + name: + description: The name of the connector type. + type: string + source: + description: The source of the connector type definition. + enum: + - yml + - spec + - stack + type: string + sub_feature: + description: Indicates the sub-feature type the connector is grouped under. + enum: + - endpointSecurity + type: string + supported_feature_ids: + description: The list of supported features + items: + type: string + type: array + required: + - id + - name + - enabled + - enabled_in_config + - enabled_in_license + - minimum_license_required + - supported_feature_ids + - is_system_action_type + - is_deprecated + - source + type: array + examples: + getConnectorTypesServerlessResponse: + $ref: '#/components/examples/get_connector_types_generativeai_response' + description: Indicates a successful call. + '403': + description: Indicates that this call is forbidden. + summary: Get connector types + tags: + - connectors + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/actions/connector/_oauth_callback: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/actions/connector/_oauth_callback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Handles the OAuth 2.0 authorization code callback from external providers. Exchanges the authorization code for access and refresh tokens.

[Required authorization] Route required privileges: actions:oauth. + operationId: get-actions-connector-oauth-callback + parameters: + - description: The authorization code returned by the OAuth provider. + in: query + name: code + required: false + schema: + type: string + - description: The state parameter for CSRF protection. + in: query + name: state + required: false + schema: + type: string + - description: Error code if the authorization failed. + in: query + name: error + required: false + schema: + type: string + - description: Human-readable error description. + in: query + name: error_description + required: false + schema: + type: string + - description: Session state from the OAuth provider (e.g., Microsoft). + in: query + name: session_state + required: false + schema: + type: string + responses: + '200': + description: Returns an HTML callback page. + '302': + description: Redirects to the return URL with authorization result query parameters. '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response + description: User is not authenticated. + summary: Handle OAuth callback + tags: + - connectors + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/actions/connector/_oauth_callback_script: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/actions/connector/_oauth_callback_script
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the OAuth callback script + operationId: get-actions-connector-oauth-callback-script + parameters: [] + responses: + '200': + description: Returns the OAuth callback script + summary: '' + tags: [] + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/actions/connector/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/actions/connector/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: When you delete a connector, it cannot be recovered. + operationId: delete-actions-connector-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. '403': + description: Indicates that this call is forbidden. + summary: Delete a connector + tags: + - connectors + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + operationId: get-actions-connector-id + parameters: + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + responses: + '200': content: application/json: schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - summary: Create an APM agent key + additionalProperties: false + type: object + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. 
+ type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. + type: boolean + name: + description: ' The name of the connector.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + examples: + getConnectorResponse: + $ref: '#/components/examples/get_connector_response' + description: Indicates a successful call. + '403': + description: Indicates that this call is forbidden. + summary: Get connector information tags: - - APM agent keys - /api/apm/fleet/apm_server_schema: + - connectors + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/actions/connector/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. post: - deprecated: true - description: > - DEPRECATED: This endpoint is intended for internal use by Fleet - integrations to push the APM Server configuration schema. Do not use for - new integrations. It stores the provided schema object as a Kibana saved - object. If Fleet migration is not available on the current deployment, - the API returns a 404. - operationId: saveApmServerSchema + operationId: post-actions-connector-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + maxLength: 36 + minLength: 1 + type: string requestBody: content: application/json: schema: + additionalProperties: false type: object properties: - schema: - additionalProperties: true - description: Schema object - example: - foo: bar - type: object - required: true + connector_type_id: + description: The type of connector. + type: string + name: + description: The display name for the connector. + type: string + config: + additionalProperties: {} + default: {} + description: The connector configuration details. 
+ oneOf: + - $ref: '#/components/schemas/bedrock_config' + - $ref: '#/components/schemas/crowdstrike_config' + - $ref: '#/components/schemas/d3security_config' + - $ref: '#/components/schemas/email_config' + - $ref: '#/components/schemas/gemini_config' + - $ref: '#/components/schemas/resilient_config' + - $ref: '#/components/schemas/index_config' + - $ref: '#/components/schemas/jira_config' + - $ref: '#/components/schemas/genai_azure_config' + - $ref: '#/components/schemas/genai_openai_config' + - $ref: '#/components/schemas/genai_openai_other_config' + - $ref: '#/components/schemas/opsgenie_config' + - $ref: '#/components/schemas/pagerduty_config' + - $ref: '#/components/schemas/sentinelone_config' + - $ref: '#/components/schemas/servicenow_config' + - $ref: '#/components/schemas/servicenow_itom_config' + - $ref: '#/components/schemas/slack_api_config' + - $ref: '#/components/schemas/swimlane_config' + - $ref: '#/components/schemas/thehive_config' + - $ref: '#/components/schemas/tines_config' + - $ref: '#/components/schemas/torq_config' + - $ref: '#/components/schemas/webhook_config' + - $ref: '#/components/schemas/cases_webhook_config' + - $ref: '#/components/schemas/xmatters_config' + secrets: + additionalProperties: {} + default: {} + oneOf: + - $ref: '#/components/schemas/bedrock_secrets' + - $ref: '#/components/schemas/crowdstrike_secrets' + - $ref: '#/components/schemas/d3security_secrets' + - $ref: '#/components/schemas/email_secrets' + - $ref: '#/components/schemas/gemini_secrets' + - $ref: '#/components/schemas/resilient_secrets' + - $ref: '#/components/schemas/jira_secrets' + - $ref: '#/components/schemas/defender_secrets' + - $ref: '#/components/schemas/teams_secrets' + - $ref: '#/components/schemas/genai_secrets' + - $ref: '#/components/schemas/opsgenie_secrets' + - $ref: '#/components/schemas/pagerduty_secrets' + - $ref: '#/components/schemas/sentinelone_secrets' + - $ref: '#/components/schemas/servicenow_secrets' + - $ref: 
'#/components/schemas/slack_api_secrets' + - $ref: '#/components/schemas/swimlane_secrets' + - $ref: '#/components/schemas/thehive_secrets' + - $ref: '#/components/schemas/tines_secrets' + - $ref: '#/components/schemas/torq_secrets' + - $ref: '#/components/schemas/webhook_secrets' + - $ref: '#/components/schemas/cases_webhook_secrets' + - $ref: '#/components/schemas/xmatters_secrets' + required: + - name + - connector_type_id + examples: + createEmailConnectorRequest: + $ref: '#/components/examples/create_email_connector_request' + createIndexConnectorRequest: + $ref: '#/components/examples/create_index_connector_request' + createWebhookConnectorRequest: + $ref: '#/components/examples/create_webhook_connector_request' + createXmattersConnectorRequest: + $ref: '#/components/examples/create_xmatters_connector_request' responses: '200': content: application/json: - examples: - saveApmServerSchemaResponseExample1: - $ref: >- - #/components/examples/APM_UI_fleet_apm_server_schema_200_response1 schema: additionalProperties: false - description: The response body is intentionally empty for this endpoint. type: object - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. 
+ type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. + type: boolean + name: + description: ' The name of the connector.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + examples: + createEmailConnectorResponse: + $ref: '#/components/examples/create_email_connector_response' + createIndexConnectorResponse: + $ref: '#/components/examples/create_index_connector_response' + createWebhookConnectorResponse: + $ref: '#/components/examples/create_webhook_connector_response' + createXmattersConnectorResponse: + $ref: '#/components/examples/get_connector_response' + description: Indicates a successful call. '403': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Save APM server schema + description: Indicates that this call is forbidden. + summary: Create a connector tags: - - APM server schema - /api/apm/services/{serviceName}/annotation: - post: - description: Create a new annotation for a specific service. - operationId: createAnnotation + - connectors + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/actions/connector/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + put: + operationId: put-actions-connector-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - - description: The name of the service + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. in: path - name: serviceName + name: id required: true schema: type: string requestBody: content: application/json: - examples: - createAnnotationRequest1: - $ref: '#/components/examples/APM_UI_annotation_object_post_request1' schema: - $ref: '#/components/schemas/APM_UI_create_annotation_object' - required: true + additionalProperties: false + type: object + properties: + name: + description: The display name for the connector. + type: string + config: + additionalProperties: {} + default: {} + description: The connector configuration details. 
+ oneOf: + - $ref: '#/components/schemas/bedrock_config' + - $ref: '#/components/schemas/crowdstrike_config' + - $ref: '#/components/schemas/d3security_config' + - $ref: '#/components/schemas/email_config' + - $ref: '#/components/schemas/gemini_config' + - $ref: '#/components/schemas/resilient_config' + - $ref: '#/components/schemas/index_config' + - $ref: '#/components/schemas/jira_config' + - $ref: '#/components/schemas/defender_config' + - $ref: '#/components/schemas/genai_azure_config' + - $ref: '#/components/schemas/genai_openai_config' + - $ref: '#/components/schemas/opsgenie_config' + - $ref: '#/components/schemas/pagerduty_config' + - $ref: '#/components/schemas/sentinelone_config' + - $ref: '#/components/schemas/servicenow_config' + - $ref: '#/components/schemas/servicenow_itom_config' + - $ref: '#/components/schemas/slack_api_config' + - $ref: '#/components/schemas/swimlane_config' + - $ref: '#/components/schemas/thehive_config' + - $ref: '#/components/schemas/tines_config' + - $ref: '#/components/schemas/torq_config' + - $ref: '#/components/schemas/webhook_config' + - $ref: '#/components/schemas/cases_webhook_config' + - $ref: '#/components/schemas/xmatters_config' + secrets: + additionalProperties: {} + default: {} + oneOf: + - $ref: '#/components/schemas/bedrock_secrets' + - $ref: '#/components/schemas/crowdstrike_secrets' + - $ref: '#/components/schemas/d3security_secrets' + - $ref: '#/components/schemas/email_secrets' + - $ref: '#/components/schemas/gemini_secrets' + - $ref: '#/components/schemas/resilient_secrets' + - $ref: '#/components/schemas/jira_secrets' + - $ref: '#/components/schemas/teams_secrets' + - $ref: '#/components/schemas/genai_secrets' + - $ref: '#/components/schemas/opsgenie_secrets' + - $ref: '#/components/schemas/pagerduty_secrets' + - $ref: '#/components/schemas/sentinelone_secrets' + - $ref: '#/components/schemas/servicenow_secrets' + - $ref: '#/components/schemas/slack_api_secrets' + - $ref: 
'#/components/schemas/swimlane_secrets' + - $ref: '#/components/schemas/thehive_secrets' + - $ref: '#/components/schemas/tines_secrets' + - $ref: '#/components/schemas/torq_secrets' + - $ref: '#/components/schemas/webhook_secrets' + - $ref: '#/components/schemas/cases_webhook_secrets' + - $ref: '#/components/schemas/xmatters_secrets' + required: + - name + examples: + updateIndexConnectorRequest: + $ref: '#/components/examples/update_index_connector_request' responses: '200': - content: - application/json: - examples: - createAnnotationResponse1: - $ref: >- - #/components/examples/APM_UI_annotation_object_post_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_create_annotation_response' - description: Annotation created successfully - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': content: application/json: schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response + additionalProperties: false + type: object + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. 
' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. + type: boolean + name: + description: ' The name of the connector.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + description: Indicates a successful call. '403': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Create a service annotation + description: Indicates that this call is forbidden. + summary: Update a connector tags: - - APM annotations - x-codeSamples: - - lang: Curl - source: | - curl -X POST \ - http://localhost:5601/api/apm/services/opbeans-java/annotation \ - -H 'Content-Type: application/json' \ - -H 'kbn-xsrf: true' \ - -H 'Authorization: Basic YhUlubWZhM0FDbnlQeE6WRtaW49FQmSGZ4RUWXdX' \ - -d '{ - "@timestamp": "2020-05-08T10:31:30.452Z", - "service": { - "version": "1.2" - }, - "message": "Deployment 1.2" - }' - /api/apm/services/{serviceName}/annotation/search: - get: - description: Search for annotations related to a specific service. - operationId: getAnnotation + - connectors + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/actions/connector/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/actions/connector/{id}/_execute: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/actions/connector/{id}/_execute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems. + operationId: post-actions-connector-id-execute parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: The name of the service - in: path - name: serviceName + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: The environment to filter annotations by - in: query - name: environment - required: false - schema: - type: string - - description: The start date for the search - example: '2024-01-01T00:00:00.000Z' - in: query - name: start - required: false - schema: - format: date-time - type: string - - description: The end date for the search - example: '2024-01-31T23:59:59.999Z' - in: query - name: end - required: false + - description: An identifier for the connector. 
+ in: path + name: id + required: true schema: - format: date-time type: string + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + params: + additionalProperties: {} + oneOf: + - $ref: '#/components/schemas/run_acknowledge_resolve_pagerduty' + - $ref: '#/components/schemas/run_documents' + - $ref: '#/components/schemas/run_message_email' + - $ref: '#/components/schemas/run_message_serverlog' + - $ref: '#/components/schemas/run_message_slack' + - $ref: '#/components/schemas/run_trigger_pagerduty' + - $ref: '#/components/schemas/run_addevent' + - $ref: '#/components/schemas/run_closealert' + - $ref: '#/components/schemas/run_closeincident' + - $ref: '#/components/schemas/run_createalert' + - $ref: '#/components/schemas/run_fieldsbyissuetype' + - $ref: '#/components/schemas/run_getagentdetails' + - $ref: '#/components/schemas/run_getagents' + - $ref: '#/components/schemas/run_getchoices' + - $ref: '#/components/schemas/run_getfields' + - $ref: '#/components/schemas/run_getincident' + - $ref: '#/components/schemas/run_issue' + - $ref: '#/components/schemas/run_issues' + - $ref: '#/components/schemas/run_issuetypes' + - $ref: '#/components/schemas/run_postmessage' + - $ref: '#/components/schemas/run_pushtoservice' + - $ref: '#/components/schemas/run_validchannelid' + required: + - params + examples: + runIndexConnectorRequest: + $ref: '#/components/examples/run_index_connector_request' + runJiraConnectorRequest: + $ref: '#/components/examples/run_jira_connector_request' + runServerLogConnectorRequest: + $ref: '#/components/examples/run_servicenow_itom_connector_request' + runSlackConnectorRequest: + $ref: '#/components/examples/run_slack_api_connector_request' + runSwimlaneConnectorRequest: + $ref: '#/components/examples/run_swimlane_connector_request' responses: '200': content: application/json: schema: - $ref: '#/components/schemas/APM_UI_annotation_search_response' - description: Successful response - 
'400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - summary: Search for annotations - tags: - - APM annotations - /api/apm/settings/agent-configuration: - delete: - description: > - Delete an existing agent configuration. You must have `all` privileges - for the APM and User Experience feature in Kibana. When successful, the - configuration is removed and, if Fleet is enabled, APM package policies - are synchronized accordingly. - operationId: deleteAgentConfiguration - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - requestBody: - content: - application/json: - examples: - deleteAgentConfigurationRequest1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_delete_request1 - schema: - $ref: '#/components/schemas/APM_UI_delete_service_object' - required: true - responses: - '200': - content: - application/json: + additionalProperties: false + type: object + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. 
+ type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. + type: boolean + name: + description: ' The name of the connector.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated examples: - deleteAgentConfigurationResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_delete_200_response1 - schema: - $ref: >- - #/components/schemas/APM_UI_delete_agent_configurations_response - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response + runIndexConnectorResponse: + $ref: '#/components/examples/run_index_connector_response' + runJiraConnectorResponse: + $ref: '#/components/examples/run_jira_connector_response' + runServerLogConnectorResponse: + $ref: '#/components/examples/run_server_log_connector_response' + runServiceNowITOMConnectorResponse: + $ref: '#/components/examples/run_servicenow_itom_connector_response' + runSlackConnectorResponse: + $ref: '#/components/examples/run_slack_api_connector_response' + runSwimlaneConnectorResponse: + $ref: '#/components/examples/run_swimlane_connector_response' + description: Indicates a successful call. 
'403': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Delete agent configuration + description: Indicates that this call is forbidden. + summary: Run a connector tags: - - APM agent configuration + - connectors + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/actions/connectors: get: - description: > - Retrieve all agent configurations. You must have `read` privileges for - the APM and User Experience feature in Kibana. If agent configuration is - not available on the current deployment, the API returns a 404. - operationId: getAgentConfigurations - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' + operationId: get-actions-connectors + parameters: [] responses: '200': - content: - application/json: - examples: - getAgentConfigurationsResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_get_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_agent_configurations_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': content: application/json: schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get a list of agent configurations + items: + additionalProperties: false + type: object + properties: + auth_mode: + description: The authentication mode used for the connector. 
+ enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. + type: boolean + name: + description: ' The name of the connector.' + type: string + referenced_by_count: + description: The number of saved objects that reference the connector. If is_preconfigured is true, this value is not calculated. + type: number + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + - referenced_by_count + type: array + examples: + getConnectorsResponse: + $ref: '#/components/examples/get_connectors_response' + description: Indicates a successful call. + '403': + description: Indicates that this call is forbidden. + summary: Get all connectors tags: - - APM agent configuration - put: - description: > - Create or update an agent configuration. You must have `all` privileges - for the APM and User Experience feature in Kibana. When updating an - existing configuration, the `?overwrite=true` query parameter is - required. If the configuration already exists and `overwrite` is not set - to `true`, the API returns a 400 error. 
When successful and Fleet is - enabled, APM package policies are synchronized accordingly. - operationId: createUpdateAgentConfiguration + - connectors + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/actions/connectors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/agent_builder/a2a/{agentId}: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/a2a/{agentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + > warn + > This endpoint is designed for A2A protocol clients and should not be used directly via REST APIs. Use an A2A SDK or A2A Inspector instead.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-a2a-agentid parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - - description: If the config exists ?overwrite=true is required - in: query - name: overwrite + - description: The unique identifier of the agent to send the A2A task to. + in: path + name: agentId + required: true schema: - type: boolean + type: string requestBody: content: application/json: examples: - createUpdateAgentConfigurationRequestExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_put_request1 - schema: - $ref: '#/components/schemas/APM_UI_agent_configuration_intake_object' - required: true + a2aTaskRequestExample: + description: 'WARNING: DO NOT USE THIS ENDPOINT VIA REST API. These examples are auto-generated and should not be run. Integrate with A2A using an A2A SDK or A2A Inspector instead.' + value: + id: task-123 + jsonrpc: '2.0' + method: complete + params: + messages: + - content: Hello from A2A protocol + role: user + schema: {} responses: '200': content: application/json: examples: - createUpdateAgentConfigurationResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_put_200_response1 - schema: - additionalProperties: false - description: The response body is intentionally empty for this endpoint. 
- type: object - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Create or update agent configuration + a2aTaskResponseExample: + description: Example response from A2A Task Endpoint with results of task execution + value: + id: task-123 + jsonrpc: '2.0' + result: + conversation_id: conv-456 + response: + message: Hello! How can I help you today? + type: response + description: Indicates a successful response + summary: Send A2A task tags: - - APM agent configuration - /api/apm/settings/agent-configuration/agent_name: + - agent builder + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/a2a/{agentId}.json: get: - description: Retrieve `agentName` for a service. - operationId: getAgentNameForService + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/a2a/{agentId}.json
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get agent discovery metadata in JSON format. Use this endpoint to provide agent information for A2A protocol integration and discovery.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-a2a-agentid.json parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: The name of the service - example: node - in: query - name: serviceName + - description: The unique identifier of the agent to get A2A metadata for. + in: path + name: agentId required: true schema: type: string 
@@ -519,156 +1243,522 @@ paths: '200': content: application/json: - schema: - $ref: '#/components/schemas/APM_UI_service_agent_name_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': + examples: + a2aAgentCardResponseExample: + description: Example response card of Elastic AI Agent + value: + capabilities: + pushNotifications: false + stateTransitionHistory: false + streaming: false + defaultInputModes: + - text/plain + defaultOutputModes: + - text/plain + description: Elastic AI Agent + name: Elastic AI Agent + protocolVersion: 0.3.0 + provider: + organization: Elastic + url: https://elastic.co + securitySchemes: + authorization: + description: Authentication token + in: header + name: Authorization + type: apiKey + skills: + - description: A powerful tool for searching and analyzing data within your Elasticsearch cluster. + examples: [] + id: platform.core.search + inputModes: + - text/plain + - application/json + name: platform.core.search + outputModes: + - text/plain + - application/json + tags: + - tool + supportsAuthenticatedExtendedCard: false + url: http://localhost:5601/api/agent_builder/a2a/elastic-ai-agent + version: 0.1.0 + description: Indicates a successful response + summary: Get A2A agent card + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/a2a/{agentId}.json" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/a2a/{agentId}.json + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/agents: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/agents
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all available agents. Use this endpoint to retrieve complete agent information including their current configuration and assigned tools. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-agents + parameters: [] + responses: + '200': content: application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get agent name for service + examples: + listAgentsResponseExample: + description: Example response that returns one built-in Elastic agent and one created by the user + value: + results: + - configuration: + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Elastic AI Agent + id: elastic-ai-agent + name: Elastic AI Agent + type: chat + - avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Hi! I can help you search the data within the indices starting with "content-" prefix. + id: created-agent-id + labels: + - custom-indices + - department-search + name: Search Index Helper + type: chat + description: Indicates a successful response + summary: List agents tags: - - APM agent configuration - /api/apm/settings/agent-configuration/environments: - get: - description: > - Retrieve the available environments for a given service, to be used in - agent configuration. You must have `read` privileges for the APM and - User Experience feature in Kibana. If `serviceName` is omitted, - environments across all services are returned. 
- operationId: getEnvironmentsForService + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/agents" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/agents + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/agents
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new agent. Use this endpoint to define the agent's behavior, appearance, and capabilities through comprehensive configuration options. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. + operationId: post-agent-builder-agents parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: >- - The name of the service. If omitted, environments across all - services are returned. - example: opbeans-node - in: query - name: serviceName + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string + requestBody: + content: + application/json: + examples: + createAgentRequestExample: + description: Example request for creating a custom agent with special prompt and tools + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Hi! I can help you search the data within the indices starting with "content-" prefix. + id: created-agent-id + labels: + - custom-indices + - department-search + name: Search Index Helper + schema: + additionalProperties: false + type: object + properties: + avatar_color: + description: Optional hex color code for the agent avatar. + type: string + avatar_symbol: + description: Optional symbol/initials for the agent avatar. + type: string + configuration: + additionalProperties: false + description: Configuration settings for the agent. + type: object + properties: + enable_elastic_capabilities: + description: When true, enables built-in Elastic capabilities for the agent. + type: boolean + instructions: + description: Optional system instructions that define the agent behavior. + type: string + plugin_ids: + description: Array of plugin IDs to assign to the agent. + items: + description: Plugin ID to assign to the agent. 
+ type: string + maxItems: 100 + type: array + skill_ids: + description: Array of skill IDs to be available to the agent. + items: + description: Skill ID to be available to the agent. + type: string + maxItems: 100 + type: array + tools: + items: + additionalProperties: false + description: Tool selection configuration for the agent. + type: object + properties: + tool_ids: + description: Array of tool IDs that the agent can use. + items: + description: Tool ID to be available to the agent. + type: string + type: array + required: + - tool_ids + type: array + workflow_ids: + items: + description: Optional list of workflow IDs. When set, these workflows run before every agent execution, in order. + type: string + maxItems: 100 + type: array + required: + - tools + description: + description: Description of what the agent does. + type: string + id: + description: Unique identifier for the agent. + type: string + labels: + description: Optional labels for categorizing and organizing agents. + items: + description: Label for categorizing the agent. + type: string + type: array + name: + description: Display name for the agent. + type: string + visibility: + description: '**Technical Preview; added in 9.4.0.** Optional visibility setting: `public` (any privileged user can read/write), `shared` (any privileged user can read, only owner can write), `private` (only owner can read/write).' 
+ enum: + - public + - shared + - private + type: string + required: + - id + - name + - description + - configuration responses: '200': content: application/json: examples: - getEnvironmentsForServiceResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_environments_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_service_environments_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get environments for service + createAgentResponseExample: + description: Example response returning the definition of an agent created as a result of the request + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Hi! I can help you search the data within the indices starting with "content-" prefix. 
+ id: created-agent-id + labels: + - custom-indices + - department-search + name: Search Index Helper + type: chat + description: Indicates a successful response + summary: Create an agent tags: - - APM agent configuration - /api/apm/settings/agent-configuration/search: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/agent_builder/agents" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "id": "new-agent-id", + "name": "Search Index Helper", + "description": "Hi! I can help you search the data within the indices starting with \"content-\" prefix.", + "labels": ["custom-indices", "department-search"], + "avatar_color": "#BFDBFF", + "avatar_symbol": "SI", + "configuration": { + "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", + "tools": [ + { + "tool_ids": [ + "platform.core.search", + "platform.core.list_indices", + "platform.core.get_index_mapping", + "platform.core.get_document_by_id" + ] + } + ] + } + }' + - lang: Console + source: | + POST kbn://api/agent_builder/agents + { + "id": "new-agent-id", + "name": "Search Index Helper", + "description": "Hi! 
I can help you search the data within the indices starting with \"content-\" prefix.", + "labels": ["custom-indices", "department-search"], + "avatar_color": "#BFDBFF", + "avatar_symbol": "SI", + "configuration": { + "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", + "tools": [ + { + "tool_ids": [ + "platform.core.search", + "platform.core.list_indices", + "platform.core.get_index_mapping", + "platform.core.get_document_by_id" + ] + } + ] + } + } + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/agents/{agent_id}/consumption: post: - deprecated: true - description: > - DEPRECATED: This endpoint is intended for internal use by APM agents to - fetch their configuration and mark it as applied. Do not use for new - integrations. It searches for a single agent configuration matching the - given service, and optionally updates the `applied_by_agent` field when - the provided `etag` matches the current configuration. - operationId: searchSingleConfiguration + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/agents/{agent_id}/consumption
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns paginated, per-conversation token consumption data for a given agent. Includes input/output token counts, round counts, LLM call counts, and warnings for conversations with high token usage. Requires the manageAgents privilege.

[Required authorization] Route required privileges: agentBuilder:manageAgents. + operationId: post-agent-builder-agents-agent-id-consumption parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the agent. + in: path + name: agent_id + required: true + schema: + type: string requestBody: content: application/json: examples: - searchSingleConfigurationRequest1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_search_request1 + consumptionDefaultExample: + description: Get consumption data for an agent with default pagination + value: + size: 25 + sort_field: updated_at + sort_order: desc + consumptionFilteredExample: + description: Get consumption data filtered by username with warnings + value: + has_warnings: true + size: 10 + sort_field: total_tokens + sort_order: desc + usernames: + - elastic + - admin schema: - $ref: '#/components/schemas/APM_UI_search_agent_configuration_object' - required: true + additionalProperties: false + type: object + properties: + has_warnings: + description: Filter to conversations with or without high-token warnings. + type: boolean + search: + description: Free-text search filter on conversation title. + type: string + search_after: + description: Cursor for pagination. Pass the search_after value from the previous response. + items: + nullable: true + maxItems: 10000 + type: array + size: + default: 25 + description: Number of results per page. + maximum: 100 + minimum: 1 + type: number + sort_field: + default: updated_at + description: Field to sort results by. + enum: + - updated_at + - total_tokens + - round_count + type: string + sort_order: + default: desc + description: Sort direction. 
+ enum: + - asc + - desc + type: string + usernames: + description: Filter results to conversations by these usernames. + items: + type: string + maxItems: 10000 + type: array responses: '200': content: application/json: examples: - searchSingleConfigurationResponse1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_search_200_response1 - schema: - $ref: >- - #/components/schemas/APM_UI_search_agent_configuration_response - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Lookup single agent configuration + consumptionResponseExample: + description: Example response with per-conversation token usage data + value: + aggregations: + total_with_warnings: 0 + usernames: + - elastic + - admin + results: + - conversation_id: conv-abc123 + created_at: '2025-03-01T10:00:00Z' + llm_calls: 8 + round_count: 5 + title: Help me search my data + token_usage: + input_tokens: 15000 + output_tokens: 3000 + total_tokens: 18000 + updated_at: '2025-03-01T10:15:00Z' + user: + id: uid-1 + username: elastic + warnings: [] + - conversation_id: conv-def456 + created_at: '2025-03-02T14:00:00Z' + llm_calls: 20 + round_count: 12 + title: Analyze server logs + token_usage: + input_tokens: 250000 + output_tokens: 8000 + total_tokens: 258000 + updated_at: '2025-03-02T14:30:00Z' + user: + id: uid-2 + username: admin + warnings: + - input_tokens: 250000 + round_id: round-7 + type: high_input_tokens + search_after: + - 1709391000000 + - '2025-03-02T14:30:00Z' + total: 2 + description: Indicates a successful response + summary: Get agent consumption data tags: - - APM agent 
configuration - /api/apm/settings/agent-configuration/view: - get: - description: > - Retrieve a single agent configuration matching the given service name - and environment. You must have `read` privileges for the APM and User - Experience feature in Kibana. If no matching configuration is found, the - API returns a 404. - operationId: getSingleAgentConfiguration + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/agent_builder/agents/elastic-ai-agent/consumption" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -H "elastic-api-version: 2023-10-31" \ + -d '{"size": 25, "sort_field": "updated_at", "sort_order": "desc"}' + - lang: Console + source: | + POST kbn://api/agent_builder/agents/elastic-ai-agent/consumption + {"size": 25, "sort_field": "updated_at", "sort_order": "desc"} + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/agents/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/agents/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agent by ID. This action cannot be undone. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. + operationId: delete-agent-builder-agents-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: Service name - example: node - in: query - name: name + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: Service environment - example: prod - in: query - name: environment + - description: The unique identifier of the agent to delete. + in: path + name: id + required: true schema: type: string responses: 
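Review bot: The curl sample for `post /api/agent_builder/agents/{agent_id}/consumption` omits the `kbn-xsrf` header even though that operation's own `parameters` list it as `required: true`, so a client copying the sample does not satisfy the contract the spec declares; add `-H "kbn-xsrf: true" \` next to the other headers, matching the `post /api/agent_builder/agents` sample earlier in the same hunk. That sample is also the only one here that sends `-H "elastic-api-version: 2023-10-31"`, which is not among the declared parameters, so either drop it from the sample or document it as a header parameter so readers are not left guessing which headers are mandatory. Separately, every agent_builder operation in this hunk states a required privilege in its description but documents only a `'200'` response, while the connectors operations in this patch document `'403': description: Indicates that this call is forbidden.`; these routes presumably return the same on missing privileges, so adding a `'403'` (and arguably `'401'`) entry would make the authorization requirement visible in the schema rather than only in prose. The `delete` operation at the end of the hunk continues past it.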
@@ -676,191 +1766,364 @@ paths: content: application/json: examples: - getSingleAgentConfigurationResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_view_200_response1 - schema: - $ref: >- - #/components/schemas/APM_UI_single_agent_configuration_response - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get single agent configuration + deleteAgentResponseExample: + description: Example response showing that deletion of the agent has been successful + value: + success: true + description: Indicates a successful response + summary: Delete an agent tags: - - APM agent configuration - /api/apm/sourcemaps: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/agent_builder/agents/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/agent_builder/agents/{id} + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: > - Get an array of Fleet artifacts, including source map uploads. You must - have `read` or `all` Kibana privileges for the APM and User Experience - feature. - operationId: getSourceMaps + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/agents/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a specific agent by ID. Use this endpoint to retrieve the complete agent definition including all configuration details and tool assignments. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-agents-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: Page number - in: query - name: page - schema: - type: number - - description: Number of records per page - in: query - name: perPage + - description: The unique identifier of the agent to retrieve. + in: path + name: id + required: true schema: - type: number + type: string responses: '200': content: application/json: examples: - getSourceMapsResponse1: - $ref: '#/components/examples/APM_UI_source_maps_get_200_response1' - schema: - $ref: '#/components/schemas/APM_UI_source_maps_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - '501': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_501_response' - description: Not Implemented response - summary: Get source maps + getAgentByIdResponseExample: + description: Example response that an agent created by the user that will query elasticsearch indices starting with 'content-' prefix to answer the questions. + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Hi! I can help you search the data within the indices starting with "content-" prefix. 
+ id: created-agent-id + labels: + - custom-indices + - department-search + name: Search Index Helper + type: chat + description: Indicates a successful response + summary: Get an agent by ID tags: - - APM sourcemaps + - agent builder x-codeSamples: - - lang: Curl + - lang: curl source: | - curl -X GET "http://localhost:5601/api/apm/sourcemaps" \ - -H 'Content-Type: application/json' \ - -H 'kbn-xsrf: true' \ - -H 'Authorization: ApiKey ${YOUR_API_KEY}' - post: - description: > - Upload a source map for a specific service and version. You must have - `all` Kibana privileges for the APM and User Experience feature. - - The maximum payload size is `1mb`. If you attempt to upload a source map - that exceeds the maximum payload size, you will get a 413 error. Before - uploading source maps that exceed this default, change the maximum - payload size allowed by Kibana with the `server.maxPayload` variable. - operationId: uploadSourceMap + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/agents/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/agents/{id} + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/agents/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing agent configuration. Use this endpoint to modify any aspect of the agent's behavior, appearance, or capabilities. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. + operationId: put-agent-builder-agents-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the agent to update. + in: path + name: id + required: true + schema: + type: string requestBody: content: - multipart/form-data: + application/json: + examples: + createAgentRequestExample: + description: Example request for updating custom agent + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Updated description - Search for anything in "content-*" indices! + id: created-agent-id + labels: + - custom-indices + - department-search + - elastic-employees + name: Search Index Helper schema: - $ref: '#/components/schemas/APM_UI_upload_source_map_object' - required: true + additionalProperties: false + type: object + properties: + avatar_color: + description: Updated hex color code for the agent avatar. + type: string + avatar_symbol: + description: Updated symbol/initials for the agent avatar. + type: string + configuration: + additionalProperties: false + description: Updated configuration settings for the agent. + type: object + properties: + enable_elastic_capabilities: + description: When true, enables built-in Elastic capabilities for the agent. + type: boolean + instructions: + description: Updated system instructions that define the agent behavior. 
+ type: string + plugin_ids: + description: Array of plugin IDs to assign to the agent. + items: + description: Plugin ID to assign to the agent. + type: string + maxItems: 100 + type: array + skill_ids: + description: Array of skill IDs to be available to the agent. + items: + description: Skill ID to be available to the agent. + type: string + maxItems: 100 + type: array + tools: + items: + additionalProperties: false + description: Tool selection configuration for the agent. + type: object + properties: + tool_ids: + description: Array of tool IDs that the agent can use. + items: + description: Tool ID to be available to the agent. + type: string + type: array + required: + - tool_ids + type: array + workflow_ids: + items: + description: Updated list of workflow IDs. When set, these workflows run every agent execution, in order. + type: string + maxItems: 100 + type: array + description: + description: Updated description of what the agent does. + type: string + labels: + description: Updated labels for categorizing and organizing agents. + items: + description: Updated label for categorizing the agent. + type: string + type: array + name: + description: Updated display name for the agent. + type: string + visibility: + description: '**Technical Preview; added in 9.4.0.** Updated visibility setting: `public` (any privileged user can read/write), `shared` (any privileged user can read, only owner can write), `private` (only owner can read/write).' 
+ enum: + - public + - shared + - private + type: string responses: '200': content: application/json: examples: - uploadSourceMapResponse1: - $ref: >- - #/components/examples/APM_UI_source_maps_upload_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_upload_source_maps_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - '501': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_501_response' - description: Not Implemented response - summary: Upload a source map + updateAgentResponseExample: + description: Example response returning the agent definition with the changes applied from the request + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Updated description - Search for anything in "content-*" indices! 
+ id: created-agent-id + labels: + - custom-indices + - department-search + - elastic-employees + name: Search Index Helper + type: chat + description: Indicates a successful response + summary: Update an agent tags: - - APM sourcemaps + - agent builder x-codeSamples: - - lang: Curl - source: > - curl -X POST "http://localhost:5601/api/apm/sourcemaps" \ - - -H 'Content-Type: multipart/form-data' \ + - lang: curl + source: | + curl \ + -X PUT "${KIBANA_URL}/api/agent_builder/agents/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "name": "Search Index Helper", + "description": "Updated description - Search for anything in \"content-*\" indices!", + "labels": ["custom-indices", "department-search", "elastic-employees"], + "avatar_color": "#BFDBFF", + "avatar_symbol": "SI", + "configuration": { + "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", + "tools": [{ + "tool_ids": [ + "platform.core.search", + "platform.core.list_indices", + "platform.core.get_index_mapping", + "platform.core.get_document_by_id" + ] + }] + } + }' + - lang: Console + source: | + PUT kbn://api/agent_builder/agents/{id} + { + "name": "Search Index Helper", + "description": "Updated description - Search for anything in \"content-*\" indices!", + "labels": ["custom-indices", "department-search", "elastic-employees"], + "avatar_color": "#BFDBFF", + "avatar_symbol": "SI", + "configuration": { + "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", + "tools": [{ + "tool_ids": [ + "platform.core.search", + "platform.core.list_indices", + "platform.core.get_index_mapping", + "platform.core.get_document_by_id" + ] + }] + } + } + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/conversations: + get: + description: 
|- + **Spaces method and path for this operation:** - -H 'kbn-xsrf: true' \ +
get /s/{space_id}/api/agent_builder/conversations
- -H 'Authorization: ApiKey ${YOUR_API_KEY}' \ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - -F 'service_name="foo"' \ + List all conversations for a user. Use the optional agent ID to filter conversations by a specific agent.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-conversations + parameters: + - description: Optional agent ID to filter conversations by a specific agent. + in: query + name: agent_id + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + listConversationsResponseExample: + description: Example response containing the list of conversations with all agents + value: + results: + - agent_id: elastic-ai-agent + created_at: '2025-09-19T17:45:39.554Z' + id: bcc176c5-38f6-40be-be0c-898e34fa1480 + title: General Greeting + updated_at: '2025-09-19T17:45:39.554Z' + user: + username: elastic + description: Indicates a successful response + summary: List conversations + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/conversations" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/conversations + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/conversations/{conversation_id}: + delete: + description: |- + **Spaces method and path for this operation:** - -F 'service_version="1.0.0"' \ +
delete /s/{space_id}/api/agent_builder/conversations/{conversation_id}
- -F 'bundle_filepath="/test/e2e/general-usecase/bundle.js"' \ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - -F - 'sourcemap="{\"version\":3,\"file\":\"static/js/main.chunk.js\",\"sources\":[\"fleet-source-map-client/src/index.css\",\"fleet-source-map-client/src/App.js\",\"webpack:///./src/index.css?bb0a\",\"fleet-source-map-client/src/index.js\",\"fleet-source-map-client/src/reportWebVitals.js\"],\"sourcesContent\":[\"content\"],\"mappings\":\"mapping\",\"sourceRoot\":\"\"}"' - /api/apm/sourcemaps/{id}: - delete: - description: > - Delete a previously uploaded source map. You must have `all` Kibana - privileges for the APM and User Experience feature. - operationId: deleteSourceMap + Delete a conversation by ID. This action cannot be undone.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: delete-agent-builder-conversations-conversation-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - - description: Source map identifier + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the conversation to delete. in: path - name: id + name: conversation_id required: true schema: type: string 
@@ -869,1386 +2132,10785 @@ paths: content: application/json: examples: - deleteSourceMapResponseExample1: - $ref: >- - #/components/examples/APM_UI_source_maps_delete_200_response1 - schema: - additionalProperties: false - description: The response body is intentionally empty for this endpoint. - type: object - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - '501': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_501_response' - description: Not Implemented response - summary: Delete source map + deleteConversationResponseExample: + description: Example response showing that deletion of conversation has been successful + value: + success: true + description: Indicates a successful response + summary: Delete conversation by ID tags: - - APM sourcemaps + - agent builder x-codeSamples: - - lang: Curl - source: > - curl -X DELETE - "http://localhost:5601/api/apm/sourcemaps/apm:foo-1.0.0-644fd5a9" \ + - lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/agent_builder/conversations/{conversation_id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/agent_builder/conversations/{conversation_id} + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** - -H 'Content-Type: application/json' \ +
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}
- -H 'kbn-xsrf: true' \ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - -H 'Authorization: ApiKey ${YOUR_API_KEY}' - /api/asset_criticality: - delete: - description: Delete the asset criticality record for a specific entity. - operationId: DeleteAssetCriticalityRecord + Get a specific conversation by ID. Use this endpoint to retrieve the complete conversation history including all messages and metadata.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-conversations-conversation-id parameters: - - description: The ID value of the asset. - example: my_host - in: query - name: id_value - required: true - schema: - type: string - - description: The field representing the ID. - example: host.name - in: query - name: id_field + - description: The unique identifier of the conversation to retrieve. + in: path + name: conversation_id required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' - - description: If 'wait_for' the request will wait for the index refresh. - in: query - name: refresh - required: false - schema: - enum: - - wait_for type: string responses: '200': content: application/json: - schema: - type: object - properties: - deleted: - description: >- - True if the record was deleted or false if the record did - not exist. - type: boolean - record: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - description: The deleted record if it existed. - required: - - deleted - description: Successful response - '400': - description: Invalid request - summary: Delete an asset criticality record + examples: + getConversationByIdResponseExample: + description: Example response containing the contents of a convesation with the chat agent + value: + agent_id: elastic-ai-agent + created_at: '2025-09-19T17:45:39.554Z' + id: bcc176c5-38f6-40be-be0c-898e34fa1480 + rounds: + - id: 170ec3b2-0f5a-4538-8b60-549572386d2a + input: + message: Hello, how are you? + response: + message: |- + Since this is a general greeting that doesn't require any organizational or product-specific information, I can respond without using tools. + + Hello! I'm doing well, thank you for asking. I'm here to help you with any questions you may have. How can I assist you today? 
+ steps: [] + title: General Greeting + updated_at: '2025-09-19T17:45:39.554Z' + user: + username: elastic + description: Indicates a successful response + summary: Get conversation by ID tags: - - Security Entity Analytics API + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/conversations/{conversation_id}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/conversations/{conversation_id} + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments: get: - description: Get the asset criticality record for a specific entity. - operationId: GetAssetCriticalityRecord + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all attachments for a conversation. Use the optional include_deleted query parameter to include soft-deleted attachments.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-conversations-conversation-id-attachments parameters: - - description: The ID value of the asset. - example: my_host - in: query - name: id_value + - description: The unique identifier of the conversation. + in: path + name: conversation_id required: true schema: type: string - - description: The field representing the ID. - example: host.name + - description: Whether to include deleted attachments in the list. in: query - name: id_field - required: true + name: include_deleted + required: false schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' + type: boolean responses: '200': content: application/json: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - description: Successful response - '400': - description: Invalid request - '404': - description: Criticality record not found - summary: Get an asset criticality record + examples: + listAttachmentsResponseExample: + description: Example response containing active attachments for a conversation + value: + results: + - active: true + current_version: 2 + description: My text file + id: attachment-1 + type: text + versions: + - content_hash: abc123 + created_at: '2025-01-01T10:00:00.000Z' + data: Initial content + estimated_tokens: 3 + version: 1 + - content_hash: def456 + created_at: '2025-01-01T11:00:00.000Z' + data: Updated content + estimated_tokens: 3 + version: 2 + - active: true + current_version: 1 + description: Configuration data + id: attachment-2 + type: json + versions: + - content_hash: ghi789 + created_at: '2025-01-01T12:00:00.000Z' + data: + key: value + nested: + field: 123 + estimated_tokens: 15 + version: 1 + total_token_estimate: 21 + description: Indicates a successful response + summary: List conversation attachments tags: - - Security Entity Analytics API + - agent builder + x-state: Technical Preview + x-metaTags: + - 
content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: > - Create or update an asset criticality record for a specific entity. + description: |- + **Spaces method and path for this operation:** +
post /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments
- If a record already exists for the specified entity, that record is - overwritten with the specified value. If a record doesn't exist for the - specified entity, a new record is created. - operationId: CreateAssetCriticalityRecord + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new attachment for a conversation with version tracking.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-conversations-conversation-id-attachments + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string requestBody: content: application/json: + examples: + createHiddenAttachmentExample: + description: Example request for creating a hidden attachment + value: + data: Internal system data + description: System context + hidden: true + type: text + createJsonAttachmentExample: + description: Example request for creating a JSON attachment with custom ID + value: + data: + configuration: + enabled: true + threshold: 50 + metadata: + source: user_input + description: Application settings + id: custom-attachment-id + type: json + createTextAttachmentExample: + description: Example request for creating a text attachment + value: + data: This is the content of my text attachment + description: Meeting notes + type: text schema: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord - - type: object - properties: - refresh: - description: >- - If 'wait_for' the request will wait for the index - refresh. - enum: - - wait_for - type: string - example: - criticality_level: high_impact - id_field: host.name - id_value: my_host - required: true + additionalProperties: false + type: object + properties: + data: + description: The attachment data/content. Required unless origin is provided. + nullable: true + description: + description: Human-readable description of the attachment. + type: string + hidden: + description: Whether the attachment should be hidden from the user. + type: boolean + id: + description: Optional custom ID for the attachment. 
+ type: string + origin: + description: Origin string (for example, saved object ID) for by-reference attachments. When provided without data, the content is resolved once at creation time. + type: string + type: + description: The type of the attachment (e.g., text, esql, visualization). + type: string + required: + - type + - data responses: '200': content: application/json: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - description: Successful response - '400': - description: Invalid request - summary: Upsert an asset criticality record + examples: + createAttachmentResponseExample: + description: Example response returning the created attachment + value: + attachment: + active: true + current_version: 1 + description: Meeting notes + id: att-abc123 + type: text + versions: + - content_hash: sha256-xyz + created_at: '2025-01-06T10:00:00.000Z' + data: This is the content of my text attachment + estimated_tokens: 12 + version: 1 + description: Indicates a successful response + summary: Create conversation attachment tags: - - Security Entity Analytics API - /api/asset_criticality/bulk: - post: - description: > - Bulk upsert up to 1000 asset criticality records. + - agent builder + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}: + delete: + description: |- + **Spaces method and path for this operation:** +
delete /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
- If asset criticality records already exist for the specified entities, - those records are overwritten with the specified values. If asset - criticality records don't exist for the specified entities, new records - are created. - operationId: BulkUpsertAssetCriticalityRecords + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an attachment. By default performs a soft delete (can be restored). Use permanent=true to permanently remove unreferenced attachments.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: delete-agent-builder-conversations-conversation-id-attachments-attachment-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string + - description: The unique identifier of the attachment to delete. + in: path + name: attachment_id + required: true + schema: + type: string + - description: If true, permanently removes the attachment (only for unreferenced attachments). + in: query + name: permanent + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + permanentDeleteAttachmentResponseExample: + description: Example response for permanent delete (cannot be restored) + value: + permanent: true + success: true + softDeleteAttachmentResponseExample: + description: Example response for soft delete (can be restored) + value: + permanent: false + success: true + description: Indicates a successful response + summary: Delete conversation attachment + tags: + - agent builder + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rename an attachment without creating a new version.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: patch-agent-builder-conversations-conversation-id-attachments-attachment-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string + - description: The unique identifier of the attachment to rename. + in: path + name: attachment_id + required: true + schema: + type: string requestBody: content: application/json: + examples: + renameAttachmentExample: + description: Example request for renaming an attachment + value: + description: Updated attachment name schema: - example: - records: - - criticality_level: low_impact - id_field: host.name - id_value: host-1 - - criticality_level: medium_impact - id_field: host.name - id_value: host-2 + additionalProperties: false type: object properties: - records: - items: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts - - type: object - properties: - criticality_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload - required: - - criticality_level - maxItems: 1000 - minItems: 1 - type: array + description: + description: The new description/name for the attachment. 
+ type: string required: - - records + - description responses: '200': content: application/json: - schema: - example: - errors: - - index: 0 - message: Invalid ID field - stats: - failed: 1 - successful: 1 - total: 2 - type: object - properties: - errors: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem - type: array - stats: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats - required: - - errors - - stats - description: Bulk upload successful - '413': - description: File too large - summary: Bulk upsert asset criticality records + examples: + renameAttachmentResponseExample: + description: Example response returning the renamed attachment (version unchanged) + value: + attachment: + active: true + current_version: 1 + description: Updated attachment name + id: att-abc123 + type: text + versions: + - content_hash: sha256-xyz + created_at: '2025-01-06T10:00:00.000Z' + data: Content remains the same + estimated_tokens: 10 + version: 1 + success: true + description: Indicates a successful response + summary: Rename attachment tags: - - Security Entity Analytics API - /api/asset_criticality/list: - get: - description: List asset criticality records, paging, sorting and filtering as needed. - operationId: FindAssetCriticalityRecords + - agent builder + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an attachment content. Creates a new version if content changed.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: put-agent-builder-conversations-conversation-id-attachments-attachment-id parameters: - - description: The field to sort by. - in: query - name: sort_field - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - enum: - - id_value - - id_field - - criticality_level - - '@timestamp' + example: 'true' type: string - - description: The order to sort by. - in: query - name: sort_direction - required: false + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true schema: - enum: - - asc - - desc type: string - - description: The page number to return. - in: query - name: page - required: false - schema: - minimum: 1 - type: integer - - description: The number of records to return per page. - in: query - name: per_page - required: false - schema: - maximum: 1000 - minimum: 1 - type: integer - - description: The kuery to filter by. - in: query - name: kuery - required: false + - description: The unique identifier of the attachment to update. + in: path + name: attachment_id + required: true schema: type: string + requestBody: + content: + application/json: + examples: + updateAttachmentContentExample: + description: Example request for updating attachment content + value: + data: This is the updated content + updateAttachmentWithDescriptionExample: + description: Example request for updating both content and description + value: + data: New content version + description: Updated meeting notes - v2 + schema: + additionalProperties: false + type: object + properties: + data: + description: The new attachment data/content. + nullable: true + description: + description: Optional new description for the attachment. 
+ type: string + required: + - data responses: '200': content: application/json: - schema: - example: - page: 1 - per_page: 10 - records: - - '@timestamp': '2024-08-02T14:40:35.705Z' - asset: - criticality: medium_impact - criticality_level: medium_impact - host: - asset: - criticality: medium_impact - name: my_other_host - id_field: host.name - id_value: my_other_host - - '@timestamp': '2024-08-02T11:15:34.290Z' - asset: - criticality: high_impact - criticality_level: high_impact - host: - asset: - criticality: high_impact - name: my_host - id_field: host.name - id_value: my_host - total: 2 - type: object - properties: - page: - minimum: 1 - type: integer - per_page: - maximum: 1000 - minimum: 1 - type: integer - records: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - type: array - total: - minimum: 0 - type: integer - required: - - records - - page - - per_page - - total - description: Successfully retrieved asset criticality records - summary: List asset criticality records + examples: + updateAttachmentResponseExample: + description: Example response returning the updated attachment with new version + value: + attachment: + active: true + current_version: 2 + description: Meeting notes + id: att-abc123 + type: text + versions: + - content_hash: sha256-abc + created_at: '2025-01-06T10:00:00.000Z' + data: Original content + estimated_tokens: 10 + version: 1 + - content_hash: sha256-def + created_at: '2025-01-06T11:00:00.000Z' + data: This is the updated content + estimated_tokens: 12 + version: 2 + new_version: 2 + description: Indicates a successful response + summary: Update conversation attachment tags: - - Security Entity Analytics API - /api/attack_discovery/_bulk: + - agent builder + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/_restore: post: - description: >- - 
Performs bulk updates on multiple Attack discoveries, including workflow - status changes and visibility settings. This endpoint allows efficient - batch processing of alert modifications without requiring individual API - calls for each alert. - operationId: PostAttackDiscoveryBulk + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/_restore
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Restore a soft-deleted attachment.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-conversations-conversation-id-attachments-attachment-id-restore + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string + - description: The unique identifier of the attachment to restore. + in: path + name: attachment_id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + restoreAttachmentResponseExample: + description: Example response returning the restored attachment + value: + attachment: + active: true + current_version: 1 + description: Restored attachment + id: att-abc123 + type: text + versions: + - content_hash: sha256-xyz + created_at: '2025-01-06T10:00:00.000Z' + data: Restored content + estimated_tokens: 10 + version: 1 + success: true + description: Indicates a successful response + summary: Restore deleted attachment + tags: + - agent builder + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/origin: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/origin
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update the origin reference for an attachment. Use this after saving a by-value attachment to link it to its persistent store.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: put-agent-builder-conversations-conversation-id-attachments-attachment-id-origin + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string + - description: The unique identifier of the attachment to update. + in: path + name: attachment_id + required: true + schema: + type: string requestBody: content: application/json: - example: - update: - enable_field_rendering: false - ids: - - >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - - >- - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 - kibana_alert_workflow_status: acknowledged - with_replacements: true + examples: + updateOriginExample: + description: Example request for linking an attachment to a saved visualization + value: + origin: abc123 schema: + additionalProperties: false type: object properties: - update: - description: >- - Configuration object containing all parameters for the bulk - update operation - type: object - properties: - enable_field_rendering: - default: false - description: >- - Enables a markdown syntax used to render pivot fields, - for example `{{ user.name james }}`. When disabled, the - same example would be rendered as `james`. This is - primarily used for Attack Discovery views within Kibana. - Defaults to `false`. 
- example: false - type: boolean - ids: - description: Array of Attack Discovery IDs to update - example: - - >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - - >- - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 - items: - type: string - type: array - kibana_alert_workflow_status: - description: >- - When provided, update the kibana.alert.workflow_status - of the attack discovery alerts - enum: - - open - - acknowledged - - closed - example: acknowledged - type: string - visibility: - description: >- - When provided, update the visibility of the alert, as - determined by the kibana.alert.attack_discovery.users - field - enum: - - not_shared - - shared - example: shared - type: string - with_replacements: - default: true - description: >- - When true, returns the updated Attack discoveries with - text replacements applied to the detailsMarkdown, - entitySummaryMarkdown, summaryMarkdown, and title - fields. This substitutes anonymized values with - human-readable equivalents. Defaults to `true`. - example: true - type: boolean - required: - - ids + origin: + description: The origin string (e.g., saved object ID for visualizations and dashboards). + type: string required: - - update - description: Bulk update parameters for Attack discoveries - required: true + - origin responses: '200': content: application/json: - example: - data: - - id: >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - title: Suspicious process execution on host-01 - workflow_status: acknowledged - schema: - type: object - properties: - data: - description: >- - Array of updated Attack Discovery alert objects. Each item - includes the applied modifications from the bulk update - request. - items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert - type: array - required: - - data - description: Indicates a successful call. 
- '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: >- - Human-readable error message describing what went wrong - with the bulk update request - example: Invalid request parameters. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - required: - - status_code - - error - - message - description: Bad Request response. - summary: Bulk update Attack discoveries + examples: + updateOriginResponseExample: + description: Example response returning the attachment with updated origin + value: + attachment: + active: true + current_version: 1 + description: Sales chart + id: att-123 + origin: abc123 + type: visualization + versions: + - content_hash: sha256-xyz + created_at: '2025-01-06T10:00:00.000Z' + data: + chart_type: bar + esql: FROM sales | STATS count=COUNT(*) BY month + query: Show monthly sales + visualization: {} + estimated_tokens: 50 + version: 1 + success: true + description: Indicates a successful response + summary: Update attachment origin tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/_bulk' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data-raw '{ - "update": { - "ids": [ - "c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f", - "5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7" - ], - "kibana_alert_workflow_status": "acknowledged" - } - }' - /api/attack_discovery/_find: + - agent builder + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments/stale: get: - description: >- - Find 
Attack discoveries that match the search criteria. Supports free - text search, filtering, pagination, and sorting. - operationId: AttackDiscoveryFind + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/stale
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Checks staleness for the latest version of all conversation attachments against their origin snapshot.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-conversations-conversation-id-attachments-stale parameters: - - description: >- - Filter results to Attack discoveries that include any of the - provided alert IDs - in: query - name: alert_ids - required: false - schema: - items: - type: string - type: array - - description: >- - Filter results to Attack discoveries created by any of the provided - human readable connector names. Note that values must match the - human readable `connector_name` property of an Attack discovery, - e.g. "GPT-5 Chat", which are distinct from `connector_id` values - used to generate Attack discoveries. - in: query - name: connector_names - required: false - schema: - items: - type: string - type: array - - description: >- - Enables a markdown syntax used to render pivot fields, for example - `{{ user.name james }}`. When disabled, the same example would be - rendered as `james`. This is primarily used for Attack Discovery - views within Kibana. Defaults to `false`. - example: false - in: query - name: enable_field_rendering - required: false - schema: - default: false - type: boolean - - description: >- - End of the time range for the search. Accepts absolute timestamps - (ISO 8601) or relative date math (e.g. "now", "now-24h"). - example: now - in: query - name: end - required: false - schema: - type: string - - description: Filter results to the Attack discoveries with the specified IDs - in: query - name: ids - required: false - schema: - items: - type: string - type: array - - description: >- - If `true`, the response will include `unique_alert_ids` and - `unique_alert_ids_count` aggregated across the matched Attack - discoveries - example: false - in: query - name: include_unique_alert_ids - required: false - schema: - type: boolean - - description: Page number to return (used for pagination). Defaults to 1. 
- example: 1 - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: integer - - description: >- - Number of Attack discoveries to return per page (used for - pagination). Defaults to 10. - example: 10 - in: query - name: per_page - required: false - schema: - default: 10 - minimum: 1 - type: integer - - description: >- - Free-text search query applied to relevant text fields of Attack - discoveries (title, description, tags, etc.) - example: '' - in: query - name: search - required: false - schema: - type: string - - description: >- - Whether to filter by shared visibility. If omitted, both shared and - privately visible Attack discoveries are returned. Use `true` to - return only shared discoveries, `false` to return only those visible - to the current user. - in: query - name: shared - required: false - schema: - type: boolean - - description: >- - Whether to filter by scheduled or ad-hoc attack discoveries. If - omitted, both types of attack discoveries are returned. Use `true` - to return only scheduled discoveries or `false` to return only - ad-hoc discoveries. - in: query - name: scheduled - required: false - schema: - type: boolean - - description: >- - Field used to sort results. See `AttackDiscoveryFindSortField` for - allowed values. - example: '@timestamp' - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryFindSortField - default: '@timestamp' - - description: >- - Sort order direction `asc` for ascending or `desc` for descending. - Defaults to `desc`. - example: desc - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_SortOrder' - default: desc - - description: >- - Start of the time range for the search. Accepts absolute timestamps - (ISO 8601) or relative date math (e.g. "now-7d"). 
- example: now-24h - in: query - name: start - required: false + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true schema: type: string - - description: >- - Filter by alert workflow status. Provide one or more of the allowed - workflow states. - example: - - open - - acknowledged - in: query - name: status - required: false - schema: - items: - enum: - - acknowledged - - closed - - open - type: string - type: array - - description: >- - When true, return the created Attack discoveries with text - replacements applied to the detailsMarkdown, entitySummaryMarkdown, - summaryMarkdown, and title fields. Defaults to `true`. - example: true - in: query - name: with_replacements - required: false - schema: - default: true - type: boolean responses: '200': content: application/json: - example: - connector_names: - - GPT-5 Chat - data: - - connector_name: GPT-5 Chat - id: >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - title: Suspicious process execution on host-01 - page: 1 - per_page: 10 - total: 1 - unique_alert_ids_count: 0 - schema: - type: object - properties: - connector_names: - description: >- - List of human readable connector names that are present in - the matched Attack discoveries. Useful for building client - filters or summaries. - items: - type: string - type: array - data: - description: >- - Array of matched Attack discovery objects. Each item - follows the `AttackDiscoveryApiAlert` schema. - items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert - type: array - page: - description: Current page number of the paginated result set. - type: integer - per_page: - description: Number of items requested per page. - type: integer - total: - description: >- - Total number of Attack discoveries matching the query - (across all pages). 
- type: integer - unique_alert_ids: - description: >- - List of unique alert IDs aggregated from the matched - Attack discoveries. Only present if - `include_unique_alert_ids=true` in the request. - items: - type: string - type: array - unique_alert_ids_count: - description: >- - Number of unique alert IDs across all matched Attack - discoveries. Only present if - `include_unique_alert_ids=true` in the request. - type: integer - required: - - connector_names - - data - - page - - per_page - - total - - unique_alert_ids_count - description: Indicates a successful call. - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request payload. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message - example: Invalid request payload. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - description: Bad Request response. - summary: Find Attack discoveries that match the search criteria + examples: + checkStaleAttachmentsResponseExample: + description: 'Mixed conversation: attachments without a stale source return only id and is_stale. When a staleness check fails for one attachment, is_stale is false and an error explains why. When an origin-backed attachment is out of date, the response includes type, origin, and resolved data (here a simple text body) for resync.' 
+ value: + attachments: + - id: att-text-meeting-notes + is_stale: false + - id: att-lens-active-users + is_stale: false + - error: Origin could not be resolved + id: att-query-attachment + is_stale: false + - data: This is the content of my text attachment + hidden: false + id: att-text-runbook + is_stale: true + origin: document:hr-onboarding-v2 + type: text + description: Indicates a successful response + summary: Check attachment staleness tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/_find?end=now&include_unique_alert_ids=false&page=1&per_page=10&search=&sort_field=%40timestamp&sort_order=desc&start=now-24h&status=open&status=acknowledged' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/_generate: + - agent builder + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/converse: post: - description: >- - Initiates the generation of attack discoveries by analyzing security - alerts using AI. Returns an execution UUID that can be used to track the - generation progress and retrieve results. Results may also be retrieved - via the find endpoint. - operationId: PostAttackDiscoveryGenerate + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/converse
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Send a message to an agent and receive a complete response. This synchronous endpoint waits for the agent to fully process your request before returning the final result. Use this for simple chat interactions where you need the complete response. To learn more, refer to the [agent chat documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/chat).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-converse + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: - example: - alertsIndexPattern: .alerts-security.alerts-default - anonymizationFields: - - allowed: true - anonymized: true - field: host.name - - allowed: true - anonymized: true - field: user.name - - allowed: true - anonymized: false - field: process.name - apiConfig: - actionTypeId: .gen-ai - connectorId: 12345678-1234-1234-1234-123456789012 - connectorName: GPT-5 Chat - end: now - replacements: {} - size: 100 - start: now-24h - subAction: invokeAI + examples: + converseRequestExample: + description: Example request to send a message to the agent as a part of the conversation + value: + agent_id: elastic-ai-agent + connector_id: my-connector-id + input: What is Elasticsearch? + converseRequestInferenceExample: + description: Example using inference_id (mutually exclusive with connector_id) + value: + agent_id: elastic-ai-agent + inference_id: my-inference-endpoint-id + input: What is Elasticsearch? schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenerationConfig - required: true + additionalProperties: false + type: object + properties: + _execution_mode: + description: '**Experimental; added in 9.4.0.** define how to execute the agent (local execution or via task_manager)' + enum: + - local + - task_manager + type: string + action: + description: The action to perform. "regenerate" re-executes the last round with the original input. Requires conversation_id. + enum: + - regenerate + type: string + agent_id: + default: elastic-ai-agent + description: The ID of the agent to chat with. Defaults to the default Elastic AI agent. 
+ type: string + attachments: + description: '**Technical Preview; added in 9.3.0.** Optional attachments to send with the message.' + items: + additionalProperties: false + type: object + properties: + data: + additionalProperties: + nullable: true + description: Payload of the attachment. Required unless `origin` is provided (content is resolved once at send time). + type: object + hidden: + description: When true, the attachment will not be displayed in the UI. + type: boolean + id: + description: Optional id for the attachment. + type: string + origin: + description: Origin string (for example, saved object ID) for by-reference attachments. When provided without `data`, the content is resolved once using the attachment type’s `resolve` hook. + type: string + type: + description: Type of the attachment. + type: string + required: + - type + type: array + browser_api_tools: + description: Optional browser API tools to be registered as LLM tools with browser.* namespace. These tools execute on the client side. + items: + additionalProperties: false + type: object + properties: + description: + description: Description of what the browser API tool does. + type: string + id: + description: Unique identifier for the browser API tool. + type: string + schema: + description: JSON Schema defining the tool parameters (JsonSchema7Type). + nullable: true + required: + - id + - description + - schema + type: array + capabilities: + additionalProperties: false + description: Controls agent capabilities during conversation. Currently supports visualization rendering for tabular tool results. + type: object + properties: + visualizations: + description: When true, allows the agent to render tabular data from tool results as interactive visualizations using custom XML elements in responses. + type: boolean + configuration_overrides: + additionalProperties: false + description: Runtime configuration overrides. 
These override the stored agent configuration for this execution only. + type: object + properties: + instructions: + description: Custom instructions for the agent. + type: string + tools: + description: Tool selection to enable for this execution. + items: + additionalProperties: false + type: object + properties: + tool_ids: + items: + type: string + type: array + required: + - tool_ids + type: array + connector_id: + description: Optional connector ID for the agent to use for model routing. Mutually exclusive with `inference_id`; omit or use only one. + nullable: true + type: string + conversation_id: + description: Optional existing conversation ID to continue a previous conversation. + type: string + inference_id: + description: Optional inference endpoint ID for model routing (public alias for the same internal identifier as `connector_id`). Mutually exclusive with `connector_id`. + nullable: true + type: string + input: + description: The user input message to send to the agent. + type: string + prompts: + additionalProperties: + additionalProperties: false + type: object + properties: + allow: + type: boolean + required: + - allow + description: Can be used to respond to a confirmation prompt. + type: object responses: '200': content: application/json: - example: - execution_uuid: edd26039-0990-4d9f-9829-2a1fcacb77b5 - schema: - type: object - properties: - execution_uuid: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString - description: >- - The unique identifier for the attack discovery generation - process. Use this UUID to track the generation progress - and retrieve results via the find endpoint. - example: edd26039-0990-4d9f-9829-2a1fcacb77b5 - required: - - execution_uuid - description: Indicates a successful call. - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. 
- status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message describing what went wrong - example: Invalid request parameters. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - required: - - status_code - - error - - message - description: Bad Request response. - summary: Generate attack discoveries from alerts + examples: + converseResponseExample: + description: Example response containing the chain of events representing a conversation with the agent + value: + conversation_id: 696ccd6d-4bff-4b26-a62e-522ccf2dcd16 + response: + message: Elasticsearch is a distributed, RESTful search and analytics engine capable of addressing a growing number of use cases. As the heart of the Elastic Stack, it centrally stores your data for lightning fast search, fine‑tuned relevancy, and powerful analytics that scale with ease. + steps: + - reasoning: Searching for official documentation or content that explains what Elasticsearch is + type: reasoning + - params: + query: what is elasticsearch definition overview introduction + progression: + - message: Selecting the best target for this query + results: + - data: + message: Could not figure out which index to use + type: error + tool_call_id: tooluse_shOdUwKIRwC9YhqGzeg0cQ + tool_id: platform.core.search + type: tool_call + description: Indicates a successful response + summary: Send chat message tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl + - agent builder + x-codeSamples: + - lang: curl source: | curl \ - --request POST 'http://localhost:5601/api/attack_discovery/_generate' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{ - "alertsIndexPattern": ".alerts-security.alerts-default", - "anonymizationFields": [ - { - "timestamp": "2025-07-30T13:33:44.029Z", - 
"createdAt": "2025-07-30T13:33:44.029Z", - "field": "@timestamp", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "aKiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.feature", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "saiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.data", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "sqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.entropy", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "s6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.extension", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "tKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.metrics", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "taiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.operation", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "tqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.path", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "t6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.score", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": 
"uKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.version", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "uaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "_id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "Z6iJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "agent.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "aaiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "cloud.availability_zone", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "aqiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "cloud.provider", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "a6iJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "cloud.region", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "bKiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "destination.ip", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "baiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "dns.question.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "bqiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "dns.question.type", - "allowed": true, - "anonymized": false, - "namespace": "default", 
- "id": "b6iJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "event.category", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "cKiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "event.dataset", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "caiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "event.module", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "cqiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "event.outcome", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "c6iJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "file.Ext.original.path", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "dKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "file.hash.sha256", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "daiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "file.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "dqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "file.path", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "d6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "group.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - 
"id": "eKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "group.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "eaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.asset.criticality", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "eqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.name", - "allowed": true, - "anonymized": true, - "namespace": "default", - "id": "e6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.os.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "fKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.os.version", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "faiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.risk.calculated_level", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "fqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.risk.calculated_score_norm", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "f6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.original_time", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "gKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.risk_score", - "allowed": 
true, - "anonymized": false, - "namespace": "default", - "id": "gaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.description", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "gqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "g6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.references", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "hKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.framework", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "haiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.tactic.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "hqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.tactic.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "h6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.tactic.reference", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "iKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.technique.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": 
"iaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.technique.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "iqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.technique.reference", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "i6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.technique.subtechnique.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "jKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.technique.subtechnique.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "jaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.technique.subtechnique.reference", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "jqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.severity", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "j6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.workflow_status", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "kKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "message", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "kaiJW5gB4U27o8XO8oLg" - }, - 
{ - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "network.protocol", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "kqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.Ext.memory_region.bytes_compressed_present", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "nKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.Ext.memory_region.malware_signature.all_names", + -X POST "${KIBANA_URL}/api/agent_builder/converse" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "input": "What is Elasticsearch?", + "agent_id": "elastic-ai-agent"}' + - lang: Console + source: | + POST kbn://api/agent_builder/converse + { + "input": "What is Elasticsearch?", + "agent_id": "elastic-ai-agent" + } + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/converse/async: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/converse/async
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Send a message to an agent and receive real-time streaming events. This asynchronous endpoint provides live updates as the agent processes your request, allowing you to see intermediate steps and progress. Use this for interactive experiences where you want to monitor the agent's thinking process. + + ## Event types + + The endpoint emits Server-Sent Events (SSE) with the following custom event types: + + `conversation_id_set` + + Sets the conversation ID. + + Schema: + ```json + { + "conversation_id": "uuid" + } + ``` + + --- + + `conversation_created` + + Fires when a new conversation is persisted and assigned an ID. + + Schema: + ```json + { + "conversation_id": "uuid", + "title": "conversation title" + } + ``` + + --- + + `conversation_updated` + + Fires when a conversation is updated. + + Schema: + ```json + { + "conversation_id": "uuid", + "title": "updated conversation title" + } + ``` + + --- + + `reasoning` + + Handles reasoning-related data. + + Schema: + ```json + { + "reasoning": "plain text reasoning content", + "transient": false + } + ``` + + --- + + `tool_call` + + Triggers when a tool is invoked. + + Schema: + ```json + { + "tool_call_id": "uuid", + "tool_id": "tool_name", + "params": {} + } + ``` + + --- + + `tool_progress` + + Reports progress of a running tool. + + Schema: + ```json + { + "tool_call_id": "uuid", + "message": "progress message" + } + ``` + + --- + + `tool_result` + + Returns results from a completed tool call. + + Schema: + ```json + { + "tool_call_id": "uuid", + "tool_id": "tool_name", + "results": [] + } + ``` + + **Note:** `results` is an array of `ToolResult` objects. + + --- + + `message_chunk` + + Streams partial text chunks. + + Schema: + ```json + { + "message_id": "uuid", + "text_chunk": "partial text" + } + ``` + + --- + + `message_complete` + + Indicates message stream is finished. 
+ + Schema: + ```json + { + "message_id": "uuid", + "message_content": "full text content of the message" + } + ``` + + --- + + `thinking_complete` + + Marks the end of the thinking/reasoning phase. + + Schema: + ```json + { + "time_to_first_token": 0 + } + ``` + + **Note:** `time_to_first_token` is in milliseconds. + + --- + + `round_complete` + + Marks end of one conversation round. + + Schema: + ```json + { + "round": {} + } + ``` + + **Note:** `round` contains the full round json object. + + --- + + ## Event flow + + A typical conversation round emits events in this sequence: + + 1. `reasoning` (potentially multiple, some transient) + 2. `tool_call` (if tools are used) + 3. `tool_progress` (zero or more progress updates) + 4. `tool_result` (when tool completes) + 5. `thinking_complete` + 6. `message_chunk` (multiple, as text streams) + 7. `message_complete` + 8. `round_complete` + +

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-converse-async + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + converseAsyncRequestExample: + description: Example request to send a message to the agent as a part of the conversation + value: + agent_id: elastic-ai-agent + conversation_id: c250305b-1929-4248-b568-b9e3f065fda5 + input: Hello + converseAsyncRequestInferenceExample: + description: Example using inference_id (mutually exclusive with connector_id) + value: + agent_id: elastic-ai-agent + inference_id: my-inference-endpoint-id + input: Hello + schema: + additionalProperties: false + type: object + properties: + _execution_mode: + description: '**Experimental; added in 9.4.0.** define how to execute the agent (local execution or via task_manager)' + enum: + - local + - task_manager + type: string + action: + description: The action to perform. "regenerate" re-executes the last round with the original input. Requires conversation_id. + enum: + - regenerate + type: string + agent_id: + default: elastic-ai-agent + description: The ID of the agent to chat with. Defaults to the default Elastic AI agent. + type: string + attachments: + description: '**Technical Preview; added in 9.3.0.** Optional attachments to send with the message.' + items: + additionalProperties: false + type: object + properties: + data: + additionalProperties: + nullable: true + description: Payload of the attachment. Required unless `origin` is provided (content is resolved once at send time). + type: object + hidden: + description: When true, the attachment will not be displayed in the UI. + type: boolean + id: + description: Optional id for the attachment. 
+ type: string + origin: + description: Origin string (for example, saved object ID) for by-reference attachments. When provided without `data`, the content is resolved once using the attachment type’s `resolve` hook. + type: string + type: + description: Type of the attachment. + type: string + required: + - type + type: array + browser_api_tools: + description: Optional browser API tools to be registered as LLM tools with browser.* namespace. These tools execute on the client side. + items: + additionalProperties: false + type: object + properties: + description: + description: Description of what the browser API tool does. + type: string + id: + description: Unique identifier for the browser API tool. + type: string + schema: + description: JSON Schema defining the tool parameters (JsonSchema7Type). + nullable: true + required: + - id + - description + - schema + type: array + capabilities: + additionalProperties: false + description: Controls agent capabilities during conversation. Currently supports visualization rendering for tabular tool results. + type: object + properties: + visualizations: + description: When true, allows the agent to render tabular data from tool results as interactive visualizations using custom XML elements in responses. + type: boolean + configuration_overrides: + additionalProperties: false + description: Runtime configuration overrides. These override the stored agent configuration for this execution only. + type: object + properties: + instructions: + description: Custom instructions for the agent. + type: string + tools: + description: Tool selection to enable for this execution. + items: + additionalProperties: false + type: object + properties: + tool_ids: + items: + type: string + type: array + required: + - tool_ids + type: array + connector_id: + description: Optional connector ID for the agent to use for model routing. Mutually exclusive with `inference_id`; omit or use only one. 
+ nullable: true + type: string + conversation_id: + description: Optional existing conversation ID to continue a previous conversation. + type: string + inference_id: + description: Optional inference endpoint ID for model routing (public alias for the same internal identifier as `connector_id`). Mutually exclusive with `connector_id`. + nullable: true + type: string + input: + description: The user input message to send to the agent. + type: string + prompts: + additionalProperties: + additionalProperties: false + type: object + properties: + allow: + type: boolean + required: + - allow + description: Can be used to respond to a confirmation prompt. + type: object + responses: + '200': + content: + text/event-stream: + examples: + converseAsyncResponseExample: + description: Example stream containing the chain of events representing a conversation with the agent + value: + - data: + data: + conversation_id: c250305b-1929-4248-b568-b9e3f065fda5 + event: conversation_id_set + - data: + data: + reasoning: Starting with a general search to understand what content is available. + event: reasoning + - data: + data: + params: + query: latest documents + tool_call_id: tooluse__2aJELgyRYqD8SDOKSiwtg + tool_id: platform.core.search + event: tool_call + - data: + data: + results: + - data: + message: Could not figure out which index to use + type: error + tool_call_id: tooluse__2aJELgyRYqD8SDOKSiwtg + event: tool_result + - data: + data: + round: + id: a5692d54-bc06-4a6e-aea1-412779c73f66 + input: + message: Hello + response: + message: Hello! How can I help you today? 
+ event: round_complete + description: Indicates a successful response + summary: Send chat message (streaming) + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/agent_builder/converse/async" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "input": "Hello again let us have an async chat", + "agent_id": "elastic-ai-agent", + "conversation_id": "" + }' + - lang: Console + source: | + POST kbn://api/agent_builder/converse/async + { + "input": "Hello again let's have an async chat", + "agent_id": "elastic-ai-agent", + "conversation_id": "" + } + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/mcp: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/mcp
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + > warn + > This endpoint is designed for MCP clients (Claude Desktop, Cursor, VS Code, etc.) and should not be used directly via REST APIs. Use MCP Inspector or native MCP clients instead. + To learn more, refer to the [MCP documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/mcp-server).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-mcp + parameters: + - description: Comma-separated list of namespaces to filter tools. Only tools matching the specified namespaces will be returned. + in: query + name: namespace + required: false + schema: + type: string + requestBody: + content: + application/json: + examples: + mcpInitializeRequestExample: + description: 'WARNING: DO NOT USE THIS ENDPOINT VIA REST API. These examples are auto-generated and should not be run. Integrate with MCP using MCP Inspector or native MCP clients (Claude Desktop, Cursor, VS Code) instead.' + value: + id: 1 + jsonrpc: '2.0' + method: initialize + params: + capabilities: {} + clientInfo: + name: test-client + version: 1.0.0 + protocolVersion: '2024-11-05' + schema: {} + responses: + '200': + content: + application/json: + examples: + mcpInitializeResponseExample: + description: Example response showing the successful result of communication initialisation over MCP protocol + value: + id: 1 + jsonrpc: '2.0' + result: + capabilities: + tools: + listChanged: true + protocolVersion: '2024-11-05' + serverInfo: + name: elastic-mcp-server + version: 0.0.1 + description: Indicates a successful response + summary: MCP server + tags: + - agent builder + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/plugins: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/plugins
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all installed plugins and their managed assets. Plugins are installable packages that bundle agent capabilities such as skills, following the [Claude agent plugin specification](https://code.claude.com/docs/en/plugins).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-plugins + parameters: [] + responses: + '200': + content: + application/json: + examples: + listPluginsResponseExample: + description: Example response that returns one installed plugin + value: + results: + - created_at: '2025-01-01T00:00:00.000Z' + description: Financial analysis tools and skills for Claude + id: financial-analysis + manifest: + author: + name: Anthropic + url: https://www.anthropic.com + keywords: + - finance + - analysis + repository: https://github.com/anthropics/financial-services-plugins + name: financial-analysis + skill_ids: + - financial-analysis-analyze-portfolio + source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + unmanaged_assets: + agents: [] + hooks: [] + lsp_servers: [] + mcp_servers: [] + output_styles: [] + updated_at: '2025-01-01T00:00:00.000Z' + version: 1.0.0 + description: Indicates a successful response + summary: List plugins + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/plugins" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/plugins + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/plugins/{pluginId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/plugins/{pluginId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an installed plugin by ID. This action cannot be undone.

[Required authorization] Route required privileges: agentBuilder:write. + operationId: delete-agent-builder-plugins-pluginid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the plugin. + in: path + name: pluginId + required: true + schema: + type: string + - description: If true, removes the plugin skills from agents that use them and then deletes the plugin. If false and any agent uses the plugin skills, the request returns 409 Conflict with the list of agents. + in: query + name: force + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + deletePluginResponseExample: + description: Example response showing that deletion of the plugin has been successful + value: + success: true + description: Indicates a successful response + summary: Delete a plugin + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/agent_builder/plugins/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/agent_builder/plugins/{id} + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/plugins/{pluginId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a specific plugin by ID.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-plugins-pluginid + parameters: + - description: The unique identifier of the plugin. + in: path + name: pluginId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getPluginByIdResponseExample: + description: Example response returning a single installed plugin + value: + created_at: '2025-01-01T00:00:00.000Z' + description: Financial analysis tools and skills for Claude + id: financial-analysis + manifest: + author: + name: Anthropic + url: https://www.anthropic.com + keywords: + - finance + - analysis + repository: https://github.com/anthropics/financial-services-plugins + name: financial-analysis + skill_ids: + - financial-analysis-analyze-portfolio + source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + unmanaged_assets: + agents: [] + hooks: [] + lsp_servers: [] + mcp_servers: [] + output_styles: [] + updated_at: '2025-01-01T00:00:00.000Z' + version: 1.0.0 + description: Indicates a successful response + summary: Get a plugin by id + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/plugins/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/plugins/{id} + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/plugins/install: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/plugins/install
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install a plugin from a [GitHub Claude plugin URL](https://code.claude.com/docs/en/plugins) or a direct ZIP URL. Plugins bundle agent capabilities such as skills.

[Required authorization] Route required privileges: agentBuilder:write. + operationId: post-agent-builder-plugins-install + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + installPluginFromGithubExample: + description: Example request for installing a plugin from a GitHub URL + value: + url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + installPluginFromZipExample: + description: Example request for installing a plugin from a direct zip URL + value: + url: https://my-server.example.com/my-plugin.zip + installPluginWithNameOverrideExample: + description: Example request for installing a plugin with a custom name + value: + plugin_name: my-custom-plugin-name + url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + schema: + additionalProperties: false + type: object + properties: + plugin_name: + description: Optional name override for the plugin. Defaults to the manifest name. + type: string + url: + description: URL to install the plugin from (GitHub URL or direct zip URL). 
+ type: string + required: + - url + responses: + '200': + content: + application/json: + examples: + installPluginResponseExample: + description: Example response returning the definition of the installed plugin + value: + created_at: '2025-01-01T00:00:00.000Z' + description: Financial analysis tools and skills for Claude + id: financial-analysis + manifest: + author: + name: Anthropic + url: https://www.anthropic.com + keywords: + - finance + - analysis + repository: https://github.com/anthropics/financial-services-plugins + name: financial-analysis + skill_ids: + - financial-analysis-analyze-portfolio + source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + unmanaged_assets: + agents: [] + hooks: [] + lsp_servers: [] + mcp_servers: [] + output_styles: [] + updated_at: '2025-01-01T00:00:00.000Z' + version: 1.0.0 + description: Indicates a successful response + summary: Install a plugin + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/agent_builder/plugins/install" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "url": "https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis" + }' + - lang: Console + source: | + POST kbn://api/agent_builder/plugins/install + { + "url": "https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis" + } + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/skills: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/skills
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all available skills (built-in and user-created).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-skills + parameters: + - description: Set to true to include skills from plugins. + in: query + name: include_plugins + required: false + schema: + default: false + type: boolean + responses: {} + summary: List skills + tags: + - agent builder + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/skills
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new user-defined skill.

[Required authorization] Route required privileges: agentBuilder:manageSkills. + operationId: post-agent-builder-skills + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + content: + description: Skill instructions content (markdown). + type: string + description: + description: Description of what the skill does. + type: string + id: + description: Unique identifier for the skill. + type: string + name: + description: Human-readable name for the skill. + type: string + referenced_content: + items: + additionalProperties: false + type: object + properties: + content: + description: Content of the reference. + type: string + name: + description: Name of the referenced content. + type: string + relativePath: + description: Relative path of the referenced content. + type: string + required: + - name + - relativePath + - content + maxItems: 100 + type: array + tool_ids: + default: [] + description: Tool IDs from the tool registry that this skill references. + items: + description: Tool ID from the tool registry. + type: string + maxItems: 100 + type: array + required: + - id + - name + - description + - content + responses: {} + summary: Create a skill + tags: + - agent builder + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/skills/{skillId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/skills/{skillId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a user-created skill by ID. If agents still reference the skill, the request returns 409 unless force=true, which removes the skill from agents first. Built-in skills cannot be deleted.

[Required authorization] Route required privileges: agentBuilder:manageSkills. + operationId: delete-agent-builder-skills-skillid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the skill. + in: path + name: skillId + required: true + schema: + maxLength: 512 + minLength: 1 + type: string + - description: If true, removes the skill from agents that use it and then deletes it. If false and any agent uses the skill, the request returns 409 Conflict with the list of agents. + in: query + name: force + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteSkillResponseExample: + description: Example response showing that the deletion operation was successful + value: + success: true + description: Indicates a successful response + summary: Delete a skill + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "https://${KIBANA_URL}/api/agent_builder/skills/{skillId}?force=false" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn:/api/agent_builder/skills/{skillId} + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/skills/{skillId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a specific skill by ID.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-skills-skillid + parameters: + - description: The unique identifier of the skill. + in: path + name: skillId + required: true + schema: + maxLength: 512 + minLength: 1 + type: string + responses: {} + summary: Get a skill by id + tags: + - agent builder + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/skills/{skillId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing user-created skill.

[Required authorization] Route required privileges: agentBuilder:manageSkills. + operationId: put-agent-builder-skills-skillid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the skill. + in: path + name: skillId + required: true + schema: + maxLength: 512 + minLength: 1 + type: string + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + content: + description: Updated skill instructions content. + type: string + description: + description: Updated description. + type: string + name: + description: Updated name for the skill. + type: string + referenced_content: + items: + additionalProperties: false + type: object + properties: + content: + description: Content of the reference. + type: string + name: + description: Name of the referenced content. + type: string + relativePath: + description: Relative path of the referenced content. + type: string + required: + - name + - relativePath + - content + maxItems: 100 + type: array + tool_ids: + description: Updated tool IDs from the tool registry. + items: + description: Updated tool ID. + type: string + maxItems: 100 + type: array + responses: {} + summary: Update a skill + tags: + - agent builder + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/tools: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/tools
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all available tools. Use this endpoint to retrieve complete tool definitions including their schemas and configuration requirements. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-tools + parameters: [] + responses: + '200': + content: + application/json: + examples: + listToolsResponseExample: + description: Example response returning a list of existing tools + value: + results: + - configuration: {} + description: |- + A powerful tool for searching and analyzing data within your Elasticsearch cluster. + It supports both full-text relevance searches and structured analytical queries. + + Use this tool for any query that involves finding documents, counting, aggregating, or summarizing data from a known index. + + Examples of queries: + - "find articles about serverless architecture" + - "search for support tickets mentioning 'billing issue' or 'refund request'" + - "what is our policy on parental leave?" + - "list all products where the category is 'electronics'" + - "show me the last 5 documents from that index" + - "show me the sales over the last year break down by month" + + Note: + - The 'index' parameter can be used to specify which index to search against. + If not provided, the tool will decide itself which is the best index to use. + - It is perfectly fine not to specify the 'index' parameter. It should only be specified when you already + know about the index and fields you want to search on, e.g. if the user explicitly specified it. + id: platform.core.search + readonly: true + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + index: + description: (optional) Index to search against. If not provided, will automatically select the best index to use based on the query. + type: string + query: + description: A natural language query expressing the search request + type: string + required: + - query + tags: [] + type: builtin + - configuration: {} + description: Retrieve the full content (source) of an Elasticsearch document based on its ID and index name. 
+ id: platform.core.get_document_by_id + readonly: true + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + id: + description: ID of the document to retrieve + type: string + index: + description: Name of the index to retrieve the document from + type: string + required: + - id + - index + tags: [] + type: builtin + - configuration: {} + description: |- + Execute an ES|QL query and return the results in a tabular format. + + **IMPORTANT**: This tool only **runs** queries; it does not write them. + Think of this as the final step after a query has been prepared. + + You **must** get the query from one of two sources before calling this tool: + 1. The output of the `platform.core.generate_esql` tool (if the tool is available). + 2. A verbatim query provided directly by the user. + + Under no circumstances should you invent, guess, or modify a query yourself for this tool. + If you need a query, use the `platform.core.generate_esql` tool first. 
+ id: platform.core.execute_esql + readonly: true + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + query: + description: The ES|QL query to execute + type: string + required: + - query + tags: [] + type: builtin + - configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Example ES|QL query tool for analyzing financial trades with time filtering + id: example-esql-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + description: Parameters needed to execute the query + type: object + properties: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + format: date-time + type: string + required: + - startTime + - limit + tags: + - analytics + - finance + type: esql + - configuration: + pattern: financial_* + description: Search tool specifically for financial data analysis and reporting + id: example-index-search-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + nlQuery: + description: A natural language query expressing the search request + type: string + required: + - nlQuery + tags: + - search + - finance + type: index_search + description: Indicates a successful response + summary: List tools + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "https://${KIBANA_URL}/api/agent_builder/tools" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET 
kbn:/api/agent_builder/tools + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/tools
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new tool. Use this endpoint to define a custom tool with specific functionality and configuration for use by agents. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. + operationId: post-agent-builder-tools + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + createEsqlToolRequest: + description: Example request to create an ESQL query tool with a pre-defined query + value: + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Example ES|QL query tool for analyzing financial trades with time filtering + id: example-esql-tool + tags: + - analytics + - finance + type: esql + createIndexSearchToolRequest: + description: Example request to create an index_search tool with a pre-defined index pattern + value: + configuration: + pattern: financial_* + description: Search tool specifically for financial data analysis and reporting + id: example-index-search-tool + tags: + - search + - finance + type: index_search + schema: + additionalProperties: false + type: object + properties: + configuration: + additionalProperties: + nullable: true + description: Tool-specific configuration parameters. See examples for details. + type: object + description: + default: '' + description: Description of what the tool does. + type: string + id: + description: Unique identifier for the tool. + type: string + tags: + default: [] + description: Optional tags for categorizing and organizing tools. + items: + description: Tag for categorizing the tool. + type: string + type: array + type: + description: The type of tool to create (e.g., esql, index_search). 
+ enum: + - esql + - index_search + - workflow + - mcp + type: string + required: + - id + - type + - configuration + responses: + '200': + content: + application/json: + examples: + createEsqlToolExample: + description: Example response returning a definition of ESQL tool created + value: + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Example ES|QL query tool for analyzing financial trades with time filtering + id: example-esql-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + description: Parameters needed to execute the query + type: object + properties: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + format: date-time + type: string + required: + - startTime + - limit + tags: + - analytics + - finance + type: esql + createIndexSearchToolExample: + description: Example response returning a definition of search tool tool created + value: + configuration: + pattern: financial_* + description: Search tool specifically for financial data analysis and reporting + id: example-index-search-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + nlQuery: + description: A natural language query expressing the search request + type: string + required: + - nlQuery + tags: + - search + - finance + type: index_search + description: Indicates a successful response + summary: Create a tool + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST 
"https://${KIBANA_URL}/api/agent_builder/tools" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "id": "example-esql-tool", + "type": "esql", + "description": "Example ES|QL query tool for analyzing financial trades with time filtering", + "tags": ["analytics", "finance"], + "configuration": { + "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", + "params": { + "startTime": { + "type": "date", + "description": "Start time for the analysis in ISO format" + }, + "limit": { + "type": "integer", + "description": "Maximum number of results to return" + } + } + } + }' + - lang: Console + source: | + POST kbn:/api/agent_builder/tools + { + "id": "example-esql-tool", + "type": "esql", + "description": "An ES|QL query tool for analyzing financial trades with time filtering", + "tags": ["analytics", "finance", "updated"], + "configuration": { + "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", + "params": { + "startTime": { + "type": "date", + "description": "Start time for the analysis in ISO format" + }, + "limit": { + "type": "integer", + "description": "Maximum number of results to return" + } + } + } + } + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/tools/_execute: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/tools/_execute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Run a tool with parameters. Use this endpoint to run a tool directly with specified inputs and optional external connector integration. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-tools-execute + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + executeBuiltinEsqlToolRequest: + description: Example request executing platform.core.execute_esql tool + value: + tool_id: platform.core.execute_esql + tool_params: + query: FROM financial_trades | LIMIT 3 + executeBuiltinToolRequest: + description: Example request executing platform.core.get_document_by_id tool + value: + tool_id: platform.core.get_document_by_id + tool_params: + id: TRD-20250805-0820a89f + index: financial_trades + executeCustomEsqlToolRequest: + description: Example request executing custom example-esql-tool tool + value: + tool_id: example-esql-tool + tool_params: + limit: 3 + startTime: '2024-01-01T00:00:00Z' + executeIndexSearchToolRequest: + description: Example request executing custom example-index-search-tool tool + value: + tool_id: example-index-search-tool + tool_params: + nlQuery: find trades with high execution prices above 100 + schema: + additionalProperties: false + type: object + properties: + connector_id: + description: Optional connector ID for tools that require external integrations. + type: string + tool_id: + description: The ID of the tool to execute. + type: string + tool_params: + additionalProperties: + nullable: true + description: Parameters to pass to the tool execution. 
See examples for details + type: object + required: + - tool_id + - tool_params + responses: + '200': + content: + application/json: + examples: + executeBuiltinEsqlToolExample: + description: Example response calling built-in platform.core.execute_esql tool + value: + results: + - data: + esql: FROM financial_trades | LIMIT 3 + type: query + - data: + columns: + - name: account_id + type: keyword + - name: execution_price + type: double + - name: symbol + type: keyword + - name: trade_type + type: keyword + query: FROM financial_trades | LIMIT 3 + source: esql + values: + - - ACC00179-1f91 + - 43.77000045776367 + - CVX + - sell + - - ACC00407-0bbb + - 660.4199829101562 + - V + - buy + - - ACC00179-1f91 + - 440.3599853515625 + - KO + - buy + tool_result_id: xTpT + type: esql_results + executeBuiltinToolExample: + description: Example response calling built-in platform.core.get_document_by_id tool + value: + results: + - data: + content: + account_id: ACC00271-fb5c + execution_price: 488.54 + execution_timestamp: '2025-08-05T08:04:11.649855' + last_updated: '2025-09-15T13:23:36' + order_status: executed + order_type: market + quantity: 131 + status_reason: fully_filled + symbol: EWL + trade_cost: 63998.74 + trade_id: TRD-20250805-0820a89f + trade_type: sell + partial: false + reference: + id: TRD-20250805-0820a89f + index: financial_trades + type: resource + executeCustomEsqlToolExample: + description: Example response calling custom example-esql-tool tool + value: + results: + - data: + columns: + - name: trade_count + type: long + - name: avg_price + type: double + - name: symbol + type: keyword + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + source: esql + values: + - - 2115 + - 89.33911587329621 + - US_T_BOND_20YR + - - 2112 + - 104.20854155945055 + - INTL_CORP_ASIA_D + - - 2105 + - 89.93244177666526 + - INTL_CORP_EU_B + 
tool_result_id: Voy8 + type: esql_results + executeIndexSearchToolExample: + description: Example response calling custom example-index-search-tool tool + value: + results: + - data: + esql: |- + FROM financial_trades + | WHERE execution_price > 100 + | LIMIT 100 + type: query + - data: + columns: + - name: account_id + type: keyword + - name: execution_price + type: double + - name: execution_timestamp + type: date + - name: symbol + type: keyword + - name: trade_type + type: keyword + query: |- + FROM financial_trades + | WHERE execution_price > 100 + | LIMIT 100 + source: esql + values: + - - ACC00407-0bbb + - 660.4199829101562 + - '2020-09-25T11:06:08.687Z' + - V + - buy + - - ACC00179-1f91 + - 440.3599853515625 + - '2025-08-07T21:56:45.377Z' + - KO + - buy + - - ACC00407-0bbb + - 132.8800048828125 + - '2020-11-19T04:39:13.655Z' + - JAP_JGB_10YR + - sell + tool_result_id: uE8y + type: esql_results + description: Indicates a successful response + summary: Run a tool + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "https://${KIBANA_URL}/api/agent_builder/tools/_execute" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "tool_id": "platform.core.search", + "tool_params": { + "query": "can you find john doe's email from the employee index?"} + } + }' + - lang: Console + source: | + POST kbn:/api/agent_builder/tools/_execute + { + "tool_id": "platform.core.search", + "tool_params": { + "query": "can you find john doe's email from the employee index?" + } + } + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/tools/{toolId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/tools/{toolId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a tool by ID. This action cannot be undone. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. + operationId: delete-agent-builder-tools-toolid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the tool to delete. + in: path + name: toolId + required: true + schema: + type: string + - description: If true, removes the tool from agents that use it and then deletes it. If false and any agent uses the tool, the request returns 409 Conflict with the list of agents. + in: query + name: force + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteAgentResponseExample: + description: Example response showing that the deletion operation was successful + value: + success: true + description: Indicates a successful response + summary: Delete a tool + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn:/api/agent_builder/tools/{toolId} + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/tools/{toolId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a specific tool by ID. Use this endpoint to retrieve the complete tool definition including its schema and configuration requirements. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-tools-toolid + parameters: + - description: The unique identifier of the tool to retrieve. + in: path + name: toolId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getBuiltinToolExample: + description: Example response returning built-in platform.core.search tool + value: + configuration: {} + description: |- + A powerful tool for searching and analyzing data within your Elasticsearch cluster. + It supports both full-text relevance searches and structured analytical queries. + + Use this tool for any query that involves finding documents, counting, aggregating, or summarizing data from a known index. + + Examples of queries: + - "find articles about serverless architecture" + - "search for support tickets mentioning 'billing issue' or 'refund request'" + - "what is our policy on parental leave?" + - "list all products where the category is 'electronics'" + - "show me the last 5 documents from that index" + - "show me the sales over the last year break down by month" + + Note: + - The 'index' parameter can be used to specify which index to search against. + If not provided, the tool will decide itself which is the best index to use. + - It is perfectly fine not to specify the 'index' parameter. It should only be specified when you already + know about the index and fields you want to search on, e.g. if the user explicitly specified it. + id: platform.core.search + readonly: true + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + index: + description: (optional) Index to search against. If not provided, will automatically select the best index to use based on the query. 
+ type: string + query: + description: A natural language query expressing the search request + type: string + required: + - query + tags: [] + type: builtin + getEsqlToolExample: + description: Example response returning custom example-esql-tool tool + value: + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Example ES|QL query tool for analyzing financial trades with time filtering + id: example-esql-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + description: Parameters needed to execute the query + type: object + properties: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + format: date-time + type: string + required: + - startTime + - limit + tags: + - analytics + - finance + type: esql + getIndexSearchToolExample: + description: Example response returning custom example-index-search-tool tool + value: + configuration: + pattern: financial_* + description: Search tool specifically for financial data analysis and reporting + id: example-index-search-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + nlQuery: + description: A natural language query expressing the search request + type: string + required: + - nlQuery + tags: + - search + - finance + type: index_search + description: Indicates a successful response + summary: Get a tool by id + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET 
"https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn:/api/agent_builder/tools/{toolId} + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/tools/{toolId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing tool. Use this endpoint to modify any aspect of the tool's configuration or metadata. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. + operationId: put-agent-builder-tools-toolid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the tool to update. + in: path + name: toolId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateEsqlToolRequest: + description: Example request to update the custom ESQL tool + value: + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + symbolPattern: + description: Pattern to filter symbols (e.g., 'US_*' for US instruments) + type: keyword + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime AND symbol LIKE ?symbolPattern | STATS trade_count=COUNT(*), avg_price=AVG(execution_price), total_volume=SUM(quantity) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Updated ES|QL query tool for comprehensive financial analysis with enhanced filtering + tags: + - analytics + - finance + - reporting + updateIndexSearchToolRequest: + description: Example request to update the custom Search tool + value: + description: Updated search tool for comprehensive financial data analysis, reporting, and compliance monitoring + tags: + - search + - finance + - compliance + - reporting + schema: + additionalProperties: false + type: object + properties: + configuration: + additionalProperties: + nullable: true + description: Updated tool-specific configuration parameters. See examples for details. + type: object + description: + description: Updated description of what the tool does. + type: string + tags: + description: Updated tags for categorizing and organizing tools. 
+ items: + description: Updated tag for categorizing the tool. + type: string + type: array + responses: + '200': + content: + application/json: + examples: + updateEsqlToolExample: + description: Example response showing the updated ESQL tool + value: + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + symbolPattern: + description: Pattern to filter symbols (e.g., 'US_*' for US instruments) + type: keyword + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime AND symbol LIKE ?symbolPattern | STATS trade_count=COUNT(*), avg_price=AVG(execution_price), total_volume=SUM(quantity) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Updated ES|QL query tool for comprehensive financial analysis with enhanced filtering + id: example-esql-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + description: Parameters needed to execute the enhanced query + type: object + properties: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + format: date-time + type: string + symbolPattern: + description: Pattern to filter symbols (e.g., 'US_*' for US instruments) + type: string + required: + - startTime + - symbolPattern + - limit + tags: + - analytics + - finance + - reporting + type: esql + updateIndexSearchToolExample: + description: Example response showing the updated Search tool + value: + configuration: + pattern: financial_* + description: Updated search tool for comprehensive financial data analysis, reporting, and compliance monitoring + id: example-index-search-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + nlQuery: + description: A natural language query 
expressing the search request + type: string + required: + - nlQuery + tags: + - search + - finance + - compliance + - reporting + type: index_search + description: Indicates a successful response + summary: Update a tool + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "description": "Updated ES|QL query tool for analyzing financial trades with time filtering", + "tags": ["analytics", "finance", "updated"], + "configuration": { + "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", + "params": { + "startTime": { + "type": "date", + "description": "Start time for the analysis in ISO format" + }, + "limit": { + "type": "integer", + "description": "Maximum number of results to return" + } + } + } + }' + - lang: Console + source: | + PUT kbn:/api/agent_builder/tools/{toolId} + { + "description": "Updated ES|QL query tool for analyzing financial trades with time filtering", + "tags": ["analytics", "finance", "updated"], + "configuration": { + "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", + "params": { + "startTime": { + "type": "date", + "description": "Start time for the analysis in ISO format" + }, + "limit": { + "type": "integer", + "description": "Maximum number of results to return" + } + } + } + } + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/alerting/rule/{id}: + delete: + operationId: delete-alerting-rule-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: 
true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Delete a rule + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/alerting/rule/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + get: + operationId: get-alerting-rule-id + parameters: + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getRuleResponse: + description: A response that contains information about an index threshold rule. + summary: Get an index threshold rule + value: + actions: [] + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + id: 3583a470-74f6-11ed-9801-35303b735aef + mute_all: false + muted_alert_ids: [] + name: my alert + notify_when: onActionGroupChange + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + throttle: null + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + schema: + additionalProperties: false + type: object + properties: + actions: + items: + additionalProperties: false + type: object + properties: + alerts_filter: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. 
+ items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + connector_type_id: + description: The type of connector. This property appears in responses but cannot be set in requests. + type: string + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. 
+ type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + - connector_type_id + - params + type: array + active_snoozes: + items: + description: List of active snoozes for the rule. + type: string + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + api_key_created_by_user: + description: Indicates whether the API key that is associated with the rule was created by the user. + nullable: true + type: boolean + api_key_owner: + description: The owner of the API key that is associated with the rule and used to run background tasks. + nullable: true + type: string + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + description: User-created content that describes alert causes and remdiation. + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + created_at: + description: The date and time that the rule was created. + type: string + created_by: + description: The identifier for the user that created the rule. 
+ nullable: true + type: string + enabled: + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + execution_status: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + description: Error message. + type: string + reason: + description: Reason for error. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + type: string + required: + - reason + - message + last_duration: + description: Duration of last execution of the rule. + type: number + last_execution_date: + description: The date and time when rule was executed last. + type: string + status: + description: Status of rule execution. + enum: + - ok + - active + - error + - warning + - pending + - unknown + type: string + warning: + additionalProperties: false + type: object + properties: + message: + description: Warning message. + type: string + reason: + description: Reason for warning. + enum: + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + type: string + required: + - reason + - message + required: + - status + - last_execution_date + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. 
+ maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + id: + description: The identifier for the rule. + type: string + is_snoozed_until: + description: The date when the rule will no longer be snoozed. + nullable: true + type: string + last_run: + additionalProperties: false + nullable: true + type: object + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. + nullable: true + type: number + ignored: + description: Number of ignored alerts during last run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: Number of recovered alerts during last run. + nullable: true + type: number + outcome: + description: Outcome of last run of the rule. Value could be succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: + items: + description: Outcome message generated during last rule run. + type: string + nullable: true + type: array + outcome_order: + description: Order of the outcome. + type: number + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + nullable: true + type: string + required: + - outcome + - alerts_count + mapped_params: + additionalProperties: + nullable: true + type: object + monitoring: + additionalProperties: false + description: Monitoring details of the rule. + type: object + properties: + run: + additionalProperties: false + description: Rule run details. + type: object + properties: + calculated_metrics: + additionalProperties: false + description: Calculation of different percentiles and success ratio. 
+ type: object + properties: + p50: + type: number + p95: + type: number + p99: + type: number + success_ratio: + type: number + required: + - success_ratio + history: + description: History of the rule run. + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule run. + type: number + outcome: + description: Outcome of last run of the rule. Value could be succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + success: + description: Indicates whether the rule run was successful. + type: boolean + timestamp: + description: Time of rule run. + type: number + required: + - success + - timestamp + type: array + last_run: + additionalProperties: false + type: object + properties: + metrics: + additionalProperties: false + type: object + properties: + duration: + description: Duration of most recent rule run. + type: number + gap_duration_s: + description: Duration in seconds of rule run gap. + nullable: true + type: number + gap_range: + additionalProperties: false + nullable: true + type: object + properties: + gte: + description: End of the gap range. + type: string + lte: + description: Start of the gap range. + type: string + required: + - lte + - gte + total_alerts_created: + description: Total number of alerts created during last rule run. + nullable: true + type: number + total_alerts_detected: + description: Total number of alerts detected during last rule run. + nullable: true + type: number + total_indexing_duration_ms: + description: Total time spent indexing documents during last rule run in milliseconds. + nullable: true + type: number + total_search_duration_ms: + description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. + nullable: true + type: number + timestamp: + description: Time of the most recent rule run. 
+ type: string + required: + - timestamp + - metrics + required: + - history + - calculated_metrics + - last_run + required: + - run + mute_all: + description: Indicates whether all alerts are muted. + type: boolean + muted_alert_ids: + items: + description: 'List of identifiers of muted alerts. ' + type: string + type: array + name: + description: ' The name of the rule.' + type: string + next_run: + description: Date and time of the next run of the rule. + nullable: true + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the rule. + type: object + revision: + description: The rule revision number. + type: number + rule_type_id: + description: The rule type identifier. + type: string + running: + description: Indicates whether the rule is running. + nullable: true + type: boolean + schedule: + additionalProperties: false + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + scheduled_task_id: + description: Identifier of the scheduled task. 
+ type: string + snooze_schedule: + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule snooze schedule. + type: number + id: + description: Identifier of the rule snooze schedule. + type: string + rRule: + additionalProperties: false + type: object + properties: + byhour: + items: + description: Indicates hours of the day to recur. + type: number + nullable: true + type: array + byminute: + items: + description: Indicates minutes of the hour to recur. + type: number + nullable: true + type: array + bymonth: + items: + description: Indicates months of the year that this rule should recur. + type: number + nullable: true + type: array + bymonthday: + items: + description: Indicates the days of the month to recur. + type: number + nullable: true + type: array + bysecond: + items: + description: Indicates seconds of the day to recur. + type: number + nullable: true + type: array + bysetpos: + items: + description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. + type: number + nullable: true + type: array + byweekday: + items: + anyOf: + - type: string + - type: number + description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. + nullable: true + type: array + byweekno: + items: + description: Indicates number of the week hours to recur. + type: number + nullable: true + type: array + byyearday: + items: + description: Indicates the days of the year that this rule should recur. + type: number + nullable: true + type: array + count: + description: Number of times the rule should recur until it stops. 
+ type: number + dtstart: + description: Rule start date in Coordinated Universal Time (UTC). + type: string + freq: + description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + type: integer + interval: + description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. + type: number + tzid: + description: Indicates timezone abbreviation. + type: string + until: + description: Recur the rule until this date. + type: string + wkst: + description: Indicates the start of week, defaults to Monday. + enum: + - MO + - TU + - WE + - TH + - FR + - SA + - SU + type: string + required: + - dtstart + - tzid + skipRecurrences: + items: + description: Skips recurrence of rule on this date. + type: string + type: array + required: + - duration + - rRule + type: array + tags: + items: + description: The tags for the rule. + type: string + type: array + throttle: + deprecated: true + description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + updated_at: + description: The date and time that the rule was updated most recently. + type: string + updated_by: + description: The identifier for the user that updated this rule most recently. + nullable: true + type: string + view_in_app_relative_url: + description: Relative URL to view rule in the app. 
+ nullable: true + type: string + required: + - id + - enabled + - name + - tags + - rule_type_id + - consumer + - schedule + - actions + - params + - created_by + - updated_by + - created_at + - updated_at + - api_key_owner + - mute_all + - muted_alert_ids + - execution_status + - revision + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Get rule details + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/rule/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + post: + operationId: post-alerting-rule-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. If it is omitted, an ID is randomly generated. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + createEsQueryEsqlRuleRequest: + description: | + Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications. + summary: Elasticsearch query rule (ES|QL) + value: + actions: + - frequency: + notify_when: onActiveAlert + summary: false + group: query matched + id: d0db1fe0-78d6-11ee-9177-f7d404c8c945 + params: + level: info + message: |- + Elasticsearch query rule '{{rule.name}}' is active: + - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}} + consumer: stackAlerts + name: my Elasticsearch query ESQL rule + params: + esqlQuery: + esql: FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != "GB" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10 + searchType: esqlQuery + size: 0 + threshold: + - 0 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 1 + timeWindowUnit: d + rule_type_id: .es-query + schedule: + interval: 1d + createEsQueryKqlRuleRequest: + description: Create an Elasticsearch query rule that uses Kibana query language (KQL). 
+ summary: Elasticsearch query rule (KQL) + value: + consumer: alerts + name: my Elasticsearch query KQL rule + params: + aggType: count + excludeHitsFromPreviousRun: true + groupBy: all + searchConfiguration: + index: 90943e30-9a47-11e8-b64d-95841ca0b247 + query: + language: kuery + query: '""geo.src : "US" ""' + searchType: searchSource + size: 100 + threshold: + - 1000 + thresholdComparator: '>' + timeWindowSize: 5 + timeWindowUnit: m + rule_type_id: .es-query + schedule: + interval: 1m + createEsQueryRuleRequest: + description: | + Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications. + summary: Elasticsearch query rule (DSL) + value: + actions: + - frequency: + notify_when: onThrottleInterval + summary: true + throttle: 1d + group: query matched + id: fdbece50-406c-11ee-850e-c71febc4ca7f + params: + level: info + message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts. + - frequency: + notify_when: onActionGroupChange + summary: false + group: recovered + id: fdbece50-406c-11ee-850e-c71febc4ca7f + params: + level: info + message: Recovered + consumer: alerts + name: my Elasticsearch query rule + params: + esQuery: '"""{"query":{"match_all" : {}}}"""' + index: + - kibana_sample_data_logs + size: 100 + threshold: + - 100 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 1 + timeWindowUnit: d + rule_type_id: .es-query + schedule: + interval: 1d + createIndexThresholdRuleRequest: + description: | + Create an index threshold rule that uses a server log connector to send notifications when the threshold is met. 
+ summary: Index threshold rule + value: + actions: + - frequency: + notify_when: onActionGroupChange + summary: false + group: threshold met + id: 48de3460-f401-11ed-9f8e-399c75a2deeb + params: + level: info + message: |- + Rule '{{rule.name}}' is active for group '{{context.group}}': + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date}} + alert_delay: + active: 3 + consumer: alerts + name: my rule + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - .test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + createTrackingContainmentRuleRequest: + description: | + Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary. 
+ summary: Tracking containment rule + value: + consumer: alerts + name: my tracking rule + params: + boundaryGeoField: location + boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc + boundaryIndexTitle: boundary* + boundaryNameField: name + boundaryType: entireIndex + dateField": '@timestamp' + entity: agent.keyword + geoField: geo.coordinates + index: kibana_sample_data_logs + indexId: 90943e30-9a47-11e8-b64d-95841ca0b247 + rule_type_id: .geo-containment + schedule: + interval: 1h + schema: + anyOf: + - discriminator: + propertyName: rule_type_id + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting' + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_es-query-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_transform-health-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting' + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting' + - additionalProperties: false + type: object + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. 
+ nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. 
+ type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the rule. + type: object + rule_type_id: + description: The rule type identifier. + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + responses: + '200': + content: + application/json: + examples: + createEsQueryEsqlRuleResponse: + description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL). + summary: Elasticsearch query rule (ES|QL) + value: + actions: + - connector_type_id: .server-log + frequency: + notify_when: onActiveAlert + summary: false + throttle: null + group: query matched + id: d0db1fe0-78d6-11ee-9177-f7d404c8c945 + params: + level: info + message: |- + Elasticsearch query rule '{{rule.name}}' is active: + - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}} + uuid: bfe370a3-531b-4855-bbe6-ad739f578844 + api_key_created_by_user: false + api_key_owner: elastic + consumer: stackAlerts + created_at: '2023-11-01T19:00:10.453Z' + created_by: elastic + enabled: true + execution_status: + last_execution_date: '2023-11-01T19:00:10.453Z' + status: pending + id: e0d62360-78e8-11ee-9177-f7d404c8c945 + mute_all: false + muted_alert_ids: [] + name: my Elasticsearch query ESQL rule + notify_when: null + params: + aggType: count + esqlQuery: + esql: FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != "GB" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10 + excludeHitsFromPreviousRun": true, + groupBy: all + searchType: esqlQuery + size: 0 + threshold: + - 0 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 1 + timeWindowUnit: d + revision: 0 + rule_type_id: .es-query + running: false + schedule: + interval: 1d + scheduled_task_id: e0d62360-78e8-11ee-9177-f7d404c8c945 + tags: [] + throttle: null + updated_at: '2023-11-01T19:00:10.453Z' + updated_by: elastic", + createEsQueryKqlRuleResponse: + 
description: The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL). + summary: Elasticsearch query rule (KQL) + value: + actions: [] + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2023-07-14T20:24:50.729Z' + created_by: elastic + enabled: true + execution_status: + last_execution_date: '2023-07-14T20:24:50.729Z' + status: pending + id: 7bd506d0-2284-11ee-8fad-6101956ced88 + mute_all: false + muted_alert_ids: [] + name: my Elasticsearch query KQL rule" + notify_when: null + params: + aggType: count + excludeHitsFromPreviousRun: true + groupBy: all + searchConfiguration: + index: 90943e30-9a47-11e8-b64d-95841ca0b247 + query: + language: kuery + query: '""geo.src : "US" ""' + searchType: searchSource + size: 100 + threshold: + - 1000 + thresholdComparator: '>' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .es-query + running: false + schedule: + interval: 1m + scheduled_task_id: 7bd506d0-2284-11ee-8fad-6101956ced88 + tags: [] + throttle: null + updated_at: '2023-07-14T20:24:50.729Z' + updated_by: elastic + createEsQueryRuleResponse: + description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL). + summary: Elasticsearch query rule (DSL) + value: + actions: + - connector_type_id: .server-log + frequency: + notify_when: onThrottleInterval + summary: true + throttle: 1d + group: query matched + id: fdbece50-406c-11ee-850e-c71febc4ca7f + params: + level: info + message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts. 
+ uuid: 53f3c2a3-e5d0-4cfa-af3b-6f0881385e78 + - connector_type_id: .server-log + frequency: + notify_when: onActionGroupChange + summary: false + throttle: null + group: recovered + id: fdbece50-406c-11ee-850e-c71febc4ca7f + params: + level: info + message: Recovered + uuid: 2324e45b-c0df-45c7-9d70-4993e30be758 + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2023-08-22T00:03:38.263Z' + created_by: elastic + enabled: true + execution_status: + last_execution_date: '2023-08-22T00:03:38.263Z' + status: pending + id: 58148c70-407f-11ee-850e-c71febc4ca7f + mute_all: false + muted_alert_ids: [] + name: my Elasticsearch query rule + notify_when: null + params: + aggType: count + esQuery: '"""{"query":{"match_all" : {}}}"""' + excludeHitsFromPreviousRun: true + groupBy: all + index: + - kibana_sample_data_logs + searchType: esQuery + size: 100 + threshold: + - 100 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 1 + timeWindowUnit: d + revision: 0 + rule_type_id: .es-query + running: false + schedule: + interval: 1d + scheduled_task_id: 58148c70-407f-11ee-850e-c71febc4ca7f + tags: [] + throttle: null + updated_at: '2023-08-22T00:03:38.263Z' + updated_by: elastic + createIndexThresholdRuleResponse: + description: The response for successfully creating an index threshold rule. 
+ summary: Index threshold rule + value: + actions: + - connector_type_id: .server-log + frequency: + notify_when: onActionGroupChange + summary: false + throttle: null + group: threshold met + id: dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2 + params: + level: info + message: |- + Rule {{rule.name}} is active for group {{context.group} : + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date}} + uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d + alert_delay: + active: 3 + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2022-06-08T17:20:31.632Z' + created_by: elastic + enabled: true + execution_status: + last_execution_date: '2022-06-08T17:20:31.632Z' + status: pending + id: 41893910-6bca-11eb-9e0d-85d233e3ee35 + mute_all: false + muted_alert_ids: [] + name: my rule + notify_when: null + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - .test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + running: false + schedule: + interval: 1m + scheduled_task_id: 425b0800-6bca-11eb-9e0d-85d233e3ee35 + tags: + - cpu + throttle: null + updated_at: '2022-06-08T17:20:31.632Z' + updated_by: elastic + createTrackingContainmentRuleResponse: + description: The response for successfully creating a tracking containment rule. 
+ summary: Tracking containment rule + value: + actions: [] + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2024-02-14T19:52:55.920Z' + created_by: elastic + enabled: true + execution_status: + last_duration: 74 + last_execution_date: '2024-02-15T03:25:38.125Z' + status: ok + id: b6883f9d-5f70-4758-a66e-369d7c26012f + last_run: + alerts_count: + active: 0 + ignored: 0 + new: 0 + recovered: 0 + outcome: succeeded + outcome_msg: null + outcome_order: 0 + warning: null + mute_all: false + muted_alert_ids: [] + name: my tracking rule + next_run: '2024-02-15T03:26:38.033Z' + notify_when: null + params: + boundaryGeoField: location + boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc + boundaryIndexTitle: boundary* + boundaryNameField: name + boundaryType: entireIndex + dateField: '@timestamp' + entity: agent.keyword + geoField: geo.coordinates + index: kibana_sample_data_logs + indexId: 90943e30-9a47-11e8-b64d-95841ca0b247 + revision: 1 + rule_type_id: .geo-containment + running: false + schedule: + interval: 1h + scheduled_task_id: b6883f9d-5f70-4758-a66e-369d7c26012f + tags: [] + throttle: null + updated_at: '2024-02-15T03:24:32.574Z' + updated_by: elastic + schema: + additionalProperties: false + type: object + properties: + actions: + items: + additionalProperties: false + type: object + properties: + alerts_filter: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. 
+ items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + connector_type_id: + description: The type of connector. This property appears in responses but cannot be set in requests. + type: string + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. 
+ type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + - connector_type_id + - params + type: array + active_snoozes: + items: + description: List of active snoozes for the rule. + type: string + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + api_key_created_by_user: + description: Indicates whether the API key that is associated with the rule was created by the user. + nullable: true + type: boolean + api_key_owner: + description: The owner of the API key that is associated with the rule and used to run background tasks. + nullable: true + type: string + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + description: User-created content that describes alert causes and remdiation. + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + created_at: + description: The date and time that the rule was created. + type: string + created_by: + description: The identifier for the user that created the rule. 
+ nullable: true + type: string + enabled: + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + execution_status: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + description: Error message. + type: string + reason: + description: Reason for error. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + type: string + required: + - reason + - message + last_duration: + description: Duration of last execution of the rule. + type: number + last_execution_date: + description: The date and time when rule was executed last. + type: string + status: + description: Status of rule execution. + enum: + - ok + - active + - error + - warning + - pending + - unknown + type: string + warning: + additionalProperties: false + type: object + properties: + message: + description: Warning message. + type: string + reason: + description: Reason for warning. + enum: + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + type: string + required: + - reason + - message + required: + - status + - last_execution_date + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. 
+ maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + id: + description: The identifier for the rule. + type: string + is_snoozed_until: + description: The date when the rule will no longer be snoozed. + nullable: true + type: string + last_run: + additionalProperties: false + nullable: true + type: object + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. + nullable: true + type: number + ignored: + description: Number of ignored alerts during last run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: Number of recovered alerts during last run. + nullable: true + type: number + outcome: + description: Outcome of last run of the rule. Value could be succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: + items: + description: Outcome message generated during last rule run. + type: string + nullable: true + type: array + outcome_order: + description: Order of the outcome. + type: number + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + nullable: true + type: string + required: + - outcome + - alerts_count + mapped_params: + additionalProperties: + nullable: true + type: object + monitoring: + additionalProperties: false + description: Monitoring details of the rule. + type: object + properties: + run: + additionalProperties: false + description: Rule run details. + type: object + properties: + calculated_metrics: + additionalProperties: false + description: Calculation of different percentiles and success ratio. 
+ type: object + properties: + p50: + type: number + p95: + type: number + p99: + type: number + success_ratio: + type: number + required: + - success_ratio + history: + description: History of the rule run. + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule run. + type: number + outcome: + description: Outcome of last run of the rule. Value could be succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + success: + description: Indicates whether the rule run was successful. + type: boolean + timestamp: + description: Time of rule run. + type: number + required: + - success + - timestamp + type: array + last_run: + additionalProperties: false + type: object + properties: + metrics: + additionalProperties: false + type: object + properties: + duration: + description: Duration of most recent rule run. + type: number + gap_duration_s: + description: Duration in seconds of rule run gap. + nullable: true + type: number + gap_range: + additionalProperties: false + nullable: true + type: object + properties: + gte: + description: End of the gap range. + type: string + lte: + description: Start of the gap range. + type: string + required: + - lte + - gte + total_alerts_created: + description: Total number of alerts created during last rule run. + nullable: true + type: number + total_alerts_detected: + description: Total number of alerts detected during last rule run. + nullable: true + type: number + total_indexing_duration_ms: + description: Total time spent indexing documents during last rule run in milliseconds. + nullable: true + type: number + total_search_duration_ms: + description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. + nullable: true + type: number + timestamp: + description: Time of the most recent rule run. 
+ type: string + required: + - timestamp + - metrics + required: + - history + - calculated_metrics + - last_run + required: + - run + mute_all: + description: Indicates whether all alerts are muted. + type: boolean + muted_alert_ids: + items: + description: 'List of identifiers of muted alerts. ' + type: string + type: array + name: + description: ' The name of the rule.' + type: string + next_run: + description: Date and time of the next run of the rule. + nullable: true + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the rule. + type: object + revision: + description: The rule revision number. + type: number + rule_type_id: + description: The rule type identifier. + type: string + running: + description: Indicates whether the rule is running. + nullable: true + type: boolean + schedule: + additionalProperties: false + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + scheduled_task_id: + description: Identifier of the scheduled task. 
+ type: string + snooze_schedule: + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule snooze schedule. + type: number + id: + description: Identifier of the rule snooze schedule. + type: string + rRule: + additionalProperties: false + type: object + properties: + byhour: + items: + description: Indicates hours of the day to recur. + type: number + nullable: true + type: array + byminute: + items: + description: Indicates minutes of the hour to recur. + type: number + nullable: true + type: array + bymonth: + items: + description: Indicates months of the year that this rule should recur. + type: number + nullable: true + type: array + bymonthday: + items: + description: Indicates the days of the month to recur. + type: number + nullable: true + type: array + bysecond: + items: + description: Indicates seconds of the day to recur. + type: number + nullable: true + type: array + bysetpos: + items: + description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. + type: number + nullable: true + type: array + byweekday: + items: + anyOf: + - type: string + - type: number + description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. + nullable: true + type: array + byweekno: + items: + description: Indicates number of the week hours to recur. + type: number + nullable: true + type: array + byyearday: + items: + description: Indicates the days of the year that this rule should recur. + type: number + nullable: true + type: array + count: + description: Number of times the rule should recur until it stops. 
+ type: number + dtstart: + description: Rule start date in Coordinated Universal Time (UTC). + type: string + freq: + description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + type: integer + interval: + description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. + type: number + tzid: + description: Indicates timezone abbreviation. + type: string + until: + description: Recur the rule until this date. + type: string + wkst: + description: Indicates the start of week, defaults to Monday. + enum: + - MO + - TU + - WE + - TH + - FR + - SA + - SU + type: string + required: + - dtstart + - tzid + skipRecurrences: + items: + description: Skips recurrence of rule on this date. + type: string + type: array + required: + - duration + - rRule + type: array + tags: + items: + description: The tags for the rule. + type: string + type: array + throttle: + deprecated: true + description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + updated_at: + description: The date and time that the rule was updated most recently. + type: string + updated_by: + description: The identifier for the user that updated this rule most recently. + nullable: true + type: string + view_in_app_relative_url: + description: Relative URL to view rule in the app. 
+ nullable: true + type: string + required: + - id + - enabled + - name + - tags + - rule_type_id + - consumer + - schedule + - actions + - params + - created_by + - updated_by + - created_at + - updated_at + - api_key_owner + - mute_all + - muted_alert_ids + - execution_status + - revision + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '409': + description: Indicates that the rule id is already in use. + summary: Create a rule + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + put: + operationId: put-alerting-rule-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateRuleRequest: + description: Update an index threshold rule that uses a server log connector to send notifications when the threshold is met. + summary: Index threshold rule + value: + actions: + - frequency: + notify_when: onActionGroupChange + summary: false + group: threshold met + id: 96b668d0-a1b6-11ed-afdf-d39a49596974 + params: + level: info + message: |- + Rule {{rule.name}} is active for group {{context.group}}: + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date}} + name: new name + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - .updated-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + schedule: + interval: 1m + tags: [] + schema: + additionalProperties: false + type: object + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). 
+ type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. 
Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. 
+ type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. 
+ maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the rule. + type: object + schedule: + additionalProperties: false + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + items: + description: The tags for the rule. + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - schedule + responses: + '200': + content: + application/json: + examples: + updateRuleResponse: + description: The response for successfully updating an index threshold rule. + summary: Index threshold rule + value: + actions: + - connector_type_id: .server-log + frequency: + notify_when: onActionGroupChange + summary: false + throttle: null + group: threshold met + id: 96b668d0-a1b6-11ed-afdf-d39a49596974 + params: + level: info + message: |- + Rule {{rule.name}} is active for group {{context.group}}: + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date} + uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2024-03-26T23:13:20.985Z' + created_by: elastic + enabled: true + execution_status: + last_duration: 52 + last_execution_date: '2024-03-26T23:22:51.390Z' + status: ok + id: ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74 + last_run: + alerts_count: + active: 0 + ignored: 0 + new: 0 + recovered: 0 + outcome: succeeded + outcome_msg: null + warning: null + mute_all: false + muted_alert_ids: [] + name: new name + next_run: '2024-03-26T23:23:51.316Z' + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - .updated-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 1 + rule_type_id: .index-threshold + running: false + schedule: + interval: 1m + scheduled_task_id: 4c5eda00-e74f-11ec-b72f-5b18752ff9ea + tags: [] + throttle: null + updated_at: '2024-03-26T23:22:59.949Z' + updated_by: elastic + schema: + additionalProperties: false + type: object + properties: + actions: + items: + additionalProperties: false + type: object + properties: + alerts_filter: + additionalProperties: false + 
description: Defines a period that limits whether the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. 
Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + connector_type_id: + description: The type of connector. This property appears in responses but cannot be set in requests. + type: string + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). 
Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + - connector_type_id + - params + type: array + active_snoozes: + items: + description: List of active snoozes for the rule. + type: string + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + api_key_created_by_user: + description: Indicates whether the API key that is associated with the rule was created by the user. + nullable: true + type: boolean + api_key_owner: + description: The owner of the API key that is associated with the rule and used to run background tasks. + nullable: true + type: string + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + description: User-created content that describes alert causes and remdiation. + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + created_at: + description: The date and time that the rule was created. + type: string + created_by: + description: The identifier for the user that created the rule. + nullable: true + type: string + enabled: + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + execution_status: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + description: Error message. + type: string + reason: + description: Reason for error. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + type: string + required: + - reason + - message + last_duration: + description: Duration of last execution of the rule. + type: number + last_execution_date: + description: The date and time when rule was executed last. + type: string + status: + description: Status of rule execution. + enum: + - ok + - active + - error + - warning + - pending + - unknown + type: string + warning: + additionalProperties: false + type: object + properties: + message: + description: Warning message. + type: string + reason: + description: Reason for warning. + enum: + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + type: string + required: + - reason + - message + required: + - status + - last_execution_date + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. 
+ type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + id: + description: The identifier for the rule. + type: string + is_snoozed_until: + description: The date when the rule will no longer be snoozed. + nullable: true + type: string + last_run: + additionalProperties: false + nullable: true + type: object + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. + nullable: true + type: number + ignored: + description: Number of ignored alerts during last run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: Number of recovered alerts during last run. + nullable: true + type: number + outcome: + description: Outcome of last run of the rule. Value could be succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: + items: + description: Outcome message generated during last rule run. + type: string + nullable: true + type: array + outcome_order: + description: Order of the outcome. + type: number + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + nullable: true + type: string + required: + - outcome + - alerts_count + mapped_params: + additionalProperties: + nullable: true + type: object + monitoring: + additionalProperties: false + description: Monitoring details of the rule. 
+ type: object + properties: + run: + additionalProperties: false + description: Rule run details. + type: object + properties: + calculated_metrics: + additionalProperties: false + description: Calculation of different percentiles and success ratio. + type: object + properties: + p50: + type: number + p95: + type: number + p99: + type: number + success_ratio: + type: number + required: + - success_ratio + history: + description: History of the rule run. + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule run. + type: number + outcome: + description: Outcome of last run of the rule. Value could be succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + success: + description: Indicates whether the rule run was successful. + type: boolean + timestamp: + description: Time of rule run. + type: number + required: + - success + - timestamp + type: array + last_run: + additionalProperties: false + type: object + properties: + metrics: + additionalProperties: false + type: object + properties: + duration: + description: Duration of most recent rule run. + type: number + gap_duration_s: + description: Duration in seconds of rule run gap. + nullable: true + type: number + gap_range: + additionalProperties: false + nullable: true + type: object + properties: + gte: + description: End of the gap range. + type: string + lte: + description: Start of the gap range. + type: string + required: + - lte + - gte + total_alerts_created: + description: Total number of alerts created during last rule run. + nullable: true + type: number + total_alerts_detected: + description: Total number of alerts detected during last rule run. + nullable: true + type: number + total_indexing_duration_ms: + description: Total time spent indexing documents during last rule run in milliseconds. 
+ nullable: true + type: number + total_search_duration_ms: + description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. + nullable: true + type: number + timestamp: + description: Time of the most recent rule run. + type: string + required: + - timestamp + - metrics + required: + - history + - calculated_metrics + - last_run + required: + - run + mute_all: + description: Indicates whether all alerts are muted. + type: boolean + muted_alert_ids: + items: + description: 'List of identifiers of muted alerts. ' + type: string + type: array + name: + description: ' The name of the rule.' + type: string + next_run: + description: Date and time of the next run of the rule. + nullable: true + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the rule. + type: object + revision: + description: The rule revision number. + type: number + rule_type_id: + description: The rule type identifier. + type: string + running: + description: Indicates whether the rule is running. 
+ nullable: true + type: boolean + schedule: + additionalProperties: false + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + scheduled_task_id: + description: Identifier of the scheduled task. + type: string + snooze_schedule: + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule snooze schedule. + type: number + id: + description: Identifier of the rule snooze schedule. + type: string + rRule: + additionalProperties: false + type: object + properties: + byhour: + items: + description: Indicates hours of the day to recur. + type: number + nullable: true + type: array + byminute: + items: + description: Indicates minutes of the hour to recur. + type: number + nullable: true + type: array + bymonth: + items: + description: Indicates months of the year that this rule should recur. + type: number + nullable: true + type: array + bymonthday: + items: + description: Indicates the days of the month to recur. + type: number + nullable: true + type: array + bysecond: + items: + description: Indicates seconds of the day to recur. + type: number + nullable: true + type: array + bysetpos: + items: + description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. + type: number + nullable: true + type: array + byweekday: + items: + anyOf: + - type: string + - type: number + description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. + nullable: true + type: array + byweekno: + items: + description: Indicates number of the week hours to recur. 
+ type: number + nullable: true + type: array + byyearday: + items: + description: Indicates the days of the year that this rule should recur. + type: number + nullable: true + type: array + count: + description: Number of times the rule should recur until it stops. + type: number + dtstart: + description: Rule start date in Coordinated Universal Time (UTC). + type: string + freq: + description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + type: integer + interval: + description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. + type: number + tzid: + description: Indicates timezone abbreviation. + type: string + until: + description: Recur the rule until this date. + type: string + wkst: + description: Indicates the start of week, defaults to Monday. + enum: + - MO + - TU + - WE + - TH + - FR + - SA + - SU + type: string + required: + - dtstart + - tzid + skipRecurrences: + items: + description: Skips recurrence of rule on this date. + type: string + type: array + required: + - duration + - rRule + type: array + tags: + items: + description: The tags for the rule. + type: string + type: array + throttle: + deprecated: true + description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + updated_at: + description: The date and time that the rule was updated most recently. + type: string + updated_by: + description: The identifier for the user that updated this rule most recently. 
+ nullable: true + type: string + view_in_app_relative_url: + description: Relative URL to view rule in the app. + nullable: true + type: string + required: + - id + - enabled + - name + - tags + - rule_type_id + - consumer + - schedule + - actions + - params + - created_by + - updated_by + - created_at + - updated_at + - api_key_owner + - mute_all + - muted_alert_ids + - execution_status + - revision + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + '409': + description: Indicates that the rule has already been updated by another user. + summary: Update a rule + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/alerting/rule/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_disable: + post: + operationId: post-alerting-rule-id-disable + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + disableRuleRequest: + description: A request that disables a rule and untracks all alerts that were generated by the rule. + summary: Disable a rule and untrack its alerts + value: + untrack: true + schema: + additionalProperties: false + nullable: true + type: object + properties: + untrack: + description: Defines whether this rule's alerts should be untracked. + type: boolean + x-oas-optional: true + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Disable a rule + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_enable: + post: + operationId: post-alerting-rule-id-enable + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Enable a rule + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_enable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_mute_all: + post: + operationId: post-alerting-rule-id-mute-all + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Mute all alerts + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_mute_all
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_unmute_all: + post: + operationId: post-alerting-rule-id-unmute-all + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Unmute all alerts + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_unmute_all
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_update_api_key: + post: + operationId: post-alerting-rule-id-update-api-key + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + '409': + description: Indicates that the rule has already been updated by another user. + summary: Update the API key for a rule + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_update_api_key
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/snooze_schedule: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/snooze_schedule
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + When you snooze a rule, the rule checks continue to run but alerts will not generate actions. You can snooze for a specified period of time and schedule single or recurring downtimes. + operationId: post-alerting-rule-id-snooze-schedule + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Identifier of the rule. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + snoozeRuleRecurringRequest: + description: A request that snoozes a rule every Monday for 8 hours, for 4 occurrences. + summary: Snooze a rule on a recurring weekly schedule + value: + schedule: + custom: + duration: 8h + recurring: + every: 1w + occurrences: 4 + onWeekDay: + - MO + start: '2025-03-17T09:00:00.000Z' + timezone: UTC + snoozeRuleRequest: + description: A request that snoozes a rule for 24 hours starting now. + summary: Snooze a rule for 24 hours + value: + schedule: + custom: + duration: 24h + start: '2025-03-12T12:00:00.000Z' + timezone: UTC + schema: + additionalProperties: false + type: object + properties: + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. 
It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + minimum: 1 + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + maximum: 12 + minimum: 1 + type: number + minItems: 1 + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + maximum: 31 + minimum: 1 + type: number + minItems: 1 + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + minItems: 1 + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. + type: string + required: + - start + - duration + required: + - schedule + responses: + '200': + content: + application/json: + examples: + snoozeRuleResponse: + description: A response that contains the created snooze schedule. + summary: Snooze schedule response + value: + schedule: + custom: + duration: 24h + start: '2025-03-12T12:00:00.000Z' + timezone: UTC + id: 9ac67950-6737-11ec-8ded-d7f6e1581b26 + schema: + additionalProperties: false + type: object + properties: + body: + additionalProperties: false + type: object + properties: + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' 
+ type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + minimum: 1 + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + maximum: 12 + minimum: 1 + type: number + minItems: 1 + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + maximum: 31 + minimum: 1 + type: number + minItems: 1 + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + minItems: 1 + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. + type: string + required: + - start + - duration + id: + description: Identifier of the snooze schedule. + type: string + required: + - id + required: + - schedule + required: + - body + description: Indicates a successful call. + '400': + description: Indicates an invalid schema. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given id does not exist. 
+ summary: Schedule a snooze for the rule + tags: + - alerting + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute: + post: + operationId: post-alerting-rule-rule-id-alert-alert-id-mute + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: rule_id + required: true + schema: + type: string + - description: The identifier for the alert. + in: path + name: alert_id + required: true + schema: + type: string + - description: Whether to validate the existence of the alert. + in: query + name: validate_alerts_existence + required: false + schema: + type: boolean + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule or alert with the given ID does not exist. + summary: Mute an alert + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute: + post: + operationId: post-alerting-rule-rule-id-alert-alert-id-unmute + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: rule_id + required: true + schema: + type: string + - description: The identifier for the alert. + in: path + name: alert_id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule or alert with the given ID does not exist. + summary: Unmute an alert + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}: + delete: + operationId: delete-alerting-rule-ruleid-snooze-schedule-scheduleid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: ruleId + required: true + schema: + type: string + - description: The identifier for the snooze schedule. + in: path + name: scheduleId + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given id does not exist. + summary: Delete a snooze schedule for a rule + tags: + - alerting + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rules/_find: + get: + operationId: get-alerting-rules-find + parameters: + - description: The number of rules to return per page. + in: query + name: per_page + required: false + schema: + default: 10 + minimum: 0 + type: number + - description: The page number to return. + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: number + - description: An Elasticsearch simple_query_string query that filters the objects in the response. + in: query + name: search + required: false + schema: + type: string + - description: The default operator to use for the simple_query_string. + in: query + name: default_search_operator + required: false + schema: + default: OR + enum: + - OR + - AND + type: string + - description: The fields to perform the simple_query_string parsed query against. + in: query + name: search_fields + required: false + schema: + items: + type: string + type: array + - description: Determines which field is used to sort the results. The field must exist in the `attributes` key of the response. + in: query + name: sort_field + required: false + schema: + type: string + - description: Determines the sort order. + in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + - description: Filters the rules that have a relation with the reference objects with a specific type and identifier. + in: query + name: has_reference + required: false + schema: + additionalProperties: false + nullable: true + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + - description: The fields to return in the `attributes` key of the response. + in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: 'A KQL string that you filter with an attribute from your saved object. 
It should look like `savedObjectType.attributes.title: "myTitle"`. However, if you used a direct attribute of a saved object, such as `updatedAt`, you must define your filter, for example, `savedObjectType.updatedAt > 2018-12-22`.' + in: query + name: filter + required: false + schema: + type: string + - in: query + name: filter_consumers + required: false + schema: + items: + description: List of consumers to filter. + type: string + type: array + responses: + '200': + content: + application/json: + examples: + findConditionalActionRulesResponse: + description: A response that contains information about an index threshold rule. + summary: Index threshold rule + value: + data: + - actions: + - frequency: + notify_when: onActionGroupChange + summary: false + throttle: null + group: threshold met + id: 9dca3e00-74f5-11ed-9801-35303b735aef + params: + connector_type_id: .server-log + level: info + message: |- + Rule {{rule.name}} is active for group {{context.group}}: + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date}} + uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61 + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + execution_status: + last_duration: 48 + last_execution_date: '2022-12-06T01:44:23.983Z' + status: ok + id: 3583a470-74f6-11ed-9801-35303b735aef + last_run: + alerts_count: + active: 0 + ignored: 0 + new: 0 + recovered: 0 + outcome: succeeded + outcome_msg: null + warning: null + mute_all: false + muted_alert_ids: [] + name: my alert + next_run: '2022-12-06T01:45:23.912Z' + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 1 + 
rule_type_id: .index-threshold + schedule: + interval: 1m + scheduled_task_id: 3583a470-74f6-11ed-9801-35303b735aef + tags: + - cpu + throttle: null + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + page: 1 + per_page: 10 + total: 1 + findRulesResponse: + description: A response that contains information about a security rule that has conditional actions. + summary: Security rule + value: + data: + - actions: + - alerts_filter: + query: + filters: + - $state: + store: appState + meta: + alias: null + disabled: false + field: client.geo.region_iso_code + index: c4bdca79-e69e-4d80-82a1-e5192c621bea + key: client.geo.region_iso_code + negate: false + params: + query: CA-QC + type: phrase + query: + match_phrase: + client.geo.region_iso_code: CA-QC + kql: '' + timeframe: + days: + - 7 + hours: + end: '17:00' + start: '08:00' + timezone: UTC + connector_type_id: .index + frequency: + notify_when: onActiveAlert + summary: true + throttle: null + group: default + id: 49eae970-f401-11ed-9f8e-399c75a2deeb + params: + documents: + - alert_id: + '[object Object]': null + context_message: + '[object Object]': null + rule_id: + '[object Object]': null + rule_name: + '[object Object]': null + uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61 + api_key_created_by_user: false + api_key_owner: elastic + consumer: siem + created_at: '2023-05-16T15:50:28.358Z' + created_by: elastic + enabled: true + execution_status: + last_duration: 166 + last_execution_date: '2023-05-16T20:26:49.590Z' + status: ok + id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb + last_run: + alerts_count: + active: 0 + ignored: 0 + new: 0 + recovered: 0 + outcome: succeeded + outcome_msg: + - Rule execution completed successfully + outcome_order: 0 + warning: null + mute_all: false + muted_alert_ids: [] + name: security_rule + next_run: '2023-05-16T20:27:49.507Z' + notify_when: null + params: + author: [] + description: A security threshold rule. 
+ exceptionsList: [] + falsePositives: [] + filters: [] + from: now-3660s + immutable: false + index: + - kibana_sample_data_logs + language: kuery + license: '' + maxSignals: 100 + meta: + from: 1h + kibana_siem_app_url: https://localhost:5601/app/security + outputIndex: '' + query: '*' + references: [] + riskScore: 21 + riskScoreMapping: [] + ruleId: an_internal_rule_id + severity: low + severityMapping: [] + threat: [] + threshold: + cardinality: [] + field: + - bytes + value: 1 + to: now + type: threshold + version: 1 + revision: 1 + rule_type_id: siem.thresholdRule + running: false + schedule: + interval: 1m + scheduled_task_id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb + tags: [] + throttle: null + updated_at: '2023-05-16T20:25:42.559Z' + updated_by: elastic + page: 1 + per_page: 10 + total: 1 + schema: + additionalProperties: false + type: object + properties: + actions: + items: + additionalProperties: false + type: object + properties: + alerts_filter: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. 
+ enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + connector_type_id: + description: The type of connector. This property appears in responses but cannot be set in requests. + type: string + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. 
+ type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + - connector_type_id + - params + type: array + active_snoozes: + items: + description: List of active snoozes for the rule. + type: string + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + api_key_created_by_user: + description: Indicates whether the API key that is associated with the rule was created by the user. + nullable: true + type: boolean + api_key_owner: + description: The owner of the API key that is associated with the rule and used to run background tasks. + nullable: true + type: string + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + description: User-created content that describes alert causes and remdiation. + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + created_at: + description: The date and time that the rule was created. + type: string + created_by: + description: The identifier for the user that created the rule. 
+ nullable: true + type: string + enabled: + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + execution_status: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + description: Error message. + type: string + reason: + description: Reason for error. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + type: string + required: + - reason + - message + last_duration: + description: Duration of last execution of the rule. + type: number + last_execution_date: + description: The date and time when rule was executed last. + type: string + status: + description: Status of rule execution. + enum: + - ok + - active + - error + - warning + - pending + - unknown + type: string + warning: + additionalProperties: false + type: object + properties: + message: + description: Warning message. + type: string + reason: + description: Reason for warning. + enum: + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + type: string + required: + - reason + - message + required: + - status + - last_execution_date + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. 
+ maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + id: + description: The identifier for the rule. + type: string + is_snoozed_until: + description: The date when the rule will no longer be snoozed. + nullable: true + type: string + last_run: + additionalProperties: false + nullable: true + type: object + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. + nullable: true + type: number + ignored: + description: Number of ignored alerts during last run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: Number of recovered alerts during last run. + nullable: true + type: number + outcome: + description: Outcome of last run of the rule. Value could be succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: + items: + description: Outcome message generated during last rule run. + type: string + nullable: true + type: array + outcome_order: + description: Order of the outcome. + type: number + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + nullable: true + type: string + required: + - outcome + - alerts_count + mapped_params: + additionalProperties: + nullable: true + type: object + monitoring: + additionalProperties: false + description: Monitoring details of the rule. + type: object + properties: + run: + additionalProperties: false + description: Rule run details. + type: object + properties: + calculated_metrics: + additionalProperties: false + description: Calculation of different percentiles and success ratio. 
+ type: object + properties: + p50: + type: number + p95: + type: number + p99: + type: number + success_ratio: + type: number + required: + - success_ratio + history: + description: History of the rule run. + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule run. + type: number + outcome: + description: Outcome of last run of the rule. Value could be succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + success: + description: Indicates whether the rule run was successful. + type: boolean + timestamp: + description: Time of rule run. + type: number + required: + - success + - timestamp + type: array + last_run: + additionalProperties: false + type: object + properties: + metrics: + additionalProperties: false + type: object + properties: + duration: + description: Duration of most recent rule run. + type: number + gap_duration_s: + description: Duration in seconds of rule run gap. + nullable: true + type: number + gap_range: + additionalProperties: false + nullable: true + type: object + properties: + gte: + description: End of the gap range. + type: string + lte: + description: Start of the gap range. + type: string + required: + - lte + - gte + total_alerts_created: + description: Total number of alerts created during last rule run. + nullable: true + type: number + total_alerts_detected: + description: Total number of alerts detected during last rule run. + nullable: true + type: number + total_indexing_duration_ms: + description: Total time spent indexing documents during last rule run in milliseconds. + nullable: true + type: number + total_search_duration_ms: + description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. + nullable: true + type: number + timestamp: + description: Time of the most recent rule run. 
+ type: string + required: + - timestamp + - metrics + required: + - history + - calculated_metrics + - last_run + required: + - run + mute_all: + description: Indicates whether all alerts are muted. + type: boolean + muted_alert_ids: + items: + description: 'List of identifiers of muted alerts. ' + type: string + type: array + name: + description: ' The name of the rule.' + type: string + next_run: + description: Date and time of the next run of the rule. + nullable: true + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the rule. + type: object + revision: + description: The rule revision number. + type: number + rule_type_id: + description: The rule type identifier. + type: string + running: + description: Indicates whether the rule is running. + nullable: true + type: boolean + schedule: + additionalProperties: false + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + scheduled_task_id: + description: Identifier of the scheduled task. 
+ type: string + snooze_schedule: + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule snooze schedule. + type: number + id: + description: Identifier of the rule snooze schedule. + type: string + rRule: + additionalProperties: false + type: object + properties: + byhour: + items: + description: Indicates hours of the day to recur. + type: number + nullable: true + type: array + byminute: + items: + description: Indicates minutes of the hour to recur. + type: number + nullable: true + type: array + bymonth: + items: + description: Indicates months of the year that this rule should recur. + type: number + nullable: true + type: array + bymonthday: + items: + description: Indicates the days of the month to recur. + type: number + nullable: true + type: array + bysecond: + items: + description: Indicates seconds of the day to recur. + type: number + nullable: true + type: array + bysetpos: + items: + description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. + type: number + nullable: true + type: array + byweekday: + items: + anyOf: + - type: string + - type: number + description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. + nullable: true + type: array + byweekno: + items: + description: Indicates number of the week hours to recur. + type: number + nullable: true + type: array + byyearday: + items: + description: Indicates the days of the year that this rule should recur. + type: number + nullable: true + type: array + count: + description: Number of times the rule should recur until it stops. 
+ type: number + dtstart: + description: Rule start date in Coordinated Universal Time (UTC). + type: string + freq: + description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + type: integer + interval: + description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. + type: number + tzid: + description: Indicates timezone abbreviation. + type: string + until: + description: Recur the rule until this date. + type: string + wkst: + description: Indicates the start of week, defaults to Monday. + enum: + - MO + - TU + - WE + - TH + - FR + - SA + - SU + type: string + required: + - dtstart + - tzid + skipRecurrences: + items: + description: Skips recurrence of rule on this date. + type: string + type: array + required: + - duration + - rRule + type: array + tags: + items: + description: The tags for the rule. + type: string + type: array + throttle: + deprecated: true + description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + updated_at: + description: The date and time that the rule was updated most recently. + type: string + updated_by: + description: The identifier for the user that updated this rule most recently. + nullable: true + type: string + view_in_app_relative_url: + description: Relative URL to view rule in the app. 
+ nullable: true + type: string + required: + - id + - enabled + - name + - tags + - rule_type_id + - consumer + - schedule + - actions + - params + - created_by + - updated_by + - created_at + - updated_at + - api_key_owner + - mute_all + - muted_alert_ids + - execution_status + - revision + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + summary: Get information about rules + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/rules/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rules/backfill/_find: + post: + operationId: post-alerting-rules-backfill-find + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The end date for filtering backfills. + in: query + name: end + required: false + schema: + type: string + - description: The page number to return. + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: number + - description: The number of backfills to return per page. + in: query + name: per_page + required: false + schema: + default: 10 + minimum: 0 + type: number + - description: A comma-separated list of rule identifiers. + in: query + name: rule_ids + required: false + schema: + type: string + - description: The initiator of the backfill, either `user` for manual backfills or `system` for automatic gap fills. + in: query + name: initiator + required: false + schema: + enum: + - user + - system + type: string + - description: The start date for filtering backfills. + in: query + name: start + required: false + schema: + type: string + - description: The field to sort backfills by. + in: query + name: sort_field + required: false + schema: + enum: + - createdAt + - start + type: string + - description: The sort order. 
+ in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + responses: + '200': + content: + application/json: + examples: + findBackfillResponse: + summary: Find backfills response + value: + data: + - created_at: '2024-01-30T00:00:00.000Z' + duration: 12h + enabled: true + id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 + initiator: user + rule: + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + id: 3583a470-74f6-11ed-9801-35303b735aef + name: my alert + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + schedule: + - interval: 12h + run_at: '2024-01-01T12:00:00.000Z' + status: pending + - interval: 12h + run_at: '2024-01-02T00:00:00.000Z' + status: pending + space_id: default + start: '2024-01-01T00:00:00.000Z' + status: pending + page: 1 + per_page: 10 + total: 1 + schema: + additionalProperties: false + type: object + properties: + data: + items: + additionalProperties: false + type: object + properties: + created_at: + type: string + duration: + type: string + enabled: + type: boolean + end: + type: string + id: + type: string + initiator: + enum: + - user + - system + type: string + initiator_id: + type: string + rule: + additionalProperties: false + type: object + properties: + api_key_created_by_user: + nullable: true + type: boolean + api_key_owner: + nullable: true + type: string + consumer: + type: string + created_at: + type: string + created_by: + nullable: true + type: string + enabled: + type: boolean + id: + type: string + name: + type: string + params: + additionalProperties: + nullable: true + 
description: The parameters for the rule. + type: object + revision: + type: number + rule_type_id: + type: string + schedule: + additionalProperties: false + type: object + properties: + interval: + type: string + required: + - interval + tags: + items: + type: string + type: array + updated_at: + type: string + updated_by: + nullable: true + type: string + required: + - id + - name + - tags + - rule_type_id + - params + - api_key_owner + - consumer + - enabled + - schedule + - created_by + - updated_by + - created_at + - updated_at + - revision + schedule: + items: + additionalProperties: false + type: object + properties: + interval: + type: string + run_at: + type: string + status: + enum: + - complete + - pending + - running + - error + - timeout + type: string + required: + - run_at + - status + - interval + type: array + space_id: + type: string + start: + type: string + status: + enum: + - complete + - pending + - running + - error + - timeout + type: string + required: + - id + - created_at + - duration + - enabled + - rule + - space_id + - initiator + - start + - status + - schedule + type: array + page: + type: number + per_page: + type: number + total: + type: number + required: + - page + - per_page + - total + - data + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + summary: Find backfills for rules + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rules/backfill/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rules/backfill/_schedule: + post: + operationId: post-alerting-rules-backfill-schedule + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + scheduleBackfillRequest: + summary: Schedule a backfill for an index threshold rule + value: + - ranges: + - end: '2024-01-02T00:00:00.000Z' + start: '2024-01-01T00:00:00.000Z' + rule_id: 3583a470-74f6-11ed-9801-35303b735aef + schema: + items: + additionalProperties: false + type: object + properties: + ranges: + items: + additionalProperties: false + type: object + properties: + end: + type: string + start: + type: string + required: + - start + - end + type: array + rule_id: + type: string + run_actions: + type: boolean + required: + - rule_id + - ranges + maxItems: 100 + minItems: 1 + type: array + responses: + '200': + content: + application/json: + examples: + scheduleBackfillResponse: + summary: Schedule backfill response + value: + - created_at: '2024-01-30T00:00:00.000Z' + duration: 12h + enabled: true + id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 + initiator: user + rule: + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + id: 3583a470-74f6-11ed-9801-35303b735aef + name: my alert + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + schedule: + - interval: 12h + run_at: '2024-01-01T12:00:00.000Z' + status: pending + - 
interval: 12h + run_at: '2024-01-02T00:00:00.000Z' + status: pending + space_id: default + start: '2024-01-01T00:00:00.000Z' + status: pending + schema: + items: + anyOf: + - additionalProperties: false + type: object + properties: + created_at: + type: string + duration: + type: string + enabled: + type: boolean + end: + type: string + id: + type: string + initiator: + enum: + - user + - system + type: string + initiator_id: + type: string + rule: + additionalProperties: false + type: object + properties: + api_key_created_by_user: + nullable: true + type: boolean + api_key_owner: + nullable: true + type: string + consumer: + type: string + created_at: + type: string + created_by: + nullable: true + type: string + enabled: + type: boolean + id: + type: string + name: + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the rule. + type: object + revision: + type: number + rule_type_id: + type: string + schedule: + additionalProperties: false + type: object + properties: + interval: + type: string + required: + - interval + tags: + items: + type: string + type: array + updated_at: + type: string + updated_by: + nullable: true + type: string + required: + - id + - name + - tags + - rule_type_id + - params + - api_key_owner + - consumer + - enabled + - schedule + - created_by + - updated_by + - created_at + - updated_at + - revision + schedule: + items: + additionalProperties: false + type: object + properties: + interval: + type: string + run_at: + type: string + status: + enum: + - complete + - pending + - running + - error + - timeout + type: string + required: + - run_at + - status + - interval + type: array + space_id: + type: string + start: + type: string + status: + enum: + - complete + - pending + - running + - error + - timeout + type: string + required: + - id + - created_at + - duration + - enabled + - rule + - space_id + - initiator + - start + - status + - schedule + - additionalProperties: false + type: 
object + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + rule: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + status: + type: number + required: + - message + - rule + required: + - error + type: array + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Schedule a backfill for rules + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rules/backfill/_schedule
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rules/backfill/{id}: + delete: + operationId: delete-alerting-rules-backfill-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the backfill. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a backfill with the given ID does not exist. + summary: Delete a backfill by ID + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/alerting/rules/backfill/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + get: + operationId: get-alerting-rules-backfill-id + parameters: + - description: The identifier for the backfill. + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getBackfillResponse: + summary: Get a backfill for an index threshold rule + value: + created_at: '2024-01-30T00:00:00.000Z' + duration: 12h + enabled: true + id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 + initiator: user + rule: + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + id: 3583a470-74f6-11ed-9801-35303b735aef + name: my alert + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + schedule: + - interval: 12h + run_at: '2024-01-01T12:00:00.000Z' + status: pending + - interval: 12h + run_at: '2024-01-02T00:00:00.000Z' + status: pending + space_id: default + start: '2024-01-01T00:00:00.000Z' + status: pending + schema: + additionalProperties: false + type: object + properties: + created_at: + type: string + duration: + type: string + enabled: + type: boolean + end: + type: string + id: + type: string + initiator: + enum: + - user + - system + type: string + initiator_id: + type: string + rule: + additionalProperties: false + type: object + properties: + api_key_created_by_user: + nullable: true + type: boolean + api_key_owner: + nullable: true + type: string + consumer: + type: string + created_at: + type: string + created_by: + nullable: true + type: string + enabled: + type: boolean + id: + type: string + 
name: + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the rule. + type: object + revision: + type: number + rule_type_id: + type: string + schedule: + additionalProperties: false + type: object + properties: + interval: + type: string + required: + - interval + tags: + items: + type: string + type: array + updated_at: + type: string + updated_by: + nullable: true + type: string + required: + - id + - name + - tags + - rule_type_id + - params + - api_key_owner + - consumer + - enabled + - schedule + - created_by + - updated_by + - created_at + - updated_at + - revision + schedule: + items: + additionalProperties: false + type: object + properties: + interval: + type: string + run_at: + type: string + status: + enum: + - complete + - pending + - running + - error + - timeout + type: string + required: + - run_at + - status + - interval + type: array + space_id: + type: string + start: + type: string + status: + enum: + - complete + - pending + - running + - error + - timeout + type: string + required: + - id + - created_at + - duration + - enabled + - rule + - space_id + - initiator + - start + - status + - schedule + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a backfill with the given ID does not exist. + summary: Get a backfill by ID + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/rules/backfill/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/apm/agent_keys: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/agent_keys
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new agent key for APM. + The user creating an APM agent API key must have at least the `manage_own_api_key` cluster privilege and the APM application-level privileges that it wishes to grant. + After it is created, you can copy the API key (Base64 encoded) and use it to to authorize requests from APM agents to the APM Server. + operationId: createAgentKey + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + application/json: + examples: + createAgentKeyRequest1: + $ref: '#/components/examples/APM_UI_agent_keys_object_post_request1' + schema: + $ref: '#/components/schemas/APM_UI_agent_keys_object' + required: true + responses: + '200': + content: + application/json: + examples: + createAgentKeyResponse1: + $ref: '#/components/examples/APM_UI_agent_keys_object_post_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_agent_keys_response' + description: Agent key created successfully + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + summary: Create an APM agent key + tags: + - APM agent keys + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/apm/fleet/apm_server_schema: + post: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/fleet/apm_server_schema
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + DEPRECATED: This endpoint is intended for internal use by Fleet integrations to push the APM Server configuration schema. Do not use for new integrations. It stores the provided schema object as a Kibana saved object. If Fleet migration is not available on the current deployment, the API returns a 404. + operationId: saveApmServerSchema + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + application/json: + schema: + type: object + properties: + schema: + additionalProperties: true + description: Schema object + example: + foo: bar + type: object + required: true + responses: + '200': + content: + application/json: + examples: + saveApmServerSchemaResponseExample1: + $ref: '#/components/examples/APM_UI_fleet_apm_server_schema_200_response1' + schema: + additionalProperties: false + description: The response body is intentionally empty for this endpoint. + type: object + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Save APM server schema + tags: + - APM server schema + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/apm/services/{serviceName}/annotation: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/services/{serviceName}/annotation
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new annotation for a specific service. + operationId: createAnnotation + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: The name of the service + in: path + name: serviceName + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + createAnnotationRequest1: + $ref: '#/components/examples/APM_UI_annotation_object_post_request1' + schema: + $ref: '#/components/schemas/APM_UI_create_annotation_object' + required: true + responses: + '200': + content: + application/json: + examples: + createAnnotationResponse1: + $ref: '#/components/examples/APM_UI_annotation_object_post_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_create_annotation_response' + description: Annotation created successfully + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Create a service annotation + tags: + - APM annotations + x-codeSamples: + - lang: Curl + source: | + curl -X POST \ + http://localhost:5601/api/apm/services/opbeans-java/annotation \ + -H 'Content-Type: application/json' \ + -H 'kbn-xsrf: true' \ + -H 'Authorization: Basic YhUlubWZhM0FDbnlQeE6WRtaW49FQmSGZ4RUWXdX' \ + -d '{ + "@timestamp": "2020-05-08T10:31:30.452Z", + "service": { + "version": "1.2" + }, + "message": "Deployment 1.2" + }' + x-metaTags: + - content: 
Kibana, Elastic Cloud Serverless + name: product_name + /api/apm/services/{serviceName}/annotation/search: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/services/{serviceName}/annotation/search
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Search for annotations related to a specific service. + operationId: getAnnotation + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: The name of the service + in: path + name: serviceName + required: true + schema: + type: string + - description: The environment to filter annotations by + in: query + name: environment + required: false + schema: + type: string + - description: The start date for the search + example: '2024-01-01T00:00:00.000Z' + in: query + name: start + required: false + schema: + format: date-time + type: string + - description: The end date for the search + example: '2024-01-31T23:59:59.999Z' + in: query + name: end + required: false + schema: + format: date-time + type: string + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_annotation_search_response' + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + summary: Search for annotations + tags: + - APM annotations + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/apm/settings/agent-configuration: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/apm/settings/agent-configuration
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an existing agent configuration. You must have `all` privileges for the APM and User Experience feature in Kibana. When successful, the configuration is removed and, if Fleet is enabled, APM package policies are synchronized accordingly. + operationId: deleteAgentConfiguration + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + application/json: + examples: + deleteAgentConfigurationRequest1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_delete_request1' + schema: + $ref: '#/components/schemas/APM_UI_delete_service_object' + required: true + responses: + '200': + content: + application/json: + examples: + deleteAgentConfigurationResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_delete_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_delete_agent_configurations_response' + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Delete agent configuration + tags: + - APM agent configuration + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/settings/agent-configuration
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve all agent configurations. You must have `read` privileges for the APM and User Experience feature in Kibana. If agent configuration is not available on the current deployment, the API returns a 404. + operationId: getAgentConfigurations + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + responses: + '200': + content: + application/json: + examples: + getAgentConfigurationsResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_get_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_agent_configurations_response' + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get a list of agent configurations + tags: + - APM agent configuration + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/apm/settings/agent-configuration
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create or update an agent configuration. You must have `all` privileges for the APM and User Experience feature in Kibana. When updating an existing configuration, the `?overwrite=true` query parameter is required. If the configuration already exists and `overwrite` is not set to `true`, the API returns a 400 error. When successful and Fleet is enabled, APM package policies are synchronized accordingly. + operationId: createUpdateAgentConfiguration + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: If the config exists ?overwrite=true is required + in: query + name: overwrite + schema: + type: boolean + requestBody: + content: + application/json: + examples: + createUpdateAgentConfigurationRequestExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_put_request1' + schema: + $ref: '#/components/schemas/APM_UI_agent_configuration_intake_object' + required: true + responses: + '200': + content: + application/json: + examples: + createUpdateAgentConfigurationResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_put_200_response1' + schema: + additionalProperties: false + description: The response body is intentionally empty for this endpoint. 
+ type: object + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Create or update agent configuration + tags: + - APM agent configuration + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/apm/settings/agent-configuration/agent_name: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/settings/agent-configuration/agent_name
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve `agentName` for a service. + operationId: getAgentNameForService + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: The name of the service + example: node + in: query + name: serviceName + required: true + schema: + type: string + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_service_agent_name_response' + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get agent name for service + tags: + - APM agent configuration + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/apm/settings/agent-configuration/environments: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/settings/agent-configuration/environments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve the available environments for a given service, to be used in agent configuration. You must have `read` privileges for the APM and User Experience feature in Kibana. If `serviceName` is omitted, environments across all services are returned. + operationId: getEnvironmentsForService + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: The name of the service. If omitted, environments across all services are returned. + example: opbeans-node + in: query + name: serviceName + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getEnvironmentsForServiceResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_environments_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_service_environments_response' + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get environments for service + tags: + - APM agent configuration + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/apm/settings/agent-configuration/search: + post: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/settings/agent-configuration/search
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + DEPRECATED: This endpoint is intended for internal use by APM agents to fetch their configuration and mark it as applied. Do not use for new integrations. It searches for a single agent configuration matching the given service, and optionally updates the `applied_by_agent` field when the provided `etag` matches the current configuration. + operationId: searchSingleConfiguration + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + application/json: + examples: + searchSingleConfigurationRequest1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_search_request1' + schema: + $ref: '#/components/schemas/APM_UI_search_agent_configuration_object' + required: true + responses: + '200': + content: + application/json: + examples: + searchSingleConfigurationResponse1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_search_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_search_agent_configuration_response' + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Lookup single agent configuration + tags: + - APM agent configuration + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/apm/settings/agent-configuration/view: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/settings/agent-configuration/view
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a single agent configuration matching the given service name and environment. You must have `read` privileges for the APM and User Experience feature in Kibana. If no matching configuration is found, the API returns a 404. + operationId: getSingleAgentConfiguration + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: Service name + example: node + in: query + name: name + schema: + type: string + - description: Service environment + example: prod + in: query + name: environment + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getSingleAgentConfigurationResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_view_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_single_agent_configuration_response' + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get single agent configuration + tags: + - APM agent configuration + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/apm/sourcemaps: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/sourcemaps
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an array of Fleet artifacts, including source map uploads. You must have `read` or `all` Kibana privileges for the APM and User Experience feature. + operationId: getSourceMaps + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: Page number + in: query + name: page + schema: + type: number + - description: Number of records per page + in: query + name: perPage + schema: + type: number + responses: + '200': + content: + application/json: + examples: + getSourceMapsResponse1: + $ref: '#/components/examples/APM_UI_source_maps_get_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_source_maps_response' + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + '501': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_501_response' + description: Not Implemented response + summary: Get source maps + tags: + - APM sourcemaps + x-codeSamples: + - lang: Curl + source: | + curl -X GET "http://localhost:5601/api/apm/sourcemaps" \ + -H 'Content-Type: application/json' \ + -H 'kbn-xsrf: true' \ + -H 'Authorization: ApiKey ${YOUR_API_KEY}' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/sourcemaps
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upload a source map for a specific service and version. You must have `all` Kibana privileges for the APM and User Experience feature. + The maximum payload size is `1mb`. If you attempt to upload a source map that exceeds the maximum payload size, you will get a 413 error. Before uploading source maps that exceed this default, change the maximum payload size allowed by Kibana with the `server.maxPayload` variable. + operationId: uploadSourceMap + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + multipart/form-data: + schema: + $ref: '#/components/schemas/APM_UI_upload_source_map_object' + required: true + responses: + '200': + content: + application/json: + examples: + uploadSourceMapResponse1: + $ref: '#/components/examples/APM_UI_source_maps_upload_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_upload_source_maps_response' + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + '501': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_501_response' + description: Not Implemented response + summary: Upload a source map + tags: + - APM sourcemaps + x-codeSamples: + - lang: Curl + source: | + curl -X POST "http://localhost:5601/api/apm/sourcemaps" \ + -H 'Content-Type: multipart/form-data' 
\ + -H 'kbn-xsrf: true' \ + -H 'Authorization: ApiKey ${YOUR_API_KEY}' \ + -F 'service_name="foo"' \ + -F 'service_version="1.0.0"' \ + -F 'bundle_filepath="/test/e2e/general-usecase/bundle.js"' \ + -F 'sourcemap="{\"version\":3,\"file\":\"static/js/main.chunk.js\",\"sources\":[\"fleet-source-map-client/src/index.css\",\"fleet-source-map-client/src/App.js\",\"webpack:///./src/index.css?bb0a\",\"fleet-source-map-client/src/index.js\",\"fleet-source-map-client/src/reportWebVitals.js\"],\"sourcesContent\":[\"content\"],\"mappings\":\"mapping\",\"sourceRoot\":\"\"}"' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/apm/sourcemaps/{id}: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/apm/sourcemaps/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a previously uploaded source map. You must have `all` Kibana privileges for the APM and User Experience feature. + operationId: deleteSourceMap + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: Source map identifier + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + deleteSourceMapResponseExample1: + $ref: '#/components/examples/APM_UI_source_maps_delete_200_response1' + schema: + additionalProperties: false + description: The response body is intentionally empty for this endpoint. + type: object + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + '501': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_501_response' + description: Not Implemented response + summary: Delete source map + tags: + - APM sourcemaps + x-codeSamples: + - lang: Curl + source: | + curl -X DELETE "http://localhost:5601/api/apm/sourcemaps/apm:foo-1.0.0-644fd5a9" \ + -H 'Content-Type: application/json' \ + -H 'kbn-xsrf: true' \ + -H 'Authorization: ApiKey ${YOUR_API_KEY}' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/asset_criticality: + delete: + description: |- + **Spaces method and path for this 
operation:** + +
delete /s/{space_id}/api/asset_criticality
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete the asset criticality record for a specific entity. + operationId: DeleteAssetCriticalityRecord + parameters: + - description: The ID value of the asset. + example: my_host + in: query + name: id_value + required: true + schema: + type: string + - description: The field representing the ID. + example: host.name + in: query + name: id_field + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' + - description: If 'wait_for' the request will wait for the index refresh. + in: query + name: refresh + required: false + schema: + enum: + - wait_for + type: string + responses: + '200': + content: + application/json: + schema: + type: object + properties: + deleted: + description: True if the record was deleted or false if the record did not exist. + type: boolean + record: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' + description: The deleted record if it existed. + required: + - deleted + description: Successful response + '400': + description: Invalid request + summary: Delete an asset criticality record + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/asset_criticality
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the asset criticality record for a specific entity. + operationId: GetAssetCriticalityRecord + parameters: + - description: The ID value of the asset. + example: my_host + in: query + name: id_value + required: true + schema: + type: string + - description: The field representing the ID. + example: host.name + in: query + name: id_field + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' + description: Successful response + '400': + description: Invalid request + '404': + description: Criticality record not found + summary: Get an asset criticality record + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/asset_criticality
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create or update an asset criticality record for a specific entity. + + If a record already exists for the specified entity, that record is overwritten with the specified value. If a record doesn't exist for the specified entity, a new record is created. + operationId: CreateAssetCriticalityRecord + requestBody: + content: + application/json: + schema: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord' + - type: object + properties: + refresh: + description: If 'wait_for' the request will wait for the index refresh. + enum: + - wait_for + type: string + example: + criticality_level: high_impact + id_field: host.name + id_value: my_host + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' + description: Successful response + '400': + description: Invalid request + summary: Upsert an asset criticality record + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/asset_criticality/bulk: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/asset_criticality/bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk upsert up to 1000 asset criticality records. + + If asset criticality records already exist for the specified entities, those records are overwritten with the specified values. If asset criticality records don't exist for the specified entities, new records are created. + operationId: BulkUpsertAssetCriticalityRecords + requestBody: + content: + application/json: + schema: + example: + records: + - criticality_level: low_impact + id_field: host.name + id_value: host-1 + - criticality_level: medium_impact + id_field: host.name + id_value: host-2 + type: object + properties: + records: + items: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts' + - type: object + properties: + criticality_level: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload' + required: + - criticality_level + maxItems: 1000 + minItems: 1 + type: array + required: + - records + responses: + '200': + content: + application/json: + schema: + example: + errors: + - index: 0 + message: Invalid ID field + stats: + failed: 1 + successful: 1 + total: 2 + type: object + properties: + errors: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem' + type: array + stats: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats' + required: + - errors + - stats + description: Bulk upload successful + '413': + description: File too large + summary: Bulk upsert asset criticality records + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/asset_criticality/list: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/asset_criticality/list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List asset criticality records, paging, sorting and filtering as needed. + operationId: FindAssetCriticalityRecords + parameters: + - description: The field to sort by. + in: query + name: sort_field + required: false + schema: + enum: + - id_value + - id_field + - criticality_level + - '@timestamp' + type: string + - description: The order to sort by. + in: query + name: sort_direction + required: false + schema: + enum: + - asc + - desc + type: string + - description: The page number to return. + in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - description: The number of records to return per page. + in: query + name: per_page + required: false + schema: + maximum: 1000 + minimum: 1 + type: integer + - description: The kuery to filter by. + in: query + name: kuery + required: false + schema: + type: string + responses: + '200': + content: + application/json: + schema: + example: + page: 1 + per_page: 10 + records: + - '@timestamp': '2024-08-02T14:40:35.705Z' + asset: + criticality: medium_impact + criticality_level: medium_impact + host: + asset: + criticality: medium_impact + name: my_other_host + id_field: host.name + id_value: my_other_host + - '@timestamp': '2024-08-02T11:15:34.290Z' + asset: + criticality: high_impact + criticality_level: high_impact + host: + asset: + criticality: high_impact + name: my_host + id_field: host.name + id_value: my_host + total: 2 + type: object + properties: + page: + minimum: 1 + type: integer + per_page: + maximum: 1000 + minimum: 1 + type: integer + records: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' + type: array + total: + minimum: 0 + type: integer + required: + - records + - page + - per_page + - total + description: Successfully retrieved asset criticality records + summary: List asset criticality records + tags: + - Security Entity 
Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/_bulk: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/_bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Performs bulk updates on multiple Attack discoveries, including workflow status changes and visibility settings. This endpoint allows efficient batch processing of alert modifications without requiring individual API calls for each alert. + operationId: PostAttackDiscoveryBulk + requestBody: + content: + application/json: + example: + update: + enable_field_rendering: false + ids: + - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 + kibana_alert_workflow_status: acknowledged + with_replacements: true + schema: + type: object + properties: + update: + description: Configuration object containing all parameters for the bulk update operation + type: object + properties: + enable_field_rendering: + default: false + description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`. 
+ example: false + type: boolean + ids: + description: Array of Attack Discovery IDs to update + example: + - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 + items: + type: string + type: array + kibana_alert_workflow_status: + description: When provided, update the kibana.alert.workflow_status of the attack discovery alerts + enum: + - open + - acknowledged + - closed + example: acknowledged + type: string + visibility: + description: When provided, update the visibility of the alert, as determined by the kibana.alert.attack_discovery.users field + enum: + - not_shared + - shared + example: shared + type: string + with_replacements: + default: true + description: When true, returns the updated Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. This substitutes anonymized values with human-readable equivalents. Defaults to `true`. + example: true + type: boolean + required: + - ids + required: + - update + description: Bulk update parameters for Attack discoveries + required: true + responses: + '200': + content: + application/json: + example: + data: + - id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + title: Suspicious process execution on host-01 + workflow_status: acknowledged + schema: + type: object + properties: + data: + description: Array of updated Attack Discovery alert objects. Each item includes the applied modifications from the bulk update request. + items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert' + type: array + required: + - data + description: Indicates a successful call. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. 
+ status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message describing what went wrong with the bulk update request + example: Invalid request parameters. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. + summary: Bulk update Attack discoveries + tags: + - Security Attack discovery API + x-code-samples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/_bulk' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data-raw '{ + "update": { + "ids": [ + "c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f", + "5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7" + ], + "kibana_alert_workflow_status": "acknowledged" + } + }' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Find Attack discoveries that match the search criteria. Supports free text search, filtering, pagination, and sorting. + operationId: AttackDiscoveryFind + parameters: + - description: Filter results to Attack discoveries that include any of the provided alert IDs + in: query + name: alert_ids + required: false + schema: + items: + type: string + type: array + - description: Filter results to Attack discoveries created by any of the provided human readable connector names. Note that values must match the human readable `connector_name` property of an Attack discovery, e.g. "GPT-5 Chat", which are distinct from `connector_id` values used to generate Attack discoveries. + in: query + name: connector_names + required: false + schema: + items: + type: string + type: array + - description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`. + example: false + in: query + name: enable_field_rendering + required: false + schema: + default: false + type: boolean + - description: End of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h"). + example: now + in: query + name: end + required: false + schema: + type: string + - description: Filter results to the Attack discoveries with the specified IDs + in: query + name: ids + required: false + schema: + items: + type: string + type: array + - description: If `true`, the response will include `unique_alert_ids` and `unique_alert_ids_count` aggregated across the matched Attack discoveries + example: false + in: query + name: include_unique_alert_ids + required: false + schema: + type: boolean + - description: Page number to return (used for pagination). Defaults to 1. 
+ example: 1 + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Number of Attack discoveries to return per page (used for pagination). Defaults to 10. + example: 10 + in: query + name: per_page + required: false + schema: + default: 10 + minimum: 1 + type: integer + - description: Free-text search query applied to relevant text fields of Attack discoveries (title, description, tags, etc.) + example: '' + in: query + name: search + required: false + schema: + type: string + - description: Whether to filter by shared visibility. If omitted, both shared and privately visible Attack discoveries are returned. Use `true` to return only shared discoveries, `false` to return only those visible to the current user. + in: query + name: shared + required: false + schema: + type: boolean + - description: Whether to filter by scheduled or ad-hoc attack discoveries. If omitted, both types of attack discoveries are returned. Use `true` to return only scheduled discoveries or `false` to return only ad-hoc discoveries. + in: query + name: scheduled + required: false + schema: + type: boolean + - description: Field used to sort results. See `AttackDiscoveryFindSortField` for allowed values. + example: '@timestamp' + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryFindSortField' + default: '@timestamp' + - description: Sort order direction `asc` for ascending or `desc` for descending. Defaults to `desc`. + example: desc + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_SortOrder' + default: desc + - description: Start of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now-7d"). + example: now-24h + in: query + name: start + required: false + schema: + type: string + - description: Filter by alert workflow status. 
Provide one or more of the allowed workflow states. + example: + - open + - acknowledged + in: query + name: status + required: false + schema: + items: + enum: + - acknowledged + - closed + - open + type: string + type: array + - description: When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to `true`. + example: true + in: query + name: with_replacements + required: false + schema: + default: true + type: boolean + responses: + '200': + content: + application/json: + example: + connector_names: + - GPT-5 Chat + data: + - connector_name: GPT-5 Chat + id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + title: Suspicious process execution on host-01 + page: 1 + per_page: 10 + total: 1 + unique_alert_ids_count: 0 + schema: + type: object + properties: + connector_names: + description: List of human readable connector names that are present in the matched Attack discoveries. Useful for building client filters or summaries. + items: + type: string + type: array + data: + description: Array of matched Attack discovery objects. Each item follows the `AttackDiscoveryApiAlert` schema. + items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert' + type: array + page: + description: Current page number of the paginated result set. + type: integer + per_page: + description: Number of items requested per page. + type: integer + total: + description: Total number of Attack discoveries matching the query (across all pages). + type: integer + unique_alert_ids: + description: List of unique alert IDs aggregated from the matched Attack discoveries. Only present if `include_unique_alert_ids=true` in the request. + items: + type: string + type: array + unique_alert_ids_count: + description: Number of unique alert IDs across all matched Attack discoveries. 
Only present if `include_unique_alert_ids=true` in the request. + type: integer + required: + - connector_names + - data + - page + - per_page + - total + - unique_alert_ids_count + description: Indicates a successful call. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request payload. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message + example: Invalid request payload. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + description: Bad Request response. + summary: Find Attack discoveries that match the search criteria + tags: + - Security Attack discovery API + x-code-samples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/_find?end=now&include_unique_alert_ids=false&page=1&per_page=10&search=&sort_field=%40timestamp&sort_order=desc&start=now-24h&status=open&status=acknowledged' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/_generate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/_generate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initiates the generation of attack discoveries by analyzing security alerts using AI. Returns an execution UUID that can be used to track the generation progress and retrieve results. Results may also be retrieved via the find endpoint. + operationId: PostAttackDiscoveryGenerate + requestBody: + content: + application/json: + example: + alertsIndexPattern: .alerts-security.alerts-default + anonymizationFields: + - allowed: true + anonymized: true + field: host.name + - allowed: true + anonymized: true + field: user.name + - allowed: true + anonymized: false + field: process.name + apiConfig: + actionTypeId: .gen-ai + connectorId: 12345678-1234-1234-1234-123456789012 + connectorName: GPT-5 Chat + end: now + replacements: {} + size: 100 + start: now-24h + subAction: invokeAI + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenerationConfig' + required: true + responses: + '200': + content: + application/json: + example: + execution_uuid: edd26039-0990-4d9f-9829-2a1fcacb77b5 + schema: + type: object + properties: + execution_uuid: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + description: The unique identifier for the attack discovery generation process. Use this UUID to track the generation progress and retrieve results via the find endpoint. + example: edd26039-0990-4d9f-9829-2a1fcacb77b5 + required: + - execution_uuid + description: Indicates a successful call. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message describing what went wrong + example: Invalid request parameters. 
+ type: string + status_code: + description: HTTP status code + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. + summary: Generate attack discoveries from alerts + tags: + - Security Attack discovery API + x-code-samples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/_generate' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{ + "alertsIndexPattern": ".alerts-security.alerts-default", + "anonymizationFields": [ + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "@timestamp", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "aKiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.feature", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "saiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.data", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "sqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.entropy", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "s6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.extension", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "tKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.metrics", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "taiJW5gB4U27o8XO8oLg" + }, + { + 
"timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.operation", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "tqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.path", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "t6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.score", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "uKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.version", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "uaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "_id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "Z6iJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "agent.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "aaiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "cloud.availability_zone", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "aqiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "cloud.provider", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "a6iJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "cloud.region", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": 
"bKiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "destination.ip", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "baiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "dns.question.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "bqiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "dns.question.type", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "b6iJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "event.category", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "cKiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "event.dataset", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "caiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "event.module", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "cqiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "event.outcome", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "c6iJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "file.Ext.original.path", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "dKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "file.hash.sha256", + "allowed": true, + "anonymized": false, + "namespace": 
"default", + "id": "daiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "file.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "dqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "file.path", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "d6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "group.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "eKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "group.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "eaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.asset.criticality", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "eqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.name", + "allowed": true, + "anonymized": true, + "namespace": "default", + "id": "e6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.os.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "fKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.os.version", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "faiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.risk.calculated_level", + "allowed": true, + "anonymized": false, + "namespace": 
"default", + "id": "fqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.risk.calculated_score_norm", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "f6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.original_time", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "gKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.risk_score", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "gaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.description", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "gqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "g6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.references", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "hKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.framework", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "haiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.tactic.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "hqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + 
"createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.tactic.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "h6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.tactic.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "iKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "iaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "iqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "i6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.subtechnique.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "jKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.subtechnique.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "jaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.subtechnique.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "jqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": 
"2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.severity", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "j6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.workflow_status", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "kKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "message", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "kaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "network.protocol", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "kqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.Ext.memory_region.bytes_compressed_present", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "nKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.Ext.memory_region.malware_signature.all_names", "allowed": true, "anonymized": false, "namespace": "default", 
@@ -2669,59 +13331,35643 @@ paths: "id": "y6iJW5gB4U27o8XO8oLg" }, { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "user.target.name", - "allowed": true, - "anonymized": true, - "namespace": "default", - "id": "zKiJW5gB4U27o8XO8oLg" - } - ], - "replacements": {}, - "size": 100, - "subAction": "invokeAI", - "apiConfig": { - "connectorId": "12345678-1234-1234-1234-123456789012", - "actionTypeId": ".gen-ai" + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "user.target.name", + "allowed": true, + "anonymized": true, + "namespace": "default", + "id": "zKiJW5gB4U27o8XO8oLg" + } + ], + "replacements": {}, + "size": 100, + "subAction": "invokeAI", + "apiConfig": { + "connectorId": "12345678-1234-1234-1234-123456789012", + "actionTypeId": ".gen-ai" + }, + "connectorName": "GPT-5 Chat", + "end": "now", + "start": "now-24h" + }' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/generations: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/generations
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get the latest Attack Discovery generations metadata (that are not dismissed) for the current user. This endpoint retrieves generation metadata including execution status and statistics for Attack Discovery generations.
+ operationId: GetAttackDiscoveryGenerations
+ parameters:
+ - description: End of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h").
+ example: now
+ in: query
+ name: end
+ required: false
+ schema:
+ type: string
+ - description: The maximum number of generations to retrieve
+ example: 50
+ in: query
+ name: size
+ required: false
+ schema:
+ default: 50
+ minimum: 1
+ type: number
+ - description: Start of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now-7d").
+ example: now-24h
+ in: query
+ name: start
+ required: false
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json:
+ example:
+ generations:
+ - alerts_context_count: 75
+ connector_id: chatGpt5_0ChatAzure
+ discoveries: 3
+ end: '2025-09-29T06:42:44.810Z'
+ execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7
+ loading_message: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries.
+ start: '2025-09-29T06:42:08.962Z'
+ status: succeeded
+ schema:
+ type: object
+ properties:
+ generations:
+ description: List of Attack Discovery generations
+ items:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration'
+ type: array
+ required:
+ - generations
+ description: Indicates a successful call.
+ '400':
+ content:
+ application/json:
+ example:
+ error: Bad Request
+ message: Invalid size parameter. Must be a positive number.
+ status_code: 400
+ schema:
+ type: object
+ properties:
+ error:
+ description: Error type
+ example: Bad Request
+ type: string
+ message:
+ description: Human-readable error message
+ example: Invalid size parameter. Must be a positive number.
+ type: string
+ status_code:
+ description: HTTP status code
+ example: 400
+ type: number
+ description: Bad Request response.
+ summary: Get the latest Attack Discovery generations metadata for the current user
+ tags:
+ - Security Attack discovery API
+ x-code-samples:
+ - label: Example request
+ lang: curl
+ source: |
+ curl \
+ --request GET 'http://localhost:5601/api/attack_discovery/generations?size=50&start=now-24h&end=now' \
+ --header "Authorization: $API_KEY" \
+ --header "Content-Type: application/json"
+ x-metaTags:
+ - content: Kibana, Elastic Cloud Serverless
+ name: product_name
+ /api/attack_discovery/generations/{execution_uuid}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+
get /s/{space_id}/api/attack_discovery/generations/{execution_uuid}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Returns a specific Attack Discovery generation, including all generated Attack discoveries and associated metadata, including execution status and statistics.
+ operationId: GetAttackDiscoveryGeneration
+ parameters:
+ - description: The unique identifier for the Attack Discovery generation execution. This UUID is returned at the start of an Attack Discovery generation.
+ example: 2e13f386-46cf-4d65-9e2b-68609e132ba5
+ in: path
+ name: execution_uuid
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
+ - description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`.
+ example: false
+ in: query
+ name: enable_field_rendering
+ required: false
+ schema:
+ default: false
+ type: boolean
+ - description: When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to `true`.
+ example: true
+ in: query
+ name: with_replacements
+ required: false
+ schema:
+ default: true
+ type: boolean
+ responses:
+ '200':
+ content:
+ application/json:
+ example:
+ data:
+ - id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f
+ title: Suspicious process execution on host-01
+ generation:
+ alerts_context_count: 50
+ discoveries: 1
+ end: '2025-09-29T06:42:44.810Z'
+ execution_uuid: 2e13f386-46cf-4d65-9e2b-68609e132ba5
+ start: '2025-09-29T06:42:08.962Z'
+ status: succeeded
+ schema:
+ type: object
+ properties:
+ data:
+ description: Array of Attack discoveries generated during this execution.
+ items:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert'
+ type: array
+ generation:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration'
+ description: Optional metadata about the attack discovery generation process, metadata including execution status and statistics. This metadata may not be available for all generations.
+ required:
+ - data
+ description: Indicates a successful call.
+ '400':
+ content:
+ application/json:
+ example:
+ error: Bad Request
+ message: Invalid request parameters.
+ status_code: 400
+ schema:
+ type: object
+ properties:
+ error:
+ description: Error type
+ example: Bad Request
+ type: string
+ message:
+ description: Human-readable error message describing what went wrong with the request
+ example: Invalid request parameters.
+ type: string
+ status_code:
+ description: HTTP status code
+ example: 400
+ type: number
+ required:
+ - status_code
+ - error
+ - message
+ description: Bad Request response.
+ summary: Get a single Attack Discovery generation, including its discoveries and (optional) generation metadata
+ tags:
+ - Security Attack discovery API
+ x-code-samples:
+ - label: Example request
+ lang: curl
+ source: |
+ curl \
+ --request GET 'http://localhost:5601/api/attack_discovery/generations/2e13f386-46cf-4d65-9e2b-68609e132ba5' \
+ --header "Authorization: $API_KEY" \
+ --header "Content-Type: application/json"
+ x-metaTags:
+ - content: Kibana, Elastic Cloud Serverless
+ name: product_name
+ /api/attack_discovery/generations/{execution_uuid}/_dismiss:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+
post /s/{space_id}/api/attack_discovery/generations/{execution_uuid}/_dismiss
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Dismisses an Attack Discovery generation for the current user, indicating that its status should not be reported in the UI. This sets the generation's status to "dismissed" and affects how the generation appears in subsequent queries. + operationId: PostAttackDiscoveryGenerationsDismiss + parameters: + - description: The unique identifier for the Attack Discovery generation execution. This UUID is returned when an Attack Discovery generation is created and can be found in generation responses. + example: 46b218d5-535d-4329-be56-d0f6af6986b7 + in: path + name: execution_uuid + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + alerts_context_count: 75 + connector_id: chatGpt5_0ChatAzure + discoveries: 3 + end: '2025-09-29T06:42:44.810Z' + execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 + loading_message: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries. + start: '2025-09-29T06:42:08.962Z' + status: dismissed + schema: + type: object + properties: + alerts_context_count: + description: The number of alerts that were sent as context to the LLM for this generation. + example: 75 + type: number + connector_id: + description: The unique identifier of the connector used to generate the attack discoveries. + example: chatGpt5_0ChatAzure + type: string + connector_stats: + description: Statistical information about the connector's performance for this user, providing insights into usage patterns and success rates. + type: object + properties: + average_successful_duration_nanoseconds: + description: The average duration in nanoseconds for successful generations using this connector by the current user. 
+ example: 47958500000 + type: number + successful_generations: + description: The total number of Attack discoveries successfully created for this generation + example: 2 + type: number + discoveries: + description: The number of attack discoveries that were generated during this execution. + example: 3 + type: number + end: + description: The timestamp when the generation process completed, in ISO 8601 format. This field may be absent for generations that haven't finished. + example: '2025-09-29T06:42:44.810Z' + type: string + execution_uuid: + description: The unique identifier for this attack discovery generation execution. This UUID can be used to reference this specific generation in other API calls. + example: 46b218d5-535d-4329-be56-d0f6af6986b7 + type: string + loading_message: + description: A human-readable message describing the current state or progress of the generation process. Provides context about what the AI is analyzing. + example: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries. + type: string + reason: + description: Additional context or reasoning provided when a generation fails or encounters issues. This field helps diagnose problems with the generation process. + example: Connection timeout to AI service + type: string + start: + description: The timestamp when the generation process began, in ISO 8601 format. This marks the beginning of the AI analysis. + example: '2025-09-29T06:42:08.962Z' + type: string + status: + description: The current status of the attack discovery generation. After dismissing, this will be set to "dismissed". + enum: + - canceled + - dismissed + - failed + - started + - succeeded + example: dismissed + type: string + required: + - connector_id + - discoveries + - execution_uuid + - loading_message + - start + - status + description: Indicates a successful call. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. 
+ status_code: 400 + schema: + type: object + properties: + error: + description: Error type or category + example: Bad Request + type: string + message: + description: Human-readable error message describing what went wrong with the request. + example: Invalid request parameters. + type: string + status_code: + description: HTTP status code indicating the type of client error + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. + summary: Dismiss an Attack Discovery generation + tags: + - Security Attack discovery API + x-code-samples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/generations/46b218d5-535d-4329-be56-d0f6af6986b7/_dismiss' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/schedules: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates a new Attack Discovery schedule that analyzes security alerts at specified intervals. The schedule defines when and how Attack Discovery analysis should run, including which alerts to analyze, which AI connector to use, and what actions to take when discoveries are found. + operationId: CreateAttackDiscoverySchedules + requestBody: + content: + application/json: + example: + actions: [] + enabled: true + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps' + description: Attack Discovery schedule configuration including name, parameters, schedule interval, and actions + required: true + responses: + '200': + content: + application/json: + example: + actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + updated_at: '2023-10-31T10:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' + description: The Attack Discovery schedule was successfully created. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. 
+ summary: Create Attack Discovery schedule + tags: + - Security Attack discovery API + x-code-samples: + - label: Create an Attack Discovery schedule + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/schedules' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{ + "name": "Daily Security Analysis", + "enabled": true, + "params": { + "alerts_index_pattern": ".alerts-security.alerts-default", + "api_config": { + "actionTypeId": "bedrock", + "connectorId": "my-bedrock-connector", + "name": "Claude 3.5 Sonnet" + }, + "size": 100, + "start": "now-24h", + "end": "now" + }, + "schedule": { + "interval": "24h" + }, + "actions": [ + { + "action_type_id": ".cases", + "id": "system-connector-.cases", + "params": { + "subAction": "run", + "subActionParams": { + "timeWindow": "7d", + "reopenClosedCases": false, + "groupingBy": [], + "templateId": null + } + }, + "uuid": "12345678-1234-1234-1234-123456789012" + } + ] + }' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/schedules/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/schedules/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Find Attack Discovery schedules that match the search criteria. Supports pagination and sorting by various fields. + operationId: FindAttackDiscoverySchedules + parameters: + - description: Page number to return (used for pagination). Defaults to 1. + example: 1 + in: query + name: page + required: false + schema: + type: number + - description: Number of Attack Discovery schedules to return per page (used for pagination). Defaults to 10. + example: 10 + in: query + name: per_page + required: false + schema: + type: number + - description: Field used to sort results. Common fields include 'name', 'created_at', 'updated_at', and 'enabled'. + example: name + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + - description: Sort order direction. Use 'asc' for ascending or 'desc' for descending. Defaults to 'asc'. + example: asc + in: query + name: sort_direction + required: false + schema: + enum: + - asc + - desc + type: string + responses: + '200': + content: + application/json: + example: + data: + - actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + updated_at: '2023-10-31T10:00:00.000Z' + updated_by: elastic + page: 1 + per_page: 10 + total: 1 + schema: + type: object + properties: + data: + description: Array of matched Attack Discovery schedule objects. 
+ items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' + type: array + page: + description: Current page number of the paginated result set. + type: number + per_page: + description: Number of items requested per page. + type: number + total: + description: Total number of Attack Discovery schedules matching the query (across all pages). + type: number + required: + - page + - per_page + - total + - data + description: Indicates a successful call. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request payload. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message + example: Invalid request payload. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + description: Bad Request response. + summary: Find Attack Discovery schedules that match the search criteria + tags: + - Security Attack discovery API + x-code-samples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/schedules/_find' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/schedules/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/attack_discovery/schedules/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Permanently deletes an Attack Discovery schedule and all associated configuration. + operationId: DeleteAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to delete. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + id: 12345678-1234-1234-1234-123456789012 + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + description: The unique identifier of the deleted Attack Discovery schedule + required: + - id + description: Successfully deleted Attack Discovery schedule, returning the ID of the deleted schedule for confirmation + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. + summary: Delete Attack Discovery schedule + tags: + - Security Attack discovery API + x-code-samples: + - label: Delete an Attack Discovery schedule + lang: curl + source: | + curl \ + --request DELETE 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/schedules/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieves a specific Attack Discovery schedule by its unique identifier. Returns complete schedule configuration including parameters, interval settings, associated actions, and execution history. + operationId: GetAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to retrieve. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + last_execution: + date: '2023-10-31T10:00:00.000Z' + last_duration: 45.2 + status: ok + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + updated_at: '2023-10-31T10:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' + description: Successfully retrieved Attack Discovery schedule with complete configuration and metadata + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. 
+ summary: Get Attack Discovery schedule by ID + tags: + - Security Attack discovery API + x-code-samples: + - label: Get an Attack Discovery schedule by ID + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/attack_discovery/schedules/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Updates an existing Attack Discovery schedule with new configuration. All schedule properties can be modified including name, parameters, interval, and actions. The update operation replaces the entire schedule configuration with the provided values. + operationId: UpdateAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to update. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + requestBody: + content: + application/json: + example: + actions: [] + name: Updated Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 200 + start: now-48h + schedule: + interval: 12h + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps' + description: Updated Attack Discovery schedule configuration. All fields are required as this replaces the entire schedule configuration. 
+ required: true + responses: + '200': + content: + application/json: + example: + actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + name: Updated Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 200 + start: now-48h + schedule: + interval: 12h + updated_at: '2023-10-31T12:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' + description: Successfully updated Attack Discovery schedule with the new configuration and metadata + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. + summary: Update Attack Discovery schedule + tags: + - Security Attack discovery API + x-code-samples: + - label: Update an Attack Discovery schedule + lang: curl + source: | + curl \ + --request PUT 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{ + "name": "Updated Daily Security Analysis", + "params": { + "alerts_index_pattern": ".alerts-security.alerts-default", + "api_config": { + "actionTypeId": "bedrock", + "connectorId": "my-bedrock-connector", + "name": "Claude 3.5 Sonnet" + }, + "size": 200, + "start": "now-48h", + "end": "now" + }, + "schedule": { + "interval": "12h" + }, + "actions": [] + }' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/schedules/{id}/_disable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules/{id}/_disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Disables an Attack Discovery schedule, preventing it from running according to its configured interval. The schedule configuration is preserved and can be re-enabled later. Any currently running executions will complete, but no new executions will be started. + operationId: DisableAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to disable. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + id: 12345678-1234-1234-1234-123456789012 + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + description: The unique identifier of the disabled Attack Discovery schedule + required: + - id + description: Successfully disabled Attack Discovery schedule, returning the schedule ID for confirmation + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. 
+ summary: Disable Attack Discovery schedule + tags: + - Security Attack discovery API + x-code-samples: + - label: Disable an Attack Discovery schedule + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_disable' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/schedules/{id}/_enable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules/{id}/_enable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Enables a previously disabled Attack Discovery schedule, allowing it to run according to its configured interval. Once enabled, the schedule will begin executing at the next scheduled time based on its interval configuration. + operationId: EnableAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to enable. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + id: 12345678-1234-1234-1234-123456789012 + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + description: The unique identifier of the enabled Attack Discovery schedule + required: + - id + description: Successfully enabled Attack Discovery schedule, returning the schedule ID for confirmation + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. 
+ summary: Enable Attack Discovery schedule + tags: + - Security Attack discovery API + x-code-samples: + - label: Enable an Attack Discovery schedule + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_enable' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/data_views: + get: + operationId: getAllDataViewsDefault + responses: + '200': + content: + application/json: + examples: + getAllDataViewsResponse: + $ref: '#/components/examples/Data_views_get_data_views_response' + schema: + type: object + properties: + data_view: + items: + type: object + properties: + id: + type: string + name: + type: string + namespaces: + items: + type: string + type: array + title: + type: string + typeMeta: + type: object + type: array + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Get all data views + tags: + - data views + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/data_views
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/data_views/data_view: + post: + operationId: createDataViewDefaultw + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + createDataViewRequest: + $ref: '#/components/examples/Data_views_create_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_create_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Create a data view + tags: + - data views + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/data_views/data_view/{viewId}: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/data_views/data_view/{viewId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: When you delete a data view, it cannot be recovered. + operationId: deleteDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '204': + description: Indicates a successful call. + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Delete a data view + tags: + - data views + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + operationId: getDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + content: + application/json: + examples: + getDataViewResponse: + $ref: '#/components/examples/Data_views_get_data_view_response' + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Get a data view + tags: + - data views + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/data_views/data_view/{viewId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + post: + operationId: updateDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + updateDataViewRequest: + $ref: '#/components/examples/Data_views_update_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_update_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update a data view + tags: + - data views + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view/{viewId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/data_views/data_view/{viewId}/fields: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view/{viewId}/fields
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update fields presentation metadata such as count, customLabel, customDescription, and format. + operationId: updateFieldsMetadataDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + updateFieldsMetadataRequest: + $ref: '#/components/examples/Data_views_update_field_metadata_request' + schema: + type: object + properties: + fields: + description: The field object. + type: object + required: + - fields + required: true + responses: + '200': + content: + application/json: + schema: + type: object + properties: + acknowledged: + type: boolean + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update data view fields metadata + tags: + - data views + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/data_views/data_view/{viewId}/runtime_field: + post: + operationId: createRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + createRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_create_runtime_field_request' + schema: + type: object + properties: + name: + description: | + The name for a runtime field. + type: string + runtimeField: + description: | + The runtime field definition object. + type: object + required: + - name + - runtimeField + required: true + responses: + '200': + content: + application/json: + schema: + type: object + description: Indicates a successful call. 
+ summary: Create a runtime field + tags: + - data views + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + put: + operationId: createUpdateRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - description: | + The ID of the data view fields you want to update. + in: path + name: viewId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_create_runtime_field_request' + schema: + type: object + properties: + name: + description: | + The name for a runtime field. + type: string + runtimeField: + description: | + The runtime field definition object. + type: object + required: + - name + - runtimeField + required: true + responses: + '200': + content: + application/json: + schema: + type: object + properties: + data_view: + type: object + fields: + items: + type: object + type: array + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Create or update a runtime field + tags: + - data views + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/data_views/data_view/{viewId}/runtime_field/{fieldName}: + delete: + operationId: deleteRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + description: Indicates a successful call. + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Delete a runtime field from a data view + tags: + - data views + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + get: + operationId: getRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + content: + application/json: + examples: + getRuntimeFieldResponse: + $ref: '#/components/examples/Data_views_get_runtime_field_response' + schema: + type: object + properties: + data_view: + type: object + fields: + items: + type: object + type: array + description: Indicates a successful call. + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Get a runtime field + tags: + - data views + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + post: + operationId: updateRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + updateRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_update_runtime_field_request' + schema: + type: object + properties: + runtimeField: + description: | + The runtime field definition object. + + You can update following fields: + + - `type` + - `script` + type: object + required: + - runtimeField + required: true + responses: + '200': + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update a runtime field + tags: + - data views + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/data_views/default: + get: + operationId: getDefaultDataViewDefault + responses: + '200': + content: + application/json: + examples: + getDefaultDataViewResponse: + $ref: '#/components/examples/Data_views_get_default_data_view_response' + schema: + type: object + properties: + data_view_id: + type: string + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Get the default data view + tags: + - data views + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/data_views/default
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + post: + operationId: setDefaultDatailViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + setDefaultDataViewRequest: + $ref: '#/components/examples/Data_views_set_default_data_view_request' + schema: + type: object + properties: + data_view_id: + description: | + The data view identifier. NOTE: The API does not validate whether it is a valid identifier. Use `null` to unset the default data view. + nullable: true + type: string + force: + default: false + description: Update an existing default data view identifier. + type: boolean + required: + - data_view_id + required: true + responses: + '200': + content: + application/json: + schema: + type: object + properties: + acknowledged: + type: boolean + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Set the default data view + tags: + - data views + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/default
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/data_views/swap_references: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/swap_references
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Changes saved object references from one data view identifier to another. WARNING: Misuse can break large numbers of saved objects! Practicing with a backup is recommended. + operationId: swapDataViewsDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + swapDataViewRequest: + $ref: '#/components/examples/Data_views_swap_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_swap_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + schema: + type: object + properties: + deleteStatus: + type: object + properties: + deletePerformed: + type: boolean + remainingRefs: + type: integer + result: + items: + type: object + properties: + id: + description: A saved object identifier. + type: string + type: + description: The saved object type. + type: string + type: array + description: Indicates a successful call. + summary: Swap saved object references + tags: + - data views + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/data_views/swap_references/_preview: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/swap_references/_preview
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Preview the impact of swapping saved object references from one data view identifier to another. + operationId: previewSwapDataViewsDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + previewSwapDataViewRequest: + $ref: '#/components/examples/Data_views_preview_swap_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_swap_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + schema: + type: object + properties: + result: + items: + type: object + properties: + id: + description: A saved object identifier. + type: string + type: + description: The saved object type. + type: string + type: array + description: Indicates a successful call. + summary: Preview a saved object reference swap + tags: + - data views + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/privileges: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/privileges
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieves whether or not the user is authenticated, and the user's Kibana + space and index privileges, which determine if the user can create an + index for the Elastic Security alerts generated by + detection engine rules. + operationId: ReadPrivileges + responses: + '200': + content: + application/json: + examples: + success: + value: + application: {} + cluster: + all: true + manage: true + manage_api_key: true + manage_index_templates: true + manage_ml: true + manage_own_api_key: true + manage_pipeline: true + manage_security: true + manage_transform: true + monitor: true + monitor_ml: true + monitor_transform: true + has_all_requested: true + has_encryption_key: true + index: + .alerts-security.alerts-default: + all: true + create: true + create_doc: true + create_index: true + delete: true + delete_index: true + index: true + maintenance: true + manage: true + monitor: true + read: true + view_index_metadata: true + write: true + is_authenticated: true + username: elastic + schema: + type: object + properties: + has_encryption_key: + type: boolean + is_authenticated: + type: boolean + required: + - is_authenticated + - has_encryption_key + description: Successful response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Returns user privileges for the Kibana space + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/rules: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a detection rule using the `rule_id` or `id` field. + + The URL query must include one of the following: + + * `id` - `DELETE /api/detection_engine/rules?id=` + * `rule_id`- `DELETE /api/detection_engine/rules?rule_id=` + + The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. + operationId: DeleteRule + parameters: + - description: The rule's `id` value. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_UUID' + - description: The rule's `rule_id` value. + in: query + name: rule_id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Delete a detection rule + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl \ + --request DELETE https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ + --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a detection rule using the `rule_id` or `id` field. + + The URL query must include one of the following: + + * `id` - `GET /api/detection_engine/rules?id=` + * `rule_id` - `GET /api/detection_engine/rules?rule_id=` + + The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. + operationId: ReadRule + parameters: + - description: The rule's `id` value. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_UUID' + - description: The rule's `rule_id` value. + in: query + name: rule_id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + responses: + '200': + content: + application/json: + examples: + example1: + summary: Example response for a retrieved rule + value: + created_at: '2020-02-03T11:19:04.259Z' + created_by: elastic + description: Process started by MS Office program in user folder + enabled: false + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. 
+ metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: [] + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-4200s + id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: MS Office child process + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: process.name + type: keyword + - ecs: true + name: process.parent.name + type: keyword + risk_score: 21 + rule_id: process_started_by_ms_office_user_folder + setup: '' + severity: low + tags: + - child process + - ms office + threat: + - framework: MITRE ATT&CK + tactic: + id: TA0001 + name: Initial Access + reference: https://attack.mitre.org/tactics/TA0001 + technique: + - id: T1193 + name: Spearphishing Attachment + reference: https://attack.mitre.org/techniques/T1193 + to: now-300s + type: query + updated_at: '2020-02-03T11:19:04.462Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: | + Indicates a successful call. + > info + > These fields are under development and their usage or schema may change: execution_summary. 
+ summary: Retrieve a detection rule + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl \ + --request GET https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ + --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + patch: + description: | + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update specific fields of an existing detection rule using the `rule_id` or `id` field. + + The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + operationId: PatchRule + requestBody: + content: + application/json: + examples: + example1: + summary: Patch query rule + value: + id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 + name: New name + example2: + summary: Patch EQL rule + value: + rule_id: process_started_by_ms_office_program_possible_payload + threat: + - framework: MITRE ATT&CK + tactic: + id: TA0001 + name: Initial Access + reference: https://attack.mitre.org/tactics/TA0001 + technique: + - id: T1193 + name: Spearphishing Attachment + reference: https://attack.mitre.org/techniques/T1193 + example3: + summary: Patch threshold rule + value: + id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 + query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"' + threshold: + cardinality: [] + field: [] + value: 600 + example4: + summary: Patch new terms rule + value: + history_window_start: now-3d + id: 569aac91-40dc-4807-a8ae-a2c8698089c4 + new_terms_fields: + - Endpoint.policy.applied.artifacts.global.identifiers.name + example5: + summary: Patch esql rule + value: + id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd + query: | + FROM logs-abc* + | STATS count 
= COUNT(*), min_timestamp = MIN(@timestamp) + | EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW()) + | KEEP event_rate + example6: + summary: Patch indicator match rule + value: + id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd + threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"false"' + example7: + summary: Patch machine learning rule + value: + anomaly_threshold: 50 + id: 60b13926-289b-41b1-a537-197ef1fa5059 + machine_learning_job_id: + - auth_high_count_logon_events_ea + schema: + $ref: '#/components/schemas/Security_Detections_API_RulePatchProps' + description: | + > info + > You cannot modify the `id` or `rule_id` values. + required: true + responses: + '200': + content: + application/json: + examples: + example1: + summary: Example response for an updated rule + value: + actions: [] + created_at: '2020-04-07T14:51:09.755Z' + created_by: elastic + description: Updated description for the rule. + enabled: false + false_positives: [] + filters: + - query: null + from: now-70m + id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: Updated Rule Name + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + required_fields: + - name: process.parent.name + risk_score: 50 + rule_id: process_started_by_ms_office_program + setup: '' + severity: low + tags: + - child process + - ms office + threat: [] + to: now + type: query + updated_at: '2020-04-07T14:51:09.970Z' + updated_by: elastic + version: 2 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. 
+ summary: Patch a detection rule + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new detection rule. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + + You can create the following types of rules: + + * **Custom query**: Searches the defined indices and creates an alert when a document matches the rule's KQL query. + * **Event correlation**: Searches the defined indices and creates an alert when results match an [Event Query Language (EQL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html) query. + * **Threshold**: Searches the defined indices and creates an alert when the number of times the specified field's value meets the threshold during a single execution. When there are multiple values that meet the threshold, an alert is generated for each value. + For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. If you're interested, see [Terms Aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html) for more information. + * **Indicator match**: Creates an alert when fields match values defined in the specified [Elasticsearch index](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html). For example, you can create an index for IP addresses and use this index to create an alert whenever an event's `destination.ip` equals a value in the index. 
The index's field mappings should be [ECS-compliant](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html). + * **New terms**: Generates an alert for each new term detected in source documents within a specified time range. + * **ES|QL**: Uses [Elasticsearch Query Language (ES|QL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html) to find events and aggregate search results. + * **Machine learning rules**: Creates an alert when a machine learning job discovers an anomaly above the defined threshold. + > info + > To create machine learning rules, you must have the [appropriate license](https://www.elastic.co/subscriptions) or use a [cloud deployment](https://cloud.elastic.co/registration). Additionally, for the machine learning rule to function correctly, the associated machine learning job must be running. + + To retrieve machine learning job IDs, which are required to create machine learning jobs, call the [Elasticsearch Get jobs API](https://www.elastic.co/guide/en/elasticsearch/reference/current/ml-get-job.html). Machine learning jobs that contain `siem` in the `groups` field can be used to create rules: + + ```json + ... + "job_id": "linux_anomalous_network_activity_ecs", + "job_type": "anomaly_detector", + "job_version": "7.7.0", + "groups": [ + "auditbeat", + "process", + "siem" + ], + ... + ``` + + Additionally, you can set up notifications for when rules create alerts. The notifications use the [Alerting and Actions framework](https://www.elastic.co/docs/explore-analyze/alerting). Each action type requires a connector. Connectors store the information required to send notifications via external systems. 
The following connector types are supported for rule notifications: + + * Slack + * Email + * PagerDuty + * Webhook + * Microsoft Teams + * IBM Resilient + * Jira + * ServiceNow ITSM + > info + > For more information on PagerDuty fields, see [Send a v2 Event](https://developer.pagerduty.com/docs/events-api-v2/trigger-events/). + + To retrieve connector IDs, which are required to configure rule notifications, call the [Find objects API](https://www.elastic.co/docs/api/doc/kibana/operation/operation-findsavedobjects) with `"type": "action"` in the request payload. + + For detailed information on Kibana actions and alerting, and additional API calls, see: + + * [Alerting API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-alerting) + * [Alerting and Actions framework](https://www.elastic.co/docs/explore-analyze/alerting) + * [Connectors API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-connectors) + operationId: CreateRule + requestBody: + content: + application/json: + examples: + example1: + description: Query rule that searches for processes started by MS Office + summary: Query rule + value: + description: Process started by MS Office program - possible payload + enabled: false + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-70m + interval: 1h + language: kuery + name: MS Office child process + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - name: process.parent.name + type: keyword + risk_score: 50 + rule_id: process_started_by_ms_office_program + severity: low + tags: + - child process + - ms office + type: query + example2: + description: Threshold rule that detects multiple failed login attempts to a Windows host from the 
same external source IP address + summary: Threshold rule + value: + description: Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame. + enabled: true + exceptions_list: + - id: int-ips + namespace_type: single + type: detection + from: now-180s + index: + - winlogbeat-* + interval: 2m + name: Windows server prml-19 + query: host.name:prml-19 and event.category:authentication and event.outcome:failure + required_fields: + - name: source.ip + type: ip + risk_score: 30 + rule_id: liv-win-ser-logins + severity: low + severity_mapping: + - field: source.geo.city_name + operator: equals + severity: low + value: Manchester + - field: source.geo.city_name + operator: equals + severity: medium + value: London + - field: source.geo.city_name + operator: equals + severity: high + value: Birmingham + - field: source.geo.city_name + operator: equals + severity: critical + value: Wallingford + tags: + - Brute force + threshold: + field: source.ip + value: 20 + type: threshold + example3: + description: Machine learning rule that creates alerts, and sends Slack notifications, when the linux_anomalous_network_activity_ecs machine learning job discovers anomalies with a threshold of 70 or above. + summary: Machine learning rule + value: + actions: + - action_type_id: .slack + group: default + id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 + params: + message: 'Urgent: {{context.rule.description}}' + anomaly_threshold: 70 + description: Generates alerts when the job discovers anomalies over 70 + enabled: true + from: now-6m + interval: 5m + machine_learning_job_id: linux_anomalous_network_activity_ecs + name: Anomalous Linux network activity + note: Shut down the internet. + risk_score: 70 + rule_id: ml_linux_network_high_threshold + setup: This rule requires data coming in from Elastic Defend. 
+ severity: high + tags: + - machine learning + - Linux + type: machine_learning + example4: + description: Event correlation rule that creates alerts when the Windows rundll32.exe process makes unusual network connections + summary: EQL rule + value: + description: Unusual rundll32.exe network connection + language: eql + name: rundll32.exe network connection + query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")] + required_fields: + - name: event.type + type: keyword + - name: process.args + type: keyword + - name: process.args_count + type: long + - name: process.entity_id + type: keyword + - name: process.name + type: keyword + - name: process.pe.original_file_name + type: keyword + risk_score: 21 + rule_id: eql-outbound-rundll32-connections + severity: low + tags: + - EQL + - Windows + - rundll32.exe + type: eql + example5: + description: | + Indicator match rule that creates an alert when one of the following is true: The event's destination IP address and port number matches destination IP and port values in the threat_index index; The event's source IP address matches a host IP address value in the threat_index index. 
+ summary: Indicator match rule + value: + actions: [] + description: Checks for bad IP addresses listed in the ip-threat-list index + index: + - packetbeat-* + name: Bad IP threat match + query: destination.ip:* or host.ip:* + required_fields: + - name: destination.ip + type: ip + - name: destination.port + type: long + - name: host.ip + type: ip + risk_score: 50 + severity: medium + threat_index: + - ip-threat-list + threat_mapping: + - entries: + - field: destination.ip + type: mapping + value: destination.ip + - field: destination.port + type: mapping + value: destination.port + - entries: + - field: source.ip + type: mapping + value: host.ip + threat_query: '*:*' + type: threat_match + example6: + description: New terms rule that creates alerts a new IP address is detected for a user + summary: New terms rule + value: + description: Detects a user associated with a new IP address + history_window_start: now-30d + index: + - auditbeat* + language: kuery + name: New User IP Detected + new_terms_fields: + - user.id + - source.ip + query: '*' + required_fields: + - name: user.id + type: keyword + - name: source.ip + type: ip + risk_score: 21 + severity: medium + type: new_terms + example7: + description: esql rule that creates alerts from events that match an Excel parent process + summary: Esql rule + value: + description: Find Excel events + enabled: false + from: now-360s + interval: 5m + language: esql + name: Find Excel events + query: from auditbeat-8.10.2 METADATA _id, _version, _index | where process.parent.name == "EXCEL.EXE" + required_fields: + - name: process.parent.name + type: keyword + risk_score: 21 + severity: low + tags: [] + to: now + type: esql + example8: + description: Query rule that searches for processes started by MS Office and suppresses alerts by the process.parent.name field within a 5-hour time period + summary: Query rule 2 + value: + alert_suppression: + duration: + unit: h + value: 5 + group_by: + - process.parent.name + 
missing_fields_strategy: suppress + description: Process started by MS Office program - possible payload + enabled: false + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-70m + interval: 1h + language: kuery + name: MS Office child process + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + risk_score: 50 + rule_id: process_started_by_ms_office_program + severity: low + tags: + - child process + - ms office + type: query + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps' + required: true + responses: + '200': + content: + application/json: + examples: + example1: + description: Example response for a query rule + summary: Query rule response + value: + actions: [] + created_at: '2020-04-07T14:51:09.755Z' + created_by: elastic + description: Process started by MS Office program - possible payload + enabled: false + false_positives: [] + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-70m + id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: MS Office child process + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + - integration: graphactivitylogs + package: azure + version: ^1.11.4 + required_fields: + - ecs: true + name: process.parent.name + type: keyword + risk_score: 50 + rule_id: process_started_by_ms_office_program + setup: '' + severity: low + tags: + - child process + - ms office + threat: [] + to: now + type: query + 
updated_at: '2020-04-07T14:51:09.970Z' + updated_by: elastic + version: 1 + example2: + description: Example response for a machine learning job rule + summary: Machine learning response + value: + actions: + - action_type_id: .slack + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 + params: + message: 'Urgent: {{context.rule.description}}' + anomaly_threshold: 70 + created_at: '2020-04-07T14:45:15.679Z' + created_by: elastic + description: Generates alerts when the job discovers anomalies over 70 + enabled: true + false_positives: [] + from: now-6m + id: 83876f66-3a57-4a99-bf37-416494c80f3b + immutable: false + interval: 5m + machine_learning_job_id: linux_anomalous_network_activity_ecs + max_signals: 100 + name: Anomalous Linux network activity + note: Shut down the internet. + references: [] + related_integrations: [] + required_fields: [] + risk_score: 70 + rule_id: ml_linux_network_high_threshold + setup: '' + severity: high + status: going to run + status_date: '2020-04-07T14:45:21.685Z' + tags: + - machine learning + - Linux + threat: [] + to: now + type: machine_learning + updated_at: '2020-04-07T14:45:15.892Z' + updated_by: elastic + version: 1 + example3: + description: Example response for a threshold rule + summary: Threshold rule response + value: + actions: [] + author: [] + created_at: '2020-07-22T10:27:23.486Z' + created_by: elastic + description: Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame. 
+ enabled: true + exceptions_list: + - id: int-ips + namespace_type: single + type: detection + false_positives: [] + from: now-180s + id: 15dbde26-b627-4d74-bb1f-a5e0ed9e4993 + immutable: false + index: + - winlogbeat-* + interval: 2m + language: kuery + max_signals: 100 + name: Windows server prml-19 + query: host.name:prml-19 and event.category:authentication and event.outcome:failure + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: source.ip + type: ip + risk_score: 30 + risk_score_mapping: [] + rule_id: liv-win-ser-logins + setup: '' + severity: low + severity_mapping: + - field: source.geo.city_name + operator: equals + severity: low + value: Manchester + - field: source.geo.city_name + operator: equals + severity: medium + value: London + - field: source.geo.city_name + operator: equals + severity: high + value: Birmingham + - field: source.geo.city_name + operator: equals + severity: critical + value: Wallingford + tags: + - Brute force + threat: [] + threshold: + field: source.ip + value: 20 + to: now + type: threshold + updated_at: '2020-07-22T10:27:23.673Z' + updated_by: elastic + version: 1 + example4: + description: Example response for an EQL rule + summary: EQL rule response + value: + author: [] + created_at: '2020-10-05T09:06:16.392Z' + created_by: elastic + description: Unusual rundll32.exe network connection + enabled: true + exceptions_list: [] + false_positives: [] + from: now-6m + id: 93808cae-b05b-4dc9-8479-73574b50f8b1 + immutable: false + interval: 5m + language: eql + max_signals: 100 + name: rundll32.exe network connection + query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where 
event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")] + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: event.type + type: keyword + - ecs: true + name: process.args + type: keyword + - ecs: true + name: process.args_count + type: long + - ecs: true + name: process.entity_id + type: keyword + - ecs: true + name: process.name + type: keyword + - ecs: true + name: process.pe.original_file_name + type: keyword + risk_score: 21 + risk_score_mapping: [] + rule_id: eql-outbound-rundll32-connections + setup: '' + severity: low + severity_mapping: [] + tags: + - EQL + - Windows + - rundll32.exe + threat: [] + throttle: no_actions + to: now + type: eql + updated_at: '2020-10-05T09:06:16.403Z' + updated_by: elastic + version: 1 + example5: + description: Example response for an indicator match rule + summary: Indicator match rule response + value: + author: [] + created_at: '2020-10-06T07:07:58.227Z' + created_by: elastic + description: Checks for bad IP addresses listed in the ip-threat-list index + enabled: true + exceptions_list: [] + false_positives: [] + from: now-6m + id: d5daa13f-81fb-4b13-be2f-31011e1d9ae1 + immutable: false + index: + - packetbeat-* + interval: 5m + language: kuery + max_signals: 100 + name: Bad IP threat match + query: destination.ip:* or host.ip:* + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: destination.ip + type: ip + - ecs: true + name: destination.port + type: long + - ecs: true + name: host.ip + type: ip + risk_score: 50 + risk_score_mapping: [] + rule_id: 608501e4-c768-4f64-9326-cec55b5d439b + setup: '' + severity: medium + severity_mapping: [] + tags: [] + threat: [] + threat_index: + - ip-threat-list + threat_mapping: + - entries: + - field: destination.ip + type: mapping + value: destination.ip + - field: destination.port + type: mapping + 
value: destination.port + - entries: + - field: source.ip + type: mapping + value: host.ip + threat_query: '*:*' + to: now + type: threat_match + updated_at: '2020-10-06T07:07:58.237Z' + updated_by: elastic + version: 1 + example6: + description: Example response for a new terms rule + summary: New terms rule response + value: + author: [] + created_at: '2020-10-06T07:07:58.227Z' + created_by: elastic + description: Detects a user associated with a new IP address + enabled: true + exceptions_list: [] + false_positives: [] + from: now-6m + history_window_start: now-30d + id: eb7225c0-566b-11ee-8b4f-bbf3afdeb9f4 + immutable: false + index: + - auditbeat* + interval: 5m + language: kuery + max_signals: 100 + name: New User IP Detected + new_terms_fields: + - user.id + - source.ip + query: '*' + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: user.id + type: keyword + - ecs: true + name: source.ip + type: ip + risk_score: 21 + risk_score_mapping: [] + rule_id: c6f5d0bc-7be9-47d4-b2f3-073d22641e30 + setup: '' + severity: medium + severity_mapping: [] + tags: [] + threat: [] + to: now + type: new_terms + updated_at: '2020-10-06T07:07:58.237Z' + updated_by: elastic + version: 1 + example7: + description: Example response for an Esql rule + summary: Esql rule response + value: + actions: [] + author: [] + created_at: '2023-10-18T10:55:14.269Z' + created_by: elastic + description: Find Excel events + enabled: false + exceptions_list: [] + false_positives: [] + from: now-360s + id: d0f20490-6da4-11ee-b85e-09e9b661f2e2 + immutable: false + interval: 5m + language: esql + max_signals: 100 + name: Find Excel events + output_index: '' + query: from auditbeat-8.10.2 METADATA _id | where process.parent.name == "EXCEL.EXE" + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: process.parent.name + type: keyword + revision: 0 + risk_score: 21 + 
risk_score_mapping: [] + rule_id: e4b53a89-debd-4a0d-a3e3-20606952e589 + setup: '' + severity: low + severity_mapping: [] + tags: [] + threat: [] + to: now + type: esql + updated_at: '2023-10-18T10:55:14.269Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Create a detection rule + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a detection rule using the `rule_id` or `id` field. The original rule is replaced, and all unspecified fields are deleted. + + The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + operationId: UpdateRule + requestBody: + content: + application/json: + examples: + example1: + summary: Update query rule + value: + description: A new description + id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 + name: A new name for the rule + risk_score: 22 + severity: medium + type: query + example2: + summary: Update EQL rule + value: + description: eql rule test + id: 9b684efb-acf9-4323-9bff-8335b3867d14 + index: + - apm-*-transaction* + language: eql + name: New name for EQL rule + query: process where process.name == "regsvr32.exe" + risk_score: 21 + severity: low + type: eql + example3: + summary: Update threshold rule + value: + description: Description of threat rule test + id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 + language: kuery + name: New name for threat rule + query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"' + risk_score: 21 + severity: low + tags: + - new_tag + threshold: + cardinality: [] + field: [] + value: 400 + type: threshold + example4: + summary: Update new terms rule + value: + description: New description + 
history_window_start: now-7d + id: 569aac91-40dc-4807-a8ae-a2c8698089c4 + interval: 5m + name: New terms rule name + new_terms_fields: + - Endpoint.policy.applied.artifacts.global.identifiers.name + query: 'agent.version : "9.1.0"' + risk_score: 21 + severity: low + type: new_terms + example5: + summary: Update esql rule + value: + description: New description for esql rule + id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd + language: esql + name: New name for esql rule + query: | + FROM logs* + | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) /* MIN(dateField) finds the earliest timestamp in the dataset. */ + | EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW()) /* Calculates the event rate by dividing the total count of events by the time difference (in seconds) between the earliest event and the current time. */ + | KEEP event_rate + risk_score: 21 + severity: low + type: esql + example6: + summary: Update indicator match rule + value: + description: New description + id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd + name: New name for Indicator Match rule + query: source.ip:* or destination.ip:*\n + risk_score: 99 + severity: critical + threat_index: + - filebeat-* + - logs-ti_* + threat_mapping: + - entries: + - field: source.ip + type: mapping + value: threat.indicator.ip + - entries: + - field: destination.ip + type: mapping + value: threat.indicator.ip + threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"true"' + type: threat_match + example7: + summary: Update machine learning rule + value: + anomaly_threshold: 50 + description: New description of ml rule + id: 60b13926-289b-41b1-a537-197ef1fa5059 + machine_learning_job_id: + - auth_high_count_logon_events_ea + name: New name of ml rule + risk_score: 21 + severity: low + type: machine_learning + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps' + description: | + > info + 
> All unspecified fields are deleted. You cannot modify the `id` or `rule_id` values. + required: true + responses: + '200': + content: + application/json: + examples: + example1: + summary: Example response for an updated rule + value: + actions: [] + created_at: '2020-04-07T14:51:09.755Z' + created_by: elastic + description: Updated description for the rule. + enabled: false + false_positives: [] + filters: + - query: null + from: now-70m + id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: Updated Rule Name + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + required_fields: + - name: process.parent.name + risk_score: 50 + rule_id: process_started_by_ms_office_program + setup: '' + severity: low + tags: + - child process + - ms office + threat: [] + to: now + type: query + updated_at: '2020-04-07T14:51:09.970Z' + updated_by: elastic + version: 2 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Update a detection rule + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/rules/_bulk_action: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/_bulk_action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs. + + The edit action allows you to add, delete, or set tags, index patterns, investigation fields, rule actions and schedules for multiple rules at once. + The edit action is idempotent, meaning that if you add a tag to a rule that already has that tag, no changes are made. The same is true for other edit actions, for example removing an index pattern that is not specified in a rule will not result in any changes. The only exception is the `add_rule_actions` and `set_rule_actions` action, which is non-idempotent. This means that if you add or set a rule action to a rule that already has that action, a new action is created with a new unique ID. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + operationId: PerformRulesBulkAction + parameters: + - description: | + Enables dry run mode for the request call. + + Enable dry run mode to verify that bulk actions can be applied to specified rules. Certain rules, such as prebuilt Elastic rules on a Basic subscription, can’t be edited and will return errors in the request response. Error details will contain an explanation, the rule name and/or ID, and additional troubleshooting information. + + To enable dry run mode on a request, add the query parameter `dry_run=true` to the end of the request URL. Rules specified in the request will be temporarily updated. 
These updates won’t be written to Elasticsearch. + > info + > Dry run mode is not supported for the `export` bulk action. A 400 error will be returned in the request response. + in: query + name: dry_run + required: false + schema: + type: boolean + requestBody: + content: + application/json: + examples: + example01: + description: The following request activates all rules with the test tag. + summary: Enable - Enable all rules with the test tag + value: + action: enable + query: 'alert.attributes.tags: "test"' + example02: + description: The following request enables the rule with the specified ID. + summary: Enable - Enable a specific rule by ID. + value: + action: enable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example03: + description: The following request disables the rule with the specified ID. + summary: Disable - Disable a specific rule by ID + value: + action: disable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example04: + description: The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions. + summary: Duplicate - Duplicate rules with specific IDs + value: + action: duplicate + duplicate: + include_exceptions: true + include_expired_exceptions: false + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + - 461a4c22-416e-4009-a9a7-cf79656454bf + example05: + description: The following request deletes the rule with the specified ID. + summary: Delete - Delete a specific rule by ID + value: + action: delete + ids: + - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 + example06: + description: The following request runs the rule with the specified ID within the given date range. + summary: Run - Run a specific rule by ID + value: + action: run + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + run: + end_date: '2025-03-10T23:59:59.999Z' + start_date: '2025-03-01T00:00:00.000Z' + example07: + description: The following request exports the rules with the specified IDs. 
+ summary: Export - Export specific rules by ID + value: + action: export + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example08: + description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true + summary: Edit - dry run - Validate add_index_patterns bulk action + value: + action: edit + edit: + - type: add_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + - de8f5af0-0831-11ed-ac8b-05a222bd8d4a + example09: + description: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made. + summary: Edit - Add a tag to rules (idempotent) + value: + action: edit + edit: + - type: add_tags + value: + - tag-1 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example10: + description: The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made. + summary: Edit - Add two tags to rules (idempotent) + value: + action: edit + edit: + - type: add_tags + value: + - tag-1 + - tag-2 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example11: + description: The following request removes the tag "tag-1" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made. 
+ summary: Edit - Delete a tag from rules (idempotent) + value: + action: edit + edit: + - type: delete_tags + value: + - tag-1 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example12: + description: The following request sets the tags "tag-1" and "tag-2" for the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. + summary: Edit - Set (overwrite existing) tags for rules (idempotent) + value: + action: edit + edit: + - type: set_tags + value: + - tag-1 + - tag-2 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example13: + description: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made. + summary: Edit - Add index patterns to rules (idempotent) + value: + action: edit + edit: + - type: add_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example14: + description: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made. + summary: Edit - Remove index patterns from rules (idempotent) + value: + action: edit + edit: + - type: delete_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example15: + description: The following request sets the index patterns "test-*" and "prod-*" for the rules with the specified IDs, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. 
+ summary: Edit - Set (overwrite existing) index patterns for rules patterns (idempotent) + value: + action: edit + edit: + - type: set_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example16: + description: The following request adds investigation field to the rules with the specified IDs. + summary: Edit - Add investigation field to rules + value: + action: edit + edit: + - type: add_investigation_fields + value: + field_names: + - alert.status + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example17: + description: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made. + summary: Edit - Delete investigation fields from rules (idempotent) + value: + action: edit + edit: + - type: delete_investigation_fields + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + value: + - field1 + - field2 + example18: + description: The following request sets investigation fields for the rules with the specified IDs, overwriting any existing investigation fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made. + summary: Edit - Set (overwrite existing) investigation fields for rules (idempotent) + value: + action: edit + edit: + - type: set_investigation_fields + value: + - field1 + - field2 + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example19: + description: The following request sets a timeline template for the rules with the specified IDs. If the same timeline template is already set for a rule, no changes are made. 
+ summary: Edit - Set (overwrite existing) timeline template for rules (idempotent) + value: + action: edit + edit: + - type: set_timeline + value: + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + ids: + - eacdfc95-e007-41c9-986e-4b2cbdfdc71b + example20: + description: The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made. + summary: Edit - Set (overwrite existing) schedule for rules (idempotent) + value: + action: edit + edit: + - type: set_schedule + value: + interval: 1h + lookback: 30m + ids: + - 99887766-5544-3322-1100-aabbccddeeff + example21: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules (non-idempotent) + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191928 + example22: + description: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID. + summary: Edit - Set (overwrite existing) rule actions for rules (non-idempotent) + value: + action: edit + edit: + - type: set_rule_actions + value: + actions: + - group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191928 + example23: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. 
+ summary: Edit - Add rule actions to rules for a webhook connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example24: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for an email connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + message: The message body + subject: Subject + to: address@domain.com + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example25: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a slack connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + message: The content of the message + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example26: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a PagerDuty connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + eventAction: trigger + severity: critical + summary: The message body + timestamp: '2023-10-31T00:00:00.000Z' + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example27: + description: The following request set alert suppression to the rules with the specified IDs. 
+ summary: Edit - Set alert suppression to rules (idempotent) + value: + action: edit + edit: + - type: set_alert_suppression + value: + duration: + unit: h + value: 1 + group_by: + - source.ip + missing_fields_strategy: suppress + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example28: + description: The following request set alert suppression to threshold rules with the specified IDs. + summary: Edit - Set alert suppression to threshold rules (idempotent) + value: + action: edit + edit: + - type: set_alert_suppression_for_threshold + value: + duration: + unit: h + value: 1 + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example29: + description: The following request removes alert suppression from the rules with the specified IDs. If the rules do not have alert suppression, no changes are made. + summary: Edit - Removes alert suppression from rules (idempotent) + value: + action: edit + edit: + - type: delete_alert_suppression + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example30: + description: The following request triggers the filling of gaps for the specified rule ids and time range + summary: Fill Gaps - Manually trigger the filling of gaps for specified rules + value: + action: fill_gaps + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + - 164d0918-f720-4c9f-9f5c-c5122587cf19 + run: + end_date: '2025-03-10T23:59:59.999Z' + start_date: '2025-03-01T00:00:00.000Z' + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkDisableRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkExportRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkDuplicateRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkManualRuleRun' + - $ref: 
'#/components/schemas/Security_Detections_API_BulkManualRuleFillGaps' + - $ref: '#/components/schemas/Security_Detections_API_BulkEditRules' + responses: + '200': + content: + application/json: + examples: + example01: + description: In this response one rule was updated and one was skipped. Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason. + summary: Successful response + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: 51658332-a15e-4c9e-912a-67214e2e2359 + name: Skipped rule + skip_reason: RULE_NOT_MODIFIED + updated: + - anomaly_threshold: 50 + author: + - Elastic + created_at: '2022-02-21T14:14:13.801Z' + created_by: elastic + description: A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data. + enabled: true + exceptions_list: [] + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. + metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: + - DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded. 
+ from: now-45m + id: 8bc7dad0-9320-11ec-9265-8b772383a08d + immutable: false + interval: 15m + license: Elastic License v2 + machine_learning_job_id: + - packetbeat_dns_tunneling_ea + max_signals: 100 + name: DNS Tunneling [Duplicate] + references: + - https://www.elastic.co/docs/reference/machine-learning/ootb-ml-jobs-siem + related_integrations: [] + required_fields: [] + risk_score: 21 + risk_score_mapping: [] + rule_id: 7289bf08-4e91-4c70-bf01-e04c4c5d7756 + setup: '' + severity: low + severity_mapping: [] + tags: + - Elastic + - Network + - Threat Detection + - ML + threat: [] + to: now + type: machine_learning + updated_at: '2022-02-21T17:05:50.883Z' + updated_by: elastic + version: 6 + summary: + failed: 0 + skipped: 1 + succeeded: 1 + total: 2 + rules_count: 1 + success: true + example02: + description: If processing of any rule fails, a partial error outputs the ID and/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request). + summary: Partial failure + value: + value: + attributes: + errors: + - message: Index patterns can't be added. Machine learning rule doesn't have index patterns property + rules: + - id: 8bc7dad0-9320-11ec-9265-8b772383a08d + name: DNS Tunneling [Duplicate] + status_code: 500 + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: [] + author: + - Elastic + created_at: '2022-02-21T14:14:17.883Z' + created_by: elastic + description: Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app. + enabled: true + exceptions_list: [] + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. 
+ metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: [] + from: now-6m + id: 8e5c1a40-9320-11ec-9265-8b772383a08d + immutable: false + index: + - apm-*-transaction* + - traces-apm* + - auditbeat-* + - filebeat-* + - logs-* + - packetbeat-* + - winlogbeat-* + - added-by-id-* + interval: 5m + language: kuery + license: Elastic License v2 + max_signals: 10000 + name: External Alerts [Duplicate] + query: | + event.kind:alert and not event.module:(endgame or endpoint) + references: [] + related_integrations: [] + required_fields: [] + risk_score: 47 + risk_score_mapping: + - field: event.risk_score + operator: equals + value: '' + rule_id: 941faf98-0cdc-4569-b16d-4af962914d61 + rule_name_override: message + setup: '' + severity: medium + severity_mapping: + - field: event.severity + operator: equals + severity: low + value: '21' + - field: event.severity + operator: equals + severity: medium + value: '47' + - field: event.severity + operator: equals + severity: high + value: '73' + - field: event.severity + operator: equals + severity: critical + value: '99' + tags: + - Elastic + - Network + - Windows + - APM + - macOS + - Linux + threat: [] + timestamp_override: event.ingested + to: now + type: query + updated_at: '2022-02-21T16:56:22.818Z' + updated_by: elastic + version: 5 + summary: + failed: 1 + skipped: 0 + succeeded: 1 + total: 2 + message: Bulk edit partially failed + rules_count: 2 + status_code: 500 + success: false + example03: + description: The attributes.errors section of the response shows that two rules failed to update and one succeeded. The same results would be returned if you ran the request without dry run mode enabled. Notice that there are no arrays in attributes.results. 
In dry run mode, rule updates are not applied and saved to Elasticsearch, so the endpoint wouldn’t return results for rules that have been updated, created, or deleted. + summary: Dry run + value: + attributes: + errors: + - err_code: IMMUTABLE + message: Elastic rule can't be edited + rules: + - id: 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + name: Unusual AWS Command for a User + status_code: 500 + - err_code: MACHINE_LEARNING_INDEX_PATTERN + message: Machine learning rule doesn't have index patterns + rules: + - id: dc015d10-0831-11ed-ac8b-05a222bd8d4a + name: Suspicious Powershell Script [Duplicate] + status_code: 500 + results: + created: [] + deleted: [] + skipped: [] + updated: [] + summary: + failed: 2 + skipped: 0 + succeeded: 1 + total: 3 + message: Bulk edit partially failed + status_code: 500 + example04: + description: This example presents the successful setting of tags for 2 rules. There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated. 
+ summary: Set tags successsully for 2 rules + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: [] + author: [] + created_at: '2025-03-25T11:46:41.899Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-6m + id: 738112cd-6cfa-414a-8457-2a658845d6ba + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 5m + language: kuery + license: '' + max_signals: 100 + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Rule 1 + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 1 + risk_score: 21 + risk_score_mapping: [] + rule_id: 6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + threat: [] + to: now + type: query + updated_at: '2025-03-25T11:47:11.350Z' + updated_by: elastic + version: 2 + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + 
kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Rule 2 + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 33 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T11:47:11.357Z' + updated_by: elastic + version: 24 + summary: + failed: 0 + skipped: 0 + succeeded: 2 + total: 2 + rules_count: 2 + success: true + example05: + description: This example presents the idempotent behavior of the edit action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them. + summary: Idempotent behavior of set_tags + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + name: Rule 1 + skip_reason: RULE_NOT_MODIFIED + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + name: Rule 2 + skip_reason: RULE_NOT_MODIFIED + updated: [] + summary: + failed: 0 + skipped: 2 + succeeded: 0 + total: 2 + rules_count: 2 + success: true + example06: + description: This example presents the idempotent behavior of the edit action with add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added. 
+ summary: Idempotent behavior of add_tags + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + name: Test Rule 2 + skip_reason: RULE_NOT_MODIFIED + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 34 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + - tag-4 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T11:55:12.752Z' + updated_by: elastic + version: 25 + summary: + failed: 0 + skipped: 1 + succeeded: 1 + total: 2 + rules_count: 2 + success: true + example07: + description: This example shows a non-idempotent nature of the set_rule_actions requests. 
Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID. + summary: Non-idempotent behavior for set_rule_actions + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: e48428e5-efac-4856-b8ad-b271c14eaa91 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 39 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + - tag-4 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T12:17:40.528Z' + updated_by: elastic + version: 30 + summary: + failed: 0 + skipped: 0 + succeeded: 1 + total: 1 + rules_count: 1 + success: true + example08: + description: This example shows a non-idempotent nature of the add_rule_actions requests. 
Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID. + summary: Non-idempotent behavior for add_rule_actions + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 + params: + body: Message body + uuid: 0309347e-3954-429c-9168-5da2663389af + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 + params: + body: Message body + uuid: 49ddaa94-d63d-410e-90dc-8c1bad9552bd + author: [] + created_at: '2025-04-02T12:42:03.400Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-6m + id: 0d3eb0cd-88c4-4651-ac87-6d9f0cb87217 + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 5m + language: kuery + license: '' + max_signals: 100 + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Jacek test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 2 + risk_score: 21 + risk_score_mapping: [] + rule_id: 2684c020-1370-4719-ac27-eafe6428fe10 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: [] + threat: [] + to: now + type: query + updated_at: '2025-04-02T12:51:40.215Z' + updated_by: elastic + version: 2 + summary: + failed: 0 + skipped: 0 + succeeded: 1 + total: 1 + rules_count: 1 + success: true + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResponse' + - $ref: 
'#/components/schemas/Security_Detections_API_BulkExportActionResponse' + description: OK + summary: Apply a bulk action to detection rules + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/rules/_export: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export detection rules to an `.ndjson` file. The following configuration items are also included in the `.ndjson` file: + - Actions + - Exception lists + > info + > Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules. + + > You can use Kibana’s [Saved Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules. + + > Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately. + operationId: ExportRules + parameters: + - description: Determines whether a summary of the exported rules is returned. + in: query + name: exclude_export_details + required: false + schema: + default: false + type: boolean + - description: | + File name for saving the exported rules. + > info + > When using cURL to export rules to a file, use the -O and -J options to save the rules to the file name specified in the URL. 
+ in: query + name: file_name + required: false + schema: + default: export.ndjson + type: string + requestBody: + content: + application/json: + schema: + nullable: true + type: object + properties: + objects: + description: Array of objects with a rule's `rule_id` field. Do not use rule's `id` here. Exports all rules when unspecified. + items: + type: object + properties: + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + required: + - rule_id + type: array + required: + - objects + required: false + responses: + '200': + content: + application/ndjson: + schema: + description: | + An `.ndjson` file containing the returned rules. + + Each line in the file represents an object (a rule, exception list parent container, or exception list item), and the last line includes a summary of what was exported. + format: binary + type: string + description: Indicates a successful call. + summary: Export detection rules + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl -X POST "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' + { + "objects": [ + { + "rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900" }, - "connectorName": "GPT-5 Chat", - "end": "now", - "start": "now-24h" - }' - /api/attack_discovery/generations: + { + "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d" + } + ] + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/rules/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/rules/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page. + operationId: FindRules + parameters: + - in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: | + Search query + + Filters the returned results according to the value of the specified field, using the alert.attributes.: syntax, where can be: + - name + - enabled + - tags + - createdBy + - interval + - updatedBy + > info + > Even though the JSON rule object uses created_by and updated_by fields, you must use createdBy and updatedBy fields in the filter. + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_FindRulesSortField' + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Rules per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + - description: Gaps range start + in: query + name: gaps_range_start + required: false + schema: + type: string + - description: Gaps range end + in: query + name: gaps_range_end + required: false + schema: + type: string + - description: Gap fill statuses + in: query + name: gap_fill_statuses + required: false + schema: + items: + $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' + type: array + - description: Gap auto fill scheduler ID used to determine gap fill status for rules + in: query + name: gap_auto_fill_scheduler_id + required: false + schema: + type: string + responses: + '200': + 
content: + application/json: + examples: + example1: + value: + data: + - created_at: '2020-02-02T10:05:19.613Z' + created_by: elastic + description: Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity. + enabled: false + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. + metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: [] + from: now-6m + id: 89761517-fdb0-4223-b67b-7621acc48f9e + immutable: true + index: + - winlogbeat-* + interval: 5m + language: kuery + max_signals: 33 + name: Windows Script Executing PowerShell + query: 'event.action:"Process Create (rule: ProcessCreate)" and process.parent.name:("wscript.exe" or "cscript.exe") and process.name:"powershell.exe"' + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: event.action + type: keyword + - ecs: true + name: process.name + type: keyword + - ecs: true + name: process.parent.name + type: keyword + risk_score: 21 + rule_id: f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc + setup: '' + severity: low + tags: + - Elastic + - Windows + threat: + - framework: MITRE ATT&CK + tactic: + id: TA0002 + name: Execution + reference: https://attack.mitre.org/tactics/TA0002/ + technique: + - id: T1193 + name: Spearphishing Attachment + reference: https://attack.mitre.org/techniques/T1193/ + to: now + type: query + updated_at: '2020-02-02T10:05:19.830Z' + updated_by: elastic + page: 1 + perPage: 5 + total: 4 + schema: + type: object + properties: + data: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + 
type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + warnings: + items: + $ref: '#/components/schemas/Security_Detections_API_WarningSchema' + type: array + required: + - page + - perPage + - total + - data + description: | + Successful response + > info + > These fields are under development and their usage or schema may change: execution_summary. + summary: List all detection rules + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl -X GET "localhost:5601/api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows" -H 'kbn-xsrf: true' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/rules/_import: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/_import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Import detection rules from an `.ndjson` file, including actions and exception lists. The request must include: + - The `Content-Type: multipart/form-data` HTTP header. + - A link to the `.ndjson` file containing the rules. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + > info + > To import rules with actions, you need at least Read privileges for the Action and Connectors feature. To overwrite or add new connectors, you need All privileges for the Actions and Connectors feature. To import rules without actions, you don’t need Actions and Connectors privileges. Refer to [Enable and access detections](https://www.elastic.co/docs/solutions/security/detect-and-alert/detections-privileges) for more information. + + > info + > Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules. + + > You can use Kibana’s [Saved Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules. 
+ + > Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately. + operationId: ImportRules + parameters: + - description: Determines whether existing rules with the same `rule_id` are overwritten. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean + - description: Determines whether existing exception lists with the same `list_id` are overwritten. Both the exception list container and its items are overwritten. + in: query + name: overwrite_exceptions + required: false + schema: + default: false + type: boolean + - description: Determines whether existing actions with the same `kibana.alert.rule.actions.id` are overwritten. + in: query + name: overwrite_action_connectors + required: false + schema: + default: false + type: boolean + - description: Generates a new list ID for each imported exception list. + in: query + name: as_new_list + required: false + schema: + default: false + type: boolean + requestBody: + content: + multipart/form-data: + schema: + type: object + properties: + file: + description: The `.ndjson` file containing the rules. 
+ format: binary + type: string + required: true + responses: + '200': + content: + application/json: + examples: + example1: + summary: Import rules with success + value: + errors: [] + exceptions_errors: [] + exceptions_success: true + exceptions_success_count: 0 + rules_count: 1 + success: true + success_count: 1 + schema: + additionalProperties: false + type: object + properties: + action_connectors_errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + action_connectors_success: + type: boolean + action_connectors_success_count: + minimum: 0 + type: integer + action_connectors_warnings: + items: + $ref: '#/components/schemas/Security_Detections_API_WarningSchema' + type: array + errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + exceptions_errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + exceptions_success: + type: boolean + exceptions_success_count: + minimum: 0 + type: integer + rules_count: + minimum: 0 + type: integer + success: + type: boolean + success_count: + minimum: 0 + type: integer + required: + - exceptions_success + - exceptions_success_count + - exceptions_errors + - rules_count + - success + - success_count + - errors + - action_connectors_errors + - action_connectors_warnings + - action_connectors_success + - action_connectors_success_count + description: Indicates a successful call. + summary: Import detection rules + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl -X POST "/api/detection_engine/rules/_import" + -u : -H 'kbn-xsrf: true' + -H 'Content-Type: multipart/form-data' + --form "file=@" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/rules/{id}/exceptions: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/{id}/exceptions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create exception items that apply to a single detection rule. + operationId: CreateRuleExceptionListItems + parameters: + - description: Detection rule's identifier + examples: + id: + value: 330bdd28-eedf-40e1-bed0-f10176c7f9e0 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_UUID' + requestBody: + content: + application/json: + schema: + example: + items: + - description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple + type: object + properties: + items: + items: + $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps' + type: array + required: + - items + description: Rule exception items. + required: true + responses: + '200': + content: + application/json: + examples: + ruleExceptionItems: + value: + - _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + schema: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + type: array + description: Successful response + '400': + content: + application/json: + examples: + badPayload: + value: + error: Bad Request + message: Invalid request payload JSON format + statusCode: 400 + badRequest: + value: + error: Bad Request + message: '[request params]: id: Invalid uuid' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + message: Unable to create exception-list + status_code: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal 
Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create rule exception items + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/rules/preview: + post: + operationId: RulePreview + parameters: + - description: Enables logging and returning in response ES queries, performed during rule execution + in: query + name: enable_logged_requests + required: false + schema: + type: boolean + requestBody: + content: + application/json: + schema: + anyOf: + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + 
discriminator: + propertyName: type + description: An object containing tags to add or remove and alert ids the changes will be applied + required: true + responses: + '200': + content: + application/json: + schema: + type: object + properties: + isAborted: + type: boolean + logs: + items: + $ref: '#/components/schemas/Security_Detections_API_RulePreviewLogs' + type: array + previewId: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + required: + - logs + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Preview rule alerts generated on specified time range + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/preview
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/detection_engine/signals/assignees: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/assignees
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Assign users to detection alerts, and unassign them from alerts. + > info + > You cannot add and remove the same assignee in the same request. + operationId: SetAlertAssignees + requestBody: + content: + application/json: + examples: + add: + $ref: '#/components/examples/Security_Detections_API_SetAlertAssigneesBodyAdd' + remove: + $ref: '#/components/examples/Security_Detections_API_SetAlertAssigneesBodyRemove' + schema: + $ref: '#/components/schemas/Security_Detections_API_SetAlertAssigneesBody' + required: true + responses: + '200': + content: + application/ndjson: + examples: + add: + value: + batches: 1, + deleted: 0, + failures: [] + noops: 0, + requests_per_second: '-1,' + retries: + - bulk: 0, + - search: 0 + throttled_millis: 0, + throttled_until_millis: 0, + timed_out: false, + took: 76, + total: 1, + updated: 1, + version_conflicts: 0, + description: Indicates a successful call. + '400': + description: Invalid request. + summary: Assign and unassign users from detection alerts + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/signals/search: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/search
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Find and/or aggregate detection alerts that match the given query. + operationId: SearchAlerts + requestBody: + content: + application/json: + examples: + query: + value: + aggs: + alertsByGrouping: + terms: + field: host.name + size: 10 + missingFields: + missing: + field: host.name + query: + bool: + filter: + - bool: + filter: + - match_phrase: + kibana.alert.workflow_status: open + must: [] + must_not: + - exists: + field: kibana.alert.building_block_type + should: [] + - range: + '@timestamp': + gte: '2025-01-17T08:00:00.000Z' + lte: '2025-01-18T07:59:59.999Z' + runtime_mappings: {} + size: 0 + schema: + $ref: '#/components/schemas/Security_Detections_API_QueryAlertsBodyParams' + description: Elasticsearch query and aggregation request + description: Search and/or aggregation query + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + _shards: + failed: 0 + skipped: 0 + successful: 1 + total: 1 + aggregations: + alertsByGrouping: + buckets: + - doc_count: 5 + key: Host-f43kkddfyc + doc_count_error_upper_bound: 0 + sum_other_doc_count: 0 + missingFields: + doc_count: 0 + hits: + hits: [] + max_score: null + total: + relation: eq + value: 5 + timed_out: false + took: 0 + schema: + additionalProperties: true + description: Elasticsearch search response + type: object + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + schema: + $ref: 
'#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Find and/or aggregate detection alerts + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/signals/status: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Set the status of one or more detection alerts. + operationId: SetAlertsStatus + requestBody: + content: + application/json: + examples: + byId: + value: + signal_ids: + - 80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1 + status: closed + byQuery: + value: + conflicts: proceed + query: + bool: + filter: + - '@timestamp': + format: strict_date_optional_time + gte: '2024-10-23T07:00:00.000Z' + lte: '2025-01-21T20:12:11.704Z' + range: null + - bool: + filter: + bool: + filter: + - match_phrase: + kibana.alert.workflow_status: open + - '@timestamp': + format: strict_date_optional_time + gte: '2024-10-23T07:00:00.000Z' + lte: '2025-01-21T20:12:11.704Z' + range: null + must: [] + must_not: + - exists: + field: kibana.alert.building_block_type + should: [] + must: [] + must_not: [] + should: [] + status: closed + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByIds' + - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByQuery' + description: An object containing desired status and explicit alert ids or a query to select alerts + required: true + responses: + '200': + content: + application/json: + examples: + byId: + value: + batches: 1 + deleted: 0 + failures: [] + noops: 0 + requests_per_second: -1 + retries: + bulk: 0 + search: 0 + throttled_millis: 0 + throttled_until_millis: 0 + timed_out: false + took: 81 + total: 1 + updated: 1 + version_conflicts: 0 + byQuery: + value: + batches: 1 + deleted: 0 + failures: [] + noops: 0 + requests_per_second: -1 + retries: + bulk: 0 + search: 0 + throttled_millis: 0 + throttled_until_millis: 0 + timed_out: false + took: 100 + total: 17 + updated: 17 + version_conflicts: 0 + schema: + additionalProperties: true + description: Elasticsearch update by query response + type: object + description: Successful response + '400': + content: + application/json: + 
schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Set a detection alert status + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/signals/tags: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/tags
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + And tags to detection alerts, and remove them from alerts. + > info + > You cannot add and remove the same alert tag in the same request. + operationId: SetAlertTags + requestBody: + content: + application/json: + examples: + add: + $ref: '#/components/examples/Security_Detections_API_SetAlertTagsBodyAdd' + remove: + $ref: '#/components/examples/Security_Detections_API_SetAlertTagsBodyRemove' + schema: + $ref: '#/components/schemas/Security_Detections_API_SetAlertTagsBody' + description: An object containing tags to add or remove and alert ids the changes will be applied + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + batches: 1, + deleted: 0, + failures: [] + noops: 0, + requests_per_second: '-1,' + retries: + bulk: 0, + search: 0 + throttled_millis: 0, + throttled_until_millis: 0, + timed_out: false, + took: 68, + total: 1, + updated: 1, + version_conflicts: 0, + schema: + additionalProperties: true + description: Elasticsearch update by query response + type: object + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Add and remove detection alert tags + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/tags: + get: + description: 
|- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/tags
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all unique tags from all detection rules. + operationId: ReadTags + responses: + '200': + content: + application/json: + examples: + example1: + value: + - zeek + - suricata + - windows + - linux + - network + - initial access + - remote access + - phishing + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + description: Indicates a successful call + summary: List all detection rule tags + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint_list: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint_list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create the exception list for Elastic Endpoint rule exceptions. When you create the exception list, it will have a `list_id` of `endpoint_list`. If the Elastic Endpoint exception list already exists, your request will return an empty response. + operationId: CreateEndpointList + responses: + '200': + content: + application/json: + examples: + alreadyExists: + summary: Endpoint exception list already exists (empty response) + value: {} + newList: + summary: Endpoint exception list created + value: + created_at: '2025-01-01T00:00:00.000Z' + created_by: elastic + description: Endpoint Security Exception List + id: 2e23a8c4-ef7e-4c10-adfa-3eae4e4b4b8b + immutable: false + list_id: endpoint_list + name: Endpoint Security Exception List + namespace_type: agnostic + os_types: [] + tags: [] + tie_breaker_id: e3c5a8e0-5b6a-4b4b-8b3a-2e23a8c4ef7e + type: endpoint + updated_at: '2025-01-01T00:00:00.000Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointList' + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Create an Elastic Endpoint rule 
exception list + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint_list/items: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/endpoint_list/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. + operationId: DeleteEndpointListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' + responses: + '200': + content: + application/json: + examples: + deleted: + summary: Deleted endpoint exception list item + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: [] + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + 
schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list item not found + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Delete an Elastic Endpoint exception list item + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint_list/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. + operationId: ReadEndpointListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' + responses: + '200': + content: + application/json: + examples: + item: + summary: Endpoint exception list item + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + 
application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list item not found + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Get an Elastic Endpoint rule exception list item + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint_list/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create an Elastic Endpoint exception list item, and associate it with the Elastic Endpoint exception list. + operationId: CreateEndpointListItem + requestBody: + content: + application/json: + examples: + matchAny: + summary: Exclude multiple process names + value: + description: Exclude common security tools from endpoint protection + entries: + - field: process.name + operator: included + type: match_any + value: + - scanner.exe + - updater.exe + name: Trusted security tools + os_types: + - windows + type: simple + simpleMatch: + summary: Block a specific file hash + value: + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + name: Block malicious file + os_types: + - windows + tags: + - policy:all + type: simple + schema: + type: object + properties: + comments: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' + default: [] + description: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' + entries: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' + item_id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' + meta: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' + os_types: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' + default: [] + type: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' + required: + - type + - name + - 
description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + created: + summary: Endpoint exception list item created + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '409': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list item already exists + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Create an Elastic Endpoint rule exception list item 
+ tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/endpoint_list/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. + operationId: UpdateEndpointListItem + requestBody: + content: + application/json: + examples: + updateName: + summary: Update an endpoint exception list item + value: + description: Updated description for the exception + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + item_id: block-malicious-file + name: Block malicious file (updated) + os_types: + - windows + - linux + type: simple + schema: + type: object + properties: + _version: + description: The version id, normally returned by the API when the item is retrieved. Use it ensure updates are made against the latest version. + type: string + comments: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' + default: [] + description: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' + entries: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' + id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' + description: Either `id` or `item_id` must be specified + item_id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' + description: Either `id` or `item_id` must be specified + meta: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' + os_types: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' + type: + $ref: 
'#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' + required: + - type + - name + - description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + updated: + summary: Endpoint exception list item updated + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Updated description for the exception + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file (updated) + namespace_type: agnostic + os_types: + - windows + - linux + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-15T09:30:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list item not found + '500': + content: + application/json: + schema: + $ref: 
'#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Update an Elastic Endpoint rule exception list item + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint_list/items/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint_list/items/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all Elastic Endpoint exception list items. + operationId: FindEndpointListItems + parameters: + - description: | + Filters the returned results according to the value of the specified field, + using the `:` syntax. + in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + - description: The page number to return + in: query + name: page + required: false + schema: + minimum: 0 + type: integer + - description: The number of exception list items to return per page + in: query + name: per_page + required: false + schema: + minimum: 0 + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + responses: + '200': + content: + application/json: + examples: + foundItems: + summary: Found endpoint exception list items + value: + data: + - comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + page: 1 + per_page: 20 + total: 1 + schema: + type: object + properties: + data: + description: The list 
of endpoint exception list items. + items: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + type: array + page: + description: The current page number. + minimum: 0 + type: integer + per_page: + description: The number of items per page. + minimum: 0 + type: integer + pit: + description: The point-in-time ID for pagination. + type: string + total: + description: The total number of endpoint exception list items. + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list not found + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Get Elastic Endpoint exception list items + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all response actions. + operationId: EndpointGetActionsList + parameters: + - in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + - in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' + - in: query + name: commands + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' + - in: query + name: agentIds + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + - in: query + name: userIds + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' + - in: query + name: startDate + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' + - in: query + name: endDate + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' + - in: query + name: agentTypes + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + - in: query + name: withOutputs + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' + - in: query + name: types + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse' + description: Indicates a successful call. + summary: Get response actions + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action_status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the status of response actions for the specified agent IDs. + operationId: EndpointGetActionsStatus + parameters: + - description: A list of agent IDs to get the action status for. + in: query + name: agent_ids + required: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse' + description: Indicates a successful call. + summary: Get response actions status + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/{action_id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action/{action_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a response action using the action ID. + operationId: EndpointGetActionsDetails + parameters: + - in: path + name: action_id + required: true + schema: + description: The ID of the action to retrieve. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + type: string + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionDetailsResponse' + description: OK + summary: Get action details + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/{action_id}/file/{file_id}: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action/{action_id}/file/{file_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get information for the specified response action file download. + operationId: EndpointFileInfo + parameters: + - description: The ID of the response action that generated the file. + in: path + name: action_id + required: true + schema: + type: string + - description: | + The file identifier is constructed in one of two ways: + - For Elastic Defend agents (`agentType` of `endpoint`): combine the `action_id` and `agent_id` values using a dot (`.`) separator: + `{file_id}` = `{action_id}.{agent_id}` + - For all other agent types: the `file_id` is the `agent_id` for which the response action was sent to. + in: path + name: file_id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + schema: + properties: + data: + type: object + properties: + actionId: + description: The response action ID. + type: string + agentId: + description: The agent ID that generated the file. + type: string + agentType: + description: The type of agent that generated the file. + type: string + created: + description: The date and time the file was created. + format: date-time + type: string + id: + description: The unique file identifier. + type: string + mimeType: + description: The MIME type of the file. + type: string + name: + description: The file name. + type: string + size: + description: The file size in bytes. + type: number + status: + description: The file upload status. + enum: + - AWAITING_UPLOAD + - UPLOADING + - READY + - UPLOAD_ERROR + - DELETED + type: string + description: Indicates a successful call. + summary: Get file information + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/{action_id}/file/{file_id}/download: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action/{action_id}/file/{file_id}/download
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Download a file associated with a response action. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment. + > info + > Files retrieved from third-party-protected hosts require a different password. Refer to [Third-party response actions](https://www.elastic.co/docs/solutions/security/endpoint-response-actions/third-party-response-actions) for your system's password. + operationId: EndpointFileDownload + parameters: + - description: The ID of the response action that generated the file. + in: path + name: action_id + required: true + schema: + type: string + - description: | + The file identifier is constructed in one of two ways: + - For Elastic Defend agents (`agentType` of `endpoint`): combine the `action_id` and `agent_id` values using a dot (`.`) separator: + `{file_id}` = `{action_id}.{agent_id}` + - For all other agent types: the `file_id` is the `agent_id` for which the response action was sent to. + in: path + name: file_id + required: true + schema: + type: string + responses: + '200': + content: + application/octet-stream: + schema: + format: binary + type: string + description: Indicates a successful call. + summary: Download a file + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/cancel: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/cancel
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Cancel a running or pending response action (Applies only to some agent types). + operationId: CancelAction + requestBody: + content: + application/json: + examples: + MicrosoftDefenderEndpoint: + summary: Cancel a response action on a Microsoft Defender for Endpoint host + value: + agent_type: microsoft_defender_endpoint + comment: Cancelling action due to change in requirements + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CancelRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + CancelSuccess: + summary: Cancel action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: microsoft_defender_endpoint + command: cancel + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Cancel a response action + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/execute: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/execute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Run a shell command on an endpoint. + operationId: EndpointExecuteAction + requestBody: + content: + application/json: + examples: + executeCommand: + summary: Execute a shell command on an endpoint + value: + comment: Get list of all files + endpoint_ids: + - b3d6de74-36b0-4fa8-be46-c375bf1771bf + parameters: + command: ls -al + timeout: 600 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + ExecuteSuccess: + summary: Execute action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: execute + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 9f934028-2300-4927-b531-b26376793dc4 + isCompleted: false + isExpired: false + outputs: {} + parameters: + command: ls -al + timeout: 600 + startedAt: '2023-07-28T18:43:27.362Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Run a command + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/get_file: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/get_file
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a file from an endpoint. + operationId: EndpointGetFileAction + requestBody: + content: + application/json: + examples: + getFile: + summary: Get a specific file from an endpoint + value: + comment: Get my file + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + GetFileSuccess: + summary: Get file action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: get-file + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Get a file + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/isolate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/isolate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Isolate an endpoint from the network. The endpoint remains isolated until it's released. + operationId: EndpointIsolateAction + requestBody: + content: + application/json: + examples: + multiple_endpoints: + summary: Isolates several hosts; includes a comment + value: + comment: Locked down, pending further investigation + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + single_endpoint: + summary: Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + with_case_id: + summary: Isolates a single host with a case_id value of 1234 + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Isolating as initial response + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e + schema: + type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + case_ids: + description: The IDs of cases where the action taken will be logged. Max of 50. 
+ example: + - case-id-1 + - case-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + required: true + responses: + '200': + content: + application/json: + examples: + IsolateSuccess: + summary: Isolate action successfully created + value: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: isolate + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse' + description: Indicates a successful call. + summary: Isolate an endpoint + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/kill_process: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/kill_process
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Terminate a running process on an endpoint. + operationId: EndpointKillProcessAction + requestBody: + content: + application/json: + examples: + byEntityId: + summary: Terminate a process by entity ID + value: + comment: Terminating malicious process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + byPid: + summary: Terminate a process by PID + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + pid: 1234 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + KillProcessSuccess: + summary: Kill process action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: kill-process + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Terminate a process + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/memory_dump: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/memory_dump
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Generates memory dumps on the targeted host. + operationId: EndpointGenerateMemoryDump + requestBody: + content: + application/json: + examples: + ProcessMemoryDump: + summary: Generate a memory dump from the host machine + value: + agent_type: endpoint + comment: Generating memory dump for investigation + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + type: process + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_MemoryDumpRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + MemoryDumpSuccessResponse: + summary: Memory dump action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: memory-dump + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + entity_id: abc123 + type: process + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Generate a memory dump from the host machine + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/running_procs: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/running_procs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all processes running on an endpoint. + operationId: EndpointGetProcessesAction + requestBody: + content: + application/json: + examples: + singleEndpoint: + summary: Get running processes on a single endpoint + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + RunningProcsSuccess: + summary: Running processes action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: running-processes + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Get running processes + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/runscript: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/runscript
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Run a script on a host. Currently supported only for some agent types. + operationId: RunScriptAction + requestBody: + content: + application/json: + examples: + MDE: + description: Microsoft Defender Endpoint runscript + summary: Run a script against a Microsoft Defender Endpoint agent + value: + agent_type: microsoft_defender_endpoint + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + args: '-param1 value1 -param2 value2' + scriptName: my-script.ps1 + SentinelOne: + description: SentinelOne runscript + summary: Run a script against a SentinelOne agent + value: + agent_type: sentinel_one + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 + scriptInput: '--delete --paths-to-delete /tmp/temp_file.txt,/tmp/random_file.txt' + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_RunScriptRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + RunScriptSuccess: + summary: Run script action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: sentinel_one + command: runscript + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. 
+ summary: Run a script + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/scan: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/scan
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Scan a specific file or directory on an endpoint for malware. + operationId: EndpointScanAction + requestBody: + content: + application/json: + examples: + scanFile: + summary: Scan a file on an endpoint + value: + comment: Scan the file for malware + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + ScanSuccess: + summary: Scan action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: scan + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Scan a file or directory + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/state: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action/state
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a response actions state, which reports whether encryption is enabled. + operationId: EndpointGetActionsState + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse' + description: OK + summary: Get actions state + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/suspend_process: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/suspend_process
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Suspend a running process on an endpoint. + operationId: EndpointSuspendProcessAction + requestBody: + content: + application/json: + examples: + byEntityId: + summary: Suspend a process by entity ID + value: + comment: Suspending suspicious process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + byPid: + summary: Suspend a process by PID + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + pid: 1234 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + SuspendProcessSuccess: + summary: Suspend process action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: suspend-process + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Suspend a process + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/unisolate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/unisolate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Release an isolated endpoint, allowing it to rejoin a network. + operationId: EndpointUnisolateAction + requestBody: + content: + application/json: + examples: + multipleHosts: + summary: 'Releases several hosts; includes a comment:' + value: + comment: Benign process identified, releasing group + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + singleHost: + summary: Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + withCaseId: + summary: Releases hosts with an associated case; includes a comment. + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Remediation complete, restoring network + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e + schema: + type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + case_ids: + description: The IDs of cases where the action taken will be logged. Max of 50. 
+ example: + - case-id-1 + - case-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + required: true + responses: + '200': + content: + application/json: + examples: + UnisolateSuccess: + summary: Unisolate action successfully created + value: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: unisolate + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse' + description: Indicates a successful call. + summary: Release an isolated endpoint + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/upload: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/upload
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upload a file to an endpoint. + operationId: EndpointUploadAction + requestBody: + content: + multipart/form-data: + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + UploadSuccess: + summary: Upload action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: upload + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: Host-5i6cuc8kdv + id: 9ff6aebc-2cb6-481e-8869-9b30036c9731 + isCompleted: false + isExpired: false + outputs: {} + parameters: + file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280 + file_name: fix-malware.sh + file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a + file_size: 69 + startedAt: '2023-07-03T15:07:22.837Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Upload a file + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/metadata: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/metadata
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all endpoint host metadata. + operationId: GetEndpointMetadataList + parameters: + - in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + - in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' + - in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' + - in: query + name: hostStatuses + required: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_HostStatuses' + - in: query + name: sortField + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SortField' + - in: query + name: sortDirection + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SortDirection' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_MetadataListResponse' + description: Indicates a successful call. + summary: Get a metadata list + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/metadata/{id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/metadata/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get host metadata for a specific endpoint. + operationId: GetEndpointMetadata + parameters: + - description: The agent ID of the endpoint. + in: path + name: id + required: true + schema: + example: ed518850-681a-4d60-bb98-e22640cae2a8 + type: string + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointMetadataResponse' + description: Indicates a successful call. + summary: Get metadata + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/policy_response: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/policy_response
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the most recent policy response for an endpoint. + operationId: GetPolicyResponse + parameters: + - description: The agent ID to retrieve the policy response for. + in: query + name: agentId + required: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + description: Indicates a successful call. + summary: Get a policy response + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/protection_updates_note/{package_policy_id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/protection_updates_note/{package_policy_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the protection updates note for a package policy. + operationId: GetProtectionUpdatesNote + parameters: + - description: The package policy ID to retrieve the protection updates note for. + in: path + name: package_policy_id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse' + description: Indicates a successful call. + summary: Get a protection updates note + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/protection_updates_note/{package_policy_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create or update the protection updates note for a package policy. + operationId: CreateUpdateProtectionUpdatesNote + parameters: + - description: The package policy ID to create or update the protection updates note for. + in: path + name: package_policy_id + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + type: object + properties: + note: + description: The note content. + type: string + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse' + description: Indicates a successful call. + summary: Create or update a protection updates note + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/engine/delete: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_analytics/monitoring/engine/delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Deletes the Privilege Monitoring Engine and optionally removes all associated privileged user data. + operationId: DeleteMonitoringEngine + parameters: + - description: Whether to delete all the privileged user data + in: query + name: data + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + DeleteMonitoringEngineResponse: + summary: Engine deleted successfully + value: + deleted: true + schema: + type: object + properties: + deleted: + type: boolean + required: + - deleted + description: Successful response + summary: Delete the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/engine/disable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/engine/disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Disables the Privilege Monitoring Engine, stopping all monitoring activity without removing data. + operationId: DisableMonitoringEngine + responses: + '200': + content: + application/json: + examples: + DisableMonitoringEngineResponse: + summary: Engine disabled successfully + value: + status: disabled + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' + description: Successful response + summary: Disable the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/engine/init: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/engine/init
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initializes the Privilege Monitoring Engine, setting up the required resources and starting the engine. + operationId: InitMonitoringEngine + responses: + '200': + content: + application/json: + examples: + InitMonitoringEngineResponse: + summary: Engine initialized successfully + value: + status: started + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' + description: Successful response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' + description: Internal Server Error + summary: Initialize the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/engine/schedule_now: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/engine/schedule_now
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Schedules the Privilege Monitoring Engine to run as soon as possible, triggering an immediate monitoring cycle. + operationId: ScheduleMonitoringEngine + responses: + '200': + content: + application/json: + examples: + ScheduleMonitoringEngineResponse: + summary: Engine scheduled successfully + value: + success: true + schema: + type: object + properties: + success: + description: Indicates the scheduling was successful + type: boolean + description: Successful response + '409': + content: + application/json: + schema: + type: object + properties: + message: + description: Error message indicating the engine is already running + type: string + description: Conflict - Monitoring engine is already running + summary: Schedule the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/privileges/health: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/monitoring/privileges/health
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the current health status of the Privilege Monitoring Engine, including engine status, error details, and user count statistics. + operationId: PrivMonHealth + responses: + '200': + content: + application/json: + examples: + PrivMonHealthResponse: + summary: Healthy privilege monitoring engine + value: + status: started + users: + current_count: 42 + max_allowed: 1000 + schema: + type: object + properties: + error: + type: object + properties: + message: + type: string + required: + - status + status: + $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus' + users: + description: User statistics for privilege monitoring + type: object + properties: + current_count: + description: Current number of privileged users being monitored + type: integer + max_allowed: + description: Maximum number of privileged users allowed to be monitored + type: integer + required: + - current_count + - max_allowed + required: + - status + description: Successful response + summary: Health check on Privilege Monitoring + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/privileges/privileges: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/monitoring/privileges/privileges
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Check if the current user has all required permissions for Privilege Monitoring + operationId: PrivMonPrivileges + responses: + '200': + content: + application/json: + example: + has_all_required: true + privileges: + elasticsearch: + index: + .entity_analytics.monitoring.user-default: + read: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityAnalyticsPrivileges' + description: Successful response + summary: Run a privileges check on Privilege Monitoring + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/users: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/users
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates a new privileged user to be monitored by the Privilege Monitoring Engine. + operationId: CreatePrivMonUser + requestBody: + content: + application/json: + examples: + CreatePrivMonUserRequest: + summary: Create a monitored user + value: + entity_analytics_monitoring: + labels: + - field: department + source: api + value: IT + user: + name: john.doe + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_UserName' + required: true + responses: + '200': + content: + application/json: + examples: + CreatePrivMonUserResponse: + summary: Created monitored user + value: + '@timestamp': '2026-01-28T12:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: api + value: IT + event: + ingested: '2026-01-28T12:00:00.000Z' + id: user-abc-123 + user: + is_privileged: true + name: john.doe + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' + description: User created successfully + summary: Create a new monitored user + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/users/_csv: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/users/_csv
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk upserts privileged users by uploading a CSV file. Returns per-row errors and aggregate upload statistics. + operationId: PrivmonBulkUploadUsersCSV + requestBody: + content: + multipart/form-data: + schema: + type: object + properties: + file: + description: The CSV file to upload. + format: binary + type: string + required: + - file + responses: + '200': + content: + application/json: + schema: + example: + errors: + - index: 1 + message: Invalid monitored field + username: john.doe + stats: + failedOperations: 1 + successfulOperations: 1 + totalOperations: 2 + uploaded: 1 + type: object + properties: + errors: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem' + type: array + stats: + $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadStats' + required: + - errors + - stats + description: Bulk upload successful + '413': + description: File too large + summary: Upsert multiple monitored users via CSV upload + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/users/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_analytics/monitoring/users/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Removes a privileged user from monitoring by their document ID. + operationId: DeletePrivMonUser + parameters: + - in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + DeletePrivMonUserResponse: + summary: User deleted successfully + value: + acknowledged: true + message: User deleted successfully + schema: + type: object + properties: + acknowledged: + description: Indicates if the deletion was successful + type: boolean + message: + description: A message providing additional information about the deletion status + type: string + required: + - success + description: User deleted successfully + summary: Delete a monitored user + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/entity_analytics/monitoring/users/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Updates the details of an existing monitored privileged user by their document ID. + operationId: UpdatePrivMonUser + parameters: + - in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + UpdatePrivMonUserRequest: + summary: Update a monitored user + value: + entity_analytics_monitoring: + labels: + - field: department + source: api + value: Security + user: + is_privileged: true + name: john.doe + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc' + required: true + responses: + '200': + content: + application/json: + examples: + UpdatePrivMonUserResponse: + summary: Updated monitored user + value: + '@timestamp': '2026-01-28T12:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: api + value: Security + event: + ingested: '2026-01-28T12:00:00.000Z' + id: user-abc-123 + user: + is_privileged: true + name: john.doe + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' + description: User updated successfully + summary: Update a monitored user + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/users/list: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/monitoring/users/list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns a list of all privileged users currently being monitored. Supports optional KQL filtering. + operationId: ListPrivMonUsers + parameters: + - description: KQL query to filter the list of monitored users + in: query + name: kql + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + ListPrivMonUsersResponse: + summary: List of monitored users + value: + - '@timestamp': '2026-01-28T12:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: api + value: IT + event: + ingested: '2026-01-28T12:00:00.000Z' + id: user-abc-123 + user: + is_privileged: true + name: john.doe + - '@timestamp': '2026-01-15T09:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: csv + value: Security + event: + ingested: '2026-01-15T09:00:00.000Z' + id: user-def-456 + user: + is_privileged: true + name: jane.smith + schema: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' + type: array + description: List of monitored users + summary: List all monitored users + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/privileged_user_monitoring/pad/install: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/privileged_user_monitoring/pad/install
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Installs the privileged access detection integration package and sets up the associated ML modules required for the Entity Analytics privileged user monitoring experience. + operationId: InstallPrivilegedAccessDetectionPackage + responses: + '200': + content: + application/json: + examples: + InstallPrivilegedAccessDetectionPackageResponse: + summary: Package installed successfully + value: + message: Privileged access detection package installed successfully + schema: + type: object + properties: + message: + type: string + required: + - message + description: Successful response + summary: Installs the privileged access detection package for the Entity Analytics privileged user monitoring experience + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/privileged_user_monitoring/pad/status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/privileged_user_monitoring/pad/status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the installation and ML module setup status of the privileged access detection package, along with the state of each associated ML job. + operationId: GetPrivilegedAccessDetectionPackageStatus + responses: + '200': + content: + application/json: + examples: + GetPrivilegedAccessDetectionPackageStatusResponse: + summary: Package fully installed and running + value: + jobs: + - description: Detects high-risk login patterns + job_id: pad-high-risk-login + state: opened + - description: Detects privilege escalation events + job_id: pad-privilege-escalation + state: opened + ml_module_setup_status: complete + package_installation_status: complete + schema: + type: object + properties: + jobs: + items: + type: object + properties: + description: + type: string + job_id: + type: string + state: + enum: + - closing + - closed + - opened + - failed + - opening + type: string + required: + - job_id + - state + type: array + ml_module_setup_status: + enum: + - complete + - incomplete + type: string + package_installation_status: + enum: + - complete + - incomplete + type: string + required: + - package_installation_status + - ml_module_setup_status + - jobs + description: Privileged access detection status retrieved + summary: Gets the status of the privileged access detection package for the Entity Analytics privileged user monitoring experience + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/watchlists: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/watchlists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates a new entity analytics watchlist with an optional set of entity sources. Watchlists apply a risk score modifier to matched entities. + operationId: CreateWatchlist + requestBody: + content: + application/json: + examples: + CreateWatchlistRequest: + summary: Create watchlist request + value: + description: High risk vendor watchlist + managed: false + name: High Risk Vendors + riskModifier: 1.5 + CreateWatchlistWithSourcesRequest: + summary: Create watchlist with entity sources + value: + description: High risk vendor watchlist + entitySources: + - enabled: true + identifierField: user.name + indexPattern: my-sync-index + name: My User Index Source + type: index + managed: false + name: High Risk Vendors + riskModifier: 1.5 + schema: + type: object + properties: + description: + description: Description of the watchlist + type: string + entitySources: + description: Optional entity sources to create and link to the watchlist + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + filter: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Filter' + identifierField: + description: Field used to query the entity store for index-type sources + type: string + indexPattern: + type: string + integrationName: + description: Required when type is entity_analytics_integration. One of entityanalytics_okta, entityanalytics_ad. 
+ type: string + matchers: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Matcher' + type: array + name: + type: string + queryRule: + description: KQL query used to filter data from the provided index patterns + type: string + range: + $ref: '#/components/schemas/Security_Entity_Analytics_API_DateRange' + type: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitySourceType' + required: + - type + - name + type: array + managed: + description: Indicates if the watchlist is managed by the system + type: boolean + name: + description: Unique name for the watchlist + type: string + riskModifier: + description: Risk score modifier associated with the watchlist + maximum: 2 + minimum: 0 + type: number + required: + - name + - riskModifier + required: true + responses: + '200': + content: + application/json: + examples: + CreateWatchlistResponse: + summary: Created watchlist + value: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-01-28T12:00:00.000Z' + schema: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' + - type: object + properties: + entitySources: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySource' + type: array + description: Watchlist created successfully + summary: Create a new watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/watchlists/{id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/watchlists/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieves the details of an entity analytics watchlist by its unique identifier. + operationId: GetWatchlist + parameters: + - description: Unique ID of the watchlist + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + GetWatchlistResponse: + summary: Watchlist details + value: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' + description: Watchlist details + summary: Get a watchlist by ID + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/entity_analytics/watchlists/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Updates the name, description, risk modifier, or managed status of an existing entity analytics watchlist. + operationId: UpdateWatchlist + parameters: + - description: The ID of the watchlist to update + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + UpdateWatchlistRequest: + summary: Update watchlist request + value: + description: High risk vendor watchlist + managed: false + name: High Risk Vendors + riskModifier: 1.5 + schema: + type: object + properties: + description: + description: Description of the watchlist + type: string + managed: + description: Indicates if the watchlist is managed by the system + type: boolean + name: + description: Unique name of the watchlist + type: string + riskModifier: + description: Risk score modifier associated with the watchlist + maximum: 2 + minimum: 0 + type: number + required: + - name + - riskModifier + required: true + responses: + '200': + content: + application/json: + examples: + UpdateWatchlistResponse: + summary: Updated watchlist + value: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' + description: Watchlist updated successfully + summary: Update an existing watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/watchlists/{watchlist_id}/csv_upload: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/csv_upload
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uploads a CSV file to add entities to a watchlist. The CSV must contain a header row + with a "type" column (user, host, service, or generic) and one or more ECS identity + fields (e.g. "user.name", "host.hostname") used to match entities in the entity store. + + Matched entities are added to the watchlist and their `entity.attributes.watchlists` + field is updated in the entity store. + + Each row will match up to 10,000 entities. + operationId: UploadWatchlistCsv + parameters: + - description: The ID of the watchlist to add entities to + example: high-risk-vendors + in: path + name: watchlist_id + required: true + schema: + type: string + requestBody: + content: + multipart/form-data: + examples: + csvUpload: + summary: CSV file with user entities + value: + file: | + type,user.name + user,john.doe + user,jane.smith + schema: + type: object + properties: + file: + description: The CSV file to upload. 
+ format: binary + type: string + required: + - file + required: true + responses: + '200': + content: + application/json: + examples: + CsvUploadResponse: + summary: CSV upload response with mixed results + value: + failed: 1 + items: + - matchedEntities: 1 + status: success + - error: Invalid entity type + matchedEntities: 0 + status: failure + - matchedEntities: 0 + status: unmatched + successful: 1 + total: 3 + unmatched: 1 + schema: + type: object + properties: + failed: + description: Number of rows that failed to process + example: 1 + type: integer + items: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem' + type: array + successful: + description: Number of rows that matched at least one entity + example: 1 + type: integer + total: + description: Total number of rows processed + example: 3 + type: integer + unmatched: + description: Number of rows that matched no entities + example: 1 + type: integer + required: + - successful + - failed + - total + - unmatched + - items + description: Upload successful + '413': + description: File too large + summary: Upload a CSV file to add entities to a watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/watchlists/{watchlist_id}/entities/assign: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/entities/assign
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Assigns the provided entities to the specified watchlist using a "manual" source label. + The entities must already exist in the entity store. + + If an entity is already on the watchlist, no new document is created — the "manual" label + is added to its existing source labels instead. + operationId: AssignWatchlistEntities + parameters: + - description: The ID of the watchlist to add entities to + example: high-risk-vendors + in: path + name: watchlist_id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + assignEntities: + summary: Assign two entities to a watchlist + value: + euids: + - user:john.doe + - host:web-01 + schema: + type: object + properties: + euids: + description: The EUIDs of the entities to assign + example: + - user:john.doe + - host:web-01 + items: + type: string + type: array + required: + - euids + required: true + responses: + '200': + content: + application/json: + examples: + assignEntitiesResponse: + summary: Successful assignment of two entities + value: + failed: 0 + items: + - euid: user:john.doe + status: success + - euid: host:web-01 + status: not_found + not_found: 1 + successful: 1 + total: 2 + schema: + type: object + properties: + failed: + description: Number of entities that failed to process + example: 0 + type: integer + items: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem' + type: array + not_found: + description: Number of entities not found in the entity store + example: 1 + type: integer + successful: + description: Number of entities successfully assigned + example: 1 + type: integer + total: + description: Total number of entities processed + example: 2 + type: integer + required: + - successful + - failed + - not_found + - total + - items + description: Assignment successful + summary: Manually assign entities 
to a watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/watchlists/{watchlist_id}/entities/unassign: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/entities/unassign
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Unassigns the provided entities from the specified watchlist. + This only removes the "manual" assignment. If the entity is also + assigned via other sources (for example, index or integration), it will + remain on the watchlist. + operationId: UnassignWatchlistEntities + parameters: + - description: The ID of the watchlist to remove entities from + example: high-risk-vendors + in: path + name: watchlist_id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + unassignEntities: + summary: Unassign two entities from a watchlist + value: + euids: + - user:john.doe + - host:web-01 + schema: + type: object + properties: + euids: + description: The EUIDs of the entities to unassign + example: + - user:john.doe + - host:web-01 + items: + type: string + type: array + required: + - euids + required: true + responses: + '200': + content: + application/json: + examples: + unassignEntitiesResponse: + summary: Successful unassignment of two entities + value: + failed: 0 + items: + - euid: user:john.doe + status: success + - euid: host:web-01 + status: not_found + not_found: 1 + successful: 1 + total: 2 + schema: + type: object + properties: + failed: + description: Number of entities that failed to process + example: 0 + type: integer + items: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem' + type: array + not_found: + description: Number of entities not found in the manual watchlist assignment + example: 1 + type: integer + successful: + description: Number of entities successfully unassigned + example: 1 + type: integer + total: + description: Total number of entities processed + example: 2 + type: integer + required: + - successful + - failed + - not_found + - total + - items + description: Unassignment successful + summary: Manually unassign entities from a 
watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/watchlists/list: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/watchlists/list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns a list of all entity analytics watchlists. + operationId: ListWatchlists + responses: + '200': + content: + application/json: + examples: + ListWatchlistsResponse: + summary: List of watchlists + value: + - createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + - createdAt: '2026-01-10T09:30:00.000Z' + description: Privileged user monitoring watchlist + id: watchlist-456 + managed: true + name: Privileged Accounts + riskModifier: 2 + updatedAt: '2026-02-01T15:45:00.000Z' + schema: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' + type: array + description: List of watchlists + summary: List all watchlists + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/enable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/enable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initialize the entire Entity Store, creating engines for all or specified entity types. + operationId: InitEntityStore + requestBody: + content: + application/json: + schema: + type: object + properties: + delay: + default: 1m + description: The delay before the transform will run. + pattern: '[smdh]$' + type: string + docsPerSecond: + default: -1 + description: The number of documents per second to process. + type: integer + enrichPolicyExecutionInterval: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' + entityTypes: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + fieldHistoryLength: + default: 10 + description: The number of historical values to keep for each field. + type: integer + filter: + type: string + frequency: + default: 1m + description: The frequency at which the transform will run. + pattern: '[smdh]$' + type: string + indexPattern: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' + lookbackPeriod: + default: 3h + description: The amount of time the transform looks back to calculate the aggregations. + pattern: '[smdh]$' + type: string + maxPageSearchSize: + default: 500 + description: The initial page size to use for the composite aggregation of each checkpoint. + type: integer + timeout: + default: 180s + description: The timeout for initializing the aggregating transform. + pattern: '[smdh]$' + type: string + timestampField: + default: '@timestamp' + description: The field to use as the timestamp. + type: string + description: Configuration for the entity store initialization. + required: true + responses: + '200': + content: + application/json: + examples: + initEntityStoreExample: + description: The Entity Store was successfully initialized, creating host and user engines in the installing state. 
+ summary: Entity Store initialized with host and user engines + value: + engines: + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: installing + timeout: 180s + timestampField: '@timestamp' + type: host + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: installing + timeout: 180s + timestampField: '@timestamp' + type: user + succeeded: true + schema: + type: object + properties: + engines: + description: The engine descriptors created during initialization. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + type: array + succeeded: + description: Whether the Entity Store was initialized successfully. + type: boolean + description: Successful response + '400': + description: Invalid request + summary: Initialize the Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/engines: + delete: + operationId: DeleteEntityEngines + parameters: + - description: The entity type of the engine ('user', 'host', 'service', 'generic'). + examples: + hostAndService: + value: host,service + in: query + name: entityTypes + required: false + schema: + description: Array of engine types to delete. Empty by default, which results in all the engines being deleted. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + - description: Control flag to also delete the entity data. + in: query + name: delete_data + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteEntityEnginesExample: + description: Example response after deleting 'host' engine + value: + deleted: + - host + still_running: + - generic + - user + - service + schema: + type: object + properties: + deleted: + description: Entity types whose engines were successfully deleted. 
+ items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + still_running: + description: Entity types whose engines are still running. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + description: Successful response + summary: Delete Entity Engines + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_store/engines
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_store/engines
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all installed entity engines and their current status. + operationId: ListEntityEngines + responses: + '200': + content: + application/json: + examples: + listEntityEnginesExample: + description: Returns a list with one running host engine and one stopped user engine. + summary: Two engines installed + value: + count: 2 + engines: + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: host + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: stopped + timeout: 180s + timestampField: '@timestamp' + type: user + schema: + type: object + properties: + count: + description: The total number of entity engines. + type: integer + engines: + description: An array of engine descriptors. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + type: array + description: Successful response + summary: List the Entity Engines + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/engines/{entityType}: + delete: + operationId: DeleteEntityEngine + parameters: + - description: The entity type of the engine (either 'user' or 'host'). + examples: + host: + value: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + - description: Control flag to also delete the entity data. + in: query + name: delete_data + required: false + schema: + type: boolean + - deprecated: true + description: Control flag to also delete the entity data. 
+ in: query + name: data + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteEntityEngineExample: + description: Example response after deleting 'host' engine + value: + deleted: true + schema: + type: object + properties: + deleted: + description: Whether the engine was successfully deleted. + type: boolean + description: Successful response + summary: Delete the Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_store/engines/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_store/engines/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the engine descriptor for a specific entity type, including its configuration and current status. + operationId: GetEntityEngine + parameters: + - description: The entity type of the engine. + example: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + responses: + '200': + content: + application/json: + examples: + getEntityEngineExample: + description: Returns the engine descriptor for a host engine that is currently running with default settings. + summary: A running host engine + value: + delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: host + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + description: Successful response + summary: Get an Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/engines/{entityType}/init: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/engines/{entityType}/init
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initialize a single entity engine for the specified entity type. + operationId: InitEntityEngine + parameters: + - description: The entity type of the engine. + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + requestBody: + content: + application/json: + schema: + type: object + properties: + delay: + default: 1m + description: The delay before the transform will run. + pattern: '[smdh]$' + type: string + docsPerSecond: + default: -1 + description: The number of documents per second to process. + type: integer + enrichPolicyExecutionInterval: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' + fieldHistoryLength: + default: 10 + description: The number of historical values to keep for each field. + type: integer + filter: + type: string + frequency: + default: 1m + description: The frequency at which the transform will run. + pattern: '[smdh]$' + type: string + indexPattern: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' + lookbackPeriod: + default: 3h + description: The amount of time the transform looks back to calculate the aggregations. + pattern: '[smdh]$' + type: string + maxPageSearchSize: + default: 500 + description: The initial page size to use for the composite aggregation of each checkpoint. + type: integer + timeout: + default: 180s + description: The timeout for initializing the aggregating transform. + pattern: '[smdh]$' + type: string + timestampField: + default: '@timestamp' + description: The field to use as the timestamp for the entity type. + type: string + description: Schema for the engine initialization + required: true + responses: + '200': + content: + application/json: + examples: + initEntityEngineExample: + description: A host engine was successfully initialized and is now in the installing state. 
+ summary: Host engine initialized + value: + delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 3h + status: installing + timeout: 180s + timestampField: '@timestamp' + type: host + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + description: Successful response + '400': + description: Invalid request + summary: Initialize an Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/engines/{entityType}/start: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/engines/{entityType}/start
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Start a previously stopped entity engine, resuming transform processing for the given entity type. + operationId: StartEntityEngine + parameters: + - description: The entity type of the engine to start. + example: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + responses: + '200': + content: + application/json: + examples: + startEntityEngineExample: + description: The engine was successfully started and is now processing data. + summary: Engine started successfully + value: + started: true + schema: + type: object + properties: + started: + description: Whether the engine was successfully started. + type: boolean + description: Successful response + summary: Start an Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/engines/{entityType}/stop: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/engines/{entityType}/stop
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Stop a running entity engine, pausing transform processing for the given entity type. + operationId: StopEntityEngine + parameters: + - description: The entity type of the engine to stop. + example: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + responses: + '200': + content: + application/json: + examples: + stopEntityEngineExample: + description: The engine was successfully stopped and is no longer processing data. + summary: Engine stopped successfully + value: + stopped: true + schema: + type: object + properties: + stopped: + description: Whether the engine was successfully stopped. + type: boolean + description: Successful response + summary: Stop an Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/engines/apply_dataview_indices: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/engines/apply_dataview_indices
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Synchronize data view index patterns to all running entity engines so that newly added indices are picked up by the transforms. + operationId: ApplyEntityEngineDataviewIndices + responses: + '200': + content: + application/json: + examples: + applyDataviewIndicesExample: + description: All running engines were successfully updated with the current data view index patterns. + summary: All engines updated + value: + result: + - changes: + indexPatterns: + - logs-* + - filebeat-* + - auditbeat-* + type: host + - changes: + indexPatterns: + - logs-* + - filebeat-* + - auditbeat-* + type: user + success: true + schema: + type: object + properties: + result: + description: Per-engine update results. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult' + type: array + success: + description: Whether all engines updated successfully. + type: boolean + description: Successful response + '207': + content: + application/json: + examples: + partialSuccessExample: + description: The host engine was updated but the user engine failed due to insufficient privileges. + summary: One engine failed + value: + errors: + - 'Failed to update user engine: insufficient privileges' + result: + - changes: + indexPatterns: + - logs-* + - filebeat-* + type: host + success: false + schema: + type: object + properties: + errors: + description: Error messages for engines that failed to update. + items: + type: string + type: array + result: + description: Per-engine update results for engines that succeeded. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult' + type: array + success: + description: Always `false` for a partial success. 
+ type: boolean + description: Partial successful response + '500': + content: + application/json: + examples: + serverErrorExample: + description: An unexpected error occurred while applying data view indices. + summary: Internal server error + value: + body: An internal error occurred while updating engine indices + statusCode: 500 + schema: + type: object + properties: + body: + description: Error message. + type: string + statusCode: + description: HTTP status code. + type: number + description: Error response + summary: Apply DataView indices to all installed engines + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/entities/{entityType}: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_store/entities/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a single entity in Entity Store. + The entity will be immediately deleted from the latest index. It will remain available in historical snapshots if it has been snapshotted. The delete operation does not prevent the entity from being recreated if it is observed again in the future. + operationId: DeleteSingleEntity + parameters: + - example: user + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + requestBody: + content: + application/json: + schema: + type: object + properties: + id: + description: Identifier of the entity to be deleted, commonly entity.id value. + example: arn:aws:iam::123456789012:user/jane.doe + type: string + required: + - id + description: Schema for the deleting entity + required: true + responses: + '200': + content: + application/json: + examples: + deleteEntityExample: + description: The entity was found and successfully removed from the latest index. + summary: Entity deleted + value: + deleted: true + schema: + type: object + properties: + deleted: + description: Whether the entity was successfully deleted. + type: boolean + description: Successful response. Entity deleted. + '404': + description: Entity Not Found. No entity with this ID and Type exists. + '503': + description: Operation on an uninitialized Engine or in a cluster without CRUD API Enabled + summary: Delete an entity in Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/entity_store/entities/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update or create an entity in Entity Store. + If the specified entity already exists, it is updated with the provided values. If the entity does not exist, a new one is created. By default, only the following fields can be updated: * `entity.attributes.*` * `entity.lifecycle.*` * `entity.behavior.*` To update other fields, set the `force` query parameter to `true`. > info > Some fields always retain the first observed value. Updates to these fields will not appear in the final index. + > Due to technical limitations, not all updates are guaranteed to appear in the final list of observed values. + > Due to technical limitations, create is an async operation. The time for a document to be present in the > final index depends on the entity store transform and usually takes more than 1 minute. + operationId: UpsertEntity + parameters: + - example: user + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + - description: When true, allows updating protected fields. + in: query + name: force + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' + description: Schema for the updating a single entity + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' + description: Entity updated or created + '403': + description: Operation on a restricted field + '409': + description: Conflict. 
The entity was updated while another update was happening in ElasticSearch + '503': + description: Operation on an uninitialized Engine or in a cluster without CRUD API Enabled + summary: Upsert an entity in Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/entities/bulk: + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/entity_store/entities/bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update or create many entities in Entity Store. + If the specified entity already exists, it is updated with the provided values. If the entity does not exist, a new one is created. + The creation is asynchronous. The time for a document to be present in the final index depends on the entity store transform and usually takes more than 1 minute. + operationId: UpsertEntitiesBulk + parameters: + - description: When true, allows updating protected fields. + in: query + name: force + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitiesContainer' + description: Schema for the updating many entities + required: true + responses: + '200': + description: Entities updated or created + '403': + description: Operation on a restricted field + '503': + description: Operation on an uninitialized Engine or in a cluster without CRUD API Enabled + summary: Upsert many entities in Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/entities/list: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_store/entities/list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List entities records, paging, sorting and filtering as needed. + operationId: ListEntities + parameters: + - description: Field to sort results by. + example: entity.name + in: query + name: sort_field + required: false + schema: + type: string + - description: Sort order. + in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + - description: Page number to return (1-indexed). + example: 1 + in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - description: Number of entities per page. + example: 10 + in: query + name: per_page + required: false + schema: + maximum: 10000 + minimum: 1 + type: integer + - description: An ES query to filter by. + in: query + name: filterQuery + required: false + schema: + type: string + - description: Entity types to include in the results. + in: query + name: entity_types + required: true + schema: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + responses: + '200': + content: + application/json: + schema: + type: object + properties: + inspect: + $ref: '#/components/schemas/Security_Entity_Analytics_API_InspectQuery' + page: + description: Current page number. + minimum: 1 + type: integer + per_page: + description: Number of entities per page. + maximum: 1000 + minimum: 1 + type: integer + records: + description: The entity records for this page. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' + type: array + total: + description: Total number of entities matching the query. 
+ minimum: 0 + type: integer + required: + - records + - page + - per_page + - total + description: Entities returned successfully + summary: List Entity Store Entities + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_store/status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the overall Entity Store status and per-engine statuses, optionally including component-level health details. + operationId: GetEntityStoreStatus + parameters: + - description: If true, returns a detailed status of each engine including all its components. + example: true + in: query + name: include_components + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + entityStoreRunning: + description: The Entity Store is running with both host and user engines started and using default settings. + summary: Entity Store running with two engines + value: + engines: + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: host + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: user + status: running + schema: + type: object + properties: + engines: + description: Per-engine status information. + items: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + - type: object + properties: + components: + description: Detailed component-level status. Only included when include_components is true. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentStatus' + type: array + type: array + status: + $ref: '#/components/schemas/Security_Entity_Analytics_API_StoreStatus' + description: The overall status of the Entity Store. 
+ required: + - status + - engines + description: Successful response + summary: Get the status of the Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/exception_lists: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/exception_lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an exception list using the `id` or `list_id` field. + operationId: DeleteExceptionList + parameters: + - description: Exception list's identifier. Either `id` or `list_id` must be specified. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified. + examples: + autogeneratedId: + value: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + list_id: + value: simple_list + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + responses: + '200': + content: + application/json: + examples: + detectionExceptionList: + value: + _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' + created_by: elastic + description: This is a sample detection type exception list. + id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list list_id: "foo" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Delete an exception list + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/exception_lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an exception list using the `id` or `list_id` field. + operationId: ReadExceptionList + parameters: + - description: Exception list's identifier. Either `id` or `list_id` must be specified. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified. + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + responses: + '200': + content: + application/json: + examples: + detectionType: + value: + _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' + created_by: elastic + description: This is a sample detection type exception list. + id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception list details + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/exception_lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + An exception list groups exception items and can be associated with detection rules. You can assign exception lists to multiple detection rules. + > info + > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item. + operationId: CreateExceptionList + requestBody: + content: + application/json: + schema: + example: + description: This is a sample detection type exception list. + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + type: detection + type: object + properties: + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + os_types: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' + default: [] + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' + version: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' + default: 1 + required: + - name + - description + - type + description: Exception list's properties + required: true + responses: + '200': + content: + application/json: + 
examples: + autogeneratedListId: + value: + _version: WzMsMV0= + created_at: '2025-01-09T01:05:23.019Z' + created_by: elastic + description: This is a sample detection type exception with an autogenerated list_id. + id: 28243c2f-624a-4443-823d-c0b894880931 + immutable: false + list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 + name: Sample Detection Exception List + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: ad94de31-39f7-4ad7-b8e4-988bfa95f338 + type: detection + updated_at: '2025-01-09T01:05:23.020Z' + updated_by: elastic + version: 1 + namespaceAgnostic: + value: + _version: WzUsMV0= + created_at: '2025-01-09T01:10:36.369Z' + created_by: elastic + description: This is a sample agnostic endpoint type exception. + id: 1a744e77-22ca-4b6b-9085-54f55275ebe5 + immutable: false + list_id: b935eb55-7b21-4c1c-b235-faa1df23b3d6 + name: Sample Agnostic Endpoint Exception List + namespace_type: agnostic + os_types: + - linux + tags: + - malware + tie_breaker_id: 49ea0adc-a2b8-4d83-a8f3-2fb98301dea3 + type: endpoint + updated_at: '2025-01-09T01:10:36.369Z' + updated_by: elastic + version: 1 + typeDetection: + value: + _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' + created_by: elastic + description: This is a sample detection type exception list. + id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' + updated_by: elastic + version: 1 + typeEndpoint: + value: + _version: WzQsMV0= + created_at: '2025-01-09T01:07:49.658Z' + created_by: elastic + description: This is a sample endpoint type exception list. 
+ id: a79f4730-6e32-4278-abfc-349c0add7d54 + immutable: false + list_id: endpoint_list + name: Sample Endpoint Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 94a028af-8f47-427a-aca5-ffaf829e64ee + type: endpoint + updated_at: '2025-01-09T01:07:49.658Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: list_id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'exception list id: "simple_list" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list 
already exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create an exception list + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/exception_lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an exception list using the `id` or `list_id` field. + operationId: UpdateExceptionList + requestBody: + content: + application/json: + schema: + example: + description: Different description + list_id: simple_list + name: Updated exception list name + os_types: + - linux + tags: + - draft malware + type: detection + type: object + properties: + _version: + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. + type: string + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' + id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + os_types: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' + version: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' + required: + - name + - description + - type + description: Exception list's properties + required: true + responses: + '200': + content: + application/json: + examples: + simpleList: + value: + _version: WzExLDFd + created_at: '2025-01-07T20:43:55.264Z' + created_by: elastic + description: Different description + id: fa7f545f-191b-4d32-b1f0-c7cd62a79e55 + immutable: false + list_id: simple_list + name: Updated exception list name + namespace_type: single + os_types: [] 
+ tags: + - draft malware + tie_breaker_id: 319fe983-acdd-4806-b6c4-3098eae9392f + type: detection + updated_at: '2025-01-07T21:32:03.726Z' + updated_by: elastic + version: 2 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: list_id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [PUT /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: 
'#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Update an exception list + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/exception_lists/_duplicate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/exception_lists/_duplicate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Duplicate an existing exception list. + operationId: DuplicateExceptionList + parameters: + - in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + - description: Determines whether to include expired exceptions in the duplicated list. Expiration date defined by `expire_time`. + in: query + name: include_expired_exceptions + required: true + schema: + default: 'true' + enum: + - 'true' + - 'false' + example: true + type: string + responses: + '200': + content: + application/json: + examples: + detectionExceptionList: + value: + _version: WzExNDY1LDFd + created_at: '2025-01-09T16:19:50.280Z' + created_by: elastic + description: This is a sample detection type exception + id: b2f4a715-6ab1-444c-8b1e-3fa1b1049429 + immutable: false + list_id: d6390d60-bce3-4a48-9002-52db600f329c + name: Sample Detection Exception List [Duplicate] + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: 6fa670bd-666d-4c9c-9f1e-d1dbc516e985 + type: detection + updated_at: '2025-01-09T16:19:50.280Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''foo''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/exception_lists/_duplicate] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Exception list not found + '405': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list to duplicate not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Duplicate an exception list + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana, 
Elastic Cloud Serverless + name: product_name + /api/exception_lists/_export: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/exception_lists/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export an exception list and its associated items to an NDJSON file. + operationId: ExportExceptionList + parameters: + - in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + - description: Determines whether to include expired exceptions in the exported list. Expiration date defined by `expire_time`. + example: true + in: query + name: include_expired_exceptions + required: true + schema: + default: 'true' + enum: + - 'true' + - 'false' + type: string + responses: + '200': + content: + application/ndjson: + examples: + exportSavedObjectsResponse: + value: | + {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} + {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another 
host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} + {"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0} + schema: + description: A `.ndjson` file containing specified exception list and its items + format: binary + type: string + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: list_id: Required, namespace_type: Required' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/exception_lists/_export] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: 
'#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Export an exception list + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/exception_lists/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/exception_lists/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all exception list containers. + operationId: FindExceptionLists + parameters: + - description: | + Filters the returned results according to the value of the specified field. + + Uses the `so type.field name:field` value syntax, where `so type` can be: + + - `exception-list`: Specify a space-aware exception list. + - `exception-list-agnostic`: Specify an exception list that is shared across spaces. + in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_FindExceptionListsFilter' + - description: | + Determines whether the returned containers are Kibana associated with a Kibana space + or available in all spaces (`agnostic` or `single`) + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + type: array + - description: The page number to return + in: query + name: page + required: false + schema: + example: 1 + minimum: 1 + type: integer + - description: The number of exception lists to return per page + in: query + name: per_page + required: false + schema: + example: 20 + minimum: 1 + type: integer + - description: Determines which field is used to sort the results. + in: query + name: sort_field + required: false + schema: + example: name + type: string + - description: Determines the sort order, which can be `desc` or `asc`. + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + example: desc + type: string + responses: + '200': + content: + application/json: + examples: + simpleLists: + value: + data: + - _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' + created_by: elastic + description: This is a sample detection type exception list. 
+ id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Detection Exception List + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' + updated_by: elastic + version: 1 + page: 1 + per_page: 20 + total: 1 + schema: + type: object + properties: + data: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + type: array + page: + minimum: 1 + type: integer + per_page: + minimum: 1 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/exception_lists/_find?namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: 
'#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception lists + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/exception_lists/_import: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/exception_lists/_import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Import an exception list and its associated items from an NDJSON file. + operationId: ImportExceptionList + parameters: + - description: | + Determines whether existing exception lists with the same `list_id` are overwritten. + If any exception items have the same `item_id`, those are also overwritten. + in: query + name: overwrite + required: false + schema: + default: false + example: false + type: boolean + - description: | + Determines whether the list being imported will have a new `list_id` generated. + Additional `item_id`'s are generated for each exception item. Both the exception + list and its items are overwritten. + in: query + name: as_new_list + required: false + schema: + default: false + example: false + type: boolean + requestBody: + content: + multipart/form-data: + schema: + type: object + properties: + file: + description: A `.ndjson` file containing the exception list + example: | + {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} + {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample 
Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} + format: binary + type: string + required: true + responses: + '200': + content: + application/json: + examples: + withErrors: + value: + errors: + - error: + message: 'Error found importing exception list: Invalid value \"4\" supplied to \"list_id\"' + status_code: 400 + list_id: (unknown list_id) + - error: + message: 'Found that item_id: \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" already exists. Import of item_id: \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" skipped.' + status_code: 409 + item_id: f7fd00bb-dba8-4c93-9d59-6cbd427b6330 + list_id: 7d7cccb8-db72-4667-b1f3-648efad7c1ee + success: false, + success_count: 0, + success_count_exception_list_items: 0 + success_count_exception_lists: 0, + success_exception_list_items: false, + success_exception_lists: false, + withoutErrors: + value: + errors: [] + success: true + success_count: 2 + success_count_exception_list_items: 1 + success_count_exception_lists: 1 + success_exception_list_items: true + success_exception_lists: true, + schema: + type: object + properties: + errors: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray' + success: + type: boolean + success_count: + minimum: 0 + type: integer + success_count_exception_list_items: + minimum: 0 + type: integer + success_count_exception_lists: + minimum: 0 + type: integer + success_exception_list_items: + type: boolean + success_exception_lists: + type: boolean + required: + - errors + - success + - success_count + - success_exception_lists + - success_count_exception_lists + - success_exception_list_items + - success_count_exception_list_items + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: 
'#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/exception_lists/_import] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Import an exception list + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/exception_lists/items: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/exception_lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an exception list item using the `id` or `item_id` field. + operationId: DeleteExceptionListItem + parameters: + - description: Exception item's identifier. Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + - description: Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' + - examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + responses: + '200': + content: + application/json: + examples: + simpleExceptionItem: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + schema: + example: + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/exception_lists/items?item_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: \"foo\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Delete an exception list item + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/exception_lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an exception list item using the `id` or `item_id` field. + operationId: ReadExceptionListItem + parameters: + - description: Exception list item's identifier. Either `id` or `item_id` must be specified. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + - description: Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified. + in: query + name: item_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' + - examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + responses: + '200': + content: + application/json: + examples: + simpleListItem: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/exception_lists/items?item_id=&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + 
content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: \"foo\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get an exception list item + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/exception_lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create an exception item and associate it with the specified exception list. + > info + > Before creating exception items, you must create an exception list. + operationId: CreateExceptionListItem + requestBody: + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemGeneric' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemEndpointList' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemEventFilters' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemHostIsolation' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistLinux' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistMac' + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + autogeneratedItemId: + value: + _version: WzYsMV0= + comments: [] + created_at: '2025-01-09T01:16:23.322Z' + created_by: elastic + description: This is a sample exception that has no item_id so it is autogenerated. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + id: 323faa75-c657-4fa0-9084-8827612c207b + item_id: 80e6edf7-4b13-4414-858f-2fa74aa52b37 + list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 + name: Sample Autogenerated Exception List Item ID + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: d6799986-3a23-4213-bc6d-ed9463a32f23 + type: simple + updated_at: '2025-01-09T01:16:23.322Z' + updated_by: elastic + detectionExceptionListItem: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withExistEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withMatchAnyEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withMatchEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: included + type: match + value: Elastic N.V. + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withNestedEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - entries: + - field: signer + operator: included + type: match + value: Evil + - field: trusted + operator: included + type: match + value: true + field: file.signature + type: nested + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withValueListEntry: + value: + _version: WzcsMV0= + comments: [] + created_at: '2025-01-09T01:31:12.614Z' + created_by: elastic + description: Don't signal when agent.name is rock01 and source.ip is in the goodguys.txt list + entries: + - field: source.ip + list: + id: goodguys.txt + type: ip + operator: excluded + type: list + id: deb26876-297d-4677-8a1f-35467d2f1c4f + item_id: 686b129e-9b8d-4c59-8d8d-c93a9ea82c71 + list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 + name: Filter out good guys ip and agent.name rock01 + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: 5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8 + type: simple + updated_at: '2025-01-09T01:31:12.614Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request, + message: '[request body]: list_id: Expected string, received number' + statusCode: 400, + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request 
[/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'exception list item id: \"simple_list_item\" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item already exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create an exception list item + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/exception_lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an exception list item using the `id` or `item_id` field. + operationId: UpdateExceptionListItem + requestBody: + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemGeneric' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEndpointList' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEventFilters' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemHostIsolation' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistMac' + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + simpleListItem: + value: + _version: WzEyLDFd + comments: [] + created_at: '2025-01-07T21:12:25.512Z' + created_by: elastic + description: Updated description + entries: + - field: host.name + operator: included + type: match + value: rock01 + id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da + item_id: simple_list_item + list_id: simple_list + name: 
Updated name + namespace_type: single + os_types: [] + tags: [] + tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 + type: simple + updated_at: '2025-01-07T21:34:50.233Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: item_id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [PUT /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: \"foo\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + 
status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Update an exception list item + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/exception_lists/items/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/exception_lists/items/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all exception list items in the specified list. + operationId: FindExceptionListItems + parameters: + - description: The `list_id`s of the items to fetch. + in: query + name: list_id + required: true + schema: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + type: array + - description: | + Filters the returned results according to the value of the specified field, + using the `:` syntax. + examples: + singleFilter: + value: + - exception-list.attributes.name:%My%20item + in: query + name: filter + required: false + schema: + default: [] + items: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + type: array + - description: | + Determines whether the returned containers are Kibana associated with a Kibana space + or available in all spaces (`agnostic` or `single`) + examples: + single: + value: + - single + in: query + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + type: array + - in: query + name: search + required: false + schema: + example: host.name + type: string + - description: The page number to return + in: query + name: page + required: false + schema: + example: 1 + minimum: 0 + type: integer + - description: The number of exception list items to return per page + in: query + name: per_page + required: false + schema: + example: 20 + minimum: 0 + type: integer + - description: Determines which field is used to sort the results. + example: name + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + - description: Determines the sort order, which can be `desc` or `asc`. 
+ in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + example: desc + type: string + responses: + '200': + content: + application/json: + examples: + simpleListItems: + value: + data: + - _version: WzgsMV0= + comments: [] + created_at: '2025-01-07T21:12:25.512Z' + created_by: elastic + description: This is a sample exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - jupiter + - saturn + id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 + type: simple + updated_at: '2025-01-07T21:12:25.512Z' + updated_by: elastic + page: 1 + per_page: 20 + total: 1 + schema: + type: object + properties: + data: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + type: array + page: + minimum: 1 + type: integer + per_page: + minimum: 1 + type: integer + pit: + type: string + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/exception_lists/items/_find?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list list_id: "foo" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception list items + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/exception_lists/summary: + get: + description: |- + **Spaces method and path for this 
operation:** + +
get /s/{space_id}/api/exception_lists/summary
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a summary of the specified exception list. + operationId: ReadExceptionListSummary + parameters: + - description: Exception list's identifier generated upon creation. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Exception list's human readable identifier. + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + - description: Search filter clause + in: query + name: filter + required: false + schema: + example: exception-list-agnostic.attributes.tags:"policy:policy-1" OR exception-list-agnostic.attributes.tags:"policy:all" + type: string + responses: + '200': + content: + application/json: + examples: + summary: + value: + linux: 0 + macos: 0 + total: 0 + windows: 0 + schema: + type: object + properties: + linux: + minimum: 0 + type: integer + macos: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + windows: + minimum: 0 + type: integer + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/exception_lists/summary?list_id=simple_list&namespace_type=agnostic] is unauthorized for user, this action is granted by the Kibana privileges [lists-summary] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get an exception list summary + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/exceptions/shared: + post: + description: | + **Spaces method and path for this 
operation:** + +
post /s/{space_id}/api/exceptions/shared
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + An exception list groups exception items and can be associated with detection rules. A shared exception list can apply to multiple detection rules. + > info + > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item. + operationId: CreateSharedExceptionList + requestBody: + content: + application/json: + schema: + example: + description: This is a sample detection type exception list. + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + type: object + properties: + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' + required: + - name + - description + required: true + responses: + '200': + content: + application/json: + examples: + sharedList: + value: + _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' + created_by: elastic + description: This is a sample detection type exception list. 
+ id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: list_id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + message: Unable to create exception-list + status_code: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'exception list id: "simple_list" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list already exists response + '500': + content: + application/json: + examples: + serverError: + value: + 
message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create a shared exception list + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_download_sources: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_download_sources
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all agent binary download sources.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read. + operationId: get-fleet-agent-download-sources + parameters: [] + responses: + '200': + content: + application/json: + examples: + getDownloadSourcesExample: + description: List of agent binary download sources + value: + items: + - host: https://artifacts.elastic.co/downloads/ + id: download-source-id-1 + is_default: true + name: Elastic Artifacts + page: 1 + perPage: 20 + total: 1 + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - id + - name + - host + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent binary download sources + tags: + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_download_sources
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new agent binary download source.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-agent-download-sources + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postDownloadSourceRequestExample: + description: Create a new agent binary download source + value: + host: https://my-custom-host.example.com/downloads/ + is_default: false + name: My custom download source + schema: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - name + - host + responses: + '200': + content: + application/json: + examples: + postDownloadSourceExample: + description: The created agent binary download source + value: + item: + host: https://my-custom-host.example.com/downloads/ + id: download-source-id-2 + is_default: false + name: My custom download source + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - id + - name + - host + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create an agent binary download source + tags: + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_download_sources/{sourceId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-agent-download-sources-sourceid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: sourceId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + deleteDownloadSourceExample: + description: The download source was successfully deleted + value: + id: download-source-id-1 + schema: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No download source was found with the given ID + value: + error: Not Found + message: Agent binary source download-source-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete an agent binary download source + tags: + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read. + operationId: get-fleet-agent-download-sources-sourceid + parameters: + - in: path + name: sourceId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getDownloadSourceExample: + description: An agent binary download source + value: + item: + host: https://artifacts.elastic.co/downloads/ + id: download-source-id-1 + is_default: true + name: Elastic Artifacts + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - id + - name + - host + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No download source was found with the given ID + value: + error: Not Found + message: Agent binary source download-source-id-1 not found + statusCode: 404 + description: Not Found + summary: Get an agent binary download source + tags: + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-agent-download-sources-sourceid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: sourceId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putDownloadSourceRequestExample: + description: Update an agent binary download source + value: + host: https://updated-host.example.com/downloads/ + is_default: false + name: Updated download source + schema: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - name + - host + responses: + '200': + content: + application/json: + examples: + putDownloadSourceExample: + description: The updated agent binary download source + value: + item: + host: https://updated-host.example.com/downloads/ + id: download-source-id-1 + is_default: false + name: Updated download source + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - id + - name + - host + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No download source was found with the given ID + value: + error: Not Found + message: Download source download-source-id-1 not found + statusCode: 404 + description: Not Found + summary: Update an agent binary download source + tags: + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies: + get: + description: |- + **Spaces method and path 
for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. + operationId: get-fleet-agent-policies + parameters: + - in: query + name: page + required: false + schema: + type: number + - in: query + name: perPage + required: false + schema: + type: number + - in: query + name: sortField + required: false + schema: + type: string + - in: query + name: sortOrder + required: false + schema: + enum: + - desc + - asc + type: string + - in: query + name: showUpgradeable + required: false + schema: + type: boolean + - in: query + name: kuery + required: false + schema: + type: string + - description: use withAgentCount instead + in: query + name: noAgentCount + required: false + schema: + deprecated: true + type: boolean + - description: get policies with agent count + in: query + name: withAgentCount + required: false + schema: + type: boolean + - description: get full policies with package policies populated + in: query + name: full + required: false + schema: + type: boolean + - in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + responses: + '200': + content: + application/json: + examples: + getAgentPoliciesExample: + description: List of agent policies + value: + items: + - description: A sample agent policy + id: agent-policy-id-1 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 + page: 1 + perPage: 20 + total: 1 + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true 
+ agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + nullable: true + agent_logging_metrics_period: + nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: true + agent_features: + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + required: + - enabled + resources: + additionalProperties: false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: + type: string + memory: + type: string + agents: + type: number + agents_per_version: + items: + additionalProperties: false + type: object + properties: + count: + type: number + version: + type: string + required: + - version + - count + maxItems: 1000 + type: array + created_at: + type: string + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fips_agents: + type: number + fleet_server_host_id: + nullable: true + type: string + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. 
+ items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_preconfigured: + type: boolean + is_protected: + description: Indicates whether the agent policy has tamper protection enabled. Default false. + type: boolean + is_verifier: + description: Indicates this is a short-lived verifier policy used for OTel permission verification. + type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + min_agent_version: + nullable: true + type: string + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: + type: string + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + overrides: + additionalProperties: + 
nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + package_agent_version_conditions: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version_condition: + type: string + required: + - name + - title + - version_condition + maxItems: 1000 + nullable: true + type: array + package_policies: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter + items: + additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + id: + description: Package policy unique identifier. 
+ type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + 
release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). 
+ type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. 
+ is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. 
+ type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. 
+ type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by + maxItems: 10000 + type: array + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + revision: + type: number + schema_version: + type: string + space_ids: + items: + type: string + maxItems: 100 + type: array + status: + enum: + - active + - inactive + type: string + supports_agentless: + default: false + description: Indicates whether the agent policy supports agentless integrations. + nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + unprivileged_agents: + type: number + updated_at: + type: string + updated_by: + type: string + version: + type: string + required: + - id + - name + - namespace + - is_protected + - status + - updated_at + - updated_by + - revision + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent policies + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, 
Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new agent policy.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: post-fleet-agent-policies + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: query + name: sys_monitoring + required: false + schema: + type: boolean + requestBody: + content: + application/json: + examples: + postAgentPolicyRequestExample: + description: Create a new agent policy + value: + description: A sample agent policy + monitoring_enabled: + - logs + - metrics + name: My agent policy + namespace: default + schema: + additionalProperties: false + type: object + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true + agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + nullable: true + agent_logging_metrics_period: + nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: true + agent_features: + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + required: + - enabled + resources: + additionalProperties: false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: + type: 
string + memory: + type: string + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fleet_server_host_id: + nullable: true + type: string + force: + type: boolean + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. + items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_protected: + type: boolean + is_verifier: + description: Indicates this is a short-lived verifier policy used for OTel permission verification. 
+ type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: + type: string + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + overrides: + additionalProperties: + nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + space_ids: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + deprecated: true + description: Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API. + nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + required: + - name + - namespace + responses: + '200': + content: + application/json: + examples: + postAgentPolicyExample: + description: The created agent policy + value: + item: + description: A sample agent policy + id: agent-policy-id-2 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true + agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + nullable: true + agent_logging_metrics_period: + nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: true + 
agent_features: + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + required: + - enabled + resources: + additionalProperties: false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: + type: string + memory: + type: string + agents: + type: number + agents_per_version: + items: + additionalProperties: false + type: object + properties: + count: + type: number + version: + type: string + required: + - version + - count + maxItems: 1000 + type: array + created_at: + type: string + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fips_agents: + type: number + fleet_server_host_id: + nullable: true + type: string + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. + items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_preconfigured: + type: boolean + is_protected: + description: Indicates whether the agent policy has tamper protection enabled. Default false. 
+ type: boolean + is_verifier: + description: Indicates this is a short-lived verifier policy used for OTel permission verification. + type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + min_agent_version: + nullable: true + type: string + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: + type: string + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + overrides: + additionalProperties: + nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + package_agent_version_conditions: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version_condition: + type: string + required: + - name + - title + - version_condition + maxItems: 1000 + nullable: true + type: array + package_policies: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter + items: + additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + id: + description: Package policy unique identifier. 
+ type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + 
release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). 
+ type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. 
+ is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. 
+ type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. 
+ type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by + maxItems: 10000 + type: array + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + revision: + type: number + schema_version: + type: string + space_ids: + items: + type: string + maxItems: 100 + type: array + status: + enum: + - active + - inactive + type: string + supports_agentless: + default: false + description: Indicates whether the agent policy supports agentless integrations. + nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + unprivileged_agents: + type: number + updated_at: + type: string + updated_by: + type: string + version: + type: string + required: + - id + - name + - namespace + - is_protected + - status + - updated_at + - updated_by + - revision + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create an agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/_bulk_get: + post: + description: |- + **Spaces method and 
path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies/_bulk_get
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get multiple agent policies by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. + operationId: post-fleet-agent-policies-bulk-get + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + requestBody: + content: + application/json: + examples: + postBulkGetAgentPoliciesRequestExample: + description: Retrieve multiple agent policies by ID + value: + ids: + - agent-policy-id-1 + - agent-policy-id-2 + schema: + additionalProperties: false + type: object + properties: + full: + description: get full policies with package policies populated + type: boolean + ids: + description: list of package policy ids + items: + type: string + maxItems: 1000 + type: array + ignoreMissing: + type: boolean + required: + - ids + responses: + '200': + content: + application/json: + examples: + postBulkGetAgentPoliciesExample: + description: The requested agent policies + value: + items: + - id: agent-policy-id-1 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true + agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + 
nullable: true + agent_logging_metrics_period: + nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: true + agent_features: + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + required: + - enabled + resources: + additionalProperties: false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: + type: string + memory: + type: string + agents: + type: number + agents_per_version: + items: + additionalProperties: false + type: object + properties: + count: + type: number + version: + type: string + required: + - version + - count + maxItems: 1000 + type: array + created_at: + type: string + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fips_agents: + type: number + fleet_server_host_id: + nullable: true + type: string + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. 
+ items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_preconfigured: + type: boolean + is_protected: + description: Indicates whether the agent policy has tamper protection enabled. Default false. + type: boolean + is_verifier: + description: Indicates this is a short-lived verifier policy used for OTel permission verification. + type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + min_agent_version: + nullable: true + type: string + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: + type: string + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + overrides: + additionalProperties: + 
nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + package_agent_version_conditions: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version_condition: + type: string + required: + - name + - title + - version_condition + maxItems: 1000 + nullable: true + type: array + package_policies: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter + items: + additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + id: + description: Package policy unique identifier. 
+ type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + 
release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). 
+ type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. 
+ is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. 
+ type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. 
+ type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by + maxItems: 10000 + type: array + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + revision: + type: number + schema_version: + type: string + space_ids: + items: + type: string + maxItems: 100 + type: array + status: + enum: + - active + - inactive + type: string + supports_agentless: + default: false + description: Indicates whether the agent policy supports agentless integrations. + nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + unprivileged_agents: + type: number + updated_at: + type: string + updated_by: + type: string + version: + type: string + required: + - id + - name + - namespace + - is_protected + - status + - updated_at + - updated_by + - revision + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: One or more agent policies were not found + value: + error: Not Found + message: An error message describing what 
went wrong + statusCode: 404 + description: Not Found + summary: Bulk get agent policies + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/{agentPolicyId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. + operationId: get-fleet-agent-policies-agentpolicyid + parameters: + - in: path + name: agentPolicyId + required: true + schema: + type: string + - in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + responses: + '200': + content: + application/json: + examples: + getAgentPolicyExample: + description: An agent policy + value: + item: + description: A sample agent policy + id: agent-policy-id-1 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true + agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + nullable: true + agent_logging_metrics_period: + nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: true + agent_features: + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + 
required: + - enabled + resources: + additionalProperties: false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: + type: string + memory: + type: string + agents: + type: number + agents_per_version: + items: + additionalProperties: false + type: object + properties: + count: + type: number + version: + type: string + required: + - version + - count + maxItems: 1000 + type: array + created_at: + type: string + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fips_agents: + type: number + fleet_server_host_id: + nullable: true + type: string + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. + items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_preconfigured: + type: boolean + is_protected: + description: Indicates whether the agent policy has tamper protection enabled. Default false. + type: boolean + is_verifier: + description: Indicates this is a short-lived verifier policy used for OTel permission verification. 
+ type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + min_agent_version: + nullable: true + type: string + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: + type: string + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + overrides: + additionalProperties: + nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + package_agent_version_conditions: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version_condition: + type: string + required: + - name + - title + - version_condition + maxItems: 1000 + nullable: true + type: array + package_policies: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter + items: + additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + id: + description: Package policy unique identifier. 
+ type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + 
release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). 
+ type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. 
+ is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. 
+ type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. 
+ type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by + maxItems: 10000 + type: array + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + revision: + type: number + schema_version: + type: string + space_ids: + items: + type: string + maxItems: 100 + type: array + status: + enum: + - active + - inactive + type: string + supports_agentless: + default: false + description: Indicates whether the agent policy supports agentless integrations. + nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + unprivileged_agents: + type: number + updated_at: + type: string + updated_by: + type: string + version: + type: string + required: + - id + - name + - namespace + - is_protected + - status + - updated_at + - updated_by + - revision + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent policy was found with the given ID + value: + error: Not Found + message: Agent policy not found + statusCode: 404 + description: Not Found + 
summary: Get an agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: put-fleet-agent-policies-agentpolicyid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: agentPolicyId + required: true + schema: + type: string + - in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + requestBody: + content: + application/json: + examples: + putAgentPolicyRequestExample: + description: Update an agent policy + value: + description: An updated agent policy description + monitoring_enabled: + - logs + name: Updated agent policy + namespace: default + schema: + additionalProperties: false + type: object + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true + agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + nullable: true + agent_logging_metrics_period: + nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: true + agent_features: + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + required: + - enabled + resources: + additionalProperties: 
false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: + type: string + memory: + type: string + bumpRevision: + type: boolean + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fleet_server_host_id: + nullable: true + type: string + force: + type: boolean + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. + items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_protected: + type: boolean + is_verifier: + description: Indicates this is a short-lived verifier policy used for OTel permission verification. 
+ type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: + type: string + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + overrides: + additionalProperties: + nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + space_ids: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + deprecated: true + description: Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API. + nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + required: + - name + - namespace + responses: + '200': + content: + application/json: + examples: + putAgentPolicyExample: + description: The updated agent policy + value: + item: + description: An updated agent policy description + id: agent-policy-id-1 + is_managed: false + is_protected: false + name: Updated agent policy + namespace: default + revision: 2 + status: active + updated_at: '2024-01-15T11:00:00.000Z' + updated_by: user1 + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true + agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + nullable: true + agent_logging_metrics_period: + nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: 
true + agent_features: + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + required: + - enabled + resources: + additionalProperties: false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: + type: string + memory: + type: string + agents: + type: number + agents_per_version: + items: + additionalProperties: false + type: object + properties: + count: + type: number + version: + type: string + required: + - version + - count + maxItems: 1000 + type: array + created_at: + type: string + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fips_agents: + type: number + fleet_server_host_id: + nullable: true + type: string + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. + items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_preconfigured: + type: boolean + is_protected: + description: Indicates whether the agent policy has tamper protection enabled. Default false. 
+ type: boolean + is_verifier: + description: Indicates this is a short-lived verifier policy used for OTel permission verification. + type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + min_agent_version: + nullable: true + type: string + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: + type: string + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + overrides: + additionalProperties: + nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + package_agent_version_conditions: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version_condition: + type: string + required: + - name + - title + - version_condition + maxItems: 1000 + nullable: true + type: array + package_policies: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter + items: + additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + id: + description: Package policy unique identifier. 
+ type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + 
release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). 
+ type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. 
+ is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. 
+ type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. 
+ type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by + maxItems: 10000 + type: array + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + revision: + type: number + schema_version: + type: string + space_ids: + items: + type: string + maxItems: 100 + type: array + status: + enum: + - active + - inactive + type: string + supports_agentless: + default: false + description: Indicates whether the agent policy supports agentless integrations. + nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + unprivileged_agents: + type: number + updated_at: + type: string + updated_by: + type: string + version: + type: string + required: + - id + - name + - namespace + - is_protected + - status + - updated_at + - updated_by + - revision + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Update an agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status: + get: + 
description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the auto-upgrade status for agents assigned to an agent policy.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agent-policies-agentpolicyid-auto-upgrade-agents-status + parameters: + - in: path + name: agentPolicyId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getAutoUpgradeAgentsStatusExample: + description: Auto-upgrade status for agents in the policy + value: + agentsCount: 5 + currentVersion: 8.16.0 + failedAgentsCount: 0 + upgradedAgentsCount: 3 + upgradingAgentsCount: 1 + schema: + additionalProperties: false + type: object + properties: + currentVersions: + items: + additionalProperties: false + type: object + properties: + agents: + description: Number of agents that upgraded to this version + type: number + failedUpgradeActionIds: + description: List of action IDs related to failed upgrades + items: + type: string + maxItems: 1000 + type: array + failedUpgradeAgents: + description: Number of agents that failed to upgrade to this version + type: number + inProgressUpgradeActionIds: + description: List of action IDs related to in-progress upgrades + items: + type: string + maxItems: 1000 + type: array + inProgressUpgradeAgents: + description: Number of agents that are upgrading to this version + type: number + version: + description: Agent version + type: string + required: + - version + - agents + - failedUpgradeAgents + - inProgressUpgradeAgents + maxItems: 10000 + type: array + totalAgents: + type: number + required: + - currentVersions + - totalAgents + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: 
+ type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get auto upgrade agent status + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/copy: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/copy
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Copy an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: post-fleet-agent-policies-agentpolicyid-copy + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: agentPolicyId + required: true + schema: + type: string + - in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + requestBody: + content: + application/json: + examples: + postCopyAgentPolicyRequestExample: + description: Copy an agent policy with a new name + value: + description: A copy of the original agent policy + name: Copy of my agent policy + schema: + additionalProperties: false + type: object + properties: + description: + type: string + name: + minLength: 1 + type: string + required: + - name + responses: + '200': + content: + application/json: + examples: + postCopyAgentPolicyExample: + description: The copied agent policy + value: + item: + description: A copy of the original agent policy + id: agent-policy-id-copy-1 + is_managed: false + is_protected: false + name: Copy of my agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T11:00:00.000Z' + updated_by: user1 + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true + agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + nullable: true + agent_logging_metrics_period: + 
nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: true + agent_features: + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + required: + - enabled + resources: + additionalProperties: false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: + type: string + memory: + type: string + agents: + type: number + agents_per_version: + items: + additionalProperties: false + type: object + properties: + count: + type: number + version: + type: string + required: + - version + - count + maxItems: 1000 + type: array + created_at: + type: string + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fips_agents: + type: number + fleet_server_host_id: + nullable: true + type: string + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. + items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_preconfigured: + type: boolean + is_protected: + description: Indicates whether the agent policy has tamper protection enabled. 
Default false. + type: boolean + is_verifier: + description: Indicates this is a short-lived verifier policy used for OTel permission verification. + type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + min_agent_version: + nullable: true + type: string + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: + type: string + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + overrides: + additionalProperties: + nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + package_agent_version_conditions: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version_condition: + type: string + required: + - name + - title + - version_condition + maxItems: 1000 + nullable: true + type: array + package_policies: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter + items: + additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + id: + description: Package policy unique identifier. 
+ type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + 
release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). 
+ type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. 
+ is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. 
+ type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. 
+ type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by + maxItems: 10000 + type: array + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + revision: + type: number + schema_version: + type: string + space_ids: + items: + type: string + maxItems: 100 + type: array + status: + enum: + - active + - inactive + type: string + supports_agentless: + default: false + description: Indicates whether the agent policy supports agentless integrations. + nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + unprivileged_agents: + type: number + updated_at: + type: string + updated_by: + type: string + version: + type: string + required: + - id + - name + - namespace + - is_protected + - status + - updated_at + - updated_by + - revision + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Copy an agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/download: + get: + description: |- + 
**Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/download
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Download an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. + operationId: get-fleet-agent-policies-agentpolicyid-download + parameters: + - in: path + name: agentPolicyId + required: true + schema: + type: string + - description: If true, returns the policy as a downloadable file + in: query + name: download + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for standalone agents + in: query + name: standalone + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for Kubernetes deployment + in: query + name: kubernetes + required: false + schema: + type: boolean + - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags. + in: query + name: revision + required: false + schema: + type: number + responses: + '200': + content: + application/json: + examples: + getDownloadAgentPolicyExample: + description: The agent policy download response + value: + item: 'id: agent-policy-id-1\nrevision: 1\noutputs:\n default:\n type: elasticsearch\n hosts:\n - https://elasticsearch.example.com:9200\n' + schema: + type: string + description: Successful response — returns the agent policy as a YAML file download + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent policy was found with the given ID + value: + error: Not 
Found + message: Agent policy not found + statusCode: 404 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Not Found + summary: Download an agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/full: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/full
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a full agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read. + operationId: get-fleet-agent-policies-agentpolicyid-full + parameters: + - in: path + name: agentPolicyId + required: true + schema: + type: string + - description: If true, returns the policy as a downloadable file + in: query + name: download + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for standalone agents + in: query + name: standalone + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for Kubernetes deployment + in: query + name: kubernetes + required: false + schema: + type: boolean + - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags. + in: query + name: revision + required: false + schema: + type: number + responses: + '200': + content: + application/json: + examples: + getFullAgentPolicyExample: + description: The full agent policy configuration + value: + item: + agent: + monitoring: + logs: true + metrics: true + id: agent-policy-id-1 + inputs: [] + outputs: + default: + hosts: + - https://elasticsearch.example.com:9200 + type: elasticsearch + revision: 1 + schema: + additionalProperties: false + type: object + properties: + item: + anyOf: + - type: string + - additionalProperties: false + type: object + properties: + agent: + additionalProperties: false + type: object + properties: + download: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + 
type: object + proxy_url: + type: string + secrets: + additionalProperties: true + type: object + properties: + ssl: + additionalProperties: true + type: object + properties: + key: + additionalProperties: true + type: object + properties: + id: + type: string + required: + - key + sourceURI: + type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + renegotiation: + type: string + verification_mode: + type: string + target_directory: + type: string + timeout: + type: string + required: + - sourceURI + features: + additionalProperties: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + required: + - enabled + type: object + internal: + nullable: true + limits: + additionalProperties: false + type: object + properties: + go_max_procs: + type: number + logging: + additionalProperties: false + type: object + properties: + files: + additionalProperties: false + type: object + properties: + interval: + type: string + keepfiles: + type: number + rotateeverybytes: + type: number + level: + type: string + metrics: + additionalProperties: false + type: object + properties: + period: + type: string + to_files: + type: boolean + monitoring: + additionalProperties: false + type: object + properties: + _runtime_experimental: + type: string + apm: + nullable: true + diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + enabled: + type: boolean + http: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + host: + type: string + port: + type: number + logs: + type: 
boolean + metrics: + type: boolean + namespace: + type: string + pprof: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + required: + - enabled + traces: + type: boolean + use_output: + type: string + required: + - enabled + - metrics + - logs + - traces + - apm + protection: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + signing_key: + type: string + uninstall_token_hash: + type: string + required: + - enabled + - uninstall_token_hash + - signing_key + required: + - monitoring + - download + - features + - internal + connectors: + additionalProperties: + nullable: true + type: object + exporters: + additionalProperties: + nullable: true + type: object + extensions: + additionalProperties: + nullable: true + type: object + fleet: + anyOf: + - additionalProperties: false + type: object + properties: + hosts: + items: + type: string + maxItems: 100 + type: array + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + proxy_url: + type: string + secrets: + additionalProperties: true + type: object + properties: + ssl: + additionalProperties: true + type: object + properties: + key: + additionalProperties: true + type: object + properties: + id: + type: string + required: + - key + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + renegotiation: + type: string + verification_mode: + type: string + required: + - hosts + - additionalProperties: false + type: object + properties: + kibana: + additionalProperties: false + type: object + properties: + hosts: + items: + type: string + maxItems: 100 + type: array + path: + type: string + protocol: + type: string + required: + - hosts + - protocol + required: + - kibana + id: + type: string + inputs: + items: + 
additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + namespace: + type: string + required: + - namespace + id: + type: string + meta: + additionalProperties: true + type: object + properties: + package: + additionalProperties: true + type: object + properties: + name: + type: string + version: + type: string + required: + - name + - version + name: + type: string + package_policy_id: + type: string + processors: + items: + additionalProperties: true + type: object + properties: + add_fields: + additionalProperties: true + type: object + properties: + fields: + additionalProperties: + anyOf: + - type: string + - type: number + type: object + target: + type: string + required: + - target + - fields + required: + - add_fields + maxItems: 10000 + type: array + revision: + type: number + streams: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + dataset: + type: string + type: + type: string + required: + - dataset + id: + type: string + required: + - id + - data_stream + maxItems: 10000 + type: array + type: + type: string + use_output: + type: string + required: + - id + - name + - revision + - type + - data_stream + - use_output + - package_policy_id + maxItems: 10000 + type: array + namespaces: + items: + type: string + maxItems: 100 + type: array + output_permissions: + additionalProperties: + additionalProperties: + nullable: true + type: object + type: object + outputs: + additionalProperties: + additionalProperties: true + type: object + properties: + ca_sha256: + nullable: true + type: string + hosts: + items: + type: string + maxItems: 100 + type: array + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + proxy_url: + type: string + type: + type: string + required: + - type + type: object + processors: + 
additionalProperties: + nullable: true + type: object + receivers: + additionalProperties: + nullable: true + type: object + revision: + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10000 + type: array + service: + additionalProperties: false + type: object + properties: + extensions: + items: + type: string + maxItems: 1000 + type: array + pipelines: + additionalProperties: + additionalProperties: false + type: object + properties: + exporters: + items: + type: string + maxItems: 1000 + type: array + processors: + items: + type: string + maxItems: 1000 + type: array + receivers: + items: + type: string + maxItems: 1000 + type: array + x-oas-optional: true + type: object + signed: + additionalProperties: false + type: object + properties: + data: + type: string + signature: + type: string + required: + - data + - signature + required: + - id + - outputs + - inputs + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent policy was found with the given ID + value: + error: Not Found + message: Agent policy not found + statusCode: 404 + description: Not Found + summary: Get a full agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + 
/api/fleet/agent_policies/{agentPolicyId}/outputs: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/outputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read. + operationId: get-fleet-agent-policies-agentpolicyid-outputs + parameters: + - in: path + name: agentPolicyId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getAgentPolicyOutputsExample: + description: Outputs associated with the agent policy + value: + item: + data_output: + id: output-id-1 + name: Default output + type: elasticsearch + monitoring_output: + id: output-id-1 + name: Default output + type: elasticsearch + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + agentPolicyId: + type: string + data: + additionalProperties: false + type: object + properties: + integrations: + items: + additionalProperties: false + type: object + properties: + id: + type: string + integrationPolicyName: + type: string + name: + type: string + pkgName: + type: string + maxItems: 1000 + type: array + output: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + - name + required: + - output + monitoring: + additionalProperties: false + type: object + properties: + output: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + - name + required: + - output + required: + - monitoring + - data + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: 
+ type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent policy was found with the given ID + value: + error: Not Found + message: Agent policy not found + statusCode: 404 + description: Not Found + summary: Get outputs for an agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/delete: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies/delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: post-fleet-agent-policies-delete + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postDeleteAgentPolicyRequestExample: + description: Delete an agent policy by ID + value: + agentPolicyId: agent-policy-id-1 + schema: + additionalProperties: false + type: object + properties: + agentPolicyId: + type: string + force: + description: bypass validation checks that can prevent agent policy deletion + type: boolean + required: + - agentPolicyId + responses: + '200': + content: + application/json: + examples: + postDeleteAgentPolicyExample: + description: The agent policy was successfully deleted + value: + id: agent-policy-id-1 + name: My agent policy + schema: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + - name + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete an agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/outputs: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies/outputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read. + operationId: post-fleet-agent-policies-outputs + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postListAgentPolicyOutputsRequestExample: + description: Get outputs for multiple agent policies + value: + ids: + - agent-policy-id-1 + - agent-policy-id-2 + schema: + additionalProperties: false + type: object + properties: + ids: + description: list of package policy ids + items: + type: string + maxItems: 1000 + type: array + required: + - ids + responses: + '200': + content: + application/json: + examples: + postListAgentPolicyOutputsExample: + description: Outputs associated with the requested agent policies + value: + items: + - agent_policy_id: agent-policy-id-1 + data_output: + id: output-id-1 + name: Default output + type: elasticsearch + monitoring_output: + id: output-id-1 + name: Default output + type: elasticsearch + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + agentPolicyId: + type: string + data: + additionalProperties: false + type: object + properties: + integrations: + items: + additionalProperties: false + type: object + properties: + id: + type: string + integrationPolicyName: + type: string + name: + type: string + pkgName: + type: string + maxItems: 1000 + type: array + output: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + - name + required: + - output + monitoring: + additionalProperties: false + type: object + properties: + output: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + - name + required: + - output + 
required: + - monitoring + - data + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get outputs for agent policies + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a summary of agent statuses for a given agent policy. + operationId: get-fleet-agent-status + parameters: + - in: query + name: policyId + required: false + schema: + type: string + - in: query + name: policyIds + required: false + schema: + items: + type: string + maxItems: 1000 + type: array + - in: query + name: kuery + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getAgentStatusExample: + description: Agent status summary for an agent policy + value: + results: + error: 1 + offline: 2 + online: 5 + other: 0 + updating: 0 + totalInactive: 0 + schema: + additionalProperties: false + type: object + properties: + results: + additionalProperties: false + type: object + properties: + active: + type: number + all: + type: number + error: + type: number + events: + type: number + inactive: + type: number + offline: + type: number + online: + type: number + orphaned: + type: number + other: + type: number + unenrolled: + type: number + uninstalled: + type: number + updating: + type: number + required: + - events + - online + - error + - offline + - other + - updating + - inactive + - unenrolled + - all + - active + required: + - results + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get an agent status summary + tags: + - Elastic Agent status + x-metaTags: + - content: 
Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_status/data: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_status/data
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the data streams that an agent is actively sending data to.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agent-status-data + parameters: + - in: query + name: agentsIds + required: true + schema: + items: + type: string + maxItems: 10000 + type: array + - in: query + name: pkgName + required: false + schema: + type: string + - in: query + name: pkgVersion + required: false + schema: + type: string + - in: query + name: previewData + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + getAgentDataExample: + description: Data streams the agent is actively sending data to + value: + items: + - data: + logs-nginx.access-default: + - id: agent-id-1 + name: my-host + total: 1 + totalMonitoring: 0 + schema: + additionalProperties: false + type: object + properties: + dataPreview: + items: + nullable: true + maxItems: 10000 + type: array + items: + items: + additionalProperties: + additionalProperties: false + type: object + properties: + data: + type: boolean + required: + - data + type: object + maxItems: 10000 + type: array + required: + - items + - dataPreview + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get incoming agent data + tags: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agentless_policies: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agentless_policies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create an agentless policy + operationId: post-fleet-agentless-policies + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The format of the response package policy. + in: query + name: format + required: false + schema: + default: simplified + enum: + - legacy + - simplified + type: string + requestBody: + content: + application/json: + examples: + createAgentlessPoliciesRequestExample: + description: Example request to create agentless policies + value: + description: test + inputs: + ESS Billing-cel: + enabled: true + streams: + ess_billing.billing: + enabled: true + vars: + hide_sensitive: true + http_client_timeout: 30s + lookbehind: 365 + tags: + - forwarded + - billing + ess_billing.credits: + enabled: false + vars: + api_key: + organization_id: '1234' + name: ess_billing-1 + namespace: default + package: + name: ess_billing + version: 1.6.0 + createAgentlessPoliciesReuseAWSCloudConnectorExample: + description: Example request to create agentless policy reusing an existing AWS cloud connector + value: + cloud_connector: + cloud_connector_id: existing-aws-connector-id + target_csp: aws + description: CSPM integration for AWS reusing existing cloud connector + inputs: + cspm-cloudbeat/cis_aws: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + aws.account_type: organization-account + aws.credentials.type: cloud_connector + aws.supports_cloud_connectors: true + external_id: + id: ABCDEFGHIJKLMNOPQRST + isSecretRef: true + role_arn: arn:aws:iam::123456789012:role/TestRole + vars: + cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml + 
cspm-cloudbeat/cis_azure: + enabled: false + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-aws-reuse-policy + namespace: default + package: + name: cloud_security_posture + version: 3.1.1 + vars: + deployment: aws + posture: cspm + createAgentlessPoliciesWithAWSCloudConnectorExample: + description: Example request to create agentless policy with AWS cloud connector + value: + cloud_connector: + target_csp: aws + description: CSPM integration for AWS with cloud connector + inputs: + cspm-cloudbeat/cis_aws: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + aws.account_type: organization-account + aws.credentials.type: cloud_connector + aws.supports_cloud_connectors: true + external_id: + id: ABCDEFGHIJKLMNOPQRST + isSecretRef: true + role_arn: arn:aws:iam::123456789012:role/TestRole + vars: + cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml + cspm-cloudbeat/cis_azure: + enabled: false + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-aws-policy + namespace: default + package: + name: cloud_security_posture + version: 3.1.1 + vars: + deployment: aws + posture: cspm + createAgentlessPoliciesWithAzureCloudConnectorExample: + description: Example request to create agentless policy with Azure cloud connector + value: + cloud_connector: + target_csp: azure + description: CSPM integration for Azure with cloud connector + inputs: + cspm-cloudbeat/cis_aws: + enabled: false + cspm-cloudbeat/cis_azure: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + azure_credentials_cloud_connector_id: + type: text + value: existing-azure-credentials-connector-id + azure.account_type: organization-account + client_id: + id: client-secret-id + isSecretRef: true + tenant_id: + id: tenant-secret-id + isSecretRef: true + cspm-cloudbeat/cis_gcp: + 
enabled: false + name: cspm-azure-policy + namespace: default + package: + name: cloud_security_posture + version: 3.1.1 + vars: + deployment: azure + posture: cspm + schema: + additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 100 + nullable: true + type: array + cloud_connector: + additionalProperties: false + type: object + properties: + cloud_connector_id: + description: ID of an existing cloud connector to reuse. If not provided, a new connector will be created. + type: string + enabled: + default: false + description: Whether cloud connectors are enabled for this policy. + type: boolean + name: + description: Optional name for the cloud connector. If not provided, will be auto-generated from credentials. + maxLength: 255 + minLength: 1 + type: string + target_csp: + description: Target cloud service provider. If not provided, will be auto-detected from inputs. + enum: + - aws + - azure + - gcp + type: string + description: + description: Policy description. + type: string + force: + description: Force package policy creation even if the package is not verified, or if the agent policy is managed. + type: boolean + id: + description: Policy unique identifier. + type: string + inputs: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). 
+ type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + name: + description: Unique name for the policy. + type: string + namespace: + description: Policy namespace. 
When not specified, it inherits the agent policy namespace. + type: string + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + policy_template: + description: The policy template to use for the agentless package policy. If not provided, the default policy template will be used. + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. 
+ type: object + required: + - name + - package + responses: + '200': + content: + application/json: + examples: + createAgentlessPoliciesResponseExample: + description: Example response showing the successful result of communication initialisation over MCP protocol + value: + item: + created_at: '2025-11-06T18:27:43.541Z' + created_by: test_user + description: test + enabled: true + id: d52a7812-5736-4fdc-aed8-72152afa1ffa + inputs: + ESS Billing-cel: + enabled: true + streams: + ess_billing.billing: + enabled: true + vars: + hide_sensitive: true + http_client_timeout: 30s + lookbehind: 365 + tags: + - forwarded + - billing + ess_billing.credits: + enabled: false + vars: + api_key: + id: QY1sWpoBbWcMW-edr0Ee + isSecretRef: true + organization_id: '1234' + url: https://billing.elastic-cloud.com + name: ess_billing-1 + namespace: default + package: + name: ess_billing + title: Elasticsearch Service Billing + version: 1.6.0 + revision: 1 + secret_references: + - id: QY1sWpoBbWcMW-edr0Ee + supports_agentless: true + updated_at: '2025-11-06T18:27:43.541Z' + updated_by: test_user + version: WzE0OTgsMV0= + createAgentlessPoliciesWithAWSCloudConnectorResponseExample: + description: Example response for AWS cloud connector integration + value: + item: + cloud_connector_id: aws-connector-67890 + created_at: '2025-11-06T18:27:43.541Z' + created_by: test_user + description: CSPM integration for AWS with cloud connector + enabled: true + id: aws-policy-12345 + inputs: + cspm-cloudbeat/cis_aws: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + aws.account_type: organization-account + aws.credentials.type: cloud_connector + external_id: + id: secret-external-id-123 + isSecretRef: true + role_arn: arn:aws:iam::123456789012:role/TestRole + vars: + cloud_formation_template: 
https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml + cspm-cloudbeat/cis_azure: + enabled: false + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-aws-policy + namespace: default + package: + name: cloud_security_posture + title: Cloud Security Posture Management + version: 3.1.1 + revision: 1 + secret_references: + - id: secret-external-id-123 + supports_agentless: true + supports_cloud_connector: true + updated_at: '2025-11-06T18:27:43.541Z' + updated_by: test_user + vars: + deployment: aws + posture: cspm + version: WzE0OTgsMV0= + createAgentlessPoliciesWithAzureCloudConnectorResponseExample: + description: Example response for Azure cloud connector integration + value: + item: + cloud_connector_id: azure-connector-67890 + created_at: '2025-11-06T18:27:43.541Z' + created_by: test_user + description: CSPM integration for Azure with cloud connector + enabled: true + id: azure-policy-12345 + inputs: + cspm-cloudbeat/cis_aws: + enabled: false + cspm-cloudbeat/cis_azure: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + azure_credentials_cloud_connector_id: + type: text + value: existing-azure-credentials-connector-id + azure.account_type: organization-account + client_id: + id: client-secret-id-456 + isSecretRef: true + tenant_id: + id: tenant-secret-id-123 + isSecretRef: true + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-azure-policy + namespace: default + package: + name: cloud_security_posture + title: Cloud Security Posture Management + version: 3.1.1 + revision: 1 + secret_references: + - id: tenant-secret-id-123 + - id: client-secret-id-456 + supports_agentless: true + supports_cloud_connector: true + updated_at: '2025-11-06T18:27:43.541Z' + updated_by: test_user + vars: + deployment: azure + posture: cspm + version: WzE0OTgsMV0= + schema: + additionalProperties: false + type: 
object + properties: + item: + additionalProperties: false + description: The created agentless package policy. + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + id: + description: Package policy unique identifier. 
+ type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + 
release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). 
+ type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. 
+ is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. 
+ type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. 
+ type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by + required: + - item + description: Indicates a successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '409': + content: + application/json: + examples: + conflictErrorResponseExample: + description: Example of a conflict error response + value: + error: Conflict + message: An error message describing what went wrong + statusCode: 409 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Conflict + summary: Create an agentless policy + tags: + - Fleet agentless policies + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agentless_policies/{policyId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/agentless_policies/{policyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agentless policy + operationId: delete-fleet-agentless-policies-policyid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the policy to delete. + in: path + name: policyId + required: true + schema: + type: string + - description: Force delete the policy even if the policy is managed. + in: query + name: force + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + createAgentlessPoliciesResponseExample: + description: Example response showing the successful result of communication initialisation over MCP protocol + value: + item: + id: d52a7812-5736-4fdc-aed8-72152afa1ffa + schema: + additionalProperties: false + description: Response for deleting an agentless package policy. + type: object + properties: + id: + description: The ID of the deleted agentless package policy. 
+ type: string + required: + - id + description: Indicates a successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '409': + content: + application/json: + examples: + conflictErrorResponseExample: + description: Example of a conflict error response + value: + error: Conflict + message: An error message describing what went wrong + statusCode: 409 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Conflict + summary: Delete an agentless policy + tags: + - Fleet agentless policies + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List agents, with optional filtering and pagination.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents + parameters: + - in: query + name: page + required: false + schema: + type: number + - in: query + name: perPage + required: false + schema: + default: 20 + type: number + - in: query + name: kuery + required: false + schema: + type: string + - in: query + name: showAgentless + required: false + schema: + default: true + type: boolean + - in: query + name: showInactive + required: false + schema: + default: false + type: boolean + - in: query + name: withMetrics + required: false + schema: + default: false + type: boolean + - in: query + name: showUpgradeable + required: false + schema: + default: false + type: boolean + - in: query + name: getStatusSummary + required: false + schema: + default: false + type: boolean + - in: query + name: sortField + required: false + schema: + type: string + - in: query + name: sortOrder + required: false + schema: + enum: + - asc + - desc + type: string + - in: query + name: searchAfter + required: false + schema: + type: string + - in: query + name: openPit + required: false + schema: + type: boolean + - in: query + name: pitId + required: false + schema: + type: string + - in: query + name: pitKeepAlive + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getAgentsExample: + description: List of agents + value: + items: + - active: true + enrolled_at: '2024-01-01T00:00:00.000Z' + id: agent-id-1 + policy_id: agent-policy-id-1 + policy_revision: 1 + status: online + type: PERMANENT + updated_at: '2024-01-01T00:00:00.000Z' + page: 1 + perPage: 20 + total: 1 + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + access_api_key: + type: string + access_api_key_id: + type: string + active: + type: boolean + agent: + additionalProperties: true + type: object + properties: + id: + type: 
string + type: + type: string + version: + type: string + required: + - id + - version + audit_unenrolled_reason: + type: string + capabilities: + items: + type: string + maxItems: 100 + type: array + components: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + type: string + units: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + payload: + additionalProperties: + nullable: true + type: object + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + enum: + - input + - output + - '' + type: string + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + default_api_key: + type: string + default_api_key_history: + items: + additionalProperties: false + deprecated: true + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + default_api_key_id: + type: string + effective_config: + nullable: true + enrolled_at: + type: string + health: + additionalProperties: + nullable: true + type: object + id: + type: string + identifying_attributes: + additionalProperties: + type: string + type: object + last_checkin: + type: string + last_checkin_message: + type: string + last_checkin_status: + enum: + - error + - online + - degraded + - updating + - starting + - disconnected + type: string + last_known_status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + local_metadata: + additionalProperties: + nullable: true + type: 
object + metrics: + additionalProperties: false + type: object + properties: + cpu_avg: + type: number + memory_size_byte_avg: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + non_identifying_attributes: + additionalProperties: + type: string + type: object + outputs: + additionalProperties: + additionalProperties: false + type: object + properties: + api_key_id: + type: string + to_retire_api_key_ids: + items: + additionalProperties: false + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + type: + type: string + type: object + packages: + items: + type: string + maxItems: 10000 + type: array + policy_id: + type: string + policy_revision: + nullable: true + type: number + sequence_num: + type: number + sort: + items: + nullable: true + maxItems: 10 + type: array + status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + tags: + items: + type: string + maxItems: 100 + type: array + type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + - OPAMP + type: string + unenrolled_at: + type: string + unenrollment_started_at: + type: string + unhealthy_reason: + items: + enum: + - input + - output + - other + type: string + maxItems: 3 + nullable: true + type: array + upgrade: + additionalProperties: false + type: object + properties: + rollbacks: + items: + additionalProperties: false + type: object + properties: + valid_until: + type: string + version: + type: string + required: + - valid_until + - version + maxItems: 100 + type: array + upgrade_attempts: + items: + type: string + maxItems: 10000 + nullable: true + type: array + upgrade_details: + additionalProperties: false + nullable: true + type: object + properties: + action_id: + type: string + metadata: + additionalProperties: false + type: object + properties: + 
download_percent: + type: number + download_rate: + type: number + error_msg: + type: string + failed_state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + reason: + type: string + retry_error_msg: + type: string + retry_until: + type: string + scheduled_at: + type: string + state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + target_version: + type: string + required: + - target_version + - action_id + - state + upgrade_started_at: + nullable: true + type: string + upgraded_at: + nullable: true + type: string + user_provided_metadata: + additionalProperties: + nullable: true + type: object + required: + - id + - packages + - type + - active + - enrolled_at + - local_metadata + - effective_config + maxItems: 10000 + type: array + nextSearchAfter: + type: string + page: + type: number + perPage: + type: number + pit: + type: string + statusSummary: + additionalProperties: + type: number + type: object + total: + type: number + required: + - items + - total + - page + - perPage + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agents + tags: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- 
+ **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve agents associated with specific action IDs.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: post-fleet-agents + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postGetAgentsByActionsRequestExample: + description: Retrieve agents associated with specific action IDs + value: + actionIds: + - action-id-1 + - action-id-2 + schema: + additionalProperties: false + type: object + properties: + actionIds: + items: + type: string + maxItems: 1000 + type: array + required: + - actionIds + responses: + '200': + content: + application/json: + examples: + postGetAgentsByActionsExample: + description: Agents associated with the given actions + value: + items: + - active: true + id: agent-id-1 + policy_id: agent-policy-id-1 + status: online + total: 1 + schema: + additionalProperties: false + type: object + properties: + items: + items: + type: string + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agents by action ids + tags: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/agents/{agentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: delete-fleet-agents-agentid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: agentId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + deleteAgentExample: + description: Agent successfully deleted + value: + id: agent-id-1 + success: true + schema: + additionalProperties: false + type: object + properties: + action: + enum: + - deleted + type: string + required: + - action + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent was found with the given ID + value: + error: Not Found + message: Agent agent-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete an agent + tags: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/{agentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an agent by ID.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-agentid + parameters: + - in: path + name: agentId + required: true + schema: + type: string + - in: query + name: withMetrics + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + getAgentExample: + description: Agent details + value: + item: + active: true + agent_id: agent-id-1 + enrolled_at: '2024-01-01T00:00:00.000Z' + id: agent-id-1 + local_metadata: + elastic: + agent: + version: 8.17.0 + host: + hostname: my-host + os: + name: linux + policy_id: agent-policy-id-1 + policy_revision: 1 + status: online + type: PERMANENT + updated_at: '2024-01-01T00:00:00.000Z' + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + access_api_key: + type: string + access_api_key_id: + type: string + active: + type: boolean + agent: + additionalProperties: true + type: object + properties: + id: + type: string + type: + type: string + version: + type: string + required: + - id + - version + audit_unenrolled_reason: + type: string + capabilities: + items: + type: string + maxItems: 100 + type: array + components: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + type: string + units: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + payload: + additionalProperties: + nullable: true + type: object + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + enum: + - input + - output + - '' + type: string + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + 
required: + - id + - type + - status + - message + maxItems: 10000 + type: array + default_api_key: + type: string + default_api_key_history: + items: + additionalProperties: false + deprecated: true + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + default_api_key_id: + type: string + effective_config: + nullable: true + enrolled_at: + type: string + health: + additionalProperties: + nullable: true + type: object + id: + type: string + identifying_attributes: + additionalProperties: + type: string + type: object + last_checkin: + type: string + last_checkin_message: + type: string + last_checkin_status: + enum: + - error + - online + - degraded + - updating + - starting + - disconnected + type: string + last_known_status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + local_metadata: + additionalProperties: + nullable: true + type: object + metrics: + additionalProperties: false + type: object + properties: + cpu_avg: + type: number + memory_size_byte_avg: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + non_identifying_attributes: + additionalProperties: + type: string + type: object + outputs: + additionalProperties: + additionalProperties: false + type: object + properties: + api_key_id: + type: string + to_retire_api_key_ids: + items: + additionalProperties: false + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + type: + type: string + type: object + packages: + items: + type: string + maxItems: 10000 + type: array + policy_id: + type: string + policy_revision: + nullable: true + type: number + sequence_num: + type: number + sort: + items: + nullable: true + maxItems: 10 + type: array + status: + enum: + - offline + 
- error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + tags: + items: + type: string + maxItems: 100 + type: array + type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + - OPAMP + type: string + unenrolled_at: + type: string + unenrollment_started_at: + type: string + unhealthy_reason: + items: + enum: + - input + - output + - other + type: string + maxItems: 3 + nullable: true + type: array + upgrade: + additionalProperties: false + type: object + properties: + rollbacks: + items: + additionalProperties: false + type: object + properties: + valid_until: + type: string + version: + type: string + required: + - valid_until + - version + maxItems: 100 + type: array + upgrade_attempts: + items: + type: string + maxItems: 10000 + nullable: true + type: array + upgrade_details: + additionalProperties: false + nullable: true + type: object + properties: + action_id: + type: string + metadata: + additionalProperties: false + type: object + properties: + download_percent: + type: number + download_rate: + type: number + error_msg: + type: string + failed_state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + reason: + type: string + retry_error_msg: + type: string + retry_until: + type: string + scheduled_at: + type: string + state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + target_version: + type: string + required: + - target_version + - action_id + - state + upgrade_started_at: + nullable: true + type: string + upgraded_at: + nullable: true + type: string + user_provided_metadata: + additionalProperties: + nullable: true + type: object + required: + - id + - packages + - type + - active + - 
enrolled_at + - local_metadata + - effective_config + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent was found with the given ID + value: + error: Not Found + message: Agent agent-id-1 not found + statusCode: 404 + description: Not Found + summary: Get an agent + tags: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/agents/{agentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: put-fleet-agents-agentid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putAgentRequestExample: + description: Update agent tags + value: + tags: + - production + - linux + schema: + additionalProperties: false + type: object + properties: + tags: + items: + type: string + maxItems: 10 + type: array + user_provided_metadata: + additionalProperties: + nullable: true + type: object + responses: + '200': + content: + application/json: + examples: + putAgentExample: + description: Updated agent details + value: + item: + active: true + enrolled_at: '2024-01-01T00:00:00.000Z' + id: agent-id-1 + policy_id: agent-policy-id-1 + policy_revision: 1 + status: online + tags: + - production + - linux + type: PERMANENT + updated_at: '2024-01-01T00:00:00.000Z' + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + access_api_key: + type: string + access_api_key_id: + type: string + active: + type: boolean + agent: + additionalProperties: true + type: object + properties: + id: + type: string + type: + type: string + version: + type: string + required: + - id + - version + audit_unenrolled_reason: + type: string + capabilities: + items: + type: string + maxItems: 100 + type: array + components: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + type: string + units: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: 
string + payload: + additionalProperties: + nullable: true + type: object + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + enum: + - input + - output + - '' + type: string + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + default_api_key: + type: string + default_api_key_history: + items: + additionalProperties: false + deprecated: true + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + default_api_key_id: + type: string + effective_config: + nullable: true + enrolled_at: + type: string + health: + additionalProperties: + nullable: true + type: object + id: + type: string + identifying_attributes: + additionalProperties: + type: string + type: object + last_checkin: + type: string + last_checkin_message: + type: string + last_checkin_status: + enum: + - error + - online + - degraded + - updating + - starting + - disconnected + type: string + last_known_status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + local_metadata: + additionalProperties: + nullable: true + type: object + metrics: + additionalProperties: false + type: object + properties: + cpu_avg: + type: number + memory_size_byte_avg: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + non_identifying_attributes: + additionalProperties: + type: string + type: object + outputs: + additionalProperties: + additionalProperties: false + type: object + properties: + api_key_id: + type: string + to_retire_api_key_ids: + items: + additionalProperties: false + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at 
+ maxItems: 100 + type: array + type: + type: string + type: object + packages: + items: + type: string + maxItems: 10000 + type: array + policy_id: + type: string + policy_revision: + nullable: true + type: number + sequence_num: + type: number + sort: + items: + nullable: true + maxItems: 10 + type: array + status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + tags: + items: + type: string + maxItems: 100 + type: array + type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + - OPAMP + type: string + unenrolled_at: + type: string + unenrollment_started_at: + type: string + unhealthy_reason: + items: + enum: + - input + - output + - other + type: string + maxItems: 3 + nullable: true + type: array + upgrade: + additionalProperties: false + type: object + properties: + rollbacks: + items: + additionalProperties: false + type: object + properties: + valid_until: + type: string + version: + type: string + required: + - valid_until + - version + maxItems: 100 + type: array + upgrade_attempts: + items: + type: string + maxItems: 10000 + nullable: true + type: array + upgrade_details: + additionalProperties: false + nullable: true + type: object + properties: + action_id: + type: string + metadata: + additionalProperties: false + type: object + properties: + download_percent: + type: number + download_rate: + type: number + error_msg: + type: string + failed_state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + reason: + type: string + retry_error_msg: + type: string + retry_until: + type: string + scheduled_at: + type: string + state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: 
string + target_version: + type: string + required: + - target_version + - action_id + - state + upgrade_started_at: + nullable: true + type: string + upgraded_at: + nullable: true + type: string + user_provided_metadata: + additionalProperties: + nullable: true + type: object + required: + - id + - packages + - type + - active + - enrolled_at + - local_metadata + - effective_config + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent was found with the given ID + value: + error: Not Found + message: Agent agent-id-1 not found + statusCode: 404 + description: Not Found + summary: Update an agent by ID + tags: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/actions: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/actions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new action for a specific agent.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-actions + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postAgentActionRequestExample: + description: Create a UNENROLL action for an agent + value: + action: + type: UNENROLL + schema: + additionalProperties: false + type: object + properties: + action: + anyOf: + - additionalProperties: false + type: object + properties: + ack_data: + nullable: true + data: + nullable: true + type: + enum: + - UNENROLL + - UPGRADE + - POLICY_REASSIGN + type: string + required: + - type + - data + - ack_data + - additionalProperties: false + type: object + properties: + data: + additionalProperties: false + type: object + properties: + log_level: + enum: + - debug + - info + - warning + - error + nullable: true + type: string + required: + - log_level + type: + enum: + - SETTINGS + type: string + required: + - type + - data + required: + - action + responses: + '200': + content: + application/json: + examples: + postAgentActionExample: + description: Created agent action + value: + item: + agents: + - agent-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: action-id-1 + type: UNENROLL + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + ack_data: + nullable: true + agents: + items: + type: string + maxItems: 10000 + type: array + created_at: + type: string + data: + nullable: true + expiration: + type: string + id: + type: string + minimum_execution_duration: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + rollout_duration_seconds: + type: number + sent_at: + type: string + source_uri: + type: string 
+ start_time: + type: string + total: + type: number + type: + type: string + required: + - id + - type + - data + - created_at + - ack_data + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create an agent action + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/effective_config: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/{agentId}/effective_config
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an agent's effective config by ID.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-agentid-effective-config + parameters: + - description: The agent ID to get effective config of + in: path + name: agentId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + successResponse: + value: + effective_config: {} + schema: + additionalProperties: false + type: object + properties: + effective_config: + nullable: true + required: + - effective_config + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Get an agent's effective config + tags: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/migrate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/migrate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Migrate a single agent to another cluster.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-migrate + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postMigrateAgentRequestExample: + description: Migrate a single agent to another cluster + value: + enrollment_token: enrollment-token-value + settings: + retry_max: 5 + uri: https://fleet-server.example.com:8220 + schema: + additionalProperties: false + type: object + properties: + enrollment_token: + type: string + settings: + additionalProperties: false + type: object + properties: + ca_sha256: + type: string + certificate_authorities: + type: string + elastic_agent_cert: + type: string + elastic_agent_cert_key: + type: string + elastic_agent_cert_key_passphrase: + type: string + headers: + additionalProperties: + type: string + type: object + insecure: + type: boolean + proxy_disabled: + type: boolean + proxy_headers: + additionalProperties: + type: string + type: object + proxy_url: + type: string + replace_token: + type: string + staging: + type: string + tags: + items: + type: string + maxItems: 10 + type: array + uri: + format: uri + type: string + required: + - uri + - enrollment_token + responses: + '200': + content: + application/json: + examples: + postMigrateAgentExample: + description: Agent migration initiated + value: + actionId: action-id-1 + schema: + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: 
+ additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Migrate a single agent + tags: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/privilege_level_change: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/privilege_level_change
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Change the privilege level of a single agent to unprivileged.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-privilege-level-change + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID to change privilege level for + in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + changeAgentPrivilegeLevelRequest: + value: + user_info: + groupname: groupname + password: password + username: username + schema: + additionalProperties: false + nullable: true + type: object + properties: + user_info: + additionalProperties: false + type: object + properties: + groupname: + type: string + password: + type: string + username: + type: string + responses: + '200': + content: + application/json: + examples: + successResponse: + value: + actionId: actionId + schema: + anyOf: + - additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + - additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Change agent privilege level + tags: + - Elastic Agents + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/reassign: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/reassign
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Reassign an agent to a different agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-reassign + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postReassignAgentRequestExample: + description: Reassign an agent to a different policy + value: + policy_id: agent-policy-id-2 + schema: + additionalProperties: false + type: object + properties: + policy_id: + type: string + required: + - policy_id + responses: + '200': + content: + application/json: + examples: + postReassignAgentExample: + description: Agent successfully reassigned + value: {} + schema: + additionalProperties: false + type: object + properties: {} + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Reassign an agent + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/request_diagnostics: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/request_diagnostics
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Request a diagnostics bundle from a specific agent.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: post-fleet-agents-agentid-request-diagnostics + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postRequestDiagnosticsRequestExample: + description: Request a diagnostics bundle from an agent + value: + additional_metrics: + - CPU + schema: + additionalProperties: false + nullable: true + type: object + properties: + additional_metrics: + items: + enum: + - CPU + type: string + maxItems: 1 + type: array + responses: + '200': + content: + application/json: + examples: + postRequestDiagnosticsExample: + description: Diagnostics action result + value: + actionId: action-id-1 + schema: + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: Agent agent-id-1 does not support request diagnostics action. + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Request agent diagnostics + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/rollback: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/rollback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rollback an agent to the previous version.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-rollback + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID to rollback + in: path + name: agentId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + successResponse: + value: + actionId: actionId + schema: + anyOf: + - additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + - additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Rollback an agent + tags: + - Elastic Agent actions + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/unenroll: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/unenroll
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Unenroll a specific agent, optionally revoking its enrollment API key.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-unenroll + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postUnenrollAgentRequestExample: + description: Unenroll an agent, optionally revoking the enrollment API key + value: + revoke: false + schema: + additionalProperties: false + nullable: true + type: object + properties: + force: + type: boolean + revoke: + type: boolean + responses: + '200': + content: + application/json: + examples: + postUnenrollAgentExample: + description: Agent successfully unenrolled + value: {} + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + description: Bad Request + summary: Unenroll an agent + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/upgrade: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/upgrade
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upgrade a specific agent to a newer version.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-upgrade + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postUpgradeAgentRequestExample: + description: Upgrade an agent to a specific version + value: + version: 8.17.0 + schema: + additionalProperties: false + type: object + properties: + force: + type: boolean + skipRateLimitCheck: + type: boolean + source_uri: + type: string + version: + type: string + required: + - version + responses: + '200': + content: + application/json: + examples: + postUpgradeAgentExample: + description: Agent upgrade initiated + value: {} + schema: + additionalProperties: false + type: object + properties: {} + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Upgrade an agent + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/uploads: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/{agentId}/uploads
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of files uploaded by a specific agent.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-agentid-uploads + parameters: + - in: path + name: agentId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getAgentUploadsExample: + description: List of files uploaded by the agent + value: + items: + - actionId: action-id-1 + createTime: '2024-01-01T00:00:00.000Z' + filePath: /tmp/diagnostics-2024-01-01.zip + id: file-id-1 + name: diagnostics-2024-01-01.zip + status: READY + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + actionId: + type: string + createTime: + type: string + error: + type: string + filePath: + type: string + id: + type: string + name: + type: string + status: + enum: + - READY + - AWAITING_UPLOAD + - DELETED + - EXPIRED + - IN_PROGRESS + - FAILED + type: string + required: + - id + - name + - filePath + - createTime + - status + - actionId + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent uploads + tags: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/action_status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/action_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the current status of recent agent actions.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-action-status + parameters: + - in: query + name: page + required: false + schema: + default: 0 + type: number + - in: query + name: perPage + required: false + schema: + default: 20 + type: number + - in: query + name: date + required: false + schema: + type: string + - in: query + name: latest + required: false + schema: + type: number + - in: query + name: errorSize + required: false + schema: + default: 5 + type: number + responses: + '200': + content: + application/json: + examples: + getActionStatusExample: + description: Status of recent agent actions + value: + items: + - actionId: action-id-1 + completionTime: '2024-01-01T00:05:00.000Z' + creationTime: '2024-01-01T00:00:00.000Z' + nbAgentsAck: 2 + nbAgentsActioned: 2 + nbAgentsFailed: 0 + status: COMPLETE + type: UPGRADE + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + actionId: + type: string + cancellationTime: + type: string + completionTime: + type: string + creationTime: + description: creation time of action + type: string + expiration: + type: string + hasRolloutPeriod: + type: boolean + is_automatic: + type: boolean + latestErrors: + items: + additionalProperties: false + description: latest errors that happened when the agents executed the action + type: object + properties: + agentId: + type: string + error: + type: string + hostname: + type: string + timestamp: + type: string + required: + - agentId + - error + - timestamp + maxItems: 10 + type: array + nbAgentsAck: + description: number of agents that acknowledged the action + type: number + nbAgentsActionCreated: + description: number of agents included in action from kibana + type: number + nbAgentsActioned: + description: number of agents actioned + type: number + nbAgentsFailed: + description: number of agents that failed to execute the 
action + type: number + newPolicyId: + description: new policy id (POLICY_REASSIGN action) + type: string + policyId: + description: policy id (POLICY_CHANGE action) + type: string + revision: + description: new policy revision (POLICY_CHANGE action) + type: number + startTime: + description: start time of action (scheduled actions) + type: string + status: + enum: + - COMPLETE + - EXPIRED + - CANCELLED + - FAILED + - IN_PROGRESS + - ROLLOUT_PASSED + type: string + type: + enum: + - UPGRADE + - UNENROLL + - SETTINGS + - POLICY_REASSIGN + - CANCEL + - FORCE_UNENROLL + - REQUEST_DIAGNOSTICS + - UPDATE_TAGS + - POLICY_CHANGE + - INPUT_ACTION + - MIGRATE + - PRIVILEGE_LEVEL_CHANGE + - ROLLBACK + type: string + version: + description: agent version number (UPGRADE action) + type: string + required: + - actionId + - nbAgentsActionCreated + - nbAgentsAck + - nbAgentsFailed + - type + - nbAgentsActioned + - status + - creationTime + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get an agent action status + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/actions/{actionId}/cancel: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/actions/{actionId}/cancel
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Cancel a pending action for a specific agent.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-actions-actionid-cancel + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: actionId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postCancelActionRequestExample: + description: Cancel an agent action + value: {} + responses: + '200': + content: + application/json: + examples: + postCancelActionExample: + description: Cancellation action created + value: + item: + agents: + - agent-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: cancel-action-id-1 + type: CANCEL + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + ack_data: + nullable: true + agents: + items: + type: string + maxItems: 10000 + type: array + created_at: + type: string + data: + nullable: true + expiration: + type: string + id: + type: string + minimum_execution_duration: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + rollout_duration_seconds: + type: number + sent_at: + type: string + source_uri: + type: string + start_time: + type: string + total: + type: number + type: + type: string + required: + - id + - type + - data + - created_at + - ack_data + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + 
- message + - attributes + description: Bad Request + summary: Cancel an agent action + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/available_versions: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/available_versions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of Elastic Agent versions available for upgrade.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-available-versions + parameters: [] + responses: + '200': + content: + application/json: + examples: + getAvailableVersionsExample: + description: List of available agent versions for upgrade + value: + items: + - 8.17.0 + - 8.16.3 + - 8.16.2 + schema: + additionalProperties: false + type: object + properties: + items: + items: + type: string + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get available agent versions + tags: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/bulk_migrate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_migrate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk migrate agents to another cluster.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-migrate + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkMigrateAgentsRequestExample: + description: Migrate multiple agents to another cluster + value: + agents: + - agent-id-1 + - agent-id-2 + enrollment_token: enrollment-token-value + settings: + retry_max: 5 + uri: https://fleet-server.example.com:8220 + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + enrollment_token: + type: string + settings: + additionalProperties: false + type: object + properties: + ca_sha256: + type: string + certificate_authorities: + type: string + elastic_agent_cert: + type: string + elastic_agent_cert_key: + type: string + elastic_agent_cert_key_passphrase: + type: string + headers: + additionalProperties: + type: string + type: object + insecure: + type: boolean + proxy_disabled: + type: boolean + proxy_headers: + additionalProperties: + type: string + type: object + proxy_url: + type: string + staging: + type: string + tags: + items: + type: string + maxItems: 10 + type: array + uri: + format: uri + type: string + required: + - agents + - uri + - enrollment_token + responses: + '200': + content: + application/json: + examples: + postBulkMigrateAgentsExample: + description: Bulk agent migration initiated + value: + actionId: action-id-1 + schema: + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request 
+ message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Migrate multiple agents + tags: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/bulk_privilege_level_change: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_privilege_level_change
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Change multiple agents' privilege level to unprivileged.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-privilege-level-change + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + bulkChangeAgentPrivilegeLevelRequest: + value: + agents: agent + user_info: + groupname: groupname + password: password + username: username + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + user_info: + additionalProperties: false + type: object + properties: + groupname: + type: string + password: + type: string + username: + type: string + required: + - agents + responses: + '200': + content: + application/json: + examples: + successResponse: + value: + actionId: actionId + schema: + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Bulk change agent privilege level + tags: + - Elastic Agents + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/bulk_reassign: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_reassign
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Reassign multiple agents to a different agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-reassign + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkReassignAgentsRequestExample: + description: Reassign multiple agents to a different policy + value: + agents: + - agent-id-1 + - agent-id-2 + policy_id: agent-policy-id-2 + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + includeInactive: + default: false + type: boolean + policy_id: + type: string + required: + - policy_id + - agents + responses: + '200': + content: + application/json: + examples: + postBulkReassignAgentsExample: + description: Bulk reassign action result + value: + actionId: action-id-1 + schema: + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk reassign agents + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/bulk_request_diagnostics: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_request_diagnostics
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Request diagnostics bundles from multiple agents.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: post-fleet-agents-bulk-request-diagnostics + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkRequestDiagnosticsRequestExample: + description: Request diagnostics bundles from multiple agents + value: + additional_metrics: + - CPU + agents: + - agent-id-1 + - agent-id-2 + schema: + additionalProperties: false + type: object + properties: + additional_metrics: + items: + enum: + - CPU + type: string + maxItems: 1 + type: array + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + required: + - agents + responses: + '200': + content: + application/json: + examples: + postBulkRequestDiagnosticsExample: + description: Bulk diagnostics action result + value: + actionId: action-id-1 + schema: + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk request diagnostics from agents + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/bulk_rollback: + post: + description: |- + **Spaces method and path for this operation:** + 
+
post /s/{space_id}/api/fleet/agents/bulk_rollback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rollback multiple agents to the previous version.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-rollback + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + bulkRollbackAgentsRequest: + value: + agents: + - agent-1 + - agent-2 + batchSize: 100 + includeInactive: false + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + includeInactive: + default: false + type: boolean + required: + - agents + responses: + '200': + content: + application/json: + examples: + successResponse: + value: + actionIds: + - actionId1 + - actionId2 + schema: + additionalProperties: false + type: object + properties: + actionIds: + items: + type: string + maxItems: 10000 + type: array + required: + - actionIds + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Bulk rollback agents + tags: + - Elastic Agent actions + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/bulk_unenroll: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_unenroll
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Unenroll multiple agents, optionally revoking their enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-unenroll + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkUnenrollAgentsRequestExample: + description: Unenroll multiple agents + value: + agents: + - agent-id-1 + - agent-id-2 + revoke: false + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + description: list of agent IDs + type: string + maxItems: 10000 + type: array + - description: KQL query string, leave empty to action all agents + type: string + batchSize: + type: number + force: + description: Unenrolls hosted agents too + type: boolean + includeInactive: + description: When passing agents by KQL query, unenrolls inactive agents too + type: boolean + revoke: + description: Revokes API keys of agents + type: boolean + required: + - agents + responses: + '200': + content: + application/json: + examples: + postBulkUnenrollAgentsExample: + description: Bulk unenroll action result + value: + actionId: action-id-1 + schema: + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk unenroll agents + tags: + - Elastic Agent actions + 
x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/bulk_update_agent_tags: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_update_agent_tags
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Add or remove tags across multiple agents.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-update-agent-tags + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkUpdateAgentTagsRequestExample: + description: Add and remove tags across multiple agents + value: + agents: + - agent-id-1 + - agent-id-2 + tagsToAdd: + - production + tagsToRemove: + - staging + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + includeInactive: + default: false + type: boolean + tagsToAdd: + items: + type: string + maxItems: 10 + type: array + tagsToRemove: + items: + type: string + maxItems: 10 + type: array + required: + - agents + responses: + '200': + content: + application/json: + examples: + postBulkUpdateAgentTagsExample: + description: Bulk action result + value: + actionId: action-id-1 + schema: + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk update agent tags + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + 
/api/fleet/agents/bulk_upgrade: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_upgrade
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upgrade multiple agents to a newer version, with optional rollout controls.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-upgrade + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkUpgradeAgentsRequestExample: + description: Upgrade multiple agents to a specific version + value: + agents: + - agent-id-1 + - agent-id-2 + rollout_duration_seconds: 3600 + version: 8.17.0 + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + force: + type: boolean + includeInactive: + default: false + type: boolean + rollout_duration_seconds: + minimum: 600 + type: number + skipRateLimitCheck: + type: boolean + source_uri: + type: string + start_time: + type: string + version: + type: string + required: + - agents + - version + responses: + '200': + content: + application/json: + examples: + postBulkUpgradeAgentsExample: + description: Bulk upgrade action result + value: + actionId: action-id-1 + schema: + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk upgrade agents + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana, 
Elastic Cloud Serverless + name: product_name + /api/fleet/agents/files/{fileId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/agents/files/{fileId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: delete-fleet-agents-files-fileid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: fileId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + deleteAgentUploadFileExample: + description: Uploaded file successfully deleted + value: + deleted: true + id: file-id-1 + schema: + additionalProperties: false + type: object + properties: + deleted: + type: boolean + id: + type: string + required: + - id + - deleted + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete an uploaded file + tags: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/files/{fileId}/{fileName}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/files/{fileId}/{fileName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-files-fileid-filename + parameters: + - in: path + name: fileId + required: true + schema: + type: string + - in: path + name: fileName + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getAgentUploadFileExample: + description: The uploaded file content as a stream + value: + schema: + type: object + description: Successful response — returns the uploaded file content + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get an uploaded file + tags: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/setup: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/setup
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the current Fleet setup status, including whether Fleet is ready to enroll agents and which requirements or optional features are missing.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. + operationId: get-fleet-agents-setup + parameters: [] + responses: + '200': + content: + application/json: + examples: + agentsSetupNotReadyExample: + description: Fleet is not ready — a Fleet Server and API keys are required + value: + is_action_secrets_storage_enabled: false + is_secrets_storage_enabled: false + is_space_awareness_enabled: false + is_ssl_secrets_storage_enabled: false + isReady: false + missing_optional_features: + - encrypted_saved_object_encryption_key_required + missing_requirements: + - fleet_server + - api_keys + agentsSetupReadyExample: + description: Fleet is ready to enroll agents — all requirements are met + value: + is_action_secrets_storage_enabled: true + is_secrets_storage_enabled: true + is_space_awareness_enabled: false + is_ssl_secrets_storage_enabled: false + isReady: true + missing_optional_features: [] + missing_requirements: [] + package_verification_key_id: D88DB4CC + schema: + additionalProperties: false + description: A summary of the agent setup status. `isReady` indicates whether the setup is ready. If the setup is not ready, `missing_requirements` lists which requirements are missing. 
+ type: object + properties: + is_action_secrets_storage_enabled: + type: boolean + is_secrets_storage_enabled: + type: boolean + is_space_awareness_enabled: + type: boolean + is_ssl_secrets_storage_enabled: + type: boolean + isReady: + type: boolean + missing_optional_features: + items: + enum: + - encrypted_saved_object_encryption_key_required + type: string + maxItems: 1 + type: array + missing_requirements: + items: + enum: + - security_required + - tls_required + - api_keys + - fleet_admin_user + - fleet_server + type: string + maxItems: 5 + type: array + package_verification_key_id: + type: string + required: + - isReady + - missing_requirements + - missing_optional_features + description: Fleet setup status + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent setup info + tags: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/setup
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initialize Fleet. This endpoint is used by Elastic Agents to trigger Fleet setup. Safe to call multiple times; subsequent calls are idempotent.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. + operationId: post-fleet-agents-setup + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + responses: + '200': + content: + application/json: + examples: + agentsSetupSuccessExample: + description: Fleet setup initialized successfully with no non-fatal errors + value: + isInitialized: true + nonFatalErrors: [] + schema: + additionalProperties: false + description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup. + type: object + properties: + isInitialized: + type: boolean + nonFatalErrors: + items: + additionalProperties: false + type: object + properties: + message: + type: string + name: + type: string + required: + - name + - message + maxItems: 10000 + type: array + required: + - isInitialized + - nonFatalErrors + description: Fleet setup completed + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Initiate Fleet setup + tags: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/tags: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/tags
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all tags used across enrolled agents.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-tags + parameters: + - in: query + name: kuery + required: false + schema: + type: string + - in: query + name: showInactive + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + getAgentTagsExample: + description: List of tags used across agents + value: + items: + - production + - linux + - datacenter-1 + schema: + additionalProperties: false + type: object + properties: + items: + items: + type: string + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent tags + tags: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/check-permissions: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/check-permissions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Check whether the current user has the required permissions to use Fleet. Optionally verifies Fleet Server setup privileges. + operationId: get-fleet-check-permissions + parameters: + - in: query + name: fleetServerSetup + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + checkPermissionsMissingPrivilegesExample: + description: The current user is missing Fleet privileges + value: + error: MISSING_PRIVILEGES + success: false + checkPermissionsSuccessExample: + description: The current user has all required Fleet permissions + value: + success: true + schema: + additionalProperties: false + type: object + properties: + error: + enum: + - MISSING_SECURITY + - MISSING_PRIVILEGES + - MISSING_FLEET_SERVER_SETUP_PRIVILEGES + type: string + success: + type: boolean + required: + - success + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Check permissions + tags: + - Fleet internals + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/cloud_connectors: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/cloud_connectors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet cloud connectors.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. + operationId: get-fleet-cloud-connectors + parameters: + - description: The page number for pagination. + in: query + name: page + required: false + schema: + type: string + - description: The number of items per page. + in: query + name: perPage + required: false + schema: + type: string + - description: KQL query to filter cloud connectors. + in: query + name: kuery + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getCloudConnectorsExample: + description: List of Fleet cloud connectors + value: + items: + - accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-1 + name: My AWS connector + packagePolicyCount: 2 + updated_at: '2024-01-15T10:00:00.000Z' + vars: {} + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + 
attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get cloud connectors + tags: + - Fleet cloud connectors + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/cloud_connectors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Fleet cloud connector.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. + operationId: post-fleet-cloud-connectors + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postCloudConnectorRequestExample: + description: Create a new AWS cloud connector + value: + accountType: single-account + cloudProvider: aws + name: My AWS connector + vars: {} + schema: + additionalProperties: false + type: object + properties: + accountType: + description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).' + enum: + - single-account + - organization-account + type: string + cloudProvider: + description: 'The cloud provider type: aws, azure, or gcp.' + enum: + - aws + - azure + - gcp + type: string + name: + description: The name of the cloud connector. 
+ maxLength: 255 + minLength: 1 + type: string + vars: + additionalProperties: + anyOf: + - maxLength: 1000 + type: string + - type: number + - type: boolean + - additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + maxLength: 50 + type: string + value: + anyOf: + - maxLength: 1000 + type: string + - additionalProperties: false + type: object + properties: + id: + maxLength: 255 + type: string + isSecretRef: + type: boolean + required: + - isSecretRef + - id + required: + - type + - value + type: object + required: + - name + - cloudProvider + - vars + responses: + '200': + content: + application/json: + examples: + postCloudConnectorExample: + description: The created Fleet cloud connector + value: + item: + accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-2 + name: My AWS connector + packagePolicyCount: 0 + updated_at: '2024-01-15T10:00:00.000Z' + vars: {} + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + 
type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create cloud connector + tags: + - Fleet cloud connectors + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/cloud_connectors/{cloudConnectorId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a cloud connector by ID. Use the `force` query parameter to delete even if package policies are still using it.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. + operationId: delete-fleet-cloud-connectors-cloudconnectorid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the cloud connector to delete. + in: path + name: cloudConnectorId + required: true + schema: + type: string + - description: If true, forces deletion even if the cloud connector is in use. + in: query + name: force + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteCloudConnectorExample: + description: The cloud connector was successfully deleted + value: + id: cloud-connector-id-1 + schema: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete cloud connector (supports force deletion) + tags: + - Fleet cloud connectors + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a cloud connector by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. + operationId: get-fleet-cloud-connectors-cloudconnectorid + parameters: + - description: The unique identifier of the cloud connector. + in: path + name: cloudConnectorId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getCloudConnectorExample: + description: A Fleet cloud connector + value: + item: + accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-1 + name: My AWS connector + packagePolicyCount: 2 + updated_at: '2024-01-15T10:00:00.000Z' + vars: {} + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get cloud connector + tags: + - Fleet cloud 
connectors + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a cloud connector by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. + operationId: put-fleet-cloud-connectors-cloudconnectorid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the cloud connector to update. + in: path + name: cloudConnectorId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putCloudConnectorRequestExample: + description: Update a Fleet cloud connector + value: + name: Updated AWS connector + vars: {} + schema: + additionalProperties: false + type: object + properties: + accountType: + description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).' + enum: + - single-account + - organization-account + type: string + name: + description: The name of the cloud connector. + maxLength: 255 + minLength: 1 + type: string + vars: + additionalProperties: + anyOf: + - maxLength: 1000 + type: string + - type: number + - type: boolean + - additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + maxLength: 50 + type: string + value: + anyOf: + - maxLength: 1000 + type: string + - additionalProperties: false + type: object + properties: + id: + maxLength: 255 + type: string + isSecretRef: + type: boolean + required: + - isSecretRef + - id + required: + - type + - value + type: object + responses: + '200': + content: + application/json: + examples: + putCloudConnectorExample: + description: The updated Fleet cloud connector + value: + item: + accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-1 + name: Updated AWS connector + packagePolicyCount: 2 + updated_at: '2024-01-15T11:00:00.000Z' + vars: {} + schema: + additionalProperties: false + type: object + 
properties: + item: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Update cloud connector + tags: + - Fleet cloud connectors + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/cloud_connectors/{cloudConnectorId}/usage: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}/usage
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of package policies that are using a given cloud connector.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. + operationId: get-fleet-cloud-connectors-cloudconnectorid-usage + parameters: + - description: The unique identifier of the cloud connector. + in: path + name: cloudConnectorId + required: true + schema: + type: string + - description: The page number for pagination. + in: query + name: page + required: false + schema: + minimum: 1 + type: number + - description: The number of items per page. + in: query + name: perPage + required: false + schema: + minimum: 1 + type: number + responses: + '200': + content: + application/json: + examples: + getCloudConnectorUsageResponseExample: + description: Example response showing package policies using the cloud connector + value: + items: + - created_at: '2025-01-16T09:00:00.000Z' + id: package-policy-1 + name: CSPM AWS Policy + package: + name: cloud_security_posture + title: Cloud Security Posture Management + version: 3.1.1 + policy_ids: + - policy-id-123 + - policy-id-456 + updated_at: '2025-01-16T09:00:00.000Z' + page: 1 + perPage: 20 + total: 2 + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + created_at: + type: string + id: + type: string + name: + type: string + package: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version: + type: string + required: + - name + - title + - version + policy_ids: + items: + type: string + maxItems: 10000 + type: array + updated_at: + type: string + required: + - id + - name + - policy_ids + - created_at + - updated_at + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: 'OK: A successful request.' 
+ '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: Cloud connector not found + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Get cloud connector usage (package policies using the connector) + tags: + - Fleet cloud connectors + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/data_streams: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/data_streams
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet-managed data streams with metadata including package, namespace, size, and last activity.

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. + operationId: get-fleet-data-streams + parameters: [] + responses: + '200': + content: + application/json: + examples: + getDataStreamsExample: + description: List of Fleet-managed data streams + value: + data_streams: + - dashboards: + - id: nginx-overview + title: Nginx Overview + dataset: nginx.access + index: logs-nginx.access-default + last_activity_ms: 1700000000000 + namespace: default + package: nginx + package_version: 1.20.0 + serviceDetails: null + size_in_bytes: 1048576 + size_in_bytes_formatted: 1mb + type: logs + - dashboards: [] + dataset: system.cpu + index: metrics-system.cpu-default + last_activity_ms: 1699999000000 + namespace: default + package: system + package_version: 1.38.0 + serviceDetails: null + size_in_bytes: 524288 + size_in_bytes_formatted: 512kb + type: metrics + schema: + additionalProperties: false + type: object + properties: + data_streams: + items: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + title: + type: string + required: + - id + - title + maxItems: 10000 + type: array + dataset: + type: string + index: + type: string + last_activity_ms: + type: number + namespace: + type: string + package: + type: string + package_version: + type: string + serviceDetails: + additionalProperties: false + nullable: true + type: object + properties: + environment: + type: string + serviceName: + type: string + required: + - environment + - serviceName + size_in_bytes: + type: number + size_in_bytes_formatted: + anyOf: + - type: number + - type: string + type: + type: string + required: + - index + - dataset + - namespace + - type + - package + - package_version + - last_activity_ms + - size_in_bytes + - size_in_bytes_formatted + - dashboards + - serviceDetails + maxItems: 10000 + type: array + required: + 
- data_streams + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get data streams + tags: + - Data streams + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/enrollment_api_keys: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/enrollment_api_keys
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup. + operationId: get-fleet-enrollment-api-keys + parameters: + - in: query + name: page + required: false + schema: + default: 1 + type: number + - in: query + name: perPage + required: false + schema: + default: 20 + type: number + - in: query + name: kuery + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getEnrollmentApiKeysExample: + description: List of enrollment API keys + value: + items: + - active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: Default policy enrollment key + policy_id: policy-id-1 + list: + - active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: Default policy enrollment key + policy_id: policy-id-1 + page: 1 + perPage: 20 + total: 1 + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + active: + description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. + type: boolean + api_key: + description: The enrollment API key (token) used for enrolling Elastic Agents. + type: string + api_key_id: + description: The ID of the API key in the Security API. + type: string + created_at: + type: string + hidden: + type: boolean + id: + type: string + name: + description: The name of the enrollment API key. + type: string + policy_id: + description: The ID of the agent policy the Elastic Agent will be enrolled in. 
+ type: string + required: + - id + - api_key_id + - api_key + - active + - created_at + maxItems: 10000 + type: array + list: + deprecated: true + items: + additionalProperties: false + type: object + properties: + active: + description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. + type: boolean + api_key: + description: The enrollment API key (token) used for enrolling Elastic Agents. + type: string + api_key_id: + description: The ID of the API key in the Security API. + type: string + created_at: + type: string + hidden: + type: boolean + id: + type: string + name: + description: The name of the enrollment API key. + type: string + policy_id: + description: The ID of the agent policy the Elastic Agent will be enrolled in. + type: string + required: + - id + - api_key_id + - api_key + - active + - created_at + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + - list + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get enrollment API keys + tags: + - Fleet enrollment API keys + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/enrollment_api_keys
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create an enrollment API key for a given agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-enrollment-api-keys + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postEnrollmentApiKeyRequestExample: + description: Create an enrollment API key for an agent policy + value: + expiration: '2025-01-01T00:00:00.000Z' + name: My enrollment key + policy_id: policy-id-1 + schema: + additionalProperties: false + type: object + properties: + expiration: + type: string + name: + type: string + policy_id: + type: string + required: + - policy_id + responses: + '200': + content: + application/json: + examples: + postEnrollmentApiKeyExample: + description: The created enrollment API key + value: + action: created + item: + active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: My enrollment key + policy_id: policy-id-1 + schema: + additionalProperties: false + type: object + properties: + action: + enum: + - created + type: string + item: + additionalProperties: false + type: object + properties: + active: + description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. + type: boolean + api_key: + description: The enrollment API key (token) used for enrolling Elastic Agents. + type: string + api_key_id: + description: The ID of the API key in the Security API. + type: string + created_at: + type: string + hidden: + type: boolean + id: + type: string + name: + description: The name of the enrollment API key. + type: string + policy_id: + description: The ID of the agent policy the Elastic Agent will be enrolled in. 
+ type: string + required: + - id + - api_key_id + - api_key + - active + - created_at + required: + - item + - action + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create an enrollment API key + tags: + - Fleet enrollment API keys + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/enrollment_api_keys/{keyId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Revoke an enrollment API key by ID by marking it as inactive.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: delete-fleet-enrollment-api-keys-keyid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: keyId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + deleteEnrollmentApiKeyExample: + description: The enrollment API key was successfully revoked + value: + action: deleted + schema: + additionalProperties: false + type: object + properties: + action: + enum: + - deleted + type: string + required: + - action + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No enrollment API key was found with the given ID + value: + error: Not Found + message: EnrollmentAPIKey key-id-1 not found + statusCode: 404 + description: Not Found + summary: Revoke an enrollment API key + tags: + - Fleet enrollment API keys + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an enrollment API key by ID.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup. + operationId: get-fleet-enrollment-api-keys-keyid + parameters: + - in: path + name: keyId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getEnrollmentApiKeyExample: + description: An enrollment API key + value: + item: + active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: Default policy enrollment key + policy_id: policy-id-1 + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + active: + description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. + type: boolean + api_key: + description: The enrollment API key (token) used for enrolling Elastic Agents. + type: string + api_key_id: + description: The ID of the API key in the Security API. + type: string + created_at: + type: string + hidden: + type: boolean + id: + type: string + name: + description: The name of the enrollment API key. + type: string + policy_id: + description: The ID of the agent policy the Elastic Agent will be enrolled in. 
+ type: string + required: + - id + - api_key_id + - api_key + - active + - created_at + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No enrollment API key was found with the given ID + value: + error: Not Found + message: EnrollmentAPIKey key-id-1 not found + statusCode: 404 + description: Not Found + summary: Get an enrollment API key + tags: + - Fleet enrollment API keys + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/bulk_assets: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/bulk_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve multiple Kibana saved object assets by their IDs and types.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: post-fleet-epm-bulk-assets + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkGetAssetsRequestExample: + description: Retrieve multiple assets by their IDs and types + value: + assetIds: + - id: dashboard-id-1 + type: dashboard + - id: index-pattern-id-1 + type: index_pattern + schema: + additionalProperties: false + type: object + properties: + assetIds: + items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - id + - type + maxItems: 10000 + type: array + required: + - assetIds + responses: + '200': + content: + application/json: + examples: + postBulkGetAssetsExample: + description: Requested assets + value: + items: + - appLink: /app/dashboards#/view/dashboard-id-1 + attributes: + title: My Dashboard + id: dashboard-id-1 + type: dashboard + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + appLink: + type: string + attributes: + additionalProperties: false + type: object + properties: + description: + type: string + service: + type: string + title: + type: string + id: + type: string + type: + type: string + updatedAt: + type: string + required: + - id + - type + - attributes + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + 
attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk get assets + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/categories: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/categories
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of integration categories.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-categories + parameters: + - in: query + name: prerelease + required: false + schema: + type: boolean + - in: query + name: include_policy_templates + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + getCategoriesExample: + description: List of integration categories + value: + items: + - count: 42 + id: security + title: Security + - count: 38 + id: observability + title: Observability + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + count: + type: number + id: + type: string + parent_id: + type: string + parent_title: + type: string + title: + type: string + required: + - id + - title + - count + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get package categories + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/custom_integrations: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/custom_integrations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new custom integration package with user-defined data streams.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-custom-integrations + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postCreateCustomIntegrationRequestExample: + description: Create a new custom integration + value: + datasets: + - name: my_custom_logs.access + type: logs + integrationName: my_custom_logs + schema: + additionalProperties: false + type: object + properties: + datasets: + items: + additionalProperties: false + type: object + properties: + name: + type: string + type: + enum: + - logs + - metrics + - traces + - synthetics + - profiling + type: string + required: + - name + - type + maxItems: 10 + type: array + force: + type: boolean + integrationName: + type: string + required: + - integrationName + - datasets + responses: + '200': + content: + application/json: + examples: + postCreateCustomIntegrationExample: + description: Custom integration successfully created + value: + _meta: + install_source: custom + items: + - id: my_custom_logs-logs-my_custom_logs.access + type: index_template + schema: + additionalProperties: false + type: object + properties: + _meta: + additionalProperties: false + type: object + properties: + install_source: + type: string + name: + type: string + required: + - install_source + - name + items: + items: + anyOf: + - additionalProperties: false + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + - additionalProperties: false + type: object + 
properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + maxItems: 10000 + type: array + required: + - items + - _meta + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create a custom integration + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/custom_integrations/{pkgName}: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/epm/custom_integrations/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update the datasets of an existing custom integration package.

[Required authorization] Route required privileges: fleet-settings-all AND integrations-all. + operationId: put-fleet-epm-custom-integrations-pkgname + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: pkgName + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putUpdateCustomIntegrationRequestExample: + description: Update a custom integration + value: + datasets: + - name: my_custom_logs.access + type: logs + integrationName: my_custom_logs + schema: + additionalProperties: false + type: object + properties: + categories: + items: + type: string + maxItems: 10 + type: array + readMeData: + type: string + required: + - readMeData + responses: + '200': + content: + application/json: + examples: + putUpdateCustomIntegrationExample: + description: Custom integration successfully updated + value: {} + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Update a custom integration + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/data_streams: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/data_streams
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of data streams created by installed integration packages.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-data-streams + parameters: + - in: query + name: type + required: false + schema: + enum: + - logs + - metrics + - traces + - synthetics + - profiling + type: string + - in: query + name: datasetQuery + required: false + schema: + type: string + - in: query + name: sortOrder + required: false + schema: + default: asc + enum: + - asc + - desc + type: string + - in: query + name: uncategorisedOnly + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + getDataStreamsExample: + description: List of data streams from installed packages + value: + data_streams: + - ilm_policy: logs-default + index_template: logs-system.syslog + name: logs-system.syslog-default + package: system + package_version: 1.55.0 + title: System syslog logs + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + name: + type: string + required: + - name + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get data streams + tags: + - Data streams + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of integration packages available in the registry.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages + parameters: + - in: query + name: category + required: false + schema: + type: string + - in: query + name: prerelease + required: false + schema: + type: boolean + - in: query + name: excludeInstallStatus + required: false + schema: + type: boolean + - in: query + name: withPackagePoliciesCount + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + getPackagesExample: + description: List of available integration packages + value: + items: + - categories: + - cloud + description: Collect logs and metrics from Amazon Web Services + id: aws + name: aws + status: not_installed + title: AWS + version: 2.10.0 + searchExcluded: 0 + total: 1 + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: true + type: object + properties: + categories: + items: + type: string + maxItems: 100 + type: array + conditions: + additionalProperties: true + type: object + properties: + deprecated: + additionalProperties: true + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + elastic: + additionalProperties: true + type: object + properties: + capabilities: + items: + type: string + maxItems: 10 + type: array + subscription: + type: string + kibana: + additionalProperties: true + type: object + properties: + version: + type: string + data_streams: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + deprecated: + additionalProperties: true + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + description: + type: string + discovery: + 
additionalProperties: true + type: object + properties: + datasets: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + fields: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + download: + type: string + format_version: + type: string + icons: + items: + additionalProperties: true + type: object + properties: + dark_mode: + type: boolean + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + maxItems: 100 + type: array + id: + type: string + installationInfo: + additionalProperties: true + type: object + properties: + additional_spaces_installed_kibana: + additionalProperties: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + maxItems: 100 + type: array + type: object + created_at: + type: string + experimental_data_stream_features: + items: + additionalProperties: true + type: object + properties: + data_stream: + type: string + features: + additionalProperties: true + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + install_format_schema_version: + type: string + install_source: + enum: + - registry + - upload + - bundled + - custom + type: string + install_status: + enum: + - installed + - installing + - install_failed + type: string + installed_es: 
+ items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + maxItems: 10000 + type: array + installed_kibana: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + maxItems: 10000 + type: array + installed_kibana_space_id: + type: string + is_rollback_ttl_expired: + type: boolean + latest_executed_state: + additionalProperties: true + type: object + properties: + error: + type: string + name: + type: string + started_at: + type: string + latest_install_failed_attempts: + items: + additionalProperties: true + type: object + properties: + created_at: + type: string + error: + additionalProperties: true + type: object + properties: + message: + type: string + name: + type: string + stack: + type: string + required: + - name + - message + target_version: + type: string + required: + - created_at + - target_version + - error + maxItems: 10 + type: array + name: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: array + previous_version: + nullable: true + type: string + rolled_back: + type: boolean + type: + type: string + updated_at: + type: string + verification_key_id: + nullable: true + type: string + verification_status: + enum: + - unverified + - verified + - unknown + type: string + version: + type: string + required: + - type + - installed_kibana + - installed_es + - 
name + - version + - install_status + - install_source + - verification_status + integration: + type: string + internal: + type: boolean + latestVersion: + type: string + name: + type: string + owner: + additionalProperties: true + type: object + properties: + github: + type: string + type: + enum: + - elastic + - partner + - community + type: string + path: + type: string + policy_templates: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + readme: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + signature_path: + type: string + source: + additionalProperties: true + type: object + properties: + license: + type: string + required: + - license + status: + type: string + title: + type: string + type: + anyOf: + - enum: + - integration + type: string + - enum: + - input + type: string + - enum: + - content + type: string + - type: string + var_groups: + items: + additionalProperties: true + type: object + properties: + description: + type: string + name: + type: string + options: + items: + additionalProperties: true + type: object + properties: + description: + type: string + hide_in_deployment_modes: + items: + enum: + - default + - agentless + type: string + maxItems: 2 + type: array + name: + type: string + title: + type: string + vars: + items: + type: string + maxItems: 100 + type: array + required: + - name + - title + - vars + maxItems: 100 + type: array + selector_title: + type: string + title: + type: string + required: + - name + - title + - selector_title + - options + maxItems: 100 + type: array + vars: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + version: + type: string + required: + - name + - version + - title + - id + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a 
generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get packages + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install a package by uploading a .zip or .tar.gz archive (max 100MB). Only available to superusers.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: query + name: ignoreMappingUpdateErrors + required: false + schema: + default: false + type: boolean + - in: query + name: skipDataStreamRollover + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/gzip: + examples: + postInstallByUploadRequestExample: + description: Upload a .zip or .tar.gz package archive (max 100MB) + value: + application/gzip; application/zip: + schema: + format: binary + type: string + responses: + '200': + content: + application/gzip; application/zip: + schema: + additionalProperties: false + type: object + properties: + _meta: + additionalProperties: false + type: object + properties: + install_source: + type: string + name: + type: string + required: + - install_source + - name + items: + items: + anyOf: + - additionalProperties: false + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + - additionalProperties: false + type: object + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + maxItems: 10000 + type: array + required: + - items + - _meta + application/json: + examples: + 
postInstallByUploadExample: + description: Package successfully installed from upload + value: + _meta: + install_source: upload + items: + - id: my-custom-package-logs-default + type: index_template + description: Successful response + '400': + content: + application/gzip; application/zip: + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + description: Bad Request + summary: Install a package by upload + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/_bulk: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/_bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install multiple packages from the Elastic Package Registry in a single request.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: query + name: prerelease + required: false + schema: + type: boolean + requestBody: + content: + application/json: + examples: + postBulkInstallPackagesRequestExample: + description: Install multiple packages from the registry + value: + packages: + - system + - aws + schema: + additionalProperties: false + type: object + properties: + force: + default: false + type: boolean + packages: + items: + anyOf: + - type: string + - additionalProperties: false + type: object + properties: + name: + type: string + prerelease: + type: boolean + version: + type: string + required: + - name + - version + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + responses: + '200': + content: + application/json: + examples: + postBulkInstallPackagesExample: + description: Bulk install results + value: + items: + - name: system + result: + assets: [] + status: installed + - name: aws + result: + assets: [] + status: installed + schema: + additionalProperties: false + type: object + properties: + items: + items: + anyOf: + - additionalProperties: false + type: object + properties: + name: + type: string + result: + additionalProperties: false + type: object + properties: + assets: + items: + anyOf: + - additionalProperties: false + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + - additionalProperties: false + type: object + 
properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + maxItems: 10000 + type: array + error: + nullable: true + installSource: + type: string + installType: + type: string + status: + enum: + - installed + - already_installed + type: string + required: + - error + - installType + version: + type: string + required: + - name + - version + - result + - additionalProperties: false + type: object + properties: + error: + anyOf: + - type: string + - nullable: true + name: + type: string + statusCode: + type: number + required: + - name + - statusCode + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk install packages + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/_bulk_rollback: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/_bulk_rollback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rollback multiple packages to their previous versions.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-rollback + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + bulkRollbackRequest: + value: + packages: + - name: system + schema: + additionalProperties: false + type: object + properties: + packages: + items: + additionalProperties: false + type: object + properties: + name: + description: Package name to rollback + type: string + required: + - name + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + responses: + '200': + content: + application/json: + examples: + successResponse: + value: + taskId: taskId + schema: + additionalProperties: false + type: object + properties: + taskId: + type: string + required: + - taskId + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Bulk rollback packages + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/_bulk_rollback/{taskId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/_bulk_rollback/{taskId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the status and results of a bulk package rollback operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: get-fleet-epm-packages-bulk-rollback-taskid + parameters: + - description: Task ID of the bulk operation + in: path + name: taskId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + successResponse: + value: + status: success + schema: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + results: + items: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + name: + type: string + success: + type: boolean + required: + - name + - success + maxItems: 10000 + type: array + status: + type: string + required: + - status + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Get Bulk rollback packages details + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/_bulk_uninstall: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uninstall multiple packages in a single operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-uninstall + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkUninstallPackagesRequestExample: + description: Uninstall multiple packages + value: + packages: + - name: aws + - name: gcp + schema: + additionalProperties: false + type: object + properties: + force: + default: false + type: boolean + packages: + items: + additionalProperties: false + type: object + properties: + name: + type: string + version: + type: string + required: + - name + - version + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + responses: + '200': + content: + application/json: + examples: + postBulkUninstallPackagesExample: + description: Bulk uninstall task initiated + value: + taskId: task-id-1 + schema: + additionalProperties: false + type: object + properties: + taskId: + type: string + required: + - taskId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk uninstall packages + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/_bulk_uninstall/{taskId}: + get: + description: |- + **Spaces method and path for this 
operation:** + +
get /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall/{taskId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the status and results of a bulk package uninstall operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: get-fleet-epm-packages-bulk-uninstall-taskid + parameters: + - description: Task ID of the bulk operation + in: path + name: taskId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getBulkOperationDetailsExample: + description: Details of the bulk operation task + value: + packages: + - name: system + result: installed + - name: elastic_agent + result: installed + status: success + schema: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + results: + items: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + name: + type: string + success: + type: boolean + required: + - name + - success + maxItems: 10000 + type: array + status: + type: string + required: + - status + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get Bulk uninstall packages details + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/_bulk_upgrade: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upgrade multiple packages to their latest versions.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-upgrade + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkUpgradePackagesRequestExample: + description: Upgrade multiple packages to their latest versions + value: + packages: + - name: system + - name: elastic_agent + schema: + additionalProperties: false + type: object + properties: + force: + default: false + type: boolean + packages: + items: + additionalProperties: false + type: object + properties: + name: + type: string + version: + type: string + required: + - name + maxItems: 1000 + minItems: 1 + type: array + prerelease: + type: boolean + upgrade_package_policies: + default: false + type: boolean + required: + - packages + responses: + '200': + content: + application/json: + examples: + postBulkUpgradePackagesExample: + description: Bulk upgrade task initiated + value: + taskId: task-id-1 + schema: + additionalProperties: false + type: object + properties: + taskId: + type: string + required: + - taskId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk upgrade packages + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + 
/api/fleet/epm/packages/_bulk_upgrade/{taskId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade/{taskId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the status and results of a bulk package upgrade operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: get-fleet-epm-packages-bulk-upgrade-taskid + parameters: + - description: Task ID of the bulk operation + in: path + name: taskId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getBulkOperationDetailsExample: + description: Details of the bulk operation task + value: + packages: + - name: system + result: installed + - name: elastic_agent + result: installed + status: success + schema: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + results: + items: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + name: + type: string + success: + type: boolean + required: + - name + - success + maxItems: 10000 + type: array + status: + type: string + required: + - status + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get Bulk upgrade packages details + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uninstall a package and remove all its assets.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: pkgName + required: true + schema: + type: string + - in: query + name: force + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + deletePackageExample: + description: Package successfully deleted + value: + items: + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template + schema: + additionalProperties: false + type: object + properties: + items: + items: + anyOf: + - additionalProperties: false + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + - additionalProperties: false + type: object + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + 
nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete a package + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get information about a package by name, returning the latest installed or available version. + operationId: get-fleet-epm-packages-pkgname + parameters: + - in: path + name: pkgName + required: true + schema: + type: string + - in: query + name: ignoreUnverified + required: false + schema: + type: boolean + - in: query + name: prerelease + required: false + schema: + type: boolean + - in: query + name: full + required: false + schema: + type: boolean + - in: query + name: withMetadata + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + getPackageInfoExample: + description: Package details and installation status + value: + item: + assets: + kibana: + dashboard: [] + index_pattern: [] + categories: + - cloud + description: Collect logs and metrics from Amazon Web Services + name: aws + status: installed + title: AWS + version: 2.10.0 + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: true + type: object + properties: + agent: + additionalProperties: false + type: object + properties: + privileges: + additionalProperties: false + type: object + properties: + root: + type: boolean + asset_tags: + items: + additionalProperties: false + type: object + properties: + asset_ids: + items: + type: string + maxItems: 1000 + type: array + asset_types: + items: + type: string + maxItems: 100 + type: array + text: + type: string + required: + - text + maxItems: 1000 + type: array + assets: + additionalProperties: + nullable: true + type: object + categories: + items: + type: string + maxItems: 100 + type: array + conditions: + additionalProperties: true + type: object + properties: + deprecated: + additionalProperties: true + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + 
since: + type: string + required: + - description + elastic: + additionalProperties: true + type: object + properties: + capabilities: + items: + type: string + maxItems: 10 + type: array + subscription: + type: string + kibana: + additionalProperties: true + type: object + properties: + version: + type: string + data_streams: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + deprecated: + additionalProperties: true + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + description: + type: string + discovery: + additionalProperties: true + type: object + properties: + datasets: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + fields: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + download: + type: string + elasticsearch: + additionalProperties: + nullable: true + type: object + format_version: + type: string + icons: + items: + additionalProperties: true + type: object + properties: + dark_mode: + type: boolean + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + maxItems: 100 + type: array + installationInfo: + additionalProperties: true + type: object + properties: + additional_spaces_installed_kibana: + additionalProperties: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + 
- id + - type + maxItems: 100 + type: array + type: object + created_at: + type: string + experimental_data_stream_features: + items: + additionalProperties: true + type: object + properties: + data_stream: + type: string + features: + additionalProperties: true + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + install_format_schema_version: + type: string + install_source: + enum: + - registry + - upload + - bundled + - custom + type: string + install_status: + enum: + - installed + - installing + - install_failed + type: string + installed_es: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + maxItems: 10000 + type: array + installed_kibana: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + maxItems: 10000 + type: array + installed_kibana_space_id: + type: string + is_rollback_ttl_expired: + type: boolean + latest_executed_state: + additionalProperties: true + type: object + properties: + error: + type: string + name: + type: string + started_at: + type: string + latest_install_failed_attempts: + items: + additionalProperties: true + type: object + properties: + created_at: + type: string + 
error: + additionalProperties: true + type: object + properties: + message: + type: string + name: + type: string + stack: + type: string + required: + - name + - message + target_version: + type: string + required: + - created_at + - target_version + - error + maxItems: 10 + type: array + name: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: array + previous_version: + nullable: true + type: string + rolled_back: + type: boolean + type: + type: string + updated_at: + type: string + verification_key_id: + nullable: true + type: string + verification_status: + enum: + - unverified + - verified + - unknown + type: string + version: + type: string + required: + - type + - installed_kibana + - installed_es + - name + - version + - install_status + - install_source + - verification_status + internal: + type: boolean + keepPoliciesUpToDate: + type: boolean + latestVersion: + type: string + license: + type: string + licensePath: + type: string + name: + type: string + notice: + type: string + owner: + additionalProperties: true + type: object + properties: + github: + type: string + type: + enum: + - elastic + - partner + - community + type: string + path: + type: string + policy_templates: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + readme: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + screenshots: + items: + additionalProperties: false + type: object + properties: + dark_mode: + type: boolean + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + maxItems: 100 + type: array + signature_path: + type: string + source: + additionalProperties: true + type: object + properties: + license: + type: string + required: + - license + status: + type: string + title: + type: string + type: + anyOf: + - enum: + - integration + type: string + - enum: + - input + type: string + - enum: 
+ - content + type: string + - type: string + var_groups: + items: + additionalProperties: true + type: object + properties: + description: + type: string + name: + type: string + options: + items: + additionalProperties: true + type: object + properties: + description: + type: string + hide_in_deployment_modes: + items: + enum: + - default + - agentless + type: string + maxItems: 2 + type: array + name: + type: string + title: + type: string + vars: + items: + type: string + maxItems: 100 + type: array + required: + - name + - title + - vars + maxItems: 100 + type: array + selector_title: + type: string + title: + type: string + required: + - name + - title + - selector_title + - options + maxItems: 100 + type: array + vars: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + version: + type: string + required: + - name + - version + - title + - assets + metadata: + additionalProperties: false + type: object + properties: + has_policies: + type: boolean + required: + - has_policies + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get a package + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install the latest version of a package from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: pkgName + required: true + schema: + type: string + - in: query + name: prerelease + required: false + schema: + type: boolean + - in: query + name: ignoreMappingUpdateErrors + required: false + schema: + default: false + type: boolean + - in: query + name: skipDataStreamRollover + required: false + schema: + default: false + type: boolean + - description: Skip dependency validation when installing a package with dependencies + in: query + name: skipDependencyCheck + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + examples: + postInstallPackageRequestExample: + description: Install a package, optionally ignoring constraints + value: + ignore_constraints: false + schema: + additionalProperties: false + nullable: true + type: object + properties: + force: + default: false + type: boolean + ignore_constraints: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + postInstallPackageExample: + description: Package successfully installed + value: + _meta: + install_source: registry + items: + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template + schema: + additionalProperties: false + type: object + properties: + _meta: + additionalProperties: false + type: object + properties: + install_source: + type: string + name: + type: string + required: + - install_source + - name + items: + items: + anyOf: + - additionalProperties: false + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - 
index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + - additionalProperties: false + type: object + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + maxItems: 10000 + type: array + required: + - items + - _meta + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Install a package from the registry + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/epm/packages/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update settings for a package, such as whether policies are kept up to date automatically.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: put-fleet-epm-packages-pkgname + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: pkgName + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putUpdatePackageRequestExample: + description: Update keep_policies_up_to_date setting for a package + value: + keepPoliciesUpToDate: true + schema: + additionalProperties: false + type: object + properties: + keepPoliciesUpToDate: + type: boolean + required: + - keepPoliciesUpToDate + responses: + '200': + content: + application/json: + examples: + putUpdatePackageExample: + description: Updated package settings + value: + item: + keepPoliciesUpToDate: true + name: aws + version: 2.10.0 + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: true + type: object + properties: + agent: + additionalProperties: false + type: object + properties: + privileges: + additionalProperties: false + type: object + properties: + root: + type: boolean + asset_tags: + items: + additionalProperties: false + type: object + properties: + asset_ids: + items: + type: string + maxItems: 1000 + type: array + asset_types: + items: + type: string + maxItems: 100 + type: array + text: + type: string + required: + - text + maxItems: 1000 + type: array + assets: + additionalProperties: + nullable: true + type: object + categories: + items: + type: string + maxItems: 100 + type: array + conditions: + additionalProperties: true + type: object + properties: + deprecated: + additionalProperties: true + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + elastic: + additionalProperties: 
true + type: object + properties: + capabilities: + items: + type: string + maxItems: 10 + type: array + subscription: + type: string + kibana: + additionalProperties: true + type: object + properties: + version: + type: string + data_streams: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + deprecated: + additionalProperties: true + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + description: + type: string + discovery: + additionalProperties: true + type: object + properties: + datasets: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + fields: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + download: + type: string + elasticsearch: + additionalProperties: + nullable: true + type: object + format_version: + type: string + icons: + items: + additionalProperties: true + type: object + properties: + dark_mode: + type: boolean + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + maxItems: 100 + type: array + installationInfo: + additionalProperties: true + type: object + properties: + additional_spaces_installed_kibana: + additionalProperties: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + maxItems: 100 + type: array + type: object + created_at: + type: 
string + experimental_data_stream_features: + items: + additionalProperties: true + type: object + properties: + data_stream: + type: string + features: + additionalProperties: true + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + install_format_schema_version: + type: string + install_source: + enum: + - registry + - upload + - bundled + - custom + type: string + install_status: + enum: + - installed + - installing + - install_failed + type: string + installed_es: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + maxItems: 10000 + type: array + installed_kibana: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + maxItems: 10000 + type: array + installed_kibana_space_id: + type: string + is_rollback_ttl_expired: + type: boolean + latest_executed_state: + additionalProperties: true + type: object + properties: + error: + type: string + name: + type: string + started_at: + type: string + latest_install_failed_attempts: + items: + additionalProperties: true + type: object + properties: + created_at: + type: string + error: + additionalProperties: true + type: object + properties: + message: + 
type: string + name: + type: string + stack: + type: string + required: + - name + - message + target_version: + type: string + required: + - created_at + - target_version + - error + maxItems: 10 + type: array + name: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: array + previous_version: + nullable: true + type: string + rolled_back: + type: boolean + type: + type: string + updated_at: + type: string + verification_key_id: + nullable: true + type: string + verification_status: + enum: + - unverified + - verified + - unknown + type: string + version: + type: string + required: + - type + - installed_kibana + - installed_es + - name + - version + - install_status + - install_source + - verification_status + internal: + type: boolean + keepPoliciesUpToDate: + type: boolean + latestVersion: + type: string + license: + type: string + licensePath: + type: string + name: + type: string + notice: + type: string + owner: + additionalProperties: true + type: object + properties: + github: + type: string + type: + enum: + - elastic + - partner + - community + type: string + path: + type: string + policy_templates: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + readme: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + screenshots: + items: + additionalProperties: false + type: object + properties: + dark_mode: + type: boolean + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + maxItems: 100 + type: array + signature_path: + type: string + source: + additionalProperties: true + type: object + properties: + license: + type: string + required: + - license + status: + type: string + title: + type: string + type: + anyOf: + - enum: + - integration + type: string + - enum: + - input + type: string + - enum: + - content + type: string + - type: string + var_groups: + items: + 
additionalProperties: true + type: object + properties: + description: + type: string + name: + type: string + options: + items: + additionalProperties: true + type: object + properties: + description: + type: string + hide_in_deployment_modes: + items: + enum: + - default + - agentless + type: string + maxItems: 2 + type: array + name: + type: string + title: + type: string + vars: + items: + type: string + maxItems: 100 + type: array + required: + - name + - title + - vars + maxItems: 100 + type: array + selector_title: + type: string + title: + type: string + required: + - name + - title + - selector_title + - options + maxItems: 100 + type: array + vars: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + version: + type: string + required: + - name + - version + - title + - assets + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Update package settings + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uninstall a specific version of a package and remove all its assets.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname-pkgversion + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - in: query + name: force + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + deletePackageExample: + description: Package successfully deleted + value: + items: + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template + schema: + additionalProperties: false + type: object + properties: + items: + items: + anyOf: + - additionalProperties: false + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + - additionalProperties: false + type: object + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + 
additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete a package + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get information about a specific version of a package. + operationId: get-fleet-epm-packages-pkgname-pkgversion + parameters: + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - in: query + name: ignoreUnverified + required: false + schema: + type: boolean + - in: query + name: prerelease + required: false + schema: + type: boolean + - in: query + name: full + required: false + schema: + type: boolean + - in: query + name: withMetadata + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + getPackageInfoExample: + description: Package details and installation status + value: + item: + assets: + kibana: + dashboard: [] + index_pattern: [] + categories: + - cloud + description: Collect logs and metrics from Amazon Web Services + name: aws + status: installed + title: AWS + version: 2.10.0 + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: true + type: object + properties: + agent: + additionalProperties: false + type: object + properties: + privileges: + additionalProperties: false + type: object + properties: + root: + type: boolean + asset_tags: + items: + additionalProperties: false + type: object + properties: + asset_ids: + items: + type: string + maxItems: 1000 + type: array + asset_types: + items: + type: string + maxItems: 100 + type: array + text: + type: string + required: + - text + maxItems: 1000 + type: array + assets: + additionalProperties: + nullable: true + type: object + categories: + items: + type: string + maxItems: 100 + type: array + conditions: + additionalProperties: true + type: object + properties: + deprecated: + additionalProperties: true + type: object + properties: + description: + type: string + replaced_by: + 
additionalProperties: + type: string + type: object + since: + type: string + required: + - description + elastic: + additionalProperties: true + type: object + properties: + capabilities: + items: + type: string + maxItems: 10 + type: array + subscription: + type: string + kibana: + additionalProperties: true + type: object + properties: + version: + type: string + data_streams: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + deprecated: + additionalProperties: true + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + description: + type: string + discovery: + additionalProperties: true + type: object + properties: + datasets: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + fields: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + download: + type: string + elasticsearch: + additionalProperties: + nullable: true + type: object + format_version: + type: string + icons: + items: + additionalProperties: true + type: object + properties: + dark_mode: + type: boolean + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + maxItems: 100 + type: array + installationInfo: + additionalProperties: true + type: object + properties: + additional_spaces_installed_kibana: + additionalProperties: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query 
+ - tag + type: string + - type: string + required: + - id + - type + maxItems: 100 + type: array + type: object + created_at: + type: string + experimental_data_stream_features: + items: + additionalProperties: true + type: object + properties: + data_stream: + type: string + features: + additionalProperties: true + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + install_format_schema_version: + type: string + install_source: + enum: + - registry + - upload + - bundled + - custom + type: string + install_status: + enum: + - installed + - installing + - install_failed + type: string + installed_es: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + maxItems: 10000 + type: array + installed_kibana: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + maxItems: 10000 + type: array + installed_kibana_space_id: + type: string + is_rollback_ttl_expired: + type: boolean + latest_executed_state: + additionalProperties: true + type: object + properties: + error: + type: string + name: + type: string + started_at: + type: string + latest_install_failed_attempts: + items: + additionalProperties: true + 
type: object + properties: + created_at: + type: string + error: + additionalProperties: true + type: object + properties: + message: + type: string + name: + type: string + stack: + type: string + required: + - name + - message + target_version: + type: string + required: + - created_at + - target_version + - error + maxItems: 10 + type: array + name: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: array + previous_version: + nullable: true + type: string + rolled_back: + type: boolean + type: + type: string + updated_at: + type: string + verification_key_id: + nullable: true + type: string + verification_status: + enum: + - unverified + - verified + - unknown + type: string + version: + type: string + required: + - type + - installed_kibana + - installed_es + - name + - version + - install_status + - install_source + - verification_status + internal: + type: boolean + keepPoliciesUpToDate: + type: boolean + latestVersion: + type: string + license: + type: string + licensePath: + type: string + name: + type: string + notice: + type: string + owner: + additionalProperties: true + type: object + properties: + github: + type: string + type: + enum: + - elastic + - partner + - community + type: string + path: + type: string + policy_templates: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + readme: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + screenshots: + items: + additionalProperties: false + type: object + properties: + dark_mode: + type: boolean + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + maxItems: 100 + type: array + signature_path: + type: string + source: + additionalProperties: true + type: object + properties: + license: + type: string + required: + - license + status: + type: string + title: + type: string + type: + anyOf: + - enum: + - integration + 
type: string + - enum: + - input + type: string + - enum: + - content + type: string + - type: string + var_groups: + items: + additionalProperties: true + type: object + properties: + description: + type: string + name: + type: string + options: + items: + additionalProperties: true + type: object + properties: + description: + type: string + hide_in_deployment_modes: + items: + enum: + - default + - agentless + type: string + maxItems: 2 + type: array + name: + type: string + title: + type: string + vars: + items: + type: string + maxItems: 100 + type: array + required: + - name + - title + - vars + maxItems: 100 + type: array + selector_title: + type: string + title: + type: string + required: + - name + - title + - selector_title + - options + maxItems: 100 + type: array + vars: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + version: + type: string + required: + - name + - version + - title + - assets + metadata: + additionalProperties: false + type: object + properties: + has_policies: + type: boolean + required: + - has_policies + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get a package + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install a specific version of a package from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-pkgversion + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - in: query + name: prerelease + required: false + schema: + type: boolean + - in: query + name: ignoreMappingUpdateErrors + required: false + schema: + default: false + type: boolean + - in: query + name: skipDataStreamRollover + required: false + schema: + default: false + type: boolean + - description: Skip dependency validation when installing a package with dependencies + in: query + name: skipDependencyCheck + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + examples: + postInstallPackageRequestExample: + description: Install a package, optionally ignoring constraints + value: + ignore_constraints: false + schema: + additionalProperties: false + nullable: true + type: object + properties: + force: + default: false + type: boolean + ignore_constraints: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + postInstallPackageExample: + description: Package successfully installed + value: + _meta: + install_source: registry + items: + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template + schema: + additionalProperties: false + type: object + properties: + _meta: + additionalProperties: false + type: object + properties: + install_source: + type: string + name: + type: string + required: + - install_source + - name + items: + items: + anyOf: + - additionalProperties: false + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + 
type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + - additionalProperties: false + type: object + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + maxItems: 10000 + type: array + required: + - items + - _meta + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Install a package from the registry + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update settings for a specific version of a package.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: put-fleet-epm-packages-pkgname-pkgversion + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putUpdatePackageRequestExample: + description: Update keep_policies_up_to_date setting for a package + value: + keepPoliciesUpToDate: true + schema: + additionalProperties: false + type: object + properties: + keepPoliciesUpToDate: + type: boolean + required: + - keepPoliciesUpToDate + responses: + '200': + content: + application/json: + examples: + putUpdatePackageExample: + description: Updated package settings + value: + item: + keepPoliciesUpToDate: true + name: aws + version: 2.10.0 + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: true + type: object + properties: + agent: + additionalProperties: false + type: object + properties: + privileges: + additionalProperties: false + type: object + properties: + root: + type: boolean + asset_tags: + items: + additionalProperties: false + type: object + properties: + asset_ids: + items: + type: string + maxItems: 1000 + type: array + asset_types: + items: + type: string + maxItems: 100 + type: array + text: + type: string + required: + - text + maxItems: 1000 + type: array + assets: + additionalProperties: + nullable: true + type: object + categories: + items: + type: string + maxItems: 100 + type: array + conditions: + additionalProperties: true + type: object + properties: + deprecated: + additionalProperties: true + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + 
since: + type: string + required: + - description + elastic: + additionalProperties: true + type: object + properties: + capabilities: + items: + type: string + maxItems: 10 + type: array + subscription: + type: string + kibana: + additionalProperties: true + type: object + properties: + version: + type: string + data_streams: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + deprecated: + additionalProperties: true + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + description: + type: string + discovery: + additionalProperties: true + type: object + properties: + datasets: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + fields: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + download: + type: string + elasticsearch: + additionalProperties: + nullable: true + type: object + format_version: + type: string + icons: + items: + additionalProperties: true + type: object + properties: + dark_mode: + type: boolean + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + maxItems: 100 + type: array + installationInfo: + additionalProperties: true + type: object + properties: + additional_spaces_installed_kibana: + additionalProperties: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + 
- id + - type + maxItems: 100 + type: array + type: object + created_at: + type: string + experimental_data_stream_features: + items: + additionalProperties: true + type: object + properties: + data_stream: + type: string + features: + additionalProperties: true + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + install_format_schema_version: + type: string + install_source: + enum: + - registry + - upload + - bundled + - custom + type: string + install_status: + enum: + - installed + - installing + - install_failed + type: string + installed_es: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + maxItems: 10000 + type: array + installed_kibana: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + maxItems: 10000 + type: array + installed_kibana_space_id: + type: string + is_rollback_ttl_expired: + type: boolean + latest_executed_state: + additionalProperties: true + type: object + properties: + error: + type: string + name: + type: string + started_at: + type: string + latest_install_failed_attempts: + items: + additionalProperties: true + type: object + properties: + created_at: + type: string + 
error: + additionalProperties: true + type: object + properties: + message: + type: string + name: + type: string + stack: + type: string + required: + - name + - message + target_version: + type: string + required: + - created_at + - target_version + - error + maxItems: 10 + type: array + name: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: array + previous_version: + nullable: true + type: string + rolled_back: + type: boolean + type: + type: string + updated_at: + type: string + verification_key_id: + nullable: true + type: string + verification_status: + enum: + - unverified + - verified + - unknown + type: string + version: + type: string + required: + - type + - installed_kibana + - installed_es + - name + - version + - install_status + - install_source + - verification_status + internal: + type: boolean + keepPoliciesUpToDate: + type: boolean + latestVersion: + type: string + license: + type: string + licensePath: + type: string + name: + type: string + notice: + type: string + owner: + additionalProperties: true + type: object + properties: + github: + type: string + type: + enum: + - elastic + - partner + - community + type: string + path: + type: string + policy_templates: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + readme: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + screenshots: + items: + additionalProperties: false + type: object + properties: + dark_mode: + type: boolean + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + maxItems: 100 + type: array + signature_path: + type: string + source: + additionalProperties: true + type: object + properties: + license: + type: string + required: + - license + status: + type: string + title: + type: string + type: + anyOf: + - enum: + - integration + type: string + - enum: + - input + type: string + - enum: 
+ - content + type: string + - type: string + var_groups: + items: + additionalProperties: true + type: object + properties: + description: + type: string + name: + type: string + options: + items: + additionalProperties: true + type: object + properties: + description: + type: string + hide_in_deployment_modes: + items: + enum: + - default + - agentless + type: string + maxItems: 2 + type: array + name: + type: string + title: + type: string + vars: + items: + type: string + maxItems: 100 + type: array + required: + - name + - title + - vars + maxItems: 100 + type: array + selector_title: + type: string + title: + type: string + required: + - name + - title + - selector_title + - options + maxItems: 100 + type: array + vars: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + version: + type: string + required: + - name + - version + - title + - assets + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Update package settings + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the contents of a specific file from a package.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath + parameters: + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - in: path + name: filePath + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getPackageFileExample: + description: The content of the requested package file + value: + schema: {} + description: Successful response — returns the file content + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get a package file + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete datastream assets for a specific input package, by data stream name.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname-pkgversion-datastream-assets + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - in: query + name: packagePolicyId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + deletePackageDatastreamAssetsExample: + description: Package datastream assets successfully deleted + value: + items: + - id: logs-my_package.access-default + type: index_template + schema: + additionalProperties: false + type: object + properties: + success: + type: boolean + required: + - success + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete assets for an input package + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the list of packages that a specific package depends on.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-pkgname-pkgversion-dependencies + parameters: + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + dependenciesResponse: + value: + items: + - name: aws + title: AWS + version: ^2.0.0 + - name: system + title: System + version: ^1.0.0 + noDependenciesResponse: + value: + items: [] + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version: + type: string + required: + - name + - version + - title + maxItems: 1000 + type: array + required: + - items + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + packageNotFoundResponse: + value: + message: '[my-package-1.0.0] package not found in registry' + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Get package dependencies + tags: + - Elastic Package Manager (EPM) + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete Kibana assets (dashboards, visualizations, etc.) for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + deleteKibanaAssetsExample: + description: Kibana assets successfully deleted + value: + items: + - id: dashboard-id-1 + type: dashboard + schema: + additionalProperties: false + type: object + properties: + success: + type: boolean + required: + - success + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete Kibana assets for a package + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install Kibana assets (dashboards, visualizations, etc.) for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-pkgversion-kibana-assets + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postInstallKibanaAssetsRequestExample: + description: Install Kibana assets for a specific package version + value: {} + schema: + additionalProperties: false + nullable: true + type: object + properties: + force: + type: boolean + space_ids: + description: When provided install assets in the specified spaces instead of the current space. + items: + type: string + maxItems: 100 + minItems: 1 + type: array + responses: + '200': + content: + application/json: + examples: + postInstallKibanaAssetsExample: + description: Kibana assets successfully installed + value: + items: + - id: dashboard-id-1 + type: dashboard + schema: + additionalProperties: false + type: object + properties: + success: + type: boolean + required: + - success + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Install Kibana assets for a package + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud 
Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install Kibana alert rule assets for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-pkgversion-rule-assets + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postInstallRuleAssetsRequestExample: + description: Install alert rule assets for a specific package version + value: {} + schema: + additionalProperties: false + nullable: true + type: object + properties: + force: + type: boolean + responses: + '200': + content: + application/json: + examples: + postInstallRuleAssetsExample: + description: Rule assets successfully installed + value: + items: + - id: rule-asset-id-1 + type: security_rule + schema: + additionalProperties: false + type: object + properties: + success: + type: boolean + required: + - success + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Install Kibana alert rule for a package + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: + post: + description: |- + **Spaces method and path for this 
operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Reauthorize Elasticsearch transforms installed by a package with secondary authorization headers. + operationId: post-fleet-epm-packages-pkgname-pkgversion-transforms-authorize + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - in: query + name: prerelease + required: false + schema: + type: boolean + requestBody: + content: + application/json: + examples: + postReauthorizeTransformsRequestExample: + description: Reauthorize transforms for a package + value: + transforms: + - destinations: + - index: logs-transform-dest + transformId: logs-transform-1 + schema: + additionalProperties: false + type: object + properties: + transforms: + items: + additionalProperties: false + type: object + properties: + transformId: + type: string + required: + - transformId + maxItems: 1000 + type: array + required: + - transforms + responses: + '200': + content: + application/json: + examples: + postReauthorizeTransformsExample: + description: Transforms successfully reauthorized + value: + - success: true + transformId: logs-transform-1 + schema: + items: + additionalProperties: false + type: object + properties: + error: + nullable: true + success: + type: boolean + transformId: + type: string + required: + - transformId + - success + - error + maxItems: 10000 + type: array + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + 
type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Authorize transforms + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/review_upgrade: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/review_upgrade
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Review and accept or reject a pending policy upgrade for a package that contains deprecations.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-review-upgrade + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name to review upgrade for + in: path + name: pkgName + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + acceptUpgrade: + value: + action: accept + target_version: 2.0.0 + schema: + additionalProperties: false + type: object + properties: + action: + enum: + - accept + - decline + - pending + type: string + target_version: + type: string + required: + - action + - target_version + responses: + '200': + content: + application/json: + examples: + successResponse: + value: + success: true + schema: + additionalProperties: false + type: object + properties: + success: + type: boolean + required: + - success + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Review a pending policy upgrade for a package with deprecations + tags: + - Elastic Package Manager (EPM) + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/rollback: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/rollback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rollback a package to its previously installed version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-rollback + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name to roll back + in: path + name: pkgName + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + successResponse: + value: + success: true + version: 1.0.0 + schema: + additionalProperties: false + type: object + properties: + success: + type: boolean + version: + type: string + required: + - version + - success + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Rollback a package to previous version + tags: + - Elastic Package Manager (EPM) + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/stats: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/stats
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get usage statistics for a specific package, such as the number of agent policies using it.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-pkgname-stats + parameters: + - in: path + name: pkgName + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getPackageStatsExample: + description: Usage stats for a specific package + value: + response: + agent_policy_count: 3 + schema: + additionalProperties: false + type: object + properties: + response: + additionalProperties: false + type: object + properties: + agent_policy_count: + type: number + package_policy_count: + type: number + required: + - agent_policy_count + - package_policy_count + required: + - response + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get package stats + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/installed: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/installed
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all currently installed integration packages.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-installed + parameters: + - in: query + name: dataStreamType + required: false + schema: + enum: + - logs + - metrics + - traces + - synthetics + - profiling + type: string + - in: query + name: showOnlyActiveDataStreams + required: false + schema: + type: boolean + - in: query + name: nameQuery + required: false + schema: + type: string + - in: query + name: searchAfter + required: false + schema: + items: + anyOf: + - type: string + - type: number + maxItems: 10 + type: array + - in: query + name: perPage + required: false + schema: + default: 15 + type: number + - in: query + name: sortOrder + required: false + schema: + default: asc + enum: + - asc + - desc + type: string + responses: + '200': + content: + application/json: + examples: + getInstalledPackagesExample: + description: List of installed integration packages + value: + items: + - name: system + status: installed + title: System + version: 1.55.0 + - name: elastic_agent + status: installed + title: Elastic Agent + version: 1.15.0 + searchExcluded: 0 + total: 2 + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + dataStreams: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + required: + - name + - title + maxItems: 10000 + type: array + description: + type: string + icons: + items: + additionalProperties: false + type: object + properties: + dark_mode: + type: boolean + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + maxItems: 100 + type: array + name: + type: string + status: + type: string + title: + type: string + version: + type: string + required: + - name + - version + - status + - dataStreams + maxItems: 10000 + 
type: array + searchAfter: + items: + anyOf: + - type: string + - type: number + - type: boolean + - nullable: true + nullable: true + maxItems: 2 + type: array + total: + type: number + required: + - items + - total + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get installed packages + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/limited: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/limited
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the list of packages that cannot be uninstalled (e.g. elastic_agent, fleet_server).

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-limited + parameters: [] + responses: + '200': + content: + application/json: + examples: + getLimitedPackagesExample: + description: List of packages that cannot be uninstalled + value: + items: + - elastic_agent + - fleet_server + schema: + additionalProperties: false + type: object + properties: + items: + items: + type: string + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get a limited package list + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an inputs template for a package, used to pre-populate package policy forms.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs + parameters: + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - in: query + name: format + required: false + schema: + default: json + enum: + - json + - yml + - yaml + type: string + - in: query + name: prerelease + required: false + schema: + type: boolean + - in: query + name: ignoreUnverified + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + getInputsTemplateExample: + description: Inputs template for a package + value: + inputs: + - description: Collect logs from log files + title: Collect logs from files + type: logfile + vars: + - name: paths + required: true + title: Paths + type: text + schema: + anyOf: + - type: string + - additionalProperties: false + type: object + properties: + connectors: + additionalProperties: + nullable: true + type: object + exporters: + additionalProperties: + nullable: true + type: object + extensions: + additionalProperties: + nullable: true + type: object + inputs: + items: + additionalProperties: false + type: object + properties: + id: + type: string + streams: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + dataset: + type: string + type: + type: string + required: + - dataset + id: + type: string + required: + - id + - data_stream + maxItems: 10000 + type: array + type: + type: string + required: + - id + - type + maxItems: 10000 + type: array + processors: + additionalProperties: + nullable: true + type: object + receivers: + additionalProperties: + nullable: true + type: object + service: + additionalProperties: false + type: object + properties: + extensions: + items: + type: string + maxItems: 1000 + type: 
array + pipelines: + additionalProperties: + additionalProperties: false + type: object + properties: + exporters: + items: + type: string + maxItems: 1000 + type: array + processors: + items: + type: string + maxItems: 1000 + type: array + receivers: + items: + type: string + maxItems: 1000 + type: array + x-oas-optional: true + type: object + required: + - inputs + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get an inputs template + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/verification_key_id: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/verification_key_id
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the GPG key ID used to verify the signatures of packages from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-verification-key-id + parameters: [] + responses: + '200': + content: + application/json: + examples: + getVerificationKeyIdExample: + description: The GPG key ID used to verify package signatures + value: + id: D27D666CD88E42B4 + schema: + additionalProperties: false + type: object + properties: + id: + nullable: true + type: string + required: + - id + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get a package signature verification key ID + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/fleet_server_hosts: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/fleet_server_hosts
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet Server hosts.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-settings-read. + operationId: get-fleet-fleet-server-hosts + parameters: [] + responses: + '200': + content: + application/json: + examples: + getFleetServerHostsExample: + description: List of Fleet Server hosts + value: + items: + - host_urls: + - https://fleet-server.example.com:8220 + id: fleet-server-host-id-1 + is_default: true + is_preconfigured: false + name: Default Fleet Server + page: 1 + perPage: 20 + total: 1 + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string 
+ maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + - id + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get Fleet Server hosts + tags: + - Fleet Server hosts + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/fleet_server_hosts
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Fleet Server host.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-fleet-server-hosts + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postFleetServerHostRequestExample: + description: Create a new Fleet Server host + value: + host_urls: + - https://fleet-server.example.com:8220 + is_default: false + name: My Fleet Server + schema: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + 
type: string + key: + type: string + required: + - name + - host_urls + responses: + '200': + content: + application/json: + examples: + postFleetServerHostExample: + description: The created Fleet Server host + value: + item: + host_urls: + - https://fleet-server.example.com:8220 + id: fleet-server-host-id-2 + is_default: false + is_preconfigured: false + name: My Fleet Server + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + - id + required: + - 
item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create a Fleet Server host + tags: + - Fleet Server hosts + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/fleet_server_hosts/{itemId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-fleet-server-hosts-itemid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: itemId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + deleteFleetServerHostExample: + description: The Fleet Server host was successfully deleted + value: + id: fleet-server-host-id-1 + schema: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID + value: + error: Not Found + message: Fleet server fleet-server-host-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete a Fleet Server host + tags: + - Fleet Server hosts + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: >- - Get the latest Attack Discovery generations metadata (that are not - dismissed) for the current user. This endpoint retrieves generation - metadata including execution status and statistics for Attack Discovery - generations. 
- operationId: GetAttackDiscoveryGenerations + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-fleet-server-hosts-itemid parameters: - - description: >- - End of the time range for filtering generations. Accepts absolute - timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h"). - example: now - in: query - name: end + - in: path + name: itemId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getFleetServerHostExample: + description: A Fleet Server host + value: + item: + host_urls: + - https://fleet-server.example.com:8220 + id: fleet-server-host-id-1 + is_default: true + is_preconfigured: false + name: Default Fleet Server + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: 
string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + - id + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID + value: + error: Not Found + message: Fleet server fleet-server-host-id-1 not found + statusCode: 404 + description: Not Found + summary: Get a Fleet Server host + tags: + - Fleet Server hosts + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-fleet-server-hosts-itemid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: itemId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putFleetServerHostRequestExample: + description: Update a Fleet Server host + value: + host_urls: + - https://updated-fleet-server.example.com:8220 + is_default: false + name: Updated Fleet Server + schema: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + is_default: + type: boolean + is_internal: + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: 
string + key: + type: string + required: + - proxy_id + responses: + '200': + content: + application/json: + examples: + putFleetServerHostExample: + description: The updated Fleet Server host + value: + item: + host_urls: + - https://updated-fleet-server.example.com:8220 + id: fleet-server-host-id-1 + is_default: false + is_preconfigured: false + name: Updated Fleet Server + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + - id + required: + - 
item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID + value: + error: Not Found + message: Fleet server fleet-server-host-id-1 not found + statusCode: 404 + description: Not Found + summary: Update a Fleet Server host + tags: + - Fleet Server hosts + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/health_check: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/health_check
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Check the health status of a Fleet Server instance by its host ID. Returns the server status and name if available.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-health-check + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postHealthCheckRequestExample: + description: Check the health of a Fleet Server instance by its host ID + value: + id: fleet-server-host-id-1 + schema: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + responses: + '200': + content: + application/json: + examples: + postHealthCheckHealthyExample: + description: Fleet Server is online and healthy + value: + name: fleet-server-1 + status: ONLINE + postHealthCheckUnreachableExample: + description: Fleet Server host is not reachable (request timed out or aborted) + value: + host_id: fleet-server-host-id-1 + status: OFFLINE + schema: + additionalProperties: false + type: object + properties: + host_id: + type: string + name: + type: string + status: + type: string + required: + - status + description: Successful health check response + '400': + content: + application/json: + examples: + badRequestExample: + description: The host ID exists but has no associated host URLs configured + value: + error: Bad Request + message: The requested host id fleet-server-host-id-1 does not have associated host urls. 
+ statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID + value: + error: Not Found + message: The requested host id fleet-server-host-id-1 does not exist. + statusCode: 404 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Not Found + summary: Check Fleet Server health + tags: + - Fleet internals + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/kubernetes: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/kubernetes
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the Kubernetes manifest for deploying Elastic Agent.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. + operationId: get-fleet-kubernetes + parameters: + - in: query + name: download + required: false + schema: + type: boolean + - in: query + name: fleetServer required: false schema: type: string - - description: The maximum number of generations to retrieve - example: 50 - in: query - name: size + - in: query + name: enrolToken required: false schema: - default: 50 - minimum: 1 - type: number - - description: >- - Start of the time range for filtering generations. Accepts absolute - timestamps (ISO 8601) or relative date math (e.g. "now-7d"). - example: now-24h - in: query - name: start + type: string + responses: + '200': + content: + application/json: + examples: + getK8sManifestExample: + description: The Kubernetes manifest for deploying Elastic Agent + value: + item: 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n' + schema: + additionalProperties: false + type: object + properties: + item: + type: string + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get a full K8s agent manifest + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/kubernetes/download: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/kubernetes/download
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Download the Kubernetes manifest for deploying Elastic Agent.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. + operationId: get-fleet-kubernetes-download + parameters: + - in: query + name: download + required: false + schema: + type: boolean + - in: query + name: fleetServer + required: false + schema: + type: string + - in: query + name: enrolToken required: false schema: type: string 
@@ -2729,4912 +48975,9993 @@ paths: '200': content: application/json: - example: - generations: - - alerts_context_count: 75 - connector_id: chatGpt5_0ChatAzure - discoveries: 3 - end: '2025-09-29T06:42:44.810Z' - execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 - loading_message: >- - AI is analyzing up to 100 alerts in the last 24 hours to - generate discoveries. - start: '2025-09-29T06:42:08.962Z' - status: succeeded + examples: + getDownloadK8sManifestExample: + description: The Kubernetes manifest download + value: 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n' + schema: + type: string + description: Successful response — returns the Kubernetes manifest as a YAML file download + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No manifest was found + value: + error: Not Found + message: Agent manifest not found + statusCode: 404 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Not Found + summary: Download an agent manifest + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/logstash_api_keys: + post: + description: |- + 
**Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/logstash_api_keys
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Generate an API key for Logstash to use with a Fleet output.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-logstash-api-keys + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + responses: + '200': + content: + application/json: + examples: + postLogstashApiKeyExample: + description: The generated Logstash API key + value: + api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA + schema: + additionalProperties: false + type: object + properties: + api_key: + type: string + required: + - api_key + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Generate a Logstash API key + tags: + - Fleet outputs + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/message_signing_service/rotate_key_pair: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/message_signing_service/rotate_key_pair
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rotate the key pair used by Fleet to sign messages sent to Elastic Agents. This operation is irreversible and requires all agents in the Fleet to be re-enrolled after rotation. You must explicitly acknowledge the risk by passing `acknowledge=true` as a query parameter.

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. + operationId: post-fleet-message-signing-service-rotate-key-pair + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: query + name: acknowledge + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + rotateKeyPairSuccessExample: + description: The key pair was rotated. All agents must be re-enrolled to receive the new signing key. + value: + message: Key pair rotated successfully. schema: + additionalProperties: false type: object properties: - generations: - description: List of Attack Discovery generations - items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration - type: array + message: + type: string required: - - generations - description: Indicates a successful call. + - message + description: Key pair rotated successfully '400': content: application/json: - example: - error: Bad Request - message: Invalid size parameter. Must be a positive number. - status_code: 400 + examples: + acknowledgeRequiredExample: + description: Request was rejected because the acknowledge query parameter was not set to true + value: + error: Bad Request + message: 'Warning: this API will cause a key pair to rotate and should not be necessary in normal operation. If you proceed, you may need to reinstall Agents in your network. You must acknowledge the risks of rotating the key pair with acknowledge=true in the request parameters. For more information, reach out to your administrator.' 
+ statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: + attributes: + nullable: true error: - description: Error type - example: Bad Request + type: string + errorType: type: string message: - description: Human-readable error message - example: Invalid size parameter. Must be a positive number. type: string - status_code: - description: HTTP status code - example: 400 + statusCode: type: number - description: Bad Request response. - summary: >- - Get the latest Attack Discovery generations metadata for the current - user + required: + - message + - attributes + description: Bad Request + '500': + content: + application/json: + examples: + serviceUnavailableExample: + description: The message signing service is not available + value: + error: Internal Server Error + message: Failed to rotate key pair. Message signing service is unavailable! + statusCode: 500 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Internal Server Error + summary: Rotate a Fleet message signing key pair tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/generations?size=50&start=now-24h&end=now' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/generations/{execution_uuid}: + - Message Signing Service + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/outputs: get: - description: >- - Returns a specific Attack Discovery generation, including all generated - Attack discoveries and associated metadata, including execution status - and statistics. 
- operationId: GetAttackDiscoveryGeneration - parameters: - - description: >- - The unique identifier for the Attack Discovery generation execution. - This UUID is returned at the start of an Attack Discovery - generation. - example: 2e13f386-46cf-4d65-9e2b-68609e132ba5 - in: path - name: execution_uuid - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - - description: >- - Enables a markdown syntax used to render pivot fields, for example - `{{ user.name james }}`. When disabled, the same example would be - rendered as `james`. This is primarily used for Attack Discovery - views within Kibana. Defaults to `false`. - example: false - in: query - name: enable_field_rendering - required: false - schema: - default: false - type: boolean - - description: >- - When true, return the created Attack discoveries with text - replacements applied to the detailsMarkdown, entitySummaryMarkdown, - summaryMarkdown, and title fields. Defaults to `true`. - example: true - in: query - name: with_replacements - required: false - schema: - default: true - type: boolean + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/outputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet outputs.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read. + operationId: get-fleet-outputs + parameters: [] responses: '200': content: application/json: - example: - data: - - id: >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - title: Suspicious process execution on host-01 - generation: - alerts_context_count: 50 - discoveries: 1 - end: '2025-09-29T06:42:44.810Z' - execution_uuid: 2e13f386-46cf-4d65-9e2b-68609e132ba5 - start: '2025-09-29T06:42:08.962Z' - status: succeeded + examples: + getOutputsExample: + description: List of Fleet outputs + value: + items: + - hosts: + - https://elasticsearch.example.com:9200 + id: output-id-1 + is_default: true + is_default_monitoring: true + name: Default output + type: elasticsearch + page: 1 + perPage: 20 + total: 1 schema: + additionalProperties: false type: object properties: - data: - description: >- - Array of Attack discoveries generated during this - execution. + items: items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' + maxItems: 10000 type: array - generation: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration - description: >- - Optional metadata about the attack discovery generation - process, metadata including execution status and - statistics. This metadata may not be available for all - generations. + page: + type: number + perPage: + type: number + total: + type: number required: - - data - description: Indicates a successful call. 
+ - items + - total + - page + - perPage + description: Successful response '400': content: application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: + attributes: + nullable: true error: - description: Error type - example: Bad Request + type: string + errorType: type: string message: - description: >- - Human-readable error message describing what went wrong - with the request - example: Invalid request parameters. type: string - status_code: - description: HTTP status code - example: 400 + statusCode: type: number required: - - status_code - - error - message - description: Bad Request response. - summary: >- - Get a single Attack Discovery generation, including its discoveries and - (optional) generation metadata + - attributes + description: Bad Request + summary: Get outputs tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/generations/2e13f386-46cf-4d65-9e2b-68609e132ba5' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/generations/{execution_uuid}/_dismiss: + - Fleet outputs + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: >- - Dismisses an Attack Discovery generation for the current user, - indicating that its status should not be reported in the UI. This sets - the generation's status to "dismissed" and affects how the generation - appears in subsequent queries. - operationId: PostAttackDiscoveryGenerationsDismiss + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/outputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Fleet output.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-outputs parameters: - - description: >- - The unique identifier for the Attack Discovery generation execution. - This UUID is returned when an Attack Discovery generation is created - and can be found in generation responses. - example: 46b218d5-535d-4329-be56-d0f6af6986b7 - in: path - name: execution_uuid + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postOutputRequestExample: + description: Create a new Elasticsearch output + value: + hosts: + - https://elasticsearch.example.com:9200 + is_default: false + is_default_monitoring: false + name: My output + type: elasticsearch + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_kafka' responses: '200': content: application/json: - example: - alerts_context_count: 75 - connector_id: chatGpt5_0ChatAzure - discoveries: 3 - end: '2025-09-29T06:42:44.810Z' - execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 - loading_message: >- - AI is analyzing up to 100 alerts in the last 24 hours to - generate discoveries. 
- start: '2025-09-29T06:42:08.962Z' - status: dismissed + examples: + postOutputExample: + description: The created Fleet output + value: + item: + hosts: + - https://elasticsearch.example.com:9200 + id: output-id-2 + is_default: false + is_default_monitoring: false + name: My output + type: elasticsearch schema: + additionalProperties: false type: object properties: - alerts_context_count: - description: >- - The number of alerts that were sent as context to the LLM - for this generation. - example: 75 - type: number - connector_id: - description: >- - The unique identifier of the connector used to generate - the attack discoveries. - example: chatGpt5_0ChatAzure + item: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: type: string - connector_stats: - description: >- - Statistical information about the connector's performance - for this user, providing insights into usage patterns and - success rates. - type: object - properties: - average_successful_duration_nanoseconds: - description: >- - The average duration in nanoseconds for successful - generations using this connector by the current user. 
- example: 47958500000 - type: number - successful_generations: - description: >- - The total number of Attack discoveries successfully - created for this generation - example: 2 - type: number - discoveries: - description: >- - The number of attack discoveries that were generated - during this execution. - example: 3 + errorType: + type: string + message: + type: string + statusCode: type: number - end: - description: >- - The timestamp when the generation process completed, in - ISO 8601 format. This field may be absent for generations - that haven't finished. - example: '2025-09-29T06:42:44.810Z' + required: + - message + - attributes + description: Bad Request + summary: Create output + tags: + - Fleet outputs + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/outputs/{outputId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/outputs/{outputId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete output by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-outputs-outputid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: outputId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + deleteOutputExample: + description: The output was successfully deleted + value: + id: output-id-1 + schema: + additionalProperties: false + type: object + properties: + id: type: string - execution_uuid: - description: >- - The unique identifier for this attack discovery generation - execution. This UUID can be used to reference this - specific generation in other API calls. - example: 46b218d5-535d-4329-be56-d0f6af6986b7 + required: + - id + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: type: string - loading_message: - description: >- - A human-readable message describing the current state or - progress of the generation process. Provides context about - what the AI is analyzing. - example: >- - AI is analyzing up to 100 alerts in the last 24 hours to - generate discoveries. + errorType: type: string - reason: - description: >- - Additional context or reasoning provided when a generation - fails or encounters issues. This field helps diagnose - problems with the generation process. - example: Connection timeout to AI service + message: type: string - start: - description: >- - The timestamp when the generation process began, in ISO - 8601 format. 
This marks the beginning of the AI analysis. - example: '2025-09-29T06:42:08.962Z' + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No output was found with the given ID + value: + error: Not Found + message: Output output-id-1 not found + statusCode: 404 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: type: string - status: - description: >- - The current status of the attack discovery generation. - After dismissing, this will be set to "dismissed". - enum: - - canceled - - dismissed - - failed - - started - - succeeded - example: dismissed + errorType: + type: string + message: type: string + statusCode: + type: number required: - - connector_id - - discoveries - - execution_uuid - - loading_message - - start - - status - description: Indicates a successful call. + - message + - attributes + description: Not Found + summary: Delete output + tags: + - Fleet outputs + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/outputs/{outputId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get output by ID.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read. + operationId: get-fleet-outputs-outputid + parameters: + - in: path + name: outputId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getOutputExample: + description: A Fleet output + value: + item: + hosts: + - https://elasticsearch.example.com:9200 + id: output-id-1 + is_default: true + is_default_monitoring: true + name: Default output + type: elasticsearch + schema: + additionalProperties: false + type: object + properties: + item: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' + required: + - item + description: Successful response '400': content: application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: + attributes: + nullable: true error: - description: Error type or category - example: Bad Request + type: string + errorType: type: string message: - description: >- - Human-readable error message describing what went wrong - with the request. - example: Invalid request parameters. type: string - status_code: - description: HTTP status code indicating the type of client error - example: 400 + statusCode: type: number required: - - status_code - - error - message - description: Bad Request response. 
- summary: Dismiss an Attack Discovery generation + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No output was found with the given ID + value: + error: Not Found + message: Output output-id-1 not found + statusCode: 404 + description: Not Found + summary: Get output tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/generations/46b218d5-535d-4329-be56-d0f6af6986b7/_dismiss' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/schedules: - post: - description: >- - Creates a new Attack Discovery schedule that analyzes security alerts at - specified intervals. The schedule defines when and how Attack Discovery - analysis should run, including which alerts to analyze, which AI - connector to use, and what actions to take when discoveries are found. - operationId: CreateAttackDiscoverySchedules + - Fleet outputs + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/outputs/{outputId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update output by ID.

[Required authorization] Route required privileges: fleet-settings-all OR fleet-agent-policies-all. + operationId: put-fleet-outputs-outputid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: outputId + required: true + schema: + type: string requestBody: content: application/json: - example: - actions: [] - enabled: true - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h + examples: + putOutputRequestExample: + description: Update a Fleet output + value: + hosts: + - https://updated-elasticsearch.example.com:9200 + name: Updated output schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps - description: >- - Attack Discovery schedule configuration including name, parameters, - schedule interval, and actions - required: true + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_kafka' responses: '200': content: application/json: - example: - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - updated_at: '2023-10-31T10:00:00.000Z' - updated_by: elastic + examples: + 
putOutputExample: + description: The updated Fleet output + value: + item: + hosts: + - https://updated-elasticsearch.example.com:9200 + id: output-id-1 + is_default: true + is_default_monitoring: true + name: Updated output + type: elasticsearch schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule - description: The Attack Discovery schedule was successfully created. + additionalProperties: false + type: object + properties: + item: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' + required: + - item + description: Successful response '400': content: application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No output was found with the given ID + value: + error: Not Found + message: Output output-id-1 not found + statusCode: 404 + description: Not Found + summary: Update output + tags: + - Fleet outputs + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/outputs/{outputId}/health: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/outputs/{outputId}/health
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the latest health status of an output by ID.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-outputs-outputid-health + parameters: + - in: path + name: outputId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getOutputHealthExample: + description: The latest health status of a Fleet output + value: + message: '' + state: HEALTHY + timestamp: '2024-01-15T10:00:00.000Z' + schema: + additionalProperties: false + type: object + properties: + message: + description: long message if unhealthy + type: string + state: + description: state of output, HEALTHY or DEGRADED + type: string + timestamp: + description: timestamp of reported state + type: string + required: + - state + - message + - timestamp + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. 
- summary: Create Attack Discovery schedule + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get the latest output health tags: - - Security Attack discovery API - x-code-samples: - - label: Create an Attack Discovery schedule - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/schedules' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{ - "name": "Daily Security Analysis", - "enabled": true, - "params": { - "alerts_index_pattern": ".alerts-security.alerts-default", - "api_config": { - "actionTypeId": "bedrock", - "connectorId": "my-bedrock-connector", - "name": "Claude 3.5 Sonnet" - }, - "size": 100, - "start": "now-24h", - "end": "now" - }, - "schedule": { - "interval": "24h" - }, - "actions": [ - { - "action_type_id": ".cases", - "id": "system-connector-.cases", - "params": { - "subAction": "run", - "subActionParams": { - "timeWindow": "7d", - "reopenClosedCases": false, - "groupingBy": [], - "templateId": null - } - }, - "uuid": "12345678-1234-1234-1234-123456789012" - } - ] - }' - /api/attack_discovery/schedules/_find: + - Fleet outputs + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/package_policies: get: - description: >- - Find Attack Discovery schedules that match the search criteria. Supports - pagination and sorting by various fields. - operationId: FindAttackDiscoverySchedules + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/package_policies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all package policies. + operationId: get-fleet-package-policies parameters: - - description: Page number to return (used for pagination). Defaults to 1. - example: 1 - in: query + - in: query name: page required: false schema: type: number - - description: >- - Number of Attack Discovery schedules to return per page (used for - pagination). Defaults to 10. - example: 10 - in: query - name: per_page + - in: query + name: perPage required: false schema: type: number - - description: >- - Field used to sort results. Common fields include 'name', - 'created_at', 'updated_at', and 'enabled'. - example: name - in: query - name: sort_field + - in: query + name: sortField required: false schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - - description: >- - Sort order direction. Use 'asc' for ascending or 'desc' for - descending. Defaults to 'asc'. - example: asc - in: query - name: sort_direction + type: string + - in: query + name: sortOrder required: false schema: enum: - - asc - desc + - asc + type: string + - in: query + name: showUpgradeable + required: false + schema: + type: boolean + - in: query + name: kuery + required: false + schema: type: string + - in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + - in: query + name: withAgentCount + required: false + schema: + type: boolean responses: '200': content: application/json: - example: - data: - - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - updated_at: 
'2023-10-31T10:00:00.000Z' - updated_by: elastic - page: 1 - per_page: 10 - total: 1 + examples: + getPackagePoliciesExample: + description: List of package policies + value: + items: + - created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' + page: 1 + perPage: 20 + total: 1 schema: + additionalProperties: false type: object properties: - data: - description: Array of matched Attack Discovery schedule objects. + items: items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule + additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + id: + description: Package policy unique identifier. 
+ type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + 
release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). 
+ type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. 
+ is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. 
+ type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. + type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by + maxItems: 10000 type: array page: - description: Current page number of the paginated result set. 
type: number - per_page: - description: Number of items requested per page. + perPage: type: number total: - description: >- - Total number of Attack Discovery schedules matching the - query (across all pages). type: number required: - - page - - per_page - - total - - data - description: Indicates a successful call. + - items + - total + - page + - perPage + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get package policies + tags: + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/package_policies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new package policy and assign it to an agent policy. + operationId: post-fleet-package-policies + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + requestBody: + content: + application/json: + examples: + postPackagePolicyRequestExample: + description: Create a new nginx package policy + value: + inputs: {} + name: nginx-1 + namespace: default + package: + name: nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + schema: + anyOf: + - additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + description: + description: Package policy description + type: string + enabled: + type: boolean + force: + description: Force package policy creation even if the package is not verified, or if the agent policy is managed. 
+ type: boolean + id: + description: Package policy unique identifier + type: string + inputs: + items: + additionalProperties: false + type: object + properties: + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + 
migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + maxItems: 1000 + type: array + is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + deprecated: true + description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - name + - inputs + - additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 100 + nullable: true + type: array + description: + description: Policy description. + type: string + force: + description: Force package policy creation even if the package is not verified, or if the agent policy is managed. + type: boolean + id: + description: Policy unique identifier. + type: string + inputs: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). + type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + name: + description: Unique name for the policy. + type: string + namespace: + description: Policy namespace. When not specified, it inherits the agent policy namespace. 
+ type: string + output_id: + nullable: true + type: string + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + policy_id: + deprecated: true + description: Deprecated. Use policy_ids instead. + nullable: true + type: string + policy_ids: + description: IDs of the agent policies which that package policy will be added to. + items: + type: string + maxItems: 1000 + type: array + supports_agentless: + default: false + deprecated: true + description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. + nullable: true + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. 
+ type: object + required: + - name + - package + description: You should use inputs as an object and not use the deprecated inputs array. + responses: + '200': + content: + application/json: + examples: + postPackagePolicyExample: + description: The created package policy + value: + item: + created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-2 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + id: + description: Package policy unique identifier. 
+ type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + 
release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). 
+ type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. 
+ is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. 
+ type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. + type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by + required: + - item + description: Successful response '400': content: application/json: - example: - error: Bad Request - message: Invalid request payload. 
- status_code: 400 + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: + attributes: + nullable: true error: - description: Error type - example: Bad Request + type: string + errorType: type: string message: - description: Human-readable error message - example: Invalid request payload. type: string - status_code: - description: HTTP status code - example: 400 + statusCode: type: number - description: Bad Request response. - summary: Find Attack Discovery schedules that match the search criteria - tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/schedules/_find' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/schedules/{id}: - delete: - description: >- - Permanently deletes an Attack Discovery schedule and all associated - configuration. - operationId: DeleteAttackDiscoverySchedules - parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - delete. This ID is returned when creating a schedule and can be - found in schedule listings. 
- example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - responses: - '200': + required: + - message + - attributes + description: Bad Request + '409': content: application/json: - example: - id: 12345678-1234-1234-1234-123456789012 + examples: + conflictExample: + description: A package policy with the same name already exists + value: + error: Conflict + message: An error message describing what went wrong + statusCode: 409 schema: + additionalProperties: false + description: Generic Error type: object properties: - id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString - description: >- - The unique identifier of the deleted Attack Discovery - schedule + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - id - description: >- - Successfully deleted Attack Discovery schedule, returning the ID of - the deleted schedule for confirmation - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Delete Attack Discovery schedule + - message + - attributes + description: Conflict + summary: Create a package policy tags: - - Security Attack discovery API - x-code-samples: - - label: Delete an Attack Discovery schedule - lang: curl - source: | - curl \ - --request DELETE 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - get: - description: >- - Retrieves a specific Attack Discovery schedule by its unique identifier. 
- Returns complete schedule configuration including parameters, interval - settings, associated actions, and execution history. - operationId: GetAttackDiscoverySchedules + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/package_policies/_bulk_get: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/package_policies/_bulk_get
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get multiple package policies by ID. + operationId: post-fleet-package-policies-bulk-get parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - retrieve. This ID is returned when creating a schedule and can be - found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - responses: - '200': - content: - application/json: - example: - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - last_execution: - date: '2023-10-31T10:00:00.000Z' - last_duration: 45.2 - status: ok - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - updated_at: '2023-10-31T10:00:00.000Z' - updated_by: elastic - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule - description: >- - Successfully retrieved Attack Discovery schedule with complete - configuration and metadata - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. 
- summary: Get Attack Discovery schedule by ID - tags: - - Security Attack discovery API - x-code-samples: - - label: Get an Attack Discovery schedule by ID - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - put: - description: >- - Updates an existing Attack Discovery schedule with new configuration. - All schedule properties can be modified including name, parameters, - interval, and actions. The update operation replaces the entire schedule - configuration with the provided values. - operationId: UpdateAttackDiscoverySchedules - parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - update. This ID is returned when creating a schedule and can be - found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true + example: 'true' + type: string + - in: query + name: format + required: false schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + enum: + - simplified + - legacy + type: string requestBody: content: application/json: - example: - actions: [] - name: Updated Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 200 - start: now-48h - schedule: - interval: 12h + examples: + postBulkGetPackagePoliciesRequestExample: + description: Retrieve multiple package policies by ID + value: + ids: + - package-policy-id-1 + - package-policy-id-2 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps - description: >- - Updated Attack Discovery schedule configuration. All fields are - required as this replaces the entire schedule configuration. 
- required: true - responses: - '200': - content: - application/json: - example: - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - name: Updated Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 200 - start: now-48h - schedule: - interval: 12h - updated_at: '2023-10-31T12:00:00.000Z' - updated_by: elastic - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule - description: >- - Successfully updated Attack Discovery schedule with the new - configuration and metadata - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Update Attack Discovery schedule - tags: - - Security Attack discovery API - x-code-samples: - - label: Update an Attack Discovery schedule - lang: curl - source: | - curl \ - --request PUT 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{ - "name": "Updated Daily Security Analysis", - "params": { - "alerts_index_pattern": ".alerts-security.alerts-default", - "api_config": { - "actionTypeId": "bedrock", - "connectorId": "my-bedrock-connector", - "name": "Claude 3.5 Sonnet" - }, - "size": 200, - "start": "now-48h", - "end": "now" - }, - "schedule": { - "interval": "12h" - }, - "actions": [] - }' - /api/attack_discovery/schedules/{id}/_disable: - post: - description: >- - Disables an Attack Discovery schedule, preventing it from running - according to its configured interval. 
The schedule configuration is - preserved and can be re-enabled later. Any currently running executions - will complete, but no new executions will be started. - operationId: DisableAttackDiscoverySchedules - parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - disable. This ID is returned when creating a schedule and can be - found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - responses: - '200': - content: - application/json: - example: - id: 12345678-1234-1234-1234-123456789012 - schema: - type: object - properties: - id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString - description: >- - The unique identifier of the disabled Attack Discovery - schedule - required: - - id - description: >- - Successfully disabled Attack Discovery schedule, returning the - schedule ID for confirmation - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Disable Attack Discovery schedule - tags: - - Security Attack discovery API - x-code-samples: - - label: Disable an Attack Discovery schedule - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_disable' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/schedules/{id}/_enable: - post: - description: >- - Enables a previously disabled Attack Discovery schedule, allowing it to - run according to its configured interval. Once enabled, the schedule - will begin executing at the next scheduled time based on its interval - configuration. 
- operationId: EnableAttackDiscoverySchedules - parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - enable. This ID is returned when creating a schedule and can be - found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - responses: - '200': - content: - application/json: - example: - id: 12345678-1234-1234-1234-123456789012 - schema: - type: object - properties: - id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString - description: >- - The unique identifier of the enabled Attack Discovery - schedule - required: - - id - description: >- - Successfully enabled Attack Discovery schedule, returning the - schedule ID for confirmation - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. 
- summary: Enable Attack Discovery schedule - tags: - - Security Attack discovery API - x-code-samples: - - label: Enable an Attack Discovery schedule - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_enable' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/data_views: - get: - operationId: getAllDataViewsDefault + additionalProperties: false + type: object + properties: + ids: + description: list of package policy ids + items: + type: string + maxItems: 1000 + type: array + ignoreMissing: + type: boolean + required: + - ids responses: '200': content: application/json: examples: - getAllDataViewsResponse: - $ref: '#/components/examples/Data_views_get_data_views_response' + postBulkGetPackagePoliciesExample: + description: The requested package policies + value: + items: + - created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' schema: + additionalProperties: false type: object properties: - data_view: + items: items: + additionalProperties: false type: object properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. 
+ maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean id: + description: Package policy unique identifier. type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: 
false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). + type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. 
Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. + is_managed: + type: boolean name: + description: Unique name for the package policy. type: string - namespaces: + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: items: + description: IDs of the agent policies which that package policy will be added to. type: string + maxItems: 1000 type: array - title: + revision: + description: Package policy revision. + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: type: string - typeMeta: + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. 
Maps var_group name to the selected option name within that group. type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. + type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by + maxItems: 10000 type: array - description: Indicates a successful call. 
+ required: + - items + description: Successful response '400': content: application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Get all data views - tags: - - data views - /api/data_views/data_view: - post: - operationId: createDataViewDefaultw - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json: - examples: - createDataViewRequest: - $ref: '#/components/examples/Data_views_create_data_view_request' - schema: - $ref: '#/components/schemas/Data_views_create_data_view_request_object' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. 
- '400': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': content: application/json: + examples: + notFoundExample: + description: One or more package policies were not found + value: + error: Not Found + message: Package policy package-policy-id-2 not found + statusCode: 404 schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Create a data view + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Not Found + summary: Bulk get package policies tags: - - data views - /api/data_views/data_view/{viewId}: + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/package_policies/{packagePolicyId}: delete: - description: | - WARNING: When you delete a data view, it cannot be recovered. - operationId: deleteDataViewDefault + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a package policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. + operationId: delete-fleet-package-policies-packagepolicyid parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: packagePolicyId + required: true + schema: + type: string + - in: query + name: force + required: false + schema: + type: boolean responses: - '204': - description: Indicates a successful call. - '404': + '200': + content: + application/json: + examples: + deletePackagePolicyExample: + description: The package policy was successfully deleted + value: + id: package-policy-id-1 + schema: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + description: Successful response + '400': content: application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Delete a data view + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete a package policy tags: - - data views + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - operationId: getDataViewDefault + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a package policy by ID. + operationId: get-fleet-package-policies-packagepolicyid parameters: - - $ref: '#/components/parameters/Data_views_view_id' + - in: path + name: packagePolicyId + required: true + schema: + type: string + - in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string responses: '200': content: application/json: examples: - getDataViewResponse: - $ref: '#/components/examples/Data_views_get_data_view_response' + getPackagePolicyExample: + description: A package policy + value: + item: + created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. 
+ maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + id: + description: Package policy unique identifier. + type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: 
false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). + type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. 
Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. + is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. 
Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. + type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request '404': content: application/json: + examples: + notFoundExample: + description: No package policy was found with the given ID + value: + error: Not Found + message: Package policy package-policy-id-1 not found + statusCode: 404 schema: - $ref: 
'#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Get a data view + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Not Found + summary: Get a package policy tags: - - data views - post: - operationId: updateDataViewDefault + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a package policy by ID. + operationId: put-fleet-package-policies-packagepolicyid parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: packagePolicyId + required: true + schema: + type: string + - in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string requestBody: content: application/json: examples: - updateDataViewRequest: - $ref: '#/components/examples/Data_views_update_data_view_request' + putPackagePolicyRequestExample: + description: Update a package policy + value: + enabled: true + inputs: {} + name: nginx-1-updated + namespace: default + package: + name: nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 schema: - $ref: '#/components/schemas/Data_views_update_data_view_request_object' - required: true + anyOf: + - additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. 
+ maxLength: 255 + minLength: 1 + nullable: true + type: string + description: + description: Package policy description + type: string + enabled: + type: boolean + force: + type: boolean + inputs: + items: + additionalProperties: false + type: object + properties: + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - 
description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + maxItems: 1000 + type: array + is_managed: + type: boolean + name: + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + version: + type: string + - additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 100 + nullable: true + type: array + description: + description: Policy description. + type: string + force: + description: Force package policy creation even if the package is not verified, or if the agent policy is managed. + type: boolean + id: + description: Policy unique identifier. + type: string + inputs: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). + type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + name: + description: Unique name for the policy. + type: string + namespace: + description: Policy namespace. When not specified, it inherits the agent policy namespace. 
+ type: string + output_id: + nullable: true + type: string + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + policy_id: + deprecated: true + description: Deprecated. Use policy_ids instead. + nullable: true + type: string + policy_ids: + description: IDs of the agent policies which that package policy will be added to. + items: + type: string + maxItems: 1000 + type: array + supports_agentless: + default: false + deprecated: true + description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. + nullable: true + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. 
+ type: object + required: + - name + - package responses: '200': content: application/json: + examples: + putPackagePolicyExample: + description: The updated package policy + value: + item: + created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1-updated + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T11:00:00.000Z' schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + id: + description: Package policy unique identifier. 
+ type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + 
release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). 
+ type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. 
+ is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. 
+ type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. 
+ type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by + required: + - item + description: Successful response '400': content: application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update a data view - tags: - - data views - /api/data_views/data_view/{viewId}/fields: - post: - description: > - Update fields presentation metadata such as count, customLabel, - customDescription, and format. - operationId: updateFieldsMetadataDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json: - examples: - updateFieldsMetadataRequest: - $ref: '#/components/examples/Data_views_update_field_metadata_request' - schema: - type: object - properties: - fields: - description: The field object. - type: object - required: - - fields - required: true - responses: - '200': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '403': content: application/json: + examples: + forbiddenExample: + description: The update is not authorized for this package + value: + error: Forbidden + message: An error message describing what went wrong + statusCode: 403 schema: + additionalProperties: false + description: Generic Error type: object properties: - acknowledged: - type: boolean - description: Indicates a successful call. 
- '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update data view fields metadata + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Forbidden + summary: Update a package policy tags: - - data views - /api/data_views/data_view/{viewId}/runtime_field: + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/package_policies/delete: post: - operationId: createRuntimeFieldDefault + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/package_policies/delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete multiple package policies by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. + operationId: post-fleet-package-policies-delete parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - createRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_create_runtime_field_request' + postDeletePackagePoliciesRequestExample: + description: Delete multiple package policies by ID + value: + packagePolicyIds: + - package-policy-id-1 + - package-policy-id-2 schema: + additionalProperties: false type: object properties: - name: - description: | - The name for a runtime field. - type: string - runtimeField: - description: | - The runtime field definition object. - type: object + force: + type: boolean + packagePolicyIds: + items: + type: string + maxItems: 1000 + type: array required: - - name - - runtimeField - required: true + - packagePolicyIds responses: '200': content: application/json: + examples: + postDeletePackagePoliciesExample: + description: Results of the bulk delete operation + value: + - id: package-policy-id-1 + success: true + - id: package-policy-id-2 + success: true + schema: + items: + additionalProperties: false + type: object + properties: + body: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + id: + type: string + name: + type: string + output_id: + nullable: true + type: string + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + 
doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + policy_id: + deprecated: true + description: Use `policy_ids` instead + nullable: true + type: string + policy_ids: + items: + type: string + maxItems: 10000 + type: array + statusCode: + type: number + success: + type: boolean + required: + - id + - success + - policy_ids + - package + maxItems: 10000 + type: array + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object - description: Indicates a successful call. - summary: Create a runtime field + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk delete package policies tags: - - data views - put: - operationId: createUpdateRuntimeFieldDefault + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/package_policies/upgrade: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/package_policies/upgrade
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. + operationId: post-fleet-package-policies-upgrade parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - description: | - The ID of the data view fields you want to update. - in: path - name: viewId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string requestBody: content: application/json: examples: - updateRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_create_runtime_field_request' + postUpgradePackagePoliciesRequestExample: + description: Upgrade package policies to the latest version + value: + packagePolicyIds: + - package-policy-id-1 schema: + additionalProperties: false type: object properties: - name: - description: | - The name for a runtime field. - type: string - runtimeField: - description: | - The runtime field definition object. - type: object + packagePolicyIds: + items: + type: string + maxItems: 1000 + type: array required: - - name - - runtimeField - required: true + - packagePolicyIds responses: '200': content: application/json: + examples: + postUpgradePackagePoliciesExample: + description: Results of the upgrade operation + value: + - id: package-policy-id-1 + name: nginx-1 + success: true schema: - type: object - properties: - data_view: - type: object - fields: - items: + items: + additionalProperties: false + type: object + properties: + body: + additionalProperties: false type: object - type: array - description: Indicates a successful call. 
+ properties: + message: + type: string + required: + - message + id: + type: string + name: + type: string + statusCode: + type: number + success: + type: boolean + required: + - id + - success + maxItems: 10000 + type: array + description: Successful response '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Create or update a runtime field - tags: - - data views - /api/data_views/data_view/{viewId}/runtime_field/{fieldName}: - delete: - operationId: deleteRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '200': - description: Indicates a successful call. - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Delete a runtime field from a data view - tags: - - data views - get: - operationId: getRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '200': content: application/json: examples: - getRuntimeFieldResponse: - $ref: '#/components/examples/Data_views_get_runtime_field_response' + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - data_view: - type: object - fields: - items: - type: object - type: array - description: Indicates a successful call. - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. 
- summary: Get a runtime field + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Upgrade a package policy tags: - - data views + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/package_policies/upgrade/dryrun: post: - operationId: updateRuntimeFieldDefault + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/package_policies/upgrade/dryrun
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Preview the changes that would be applied by upgrading a package policy to a newer package version.

[Required authorization] Route required privileges: fleet-agent-policies-read AND integrations-read. + operationId: post-fleet-package-policies-upgrade-dryrun parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - updateRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_update_runtime_field_request' + postDryRunPackagePoliciesRequestExample: + description: Dry run an upgrade of a package policy + value: + packagePolicyIds: + - package-policy-id-1 schema: + additionalProperties: false type: object properties: - runtimeField: - description: | - The runtime field definition object. - - You can update following fields: - - - `type` - - `script` - type: object + packagePolicyIds: + items: + type: string + maxItems: 1000 + type: array + packageVersion: + type: string required: - - runtimeField - required: true + - packagePolicyIds responses: '200': - description: Indicates a successful call. 
- '400': content: application/json: + examples: + postDryRunPackagePoliciesExample: + description: Preview of the package policy upgrade diff + value: + - diff: + - id: package-policy-id-1 + name: nginx-1 + package: + name: nginx + version: 1.20.0 + - name: nginx-1 + package: + name: nginx + version: 1.21.0 + hasErrors: false + name: nginx-1 schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update a runtime field - tags: - - data views - /api/data_views/default: - get: - operationId: getDefaultDataViewDefault - responses: - '200': + items: + additionalProperties: false + type: object + properties: + agent_diff: + items: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + namespace: + type: string + required: + - namespace + id: + type: string + meta: + additionalProperties: true + type: object + properties: + package: + additionalProperties: true + type: object + properties: + name: + type: string + version: + type: string + required: + - name + - version + required: + - package + name: + type: string + package_policy_id: + type: string + processors: + items: + additionalProperties: true + type: object + properties: + add_fields: + additionalProperties: true + type: object + properties: + fields: + additionalProperties: + anyOf: + - type: string + - type: number + type: object + target: + type: string + required: + - target + - fields + required: + - add_fields + maxItems: 10000 + type: array + revision: + type: number + streams: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + dataset: + type: string + type: + type: string + required: + - dataset + id: + type: string + required: + - data_stream + maxItems: 10000 + type: array + type: + type: string + use_output: + type: string + required: + - id + - name + - revision + - type + - 
data_stream + - use_output + - package_policy_id + maxItems: 10000 + type: array + maxItems: 1 + type: array + body: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + diff: + items: + anyOf: + - additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + id: + type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + 
policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. 
Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). + type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. 
+ type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. + is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. 
Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. + type: string + required: + - name + - enabled + - inputs + - revision + - updated_at + - updated_by + - created_at + - created_by + - additionalProperties: true + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. 
+ maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + errors: + items: + additionalProperties: false + type: object + properties: + key: + type: string + message: + type: string + required: + - message + maxItems: 10 + type: array + force: + type: boolean + id: + type: string + inputs: + items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: 
false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + is_managed: + type: boolean + missingVars: + items: + type: string + maxItems: 100 + type: array + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. 
+ nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + version: + description: Package policy ES version. 
+ type: string + required: + - name + - enabled + - inputs + maxItems: 2 + type: array + hasErrors: + type: boolean + name: + type: string + statusCode: + type: number + required: + - hasErrors + maxItems: 10000 + type: array + description: Successful response + '400': content: application/json: examples: - getDefaultDataViewResponse: - $ref: >- - #/components/examples/Data_views_get_default_data_view_response + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - data_view_id: + attributes: + nullable: true + error: type: string - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Get the default data view + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Dry run a package policy upgrade tags: - - data views - post: - operationId: setDefaultDatailViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json: - examples: - setDefaultDataViewRequest: - $ref: '#/components/examples/Data_views_set_default_data_view_request' - schema: - type: object - properties: - data_view_id: - description: > - The data view identifier. NOTE: The API does not validate - whether it is a valid identifier. Use `null` to unset the - default data view. - nullable: true - type: string - force: - default: false - description: Update an existing default data view identifier. 
- type: boolean - required: - - data_view_id - required: true + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/proxies: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/proxies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet proxies.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-proxies + parameters: [] responses: '200': content: application/json: + examples: + getFleetProxiesExample: + description: List of Fleet proxies + value: + items: + - id: proxy-id-1 + is_preconfigured: false + name: My proxy + url: http://proxy.example.com:3128 + page: 1 + perPage: 20 + total: 1 schema: + additionalProperties: false type: object properties: - acknowledged: - type: boolean - description: Indicates a successful call. + items: + items: + additionalProperties: false + type: object + properties: + certificate: + nullable: true + type: string + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true + type: string + id: + type: string + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + url: + type: string + required: + - id + - url + - name + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: Successful response '400': content: application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Set the default data view + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get proxies tags: - - data views - /api/data_views/swap_references: + - Fleet proxies + 
x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: > - Changes saved object references from one data view identifier to - another. WARNING: Misuse can break large numbers of saved objects! - Practicing with a backup is recommended. - operationId: swapDataViewsDefault + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/proxies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Fleet proxy.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-proxies parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - swapDataViewRequest: - $ref: '#/components/examples/Data_views_swap_data_view_request' + postFleetProxyRequestExample: + description: Create a new Fleet proxy + value: + name: My proxy + url: http://proxy.example.com:3128 schema: - $ref: '#/components/schemas/Data_views_swap_data_view_request_object' - required: true + additionalProperties: false + type: object + properties: + certificate: + nullable: true + type: string + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true + type: string + id: + type: string + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + url: + type: string + required: + - url + - name responses: '200': content: application/json: + examples: + postFleetProxyExample: + description: The created Fleet proxy + value: + item: + id: proxy-id-2 + is_preconfigured: false + name: My proxy + url: http://proxy.example.com:3128 schema: + additionalProperties: false type: object properties: - deleteStatus: + item: + additionalProperties: false type: object properties: - deletePerformed: + certificate: + nullable: true + type: string + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true + type: string + id: + type: string + is_preconfigured: + default: false type: boolean - remainingRefs: - type: integer - result: - items: - type: object - properties: - id: - description: A saved object identifier. 
- type: string - type: - description: The saved object type. - type: string - type: array - description: Indicates a successful call. - summary: Swap saved object references - tags: - - data views - /api/data_views/swap_references/_preview: - post: - description: > - Preview the impact of swapping saved object references from one data - view identifier to another. - operationId: previewSwapDataViewsDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json: - examples: - previewSwapDataViewRequest: - $ref: >- - #/components/examples/Data_views_preview_swap_data_view_request - schema: - $ref: '#/components/schemas/Data_views_swap_data_view_request_object' - required: true - responses: - '200': + name: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + url: + type: string + required: + - id + - url + - name + required: + - item + description: Successful response + '400': content: application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - result: - items: - type: object - properties: - id: - description: A saved object identifier. - type: string - type: - description: The saved object type. - type: string - type: array - description: Indicates a successful call. 
- summary: Preview a saved object reference swap + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create a proxy tags: - - data views - /api/detection_engine/privileges: - get: - description: > - Retrieves whether or not the user is authenticated, and the user's - Kibana + - Fleet proxies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/proxies/{itemId}: + delete: + description: |- + **Spaces method and path for this operation:** - space and index privileges, which determine if the user can create an +
delete /s/{space_id}/api/fleet/proxies/{itemId}
- index for the Elastic Security alerts generated by + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - detection engine rules. - operationId: ReadPrivileges + Delete a proxy by ID

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-proxies-itemid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: itemId + required: true + schema: + type: string responses: '200': content: application/json: examples: - success: + deleteFleetProxyExample: + description: The Fleet proxy was successfully deleted value: - application: {} - cluster: - all: true - manage: true - manage_api_key: true - manage_index_templates: true - manage_ml: true - manage_own_api_key: true - manage_pipeline: true - manage_security: true - manage_transform: true - monitor: true - monitor_ml: true - monitor_transform: true - has_all_requested: true - has_encryption_key: true - index: - .alerts-security.alerts-default: - all: true - create: true - create_doc: true - create_index: true - delete: true - delete_index: true - index: true - maintenance: true - manage: true - monitor: true - read: true - view_index_metadata: true - write: true - is_authenticated: true - username: elastic + id: proxy-id-1 schema: + additionalProperties: false type: object properties: - has_encryption_key: - type: boolean - is_authenticated: - type: boolean + id: + type: string required: - - is_authenticated - - has_encryption_key + - id description: Successful response - '401': + '400': content: application/json: examples: - unauthorized: + genericErrorResponseExample: + description: Example of a generic error response value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - 
#/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': content: application/json: examples: - serverError: + notFoundExample: + description: No proxy was found with the given ID value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Returns user privileges for the Kibana space + error: Not Found + message: Fleet proxy proxy-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete a proxy tags: - - Security Detections API - - Privileges API - /api/detection_engine/rules: - delete: - description: > - Delete a detection rule using the `rule_id` or `id` field. - - - The URL query must include one of the following: - - - * `id` - `DELETE /api/detection_engine/rules?id=` + - Fleet proxies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** - * `rule_id`- `DELETE /api/detection_engine/rules?rule_id=` +
get /s/{space_id}/api/fleet/proxies/{itemId}
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - The difference between the `id` and `rule_id` is that the `id` is a - unique rule identifier that is randomly generated when a rule is created - and cannot be set, whereas `rule_id` is a stable rule identifier that - can be assigned during rule creation. - operationId: DeleteRule + Get a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-proxies-itemid parameters: - - description: The rule's `id` value. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - - description: The rule's `rule_id` value. - in: query - name: rule_id - required: false + - in: path + name: itemId + required: true schema: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + type: string responses: '200': content: application/json: examples: - deletedRule: - summary: Response shape after a rule is deleted + getFleetProxyExample: + description: A Fleet proxy value: - actions: [] - created_at: '2020-02-03T11:19:04.259Z' - created_by: elastic - description: Process started by MS Office program in user folder - enabled: false - false_positives: [] - from: now-4200s - id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: MS Office child process - query: event.action:Process* - references: [] - risk_score: 50 - rule_id: process_started_by_ms_office_user_folder - severity: low - tags: - - tag - throttle: null - to: now - type: query - updated_at: '2020-02-03T11:19:04.462Z' - updated_by: elastic - version: 3 + item: + id: proxy-id-1 + is_preconfigured: false + name: My proxy + url: http://proxy.example.com:3128 schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Delete a detection rule - tags: - - Security Detections API - - Rules API - x-codeSamples: - - lang: cURL - source: | - curl \ - --request DELETE https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ - --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" - get: - description: > - Retrieve a detection rule using the `rule_id` or `id` field. 
- - - The URL query must include one of the following: - - - * `id` - `GET /api/detection_engine/rules?id=` - - * `rule_id` - `GET /api/detection_engine/rules?rule_id=` - - - The difference between the `id` and `rule_id` is that the `id` is a - unique rule identifier that is randomly generated when a rule is created - and cannot be set, whereas `rule_id` is a stable rule identifier that - can be assigned during rule creation. - operationId: ReadRule - parameters: - - description: The rule's `id` value. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - - description: The rule's `rule_id` value. - in: query - name: rule_id - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - responses: - '200': + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + certificate: + nullable: true + type: string + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true + type: string + id: + type: string + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + url: + type: string + required: + - id + - url + - name + required: + - item + description: Successful response + '400': content: application/json: examples: - example1: - summary: Example response for a retrieved rule + genericErrorResponseExample: + description: Example of a generic error response value: - created_at: '2020-02-03T11:19:04.259Z' - created_by: elastic - description: Process started by MS Office program in user folder - enabled: false - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: >- - This rule attempted to query data from Elasticsearch - indices listed in the "Index pattern" section of the - rule 
definition, but no matching index was found. - metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: [] - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-4200s - id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: MS Office child process - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: process.name - type: keyword - - ecs: true - name: process.parent.name - type: keyword - risk_score: 21 - rule_id: process_started_by_ms_office_user_folder - setup: '' - severity: low - tags: - - child process - - ms office - threat: - - framework: MITRE ATT&CK - tactic: - id: TA0001 - name: Initial Access - reference: https://attack.mitre.org/tactics/TA0001 - technique: - - id: T1193 - name: Spearphishing Attachment - reference: https://attack.mitre.org/techniques/T1193 - to: now-300s - type: query - updated_at: '2020-02-03T11:19:04.462Z' - updated_by: elastic - version: 1 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: > - Indicates a successful call. - - > info - - > These fields are under development and their usage or schema may - change: execution_summary. 
- summary: Retrieve a detection rule + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No proxy was found with the given ID + value: + error: Not Found + message: Fleet proxy proxy-id-1 not found + statusCode: 404 + description: Not Found + summary: Get a proxy tags: - - Security Detections API - - Rules API - x-codeSamples: - - lang: cURL - source: | - curl \ - --request GET https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ - --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" - patch: - description: > - Update specific fields of an existing detection rule using the `rule_id` - or `id` field. - - - The difference between the `id` and `rule_id` is that the `id` is a - unique rule identifier that is randomly generated when a rule is created - and cannot be set, whereas `rule_id` is a stable rule identifier that - can be assigned during rule creation. - - > warn + - Fleet proxies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. +
put /s/{space_id}/api/fleet/proxies/{itemId}
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - operationId: PatchRule + Update a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-proxies-itemid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: itemId + required: true + schema: + type: string requestBody: content: application/json: examples: - example1: - summary: Patch query rule - value: - id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 - name: New name - example2: - summary: Patch EQL rule - value: - rule_id: process_started_by_ms_office_program_possible_payload - threat: - - framework: MITRE ATT&CK - tactic: - id: TA0001 - name: Initial Access - reference: https://attack.mitre.org/tactics/TA0001 - technique: - - id: T1193 - name: Spearphishing Attachment - reference: https://attack.mitre.org/techniques/T1193 - example3: - summary: Patch threshold rule - value: - id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 - query: >- - agent.version : * and agent.id : - "243d9b4f-ca01-4311-8e5c-9abbee91afd8" - threshold: - cardinality: [] - field: [] - value: 600 - example4: - summary: Patch new terms rule - value: - history_window_start: now-3d - id: 569aac91-40dc-4807-a8ae-a2c8698089c4 - new_terms_fields: - - Endpoint.policy.applied.artifacts.global.identifiers.name - example5: - summary: Patch esql rule + putFleetProxyRequestExample: + description: Update a Fleet proxy value: - id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd - query: > - FROM logs-abc* + name: Updated proxy + url: http://updated-proxy.example.com:3128 + schema: + additionalProperties: false + type: object + properties: + certificate: + nullable: true + type: string + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true + type: string + name: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + url: + type: string + required: + - 
certificate_authorities + - certificate + - certificate_key + responses: + '200': + content: + application/json: + examples: + putFleetProxyExample: + description: The updated Fleet proxy + value: + item: + id: proxy-id-1 + is_preconfigured: false + name: Updated proxy + url: http://updated-proxy.example.com:3128 + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + certificate: + nullable: true + type: string + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true + type: string + id: + type: string + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + url: + type: string + required: + - id + - url + - name + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No proxy was found with the given ID + value: + error: Not Found + message: Proxy proxy-id-1 not found + statusCode: 404 + description: Not Found + summary: Update a proxy + tags: + - Fleet proxies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/service_tokens: + post: + description: |- + **Spaces method and path for this operation:** - | STATS count = COUNT(*), 
min_timestamp = MIN(@timestamp) +
post /s/{space_id}/api/fleet/service_tokens
- | EVAL event_rate = count / DATE_DIFF("seconds", - min_timestamp, NOW()) + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - | KEEP event_rate - example6: - summary: Patch indicator match rule - value: - id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd - threat_query: >- - @timestamp >= "now-30d/d" and event.module:(threatintel or - ti_*) and threat.indicator.ip:* and not - labels.is_ioc_transform_source:"false" - example7: - summary: Patch machine learning rule + Create a Fleet Server service token. The token is used to enroll Fleet Server instances with Kibana.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-service-tokens + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postGenerateServiceTokenRequestExample: + description: Generate a service token for a remote Fleet Server value: - anomaly_threshold: 50 - id: 60b13926-289b-41b1-a537-197ef1fa5059 - machine_learning_job_id: - - auth_high_count_logon_events_ea + remote: true schema: - $ref: '#/components/schemas/Security_Detections_API_RulePatchProps' - description: | - > info - > You cannot modify the `id` or `rule_id` values. - required: true + additionalProperties: false + nullable: true + type: object + properties: + remote: + default: false + type: boolean responses: '200': content: application/json: examples: - example1: - summary: Example response for an updated rule + postGenerateServiceTokenExample: + description: The generated Fleet Server service token value: - actions: [] - created_at: '2020-04-07T14:51:09.755Z' - created_by: elastic - description: Updated description for the rule. 
- enabled: false - false_positives: [] - filters: - - query: null - from: now-70m - id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: Updated Rule Name - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - required_fields: - - name: process.parent.name - risk_score: 50 - rule_id: process_started_by_ms_office_program - setup: '' - severity: low - tags: - - child process - - ms office - threat: [] - to: now - type: query - updated_at: '2020-04-07T14:51:09.970Z' - updated_by: elastic - version: 2 + name: elastic/fleet-server/token-1234567890 + value: AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTEyMzQ1Njc4OTA6QUJDREVGR0hJSktMTU5P schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Patch a detection rule + additionalProperties: false + type: object + properties: + name: + type: string + value: + type: string + required: + - name + - value + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create a service token tags: - - Security Detections API - - Rules API - post: - description: > - Create a new detection rule. 
- - > warn - - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. - - - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - - - You can create the following types of rules: - - - * **Custom query**: Searches the defined indices and creates an alert - when a document matches the rule's KQL query. - - * **Event correlation**: Searches the defined indices and creates an - alert when results match an [Event Query Language - (EQL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html) - query. - - * **Threshold**: Searches the defined indices and creates an alert when - the number of times the specified field's value meets the threshold - during a single execution. When there are multiple values that meet the - threshold, an alert is generated for each value. - For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. If you're interested, see [Terms Aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html) for more information. - * **Indicator match**: Creates an alert when fields match values defined - in the specified [Elasticsearch - index](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html). - For example, you can create an index for IP addresses and use this index - to create an alert whenever an event's `destination.ip` equals a value - in the index. The index's field mappings should be - [ECS-compliant](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html). 
- - * **New terms**: Generates an alert for each new term detected in source - documents within a specified time range. - - * **ES|QL**: Uses [Elasticsearch Query Language - (ES|QL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html) - to find events and aggregate search results. - - * **Machine learning rules**: Creates an alert when a machine learning - job discovers an anomaly above the defined threshold. - - > info - - > To create machine learning rules, you must have the [appropriate - license](https://www.elastic.co/subscriptions) or use a [cloud - deployment](https://cloud.elastic.co/registration). Additionally, for - the machine learning rule to function correctly, the associated machine - learning job must be running. - - - To retrieve machine learning job IDs, which are required to create - machine learning jobs, call the [Elasticsearch Get jobs - API](https://www.elastic.co/guide/en/elasticsearch/reference/current/ml-get-job.html). - Machine learning jobs that contain `siem` in the `groups` field can be - used to create rules: - - - ```json - - ... - - "job_id": "linux_anomalous_network_activity_ecs", - - "job_type": "anomaly_detector", - - "job_version": "7.7.0", - - "groups": [ - "auditbeat", - "process", - "siem" - ], - - ... - - ``` - - - Additionally, you can set up notifications for when rules create alerts. - The notifications use the [Alerting and Actions - framework](https://www.elastic.co/docs/explore-analyze/alerting). Each - action type requires a connector. Connectors store the information - required to send notifications via external systems. The following - connector types are supported for rule notifications: - - - * Slack - - * Email - - * PagerDuty - - * Webhook - - * Microsoft Teams - - * IBM Resilient - - * Jira - - * ServiceNow ITSM - - > info - - > For more information on PagerDuty fields, see [Send a v2 - Event](https://developer.pagerduty.com/docs/events-api-v2/trigger-events/). 
- - - To retrieve connector IDs, which are required to configure rule - notifications, call the [Find objects - API](https://www.elastic.co/docs/api/doc/kibana/operation/operation-findsavedobjects) - with `"type": "action"` in the request payload. + - Fleet service tokens + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/settings: + get: + description: |- + **Spaces method and path for this operation:** +
get /s/{space_id}/api/fleet/settings
- For detailed information on Kibana actions and alerting, and additional - API calls, see: + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + Get the global Fleet settings.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-settings + parameters: [] + responses: + '200': + content: + application/json: + examples: + getSettingsExample: + description: The current Fleet settings + value: + item: + delete_unenrolled_agents: + enabled: false + is_preconfigured: false + has_seen_add_data_notice: true + id: fleet-default-settings + output_secret_storage_requirements_met: true + prerelease_integrations_enabled: false + secret_storage_requirements_met: true + version: WzEsMV0= + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + action_secret_storage_requirements_met: + type: boolean + delete_unenrolled_agents: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + is_preconfigured: + type: boolean + required: + - enabled + - is_preconfigured + download_source_auth_secret_storage_requirements_met: + type: boolean + has_seen_add_data_notice: + type: boolean + id: + type: string + ilm_migration_status: + additionalProperties: false + type: object + properties: + logs: + enum: + - success + nullable: true + type: string + metrics: + enum: + - success + nullable: true + type: string + synthetics: + enum: + - success + nullable: true + type: string + integration_knowledge_enabled: + type: boolean + output_secret_storage_requirements_met: + type: boolean + preconfigured_fields: + items: + enum: + - fleet_server_hosts + type: string + maxItems: 1 + type: array + prerelease_integrations_enabled: + type: boolean + secret_storage_requirements_met: + type: boolean + ssl_secret_storage_requirements_met: + type: boolean + use_space_awareness_migration_started_at: + nullable: true + type: string + use_space_awareness_migration_status: + enum: + - pending + - success + - error + type: string + version: + type: string + required: + - item + description: Successful response + '400': + content: + 
application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: Fleet settings have not been initialized + value: + error: Not Found + message: Settings not found + statusCode: 404 + schema: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Not Found + summary: Get settings + tags: + - Fleet internals + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** - * [Alerting - API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-alerting) +
put /s/{space_id}/api/fleet/settings
- * [Alerting and Actions - framework](https://www.elastic.co/docs/explore-analyze/alerting) + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - * [Connectors - API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-connectors) - operationId: CreateRule + Update the global Fleet settings.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-settings + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - example1: - description: Query rule that searches for processes started by MS Office - summary: Query rule - value: - description: Process started by MS Office program - possible payload - enabled: false - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-70m - interval: 1h - language: kuery - name: MS Office child process - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - name: process.parent.name - type: keyword - risk_score: 50 - rule_id: process_started_by_ms_office_program - severity: low - tags: - - child process - - ms office - type: query - example2: - description: >- - Threshold rule that detects multiple failed login attempts to - a Windows host from the same external source IP address - summary: Threshold rule - value: - description: >- - Detects when there are 20 or more failed login attempts from - the same IP address with a 2 minute time frame. 
- enabled: true - exceptions_list: - - id: int-ips - namespace_type: single - type: detection - from: now-180s - index: - - winlogbeat-* - interval: 2m - name: Windows server prml-19 - query: >- - host.name:prml-19 and event.category:authentication and - event.outcome:failure - required_fields: - - name: source.ip - type: ip - risk_score: 30 - rule_id: liv-win-ser-logins - severity: low - severity_mapping: - - field: source.geo.city_name - operator: equals - severity: low - value: Manchester - - field: source.geo.city_name - operator: equals - severity: medium - value: London - - field: source.geo.city_name - operator: equals - severity: high - value: Birmingham - - field: source.geo.city_name - operator: equals - severity: critical - value: Wallingford - tags: - - Brute force - threshold: - field: source.ip - value: 20 - type: threshold - example3: - description: >- - Machine learning rule that creates alerts, and sends Slack - notifications, when the linux_anomalous_network_activity_ecs - machine learning job discovers anomalies with a threshold of - 70 or above. - summary: Machine learning rule - value: - actions: - - action_type_id: .slack - group: default - id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 - params: - message: 'Urgent: {{context.rule.description}}' - anomaly_threshold: 70 - description: Generates alerts when the job discovers anomalies over 70 - enabled: true - from: now-6m - interval: 5m - machine_learning_job_id: linux_anomalous_network_activity_ecs - name: Anomalous Linux network activity - note: Shut down the internet. - risk_score: 70 - rule_id: ml_linux_network_high_threshold - setup: This rule requires data coming in from Elastic Defend. 
- severity: high - tags: - - machine learning - - Linux - type: machine_learning - example4: - description: >- - Event correlation rule that creates alerts when the Windows - rundll32.exe process makes unusual network connections - summary: EQL rule - value: - description: Unusual rundll32.exe network connection - language: eql - name: rundll32.exe network connection - query: >- - sequence by process.entity_id with maxspan=2h [process where - event.type in ("start", "process_started") and (process.name - == "rundll32.exe" or process.pe.original_file_name == - "rundll32.exe") and ((process.args == "rundll32.exe" and - process.args_count == 1) or (process.args != "rundll32.exe" - and process.args_count == 0))] [network where event.type == - "connection" and (process.name == "rundll32.exe" or - process.pe.original_file_name == "rundll32.exe")] - required_fields: - - name: event.type - type: keyword - - name: process.args - type: keyword - - name: process.args_count - type: long - - name: process.entity_id - type: keyword - - name: process.name - type: keyword - - name: process.pe.original_file_name - type: keyword - risk_score: 21 - rule_id: eql-outbound-rundll32-connections - severity: low - tags: - - EQL - - Windows - - rundll32.exe - type: eql - example5: - description: > - Indicator match rule that creates an alert when one of the - following is true: The event's destination IP address and port - number matches destination IP and port values in the - threat_index index; The event's source IP address matches a - host IP address value in the threat_index index. 
- summary: Indicator match rule - value: - actions: [] - description: >- - Checks for bad IP addresses listed in the ip-threat-list - index - index: - - packetbeat-* - name: Bad IP threat match - query: destination.ip:* or host.ip:* - required_fields: - - name: destination.ip - type: ip - - name: destination.port - type: long - - name: host.ip - type: ip - risk_score: 50 - severity: medium - threat_index: - - ip-threat-list - threat_mapping: - - entries: - - field: destination.ip - type: mapping - value: destination.ip - - field: destination.port - type: mapping - value: destination.port - - entries: - - field: source.ip - type: mapping - value: host.ip - threat_query: '*:*' - type: threat_match - example6: - description: >- - New terms rule that creates alerts a new IP address is - detected for a user - summary: New terms rule - value: - description: Detects a user associated with a new IP address - history_window_start: now-30d - index: - - auditbeat* - language: kuery - name: New User IP Detected - new_terms_fields: - - user.id - - source.ip - query: '*' - required_fields: - - name: user.id - type: keyword - - name: source.ip - type: ip - risk_score: 21 - severity: medium - type: new_terms - example7: - description: >- - esql rule that creates alerts from events that match an Excel - parent process - summary: Esql rule - value: - description: Find Excel events - enabled: false - from: now-360s - interval: 5m - language: esql - name: Find Excel events - query: >- - from auditbeat-8.10.2 METADATA _id, _version, _index | where - process.parent.name == "EXCEL.EXE" - required_fields: - - name: process.parent.name - type: keyword - risk_score: 21 - severity: low - tags: [] - to: now - type: esql - example8: - description: >- - Query rule that searches for processes started by MS Office - and suppresses alerts by the process.parent.name field within - a 5-hour time period - summary: Query rule 2 + putSettingsRequestExample: + description: Update Fleet settings to 
enable pre-release integrations value: - alert_suppression: - duration: - unit: h - value: 5 - group_by: - - process.parent.name - missing_fields_strategy: suppress - description: Process started by MS Office program - possible payload - enabled: false - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-70m - interval: 1h - language: kuery - name: MS Office child process - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - risk_score: 50 - rule_id: process_started_by_ms_office_program - severity: low - tags: - - child process - - ms office - type: query + prerelease_integrations_enabled: true schema: - $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps' - required: true + additionalProperties: false + type: object + properties: + additional_yaml_config: + deprecated: true + type: string + delete_unenrolled_agents: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + is_preconfigured: + type: boolean + required: + - enabled + - is_preconfigured + has_seen_add_data_notice: + deprecated: true + type: boolean + integration_knowledge_enabled: + type: boolean + kibana_ca_sha256: + deprecated: true + type: string + kibana_urls: + deprecated: true + items: + format: uri + type: string + maxItems: 10 + type: array + prerelease_integrations_enabled: + type: boolean responses: '200': content: application/json: examples: - example1: - description: Example response for a query rule - summary: Query rule response + putSettingsExample: + description: The updated Fleet settings value: - actions: [] - created_at: '2020-04-07T14:51:09.755Z' - created_by: elastic - description: Process started by MS Office program - possible payload - enabled: false - false_positives: [] - filters: - - query: 
- match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-70m - id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: MS Office child process - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - - integration: graphactivitylogs - package: azure - version: ^1.11.4 - required_fields: - - ecs: true - name: process.parent.name - type: keyword - risk_score: 50 - rule_id: process_started_by_ms_office_program - setup: '' - severity: low - tags: - - child process - - ms office - threat: [] - to: now - type: query - updated_at: '2020-04-07T14:51:09.970Z' - updated_by: elastic - version: 1 - example2: - description: Example response for a machine learning job rule - summary: Machine learning response + item: + delete_unenrolled_agents: + enabled: false + is_preconfigured: false + has_seen_add_data_notice: true + id: fleet-default-settings + output_secret_storage_requirements_met: true + prerelease_integrations_enabled: true + secret_storage_requirements_met: true + version: WzIsMV0= + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + action_secret_storage_requirements_met: + type: boolean + delete_unenrolled_agents: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + is_preconfigured: + type: boolean + required: + - enabled + - is_preconfigured + download_source_auth_secret_storage_requirements_met: + type: boolean + has_seen_add_data_notice: + type: boolean + id: + type: string + ilm_migration_status: + additionalProperties: false + type: object + properties: + logs: + enum: + - success + nullable: 
true + type: string + metrics: + enum: + - success + nullable: true + type: string + synthetics: + enum: + - success + nullable: true + type: string + integration_knowledge_enabled: + type: boolean + output_secret_storage_requirements_met: + type: boolean + preconfigured_fields: + items: + enum: + - fleet_server_hosts + type: string + maxItems: 1 + type: array + prerelease_integrations_enabled: + type: boolean + secret_storage_requirements_met: + type: boolean + ssl_secret_storage_requirements_met: + type: boolean + use_space_awareness_migration_started_at: + nullable: true + type: string + use_space_awareness_migration_status: + enum: + - pending + - success + - error + type: string + version: + type: string + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - actions: - - action_type_id: .slack - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 - params: - message: 'Urgent: {{context.rule.description}}' - anomaly_threshold: 70 - created_at: '2020-04-07T14:45:15.679Z' - created_by: elastic - description: Generates alerts when the job discovers anomalies over 70 - enabled: true - false_positives: [] - from: now-6m - id: 83876f66-3a57-4a99-bf37-416494c80f3b - immutable: false - interval: 5m - machine_learning_job_id: linux_anomalous_network_activity_ecs - max_signals: 100 - name: Anomalous Linux network activity - note: Shut down the internet. 
- references: [] - related_integrations: [] - required_fields: [] - risk_score: 70 - rule_id: ml_linux_network_high_threshold - setup: '' - severity: high - status: going to run - status_date: '2020-04-07T14:45:21.685Z' - tags: - - machine learning - - Linux - threat: [] - to: now - type: machine_learning - updated_at: '2020-04-07T14:45:15.892Z' - updated_by: elastic - version: 1 - example3: - description: Example response for a threshold rule - summary: Threshold rule response + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: Fleet settings have not been initialized value: - actions: [] - author: [] - created_at: '2020-07-22T10:27:23.486Z' - created_by: elastic - description: >- - Detects when there are 20 or more failed login attempts - from the same IP address with a 2 minute time frame. 
- enabled: true - exceptions_list: - - id: int-ips - namespace_type: single - type: detection - false_positives: [] - from: now-180s - id: 15dbde26-b627-4d74-bb1f-a5e0ed9e4993 - immutable: false - index: - - winlogbeat-* - interval: 2m - language: kuery - max_signals: 100 - name: Windows server prml-19 - query: >- - host.name:prml-19 and event.category:authentication and - event.outcome:failure - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: source.ip - type: ip - risk_score: 30 - risk_score_mapping: [] - rule_id: liv-win-ser-logins - setup: '' - severity: low - severity_mapping: - - field: source.geo.city_name - operator: equals - severity: low - value: Manchester - - field: source.geo.city_name - operator: equals - severity: medium - value: London - - field: source.geo.city_name - operator: equals - severity: high - value: Birmingham - - field: source.geo.city_name - operator: equals - severity: critical - value: Wallingford - tags: - - Brute force - threat: [] - threshold: - field: source.ip - value: 20 - to: now - type: threshold - updated_at: '2020-07-22T10:27:23.673Z' - updated_by: elastic - version: 1 - example4: - description: Example response for an EQL rule - summary: EQL rule response + error: Not Found + message: Settings not found + statusCode: 404 + schema: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Not Found + summary: Update settings + tags: + - Fleet internals + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/setup: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/setup
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initialize Fleet and create the necessary Elasticsearch resources for Fleet to operate. Safe to call multiple times (idempotent). Returns the initialization status and any non-fatal errors encountered during setup.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. + operationId: post-fleet-setup + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + responses: + '200': + content: + application/json: + examples: + fleetSetupSuccessExample: + description: Fleet initialized successfully with no non-fatal errors value: - author: [] - created_at: '2020-10-05T09:06:16.392Z' - created_by: elastic - description: Unusual rundll32.exe network connection - enabled: true - exceptions_list: [] - false_positives: [] - from: now-6m - id: 93808cae-b05b-4dc9-8479-73574b50f8b1 - immutable: false - interval: 5m - language: eql - max_signals: 100 - name: rundll32.exe network connection - query: >- - sequence by process.entity_id with maxspan=2h [process - where event.type in ("start", "process_started") and - (process.name == "rundll32.exe" or - process.pe.original_file_name == "rundll32.exe") and - ((process.args == "rundll32.exe" and process.args_count == - 1) or (process.args != "rundll32.exe" and - process.args_count == 0))] [network where event.type == - "connection" and (process.name == "rundll32.exe" or - process.pe.original_file_name == "rundll32.exe")] - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: event.type - type: keyword - - ecs: true - name: process.args - type: keyword - - ecs: true - name: process.args_count - type: long - - ecs: true - name: process.entity_id - type: keyword - - ecs: true - name: process.name - type: keyword - - ecs: true - name: process.pe.original_file_name - type: keyword - risk_score: 21 - risk_score_mapping: [] - rule_id: eql-outbound-rundll32-connections - setup: '' - severity: low - severity_mapping: [] - tags: - - EQL - - Windows - - rundll32.exe - threat: [] - throttle: no_actions 
- to: now - type: eql - updated_at: '2020-10-05T09:06:16.403Z' - updated_by: elastic - version: 1 - example5: - description: Example response for an indicator match rule - summary: Indicator match rule response + isInitialized: true + nonFatalErrors: [] + fleetSetupWithNonFatalErrorsExample: + description: Fleet initialized but encountered non-fatal errors during setup value: - author: [] - created_at: '2020-10-06T07:07:58.227Z' - created_by: elastic - description: >- - Checks for bad IP addresses listed in the ip-threat-list - index - enabled: true - exceptions_list: [] - false_positives: [] - from: now-6m - id: d5daa13f-81fb-4b13-be2f-31011e1d9ae1 - immutable: false - index: - - packetbeat-* - interval: 5m - language: kuery - max_signals: 100 - name: Bad IP threat match - query: destination.ip:* or host.ip:* - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: destination.ip - type: ip - - ecs: true - name: destination.port - type: long - - ecs: true - name: host.ip - type: ip - risk_score: 50 - risk_score_mapping: [] - rule_id: 608501e4-c768-4f64-9326-cec55b5d439b - setup: '' - severity: medium - severity_mapping: [] - tags: [] - threat: [] - threat_index: - - ip-threat-list - threat_mapping: - - entries: - - field: destination.ip - type: mapping - value: destination.ip - - field: destination.port - type: mapping - value: destination.port - - entries: - - field: source.ip - type: mapping - value: host.ip - threat_query: '*:*' - to: now - type: threat_match - updated_at: '2020-10-06T07:07:58.237Z' - updated_by: elastic - version: 1 - example6: - description: Example response for a new terms rule - summary: New terms rule response + isInitialized: true + nonFatalErrors: + - message: Package fleet_server not found in registry + name: PackageNotFoundError + schema: + additionalProperties: false + description: A summary of the result of Fleet's `setup` lifecycle. 
If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup. + type: object + properties: + isInitialized: + type: boolean + nonFatalErrors: + items: + additionalProperties: false + type: object + properties: + message: + type: string + name: + type: string + required: + - name + - message + maxItems: 10000 + type: array + required: + - isInitialized + - nonFatalErrors + description: Fleet setup completed + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - author: [] - created_at: '2020-10-06T07:07:58.227Z' - created_by: elastic - description: Detects a user associated with a new IP address - enabled: true - exceptions_list: [] - false_positives: [] - from: now-6m - history_window_start: now-30d - id: eb7225c0-566b-11ee-8b4f-bbf3afdeb9f4 - immutable: false - index: - - auditbeat* - interval: 5m - language: kuery - max_signals: 100 - name: New User IP Detected - new_terms_fields: - - user.id - - source.ip - query: '*' - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: user.id - type: keyword - - ecs: true - name: source.ip - type: ip - risk_score: 21 - risk_score_mapping: [] - rule_id: c6f5d0bc-7be9-47d4-b2f3-073d22641e30 - setup: '' - severity: medium - severity_mapping: [] - tags: [] - threat: [] - to: now - type: new_terms - updated_at: '2020-10-06T07:07:58.237Z' - updated_by: elastic - version: 1 - example7: - description: Example response for an Esql rule - summary: Esql rule response + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + 
required: + - message + - attributes + description: Bad Request + '500': + content: + application/json: + examples: + internalErrorResponseExample: + description: Example of an internal server error response value: - actions: [] - author: [] - created_at: '2023-10-18T10:55:14.269Z' - created_by: elastic - description: Find Excel events - enabled: false - exceptions_list: [] - false_positives: [] - from: now-360s - id: d0f20490-6da4-11ee-b85e-09e9b661f2e2 - immutable: false - interval: 5m - language: esql - max_signals: 100 - name: Find Excel events - output_index: '' - query: >- - from auditbeat-8.10.2 METADATA _id | where - process.parent.name == "EXCEL.EXE" - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: process.parent.name - type: keyword - revision: 0 - risk_score: 21 - risk_score_mapping: [] - rule_id: e4b53a89-debd-4a0d-a3e3-20606952e589 - setup: '' - severity: low - severity_mapping: [] - tags: [] - threat: [] - to: now - type: esql - updated_at: '2023-10-18T10:55:14.269Z' - updated_by: elastic - version: 1 + error: Internal Server Error + message: An error message describing what went wrong + statusCode: 500 schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Create a detection rule + additionalProperties: false + description: Internal Server Error + type: object + properties: + message: + type: string + required: + - message + description: Internal Server Error + summary: Initiate Fleet setup tags: - - Security Detections API - put: - description: > - Update a detection rule using the `rule_id` or `id` field. The original - rule is replaced, and all unspecified fields are deleted. + - Fleet internals + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/space_settings: + get: + description: |- + **Spaces method and path for this operation:** +
get /s/{space_id}/api/fleet/space_settings
- The difference between the `id` and `rule_id` is that the `id` is a - unique rule identifier that is randomly generated when a rule is created - and cannot be set, whereas `rule_id` is a stable rule identifier that - can be assigned during rule creation. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > warn + Get the Fleet settings for the current Kibana space. + operationId: get-fleet-space-settings + parameters: [] + responses: + '200': + content: + application/json: + examples: + getSpaceSettingsExample: + description: The Fleet settings for the current Kibana space + value: + item: + allowed_namespace_prefixes: + - team-a + - team-b + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + allowed_namespace_prefixes: + items: + type: string + maxItems: 100 + type: array + managed_by: + type: string + required: + - allowed_namespace_prefixes + required: + - item + description: Successful response + summary: Get space settings + tags: [] + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. +
put /s/{space_id}/api/fleet/space_settings
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - operationId: UpdateRule + Create or update Fleet settings for the current Kibana space.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-space-settings + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - example1: - summary: Update query rule - value: - description: A new description - id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 - name: A new name for the rule - risk_score: 22 - severity: medium - type: query - example2: - summary: Update EQL rule - value: - description: eql rule test - id: 9b684efb-acf9-4323-9bff-8335b3867d14 - index: - - apm-*-transaction* - language: eql - name: New name for EQL rule - query: process where process.name == "regsvr32.exe" - risk_score: 21 - severity: low - type: eql - example3: - summary: Update threshold rule - value: - description: Description of threat rule test - id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 - language: kuery - name: New name for threat rule - query: >- - agent.version : * and agent.id : - "243d9b4f-ca01-4311-8e5c-9abbee91afd8" - risk_score: 21 - severity: low - tags: - - new_tag - threshold: - cardinality: [] - field: [] - value: 400 - type: threshold - example4: - summary: Update new terms rule - value: - description: New description - history_window_start: now-7d - id: 569aac91-40dc-4807-a8ae-a2c8698089c4 - interval: 5m - name: New terms rule name - new_terms_fields: - - Endpoint.policy.applied.artifacts.global.identifiers.name - query: 'agent.version : "9.1.0"' - risk_score: 21 - severity: low - type: new_terms - example5: - summary: Update esql rule + putSpaceSettingsRequestExample: + description: Update allowed namespace prefixes for the current Kibana space value: - description: New description for esql rule - id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd - language: esql - name: New name for esql rule - query: > - FROM logs* + allowed_namespace_prefixes: + - team-a + - team-b + schema: 
+ additionalProperties: false + type: object + properties: + allowed_namespace_prefixes: + items: + type: string + maxItems: 10 + type: array + responses: + '200': + content: + application/json: + examples: + putSpaceSettingsExample: + description: The updated Fleet settings for the current Kibana space + value: + item: + allowed_namespace_prefixes: + - team-a + - team-b + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + allowed_namespace_prefixes: + items: + type: string + maxItems: 100 + type: array + managed_by: + type: string + required: + - allowed_namespace_prefixes + required: + - item + description: Successful response + summary: Create space settings + tags: [] + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/uninstall_tokens: + get: + description: |- + **Spaces method and path for this operation:** - | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) /* - MIN(dateField) finds the earliest timestamp in the dataset. - */ +
get /s/{space_id}/api/fleet/uninstall_tokens
- | EVAL event_rate = count / DATE_DIFF("seconds", - min_timestamp, NOW()) /* Calculates the event rate by - dividing the total count of events by the time difference - (in seconds) between the earliest event and the current - time. */ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - | KEEP event_rate - risk_score: 21 - severity: low - type: esql - example6: - summary: Update indicator match rule - value: - description: New description - id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd - name: New name for Indicator Match rule - query: source.ip:* or destination.ip:*\n - risk_score: 99 - severity: critical - threat_index: - - filebeat-* - - logs-ti_* - threat_mapping: - - entries: - - field: source.ip - type: mapping - value: threat.indicator.ip - - entries: - - field: destination.ip - type: mapping - value: threat.indicator.ip - threat_query: >- - @timestamp >= "now-30d/d" and event.module:(threatintel or - ti_*) and threat.indicator.ip:* and not - labels.is_ioc_transform_source:"true" - type: threat_match - example7: - summary: Update machine learning rule - value: - anomaly_threshold: 50 - description: New description of ml rule - id: 60b13926-289b-41b1-a537-197ef1fa5059 - machine_learning_job_id: - - auth_high_count_logon_events_ea - name: New name of ml rule - risk_score: 21 - severity: low - type: machine_learning - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps' - description: > - > info + List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: get-fleet-uninstall-tokens + parameters: + - description: Partial match filtering for policy IDs + in: query + name: policyId + required: false + schema: + maxLength: 50 + type: string + - in: query + name: search + required: false + schema: + maxLength: 50 + type: string + - description: The number of items to return + in: query + name: perPage + required: false + schema: + minimum: 5 + type: number + - in: query + name: page + required: false + schema: + minimum: 1 + type: number + responses: + '200': + content: + application/json: + examples: + getUninstallTokensExample: + description: List of uninstall token metadata for agent policies + value: + items: + - created_at: '2024-01-01T00:00:00.000Z' + id: token-id-1 + namespaces: + - default + policy_id: policy-id-1 + policy_name: Default policy + - created_at: '2024-01-02T00:00:00.000Z' + id: token-id-2 + namespaces: + - production + policy_id: policy-id-2 + policy_name: Production policy + page: 1 + perPage: 20 + total: 2 + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + created_at: + type: string + id: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: array + policy_id: + type: string + policy_name: + nullable: true + type: string + required: + - id + - policy_id + - created_at + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: Successful response + '400': + content: + application/json: + examples: + conflictingQueryParamsExample: + description: Both policyId and search query parameters were provided + value: + error: Bad Request + message: Query parameters `policyId` and `search` cannot be used at the same time. 
+ statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get metadata for latest uninstall tokens + tags: + - Fleet uninstall tokens + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/uninstall_tokens/{uninstallTokenId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/uninstall_tokens/{uninstallTokenId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: get-fleet-uninstall-tokens-uninstalltokenid + parameters: + - in: path + name: uninstallTokenId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getUninstallTokenExample: + description: Decrypted uninstall token for an agent policy + value: + item: + created_at: '2024-01-01T00:00:00.000Z' + id: token-id-1 + namespaces: + - default + policy_id: policy-id-1 + policy_name: Default policy + token: CKHJsJcBqNwIRcRBNDaE + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + created_at: + type: string + id: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: array + policy_id: + type: string + policy_name: + nullable: true + type: string + token: + type: string + required: + - id + - policy_id + - created_at + - token + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No uninstall token was found with the given ID + value: + error: Not Found + message: Uninstall Token not found with ID token-id-1 + statusCode: 404 + description: Not Found + summary: Get a decrypted uninstall token + tags: + - Fleet uninstall tokens + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + 
/api/lists: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a value list using the list ID. + > info + > When you delete a list, all of its list items are also deleted. + operationId: DeleteList + parameters: + - in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: Determines whether exception items referencing this value list should be deleted. + in: query + name: deleteReferences + required: false + schema: + default: false + example: false + type: boolean + - description: Determines whether to delete value list without performing any additional checks of where this list may be utilized. + in: query + name: ignoreReferences + required: false + schema: + default: false + example: false + type: boolean + responses: + '200': + content: + application/json: + examples: + ipList: + value: + _version: WzIsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: List of bad internet ips. 
+ id: 21b01cfb-058d-44b9-838c-282be16c91cd + immutable: false + name: Bad ips + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T05:39:39.292Z' + updated_by: elastic + version: 3 + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: id: Required' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: \"ip_list\" was not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: 
'#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete a value list + tags: + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a value list using the list ID. + operationId: ReadList + parameters: + - in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + responses: + '200': + content: + application/json: + examples: + ip: + value: + _version: WzEsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: This list describes bad internet ip + id: ip_list + immutable: false + name: My bad ips + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T05:21:53.843Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: id: Required' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: 
'#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value list details + tags: + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/lists
- > All unspecified fields are deleted. You cannot modify the `id` or - `rule_id` values. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update specific fields of an existing list using the list `id`. + operationId: PatchList + requestBody: + content: + application/json: + schema: + example: + id: ip_list + name: Bad ips list - UPDATED + type: object + properties: + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + version: + $ref: '#/components/schemas/Security_Lists_API_ListVersion' + required: + - id + description: Value list's properties required: true responses: '200': content: application/json: examples: - example1: - summary: Example response for an updated rule + ip: value: - actions: [] - created_at: '2020-04-07T14:51:09.755Z' + _version: WzEsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' created_by: elastic - description: Updated description for the rule. 
- enabled: false - false_positives: [] - filters: - - query: null - from: now-70m - id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 + description: This list describes bad internet ips + id: ip_list immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: Updated Rule Name - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - required_fields: - - name: process.parent.name - risk_score: 50 - rule_id: process_started_by_ms_office_program - setup: '' - severity: low - tags: - - child process - - ms office - threat: [] - to: now - type: query - updated_at: '2020-04-07T14:51:09.970Z' + name: Bad ips list - UPDATED + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T05:21:53.843Z' updated_by: elastic version: 2 schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. 
- summary: Update a detection rule + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: name: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [PATCH /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Patch a value list tags: - - Security Detections API - - Rules API - /api/detection_engine/rules/_bulk_action: + - Security 
Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: > - Apply a bulk action, such as bulk edit, duplicate, or delete, to - multiple detection rules. The bulk action is applied to all rules that - match the query or to the rules listed by their IDs. - - - The edit action allows you to add, delete, or set tags, index patterns, - investigation fields, rule actions and schedules for multiple rules at - once. - - The edit action is idempotent, meaning that if you add a tag to a rule - that already has that tag, no changes are made. The same is true for - other edit actions, for example removing an index pattern that is not - specified in a rule will not result in any changes. The only exception - is the `add_rule_actions` and `set_rule_actions` action, which is - non-idempotent. This means that if you add or set a rule action to a - rule that already has that action, a new action is created with a new - unique ID. - - > warn - - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. - - - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - operationId: PerformRulesBulkAction - parameters: - - description: > - Enables dry run mode for the request call. - - - Enable dry run mode to verify that bulk actions can be applied to - specified rules. Certain rules, such as prebuilt Elastic rules on a - Basic subscription, can’t be edited and will return errors in the - request response. Error details will contain an explanation, the - rule name and/or ID, and additional troubleshooting information. 
- + description: |- + **Spaces method and path for this operation:** - To enable dry run mode on a request, add the query parameter - `dry_run=true` to the end of the request URL. Rules specified in the - request will be temporarily updated. These updates won’t be written - to Elasticsearch. +
post /s/{space_id}/api/lists
- > info + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > Dry run mode is not supported for the `export` bulk action. A 400 - error will be returned in the request response. - in: query - name: dry_run - required: false - schema: - type: boolean + Create a new value list. + operationId: CreateList requestBody: content: application/json: examples: - example01: - description: The following request activates all rules with the test tag. - summary: Enable - Enable all rules with the test tag - value: - action: enable - query: 'alert.attributes.tags: "test"' - example02: - description: The following request enables the rule with the specified ID. - summary: Enable - Enable a specific rule by ID. - value: - action: enable - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example03: - description: The following request disables the rule with the specified ID. - summary: Disable - Disable a specific rule by ID - value: - action: disable - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example04: - description: >- - The following request duplicates rules with the specified IDs, - including exceptions but not expired exceptions. - summary: Duplicate - Duplicate rules with specific IDs - value: - action: duplicate - duplicate: - include_exceptions: true - include_expired_exceptions: false - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - - 461a4c22-416e-4009-a9a7-cf79656454bf - example05: - description: The following request deletes the rule with the specified ID. - summary: Delete - Delete a specific rule by ID - value: - action: delete - ids: - - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 - example06: - description: >- - The following request runs the rule with the specified ID - within the given date range. 
- summary: Run - Run a specific rule by ID - value: - action: run - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - run: - end_date: '2025-03-10T23:59:59.999Z' - start_date: '2025-03-01T00:00:00.000Z' - example07: - description: >- - The following request exports the rules with the specified - IDs. - summary: Export - Export specific rules by ID - value: - action: export - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example08: - description: >- - The following request will validate that the - add_index_patterns bulk action can be successfully applied to - three rules. The dry_run parameter is specified in query - parameters, e.g. POST - api/detection_engine/rules/_bulk_action?dry_run=true - summary: Edit - dry run - Validate add_index_patterns bulk action - value: - action: edit - edit: - - type: add_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - - de8f5af0-0831-11ed-ac8b-05a222bd8d4a - example09: - description: >- - The following request adds the tag "tag-1" to the rules with - the specified IDs. If the tag already exists for a rule, no - changes are made. - summary: Edit - Add a tag to rules (idempotent) - value: - action: edit - edit: - - type: add_tags - value: - - tag-1 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example10: - description: >- - The following request adds two tags at the same time, tag-1 - and tag-2, to the rules that have the IDs sent in the payload. - If the tags already exist for a rule, no changes are made. - summary: Edit - Add two tags to rules (idempotent) - value: - action: edit - edit: - - type: add_tags - value: - - tag-1 - - tag-2 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example11: - description: >- - The following request removes the tag "tag-1" from the rules - with the specified IDs. If the tag does not exist for a rule, - no changes are made. 
- summary: Edit - Delete a tag from rules (idempotent) - value: - action: edit - edit: - - type: delete_tags - value: - - tag-1 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example12: - description: >- - The following request sets the tags "tag-1" and "tag-2" for - the rules with the specified IDs, overwriting any existing - tags. If the set of tags is the same as the existing tags, no - changes are made. - summary: Edit - Set (overwrite existing) tags for rules (idempotent) - value: - action: edit - edit: - - type: set_tags - value: - - tag-1 - - tag-2 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example13: - description: >- - The following request adds the index pattern "test-*" to the - rules with the specified IDs. If the index pattern already - exists for a rule, no changes are made. - summary: Edit - Add index patterns to rules (idempotent) - value: - action: edit - edit: - - type: add_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - example14: - description: >- - The following request removes the index pattern "test-*" from - the rules with the specified IDs. If the index pattern does - not exist for a rule, no changes are made. - summary: Edit - Remove index patterns from rules (idempotent) - value: - action: edit - edit: - - type: delete_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - example15: - description: >- - The following request sets the index patterns "test-*" and - "prod-*" for the rules with the specified IDs, overwriting any - existing index patterns. If the set of index patterns is the - same as the existing index patterns, no changes are made. 
- summary: >- - Edit - Set (overwrite existing) index patterns for rules - patterns (idempotent) - value: - action: edit - edit: - - type: set_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - example16: - description: >- - The following request adds investigation field to the rules - with the specified IDs. - summary: Edit - Add investigation field to rules - value: - action: edit - edit: - - type: add_investigation_fields - value: - field_names: - - alert.status - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example17: - description: >- - The following request deletes investigation fields from the - rules with the specified IDs. If the field does not exist for - a rule, no changes are made. - summary: Edit - Delete investigation fields from rules (idempotent) - value: - action: edit - edit: - - type: delete_investigation_fields - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - value: - - field1 - - field2 - example18: - description: >- - The following request sets investigation fields for the rules - with the specified IDs, overwriting any existing investigation - fields. If the set of investigation fields is the same as the - existing investigation fields, no changes are made. - summary: >- - Edit - Set (overwrite existing) investigation fields for rules - (idempotent) - value: - action: edit - edit: - - type: set_investigation_fields - value: - - field1 - - field2 - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example19: - description: >- - The following request sets a timeline template for the rules - with the specified IDs. If the same timeline template is - already set for a rule, no changes are made. 
- summary: >- - Edit - Set (overwrite existing) timeline template for rules - (idempotent) - value: - action: edit - edit: - - type: set_timeline - value: - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - ids: - - eacdfc95-e007-41c9-986e-4b2cbdfdc71b - example20: - description: >- - The following request sets a schedule for the rules with the - specified IDs. If the same schedule is already set for a rule, - no changes are made. - summary: >- - Edit - Set (overwrite existing) schedule for rules - (idempotent) - value: - action: edit - edit: - - type: set_schedule - value: - interval: 1h - lookback: 30m - ids: - - 99887766-5544-3322-1100-aabbccddeeff - example21: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules (non-idempotent) - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: The message body - ids: - - 9e946bfc-3118-4c77-bb25-67d781191928 - example22: - description: >- - The following request sets rule actions for the rules with the - specified IDs. Each action receives its own unique ID. - summary: >- - Edit - Set (overwrite existing) rule actions for rules - (non-idempotent) - value: - action: edit - edit: - - type: set_rule_actions - value: - actions: - - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: The message body - ids: - - 9e946bfc-3118-4c77-bb25-67d781191928 - example23: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. 
- summary: Edit - Add rule actions to rules for a webhook connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: The message body - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example24: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for an email connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - message: The message body - subject: Subject - to: address@domain.com - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example25: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a slack connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - message: The content of the message - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example26: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a PagerDuty connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - eventAction: trigger - severity: critical - summary: The message body - timestamp: 2023-10-31T00:00:00.000Z - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example27: - description: >- - The following request set alert suppression to the rules with - the specified IDs. 
- summary: Edit - Set alert suppression to rules (idempotent) + ip: value: - action: edit - edit: - - type: set_alert_suppression - value: - duration: - unit: h - value: 1 - group_by: - - source.ip - missing_fields_strategy: suppress - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example28: - description: >- - The following request set alert suppression to threshold rules - with the specified IDs. - summary: Edit - Set alert suppression to threshold rules (idempotent) + description: This list describes bad internet ips + id: ip_list + name: Simple list with ips + type: ip + ip_range: value: - action: edit - edit: - - type: set_alert_suppression_for_threshold - value: - duration: - unit: h - value: 1 - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example29: - description: >- - The following request removes alert suppression from the rules - with the specified IDs. If the rules do not have alert - suppression, no changes are made. 
- summary: Edit - Removes alert suppression from rules (idempotent) + description: This list has ip ranges + id: ip_range_list + name: Simple list with ip ranges + type: ip_range + keyword: value: - action: edit - edit: - - type: delete_alert_suppression - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example30: - description: >- - The following request triggers the filling of gaps for the - specified rule ids and time range - summary: >- - Fill Gaps - Manually trigger the filling of gaps for specified - rules + description: This list describes bad host names + id: keyword_list + name: Simple list with a keyword + type: keyword + keyword_custom_format: value: - action: fill_gaps - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - - 164d0918-f720-4c9f-9f5c-c5122587cf19 - run: - end_date: '2025-03-10T23:59:59.999Z' - start_date: '2025-03-01T00:00:00.000Z' + description: This parses the first found ipv4 only + id: keyword_custom_format_list + name: Simple list with a keyword using a custom format + type: keyword + schema: + type: object + properties: + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + type: + $ref: '#/components/schemas/Security_Lists_API_ListType' + version: + default: 1 + minimum: 1 + type: integer + required: + - name + - description + - type + description: Value list's properties + required: true + responses: + '200': + content: + application/json: + examples: + ip: + value: + _version: WzAsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: This list describes bad internet ips + id: ip_list + immutable: false + name: Simple list with ips + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + 
updated_at: '2025-01-08T04:47:34.273Z' + updated_by: elastic + version: 1 + ip_range: + value: + _version: WzAsMV0= + '@timestamp': '2025-01-09T18:23:52.241Z' + created_at: '2025-01-09T18:23:52.241Z' + created_by: elastic + description: This list has ip ranges + id: ip_range_list + immutable: false + name: Simple list with ip ranges + tie_breaker_id: 74aebdaf-601f-4940-b351-155728ff7003 + type: ip_range + updated_at: '2025-01-09T18:23:52.241Z' + updated_by: elastic + version: 1 + keyword: + value: + _version: WzEsMV0= + '@timestamp': '2025-01-09T18:24:55.786Z' + created_at: '2025-01-09T18:24:55.786Z' + created_by: elastic + description: This list describes bad host names + id: keyword_list + immutable: false + name: Simple list with a keyword + tie_breaker_id: f7e7dbaa-daf7-4c9a-a3dc-56643923ef68 + type: keyword + updated_at: '2025-01-09T18:24:55.786Z' + updated_by: elastic + version: 1 + keyword_custom_format: + value: + _version: WzIsMV0= + '@timestamp': '2025-01-09T18:25:39.604Z' + created_at: '2025-01-09T18:25:39.604Z' + created_by: elastic + description: This parses the first found ipv4 only + id: keyword_custom_format_list + immutable: false + name: Simple list with a keyword using a custom format + tie_breaker_id: 8247ae63-b780-47b8-9a89-948b643e9ec2 + type: keyword + updated_at: '2025-01-09T18:25:39.604Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json: + examples: + notFound: + value: + message: To create a list, the data stream must exist first. 
Data stream \".lists-default\" does not exist + status_code: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'list id: "keyword_custom_format_list" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List already exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create a value list + tags: + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a value list using the list `id`. The original list is replaced, and all unspecified fields are deleted. + > info + > You cannot modify the `id` value. + operationId: UpdateList + requestBody: + content: + application/json: schema: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' - - $ref: >- - #/components/schemas/Security_Detections_API_BulkDisableRules - - $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules' - - $ref: '#/components/schemas/Security_Detections_API_BulkExportRules' - - $ref: >- - #/components/schemas/Security_Detections_API_BulkDuplicateRules - - $ref: >- - #/components/schemas/Security_Detections_API_BulkManualRuleRun - - $ref: >- - #/components/schemas/Security_Detections_API_BulkManualRuleFillGaps - - $ref: '#/components/schemas/Security_Detections_API_BulkEditRules' + example: + description: Latest list of bad ips + id: ip_list + name: Bad ips - updated + type: object + properties: + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + version: + $ref: '#/components/schemas/Security_Lists_API_ListVersion' + required: + - id + - name + - description + description: Value list's properties + required: true responses: '200': content: application/json: examples: - example01: - description: >- - In this response one rule was updated and one was skipped. - Objects returned in attributes.results.skipped will only - include rules' id, name, and skip_reason. 
- summary: Successful response + ip: value: - attributes: - results: - created: [] - deleted: [] - skipped: - - id: 51658332-a15e-4c9e-912a-67214e2e2359 - name: Skipped rule - skip_reason: RULE_NOT_MODIFIED - updated: - - anomaly_threshold: 50 - author: - - Elastic - created_at: '2022-02-21T14:14:13.801Z' - created_by: elastic - description: >- - A machine learning job detected unusually large - numbers of DNS queries for a single top-level DNS - domain, which is often used for DNS tunneling. DNS - tunneling can be used for command-and-control, - persistence, or data exfiltration activity. For - example, dnscat tends to generate many DNS - questions for a top-level domain as it uses the - DNS protocol to tunnel data. - enabled: true - exceptions_list: [] - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: >- - This rule attempted to query data from - Elasticsearch indices listed in the "Index - pattern" section of the rule definition, but - no matching index was found. - metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: - - >- - DNS domains that use large numbers of child - domains, such as software or content - distribution networks, can trigger this alert - and such parent domains can be excluded. 
- from: now-45m - id: 8bc7dad0-9320-11ec-9265-8b772383a08d - immutable: false - interval: 15m - license: Elastic License v2 - machine_learning_job_id: - - packetbeat_dns_tunneling_ea - max_signals: 100 - name: DNS Tunneling [Duplicate] - references: - - >- - https://www.elastic.co/docs/reference/machine-learning/ootb-ml-jobs-siem - related_integrations: [] - required_fields: [] - risk_score: 21 - risk_score_mapping: [] - rule_id: 7289bf08-4e91-4c70-bf01-e04c4c5d7756 - setup: '' - severity: low - severity_mapping: [] - tags: - - Elastic - - Network - - Threat Detection - - ML - threat: [] - to: now - type: machine_learning - updated_at: '2022-02-21T17:05:50.883Z' - updated_by: elastic - version: 6 - summary: - failed: 0 - skipped: 1 - succeeded: 1 - total: 2 - rules_count: 1 - success: true - example02: - description: >- - If processing of any rule fails, a partial error outputs the - ID and/or name of the affected rule and the corresponding - error, as well as successfully processed rules (in the same - format as a successful 200 request). - summary: Partial failure + _version: WzIsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: Latest list of bad ips + id: ip_list + immutable: false + name: Bad ips - updated + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T05:39:39.292Z' + updated_by: elastic + version: 3 + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: value: - value: - attributes: - errors: - - message: >- - Index patterns can't be added. 
Machine learning - rule doesn't have index patterns property - rules: - - id: 8bc7dad0-9320-11ec-9265-8b772383a08d - name: DNS Tunneling [Duplicate] - status_code: 500 - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: [] - author: - - Elastic - created_at: '2022-02-21T14:14:17.883Z' - created_by: elastic - description: >- - Generates a detection alert for each external - alert written to the configured indices. - Enabling this rule allows you to immediately - begin investigating external alerts in the app. - enabled: true - exceptions_list: [] - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: >- - This rule attempted to query data from - Elasticsearch indices listed in the "Index - pattern" section of the rule definition, but - no matching index was found. - metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: [] - from: now-6m - id: 8e5c1a40-9320-11ec-9265-8b772383a08d - immutable: false - index: - - apm-*-transaction* - - traces-apm* - - auditbeat-* - - filebeat-* - - logs-* - - packetbeat-* - - winlogbeat-* - - added-by-id-* - interval: 5m - language: kuery - license: Elastic License v2 - max_signals: 10000 - name: External Alerts [Duplicate] - query: > - event.kind:alert and not event.module:(endgame - or endpoint) - references: [] - related_integrations: [] - required_fields: [] - risk_score: 47 - risk_score_mapping: - - field: event.risk_score - operator: equals - value: '' - rule_id: 941faf98-0cdc-4569-b16d-4af962914d61 - rule_name_override: message - setup: '' - severity: medium - severity_mapping: - - field: event.severity - operator: equals - severity: low - value: '21' - - field: event.severity - operator: equals - severity: medium - value: '47' - - field: event.severity - operator: equals - severity: high - value: '73' - - field: event.severity - operator: equals - severity: 
critical - value: '99' - tags: - - Elastic - - Network - - Windows - - APM - - macOS - - Linux - threat: [] - timestamp_override: event.ingested - to: now - type: query - updated_at: '2022-02-21T16:56:22.818Z' - updated_by: elastic - version: 5 - summary: - failed: 1 - skipped: 0 - succeeded: 1 - total: 2 - message: Bulk edit partially failed - rules_count: 2 - status_code: 500 - success: false - example03: - description: >- - The attributes.errors section of the response shows that two - rules failed to update and one succeeded. The same results - would be returned if you ran the request without dry run - mode enabled. Notice that there are no arrays in - attributes.results. In dry run mode, rule updates are not - applied and saved to Elasticsearch, so the endpoint wouldn’t - return results for rules that have been updated, created, or - deleted. - summary: Dry run + error: Bad Request + message: '[request body]: id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: value: - attributes: - errors: - - err_code: IMMUTABLE - message: Elastic rule can't be edited - rules: - - id: 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - name: Unusual AWS Command for a User - status_code: 500 - - err_code: MACHINE_LEARNING_INDEX_PATTERN - message: Machine learning rule doesn't have index patterns - rules: - - id: dc015d10-0831-11ed-ac8b-05a222bd8d4a - name: Suspicious Powershell Script [Duplicate] - status_code: 500 - results: - created: [] - deleted: [] - skipped: [] - updated: [] - summary: - failed: 2 - skipped: 0 - succeeded: 1 - total: 3 - message: Bulk edit partially failed + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for 
REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [PUT /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error status_code: 500 - example04: - description: >- - This example presents the successful setting of tags for 2 - rules. There was a difference between the set of tags that - were being added and the tags that were already set in the - rules, that's why the rules were updated. - summary: Set tags successsully for 2 rules + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Update a value list + tags: + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/lists/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a paginated subset of value lists. By default, the first page is returned, with 20 results per page. + operationId: FindLists + parameters: + - description: The page number to return. + in: query + name: page + required: false + schema: + example: 1 + type: integer + - description: The number of value lists to return per page. + in: query + name: per_page + required: false + schema: + example: 20 + type: integer + - description: Determines which field is used to sort the results. + in: query + name: sort_field + required: false + schema: + example: name + format: nonempty + minLength: 1 + type: string + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + example: asc + type: string + - description: Returns the lists that come after the last lists returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all lists are sorted and returned correctly. + in: query + name: cursor + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' + - description: | + Filters the returned results according to the value of the specified field, + using the : syntax. 
+ in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListsFilter' + responses: + '200': + content: + application/json: + examples: + ipList: + value: + cursor: WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d + data: + - _version: WzAsMV0= + '@timestamp': | + 2025-01-08T04:47:34.273Z + created_at: | + 2025-01-08T04:47:34.273Z + created_by: elastic + description: This list describes bad internet ip + id: ip_list + immutable: false + name: Simple list with an ip + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: | + 2025-01-08T04:47:34.273Z + updated_by: elastic + version: 1 + page: 1 + per_page: 20 + total: 1 + schema: + type: object + properties: + cursor: + $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' + data: + items: + $ref: '#/components/schemas/Security_Lists_API_List' + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + - cursor + description: Successful response + '400': + content: + application/json: + examples: + badRequest: value: - attributes: - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: [] - author: [] - created_at: '2025-03-25T11:46:41.899Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-6m - id: 738112cd-6cfa-414a-8457-2a658845d6ba - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 5m - language: kuery - license: '' - max_signals: 100 - meta: - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Rule 1 - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 1 - risk_score: 21 - 
risk_score_mapping: [] - rule_id: 6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - threat: [] - to: now - type: query - updated_at: '2025-03-25T11:47:11.350Z' - updated_by: elastic - version: 2 - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: Hello - uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 - author: [] - created_at: '2025-03-25T09:49:08.343Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-360s - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 3m - investigation_fields: - field_names: - - alert.status - - >- - Endpoint.policy.applied.artifacts.global.channel - language: kuery - license: '' - max_signals: 100 - meta: - from: 3m - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Rule 2 - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 33 - risk_score: 21 - risk_score_mapping: [] - rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - threat: [] - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - to: now - type: query - updated_at: '2025-03-25T11:47:11.357Z' - updated_by: elastic - version: 24 - summary: - failed: 0 - skipped: 0 - succeeded: 2 - total: 2 - rules_count: 2 - success: true - example05: - description: >- - This example presents the idempotent behavior of the edit - action with set_tags request. 
Both rules already had exactly - the same tags that were being added, so no changes were made - in any of them. - summary: Idempotent behavior of set_tags + error: Bad Request + message: '[request query]: page: Expected number, received nan' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: value: - attributes: - results: - created: [] - deleted: [] - skipped: - - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - name: Rule 1 - skip_reason: RULE_NOT_MODIFIED - - id: 738112cd-6cfa-414a-8457-2a658845d6ba - name: Rule 2 - skip_reason: RULE_NOT_MODIFIED - updated: [] - summary: - failed: 0 - skipped: 2 - succeeded: 0 - total: 2 - rules_count: 2 - success: true - example06: - description: >- - This example presents the idempotent behavior of the edit - action with add_tags request. One rule was updated and one - was skipped. The rule that was skipped already had all the - tags that were being added. 
- summary: Idempotent behavior of add_tags + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: value: - attributes: - results: - created: [] - deleted: [] - skipped: - - id: 738112cd-6cfa-414a-8457-2a658845d6ba - name: Test Rule 2 - skip_reason: RULE_NOT_MODIFIED - updated: - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: Hello - uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 - author: [] - created_at: '2025-03-25T09:49:08.343Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-360s - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 3m - investigation_fields: - field_names: - - alert.status - - >- - Endpoint.policy.applied.artifacts.global.channel - language: kuery - license: '' - max_signals: 100 - meta: - from: 3m - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Test rule - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 34 - risk_score: 21 - risk_score_mapping: [] - rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - - tag-4 - threat: [] - timeline_id: 
3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - to: now - type: query - updated_at: '2025-03-25T11:55:12.752Z' - updated_by: elastic - version: 25 - summary: - failed: 0 - skipped: 1 - succeeded: 1 - total: 2 - rules_count: 2 - success: true - example07: - description: >- - This example shows a non-idempotent nature of the - set_rule_actions requests. Regardless if the actions are the - same as the existing actions for a rule, the actions are - always set in the rule and receive a new unique ID. - summary: Non-idempotent behavior for set_rule_actions + error: Forbidden + message: API [GET /api/lists/_find?page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: value: - attributes: - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: Hello - uuid: e48428e5-efac-4856-b8ad-b271c14eaa91 - author: [] - created_at: '2025-03-25T09:49:08.343Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-360s - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 3m - investigation_fields: - field_names: - - alert.status - - >- - Endpoint.policy.applied.artifacts.global.channel - language: kuery - license: '' - max_signals: 100 - meta: - from: 3m - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: 
Test rule - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 39 - risk_score: 21 - risk_score_mapping: [] - rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - - tag-4 - threat: [] - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - to: now - type: query - updated_at: '2025-03-25T12:17:40.528Z' - updated_by: elastic - version: 30 - summary: - failed: 0 - skipped: 0 - succeeded: 1 - total: 1 - rules_count: 1 - success: true - example08: - description: >- - This example shows a non-idempotent nature of the - add_rule_actions requests. Regardless if the added action is - the same as another existing action for a rule, the new - action is added to the rule and receives a new unique ID. - summary: Non-idempotent behavior for add_rule_actions + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value lists + tags: + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/lists/index: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/lists/index
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete the `.lists` and `.items` data streams. + operationId: DeleteListIndex + responses: + '200': + content: + application/json: + schema: + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: value: - attributes: - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 - params: - body: Message body - uuid: 0309347e-3954-429c-9168-5da2663389af - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 - params: - body: Message body - uuid: 49ddaa94-d63d-410e-90dc-8c1bad9552bd - author: [] - created_at: '2025-04-02T12:42:03.400Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-6m - id: 0d3eb0cd-88c4-4651-ac87-6d9f0cb87217 - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 5m - language: kuery - license: '' - max_signals: 100 - meta: - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Jacek test rule - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 2 - risk_score: 21 - risk_score_mapping: [] - 
rule_id: 2684c020-1370-4719-ac27-eafe6428fe10 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: [] - threat: [] - to: now - type: query - updated_at: '2025-04-02T12:51:40.215Z' - updated_by: elastic - version: 2 - summary: - failed: 0 - skipped: 0 - succeeded: 1 - total: 1 - rules_count: 1 - success: true + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_BulkEditActionResponse - - $ref: >- - #/components/schemas/Security_Detections_API_BulkExportActionResponse - description: OK - summary: Apply a bulk action to detection rules + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete value list data streams tags: - - Security Detections API - - Bulk API - /api/detection_engine/rules/_export: - post: - description: > - Export detection rules to an `.ndjson` file. 
The following configuration - items are also included in the `.ndjson` file: - - - Actions - - - Exception lists - - > info - - > Rule actions and connectors are included in the exported file, but - sensitive information about the connector (such as authentication - credentials) is not included. You must re-add missing connector details - after importing detection rules. - - - > You can use Kibana’s [Saved - Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) - UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs - (experimental) to - [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) - and - [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) - any necessary connectors before importing detection rules. - + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** - > Similarly, any value lists used for rule exceptions are not included - in rule exports or imports. Use the [Manage value - lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) - UI (Rules → Detection rules (SIEM) → Manage value lists) to export and - import value lists separately. - operationId: ExportRules - parameters: - - description: Determines whether a summary of the exported rules is returned. - in: query - name: exclude_export_details - required: false - schema: - default: false - type: boolean - - description: > - File name for saving the exported rules. +
get /s/{space_id}/api/lists/index
- > info + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > When using cURL to export rules to a file, use the -O and -J - options to save the rules to the file name specified in the URL. - in: query - name: file_name - required: false - schema: - default: export.ndjson - type: string - requestBody: - content: - application/json: - examples: - exportByRuleIds: - summary: Request body to export a subset of rules - value: - objects: - - rule_id: 343580b5-c811-447c-8d2d-2ccf052c6900 - - rule_id: 2938c9fa-53eb-4c04-b79c-33cbf041b18d - schema: - nullable: true - type: object - properties: - objects: - description: >- - Array of objects with a rule's `rule_id` field. Do not use - rule's `id` here. Exports all rules when unspecified. - items: - type: object - properties: - rule_id: - $ref: >- - #/components/schemas/Security_Detections_API_RuleSignatureId - required: - - rule_id - type: array - required: - - objects - required: false + Verify that `.lists` and `.items` data streams exist. 
+ operationId: ReadListIndex responses: '200': content: - application/ndjson: + application/json: + schema: + type: object + properties: + list_index: + type: boolean + list_item_index: + type: boolean + required: + - list_index + - list_item_index + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: examples: - sampleNdjson: - value: > - {"rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900","name":"Example - rule","type":"query","enabled":true} - - {"exception_list":true} - - {"export_summary":{"total_rules":1,"exceptions_count":0}} + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - description: > - An `.ndjson` file containing the returned rules. - - - Each line in the file represents an object (a rule, exception - list parent container, or exception list item), and the last - line includes a summary of what was exported. - format: binary - type: string - description: Indicates a successful call. 
- summary: Export detection rules + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream(s) not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get status of value list data streams tags: - - Security Detections API - - Import/Export API - x-codeSamples: - - lang: cURL - source: > - curl -X POST - "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" - -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' - - { - "objects": [ - { - "rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900" - }, - { - "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d" - } - ] - } - /api/detection_engine/rules/_find: - get: - description: >- - Retrieve a paginated list of detection rules. By default, the first page - is returned, with 20 results per page. - operationId: FindRules - parameters: - - description: > - List of `alert.attributes` field names to return for each rule (for - example `name`, `enabled`). - - If omitted, the default field set is returned. Repeat the parameter - to pass multiple field names, or - - use comma-separated values when supported by your client. 
- in: query - name: fields - required: false - schema: - items: - type: string - type: array - - description: > - Search query - - - Filters the returned results according to the value of the specified - field, using the alert.attributes.: syntax, - where can be: - - - name - - - enabled + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + deprecated: true + description: |- + **Spaces method and path for this operation:** - - tags +
post /s/{space_id}/api/lists/index
- - createdBy + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - interval + Create `.lists` and `.items` data streams in the relevant space. + operationId: CreateListIndex + responses: + '200': + content: + application/json: + schema: + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: | + [security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'data stream: \".lists-default\" and \".items-default\" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create list data streams + tags: + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud 
Serverless + name: product_name + /api/lists/items: + delete: + description: |- + **Spaces method and path for this operation:** - - updatedBy +
delete /s/{space_id}/api/lists/items
- > info + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > Even though the JSON rule object uses created_by and updated_by - fields, you must use createdBy and updatedBy fields in the filter. - in: query - name: filter - required: false - schema: - type: string - - description: Field to sort by - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_FindRulesSortField' - - description: Sort order + Delete a value list item using its `id`, or its `list_id` and `value` fields. + operationId: DeleteListItem + parameters: + - description: Value list item's identifier. Required if `list_id` and `value` are not specified. in: query - name: sort_order + name: id required: false schema: - $ref: '#/components/schemas/Security_Detections_API_SortOrder' - - description: Page number + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + - description: Value list's identifier. Required if `id` is not specified. in: query - name: page + name: list_id required: false schema: - default: 1 - minimum: 1 - type: integer - - description: Rules per page + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: The value used to evaluate exceptions. Required if `id` is not specified. in: query - name: per_page + name: value required: false schema: - default: 20 - minimum: 0 - type: integer - - description: Gaps range start + example: 255.255.255.255 + type: string + - description: Determines when changes made by the request are made visible to search. 
in: query - name: gaps_range_start + name: refresh required: false schema: + default: 'false' + enum: + - 'true' + - 'false' + - wait_for + example: false type: string - - description: Gaps range end + responses: + '200': + content: + application/json: + examples: + ip: + value: + _version: WzIwLDFd + '@timestamp': '2025-01-08T05:15:05.159Z' + created_at: '2025-01-08T05:15:05.159Z' + created_by: elastic + id: pd1WRJQBs4HAK3VQeHFI + list_id: ip_list + tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 + type: ip + updated_at: '2025-01-08T05:44:14.009Z' + updated_by: elastic + value: 255.255.255.255 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_ListItem' + - items: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + type: array + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + message: Either \"list_id\" or \"id\" needs to be defined in the request + status_code: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/lists/items?id=pd1WRJQBs4HAK3VQeHFI] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: 
'#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list item with id: \"pd1WRJQBs4HAK3VQeHFI\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete a value list item + tags: + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a value list item. + operationId: ReadListItem + parameters: + - description: Value list item identifier. Required if `list_id` and `value` are not specified. in: query - name: gaps_range_end + name: id required: false schema: - type: string - - description: Gap fill statuses + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: Value list item list's `id` identfier. Required if `id` is not specified. in: query - name: gap_fill_statuses + name: list_id required: false schema: - items: - $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' - type: array - - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: The value used to evaluate exceptions. Required if `id` is not specified. in: query - name: gap_auto_fill_scheduler_id + name: value required: false schema: + example: 127.0.0.2 type: string responses: '200': content: application/json: examples: - example1: + ip: + value: + _version: WzExLDFd + '@timestamp': '2025-01-08T05:16:25.882Z' + created_at: '2025-01-08T05:16:25.882Z' + created_by: elastic + id: qN1XRJQBs4HAK3VQs3Gc + list_id: ip_list + tie_breaker_id: a9a34c02-a385-436e-86a0-02a3942f3537 + type: ip + updated_at: '2025-01-08T05:16:25.882Z' + updated_by: elastic + value: 127.0.0.2 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_ListItem' + - items: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + type: array + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + message: Either \"list_id\" or \"id\" needs to be defined in the request + status_code: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: 
'#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/lists/items?id=qN1XRJQBs4HAK3VQs3Gc] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list item id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get a value list item + tags: + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update specific fields of an existing value list item using the item `id`. + operationId: PatchListItem + requestBody: + content: + application/json: + schema: + example: + id: pd1WRJQBs4HAK3VQeHFI + value: 255.255.255.255 + type: object + properties: + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + refresh: + description: Determines when changes made by the request are made visible to search. + enum: + - 'true' + - 'false' + - wait_for + type: string + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - id + description: Value list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + ipItem: + value: + _version: WzE5LDFd + '@timestamp': '2025-01-08T05:15:05.159Z' + created_at: '2025-01-08T05:15:05.159Z' + created_by: elastic + id: pd1WRJQBs4HAK3VQeHFI + list_id: ip_list + tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 + type: ip + updated_at: '2025-01-08T05:23:37.602Z' + updated_by: elastic + value: 255.255.255.255 + schema: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: value: - data: - - created_at: '2020-02-02T10:05:19.613Z' - created_by: elastic - description: >- - Identifies a PowerShell process launched by either - cscript.exe or wscript.exe. Observing Windows - scripting processes executing a PowerShell script, may - be indicative of malicious activity. 
- enabled: false - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: >- - This rule attempted to query data from - Elasticsearch indices listed in the "Index - pattern" section of the rule definition, but no - matching index was found. - metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: [] - from: now-6m - id: 89761517-fdb0-4223-b67b-7621acc48f9e - immutable: true - index: - - winlogbeat-* - interval: 5m - language: kuery - max_signals: 33 - name: Windows Script Executing PowerShell - query: >- - event.action:"Process Create (rule: ProcessCreate)" - and process.parent.name:("wscript.exe" or - "cscript.exe") and process.name:"powershell.exe" - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: event.action - type: keyword - - ecs: true - name: process.name - type: keyword - - ecs: true - name: process.parent.name - type: keyword - risk_score: 21 - rule_id: f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc - setup: '' - severity: low - tags: - - Elastic - - Windows - threat: - - framework: MITRE ATT&CK - tactic: - id: TA0002 - name: Execution - reference: https://attack.mitre.org/tactics/TA0002/ - technique: - - id: T1193 - name: Spearphishing Attachment - reference: https://attack.mitre.org/techniques/T1193/ - to: now - type: query - updated_at: '2020-02-02T10:05:19.830Z' - updated_by: elastic - page: 1 - perPage: 5 - total: 4 + message: '{"took":15,"timed_out":false,"total":1,"updated":0,"deleted":0,"batches":1,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1,"throttled_until_millis":0,"failures":[{"index":".ds-.items-default-2025.01.09-000001","id":"ip_item","cause":{"type":"document_parsing_exception","reason":"[1:107] failed to parse field [ip] of type [ip] in document with id ip_item. 
Preview of fields value: 2","caused_by":{"type":"illegal_argument_exception","reason":"2 is not an IP string literal."}},"status":400}]}' + status_code: 400 schema: - type: object - properties: - data: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RuleResponse - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - warnings: - items: - $ref: >- - #/components/schemas/Security_Detections_API_WarningSchema - type: array - required: - - page - - perPage - - total - - data - description: > - Successful response - - > info - - > These fields are under development and their usage or schema may - change: execution_summary. - summary: List all detection rules + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list item id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: 
List item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Patch a value list item tags: - - Security Detections API - - Rules API - x-codeSamples: - - lang: cURL - source: > - curl -X GET - "localhost:5601/api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows" - -H 'kbn-xsrf: true' - /api/detection_engine/rules/_import: + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: > - Import detection rules from an `.ndjson` file, including actions and - exception lists. The request must include: - - - The `Content-Type: multipart/form-data` HTTP header. - - - A link to the `.ndjson` file containing the rules. - - > warn - - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. - - - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. + description: | + **Spaces method and path for this operation:** - > info +
post /s/{space_id}/api/lists/items
- > To import rules with actions, you need at least Read privileges for - the Action and Connectors feature. To overwrite or add new connectors, - you need All privileges for the Actions and Connectors feature. To - import rules without actions, you don’t need Actions and Connectors - privileges. Refer to [Enable and access - detections](https://www.elastic.co/docs/solutions/security/detect-and-alert/detections-privileges) - for more information. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + Create a value list item and associate it with the specified value list. + All value list items in the same list must be the same type. For example, each list item in an `ip` list must define a specific IP address. > info - - > Rule actions and connectors are included in the exported file, but - sensitive information about the connector (such as authentication - credentials) is not included. You must re-add missing connector details - after importing detection rules. - - - > You can use Kibana’s [Saved - Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) - UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs - (experimental) to - [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) - and - [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) - any necessary connectors before importing detection rules. - - - > Similarly, any value lists used for rule exceptions are not included - in rule exports or imports. Use the [Manage value - lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) - UI (Rules → Detection rules (SIEM) → Manage value lists) to export and - import value lists separately. - operationId: ImportRules - parameters: - - description: >- - Determines whether existing rules with the same `rule_id` are - overwritten. 
- in: query - name: overwrite - required: false - schema: - default: false - type: boolean - - description: >- - Determines whether existing exception lists with the same `list_id` - are overwritten. Both the exception list container and its items are - overwritten. - in: query - name: overwrite_exceptions - required: false - schema: - default: false - type: boolean - - description: >- - Determines whether existing actions with the same - `kibana.alert.rule.actions.id` are overwritten. - in: query - name: overwrite_action_connectors - required: false - schema: - default: false - type: boolean - - description: Generates a new list ID for each imported exception list. - in: query - name: as_new_list - required: false - schema: - default: false - type: boolean + > Before creating a list item, you must create a list. + operationId: CreateListItem requestBody: content: - multipart/form-data: + application/json: examples: - rulesFile: - summary: Multipart part containing a rule export + ip: + value: + list_id: ip_list + value: 127.0.0.1 + ip_range: + value: + list_id: ip_range_list + value: 192.168.0.0/16 + keyword: value: - file: rules_import.ndjson + list_id: keyword_list + value: zeek schema: type: object properties: - file: - description: The `.ndjson` file containing the rules. - format: binary + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + list_id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + refresh: + description: Determines when changes made by the request are made visible to search. 
+ enum: + - 'true' + - 'false' + - wait_for + example: wait_for type: string + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - list_id + - value + description: Value list item's properties required: true responses: '200': content: application/json: examples: - example1: - summary: Import rules with success + ip: value: - errors: [] - exceptions_errors: [] - exceptions_success: true - exceptions_success_count: 0 - rules_count: 1 - success: true - success_count: 1 + _version: WzAsMV0= + '@timestamp': '2025-01-08T04:59:06.154Z' + created_at: '2025-01-08T04:59:06.154Z' + created_by: elastic + id: 21b01cfb-058d-44b9-838c-282be16c91cc + list_id: ip_list + tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a + type: ip + updated_at: '2025-01-08T04:59:06.154Z' + updated_by: elastic + value: 127.0.0.1 + ip_range: + value: + _version: WzEsMV0= + '@timestamp': '2025-01-09T18:33:08.202Z' + created_at: '2025-01-09T18:33:08.202Z' + created_by: elastic + id: ip_range_item + list_id: ip_range_list + tie_breaker_id: ea1b4189-efda-4637-b8f9-74655a5ebb61 + type: ip_range + updated_at: '2025-01-09T18:33:08.202Z' + updated_by: elastic + value: 192.168.0.0/16 + keyword: + value: + _version: WzIsMV0= + '@timestamp': '2025-01-09T18:34:29.422Z' + created_at: '2025-01-09T18:34:29.422Z' + created_by: elastic + id: 7f24737d-1da8-4626-a568-33070591bb4e + list_id: keyword_list + tie_breaker_id: 2108ced2-5e5d-401e-a88e-4dd69fc5fa27 + type: keyword + updated_at: '2025-01-09T18:34:29.422Z' + updated_by: elastic + value: zeek schema: - additionalProperties: false - type: object - properties: - action_connectors_errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - action_connectors_success: - type: boolean - action_connectors_success_count: - minimum: 0 - type: integer - action_connectors_warnings: - items: - $ref: >- - #/components/schemas/Security_Detections_API_WarningSchema - type: array - errors: - items: - 
$ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - exceptions_errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - exceptions_success: - type: boolean - exceptions_success_count: - minimum: 0 - type: integer - rules_count: - minimum: 0 - type: integer - success: - type: boolean - success_count: - minimum: 0 - type: integer - required: - - exceptions_success - - exceptions_success_count - - exceptions_errors - - rules_count - - success - - success_count - - errors - - action_connectors_errors - - action_connectors_warnings - - action_connectors_success - - action_connectors_success_count - description: Indicates a successful call. - summary: Import detection rules + $ref: '#/components/schemas/Security_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: uri [/api/lists/items] with method [post] exists but is not available with the current configuration + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 
403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + listNotFound: + value: + message: 'list id: \"ip_list\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'list item id: \"ip_item\" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item already exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create a value list item tags: - - Security Detections API - - Import/Export API - x-codeSamples: - - lang: cURL - source: | - curl -X POST "/api/detection_engine/rules/_import" - -u : -H 'kbn-xsrf: true' - -H 'Content-Type: multipart/form-data' - --form "file=@" - /api/detection_engine/rules/{id}/exceptions: - post: - description: Create exception items that apply to a single detection rule. - operationId: CreateRuleExceptionListItems - parameters: - - description: Detection rule's identifier - examples: - id: - value: 330bdd28-eedf-40e1-bed0-f10176c7f9e0 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_RuleId' + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a value list item using the list item ID. The original list item is replaced, and all unspecified fields are deleted. + > info + > You cannot modify the `id` value. + operationId: UpdateListItem requestBody: content: application/json: - examples: - addItems: - value: - items: - - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - type: simple + example: + id: ip_item + value: 255.255.255.255 schema: - example: - items: - - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - type: simple type: object properties: - items: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps - type: array + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' required: - - items - description: Rule exception items. 
+ - id + - value + description: Value list item's properties required: true responses: '200': content: application/json: examples: - ruleExceptionItems: + ip: + value: + _version: WzIwLDFd + '@timestamp': '2025-01-08T05:15:05.159Z' + created_at: '2025-01-08T05:15:05.159Z' + created_by: elastic + id: pd1WRJQBs4HAK3VQeHFI + list_id: ip_list + tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 + type: ip + updated_at: '2025-01-08T05:44:14.009Z' + updated_by: elastic + value: 255.255.255.255 + schema: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: value: - - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic + error: Forbidden + message: API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItem - type: array + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list item id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Update a value list item + tags: + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/lists/items/_export: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/lists/items/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export list item values from the specified value list. + operationId: ExportListItems + parameters: + - description: Value list's `id` to export. + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + responses: + '200': + content: + application/ndjson: + schema: + description: A `.txt` file containing list items from the specified list + example: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 + 127.0.0.4 + 127.0.0.5 + 127.0.0.6 + 127.0.0.7 + 127.0.0.8 + 127.0.0.9 + format: binary + type: string description: Successful response '400': content: application/json: examples: - badPayload: - value: - error: Bad Request - message: Invalid request payload JSON format - statusCode: 400 badRequest: value: - error: Bad Request - message: '[request params]: id: Invalid uuid' + error: 'Bad Request","message":"[request query]: list_id: Required' statusCode: 400 schema: oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: 
@@ -7643,16 +58970,10 @@ paths: unauthorized: value: error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: @@ -7660,12 +58981,18 @@ paths: examples: forbidden: value: - message: Unable to create exception-list - status_code: 403 + error: Forbidden + message: API [POST /api/lists/items/_export?list_id=ips.txt] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response '500': content: application/json: 
@@ -7675,136 +59002,124 @@ paths: message: Internal Server Error status_code: 500 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response - summary: Create rule exception items + summary: Export value list items tags: - - Security Exceptions API - /api/detection_engine/rules/preview: - post: - description: > - Simulates a detection rule using the same rule type and query logic as a - persisted rule, over a short + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/lists/items/_find: + get: + description: |- + **Spaces method and path for this operation:** - time window, without persisting a rule or writing alerts. Use the - response to validate queries, see sample +
get /s/{space_id}/api/lists/items/_find
- matching documents, and inspect execution logs. Pair `invocationCount` - and `timeframeEnd` to cap run time. - operationId: RulePreview + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get all value list items in the specified list. + operationId: FindListItems parameters: - - description: >- - Enables logging and returning in response ES queries, performed - during rule execution + - in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: The page number to return. in: query - name: enable_logged_requests + name: page required: false schema: - type: boolean - requestBody: - content: - application/json: - examples: - queryRule: - value: - description: Find matching events - from: now-24h - index: - - logs-* - invocationCount: 1 - language: kuery - max_signals: 20 - name: Rule preview - query: 'process.name : *' - risk_score: 25 - severity: low - timeframeEnd: '2025-01-20T12:00:00.000Z' - to: now - type: query - schema: - anyOf: - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_EqlRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_QueryRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - 
#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_EsqlRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - discriminator: - propertyName: type - description: > - Rule create payload (same shape as `POST /api/detection_engine/rules` - for a given `type`) plus - - `invocationCount` and `timeframeEnd` to control how the preview is - executed. Optional - - `enable_logged_requests` surfaces Elasticsearch request logging for - debugging. - required: true + example: 1 + type: integer + - description: The number of list items to return per page. + in: query + name: per_page + required: false + schema: + example: 20 + type: integer + - description: Determines which field is used to sort the results. + in: query + name: sort_field + required: false + schema: + example: value + format: nonempty + minLength: 1 + type: string + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + example: asc + type: string + - in: query + name: cursor + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' + - description: | + Filters the returned results according to the value of the specified field, + using the : syntax. 
+ in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter' responses: '200': content: application/json: examples: - success: + ip: value: - isAborted: false - logs: - - duration: 45 - errors: [] - requests: [] - startedAt: 2025-01-20T10:00:00.000Z - warnings: [] - previewId: 7f1c9d1e-4c8a-4a3e-9a5d-0d4f6e1b2a90 + cursor: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d + data: + - _version: WzAsMV0= + '@timestamp': '2025-01-08T04:59:06.154Z' + created_at: '2025-01-08T04:59:06.154Z' + created_by: elastic + id: 21b01cfb-058d-44b9-838c-282be16c91cc + list_id: ip_list + tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a + type: ip + updated_at: '2025-01-08T04:59:06.154Z' + updated_by: elastic + value: 127.0.0.1 + page: 1 + per_page: 20 + total: 1 schema: type: object properties: - isAborted: - type: boolean - logs: + cursor: + $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' + data: items: - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewLogs + $ref: '#/components/schemas/Security_Lists_API_ListItem' type: array - previewId: - $ref: >- - #/components/schemas/Security_Detections_API_NonEmptyString + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer required: - - logs + - data + - page + - per_page + - total + - cursor description: Successful response '400': content: 
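Review bot: The new `list_id` query parameter for `/api/lists/items/_find` is the only parameter in this hunk without a `description`, while `page`, `per_page`, `sort_field`, `sort_order` and `filter` each have one; add `description: ID of the value list whose items to return.` beneath `name: list_id`. The `filter` description also reads "using the : syntax" with nothing on either side of the colon — if the `<field>:<value>` placeholder was lost when the text was copied rather than by this page's rendering, restore it as `using the \`<field name>:<field value>\` syntax`. The `cursor` parameter likewise carries no description beyond its schema reference. The operation's error responses continue in the next hunk.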
@@ -7812,17 +59127,13 @@ paths: examples: badRequest: value: - error: Bad Request - message: >- - [request body].timeframeEnd: expected string, received - null - statusCode: 400 + error: Bad Request, + message: '[request query]: list_id: Required' + statusCode: 400, schema: oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: @@ -7831,12 +59142,23 @@ paths: unauthorized: value: error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/lists/items/_find?list_id=ip_list&page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response '500': content: application/json: 
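Review bot: The rewritten `badRequest` example for `GET /api/lists/items/_find` carries trailing commas that change the values: `error: Bad Request,` becomes the string `Bad Request,` and `statusCode: 400,` becomes the string `400,` rather than the integer 400, so the example will fail validation against `Security_Lists_API_PlatformErrorResponse` if that schema types `statusCode` as an integer (the 401 example just below uses a bare `statusCode: 401`). Drop both commas: `error: Bad Request` and `statusCode: 400`. The enclosing operation starts in an earlier hunk.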
@@ -7846,78 +59168,116 @@ paths: message: Internal Server Error status_code: 500 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response - summary: Preview rule alerts generated on specified time range + summary: Get value list items tags: - - Security Detections API - - Rule preview API - /api/detection_engine/signals/assignees: + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/lists/items/_import: post: description: | - Assign users to detection alerts, and unassign them from alerts. - > info - > You cannot add and remove the same assignee in the same request. - operationId: SetAlertAssignees + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/lists/items/_import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Import value list items from a TXT or CSV file. The maximum file size is 9 million bytes. + + You can import items to a new or existing list. + operationId: ImportListItems + parameters: + - description: | + List's id. + + Required when importing to an existing list. + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: | + Type of the importing list. + + Required when importing a new list whose list `id` is not specified. + examples: + ip: + value: ip + in: query + name: type + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListType' + - description: Determines when changes made by the request are made visible to search. + in: query + name: refresh + required: false + schema: + enum: + - 'true' + - 'false' + - wait_for + example: true + type: string requestBody: content: - application/json: - examples: - add: - $ref: >- - #/components/examples/Security_Detections_API_SetAlertAssigneesBodyAdd - remove: - $ref: >- - #/components/examples/Security_Detections_API_SetAlertAssigneesBodyRemove + multipart/form-data: schema: - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertAssigneesBody - description: User profile IDs to add or remove on each listed alert document ID. + type: object + properties: + file: + description: A `.txt` or `.csv` file containing newline separated list items. 
+ example: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 + 127.0.0.4 + 127.0.0.5 + 127.0.0.6 + 127.0.0.7 + 127.0.0.8 + 127.0.0.9 + format: binary + type: string required: true responses: '200': content: application/json: examples: - add: + ip: value: - batches: 1 - deleted: 0 - failures: [] - noops: 0 - requests_per_second: -1 - retries: - bulk: 0 - search: 0 - throttled_millis: 0 - throttled_until_millis: 0 - timed_out: false - took: 76 - total: 1 - updated: 1 - version_conflicts: 0 + _version: WzAsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: This list describes bad internet ip + id: ip_list + immutable: false + name: Simple list with an ip + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T04:47:34.273Z' + updated_by: elastic + version: 1 schema: - additionalProperties: true - description: Elasticsearch update by query or update by IDs response - type: object - description: Indicates a successful call. + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response '400': content: application/json: examples: badRequest: value: - error: Bad Request - message: >- - [request body].ids: at least one alert id is required to - update assignees - statusCode: 400 + message: Either type or list_id need to be defined in the query + status_code: 400 schema: oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: 
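Review bot: The `refresh` query parameter added for `POST /api/lists/items/_import` declares `type: string` with `enum: ['true', 'false', 'wait_for']`, but its `example: true` is an unquoted YAML boolean, so the example is of a different type than the schema it illustrates and strict OAS validators will reject it; quote it as `example: 'true'`. Separately, the maintenance-window POST later in this file documents a required `kbn-xsrf` header described as "A required header to protect against CSRF attacks", and this multipart upload route lists no such header — if the lists import route is subject to the same Kibana check, it should be documented here with the same parameter block. The import operation's 401/403/409 responses continue in the following hunks.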
@@ -7926,11 +59286,10 @@ paths: unauthorized: value: error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: @@ -7939,16 +59298,17 @@ paths: forbidden: value: error: Forbidden - message: >- - API [POST /api/detection_engine/signals/assignees] is - unauthorized for the current user, this action is granted - by the Kibana Security Solution privileges for cases and - detections + message: API [POST /api/lists/items/_import?list_id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response + '409': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List with specified list_id does not exist response '500': content: application/json: 
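Review bot: The new `'409'` response for `POST /api/lists/items/_import` is described as `List with specified list_id does not exist response`, whereas the export operation earlier in this file reports the same condition as `'404'` with `List not found response`; if the import route really answers 409 Conflict for a missing list, the description should say so explicitly, e.g. `description: Conflict — the list_id given in the query does not exist, so the imported items cannot be attached to it`, and otherwise the status should be 404 for consistency with export. An `examples` entry would also help readers, as the `forbidden` example in this hunk provides for 403. The enclosing operation starts in an earlier hunk and ends in a later one.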
@@ -7958,105 +59318,110 @@ paths: message: Internal Server Error status_code: 500 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response - summary: Assign and unassign users from detection alerts + summary: Import value list items tags: - - Security Detections API - - Alerts API - /api/detection_engine/signals/search: - post: - description: Find and/or aggregate detection alerts that match the given query. - operationId: SearchAlerts - requestBody: - content: - application/json: - examples: - query: - value: - aggs: - alertsByGrouping: - terms: - field: host.name - size: 10 - missingFields: - missing: - field: host.name - query: - bool: - filter: - - bool: - filter: - - match_phrase: - kibana.alert.workflow_status: open - must: [] - must_not: - - exists: - field: kibana.alert.building_block_type - should: [] - - range: - '@timestamp': - gte: 2025-01-17T08:00:00.000Z - lte: 2025-01-18T07:59:59.999Z - runtime_mappings: {} - size: 0 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_QueryAlertsBodyParams - description: Elasticsearch query and aggregation request - description: Search and/or aggregation query - required: true + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/lists/privileges: + get: + operationId: ReadListPrivileges responses: '200': content: application/json: examples: - success: + privileges: value: - _shards: - failed: 0 - skipped: 0 - successful: 1 - total: 1 - aggregations: - alertsByGrouping: - buckets: - - doc_count: 5 - key: Host-f43kkddfyc - doc_count_error_upper_bound: 0 - sum_other_doc_count: 0 - missingFields: - doc_count: 0 - hits: - hits: [] - max_score: null - total: - relation: eq - value: 5 - timed_out: false - took: 0 + is_authenticated: true + listItems: + application: {} + cluster: + all: true + manage: true + 
manage_api_key: true + manage_index_templates: true + manage_ml: true + manage_own_api_key: true + manage_pipeline: true + manage_security: true + manage_transform: true + monitor: true + monitor_ml: true + monitor_transform: true + has_all_requested: true + index: + .items-default: + all: true + create: true + create_doc: true + create_index: true + delete: true + delete_index: true + index: true + maintenance: true + manage: true + monitor: true + read: true + view_index_metadata: true + write: true + username: elastic + lists: + application: {} + cluster: + all: true + manage: true + manage_api_key: true + manage_index_templates: true + manage_ml: true + manage_own_api_key: true + manage_pipeline: true + manage_security: true + manage_transform: true + monitor: true + monitor_ml: true + monitor_transform: true + has_all_requested: true + index: + .lists-default: + all: true + create: true + create_doc: true + create_index: true + delete: true + delete_index: true + index: true + maintenance: true + manage: true + monitor: true + read: true + view_index_metadata: true + write: true + username: elastic schema: - additionalProperties: true - description: Elasticsearch search response type: object + properties: + is_authenticated: + type: boolean + listItems: + $ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges' + lists: + $ref: '#/components/schemas/Security_Lists_API_ListPrivileges' + required: + - lists + - listItems + - is_authenticated description: Successful response '400': content: application/json: - examples: - badRequest: - value: - error: Bad Request - message: >- - Failed to parse search request: unknown query clause in - bool filter - statusCode: 400 schema: oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: 
'#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: @@ -8065,12 +59430,23 @@ paths: unauthorized: value: error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/lists/privileges] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response '500': content: application/json: @@ -8080,2631 +59456,4509 @@ paths: message: Internal Server Error status_code: 500 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response - summary: Find and/or aggregate detection alerts + summary: Get value list privileges tags: - - Security Detections API - - Alerts API - /api/detection_engine/signals/status: + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/privileges
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/maintenance_window: post: - description: Set the status of one or more detection alerts. - operationId: SetAlertsStatus + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/maintenance_window
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: post-maintenance-window + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - byId: - value: - signal_ids: - - >- - 80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1 - status: closed - byQuery: + createMaintenanceWindowRequest: + description: | + Create a maintenance window that recurs every week on Monday and Wednesday for two hours, with a scope that filters specific alerts using a KQL query. + summary: Create a maintenance window value: - conflicts: proceed - query: - bool: - filter: - - '@timestamp': - format: strict_date_optional_time - gte: 2024-10-23T07:00:00.000Z - lte: 2025-01-21T20:12:11.704Z - range: null - - bool: - filter: - bool: - filter: - - match_phrase: - kibana.alert.workflow_status: open - - '@timestamp': - format: strict_date_optional_time - gte: 2024-10-23T07:00:00.000Z - lte: 2025-01-21T20:12:11.704Z - range: null - must: [] - must_not: - - exists: - field: kibana.alert.building_block_type - should: [] - must: [] - must_not: [] - should: [] - status: closed + enabled: true + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + title: Weekly Maintenance Window schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByIds - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByQuery - description: >- - An object containing desired status and explicit alert ids or a query - to select alerts - required: true + additionalProperties: 
false + type: object + properties: + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + minimum: 1 + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + maximum: 12 + minimum: 1 + type: number + minItems: 1 + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + maximum: 31 + minimum: 1 + type: number + minItems: 1 + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + minItems: 1 + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. 
+ type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). Only alerts matching this query will be supressed by the maintenance window. + type: string + required: + - kql + required: + - query + required: + - alerting + title: + description: The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window. + type: string + required: + - title + - schedule responses: '200': content: application/json: examples: - byId: + createMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully created. + summary: Create a maintenance window response value: - batches: 1 - deleted: 0 - failures: [] - noops: 0 - requests_per_second: -1 - retries: - bulk: 0 - search: 0 - throttled_millis: 0 - throttled_until_millis: 0 - timed_out: false - took: 81 - total: 1 - updated: 1 - version_conflicts: 0 - byQuery: + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: upcoming + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic + schema: + additionalProperties: false + type: object + properties: + created_at: + description: The date and time when the maintenance window was created. + type: string + created_by: + description: The identifier for the user that created the maintenance window. 
+ nullable: true + type: string + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + id: + description: The identifier for the maintenance window. + type: string + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + type: number + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + type: number + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. 
+ type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + required: + - query + required: + - alerting + status: + description: The current status of the maintenance window. + enum: + - running + - upcoming + - finished + - archived + - disabled + type: string + title: + description: The name of the maintenance window. + type: string + updated_at: + description: The date and time when the maintenance window was last updated. + type: string + updated_by: + description: The identifier for the user that last updated this maintenance window. + nullable: true + type: string + required: + - id + - title + - enabled + - created_by + - updated_by + - created_at + - updated_at + - status + - schedule + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + summary: Create a maintenance window. + tags: + - maintenance-window + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/maintenance_window/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/maintenance_window/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: read-maintenance-window. + operationId: get-maintenance-window-find + parameters: + - description: The title of the maintenance window. + in: query + name: title + required: false + schema: + type: string + - description: The user who created the maintenance window. + in: query + name: created_by + required: false + schema: + type: string + - description: The status of the maintenance window. It can be "running", "upcoming", "finished", "archived", or "disabled". + in: query + name: status + required: false + schema: + items: + enum: + - running + - finished + - upcoming + - archived + - disabled + type: string + type: array + - description: The page number to return. + in: query + name: page + required: false + schema: + default: 1 + maximum: 100 + minimum: 1 + type: number + - description: The number of maintenance windows to return per page. + in: query + name: per_page + required: false + schema: + default: 10 + maximum: 100 + minimum: 1 + type: number + responses: + '200': + content: + application/json: + examples: + findMaintenanceWindowsResponse: + description: | + The response returned when maintenance windows are successfully found. 
+ summary: Find maintenance windows response value: - batches: 1 - deleted: 0 - failures: [] - noops: 0 - requests_per_second: -1 - retries: - bulk: 0 - search: 0 - throttled_millis: 0 - throttled_until_millis: 0 - timed_out: false - took: 100 - total: 17 - updated: 17 - version_conflicts: 0 + maintenanceWindows: + - created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: upcoming + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic + - created_at: '2025-03-10T09:00:00.000Z' + created_by: elastic + enabled: true + id: a1c94560-6e3b-4ea1-9065-8e3f1b8c5f29 + schedule: + custom: + duration: 1h + recurring: + end: '2025-12-31T00:00:00.000Z' + every: 2w + onWeekDay: + - FR + start: '2025-04-01T10:00:00.000Z' + timezone: US/Eastern + scope: + alerting: + query: + kql: 'kibana.alert.tags: "database"' + status: upcoming + title: Database Upgrade Window + updated_at: '2025-03-15T14:30:00.000Z' + updated_by: elastic + page: 1 + per_page: 10 + total: 2 schema: - additionalProperties: true - description: Elasticsearch update by query response + additionalProperties: false type: object - description: Successful response + properties: + maintenanceWindows: + description: The list of maintenance windows. + items: + additionalProperties: false + type: object + properties: + created_at: + description: The date and time when the maintenance window was created. + type: string + created_by: + description: The identifier for the user that created the maintenance window. + nullable: true + type: string + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. 
+ type: boolean + id: + description: The identifier for the maintenance window. + type: string + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + type: number + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + type: number + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. 
+ type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + required: + - query + required: + - alerting + status: + description: The current status of the maintenance window. + enum: + - running + - upcoming + - finished + - archived + - disabled + type: string + title: + description: The name of the maintenance window. + type: string + updated_at: + description: The date and time when the maintenance window was last updated. + type: string + updated_by: + description: The identifier for the user that last updated this maintenance window. + nullable: true + type: string + required: + - id + - title + - enabled + - created_by + - updated_by + - created_at + - updated_at + - status + - schedule + type: array + page: + description: The current page number. + type: number + per_page: + description: The number of maintenance windows returned per page. + type: number + total: + description: The total number of maintenance windows that match the query. + type: number + required: + - page + - per_page + - total + - maintenanceWindows + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + summary: Search for a maintenance window. + tags: + - maintenance-window + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/maintenance_window/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/maintenance_window/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: delete-maintenance-window-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the maintenance window to be deleted. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a maintenance window with the given ID does not exist. + summary: Delete a maintenance window. + tags: + - maintenance-window + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/maintenance_window/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: read-maintenance-window. + operationId: get-maintenance-window-id + parameters: + - description: The identifier for the maintenance window. + in: path + name: id + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - badRequest: + getMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully retrieved. + summary: Get a maintenance window response value: - error: Bad Request - message: >- - [request body].signal_ids: at least one alert id is - required to update status - statusCode: 400 + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: upcoming + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': + additionalProperties: false + type: object + properties: + created_at: + description: The date and time when the maintenance window was created. + type: string + created_by: + description: The identifier for the user that created the maintenance window. + nullable: true + type: string + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + id: + description: The identifier for the maintenance window. 
+ type: string + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + type: number + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + type: number + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. 
+ type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + required: + - query + required: + - alerting + status: + description: The current status of the maintenance window. + enum: + - running + - upcoming + - finished + - archived + - disabled + type: string + title: + description: The name of the maintenance window. + type: string + updated_at: + description: The date and time when the maintenance window was last updated. + type: string + updated_by: + description: The identifier for the user that last updated this maintenance window. + nullable: true + type: string + required: + - id + - title + - enabled + - created_by + - updated_by + - created_at + - updated_at + - status + - schedule + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a maintenance window with the given ID does not exist. + summary: Get maintenance window details. + tags: + - maintenance-window + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/maintenance_window/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: patch-maintenance-window-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the maintenance window. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateMaintenanceWindowRequest: + description: | + Update a maintenance window to change its title, schedule, and scope. + summary: Update a maintenance window + value: + enabled: true + schedule: + custom: + duration: 1h + recurring: + end: '2025-12-31T00:00:00.000Z' + every: 2w + onWeekDay: + - FR + start: '2025-04-01T10:00:00.000Z' + timezone: US/Eastern + scope: + alerting: + query: + kql: 'kibana.alert.tags: "database"' + title: Updated maintenance window + schema: + additionalProperties: false + type: object + properties: + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. 
`` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + minimum: 1 + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + maximum: 12 + minimum: 1 + type: number + minItems: 1 + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + maximum: 31 + minimum: 1 + type: number + minItems: 1 + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + minItems: 1 + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. + type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). Only alerts matching this query will be supressed by the maintenance window. + type: string + required: + - kql + required: + - query + required: + - alerting + title: + description: The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window. + type: string + responses: + '200': content: application/json: examples: - unauthorized: + updateMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully updated. 
+ summary: Update a maintenance window response value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 1h + recurring: + end: '2025-12-31T00:00:00.000Z' + every: 2w + onWeekDay: + - FR + start: '2025-04-01T10:00:00.000Z' + timezone: US/Eastern + scope: + alerting: + query: + kql: 'kibana.alert.tags: "database"' + status: upcoming + title: Updated maintenance window + updated_at: '2025-03-15T14:30:00.000Z' + updated_by: elastic schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': + additionalProperties: false + type: object + properties: + created_at: + description: The date and time when the maintenance window was created. + type: string + created_by: + description: The identifier for the user that created the maintenance window. + nullable: true + type: string + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + id: + description: The identifier for the maintenance window. + type: string + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' 
+ type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + type: number + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + type: number + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. + type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + required: + - query + required: + - alerting + status: + description: The current status of the maintenance window. + enum: + - running + - upcoming + - finished + - archived + - disabled + type: string + title: + description: The name of the maintenance window. 
+ type: string + updated_at: + description: The date and time when the maintenance window was last updated. + type: string + updated_by: + description: The identifier for the user that last updated this maintenance window. + nullable: true + type: string + required: + - id + - title + - enabled + - created_by + - updated_by + - created_at + - updated_at + - status + - schedule + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a maintenance window with the given ID does not exist. + '409': + description: Indicates that the maintenance window has already been updated by another user. + summary: Update a maintenance window. + tags: + - maintenance-window + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/maintenance_window/{id}/_archive: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/maintenance_window/{id}/_archive
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: post-maintenance-window-id-archive + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the maintenance window to be archived. + in: path + name: id + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - serverError: + archiveMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully archived. + summary: Archive a maintenance window response value: - message: Internal Server Error - status_code: 500 + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: archived + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Set a detection alert status + additionalProperties: false + type: object + properties: + created_at: + description: The date and time when the maintenance window was created. + type: string + created_by: + description: The identifier for the user that created the maintenance window. + nullable: true + type: string + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. 
+ type: boolean + id: + description: The identifier for the maintenance window. + type: string + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + type: number + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + type: number + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. 
+ type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + required: + - query + required: + - alerting + status: + description: The current status of the maintenance window. + enum: + - running + - upcoming + - finished + - archived + - disabled + type: string + title: + description: The name of the maintenance window. + type: string + updated_at: + description: The date and time when the maintenance window was last updated. + type: string + updated_by: + description: The identifier for the user that last updated this maintenance window. + nullable: true + type: string + required: + - id + - title + - enabled + - created_by + - updated_by + - created_at + - updated_at + - status + - schedule + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a maintenance window with the given ID does not exist. + summary: Archive a maintenance window. tags: - - Security Detections API - - Alerts API - /api/detection_engine/signals/tags: + - maintenance-window + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/maintenance_window/{id}/_unarchive: post: - description: > - Add tags to detection alerts, and remove them from alerts, by alert IDs - or a query, in a single request. + description: |- + **Spaces method and path for this operation:** - > info +
post /s/{space_id}/api/maintenance_window/{id}/_unarchive
- > You cannot add and remove the same alert tag in the same request. - operationId: SetAlertTags - requestBody: - content: - application/json: - examples: - add: - $ref: >- - #/components/examples/Security_Detections_API_SetAlertTagsBodyAdd - remove: - $ref: >- - #/components/examples/Security_Detections_API_SetAlertTagsBodyRemove - schema: - $ref: '#/components/schemas/Security_Detections_API_SetAlertTagsBody' - description: >- - An object containing tags to add or remove and alert ids the changes - will be applied - required: true + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: post-maintenance-window-id-unarchive + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the maintenance window to be unarchived. + in: path + name: id + required: true + schema: + type: string responses: '200': content: application/json: examples: - success: + unarchiveMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully unarchived. 
+ summary: Unarchive a maintenance window response value: - batches: 1, - deleted: 0, - failures: [] - noops: 0, - requests_per_second: '-1,' - retries: - bulk: 0, - search: 0 - throttled_millis: 0, - throttled_until_millis: 0, - timed_out: false, - took: 68, - total: 1, - updated: 1, - version_conflicts: 0, + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: upcoming + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic schema: - additionalProperties: true - description: Elasticsearch update by query response + additionalProperties: false type: object - description: Successful response + properties: + created_at: + description: The date and time when the maintenance window was created. + type: string + created_by: + description: The identifier for the user that created the maintenance window. + nullable: true + type: string + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + id: + description: The identifier for the maintenance window. + type: string + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. 
For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + type: number + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + type: number + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. + type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + required: + - query + required: + - alerting + status: + description: The current status of the maintenance window. + enum: + - running + - upcoming + - finished + - archived + - disabled + type: string + title: + description: The name of the maintenance window. + type: string + updated_at: + description: The date and time when the maintenance window was last updated. 
+ type: string + updated_by: + description: The identifier for the user that last updated this maintenance window. + nullable: true + type: string + required: + - id + - title + - enabled + - created_by + - updated_by + - created_at + - updated_at + - status + - schedule + description: Indicates a successful call. '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a maintenance window with the given ID does not exist. + summary: Unarchive a maintenance window. + tags: + - maintenance-window + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/ml/saved_objects/sync: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/ml/saved_objects/sync
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Synchronizes Kibana saved objects for machine learning jobs and trained models in the default space. You must have `all` privileges for the **Machine Learning** feature in the **Analytics** section of the Kibana feature privileges. This API runs automatically when you start Kibana and periodically thereafter. + operationId: mlSync + parameters: + - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' + responses: + '200': content: application/json: examples: - badRequest: - value: - error: Bad Request - message: >- - [request body].tags: cannot add and remove the same tag in - a single request - statusCode: 400 + syncExample: + $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response + $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' + description: Indicates a successful call '401': content: application/json: examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 + syncExample: + $ref: '#/components/examples/Machine_learning_APIs_mlSync401Example' schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: 
Add and remove detection alert tags + $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' + description: Authorization information is missing or invalid. + summary: Sync saved objects in the default space tags: - - Security Detections API - - Alerts API - /api/detection_engine/tags: - get: - description: List all unique tags from all detection rules. - operationId: ReadTags + - ml + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/ml/saved_objects/update_jobs_spaces: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/ml/saved_objects/update_jobs_spaces
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a list of jobs to add and/or remove them from given spaces. + operationId: mlUpdateJobsSpaces + requestBody: + content: + application/json: + examples: + updateADJobSpacesRequest: + value: + jobIds: + - test-job + jobType: anomaly-detector + spacesToAdd: + - default + spacesToRemove: + - '*' + updateDFAJobSpacesRequest: + value: + jobIds: + - test-job + jobType: data-frame-analytics + spacesToAdd: + - default + spacesToRemove: + - '*' responses: '200': content: application/json: examples: - example1: + successADResponse: value: - - zeek - - suricata - - windows - - linux - - network - - initial access - - remote access - - phishing - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + test-job: + success: true + type: anomaly-detector + successDFAResponse: + value: + test-job: + success: true + type: data-frame-analytics description: Indicates a successful call - summary: List all detection rule tags + summary: Update jobs spaces tags: - - Security Detections API - - Tags API - /api/endpoint_list: + - ml + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/ml/saved_objects/update_trained_models_spaces: post: - description: >- - Create the exception list for Elastic Endpoint rule exceptions. When you - create the exception list, it will have a `list_id` of `endpoint_list`. - If the Elastic Endpoint exception list already exists, your request will - return an empty response. - operationId: CreateEndpointList + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/ml/saved_objects/update_trained_models_spaces
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a list of trained models to add and/or remove them from given spaces. + operationId: mlUpdateTrainedModelsSpaces + requestBody: + content: + application/json: + examples: + updateTrainedModelsSpacesRequest: + value: + modelIds: + - test-model + spacesToAdd: + - default + spacesToRemove: + - '*' responses: '200': content: application/json: examples: - alreadyExists: - summary: Endpoint exception list already exists (empty response) - value: {} - newList: - summary: Endpoint exception list created + successTMResponse: value: - created_at: '2025-01-01T00:00:00.000Z' - created_by: elastic - description: Endpoint Security Exception List - id: 2e23a8c4-ef7e-4c10-adfa-3eae4e4b4b8b - immutable: false - list_id: endpoint_list - name: Endpoint Security Exception List - namespace_type: agnostic - os_types: [] - tags: [] - tie_breaker_id: e3c5a8e0-5b6a-4b4b-8b3a-2e23a8c4ef7e - type: endpoint - updated_at: '2025-01-01T00:00:00.000Z' - updated_by: elastic - version: 1 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointList - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '500': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal 
server error - summary: Create an Elastic Endpoint rule exception list + test-model: + success: true + type: trained-model" + description: Indicates a successful call + summary: Update trained models spaces tags: - - Security Endpoint Exceptions API - /api/endpoint_list/items: + - ml + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/note: delete: - description: >- - Delete an Elastic Endpoint exception list item, specified by the `id` or - `item_id` field. - operationId: DeleteEndpointListItem - parameters: - - description: Either `id` or `item_id` must be specified - in: query - name: id - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - - description: Either `id` or `item_id` must be specified - in: query - name: item_id - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/note
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Deletes notes by saved object ID. Send either `noteId` (single ID) or `noteIds` (array of IDs) in the JSON body. + + The response has HTTP 200 with an empty body on success. + + Requires the **Timeline and Notes** write privilege (`notes_write`). + operationId: DeleteNote + requestBody: + content: + application/json: + examples: + deleteOne: + summary: Delete a single note by id + value: + noteId: 709f99c6-89b6-4953-9160-35945c8e174e + schema: + oneOf: + - nullable: true + type: object + properties: + noteId: + description: Saved object ID of the note to delete. + type: string + required: + - noteId + - nullable: true + type: object + properties: + noteIds: + description: Saved object IDs of the notes to delete. + items: + type: string + nullable: true + type: array + required: + - noteIds + description: | + Exactly one shape: `{ "noteId": "" }` for a single delete, or `{ "noteIds": ["", ...] }` for bulk delete. + `noteIds` may be null in some clients; prefer an empty array or omit unused fields when possible. 
+ required: true responses: '200': - content: - application/json: - examples: - deleted: - summary: Deleted endpoint exception list item - value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: [] - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '404': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item not found - '500': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Delete an Elastic Endpoint exception list item + description: The notes were deleted successfully. 
Response body is empty. + summary: Delete one or more notes tags: - - Security Endpoint Exceptions API + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: >- - Get the details of an Elastic Endpoint exception list item, specified by - the `id` or `item_id` field. - operationId: ReadEndpointListItem + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/note
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns Security Timeline notes as saved objects. + + **Query modes (mutually exclusive branches on the server):** + + 1. **`documentIds` is set** — Returns notes whose `eventId` matches the given Elasticsearch document `_id` (single string or array). Pagination query parameters (`page`, `perPage`, etc.) are **not** applied; the server uses a fixed page size (up to 10000 notes). + + 2. **`savedObjectIds` is set** — Returns notes linked to the given Timeline saved object id(s). Same fixed cap as above; list-mode query parameters are **not** applied. + + 3. **Neither `documentIds` nor `savedObjectIds`** — Lists notes using saved-objects find semantics: `page` (default 1), `perPage` (default 10), optional `search`, `sortField`, `sortOrder`, `filter`, `createdByFilter`, and `associatedFilter`. + + Requires the **Timeline and Notes** read privilege (`notes_read`). + operationId: GetNotes parameters: - - description: Either `id` or `item_id` must be specified + - description: | + Event document `_id` values to match against each note's `eventId`. When this parameter is present, the response is all matching notes (up to the server's hard limit), not a paged list using `page`/`perPage`. + examples: + multiple: + summary: Multiple document ids (array) + value: + - id-one + - id-two + single: + summary: Single document id + value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b + in: query + name: documentIds + schema: + $ref: '#/components/schemas/Security_Timeline_API_DocumentIds' + - description: | + Timeline `savedObjectId` value(s). Returns notes that reference those timelines. When present, list-mode pagination parameters are not used; up to the server's hard limit of notes may be returned. 
+ examples: + singleTimeline: + summary: Single timeline id + value: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + in: query + name: savedObjectIds + schema: + $ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds' + - description: | + Page number for list mode (when `documentIds` and `savedObjectIds` are omitted). Passed as a string; default 1. + example: '1' in: query - name: id - required: false + name: page schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - - description: Either `id` or `item_id` must be specified + nullable: true + type: string + - description: | + Page size for list mode (when `documentIds` and `savedObjectIds` are omitted). Passed as a string; default 10. + example: '20' in: query - name: item_id - required: false + name: perPage + schema: + nullable: true + type: string + - description: Search string for saved-objects find (list mode only). + in: query + name: search + schema: + nullable: true + type: string + - description: Field to sort by for saved-objects find (list mode only). + in: query + name: sortField + schema: + nullable: true + type: string + - description: Sort order (`asc` or `desc`) for saved-objects find (list mode only). + example: desc + in: query + name: sortOrder + schema: + nullable: true + type: string + - description: | + Kuery filter string combined with other list-mode filters (for example `createdByFilter` or `associatedFilter`). Typed as a string for API compatibility; interpreted by the saved-objects layer (list mode only). + in: query + name: filter + schema: + nullable: true + type: string + - description: | + Kibana user profile **UID** (UUID). The server resolves the user's display identifiers and returns notes whose `createdBy` matches any of them (list mode only). 
+ example: f1c2d3e4-5b6a-7890-abcd-ef1234567890 + in: query + name: createdByFilter + schema: + nullable: true + type: string + - description: | + Restricts notes by how they relate to a Timeline and/or an event document (list mode only). Some values apply extra filtering after the query. Ignored when `documentIds` or `savedObjectIds` is used. + in: query + name: associatedFilter schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + $ref: '#/components/schemas/Security_Timeline_API_AssociatedFilterType' responses: '200': content: application/json: examples: - item: - summary: Endpoint exception list item + notesPage: + summary: Paged notes for a timeline value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json: - schema: - $ref: >- - 
#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '404': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item not found - '500': - content: - application/json: + notes: + - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + note: Escalated to tier-2 analyst + noteId: 709f99c6-89b6-4953-9160-35945c8e174e + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzQ2LDFd + totalCount: 1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Get an Elastic Endpoint rule exception list item + $ref: '#/components/schemas/Security_Timeline_API_GetNotesResult' + description: Notes and total count for the requested mode. + summary: Get notes tags: - - Security Endpoint Exceptions API - post: - description: >- - Create an Elastic Endpoint exception list item, and associate it with - the Elastic Endpoint exception list. - operationId: CreateEndpointListItem + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + patch: + description: | + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/note
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates a new note or updates an existing one. + + **Create:** Send `note` and omit `noteId` to create a new saved object. + + **Update:** Send `note` with the changed fields and set `noteId` to the note's saved object ID. Optionally include `version` for optimistic concurrency when the client has it from a prior read. + + Requires the **Timeline and Notes** write privilege (`notes_write`). + externalDocs: + description: Add or update a note on a Timeline + url: https://www.elastic.co/guide/en/security/current/timeline-api-update.html + operationId: PersistNoteRoute requestBody: content: application/json: examples: - matchAny: - summary: Exclude multiple process names - value: - description: Exclude common security tools from endpoint protection - entries: - - field: process.name - operator: included - type: match_any - value: - - scanner.exe - - updater.exe - name: Trusted security tools - os_types: - - windows - type: simple - simpleMatch: - summary: Block a specific file hash + addNote: + summary: Add a note on an event value: - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - name: Block malicious file - os_types: - - windows - tags: - - policy:all - type: simple + note: + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + note: Escalated to tier-2 analyst + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e schema: type: object properties: - comments: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray - item_id: - $ref: >- - 
#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId - meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta - name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName - os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags - default: [] - type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType + note: + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + description: Note payload (timeline, text, optional event linkage, metadata). + noteId: + description: The `savedObjectId` of the note to update. Omit when creating a new note. + example: 709f99c6-89b6-4953-9160-35945c8e174e + nullable: true + type: string + version: + description: Saved object version string from a previous read; optional on update. + example: WzQ2LDFd + nullable: true + type: string required: - - type - - name - - description - - entries - description: Exception list item's properties + - note + description: | + Body must include the `note` object. For updates, include `noteId` (and optionally `version`). + To attach a note to a specific event, set `note.eventId` to that event's document `_id`; for a timeline-wide note, omit or clear `eventId` per product rules. 
required: true responses: '200': content: application/json: examples: - created: - summary: Endpoint exception list item created + persisted: + summary: Persisted note wrapper value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '409': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item already exists - '500': - content: - application/json: + note: + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + note: Escalated to tier-2 analyst + noteId: 709f99c6-89b6-4953-9160-35945c8e174e + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: 
WzQ2LDFd schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Create an Elastic Endpoint rule exception list item + $ref: '#/components/schemas/Security_Timeline_API_ResponseNote' + description: The persisted note, including `noteId` and `version`. + summary: Add or update a note tags: - - Security Endpoint Exceptions API - put: - description: >- - Update an Elastic Endpoint exception list item, specified by the `id` or - `item_id` field. - operationId: UpdateEndpointListItem + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/observability_ai_assistant/chat/complete: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/observability_ai_assistant/chat/complete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new chat completion by using the Observability AI Assistant. + + The API returns the model's response based on the current conversation context. + + It also handles any tool requests within the conversation, which may trigger multiple calls to the underlying large language model (LLM). + + This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. + operationId: observability-ai-assistant-chat-complete requestBody: content: application/json: examples: - updateName: - summary: Update an endpoint exception list item - value: - description: Updated description for the exception - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - item_id: block-malicious-file - name: Block malicious file (updated) - os_types: - - windows - - linux - type: simple + chatCompleteRequestExample: + $ref: '#/components/examples/Observability_AI_Assistant_API_ChatCompleteRequestExample' schema: type: object properties: - _version: - description: >- - The version id, normally returned by the API when the item - is retrieved. Use it ensure updates are made against the - latest version. + actions: + items: + $ref: '#/components/schemas/Observability_AI_Assistant_API_Function' + type: array + connectorId: + description: A unique identifier for the connector. + type: string + conversationId: + description: A unique identifier for the conversation if you are continuing an existing conversation. + type: string + disableFunctions: + description: Flag indicating whether all function calls should be disabled for the conversation. If true, no calls to functions will be made. 
+ type: boolean + instructions: + description: An array of instruction objects, which can be either simple strings or detailed objects. + items: + $ref: '#/components/schemas/Observability_AI_Assistant_API_Instruction' + type: array + messages: + description: An array of message objects containing the conversation history. + items: + $ref: '#/components/schemas/Observability_AI_Assistant_API_Message' + type: array + persist: + description: Indicates whether the conversation should be saved to storage. If true, the conversation will be saved and will be available in Kibana. + type: boolean + title: + description: A title for the conversation. type: string - comments: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray - id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - description: Either `id` or `item_id` must be specified - item_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId - description: Either `id` or `item_id` must be specified - meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta - name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName - os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags - type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType required: - - type - - name - - description - - entries - description: Exception list item's properties - required: true + - messages + - connectorId + - persist responses: 
'200': content: application/json: examples: - updated: - summary: Endpoint exception list item updated - value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Updated description for the exception - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file (updated) - namespace_type: agnostic - os_types: - - windows - - linux - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-15T09:30:00.000Z' - updated_by: elastic + chatCompleteResponseExample: + $ref: '#/components/examples/Observability_AI_Assistant_API_ChatCompleteResponseExample' schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + type: object description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '404': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item not found - '500': + summary: Generate a chat completion + tags: + - observability_ai_assistant + x-codeSamples: + - lang: cURL + source: | + curl --request POST 
'localhost:5601/api/observability_ai_assistant/chat/complete' -u : -H 'kbn-xsrf: true' -H "Content-Type: application/json" --data ' + { + "connectorId": "", + "disableFunctions": false, + "messages": [ + { + "@timestamp": "2025-06-25T23:45:00.000Z", + "message": { + "role": "user", + "content": "Is my Elasticsearch cluster healthy right now?" + } + } + ], + "persist": false, + "actions": [ + { + "name": "get_cluster_health", + "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", + "parameters": { + "type": "object", + "properties": { + "includeShardStats": { + "type": "boolean", + "default": false + } + } + } + } + ], + "instructions": ["When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English."] + }' + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/history: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/history
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a unified, time-sorted history of live, rule-triggered, and scheduled osquery executions. The response uses cursor-based pagination. + operationId: OsqueryGetUnifiedHistory + parameters: + - description: The number of results to return per page. + in: query + name: pageSize + required: false + schema: + default: 20 + description: The number of results to return per page. + maximum: 100 + minimum: 1 + type: integer + - description: A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page. + in: query + name: nextPage + required: false + schema: + description: A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page. + type: string + - description: A search string to filter history entries by pack name, query text, or query ID. + in: query + name: kuery + required: false + schema: + description: A search string to filter history entries by pack name, query text, or query ID. + type: string + - description: Comma-separated list of user IDs to filter live query history. + in: query + name: userIds + required: false + schema: + description: Comma-separated list of user IDs to filter live query history. + example: elastic,admin + type: string + - description: Comma-separated list of source types to include. Valid values are `live`, `rule`, and `scheduled`. + in: query + name: sourceFilters + required: false + schema: + description: Comma-separated list of source types to include. Valid values are `live`, `rule`, and `scheduled`. + example: live,scheduled + type: string + - description: The start of the time range filter (ISO 8601). + in: query + name: startDate + required: false + schema: + description: The start of the time range filter (ISO 8601). + example: '2024-01-01T00:00:00Z' + type: string + - description: The end of the time range filter (ISO 8601). 
+ in: query + name: endDate + required: false + schema: + description: The end of the time range filter (ISO 8601). + example: '2024-12-31T23:59:59Z' + type: string + responses: + '200': content: application/json: + examples: + unifiedHistoryExample: + summary: Example unified history response + value: + data: + - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agentCount: 5 + errorCount: 0 + id: 3c42c847-eb30-4452-80e0-728584042334 + queryName: uptime_query + queryText: select * from uptime; + source: Live + sourceType: live + successCount: 5 + timestamp: '2024-07-26T09:59:32.220Z' + totalRows: 42 + userId: elastic + - agentCount: 10 + errorCount: 1 + executionCount: 3 + id: pack_my_pack_uptime_3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + plannedTime: '2024-07-26T09:00:00.000Z' + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + source: Scheduled + sourceType: scheduled + successCount: 9 + timestamp: '2024-07-26T09:00:00.000Z' + totalRows: 100 + hasMore: true + nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Update an Elastic Endpoint rule exception list item + $ref: '#/components/schemas/Security_Osquery_API_GetUnifiedHistoryResponse' + description: Indicates a successful call. + summary: Get unified query history tags: - - Security Endpoint Exceptions API - /api/endpoint_list/items/_find: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/live_queries: get: - description: Get a list of all Elastic Endpoint exception list items. 
- operationId: FindEndpointListItems - parameters: - - description: > - Filters the returned results according to the value of the specified - field, + description: |- + **Spaces method and path for this operation:** - using the `:` syntax. +
get /s/{space_id}/api/osquery/live_queries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all live queries. + operationId: OsqueryFindLiveQueries + parameters: + - description: A KQL search string to filter live queries. in: query - name: filter + name: kuery required: false schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter - - description: The page number to return + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. in: query name: page required: false schema: - minimum: 0 - type: integer - - description: The number of exception list items to return per page + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. in: query - name: per_page + name: pageSize required: false schema: - minimum: 0 - type: integer - - description: Determines which field is used to sort the results + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. in: query - name: sort_field + name: sort required: false schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString - - description: Determines the sort order, which can be `desc` or `asc` + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. 
in: query - name: sort_order + name: sortOrder required: false schema: - enum: - - desc - - asc - type: string + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': - content: - application/json: - examples: - foundItems: - summary: Found endpoint exception list items - value: - data: - - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic - page: 1 - per_page: 20 - total: 1 - schema: - type: object - properties: - data: - description: The list of endpoint exception list items. - items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem - type: array - page: - description: The current page number. - minimum: 0 - type: integer - per_page: - description: The number of items per page. - minimum: 0 - type: integer - pit: - description: The point-in-time ID for pagination. - type: string - total: - description: The total number of endpoint exception list items. 
- minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': content: application/json: schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '404': + $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryResponse' + description: Indicates a successful call. + summary: Get live queries + tags: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/live_queries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create and run a live query. + operationId: OsqueryCreateLiveQuery + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody' + required: true + responses: + '200': content: application/json: schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list not found - '500': + $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryResponse' + description: Indicates a successful call. + summary: Create a live query + tags: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/live_queries/{id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/live_queries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a live query using the query ID. + operationId: OsqueryGetLiveQueryDetails + parameters: + - description: The ID of the live query. + in: path + name: id + required: true + schema: + description: The ID of the live query result you want to retrieve. + example: 3c42c847-eb30-4452-80e0-728584042334 + type: string + responses: + '200': content: application/json: schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Get Elastic Endpoint exception list items + $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse' + description: Indicates a successful call. + summary: Get live query details tags: - - Security Endpoint Exceptions API - /api/endpoint/action: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/live_queries/{id}/results/{actionId}: get: - description: Get a list of all response actions. - operationId: EndpointGetActionsList + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/live_queries/{id}/results/{actionId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the results of a live query using the query action ID. + operationId: OsqueryGetLiveQueryResults parameters: - - in: query - name: page - required: false + - description: The ID of the live query. + in: path + name: id + required: true schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - - in: query - name: pageSize + description: The ID of the live query result you want to retrieve. + example: 3c42c847-eb30-4452-80e0-728584042334 + type: string + - description: The ID of the query action. + in: path + name: actionId + required: true + schema: + description: The ID of the query action that generated the live query results. + example: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + type: string + - description: A KQL search string to filter results. + in: query + name: kuery required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' - - in: query - name: commands + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. + in: query + name: page required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' - - in: query - name: agentIds + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. + in: query + name: pageSize required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' - - in: query - name: userIds + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. + in: query + name: sort required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' - - in: query - name: startDate + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. 
+ in: query + name: sortOrder required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' - - in: query - name: endDate + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse' + description: Indicates a successful call. + summary: Get live query results + tags: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/packs: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/packs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all query packs. + operationId: OsqueryFindPacks + parameters: + - description: The page number to return. + in: query + name: page required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' - - in: query - name: agentTypes + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. + in: query + name: pageSize required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - - in: query - name: withOutputs + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. + in: query + name: sort required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' - - in: query - name: types + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. + in: query + name: sortOrder required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse + $ref: '#/components/schemas/Security_Osquery_API_FindPacksResponse' description: Indicates a successful call. - summary: Get response actions + summary: Get packs tags: - - Security Endpoint Management API - /api/endpoint/action_status: - get: - description: Get the status of response actions for the specified agent IDs. - operationId: EndpointGetActionsStatus + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/packs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a query pack. + operationId: OsqueryCreatePacks + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody' + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_CreatePacksResponse' + description: Indicates a successful call. + summary: Create a pack + tags: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/packs/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/osquery/packs/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a query pack using the pack ID. + operationId: OsqueryDeletePacks parameters: - - description: A list of agent IDs to get the action status for. - in: query - name: agent_ids + - description: The pack ID. + in: path + name: id required: true schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + $ref: '#/components/schemas/Security_Osquery_API_PackId' responses: '200': content: application/json: schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse + example: {} + type: object + properties: {} description: Indicates a successful call. - summary: Get response actions status + summary: Delete a pack tags: - - Security Endpoint Management API - /api/endpoint/action/{action_id}: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: Get the details of a response action using the action ID. - operationId: EndpointGetActionsDetails + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/packs/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a query pack using the pack ID. + operationId: OsqueryGetPacksDetails parameters: - - in: path - name: action_id + - description: The pack ID. + in: path + name: id required: true schema: - description: The ID of the action to retrieve. - example: fr518850-681a-4y60-aa98-e22640cae2b8 - type: string + $ref: '#/components/schemas/Security_Osquery_API_PackId' responses: '200': content: application/json: schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ActionDetailsResponse - description: OK - summary: Get action details + $ref: '#/components/schemas/Security_Osquery_API_FindPackResponse' + description: Indicates a successful call. + summary: Get pack details tags: - - Security Endpoint Management API - /api/endpoint/action/{action_id}/file/{file_id}: - get: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: description: | - Get information for the specified response action file download. - operationId: EndpointFileInfo + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/osquery/packs/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a query pack using the pack ID. + > info + > You cannot update a prebuilt pack. + operationId: OsqueryUpdatePacks parameters: - - description: The ID of the response action that generated the file. + - description: The pack ID. in: path - name: action_id + name: id required: true schema: - type: string - - description: > - The file identifier is constructed in one of two ways: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody' + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksResponse' + description: Indicates a successful call. + summary: Update a pack + tags: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/packs/{id}/copy: + post: + description: |- + **Spaces method and path for this operation:** - - For Elastic Defend agents (`agentType` of `endpoint`): combine the - `action_id` and `agent_id` values using a dot (`.`) separator: +
post /s/{space_id}/api/osquery/packs/{id}/copy
- `{file_id}` = `{action_id}.{agent_id}` + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - For all other agent types: the `file_id` is the `agent_id` for - which the response action was sent to. + Create a copy of a query pack with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`). The copied pack is always created with `enabled` set to `false`. + operationId: OsqueryCopyPacks + parameters: + - description: The ID of the pack to copy. in: path - name: file_id + name: id required: true schema: - type: string + $ref: '#/components/schemas/Security_Osquery_API_PackId' responses: '200': content: application/json: + examples: + copyPackExample: + summary: Example response for copying a pack + value: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: false + name: my_pack_copy + policy_ids: [] + queries: + - ecs_mapping: + - key: client.port + value: + field: port + id: ports + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: [] + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic schema: - properties: - data: - type: object - properties: - actionId: - description: The response action ID. - type: string - agentId: - description: The agent ID that generated the file. - type: string - agentType: - description: The type of agent that generated the file. - type: string - created: - description: The date and time the file was created. - format: date-time - type: string - id: - description: The unique file identifier. - type: string - mimeType: - description: The MIME type of the file. - type: string - name: - description: The file name. - type: string - size: - description: The file size in bytes. - type: number - status: - description: The file upload status. 
- enum: - - AWAITING_UPLOAD - - UPLOADING - - READY - - UPLOAD_ERROR - - DELETED - type: string + $ref: '#/components/schemas/Security_Osquery_API_CopyPacksResponse' description: Indicates a successful call. - summary: Get file information + summary: Copy a pack tags: - - Security Endpoint Management API - /api/endpoint/action/{action_id}/file/{file_id}/download: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/saved_queries: get: - description: > - Download a file associated with a response action. Files are downloaded - in a password-protected `.zip` archive to prevent the file from running. - Use password `elastic` to open the `.zip` in a safe environment. + description: |- + **Spaces method and path for this operation:** - > info +
get /s/{space_id}/api/osquery/saved_queries
- > Files retrieved from third-party-protected hosts require a different - password. Refer to [Third-party response - actions](https://www.elastic.co/docs/solutions/security/endpoint-response-actions/third-party-response-actions) - for your system's password. - operationId: EndpointFileDownload + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all saved queries. + operationId: OsqueryFindSavedQueries parameters: - - description: The ID of the response action that generated the file. - in: path - name: action_id - required: true + - description: The page number to return. + in: query + name: page + required: false schema: - type: string - - description: > - The file identifier is constructed in one of two ways: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. + in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryResponse' + description: Indicates a successful call. + summary: Get saved queries + tags: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/saved_queries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create and save a query for later use. + operationId: OsqueryCreateSavedQuery + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody' + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryResponse' + description: Indicates a successful call. + summary: Create a saved query + tags: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/saved_queries/{id}: + delete: + description: |- + **Spaces method and path for this operation:** - - For Elastic Defend agents (`agentType` of `endpoint`): combine the - `action_id` and `agent_id` values using a dot (`.`) separator: +
delete /s/{space_id}/api/osquery/saved_queries/{id}
- `{file_id}` = `{action_id}.{agent_id}` + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - For all other agent types: the `file_id` is the `agent_id` for - which the response action was sent to. + Delete a saved query using the query ID. + operationId: OsqueryDeleteSavedQuery + parameters: + - description: The saved query ID. in: path - name: file_id + name: id required: true schema: - type: string + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' responses: '200': content: - application/octet-stream: + application/json: schema: - format: binary - type: string + $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse' description: Indicates a successful call. - summary: Download a file + summary: Delete a saved query tags: - - Security Endpoint Management API - /api/endpoint/action/cancel: - post: - description: >- - Cancel a running or pending response action (Applies only to some agent - types). - operationId: CancelAction - requestBody: - content: - application/json: - examples: - MicrosoftDefenderEndpoint: - summary: >- - Cancel a response action on a Microsoft Defender for Endpoint - host - value: - agent_type: microsoft_defender_endpoint - comment: Cancelling action due to change in requirements - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_CancelRouteRequestBody - required: true + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/saved_queries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a saved query using the query ID. + operationId: OsqueryGetSavedQueryDetails + parameters: + - description: The saved query ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' responses: '200': content: application/json: - examples: - CancelSuccess: - summary: Cancel action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: microsoft_defender_endpoint - command: cancel - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse + $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse' description: Indicates a successful call. - summary: Cancel a response action + summary: Get saved query details tags: - - Security Endpoint Management API - /api/endpoint/action/execute: - post: - description: Run a shell command on an endpoint. - operationId: EndpointExecuteAction + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/osquery/saved_queries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a saved query using the query ID. + > info + > You cannot update a prebuilt saved query. + operationId: OsqueryUpdateSavedQuery + parameters: + - description: The saved query ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' requestBody: content: application/json: - examples: - executeCommand: - summary: Execute a shell command on an endpoint - value: - comment: Get list of all files - endpoint_ids: - - b3d6de74-36b0-4fa8-be46-c375bf1771bf - parameters: - command: ls -al - timeout: 600 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody + $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody' required: true responses: '200': content: application/json: - examples: - ExecuteSuccess: - summary: Execute action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: execute - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 9f934028-2300-4927-b531-b26376793dc4 - isCompleted: false - isExpired: false - outputs: {} - parameters: - command: ls -al - timeout: 600 - startedAt: '2023-07-28T18:43:27.362Z' - status: pending - wasSuccessful: false schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse + $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse' description: Indicates a successful call. 
- summary: Run a command + summary: Update a saved query tags: - - Security Endpoint Management API - /api/endpoint/action/get_file: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/saved_queries/{id}/copy: post: - description: Get a file from an endpoint. - operationId: EndpointGetFileAction - requestBody: - content: - application/json: - examples: - getFile: - summary: Get a specific file from an endpoint - value: - comment: Get my file - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - path: /usr/my-file.txt - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody - required: true + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/saved_queries/{id}/copy
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a copy of a saved query with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`). + operationId: OsqueryCopySavedQuery + parameters: + - description: The ID of the saved query to copy. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' responses: '200': content: application/json: examples: - GetFileSuccess: - summary: Get file action successfully created + copySavedQueryExample: + summary: Example response for copying a saved query value: data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: get-file - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 - isCompleted: false - isExpired: false - outputs: {} - parameters: - path: /usr/my-file.txt - startedAt: '2023-07-28T19:00:03.911Z' - status: pending - wasSuccessful: false + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query_copy + interval: '60' + platform: linux,darwin + query: select * from uptime; + removed: false + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + snapshot: true + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse + $ref: '#/components/schemas/Security_Osquery_API_CopySavedQueryResponse' description: Indicates a successful call. 
- summary: Get a file + summary: Copy a saved query tags: - - Security Endpoint Management API - /api/endpoint/action/isolate: - post: - description: >- - Isolate an endpoint from the network. The endpoint remains isolated - until it's released. - operationId: EndpointIsolateAction - requestBody: - content: - application/json: - examples: - multiple_endpoints: - summary: Isolates several hosts; includes a comment - value: - comment: Locked down, pending further investigation - endpoint_ids: - - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 - - bc0e4f0c-3bca-4633-9fee-156c0b505d16 - - fa89271b-b9d4-43f2-a684-307cffddeb5a - single_endpoint: - summary: >- - Isolates a single host with an endpoint_id value of - ed518850-681a-4d60-bb98-e22640cae2a8 - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - with_case_id: - summary: Isolates a single host with a case_id value of 1234 - value: - case_ids: - - 4976be38-c134-4554-bd5e-0fd89ce63667 - comment: Isolating as initial response - endpoint_ids: - - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 - - b30a11bf-1395-4707-b508-fbb45ef9793e - schema: - type: object - properties: - agent_type: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_AgentTypes - alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max - of 50. 
- example: - - case-id-1 - - case-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - comment: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Comment - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Parameters - required: - - endpoint_ids - required: true + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/scheduled_results/{scheduleId}/{executionCount}: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get paginated per-agent action results for a specific scheduled query execution, with success/failure aggregation and execution metadata (pack name, query name/text, timestamp). + operationId: OsqueryGetScheduledActionResults + parameters: + - description: The schedule ID of the scheduled query. + in: path + name: scheduleId + required: true + schema: + description: The schedule ID of the scheduled query. + example: pack_my_pack_uptime + type: string + - description: The execution count for this scheduled query run. + in: path + name: executionCount + required: true + schema: + description: The execution count for this scheduled query run. + example: 3 + type: integer + - description: The kuery to filter the results by. + in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. The default is 1. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. The default is 20. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field that is used to sort the results. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: Specifies the sort order. 
+ in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: examples: - IsolateSuccess: - summary: Isolate action successfully created + scheduledActionResultsExample: + summary: Example scheduled action results response value: - action: 233db9ea-6733-4849-9226-5a7039c7161d - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: isolate - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + aggregations: + failed: 1 + pending: 0 + successful: 9 + totalResponded: 10 + totalRowCount: 42 + currentPage: 0 + edges: + - _id: result-001 + fields: + agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 + rows_count: 5 + status: success + metadata: + executionCount: 3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + timestamp: '2024-07-26T09:00:00.000Z' + pageSize: 20 + total: 10 + totalPages: 1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse + $ref: '#/components/schemas/Security_Osquery_API_GetScheduledActionResultsResponse' description: Indicates a successful call. - summary: Isolate an endpoint + summary: Get scheduled action results tags: - - Security Endpoint Management API - /api/endpoint/action/kill_process: - post: - description: Terminate a running process on an endpoint. 
- operationId: EndpointKillProcessAction - requestBody: - content: - application/json: - examples: - byEntityId: - summary: Terminate a process by entity ID - value: - comment: Terminating malicious process - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - entity_id: abc123 - byPid: - summary: Terminate a process by PID - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - pid: 1234 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody - required: true + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}/results
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get paginated query result rows (the actual osquery output data) for a specific scheduled query execution. + operationId: OsqueryGetScheduledQueryResults + parameters: + - description: The schedule ID of the scheduled query. + in: path + name: scheduleId + required: true + schema: + description: The schedule ID of the scheduled query. + example: pack_my_pack_uptime + type: string + - description: The execution count for this scheduled query run. + in: path + name: executionCount + required: true + schema: + description: The execution count for this scheduled query run. + example: 3 + type: integer + - description: The kuery to filter the results by. + in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. The default is 1. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. The default is 20. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field that is used to sort the results. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: Specifies the sort order. + in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + - description: The start date filter (ISO 8601) to narrow down results. + in: query + name: startDate + required: false + schema: + description: The start date filter (ISO 8601) to narrow down results. 
+ example: '2024-01-01T00:00:00Z' + type: string responses: '200': content: application/json: examples: - KillProcessSuccess: - summary: Kill process action successfully created + scheduledQueryResultsExample: + summary: Example scheduled query results response value: data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: kill-process - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - entity_id: abc123 - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + edges: + - _id: row-001 + fields: + host.uptime: + - '12345' + - _id: row-002 + fields: + host.uptime: + - '67890' + total: 2 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse + $ref: '#/components/schemas/Security_Osquery_API_GetScheduledQueryResultsResponse' description: Indicates a successful call. - summary: Terminate a process + summary: Get scheduled query results tags: - - Security Endpoint Management API - /api/endpoint/action/memory_dump: - post: - description: Generates memory dumps on the targeted host. - operationId: EndpointGenerateMemoryDump + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/pinned_event: + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/pinned_event
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Pin/unpin an event to/from an existing Timeline. + operationId: PersistPinnedEventRoute requestBody: content: application/json: examples: - ProcessMemoryDump: - summary: Generate a memory dump from the host machine + pinEvent: + summary: Pin an event value: - agent_type: endpoint - comment: Generating memory dump for investigation - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - entity_id: abc123 - type: process + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_MemoryDumpRouteRequestBody + type: object + properties: + eventId: + description: The `_id` of the associated event for this pinned event. + example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + type: string + pinnedEventId: + description: The `savedObjectId` of the pinned event you want to unpin. + example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + nullable: true + type: string + timelineId: + description: The `savedObjectId` of the timeline that you want this pinned event unpinned from. + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + type: string + required: + - eventId + - timelineId + description: The pinned event to add or unpin, along with additional metadata. 
required: true responses: '200': content: application/json: examples: - MemoryDumpSuccessResponse: - summary: Memory dump action successfully created + pinnedSaved: + summary: Pinned event saved object value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: memory-dump - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - entity_id: abc123 - type: process - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + pinnedEventId: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzQ2LDFe + unpinned: + summary: Unpin response + value: + unpinned: true schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse + $ref: '#/components/schemas/Security_Timeline_API_PersistPinnedEventResponse' description: Indicates a successful call. - summary: Generate a memory dump from the host machine + summary: Pin/unpin an event tags: - - Security Endpoint Management API - /api/endpoint/action/running_procs: - post: - description: Get a list of all processes running on an endpoint. - operationId: EndpointGetProcessesAction + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/risk_score/engine/dangerously_delete_data: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/risk_score/engine/dangerously_delete_data
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Cleaning up the the Risk Engine by removing the indices, mapping and transforms + operationId: CleanUpRiskEngine + responses: + '200': + content: + application/json: + examples: + CleanUpRiskEngineResponse: + summary: Successful cleanup response + value: + cleanup_successful: true + schema: + type: object + properties: + cleanup_successful: + type: boolean + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' + description: Task manager is unavailable + default: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse' + description: Unexpected error + summary: Cleanup the Risk Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/risk_score/engine/saved_object/configure: + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/risk_score/engine/saved_object/configure
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Configuring the Risk Engine Saved Object + operationId: ConfigureRiskEngineSavedObject requestBody: content: application/json: examples: - singleEndpoint: - summary: Get running processes on a single endpoint + ConfigureRiskEngineSavedObjectRequest: + summary: Configure the risk engine saved object value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 + enable_reset_to_zero: false + exclude_alert_statuses: + - closed + exclude_alert_tags: + - low-priority + filters: + - entity_types: + - host + - user + filter: 'host.name: *' + range: + end: now + start: now-30d schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody + type: object + properties: + enable_reset_to_zero: + type: boolean + exclude_alert_statuses: + items: + type: string + type: array + exclude_alert_tags: + items: + type: string + type: array + filters: + items: + type: object + properties: + entity_types: + items: + enum: + - host + - user + - service + type: string + type: array + filter: + description: KQL filter string + type: string + required: + - entity_types + - filter + type: array + range: + type: object + properties: + end: + type: string + start: + type: string required: true responses: '200': content: application/json: examples: - RunningProcsSuccess: - summary: Running processes action successfully created + ConfigureRiskEngineSavedObjectResponse: + summary: Successful configuration response value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: running-processes - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - startedAt: 
'2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + risk_engine_saved_object_configured: true schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Get running processes + type: object + properties: + risk_engine_saved_object_configured: + type: boolean + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' + description: Task manager is unavailable + default: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse' + description: Unexpected error + summary: Configure the Risk Engine Saved Object tags: - - Security Endpoint Management API - /api/endpoint/action/runscript: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/risk_score/engine/schedule_now: post: - description: Run a script on a host. Currently supported only for some agent types. - operationId: RunScriptAction + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/risk_score/engine/schedule_now
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Schedule the risk scoring engine to run as soon as possible. You can use this to recalculate entity risk scores after updating their asset criticality. + operationId: ScheduleRiskEngineNow requestBody: content: - application/json: - examples: - MDE: - description: Microsoft Defender Endpoint runscript - summary: Run a script against a Microsoft Defender Endpoint agent - value: - agent_type: microsoft_defender_endpoint - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - args: '-param1 value1 -param2 value2' - scriptName: my-script.ps1 - SentinelOne: - description: SentinelOne runscript - summary: Run a script against a SentinelOne agent - value: - agent_type: sentinel_one - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 - scriptInput: >- - --delete --paths-to-delete - /tmp/temp_file.txt,/tmp/random_file.txt - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunScriptRouteRequestBody - required: true + application/json: {} responses: '200': content: application/json: examples: - RunScriptSuccess: - summary: Run script action successfully created + ScheduleRiskEngineNowResponse: + summary: Successful schedule response value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: sentinel_one - command: runscript - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + success: true schema: - $ref: >- - 
#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Run a script + $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse' + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' + description: Task manager is unavailable + default: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse' + description: Unexpected error + summary: Run the risk scoring engine tags: - - Security Endpoint Management API - /api/endpoint/action/scan: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/saved_objects/_export: post: - description: Scan a specific file or directory on an endpoint for malware. - operationId: EndpointScanAction + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve sets of saved objects that you want to import into Kibana. You must include `type` or `objects` in the request body. The output of exporting saved objects must be treated as opaque. Tampering with exported data risks introducing unspecified errors and data loss. + + Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana. + + NOTE: The exported saved objects include `coreMigrationVersion` and `typeMigrationVersion` metadata. If you store exported saved objects outside of Kibana (for example in NDJSON files) or generate them yourself, you must preserve or include these fields to retain forward compatibility across Kibana versions. + + NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be exported. + operationId: post-saved-objects-export + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - scanFile: - summary: Scan a file on an endpoint + exportSavedObjectsRequest: + summary: Export a specific saved object. value: - comment: Scan the file for malware - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - path: /usr/my-file.txt + excludeExportDetails: true + includeReferencesDeep: false + objects: + - id: de71f4f0-1902-11e9-919b-ffe5949a18d2 + type: map schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody - required: true + additionalProperties: false + type: object + properties: + excludeExportDetails: + default: false + description: Do not add export details entry at the end of the stream. 
+ type: boolean + hasReference: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + - items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + maxItems: 100 + type: array + includeReferencesDeep: + default: false + description: Includes all of the referenced objects in the exported objects. + type: boolean + objects: + description: 'A list of objects to export. NOTE: this optional parameter cannot be combined with the `types` option' + items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + maxItems: 10000 + type: array + search: + description: Search for documents to export using the Elasticsearch Simple Query String syntax. + type: string + type: + anyOf: + - type: string + - items: + type: string + maxItems: 100 + type: array + description: The saved object types to include in the export. Use `*` to export all the types. Valid options depend on enabled plugins, but may include `visualization`, `dashboard`, `search`, `index-pattern`, `tag`, `config`, `config-global`, `lens`, `map`, `event-annotation-group`, `query`, `url`, `action`, `alert`, `alerting_rule_template`, `apm-indices`, `cases-user-actions`, `cases`, `cases-comments`, `infrastructure-monitoring-log-view`, `ml-trained-model`, `osquery-saved-query`, `osquery-pack`, `osquery-pack-asset`. responses: '200': content: - application/json: + application/x-ndjson: examples: - ScanSuccess: - summary: Scan action successfully created + exportSavedObjectsResponse: + summary: The export objects API response contains a JSON record for each exported object. 
value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: scan - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 - isCompleted: false - isExpired: false - outputs: {} - parameters: - path: /usr/my-file.txt - startedAt: '2023-07-28T19:00:03.911Z' - status: pending - wasSuccessful: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Scan a file or directory - tags: - - Security Endpoint Management API - /api/endpoint/action/state: - get: - description: >- - Get a response actions state, which reports whether encryption is - enabled. - operationId: EndpointGetActionsState - responses: - '200': + attributes: + description: '' + layerListJSON: '[{"id":"0hmz5","alpha":1,"sourceDescriptor":{"type":"EMS_TMS","isAutoSelect":true,"lightModeDefault":"road_map_desaturated"},"visible":true,"style":{},"type":"EMS_VECTOR_TILE","minZoom":0,"maxZoom":24},{"id":"edh66","label":"Total Requests by 
Destination","minZoom":0,"maxZoom":24,"alpha":0.5,"sourceDescriptor":{"type":"EMS_FILE","id":"world_countries","tooltipProperties":["name","iso2"]},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e","origin":"join"},"color":"Greys","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"STATIC","options":{"size":10}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR","joins":[{"leftField":"iso2","right":{"type":"ES_TERM_SOURCE","id":"673ff994-fc75-4c67-909b-69fcb0e1060e","indexPatternTitle":"kibana_sample_data_logs","term":"geo.dest","indexPatternRefName":"layer_1_join_0_index_pattern","metrics":[{"type":"count","label":"web logs count"}],"applyGlobalQuery":true}}]},{"id":"gaxya","label":"Actual Requests","minZoom":9,"maxZoom":24,"alpha":1,"sourceDescriptor":{"id":"b7486535-171b-4d3b-bb2e-33c1a0a2854c","type":"ES_SEARCH","geoField":"geo.coordinates","limit":2048,"filterByMapBounds":true,"tooltipProperties":["clientip","timestamp","host","request","response","machine.os","agent","bytes"],"indexPatternRefName":"layer_2_source_index_pattern","applyGlobalQuery":true,"scalingType":"LIMIT"},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"STATIC","options":{"color":"#2200ff"}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":2}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"bytes","origin":"source"},"minSize":1,"maxSize":23,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"},{"id":"tfi3f","label":"Total Requests and 
Bytes","minZoom":0,"maxZoom":9,"alpha":1,"sourceDescriptor":{"type":"ES_GEO_GRID","resolution":"COARSE","id":"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b","geoField":"geo.coordinates","requestType":"point","metrics":[{"type":"count","label":"web logs count"},{"type":"sum","field":"bytes"}],"indexPatternRefName":"layer_3_source_index_pattern","applyGlobalQuery":true},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"color":"Blues","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#cccccc"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"sum_of_bytes","origin":"source"},"minSize":7,"maxSize":25,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelText":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelSize":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"minSize":12,"maxSize":24,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"}]' + mapStateJSON: '{"zoom":3.64,"center":{"lon":-88.92107,"lat":42.16337},"timeFilters":{"from":"now-7d","to":"now"},"refreshConfig":{"isPaused":true,"interval":0},"query":{"language":"kuery","query":""},"settings":{"autoFitToDataBounds":false}}' + title: '[Logs] Total Requests and Bytes' + uiStateJSON: '{"isDarkMode":false}' + coreMigrationVersion: 8.8.0 + created_at: '2023-08-23T20:03:32.204Z' + id: de71f4f0-1902-11e9-919b-ffe5949a18d2 + managed: false + references: + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: layer_1_join_0_index_pattern + type: index-pattern + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: layer_2_source_index_pattern + type: index-pattern + - id: 
90943e30-9a47-11e8-b64d-95841ca0b247 + name: layer_3_source_index_pattern + type: index-pattern + type: map + typeMigrationVersion: 8.4.0 + updated_at: '2023-08-23T20:03:32.204Z' + version: WzEzLDFd + schema: {} + description: Indicates a successfull call. + '400': content: application/json: schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse - description: OK - summary: Get actions state + additionalProperties: false + description: Indicates an unsuccessful response. + type: object + properties: + error: + type: string + message: + type: string + statusCode: + enum: + - 400 + type: integer + required: + - error + - message + - statusCode + description: Bad request. + summary: Export saved objects tags: - - Security Endpoint Management API - /api/endpoint/action/suspend_process: + - saved objects + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/saved_objects/_import: post: - description: Suspend a running process on an endpoint. - operationId: EndpointSuspendProcessAction + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create sets of Kibana saved objects from a file created by the export API. Saved objects can only be imported into the same version, a newer minor on the same major, or the next major. Tampering with exported data risks introducing unspecified errors and data loss. + + Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana. + + NOTE: The exported saved objects include `coreMigrationVersion` and `typeMigrationVersion` metadata. If you store exported saved objects outside of Kibana (for example in NDJSON files) or generate them yourself, you must preserve or include these fields to retain forwards compatibility across Kibana versions. + operationId: post-saved-objects-import + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: 'Overwrites saved objects when they already exist. When used, potential conflict errors are automatically resolved by overwriting the destination object. NOTE: This option cannot be used with the `createNewCopies` option.' + in: query + name: overwrite + required: false + schema: + default: false + type: boolean + - description: 'Creates copies of saved objects, regenerates each object ID, and resets the origin. When used, potential conflict errors are avoided. NOTE: This option cannot be used with the `overwrite` and `compatibilityMode` options.' + in: query + name: createNewCopies + required: false + schema: + default: false + type: boolean + - description: 'Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with imported saved objects. NOTE: This option cannot be used with the `createNewCopies` option.' 
+ in: query + name: compatibilityMode + required: false + schema: + default: false + type: boolean requestBody: content: - application/json: + multipart/form-data: examples: - byEntityId: - summary: Suspend a process by entity ID - value: - comment: Suspending suspicious process - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - entity_id: abc123 - byPid: - summary: Suspend a process by PID + importObjectsRequest: value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - pid: 1234 + file: file.ndjson schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody - required: true + additionalProperties: false + type: object + properties: + file: + description: 'A file exported using the export API. Changing the contents of the exported file in any way before importing it can cause errors, crashes or data loss. NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be included in this file. Similarly, the `savedObjects.maxImportPayloadBytes` setting limits the overall size of the file that can be imported.' + type: object + required: + - file responses: '200': content: application/json: examples: - SuspendProcessSuccess: - summary: Suspend process action successfully created + importObjectsResponse: + summary: The import objects API response indicates a successful import and the objects are created. Since these objects are created as new copies, each entry in the successResults array includes a destinationId attribute. 
value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: suspend-process - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - entity_id: abc123 - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + success: true + successCount: 1 + successResults: + - destinationId: 82d2760c-468f-49cf-83aa-b9a35b6a8943 + id: 90943e30-9a47-11e8-b64d-95841ca0b247 + managed: false + meta: + icon: indexPatternApp + title: Kibana Sample Data Logs + type: index-pattern schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse + additionalProperties: false + type: object + properties: + errors: + description: |- + Indicates the import was unsuccessful and specifies the objects that failed to import. + + NOTE: One object may result in multiple errors, which requires separate steps to resolve. For instance, a `missing_references` error and conflict error. + items: + additionalProperties: true + type: object + properties: {} + type: array + success: + description: Indicates when the import was successfully completed. When set to false, some objects may not have been created. For additional information, refer to the `errors` and `successResults` properties. + type: boolean + successCount: + description: Indicates the number of successfully imported records. + type: number + successResults: + description: |- + Indicates the objects that are successfully imported, with any metadata if applicable. + + NOTE: Objects are created only when all resolvable errors are addressed, including conflicts and missing references. 
If objects are created as new copies, each entry in the `successResults` array includes a `destinationId` attribute. + items: + additionalProperties: true + type: object + properties: {} + type: array + required: + - success + - successCount + - errors + - successResults description: Indicates a successful call. - summary: Suspend a process + '400': + content: + application/json: + schema: + additionalProperties: false + description: Indicates an unsuccessful response. + type: object + properties: + error: + type: string + message: + type: string + statusCode: + enum: + - 400 + type: integer + required: + - error + - message + - statusCode + description: Bad request. + summary: Import saved objects tags: - - Security Endpoint Management API - /api/endpoint/action/unisolate: + - saved objects + x-codeSamples: + - label: Import with createNewCopies + lang: cURL + source: | + curl \ + -X POST api/saved_objects/_import?createNewCopies=true + -H "kbn-xsrf: true" + --form file=@file.ndjson + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/anonymization_fields/_bulk_action: post: - description: Release an isolated endpoint, allowing it to rejoin a network. - operationId: EndpointUnisolateAction + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/anonymization_fields/_bulk_action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Apply a bulk action to multiple anonymization fields. The bulk action is applied to all anonymization fields that match the filter or to the list of anonymization fields by their IDs. + operationId: PerformAnonymizationFieldsBulkAction requestBody: content: application/json: - examples: - multipleHosts: - summary: 'Releases several hosts; includes a comment:' - value: - comment: Benign process identified, releasing group - endpoint_ids: - - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 - - bc0e4f0c-3bca-4633-9fee-156c0b505d16 - - fa89271b-b9d4-43f2-a684-307cffddeb5a - singleHost: - summary: >- - Releases a single host with an endpoint_id value of - ed518850-681a-4d60-bb98-e22640cae2a8 - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - withCaseId: - summary: Releases hosts with an associated case; includes a comment. - value: - case_ids: - - 4976be38-c134-4554-bd5e-0fd89ce63667 - comment: Remediation complete, restoring network - endpoint_ids: - - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 - - b30a11bf-1395-4707-b508-fbb45ef9793e schema: + example: + create: + - allowed: true + anonymized: false + field: host.name + - allowed: false + anonymized: true + field: user.name + delete: + ids: + - field5 + - field6 + query: 'field: host.name' + update: + - allowed: true + anonymized: false + id: field8 + - allowed: false + anonymized: true + id: field9 type: object properties: - agent_type: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_AgentTypes - alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 + create: + description: Array of anonymization fields to create. 
items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps' type: array - case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max - of 50. - example: - - case-id-1 - - case-id-2 + delete: + description: Object containing the query to filter anonymization fields and/or an array of anonymization field IDs to delete. + type: object + properties: + ids: + description: Array of IDs to apply the action to. + example: + - '1234' + - '5678' + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter the bulk action. + example: 'status: ''inactive''' + type: string + update: + description: Array of anonymization fields to update. items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps' type: array - comment: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Comment - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Parameters - required: - - endpoint_ids - required: true responses: '200': content: application/json: - examples: - UnisolateSuccess: - summary: Unisolate action successfully created - value: - action: 233db9ea-6733-4849-9226-5a7039c7161d - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: unisolate - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + example: + anonymization_fields_count: 5 + attributes: + results: + 
created: + - allowed: false + anonymized: true + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: host.name + id: field2 + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + deleted: + - field3 + skipped: + - id: field4 + name: user.name + skip_reason: ANONYMIZATION_FIELD_NOT_MODIFIED + updated: + - allowed: true + anonymized: false + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: url.domain + id: field8 + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + summary: + failed: 1 + skipped: 1 + succeeded: 2 + total: 5 + message: Bulk action completed successfully + status_code: 200 + success: true schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse' description: Indicates a successful call. - summary: Release an isolated endpoint - tags: - - Security Endpoint Management API - /api/endpoint/action/upload: - post: - description: Upload a file to an endpoint. 
- operationId: EndpointUploadAction - requestBody: - content: - multipart/form-data: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody - required: true - responses: - '200': + '400': content: application/json: - examples: - UploadSuccess: - summary: Upload action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: upload - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: Host-5i6cuc8kdv - id: 9ff6aebc-2cb6-481e-8869-9b30036c9731 - isCompleted: false - isExpired: false - outputs: {} - parameters: - file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280 - file_name: fix-malware.sh - file_sha256: >- - a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a - file_size: 69 - startedAt: '2023-07-03T15:07:22.837Z' - status: pending - wasSuccessful: false + example: + error: Bad Request + message: Invalid request body + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Upload a file + type: object + properties: + error: + description: Error type or name. + type: string + message: + description: Detailed error message. + type: string + statusCode: + description: Status code of the response. + type: number + description: Generic Error + summary: Apply a bulk action to anonymization fields tags: - - Security Endpoint Management API - /api/endpoint/metadata: + - Security AI Assistant API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/anonymization_fields/_find: get: - description: Get a list of all endpoint host metadata. - operationId: GetEndpointMetadataList + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/anonymization_fields/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all anonymization fields. + operationId: FindAnonymizationFields parameters: - - in: query - name: page + - description: Fields to return + example: + - id + - field + - anonymized + - allowed + in: query + name: fields required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - - in: query - name: pageSize + items: + type: string + type: array + - description: Search query + example: 'field: "user.name"' + in: query + name: filter required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' - - in: query - name: kuery + type: string + - description: Field to sort by + example: created_at + in: query + name: sort_field required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' - - in: query - name: hostStatuses - required: true + $ref: '#/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField' + - description: Sort order + example: asc + in: query + name: sort_order + required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_HostStatuses' - - in: query - name: sortField + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number + example: 1 + in: query + name: page required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SortField' - - in: query - name: sortDirection + default: 1 + minimum: 1 + type: integer + - description: AnonymizationFields per page + example: 20 + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + - description: If true, additionally fetch all anonymization fields, otherwise fetch only the provided page + in: query + name: all_data required: false schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SortDirection + type: boolean 
responses: '200': content: application/json: + example: + aggregations: + anonymized: + buckets: + allowed: + doc_count: 1 + anonymized: + doc_count: 1 + denied: + doc_count: 1 + all: + - allowed: true + anonymized: true + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: user.name + id: '1' + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + data: + - allowed: true + anonymized: true + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: user.name + id: '1' + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + page: 1 + perPage: 20 + total: 100 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_MetadataListResponse - description: Indicates a successful call. - summary: Get a metadata list - tags: - - Security Endpoint Management API - /api/endpoint/metadata/{id}: - get: - description: Get host metadata for a specific endpoint. - operationId: GetEndpointMetadata - parameters: - - description: The agent ID of the endpoint. 
- in: path - name: id - required: true - schema: - example: ed518850-681a-4d60-bb98-e22640cae2a8 - type: string - responses: - '200': + type: object + properties: + aggregations: + type: object + properties: + field_status: + type: object + properties: + buckets: + type: object + properties: + allowed: + type: object + properties: + doc_count: + default: 0 + type: integer + anonymized: + type: object + properties: + doc_count: + default: 0 + type: integer + denied: + type: object + properties: + doc_count: + default: 0 + type: integer + all: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' + type: array + data: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + '400': content: application/json: + example: + error: Bad Request + message: Invalid request parameters + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointMetadataResponse - description: Indicates a successful call. - summary: Get metadata + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Get anonymization fields tags: - - Security Endpoint Management API - /api/endpoint/policy_response: - get: - description: Get the most recent policy response for an endpoint. - operationId: GetPolicyResponse + - Security AI Assistant API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/chat/complete: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/chat/complete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a model response for the given chat conversation. + operationId: ChatComplete parameters: - - description: The agent ID to retrieve the policy response for. + - description: If true, the response will not include content references. + example: false in: query - name: agentId - required: true + name: content_references_disabled + required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' + default: false + type: boolean + requestBody: + content: + application/json: + example: + connectorId: conn-001 + conversationId: abc123 + isStream: true + langSmithApiKey: sk-abc123 + langSmithProject: security_ai_project + messages: + - content: What are some common phishing techniques? + data: + user_id: user_789 + fields_to_anonymize: + - user.name + - source.ip + role: user + model: gpt-4 + persist: true + promptId: prompt_456 + responseLanguage: en + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' + required: true responses: '200': content: - application/json: + application/octet-stream: schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: Indicates a successful call. - summary: Get a policy response - tags: - - Security Endpoint Management API - /api/endpoint/protection_updates_note/{package_policy_id}: - get: - description: Get the protection updates note for a package policy. - operationId: GetProtectionUpdatesNote - parameters: - - description: The package policy ID to retrieve the protection updates note for. - in: path - name: package_policy_id - required: true - schema: - type: string - responses: - '200': + format: binary + type: string + description: Indicates a successful model response call. 
+ '400': content: application/json: schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse - description: Indicates a successful call. - summary: Get a protection updates note - tags: - - Security Endpoint Management API - post: - description: Create or update the protection updates note for a package policy. - operationId: CreateUpdateProtectionUpdatesNote - parameters: - - description: >- - The package policy ID to create or update the protection updates - note for. - in: path - name: package_policy_id - required: true - schema: - type: string + type: object + properties: + error: + description: Error type. + example: Bad Request + type: string + message: + description: Human-readable error message. + example: Invalid request payload. + type: string + statusCode: + description: HTTP status code. + example: 400 + type: number + description: Generic Error + summary: Create a model response + tags: + - Security AI Assistant API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/current_user/conversations: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/security_ai_assistant/current_user/conversations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + This endpoint allows users to permanently delete all conversations. + operationId: DeleteAllConversations requestBody: content: application/json: schema: type: object properties: - note: - description: The note content. - type: string - required: true - responses: - '200': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse - description: Indicates a successful call. - summary: Create or update a protection updates note - tags: - - Security Endpoint Management API - /api/entity_analytics/monitoring/engine/delete: - delete: - description: >- - Deletes the Privilege Monitoring Engine and optionally removes all - associated privileged user data. - operationId: DeleteMonitoringEngine - parameters: - - description: Whether to delete all the privileged user data - in: query - name: data - required: false - schema: - default: false - type: boolean + excludedIds: + description: Optional list of conversation IDs to delete. + example: + - abc123 + - def456 + items: + type: string + type: array + required: false responses: '200': content: application/json: - examples: - DeleteMonitoringEngineResponse: - summary: Engine deleted successfully - value: - deleted: true + example: + success: true schema: type: object properties: - deleted: + failures: + items: + type: string + type: array + success: + example: true type: boolean - required: - - deleted - description: Successful response - summary: Delete the Privilege Monitoring Engine - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/engine/disable: - post: - description: >- - Disables the Privilege Monitoring Engine, stopping all monitoring - activity without removing data. 
- operationId: DisableMonitoringEngine - responses: - '200': + totalDeleted: + example: 10 + type: number + description: Indicates a successful call. The conversations were deleted successfully. + '400': content: application/json: - examples: - DisableMonitoringEngineResponse: - summary: Engine disabled successfully - value: - status: disabled schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor - description: Successful response - summary: Disable the Privilege Monitoring Engine + type: object + properties: + error: + example: Bad Request + type: string + message: + example: Invalid conversation ID + type: string + statusCode: + example: 400 + type: number + description: Generic Error. This response indicates an issue with the request. + summary: Delete conversations tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/engine/init: + - Security AI Assistant API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: >- - Initializes the Privilege Monitoring Engine, setting up the required - resources and starting the engine. - operationId: InitMonitoringEngine + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/current_user/conversations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Security AI Assistant conversation. This endpoint allows the user to initiate a conversation with the Security AI Assistant by providing the required parameters. + operationId: CreateConversation + requestBody: + content: + application/json: + example: + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + excludeFromLastConversationStorage: false + messages: + - content: Hello, how can I assist you today? + role: system + timestamp: '2023-10-31T12:00:00Z' + replacements: {} + title: Security Discussion + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCreateProps' + required: true responses: '200': content: application/json: - examples: - InitMonitoringEngineResponse: - summary: Engine initialized successfully - value: - status: started + example: + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + createdAt: '2023-10-31T12:01:00Z' + excludeFromLastConversationStorage: false + id: abc123 + messages: + - content: Hello, how can I assist you today? + role: system + timestamp: '2023-10-31T12:00:00Z' + replacements: {} + title: Security Discussion + updatedAt: '2023-10-31T12:01:00Z' + users: + - id: user1 + name: John Doe schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor - description: Successful response - '500': + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + description: Indicates a successful call. The conversation was created successfully. 
+ '400': content: application/json: schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor - description: Internal Server Error - summary: Initialize the Privilege Monitoring Engine + type: object + properties: + error: + example: Bad Request + type: string + message: + example: 'Missing required parameter: title' + type: string + statusCode: + example: 400 + type: number + description: Generic Error. This response indicates an issue with the request, such as missing required parameters or incorrect data. + summary: Create a conversation tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/engine/schedule_now: - post: - description: >- - Schedules the Privilege Monitoring Engine to run as soon as possible, - triggering an immediate monitoring cycle. - operationId: ScheduleMonitoringEngine + - Security AI Assistant API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/current_user/conversations/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/current_user/conversations/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all conversations for the current user. This endpoint allows users to search, filter, sort, and paginate through their conversations. + operationId: FindConversations + parameters: + - description: A list of fields to include in the response. If omitted, all fields are returned. + in: query + name: fields + required: false + schema: + example: + - id + - title + - createdAt + items: + type: string + type: array + - description: A search query to filter the conversations. Can match against titles, messages, or other conversation attributes. + in: query + name: filter + required: false + schema: + example: Security Issue + type: string + - description: The field by which to sort the results. Valid fields are `created_at`, `title`, and `updated_at`. + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_FindConversationsSortField' + example: created_at + - description: The order in which to sort the results. Can be either `asc` for ascending or `desc` for descending. + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + example: desc + - description: The page number of the results to retrieve. Default is 1. + in: query + name: page + required: false + schema: + default: 1 + example: 1 + minimum: 1 + type: integer + - description: The number of conversations to return per page. Default is 20. + in: query + name: per_page + required: false + schema: + default: 20 + example: 20 + minimum: 0 + type: integer + - description: Whether to return conversations that the current user owns. If true, only conversations owned by the user are returned. 
+ in: query + name: is_owner + required: false + schema: + default: false + example: true + type: boolean responses: '200': content: application/json: - examples: - ScheduleMonitoringEngineResponse: - summary: Engine scheduled successfully - value: - success: true schema: type: object properties: - success: - description: Indicates the scheduling was successful - type: boolean - description: Successful response - '409': + data: + description: A list of conversations. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + type: array + page: + description: The current page of the results. + example: 1 + type: integer + perPage: + description: The number of results returned per page. + example: 20 + type: integer + total: + description: The total number of conversations matching the filter criteria. + example: 100 + type: integer + required: + - page + - perPage + - total + - data + description: Successful response, returns a paginated list of conversations matching the specified criteria. + '400': content: application/json: schema: type: object properties: + error: + example: Bad Request + type: string message: - description: Error message indicating the engine is already running + example: Invalid filter query parameter type: string - description: Conflict - Monitoring engine is already running - summary: Schedule the Privilege Monitoring Engine + statusCode: + example: 400 + type: number + description: Generic Error. The request could not be processed due to an invalid query parameter or other issue. + summary: Get conversations tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/privileges/health: - get: - description: >- - Returns the current health status of the Privilege Monitoring Engine, - including engine status, error details, and user count statistics. 
- operationId: PrivMonHealth + - Security AI Assistant API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/current_user/conversations/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an existing conversation using the conversation ID. This endpoint allows users to permanently delete a conversation. + operationId: DeleteConversation + parameters: + - description: The conversation's `id` value. + example: abc123 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: - examples: - PrivMonHealthResponse: - summary: Healthy privilege monitoring engine - value: - status: started - users: - current_count: 42 - max_allowed: 1000 + example: + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + createdAt: '2023-10-31T12:01:00Z' + excludeFromLastConversationStorage: false + id: abc123 + messages: + - content: The conversation has been deleted. + role: system + timestamp: '2023-10-31T12:35:00Z' + replacements: {} + title: Deleted Security Discussion + updatedAt: '2023-10-31T12:01:00Z' + users: + - id: user1 + name: John Doe + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + description: Indicates a successful call. The conversation was deleted successfully. 
+ '400': + content: + application/json: schema: type: object properties: error: - type: object - properties: - message: - type: string - required: - - status - status: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus - users: - description: User statistics for privilege monitoring - type: object - properties: - current_count: - description: Current number of privileged users being monitored - type: integer - max_allowed: - description: >- - Maximum number of privileged users allowed to be - monitored - type: integer - required: - - current_count - - max_allowed - required: - - status - description: Successful response - summary: Health check on Privilege Monitoring + example: Bad Request + type: string + message: + example: Invalid conversation ID + type: string + statusCode: + example: 400 + type: number + description: Generic Error. This response indicates an issue with the request. + summary: Delete a conversation tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/privileges/privileges: + - Security AI Assistant API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: >- - Check if the current user has all required permissions for Privilege - Monitoring - operationId: PrivMonPrivileges + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an existing conversation using the conversation ID. This allows users to fetch the specific conversation data by its unique ID. + operationId: ReadConversation + parameters: + - description: The conversation's `id` value, a unique identifier for the conversation. + example: abc123 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: example: - has_all_required: true - privileges: - elasticsearch: - index: - .entity_analytics.monitoring.user-default: - read: true + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + createdAt: '2023-10-31T12:01:00Z' + excludeFromLastConversationStorage: false + id: abc123 + messages: + - content: Hello, how can I assist you today? + role: system + timestamp: '2023-10-31T12:00:00Z' + replacements: {} + title: Security Discussion + updatedAt: '2023-10-31T12:01:00Z' + users: + - id: user1 + name: John Doe schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityAnalyticsPrivileges - description: Successful response - summary: Run a privileges check on Privilege Monitoring - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/users: - post: - description: >- - Creates a new privileged user to be monitored by the Privilege - Monitoring Engine. 
- operationId: CreatePrivMonUser - requestBody: - content: - application/json: - examples: - CreatePrivMonUserRequest: - summary: Create a monitored user - value: - entity_analytics_monitoring: - labels: - - field: department - source: api - value: IT - user: - name: john.doe - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserName' - required: true - responses: - '200': + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + description: Indicates a successful call. The conversation details are returned. + '400': content: application/json: - examples: - CreatePrivMonUserResponse: - summary: Created monitored user - value: - '@timestamp': '2026-01-28T12:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: api - value: IT - event: - ingested: '2026-01-28T12:00:00.000Z' - id: user-abc-123 - user: - is_privileged: true - name: john.doe schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc - description: User created successfully - summary: Create a new monitored user + type: object + properties: + error: + example: Bad Request + type: string + message: + example: Invalid conversation ID + type: string + statusCode: + example: 400 + type: number + description: Generic Error. The request could not be processed due to an error. + summary: Get a conversation tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/users/_csv: - post: - description: >- - Bulk upserts privileged users by uploading a CSV file. Returns per-row - errors and aggregate upload statistics. - operationId: PrivmonBulkUploadUsersCSV + - Security AI Assistant API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing conversation using the conversation ID. This endpoint allows users to modify the details of an existing conversation. + operationId: UpdateConversation + parameters: + - description: The conversation's `id` value. + example: abc123 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' requestBody: content: - multipart/form-data: + application/json: + example: + apiConfig: + actionTypeId: '09876' + connectorId: '54321' + category: insights + excludeFromLastConversationStorage: true + messages: + - content: The issue was resolved. + role: assistant + timestamp: '2023-10-31T12:30:00Z' + replacements: {} + title: Updated Security Discussion schema: - type: object - properties: - file: - description: The CSV file to upload. - format: binary - type: string - required: - - file + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps' + required: true responses: '200': + content: + application/json: + example: + apiConfig: + actionTypeId: '09876' + connectorId: '54321' + category: insights + createdAt: '2023-10-31T12:01:00Z' + excludeFromLastConversationStorage: true + id: abc123 + messages: + - content: The issue was resolved. + role: assistant + timestamp: '2023-10-31T12:30:00Z' + replacements: {} + title: Updated Security Discussion + updatedAt: '2023-10-31T12:31:00Z' + users: + - id: user1 + name: John Doe + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + description: Indicates a successful call. The conversation was updated successfully. 
+ '400': content: application/json: schema: - example: - errors: - - index: 1 - message: Invalid monitored field - username: john.doe - stats: - failedOperations: 1 - successfulOperations: 1 - totalOperations: 2 - uploaded: 1 type: object properties: - errors: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem - type: array - stats: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadStats - required: - - errors - - stats - description: Bulk upload successful - '413': - description: File too large - summary: Upsert multiple monitored users via CSV upload + error: + example: Bad Request + type: string + message: + example: 'Missing required field: title' + type: string + statusCode: + example: 400 + type: number + description: Generic Error. This response indicates an issue with the request, such as missing required parameters or incorrect data. + summary: Update a conversation tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/users/{id}: - delete: - description: Removes a privileged user from monitoring by their document ID. - operationId: DeletePrivMonUser - parameters: - - in: path - name: id - required: true - schema: - type: string + - Security AI Assistant API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/knowledge_base: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/knowledge_base
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Read a single KB + operationId: GetKnowledgeBase responses: '200': content: application/json: examples: - DeletePrivMonUserResponse: - summary: User deleted successfully + KnowledgeBaseReadResponse200Example2: + summary: A response that returns information about the knowledge base. value: - acknowledged: true - message: User deleted successfully + defend_insights_exists: true + elser_exists: false + is_setup_available: true + is_setup_in_progress: true + product_documentation_status: installed + security_labs_exists: false + user_data_exists: true schema: - type: object - properties: - acknowledged: - description: Indicates if the deletion was successful - type: boolean - message: - description: >- - A message providing additional information about the - deletion status - type: string - required: - - success - description: User deleted successfully - summary: Delete a monitored user + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200' + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' + description: Generic Error + summary: Read a KnowledgeBase tags: - - Security Entity Analytics API - put: - description: >- - Updates the details of an existing monitored privileged user by their - document ID. - operationId: UpdatePrivMonUser + - Security AI Assistant API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + operationId: PostKnowledgeBase parameters: - - in: path - name: id - required: true + - description: ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used. 
+ example: elser-model-001 + in: query + name: modelId + required: false schema: type: string - requestBody: - content: - application/json: - examples: - UpdatePrivMonUserRequest: - summary: Update a monitored user - value: - entity_analytics_monitoring: - labels: - - field: department - source: api - value: Security - user: - is_privileged: true - name: john.doe - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc - required: true + - description: Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base. Defaults to `false`. + example: true + in: query + name: ignoreSecurityLabs + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - UpdatePrivMonUserResponse: - summary: Updated monitored user + KnowledgeBaseResponse200Example2: + summary: A response that indicates that the request was successful. value: - '@timestamp': '2026-01-28T12:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: api - value: Security - event: - ingested: '2026-01-28T12:00:00.000Z' - id: user-abc-123 - user: - is_privileged: true - name: john.doe + success: true schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc - description: User updated successfully - summary: Update a monitored user + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse' + description: Indicates a successful call. + '400': + content: + application/json: + examples: + KnowledgeBaseResponse400Example2: + summary: A response for a request that failed due to an invalid query parameter value. + value: | + statusCode: 400 error: Bad Request message: "[request query]: ignoreSecurityLabs: Invalid enum value. 
Expected 'true' | 'false', received 'yes', ignoreSecurityLabs: Expected boolean, received string" + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' + description: Generic Error + summary: Create a KnowledgeBase tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/users/list: + - Security AI Assistant API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/knowledge_base
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/security_ai_assistant/knowledge_base/{resource}: get: - description: >- - Returns a list of all privileged users currently being monitored. - Supports optional KQL filtering. - operationId: ListPrivMonUsers + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/knowledge_base/{resource}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Read a knowledge base with a specific resource identifier. + operationId: ReadKnowledgeBase parameters: - - description: KQL query to filter the list of monitored users - in: query - name: kql - required: false + - description: The KnowledgeBase `resource` value. + example: kb12345 + in: path + name: resource + required: true schema: type: string responses: 
@@ -10712,15849 +63966,36099 @@ paths: content: application/json: examples: - ListPrivMonUsersResponse: - summary: List of monitored users + KnowledgeBaseReadResponse200Example1: + summary: A response that returns information about the knowledge base. value: - - '@timestamp': '2026-01-28T12:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: api - value: IT - event: - ingested: '2026-01-28T12:00:00.000Z' - id: user-abc-123 - user: - is_privileged: true - name: john.doe - - '@timestamp': '2026-01-15T09:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: csv - value: Security - event: - ingested: '2026-01-15T09:00:00.000Z' - id: user-def-456 - user: - is_privileged: true - name: jane.smith + defend_insights_exists: true + elser_exists: false + is_setup_available: true + is_setup_in_progress: true + product_documentation_status: installed + security_labs_exists: false + user_data_exists: true schema: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc - type: array - description: List of monitored users - summary: List all monitored users + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200' + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' + description: Generic Error + summary: Read a KnowledgeBase for a resource tags: - - Security Entity Analytics API - /api/entity_analytics/privileged_user_monitoring/pad/install: + - Security AI Assistant API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: >- - Installs the privileged access detection integration package and sets up - the associated ML modules required for the Entity Analytics privileged - user monitoring experience. 
- operationId: InstallPrivilegedAccessDetectionPackage + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/knowledge_base/{resource}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a knowledge base with a specific resource identifier. + operationId: CreateKnowledgeBase + parameters: + - description: The KnowledgeBase `resource` value. + example: kb12345 + in: path + name: resource + required: true + schema: + type: string + - description: ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used. + example: elser-model-001 + in: query + name: modelId + required: false + schema: + type: string + - description: Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base. Defaults to `false`. + example: true + in: query + name: ignoreSecurityLabs + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - InstallPrivilegedAccessDetectionPackageResponse: - summary: Package installed successfully + KnowledgeBaseResponse200Example1: + summary: A response that indicates that the request was successful. value: - message: Privileged access detection package installed successfully + success: true schema: - type: object - properties: - message: - type: string - required: - - message - description: Successful response - summary: >- - Installs the privileged access detection package for the Entity - Analytics privileged user monitoring experience - tags: - - Security Entity Analytics API - /api/entity_analytics/privileged_user_monitoring/pad/status: - get: - description: >- - Returns the installation and ML module setup status of the privileged - access detection package, along with the state of each associated ML - job. - operationId: GetPrivilegedAccessDetectionPackageStatus - responses: - '200': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse' + description: Indicates a successful call. 
+ '400': content: application/json: examples: - GetPrivilegedAccessDetectionPackageStatusResponse: - summary: Package fully installed and running - value: - jobs: - - description: Detects high-risk login patterns - job_id: pad-high-risk-login - state: opened - - description: Detects privilege escalation events - job_id: pad-privilege-escalation - state: opened - ml_module_setup_status: complete - package_installation_status: complete + KnowledgeBaseResponse400Example1: + summary: A response for a request that failed due to an invalid query parameter value. + value: | + statusCode: 400 error: Bad Request message: "[request query]: ignoreSecurityLabs: Invalid enum value. Expected 'true' | 'false', received 'yes', ignoreSecurityLabs: Expected boolean, received string" schema: - type: object - properties: - jobs: - items: - type: object - properties: - description: - type: string - job_id: - type: string - state: - enum: - - closing - - closed - - opened - - failed - - opening - type: string - required: - - job_id - - state - type: array - ml_module_setup_status: - enum: - - complete - - incomplete - type: string - package_installation_status: - enum: - - complete - - incomplete - type: string - required: - - package_installation_status - - ml_module_setup_status - - jobs - description: Privileged access detection status retrieved - summary: >- - Gets the status of the privileged access detection package for the - Entity Analytics privileged user monitoring experience + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' + description: Generic Error + summary: Create a KnowledgeBase for a resource tags: - - Security Entity Analytics API - /api/entity_analytics/watchlists: + - Security AI Assistant API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/knowledge_base/entries: post: - description: >- - Creates a new entity analytics watchlist with an optional set of entity - sources. 
Watchlists apply a risk score modifier to matched entities. - operationId: CreateWatchlist + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/knowledge_base/entries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a Knowledge Base Entry + operationId: CreateKnowledgeBaseEntry requestBody: content: application/json: - examples: - CreateWatchlistRequest: - summary: Create watchlist request - value: - description: High risk vendor watchlist - managed: false - name: High Risk Vendors - riskModifier: 1.5 - CreateWatchlistWithSourcesRequest: - summary: Create watchlist with entity sources - value: - description: High risk vendor watchlist - entitySources: - - enabled: true - identifierField: user.name - indexPattern: my-sync-index - name: My User Index Source - type: index - managed: false - name: High Risk Vendors - riskModifier: 1.5 + example: + content: To reset your password, go to the settings page and click 'Reset Password'. + tags: + - password + - reset + - help + title: How to reset a password schema: - type: object - properties: - description: - description: Description of the watchlist - type: string - entitySources: - description: Optional entity sources to create and link to the watchlist - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - filter: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_Filter - identifierField: - description: >- - Field used to query the entity store for index-type - sources - type: string - indexPattern: - type: string - integrationName: - description: >- - Required when type is entity_analytics_integration. - One of entityanalytics_okta, entityanalytics_ad. 
- type: string - matchers: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_Matcher - type: array - name: - type: string - queryRule: - description: >- - KQL query used to filter data from the provided index - patterns - type: string - range: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_DateRange - type: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntitySourceType - required: - - type - - name - type: array - managed: - description: Indicates if the watchlist is managed by the system - type: boolean - name: - description: Unique name for the watchlist - type: string - riskModifier: - description: Risk score modifier associated with the watchlist - maximum: 2 - minimum: 0 - type: number - required: - - name - - riskModifier + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps' required: true responses: '200': content: application/json: - examples: - CreateWatchlistResponse: - summary: Created watchlist - value: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-01-28T12:00:00.000Z' + example: + content: To reset your password, go to the settings page and click 'Reset Password'. + id: '12345' + tags: + - password + - reset + - help + title: How to reset a password schema: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistObject - - type: object - properties: - entitySources: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySource - type: array - description: Watchlist created successfully - summary: Create a new watchlist - tags: - - Security Entity Analytics API - x-state: Technical Preview - /api/entity_analytics/watchlists/{id}: - get: - description: >- - Retrieves the details of an entity analytics watchlist by its unique - identifier. 
- operationId: GetWatchlist - parameters: - - description: Unique ID of the watchlist - in: path - name: id - required: true - schema: - type: string - responses: - '200': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' + description: Successful request returning Knowledge Base Entries + '400': content: application/json: - examples: - GetWatchlistResponse: - summary: Watchlist details - value: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' + example: + error: Invalid input + message: The 'title' field is required. schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistObject - description: Watchlist details - summary: Get a watchlist by ID + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: A generic error occurred, such as invalid input or missing required fields. + summary: Create a Knowledge Base Entry tags: - - Security Entity Analytics API - x-state: Technical Preview - put: - description: >- - Updates the name, description, risk modifier, or managed status of an - existing entity analytics watchlist. - operationId: UpdateWatchlist - parameters: - - description: The ID of the watchlist to update - in: path - name: id - required: true - schema: - type: string + - Security AI Assistant API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/knowledge_base/entries/_bulk_action: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/_bulk_action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + The bulk action is applied to all Knowledge Base Entries that match the filter or to the list of Knowledge Base Entries by their IDs. + operationId: PerformKnowledgeBaseEntryBulkAction requestBody: content: application/json: - examples: - UpdateWatchlistRequest: - summary: Update watchlist request - value: - description: High risk vendor watchlist - managed: false - name: High Risk Vendors - riskModifier: 1.5 schema: type: object properties: - description: - description: Description of the watchlist - type: string - managed: - description: Indicates if the watchlist is managed by the system - type: boolean - name: - description: Unique name of the watchlist - type: string - riskModifier: - description: Risk score modifier associated with the watchlist - maximum: 2 - minimum: 0 - type: number - required: - - name - - riskModifier - required: true + create: + description: List of Knowledge Base Entries to create. + example: + - content: This is the content of the new entry. + title: New Entry + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps' + type: array + delete: + type: object + properties: + ids: + description: Array of Knowledge Base Entry IDs. + example: + - '123' + - '456' + - '789' + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter Knowledge Base Entries. + example: status:active AND category:technology + type: string + update: + description: List of Knowledge Base Entries to update. + example: + - content: Updated content. 
+ id: '123' + title: Updated Entry + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps' + type: array responses: '200': content: application/json: - examples: - UpdateWatchlistResponse: - summary: Updated watchlist - value: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistObject - description: Watchlist updated successfully - summary: Update an existing watchlist + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse' + description: Successful bulk operation request + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: Generic Error + summary: Applies a bulk action to multiple Knowledge Base Entries tags: - - Security Entity Analytics API - x-state: Technical Preview - /api/entity_analytics/watchlists/{watchlist_id}/csv_upload: - post: - description: > - Uploads a CSV file to add entities to a watchlist. The CSV must contain - a header row - - with a "type" column (user, host, service, or generic) and one or more - ECS identity - - fields (e.g. "user.name", "host.hostname") used to match entities in the - entity store. - - - Matched entities are added to the watchlist and their - `entity.attributes.watchlists` + - Security AI Assistant API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/knowledge_base/entries/_find: + get: + description: |- + **Spaces method and path for this operation:** - field is updated in the entity store. +
get /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/_find
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Each row will match up to 10,000 entities. - operationId: UploadWatchlistCsv + Finds Knowledge Base Entries that match the given query. + operationId: FindKnowledgeBaseEntries parameters: - - description: The ID of the watchlist to add entities to - example: high-risk-vendors - in: path - name: watchlist_id - required: true + - description: A list of fields to include in the response. If not provided, all fields will be included. + in: query + name: fields + required: false + schema: + example: + - title + - created_at + items: + type: string + type: array + - description: Search query to filter Knowledge Base Entries by specific criteria. + in: query + name: filter + required: false schema: + example: error handling type: string - requestBody: - content: - multipart/form-data: - examples: - csvUpload: - summary: CSV file with user entities - value: - file: | - type,user.name - user,john.doe - user,jane.smith - schema: - type: object - properties: - file: - description: The CSV file to upload. - format: binary - type: string - required: - - file - required: true + - description: Field to sort the Knowledge Base Entries by. + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField' + example: created_at + - description: Sort order for the results, either asc or desc. + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + example: asc + - description: Page number for paginated results. Defaults to 1. + in: query + name: page + required: false + schema: + default: 1 + example: 2 + minimum: 1 + type: integer + - description: Number of Knowledge Base Entries to return per page. Defaults to 20. 
+ in: query + name: per_page + required: false + schema: + default: 20 + example: 10 + minimum: 0 + type: integer responses: '200': content: application/json: - examples: - CsvUploadResponse: - summary: CSV upload response with mixed results - value: - failed: 1 - items: - - matchedEntities: 1 - status: success - - error: Invalid entity type - matchedEntities: 0 - status: failure - - matchedEntities: 0 - status: unmatched - successful: 1 - total: 3 - unmatched: 1 schema: type: object properties: - failed: - description: Number of rows that failed to process - example: 1 - type: integer - items: + data: + description: The list of Knowledge Base Entries for the current page. items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' type: array - successful: - description: Number of rows that matched at least one entity + page: + description: The current page number. example: 1 type: integer - total: - description: Total number of rows processed - example: 3 + perPage: + description: The number of Knowledge Base Entries returned per page. + example: 20 type: integer - unmatched: - description: Number of rows that matched no entities - example: 1 + total: + description: The total number of Knowledge Base Entries available. + example: 100 type: integer required: - - successful - - failed + - page + - perPage - total - - unmatched - - items - description: Upload successful - '413': - description: File too large - summary: Upload a CSV file to add entities to a watchlist + - data + description: Successful response containing the paginated Knowledge Base Entries. + '400': + content: + application/json: + schema: + type: object + properties: + error: + description: A short description of the error. + example: Bad Request + type: string + message: + description: A detailed message explaining the error. 
+ example: 'Invalid query parameter: sort_order' + type: string + statusCode: + description: The HTTP status code of the error. + example: 400 + type: number + description: Generic Error indicating an issue with the request. + summary: Finds Knowledge Base Entries that match the given query. tags: - - Security Entity Analytics API - x-state: Technical Preview - /api/entity_analytics/watchlists/{watchlist_id}/entities/assign: - post: - description: > - Assigns the provided entities to the specified watchlist using a - "manual" source label. + - Security AI Assistant API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/knowledge_base/entries/{id}: + delete: + description: |- + **Spaces method and path for this operation:** - The entities must already exist in the entity store. +
delete /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a Knowledge Base Entry by its unique `id`. + operationId: DeleteKnowledgeBaseEntry + parameters: + - description: The unique identifier (`id`) of the Knowledge Base Entry to delete. + example: '12345' + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + id: '12345' + message: Knowledge Base Entry successfully deleted. + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_DeleteResponseFields' + description: Successful request returning the `id` of the deleted Knowledge Base Entry. + '400': + content: + application/json: + example: + error: Not Found + message: No Knowledge Base Entry found with the provided `id`. + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: A generic error occurred, such as an invalid `id` or the entry not being found. + summary: Deletes a single Knowledge Base Entry using the `id` field + tags: + - Security AI Assistant API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** +
get /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
- If an entity is already on the watchlist, no new document is created — - the "manual" label + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - is added to its existing source labels instead. - operationId: AssignWatchlistEntities + Retrieve a Knowledge Base Entry by its unique `id`. + operationId: ReadKnowledgeBaseEntry parameters: - - description: The ID of the watchlist to add entities to - example: high-risk-vendors + - description: The unique identifier (`id`) of the Knowledge Base Entry to retrieve. + example: '12345' in: path - name: watchlist_id + name: id required: true schema: - type: string - requestBody: - content: - application/json: - examples: - assignEntities: - summary: Assign two entities to a watchlist - value: - euids: - - user:john.doe - - host:web-01 - schema: - type: object - properties: - euids: - description: The EUIDs of the entities to assign - example: - - user:john.doe - - host:web-01 - items: - type: string - type: array - required: - - euids - required: true + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: - examples: - assignEntitiesResponse: - summary: Successful assignment of two entities - value: - failed: 0 - items: - - euid: user:john.doe - status: success - - euid: host:web-01 - status: not_found - not_found: 1 - successful: 1 - total: 2 + example: + content: To reset your password, go to the settings page and click 'Reset Password'. 
+ id: '12345' + tags: + - password + - reset + - help + title: How to reset a password schema: - type: object - properties: - failed: - description: Number of entities that failed to process - example: 0 - type: integer - items: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem - type: array - not_found: - description: Number of entities not found in the entity store - example: 1 - type: integer - successful: - description: Number of entities successfully assigned - example: 1 - type: integer - total: - description: Total number of entities processed - example: 2 - type: integer - required: - - successful - - failed - - not_found - - total - - items - description: Assignment successful - summary: Manually assign entities to a watchlist + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' + description: Successful request returning the requested Knowledge Base Entry. + '400': + content: + application/json: + example: + error: Not Found + message: No Knowledge Base Entry found with the provided `id`. + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: A generic error occurred, such as an invalid `id` or the entry not being found. + summary: Read a Knowledge Base Entry tags: - - Security Entity Analytics API - x-state: Technical Preview; added in 9.4.0 - /api/entity_analytics/watchlists/{watchlist_id}/entities/unassign: - post: - description: | - Unassigns the provided entities from the specified watchlist. - This only removes the "manual" assignment. If the entity is also - assigned via other sources (for example, index or integration), it will - remain on the watchlist. - operationId: UnassignWatchlistEntities + - Security AI Assistant API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing Knowledge Base Entry by its unique `id`. + operationId: UpdateKnowledgeBaseEntry parameters: - - description: The ID of the watchlist to remove entities from - example: high-risk-vendors + - description: The unique identifier (`id`) of the Knowledge Base Entry to update. + example: '12345' in: path - name: watchlist_id + name: id required: true schema: - type: string + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' requestBody: content: application/json: - examples: - unassignEntities: - summary: Unassign two entities from a watchlist - value: - euids: - - user:john.doe - - host:web-01 + example: + content: To reset your password, go to the settings page, click 'Reset Password', and follow the instructions. + tags: + - password + - reset + - help + - update + title: How to reset a password (updated) schema: - type: object - properties: - euids: - description: The EUIDs of the entities to unassign - example: - - user:john.doe - - host:web-01 - items: - type: string - type: array - required: - - euids + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps' required: true responses: '200': content: application/json: - examples: - unassignEntitiesResponse: - summary: Successful unassignment of two entities - value: - failed: 0 - items: - - euid: user:john.doe - status: success - - euid: host:web-01 - status: not_found - not_found: 1 - successful: 1 - total: 2 + example: + content: To reset your password, go to the settings page, click 'Reset Password', and follow the instructions. 
+ id: '12345' + tags: + - password + - reset + - help + - update + title: How to reset a password (updated) schema: - type: object - properties: - failed: - description: Number of entities that failed to process - example: 0 - type: integer - items: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem - type: array - not_found: - description: >- - Number of entities not found in the manual watchlist - assignment - example: 1 - type: integer - successful: - description: Number of entities successfully unassigned - example: 1 - type: integer - total: - description: Total number of entities processed - example: 2 - type: integer - required: - - successful - - failed - - not_found - - total - - items - description: Unassignment successful - summary: Manually unassign entities from a watchlist - tags: - - Security Entity Analytics API - x-state: Technical Preview; added in 9.4.0 - /api/entity_analytics/watchlists/list: - get: - description: Returns a list of all entity analytics watchlists. - operationId: ListWatchlists - responses: - '200': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' + description: Successful request returning the updated Knowledge Base Entry. + '400': content: application/json: - examples: - ListWatchlistsResponse: - summary: List of watchlists - value: - - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' - - createdAt: '2026-01-10T09:30:00.000Z' - description: Privileged user monitoring watchlist - id: watchlist-456 - managed: true - name: Privileged Accounts - riskModifier: 2 - updatedAt: '2026-02-01T15:45:00.000Z' + example: + error: Invalid input + message: The 'content' field cannot be empty. 
schema: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistObject - type: array - description: List of watchlists - summary: List all watchlists + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: A generic error occurred, such as invalid input or the entry not being found. + summary: Update a Knowledge Base Entry tags: - - Security Entity Analytics API - x-state: Technical Preview - /api/entity_store/enable: + - Security AI Assistant API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/prompts/_bulk_action: post: - description: >- - Initialize the entire Entity Store, creating engines for all or - specified entity types. - operationId: InitEntityStore + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/prompts/_bulk_action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Apply a bulk action to multiple prompts. The bulk action is applied to all prompts that match the filter or to the list of prompts by their IDs. This action allows for bulk create, update, or delete operations. + operationId: PerformPromptsBulkAction requestBody: content: application/json: + example: + create: + - content: Please verify the security settings. + name: New Security Prompt + promptType: system + delete: + ids: + - prompt1 + - prompt2 + update: + - content: Updated content for security prompt. + id: prompt123 schema: type: object properties: - delay: - default: 1m - description: The delay before the transform will run. - pattern: '[smdh]$' - type: string - docsPerSecond: - default: -1 - description: The number of documents per second to process. - type: integer - enrichPolicyExecutionInterval: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' - entityTypes: + create: + description: List of prompts to be created. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptCreateProps' + type: array + delete: + description: Criteria for deleting prompts in bulk. + type: object + properties: + ids: + description: Array of IDs to apply the action to. + example: + - '1234' + - '5678' + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter the bulk action. + example: 'status: ''inactive''' + type: string + update: + description: List of prompts to be updated. items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityType + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptUpdateProps' type: array - fieldHistoryLength: - default: 10 - description: The number of historical values to keep for each field. - type: integer - filter: - type: string - frequency: - default: 1m - description: The frequency at which the transform will run. 
- pattern: '[smdh]$' - type: string - indexPattern: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_IndexPattern - lookbackPeriod: - default: 3h - description: >- - The amount of time the transform looks back to calculate the - aggregations. - pattern: '[smdh]$' - type: string - maxPageSearchSize: - default: 500 - description: >- - The initial page size to use for the composite aggregation - of each checkpoint. - type: integer - timeout: - default: 180s - description: The timeout for initializing the aggregating transform. - pattern: '[smdh]$' - type: string - timestampField: - default: '@timestamp' - description: The field to use as the timestamp. - type: string - description: Configuration for the entity store initialization. - required: true responses: '200': content: application/json: examples: - initEntityStoreExample: - description: >- - The Entity Store was successfully initialized, creating host - and user engines in the installing state. - summary: Entity Store initialized with host and user engines + success: value: - engines: - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: installing - timeout: 180s - timestampField: '@timestamp' - type: host - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: installing - timeout: 180s - timestampField: '@timestamp' - type: user - succeeded: true + attributes: + errors: [] + results: + created: + - content: Please verify the security settings. + id: prompt6 + name: New Security Prompt + promptType: system + deleted: + - prompt2 + - prompt3 + skipped: + - id: prompt4 + name: Security Prompt + skip_reason: PROMPT_FIELD_NOT_MODIFIED + updated: + - content: Updated security settings prompt + id: prompt1 + name: Security Prompt + promptType: system + summary: + failed: 0 + skipped: 1 + succeeded: 4 + total: 5 + message: Bulk action completed successfully. 
+ prompts_count: 5 + status_code: 200 + success: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse' + description: Indicates a successful call with the results of the bulk action. + '400': + content: + application/json: schema: type: object properties: - engines: - description: The engine descriptors created during initialization. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - type: array - succeeded: - description: Whether the Entity Store was initialized successfully. - type: boolean - description: Successful response - '400': - description: Invalid request - summary: Initialize the Entity Store + error: + description: A short error message. + example: Bad Request + type: string + message: + description: A detailed error message. + example: Invalid prompt ID or missing required fields. + type: string + statusCode: + description: The HTTP status code for the error. + example: 400 + type: number + description: Indicates a generic error due to a bad request. + summary: Apply a bulk action to prompts tags: - - Security Entity Analytics API - /api/entity_store/engines: - delete: - operationId: DeleteEntityEngines + - Security AI Assistant API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/prompts/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/prompts/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all prompts based on optional filters, sorting, and pagination. + operationId: FindPrompts parameters: - - description: >- - The entity type of the engine ('user', 'host', 'service', - 'generic'). - examples: - hostAndService: - value: host,service + - description: List of specific fields to include in each returned prompt. in: query - name: entityTypes + name: fields required: false schema: - description: >- - Array of engine types to delete. Empty by default, which results - in all the engines being deleted. + example: + - id + - name + - content items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: string type: array - - description: Control flag to also delete the entity data. + - description: Search query string to filter prompts by matching fields. in: query - name: delete_data + name: filter required: false schema: - type: boolean + example: error handling + type: string + - description: Field to sort prompts by. + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_FindPromptsSortField' + - description: Sort order, either asc or desc. + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number for pagination. + in: query + name: page + required: false + schema: + default: 1 + example: 1 + minimum: 1 + type: integer + - description: Number of prompts per page. 
+ in: query + name: per_page + required: false + schema: + default: 20 + example: 20 + minimum: 0 + type: integer responses: '200': content: application/json: - examples: - deleteEntityEnginesExample: - description: Example response after deleting 'host' engine - value: - deleted: - - host - still_running: - - generic - - user - - service schema: + example: + data: + - categories: + - troubleshooting + - logging + color: '#FF5733' + consumer: security + content: If you encounter an error, check the logs and retry. + createdAt: '2025-04-20T21:00:00Z' + createdBy: jdoe + id: prompt-123 + isDefault: true + isNewConversationDefault: false + name: Error Troubleshooting Prompt + namespace: default + promptType: standard + timestamp: '2025-04-30T22:30:00Z' + updatedAt: '2025-04-30T22:45:00Z' + updatedBy: jdoe + users: + - full_name: John Doe + username: jdoe + page: 1 + perPage: 20 + total: 142 type: object properties: - deleted: - description: Entity types whose engines were successfully deleted. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityType - type: array - still_running: - description: Entity types whose engines are still running. + data: + description: The list of prompts returned based on the search query, sorting, and pagination. items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityType + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' type: array - description: Successful response - summary: Delete Entity Engines - tags: - - Security Entity Analytics API - get: - description: Get a list of all installed entity engines and their current status. - operationId: ListEntityEngines - responses: - '200': + page: + description: Current page number. + example: 1 + type: integer + perPage: + description: Number of prompts per page. + example: 20 + type: integer + total: + description: Total number of prompts matching the query. 
+ example: 142 + type: integer + required: + - page + - perPage + - total + - data + description: Successful response containing a list of prompts. + '400': content: application/json: - examples: - listEntityEnginesExample: - description: >- - Returns a list with one running host engine and one stopped - user engine. - summary: Two engines installed - value: - count: 2 - engines: - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: host - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: stopped - timeout: 180s - timestampField: '@timestamp' - type: user schema: type: object properties: - count: - description: The total number of entity engines. - type: integer - engines: - description: An array of engine descriptors. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - type: array - description: Successful response - summary: List the Entity Engines + error: + description: Short error message. + example: Bad Request + type: string + message: + description: Detailed description of the error. + example: Invalid sort order value provided. + type: string + statusCode: + description: HTTP status code for the error. + example: 400 + type: number + description: Bad request due to invalid parameters or malformed query. + summary: Get prompts tags: - - Security Entity Analytics API - /api/entity_store/engines/{entityType}: - delete: - operationId: DeleteEntityEngine + - Security AI Assistant API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security/entity_store
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update the Entity Store log extraction configuration.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store parameters: - - description: The entity type of the engine (either 'user' or 'host'). - examples: - host: - value: host - in: path - name: entityType + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - - description: Control flag to also delete the entity data. - in: query - name: delete_data - required: false - schema: - type: boolean - - deprecated: true - description: Control flag to also delete the entity data. - in: query - name: data - required: false - schema: - type: boolean + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + updateLogExtractionExample: + description: Update the log extraction configuration with a new lookback period and frequency. + summary: Update log extraction settings + value: + logExtraction: + fieldHistoryLength: 15 + frequency: 10m + lookbackPeriod: 6h + schema: + additionalProperties: false + type: object + properties: + logExtraction: + additionalProperties: false + type: object + properties: + additionalIndexPatterns: + items: + type: string + type: array + delay: + pattern: '[smdh]$' + type: string + docsLimit: + maximum: 9007199254740991 + minimum: 1 + type: integer + fieldHistoryLength: + maximum: 9007199254740991 + minimum: -9007199254740991 + type: integer + filter: + type: string + frequency: + pattern: '[smdh]$' + type: string + lookbackPeriod: + pattern: '[smdh]$' + type: string + maxLogsPerPage: + maximum: 9007199254740991 + minimum: 1 + type: integer + required: + - logExtraction responses: '200': content: application/json: examples: - deleteEntityEngineExample: - description: Example response after deleting 'host' engine + updateSuccessExample: + description: The Entity Store configuration was successfully updated. 
+ summary: Entity Store updated value: - deleted: true - schema: - type: object - properties: - deleted: - description: Whether the engine was successfully deleted. - type: boolean - description: Successful response - summary: Delete the Entity Engine - tags: - - Security Entity Analytics API - get: - description: >- - Get the engine descriptor for a specific entity type, including its - configuration and current status. - operationId: GetEntityEngine - parameters: - - description: The entity type of the engine. - example: host - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': + ok: true + description: Indicates a successful response. + '400': content: application/json: examples: - getEntityEngineExample: - description: >- - Returns the engine descriptor for a host engine that is - currently running with default settings. - summary: A running host engine + invalidDurationExample: + description: A log extraction parameter has an invalid duration format. + summary: Invalid duration parameter value: - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: host - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - description: Successful response - summary: Get an Entity Engine + error: Bad Request + message: '[request body]: logExtraction.frequency: must be a valid duration of at least 30 seconds (e.g. 1m, 30s)' + statusCode: 400 + description: Bad request. + '404': + content: + application/json: + examples: + notFoundExample: + description: The Entity Store has not been installed yet. + summary: Entity Store not installed + value: + error: Not Found + message: Entity store is not installed + statusCode: 404 + description: Entity Store not found. 
+ summary: Update the Entity Store tags: - - Security Entity Analytics API - /api/entity_store/engines/{entityType}/init: - post: - description: Initialize a single entity engine for the specified entity type. - operationId: InitEntityEngine + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"logExtraction":{"lookbackPeriod":"6h","frequency":"10m","fieldHistoryLength":15}}' \ + "${KIBANA_URL}/api/security/entity_store" + - lang: Console + source: | + PUT kbn://api/security/entity_store + { + "logExtraction": { + "lookbackPeriod": "6h", + "frequency": "10m", + "fieldHistoryLength": 15 + } + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/entities: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security/entity_store/entities
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List entity records from the Entity Store with paging, sorting, and filtering. Supports two modes: page-based pagination (page/per_page) and cursor-based pagination (searchAfter). The two modes cannot be combined.

[Required authorization] Route required privileges: securitySolution. + operationId: get-security-entity-store-entities parameters: - - description: The entity type of the engine. - in: path - name: entityType - required: true + - description: A Kibana Query Language (KQL) filter for the search-after mode. + in: query + name: filter + required: false schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - requestBody: - content: - application/json: - schema: - type: object - properties: - delay: - default: 1m - description: The delay before the transform will run. - pattern: '[smdh]$' - type: string - docsPerSecond: - default: -1 - description: The number of documents per second to process. - type: integer - enrichPolicyExecutionInterval: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' - fieldHistoryLength: - default: 10 - description: The number of historical values to keep for each field. - type: integer - filter: - type: string - frequency: - default: 1m - description: The frequency at which the transform will run. - pattern: '[smdh]$' - type: string - indexPattern: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_IndexPattern - lookbackPeriod: - default: 3h - description: >- - The amount of time the transform looks back to calculate the - aggregations. - pattern: '[smdh]$' - type: string - maxPageSearchSize: - default: 500 - description: >- - The initial page size to use for the composite aggregation - of each checkpoint. - type: integer - timeout: - default: 180s - description: The timeout for initializing the aggregating transform. - pattern: '[smdh]$' - type: string - timestampField: - default: '@timestamp' - description: The field to use as the timestamp for the entity type. - type: string - description: Schema for the engine initialization - required: true + type: string + - description: Number of entities to return in search-after mode. 
+ in: query + name: size + required: false + schema: + maximum: 9007199254740991 + minimum: 1 + type: integer + - description: JSON-encoded search_after value for cursor-based pagination. + in: query + name: searchAfter + required: false + schema: + type: string + - description: Fields to include in the response source. + in: query + name: source + required: false + schema: + items: + type: string + type: array + - description: Fields to include in the response. + in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Field to sort results by in page mode. + in: query + name: sort_field + required: false + schema: + type: string + - description: Sort order in page mode. + in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + - description: Page number to return (1-indexed) in page mode. + in: query + name: page + required: false + schema: + maximum: 9007199254740991 + minimum: 1 + type: integer + - description: Number of entities per page in page mode. + in: query + name: per_page + required: false + schema: + maximum: 10000 + minimum: 1 + type: integer + - description: An Elasticsearch query string to filter entities in page mode. + in: query + name: filterQuery + required: false + schema: + type: string + - description: Entity types to include in the results. + in: query + name: entity_types + required: false + schema: + items: + enum: + - user + - host + - service + - generic + type: string + type: array responses: '200': content: application/json: examples: - initEntityEngineExample: - description: >- - A host engine was successfully initialized and is now in the - installing state. - summary: Host engine initialized + emptyResultExample: + description: No entities matched the query. 
+ summary: Empty result value: - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 3h - status: installing - timeout: 180s - timestampField: '@timestamp' - type: host - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - description: Successful response + page: 1 + per_page: 10 + records: [] + total: 0 + pageModeExample: + description: A paginated list of host entities sorted by timestamp in descending order, including query inspection data. + summary: Page mode response with host entities + value: + inspect: + dsl: + - '{"index":["entities-latest-default"],"body":{"terms":{"entity.EngineMetadata.Type":["host"]}}}' + response: + - '{"took":1,"timed_out":false,"hits":{"total":{"value":1,"relation":"eq"}}}' + page: 1 + per_page: 10 + records: + - '@timestamp': '2026-04-10T08:30:00.000Z' + asset: + criticality: high_impact + environment: production + entity: + attributes: + asset: true + managed: true + id: host:web-server-prod-01 + lifecycle: + first_seen: '2026-01-15T10:00:00.000Z' + last_activity: '2026-04-10T08:30:00.000Z' + name: web-server-prod-01 + risk: + calculated_level: Moderate + calculated_score: 47.5 + calculated_score_norm: 47.5 + source: + - logs + type: host + host: + hostname: + - web-server-prod-01.example.com + ip: + - 10.0.1.42 + name: web-server-prod-01 + os: + name: Ubuntu + type: linux + total: 1 + searchAfterModeExample: + description: A cursor-based response with entities and a search_after token for the next page. + summary: Search-after mode response + value: + entities: + - '@timestamp': '2026-04-10T08:30:00.000Z' + entity: + id: user:jane.doe@example.com + name: jane.doe + type: user + user: + email: + - jane.doe@example.com + name: jane.doe + nextSearchAfter: + - 1712736600000 + - 1 + description: Indicates a successful response. 
'400': - description: Invalid request - summary: Initialize an Entity Engine - tags: - - Security Entity Analytics API - /api/entity_store/engines/{entityType}/start: - post: - description: >- - Start a previously stopped entity engine, resuming transform processing - for the given entity type. - operationId: StartEntityEngine - parameters: - - description: The entity type of the engine to start. - example: host - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': content: application/json: examples: - startEntityEngineExample: - description: >- - The engine was successfully started and is now processing - data. - summary: Engine started successfully + invalidFilterExample: + description: The provided Kibana Query Language filter could not be parsed. + summary: Invalid filter value: - started: true - schema: - type: object - properties: - started: - description: Whether the engine was successfully started. - type: boolean - description: Successful response - summary: Start an Entity Engine + error: Bad Request + message: |- + Invalid filter: Expected "(", "{", value, whitespace but ":" found. + invalid :: query + ---------^ + statusCode: 400 + mixedModesExample: + description: Cannot combine page-based pagination with cursor-based pagination in the same request. + summary: Mixed pagination modes + value: + error: Bad Request + message: '[request query]: Cannot combine page/per_page with searchAfter' + statusCode: 400 + description: Bad request. + summary: List entities tags: - - Security Entity Analytics API - /api/entity_store/engines/{entityType}/stop: - post: - description: >- - Stop a running entity engine, pausing transform processing for the given - entity type. 
- operationId: StopEntityEngine + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ + "${KIBANA_URL}/api/security/entity_store/entities?entity_types=host&page=1&per_page=10&sort_field=%40timestamp&sort_order=desc" + - lang: Console + source: | + GET kbn://api/security/entity_store/entities?entity_types=host&page=1&per_page=10&sort_field=@timestamp&sort_order=desc + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/entities/: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/security/entity_store/entities/
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a single entity record from the Entity Store. The entity is immediately removed from the latest index.

[Required authorization] Route required privileges: securitySolution. + operationId: delete-security-entity-store-entities parameters: - - description: The entity type of the engine to stop. - example: host - in: path - name: entityType + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': - content: - application/json: - examples: - stopEntityEngineExample: - description: >- - The engine was successfully stopped and is no longer - processing data. - summary: Engine stopped successfully - value: - stopped: true - schema: - type: object - properties: - stopped: - description: Whether the engine was successfully stopped. - type: boolean - description: Successful response - summary: Stop an Entity Engine - tags: - - Security Entity Analytics API - /api/entity_store/engines/apply_dataview_indices: - post: - description: >- - Synchronize data view index patterns to all running entity engines so - that newly added indices are picked up by the transforms. - operationId: ApplyEntityEngineDataviewIndices + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + deleteEntityExample: + description: Delete a single entity from the Entity Store using its entity identifier. + summary: Delete an entity by identifier + value: + entityId: host:web-server-prod-01 + schema: + additionalProperties: false + type: object + properties: + entityId: + description: The identifier of the entity to delete. + type: string + required: + - entityId responses: '200': content: application/json: examples: - applyDataviewIndicesExample: - description: >- - All running engines were successfully updated with the - current data view index patterns. - summary: All engines updated + deleteSuccessExample: + description: The entity was found and successfully removed from the latest index. 
+ summary: Entity deleted value: - result: - - changes: - indexPatterns: - - logs-* - - filebeat-* - - auditbeat-* - type: host - - changes: - indexPatterns: - - logs-* - - filebeat-* - - auditbeat-* - type: user - success: true - schema: - type: object - properties: - result: - description: Per-engine update results. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult - type: array - success: - description: Whether all engines updated successfully. - type: boolean - description: Successful response - '207': + deleted: true + description: Indicates the entity was successfully deleted. + '404': content: application/json: examples: - partialSuccessExample: - description: >- - The host engine was updated but the user engine failed due - to insufficient privileges. - summary: One engine failed + notFoundExample: + description: No entity with the specified identifier exists in the Entity Store. + summary: Entity not found value: - errors: - - 'Failed to update user engine: insufficient privileges' - result: - - changes: - indexPatterns: - - logs-* - - filebeat-* - type: host - success: false - schema: - type: object - properties: - errors: - description: Error messages for engines that failed to update. - items: + error: Not Found + message: Entity ID 'host:web-server-prod-01' not found + statusCode: 404 + description: Entity not found. 
+ summary: Delete an entity + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X DELETE -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityId":"host:web-server-prod-01"}' \ + "${KIBANA_URL}/api/security/entity_store/entities/" + - lang: Console + source: | + DELETE kbn://api/security/entity_store/entities/ + { + "entityId": "host:web-server-prod-01" + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/entities/{entityType}: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security/entity_store/entities/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new entity record in the Entity Store for the specified entity type.

[Required authorization] Route required privileges: securitySolution. + operationId: post-security-entity-store-entities-entitytype + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The entity type to create. + in: path + name: entityType + required: true + schema: + enum: + - user + - host + - service + - generic + type: string + requestBody: + content: + application/json: + examples: + createHostEntityExample: + description: Create a new host entity record with basic host and entity fields. The entity identifier must match the auto-generated format for the entity type. + summary: Create a host entity + value: + asset: + business_unit: Engineering + criticality: high_impact + environment: production + entity: + attributes: + asset: true + managed: true + id: host:web-server-prod-01 + name: web-server-prod-01 + source: + - manual + type: host + host: + hostname: + - web-server-prod-01.example.com + ip: + - 10.0.1.42 + name: web-server-prod-01 + schema: + anyOf: + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + 
additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + 
type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + 
type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + 
calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + user: + additionalProperties: false + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: + items: + type: string + type: array + name: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: 
+ - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + roles: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + 
user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + 
properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical 
+ type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + host: + additionalProperties: false + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: + type: string + os: + additionalProperties: false + type: object + properties: + family: + type: string + full: + type: string + kernel: + type: string + name: + anyOf: + - type: string + - items: + type: string + type: array + platform: + type: string + type: + anyOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + type: + items: + type: string + type: array + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: 
object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: 
+ items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + 
properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + service: + additionalProperties: false + type: object + properties: + address: + type: string + environment: + type: string + ephemeral_id: + type: string + id: + type: string + name: + type: string + node: + additionalProperties: false + type: object + properties: + name: + type: string + role: + type: string + roles: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + state: + type: string + type: + type: string + version: + type: string + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string - type: array - result: - description: Per-engine update results for engines that succeeded. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult - type: array - success: - description: Always `false` for a partial success. 
- type: boolean - description: Partial successful response - '500': - content: - application/json: - examples: - serverErrorExample: - description: >- - An unexpected error occurred while applying data view - indices. - summary: Internal server error - value: - body: An internal error occurred while updating engine indices - statusCode: 500 - schema: - type: object - properties: - body: - description: Error message. - type: string - statusCode: - description: HTTP status code. - type: number - description: Error response - summary: Apply DataView indices to all installed engines - tags: - - Security Entity Analytics API - /api/entity_store/entities/{entityType}: - delete: - description: > - Delete a single entity in Entity Store. - - The entity will be immediately deleted from the latest index. It will - remain available in historical snapshots if it has been snapshotted. - The delete operation does not prevent the entity from being recreated if - it is observed again in the future. - operationId: DeleteSingleEntity - parameters: - - example: user - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - requestBody: - content: - application/json: - schema: - type: object - properties: - id: - description: >- - Identifier of the entity to be deleted, commonly entity.id - value. - example: arn:aws:iam::123456789012:user/jane.doe - type: string - required: - - id - description: Schema for the deleting entity - required: true - responses: - '200': - content: - application/json: - examples: - deleteEntityExample: - description: >- - The entity was found and successfully removed from the - latest index. - summary: Entity deleted - value: - deleted: true - schema: - type: object - properties: - deleted: - description: Whether the entity was successfully deleted. - type: boolean - description: Successful response. Entity deleted. - '404': - description: Entity Not Found. 
No entity with this ID and Type exists. - '503': - description: >- - Operation on an uninitialized Engine or in a cluster without CRUD - API Enabled - summary: Delete an entity in Entity Store - tags: - - Security Entity Analytics API - put: - description: > - Update or create an entity in Entity Store. - - If the specified entity already exists, it is updated with the provided - values. If the entity does not exist, a new one is created. By default, - only the following fields can be updated: * `entity.attributes.*` * - `entity.lifecycle.*` * `entity.behavior.*` To update other fields, set - the `force` query parameter to `true`. > info > Some fields always - retain the first observed value. Updates to these fields will not appear - in the final index. - - > Due to technical limitations, not all updates are guaranteed to appear - in the final list of observed values. - - > Due to technical limitations, create is an async operation. The time - for a document to be present in the > final index depends on the entity - store transform and usually takes more than 1 minute. - operationId: UpsertEntity - parameters: - - example: user - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - - description: When true, allows updating protected fields. - in: query - name: force - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' - description: Schema for the updating a single entity - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' - description: Entity updated or created - '403': - description: Operation on a restricted field - '409': - description: >- - Conflict. 
The entity was updated while another update was happening - in ElasticSearch - '503': - description: >- - Operation on an uninitialized Engine or in a cluster without CRUD - API Enabled - summary: Upsert an entity in Entity Store - tags: - - Security Entity Analytics API - /api/entity_store/entities/bulk: - put: - description: > - Update or create many entities in Entity Store. - - If the specified entity already exists, it is updated with the provided - values. If the entity does not exist, a new one is created. - - The creation is asynchronous. The time for a document to be present in - the final index depends on the entity store transform and usually takes - more than 1 minute. - operationId: UpsertEntitiesBulk - parameters: - - description: When true, allows updating protected fields. - in: query - name: force - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntitiesContainer - description: Schema for the updating many entities - required: true - responses: - '200': - description: Entities updated or created - '403': - description: Operation on a restricted field - '503': - description: >- - Operation on an uninitialized Engine or in a cluster without CRUD - API Enabled - summary: Upsert many entities in Entity Store - tags: - - Security Entity Analytics API - /api/entity_store/entities/list: - get: - description: List entities records, paging, sorting and filtering as needed. - operationId: ListEntities - parameters: - - description: Field to sort results by. - example: entity.name - in: query - name: sort_field - required: false - schema: - type: string - - description: Sort order. - in: query - name: sort_order - required: false - schema: - enum: - - asc - - desc - type: string - - description: Page number to return (1-indexed). 
- example: 1 - in: query - name: page - required: false - schema: - minimum: 1 - type: integer - - description: Number of entities per page. - example: 10 - in: query - name: per_page - required: false - schema: - maximum: 10000 - minimum: 1 - type: integer - - description: An ES query to filter by. - in: query - name: filterQuery - required: false - schema: - type: string - - description: Entity types to include in the results. - in: query - name: entity_types - required: true - schema: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - type: array - responses: - '200': - content: - application/json: - schema: - type: object - properties: - inspect: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_InspectQuery - page: - description: Current page number. - minimum: 1 - type: integer - per_page: - description: Number of entities per page. - maximum: 1000 - minimum: 1 - type: integer - records: - description: The entity records for this page. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_Entity - type: array - total: - description: Total number of entities matching the query. - minimum: 0 - type: integer - required: - - records - - page - - per_page - - total - description: Entities returned successfully - summary: List Entity Store Entities - tags: - - Security Entity Analytics API - /api/entity_store/status: - get: - description: >- - Get the overall Entity Store status and per-engine statuses, optionally - including component-level health details. - operationId: GetEntityStoreStatus - parameters: - - description: >- - If true, returns a detailed status of each engine including all its - components. - example: true - in: query - name: include_components - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - entityStoreRunning: - description: >- - The Entity Store is running with both host and user engines - started and using default settings. 
- summary: Entity Store running with two engines - value: - engines: - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: host - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: user - status: running - schema: - type: object - properties: - engines: - description: Per-engine status information. - items: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - - type: object + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + cloud: + additionalProperties: false + type: object + properties: + account: + additionalProperties: false + type: object properties: - components: - description: >- - Detailed component-level status. Only included - when include_components is true. 
+ id: + type: string + name: + type: string + availability_zone: + type: string + instance: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + machine: + additionalProperties: false + type: object + properties: + type: + type: string + project: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + provider: + type: string + region: + type: string + service: + additionalProperties: false + type: object + properties: + name: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineComponentStatus + type: string type: array - type: array - status: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_StoreStatus - description: The overall status of the Entity Store. - required: - - status - - engines - description: Successful response - summary: Get the status of the Entity Store - tags: - - Security Entity Analytics API - /api/exception_lists: - delete: - description: Delete an exception list using the `id` or `list_id` field. - operationId: DeleteExceptionList - parameters: - - description: >- - Exception list's identifier. Either `id` or `list_id` must be - specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: >- - Human readable exception list string identifier, e.g. - `trusted-linux-processes`. Either `id` or `list_id` must be - specified. 
- examples: - autogeneratedId: - value: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - list_id: - value: simple_list - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: > - `single` deletes the list in the current Kibana space; `agnostic` - deletes a global list. Must match the - - list you are removing when using `list_id` or `id`. - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: 
array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: 
string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + 
type: string + labels: + additionalProperties: {} + type: object + properties: {} + orchestrator: + additionalProperties: false + type: object + properties: + api_version: + type: string + cluster: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + url: + type: string + version: + type: string + namespace: + type: string + organization: + type: string + resource: + additionalProperties: false + type: object + properties: + annotation: + type: string + id: + type: string + ip: + type: string + label: + type: string + name: + type: string + parent: + additionalProperties: false + type: object + properties: + type: + type: string + type: + type: string + type: + type: string + tags: + items: + type: string + type: array responses: '200': content: application/json: examples: - detectionExceptionList: + createSuccessExample: + description: The entity record was successfully created in the Entity Store. + summary: Entity created value: - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. - id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response + ok: true + description: Indicates the entity was successfully created. '400': content: application/json: examples: - badRequest: + euidMismatchExample: + description: The supplied entity identifier does not match the auto-generated identifier derived from the entity fields. 
+ summary: Entity identifier mismatch value: error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' + message: 'Bad request: Supplied ID my-custom-id does not match generated EUID host:web-server-prod-01' statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [DELETE - /api/exception_lists?list_id=simple_list&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'exception list list_id: "foo" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': + description: Bad request. + '409': content: application/json: examples: - serverError: + conflictExample: + description: An entity with the specified identifier already exists. 
+ summary: Entity already exists value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Delete an exception list + error: Conflict + message: Entity ID 'host:web-server-prod-01' already exists + statusCode: 409 + description: Conflict. + summary: Create an entity tags: - - Security Exceptions API - get: - description: Get the details of an exception list using the `id` or `list_id` field. - operationId: ReadExceptionList + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","source":["manual"],"attributes":{"asset":true}},"host":{"name":"web-server-prod-01","ip":["10.0.1.42"]}}' \ + "${KIBANA_URL}/api/security/entity_store/entities/host" + - lang: Console + source: | + POST kbn://api/security/entity_store/entities/host + { + "entity": { + "id": "host:web-server-prod-01", + "name": "web-server-prod-01", + "type": "host", + "source": ["manual"], + "attributes": { "asset": true } + }, + "host": { + "name": "web-server-prod-01", + "ip": ["10.0.1.42"] + } + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security/entity_store/entities/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing entity record in the Entity Store. By default only certain fields can be updated. Set the `force` query parameter to `true` to update protected fields.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store-entities-entitytype parameters: - - description: >- - Exception list's identifier. Either `id` or `list_id` must be - specified. - in: query - name: id - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: >- - Human readable exception list string identifier, e.g. - `trusted-linux-processes`. Either `id` or `list_id` must be - specified. - in: query - name: list_id - required: false + example: 'true' + type: string + - description: The entity type to update. + in: path + name: entityType + required: true schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: > - When `single`, the list is resolved in the current Kibana space. - When `agnostic`, the list is a global - - (space-agnostic) container. Required for looking up the correct list - when `list_id` is not unique. - examples: - agnostic: - value: agnostic - single: - value: single + enum: + - user + - host + - service + - generic + type: string + - description: When true, allows updating protected fields. in: query - name: namespace_type + name: force required: false schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - responses: - '200': - content: - application/json: - examples: - detectionType: - value: - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. 
- id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET - /api/exception_lists?list_id=simple_list&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message": 'exception list id: "foo" does not exist' - status_code": 404 - 
schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get exception list details - tags: - - Security Exceptions API - post: - description: > - An exception list groups exception items and can be associated with - detection rules. You can assign exception lists to multiple detection - rules. - - > info - - > All exception items added to the same list are evaluated using `OR` - logic. That is, if any of the items in a list evaluate to `true`, the - exception prevents the rule from generating an alert. Likewise, `OR` - logic is used for evaluating exceptions when more than one exception - list is assigned to a rule. To use the `AND` operator, you can define - multiple clauses (`entries`) in a single exception item. - operationId: CreateExceptionList + anyOf: + - enum: + - 'true' + - 'false' + type: string + - type: boolean + default: false requestBody: content: application/json: examples: - createDetection: + updateEntityAttributesExample: + description: Update the attributes of an existing user entity. Fields like entity.name and entity.type are protected and require the force query parameter. + summary: Update entity attributes value: - description: This is a sample detection type exception list. 
- list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - type: detection + entity: + attributes: + managed: true + mfa_enabled: true + id: user:jane.doe@example.com + lifecycle: + last_activity: '2026-04-10T14:30:00.000Z' + name: jane.doe + type: user + user: + email: + - jane.doe@example.com + name: jane.doe + roles: + - admin + - analyst schema: - example: - description: This is a sample detection type exception list. - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - type: detection - type: object - properties: - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription - list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - meta: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListMeta - name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListName - namespace_type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray - tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListTags - default: [] - type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListType - version: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListVersion - default: 1 - required: - - name - - description - - type - description: Exception list's properties - required: true - responses: - '200': - content: - application/json: - examples: - autogeneratedListId: - value: - _version: WzMsMV0= - created_at: 2025-01-09T01:05:23.019Z - created_by: elastic - description: >- - This is a sample detection type exception with an - autogenerated list_id. 
- id: 28243c2f-624a-4443-823d-c0b894880931 - immutable: false - list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 - name: Sample Detection Exception List - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: ad94de31-39f7-4ad7-b8e4-988bfa95f338 - type: detection - updated_at: 2025-01-09T01:05:23.020Z - updated_by: elastic - version: 1 - namespaceAgnostic: - value: - _version: WzUsMV0= - created_at: 2025-01-09T01:10:36.369Z - created_by: elastic - description: This is a sample agnostic endpoint type exception. - id: 1a744e77-22ca-4b6b-9085-54f55275ebe5 - immutable: false - list_id: b935eb55-7b21-4c1c-b235-faa1df23b3d6 - name: Sample Agnostic Endpoint Exception List - namespace_type: agnostic - os_types: - - linux - tags: - - malware - tie_breaker_id: 49ea0adc-a2b8-4d83-a8f3-2fb98301dea3 - type: endpoint - updated_at: 2025-01-09T01:10:36.369Z - updated_by: elastic - version: 1 - typeDetection: - value: - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. 
- id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux + anyOf: + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + 
user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + 
properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical 
+ type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 - typeEndpoint: - value: - _version: WzQsMV0= - created_at: 2025-01-09T01:07:49.658Z - created_by: elastic - description: This is a sample endpoint type exception list. 
- id: a79f4730-6e32-4278-abfc-349c0add7d54 - immutable: false - list_id: endpoint_list - name: Sample Endpoint Exception List - namespace_type: single - os_types: - - linux + items: + type: string + type: array + user: + additionalProperties: false + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: + items: + type: string + type: array + name: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + roles: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + 
items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + 
type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + 
properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + 
additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + host: + additionalProperties: false + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: + type: string + os: + additionalProperties: false + type: object + properties: + family: + type: string + full: + type: string + kernel: + type: string + name: + anyOf: + - type: string + - items: + type: string + type: array + platform: + type: string + type: + anyOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + additionalProperties: false + type: object + 
properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + type: + items: + type: string + type: array + labels: + additionalProperties: {} + type: object + properties: {} tags: - - malware - tie_breaker_id: 94a028af-8f47-427a-aca5-ffaf829e64ee - type: endpoint - updated_at: 2025-01-09T01:07:49.658Z - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: list_id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/exception_lists] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '409': - content: - application/json: - examples: - alreadyExists: - value: - message: 'exception 
list id: "simple_list" already exists' - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list already exists response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create an exception list - tags: - - Security Exceptions API - put: - description: Update an exception list using the `id` or `list_id` field. - operationId: UpdateExceptionList - requestBody: - content: - application/json: - examples: - fullReplace: - value: - description: Different description - list_id: simple_list - name: Updated exception list name - os_types: - - linux - tags: - - draft - - malware - type: detection - schema: - example: - description: Different description - list_id: simple_list - name: Updated exception list name - os_types: - - linux - tags: - - draft malware - type: detection - type: object - properties: - _version: - description: >- - The version id, normally returned by the API when the item - was retrieved. Use it ensure updates are done against the - latest version. 
- type: string - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - meta: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListMeta - name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListName - namespace_type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListTags - type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListType - version: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListVersion - required: - - name - - description - - type - description: Exception list's properties - required: true - responses: - '200': - content: - application/json: - examples: - simpleList: - value: - _version: WzExLDFd - created_at: 2025-01-07T20:43:55.264Z - created_by: elastic - description: Different description - id: fa7f545f-191b-4d32-b1f0-c7cd62a79e55 - immutable: false - list_id: simple_list - name: Updated exception list name - namespace_type: single - os_types: [] + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - 
high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: 
array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: 
string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + 
type: string + labels: + additionalProperties: {} + type: object + properties: {} + service: + additionalProperties: false + type: object + properties: + address: + type: string + environment: + type: string + ephemeral_id: + type: string + id: + type: string + name: + type: string + node: + additionalProperties: false + type: object + properties: + name: + type: string + role: + type: string + roles: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + state: + type: string + type: + type: string + version: + type: string tags: - - draft malware - tie_breaker_id: 319fe983-acdd-4806-b6c4-3098eae9392f - type: detection - updated_at: 2025-01-07T21:32:03.726Z - updated_by: elastic - version: 2 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: list_id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - 
content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [PUT /api/exception_lists] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message": 'exception list id: "foo" does not exist' - status_code": 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Update an exception list - tags: - - Security Exceptions API - /api/exception_lists/_duplicate: - post: - description: Duplicate an existing exception list. - operationId: DuplicateExceptionList - parameters: - - description: The `list_id` of the existing exception list to copy (source list). - in: query - name: list_id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: >- - Scope in which the source list is defined (`single` = current space, - `agnostic` = all spaces). - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: true - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - - description: >- - Determines whether to include expired exceptions in the duplicated - list. Expiration date defined by `expire_time`. 
- in: query - name: include_expired_exceptions - required: true - schema: - default: 'true' - enum: - - 'true' - - 'false' - example: true - type: string + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + cloud: + additionalProperties: false + type: object + properties: + account: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + availability_zone: + type: string + instance: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + machine: + additionalProperties: false + type: object + properties: + type: + type: string + project: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + provider: + type: string + region: + type: string + service: + additionalProperties: false + type: object + properties: + name: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: 
string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + 
user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + 
type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + 
additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + orchestrator: + additionalProperties: false + type: object + properties: + api_version: + type: string + cluster: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + url: + type: string + version: + type: string + namespace: + type: string + organization: + type: string + resource: + additionalProperties: false + type: object + properties: + annotation: + type: string + id: + type: string + ip: + type: string + label: + type: string + name: + type: string + parent: + additionalProperties: false + type: object + properties: + type: + type: string + type: + type: string + type: + type: string + tags: + items: + type: string + type: array 
responses: '200': content: application/json: examples: - detectionExceptionList: - value: - _version: WzExNDY1LDFd - created_at: 2025-01-09T16:19:50.280Z - created_by: elastic - description: This is a sample detection type exception - id: b2f4a715-6ab1-444c-8b1e-3fa1b1049429 - immutable: false - list_id: d6390d60-bce3-4a48-9002-52db600f329c - name: Sample Detection Exception List [Duplicate] - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: 6fa670bd-666d-4c9c-9f1e-d1dbc516e985 - type: detection - updated_at: 2025-01-09T16:19:50.280Z - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: >- - [request query]: namespace_type: Invalid enum value. - Expected 'agnostic' | 'single', received 'foo' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/exception_lists/_duplicate] is unauthorized - for user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - 
#/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'exception list id: "foo" does not exist' - status_code: 404 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Exception list not found - '405': - content: - application/json: - examples: - notAllowed: - value: - message: >- - Cannot duplicate: list is immutable or the operation is - not allowed in this state - status_code: 405 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list to duplicate not found response - '500': - content: - application/json: - examples: - serverError: + updateSuccessExample: + description: The entity record was successfully updated. + summary: Entity updated value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Duplicate an exception list - tags: - - Security Exceptions API - /api/exception_lists/_export: - post: - description: Export an exception list and its associated items to an NDJSON file. - operationId: ExportExceptionList - parameters: - - description: >- - Exception list's internal `id` (UUID) returned on create; use with - `list_id` and `namespace_type` for an unambiguous target. - in: query - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: >- - Human-readable `list_id` of the exception list to export, as shown - in the UI and API responses. - in: query - name: list_id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: > - `single` exports a list in the current Kibana space; `agnostic` - exports a global (space-agnostic) list. 
- examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: true - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - - description: >- - Determines whether to include expired exceptions in the exported - list. Expiration date defined by `expire_time`. - example: true - in: query - name: include_expired_exceptions - required: true - schema: - default: 'true' - enum: - - 'true' - - 'false' - type: string - responses: - '200': - content: - application/ndjson: - examples: - exportSavedObjectsResponse: - value: > - {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This - is a sample detection type - exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample - Detection Exception - List","namespace_type":"single","os_types":[],"tags":["user - added string for a - tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} - - {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This - is a sample endpoint type - exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some - host","another - host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample - Endpoint Exception - List","namespace_type":"single","os_types":["linux"],"tags":["user - added string for a - tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} - - 
{"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0} - schema: - description: >- - A `.ndjson` file containing specified exception list and its - items - format: binary - type: string - description: Successful response + ok: true + description: Indicates the entity was successfully updated. '400': content: application/json: examples: - badRequest: + protectedFieldsExample: + description: The request attempts to update protected fields without the force query parameter. + summary: Protected fields without force value: error: Bad Request - message: >- - [request query]: list_id: Required, namespace_type: - Required + message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type' statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/exception_lists/_export] is unauthorized - for user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - 
#/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response + description: Bad request. '404': content: application/json: examples: - notFound: - value: - message": 'exception list id: "foo" does not exist' - status_code": 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json: - examples: - serverError: + notFoundExample: + description: No entity with the specified identifier exists. + summary: Entity not found value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Export an exception list + error: Not Found + message: Entity ID 'user:jane.doe@example.com' not found + statusCode: 404 + description: Entity not found. + summary: Update an entity tags: - - Security Exceptions API - /api/exception_lists/_find: - get: - description: Get a list of all exception list containers. - operationId: FindExceptionLists - parameters: - - description: > - Filters the returned results according to the value of the specified - field. 
- - - Uses the `so type.field name:field` value syntax, where `so type` - can be: - + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entity":{"id":"user:jane.doe@example.com","name":"jane.doe","type":"user","attributes":{"managed":true,"mfa_enabled":true}},"user":{"name":"jane.doe"}}' \ + "${KIBANA_URL}/api/security/entity_store/entities/user?force=true" + - lang: Console + source: | + PUT kbn://api/security/entity_store/entities/user?force=true + { + "entity": { + "id": "user:jane.doe@example.com", + "name": "jane.doe", + "type": "user", + "attributes": { "managed": true, "mfa_enabled": true } + }, + "user": { "name": "jane.doe" } + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/entities/bulk: + put: + description: |- + **Spaces method and path for this operation:** - - `exception-list`: Specify a space-aware exception list. +
put /s/{space_id}/api/security/entity_store/entities/bulk
- - `exception-list-agnostic`: Specify an exception list that is - shared across spaces. - in: query - name: filter - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_FindExceptionListsFilter - - description: > - Determines whether the returned containers are Kibana associated - with a Kibana space + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - or available in all spaces (`agnostic` or `single`) - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false - schema: - default: - - single - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - type: array - - description: The page number to return - in: query - name: page - required: false - schema: - example: 1 - minimum: 1 - type: integer - - description: The number of exception lists to return per page - in: query - name: per_page - required: false - schema: - example: 20 - minimum: 1 - type: integer - - description: Determines which field is used to sort the results. - in: query - name: sort_field - required: false - schema: - example: name - type: string - - description: Determines the sort order, which can be `desc` or `asc`. - in: query - name: sort_order - required: false - schema: - enum: - - desc - - asc - example: desc - type: string - responses: - '200': - content: - application/json: - examples: - simpleLists: - value: - data: - - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. 
- id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Detection Exception List - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 - page: 1 - per_page: 20 - total: 1 - schema: - type: object - properties: - data: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionList - type: array - page: - minimum: 1 - type: integer - per_page: - minimum: 1 - type: integer - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET /api/exception_lists/_find?namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: >- - 
#/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get exception lists - tags: - - Security Exceptions API - /api/exception_lists/_import: - post: - description: Import an exception list and its associated items from an NDJSON file. - operationId: ImportExceptionList + Update multiple entity records in the Entity Store in a single request.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store-entities-bulk parameters: - - description: > - Determines whether existing exception lists with the same `list_id` - are overwritten. - - If any exception items have the same `item_id`, those are also - overwritten. - in: query - name: overwrite - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - default: false - example: false - type: boolean - - description: > - Determines whether the list being imported will have a new `list_id` - generated. - - Additional `item_id`'s are generated for each exception item. Both - the exception - - list and its items are overwritten. + example: 'true' + type: string + - description: When true, allows updating protected fields. in: query - name: as_new_list + name: force required: false schema: + anyOf: + - enum: + - 'true' + - 'false' + type: string + - type: boolean default: false - example: false - type: boolean requestBody: content: - multipart/form-data: + application/json: examples: - ndjsonUpload: + bulkUpdateExample: + description: Update a host entity and a user entity in a single request. 
+ summary: Bulk update multiple entities value: - file: exception_lists.ndjson + entities: + - doc: + entity: + attributes: + asset: true + id: host:web-server-prod-01 + name: web-server-prod-01 + type: host + host: + name: web-server-prod-01 + type: host + - doc: + entity: + attributes: + managed: true + id: user:jane.doe@example.com + name: jane.doe + type: user + user: + name: jane.doe + type: user schema: + additionalProperties: false type: object properties: - file: - description: A `.ndjson` file containing the exception list - example: > - {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This - is a sample detection type - exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample - Detection Exception - List","namespace_type":"single","os_types":[],"tags":["user - added string for a - tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} - - {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This - is a sample endpoint type - exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some - host","another - host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample - Endpoint Exception - List","namespace_type":"single","os_types":["linux"],"tags":["user - added string for a - tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} - format: binary - type: string - required: true - responses: - '200': - content: - application/json: - examples: - withErrors: - value: - errors: - - error: - message: >- - Error 
found importing exception list: Invalid value - \"4\" supplied to \"list_id\" - status_code: 400 - list_id: (unknown list_id) - - error: - message: >- - Found that item_id: - \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" already - exists. Import of item_id: - \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" skipped. - status_code: 409 - item_id: f7fd00bb-dba8-4c93-9d59-6cbd427b6330 - list_id: 7d7cccb8-db72-4667-b1f3-648efad7c1ee - success: false, - success_count: 0, - success_count_exception_list_items: 0 - success_count_exception_lists: 0, - success_exception_list_items: false, - success_exception_lists: false, - withoutErrors: - value: - errors: [] - success: true - success_count: 2 - success_count_exception_list_items: 1 - success_count_exception_lists: 1 - success_exception_list_items: true - success_exception_lists: true, - schema: - type: object - properties: - errors: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray - success: - type: boolean - success_count: - minimum: 0 - type: integer - success_count_exception_list_items: - minimum: 0 - type: integer - success_count_exception_lists: - minimum: 0 - type: integer - success_exception_list_items: - type: boolean - success_exception_lists: - type: boolean - required: - - errors - - success - - success_count - - success_exception_lists - - success_count_exception_lists - - success_exception_list_items - - success_count_exception_list_items - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: >- - Multipart part `file` is required and must contain a valid - .ndjson exception list export - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - 
value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + entities: + description: The entities to update. + items: + type: object + properties: + doc: + anyOf: + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + 
EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + 
type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array 
+ user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + 
type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + user: + additionalProperties: false + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: + items: + type: string + type: array + name: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + roles: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: 
object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: 
+ items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + 
properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + host: + additionalProperties: false + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: + type: string + os: + additionalProperties: false + type: object + properties: + family: + type: string + full: + type: string + kernel: + type: string + name: + anyOf: + - type: string + - items: + type: string + type: array + platform: + type: string + type: + anyOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + type: + items: + type: string + type: array + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - 
low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: 
array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: 
string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + 
type: string + labels: + additionalProperties: {} + type: object + properties: {} + service: + additionalProperties: false + type: object + properties: + address: + type: string + environment: + type: string + ephemeral_id: + type: string + id: + type: string + name: + type: string + node: + additionalProperties: false + type: object + properties: + name: + type: string + role: + type: string + roles: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + state: + type: string + type: + type: string + version: + type: string + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + cloud: + additionalProperties: false + type: object + properties: + account: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + availability_zone: + type: string + instance: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + machine: + additionalProperties: 
false + type: object + properties: + type: + type: string + project: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + provider: + type: string + region: + type: string + service: + additionalProperties: false + type: object + properties: + name: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: 
array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: 
string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + 
type: string + labels: + additionalProperties: {} + type: object + properties: {} + orchestrator: + additionalProperties: false + type: object + properties: + api_version: + type: string + cluster: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + url: + type: string + version: + type: string + namespace: + type: string + organization: + type: string + resource: + additionalProperties: false + type: object + properties: + annotation: + type: string + id: + type: string + ip: + type: string + label: + type: string + name: + type: string + parent: + additionalProperties: false + type: object + properties: + type: + type: string + type: + type: string + type: + type: string + tags: + items: + type: string + type: array + type: + description: The entity type of this record. + enum: + - user + - host + - service + - generic + type: string + required: + - type + - doc + type: array + required: + - entities + responses: + '200': content: application/json: examples: - forbidden: + bulkUpdatePartialExample: + description: Some entities were updated but others encountered Elasticsearch-level errors. + summary: Partial success with errors value: - error: Forbidden - message: >- - API [POST /api/exception_lists/_import] is unauthorized - for user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '500': + errors: + - _id: 5de9f93a68a72532e736bf5a6184b06300b9cabf + reason: '[5de9f93a68a72532e736bf5a6184b06300b9cabf]: document missing' + status: 404 + type: document_missing_exception + ok: true + bulkUpdateSuccessExample: + description: All entities were successfully updated with no errors. + summary: All entities updated + value: + errors: [] + ok: true + description: Indicates a successful response. 
+ '400': content: application/json: examples: - serverError: + protectedFieldsExample: + description: The request attempts to update protected fields without the force query parameter. + summary: Protected fields without force value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Import an exception list + error: Bad Request + message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type' + statusCode: 400 + description: Bad request. + summary: Bulk update entities tags: - - Security Exceptions API - /api/exception_lists/items: - delete: - description: Delete an exception list item using the `id` or `item_id` field. - operationId: DeleteExceptionListItem + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entities":[{"type":"host","doc":{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","attributes":{"asset":true}},"host":{"name":"web-server-prod-01"}}}]}' \ + "${KIBANA_URL}/api/security/entity_store/entities/bulk?force=true" + - lang: Console + source: | + PUT kbn://api/security/entity_store/entities/bulk?force=true + { + "entities": [ + { + "type": "host", + "doc": { + "entity": { + "id": "host:web-server-prod-01", + "name": "web-server-prod-01", + "type": "host", + "attributes": { "asset": true } + }, + "host": { "name": "web-server-prod-01" } + } + } + ] + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/install: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security/entity_store/install
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install the Entity Store, creating engines for the specified entity types and configuring log extraction.

[Required authorization] Route required privileges: securitySolution. + operationId: post-security-entity-store-install parameters: - - description: >- - Exception item's identifier. Either `id` or `item_id` must be - specified - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - - description: >- - Human readable exception item string identifier, e.g. - `trusted-linux-processes`. Either `id` or `item_id` must be - specified - in: query - name: item_id - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - - description: > - `single` deletes the item in the current Kibana space; `agnostic` - deletes an item in a space-agnostic list. Must match the list that - owns the item. - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + installDefaultExample: + description: Install the Entity Store for all entity types with default log extraction settings. + summary: Install with default entity types + value: + entityTypes: + - user + - host + - service + - generic + logExtraction: {} + installWithCustomSettingsExample: + description: Install the Entity Store for host entities only with a custom lookback period and field history length. 
+ summary: Install with custom log extraction + value: + entityTypes: + - host + logExtraction: + delay: 2m + fieldHistoryLength: 20 + filter: 'host.os.type: linux' + frequency: 5m + lookbackPeriod: 12h + schema: + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + items: + enum: + - user + - host + - service + - generic + type: string + type: array + historySnapshot: + additionalProperties: false + type: object + properties: + frequency: + default: 24h + pattern: '[smdh]$' + type: string + logExtraction: + additionalProperties: false + type: object + properties: + additionalIndexPatterns: + default: [] + items: + type: string + type: array + delay: + default: 1m + pattern: '[smdh]$' + type: string + docsLimit: + default: 10000 + maximum: 9007199254740991 + minimum: 1 + type: integer + fieldHistoryLength: + default: 10 + maximum: 9007199254740991 + minimum: -9007199254740991 + type: integer + filter: + default: '' + type: string + frequency: + default: 30s + pattern: '[smdh]$' + type: string + lookbackPeriod: + default: 3h + pattern: '[smdh]$' + type: string + maxLogsPerPage: + default: 40000 + maximum: 9007199254740991 + minimum: 1 + type: integer responses: '200': content: application/json: examples: - simpleExceptionItem: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: + alreadyInstalledExample: + description: All requested entity types were already installed. + summary: Already installed value: - error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': + ok: true + description: Indicates all requested entity types are already installed. + '201': content: application/json: examples: - unauthorized: + installSuccessExample: + description: The Entity Store was installed and engines are being created. 
+ summary: Entity Store installed value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response + ok: true + description: Indicates the Entity Store was successfully installed. '403': content: application/json: examples: - forbidden: + forbiddenExample: + description: The user does not have the required Elasticsearch privileges. + summary: Insufficient privileges value: error: Forbidden - message: >- - API [DELETE - /api/exception_lists/items?item_id=simple_list&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-all] + message: User 'analyst' has insufficient privileges statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'exception list item item_id: \"foo\" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Delete an exception list item + description: Insufficient privileges. 
+ summary: Install the Entity Store tags: - - Security Exceptions API + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityTypes":["user","host","service","generic"],"logExtraction":{}}' \ + "${KIBANA_URL}/api/security/entity_store/install" + - lang: Console + source: | + POST kbn://api/security/entity_store/install + { + "entityTypes": ["user", "host", "service", "generic"], + "logExtraction": {} + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/resolution/group: get: - description: >- - Get the details of an exception list item using the `id` or `item_id` - field. - operationId: ReadExceptionListItem - parameters: - - description: >- - Exception list item's identifier. Either `id` or `item_id` must be - specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - - description: >- - Human readable exception item string identifier, e.g. - `trusted-linux-processes`. Either `id` or `item_id` must be - specified. - in: query - name: item_id - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - - description: > - `single` fetches the item in the current space; `agnostic` fetches a - global (space-agnostic) item. Must + description: |- + **Spaces method and path for this operation:** - match how the list was created. - examples: - agnostic: - value: agnostic - single: - value: single +
get /s/{space_id}/api/security/entity_store/resolution/group
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the resolution group for a given entity, returning all linked entities. Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. + operationId: get-security-entity-store-resolution-group + parameters: + - description: The entity identifier to look up the resolution group for. in: query - name: namespace_type - required: false + name: entity_id + required: true schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single + type: string responses: '200': content: application/json: examples: - simpleListItem: + resolutionGroupExample: + description: Returns the resolution group for an entity, including the target entity, all aliases, and the group size. + summary: Resolution group with linked entities value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response + aliases: + - '@timestamp': '2026-04-10T08:25:00.000Z' + entity: + id: user:jdoe@example.com + name: jdoe + relationships: + resolution: + resolved_to: user:jane.doe@example.com + type: user + user: + name: jdoe + group_size: 2 + target: + '@timestamp': '2026-04-10T08:30:00.000Z' + entity: + id: user:jane.doe@example.com + name: jane.doe + type: user + user: + email: + - jane.doe@example.com + name: jane.doe + description: Indicates a successful response. 
'400': content: application/json: examples: - badRequest: + truncatedSearchExample: + description: The resolution search returned too many results and was truncated. + summary: Search results truncated value: error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' + message: Resolution search truncated statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET - /api/exception_lists/items?item_id=&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response + description: Bad request. 
'404': content: application/json: examples: - notFound: - value: - message: 'exception list item item_id: \"foo\" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json: - examples: - serverError: + notFoundExample: + description: The specified entity does not exist or has no resolution group. + summary: Entity not found value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get an exception list item + error: Not Found + message: 'Entities not found: [user:nonexistent@example.com]' + statusCode: 404 + description: Entity not found. + summary: Get resolution group tags: - - Security Exceptions API + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ + "${KIBANA_URL}/api/security/entity_store/resolution/group?entity_id=user%3Ajane.doe%40example.com" + - lang: Console + source: | + GET kbn://api/security/entity_store/resolution/group?entity_id=user:jane.doe@example.com + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/resolution/link: post: - description: > - Create an exception item and associate it with the specified exception - list. + description: |- + **Spaces method and path for this operation:** - > info +
post /s/{space_id}/api/security/entity_store/resolution/link
- > Before creating exception items, you must create an exception list. - operationId: CreateExceptionListItem + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Link one or more entities to a target entity, creating a resolution group. Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. + operationId: post-security-entity-store-resolution-link + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - simpleItem: + linkEntitiesExample: + description: Link two user entities to a target entity, creating a resolution group. + summary: Link entities to a target value: - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - type: simple + entity_ids: + - user:jdoe@example.com + - user:j.doe@example.com + target_id: user:jane.doe@example.com schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemGeneric - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemEndpointList - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemEventFilters - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemHostIsolation - - $ref: >- 
- #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistLinux - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistMac - description: Exception list item's properties - required: true + additionalProperties: false + type: object + properties: + entity_ids: + description: Entity identifiers to link to the target entity. Minimum 1, maximum 1000. + items: + type: string + maxItems: 1000 + minItems: 1 + type: array + target_id: + description: The entity identifier to resolve the linked entities to. + type: string + required: + - target_id + - entity_ids responses: '200': content: - application/json: - examples: - autogeneratedItemId: - value: - _version: WzYsMV0= - comments: [] - created_at: 2025-01-09T01:16:23.322Z - created_by: elastic - description: >- - This is a sample exception that has no item_id so it is - autogenerated. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - id: 323faa75-c657-4fa0-9084-8827612c207b - item_id: 80e6edf7-4b13-4414-858f-2fa74aa52b37 - list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 - name: Sample Autogenerated Exception List Item ID - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: d6799986-3a23-4213-bc6d-ed9463a32f23 - type: simple - updated_at: 2025-01-09T01:16:23.322Z - updated_by: elastic - detectionExceptionListItem: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withExistEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withMatchAnyEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withMatchEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: included - type: match - value: Elastic N.V. 
- id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withNestedEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - entries: - - field: signer - operator: included - type: match - value: Evil - - field: trusted - operator: included - type: match - value: true - field: file.signature - type: nested - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withValueListEntry: - value: - _version: WzcsMV0= - comments: [] - created_at: 2025-01-09T01:31:12.614Z - created_by: elastic - description: >- - Don't signal when agent.name is rock01 and source.ip is in - the goodguys.txt list - entries: - - field: source.ip - list: - id: goodguys.txt - type: ip - operator: excluded - type: list - id: deb26876-297d-4677-8a1f-35467d2f1c4f - item_id: 686b129e-9b8d-4c59-8d8d-c93a9ea82c71 - list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 - name: Filter out good guys ip and agent.name rock01 - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: 5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8 - type: simple - updated_at: 2025-01-09T01:31:12.614Z - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request, - message: '[request 
body]: list_id: Expected string, received number' - statusCode: 400, - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/exception_lists/items] is unauthorized for - user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '409': + application/json: + examples: + linkSuccessExample: + description: The entities were successfully linked to the target entity. + summary: Entities linked + value: + linked: + - user:jdoe@example.com + - user:j.doe@example.com + skipped: [] + target_id: user:jane.doe@example.com + description: Indicates a successful response. + '400': content: application/json: examples: - alreadyExists: + mixedTypesExample: + description: All entities in a resolution group must be of the same type. 
+ summary: Mixed entity types value: - message: >- - exception list item id: \"simple_list_item\" already - exists - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item already exists response - '500': + error: Bad Request + message: Cannot link entities of different types + statusCode: 400 + selfLinkExample: + description: Cannot link an entity to itself. + summary: Self-link error + value: + error: Bad Request + message: Cannot link entity 'user:jane.doe@example.com' to itself. + statusCode: 400 + description: Bad request. + '404': content: application/json: examples: - serverError: + notFoundExample: + description: One or more of the specified entity identifiers were not found. + summary: Entities not found value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create an exception list item + error: Not Found + message: 'Entities not found: [user:nonexistent@example.com, user:also-nonexistent@example.com]' + statusCode: 404 + description: Entities not found. + summary: Link entities tags: - - Security Exceptions API - put: - description: Update an exception list item using the `id` or `item_id` field. 
- operationId: UpdateExceptionListItem + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"target_id":"user:jane.doe@example.com","entity_ids":["user:jdoe@example.com"]}' \ + "${KIBANA_URL}/api/security/entity_store/resolution/link" + - lang: Console + source: | + POST kbn://api/security/entity_store/resolution/link + { + "target_id": "user:jane.doe@example.com", + "entity_ids": ["user:jdoe@example.com"] + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/resolution/unlink: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security/entity_store/resolution/unlink
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Remove one or more entities from their resolution group. Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. + operationId: post-security-entity-store-resolution-unlink + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - updateItem: + unlinkEntitiesExample: + description: Remove entities from their resolution group, restoring them as standalone entities. + summary: Unlink entities from their resolution group value: - description: Updated description - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - name: Updated name - namespace_type: single - type: simple + entity_ids: + - user:jdoe@example.com + - user:j.doe@example.com schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemGeneric - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEndpointList - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEventFilters - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemHostIsolation - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows - - $ref: >- - 
#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistMac - description: Exception list item's properties - required: true + additionalProperties: false + type: object + properties: + entity_ids: + description: Entity identifiers to unlink from their resolution group. Minimum 1, maximum 1000. + items: + type: string + maxItems: 1000 + minItems: 1 + type: array + required: + - entity_ids responses: '200': content: application/json: examples: - simpleListItem: + unlinkSuccessExample: + description: The entities were successfully removed from their resolution group. + summary: Entities unlinked value: - _version: WzEyLDFd - comments: [] - created_at: 2025-01-07T21:12:25.512Z - created_by: elastic - description: Updated description - entries: - - field: host.name - operator: included - type: match - value: rock01 - id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da - item_id: simple_list_item - list_id: simple_list - name: Updated name - namespace_type: single - os_types: [] - tags: [] - tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 - type: simple - updated_at: 2025-01-07T21:34:50.233Z - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response - '400': + skipped: [] + unlinked: + - user:jdoe@example.com + - user:j.doe@example.com + description: Indicates a successful response. + '404': content: application/json: examples: - badRequest: + notFoundExample: + description: One or more of the specified entity identifiers were not found. 
+ summary: Entities not found value: - error: Bad Request - message: '[request body]: item_id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': + error: Not Found + message: 'Entities not found: [user:nonexistent@example.com]' + statusCode: 404 + description: Entities not found. + summary: Unlink entities + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entity_ids":["user:jdoe@example.com"]}' \ + "${KIBANA_URL}/api/security/entity_store/resolution/unlink" + - lang: Console + source: | + POST kbn://api/security/entity_store/resolution/unlink + { + "entity_ids": ["user:jdoe@example.com"] + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/start: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security/entity_store/start
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Start previously stopped entity engines, resuming data processing for the specified entity types.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store-start + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + startAllExample: + description: Start all stopped entity engines. + summary: Start all entity engines + value: + entityTypes: + - user + - host + - service + - generic + startSingleExample: + description: Start only the host entity engine. + summary: Start a single entity engine + value: + entityTypes: + - host + schema: + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + description: Entity types to start. Defaults to all installed types. + items: + enum: + - user + - host + - service + - generic + type: string + type: array + responses: + '200': content: application/json: examples: - unauthorized: + startSuccessExample: + description: The specified entity engines were successfully started. + summary: Engines started value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + ok: true + description: Indicates a successful response. 
+ summary: Start Entity Store engines + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityTypes":["user","host","service","generic"]}' \ + "${KIBANA_URL}/api/security/entity_store/start" + - lang: Console + source: | + PUT kbn://api/security/entity_store/start + { + "entityTypes": ["user", "host", "service", "generic"] + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security/entity_store/status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the overall Entity Store status and per-engine statuses, optionally including component-level health details.

[Required authorization] Route required privileges: securitySolution. + operationId: get-security-entity-store-status + parameters: + - description: If true, returns a detailed status of each engine including all its components. + in: query + name: include_components + required: false + schema: + anyOf: + - enum: + - 'true' + - 'false' + type: string + - type: boolean + default: false + responses: + '200': content: application/json: examples: - forbidden: + notInstalledExample: + description: The Entity Store has not been installed. + summary: Entity Store not installed value: - error: Forbidden - message: >- - API [PUT /api/exception_lists/items] is unauthorized for - user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + engines: [] + status: not_installed + runningStatusExample: + description: The Entity Store is running with two started engines using default settings. + summary: Entity Store running + value: + engines: + - delay: 1m + docsPerSecond: -1 + enrichPolicyExecutionInterval: null + fieldHistoryLength: 10 + filter: '' + frequency: 30s + indexPattern: '' + lastExecutionTimestamp: '2026-04-10T08:30:00.000Z' + lookbackPeriod: 3h + maxPageSearchSize: 10000 + status: started + timeout: 25s + timestampField: '@timestamp' + type: host + - delay: 1m + docsPerSecond: -1 + enrichPolicyExecutionInterval: null + fieldHistoryLength: 10 + filter: '' + frequency: 30s + indexPattern: '' + lastExecutionTimestamp: '2026-04-10T08:30:00.000Z' + lookbackPeriod: 3h + maxPageSearchSize: 10000 + status: started + timeout: 25s + timestampField: '@timestamp' + type: user + status: running + description: Indicates a successful response. 
+ summary: Get Entity Store status + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ + "${KIBANA_URL}/api/security/entity_store/status?include_components=false" + - lang: Console + source: | + GET kbn://api/security/entity_store/status?include_components=false + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/stop: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security/entity_store/stop
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Stop running entity engines, pausing data processing for the specified entity types.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store-stop + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + stopAllExample: + description: Stop all running entity engines. + summary: Stop all entity engines + value: + entityTypes: + - user + - host + - service + - generic + schema: + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + description: Entity types to stop. Defaults to all running types. + items: + enum: + - user + - host + - service + - generic + type: string + type: array + responses: + '200': content: application/json: examples: - notFound: + stopSuccessExample: + description: The specified entity engines were successfully stopped. + summary: Engines stopped value: - message: 'exception list item item_id: \"foo\" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': + ok: true + description: Indicates a successful response. + summary: Stop Entity Store engines + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityTypes":["user","host","service","generic"]}' \ + "${KIBANA_URL}/api/security/entity_store/stop" + - lang: Console + source: | + PUT kbn://api/security/entity_store/stop + { + "entityTypes": ["user", "host", "service", "generic"] + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/uninstall: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security/entity_store/uninstall
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uninstall the Entity Store, removing engines and associated resources for the specified entity types.

[Required authorization] Route required privileges: securitySolution. + operationId: post-security-entity-store-uninstall + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + uninstallAllExample: + description: Uninstall all entity engines from the Entity Store. + summary: Uninstall all entity types + value: + entityTypes: + - user + - host + - service + - generic + uninstallSingleExample: + description: Uninstall only the host engine from the Entity Store. + summary: Uninstall a single entity type + value: + entityTypes: + - host + schema: + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + description: Entity types to uninstall. Defaults to all installed types. + items: + enum: + - user + - host + - service + - generic + type: string + type: array + responses: + '200': content: application/json: examples: - serverError: + uninstallSuccessExample: + description: The specified entity engines were successfully uninstalled. + summary: Entity Store uninstalled value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Update an exception list item + ok: true + description: Indicates a successful response. 
+ summary: Uninstall the Entity Store tags: - - Security Exceptions API - /api/exception_lists/items/_find: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityTypes":["user","host","service","generic"]}' \ + "${KIBANA_URL}/api/security/entity_store/uninstall" + - lang: Console + source: | + POST kbn://api/security/entity_store/uninstall + { + "entityTypes": ["user", "host", "service", "generic"] + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/role: get: - description: Get a list of all exception list items in the specified list. - operationId: FindExceptionListItems + operationId: get-security-role parameters: - - description: The `list_id`s of the items to fetch. + - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges. in: query - name: list_id + name: replaceDeprecatedPrivileges + required: false + schema: + type: boolean + responses: + '200': + description: Indicates a successful call. + summary: Get all roles + tags: + - roles + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/role/_query: + post: + operationId: post-security-role-query + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - type: array - - description: > - Filters the returned results according to the value of the specified - field, - - using the `:` syntax. 
- examples: - singleFilter: - value: - - exception-list.attributes.name:%My%20item - in: query - name: filter - required: false + example: 'true' + type: string + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + filters: + additionalProperties: false + type: object + properties: + showReservedRoles: + type: boolean + from: + type: number + query: + type: string + size: + type: number + sort: + additionalProperties: false + type: object + properties: + direction: + enum: + - asc + - desc + type: string + field: + type: string + required: + - field + - direction + responses: + '200': + description: Indicates a successful call. + summary: Query roles + tags: [] + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/role/{name}: + delete: + operationId: delete-security-role-name + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - default: [] - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_FindExceptionListItemsFilter - type: array - - description: > - Determines whether the returned containers are Kibana associated - with a Kibana space - - or available in all spaces (`agnostic` or `single`) - examples: - single: - value: - - single - in: query - name: namespace_type - required: false + example: 'true' + type: string + - in: path + name: name + required: true schema: - default: - - single - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - type: array - - description: > - Free-text search term applied to exception list item fields (for - example a hostname or file path fragment). - in: query - name: search - required: false + minLength: 1 + type: string + responses: + '204': + description: Indicates a successful call. 
+ summary: Delete a role + tags: + - roles + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + operationId: get-security-role-name + parameters: + - description: The role name. + in: path + name: name + required: true schema: - example: host.name + minLength: 1 type: string - - description: The page number to return + - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges. in: query - name: page + name: replaceDeprecatedPrivileges required: false schema: - example: 1 - minimum: 0 - type: integer - - description: The number of exception list items to return per page - in: query - name: per_page - required: false + type: boolean + responses: + '200': + description: Indicates a successful call. + summary: Get a role + tags: + - roles + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: Create a new Kibana role or update the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm. + operationId: put-security-role-name + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - example: 20 - minimum: 0 - type: integer - - description: Determines which field is used to sort the results. - example: name - in: query - name: sort_field - required: false + example: 'true' + type: string + - description: The role name. + in: path + name: name + required: true schema: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - - description: Determines the sort order, which can be `desc` or `asc`. + maxLength: 1024 + minLength: 1 + type: string + - description: When true, a role is not overwritten if it already exists. 
in: query - name: sort_order + name: createOnly required: false schema: - enum: - - desc - - asc - example: desc + default: false + type: boolean + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + description: + description: A description for the role. + maxLength: 2048 + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + cluster: + items: + description: Cluster privileges that define the cluster level actions that users can perform. + type: string + maxItems: 100 + type: array + indices: + items: + additionalProperties: false + type: object + properties: + allow_restricted_indices: + description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too. + type: boolean + field_security: + additionalProperties: + items: + description: The document fields that the role members have read access to. + type: string + maxItems: 1000 + type: array + type: object + names: + items: + description: The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*). + type: string + maxItems: 100 + minItems: 1 + type: array + privileges: + items: + description: The index level privileges that the role members have for the data streams and indices. 
+ type: string + maxItems: 100 + minItems: 1 + type: array + query: + description: A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. + type: string + required: + - names + - privileges + maxItems: 1000 + type: array + remote_cluster: + items: + additionalProperties: false + type: object + properties: + clusters: + items: + description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. + type: string + maxItems: 100 + minItems: 1 + type: array + privileges: + items: + description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges. + type: string + maxItems: 100 + minItems: 1 + type: array + required: + - privileges + - clusters + maxItems: 100 + type: array + remote_indices: + items: + additionalProperties: false + type: object + properties: + allow_restricted_indices: + description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too. + type: boolean + clusters: + items: + description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. 
+ type: string + maxItems: 100 + minItems: 1 + type: array + field_security: + additionalProperties: + items: + description: The document fields that the role members have read access to. + type: string + maxItems: 1000 + type: array + type: object + names: + items: + description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*). + type: string + maxItems: 100 + minItems: 1 + type: array + privileges: + items: + description: The index level privileges that role members have for the specified indices. + type: string + maxItems: 100 + minItems: 1 + type: array + query: + description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. ' + type: string + required: + - clusters + - names + - privileges + maxItems: 1000 + type: array + run_as: + items: + description: A user name that the role member can impersonate. + type: string + maxItems: 100 + type: array + kibana: + items: + additionalProperties: false + type: object + properties: + base: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + nullable: true + oneOf: + - items: + description: A base privilege that grants applies to all spaces. + type: string + maxItems: 50 + type: array + - items: + description: A base privilege that applies to specific spaces. + type: string + maxItems: 50 + type: array + feature: + additionalProperties: + items: + description: The privileges that the role member has for the feature. + type: string + maxItems: 100 + type: array + type: object + spaces: + anyOf: + - items: + enum: + - '*' + type: string + maxItems: 1 + minItems: 1 + type: array + - items: + description: A space that the privilege applies to. 
+ type: string + maxItems: 1000 + type: array + default: + - '*' + required: + - base + type: array + metadata: + additionalProperties: + nullable: true + type: object + required: + - elasticsearch + responses: + '204': + description: Indicates a successful call. + summary: Create or update a role + tags: + - roles + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/roles: + post: + operationId: post-security-roles + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' type: string + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + roles: + additionalProperties: + additionalProperties: false + type: object + properties: + description: + description: A description for the role. + maxLength: 2048 + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + cluster: + items: + description: Cluster privileges that define the cluster level actions that users can perform. + type: string + maxItems: 100 + type: array + indices: + items: + additionalProperties: false + type: object + properties: + allow_restricted_indices: + description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too. 
+ type: boolean + field_security: + additionalProperties: + items: + description: The document fields that the role members have read access to. + type: string + maxItems: 1000 + type: array + type: object + names: + items: + description: The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*). + type: string + maxItems: 100 + minItems: 1 + type: array + privileges: + items: + description: The index level privileges that the role members have for the data streams and indices. + type: string + maxItems: 100 + minItems: 1 + type: array + query: + description: A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. + type: string + required: + - names + - privileges + maxItems: 1000 + type: array + remote_cluster: + items: + additionalProperties: false + type: object + properties: + clusters: + items: + description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. + type: string + maxItems: 100 + minItems: 1 + type: array + privileges: + items: + description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges. + type: string + maxItems: 100 + minItems: 1 + type: array + required: + - privileges + - clusters + maxItems: 100 + type: array + remote_indices: + items: + additionalProperties: false + type: object + properties: + allow_restricted_indices: + description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. 
Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too. + type: boolean + clusters: + items: + description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. + type: string + maxItems: 100 + minItems: 1 + type: array + field_security: + additionalProperties: + items: + description: The document fields that the role members have read access to. + type: string + maxItems: 1000 + type: array + type: object + names: + items: + description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*). + type: string + maxItems: 100 + minItems: 1 + type: array + privileges: + items: + description: The index level privileges that role members have for the specified indices. + type: string + maxItems: 100 + minItems: 1 + type: array + query: + description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. ' + type: string + required: + - clusters + - names + - privileges + maxItems: 1000 + type: array + run_as: + items: + description: A user name that the role member can impersonate. + type: string + maxItems: 100 + type: array + kibana: + items: + additionalProperties: false + type: object + properties: + base: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + nullable: true + oneOf: + - items: + description: A base privilege that grants applies to all spaces. 
+ type: string + maxItems: 50 + type: array + - items: + description: A base privilege that applies to specific spaces. + type: string + maxItems: 50 + type: array + feature: + additionalProperties: + items: + description: The privileges that the role member has for the feature. + type: string + maxItems: 100 + type: array + type: object + spaces: + anyOf: + - items: + enum: + - '*' + type: string + maxItems: 1 + minItems: 1 + type: array + - items: + description: A space that the privilege applies to. + type: string + maxItems: 1000 + type: array + default: + - '*' + required: + - base + type: array + metadata: + additionalProperties: + nullable: true + type: object + required: + - elasticsearch + type: object + required: + - roles responses: '200': - content: - application/json: - examples: - simpleListItems: - value: - data: - - _version: WzgsMV0= - comments: [] - created_at: 2025-01-07T21:12:25.512Z - created_by: elastic - description: This is a sample exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - jupiter - - saturn - id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 - type: simple - updated_at: 2025-01-07T21:12:25.512Z - updated_by: elastic - page: 1 - per_page: 20 - total: 1 - schema: - type: object - properties: - data: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItem - type: array - page: - minimum: 1 - type: integer - per_page: - minimum: 1 - type: integer - pit: - type: string - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - 
message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET - /api/exception_lists/items/_find?list_id=simple_list&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'exception list list_id: "foo" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get exception list items + description: Indicates a successful call. 
+ summary: Create or update roles tags: - - Security Exceptions API - /api/exception_lists/summary: + - roles + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/spaces/space: get: - description: Get a summary of the specified exception list. - operationId: ReadExceptionListSummary + description: Retrieve all available Kibana spaces. The list includes only the spaces that the user is authorized to access. + operationId: get-spaces-space parameters: - - description: Exception list's identifier generated upon creation. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: Exception list's human readable identifier. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: > - `single` returns summary for a list in the current space; `agnostic` - for a space-agnostic list. Must - - line up with `id` / `list_id` used to look up the list. - examples: - agnostic: - value: agnostic - single: - value: single + - description: Specifies which authorization checks are applied to the API call. The default value is `any`. in: query - name: namespace_type + name: purpose required: false schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - - description: Search filter clause + enum: + - any + - copySavedObjectsIntoSpace + - shareSavedObjectsIntoSpace + type: string + - description: When enabled, the API returns any spaces the user is authorized to access in any capacity, each including the purposes for which the user is authorized. This is useful for identifying spaces the user can read but is not authorized for a given purpose. Without the security plugin, this parameter has no effect, because no authorization checks are performed. This parameter cannot be used together with the `purpose` parameter. 
in: query - name: filter + name: include_authorized_purposes required: false schema: - example: >- - exception-list-agnostic.attributes.tags:"policy:policy-1" OR - exception-list-agnostic.attributes.tags:"policy:all" - type: string + type: boolean responses: '200': + description: Indicates a successful call. content: application/json: examples: - summary: - value: - linux: 0 - macos: 0 - total: 0 - windows: 0 - schema: - type: object - properties: - linux: - minimum: 0 - type: integer - macos: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer - windows: - minimum: 0 - type: integer - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET - /api/exception_lists/summary?list_id=simple_list&namespace_type=agnostic] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-summary] - statusCode: 403 - schema: - $ref: >- - 
#/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message": 'exception list id: "foo" does not exist' - status_code": 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get an exception list summary + getSpacesResponseExample1: + $ref: '#/components/examples/get_spaces_response1' + getSpacesResponseExample2: + $ref: '#/components/examples/get_spaces_response2' + summary: Get all spaces tags: - - Security Exceptions API - /api/exceptions/shared: + - spaces + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: > - An exception list groups exception items and can be associated with - detection rules. A shared exception list can apply to multiple detection - rules. - - > info - - > All exception items added to the same list are evaluated using `OR` - logic. That is, if any of the items in a list evaluate to `true`, the - exception prevents the rule from generating an alert. Likewise, `OR` - logic is used for evaluating exceptions when more than one exception - list is assigned to a rule. To use the `AND` operator, you can define - multiple clauses (`entries`) in a single exception item. - operationId: CreateSharedExceptionList + description: Create a new Kibana space. 
+ operationId: post-spaces-space + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: schema: - example: - description: This is a sample detection type exception list. - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware + additionalProperties: false type: object properties: + _reserved: + type: boolean + color: + description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. + type: string description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription + description: A description for the space. + type: string + disabledFeatures: + default: [] + items: + description: The list of features that are turned off in the space. + type: string + maxItems: 100 + type: array + id: + description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. + type: string + imageUrl: + description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. + type: string + initials: + description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. + maxLength: 2 + type: string name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListName + description: 'The display name for the space. 
' + minLength: 1 + type: string + projectRouting: + description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. + type: string required: + - id - name - - description - required: true + examples: + createSpaceRequest: + $ref: '#/components/examples/create_space_request' responses: '200': content: application/json: - examples: - sharedList: - value: - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. - id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: list_id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - 
content: - application/json: - examples: - forbidden: - value: - message: Unable to create exception-list - status_code: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '409': - content: - application/json: - examples: - alreadyExists: - value: - message: 'exception list id: "simple_list" already exists' - status_code: 409 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list already exists response - '500': - content: - application/json: + additionalProperties: false + type: object + properties: + _reserved: + type: boolean + color: + description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. + type: string + description: + description: A description for the space. + type: string + disabledFeatures: + default: [] + items: + description: The list of features that are turned off in the space. + type: string + maxItems: 100 + type: array + id: + description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. + type: string + imageUrl: + description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. + type: string + initials: + description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. + maxLength: 2 + type: string + name: + description: 'The display name for the space. 
' + minLength: 1 + type: string + projectRouting: + description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. + type: string + required: + - id + - name examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create a shared exception list + createSpaceResponseExample: + $ref: '#/components/examples/get_space_response' + description: Indicates a successful call. + summary: Create a space tags: - - Security Exceptions API - /api/lists: + - spaces + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/spaces/space/{id}: delete: - description: | - Delete a value list using the list ID. - > info - > When you delete a list, all of its list items are also deleted. - operationId: DeleteList + description: When you delete a space, all saved objects that belong to the space are automatically deleted, which is permanent and cannot be undone. + operationId: delete-spaces-space-id parameters: - - description: Value list identifier to delete, including all of its list items. - in: query - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: >- - Determines whether exception items referencing this value list - should be deleted. - in: query - name: deleteReferences - required: false + example: 'true' + type: string + - description: The space identifier. + in: path + name: id + required: true schema: - default: false - example: false - type: boolean - - description: >- - Determines whether to delete value list without performing any - additional checks of where this list may be utilized. 
- in: query - name: ignoreReferences - required: false + type: string + responses: + '204': + description: Indicates a successful call. + '404': + description: Indicates that the request failed. + summary: Delete a space + tags: + - spaces + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: Retrieve a single Kibana space by its identifier. + operationId: get-spaces-space-id + parameters: + - description: The space identifier. + in: path + name: id + required: true schema: - default: false - example: false - type: boolean + type: string responses: '200': + description: Indicates a successful call. content: application/json: examples: - ipList: - value: - _version: WzIsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: List of bad internet ips. - id: 21b01cfb-058d-44b9-838c-282be16c91cd - immutable: false - name: Bad ips - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T05:39:39.292Z - updated_by: elastic - version: 3 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: id: Required' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: 
'#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [DELETE /api/lists?id=ip_list] is unauthorized for - user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list id: \"ip_list\" was not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Delete a value list + getSpaceResponseExample: + $ref: '#/components/examples/get_space_response' + summary: Get a space + tags: + - spaces + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: Update an existing Kibana space. + operationId: put-spaces-space-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The space identifier. You are unable to change the ID with the update operation. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + _reserved: + type: boolean + color: + description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. 
+ type: string + description: + description: A description for the space. + type: string + disabledFeatures: + default: [] + items: + description: The list of features that are turned off in the space. + type: string + maxItems: 100 + type: array + id: + description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. + type: string + imageUrl: + description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. + type: string + initials: + description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. + maxLength: 2 + type: string + name: + description: 'The display name for the space. ' + minLength: 1 + type: string + projectRouting: + description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. + type: string + required: + - id + - name + examples: + updateSpaceRequest: + $ref: '#/components/examples/update_space_request' + responses: + '200': + description: Indicates a successful call. + summary: Update a space tags: - - Security Lists API + - spaces + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/status: get: - description: Get the details of a value list using the list ID. - operationId: ReadList + operationId: get-status parameters: - - description: Value list identifier (`id`) returned when the list was created. 
+ - description: Set to "true" to get the response in v7 format. in: query - name: id - required: true + name: v7format + required: false schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' + type: boolean + - description: Set to "true" to get the response in v8 format. + in: query + name: v8format + required: false + schema: + type: boolean responses: '200': content: application/json: - examples: - ip: - value: - _version: WzEsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ip - id: ip_list - immutable: false - name: My bad ips - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T05:21:53.843Z - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: id: Required' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse' + description: Kibana's operational status. 
A minimal response is sent for unauthorized users. + description: Overall status is OK and Kibana should be functioning normally. + '503': content: application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET /api/lists?id=ip_list] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-read] - statusCode: 403 schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse' + description: Kibana's operational status. A minimal response is sent for unauthorized users. + description: Kibana or some of it's essential services are unavailable. Kibana may be degraded or unavailable. + summary: Get Kibana's current status + tags: + - system + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches list of all streams

[Required authorization] Route required privileges: read_stream. + operationId: get-streams + parameters: [] + requestBody: + content: + application/json: + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': content: application/json: examples: - notFound: + listStreams: value: - message: 'list id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': + streams: + - description: Root logs stream + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: [] + updated_at: '2025-01-10T08:00:00.000Z' + settings: {} + wired: + fields: + '@timestamp': + type: date + log.level: + type: keyword + message: + type: match_only_text + routing: + - destination: logs.nginx + status: enabled + where: + eq: nginx + field: host.name + name: logs + type: wired + updated_at: '2025-01-10T08:00:00.000Z' + - description: Web server access logs, routed by severity + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: [] + updated_at: '2025-01-15T10:30:00.000Z' + settings: {} + wired: + fields: + host.name: + type: keyword + http.response.status_code: + type: long + message: + type: match_only_text + routing: + - destination: logs.nginx.errors + status: enabled + where: + field: http.response.status_code + gte: 500 + name: logs.nginx + type: wired + updated_at: '2025-01-15T10:30:00.000Z' + - description: Legacy application logs + ingest: + classic: {} + failure_store: + disabled: {} + lifecycle: + dsl: + data_retention: 30d + processing: + steps: + - action: grok + from: message + ignore_missing: true + patterns: + - '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log.level} %{GREEDYDATA:message}' + updated_at: '2024-12-01T09:00:00.000Z' + settings: {} + name: logs-myapp-default + type: classic + updated_at: '2024-12-01T09:00:00.000Z' + - 
description: All error-level logs across every stream + name: logs.errors + query: + esql: FROM logs* | WHERE log.level == "error" + view: logs.errors-view + type: query + updated_at: '2025-01-20T14:00:00.000Z' + summary: Get stream list + tags: + - streams + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/_disable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/_disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Disables wired streams and deletes all existing stream definitions. The data of wired streams is deleted, but the data of classic streams is preserved.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-disable + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: {} + summary: Disable streams + tags: + - streams + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/_enable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/_enable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Enables wired streams

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-enable + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: {} + summary: Enable streams + tags: + - streams + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/_resync: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/_resync
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Resyncs all streams, making sure that Elasticsearch assets are up to date

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-resync + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: {} + summary: Resync streams + tags: + - streams + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/streams/{name}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Deletes a stream definition and the underlying data stream

[Required authorization] Route required privileges: manage_stream. + operationId: delete-streams-name + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: {} + summary: Delete a stream + tags: + - streams + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches a stream definition and associated dashboards

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name + parameters: + - in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': content: application/json: examples: - serverError: + getWiredStream: value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value list details + dashboards: [] + data_stream_exists: true + effective_failure_store: + disabled: {} + from: logs + effective_lifecycle: + dsl: + data_retention: 7d + from: logs + effective_settings: {} + inherited_fields: + '@timestamp': + from: logs + type: date + log.level: + from: logs + type: keyword + privileges: + create_snapshot_repository: false + lifecycle: true + manage: true + manage_failure_store: true + monitor: true + read_failure_store: true + simulate: true + text_structure: true + view_index_metadata: true + queries: [] + rules: [] + stream: + description: Web server access logs, routed by severity + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: [] + updated_at: '2025-01-15T10:30:00.000Z' + settings: {} + wired: + fields: + host.name: + type: keyword + http.response.status_code: + type: long + message: + type: match_only_text + routing: + - destination: logs.nginx.errors + status: enabled + where: + field: http.response.status_code + gte: 500 + name: logs.nginx + type: wired + updated_at: '2025-01-15T10:30:00.000Z' + summary: Get a stream tags: - - Security Lists API - patch: - description: Update specific fields of an existing list using the list `id`. 
- operationId: PatchList + - streams + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/streams/{name}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates or updates a stream definition. Classic streams can not be created through this API, only updated

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-name + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: name + required: true + schema: + type: string requestBody: content: application/json: examples: - patchName: + createQueryStream: value: - id: ip_list - name: Bad ips list - UPDATED + dashboards: [] + queries: [] + rules: [] + stream: + description: All error-level logs across every stream + query: + esql: FROM logs* | WHERE log.level == "error" + view: logs.errors-view + type: query + createWiredStream: + value: + dashboards: [] + queries: [] + rules: [] + stream: + description: Web server access logs, routed by severity + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: [] + settings: {} + wired: + fields: + host.name: + type: keyword + http.response.status_code: + type: long + message: + type: match_only_text + routing: + - destination: logs.nginx.errors + status: enabled + where: + field: http.response.status_code + gte: 500 + type: wired + updateClassicStream: + value: + dashboards: [] + queries: [] + rules: [] + stream: + description: Legacy application logs managed as a classic data stream + ingest: + classic: {} + failure_store: + disabled: {} + lifecycle: + dsl: + data_retention: 30d + processing: + steps: + - action: grok + from: message + ignore_missing: true + patterns: + - '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log.level} %{GREEDYDATA:message}' + settings: {} + type: classic schema: - example: - id: ip_list - name: Bad ips list - UPDATED + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamUpsertRequest' + responses: {} + summary: Create or update a stream + tags: + - streams + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/_fork: + post: + 
description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/_fork
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Forks a wired stream and creates a child stream

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-name-fork + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + forkStream: + value: + status: enabled + stream: + name: logs.nginx.errors + where: + eq: '500' + field: http.response.status_code + schema: + additionalProperties: false type: object properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - version: - $ref: '#/components/schemas/Security_Lists_API_ListVersion' + draft: + type: boolean + status: + enum: + - enabled + - disabled + type: string + stream: + additionalProperties: false + type: object + properties: + name: + type: string + required: + - name + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' required: - - id - description: Value list's properties - required: true + - stream + - where + responses: {} + summary: Fork a stream + tags: + - streams + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/_ingest: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}/_ingest
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches the ingest settings of an ingest stream definition

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name-ingest + parameters: + - in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - ip: - value: - _version: WzEsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ips - id: ip_list - immutable: false - name: Bad ips list - UPDATED - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T05:21:53.843Z - updated_by: elastic - version: 2 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: name: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [PATCH /api/lists] is unauthorized for user, this - action is granted by the Kibana privileges 
[lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: + getWiredIngest: value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Patch a value list + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: + - action: grok + from: message + ignore_missing: false + patterns: + - '%{IPORHOST:client.ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:@timestamp}\] "%{WORD:http.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}" %{NUMBER:http.response.status_code:int} (?:%{NUMBER:http.response.body.bytes:int}|-)' + updated_at: '2025-01-15T10:30:00.000Z' + settings: {} + wired: + fields: + client.ip: + type: ip + http.method: + type: keyword + http.response.body.bytes: + type: long + http.response.status_code: + type: long + url.original: + type: wildcard + routing: + - destination: logs.nginx.errors + status: enabled + where: + field: http.response.status_code + gte: 500 + summary: Get ingest stream settings tags: - - Security Lists API - post: - description: Create a new value list. - operationId: CreateList + - streams + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/streams/{name}/_ingest
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upserts the ingest settings of an ingest stream definition

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-name-ingest + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: name + required: true + schema: + type: string requestBody: content: application/json: examples: - ip: + upsertWiredIngest: value: - description: This list describes bad internet ips - id: ip_list - name: Simple list with ips - type: ip - ip_range: - value: - description: This list has ip ranges - id: ip_range_list - name: Simple list with ip ranges - type: ip_range - keyword: - value: - description: This list describes bad host names - id: keyword_list - name: Simple list with a keyword - type: keyword - keyword_custom_format: + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: + - action: grok + from: message + ignore_missing: false + patterns: + - '%{IPORHOST:client.ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:@timestamp}\] "%{WORD:http.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}" %{NUMBER:http.response.status_code:int} (?:%{NUMBER:http.response.body.bytes:int}|-)' + settings: {} + wired: + fields: + client.ip: + type: ip + http.method: + type: keyword + http.response.body.bytes: + type: long + http.response.status_code: + type: long + url.original: + type: wildcard + routing: + - destination: logs.nginx.errors + status: enabled + where: + eq: '500' + field: http.response.status_code + schema: + additionalProperties: false + type: object + properties: + ingest: + anyOf: + - additionalProperties: false + type: object + properties: + failure_store: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' + lifecycle: + $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' + processing: + additionalProperties: false + type: object + properties: + steps: + items: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + updated_at: {} + required: + - steps + settings: + additionalProperties: false + type: object + properties: + index.number_of_replicas: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.number_of_shards: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.refresh_interval: + additionalProperties: false + type: object + properties: + value: + anyOf: + - type: string + - enum: + - -1 + type: number + required: + - value + wired: + additionalProperties: false + type: object + properties: + draft: + type: boolean + fields: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinition' + routing: + items: + type: object + properties: + destination: + description: A non-empty string. + minLength: 1 + type: string + draft: + type: boolean + status: + enum: + - enabled + - disabled + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + required: + - destination + - where + type: array + required: + - fields + - routing + required: + - lifecycle + - processing + - settings + - failure_store + - wired + - additionalProperties: false + type: object + properties: + classic: + additionalProperties: false + type: object + properties: + field_overrides: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinition' + failure_store: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' + lifecycle: + $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' + processing: + additionalProperties: false + type: object + properties: + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + updated_at: {} + required: + - steps + settings: + additionalProperties: false + type: object + properties: + index.number_of_replicas: + additionalProperties: false + type: object + properties: + value: + type: 
number + required: + - value + index.number_of_shards: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.refresh_interval: + additionalProperties: false + type: object + properties: + value: + anyOf: + - type: string + - enum: + - -1 + type: number + required: + - value + required: + - lifecycle + - processing + - settings + - failure_store + - classic + required: + - ingest + responses: {} + summary: Update ingest stream settings + tags: + - streams + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/_query: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}/_query
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches the query settings of a query stream definition

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name-query + parameters: + - in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: {} + summary: Get query stream settings + tags: + - streams + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/streams/{name}/_query
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upserts the query settings of a query stream definition

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-name-query + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + upsertQueryStream: value: - description: This parses the first found ipv4 only - id: keyword_custom_format_list - name: Simple list with a keyword using a custom format - type: keyword + query: + esql: FROM logs* | WHERE log.level == "error" | KEEP @timestamp, message, host.name, log.level + schema: + additionalProperties: false + type: object + properties: + field_descriptions: + additionalProperties: + type: string + type: object + query: + additionalProperties: false + type: object + properties: + esql: + type: string + required: + - esql + required: + - query + responses: {} + summary: Upsert query stream settings + tags: + - streams + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/content/export: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/content/export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Exports the content associated to a stream.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-name-content-export + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: schema: + additionalProperties: false type: object properties: description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + type: string + include: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ContentPackIncludedObjects' name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - type: - $ref: '#/components/schemas/Security_Lists_API_ListType' + type: string version: - default: 1 - minimum: 1 - type: integer + type: string required: - name - description - - type - description: Value list's properties - required: true - responses: - '200': - content: - application/json: - examples: - ip: - value: - _version: WzAsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ips - id: ip_list - immutable: false - name: Simple list with ips - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T04:47:34.273Z - updated_by: elastic - version: 1 - ip_range: - value: - _version: WzAsMV0= - '@timestamp': 2025-01-09T18:23:52.241Z - created_at: 2025-01-09T18:23:52.241Z - created_by: elastic - description: This list has ip ranges - id: ip_range_list - immutable: false - name: Simple list with ip ranges - tie_breaker_id: 74aebdaf-601f-4940-b351-155728ff7003 - type: ip_range - updated_at: 2025-01-09T18:23:52.241Z - updated_by: elastic - version: 1 - keyword: - value: - _version: WzEsMV0= - 
'@timestamp': 2025-01-09T18:24:55.786Z - created_at: 2025-01-09T18:24:55.786Z - created_by: elastic - description: This list describes bad host names - id: keyword_list - immutable: false - name: Simple list with a keyword - tie_breaker_id: f7e7dbaa-daf7-4c9a-a3dc-56643923ef68 - type: keyword - updated_at: 2025-01-09T18:24:55.786Z - updated_by: elastic - version: 1 - keyword_custom_format: - value: - _version: WzIsMV0= - '@timestamp': 2025-01-09T18:25:39.604Z - created_at: 2025-01-09T18:25:39.604Z - created_by: elastic - description: This parses the first found ipv4 only - id: keyword_custom_format_list - immutable: false - name: Simple list with a keyword using a custom format - tie_breaker_id: 8247ae63-b780-47b8-9a89-948b643e9ec2 - type: keyword - updated_at: 2025-01-09T18:25:39.604Z - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - notFound: - value: - message: >- - To create a list, the data stream must exist first. 
Data - stream \".lists-default\" does not exist - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/lists] is unauthorized for user, this - action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json: - examples: - alreadyExists: - value: - message: 'list id: "keyword_custom_format_list" already exists' - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List already exists response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Create a value list + - version + - include + responses: {} + summary: Export stream content tags: - - Security Lists API + - streams + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/content/import: + post: + description: |- 
+ **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/content/import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Links content objects to a stream.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-name-content-import + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: name + required: true + schema: + type: string + requestBody: + content: + multipart/form-data: + schema: + additionalProperties: false + type: object + properties: + content: {} + include: + type: string + required: + - include + - content + responses: {} + summary: Import content into a stream + tags: + - streams + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/queries: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}/queries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches all queries linked to a stream that are visible to the current user in the current space.

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name-queries + parameters: + - in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: {} + summary: Get stream queries + tags: + - streams + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/queries/_bulk: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/queries/_bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk update queries of a stream. Can add new queries and delete existing ones.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-name-queries-bulk + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + operations: + items: + anyOf: + - type: object + properties: + index: + type: object + properties: + description: + default: '' + type: string + esql: + type: object + properties: + query: + type: string + required: + - query + evidence: + items: + type: string + type: array + id: + description: A non-empty string. + minLength: 1 + type: string + severity_score: + type: number + title: + description: A non-empty string. + minLength: 1 + type: string + required: + - title + - esql + - id + required: + - index + - type: object + properties: + delete: + type: object + properties: + id: + type: string + required: + - id + required: + - delete + type: array + required: + - operations + responses: {} + summary: Bulk update queries + tags: + - streams + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/queries/{queryId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/streams/{name}/queries/{queryId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Remove a query from a stream. Noop if the query is not found on the stream.

[Required authorization] Route required privileges: manage_stream. + operationId: delete-streams-name-queries-queryid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: name + required: true + schema: + type: string + - in: path + name: queryId + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: {} + summary: Remove a query from a stream + tags: + - streams + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name put: - description: > - Update a value list using the list `id`. The original list is replaced, - and all unspecified fields are deleted. + description: |- + **Spaces method and path for this operation:** - > info +
put /s/{space_id}/api/streams/{name}/queries/{queryId}
- > You cannot modify the `id` value. - operationId: UpdateList + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Adds a query to a stream. Noop if the query is already present on the stream.

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-name-queries-queryid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: name + required: true + schema: + type: string + - in: path + name: queryId + required: true + schema: + type: string requestBody: content: application/json: - examples: - replaceList: - value: - description: Latest list of bad ips - id: ip_list - name: Bad ips - updated schema: - example: - description: Latest list of bad ips - id: ip_list - name: Bad ips - updated + additionalProperties: false type: object properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - version: - $ref: '#/components/schemas/Security_Lists_API_ListVersion' + default: '' + type: string + esql: + additionalProperties: false + type: object + properties: + query: + type: string + required: + - query + evidence: + items: + type: string + type: array + severity_score: + type: number + title: + description: A non-empty string. 
+ minLength: 1 + type: string required: - - id - - name - - description - description: Value list's properties - required: true - responses: - '200': - content: - application/json: - examples: - ip: - value: - _version: WzIsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: Latest list of bad ips - id: ip_list - immutable: false - name: Bad ips - updated - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T05:39:39.292Z - updated_by: elastic - version: 3 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [PUT /api/lists] is unauthorized for user, this action - is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - 
message: 'list id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Update a value list + - title + - esql + responses: {} + summary: Upsert a query to a stream tags: - - Security Lists API - /api/lists/_find: + - streams + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/significant_events: get: - description: >- - Get a paginated subset of value lists. By default, the first page is - returned, with 20 results per page. - operationId: FindLists + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}/significant_events
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Read the significant events

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name-significant-events parameters: - - description: The page number to return. + - in: path + name: name + required: true + schema: + type: string + - in: query + name: from + required: true + schema: + type: string + - in: query + name: to + required: true + schema: + type: string + - in: query + name: bucketSize + required: true + schema: + type: string + - description: Query string to filter significant events on metadata fields in: query - name: page + name: query required: false schema: - example: 1 - type: integer - - description: The number of value lists to return per page. + type: string + - description: 'Search mode: keyword (BM25), semantic (vector), or hybrid (RRF). Defaults to hybrid when inference is available.' in: query - name: per_page + name: searchMode required: false schema: - example: 20 - type: integer - - description: Determines which field is used to sort the results. + enum: + - keyword + - semantic + - hybrid + type: string + requestBody: + content: + application/json: + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: {} + summary: Read the significant events + tags: + - streams + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/significant_events/_generate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/significant_events/_generate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Generate significant events queries based on the stream data

[Required authorization] Route required privileges: read_stream. + operationId: post-streams-name-significant-events-generate + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: name + required: true + schema: + type: string + - description: Optional connector ID. If not provided, the default AI connector from settings will be used. in: query - name: sort_field + name: connectorId + required: false + schema: + type: string + - in: query + name: from + required: true + schema: + type: string + - in: query + name: to + required: true + schema: + type: string + - description: Number of sample documents to use for generation from the current data of stream + in: query + name: sampleDocsSize required: false schema: - example: name - format: nonempty - minLength: 1 + type: number + requestBody: + content: + application/json: + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: {} + summary: Generate significant events + tags: + - streams + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/significant_events/_preview: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/significant_events/_preview
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Preview significant event results based on a given query

[Required authorization] Route required privileges: read_stream. + operationId: post-streams-name-significant-events-preview + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: name + required: true + schema: + type: string + - in: query + name: from + required: true + schema: + type: string + - in: query + name: to + required: true + schema: + type: string + - in: query + name: bucketSize + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + esql: + additionalProperties: false + type: object + properties: + query: + type: string + required: + - query + required: + - esql + required: + - query + responses: {} + summary: Preview significant events + tags: + - streams + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{streamName}/attachments: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{streamName}/attachments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches all attachments linked to a stream that are visible to the current user in the current space. Optionally filter by attachment types, search query, and tags.

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-streamname-attachments + parameters: + - description: The name of the stream + in: path + name: streamName + required: true + schema: type: string - - description: Determines the sort order, which can be `desc` or `asc` + - description: Search query to filter attachments by title in: query - name: sort_order + name: query required: false schema: - enum: - - desc - - asc - example: asc type: string - - description: >- - Returns the lists that come after the last lists returned in the - previous call (use the `cursor` value returned in the previous - call). This parameter uses the `tie_breaker_id` field to ensure all - lists are sorted and returned correctly. + - description: Filter by attachment types (single value or array) in: query - name: cursor + name: attachmentTypes required: false schema: - $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' - - description: > - Filters the returned results according to the value of the specified - field, - - using the : syntax. 
+ items: + enum: + - dashboard + - rule + - slo + type: string + type: array + - description: Filter by tags (single value or array) in: query - name: filter + name: tags required: false schema: - $ref: '#/components/schemas/Security_Lists_API_FindListsFilter' + items: + type: string + type: array + requestBody: + content: + application/json: + examples: + listAttachmentsExample: + value: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - ipList: - value: - cursor: >- - WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d - data: - - _version: WzAsMV0= - '@timestamp': | - 2025-01-08T04:47:34.273Z - created_at: | - 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ip - id: ip_list - immutable: false - name: Simple list with an ip - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: | - 2025-01-08T04:47:34.273Z - updated_by: elastic - version: 1 - page: 1 - per_page: 20 - total: 1 - schema: - type: object - properties: - cursor: - $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' - data: - items: - $ref: '#/components/schemas/Security_Lists_API_List' - type: array - page: - minimum: 0 - type: integer - per_page: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - - cursor - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: page: Expected number, received nan' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - 
message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: + listAttachmentsResponse: value: - error: Forbidden - message: >- - API [GET /api/lists/_find?page=1&per_page=20] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': + attachments: + - createdAt: '2023-02-23T16:15:47.275Z' + description: Dashboard for monitoring production services + id: dashboard-123 + streamNames: + - logs.awsfirehose + - logs.nginx + tags: + - monitoring + - production + title: My Dashboard + type: dashboard + updatedAt: '2023-03-24T14:39:17.636Z' + description: Successfully retrieved attachments + summary: Get stream attachments + tags: + - streams + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{streamName}/attachments/_bulk: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{streamName}/attachments/_bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk update attachments linked to a stream. Can link new attachments and delete existing ones. Supports mixed attachment types in a single request.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-streamname-attachments-bulk + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream + in: path + name: streamName + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + bulkAttachmentsExample: + value: + operations: + - index: + id: dashboard-123 + type: dashboard + - delete: + id: rule-456 + type: rule + schema: + additionalProperties: false + type: object + properties: + operations: + items: + anyOf: + - type: object + properties: + index: + type: object + properties: + id: + type: string + type: + enum: + - dashboard + - rule + - slo + type: string + required: + - id + - type + required: + - index + - type: object + properties: + delete: + type: object + properties: + id: + type: string + type: + enum: + - dashboard + - rule + - slo + type: string + required: + - id + - type + required: + - delete + type: array + required: + - operations + responses: + '200': content: application/json: examples: - serverError: + bulkAttachmentsResponse: value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value lists + acknowledged: true + description: Successfully performed bulk operations + summary: Bulk update attachments tags: - - Security Lists API - /api/lists/index: + - streams + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}: delete: - description: Delete the `.lists` and `.items` data streams. - operationId: DeleteListIndex + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Unlinks an attachment from a stream. Noop if the attachment is not linked to the stream.

[Required authorization] Route required privileges: manage_stream. + operationId: delete-streams-streamname-attachments-attachmenttype-attachmentid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream + in: path + name: streamName + required: true + schema: + type: string + - description: The type of the attachment + in: path + name: attachmentType + required: true + schema: + enum: + - dashboard + - rule + - slo + type: string + - description: The ID of the attachment + in: path + name: attachmentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + unlinkAttachmentExample: + value: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - acknowledged: + unlinkAttachmentResponse: value: acknowledged: true - schema: - type: object - properties: - acknowledged: - type: boolean - required: - - acknowledged - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - message: >- - Unable to delete value list data streams: invalid or - missing index metadata - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: 
'#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [DELETE /api/lists/index] is not authorized; lists-all - (or equivalent) is required to delete data streams - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: The value list data stream was not found in this space - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream not found response - '500': + description: Successfully unlinked attachment + summary: Unlink an attachment from a stream + tags: + - streams + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Links an attachment to a stream. Noop if the attachment is already linked to the stream.

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-streamname-attachments-attachmenttype-attachmentid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream + in: path + name: streamName + required: true + schema: + type: string + - description: The type of the attachment + in: path + name: attachmentType + required: true + schema: + enum: + - dashboard + - rule + - slo + type: string + - description: The ID of the attachment + in: path + name: attachmentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + linkAttachmentExample: + value: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': content: application/json: examples: - serverError: + linkAttachmentResponse: value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Delete value list data streams + acknowledged: true + description: Successfully linked attachment + summary: Link an attachment to a stream tags: - - Security Lists API + - streams + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/task_manager/_health: get: - description: Verify that `.lists` and `.items` data streams exist. - operationId: ReadListIndex + description: | + Get the health status of the Kibana task manager. 
+ operationId: task-manager-health responses: '200': content: application/json: examples: - bothExist: - value: - list_index: true - list_item_index: true - schema: - type: object - properties: - list_index: - type: boolean - list_item_index: - type: boolean - required: - - list_index - - list_item_index - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - message: >- - Unable to read value list data stream status for this - space - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET /api/lists/index] is not authorized; list read - permissions are required - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: Value list backing indices were not found for this space - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream(s) not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 + 
taskManagerHealthResponse1: + $ref: '#/components/examples/Task_manager_health_Serverless_APIs_health_200response_serverless' schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get status of value list data streams + $ref: '#/components/schemas/Task_manager_health_Serverless_APIs_health_response_serverless' + description: Indicates a successful call + summary: Get the task manager health tags: - - Security Lists API - post: - deprecated: true - description: > - **DEPRECATED.** `deprecated: true` is set on this operation. Value list - backing data streams for the space - - are now created as part of supported workflows; calling this explicitly - is rarely required. - - **WARNING:** Do not use for new integrations. Prefer the UI or the list - and list-item APIs after confirming + - task manager + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timeline: + delete: + description: |- + **Spaces method and path for this operation:** - indices exist with `GET /api/lists/index`. +
delete /s/{space_id}/api/timeline
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Creates the `.lists` and `.items` data streams in the current Kibana - space. - operationId: CreateListIndex + Delete one or more Timelines or Timeline templates. + operationId: DeleteTimelines + requestBody: + content: + application/json: + examples: + deleteByIds: + summary: Delete timelines by saved object id + value: + savedObjectIds: + - 15c1929b-0af7-42bd-85a8-56e234cc7c4e + deleteWithSearches: + summary: Delete Timelines and their linked saved searches + value: + savedObjectIds: + - 15c1929b-0af7-42bd-85a8-56e234cc7c4e + - 6ce1b592-84e3-4b4a-9552-f189d4b82075 + searchIds: + - 2c1b8f02-9ad6-4e33-8f6a-2c6b7d0a1f11 + schema: + type: object + properties: + savedObjectIds: + description: The list of IDs of the Timelines or Timeline templates to delete + items: + type: string + maxItems: 100 + type: array + searchIds: + description: Saved search IDs that should be deleted alongside the timelines + items: + type: string + maxItems: 100 + type: array + required: + - savedObjectIds + description: The IDs of the Timelines or Timeline templates to delete. + required: true responses: '200': content: application/json: examples: - acknowledged: - value: - acknowledged: true + success: + summary: Success + value: {} schema: + additionalProperties: true type: object - properties: - acknowledged: - type: boolean - required: - - acknowledged - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - message: >- - Indices exist but the request could not be completed for - the current space. Check that Elasticsearch and Kibana - privileges allow index creation for lists. 
- status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: > - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/lists/index] is unauthorized for user, this - action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json: - examples: - alreadyExists: - value: - message: >- - data stream: \".lists-default\" and \".items-default\" - already exists - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream exists response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Create list data streams + description: Indicates a successful call. + summary: Delete Timelines or Timeline templates tags: - - Security Lists API - /api/lists/items: - delete: - description: >- - Delete a value list item using its `id`, or its `list_id` and `value` - fields. 
- operationId: DeleteListItem - parameters: - - description: >- - Value list item's identifier. Required if `list_id` and `value` are - not specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - - description: Value list's identifier. Required if `id` is not specified. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: >- - The value used to evaluate exceptions. Required if `id` is not - specified. + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/timeline
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an existing saved Timeline or Timeline template. + operationId: GetTimeline + parameters: + - description: The `savedObjectId` of the Timeline template to retrieve. in: query - name: value - required: false + name: template_timeline_id schema: - example: 255.255.255.255 type: string - - description: >- - Determines when changes made by the request are made visible to - search. + - description: The `savedObjectId` of the Timeline to retrieve. in: query - name: refresh - required: false + name: id schema: - default: 'false' - enum: - - 'true' - - 'false' - - wait_for - example: false type: string responses: '200': content: application/json: examples: - ip: + timelineDetail: + summary: Timeline detail value: - _version: WzIwLDFd - '@timestamp': 2025-01-08T05:15:05.159Z - created_at: 2025-01-08T05:15:05.159Z - created_by: elastic - id: pd1WRJQBs4HAK3VQeHFI - list_id: ip_list - tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 - type: ip - updated_at: 2025-01-08T05:44:14.009Z - updated_by: elastic - value: 255.255.255.255 + description: User-reported suspicious email + noteIds: [] + pinnedEventIds: [] + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Phishing investigation + version: WzE0LDFd schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_ListItem' - - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - type: array - description: Successful response - '400': + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. + summary: Get Timeline or Timeline template details + tags: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/timeline
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing Timeline. You can update the title, description, date range, pinned events, pinned queries, and/or pinned saved queries of an existing Timeline. + operationId: PatchTimeline + requestBody: + content: + application/json: + examples: + patchTitle: + summary: Update title + value: + timeline: + title: Escalated case review + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzE0LDFd + schema: + type: object + properties: + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + description: The timeline object of the Timeline or Timeline template that you’re updating. + timelineId: + description: The `savedObjectId` of the Timeline or Timeline template that you’re updating. + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + nullable: true + type: string + version: + description: The version of the Timeline or Timeline template that you’re updating. + example: WzE0LDFd + nullable: true + type: string + required: + - timelineId + - version + - timeline + description: The Timeline updates, along with the Timeline ID and version. + required: true + responses: + '200': content: application/json: examples: - badRequest: + patched: + summary: Updated timeline value: - message: >- - Either \"list_id\" or \"id\" needs to be defined in the - request - status_code: 400 + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Escalated case review + version: WzE1LDFd schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. 
+ '405': content: application/json: examples: - unauthorized: + error: + summary: Error body value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + body: update timeline error + statusCode: 405 schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + type: object + properties: + body: + description: The error message. + example: update timeline error + type: string + statusCode: + example: 405 + type: number + description: Indicates that the user does not have the required access to create a Timeline. + summary: Update a Timeline + tags: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/timeline
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Timeline or Timeline template. + operationId: CreateTimelines + requestBody: + content: + application/json: + examples: + createDefault: + summary: Create a default timeline + value: + timeline: + status: active + timelineType: default + title: Malware containment + schema: + type: object + properties: + status: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' + nullable: true + templateTimelineId: + description: A unique identifier for the Timeline template. + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true + type: string + templateTimelineVersion: + description: Timeline template version number. + example: 12 + nullable: true + type: number + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + timelineId: + description: A unique identifier for the Timeline. + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true + type: string + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + version: + nullable: true + type: string + required: + - timeline + description: The required Timeline fields used to create a new Timeline, along with optional fields that will be created if not provided. 
+ required: true + responses: + '200': content: application/json: examples: - forbidden: + created: + summary: Created timeline value: - error: Forbidden - message: >- - API [DELETE /api/lists/items?id=pd1WRJQBs4HAK3VQeHFI] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-all] - statusCode: 403 + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Malware containment + version: WzE0LDFd schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. + '405': content: application/json: examples: - notFound: + error: + summary: Error body value: - message: 'list item with id: \"pd1WRJQBs4HAK3VQeHFI\" not found' - status_code: 404 + body: update timeline error + statusCode: 405 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': + type: object + properties: + body: + description: The error message + example: update timeline error + type: string + statusCode: + example: 405 + type: number + description: Indicates that there was an error in the Timeline creation. + summary: Create a Timeline or Timeline template + tags: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timeline/_copy: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/timeline/_copy
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Copies and returns a timeline or timeline template. + operationId: CopyTimeline + requestBody: + content: + application/json: + examples: + copyWithTitle: + summary: Copy with a new title + value: + timeline: + timelineType: default + title: Copy of investigation + timelineIdToCopy: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + schema: + type: object + properties: + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + timelineIdToCopy: + description: The `savedObjectId` of the timeline or template to duplicate. + type: string + required: + - timeline + - timelineIdToCopy + description: Source timeline id to copy plus timeline fields for the new saved object. + required: true + responses: + '200': content: application/json: examples: - serverError: + copied: + summary: Newly saved timeline value: - message: Internal Server Error - status_code: 500 + savedObjectId: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + status: active + timelineType: default + title: Copy of investigation + version: WzE1LDFd schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Delete a value list item + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. + summary: Copies timeline or timeline template tags: - - Security Lists API + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timeline/_draft: get: - description: Get the details of a value list item. - operationId: ReadListItem + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/timeline/_draft
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of the draft Timeline or Timeline template for the current user. If the user doesn't have a draft Timeline, an empty Timeline is returned. + operationId: GetDraftTimelines parameters: - - description: >- - Value list item identifier. Required if `list_id` and `value` are - not specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: >- - Value list item list's `id` identfier. Required if `id` is not - specified. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: >- - The value used to evaluate exceptions. Required if `id` is not - specified. + - description: Which draft to load (`default` investigation timeline or `template` timeline template). in: query - name: value - required: false + name: timelineType + required: true schema: - example: 127.0.0.2 - type: string + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' responses: '200': content: application/json: examples: - ip: + draftPayload: + summary: Draft timeline payload value: - _version: WzExLDFd - '@timestamp': 2025-01-08T05:16:25.882Z - created_at: 2025-01-08T05:16:25.882Z - created_by: elastic - id: qN1XRJQBs4HAK3VQs3Gc - list_id: ip_list - tie_breaker_id: a9a34c02-a385-436e-86a0-02a3942f3537 - type: ip - updated_at: 2025-01-08T05:16:25.882Z - updated_by: elastic - value: 127.0.0.2 + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: draft + timelineType: default + title: '' + version: WzE0LDFd schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_ListItem' - - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - type: array - description: Successful response - '400': + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful 
call. + '403': content: application/json: examples: - badRequest: + forbidden: + summary: Permission denied value: - message: >- - Either \"list_id\" or \"id\" needs to be defined in the - request - status_code: 400 + message: Forbidden + status_code: 403 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + type: object + properties: + message: + type: string + status_code: + type: number + description: If a draft Timeline was not found and we attempted to create one, it indicates that the user does not have the required permissions to create a draft Timeline. + '409': content: application/json: examples: - unauthorized: + conflict: + summary: Draft conflict value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + message: Conflict + status_code: 409 schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + type: object + properties: + message: + type: string + status_code: + type: number + description: This should never happen, but if a draft Timeline was not found and we attempted to create one, it indicates that there is already a draft Timeline with the given `timelineId`. + summary: Get draft Timeline or Timeline template details + tags: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/timeline/_draft
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a clean draft Timeline or Timeline template for the current user. + > info + > If the user already has a draft Timeline, the existing draft Timeline is cleared and returned. + operationId: CleanDraftTimelines + requestBody: + content: + application/json: + examples: + defaultDraft: + summary: Create a default draft timeline + value: + timelineType: default + schema: + type: object + properties: + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + required: + - timelineType + description: The type of Timeline to create. Valid values are `default` and `template`. + required: true + responses: + '200': content: application/json: examples: - forbidden: + draftResponse: + summary: Draft after reset or creation value: - error: Forbidden - message: >- - API [GET /api/lists/items?id=qN1XRJQBs4HAK3VQs3Gc] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: draft + templateTimelineId: null + templateTimelineVersion: null + timelineType: default + title: '' + version: WzE0LDFd schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. 
+ '403': content: application/json: examples: - notFound: + forbidden: + summary: Permission denied value: - message: 'list item id: \"foo\" not found' - status_code: 404 + message: Forbidden + status_code: 403 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': + type: object + properties: + message: + type: string + status_code: + type: number + description: Indicates that the user does not have the required permissions to create a draft Timeline. + '409': content: application/json: examples: - serverError: + conflict: + summary: Draft conflict value: - message: Internal Server Error - status_code: 500 + message: Conflict + status_code: 409 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get a value list item + type: object + properties: + message: + type: string + status_code: + type: number + description: Indicates that there is already a draft Timeline with the given `timelineId`. + summary: Create a clean draft Timeline or Timeline template tags: - - Security Lists API - patch: - description: >- - Update specific fields of an existing value list item using the item - `id`. - operationId: PatchListItem + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timeline/_export: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/timeline/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export Timelines as an NDJSON file. + operationId: ExportTimelines + parameters: + - description: The name of the file to export + in: query + name: file_name + required: true + schema: + type: string requestBody: content: application/json: examples: - changeValue: + exportIds: + summary: Export by timeline ids value: - id: pd1WRJQBs4HAK3VQeHFI - value: 255.255.255.255 + ids: + - 15c1929b-0af7-42bd-85a8-56e234cc7c4e schema: - example: - id: pd1WRJQBs4HAK3VQeHFI - value: 255.255.255.255 type: object properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - refresh: - description: >- - Determines when changes made by the request are made visible - to search. - enum: - - 'true' - - 'false' - - wait_for - type: string + ids: + items: + type: string + maxItems: 1000 + minItems: 1 + nullable: true + type: array + description: The IDs of the Timelines to export. + required: true + responses: + '200': + content: + application/ndjson: + examples: + ndjsonLine: + summary: Single NDJSON line + value: '{"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd","title":"Investigation","timelineType":"default"}' + schema: + description: NDJSON of the exported Timelines + type: string + description: Indicates a successful call. + '400': + content: + application/ndjson: + examples: + badRequest: + summary: Export error + value: + body: Export limit exceeded + statusCode: 400 + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: Bad Request response. 
+ summary: Export Timelines + tags: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timeline/_favorite: + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/timeline/_favorite
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Favorite a Timeline or Timeline template for the current user. + operationId: PersistFavoriteRoute + requestBody: + content: + application/json: + examples: + favoriteDefault: + summary: Favorite a default timeline value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + templateTimelineId: null + templateTimelineVersion: null + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + timelineType: default + schema: + type: object + properties: + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timelineId: + nullable: true + type: string + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true required: - - id - description: Value list item's properties + - timelineId + - templateTimelineId + - templateTimelineVersion + - timelineType + description: The required fields used to favorite a (template) Timeline. 
required: true responses: '200': content: application/json: examples: - ipItem: - value: - _version: WzE5LDFd - '@timestamp': 2025-01-08T05:15:05.159Z - created_at: 2025-01-08T05:15:05.159Z - created_by: elastic - id: pd1WRJQBs4HAK3VQeHFI - list_id: ip_list - tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 - type: ip - updated_at: 2025-01-08T05:23:37.602Z - updated_by: elastic - value: 255.255.255.255 - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - message: >- - {"took":15,"timed_out":false,"total":1,"updated":0,"deleted":0,"batches":1,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1,"throttled_until_millis":0,"failures":[{"index":".ds-.items-default-2025.01.09-000001","id":"ip_item","cause":{"type":"document_parsing_exception","reason":"[1:107] - failed to parse field [ip] of type [ip] in document with - id ip_item. 
Preview of fields value: - 2","caused_by":{"type":"illegal_argument_exception","reason":"2 - is not an IP string literal."}},"status":400}]} - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: + favoriteResponse: + summary: Favorite metadata updated value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + favorite: + - favoriteDate: 1741337636741 + userName: elastic + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + timelineType: default + version: WzE2LDFd schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response + $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResponse' + description: Indicates a successful call. 
'403': content: application/json: examples: forbidden: + summary: Forbidden value: - error: Forbidden - message: >- - API [PATCH /api/lists/items] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] + body: Forbidden statusCode: 403 schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list item id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Patch a value list item + type: object + properties: + body: + type: string + statusCode: + type: number + description: Indicates the user does not have the required permissions to persist the favorite status. + summary: Favorite a Timeline or Timeline template tags: - - Security Lists API + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timeline/_import: post: - description: > - Create a value list item and associate it with the specified value list. - + description: |- + **Spaces method and path for this operation:** - All value list items in the same list must be the same type. For - example, each list item in an `ip` list must define a specific IP - address. +
post /s/{space_id}/api/timeline/_import
- > info + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > Before creating a list item, you must create a list. - operationId: CreateListItem + Import Timelines. + operationId: ImportTimelines requestBody: content: application/json: examples: - ip: - value: - list_id: ip_list - value: 127.0.0.1 - ip_range: - value: - list_id: ip_range_list - value: 192.168.0.0/16 - keyword: + multipartPlaceholder: + summary: Request shape (file is a stream of NDJSON lines at runtime) value: - list_id: keyword_list - value: zeek + file: '{"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd"}\n' + isImmutable: 'false' schema: type: object properties: - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - list_id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - refresh: - description: >- - Determines when changes made by the request are made visible - to search. + file: {} + isImmutable: + description: Whether the Timeline should be immutable enum: - 'true' - 'false' - - wait_for - example: wait_for type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' required: - - list_id - - value - description: Value list item's properties + - file + description: The Timelines to import as a readable stream. 
required: true responses: '200': content: application/json: examples: - ip: - value: - _version: WzAsMV0= - '@timestamp': 2025-01-08T04:59:06.154Z - created_at: 2025-01-08T04:59:06.154Z - created_by: elastic - id: 21b01cfb-058d-44b9-838c-282be16c91cc - list_id: ip_list - tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a - type: ip - updated_at: 2025-01-08T04:59:06.154Z - updated_by: elastic - value: 127.0.0.1 - ip_range: - value: - _version: WzEsMV0= - '@timestamp': 2025-01-09T18:33:08.202Z - created_at: 2025-01-09T18:33:08.202Z - created_by: elastic - id: ip_range_item - list_id: ip_range_list - tie_breaker_id: ea1b4189-efda-4637-b8f9-74655a5ebb61 - type: ip_range - updated_at: 2025-01-09T18:33:08.202Z - updated_by: elastic - value: 192.168.0.0/16 - keyword: + importSummary: + summary: Import summary value: - _version: WzIsMV0= - '@timestamp': 2025-01-09T18:34:29.422Z - created_at: 2025-01-09T18:34:29.422Z - created_by: elastic - id: 7f24737d-1da8-4626-a568-33070591bb4e - list_id: keyword_list - tie_breaker_id: 2108ced2-5e5d-401e-a88e-4dd69fc5fa27 - type: keyword - updated_at: 2025-01-09T18:34:29.422Z - updated_by: elastic - value: zeek + errors: [] + success: true + success_count: 5 + timelines_installed: 3 + timelines_updated: 2 schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult' + description: Indicates a successful call. 
'400': content: application/json: examples: badRequest: + summary: Invalid import value: - error: Bad Request - message: >- - uri [/api/lists/items] with method [post] exists but is - not available with the current configuration + body: Invalid file extension statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/lists/items] is unauthorized for user, this - action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response + type: object + properties: + body: + description: The error message + example: Invalid file extension + type: string + statusCode: + example: 400 + type: number + description: Bad Request response. 
'404': content: application/json: examples: - listNotFound: + notFound: + summary: Saved objects client missing value: - message: 'list id: \"ip_list\" does not exist' - status_code: 404 + body: Unable to find saved object client + statusCode: 404 schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response + type: object + properties: + body: + description: The error message + example: Unable to find saved object client + type: string + statusCode: + example: 404 + type: number + description: Not found response. '409': content: application/json: examples: - alreadyExists: - value: - message: 'list item id: \"ip_item\" already exists' - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item already exists response - '500': - content: - application/json: - examples: - serverError: + conflict: + summary: Import conflict value: - message: Internal Server Error - status_code: 500 + body: Could not import timelines + statusCode: 409 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Create a value list item + type: object + properties: + body: + description: The error message + example: Could not import timelines + type: string + statusCode: + example: 409 + type: number + description: Indicates the import of Timelines was unsuccessful. + summary: Import Timelines tags: - - Security Lists API - put: - description: > - Update a value list item using the list item ID. The original list item - is replaced, and all unspecified fields are deleted. + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timeline/_prepackaged: + post: + description: |- + **Spaces method and path for this operation:** - > info +
post /s/{space_id}/api/timeline/_prepackaged
- > You cannot modify the `id` value. - operationId: UpdateListItem + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install or update prepackaged Timelines. + operationId: InstallPrepackedTimelines requestBody: content: application/json: examples: - fullReplace: + emptyArrays: + summary: Installer payload shape value: - id: ip_item - value: 255.255.255.255 + prepackagedTimelines: [] + timelinesToInstall: [] + timelinesToUpdate: [] schema: - example: - id: ip_item - value: 255.255.255.255 type: object properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + prepackagedTimelines: + items: + $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject' + nullable: true + type: array + timelinesToInstall: + items: + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' + nullable: true + type: array + timelinesToUpdate: + items: + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' + nullable: true + type: array required: - - id - - value - description: Value list item's properties + - timelinesToInstall + - timelinesToUpdate + - prepackagedTimelines + description: The Timelines to install or update. 
required: true responses: '200': content: application/json: examples: - ip: - value: - _version: WzIwLDFd - '@timestamp': 2025-01-08T05:15:05.159Z - created_at: 2025-01-08T05:15:05.159Z - created_by: elastic - id: pd1WRJQBs4HAK3VQeHFI - list_id: ip_list - tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 - type: ip - updated_at: 2025-01-08T05:44:14.009Z - updated_by: elastic - value: 255.255.255.255 - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [PATCH /api/lists/items] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: + installResult: + summary: Install result counts value: - message: 'list item id: \"foo\" not found' - status_code: 404 + errors: [] + success: true + 
success_count: 10 + timelines_installed: 8 + timelines_updated: 2 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult' + description: Indicates a successful call. '500': content: application/json: examples: serverError: + summary: Server error value: - message: Internal Server Error - status_code: 500 + body: Internal error + statusCode: 500 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Update a value list item + type: object + properties: + body: + type: string + statusCode: + type: number + description: Indicates the installation of prepackaged Timelines was unsuccessful. + summary: Install prepackaged Timelines tags: - - Security Lists API - /api/lists/items/_export: - post: - description: Export list item values from the specified value list. - operationId: ExportListItems + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timeline/resolve: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/timeline/resolve
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Resolve a Timeline or Timeline template, surfacing outcomes such as `exactMatch`, `aliasMatch`, or `conflict` when object IDs have been remapped during upgrades or imports. Provide **either** `id` for default Timelines or `template_timeline_id` for templates. + operationId: ResolveTimeline parameters: - - description: Value list's `id` to export. + - description: The ID of the template timeline to resolve in: query - name: list_id - required: true + name: template_timeline_id schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' + type: string + - description: The ID of the timeline to resolve + in: query + name: id + schema: + type: string responses: '200': - content: - application/ndjson: - examples: - ipLines: - value: | - 127.0.0.1 - 127.0.0.2 - 127.0.0.3 - schema: - description: A `.txt` file containing list items from the specified list - example: | - 127.0.0.1 - 127.0.0.2 - 127.0.0.3 - 127.0.0.4 - 127.0.0.5 - 127.0.0.6 - 127.0.0.7 - 127.0.0.8 - 127.0.0.9 - format: binary - type: string - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: 'Bad Request","message":"[request query]: list_id: Required' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': content: application/json: examples: - unauthorized: + exactMatch: + description: Timeline resolved without alias or conflict + summary: Exact match outcome value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + 
outcome: exactMatch + timeline: + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + timelineType: default + title: Investigation schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + $ref: '#/components/schemas/Security_Timeline_API_ResolvedTimeline' + description: Indicates a successful call. + '400': content: application/json: examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/lists/items/_export?list_id=ips.txt] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 + badRequest: + summary: Bad request + value: {} schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response + additionalProperties: true + type: object + description: Bad Request response. '404': content: application/json: examples: notFound: - value: - message: 'list id: "unknown_list" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 + summary: Not found + value: {} schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Export value list items + additionalProperties: true + type: object + description: The (template) Timeline was not found + summary: Resolve a Timeline or Timeline template tags: - - Security Lists API - /api/lists/items/_find: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timelines: get: - description: Get all value list items in the specified list. - operationId: FindListItems + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/timelines
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all saved Timelines or Timeline templates. + operationId: GetTimelines parameters: - - description: Parent value list's `id` to page through items for. - in: query - name: list_id - required: true - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: The page number to return. + - description: If `true`, only Timelines that the current user has marked as favorite are returned. in: query - name: page - required: false + name: only_user_favorite schema: - example: 1 - type: integer - - description: The number of list items to return per page. + enum: + - 'true' + - 'false' + nullable: true + type: string + - description: Restrict results to `default` investigation timelines or `template` timeline templates. in: query - name: per_page - required: false + name: timeline_type schema: - example: 20 - type: integer - - description: Determines which field is used to sort the results. + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + - description: Field used to sort the list (`title`, `description`, `updated`, or `created`). in: query name: sort_field - required: false schema: - example: value - format: nonempty - minLength: 1 - type: string - - description: Determines the sort order, which can be `desc` or `asc` + $ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline' + - description: Whether to sort the results `ascending` or `descending` in: query name: sort_order - required: false schema: enum: - - desc - asc - example: asc + - desc type: string - - description: > - Opaque cursor returned in a previous response; pass it to continue - listing from the next page. Omit on the first request. 
+ - description: How many results should returned at once in: query - name: cursor - required: false + name: page_size schema: - $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' - - description: > - Filters the returned results according to the value of the specified - field, - - using the : syntax. + nullable: true + type: string + - description: How many pages should be skipped in: query - name: filter - required: false + name: page_index schema: - $ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter' + nullable: true + type: string + - description: Allows to search for timelines by their title + in: query + name: search + schema: + nullable: true + type: string + - description: Filter by timeline lifecycle state (`active`, `draft`, or `immutable`). + in: query + name: status + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' + nullable: true responses: '200': content: application/json: examples: - ip: + timelineList: + summary: Example list response value: - cursor: >- - WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d - data: - - _version: WzAsMV0= - '@timestamp': 2025-01-08T04:59:06.154Z - created_at: 2025-01-08T04:59:06.154Z - created_by: elastic - id: 21b01cfb-058d-44b9-838c-282be16c91cc - list_id: ip_list - tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a - type: ip - updated_at: 2025-01-08T04:59:06.154Z - updated_by: elastic - value: 127.0.0.1 - page: 1 - per_page: 20 - total: 1 + customTemplateTimelineCount: 0 + defaultTimelineCount: 1 + elasticTemplateTimelineCount: 0 + favoriteCount: 0 + templateTimelineCount: 0 + timeline: + - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Phishing investigation + updated: 1741344876825 + version: WzE0LDFd + totalCount: 1 schema: type: object properties: - cursor: - $ref: >- - #/components/schemas/Security_Lists_API_FindListItemsCursor - data: + customTemplateTimelineCount: + description: 
The amount of custom Timeline templates in the results + example: 2 + type: number + defaultTimelineCount: + description: The amount of `default` type Timelines in the results + example: 90 + type: number + elasticTemplateTimelineCount: + description: The amount of Elastic's Timeline templates in the results + example: 8 + type: number + favoriteCount: + description: The amount of favorited Timelines + example: 5 + type: number + templateTimelineCount: + description: The amount of Timeline templates in the results + example: 10 + type: number + timeline: items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' type: array - page: - minimum: 0 - type: integer - per_page: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer + totalCount: + description: The total amount of results + example: 100 + type: number required: - - data - - page - - per_page - - total - - cursor - description: Successful response + - timeline + - totalCount + description: Indicates a successful call. 
'400': content: application/json: examples: badRequest: + summary: Error response body value: - error: Bad Request, - message: '[request query]: list_id: Required' - statusCode: 400, - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET - /api/lists/items/_find?list_id=ip_list&page=1&per_page=20] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 + body: get timeline error + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value list items + type: object + properties: + body: + description: The error message. + example: get timeline error + type: string + statusCode: + example: 400 + type: number + description: Bad Request response. 
+ summary: Get Timelines or Timeline templates tags: - - Security Lists API - /api/lists/items/_import: - post: - description: > - Import value list items from a TXT or CSV file. The maximum file size is - 9 million bytes. - + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows: + delete: + description: |- + **Spaces method and path for this operation:** - You can import items to a new or existing list. - operationId: ImportListItems - parameters: - - description: | - List's id. +
delete /s/{space_id}/api/workflows
- Required when importing to an existing list. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: | - Type of the importing list. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Required when importing a new list whose list `id` is not specified. - examples: - ip: - value: ip - in: query - name: type - required: false + Delete multiple workflows by their IDs.

[Required authorization] Route required privileges: workflowsManagement:delete. + operationId: delete-workflows + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: '#/components/schemas/Security_Lists_API_ListType' - - description: >- - Determines when changes made by the request are made visible to - search. + example: 'true' + type: string + - description: When true, permanently deletes the workflows (hard delete) instead of soft-deleting them. The workflow IDs become available for reuse. in: query - name: refresh + name: force required: false schema: - enum: - - 'true' - - 'false' - - wait_for - example: true - type: string + default: false + type: boolean requestBody: content: - multipart/form-data: + application/json: examples: - ipLinesFile: + bulkDeleteWorkflowsRequestExample: + description: Example request for deleting multiple workflows value: - file: list_values.txt + ids: + - workflow-c3d4e5f6-a7b8-9012-cdef-234567890123 + - workflow-d4e5f6a7-b8c9-0123-defa-345678901234 schema: + additionalProperties: false type: object properties: - file: - description: >- - A `.txt` or `.csv` file containing newline separated list - items. - example: | - 127.0.0.1 - 127.0.0.2 - 127.0.0.3 - 127.0.0.4 - 127.0.0.5 - 127.0.0.6 - 127.0.0.7 - 127.0.0.8 - 127.0.0.9 - format: binary - type: string - required: true + ids: + description: Array of workflow IDs to delete. + items: + description: Workflow ID to delete. 
+ type: string + maxItems: 1000 + type: array + required: + - ids responses: '200': content: application/json: examples: - ip: - value: - _version: WzAsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ip - id: ip_list - immutable: false - name: Simple list with an ip - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T04:47:34.273Z - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - message: Either type or list_id need to be defined in the query - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/lists/items/_import?list_id=ip_list] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json: - examples: - notFound: - value: - message: >- - List with the specified 
list_id does not exist, create the - list or fix list_id to import to an existing one - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List with specified list_id does not exist response - '500': - content: - application/json: - examples: - serverError: + bulkDeleteWorkflowsResponseExample: + description: Example response after deleting multiple workflows value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Import value list items + deleted: 2 + failures: [] + total: 2 + description: Indicates a successful response + summary: Bulk delete workflows tags: - - Security Lists API - /api/lists/privileges: + - workflows + x-codeSamples: + - label: Soft delete (default) + lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/workflows" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] + }' + - label: Hard delete (permanent) + lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/workflows?force=true" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] + }' + - lang: Console + source: | + DELETE kbn://api/workflows + { + "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: > - Returns the caller's authentication state and the Elasticsearch - `cluster`, `index`, and `application` + description: |- + **Spaces method and path for 
this operation:** - privileges for `.lists` and `.items` data streams in the current Kibana - space. Use this to decide which list +
get /s/{space_id}/api/workflows
- APIs (`read` vs `all` operations) are available before you create or - import lists. - operationId: ReadListPrivileges + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a paginated list of workflows with optional filtering.

[Required authorization] Route required privileges: workflowsManagement:read OR workflowsManagement:readExecution. + operationId: get-workflows + parameters: + - description: Free-text search query. + in: query + name: query + required: false + schema: + type: string + - description: Number of results per page. + in: query + name: size + required: false + schema: + minimum: 1 + type: number + - description: Page number. + in: query + name: page + required: false + schema: + minimum: 1 + type: number + - description: Filter by enabled state. + in: query + name: enabled + required: false + schema: + items: + type: boolean + maxItems: 2 + type: array + - description: Filter by creator. + in: query + name: createdBy + required: false + schema: + items: + type: string + maxItems: 1000 + type: array + - description: Filter by tags. + in: query + name: tags + required: false + schema: + items: + type: string + maxItems: 1000 + type: array responses: '200': content: application/json: examples: - privileges: + getWorkflowsResponseExample: + description: Example response returning a paginated list of workflows value: - is_authenticated: true - listItems: - application: {} - cluster: - all: true - manage: true - manage_api_key: true - manage_index_templates: true - manage_ml: true - manage_own_api_key: true - manage_pipeline: true - manage_security: true - manage_transform: true - monitor: true - monitor_ml: true - monitor_transform: true - has_all_requested: true - index: - .items-default: - all: true - create: true - create_doc: true - create_index: true - delete: true - delete_index: true - index: true - maintenance: true - manage: true - monitor: true - read: true - view_index_metadata: true - write: true - username: elastic - lists: - application: {} - cluster: - all: true - manage: true - manage_api_key: true - manage_index_templates: true - manage_ml: true - manage_own_api_key: true - manage_pipeline: true - manage_security: true - manage_transform: true - monitor: 
true - monitor_ml: true - monitor_transform: true - has_all_requested: true - index: - .lists-default: - all: true - create: true - create_doc: true - create_index: true - delete: true - delete_index: true - index: true - maintenance: true - manage: true - monitor: true - read: true - view_index_metadata: true - write: true - username: elastic - schema: - type: object - properties: - is_authenticated: - type: boolean - listItems: - $ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges' - lists: - $ref: '#/components/schemas/Security_Lists_API_ListPrivileges' - required: - - lists - - listItems - - is_authenticated - description: Successful response - '400': + page: 1 + results: + - createdAt: '2025-11-20T10:30:00.000Z' + definition: + description: This is a workflow example + enabled: true + inputs: + - default: hello world + name: message + type: string + name: Example definition + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + description: This is a workflow example + enabled: true + history: + - duration: 5000 + finishedAt: '2025-11-20T12:00:05.000Z' + id: exec-001 + startedAt: '2025-11-20T12:00:00.000Z' + status: completed + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowName: Example definition + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + name: Example definition + tags: + - example + valid: true + size: 20 + total: 1 + description: Indicates a successful response + summary: Get workflows + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows?size=20&page=1" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows?size=20&page=1 + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create multiple workflows in a single request. Optionally overwrite existing workflows.

[Required authorization] Route required privileges: workflowsManagement:create AND workflowsManagement:update. + operationId: post-workflows + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Whether to overwrite existing workflows. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + examples: + bulkCreateWorkflowsRequestExample: + description: Example request for creating multiple workflows at once + value: + workflows: + - yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + yaml: | + name: Second workflow + enabled: false + description: Another workflow + triggers: + - type: manual + steps: + - name: log_step + type: console + with: + message: "Hello from second workflow" + schema: + additionalProperties: false + type: object + properties: + workflows: + items: + type: object + properties: + id: + maxLength: 255 + minLength: 3 + pattern: ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ + type: string + yaml: + maxLength: 1048576 + type: string + required: + - yaml + maxItems: 500 + type: array + required: + - workflows + responses: + '200': content: application/json: examples: - badRequest: + bulkCreateWorkflowsResponseExample: + description: Example response after creating multiple workflows value: - error: Bad Request - message: >- - Unable to resolve list privileges: invalid or missing - space context for this request - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: 
'#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + created: + - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + name: Example definition + - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + name: Second workflow + failures: [] + total: 2 + description: Indicates a successful response + summary: Bulk create workflows + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows?overwrite=false" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "workflows": [ + { "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" }, + { "id": "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901", "yaml": "name: Second workflow\nenabled: false\ndescription: Another workflow\ntriggers:\n - type: manual\nsteps:\n - name: log_step\n type: console\n with:\n message: \"Hello from second workflow\"\n" } + ] + }' + - lang: Console + source: | + POST kbn://api/workflows?overwrite=false + { + "workflows": [ + { "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" }, + { "id": "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901", "yaml": "name: Second workflow\nenabled: false\ndescription: Another workflow\ntriggers:\n - type: manual\nsteps:\n - name: log_step\n type: console\n with:\n message: \"Hello from second workflow\"\n" } + ] + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + 
/api/workflows/aggs: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/aggs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve distinct values and their counts for the specified workflow fields. Useful for building filters such as lists of tags or creators.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: get-workflows-aggs + parameters: + - description: Field or fields to aggregate on. + in: query + name: fields + required: true + schema: + description: Fields to aggregate on. + items: + description: Field name to aggregate. + type: string + maxItems: 25 + type: array + responses: + '200': content: application/json: examples: - unauthorized: + getAggsResponseExample: + description: Example response with tag and createdBy aggregations value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + createdBy: + - doc_count: 2 + key: elastic + tags: + - doc_count: 1 + key: reporting + - doc_count: 1 + key: security + - doc_count: 1 + key: triage + description: Indicates a successful response + summary: Get workflow aggregations + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/aggs?fields=tags&fields=createdBy" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/aggs?fields=tags&fields=createdBy + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/connectors: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/connectors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve the Kibana action connectors that can be used in workflow steps, grouped by connector type. Each type includes its configured instances and availability status.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: get-workflows-connectors + parameters: [] + responses: + '200': content: application/json: examples: - forbidden: + getConnectorsResponseExample: + description: Example response with available connector types and their instances value: - error: Forbidden - message: >- - API [GET /api/lists/privileges] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': + connectorTypes: + .email: + actionTypeId: .email + displayName: Email + enabled: true + enabledInConfig: true + enabledInLicense: true + instances: [] + minimumLicenseRequired: gold + subActions: + - displayName: Send + name: send + .slack_api: + actionTypeId: .slack_api + displayName: Slack + enabled: true + enabledInConfig: true + enabledInLicense: true + instances: + - id: slack-connector-1 + isDeprecated: false + isPreconfigured: false + name: Team Notifications + minimumLicenseRequired: gold + subActions: + - displayName: Post Message + name: postMessage + totalConnectors: 1 + description: Indicates a successful response + summary: Get available connectors + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/connectors" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/connectors + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/executions/{executionId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/executions/{executionId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve details of a single workflow execution by its ID.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-executions-executionid + parameters: + - description: Workflow execution ID + in: path + name: executionId + required: true + schema: + type: string + - description: Include execution input data. + in: query + name: includeInput + required: false + schema: + default: false + type: boolean + - description: Include execution output data. + in: query + name: includeOutput + required: false + schema: + default: false + type: boolean + responses: + '200': content: application/json: examples: - serverError: + getExecutionResponseExample: + description: Example response returning a workflow execution with step details value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value list privileges + duration: 3000 + executedBy: elastic + finishedAt: '2025-11-20T12:00:03.000Z' + id: exec-a1b2c3d4-e5f6-7890 + input: + message: hello world + isTestRun: false + output: hello world + spaceId: default + startedAt: '2025-11-20T12:00:00.000Z' + status: completed + stepExecutions: + - executionTimeMs: 1000 + finishedAt: '2025-11-20T12:00:02.000Z' + globalExecutionIndex: 0 + id: step-exec-001 + isTestRun: false + scopeStack: [] + spaceId: default + startedAt: '2025-11-20T12:00:01.000Z' + status: completed + stepExecutionIndex: 0 + stepId: hello_world_step + stepType: console + topologicalIndex: 0 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowRunId: exec-a1b2c3d4-e5f6-7890 + triggeredBy: manual + workflowDefinition: + description: This is a workflow example + enabled: true + inputs: + - default: hello world + name: message + type: string + name: Example definition + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + workflowId: 
workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + description: Indicates a successful response + summary: Get a workflow execution tags: - - Security Lists API - /api/ml/saved_objects/sync: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}?includeInput=true&includeOutput=true" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/executions/{executionId}?includeInput=true&includeOutput=true + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/executions/{executionId}/cancel: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/executions/{executionId}/cancel
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Cancel a running workflow execution by its ID.

[Required authorization] Route required privileges: workflowsManagement:cancelExecution. + operationId: post-workflows-executions-executionid-cancel + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow execution ID + in: path + name: executionId + required: true + schema: + type: string + responses: + '200': + description: Indicates a successful response + summary: Cancel a workflow execution + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/executions/{executionId}/cancel" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + POST kbn://api/workflows/executions/{executionId}/cancel + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/executions/{executionId}/children: get: - description: > - Synchronizes Kibana saved objects for machine learning jobs and trained - models in the default space. You must have `all` privileges for the - **Machine Learning** feature in the **Analytics** section of the Kibana - feature privileges. This API runs automatically when you start Kibana - and periodically thereafter. - operationId: mlSync + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/executions/{executionId}/children
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve child workflow executions spawned by sub-workflow steps within a parent execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-executions-executionid-children parameters: - - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' + - description: Workflow execution ID + in: path + name: executionId + required: true + schema: + type: string responses: '200': content: application/json: examples: - syncExample: - $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' - schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' - description: Indicates a successful call - '401': + getChildrenExecutionsResponseExample: + description: Example response returning child workflow executions spawned by sub-workflow steps + value: + - executionId: child-exec-001 + parentStepExecutionId: step-exec-003 + status: completed + stepExecutions: + - executionTimeMs: 1000 + finishedAt: '2025-11-20T12:00:07.000Z' + globalExecutionIndex: 0 + id: child-step-001 + isTestRun: false + scopeStack: [] + startedAt: '2025-11-20T12:00:06.000Z' + status: completed + stepExecutionIndex: 0 + stepId: hello_world_step + stepType: console + topologicalIndex: 0 + workflowId: workflow-e5f6a7b8-c9d0-1234-efab-456789012345 + workflowRunId: child-exec-001 + workflowId: workflow-e5f6a7b8-c9d0-1234-efab-456789012345 + workflowName: Child Workflow + description: Indicates a successful response + summary: Get child executions + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/children" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/executions/{executionId}/children + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/executions/{executionId}/logs: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/executions/{executionId}/logs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve paginated logs for a workflow execution. Optionally filter by a specific step execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-executions-executionid-logs + parameters: + - description: Workflow execution ID + in: path + name: executionId + required: true + schema: + type: string + - description: Filter logs by a specific step execution ID. + in: query + name: stepExecutionId + required: false + schema: + type: string + - description: Number of log entries per page. + in: query + name: size + required: false + schema: + default: 100 + maximum: 100 + minimum: 1 + type: number + - description: Page number. + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: number + - description: Field to sort by. + in: query + name: sortField + required: false + schema: + type: string + - description: Sort order. + in: query + name: sortOrder + required: false + schema: + enum: + - asc + - desc + type: string + responses: + '200': content: application/json: examples: - syncExample: - $ref: '#/components/examples/Machine_learning_APIs_mlSync401Example' - schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' - description: Authorization information is missing or invalid. 
- summary: Sync saved objects in the default space + getExecutionLogsResponseExample: + description: Example response returning paginated execution logs + value: + logs: + - additionalData: + executionId: exec-a1b2c3d4-e5f6-7890 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + connectorType: console + duration: 150 + id: log-001 + level: info + message: Workflow execution started + stepId: hello_world_step + stepName: Hello World + timestamp: '2025-11-20T12:00:01.000Z' + - additionalData: + executionId: exec-a1b2c3d4-e5f6-7890 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + connectorType: console + duration: 200 + id: log-002 + level: info + message: Step completed successfully + stepId: hello_world_step + stepName: Hello World + timestamp: '2025-11-20T12:00:02.000Z' + page: 1 + size: 100 + total: 2 + description: Indicates a successful response + summary: Get execution logs tags: - - ml - /api/ml/saved_objects/update_jobs_spaces: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/logs?size=100&page=1" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/executions/{executionId}/logs?size=100&page=1 + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/executions/{executionId}/resume: post: - description: Update a list of jobs to add and/or remove them from given spaces. - operationId: mlUpdateJobsSpaces + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/executions/{executionId}/resume
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Resume a paused workflow execution with the provided input.

[Required authorization] Route required privileges: workflowsManagement:execute. + operationId: post-workflows-executions-executionid-resume + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow execution ID + in: path + name: executionId + required: true + schema: + type: string requestBody: content: application/json: examples: - updateADJobSpacesRequest: - value: - jobIds: - - test-job - jobType: anomaly-detector - spacesToAdd: - - default - spacesToRemove: - - '*' - updateDFAJobSpacesRequest: + resumeExecutionRequestExample: + description: Example request to resume a paused workflow execution value: - jobIds: - - test-job - jobType: data-frame-analytics - spacesToAdd: - - default - spacesToRemove: - - '*' + input: + approved: true + comment: Approved by analyst + schema: + additionalProperties: false + type: object + properties: + input: + additionalProperties: + nullable: true + description: Input data to resume the execution with. 
+ type: object + required: + - input responses: '200': content: application/json: examples: - successADResponse: + resumeExecutionResponseExample: + description: Example response confirming the resume was scheduled value: - test-job: - success: true - type: anomaly-detector - successDFAResponse: + executionId: exec-a1b2c3d4-e5f6-7890 + message: Workflow resume scheduled + success: true + description: Indicates a successful response + summary: Resume a workflow execution + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/executions/{executionId}/resume" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "input": { + "approved": true, + "comment": "Approved by analyst" + } + }' + - lang: Console + source: | + POST kbn://api/workflows/executions/{executionId}/resume + { + "input": { + "approved": true, + "comment": "Approved by analyst" + } + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/executions/{executionId}/step/{stepExecutionId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/executions/{executionId}/step/{stepExecutionId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve details of a single step execution within a workflow execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-executions-executionid-step-stepexecutionid + parameters: + - description: Workflow execution ID. + in: path + name: executionId + required: true + schema: + type: string + - description: Step execution ID. + in: path + name: stepExecutionId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getStepExecutionResponseExample: + description: Example response returning a single step execution value: - test-job: - success: true - type: data-frame-analytics - description: Indicates a successful call - summary: Update jobs spaces + error: null + executionTimeMs: 1000 + finishedAt: '2025-11-20T12:00:02.000Z' + globalExecutionIndex: 0 + id: step-exec-001 + input: + message: hello world + isTestRun: false + output: hello world + scopeStack: [] + spaceId: default + startedAt: '2025-11-20T12:00:01.000Z' + state: null + status: completed + stepExecutionIndex: 0 + stepId: hello_world_step + stepType: console + topologicalIndex: 0 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowRunId: exec-a1b2c3d4-e5f6-7890 + description: Indicates a successful response + summary: Get a step execution tags: - - ml - /api/ml/saved_objects/update_trained_models_spaces: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/step/{stepExecutionId}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/executions/{executionId}/step/{stepExecutionId} + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/export: post: - description: >- - Update a list of trained models to add and/or remove them from given - spaces. 
- operationId: mlUpdateTrainedModelsSpaces + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export one or more workflows as JSON with YAML content and metadata.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: post-workflows-export + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - updateTrainedModelsSpacesRequest: + exportWorkflowsRequestExample: + description: Example request to export workflows value: - modelIds: - - test-model - spacesToAdd: - - default - spacesToRemove: - - '*' + ids: + - workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + - workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + schema: + additionalProperties: false + type: object + properties: + ids: + description: Array of workflow IDs to export. + items: + description: Workflow ID to export. + maxLength: 255 + type: string + maxItems: 500 + minItems: 1 + type: array + required: + - ids responses: '200': content: application/json: examples: - successTMResponse: + exportWorkflowsResponseExample: + description: Workflow entries with YAML content and export manifest value: - test-model: - success: true - type: trained-model" - description: Indicates a successful call - summary: Update trained models spaces + entries: + - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + yaml: |- + name: My Workflow + steps: + - type: http.request + with: + url: https://example.com + - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + yaml: |- + name: Another Workflow + steps: + - type: http.request + with: + url: https://example.com + manifest: + exportedAt: '2026-03-26T12:00:00.000Z' + exportedCount: 2 + version: '1' + description: JSON containing exported workflow YAML entries and manifest metadata + summary: Export workflows tags: - - ml - /api/note: - delete: - description: > - Deletes notes by saved object ID. Send either `noteId` (single ID) or - `noteIds` (array of IDs) in the JSON body. 
- + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/export" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"] + }' + - lang: Console + source: | + POST kbn://api/workflows/export + { + "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"] + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/mget: + post: + description: |- + **Spaces method and path for this operation:** - The response has HTTP 200 with an empty body on success. +
post /s/{space_id}/api/workflows/mget
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Requires the **Timeline and Notes** write privilege (`notes_write`). - operationId: DeleteNote + Retrieve multiple workflows by their IDs in a single request. Optionally use the `source` parameter to return only specific fields from each workflow document.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: post-workflows-mget + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - deleteOne: - summary: Delete a single note by id + mgetWorkflowsRequestExample: + description: Example request to retrieve multiple workflows by their IDs value: - noteId: 709f99c6-89b6-4953-9160-35945c8e174e + ids: + - workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + - workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + source: + - name + - enabled schema: - oneOf: - - nullable: true - type: object - properties: - noteId: - description: Saved object ID of the note to delete. - type: string - required: - - noteId - - nullable: true - type: object - properties: - noteIds: - description: Saved object IDs of the notes to delete. - items: - type: string - nullable: true - type: array - required: - - noteIds - description: > - Exactly one shape: `{ "noteId": "" }` for a single delete, or `{ - "noteIds": ["", ...] }` for bulk delete. - - `noteIds` may be null in some clients; prefer an empty array or omit - unused fields when possible. - required: true + additionalProperties: false + type: object + properties: + ids: + description: Array of workflow IDs to look up. + items: + description: Workflow ID. + maxLength: 255 + type: string + maxItems: 500 + minItems: 1 + type: array + source: + description: Array of source fields to include. + items: + description: Source field. + maxLength: 255 + type: string + maxItems: 10 + minItems: 1 + type: array + required: + - ids responses: '200': - description: The notes were deleted successfully. Response body is empty. 
- summary: Delete one or more notes + content: + application/json: + examples: + mgetWorkflowsResponseExample: + description: Example response returning the requested workflows with projected fields + value: + - enabled: true + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + name: Example definition + - enabled: false + id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + name: Second workflow + description: Indicates a successful response + summary: Get workflows by IDs tags: - - Security Timeline API - - access:securitySolution + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/mget" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"], + "source": ["name", "enabled"] + }' + - lang: Console + source: | + POST kbn://api/workflows/mget + { + "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"], + "source": ["name", "enabled"] + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/schema: get: - description: > - Returns Security Timeline notes as saved objects. - + description: |- + **Spaces method and path for this operation:** - **Query modes (mutually exclusive branches on the server):** +
get /s/{space_id}/api/workflows/schema
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - 1. **`documentIds` is set** — Returns notes whose `eventId` matches the - given Elasticsearch document `_id` (single string or array). Pagination - query parameters (`page`, `perPage`, etc.) are **not** applied; the - server uses a fixed page size (up to 10000 notes). + Retrieve the JSON schema used to validate workflow YAML definitions. The schema includes available step types based on the configured connectors in the current space.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: get-workflows-schema + parameters: + - description: When true, returns a permissive schema that allows additional properties. When false, returns a strict schema for full validation. + in: query + name: loose + required: true + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + getSchemaResponseExample: + description: Example response returning the workflow JSON schema (truncated) + value: + $schema: http://json-schema.org/draft-07/schema# + type: object + properties: + description: + type: string + enabled: + default: true + type: boolean + name: + minLength: 1 + type: string + tags: + items: + type: string + type: array + version: + const: '1' + default: '1' + description: The version of the workflow schema + type: string + required: + - name + - triggers + - steps + description: Indicates a successful response + summary: Get workflow JSON schema + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/schema?loose=false" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/schema?loose=false + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/stats: + get: + description: |- + **Spaces method and path for this operation:** +
get /s/{space_id}/api/workflows/stats
- 2. **`savedObjectIds` is set** — Returns notes linked to the given - Timeline saved object id(s). Same fixed cap as above; list-mode query - parameters are **not** applied. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + Retrieve summary statistics about workflows, including total, enabled, and disabled counts; execution history metrics for the last 30 days are included only when the caller has execution read privilege.

[Required authorization] Route required privileges: workflowsManagement:read OR workflowsManagement:readExecution. + operationId: get-workflows-stats + parameters: [] + responses: + '200': + content: + application/json: + examples: + getStatsResponseExample: + description: Example response with workflow counts and 30-day execution history + value: + executions: + - cancelled: 1 + completed: 45 + date: '2025-11-20' + failed: 2 + timestamp: '2025-11-20T00:00:00.000Z' + - cancelled: 0 + completed: 50 + date: '2025-11-21' + failed: 0 + timestamp: '2025-11-21T00:00:00.000Z' + workflows: + disabled: 3 + enabled: 12 + description: Indicates a successful response + summary: Get workflow statistics + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/stats" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/stats + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/step/test: + post: + description: |- + **Spaces method and path for this operation:** - 3. **Neither `documentIds` nor `savedObjectIds`** — Lists notes using - saved-objects find semantics: `page` (default 1), `perPage` (default - 10), optional `search`, `sortField`, `sortOrder`, `filter`, - `createdByFilter`, and `associatedFilter`. +
post /s/{space_id}/api/workflows/step/test
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Requires the **Timeline and Notes** read privilege (`notes_read`). - operationId: GetNotes + Execute a single step from a workflow definition in test mode.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read. + operationId: post-workflows-step-test parameters: - - description: > - Event document `_id` values to match against each note's `eventId`. - When this parameter is present, the response is all matching notes - (up to the server's hard limit), not a paged list using - `page`/`perPage`. - examples: - multiple: - summary: Multiple document ids (array) - value: - - id-one - - id-two - single: - summary: Single document id - value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b - in: query - name: documentIds - schema: - $ref: '#/components/schemas/Security_Timeline_API_DocumentIds' - - description: > - Timeline `savedObjectId` value(s). Returns notes that reference - those timelines. When present, list-mode pagination parameters are - not used; up to the server's hard limit of notes may be returned. - examples: - singleTimeline: - summary: Single timeline id - value: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - in: query - name: savedObjectIds - schema: - $ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds' - - description: > - Page number for list mode (when `documentIds` and `savedObjectIds` - are omitted). Passed as a string; default 1. - example: '1' - in: query - name: page - schema: - nullable: true - type: string - - description: > - Page size for list mode (when `documentIds` and `savedObjectIds` are - omitted). Passed as a string; default 10. - example: '20' - in: query - name: perPage - schema: - nullable: true - type: string - - description: Search string for saved-objects find (list mode only). - in: query - name: search - schema: - nullable: true - type: string - - description: Field to sort by for saved-objects find (list mode only). - in: query - name: sortField - schema: - nullable: true - type: string - - description: >- - Sort order (`asc` or `desc`) for saved-objects find (list mode - only). 
- example: desc - in: query - name: sortOrder - schema: - nullable: true - type: string - - description: > - Kuery filter string combined with other list-mode filters (for - example `createdByFilter` or `associatedFilter`). Typed as a string - for API compatibility; interpreted by the saved-objects layer (list - mode only). - in: query - name: filter - schema: - nullable: true - type: string - - description: > - Kibana user profile **UID** (UUID). The server resolves the user's - display identifiers and returns notes whose `createdBy` matches any - of them (list mode only). - example: f1c2d3e4-5b6a-7890-abcd-ef1234567890 - in: query - name: createdByFilter + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - nullable: true + example: 'true' type: string - - description: > - Restricts notes by how they relate to a Timeline and/or an event - document (list mode only). Some values apply extra filtering after - the query. Ignored when `documentIds` or `savedObjectIds` is used. - in: query - name: associatedFilter - schema: - $ref: '#/components/schemas/Security_Timeline_API_AssociatedFilterType' + requestBody: + content: + application/json: + examples: + testStepRequestExample: + description: Example request to test a single workflow step + value: + contextOverride: + inputs: + message: override message + stepId: hello_world_step + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowYaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + schema: + additionalProperties: false + type: object + properties: + contextOverride: + additionalProperties: + nullable: true + description: Context overrides for the step execution. 
+ type: object + executionContext: + additionalProperties: + nullable: true + description: Execution context for the step execution. + type: object + stepId: + description: ID of the step to test. + type: string + workflowId: + description: ID of the workflow containing the step. + type: string + workflowYaml: + description: YAML definition of the workflow containing the step. + type: string + required: + - stepId + - contextOverride + - workflowYaml responses: '200': content: application/json: examples: - notesPage: - summary: Paged notes for a timeline + testStepResponseExample: + description: Example response returning the step test execution ID value: - notes: - - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - note: Escalated to tier-2 analyst - noteId: 709f99c6-89b6-4953-9160-35945c8e174e - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzQ2LDFd - totalCount: 1 - schema: - $ref: '#/components/schemas/Security_Timeline_API_GetNotesResult' - description: Notes and total count for the requested mode. - summary: Get notes + workflowExecutionId: step-test-exec-a1b2c3d4 + description: Indicates a successful response + summary: Test a workflow step tags: - - Security Timeline API - - access:securitySolution - patch: - description: > - Creates a new note or updates an existing one. - - - **Create:** Send `note` and omit `noteId` to create a new saved object. 
- + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/step/test" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "stepId": "hello_world_step", + "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "workflowYaml": "name: Example definition\nenabled: true\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"", + "contextOverride": { "inputs": { "message": "override message" } } + }' + - lang: Console + source: | + POST kbn://api/workflows/step/test + { + "stepId": "hello_world_step", + "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "workflowYaml": "name: Example definition\nenabled: true\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"", + "contextOverride": { "inputs": { "message": "override message" } } + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/test: + post: + description: |- + **Spaces method and path for this operation:** - **Update:** Send `note` with the changed fields and set `noteId` to the - note's saved object ID. Optionally include `version` for optimistic - concurrency when the client has it from a prior read. +
post /s/{space_id}/api/workflows/test
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Requires the **Timeline and Notes** write privilege (`notes_write`). - externalDocs: - description: Add or update a note on a Timeline - url: >- - https://www.elastic.co/guide/en/security/current/timeline-api-update.html - operationId: PersistNoteRoute + Execute a workflow in test mode without requiring it to be saved or enabled. Provide either a workflow ID to test a saved workflow, a YAML definition to test an unsaved draft, or both to test a modified version of an existing workflow.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read. + operationId: post-workflows-test + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - addNote: - summary: Add a note on an event + testWorkflowByIdRequestExample: + description: Example request to test a saved workflow by its ID value: - note: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - note: Escalated to tier-2 analyst - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + inputs: + message: test message + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + testWorkflowByYamlRequestExample: + description: Example request to test an unsaved workflow YAML draft + value: + inputs: + message: test message + workflowYaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" schema: + additionalProperties: false type: object properties: - note: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - description: >- - Note payload (timeline, text, optional event linkage, - metadata). - noteId: - description: >- - The `savedObjectId` of the note to update. Omit when - creating a new note. - example: 709f99c6-89b6-4953-9160-35945c8e174e - nullable: true + inputs: + additionalProperties: + nullable: true + description: Key-value inputs for the test execution. + type: object + workflowId: + description: ID of an existing workflow to test. type: string - version: - description: >- - Saved object version string from a previous read; optional - on update. - example: WzQ2LDFd - nullable: true + workflowYaml: + description: YAML definition to test. 
type: string required: - - note - description: > - Body must include the `note` object. For updates, include `noteId` - (and optionally `version`). - - To attach a note to a specific event, set `note.eventId` to that - event's document `_id`; for a timeline-wide note, omit or clear - `eventId` per product rules. - required: true + - inputs responses: '200': content: application/json: examples: - persisted: - summary: Persisted note wrapper + testWorkflowResponseExample: + description: Example response returning the test execution ID value: - note: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - note: Escalated to tier-2 analyst - noteId: 709f99c6-89b6-4953-9160-35945c8e174e - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzQ2LDFd - schema: - $ref: '#/components/schemas/Security_Timeline_API_ResponseNote' - description: The persisted note, including `noteId` and `version`. - summary: Add or update a note + workflowExecutionId: test-exec-a1b2c3d4-e5f6 + description: Indicates a successful response + summary: Test a workflow tags: - - Security Timeline API - - access:securitySolution - /api/observability_ai_assistant/chat/complete: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/test" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "inputs": { "message": "test message" } + }' + - lang: Console + source: | + POST kbn://api/workflows/test + { + "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "inputs": { "message": "test message" } + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/workflow: post: - description: > - Create a new chat completion by using the Observability AI Assistant. 
- - - The API returns the model's response based on the current conversation - context. + description: |- + **Spaces method and path for this operation:** +
post /s/{space_id}/api/workflows/workflow
- It also handles any tool requests within the conversation, which may - trigger multiple calls to the underlying large language model (LLM). + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - operationId: observability-ai-assistant-chat-complete + Create a new workflow from a YAML definition. The YAML is validated and parsed before the workflow is saved. An optional custom ID can be provided.

[Required authorization] Route required privileges: workflowsManagement:create. + operationId: post-workflows-workflow + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - chatCompleteRequestExample: - $ref: >- - #/components/examples/Observability_AI_Assistant_API_ChatCompleteRequestExample + createWorkflowRequestExample: + description: Example request for creating a workflow from a YAML definition + value: + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + createWorkflowWithIdRequestExample: + description: Example request for creating a workflow with a custom ID + value: + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" schema: + additionalProperties: false type: object properties: - actions: - items: - $ref: >- - #/components/schemas/Observability_AI_Assistant_API_Function - type: array - connectorId: - description: A unique identifier for the connector. - type: string - conversationId: - description: >- - A unique identifier for the conversation if you are - continuing an existing conversation. + id: + maxLength: 255 + minLength: 3 + pattern: ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ type: string - disableFunctions: - description: >- - Flag indicating whether all function calls should be - disabled for the conversation. If true, no calls to - functions will be made. 
- type: boolean - instructions: - description: >- - An array of instruction objects, which can be either simple - strings or detailed objects. - items: - $ref: >- - #/components/schemas/Observability_AI_Assistant_API_Instruction - type: array - messages: - description: >- - An array of message objects containing the conversation - history. - items: - $ref: >- - #/components/schemas/Observability_AI_Assistant_API_Message - type: array - persist: - description: >- - Indicates whether the conversation should be saved to - storage. If true, the conversation will be saved and will be - available in Kibana. - type: boolean - title: - description: A title for the conversation. + yaml: + maxLength: 1048576 type: string required: - - messages - - connectorId - - persist + - yaml responses: '200': content: application/json: examples: - chatCompleteResponseExample: - $ref: >- - #/components/examples/Observability_AI_Assistant_API_ChatCompleteResponseExample - schema: - type: object - description: Successful response - summary: Generate a chat completion + createWorkflowResponseExample: + description: Example response returning the created workflow + value: + createdAt: '2025-11-20T10:30:00.000Z' + createdBy: elastic + definition: + description: This is a workflow example + enabled: true + inputs: + - default: hello world + name: message + type: string + name: Example definition + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + description: This is a workflow example + enabled: true + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + lastUpdatedAt: '2025-11-20T10:30:00.000Z' + lastUpdatedBy: elastic + name: Example definition + valid: true + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ 
inputs.message }}" + description: Indicates a successful response + summary: Create a workflow tags: - - observability_ai_assistant + - workflows x-codeSamples: - - lang: cURL - source: > - curl --request POST - 'localhost:5601/api/observability_ai_assistant/chat/complete' -u - : -H 'kbn-xsrf: true' -H "Content-Type: - application/json" --data ' - + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/workflow" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" + }' + - lang: Console + source: | + POST kbn://api/workflows/workflow { + "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/workflow/{id}: + delete: + description: |- + **Spaces method and path for this operation:** - "connectorId": "", - - "disableFunctions": false, - "messages": [ - { - "@timestamp": "2025-06-25T23:45:00.000Z", - "message": { - "role": "user", - "content": "Is my Elasticsearch cluster healthy right now?" - } - } - ], - "persist": false, - - "actions": [ - { - "name": "get_cluster_health", - "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", - "parameters": { - "type": "object", - "properties": { - "includeShardStats": { - "type": "boolean", - "default": false - } - } - } - } - ], +
delete /s/{space_id}/api/workflows/workflow/{id}
- "instructions": ["When the user asks about Elasticsearch cluster - health, use the get_cluster_health tool to retrieve cluster health, - then summarize the response in plain English."] + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - }' - x-state: Technical Preview - /api/osquery/history: - get: - description: > - Get a unified, time-sorted history of live, rule-triggered, and - scheduled osquery executions. The response uses cursor-based pagination. - operationId: OsqueryGetUnifiedHistory + Delete a single workflow by its ID.

[Required authorization] Route required privileges: workflowsManagement:delete. + operationId: delete-workflows-workflow-id parameters: - - description: The number of results to return per page. - in: query - name: pageSize - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - default: 20 - description: The number of results to return per page. - maximum: 100 - minimum: 1 - type: integer - - description: >- - A base64-encoded cursor for pagination. Use the value from the - previous response to fetch the next page. - in: query - name: nextPage - required: false + example: 'true' + type: string + - description: Workflow ID + in: path + name: id + required: true schema: - description: >- - A base64-encoded cursor for pagination. Use the value from the - previous response to fetch the next page. type: string - - description: >- - A search string to filter history entries by pack name, query text, - or query ID. + - description: When true, permanently deletes the workflow (hard delete) instead of soft-deleting it. The workflow ID becomes available for reuse. in: query - name: kuery + name: force required: false schema: - description: >- - A search string to filter history entries by pack name, query - text, or query ID. 
+ default: false + type: boolean + responses: + '200': + description: Indicates a successful response + summary: Delete a workflow + tags: + - workflows + x-codeSamples: + - label: Soft delete (default) + lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/workflows/workflow/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - label: Hard delete (permanent) + lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/workflows/workflow/{id}?force=true" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/workflows/workflow/{id} + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/workflow/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a single workflow by its ID.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: get-workflows-workflow-id + parameters: + - description: Workflow ID + in: path + name: id + required: true + schema: type: string - - description: Comma-separated list of user IDs to filter live query history. - in: query - name: userIds - required: false + responses: + '200': + content: + application/json: + examples: + getWorkflowResponseExample: + description: Example response returning a single workflow + value: + createdAt: '2025-11-20T10:30:00.000Z' + createdBy: elastic + definition: + description: This is a workflow example + enabled: true + inputs: + - default: hello world + name: message + type: string + name: Example definition + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + description: This is a workflow example + enabled: true + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + lastUpdatedAt: '2025-11-21T14:00:00.000Z' + lastUpdatedBy: elastic + name: Example definition + valid: true + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + description: Indicates a successful response + summary: Get a workflow + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/workflow/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/workflow/{id} + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/workflows/workflow/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Partially update an existing workflow. You can update individual fields such as name, description, enabled state, tags, or the YAML definition without providing all fields.

[Required authorization] Route required privileges: workflowsManagement:update. + operationId: put-workflows-workflow-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - description: Comma-separated list of user IDs to filter live query history. - example: elastic,admin + example: 'true' type: string - - description: >- - Comma-separated list of source types to include. Valid values are - `live`, `rule`, and `scheduled`. - in: query - name: sourceFilters - required: false + - description: Workflow ID + in: path + name: id + required: true schema: - description: >- - Comma-separated list of source types to include. Valid values are - `live`, `rule`, and `scheduled`. - example: live,scheduled type: string - - description: The start of the time range filter (ISO 8601). - in: query - name: startDate - required: false + requestBody: + content: + application/json: + examples: + updateWorkflowEnableExample: + description: Example request to enable a workflow and update its tags + value: + enabled: true + tags: + - production + updateWorkflowFullExample: + description: Example request to update multiple workflow fields + value: + description: Updated workflow description + enabled: true + name: Updated example + tags: + - example + - updated + yaml: | + name: Updated example + enabled: true + description: Updated workflow description + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + schema: + additionalProperties: false + type: object + properties: + description: + type: string + enabled: + type: boolean + name: + type: string + tags: + items: + type: string + type: array + yaml: + type: string + responses: + '200': + content: + application/json: + examples: + updateWorkflowResponseExample: + description: Example response returning the updated 
workflow + value: + enabled: false + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + lastUpdatedAt: '2026-03-23T13:38:59.568Z' + lastUpdatedBy: elastic + valid: true + validationErrors: [] + description: Indicates a successful response + summary: Update a workflow + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "${KIBANA_URL}/api/workflows/workflow/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "enabled": true, + "tags": ["production"] + }' + - lang: Console + source: | + PUT kbn://api/workflows/workflow/{id} + { + "enabled": true, + "tags": ["production"] + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/workflow/{id}/clone: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/workflow/{id}/clone
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a copy of an existing workflow.

[Required authorization] Route required privileges: workflowsManagement:create AND workflowsManagement:read. + operationId: post-workflows-workflow-id-clone + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - description: The start of the time range filter (ISO 8601). - example: '2024-01-01T00:00:00Z' + example: 'true' type: string - - description: The end of the time range filter (ISO 8601). - in: query - name: endDate - required: false + - description: Workflow ID + in: path + name: id + required: true schema: - description: The end of the time range filter (ISO 8601). - example: '2024-12-31T23:59:59Z' type: string responses: '200': content: application/json: examples: - unifiedHistoryExample: - summary: Example unified history response + cloneWorkflowResponseExample: + description: Example response returning the cloned workflow with a new ID value: - data: - - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agentCount: 5 - errorCount: 0 - id: 3c42c847-eb30-4452-80e0-728584042334 - queryName: uptime_query - queryText: select * from uptime; - source: Live - sourceType: live - successCount: 5 - timestamp: '2024-07-26T09:59:32.220Z' - totalRows: 42 - userId: elastic - - agentCount: 10 - errorCount: 1 - executionCount: 3 - id: pack_my_pack_uptime_3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - plannedTime: '2024-07-26T09:00:00.000Z' - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - source: Scheduled - sourceType: scheduled - successCount: 9 - timestamp: '2024-07-26T09:00:00.000Z' - totalRows: 100 - hasMore: true - nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_GetUnifiedHistoryResponse - description: Indicates a successful call. 
- summary: Get unified query history + createdAt: '2025-11-22T11:00:00.000Z' + createdBy: elastic + definition: + description: This is a workflow example + enabled: false + inputs: + - default: hello world + name: message + type: string + name: Example definition (copy) + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + description: This is a workflow example + enabled: false + id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + lastUpdatedAt: '2025-11-22T11:00:00.000Z' + lastUpdatedBy: elastic + name: Example definition (copy) + valid: true + yaml: | + name: Example definition (copy) + enabled: false + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + description: Indicates a successful response + summary: Clone a workflow tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/osquery/live_queries: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/workflow/{id}/clone" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + POST kbn://api/workflows/workflow/{id}/clone + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/workflow/{id}/run: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/workflow/{id}/run
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Execute a workflow by its ID with the provided inputs. The workflow must be enabled and have a valid definition. Returns an execution ID that can be used to monitor progress.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read. + operationId: post-workflows-workflow-id-run + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow ID + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + runWorkflowRequestExample: + description: Example request to execute a workflow with inputs + value: + inputs: + message: hello from the API + schema: + additionalProperties: false + type: object + properties: + inputs: + additionalProperties: + nullable: true + description: Key-value inputs for the workflow execution. + type: object + metadata: + additionalProperties: + nullable: true + description: Optional metadata for the execution. + type: object + required: + - inputs + responses: + '200': + content: + application/json: + examples: + runWorkflowResponseExample: + description: Example response returning the execution ID + value: + workflowExecutionId: exec-a1b2c3d4-e5f6-7890 + description: Indicates a successful response + summary: Run a workflow + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/workflow/{id}/run" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "inputs": { + "message": "hello from the API" + } + }' + - lang: Console + source: | + POST kbn://api/workflows/workflow/{id}/run + { + "inputs": { + "message": "hello from the API" + } + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/workflow/{workflowId}/executions: get: - description: Get a list of all live queries. 
- operationId: OsqueryFindLiveQueries + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/workflow/{workflowId}/executions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a paginated list of executions for a specific workflow.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-workflow-workflowid-executions parameters: - - description: A KQL search string to filter live queries. + - description: Workflow ID + in: path + name: workflowId + required: true + schema: + type: string + - description: Filter by execution status. in: query - name: kuery + name: statuses required: false schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. + items: + enum: + - pending + - waiting + - waiting_for_input + - running + - completed + - failed + - cancelled + - timed_out + - skipped + type: string + maxItems: 9 + type: array + - description: Filter by execution type. in: query - name: page + name: executionTypes required: false schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. + items: + enum: + - test + - production + type: string + maxItems: 2 + type: array + - description: Filter by the user who triggered the execution. in: query - name: pageSize + name: executedBy required: false schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. + items: + type: string + maxItems: 100 + type: array + - description: Whether to exclude step-level execution data. in: query - name: sort + name: omitStepRuns required: false schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. + type: boolean + - description: Page number. in: query - name: sortOrder + name: page required: false schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + minimum: 1 + type: number + - description: Number of results per page. 
+ in: query + name: size + required: false + schema: + maximum: 100 + minimum: 1 + type: number responses: '200': content: application/json: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindLiveQueryResponse - description: Indicates a successful call. - summary: Get live queries + examples: + getWorkflowExecutionsResponseExample: + description: Example response returning a paginated list of executions for a workflow + value: + page: 1 + results: + - duration: 3000 + error: null + executedBy: elastic + finishedAt: '2025-11-20T12:00:03.000Z' + id: exec-001 + isTestRun: false + spaceId: default + startedAt: '2025-11-20T12:00:00.000Z' + status: completed + triggeredBy: manual + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + - duration: 2000 + error: + message: Step 'hello_world_step' failed + executedBy: elastic + finishedAt: '2025-11-20T13:00:02.000Z' + id: exec-002 + isTestRun: false + spaceId: default + startedAt: '2025-11-20T13:00:00.000Z' + status: failed + triggeredBy: manual + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + size: 20 + total: 2 + description: Indicates a successful response + summary: Get workflow executions tags: - - Security Osquery API + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions?page=1&size=20" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/workflow/{workflowId}/executions?page=1&size=20 + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/workflow/{workflowId}/executions/cancel: post: - description: Create and run a live query. 
- operationId: OsqueryCreateLiveQuery - requestBody: - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody - required: true - responses: - '200': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateLiveQueryResponse - description: Indicates a successful call. - summary: Create a live query - tags: - - Security Osquery API - /api/osquery/live_queries/{id}: - get: - description: Get the details of a live query using the query ID. - operationId: OsqueryGetLiveQueryDetails + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/workflow/{workflowId}/executions/cancel
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Request cancellation for all non-terminal executions of the given workflow in the current space.

[Required authorization] Route required privileges: workflowsManagement:cancelExecution. + operationId: post-workflows-workflow-workflowid-executions-cancel parameters: - - description: The ID of the live query. - in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow ID + in: path + name: workflowId required: true schema: - description: The ID of the live query result you want to retrieve. - example: 3c42c847-eb30-4452-80e0-728584042334 type: string responses: '200': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse - description: Indicates a successful call. - summary: Get live query details + description: Indicates a successful response + summary: Cancel all active workflow executions tags: - - Security Osquery API - /api/osquery/live_queries/{id}/results/{actionId}: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions/cancel" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + POST kbn://api/workflows/workflow/{workflowId}/executions/cancel + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/workflow/{workflowId}/executions/steps: get: - description: Get the results of a live query using the query action ID. - operationId: OsqueryGetLiveQueryResults + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/workflow/{workflowId}/executions/steps
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a paginated list of step-level execution records for a specific workflow. Optionally filter by step ID and include input or output data.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-workflow-workflowid-executions-steps parameters: - - description: The ID of the live query. - in: path - name: id - required: true - schema: - description: The ID of the live query result you want to retrieve. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - - description: The ID of the query action. + - description: Workflow ID in: path - name: actionId + name: workflowId required: true schema: - description: The ID of the query action that generated the live query results. - example: 609c4c66-ba3d-43fa-afdd-53e244577aa0 type: string - - description: A KQL search string to filter results. + - description: Filter by step ID. in: query - name: kuery + name: stepId required: false schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. + type: string + - description: Include step input data. in: query - name: page + name: includeInput required: false schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. + type: boolean + - description: Include step output data. in: query - name: pageSize + name: includeOutput required: false schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. + type: boolean + - description: Page number for pagination. in: query - name: sort + name: page required: false schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. + minimum: 1 + type: number + - description: Number of results per page. 
in: query - name: sortOrder + name: size required: false schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + maximum: 100 + minimum: 1 + type: number responses: '200': content: application/json: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse - description: Indicates a successful call. - summary: Get live query results + examples: + getWorkflowStepExecutionsResponseExample: + description: Example response returning step execution records for a workflow + value: + results: + - executionTimeMs: 1000 + finishedAt: '2025-11-20T12:00:02.000Z' + globalExecutionIndex: 0 + id: step-exec-001 + input: + message: hello world + isTestRun: false + scopeStack: [] + spaceId: default + startedAt: '2025-11-20T12:00:01.000Z' + status: completed + stepExecutionIndex: 0 + stepId: hello_world_step + stepType: console + topologicalIndex: 0 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowRunId: exec-001 + total: 1 + description: Indicates a successful response + summary: Get workflow step executions tags: - - Security Osquery API - /api/osquery/packs: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions/steps?includeInput=true" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/workflow/{workflowId}/executions/steps?includeInput=true + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos: get: - description: Get a list of all query packs. - operationId: OsqueryFindPacks + description: | + You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. + operationId: findSlosOp parameters: - - description: The page number to return. 
+ - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - description: A valid kql query to filter the SLO with + example: 'slo.name:latency* and slo.tags : "prod"' + in: query + name: kqlQuery + schema: + type: string + - description: The page size to use for cursor-based pagination, must be greater or equal than 1 + example: 1 + in: query + name: size + schema: + default: 1 + type: integer + - description: The cursor to use for fetching the results from, when using a cursor-base pagination. + in: query + name: searchAfter + schema: + items: + type: string + type: array + - description: The page to use for pagination, must be greater or equal than 1 + example: 1 in: query name: page - required: false schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. + default: 1 + type: integer + - description: Number of SLOs returned by page + example: 25 in: query - name: pageSize - required: false + name: perPage schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. + default: 25 + maximum: 5000 + type: integer + - description: Sort by field + example: status in: query - name: sort - required: false + name: sortBy schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. 
+ default: status + enum: + - sli_value + - status + - error_budget_consumed + - error_budget_remaining + type: string + - description: Sort order + example: asc in: query - name: sortOrder - required: false + name: sortDirection schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + default: asc + enum: + - asc + - desc + type: string + - description: Hide stale SLOs from the list as defined by stale SLO threshold in SLO settings + in: query + name: hideStale + schema: + type: boolean responses: '200': content: application/json: + examples: + findSloResponse: + summary: A paginated list of SLOs + value: + page: 1 + perPage: 25 + results: + - budgetingMethod: occurrences + createdAt: '2025-01-12T10:03:19.000Z' + description: Availability of my web service + enabled: true + groupBy: '*' + id: 8853df00-ae2e-11ed-90af-09bb6422b258 + indicator: + params: + filter: 'field.environment : "production" and service.name : "my-service"' + good: 'request.status_code : "2xx"' + index: logs-* + timestampField: '@timestamp' + total: 'request.status_code : *' + type: sli.kql.custom + instanceId: '*' + name: My Service Availability + objective: + target: 0.99 + revision: 1 + settings: + frequency: 5m + syncDelay: 5m + summary: + errorBudget: + consumed: 0.17 + initial: 0.01 + isEstimated: false + remaining: 0.83 + sliValue: 0.9983 + status: HEALTHY + tags: + - production + - web-service + timeWindow: + duration: 30d + type: rolling + updatedAt: '2025-01-12T10:03:19.000Z' + version: 2 + total: 42 schema: - $ref: '#/components/schemas/Security_Osquery_API_FindPacksResponse' - description: Indicates a successful call. - summary: Get packs - tags: - - Security Osquery API - post: - description: Create a query pack. 
- operationId: OsqueryCreatePacks - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody' - required: true - responses: - '200': + $ref: '#/components/schemas/SLOs_find_slo_response' + description: Successful request + '400': content: application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''invalid'' supplied to: sortBy' + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Osquery_API_CreatePacksResponse' - description: Indicates a successful call. - summary: Create a pack - tags: - - Security Osquery API - /api/osquery/packs/{id}: - delete: - description: Delete a query pack using the pack ID. - operationId: OsqueryDeletePacks - parameters: - - description: The pack ID. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - responses: - '200': + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': content: application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 schema: - example: {} - type: object - properties: {} - description: Indicates a successful call. - summary: Delete a pack - tags: - - Security Osquery API - get: - description: Get the details of a query pack using the pack ID. - operationId: OsqueryGetPacksDetails - parameters: - - description: The pack ID. 
- in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - responses: - '200': + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_read] is unauthorized for user' + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': content: application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 schema: - $ref: '#/components/schemas/Security_Osquery_API_FindPackResponse' - description: Indicates a successful call. - summary: Get pack details + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Get a paginated list of SLOs tags: - - Security Osquery API - put: + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: description: | - Update a query pack using the pack ID. - > info - > You cannot update a prebuilt pack. - operationId: OsqueryUpdatePacks + You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. + operationId: createSloOp parameters: - - description: The pack ID. 
- in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' requestBody: content: application/json: + examples: + createSloKqlExample: + summary: Create an SLO with a KQL indicator + value: + budgetingMethod: occurrences + description: Availability of my web service measured by successful HTTP responses + indicator: + params: + filter: 'field.environment : "production" and service.name : "my-service"' + good: 'request.status_code : "2xx"' + index: logs-* + timestampField: '@timestamp' + total: 'request.status_code : *' + type: sli.kql.custom + name: My Service Availability + objective: + target: 0.99 + settings: + frequency: 5m + syncDelay: 5m + tags: + - production + - web-service + timeWindow: + duration: 30d + type: rolling schema: - $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody' + $ref: '#/components/schemas/SLOs_create_slo_request' required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksResponse' - description: Indicates a successful call. - summary: Update a pack - tags: - - Security Osquery API - /api/osquery/packs/{id}/copy: - post: - description: >- - Create a copy of a query pack with a unique name by appending a `_copy` - suffix. If the name already exists, a numeric suffix is added (e.g., - `_copy_2`). The copied pack is always created with `enabled` set to - `false`. - operationId: OsqueryCopyPacks - parameters: - - description: The ID of the pack to copy. 
- in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' responses: '200': content: application/json: examples: - copyPackExample: - summary: Example response for copying a pack + createSloResponse: + summary: Create SLO response value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: false - name: my_pack_copy - policy_ids: [] - queries: - - ecs_mapping: - - key: client.port - value: - field: port - id: ports - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: [] - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic + id: 8853df00-ae2e-11ed-90af-09bb6422b258 schema: - $ref: '#/components/schemas/Security_Osquery_API_CopyPacksResponse' - description: Indicates a successful call. - summary: Copy a pack - tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/osquery/saved_queries: - get: - description: Get a list of all saved queries. - operationId: OsqueryFindSavedQueries - parameters: - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. 
- in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - responses: - '200': + $ref: '#/components/schemas/SLOs_create_slo_response' + description: Successful request + '400': content: application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: indicator/type' + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindSavedQueryResponse - description: Indicates a successful call. - summary: Get saved queries - tags: - - Security Osquery API - post: - description: Create and save a query for later use. - operationId: OsqueryCreateSavedQuery - requestBody: - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody - required: true - responses: - '200': + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': content: application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateSavedQueryResponse - description: Indicates a successful call. - summary: Create a saved query - tags: - - Security Osquery API - /api/osquery/saved_queries/{id}: - delete: - description: Delete a saved query using the query ID. - operationId: OsqueryDeleteSavedQuery - parameters: - - description: The saved query ID. 
- in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - responses: - '200': + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': content: application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: Indicates a successful call. - summary: Delete a saved query - tags: - - Security Osquery API - get: - description: Get the details of a saved query using the query ID. - operationId: OsqueryGetSavedQueryDetails - parameters: - - description: The saved query ID. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - responses: - '200': + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '409': content: application/json: + examples: + conflictExample: + summary: Conflict + value: + error: Conflict + message: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists + statusCode: 409 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse - description: Indicates a successful call. - summary: Get saved query details + $ref: '#/components/schemas/SLOs_409_response' + description: Conflict - The SLO id already exists + summary: Create an SLO tags: - - Security Osquery API - put: + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos/_bulk_delete: + post: description: | - Update a saved query using the query ID. - > info - > You cannot update a prebuilt saved query. - operationId: OsqueryUpdateSavedQuery + Bulk delete SLO definitions and their associated summary and rollup data. 
This endpoint initiates a bulk deletion operation for SLOs, which may take some time to complete. The status of the operation can be checked using the `GET /api/slo/_bulk_delete/{taskId}` endpoint. + operationId: bulkDeleteOp parameters: - - description: The saved query ID. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' requestBody: content: application/json: + examples: + bulkDeleteRequest: + summary: Bulk delete two SLOs + value: + list: + - 8853df00-ae2e-11ed-90af-09bb6422b258 + - d077e940-1515-11ee-9c50-9d096392f520 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody + $ref: '#/components/schemas/SLOs_bulk_delete_request' required: true responses: '200': content: application/json: + examples: + bulkDeleteResponse: + summary: Bulk delete response with task ID + value: + taskId: d08506b7-f0e8-4f8b-a06a-a83940f4db91 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse - description: Indicates a successful call. - summary: Update a saved query - tags: - - Security Osquery API - /api/osquery/saved_queries/{id}/copy: - post: - description: >- - Create a copy of a saved query with a unique name by appending a `_copy` - suffix. If the name already exists, a numeric suffix is added (e.g., - `_copy_2`). - operationId: OsqueryCopySavedQuery - parameters: - - description: The ID of the saved query to copy. 
- in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - responses: - '200': + $ref: '#/components/schemas/SLOs_bulk_delete_response' + description: Successful response + '400': content: application/json: examples: - copySavedQueryExample: - summary: Example response for copying a saved query + badRequestExample: + summary: Bad request value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query_copy - interval: '60' - platform: linux,darwin - query: select * from uptime; - removed: false - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - snapshot: true - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic + error: Bad Request + message: 'Invalid value ''foo'' supplied to: list' + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CopySavedQueryResponse - description: Indicates a successful call. - summary: Copy a saved query - tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/osquery/scheduled_results/{scheduleId}/{executionCount}: - get: - description: > - Get paginated per-agent action results for a specific scheduled query - execution, with success/failure aggregation and execution metadata (pack - name, query name/text, timestamp). - operationId: OsqueryGetScheduledActionResults - parameters: - - description: The schedule ID of the scheduled query. - in: path - name: scheduleId - required: true - schema: - description: The schedule ID of the scheduled query. - example: pack_my_pack_uptime - type: string - - description: The execution count for this scheduled query run. - in: path - name: executionCount - required: true - schema: - description: The execution count for this scheduled query run. - example: 3 - type: integer - - description: The kuery to filter the results by. 
- in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. The default is 1. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. The default is 20. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field that is used to sort the results. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: Specifies the sort order. - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - responses: - '200': + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': content: application/json: examples: - scheduledActionResultsExample: - summary: Example scheduled action results response + unauthorizedExample: + summary: Unauthorized value: - aggregations: - failed: 1 - pending: 0 - successful: 9 - totalResponded: 10 - totalRowCount: 42 - currentPage: 0 - edges: - - _id: result-001 - fields: - agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 - rows_count: 5 - status: success - metadata: - executionCount: 3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - timestamp: '2024-07-26T09:00:00.000Z' - pageSize: 20 - total: 10 - totalPages: 1 + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_GetScheduledActionResultsResponse - description: Indicates a successful call. 
- summary: Get scheduled action results + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + summary: Bulk delete SLO definitions and their associated summary and rollup data. tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results: + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos/_bulk_delete/{taskId}: get: - description: > - Get paginated query result rows (the actual osquery output data) for a - specific scheduled query execution. - operationId: OsqueryGetScheduledQueryResults + description: | + Retrieve the status of the bulk deletion operation for SLOs. This endpoint returns the status of the bulk deletion operation, including whether it is completed and the results of the operation. + operationId: bulkDeleteStatusOp parameters: - - description: The schedule ID of the scheduled query. - in: path - name: scheduleId - required: true - schema: - description: The schedule ID of the scheduled query. - example: pack_my_pack_uptime - type: string - - description: The execution count for this scheduled query run. + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - description: The task id of the bulk delete operation in: path - name: executionCount + name: taskId required: true schema: - description: The execution count for this scheduled query run. - example: 3 - type: integer - - description: The kuery to filter the results by. 
- in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. The default is 1. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. The default is 20. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field that is used to sort the results. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: Specifies the sort order. - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - - description: The start date filter (ISO 8601) to narrow down results. - in: query - name: startDate - required: false - schema: - description: The start date filter (ISO 8601) to narrow down results. 
- example: '2024-01-01T00:00:00Z' + example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string responses: '200': content: application/json: examples: - scheduledQueryResultsExample: - summary: Example scheduled query results response + bulkDeleteStatusComplete: + summary: Completed bulk deletion value: - data: - edges: - - _id: row-001 - fields: - host.uptime: - - '12345' - - _id: row-002 - fields: - host.uptime: - - '67890' - total: 2 + isDone: true + results: + - id: 8853df00-ae2e-11ed-90af-09bb6422b258 + success: true + - id: d077e940-1515-11ee-9c50-9d096392f520 + success: true + bulkDeleteStatusPartialFailure: + summary: Completed with partial failure + value: + isDone: true + results: + - id: 8853df00-ae2e-11ed-90af-09bb6422b258 + success: true + - error: SLO [d077e940-1515-11ee-9c50-9d096392f520] not found + id: d077e940-1515-11ee-9c50-9d096392f520 + success: false schema: - $ref: >- - #/components/schemas/Security_Osquery_API_GetScheduledQueryResultsResponse - description: Indicates a successful call. 
- summary: Get scheduled query results + $ref: '#/components/schemas/SLOs_bulk_delete_status_response' + description: Successful response + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: taskId' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + summary: Retrieve the status of the bulk deletion tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/pinned_event: - patch: - description: Pin/unpin an event to/from an existing Timeline. - operationId: PersistPinnedEventRoute + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos/_bulk_purge_rollup: + post: + description: | + The deletion occurs for the specified list of `sloId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. 
+ operationId: deleteRollupDataOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' requestBody: content: application/json: examples: - pinEvent: - summary: Pin an event + purgeByAgeExample: + summary: Purge rollup data older than 7 days value: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + list: + - 8853df00-ae2e-11ed-90af-09bb6422b258 + purgePolicy: + age: 7d + purgeType: fixed-age + purgeByTimestampExample: + summary: Purge rollup data before a specific date + value: + list: + - 8853df00-ae2e-11ed-90af-09bb6422b258 + - d077e940-1515-11ee-9c50-9d096392f520 + purgePolicy: + purgeType: fixed-time + timestamp: '2024-12-31T00:00:00.000Z' schema: - type: object - properties: - eventId: - description: The `_id` of the associated event for this pinned event. - example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - type: string - pinnedEventId: - description: The `savedObjectId` of the pinned event you want to unpin. - example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 - nullable: true - type: string - timelineId: - description: >- - The `savedObjectId` of the timeline that you want this - pinned event unpinned from. - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - type: string - required: - - eventId - - timelineId - description: The pinned event to add or unpin, along with additional metadata. 
+ $ref: '#/components/schemas/SLOs_bulk_purge_rollup_request' required: true responses: '200': content: application/json: examples: - pinnedSaved: - summary: Pinned event saved object - value: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - pinnedEventId: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzQ2LDFe - unpinned: - summary: Unpin response + bulkPurgeResponse: + summary: Bulk purge response with task ID value: - unpinned: true + taskId: 8853df00-ae2e-11ed-90af-09bb6422b258 schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistPinnedEventResponse - description: Indicates a successful call. - summary: Pin/unpin an event - tags: - - Security Timeline API - - access:securitySolution - /api/risk_score/engine/dangerously_delete_data: - delete: - description: >- - Cleaning up the the Risk Engine by removing the indices, mapping and - transforms - operationId: CleanUpRiskEngine - responses: - '200': + $ref: '#/components/schemas/SLOs_bulk_purge_rollup_response' + description: Successful request + '400': content: application/json: examples: - CleanUpRiskEngineResponse: - summary: Successful cleanup response + badRequestExample: + summary: Bad request value: - cleanup_successful: true + error: Bad Request + message: 'Invalid value ''foo'' supplied to: purgePolicy/purgeType' + statusCode: 400 schema: - type: object - properties: - cleanup_successful: - type: boolean - description: Successful response - '400': + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': content: application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse - description: Task manager is unavailable - default: + $ref: 
'#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': content: application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse - description: Unexpected error - summary: Cleanup the Risk Engine + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + summary: Batch delete rollup and summary data tags: - - Security Entity Analytics API - /api/risk_score/engine/saved_object/configure: - patch: - description: Configuring the Risk Engine Saved Object - operationId: ConfigureRiskEngineSavedObject + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos/_delete_instances: + post: + description: | + The deletion occurs for the specified list of `sloId` and `instanceId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. 
+ operationId: deleteSloInstancesOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' requestBody: content: application/json: examples: - ConfigureRiskEngineSavedObjectRequest: - summary: Configure the risk engine saved object + deleteInstancesExample: + summary: Delete specific SLO instances value: - enable_reset_to_zero: false - exclude_alert_statuses: - - closed - exclude_alert_tags: - - low-priority - filters: - - entity_types: - - host - - user - filter: 'host.name: *' - range: - end: now - start: now-30d + list: + - instanceId: host-abc123 + sloId: 8853df00-ae2e-11ed-90af-09bb6422b258 + - instanceId: host-def456 + sloId: 8853df00-ae2e-11ed-90af-09bb6422b258 schema: - type: object - properties: - enable_reset_to_zero: - type: boolean - exclude_alert_statuses: - items: - type: string - type: array - exclude_alert_tags: - items: - type: string - type: array - filters: - items: - type: object - properties: - entity_types: - items: - enum: - - host - - user - - service - type: string - type: array - filter: - description: KQL filter string - type: string - required: - - entity_types - - filter - type: array - range: - type: object - properties: - end: - type: string - start: - type: string + $ref: '#/components/schemas/SLOs_delete_slo_instances_request' required: true responses: - '200': + '204': + description: Successful request + '400': content: application/json: examples: - ConfigureRiskEngineSavedObjectResponse: - summary: Successful configuration response + badRequestExample: + summary: Bad request value: - risk_engine_saved_object_configured: true + error: Bad Request + message: 'Invalid value ''foo'' supplied to: list/0/sloId' + statusCode: 400 schema: - type: object - properties: - risk_engine_saved_object_configured: - type: boolean - description: Successful response - '400': + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': content: application/json: + 
examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse - description: Task manager is unavailable - default: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': content: application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse - description: Unexpected error - summary: Configure the Risk Engine Saved Object + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + summary: Batch delete rollup and summary data tags: - - Security Entity Analytics API - /api/risk_score/engine/schedule_now: - post: - description: >- - Schedule the risk scoring engine to run as soon as possible. You can use - this to recalculate entity risk scores after updating their asset - criticality. - operationId: ScheduleRiskEngineNow - requestBody: - content: - application/json: {} + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos/{sloId}: + delete: + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. 
+ operationId: deleteSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' responses: - '200': + '204': + description: Successful request + '400': content: application/json: examples: - ScheduleRiskEngineNowResponse: - summary: Successful schedule response + badRequestExample: + summary: Bad request value: - success: true - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse - description: Successful response - '400': - content: - application/json: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: id' + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse - description: Task manager is unavailable - default: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': content: application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse - description: Unexpected error - summary: Run the risk scoring engine - tags: - - Security Entity Analytics API - /api/security_ai_assistant/anonymization_fields/_bulk_action: - post: - description: >- - Apply a bulk action to multiple anonymization fields. The bulk action is - applied to all anonymization fields that match the filter or to the list - of anonymization fields by their IDs. 
- operationId: PerformAnonymizationFieldsBulkAction - requestBody: - content: - application/json: - schema: - example: - create: - - allowed: true - anonymized: false - field: host.name - - allowed: false - anonymized: true - field: user.name - delete: - ids: - - field5 - - field6 - query: 'field: host.name' - update: - - allowed: true - anonymized: false - id: field8 - - allowed: false - anonymized: true - id: field9 - type: object - properties: - create: - description: Array of anonymization fields to create. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps - type: array - delete: - description: >- - Object containing the query to filter anonymization fields - and/or an array of anonymization field IDs to delete. - type: object - properties: - ids: - description: Array of IDs to apply the action to. - example: - - '1234' - - '5678' - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter the bulk action. - example: 'status: ''inactive''' - type: string - update: - description: Array of anonymization fields to update. 
- items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps - type: array - responses: - '200': + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': content: application/json: - example: - anonymization_fields_count: 5 - attributes: - results: - created: - - allowed: false - anonymized: true - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: host.name - id: field2 - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - deleted: - - field3 - skipped: - - id: field4 - name: user.name - skip_reason: ANONYMIZATION_FIELD_NOT_MODIFIED - updated: - - allowed: true - anonymized: false - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: url.domain - id: field8 - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - summary: - failed: 1 - skipped: 1 - succeeded: 2 - total: 5 - message: Bulk action completed successfully - status_code: 200 - success: true + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse - description: Indicates a successful call. - '400': + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': content: application/json: - example: - error: Bad Request - message: Invalid request body - statusCode: 400 + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 schema: - type: object - properties: - error: - description: Error type or name. - type: string - message: - description: Detailed error message. - type: string - statusCode: - description: Status code of the response. 
- type: number - description: Generic Error - summary: Apply a bulk action to anonymization fields + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Delete an SLO tags: - - Security AI Assistant API - - Bulk API - /api/security_ai_assistant/anonymization_fields/_find: + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: Get a list of all anonymization fields. - operationId: FindAnonymizationFields + description: | + You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. + operationId: getSloOp parameters: - - description: Fields to return - example: - - id - - field - - anonymized - - allowed - in: query - name: fields - required: false - schema: - items: - type: string - type: array - - description: Search query - example: 'field: "user.name"' + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + - description: the specific instanceId used by the summary calculation + example: host-abcde in: query - name: filter - required: false + name: instanceId schema: type: string - - description: Field to sort by - example: created_at - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField - - description: Sort order - example: asc - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - - description: Page number - example: 1 - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: integer - - description: AnonymizationFields per page - example: 20 - in: query - name: per_page - required: false - schema: - default: 20 - minimum: 0 - type: integer - - description: >- - If true, additionally fetch all anonymization 
fields, otherwise - fetch only the provided page - in: query - name: all_data - required: false - schema: - type: boolean responses: '200': content: application/json: - example: - aggregations: - anonymized: - buckets: - allowed: - doc_count: 1 - anonymized: - doc_count: 1 - denied: - doc_count: 1 - all: - - allowed: true - anonymized: true - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: user.name - id: '1' - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - data: - - allowed: true - anonymized: true - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: user.name - id: '1' - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - page: 1 - perPage: 20 - total: 100 + examples: + getSloResponse: + summary: Get SLO response + value: + budgetingMethod: occurrences + createdAt: '2025-01-12T10:03:19.000Z' + description: Availability of my web service + enabled: true + groupBy: '*' + id: 8853df00-ae2e-11ed-90af-09bb6422b258 + indicator: + params: + filter: 'field.environment : "production" and service.name : "my-service"' + good: 'request.status_code : "2xx"' + index: logs-* + timestampField: '@timestamp' + total: 'request.status_code : *' + type: sli.kql.custom + instanceId: '*' + name: My Service Availability + objective: + target: 0.99 + revision: 1 + settings: + frequency: 5m + syncDelay: 5m + summary: + errorBudget: + consumed: 0.17 + initial: 0.01 + isEstimated: false + remaining: 0.83 + sliValue: 0.9983 + status: HEALTHY + tags: + - production + - web-service + timeWindow: + duration: 30d + type: rolling + updatedAt: '2025-01-12T10:03:19.000Z' + version: 2 schema: - type: object - properties: - aggregations: - type: object - properties: - field_status: - type: object - properties: - buckets: - type: object - properties: - allowed: - type: object - properties: - doc_count: - default: 0 - type: integer - anonymized: - type: 
object - properties: - doc_count: - default: 0 - type: integer - denied: - type: object - properties: - doc_count: - default: 0 - type: integer - all: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse - type: array - data: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - required: - - page - - perPage - - total - - data - description: Successful response + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + description: Successful request '400': content: application/json: - example: - error: Bad Request - message: Invalid request parameters - statusCode: 400 - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - summary: Get anonymization fields - tags: - - Security AI Assistant API - - AnonymizationFields API - /api/security_ai_assistant/chat/complete: - post: - description: Create a model response for the given chat conversation. - operationId: ChatComplete - parameters: - - description: If true, the response will not include content references. - example: false - in: query - name: content_references_disabled - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - example: - connectorId: conn-001 - conversationId: abc123 - isStream: true - langSmithApiKey: sk-abc123 - langSmithProject: security_ai_project - messages: - - content: What are some common phishing techniques? 
- data: - user_id: user_789 - fields_to_anonymize: - - user.name - - source.ip - role: user - model: gpt-4 - persist: true - promptId: prompt_456 - responseLanguage: en - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' - required: true - responses: - '200': - content: - application/octet-stream: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: id' + statusCode: 400 schema: - format: binary - type: string - description: Indicates a successful model response call. - '400': + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': content: application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 schema: - type: object - properties: - error: - description: Error type. - example: Bad Request - type: string - message: - description: Human-readable error message. - example: Invalid request payload. - type: string - statusCode: - description: HTTP status code. - example: 400 - type: number - description: Generic Error - summary: Create a model response - tags: - - Security AI Assistant API - - Chat Complete API - /api/security_ai_assistant/current_user/conversations: - delete: - description: This endpoint allows users to permanently delete all conversations. - operationId: DeleteAllConversations - requestBody: - content: - application/json: - schema: - type: object - properties: - excludedIds: - description: Optional list of conversation IDs to delete. 
- example: - - abc123 - - def456 - items: - type: string - type: array - required: false - responses: - '200': + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': content: application/json: - example: - success: true + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_read] is unauthorized for user' + statusCode: 403 schema: - type: object - properties: - failures: - items: - type: string - type: array - success: - example: true - type: boolean - totalDeleted: - example: 10 - type: number - description: >- - Indicates a successful call. The conversations were deleted - successfully. - '400': + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': content: application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid conversation ID - type: string - statusCode: - example: 400 - type: number - description: Generic Error. This response indicates an issue with the request. - summary: Delete conversations + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Get an SLO tags: - - Security AI Assistant API - - Conversation API - post: - description: >- - Create a new Security AI Assistant conversation. This endpoint allows - the user to initiate a conversation with the Security AI Assistant by - providing the required parameters. - operationId: CreateConversation + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. 
+ operationId: updateSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' requestBody: content: application/json: - example: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - excludeFromLastConversationStorage: false - messages: - - content: Hello, how can I assist you today? - role: system - timestamp: '2023-10-31T12:00:00Z' - replacements: {} - title: Security Discussion + examples: + updateSloNameExample: + summary: Update the SLO name and tags + value: + name: Updated Service Availability + tags: + - production + - updated + updateSloObjectiveExample: + summary: Update the SLO objective + value: + objective: + target: 0.995 schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationCreateProps + $ref: '#/components/schemas/SLOs_update_slo_request' required: true responses: '200': content: application/json: - example: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - createdAt: '2023-10-31T12:01:00Z' - excludeFromLastConversationStorage: false - id: abc123 - messages: - - content: Hello, how can I assist you today? 
- role: system - timestamp: '2023-10-31T12:00:00Z' - replacements: {} - title: Security Discussion - updatedAt: '2023-10-31T12:01:00Z' - users: - - id: user1 - name: John Doe + examples: + updateSloResponse: + summary: Update SLO response + value: + budgetingMethod: occurrences + createdAt: '2025-01-12T10:03:19.000Z' + description: Availability of my web service + enabled: true + groupBy: '*' + id: 8853df00-ae2e-11ed-90af-09bb6422b258 + indicator: + params: + filter: 'field.environment : "production" and service.name : "my-service"' + good: 'request.status_code : "2xx"' + index: logs-* + timestampField: '@timestamp' + total: 'request.status_code : *' + type: sli.kql.custom + name: Updated Service Availability + objective: + target: 0.99 + revision: 2 + settings: + frequency: 5m + syncDelay: 5m + tags: + - production + - updated + timeWindow: + duration: 30d + type: rolling + updatedAt: '2025-03-26T14:30:00.000Z' + version: 2 schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: >- - Indicates a successful call. The conversation was created - successfully. + $ref: '#/components/schemas/SLOs_slo_definition_response' + description: Successful request '400': content: application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: indicator/type' + statusCode: 400 schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: 'Missing required parameter: title' - type: string - statusCode: - example: 400 - type: number - description: >- - Generic Error. This response indicates an issue with the request, - such as missing required parameters or incorrect data. - summary: Create a conversation - tags: - - Security AI Assistant API - - Conversation API - /api/security_ai_assistant/current_user/conversations/_find: - get: - description: >- - Get a list of all conversations for the current user. 
This endpoint - allows users to search, filter, sort, and paginate through their - conversations. - operationId: FindConversations - parameters: - - description: >- - A list of fields to include in the response. If omitted, all fields - are returned. - in: query - name: fields - required: false - schema: - example: - - id - - title - - createdAt - items: - type: string - type: array - - description: >- - A search query to filter the conversations. Can match against - titles, messages, or other conversation attributes. - in: query - name: filter - required: false - schema: - example: Security Issue - type: string - - description: >- - The field by which to sort the results. Valid fields are - `created_at`, `title`, and `updated_at`. - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindConversationsSortField - example: created_at - - description: >- - The order in which to sort the results. Can be either `asc` for - ascending or `desc` for descending. - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - example: desc - - description: The page number of the results to retrieve. Default is 1. - in: query - name: page - required: false - schema: - default: 1 - example: 1 - minimum: 1 - type: integer - - description: The number of conversations to return per page. Default is 20. - in: query - name: per_page - required: false - schema: - default: 20 - example: 20 - minimum: 0 - type: integer - - description: >- - Whether to return conversations that the current user owns. If true, - only conversations owned by the user are returned. 
- in: query - name: is_owner - required: false - schema: - default: false - example: true - type: boolean - responses: - '200': + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': content: application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 schema: - type: object - properties: - data: - description: A list of conversations. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - type: array - page: - description: The current page of the results. - example: 1 - type: integer - perPage: - description: The number of results returned per page. - example: 20 - type: integer - total: - description: >- - The total number of conversations matching the filter - criteria. - example: 100 - type: integer - required: - - page - - perPage - - total - - data - description: >- - Successful response, returns a paginated list of conversations - matching the specified criteria. - '400': + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': content: application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid filter query parameter - type: string - statusCode: - example: 400 - type: number - description: >- - Generic Error. The request could not be processed due to an invalid - query parameter or other issue. 
- summary: Get conversations + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Update an SLO tags: - - Security AI Assistant API - - Conversations API - /api/security_ai_assistant/current_user/conversations/{id}: - delete: - description: >- - Delete an existing conversation using the conversation ID. This endpoint - allows users to permanently delete a conversation. - operationId: DeleteConversation + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos/{sloId}/_reset: + post: + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. + operationId: resetSloOp parameters: - - description: The conversation's `id` value. - example: abc123 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' responses: '200': content: application/json: - example: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - createdAt: '2023-10-31T12:01:00Z' - excludeFromLastConversationStorage: false - id: abc123 - messages: - - content: The conversation has been deleted. 
- role: system - timestamp: '2023-10-31T12:35:00Z' - replacements: {} - title: Deleted Security Discussion - updatedAt: '2023-10-31T12:01:00Z' - users: - - id: user1 - name: John Doe + examples: + resetSloResponse: + summary: Reset SLO response + value: + budgetingMethod: occurrences + createdAt: '2025-01-12T10:03:19.000Z' + description: Availability of my web service + enabled: true + groupBy: '*' + id: 8853df00-ae2e-11ed-90af-09bb6422b258 + indicator: + params: + filter: 'field.environment : "production" and service.name : "my-service"' + good: 'request.status_code : "2xx"' + index: logs-* + timestampField: '@timestamp' + total: 'request.status_code : *' + type: sli.kql.custom + name: My Service Availability + objective: + target: 0.99 + revision: 2 + settings: + frequency: 5m + syncDelay: 5m + tags: + - production + - web-service + timeWindow: + duration: 30d + type: rolling + updatedAt: '2025-03-26T14:30:00.000Z' + version: 2 schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: >- - Indicates a successful call. The conversation was deleted - successfully. + $ref: '#/components/schemas/SLOs_slo_definition_response' + description: Successful request '400': content: application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: id' + statusCode: 400 schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid conversation ID - type: string - statusCode: - example: 400 - type: number - description: Generic Error. This response indicates an issue with the request. - summary: Delete a conversation - tags: - - Security AI Assistant API - - Conversation API - get: - description: >- - Get the details of an existing conversation using the conversation ID. - This allows users to fetch the specific conversation data by its unique - ID. 
- operationId: ReadConversation - parameters: - - description: >- - The conversation's `id` value, a unique identifier for the - conversation. - example: abc123 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - responses: - '200': + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': content: application/json: - example: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - createdAt: '2023-10-31T12:01:00Z' - excludeFromLastConversationStorage: false - id: abc123 - messages: - - content: Hello, how can I assist you today? - role: system - timestamp: '2023-10-31T12:00:00Z' - replacements: {} - title: Security Discussion - updatedAt: '2023-10-31T12:01:00Z' - users: - - id: user1 - name: John Doe + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: Indicates a successful call. The conversation details are returned. - '400': + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': content: application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid conversation ID - type: string - statusCode: - example: 400 - type: number - description: Generic Error. The request could not be processed due to an error. - summary: Get a conversation - tags: - - Security AI Assistant API - - Conversations API - put: - description: >- - Update an existing conversation using the conversation ID. 
This endpoint - allows users to modify the details of an existing conversation. - operationId: UpdateConversation - parameters: - - description: The conversation's `id` value. - example: abc123 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - requestBody: - content: - application/json: - example: - apiConfig: - actionTypeId: '09876' - connectorId: '54321' - category: insights - excludeFromLastConversationStorage: true - messages: - - content: The issue was resolved. - role: assistant - timestamp: '2023-10-31T12:30:00Z' - replacements: {} - title: Updated Security Discussion - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps - required: true - responses: - '200': + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': content: application/json: - example: - apiConfig: - actionTypeId: '09876' - connectorId: '54321' - category: insights - createdAt: '2023-10-31T12:01:00Z' - excludeFromLastConversationStorage: true - id: abc123 - messages: - - content: The issue was resolved. - role: assistant - timestamp: '2023-10-31T12:30:00Z' - replacements: {} - title: Updated Security Discussion - updatedAt: '2023-10-31T12:31:00Z' - users: - - id: user1 - name: John Doe + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: >- - Indicates a successful call. The conversation was updated - successfully. 
+ $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Reset an SLO + tags: + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos/{sloId}/disable: + post: + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. + operationId: disableSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '204': + description: Successful request '400': content: application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: id' + statusCode: 400 schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: 'Missing required field: title' - type: string - statusCode: - example: 400 - type: number - description: >- - Generic Error. This response indicates an issue with the request, - such as missing required parameters or incorrect data. - summary: Update a conversation - tags: - - Security AI Assistant API - - Conversation API - /api/security_ai_assistant/knowledge_base: - get: - description: Read a single KB - operationId: GetKnowledgeBase - responses: - '200': + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': content: application/json: examples: - KnowledgeBaseReadResponse200Example2: - summary: >- - A response that returns information about the knowledge - base. 
+ unauthorizedExample: + summary: Unauthorized value: - defend_insights_exists: true - elser_exists: false - is_setup_available: true - is_setup_in_progress: true - product_documentation_status: installed - security_labs_exists: false - user_data_exists: true + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200 - description: Indicates a successful call. - '400': + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': content: application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 - description: Generic Error - summary: Read a KnowledgeBase + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Disable an SLO tags: - - Security AI Assistant API - - KnowledgeBase API + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos/{sloId}/enable: post: - operationId: PostKnowledgeBase + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. + operationId: enableSloOp parameters: - - description: >- - ELSER modelId to use when setting up the Knowledge Base. If not - provided, a default model will be used. 
- example: elser-model-001 - in: query - name: modelId - required: false - schema: - type: string - - description: >- - Indicates whether we should or should not install Security Labs docs - when setting up the Knowledge Base. Defaults to `false`. - example: true - in: query - name: ignoreSecurityLabs - required: false - schema: - default: false - type: boolean + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' responses: - '200': + '204': + description: Successful request + '400': content: application/json: examples: - KnowledgeBaseResponse200Example2: - summary: A response that indicates that the request was successful. + badRequestExample: + summary: Bad request value: - success: true + error: Bad Request + message: 'Invalid value ''foo'' supplied to: id' + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse - description: Indicates a successful call. - '400': + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': content: application/json: examples: - KnowledgeBaseResponse400Example2: - summary: >- - A response for a request that failed due to an invalid query - parameter value. - value: > - statusCode: 400 error: Bad Request message: "[request - query]: ignoreSecurityLabs: Invalid enum value. Expected - 'true' | 'false', received 'yes', ignoreSecurityLabs: - Expected boolean, received string" - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 - description: Generic Error - summary: Create a KnowledgeBase - tags: - - Security AI Assistant API - - KnowledgeBase API - /api/security_ai_assistant/knowledge_base/{resource}: - get: - description: Read a knowledge base with a specific resource identifier. - operationId: ReadKnowledgeBase - parameters: - - description: The KnowledgeBase `resource` value. 
- example: kb12345 - in: path - name: resource - required: true - schema: - type: string - responses: - '200': + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': content: application/json: examples: - KnowledgeBaseReadResponse200Example1: - summary: >- - A response that returns information about the knowledge - base. + forbiddenExample: + summary: Forbidden value: - defend_insights_exists: true - elser_exists: false - is_setup_available: true - is_setup_in_progress: true - product_documentation_status: installed - security_labs_exists: false - user_data_exists: true + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200 - description: Indicates a successful call. - '400': + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': content: application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 - description: Generic Error - summary: Read a KnowledgeBase for a resource + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Enable an SLO tags: - - Security AI Assistant API - - KnowledgeBase API - post: - description: Create a knowledge base with a specific resource identifier. 
- operationId: CreateKnowledgeBase + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/internal/observability/slos/_definitions: + get: + description: | + You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. + operationId: getDefinitionsOp parameters: - - description: The KnowledgeBase `resource` value. - example: kb12345 - in: path - name: resource - required: true + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - description: Indicates if the API returns only outdated SLO or all SLO definitions + in: query + name: includeOutdatedOnly + schema: + type: boolean + - description: Indicates if the API returns SLO health data with definitions + example: true + in: query + name: includeHealth + schema: + type: boolean + - description: Filters the SLOs by tag + in: query + name: tags schema: type: string - - description: >- - ELSER modelId to use when setting up the Knowledge Base. If not - provided, a default model will be used. - example: elser-model-001 + - description: Filters the SLOs by name + example: my service availability in: query - name: modelId - required: false + name: search schema: type: string - - description: >- - Indicates whether we should or should not install Security Labs docs - when setting up the Knowledge Base. Defaults to `false`. - example: true + - description: The page to use for pagination, must be greater or equal than 1 + example: 1 in: query - name: ignoreSecurityLabs - required: false + name: page schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - KnowledgeBaseResponse200Example1: - summary: A response that indicates that the request was successful. 
- value: - success: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse - description: Indicates a successful call. - '400': - content: - application/json: - examples: - KnowledgeBaseResponse400Example1: - summary: >- - A response for a request that failed due to an invalid query - parameter value. - value: > - statusCode: 400 error: Bad Request message: "[request - query]: ignoreSecurityLabs: Invalid enum value. Expected - 'true' | 'false', received 'yes', ignoreSecurityLabs: - Expected boolean, received string" - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 - description: Generic Error - summary: Create a KnowledgeBase for a resource - tags: - - Security AI Assistant API - - KnowledgeBase API - /api/security_ai_assistant/knowledge_base/entries: - post: - description: Create a Knowledge Base Entry - operationId: CreateKnowledgeBaseEntry - requestBody: - content: - application/json: - example: - content: >- - To reset your password, go to the settings page and click 'Reset - Password'. - tags: - - password - - reset - - help - title: How to reset a password - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps - required: true + type: number + - description: Number of SLOs returned by page + example: 100 + in: query + name: perPage + schema: + default: 100 + maximum: 1000 + type: integer responses: '200': content: application/json: - example: - content: >- - To reset your password, go to the settings page and click - 'Reset Password'. 
- id: '12345' - tags: - - password - - reset - - help - title: How to reset a password schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse - description: Successful request returning Knowledge Base Entries + $ref: '#/components/schemas/SLOs_find_slo_definitions_response' + description: Successful request '400': content: application/json: - example: - error: Invalid input - message: The 'title' field is required. schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: >- - A generic error occurred, such as invalid input or missing required - fields. - summary: Create a Knowledge Base Entry - tags: - - Security AI Assistant API - - Knowledge Base Entries API - /api/security_ai_assistant/knowledge_base/entries/_bulk_action: - post: - description: >- - The bulk action is applied to all Knowledge Base Entries that match the - filter or to the list of Knowledge Base Entries by their IDs. - operationId: PerformKnowledgeBaseEntryBulkAction - requestBody: - content: - application/json: - schema: - type: object - properties: - create: - description: List of Knowledge Base Entries to create. - example: - - content: This is the content of the new entry. - title: New Entry - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps - type: array - delete: - type: object - properties: - ids: - description: Array of Knowledge Base Entry IDs. - example: - - '123' - - '456' - - '789' - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter Knowledge Base Entries. - example: status:active AND category:technology - type: string - update: - description: List of Knowledge Base Entries to update. - example: - - content: Updated content. 
- id: '123' - title: Updated Entry - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps - type: array - responses: - '200': + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': content: application/json: schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse - description: Successful bulk operation request - '400': + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': content: application/json: schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: Generic Error - summary: Applies a bulk action to multiple Knowledge Base Entries + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + summary: Get the SLO definitions tags: - - Security AI Assistant API - - Knowledge Base Entries Bulk API - /api/security_ai_assistant/knowledge_base/entries/_find: - get: - description: Finds Knowledge Base Entries that match the given query. - operationId: FindKnowledgeBaseEntries - parameters: - - description: >- - A list of fields to include in the response. If not provided, all - fields will be included. - in: query - name: fields - required: false - schema: - example: - - title - - created_at - items: + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name +components: + examples: + APM_UI_agent_configuration_environments_200_response1: + description: An example of a successful response from `GET /api/apm/settings/agent-configuration/environments`. + value: + environments: + - alreadyConfigured: true + name: production + - alreadyConfigured: false + name: development + - alreadyConfigured: false + name: ALL_OPTION_VALUE + APM_UI_agent_configuration_intake_object_delete_200_response1: + description: An example of a successful response from `DELETE /api/apm/settings/agent-configuration`. 
+ value: + result: deleted + APM_UI_agent_configuration_intake_object_delete_request1: + description: Run `DELETE /api/apm/settings/agent-configuration` to delete a configuration. + value: + service: + environment: production + name: frontend + APM_UI_agent_configuration_intake_object_get_200_response1: + description: An example of a successful response from `GET /api/apm/settings/agent-configuration`. + value: + - '@timestamp': 1581934104843 + agent_name: go + applied_by_agent: false + etag: 1e58c178efeebae15c25c539da740d21dee422fc + service: + environment: production + name: opbeans-go + settings: + capture_body: 'off' + transaction_max_spans: '200' + transaction_sample_rate: '1' + - '@timestamp': 1581934111727 + agent_name: go + applied_by_agent: false + etag: 3eed916d3db434d9fb7f039daa681c7a04539a64 + service: + name: opbeans-go + settings: + capture_body: 'off' + transaction_max_spans: '300' + transaction_sample_rate: '1' + - '@timestamp': 1582031336265 + agent_name: nodejs + applied_by_agent: false + etag: 5080ed25785b7b19f32713681e79f46996801a5b + service: + name: frontend + settings: + transaction_sample_rate: '1' + APM_UI_agent_configuration_intake_object_put_200_response1: + description: An example of a successful response from `PUT /api/apm/settings/agent-configuration`. The response body is intentionally empty. + value: {} + APM_UI_agent_configuration_intake_object_put_request1: + description: Run `PUT /api/apm/settings/agent-configuration` to create or update configuration details. + value: + agent_name: nodejs + service: + environment: production + name: frontend + settings: + capture_body: 'off' + transaction_max_spans: '500' + transaction_sample_rate: '0.4' + APM_UI_agent_configuration_intake_object_search_200_response1: + description: An example of a successful response from `POST /api/apm/settings/agent-configuration/search`. 
+ value: + _id: CIaqXXABmQCdPphWj8EJ + _index: .apm-agent-configuration + _score: 2 + _source: + '@timestamp': 1582031336265 + agent_name: nodejs + applied_by_agent: false + etag: 5080ed25785b7b19f32713681e79f46996801a5b + service: + name: frontend + settings: + transaction_sample_rate: '1' + APM_UI_agent_configuration_intake_object_search_request1: + description: Run `POST /api/apm/settings/agent-configuration/search` to search configuration details. + value: + etag: 1e58c178efeebae15c25c539da740d21dee422fc + service: + environment: production + name: frontend + APM_UI_agent_configuration_intake_object_view_200_response1: + description: An example of a successful response from `GET /api/apm/settings/agent-configuration/view`. + value: + '@timestamp': 1582031336265 + agent_name: nodejs + applied_by_agent: true + etag: 5080ed25785b7b19f32713681e79f46996801a5b + id: CIaqXXABmQCdPphWj8EJ + service: + environment: production + name: frontend + settings: + capture_body: 'off' + transaction_max_spans: '500' + transaction_sample_rate: '0.4' + APM_UI_agent_keys_object_post_200_response1: + description: An example of a successful response from `POST /api/apm/agent_keys`, which creates an APM agent API key. + value: + agentKey: + api_key: PjGloCGOTzaZr8ilUPvkjA + encoded: M0RDTG1uMEIzWk1oTFVhN1dCRzk6UGpHbG9DR09UemFacjhpbFVQdmtqQQ== + id: 3DCLmn0B3ZMhLUa7WBG9 + name: apm-key + APM_UI_agent_keys_object_post_request1: + description: Run `POST /api/apm/agent_keys` to create an APM agent API key with the specified privileges. + value: + name: apm-key + privileges: + - event:write + - config_agent:read + APM_UI_annotation_object_post_200_response1: + description: An example of a successful response from `POST /api/apm/services/opbeans-java/annotation`, which creates an annotation for a service named `opbeans-java`. 
+ value: + _id: Lc9I93EBh6DbmkeV7nFX + _index: observability-annotations + _primary_term: 1 + _seq_no: 12 + _source: + '@timestamp': '2020-05-08T10:31:30.452Z' + annotation: + type: deployment + event: + created: '2020-05-09T02:34:43.937Z' + message: Deployment 1.2 + service: + name: opbeans-java + version: '1.2' + tags: + - apm + - elastic.co + - customer + _version: 1 + found: true + APM_UI_annotation_object_post_request1: + description: Run `POST /api/apm/services/{serviceName}/annotation` to create a deployment annotation for a service. + value: + '@timestamp': '2024-01-15T12:00:00.000Z' + message: Deployment 1.2.0 + service: + environment: production + version: 1.2.0 + tags: + - apm + - deployment + APM_UI_fleet_apm_server_schema_200_response1: + description: An example of a successful response from `POST /api/apm/fleet/apm_server_schema`. The response body is intentionally empty. + value: {} + APM_UI_source_maps_delete_200_response1: + description: An example of a successful response from `DELETE /api/apm/sourcemaps/{id}`. The response body is intentionally empty. + value: {} + APM_UI_source_maps_get_200_response1: + description: A successful response from `GET /api/apm/sourcemaps`. 
+ value: + artifacts: + - body: + bundleFilepath: /test/e2e/general-usecase/bundle.js + serviceName: foo + serviceVersion: 1.0.0 + sourceMap: + file: static/js/main.chunk.js + mappings: mapping + sourceRoot: '' + sources: + - fleet-source-map-client/src/index.css + - fleet-source-map-client/src/App.js + - webpack:///./src/index.css?bb0a + - fleet-source-map-client/src/index.js + - fleet-source-map-client/src/reportWebVitals.js + sourcesContent: + - content + version: 3 + compressionAlgorithm: zlib + created: '2021-07-09T20:47:44.812Z' + decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + decodedSize: 441 + encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 + encodedSize: 237 + encryptionAlgorithm: none + id: apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + identifier: foo-1.0.0 + packageName: apm + relative_url: /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + type: sourcemap + APM_UI_source_maps_upload_200_response1: + description: A successful response from `POST /api/apm/sourcemaps`. 
+ value: + body: eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI + compressionAlgorithm: zlib + created: '2021-07-09T20:47:44.812Z' + decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + decodedSize: 441 + encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 + encodedSize: 237 + encryptionAlgorithm: none + id: apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + identifier: foo-1.0.0 + packageName: apm + relative_url: /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + type: sourcemap + Data_views_create_data_view_request: + summary: Create a data view with runtime fields. + value: + data_view: + name: My Logstash data view + runtimeFieldMap: + runtime_shape_name: + script: + source: emit(doc['shape_name'].value) + type: keyword + title: logstash-* + Data_views_create_runtime_field_request: + summary: Create a runtime field. + value: + name: runtimeFoo + runtimeField: + script: + source: emit(doc["foo"].value) + type: long + Data_views_get_data_view_response: + summary: The get data view API returns a JSON object that contains information about the data view. 
+ value: + data_view: + allowNoIndex: false + fieldAttrs: + products.manufacturer: + count: 1 + products.price: + count: 1 + products.product_name: + count: 1 + total_quantity: + count: 1 + fieldFormats: + products.base_price: + id: number + params: + pattern: $0,0.00 + products.base_unit_price: + id: number + params: + pattern: $0,0.00 + products.min_price: + id: number + params: + pattern: $0,0.00 + products.price: + id: number + params: + pattern: $0,0.00 + products.taxful_price: + id: number + params: + pattern: $0,0.00 + products.taxless_price: + id: number + params: + pattern: $0,0.00 + taxful_total_price: + id: number + params: + pattern: $0,0.[00] + taxless_total_price: + id: number + params: + pattern: $0,0.00 + fields: + _id: + aggregatable: false + count: 0 + esTypes: + - _id + format: + id: string + isMapped: true + name: _id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _index: + aggregatable: true + count: 0 + esTypes: + - _index + format: + id: string + isMapped: true + name: _index + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _score: + aggregatable: false + count: 0 + format: + id: number + isMapped: true + name: _score + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: number + _source: + aggregatable: false + count: 0 + esTypes: + - _source + format: + id: _source + isMapped: true + name: _source + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: _source + category: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: category + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + category.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: category.keyword + readFromDocValues: 
true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: category + type: string + currency: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: currency + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_birth_date: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: customer_birth_date + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + customer_first_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_first_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_first_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_first_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_first_name + type: string + customer_full_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_full_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_full_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_full_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_full_name + type: string + customer_gender: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_gender + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_id: + aggregatable: true + count: 0 
+ esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_last_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_last_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_last_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_last_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_last_name + type: string + customer_phone: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_phone + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + day_of_week: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: day_of_week + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + day_of_week_i: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: day_of_week_i + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + email: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: email + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + event.dataset: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: event.dataset + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.city_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + 
id: string + isMapped: true + name: geoip.city_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.continent_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.continent_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.country_iso_code: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.country_iso_code + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.location: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: geoip.location + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + geoip.region_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.region_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + manufacturer: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: manufacturer + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + manufacturer.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: manufacturer.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: manufacturer + type: string + order_date: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: order_date + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + order_id: + aggregatable: true + count: 0 + esTypes: + - keyword 
+ format: + id: string + isMapped: true + name: order_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + products._id: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: products._id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products._id.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products._id.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products._id + type: string + products.base_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.base_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.base_unit_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.base_unit_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.category: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: products.category + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.category.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.category.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.category + type: string + products.created_on: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: products.created_on + readFromDocValues: true + scripted: false + 
searchable: true + shortDotsEnable: false + type: date + products.discount_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.discount_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.discount_percentage: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.discount_percentage + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.manufacturer: + aggregatable: false + count: 1 + esTypes: + - text + format: + id: string + isMapped: true + name: products.manufacturer + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.manufacturer.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.manufacturer.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.manufacturer + type: string + products.min_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.min_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.price: + aggregatable: true + count: 1 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.product_id: + aggregatable: true + count: 0 + esTypes: + - long + format: + id: number + isMapped: true + name: products.product_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.product_name: + aggregatable: 
false + count: 1 + esTypes: + - text + format: + id: string + isMapped: true + name: products.product_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.product_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.product_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.product_name + type: string + products.quantity: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: products.quantity + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.sku: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.sku + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.tax_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.tax_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.taxful_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.taxful_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.taxless_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.taxless_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.unit_discount_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: 
products.unit_discount_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + sku: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: sku + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + taxful_total_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.[00] + isMapped: true + name: taxful_total_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + taxless_total_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: taxless_total_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + total_quantity: + aggregatable: true + count: 1 + esTypes: + - integer + format: + id: number + isMapped: true + name: total_quantity + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + total_unique_products: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: total_unique_products + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + type: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: type + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + user: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: user + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + name: Kibana Sample Data eCommerce + namespaces: + - default + runtimeFieldMap: {} + sourceFilters: [] + 
timeFieldName: order_date + title: kibana_sample_data_ecommerce + typeMeta: {} + version: WzUsMV0= + Data_views_get_data_views_response: + summary: The get all data views API returns a list of data views. + value: + data_view: + - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + name: Kibana Sample Data eCommerce + namespaces: + - default + title: kibana_sample_data_ecommerce + typeMeta: {} + - id: d3d7af60-4c81-11e8-b3d7-01146121b73d + name: Kibana Sample Data Flights + namespaces: + - default + title: kibana_sample_data_flights + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: Kibana Sample Data Logs + namespaces: + - default + title: kibana_sample_data_logs + Data_views_get_default_data_view_response: + summary: The get default data view API returns the default data view identifier. + value: + data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + Data_views_get_runtime_field_response: + summary: The get runtime field API returns a JSON object that contains information about the runtime field (`hour_of_day`) and the data view (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). + value: + data_view: + allowNoIndex: false + fieldAttrs: {} + fieldFormats: + AvgTicketPrice: + id: number + params: + pattern: $0,0.[00] + hour_of_day: + id: number + params: + pattern: '00' + fields: + _id: + aggregatable: false + count: 0 + esTypes: + - _id + format: + id: string + isMapped: true + name: _id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _index: + aggregatable: true + count: 0 + esTypes: + - _index + format: + id: string + isMapped: true + name: _index + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false type: string - type: array - - description: Search query to filter Knowledge Base Entries by specific criteria. 
- in: query - name: filter - required: false - schema: - example: error handling + _score: + aggregatable: false + count: 0 + format: + id: number + isMapped: true + name: _score + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: number + _source: + aggregatable: false + count: 0 + esTypes: + - _source + format: + id: _source + isMapped: true + name: _source + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: _source + AvgTicketPrice: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + params: + pattern: $0,0.[00] + isMapped: true + name: AvgTicketPrice + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + Cancelled: + aggregatable: true + count: 0 + esTypes: + - boolean + format: + id: boolean + isMapped: true + name: Cancelled + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: boolean + Carrier: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Carrier + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + dayOfWeek: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: dayOfWeek + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + Dest: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Dest + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestAirportID: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestAirportID + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestCityName: + aggregatable: true + count: 0 + esTypes: + - keyword + 
format: + id: string + isMapped: true + name: DestCityName + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestCountry: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestCountry + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestLocation: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: DestLocation + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + DestRegion: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestRegion + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestWeather: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestWeather + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DistanceKilometers: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: DistanceKilometers + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + DistanceMiles: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: DistanceMiles + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + FlightDelay: + aggregatable: true + count: 0 + esTypes: + - boolean + format: + id: boolean + isMapped: true + name: FlightDelay + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: boolean + FlightDelayMin: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: FlightDelayMin + 
readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + FlightDelayType: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightDelayType + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + FlightNum: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightNum + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + FlightTimeHour: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightTimeHour + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + FlightTimeMin: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: FlightTimeMin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + hour_of_day: + aggregatable: true + count: 0 + esTypes: + - long + format: + id: number + params: + pattern: '00' + name: hour_of_day + readFromDocValues: false + runtimeField: + script: + source: emit(doc['timestamp'].value.getHour()); + type: long + scripted: false + searchable: true + shortDotsEnable: false + type: number + Origin: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Origin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginAirportID: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginAirportID + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginCityName: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginCityName + readFromDocValues: true 
+ scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginCountry: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginCountry + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginLocation: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: OriginLocation + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + OriginRegion: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginRegion + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginWeather: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginWeather + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + timestamp: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: timestamp + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + id: d3d7af60-4c81-11e8-b3d7-01146121b73d + name: Kibana Sample Data Flights + runtimeFieldMap: + hour_of_day: + script: + source: emit(doc['timestamp'].value.getHour()); + type: long + sourceFilters: [] + timeFieldName: timestamp + title: kibana_sample_data_flights + version: WzM2LDJd + fields: + - aggregatable: true + count: 0 + esTypes: + - long + name: hour_of_day + readFromDocValues: false + runtimeField: + script: + source: emit(doc['timestamp'].value.getHour()); + type: long + scripted: false + searchable: true + shortDotsEnable: false + type: number + Data_views_preview_swap_data_view_request: + summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". 
+ value: + fromId: abcd-efg + toId: xyz-123 + Data_views_set_default_data_view_request: + summary: Set the default data view identifier. + value: + data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + force: true + Data_views_swap_data_view_request: + summary: Swap references from data view ID "abcd-efg" to "xyz-123" and remove the data view that is no longer referenced. + value: + delete: true + fromId: abcd-efg + toId: xyz-123 + Data_views_update_data_view_request: + summary: Update some properties for a data view. + value: + data_view: + allowNoIndex: false + name: Kibana Sample Data eCommerce + timeFieldName: order_date + title: kibana_sample_data_ecommerce + refresh_fields: true + Data_views_update_field_metadata_request: + summary: Update metadata for multiple fields. + value: + fields: + field1: + count: 123 + customLabel: Field 1 label + field2: + customDescription: Field 2 description + customLabel: Field 2 label + Data_views_update_runtime_field_request: + summary: Update an existing runtime field on a data view. + value: + runtimeField: + script: + source: emit(doc["bar"].value) + Machine_learning_APIs_mlSync401Example: + summary: Two anomaly detection jobs required synchronization in this example. + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]]: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]" + statusCode: 401 + Machine_learning_APIs_mlSyncExample: + summary: Two anomaly detection jobs required synchronization in this example. 
+ value: + datafeedsAdded: {} + datafeedsRemoved: {} + savedObjectsCreated: + anomaly-detector: + myjob1: + success: true + myjob2: + success: true + savedObjectsDeleted: {} + Observability_AI_Assistant_API_ChatCompleteRequestExample: + summary: Example of completing a chat interaction + value: | + { + "connectorId": "", + "disableFunctions": false, + "messages": [ + { + "@timestamp": "2025-06-25T23:45:00.000Z", + "message": { + "role": "user", + "content": "Is my Elasticsearch cluster healthy right now?" + } + } + ], + "persist": false, + "actions": [ + { + "name": "get_cluster_health", + "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", + "parameters": { + "type": "object", + "properties": { + "includeShardStats": { + "type": "boolean", + "default": false + } + } + } + } + ], + "instructions": ["When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English."] + } + Observability_AI_Assistant_API_ChatCompleteResponseExample: + summary: Get a chat completion from the Observability AI Assistant + value: | + data: {"model":"unknown","choices":[{"delta":{"content":"","function_call":{"name":"get_cluster_health","arguments":"{\"includeShardStats\":true}"}},"finish_reason":null,"index":0}],"created":1750936626911,"id":"9c8eff9b-4fd4-4203-a4ab-2e364688deff","object":"chat.completion.chunk"} + + data: [DONE] + Security_Detections_API_SetAlertAssigneesBodyAdd: + value: + assignees: + add: + - u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0 + remove: [] + ids: + - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6 + Security_Detections_API_SetAlertAssigneesBodyRemove: + value: + assignees: + add: [] + remove: + - u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0 + ids: + - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6 + Security_Detections_API_SetAlertTagsBodyAdd: + value: + ids: + - 
549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e + tags: + tags_to_add: + - Duplicate + tags_to_remove: [] + Security_Detections_API_SetAlertTagsBodyRemove: + value: + ids: + - 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e + tags: + tags_to_add: [] + tags_to_remove: + - Duplicate + Task_manager_health_Serverless_APIs_health_200response_serverless: + description: A successful response from `GET api/task_manager/_health`. + value: |- + { + "id": "b44483e1-3ba2-4f28-93d0-1d96c69c32c1", + "timestamp": "2025-03-21T21:49:50.409Z", + "status": "OK", + "last_update": "2025-03-21T21:48:53.996Z", + "stats": { + "configuration": { + "timestamp": "2025-03-21T21:47:51.663Z", + "value": { + "request_capacity": 1000, + "monitored_aggregated_stats_refresh_rate": 60000, + "monitored_stats_running_average_window": 50, + "monitored_task_execution_thresholds": { + "custom": {}, + "default": { + "error_threshold": 90, + "warn_threshold": 80 + } + }, + "claim_strategy": "mget", + "poll_interval": 500, + "capacity": { + "config": 10, + "as_workers": 10, + "as_cost": 20 + } + }, + "status": "OK" + }, + "workload": { + "timestamp": "2025-03-21T21:48:53.996Z", + "value": { + "count": 21, + "cost": 42, + "task_types": { + "Fleet-Metrics-Task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "Fleet-Usage-Logger": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "Fleet-Usage-Sender": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "ML:saved-objects-sync": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "actions:connector_usage_reporting": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "actions_telemetry": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "alerting_health_check": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "alerting_telemetry": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + 
"alerts_invalidate_api_keys": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "cases-telemetry-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "dashboard_telemetry": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:automatic-agent-upgrade-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:check-deleted-files-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:delete-unenrolled-agents-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:sync-integrations-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:unenroll-inactive-agents-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:upgrade-agentless-deployments-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "session_cleanup": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "task_manager:delete_inactive_background_task_nodes": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "task_manager:mark_removed_tasks_as_unrecognized": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + } + }, + "non_recurring": 1, + "non_recurring_cost": 2, + "schedule": [ + [ + "1m", + 2 + ], + [ + "5m", + 2 + ], + [ + "10m", + 1 + ], + [ + "15m", + 1 + ], + [ + "30m", + 1 + ], + [ + "1h", + 5 + ], + [ + "3600s", + 1 + ], + [ + "60m", + 1 + ], + [ + "720m", + 1 + ], + [ + "1d", + 4 + ], + [ + "1440m", + 1 + ] + ], + "overdue": 0, + "overdue_cost": 0, + "overdue_non_recurring": 0, + "estimated_schedule_density": [ + 0, + 0, + 1, + 0, + 0, + 0, + 0, + 1, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0 + ], + "capacity_requirements": { + "per_minute": 2, + "per_hour": 43, + "per_day": 7 + } + }, + "status": "OK" + } 
+ } + } + get_connector_types_generativeai_response: + summary: A list of connector types for the `generativeAI` feature. + value: + - id: .gen-ai + name: OpenAI + enabled: true + enabled_in_config: true + enabled_in_license: true + minimum_license_required: enterprise + supported_feature_ids: + - generativeAIForSecurity + - generativeAIForObservability + - generativeAIForSearchPlayground + is_system_action_type: false + - id: .bedrock + name: AWS Bedrock + enabled: true + enabled_in_config: true + enabled_in_license: true + minimum_license_required: enterprise + supported_feature_ids: + - generativeAIForSecurity + - generativeAIForObservability + - generativeAIForSearchPlayground + is_system_action_type: false + - id: .gemini + name: Google Gemini + enabled: true + enabled_in_config: true + enabled_in_license: true + minimum_license_required: enterprise + supported_feature_ids: + - generativeAIForSecurity + is_system_action_type: false + get_connector_response: + summary: Get connector details. + value: + id: df770e30-8b8b-11ed-a780-3b746c987a81 + name: my_server_log_connector + config: {} + connector_type_id: .server-log + is_preconfigured: false + is_deprecated: false + is_missing_secrets: false + is_system_action: false + update_index_connector_request: + summary: Update an index connector. + value: + name: updated-connector + config: + index: updated-index + create_email_connector_request: + summary: Create an email connector. + value: + name: email-connector-1 + connector_type_id: .email + config: + from: tester@example.com + hasAuth: true + host: https://example.com + port: 1025 + secure: false + service: other + secrets: + user: username + password: password + create_index_connector_request: + summary: Create an index connector. + value: + name: my-connector + connector_type_id: .index + config: + index: test-index + create_webhook_connector_request: + summary: Create a webhook connector with SSL authentication. 
+ value: + name: my-webhook-connector + connector_type_id: .webhook + config: + method: post + url: https://example.com + authType: webhook-authentication-ssl + certType: ssl-crt-key + secrets: + crt: QmFnIEF0dH... + key: LS0tLS1CRUdJ... + password: my-passphrase + create_xmatters_connector_request: + summary: Create an xMatters connector with URL authentication. + value: + name: my-xmatters-connector + connector_type_id: .xmatters + config: + usesBasic: false + secrets: + secretsUrl: https://example.com?apiKey=xxxxx + create_email_connector_response: + summary: A new email connector. + value: + id: 90a82c60-478f-11ee-a343-f98a117c727f + connector_type_id: .email + name: email-connector-1 + config: + from: tester@example.com + service: other + host: https://example.com + port: 1025 + secure: false + hasAuth: true + tenantId: null + clientId: null + oauthTokenUrl: null + is_preconfigured: false + is_deprecated: false + is_missing_secrets: false + is_system_action: false + create_index_connector_response: + summary: A new index connector. + value: + id: c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad + connector_type_id: .index + name: my-connector + config: + index: test-index + refresh: false + executionTimeField: null + is_preconfigured: false + is_deprecated: false + is_missing_secrets: false + is_system_action: false + create_webhook_connector_response: + summary: A new webhook connector. + value: + id: 900eb010-3b9d-11ee-a642-8ffbb94e38bd + name: my-webhook-connector + config: + method: post + url: https://example.com + authType: webhook-authentication-ssl + certType: ssl-crt-key + verificationMode: full + headers: null + hasAuth: true + connector_type_id: .webhook + is_preconfigured: false + is_deprecated: false + is_missing_secrets: false + is_system_action: false + run_index_connector_request: + summary: Run an index connector. 
+ value: + params: + documents: + - id: my_doc_id + name: my_doc_name + message: hello, world + run_jira_connector_request: + summary: Run a Jira connector to retrieve the list of issue types. + value: + params: + subAction: issueTypes + run_servicenow_itom_connector_request: + summary: Run a ServiceNow ITOM connector to retrieve the list of choices. + value: + params: + subAction: getChoices + subActionParams: + fields: + - severity + - urgency + run_slack_api_connector_request: + summary: Run a Slack connector that uses the web API method to post a message on a channel. + value: + params: + subAction: postMessage + subActionParams: + channelIds: + - C123ABC456 + text: A test message. + run_swimlane_connector_request: + summary: Run a Swimlane connector to create an incident. + value: + params: + subAction: pushToService + subActionParams: + comments: + - commentId: 1 + comment: A comment about the incident. + incident: + caseId: '1000' + caseName: Case name + description: Description of the incident. + run_index_connector_response: + summary: Response from running an index connector. + value: + connector_id: fd38c600-96a5-11ed-bb79-353b74189cba + data: + errors: false + items: + - create: + _id: 4JtvwYUBrcyxt2NnfW3y + _index: my-index + _primary_term: 1 + _seq_no: 0 + _shards: + failed: 0 + successful: 1 + total: 2 + _version: 1 + result: created + status: 201 + took: 135 + status: ok + run_jira_connector_response: + summary: Response from retrieving the list of issue types for a Jira connector. + value: + connector_id: b3aad810-edbe-11ec-82d1-11348ecbf4a6 + data: + - id: 10024 + name: Improvement + - id: 10006 + name: Task + - id: 10007 + name: Sub-task + - id: 10025 + name: New Feature + - id: 10023 + name: Bug + - id: 10000 + name: Epic + status: ok + run_server_log_connector_response: + summary: Response from running a server log connector. 
+ value: + connector_id: 7fc7b9a0-ecc9-11ec-8736-e7d63118c907 + status: ok + run_servicenow_itom_connector_response: + summary: Response from retrieving the list of choices for a ServiceNow ITOM connector. + value: + connector_id: 9d9be270-2fd2-11ed-b0e0-87533c532698 + data: + - dependent_value: '' + element: severity + label: Critical + value: 1 + - dependent_value: '' + element: severity + label: Major + value: 2 + - dependent_value: '' + element: severity + label: Minor + value: 3 + - dependent_value: '' + element: severity + label: Warning + value: 4 + - dependent_value: '' + element: severity + label: OK + value: 5 + - dependent_value: '' + element: severity + label: Clear + value: 0 + - dependent_value: '' + element: urgency + label: 1 - High + value: 1 + - dependent_value: '' + element: urgency + label: 2 - Medium + value: 2 + - dependent_value: '' + element: urgency + label: 3 - Low + value: 3 + status: ok + run_slack_api_connector_response: + summary: Response from posting a message with a Slack connector. + value: + status: ok + data: + ok: true + channel: C123ABC456 + ts: '1234567890.123456' + message: + bot_id: B12BCDEFGHI + type: message + text: A test message + user: U12A345BC6D + ts: '1234567890.123456' + app_id: A01BC2D34EF + blocks: + - type: rich_text + block_id: /NXe + elements: + - type: rich_text_section + elements: + - type: text + text: A test message. + team: T01ABCDE2F + bot_profile: + id: B12BCDEFGHI + app_id: A01BC2D34EF + name: test + icons: + image_36: https://a.slack-edge.com/80588/img/plugins/app/bot_36.png + deleted: false + updated: 1672169705 + team_id: T01ABCDE2F + connector_id: .slack_api + run_swimlane_connector_response: + summary: Response from creating a Swimlane incident. 
+ value: + connector_id: a4746470-2f94-11ed-b0e0-87533c532698 + data: + id: aKPmBHWzmdRQtx6Mx + title: TEST-457 + url: https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx + pushedDate: '2022-09-08T16:52:27.866Z' + comments: + - commentId: 1 + pushedDate: '2022-09-08T16:52:27.865Z' + status: ok + get_connectors_response: + summary: A list of connectors + value: + - id: preconfigured-email-connector + name: my-preconfigured-email-notification + connector_type_id: .email + is_preconfigured: true + is_deprecated: false + referenced_by_count: 0 + is_system_action: false + - id: e07d0c80-8b8b-11ed-a780-3b746c987a81 + name: my-index-connector + config: + index: test-index + refresh: false + executionTimeField: null + connector_type_id: .index + is_preconfigured: false + is_deprecated: false + referenced_by_count: 2 + is_missing_secrets: false + is_system_action: false + get_spaces_response1: + summary: Get all spaces + description: Get all spaces without specifying any options. + value: + - id: default + name: Default + description: This is the Default Space + disabledFeatures: [] + imageUrl: '' + _reserved: true + - id: marketing + name: Marketing + description: This is the Marketing Space + color: null + disabledFeatures: + - apm + initials: MK + imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU + - id: sales + name: Sales + initials: MK + disabledFeatures: + - discover + imageUr": '' + solution: oblt + get_spaces_response2: + summary: Get all spaces with custom options + description: | + The user has read-only access to the Sales space. 
Get all spaces with the following query parameters: "purpose=shareSavedObjectsIntoSpace&include_authorized_purposes=true" + value: + - id: default + name: Default + description: This is the Default Space + disabledFeatures: [] + imageUrl: '' + _reserved: true + authorizedPurposes: + any: true + copySavedObjectsIntoSpace: true + findSavedObjects: true + shareSavedObjectsIntoSpace: true + - id: marketing + name: Marketing + description: This is the Marketing Space + color: null + disabledFeatures: + - apm + initials: MK + imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU + authorizedPurposes: + any: true + copySavedObjectsIntoSpace: true + findSavedObjects: true + shareSavedObjectsIntoSpace: true + - id: sales + name: Sales + initials: MK + disabledFeatures: + - discover + imageUrl: '' + authorizedPurposes: + any: true + copySavedObjectsIntoSpace: false + findSavedObjects: true + shareSavedObjectsIntoSpace: false + create_space_request: + summary: Create a marketing space + value: + id: marketing + name: Marketing + description: This is the Marketing Space + color: null + initials: MK + disabledFeatures: [] + imageUrl: data:image/png;base64,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 + get_space_response: + summary: Get details about a marketing space + value: + id: marketing + name: Marketing + description: This is the Marketing Space + color: null + initials: MK + disabledFeatures: [] + imageUrl: '' + solution: es + update_space_request: + summary: Update a marketing space + description: Update the marketing space to remove the imageUrl. 
+ value: + id: marketing + name: Marketing + description: This is the Marketing Space + color: null + initials: MK + disabledFeatures: [] + imageUrl: '' + parameters: + APM_UI_elastic_api_version: + description: The version of the API to use + in: header + name: elastic-api-version + required: true + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + APM_UI_kbn_xsrf: + description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + Data_views_field_name: + description: The name of the runtime field. + in: path + name: fieldName + required: true + schema: + example: hour_of_day + type: string + Data_views_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Data_views_view_id: + description: An identifier for the data view. + in: path + name: viewId + required: true + schema: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + type: string + Machine_learning_APIs_simulateParam: + description: When true, simulates the synchronization by returning only the list of actions that would be performed. + example: 'true' + in: query + name: simulate + required: false + schema: + type: boolean + SLOs_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + SLOs_slo_id: + description: An identifier for the slo. + in: path + name: sloId + required: true + schema: + example: 9c235211-6834-11ea-a78c-6feb38a34414 + type: string + SLOs_space_id: + description: An identifier for the space. If `/s/` and the identifier are omitted from the path, the default space is used. 
+ in: path + name: spaceId + required: true + schema: + example: default + type: string + schemas: + APM_UI_400_response: + type: object + properties: + error: + description: Error type + example: Not Found + type: string + message: + description: Error message + example: Not Found + type: string + statusCode: + description: Error status code + example: 400 + type: number + APM_UI_401_response: + type: object + properties: + error: + description: Error type + example: Unauthorized + type: string + message: + description: Error message + type: string + statusCode: + description: Error status code + example: 401 + type: number + APM_UI_403_response: + type: object + properties: + error: + description: Error type + example: Forbidden + type: string + message: + description: Error message + type: string + statusCode: + description: Error status code + example: 403 + type: number + APM_UI_404_response: + type: object + properties: + error: + description: Error type + example: Not Found + type: string + message: + description: Error message + example: Not Found + type: string + statusCode: + description: Error status code + example: 404 + type: number + APM_UI_500_response: + type: object + properties: + error: + description: Error type + example: Internal Server Error + type: string + message: + description: Error message + type: string + statusCode: + description: Error status code + example: 500 + type: number + APM_UI_501_response: + type: object + properties: + error: + description: Error type + example: Not Implemented + type: string + message: + description: Error message + example: Not Implemented + type: string + statusCode: + description: Error status code + example: 501 + type: number + APM_UI_agent_configuration_intake_object: + type: object + properties: + agent_name: + description: The agent name is used by the UI to determine which settings to display. 
+ type: string + service: + $ref: '#/components/schemas/APM_UI_service_object' + settings: + $ref: '#/components/schemas/APM_UI_settings_object' + required: + - service + - settings + APM_UI_agent_configuration_object: + description: Agent configuration + type: object + properties: + '@timestamp': + description: Timestamp + example: 1730194190636 + type: number + agent_name: + description: Agent name + type: string + applied_by_agent: + description: Applied by agent + example: true + type: boolean + etag: + description: | + `etag` is sent by the APM agent to indicate the `etag` of the last successfully applied configuration. If the `etag` matches an existing configuration its `applied_by_agent` property will be set to `true`. Every time a configuration is edited `applied_by_agent` is reset to `false`. + example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 + type: string + service: + $ref: '#/components/schemas/APM_UI_service_object' + settings: + $ref: '#/components/schemas/APM_UI_settings_object' + required: + - service + - settings + - '@timestamp' + - etag + APM_UI_agent_configurations_response: + type: object + properties: + configurations: + description: Agent configuration + items: + $ref: '#/components/schemas/APM_UI_agent_configuration_object' + type: array + APM_UI_agent_keys_object: + type: object + properties: + name: + description: The name of the APM agent key. + type: string + privileges: + description: | + The APM agent key privileges. It can take one or more of the following values: + * `event:write`, which is required for ingesting APM agent events. * `config_agent:read`, which is required for APM agents to read agent configuration remotely. + items: + enum: + - event:write + - config_agent:read type: string - - description: Field to sort the Knowledge Base Entries by. 
- in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField - example: created_at - - description: Sort order for the results, either asc or desc. - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - example: asc - - description: Page number for paginated results. Defaults to 1. - in: query - name: page - required: false - schema: - default: 1 - example: 2 - minimum: 1 - type: integer - - description: Number of Knowledge Base Entries to return per page. Defaults to 20. - in: query - name: per_page - required: false - schema: - default: 20 - example: 10 - minimum: 0 - type: integer - responses: - '200': - content: - application/json: - schema: - type: object - properties: - data: - description: The list of Knowledge Base Entries for the current page. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse - type: array - page: - description: The current page number. - example: 1 - type: integer - perPage: - description: The number of Knowledge Base Entries returned per page. - example: 20 - type: integer - total: - description: The total number of Knowledge Base Entries available. - example: 100 - type: integer - required: - - page - - perPage - - total - - data - description: Successful response containing the paginated Knowledge Base Entries. - '400': - content: - application/json: - schema: - type: object - properties: - error: - description: A short description of the error. - example: Bad Request - type: string - message: - description: A detailed message explaining the error. - example: 'Invalid query parameter: sort_order' - type: string - statusCode: - description: The HTTP status code of the error. - example: 400 - type: number - description: Generic Error indicating an issue with the request. 
- summary: Finds Knowledge Base Entries that match the given query. - tags: - - Security AI Assistant API - - Knowledge Base Entries API - /api/security_ai_assistant/knowledge_base/entries/{id}: - delete: - description: Delete a Knowledge Base Entry by its unique `id`. - operationId: DeleteKnowledgeBaseEntry - parameters: - - description: The unique identifier (`id`) of the Knowledge Base Entry to delete. - example: '12345' - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - responses: - '200': - content: - application/json: - example: - id: '12345' - message: Knowledge Base Entry successfully deleted. - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DeleteResponseFields - description: >- - Successful request returning the `id` of the deleted Knowledge Base - Entry. - '400': - content: - application/json: - example: - error: Not Found - message: No Knowledge Base Entry found with the provided `id`. - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: >- - A generic error occurred, such as an invalid `id` or the entry not - being found. - summary: Deletes a single Knowledge Base Entry using the `id` field - tags: - - Security AI Assistant API - - Knowledge Base Entries API - get: - description: Retrieve a Knowledge Base Entry by its unique `id`. - operationId: ReadKnowledgeBaseEntry - parameters: - - description: >- - The unique identifier (`id`) of the Knowledge Base Entry to - retrieve. - example: '12345' - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - responses: - '200': - content: - application/json: - example: - content: >- - To reset your password, go to the settings page and click - 'Reset Password'. 
- id: '12345' - tags: - - password - - reset - - help - title: How to reset a password - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse - description: Successful request returning the requested Knowledge Base Entry. - '400': - content: - application/json: - example: - error: Not Found - message: No Knowledge Base Entry found with the provided `id`. - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: >- - A generic error occurred, such as an invalid `id` or the entry not - being found. - summary: Read a Knowledge Base Entry - tags: - - Security AI Assistant API - - Knowledge Base Entries API - put: - description: Update an existing Knowledge Base Entry by its unique `id`. - operationId: UpdateKnowledgeBaseEntry - parameters: - - description: The unique identifier (`id`) of the Knowledge Base Entry to update. - example: '12345' - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - requestBody: - content: - application/json: - example: - content: >- - To reset your password, go to the settings page, click 'Reset - Password', and follow the instructions. - tags: - - password - - reset - - help - - update - title: How to reset a password (updated) - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps - required: true - responses: - '200': - content: - application/json: - example: - content: >- - To reset your password, go to the settings page, click 'Reset - Password', and follow the instructions. - id: '12345' - tags: - - password - - reset - - help - - update - title: How to reset a password (updated) - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse - description: Successful request returning the updated Knowledge Base Entry. 
- '400': - content: - application/json: - example: - error: Invalid input - message: The 'content' field cannot be empty. - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: >- - A generic error occurred, such as invalid input or the entry not - being found. - summary: Update a Knowledge Base Entry - tags: - - Security AI Assistant API - - Knowledge Base Entries API - /api/security_ai_assistant/prompts/_bulk_action: - post: - description: >- - Apply a bulk action to multiple prompts. The bulk action is applied to - all prompts that match the filter or to the list of prompts by their - IDs. This action allows for bulk create, update, or delete operations. - operationId: PerformPromptsBulkAction - requestBody: - content: - application/json: - example: - create: - - content: Please verify the security settings. - name: New Security Prompt - promptType: system - delete: - ids: - - prompt1 - - prompt2 - update: - - content: Updated content for security prompt. - id: prompt123 - schema: - type: object - properties: - create: - description: List of prompts to be created. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptCreateProps - type: array - delete: - description: Criteria for deleting prompts in bulk. - type: object - properties: - ids: - description: Array of IDs to apply the action to. - example: - - '1234' - - '5678' - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter the bulk action. - example: 'status: ''inactive''' - type: string - update: - description: List of prompts to be updated. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptUpdateProps - type: array - responses: - '200': - content: - application/json: - examples: - success: - value: - attributes: - errors: [] - results: - created: - - content: Please verify the security settings. 
- id: prompt6 - name: New Security Prompt - promptType: system - deleted: - - prompt2 - - prompt3 - skipped: - - id: prompt4 - name: Security Prompt - skip_reason: PROMPT_FIELD_NOT_MODIFIED - updated: - - content: Updated security settings prompt - id: prompt1 - name: Security Prompt - promptType: system - summary: - failed: 0 - skipped: 1 - succeeded: 4 - total: 5 - message: Bulk action completed successfully. - prompts_count: 5 - status_code: 200 - success: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse - description: Indicates a successful call with the results of the bulk action. - '400': - content: - application/json: - schema: - type: object - properties: - error: - description: A short error message. - example: Bad Request - type: string - message: - description: A detailed error message. - example: Invalid prompt ID or missing required fields. - type: string - statusCode: - description: The HTTP status code for the error. - example: 400 - type: number - description: Indicates a generic error due to a bad request. - summary: Apply a bulk action to prompts - tags: - - Security AI Assistant API - - Bulk API - /api/security_ai_assistant/prompts/_find: - get: - description: >- - Get a list of all prompts based on optional filters, sorting, and - pagination. - operationId: FindPrompts - parameters: - - description: List of specific fields to include in each returned prompt. 
- in: query - name: fields - required: false - schema: - example: - - id - - name - - content - items: + type: array + required: + - name + - privileges + APM_UI_agent_keys_response: + type: object + properties: + agentKey: + description: Agent key + type: object + properties: + api_key: + type: string + encoded: + type: string + expiration: + format: int64 + type: integer + id: + type: string + name: + type: string + required: + - id + - name + - api_key + - encoded + APM_UI_annotation_search_response: + type: object + properties: + annotations: + description: Annotations + items: + type: object + properties: + '@timestamp': + type: number + id: + type: string + text: + type: string + type: + enum: + - version + type: string + type: array + APM_UI_base_source_map_object: + type: object + properties: + compressionAlgorithm: + description: Compression Algorithm + type: string + created: + description: Created date + type: string + decodedSha256: + description: Decoded SHA-256 + type: string + decodedSize: + description: Decoded size + type: number + encodedSha256: + description: Encoded SHA-256 + type: string + encodedSize: + description: Encoded size + type: number + encryptionAlgorithm: + description: Encryption Algorithm + type: string + id: + description: Identifier + type: string + identifier: + description: Identifier + type: string + packageName: + description: Package name + type: string + relative_url: + description: Relative URL + type: string + type: + description: Type + type: string + APM_UI_create_annotation_object: + type: object + properties: + '@timestamp': + description: The date and time of the annotation. It must be in ISO 8601 format. + type: string + message: + description: The message displayed in the annotation. It defaults to `service.version`. + type: string + service: + description: The service that identifies the configuration to create or update. + type: object + properties: + environment: + description: The environment of the service. 
type: string - type: array - - description: Search query string to filter prompts by matching fields. - in: query - name: filter - required: false - schema: - example: error handling + version: + description: The version of the service. + type: string + required: + - version + tags: + description: | + Tags are used by the Applications UI to distinguish APM annotations from other annotations. Tags may have additional functionality in future releases. It defaults to `[apm]`. While you can add additional tags, you cannot remove the `apm` tag. + items: type: string - - description: Field to sort prompts by. - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindPromptsSortField - - description: Sort order, either asc or desc. - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - - description: Page number for pagination. - in: query - name: page - required: false - schema: - default: 1 - example: 1 - minimum: 1 - type: integer - - description: Number of prompts per page. - in: query - name: per_page - required: false - schema: - default: 20 - example: 20 - minimum: 0 - type: integer - responses: - '200': - content: - application/json: - schema: - example: - data: - - categories: - - troubleshooting - - logging - color: '#FF5733' - consumer: security - content: If you encounter an error, check the logs and retry. - createdAt: '2025-04-20T21:00:00Z' - createdBy: jdoe - id: prompt-123 - isDefault: true - isNewConversationDefault: false - name: Error Troubleshooting Prompt - namespace: default - promptType: standard - timestamp: '2025-04-30T22:30:00Z' - updatedAt: '2025-04-30T22:45:00Z' - updatedBy: jdoe - users: - - full_name: John Doe - username: jdoe - page: 1 - perPage: 20 - total: 142 - type: object - properties: - data: - description: >- - The list of prompts returned based on the search query, - sorting, and pagination. 
- items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptResponse - type: array - page: - description: Current page number. - example: 1 - type: integer - perPage: - description: Number of prompts per page. - example: 20 - type: integer - total: - description: Total number of prompts matching the query. - example: 142 - type: integer - required: - - page - - perPage - - total - - data - description: Successful response containing a list of prompts. - '400': - content: - application/json: - schema: - type: object - properties: - error: - description: Short error message. - example: Bad Request - type: string - message: - description: Detailed description of the error. - example: Invalid sort order value provided. - type: string - statusCode: - description: HTTP status code for the error. - example: 400 - type: number - description: Bad request due to invalid parameters or malformed query. - summary: Get prompts - tags: - - Security AI Assistant API - - Prompts API - /api/task_manager/_health: - get: - description: | - Get the health status of the Kibana task manager. - operationId: task-manager-health - responses: - '200': - content: - application/json: - examples: - taskManagerHealthResponse1: - $ref: >- - #/components/examples/Task_manager_health_Serverless_APIs_health_200response_serverless - schema: - $ref: >- - #/components/schemas/Task_manager_health_Serverless_APIs_health_response_serverless - description: Indicates a successful call - summary: Get the task manager health - tags: - - task manager - /api/timeline: - delete: - description: Delete one or more Timelines or Timeline templates. 
- operationId: DeleteTimelines - requestBody: - content: - application/json: - examples: - deleteByIds: - summary: Delete timelines by saved object id - value: - savedObjectIds: - - 15c1929b-0af7-42bd-85a8-56e234cc7c4e - deleteWithSearches: - summary: Delete Timelines and their linked saved searches - value: - savedObjectIds: - - 15c1929b-0af7-42bd-85a8-56e234cc7c4e - - 6ce1b592-84e3-4b4a-9552-f189d4b82075 - searchIds: - - 2c1b8f02-9ad6-4e33-8f6a-2c6b7d0a1f11 - schema: + type: array + required: + - '@timestamp' + - service + APM_UI_create_annotation_response: + type: object + properties: + _id: + description: Identifier + type: string + _index: + description: Index + type: string + _source: + description: Response + type: object + properties: + '@timestamp': + type: string + annotation: type: object properties: - savedObjectIds: - description: >- - The list of IDs of the Timelines or Timeline templates to - delete - items: - type: string - maxItems: 100 - type: array - searchIds: - description: >- - Saved search IDs that should be deleted alongside the - timelines - items: - type: string - maxItems: 100 - type: array - required: - - savedObjectIds - description: The IDs of the Timelines or Timeline templates to delete. - required: true - responses: - '200': - content: - application/json: - examples: - success: - summary: Success - value: {} - schema: - additionalProperties: true - type: object - description: Indicates a successful call. - summary: Delete Timelines or Timeline templates - tags: - - Security Timeline API - - access:securitySolution - get: - description: Get the details of an existing saved Timeline or Timeline template. - operationId: GetTimeline - parameters: - - description: The `savedObjectId` of the Timeline template to retrieve. - in: query - name: template_timeline_id - schema: - type: string - - description: The `savedObjectId` of the Timeline to retrieve. 
- in: query - name: id - schema: - type: string - responses: - '200': - content: - application/json: - examples: - timelineDetail: - summary: Timeline detail - value: - description: User-reported suspicious email - noteIds: [] - pinnedEventIds: [] - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Phishing investigation - version: WzE0LDFd - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - description: Indicates a successful call. - summary: Get Timeline or Timeline template details - tags: - - Security Timeline API - - access:securitySolution - patch: - description: >- - Update an existing Timeline. You can update the title, description, date - range, pinned events, pinned queries, and/or pinned saved queries of an - existing Timeline. - operationId: PatchTimeline - requestBody: - content: - application/json: - examples: - patchTitle: - summary: Update title - value: - timeline: - title: Escalated case review - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzE0LDFd - schema: + title: + type: string + type: + type: string + event: type: object properties: - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - description: >- - The timeline object of the Timeline or Timeline template - that you’re updating. - timelineId: - description: >- - The `savedObjectId` of the Timeline or Timeline template - that you’re updating. - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - nullable: true - type: string - version: - description: >- - The version of the Timeline or Timeline template that you’re - updating. - example: WzE0LDFd - nullable: true + created: type: string - required: - - timelineId - - version - - timeline - description: The Timeline updates, along with the Timeline ID and version. 
- required: true - responses: - '200': - content: - application/json: - examples: - patched: - summary: Updated timeline - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Escalated case review - version: WzE1LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. - '405': - content: - application/json: - examples: - error: - summary: Error body - value: - body: update timeline error - statusCode: 405 - schema: - type: object - properties: - body: - description: The error message. - example: update timeline error - type: string - statusCode: - example: 405 - type: number - description: >- - Indicates that the user does not have the required access to create - a Timeline. - summary: Update a Timeline - tags: - - Security Timeline API - - access:securitySolution - post: - description: Create a new Timeline or Timeline template. - operationId: CreateTimelines - requestBody: - content: - application/json: - examples: - createDefault: - summary: Create a default timeline - value: - timeline: - status: active - timelineType: default - title: Malware containment - schema: + message: + type: string + service: type: object properties: - status: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true - templateTimelineId: - description: A unique identifier for the Timeline template. - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true + environment: type: string - templateTimelineVersion: - description: Timeline template version number. - example: 12 - nullable: true - type: number - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - timelineId: - description: A unique identifier for the Timeline. 
- example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true + name: type: string - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true version: - nullable: true type: string - required: - - timeline - description: >- - The required Timeline fields used to create a new Timeline, along with - optional fields that will be created if not provided. - required: true - responses: - '200': - content: - application/json: - examples: - created: - summary: Created timeline - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Malware containment - version: WzE0LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. - '405': - content: - application/json: - examples: - error: - summary: Error body - value: - body: update timeline error - statusCode: 405 - schema: - type: object + tags: + items: + type: string + type: array + APM_UI_delete_agent_configurations_response: + type: object + properties: + result: + description: Result + type: string + APM_UI_delete_service_object: + description: Service + type: object + properties: + service: + $ref: '#/components/schemas/APM_UI_service_object' + required: + - service + APM_UI_search_agent_configuration_object: + type: object + properties: + error: + description: | + If provided, the agent configuration will be marked as error and `applied_by_agent` will be set to `false`. + This is useful for cases where the agent configuration was not applied successfully. + type: string + etag: + description: If etags match then `applied_by_agent` field will be set to `true` + example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 + type: string + mark_as_applied_by_agent: + description: | + `markAsAppliedByAgent=true` means "force setting it to true regardless of etag". 
+ This is needed for Jaeger agent that doesn't have etags + type: boolean + service: + $ref: '#/components/schemas/APM_UI_service_object' + required: + - service + APM_UI_search_agent_configuration_response: + type: object + properties: + _id: + description: Identifier + type: string + _index: + description: Index + type: string + _score: + description: Score + type: number + _source: + $ref: '#/components/schemas/APM_UI_agent_configuration_object' + APM_UI_service_agent_name_response: + type: object + properties: + agentName: + description: Agent name + example: nodejs + type: string + APM_UI_service_environment_object: + type: object + properties: + alreadyConfigured: + description: Already configured + type: boolean + name: + description: Service environment name + example: ALL_OPTION_VALUE + type: string + APM_UI_service_environments_response: + type: object + properties: + environments: + description: Service environment list + items: + $ref: '#/components/schemas/APM_UI_service_environment_object' + type: array + APM_UI_service_object: + description: Service + type: object + properties: + environment: + description: The environment of the service. + example: prod + type: string + name: + description: The name of the service. + example: node + type: string + APM_UI_settings_object: + additionalProperties: + type: string + description: Agent configuration settings + type: object + APM_UI_single_agent_configuration_response: + allOf: + - type: object + properties: + id: + type: string + required: + - id + - $ref: '#/components/schemas/APM_UI_agent_configuration_object' + APM_UI_source_maps_response: + type: object + properties: + artifacts: + description: Artifacts + items: + allOf: + - type: object properties: body: - description: The error message - example: update timeline error - type: string - statusCode: - example: 405 - type: number - description: Indicates that there was an error in the Timeline creation. 
- summary: Create a Timeline or Timeline template - tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_copy: - post: - description: | - Copies and returns a timeline or timeline template. - operationId: CopyTimeline - requestBody: - content: - application/json: - examples: - copyWithTitle: - summary: Copy with a new title - value: - timeline: - timelineType: default - title: Copy of investigation - timelineIdToCopy: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - schema: + type: object + properties: + bundleFilepath: + type: string + serviceName: + type: string + serviceVersion: + type: string + sourceMap: + type: object + properties: + file: + type: string + mappings: + type: string + sourceRoot: + type: string + sources: + items: + type: string + type: array + sourcesContent: + items: + type: string + type: array + version: + type: number + - $ref: '#/components/schemas/APM_UI_base_source_map_object' + type: array + APM_UI_upload_source_map_object: + type: object + properties: + bundle_filepath: + description: The absolute path of the final bundle as used in the web application. + type: string + service_name: + description: The name of the service that the service map should apply to. + type: string + service_version: + description: The version of the service that the service map should apply to. + type: string + sourcemap: + description: | + The source map. It can be a string or file upload. It must follow the + [source map format specification](https://tc39.es/ecma426/). 
+ format: binary + type: string + required: + - service_name + - service_version + - bundle_filepath + - sourcemap + APM_UI_upload_source_maps_response: + allOf: + - type: object + properties: + body: + type: string + - $ref: '#/components/schemas/APM_UI_base_source_map_object' + Data_views_400_response: + title: Bad request + type: object + properties: + error: + example: Bad Request + type: string + message: + type: string + statusCode: + example: 400 + type: number + required: + - statusCode + - error + - message + Data_views_404_response: + type: object + properties: + error: + enum: + - Not Found + example: Not Found + type: string + message: + example: Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found + type: string + statusCode: + enum: + - 404 + example: 404 + type: integer + Data_views_allownoindex: + description: Allows the data view saved object to exist before the data is available. Defaults to `false`. + type: boolean + Data_views_create_data_view_request_object: + title: Create data view request + type: object + properties: + data_view: + description: The data view object. + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldAttrs: + additionalProperties: + $ref: '#/components/schemas/Data_views_fieldattrs' type: object - properties: - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - timelineIdToCopy: - description: >- - The `savedObjectId` of the timeline or template to - duplicate. - type: string - required: - - timeline - - timelineIdToCopy - description: >- - Source timeline id to copy plus timeline fields for the new saved - object. 
- required: true - responses: - '200': - content: - application/json: - examples: - copied: - summary: Newly saved timeline - value: - savedObjectId: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - status: active - timelineType: default - title: Copy of investigation - version: WzE1LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. - summary: Copies timeline or timeline template - tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_draft: - get: - description: >- - Get the details of the draft Timeline or Timeline template for the - current user. If the user doesn't have a draft Timeline, an empty - Timeline is returned. - operationId: GetDraftTimelines - parameters: - - description: >- - Which draft to load (`default` investigation timeline or `template` - timeline template). - in: query - name: timelineType - required: true - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - responses: - '200': - content: - application/json: - examples: - draftPayload: - summary: Draft timeline payload - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: draft - timelineType: default - title: '' - version: WzE0LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. - '403': - content: - application/json: - examples: - forbidden: - summary: Permission denied - value: - message: Forbidden - status_code: 403 - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: >- - If a draft Timeline was not found and we attempted to create one, it - indicates that the user does not have the required permissions to - create a draft Timeline. 
- '409': - content: - application/json: - examples: - conflict: - summary: Draft conflict - value: - message: Conflict - status_code: 409 - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: >- - This should never happen, but if a draft Timeline was not found and - we attempted to create one, it indicates that there is already a - draft Timeline with the given `timelineId`. - summary: Get draft Timeline or Timeline template details - tags: - - Security Timeline API - - access:securitySolution - post: - description: > - Create a clean draft Timeline or Timeline template for the current user. - - > info - - > If the user already has a draft Timeline, the existing draft Timeline - is cleared and returned. - operationId: CleanDraftTimelines - requestBody: - content: - application/json: - examples: - defaultDraft: - summary: Create a default draft timeline - value: - timelineType: default - schema: + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: type: object - properties: - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - required: - - timelineType - description: >- - The type of Timeline to create. Valid values are `default` and - `template`. - required: true - responses: - '200': - content: - application/json: - examples: - draftResponse: - summary: Draft after reset or creation - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: draft - templateTimelineId: null - templateTimelineVersion: null - timelineType: default - title: '' - version: WzE0LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. 
- '403': - content: - application/json: - examples: - forbidden: - summary: Permission denied - value: - message: Forbidden - status_code: 403 - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: >- - Indicates that the user does not have the required permissions to - create a draft Timeline. - '409': - content: - application/json: - examples: - conflict: - summary: Draft conflict - value: - message: Conflict - status_code: 409 - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: >- - Indicates that there is already a draft Timeline with the given - `timelineId`. - summary: Create a clean draft Timeline or Timeline template - tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_export: - post: - description: Export Timelines as an NDJSON file. - operationId: ExportTimelines - parameters: - - description: The name of the file to export - in: query - name: file_name - required: true - schema: + id: + type: string + name: + description: The data view name. + type: string + namespaces: + $ref: '#/components/schemas/Data_views_namespaces' + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + type: + $ref: '#/components/schemas/Data_views_type' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta' + version: + type: string + required: + - title + override: + default: false + description: Override an existing data view if a data view with the provided title already exists. 
+ type: boolean + required: + - data_view + Data_views_data_view_response_object: + title: Data view response properties + type: object + properties: + data_view: + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldAttrs: + additionalProperties: + $ref: '#/components/schemas/Data_views_fieldattrs' + type: object + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + id: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + type: string + name: + description: The data view name. + type: string + namespaces: + $ref: '#/components/schemas/Data_views_namespaces' + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta_response' + version: + example: WzQ2LDJd + type: string + Data_views_fieldattrs: + description: A map of field attributes by field name. + type: object + properties: + count: + description: Popularity count for the field. + type: integer + customDescription: + description: Custom description for the field. + maxLength: 300 + type: string + customLabel: + description: Custom label for the field. + type: string + Data_views_fieldformats: + description: A map of field formats by field name. + type: object + Data_views_namespaces: + description: An array of space identifiers for sharing the data view between multiple spaces. + items: + default: default + type: string + type: array + Data_views_runtimefieldmap: + description: A map of runtime field definitions by field name. + type: object + properties: + script: + type: object + properties: + source: + description: Script for the runtime field. 
+ type: string + type: + description: Mapping type of the runtime field. + type: string + required: + - script + - type + Data_views_sourcefilters: + description: The array of field names you want to filter out in Discover. + items: + type: object + properties: + value: type: string - requestBody: - content: - application/json: - examples: - exportIds: - summary: Export by timeline ids - value: - ids: - - 15c1929b-0af7-42bd-85a8-56e234cc7c4e - schema: + required: + - value + type: array + Data_views_swap_data_view_request_object: + title: Data view reference swap request + type: object + properties: + delete: + description: Deletes referenced saved object if all references are removed. + type: boolean + forId: + description: Limit the affected saved objects to one or more by identifier. + oneOf: + - type: string + - items: + type: string + type: array + forType: + description: Limit the affected saved objects by type. + type: string + fromId: + description: The saved object reference to change. + type: string + fromType: + description: | + Specify the type of the saved object reference to alter. The default value is `index-pattern` for data views. + type: string + toId: + description: New saved object reference value to replace the old value. + type: string + required: + - fromId + - toId + Data_views_timefieldname: + description: The timestamp field name, which you use for time-based data views. + type: string + Data_views_title: + description: Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (`*`). + type: string + Data_views_type: + description: When set to `rollup`, identifies the rollup data views. + type: string + Data_views_typemeta: + description: When you use rollup indices, contains the field list for the rollup data view API endpoints. + type: object + properties: + aggs: + description: A map of rollup restrictions by aggregation type and field name. 
+ type: object + params: + description: Properties for retrieving rollup fields. + type: object + required: + - aggs + - params + Data_views_typemeta_response: + description: When you use rollup indices, contains the field list for the rollup data view API endpoints. + nullable: true + type: object + properties: + aggs: + description: A map of rollup restrictions by aggregation type and field name. + type: object + params: + description: Properties for retrieving rollup fields. + type: object + Data_views_update_data_view_request_object: + title: Update data view request + type: object + properties: + data_view: + description: | + The data view properties you want to update. Only the specified properties are updated in the data view. Unspecified fields stay as they are persisted. + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + name: + type: string + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' type: object - properties: - ids: - items: - type: string - maxItems: 1000 - minItems: 1 - nullable: true - type: array - description: The IDs of the Timelines to export. - required: true - responses: - '200': - content: - application/ndjson: - examples: - ndjsonLine: - summary: Single NDJSON line - value: >- - {"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd","title":"Investigation","timelineType":"default"} - schema: - description: NDJSON of the exported Timelines - type: string - description: Indicates a successful call. 
- '400': - content: - application/ndjson: - examples: - badRequest: - summary: Export error - value: - body: Export limit exceeded - statusCode: 400 - schema: + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + type: + $ref: '#/components/schemas/Data_views_type' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta' + refresh_fields: + default: false + description: Reloads the data view fields after the data view is updated. + type: boolean + required: + - data_view + Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: - body: - type: string - statusCode: - type: number - description: Bad Request response. - summary: Export Timelines - tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_favorite: - patch: - description: Favorite a Timeline or Timeline template for the current user. 
- operationId: PersistFavoriteRoute - requestBody: - content: - application/json: - examples: - favoriteDefault: - summary: Favorite a default timeline - value: - templateTimelineId: null - templateTimelineVersion: null - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - timelineType: default - schema: - type: object - properties: - templateTimelineId: - nullable: true - type: string - templateTimelineVersion: - nullable: true - type: number - timelineId: - nullable: true - type: string - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - required: - - timelineId - - templateTimelineId - - templateTimelineVersion - - timelineType - description: The required fields used to favorite a (template) Timeline. - required: true - responses: - '200': - content: - application/json: - examples: - favoriteResponse: - summary: Favorite metadata updated - value: - favorite: - - favoriteDate: 1741337636741 - userName: elastic - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - timelineType: default - version: WzE2LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_FavoriteTimelineResponse - description: Indicates a successful call. - '403': - content: - application/json: - examples: - forbidden: - summary: Forbidden - value: - body: Forbidden - statusCode: 403 - schema: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. 
+ enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false type: object properties: - body: + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval type: string - statusCode: - type: number - description: >- - Indicates the user does not have the required permissions to persist - the favorite status. - summary: Favorite a Timeline or Timeline template - tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_import: - post: - description: Import Timelines. - operationId: ImportTimelines - requestBody: - content: - application/json: - examples: - multipartPlaceholder: - summary: Request shape (file is a stream of NDJSON lines at runtime) - value: - file: >- - {"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd"}\n - isImmutable: 'false' - schema: - type: object - properties: - file: {} - isImmutable: - description: Whether the Timeline should be immutable - enum: - - 'true' - - 'false' - type: string - required: - - file - description: The Timelines to import as a readable stream. - required: true - responses: - '200': - content: - application/json: - examples: - importSummary: - summary: Import summary - value: - errors: [] - success: true - success_count: 5 - timelines_installed: 3 - timelines_updated: 2 - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_ImportTimelineResult - description: Indicates a successful call. 
- '400': - content: - application/json: - examples: - badRequest: - summary: Invalid import - value: - body: Invalid file extension - statusCode: 400 - schema: - type: object - properties: - body: - description: The error message - example: Invalid file extension + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - '404': - content: - application/json: - examples: - notFound: - summary: Saved objects client missing - value: - body: Unable to find saved object client - statusCode: 404 - schema: + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object - properties: - body: - description: The error message - example: Unable to find saved object client - type: string - statusCode: - example: 404 - type: number - description: Not found response. 
- '409': - content: - application/json: - examples: - conflict: - summary: Import conflict - value: - body: Could not import timelines - statusCode: 409 - schema: + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false type: object properties: - body: - description: The error message - example: Could not import timelines + id: type: string - statusCode: - example: 409 - type: number - description: Indicates the import of Timelines was unsuccessful. - summary: Import Timelines - tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_prepackaged: - post: - description: Install or update prepackaged Timelines. 
- operationId: InstallPrepackedTimelines - requestBody: - content: - application/json: - examples: - emptyArrays: - summary: Installer payload shape - value: - prepackagedTimelines: [] - timelinesToInstall: [] - timelinesToUpdate: [] - schema: + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false type: object properties: - prepackagedTimelines: - items: - $ref: >- - #/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject - nullable: true - type: array - timelinesToInstall: - items: - $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' - nullable: true - type: array - timelinesToUpdate: - items: - $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' - nullable: true - type: array + blob: + maxLength: 10000 + type: string required: - - timelinesToInstall - - timelinesToUpdate - - prepackagedTimelines - description: The Timelines to install or update. - required: true - responses: - '200': - content: - application/json: - examples: - installResult: - summary: Install result counts - value: - errors: [] - success: true - success_count: 10 - timelines_installed: 8 - timelines_updated: 2 - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_ImportTimelineResult - description: Indicates a successful call. - '500': - content: - application/json: - examples: - serverError: - summary: Server error - value: - body: Internal error - statusCode: 500 - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: >- - Indicates the installation of prepackaged Timelines was - unsuccessful. - summary: Install prepackaged Timelines - tags: - - Security Timeline API - - access:securitySolution - /api/timeline/resolve: - get: - description: >- - Resolve a Timeline or Timeline template, surfacing outcomes such as - `exactMatch`, `aliasMatch`, or `conflict` when object IDs have been - remapped during upgrades or imports. 
Provide **either** `id` for default - Timelines or `template_timeline_id` for templates. - operationId: ResolveTimeline - parameters: - - description: The ID of the template timeline to resolve - in: query - name: template_timeline_id - schema: - type: string - - description: The ID of the timeline to resolve - in: query - name: id - schema: - type: string - responses: - '200': - content: - application/json: - examples: - exactMatch: - description: Timeline resolved without alias or conflict - summary: Exact match outcome - value: - outcome: exactMatch - timeline: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - timelineType: default - title: Investigation - schema: - $ref: '#/components/schemas/Security_Timeline_API_ResolvedTimeline' - description: Indicates a successful call. - '400': - content: - application/json: - examples: - badRequest: - summary: Bad request - value: {} - schema: - additionalProperties: true - type: object - description: Bad Request response. - '404': - content: - application/json: - examples: - notFound: - summary: Not found - value: {} - schema: - additionalProperties: true - type: object - description: The (template) Timeline was not found - summary: Resolve a Timeline or Timeline template - tags: - - Security Timeline API - - access:securitySolution - /api/timelines: - get: - description: Get a list of all saved Timelines or Timeline templates. - operationId: GetTimelines - parameters: - - description: >- - If `true`, only Timelines that the current user has marked as - favorite are returned. - in: query - name: only_user_favorite - schema: - enum: - - 'true' - - 'false' - nullable: true - type: string - - description: >- - Restrict results to `default` investigation timelines or `template` - timeline templates. 
- in: query - name: timeline_type - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - - description: >- - Field used to sort the list (`title`, `description`, `updated`, or - `created`). - in: query - name: sort_field - schema: - $ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline' - - description: Whether to sort the results `ascending` or `descending` - in: query - name: sort_order - schema: - enum: - - asc - - desc - type: string - - description: How many results should returned at once - in: query - name: page_size - schema: - nullable: true - type: string - - description: How many pages should be skipped - in: query - name: page_index - schema: - nullable: true - type: string - - description: Allows to search for timelines by their title - in: query - name: search - schema: - nullable: true + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. 
+ maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the APM anomaly rule. These parameters are appropriate when `rule_type_id` is `apm.anomaly"`. + properties: + anomalyDetectorTypes: + description: The types of anomalies that are detected. For example, detect abnormal latency, throughput, or failed transaction rates. + items: + enum: + - txLatency + - txThroughput + - txFailureRate + type: string + minItems: 1 + type: array + anomalySeverityType: + description: 'The severity of anomalies that result in an alert: critical, major, minor, or warning.' + enum: + - critical + - major + - minor + - warning + type: string + environment: + description: The environment from APM. + type: string + serviceName: + description: The service name from APM. + type: string + transactionType: + description: The transaction type from APM. 
+ type: string + windowSize: + description: The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + windowUnit: + description: 'The type of units for the time window: minutes, hours, or days.' + type: string + required: + - windowSize + - windowUnit + - environment + - anomalySeverityType + title: APM Anomaly Rule Params + type: object + rule_type_id: + enum: + - apm.anomaly + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: type: string - - description: >- - Filter by timeline lifecycle state (`active`, `draft`, or - `immutable`). - in: query - name: status - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true - responses: - '200': - content: - application/json: - examples: - timelineList: - summary: Example list response - value: - customTemplateTimelineCount: 0 - defaultTimelineCount: 1 - elasticTemplateTimelineCount: 0 - favoriteCount: 0 - templateTimelineCount: 0 - timeline: - - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Phishing investigation - updated: 1741344876825 - version: WzE0LDFd - totalCount: 1 - schema: + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: APM anomaly + type: object + Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: - customTemplateTimelineCount: - description: The amount of custom Timeline templates in the results - example: 2 - type: number - defaultTimelineCount: - description: The amount of `default` type Timelines in the results - example: 90 - type: number - elasticTemplateTimelineCount: - description: The amount of Elastic's Timeline templates in the results - example: 8 - type: number - favoriteCount: - description: The amount of favorited Timelines - example: 5 - type: number - templateTimelineCount: - description: The amount of Timeline templates in the results - example: 10 - type: number - timeline: - items: - $ref: >- - #/components/schemas/Security_Timeline_API_TimelineResponse - type: array - totalCount: - description: The total amount of results - example: 100 - type: number - required: - - timeline - - totalCount - description: Indicates a successful call. 
- '400': - content: - application/json: - examples: - badRequest: - summary: Error response body - value: - body: get timeline error - statusCode: 400 - schema: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. 
+ type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false type: object properties: - body: - description: The error message. - example: get timeline error + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - summary: Get Timelines or Timeline templates - tags: - - Security Timeline API - - access:securitySolution - /s/{spaceId}/api/observability/slos: - get: - description: > - You must have the `read` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. 
- operationId: findSlosOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - description: A valid kql query to filter the SLO with - example: 'slo.name:latency* and slo.tags : "prod"' - in: query - name: kqlQuery - schema: - type: string - - description: >- - The page size to use for cursor-based pagination, must be greater or - equal than 1 - example: 1 - in: query - name: size - schema: - default: 1 - type: integer - - description: >- - The cursor to use for fetching the results from, when using a - cursor-base pagination. - in: query - name: searchAfter - schema: - items: - type: string - type: array - - description: The page to use for pagination, must be greater or equal than 1 - example: 1 - in: query - name: page - schema: - default: 1 - type: integer - - description: Number of SLOs returned by page - example: 25 - in: query - name: perPage - schema: - default: 25 - maximum: 5000 - type: integer - - description: Sort by field - example: status - in: query - name: sortBy - schema: - default: status - enum: - - sli_value - - status - - error_budget_consumed - - error_budget_remaining - type: string - - description: Sort order - example: asc - in: query - name: sortDirection - schema: - default: asc - enum: - - asc - - desc - type: string - - description: >- - Hide stale SLOs from the list as defined by stale SLO threshold in - SLO settings - in: query - name: hideStale - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - findSloResponse: - summary: A paginated list of SLOs - value: - page: 1 - perPage: 25 - results: - - budgetingMethod: occurrences - createdAt: '2025-01-12T10:03:19.000Z' - description: Availability of my web service - enabled: true - groupBy: '*' - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - indicator: - params: - filter: >- - field.environment : "production" and service.name - : "my-service" - good: 'request.status_code : "2xx"' - index: 
logs-* - timestampField: '@timestamp' - total: 'request.status_code : *' - type: sli.kql.custom - instanceId: '*' - name: My Service Availability - objective: - target: 0.99 - revision: 1 - settings: - frequency: 5m - syncDelay: 5m - summary: - errorBudget: - consumed: 0.17 - initial: 0.01 - isEstimated: false - remaining: 0.83 - sliValue: 0.9983 - status: HEALTHY - tags: - - production - - web-service - timeWindow: - duration: 30d - type: rolling - updatedAt: '2025-01-12T10:03:19.000Z' - version: 2 - total: 42 - schema: - $ref: '#/components/schemas/SLOs_find_slo_response' - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''invalid'' supplied to: sortBy' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: >- - security_exception: action [slo_read] is unauthorized for - user - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Get a paginated list of SLOs - tags: - - slo - post: - description: > - You must have `all` privileges for the **SLOs** 
feature in the - **Observability** section of the Kibana feature privileges. - operationId: createSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - requestBody: - content: - application/json: - examples: - createSloKqlExample: - summary: Create an SLO with a KQL indicator - value: - budgetingMethod: occurrences - description: >- - Availability of my web service measured by successful HTTP - responses - indicator: - params: - filter: >- - field.environment : "production" and service.name : - "my-service" - good: 'request.status_code : "2xx"' - index: logs-* - timestampField: '@timestamp' - total: 'request.status_code : *' - type: sli.kql.custom - name: My Service Availability - objective: - target: 0.99 - settings: - frequency: 5m - syncDelay: 5m - tags: - - production - - web-service - timeWindow: - duration: 30d - type: rolling - schema: - $ref: '#/components/schemas/SLOs_create_slo_request' - required: true - responses: - '200': - content: - application/json: - examples: - createSloResponse: - summary: Create SLO response - value: - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - schema: - $ref: '#/components/schemas/SLOs_create_slo_response' - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: indicator/type' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: 
Forbidden - value: - error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '409': - content: - application/json: - examples: - conflictExample: - summary: Conflict - value: - error: Conflict - message: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists - statusCode: 409 - schema: - $ref: '#/components/schemas/SLOs_409_response' - description: Conflict - The SLO id already exists - summary: Create an SLO - tags: - - slo - /s/{spaceId}/api/observability/slos/_bulk_delete: - post: - description: > - Bulk delete SLO definitions and their associated summary and rollup - data. This endpoint initiates a bulk deletion operation for SLOs, which - may take some time to complete. The status of the operation can be - checked using the `GET /api/slo/_bulk_delete/{taskId}` endpoint. - operationId: bulkDeleteOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - requestBody: - content: - application/json: - examples: - bulkDeleteRequest: - summary: Bulk delete two SLOs - value: - list: - - 8853df00-ae2e-11ed-90af-09bb6422b258 - - d077e940-1515-11ee-9c50-9d096392f520 - schema: - $ref: '#/components/schemas/SLOs_bulk_delete_request' - required: true - responses: - '200': - content: - application/json: - examples: - bulkDeleteResponse: - summary: Bulk delete response with task ID - value: - taskId: d08506b7-f0e8-4f8b-a06a-a83940f4db91 - schema: - $ref: '#/components/schemas/SLOs_bulk_delete_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: list' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - 
examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - summary: >- - Bulk delete SLO definitions and their associated summary and rollup - data. - tags: - - slo - /s/{spaceId}/api/observability/slos/_bulk_delete/{taskId}: - get: - description: > - Retrieve the status of the bulk deletion operation for SLOs. This - endpoint returns the status of the bulk deletion operation, including - whether it is completed and the results of the operation. - operationId: bulkDeleteStatusOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - description: The task id of the bulk delete operation - in: path - name: taskId - required: true - schema: - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true
+ type: string
+ required:
+ - summary
+ - notify_when
+ - throttle
+ group:
+ description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
+ type: string
+ id:
+ description: The identifier for the connector saved object.
+ type: string
+ params:
+ additionalProperties:
+ nullable: true
+ default: {}
+ description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
+ type: object
+ use_alert_data_for_template:
+ description: Indicates whether to use alert data as a template.
+ type: boolean
+ uuid:
+ description: A universally unique identifier (UUID) for the action.
+ type: string
+ required:
+ - id
+ type: array
+ alert_delay:
+ additionalProperties: false
+ description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
+ type: object
+ properties:
+ active:
+ description: The number of consecutive runs that must meet the rule conditions.
+ type: number
+ required:
+ - active
+ artifacts:
+ additionalProperties: false
+ type: object
+ properties:
+ dashboards:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ maxItems: 10
+ type: array
+ investigation_guide:
+ additionalProperties: false
+ type: object
+ properties:
+ blob:
+ maxLength: 10000
+ type: string
+ required:
+ - blob
+ consumer:
+ description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
+ type: string
+ enabled:
+ default: true
+ description: Indicates whether you want to run the rule on an interval basis after it is created.
+ type: boolean
+ flapping:
+ additionalProperties: false
+ description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
+ nullable: true
+ type: object
+ properties:
+ enabled:
+ description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
+ type: boolean
+ look_back_window:
+ description: The minimum number of runs in which the threshold must be met.
+ maximum: 20
+ minimum: 2
+ type: number
+ status_change_threshold:
+ description: The minimum number of times an alert must switch states in the look back window.
+ maximum: 20
+ minimum: 2
+ type: number
+ required:
+ - look_back_window
+ - status_change_threshold
+ name:
+ description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
+ type: string
+ notify_when:
+ description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ enum:
+ - onActionGroupChange
+ - onActiveAlert
+ - onThrottleInterval
+ nullable: true
+ type: string
+ params:
+ additionalProperties: false
+ description: The parameters for the error count rule. These parameters are appropriate when `rule_type_id` is `apm.error_rate`.
+ properties:
+ environment:
+ description: Filter the errors coming from your application to apply the rule to a specific environment.
+ type: string
+ errorGroupingKey:
+ description: Filter the errors coming from your application to apply the rule to a specific error grouping key, which is a hash of the stack trace and other properties.
+ type: string
+ groupBy:
+ items:
+ description: Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group.
+ type: string
+ type: array
+ searchConfiguration:
+ additionalProperties: false
+ type: object
+ properties:
+ query:
+ additionalProperties: false
+ type: object
+ properties:
+ language:
+ type: string
+ query:
+ anyOf:
+ - type: string
+ - additionalProperties:
+ nullable: true
+ type: object
+ required:
+ - query
+ - language
+ required:
+ - query
+ serviceName:
+ description: Filter the errors coming from your application to apply the rule to a specific service.
+ type: string
+ threshold:
+ description: The number of errors, which is the threshold for alerts.
+ type: number
+ useKqlFilter:
+ description: A filter in Kibana Query Language (KQL) that limits the scope of the rule.
+ type: boolean
+ windowSize:
+ description: The time frame in which the errors must occur (in `windowUnit` units). Generally it should be a value higher than the rule check interval to avoid gaps in detection.
+ type: number
+ windowUnit:
+ description: 'The type of units for the time window: minutes, hours, or days.'
+ type: string
+ required:
+ - windowSize
+ - windowUnit
+ - threshold
+ - environment
+ title: Error Count Rule Params
+ type: object
+ rule_type_id:
+ enum:
+ - apm.error_rate
+ type: string
+ schedule:
+ additionalProperties: false
+ description: The check interval, which specifies how frequently the rule conditions are checked.
+ type: object
+ properties:
+ interval:
+ description: The interval is specified in seconds, minutes, hours, or days.
+ type: string
+ required:
+ - interval
+ tags:
+ default: []
+ description: The tags for the rule.
+ items:
 type: string
- responses:
- '200':
- content:
- application/json:
- examples:
- bulkDeleteStatusComplete:
- summary: Completed bulk deletion
- value:
- isDone: true
- results:
- - id: 8853df00-ae2e-11ed-90af-09bb6422b258
- success: true
- - id: d077e940-1515-11ee-9c50-9d096392f520
- success: true
- bulkDeleteStatusPartialFailure:
- summary: Completed with partial failure
- value:
- isDone: true
- results:
- - id: 8853df00-ae2e-11ed-90af-09bb6422b258
- success: true
- - error: SLO [d077e940-1515-11ee-9c50-9d096392f520] not found
- id: d077e940-1515-11ee-9c50-9d096392f520
- success: false
- schema:
- $ref: '#/components/schemas/SLOs_bulk_delete_status_response'
- description: Successful response
- '400':
- content:
- application/json:
- examples:
- badRequestExample:
- summary: Bad request
- value:
- error: Bad Request
- message: 'Invalid value ''foo'' supplied to: taskId'
- statusCode: 400
- schema:
- $ref: '#/components/schemas/SLOs_400_response'
- description: Bad request
- '401':
- content:
- application/json:
- examples:
- unauthorizedExample:
- summary: Unauthorized
- value:
- error: Unauthorized
- message: >-
- security_exception: unable to authenticate user for REST
- request [/api/observability/slos]
- statusCode: 401
- schema:
- $ref: '#/components/schemas/SLOs_401_response'
- description: Unauthorized response
- '403':
- content:
- application/json:
- examples:
- forbiddenExample:
- summary: Forbidden
- value:
- error: Forbidden
- message: >-
- security_exception: action [slo_write] is unauthorized for
- user
- statusCode: 403
- schema:
- $ref: '#/components/schemas/SLOs_403_response'
- description: Forbidden response
- summary: Retrieve the status of the bulk deletion
- tags:
- - slo
- /s/{spaceId}/api/observability/slos/_bulk_purge_rollup:
- post:
- description: >
- The deletion occurs for the specified list of `sloId`. You must have
- `all` privileges for the **SLOs** feature in the **Observability**
- section of the Kibana feature privileges.
- operationId: deleteRollupDataOp
- parameters:
- - $ref: '#/components/parameters/SLOs_kbn_xsrf'
- - $ref: '#/components/parameters/SLOs_space_id'
- requestBody:
- content:
- application/json:
- examples:
- purgeByAgeExample:
- summary: Purge rollup data older than 7 days
- value:
- list:
- - 8853df00-ae2e-11ed-90af-09bb6422b258
- purgePolicy:
- age: 7d
- purgeType: fixed-age
- purgeByTimestampExample:
- summary: Purge rollup data before a specific date
- value:
- list:
- - 8853df00-ae2e-11ed-90af-09bb6422b258
- - d077e940-1515-11ee-9c50-9d096392f520
- purgePolicy:
- purgeType: fixed-time
- timestamp: '2024-12-31T00:00:00.000Z'
- schema:
- $ref: '#/components/schemas/SLOs_bulk_purge_rollup_request'
- required: true
- responses:
- '200':
- content:
- application/json:
- examples:
- bulkPurgeResponse:
- summary: Bulk purge response with task ID
- value:
- taskId: 8853df00-ae2e-11ed-90af-09bb6422b258
- schema:
- $ref: '#/components/schemas/SLOs_bulk_purge_rollup_response'
- description: Successful request
- '400':
- content:
- application/json:
- examples:
- badRequestExample:
- summary: Bad request
- value:
- error: Bad Request
- message: 'Invalid value ''foo'' supplied to: purgePolicy/purgeType'
- statusCode: 400
- schema:
- $ref: '#/components/schemas/SLOs_400_response'
- description: Bad request
- '401':
- content:
- application/json:
- examples:
- unauthorizedExample:
- summary: Unauthorized
- value:
- error: Unauthorized
- message: >-
- security_exception: unable to authenticate user for REST
- request [/api/observability/slos]
- statusCode: 401
- schema:
- $ref: '#/components/schemas/SLOs_401_response'
- description: Unauthorized response
- '403':
- content:
- application/json:
- examples:
- forbiddenExample:
- summary: Forbidden
- value:
- error: Forbidden
- message: >-
- security_exception: action [slo_write] is unauthorized for
- user
- statusCode: 403
- schema:
- $ref: '#/components/schemas/SLOs_403_response'
- description: Forbidden response
- summary: Batch delete rollup and summary data
- tags:
- - slo
- /s/{spaceId}/api/observability/slos/_delete_instances:
- post:
- description: >
- The deletion occurs for the specified list of `sloId` and `instanceId`.
- You must have `all` privileges for the **SLOs** feature in the
- **Observability** section of the Kibana feature privileges.
- operationId: deleteSloInstancesOp
- parameters:
- - $ref: '#/components/parameters/SLOs_kbn_xsrf'
- - $ref: '#/components/parameters/SLOs_space_id'
- requestBody:
- content:
- application/json:
- examples:
- deleteInstancesExample:
- summary: Delete specific SLO instances
- value:
- list:
- - instanceId: host-abc123
- sloId: 8853df00-ae2e-11ed-90af-09bb6422b258
- - instanceId: host-def456
- sloId: 8853df00-ae2e-11ed-90af-09bb6422b258
- schema:
- $ref: '#/components/schemas/SLOs_delete_slo_instances_request'
- required: true
- responses:
- '204':
- description: Successful request
- '400':
- content:
- application/json:
- examples:
- badRequestExample:
- summary: Bad request
- value:
- error: Bad Request
- message: 'Invalid value ''foo'' supplied to: list/0/sloId'
- statusCode: 400
- schema:
- $ref: '#/components/schemas/SLOs_400_response'
- description: Bad request
- '401':
- content:
- application/json:
- examples:
- unauthorizedExample:
- summary: Unauthorized
- value:
- error: Unauthorized
- message: >-
- security_exception: unable to authenticate user for REST
- request [/api/observability/slos]
- statusCode: 401
- schema:
- $ref: '#/components/schemas/SLOs_401_response'
- description: Unauthorized response
- '403':
- content:
- application/json:
- examples:
- forbiddenExample:
- summary: Forbidden
- value:
- error: Forbidden
- message: >-
- security_exception: action [slo_write] is unauthorized for
- user
- statusCode: 403
- schema:
- $ref: '#/components/schemas/SLOs_403_response'
- description: Forbidden response
- summary: Batch delete rollup and summary data
- tags:
- - slo
- /s/{spaceId}/api/observability/slos/{sloId}:
- delete:
- description: >
- You must have the `write` privileges for the **SLOs** feature in the
- **Observability** section of the Kibana feature privileges.
- operationId: deleteSloOp
- parameters:
- - $ref: '#/components/parameters/SLOs_kbn_xsrf'
- - $ref: '#/components/parameters/SLOs_space_id'
- - $ref: '#/components/parameters/SLOs_slo_id'
- responses:
- '204':
- description: Successful request
- '400':
- content:
- application/json:
- examples:
- badRequestExample:
- summary: Bad request
- value:
- error: Bad Request
- message: 'Invalid value ''foo'' supplied to: id'
- statusCode: 400
- schema:
- $ref: '#/components/schemas/SLOs_400_response'
- description: Bad request
- '401':
- content:
- application/json:
- examples:
- unauthorizedExample:
- summary: Unauthorized
- value:
- error: Unauthorized
- message: >-
- security_exception: unable to authenticate user for REST
- request [/api/observability/slos]
- statusCode: 401
- schema:
- $ref: '#/components/schemas/SLOs_401_response'
- description: Unauthorized response
- '403':
- content:
- application/json:
- examples:
- forbiddenExample:
- summary: Forbidden
- value:
- error: Forbidden
- message: >-
- security_exception: action [slo_write] is unauthorized for
- user
- statusCode: 403
- schema:
- $ref: '#/components/schemas/SLOs_403_response'
- description: Forbidden response
- '404':
- content:
- application/json:
- examples:
- notFoundExample:
- summary: Not found
- value:
- error: Not Found
- message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found
- statusCode: 404
- schema:
- $ref: '#/components/schemas/SLOs_404_response'
- description: Not found response
- summary: Delete an SLO
- tags:
- - slo
- get:
- description: >
- You must have the `read` privileges for the **SLOs** feature in the
- **Observability** section of the Kibana feature privileges.
- operationId: getSloOp
- parameters:
- - $ref: '#/components/parameters/SLOs_kbn_xsrf'
- - $ref: '#/components/parameters/SLOs_space_id'
- - $ref: '#/components/parameters/SLOs_slo_id'
- - description: the specific instanceId used by the summary calculation
- example: host-abcde
- in: query
- name: instanceId
- schema:
+ type: array
+ throttle:
+ description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ nullable: true
+ type: string
+ required:
+ - name
+ - consumer
+ - schedule
+ - rule_type_id
+ - params
+ title: Error rate
+ type: object
+ Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting:
+ additionalProperties: false
+ properties:
+ actions:
+ default: []
+ items:
+ additionalProperties: false
+ description: An action that runs under defined conditions.
+ type: object
+ properties:
+ alerts_filter:
+ additionalProperties: false
+ description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
+ type: object
+ properties:
+ query:
+ additionalProperties: false
+ type: object
+ properties:
+ dsl:
+ description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
+ type: string
+ filters:
+ description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ $state:
+ additionalProperties: false
+ type: object
+ properties:
+ store:
+ description: A filter can be either specific to an application context or applied globally.
+ enum:
+ - appState
+ - globalState
+ type: string
+ required:
+ - store
+ meta:
+ additionalProperties:
+ description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
+ nullable: true
+ type: object
+ query:
+ additionalProperties:
+ description: A query for the filter.
+ nullable: true
+ type: object
+ required:
+ - meta
+ type: array
+ kql:
+ description: A filter written in Kibana Query Language (KQL).
+ type: string
+ required:
+ - kql
+ - filters
+ timeframe:
+ additionalProperties: false
+ description: Defines a period that limits whether the action runs.
+ type: object
+ properties:
+ days:
+ description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
+ items:
+ enum:
+ - 1
+ - 2
+ - 3
+ - 4
+ - 5
+ - 6
+ - 7
+ type: integer
+ type: array
+ hours:
+ additionalProperties: false
+ description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day.
+ type: object
+ properties:
+ end:
+ description: The end of the time frame in 24-hour notation (`hh:mm`).
+ type: string
+ start:
+ description: The start of the time frame in 24-hour notation (`hh:mm`).
+ type: string
+ required:
+ - start
+ - end
+ timezone:
+ description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
+ type: string
+ required:
+ - days
+ - hours
+ - timezone
+ frequency:
+ additionalProperties: false
+ type: object
+ properties:
+ notify_when:
+ description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ enum:
+ - onActionGroupChange
+ - onActiveAlert
+ - onThrottleInterval
+ type: string
+ summary:
+ description: Indicates whether the action is a summary.
+ type: boolean
+ throttle:
+ description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ nullable: true
+ type: string
+ required:
+ - summary
+ - notify_when
+ - throttle
+ group:
+ description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
+ type: string
+ id:
+ description: The identifier for the connector saved object.
+ type: string
+ params:
+ additionalProperties:
+ nullable: true
+ default: {}
+ description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
+ type: object
+ use_alert_data_for_template:
+ description: Indicates whether to use alert data as a template.
+ type: boolean
+ uuid:
+ description: A universally unique identifier (UUID) for the action.
+ type: string
+ required:
+ - id
+ type: array
+ alert_delay:
+ additionalProperties: false
+ description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
+ type: object
+ properties:
+ active:
+ description: The number of consecutive runs that must meet the rule conditions.
+ type: number
+ required:
+ - active
+ artifacts:
+ additionalProperties: false
+ type: object
+ properties:
+ dashboards:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ maxItems: 10
+ type: array
+ investigation_guide:
+ additionalProperties: false
+ type: object
+ properties:
+ blob:
+ maxLength: 10000
+ type: string
+ required:
+ - blob
+ consumer:
+ description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
+ type: string
+ enabled:
+ default: true
+ description: Indicates whether you want to run the rule on an interval basis after it is created.
+ type: boolean
+ flapping:
+ additionalProperties: false
+ description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
+ nullable: true
+ type: object
+ properties:
+ enabled:
+ description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
+ type: boolean
+ look_back_window:
+ description: The minimum number of runs in which the threshold must be met.
+ maximum: 20
+ minimum: 2
+ type: number
+ status_change_threshold:
+ description: The minimum number of times an alert must switch states in the look back window.
+ maximum: 20
+ minimum: 2
+ type: number
+ required:
+ - look_back_window
+ - status_change_threshold
+ name:
+ description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
+ type: string
+ notify_when:
+ description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ enum:
+ - onActionGroupChange
+ - onActiveAlert
+ - onThrottleInterval
+ nullable: true
+ type: string
+ params:
+ additionalProperties: false
+ description: The parameters for the transaction duration rule. These parameters are appropriate when `rule_type_id` is `apm.transaction_duration`.
+ properties:
+ aggregationType:
+ description: The type of aggregation to perform.
+ enum:
+ - avg
+ - 95th
+ - 99th
+ type: string
+ environment:
+ description: Filter the rule to apply to a specific environment.
+ type: string
+ groupBy:
+ items:
+ description: Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group.
+ type: string
+ type: array
+ searchConfiguration:
+ additionalProperties: false
+ type: object
+ properties:
+ query:
+ additionalProperties: false
+ type: object
+ properties:
+ language:
+ type: string
+ query:
+ anyOf:
+ - type: string
+ - additionalProperties:
+ nullable: true
+ type: object
+ required:
+ - query
+ - language
+ required:
+ - query
+ serviceName:
+ description: Filter the rule to apply to a specific service.
+ type: string
+ threshold:
+ description: The latency threshold value.
+ type: number
+ transactionName:
+ description: Filter the rule to apply to a specific transaction name.
+ type: string
+ transactionType:
+ description: Filter the rule to apply to a specific transaction type.
+ type: string
+ useKqlFilter:
+ description: A Kibana Query Language (KQL) expression thats limits the scope of alerts.
+ type: boolean
+ windowSize:
+ description: The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
+ type: number
+ windowUnit:
+ description: 'The type of units for the time window. For example: minutes, hours, or days.'
+ type: string
+ required:
+ - windowSize
+ - windowUnit
+ - threshold
+ - aggregationType
+ - environment
+ title: Transaction Duration Rule Params
+ type: object
+ rule_type_id:
+ enum:
+ - apm.transaction_duration
+ type: string
+ schedule:
+ additionalProperties: false
+ description: The check interval, which specifies how frequently the rule conditions are checked.
+ type: object
+ properties:
+ interval:
+ description: The interval is specified in seconds, minutes, hours, or days.
+ type: string
+ required:
+ - interval
+ tags:
+ default: []
+ description: The tags for the rule.
+ items:
 type: string
- responses:
- '200':
- content:
- application/json:
- examples:
- getSloResponse:
- summary: Get SLO response
- value:
- budgetingMethod: occurrences
- createdAt: '2025-01-12T10:03:19.000Z'
- description: Availability of my web service
- enabled: true
- groupBy: '*'
- id: 8853df00-ae2e-11ed-90af-09bb6422b258
- indicator:
- params:
- filter: >-
- field.environment : "production" and service.name :
- "my-service"
- good: 'request.status_code : "2xx"'
- index: logs-*
- timestampField: '@timestamp'
- total: 'request.status_code : *'
- type: sli.kql.custom
- instanceId: '*'
- name: My Service Availability
- objective:
- target: 0.99
- revision: 1
- settings:
- frequency: 5m
- syncDelay: 5m
- summary:
- errorBudget:
- consumed: 0.17
- initial: 0.01
- isEstimated: false
- remaining: 0.83
- sliValue: 0.9983
- status: HEALTHY
- tags:
- - production
- - web-service
- timeWindow:
- duration: 30d
- type: rolling
- updatedAt: '2025-01-12T10:03:19.000Z'
- version: 2
- schema:
- $ref: '#/components/schemas/SLOs_slo_with_summary_response'
- description: Successful request
- '400':
- content:
- application/json:
- examples:
- badRequestExample:
- summary: Bad request
- value:
- error: Bad Request
- message: 'Invalid value ''foo'' supplied to: id'
- statusCode: 400
- schema:
- $ref: '#/components/schemas/SLOs_400_response'
- description: Bad request
- '401':
- content:
- application/json:
- examples:
- unauthorizedExample:
- summary: Unauthorized
- value:
- error: Unauthorized
- message: >-
- security_exception: unable to authenticate user for REST
- request [/api/observability/slos]
- statusCode: 401
- schema:
- $ref: '#/components/schemas/SLOs_401_response'
- description: Unauthorized response
- '403':
- content:
- application/json:
- examples:
- forbiddenExample:
- summary: Forbidden
- value:
- error: Forbidden
- message: >-
- security_exception: action [slo_read] is unauthorized for
- user
- statusCode: 403
- schema:
- $ref: '#/components/schemas/SLOs_403_response'
- description: Forbidden response
- '404':
- content:
- application/json:
- examples:
- notFoundExample:
- summary: Not found
- value:
- error: Not Found
- message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found
- statusCode: 404
- schema:
- $ref: '#/components/schemas/SLOs_404_response'
- description: Not found response
- summary: Get an SLO
- tags:
- - slo
- put:
- description: >
- You must have the `write` privileges for the **SLOs** feature in the
- **Observability** section of the Kibana feature privileges.
- operationId: updateSloOp
- parameters:
- - $ref: '#/components/parameters/SLOs_kbn_xsrf'
- - $ref: '#/components/parameters/SLOs_space_id'
- - $ref: '#/components/parameters/SLOs_slo_id'
- requestBody:
- content:
- application/json:
- examples:
- updateSloNameExample:
- summary: Update the SLO name and tags
- value:
- name: Updated Service Availability
- tags:
- - production
- - updated
- updateSloObjectiveExample:
- summary: Update the SLO objective
- value:
- objective:
- target: 0.995
- schema:
- $ref: '#/components/schemas/SLOs_update_slo_request'
- required: true
- responses:
- '200':
- content:
- application/json:
- examples:
- updateSloResponse:
- summary: Update SLO response
- value:
- budgetingMethod: occurrences
- createdAt: '2025-01-12T10:03:19.000Z'
- description: Availability of my web service
- enabled: true
- groupBy: '*'
- id: 8853df00-ae2e-11ed-90af-09bb6422b258
- indicator:
- params:
- filter: >-
- field.environment : "production" and service.name :
- "my-service"
- good: 'request.status_code : "2xx"'
- index: logs-*
- timestampField: '@timestamp'
- total: 'request.status_code : *'
- type: sli.kql.custom
- name: Updated Service Availability
- objective:
- target: 0.99
- revision: 2
- settings:
- frequency: 5m
- syncDelay: 5m
- tags:
- - production
- - updated
- timeWindow:
- duration: 30d
- type: rolling
- updatedAt: '2025-03-26T14:30:00.000Z'
- version: 2
- schema:
- $ref: '#/components/schemas/SLOs_slo_definition_response'
- description: Successful request
- '400':
- content:
- application/json:
- examples:
- badRequestExample:
- summary: Bad request
- value:
- error: Bad Request
- message: 'Invalid value ''foo'' supplied to: indicator/type'
- statusCode: 400
- schema:
- $ref: '#/components/schemas/SLOs_400_response'
- description: Bad request
- '401':
- content:
- application/json:
- examples:
- unauthorizedExample:
- summary: Unauthorized
- value:
- error: Unauthorized
- message: >-
- security_exception: unable to authenticate user for REST
- request [/api/observability/slos]
- statusCode: 401
- schema:
- $ref: '#/components/schemas/SLOs_401_response'
- description: Unauthorized response
- '403':
- content:
- application/json:
- examples:
- forbiddenExample:
- summary: Forbidden
- value:
- error: Forbidden
- message: >-
- security_exception: action [slo_write] is unauthorized for
- user
- statusCode: 403
- schema:
- $ref: '#/components/schemas/SLOs_403_response'
- description: Forbidden response
- '404':
- content:
- application/json:
- examples:
- notFoundExample:
- summary: Not found
- value:
- error: Not Found
- message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found
- statusCode: 404
- schema:
- $ref: '#/components/schemas/SLOs_404_response'
- description: Not found response
- summary: Update an SLO
- tags:
- - slo
- /s/{spaceId}/api/observability/slos/{sloId}/_reset:
- post:
- description: >
- You must have the `write` privileges for the **SLOs** feature in the
- **Observability** section of the Kibana feature privileges.
- operationId: resetSloOp
- parameters:
- - $ref: '#/components/parameters/SLOs_kbn_xsrf'
- - $ref: '#/components/parameters/SLOs_space_id'
- - $ref: '#/components/parameters/SLOs_slo_id'
- responses:
- '200':
- content:
- application/json:
- examples:
- resetSloResponse:
- summary: Reset SLO response
- value:
- budgetingMethod: occurrences
- createdAt: '2025-01-12T10:03:19.000Z'
- description: Availability of my web service
- enabled: true
- groupBy: '*'
- id: 8853df00-ae2e-11ed-90af-09bb6422b258
- indicator:
- params:
- filter: >-
- field.environment : "production" and service.name :
- "my-service"
- good: 'request.status_code : "2xx"'
- index: logs-*
- timestampField: '@timestamp'
- total: 'request.status_code : *'
- type: sli.kql.custom
- name: My Service Availability
- objective:
- target: 0.99
- revision: 2
- settings:
- frequency: 5m
- syncDelay: 5m
- tags:
- - production
- - web-service
- timeWindow:
- duration: 30d
- type: rolling
- updatedAt: '2025-03-26T14:30:00.000Z'
- version: 2
- schema:
- $ref: '#/components/schemas/SLOs_slo_definition_response'
- description: Successful request
- '400':
- content:
- application/json:
- examples:
- badRequestExample:
- summary: Bad request
- value:
- error: Bad Request
- message: 'Invalid value ''foo'' supplied to: id'
- statusCode: 400
- schema:
- $ref: '#/components/schemas/SLOs_400_response'
- description: Bad request
- '401':
- content:
- application/json:
- examples:
- unauthorizedExample:
- summary: Unauthorized
- value:
- error: Unauthorized
- message: >-
- security_exception: unable to authenticate user for REST
- request [/api/observability/slos]
- statusCode: 401
- schema:
- $ref: '#/components/schemas/SLOs_401_response'
- description: Unauthorized response
- '403':
- content:
- application/json:
- examples:
- forbiddenExample:
- summary: Forbidden
- value:
- error: Forbidden
- message: >-
- security_exception: action [slo_write] is unauthorized for
- user
- statusCode: 403
- schema:
- $ref: '#/components/schemas/SLOs_403_response'
- description: Forbidden response
- '404':
- content:
- application/json:
- examples:
- notFoundExample:
- summary: Not found
- value:
- error: Not Found
- message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found
- statusCode: 404
- schema:
- $ref: '#/components/schemas/SLOs_404_response'
- description: Not found response
- summary: Reset an SLO
- tags:
- - slo
- /s/{spaceId}/api/observability/slos/{sloId}/disable:
- post:
- description: >
- You must have the `write` privileges for the **SLOs** feature in the
- **Observability** section of the Kibana feature privileges.
- operationId: disableSloOp
- parameters:
- - $ref: '#/components/parameters/SLOs_kbn_xsrf'
- - $ref: '#/components/parameters/SLOs_space_id'
- - $ref: '#/components/parameters/SLOs_slo_id'
- responses:
- '204':
- description: Successful request
- '400':
- content:
- application/json:
- examples:
- badRequestExample:
- summary: Bad request
- value:
- error: Bad Request
- message: 'Invalid value ''foo'' supplied to: id'
- statusCode: 400
- schema:
- $ref: '#/components/schemas/SLOs_400_response'
- description: Bad request
- '401':
- content:
- application/json:
- examples:
- unauthorizedExample:
- summary: Unauthorized
- value:
- error: Unauthorized
- message: >-
- security_exception: unable to authenticate user for REST
- request [/api/observability/slos]
- statusCode: 401
- schema:
- $ref: '#/components/schemas/SLOs_401_response'
- description: Unauthorized response
- '403':
- content:
- application/json:
- examples:
- forbiddenExample:
- summary: Forbidden
- value:
- error: Forbidden
- message: >-
- security_exception: action [slo_write] is unauthorized for
- user
- statusCode: 403
- schema:
- $ref: '#/components/schemas/SLOs_403_response'
- description: Forbidden response
- '404':
- content:
- application/json:
- examples:
- notFoundExample:
- summary: Not found
- value:
- error: Not Found
- message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found
- statusCode: 404
- schema:
- $ref: '#/components/schemas/SLOs_404_response'
- description: Not found response
- summary: Disable an SLO
- tags:
- - slo
- /s/{spaceId}/api/observability/slos/{sloId}/enable:
- post:
- description: >
- You must have the `write` privileges for the **SLOs** feature in the
- **Observability** section of the Kibana feature privileges.
- operationId: enableSloOp
- parameters:
- - $ref: '#/components/parameters/SLOs_kbn_xsrf'
- - $ref: '#/components/parameters/SLOs_space_id'
- - $ref: '#/components/parameters/SLOs_slo_id'
- responses:
- '204':
- description: Successful request
- '400':
- content:
- application/json:
- examples:
- badRequestExample:
- summary: Bad request
- value:
- error: Bad Request
- message: 'Invalid value ''foo'' supplied to: id'
- statusCode: 400
- schema:
- $ref: '#/components/schemas/SLOs_400_response'
- description: Bad request
- '401':
- content:
- application/json:
- examples:
- unauthorizedExample:
- summary: Unauthorized
- value:
- error: Unauthorized
- message: >-
- security_exception: unable to authenticate user for REST
- request [/api/observability/slos]
- statusCode: 401
- schema:
- $ref: '#/components/schemas/SLOs_401_response'
- description: Unauthorized response
- '403':
- content:
- application/json:
- examples:
- forbiddenExample:
- summary: Forbidden
- value:
- error: Forbidden
- message: >-
- security_exception: action [slo_write] is unauthorized for
- user
- statusCode: 403
- schema:
- $ref: '#/components/schemas/SLOs_403_response'
- description: Forbidden response
- '404':
- content:
- application/json:
- examples:
- notFoundExample:
- summary: Not found
- value:
- error: Not Found
- message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found
- statusCode: 404
- schema:
- $ref: '#/components/schemas/SLOs_404_response'
- description: Not found response
- summary: Enable an SLO
- tags:
- - slo
- /s/{spaceId}/internal/observability/slos/_definitions:
- get:
- description: >
- You must have the `read` privileges for the **SLOs** feature in the
- **Observability** section of the Kibana feature privileges.
- operationId: getDefinitionsOp
- parameters:
- - $ref: '#/components/parameters/SLOs_kbn_xsrf'
- - $ref: '#/components/parameters/SLOs_space_id'
- - description: >-
- Indicates if the API returns only outdated SLO or all SLO
- definitions
- in: query
- name: includeOutdatedOnly
- schema:
- type: boolean
- - description: Indicates if the API returns SLO health data with definitions
- example: true
- in: query
- name: includeHealth
- schema:
- type: boolean
- - description: Filters the SLOs by tag
- in: query
- name: tags
- schema:
+ type: array
+ throttle:
+ description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ nullable: true
+ type: string
+ required:
+ - name
+ - consumer
+ - schedule
+ - rule_type_id
+ - params
+ title: Transaction duration
+ type: object
+ Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting:
+ additionalProperties: false
+ properties:
+ actions:
+ default: []
+ items:
+ additionalProperties: false
+ description: An action that runs under defined conditions.
+ type: object
+ properties:
+ alerts_filter:
+ additionalProperties: false
+ description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
+ type: object
+ properties:
+ query:
+ additionalProperties: false
+ type: object
+ properties:
+ dsl:
+ description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
+ type: string
+ filters:
+ description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ $state:
+ additionalProperties: false
+ type: object
+ properties:
+ store:
+ description: A filter can be either specific to an application context or applied globally.
+ enum:
+ - appState
+ - globalState
+ type: string
+ required:
+ - store
+ meta:
+ additionalProperties:
+ description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
+ nullable: true
+ type: object
+ query:
+ additionalProperties:
+ description: A query for the filter.
+ nullable: true
+ type: object
+ required:
+ - meta
+ type: array
+ kql:
+ description: A filter written in Kibana Query Language (KQL).
+ type: string
+ required:
+ - kql
+ - filters
+ timeframe:
+ additionalProperties: false
+ description: Defines a period that limits whether the action runs.
+ type: object
+ properties:
+ days:
+ description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
+ items:
+ enum:
+ - 1
+ - 2
+ - 3
+ - 4
+ - 5
+ - 6
+ - 7
+ type: integer
+ type: array
+ hours:
+ additionalProperties: false
+ description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day.
+ type: object
+ properties:
+ end:
+ description: The end of the time frame in 24-hour notation (`hh:mm`).
+ type: string
+ start:
+ description: The start of the time frame in 24-hour notation (`hh:mm`).
+ type: string
+ required:
+ - start
+ - end
+ timezone:
+ description: The ISO time zone for the `hours` values.
Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. 
+ type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. 
+ nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the transaction error rate rule. These parameters are appropriate when `rule_type_id` is `apm.transaction_error_rate`. 
+ properties: + environment: + type: string + groupBy: + items: + type: string + type: array + searchConfiguration: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + language: + type: string + query: + anyOf: + - type: string + - additionalProperties: + nullable: true + type: object + required: + - query + - language + required: + - query + serviceName: + type: string + threshold: + type: number + transactionName: + type: string + transactionType: + type: string + useKqlFilter: + type: boolean + windowSize: + type: number + windowUnit: + type: string + required: + - windowSize + - windowUnit + - threshold + - environment + title: Transaction Error Rate Rule Params + type: object + rule_type_id: + enum: + - apm.transaction_error_rate + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Transaction error rate + type: object + Kibana_HTTP_APIs_ClassicFieldDefinition: + additionalProperties: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinitionConfig' + type: object + Kibana_HTTP_APIs_ClassicFieldDefinitionConfig: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' + - anyOf: + - additionalProperties: false + type: object + properties: + description: + type: string + format: + description: A non-empty string. + minLength: 1 + type: string + type: + enum: + - keyword + - match_only_text + - long + - double + - date + - boolean + - ip + - geo_point + - integer + - short + - byte + - float + - half_float + - text + - wildcard + - version + - unsigned_long + - date_nanos + type: string + required: + - type + - additionalProperties: false + type: object + properties: + description: + type: string + type: + enum: + - system + type: string + required: + - type + Kibana_HTTP_APIs_ClassicStreamUpsertRequest: + additionalProperties: false + type: object + properties: + dashboards: + items: + type: string + type: array + queries: + items: + type: object + properties: + description: + type: string + esql: + type: object + properties: + query: + type: string + required: + - query + evidence: + items: + type: string + type: array + id: + description: A non-empty string. + minLength: 1 + type: string + severity_score: + type: number + title: + description: A non-empty string. 
+ minLength: 1 + type: string + type: + default: match + enum: + - match + - stats + type: string + required: + - id + - title + - description + - esql + type: array + rules: + items: + type: string + type: array + stream: + additionalProperties: false + type: object + properties: + description: + type: string + ingest: + additionalProperties: false + type: object + properties: + classic: + additionalProperties: false + type: object + properties: + field_overrides: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinition' + failure_store: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' + lifecycle: + $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' + processing: + additionalProperties: false + type: object + properties: + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + updated_at: {} + required: + - steps + settings: + additionalProperties: false + type: object + properties: + index.number_of_replicas: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.number_of_shards: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.refresh_interval: + additionalProperties: false + type: object + properties: + value: + anyOf: + - type: string + - enum: + - -1 + type: number + required: + - value + required: + - lifecycle + - processing + - settings + - failure_store + - classic + query_streams: + items: + type: object + properties: + name: + type: string + required: + - name + type: array + type: + enum: + - classic + type: string + required: + - description + - ingest + - type + required: + - dashboards + - rules + - queries + - stream + Kibana_HTTP_APIs_Condition: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_FilterCondition' + - additionalProperties: false + description: A logical AND that groups multiple conditions. 
+ type: object + properties: + and: + description: An array of conditions. All sub-conditions must be true for this condition to be true. + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + type: array + required: + - and + - additionalProperties: false + description: A logical OR that groups multiple conditions. + type: object + properties: + or: + description: An array of conditions. At least one sub-condition must be true for this condition to be true. + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + type: array + required: + - or + - additionalProperties: false + description: A logical NOT that negates a condition. + type: object + properties: + not: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: A condition that negates another condition. + required: + - not + - additionalProperties: false + description: A condition that always evaluates to false. + type: object + properties: + never: + additionalProperties: false + description: An empty object. This condition never matches. + type: object + properties: {} + required: + - never + - additionalProperties: false + description: A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered. + type: object + properties: + always: + additionalProperties: false + description: An empty object. This condition always matches. + type: object + properties: {} + required: + - always + description: The root condition object. It can be a simple filter or a combination of other conditions. 
+ Kibana_HTTP_APIs_ConditionWithSteps: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + - additionalProperties: false + type: object + properties: + else: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + required: + - steps + Kibana_HTTP_APIs_ContentPackIncludedObjects: + anyOf: + - additionalProperties: false + type: object + properties: + objects: + additionalProperties: false + type: object + properties: + all: + additionalProperties: false + type: object + properties: {} + required: + - all + required: + - objects + - additionalProperties: false + type: object + properties: + objects: + additionalProperties: false + type: object + properties: + mappings: + type: boolean + queries: + items: + type: object + properties: + id: + type: string + required: + - id + type: array + routing: + items: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_ContentPackIncludedObjects' + - type: object + properties: + destination: + type: string + required: + - destination + type: array + required: + - mappings + - queries + - routing + required: + - objects + Kibana_HTTP_APIs_core_status_redactedResponse: + additionalProperties: false + description: A minimal representation of Kibana's operational status. + properties: + status: + additionalProperties: false + type: object + properties: + overall: + additionalProperties: false + type: object + properties: + level: + description: Service status levels as human and machine readable values. 
+ enum: + - available + - degraded + - unavailable + - critical + type: string + required: + - level + required: + - overall + required: + - status + title: core_status_redactedResponse + type: object + Kibana_HTTP_APIs_core_status_response: + additionalProperties: false + description: Kibana's operational status as well as a detailed breakdown of plugin statuses indication of various loads (like event loop utilization and network traffic) at time of request. + properties: + metrics: + additionalProperties: false + description: Metric groups collected by Kibana. + type: object + properties: + collection_interval_in_millis: + description: The interval at which metrics should be collected. + type: number + elasticsearch_client: + additionalProperties: false + description: Current network metrics of Kibana's Elasticsearch client. + type: object + properties: + totalActiveSockets: + description: Count of network sockets currently in use. + type: number + totalIdleSockets: + description: Count of network sockets currently idle. + type: number + totalQueuedRequests: + description: Count of requests not yet assigned to sockets. + type: number + required: + - totalActiveSockets + - totalIdleSockets + - totalQueuedRequests + last_updated: + description: The time metrics were collected. + type: string + required: + - elasticsearch_client + - last_updated + - collection_interval_in_millis + name: + description: Kibana instance name. + type: string + status: + additionalProperties: false + type: object + properties: + core: + additionalProperties: false + description: Statuses of core Kibana services. + type: object + properties: + elasticsearch: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. 
+ enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + http: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + savedObjects: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + required: + - elasticsearch + - savedObjects + overall: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. 
+ type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + plugins: + additionalProperties: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + description: A dynamic mapping of plugin ID to plugin status. + type: object + required: + - overall + - core + - plugins + uuid: + description: Unique, generated Kibana instance UUID. This UUID should persist even if the Kibana process restarts. + type: string + version: + additionalProperties: false + type: object + properties: + build_date: + description: The date and time of this build. + type: string + build_flavor: + description: The build flavour determines configuration and behavior of Kibana. On premise users will almost always run the "traditional" flavour, while other flavours are reserved for Elastic-specific use cases. 
+ enum: + - serverless + - traditional + type: string + build_hash: + description: A unique hash value representing the git commit of this Kibana build. + type: string + build_number: + description: A monotonically increasing number, each subsequent build will have a higher number. + type: number + build_snapshot: + description: Whether this build is a snapshot build. + type: boolean + number: + description: A semantic version number. + type: string + required: + - number + - build_hash + - build_number + - build_snapshot + - build_flavor + - build_date + required: + - name + - uuid + - version + - status + - metrics + title: core_status_response + type: object + Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. 
+ enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. 
+ type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. 
+ maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the degraded docs rule. These parameters are appropriate when `rule_type_id` is `datasetQuality.degradedDocs`. 
+ properties: + comparator: + type: string + groupBy: + items: + type: string + type: array + searchConfiguration: + additionalProperties: false + type: object + properties: + index: + type: string + required: + - index + threshold: + items: + type: number + type: array + timeSize: + type: number + timeUnit: + type: string + required: + - timeUnit + - timeSize + - threshold + - comparator + - searchConfiguration + title: Degraded Docs Rule Params + type: object + rule_type_id: + enum: + - datasetQuality.degradedDocs + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Degraded docs + type: object + Kibana_HTTP_APIs_es-query-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. 
+ type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the ES query rule. 
These parameters are appropriate when `rule_type_id` is `.es-query`. + properties: + aggField: + description: The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`. + minLength: 1 + type: string + aggType: + default: count + description: The type of aggregation to perform. + type: string + esqlQuery: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + description: The query definition in Elasticsearch Query Language. + nullable: true + oneOf: + - additionalProperties: false + type: object + properties: + esql: + minLength: 1 + type: string + required: + - esql + - not: {} + esQuery: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + nullable: true + oneOf: + - minLength: 1 + type: string + - not: {} + excludeHitsFromPreviousRun: + default: true + description: Indicates whether to exclude matches from previous runs. If `true`, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified. + type: boolean + groupBy: + default: all + description: Indicates whether the aggregation is applied over all documents (`all`), grouped by row (`row`), or split into groups (`top`) using a grouping field (`termField`) where only the top groups (up to `termSize` number of groups) are checked. If grouping is used, an alert will be created for each group when it exceeds the threshold. + type: string + index: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + description: The indices to query. 
+ nullable: true + oneOf: + - items: + minLength: 1 + type: string + minItems: 1 + type: array + - not: {} + searchConfiguration: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + description: The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch. + nullable: true + oneOf: + - additionalProperties: true + type: object + properties: {} + - not: {} + searchType: + default: esQuery + description: 'The type of query For example: `esQuery` for Elasticsearch Query DSL or `esqlQuery` for Elasticsearch Query Language (ES|QL).' + enum: + - searchSource + - esQuery + - esqlQuery + type: string + size: + description: The number of documents to pass to the configured actions when the threshold condition is met. + maximum: 10000 + minimum: 0 + type: number + sourceFields: + description: The sourceFields param is ignored. + items: + additionalProperties: false + type: object + properties: + label: + type: string + searchPath: + type: string + required: + - label + - searchPath + maxItems: 5 + type: array + termField: + anyOf: + - minLength: 1 + type: string + - items: + type: string + maxItems: 4 + minItems: 2 + type: array + description: The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`. + termSize: + description: This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields. + minimum: 1 + type: number + threshold: + items: + description: The threshold value that is used with the `thresholdComparator`. If the `thresholdComparator` is `between` or `notBetween`, you must specify the boundary values. + type: number + maxItems: 2 + minItems: 1 + type: array + thresholdComparator: + description: 'The comparison function for the threshold. 
For example: greater than, less than, greater than or equal to, between, or not between.' + enum: + - '>' + - < + - '>=' + - <= + - between + - notBetween + type: string + timeField: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + description: The field that is used to calculate the time window. + nullable: true + oneOf: + - minLength: 1 + type: string + - minLength: 1 + type: string + x-oas-optional: true + timeWindowSize: + description: The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + minimum: 1 + type: number + timeWindowUnit: + description: 'The type of units for the time window. For example: seconds, minutes, hours, or days.' + type: string + required: + - size + - timeWindowSize + - timeWindowUnit + - threshold + - thresholdComparator + - timeField + - searchConfiguration + - esQuery + - index + - esqlQuery + title: ES Query Rule Params + type: object + rule_type_id: + enum: + - .es-query + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: ES query + type: object + Kibana_HTTP_APIs_FailureStore: + anyOf: + - additionalProperties: false + type: object + properties: + inherit: + additionalProperties: false + type: object + properties: {} + required: + - inherit + - additionalProperties: false + type: object + properties: + disabled: + additionalProperties: false + type: object + properties: {} + required: + - disabled + - additionalProperties: false + type: object + properties: + lifecycle: + additionalProperties: false + type: object + properties: + enabled: + additionalProperties: false + type: object + properties: + data_retention: + description: A non-empty string. + minLength: 1 + type: string + required: + - enabled + required: + - lifecycle + - additionalProperties: false + type: object + properties: + lifecycle: + additionalProperties: false + type: object + properties: + disabled: + additionalProperties: false + type: object + properties: {} + required: + - disabled + required: + - lifecycle + Kibana_HTTP_APIs_FieldDefinition: + additionalProperties: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinitionConfig' + type: object + Kibana_HTTP_APIs_FieldDefinitionConfig: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' + - anyOf: + - additionalProperties: false + type: object + properties: + description: + type: string + format: + description: A non-empty string. 
+ minLength: 1 + type: string + type: + enum: + - keyword + - match_only_text + - long + - double + - date + - boolean + - ip + - geo_point + - integer + - short + - byte + - float + - half_float + - text + - wildcard + - version + - unsigned_long + - date_nanos + type: string + required: + - type + - additionalProperties: false + type: object + properties: + description: + type: string + format: + not: {} + type: + not: {} + required: + - description + - additionalProperties: false + type: object + properties: + description: + type: string + type: + enum: + - system + type: string + required: + - type + Kibana_HTTP_APIs_FilterCondition: + anyOf: + - additionalProperties: false + description: A condition that compares a field to a value or range using an operator as the key. + type: object + properties: + contains: + anyOf: + - type: string + - type: number + - type: boolean + description: Contains comparison value. + endsWith: + anyOf: + - type: string + - type: number + - type: boolean + description: Ends-with comparison value. + eq: + anyOf: + - type: string + - type: number + - type: boolean + description: Equality comparison value. + field: + description: The document field to filter on. + minLength: 1 + type: string + gt: + anyOf: + - type: string + - type: number + - type: boolean + description: Greater-than comparison value. + gte: + anyOf: + - type: string + - type: number + - type: boolean + description: Greater-than-or-equal comparison value. + includes: + anyOf: + - type: string + - type: number + - type: boolean + description: Checks if multivalue field includes the value. + lt: + anyOf: + - type: string + - type: number + - type: boolean + description: Less-than comparison value. + lte: + anyOf: + - type: string + - type: number + - type: boolean + description: Less-than-or-equal comparison value. + neq: + anyOf: + - type: string + - type: number + - type: boolean + description: Inequality comparison value. 
+ range: + additionalProperties: false + description: Range comparison values. + type: object + properties: + gt: + anyOf: + - type: string + - type: number + - type: boolean + description: A value that can be a string, number, or boolean. + gte: + anyOf: + - type: string + - type: number + - type: boolean + description: A value that can be a string, number, or boolean. + lt: + anyOf: + - type: string + - type: number + - type: boolean + description: A value that can be a string, number, or boolean. + lte: + anyOf: + - type: string + - type: number + - type: boolean + description: A value that can be a string, number, or boolean. + startsWith: + anyOf: + - type: string + - type: number + - type: boolean + description: Starts-with comparison value. + required: + - field + - additionalProperties: false + description: A condition that checks for the existence or non-existence of a field. + type: object + properties: + exists: + description: Indicates whether the field exists or not. + type: boolean + field: + description: The document field to check. + minLength: 1 + type: string + required: + - field + description: A basic filter condition, either unary or binary. + Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). 
+ type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. 
Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. 
+ type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. 
+ nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the geo containment rule. These parameters are appropriate when `rule_type_id` is `.geo-containment`. 
+ properties: + boundaryGeoField: + minLength: 1 + type: string + boundaryIndexId: + minLength: 1 + type: string + boundaryIndexQuery: + nullable: true + boundaryIndexTitle: + minLength: 1 + type: string + boundaryNameField: + minLength: 1 + type: string + boundaryType: + minLength: 1 + type: string + dateField: + minLength: 1 + type: string + entity: + minLength: 1 + type: string + geoField: + minLength: 1 + type: string + index: + minLength: 1 + type: string + indexId: + minLength: 1 + type: string + indexQuery: + nullable: true + required: + - index + - indexId + - geoField + - entity + - dateField + - boundaryType + - boundaryIndexTitle + - boundaryIndexId + - boundaryGeoField + - indexQuery + - boundaryIndexQuery + title: Geo Containment Rule Params + type: object + rule_type_id: + enum: + - .geo-containment + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Geo containment + type: object + Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. 
+ type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. 
+ type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the index threshold rule. These parameters are appropriate when `rule_type_id` is `.index-threshold`. + properties: + aggField: + description: The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`. + minLength: 1 + type: string + aggType: + default: count + description: The type of aggregation to perform. + type: string + filterKuery: + description: A Kibana Query Language (KQL) expression thats limits the scope of alerts. + type: string + groupBy: + default: all + description: Indicates whether the aggregation is applied over all documents (`all`) or split into groups (`top`) using a grouping field (`termField`). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to `termSize` number of groups) are checked. + type: string + index: + anyOf: + - minLength: 1 + type: string + - items: + minLength: 1 + type: string + minItems: 1 + type: array + description: The indices to query. + termField: + description: The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`. 
+ minLength: 1 + type: string + termSize: + description: This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields. + minimum: 1 + type: number + threshold: + items: + type: number + maxItems: 2 + minItems: 1 + type: array + thresholdComparator: + description: 'The comparison function for the threshold. For example: greater than, less than, greater than or equal to, between, or not between.' + enum: + - '>' + - < + - '>=' + - <= + - between + - notBetween + type: string + timeField: + description: The field that is used to calculate the time window. + minLength: 1 + type: string + timeWindowSize: + description: The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + minimum: 1 + type: number + timeWindowUnit: + description: 'The type of units for the time window. For example: seconds, minutes, hours, or days.' + type: string + required: + - index + - timeField + - timeWindowSize + - timeWindowUnit + - thresholdComparator + - threshold + title: Index Threshold Rule Params + type: object + rule_type_id: + enum: + - .index-threshold + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. 
NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Index threshold + type: object + Kibana_HTTP_APIs_IngestStreamLifecycle: + anyOf: + - additionalProperties: false + type: object + properties: + dsl: + additionalProperties: false + type: object + properties: + data_retention: + description: A non-empty string. + minLength: 1 + type: string + downsample: + items: + type: object + properties: + after: + description: A non-empty string. + minLength: 1 + type: string + fixed_interval: + description: A non-empty string. + minLength: 1 + type: string + required: + - after + - fixed_interval + type: array + required: + - dsl + - additionalProperties: false + type: object + properties: + ilm: + additionalProperties: false + type: object + properties: + policy: + description: A non-empty string. + minLength: 1 + type: string + required: + - policy + required: + - ilm + - additionalProperties: false + type: object + properties: + inherit: + additionalProperties: false + type: object + properties: {} + required: + - inherit + Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
+ type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). 
+ type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + anyOf: + - additionalProperties: false + type: object + properties: + count: + additionalProperties: false + type: object + properties: + comparator: + enum: + - more than + - more than or equals + - less than + - less than or equals + - equals + - does not equal + - matches + - does not match + - matches phrase + - does not match phrase + type: string + value: + type: number + required: + - comparator + - value + criteria: + items: + additionalProperties: false + type: object + properties: + comparator: + enum: + - more than + - more than or equals + - less than + - less than or equals + - equals + - does not equal + - matches + - does not match + - matches phrase + - does not match phrase + type: string + field: + type: string + value: + anyOf: + - type: string + - type: number + required: + - field + - comparator + - value + type: array + groupBy: + items: + type: string + type: array + logView: + additionalProperties: false + type: object + properties: + logViewId: + type: string + type: + enum: + - log-view-reference + type: string + required: + - logViewId + - type + timeSize: + type: number + timeUnit: + enum: + - s + - m + - h + - d + type: string + required: + - criteria + - count + - timeUnit + - timeSize + - logView + - additionalProperties: false + type: object + properties: + count: + additionalProperties: false + type: object + properties: + comparator: + enum: + - more than + - more than or equals + - less than + - less than or equals + - equals + - does not equal + - matches + - does not match + - matches phrase + - does not match phrase + type: string + value: + type: number + required: + - comparator + - value + criteria: + items: + items: + additionalProperties: false + type: object + properties: + comparator: + enum: + - more than + - more than or equals + - less than + - less than or equals + - equals + - does not equal + - 
matches + - does not match + - matches phrase + - does not match phrase + type: string + field: + type: string + value: + anyOf: + - type: string + - type: number + required: + - field + - comparator + - value + type: array + type: array + groupBy: + items: + type: string + type: array + logView: + additionalProperties: false + type: object + properties: + logViewId: + type: string + type: + enum: + - log-view-reference + type: string + required: + - logViewId + - type + timeSize: + type: number + timeUnit: + enum: + - s + - m + - h + - d + type: string + required: + - criteria + - count + - timeUnit + - timeSize + - logView + description: The parameters for the log threshold rule. These parameters are appropriate when `rule_type_id` is `logs.alert.document.count`. + title: Log Threshold Rule Params + rule_type_id: + enum: + - logs.alert.document.count + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Log threshold + type: object + Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. 
+ type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. 
+ type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the metric inventory threshold rule. These parameters are appropriate when `rule_type_id` is `metrics.alert.inventory.threshold`. + properties: + alertOnNoData: + type: boolean + criteria: + items: + additionalProperties: false + type: object + properties: + comparator: + type: string + customMetric: + additionalProperties: false + type: object + properties: + aggregation: + type: string + field: + type: string + id: + type: string + label: + type: string + type: + enum: + - custom + type: string + required: + - type + - id + - field + - aggregation + metric: + type: string + threshold: + items: + type: number + type: array + timeSize: + type: number + timeUnit: + type: string + warningComparator: + type: string + warningThreshold: + items: + type: number + type: array + required: + - threshold + - comparator + - timeUnit + - timeSize + - metric + type: array + filterQuery: + type: string + nodeType: + type: string + schema: + type: string + sourceId: + type: string + required: + - criteria + - nodeType + - sourceId + title: Metric Inventory Threshold Rule Params + type: object + rule_type_id: + enum: + - metrics.alert.inventory.threshold + type: string + schedule: + additionalProperties: 
false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: type: string - - description: Filters the SLOs by name - example: my service availability - in: query - name: search - schema: + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Metric inventory threshold + type: object + Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. 
+ items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. 
+ type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. 
+ type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. 
+ type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the metric threshold rule. These parameters are appropriate when `rule_type_id` is `metrics.alert.threshold`. + properties: + alertOnGroupDisappear: + description: If true, an alert occurs if a group that previously reported metrics does not report them again over the expected time period. This check is not recommended for dynamically scaling infrastructures that might rapidly start and stop nodes automatically. + type: boolean + alertOnNoData: + description: If true, an alert occurs if the metrics do not report any data over the expected period or if the query fails. 
+ type: boolean + criteria: + items: + anyOf: + - additionalProperties: false + type: object + properties: + aggType: + enum: + - count + type: string + comparator: + type: string + threshold: + description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. + items: + type: number + type: array + timeSize: + description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + timeUnit: + description: 'The type of units for the time window: seconds, minutes, hours, or days.' + type: string + warningComparator: + type: string + warningThreshold: + items: + description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. + type: number + type: array + required: + - threshold + - comparator + - timeUnit + - timeSize + - aggType + - additionalProperties: false + type: object + properties: + aggType: + type: string + comparator: + type: string + metric: + type: string + threshold: + description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. + items: + type: number + type: array + timeSize: + description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + timeUnit: + description: 'The type of units for the time window: seconds, minutes, hours, or days.' + type: string + warningComparator: + type: string + warningThreshold: + items: + description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. 
+ type: number + type: array + required: + - threshold + - comparator + - timeUnit + - timeSize + - metric + - aggType + - additionalProperties: false + type: object + properties: + aggType: + enum: + - custom + type: string + comparator: + type: string + customMetrics: + items: + anyOf: + - additionalProperties: false + type: object + properties: + aggType: + type: string + field: + type: string + name: + type: string + required: + - name + - aggType + - field + - additionalProperties: false + type: object + properties: + aggType: + enum: + - count + type: string + filter: + type: string + name: + type: string + required: + - name + - aggType + type: array + equation: + type: string + label: + type: string + threshold: + description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. + items: + type: number + type: array + timeSize: + description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + timeUnit: + description: 'The type of units for the time window: seconds, minutes, hours, or days.' + type: string + warningComparator: + type: string + warningThreshold: + items: + description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. + type: number + type: array + required: + - threshold + - comparator + - timeUnit + - timeSize + - aggType + - customMetrics + type: array + filterQuery: + description: A query that limits the scope of the rule. The rule evaluates only metric data that matches the query. + type: string + groupBy: + anyOf: + - type: string + - items: + type: string + type: array + description: 'Create an alert for every unique value of the specified fields. 
For example, you can create a rule per host or every mount point of each host. IMPORTANT: If you include the same field in both the `filterQuery` and `groupBy`, you might receive fewer results than you expect. For example, if you filter by `cloud.region: us-east`, grouping by `cloud.region` will have no effect because the filter query can match only one region.' + sourceId: + type: string + required: + - criteria + - sourceId + title: Metric Threshold Rule Params + type: object + rule_type_id: + enum: + - metrics.alert.threshold + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Metric threshold + type: object + Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. 
+ type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the cluster health rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_alert_cluster_health`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Cluster Health Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_cluster_health + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Cluster health + type: object + Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
+ type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). 
+ type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the CPU usage rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_alert_cpu_usage`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: CPU Usage Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_cpu_usage + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: type: string - - description: The page to use for pagination, must be greater or equal than 1 - example: 1 - in: query - name: page - schema: - type: number - - description: Number of SLOs returned by page - example: 100 - in: query - name: perPage - schema: - default: 100 - maximum: 1000 - type: integer - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/SLOs_find_slo_definitions_response' - description: Successful request - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - summary: Get the SLO definitions - tags: - - slo -components: - examples: - APM_UI_agent_configuration_environments_200_response1: - description: >- - An example of a successful response from `GET - /api/apm/settings/agent-configuration/environments`. 
- value: - environments: - - alreadyConfigured: true - name: production - - alreadyConfigured: false - name: development - - alreadyConfigured: false - name: ALL_OPTION_VALUE - APM_UI_agent_configuration_intake_object_delete_200_response1: - description: >- - An example of a successful response from `DELETE - /api/apm/settings/agent-configuration`. - value: - result: deleted - APM_UI_agent_configuration_intake_object_delete_request1: - description: >- - Run `DELETE /api/apm/settings/agent-configuration` to delete a - configuration. - value: - service: - environment: production - name: frontend - APM_UI_agent_configuration_intake_object_get_200_response1: - description: >- - An example of a successful response from `GET - /api/apm/settings/agent-configuration`. - value: - - '@timestamp': 1581934104843 - agent_name: go - applied_by_agent: false - etag: 1e58c178efeebae15c25c539da740d21dee422fc - service: - environment: production - name: opbeans-go - settings: - capture_body: 'off' - transaction_max_spans: '200' - transaction_sample_rate: '1' - - '@timestamp': 1581934111727 - agent_name: go - applied_by_agent: false - etag: 3eed916d3db434d9fb7f039daa681c7a04539a64 - service: - name: opbeans-go - settings: - capture_body: 'off' - transaction_max_spans: '300' - transaction_sample_rate: '1' - - '@timestamp': 1582031336265 - agent_name: nodejs - applied_by_agent: false - etag: 5080ed25785b7b19f32713681e79f46996801a5b - service: - name: frontend - settings: - transaction_sample_rate: '1' - APM_UI_agent_configuration_intake_object_put_200_response1: - description: >- - An example of a successful response from `PUT - /api/apm/settings/agent-configuration`. The response body is - intentionally empty. - value: {} - APM_UI_agent_configuration_intake_object_put_request1: - description: >- - Run `PUT /api/apm/settings/agent-configuration` to create or update - configuration details. 
- value: - agent_name: nodejs - service: - environment: production - name: frontend - settings: - capture_body: 'off' - transaction_max_spans: '500' - transaction_sample_rate: '0.4' - APM_UI_agent_configuration_intake_object_search_200_response1: - description: >- - An example of a successful response from `POST - /api/apm/settings/agent-configuration/search`. - value: - _id: CIaqXXABmQCdPphWj8EJ - _index: .apm-agent-configuration - _score: 2 - _source: - '@timestamp': 1582031336265 - agent_name: nodejs - applied_by_agent: false - etag: 5080ed25785b7b19f32713681e79f46996801a5b - service: - name: frontend - settings: - transaction_sample_rate: '1' - APM_UI_agent_configuration_intake_object_search_request1: - description: >- - Run `POST /api/apm/settings/agent-configuration/search` to search - configuration details. - value: - etag: 1e58c178efeebae15c25c539da740d21dee422fc - service: - environment: production - name: frontend - APM_UI_agent_configuration_intake_object_view_200_response1: - description: >- - An example of a successful response from `GET - /api/apm/settings/agent-configuration/view`. - value: - '@timestamp': 1582031336265 - agent_name: nodejs - applied_by_agent: true - etag: 5080ed25785b7b19f32713681e79f46996801a5b - id: CIaqXXABmQCdPphWj8EJ - service: - environment: production - name: frontend - settings: - capture_body: 'off' - transaction_max_spans: '500' - transaction_sample_rate: '0.4' - APM_UI_agent_keys_object_post_200_response1: - description: >- - An example of a successful response from `POST /api/apm/agent_keys`, - which creates an APM agent API key. - value: - agentKey: - api_key: PjGloCGOTzaZr8ilUPvkjA - encoded: M0RDTG1uMEIzWk1oTFVhN1dCRzk6UGpHbG9DR09UemFacjhpbFVQdmtqQQ== - id: 3DCLmn0B3ZMhLUa7WBG9 - name: apm-key - APM_UI_agent_keys_object_post_request1: - description: >- - Run `POST /api/apm/agent_keys` to create an APM agent API key with the - specified privileges. 
- value: - name: apm-key - privileges: - - event:write - - config_agent:read - APM_UI_annotation_object_post_200_response1: - description: >- - An example of a successful response from `POST - /api/apm/services/opbeans-java/annotation`, which creates an annotation - for a service named `opbeans-java`. - value: - _id: Lc9I93EBh6DbmkeV7nFX - _index: observability-annotations - _primary_term: 1 - _seq_no: 12 - _source: - '@timestamp': '2020-05-08T10:31:30.452Z' - annotation: - type: deployment - event: - created: '2020-05-09T02:34:43.937Z' - message: Deployment 1.2 - service: - name: opbeans-java - version: '1.2' - tags: - - apm - - elastic.co - - customer - _version: 1 - found: true - APM_UI_annotation_object_post_request1: - description: >- - Run `POST /api/apm/services/{serviceName}/annotation` to create a - deployment annotation for a service. - value: - '@timestamp': '2024-01-15T12:00:00.000Z' - message: Deployment 1.2.0 - service: - environment: production - version: 1.2.0 + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: CPU usage + type: object + Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. 
If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. 
+ type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the disk usage rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_alert_disk_usage`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Disk Usage Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_disk_usage + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval tags: - - apm - - deployment - APM_UI_fleet_apm_server_schema_200_response1: - description: >- - An example of a successful response from `POST - /api/apm/fleet/apm_server_schema`. The response body is intentionally - empty. - value: {} - APM_UI_source_maps_delete_200_response1: - description: >- - An example of a successful response from `DELETE - /api/apm/sourcemaps/{id}`. The response body is intentionally empty. - value: {} - APM_UI_source_maps_get_200_response1: - description: A successful response from `GET /api/apm/sourcemaps`. - value: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Disk usage + type: object + Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. 
+ type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. 
+ type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active artifacts: - - body: - bundleFilepath: /test/e2e/general-usecase/bundle.js - serviceName: foo - serviceVersion: 1.0.0 - sourceMap: - file: static/js/main.chunk.js - mappings: mapping - sourceRoot: '' - sources: - - fleet-source-map-client/src/index.css - - fleet-source-map-client/src/App.js - - webpack:///./src/index.css?bb0a - - fleet-source-map-client/src/index.js - - fleet-source-map-client/src/reportWebVitals.js - sourcesContent: - - content - version: 3 - compressionAlgorithm: zlib - created: '2021-07-09T20:47:44.812Z' - decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - decodedSize: 441 - encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 - encodedSize: 237 - encryptionAlgorithm: none - id: >- - apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - identifier: foo-1.0.0 - packageName: apm - relative_url: >- - /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - type: sourcemap - APM_UI_source_maps_upload_200_response1: - description: A successful response from `POST /api/apm/sourcemaps`. 
- value: - body: >- - eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI - compressionAlgorithm: zlib - created: '2021-07-09T20:47:44.812Z' - decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - decodedSize: 441 - encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 - encodedSize: 237 - encryptionAlgorithm: none - id: >- - apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - identifier: foo-1.0.0 - packageName: apm - relative_url: >- - /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - type: sourcemap - Data_views_create_data_view_request: - summary: Create a data view with runtime fields. - value: - data_view: - name: My Logstash data view - runtimeFieldMap: - runtime_shape_name: - script: - source: emit(doc['shape_name'].value) - type: keyword - title: logstash-* - Data_views_create_runtime_field_request: - summary: Create a runtime field. - value: - name: runtimeFoo - runtimeField: - script: - source: emit(doc["foo"].value) - type: long - Data_views_get_data_view_response: - summary: >- - The get data view API returns a JSON object that contains information - about the data view. 
- value: - data_view: - allowNoIndex: false - fieldAttrs: - products.manufacturer: - count: 1 - products.price: - count: 1 - products.product_name: - count: 1 - total_quantity: - count: 1 - fieldFormats: - products.base_price: - id: number + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. 
+ type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the ES version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_elasticsearch_version_mismatch`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: ES Version Mismatch Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_elasticsearch_version_mismatch + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. 
NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Elasticsearch version mismatch + type: object + Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. 
+ nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string params: - pattern: $0,0.00 - products.base_unit_price: - id: number + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. 
+ type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the memory usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_jvm_memory_usage`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Memory Usage Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_jvm_memory_usage + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: JVM memory usage + type: object + Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). 
+ type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string params: - pattern: $0,0.00 - products.min_price: - id: number + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the Kibana version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_kibana_version_mismatch`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Kibana Version Mismatch Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_kibana_version_mismatch + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Kibana version mismatch + type: object + Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). 
+ type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string params: - pattern: $0,0.00 - products.price: - id: number + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the license expiration rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_license_expiration`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: License Expiration Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_license_expiration + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: License expiration + type: object + Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). 
+ type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string params: - pattern: $0,0.00 - products.taxful_price: - id: number + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the logstash version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_logstash_version_mismatch`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Logstash Version Mismatch Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_logstash_version_mismatch + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Logstash version mismatch + type: object + Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). 
+ type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string params: - pattern: $0,0.00 - products.taxless_price: - id: number + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the missing monitoring data rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_missing_monitoring_data`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Missing Monitoring Data Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_missing_monitoring_data + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Missing monitoring data + type: object + Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). 
+ type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string params: - pattern: $0,0.00 - taxful_total_price: - id: number + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the nodes changed rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_nodes_changed`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Nodes Changed Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_nodes_changed + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Nodes changed + type: object + Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. 
+ type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. 
+ type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string params: - pattern: $0,0.[00] - taxless_total_price: - id: number + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the thread pool search rejections rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_thread_pool_search_rejections`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + threshold: + type: number + required: + - duration + title: Thread Pool Search Rejections Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_thread_pool_search_rejections + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Thread pool search rejections + type: object + Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). 
+ type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string params: - pattern: $0,0.00 - fields: - _id: - aggregatable: false - count: 0 - esTypes: - - _id - format: - id: string - isMapped: true - name: _id - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. 
+ type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the thread pool write rejections rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_thread_pool_write_rejections`. + properties: + duration: type: string - _index: - aggregatable: true - count: 0 - esTypes: - - _index - format: - id: string - isMapped: true - name: _index - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + filterQuery: type: string - _score: - aggregatable: false - count: 0 - format: - id: number - isMapped: true - name: _score - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false + filterQueryText: + type: string + threshold: type: number - _source: - aggregatable: false - count: 0 - esTypes: - - _source - format: - id: _source - isMapped: true - name: _source - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: _source - category: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: category - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + required: + - duration + title: Thread Pool Write Rejections Rule Params + type: object + 
rule_type_id: + enum: + - monitoring_alert_thread_pool_write_rejections + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - category.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: category.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: category + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Thread pool write rejections + type: object + Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
+ type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). 
+ type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the CCR read exceptions rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_ccr_read_exceptions`. + properties: + duration: type: string - currency: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: currency - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + filterQuery: type: string - customer_birth_date: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: customer_birth_date - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - customer_first_name: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: customer_first_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: CCR Read Exceptions Rule Params + type: object + rule_type_id: + enum: + - monitoring_ccr_read_exceptions + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: CCR read exceptions + type: object + Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. 
+ type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. 
+ type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the large shard size rule. These parameters are appropriate when `rule_type_id` is `monitoring_shard_size`. + properties: + duration: type: string - customer_first_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_first_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: customer_first_name + filterQuery: type: string - customer_full_name: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: customer_full_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + filterQueryText: type: string - customer_full_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_full_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: customer_full_name + indexPattern: type: string - customer_gender: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_gender - 
readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + limit: + type: string + threshold: + type: number + required: + - duration + - indexPattern + title: Large Shard Size Rule Params + type: object + rule_type_id: + enum: + - monitoring_shard_size + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Large shard size + type: object + Kibana_HTTP_APIs_new_output_elasticsearch: + additionalProperties: false + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - elasticsearch + type: string + write_to_logs_streams: + nullable: true + type: boolean + required: + - name + - type + - hosts + title: new_output_elasticsearch + type: object + Kibana_HTTP_APIs_new_output_kafka: + additionalProperties: false + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + auth_type: + enum: + - none + - user_pass + - ssl + - kerberos + type: string + broker_timeout: + type: number + ca_sha256: + nullable: true + 
type: string + ca_trusted_fingerprint: + nullable: true + type: string + client_id: + type: string + compression: + enum: + - gzip + - snappy + - lz4 + - none + type: string + compression_level: + type: number + config_yaml: + nullable: true + type: string + connection_type: + enum: + - plaintext + - encryption + type: string + hash: + additionalProperties: false + type: object + properties: + hash: + type: string + random: + type: boolean + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + hosts: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + key: + type: string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + partition: + enum: + - random + - round_robin + - hash + type: string + password: + nullable: true + type: string + proxy_id: + nullable: true + type: string + random: + additionalProperties: false + type: object + properties: + group_events: + type: number + required_acks: + enum: + - 1 + - 0 + - -1 + type: integer + round_robin: + additionalProperties: false + type: object + properties: + group_events: + type: number + sasl: + additionalProperties: false + nullable: true + type: object + properties: + mechanism: + enum: + - PLAIN + - SCRAM-SHA-256 + - SCRAM-SHA-512 + type: string + secrets: + additionalProperties: false + type: object + properties: + password: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false 
+ type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + required: + - key + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + timeout: + type: number + topic: + type: string + type: + enum: + - kafka + type: string + username: + nullable: true + type: string + version: + type: string + required: + - name + - type + - hosts + - auth_type + title: new_output_kafka + type: object + Kibana_HTTP_APIs_new_output_logstash: + additionalProperties: false + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - logstash + type: string + required: + - name + - type + - hosts + title: new_output_logstash + type: object + 
Kibana_HTTP_APIs_new_output_remote_elasticsearch: + additionalProperties: false + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + kibana_api_key: + nullable: true + type: string + kibana_url: + nullable: true + type: string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + service_token: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + service_token: + nullable: true + type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + sync_integrations: + type: boolean + sync_uninstalled_integrations: + type: boolean + type: + enum: + - remote_elasticsearch + type: string + write_to_logs_streams: + nullable: true + type: boolean + required: + - name + - type + - hosts + title: new_output_remote_elasticsearch + type: object + 
Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. 
For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. 
It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the custom threshold rule. These parameters are appropriate when `rule_type_id` is `observability.rules.custom_threshold`. + properties: + alertOnGroupDisappear: + type: boolean + alertOnNoData: + type: boolean + criteria: + items: + additionalProperties: false + type: object + properties: + aggType: + enum: + - custom + type: string + comparator: + type: string + equation: + type: string + label: + type: string + metrics: + items: + anyOf: + - additionalProperties: false + type: object + properties: + aggType: + type: string + field: + type: string + filter: + type: string + name: + type: string + required: + - name + - aggType + - field + - additionalProperties: false + type: object + properties: + aggType: + enum: + - count + type: string + filter: + type: string + name: + type: string + required: + - name + - aggType + type: array + threshold: + items: + type: number + type: array + timeSize: + type: number + timeUnit: + type: string + required: + - threshold + - comparator + - timeUnit + - timeSize + - metrics + type: array + groupBy: + anyOf: + - type: string + - items: + type: string + type: array + noDataBehavior: + enum: + - recover + - remainActive + - alertOnNoData type: string 
- customer_id: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + searchConfiguration: + additionalProperties: false + type: object + properties: + filter: + items: + additionalProperties: false + type: object + properties: + meta: + additionalProperties: + nullable: true + type: object + query: + additionalProperties: + nullable: true + type: object + required: + - meta + type: array + index: + anyOf: + - type: string + - additionalProperties: false + type: object + properties: + allowHidden: + type: boolean + allowNoIndex: + type: boolean + fieldAttrs: + additionalProperties: + additionalProperties: false + type: object + properties: + count: + type: number + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + type: object + fieldFormats: + additionalProperties: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + type: object + fields: + additionalProperties: + additionalProperties: false + type: object + properties: + aggregatable: + type: boolean + count: + minimum: 0 + type: number + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + esTypes: + items: + type: string + type: array + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + name: + maxLength: 1000 + type: string + readFromDocValues: + type: boolean + runtimeField: + anyOf: + - additionalProperties: false + type: object + properties: + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + popularity: + minimum: 0 + type: number + script: + 
additionalProperties: false + type: object + properties: + source: + type: string + required: + - source + type: + enum: + - keyword + - long + - double + - date + - ip + - boolean + - geo_point + type: string + required: + - type + - additionalProperties: false + type: object + properties: + fields: + additionalProperties: + additionalProperties: false + type: object + properties: + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + popularity: + minimum: 0 + type: number + type: + enum: + - keyword + - long + - double + - date + - ip + - boolean + - geo_point + type: string + required: + - type + type: object + script: + additionalProperties: false + type: object + properties: + source: + type: string + required: + - source + type: + enum: + - composite + type: string + required: + - type + script: + maxLength: 1000000 + type: string + scripted: + type: boolean + searchable: + type: boolean + shortDotsEnable: + type: boolean + subType: + additionalProperties: false + type: object + properties: + multi: + additionalProperties: false + type: object + properties: + parent: + type: string + required: + - parent + nested: + additionalProperties: false + type: object + properties: + path: + type: string + required: + - path + type: + default: string + maxLength: 1000 + type: string + required: + - name + type: object + id: + type: string + managed: + type: boolean + name: + type: string + namespaces: + items: + type: string + type: array + runtimeFieldMap: + additionalProperties: + anyOf: + - additionalProperties: false + type: object + properties: + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + popularity: + minimum: 0 + 
type: number + script: + additionalProperties: false + type: object + properties: + source: + type: string + required: + - source + type: + enum: + - keyword + - long + - double + - date + - ip + - boolean + - geo_point + type: string + required: + - type + - additionalProperties: false + type: object + properties: + fields: + additionalProperties: + additionalProperties: false + type: object + properties: + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + popularity: + minimum: 0 + type: number + type: + enum: + - keyword + - long + - double + - date + - ip + - boolean + - geo_point + type: string + required: + - type + type: object + script: + additionalProperties: false + type: object + properties: + source: + type: string + required: + - source + type: + enum: + - composite + type: string + required: + - type + type: object + sourceFilters: + items: + additionalProperties: false + type: object + properties: + clientId: + anyOf: + - type: string + - type: number + value: + type: string + required: + - value + type: array + timeFieldName: + type: string + title: + type: string + type: + type: string + typeMeta: + additionalProperties: true + type: object + properties: {} + version: + type: string + required: + - title + query: + additionalProperties: false + type: object + properties: + language: + type: string + query: + type: string + required: + - language + - query + required: + - index + - query + required: + - criteria + - searchConfiguration + title: Custom Threshold Rule Params + type: object + rule_type_id: + enum: + - observability.rules.custom_threshold + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. 
+ type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - customer_last_name: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: customer_last_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Custom threshold + type: object + Kibana_HTTP_APIs_output_elasticsearch: + additionalProperties: true + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: true + type: object + properties: + ssl: + additionalProperties: true + 
type: object + properties: + key: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - elasticsearch + type: string + write_to_logs_streams: + nullable: true + type: boolean + required: + - name + - type + - hosts + title: output_elasticsearch + type: object + Kibana_HTTP_APIs_output_kafka: + additionalProperties: true + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + auth_type: + enum: + - none + - user_pass + - ssl + - kerberos + type: string + broker_timeout: + type: number + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + client_id: + type: string + compression: + enum: + - gzip + - snappy + - lz4 + - none + type: string + compression_level: + type: number + config_yaml: + nullable: true + type: string + connection_type: + enum: + - plaintext + - encryption + type: string + hash: + additionalProperties: true + type: object + properties: + hash: type: string - customer_last_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_last_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: customer_last_name + random: + type: boolean + headers: + items: + additionalProperties: true + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + hosts: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: 
+ type: boolean + is_preconfigured: + type: boolean + key: + type: string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + partition: + enum: + - random + - round_robin + - hash + type: string + password: + nullable: true + type: string + proxy_id: + nullable: true + type: string + random: + additionalProperties: true + type: object + properties: + group_events: + type: number + required_acks: + enum: + - 1 + - 0 + - -1 + type: integer + round_robin: + additionalProperties: true + type: object + properties: + group_events: + type: number + sasl: + additionalProperties: true + nullable: true + type: object + properties: + mechanism: + enum: + - PLAIN + - SCRAM-SHA-256 + - SCRAM-SHA-512 type: string - customer_phone: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_phone - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + secrets: + additionalProperties: true + type: object + properties: + password: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: true + type: object + properties: + key: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + required: + - key + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + timeout: + type: number + topic: + type: string + type: + enum: + - kafka + type: string + username: + nullable: true + type: string + version: + type: string + required: + - name + - type + - hosts + - auth_type + title: output_kafka + type: object + Kibana_HTTP_APIs_output_logstash: + 
additionalProperties: true + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: true + type: object + properties: + ssl: + additionalProperties: true + type: object + properties: + key: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - logstash + type: string + required: + - name + - type + - hosts + title: output_logstash + type: object + Kibana_HTTP_APIs_output_remote_elasticsearch: + additionalProperties: true + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + kibana_api_key: + nullable: true + type: string + kibana_url: + nullable: true 
+ type: string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: true + type: object + properties: + service_token: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: true + type: object + properties: + key: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + service_token: + nullable: true + type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + sync_integrations: + type: boolean + sync_uninstalled_integrations: + type: boolean + type: + enum: + - remote_elasticsearch + type: string + write_to_logs_streams: + nullable: true + type: boolean + required: + - name + - type + - hosts + title: output_remote_elasticsearch + type: object + Kibana_HTTP_APIs_output_shipper: + additionalProperties: true + properties: + compression_level: + nullable: true + type: number + disk_queue_compression_enabled: + nullable: true + type: boolean + disk_queue_enabled: + default: false + nullable: true + type: boolean + disk_queue_encryption_enabled: + nullable: true + type: boolean + disk_queue_max_size: + nullable: true + type: number + disk_queue_path: + nullable: true + type: string + loadbalance: + nullable: true + type: boolean + max_batch_bytes: + nullable: true + type: number + mem_queue_events: + nullable: true + type: number + queue_flush_timeout: + nullable: true + type: number + required: + - disk_queue_path + - disk_queue_max_size + - 
disk_queue_encryption_enabled + - disk_queue_compression_enabled + - compression_level + - loadbalance + - mem_queue_events + - queue_flush_timeout + - max_batch_bytes + title: output_shipper + type: object + Kibana_HTTP_APIs_output_ssl: + additionalProperties: true + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + verification_mode: + enum: + - full + - none + - certificate + - strict + type: string + title: output_ssl + type: object + Kibana_HTTP_APIs_QueryStreamUpsertRequest: + additionalProperties: false + type: object + properties: + dashboards: + items: + type: string + type: array + queries: + items: + type: object + properties: + description: + type: string + esql: + type: object + properties: + query: + type: string + required: + - query + evidence: + items: + type: string + type: array + id: + description: A non-empty string. + minLength: 1 + type: string + severity_score: + type: number + title: + description: A non-empty string. 
+ minLength: 1 + type: string + type: + default: match + enum: + - match + - stats + type: string + required: + - id + - title + - description + - esql + type: array + rules: + items: + type: string + type: array + stream: + additionalProperties: false + type: object + properties: + description: type: string - day_of_week: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: day_of_week - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + field_descriptions: + additionalProperties: + type: string + type: object + query: + additionalProperties: false + type: object + properties: + esql: + type: string + view: + type: string + required: + - view + - esql + query_streams: + items: + type: object + properties: + name: + type: string + required: + - name + type: array + type: + enum: + - query type: string - day_of_week_i: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: day_of_week_i - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - description + - type + - query + required: + - dashboards + - rules + - queries + - stream + Kibana_HTTP_APIs_RecursiveRecord: + additionalProperties: + anyOf: + - anyOf: + - type: string + - type: number + - type: boolean + - nullable: true + - {} + - items: + anyOf: + - type: string + - type: number + - type: boolean + - nullable: true + - {} + type: array + - items: {} + type: array + - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' + type: object + Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. 
If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. 
+ type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
type: number - email: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: email - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - event.dataset: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: event.dataset - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - geoip.city_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.city_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - geoip.continent_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.continent_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - geoip.country_iso_code: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.country_iso_code - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - geoip.location: - aggregatable: true - count: 0 - esTypes: - - geo_point - format: - id: geo_point - params: - transform: wkt - isMapped: true - name: geoip.location - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - geoip.region_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.region_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - manufacturer: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: manufacturer - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - manufacturer.keyword: - 
aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: manufacturer.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: manufacturer - type: string - order_date: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: order_date - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - order_id: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: order_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - products._id: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: products._id - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. 
+ nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the slo burn rate rule. These parameters are appropriate when `rule_type_id` is `slo.rules.burnRate`. 
+ properties: + dependencies: + items: + additionalProperties: false + type: object + properties: + actionGroupsToSuppressOn: + items: + type: string + type: array + ruleId: + type: string + required: + - ruleId + - actionGroupsToSuppressOn + type: array + sloId: type: string - products._id.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products._id.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products._id + windows: + items: + additionalProperties: false + type: object + properties: + actionGroup: + type: string + burnRateThreshold: + type: number + id: + type: string + longWindow: + additionalProperties: false + type: object + properties: + unit: + type: string + value: + type: number + required: + - value + - unit + maxBurnRateThreshold: + nullable: true + type: number + shortWindow: + additionalProperties: false + type: object + properties: + unit: + type: string + value: + type: number + required: + - value + - unit + required: + - id + - burnRateThreshold + - maxBurnRateThreshold + - longWindow + - shortWindow + - actionGroup + type: array + required: + - sloId + - windows + title: SLO Burn Rate Rule Params + type: object + rule_type_id: + enum: + - slo.rules.burnRate + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - products.base_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.base_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - interval + tags: + default: [] + description: The tags for the rule. 
+ items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: SLO burn rate + type: object + Kibana_HTTP_APIs_StreamlangConditionBlock: + additionalProperties: false + type: object + properties: + condition: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ConditionWithSteps' + customIdentifier: + type: string + required: + - condition + Kibana_HTTP_APIs_StreamlangStep: + anyOf: + - anyOf: + - additionalProperties: false + description: Grok processor - Extract fields from text using grok patterns + type: object + properties: + action: + enum: + - grok + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to parse with grok patterns + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + pattern_definitions: + additionalProperties: + type: string + type: object + patterns: + description: Grok patterns applied in order to extract fields + items: + description: A non-empty string. 
+ minLength: 1 + type: string + minItems: 1 + type: array + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - patterns + - additionalProperties: false + description: Dissect processor - Extract fields from text using a lightweight, delimiter-based parser + type: object + properties: + action: + enum: + - dissect + type: string + append_separator: + description: Separator inserted when target fields are concatenated + minLength: 1 + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to parse with dissect pattern + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + pattern: + description: Dissect pattern describing field boundaries + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - pattern + - additionalProperties: false + description: Date processor - Parse dates from strings using one or more expected formats + type: object + properties: + action: + enum: + - date + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + formats: + description: Accepted input date formats, tried in order + items: + description: A non-empty string. 
+ minLength: 1 + type: string + type: array + from: + description: Source field containing the date/time text + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + locale: + description: Optional locale for date parsing + minLength: 1 + type: string + output_format: + description: Optional output format for storing the parsed date as text + minLength: 1 + type: string + timezone: + description: Optional timezone for date parsing + minLength: 1 + type: string + to: + description: Target field for the parsed date (defaults to source) + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - formats + - additionalProperties: false + type: object + properties: + action: + enum: + - drop_document + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - additionalProperties: false + type: object + properties: + action: + enum: + - math + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + expression: + description: A non-empty string. 
+ minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - expression + - to + - additionalProperties: false + description: Rename processor - Change a field name and optionally its location + type: object + properties: + action: + enum: + - rename + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Existing source field to rename or move + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip when source field is missing + type: boolean + override: + description: Allow overwriting the target field if it already exists + type: boolean + to: + description: New field name or destination path + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - to + - additionalProperties: false + description: Set processor - Assign a literal or copied value to a field (mutually exclusive inputs) + type: object + properties: + action: + enum: + - set + type: string + copy_from: + description: Copy value from another field instead of providing a literal + minLength: 1 + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + 
ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + override: + description: Allow overwriting an existing target field + type: boolean + to: + description: Target field to set or create + minLength: 1 + type: string + value: + description: Literal value to assign to the target field + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - to + - additionalProperties: false + description: Append processor - Append one or more values to an existing or new array field + type: object + properties: + action: + enum: + - append + type: string + allow_duplicates: + description: If true, do not deduplicate appended values + type: boolean + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + to: + description: Array field to append values to + minLength: 1 + type: string + value: + description: Values to append (must be literal, no templates) + items: {} + minItems: 1 + type: array + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - to + - value + - additionalProperties: false + description: Remove by prefix processor - Remove a field and all nested fields matching the prefix + type: object + properties: + action: + enum: + - remove_by_prefix + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Field to remove along with all its 
nested fields + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + required: + - action + - from + - additionalProperties: false + description: Remove processor - Delete one or more fields from the document + type: object + properties: + action: + enum: + - remove + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Field to remove from the document + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - additionalProperties: false + type: object + properties: + action: + enum: + - replace + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + pattern: + minLength: 1 + type: string + replacement: + type: string + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - pattern + - replacement + - additionalProperties: false + description: Redact processor - Mask sensitive data using Grok patterns + type: object + properties: + action: + enum: 
+ - redact + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to redact sensitive data from + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing (defaults to true) + type: boolean + pattern_definitions: + additionalProperties: + type: string + description: Custom pattern definitions to use in the patterns + type: object + patterns: + description: Grok patterns to match sensitive data (for example, "%{IP:client}", "%{EMAILADDRESS:email}") + items: + description: A non-empty string. + minLength: 1 + type: string + minItems: 1 + type: array + prefix: + description: Prefix to prepend to the redacted pattern name (defaults to "<") + type: string + suffix: + description: Suffix to append to the redacted pattern name (defaults to ">") + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - patterns + - additionalProperties: false + type: object + properties: + action: + enum: + - uppercase + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + 
required: + - action + - from + - additionalProperties: false + type: object + properties: + action: + enum: + - lowercase + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - additionalProperties: false + type: object + properties: + action: + enum: + - trim + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - additionalProperties: false + type: object + properties: + action: + enum: + - join + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + delimiter: + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + items: + minLength: 1 + type: string + minItems: 1 + type: array + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: 
boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - delimiter + - to + - additionalProperties: false + description: Split processor - Split a field value into an array using a separator + type: object + properties: + action: + enum: + - split + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to split into an array + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + preserve_trailing: + description: Preserve empty trailing fields in the split result + type: boolean + separator: + description: Regex separator used to split the field value into an array + minLength: 1 + type: string + to: + description: Target field for the split array (defaults to source) + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - separator + - additionalProperties: false + type: object + properties: + action: + enum: + - sort + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Array field to sort + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when 
source field is missing + type: boolean + order: + description: Sort order - "asc" (ascending) or "desc" (descending). Defaults to "asc" + enum: + - asc + - desc + type: string + to: + description: Target field for the sorted array (defaults to source) + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - additionalProperties: false + description: Convert processor - Change the data type of a field value (integer, long, double, boolean, or string) + type: object + properties: + action: + enum: + - convert + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to convert to a different data type + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + to: + description: Target field for the converted value (defaults to source) + minLength: 1 + type: string + type: + description: 'Target data type: integer, long, double, boolean, or string' + enum: + - integer + - long + - double + - boolean + - string + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - type + - additionalProperties: false + type: object + properties: + action: + enum: + - concat + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + items: + 
anyOf: + - type: object + properties: + type: + enum: + - field + type: string + value: + minLength: 1 + type: string + required: + - type + - value + - type: object + properties: + type: + enum: + - literal + type: string + value: + type: string + required: + - type + - value + minItems: 1 + type: array + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - to + - allOf: + - additionalProperties: false + type: object + properties: + action: + enum: + - network_direction + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + destination_ip: + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + source_ip: + minLength: 1 + type: string + target_field: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - source_ip + - destination_ip + - anyOf: + - additionalProperties: false + type: object + properties: + internal_networks: + items: + type: string + type: array + required: + - internal_networks + - additionalProperties: false + type: object + properties: + internal_networks_field: + minLength: 1 + type: string + required: + - internal_networks_field + - additionalProperties: false + description: JsonExtract processor - Extract values from JSON strings using JSONPath-like selectors + type: object + properties: + action: + enum: + - json_extract 
+ type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + extractions: + description: List of extraction specifications + items: + description: A single extraction specification + type: object + properties: + selector: + description: JSONPath-like selector to extract value (e.g., "user.id", "$.metadata.client.ip", "items[0].name") + minLength: 1 + type: string + target_field: + description: Target field to store the extracted value + minLength: 1 + type: string + type: + description: Data type for the extracted value. Defaults to "keyword". Ensures consistent types across transpilers. + enum: + - keyword + - integer + - long + - double + - boolean + type: string + required: + - selector + - target_field + minItems: 1 + type: array + field: + description: Source field containing the JSON string to parse + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - field + - extractions + - additionalProperties: false + type: object + properties: + action: + enum: + - enrich + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + override: + type: boolean + policy_name: + description: A non-empty string. 
+ minLength: 1 + type: string + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - policy_name + - to + - additionalProperties: false + description: Manual ingest pipeline wrapper around native Elasticsearch processors + type: object + properties: + action: + description: Manual ingest pipeline - executes raw Elasticsearch ingest processors + enum: + - manual_ingest_pipeline + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + on_failure: + description: Fallback processors to run when a processor fails + items: + additionalProperties: {} + type: object + type: array + processors: + description: List of raw Elasticsearch ingest processors to run + items: + additionalProperties: {} + type: object + type: array + tag: + description: Optional ingest processor tag for Elasticsearch + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - processors + - $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangConditionBlock' + Kibana_HTTP_APIs_StreamUpsertRequest: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_WiredStreamUpsertRequest' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicStreamUpsertRequest' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_QueryStreamUpsertRequest' + Kibana_HTTP_APIs_transform-health-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined 
conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. 
+ items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. 
NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
type: number - products.base_unit_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.base_unit_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 type: number - products.category: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: products.category - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. 
+ maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the transform health rule. These parameters are appropriate when `rule_type_id` is `transform_health`. 
+ properties: + excludeTransforms: + default: [] + items: + type: string + nullable: true + type: array + includeTransforms: + items: + type: string + type: array + testsConfig: + additionalProperties: false + nullable: true + type: object + properties: + errorMessages: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: false + type: boolean + healthCheck: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + notStarted: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + required: + - notStarted + - errorMessages + - healthCheck + required: + - includeTransforms + - testsConfig + title: Transform Health Rule Params + type: object + rule_type_id: + enum: + - transform_health + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - products.category.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.category.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.category + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Transform health + type: object + Kibana_HTTP_APIs_update_output_elasticsearch: + additionalProperties: false + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - elasticsearch + type: string + write_to_logs_streams: + nullable: true + type: boolean + title: update_output_elasticsearch + type: object + Kibana_HTTP_APIs_update_output_kafka: + additionalProperties: false + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + auth_type: + enum: + - none + - user_pass + - ssl + - kerberos + type: string + broker_timeout: + type: number + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: 
string + client_id: + type: string + compression: + enum: + - gzip + - snappy + - lz4 + - none + type: string + compression_level: + type: number + config_yaml: + nullable: true + type: string + connection_type: + enum: + - plaintext + - encryption + type: string + hash: + additionalProperties: false + type: object + properties: + hash: type: string - products.created_on: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: products.created_on - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - products.discount_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.discount_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + random: + type: boolean + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + hosts: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + key: + type: string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + partition: + enum: + - random + - round_robin + - hash + type: string + password: + nullable: true + type: string + proxy_id: + nullable: true + type: string + random: + additionalProperties: false + type: object + properties: + group_events: type: number - products.discount_percentage: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.discount_percentage - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false 
+ required_acks: + enum: + - 1 + - 0 + - -1 + type: integer + round_robin: + additionalProperties: false + type: object + properties: + group_events: type: number - products.manufacturer: - aggregatable: false - count: 1 - esTypes: - - text - format: - id: string - isMapped: true - name: products.manufacturer - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + sasl: + additionalProperties: false + nullable: true + type: object + properties: + mechanism: + enum: + - PLAIN + - SCRAM-SHA-256 + - SCRAM-SHA-512 + type: string + secrets: + additionalProperties: false + type: object + properties: + password: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + required: + - key + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + timeout: + type: number + topic: + type: string + type: + enum: + - kafka + type: string + username: + nullable: true + type: string + version: + type: string + required: + - name + title: update_output_kafka + type: object + Kibana_HTTP_APIs_update_output_logstash: + additionalProperties: false + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: 
boolean + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - logstash + type: string + title: update_output_logstash + type: object + Kibana_HTTP_APIs_update_output_remote_elasticsearch: + additionalProperties: false + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + kibana_api_key: + nullable: true + type: string + kibana_url: + nullable: true + type: string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + service_token: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + 
type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + service_token: + nullable: true + type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + sync_integrations: + type: boolean + sync_uninstalled_integrations: + type: boolean + type: + enum: + - remote_elasticsearch + type: string + write_to_logs_streams: + nullable: true + type: boolean + title: update_output_remote_elasticsearch + type: object + Kibana_HTTP_APIs_WiredStreamUpsertRequest: + additionalProperties: false + type: object + properties: + dashboards: + items: + type: string + type: array + queries: + items: + type: object + properties: + description: + type: string + esql: + type: object + properties: + query: + type: string + required: + - query + evidence: + items: + type: string + type: array + id: + description: A non-empty string. + minLength: 1 + type: string + severity_score: + type: number + title: + description: A non-empty string. 
+ minLength: 1 + type: string + type: + default: match + enum: + - match + - stats + type: string + required: + - id + - title + - description + - esql + type: array + rules: + items: + type: string + type: array + stream: + additionalProperties: false + type: object + properties: + description: type: string - products.manufacturer.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.manufacturer.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.manufacturer + ingest: + additionalProperties: false + type: object + properties: + failure_store: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' + lifecycle: + $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' + processing: + additionalProperties: false + type: object + properties: + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + updated_at: {} + required: + - steps + settings: + additionalProperties: false + type: object + properties: + index.number_of_replicas: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.number_of_shards: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.refresh_interval: + additionalProperties: false + type: object + properties: + value: + anyOf: + - type: string + - enum: + - -1 + type: number + required: + - value + wired: + additionalProperties: false + type: object + properties: + draft: + type: boolean + fields: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinition' + routing: + items: + type: object + properties: + destination: + description: A non-empty string. 
+ minLength: 1 + type: string + draft: + type: boolean + status: + enum: + - enabled + - disabled + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + required: + - destination + - where + type: array + required: + - fields + - routing + required: + - lifecycle + - processing + - settings + - failure_store + - wired + query_streams: + items: + type: object + properties: + name: + type: string + required: + - name + type: array + type: + enum: + - wired type: string - products.min_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.min_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - description + - ingest + - type + required: + - dashboards + - rules + - queries + - stream + Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. 
+ items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. 
+ type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. 
+ type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. type: number - products.price: - aggregatable: true - count: 1 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. 
+ type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 type: number - products.product_id: - aggregatable: true - count: 0 - esTypes: - - long - format: - id: number - isMapped: true - name: products.product_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 type: number - products.product_name: - aggregatable: false - count: 1 - esTypes: - - text - format: - id: string - isMapped: true - name: products.product_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the anomaly detection rule. These parameters are appropriate when `rule_type_id` is `xpack.ml.anomaly_detection_alert"`. + properties: + includeInterim: + default: true + type: boolean + jobSelection: + additionalProperties: false + type: object + properties: + groupIds: + default: [] + items: + type: string + type: array + jobIds: + default: [] + items: + type: string + type: array + kqlQueryString: + nullable: true type: string - products.product_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.product_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.product_name + lookbackInterval: + nullable: true type: string - products.quantity: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: products.quantity - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.sku: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.sku - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + resultType: + enum: + - record + - bucket + - influencer type: string - products.tax_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.tax_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + severity: + maximum: 100 + minimum: 0 type: number - products.taxful_price: - aggregatable: true - count: 0 - esTypes: - - 
half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.taxful_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + topNBuckets: + minimum: 1 + nullable: true type: number - products.taxless_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.taxless_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - jobSelection + - severity + - resultType + - lookbackInterval + - topNBuckets + - kqlQueryString + title: Anomaly Detection Rule Params + type: object + rule_type_id: + enum: + - xpack.ml.anomaly_detection_alert + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Anomaly detection + type: object + Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. 
+ type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. 
+ items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. 
NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 type: number - products.unit_discount_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.unit_discount_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 type: number - sku: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: sku - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the anomaly detection jobs health rule. These parameters are appropriate when `rule_type_id` is `xpack.ml.anomaly_detection_jobs_health"`. + properties: + excludeJobs: + additionalProperties: false + nullable: true + type: object + properties: + groupIds: + default: [] + items: + type: string + type: array + jobIds: + default: [] + items: + type: string + type: array + includeJobs: + additionalProperties: false + type: object + properties: + groupIds: + default: [] + items: + type: string + type: array + jobIds: + default: [] + items: + type: string + type: array + testsConfig: + additionalProperties: false + nullable: true + type: object + properties: + behindRealtime: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + timeInterval: + nullable: true + type: string + required: + - timeInterval + datafeed: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + delayedData: + additionalProperties: false + nullable: true + type: object + properties: + docsCount: + minimum: 1 + nullable: true + type: number + enabled: + default: true + type: boolean + 
timeInterval: + nullable: true + type: string + required: + - docsCount + - timeInterval + errorMessages: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + mml: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + required: + - datafeed + - mml + - delayedData + - behindRealtime + - errorMessages + required: + - includeJobs + - excludeJobs + - testsConfig + title: Anomaly Detection Jobs Health Rule Params + type: object + rule_type_id: + enum: + - xpack.ml.anomaly_detection_jobs_health + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - taxful_total_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.[00] - isMapped: true - name: taxful_total_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - taxless_total_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: taxless_total_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Anomaly detection jobs health + type: object + Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. 
+ type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. 
+ type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
type: number - total_quantity: - aggregatable: true - count: 1 - esTypes: - - integer - format: - id: number - isMapped: true - name: total_quantity - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 type: number - total_unique_products: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: total_unique_products - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. 
+ maximum: 20 + minimum: 2 type: number - type: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: type - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - user: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: user - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - name: Kibana Sample Data eCommerce - namespaces: - - default - runtimeFieldMap: {} - sourceFilters: [] - timeFieldName: order_date - title: kibana_sample_data_ecommerce - typeMeta: {} - version: WzUsMV0= - Data_views_get_data_views_response: - summary: The get all data views API returns a list of data views. - value: - data_view: - - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - name: Kibana Sample Data eCommerce - namespaces: - - default - title: kibana_sample_data_ecommerce - typeMeta: {} - - id: d3d7af60-4c81-11e8-b3d7-01146121b73d - name: Kibana Sample Data Flights - namespaces: - - default - title: kibana_sample_data_flights - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: Kibana Sample Data Logs - namespaces: - - default - title: kibana_sample_data_logs - Data_views_get_default_data_view_response: - summary: The get default data view API returns the default data view identifier. - value: - data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - Data_views_get_runtime_field_response: - summary: >- - The get runtime field API returns a JSON object that contains - information about the runtime field (`hour_of_day`) and the data view - (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). 
- value: - data_view: - allowNoIndex: false - fieldAttrs: {} - fieldFormats: - AvgTicketPrice: - id: number - params: - pattern: $0,0.[00] - hour_of_day: - id: number - params: - pattern: '00' - fields: - _id: - aggregatable: false - count: 0 - esTypes: - - _id - format: - id: string - isMapped: true - name: _id - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the synthetics monitor status rule. These parameters are appropriate when `rule_type_id` is `xpack.synthetics.alerts.monitorStatus`. 
+ properties: + condition: + additionalProperties: false + type: object + properties: + alertOnNoData: + type: boolean + downThreshold: + type: number + groupBy: + type: string + includeRetests: + type: boolean + locationsThreshold: + type: number + recoveryStrategy: + enum: + - firstUp + - conditionNotMet + type: string + window: + anyOf: + - additionalProperties: false + type: object + properties: + time: + additionalProperties: false + type: object + properties: + size: + default: 5 + type: number + unit: + default: m + enum: + - s + - m + - h + - d + type: string + required: + - time + - additionalProperties: false + type: object + properties: + numberOfChecks: + default: 5 + maximum: 100 + minimum: 1 + type: number + required: + - window + kqlQuery: type: string - _index: - aggregatable: true - count: 0 - esTypes: - - _index - format: - id: string - isMapped: true - name: _index - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + locations: + items: + type: string + type: array + monitorIds: + items: + type: string + type: array + monitorTypes: + items: + type: string + type: array + projects: + items: + type: string + type: array + tags: + items: + type: string + type: array + title: Synthetics Monitor Status Rule Params + type: object + rule_type_id: + enum: + - xpack.synthetics.alerts.monitorStatus + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. 
type: string - _score: - aggregatable: false - count: 0 - format: - id: number - isMapped: true - name: _score - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: number - _source: - aggregatable: false - count: 0 - esTypes: - - _source - format: - id: _source - isMapped: true - name: _source - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: _source - AvgTicketPrice: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - params: - pattern: $0,0.[00] - isMapped: true - name: AvgTicketPrice - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Synthetics monitor status + type: object + Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
+ type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). 
+ type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. type: number - Cancelled: - aggregatable: true - count: 0 - esTypes: - - boolean - format: - id: boolean - isMapped: true - name: Cancelled - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean - Carrier: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: Carrier - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - dayOfWeek: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: dayOfWeek - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 type: number - Dest: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: Dest - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the synthetics tls rule. These parameters are appropriate when `rule_type_id` is `xpack.synthetics.alerts.tls`. + properties: + certAgeThreshold: + type: number + certExpirationThreshold: + type: number + kqlQuery: type: string - DestAirportID: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestAirportID - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + locations: + items: + type: string + type: array + monitorIds: + items: + type: string + type: array + monitorTypes: + items: + type: string + type: array + projects: + items: + type: string + type: array + search: type: string - DestCityName: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestCityName - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + tags: + items: + type: string + type: array + title: Synthetics TLS Rule Params + type: object + rule_type_id: + enum: + - xpack.synthetics.alerts.tls + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are 
checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - DestCountry: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestCountry - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Synthetics TLS + type: object + Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. 
+ items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. 
+ type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. 
+ type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. 
+ type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the uptime duration anomaly rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.durationAnomaly`. 
+ properties: + monitorId: type: string - DestLocation: - aggregatable: true - count: 0 - esTypes: - - geo_point - format: - id: geo_point - params: - transform: wkt - isMapped: true - name: DestLocation - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - DestRegion: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestRegion - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + severity: + type: number + stackVersion: type: string - DestWeather: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestWeather - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - monitorId + - severity + title: Uptime Duration Anomaly Rule Params + type: object + rule_type_id: + enum: + - xpack.uptime.alerts.durationAnomaly + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - DistanceKilometers: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - isMapped: true - name: DistanceKilometers - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Uptime duration anomaly + type: object + Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. 
+ type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. 
+ type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 type: number - DistanceMiles: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - isMapped: true - name: DistanceMiles - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. 
+ maximum: 20 + minimum: 2 type: number - FlightDelay: - aggregatable: true - count: 0 - esTypes: - - boolean - format: - id: boolean - isMapped: true - name: FlightDelay - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the uptime monitor status rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.monitorStatus`. 
+ properties: + availability: + additionalProperties: false + type: object + properties: + range: + type: number + rangeUnit: + type: string + threshold: + type: string + required: + - range + - rangeUnit + - threshold + filters: + anyOf: + - additionalProperties: false + type: object + properties: + monitor.type: + items: + type: string + type: array + observer.geo.name: + items: + type: string + type: array + tags: + items: + type: string + type: array + url.port: + items: + type: string + type: array + - type: string + isAutoGenerated: type: boolean - FlightDelayMin: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: FlightDelayMin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + locations: + items: + type: string + type: array + numTimes: type: number - FlightDelayType: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: FlightDelayType - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - FlightNum: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: FlightNum - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + search: type: string - FlightTimeHour: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: FlightTimeHour - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + shouldCheckAvailability: + type: boolean + shouldCheckStatus: + type: boolean + stackVersion: type: string - FlightTimeMin: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - isMapped: true - name: FlightTimeMin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - hour_of_day: - aggregatable: true - count: 0 - esTypes: - - long - format: - id: number - 
params: - pattern: '00' - name: hour_of_day - readFromDocValues: false - runtimeField: - script: - source: emit(doc['timestamp'].value.getHour()); - type: long - scripted: false - searchable: true - shortDotsEnable: false + timerange: + additionalProperties: false + type: object + properties: + from: + type: string + to: + type: string + required: + - from + - to + timerangeCount: type: number - Origin: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: Origin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginAirportID: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginAirportID - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginCityName: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginCityName - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginCountry: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginCountry - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginLocation: - aggregatable: true - count: 0 - esTypes: - - geo_point - format: - id: geo_point - params: - transform: wkt - isMapped: true - name: OriginLocation - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - OriginRegion: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginRegion - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + timerangeUnit: type: string - OriginWeather: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginWeather - 
readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + version: + type: number + required: + - numTimes + - shouldCheckStatus + - shouldCheckAvailability + title: Uptime Monitor Status Rule Params + type: object + rule_type_id: + enum: + - xpack.uptime.alerts.monitorStatus + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - timestamp: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: timestamp - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - id: d3d7af60-4c81-11e8-b3d7-01146121b73d - name: Kibana Sample Data Flights - runtimeFieldMap: - hour_of_day: - script: - source: emit(doc['timestamp'].value.getHour()); - type: long - sourceFilters: [] - timeFieldName: timestamp - title: kibana_sample_data_flights - version: WzM2LDJd - fields: - - aggregatable: true - count: 0 - esTypes: - - long - name: hour_of_day - readFromDocValues: false - runtimeField: - script: - source: emit(doc['timestamp'].value.getHour()); - type: long - scripted: false - searchable: true - shortDotsEnable: false - type: number - Data_views_preview_swap_data_view_request: - summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". - value: - fromId: abcd-efg - toId: xyz-123 - Data_views_set_default_data_view_request: - summary: Set the default data view identifier. - value: - data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - force: true - Data_views_swap_data_view_request: - summary: >- - Swap references from data view ID "abcd-efg" to "xyz-123" and remove the - data view that is no longer referenced. 
- value: - delete: true - fromId: abcd-efg - toId: xyz-123 - Data_views_update_data_view_request: - summary: Update some properties for a data view. - value: - data_view: - allowNoIndex: false - name: Kibana Sample Data eCommerce - timeFieldName: order_date - title: kibana_sample_data_ecommerce - refresh_fields: true - Data_views_update_field_metadata_request: - summary: Update metadata for multiple fields. - value: - fields: - field1: - count: 123 - customLabel: Field 1 label - field2: - customDescription: Field 2 description - customLabel: Field 2 label - Data_views_update_runtime_field_request: - summary: Update an existing runtime field on a data view. - value: - runtimeField: - script: - source: emit(doc["bar"].value) - Machine_learning_APIs_mlSync401Example: - summary: Two anomaly detection jobs required synchronization in this example. - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]]: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]" - statusCode: 401 - Machine_learning_APIs_mlSyncExample: - summary: Two anomaly detection jobs required synchronization in this example. - value: - datafeedsAdded: {} - datafeedsRemoved: {} - savedObjectsCreated: - anomaly-detector: - myjob1: - success: true - myjob2: - success: true - savedObjectsDeleted: {} - Observability_AI_Assistant_API_ChatCompleteRequestExample: - summary: Example of completing a chat interaction - value: | - { - "connectorId": "", - "disableFunctions": false, - "messages": [ - { - "@timestamp": "2025-06-25T23:45:00.000Z", - "message": { - "role": "user", - "content": "Is my Elasticsearch cluster healthy right now?" 
- } - } - ], - "persist": false, - "actions": [ - { - "name": "get_cluster_health", - "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", - "parameters": { - "type": "object", - "properties": { - "includeShardStats": { - "type": "boolean", - "default": false - } - } - } - } - ], - "instructions": ["When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English."] - } - Observability_AI_Assistant_API_ChatCompleteResponseExample: - summary: Get a chat completion from the Observability AI Assistant - value: > - data: - {"model":"unknown","choices":[{"delta":{"content":"","function_call":{"name":"get_cluster_health","arguments":"{\"includeShardStats\":true}"}},"finish_reason":null,"index":0}],"created":1750936626911,"id":"9c8eff9b-4fd4-4203-a4ab-2e364688deff","object":"chat.completion.chunk"} - - - data: [DONE] - Security_Detections_API_SetAlertAssigneesBodyAdd: - value: - assignees: - add: - - u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0 - remove: [] - ids: - - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6 - Security_Detections_API_SetAlertAssigneesBodyRemove: - value: - assignees: - add: [] - remove: - - u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0 - ids: - - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6 - Security_Detections_API_SetAlertTagsBodyAdd: - value: - ids: - - 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e + required: + - interval tags: - tags_to_add: - - Duplicate - tags_to_remove: [] - Security_Detections_API_SetAlertTagsBodyRemove: - value: - ids: - - 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. 
The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Uptime monitor status + type: object + Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. 
+ nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. 
+ type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the uptime tls rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.tlsCertificate`. + properties: + certAgeThreshold: + type: number + certExpirationThreshold: + type: number + search: + type: string + stackVersion: + type: string + title: Uptime TLS Rule Params + type: object + rule_type_id: + enum: + - xpack.uptime.alerts.tlsCertificate + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval tags: - tags_to_add: [] - tags_to_remove: - - Duplicate - Task_manager_health_Serverless_APIs_health_200response_serverless: - description: A successful response from `GET api/task_manager/_health`. 
- value: |- - { - "id": "b44483e1-3ba2-4f28-93d0-1d96c69c32c1", - "timestamp": "2025-03-21T21:49:50.409Z", - "status": "OK", - "last_update": "2025-03-21T21:48:53.996Z", - "stats": { - "configuration": { - "timestamp": "2025-03-21T21:47:51.663Z", - "value": { - "request_capacity": 1000, - "monitored_aggregated_stats_refresh_rate": 60000, - "monitored_stats_running_average_window": 50, - "monitored_task_execution_thresholds": { - "custom": {}, - "default": { - "error_threshold": 90, - "warn_threshold": 80 - } - }, - "claim_strategy": "mget", - "poll_interval": 500, - "capacity": { - "config": 10, - "as_workers": 10, - "as_cost": 20 - } - }, - "status": "OK" - }, - "workload": { - "timestamp": "2025-03-21T21:48:53.996Z", - "value": { - "count": 21, - "cost": 42, - "task_types": { - "Fleet-Metrics-Task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "Fleet-Usage-Logger": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "Fleet-Usage-Sender": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "ML:saved-objects-sync": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "actions:connector_usage_reporting": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "actions_telemetry": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "alerting_health_check": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "alerting_telemetry": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "alerts_invalidate_api_keys": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "cases-telemetry-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "dashboard_telemetry": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "fleet:automatic-agent-upgrade-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "fleet:check-deleted-files-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - 
"fleet:delete-unenrolled-agents-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "fleet:sync-integrations-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "fleet:unenroll-inactive-agents-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "fleet:upgrade-agentless-deployments-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "session_cleanup": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "task_manager:delete_inactive_background_task_nodes": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "task_manager:mark_removed_tasks_as_unrecognized": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - } - }, - "non_recurring": 1, - "non_recurring_cost": 2, - "schedule": [ - [ - "1m", - 2 - ], - [ - "5m", - 2 - ], - [ - "10m", - 1 - ], - [ - "15m", - 1 - ], - [ - "30m", - 1 - ], - [ - "1h", - 5 - ], - [ - "3600s", - 1 - ], - [ - "60m", - 1 - ], - [ - "720m", - 1 - ], - [ - "1d", - 4 - ], - [ - "1440m", - 1 - ] - ], - "overdue": 0, - "overdue_cost": 0, - "overdue_non_recurring": 0, - "estimated_schedule_density": [ - 0, - 0, - 1, - 0, - 0, - 0, - 0, - 1, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0 - ], - "capacity_requirements": { - "per_minute": 2, - "per_hour": 43, - "per_day": 7 - } - }, - "status": "OK" - } - } - } - parameters: - APM_UI_elastic_api_version: - description: The version of the API to use - in: header - name: elastic-api-version - required: true - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - APM_UI_kbn_xsrf: - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - Data_views_field_name: - description: The name of the runtime field. 
- in: path - name: fieldName - required: true - schema: - example: hour_of_day - type: string - Data_views_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - Data_views_view_id: - description: An identifier for the data view. - in: path - name: viewId - required: true - schema: - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f - type: string - Machine_learning_APIs_simulateParam: - description: >- - When true, simulates the synchronization by returning only the list of - actions that would be performed. - example: 'true' - in: query - name: simulate - required: false - schema: - type: boolean - SLOs_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - SLOs_slo_id: - description: An identifier for the slo. - in: path - name: sloId - required: true - schema: - example: 9c235211-6834-11ea-a78c-6feb38a34414 - type: string - SLOs_space_id: - description: >- - An identifier for the space. If `/s/` and the identifier are omitted - from the path, the default space is used. - in: path - name: spaceId - required: true - schema: - example: default - type: string - schemas: - APM_UI_400_response: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Uptime TLS certificate + type: object + Machine_learning_APIs_mlSync200Response: + properties: + datafeedsAdded: + additionalProperties: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' + description: If a saved object for an anomaly detection job is missing a datafeed identifier, it is added when you run the sync machine learning saved objects API. + type: object + datafeedsRemoved: + additionalProperties: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' + description: If a saved object for an anomaly detection job references a datafeed that no longer exists, it is deleted when you run the sync machine learning saved objects API. + type: object + savedObjectsCreated: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated' + savedObjectsDeleted: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted' + title: Successful sync API response + type: object + Machine_learning_APIs_mlSync4xxResponse: + properties: + error: + example: Unauthorized + type: string + message: + type: string + statusCode: + example: 401 + type: integer + title: Unsuccessful sync API response + type: object + Machine_learning_APIs_mlSyncResponseAnomalyDetectors: + description: The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status. + properties: + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for anomaly detection jobs + type: object + Machine_learning_APIs_mlSyncResponseDatafeeds: + description: The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. 
There is an object for each relevant datafeed, which contains the synchronization status. + properties: + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for datafeeds + type: object + Machine_learning_APIs_mlSyncResponseDataFrameAnalytics: + description: The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status. + properties: + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for data frame analytics jobs + type: object + Machine_learning_APIs_mlSyncResponseSavedObjectsCreated: + description: If saved objects are missing for machine learning jobs or trained models, they are created when you run the sync machine learning saved objects API. + properties: + anomaly-detector: + additionalProperties: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors' + description: If saved objects are missing for anomaly detection jobs, they are created. + type: object + data-frame-analytics: + additionalProperties: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics' + description: If saved objects are missing for data frame analytics jobs, they are created. + type: object + trained-model: + additionalProperties: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels' + description: If saved objects are missing for trained models, they are created. + type: object + title: Sync API response for created saved objects + type: object + Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted: + description: If saved objects exist for machine learning jobs or trained models that no longer exist, they are deleted when you run the sync machine learning saved objects API. 
+ properties: + anomaly-detector: + additionalProperties: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors' + description: If there are saved objects exist for nonexistent anomaly detection jobs, they are deleted. + type: object + data-frame-analytics: + additionalProperties: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics' + description: If there are saved objects exist for nonexistent data frame analytics jobs, they are deleted. + type: object + trained-model: + additionalProperties: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels' + description: If there are saved objects exist for nonexistent trained models, they are deleted. + type: object + title: Sync API response for deleted saved objects type: object + Machine_learning_APIs_mlSyncResponseSuccess: + description: The success or failure of the synchronization. + type: boolean + Machine_learning_APIs_mlSyncResponseTrainedModels: + description: The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status. properties: - error: - description: Error type - example: Not Found + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for trained models + type: object + Observability_AI_Assistant_API_Function: + type: object + properties: + description: + description: The description of the function. type: string - message: - description: Error message - example: Not Found + name: + description: The name of the function. type: string - statusCode: - description: Error status code - example: 400 - type: number - APM_UI_401_response: + parameters: + description: The parameters of the function. 
+ type: object + Observability_AI_Assistant_API_FunctionCall: + description: Details of the function call within the message. type: object properties: - error: - description: Error type - example: Unauthorized + arguments: + description: The arguments for the function call. type: string - message: - description: Error message + name: + description: The name of the function. type: string - statusCode: - description: Error status code - example: 401 - type: number - APM_UI_403_response: + trigger: + description: The trigger of the function call. + enum: + - assistant + - user + - elastic + type: string + required: + - name + - trigger + Observability_AI_Assistant_API_Instruction: + oneOf: + - description: A simple instruction represented as a string. + type: string + - description: A detailed instruction with an ID and text. + type: object + properties: + id: + description: A unique identifier for the instruction. + type: string + text: + description: The text of the instruction. + type: string + required: + - id + - text + Observability_AI_Assistant_API_Message: + name: Message type: object properties: - error: - description: Error type - example: Forbidden + '@timestamp': + description: The timestamp when the message was created. type: string message: - description: Error message + description: The main content of the message. + type: object + properties: + content: + description: The content of the message. + type: string + data: + description: Additional data associated with the message. + type: string + event: + description: The event related to the message. + type: string + function_call: + $ref: '#/components/schemas/Observability_AI_Assistant_API_FunctionCall' + name: + description: The name associated with the message. 
+ type: string + role: + $ref: '#/components/schemas/Observability_AI_Assistant_API_MessageRoleEnum' + required: + - role + required: + - '@timestamp' + - message + Observability_AI_Assistant_API_MessageRoleEnum: + description: The role of the message sender. + enum: + - system + - assistant + - function + - user + - elastic + type: string + Security_AI_Assistant_API_AnonymizationFieldCreateProps: + type: object + properties: + allowed: + description: Whether this field is allowed to be sent to the model. + example: true + type: boolean + anonymized: + description: Whether this field should be anonymized. + example: false + type: boolean + field: + description: Name of the anonymization field to create. + example: host.name type: string - statusCode: - description: Error status code - example: 403 - type: number - APM_UI_404_response: + required: + - field + Security_AI_Assistant_API_AnonymizationFieldDetailsInError: type: object properties: - error: - description: Error type - example: Not Found + id: + description: The ID of the anonymization field. + example: field12 type: string - message: - description: Error message - example: Not Found + name: + description: Name of the anonymization field. + example: host.name type: string - statusCode: - description: Error status code - example: 404 - type: number - APM_UI_500_response: + required: + - id + Security_AI_Assistant_API_AnonymizationFieldResponse: type: object properties: - error: - description: Error type - example: Internal Server Error + allowed: + description: Whether this field is allowed to be sent to the model. + example: true + type: boolean + anonymized: + description: Whether this field should be anonymized. + example: false + type: boolean + createdAt: + description: Timestamp of when the anonymization field was created. + example: '2023-10-31T12:00:00Z' type: string - message: - description: Error message + createdBy: + description: Username of the person who created the anonymization field. 
+ example: user1 type: string - statusCode: - description: Error status code - example: 500 - type: number - APM_UI_501_response: + field: + description: Name of the anonymization field. + example: url.domain + type: string + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + description: The ID of the anonymization field. + namespace: + description: Kibana space in which this anonymization field exists. + example: default + type: string + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp' + description: Timestamp when the anonymization field was initially created. + updatedAt: + description: Timestamp of the last update. + example: '2023-10-31T12:00:00Z' + type: string + updatedBy: + description: Username of the person who last updated the field. + example: user1 + type: string + required: + - id + - field + Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason: + description: Reason why the anonymization field was not modified. + enum: + - ANONYMIZATION_FIELD_NOT_MODIFIED + type: string + Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult: type: object properties: - error: - description: Error type - example: Not Implemented + id: + description: The ID of the anonymization field that was not modified. + example: field4 + type: string + name: + description: Name of the anonymization field that was not modified. + example: user.name type: string + skip_reason: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason' + description: Reason why the anonymization field was not modified. + required: + - id + - skip_reason + Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse: + type: object + properties: + anonymization_fields_count: + description: Total number of anonymization fields processed. 
+ example: 5 + type: integer + attributes: + type: object + properties: + errors: + description: List of errors that occurred during the bulk operation. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError' + type: array + results: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults' + summary: + $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary' + required: + - results + - summary message: - description: Error message - example: Not Implemented + description: Message providing information about the bulk action result. + example: Bulk action completed successfully type: string - statusCode: - description: Error status code - example: 501 - type: number - APM_UI_agent_configuration_intake_object: + status_code: + description: HTTP status code returned. + example: 200 + type: integer + success: + description: Indicates if the bulk action was successful. + example: true + type: boolean + required: + - attributes + Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults: + type: object + properties: + created: + description: List of anonymization fields successfully created. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' + type: array + deleted: + items: + description: Array of IDs of anonymization fields that were deleted. + example: field3 + type: string + type: array + skipped: + description: List of anonymization fields that were skipped during the operation. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult' + type: array + updated: + description: List of anonymization fields successfully updated. 
+ items: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' + type: array + required: + - updated + - created + - deleted + - skipped + Security_AI_Assistant_API_AnonymizationFieldUpdateProps: + type: object + properties: + allowed: + description: Whether this field is allowed to be sent to the model. + example: true + type: boolean + anonymized: + description: Whether this field should be anonymized. + example: false + type: boolean + id: + description: The ID of the anonymization field to update. + example: field8 + type: string + required: + - id + Security_AI_Assistant_API_ApiConfig: + type: object + properties: + actionTypeId: + description: Action type ID + example: actionType456 + type: string + connectorId: + description: Connector ID + example: connector123 + type: string + defaultSystemPromptId: + description: Default system prompt ID + example: systemPrompt001 + type: string + model: + description: Model + example: gpt-4 + type: string + provider: + $ref: '#/components/schemas/Security_AI_Assistant_API_Provider' + description: Provider + example: OpenAI + required: + - connectorId + - actionTypeId + Security_AI_Assistant_API_BaseContentReference: + description: The basis of a content reference + type: object + properties: + id: + description: Id of the content reference + example: content123 + type: string + type: + description: Type of the content reference + example: SecurityAlert + type: string + required: + - id + - type + Security_AI_Assistant_API_BaseInterruptResumeValue: + description: The basis of an interrupt resume value + type: object + properties: + type: + $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptType' + description: Type of the resume value + example: SELECT_OPTION + required: + - type + Security_AI_Assistant_API_BaseInterruptValue: + description: The basis of an agent interrupt + type: object + properties: + expired: + description: Whether the interrupt has expired and can no longer be 
resumed. + example: false + type: boolean + threadId: + description: Thread ID of the graph execution that produced this message. + example: + type: string + type: + $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptType' + description: Type of the interrupt + example: SELECT_OPTION + required: + - type + - threadId + Security_AI_Assistant_API_BulkCrudActionSummary: + type: object + properties: + failed: + description: The number of failed actions. + example: 0 + type: integer + skipped: + description: The number of skipped actions. + example: 1 + type: integer + succeeded: + description: The number of successfully performed actions. + example: 10 + type: integer + total: + description: The total number of actions attempted. + example: 12 + type: integer + required: + - failed + - skipped + - succeeded + - total + Security_AI_Assistant_API_ChatCompleteProps: + description: The request payload for creating a chat completion. + example: + connectorId: conn-001 + conversationId: abc123 + isStream: true + langSmithApiKey: sk-abc123 + langSmithProject: security_ai_project + messages: + - content: How do I detect ransomware on my endpoints? + data: + device_id: device-567 + fields_to_anonymize: + - device.name + - file.path + role: user + model: gpt-4 + persist: true + promptId: prompt_456 + responseLanguage: en + type: object + properties: + connectorId: + description: Required connector identifier to route the request. + example: conn-001 + type: string + conversationId: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + description: Existing conversation ID to continue. + isStream: + description: If true, the response will be streamed in chunks. + example: true + type: boolean + langSmithApiKey: + description: API key for LangSmith integration. + example: sk-abc123 + type: string + langSmithProject: + description: LangSmith project name for tracing. 
+ example: security_ai_project + type: string + messages: + description: List of chat messages exchanged so far. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessage' + type: array + model: + description: Model ID or name to use for the response. + example: gpt-4 + type: string + persist: + description: Whether to persist the chat and response to storage. + example: true + type: boolean + promptId: + description: Prompt template identifier. + example: prompt_001 + type: string + responseLanguage: + description: ISO language code for the assistant's response. + example: en + type: string + required: + - messages + - persist + - connectorId + Security_AI_Assistant_API_ChatMessage: + description: A message exchanged within the AI chat conversation. + type: object + properties: + content: + description: The textual content of the message. + example: What security incidents have been reported today? + type: string + data: + $ref: '#/components/schemas/Security_AI_Assistant_API_MessageData' + description: Metadata to attach to the context of the message. + fields_to_anonymize: + description: List of field names within the data object that should be anonymized. + example: + - user.name + - source.ip + items: + type: string + type: array + role: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessageRole' + description: The sender role of the message. + required: + - role + Security_AI_Assistant_API_ChatMessageRole: + description: The role associated with the message in the chat. 
+ enum: + - system + - user + - assistant + example: user + type: string + Security_AI_Assistant_API_ContentReferences: + additionalProperties: + oneOf: + - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertsPageContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_ProductDocumentationContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_EsqlContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_HrefContentReference' + additionalProperties: false + description: A union of all content reference types + type: object + Security_AI_Assistant_API_ConversationCategory: + description: The conversation category. + enum: + - assistant + - insights + example: assistant + type: string + Security_AI_Assistant_API_ConversationCreateProps: type: object properties: - agent_name: - description: >- - The agent name is used by the UI to determine which settings to - display. + apiConfig: + $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' + description: LLM API configuration. + category: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' + description: The conversation category. + example: assistant + excludeFromLastConversationStorage: + description: Exclude from last conversation storage. + type: boolean + id: + description: The conversation id. + example: conversation123 + type: string + messages: + description: The conversation messages. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_Message' + type: array + replacements: + $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' + title: + description: The conversation title. 
+ example: Security AI Assistant Setup type: string - service: - $ref: '#/components/schemas/APM_UI_service_object' - settings: - $ref: '#/components/schemas/APM_UI_settings_object' required: - - service - - settings - APM_UI_agent_configuration_object: - description: Agent configuration + - title + Security_AI_Assistant_API_ConversationResponse: type: object properties: - '@timestamp': - description: Timestamp - example: 1730194190636 - type: number - agent_name: - description: Agent name + apiConfig: + $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' + description: LLM API configuration. + category: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' + description: The conversation category. + example: assistant + createdAt: + description: The time conversation was created. + example: '2025-04-30T14:00:00Z' type: string - applied_by_agent: - description: Applied by agent - example: true + createdBy: + $ref: '#/components/schemas/Security_AI_Assistant_API_User' + description: The user who created the conversation. + excludeFromLastConversationStorage: + description: Exclude from last conversation storage. type: boolean - etag: - description: > - `etag` is sent by the APM agent to indicate the `etag` of the last - successfully applied configuration. If the `etag` matches an - existing configuration its `applied_by_agent` property will be set - to `true`. Every time a configuration is edited `applied_by_agent` - is reset to `false`. - example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + messages: + description: The conversation messages. 
+ items: + $ref: '#/components/schemas/Security_AI_Assistant_API_Message' + type: array + namespace: + description: Kibana space + example: default type: string - service: - $ref: '#/components/schemas/APM_UI_service_object' - settings: - $ref: '#/components/schemas/APM_UI_settings_object' + replacements: + $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp' + title: + description: The conversation title. + example: Security AI Assistant Setup + type: string + updatedAt: + description: The last time conversation was updated. + example: '2025-04-30T16:30:00Z' + type: string + users: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_User' + type: array required: - - service - - settings - - '@timestamp' - - etag - APM_UI_agent_configurations_response: + - id + - title + - createdAt + - createdBy + - users + - namespace + - category + Security_AI_Assistant_API_ConversationUpdateProps: type: object properties: - configurations: - description: Agent configuration + apiConfig: + $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' + description: LLM API configuration. + category: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' + description: The conversation category. + example: assistant + excludeFromLastConversationStorage: + description: Exclude from last conversation storage. + type: boolean + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + messages: + description: The conversation messages. items: - $ref: '#/components/schemas/APM_UI_agent_configuration_object' + $ref: '#/components/schemas/Security_AI_Assistant_API_Message' type: array - APM_UI_agent_keys_object: - type: object - properties: - name: - description: The name of the APM agent key. + replacements: + $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' + title: + description: The conversation title. 
+ example: Updated Security AI Assistant Setup type: string - privileges: - description: > - The APM agent key privileges. It can take one or more of the - following values: - - * `event:write`, which is required for ingesting APM agent events. * - `config_agent:read`, which is required for APM agents to read agent - configuration remotely. + users: items: - enum: - - event:write - - config_agent:read - type: string + $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - - name - - privileges - APM_UI_agent_keys_response: + - id + Security_AI_Assistant_API_DeleteResponseFields: type: object properties: - agentKey: - description: Agent key - type: object + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + required: + - id + Security_AI_Assistant_API_DocumentEntry: + allOf: + - type: object properties: - api_key: - type: string - encoded: + global: + description: Whether this Knowledge Base Entry is global, defaults to false. + example: false + type: boolean + name: + description: Name of the Knowledge Base Entry. + example: Example Entry type: string - expiration: - format: int64 - type: integer - id: + namespace: + description: Kibana Space, defaults to 'default' space. + example: default type: string + users: + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_User' + type: array + required: + - name + - namespace + - global + - users + - $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryResponseFields' + Security_AI_Assistant_API_DocumentEntryCreateFields: + allOf: + - type: object + properties: + global: + description: Whether this Knowledge Base Entry is global, defaults to false. + example: false + type: boolean name: + description: Name of the Knowledge Base Entry. 
+ example: Example Entry + type: string + namespace: + description: Kibana Space, defaults to 'default' space. + example: default type: string + users: + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_User' + type: array required: - - id - name - - api_key - - encoded - APM_UI_annotation_search_response: + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields' + Security_AI_Assistant_API_DocumentEntryOptionalFields: type: object properties: - annotations: - description: Annotations - items: - type: object - properties: - '@timestamp': - type: number - id: - type: string - text: - type: string - type: - enum: - - version - type: string - type: array - APM_UI_base_source_map_object: + required: + description: Whether this resource should always be included, defaults to false. + example: false + type: boolean + vector: + $ref: '#/components/schemas/Security_AI_Assistant_API_Vector' + Security_AI_Assistant_API_DocumentEntryRequiredFields: type: object properties: - compressionAlgorithm: - description: Compression Algorithm - type: string - created: - description: Created date - type: string - decodedSha256: - description: Decoded SHA-256 - type: string - decodedSize: - description: Decoded size - type: number - encodedSha256: - description: Encoded SHA-256 - type: string - encodedSize: - description: Encoded size - type: number - encryptionAlgorithm: - description: Encryption Algorithm - type: string - id: - description: Identifier - type: string - identifier: - description: Identifier - type: string - packageName: - description: Package name + kbResource: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResource' + source: + description: Source document name or filepath. 
+ example: /documents/example.txt type: string - relative_url: - description: Relative URL + text: + description: Knowledge Base Entry content. + example: This is the content of the document. type: string type: - description: Type - type: string - APM_UI_create_annotation_object: - type: object - properties: - '@timestamp': - description: The date and time of the annotation. It must be in ISO 8601 format. - type: string - message: - description: >- - The message displayed in the annotation. It defaults to - `service.version`. + description: Entry type. + enum: + - document + example: document type: string - service: - description: The service that identifies the configuration to create or update. - type: object + required: + - type + - kbResource + - source + - text + Security_AI_Assistant_API_DocumentEntryResponseFields: + allOf: + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields' + Security_AI_Assistant_API_DocumentEntryUpdateFields: + allOf: + - type: object properties: - environment: - description: The environment of the service. + global: + description: Whether this Knowledge Base Entry is global, defaults to false. + example: false + type: boolean + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + name: + description: Name of the Knowledge Base Entry. + example: Example Entry type: string - version: - description: The version of the service. + namespace: + description: Kibana Space, defaults to 'default' space. + example: default type: string + users: + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_User' + type: array required: - - version - tags: - description: > - Tags are used by the Applications UI to distinguish APM annotations - from other annotations. 
Tags may have additional functionality in - future releases. It defaults to `[apm]`. While you can add - additional tags, you cannot remove the `apm` tag. - items: - type: string - type: array - required: - - '@timestamp' - - service - APM_UI_create_annotation_response: - type: object - properties: - _id: - description: Identifier - type: string - _index: - description: Index - type: string - _source: - description: Response - type: object + - id + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + Security_AI_Assistant_API_EsqlContentReference: + allOf: + - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' + - type: object properties: - '@timestamp': + label: + description: Label of the query + example: High Severity Alerts type: string - annotation: - type: object - properties: - title: - type: string - type: - type: string - event: - type: object - properties: - created: - type: string - message: + query: + description: An ESQL query + example: SELECT * FROM alerts WHERE severity = "high" type: string - service: + timerange: + description: Time range to select in the time picker. type: object properties: - environment: - type: string - name: + from: + example: '2025-04-01T00:00:00Z' type: string - version: + to: + example: '2025-04-30T23:59:59Z' type: string - tags: - items: - type: string - type: array - APM_UI_delete_agent_configurations_response: - type: object - properties: - result: - description: Result - type: string - APM_UI_delete_service_object: - description: Service - type: object - properties: - service: - $ref: '#/components/schemas/APM_UI_service_object' - required: - - service - APM_UI_search_agent_configuration_object: - type: object - properties: - error: - description: > - If provided, the agent configuration will be marked as error and - `applied_by_agent` will be set to `false`. - - This is useful for cases where the agent configuration was not - applied successfully. 
- type: string - etag: - description: If etags match then `applied_by_agent` field will be set to `true` - example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 - type: string - mark_as_applied_by_agent: - description: > - `markAsAppliedByAgent=true` means "force setting it to true - regardless of etag". - - This is needed for Jaeger agent that doesn't have etags - type: boolean - service: - $ref: '#/components/schemas/APM_UI_service_object' - required: - - service - APM_UI_search_agent_configuration_response: - type: object - properties: - _id: - description: Identifier - type: string - _index: - description: Index - type: string - _score: - description: Score - type: number - _source: - $ref: '#/components/schemas/APM_UI_agent_configuration_object' - APM_UI_service_agent_name_response: - type: object - properties: - agentName: - description: Agent name - example: nodejs - type: string - APM_UI_service_environment_object: - type: object - properties: - alreadyConfigured: - description: Already configured - type: boolean - name: - description: Service environment name - example: ALL_OPTION_VALUE - type: string - APM_UI_service_environments_response: - type: object - properties: - environments: - description: Service environment list - items: - $ref: '#/components/schemas/APM_UI_service_environment_object' - type: array - APM_UI_service_object: - description: Service - type: object - properties: - environment: - description: The environment of the service. - example: prod - type: string - name: - description: The name of the service. 
- example: node - type: string - APM_UI_settings_object: - additionalProperties: - type: string - description: Agent configuration settings - type: object - APM_UI_single_agent_configuration_response: + required: + - from + - to + type: + enum: + - EsqlQuery + example: EsqlQuery + type: string + required: + - type + - query + - label + description: References an ESQL query + Security_AI_Assistant_API_FindAnonymizationFieldsSortField: + enum: + - created_at + - anonymized + - allowed + - field + - updated_at + type: string + Security_AI_Assistant_API_FindConversationsSortField: + description: The field by which to sort the conversations. Possible values are `created_at`, `title`, and `updated_at`. + enum: + - created_at + - title + - updated_at + example: created_at + type: string + Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField: + description: Fields available for sorting Knowledge Base Entries. + enum: + - created_at + - is_default + - title + - updated_at + example: title + type: string + Security_AI_Assistant_API_FindPromptsSortField: + description: Field by which to sort the prompts. + enum: + - created_at + - is_default + - name + - updated_at + example: created_at + type: string + Security_AI_Assistant_API_HrefContentReference: allOf: + - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' - type: object properties: - id: + href: + description: URL to the external resource + type: string + label: + description: Label of the query + type: string + type: + enum: + - Href type: string required: - - id - - $ref: '#/components/schemas/APM_UI_agent_configuration_object' - APM_UI_source_maps_response: + - type + - href + description: References an external URL + Security_AI_Assistant_API_IndexEntry: + allOf: + - type: object + properties: + global: + description: Whether this Knowledge Base Entry is global, defaults to false. + example: false + type: boolean + name: + description: Name of the Knowledge Base Entry. 
+ example: Example Entry + type: string + namespace: + description: Kibana Space, defaults to 'default' space. + example: default + type: string + users: + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_User' + type: array + required: + - name + - namespace + - global + - users + - $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryResponseFields' + Security_AI_Assistant_API_IndexEntryCreateFields: + allOf: + - type: object + properties: + global: + description: Whether this Knowledge Base Entry is global, defaults to false. + example: false + type: boolean + name: + description: Name of the Knowledge Base Entry. + example: Example Entry + type: string + namespace: + description: Kibana Space, defaults to 'default' space. + example: default + type: string + users: + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_User' + type: array + required: + - name + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields' + Security_AI_Assistant_API_IndexEntryOptionalFields: type: object properties: - artifacts: - description: Artifacts + inputSchema: + $ref: '#/components/schemas/Security_AI_Assistant_API_InputSchema' + outputFields: + description: Fields to extract from the query result, defaults to all fields if not provided or empty. 
+ example: + - title + - author items: - allOf: - - type: object - properties: - body: - type: object - properties: - bundleFilepath: - type: string - serviceName: - type: string - serviceVersion: - type: string - sourceMap: - type: object - properties: - file: - type: string - mappings: - type: string - sourceRoot: - type: string - sources: - items: - type: string - type: array - sourcesContent: - items: - type: string - type: array - version: - type: number - - $ref: '#/components/schemas/APM_UI_base_source_map_object' + type: string type: array - APM_UI_upload_source_map_object: + Security_AI_Assistant_API_IndexEntryRequiredFields: type: object properties: - bundle_filepath: - description: >- - The absolute path of the final bundle as used in the web - application. + description: + description: Description for when this index or data stream should be queried for Knowledge Base content. Passed to the LLM as a tool description. + example: Query this index for general knowledge base content. type: string - service_name: - description: The name of the service that the service map should apply to. + field: + description: Field to query for Knowledge Base content. + example: content type: string - service_version: - description: The version of the service that the service map should apply to. + index: + description: Index or Data Stream to query for Knowledge Base content. + example: knowledge_base_index type: string - sourcemap: - description: > - The source map. It can be a string or file upload. It must follow - the - - [source map format specification](https://tc39.es/ecma426/). - format: binary + queryDescription: + description: Description of query field used to fetch Knowledge Base content. Passed to the LLM as part of the tool input schema. + example: Search for documents containing the specified keywords. + type: string + type: + description: Entry type. 
+ enum: + - index + example: index type: string required: - - service_name - - service_version - - bundle_filepath - - sourcemap - APM_UI_upload_source_maps_response: + - type + - index + - field + - description + - queryDescription + Security_AI_Assistant_API_IndexEntryResponseFields: + allOf: + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields' + Security_AI_Assistant_API_IndexEntryUpdateFields: allOf: - type: object properties: - body: - type: string - - $ref: '#/components/schemas/APM_UI_base_source_map_object' - Data_views_400_response: - title: Bad request - type: object - properties: - error: - example: Bad Request - type: string - message: - type: string - statusCode: - example: 400 - type: number - required: - - statusCode - - error - - message - Data_views_404_response: - type: object - properties: - error: - enum: - - Not Found - example: Not Found - type: string - message: - example: >- - Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] - not found - type: string - statusCode: - enum: - - 404 - example: 404 - type: integer - Data_views_allownoindex: - description: >- - Allows the data view saved object to exist before the data is available. - Defaults to `false`. - type: boolean - Data_views_create_data_view_request_object: - title: Create data view request - type: object - properties: - data_view: - description: The data view object. - type: object - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' - type: object - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object + global: + description: Whether this Knowledge Base Entry is global, defaults to false. 
+ example: false + type: boolean id: - type: string + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' name: - description: The data view name. + description: Name of the Knowledge Base Entry. + example: Example Entry type: string - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' + namespace: + description: Kibana Space, defaults to 'default' space. + example: default + type: string + users: + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_User' + type: array + required: + - id + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' + Security_AI_Assistant_API_InputSchema: + description: Array of objects defining the input schema, allowing the LLM to extract structured data to be used in retrieval. + items: + type: object + properties: + description: + description: Description of the field. + example: The title of the document. + type: string + fieldName: + description: Name of the field. + example: title + type: string + fieldType: + description: Type of the field. 
+ example: string + type: string + required: + - fieldName + - fieldType + - description + type: array + Security_AI_Assistant_API_InputTextInterruptResumeValue: + allOf: + - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue' + - type: object + properties: type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - version: + enum: + - INPUT_TEXT + example: INPUT_TEXT + type: string + value: + description: Text value used to resume the graph execution with. + example: .logs* type: string required: - - title - override: - default: false - description: >- - Override an existing data view if a data view with the provided - title already exists. - type: boolean - required: - - data_view - Data_views_data_view_response_object: - title: Data view response properties - type: object - properties: - data_view: - type: object + - value + - type + description: A resume value for input text + Security_AI_Assistant_API_InputTextInterruptValue: + allOf: + - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptValue' + - type: object properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' - type: object - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - id: - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + description: + description: Description of action required + example: What is the index you would like to use for the query. type: string - name: - description: The data view name. + placeholder: + description: Placeholder text for the input field + example: Enter index pattern here... 
type: string - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta_response' - version: - example: WzQ2LDJd + type: + enum: + - INPUT_TEXT + example: INPUT_TEXT type: string - Data_views_fieldattrs: - description: A map of field attributes by field name. + required: + - type + description: Interrupt that requests user to provide text input + Security_AI_Assistant_API_InterruptResumeValue: + description: Union of the interrupt resume values + oneOf: + - $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptResumeValue' + additionalProperties: false + - $ref: '#/components/schemas/Security_AI_Assistant_API_InputTextInterruptResumeValue' + additionalProperties: false + Security_AI_Assistant_API_InterruptType: + description: The type of interrupt + enum: + - SELECT_OPTION + - INPUT_TEXT + type: string + Security_AI_Assistant_API_InterruptValue: + description: Union of the interrupt values + oneOf: + - $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptValue' + additionalProperties: false + - $ref: '#/components/schemas/Security_AI_Assistant_API_InputTextInterruptValue' + additionalProperties: false + Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason: + description: Reason why a Knowledge Base Entry was skipped during the bulk action. + enum: + - KNOWLEDGE_BASE_ENTRY_NOT_MODIFIED + type: string + Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult: type: object properties: - count: - description: Popularity count for the field. - type: integer - customDescription: - description: Custom description for the field. 
- maxLength: 300 + id: + description: ID of the skipped Knowledge Base Entry. + example: '123' type: string - customLabel: - description: Custom label for the field. + name: + description: Name of the skipped Knowledge Base Entry. + example: Skipped Entry type: string - Data_views_fieldformats: - description: A map of field formats by field name. - type: object - Data_views_namespaces: - description: >- - An array of space identifiers for sharing the data view between multiple - spaces. - items: - default: default - type: string - type: array - Data_views_runtimefieldmap: - description: A map of runtime field definitions by field name. + skip_reason: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason' + required: + - id + - skip_reason + Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse: type: object properties: - script: + attributes: type: object properties: - source: - description: Script for the runtime field. - type: string - type: - description: Mapping type of the runtime field. - type: string - required: - - script - - type - Data_views_sourcefilters: - description: The array of field names you want to filter out in Discover. - items: - type: object - properties: - value: - type: string - required: - - value - type: array - Data_views_swap_data_view_request_object: - title: Data view reference swap request - type: object - properties: - delete: - description: Deletes referenced saved object if all references are removed. - type: boolean - forId: - description: Limit the affected saved objects to one or more by identifier. - oneOf: - - type: string - - items: - type: string + errors: + description: List of errors encountered during the bulk action. + example: + - err_code: UPDATE_FAILED + knowledgeBaseEntries: + - id: '456' + name: Error Entry + message: Failed to update entry. 
+ statusCode: 400 + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError' type: array - forType: - description: Limit the affected saved objects by type. - type: string - fromId: - description: The saved object reference to change. - type: string - fromType: - description: > - Specify the type of the saved object reference to alter. The default - value is `index-pattern` for data views. - type: string - toId: - description: New saved object reference value to replace the old value. + results: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults' + summary: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary' + required: + - results + - summary + knowledgeBaseEntriesCount: + description: Total number of Knowledge Base Entries processed. + example: 8 + type: integer + message: + description: Message describing the result of the bulk action. + example: Bulk action completed successfully. type: string + statusCode: + description: HTTP status code of the response. + example: 200 + type: integer + success: + description: Indicates whether the bulk action was successful. + example: true + type: boolean required: - - fromId - - toId - Data_views_timefieldname: - description: The timestamp field name, which you use for time-based data views. - type: string - Data_views_title: - description: >- - Comma-separated list of data streams, indices, and aliases that you want - to search. Supports wildcards (`*`). - type: string - Data_views_type: - description: When set to `rollup`, identifies the rollup data views. - type: string - Data_views_typemeta: - description: >- - When you use rollup indices, contains the field list for the rollup data - view API endpoints. - type: object - properties: - aggs: - description: A map of rollup restrictions by aggregation type and field name. 
- type: object - params: - description: Properties for retrieving rollup fields. - type: object - required: - - aggs - - params - Data_views_typemeta_response: - description: >- - When you use rollup indices, contains the field list for the rollup data - view API endpoints. - nullable: true + - attributes + Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults: type: object properties: - aggs: - description: A map of rollup restrictions by aggregation type and field name. - type: object - params: - description: Properties for retrieving rollup fields. - type: object - Data_views_update_data_view_request_object: - title: Update data view request + created: + description: List of Knowledge Base Entries that were successfully created. + example: + - content: This is the content of the new entry. + id: '456' + title: New Entry + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' + type: array + deleted: + description: List of IDs of Knowledge Base Entries that were successfully deleted. + example: + - '789' + items: + type: string + type: array + skipped: + description: List of Knowledge Base Entries that were skipped during the bulk action. + example: + - id: '123' + name: Skipped Entry + skip_reason: KNOWLEDGE_BASE_ENTRY_NOT_MODIFIED + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult' + type: array + updated: + description: List of Knowledge Base Entries that were successfully updated. + example: + - content: Updated content. + id: '123' + title: Updated Entry + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' + type: array + required: + - updated + - created + - deleted + - skipped + Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary: type: object properties: - data_view: - description: > - The data view properties you want to update. Only the specified - properties are updated in the data view. 
Unspecified fields stay as - they are persisted. - type: object + failed: + description: Number of Knowledge Base Entries that failed during the bulk action. + example: 2 + type: integer + skipped: + description: Number of Knowledge Base Entries that were skipped during the bulk action. + example: 1 + type: integer + succeeded: + description: Number of Knowledge Base Entries that were successfully processed during the bulk action. + example: 5 + type: integer + total: + description: Total number of Knowledge Base Entries involved in the bulk action. + example: 8 + type: integer + required: + - failed + - skipped + - succeeded + - total + Security_AI_Assistant_API_KnowledgeBaseEntryContentReference: + allOf: + - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' + - type: object properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - name: + knowledgeBaseEntryId: + description: Id of the Knowledge Base Entry + example: kbentry456 + type: string + knowledgeBaseEntryName: + description: Name of the knowledge base entry + example: Network Security Best Practices type: string - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - refresh_fields: - default: false - description: Reloads the data view fields after the data view is updated. 
- type: boolean - required: - - data_view - Machine_learning_APIs_mlSync200Response: + enum: + - KnowledgeBaseEntry + example: KnowledgeBaseEntry + type: string + required: + - type + - knowledgeBaseEntryId + - knowledgeBaseEntryName + description: References a knowledge base entry + Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps: + anyOf: + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' + discriminator: + mapping: + document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' + propertyName: type + Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError: + type: object properties: - datafeedsAdded: - additionalProperties: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - description: >- - If a saved object for an anomaly detection job is missing a datafeed - identifier, it is added when you run the sync machine learning saved - objects API. - type: object - datafeedsRemoved: - additionalProperties: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - description: >- - If a saved object for an anomaly detection job references a datafeed - that no longer exists, it is deleted when you run the sync machine - learning saved objects API. - type: object - savedObjectsCreated: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated - savedObjectsDeleted: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted - title: Successful sync API response + id: + description: ID of the Knowledge Base Entry that encountered an error. + example: '456' + type: string + name: + description: Name of the Knowledge Base Entry that encountered an error. 
+ example: Error Entry + type: string + required: + - id + Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema: + additionalProperties: false type: object - Machine_learning_APIs_mlSync4xxResponse: properties: error: - example: Unauthorized + description: Error type or category. + example: Not Found type: string message: + description: Detailed error message. + example: The requested Knowledge Base Entry was not found. type: string statusCode: - example: 401 - type: integer - title: Unsuccessful sync API response + description: HTTP status code of the error. + example: 404 + type: number + required: + - statusCode + - error + - message + Security_AI_Assistant_API_KnowledgeBaseEntryResponse: + anyOf: + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntry' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntry' + discriminator: + mapping: + document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntry' + index: '#/components/schemas/Security_AI_Assistant_API_IndexEntry' + propertyName: type + Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps: + anyOf: + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields' + discriminator: + mapping: + document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields' + index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields' + propertyName: type + Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps: + anyOf: + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' + discriminator: + mapping: + document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' + propertyName: type + 
Security_AI_Assistant_API_KnowledgeBaseReadResponse200: type: object - Machine_learning_APIs_mlSyncResponseAnomalyDetectors: - description: >- - The sync machine learning saved objects API response contains this - object when there are anomaly detection jobs affected by the - synchronization. There is an object for each relevant job, which - contains the synchronization status. properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - title: Sync API response for anomaly detection jobs + defend_insights_exists: + description: Indicates if Defend Insights documentation exists in the KnowledgeBase. + example: true + type: boolean + elser_exists: + description: Indicates if the ELSER model exists for the KnowledgeBase. + example: true + type: boolean + is_setup_available: + description: Indicates if the setup process is available for the KnowledgeBase. + example: true + type: boolean + is_setup_in_progress: + description: Indicates if the setup process is currently in progress. + example: false + type: boolean + product_documentation_status: + description: The status of the product documentation in the KnowledgeBase. + example: complete + type: string + security_labs_exists: + description: Indicates if Security Labs documentation exists in the KnowledgeBase. + example: true + type: boolean + user_data_exists: + description: Indicates if user data exists in the KnowledgeBase. + example: false + type: boolean + Security_AI_Assistant_API_KnowledgeBaseResource: + description: Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc. + enum: + - security_labs + - defend_insights + - user + example: security_labs + type: string + Security_AI_Assistant_API_KnowledgeBaseResponse: + description: AI assistant KnowledgeBase. 
type: object - Machine_learning_APIs_mlSyncResponseDatafeeds: - description: >- - The sync machine learning saved objects API response contains this - object when there are datafeeds affected by the synchronization. There - is an object for each relevant datafeed, which contains the - synchronization status. properties: success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - title: Sync API response for datafeeds + description: Identify the success of the method execution. + example: true + type: boolean + Security_AI_Assistant_API_KnowledgeBaseResponse400: type: object - Machine_learning_APIs_mlSyncResponseDataFrameAnalytics: - description: >- - The sync machine learning saved objects API response contains this - object when there are data frame analytics jobs affected by the - synchronization. There is an object for each relevant job, which - contains the synchronization status. properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - title: Sync API response for data frame analytics jobs + error: + description: A short description of the error. + example: Bad Request + type: string + message: + description: A detailed error message. + example: Invalid resource ID provided. + type: string + statusCode: + description: The HTTP status code of the error. + example: 400 + type: number + Security_AI_Assistant_API_Message: + description: AI assistant conversation message. type: object - Machine_learning_APIs_mlSyncResponseSavedObjectsCreated: - description: >- - If saved objects are missing for machine learning jobs or trained - models, they are created when you run the sync machine learning saved - objects API. properties: - anomaly-detector: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors - description: >- - If saved objects are missing for anomaly detection jobs, they are - created. 
- type: object - data-frame-analytics: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics - description: >- - If saved objects are missing for data frame analytics jobs, they are - created. - type: object - trained-model: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels - description: If saved objects are missing for trained models, they are created. - type: object - title: Sync API response for created saved objects + content: + description: Message content. + example: Hello, how can I assist you today? + type: string + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + description: Message id + isError: + description: Is error message. + example: false + type: boolean + metadata: + $ref: '#/components/schemas/Security_AI_Assistant_API_MessageMetadata' + description: Metadata + reader: + $ref: '#/components/schemas/Security_AI_Assistant_API_Reader' + description: Message content. + refusal: + description: Refusal reason returned by the model when content is filtered. + type: string + role: + $ref: '#/components/schemas/Security_AI_Assistant_API_MessageRole' + description: Message role. + example: assistant + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp' + description: The timestamp message was sent or received. + example: '2025-04-30T15:30:00Z' + traceData: + $ref: '#/components/schemas/Security_AI_Assistant_API_TraceData' + description: Trace data + user: + $ref: '#/components/schemas/Security_AI_Assistant_API_User' + description: The user who sent the message. + required: + - timestamp + - content + - role + Security_AI_Assistant_API_MessageData: + additionalProperties: true + description: ECS-style metadata attached to the message. 
+ example: + alert_id: alert-456 + user_id: abc123 type: object - Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted: - description: >- - If saved objects exist for machine learning jobs or trained models that - no longer exist, they are deleted when you run the sync machine learning - saved objects API. - properties: - anomaly-detector: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors - description: >- - If there are saved objects exist for nonexistent anomaly detection - jobs, they are deleted. - type: object - data-frame-analytics: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics - description: >- - If there are saved objects exist for nonexistent data frame - analytics jobs, they are deleted. - type: object - trained-model: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels - description: >- - If there are saved objects exist for nonexistent trained models, - they are deleted. - type: object - title: Sync API response for deleted saved objects + Security_AI_Assistant_API_MessageMetadata: + description: Message metadata type: object - Machine_learning_APIs_mlSyncResponseSuccess: - description: The success or failure of the synchronization. - type: boolean - Machine_learning_APIs_mlSyncResponseTrainedModels: - description: >- - The sync machine learning saved objects API response contains this - object when there are trained models affected by the synchronization. - There is an object for each relevant trained model, which contains the - synchronization status. 
properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - title: Sync API response for trained models - type: object - Observability_AI_Assistant_API_Function: + contentReferences: + $ref: '#/components/schemas/Security_AI_Assistant_API_ContentReferences' + description: Data referred to by the message content. + interruptResumeValue: + $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptResumeValue' + description: When the agent is resumed after an interrupt, this field is populated with the details of the resume value. + interruptValue: + $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptValue' + description: When the agent is interrupted (for example, when user input is required), this field is populated with the details of the interrupt. Messages containing interruptValues in the metadata are excluded from the LLM context. + Security_AI_Assistant_API_MessageRole: + description: Message role. + enum: + - system + - user + - assistant + example: assistant + type: string + Security_AI_Assistant_API_NonEmptyString: + description: A string that does not contain only whitespace characters. + example: I am a string + format: nonempty + minLength: 1 + type: string + Security_AI_Assistant_API_NonEmptyTimestamp: + description: A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters. + example: '2023-10-31T12:00:00Z' + format: nonempty + minLength: 1 + type: string + Security_AI_Assistant_API_NormalizedAnonymizationFieldError: type: object properties: - description: - description: The description of the function. + anonymization_fields: + description: Array of anonymization fields that caused the error. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError' + type: array + err_code: + description: Error code indicating the type of failure. 
+ example: UPDATE_FAILED type: string - name: - description: The name of the function. + message: + description: Error message. + example: Failed to update anonymization field. type: string - parameters: - description: The parameters of the function. - type: object - Observability_AI_Assistant_API_FunctionCall: - description: Details of the function call within the message. + status_code: + description: Status code of the response. + example: 400 + type: integer + required: + - message + - status_code + - anonymization_fields + Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError: type: object properties: - arguments: - description: The arguments for the function call. - type: string - name: - description: The name of the function. + err_code: + description: Specific error code for the issue. + example: UPDATE_FAILED type: string - trigger: - description: The trigger of the function call. - enum: - - assistant - - user - - elastic + knowledgeBaseEntries: + description: List of Knowledge Base Entries that encountered the error. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError' + type: array + message: + description: Error message describing the issue. + example: Failed to update entry. type: string + statusCode: + description: HTTP status code associated with the error. + example: 400 + type: integer required: - - name - - trigger - Observability_AI_Assistant_API_Instruction: - oneOf: - - description: A simple instruction represented as a string. - type: string - - description: A detailed instruction with an ID and text. - type: object - properties: - id: - description: A unique identifier for the instruction. - type: string - text: - description: The text of the instruction. 
- type: string - required: - - id - - text - Observability_AI_Assistant_API_Message: - name: Message + - message + - statusCode + - knowledgeBaseEntries + Security_AI_Assistant_API_NormalizedPromptError: type: object properties: - '@timestamp': - description: The timestamp when the message was created. + err_code: + description: A code representing the error type. type: string message: - description: The main content of the message. - type: object + description: A message describing the error encountered. + type: string + prompts: + description: List of prompts that encountered errors. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptDetailsInError' + type: array + status_code: + description: The HTTP status code associated with the error. + type: integer + required: + - message + - status_code + - prompts + Security_AI_Assistant_API_ProductDocumentationContentReference: + allOf: + - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' + - type: object properties: - content: - description: The content of the message. - type: string - data: - description: Additional data associated with the message. + title: + description: Title of the documentation + example: Getting Started with Security AI Assistant type: string - event: - description: The event related to the message. + type: + enum: + - ProductDocumentation + example: ProductDocumentation type: string - function_call: - $ref: '#/components/schemas/Observability_AI_Assistant_API_FunctionCall' - name: - description: The name associated with the message. + url: + description: URL to the documentation + example: https://docs.example.com/security-ai-assistant type: string - role: - $ref: >- - #/components/schemas/Observability_AI_Assistant_API_MessageRoleEnum required: - - role - required: - - '@timestamp' - - message - Observability_AI_Assistant_API_MessageRoleEnum: - description: The role of the message sender. 
- enum: - - system - - assistant - - function - - user - - elastic - type: string - Security_AI_Assistant_API_AnonymizationFieldCreateProps: + - type + - title + - url + description: References the product documentation + Security_AI_Assistant_API_PromptCreateProps: type: object properties: - allowed: - description: Whether this field is allowed to be sent to the model. - example: true - type: boolean - anonymized: - description: Whether this field should be anonymized. + categories: + description: List of categories for the prompt. + example: + - security + - verification + items: + type: string + type: array + color: + description: The color associated with the prompt. + example: blue + type: string + consumer: + description: The consumer associated with the prompt. + example: admin + type: string + content: + description: The content of the prompt. + example: Please verify the security settings. + type: string + isDefault: + description: Whether this prompt should be the default. example: false type: boolean - field: - description: Name of the anonymization field to create. - example: host.name + isNewConversationDefault: + description: Whether this prompt should be the default for new conversations. + example: true + type: boolean + name: + description: The name of the prompt. + example: New Security Prompt type: string + promptType: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType' + description: The type of the prompt. + example: system required: - - field - Security_AI_Assistant_API_AnonymizationFieldDetailsInError: + - name + - content + - promptType + Security_AI_Assistant_API_PromptDetailsInError: type: object properties: id: - description: The ID of the anonymization field. - example: field12 + description: The ID of the prompt that encountered an error. type: string name: - description: Name of the anonymization field. - example: host.name + description: The name of the prompt that encountered an error. 
type: string required: - id - Security_AI_Assistant_API_AnonymizationFieldResponse: + Security_AI_Assistant_API_PromptResponse: type: object properties: - allowed: - description: Whether this field is allowed to be sent to the model. - example: true - type: boolean - anonymized: - description: Whether this field should be anonymized. - example: false - type: boolean + categories: + description: Categories associated with the prompt. + items: + type: string + type: array + color: + description: The color associated with the prompt. + type: string + consumer: + description: The consumer that the prompt is associated with. + type: string + content: + description: The content of the prompt. + type: string createdAt: - description: Timestamp of when the anonymization field was created. - example: '2023-10-31T12:00:00Z' + description: The timestamp of when the prompt was created. type: string createdBy: - description: Username of the person who created the anonymization field. - example: user1 - type: string - field: - description: Name of the anonymization field. - example: url.domain + description: The user who created the prompt. type: string id: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - description: The ID of the anonymization field. + isDefault: + description: Whether this prompt is the default. + type: boolean + isNewConversationDefault: + description: Whether this prompt is the default for new conversations. + type: boolean + name: + description: The name of the prompt. + type: string namespace: - description: Kibana space in which this anonymization field exists. - example: default + description: Kibana space where the prompt is located. type: string + promptType: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType' + description: The type of the prompt. timestamp: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp' - description: Timestamp when the anonymization field was initially created. 
updatedAt: - description: Timestamp of the last update. - example: '2023-10-31T12:00:00Z' + description: The timestamp of when the prompt was last updated. type: string updatedBy: - description: Username of the person who last updated the field. - example: user1 + description: The user who last updated the prompt. type: string + users: + description: List of users associated with the prompt. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_User' + type: array required: - id - - field - Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason: - description: Reason why the anonymization field was not modified. + - name + - promptType + - content + Security_AI_Assistant_API_PromptsBulkActionSkipReason: + description: Reason why a prompt was skipped during the bulk action. enum: - - ANONYMIZATION_FIELD_NOT_MODIFIED + - PROMPT_FIELD_NOT_MODIFIED type: string - Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult: + Security_AI_Assistant_API_PromptsBulkActionSkipResult: type: object properties: id: - description: The ID of the anonymization field that was not modified. - example: field4 + description: The ID of the prompt that was skipped. type: string name: - description: Name of the anonymization field that was not modified. - example: user.name + description: The name of the prompt that was skipped. type: string skip_reason: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason - description: Reason why the anonymization field was not modified. + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason' + description: The reason for skipping the prompt. required: - id - skip_reason - Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse: + Security_AI_Assistant_API_PromptsBulkCrudActionResponse: type: object properties: - anonymization_fields_count: - description: Total number of anonymization fields processed. 
- example: 5 - type: integer attributes: type: object properties: errors: - description: List of errors that occurred during the bulk operation. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError + $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedPromptError' type: array results: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults' summary: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary + $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary' required: - results - summary message: - description: Message providing information about the bulk action result. - example: Bulk action completed successfully + description: A message describing the result of the bulk action. + example: Bulk action completed successfully. type: string + prompts_count: + description: The number of prompts processed in the bulk action. + example: 6 + type: integer status_code: - description: HTTP status code returned. + description: The HTTP status code of the response. example: 200 type: integer success: 
@@ -26563,3538 +100067,3231 @@ components: type: boolean required: - attributes - Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults: + Security_AI_Assistant_API_PromptsBulkCrudActionResults: type: object properties: created: - description: List of anonymization fields successfully created. + description: List of prompts that were created. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' type: array deleted: + description: List of IDs of prompts that were deleted. items: - description: Array of IDs of anonymization fields that were deleted. - example: field3 type: string type: array skipped: - description: List of anonymization fields that were skipped during the operation. + description: List of prompts that were skipped. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult' type: array updated: - description: List of anonymization fields successfully updated. + description: List of prompts that were updated. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' type: array required: - updated - created - deleted - skipped - Security_AI_Assistant_API_AnonymizationFieldUpdateProps: - type: object - properties: - allowed: - description: Whether this field is allowed to be sent to the model. - example: true - type: boolean - anonymized: - description: Whether this field should be anonymized. - example: false - type: boolean - id: - description: The ID of the anonymization field to update. 
- example: field8 - type: string - required: - - id - Security_AI_Assistant_API_ApiConfig: - type: object - properties: - actionTypeId: - description: Action type ID - example: actionType456 - type: string - connectorId: - description: Connector ID - example: connector123 - type: string - defaultSystemPromptId: - description: Default system prompt ID - example: systemPrompt001 - type: string - model: - description: Model - example: gpt-4 - type: string - provider: - $ref: '#/components/schemas/Security_AI_Assistant_API_Provider' - description: Provider - example: OpenAI - required: - - connectorId - - actionTypeId - Security_AI_Assistant_API_BaseContentReference: - description: The basis of a content reference - type: object - properties: - id: - description: Id of the content reference - example: content123 - type: string - type: - description: Type of the content reference - example: SecurityAlert - type: string - required: - - id - - type - Security_AI_Assistant_API_BaseInterruptResumeValue: - description: The basis of an interrupt resume value - type: object - properties: - type: - $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptType' - description: Type of the resume value - example: SELECT_OPTION - required: - - type - Security_AI_Assistant_API_BaseInterruptValue: - description: The basis of an agent interrupt - type: object - properties: - expired: - description: Whether the interrupt has expired and can no longer be resumed. - example: false - type: boolean - threadId: - description: Thread ID of the graph execution that produced this message. - example: - type: string - type: - $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptType' - description: Type of the interrupt - example: SELECT_OPTION - required: - - type - - threadId - Security_AI_Assistant_API_BulkCrudActionSummary: - type: object - properties: - failed: - description: The number of failed actions. 
- example: 0 - type: integer - skipped: - description: The number of skipped actions. - example: 1 - type: integer - succeeded: - description: The number of successfully performed actions. - example: 10 - type: integer - total: - description: The total number of actions attempted. - example: 12 - type: integer - required: - - failed - - skipped - - succeeded - - total - Security_AI_Assistant_API_ChatCompleteProps: - description: The request payload for creating a chat completion. - example: - connectorId: conn-001 - conversationId: abc123 - isStream: true - langSmithApiKey: sk-abc123 - langSmithProject: security_ai_project - messages: - - content: How do I detect ransomware on my endpoints? - data: - device_id: device-567 - fields_to_anonymize: - - device.name - - file.path - role: user - model: gpt-4 - persist: true - promptId: prompt_456 - responseLanguage: en - type: object - properties: - connectorId: - description: Required connector identifier to route the request. - example: conn-001 - type: string - conversationId: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - description: Existing conversation ID to continue. - isStream: - description: If true, the response will be streamed in chunks. - example: true - type: boolean - langSmithApiKey: - description: API key for LangSmith integration. - example: sk-abc123 - type: string - langSmithProject: - description: LangSmith project name for tracing. - example: security_ai_project - type: string - messages: - description: List of chat messages exchanged so far. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessage' - type: array - model: - description: Model ID or name to use for the response. - example: gpt-4 - type: string - persist: - description: Whether to persist the chat and response to storage. - example: true - type: boolean - promptId: - description: Prompt template identifier. 
- example: prompt_001 - type: string - responseLanguage: - description: ISO language code for the assistant's response. - example: en - type: string - required: - - messages - - persist - - connectorId - Security_AI_Assistant_API_ChatMessage: - description: A message exchanged within the AI chat conversation. - type: object - properties: - content: - description: The textual content of the message. - example: What security incidents have been reported today? - type: string - data: - $ref: '#/components/schemas/Security_AI_Assistant_API_MessageData' - description: Metadata to attach to the context of the message. - fields_to_anonymize: - description: >- - List of field names within the data object that should be - anonymized. - example: - - user.name - - source.ip - items: - type: string - type: array - role: - $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessageRole' - description: The sender role of the message. - required: - - role - Security_AI_Assistant_API_ChatMessageRole: - description: The role associated with the message in the chat. - enum: - - system - - user - - assistant - example: user - type: string - Security_AI_Assistant_API_ContentReferences: - additionalProperties: - oneOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SecurityAlertContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SecurityAlertsPageContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ProductDocumentationContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_EsqlContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_HrefContentReference - additionalProperties: false - description: A union of all content reference types - type: object - Security_AI_Assistant_API_ConversationCategory: - description: The conversation category. 
- enum: - - assistant - - insights - example: assistant - type: string - Security_AI_Assistant_API_ConversationCreateProps: - type: object - properties: - apiConfig: - $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' - description: LLM API configuration. - category: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' - description: The conversation category. - example: assistant - excludeFromLastConversationStorage: - description: Exclude from last conversation storage. - type: boolean - id: - description: The conversation id. - example: conversation123 - type: string - messages: - description: The conversation messages. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_Message' - type: array - replacements: - $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' - title: - description: The conversation title. - example: Security AI Assistant Setup - type: string - required: - - title - Security_AI_Assistant_API_ConversationResponse: - type: object - properties: - apiConfig: - $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' - description: LLM API configuration. - category: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' - description: The conversation category. - example: assistant - createdAt: - description: The time conversation was created. - example: '2025-04-30T14:00:00Z' - type: string - createdBy: - $ref: '#/components/schemas/Security_AI_Assistant_API_User' - description: The user who created the conversation. - excludeFromLastConversationStorage: - description: Exclude from last conversation storage. - type: boolean - id: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - messages: - description: The conversation messages. 
- items: - $ref: '#/components/schemas/Security_AI_Assistant_API_Message' - type: array - namespace: - description: Kibana space - example: default - type: string - replacements: - $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' - timestamp: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp' - title: - description: The conversation title. - example: Security AI Assistant Setup - type: string - updatedAt: - description: The last time conversation was updated. - example: '2025-04-30T16:30:00Z' - type: string - users: - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_User' - type: array - required: - - id - - title - - createdAt - - createdBy - - users - - namespace - - category - Security_AI_Assistant_API_ConversationUpdateProps: - type: object - properties: - apiConfig: - $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' - description: LLM API configuration. - category: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' - description: The conversation category. - example: assistant - excludeFromLastConversationStorage: - description: Exclude from last conversation storage. - type: boolean - id: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - messages: - description: The conversation messages. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_Message' - type: array - replacements: - $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' - title: - description: The conversation title. 
- example: Updated Security AI Assistant Setup - type: string - users: - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_User' - type: array - required: - - id - Security_AI_Assistant_API_DeleteResponseFields: - type: object - properties: - id: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - required: - - id - Security_AI_Assistant_API_DocumentEntry: - allOf: - - type: object - properties: - global: - description: Whether this Knowledge Base Entry is global, defaults to false. - example: false - type: boolean - name: - description: Name of the Knowledge Base Entry. - example: Example Entry - type: string - namespace: - description: Kibana Space, defaults to 'default' space. - example: default - type: string - users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_User' - type: array - required: - - name - - namespace - - global - - users - - $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryResponseFields - Security_AI_Assistant_API_DocumentEntryCreateFields: - allOf: - - type: object - properties: - global: - description: Whether this Knowledge Base Entry is global, defaults to false. - example: false - type: boolean - name: - description: Name of the Knowledge Base Entry. - example: Example Entry - type: string - namespace: - description: Kibana Space, defaults to 'default' space. - example: default - type: string - users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. 
- items: - $ref: '#/components/schemas/Security_AI_Assistant_API_User' - type: array - required: - - name - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields - Security_AI_Assistant_API_DocumentEntryOptionalFields: + Security_AI_Assistant_API_PromptType: + description: Type of the prompt (either system or quick). + enum: + - system + - quick + type: string + Security_AI_Assistant_API_PromptUpdateProps: type: object properties: - required: - description: Whether this resource should always be included, defaults to false. + categories: + description: The updated categories for the prompt. + example: + - security + - alert + items: + type: string + type: array + color: + description: The updated color associated with the prompt. + example: green + type: string + consumer: + description: The updated consumer for the prompt. + example: user123 + type: string + content: + description: The updated content for the prompt. + example: Updated content for security prompt. + type: string + id: + description: The ID of the prompt to update. + example: prompt123 + type: string + isDefault: + description: Whether this prompt should be the default. + example: true + type: boolean + isNewConversationDefault: + description: Whether the prompt should be the default for new conversations. 
example: false type: boolean - vector: - $ref: '#/components/schemas/Security_AI_Assistant_API_Vector' - Security_AI_Assistant_API_DocumentEntryRequiredFields: + required: + - id + Security_AI_Assistant_API_Provider: + description: Provider + enum: + - OpenAI + - Azure OpenAI + - Other + example: OpenAI + type: string + Security_AI_Assistant_API_Reader: + additionalProperties: true + type: object + Security_AI_Assistant_API_Replacements: + additionalProperties: + type: string + description: Replacements object used to anonymize/deanonymize messages + type: object + Security_AI_Assistant_API_ResponseFields: type: object properties: - kbResource: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResource' - source: - description: Source document name or filepath. - example: /documents/example.txt + createdAt: + description: Time the Knowledge Base Entry was created. + example: '2023-01-01T12:00:00Z' type: string - text: - description: Knowledge Base Entry content. - example: This is the content of the document. + createdBy: + description: User who created the Knowledge Base Entry. + example: admin type: string - type: - description: Entry type. - enum: - - document - example: document + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + updatedAt: + description: Time the Knowledge Base Entry was last updated. + example: '2023-01-02T12:00:00Z' + type: string + updatedBy: + description: User who last updated the Knowledge Base Entry. 
+ example: editor type: string required: - - type - - kbResource - - source - - text - Security_AI_Assistant_API_DocumentEntryResponseFields: - allOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields - Security_AI_Assistant_API_DocumentEntryUpdateFields: - allOf: - - type: object - properties: - global: - description: Whether this Knowledge Base Entry is global, defaults to false. - example: false - type: boolean - id: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - name: - description: Name of the Knowledge Base Entry. - example: Example Entry - type: string - namespace: - description: Kibana Space, defaults to 'default' space. - example: default - type: string - users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_User' - type: array - required: - - id - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields - Security_AI_Assistant_API_EsqlContentReference: + - id + - createdAt + - createdBy + - updatedAt + - updatedBy + Security_AI_Assistant_API_SecurityAlertContentReference: allOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' - type: object properties: - label: - description: Label of the query - example: High Severity Alerts - type: string - query: - description: An ESQL query - example: SELECT * FROM alerts WHERE severity = "high" + alertId: + description: ID of the Alert + example: alert789 type: string - timerange: - description: Time range to select in the time picker. 
- type: object - properties: - from: - example: '2025-04-01T00:00:00Z' - type: string - to: - example: '2025-04-30T23:59:59Z' - type: string - required: - - from - - to type: enum: - - EsqlQuery - example: EsqlQuery + - SecurityAlert + example: SecurityAlert type: string required: - type - - query - - label - description: References an ESQL query - Security_AI_Assistant_API_FindAnonymizationFieldsSortField: - enum: - - created_at - - anonymized - - allowed - - field - - updated_at - type: string - Security_AI_Assistant_API_FindConversationsSortField: - description: >- - The field by which to sort the conversations. Possible values are - `created_at`, `title`, and `updated_at`. - enum: - - created_at - - title - - updated_at - example: created_at - type: string - Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField: - description: Fields available for sorting Knowledge Base Entries. - enum: - - created_at - - is_default - - title - - updated_at - example: title - type: string - Security_AI_Assistant_API_FindPromptsSortField: - description: Field by which to sort the prompts. - enum: - - created_at - - is_default - - name - - updated_at - example: created_at - type: string - Security_AI_Assistant_API_HrefContentReference: + - alertId + description: References a security alert + Security_AI_Assistant_API_SecurityAlertsPageContentReference: allOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' - type: object properties: - href: - description: URL to the external resource - type: string - label: - description: Label of the query - type: string type: enum: - - Href + - SecurityAlertsPage + example: SecurityAlertsPage type: string required: - type - - href - description: References an external URL - Security_AI_Assistant_API_IndexEntry: - allOf: - - type: object - properties: - global: - description: Whether this Knowledge Base Entry is global, defaults to false. 
- example: false - type: boolean - name: - description: Name of the Knowledge Base Entry. - example: Example Entry - type: string - namespace: - description: Kibana Space, defaults to 'default' space. - example: default - type: string - users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_User' - type: array - required: - - name - - namespace - - global - - users - - $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryResponseFields - Security_AI_Assistant_API_IndexEntryCreateFields: - allOf: - - type: object - properties: - global: - description: Whether this Knowledge Base Entry is global, defaults to false. - example: false - type: boolean - name: - description: Name of the Knowledge Base Entry. - example: Example Entry - type: string - namespace: - description: Kibana Space, defaults to 'default' space. - example: default - type: string - users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_User' - type: array - required: - - name - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields - Security_AI_Assistant_API_IndexEntryOptionalFields: - type: object - properties: - inputSchema: - $ref: '#/components/schemas/Security_AI_Assistant_API_InputSchema' - outputFields: - description: >- - Fields to extract from the query result, defaults to all fields if - not provided or empty. 
- example: - - title - - author - items: - type: string - type: array - Security_AI_Assistant_API_IndexEntryRequiredFields: + description: References the security alerts page + Security_AI_Assistant_API_SelectOptionInterruptOption: + description: A request approval option type: object properties: - description: - description: >- - Description for when this index or data stream should be queried for - Knowledge Base content. Passed to the LLM as a tool description. - example: Query this index for general knowledge base content. - type: string - field: - description: Field to query for Knowledge Base content. - example: content - type: string - index: - description: Index or Data Stream to query for Knowledge Base content. - example: knowledge_base_index + buttonColor: + enum: + - text + - accent + - accentSecondary + - primary + - success + - warning + - danger + - neutral + - risk + example: danger type: string - queryDescription: - description: >- - Description of query field used to fetch Knowledge Base content. - Passed to the LLM as part of the tool input schema. - example: Search for documents containing the specified keywords. + label: + example: Option 1 type: string - type: - description: Entry type. - enum: - - index - example: index + value: + example: option_1 type: string required: - - type - - index - - field - - description - - queryDescription - Security_AI_Assistant_API_IndexEntryResponseFields: - allOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields - Security_AI_Assistant_API_IndexEntryUpdateFields: - allOf: - - type: object - properties: - global: - description: Whether this Knowledge Base Entry is global, defaults to false. - example: false - type: boolean - id: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - name: - description: Name of the Knowledge Base Entry. 
- example: Example Entry - type: string - namespace: - description: Kibana Space, defaults to 'default' space. - example: default - type: string - users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_User' - type: array - required: - - id - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields - Security_AI_Assistant_API_InputSchema: - description: >- - Array of objects defining the input schema, allowing the LLM to extract - structured data to be used in retrieval. - items: - type: object - properties: - description: - description: Description of the field. - example: The title of the document. - type: string - fieldName: - description: Name of the field. - example: title - type: string - fieldType: - description: Type of the field. - example: string - type: string - required: - - fieldName - - fieldType - - description - type: array - Security_AI_Assistant_API_InputTextInterruptResumeValue: + - label + - value + Security_AI_Assistant_API_SelectOptionInterruptResumeValue: allOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue' - type: object properties: type: enum: - - INPUT_TEXT - example: INPUT_TEXT + - SELECT_OPTION + example: SELECT_OPTION type: string value: - description: Text value used to resume the graph execution with. 
- example: .logs* + description: The value of the selected option to resume the graph execution with + example: option_1 type: string required: - value - type - description: A resume value for input text - Security_AI_Assistant_API_InputTextInterruptValue: + description: A request approval resume schema + Security_AI_Assistant_API_SelectOptionInterruptValue: allOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptValue' - type: object properties: description: description: Description of action required - example: What is the index you would like to use for the query. - type: string - placeholder: - description: Placeholder text for the input field - example: Enter index pattern here... + example: Select one of the options type: string + options: + description: List of actions to choose from + example: + - label: Option 1 + - label: Option 2 + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptOption' + type: array type: enum: - - INPUT_TEXT - example: INPUT_TEXT + - SELECT_OPTION + example: SELECT_OPTION type: string required: - type - description: Interrupt that requests user to provide text input - Security_AI_Assistant_API_InterruptResumeValue: - description: Union of the interrupt resume values - oneOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptResumeValue - additionalProperties: false - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_InputTextInterruptResumeValue - additionalProperties: false - Security_AI_Assistant_API_InterruptType: - description: The type of interrupt - enum: - - SELECT_OPTION - - INPUT_TEXT - type: string - Security_AI_Assistant_API_InterruptValue: - description: Union of the interrupt values - oneOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptValue - additionalProperties: false - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_InputTextInterruptValue - additionalProperties: false - 
Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason: - description: Reason why a Knowledge Base Entry was skipped during the bulk action. + - description + - options + description: Interrupt that requests user to select one of the provided options + Security_AI_Assistant_API_SortOrder: + description: The order in which results are sorted. enum: - - KNOWLEDGE_BASE_ENTRY_NOT_MODIFIED + - asc + - desc + example: asc type: string - Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult: + Security_AI_Assistant_API_TraceData: + description: Trace Data + type: object + properties: + traceId: + description: Could be any string, not necessarily a UUID + example: d9876543-f0a1-2345-6789-abcdef123456 + type: string + transactionId: + description: Could be any string, not necessarily a UUID + example: a1234567-bc89-0def-1234-56789abcdef0 + type: string + Security_AI_Assistant_API_User: + description: Could be any string, not necessarily a UUID. type: object properties: id: - description: ID of the skipped Knowledge Base Entry. - example: '123' + description: User id. + example: user123 type: string name: - description: Name of the skipped Knowledge Base Entry. - example: Skipped Entry + description: User name. + example: John Doe type: string - skip_reason: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason - required: - - id - - skip_reason - Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse: + Security_AI_Assistant_API_Vector: + description: Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings. type: object properties: - attributes: + modelId: + description: ID of the model used to create the embeddings. + example: bert-base-uncased + type: string + tokens: + additionalProperties: + type: number + description: Tokens with their corresponding values. 
+ example: + token1: 0.123 + token2: 0.456 type: object - properties: - errors: - description: List of errors encountered during the bulk action. - example: - - err_code: UPDATE_FAILED - knowledgeBaseEntries: - - id: '456' - name: Error Entry - message: Failed to update entry. - statusCode: 400 - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError - type: array - results: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults - summary: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary - required: - - results - - summary - knowledgeBaseEntriesCount: - description: Total number of Knowledge Base Entries processed. - example: 8 - type: integer - message: - description: Message describing the result of the bulk action. - example: Bulk action completed successfully. + required: + - modelId + - tokens + Security_Attack_discovery_API_AnonymizationFieldResponse: + type: object + properties: + allowed: + description: Whether this field is allowed to be sent to the model. + example: true + type: boolean + anonymized: + description: Whether this field should be anonymized. + example: false + type: boolean + createdAt: + description: Timestamp of when the anonymization field was created. + example: '2023-10-31T12:00:00Z' + type: string + createdBy: + description: Username of the person who created the anonymization field. + example: user1 + type: string + field: + description: Name of the anonymization field. + example: url.domain + type: string + id: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + description: The ID of the anonymization field. + namespace: + description: Kibana space in which this anonymization field exists. 
+ example: default + type: string + timestamp: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyTimestamp' + description: Timestamp when the anonymization field was initially created. + updatedAt: + description: Timestamp of the last update. + example: '2023-10-31T12:00:00Z' + type: string + updatedBy: + description: Username of the person who last updated the field. + example: user1 type: string - statusCode: - description: HTTP status code of the response. - example: 200 - type: integer - success: - description: Indicates whether the bulk action was successful. - example: true - type: boolean required: - - attributes - Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults: + - id + - field + Security_Attack_discovery_API_ApiConfig: type: object properties: - created: - description: List of Knowledge Base Entries that were successfully created. - example: - - content: This is the content of the new entry. - id: '456' - title: New Entry + actionTypeId: + description: Action type ID + example: actionType456 + type: string + connectorId: + description: Connector ID + example: connector123 + type: string + defaultSystemPromptId: + description: Default system prompt ID + example: systemPrompt001 + type: string + model: + description: Model + example: gpt-4 + type: string + provider: + $ref: '#/components/schemas/Security_Attack_discovery_API_Provider' + description: Provider + example: OpenAI + required: + - connectorId + - actionTypeId + Security_Attack_discovery_API_AttackDiscoveryApiAlert: + description: An attack discovery that's also an alert (Public API with snake_case) + type: object + properties: + alert_ids: + description: The alert IDs that the attack discovery is based on items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse + type: string type: array - deleted: - description: >- - List of IDs of Knowledge Base Entries that were successfully - deleted. 
- example: - - '789' + alert_rule_uuid: + description: The optional kibana.alert.rule.uuid of the rule that generated this attack discovery (not applicable to ad hock runs) + type: string + alert_start: + description: The optional time the attack discovery alert was created + type: string + alert_updated_at: + description: The optional time the attack discovery alert was last updated + type: string + alert_updated_by_user_id: + description: The optional id of the user who last updated the attack discovery alert + type: string + alert_updated_by_user_name: + description: The optional username of the user who updated the attack discovery alert + type: string + alert_workflow_status: + description: The optional kibana.alert.workflow_status of this attack discovery + type: string + alert_workflow_status_updated_at: + description: The optional time the attack discovery alert workflow status was last updated + type: string + assignees: + description: The optional array of user-IDs who have been assigned the attack items: type: string type: array - skipped: - description: >- - List of Knowledge Base Entries that were skipped during the bulk - action. - example: - - id: '123' - name: Skipped Entry - skip_reason: KNOWLEDGE_BASE_ENTRY_NOT_MODIFIED + connector_id: + description: The ID of the connector that generated the attack discovery + type: string + connector_name: + description: The (human readable) name of the connector that generated the attack discovery + type: string + details_markdown: + description: Details of the attack with bulleted markdown that always uses special syntax for field names and values from the source data. 
+ type: string + entity_summary_markdown: + description: An optional, short (no more than a sentence) summary of the attack discovery featuring only the host.name and user.name fields (when they are applicable), using the same syntax + type: string + generation_uuid: + description: The generation ID of the run that created the attack discovery + type: string + id: + description: The unique ID of the attack discovery + type: string + index: + description: The concrete Elasticsearch index where this attack discovery is stored + type: string + mitre_attack_tactics: + description: An optional array of MITRE ATT&CK tactic for the attack discovery items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult + type: string type: array - updated: - description: List of Knowledge Base Entries that were successfully updated. - example: - - content: Updated content. - id: '123' - title: Updated Entry + replacements: + $ref: '#/components/schemas/Security_Attack_discovery_API_Replacements' + description: Key-value pairs that are used to replace placeholders in the markdown fields + risk_score: + description: The optional, (but typically populated after generation) risk score of the alert + type: integer + summary_markdown: + description: A markdown summary of attack discovery, using the same syntax + type: string + tags: + description: The optional array of tags assigned the attack items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse + type: string + type: array + timestamp: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyTimestamp' + description: The time the attack discovery was generated + title: + description: A title for the attack discovery, in plain text + type: string + user_id: + description: The optional id of the user who generated the attack discovery + type: string + user_name: + description: The optional username of the user who generated the attack 
discovery, (not applicable to attack discoveries generated by rules) + type: string + users: + description: The optional array of users who may view the attack discovery. When empty, (or not present), all users may view the attack discovery. + items: + $ref: '#/components/schemas/Security_Attack_discovery_API_User' type: array required: - - updated - - created - - deleted - - skipped - Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary: - type: object - properties: - failed: - description: Number of Knowledge Base Entries that failed during the bulk action. - example: 2 - type: integer - skipped: - description: >- - Number of Knowledge Base Entries that were skipped during the bulk - action. - example: 1 - type: integer - succeeded: - description: >- - Number of Knowledge Base Entries that were successfully processed - during the bulk action. - example: 5 - type: integer - total: - description: Total number of Knowledge Base Entries involved in the bulk action. - example: 8 - type: integer - required: - - failed - - skipped - - succeeded - - total - Security_AI_Assistant_API_KnowledgeBaseEntryContentReference: - allOf: - - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' - - type: object - properties: - knowledgeBaseEntryId: - description: Id of the Knowledge Base Entry - example: kbentry456 - type: string - knowledgeBaseEntryName: - description: Name of the knowledge base entry - example: Network Security Best Practices - type: string - type: - enum: - - KnowledgeBaseEntry - example: KnowledgeBaseEntry - type: string - required: - - type - - knowledgeBaseEntryId - - knowledgeBaseEntryName - description: References a knowledge base entry - Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps: - anyOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields - discriminator: - mapping: - document: >- - 
#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields - index: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields - propertyName: type - Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError: + - alert_ids + - connector_id + - connector_name + - details_markdown + - generation_uuid + - id + - summary_markdown + - timestamp + - title + Security_Attack_discovery_API_AttackDiscoveryApiSchedule: + description: An Attack Discovery schedule type: object properties: + actions: + description: The Attack Discovery schedule actions + items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction' + type: array + created_at: + description: The date the schedule was created + format: date-time + type: string + created_by: + description: The name of the user that created the schedule + type: string + enabled: + description: Indicates whether the schedule is enabled + type: boolean id: - description: ID of the Knowledge Base Entry that encountered an error. - example: '456' + description: UUID of Attack Discovery schedule type: string + last_execution: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution' + description: The Attack Discovery schedule last execution summary name: - description: Name of the Knowledge Base Entry that encountered an error. - example: Error Entry + description: The name of the schedule type: string - required: - - id - Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema: - additionalProperties: false - type: object - properties: - error: - description: Error type or category. 
- example: Not Found + params: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams' + description: The Attack Discovery schedule configuration parameters + schedule: + $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule' + description: The Attack Discovery schedule interval + updated_at: + description: The date the schedule was updated + format: date-time type: string - message: - description: Detailed error message. - example: The requested Knowledge Base Entry was not found. + updated_by: + description: The name of the user that updated the schedule type: string - statusCode: - description: HTTP status code of the error. - example: 404 - type: number required: - - statusCode - - error - - message - Security_AI_Assistant_API_KnowledgeBaseEntryResponse: - anyOf: - - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntry' - - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntry' - discriminator: - mapping: - document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntry' - index: '#/components/schemas/Security_AI_Assistant_API_IndexEntry' - propertyName: type - Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps: - anyOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields - discriminator: - mapping: - document: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields - index: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields - propertyName: type - Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps: - anyOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields - discriminator: - mapping: - document: >- - 
#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields - index: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields - propertyName: type - Security_AI_Assistant_API_KnowledgeBaseReadResponse200: + - id + - name + - created_by + - updated_by + - created_at + - updated_at + - enabled + - params + - schedule + - actions + Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction: + oneOf: + - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction' + - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction' + Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter: + additionalProperties: true + type: object + Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency: + description: The action frequency defines when the action runs (for example, only on schedule execution or at specific time intervals). type: object properties: - defend_insights_exists: - description: >- - Indicates if Defend Insights documentation exists in the - KnowledgeBase. - example: true - type: boolean - elser_exists: - description: Indicates if the ELSER model exists for the KnowledgeBase. - example: true - type: boolean - is_setup_available: - description: Indicates if the setup process is available for the KnowledgeBase. - example: true - type: boolean - is_setup_in_progress: - description: Indicates if the setup process is currently in progress. - example: false - type: boolean - product_documentation_status: - description: The status of the product documentation in the KnowledgeBase. - example: complete - type: string - security_labs_exists: - description: >- - Indicates if Security Labs documentation exists in the - KnowledgeBase. - example: true - type: boolean - user_data_exists: - description: Indicates if user data exists in the KnowledgeBase. 
- example: false + notify_when: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen' + summary: + description: Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert type: boolean - Security_AI_Assistant_API_KnowledgeBaseResource: - description: >- - Knowledge Base resource name for grouping entries, e.g. 'security_labs', - 'user', etc. + throttle: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle' + nullable: true + required: + - summary + - notify_when + - throttle + Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup: + description: Groups actions by use cases. Use `default` for alert notifications. + type: string + Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId: + description: The connector ID. + type: string + Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen: + description: 'The condition for throttling the notification: `onActionGroupChange`, `onActiveAlert`, or `onThrottleInterval`' enum: - - security_labs - - defend_insights - - user - example: security_labs + - onActiveAlert + - onThrottleInterval + - onActionGroupChange type: string - Security_AI_Assistant_API_KnowledgeBaseResponse: - description: AI assistant KnowledgeBase. + Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams: + additionalProperties: true + description: Object containing the allowed connector fields, which varies according to the connector type. + type: object + Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle: + description: Defines how often schedule actions are taken. Time interval in seconds, minutes, hours, or days. 
+ example: 1h + pattern: ^[1-9]\d*[smhd]$ + type: string + Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps: + description: An Attack Discovery schedule create properties type: object properties: - success: - description: Identify the success of the method execution. - example: true + actions: + description: The Attack Discovery schedule actions + items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction' + type: array + enabled: + description: Indicates whether the schedule is enabled type: boolean - Security_AI_Assistant_API_KnowledgeBaseResponse400: + name: + description: The name of the schedule + type: string + params: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams' + description: The Attack Discovery schedule configuration parameters + schedule: + $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule' + description: The Attack Discovery schedule interval + required: + - name + - params + - schedule + Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution: + description: An Attack Discovery schedule execution information type: object properties: - error: - description: A short description of the error. - example: Bad Request + date: + description: Date of the execution + format: date-time type: string + duration: + description: Duration of the execution + type: number message: - description: A detailed error message. - example: Invalid resource ID provided. type: string - statusCode: - description: The HTTP status code of the error. - example: 400 - type: number - Security_AI_Assistant_API_Message: - description: AI assistant conversation message. 
+ status: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus' + description: Status of the execution + required: + - date + - status + - last_duration + Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus: + description: An Attack Discovery schedule execution status + enum: + - ok + - active + - error + - unknown + - warning + type: string + Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction: type: object properties: - content: - description: Message content. - example: Hello, how can I assist you today? + action_type_id: + description: The action type used for sending notifications. type: string + alerts_filter: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter' + frequency: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency' + group: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup' id: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - description: Message id - isError: - description: Is error message. - example: false - type: boolean - metadata: - $ref: '#/components/schemas/Security_AI_Assistant_API_MessageMetadata' - description: Metadata - reader: - $ref: '#/components/schemas/Security_AI_Assistant_API_Reader' - description: Message content. - refusal: - description: Refusal reason returned by the model when content is filtered. - type: string - role: - $ref: '#/components/schemas/Security_AI_Assistant_API_MessageRole' - description: Message role. - example: assistant - timestamp: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp' - description: The timestamp message was sent or received. 
- example: '2025-04-30T15:30:00Z' - traceData: - $ref: '#/components/schemas/Security_AI_Assistant_API_TraceData' - description: Trace data - user: - $ref: '#/components/schemas/Security_AI_Assistant_API_User' - description: The user who sent the message. + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId' + params: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams' + uuid: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' required: - - timestamp - - content - - role - Security_AI_Assistant_API_MessageData: - additionalProperties: true - description: ECS-style metadata attached to the message. - example: - alert_id: alert-456 - user_id: abc123 - type: object - Security_AI_Assistant_API_MessageMetadata: - description: Message metadata - type: object - properties: - contentReferences: - $ref: '#/components/schemas/Security_AI_Assistant_API_ContentReferences' - description: Data referred to by the message content. - interruptResumeValue: - $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptResumeValue' - description: >- - When the agent is resumed after an interrupt, this field is - populated with the details of the resume value. - interruptValue: - $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptValue' - description: >- - When the agent is interrupted (for example, when user input is - required), this field is populated with the details of the - interrupt. Messages containing interruptValues in the metadata are - excluded from the LLM context. - Security_AI_Assistant_API_MessageRole: - description: Message role. - enum: - - system - - user - - assistant - example: assistant - type: string - Security_AI_Assistant_API_NonEmptyString: - description: A string that does not contain only whitespace characters. 
- example: I am a string - format: nonempty - minLength: 1 - type: string - Security_AI_Assistant_API_NonEmptyTimestamp: - description: >- - A string that represents a timestamp in ISO 8601 format and does not - contain only whitespace characters. - example: '2023-10-31T12:00:00Z' - format: nonempty - minLength: 1 - type: string - Security_AI_Assistant_API_NormalizedAnonymizationFieldError: + - action_type_id + - group + - id + - params + Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams: + description: An Attack Discovery schedule params type: object properties: - anonymization_fields: - description: Array of anonymization fields that caused the error. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError - type: array - err_code: - description: Error code indicating the type of failure. - example: UPDATE_FAILED + alerts_index_pattern: + description: The index pattern to get alerts from + type: string + api_config: + allOf: + - $ref: '#/components/schemas/Security_Attack_discovery_API_ApiConfig' + - type: object + properties: + name: + description: The name of the connector + type: string + required: + - name + description: LLM API configuration. + combined_filter: + additionalProperties: true + type: object + end: type: string - message: - description: Error message. - example: Failed to update anonymization field. + filters: + $ref: '#/components/schemas/Security_Attack_discovery_API_Filters' + query: + $ref: '#/components/schemas/Security_Attack_discovery_API_Query' + size: + type: number + start: type: string - status_code: - description: Status code of the response. 
- example: 400 - type: integer required: - - message - - status_code - - anonymization_fields - Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError: + - alerts_index_pattern + - api_config + - size + Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction: type: object properties: - err_code: - description: Specific error code for the issue. - example: UPDATE_FAILED - type: string - knowledgeBaseEntries: - description: List of Knowledge Base Entries that encountered the error. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError - type: array - message: - description: Error message describing the issue. - example: Failed to update entry. + action_type_id: + description: The action type used for sending notifications. type: string - statusCode: - description: HTTP status code associated with the error. - example: 400 - type: integer + id: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId' + params: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams' + uuid: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' required: - - message - - statusCode - - knowledgeBaseEntries - Security_AI_Assistant_API_NormalizedPromptError: + - action_type_id + - id + - params + Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps: + description: An Attack Discovery schedule update properties type: object properties: - err_code: - description: A code representing the error type. - type: string - message: - description: A message describing the error encountered. - type: string - prompts: - description: List of prompts that encountered errors. 
+ actions: + description: The Attack Discovery schedule actions items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptDetailsInError + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction' type: array - status_code: - description: The HTTP status code associated with the error. - type: integer + name: + description: The name of the schedule + type: string + params: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams' + description: The Attack Discovery schedule configuration parameters + schedule: + $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule' + description: The Attack Discovery schedule interval required: - - message - - status_code - - prompts - Security_AI_Assistant_API_ProductDocumentationContentReference: - allOf: - - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' - - type: object - properties: - title: - description: Title of the documentation - example: Getting Started with Security AI Assistant - type: string - type: - enum: - - ProductDocumentation - example: ProductDocumentation - type: string - url: - description: URL to the documentation - example: https://docs.example.com/security-ai-assistant - type: string - required: - - type - - title - - url - description: References the product documentation - Security_AI_Assistant_API_PromptCreateProps: + - name + - params + - schedule + - actions + Security_Attack_discovery_API_AttackDiscoveryFindSortField: + description: Allowed field names to sort Attack Discovery results by. Clients should only pass one of the listed values. + enum: + - '@timestamp' + type: string + Security_Attack_discovery_API_AttackDiscoveryGeneration: type: object properties: - categories: - description: List of categories for the prompt. - example: - - security - - verification - items: - type: string - type: array - color: - description: The color associated with the prompt. 
- example: blue + alerts_context_count: + description: The number of alerts sent as context (max kibana.alert.rule.execution.metrics.alert_counts.active) to the LLM for the generation + type: number + connector_id: + description: The connector id (event.dataset) for this generation type: string - consumer: - description: The consumer associated with the prompt. - example: admin + connector_stats: + description: Stats applicable to the connector for this generation + type: object + properties: + average_successful_duration_nanoseconds: + description: The average duration (avg event.duration) in nanoseconds of successful generations for the same connector id, for the current user + type: number + successful_generations: + description: The number of successful generations for the same connector id, for the current user + type: number + discoveries: + description: The number of new Attack discovery alerts (max kibana.alert.rule.execution.metrics.alert_counts.new) for this generation + type: number + end: + description: When generation ended (max event.end) type: string - content: - description: The content of the prompt. - example: Please verify the security settings. + execution_uuid: + description: The unique identifier (kibana.alert.rule.execution.uuid) for the generation type: string - isDefault: - description: Whether this prompt should be the default. - example: false - type: boolean - isNewConversationDefault: - description: Whether this prompt should be the default for new conversations. - example: true - type: boolean - name: - description: The name of the prompt. - example: New Security Prompt + loading_message: + description: Generation loading message (kibana.alert.rule.execution.status) type: string - promptType: - $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType' - description: The type of the prompt. 
- example: system - required: - - name - - content - - promptType - Security_AI_Assistant_API_PromptDetailsInError: - type: object - properties: - id: - description: The ID of the prompt that encountered an error. + reason: + description: Reason for failed generations (event.reason) type: string - name: - description: The name of the prompt that encountered an error. + start: + description: When generation started (min event.start) + type: string + status: + description: The status of the attack discovery generation + enum: + - canceled + - dismissed + - failed + - started + - succeeded type: string required: - - id - Security_AI_Assistant_API_PromptResponse: + - connector_id + - discoveries + - execution_uuid + - loading_message + - start + - status + Security_Attack_discovery_API_AttackDiscoveryGenerationConfig: type: object properties: - categories: - description: Categories associated with the prompt. + alertsIndexPattern: + description: | + The (space specific) index pattern that contains the alerts to use as + context for the attack discovery. + Example: .alerts-security.alerts-default + type: string + anonymizationFields: + description: The list of fields, and whether or not they are anonymized, allowed to be sent to LLMs. Consider using the output of the `/api/security_ai_assistant/anonymization_fields/_find` API (for a specific Kibana space) to provide this value. items: - type: string + $ref: '#/components/schemas/Security_Attack_discovery_API_AnonymizationFieldResponse' type: array - color: - description: The color associated with the prompt. - type: string - consumer: - description: The consumer that the prompt is associated with. + apiConfig: + $ref: '#/components/schemas/Security_Attack_discovery_API_ApiConfig' + description: LLM API configuration. + connectorName: type: string - content: - description: The content of the prompt. + end: type: string - createdAt: - description: The timestamp of when the prompt was created. 
+ filter: + additionalProperties: true + description: |- + An Elasticsearch-style query DSL object used to filter alerts. For example: + ```json { + "filter": { + "bool": { + "must": [], + "filter": [ + { + "bool": { + "should": [ + { + "term": { + "user.name": { "value": "james" } + } + } + ], + "minimum_should_match": 1 + } + } + ], + "should": [], + "must_not": [] + } + } + } ``` + type: object + model: type: string - createdBy: - description: The user who created the prompt. + replacements: + $ref: '#/components/schemas/Security_Attack_discovery_API_Replacements' + size: + type: number + start: type: string - id: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - isDefault: - description: Whether this prompt is the default. - type: boolean - isNewConversationDefault: - description: Whether this prompt is the default for new conversations. - type: boolean - name: - description: The name of the prompt. + subAction: + enum: + - invokeAI + - invokeStream type: string - namespace: - description: Kibana space where the prompt is located. + required: + - apiConfig + - alertsIndexPattern + - anonymizationFields + - size + - subAction + Security_Attack_discovery_API_AttackDiscoveryGenericError: + description: Generic error response for Attack Discovery schedule operations + type: object + properties: + error: + description: Error type + example: Bad Request type: string - promptType: - $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType' - description: The type of the prompt. - timestamp: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp' - updatedAt: - description: The timestamp of when the prompt was last updated. + message: + description: Human-readable error message describing what went wrong + example: Invalid request parameters. type: string - updatedBy: - description: The user who last updated the prompt. 
+ status_code: + description: HTTP status code + example: 400 + type: number + Security_Attack_discovery_API_Filters: + description: The filter array used to define the conditions for when alerts are selected as an Attack Discovery context. Defaults to an empty array. + items: {} + type: array + Security_Attack_discovery_API_IntervalApiSchedule: + type: object + properties: + interval: + description: The schedule interval type: string - users: - description: List of users associated with the prompt. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_User' - type: array required: - - id - - name - - promptType - - content - Security_AI_Assistant_API_PromptsBulkActionSkipReason: - description: Reason why a prompt was skipped during the bulk action. + - interval + Security_Attack_discovery_API_NonEmptyString: + description: A string that does not contain only whitespace characters. + example: I am a string + format: nonempty + minLength: 1 + type: string + Security_Attack_discovery_API_NonEmptyTimestamp: + description: A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters. + example: '2023-10-31T12:00:00Z' + format: nonempty + minLength: 1 + type: string + Security_Attack_discovery_API_Provider: + description: Provider enum: - - PROMPT_FIELD_NOT_MODIFIED + - OpenAI + - Azure OpenAI + - Other + example: OpenAI type: string - Security_AI_Assistant_API_PromptsBulkActionSkipResult: + Security_Attack_discovery_API_Query: + description: An query condition to filter alerts type: object properties: - id: - description: The ID of the prompt that was skipped. - type: string - name: - description: The name of the prompt that was skipped. + language: type: string - skip_reason: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason - description: The reason for skipping the prompt. 
+ query: + oneOf: + - type: string + - additionalProperties: true + type: object required: - - id - - skip_reason - Security_AI_Assistant_API_PromptsBulkCrudActionResponse: + - query + - language + Security_Attack_discovery_API_Replacements: + additionalProperties: + type: string + description: Replacements object used to anonymize/deanonymize messages + type: object + Security_Attack_discovery_API_SortOrder: + description: The order in which results are sorted. + enum: + - asc + - desc + example: asc + type: string + Security_Attack_discovery_API_User: + description: Could be any string, not necessarily a UUID. type: object properties: - attributes: - type: object - properties: - errors: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_NormalizedPromptError - type: array - results: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults - summary: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary - required: - - results - - summary - message: - description: A message describing the result of the bulk action. - example: Bulk action completed successfully. + id: + description: User id. + example: user123 type: string - prompts_count: - description: The number of prompts processed in the bulk action. - example: 6 - type: integer - status_code: - description: The HTTP status code of the response. - example: 200 - type: integer - success: - description: Indicates if the bulk action was successful. - example: true - type: boolean - required: - - attributes - Security_AI_Assistant_API_PromptsBulkCrudActionResults: + name: + description: User name. + example: John Doe + type: string + Security_Detections_API_AlertAssignees: type: object properties: - created: - description: List of prompts that were created. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' - type: array - deleted: - description: List of IDs of prompts that were deleted. 
+ add: items: + description: A list of user profile `uid`s to assign. Users need to activate their user profile by logging into Kibana at least once. + format: nonempty + minLength: 1 type: string type: array - skipped: - description: List of prompts that were skipped. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult - type: array - updated: - description: List of prompts that were updated. + remove: items: - $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' + description: A list of user profile `uid`s to unassign. Users need to activate their user profile by logging into Kibana at least once. + format: nonempty + minLength: 1 + type: string type: array required: - - updated - - created - - deleted - - skipped - Security_AI_Assistant_API_PromptType: - description: Type of the prompt (either system or quick). + - add + - remove + Security_Detections_API_AlertIds: + description: A list of alerts `id`s. + items: + format: nonempty + minLength: 1 + type: string + minItems: 1 + type: array + Security_Detections_API_AlertsIndex: + deprecated: true + description: (deprecated) Has no effect. + type: string + Security_Detections_API_AlertsIndexNamespace: + description: Has no effect. + type: string + Security_Detections_API_AlertsSort: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations' + - items: + $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations' + type: array + Security_Detections_API_AlertsSortCombinations: + anyOf: + - type: string + - additionalProperties: true + type: object + Security_Detections_API_AlertStatusExceptClosed: + description: The status of an alert, which can be `open`, `acknowledged`, `in-progress`, or `closed`. 
enum: - - system - - quick + - open + - acknowledged + - in-progress type: string - Security_AI_Assistant_API_PromptUpdateProps: + Security_Detections_API_AlertSuppression: + description: Defines alert suppression configuration. type: object properties: - categories: - description: The updated categories for the prompt. - example: - - security - - alert - items: - type: string - type: array - color: - description: The updated color associated with the prompt. - example: green - type: string - consumer: - description: The updated consumer for the prompt. - example: user123 - type: string - content: - description: The updated content for the prompt. - example: Updated content for security prompt. - type: string - id: - description: The ID of the prompt to update. - example: prompt123 - type: string - isDefault: - description: Whether this prompt should be the default. - example: true - type: boolean - isNewConversationDefault: - description: Whether the prompt should be the default for new conversations. 
- example: false - type: boolean + duration: + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration' + group_by: + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionGroupBy' + missing_fields_strategy: + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy' + required: + - group_by + Security_Detections_API_AlertSuppressionDuration: + type: object + properties: + unit: + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDurationUnit' + value: + minimum: 1 + type: integer required: - - id - Security_AI_Assistant_API_Provider: - description: Provider + - value + - unit + Security_Detections_API_AlertSuppressionDurationUnit: + description: Time unit enum: - - OpenAI - - Azure OpenAI - - Other - example: OpenAI + - s + - m + - h type: string - Security_AI_Assistant_API_Reader: - additionalProperties: true - type: object - Security_AI_Assistant_API_Replacements: - additionalProperties: + Security_Detections_API_AlertSuppressionGroupBy: + items: type: string - description: Replacements object used to anonymize/deanonymize messages - type: object - Security_AI_Assistant_API_ResponseFields: + maxItems: 3 + minItems: 1 + type: array + Security_Detections_API_AlertSuppressionMissingFieldsStrategy: + description: |- + Describes how alerts will be generated for documents with missing suppress by fields: + doNotSuppress - per each document a separate alert will be created + suppress - only alert will be created per suppress by bucket + enum: + - doNotSuppress + - suppress + type: string + Security_Detections_API_AlertTag: + description: Use alert tags to organize related alerts into categories that you can filter and group. + format: nonempty + minLength: 1 + type: string + Security_Detections_API_AlertTags: + description: List of keywords to organize related alerts into categories that you can filter and group. 
+ items: + $ref: '#/components/schemas/Security_Detections_API_AlertTag' + type: array + Security_Detections_API_AnomalyThreshold: + description: Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100. + minimum: 0 + type: integer + Security_Detections_API_BuildingBlockType: + description: | + Determines if the rule acts as a building block. If yes, the value must be `default`. + By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. + For more information, refer to [About building block rules](https://www.elastic.co/docs/solutions/security/detect-and-alert/about-building-block-rules). + type: string + Security_Detections_API_BulkActionEditPayload: + anyOf: + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTags' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadAlertSuppression' + Security_Detections_API_BulkActionEditPayloadAlertSuppression: + anyOf: + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppression' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression' + Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression: type: object properties: - createdAt: - description: Time the Knowledge Base Entry was created. 
- example: '2023-01-01T12:00:00Z' - type: string - createdBy: - description: User who created the Knowledge Base Entry. - example: admin - type: string - id: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - updatedAt: - description: Time the Knowledge Base Entry was last updated. - example: '2023-01-02T12:00:00Z' - type: string - updatedBy: - description: User who last updated the Knowledge Base Entry. - example: editor + type: + enum: + - delete_alert_suppression type: string required: - - id - - createdAt - - createdBy - - updatedAt - - updatedBy - Security_AI_Assistant_API_SecurityAlertContentReference: - allOf: - - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' - - type: object - properties: - alertId: - description: ID of the Alert - example: alert789 - type: string - type: - enum: - - SecurityAlert - example: SecurityAlert - type: string - required: - - type - - alertId - description: References a security alert - Security_AI_Assistant_API_SecurityAlertsPageContentReference: - allOf: - - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' - - type: object - properties: - type: - enum: - - SecurityAlertsPage - example: SecurityAlertsPage - type: string - required: - - type - description: References the security alerts page - Security_AI_Assistant_API_SelectOptionInterruptOption: - description: A request approval option + - type + Security_Detections_API_BulkActionEditPayloadIndexPatterns: + description: | + Edits index patterns of rulesClient. + + - `add_index_patterns` adds index patterns to rules. If an index pattern already exists for a rule, no changes are made. + - `delete_index_patterns` removes index patterns from rules. If an index pattern does not exist for a rule, no changes are made. + - `set_index_patterns` sets index patterns for rules, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. 
type: object properties: - buttonColor: + overwrite_data_views: + description: Resets the data view for the rule. + type: boolean + type: enum: - - text - - accent - - accentSecondary - - primary - - success - - warning - - danger - - neutral - - risk - example: danger - type: string - label: - example: Option 1 + - add_index_patterns + - delete_index_patterns + - set_index_patterns type: string value: - example: option_1 + $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' + required: + - type + - value + Security_Detections_API_BulkActionEditPayloadInvestigationFields: + description: | + Edits investigation fields of rules. + + - `add_investigation_fields` adds investigation fields to rules. If an investigation field already exists for a rule, no changes are made. + - `delete_investigation_fields` removes investigation fields from rules. If an investigation field does not exist for a rule, no changes are made. + - `set_investigation_fields` sets investigation fields for rules. If the set of investigation fields is the same as the existing investigation fields, no changes are made. + type: object + properties: + type: + enum: + - add_investigation_fields + - delete_investigation_fields + - set_investigation_fields type: string + value: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' required: - - label + - type - value - Security_AI_Assistant_API_SelectOptionInterruptResumeValue: - allOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue - - type: object + Security_Detections_API_BulkActionEditPayloadRuleActions: + description: | + Edits rule actions of rules. + + - `add_rule_actions` adds rule actions to rules. This action is non-idempotent, meaning that even if the same rule action already exists for a rule, it will be added again with a new unique ID. + - `set_rule_actions` sets rule actions for rules. 
This action is non-idempotent, meaning that even if the same set of rule actions already exists for a rule, it will be set again and the actions will receive new unique IDs. + type: object + properties: + type: + enum: + - add_rule_actions + - set_rule_actions + type: string + value: + type: object properties: - type: - enum: - - SELECT_OPTION - example: SELECT_OPTION - type: string - value: - description: >- - The value of the selected option to resume the graph execution - with - example: option_1 - type: string + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleAction' + type: array + throttle: + $ref: '#/components/schemas/Security_Detections_API_ThrottleForBulkActions' required: - - value - - type - description: A request approval resume schema - Security_AI_Assistant_API_SelectOptionInterruptValue: - allOf: - - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptValue' - - type: object + - actions + required: + - type + - value + Security_Detections_API_BulkActionEditPayloadSchedule: + description: | + Overwrites schedule of rules. + + - `set_schedule` sets a schedule for rules. If the same schedule already exists for a rule, no changes are made. + + Both `interval` and `lookback` have a format of "{integer}{time_unit}", where accepted time units are `s` for seconds, `m` for minutes, and `h` for hours. The integer must be positive and larger than 0. Examples: "45s", "30m", "6h" + type: object + properties: + type: + enum: + - set_schedule + type: string + value: + type: object properties: - description: - description: Description of action required - example: Select one of the options + interval: + description: Interval in which the rule runs. For example, `"1h"` means the rule runs every hour. 
+ example: 1h + pattern: ^[1-9]\d*[smh]$ type: string - options: - description: List of actions to choose from - example: - - label: Option 1 - - label: Option 2 - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptOption - type: array - type: - enum: - - SELECT_OPTION - example: SELECT_OPTION + lookback: + description: | + Lookback time for the rules. + + Additional look-back time that the rule analyzes. For example, "10m" means the rule analyzes the last 10 minutes of data in addition to the frequency interval. + example: 1h + pattern: ^[1-9]\d*[smh]$ type: string required: - - type - - description - - options - description: Interrupt that requests user to select one of the provided options - Security_AI_Assistant_API_SortOrder: - description: The order in which results are sorted. - enum: - - asc - - desc - example: asc - type: string - Security_AI_Assistant_API_TraceData: - description: Trace Data + - interval + - lookback + required: + - type + - value + Security_Detections_API_BulkActionEditPayloadSetAlertSuppression: type: object properties: - traceId: - description: Could be any string, not necessarily a UUID - example: d9876543-f0a1-2345-6789-abcdef123456 - type: string - transactionId: - description: Could be any string, not necessarily a UUID - example: a1234567-bc89-0def-1234-56789abcdef0 + type: + enum: + - set_alert_suppression type: string - Security_AI_Assistant_API_User: - description: Could be any string, not necessarily a UUID. + value: + $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' + required: + - type + - value + Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold: type: object properties: - id: - description: User id. - example: user123 + type: + enum: + - set_alert_suppression_for_threshold type: string - name: - description: User name. 
- example: John Doe + value: + $ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression' + required: + - type + - value + Security_Detections_API_BulkActionEditPayloadTags: + description: | + Edits tags of rules. + + - `add_tags` adds tags to rules. If a tag already exists for a rule, no changes are made. + - `delete_tags` removes tags from rules. If a tag does not exist for a rule, no changes are made. + - `set_tags` sets tags for rules, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. + type: object + properties: + type: + enum: + - add_tags + - delete_tags + - set_tags type: string - Security_AI_Assistant_API_Vector: - description: >- - Object containing Knowledge Base Entry text embeddings and modelId used - to create the embeddings. + value: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + required: + - type + - value + Security_Detections_API_BulkActionEditPayloadTimeline: + description: | + Edits timeline of rules. + + - `set_timeline` sets a timeline for rules. If the same timeline already exists for a rule, no changes are made. type: object properties: - modelId: - description: ID of the model used to create the embeddings. - example: bert-base-uncased + type: + enum: + - set_timeline type: string - tokens: - additionalProperties: - type: number - description: Tokens with their corresponding values. 
- example: - token1: 0.123 - token2: 0.456 + value: type: object + properties: + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + required: + - timeline_id + - timeline_title required: - - modelId - - tokens - Security_Attack_discovery_API_AnonymizationFieldResponse: + - type + - value + Security_Detections_API_BulkActionsDryRunErrCode: + enum: + - IMMUTABLE + - PREBUILT_CUSTOMIZATION_LICENSE + - MACHINE_LEARNING_AUTH + - MACHINE_LEARNING_INDEX_PATTERN + - ESQL_INDEX_PATTERN + - MANUAL_RULE_RUN_FEATURE + - MANUAL_RULE_RUN_DISABLED_RULE + - THRESHOLD_RULE_TYPE_IN_SUPPRESSION + - UNSUPPORTED_RULE_IN_SUPPRESSION_FOR_THRESHOLD + - RULE_FILL_GAPS_DISABLED_RULE + - USER_INSUFFICIENT_RULE_PRIVILEGES + type: string + Security_Detections_API_BulkActionSkipResult: type: object properties: - allowed: - description: Whether this field is allowed to be sent to the model. - example: true - type: boolean - anonymized: - description: Whether this field should be anonymized. - example: false - type: boolean - createdAt: - description: Timestamp of when the anonymization field was created. - example: '2023-10-31T12:00:00Z' - type: string - createdBy: - description: Username of the person who created the anonymization field. - example: user1 - type: string - field: - description: Name of the anonymization field. - example: url.domain - type: string id: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - description: The ID of the anonymization field. - namespace: - description: Kibana space in which this anonymization field exists. - example: default - type: string - timestamp: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyTimestamp' - description: Timestamp when the anonymization field was initially created. - updatedAt: - description: Timestamp of the last update. 
- example: '2023-10-31T12:00:00Z' type: string - updatedBy: - description: Username of the person who last updated the field. - example: user1 + name: type: string + skip_reason: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_BulkEditSkipReason' + - $ref: '#/components/schemas/Security_Detections_API_BulkGapsFillingSkipReason' required: - id - - field - Security_Attack_discovery_API_ApiConfig: + - skip_reason + Security_Detections_API_BulkDeleteRules: type: object properties: - actionTypeId: - description: Action type ID - example: actionType456 - type: string - connectorId: - description: Connector ID - example: connector123 - type: string - defaultSystemPromptId: - description: Default system prompt ID - example: systemPrompt001 + action: + enum: + - delete type: string - model: - description: Model - example: gpt-4 + gap_auto_fill_scheduler_id: + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string - provider: - $ref: '#/components/schemas/Security_Attack_discovery_API_Provider' - description: Provider - example: OpenAI - required: - - connectorId - - actionTypeId - Security_Attack_discovery_API_AttackDiscoveryApiAlert: - description: An attack discovery that's also an alert (Public API with snake_case) - type: object - properties: - alert_ids: - description: The alert IDs that the attack discovery is based on + gap_fill_statuses: + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). 
items: - type: string + $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array - alert_rule_uuid: - description: >- - The optional kibana.alert.rule.uuid of the rule that generated this - attack discovery (not applicable to ad hock runs) - type: string - alert_start: - description: The optional time the attack discovery alert was created - type: string - alert_updated_at: - description: The optional time the attack discovery alert was last updated - type: string - alert_updated_by_user_id: - description: >- - The optional id of the user who last updated the attack discovery - alert - type: string - alert_updated_by_user_name: - description: >- - The optional username of the user who updated the attack discovery - alert - type: string - alert_workflow_status: - description: The optional kibana.alert.workflow_status of this attack discovery + gaps_range_end: + description: Gaps range end, valid only when query is provided type: string - alert_workflow_status_updated_at: - description: >- - The optional time the attack discovery alert workflow status was - last updated + gaps_range_start: + description: Gaps range start, valid only when query is provided type: string - assignees: - description: The optional array of user-IDs who have been assigned the attack + ids: + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. + Only valid when query property is undefined. items: type: string + minItems: 1 type: array - connector_id: - description: The ID of the connector that generated the attack discovery - type: string - connector_name: - description: >- - The (human readable) name of the connector that generated the attack - discovery - type: string - details_markdown: - description: >- - Details of the attack with bulleted markdown that always uses - special syntax for field names and values from the source data. + query: + description: Query to filter rules. 
type: string - entity_summary_markdown: - description: >- - An optional, short (no more than a sentence) summary of the attack - discovery featuring only the host.name and user.name fields (when - they are applicable), using the same syntax + required: + - action + Security_Detections_API_BulkDisableRules: + type: object + properties: + action: + enum: + - disable type: string - generation_uuid: - description: The generation ID of the run that created the attack discovery + gap_auto_fill_scheduler_id: + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string - id: - description: The unique ID of the attack discovery + gap_fill_statuses: + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). + items: + $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' + type: array + gaps_range_end: + description: Gaps range end, valid only when query is provided type: string - index: - description: >- - The concrete Elasticsearch index where this attack discovery is - stored + gaps_range_start: + description: Gaps range start, valid only when query is provided type: string - mitre_attack_tactics: - description: An optional array of MITRE ATT&CK tactic for the attack discovery + ids: + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. + Only valid when query property is undefined. items: type: string + minItems: 1 type: array - replacements: - $ref: '#/components/schemas/Security_Attack_discovery_API_Replacements' - description: >- - Key-value pairs that are used to replace placeholders in the - markdown fields - risk_score: - description: >- - The optional, (but typically populated after generation) risk score - of the alert - type: integer - summary_markdown: - description: A markdown summary of attack discovery, using the same syntax + query: + description: Query to filter rules. 
+ type: string + required: + - action + Security_Detections_API_BulkDuplicateRules: + type: object + properties: + action: + enum: + - duplicate + type: string + duplicate: + description: Duplicate object that describes applying an update action. + type: object + properties: + include_exceptions: + description: Whether to copy exceptions from the original rule + type: boolean + include_expired_exceptions: + description: Whether to copy expired exceptions from the original rule + type: boolean + required: + - include_exceptions + - include_expired_exceptions + gap_auto_fill_scheduler_id: + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string - tags: - description: The optional array of tags assigned the attack + gap_fill_statuses: + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: - type: string + $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array - timestamp: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyTimestamp' - description: The time the attack discovery was generated - title: - description: A title for the attack discovery, in plain text - type: string - user_id: - description: The optional id of the user who generated the attack discovery + gaps_range_end: + description: Gaps range end, valid only when query is provided type: string - user_name: - description: >- - The optional username of the user who generated the attack - discovery, (not applicable to attack discoveries generated by rules) + gaps_range_start: + description: Gaps range start, valid only when query is provided type: string - users: - description: >- - The optional array of users who may view the attack discovery. When - empty, (or not present), all users may view the attack discovery. + ids: + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. 
+ Only valid when query property is undefined. items: - $ref: '#/components/schemas/Security_Attack_discovery_API_User' + type: string + minItems: 1 type: array + query: + description: Query to filter rules. + type: string required: - - alert_ids - - connector_id - - connector_name - - details_markdown - - generation_uuid - - id - - summary_markdown - - timestamp - - title - Security_Attack_discovery_API_AttackDiscoveryApiSchedule: - description: An Attack Discovery schedule + - action + Security_Detections_API_BulkEditActionResponse: type: object properties: - actions: - description: The Attack Discovery schedule actions - items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction - type: array - created_at: - description: The date the schedule was created - format: date-time - type: string - created_by: - description: The name of the user that created the schedule + attributes: + type: object + properties: + errors: + items: + $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleError' + type: array + results: + $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResults' + summary: + $ref: '#/components/schemas/Security_Detections_API_BulkEditActionSummary' + required: + - results + - summary + message: type: string - enabled: - description: Indicates whether the schedule is enabled + rules_count: + type: integer + status_code: + type: integer + success: type: boolean - id: - description: UUID of Attack Discovery schedule - type: string - last_execution: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution - description: The Attack Discovery schedule last execution summary - name: - description: The name of the schedule - type: string - params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams - description: The Attack Discovery schedule configuration parameters - schedule: - $ref: >- - 
#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule - description: The Attack Discovery schedule interval - updated_at: - description: The date the schedule was updated - format: date-time - type: string - updated_by: - description: The name of the user that updated the schedule - type: string required: - - id - - name - - created_by - - updated_by - - created_at - - updated_at - - enabled - - params - - schedule - - actions - Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction: - oneOf: - - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction - - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction - Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter: - additionalProperties: true - type: object - Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency: - description: >- - The action frequency defines when the action runs (for example, only on - schedule execution or at specific time intervals). 
+ - attributes + Security_Detections_API_BulkEditActionResults: type: object properties: - notify_when: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen - summary: - description: >- - Action summary indicates whether we will send a summary notification - about all the generate alerts or notification per individual alert - type: boolean - throttle: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle - nullable: true + created: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + type: array + deleted: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + type: array + skipped: + items: + $ref: '#/components/schemas/Security_Detections_API_BulkActionSkipResult' + type: array + updated: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + type: array required: - - summary - - notify_when - - throttle - Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup: - description: Groups actions by use cases. Use `default` for alert notifications. - type: string - Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId: - description: The connector ID. - type: string - Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen: - description: >- - The condition for throttling the notification: `onActionGroupChange`, - `onActiveAlert`, or `onThrottleInterval` - enum: - - onActiveAlert - - onThrottleInterval - - onActionGroupChange - type: string - Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams: - additionalProperties: true - description: >- - Object containing the allowed connector fields, which varies according - to the connector type. 
+ - updated + - created + - deleted + - skipped + Security_Detections_API_BulkEditActionSummary: + description: A rule can only be skipped when the bulk action to be performed on it results in nothing being done. For example, if the `edit` action is used to add a tag to a rule that already has that tag, or to delete an index pattern that is not specified in a rule. Objects returned in `attributes.results.skipped` will only include rules' `id`, `name`, and `skip_reason`. type: object - Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle: - description: >- - Defines how often schedule actions are taken. Time interval in seconds, - minutes, hours, or days. - example: 1h - pattern: ^[1-9]\d*[smhd]$ - type: string - Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps: - description: An Attack Discovery schedule create properties + properties: + failed: + type: integer + skipped: + type: integer + succeeded: + type: integer + total: + type: integer + required: + - failed + - skipped + - succeeded + - total + Security_Detections_API_BulkEditRules: type: object properties: - actions: - description: The Attack Discovery schedule actions + action: + enum: + - edit + type: string + edit: + description: Array of objects containing the edit operations items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction + $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayload' + minItems: 1 type: array - enabled: - description: Indicates whether the schedule is enabled - type: boolean - name: - description: The name of the schedule + gap_auto_fill_scheduler_id: + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string - params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams - description: The Attack Discovery schedule configuration parameters - schedule: - $ref: >- - 
#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule - description: The Attack Discovery schedule interval - required: - - name - - params - - schedule - Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution: - description: An Attack Discovery schedule execution information - type: object - properties: - date: - description: Date of the execution - format: date-time + gap_fill_statuses: + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). + items: + $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' + type: array + gaps_range_end: + description: Gaps range end, valid only when query is provided type: string - duration: - description: Duration of the execution - type: number - message: + gaps_range_start: + description: Gaps range start, valid only when query is provided + type: string + ids: + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. + Only valid when query property is undefined. + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules. type: string - status: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus - description: Status of the execution required: - - date - - status - - last_duration - Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus: - description: An Attack Discovery schedule execution status + - action + - edit + Security_Detections_API_BulkEditSkipReason: enum: - - ok - - active - - error - - unknown - - warning + - RULE_NOT_MODIFIED type: string - Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction: + Security_Detections_API_BulkEnableRules: type: object properties: - action_type_id: - description: The action type used for sending notifications. 
+ action: + enum: + - enable type: string - alerts_filter: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter - frequency: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency - group: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup - id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId - params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams - uuid: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - required: - - action_type_id - - group - - id - - params - Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams: - description: An Attack Discovery schedule params - type: object - properties: - alerts_index_pattern: - description: The index pattern to get alerts from + gap_auto_fill_scheduler_id: + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string - api_config: - allOf: - - $ref: '#/components/schemas/Security_Attack_discovery_API_ApiConfig' - - type: object - properties: - name: - description: The name of the connector - type: string - required: - - name - description: LLM API configuration. - combined_filter: - additionalProperties: true - type: object - end: + gap_fill_statuses: + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). 
+ items: + $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' + type: array + gaps_range_end: + description: Gaps range end, valid only when query is provided type: string - filters: - $ref: '#/components/schemas/Security_Attack_discovery_API_Filters' + gaps_range_start: + description: Gaps range start, valid only when query is provided + type: string + ids: + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. + Only valid when query property is undefined. + items: + type: string + minItems: 1 + type: array query: - $ref: '#/components/schemas/Security_Attack_discovery_API_Query' - size: - type: number - start: + description: Query to filter rules. type: string required: - - alerts_index_pattern - - api_config - - size - Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction: + - action + Security_Detections_API_BulkExportActionResponse: + type: string + Security_Detections_API_BulkExportRules: type: object properties: - action_type_id: - description: The action type used for sending notifications. + action: + enum: + - export type: string - id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId - params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams - uuid: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - required: - - action_type_id - - id - - params - Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps: - description: An Attack Discovery schedule update properties - type: object - properties: - actions: - description: The Attack Discovery schedule actions + gap_auto_fill_scheduler_id: + description: Gap auto fill scheduler ID used to determine gap fill status for rules + type: string + gap_fill_statuses: + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). 
items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction + $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array - name: - description: The name of the schedule + gaps_range_end: + description: Gaps range end, valid only when query is provided + type: string + gaps_range_start: + description: Gaps range start, valid only when query is provided + type: string + ids: + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. + Only valid when query property is undefined. + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules. type: string - params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams - description: The Attack Discovery schedule configuration parameters - schedule: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule - description: The Attack Discovery schedule interval required: - - name - - params - - schedule - - actions - Security_Attack_discovery_API_AttackDiscoveryFindSortField: - description: >- - Allowed field names to sort Attack Discovery results by. Clients should - only pass one of the listed values. 
+ - action + Security_Detections_API_BulkGapsFillingSkipReason: enum: - - '@timestamp' + - NO_GAPS_TO_FILL type: string - Security_Attack_discovery_API_AttackDiscoveryGeneration: + Security_Detections_API_BulkManualRuleFillGaps: type: object properties: - alerts_context_count: - description: >- - The number of alerts sent as context (max - kibana.alert.rule.execution.metrics.alert_counts.active) to the LLM - for the generation - type: number - connector_id: - description: The connector id (event.dataset) for this generation + action: + enum: + - fill_gaps type: string - connector_stats: - description: Stats applicable to the connector for this generation + fill_gaps: + description: Object that describes applying a manual gap fill action for the specified time range. type: object properties: - average_successful_duration_nanoseconds: - description: >- - The average duration (avg event.duration) in nanoseconds of - successful generations for the same connector id, for the - current user - type: number - successful_generations: - description: >- - The number of successful generations for the same connector id, - for the current user - type: number - discoveries: - description: >- - The number of new Attack discovery alerts (max - kibana.alert.rule.execution.metrics.alert_counts.new) for this - generation - type: number - end: - description: When generation ended (max event.end) - type: string - execution_uuid: - description: >- - The unique identifier (kibana.alert.rule.execution.uuid) for the - generation + end_date: + description: End date of the manual gap fill + type: string + start_date: + description: Start date of the manual gap fill + type: string + required: + - start_date + - end_date + gap_auto_fill_scheduler_id: + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string - loading_message: - description: Generation loading message (kibana.alert.rule.execution.status) + gap_fill_statuses: + description: Gap fill 
statuses to filter rules with gaps by status (used together with gaps_range_*). + items: + $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' + type: array + gaps_range_end: + description: Gaps range end, valid only when query is provided type: string - reason: - description: Reason for failed generations (event.reason) + gaps_range_start: + description: Gaps range start, valid only when query is provided type: string - start: - description: When generation started (min event.start) + ids: + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. + Only valid when query property is undefined. + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules. type: string - status: - description: The status of the attack discovery generation + required: + - action + - fill_gaps + Security_Detections_API_BulkManualRuleRun: + type: object + properties: + action: enum: - - canceled - - dismissed - - failed - - started - - succeeded + - run + type: string + gap_auto_fill_scheduler_id: + description: Gap auto fill scheduler ID used to determine gap fill status for rules + type: string + gap_fill_statuses: + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). + items: + $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' + type: array + gaps_range_end: + description: Gaps range end, valid only when query is provided type: string + gaps_range_start: + description: Gaps range start, valid only when query is provided + type: string + ids: + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. + Only valid when query property is undefined. + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules. + type: string + run: + description: Object that describes applying a manual rule run action. 
+ type: object + properties: + end_date: + description: End date of the manual rule run + type: string + start_date: + description: Start date of the manual rule run + type: string + required: + - start_date + - end_date required: - - connector_id - - discoveries - - execution_uuid - - loading_message - - start - - status - Security_Attack_discovery_API_AttackDiscoveryGenerationConfig: + - action + - run + Security_Detections_API_CloseAlertsByIds: type: object properties: - alertsIndexPattern: - description: > - The (space specific) index pattern that contains the alerts to use - as - - context for the attack discovery. - - Example: .alerts-security.alerts-default - type: string - anonymizationFields: - description: >- - The list of fields, and whether or not they are anonymized, allowed - to be sent to LLMs. Consider using the output of the - `/api/security_ai_assistant/anonymization_fields/_find` API (for a - specific Kibana space) to provide this value. + reason: + $ref: '#/components/schemas/Security_Detections_API_Reason' + signal_ids: + description: 'List of alert ids. Use field `_id` on alert document or `kibana.alert.uuid`. Note: signals are a deprecated term for alerts.' items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AnonymizationFieldResponse + format: nonempty + minLength: 1 + type: string + minItems: 1 type: array - apiConfig: - $ref: '#/components/schemas/Security_Attack_discovery_API_ApiConfig' - description: LLM API configuration. - connectorName: + status: + enum: + - closed type: string - end: + required: + - signal_ids + - status + Security_Detections_API_CloseAlertsByQuery: + type: object + properties: + conflicts: + default: abort + enum: + - abort + - proceed type: string - filter: + query: additionalProperties: true - description: >- - An Elasticsearch-style query DSL object used to filter alerts. 
For - example: - - ```json { - "filter": { - "bool": { - "must": [], - "filter": [ - { - "bool": { - "should": [ - { - "term": { - "user.name": { "value": "james" } - } - } - ], - "minimum_should_match": 1 - } - } - ], - "should": [], - "must_not": [] - } - } - } ``` type: object - model: - type: string - replacements: - $ref: '#/components/schemas/Security_Attack_discovery_API_Replacements' - size: - type: number - start: - type: string - subAction: + reason: + $ref: '#/components/schemas/Security_Detections_API_Reason' + status: enum: - - invokeAI - - invokeStream + - closed type: string required: - - apiConfig - - alertsIndexPattern - - anonymizationFields - - size - - subAction - Security_Attack_discovery_API_AttackDiscoveryGenericError: - description: Generic error response for Attack Discovery schedule operations + - query + - status + Security_Detections_API_ConcurrentSearches: + minimum: 1 + type: integer + Security_Detections_API_DataViewId: + type: string + Security_Detections_API_DefaultParams: type: object properties: - error: - description: Error type - example: Bad Request + command: + enum: + - isolate type: string - message: - description: Human-readable error message describing what went wrong - example: Invalid request parameters. + comment: type: string - status_code: - description: HTTP status code - example: 400 - type: number - Security_Attack_discovery_API_Filters: - description: >- - The filter array used to define the conditions for when alerts are - selected as an Attack Discovery context. Defaults to an empty array. - items: {} - type: array - Security_Attack_discovery_API_IntervalApiSchedule: + required: + - command + Security_Detections_API_EcsMapping: + additionalProperties: + type: object + properties: + field: + type: string + value: + oneOf: + - type: string + - items: + type: string + type: array + description: 'Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. 
Example: "ecs_mapping": {"process.pid": {"field": "pid"}}' + type: object + Security_Detections_API_EndpointResponseAction: type: object properties: - interval: - description: The schedule interval + action_type_id: + enum: + - .endpoint type: string + params: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_DefaultParams' + - $ref: '#/components/schemas/Security_Detections_API_ProcessesParams' + - $ref: '#/components/schemas/Security_Detections_API_RunscriptParams' required: - - interval - Security_Attack_discovery_API_NonEmptyString: - description: A string that does not contain only whitespace characters. - example: I am a string - format: nonempty - minLength: 1 - type: string - Security_Attack_discovery_API_NonEmptyTimestamp: - description: >- - A string that represents a timestamp in ISO 8601 format and does not - contain only whitespace characters. - example: '2023-10-31T12:00:00Z' - format: nonempty - minLength: 1 - type: string - Security_Attack_discovery_API_Provider: - description: Provider + - action_type_id + - params + Security_Detections_API_EqlOptionalFields: + type: object + properties: + alert_suppression: + $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' + data_view_id: + $ref: '#/components/schemas/Security_Detections_API_DataViewId' + event_category_override: + $ref: '#/components/schemas/Security_Detections_API_EventCategoryOverride' + filters: + $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' + index: + $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' + tiebreaker_field: + $ref: '#/components/schemas/Security_Detections_API_TiebreakerField' + timestamp_field: + $ref: '#/components/schemas/Security_Detections_API_TimestampField' + Security_Detections_API_EqlQueryLanguage: enum: - - OpenAI - - Azure OpenAI - - Other - example: OpenAI + - eql type: string - Security_Attack_discovery_API_Query: - description: An query condition to filter alerts + 
Security_Detections_API_EqlRequiredFields: type: object properties: language: - type: string + $ref: '#/components/schemas/Security_Detections_API_EqlQueryLanguage' + description: Query language to use query: - oneOf: - - type: string - - additionalProperties: true - type: object + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + type: + description: Rule type + enum: + - eql + type: string required: + - type - query - language - Security_Attack_discovery_API_Replacements: - additionalProperties: - type: string - description: Replacements object used to anonymize/deanonymize messages - type: object - Security_Attack_discovery_API_SortOrder: - description: The order in which results are sorted. - enum: - - asc - - desc - example: asc - type: string - Security_Attack_discovery_API_User: - description: Could be any string, not necessarily a UUID. + Security_Detections_API_EqlRule: + allOf: + - type: object + properties: + actions: + description: Array defining the automated actions (notifications) taken when alerts are generated. 
+ items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + alias_target_id: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + required_fields: + description: | + 
Elasticsearch fields and their types that need to be present for the rule to function. + > info + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + items: + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - 
severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' + - $ref: '#/components/schemas/Security_Detections_API_EqlRuleResponseFields' + Security_Detections_API_EqlRuleCreateFields: + allOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields' + Security_Detections_API_EqlRuleCreateProps: + allOf: + - type: object + properties: + actions: + description: Array defining the automated actions (notifications) taken when alerts are generated. + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + alias_target_id: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: 
'#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + required_fields: + description: | + Elasticsearch fields and their types that need to be present for the rule to function. + > info + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. 
+ items: + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateFields' + Security_Detections_API_EqlRulePatchFields: + allOf: + - type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_EqlQueryLanguage' + description: Query language to use + query: + $ref: 
'#/components/schemas/Security_Detections_API_RuleQuery' + type: + description: Rule type + enum: + - eql + type: string + - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields' + Security_Detections_API_EqlRulePatchProps: + allOf: + - type: object + properties: + actions: + description: Array defining the automated actions (notifications) taken when alerts are generated. + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + alias_target_id: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_UUID' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + note: + $ref: 
'#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + required_fields: + description: | + Elasticsearch fields and their types that need to be present for the rule to function. + > info + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + items: + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: 
'#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchFields' + Security_Detections_API_EqlRuleResponseFields: + allOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields' + Security_Detections_API_EqlRuleUpdateProps: + allOf: + - type: object + properties: + actions: + description: Array defining the automated actions (notifications) taken when alerts are generated. + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + alias_target_id: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_UUID' + interval: + $ref: 
'#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + required_fields: + description: | + Elasticsearch fields and their types that need to be present for the rule to function. + > info + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. 
+ items: + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateFields' + Security_Detections_API_ErrorSchema: + additionalProperties: false type: object properties: + error: + type: object + properties: + message: + type: string + status_code: + minimum: 400 + type: integer + required: + - status_code + - message id: - 
description: User id. - example: user123 type: string - name: - description: User name. - example: John Doe + item_id: + minLength: 1 type: string - Security_Detections_API_AlertAssignees: - type: object - properties: - add: - items: - description: >- - A list of user profile `uid`s to assign. Users need to activate - their user profile by logging into Kibana at least once. - format: nonempty - minLength: 1 - type: string - type: array - remove: - items: - description: >- - A list of user profile `uid`s to unassign. Users need to activate - their user profile by logging into Kibana at least once. - format: nonempty - minLength: 1 - type: string - type: array - required: - - add - - remove - Security_Detections_API_AlertIds: - description: A list of alerts `id`s. - items: - format: nonempty - minLength: 1 - type: string - minItems: 1 - type: array - Security_Detections_API_AlertsIndex: - deprecated: true - description: (deprecated) Has no effect. - type: string - Security_Detections_API_AlertsIndexNamespace: - description: Has no effect. - type: string - Security_Detections_API_AlertsSort: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations' - - items: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsSortCombinations - type: array - Security_Detections_API_AlertsSortCombinations: - anyOf: - - type: string - - additionalProperties: true - type: object - Security_Detections_API_AlertStatusExceptClosed: - description: >- - The status of an alert, which can be `open`, `acknowledged`, - `in-progress`, or `closed`. - enum: - - open - - acknowledged - - in-progress - type: string - Security_Detections_API_AlertSuppression: - description: Defines alert suppression configuration. 
- type: object - properties: - duration: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionDuration - group_by: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionGroupBy' - missing_fields_strategy: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy - required: - - group_by - Security_Detections_API_AlertSuppressionDuration: - type: object - properties: - unit: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionDurationUnit - value: - minimum: 1 - type: integer + list_id: + minLength: 1 + type: string + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' required: - - value - - unit - Security_Detections_API_AlertSuppressionDurationUnit: - description: Time unit - enum: - - s - - m - - h - type: string - Security_Detections_API_AlertSuppressionGroupBy: - items: - type: string - maxItems: 3 - minItems: 1 - type: array - Security_Detections_API_AlertSuppressionMissingFieldsStrategy: - description: >- - Describes how alerts will be generated for documents with missing - suppress by fields: - - doNotSuppress - per each document a separate alert will be created - - suppress - only alert will be created per suppress by bucket + - error + Security_Detections_API_EsqlQueryLanguage: enum: - - doNotSuppress - - suppress - type: string - Security_Detections_API_AlertTag: - description: >- - Use alert tags to organize related alerts into categories that you can - filter and group. - format: nonempty - minLength: 1 - type: string - Security_Detections_API_AlertTags: - description: >- - List of keywords to organize related alerts into categories that you can - filter and group. - items: - $ref: '#/components/schemas/Security_Detections_API_AlertTag' - type: array - Security_Detections_API_AnomalyThreshold: - description: >- - Anomaly score threshold above which the rule creates an alert. Valid - values are from 0 to 100. 
- minimum: 0 - type: integer - Security_Detections_API_BuildingBlockType: - description: > - Determines if the rule acts as a building block. If yes, the value must - be `default`. - - By default, building-block alerts are not displayed in the UI. These - rules are used as a foundation for other rules that do generate alerts. - - For more information, refer to [About building block - rules](https://www.elastic.co/docs/solutions/security/detect-and-alert/about-building-block-rules). + - esql type: string - Security_Detections_API_BulkActionEditPayload: - anyOf: - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadTags - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadAlertSuppression - Security_Detections_API_BulkActionEditPayloadAlertSuppression: - anyOf: - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppression - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression - Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression: - type: object - properties: - type: - enum: - - delete_alert_suppression - type: string - required: - - type - Security_Detections_API_BulkActionEditPayloadIndexPatterns: - description: > - Edits index patterns of rulesClient. - - - - `add_index_patterns` adds index patterns to rules. 
If an index pattern - already exists for a rule, no changes are made. - - - `delete_index_patterns` removes index patterns from rules. If an index - pattern does not exist for a rule, no changes are made. - - - `set_index_patterns` sets index patterns for rules, overwriting any - existing index patterns. If the set of index patterns is the same as the - existing index patterns, no changes are made. - type: object - properties: - overwrite_data_views: - description: Resets the data view for the rule. - type: boolean - type: - enum: - - add_index_patterns - - delete_index_patterns - - set_index_patterns - type: string - value: - $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - required: - - type - - value - Security_Detections_API_BulkActionEditPayloadInvestigationFields: - description: > - Edits investigation fields of rules. - - - - `add_investigation_fields` adds investigation fields to rules. If an - investigation field already exists for a rule, no changes are made. - - - `delete_investigation_fields` removes investigation fields from rules. - If an investigation field does not exist for a rule, no changes are - made. - - - `set_investigation_fields` sets investigation fields for rules. If the - set of investigation fields is the same as the existing investigation - fields, no changes are made. - type: object - properties: - type: - enum: - - add_investigation_fields - - delete_investigation_fields - - set_investigation_fields - type: string - value: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - required: - - type - - value - Security_Detections_API_BulkActionEditPayloadRuleActions: - description: > - Edits rule actions of rules. - - - - `add_rule_actions` adds rule actions to rules. This action is - non-idempotent, meaning that even if the same rule action already exists - for a rule, it will be added again with a new unique ID. - - - `set_rule_actions` sets rule actions for rules. 
This action is - non-idempotent, meaning that even if the same set of rule actions - already exists for a rule, it will be set again and the actions will - receive new unique IDs. + Security_Detections_API_EsqlRule: + allOf: + - type: object + properties: + actions: + description: Array defining the automated actions (notifications) taken when alerts are generated. + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + alias_target_id: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: 
'#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + required_fields: + description: | + Elasticsearch fields and their types that need to be present for the rule to function. + > info + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + items: + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + 
timestamp_override_fallback_disabled: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleResponseFields' + Security_Detections_API_EsqlRuleCreateFields: + allOf: + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields' + Security_Detections_API_EsqlRuleCreateProps: + allOf: + - type: object + properties: + actions: + description: Array defining the automated actions (notifications) taken when alerts are generated. 
+ items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + alias_target_id: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + required_fields: + description: | + 
Elasticsearch fields and their types that need to be present for the rule to function. + > info + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + items: + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - 
risk_score + - severity + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields' + Security_Detections_API_EsqlRuleOptionalFields: type: object properties: - type: - enum: - - add_rule_actions - - set_rule_actions - type: string - value: - type: object + alert_suppression: + $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' + Security_Detections_API_EsqlRulePatchProps: + allOf: + - type: object properties: actions: + description: Array defining the automated actions (notifications) taken when alerts are generated. + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + alias_target_id: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_UUID' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + language: + $ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: 
'#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + required_fields: + description: | + Elasticsearch fields and their types that need to be present for the rule to function. + > info + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. 
items: - $ref: >- - #/components/schemas/Security_Detections_API_NormalizedRuleAction + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: - $ref: >- - #/components/schemas/Security_Detections_API_ThrottleForBulkActions - required: - - actions - required: - - type - - value - Security_Detections_API_BulkActionEditPayloadSchedule: - description: > - Overwrites schedule of rules. - - - - `set_schedule` sets a schedule for rules. If the same schedule already - exists for a rule, no changes are made. - - - Both `interval` and `lookback` have a format of "{integer}{time_unit}", - where accepted time units are `s` for seconds, `m` for minutes, and `h` - for hours. The integer must be positive and larger than 0. Examples: - "45s", "30m", "6h" - type: object - properties: - type: - enum: - - set_schedule - type: string - value: - type: object - properties: - interval: - description: >- - Interval in which the rule runs. For example, `"1h"` means the - rule runs every hour. - example: 1h - pattern: ^[1-9]\d*[smh]$ - type: string - lookback: - description: > - Lookback time for the rules. 
- - - Additional look-back time that the rule analyzes. For example, - "10m" means the rule analyzes the last 10 minutes of data in - addition to the frequency interval. - example: 1h - pattern: ^[1-9]\d*[smh]$ + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + type: + description: Rule type + enum: + - esql type: string - required: - - interval - - lookback - required: - - type - - value - Security_Detections_API_BulkActionEditPayloadSetAlertSuppression: - type: object - properties: - type: - enum: - - set_alert_suppression - type: string - value: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - required: - - type - - value - Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold: - type: object - properties: - type: - enum: - - set_alert_suppression_for_threshold - type: string - value: - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdAlertSuppression - required: - - type - - value - Security_Detections_API_BulkActionEditPayloadTags: - description: > - Edits tags of rules. - - - - `add_tags` adds tags to rules. If a tag already exists for a rule, no - changes are made. - - - `delete_tags` removes tags from rules. If a tag does not exist for a - rule, no changes are made. - - - `set_tags` sets tags for rules, overwriting any existing tags. If the - set of tags is the same as the existing tags, no changes are made. 
+ version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' + Security_Detections_API_EsqlRuleRequiredFields: type: object properties: + language: + $ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage' + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' type: + description: Rule type enum: - - add_tags - - delete_tags - - set_tags + - esql type: string - value: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' required: - type - - value - Security_Detections_API_BulkActionEditPayloadTimeline: - description: > - Edits timeline of rules. - - - - `set_timeline` sets a timeline for rules. If the same timeline already - exists for a rule, no changes are made. - type: object - properties: - type: - enum: - - set_timeline - type: string - value: - type: object + - language + - query + Security_Detections_API_EsqlRuleResponseFields: + allOf: + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields' + Security_Detections_API_EsqlRuleUpdateProps: + allOf: + - type: object properties: + actions: + description: Array defining the automated actions (notifications) taken when alerts are generated. 
+ items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + alias_target_id: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_UUID' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: 
'#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + required_fields: + description: | + Elasticsearch fields and their types that need to be present for the rule to function. + > info + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + items: + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + to: + $ref: 
'#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - - timeline_id - - timeline_title - required: - - type - - value - Security_Detections_API_BulkActionsDryRunErrCode: - enum: - - IMMUTABLE - - PREBUILT_CUSTOMIZATION_LICENSE - - MACHINE_LEARNING_AUTH - - MACHINE_LEARNING_INDEX_PATTERN - - ESQL_INDEX_PATTERN - - MANUAL_RULE_RUN_FEATURE - - MANUAL_RULE_RUN_DISABLED_RULE - - THRESHOLD_RULE_TYPE_IN_SUPPRESSION - - UNSUPPORTED_RULE_IN_SUPPRESSION_FOR_THRESHOLD - - RULE_FILL_GAPS_DISABLED_RULE - - USER_INSUFFICIENT_RULE_PRIVILEGES + - name + - description + - risk_score + - severity + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields' + Security_Detections_API_EventCategoryOverride: type: string - Security_Detections_API_BulkActionSkipResult: - type: object - properties: - id: - type: string - name: - type: string - skip_reason: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_BulkEditSkipReason' - - $ref: >- - #/components/schemas/Security_Detections_API_BulkGapsFillingSkipReason - required: - - id - - skip_reason - Security_Detections_API_BulkDeleteRules: - type: object - properties: - action: - enum: - - delete - type: string - gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules - type: string - gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). - items: - $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' - type: array - gaps_range_end: - description: Gaps range end, valid only when query is provided - type: string - gaps_range_start: - description: Gaps range start, valid only when query is provided - type: string - ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. 
- - Only valid when query property is undefined. - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter rules. - type: string - required: - - action - Security_Detections_API_BulkDisableRules: - type: object - properties: - action: - enum: - - disable - type: string - gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules - type: string - gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). - items: - $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' - type: array - gaps_range_end: - description: Gaps range end, valid only when query is provided - type: string - gaps_range_start: - description: Gaps range start, valid only when query is provided - type: string - ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - - Only valid when query property is undefined. - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter rules. - type: string - required: - - action - Security_Detections_API_BulkDuplicateRules: - type: object - properties: - action: - enum: - - duplicate - type: string - duplicate: - description: Duplicate object that describes applying an update action. - type: object - properties: - include_exceptions: - description: Whether to copy exceptions from the original rule - type: boolean - include_expired_exceptions: - description: Whether to copy expired exceptions from the original rule - type: boolean - required: - - include_exceptions - - include_expired_exceptions - gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules - type: string - gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). 
- items: - $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' - type: array - gaps_range_end: - description: Gaps range end, valid only when query is provided - type: string - gaps_range_start: - description: Gaps range start, valid only when query is provided - type: string - ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - - Only valid when query property is undefined. - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter rules. - type: string - required: - - action - Security_Detections_API_BulkEditActionResponse: - type: object - properties: - attributes: - type: object - properties: - errors: - items: - $ref: >- - #/components/schemas/Security_Detections_API_NormalizedRuleError - type: array - results: - $ref: >- - #/components/schemas/Security_Detections_API_BulkEditActionResults - summary: - $ref: >- - #/components/schemas/Security_Detections_API_BulkEditActionSummary - required: - - results - - summary - message: - type: string - rules_count: - type: integer - status_code: - type: integer - success: - type: boolean - required: - - attributes - Security_Detections_API_BulkEditActionResults: - type: object - properties: - created: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - type: array - deleted: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - type: array - skipped: - items: - $ref: '#/components/schemas/Security_Detections_API_BulkActionSkipResult' - type: array - updated: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - type: array - required: - - updated - - created - - deleted - - skipped - Security_Detections_API_BulkEditActionSummary: - description: >- - A rule can only be skipped when the bulk action to be performed on it - results in nothing being done. 
For example, if the `edit` action is used - to add a tag to a rule that already has that tag, or to delete an index - pattern that is not specified in a rule. Objects returned in - `attributes.results.skipped` will only include rules' `id`, `name`, and - `skip_reason`. - type: object - properties: - failed: - type: integer - skipped: - type: integer - succeeded: - type: integer - total: - type: integer - required: - - failed - - skipped - - succeeded - - total - Security_Detections_API_BulkEditRules: - type: object - properties: - action: - enum: - - edit - type: string - edit: - description: Array of objects containing the edit operations - items: - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayload' - minItems: 1 - type: array - gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules - type: string - gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). - items: - $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' - type: array - gaps_range_end: - description: Gaps range end, valid only when query is provided - type: string - gaps_range_start: - description: Gaps range start, valid only when query is provided - type: string - ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - - Only valid when query property is undefined. - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter rules. 
- type: string - required: - - action - - edit - Security_Detections_API_BulkEditSkipReason: + Security_Detections_API_ExceptionListType: + description: The exception type enum: - - RULE_NOT_MODIFIED - type: string - Security_Detections_API_BulkEnableRules: - type: object - properties: - action: - enum: - - enable - type: string - gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules - type: string - gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). - items: - $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' - type: array - gaps_range_end: - description: Gaps range end, valid only when query is provided - type: string - gaps_range_start: - description: Gaps range start, valid only when query is provided - type: string - ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - - Only valid when query property is undefined. - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter rules. - type: string - required: - - action - Security_Detections_API_BulkExportActionResponse: + - detection + - rule_default + - endpoint + - endpoint_trusted_apps + - endpoint_trusted_devices + - endpoint_events + - endpoint_host_isolation_exceptions + - endpoint_blocklists type: string - Security_Detections_API_BulkExportRules: + Security_Detections_API_ExternalRuleCustomizedFields: + description: An array of customized field names — that is, fields that the user has modified from their base value. Defaults to an empty array. + items: + type: object + properties: + field_name: + description: Name of a user-modified field in the rule object. 
+ type: string + required: + - field_name + type: array + Security_Detections_API_ExternalRuleHasBaseVersion: + description: Determines whether an external/prebuilt rule has its original, unmodified version present when the calculation of its customization status is performed (`rule_source.is_customized` and `rule_source.customized_fields`). + type: boolean + Security_Detections_API_ExternalRuleSource: + description: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo. type: object properties: - action: + customized_fields: + $ref: '#/components/schemas/Security_Detections_API_ExternalRuleCustomizedFields' + has_base_version: + $ref: '#/components/schemas/Security_Detections_API_ExternalRuleHasBaseVersion' + is_customized: + $ref: '#/components/schemas/Security_Detections_API_IsExternalRuleCustomized' + type: enum: - - export - type: string - gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules - type: string - gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). - items: - $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' - type: array - gaps_range_end: - description: Gaps range end, valid only when query is provided - type: string - gaps_range_start: - description: Gaps range start, valid only when query is provided - type: string - ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - - Only valid when query property is undefined. - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter rules. 
+ - external type: string required: - - action - Security_Detections_API_BulkGapsFillingSkipReason: + - type + - is_customized + - has_base_version + - customized_fields + Security_Detections_API_FindRulesSortField: enum: - - NO_GAPS_TO_FILL + - created_at + - createdAt + - enabled + - execution_summary.last_execution.date + - execution_summary.last_execution.metrics.execution_gap_duration_s + - execution_summary.last_execution.metrics.total_indexing_duration_ms + - execution_summary.last_execution.metrics.total_search_duration_ms + - execution_summary.last_execution.status + - name + - risk_score + - riskScore + - severity + - updated_at + - updatedAt type: string - Security_Detections_API_BulkManualRuleFillGaps: - type: object - properties: - action: - enum: - - fill_gaps - type: string - fill_gaps: - description: >- - Object that describes applying a manual gap fill action for the - specified time range. - type: object - properties: - end_date: - description: End date of the manual gap fill - type: string - start_date: - description: Start date of the manual gap fill - type: string - required: - - start_date - - end_date - gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules - type: string - gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). - items: - $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' - type: array - gaps_range_end: - description: Gaps range end, valid only when query is provided - type: string - gaps_range_start: - description: Gaps range start, valid only when query is provided - type: string - ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - - Only valid when query property is undefined. - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter rules. 
- type: string - required: - - action - - fill_gaps - Security_Detections_API_BulkManualRuleRun: + Security_Detections_API_GapFillStatus: + enum: + - unfilled + - in_progress + - filled + - error + type: string + Security_Detections_API_HistoryWindowStart: + description: Start date to use when checking if a term has been seen before. Supports relative dates – for example, now-30d will search the last 30 days of data when checking if a term is new. We do not recommend using absolute dates, which can cause issues with rule performance due to querying increasing amounts of data over time. + format: nonempty + minLength: 1 + type: string + Security_Detections_API_IndexPatternArray: + description: | + Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → `securitySolution:defaultIndex`). + > info + > This field is not supported for ES|QL rules. + items: + type: string + type: array + Security_Detections_API_InternalRuleSource: + description: Type of rule source for internally sourced rules, i.e. created within the Kibana apps. type: object properties: - action: + type: enum: - - run - type: string - gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules - type: string - gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). - items: - $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' - type: array - gaps_range_end: - description: Gaps range end, valid only when query is provided - type: string - gaps_range_start: - description: Gaps range start, valid only when query is provided - type: string - ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - - Only valid when query property is undefined. 
- items: - type: string - minItems: 1 - type: array - query: - description: Query to filter rules. + - internal type: string - run: - description: Object that describes applying a manual rule run action. - type: object - properties: - end_date: - description: End date of the manual rule run - type: string - start_date: - description: Start date of the manual rule run - type: string - required: - - start_date - - end_date required: - - action - - run - Security_Detections_API_CloseAlertsByIds: + - type + Security_Detections_API_InvestigationFields: + description: | + Schema for fields relating to investigation fields. These are user defined fields we use to highlight + in various features in the UI such as alert details flyout and exceptions auto-population from alert. type: object properties: - reason: - $ref: '#/components/schemas/Security_Detections_API_Reason' - signal_ids: - description: >- - List of alert ids. Use field `_id` on alert document or - `kibana.alert.uuid`. Note: signals are a deprecated term for alerts. + field_names: items: - format: nonempty - minLength: 1 - type: string + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' minItems: 1 type: array - status: - enum: - - closed - type: string - required: - - signal_ids - - status - Security_Detections_API_CloseAlertsByQuery: - type: object - properties: - conflicts: - default: abort - enum: - - abort - - proceed - type: string - query: - additionalProperties: true - type: object - reason: - $ref: '#/components/schemas/Security_Detections_API_Reason' - status: - enum: - - closed - type: string required: - - query - - status - Security_Detections_API_ConcurrentSearches: + - field_names + Security_Detections_API_InvestigationGuide: + description: Notes to help investigate alerts produced by the rule. + type: string + Security_Detections_API_IsExternalRuleCustomized: + description: Determines whether an external/prebuilt rule has been customized by the user (i.e. 
any of its fields have been modified and diverged from the base value). + type: boolean + Security_Detections_API_IsRuleEnabled: + description: Determines whether the rule is enabled. Defaults to true. + type: boolean + Security_Detections_API_IsRuleImmutable: + deprecated: true + description: This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the `rule_source` field. + type: boolean + Security_Detections_API_ItemsPerSearch: minimum: 1 type: integer - Security_Detections_API_DataViewId: + Security_Detections_API_KqlQueryLanguage: + enum: + - kuery + - lucene type: string - Security_Detections_API_DefaultParams: - type: object - properties: - command: - enum: - - isolate - type: string - comment: - type: string - required: - - command - Security_Detections_API_EcsMapping: - additionalProperties: - type: object - properties: - field: + Security_Detections_API_MachineLearningJobId: + description: Machine learning job ID(s) the rule monitors for anomaly scores. + oneOf: + - type: string + - items: type: string - value: - oneOf: - - type: string - - items: - type: string - type: array - description: >- - Map Osquery results columns or static values to Elastic Common Schema - (ECS) fields. 
Example: "ecs_mapping": {"process.pid": {"field": "pid"}} - type: object - Security_Detections_API_EndpointResponseAction: - type: object - properties: - action_type_id: - enum: - - .endpoint - type: string - params: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_DefaultParams' - - $ref: '#/components/schemas/Security_Detections_API_ProcessesParams' - - $ref: '#/components/schemas/Security_Detections_API_RunscriptParams' - required: - - action_type_id - - params - Security_Detections_API_EqlOptionalFields: + minItems: 1 + type: array + Security_Detections_API_MachineLearningRule: + allOf: + - type: object + properties: + actions: + description: Array defining the automated actions (notifications) taken when alerts are generated. + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + alias_target_id: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: 
'#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + required_fields: + description: | + Elasticsearch fields and their types that need to be present for the rule to function. + > info + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. 
+ items: + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' + - $ref: 
'#/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields' + Security_Detections_API_MachineLearningRuleCreateFields: + allOf: + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' + Security_Detections_API_MachineLearningRuleCreateProps: + allOf: + - type: object + properties: + actions: + description: Array defining the automated actions (notifications) taken when alerts are generated. + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + alias_target_id: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: 
'#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + required_fields: + description: | + Elasticsearch fields and their types that need to be present for the rule to function. + > info + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + items: + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: 
'#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields' + Security_Detections_API_MachineLearningRuleOptionalFields: type: object properties: alert_suppression: $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - data_view_id: - $ref: '#/components/schemas/Security_Detections_API_DataViewId' - event_category_override: - $ref: '#/components/schemas/Security_Detections_API_EventCategoryOverride' - filters: - $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' - index: - $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - tiebreaker_field: - $ref: '#/components/schemas/Security_Detections_API_TiebreakerField' - timestamp_field: - $ref: '#/components/schemas/Security_Detections_API_TimestampField' - Security_Detections_API_EqlQueryLanguage: - enum: - - eql - type: string - Security_Detections_API_EqlRequiredFields: + Security_Detections_API_MachineLearningRulePatchFields: + allOf: + - type: object + properties: + anomaly_threshold: + $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold' + machine_learning_job_id: + $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId' + type: + description: Rule type + enum: + - machine_learning + type: string + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' + 
Security_Detections_API_MachineLearningRulePatchProps: + allOf: + - type: object + properties: + actions: + description: Array defining the automated actions (notifications) taken when alerts are generated. + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + alias_target_id: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_UUID' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + output_index: + $ref: 
'#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + required_fields: + description: | + Elasticsearch fields and their types that need to be present for the rule to function. + > info + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + items: + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + 
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchFields' + Security_Detections_API_MachineLearningRuleRequiredFields: type: object properties: - language: - $ref: '#/components/schemas/Security_Detections_API_EqlQueryLanguage' - description: Query language to use - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + anomaly_threshold: + $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold' + machine_learning_job_id: + $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId' type: description: Rule type enum: - - eql + - machine_learning type: string required: - type - - query - - language - Security_Detections_API_EqlRule: + - machine_learning_job_id + - anomaly_threshold + Security_Detections_API_MachineLearningRuleResponseFields: + allOf: + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' + Security_Detections_API_MachineLearningRuleUpdateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. 
items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -30108,10 +103305,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -30125,35 +103323,142 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. 
+ items: + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields' + Security_Detections_API_MaxSignals: + default: 100 + description: | + Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run [advanced 
setting](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#rule-ui-advanced-params) value). + > info + > This setting can be superseded by the [Kibana configuration setting](https://www.elastic.co/docs/reference/kibana/configuration-reference/alerting-settings) `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, the rule can generate no more than 1000 alerts even if `max_signals` is set higher. + minimum: 1 + type: integer + Security_Detections_API_NewTermsFields: + description: Fields to monitor for new values. + items: + type: string + maxItems: 3 + minItems: 1 + type: array + Security_Detections_API_NewTermsRule: + allOf: + - type: object + properties: + actions: + description: Array defining the automated actions (notifications) taken when alerts are generated. + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + alias_target_id: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + 
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + required_fields: + description: | + Elasticsearch fields and their types that need to be present for the rule to function. + > info + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -30180,13 +103485,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -30215,28 +103518,25 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: '#/components/schemas/Security_Detections_API_EqlRuleResponseFields' - Security_Detections_API_EqlRuleCreateFields: + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleResponseFields' + Security_Detections_API_NewTermsRuleCreateFields: allOf: - - $ref: '#/components/schemas/Security_Detections_API_EqlRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields' - Security_Detections_API_EqlRuleCreateProps: + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields' + Security_Detections_API_NewTermsRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -30250,8 +103550,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -30267,35 +103566,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -30324,13 +103612,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -30340,39 +103626,53 @@ components: - description - risk_score - severity - - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateFields' - Security_Detections_API_EqlRulePatchFields: + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields' + Security_Detections_API_NewTermsRuleDefaultableFields: + type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + Security_Detections_API_NewTermsRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' + data_view_id: + $ref: '#/components/schemas/Security_Detections_API_DataViewId' + filters: + $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' + index: + $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' + Security_Detections_API_NewTermsRulePatchFields: allOf: - type: object properties: - language: - $ref: '#/components/schemas/Security_Detections_API_EqlQueryLanguage' - description: Query language to use + history_window_start: + $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart' + new_terms_fields: + $ref: '#/components/schemas/Security_Detections_API_NewTermsFields' query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' type: description: Rule type enum: - - eql + - new_terms type: string - - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields' - Security_Detections_API_EqlRulePatchProps: + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields' + Security_Detections_API_NewTermsRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. 
+ description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -30386,12 +103686,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -30405,35 +103704,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -30462,39 +103750,328 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchFields' - Security_Detections_API_EqlRuleResponseFields: + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchFields' + Security_Detections_API_NewTermsRuleRequiredFields: + type: object + properties: + history_window_start: + $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart' + new_terms_fields: + $ref: '#/components/schemas/Security_Detections_API_NewTermsFields' + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + type: + description: Rule type + enum: + - new_terms + type: string + required: + - type + - query + - new_terms_fields + - history_window_start + Security_Detections_API_NewTermsRuleResponseFields: allOf: - - $ref: '#/components/schemas/Security_Detections_API_EqlRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields' - Security_Detections_API_EqlRuleUpdateProps: + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' + - type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + 
required: + - language + Security_Detections_API_NewTermsRuleUpdateProps: + allOf: + - type: object + properties: + actions: + description: Array defining the automated actions (notifications) taken when alerts are generated. + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + alias_target_id: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_UUID' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + output_index: + $ref: 
'#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + required_fields: + description: | + Elasticsearch fields and their types that need to be present for the rule to function. + > info + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + items: + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + 
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields' + Security_Detections_API_NonEmptyString: + description: A string that does not contain only whitespace characters + format: nonempty + minLength: 1 + type: string + Security_Detections_API_NormalizedRuleAction: + additionalProperties: false + type: object + properties: + alerts_filter: + $ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter' + frequency: + $ref: '#/components/schemas/Security_Detections_API_RuleActionFrequency' + group: + $ref: '#/components/schemas/Security_Detections_API_RuleActionGroup' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleActionId' + params: + $ref: '#/components/schemas/Security_Detections_API_RuleActionParams' + required: + - id + - params + Security_Detections_API_NormalizedRuleError: + type: object + properties: + err_code: + $ref: '#/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode' + message: + type: string + rules: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleDetailsInError' + type: array + status_code: + type: integer + required: + - message + - status_code + - rules + Security_Detections_API_OsqueryParams: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Detections_API_EcsMapping' + pack_id: + description: 'To specify a query pack, use the packId field. Example: "packId": "processes_elastic"' + type: string + queries: + items: + $ref: '#/components/schemas/Security_Detections_API_OsqueryQuery' + type: array + query: + description: 'To run a single query, use the query field and enter a SQL query. 
Example: "query": "SELECT * FROM processes;"' + type: string + saved_query_id: + description: 'To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"' + type: string + timeout: + description: 'A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.' + type: number + Security_Detections_API_OsqueryQuery: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Detections_API_EcsMapping' + id: + description: Query ID + type: string + platform: + type: string + query: + description: Query to run + type: string + removed: + type: boolean + snapshot: + type: boolean + version: + description: Query version + type: string + required: + - id + - query + Security_Detections_API_OsqueryResponseAction: + type: object + properties: + action_type_id: + enum: + - .osquery + type: string + params: + $ref: '#/components/schemas/Security_Detections_API_OsqueryParams' + required: + - action_type_id + - params + Security_Detections_API_PlatformErrorResponse: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: integer + required: + - statusCode + - error + - message + Security_Detections_API_ProcessesParams: + type: object + properties: + command: + description: 'To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"' + enum: + - kill-process + - suspend-process + type: string + comment: + description: 'Add a note that explains or describes the action. You can find your comment in the response actions history log. 
Example: "comment": "Check processes"' + type: string + config: + type: object + properties: + field: + description: Field to use instead of process.pid + type: string + overwrite: + default: true + description: Whether to overwrite field with process.pid + type: boolean + required: + - field + required: + - command + - config + Security_Detections_API_QueryAlertsBodyParams: + type: object + properties: + _source: + oneOf: + - type: boolean + - type: string + - items: + type: string + type: array + aggs: + additionalProperties: true + type: object + fields: + items: + type: string + type: array + query: + additionalProperties: true + type: object + runtime_mappings: + additionalProperties: true + type: object + size: + minimum: 0 + type: integer + sort: + $ref: '#/components/schemas/Security_Detections_API_AlertsSort' + track_total_hits: + type: boolean + Security_Detections_API_QueryRule: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -30508,12 +104085,9 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -30527,35 +104101,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -30565,8 +104128,6 @@ components: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: @@ -30584,13 +104145,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -30600,55 +104159,44 @@ components: - description - risk_score - severity - - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateFields' - Security_Detections_API_ErrorSchema: - additionalProperties: false - type: object - properties: - error: - type: object - properties: - message: - type: string - status_code: - minimum: 400 - type: integer - required: - - status_code - - message - id: - type: string - item_id: - minLength: 1 - type: string - list_id: - minLength: 1 - type: string - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - required: - - error - Security_Detections_API_EsqlQueryLanguage: - enum: - - esql - type: string - Security_Detections_API_EsqlRule: + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleResponseFields' + Security_Detections_API_QueryRuleCreateFields: + allOf: + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields' + Security_Detections_API_QueryRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. 
items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -30662,8 +104210,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -30679,35 +104226,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -30717,6 +104253,8 @@ components: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: @@ -30734,13 +104272,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -30750,47 +104286,51 @@ components: - description - risk_score - severity - - version - - tags - - enabled - - risk_score_mapping - - severity_mapping - - interval - - from - - to - - actions - - exceptions_list - - author - - false_positives - - references - - max_signals - - threat - - setup - - related_integrations - - required_fields - - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleResponseFields' - Security_Detections_API_EsqlRuleCreateFields: + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields' + Security_Detections_API_QueryRuleDefaultableFields: + type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + Security_Detections_API_QueryRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' + data_view_id: + $ref: '#/components/schemas/Security_Detections_API_DataViewId' + filters: + $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' + index: + $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' + saved_id: + $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' + Security_Detections_API_QueryRulePatchFields: allOf: - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields' - Security_Detections_API_EsqlRuleCreateProps: + - type: object + properties: + type: + description: Rule type + enum: + - query + type: string + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields' + Security_Detections_API_QueryRulePatchProps: allOf: - type: object properties: actions: - description: >- - 
Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -30804,10 +104344,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -30821,35 +104362,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -30878,45 +104408,52 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields' - Security_Detections_API_EsqlRuleOptionalFields: + - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchFields' + Security_Detections_API_QueryRuleRequiredFields: type: object properties: - alert_suppression: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - Security_Detections_API_EsqlRulePatchProps: + type: + description: Rule type + enum: + - query + type: string + required: + - type + Security_Detections_API_QueryRuleResponseFields: + allOf: + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' + - type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + required: + - query + - language + Security_Detections_API_QueryRuleUpdateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. 
+ description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -30930,18 +104467,15 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - language: - $ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: 
@@ -30951,37 +104485,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -31010,349 +104531,757 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - type: - description: Rule type - enum: - - esql - type: string version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' - Security_Detections_API_EsqlRuleRequiredFields: + required: + - name + - description + - risk_score + - severity + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields' + Security_Detections_API_Reason: + description: 'The reason for closing the alerts. Can be one of following predefined reasons: [false_positive, duplicate, true_positive, benign_positive, automated_closure, other] or a custom reason provided by the user through the advanced settings.' + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_ReasonEnum' + - type: string + Security_Detections_API_ReasonEnum: + enum: + - false_positive + - duplicate + - true_positive + - benign_positive + - automated_closure + - other + type: string + Security_Detections_API_RelatedIntegration: + description: | + Related integration is a potential dependency of a rule. It's assumed that if the user installs + one of the related integrations of a rule, the rule might start to work properly because it will + have source events (generated by this integration) potentially matching the rule's query. 
+ + NOTE: Proper work is not guaranteed, because a related integration, if installed, can be + configured differently or generate data that is not necessarily relevant for this rule. + + Related integration is a combination of a Fleet package and (optionally) one of the + package's "integrations" that this package contains. It is represented by 3 properties: + + - `package`: name of the package (required, unique id) + - `version`: version of the package (required, semver-compatible) + - `integration`: name of the integration of this package (optional, id within the package) + + There are Fleet packages like `windows` that contain only one integration; in this case, + `integration` should be unspecified. There are also packages like `aws` and `azure` that contain + several integrations; in this case, `integration` should be specified. + example: + integration: activitylogs + package: azure + version: ~1.1.6 + type: object + properties: + integration: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + package: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + version: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + required: + - package + - version + Security_Detections_API_RelatedIntegrationArray: + items: + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegration' + type: array + Security_Detections_API_RequiredField: + description: | + Describes an Elasticsearch field that is needed for the rule to function. + + Almost all types of Security rules check source event documents for a match to some kind of + query or filter. If a document has certain field with certain values, then it's a match and + the rule will generate an alert. + + Required field is an event field that must be present in the source indices of a given rule. 
+ + @example + const standardEcsField: RequiredField = { + name: 'event.action', + type: 'keyword', + ecs: true, + }; + + @example + const nonEcsField: RequiredField = { + name: 'winlog.event_data.AttributeLDAPDisplayName', + type: 'keyword', + ecs: false, + }; + type: object + properties: + ecs: + description: Indicates whether the field is ECS-compliant. This property is only present in responses. Its value is computed based on field’s name and type. + type: boolean + name: + description: Name of an Elasticsearch field + format: nonempty + minLength: 1 + type: string + type: + description: Type of the Elasticsearch field + format: nonempty + minLength: 1 + type: string + required: + - name + - type + - ecs + Security_Detections_API_RequiredFieldArray: + items: + $ref: '#/components/schemas/Security_Detections_API_RequiredField' + type: array + Security_Detections_API_RequiredFieldInput: + description: Input parameters to create a RequiredField. Does not include the `ecs` field, because `ecs` is calculated on the backend based on the field name and type. 
+ type: object + properties: + name: + description: Name of an Elasticsearch field + format: nonempty + minLength: 1 + type: string + type: + description: Type of the Elasticsearch field + format: nonempty + minLength: 1 + type: string + required: + - name + - type + Security_Detections_API_ResponseAction: + discriminator: + mapping: + .endpoint: '#/components/schemas/Security_Detections_API_EndpointResponseAction' + .osquery: '#/components/schemas/Security_Detections_API_OsqueryResponseAction' + propertyName: action_type_id + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_OsqueryResponseAction' + - $ref: '#/components/schemas/Security_Detections_API_EndpointResponseAction' + Security_Detections_API_ResponseFields: + type: object + properties: + created_at: + format: date-time + type: string + created_by: + type: string + execution_summary: + $ref: '#/components/schemas/Security_Detections_API_RuleExecutionSummary' + id: + $ref: '#/components/schemas/Security_Detections_API_UUID' + immutable: + $ref: '#/components/schemas/Security_Detections_API_IsRuleImmutable' + required_fields: + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldArray' + revision: + $ref: '#/components/schemas/Security_Detections_API_RuleRevision' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_source: + $ref: '#/components/schemas/Security_Detections_API_RuleSource' + updated_at: + format: date-time + type: string + updated_by: + type: string + required: + - id + - rule_id + - immutable + - rule_source + - updated_at + - updated_by + - created_at + - created_by + - revision + - related_integrations + - required_fields + Security_Detections_API_RiskScore: + description: | + A numerical representation of the alert's severity from 0 to 100, where: + * `0` - `21` represents low severity + * `22` - `47` represents medium severity + * `48` - `73` represents high severity + * `74` - `100` represents critical severity + maximum: 
100 + minimum: 0 + type: integer + Security_Detections_API_RiskScoreMapping: + description: Overrides generated alerts' risk_score with a value from the source event + items: + type: object + properties: + field: + description: Source event field used to override the default `risk_score`. + type: string + operator: + enum: + - equals + type: string + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + value: + type: string + required: + - field + - operator + - value + type: array + Security_Detections_API_RuleAction: + type: object + properties: + action_type_id: + description: | + The action type used for sending notifications, can be: + + - `.slack` + - `.slack_api` + - `.email` + - `.index` + - `.pagerduty` + - `.swimlane` + - `.webhook` + - `.servicenow` + - `.servicenow-itom` + - `.servicenow-sir` + - `.jira` + - `.resilient` + - `.opsgenie` + - `.teams` + - `.torq` + - `.tines` + - `.d3security` + type: string + alerts_filter: + $ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter' + frequency: + $ref: '#/components/schemas/Security_Detections_API_RuleActionFrequency' + group: + $ref: '#/components/schemas/Security_Detections_API_RuleActionGroup' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleActionId' + params: + $ref: '#/components/schemas/Security_Detections_API_RuleActionParams' + uuid: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + required: + - action_type_id + - id + - params + Security_Detections_API_RuleActionAlertsFilter: + additionalProperties: true + description: | + Object containing an action’s conditional filters. + + - `timeframe` (object, optional): Object containing the time frame for when this action can be run. + - `days` (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between `1-7`, where `1` is Monday and `7` is Sunday. 
To select all days of the week, enter an empty array. + - `hours` (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format `hh:mm` in `24` hour time. A start of `00:00` and an end of `24:00` means the action can run all day. + - start (string, required): Start time in `hh:mm` format. + - end (string, required): End time in `hh:mm` format. + - `timezone` (string, required): An ISO timezone name, such as `Europe/Madrid` or `America/New_York`. Specific offsets such as `UTC` or `UTC+1` will also work, but lack built-in DST. + - `query` (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run. + - `kql` (string, required): A KQL string. + - `filters` (array of objects, required): Array of filter objects, as defined in the `kbn-es-query` package. + type: object + Security_Detections_API_RuleActionFrequency: + description: The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals). + type: object + properties: + notifyWhen: + $ref: '#/components/schemas/Security_Detections_API_RuleActionNotifyWhen' + summary: + description: Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert + type: boolean + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + nullable: true + required: + - summary + - notifyWhen + - throttle + Security_Detections_API_RuleActionGroup: + description: Optionally groups actions by use cases. Use `default` for alert notifications. + type: string + Security_Detections_API_RuleActionId: + description: The connector ID. + type: string + Security_Detections_API_RuleActionNotifyWhen: + description: Defines how often rules run actions. 
+ enum: + - onActiveAlert + - onThrottleInterval + - onActionGroupChange + type: string + Security_Detections_API_RuleActionParams: + additionalProperties: true + description: | + Object containing the allowed connector fields, which varies according to the connector type. + + For Slack: + + - `message` (string, required): The notification message. + + For email: + + - `to`, `cc`, `bcc` (string): Email addresses to which the notifications are sent. At least one field must have a value. + - `subject` (string, optional): Email subject line. + - `message` (string, required): Email body text. + + For Webhook: + + - `body` (string, required): JSON payload. + + For PagerDuty: + + - `severity` (string, required): Severity of on the alert notification, can be: `Critical`, `Error`, `Warning` or `Info`. + - `eventAction` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. + - `dedupKey` (string, optional): Groups alert notifications with the same PagerDuty alert. + - `timestamp` (DateTime, optional): ISO-8601 format [timestamp](https://v2.developer.pagerduty.com/docs/types#datetime). + - `component` (string, optional): Source machine component responsible for the event, for example `security-solution`. + - `group` (string, optional): Enables logical grouping of service components. + - `source` (string, optional): The affected system. Defaults to the Kibana saved object ID of the action. + - `summary` (string, options): Summary of the event. Defaults to `No summary provided`. Maximum length is 1024 characters. + - `class` (string, optional): Value indicating the class/type of the event. + type: object + Security_Detections_API_RuleActionThrottle: + description: Defines how often rule actions are taken. + oneOf: + - enum: + - no_actions + - rule + type: string + - description: Time interval in seconds, minutes, hours, or days. 
+ example: 1h + pattern: ^[1-9]\d*[smhd]$ + type: string + Security_Detections_API_RuleAuthorArray: + description: The rule’s author. + items: + type: string + type: array + Security_Detections_API_RuleCreateProps: + anyOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' + discriminator: + mapping: + eql: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' + esql: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' + machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' + new_terms: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' + query: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' + saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' + threat_match: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' + threshold: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' + propertyName: type + Security_Detections_API_RuleDescription: + description: The rule’s description. + example: Detects anomalous Windows process creation events. 
+ minLength: 1 + type: string + Security_Detections_API_RuleDetailsInError: type: object properties: - language: - $ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage' - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - type: - description: Rule type + id: + type: string + name: + type: string + required: + - id + Security_Detections_API_RuleExceptionList: + description: | + Array of [exception containers](https://www.elastic.co/docs/solutions/security/detect-and-alert/detection-rule-concepts), which define exceptions that prevent the rule from generating alerts even when its other criteria are met. + type: object + properties: + id: + description: ID of the exception container + format: nonempty + minLength: 1 + type: string + list_id: + description: List ID of the exception container + format: nonempty + minLength: 1 + type: string + namespace_type: + description: Determines the exceptions validity in rule's Kibana space enum: - - esql + - agnostic + - single type: string + type: + $ref: '#/components/schemas/Security_Detections_API_ExceptionListType' required: + - id + - list_id - type - - language - - query - Security_Detections_API_EsqlRuleResponseFields: - allOf: - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields' - Security_Detections_API_EsqlRuleUpdateProps: - allOf: - - type: object + - namespace_type + Security_Detections_API_RuleExecutionMetrics: + type: object + properties: + execution_gap_duration_s: + description: Duration in seconds of execution gap + minimum: 0 + type: integer + frozen_indices_queried_count: + description: Count of frozen indices queried during the rule execution. These indices could not be entirely excluded after applying the time range filter. 
+ minimum: 0 + type: integer + gap_range: + description: Range of the execution gap + type: object properties: - actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - 
#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - - > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - 
timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + gte: + description: Start date of the execution gap + type: string + lte: + description: End date of the execution gap + type: string required: - - name - - description - - risk_score - - severity - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields' - Security_Detections_API_EventCategoryOverride: - type: string - Security_Detections_API_ExceptionListType: - description: The exception type + - gte + - lte + gap_reason: + description: Detected reason for the execution gap + type: object + properties: + type: + description: The type of reason for the gap (rule_disabled or rule_did_not_run) + enum: + - rule_disabled + - rule_did_not_run + type: string + required: + - type + total_enrichment_duration_ms: + description: Total time spent enriching documents during current rule execution cycle + minimum: 0 + type: integer + total_indexing_duration_ms: + description: Total time spent indexing documents during current rule execution cycle + minimum: 0 + type: integer + total_search_duration_ms: + description: Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response + minimum: 0 + type: integer + Security_Detections_API_RuleExecutionStatus: + description: |- + Custom execution status of Security rules that is different from the status used in the Alerting Framework. We merge our custom status with the Framework's status to determine the resulting status of a rule. 
+ - going to run - @deprecated Replaced by the 'running' status but left for backwards compatibility with rule execution events already written to Event Log in the prior versions of Kibana. Don't use when writing rule status changes. + - running - Rule execution started but not reached any intermediate or final status. + - partial failure - Rule can partially fail for various reasons either in the middle of an execution (in this case we update its status right away) or in the end of it. So currently this status can be both intermediate and final at the same time. A typical reason for a partial failure: not all the indices that the rule searches over actually exist. + - failed - Rule failed to execute due to unhandled exception or a reason defined in the business logic of its executor function. + - succeeded - Rule executed successfully without any issues. Note: this status is just an indication of a rule's "health". The rule might or might not generate any alerts despite of it. enum: - - detection - - rule_default - - endpoint - - endpoint_trusted_apps - - endpoint_trusted_devices - - endpoint_events - - endpoint_host_isolation_exceptions - - endpoint_blocklists + - going to run + - running + - partial failure + - failed + - succeeded type: string - Security_Detections_API_ExternalRuleCustomizedFields: - description: >- - An array of customized field names — that is, fields that the user has - modified from their base value. Defaults to an empty array. - items: - type: object - properties: - field_name: - description: Name of a user-modified field in the rule object. - type: string - required: - - field_name - type: array - Security_Detections_API_ExternalRuleHasBaseVersion: - description: >- - Determines whether an external/prebuilt rule has its original, - unmodified version present when the calculation of its customization - status is performed (`rule_source.is_customized` and - `rule_source.customized_fields`). 
- type: boolean - Security_Detections_API_ExternalRuleSource: - description: >- - Type of rule source for externally sourced rules, i.e. rules that have - an external source, such as the Elastic Prebuilt rules repo. + Security_Detections_API_RuleExecutionStatusOrder: + type: integer + Security_Detections_API_RuleExecutionSummary: + description: | + Summary of the last execution of a rule. + > info + > This field is under development and its usage or schema may change type: object properties: - customized_fields: - $ref: >- - #/components/schemas/Security_Detections_API_ExternalRuleCustomizedFields - has_base_version: - $ref: >- - #/components/schemas/Security_Detections_API_ExternalRuleHasBaseVersion - is_customized: - $ref: >- - #/components/schemas/Security_Detections_API_IsExternalRuleCustomized - type: - enum: - - external - type: string + last_execution: + type: object + properties: + date: + description: Date of the last execution + format: date-time + type: string + message: + type: string + metrics: + $ref: '#/components/schemas/Security_Detections_API_RuleExecutionMetrics' + status: + $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatus' + description: Status of the last execution + status_order: + $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatusOrder' + required: + - date + - status + - status_order + - message + - metrics required: - - type - - is_customized - - has_base_version - - customized_fields - Security_Detections_API_FindRulesSortField: - enum: - - created_at - - createdAt - - enabled - - execution_summary.last_execution.date - - execution_summary.last_execution.metrics.execution_gap_duration_s - - execution_summary.last_execution.metrics.total_indexing_duration_ms - - execution_summary.last_execution.metrics.total_search_duration_ms - - execution_summary.last_execution.status - - name - - risk_score - - riskScore - - severity - - updated_at - - updatedAt + - last_execution + 
Security_Detections_API_RuleFalsePositiveArray: + description: String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array. + items: + type: string + type: array + Security_Detections_API_RuleFilterArray: + description: | + The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array. + > info + > This field is not supported for ES|QL rules. + items: {} + type: array + Security_Detections_API_RuleInterval: + description: Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes). type: string - Security_Detections_API_GapFillStatus: - enum: - - unfilled - - in_progress - - filled - - error + Security_Detections_API_RuleIntervalFrom: + description: Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time). + format: date-math type: string - Security_Detections_API_HistoryWindowStart: - description: >- - Start date to use when checking if a term has been seen before. Supports - relative dates – for example, now-30d will search the last 30 days of - data when checking if a term is new. We do not recommend using absolute - dates, which can cause issues with rule performance due to querying - increasing amounts of data over time. - format: nonempty + Security_Detections_API_RuleIntervalTo: + type: string + Security_Detections_API_RuleLicense: + description: The rule's license. + type: string + Security_Detections_API_RuleMetadata: + additionalProperties: true + description: | + Placeholder for metadata about the rule. + > info + > This field is overwritten when you save changes to the rule’s settings. 
+ type: object + Security_Detections_API_RuleName: + description: A human-readable name for the rule. + example: Anomalous Windows Process Creation minLength: 1 type: string - Security_Detections_API_IndexPatternArray: - description: > - Indices on which the rule functions. Defaults to the Security Solution - indices defined on the Kibana Advanced Settings page (Kibana → Stack - Management → Advanced Settings → `securitySolution:defaultIndex`). + Security_Detections_API_RuleNameOverride: + description: Sets which field in the source event is used to populate the alert's `signal.rule.name` value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s `name` value is used. The source field must be a string data type. + type: string + Security_Detections_API_RuleObjectId: + $ref: '#/components/schemas/Security_Detections_API_UUID' + description: A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object `id`s. 
+ Security_Detections_API_RulePatchProps: + anyOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchProps' + - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchProps' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchProps' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchProps' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchProps' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchProps' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRulePatchProps' + Security_Detections_API_RulePreviewLoggedRequest: + type: object + properties: + description: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + duration: + type: integer + request: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + request_type: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + Security_Detections_API_RulePreviewLogs: + type: object + properties: + duration: + description: Execution duration in milliseconds + type: integer + errors: + items: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + type: array + requests: + items: + $ref: '#/components/schemas/Security_Detections_API_RulePreviewLoggedRequest' + type: array + startedAt: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + warnings: + items: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + type: array + required: + - errors + - warnings + - duration + Security_Detections_API_RulePreviewParams: + type: object + properties: + invocationCount: + type: integer + timeframeEnd: + format: date-time + type: string + required: + - invocationCount + - timeframeEnd + Security_Detections_API_RuleQuery: + description: | + [Query](https://www.elastic.co/docs/explore-analyze/query-filter) used by 
the rule to create alerts. - > info + - For indicator match rules, only the query’s results are used to determine whether an alert is generated. + - ES|QL rules have additional query requirements. Refer to [Create ES|QL](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#create-esql-rule) rules for more information. + type: string + Security_Detections_API_RuleReferenceArray: + description: Array containing notes about or references to relevant information about the rule. Defaults to an empty array. + items: + type: string + type: array + Security_Detections_API_RuleResponse: + anyOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRule' + - $ref: '#/components/schemas/Security_Detections_API_QueryRule' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRule' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRule' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRule' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRule' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRule' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRule' + discriminator: + mapping: + eql: '#/components/schemas/Security_Detections_API_EqlRule' + esql: '#/components/schemas/Security_Detections_API_EsqlRule' + machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRule' + new_terms: '#/components/schemas/Security_Detections_API_NewTermsRule' + query: '#/components/schemas/Security_Detections_API_QueryRule' + saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRule' + threat_match: '#/components/schemas/Security_Detections_API_ThreatMatchRule' + threshold: '#/components/schemas/Security_Detections_API_ThresholdRule' + propertyName: type + Security_Detections_API_RuleRevision: + description: | + The rule's revision number. - > This field is not supported for ES|QL rules. 
+ It represents the version of rule's object in Kibana. It is set to `0` when the rule is installed or created and then gets incremented on each update. + > info + > Not all updates to any rule fields will increment the revision. Only those fields that are considered static `rule parameters` can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by `1`. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments. + minimum: 0 + type: integer + Security_Detections_API_RuleSignatureId: + description: A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same `rule_id`s. + type: string + Security_Detections_API_RuleSource: + description: Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo. + discriminator: + propertyName: type + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_ExternalRuleSource' + - $ref: '#/components/schemas/Security_Detections_API_InternalRuleSource' + Security_Detections_API_RuleTagArray: + description: String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array. items: type: string type: array - Security_Detections_API_InternalRuleSource: - description: >- - Type of rule source for internally sourced rules, i.e. created within - the Kibana apps. 
+ Security_Detections_API_RuleUpdateProps: + anyOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps' + discriminator: + mapping: + eql: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps' + esql: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps' + machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps' + new_terms: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps' + query: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps' + saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps' + threat_match: '#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps' + threshold: '#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps' + propertyName: type + Security_Detections_API_RuleVersion: + description: | + The rule's version number. + + - For prebuilt rules it represents the version of the rule's content in the source [detection-rules](https://github.com/elastic/detection-rules) repository (and the corresponding `security_detection_engine` Fleet package that is used for distributing prebuilt rules). + - For custom rules it is set to `1` when the rule is created. + > info + > It is not incremented on each update. Compare this to the `revision` field. 
+ minimum: 1 + type: integer + Security_Detections_API_RunScriptOsConfigValues: + minProperties: 1 type: object properties: - type: - enum: - - internal + scriptId: type: string - required: - - type - Security_Detections_API_InvestigationFields: - description: > - Schema for fields relating to investigation fields. These are user - defined fields we use to highlight - - in various features in the UI such as alert details flyout and - exceptions auto-population from alert. + scriptInput: + type: string + timeout: + description: Specify the timeout in seconds for the script execution + example: 60 + type: integer + Security_Detections_API_RunscriptParams: + description: | + > warn + > This functionality is currently not available type: object properties: - field_names: - items: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - minItems: 1 - type: array + command: + enum: + - runscript + type: string + comment: + description: Add a note that explains or describes the action. You can find your comment in the response actions history log + type: string + config: + type: object + properties: + linux: + $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues' + macos: + $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues' + windows: + $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues' required: - - field_names - Security_Detections_API_InvestigationGuide: - description: Notes to help investigate alerts produced by the rule. + - command + Security_Detections_API_SavedObjectResolveAliasPurpose: + enum: + - savedObjectConversion + - savedObjectImport type: string - Security_Detections_API_IsExternalRuleCustomized: - description: >- - Determines whether an external/prebuilt rule has been customized by the - user (i.e. any of its fields have been modified and diverged from the - base value). 
- type: boolean - Security_Detections_API_IsRuleEnabled: - description: Determines whether the rule is enabled. Defaults to true. - type: boolean - Security_Detections_API_IsRuleImmutable: - deprecated: true - description: >- - This field determines whether the rule is a prebuilt Elastic rule. It - will be replaced with the `rule_source` field. - type: boolean - Security_Detections_API_ItemsPerSearch: - minimum: 1 - type: integer - Security_Detections_API_KqlQueryLanguage: + Security_Detections_API_SavedObjectResolveAliasTargetId: + type: string + Security_Detections_API_SavedObjectResolveOutcome: enum: - - kuery - - lucene + - exactMatch + - aliasMatch + - conflict type: string - Security_Detections_API_MachineLearningJobId: - description: Machine learning job ID(s) the rule monitors for anomaly scores. - oneOf: - - type: string - - items: - type: string - minItems: 1 - type: array - Security_Detections_API_MachineLearningRule: + Security_Detections_API_SavedQueryId: + description: Kibana [saved search](https://www.elastic.co/docs/explore-analyze/discover/search-sessions) used by the rule to create alerts. + type: string + Security_Detections_API_SavedQueryRule: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -31366,8 +105295,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -31383,35 +105311,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -31438,13 +105355,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -31473,31 +105388,25 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields - Security_Detections_API_MachineLearningRuleCreateFields: + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields' + Security_Detections_API_SavedQueryRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields - Security_Detections_API_MachineLearningRuleCreateProps: + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields' + Security_Detections_API_SavedQueryRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -31511,8 +105420,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -31528,35 +105436,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -31585,13 +105482,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -31601,46 +105496,51 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields - Security_Detections_API_MachineLearningRuleOptionalFields: + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields' + Security_Detections_API_SavedQueryRuleDefaultableFields: + type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + Security_Detections_API_SavedQueryRuleOptionalFields: type: object properties: alert_suppression: $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - Security_Detections_API_MachineLearningRulePatchFields: + data_view_id: + $ref: '#/components/schemas/Security_Detections_API_DataViewId' + filters: + $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' + index: + $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + Security_Detections_API_SavedQueryRulePatchFields: allOf: - type: object properties: - anomaly_threshold: - $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold' - machine_learning_job_id: - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningJobId + saved_id: + $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' type: description: Rule type enum: - - machine_learning + - saved_query type: string - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields - Security_Detections_API_MachineLearningRulePatchProps: + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields' + Security_Detections_API_SavedQueryRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts 
are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -31654,12 +105554,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -31673,35 +105572,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -31730,58 +105618,52 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRulePatchFields - Security_Detections_API_MachineLearningRuleRequiredFields: + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchFields' + Security_Detections_API_SavedQueryRuleRequiredFields: type: object properties: - anomaly_threshold: - $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold' - machine_learning_job_id: - $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId' + saved_id: + $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' type: description: Rule type enum: - - machine_learning + - saved_query type: string required: - type - - machine_learning_job_id - - anomaly_threshold - Security_Detections_API_MachineLearningRuleResponseFields: + - saved_id + Security_Detections_API_SavedQueryRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields - Security_Detections_API_MachineLearningRuleUpdateProps: + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields' + - $ref: 
'#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' + - type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + required: + - language + Security_Detections_API_SavedQueryRuleUpdateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -31795,12 +105677,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -31814,35 +105695,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -31871,13 +105741,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -31887,51 +105755,226 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields - Security_Detections_API_MaxSignals: - default: 100 - description: > - Maximum number of alerts the rule can create during a single run (the - rule’s Max alerts per run [advanced - setting](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#rule-ui-advanced-params) - value). - + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields' + Security_Detections_API_SetAlertAssigneesBody: + type: object + properties: + assignees: + $ref: '#/components/schemas/Security_Detections_API_AlertAssignees' + description: Details about the assignees to assign and unassign. + ids: + $ref: '#/components/schemas/Security_Detections_API_AlertIds' + required: + - assignees + - ids + Security_Detections_API_SetAlertsStatusByIds: + discriminator: + mapping: + closed: '#/components/schemas/Security_Detections_API_CloseAlertsByIds' + propertyName: status + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByIds' + - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByIdsBase' + Security_Detections_API_SetAlertsStatusByIdsBase: + type: object + properties: + signal_ids: + description: 'List of alert ids. Use field `_id` on alert document or `kibana.alert.uuid`. Note: signals are a deprecated term for alerts.' 
+ items: + format: nonempty + minLength: 1 + type: string + minItems: 1 + type: array + status: + $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed' + required: + - signal_ids + - status + Security_Detections_API_SetAlertsStatusByQuery: + discriminator: + mapping: + closed: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery' + propertyName: status + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery' + - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByQueryBase' + Security_Detections_API_SetAlertsStatusByQueryBase: + type: object + properties: + conflicts: + default: abort + enum: + - abort + - proceed + type: string + query: + additionalProperties: true + type: object + status: + $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed' + required: + - query + - status + Security_Detections_API_SetAlertTags: + description: Object with list of tags to add and remove. + type: object + properties: + tags_to_add: + $ref: '#/components/schemas/Security_Detections_API_AlertTags' + tags_to_remove: + $ref: '#/components/schemas/Security_Detections_API_AlertTags' + required: + - tags_to_add + - tags_to_remove + Security_Detections_API_SetAlertTagsBody: + type: object + properties: + ids: + $ref: '#/components/schemas/Security_Detections_API_AlertIds' + tags: + $ref: '#/components/schemas/Security_Detections_API_SetAlertTags' + required: + - ids + - tags + Security_Detections_API_SetupGuide: + description: Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly. 
+ type: string + Security_Detections_API_Severity: + description: | + Severity level of alerts produced by the rule, which must be one of the following: + * `low`: Alerts that are of interest but generally not considered to be security incidents + * `medium`: Alerts that require investigation + * `high`: Alerts that require immediate investigation + * `critical`: Alerts that indicate it is highly likely a security incident has occurred + enum: + - low + - medium + - high + - critical + type: string + Security_Detections_API_SeverityMapping: + description: Overrides generated alerts' severity with values from the source event + items: + type: object + properties: + field: + description: Source event field used to override the default `severity`. + type: string + operator: + enum: + - equals + type: string + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + value: + type: string + required: + - field + - operator + - severity + - value + type: array + Security_Detections_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Detections_API_SortOrder: + enum: + - asc + - desc + type: string + Security_Detections_API_Threat: + description: | > info - - > This setting can be superseded by the [Kibana configuration - setting](https://www.elastic.co/docs/reference/kibana/configuration-reference/alerting-settings) - `xpack.alerting.rules.run.alerts.max`, which determines the maximum - alerts generated by any rule in the Kibana alerting framework. For - example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, the - rule can generate no more than 1000 alerts even if `max_signals` is set - higher. - minimum: 1 - type: integer - Security_Detections_API_NewTermsFields: - description: Fields to monitor for new values. + > Currently, only threats described using the MITRE ATT&CK™ framework are supported. 
+ type: object + properties: + framework: + description: Relevant attack framework + type: string + tactic: + $ref: '#/components/schemas/Security_Detections_API_ThreatTactic' + technique: + description: Array containing information on the attack techniques (optional) + items: + $ref: '#/components/schemas/Security_Detections_API_ThreatTechnique' + type: array + required: + - framework + - tactic + Security_Detections_API_ThreatArray: + items: + $ref: '#/components/schemas/Security_Detections_API_Threat' + type: array + Security_Detections_API_ThreatFilters: + items: + description: Query and filter context array used to filter documents from the Elasticsearch index containing the threat values + type: array + Security_Detections_API_ThreatIndex: + description: Elasticsearch indices used to check which field values generate alerts. items: type: string - maxItems: 3 + type: array + Security_Detections_API_ThreatIndicatorPath: + description: Defines the path to the threat indicator in the indicator documents (optional) + type: string + Security_Detections_API_ThreatMapping: + description: | + Array of entries objects that define mappings between the source event fields and the values in the Elasticsearch threat index. Each entries object must contain these fields: + + - field: field from the event indices on which the rule runs + - type: must be mapping + - value: field from the Elasticsearch threat index + + You can use Boolean and and or logic to define the conditions for when matching fields and values generate alerts. Sibling entries objects are evaluated using or logic, whereas multiple entries in a single entries object use and logic. See Example of Threat Match rule which uses both `and` and `or` logic. 
+ items: + type: object + properties: + entries: + items: + $ref: '#/components/schemas/Security_Detections_API_ThreatMappingEntry' + type: array + required: + - entries minItems: 1 type: array - Security_Detections_API_NewTermsRule: + Security_Detections_API_ThreatMappingEntry: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + negate: + type: boolean + type: + enum: + - mapping + type: string + value: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + required: + - field + - type + - value + Security_Detections_API_ThreatMatchRule: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -31945,8 +105988,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -31962,35 +106004,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -32017,13 +106048,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -32052,33 +106081,25 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleResponseFields - Security_Detections_API_NewTermsRuleCreateFields: + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields' + Security_Detections_API_ThreatMatchRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields - Security_Detections_API_NewTermsRuleCreateProps: + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields' + Security_Detections_API_ThreatMatchRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -32092,8 +106113,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -32109,35 +106129,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -32166,13 +106175,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -32182,60 +106189,67 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleCreateFields - Security_Detections_API_NewTermsRuleDefaultableFields: + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields' + Security_Detections_API_ThreatMatchRuleDefaultableFields: type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - Security_Detections_API_NewTermsRuleOptionalFields: + Security_Detections_API_ThreatMatchRuleOptionalFields: type: object properties: alert_suppression: $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' + concurrent_searches: + $ref: '#/components/schemas/Security_Detections_API_ConcurrentSearches' data_view_id: $ref: '#/components/schemas/Security_Detections_API_DataViewId' filters: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - Security_Detections_API_NewTermsRulePatchFields: + items_per_search: + $ref: '#/components/schemas/Security_Detections_API_ItemsPerSearch' + saved_id: + $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' + threat_filters: + $ref: '#/components/schemas/Security_Detections_API_ThreatFilters' + threat_indicator_path: + $ref: '#/components/schemas/Security_Detections_API_ThreatIndicatorPath' + threat_language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + Security_Detections_API_ThreatMatchRulePatchFields: allOf: - type: object properties: - history_window_start: - $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart' - new_terms_fields: - $ref: '#/components/schemas/Security_Detections_API_NewTermsFields' query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + threat_index: + $ref: '#/components/schemas/Security_Detections_API_ThreatIndex' + threat_mapping: + $ref: 
'#/components/schemas/Security_Detections_API_ThreatMapping' + threat_query: + $ref: '#/components/schemas/Security_Detections_API_ThreatQuery' type: description: Rule type enum: - - new_terms + - threat_match type: string - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields - Security_Detections_API_NewTermsRulePatchProps: + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields' + Security_Detections_API_ThreatMatchRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -32249,12 +106263,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -32268,35 +106281,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -32325,66 +106327,61 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchFields' - Security_Detections_API_NewTermsRuleRequiredFields: + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields' + Security_Detections_API_ThreatMatchRuleRequiredFields: type: object properties: - history_window_start: - $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart' - new_terms_fields: - $ref: '#/components/schemas/Security_Detections_API_NewTermsFields' query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + threat_index: + $ref: '#/components/schemas/Security_Detections_API_ThreatIndex' + threat_mapping: + $ref: '#/components/schemas/Security_Detections_API_ThreatMapping' + threat_query: + $ref: '#/components/schemas/Security_Detections_API_ThreatQuery' type: description: Rule type enum: - - new_terms + - threat_match type: string required: - type - query - - new_terms_fields - - history_window_start - Security_Detections_API_NewTermsRuleResponseFields: + - threat_query + - threat_mapping + - threat_index + Security_Detections_API_ThreatMatchRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields - - $ref: >- - 
#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' - type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' required: - language - Security_Detections_API_NewTermsRuleUpdateProps: + Security_Detections_API_ThreatMatchRuleUpdateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -32398,12 +106395,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -32417,35 +106413,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -32474,223 +106459,138 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleCreateFields - Security_Detections_API_NonEmptyString: - description: A string that does not contain only whitespace characters - format: nonempty - minLength: 1 - type: string - Security_Detections_API_NormalizedRuleAction: - additionalProperties: false - type: object - properties: - alerts_filter: - $ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter' - frequency: - $ref: '#/components/schemas/Security_Detections_API_RuleActionFrequency' - group: - $ref: '#/components/schemas/Security_Detections_API_RuleActionGroup' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleActionId' - params: - $ref: '#/components/schemas/Security_Detections_API_RuleActionParams' - required: - - id - - params - Security_Detections_API_NormalizedRuleError: - type: object - properties: - err_code: - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode - message: - type: string - rules: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleDetailsInError' - type: array - status_code: - type: integer - required: - - message - - status_code - - rules - Security_Detections_API_OsqueryParams: + $ref: 
'#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields' + Security_Detections_API_ThreatQuery: + description: Query used to determine which fields in the Elasticsearch index are used for generating alerts. + type: string + Security_Detections_API_ThreatSubtechnique: type: object properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Detections_API_EcsMapping' - pack_id: - description: >- - To specify a query pack, use the packId field. Example: "packId": - "processes_elastic" + id: + description: Subtechnique ID type: string - queries: - items: - $ref: '#/components/schemas/Security_Detections_API_OsqueryQuery' - type: array - query: - description: >- - To run a single query, use the query field and enter a SQL query. - Example: "query": "SELECT * FROM processes;" + name: + description: Subtechnique name type: string - saved_query_id: - description: >- - To run a saved query, use the saved_query_id field and specify the - saved query ID. Example: "saved_query_id": "processes_elastic" + reference: + description: Subtechnique reference type: string - timeout: - description: >- - A timeout period, in seconds, after which the query will stop - running. Overwriting the default timeout allows you to support - queries that require more time to complete. The default and minimum - supported value is 60. The maximum supported value is 900. Example: - "timeout": 120. 
- type: number - Security_Detections_API_OsqueryQuery: + required: + - id + - name + - reference + Security_Detections_API_ThreatTactic: + description: | + Object containing information on the attack type type: object properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Detections_API_EcsMapping' id: - description: Query ID - type: string - platform: + description: Tactic ID type: string - query: - description: Query to run + name: + description: Tactic name type: string - removed: - type: boolean - snapshot: - type: boolean - version: - description: Query version + reference: + description: Tactic reference type: string required: - id - - query - Security_Detections_API_OsqueryResponseAction: + - name + - reference + Security_Detections_API_ThreatTechnique: type: object properties: - action_type_id: - enum: - - .osquery + id: + description: Technique ID type: string - params: - $ref: '#/components/schemas/Security_Detections_API_OsqueryParams' - required: - - action_type_id - - params - Security_Detections_API_PlatformErrorResponse: - type: object - properties: - error: + name: + description: Technique name type: string - message: + reference: + description: Technique reference type: string - statusCode: - type: integer + subtechnique: + description: | + Array containing more specific information on the attack technique. + items: + $ref: '#/components/schemas/Security_Detections_API_ThreatSubtechnique' + type: array required: - - statusCode - - error - - message - Security_Detections_API_ProcessesParams: + - id + - name + - reference + Security_Detections_API_Threshold: type: object properties: - command: - description: >- - To run an endpoint response action, specify a value for the command - field. Example: "command": "isolate" - enum: - - kill-process - - suspend-process - type: string - comment: - description: >- - Add a note that explains or describes the action. You can find your - comment in the response actions history log. 
Example: "comment": - "Check processes" - type: string - config: - type: object - properties: - field: - description: Field to use instead of process.pid - type: string - overwrite: - default: true - description: Whether to overwrite field with process.pid - type: boolean - required: - - field + cardinality: + $ref: '#/components/schemas/Security_Detections_API_ThresholdCardinality' + field: + $ref: '#/components/schemas/Security_Detections_API_ThresholdField' + value: + $ref: '#/components/schemas/Security_Detections_API_ThresholdValue' required: - - command - - config - Security_Detections_API_QueryAlertsBodyParams: + - field + - value + Security_Detections_API_ThresholdAlertSuppression: + description: Defines alert suppression configuration. type: object properties: - _source: - oneOf: - - type: boolean - - type: string - - items: - type: string - type: array - aggs: - additionalProperties: true - type: object - fields: - items: + duration: + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration' + required: + - duration + Security_Detections_API_ThresholdCardinality: + description: The field on which the cardinality is applied. + items: + type: object + properties: + field: + description: The field on which to calculate and compare the cardinality. + type: string + value: + description: The threshold value from which an alert is generated based on unique number of values of cardinality.field. + minimum: 0 + type: integer + required: + - field + - value + type: array + Security_Detections_API_ThresholdField: + description: The field on which the threshold is applied. If you specify an empty array ([]), alerts are generated when the query returns at least the number of results specified in the value field. 
+ oneOf: + - type: string + - items: type: string + maxItems: 5 + minItems: 0 type: array - query: - additionalProperties: true - type: object - runtime_mappings: - additionalProperties: true - type: object - size: - minimum: 0 - type: integer - sort: - $ref: '#/components/schemas/Security_Detections_API_AlertsSort' - track_total_hits: - type: boolean - Security_Detections_API_QueryRule: + Security_Detections_API_ThresholdRule: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -32704,8 +106604,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -32721,35 +106620,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -32776,13 +106664,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -32811,30 +106697,25 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleResponseFields' - Security_Detections_API_QueryRuleCreateFields: + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleResponseFields' + Security_Detections_API_ThresholdRuleCreateFields: allOf: - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - - $ref: >- - #/components/schemas/Security_Detections_API_QueryRuleDefaultableFields - Security_Detections_API_QueryRuleCreateProps: + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields' + Security_Detections_API_ThresholdRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -32848,8 +106729,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -32865,35 +106745,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -32922,13 +106791,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -32938,19 +106805,17 @@ components: - description - risk_score - severity - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields' - Security_Detections_API_QueryRuleDefaultableFields: + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields' + Security_Detections_API_ThresholdRuleDefaultableFields: type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - Security_Detections_API_QueryRuleOptionalFields: + Security_Detections_API_ThresholdRuleOptionalFields: type: object properties: alert_suppression: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' + $ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression' data_view_id: $ref: '#/components/schemas/Security_Detections_API_DataViewId' filters: 
@@ -32959,35 +106824,34 @@ components: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' saved_id: $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' - Security_Detections_API_QueryRulePatchFields: + Security_Detections_API_ThresholdRulePatchFields: allOf: - type: object properties: + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + threshold: + $ref: '#/components/schemas/Security_Detections_API_Threshold' type: description: Rule type enum: - - query + - threshold type: string - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - - $ref: >- - #/components/schemas/Security_Detections_API_QueryRuleDefaultableFields - Security_Detections_API_QueryRulePatchProps: + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields' + Security_Detections_API_ThresholdRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -33001,12 +106865,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -33020,35 +106883,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -33077,58 +106929,55 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchFields' - Security_Detections_API_QueryRuleRequiredFields: + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchFields' + Security_Detections_API_ThresholdRuleRequiredFields: type: object properties: + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + threshold: + $ref: '#/components/schemas/Security_Detections_API_Threshold' type: description: Rule type enum: - - query + - threshold type: string required: - type - Security_Detections_API_QueryRuleResponseFields: + - query + - threshold + Security_Detections_API_ThresholdRuleResponseFields: allOf: - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' - type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' required: - - query - language - 
Security_Detections_API_QueryRuleUpdateProps: + Security_Detections_API_ThresholdRuleUpdateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -33142,12 +106991,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -33161,35 +107009,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -33218,13 +107055,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -33234,13921 +107069,11844 @@ components: - description - risk_score - severity - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields' - Security_Detections_API_Reason: - description: >- - The reason for closing the alerts. Can be one of following predefined - reasons: [false_positive, duplicate, true_positive, benign_positive, - automated_closure, other] or a custom reason provided by the user - through the advanced settings. - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_ReasonEnum' - - type: string - Security_Detections_API_ReasonEnum: + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields' + Security_Detections_API_ThresholdValue: + description: The threshold value from which an alert is generated. + minimum: 1 + type: integer + Security_Detections_API_ThrottleForBulkActions: + description: | + Defines the maximum interval in which a rule’s actions are executed. + > info + > The rule level `throttle` field is deprecated in Elastic Security 8.8 and will remain active for at least the next 12 months. + > In Elastic Security 8.8 and later, you can use the `frequency` field to define frequencies for individual actions. Actions without frequencies will acquire a converted version of the rule’s `throttle` field. In the response, the converted `throttle` setting appears in the individual actions' `frequency` field. enum: - - false_positive - - duplicate - - true_positive - - benign_positive - - automated_closure - - other + - rule + - 1h + - 1d + - 7d type: string - Security_Detections_API_RelatedIntegration: - description: > - Related integration is a potential dependency of a rule. It's assumed - that if the user installs - - one of the related integrations of a rule, the rule might start to work - properly because it will - - have source events (generated by this integration) potentially matching - the rule's query. 
- - - NOTE: Proper work is not guaranteed, because a related integration, if - installed, can be - - configured differently or generate data that is not necessarily relevant - for this rule. - - - Related integration is a combination of a Fleet package and (optionally) - one of the - - package's "integrations" that this package contains. It is represented - by 3 properties: - - - - `package`: name of the package (required, unique id) - - - `version`: version of the package (required, semver-compatible) - - - `integration`: name of the integration of this package (optional, id - within the package) - - - There are Fleet packages like `windows` that contain only one - integration; in this case, - - `integration` should be unspecified. There are also packages like `aws` - and `azure` that contain - - several integrations; in this case, `integration` should be specified. - example: - integration: activitylogs - package: azure - version: ~1.1.6 + Security_Detections_API_TiebreakerField: + description: Sets a secondary field for sorting events + type: string + Security_Detections_API_TimelineTemplateId: + description: Timeline template ID + type: string + Security_Detections_API_TimelineTemplateTitle: + description: Timeline template title + type: string + Security_Detections_API_TimestampField: + description: Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with `timestamp_override`, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field. + type: string + Security_Detections_API_TimestampOverride: + description: Sets the time field used to query indices. When unspecified, rules query the `@timestamp` field. The source field must be an Elasticsearch date data type. 
+ type: string + Security_Detections_API_TimestampOverrideFallbackDisabled: + description: Disables the fallback to the event's @timestamp field + type: boolean + Security_Detections_API_UUID: + description: A universally unique identifier + format: uuid + type: string + Security_Detections_API_WarningSchema: type: object properties: - integration: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - package: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - version: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + actionPath: + type: string + buttonLabel: + type: string + message: + type: string + type: + type: string required: - - package - - version - Security_Detections_API_RelatedIntegrationArray: - items: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegration' - type: array - Security_Detections_API_RequiredField: - description: > - Describes an Elasticsearch field that is needed for the rule to - function. - - - Almost all types of Security rules check source event documents for a - match to some kind of - - query or filter. If a document has certain field with certain values, - then it's a match and - - the rule will generate an alert. - - - Required field is an event field that must be present in the source - indices of a given rule. 
- - - @example - - const standardEcsField: RequiredField = { - name: 'event.action', - type: 'keyword', - ecs: true, - }; - - - @example - - const nonEcsField: RequiredField = { - name: 'winlog.event_data.AttributeLDAPDisplayName', - type: 'keyword', - ecs: false, - }; + - type + - message + - actionPath + Security_Endpoint_Exceptions_API_EndpointList: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionList' + - additionalProperties: false + type: object + Security_Endpoint_Exceptions_API_EndpointListItem: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + Security_Endpoint_Exceptions_API_ExceptionList: type: object properties: - ecs: - description: >- - Indicates whether the field is ECS-compliant. This property is only - present in responses. Its value is computed based on field’s name - and type. + _version: + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. + type: string + created_at: + description: Autogenerated date of object creation. + format: date-time + type: string + created_by: + description: Autogenerated value - user that created object. 
+ type: string + description: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription' + id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId' + immutable: type: boolean + list_id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId' + meta: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta' name: - description: Name of an Elasticsearch field - format: nonempty - minLength: 1 + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName' + namespace_type: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType' + os_types: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray' + tags: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags' + tie_breaker_id: + description: Field used in search to ensure all containers are sorted and returned correctly. type: string type: - description: Type of the Elasticsearch field - format: nonempty - minLength: 1 + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType' + updated_at: + description: Autogenerated date of last object update. + format: date-time type: string + updated_by: + description: Autogenerated value - user that last updated object. + type: string + version: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion' required: - - name + - id + - list_id - type - - ecs - Security_Detections_API_RequiredFieldArray: - items: - $ref: '#/components/schemas/Security_Detections_API_RequiredField' - type: array - Security_Detections_API_RequiredFieldInput: - description: >- - Input parameters to create a RequiredField. Does not include the `ecs` - field, because `ecs` is calculated on the backend based on the field - name and type. 
+ - name + - description + - immutable + - namespace_type + - version + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Endpoint_Exceptions_API_ExceptionListDescription: + description: Describes the exception list. + example: This list tracks allowlisted values. + type: string + Security_Endpoint_Exceptions_API_ExceptionListHumanId: + description: | + The exception list's human-readable string identifier. + + For endpoint artifacts, use one of the following values: + + * `endpoint_list`: [Elastic Endpoint exception list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) + * `endpoint_trusted_apps`: [Trusted applications list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) + * `endpoint_trusted_devices`: [Trusted devices list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) + * `endpoint_event_filters`: [Event filters list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) + * `endpoint_host_isolation_exceptions`: [Host isolation exceptions list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) + * `endpoint_blocklists`: [Blocklists list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) + example: simple_list + format: nonempty + minLength: 1 + type: string + Security_Endpoint_Exceptions_API_ExceptionListId: + description: Exception list's identifier. + example: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + format: nonempty + minLength: 1 + type: string + Security_Endpoint_Exceptions_API_ExceptionListItem: type: object properties: + _version: + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. 
+ type: string + comments: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' + created_at: + description: Autogenerated date of object creation. + format: date-time + type: string + created_by: + description: Autogenerated value - user that created object. + type: string + description: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' + entries: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' + expire_time: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime' + id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' + item_id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' + list_id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId' + meta: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' name: - description: Name of an Elasticsearch field - format: nonempty - minLength: 1 + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' + namespace_type: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType' + os_types: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' + tags: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' + tie_breaker_id: + description: Field used in search to ensure all containers are sorted and returned correctly. type: string type: - description: Type of the Elasticsearch field - format: nonempty - minLength: 1 + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' + updated_at: + description: Autogenerated date of last object update. + format: date-time + type: string + updated_by: + description: Autogenerated value - user that last updated object. 
type: string required: - - name + - id + - item_id + - list_id - type - Security_Detections_API_ResponseAction: - discriminator: - mapping: - .endpoint: '#/components/schemas/Security_Detections_API_EndpointResponseAction' - .osquery: '#/components/schemas/Security_Detections_API_OsqueryResponseAction' - propertyName: action_type_id - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_OsqueryResponseAction' - - $ref: '#/components/schemas/Security_Detections_API_EndpointResponseAction' - Security_Detections_API_ResponseFields: + - name + - description + - entries + - namespace_type + - comments + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Endpoint_Exceptions_API_ExceptionListItemComment: type: object properties: + comment: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' created_at: + description: Autogenerated date of object creation. format: date-time type: string created_by: - type: string - execution_summary: - $ref: '#/components/schemas/Security_Detections_API_RuleExecutionSummary' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - immutable: - $ref: '#/components/schemas/Security_Detections_API_IsRuleImmutable' - required_fields: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldArray' - revision: - $ref: '#/components/schemas/Security_Detections_API_RuleRevision' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_source: - $ref: '#/components/schemas/Security_Detections_API_RuleSource' + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' updated_at: + description: Autogenerated date of last object update. 
format: date-time type: string updated_by: - type: string + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' required: - id - - rule_id - - immutable - - rule_source - - updated_at - - updated_by + - comment - created_at - created_by - - revision - - related_integrations - - required_fields - Security_Detections_API_RiskScore: + Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray: description: | - A numerical representation of the alert's severity from 0 to 100, where: - * `0` - `21` represents low severity - * `22` - `47` represents medium severity - * `48` - `73` represents high severity - * `74` - `100` represents critical severity - maximum: 100 - minimum: 0 - type: integer - Security_Detections_API_RiskScoreMapping: - description: >- - Overrides generated alerts' risk_score with a value from the source - event + Array of comment fields: + + - comment (string): Comments about the exception item. items: - type: object - properties: - field: - description: Source event field used to override the default `risk_score`. - type: string - operator: - enum: - - equals - type: string - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - value: - type: string - required: - - field - - operator - - value + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment' type: array - Security_Detections_API_RuleAction: + Security_Endpoint_Exceptions_API_ExceptionListItemDescription: + description: Describes the exception list. 
+ type: string + Security_Endpoint_Exceptions_API_ExceptionListItemEntry: + anyOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard' + discriminator: + propertyName: type + Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray: + items: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry' + type: array + Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists: type: object properties: - action_type_id: - description: | - The action type used for sending notifications, can be: - - - `.slack` - - `.slack_api` - - `.email` - - `.index` - - `.pagerduty` - - `.swimlane` - - `.webhook` - - `.servicenow` - - `.servicenow-itom` - - `.servicenow-sir` - - `.jira` - - `.resilient` - - `.opsgenie` - - `.teams` - - `.torq` - - `.tines` - - `.d3security` + field: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + operator: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' + type: + enum: + - exists type: string - alerts_filter: - $ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter' - frequency: - $ref: '#/components/schemas/Security_Detections_API_RuleActionFrequency' - group: - $ref: '#/components/schemas/Security_Detections_API_RuleActionGroup' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleActionId' - params: - $ref: '#/components/schemas/Security_Detections_API_RuleActionParams' - uuid: - $ref: 
'#/components/schemas/Security_Detections_API_NonEmptyString' required: - - action_type_id - - id - - params - Security_Detections_API_RuleActionAlertsFilter: - additionalProperties: true - description: > - Object containing an action’s conditional filters. - - - - `timeframe` (object, optional): Object containing the time frame for - when this action can be run. - - `days` (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between `1-7`, where `1` is Monday and `7` is Sunday. To select all days of the week, enter an empty array. - - `hours` (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format `hh:mm` in `24` hour time. A start of `00:00` and an end of `24:00` means the action can run all day. - - start (string, required): Start time in `hh:mm` format. - - end (string, required): End time in `hh:mm` format. - - `timezone` (string, required): An ISO timezone name, such as `Europe/Madrid` or `America/New_York`. Specific offsets such as `UTC` or `UTC+1` will also work, but lack built-in DST. - - `query` (object, optional): Object containing a query filter which - gets applied to an action and determines whether the action should run. - - `kql` (string, required): A KQL string. - - `filters` (array of objects, required): Array of filter objects, as defined in the `kbn-es-query` package. - type: object - Security_Detections_API_RuleActionFrequency: - description: >- - The action frequency defines when the action runs (for example, only on - rule execution or at specific time intervals). 
+ - type + - field + - operator + Security_Endpoint_Exceptions_API_ExceptionListItemEntryList: type: object properties: - notifyWhen: - $ref: '#/components/schemas/Security_Detections_API_RuleActionNotifyWhen' - summary: - description: >- - Action summary indicates whether we will send a summary notification - about all the generate alerts or notification per individual alert - type: boolean - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - nullable: true + field: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + list: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListId' + type: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListType' + required: + - id + - type + operator: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' + type: + enum: + - list + type: string required: - - summary - - notifyWhen - - throttle - Security_Detections_API_RuleActionGroup: - description: >- - Optionally groups actions by use cases. Use `default` for alert - notifications. - type: string - Security_Detections_API_RuleActionId: - description: The connector ID. - type: string - Security_Detections_API_RuleActionNotifyWhen: - description: Defines how often rules run actions. - enum: - - onActiveAlert - - onThrottleInterval - - onActionGroupChange - type: string - Security_Detections_API_RuleActionParams: - additionalProperties: true - description: > - Object containing the allowed connector fields, which varies according - to the connector type. - - - For Slack: - - - `message` (string, required): The notification message. - - For email: - - - `to`, `cc`, `bcc` (string): Email addresses to which the notifications are sent. At least one field must have a value. - - `subject` (string, optional): Email subject line. - - `message` (string, required): Email body text. 
- - For Webhook: - - - `body` (string, required): JSON payload. - - For PagerDuty: - - - `severity` (string, required): Severity of on the alert notification, can be: `Critical`, `Error`, `Warning` or `Info`. - - `eventAction` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. - - `dedupKey` (string, optional): Groups alert notifications with the same PagerDuty alert. - - `timestamp` (DateTime, optional): ISO-8601 format [timestamp](https://v2.developer.pagerduty.com/docs/types#datetime). - - `component` (string, optional): Source machine component responsible for the event, for example `security-solution`. - - `group` (string, optional): Enables logical grouping of service components. - - `source` (string, optional): The affected system. Defaults to the Kibana saved object ID of the action. - - `summary` (string, options): Summary of the event. Defaults to `No summary provided`. Maximum length is 1024 characters. - - `class` (string, optional): Value indicating the class/type of the event. + - type + - field + - list + - operator + Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch: type: object - Security_Detections_API_RuleActionThrottle: - description: Defines how often rule actions are taken. - oneOf: - - enum: - - no_actions - - rule - type: string - - description: Time interval in seconds, minutes, hours, or days. - example: 1h - pattern: ^[1-9]\d*[smhd]$ + properties: + field: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + operator: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' + type: + enum: + - match type: string - Security_Detections_API_RuleAuthorArray: - description: The rule’s author. 
- items: - type: string - type: array - Security_Detections_API_RuleCreateProps: - anyOf: - - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' - discriminator: - mapping: - eql: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' - esql: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' - machine_learning: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps - new_terms: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' - query: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' - saved_query: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps - threat_match: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps - threshold: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps - propertyName: type - Security_Detections_API_RuleDescription: - description: The rule’s description. - example: Detects anomalous Windows process creation events. 
- minLength: 1 - type: string - Security_Detections_API_RuleDetailsInError: + value: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + required: + - type + - field + - value + - operator + Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny: type: object properties: - id: - type: string - name: + field: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + operator: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' + type: + enum: + - match_any type: string + value: + items: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + minItems: 1 + type: array required: - - id - Security_Detections_API_RuleExceptionList: - description: > - Array of [exception - containers](https://www.elastic.co/docs/solutions/security/detect-and-alert/detection-rule-concepts), - which define exceptions that prevent the rule from generating alerts - even when its other criteria are met. 
+ - type + - field + - value + - operator + Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard: type: object properties: - id: - description: ID of the exception container - format: nonempty - minLength: 1 - type: string - list_id: - description: List ID of the exception container - format: nonempty - minLength: 1 - type: string - namespace_type: - description: Determines the exceptions validity in rule's Kibana space + field: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + operator: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' + type: enum: - - agnostic - - single + - wildcard type: string - type: - $ref: '#/components/schemas/Security_Detections_API_ExceptionListType' + value: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' required: - - id - - list_id - type - - namespace_type - Security_Detections_API_RuleExecutionMetrics: + - field + - value + - operator + Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested: type: object properties: - execution_gap_duration_s: - description: Duration in seconds of execution gap - minimum: 0 - type: integer - frozen_indices_queried_count: - description: >- - Count of frozen indices queried during the rule execution. These - indices could not be entirely excluded after applying the time range - filter. 
- minimum: 0 - type: integer - gap_range: - description: Range of the execution gap - type: object - properties: - gte: - description: Start date of the execution gap - type: string - lte: - description: End date of the execution gap - type: string - required: - - gte - - lte - gap_reason: - description: Detected reason for the execution gap - type: object - properties: - type: - description: >- - The type of reason for the gap (rule_disabled or - rule_did_not_run) - enum: - - rule_disabled - - rule_did_not_run - type: string - required: - - type - total_enrichment_duration_ms: - description: >- - Total time spent enriching documents during current rule execution - cycle - minimum: 0 - type: integer - total_indexing_duration_ms: - description: >- - Total time spent indexing documents during current rule execution - cycle - minimum: 0 - type: integer - total_search_duration_ms: - description: >- - Total time spent performing ES searches as measured by Kibana; - includes network latency and time spent serializing/deserializing - request/response - minimum: 0 - type: integer - Security_Detections_API_RuleExecutionStatus: - description: >- - Custom execution status of Security rules that is different from the - status used in the Alerting Framework. We merge our custom status with - the Framework's status to determine the resulting status of a rule. - - - going to run - @deprecated Replaced by the 'running' status but left - for backwards compatibility with rule execution events already written - to Event Log in the prior versions of Kibana. Don't use when writing - rule status changes. - - - running - Rule execution started but not reached any intermediate or - final status. - - - partial failure - Rule can partially fail for various reasons either - in the middle of an execution (in this case we update its status right - away) or in the end of it. So currently this status can be both - intermediate and final at the same time. 
A typical reason for a partial - failure: not all the indices that the rule searches over actually exist. - - - failed - Rule failed to execute due to unhandled exception or a reason - defined in the business logic of its executor function. - - - succeeded - Rule executed successfully without any issues. Note: this - status is just an indication of a rule's "health". The rule might or - might not generate any alerts despite of it. + entries: + items: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem' + minItems: 1 + type: array + field: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + type: + enum: + - nested + type: string + required: + - type + - field + - entries + Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists' + Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator: enum: - - going to run - - running - - partial failure - - failed - - succeeded + - excluded + - included type: string - Security_Detections_API_RuleExecutionStatusOrder: - type: integer - Security_Detections_API_RuleExecutionSummary: - description: | - Summary of the last execution of a rule. - > info - > This field is under development and its usage or schema may change + Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime: + description: The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions. + format: date-time + type: string + Security_Endpoint_Exceptions_API_ExceptionListItemHumanId: + description: Human readable string identifier, e.g. 
`trusted-linux-processes` + example: simple_list_item + format: nonempty + minLength: 1 + type: string + Security_Endpoint_Exceptions_API_ExceptionListItemId: + description: Exception's identifier. + example: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + format: nonempty + minLength: 1 + type: string + Security_Endpoint_Exceptions_API_ExceptionListItemMeta: + additionalProperties: true type: object - properties: - last_execution: - type: object - properties: - date: - description: Date of the last execution - format: date-time - type: string - message: - type: string - metrics: - $ref: >- - #/components/schemas/Security_Detections_API_RuleExecutionMetrics - status: - $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatus' - description: Status of the last execution - status_order: - $ref: >- - #/components/schemas/Security_Detections_API_RuleExecutionStatusOrder - required: - - date - - status - - status_order - - message - - metrics - required: - - last_execution - Security_Detections_API_RuleFalsePositiveArray: - description: >- - String array used to describe common reasons why the rule may issue - false-positive alerts. Defaults to an empty array. + Security_Endpoint_Exceptions_API_ExceptionListItemName: + description: Exception list name. + format: nonempty + minLength: 1 + type: string + Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray: items: - type: string + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType' type: array - Security_Detections_API_RuleFilterArray: - description: > - The query and filter context array used to define the conditions for - when alerts are created from events. Defaults to an empty array. - - > info - - > This field is not supported for ES|QL rules. - items: {} + Security_Endpoint_Exceptions_API_ExceptionListItemTags: + items: + description: String array containing words and phrases to help categorize exception items. 
+ format: nonempty + minLength: 1 + type: string type: array - Security_Detections_API_RuleInterval: - description: >- - Frequency of rule execution, using a date math range. For example, "1h" - means the rule runs every hour. Defaults to 5m (5 minutes). + Security_Endpoint_Exceptions_API_ExceptionListItemType: + enum: + - simple type: string - Security_Detections_API_RuleIntervalFrom: - description: >- - Time from which data is analyzed each time the rule runs, using a date - math range. For example, now-4200s means the rule analyzes data from 70 - minutes before its start time. Defaults to now-6m (analyzes data from 6 - minutes before the start time). - format: date-math + Security_Endpoint_Exceptions_API_ExceptionListMeta: + additionalProperties: true + description: Placeholder for metadata about the list container. + type: object + Security_Endpoint_Exceptions_API_ExceptionListName: + description: The name of the exception list. + example: My exception list type: string - Security_Detections_API_RuleIntervalTo: + Security_Endpoint_Exceptions_API_ExceptionListOsType: + description: Use this field to specify the operating system. + enum: + - linux + - macos + - windows type: string - Security_Detections_API_RuleLicense: - description: The rule's license. + Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray: + description: Use this field to specify the operating system. Only enter one value. + items: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType' + type: array + Security_Endpoint_Exceptions_API_ExceptionListTags: + description: String array containing words and phrases to help categorize exception containers. + items: + type: string + type: array + Security_Endpoint_Exceptions_API_ExceptionListType: + description: The type of exception list to be created. Different list types may denote where they can be utilized. 
+ enum: + - detection + - rule_default + - endpoint + - endpoint_trusted_apps + - endpoint_trusted_devices + - endpoint_events + - endpoint_host_isolation_exceptions + - endpoint_blocklists type: string - Security_Detections_API_RuleMetadata: - additionalProperties: true - description: > - Placeholder for metadata about the rule. + Security_Endpoint_Exceptions_API_ExceptionListVersion: + description: The document version, automatically increasd on updates. + minimum: 1 + type: integer + Security_Endpoint_Exceptions_API_ExceptionNamespaceType: + description: | + Determines whether the exception container is available in all Kibana spaces or just the space + in which it is created, where: - > info + - `single`: Only available in the Kibana space in which it is created. + - `agnostic`: Available in all Kibana spaces. - > This field is overwritten when you save changes to the rule’s - settings. - type: object - Security_Detections_API_RuleName: - description: A human-readable name for the rule. - example: Anomalous Windows Process Creation + For endpoint artifacts, the `namespace_type` must always be `agnostic`. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments. + enum: + - agnostic + - single + type: string + Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + Security_Endpoint_Exceptions_API_ListId: + description: Value list's identifier. + example: 21b01cfb-058d-44b9-838c-282be16c91cd + format: nonempty minLength: 1 type: string - Security_Detections_API_RuleNameOverride: - description: >- - Sets which field in the source event is used to populate the alert's - `signal.rule.name` value (in the UI, this value is displayed on the - Rules page in the Rule column). When unspecified, the rule’s `name` - value is used. The source field must be a string data type. 
+ Security_Endpoint_Exceptions_API_ListType: + description: | + Specifies the Elasticsearch data type of excludes the list container holds. Some common examples: + + - `keyword`: Many ECS fields are Elasticsearch keywords + - `ip`: IP addresses + - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) + enum: + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text + type: string + Security_Endpoint_Exceptions_API_NonEmptyString: + description: A string that does not contain only whitespace characters + format: nonempty + minLength: 1 type: string - Security_Detections_API_RuleObjectId: - $ref: '#/components/schemas/Security_Detections_API_UUID' - description: >- - A dynamic unique identifier for the rule object. It is randomly - generated when a rule is created and cannot be changed after that. It is - always a UUID. It is unique within a given Kibana space. The same - prebuilt Elastic rule, when installed in two different Kibana spaces or - two different Elastic environments, will have different object `id`s. 
- Security_Detections_API_RulePatchProps: - anyOf: - - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchProps' - - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchProps' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRulePatchProps - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchProps' - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRulePatchProps - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchProps' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRulePatchProps' - Security_Detections_API_RulePreviewLoggedRequest: - type: object - properties: - description: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - duration: - type: integer - request: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - request_type: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - Security_Detections_API_RulePreviewLogs: + Security_Endpoint_Exceptions_API_PlatformErrorResponse: type: object properties: - duration: - description: Execution duration in milliseconds + error: + type: string + message: + type: string + statusCode: type: integer - errors: - items: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - type: array - requests: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewLoggedRequest - type: array - startedAt: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - warnings: - items: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - type: array required: - - errors - - warnings - - duration - Security_Detections_API_RulePreviewParams: + - statusCode + - error + - message + Security_Endpoint_Exceptions_API_SiemErrorResponse: type: object properties: - invocationCount: - type: integer - timeframeEnd: - 
format: date-time + message: type: string + status_code: + type: integer required: - - invocationCount - - timeframeEnd - Security_Detections_API_RuleQuery: - description: > - [Query](https://www.elastic.co/docs/explore-analyze/query-filter) used - by the rule to create alerts. - - - - For indicator match rules, only the query’s results are used to - determine whether an alert is generated. - - - ES|QL rules have additional query requirements. Refer to [Create - ES|QL](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#create-esql-rule) - rules for more information. - type: string - Security_Detections_API_RuleReferenceArray: - description: >- - Array containing notes about or references to relevant information about - the rule. Defaults to an empty array. - items: - type: string - type: array - Security_Detections_API_RuleResponse: - anyOf: - - $ref: '#/components/schemas/Security_Detections_API_EqlRule' - - $ref: '#/components/schemas/Security_Detections_API_QueryRule' - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRule' - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRule' - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRule' - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRule' - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRule' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRule' + - status_code + - message + Security_Endpoint_Management_API_ActionDetailsResponse: discriminator: mapping: - eql: '#/components/schemas/Security_Detections_API_EqlRule' - esql: '#/components/schemas/Security_Detections_API_EsqlRule' - machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRule' - new_terms: '#/components/schemas/Security_Detections_API_NewTermsRule' - query: '#/components/schemas/Security_Detections_API_QueryRule' - saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRule' - 
threat_match: '#/components/schemas/Security_Detections_API_ThreatMatchRule' - threshold: '#/components/schemas/Security_Detections_API_ThresholdRule' - propertyName: type - Security_Detections_API_RuleRevision: - description: > - The rule's revision number. - - - It represents the version of rule's object in Kibana. It is set to `0` - when the rule is installed or created and then gets incremented on each - update. - - > info - - > Not all updates to any rule fields will increment the revision. Only - those fields that are considered static `rule parameters` can trigger - revision increments. For example, an update to a rule's query or index - fields will increment the rule's revision by `1`. However, changes to - dynamic or technical fields like enabled or execution_summary will not - cause revision increments. - minimum: 0 - type: integer - Security_Detections_API_RuleSignatureId: - description: >- - A stable unique identifier for the rule object. It can be assigned - during rule creation. It can be any string, but often is a UUID. It - should be unique not only within a given Kibana space, but also across - spaces and Elastic environments. The same prebuilt Elastic rule, when - installed in two different Kibana spaces or two different Elastic - environments, will have the same `rule_id`s. - type: string - Security_Detections_API_RuleSource: - description: >- - Discriminated union that determines whether the rule is internally - sourced (created within the Kibana app) or has an external source, such - as the Elastic Prebuilt rules repo. 
- discriminator: - propertyName: type + cancel: '#/components/schemas/Security_Endpoint_Management_API_Cancel' + execute: '#/components/schemas/Security_Endpoint_Management_API_Execute' + get-file: '#/components/schemas/Security_Endpoint_Management_API_GetFile' + isolate: '#/components/schemas/Security_Endpoint_Management_API_Isolate' + kill-process: '#/components/schemas/Security_Endpoint_Management_API_KillProcess' + memory-dump: '#/components/schemas/Security_Endpoint_Management_API_MemoryDump' + running-processes: '#/components/schemas/Security_Endpoint_Management_API_RunningProcesses' + runscript: '#/components/schemas/Security_Endpoint_Management_API_Runscript' + scan: '#/components/schemas/Security_Endpoint_Management_API_Scan' + suspend-process: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcess' + unisolate: '#/components/schemas/Security_Endpoint_Management_API_Unisolate' + upload: '#/components/schemas/Security_Endpoint_Management_API_Upload' + propertyName: command oneOf: - - $ref: '#/components/schemas/Security_Detections_API_ExternalRuleSource' - - $ref: '#/components/schemas/Security_Detections_API_InternalRuleSource' - Security_Detections_API_RuleTagArray: - description: >- - String array containing words and phrases to help categorize, filter, - and search rules. Defaults to an empty array. 
- items: - type: string - type: array - Security_Detections_API_RuleUpdateProps: - anyOf: - - $ref: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps' - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps' - discriminator: - mapping: - eql: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps' - esql: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps' - machine_learning: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps - new_terms: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps' - query: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps' - saved_query: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps - threat_match: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps - threshold: >- - #/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps - propertyName: type - Security_Detections_API_RuleVersion: - description: > - The rule's version number. - - - - For prebuilt rules it represents the version of the rule's content in - the source [detection-rules](https://github.com/elastic/detection-rules) - repository (and the corresponding `security_detection_engine` Fleet - package that is used for distributing prebuilt rules). - - - For custom rules it is set to `1` when the rule is created. - - > info - - > It is not incremented on each update. 
Compare this to the `revision` - field. - minimum: 1 - type: integer - Security_Detections_API_RunScriptOsConfigValues: - minProperties: 1 + - $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcess' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFile' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_Execute' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_Runscript' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_Upload' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_Scan' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_Cancel' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_Isolate' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_Unisolate' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcess' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcesses' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_MemoryDump' + Security_Endpoint_Management_API_ActionStateSuccessResponse: type: object properties: - scriptId: - type: string - scriptInput: - type: string - timeout: - description: Specify the timeout in seconds for the script execution - example: 60 - type: integer - Security_Detections_API_RunscriptParams: - description: | - > warn - > This functionality is currently not available + body: + type: object + properties: + data: + type: object + properties: + canEncrypt: + description: Whether the Kibana instance has encryption enabled for response actions. + type: boolean + required: + - data + required: + - body + Security_Endpoint_Management_API_ActionStatusSuccessResponse: type: object properties: - command: - enum: - - runscript - type: string - comment: - description: >- - Add a note that explains or describes the action. 
You can find your - comment in the response actions history log - type: string - config: + body: type: object properties: - linux: - $ref: >- - #/components/schemas/Security_Detections_API_RunScriptOsConfigValues - macos: - $ref: >- - #/components/schemas/Security_Detections_API_RunScriptOsConfigValues - windows: - $ref: >- - #/components/schemas/Security_Detections_API_RunScriptOsConfigValues + data: + type: object + properties: + agent_id: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' + pending_actions: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema' + required: + - agent_id + - pending_actions + required: + - data required: - - command - Security_Detections_API_SavedObjectResolveAliasPurpose: - enum: - - savedObjectConversion - - savedObjectImport - type: string - Security_Detections_API_SavedObjectResolveAliasTargetId: + - body + Security_Endpoint_Management_API_AgentId: + description: Agent ID type: string - Security_Detections_API_SavedObjectResolveOutcome: + Security_Endpoint_Management_API_AgentIds: + description: A list of agent IDs. Max of 250. + example: + - agent-id-1 + - agent-id-2 + minLength: 1 + oneOf: + - items: + minLength: 1 + type: string + maxItems: 250 + minItems: 1 + type: array + - minLength: 1 + type: string + Security_Endpoint_Management_API_AgentTypes: + description: List of agent types to retrieve. Defaults to `endpoint`. enum: - - exactMatch - - aliasMatch - - conflict - type: string - Security_Detections_API_SavedQueryId: - description: >- - Kibana [saved - search](https://www.elastic.co/docs/explore-analyze/discover/search-sessions) - used by the rule to create alerts. 
+ - endpoint + - sentinel_one + - crowdstrike + - microsoft_defender_endpoint + example: endpoint type: string - Security_Detections_API_SavedQueryRule: + Security_Endpoint_Management_API_Cancel: allOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: - actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: 
'#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - - > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - 
timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - version - - tags - - enabled - - risk_score_mapping - - severity_mapping - - interval - - from - - to - - actions - - exceptions_list - - author - - false_positives - - references - - max_signals - - threat - - setup - - related_integrations - - required_fields - - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields - Security_Detections_API_SavedQueryRuleCreateFields: - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields - Security_Detections_API_SavedQueryRuleCreateProps: + outputs: + additionalProperties: + type: object + properties: + content: + type: object + properties: + code: + type: string + type: object + parameters: + type: object + properties: + id: + format: uuid + type: string + Security_Endpoint_Management_API_CancelRouteRequestBody: allOf: - type: object properties: - actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. 
- items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - 
description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - - > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + minLength: 1 + type: string + maxItems: 50 + minItems: 1 type: array - response_actions: + case_ids: + description: The IDs of cases where the action taken will be logged. Max of 50. + example: + - case-id-1 + - case-id-2 items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + minLength: 1 + type: string + maxItems: 50 + minItems: 1 type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - 
timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields - Security_Detections_API_SavedQueryRuleDefaultableFields: + - endpoint_ids + - type: object + properties: + parameters: + type: object + properties: + id: + description: ID of the response action to cancel + example: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d + minLength: 1 + type: string + required: + - id + required: + - parameters + Security_Endpoint_Management_API_CloudFileScriptParameters: + type: object + properties: + cloudFile: + description: Script name in cloud storage. + minLength: 1 + type: string + commandLine: + description: Command line arguments. + minLength: 1 + type: string + timeout: + description: Timeout in seconds. 
+ minimum: 1 + type: integer + required: + - cloudFile + Security_Endpoint_Management_API_Command: + description: The command for the response action + enum: + - isolate + - unisolate + - kill-process + - suspend-process + - running-processes + - get-file + - execute + - upload + - scan + - runscript + - cancel + - memory-dump + minLength: 1 + type: string + Security_Endpoint_Management_API_Commands: + description: A list of response action command names. + example: + - isolate + - unisolate + items: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Command' + maxItems: 50 + type: array + Security_Endpoint_Management_API_Comment: + description: Optional comment + example: This is a comment + type: string + Security_Endpoint_Management_API_DownloadUri: type: object properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - Security_Detections_API_SavedQueryRuleOptionalFields: + downloadUri: + description: | + The server relative URI to download the file associated with the output of the response action. + URI does **not** include the space prefix + example: /api/endpoint/action/497f6eca-6276/file/35645-6276-4993/download + format: uri-reference + type: string + Security_Endpoint_Management_API_EndDate: + description: An end date in ISO format or Date Math format. + example: '2023-10-31T23:59:59.999Z' + type: string + Security_Endpoint_Management_API_EndpointIds: + description: List of endpoint IDs (cannot contain empty strings). Max of 250. 
+ example: + - endpoint-id-1 + - endpoint-id-2 + items: + minLength: 1 + type: string + maxItems: 250 + minItems: 1 + type: array + Security_Endpoint_Management_API_EndpointMetadataResponse: + example: + host_status: healthy + last_checkin: '2023-07-04T15:48:57.360Z' + metadata: + '@timestamp': '2023-07-04T15:48:57.3609346Z' + agent: + build: + original: 'version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' + id: abb8a826-6812-448c-a571-6d8269b51449 + type: endpoint + version: 7.16.0 + data_stream: + dataset: endpoint.metadata + namespace: default + type: metrics + ecs: + version: 1.11.0 + elastic: + agent: + id: abb8a826-6812-448c-a571-6d8269b51449 + Endpoint: + capabilities: + - isolation + configuration: + isolation: false + policy: + applied: + endpoint_policy_version: '2' + id: d5371dcd-93b7-4627-af88-4084f7d6aa3e + name: test + status: success + version: '3' + state: + isolation: false + status: enrolled + event: + action: endpoint_metadata + agent_id_status: verified + category: + - host + created: '2023-07-04T15:48:57.3609346Z' + dataset: endpoint.metadata + id: MNtRc++KoKHXXwlj+++++OhZ + ingested: '2023-07-04T15:48:58Z' + kind: metric + module: endpoint + sequence: 43757 + type: + - info + host: + architecture: x86_64 + hostname: WinDev2104Eval + id: 17d9cabc-7edd-43bc-bacb-8da5f5e6c0e5 + ip: + - 10.0.2.15 + - fe80::21a6:63d3:d70e:e3ad + - 127.0.0.1 + - '::1' + mac: + - 08:00:27:b1:1d:5a + name: WinDev2104Eval + os: + Ext: + variant: Windows 10 Enterprise Evaluation + family: windows + full: Windows 10 Enterprise Evaluation 20H2 (10.0.19042.906) + kernel: 20H2 (10.0.19042.906) + name: Windows + platform: windows + type: windows + version: 20H2 (10.0.19042.906) + message: Endpoint metadata + policy_info: + agent: + applied: + id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 + revision: 3 + configured: + id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 + revision: 3 + endpoint: + id: 
d5371dcd-93b7-4627-af88-4084f7d6aa3e + revision: 2 type: object - properties: - alert_suppression: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - data_view_id: - $ref: '#/components/schemas/Security_Detections_API_DataViewId' - filters: - $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' - index: - $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - Security_Detections_API_SavedQueryRulePatchFields: + properties: {} + Security_Endpoint_Management_API_Execute: allOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: - saved_id: - $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' - type: - description: Rule type - enum: - - saved_query - type: string - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields - Security_Detections_API_SavedQueryRulePatchProps: + outputs: + additionalProperties: + type: object + properties: + content: + allOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' + - type: object + properties: + code: + type: string + cwd: + type: string + output_file_id: + type: string + output_file_stderr_truncated: + type: boolean + output_file_stdout_truncated: + type: boolean + shell_code: + type: number + stderr: + type: string + stderr_truncated: + type: boolean + stdout: + type: string + stdout_truncated: + type: boolean + type: object + parameters: + type: object + properties: + command: + type: string + timeout: + type: number + Security_Endpoint_Management_API_ExecuteRouteRequestBody: allOf: - type: object properties: - actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. 
- items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - 
#/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - - > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + minLength: 1 + type: string + maxItems: 50 + minItems: 1 type: array - response_actions: + case_ids: + description: The IDs of cases where the action taken will be logged. Max of 50. 
+ example: + - case-id-1 + - case-id-2 items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + minLength: 1 + type: string + maxItems: 50 + minItems: 1 type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRulePatchFields - Security_Detections_API_SavedQueryRuleRequiredFields: - type: object - properties: - saved_id: - $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' - type: - description: Rule type - enum: - - saved_query - type: string - required: - - type - - saved_id - Security_Detections_API_SavedQueryRuleResponseFields: - 
allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids - type: object properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + parameters: + type: object + properties: + command: + description: The shell command to execute on the endpoint. + minLength: 1 + type: string + timeout: + description: The maximum timeout value in seconds before the command is terminated. + minimum: 1 + type: integer + required: + - command required: - - language - Security_Detections_API_SavedQueryRuleUpdateProps: + - parameters + Security_Endpoint_Management_API_GetEndpointActionListResponse: + example: + data: + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: running-processes + completedAt: '2022-08-08T09:50:47.672Z' + createdBy: elastic + id: b3d6de74-36b0-4fa8-be46-c375bf1771bf + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:24:57.402Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: isolate + completedAt: '2022-08-08T10:41:57.352Z' + createdBy: elastic + id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3 + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:23:37.359Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: kill-process + comment: bad process - taking up too much cpu + completedAt: '2022-08-08T09:44:50.952Z' + createdBy: elastic + id: 5bc92c86-b8e6-42dd-837f-12ad29e09caa + isCompleted: true + isExpired: false + startedAt: 
'2022-08-08T14:38:44.125Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: unisolate + comment: Not a threat to the network + completedAt: '2022-08-08T09:40:47.398Z' + createdBy: elastic + id: 790d54e0-3aa3-4e5b-8255-3ce9d851246a + isCompleted: true + isExpired: false + startedAt: '2022-08-08T14:38:15.391Z' + wasSuccessful: true + elasticAgentIds: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + endDate: now + page: 1 + pageSize: 10 + startDate: now-24h/h + total: 4 + type: object + properties: + agentTypes: + description: The list of agent types the query was filtered by. + items: + type: string + type: array + commands: + description: The list of commands the query was filtered by. + items: + type: string + type: array + data: + description: The list of response actions. + items: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + type: array + elasticAgentIds: + description: The list of elastic agent IDs the query was filtered by. + items: + type: string + type: array + endDate: + description: The end date filter applied to the query. + type: string + page: + description: The current page number. + type: integer + pageSize: + description: The number of items per page. + type: integer + startDate: + description: The start date filter applied to the query. + type: string + statuses: + description: The list of statuses the query was filtered by. + items: + type: string + type: array + total: + description: The total number of response actions matching the query. + type: integer + userIds: + description: The list of user IDs the query was filtered by. + items: + type: string + type: array + Security_Endpoint_Management_API_GetFile: allOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: - actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. 
- items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - 
#/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - - > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + outputs: + additionalProperties: + type: object + properties: + content: + allOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' + - type: object + properties: + code: + type: string + contents: + items: + type: object + properties: + file_name: + type: string + path: + type: string + sha256: + type: string + size: + type: number + type: + type: string + type: array + zip_size: + type: number + type: object + parameters: + type: object + properties: + path: + type: string + Security_Endpoint_Management_API_GetFileRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + minLength: 1 + type: string + maxItems: 50 + minItems: 1 type: array - response_actions: + case_ids: + description: The IDs of cases where the action taken will be logged. Max of 50. 
+ example: + - case-id-1 + - case-id-2 items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + minLength: 1 + type: string + maxItems: 50 + minItems: 1 type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields 
- Security_Detections_API_SetAlertAssigneesBody: - type: object - properties: - assignees: - $ref: '#/components/schemas/Security_Detections_API_AlertAssignees' - description: Details about the assignees to assign and unassign. - ids: - $ref: '#/components/schemas/Security_Detections_API_AlertIds' - required: - - assignees - - ids - Security_Detections_API_SetAlertsStatusByIds: - discriminator: - mapping: - closed: '#/components/schemas/Security_Detections_API_CloseAlertsByIds' - propertyName: status - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByIds' - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByIdsBase - Security_Detections_API_SetAlertsStatusByIdsBase: + - endpoint_ids + - type: object + properties: + parameters: + type: object + properties: + path: + description: The full file path to retrieve from the endpoint. + type: string + required: + - path + required: + - parameters + Security_Endpoint_Management_API_GetProcessesRouteRequestBody: type: object properties: - signal_ids: - description: >- - List of alert ids. Use field `_id` on alert document or - `kibana.alert.uuid`. Note: signals are a deprecated term for alerts. + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 items: - format: nonempty minLength: 1 type: string + maxItems: 50 minItems: 1 type: array - status: - $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed' + case_ids: + description: The IDs of cases where the action taken will be logged. Max of 50. 
+ example: + - case-id-1 + - case-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - - signal_ids - - status - Security_Detections_API_SetAlertsStatusByQuery: - discriminator: - mapping: - closed: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery' - propertyName: status - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery' - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByQueryBase - Security_Detections_API_SetAlertsStatusByQueryBase: + - endpoint_ids + Security_Endpoint_Management_API_HostPathScriptParameters: type: object properties: - conflicts: - default: abort - enum: - - abort - - proceed + commandLine: + description: Command line arguments. + minLength: 1 type: string - query: - additionalProperties: true - type: object - status: - $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed' - required: - - query - - status - Security_Detections_API_SetAlertTags: - description: Object with list of tags to add and remove. 
- type: object - properties: - tags_to_add: - $ref: '#/components/schemas/Security_Detections_API_AlertTags' - tags_to_remove: - $ref: '#/components/schemas/Security_Detections_API_AlertTags' - required: - - tags_to_add - - tags_to_remove - Security_Detections_API_SetAlertTagsBody: - type: object - properties: - ids: - $ref: '#/components/schemas/Security_Detections_API_AlertIds' - tags: - $ref: '#/components/schemas/Security_Detections_API_SetAlertTags' - required: - - ids - - tags - Security_Detections_API_SetupGuide: - description: >- - Populates the rule’s setup guide with instructions on rule prerequisites - such as required integrations, configuration steps, and anything else - needed for the rule to work correctly. - type: string - Security_Detections_API_Severity: - description: > - Severity level of alerts produced by the rule, which must be one of the - following: - - * `low`: Alerts that are of interest but generally not considered to be - security incidents - - * `medium`: Alerts that require investigation - - * `high`: Alerts that require immediate investigation - - * `critical`: Alerts that indicate it is highly likely a security - incident has occurred - enum: - - low - - medium - - high - - critical - type: string - Security_Detections_API_SeverityMapping: - description: Overrides generated alerts' severity with values from the source event - items: - type: object - properties: - field: - description: Source event field used to override the default `severity`. - type: string - operator: - enum: - - equals - type: string - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - value: - type: string - required: - - field - - operator - - severity - - value - type: array - Security_Detections_API_SiemErrorResponse: - type: object - properties: - message: + hostPath: + description: Absolute or relative path of script on host machine. + minLength: 1 type: string - status_code: + timeout: + description: Timeout in seconds. 
+ minimum: 1 type: integer required: - - status_code - - message - Security_Detections_API_SortOrder: - enum: - - asc - - desc - type: string - Security_Detections_API_Threat: - description: > - > info - - > Currently, only threats described using the MITRE ATT&CK™ - framework are supported. - type: object - properties: - framework: - description: Relevant attack framework - type: string - tactic: - $ref: '#/components/schemas/Security_Detections_API_ThreatTactic' - technique: - description: Array containing information on the attack techniques (optional) - items: - $ref: '#/components/schemas/Security_Detections_API_ThreatTechnique' - type: array - required: - - framework - - tactic - Security_Detections_API_ThreatArray: - items: - $ref: '#/components/schemas/Security_Detections_API_Threat' - type: array - Security_Detections_API_ThreatFilters: - items: - description: >- - Query and filter context array used to filter documents from the - Elasticsearch index containing the threat values - type: array - Security_Detections_API_ThreatIndex: - description: Elasticsearch indices used to check which field values generate alerts. + - hostPath + Security_Endpoint_Management_API_HostStatuses: + description: A set of agent health statuses to filter by. + example: + - healthy + - updating items: + enum: + - healthy + - offline + - updating + - inactive + - unenrolled type: string + maxItems: 20 type: array - Security_Detections_API_ThreatIndicatorPath: - description: >- - Defines the path to the threat indicator in the indicator documents - (optional) - type: string - Security_Detections_API_ThreatMapping: - description: > - Array of entries objects that define mappings between the source event - fields and the values in the Elasticsearch threat index. 
Each entries - object must contain these fields: - - - - field: field from the event indices on which the rule runs - - - type: must be mapping - - - value: field from the Elasticsearch threat index - - You can use Boolean and and or logic to define the conditions for when - matching fields and values generate alerts. Sibling entries objects are - evaluated using or logic, whereas multiple entries in a single entries - object use and logic. See Example of Threat Match rule which uses both - `and` and `or` logic. - items: - type: object - properties: - entries: - items: - $ref: '#/components/schemas/Security_Detections_API_ThreatMappingEntry' - type: array - required: - - entries - minItems: 1 - type: array - Security_Detections_API_ThreatMappingEntry: + Security_Endpoint_Management_API_Isolate: + allOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + - description: Details of an isolate action response. + type: object + Security_Endpoint_Management_API_IsolateRouteResponse: type: object properties: - field: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - negate: - type: boolean - type: - enum: - - mapping + action: + description: The action ID (legacy field, same as `data.id`). type: string - value: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - required: - - field - - type - - value - Security_Detections_API_ThreatMatchRule: - allOf: - - type: object - properties: - actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. 
- items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - 
description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - - > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - version - - tags - 
- enabled - - risk_score_mapping - - severity_mapping - - interval - - from - - to - - actions - - exceptions_list - - author - - false_positives - - references - - max_signals - - threat - - setup - - related_integrations - - required_fields - - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields - Security_Detections_API_ThreatMatchRuleCreateFields: - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields - Security_Detections_API_ThreatMatchRuleCreateProps: + data: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + Security_Endpoint_Management_API_KillProcess: allOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: - actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. 
- items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - 
description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - - > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + outputs: + additionalProperties: + type: object + properties: + content: + oneOf: + - type: object + properties: + code: + type: string + command: + type: string + pid: + type: number + - type: object + properties: + code: + type: string + command: + type: string + entity_id: + type: string + - type: object + properties: + code: + type: string + command: + type: string + process_name: + type: string + type: object + parameters: + oneOf: + - type: object + properties: + pid: + description: The process ID (PID) of the process to terminate. + minimum: 1 + type: number + - type: object + properties: + entity_id: + description: The entity ID of the process to terminate. + minLength: 1 + type: string + - type: object + properties: + process_name: + description: The name of the process to terminate. Valid for SentinelOne agent type only. + type: string + Security_Endpoint_Management_API_KillProcessRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + minLength: 1 + type: string + maxItems: 50 + minItems: 1 type: array - response_actions: + case_ids: + description: The IDs of cases where the action taken will be logged. Max of 50. 
+ example: + - case-id-1 + - case-id-2 items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + minLength: 1 + type: string + maxItems: 50 + minItems: 1 type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields 
- Security_Detections_API_ThreatMatchRuleDefaultableFields: - type: object + - endpoint_ids + - type: object + properties: + parameters: + oneOf: + - type: object + properties: + pid: + description: The process ID (PID) of the process to terminate. + example: 123 + minimum: 1 + type: integer + - type: object + properties: + entity_id: + description: The entity ID of the process to terminate. + example: abc123 + minLength: 1 + type: string + - type: object + properties: + process_name: + description: The name of the process to terminate. Valid for SentinelOne agent type only. + example: Elastic + minLength: 1 + type: string + required: + - parameters + Security_Endpoint_Management_API_Kuery: + description: A KQL string. + example: 'united.endpoint.host.os.name : ''Windows''' + type: string + Security_Endpoint_Management_API_MDERunScriptParameters: + description: Parameters for Run Script response action against Microsoft Defender Endpoint agent type. + example: + agent_type: microsoft_defender_endpoint + endpoint_ids: + - endpoint-id-1 + parameters: + args: '-param1 value1 -param2 value2' + scriptName: my-script.ps1 properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - Security_Detections_API_ThreatMatchRuleOptionalFields: + args: + description: Optional command line arguments for the script. + minLength: 1 + type: string + scriptName: + description: The name of the script to execute from the cloud storage. 
+ minLength: 1 + type: string + required: + - scriptName + title: Microsoft Defender Endpoint Run Script Parameters type: object - properties: - alert_suppression: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - concurrent_searches: - $ref: '#/components/schemas/Security_Detections_API_ConcurrentSearches' - data_view_id: - $ref: '#/components/schemas/Security_Detections_API_DataViewId' - filters: - $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' - index: - $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - items_per_search: - $ref: '#/components/schemas/Security_Detections_API_ItemsPerSearch' - saved_id: - $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' - threat_filters: - $ref: '#/components/schemas/Security_Detections_API_ThreatFilters' - threat_indicator_path: - $ref: '#/components/schemas/Security_Detections_API_ThreatIndicatorPath' - threat_language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - Security_Detections_API_ThreatMatchRulePatchFields: + Security_Endpoint_Management_API_MemoryDump: allOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - threat_index: - $ref: '#/components/schemas/Security_Detections_API_ThreatIndex' - threat_mapping: - $ref: '#/components/schemas/Security_Detections_API_ThreatMapping' - threat_query: - $ref: '#/components/schemas/Security_Detections_API_ThreatQuery' - type: - description: Rule type - enum: - - threat_match - type: string - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields - Security_Detections_API_ThreatMatchRulePatchProps: + outputs: + additionalProperties: + type: object + properties: + content: + properties: + code: + type: string + 
disk_free_space: + description: The free space on the host machine in bytes after the memory dump is written to disk + type: number + file_size: + description: The size of the memory dump compressed file in bytes + type: string + path: + description: The path to the memory dump compressed file on the host machine + type: string + title: Memory dump output + type: object + type: object + parameters: + oneOf: + - properties: + type: + description: Kernel-level memory dump + enum: + - kernel + type: string + required: + - type + title: Kernel memory dump + type: object + - properties: + pid: + description: The process ID (PID) + type: number + type: + description: Process-level memory dump using a process ID + enum: + - process + type: string + required: + - type + - pid + title: Process memory dump with PID + type: object + - properties: + entity_id: + description: The process entity ID + type: string + type: + description: Process-level memory dump using an entity ID + enum: + - process + type: string + required: + - type + - entity_id + title: Process memory dump with entity ID + type: object + required: + - parameters + Security_Endpoint_Management_API_MemoryDumpRouteRequestBody: allOf: - type: object properties: - actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. 
- items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - 
#/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - - > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + minLength: 1 + type: string + maxItems: 50 + minItems: 1 type: array - response_actions: + case_ids: + description: The IDs of cases where the action taken will be logged. Max of 50. 
+ example: + - case-id-1 + - case-id-2 items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + minLength: 1 + type: string + maxItems: 50 + minItems: 1 type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields - Security_Detections_API_ThreatMatchRuleRequiredFields: + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + 
required: + - endpoint_ids + - type: object + properties: + parameters: + oneOf: + - description: Dump the entire kernel memory. + type: object + properties: + type: + enum: + - kernel + type: string + required: + - type + - description: Dump the entire memory of a process using the PID. + type: object + properties: + pid: + type: number + type: + enum: + - process + type: string + required: + - type + - pid + - description: Dump the entire memory of a process using the entity ID. + type: object + properties: + entity_id: + type: string + type: + enum: + - process + type: string + required: + - type + - entity_id + required: + - parameters + Security_Endpoint_Management_API_MetadataListResponse: + example: + data: + - host_status: healthy + last_checkin: '2023-07-04T15:47:57.432Z' + metadata: + '@timestamp': '2023-07-04T15:47:57.432173535Z' + agent: + build: + original: 'version: 7.16.0, compiled: Tue Nov 16 16:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' + id: 285297c6-3bff-4b83-9a07-f3e749801123 + type: endpoint + version: 7.16.0 + data_stream: + dataset: endpoint.metadata + namespace: default + type: metrics + ecs: + version: 1.11.0 + elastic: + agent: + id: 285297c6-3bff-4b83-9a07-f3e749801123 + Endpoint: + capabilities: + - isolation + configuration: + isolation: false + policy: + applied: + endpoint_policy_version: '2' + id: d5371dcd-93b7-4627-af88-4084f7d6aa3e + name: test + status: success + version: '3' + state: + isolation: false + status: enrolled + event: + action: endpoint_metadata + agent_id_status: verified + category: + - host + created: '2023-07-04T15:47:57.432173535Z' + dataset: endpoint.metadata + id: MNtSXK/SkhEBnmgt++++++7S + ingested: '2023-07-04T15:47:58Z' + kind: metric + module: endpoint + sequence: 400 + type: + - info + host: + architecture: x86_64 + hostname: david-Xubuntu + id: 0cfead88e2024bd8a27476352b5ab264 + ip: + - 127.0.0.1 + - '::1' + - 10.0.2.15 + - fe80::2ac7:8e15:b957:2fa1 + mac: + - 
08:00:27:e6:78:8b + name: david-Xubuntu + os: + Ext: + variant: Ubuntu + family: ubuntu + full: Ubuntu 20.04.2 + kernel: '5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 UTC 2021' + name: Linux + platform: ubuntu + type: linux + version: 20.04.2 + message: Endpoint metadata + policy_info: + agent: + applied: + id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 + revision: 0 + configured: + id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 + revision: 3 + endpoint: + id: d5371dcd-93b7-4627-af88-4084f7d6aa3e + revision: 2 + - host_status: healthy + last_checkin: '2023-07-04T15:44:31.491Z' + metadata: + '@timestamp': '2023-07-04T15:44:31.4917849Z' + agent: + build: + original: 'version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' + id: abb8a826-6812-448c-a571-6d8269b51449 + type: endpoint + version: 7.16.0 + data_stream: + dataset: endpoint.metadata + namespace: default + type: metrics + ecs: + version: 1.11.0 + elastic: + agent: + id: abb8a826-6812-448c-a571-6d8269b51449 + Endpoint: + capabilities: + - isolation + configuration: + isolation: false + policy: + applied: + endpoint_policy_version: '2' + id: d5371dcd-93b7-4627-af88-4084f7d6aa3e + name: test + status: success + version: '3' + state: + isolation: false + status: enrolled + event: + action: endpoint_metadata + agent_id_status: verified + category: + - host + created: '2023-07-04T15:44:31.4917849Z' + dataset: endpoint.metadata + id: MNtRc++KoKHXXwlj+++++/N9 + ingested: '2023-07-04T15:44:33Z' + kind: metric + module: endpoint + sequence: 5159 + type: + - info + host: + architecture: x86_64 + hostname: WinDev2104Eval + id: 17d9cabc-7edd-43bc-bacb-8da5f5e6c0e5 + ip: + - 10.0.2.15 + - fe80::21a6:63d3:d70e:e3ad + - 127.0.0.1 + - '::1' + mac: + - 08:00:27:b1:1d:5a + name: WinDev2104Eval + os: + Ext: + variant: Windows 10 Enterprise Evaluation + family: windows + full: Windows 10 Enterprise Evaluation 20H2 (10.0.19042.906) + kernel: 20H2 (10.0.19042.906) + 
name: Windows + platform: windows + type: windows + version: 20H2 (10.0.19042.906) + message: Endpoint metadata + policy_info: + agent: + applied: + id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 + revision: 0 + configured: + id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 + revision: 3 + endpoint: + id: d5371dcd-93b7-4627-af88-4084f7d6aa3e + revision: 2 + page: 0 + pageSize: 10 + sortDirection: desc + sortField: enrolled_at + total: 2 type: object - properties: - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - threat_index: - $ref: '#/components/schemas/Security_Detections_API_ThreatIndex' - threat_mapping: - $ref: '#/components/schemas/Security_Detections_API_ThreatMapping' - threat_query: - $ref: '#/components/schemas/Security_Detections_API_ThreatQuery' - type: - description: Rule type - enum: - - threat_match - type: string - required: - - type - - query - - threat_query - - threat_mapping - - threat_index - Security_Detections_API_ThreatMatchRuleResponseFields: - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields - - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - required: - - language - Security_Detections_API_ThreatMatchRuleUpdateProps: - allOf: + properties: {} + Security_Endpoint_Management_API_Page: + default: 1 + description: Page number + example: 1 + minimum: 1 + type: integer + Security_Endpoint_Management_API_PageSize: + default: 10 + description: Number of items per page + example: 10 + maximum: 100 + minimum: 1 + type: integer + Security_Endpoint_Management_API_Parameters: + description: Parameters object + type: object + Security_Endpoint_Management_API_PendingActionDataType: + description: Number of pending actions of this type. 
+ type: integer + Security_Endpoint_Management_API_PendingActionsSchema: + oneOf: - type: object properties: - actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome 
- output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - - > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: 
'#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields - Security_Detections_API_ThreatQuery: - description: >- - Query used to determine which fields in the Elasticsearch index are used - for generating alerts. - type: string - Security_Detections_API_ThreatSubtechnique: + execute: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' + description: Number of pending execute actions. + get-file: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' + description: Number of pending get-file actions. + isolate: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' + description: Number of pending isolate actions. + kill-process: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' + description: Number of pending kill-process actions. + running-processes: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' + description: Number of pending running-processes (get processes) actions. + scan: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' + description: Number of pending scan actions. + suspend-process: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' + description: Number of pending suspend-process actions. + unisolate: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' + description: Number of pending unisolate (release) actions. 
+ upload: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' + description: Number of pending upload actions. + - additionalProperties: true + type: object + Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse: type: object properties: - id: - description: Subtechnique ID + note: + description: A note associated with the protection updates for the given package policy. type: string - name: - description: Subtechnique name + Security_Endpoint_Management_API_RawScriptParameters: + type: object + properties: + commandLine: + description: Command line arguments. + minLength: 1 type: string - reference: - description: Subtechnique reference + raw: + description: Raw script content. + minLength: 1 type: string + timeout: + description: Timeout in seconds. + minimum: 1 + type: integer required: - - id - - name - - reference - Security_Detections_API_ThreatTactic: - description: | - Object containing information on the attack type + - raw + Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: __agent__type__here_ + command: __command__name__here__ + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: {} + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + type: object + properties: + data: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + Security_Endpoint_Management_API_ResponseActionDetails: type: object properties: + agents: + description: The agent IDs for the hosts that the response action was sent to + items: + format: uuid + type: string + type: array + agentState: + additionalProperties: + format: uuid + type: 
object + properties: + completedAt: + description: The date and time the response action was completed for the agent ID + type: string + isCompleted: + description: Whether the response action is completed for the agent ID + type: boolean + wasSuccessful: + description: Whether the response action was successful for the agent ID + type: boolean + description: The state of the response action for each agent ID that it was sent to + type: object + agentType: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + command: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Command' + completedAt: + description: The response action completion time + format: date-time + type: string + createdBy: + description: The user who created the response action + type: string + hosts: + additionalProperties: + format: uuid + type: object + properties: + name: + description: The host name + type: string + description: An object containing the host names associated with the agent IDs the response action was sent to + type: object id: - description: Tactic ID + description: The response action ID + format: uuid type: string - name: - description: Tactic name + isComplete: + description: Whether the response action is complete + type: boolean + isExpired: + description: Whether the response action is expired + type: boolean + outputs: + additionalProperties: + description: The agent id + format: uuid + properties: + content: + description: The response action output content for the agent ID. Exact format depends on the response action command. + oneOf: + - type: object + - type: string + type: + enum: + - json + - text + type: string + required: + - type + - content + title: Agent ID + type: object + description: | + The outputs of the response action for each agent ID that it was sent to. 
Content different depending on the + response action command and will only be present for agents that have responded to the response action + type: object + parameters: + description: The parameters of the response action. Content different depending on the response action command + type: object + startedAt: + description: The response action start time + format: date-time type: string - reference: - description: Tactic reference + status: + description: The response action status type: string + wasSuccessful: + description: Whether the response action was successful + type: boolean required: - - id - - name - - reference - Security_Detections_API_ThreatTechnique: + - command + Security_Endpoint_Management_API_RunningProcesses: + allOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + - type: object + properties: + outputs: + additionalProperties: + type: object + properties: + content: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputEndpoint' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne' + type: object + Security_Endpoint_Management_API_RunningProcessesOutputEndpoint: + description: Processes output for `agentType` of `endpoint` type: object properties: - id: - description: Technique ID - type: string - name: - description: Technique name - type: string - reference: - description: Technique reference + code: type: string - subtechnique: - description: | - Array containing more specific information on the attack technique. 
+ entries: items: - $ref: '#/components/schemas/Security_Detections_API_ThreatSubtechnique' + type: object + properties: + command: + type: string + entity_id: + type: string + pid: + type: number + user: + type: string type: array - required: - - id - - name - - reference - Security_Detections_API_Threshold: + Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne: + allOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' + - description: Processes output for `agentType` of `sentinel_one` + type: object + properties: + code: + type: string + Security_Endpoint_Management_API_Runscript: + allOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + - type: object + properties: + outputs: + additionalProperties: + type: object + properties: + content: + allOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' + - type: object + properties: + code: + type: string + stderr: + type: string + stdout: + type: string + type: object + parameters: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsCrowdStrike' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsMicrosoft' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsSentinelOne' + Security_Endpoint_Management_API_RunscriptParamsCrowdStrike: type: object properties: - cardinality: - $ref: '#/components/schemas/Security_Detections_API_ThresholdCardinality' - field: - $ref: '#/components/schemas/Security_Detections_API_ThresholdField' - value: - $ref: '#/components/schemas/Security_Detections_API_ThresholdValue' - required: - - field - - value - Security_Detections_API_ThresholdAlertSuppression: - description: Defines alert suppression configuration. 
+ cloudFile: + type: string + commandLine: + type: string + hostPath: + type: string + raw: + type: string + timeout: + type: number + Security_Endpoint_Management_API_RunscriptParamsMicrosoft: type: object properties: - duration: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionDuration - required: - - duration - Security_Detections_API_ThresholdCardinality: - description: The field on which the cardinality is applied. - items: - type: object - properties: - field: - description: The field on which to calculate and compare the cardinality. - type: string - value: - description: >- - The threshold value from which an alert is generated based on - unique number of values of cardinality.field. - minimum: 0 - type: integer - required: - - field - - value - type: array - Security_Detections_API_ThresholdField: - description: >- - The field on which the threshold is applied. If you specify an empty - array ([]), alerts are generated when the query returns at least the - number of results specified in the value field. - oneOf: - - type: string - - items: - type: string - maxItems: 5 - minItems: 0 - type: array - Security_Detections_API_ThresholdRule: - allOf: - - type: object - properties: - actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. 
- items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - 
description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - - > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + args: + type: string + scriptName: + type: string + Security_Endpoint_Management_API_RunscriptParamsSentinelOne: + type: object + properties: + scriptId: + type: string + scriptInput: + type: string + Security_Endpoint_Management_API_RunScriptRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + minLength: 1 + type: string + maxItems: 50 + minItems: 1 type: array - response_actions: + case_ids: + description: The IDs of cases where the action taken will be logged. Max of 50. 
+ example: + - case-id-1 + - case-id-2 items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + minLength: 1 + type: string + maxItems: 50 + minItems: 1 type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - - name - - description - - risk_score - - severity - - version - - tags - - enabled - - risk_score_mapping - - severity_mapping - - interval - - from - - to - - actions - - exceptions_list - - author - - false_positives 
- - references - - max_signals - - threat - - setup - - related_integrations - - required_fields - - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleResponseFields - Security_Detections_API_ThresholdRuleCreateFields: + - endpoint_ids + - type: object + properties: + parameters: + description: | + One of the following set of parameters must be provided + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RawScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_HostPathScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_CloudFileScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_SentinelOneRunScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_MDERunScriptParameters' + required: + - parameters + Security_Endpoint_Management_API_Scan: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields - Security_Detections_API_ThresholdRuleCreateProps: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + - type: object + properties: + outputs: + additionalProperties: + type: object + properties: + content: + type: object + properties: + code: + type: string + type: object + parameters: + type: object + properties: + path: + type: string + Security_Endpoint_Management_API_ScanRouteRequestBody: allOf: - type: object properties: - actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. 
- items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - 
description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - - > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + minLength: 1 + type: string + maxItems: 50 + minItems: 1 type: array - response_actions: + case_ids: + description: The IDs of cases where the action taken will be logged. Max of 50. + example: + - case-id-1 + - case-id-2 items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + minLength: 1 + type: string + maxItems: 50 + minItems: 1 type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - 
timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateFields - Security_Detections_API_ThresholdRuleDefaultableFields: - type: object + - endpoint_ids + - type: object + properties: + parameters: + type: object + properties: + path: + description: The folder or file's full path (including the file name). + example: /usr/my-file.txt + type: string + required: + - path + required: + - parameters + Security_Endpoint_Management_API_SentinelOneRunScriptParameters: + description: Parameters for Run Script response action against SentinelOne agent type. + example: + agent_type: sentinel_one + endpoint_ids: + - endpoint-id-1 + parameters: + scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 + scriptInput: '--delete --paths-to-delete /tmp/temp_file.txt,/tmp/random_file.txt' properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - Security_Detections_API_ThresholdRuleOptionalFields: + scriptId: + description: The script ID from SentinelOne scripts library that will be executed. 
+ minLength: 1 + type: string + scriptInput: + description: The input parameter arguments for the script that was selected. + minLength: 1 + type: string + required: + - scriptId + title: SentinelOne Run Script Parameters type: object - properties: - alert_suppression: - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdAlertSuppression - data_view_id: - $ref: '#/components/schemas/Security_Detections_API_DataViewId' - filters: - $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' - index: - $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - saved_id: - $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' - Security_Detections_API_ThresholdRulePatchFields: + Security_Endpoint_Management_API_SortDirection: + description: Determines the sort order. + enum: + - asc + - desc + example: desc + type: string + Security_Endpoint_Management_API_SortField: + description: Determines which field is used to sort the results. + enum: + - enrolled_at + - metadata.host.hostname + - host_status + - metadata.Endpoint.policy.applied.name + - metadata.Endpoint.policy.applied.status + - metadata.host.os.name + - metadata.host.ip + - metadata.agent.version + - last_checkin + example: enrolled_at + type: string + Security_Endpoint_Management_API_StartDate: + description: A start date in ISO 8601 format or Date Math format. + example: '2023-10-31T00:00:00.000Z' + type: string + Security_Endpoint_Management_API_SuccessResponse: + description: A generic successful response. 
+ type: object + Security_Endpoint_Management_API_SuspendProcess: allOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - threshold: - $ref: '#/components/schemas/Security_Detections_API_Threshold' - type: - description: Rule type - enum: - - threshold - type: string - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields - Security_Detections_API_ThresholdRulePatchProps: + outputs: + additionalProperties: + type: object + properties: + content: + oneOf: + - type: object + properties: + code: + type: string + command: + type: string + pid: + type: number + - type: object + properties: + code: + type: string + command: + type: string + entity_id: + type: string + type: object + parameters: + oneOf: + - type: object + properties: + pid: + description: The process ID (PID) of the process to terminate. + minimum: 1 + type: number + - type: object + properties: + entity_id: + description: The entity ID of the process to terminate. + minLength: 1 + type: string + Security_Endpoint_Management_API_SuspendProcessRouteRequestBody: allOf: - type: object properties: - actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. 
- items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - 
#/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - - > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + minLength: 1 + type: string + maxItems: 50 + minItems: 1 type: array - response_actions: + case_ids: + description: The IDs of cases where the action taken will be logged. Max of 50. 
+ example: + - case-id-1 + - case-id-2 items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + minLength: 1 + type: string + maxItems: 50 + minItems: 1 type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRulePatchFields - Security_Detections_API_ThresholdRuleRequiredFields: + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + 
required: + - endpoint_ids + - type: object + properties: + parameters: + oneOf: + - type: object + properties: + pid: + description: The process ID (PID) of the process to suspend. + example: 123 + minimum: 1 + type: integer + - type: object + properties: + entity_id: + description: The entity ID of the process to suspend. + example: abc123 + minLength: 1 + type: string + required: + - parameters + Security_Endpoint_Management_API_Type: + description: Type of response action + enum: + - automated + - manual + type: string + Security_Endpoint_Management_API_Types: + description: List of types of response actions + example: + - automated + - manual + items: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Type' + maxLength: 2 + minLength: 1 + type: array + Security_Endpoint_Management_API_Unisolate: + allOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + - description: Details of an unisolate action response. + type: object + Security_Endpoint_Management_API_UnisolateRouteResponse: type: object - properties: - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - threshold: - $ref: '#/components/schemas/Security_Detections_API_Threshold' - type: - description: Rule type - enum: - - threshold - type: string - required: - - type - - query - - threshold - Security_Detections_API_ThresholdRuleResponseFields: + properties: + action: + description: The action ID (legacy field, same as `data.id`). 
+ type: string + data: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' + Security_Endpoint_Management_API_Upload: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - required: - - language - Security_Detections_API_ThresholdRuleUpdateProps: + outputs: + additionalProperties: + type: object + properties: + content: + type: object + properties: + code: + type: string + disk_free_space: + type: number + path: + type: string + type: object + parameters: + description: | + The parameters for upload returned on the details are derived via the API from the file that + was uploaded at the time that the response action was submitted + type: object + properties: + file_id: + type: string + file_name: + type: string + file_sha256: + type: string + file_size: + type: number + Security_Endpoint_Management_API_UploadRouteRequestBody: allOf: - type: object properties: - actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. 
- items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - 
#/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - - > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + minLength: 1 + type: string + maxItems: 50 + minItems: 1 type: array - response_actions: + case_ids: + description: The IDs of cases where the action taken will be logged. Max of 50. 
+ example: + - case-id-1 + - case-id-2 items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + minLength: 1 + type: string + maxItems: 50 + minItems: 1 type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateFields - 
Security_Detections_API_ThresholdValue: - description: The threshold value from which an alert is generated. - minimum: 1 - type: integer - Security_Detections_API_ThrottleForBulkActions: - description: > - Defines the maximum interval in which a rule’s actions are executed. - - > info - - > The rule level `throttle` field is deprecated in Elastic Security 8.8 - and will remain active for at least the next 12 months. - - > In Elastic Security 8.8 and later, you can use the `frequency` field - to define frequencies for individual actions. Actions without - frequencies will acquire a converted version of the rule’s `throttle` - field. In the response, the converted `throttle` setting appears in the - individual actions' `frequency` field. - enum: - - rule - - 1h - - 1d - - 7d - type: string - Security_Detections_API_TiebreakerField: - description: Sets a secondary field for sorting events - type: string - Security_Detections_API_TimelineTemplateId: - description: Timeline template ID - type: string - Security_Detections_API_TimelineTemplateTitle: - description: Timeline template title - type: string - Security_Detections_API_TimestampField: - description: >- - Specifies the name of the event timestamp field used for sorting a - sequence of events. Not to be confused with `timestamp_override`, which - specifies the more general field used for querying events within a - range. Defaults to the @timestamp ECS field. - type: string - Security_Detections_API_TimestampOverride: - description: >- - Sets the time field used to query indices. When unspecified, rules query - the `@timestamp` field. The source field must be an Elasticsearch date - data type. 
- type: string - Security_Detections_API_TimestampOverrideFallbackDisabled: - description: Disables the fallback to the event's @timestamp field - type: boolean - Security_Detections_API_UUID: - description: A universally unique identifier - format: uuid - type: string - Security_Detections_API_WarningSchema: - type: object - properties: - actionPath: - type: string - buttonLabel: - type: string - message: - type: string - type: + - endpoint_ids + - type: object + properties: + file: + description: The binary content of the file. + example: RWxhc3RpYw== + format: binary + type: string + parameters: + type: object + properties: + overwrite: + default: false + description: Overwrite the file on the host if it already exists. + example: false + type: boolean + required: + - parameters + - file + Security_Endpoint_Management_API_UserIds: + description: A list of user IDs. Max of 50. + example: + - user-id-1 + - user-id-2 + oneOf: + - items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + - minLength: 1 type: string - required: - - type - - message - - actionPath - Security_Endpoint_Exceptions_API_EndpointList: + Security_Endpoint_Management_API_WithOutputs: + description: A list of action IDs that should include the complete output of the action. Max of 50. + example: + - action-id-1 + - action-id-2 oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionList' - - additionalProperties: false - type: object - Security_Endpoint_Exceptions_API_EndpointListItem: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' - Security_Endpoint_Exceptions_API_ExceptionList: + - items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + - minLength: 1 + type: string + Security_Entity_Analytics_API_Asset: + additionalProperties: false + description: Asset metadata associated with the entity. 
type: object properties: - _version: - description: >- - The version id, normally returned by the API when the item was - retrieved. Use it ensure updates are done against the latest - version. - type: string - created_at: - description: Autogenerated date of object creation. - format: date-time + business_unit: + description: Business unit the asset belongs to. type: string - created_by: - description: Autogenerated value - user that created object. + criticality: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' + description: The criticality level assigned to this asset. + nullable: true + environment: + description: Deployment environment (for example, production, staging). type: string - description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId - immutable: - type: boolean - list_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId - meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta + description: Unique identifier for the asset. + type: string + model: + description: Model name or number. + type: string name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName - namespace_type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType - os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray - tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags - tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. + description: Human-readable asset name. 
type: string - type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType - updated_at: - description: Autogenerated date of last object update. - format: date-time + owner: + description: The owner of the asset. type: string - updated_by: - description: Autogenerated value - user that last updated object. + serial_number: + description: Serial number of the asset. + type: string + vendor: + description: Vendor or manufacturer. + type: string + Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem: + type: object + properties: + index: + type: integer + message: type: string - version: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion required: - - id - - list_id - - type - - name - - description - - immutable - - namespace_type - - version - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Endpoint_Exceptions_API_ExceptionListDescription: - description: Describes the exception list. - example: This list tracks allowlisted values. - type: string - Security_Endpoint_Exceptions_API_ExceptionListHumanId: - description: > - The exception list's human-readable string identifier. 
- - - For endpoint artifacts, use one of the following values: - - - * `endpoint_list`: [Elastic Endpoint exception - list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) - - * `endpoint_trusted_apps`: [Trusted applications - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) - - * `endpoint_trusted_devices`: [Trusted devices - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) - - * `endpoint_event_filters`: [Event filters - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) - - * `endpoint_host_isolation_exceptions`: [Host isolation exceptions - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) - - * `endpoint_blocklists`: [Blocklists - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) - example: simple_list - format: nonempty - minLength: 1 + - message + - index + Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats: + type: object + properties: + failed: + type: integer + successful: + type: integer + total: + type: integer + required: + - successful + - failed + - total + Security_Entity_Analytics_API_AssetCriticalityLevel: + description: The criticality level of the asset. + enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact type: string - Security_Endpoint_Exceptions_API_ExceptionListId: - description: Exception list's identifier. - example: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - format: nonempty - minLength: 1 + Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload: + description: The criticality level of the asset for bulk upload. The value `unassigned` is used to indicate that the criticality level is not assigned and is only used for bulk upload. 
+ enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + - unassigned type: string - Security_Endpoint_Exceptions_API_ExceptionListItem: + Security_Entity_Analytics_API_AssetCriticalityRecord: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord' + - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts' + - type: object + properties: + '@timestamp': + description: The time the record was created or updated. + example: '2017-07-21T17:32:28Z' + format: date-time + type: string + required: + - '@timestamp' + example: + '@timestamp': '2024-08-02T11:15:34.290Z' + asset: + criticality: high_impact + criticality_level: high_impact + host: + asset: + criticality: high_impact + name: my_host + id_field: host.name + id_value: my_host + Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts: type: object properties: - _version: - description: >- - The version id, normally returned by the API when the item was - retrieved. Use it ensure updates are done against the latest - version. - type: string - comments: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray - created_at: - description: Autogenerated date of object creation. - format: date-time - type: string - created_by: - description: Autogenerated value - user that created object. 
- type: string - description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray - expire_time: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime - id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - item_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId - list_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId - meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta - name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName - namespace_type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType - os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray - tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags - tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. - type: string - type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType - updated_at: - description: Autogenerated date of last object update. - format: date-time - type: string - updated_by: - description: Autogenerated value - user that last updated object. 
- type: string + asset: + type: object + properties: + criticality: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' + required: + - asset + entity: + type: object + properties: + asset: + type: object + properties: + criticality: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' + required: + - criticality + id: + type: string + required: + - id + host: + type: object + properties: + asset: + type: object + properties: + criticality: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' + required: + - criticality + name: + type: string + required: + - name + service: + type: object + properties: + asset: + type: object + properties: + criticality: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' + required: + - criticality + name: + type: string + required: + - name + user: + type: object + properties: + asset: + type: object + properties: + criticality: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' + required: + - criticality + name: + type: string + required: + - name required: - - id - - item_id - - list_id - - type - - name - - description - - entries - - namespace_type - - comments - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Endpoint_Exceptions_API_ExceptionListItemComment: + - asset + Security_Entity_Analytics_API_AssetCriticalityRecordIdParts: type: object properties: - comment: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - created_at: - description: Autogenerated date of object creation. - format: date-time - type: string - created_by: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - id: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - updated_at: - description: Autogenerated date of last object update. 
- format: date-time + id_field: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' + description: The field representing the ID. + example: host.name + id_value: + description: The ID value of the asset. type: string - updated_by: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' required: - - id - - comment - - created_at - - created_by - Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray: - description: | - Array of comment fields: - - - comment (string): Comments about the exception item. - items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment - type: array - Security_Endpoint_Exceptions_API_ExceptionListItemDescription: - description: Describes the exception list. - type: string - Security_Endpoint_Exceptions_API_ExceptionListItemEntry: - anyOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard - discriminator: - propertyName: type - Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray: - items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry - type: array - Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists: + - id_value + - id_field + Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse: type: object properties: - field: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - operator: - $ref: >- - 
#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - exists - type: string + cleanup_successful: + example: false + type: boolean + errors: + items: + type: object + properties: + error: + type: string + seq: + type: integer + required: + - seq + - error + type: array required: - - type - - field - - operator - Security_Endpoint_Exceptions_API_ExceptionListItemEntryList: + - cleanup_successful + - errors + Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse: type: object properties: - field: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - list: - type: object + errors: + items: + type: object + properties: + error: + type: string + seq: + type: integer + required: + - seq + - error + type: array + risk_engine_saved_object_configured: + example: false + type: boolean + required: + - risk_engine_saved_object_configured + - errors + Security_Entity_Analytics_API_CreateAssetCriticalityRecord: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts' + - type: object properties: - id: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListId' - type: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListType' + criticality_level: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - - id - - type - operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - list - type: string - required: - - type - - field - - list - - operator - Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch: + - criticality_level + Security_Entity_Analytics_API_DateRange: + description: Defines the lookback period for filtering source data by timestamp. 
type: object properties: - field: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - match + end: + description: End of the lookback period (date math or ISO string, e.g. "now") + type: string + start: + description: Start of the lookback period (date math or ISO string, e.g. "now-10d") type: string - value: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' required: - - type - - field - - value - - operator - Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny: + - start + - end + Security_Entity_Analytics_API_EngineComponentResource: + description: The type of Elasticsearch or Kibana resource backing an engine component. + enum: + - entity_engine + - entity_definition + - index + - data_stream + - component_template + - index_template + - ingest_pipeline + - enrich_policy + - task + - transform + - ilm_policy + type: string + Security_Entity_Analytics_API_EngineComponentStatus: + description: Status of an individual Elasticsearch or Kibana resource backing an engine. type: object properties: - field: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - match_any - type: string - value: + errors: + description: Errors reported by this component, if any. items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString - minItems: 1 + type: object + properties: + message: + description: Detailed error message. + type: string + title: + description: Short error title. + type: string type: array + health: + description: The health status of the component. + enum: + - green + - yellow + - red + - unavailable + - unknown + type: string + id: + description: Unique identifier for the component. 
+ type: string + installed: + description: Whether the component is currently installed. + type: boolean + metadata: + $ref: '#/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata' + resource: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentResource' required: - - type - - field - - value - - operator - Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard: + - id + - installed + - resource + Security_Entity_Analytics_API_EngineDataviewUpdateResult: + description: The result of applying data view index changes to a single engine. type: object properties: - field: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + changes: + description: The changes applied to the engine. + type: object + properties: + indexPatterns: + description: The updated list of index patterns now used by the engine. + items: + type: string + type: array type: - enum: - - wildcard + description: The entity type of the engine that was updated. type: string - value: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' required: - type - - field - - value - - operator - Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested: + Security_Entity_Analytics_API_EngineDescriptor: + description: Describes a single entity engine, including its configuration and current status. type: object properties: - entries: - items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem - minItems: 1 - type: array - field: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - type: - enum: - - nested + delay: + default: 1m + description: The delay before the transform processes new data, allowing late-arriving documents to be included. 
+ example: 1m + pattern: '[smdh]$' + type: string + docsPerSecond: + description: Throttle value for the number of documents processed per second. Use -1 for no throttle. + type: integer + error: + description: Present when the engine status is `error`. Describes the failure. + type: object + properties: + action: + description: The lifecycle action that caused the error. + enum: + - init + type: string + message: + description: A human-readable error message. + type: string + required: + - message + - action + fieldHistoryLength: + description: The number of historical values retained per field. + example: 10 + type: integer + filter: + description: An optional Kibana Query Language (KQL) filter applied to source documents before aggregation. + example: 'host.name: "my-host"' + type: string + frequency: + default: 1m + description: How often the transform runs. + example: 1m + pattern: '[smdh]$' + type: string + indexPattern: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' + lookbackPeriod: + default: 24h + description: How far back the transform looks when calculating aggregations. + example: 24h + pattern: '[smdh]$' + type: string + status: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineStatus' + timeout: + default: 180s + description: The timeout for initializing the aggregating transform. + example: 180s + pattern: '[smdh]$' + type: string + timestampField: + description: The field used as the timestamp for source documents. 
+ example: '@timestamp' type: string + type: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' required: - type - - field - - entries - Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists - Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator: - enum: - - excluded - - included - type: string - Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime: - description: >- - The exception item’s expiration date, in ISO format. This field is only - available for regular exception items, not endpoint exceptions. - format: date-time - type: string - Security_Endpoint_Exceptions_API_ExceptionListItemHumanId: - description: Human readable string identifier, e.g. `trusted-linux-processes` - example: simple_list_item - format: nonempty - minLength: 1 - type: string - Security_Endpoint_Exceptions_API_ExceptionListItemId: - description: Exception's identifier. - example: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - format: nonempty - minLength: 1 - type: string - Security_Endpoint_Exceptions_API_ExceptionListItemMeta: - additionalProperties: true - type: object - Security_Endpoint_Exceptions_API_ExceptionListItemName: - description: Exception list name. - format: nonempty - minLength: 1 - type: string - Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray: - items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType - type: array - Security_Endpoint_Exceptions_API_ExceptionListItemTags: - items: - description: >- - String array containing words and phrases to help categorize exception - items. 
- format: nonempty - minLength: 1 - type: string - type: array - Security_Endpoint_Exceptions_API_ExceptionListItemType: - enum: - - simple - type: string - Security_Endpoint_Exceptions_API_ExceptionListMeta: - additionalProperties: true - description: Placeholder for metadata about the list container. - type: object - Security_Endpoint_Exceptions_API_ExceptionListName: - description: The name of the exception list. - example: My exception list - type: string - Security_Endpoint_Exceptions_API_ExceptionListOsType: - description: Use this field to specify the operating system. - enum: - - linux - - macos - - windows - type: string - Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray: - description: Use this field to specify the operating system. Only enter one value. - items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType - type: array - Security_Endpoint_Exceptions_API_ExceptionListTags: - description: >- - String array containing words and phrases to help categorize exception - containers. - items: - type: string - type: array - Security_Endpoint_Exceptions_API_ExceptionListType: - description: >- - The type of exception list to be created. Different list types may - denote where they can be utilized. - enum: - - detection - - rule_default - - endpoint - - endpoint_trusted_apps - - endpoint_trusted_devices - - endpoint_events - - endpoint_host_isolation_exceptions - - endpoint_blocklists - type: string - Security_Endpoint_Exceptions_API_ExceptionListVersion: - description: The document version, automatically increasd on updates. - minimum: 1 - type: integer - Security_Endpoint_Exceptions_API_ExceptionNamespaceType: - description: > - Determines whether the exception container is available in all Kibana - spaces or just the space - - in which it is created, where: - - - - `single`: Only available in the Kibana space in which it is created. - - - `agnostic`: Available in all Kibana spaces. 
- - - For endpoint artifacts, the `namespace_type` must always be `agnostic`. - Space awareness for endpoint artifacts is enforced based on Elastic - Defend policy assignments. - enum: - - agnostic - - single - type: string - Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - Security_Endpoint_Exceptions_API_ListId: - description: Value list's identifier. - example: 21b01cfb-058d-44b9-838c-282be16c91cd - format: nonempty - minLength: 1 - type: string - Security_Endpoint_Exceptions_API_ListType: - description: > - Specifies the Elasticsearch data type of excludes the list container - holds. Some common examples: - - - - `keyword`: Many ECS fields are Elasticsearch keywords - - - `ip`: IP addresses - - - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR - notation) - enum: - - binary - - boolean - - byte - - date - - date_nanos - - date_range - - double - - double_range - - float - - float_range - - geo_point - - geo_shape - - half_float - - integer - - integer_range - - ip - - ip_range - - keyword - - long - - long_range - - shape - - short - - text - type: string - Security_Endpoint_Exceptions_API_NonEmptyString: - description: A string that does not contain only whitespace characters - format: nonempty - minLength: 1 - type: string - Security_Endpoint_Exceptions_API_PlatformErrorResponse: + - indexPattern + - status + - fieldHistoryLength + Security_Entity_Analytics_API_EngineMetadata: + additionalProperties: false + description: Internal metadata attached to an entity by the engine that produced it. type: object properties: - error: - type: string - message: + Type: + description: The engine type that produced this entity record. type: string - statusCode: - type: integer required: - - statusCode + - Type + Security_Entity_Analytics_API_EngineStatus: + description: The current operational status of an entity engine. 
+ enum: + - installing + - started + - stopped + - updating - error - - message - Security_Endpoint_Exceptions_API_SiemErrorResponse: + type: string + Security_Entity_Analytics_API_EntitiesContainer: + description: A collection of entities to upsert in bulk. type: object properties: - message: - type: string - status_code: - type: integer + entities: + description: The entities to create or update. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityContainer' + type: array required: - - status_code - - message - Security_Endpoint_Management_API_ActionDetailsResponse: - discriminator: - mapping: - cancel: '#/components/schemas/Security_Endpoint_Management_API_Cancel' - execute: '#/components/schemas/Security_Endpoint_Management_API_Execute' - get-file: '#/components/schemas/Security_Endpoint_Management_API_GetFile' - isolate: '#/components/schemas/Security_Endpoint_Management_API_Isolate' - kill-process: '#/components/schemas/Security_Endpoint_Management_API_KillProcess' - memory-dump: '#/components/schemas/Security_Endpoint_Management_API_MemoryDump' - running-processes: >- - #/components/schemas/Security_Endpoint_Management_API_RunningProcesses - runscript: '#/components/schemas/Security_Endpoint_Management_API_Runscript' - scan: '#/components/schemas/Security_Endpoint_Management_API_Scan' - suspend-process: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcess' - unisolate: '#/components/schemas/Security_Endpoint_Management_API_Unisolate' - upload: '#/components/schemas/Security_Endpoint_Management_API_Upload' - propertyName: command + - entities + Security_Entity_Analytics_API_Entity: + description: An entity record from the Entity Store. The `entity` namespace is a root-level field in the latest index, unlike source logs where it is nested under `host`, `user`, or `service`. 
oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcess' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFile' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Execute' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Runscript' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Upload' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Scan' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Cancel' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Isolate' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Unisolate' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcess' - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunningProcesses - - $ref: '#/components/schemas/Security_Endpoint_Management_API_MemoryDump' - Security_Endpoint_Management_API_ActionStateSuccessResponse: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserEntity' + - $ref: '#/components/schemas/Security_Entity_Analytics_API_HostEntity' + - $ref: '#/components/schemas/Security_Entity_Analytics_API_ServiceEntity' + - $ref: '#/components/schemas/Security_Entity_Analytics_API_GenericEntity' + Security_Entity_Analytics_API_EntityAnalyticsPrivileges: type: object properties: - body: + has_all_required: + type: boolean + has_read_permissions: + type: boolean + has_write_permissions: + type: boolean + privileges: type: object properties: - data: + elasticsearch: type: object properties: - canEncrypt: - description: >- - Whether the Kibana instance has encryption enabled for - response actions. 
- type: boolean + cluster: + additionalProperties: + type: boolean + type: object + index: + additionalProperties: + additionalProperties: + type: boolean + type: object + type: object + kibana: + additionalProperties: + type: boolean + type: object required: - - data + - elasticsearch required: - - body - Security_Endpoint_Management_API_ActionStatusSuccessResponse: + - has_all_required + - privileges + Security_Entity_Analytics_API_EntityContainer: + description: A wrapper that pairs an entity type with the entity record to upsert. type: object properties: - body: + record: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' + description: The entity record to create or update. + type: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + description: The entity type of the record. + required: + - type + - record + Security_Entity_Analytics_API_EntityField: + additionalProperties: false + description: Core entity fields shared across all entity types. The `entity` namespace is a root-level field in the Entity Store latest index. + type: object + properties: + attributes: + additionalProperties: false + description: Boolean flags describing characteristics of the entity. type: object properties: - data: - type: object - properties: - agent_id: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_AgentId - pending_actions: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema - required: - - agent_id - - pending_actions - required: - - data - required: - - body - Security_Endpoint_Management_API_AgentId: - description: Agent ID - type: string - Security_Endpoint_Management_API_AgentIds: - description: A list of agent IDs. Max of 250. - example: - - agent-id-1 - - agent-id-2 - minLength: 1 - oneOf: - - items: - minLength: 1 - type: string - maxItems: 250 - minItems: 1 - type: array - - minLength: 1 + asset: + description: Whether the entity is classified as an asset. 
+ type: boolean + managed: + description: Whether the entity is managed (for example, via a directory service). + type: boolean + mfa_enabled: + description: Whether multi-factor authentication is enabled for the entity. + type: boolean + privileged: + description: Whether the entity has elevated privileges. + type: boolean + behaviors: + additionalProperties: false + description: Boolean flags indicating observed behavioral signals. + type: object + properties: + brute_force_victim: + description: Whether the entity has been targeted by brute-force attacks. + type: boolean + new_country_login: + description: Whether the entity has logged in from a new country. + type: boolean + used_usb_device: + description: Whether the entity has used a USB device. + type: boolean + EngineMetadata: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineMetadata' + id: + description: Unique identifier for this entity. + example: arn:aws:iam::123456789012:user/jane.doe type: string - Security_Endpoint_Management_API_AgentTypes: - description: List of agent types to retrieve. Defaults to `endpoint`. - enum: - - endpoint - - sentinel_one - - crowdstrike - - microsoft_defender_endpoint - example: endpoint - type: string - Security_Endpoint_Management_API_Cancel: - allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - - type: object + lifecycle: + additionalProperties: false + description: Timestamps tracking the entity lifecycle. + type: object properties: - outputs: - additionalProperties: - type: object - properties: - content: - type: object - properties: - code: - type: string - type: object - parameters: - type: object - properties: - id: - format: uuid - type: string - Security_Endpoint_Management_API_CancelRouteRequestBody: - allOf: - - type: object + first_seen: + description: When the entity was first observed. + format: date-time + type: string + last_activity: + description: When the entity last generated activity. 
+ format: date-time + type: string + last_seen: + description: When the entity was last observed. + format: date-time + type: string + name: + description: Human-readable name of the entity. + example: jane.doe + type: string + relationships: + additionalProperties: false + description: Connections between this entity and other entities. + type: object properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 + accessed_frequently_by: + description: Entity IDs that frequently access this entity. items: - minLength: 1 type: string - maxItems: 50 - minItems: 1 type: array - case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. - example: - - case-id-1 - - case-id-2 + accesses_frequently: + description: Entity IDs this entity accesses frequently. items: - minLength: 1 type: string - maxItems: 50 - minItems: 1 type: array - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - - type: object + accesses_infrequently: + description: Entity IDs this entity accesses infrequently. + items: + type: string + type: array + communicates_with: + description: Entity IDs this entity communicates with. + items: + type: string + type: array + dependent_of: + description: Entity IDs that depend on this entity. + items: + type: string + type: array + depends_on: + description: Entity IDs this entity depends on. + items: + type: string + type: array + owned_by: + description: Entity IDs that own this entity. 
+ items: + type: string + type: array + owns: + description: Entity IDs owned by this entity. + items: + type: string + type: array + supervised_by: + description: Entity IDs that supervise this entity. + items: + type: string + type: array + supervises: + description: Entity IDs supervised by this entity. + items: + type: string + type: array + risk: + additionalProperties: false + description: Risk scoring information for the entity. + type: object properties: - parameters: - type: object - properties: - id: - description: ID of the response action to cancel - example: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d - minLength: 1 - type: string - required: - - id - required: - - parameters - Security_Endpoint_Management_API_CloudFileScriptParameters: + calculated_level: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels' + description: Lexical description of the entity's risk. + example: Critical + calculated_score: + description: The raw numeric value of the given entity's risk score. + format: double + type: number + calculated_score_norm: + description: The normalized numeric value of the given entity's risk score. Useful for comparing with other entities. + format: double + maximum: 100 + minimum: 0 + type: number + source: + description: The source that produced this entity record. + type: string + sub_type: + description: Optional sub-type classification for the entity. + type: string + type: + description: The entity type. + example: user + type: string + required: + - id + Security_Entity_Analytics_API_EntityRiskLevels: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + Security_Entity_Analytics_API_EntityRiskScoreRecord: type: object properties: - cloudFile: - description: Script name in cloud storage. - minLength: 1 + '@timestamp': + description: The time at which the risk score was calculated. 
+ example: '2017-07-21T17:32:28Z' + format: date-time type: string - commandLine: - description: Command line arguments. - minLength: 1 + calculated_level: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels' + description: Lexical description of the entity's risk. + example: Critical + calculated_score: + description: The raw numeric value of the given entity's risk score. + format: double + type: number + calculated_score_norm: + description: The normalized numeric value of the given entity's risk score. Useful for comparing with other entities. + format: double + maximum: 100 + minimum: 0 + type: number + calculation_run_id: + description: Unique identifier for the scoring run that produced this document. type: string - timeout: - description: Timeout in seconds. - minimum: 1 + category_1_count: + description: The number of risk input documents that contributed to the Category 1 score (`category_1_score`). + type: integer + category_1_score: + description: The contribution of Category 1 to the overall risk score (`calculated_score`). Category 1 contains Detection Engine Alerts. + format: double + type: number + category_2_count: type: integer + category_2_score: + format: double + type: number + criticality_level: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' + criticality_modifier: + format: double + type: number + id_field: + description: The identifier field defining this risk score. Coupled with `id_value`, uniquely identifies the entity being scored. + example: host.name + type: string + id_value: + description: The identifier value defining this risk score. Coupled with `id_field`, uniquely identifies the entity being scored. + example: example.host + type: string + inputs: + description: A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes. 
+ items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskScoreInput' + type: array + modifiers: + description: A list of modifiers that were applied to the risk score calculation. + items: + type: object + properties: + contribution: + format: double + type: number + metadata: + additionalProperties: true + type: object + modifier_value: + format: double + type: number + subtype: + type: string + type: + type: string + required: + - type + - contribution + type: array + notes: + items: + type: string + type: array + related_entities: + items: + type: object + properties: + entity_id: + type: string + relationship_type: + type: string + type: array + score_type: + description: Distinguishes base, propagated, and resolution scores. + enum: + - base + - propagated + - resolution + type: string required: - - cloudFile - Security_Endpoint_Management_API_Command: - description: The command for the response action + - '@timestamp' + - id_field + - id_value + - calculated_level + - calculated_score + - calculated_score_norm + - category_1_score + - category_1_count + - inputs + - notes + Security_Entity_Analytics_API_EntitySourceType: enum: - - isolate - - unisolate - - kill-process - - suspend-process - - running-processes - - get-file - - execute - - upload - - scan - - runscript - - cancel - - memory-dump - minLength: 1 + - index + - entity_analytics_integration + - store type: string - Security_Endpoint_Management_API_Commands: - description: A list of response action command names. - example: - - isolate - - unisolate - items: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Command' - maxItems: 50 - type: array - Security_Endpoint_Management_API_Comment: - description: Optional comment - example: This is a comment + Security_Entity_Analytics_API_EntityType: + description: The type of entity. 
+ enum: + - user + - host + - service + - generic type: string - Security_Endpoint_Management_API_DownloadUri: + Security_Entity_Analytics_API_Filter: type: object properties: - downloadUri: - description: > - The server relative URI to download the file associated with the - output of the response action. - - URI does **not** include the space prefix - example: /api/endpoint/action/497f6eca-6276/file/35645-6276-4993/download - format: uri-reference - type: string - Security_Endpoint_Management_API_EndDate: - description: An end date in ISO format or Date Math format. - example: '2023-10-31T23:59:59.999Z' - type: string - Security_Endpoint_Management_API_EndpointIds: - description: List of endpoint IDs (cannot contain empty strings). Max of 250. - example: - - endpoint-id-1 - - endpoint-id-2 - items: - minLength: 1 - type: string - maxItems: 250 - minItems: 1 - type: array - Security_Endpoint_Management_API_EndpointMetadataResponse: - example: - host_status: healthy - last_checkin: '2023-07-04T15:48:57.360Z' - metadata: - '@timestamp': '2023-07-04T15:48:57.3609346Z' - agent: - build: - original: >- - version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: - 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab - id: abb8a826-6812-448c-a571-6d8269b51449 - type: endpoint - version: 7.16.0 - data_stream: - dataset: endpoint.metadata - namespace: default - type: metrics - ecs: - version: 1.11.0 - elastic: - agent: - id: abb8a826-6812-448c-a571-6d8269b51449 - Endpoint: - capabilities: - - isolation - configuration: - isolation: false - policy: - applied: - endpoint_policy_version: '2' - id: d5371dcd-93b7-4627-af88-4084f7d6aa3e - name: test - status: success - version: '3' - state: - isolation: false - status: enrolled - event: - action: endpoint_metadata - agent_id_status: verified - category: - - host - created: '2023-07-04T15:48:57.3609346Z' - dataset: endpoint.metadata - id: MNtRc++KoKHXXwlj+++++OhZ - ingested: '2023-07-04T15:48:58Z' - kind: metric - module: 
endpoint - sequence: 43757 - type: - - info - host: - architecture: x86_64 - hostname: WinDev2104Eval - id: 17d9cabc-7edd-43bc-bacb-8da5f5e6c0e5 - ip: - - 10.0.2.15 - - fe80::21a6:63d3:d70e:e3ad - - 127.0.0.1 - - '::1' - mac: - - 08:00:27:b1:1d:5a - name: WinDev2104Eval - os: - Ext: - variant: Windows 10 Enterprise Evaluation - family: windows - full: Windows 10 Enterprise Evaluation 20H2 (10.0.19042.906) - kernel: 20H2 (10.0.19042.906) - name: Windows - platform: windows - type: windows - version: 20H2 (10.0.19042.906) - message: Endpoint metadata - policy_info: - agent: - applied: - id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 - revision: 3 - configured: - id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 - revision: 3 - endpoint: - id: d5371dcd-93b7-4627-af88-4084f7d6aa3e - revision: 2 + kuery: + oneOf: + - type: string + - type: object + Security_Entity_Analytics_API_GenericEntity: + additionalProperties: false + description: A generic entity record. Maps only the `entity` and `asset` namespaces. Add additional field mappings here as needed. + type: object + properties: + '@timestamp': + description: The time the entity record was last updated. + format: date-time + type: string + asset: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' + additionalProperties: false + entity: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' + required: + - entity + Security_Entity_Analytics_API_HostEntity: + additionalProperties: false + description: An entity record representing a host, stored in the Entity Store latest index. type: object - properties: {} - Security_Endpoint_Management_API_Execute: - allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - - type: object + properties: + '@timestamp': + description: The time the entity record was last updated. 
+ format: date-time + type: string + asset: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' + additionalProperties: false + entity: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' + event: + additionalProperties: false + type: object properties: - outputs: - additionalProperties: - type: object - properties: - content: - allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_DownloadUri - - type: object - properties: - code: - type: string - cwd: - type: string - output_file_id: - type: string - output_file_stderr_truncated: - type: boolean - output_file_stdout_truncated: - type: boolean - shell_code: - type: number - stderr: - type: string - stderr_truncated: - type: boolean - stdout: - type: string - stdout_truncated: - type: boolean - type: object - parameters: - type: object - properties: - command: - type: string - timeout: - type: number - Security_Endpoint_Management_API_ExecuteRouteRequestBody: - allOf: - - type: object + ingested: + description: When the event was ingested into Elasticsearch. + format: date-time + type: string + host: + additionalProperties: false + description: Elastic Common Schema (ECS) host fields collected on the entity. + type: object properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 + architecture: + description: Observed CPU architectures. items: - minLength: 1 type: string - maxItems: 50 - minItems: 1 type: array - case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. - example: - - case-id-1 - - case-id-2 + domain: + description: Observed host domains. 
items: - minLength: 1 type: string - maxItems: 50 - minItems: 1 type: array - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - - type: object - properties: - parameters: + entity: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' + hostname: + description: Observed hostnames. + items: + type: string + type: array + id: + description: Observed host IDs. + items: + type: string + type: array + ip: + description: Observed IP addresses. + items: + type: string + type: array + mac: + description: Observed MAC addresses. + items: + type: string + type: array + name: + description: Primary host name. + type: string + os: + additionalProperties: false + description: Elastic Common Schema (ECS) host.os fields collected on the entity latest index. type: object properties: - command: - description: The shell command to execute on the endpoint. - minLength: 1 + family: type: string - timeout: - description: >- - The maximum timeout value in seconds before the command is - terminated. - minimum: 1 - type: integer - required: - - command + full: + type: string + kernel: + type: string + name: + oneOf: + - type: string + - items: + type: string + type: array + platform: + type: string + type: + oneOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' + type: + description: Observed host types. 
+ items: + type: string + type: array required: - - parameters - Security_Endpoint_Management_API_GetEndpointActionListResponse: - example: - data: - - agents: - - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 - agentType: endpoint - command: running-processes - completedAt: '2022-08-08T09:50:47.672Z' - createdBy: elastic - id: b3d6de74-36b0-4fa8-be46-c375bf1771bf - isCompleted: true - isExpired: false - startedAt: '2022-08-08T15:24:57.402Z' - wasSuccessful: true - - agents: - - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 - agentType: endpoint - command: isolate - completedAt: '2022-08-08T10:41:57.352Z' - createdBy: elastic - id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3 - isCompleted: true - isExpired: false - startedAt: '2022-08-08T15:23:37.359Z' - wasSuccessful: true - - agents: - - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 - agentType: endpoint - command: kill-process - comment: bad process - taking up too much cpu - completedAt: '2022-08-08T09:44:50.952Z' - createdBy: elastic - id: 5bc92c86-b8e6-42dd-837f-12ad29e09caa - isCompleted: true - isExpired: false - startedAt: '2022-08-08T14:38:44.125Z' - wasSuccessful: true - - agents: - - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 - agentType: endpoint - command: unisolate - comment: Not a threat to the network - completedAt: '2022-08-08T09:40:47.398Z' - createdBy: elastic - id: 790d54e0-3aa3-4e5b-8255-3ce9d851246a - isCompleted: true - isExpired: false - startedAt: '2022-08-08T14:38:15.391Z' - wasSuccessful: true - elasticAgentIds: - - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 - endDate: now - page: 1 - pageSize: 10 - startDate: now-24h/h - total: 4 + - name + required: + - entity + Security_Entity_Analytics_API_IdField: + enum: + - host.name + - user.name + - service.name + - entity.id + type: string + Security_Entity_Analytics_API_IndexPattern: + description: An additional Elasticsearch index pattern to include as a source for entity data. Merged with the default data view indices when the engine runs. 
+ example: logs-* + type: string + Security_Entity_Analytics_API_InspectQuery: + description: Debug information about the Elasticsearch query executed. type: object properties: - agentTypes: - description: The list of agent types the query was filtered by. - items: - type: string - type: array - commands: - description: The list of commands the query was filtered by. + dsl: + description: Elasticsearch query DSL that was executed. items: type: string type: array - data: - description: The list of response actions. - items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - type: array - elasticAgentIds: - description: The list of elastic agent IDs the query was filtered by. + response: + description: Raw Elasticsearch responses. items: type: string type: array - endDate: - description: The end date filter applied to the query. - type: string - page: - description: The current page number. - type: integer - pageSize: - description: The number of items per page. - type: integer - startDate: - description: The start date filter applied to the query. + required: + - dsl + - response + Security_Entity_Analytics_API_Integrations: + type: object + properties: + syncData: + description: integrations latest full sync and update syncData + type: object + properties: + lastFullSync: + description: Timestamp of the last full sync from integrations + format: date-time + type: string + lastUpdateProcessed: + description: Timestamp of the last update processed from integrations + format: date-time + type: string + syncMarkerIndex: + description: Index to read latest sync markers from type: string - statuses: - description: The list of statuses the query was filtered by. - items: - type: string - type: array - total: - description: The total number of response actions matching the query. - type: integer - userIds: - description: The list of user IDs the query was filtered by. 
+ Security_Entity_Analytics_API_Interval: + description: Interval in which enrich policy runs. For example, `"1h"` means the rule runs every hour. Must be less than or equal to half the duration of the lookback period, + example: 1h + pattern: ^[1-9]\d*[smh]$ + type: string + Security_Entity_Analytics_API_Matcher: + type: object + properties: + fields: items: type: string type: array - Security_Endpoint_Management_API_GetFile: + values: + description: | + Matcher values. Must be either an array of strings (e.g. group or role names) or an array of booleans (e.g. integration-derived flags like privileged_group_member). Mixed types are intentionally not supported for simplicity and predictability. + oneOf: + - items: + type: string + type: array + - items: + type: boolean + type: array + required: + - fields + - values + Security_Entity_Analytics_API_Metadata: + $ref: '#/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata' + Security_Entity_Analytics_API_MonitoredUserDoc: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc' - type: object properties: - outputs: - additionalProperties: - type: object - properties: - content: - allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_DownloadUri - - type: object - properties: - code: - type: string - contents: - items: - type: object - properties: - file_name: - type: string - path: - type: string - sha256: - type: string - size: - type: number - type: - type: string - type: array - zip_size: - type: number + '@timestamp': + format: date-time + type: string + event: type: object - parameters: + properties: + '@timestamp': + format: date-time + type: string + ingested: + format: date-time + type: string + user: type: object properties: - path: + entity: + type: object + properties: + attributes: + type: object + properties: + Privileged: + description: 
Indicates if the user is privileged. + type: boolean + is_privileged: + description: Indicates if the user is privileged. + type: boolean + name: type: string - Security_Endpoint_Management_API_GetFileRouteRequestBody: - allOf: - - type: object + Security_Entity_Analytics_API_MonitoredUserUpdateDoc: + type: object + properties: + entity_analytics_monitoring: + type: object properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 + labels: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringLabel' + type: array + id: + type: string + labels: + type: object + properties: + source_ids: items: - minLength: 1 type: string - maxItems: 50 - minItems: 1 type: array - case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. - example: - - case-id-1 - - case-id-2 + source_integrations: items: - minLength: 1 type: string - maxItems: 50 - minItems: 1 type: array - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids + sources: + items: + enum: + - csv + - index_sync + - api + type: array + user: + type: object + properties: + is_privileged: + description: Indicates if the user is privileged. 
+ type: boolean + name: + type: string + Security_Entity_Analytics_API_MonitoringEngineDescriptor: + type: object + properties: + error: + type: object + properties: + message: + description: Error message typically only present if the engine is in error state + type: string + status: + $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus' + required: + - status + Security_Entity_Analytics_API_MonitoringEntitySource: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySourceProperties' - type: object properties: - parameters: - type: object - properties: - path: - description: The full file path to retrieve from the endpoint. - type: string - required: - - path + id: + type: string required: - - parameters - Security_Endpoint_Management_API_GetProcessesRouteRequestBody: + - type + - name + - id + - managed + Security_Entity_Analytics_API_MonitoringEntitySourceProperties: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties' + - type: object + properties: + managed: + type: boolean + Security_Entity_Analytics_API_MonitoringLabel: + type: object + properties: + field: + type: string + source: + type: string + value: + type: string + required: + - field + - value + - source + Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus: + description: The status of the Privilege Monitoring Engine + enum: + - started + - error + - disabled + - not_installed + type: string + Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem: + type: object + properties: + index: + nullable: true + type: integer + message: + type: string + username: + nullable: true + type: string + required: + - message + - index + - username + Security_Entity_Analytics_API_PrivmonUserCsvUploadStats: + type: object + properties: + failedOperations: + type: integer + successfulOperations: + type: integer + totalOperations: + type: integer + uploaded: + type: 
integer + required: + - successfulOperations + - uploaded + - failedOperations + - totalOperations + Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse: type: object properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - description: >- - If this action is associated with any alerts, they can be specified - here. The action will be logged in any cases associated with the - specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - case_ids: - description: The IDs of cases where the action taken will be logged. Max of 50. - example: - - case-id-1 - - case-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + full_error: + type: string + message: + type: string required: - - endpoint_ids - Security_Endpoint_Management_API_HostPathScriptParameters: + - message + - full_error + Security_Entity_Analytics_API_RiskEngineScheduleNowResponse: type: object properties: - commandLine: - description: Command line arguments. - minLength: 1 + success: + type: boolean + Security_Entity_Analytics_API_RiskScoreInput: + description: A generic representation of a document contributing to a Risk Score. + type: object + properties: + category: + description: The risk category of the risk input document. + example: category_1 type: string - hostPath: - description: Absolute or relative path of script on host machine. - minLength: 1 + contribution_score: + format: double + type: number + description: + description: A human-readable description of the risk input document. 
+ example: 'Generated from Detection Engine Rule: Malware Prevention Alert' + type: string + entity_id: + description: The EUID of the entity within the graph that generated this alert. + type: string + id: + description: The unique identifier (`_id`) of the original source document + example: 91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c + type: string + index: + description: The unique index (`_index`) of the original source document + example: .internal.alerts-security.alerts-default-000001 + type: string + risk_score: + description: The weighted risk score of the risk input document. + format: double + maximum: 100 + minimum: 0 + type: number + timestamp: + description: The @timestamp of the risk input document. + example: '2017-07-21T17:32:28Z' type: string - timeout: - description: Timeout in seconds. - minimum: 1 - type: integer required: - - hostPath - Security_Endpoint_Management_API_HostStatuses: - description: A set of agent health statuses to filter by. - example: - - healthy - - updating - items: - enum: - - healthy - - offline - - updating - - inactive - - unenrolled - type: string - maxItems: 20 - type: array - Security_Endpoint_Management_API_Isolate: - allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - - description: Details of an isolate action response. - type: object - Security_Endpoint_Management_API_IsolateRouteResponse: + - id + - index + - description + - category + Security_Entity_Analytics_API_ServiceEntity: + additionalProperties: false + description: An entity record representing a service, stored in the Entity Store latest index. type: object properties: - action: - description: The action ID (legacy field, same as `data.id`). + '@timestamp': + description: The time the entity record was last updated. 
+ format: date-time type: string - data: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - Security_Endpoint_Management_API_KillProcess: - allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - - type: object - properties: - outputs: - additionalProperties: - type: object - properties: - content: - oneOf: - - type: object - properties: - code: - type: string - command: - type: string - pid: - type: number - - type: object - properties: - code: - type: string - command: - type: string - entity_id: - type: string - - type: object - properties: - code: - type: string - command: - type: string - process_name: - type: string - type: object - parameters: - oneOf: - - type: object - properties: - pid: - description: The process ID (PID) of the process to terminate. - minimum: 1 - type: number - - type: object - properties: - entity_id: - description: The entity ID of the process to terminate. - minLength: 1 - type: string - - type: object - properties: - process_name: - description: >- - The name of the process to terminate. Valid for - SentinelOne agent type only. - type: string - Security_Endpoint_Management_API_KillProcessRouteRequestBody: - allOf: - - type: object + asset: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' + additionalProperties: false + entity: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' + event: + additionalProperties: false + type: object properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. 
- example: - - alert-id-1 - - alert-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. - example: - - case-id-1 - - case-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - - type: object + ingested: + description: When the event was ingested into Elasticsearch. + format: date-time + type: string + service: + additionalProperties: false + description: Elastic Common Schema (ECS) service fields collected on the entity. + type: object properties: - parameters: - oneOf: - - type: object - properties: - pid: - description: The process ID (PID) of the process to terminate. - example: 123 - minimum: 1 - type: integer - - type: object - properties: - entity_id: - description: The entity ID of the process to terminate. - example: abc123 - minLength: 1 - type: string - - type: object - properties: - process_name: - description: >- - The name of the process to terminate. Valid for - SentinelOne agent type only. - example: Elastic - minLength: 1 - type: string + entity: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' + name: + description: Primary service name. + type: string + risk: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' required: - - parameters - Security_Endpoint_Management_API_Kuery: - description: A KQL string. - example: 'united.endpoint.host.os.name : ''Windows''' + - name + required: + - entity + Security_Entity_Analytics_API_StoreStatus: + description: The overall operational status of the Entity Store. 
+ enum: + - not_installed + - installing + - running + - stopped + - error type: string - Security_Endpoint_Management_API_MDERunScriptParameters: - description: >- - Parameters for Run Script response action against Microsoft Defender - Endpoint agent type. - example: - agent_type: microsoft_defender_endpoint - endpoint_ids: - - endpoint-id-1 - parameters: - args: '-param1 value1 -param2 value2' - scriptName: my-script.ps1 + Security_Entity_Analytics_API_TaskManagerUnavailableResponse: + description: Task manager is unavailable + type: object properties: - args: - description: Optional command line arguments for the script. - minLength: 1 - type: string - scriptName: - description: The name of the script to execute from the cloud storage. - minLength: 1 + message: type: string + status_code: + minimum: 400 + type: integer required: - - scriptName - title: Microsoft Defender Endpoint Run Script Parameters + - status_code + - message + Security_Entity_Analytics_API_TransformStatsMetadata: + description: Statistics from the underlying Elasticsearch transform. type: object - Security_Endpoint_Management_API_MemoryDump: - allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - - type: object + properties: + delete_time_in_ms: + description: Total time spent deleting documents, in milliseconds. + type: integer + documents_deleted: + description: Total number of documents deleted from the destination index. + type: integer + documents_indexed: + description: Total number of documents written to the destination index. + type: integer + documents_processed: + description: Total number of source documents processed. + type: integer + exponential_avg_checkpoint_duration_ms: + description: Exponential moving average of checkpoint duration, in milliseconds. + type: integer + exponential_avg_documents_indexed: + description: Exponential moving average of documents indexed per checkpoint. 
+ type: integer + exponential_avg_documents_processed: + description: Exponential moving average of documents processed per checkpoint. + type: integer + index_failures: + description: Total number of failed index operations. + type: integer + index_time_in_ms: + description: Total time spent indexing documents, in milliseconds. + type: integer + index_total: + description: Total number of index operations. + type: integer + pages_processed: + description: Number of composite aggregation pages processed. + type: integer + processing_time_in_ms: + description: Total time spent processing results, in milliseconds. + type: integer + processing_total: + description: Total number of processing operations. + type: integer + search_failures: + description: Total number of failed search operations. + type: integer + search_time_in_ms: + description: Total time spent on search queries, in milliseconds. + type: integer + search_total: + description: Total number of search operations. + type: integer + trigger_count: + description: Number of times the transform has been triggered. 
+ type: integer + required: + - pages_processed + - documents_processed + - documents_indexed + - trigger_count + - index_time_in_ms + - index_total + - index_failures + - search_time_in_ms + - search_total + - search_failures + - processing_time_in_ms + - processing_total + - exponential_avg_checkpoint_duration_ms + - exponential_avg_documents_indexed + - exponential_avg_documents_processed + Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties: + type: object + properties: + enabled: + type: boolean + filter: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Filter' + identifierField: + description: Field used to query the entity store for index-type sources + type: string + indexPattern: + type: string + integrationName: + type: string + integrations: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Integrations' + matchers: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Matcher' + type: array + name: + type: string + queryRule: + description: KQL query used to filter data from the provided index patterns + type: string + range: + $ref: '#/components/schemas/Security_Entity_Analytics_API_DateRange' + type: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitySourceType' + Security_Entity_Analytics_API_UserEntity: + additionalProperties: false + description: An entity record representing a user, stored in the Entity Store latest index. + type: object + properties: + '@timestamp': + description: The time the entity record was last updated. 
+ format: date-time + type: string + asset: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' + additionalProperties: false + entity: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' + event: + additionalProperties: false + type: object properties: - outputs: - additionalProperties: - type: object - properties: - content: - properties: - code: - type: string - disk_free_space: - description: >- - The free space on the host machine in bytes after the - memory dump is written to disk - type: number - file_size: - description: The size of the memory dump compressed file in bytes - type: string - path: - description: >- - The path to the memory dump compressed file on the - host machine - type: string - title: Memory dump output - type: object - type: object - parameters: - oneOf: - - properties: - type: - description: Kernel-level memory dump - enum: - - kernel - type: string - required: - - type - title: Kernel memory dump - type: object - - properties: - pid: - description: The process ID (PID) - type: number - type: - description: Process-level memory dump using a process ID - enum: - - process - type: string - required: - - type - - pid - title: Process memory dump with PID - type: object - - properties: - entity_id: - description: The process entity ID - type: string - type: - description: Process-level memory dump using an entity ID - enum: - - process - type: string - required: - - type - - entity_id - title: Process memory dump with entity ID - type: object - required: - - parameters - Security_Endpoint_Management_API_MemoryDumpRouteRequestBody: - allOf: - - type: object + ingested: + description: When the event was ingested into Elasticsearch. + format: date-time + type: string + user: + additionalProperties: false + description: Elastic Common Schema (ECS) user fields collected on the entity. 
+ type: object properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 + domain: + description: Observed user domains. + items: + type: string + type: array + email: + description: Observed email addresses. + items: + type: string + type: array + full_name: + description: Observed full names of the user. + items: + type: string + type: array + hash: + description: Observed user hashes. + items: + type: string + type: array + id: + description: Observed user IDs. items: - minLength: 1 type: string - maxItems: 50 - minItems: 1 type: array - case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. - example: - - case-id-1 - - case-id-2 + name: + description: Primary user name. + type: string + risk: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' + additionalProperties: false + roles: + description: Observed roles assigned to the user. items: - minLength: 1 type: string - maxItems: 50 - minItems: 1 type: array - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - - type: object - properties: - parameters: - oneOf: - - description: Dump the entire kernel memory. - type: object - properties: - type: - enum: - - kernel - type: string - required: - - type - - description: Dump the entire memory of a process using the PID. 
- type: object - properties: - pid: - type: number - type: - enum: - - process - type: string - required: - - type - - pid - - description: Dump the entire memory of a process using the entity ID. - type: object - properties: - entity_id: - type: string - type: - enum: - - process - type: string - required: - - type - - entity_id required: - - parameters - Security_Endpoint_Management_API_MetadataListResponse: - example: - data: - - host_status: healthy - last_checkin: '2023-07-04T15:47:57.432Z' - metadata: - '@timestamp': '2023-07-04T15:47:57.432173535Z' - agent: - build: - original: >- - version: 7.16.0, compiled: Tue Nov 16 16:00:00 2021, branch: - 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab - id: 285297c6-3bff-4b83-9a07-f3e749801123 - type: endpoint - version: 7.16.0 - data_stream: - dataset: endpoint.metadata - namespace: default - type: metrics - ecs: - version: 1.11.0 - elastic: - agent: - id: 285297c6-3bff-4b83-9a07-f3e749801123 - Endpoint: - capabilities: - - isolation - configuration: - isolation: false - policy: - applied: - endpoint_policy_version: '2' - id: d5371dcd-93b7-4627-af88-4084f7d6aa3e - name: test - status: success - version: '3' - state: - isolation: false - status: enrolled - event: - action: endpoint_metadata - agent_id_status: verified - category: - - host - created: '2023-07-04T15:47:57.432173535Z' - dataset: endpoint.metadata - id: MNtSXK/SkhEBnmgt++++++7S - ingested: '2023-07-04T15:47:58Z' - kind: metric - module: endpoint - sequence: 400 - type: - - info - host: - architecture: x86_64 - hostname: david-Xubuntu - id: 0cfead88e2024bd8a27476352b5ab264 - ip: - - 127.0.0.1 - - '::1' - - 10.0.2.15 - - fe80::2ac7:8e15:b957:2fa1 - mac: - - 08:00:27:e6:78:8b - name: david-Xubuntu - os: - Ext: - variant: Ubuntu - family: ubuntu - full: Ubuntu 20.04.2 - kernel: >- - 5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 - UTC 2021 - name: Linux - platform: ubuntu - type: linux - version: 20.04.2 - message: Endpoint metadata - 
policy_info: - agent: - applied: - id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 - revision: 0 - configured: - id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 - revision: 3 - endpoint: - id: d5371dcd-93b7-4627-af88-4084f7d6aa3e - revision: 2 - - host_status: healthy - last_checkin: '2023-07-04T15:44:31.491Z' - metadata: - '@timestamp': '2023-07-04T15:44:31.4917849Z' - agent: - build: - original: >- - version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: - 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab - id: abb8a826-6812-448c-a571-6d8269b51449 - type: endpoint - version: 7.16.0 - data_stream: - dataset: endpoint.metadata - namespace: default - type: metrics - ecs: - version: 1.11.0 - elastic: - agent: - id: abb8a826-6812-448c-a571-6d8269b51449 - Endpoint: - capabilities: - - isolation - configuration: - isolation: false - policy: - applied: - endpoint_policy_version: '2' - id: d5371dcd-93b7-4627-af88-4084f7d6aa3e - name: test - status: success - version: '3' - state: - isolation: false - status: enrolled - event: - action: endpoint_metadata - agent_id_status: verified - category: - - host - created: '2023-07-04T15:44:31.4917849Z' - dataset: endpoint.metadata - id: MNtRc++KoKHXXwlj+++++/N9 - ingested: '2023-07-04T15:44:33Z' - kind: metric - module: endpoint - sequence: 5159 - type: - - info - host: - architecture: x86_64 - hostname: WinDev2104Eval - id: 17d9cabc-7edd-43bc-bacb-8da5f5e6c0e5 - ip: - - 10.0.2.15 - - fe80::21a6:63d3:d70e:e3ad - - 127.0.0.1 - - '::1' - mac: - - 08:00:27:b1:1d:5a - name: WinDev2104Eval - os: - Ext: - variant: Windows 10 Enterprise Evaluation - family: windows - full: Windows 10 Enterprise Evaluation 20H2 (10.0.19042.906) - kernel: 20H2 (10.0.19042.906) - name: Windows - platform: windows - type: windows - version: 20H2 (10.0.19042.906) - message: Endpoint metadata - policy_info: - agent: - applied: - id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 - revision: 0 - configured: - id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 - revision: 3 - endpoint: 
- id: d5371dcd-93b7-4627-af88-4084f7d6aa3e - revision: 2 - page: 0 - pageSize: 10 - sortDirection: desc - sortField: enrolled_at - total: 2 - type: object - properties: {} - Security_Endpoint_Management_API_Page: - default: 1 - description: Page number - example: 1 - minimum: 1 - type: integer - Security_Endpoint_Management_API_PageSize: - default: 10 - description: Number of items per page - example: 10 - maximum: 100 - minimum: 1 - type: integer - Security_Endpoint_Management_API_Parameters: - description: Parameters object + - name + required: + - entity + Security_Entity_Analytics_API_UserName: type: object - Security_Endpoint_Management_API_PendingActionDataType: - description: Number of pending actions of this type. - type: integer - Security_Endpoint_Management_API_PendingActionsSchema: - oneOf: - - type: object + properties: + entity_analytics_monitoring: + description: Entity analytics monitoring configuration for the user + type: object properties: - execute: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - description: Number of pending execute actions. - get-file: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - description: Number of pending get-file actions. - isolate: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - description: Number of pending isolate actions. - kill-process: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - description: Number of pending kill-process actions. - running-processes: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - description: Number of pending running-processes (get processes) actions. - scan: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - description: Number of pending scan actions. 
- suspend-process: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - description: Number of pending suspend-process actions. - unisolate: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - description: Number of pending unisolate (release) actions. - upload: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - description: Number of pending upload actions. - - additionalProperties: true + labels: + description: Array of labels associated with the user + items: + type: object + properties: + field: + description: The field name for the label + type: string + source: + description: The source where this label was created (api, csv, or index_sync) + enum: + - api + - csv + - index_sync + type: string + value: + description: The value of the label + type: string + type: array + user: type: object - Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse: + properties: + name: + description: The name of the user. + type: string + Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem: + example: + matchedEntities: 1 + status: success type: object properties: - note: - description: >- - A note associated with the protection updates for the given package - policy. + error: + description: Error message if the row failed to process + example: Invalid entity type type: string - Security_Endpoint_Management_API_RawScriptParameters: + matchedEntities: + description: Number of entities matched for this row + example: 1 + type: integer + status: + enum: + - success + - failure + - unmatched + example: success + type: string + required: + - status + - matchedEntities + Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem: + example: + euid: user:john.doe + status: success type: object properties: - commandLine: - description: Command line arguments. 
- minLength: 1 + error: + description: Error message if the entity failed to process + example: Invalid entity type type: string - raw: - description: Raw script content. - minLength: 1 + euid: + description: The EUID of the entity + example: user:john.doe + type: string + status: + enum: + - success + - failure + - not_found + example: success type: string - timeout: - description: Timeout in seconds. - minimum: 1 - type: integer required: - - raw - Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse: + - euid + - status + Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem: example: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: __agent__type__here_ - command: __command__name__here__ - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: {} - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + euid: user:john.doe + status: success type: object properties: - data: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - Security_Endpoint_Management_API_ResponseActionDetails: + error: + description: Error message if the entity failed to process + example: Invalid entity type + type: string + euid: + description: The EUID of the entity + example: user:john.doe + type: string + status: + enum: + - success + - failure + - not_found + example: success + type: string + required: + - euid + - status + Security_Entity_Analytics_API_WatchlistObject: + example: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + type: object + properties: + createdAt: + 
description: Timestamp indicating when the watchlist was created + format: date-time + type: string + description: + description: Description of the watchlist + type: string + entityCount: + description: Number of entities in the watchlist + type: number + entitySourceIds: + description: List of entity source IDs associated with the watchlist + items: + type: string + type: array + id: + description: The unique ID of the watchlist + type: string + managed: + description: Indicates if the watchlist is managed by the system + type: boolean + name: + description: The name of the watchlist + type: string + riskModifier: + description: Risk score modifier associated with the watchlist + type: number + updatedAt: + description: Timestamp indicating when the watchlist was last updated + format: date-time + type: string + required: + - name + - riskModifier + - managed + Security_Exceptions_API_BlocklistHashOrPathEntry: + type: object + properties: + field: + description: File hash or path field + enum: + - file.hash.md5 + - file.hash.sha1 + - file.hash.sha256 + - file.path + - file.path.caseless + type: string + operator: + description: Must be the value "included" + enum: + - included + type: string + type: + description: Must be match_any for blocklists + enum: + - match_any + type: string + value: + description: Array of hash values or file paths + items: + type: string + minItems: 1 + type: array + required: + - field + - type + - value + - operator + Security_Exceptions_API_BlocklistLinuxProperties: + description: Blocklist list item properties (Linux, code signature not supported). 
+ type: object + properties: + entries: + description: | + **Validation rules:** + * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) + * Path entry: only 1 allowed + items: + $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry' + minItems: 1 + type: array + list_id: + enum: + - endpoint_blocklists + example: endpoint_blocklists + type: string + os_types: + description: Linux-only + items: + enum: + - linux + type: string + maxItems: 1 + minItems: 1 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_BlocklistMacProperties: + description: Blocklist list item properties (macOS, code signature not supported). type: object properties: - agents: - description: The agent IDs for the hosts that the response action was sent to + entries: + description: | + **Validation rules:** + * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) + * Path entry: only 1 allowed items: - format: uuid + $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry' + minItems: 1 + type: array + list_id: + enum: + - endpoint_blocklists + example: endpoint_blocklists + type: string + os_types: + description: macOS-only + items: + enum: + - macos type: string + maxItems: 1 + minItems: 1 type: array - agentState: - additionalProperties: - format: uuid + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry: + type: object + properties: + entries: + description: Nested subject_name entries + items: type: object properties: - completedAt: - description: >- - The date and time the response action was completed for the - agent ID + field: + description: Certificate subject name + enum: + - subject_name type: string - isCompleted: - description: Whether the response action is completed for the agent ID - type: boolean - 
wasSuccessful: - description: Whether the response action was successful for the agent ID - type: boolean - description: >- - The state of the response action for each agent ID that it was sent - to - type: object - agentType: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - command: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Command' - completedAt: - description: The response action completion time - format: date-time - type: string - createdBy: - description: The user who created the response action - type: string - hosts: - additionalProperties: - format: uuid - type: object - properties: - name: - description: The host name + operator: + description: Must be the value "included" + enum: + - included type: string - description: >- - An object containing the host names associated with the agent IDs - the response action was sent to - type: object - id: - description: The response action ID - format: uuid - type: string - isComplete: - description: Whether the response action is complete - type: boolean - isExpired: - description: Whether the response action is expired - type: boolean - outputs: - additionalProperties: - description: The agent id - format: uuid - properties: - content: - description: >- - The response action output content for the agent ID. Exact - format depends on the response action command. - oneOf: - - type: object - - type: string type: + description: Match type for subject name enum: - - json - - text + - match + - match_any type: string + value: + oneOf: + - description: Single subject name (used with match) + type: string + - description: Array of subject names (used with match_any) + items: + type: string + minItems: 1 + type: array required: + - field - type - - content - title: Agent ID - type: object - description: > - The outputs of the response action for each agent ID that it was - sent to. 
Content different depending on the - - response action command and will only be present for agents that - have responded to the response action - type: object - parameters: - description: >- - The parameters of the response action. Content different depending - on the response action command - type: object - startedAt: - description: The response action start time - format: date-time + - value + - operator + minItems: 1 + type: array + field: + description: Windows code signature field + enum: + - file.Ext.code_signature type: string - status: - description: The response action status + type: + description: Must be nested for Windows code signature + enum: + - nested type: string - wasSuccessful: - description: Whether the response action was successful - type: boolean required: - - command - Security_Endpoint_Management_API_RunningProcesses: - allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - - type: object - properties: - outputs: - additionalProperties: - type: object - properties: - content: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputEndpoint - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne - type: object - Security_Endpoint_Management_API_RunningProcessesOutputEndpoint: - description: Processes output for `agentType` of `endpoint` + - field + - type + - entries + Security_Exceptions_API_BlocklistWindowsProperties: + description: Blocklist list item properties (Windows, supports code signature). 
type: object properties: - code: - type: string entries: + description: | + **Validation rules:** + * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) + * Path entry: only 1 allowed + * Code signature entry: only 1 allowed items: - type: object - properties: - command: - type: string - entity_id: - type: string - pid: - type: number - user: - type: string + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry' + minItems: 1 type: array - Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne: - allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' - - description: Processes output for `agentType` of `sentinel_one` - type: object - properties: - code: - type: string - Security_Endpoint_Management_API_Runscript: - allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - - type: object - properties: - outputs: - additionalProperties: - type: object - properties: - content: - allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_DownloadUri - - type: object - properties: - code: - type: string - stderr: - type: string - stdout: - type: string - type: object - parameters: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunscriptParamsCrowdStrike - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunscriptParamsMicrosoft - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunscriptParamsSentinelOne - Security_Endpoint_Management_API_RunscriptParamsCrowdStrike: - type: object - properties: - cloudFile: - type: string - commandLine: - type: string - hostPath: - type: string - raw: - type: string - timeout: - type: number - Security_Endpoint_Management_API_RunscriptParamsMicrosoft: - type: object - properties: - args: - type: string - scriptName: - type: string - 
Security_Endpoint_Management_API_RunscriptParamsSentinelOne: - type: object - properties: - scriptId: - type: string - scriptInput: - type: string - Security_Endpoint_Management_API_RunScriptRouteRequestBody: - allOf: - - type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. - example: - - case-id-1 - - case-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - - type: object - properties: - parameters: - description: | - One of the following set of parameters must be provided - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RawScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_HostPathScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_CloudFileScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SentinelOneRunScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_MDERunScriptParameters - required: - - parameters - Security_Endpoint_Management_API_Scan: - allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - - type: object - properties: - outputs: - 
additionalProperties: - type: object - properties: - content: - type: object - properties: - code: - type: string - type: object - parameters: - type: object - properties: - path: - type: string - Security_Endpoint_Management_API_ScanRouteRequestBody: - allOf: - - type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. - example: - - case-id-1 - - case-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - - type: object - properties: - parameters: - type: object - properties: - path: - description: The folder or file's full path (including the file name). - example: /usr/my-file.txt - type: string - required: - - path - required: - - parameters - Security_Endpoint_Management_API_SentinelOneRunScriptParameters: - description: >- - Parameters for Run Script response action against SentinelOne agent - type. - example: - agent_type: sentinel_one - endpoint_ids: - - endpoint-id-1 - parameters: - scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 - scriptInput: '--delete --paths-to-delete /tmp/temp_file.txt,/tmp/random_file.txt' - properties: - scriptId: - description: >- - The script ID from SentinelOne scripts library that will be - executed. 
- minLength: 1 - type: string - scriptInput: - description: The input parameter arguments for the script that was selected. - minLength: 1 + list_id: + enum: + - endpoint_blocklists + example: endpoint_blocklists type: string + os_types: + description: Windows-only + items: + enum: + - windows + type: string + maxItems: 1 + minItems: 1 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - - scriptId - title: SentinelOne Run Script Parameters - type: object - Security_Endpoint_Management_API_SortDirection: - description: Determines the sort order. - enum: - - asc - - desc - example: desc - type: string - Security_Endpoint_Management_API_SortField: - description: Determines which field is used to sort the results. - enum: - - enrolled_at - - metadata.host.hostname - - host_status - - metadata.Endpoint.policy.applied.name - - metadata.Endpoint.policy.applied.status - - metadata.host.os.name - - metadata.host.ip - - metadata.agent.version - - last_checkin - example: enrolled_at - type: string - Security_Endpoint_Management_API_StartDate: - description: A start date in ISO 8601 format or Date Math format. - example: '2023-10-31T00:00:00.000Z' - type: string - Security_Endpoint_Management_API_SuccessResponse: - description: A generic successful response. 
+ - list_id + Security_Exceptions_API_CreateExceptionListItemBase: type: object - Security_Endpoint_Management_API_SuspendProcess: - allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - - type: object - properties: - outputs: - additionalProperties: - type: object - properties: - content: - oneOf: - - type: object - properties: - code: - type: string - command: - type: string - pid: - type: number - - type: object - properties: - code: - type: string - command: - type: string - entity_id: - type: string - type: object - parameters: - oneOf: - - type: object - properties: - pid: - description: The process ID (PID) of the process to terminate. - minimum: 1 - type: number - - type: object - properties: - entity_id: - description: The entity ID of the process to terminate. - minLength: 1 - type: string - Security_Endpoint_Management_API_SuspendProcessRouteRequestBody: - allOf: - - type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. 
- example: - - case-id-1 - - case-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - - type: object - properties: - parameters: - oneOf: - - type: object - properties: - pid: - description: The process ID (PID) of the process to suspend. - example: 123 - minimum: 1 - type: integer - - type: object - properties: - entity_id: - description: The entity ID of the process to suspend. - example: abc123 - minLength: 1 - type: string - required: - - parameters - Security_Endpoint_Management_API_Type: - description: Type of response action - enum: - - automated - - manual - type: string - Security_Endpoint_Management_API_Types: - description: List of types of response actions - example: - - automated - - manual + properties: + comments: + $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray' + default: [] + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' + expire_time: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' + item_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' + required: + - type + - name + - description + Security_Exceptions_API_CreateExceptionListItemBlocklistLinux: + allOf: + - $ref: 
'#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties' + Security_Exceptions_API_CreateExceptionListItemBlocklistMac: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties' + Security_Exceptions_API_CreateExceptionListItemBlocklistWindows: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties' + Security_Exceptions_API_CreateExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + required: + - comment + Security_Exceptions_API_CreateExceptionListItemCommentArray: items: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Type' - maxLength: 2 - minLength: 1 + $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment' type: array - Security_Endpoint_Management_API_Unisolate: + Security_Exceptions_API_CreateExceptionListItemEndpointList: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - - description: Details of an unisolate action response. + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties' + Security_Exceptions_API_CreateExceptionListItemEventFilters: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties' + Security_Exceptions_API_CreateExceptionListItemGeneric: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - example: + description: This is a sample detection type exception item. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple type: object - Security_Endpoint_Management_API_UnisolateRouteResponse: + properties: + entries: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + os_types: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' + default: [] + required: + - list_id + - entries + Security_Exceptions_API_CreateExceptionListItemHostIsolation: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties' + Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties' + Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties' + Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties' + Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - 
$ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties' + Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties' + Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties' + Security_Exceptions_API_CreateRuleExceptionListItemComment: type: object properties: - action: - description: The action ID (legacy field, same as `data.id`). + comment: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + required: + - comment + Security_Exceptions_API_CreateRuleExceptionListItemCommentArray: + items: + $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment' + type: array + Security_Exceptions_API_CreateRuleExceptionListItemProps: + type: object + properties: + comments: + $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray' + default: [] + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' + entries: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' + expire_time: + format: date-time type: string - data: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - Security_Endpoint_Management_API_Upload: - allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails - - type: object - properties: - outputs: - additionalProperties: - type: object - properties: - content: - type: object - properties: - code: - type: string - disk_free_space: - type: number - path: - type: string - type: object - parameters: - description: > - 
The parameters for upload returned on the details are derived - via the API from the file that + item_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + os_types: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' + default: [] + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' + required: + - type + - name + - description + - entries + Security_Exceptions_API_EndpointArtifactTags: + default: [] + description: | + Tags for categorization. Special tags for scope control: + * `"policy:all"` - Global artifact (applies to all Elastic Defend policies) + * `"policy:"` - Private artifact (applies to specific Elastic Defend policy only, where `` is the Elastic Defend integration policy ID) + items: + type: string + type: array + Security_Exceptions_API_EndpointListProperties: + description: Elastic Endpoint exception list item properties. + type: object + properties: + entries: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' + description: | + Exception entries for endpoint security exceptions (used to prevent detection rule alerts). 
- was uploaded at the time that the response action was submitted - type: object - properties: - file_id: - type: string - file_name: - type: string - file_sha256: - type: string - file_size: - type: number - Security_Endpoint_Management_API_UploadRouteRequestBody: - allOf: - - type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. - example: - - case-id-1 - - case-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - - type: object - properties: - file: - description: The binary content of the file. - example: RWxhc3RpYw== - format: binary - type: string - parameters: - type: object - properties: - overwrite: - default: false - description: Overwrite the file on the host if it already exists. - example: false - type: boolean - required: - - parameters - - file - Security_Endpoint_Management_API_UserIds: - description: A list of user IDs. Max of 50. - example: - - user-id-1 - - user-id-2 - oneOf: - - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - - minLength: 1 + **Fully flexible:** Supports any field name for maximum compatibility with detection rules. No field restrictions are enforced. 
+ list_id: + enum: + - endpoint_list + example: endpoint_list type: string - Security_Endpoint_Management_API_WithOutputs: - description: >- - A list of action IDs that should include the complete output of the - action. Max of 50. - example: - - action-id-1 - - action-id-2 - oneOf: - - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - - minLength: 1 + os_types: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_EventFiltersProperties: + description: Event filters list item properties. + type: object + properties: + entries: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' + description: | + Exception entries for the event filter. + + **Flexible field support:** Any event field name is allowed (e.g., `process.name`, `file.path`, `event.action`, `dns.question.name`, etc.) + + **Minimum requirement:** At least 1 entry required + list_id: + enum: + - endpoint_event_filters + example: endpoint_event_filters type: string - Security_Entity_Analytics_API_Asset: - additionalProperties: false - description: Asset metadata associated with the entity. + os_types: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_ExceptionList: type: object properties: - business_unit: - description: Business unit the asset belongs to. + _version: + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string - criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel - description: The criticality level assigned to this asset. 
- nullable: true - environment: - description: Deployment environment (for example, production, staging). + created_at: + description: Autogenerated date of object creation. + format: date-time + type: string + created_by: + description: Autogenerated value - user that created object. type: string + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' id: - description: Unique identifier for the asset. + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + immutable: + type: boolean + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + os_types: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' + tie_breaker_id: + description: Field used in search to ensure all containers are sorted and returned correctly. type: string - model: - description: Model name or number. + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' + updated_at: + description: Autogenerated date of last object update. + format: date-time + type: string + updated_by: + description: Autogenerated value - user that last updated object. + type: string + version: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' + required: + - id + - list_id + - type + - name + - description + - immutable + - namespace_type + - version + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Exceptions_API_ExceptionListDescription: + description: Describes the exception list. + example: This list tracks allowlisted values. 
+ type: string + Security_Exceptions_API_ExceptionListHumanId: + description: | + The exception list's human-readable string identifier. + + For endpoint artifacts, use one of the following values: + + * `endpoint_list`: [Elastic Endpoint exception list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) + * `endpoint_trusted_apps`: [Trusted applications list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) + * `endpoint_trusted_devices`: [Trusted devices list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) + * `endpoint_event_filters`: [Event filters list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) + * `endpoint_host_isolation_exceptions`: [Host isolation exceptions list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) + * `endpoint_blocklists`: [Blocklists list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) + example: simple_list + format: nonempty + minLength: 1 + type: string + Security_Exceptions_API_ExceptionListId: + description: Exception list's identifier. + example: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + format: nonempty + minLength: 1 + type: string + Security_Exceptions_API_ExceptionListItem: + type: object + properties: + _version: + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. + type: string + comments: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray' + created_at: + description: Autogenerated date of object creation. + format: date-time + type: string + created_by: + description: Autogenerated value - user that created object. 
type: string + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' + entries: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' + expire_time: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' + id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + item_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' name: - description: Human-readable asset name. + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + os_types: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' + tie_breaker_id: + description: Field used in search to ensure all containers are sorted and returned correctly. type: string - owner: - description: The owner of the asset. + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' + updated_at: + description: Autogenerated date of last object update. + format: date-time type: string - serial_number: - description: Serial number of the asset. + updated_by: + description: Autogenerated value - user that last updated object. type: string - vendor: - description: Vendor or manufacturer. 
+ required: + - id + - item_id + - list_id + - type + - name + - description + - entries + - namespace_type + - comments + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Exceptions_API_ExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + created_at: + description: Autogenerated date of object creation. + format: date-time + type: string + created_by: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + id: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + updated_at: + description: Autogenerated date of last object update. + format: date-time + type: string + updated_by: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + required: + - id + - comment + - created_at + - created_by + Security_Exceptions_API_ExceptionListItemCommentArray: + description: | + Array of comment fields: + + - comment (string): Comments about the exception item. + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemComment' + type: array + Security_Exceptions_API_ExceptionListItemDescription: + description: Describes the exception list. 
+ type: string + Security_Exceptions_API_ExceptionListItemEntry: + anyOf: + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard' + discriminator: + propertyName: type + Security_Exceptions_API_ExceptionListItemEntryArray: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntry' + type: array + Security_Exceptions_API_ExceptionListItemEntryExists: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + operator: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' + type: + enum: + - exists + type: string + required: + - type + - field + - operator + Security_Exceptions_API_ExceptionListItemEntryList: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + list: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Exceptions_API_ListId' + type: + $ref: '#/components/schemas/Security_Exceptions_API_ListType' + required: + - id + - type + operator: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' + type: + enum: + - list + type: string + required: + - type + - field + - list + - operator + Security_Exceptions_API_ExceptionListItemEntryMatch: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + operator: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' + type: + enum: + - match + type: string + 
value: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + required: + - type + - field + - value + - operator + Security_Exceptions_API_ExceptionListItemEntryMatchAny: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + operator: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' + type: + enum: + - match_any type: string - Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem: + value: + items: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + minItems: 1 + type: array + required: + - type + - field + - value + - operator + Security_Exceptions_API_ExceptionListItemEntryMatchWildcard: type: object properties: - index: - type: integer - message: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + operator: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' + type: + enum: + - wildcard type: string + value: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' required: - - message - - index - Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats: + - type + - field + - value + - operator + Security_Exceptions_API_ExceptionListItemEntryNested: type: object properties: - failed: - type: integer - successful: - type: integer - total: - type: integer + entries: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem' + minItems: 1 + type: array + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + type: + enum: + - nested + type: string required: - - successful - - failed - - total - Security_Entity_Analytics_API_AssetCriticalityLevel: - description: The criticality level of the asset. 
+ - type + - field + - entries + Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists' + Security_Exceptions_API_ExceptionListItemEntryOperator: enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact + - excluded + - included type: string - Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload: - description: >- - The criticality level of the asset for bulk upload. The value - `unassigned` is used to indicate that the criticality level is not - assigned and is only used for bulk upload. + Security_Exceptions_API_ExceptionListItemExpireTime: + description: The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions. + format: date-time + type: string + Security_Exceptions_API_ExceptionListItemHumanId: + description: Human readable string identifier, e.g. `trusted-linux-processes` + example: simple_list_item + format: nonempty + minLength: 1 + type: string + Security_Exceptions_API_ExceptionListItemId: + description: Exception's identifier. + example: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + format: nonempty + minLength: 1 + type: string + Security_Exceptions_API_ExceptionListItemMeta: + additionalProperties: true + type: object + Security_Exceptions_API_ExceptionListItemName: + description: Exception list name. + format: nonempty + minLength: 1 + type: string + Security_Exceptions_API_ExceptionListItemOsTypeArray: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' + type: array + Security_Exceptions_API_ExceptionListItemTags: + items: + description: String array containing words and phrases to help categorize exception items. 
+ format: nonempty + minLength: 1 + type: string + type: array + Security_Exceptions_API_ExceptionListItemType: enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - - unassigned + - simple type: string - Security_Entity_Analytics_API_AssetCriticalityRecord: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts - - type: object - properties: - '@timestamp': - description: The time the record was created or updated. - example: '2017-07-21T17:32:28Z' - format: date-time - type: string - required: - - '@timestamp' - example: - '@timestamp': '2024-08-02T11:15:34.290Z' - asset: - criticality: high_impact - criticality_level: high_impact - host: - asset: - criticality: high_impact - name: my_host - id_field: host.name - id_value: my_host - Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts: + Security_Exceptions_API_ExceptionListMeta: + additionalProperties: true + description: Placeholder for metadata about the list container. + type: object + Security_Exceptions_API_ExceptionListName: + description: The name of the exception list. + example: My exception list + type: string + Security_Exceptions_API_ExceptionListOsType: + description: Use this field to specify the operating system. + enum: + - linux + - macos + - windows + type: string + Security_Exceptions_API_ExceptionListOsTypeArray: + description: Use this field to specify the operating system. Only enter one value. 
+ items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' + type: array + Security_Exceptions_API_ExceptionListsImportBulkError: type: object properties: - asset: - type: object - properties: - criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel - required: - - asset - entity: - type: object - properties: - asset: - type: object - properties: - criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel - required: - - criticality - id: - type: string - required: - - id - host: - type: object - properties: - asset: - type: object - properties: - criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel - required: - - criticality - name: - type: string - required: - - name - service: - type: object - properties: - asset: - type: object - properties: - criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel - required: - - criticality - name: - type: string - required: - - name - user: + error: type: object properties: - asset: - type: object - properties: - criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel - required: - - criticality - name: + message: type: string + status_code: + type: integer required: - - name - required: - - asset - Security_Entity_Analytics_API_AssetCriticalityRecordIdParts: - type: object - properties: - id_field: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' - description: The field representing the ID. - example: host.name - id_value: - description: The ID value of the asset. 
- type: string + - status_code + - message + id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + item_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' required: - - id_value - - id_field - Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse: + - error + Security_Exceptions_API_ExceptionListsImportBulkErrorArray: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError' + type: array + Security_Exceptions_API_ExceptionListTags: + description: String array containing words and phrases to help categorize exception containers. + items: + type: string + type: array + Security_Exceptions_API_ExceptionListType: + description: The type of exception list to be created. Different list types may denote where they can be utilized. + enum: + - detection + - rule_default + - endpoint + - endpoint_trusted_apps + - endpoint_trusted_devices + - endpoint_events + - endpoint_host_isolation_exceptions + - endpoint_blocklists + type: string + Security_Exceptions_API_ExceptionListVersion: + description: The document version, automatically increasd on updates. + minimum: 1 + type: integer + Security_Exceptions_API_ExceptionNamespaceType: + description: | + Determines whether the exception container is available in all Kibana spaces or just the space + in which it is created, where: + + - `single`: Only available in the Kibana space in which it is created. + - `agnostic`: Available in all Kibana spaces. + + For endpoint artifacts, the `namespace_type` must always be `agnostic`. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments. 
+ enum: + - agnostic + - single + type: string + Security_Exceptions_API_FindExceptionListItemsFilter: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + Security_Exceptions_API_FindExceptionListsFilter: + example: exception-list.attributes.name:%Detection%20List + type: string + Security_Exceptions_API_HostIsolationProperties: + description: Host isolation exceptions list item properties. type: object properties: - cleanup_successful: - example: false - type: boolean - errors: + entries: + description: Exactly one entry allowed for host isolation exceptions items: type: object properties: - error: + field: + description: Must be destination.ip + enum: + - destination.ip + type: string + operator: + description: Must be the value "included" + enum: + - included + type: string + type: + description: Must be match + enum: + - match + type: string + value: + description: Valid IPv4 address or CIDR notation (e.g., "192.168.1.1" or "10.0.0.0/8") type: string - seq: - type: integer required: - - seq - - error + - field + - type + - value + - operator + maxItems: 1 + minItems: 1 + type: array + list_id: + enum: + - endpoint_host_isolation_exceptions + example: endpoint_host_isolation_exceptions + type: string + os_types: + description: Must include all three operating systems (windows, linux, macos) + items: + enum: + - windows + - linux + - macos + type: string + maxItems: 3 + minItems: 3 type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - - cleanup_successful - - errors - Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse: + - list_id + Security_Exceptions_API_ListId: + description: Value list's identifier. + example: 21b01cfb-058d-44b9-838c-282be16c91cd + format: nonempty + minLength: 1 + type: string + Security_Exceptions_API_ListType: + description: | + Specifies the Elasticsearch data type of excludes the list container holds. 
Some common examples: + + - `keyword`: Many ECS fields are Elasticsearch keywords + - `ip`: IP addresses + - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) + enum: + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text + type: string + Security_Exceptions_API_NonEmptyString: + description: A string that does not contain only whitespace characters + format: nonempty + minLength: 1 + type: string + Security_Exceptions_API_PlatformErrorResponse: type: object properties: - errors: - items: - type: object - properties: - error: - type: string - seq: - type: integer - required: - - seq - - error - type: array - risk_engine_saved_object_configured: - example: false - type: boolean + error: + type: string + message: + type: string + statusCode: + type: integer required: - - risk_engine_saved_object_configured - - errors - Security_Entity_Analytics_API_CreateAssetCriticalityRecord: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts - - type: object - properties: - criticality_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel - required: - - criticality_level - Security_Entity_Analytics_API_DateRange: - description: Defines the lookback period for filtering source data by timestamp. + - statusCode + - error + - message + Security_Exceptions_API_RuleId: + $ref: '#/components/schemas/Security_Exceptions_API_UUID' + Security_Exceptions_API_SiemErrorResponse: type: object properties: - end: - description: End of the lookback period (date math or ISO string, e.g. "now") + message: type: string - start: - description: >- - Start of the lookback period (date math or ISO string, e.g. 
- "now-10d") + status_code: + type: integer + required: + - status_code + - message + Security_Exceptions_API_TrustedAppHashEntry: + type: object + properties: + field: + description: Process hash field + enum: + - process.hash.md5 + - process.hash.sha1 + - process.hash.sha256 + type: string + operator: + enum: + - included + type: string + type: + description: Hash entries only support match type + enum: + - match + type: string + value: + description: Hash value (MD5, SHA1, or SHA256) type: string required: - - start - - end - Security_Entity_Analytics_API_EngineComponentResource: - description: >- - The type of Elasticsearch or Kibana resource backing an engine - component. - enum: - - entity_engine - - entity_definition - - index - - data_stream - - component_template - - index_template - - ingest_pipeline - - enrich_policy - - task - - transform - - ilm_policy - type: string - Security_Entity_Analytics_API_EngineComponentStatus: - description: >- - Status of an individual Elasticsearch or Kibana resource backing an - engine. + - field + - type + - value + - operator + Security_Exceptions_API_TrustedAppMacCodeSignatureEntry: type: object properties: - errors: - description: Errors reported by this component, if any. + entries: + description: Must include exactly 2 entries - one for subject_name and one for trusted items: - type: object - properties: - message: - description: Detailed error message. - type: string - title: - description: Short error title. 
- type: string + oneOf: + - type: object + properties: + field: + enum: + - subject_name + type: string + operator: + enum: + - included + type: string + type: + enum: + - match + type: string + value: + description: Certificate subject name + type: string + required: + - field + - type + - value + - operator + - type: object + properties: + field: + enum: + - trusted + type: string + operator: + enum: + - included + type: string + type: + enum: + - match + type: string + value: + description: Must be the string 'true' + enum: + - 'true' + type: string + required: + - field + - type + - value + - operator + maxItems: 2 + minItems: 2 type: array - health: - description: The health status of the component. + field: + description: macOS code signature field enum: - - green - - yellow - - red - - unavailable - - unknown - type: string - id: - description: Unique identifier for the component. + - process.code_signature type: string - installed: - description: Whether the component is currently installed. - type: boolean - metadata: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Metadata' - resource: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineComponentResource - required: - - id - - installed - - resource - Security_Entity_Analytics_API_EngineDataviewUpdateResult: - description: The result of applying data view index changes to a single engine. - type: object - properties: - changes: - description: The changes applied to the engine. - type: object - properties: - indexPatterns: - description: The updated list of index patterns now used by the engine. - items: - type: string - type: array type: - description: The entity type of the engine that was updated. + enum: + - nested type: string required: + - field - type - Security_Entity_Analytics_API_EngineDescriptor: - description: >- - Describes a single entity engine, including its configuration and - current status. 
+ - entries + Security_Exceptions_API_TrustedAppPathEntry: type: object properties: - delay: - default: 1m - description: >- - The delay before the transform processes new data, allowing - late-arriving documents to be included. - example: 1m - pattern: '[smdh]$' - type: string - docsPerSecond: - description: >- - Throttle value for the number of documents processed per second. Use - -1 for no throttle. - type: integer - error: - description: Present when the engine status is `error`. Describes the failure. - type: object - properties: - action: - description: The lifecycle action that caused the error. - enum: - - init - type: string - message: - description: A human-readable error message. - type: string - required: - - message - - action - fieldHistoryLength: - description: The number of historical values retained per field. - example: 10 - type: integer - filter: - description: >- - An optional Kibana Query Language (KQL) filter applied to source - documents before aggregation. - example: 'host.name: "my-host"' - type: string - frequency: - default: 1m - description: How often the transform runs. - example: 1m - pattern: '[smdh]$' + field: + description: Process executable path field + enum: + - process.executable.caseless type: string - indexPattern: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' - lookbackPeriod: - default: 24h - description: How far back the transform looks when calculating aggregations. - example: 24h - pattern: '[smdh]$' + operator: + enum: + - included type: string - status: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineStatus' - timeout: - default: 180s - description: The timeout for initializing the aggregating transform. - example: 180s - pattern: '[smdh]$' + type: + description: Path supports both match and wildcard types + enum: + - match + - wildcard type: string - timestampField: - description: The field used as the timestamp for source documents. 
- example: '@timestamp' + value: + description: Executable path type: string - type: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' required: + - field - type - - indexPattern - - status - - fieldHistoryLength - Security_Entity_Analytics_API_EngineMetadata: - additionalProperties: false - description: Internal metadata attached to an entity by the engine that produced it. + - value + - operator + Security_Exceptions_API_TrustedAppsLinuxProperties: + description: Trusted applications list item properties (Linux). type: object properties: - Type: - description: The engine type that produced this entity record. + entries: + description: Process hash or executable path entries (code signature not supported on Linux) + items: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry' + minItems: 1 + type: array + list_id: + enum: + - endpoint_trusted_apps + example: endpoint_trusted_apps type: string - required: - - Type - Security_Entity_Analytics_API_EngineStatus: - description: The current operational status of an entity engine. - enum: - - installing - - started - - stopped - - updating - - error - type: string - Security_Entity_Analytics_API_EntitiesContainer: - description: A collection of entities to upsert in bulk. - type: object - properties: - entities: - description: The entities to create or update. + os_types: + description: Must be Linux only items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityContainer' + enum: + - linux + type: string + maxItems: 1 + minItems: 1 type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - - entities - Security_Entity_Analytics_API_Entity: - description: >- - An entity record from the Entity Store. 
The `entity` namespace is a - root-level field in the latest index, unlike source logs where it is - nested under `host`, `user`, or `service`. - oneOf: - - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserEntity' - - $ref: '#/components/schemas/Security_Entity_Analytics_API_HostEntity' - - $ref: '#/components/schemas/Security_Entity_Analytics_API_ServiceEntity' - - $ref: '#/components/schemas/Security_Entity_Analytics_API_GenericEntity' - Security_Entity_Analytics_API_EntityAnalyticsPrivileges: - type: object - properties: - has_all_required: - type: boolean - has_read_permissions: - type: boolean - has_write_permissions: - type: boolean - privileges: - type: object - properties: - elasticsearch: - type: object - properties: - cluster: - additionalProperties: - type: boolean - type: object - index: - additionalProperties: - additionalProperties: - type: boolean - type: object - type: object - kibana: - additionalProperties: - type: boolean - type: object - required: - - elasticsearch - required: - - has_all_required - - privileges - Security_Entity_Analytics_API_EntityContainer: - description: A wrapper that pairs an entity type with the entity record to upsert. + - list_id + Security_Exceptions_API_TrustedAppsMacProperties: + description: Trusted applications list item properties (macOS). type: object properties: - record: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' - description: The entity record to create or update. - type: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - description: The entity type of the record. 
+ entries: + description: Process hash, executable path, or code signature entries + items: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppMacCodeSignatureEntry' + minItems: 1 + type: array + list_id: + enum: + - endpoint_trusted_apps + example: endpoint_trusted_apps + type: string + os_types: + description: Must be macOS only + items: + enum: + - macos + type: string + maxItems: 1 + minItems: 1 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - - type - - record - Security_Entity_Analytics_API_EntityField: - additionalProperties: false - description: >- - Core entity fields shared across all entity types. The `entity` - namespace is a root-level field in the Entity Store latest index. + - list_id + Security_Exceptions_API_TrustedAppsWindowsProperties: + description: Trusted applications list item properties (Windows). type: object properties: - attributes: - additionalProperties: false - description: Boolean flags describing characteristics of the entity. - type: object - properties: - asset: - description: Whether the entity is classified as an asset. - type: boolean - managed: - description: >- - Whether the entity is managed (for example, via a directory - service). - type: boolean - mfa_enabled: - description: Whether multi-factor authentication is enabled for the entity. - type: boolean - privileged: - description: Whether the entity has elevated privileges. - type: boolean - behaviors: - additionalProperties: false - description: Boolean flags indicating observed behavioral signals. - type: object - properties: - brute_force_victim: - description: Whether the entity has been targeted by brute-force attacks. - type: boolean - new_country_login: - description: Whether the entity has logged in from a new country. 
- type: boolean - used_usb_device: - description: Whether the entity has used a USB device. - type: boolean - EngineMetadata: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineMetadata' - id: - description: Unique identifier for this entity. - example: arn:aws:iam::123456789012:user/jane.doe - type: string - lifecycle: - additionalProperties: false - description: Timestamps tracking the entity lifecycle. - type: object - properties: - first_seen: - description: When the entity was first observed. - format: date-time - type: string - last_activity: - description: When the entity last generated activity. - format: date-time - type: string - last_seen: - description: When the entity was last observed. - format: date-time - type: string - name: - description: Human-readable name of the entity. - example: jane.doe - type: string - relationships: - additionalProperties: false - description: Connections between this entity and other entities. - type: object - properties: - accessed_frequently_by: - description: Entity IDs that frequently access this entity. - items: - type: string - type: array - accesses_frequently: - description: Entity IDs this entity accesses frequently. - items: - type: string - type: array - accesses_infrequently: - description: Entity IDs this entity accesses infrequently. - items: - type: string - type: array - communicates_with: - description: Entity IDs this entity communicates with. - items: - type: string - type: array - dependent_of: - description: Entity IDs that depend on this entity. - items: - type: string - type: array - depends_on: - description: Entity IDs this entity depends on. - items: - type: string - type: array - owned_by: - description: Entity IDs that own this entity. - items: - type: string - type: array - owns: - description: Entity IDs owned by this entity. - items: - type: string - type: array - supervised_by: - description: Entity IDs that supervise this entity. 
- items: - type: string - type: array - supervises: - description: Entity IDs supervised by this entity. - items: - type: string - type: array - risk: - additionalProperties: false - description: Risk scoring information for the entity. - type: object - properties: - calculated_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels - description: Lexical description of the entity's risk. - example: Critical - calculated_score: - description: The raw numeric value of the given entity's risk score. - format: double - type: number - calculated_score_norm: - description: >- - The normalized numeric value of the given entity's risk score. - Useful for comparing with other entities. - format: double - maximum: 100 - minimum: 0 - type: number - source: - description: The source that produced this entity record. - type: string - sub_type: - description: Optional sub-type classification for the entity. - type: string - type: - description: The entity type. - example: user + entries: + description: Process hash, executable path, or code signature entries + items: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry' + minItems: 1 + type: array + list_id: + enum: + - endpoint_trusted_apps + example: endpoint_trusted_apps type: string + os_types: + description: Must be Windows only + items: + enum: + - windows + type: string + maxItems: 1 + minItems: 1 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - - id - Security_Entity_Analytics_API_EntityRiskLevels: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - Security_Entity_Analytics_API_EntityRiskScoreRecord: + - list_id + Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry: type: object properties: - 
'@timestamp': - description: The time at which the risk score was calculated. - example: '2017-07-21T17:32:28Z' - format: date-time - type: string - calculated_level: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels' - description: Lexical description of the entity's risk. - example: Critical - calculated_score: - description: The raw numeric value of the given entity's risk score. - format: double - type: number - calculated_score_norm: - description: >- - The normalized numeric value of the given entity's risk score. - Useful for comparing with other entities. - format: double - maximum: 100 - minimum: 0 - type: number - calculation_run_id: - description: Unique identifier for the scoring run that produced this document. - type: string - category_1_count: - description: >- - The number of risk input documents that contributed to the Category - 1 score (`category_1_score`). - type: integer - category_1_score: - description: >- - The contribution of Category 1 to the overall risk score - (`calculated_score`). Category 1 contains Detection Engine Alerts. - format: double - type: number - category_2_count: - type: integer - category_2_score: - format: double - type: number - criticality_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel - criticality_modifier: - format: double - type: number - id_field: - description: >- - The identifier field defining this risk score. Coupled with - `id_value`, uniquely identifies the entity being scored. 
- example: host.name + entries: + description: Must include exactly 2 entries - one for subject_name and one for trusted + items: + oneOf: + - type: object + properties: + field: + enum: + - subject_name + type: string + operator: + enum: + - included + type: string + type: + enum: + - match + type: string + value: + description: Certificate subject name + type: string + required: + - field + - type + - value + - operator + - type: object + properties: + field: + enum: + - trusted + type: string + operator: + enum: + - included + type: string + type: + enum: + - match + type: string + value: + description: Must be the string 'true' + enum: + - 'true' + type: string + required: + - field + - type + - value + - operator + maxItems: 2 + minItems: 2 + type: array + field: + description: Windows code signature field + enum: + - process.Ext.code_signature type: string - id_value: - description: >- - The identifier value defining this risk score. Coupled with - `id_field`, uniquely identifies the entity being scored. - example: example.host + type: + enum: + - nested type: string - inputs: - description: >- - A list of the highest-risk documents contributing to this risk - score. Useful for investigative purposes. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskScoreInput' - type: array - modifiers: - description: A list of modifiers that were applied to the risk score calculation. + required: + - field + - type + - entries + Security_Exceptions_API_TrustedDevicesMacProperties: + description: Trusted devices list item properties (macOS-only, username not supported). 
+ type: object + properties: + entries: + description: Exception entries for the trusted device (duplicate field entries are not allowed) items: type: object properties: - contribution: - format: double - type: number - metadata: - additionalProperties: true - type: object - modifier_value: - format: double - type: number - subtype: + field: + description: Device field to match against + enum: + - device.serial_number + - device.type + - host.name + - device.vendor.name + - device.vendor.id + - device.product.id + - device.product.name + type: string + operator: + description: Must be the value "included" + enum: + - included type: string type: + description: Entry match type + enum: + - match + - wildcard + - match_any type: string + value: + oneOf: + - description: Single value (used with match or wildcard) + type: string + - description: Array of values (used with match_any) + items: + type: string + minItems: 1 + type: array required: + - field - type - - contribution + - value + - operator + minItems: 1 type: array - notes: + list_id: + enum: + - endpoint_trusted_devices + example: endpoint_trusted_devices + type: string + os_types: + description: macOS-only items: + enum: + - macos type: string + maxItems: 1 + minItems: 1 type: array - related_entities: + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_TrustedDevicesWindowsMacProperties: + description: Trusted devices list item properties (Windows + macOS, username not supported). 
+ type: object + properties: + entries: + description: Exception entries for the trusted device (duplicate field entries are not allowed, username not available when targeting both OS) items: type: object properties: - entity_id: + field: + description: Device field to match against (username not available for multi-OS) + enum: + - device.serial_number + - device.type + - host.name + - device.vendor.name + - device.vendor.id + - device.product.id + - device.product.name type: string - relationship_type: + operator: + description: Must be the value "included" + enum: + - included + type: string + type: + description: Entry match type + enum: + - match + - wildcard + - match_any type: string + value: + oneOf: + - description: Single value (used with match or wildcard) + type: string + - description: Array of values (used with match_any) + items: + type: string + minItems: 1 + type: array + required: + - field + - type + - value + - operator + minItems: 1 type: array - score_type: - description: Distinguishes base, propagated, and resolution scores. + list_id: enum: - - base - - propagated - - resolution - type: string - required: - - '@timestamp' - - id_field - - id_value - - calculated_level - - calculated_score - - calculated_score_norm - - category_1_score - - category_1_count - - inputs - - notes - Security_Entity_Analytics_API_EntitySourceType: - enum: - - index - - entity_analytics_integration - - store - type: string - Security_Entity_Analytics_API_EntityType: - description: The type of entity. - enum: - - user - - host - - service - - generic - type: string - Security_Entity_Analytics_API_Filter: - type: object - properties: - kuery: - oneOf: - - type: string - - type: object - Security_Entity_Analytics_API_GenericEntity: - additionalProperties: false - description: >- - A generic entity record. Maps only the `entity` and `asset` namespaces. - Add additional field mappings here as needed. 
- type: object - properties: - '@timestamp': - description: The time the entity record was last updated. - format: date-time + - endpoint_trusted_devices + example: endpoint_trusted_devices type: string - asset: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' - additionalProperties: false - entity: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' + os_types: + description: Must include both Windows and macOS (username field not allowed) + items: + enum: + - windows + - macos + type: string + maxItems: 2 + minItems: 2 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - - entity - Security_Entity_Analytics_API_HostEntity: - additionalProperties: false - description: >- - An entity record representing a host, stored in the Entity Store latest - index. + - list_id + Security_Exceptions_API_TrustedDevicesWindowsProperties: + description: Trusted devices list item properties (Windows-only, allows username field). type: object properties: - '@timestamp': - description: The time the entity record was last updated. - format: date-time - type: string - asset: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' - additionalProperties: false - entity: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' - event: - additionalProperties: false - type: object - properties: - ingested: - description: When the event was ingested into Elasticsearch. - format: date-time - type: string - host: - additionalProperties: false - description: Elastic Common Schema (ECS) host fields collected on the entity. - type: object - properties: - architecture: - description: Observed CPU architectures. - items: - type: string - type: array - domain: - description: Observed host domains. - items: - type: string - type: array - entity: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' - hostname: - description: Observed hostnames. 
- items: - type: string - type: array - id: - description: Observed host IDs. - items: - type: string - type: array - ip: - description: Observed IP addresses. - items: + entries: + description: Exception entries for the trusted device (duplicate field entries are not allowed) + items: + type: object + properties: + field: + description: Device field to match against (user.name is Windows-only) + enum: + - device.serial_number + - device.type + - host.name + - device.vendor.name + - device.vendor.id + - device.product.id + - device.product.name + - user.name type: string - type: array - mac: - description: Observed MAC addresses. - items: + operator: + description: Must be the value "included" + enum: + - included type: string - type: array - name: - description: Primary host name. - type: string - os: - additionalProperties: false - description: >- - Elastic Common Schema (ECS) host.os fields collected on the - entity latest index. - type: object - properties: - family: - type: string - full: - type: string - kernel: - type: string - name: - oneOf: - - type: string - - items: - type: string - type: array - platform: - type: string - type: - oneOf: - - type: string - - items: - type: string - type: array - version: - type: string - risk: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord - type: - description: Observed host types. - items: + type: + description: Entry match type + enum: + - match + - wildcard + - match_any type: string - type: array - required: - - name - required: - - entity - Security_Entity_Analytics_API_IdField: - enum: - - host.name - - user.name - - service.name - - entity.id - type: string - Security_Entity_Analytics_API_IndexPattern: - description: >- - An additional Elasticsearch index pattern to include as a source for - entity data. Merged with the default data view indices when the engine - runs. 
- example: logs-* - type: string - Security_Entity_Analytics_API_InspectQuery: - description: Debug information about the Elasticsearch query executed. - type: object - properties: - dsl: - description: Elasticsearch query DSL that was executed. - items: - type: string + value: + oneOf: + - description: Single value (used with match or wildcard) + type: string + - description: Array of values (used with match_any) + items: + type: string + minItems: 1 + type: array + required: + - field + - type + - value + - operator + minItems: 1 type: array - response: - description: Raw Elasticsearch responses. + list_id: + enum: + - endpoint_trusted_devices + example: endpoint_trusted_devices + type: string + os_types: + description: Must be Windows-only to allow username field items: + enum: + - windows type: string + maxItems: 1 + minItems: 1 type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - - dsl - - response - Security_Entity_Analytics_API_Integrations: + - list_id + Security_Exceptions_API_UpdateExceptionListItemBase: type: object properties: - syncData: - description: integrations latest full sync and update syncData - type: object - properties: - lastFullSync: - description: Timestamp of the last full sync from integrations - format: date-time - type: string - lastUpdateProcessed: - description: Timestamp of the last update processed from integrations - format: date-time - type: string - syncMarkerIndex: - description: Index to read latest sync markers from + _version: + description: The version ID, normally returned by the API when the item is retrieved. Use it to ensure updates are made against the latest version. type: string - Security_Entity_Analytics_API_Interval: - description: >- - Interval in which enrich policy runs. For example, `"1h"` means the rule - runs every hour. 
Must be less than or equal to half the duration of the - lookback period, - example: 1h - pattern: ^[1-9]\d*[smh]$ - type: string - Security_Entity_Analytics_API_Matcher: - type: object - properties: - fields: - items: - type: string - type: array - values: - description: > - Matcher values. Must be either an array of strings (e.g. group or - role names) or an array of booleans (e.g. integration-derived flags - like privileged_group_member). Mixed types are intentionally not - supported for simplicity and predictability. - oneOf: - - items: - type: string - type: array - - items: - type: boolean - type: array + comments: + $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray' + default: [] + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' + expire_time: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' + id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + description: Either `id` or `item_id` must be specified + item_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' + description: Either `id` or `item_id` must be specified + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' required: - - fields - - values - Security_Entity_Analytics_API_Metadata: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata - Security_Entity_Analytics_API_MonitoredUserDoc: + - type + - name + - description + Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc - - 
type: object - properties: - '@timestamp': - format: date-time - type: string - event: - type: object - properties: - '@timestamp': - format: date-time - type: string - ingested: - format: date-time - type: string - user: - type: object - properties: - entity: - type: object - properties: - attributes: - type: object - properties: - Privileged: - description: Indicates if the user is privileged. - type: boolean - is_privileged: - description: Indicates if the user is privileged. - type: boolean - name: - type: string - Security_Entity_Analytics_API_MonitoredUserUpdateDoc: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties' + Security_Exceptions_API_UpdateExceptionListItemBlocklistMac: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties' + Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties' + Security_Exceptions_API_UpdateExceptionListItemComment: type: object properties: - entity_analytics_monitoring: - type: object - properties: - labels: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringLabel - type: array + comment: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' id: - type: string - labels: - type: object - properties: - source_ids: - items: - type: string - type: array - source_integrations: - items: - type: string - type: array - sources: - items: - enum: - - csv - - index_sync - - api - type: array - user: - type: object - properties: - is_privileged: - description: Indicates if the user is privileged. 
- type: boolean - name: - type: string - Security_Entity_Analytics_API_MonitoringEngineDescriptor: - type: object - properties: - error: - type: object - properties: - message: - description: >- - Error message typically only present if the engine is in error - state - type: string - status: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' required: - - status - Security_Entity_Analytics_API_MonitoringEntitySource: + - comment + Security_Exceptions_API_UpdateExceptionListItemCommentArray: + items: + $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment' + type: array + Security_Exceptions_API_UpdateExceptionListItemEndpointList: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySourceProperties - - type: object + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties' + Security_Exceptions_API_UpdateExceptionListItemEventFilters: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties' + Security_Exceptions_API_UpdateExceptionListItemGeneric: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - example: + comments: [] + description: Updated description + entries: + - field: host.name + operator: included + type: match + value: rock01 + item_id: simple_list_item + name: Updated name + namespace_type: single + tags: [] + type: simple + type: object properties: - id: - type: string + entries: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + os_types: + $ref: 
'#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' required: - - type - - name - - id - - managed - Security_Entity_Analytics_API_MonitoringEntitySourceProperties: + - entries + Security_Exceptions_API_UpdateExceptionListItemHostIsolation: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties - - type: object - properties: - managed: - type: boolean - Security_Entity_Analytics_API_MonitoringLabel: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties' + Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties' + Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties' + Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties' + Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties' + Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties' + 
Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties' + Security_Exceptions_API_UUID: + description: A universally unique identifier + format: uuid + type: string + Security_Lists_API_FindListItemsCursor: + description: Returns the items that come after the last item returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all items are sorted and returned correctly. + example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d + format: nonempty + minLength: 1 + type: string + Security_Lists_API_FindListItemsFilter: + example: value:127.0.0.1 + type: string + Security_Lists_API_FindListsCursor: + example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d + format: nonempty + minLength: 1 + type: string + Security_Lists_API_FindListsFilter: + example: value:127.0.0.1 + type: string + Security_Lists_API_List: type: object properties: - field: - type: string - source: + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + '@timestamp': + example: '2025-01-08T04:47:34.273Z' + format: date-time type: string - value: + created_at: + description: Autogenerated date of object creation. + example: '2025-01-08T04:47:34.273Z' + format: date-time type: string - required: - - field - - value - - source - Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus: - description: The status of the Privilege Monitoring Engine - enum: - - started - - error - - disabled - - not_installed - type: string - Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem: - type: object - properties: - index: - nullable: true - type: integer - message: + created_by: + description: Autogenerated value - user that created object. 
+ example: elastic type: string - username: - nullable: true + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + immutable: + type: boolean + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + tie_breaker_id: + description: Field used in search to ensure all containers are sorted and returned correctly. + example: f5508188-b1e9-4e6e-9662-d039a7d89899 type: string - required: - - message - - index - - username - Security_Entity_Analytics_API_PrivmonUserCsvUploadStats: - type: object - properties: - failedOperations: - type: integer - successfulOperations: - type: integer - totalOperations: - type: integer - uploaded: - type: integer - required: - - successfulOperations - - uploaded - - failedOperations - - totalOperations - Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse: - type: object - properties: - full_error: + type: + $ref: '#/components/schemas/Security_Lists_API_ListType' + updated_at: + description: Autogenerated date of last object update. + example: '2025-01-08T04:47:34.273Z' + format: date-time type: string - message: + updated_by: + description: Autogenerated value - user that last updated object. + example: elastic type: string + version: + $ref: '#/components/schemas/Security_Lists_API_ListVersion' required: - - message - - full_error - Security_Entity_Analytics_API_RiskEngineScheduleNowResponse: - type: object - properties: - success: - type: boolean - Security_Entity_Analytics_API_RiskScoreInput: - description: A generic representation of a document contributing to a Risk Score. + - id + - type + - name + - description + - immutable + - version + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Lists_API_ListDescription: + description: Describes the value list. 
+ format: nonempty + minLength: 1 + type: string + Security_Lists_API_ListId: + description: Value list's identifier. + example: 21b01cfb-058d-44b9-838c-282be16c91cd + format: nonempty + minLength: 1 + type: string + Security_Lists_API_ListItem: type: object properties: - category: - description: The risk category of the risk input document. - example: category_1 + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + '@timestamp': + example: '2025-01-08T04:47:34.273Z' + format: date-time type: string - contribution_score: - format: double - type: number - description: - description: A human-readable description of the risk input document. - example: 'Generated from Detection Engine Rule: Malware Prevention Alert' + created_at: + description: Autogenerated date of object creation. + example: '2025-01-08T04:47:34.273Z' + format: date-time type: string - entity_id: - description: The EUID of the entity within the graph that generated this alert. + created_by: + description: Autogenerated value - user that created object. + example: elastic type: string id: - description: The unique identifier (`_id`) of the original source document - example: 91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + list_id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + tie_breaker_id: + description: Field used in search to ensure all containers are sorted and returned correctly. + example: f5508188-b1e9-4e6e-9662-d039a7d89899 type: string - index: - description: The unique index (`_index`) of the original source document - example: .internal.alerts-security.alerts-default-000001 + type: + $ref: '#/components/schemas/Security_Lists_API_ListType' + updated_at: + description: Autogenerated date of last object update. 
+ example: '2025-01-08T04:47:34.273Z' + format: date-time type: string - risk_score: - description: The weighted risk score of the risk input document. - format: double - maximum: 100 - minimum: 0 - type: number - timestamp: - description: The @timestamp of the risk input document. - example: '2017-07-21T17:32:28Z' + updated_by: + description: Autogenerated value - user that last updated object. + example: elastic type: string + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' required: - id - - index - - description - - category - Security_Entity_Analytics_API_ServiceEntity: - additionalProperties: false - description: >- - An entity record representing a service, stored in the Entity Store - latest index. + - type + - list_id + - value + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Lists_API_ListItemId: + description: Value list item's identifier. + example: 54b01cfb-058d-44b9-838c-282be16c91cd + format: nonempty + minLength: 1 + type: string + Security_Lists_API_ListItemMetadata: + additionalProperties: true + description: Placeholder for metadata about the value list item. + type: object + Security_Lists_API_ListItemPrivileges: type: object properties: - '@timestamp': - description: The time the entity record was last updated. 
- format: date-time + application: + additionalProperties: + type: boolean + type: object + cluster: + additionalProperties: + type: boolean + type: object + has_all_requested: + type: boolean + index: + additionalProperties: + additionalProperties: + type: boolean + type: object + type: object + username: type: string - asset: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' - additionalProperties: false - entity: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' - event: - additionalProperties: false + required: + - username + - has_all_requested + - cluster + - index + - application + Security_Lists_API_ListItemValue: + description: The value used to evaluate exceptions. + format: nonempty + minLength: 1 + type: string + Security_Lists_API_ListMetadata: + additionalProperties: true + description: Placeholder for metadata about the value list. + type: object + Security_Lists_API_ListName: + description: Value list's name. + example: List of bad IPs + format: nonempty + minLength: 1 + type: string + Security_Lists_API_ListPrivileges: + type: object + properties: + application: + additionalProperties: + type: boolean type: object - properties: - ingested: - description: When the event was ingested into Elasticsearch. - format: date-time - type: string - service: - additionalProperties: false - description: Elastic Common Schema (ECS) service fields collected on the entity. + cluster: + additionalProperties: + type: boolean type: object - properties: - entity: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' - name: - description: Primary service name. 
- type: string - risk: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord - required: - - name + has_all_requested: + type: boolean + index: + additionalProperties: + additionalProperties: + type: boolean + type: object + type: object + username: + type: string required: - - entity - Security_Entity_Analytics_API_StoreStatus: - description: The overall operational status of the Entity Store. + - username + - has_all_requested + - cluster + - index + - application + Security_Lists_API_ListType: + description: | + Specifies the Elasticsearch data type of excludes the list container holds. Some common examples: + + - `keyword`: Many ECS fields are Elasticsearch keywords + - `ip`: IP addresses + - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) enum: - - not_installed - - installing - - running - - stopped - - error + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text type: string - Security_Entity_Analytics_API_TaskManagerUnavailableResponse: - description: Task manager is unavailable + Security_Lists_API_ListVersion: + description: The document version number. + example: 1 + minimum: 1 + type: integer + Security_Lists_API_ListVersionId: + description: | + The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version. + example: WzIsMV0= + type: string + Security_Lists_API_PlatformErrorResponse: type: object properties: + error: + type: string message: type: string - status_code: - minimum: 400 + statusCode: type: integer required: - - status_code + - statusCode + - error - message - Security_Entity_Analytics_API_TransformStatsMetadata: - description: Statistics from the underlying Elasticsearch transform. 
- type: object - properties: - delete_time_in_ms: - description: Total time spent deleting documents, in milliseconds. - type: integer - documents_deleted: - description: Total number of documents deleted from the destination index. - type: integer - documents_indexed: - description: Total number of documents written to the destination index. - type: integer - documents_processed: - description: Total number of source documents processed. - type: integer - exponential_avg_checkpoint_duration_ms: - description: Exponential moving average of checkpoint duration, in milliseconds. - type: integer - exponential_avg_documents_indexed: - description: Exponential moving average of documents indexed per checkpoint. - type: integer - exponential_avg_documents_processed: - description: Exponential moving average of documents processed per checkpoint. - type: integer - index_failures: - description: Total number of failed index operations. - type: integer - index_time_in_ms: - description: Total time spent indexing documents, in milliseconds. - type: integer - index_total: - description: Total number of index operations. - type: integer - pages_processed: - description: Number of composite aggregation pages processed. - type: integer - processing_time_in_ms: - description: Total time spent processing results, in milliseconds. - type: integer - processing_total: - description: Total number of processing operations. - type: integer - search_failures: - description: Total number of failed search operations. - type: integer - search_time_in_ms: - description: Total time spent on search queries, in milliseconds. - type: integer - search_total: - description: Total number of search operations. - type: integer - trigger_count: - description: Number of times the transform has been triggered. 
- type: integer - required: - - pages_processed - - documents_processed - - documents_indexed - - trigger_count - - index_time_in_ms - - index_total - - index_failures - - search_time_in_ms - - search_total - - search_failures - - processing_time_in_ms - - processing_total - - exponential_avg_checkpoint_duration_ms - - exponential_avg_documents_indexed - - exponential_avg_documents_processed - Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties: - type: object - properties: - enabled: - type: boolean - filter: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Filter' - identifierField: - description: Field used to query the entity store for index-type sources - type: string - indexPattern: - type: string - integrationName: - type: string - integrations: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Integrations' - matchers: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Matcher' - type: array - name: - type: string - queryRule: - description: KQL query used to filter data from the provided index patterns - type: string - range: - $ref: '#/components/schemas/Security_Entity_Analytics_API_DateRange' - type: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitySourceType' - Security_Entity_Analytics_API_UserEntity: - additionalProperties: false - description: >- - An entity record representing a user, stored in the Entity Store latest - index. + Security_Lists_API_SiemErrorResponse: type: object properties: - '@timestamp': - description: The time the entity record was last updated. 
- format: date-time + message: type: string - asset: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' - additionalProperties: false - entity: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' - event: - additionalProperties: false + status_code: + type: integer + required: + - status_code + - message + Security_Osquery_API_ArrayQueries: + description: An array of queries to run. + items: + $ref: '#/components/schemas/Security_Osquery_API_ArrayQueriesItem' + type: array + Security_Osquery_API_ArrayQueriesItem: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_QueryId' + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + version: + $ref: '#/components/schemas/Security_Osquery_API_Version' + Security_Osquery_API_CopyPacksResponse: + description: The response for copying a pack. + example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: false + name: my_pack_copy + policy_ids: [] + queries: + - ecs_mapping: + - key: client.port + value: + field: port + id: ports + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: [] + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + type: object + properties: + data: type: object properties: - ingested: - description: When the event was ingested into Elasticsearch. + created_at: format: date-time type: string - user: - additionalProperties: false - description: Elastic Common Schema (ECS) user fields collected on the entity. 
- type: object - properties: - domain: - description: Observed user domains. - items: - type: string - type: array - email: - description: Observed email addresses. - items: - type: string - type: array - full_name: - description: Observed full names of the user. - items: - type: string - type: array - hash: - description: Observed user hashes. - items: - type: string - type: array - id: - description: Observed user IDs. - items: - type: string - type: array - name: - description: Primary user name. + created_by: + nullable: true type: string - risk: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord - additionalProperties: false - roles: - description: Observed roles assigned to the user. + created_by_profile_uid: + type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + queries: + description: 'Pack queries in saved-object storage format (array). Note: the read endpoint returns object format.' items: - type: string + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' + id: + type: string + interval: + type: integer + platform: + type: string + query: + type: string + removed: + type: boolean + snapshot: + type: boolean + timeout: + type: integer + version: + type: string type: array - required: - - name - required: - - entity - Security_Entity_Analytics_API_UserName: - type: object - properties: - entity_analytics_monitoring: - description: Entity analytics monitoring configuration for the user - type: object - properties: - labels: - description: Array of labels associated with the user + saved_object_id: + description: The saved object ID of the copied pack. 
+ type: string + shards: + description: Shard configuration as an array of key-value pairs. items: type: object properties: - field: - description: The field name for the label - type: string - source: - description: >- - The source where this label was created (api, csv, or - index_sync) - enum: - - api - - csv - - index_sync + key: type: string value: - description: The value of the label - type: string + type: number type: array - user: - type: object - properties: - name: - description: The name of the user. + updated_at: + format: date-time type: string - Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem: - example: - matchedEntities: 1 - status: success - type: object - properties: - error: - description: Error message if the row failed to process - example: Invalid entity type - type: string - matchedEntities: - description: Number of entities matched for this row - example: 1 - type: integer - status: - enum: - - success - - failure - - unmatched - example: success - type: string - required: - - status - - matchedEntities - Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem: - example: - euid: user:john.doe - status: success - type: object - properties: - error: - description: Error message if the entity failed to process - example: Invalid entity type - type: string - euid: - description: The EUID of the entity - example: user:john.doe - type: string - status: - enum: - - success - - failure - - not_found - example: success - type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + description: The pack version number. + type: integer + required: + - saved_object_id + - name required: - - euid - - status - Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem: + - data + Security_Osquery_API_CopySavedQueryResponse: + description: The response for copying a saved query. 
example: - euid: user:john.doe - status: success + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query_copy + interval: '60' + platform: linux,darwin + query: select * from uptime; + removed: false + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + snapshot: true + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic type: object properties: - error: - description: Error message if the entity failed to process - example: Invalid entity type - type: string - euid: - description: The EUID of the entity - example: user:john.doe - type: string - status: - enum: - - success - - failure - - not_found - example: success - type: string + data: + type: object + properties: + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + oneOf: + - type: integer + - type: string + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + saved_object_id: + type: string + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + timeout: + type: integer + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + required: + - saved_object_id + - id required: - - euid - - status - Security_Entity_Analytics_API_WatchlistObject: + - data + Security_Osquery_API_CreateLiveQueryRequestBody: example: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk 
vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' + agent_all: true + ecs_mapping: + host.uptime: + field: total_seconds + query: select * from uptime; type: object properties: - createdAt: - description: Timestamp indicating when the watchlist was created - format: date-time - type: string - description: - description: Description of the watchlist - type: string - entityCount: - description: Number of entities in the watchlist - type: number - entitySourceIds: - description: List of entity source IDs associated with the watchlist - items: - type: string - type: array - id: - description: The unique ID of the watchlist - type: string - managed: - description: Indicates if the watchlist is managed by the system + agent_all: + description: When `true`, the query runs on all agents. type: boolean - name: - description: The name of the watchlist - type: string - riskModifier: - description: Risk score modifier associated with the watchlist - type: number - updatedAt: - description: Timestamp indicating when the watchlist was last updated - format: date-time - type: string - required: - - name - - riskModifier - - managed - Security_Exceptions_API_BlocklistHashOrPathEntry: - type: object - properties: - field: - description: File hash or path field - enum: - - file.hash.md5 - - file.hash.sha1 - - file.hash.sha256 - - file.path - - file.path.caseless - type: string - operator: - description: Must be the value "included" - enum: - - included - type: string - type: - description: Must be match_any for blocklists - enum: - - match_any - type: string - value: - description: Array of hash values or file paths + agent_ids: + description: A list of agent IDs to run the query on. 
items: type: string - minItems: 1 - type: array - required: - - field - - type - - value - - operator - Security_Exceptions_API_BlocklistLinuxProperties: - description: Blocklist list item properties (Linux, code signature not supported). - type: object - properties: - entries: - description: | - **Validation rules:** - * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) - * Path entry: only 1 allowed - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry - minItems: 1 type: array - list_id: - enum: - - endpoint_blocklists - example: endpoint_blocklists - type: string - os_types: - description: Linux-only + agent_platforms: + description: A list of agent platforms to run the query on. items: - enum: - - linux type: string - maxItems: 1 - minItems: 1 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_BlocklistMacProperties: - description: Blocklist list item properties (macOS, code signature not supported). - type: object - properties: - entries: - description: | - **Validation rules:** - * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) - * Path entry: only 1 allowed - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry - minItems: 1 type: array - list_id: - enum: - - endpoint_blocklists - example: endpoint_blocklists - type: string - os_types: - description: macOS-only + agent_policy_ids: + description: A list of agent policy IDs to run the query on. items: - enum: - - macos type: string - maxItems: 1 - minItems: 1 type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry: - type: object - properties: - entries: - description: Nested subject_name entries + alert_ids: + description: A list of alert IDs associated with the live query. 
items: - type: object - properties: - field: - description: Certificate subject name - enum: - - subject_name - type: string - operator: - description: Must be the value "included" - enum: - - included - type: string - type: - description: Match type for subject name - enum: - - match - - match_any - type: string - value: - oneOf: - - description: Single subject name (used with match) - type: string - - description: Array of subject names (used with match_any) - items: - type: string - minItems: 1 - type: array - required: - - field - - type - - value - - operator - minItems: 1 + type: string type: array - field: - description: Windows code signature field - enum: - - file.Ext.code_signature - type: string - type: - description: Must be nested for Windows code signature - enum: - - nested - type: string - required: - - field - - type - - entries - Security_Exceptions_API_BlocklistWindowsProperties: - description: Blocklist list item properties (Windows, supports code signature). - type: object - properties: - entries: - description: | - **Validation rules:** - * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) - * Path entry: only 1 allowed - * Code signature entry: only 1 allowed + case_ids: + description: A list of case IDs associated with the live query. items: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry - minItems: 1 + type: string type: array - list_id: - enum: - - endpoint_blocklists - example: endpoint_blocklists - type: string - os_types: - description: Windows-only + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + event_ids: + description: A list of event IDs associated with the live query. 
items: - enum: - - windows type: string - maxItems: 1 - minItems: 1 type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_CreateExceptionListItemBase: - type: object - properties: - comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription - expire_time: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime - item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single - type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' - required: - - type - - name - - description - Security_Exceptions_API_CreateExceptionListItemBlocklistLinux: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties - Security_Exceptions_API_CreateExceptionListItemBlocklistMac: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties' - Security_Exceptions_API_CreateExceptionListItemBlocklistWindows: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties - Security_Exceptions_API_CreateExceptionListItemComment: + metadata: + description: Custom metadata object associated with the live query. 
+ nullable: true + type: object + pack_id: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ArrayQueries' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + saved_query_id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + Security_Osquery_API_CreateLiveQueryResponse: + description: The response for creating a live query. + example: + data: + '@timestamp': '2022-07-26T09:59:32.220Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agent_all: true + agent_ids: [] + agent_platforms: [] + agent_policy_ids: [] + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2022-07-26T10:04:32.220Z' + input_type: osquery + metadata: + execution_context: + name: osquery + url: /app/osquery/live_queries/new + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + ecs_mapping: + host.uptime: + field: total_seconds + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + query: select * from uptime; + timeout: 120 + type: INPUT_ACTION + user_id: elastic type: object properties: - comment: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - comment - Security_Exceptions_API_CreateExceptionListItemCommentArray: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment - type: array - Security_Exceptions_API_CreateExceptionListItemEndpointList: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties' - Security_Exceptions_API_CreateExceptionListItemEventFilters: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties' - Security_Exceptions_API_CreateExceptionListItemGeneric: - allOf: - - $ref: >- - 
#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - example: - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - type: simple + data: type: object properties: - entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemTags - default: [] + '@timestamp': + description: The timestamp when the action was created. + format: date-time + type: string + action_id: + description: The ID of the action. + type: string + agent_all: + description: Whether the query targets all agents. + type: boolean + agent_ids: + description: The agent IDs targeted by the action. + items: + type: string + type: array + agent_platforms: + description: The agent platforms targeted. + items: + type: string + type: array + agent_policy_ids: + description: The agent policy IDs targeted. + items: + type: string + type: array + agents: + description: The resolved list of agent IDs. + items: + type: string + type: array + expiration: + description: The expiration date of the action. + format: date-time + type: string + input_type: + description: The input type. + type: string + metadata: + description: Custom metadata associated with the action. + type: object + pack_id: + description: The pack ID if the query was run from a pack. + type: string + queries: + description: The queries in this action. 
+ items: + type: object + properties: + action_id: + type: string + agents: + items: + type: string + type: array + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + type: string + platform: + type: string + query: + type: string + saved_query_id: + type: string + timeout: + type: integer + version: + type: string + type: array + type: + description: The action type. + type: string + user_id: + description: The user who created the action. + type: string required: - - list_id - - entries - Security_Exceptions_API_CreateExceptionListItemHostIsolation: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties' - Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties - Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties - Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties - Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties - Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - 
#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties - Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties - Security_Exceptions_API_CreateRuleExceptionListItemComment: - type: object - properties: - comment: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - comment - Security_Exceptions_API_CreateRuleExceptionListItemCommentArray: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment - type: array - Security_Exceptions_API_CreateRuleExceptionListItemProps: - type: object - properties: - comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - expire_time: - format: date-time - type: string - item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' - default: [] - type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' - required: - - type - - name - - description - - entries - Security_Exceptions_API_EndpointArtifactTags: - default: [] - description: > - 
Tags for categorization. Special tags for scope control: - - * `"policy:all"` - Global artifact (applies to all Elastic Defend - policies) - - * `"policy:"` - Private artifact (applies to specific Elastic - Defend policy only, where `` is the Elastic Defend - integration policy ID) - items: - type: string - type: array - Security_Exceptions_API_EndpointListProperties: - description: Elastic Endpoint exception list item properties. - type: object - properties: - entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - description: > - Exception entries for endpoint security exceptions (used to prevent - detection rule alerts). - - - **Fully flexible:** Supports any field name for maximum - compatibility with detection rules. No field restrictions are - enforced. - list_id: - enum: - - endpoint_list - example: endpoint_list - type: string - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_EventFiltersProperties: - description: Event filters list item properties. - type: object - properties: - entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - description: > - Exception entries for the event filter. - - - **Flexible field support:** Any event field name is allowed (e.g., - `process.name`, `file.path`, `event.action`, `dns.question.name`, - etc.) 
- - - **Minimum requirement:** At least 1 entry required - list_id: - enum: - - endpoint_event_filters - example: endpoint_event_filters - type: string - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + - action_id required: - - list_id - Security_Exceptions_API_ExceptionList: + - data + Security_Osquery_API_CreatePacksRequestBody: + example: + description: My pack + enabled: true + name: my_pack + policy_ids: + - my_policy_id + - fleet-server-policy + queries: + my_query: + ecs_mapping: + client.port: + field: port + tags: + value: + - tag1 + - tag2 + interval: 60 + query: SELECT * FROM listening_ports; + timeout: 120 + shards: + fleet-server-policy: 58 + my_policy_id: 35 type: object properties: - _version: - description: >- - The version id, normally returned by the API when the item was - retrieved. Use it ensure updates are done against the latest - version. - type: string - created_at: - description: Autogenerated date of object creation. - format: date-time - type: string - created_by: - description: Autogenerated value - user that created object. 
- type: string description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - immutable: - type: boolean - list_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray - tags: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' - tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. - type: string - type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' - updated_at: - description: Autogenerated date of last object update. - format: date-time - type: string - updated_by: - description: Autogenerated value - user that last updated object. - type: string - version: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' - required: - - id - - list_id - - type - - name - - description - - immutable - - namespace_type - - version - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Exceptions_API_ExceptionListDescription: - description: Describes the exception list. - example: This list tracks allowlisted values. - type: string - Security_Exceptions_API_ExceptionListHumanId: - description: > - The exception list's human-readable string identifier. 
- - - For endpoint artifacts, use one of the following values: - - - * `endpoint_list`: [Elastic Endpoint exception - list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) - - * `endpoint_trusted_apps`: [Trusted applications - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) - - * `endpoint_trusted_devices`: [Trusted devices - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) - - * `endpoint_event_filters`: [Event filters - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) - - * `endpoint_host_isolation_exceptions`: [Host isolation exceptions - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) - - * `endpoint_blocklists`: [Blocklists - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) - example: simple_list - format: nonempty - minLength: 1 - type: string - Security_Exceptions_API_ExceptionListId: - description: Exception list's identifier. - example: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - format: nonempty - minLength: 1 - type: string - Security_Exceptions_API_ExceptionListItem: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' + shards: + $ref: '#/components/schemas/Security_Osquery_API_Shards' + Security_Osquery_API_CreatePacksResponse: + description: The response for creating a pack. 
+ example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: true + name: my_pack + policy_ids: + - my_policy_id + queries: + ports: + ecs_mapping: + client.port: + field: port + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: + 47638692-7c4c-4053-aa3e-7186f28df349: 35 + 5e267651-fe50-443e-8d3f-3bbc9171b618: 58 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + version: 1 type: object properties: - _version: - description: >- - The version id, normally returned by the API when the item was - retrieved. Use it ensure updates are done against the latest - version. - type: string - comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray - created_at: - description: Autogenerated date of object creation. - format: date-time - type: string - created_by: - description: Autogenerated value - user that created object. 
- type: string - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - expire_time: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - list_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray - tags: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' - tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. - type: string - type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' - updated_at: - description: Autogenerated date of last object update. - format: date-time - type: string - updated_by: - description: Autogenerated value - user that last updated object. - type: string + data: + type: object + properties: + created_at: + description: The date and time the pack was created. + format: date-time + type: string + created_by: + description: The user who created the pack. + nullable: true + type: string + created_by_profile_uid: + description: The profile UID of the user who created the pack. 
+ type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' + saved_object_id: + description: The saved object ID of the pack. + type: string + shards: + description: Shard configuration as an array of key-value pairs. + items: + type: object + properties: + key: + type: string + value: + type: number + type: array + updated_at: + description: The date and time the pack was last updated. + format: date-time + type: string + updated_by: + description: The user who last updated the pack. + nullable: true + type: string + updated_by_profile_uid: + description: The profile UID of the user who last updated the pack. + type: string + version: + description: The pack version number. + type: integer + required: + - saved_object_id + - name required: - - id - - item_id - - list_id - - type - - name - - description - - entries - - namespace_type - - comments - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Exceptions_API_ExceptionListItemComment: + - data + Security_Osquery_API_CreateSavedQueryRequestBody: + example: + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: saved_query_id + interval: '60' + platform: linux,darwin + query: select * from uptime; + timeout: 120 + version: 2.8.0 type: object properties: - comment: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - created_at: - description: Autogenerated date of object creation. 
- format: date-time - type: string - created_by: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + description: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - updated_at: - description: Autogenerated date of last object update. - format: date-time - type: string - updated_by: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - id - - comment - - created_at - - created_by - Security_Exceptions_API_ExceptionListItemCommentArray: - description: | - Array of comment fields: - - - comment (string): Comments about the exception item. - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemComment' - type: array - Security_Exceptions_API_ExceptionListItemDescription: - description: Describes the exception list. - type: string - Security_Exceptions_API_ExceptionListItemEntry: - anyOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard - discriminator: - propertyName: type - Security_Exceptions_API_ExceptionListItemEntryArray: - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntry' - type: array - Security_Exceptions_API_ExceptionListItemEntryExists: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - operator: - $ref: >- - 
#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - exists - type: string - required: - - type - - field - - operator - Security_Exceptions_API_ExceptionListItemEntryList: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + $ref: '#/components/schemas/Security_Osquery_API_Interval' + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + version: + $ref: '#/components/schemas/Security_Osquery_API_Version' + Security_Osquery_API_CreateSavedQueryResponse: + description: The response for creating a saved query. + example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: saved_query_id + interval: '60' + platform: linux,darwin + prebuilt: false + query: select * from uptime; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + version: 2.8.0 type: object properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - list: + data: type: object properties: + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: - $ref: '#/components/schemas/Security_Exceptions_API_ListId' - type: - $ref: '#/components/schemas/Security_Exceptions_API_ListType' + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + description: An interval, in seconds, on which to run the query. 
May be returned as number or string. + oneOf: + - type: integer + - type: string + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + prebuilt: + description: Whether the saved query is prebuilt. + type: boolean + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + saved_object_id: + description: The saved object ID of the saved query. + type: string + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + timeout: + description: The query timeout in seconds. + type: integer + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + description: The saved query version. + oneOf: + - type: integer + - type: string required: + - saved_object_id - id - - type - operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - list - type: string required: - - type - - field - - list - - operator - Security_Exceptions_API_ExceptionListItemEntryMatch: + - data + Security_Osquery_API_DefaultSuccessResponse: + example: {} type: object - properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - match - type: string - value: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - type - - field - - value - - operator - Security_Exceptions_API_ExceptionListItemEntryMatchAny: + properties: {} + Security_Osquery_API_ECSMapping: + additionalProperties: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' + description: Map osquery results columns or static values to Elastic Common Schema (ECS) fields + example: + host.uptime: + field: total_seconds + type: object + Security_Osquery_API_ECSMappingArray: + description: 
ECS mapping in saved-object storage format (array of key-value pairs). The find and copy pack endpoints return this format. The read endpoint returns object format (ECSMapping). + items: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArrayItem' + type: array + Security_Osquery_API_ECSMappingArrayItem: + description: ECS mapping item in saved-object storage format (key-value pair). type: object properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - match_any + key: + description: The ECS field name. type: string value: - items: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - minItems: 1 - type: array - required: - - type - - field - - value - - operator - Security_Exceptions_API_ExceptionListItemEntryMatchWildcard: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' + Security_Osquery_API_ECSMappingArrayOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' + nullable: true + Security_Osquery_API_ECSMappingItem: type: object properties: field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - wildcard + description: The ECS field to map to. + example: host.uptime type: string value: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - type - - field - - value - - operator - Security_Exceptions_API_ExceptionListItemEntryNested: + description: The value to map to the ECS field. + example: total_seconds + oneOf: + - type: string + - items: + type: string + type: array + Security_Osquery_API_ECSMappingOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + nullable: true + Security_Osquery_API_Enabled: + description: Enables the pack. 
+ example: true + type: boolean + Security_Osquery_API_EnabledOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + nullable: true + Security_Osquery_API_FindLiveQueryDetailsResponse: + example: + data: + '@timestamp': '2022-07-26T09:59:32.220Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2022-07-26T10:04:32.220Z' + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + docs: 0 + ecs_mapping: + host.uptime: + field: total_seconds + failed: 1 + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + pending: 0 + query: select * from uptime; + responded: 1 + saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + status: completed + successful: 0 + status: completed + user_id: elastic type: object properties: - entries: + data: + type: object + properties: + '@timestamp': + format: date-time + type: string + action_id: + type: string + agents: + items: + type: string + type: array + expiration: + format: date-time + type: string + pack_id: + type: string + pack_name: + type: string + prebuilt_pack: + type: boolean + queries: + description: The queries with their execution status. + items: + type: object + properties: + action_id: + type: string + agents: + items: + type: string + type: array + docs: + description: Number of result documents. + type: integer + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + failed: + description: Number of failed queries. + type: integer + id: + type: string + pending: + description: Number of pending agents. + type: integer + query: + type: string + responded: + description: Total responded agents. + type: integer + saved_query_id: + type: string + status: + description: Status of this individual query. + enum: + - completed + - running + type: string + successful: + description: Number of successful agents. 
+ type: integer + type: array + status: + description: Global status of the live query (completed, running). + enum: + - completed + - running + type: string + tags: + items: + type: string + type: array + user_id: + type: string + user_profile_uid: + type: string + Security_Osquery_API_FindLiveQueryResponse: + example: + data: items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem - minItems: 1 - type: array - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - type: - enum: - - nested - type: string - required: - - type - - field - - entries - Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists - Security_Exceptions_API_ExceptionListItemEntryOperator: - enum: - - excluded - - included - type: string - Security_Exceptions_API_ExceptionListItemExpireTime: - description: >- - The exception item’s expiration date, in ISO format. This field is only - available for regular exception items, not endpoint exceptions. - format: date-time - type: string - Security_Exceptions_API_ExceptionListItemHumanId: - description: Human readable string identifier, e.g. `trusted-linux-processes` - example: simple_list_item - format: nonempty - minLength: 1 - type: string - Security_Exceptions_API_ExceptionListItemId: - description: Exception's identifier. - example: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - format: nonempty - minLength: 1 - type: string - Security_Exceptions_API_ExceptionListItemMeta: - additionalProperties: true - type: object - Security_Exceptions_API_ExceptionListItemName: - description: Exception list name. 
- format: nonempty - minLength: 1 - type: string - Security_Exceptions_API_ExceptionListItemOsTypeArray: - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' - type: array - Security_Exceptions_API_ExceptionListItemTags: - items: - description: >- - String array containing words and phrases to help categorize exception - items. - format: nonempty - minLength: 1 - type: string - type: array - Security_Exceptions_API_ExceptionListItemType: - enum: - - simple - type: string - Security_Exceptions_API_ExceptionListMeta: - additionalProperties: true - description: Placeholder for metadata about the list container. + - _source: + '@timestamp': '2023-10-31T00:00:00Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2023-10-31T00:00:00Z' + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + ecs_mapping: + host.uptime: + field: total_seconds + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + query: select * from uptime; + saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + result_counts: + error_agents: 0 + responded_agents: 1 + successful_agents: 1 + total_rows: 42 + user_id: elastic + total: 1 type: object - Security_Exceptions_API_ExceptionListName: - description: The name of the exception list. - example: My exception list - type: string - Security_Exceptions_API_ExceptionListOsType: - description: Use this field to specify the operating system. - enum: - - linux - - macos - - windows - type: string - Security_Exceptions_API_ExceptionListOsTypeArray: - description: Use this field to specify the operating system. Only enter one value. - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' - type: array - Security_Exceptions_API_ExceptionListsImportBulkError: + properties: + data: + type: object + properties: + items: + description: An array of live query action items. 
+ items: + type: object + properties: + _source: + type: object + properties: + '@timestamp': + format: date-time + type: string + action_id: + type: string + agents: + items: + type: string + type: array + expiration: + format: date-time + type: string + pack_id: + type: string + queries: + items: + type: object + properties: + action_id: + type: string + agents: + items: + type: string + type: array + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + type: string + query: + type: string + saved_query_id: + type: string + type: array + result_counts: + description: Result count statistics (present when withResultCounts is true). + type: object + properties: + error_agents: + type: integer + responded_agents: + type: integer + successful_agents: + type: integer + total_rows: + type: integer + user_id: + type: string + type: array + total: + description: The total number of live queries. + type: integer + Security_Osquery_API_FindPackResponse: + description: The details of a single query pack. + example: + data: + created_at: '2022-07-25T19:41:10.263Z' + created_by: elastic + description: '' + enabled: true + name: test_pack + namespaces: + - default + policy_ids: [] + queries: + uptime: + ecs_mapping: + message: + field: days + interval: 3600 + query: select * from uptime + read_only: false + saved_object_id: 3c42c847-eb30-4452-80e0-728584042334 + shards: {} + type: osquery-pack + updated_at: '2022-07-25T20:12:01.455Z' + updated_by: elastic + version: 1 type: object properties: - error: + data: + description: The pack details. 
type: object properties: - message: + created_at: + format: date-time type: string - status_code: + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + namespaces: + description: The namespaces the pack belongs to. + items: + type: string + type: array + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' + read_only: + description: Whether the pack is read-only (true for prebuilt packs). + type: boolean + saved_object_id: + description: The saved object ID of the pack. + type: string + shards: + $ref: '#/components/schemas/Security_Osquery_API_Shards' + type: + description: The saved object type. + type: string + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + description: The pack version number. type: integer required: - - status_code - - message - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - list_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - saved_object_id + - name required: - - error - Security_Exceptions_API_ExceptionListsImportBulkErrorArray: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError - type: array - Security_Exceptions_API_ExceptionListTags: - description: >- - String array containing words and phrases to help categorize exception - containers. - items: - type: string - type: array - Security_Exceptions_API_ExceptionListType: - description: >- - The type of exception list to be created. 
Different list types may - denote where they can be utilized. - enum: - - detection - - rule_default - - endpoint - - endpoint_trusted_apps - - endpoint_trusted_devices - - endpoint_events - - endpoint_host_isolation_exceptions - - endpoint_blocklists - type: string - Security_Exceptions_API_ExceptionListVersion: - description: The document version, automatically increasd on updates. - minimum: 1 - type: integer - Security_Exceptions_API_ExceptionNamespaceType: - description: > - Determines whether the exception container is available in all Kibana - spaces or just the space - - in which it is created, where: - - - - `single`: Only available in the Kibana space in which it is created. - - - `agnostic`: Available in all Kibana spaces. - - - For endpoint artifacts, the `namespace_type` must always be `agnostic`. - Space awareness for endpoint artifacts is enforced based on Elastic - Defend policy assignments. - enum: - - agnostic - - single - type: string - Security_Exceptions_API_FindExceptionListItemsFilter: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - Security_Exceptions_API_FindExceptionListsFilter: - example: exception-list.attributes.name:%Detection%20List - type: string - Security_Exceptions_API_HostIsolationProperties: - description: Host isolation exceptions list item properties. + - data + Security_Osquery_API_FindPacksResponse: + description: A paginated list of query packs. 
+ example: + data: + - created_at: '2023-10-31T00:00:00Z' + created_by: elastic + created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + description: My pack description + enabled: true + name: My Pack + policy_ids: [] + queries: + - ecs_mapping: + - key: host.uptime + value: + field: total_seconds + id: uptime + interval: 3600 + query: select * from uptime; + read_only: false + saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + updated_at: '2023-10-31T00:00:00Z' + updated_by: elastic + updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + page: 1 + per_page: 10 + total: 1 type: object properties: - entries: - description: Exactly one entry allowed for host isolation exceptions + data: + description: An array of pack objects. items: type: object properties: - field: - description: Must be destination.ip - enum: - - destination.ip + created_at: + format: date-time type: string - operator: - description: Must be the value "included" - enum: - - included + created_by: + nullable: true type: string - type: - description: Must be match - enum: - - match + created_by_profile_uid: type: string - value: - description: >- - Valid IPv4 address or CIDR notation (e.g., "192.168.1.1" or - "10.0.0.0/8") + description: + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + queries: + description: 'Pack queries in saved-object storage format (array). Note: the read endpoint returns object format.' 
+ items: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' + id: + type: string + interval: + type: integer + platform: + type: string + query: + type: string + removed: + type: boolean + snapshot: + type: boolean + timeout: + type: integer + version: + type: string + type: array + read_only: + description: Whether the pack is read-only (true for prebuilt packs). + type: boolean + saved_object_id: + description: The saved object ID of the pack. + type: string + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: type: string + version: + description: The pack version number. + type: integer required: - - field - - type - - value - - operator - maxItems: 1 - minItems: 1 - type: array - list_id: - enum: - - endpoint_host_isolation_exceptions - example: endpoint_host_isolation_exceptions - type: string - os_types: - description: Must include all three operating systems (windows, linux, macos) - items: - enum: - - windows - - linux - - macos - type: string - maxItems: 3 - minItems: 3 + - saved_object_id + - name type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_ListId: - description: Value list's identifier. - example: 21b01cfb-058d-44b9-838c-282be16c91cd - format: nonempty - minLength: 1 - type: string - Security_Exceptions_API_ListType: - description: > - Specifies the Elasticsearch data type of excludes the list container - holds. 
Some common examples: - - - - `keyword`: Many ECS fields are Elasticsearch keywords - - - `ip`: IP addresses - - - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR - notation) - enum: - - binary - - boolean - - byte - - date - - date_nanos - - date_range - - double - - double_range - - float - - float_range - - geo_point - - geo_shape - - half_float - - integer - - integer_range - - ip - - ip_range - - keyword - - long - - long_range - - shape - - short - - text - type: string - Security_Exceptions_API_NonEmptyString: - description: A string that does not contain only whitespace characters - format: nonempty - minLength: 1 - type: string - Security_Exceptions_API_PlatformErrorResponse: - type: object - properties: - error: - type: string - message: - type: string - statusCode: + page: + description: The current page number. + type: integer + per_page: + description: The number of results per page. + type: integer + total: + description: The total number of packs. type: integer required: - - statusCode - - error - - message - Security_Exceptions_API_RuleId: - $ref: '#/components/schemas/Security_Exceptions_API_UUID' - Security_Exceptions_API_SiemErrorResponse: + - page + - per_page + - total + - data + Security_Osquery_API_FindSavedQueryDetailResponse: + description: The details of a single saved query. 
+ example: + data: + created_at: '2022-07-26T09:28:08.597Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: saved_query_id + interval: '60' + platform: linux,darwin + prebuilt: false + query: select * from uptime; + saved_object_id: 3c42c847-eb30-4452-80e0-728584042334 + updated_at: '2022-07-26T09:28:08.597Z' + updated_by: elastic + version: 2.8.0 type: object properties: - message: - type: string - status_code: - type: integer + data: + type: object + properties: + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + oneOf: + - type: integer + - type: string + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + prebuilt: + type: boolean + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + saved_object_id: + type: string + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + timeout: + type: integer + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + oneOf: + - type: integer + - type: string + required: + - saved_object_id + - id required: - - status_code - - message - Security_Exceptions_API_TrustedAppHashEntry: + - data + Security_Osquery_API_FindSavedQueryResponse: + description: A paginated list of saved queries. 
+ example: + data: + - created_at: '2022-07-26T09:28:08.597Z' + created_by: elastic + created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: saved_query_id + interval: '60' + platform: linux,darwin + prebuilt: false + query: select * from uptime; + saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + updated_at: '2022-07-26T09:28:08.597Z' + updated_by: elastic + updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + version: 2.8.0 + page: 1 + per_page: 100 + total: 11 type: object properties: - field: - description: Process hash field - enum: - - process.hash.md5 - - process.hash.sha1 - - process.hash.sha256 - type: string - operator: - enum: - - included - type: string - type: - description: Hash entries only support match type - enum: - - match - type: string - value: - description: Hash value (MD5, SHA1, or SHA256) - type: string + data: + description: An array of saved query objects. 
+ items: + type: object + properties: + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + oneOf: + - type: integer + - type: string + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + prebuilt: + type: boolean + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + saved_object_id: + type: string + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + timeout: + type: integer + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + oneOf: + - type: integer + - type: string + required: + - saved_object_id + - id + type: array + page: + description: The current page number. + type: integer + per_page: + description: The number of results per page. + type: integer + total: + description: The total number of saved queries. + type: integer required: - - field - - type - - value - - operator - Security_Exceptions_API_TrustedAppMacCodeSignatureEntry: + - page + - per_page + - total + - data + Security_Osquery_API_GetLiveQueryResultsResponse: + description: The response for getting live query results. 
+ example: + data: + edges: + - _id: doc1 + _source: {} + - _id: doc2 + _source: {} + total: 2 type: object properties: - entries: - description: >- - Must include exactly 2 entries - one for subject_name and one for - trusted - items: - oneOf: - - type: object - properties: - field: - enum: - - subject_name - type: string - operator: - enum: - - included - type: string - type: - enum: - - match - type: string - value: - description: Certificate subject name - type: string - required: - - field - - type - - value - - operator - - type: object + data: + type: object + properties: + edges: + description: The result rows from the query execution. + items: + type: object properties: - field: - enum: - - trusted - type: string - operator: - enum: - - included - type: string - type: - enum: - - match - type: string - value: - description: Must be the string 'true' - enum: - - 'true' + _id: type: string - required: - - field - - type - - value - - operator - maxItems: 2 - minItems: 2 + _source: + description: The Elasticsearch document source containing query results. + type: object + type: array + total: + description: The total number of result rows. + type: integer + Security_Osquery_API_GetScheduledActionResultsResponse: + example: + aggregations: + failed: 1 + pending: 0 + successful: 9 + totalResponded: 10 + totalRowCount: 42 + currentPage: 0 + edges: + - _id: result-001 + fields: + agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 + rows_count: 5 + status: success + metadata: + executionCount: 3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + timestamp: '2024-07-26T09:00:00.000Z' + pageSize: 20 + total: 10 + totalPages: 1 + type: object + properties: + aggregations: + $ref: '#/components/schemas/Security_Osquery_API_ScheduledActionResultsAggregations' + currentPage: + description: The current page number (zero-based). 
+ type: integer + edges: + description: The paginated list of per-agent action results. + items: + type: object type: array - field: - description: macOS code signature field - enum: - - process.code_signature - type: string - type: - enum: - - nested - type: string - required: - - field - - type - - entries - Security_Exceptions_API_TrustedAppPathEntry: + inspect: + description: Debug/inspection data for the search query. + type: object + metadata: + $ref: '#/components/schemas/Security_Osquery_API_ScheduledExecutionMetadata' + pageSize: + description: The number of results per page. + type: integer + total: + description: The total number of action results. + type: integer + totalPages: + description: The total number of pages. + type: integer + Security_Osquery_API_GetScheduledQueryResultsResponse: + description: The response for getting scheduled query results. + example: + data: + edges: + - _id: row-001 + fields: + host.uptime: + - '12345' + - _id: row-002 + fields: + host.uptime: + - '67890' + total: 2 type: object properties: - field: - description: Process executable path field - enum: - - process.executable.caseless - type: string - operator: - enum: - - included - type: string - type: - description: Path supports both match and wildcard types - enum: - - match - - wildcard - type: string - value: - description: Executable path - type: string - required: - - field - - type - - value - - operator - Security_Exceptions_API_TrustedAppsLinuxProperties: - description: Trusted applications list item properties (Linux). + data: + description: The query results data wrapper. + type: object + properties: + edges: + description: The paginated list of query result rows. + items: + type: object + type: array + inspect: + description: Debug/inspection data for the search query. + type: object + total: + description: The total number of result rows. 
+ type: integer + Security_Osquery_API_GetUnifiedHistoryResponse: + example: + data: + - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agentCount: 5 + errorCount: 0 + id: 3c42c847-eb30-4452-80e0-728584042334 + queryName: uptime_query + queryText: select * from uptime; + source: Live + sourceType: live + successCount: 5 + timestamp: '2024-07-26T09:59:32.220Z' + totalRows: 42 + userId: elastic + - agentCount: 10 + errorCount: 1 + executionCount: 3 + id: pack_my_pack_uptime_3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + plannedTime: '2024-07-26T09:00:00.000Z' + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + source: Scheduled + sourceType: scheduled + successCount: 9 + timestamp: '2024-07-26T09:00:00.000Z' + totalRows: 100 + hasMore: true + nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... type: object properties: - entries: - description: >- - Process hash or executable path entries (code signature not - supported on Linux) + data: + description: The list of unified history rows for the current page. items: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppHashEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppPathEntry - minItems: 1 + $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRow' type: array - list_id: - enum: - - endpoint_trusted_apps - example: endpoint_trusted_apps + hasMore: + description: Whether there are more results beyond the current page. + type: boolean + nextPage: + description: A base64-encoded cursor to fetch the next page. Absent when there are no more results. 
type: string - os_types: - description: Must be Linux only - items: - enum: - - linux - type: string - maxItems: 1 - minItems: 1 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - - list_id - Security_Exceptions_API_TrustedAppsMacProperties: - description: Trusted applications list item properties (macOS). + - data + - hasMore + Security_Osquery_API_Interval: + description: An interval, in seconds, on which to run the query. + example: '60' + type: string + Security_Osquery_API_IntervalOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Interval' + nullable: true + Security_Osquery_API_KueryOrUndefined: + description: The kuery to filter the results by. + example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13' + nullable: true + type: string + Security_Osquery_API_LiveHistoryRow: + allOf: + - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' + - type: object + properties: + actionId: + description: The Fleet action ID for the live query. + type: string + agentAll: + description: Whether the query targeted all agents. + type: boolean + agentIds: + description: List of targeted agent IDs. + items: + type: string + type: array + agentPlatforms: + description: List of targeted agent platforms. + items: + type: string + type: array + agentPolicyIds: + description: List of targeted agent policy IDs. + items: + type: string + type: array + ecsMapping: + additionalProperties: true + description: ECS mapping configuration used for the query. + type: object + queriesTotal: + description: The total number of sub-queries in the live action. + type: integer + queriesWithResults: + description: The number of sub-queries that returned results. + type: integer + savedQueryId: + description: The saved query ID, if the live query was based on a saved query. + type: string + source: + description: Whether this was a manually run live query or triggered by a rule. 
+ enum: + - Live + - Rule + type: string + sourceType: + description: Identifies this as a live query history row. + enum: + - live + type: string + timeout: + description: The query timeout in seconds. + type: integer + userId: + description: The ID of the user who ran the query. + type: string + userProfileUid: + description: The user profile UID of the user who ran the query. + type: string + required: + - sourceType + - source + Security_Osquery_API_ObjectQueries: + additionalProperties: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem' + description: An object of queries. + type: object + Security_Osquery_API_ObjectQueriesItem: type: object properties: - entries: - description: Process hash, executable path, or code signature entries - items: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppHashEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppPathEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppMacCodeSignatureEntry - minItems: 1 - type: array - list_id: - enum: - - endpoint_trusted_apps - example: endpoint_trusted_apps - type: string - os_types: - description: Must be macOS only - items: - enum: - - macos - type: string - maxItems: 1 - minItems: 1 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_TrustedAppsWindowsProperties: - description: Trusted applications list item properties (Windows). 
+ ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_QueryId' + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + saved_query_id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + version: + $ref: '#/components/schemas/Security_Osquery_API_Version' + Security_Osquery_API_PackDescription: + description: The pack description. + example: Pack description + type: string + Security_Osquery_API_PackDescriptionOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + nullable: true + Security_Osquery_API_PackId: + description: The ID of the pack. + example: 3c42c847-eb30-4452-80e0-728584042334 + type: string + Security_Osquery_API_PackIdOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + nullable: true + Security_Osquery_API_PackName: + description: The pack name. + example: my_pack + type: string + Security_Osquery_API_PageOrUndefined: + description: The page number to return. The default is 1. + example: 1 + nullable: true + type: integer + Security_Osquery_API_PageSizeOrUndefined: + description: The number of results to return per page. The default is 20. + example: 20 + nullable: true + type: integer + Security_Osquery_API_Platform: + description: Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, `linux,darwin`. + example: linux,darwin + type: string + Security_Osquery_API_PlatformOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + nullable: true + Security_Osquery_API_PolicyIds: + description: A list of agents policy IDs. 
+ example: + - policyId1 + - policyId2 + items: + type: string + type: array + Security_Osquery_API_PolicyIdsOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + nullable: true + Security_Osquery_API_Query: + description: The SQL query you want to run. + example: select * from uptime; + type: string + Security_Osquery_API_QueryId: + description: The ID of the query. + example: 3c42c847-eb30-4452-80e0-728584042334 + type: string + Security_Osquery_API_QueryOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Query' + nullable: true + Security_Osquery_API_Removed: + description: Indicates whether the query is removed. + example: false + type: boolean + Security_Osquery_API_RemovedOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + nullable: true + Security_Osquery_API_SavedQueryDescription: + description: The saved query description. + example: Saved query description + type: string + Security_Osquery_API_SavedQueryDescriptionOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + nullable: true + Security_Osquery_API_SavedQueryId: + description: The ID of a saved query. 
+ example: 3c42c847-eb30-4452-80e0-728584042334 + type: string + Security_Osquery_API_SavedQueryIdOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + nullable: true + Security_Osquery_API_ScheduledActionResultsAggregations: type: object properties: - entries: - description: Process hash, executable path, or code signature entries - items: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppHashEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppPathEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry - minItems: 1 - type: array - list_id: - enum: - - endpoint_trusted_apps - example: endpoint_trusted_apps - type: string - os_types: - description: Must be Windows only - items: - enum: - - windows - type: string - maxItems: 1 - minItems: 1 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry: + failed: + description: The number of agents that returned errors. + type: integer + pending: + description: The number of agents with pending responses. + type: integer + successful: + description: The number of agents that completed successfully. + type: integer + totalResponded: + description: The total number of agents that responded. + type: integer + totalRowCount: + description: The total number of result rows across all agents. + type: integer + Security_Osquery_API_ScheduledExecutionMetadata: + description: Execution metadata resolved from the pack saved object. 
type: object properties: - entries: - description: >- - Must include exactly 2 entries - one for subject_name and one for - trusted - items: - oneOf: - - type: object - properties: - field: - enum: - - subject_name - type: string - operator: - enum: - - included - type: string - type: - enum: - - match - type: string - value: - description: Certificate subject name - type: string - required: - - field - - type - - value - - operator - - type: object - properties: - field: - enum: - - trusted - type: string - operator: - enum: - - included - type: string - type: - enum: - - match - type: string - value: - description: Must be the string 'true' - enum: - - 'true' - type: string - required: - - field - - type - - value - - operator - maxItems: 2 - minItems: 2 - type: array - field: - description: Windows code signature field - enum: - - process.Ext.code_signature + executionCount: + description: The execution count for this scheduled query run. + type: integer + packId: + description: The ID of the pack containing the query. type: string - type: - enum: - - nested + packName: + description: The name of the pack containing the query. type: string - required: - - field - - type - - entries - Security_Exceptions_API_TrustedDevicesMacProperties: - description: >- - Trusted devices list item properties (macOS-only, username not - supported). 
- type: object - properties: - entries: - description: >- - Exception entries for the trusted device (duplicate field entries - are not allowed) - items: - type: object - properties: - field: - description: Device field to match against - enum: - - device.serial_number - - device.type - - host.name - - device.vendor.name - - device.vendor.id - - device.product.id - - device.product.name - type: string - operator: - description: Must be the value "included" - enum: - - included - type: string - type: - description: Entry match type - enum: - - match - - wildcard - - match_any - type: string - value: - oneOf: - - description: Single value (used with match or wildcard) - type: string - - description: Array of values (used with match_any) - items: - type: string - minItems: 1 - type: array - required: - - field - - type - - value - - operator - minItems: 1 - type: array - list_id: - enum: - - endpoint_trusted_devices - example: endpoint_trusted_devices + queryName: + description: The name of the query within the pack. type: string - os_types: - description: macOS-only - items: - enum: - - macos - type: string - maxItems: 1 - minItems: 1 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_TrustedDevicesWindowsMacProperties: - description: >- - Trusted devices list item properties (Windows + macOS, username not - supported). 
- type: object - properties: - entries: - description: >- - Exception entries for the trusted device (duplicate field entries - are not allowed, username not available when targeting both OS) - items: - type: object - properties: - field: - description: >- - Device field to match against (username not available for - multi-OS) - enum: - - device.serial_number - - device.type - - host.name - - device.vendor.name - - device.vendor.id - - device.product.id - - device.product.name - type: string - operator: - description: Must be the value "included" - enum: - - included - type: string - type: - description: Entry match type - enum: - - match - - wildcard - - match_any - type: string - value: - oneOf: - - description: Single value (used with match or wildcard) - type: string - - description: Array of values (used with match_any) - items: - type: string - minItems: 1 - type: array - required: - - field - - type - - value - - operator - minItems: 1 - type: array - list_id: - enum: - - endpoint_trusted_devices - example: endpoint_trusted_devices + queryText: + description: The SQL query that was executed. type: string - os_types: - description: Must include both Windows and macOS (username field not allowed) - items: - enum: - - windows - - macos - type: string - maxItems: 2 - minItems: 2 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_TrustedDevicesWindowsProperties: - description: >- - Trusted devices list item properties (Windows-only, allows username - field). + scheduleId: + description: The schedule ID for the scheduled query. + type: string + timestamp: + description: The timestamp of the most recent response for this execution. 
+ type: string + Security_Osquery_API_ScheduledHistoryRow: + allOf: + - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' + - type: object + properties: + executionCount: + description: The execution count for this scheduled query run. + type: integer + plannedTime: + description: The planned execution time for the scheduled query. + type: string + scheduleId: + description: The schedule ID for the scheduled query. + type: string + source: + description: Indicates this is a scheduled query execution. + enum: + - Scheduled + type: string + sourceType: + description: Identifies this as a scheduled query history row. + enum: + - scheduled + type: string + required: + - sourceType + - source + Security_Osquery_API_Shards: + additionalProperties: + type: number + description: An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts. + example: + policy_id: 50 + type: object + Security_Osquery_API_Snapshot: + description: Indicates whether the query is a snapshot. + example: true + type: boolean + Security_Osquery_API_SnapshotOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + nullable: true + Security_Osquery_API_SortOrderOrUndefined: + description: Specifies the sort order. + enum: + - asc + - desc + example: desc + type: string + Security_Osquery_API_SortOrUndefined: + default: createdAt + description: The field that is used to sort the results. 
+ example: createdAt + nullable: true + type: string + Security_Osquery_API_UnifiedHistoryRow: + discriminator: + mapping: + live: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' + scheduled: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' + propertyName: sourceType + oneOf: + - $ref: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' + - $ref: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' + Security_Osquery_API_UnifiedHistoryRowBase: type: object properties: - entries: - description: >- - Exception entries for the trusted device (duplicate field entries - are not allowed) - items: - type: object - properties: - field: - description: Device field to match against (user.name is Windows-only) - enum: - - device.serial_number - - device.type - - host.name - - device.vendor.name - - device.vendor.id - - device.product.id - - device.product.name - - user.name - type: string - operator: - description: Must be the value "included" - enum: - - included - type: string - type: - description: Entry match type - enum: - - match - - wildcard - - match_any - type: string - value: - oneOf: - - description: Single value (used with match or wildcard) - type: string - - description: Array of values (used with match_any) - items: - type: string - minItems: 1 - type: array - required: - - field - - type - - value - - operator - minItems: 1 - type: array - list_id: - enum: - - endpoint_trusted_devices - example: endpoint_trusted_devices + agentCount: + description: The number of agents targeted by the query. + type: integer + errorCount: + description: The number of agent responses with errors. + nullable: true + type: integer + id: + description: Unique identifier for the history row. 
type: string - os_types: - description: Must be Windows-only to allow username field - items: - enum: - - windows - type: string - maxItems: 1 - minItems: 1 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + packId: + description: The ID of the pack containing the query. + type: string + packName: + description: The name of the pack containing the query. + type: string + queryName: + description: The name of the query, if available. + type: string + queryText: + description: The SQL query that was executed. + type: string + spaceId: + description: The Kibana space ID where the query was executed. + type: string + successCount: + description: The number of successful agent responses. + nullable: true + type: integer + timestamp: + description: The timestamp of the query execution. + type: string + totalRows: + description: The total number of result rows returned across all agents. + nullable: true + type: integer required: - - list_id - Security_Exceptions_API_UpdateExceptionListItemBase: + - id + - timestamp + - queryText + - agentCount + Security_Osquery_API_UpdatePacksRequestBody: + example: + name: updated_my_pack_name type: object properties: - _version: - description: >- - The version ID, normally returned by the API when the item is - retrieved. Use it to ensure updates are made against the latest - version. 
- type: string - comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray - default: [] description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription - expire_time: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - description: Either `id` or `item_id` must be specified - item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - description: Either `id` or `item_id` must be specified - meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single - type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' - required: - - type - - name - - description - Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties - Security_Exceptions_API_UpdateExceptionListItemBlocklistMac: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties' - Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties - Security_Exceptions_API_UpdateExceptionListItemComment: + $ref: 
'#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' + shards: + $ref: '#/components/schemas/Security_Osquery_API_Shards' + Security_Osquery_API_UpdatePacksResponse: + description: The response for updating a pack. + example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: true + name: updated_my_pack_name + policy_ids: + - my_policy_id + queries: + ports: + ecs_mapping: + client.port: + field: port + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: + 47638692-7c4c-4053-aa3e-7186f28df349: 35 + 5e267651-fe50-443e-8d3f-3bbc9171b618: 58 + updated_at: '2025-02-26T13:40:16.297Z' + updated_by: elastic + version: 1 type: object properties: - comment: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + data: + type: object + properties: + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' + saved_object_id: + description: The saved object ID of the pack. + type: string + shards: + $ref: '#/components/schemas/Security_Osquery_API_Shards' + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + description: The pack version number. 
+ type: integer + Security_Osquery_API_UpdateSavedQueryRequestBody: + example: + id: updated_my_saved_query_name + type: object + properties: + description: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - comment - Security_Exceptions_API_UpdateExceptionListItemCommentArray: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment - type: array - Security_Exceptions_API_UpdateExceptionListItemEndpointList: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties' - Security_Exceptions_API_UpdateExceptionListItemEventFilters: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties' - Security_Exceptions_API_UpdateExceptionListItemGeneric: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - example: - comments: [] - description: Updated description - entries: - - field: host.name - operator: included - type: match - value: rock01 - item_id: simple_list_item - name: Updated name - namespace_type: single - tags: [] - type: simple + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + $ref: '#/components/schemas/Security_Osquery_API_Interval' + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + version: + $ref: '#/components/schemas/Security_Osquery_API_Version' + 
Security_Osquery_API_UpdateSavedQueryResponse: + description: The response for updating a saved query. + example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + id: updated_my_saved_query_name + interval: '60' + query: select * from uptime; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + updated_at: '2025-02-26T13:40:16.297Z' + updated_by: elastic + version: WzQzMTcsMV0= + type: object + properties: + data: type: object properties: - entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemTags + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + oneOf: + - type: integer + - type: string + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + prebuilt: + type: boolean + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + saved_object_id: + type: string + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + timeout: + type: integer + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + description: The saved query version. 
+ type: string required: - - entries - Security_Exceptions_API_UpdateExceptionListItemHostIsolation: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties' - Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties - Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties - Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties - Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties - Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties - Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties - Security_Exceptions_API_UUID: - description: A universally unique identifier - format: uuid - type: string - Security_Lists_API_FindListItemsCursor: - description: >- - Returns the 
items that come after the last item returned in the previous - call (use the `cursor` value returned in the previous call). This - parameter uses the `tie_breaker_id` field to ensure all items are sorted - and returned correctly. - example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d - format: nonempty - minLength: 1 - type: string - Security_Lists_API_FindListItemsFilter: - example: value:127.0.0.1 - type: string - Security_Lists_API_FindListsCursor: - example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d - format: nonempty - minLength: 1 + - saved_object_id + - id + required: + - data + Security_Osquery_API_Version: + description: Uses the Osquery versions greater than or equal to the specified version string. + example: 1.0.0 type: string - Security_Lists_API_FindListsFilter: - example: value:127.0.0.1 + Security_Osquery_API_VersionOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Version' + nullable: true + Security_Timeline_API_AssociatedFilterType: + description: | + How the note is associated with a Timeline saved object and/or an event (`eventId`). `all`: no association-based restriction from this parameter. `document_only`: document-linked notes (non-empty `eventId`) without timeline association in the API's internal sense; post-filtering drops notes without a usable `eventId`. `saved_object_only`: timeline notes with no linked event (`eventId` empty or absent); post-filtering keeps timeline-only notes. `document_and_saved_object`: notes on a timeline and linked to an event; post-filtering enforces a real `eventId`. `orphan`: not on a timeline and `eventId` is empty (stricter than missing `eventId` in some cases). 
+ enum: + - all + - document_only + - saved_object_only + - document_and_saved_object + - orphan type: string - Security_Lists_API_List: + Security_Timeline_API_BareNote: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_NoteCreatedAndUpdatedMetadata' + - type: object + properties: + eventId: + description: | + Elasticsearch document `_id` for the event or alert this note refers to. Same value as the `documentIds` query parameter when fetching notes via GET /api/note. + example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + nullable: true + type: string + note: + description: The text of the note + example: This is an example text + nullable: true + type: string + timelineId: + description: The `savedObjectId` of the Timeline this note belongs to (not the note's own ID). + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + type: string + required: + - timelineId + Security_Timeline_API_BarePinnedEvent: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata' + - type: object + properties: + eventId: + description: The `_id` of the associated event for this pinned event. + example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + type: string + timelineId: + description: The `savedObjectId` of the timeline that this pinned event is associated with + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + type: string + required: + - eventId + - timelineId + Security_Timeline_API_ColumnHeaderResult: type: object properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - '@timestamp': - example: 2025-01-08T04:47:34.273Z - format: date-time - type: string - created_at: - description: Autogenerated date of object creation. - example: 2025-01-08T04:47:34.273Z - format: date-time + aggregatable: + nullable: true + type: boolean + category: + nullable: true type: string - created_by: - description: Autogenerated value - user that created object. 
- example: elastic + columnHeaderType: + nullable: true type: string description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' + nullable: true + type: string + example: + nullable: true + type: string id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - immutable: - type: boolean - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + nullable: true + type: string + indexes: + items: + type: string + nullable: true + type: array name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. - example: f5508188-b1e9-4e6e-9662-d039a7d89899 + nullable: true type: string - type: - $ref: '#/components/schemas/Security_Lists_API_ListType' - updated_at: - description: Autogenerated date of last object update. - example: 2025-01-08T04:47:34.273Z - format: date-time + placeholder: + nullable: true type: string - updated_by: - description: Autogenerated value - user that last updated object. - example: elastic + searchable: + nullable: true + type: boolean + type: + nullable: true type: string - version: - $ref: '#/components/schemas/Security_Lists_API_ListVersion' - required: - - id - - type - - name - - description - - immutable - - version - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Lists_API_ListDescription: - description: Describes the value list. - format: nonempty - minLength: 1 - type: string - Security_Lists_API_ListId: - description: Value list's identifier. 
- example: 21b01cfb-058d-44b9-838c-282be16c91cd - format: nonempty - minLength: 1 - type: string - Security_Lists_API_ListItem: + Security_Timeline_API_DataProviderQueryMatch: type: object properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - '@timestamp': - example: 2025-01-08T04:47:34.273Z - format: date-time - type: string - created_at: - description: Autogenerated date of object creation. - example: 2025-01-08T04:47:34.273Z - format: date-time - type: string - created_by: - description: Autogenerated value - user that created object. - example: elastic - type: string + enabled: + nullable: true + type: boolean + excluded: + nullable: true + type: boolean id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - list_id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. - example: f5508188-b1e9-4e6e-9662-d039a7d89899 + nullable: true type: string - type: - $ref: '#/components/schemas/Security_Lists_API_ListType' - updated_at: - description: Autogenerated date of last object update. - example: 2025-01-08T04:47:34.273Z - format: date-time + kqlQuery: + nullable: true type: string - updated_by: - description: Autogenerated value - user that last updated object. - example: elastic + name: + nullable: true type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' - required: - - id - - type - - list_id - - value - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Lists_API_ListItemId: - description: Value list item's identifier. - example: 54b01cfb-058d-44b9-838c-282be16c91cd - format: nonempty - minLength: 1 - type: string - Security_Lists_API_ListItemMetadata: - additionalProperties: true - description: Placeholder for metadata about the value list item. 
- type: object - Security_Lists_API_ListItemPrivileges: + queryMatch: + $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' + nullable: true + type: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' + nullable: true + Security_Timeline_API_DataProviderResult: type: object properties: - application: - additionalProperties: - type: boolean - type: object - cluster: - additionalProperties: - type: boolean - type: object - has_all_requested: + and: + items: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderQueryMatch' + nullable: true + type: array + enabled: + nullable: true type: boolean - index: - additionalProperties: - additionalProperties: - type: boolean - type: object - type: object - username: - type: string - required: - - username - - has_all_requested - - cluster - - index - - application - Security_Lists_API_ListItemValue: - description: The value used to evaluate exceptions. - format: nonempty - minLength: 1 - type: string - Security_Lists_API_ListMetadata: - additionalProperties: true - description: Placeholder for metadata about the value list. - type: object - Security_Lists_API_ListName: - description: Value list's name. - example: List of bad IPs - format: nonempty - minLength: 1 - type: string - Security_Lists_API_ListPrivileges: - type: object - properties: - application: - additionalProperties: - type: boolean - type: object - cluster: - additionalProperties: - type: boolean - type: object - has_all_requested: + excluded: + nullable: true type: boolean - index: - additionalProperties: - additionalProperties: - type: boolean - type: object - type: object - username: + id: + nullable: true type: string - required: - - username - - has_all_requested - - cluster - - index - - application - Security_Lists_API_ListType: - description: > - Specifies the Elasticsearch data type of excludes the list container - holds. 
Some common examples: - - - - `keyword`: Many ECS fields are Elasticsearch keywords - - - `ip`: IP addresses - - - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR - notation) + kqlQuery: + nullable: true + type: string + name: + nullable: true + type: string + queryMatch: + $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' + nullable: true + type: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' + nullable: true + Security_Timeline_API_DataProviderType: + description: The type of data provider. enum: - - binary - - boolean - - byte - - date - - date_nanos - - date_range - - double - - double_range - - float - - float_range - - geo_point - - geo_shape - - half_float - - integer - - integer_range - - ip - - ip_range - - keyword - - long - - long_range - - shape - - short - - text - type: string - Security_Lists_API_ListVersion: - description: The document version number. - example: 1 - minimum: 1 - type: integer - Security_Lists_API_ListVersionId: - description: > - The version id, normally returned by the API when the document is - retrieved. Use it ensure updates are done against the latest version. - example: WzIsMV0= + - default + - template type: string - Security_Lists_API_PlatformErrorResponse: + Security_Timeline_API_DocumentIds: + description: One document ID or an array of IDs (Elasticsearch `_id` of the event). 
+ oneOf: + - items: + type: string + type: array + - type: string + Security_Timeline_API_FavoriteTimelineResponse: type: object properties: - error: + favorite: + items: + $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' + type: array + savedObjectId: type: string - message: + templateTimelineId: + nullable: true type: string - statusCode: - type: integer - required: - - statusCode - - error - - message - Security_Lists_API_SiemErrorResponse: - type: object - properties: - message: + templateTimelineVersion: + nullable: true + type: number + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + version: type: string - status_code: - type: integer required: - - status_code - - message - Security_Osquery_API_ArrayQueries: - description: An array of queries to run. - items: - $ref: '#/components/schemas/Security_Osquery_API_ArrayQueriesItem' - type: array - Security_Osquery_API_ArrayQueriesItem: - type: object - properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_QueryId' - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' - Security_Osquery_API_CopyPacksResponse: - description: The response for copying a pack. 
- example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: false - name: my_pack_copy - policy_ids: [] - queries: - - ecs_mapping: - - key: client.port - value: - field: port - id: ports - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: [] - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic + - savedObjectId + - version + Security_Timeline_API_FavoriteTimelineResult: + description: Indicates when and who marked a Timeline as a favorite. + example: + favoriteDate: 1741337636741 + userName: elastic type: object properties: - data: + favoriteDate: + nullable: true + type: number + fullName: + nullable: true + type: string + userName: + nullable: true + type: string + Security_Timeline_API_FilterTimelineResult: + example: + meta: + alias: Custom filter name + disabled: false + index: .alerts-security.alerts-default,logs-* + key: '@timestamp' + negate: false, + type: exists + value: exists + query: '{"exists":{"field":"@timestamp"}}' + type: object + properties: + exists: + nullable: true + type: string + match_all: + nullable: true + type: string + meta: + nullable: true type: object properties: - created_at: - format: date-time - type: string - created_by: + alias: nullable: true type: string - created_by_profile_uid: - type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - description: >- - Pack queries in saved-object storage format (array). Note: the - read endpoint returns object format. 
- items: - type: object - properties: - ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingArrayOrUndefined - id: - type: string - interval: - type: integer - platform: - type: string - query: - type: string - removed: - type: boolean - snapshot: - type: boolean - timeout: - type: integer - version: - type: string - type: array - saved_object_id: - description: The saved object ID of the copied pack. - type: string - shards: - description: Shard configuration as an array of key-value pairs. - items: - type: object - properties: - key: - type: string - value: - type: number - type: array - updated_at: - format: date-time - type: string - updated_by: + controlledBy: nullable: true type: string - updated_by_profile_uid: - type: string - version: - description: The pack version number. - type: integer - required: - - saved_object_id - - name - required: - - data - Security_Osquery_API_CopySavedQueryResponse: - description: The response for copying a saved query. - example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query_copy - interval: '60' - platform: linux,darwin - query: select * from uptime; - removed: false - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - snapshot: true - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - type: object - properties: - data: - type: object - properties: - created_at: - format: date-time + disabled: + nullable: true + type: boolean + field: + nullable: true type: string - created_by: + formattedValue: nullable: true type: string - created_by_profile_uid: + index: + nullable: true type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: 
'#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - oneOf: - - type: integer - - type: string - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - saved_object_id: + key: + nullable: true type: string - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - timeout: - type: integer - updated_at: - format: date-time + negate: + nullable: true + type: boolean + params: + nullable: true type: string - updated_by: + type: nullable: true type: string - updated_by_profile_uid: + value: + nullable: true type: string - required: - - saved_object_id - - id - required: - - data - Security_Osquery_API_CreateLiveQueryRequestBody: - example: - agent_all: true - ecs_mapping: - host.uptime: - field: total_seconds - query: select * from uptime; + missing: + nullable: true + type: string + query: + nullable: true + type: string + range: + nullable: true + type: string + script: + nullable: true + type: string + Security_Timeline_API_GetNotesResult: type: object properties: - agent_all: - description: When `true`, the query runs on all agents. - type: boolean - agent_ids: - description: A list of agent IDs to run the query on. - items: - type: string - type: array - agent_platforms: - description: A list of agent platforms to run the query on. - items: - type: string - type: array - agent_policy_ids: - description: A list of agent policy IDs to run the query on. - items: - type: string - type: array - alert_ids: - description: A list of alert IDs associated with the live query. - items: - type: string - type: array - case_ids: - description: A list of case IDs associated with the live query. 
- items: - type: string - type: array - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - event_ids: - description: A list of event IDs associated with the live query. + notes: items: - type: string + $ref: '#/components/schemas/Security_Timeline_API_Note' type: array - metadata: - description: Custom metadata object associated with the live query. - nullable: true - type: object - pack_id: - $ref: '#/components/schemas/Security_Osquery_API_PackIdOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ArrayQueries' - query: - $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' - saved_query_id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' - Security_Osquery_API_CreateLiveQueryResponse: - description: The response for creating a live query. - example: - data: - '@timestamp': '2022-07-26T09:59:32.220Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agent_all: true - agent_ids: [] - agent_platforms: [] - agent_policy_ids: [] - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2022-07-26T10:04:32.220Z' - input_type: osquery - metadata: - execution_context: - name: osquery - url: /app/osquery/live_queries/new - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - ecs_mapping: - host.uptime: - field: total_seconds - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - query: select * from uptime; - timeout: 120 - type: INPUT_ACTION - user_id: elastic + totalCount: + description: Number of notes returned (may be adjusted after the query when `associatedFilter` applies post-filtering). + type: number + required: + - totalCount + - notes + Security_Timeline_API_ImportTimelineResult: type: object properties: - data: - type: object - properties: - '@timestamp': - description: The timestamp when the action was created. - format: date-time - type: string - action_id: - description: The ID of the action. 
- type: string - agent_all: - description: Whether the query targets all agents. - type: boolean - agent_ids: - description: The agent IDs targeted by the action. - items: + errors: + description: The list of failed Timeline imports + items: + type: object + properties: + error: + description: The error containing the reason why the timeline could not be imported + type: object + properties: + message: + description: The reason why the timeline could not be imported + example: Malformed JSON + type: string + status_code: + description: The HTTP status code of the error + example: 400 + type: number + id: + description: The ID of the timeline that failed to import + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 type: string - type: array - agent_platforms: - description: The agent platforms targeted. + type: array + success: + description: Indicates whether any of the Timelines were successfully imports + type: boolean + success_count: + description: The amount of successfully imported/updated Timelines + example: 99 + type: number + timelines_installed: + description: The amount of successfully installed Timelines + example: 80 + type: number + timelines_updated: + description: The amount of successfully updated Timelines + example: 19 + type: number + Security_Timeline_API_ImportTimelines: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object + properties: + eventNotes: items: - type: string + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + nullable: true type: array - agent_policy_ids: - description: The agent policy IDs targeted. + globalNotes: items: - type: string + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + nullable: true type: array - agents: - description: The resolved list of agent IDs. + pinnedEventIds: items: type: string + nullable: true type: array - expiration: - description: The expiration date of the action. 
- format: date-time - type: string - input_type: - description: The input type. + savedObjectId: + nullable: true type: string - metadata: - description: Custom metadata associated with the action. - type: object - pack_id: - description: The pack ID if the query was run from a pack. + version: + nullable: true type: string - queries: - description: The queries in this action. - items: - type: object - properties: - action_id: - type: string - agents: - items: - type: string - type: array - ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined - id: - type: string - platform: - type: string - query: - type: string - saved_query_id: - type: string - timeout: - type: integer - version: - type: string - type: array - type: - description: The action type. + required: + - savedObjectId + - version + - pinnedEventIds + - eventNotes + - globalNotes + Security_Timeline_API_Note: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_BareNote' + - type: object + properties: + noteId: + description: The `savedObjectId` of the note + example: 709f99c6-89b6-4953-9160-35945c8e174e type: string - user_id: - description: The user who created the action. 
+ version: + description: The version of the note + example: WzQ2LDFd type: string required: - - action_id - required: - - data - Security_Osquery_API_CreatePacksRequestBody: - example: - description: My pack - enabled: true - name: my_pack - policy_ids: - - my_policy_id - - fleet-server-policy - queries: - my_query: - ecs_mapping: - client.port: - field: port - tags: - value: - - tag1 - - tag2 - interval: 60 - query: SELECT * FROM listening_ports; - timeout: 120 - shards: - fleet-server-policy: 58 - my_policy_id: 35 + - noteId + - version + Security_Timeline_API_NoteCreatedAndUpdatedMetadata: type: object properties: - description: - $ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined' - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - shards: - $ref: '#/components/schemas/Security_Osquery_API_Shards' - Security_Osquery_API_CreatePacksResponse: - description: The response for creating a pack. - example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: true - name: my_pack - policy_ids: - - my_policy_id - queries: - ports: - ecs_mapping: - client.port: - field: port - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: - 47638692-7c4c-4053-aa3e-7186f28df349: 35 - 5e267651-fe50-443e-8d3f-3bbc9171b618: 58 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 1 + created: + description: The time the note was created, using a 13-digit Epoch timestamp. + example: 1587468588922 + nullable: true + type: number + createdBy: + description: The user who created the note. 
+ example: casetester + nullable: true + type: string + updated: + description: The last time the note was updated, using a 13-digit Epoch timestamp + example: 1741344876825 + nullable: true + type: number + updatedBy: + description: The user who last updated the note + example: casetester + nullable: true + type: string + Security_Timeline_API_PersistPinnedEventResponse: + oneOf: + - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + - type: object + properties: + unpinned: + description: Indicates whether the event was successfully unpinned + type: boolean + required: + - unpinned + Security_Timeline_API_PersistTimelineResponse: + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + Security_Timeline_API_PinnedEvent: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_BarePinnedEvent' + - type: object + properties: + pinnedEventId: + description: The `savedObjectId` of this pinned event + example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + type: string + version: + description: The version of this pinned event + example: WzQ2LDFe + type: string + required: + - pinnedEventId + - version + Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata: type: object properties: - data: - type: object - properties: - created_at: - description: The date and time the pack was created. - format: date-time + created: + description: The time the pinned event was created, using a 13-digit Epoch timestamp. + example: 1587468588922 + nullable: true + type: number + createdBy: + description: The user who created the pinned event. 
+ example: casetester + nullable: true + type: string + updated: + description: The last time the pinned event was updated, using a 13-digit Epoch timestamp + example: 1741344876825 + nullable: true + type: number + updatedBy: + description: The user who last updated the pinned event + example: casetester + nullable: true + type: string + Security_Timeline_API_QueryMatchResult: + type: object + properties: + displayField: + nullable: true + type: string + displayValue: + nullable: true + type: string + field: + nullable: true + type: string + operator: + nullable: true + type: string + value: + oneOf: + - nullable: true type: string - created_by: - description: The user who created the pack. + - items: + type: string nullable: true - type: string - created_by_profile_uid: - description: The profile UID of the user who created the pack. - type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - saved_object_id: - description: The saved object ID of the pack. - type: string - shards: - description: Shard configuration as an array of key-value pairs. - items: - type: object - properties: - key: - type: string - value: - type: number type: array - updated_at: - description: The date and time the pack was last updated. - format: date-time - type: string - updated_by: - description: The user who last updated the pack. - nullable: true - type: string - updated_by_profile_uid: - description: The profile UID of the user who last updated the pack. - type: string - version: - description: The pack version number. 
- type: integer - required: - - saved_object_id - - name + Security_Timeline_API_ResolvedTimeline: + type: object + properties: + alias_purpose: + $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose' + alias_target_id: + type: string + outcome: + $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome' + timeline: + $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject' required: - - data - Security_Osquery_API_CreateSavedQueryRequestBody: - example: - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: saved_query_id - interval: '60' - platform: linux,darwin - query: select * from uptime; - timeout: 120 - version: 2.8.0 + - timeline + - outcome + Security_Timeline_API_ResponseNote: type: object properties: - description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - $ref: '#/components/schemas/Security_Osquery_API_Interval' - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - query: - $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' - Security_Osquery_API_CreateSavedQueryResponse: - description: The response for creating a saved query. 
- example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: saved_query_id - interval: '60' - platform: linux,darwin - prebuilt: false - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 2.8.0 + note: + $ref: '#/components/schemas/Security_Timeline_API_Note' + required: + - note + Security_Timeline_API_RowRendererId: + description: Identifies the available row renderers + enum: + - alert + - alerts + - auditd + - auditd_file + - library + - netflow + - plain + - registry + - suricata + - system + - system_dns + - system_endgame_process + - system_file + - system_fim + - system_security_event + - system_socket + - threat_match + - zeek + type: string + Security_Timeline_API_SavedObjectIds: + description: One Timeline saved object ID or an array of IDs. + oneOf: + - items: + type: string + type: array + - type: string + Security_Timeline_API_SavedObjectResolveAliasPurpose: + enum: + - savedObjectConversion + - savedObjectImport + type: string + Security_Timeline_API_SavedObjectResolveOutcome: + enum: + - exactMatch + - aliasMatch + - conflict + type: string + Security_Timeline_API_SavedTimeline: type: object properties: - data: + columns: + description: The Timeline's columns + example: + - columnHeaderType: not-filtered + id: '@timestamp' + - columnHeaderType: not-filtered + id: event.category + items: + $ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult' + nullable: true + type: array + created: + description: The time the Timeline was created, using a 13-digit Epoch timestamp. + example: 1587468588922 + nullable: true + type: number + createdBy: + description: The user who created the Timeline. 
+ example: casetester + nullable: true + type: string + dataProviders: + description: Object containing query clauses + example: + - enabled: true + excluded: false + id: id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b + name: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b + queryMatch: + field: _id, + operator: ':' + value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b, + items: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderResult' + nullable: true + type: array + dataViewId: + description: ID of the Timeline's Data View + example: security-solution-default + nullable: true + type: string + dateRange: + description: The Timeline's search period. + example: + end: 1587456479201 + start: 1587370079200 + nullable: true type: object properties: - created_at: - format: date-time - type: string - created_by: + end: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + start: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + description: + description: The Timeline's description + example: Investigating exposure of CVE XYZ + nullable: true + type: string + eqlOptions: + description: EQL query that is used in the correlation tab + example: + eventCategoryField: event.category + query: sequence\n[process where process.name == "sudo"]\n[any where true] + size: 100 + timestampField: '@timestamp' + nullable: true + type: object + properties: + eventCategoryField: nullable: true type: string - created_by_profile_uid: - type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - description: >- - An interval, in seconds, on which to run the query. May be - returned as number or string. 
- oneOf: - - type: integer - - type: string - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - prebuilt: - description: Whether the saved query is prebuilt. - type: boolean query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - saved_object_id: - description: The saved object ID of the saved query. + nullable: true type: string - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - timeout: - description: The query timeout in seconds. - type: integer - updated_at: - format: date-time + size: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + tiebreakerField: + nullable: true type: string - updated_by: + timestampField: nullable: true type: string - updated_by_profile_uid: + eventType: + deprecated: true + description: Event types displayed in the Timeline + example: all + nullable: true + type: string + excludedRowRendererIds: + description: A list of row renderers that should not be used when in `Event renderers` mode + items: + $ref: '#/components/schemas/Security_Timeline_API_RowRendererId' + nullable: true + type: array + favorite: + items: + $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' + nullable: true + type: array + filters: + description: A list of filters that should be applied to the query + items: + $ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult' + nullable: true + type: array + indexNames: + description: A list of index names to use in the query (e.g. 
when the default data view has been modified) + example: + - .logs* + items: + type: string + nullable: true + type: array + kqlMode: + description: |- + Indicates whether the KQL bar filters the query results or searches for additional results, where: + * `filter`: filters query results + * `search`: displays additional search results + example: search + nullable: true + type: string + kqlQuery: + $ref: '#/components/schemas/Security_Timeline_API_SerializedFilterQueryResult' + nullable: true + savedQueryId: + description: The ID of the saved query that might be used in the Query tab + example: c7b16904-02d7-4f32-b8f2-cc20f9625d6e + nullable: true + type: string + savedSearchId: + description: The ID of the saved search that is used in the ES|QL tab + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true + type: string + sort: + $ref: '#/components/schemas/Security_Timeline_API_Sort' + nullable: true + status: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' + nullable: true + templateTimelineId: + description: A unique ID (UUID) for Timeline templates. For Timelines, the value is `null`. + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true + type: string + templateTimelineVersion: + description: Timeline template version number. For Timelines, the value is `null`. + example: 12 + nullable: true + type: number + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + title: + description: The Timeline's title. 
+ example: CVE XYZ investigation + nullable: true + type: string + updated: + description: The last time the Timeline was updated, using a 13-digit Epoch timestamp + example: 1741344876825 + nullable: true + type: number + updatedBy: + description: The user who last updated the Timeline + example: casetester + nullable: true + type: string + Security_Timeline_API_SavedTimelineWithSavedObjectId: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object + properties: + savedObjectId: + description: The `savedObjectId` of the Timeline or Timeline template + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e type: string version: - description: The saved query version. - oneOf: - - type: integer - - type: string + description: The version of the Timeline or Timeline template + example: WzE0LDFd + type: string required: - - saved_object_id - - id - required: - - data - Security_Osquery_API_DefaultSuccessResponse: - example: {} - type: object - properties: {} - Security_Osquery_API_ECSMapping: - additionalProperties: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' - description: >- - Map osquery results columns or static values to Elastic Common Schema - (ECS) fields + - savedObjectId + - version + Security_Timeline_API_SerializedFilterQueryResult: + description: KQL bar query. example: - host.uptime: - field: total_seconds - type: object - Security_Osquery_API_ECSMappingArray: - description: >- - ECS mapping in saved-object storage format (array of key-value pairs). - The find and copy pack endpoints return this format. The read endpoint - returns object format (ECSMapping). - items: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArrayItem' - type: array - Security_Osquery_API_ECSMappingArrayItem: - description: ECS mapping item in saved-object storage format (key-value pair). - type: object - properties: - key: - description: The ECS field name. 
- type: string - value: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' - Security_Osquery_API_ECSMappingArrayOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' - nullable: true - Security_Osquery_API_ECSMappingItem: + filterQuery: null + kuery: + expression: '_id : *' + kind: kuery + serializedQuery: '{"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}}' type: object properties: - field: - description: The ECS field to map to. - example: host.uptime - type: string - value: - description: The value to map to the ECS field. - example: total_seconds - oneOf: - - type: string - - items: - type: string - type: array - Security_Osquery_API_ECSMappingOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - nullable: true - Security_Osquery_API_Enabled: - description: Enables the pack. - example: true - type: boolean - Security_Osquery_API_EnabledOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Enabled' - nullable: true - Security_Osquery_API_FindLiveQueryDetailsResponse: - example: - data: - '@timestamp': '2022-07-26T09:59:32.220Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2022-07-26T10:04:32.220Z' - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - docs: 0 - ecs_mapping: - host.uptime: - field: total_seconds - failed: 1 - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - pending: 0 - query: select * from uptime; - responded: 1 - saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - status: completed - successful: 0 - status: completed - user_id: elastic + filterQuery: + nullable: true + type: object + properties: + kuery: + nullable: true + type: object + properties: + expression: + nullable: true + type: string + kind: + nullable: true + type: string + serializedQuery: + nullable: true + type: string + Security_Timeline_API_Sort: + 
oneOf: + - $ref: '#/components/schemas/Security_Timeline_API_SortObject' + - items: + $ref: '#/components/schemas/Security_Timeline_API_SortObject' + type: array + Security_Timeline_API_SortFieldTimeline: + description: The field to sort the timelines by. + enum: + - title + - description + - updated + - created + type: string + Security_Timeline_API_SortObject: + description: Object indicating how rows are sorted in the Timeline's grid + example: + columnId: '@timestamp' + sortDirection: desc type: object properties: - data: - type: object + columnId: + nullable: true + type: string + columnType: + nullable: true + type: string + sortDirection: + nullable: true + type: string + Security_Timeline_API_TimelineResponse: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId' + - type: object properties: - '@timestamp': - format: date-time - type: string - action_id: - type: string - agents: + eventIdToNoteIds: + description: A list of all the notes that are associated to this Timeline. + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + nullable: true + type: array + noteIds: + description: A list of all the ids of notes that are associated to this Timeline. + example: + - 709f99c6-89b6-4953-9160-35945c8e174e items: type: string + nullable: true type: array - expiration: - format: date-time - type: string - pack_id: - type: string - pack_name: - type: string - prebuilt_pack: - type: boolean - queries: - description: The queries with their execution status. + notes: + description: A list of all the notes that are associated to this Timeline. items: - type: object - properties: - action_id: - type: string - agents: - items: - type: string - type: array - docs: - description: Number of result documents. 
- type: integer - ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined - failed: - description: Number of failed queries. - type: integer - id: - type: string - pending: - description: Number of pending agents. - type: integer - query: - type: string - responded: - description: Total responded agents. - type: integer - saved_query_id: - type: string - status: - description: Status of this individual query. - enum: - - completed - - running - type: string - successful: - description: Number of successful agents. - type: integer + $ref: '#/components/schemas/Security_Timeline_API_Note' + nullable: true type: array - status: - description: Global status of the live query (completed, running). - enum: - - completed - - running - type: string - tags: + pinnedEventIds: + description: A list of all the ids of pinned events that are associated to this Timeline. + example: + - 983f99c6-89b6-4953-9160-35945c8a194f items: type: string + nullable: true type: array - user_id: - type: string - user_profile_uid: - type: string - Security_Osquery_API_FindLiveQueryResponse: - example: - data: - items: - - _source: - '@timestamp': '2023-10-31T00:00:00Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2023-10-31T00:00:00Z' - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - ecs_mapping: - host.uptime: - field: total_seconds - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - query: select * from uptime; - saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - result_counts: - error_agents: 0 - responded_agents: 1 - successful_agents: 1 - total_rows: 42 - user_id: elastic - total: 1 - type: object - properties: - data: - type: object - properties: - items: - description: An array of live query action items. + pinnedEventsSaveObject: + description: A list of all the pinned events that are associated to this Timeline. 
items: - type: object - properties: - _source: - type: object - properties: - '@timestamp': - format: date-time - type: string - action_id: - type: string - agents: - items: - type: string - type: array - expiration: - format: date-time - type: string - pack_id: - type: string - queries: - items: - type: object - properties: - action_id: - type: string - agents: - items: - type: string - type: array - ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined - id: - type: string - query: - type: string - saved_query_id: - type: string - type: array - result_counts: - description: >- - Result count statistics (present when withResultCounts - is true). - type: object - properties: - error_agents: - type: integer - responded_agents: - type: integer - successful_agents: - type: integer - total_rows: - type: integer - user_id: - type: string + $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + nullable: true type: array - total: - description: The total number of live queries. - type: integer - Security_Osquery_API_FindPackResponse: - description: The details of a single query pack. - example: - data: - created_at: '2022-07-25T19:41:10.263Z' - created_by: elastic - description: '' - enabled: true - name: test_pack - namespaces: - - default - policy_ids: [] - queries: - uptime: - ecs_mapping: - message: - field: days - interval: 3600 - query: select * from uptime - read_only: false - saved_object_id: 3c42c847-eb30-4452-80e0-728584042334 - shards: {} - type: osquery-pack - updated_at: '2022-07-25T20:12:01.455Z' - updated_by: elastic - version: 1 - type: object - properties: - data: - description: The pack details. 
- type: object + Security_Timeline_API_TimelineSavedToReturnObject: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object properties: - created_at: - format: date-time - type: string - created_by: + eventIdToNoteIds: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - namespaces: - description: The namespaces the pack belongs to. + type: array + noteIds: items: type: string + nullable: true type: array - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - read_only: - description: Whether the pack is read-only (true for prebuilt packs). - type: boolean - saved_object_id: - description: The saved object ID of the pack. - type: string - shards: - $ref: '#/components/schemas/Security_Osquery_API_Shards' - type: - description: The saved object type. - type: string - updated_at: - format: date-time - type: string - updated_by: + notes: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' nullable: true - type: string - updated_by_profile_uid: + type: array + pinnedEventIds: + items: + type: string + nullable: true + type: array + pinnedEventsSaveObject: + items: + $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + nullable: true + type: array + savedObjectId: type: string version: - description: The pack version number. - type: integer + type: string required: - - saved_object_id - - name + - savedObjectId + - version + Security_Timeline_API_TimelineStatus: + description: The status of the Timeline. 
+ enum: + - active + - draft + - immutable + type: string + Security_Timeline_API_TimelineType: + description: The type of Timeline. + enum: + - default + - template + type: string + SLOs_400_response: + title: Bad request + type: object + properties: + error: + example: Bad Request + type: string + message: + example: 'Invalid value ''foo'' supplied to: [...]' + type: string + statusCode: + example: 400 + type: number required: - - data - Security_Osquery_API_FindPacksResponse: - description: A paginated list of query packs. - example: - data: - - created_at: '2023-10-31T00:00:00Z' - created_by: elastic - created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - description: My pack description - enabled: true - name: My Pack - policy_ids: [] - queries: - - ecs_mapping: - - key: host.uptime - value: - field: total_seconds - id: uptime - interval: 3600 - query: select * from uptime; - read_only: false - saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - updated_at: '2023-10-31T00:00:00Z' - updated_by: elastic - updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - page: 1 - per_page: 10 - total: 1 + - statusCode + - error + - message + SLOs_401_response: + title: Unauthorized type: object properties: - data: - description: An array of pack objects. - items: - type: object - properties: - created_at: - format: date-time - type: string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - description: >- - Pack queries in saved-object storage format (array). Note: the - read endpoint returns object format. 
- items: - type: object - properties: - ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingArrayOrUndefined - id: - type: string - interval: - type: integer - platform: - type: string - query: - type: string - removed: - type: boolean - snapshot: - type: boolean - timeout: - type: integer - version: - type: string - type: array - read_only: - description: Whether the pack is read-only (true for prebuilt packs). - type: boolean - saved_object_id: - description: The saved object ID of the pack. - type: string - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: - type: string - version: - description: The pack version number. - type: integer - required: - - saved_object_id - - name - type: array - page: - description: The current page number. - type: integer - per_page: - description: The number of results per page. - type: integer - total: - description: The total number of packs. - type: integer + error: + example: Unauthorized + type: string + message: + example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" + type: string + statusCode: + example: 401 + type: number required: - - page - - per_page - - total - - data - Security_Osquery_API_FindSavedQueryDetailResponse: - description: The details of a single saved query. 
- example: - data: - created_at: '2022-07-26T09:28:08.597Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: saved_query_id - interval: '60' - platform: linux,darwin - prebuilt: false - query: select * from uptime; - saved_object_id: 3c42c847-eb30-4452-80e0-728584042334 - updated_at: '2022-07-26T09:28:08.597Z' - updated_by: elastic - version: 2.8.0 + - statusCode + - error + - message + SLOs_403_response: + title: Forbidden type: object properties: - data: - type: object - properties: - created_at: - format: date-time - type: string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - oneOf: - - type: integer - - type: string - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - prebuilt: - type: boolean - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - saved_object_id: - type: string - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - timeout: - type: integer - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: - type: string - version: - oneOf: - - type: integer - - type: string - required: - - saved_object_id - - id + error: + example: Forbidden + type: string + message: + example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [slo_write] is unauthorized for user [limited_user] for REST request [/api/observability/slos]]: action [slo_write] is unauthorized for user [limited_user]" + type: string + statusCode: + example: 403 + type: 
number required: - - data - Security_Osquery_API_FindSavedQueryResponse: - description: A paginated list of saved queries. - example: - data: - - created_at: '2022-07-26T09:28:08.597Z' - created_by: elastic - created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: saved_query_id - interval: '60' - platform: linux,darwin - prebuilt: false - query: select * from uptime; - saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - updated_at: '2022-07-26T09:28:08.597Z' - updated_by: elastic - updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - version: 2.8.0 - page: 1 - per_page: 100 - total: 11 + - statusCode + - error + - message + SLOs_404_response: + title: Not found type: object properties: - data: - description: An array of saved query objects. + error: + example: Not Found + type: string + message: + example: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + type: string + statusCode: + example: 404 + type: number + required: + - statusCode + - error + - message + SLOs_409_response: + title: Conflict + type: object + properties: + error: + example: Conflict + type: string + message: + example: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists + type: string + statusCode: + example: 409 + type: number + required: + - statusCode + - error + - message + SLOs_artifacts: + description: Links to related assets for the SLO + properties: + dashboards: + description: Array of dashboard references items: type: object properties: - created_at: - format: date-time - type: string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined - ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - 
interval: - oneOf: - - type: integer - - type: string - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - prebuilt: - type: boolean - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - saved_object_id: - type: string - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - timeout: - type: integer - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: + description: Dashboard saved-object id type: string - version: - oneOf: - - type: integer - - type: string required: - - saved_object_id - id type: array - page: - description: The current page number. - type: integer - per_page: - description: The number of results per page. - type: integer - total: - description: The total number of saved queries. - type: integer + title: Artifacts + type: object + SLOs_budgeting_method: + description: The budgeting method to use when computing the rollup data. + enum: + - occurrences + - timeslices + example: occurrences + title: Budgeting method + type: string + SLOs_bulk_delete_request: + description: | + The bulk delete SLO request takes a list of SLOs Definition id to delete. + properties: + list: + description: An array of SLO Definition id + items: + description: The SLO Definition id + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + type: array required: - - page - - per_page - - total - - data - Security_Osquery_API_GetLiveQueryResultsResponse: - description: The response for getting live query results. 
- example: - data: - edges: - - _id: doc1 - _source: {} - - _id: doc2 - _source: {} - total: 2 + - list + title: Bulk delete SLO request type: object + SLOs_bulk_delete_response: + description: | + The bulk delete SLO response returns a taskId that can be used to poll for its status properties: - data: - type: object - properties: - edges: - description: The result rows from the query execution. - items: - type: object - properties: - _id: - type: string - _source: - description: >- - The Elasticsearch document source containing query - results. - type: object - type: array - total: - description: The total number of result rows. - type: integer - Security_Osquery_API_GetScheduledActionResultsResponse: - example: - aggregations: - failed: 1 - pending: 0 - successful: 9 - totalResponded: 10 - totalRowCount: 42 - currentPage: 0 - edges: - - _id: result-001 - fields: - agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 - rows_count: 5 - status: success - metadata: - executionCount: 3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - timestamp: '2024-07-26T09:00:00.000Z' - pageSize: 20 - total: 10 - totalPages: 1 + taskId: + description: The taskId of the bulk delete operation + example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 + type: string + title: Bulk delete SLO response type: object + SLOs_bulk_delete_status_response: + description: Indicates if the bulk deletion is completed, with the detailed results of the operation. properties: - aggregations: - $ref: >- - #/components/schemas/Security_Osquery_API_ScheduledActionResultsAggregations - currentPage: - description: The current page number (zero-based). - type: integer - edges: - description: The paginated list of per-agent action results. 
+ error: + description: The error message if the bulk deletion operation failed + example: Task not found + type: string + isDone: + description: Indicates if the bulk deletion operation is completed + example: true + type: boolean + results: + description: The results of the bulk deletion operation, including the success status and any errors for each SLO items: type: object + properties: + error: + description: The error message if the deletion operation failed for this SLO + example: SLO [d08506b7-f0e8-4f8b-a06a-a83940f4db91] not found + type: string + id: + description: The ID of the SLO that was deleted + example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 + type: string + success: + description: The result of the deletion operation for this SLO + example: true + type: boolean type: array - inspect: - description: Debug/inspection data for the search query. - type: object - metadata: - $ref: '#/components/schemas/Security_Osquery_API_ScheduledExecutionMetadata' - pageSize: - description: The number of results per page. - type: integer - total: - description: The total number of action results. - type: integer - totalPages: - description: The total number of pages. - type: integer - Security_Osquery_API_GetScheduledQueryResultsResponse: - description: The response for getting scheduled query results. - example: - data: - edges: - - _id: row-001 - fields: - host.uptime: - - '12345' - - _id: row-002 - fields: - host.uptime: - - '67890' - total: 2 + title: The status of the bulk deletion type: object + SLOs_bulk_purge_rollup_request: + description: | + The bulk purge rollup data request takes a list of SLO ids and a purge policy, then deletes the rollup data according to the purge policy. This API can be used to remove the staled data of an instance SLO that no longer get updated. properties: - data: - description: The query results data wrapper. 
+ list: + description: An array of slo ids + items: + description: The SLO Definition id + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + type: array + purgePolicy: + description: Policy that dictates which SLI documents to purge based on age + oneOf: + - type: object + properties: + age: + description: The duration to determine which documents to purge, formatted as {duration}{unit}. This value should be greater than or equal to the time window of every SLO provided. + example: 7d + type: string + purgeType: + description: Specifies whether documents will be purged based on a specific age or on a timestamp + enum: + - fixed-age + type: string + - type: object + properties: + purgeType: + description: Specifies whether documents will be purged based on a specific age or on a timestamp + enum: + - fixed-time + type: string + timestamp: + description: The timestamp to determine which documents to purge, formatted in ISO. This value should be older than the applicable time window of every SLO provided. + example: '2024-12-31T00:00:00.000Z' + type: string type: object - properties: - edges: - description: The paginated list of query result rows. - items: - type: object - type: array - inspect: - description: Debug/inspection data for the search query. - type: object - total: - description: The total number of result rows. 
- type: integer - Security_Osquery_API_GetUnifiedHistoryResponse: - example: - data: - - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agentCount: 5 - errorCount: 0 - id: 3c42c847-eb30-4452-80e0-728584042334 - queryName: uptime_query - queryText: select * from uptime; - source: Live - sourceType: live - successCount: 5 - timestamp: '2024-07-26T09:59:32.220Z' - totalRows: 42 - userId: elastic - - agentCount: 10 - errorCount: 1 - executionCount: 3 - id: pack_my_pack_uptime_3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - plannedTime: '2024-07-26T09:00:00.000Z' - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - source: Scheduled - sourceType: scheduled - successCount: 9 - timestamp: '2024-07-26T09:00:00.000Z' - totalRows: 100 - hasMore: true - nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... + required: + - list + - purgePolicy + title: Bulk Purge Rollup data request type: object + SLOs_bulk_purge_rollup_response: + description: | + The bulk purge rollup data response returns a task id from the elasticsearch deleteByQuery response. properties: - data: - description: The list of unified history rows for the current page. + taskId: + description: The task id of the purge operation + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + title: Bulk Purge Rollup data response + type: object + SLOs_create_slo_request: + description: | + The create SLO API request body varies depending on the type of indicator, time window and budgeting method. + properties: + artifacts: + $ref: '#/components/schemas/SLOs_artifacts' + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + description: + description: A description for the SLO. + type: string + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + id: + description: A optional and unique identifier for the SLO. 
Must be between 8 and 36 chars + example: my-super-slo-id + type: string + indicator: + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: A name for the SLO. + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags items: - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRow' + type: string type: array - hasMore: - description: Whether there are more results beyond the current page. - type: boolean - nextPage: - description: >- - A base64-encoded cursor to fetch the next page. Absent when there - are no more results. + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + required: + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + title: Create SLO request + type: object + SLOs_create_slo_response: + title: Create SLO response + type: object + properties: + id: + example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string required: - - data - - hasMore - Security_Osquery_API_Interval: - description: An interval, in seconds, on which to run the query. - example: '60' - type: string - Security_Osquery_API_IntervalOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Interval' - nullable: true - Security_Osquery_API_KueryOrUndefined: - description: The kuery to filter the results by. 
- example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13' - nullable: true - type: string - Security_Osquery_API_LiveHistoryRow: - allOf: - - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' + - id + SLOs_delete_slo_instances_request: + description: | + The delete SLO instances request takes a list of SLO id and instance id, then delete the rollup and summary data. This API can be used to remove the staled data of an instance SLO that no longer get updated. + properties: + list: + description: An array of slo id and instance id + items: + type: object + properties: + instanceId: + description: The SLO instance identifier + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + sloId: + description: The SLO unique identifier + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + required: + - sloId + - instanceId + type: array + required: + - list + title: Delete SLO instances request + type: object + SLOs_error_budget: + title: Error budget + type: object + properties: + consumed: + description: The error budget consummed, as a percentage of the initial value. + example: 0.8 + type: number + initial: + description: The initial error budget, as 1 - objective + example: 0.02 + type: number + isEstimated: + description: Only for SLO defined with occurrences budgeting method and calendar aligned time window. + example: true + type: boolean + remaining: + description: The error budget remaining, as a percentage of the initial value. 
+ example: 0.2 + type: number + required: + - initial + - consumed + - remaining + - isEstimated + SLOs_filter: + description: Defines properties for a filter + properties: + meta: + $ref: '#/components/schemas/SLOs_filter_meta' + query: + type: object + title: Filter + type: object + SLOs_filter_meta: + description: Defines properties for a filter + properties: + alias: + nullable: true + type: string + controlledBy: + type: string + disabled: + type: boolean + field: + type: string + group: + type: string + index: + type: string + isMultiIndex: + type: boolean + key: + type: string + negate: + type: boolean + params: + type: object + type: + type: string + value: + type: string + title: FilterMeta + type: object + SLOs_find_slo_definitions_response: + description: | + A paginated response of SLO definitions matching the query. + oneOf: - type: object properties: - actionId: - description: The Fleet action ID for the live query. - type: string - agentAll: - description: Whether the query targeted all agents. - type: boolean - agentIds: - description: List of targeted agent IDs. + page: + example: 1 + type: number + perPage: + example: 25 + type: number + results: items: - type: string + $ref: '#/components/schemas/SLOs_slo_with_summary_response' type: array - agentPlatforms: - description: List of targeted agent platforms. + total: + example: 34 + type: number + - type: object + properties: + page: + default: 1 + description: for backward compability + type: number + perPage: + description: for backward compability + example: 25 + type: number + results: items: - type: string + $ref: '#/components/schemas/SLOs_slo_with_summary_response' type: array - agentPolicyIds: - description: List of targeted agent policy IDs. 
+ searchAfter: + description: the cursor to provide to get the next paged results + example: + - some-slo-id + - other-cursor-id items: type: string type: array - ecsMapping: - additionalProperties: true - description: ECS mapping configuration used for the query. - type: object - queriesTotal: - description: The total number of sub-queries in the live action. - type: integer - queriesWithResults: - description: The number of sub-queries that returned results. - type: integer - savedQueryId: - description: >- - The saved query ID, if the live query was based on a saved - query. + size: + example: 25 + type: number + total: + example: 34 + type: number + title: Find SLO definitions response + type: object + SLOs_find_slo_response: + description: | + A paginated response of SLOs matching the query. + properties: + page: + example: 1 + type: number + perPage: + example: 25 + type: number + results: + items: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + type: array + searchAfter: + type: string + size: + description: Size provided for cursor based pagination + example: 25 + type: number + total: + example: 34 + type: number + title: Find SLO response + type: object + SLOs_group_by: + description: optional group by field or fields to use to generate an SLO per distinct value + example: + - - service.name + - service.name + - - service.name + - service.environment + oneOf: + - type: string + - items: + type: string + type: array + title: Group by + SLOs_indicator_properties_apm_availability: + description: Defines properties for the APM availability indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + environment: + description: The APM service environment or "*" + example: production type: string - source: - description: >- - Whether this was a manually run live query or triggered by a - rule. 
- enum: - - Live - - Rule + filter: + description: KQL query used for filtering the data + example: 'service.foo : "bar"' type: string - sourceType: - description: Identifies this as a live query history row. - enum: - - live + index: + description: The index used by APM metrics + example: metrics-apm*,apm* type: string - timeout: - description: The query timeout in seconds. - type: integer - userId: - description: The ID of the user who ran the query. + service: + description: The APM service name + example: o11y-app type: string - userProfileUid: - description: The user profile UID of the user who ran the query. + transactionName: + description: The APM transaction name or "*" + example: GET /my/api + type: string + transactionType: + description: The APM transaction type or "*" + example: request type: string required: - - sourceType - - source - Security_Osquery_API_ObjectQueries: - additionalProperties: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem' - description: An object of queries. - type: object - Security_Osquery_API_ObjectQueriesItem: - type: object - properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_QueryId' - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - saved_query_id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' - Security_Osquery_API_PackDescription: - description: The pack description. 
- example: Pack description - type: string - Security_Osquery_API_PackDescriptionOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_PackDescription' - nullable: true - Security_Osquery_API_PackId: - description: The ID of the pack. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - Security_Osquery_API_PackIdOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - nullable: true - Security_Osquery_API_PackName: - description: The pack name. - example: my_pack - type: string - Security_Osquery_API_PageOrUndefined: - description: The page number to return. The default is 1. - example: 1 - nullable: true - type: integer - Security_Osquery_API_PageSizeOrUndefined: - description: The number of results to return per page. The default is 20. - example: 20 - nullable: true - type: integer - Security_Osquery_API_Platform: - description: >- - Restricts the query to a specified platform. The default is all - platforms. To specify multiple platforms, use commas. For example, - `linux,darwin`. - example: linux,darwin - type: string - Security_Osquery_API_PlatformOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Platform' - nullable: true - Security_Osquery_API_PolicyIds: - description: A list of agents policy IDs. - example: - - policyId1 - - policyId2 - items: - type: string - type: array - Security_Osquery_API_PolicyIdsOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' - nullable: true - Security_Osquery_API_Query: - description: The SQL query you want to run. - example: select * from uptime; - type: string - Security_Osquery_API_QueryId: - description: The ID of the query. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - Security_Osquery_API_QueryOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Query' - nullable: true - Security_Osquery_API_Removed: - description: Indicates whether the query is removed. 
- example: false - type: boolean - Security_Osquery_API_RemovedOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Removed' - nullable: true - Security_Osquery_API_SavedQueryDescription: - description: The saved query description. - example: Saved query description - type: string - Security_Osquery_API_SavedQueryDescriptionOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' - nullable: true - Security_Osquery_API_SavedQueryId: - description: The ID of a saved query. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - Security_Osquery_API_SavedQueryIdOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - nullable: true - Security_Osquery_API_ScheduledActionResultsAggregations: - type: object - properties: - failed: - description: The number of agents that returned errors. - type: integer - pending: - description: The number of agents with pending responses. - type: integer - successful: - description: The number of agents that completed successfully. - type: integer - totalResponded: - description: The total number of agents that responded. - type: integer - totalRowCount: - description: The total number of result rows across all agents. - type: integer - Security_Osquery_API_ScheduledExecutionMetadata: - description: Execution metadata resolved from the pack saved object. + - service + - environment + - transactionType + - transactionName + - index + type: + description: The type of indicator. + example: sli.apm.transactionDuration + type: string + required: + - type + - params + title: APM availability + SLOs_indicator_properties_apm_latency: + description: Defines properties for the APM latency indicator type type: object properties: - executionCount: - description: The execution count for this scheduled query run. - type: integer - packId: - description: The ID of the pack containing the query. - type: string - packName: - description: The name of the pack containing the query. 
- type: string - queryName: - description: The name of the query within the pack. - type: string - queryText: - description: The SQL query that was executed. - type: string - scheduleId: - description: The schedule ID for the scheduled query. - type: string - timestamp: - description: The timestamp of the most recent response for this execution. - type: string - Security_Osquery_API_ScheduledHistoryRow: - allOf: - - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' - - type: object + params: + description: An object containing the indicator parameters. + nullable: false + type: object properties: - executionCount: - description: The execution count for this scheduled query run. - type: integer - plannedTime: - description: The planned execution time for the scheduled query. + environment: + description: The APM service environment or "*" + example: production type: string - scheduleId: - description: The schedule ID for the scheduled query. + filter: + description: KQL query used for filtering the data + example: 'service.foo : "bar"' type: string - source: - description: Indicates this is a scheduled query execution. - enum: - - Scheduled + index: + description: The index used by APM metrics + example: metrics-apm*,apm* type: string - sourceType: - description: Identifies this as a scheduled query history row. - enum: - - scheduled + service: + description: The APM service name + example: o11y-app + type: string + threshold: + description: The latency threshold in milliseconds + example: 250 + type: number + transactionName: + description: The APM transaction name or "*" + example: GET /my/api + type: string + transactionType: + description: The APM transaction type or "*" + example: request type: string required: - - sourceType - - source - Security_Osquery_API_Shards: - additionalProperties: - type: number - description: >- - An object with shard configuration for policies included in the pack. 
- For each policy, set the shard configuration to a percentage (1–100) of - target hosts. - example: - policy_id: 50 - type: object - Security_Osquery_API_Snapshot: - description: Indicates whether the query is a snapshot. - example: true - type: boolean - Security_Osquery_API_SnapshotOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Snapshot' - nullable: true - Security_Osquery_API_SortOrderOrUndefined: - description: Specifies the sort order. - enum: - - asc - - desc - example: desc - type: string - Security_Osquery_API_SortOrUndefined: - default: createdAt - description: The field that is used to sort the results. - example: createdAt - nullable: true - type: string - Security_Osquery_API_UnifiedHistoryRow: - discriminator: - mapping: - live: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' - scheduled: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' - propertyName: sourceType - oneOf: - - $ref: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' - - $ref: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' - Security_Osquery_API_UnifiedHistoryRowBase: - type: object - properties: - agentCount: - description: The number of agents targeted by the query. - type: integer - errorCount: - description: The number of agent responses with errors. - nullable: true - type: integer - id: - description: Unique identifier for the history row. - type: string - packId: - description: The ID of the pack containing the query. - type: string - packName: - description: The name of the pack containing the query. - type: string - queryName: - description: The name of the query, if available. - type: string - queryText: - description: The SQL query that was executed. - type: string - spaceId: - description: The Kibana space ID where the query was executed. - type: string - successCount: - description: The number of successful agent responses. 
- nullable: true - type: integer - timestamp: - description: The timestamp of the query execution. + - service + - environment + - transactionType + - transactionName + - index + - threshold + type: + description: The type of indicator. + example: sli.apm.transactionDuration type: string - totalRows: - description: The total number of result rows returned across all agents. - nullable: true - type: integer required: - - id - - timestamp - - queryText - - agentCount - Security_Osquery_API_UpdatePacksRequestBody: - example: - name: updated_my_pack_name + - type + - params + title: APM latency + SLOs_indicator_properties_custom_kql: + description: Defines properties for a custom query indicator type type: object properties: - description: - $ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined' - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - shards: - $ref: '#/components/schemas/Security_Osquery_API_Shards' - Security_Osquery_API_UpdatePacksResponse: - description: The response for updating a pack. - example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: true - name: updated_my_pack_name - policy_ids: - - my_policy_id - queries: - ports: - ecs_mapping: - client.port: - field: port - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: - 47638692-7c4c-4053-aa3e-7186f28df349: 35 - 5e267651-fe50-443e-8d3f-3bbc9171b618: 58 - updated_at: '2025-02-26T13:40:16.297Z' - updated_by: elastic - version: 1 + params: + description: An object containing the indicator parameters. 
+ nullable: false + type: object + properties: + dataViewId: + description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + $ref: '#/components/schemas/SLOs_kql_with_filters' + good: + $ref: '#/components/schemas/SLOs_kql_with_filters_good' + index: + description: The index or index pattern to use + example: my-service-* + type: string + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp + type: string + total: + $ref: '#/components/schemas/SLOs_kql_with_filters_total' + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.kql.custom + type: string + required: + - type + - params + title: Custom Query + SLOs_indicator_properties_custom_metric: + description: Defines properties for a custom metric indicator type type: object properties: - data: + params: + description: An object containing the indicator parameters. + nullable: false type: object properties: - created_at: - format: date-time - type: string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - saved_object_id: - description: The saved object ID of the pack. + dataViewId: + description: The kibana data view id to use, primarily used to include data view runtime mappings. 
Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 type: string - shards: - $ref: '#/components/schemas/Security_Osquery_API_Shards' - updated_at: - format: date-time + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' type: string - updated_by: - nullable: true + good: + description: | + An object defining the "good" metrics and equation + type: object + properties: + equation: + description: The equation to calculate the "good" metric. + example: A + type: string + metrics: + description: List of metrics with their name, aggregation type, and field. + items: + oneOf: + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - sum + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + - field + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - doc_count + example: doc_count + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + type: array + required: + - metrics + - equation + index: + description: The index or index pattern to use + example: my-service-* type: string - updated_by_profile_uid: + timestampField: + description: | + The timestamp field used in the source indice. 
+ example: timestamp type: string - version: - description: The pack version number. - type: integer - Security_Osquery_API_UpdateSavedQueryRequestBody: - example: - id: updated_my_saved_query_name - type: object - properties: - description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - $ref: '#/components/schemas/Security_Osquery_API_IntervalOrUndefined' - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - query: - $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' - Security_Osquery_API_UpdateSavedQueryResponse: - description: The response for updating a saved query. - example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - id: updated_my_saved_query_name - interval: '60' - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - updated_at: '2025-02-26T13:40:16.297Z' - updated_by: elastic - version: WzQzMTcsMV0= + total: + description: | + An object defining the "total" metrics and equation + type: object + properties: + equation: + description: The equation to calculate the "total" metric. + example: A + type: string + metrics: + description: List of metrics with their name, aggregation type, and field. + items: + oneOf: + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - sum + example: sum + type: string + field: + description: The field of the metric. 
+ example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + - field + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - doc_count + example: doc_count + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + type: array + required: + - metrics + - equation + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.metric.custom + type: string + required: + - type + - params + title: Custom metric + SLOs_indicator_properties_histogram: + description: Defines properties for a histogram indicator type type: object properties: - data: + params: + description: An object containing the indicator parameters. + nullable: false type: object properties: - created_at: - format: date-time + dataViewId: + description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 type: string - created_by: - nullable: true + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' type: string - created_by_profile_uid: + good: + description: | + An object defining the "good" events + type: object + properties: + aggregation: + description: The type of aggregation to use. 
+ enum: + - value_count + - range + example: value_count + type: string + field: + description: The field use to aggregate the good events. + example: processor.latency + type: string + filter: + description: The filter for good events. + example: 'processor.outcome: "success"' + type: string + from: + description: The starting value of the range. Only required for "range" aggregations. + example: 0 + type: number + to: + description: The ending value of the range. Only required for "range" aggregations. + example: 100 + type: number + required: + - aggregation + - field + index: + description: The index or index pattern to use + example: my-service-* type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - oneOf: - - type: integer - - type: string - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - prebuilt: - type: boolean - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - saved_object_id: + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp type: string - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - timeout: - type: integer - updated_at: - format: date-time + total: + description: | + An object defining the "total" events + type: object + properties: + aggregation: + description: The type of aggregation to use. + enum: + - value_count + - range + example: value_count + type: string + field: + description: The field use to aggregate the good events. + example: processor.latency + type: string + filter: + description: The filter for total events. 
+ example: 'processor.outcome : *' + type: string + from: + description: The starting value of the range. Only required for "range" aggregations. + example: 0 + type: number + to: + description: The ending value of the range. Only required for "range" aggregations. + example: 100 + type: number + required: + - aggregation + - field + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.histogram.custom + type: string + required: + - type + - params + title: Histogram indicator + SLOs_indicator_properties_timeslice_metric: + description: Defines properties for a timeslice metric indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + dataViewId: + description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 type: string - updated_by: - nullable: true + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' type: string - updated_by_profile_uid: + index: + description: The index or index pattern to use + example: my-service-* type: string - version: - description: The saved query version. + metric: + description: | + An object defining the metrics, equation, and threshold to determine if it's a good slice or not + type: object + properties: + comparator: + description: The comparator to use to compare the equation to the threshold. + enum: + - GT + - GTE + - LT + - LTE + example: GT + type: string + equation: + description: The equation to calculate the metric. + example: A + type: string + metrics: + description: List of metrics with their name, aggregation type, and field. 
+ items: + anyOf: + - $ref: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + - $ref: '#/components/schemas/SLOs_timeslice_metric_percentile_metric' + - $ref: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric' + discriminator: + mapping: + avg: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + cardinality: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + doc_count: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric' + last_value: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + max: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + min: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + percentile: '#/components/schemas/SLOs_timeslice_metric_percentile_metric' + std_deviation: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + sum: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + propertyName: aggregation + type: array + threshold: + description: The threshold used to determine if the metric is a good slice or not. + example: 100 + type: number + required: + - metrics + - equation + - comparator + - threshold + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp type: string required: - - saved_object_id - - id + - index + - timestampField + - metric + type: + description: The type of indicator. + example: sli.metric.timeslice + type: string required: - - data - Security_Osquery_API_Version: - description: >- - Uses the Osquery versions greater than or equal to the specified version - string. - example: 1.0.0 - type: string - Security_Osquery_API_VersionOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Version' - nullable: true - Security_Timeline_API_AssociatedFilterType: - description: > - How the note is associated with a Timeline saved object and/or an event - (`eventId`). 
`all`: no association-based restriction from this - parameter. `document_only`: document-linked notes (non-empty `eventId`) - without timeline association in the API's internal sense; post-filtering - drops notes without a usable `eventId`. `saved_object_only`: timeline - notes with no linked event (`eventId` empty or absent); post-filtering - keeps timeline-only notes. `document_and_saved_object`: notes on a - timeline and linked to an event; post-filtering enforces a real - `eventId`. `orphan`: not on a timeline and `eventId` is empty (stricter - than missing `eventId` in some cases). - enum: - - all - - document_only - - saved_object_only - - document_and_saved_object - - orphan - type: string - Security_Timeline_API_BareNote: - allOf: - - $ref: >- - #/components/schemas/Security_Timeline_API_NoteCreatedAndUpdatedMetadata + - type + - params + title: Timeslice metric + SLOs_kql_with_filters: + description: Defines properties for a filter + oneOf: + - description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string - type: object properties: - eventId: - description: > - Elasticsearch document `_id` for the event or alert this note - refers to. Same value as the `documentIds` query parameter when - fetching notes via GET /api/note. - example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - nullable: true - type: string - note: - description: The text of the note - example: This is an example text - nullable: true - type: string - timelineId: - description: >- - The `savedObjectId` of the Timeline this note belongs to (not - the note's own ID). 
- example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + filters: + items: + $ref: '#/components/schemas/SLOs_filter' + type: array + kqlQuery: type: string - required: - - timelineId - Security_Timeline_API_BarePinnedEvent: - allOf: - - $ref: >- - #/components/schemas/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata + title: KQL with filters + SLOs_kql_with_filters_good: + description: The KQL query used to define the good events. + oneOf: + - description: the KQL query to filter the documents with. + example: 'request.latency <= 150 and request.status_code : "2xx"' + type: string - type: object properties: - eventId: - description: The `_id` of the associated event for this pinned event. - example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + filters: + items: + $ref: '#/components/schemas/SLOs_filter' + type: array + kqlQuery: type: string - timelineId: - description: >- - The `savedObjectId` of the timeline that this pinned event is - associated with - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + title: KQL query for good events + SLOs_kql_with_filters_total: + description: The KQL query used to define all events. + oneOf: + - description: the KQL query to filter the documents with. 
+ example: 'field.environment : "production" and service.name : "my-service"' + type: string + - type: object + properties: + filters: + items: + $ref: '#/components/schemas/SLOs_filter' + type: array + kqlQuery: type: string - required: - - eventId - - timelineId - Security_Timeline_API_ColumnHeaderResult: + title: KQL query for all events + SLOs_objective: + description: Defines properties for the SLO objective type: object properties: - aggregatable: - nullable: true - type: boolean - category: - nullable: true - type: string - columnHeaderType: - nullable: true - type: string - description: - nullable: true - type: string - example: - nullable: true - type: string - id: - nullable: true - type: string - indexes: - items: - type: string - nullable: true - type: array - name: - nullable: true + target: + description: the target objective between 0 and 1 excluded + example: 0.99 + exclusiveMaximum: true + exclusiveMinimum: true + maximum: 100 + minimum: 0 + type: number + timesliceTarget: + description: the target objective for each slice when using a timeslices budgeting method + example: 0.995 + maximum: 100 + minimum: 0 + type: number + timesliceWindow: + description: the duration of each slice when using a timeslices budgeting method, as {duraton}{unit} + example: 5m type: string - placeholder: - nullable: true + required: + - target + title: Objective + SLOs_settings: + description: Defines properties for SLO settings. + properties: + frequency: + default: 1m + description: The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute. + example: 5m type: string - searchable: - nullable: true + preventInitialBackfill: + default: false + description: Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window. 
+ example: true type: boolean - type: - nullable: true + syncDelay: + default: 1m + description: The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater then source index refresh interval. + example: 5m type: string - Security_Timeline_API_DataProviderQueryMatch: + syncField: + description: The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, we use the indicator timestamp field. + example: event.ingested + type: string + title: Settings + type: object + SLOs_slo_definition_response: + title: SLO definition response type: object properties: - enabled: - nullable: true - type: boolean - excluded: - nullable: true - type: boolean - id: - nullable: true - type: string - kqlQuery: - nullable: true + artifacts: + $ref: '#/components/schemas/SLOs_artifacts' + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + createdAt: + description: The creation date + example: '2023-01-12T10:03:19.000Z' type: string - name: - nullable: true + description: + description: The description of the SLO. 
+ example: My SLO description type: string - queryMatch: - $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' - nullable: true - type: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' - nullable: true - Security_Timeline_API_DataProviderResult: - type: object - properties: - and: - items: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderQueryMatch' - nullable: true - type: array enabled: - nullable: true - type: boolean - excluded: - nullable: true + description: Indicate if the SLO is enabled + example: true type: boolean + groupBy: + $ref: '#/components/schemas/SLOs_group_by' id: - nullable: true - type: string - kqlQuery: - nullable: true + description: The identifier of the SLO. + example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string + indicator: + discriminator: + mapping: + sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' + sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' + sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' + sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' + sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' + sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + propertyName: type + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' name: - nullable: true + description: The name of the SLO. 
+ example: My Service SLO type: string - queryMatch: - $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' - nullable: true - type: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' - nullable: true - Security_Timeline_API_DataProviderType: - description: The type of data provider. - enum: - - default - - template - type: string - Security_Timeline_API_DocumentIds: - description: One document ID or an array of IDs (Elasticsearch `_id` of the event). - oneOf: - - items: - type: string - type: array - - type: string - Security_Timeline_API_FavoriteTimelineResponse: - type: object - properties: - favorite: + objective: + $ref: '#/components/schemas/SLOs_objective' + revision: + description: The SLO revision + example: 2 + type: number + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags items: - $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' + type: string type: array - savedObjectId: - type: string - templateTimelineId: - nullable: true + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + updatedAt: + description: The last update date + example: '2023-01-12T10:03:19.000Z' type: string - templateTimelineVersion: - nullable: true - type: number - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' version: - type: string + description: The internal SLO version + example: 2 + type: number required: - - savedObjectId + - id + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + - settings + - revision + - enabled + - groupBy + - tags + - createdAt + - updatedAt - version - Security_Timeline_API_FavoriteTimelineResult: - description: Indicates when and who marked a Timeline as a favorite. 
- example: - favoriteDate: 1741337636741 - userName: elastic - type: object - properties: - favoriteDate: - nullable: true - type: number - fullName: - nullable: true - type: string - userName: - nullable: true - type: string - Security_Timeline_API_FilterTimelineResult: - example: - meta: - alias: Custom filter name - disabled: false - index: .alerts-security.alerts-default,logs-* - key: '@timestamp' - negate: false, - type: exists - value: exists - query: '{"exists":{"field":"@timestamp"}}' + SLOs_slo_with_summary_response: + title: SLO response type: object properties: - exists: - nullable: true - type: string - match_all: - nullable: true + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + createdAt: + description: The creation date + example: '2023-01-12T10:03:19.000Z' type: string - meta: - nullable: true - type: object - properties: - alias: - nullable: true - type: string - controlledBy: - nullable: true - type: string - disabled: - nullable: true - type: boolean - field: - nullable: true - type: string - formattedValue: - nullable: true - type: string - index: - nullable: true - type: string - key: - nullable: true - type: string - negate: - nullable: true - type: boolean - params: - nullable: true - type: string - type: - nullable: true - type: string - value: - nullable: true - type: string - missing: - nullable: true + description: + description: The description of the SLO. + example: My SLO description type: string - query: - nullable: true + enabled: + description: Indicate if the SLO is enabled + example: true + type: boolean + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + id: + description: The identifier of the SLO. 
+ example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string - range: - nullable: true + indicator: + discriminator: + mapping: + sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' + sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' + sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' + sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' + sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' + sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + propertyName: type + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + instanceId: + description: the value derived from the groupBy field, if present, otherwise '*' + example: host-abcde type: string - script: - nullable: true + name: + description: The name of the SLO. + example: My Service SLO type: string - Security_Timeline_API_GetNotesResult: - type: object - properties: - notes: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - type: array - totalCount: - description: >- - Number of notes returned (may be adjusted after the query when - `associatedFilter` applies post-filtering). 
+ objective: + $ref: '#/components/schemas/SLOs_objective' + revision: + description: The SLO revision + example: 2 type: number - required: - - totalCount - - notes - Security_Timeline_API_ImportTimelineResult: - type: object - properties: - errors: - description: The list of failed Timeline imports + settings: + $ref: '#/components/schemas/SLOs_settings' + summary: + $ref: '#/components/schemas/SLOs_summary' + tags: + description: List of tags items: - type: object - properties: - error: - description: >- - The error containing the reason why the timeline could not be - imported - type: object - properties: - message: - description: The reason why the timeline could not be imported - example: Malformed JSON - type: string - status_code: - description: The HTTP status code of the error - example: 400 - type: number - id: - description: The ID of the timeline that failed to import - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - type: string + type: string type: array - success: - description: Indicates whether any of the Timelines were successfully imports - type: boolean - success_count: - description: The amount of successfully imported/updated Timelines - example: 99 - type: number - timelines_installed: - description: The amount of successfully installed Timelines - example: 80 - type: number - timelines_updated: - description: The amount of successfully updated Timelines - example: 19 - type: number - Security_Timeline_API_ImportTimelines: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - type: object - properties: - eventNotes: - items: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - nullable: true - type: array - globalNotes: - items: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - nullable: true - type: array - pinnedEventIds: - items: - type: string - nullable: true - type: array - savedObjectId: - nullable: true - type: string - version: - nullable: true - type: string - required: - - 
savedObjectId - - version - - pinnedEventIds - - eventNotes - - globalNotes - Security_Timeline_API_Note: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - - type: object - properties: - noteId: - description: The `savedObjectId` of the note - example: 709f99c6-89b6-4953-9160-35945c8e174e - type: string - version: - description: The version of the note - example: WzQ2LDFd - type: string - required: - - noteId - - version - Security_Timeline_API_NoteCreatedAndUpdatedMetadata: - type: object - properties: - created: - description: The time the note was created, using a 13-digit Epoch timestamp. - example: 1587468588922 - nullable: true - type: number - createdBy: - description: The user who created the note. - example: casetester - nullable: true + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + updatedAt: + description: The last update date + example: '2023-01-12T10:03:19.000Z' type: string - updated: - description: The last time the note was updated, using a 13-digit Epoch timestamp - example: 1741344876825 - nullable: true + version: + description: The internal SLO version + example: 2 type: number - updatedBy: - description: The user who last updated the note - example: casetester - nullable: true - type: string - Security_Timeline_API_PersistPinnedEventResponse: - oneOf: - - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - - type: object - properties: - unpinned: - description: Indicates whether the event was successfully unpinned - type: boolean - required: - - unpinned - Security_Timeline_API_PersistTimelineResponse: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - Security_Timeline_API_PinnedEvent: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_BarePinnedEvent' - - type: object - properties: - pinnedEventId: - description: The `savedObjectId` of this pinned event - example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 - type: string - version: - description: The version of 
this pinned event - example: WzQ2LDFe - type: string - required: - - pinnedEventId - - version - Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata: - type: object + required: + - id + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + - settings + - revision + - summary + - enabled + - groupBy + - instanceId + - tags + - createdAt + - updatedAt + - version + SLOs_summary: + description: The SLO computed data properties: - created: - description: >- - The time the pinned event was created, using a 13-digit Epoch - timestamp. - example: 1587468588922 - nullable: true - type: number - createdBy: - description: The user who created the pinned event. - example: casetester - nullable: true - type: string - updated: - description: >- - The last time the pinned event was updated, using a 13-digit Epoch - timestamp - example: 1741344876825 - nullable: true + errorBudget: + $ref: '#/components/schemas/SLOs_error_budget' + sliValue: + example: 0.9836 type: number - updatedBy: - description: The user who last updated the pinned event - example: casetester - nullable: true - type: string - Security_Timeline_API_QueryMatchResult: + status: + $ref: '#/components/schemas/SLOs_summary_status' + required: + - status + - sliValue + - errorBudget + title: Summary + type: object + SLOs_summary_status: + enum: + - NO_DATA + - HEALTHY + - DEGRADING + - VIOLATED + example: HEALTHY + title: summary status + type: string + SLOs_time_window: + description: Defines properties for the SLO time window type: object properties: - displayField: - nullable: true + duration: + description: 'the duration formatted as {duration}{unit}. Accepted values for rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w (weekly) or 1M (monthly)' + example: 30d type: string - displayValue: - nullable: true + type: + description: Indicates weither the time window is a rolling or a calendar aligned time window. 
+ enum: + - rolling + - calendarAligned + example: rolling + type: string + required: + - duration + - type + title: Time window + SLOs_timeslice_metric_basic_metric_with_field: + type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - sum + - avg + - min + - max + - std_deviation + - last_value + - cardinality + example: sum type: string field: - nullable: true + description: The field of the metric. + example: processor.processed type: string - operator: - nullable: true + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' type: string - value: - oneOf: - - nullable: true - type: string - - items: - type: string - nullable: true - type: array - Security_Timeline_API_ResolvedTimeline: - type: object - properties: - alias_purpose: - $ref: >- - #/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose - alias_target_id: + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ type: string - outcome: - $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome' - timeline: - $ref: >- - #/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject required: - - timeline - - outcome - Security_Timeline_API_ResponseNote: + - name + - aggregation + - field + title: Timeslice Metric Basic Metric with Field + SLOs_timeslice_metric_doc_count_metric: type: object properties: - note: - $ref: '#/components/schemas/Security_Timeline_API_Note' + aggregation: + description: The aggregation type of the metric. Only valid option is "doc_count" + enum: + - doc_count + example: doc_count + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. 
Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string required: - - note - Security_Timeline_API_RowRendererId: - description: Identifies the available row renderers - enum: - - alert - - alerts - - auditd - - auditd_file - - library - - netflow - - plain - - registry - - suricata - - system - - system_dns - - system_endgame_process - - system_file - - system_fim - - system_security_event - - system_socket - - threat_match - - zeek - type: string - Security_Timeline_API_SavedObjectIds: - description: One Timeline saved object ID or an array of IDs. - oneOf: - - items: - type: string - type: array - - type: string - Security_Timeline_API_SavedObjectResolveAliasPurpose: - enum: - - savedObjectConversion - - savedObjectImport - type: string - Security_Timeline_API_SavedObjectResolveOutcome: - enum: - - exactMatch - - aliasMatch - - conflict - type: string - Security_Timeline_API_SavedTimeline: + - name + - aggregation + title: Timeslice Metric Doc Count Metric + SLOs_timeslice_metric_percentile_metric: type: object properties: - columns: - description: The Timeline's columns - example: - - columnHeaderType: not-filtered - id: '@timestamp' - - columnHeaderType: not-filtered - id: event.category - items: - $ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult' - nullable: true - type: array - created: - description: The time the Timeline was created, using a 13-digit Epoch timestamp. - example: 1587468588922 - nullable: true - type: number - createdBy: - description: The user who created the Timeline. - example: casetester - nullable: true + aggregation: + description: The aggregation type of the metric. 
Only valid option is "percentile" + enum: + - percentile + example: percentile type: string - dataProviders: - description: Object containing query clauses - example: - - enabled: true - excluded: false - id: >- - id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b - name: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b - queryMatch: - field: _id, - operator: ':' - value: >- - d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b, - items: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderResult' - nullable: true - type: array - dataViewId: - description: ID of the Timeline's Data View - example: security-solution-default - nullable: true + field: + description: The field of the metric. + example: processor.processed type: string - dateRange: - description: The Timeline's search period. - example: - end: 1587456479201 - start: 1587370079200 - nullable: true - type: object - properties: - end: - oneOf: - - nullable: true - type: string - - nullable: true - type: number - start: - oneOf: - - nullable: true - type: string - - nullable: true - type: number + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + percentile: + description: The percentile value. + example: 95 + type: number + required: + - name + - aggregation + - field + - percentile + title: Timeslice Metric Percentile Metric + SLOs_update_slo_request: + description: | + The update SLO API request body varies depending on the type of indicator, time window and budgeting method. Partial update is handled. 
+ properties: + artifacts: + $ref: '#/components/schemas/SLOs_artifacts' + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' description: - description: The Timeline's description - example: Investigating exposure of CVE XYZ - nullable: true + description: A description for the SLO. type: string - eqlOptions: - description: EQL query that is used in the correlation tab - example: - eventCategoryField: event.category - query: sequence\n[process where process.name == "sudo"]\n[any where true] - size: 100 - timestampField: '@timestamp' - nullable: true - type: object - properties: - eventCategoryField: - nullable: true - type: string - query: - nullable: true - type: string - size: - oneOf: - - nullable: true - type: string - - nullable: true - type: number - tiebreakerField: - nullable: true - type: string - timestampField: - nullable: true - type: string - eventType: - deprecated: true - description: Event types displayed in the Timeline - example: all - nullable: true + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + indicator: + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: A name for the SLO. 
type: string - excludedRowRendererIds: - description: >- - A list of row renderers that should not be used when in `Event - renderers` mode - items: - $ref: '#/components/schemas/Security_Timeline_API_RowRendererId' - nullable: true - type: array - favorite: - items: - $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' - nullable: true - type: array - filters: - description: A list of filters that should be applied to the query - items: - $ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult' - nullable: true - type: array - indexNames: - description: >- - A list of index names to use in the query (e.g. when the default - data view has been modified) - example: - - .logs* + objective: + $ref: '#/components/schemas/SLOs_objective' + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags items: type: string - nullable: true type: array - kqlMode: - description: >- - Indicates whether the KQL bar filters the query results or searches - for additional results, where: - * `filter`: filters query results - * `search`: displays additional search results - example: search - nullable: true - type: string - kqlQuery: - $ref: >- - #/components/schemas/Security_Timeline_API_SerializedFilterQueryResult - nullable: true - savedQueryId: - description: The ID of the saved query that might be used in the Query tab - example: c7b16904-02d7-4f32-b8f2-cc20f9625d6e - nullable: true - type: string - savedSearchId: - description: The ID of the saved search that is used in the ES|QL tab - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true - type: string - sort: - $ref: '#/components/schemas/Security_Timeline_API_Sort' - nullable: true - status: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true - templateTimelineId: - description: >- - A unique ID (UUID) for Timeline templates. For Timelines, the value - is `null`. 
- example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true - type: string - templateTimelineVersion: - description: >- - Timeline template version number. For Timelines, the value is - `null`. - example: 12 - nullable: true - type: number - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - title: - description: The Timeline's title. - example: CVE XYZ investigation - nullable: true - type: string - updated: - description: >- - The last time the Timeline was updated, using a 13-digit Epoch - timestamp - example: 1741344876825 - nullable: true - type: number - updatedBy: - description: The user who last updated the Timeline - example: casetester - nullable: true - type: string - Security_Timeline_API_SavedTimelineWithSavedObjectId: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - type: object - properties: - savedObjectId: - description: The `savedObjectId` of the Timeline or Timeline template - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - type: string - version: - description: The version of the Timeline or Timeline template - example: WzE0LDFd - type: string - required: - - savedObjectId - - version - Security_Timeline_API_SerializedFilterQueryResult: - description: KQL bar query. 
- example: - filterQuery: null - kuery: - expression: '_id : *' - kind: kuery - serializedQuery: >- - {"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}} + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + title: Update SLO request type: object - properties: - filterQuery: - nullable: true - type: object - properties: - kuery: - nullable: true - type: object - properties: - expression: - nullable: true - type: string - kind: - nullable: true - type: string - serializedQuery: - nullable: true - type: string - Security_Timeline_API_Sort: - oneOf: - - $ref: '#/components/schemas/Security_Timeline_API_SortObject' - - items: - $ref: '#/components/schemas/Security_Timeline_API_SortObject' - type: array - Security_Timeline_API_SortFieldTimeline: - description: The field to sort the timelines by. - enum: - - title - - description - - updated - - created - type: string - Security_Timeline_API_SortObject: - description: Object indicating how rows are sorted in the Timeline's grid - example: - columnId: '@timestamp' - sortDirection: desc + Task_manager_health_Serverless_APIs_configuration: + description: | + This object summarizes the current configuration of Task Manager. This includes dynamic configurations that change over time, such as `poll_interval` and `max_workers`, which can adjust in reaction to changing load on the system. 
+ type: object + Task_manager_health_Serverless_APIs_health_response_serverless: + title: Task health response properties type: object properties: - columnId: - nullable: true - type: string - columnType: - nullable: true - type: string - sortDirection: - nullable: true - type: string - Security_Timeline_API_TimelineResponse: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - $ref: >- - #/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId - - type: object - properties: - eventIdToNoteIds: - description: A list of all the notes that are associated to this Timeline. - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - noteIds: - description: >- - A list of all the ids of notes that are associated to this - Timeline. - example: - - 709f99c6-89b6-4953-9160-35945c8e174e - items: - type: string - nullable: true - type: array - notes: - description: A list of all the notes that are associated to this Timeline. - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - pinnedEventIds: - description: >- - A list of all the ids of pinned events that are associated to - this Timeline. - example: - - 983f99c6-89b6-4953-9160-35945c8a194f - items: - type: string - nullable: true - type: array - pinnedEventsSaveObject: - description: >- - A list of all the pinned events that are associated to this - Timeline. 
- items: - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - nullable: true - type: array - Security_Timeline_API_TimelineSavedToReturnObject: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - type: object - properties: - eventIdToNoteIds: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - noteIds: - items: - type: string - nullable: true - type: array - notes: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - pinnedEventIds: - items: - type: string - nullable: true - type: array - pinnedEventsSaveObject: - items: - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - nullable: true - type: array - savedObjectId: - type: string - version: - type: string - required: - - savedObjectId - - version - Security_Timeline_API_TimelineStatus: - description: The status of the Timeline. - enum: - - active - - draft - - immutable - type: string - Security_Timeline_API_TimelineType: - description: The type of Timeline. - enum: - - default - - template - type: string - SLOs_400_response: - title: Bad request + id: + type: string + last_update: + type: string + stats: + type: object + properties: + configuration: + $ref: '#/components/schemas/Task_manager_health_Serverless_APIs_configuration' + workload: + $ref: '#/components/schemas/Task_manager_health_Serverless_APIs_workload' + status: + type: string + timestamp: + type: string + Task_manager_health_Serverless_APIs_workload: + description: | + This object summarizes the work load across the cluster, including the tasks in the system, their types, and current status. + type: object + bedrock_config: + title: Connector request properties for an Amazon Bedrock connector + description: Defines properties for connectors when type is `.bedrock`. 
type: object + required: + - apiUrl properties: - error: - example: Bad Request + apiUrl: type: string - message: - example: 'Invalid value ''foo'' supplied to: [...]' + description: The Amazon Bedrock request URL. + region: type: string - statusCode: - example: 400 - type: number + description: | + Optional AWS region for request signing. Required when using a custom endpoint URL that does not include the region in the hostname (for example, `us-west-1`). + defaultModel: + type: string + description: | + The generative artificial intelligence model for Amazon Bedrock to use. Current support is for the Anthropic Claude models. + default: us.anthropic.claude-sonnet-4-5-20250929-v1:0 + crowdstrike_config: + title: Connector request config properties for a Crowdstrike connector required: - - statusCode - - error - - message - SLOs_401_response: - title: Unauthorized + - url + description: Defines config properties for connectors when type is `.crowdstrike`. type: object properties: - error: - example: Unauthorized + url: + description: | + The CrowdStrike tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. type: string - message: - example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" + d3security_config: + title: Connector request properties for a D3 Security connector + description: Defines properties for connectors when type is `.d3security`. + type: object + required: + - url + properties: + url: type: string - statusCode: - example: 401 - type: number + description: | + The D3 Security API request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. 
+ email_config: + title: Connector request properties for an email connector + description: Defines properties for connectors when type is `.email`. required: - - statusCode - - error - - message - SLOs_403_response: - title: Forbidden + - from type: object properties: - error: - example: Forbidden + clientId: + description: | + The client identifier, which is a part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required. type: string - message: - example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [slo_write] is unauthorized for user [limited_user] for REST request [/api/observability/slos]]: action [slo_write] is unauthorized for user [limited_user]" + nullable: true + from: + description: | + The from address for all emails sent by the connector. It must be specified in `user@host-name` format. type: string - statusCode: - example: 403 - type: number + hasAuth: + description: | + Specifies whether a user and password are required inside the secrets configuration. + default: true + type: boolean + host: + description: | + The host name of the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined. + type: string + oauthTokenUrl: + type: string + nullable: true + port: + description: | + The port to connect to on the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined. + type: integer + secure: + description: | + Specifies whether the connection to the service provider will use TLS. 
If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. + type: boolean + service: + description: | + The name of the email service. + type: string + enum: + - elastic_cloud + - exchange_server + - gmail + - other + - outlook365 + - ses + tenantId: + description: | + The tenant identifier, which is part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required. + type: string + nullable: true + gemini_config: + title: Connector request properties for an Google Gemini connector + description: Defines properties for connectors when type is `.gemini`. + type: object required: - - statusCode - - error - - message - SLOs_404_response: - title: Not found + - apiUrl + - gcpRegion + - gcpProjectID + properties: + apiUrl: + type: string + description: The Google Gemini request URL. + defaultModel: + type: string + description: The generative artificial intelligence model for Google Gemini to use. + default: gemini-2.5-pro + gcpRegion: + type: string + description: The GCP region where the Vertex AI endpoint enabled. + gcpProjectID: + type: string + description: The Google ProjectID that has Vertex AI endpoint enabled. + resilient_config: + title: Connector request properties for a IBM Resilient connector + required: + - apiUrl + - orgId + description: Defines properties for connectors when type is `.resilient`. type: object properties: - error: - example: Not Found + apiUrl: + description: The IBM Resilient instance URL. type: string - message: - example: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + orgId: + description: The IBM Resilient organization ID. 
type: string - statusCode: - example: 404 - type: number + index_config: + title: Connector request properties for an index connector required: - - statusCode - - error - - message - SLOs_409_response: - title: Conflict + - index + description: Defines properties for connectors when type is `.index`. type: object properties: - error: - example: Conflict + executionTimeField: + description: A field that indicates when the document was indexed. + default: null type: string - message: - example: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists + nullable: true + index: + description: The Elasticsearch index to be written to. type: string - statusCode: - example: 409 - type: number + refresh: + description: | + The refresh policy for the write request, which affects when changes are made visible to search. Refer to the refresh setting for Elasticsearch document APIs. + default: false + type: boolean + jira_config: + title: Connector request properties for a Jira connector required: - - statusCode - - error - - message - SLOs_artifacts: - description: Links to related assets for the SLO + - apiUrl + - projectKey + description: Defines properties for connectors when type is `.jira`. + type: object properties: - dashboards: - description: Array of dashboard references - items: - type: object - properties: - id: - description: Dashboard saved-object id - type: string - required: - - id - type: array - title: Artifacts + apiUrl: + description: The Jira instance URL. + type: string + projectKey: + description: The Jira project key. + type: string + defender_config: + title: Connector request properties for a Microsoft Defender for Endpoint connector + required: + - apiUrl + - projectKey + description: Defines properties for connectors when type is `.microsoft_defender_endpoint`. type: object - SLOs_budgeting_method: - description: The budgeting method to use when computing the rollup data. 
- enum: - - occurrences - - timeslices - example: occurrences - title: Budgeting method - type: string - SLOs_bulk_delete_request: - description: > - The bulk delete SLO request takes a list of SLOs Definition id to - delete. properties: - list: - description: An array of SLO Definition id - items: - description: The SLO Definition id - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - type: array + apiUrl: + type: string + description: | + The URL of the Microsoft Defender for Endpoint API. If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname is added to the allowed hosts. + clientId: + type: string + description: The application (client) identifier for your app in the Azure portal. + oAuthScope: + type: string + description: The OAuth scopes or permission sets for the Microsoft Defender for Endpoint API. + oAuthServerUrl: + type: string + description: The OAuth server URL where authentication is sent and received for the Microsoft Defender for Endpoint API. + tenantId: + description: The tenant identifier for your app in the Azure portal. + type: string + genai_azure_config: + title: Connector request properties for an OpenAI connector that uses Azure OpenAI + description: | + Defines properties for connectors when type is `.gen-ai` and the API provider is `Azure OpenAI`. + type: object required: - - list - title: Bulk delete SLO request + - apiProvider + - apiUrl + properties: + apiProvider: + type: string + description: The OpenAI API provider. + enum: + - Azure OpenAI + apiUrl: + type: string + description: The OpenAI API endpoint. + genai_openai_config: + title: Connector request properties for an OpenAI connector + description: | + Defines properties for connectors when type is `.gen-ai` and the API provider is `OpenAI`. 
type: object - SLOs_bulk_delete_response: - description: > - The bulk delete SLO response returns a taskId that can be used to poll - for its status + required: + - apiProvider + - apiUrl properties: - taskId: - description: The taskId of the bulk delete operation - example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 + apiProvider: type: string - title: Bulk delete SLO response + description: The OpenAI API provider. + enum: + - OpenAI + apiUrl: + type: string + description: The OpenAI API endpoint. + defaultModel: + type: string + description: The default model to use for requests. + opsgenie_config: + title: Connector request properties for an Opsgenie connector + required: + - apiUrl + description: Defines properties for connectors when type is `.opsgenie`. type: object - SLOs_bulk_delete_status_response: - description: >- - Indicates if the bulk deletion is completed, with the detailed results - of the operation. properties: - error: - description: The error message if the bulk deletion operation failed - example: Task not found + apiUrl: + description: | + The Opsgenie URL. For example, `https://api.opsgenie.com` or `https://api.eu.opsgenie.com`. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. type: string - isDone: - description: Indicates if the bulk deletion operation is completed - example: true + pagerduty_config: + title: Connector request properties for a PagerDuty connector + description: Defines properties for connectors when type is `.pagerduty`. + type: object + properties: + apiUrl: + description: The PagerDuty event URL. + type: string + nullable: true + example: https://events.pagerduty.com/v2/enqueue + sentinelone_config: + title: Connector request properties for a SentinelOne connector + required: + - url + description: Defines properties for connectors when type is `.sentinelone`. + type: object + properties: + url: + description: | + The SentinelOne tenant URL. 
If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + type: string + servicenow_config: + title: Connector request properties for a ServiceNow ITSM connector + required: + - apiUrl + description: Defines properties for connectors when type is `.servicenow`. + type: object + properties: + apiUrl: + type: string + description: The ServiceNow instance URL. + clientId: + description: | + The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`. + type: string + isOAuth: + description: | + The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth). + default: false type: boolean - results: - description: >- - The results of the bulk deletion operation, including the success - status and any errors for each SLO + jwtKeyId: + description: | + The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`. + type: string + userIdentifierValue: + description: | + The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`. + type: string + usesTableApi: + description: | + Determines whether the connector uses the Table API or the Import Set API. This property is supported only for ServiceNow ITSM and ServiceNow SecOps connectors. NOTE: If this property is set to `false`, the Elastic application should be installed in ServiceNow. 
+ default: true + type: boolean + servicenow_itom_config: + title: Connector request properties for a ServiceNow ITOM connector + required: + - apiUrl + description: Defines properties for connectors when type is `.servicenow-itom`. + type: object + properties: + apiUrl: + type: string + description: The ServiceNow instance URL. + clientId: + description: | + The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`. + type: string + isOAuth: + description: | + The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth). + default: false + type: boolean + jwtKeyId: + description: | + The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`. + type: string + userIdentifierValue: + description: | + The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`. + type: string + slack_api_config: + title: Connector request properties for a Slack connector + description: Defines properties for connectors when type is `.slack_api`. + type: object + properties: + allowedChannels: + type: array + description: A list of valid Slack channels. 
items: type: object + required: + - id + - name + maxItems: 25 properties: - error: - description: >- - The error message if the deletion operation failed for this - SLO - example: SLO [d08506b7-f0e8-4f8b-a06a-a83940f4db91] not found - type: string id: - description: The ID of the SLO that was deleted - example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 type: string - success: - description: The result of the deletion operation for this SLO - example: true - type: boolean - type: array - title: The status of the bulk deletion + description: The Slack channel ID. + example: C123ABC456 + minLength: 1 + name: + type: string + description: The Slack channel name. + minLength: 1 + swimlane_config: + title: Connector request properties for a Swimlane connector + required: + - apiUrl + - appId + - connectorType + description: Defines properties for connectors when type is `.swimlane`. type: object - SLOs_bulk_purge_rollup_request: - description: > - The bulk purge rollup data request takes a list of SLO ids and a purge - policy, then deletes the rollup data according to the purge policy. This - API can be used to remove the staled data of an instance SLO that no - longer get updated. properties: - list: - description: An array of slo ids - items: - description: The SLO Definition id - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - type: array - purgePolicy: - description: Policy that dictates which SLI documents to purge based on age - oneOf: - - type: object + apiUrl: + description: The Swimlane instance URL. + type: string + appId: + description: The Swimlane application ID. + type: string + connectorType: + description: The type of connector. Valid values are `all`, `alerts`, and `cases`. + type: string + enum: + - all + - alerts + - cases + mappings: + title: Connector mappings properties for a Swimlane connector + description: The field mapping. 
+ type: object + properties: + alertIdConfig: + title: Alert identifier mapping + description: Mapping for the alert ID. + type: object + required: + - fieldType + - id + - key + - name properties: - age: - description: >- - The duration to determine which documents to purge, - formatted as {duration}{unit}. This value should be greater - than or equal to the time window of every SLO provided. - example: 7d + fieldType: type: string - purgeType: - description: >- - Specifies whether documents will be purged based on a - specific age or on a timestamp - enum: - - fixed-age + description: The type of field in Swimlane. + id: type: string - - type: object + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + caseIdConfig: + title: Case identifier mapping + description: Mapping for the case ID. + type: object + required: + - fieldType + - id + - key + - name properties: - purgeType: - description: >- - Specifies whether documents will be purged based on a - specific age or on a timestamp - enum: - - fixed-time + fieldType: type: string - timestamp: - description: >- - The timestamp to determine which documents to purge, - formatted in ISO. This value should be older than the - applicable time window of every SLO provided. - example: '2024-12-31T00:00:00.000Z' + description: The type of field in Swimlane. + id: type: string - type: object + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + caseNameConfig: + title: Case name mapping + description: Mapping for the case name. + type: object + required: + - fieldType + - id + - key + - name + properties: + fieldType: + type: string + description: The type of field in Swimlane. 
+ id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + commentsConfig: + title: Case comment mapping + description: Mapping for the case comments. + type: object + required: + - fieldType + - id + - key + - name + properties: + fieldType: + type: string + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + descriptionConfig: + title: Case description mapping + description: Mapping for the case description. + type: object + required: + - fieldType + - id + - key + - name + properties: + fieldType: + type: string + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + ruleNameConfig: + title: Rule name mapping + description: Mapping for the name of the alert's rule. + type: object + required: + - fieldType + - id + - key + - name + properties: + fieldType: + type: string + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + severityConfig: + title: Severity mapping + description: Mapping for the severity. + type: object + required: + - fieldType + - id + - key + - name + properties: + fieldType: + type: string + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. 
+ key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + thehive_config: + title: Connector request properties for a TheHive connector + description: Defines configuration properties for connectors when type is `.thehive`. + type: object required: - - list - - purgePolicy - title: Bulk Purge Rollup data request + - url + properties: + organisation: + type: string + description: | + The organisation in TheHive that will contain the alerts or cases. By default, the connector uses the default organisation of the user account that created the API key. + url: + type: string + description: | + The instance URL in TheHive. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + tines_config: + title: Connector request properties for a Tines connector + description: Defines properties for connectors when type is `.tines`. type: object - SLOs_bulk_purge_rollup_response: - description: > - The bulk purge rollup data response returns a task id from the - elasticsearch deleteByQuery response. + required: + - url properties: - taskId: - description: The task id of the purge operation - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + url: + description: | + The Tines tenant URL. If you are using the `xpack.actions.allowedHosts` setting, make sure this hostname is added to the allowed hosts. type: string - title: Bulk Purge Rollup data response + torq_config: + title: Connector request properties for a Torq connector + description: Defines properties for connectors when type is `.torq`. type: object - SLOs_create_slo_request: - description: > - The create SLO API request body varies depending on the type of - indicator, time window and budgeting method. 
+ required: + - webhookIntegrationUrl properties: - artifacts: - $ref: '#/components/schemas/SLOs_artifacts' - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - description: - description: A description for the SLO. + webhookIntegrationUrl: + description: The endpoint URL of the Elastic Security integration in Torq. type: string - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - id: - description: >- - A optional and unique identifier for the SLO. Must be between 8 and - 36 chars - example: my-super-slo-id + auth_type: + title: Authentication type + type: string + nullable: true + enum: + - webhook-authentication-basic + - webhook-authentication-ssl + description: | + The type of authentication to use: basic, SSL, or none. + ca: + title: Certificate authority + type: string + description: | + A base64 encoded version of the certificate authority file that the connector can trust to sign and validate certificates. This option is available for all authentication types. + cert_type: + title: Certificate type + type: string + description: | + If the `authType` is `webhook-authentication-ssl`, specifies whether the certificate authentication data is in a CRT and key file format or a PFX file format. + enum: + - ssl-crt-key + - ssl-pfx + has_auth: + title: Has authentication + type: boolean + description: If true, a username and password for login type authentication must be provided. + default: true + verification_mode: + title: Verification mode + type: string + enum: + - certificate + - full + - none + default: full + description: | + Controls the verification of certificates. Use `full` to validate that the certificate has an issue date within the `not_before` and `not_after` dates, chains to a trusted certificate authority (CA), and has a hostname or IP address that matches the names within the certificate. 
Use `certificate` to validate the certificate and verify that it is signed by a trusted authority; this option does not check the certificate hostname. Use `none` to skip certificate validation. + webhook_config: + title: Connector request properties for a Webhook connector + description: Defines properties for connectors when type is `.webhook`. + type: object + properties: + authType: + $ref: '#/components/schemas/auth_type' + ca: + $ref: '#/components/schemas/ca' + certType: + $ref: '#/components/schemas/cert_type' + hasAuth: + $ref: '#/components/schemas/has_auth' + headers: + type: object + nullable: true + description: A set of key-value pairs sent as headers with the request. + method: type: string - indicator: - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - name: - description: A name for the SLO. + default: post + enum: + - post + - put + description: | + The HTTP request method, either `post` or `put`. + url: type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags - items: - type: string - type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' + description: | + The request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. 
+ verificationMode: + $ref: '#/components/schemas/verification_mode' + cases_webhook_config: + title: Connector request properties for Webhook - Case Management connector required: - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - title: Create SLO request - type: object - SLOs_create_slo_response: - title: Create SLO response + - createIncidentJson + - createIncidentResponseKey + - createIncidentUrl + - getIncidentResponseExternalTitleKey + - getIncidentUrl + - updateIncidentJson + - updateIncidentUrl + - viewIncidentUrl + description: Defines properties for connectors when type is `.cases-webhook`. type: object properties: - id: - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + authType: + $ref: '#/components/schemas/auth_type' + ca: + $ref: '#/components/schemas/ca' + certType: + $ref: '#/components/schemas/cert_type' + createCommentJson: type: string - required: - - id - SLOs_delete_slo_instances_request: - description: > - The delete SLO instances request takes a list of SLO id and instance id, - then delete the rollup and summary data. This API can be used to remove - the staled data of an instance SLO that no longer get updated. - properties: - list: - description: An array of slo id and instance id - items: - type: object - properties: - instanceId: - description: The SLO instance identifier - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - sloId: - description: The SLO unique identifier - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - required: - - sloId - - instanceId - type: array - required: - - list - title: Delete SLO instances request - type: object - SLOs_error_budget: - title: Error budget + description: | + A JSON payload sent to the create comment URL to create a case comment. You can use variables to add Kibana Cases data to the payload. The required variable is `case.comment`. 
Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated once the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass. + example: '{"body": {{{case.comment}}}}' + createCommentMethod: + type: string + description: | + The REST API HTTP request method to create a case comment in the third-party system. Valid values are `patch`, `post`, and `put`. + default: put + enum: + - patch + - post + - put + createCommentUrl: + type: string + description: | + The REST API URL to create a case comment by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts setting`, add the hostname to the allowed hosts. + example: https://example.com/issue/{{{external.system.id}}}/comment + createIncidentJson: + type: string + description: | + A JSON payload sent to the create case URL to create a case. You can use variables to add case data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review. + example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}' + createIncidentMethod: + type: string + description: | + The REST API HTTP request method to create a case in the third-party system. Valid values are `patch`, `post`, and `put`. 
+ enum: + - patch + - post + - put + default: post + createIncidentResponseKey: + type: string + description: The JSON key in the create external case response that contains the case ID. + createIncidentUrl: + type: string + description: | + The REST API URL to create a case in the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + getIncidentResponseExternalTitleKey: + type: string + description: The JSON key in get external case response that contains the case title. + getIncidentUrl: + type: string + description: | + The REST API URL to get the case by ID from the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. You can use a variable to add the external system ID to the URL. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass. + example: https://example.com/issue/{{{external.system.id}}} + hasAuth: + $ref: '#/components/schemas/has_auth' + headers: + type: string + description: | + A set of key-value pairs sent as headers with the request URLs for the create case, update case, get case, and create comment methods. + updateIncidentJson: + type: string + description: | + The JSON payload sent to the update case URL to update the case. You can use variables to add Kibana Cases data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. 
Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review. + example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}' + updateIncidentMethod: + type: string + description: | + The REST API HTTP request method to update the case in the third-party system. Valid values are `patch`, `post`, and `put`. + default: put + enum: + - patch + - post + - put + updateIncidentUrl: + type: string + description: | + The REST API URL to update the case by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + example: https://example.com/issue/{{{external.system.ID}}} + verificationMode: + $ref: '#/components/schemas/verification_mode' + viewIncidentUrl: + type: string + description: | + The URL to view the case in the external system. You can use variables to add the external system ID or external system title to the URL. + example: https://testing-jira.atlassian.net/browse/{{{external.system.title}}} + xmatters_config: + title: Connector request properties for an xMatters connector + description: Defines properties for connectors when type is `.xmatters`. type: object properties: - consumed: - description: The error budget consummed, as a percentage of the initial value. - example: 0.8 - type: number - initial: - description: The initial error budget, as 1 - objective - example: 0.02 - type: number - isEstimated: - description: >- - Only for SLO defined with occurrences budgeting method and calendar - aligned time window. - example: true + configUrl: + description: | + The request URL for the Elastic Alerts trigger in xMatters. It is applicable only when `usesBasic` is `true`. 
+ type: string + nullable: true + usesBasic: + description: Specifies whether the connector uses HTTP basic authentication (`true`) or URL authentication (`false`). type: boolean - remaining: - description: The error budget remaining, as a percentage of the initial value. - example: 0.2 - type: number - required: - - initial - - consumed - - remaining - - isEstimated - SLOs_filter: - description: Defines properties for a filter - properties: - meta: - $ref: '#/components/schemas/SLOs_filter_meta' - query: - type: object - title: Filter + default: true + bedrock_secrets: + title: Connector secrets properties for an Amazon Bedrock connector + description: Defines secrets for connectors when type is `.bedrock`. type: object - SLOs_filter_meta: - description: Defines properties for a filter + required: + - accessKey + - secret properties: - alias: - nullable: true + accessKey: type: string - controlledBy: + description: The AWS access key for authentication. + secret: type: string - disabled: - type: boolean - field: + description: The AWS secret for authentication. + crowdstrike_secrets: + title: Connector secrets properties for a Crowdstrike connector + description: Defines secrets for connectors when type is `.crowdstrike`. + type: object + required: + - clientId + - clientSecret + properties: + clientId: + description: The CrowdStrike API client identifier. type: string - group: + clientSecret: + description: The CrowdStrike API client secret to authenticate the `clientId`. type: string - index: + d3security_secrets: + title: Connector secrets properties for a D3 Security connector + description: Defines secrets for connectors when type is `.d3security`. + required: + - token + type: object + properties: + token: type: string - isMultiIndex: - type: boolean - key: + description: The D3 Security token. + email_secrets: + title: Connector secrets properties for an email connector + description: Defines secrets for connectors when type is `.email`. 
+ type: object + properties: + clientSecret: type: string - negate: - type: boolean - params: - type: object - type: + description: | + The Microsoft Exchange Client secret for OAuth 2.0 client credentials authentication. It must be URL-encoded. If `service` is `exchange_server`, this property is required. + password: type: string - value: + description: | + The password for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required. + user: type: string - title: FilterMeta - type: object - SLOs_find_slo_definitions_response: - description: | - A paginated response of SLO definitions matching the query. - oneOf: - - type: object - properties: - page: - example: 1 - type: number - perPage: - example: 25 - type: number - results: - items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - type: array - total: - example: 34 - type: number - - type: object - properties: - page: - default: 1 - description: for backward compability - type: number - perPage: - description: for backward compability - example: 25 - type: number - results: - items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - type: array - searchAfter: - description: the cursor to provide to get the next paged results - example: - - some-slo-id - - other-cursor-id - items: - type: string - type: array - size: - example: 25 - type: number - total: - example: 34 - type: number - title: Find SLO definitions response + description: | + The username for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required. + gemini_secrets: + title: Connector secrets properties for a Google Gemini connector + description: Defines secrets for connectors when type is `.gemini`. type: object - SLOs_find_slo_response: - description: | - A paginated response of SLOs matching the query. 
+ required: + - credentialsJson properties: - page: - example: 1 - type: number - perPage: - example: 25 - type: number - results: - items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - type: array - searchAfter: + credentialsJson: type: string - size: - description: Size provided for cursor based pagination - example: 25 - type: number - total: - example: 34 - type: number - title: Find SLO response - type: object - SLOs_group_by: - description: >- - optional group by field or fields to use to generate an SLO per distinct - value - example: - - - service.name - - service.name - - - service.name - - service.environment - oneOf: - - type: string - - items: - type: string - type: array - title: Group by - SLOs_indicator_properties_apm_availability: - description: Defines properties for the APM availability indicator type + description: The service account credentials JSON file. The service account should have Vertex AI user IAM role assigned to it. + resilient_secrets: + title: Connector secrets properties for IBM Resilient connector + required: + - apiKeyId + - apiKeySecret + description: Defines secrets for connectors when type is `.resilient`. type: object properties: - params: - description: An object containing the indicator parameters. 
- nullable: false - type: object - properties: - environment: - description: The APM service environment or "*" - example: production - type: string - filter: - description: KQL query used for filtering the data - example: 'service.foo : "bar"' - type: string - index: - description: The index used by APM metrics - example: metrics-apm*,apm* - type: string - service: - description: The APM service name - example: o11y-app - type: string - transactionName: - description: The APM transaction name or "*" - example: GET /my/api - type: string - transactionType: - description: The APM transaction type or "*" - example: request - type: string - required: - - service - - environment - - transactionType - - transactionName - - index - type: - description: The type of indicator. - example: sli.apm.transactionDuration + apiKeyId: + type: string + description: The authentication key ID for HTTP Basic authentication. + apiKeySecret: type: string + description: The authentication key secret for HTTP Basic authentication. + jira_secrets: + title: Connector secrets properties for a Jira connector required: - - type - - params - title: APM availability - SLOs_indicator_properties_apm_latency: - description: Defines properties for the APM latency indicator type + - apiToken + - email + description: Defines secrets for connectors when type is `.jira`. type: object properties: - params: - description: An object containing the indicator parameters. 
- nullable: false - type: object - properties: - environment: - description: The APM service environment or "*" - example: production - type: string - filter: - description: KQL query used for filtering the data - example: 'service.foo : "bar"' - type: string - index: - description: The index used by APM metrics - example: metrics-apm*,apm* - type: string - service: - description: The APM service name - example: o11y-app - type: string - threshold: - description: The latency threshold in milliseconds - example: 250 - type: number - transactionName: - description: The APM transaction name or "*" - example: GET /my/api - type: string - transactionType: - description: The APM transaction type or "*" - example: request - type: string - required: - - service - - environment - - transactionType - - transactionName - - index - - threshold - type: - description: The type of indicator. - example: sli.apm.transactionDuration + apiToken: + description: The Jira API authentication token for HTTP basic authentication. type: string + email: + description: The account email for HTTP Basic authentication. + type: string + teams_secrets: + title: Connector secrets properties for a Microsoft Teams connector + description: Defines secrets for connectors when type is `.teams`. + type: object required: - - type - - params - title: APM latency - SLOs_indicator_properties_custom_kql: - description: Defines properties for a custom query indicator type + - webhookUrl + properties: + webhookUrl: + type: string + description: | + The URL of the incoming webhook. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + genai_secrets: + title: Connector secrets properties for an OpenAI connector + description: | + Defines secrets for connectors when type is `.gen-ai`. Supports both API key authentication (OpenAI, Azure OpenAI, and `Other`) and PKI authentication (`Other` provider only). PKI fields must be base64-encoded PEM content. 
type: object properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - $ref: '#/components/schemas/SLOs_kql_with_filters' - good: - $ref: '#/components/schemas/SLOs_kql_with_filters_good' - index: - description: The index or index pattern to use - example: my-service-* - type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - total: - $ref: '#/components/schemas/SLOs_kql_with_filters_total' - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.kql.custom + apiKey: + type: string + description: | + The API key for authentication. For OpenAI and Azure OpenAI providers, it is required. For the `Other` provider, it is required if you do not use PKI authentication. With PKI, you can also optionally include an API key if the OpenAI-compatible service supports or requires one. + certificateData: + type: string + description: | + Base64-encoded PEM certificate content for PKI authentication (Other provider only). Required for PKI. + minLength: 1 + privateKeyData: + type: string + description: | + Base64-encoded PEM private key content for PKI authentication (Other provider only). Required for PKI. + minLength: 1 + caData: type: string + description: | + Base64-encoded PEM CA certificate content for PKI authentication (Other provider only). Optional. 
+ minLength: 1 + opsgenie_secrets: + title: Connector secrets properties for an Opsgenie connector required: - - type - - params - title: Custom Query - SLOs_indicator_properties_custom_metric: - description: Defines properties for a custom metric indicator type + - apiKey + description: Defines secrets for connectors when type is `.opsgenie`. type: object properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - good: - description: | - An object defining the "good" metrics and equation - type: object - properties: - equation: - description: The equation to calculate the "good" metric. - example: A - type: string - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. - items: - oneOf: - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - sum - example: sum - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - - field - - type: object - properties: - aggregation: - description: The aggregation type of the metric. 
- enum: - - doc_count - example: doc_count - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - type: array - required: - - metrics - - equation - index: - description: The index or index pattern to use - example: my-service-* - type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - total: - description: | - An object defining the "total" metrics and equation - type: object - properties: - equation: - description: The equation to calculate the "total" metric. - example: A - type: string - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. - items: - oneOf: - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - sum - example: sum - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - - field - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - doc_count - example: doc_count - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. 
Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - type: array - required: - - metrics - - equation - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.metric.custom + apiKey: + description: The Opsgenie API authentication key for HTTP Basic authentication. type: string + pagerduty_secrets: + title: Connector secrets properties for a PagerDuty connector + description: Defines secrets for connectors when type is `.pagerduty`. + type: object required: - - type - - params - title: Custom metric - SLOs_indicator_properties_histogram: - description: Defines properties for a histogram indicator type + - routingKey + properties: + routingKey: + description: | + A 32 character PagerDuty Integration Key for an integration on a service. + type: string + sentinelone_secrets: + title: Connector secrets properties for a SentinelOne connector + description: Defines secrets for connectors when type is `.sentinelone`. type: object + required: + - token properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - good: - description: | - An object defining the "good" events - type: object - properties: - aggregation: - description: The type of aggregation to use. - enum: - - value_count - - range - example: value_count - type: string - field: - description: The field use to aggregate the good events. 
- example: processor.latency - type: string - filter: - description: The filter for good events. - example: 'processor.outcome: "success"' - type: string - from: - description: >- - The starting value of the range. Only required for "range" - aggregations. - example: 0 - type: number - to: - description: >- - The ending value of the range. Only required for "range" - aggregations. - example: 100 - type: number - required: - - aggregation - - field - index: - description: The index or index pattern to use - example: my-service-* - type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - total: - description: | - An object defining the "total" events - type: object - properties: - aggregation: - description: The type of aggregation to use. - enum: - - value_count - - range - example: value_count - type: string - field: - description: The field use to aggregate the good events. - example: processor.latency - type: string - filter: - description: The filter for total events. - example: 'processor.outcome : *' - type: string - from: - description: >- - The starting value of the range. Only required for "range" - aggregations. - example: 0 - type: number - to: - description: >- - The ending value of the range. Only required for "range" - aggregations. - example: 100 - type: number - required: - - aggregation - - field - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.histogram.custom + token: + description: The A SentinelOne API token. + type: string + servicenow_secrets: + title: Connector secrets properties for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors + description: Defines secrets for connectors when type is `.servicenow`, `.servicenow-sir`, or `.servicenow-itom`. + type: object + properties: + clientSecret: + type: string + description: The client secret assigned to your OAuth application. 
This property is required when `isOAuth` is `true`. + password: + type: string + description: The password for HTTP basic authentication. This property is required when `isOAuth` is `false`. + privateKey: type: string + description: The RSA private key that you created for use in ServiceNow. This property is required when `isOAuth` is `true`. + privateKeyPassword: + type: string + description: The password for the RSA private key. This property is required when `isOAuth` is `true` and you set a password on your private key. + username: + type: string + description: The username for HTTP basic authentication. This property is required when `isOAuth` is `false`. + slack_api_secrets: + title: Connector secrets properties for a Web API Slack connector + description: Defines secrets for connectors when type is `.slack`. required: - - type - - params - title: Histogram indicator - SLOs_indicator_properties_timeslice_metric: - description: Defines properties for a timeslice metric indicator type + - token type: object properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - index: - description: The index or index pattern to use - example: my-service-* - type: string - metric: - description: > - An object defining the metrics, equation, and threshold to - determine if it's a good slice or not - type: object - properties: - comparator: - description: >- - The comparator to use to compare the equation to the - threshold. 
- enum: - - GT - - GTE - - LT - - LTE - example: GT - type: string - equation: - description: The equation to calculate the metric. - example: A - type: string - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. - items: - anyOf: - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_percentile_metric - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_doc_count_metric - discriminator: - mapping: - avg: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - cardinality: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - doc_count: >- - #/components/schemas/SLOs_timeslice_metric_doc_count_metric - last_value: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - max: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - min: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - percentile: >- - #/components/schemas/SLOs_timeslice_metric_percentile_metric - std_deviation: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - sum: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - propertyName: aggregation - type: array - threshold: - description: >- - The threshold used to determine if the metric is a good - slice or not. - example: 100 - type: number - required: - - metrics - - equation - - comparator - - threshold - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - required: - - index - - timestampField - - metric - type: - description: The type of indicator. - example: sli.metric.timeslice + token: + type: string + description: Slack bot user OAuth token. + swimlane_secrets: + title: Connector secrets properties for a Swimlane connector + description: Defines secrets for connectors when type is `.swimlane`. 
+ type: object + properties: + apiToken: + description: Swimlane API authentication token. type: string + thehive_secrets: + title: Connector secrets properties for a TheHive connector + description: Defines secrets for connectors when type is `.thehive`. required: - - type - - params - title: Timeslice metric - SLOs_kql_with_filters: - description: Defines properties for a filter - oneOf: - - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' + - apiKey + type: object + properties: + apiKey: type: string - - type: object - properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: - type: string - title: KQL with filters - SLOs_kql_with_filters_good: - description: The KQL query used to define the good events. - oneOf: - - description: the KQL query to filter the documents with. - example: 'request.latency <= 150 and request.status_code : "2xx"' + description: The API key for authentication in TheHive. + tines_secrets: + title: Connector secrets properties for a Tines connector + description: Defines secrets for connectors when type is `.tines`. + type: object + required: + - email + - token + properties: + email: + description: The email used to sign in to Tines. type: string - - type: object - properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: - type: string - title: KQL query for good events - SLOs_kql_with_filters_total: - description: The KQL query used to define all events. - oneOf: - - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' + token: + description: The Tines API token. 
type: string - - type: object - properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: - type: string - title: KQL query for all events - SLOs_objective: - description: Defines properties for the SLO objective + torq_secrets: + title: Connector secrets properties for a Torq connector + description: Defines secrets for connectors when type is `.torq`. type: object + required: + - token properties: - target: - description: the target objective between 0 and 1 excluded - example: 0.99 - exclusiveMaximum: true - exclusiveMinimum: true - maximum: 100 - minimum: 0 - type: number - timesliceTarget: - description: >- - the target objective for each slice when using a timeslices - budgeting method - example: 0.995 - maximum: 100 - minimum: 0 - type: number - timesliceWindow: - description: >- - the duration of each slice when using a timeslices budgeting method, - as {duraton}{unit} - example: 5m + token: + description: The secret of the webhook authentication header. type: string - required: - - target - title: Objective - SLOs_settings: - description: Defines properties for SLO settings. + crt: + title: Certificate + type: string + description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the CRT or CERT file. + key: + title: Certificate key + type: string + description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the KEY file. + pfx: + title: Personal information exchange + type: string + description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-pfx`, it is a base64 encoded version of the PFX or P12 file. + webhook_secrets: + title: Connector secrets properties for a Webhook connector + description: Defines secrets for connectors when type is `.webhook`. 
+ type: object properties: - frequency: - default: 1m - description: >- - The interval between checks for changes in the source data. The - minimum value is 1m and the maximum is 59m. The default value is 1 - minute. - example: 5m + crt: + $ref: '#/components/schemas/crt' + key: + $ref: '#/components/schemas/key' + pfx: + $ref: '#/components/schemas/pfx' + password: type: string - preventInitialBackfill: - default: false - description: >- - Start aggregating data from the time the SLO is created, instead of - backfilling data from the beginning of the time window. - example: true - type: boolean - syncDelay: - default: 1m - description: >- - The time delay in minutes between the current time and the latest - source data time. Increasing the value will delay any alerting. The - default value is 1 minute. The minimum value is 1m and the maximum - is 359m. It should always be greater then source index refresh - interval. - example: 5m + description: | + The password for HTTP basic authentication or the passphrase for the SSL certificate files. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. + user: type: string - syncField: - description: >- - The date field that is used to identify new documents in the source. - It is strongly recommended to use a field that contains the ingest - timestamp. If you use a different field, you might need to set the - delay such that it accounts for data transmission delays. When - unspecified, we use the indicator timestamp field. - example: event.ingested + description: | + The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. 
+ cases_webhook_secrets: + title: Connector secrets properties for Webhook - Case Management connector + type: object + properties: + crt: + $ref: '#/components/schemas/crt' + key: + $ref: '#/components/schemas/key' + pfx: + $ref: '#/components/schemas/pfx' + password: type: string - title: Settings + description: | + The password for HTTP basic authentication. If `hasAuth` is set to `true` and and `authType` is `webhook-authentication-basic`, this property is required. + user: + type: string + description: | + The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. + xmatters_secrets: + title: Connector secrets properties for an xMatters connector + description: Defines secrets for connectors when type is `.xmatters`. type: object - SLOs_slo_definition_response: - title: SLO definition response + properties: + password: + description: | + A user name for HTTP basic authentication. It is applicable only when `usesBasic` is `true`. + type: string + secretsUrl: + description: | + The request URL for the Elastic Alerts trigger in xMatters with the API key included in the URL. It is applicable only when `usesBasic` is `false`. + type: string + user: + description: | + A password for HTTP basic authentication. It is applicable only when `usesBasic` is `true`. + type: string + genai_openai_other_config: + title: Connector request properties for an OpenAI connector with Other provider + description: | + Defines properties for connectors when type is `.gen-ai` and the API provider is `Other` (OpenAI-compatible service), including optional PKI authentication. 
type: object + required: + - apiProvider + - apiUrl + - defaultModel properties: - artifacts: - $ref: '#/components/schemas/SLOs_artifacts' - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - createdAt: - description: The creation date - example: '2023-01-12T10:03:19.000Z' + apiProvider: type: string - description: - description: The description of the SLO. - example: My SLO description + description: The OpenAI API provider. + enum: + - Other + apiUrl: type: string - enabled: - description: Indicate if the SLO is enabled - example: true - type: boolean - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - id: - description: The identifier of the SLO. - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + description: The OpenAI-compatible API endpoint. + defaultModel: type: string - indicator: - discriminator: - mapping: - sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' - sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' - sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' - sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' - sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' - sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - propertyName: type - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - name: - description: The name of the SLO. - example: My Service SLO + description: The default model to use for requests. 
+ certificateData: type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - revision: - description: The SLO revision - example: 2 - type: number - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags + description: PEM-encoded certificate content. + minLength: 1 + privateKeyData: + type: string + description: PEM-encoded private key content. + minLength: 1 + caData: + type: string + description: PEM-encoded CA certificate content. + minLength: 1 + verificationMode: + type: string + description: SSL verification mode for PKI authentication. + enum: + - full + - certificate + - none + default: full + headers: + type: object + description: Custom headers to include in requests. + additionalProperties: + type: string + defender_secrets: + title: Connector secrets properties for a Microsoft Defender for Endpoint connector + required: + - clientSecret + description: Defines secrets for connectors when type is `..microsoft_defender_endpoint`. + type: object + properties: + clientSecret: + description: The client secret for your app in the Azure portal. + type: string + run_acknowledge_resolve_pagerduty: + title: PagerDuty connector parameters + description: Test an action that acknowledges or resolves a PagerDuty alert. + type: object + required: + - dedupKey + - eventAction + properties: + dedupKey: + description: The deduplication key for the PagerDuty alert. + type: string + maxLength: 255 + eventAction: + description: The type of event. + type: string + enum: + - acknowledge + - resolve + run_documents: + title: Index connector parameters + description: Test an action that indexes a document into Elasticsearch. + type: object + required: + - documents + properties: + documents: + type: array + description: The documents in JSON format for index connectors. 
+ items: + type: object + additionalProperties: true + run_message_email: + title: Email connector parameters + description: | + Test an action that sends an email message. There must be at least one recipient in `to`, `cc`, or `bcc`. + type: object + required: + - message + - subject + properties: + bcc: + type: array items: type: string + description: | + A list of "blind carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in name `` format + cc: type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - updatedAt: - description: The last update date - example: '2023-01-12T10:03:19.000Z' + items: + type: string + description: | + A list of "carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in name `` format + message: type: string - version: - description: The internal SLO version - example: 2 - type: number + description: The email message text. Markdown format is supported. + subject: + type: string + description: The subject line of the email. + to: + type: array + description: | + A list of email addresses. Addresses can be specified in `user@host-name` format or in name `` format. + items: + type: string + run_message_serverlog: + title: Server log connector parameters + description: Test an action that writes an entry to the Kibana server log. + type: object required: - - id - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - - settings - - revision - - enabled - - groupBy - - tags - - createdAt - - updatedAt - - version - SLOs_slo_with_summary_response: - title: SLO response + - message + properties: + level: + type: string + description: The log level of the message for server log connectors. + enum: + - debug + - error + - fatal + - info + - trace + - warn + default: info + message: + type: string + description: The message for server log connectors. 
+ run_message_slack: + title: Slack connector parameters + description: | + Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack`. type: object + required: + - message properties: - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - createdAt: - description: The creation date - example: '2023-01-12T10:03:19.000Z' + message: type: string - description: - description: The description of the SLO. - example: My SLO description + description: The Slack message text, which cannot contain Markdown, images, or other advanced formatting. + run_trigger_pagerduty: + title: PagerDuty connector parameters + description: Test an action that triggers a PagerDuty alert. + type: object + required: + - eventAction + properties: + class: + description: The class or type of the event. type: string - enabled: - description: Indicate if the SLO is enabled - example: true - type: boolean - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - id: - description: The identifier of the SLO. - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + example: cpu load + component: + description: The component of the source machine that is responsible for the event. 
type: string - indicator: - discriminator: - mapping: - sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' - sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' - sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' - sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' - sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' - sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - propertyName: type - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - instanceId: - description: the value derived from the groupBy field, if present, otherwise '*' - example: host-abcde + example: eth0 + customDetails: + description: Additional details to add to the event. + type: object + dedupKey: + description: | + All actions sharing this key will be associated with the same PagerDuty alert. This value is used to correlate trigger and resolution. type: string - name: - description: The name of the SLO. - example: My Service SLO + maxLength: 255 + eventAction: + description: The type of event. type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - revision: - description: The SLO revision - example: 2 - type: number - settings: - $ref: '#/components/schemas/SLOs_settings' - summary: - $ref: '#/components/schemas/SLOs_summary' - tags: - description: List of tags - items: - type: string + enum: + - trigger + group: + description: The logical grouping of components of a service. 
+ type: string + example: app-stack + links: + description: A list of links to add to the event. type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - updatedAt: - description: The last update date - example: '2023-01-12T10:03:19.000Z' + items: + type: object + properties: + href: + description: The URL for the link. + type: string + text: + description: A plain text description of the purpose of the link. + type: string + severity: + description: The severity of the event on the affected system. type: string - version: - description: The internal SLO version - example: 2 - type: number + enum: + - critical + - error + - info + - warning + default: info + source: + description: | + The affected system, such as a hostname or fully qualified domain name. Defaults to the Kibana saved object id of the action. + type: string + summary: + description: A summery of the event. + type: string + maxLength: 1024 + timestamp: + description: An ISO-8601 timestamp that indicates when the event was detected or generated. + type: string + format: date-time + run_addevent: + title: The addEvent subaction + type: object + required: + - subAction + description: The `addEvent` subaction for ServiceNow ITOM connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - addEvent + subActionParams: + type: object + description: The set of configuration properties for the action. + properties: + additional_info: + type: string + description: Additional information about the event. + description: + type: string + description: The details about the event. + event_class: + type: string + description: A specific instance of the source. + message_key: + type: string + description: All actions sharing this key are associated with the same ServiceNow alert. The default value is `:`. + metric_name: + type: string + description: The name of the metric. + node: + type: string + description: The host that the event was triggered for. 
+ resource: + type: string + description: The name of the resource. + severity: + type: string + description: The severity of the event. + source: + type: string + description: The name of the event source type. + time_of_event: + type: string + description: The time of the event. + type: + type: string + description: The type of event. + run_closealert: + title: The closeAlert subaction + type: object + required: + - subAction + - subActionParams + description: The `closeAlert` subaction for Opsgenie connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - closeAlert + subActionParams: + type: object + required: + - alias + properties: + alias: + type: string + description: The unique identifier used for alert deduplication in Opsgenie. The alias must match the value used when creating the alert. + note: + type: string + description: Additional information for the alert. + source: + type: string + description: The display name for the source of the alert. + user: + type: string + description: The display name for the owner. + run_closeincident: + title: The closeIncident subaction + type: object + required: + - subAction + - subActionParams + description: The `closeIncident` subaction for ServiceNow ITSM connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - closeIncident + subActionParams: + type: object + required: + - incident + properties: + incident: + type: object + anyOf: + - required: + - correlation_id + - required: + - externalId + properties: + correlation_id: + type: string + nullable: true + description: | + An identifier that is assigned to the incident when it is created by the connector. NOTE: If you use the default value and the rule generates multiple alerts that use the same alert IDs, the latest open incident for this correlation ID is closed unless you specify the external ID. 
+ maxLength: 100 + default: '{{rule.id}}:{{alert.id}}' + externalId: + type: string + nullable: true + description: The unique identifier (`incidentId`) for the incident in ServiceNow. + run_createalert: + title: The createAlert subaction + type: object + required: + - subAction + - subActionParams + description: The `createAlert` subaction for Opsgenie and TheHive connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - createAlert + subActionParams: + type: object + properties: + actions: + type: array + description: The custom actions available to the alert in Opsgenie connectors. + items: + type: string + alias: + type: string + description: The unique identifier used for alert deduplication in Opsgenie. + description: + type: string + description: A description that provides detailed information about the alert. + details: + type: object + description: The custom properties of the alert in Opsgenie connectors. + additionalProperties: true + example: + key1: value1 + key2: value2 + entity: + type: string + description: The domain of the alert in Opsgenie connectors. For example, the application or server name. + message: + type: string + description: The alert message in Opsgenie connectors. + note: + type: string + description: Additional information for the alert in Opsgenie connectors. + priority: + type: string + description: The priority level for the alert in Opsgenie connectors. + enum: + - P1 + - P2 + - P3 + - P4 + - P5 + responders: + type: array + description: | + The entities to receive notifications about the alert in Opsgenie connectors. If `type` is `user`, either `id` or `username` is required. If `type` is `team`, either `id` or `name` is required. + items: + type: object + properties: + id: + type: string + description: The identifier for the entity. + name: + type: string + description: The name of the entity. + type: + type: string + description: The type of responders, in this case `escalation`. 
+ enum: + - escalation + - schedule + - team + - user + username: + type: string + description: A valid email address for the user. + severity: + type: integer + minimum: 1 + maximum: 4 + description: | + The severity of the incident for TheHive connectors. The value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium). + source: + type: string + description: The display name for the source of the alert in Opsgenie and TheHive connectors. + sourceRef: + type: string + description: A source reference for the alert in TheHive connectors. + tags: + type: array + description: The tags for the alert in Opsgenie and TheHive connectors. + items: + type: string + title: + type: string + description: | + A title for the incident for TheHive connectors. It is used for searching the contents of the knowledge base. + tlp: + type: integer + minimum: 0 + maximum: 4 + default: 2 + description: | + The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red). + type: + type: string + description: The type of alert in TheHive connectors. + user: + type: string + description: The display name for the owner. + visibleTo: + type: array + description: The teams and users that the alert will be visible to without sending a notification. Only one of `id`, `name`, or `username` is required. + items: + type: object + required: + - type + properties: + id: + type: string + description: The identifier for the entity. + name: + type: string + description: The name of the entity. + type: + type: string + description: Valid values are `team` and `user`. + enum: + - team + - user + username: + type: string + description: The user name. This property is required only when the `type` is `user`. 
+ run_fieldsbyissuetype: + title: The fieldsByIssueType subaction + type: object required: - - id - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - - settings - - revision - - summary - - enabled - - groupBy - - instanceId - - tags - - createdAt - - updatedAt - - version - SLOs_summary: - description: The SLO computed data + - subAction + - subActionParams + description: The `fieldsByIssueType` subaction for Jira connectors. properties: - errorBudget: - $ref: '#/components/schemas/SLOs_error_budget' - sliValue: - example: 0.9836 - type: number - status: - $ref: '#/components/schemas/SLOs_summary_status' - required: - - status - - sliValue - - errorBudget - title: Summary - type: object - SLOs_summary_status: - enum: - - NO_DATA - - HEALTHY - - DEGRADING - - VIOLATED - example: HEALTHY - title: summary status - type: string - SLOs_time_window: - description: Defines properties for the SLO time window + subAction: + type: string + description: The action to test. + enum: + - fieldsByIssueType + subActionParams: + type: object + required: + - id + properties: + id: + type: string + description: The Jira issue type identifier. + example: 10024 + run_getagentdetails: + title: The getAgentDetails subaction type: object + required: + - subAction + - subActionParams + description: The `getAgentDetails` subaction for CrowdStrike connectors. properties: - duration: - description: >- - the duration formatted as {duration}{unit}. Accepted values for - rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w - (weekly) or 1M (monthly) - example: 30d + subAction: type: string - type: - description: >- - Indicates weither the time window is a rolling or a calendar aligned - time window. + description: The action to test. 
enum: - - rolling - - calendarAligned - example: rolling - type: string - required: - - duration - - type - title: Time window - SLOs_timeslice_metric_basic_metric_with_field: + - getAgentDetails + subActionParams: + type: object + description: The set of configuration properties for the action. + required: + - ids + properties: + ids: + type: array + description: An array of CrowdStrike agent identifiers. + items: + type: string + run_getagents: + title: The getAgents subaction type: object + required: + - subAction + description: The `getAgents` subaction for SentinelOne connectors. properties: - aggregation: - description: The aggregation type of the metric. - enum: - - sum - - avg - - min - - max - - std_deviation - - last_value - - cardinality - example: sum - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ + subAction: type: string - required: - - name - - aggregation - - field - title: Timeslice Metric Basic Metric with Field - SLOs_timeslice_metric_doc_count_metric: + description: The action to test. + enum: + - getAgents + run_getchoices: + title: The getChoices subaction type: object + required: + - subAction + - subActionParams + description: The `getChoices` subaction for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors. properties: - aggregation: - description: The aggregation type of the metric. Only valid option is "doc_count" - enum: - - doc_count - example: doc_count - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' - type: string - name: - description: The name of the metric. 
Only valid options are A-Z - example: A - pattern: ^[A-Z]$ + subAction: type: string - required: - - name - - aggregation - title: Timeslice Metric Doc Count Metric - SLOs_timeslice_metric_percentile_metric: + description: The action to test. + enum: + - getChoices + subActionParams: + type: object + description: The set of configuration properties for the action. + required: + - fields + properties: + fields: + type: array + description: An array of fields. + items: + type: string + run_getfields: + title: The getFields subaction type: object + required: + - subAction + description: The `getFields` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors. properties: - aggregation: - description: >- - The aggregation type of the metric. Only valid option is - "percentile" - enum: - - percentile - example: percentile - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ + subAction: type: string - percentile: - description: The percentile value. - example: 95 - type: number + description: The action to test. + enum: + - getFields + run_getincident: + title: The getIncident subaction + type: object + description: The `getIncident` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors. required: - - name - - aggregation - - field - - percentile - title: Timeslice Metric Percentile Metric - SLOs_update_slo_request: - description: > - The update SLO API request body varies depending on the type of - indicator, time window and budgeting method. Partial update is handled. 
+ - subAction + - subActionParams properties: - artifacts: - $ref: '#/components/schemas/SLOs_artifacts' - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - description: - description: A description for the SLO. - type: string - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - indicator: - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - name: - description: A name for the SLO. + subAction: type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags - items: - type: string - type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - title: Update SLO request + description: The action to test. + enum: + - getIncident + subActionParams: + type: object + required: + - externalId + properties: + externalId: + type: string + description: The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. + example: 71778 + run_issue: + title: The issue subaction type: object - Task_manager_health_Serverless_APIs_configuration: - description: > - This object summarizes the current configuration of Task Manager. This - includes dynamic configurations that change over time, such as - `poll_interval` and `max_workers`, which can adjust in reaction to - changing load on the system. + required: + - subAction + description: The `issue` subaction for Jira connectors. + properties: + subAction: + type: string + description: The action to test. 
+ enum: + - issue + subActionParams: + type: object + required: + - id + properties: + id: + type: string + description: The Jira issue identifier. + example: 71778 + run_issues: + title: The issues subaction type: object - Task_manager_health_Serverless_APIs_health_response_serverless: - title: Task health response properties + required: + - subAction + - subActionParams + description: The `issues` subaction for Jira connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - issues + subActionParams: + type: object + required: + - title + properties: + title: + type: string + description: The title of the Jira issue. + run_issuetypes: + title: The issueTypes subaction type: object + required: + - subAction + description: The `issueTypes` subaction for Jira connectors. properties: - id: + subAction: type: string - last_update: + description: The action to test. + enum: + - issueTypes + run_postmessage: + title: The postMessage subaction + type: object + description: | + Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack_api`. + required: + - subAction + - subActionParams + properties: + subAction: type: string - stats: + description: The action to test. + enum: + - postMessage + subActionParams: type: object + description: The set of configuration properties for the action. properties: - configuration: - $ref: >- - #/components/schemas/Task_manager_health_Serverless_APIs_configuration - workload: - $ref: >- - #/components/schemas/Task_manager_health_Serverless_APIs_workload - status: - type: string - timestamp: + channelIds: + type: array + maxItems: 1 + description: | + The Slack channel identifier, which must be one of the `allowedChannels` in the connector configuration. + items: + type: string + channels: + type: array + deprecated: true + description: | + The name of a channel that your Slack app has access to. 
+ maxItems: 1 + items: + type: string + text: + type: string + description: | + The Slack message text. If it is a Slack webhook connector, the text cannot contain Markdown, images, or other advanced formatting. If it is a Slack web API connector, it can contain either plain text or block kit messages. + minLength: 1 + run_pushtoservice: + title: The pushToService subaction + type: object + required: + - subAction + - subActionParams + description: The `pushToService` subaction for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors. + properties: + subAction: type: string - Task_manager_health_Serverless_APIs_workload: - description: > - This object summarizes the work load across the cluster, including the - tasks in the system, their types, and current status. + description: The action to test. + enum: + - pushToService + subActionParams: + type: object + description: The set of configuration properties for the action. + properties: + comments: + type: array + description: Additional information that is sent to Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, or TheHive. + items: + type: object + properties: + comment: + type: string + description: A comment related to the incident. For example, describe how to troubleshoot the issue. + commentId: + type: integer + description: A unique identifier for the comment. + incident: + type: object + description: Information necessary to create or update a Jira, ServiceNow ITSM, ServiveNow SecOps, Swimlane, or TheHive incident. + properties: + additional_fields: + type: string + nullable: true + maxLength: 20 + description: | + Additional fields for ServiceNow ITSM and ServiveNow SecOps connectors. The fields must exist in the Elastic ServiceNow application and must be specified in JSON format. + alertId: + type: string + description: The alert identifier for Swimlane connectors. 
+ caseId: + type: string + description: The case identifier for the incident for Swimlane connectors. + caseName: + type: string + description: The case name for the incident for Swimlane connectors. + category: + type: string + description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. + correlation_display: + type: string + description: A descriptive label of the alert for correlation purposes for ServiceNow ITSM and ServiceNow SecOps connectors. + correlation_id: + type: string + description: | + The correlation identifier for the security incident for ServiceNow ITSM and ServiveNow SecOps connectors. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as `{{ruleID}}:{{alert ID}}` to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters. NOTE: Using the default configuration of `{{ruleID}}:{{alert ID}}` ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert. + description: + type: string + description: The description of the incident for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors. + dest_ip: + description: | + A list of destination IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident. + oneOf: + - type: string + - type: array + items: + type: string + externalId: + type: string + description: | + The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. If present, the incident is updated. 
Otherwise, a new incident is created. + id: + type: string + description: The external case identifier for Webhook - Case Management connectors. + impact: + type: string + description: The impact of the incident for ServiceNow ITSM connectors. + issueType: + type: integer + description: The type of incident for Jira connectors. For example, 10006. To obtain the list of valid values, set `subAction` to `issueTypes`. + labels: + type: array + items: + type: string + description: | + The labels for the incident for Jira connectors. NOTE: Labels cannot contain spaces. + malware_hash: + description: A list of malware hashes related to the security incident for ServiceNow SecOps connectors. The hashes are added as observables to the security incident. + oneOf: + - type: string + - type: array + items: + type: string + malware_url: + type: string + description: A list of malware URLs related to the security incident for ServiceNow SecOps connectors. The URLs are added as observables to the security incident. + oneOf: + - type: string + - type: array + items: + type: string + otherFields: + type: object + additionalProperties: true + maxProperties: 20 + description: | + Custom field identifiers and their values for Jira connectors. + parent: + type: string + description: The ID or key of the parent issue for Jira connectors. Applies only to `Sub-task` types of issues. + priority: + type: string + description: The priority of the incident in Jira and ServiceNow SecOps connectors. + ruleName: + type: string + description: The rule name for Swimlane connectors. + severity: + type: integer + description: | + The severity of the incident for ServiceNow ITSM, Swimlane, and TheHive connectors. In TheHive connectors, the severity value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium). + short_description: + type: string + description: | + A short description of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. 
It is used for searching the contents of the knowledge base. + source_ip: + description: A list of source IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident. + oneOf: + - type: string + - type: array + items: + type: string + status: + type: string + description: The status of the incident for Webhook - Case Management connectors. + subcategory: + type: string + description: The subcategory of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. + summary: + type: string + description: A summary of the incident for Jira connectors. + tags: + type: array + items: + type: string + description: A list of tags for TheHive and Webhook - Case Management connectors. + title: + type: string + description: | + A title for the incident for Jira, TheHive, and Webhook - Case Management connectors. It is used for searching the contents of the knowledge base. + tlp: + type: integer + minimum: 0 + maximum: 4 + default: 2 + description: | + The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red). + urgency: + type: string + description: The urgency of the incident for ServiceNow ITSM connectors. + run_validchannelid: + title: The validChannelId subaction type: object + description: | + Retrieves information about a valid Slack channel identifier. It is applicable only when the connector type is `.slack_api`. + required: + - subAction + - subActionParams + properties: + subAction: + type: string + description: The action to test. + enum: + - validChannelId + subActionParams: + type: object + required: + - channelId + properties: + channelId: + type: string + description: The Slack channel identifier. + example: C123ABC456 securitySchemes: apiKeyAuth: - description: >- - You must create an API key and use the encoded value in the request - header. 
To learn about creating keys, go to [API - keys](https://www.elastic.co/docs/current/serverless/api-keys). + description: You must create an API key and use the encoded value in the request header. To learn about creating keys, go to [API keys](https://www.elastic.co/docs/current/serverless/api-keys). in: header name: Authorization type: apiKey -security: - - apiKeyAuth: [] -tags: - - description: | - Adjust APM agent configuration without need to redeploy your application. - name: APM agent configuration - - description: > - Configure APM agent keys to authorize requests from APM agents to the APM - Server. - name: APM agent keys - - description: > - Annotate visualizations in the APM app with significant events. - Annotations enable you to easily see how events are impacting the - performance of your applications. - name: APM annotations - - description: Create APM fleet server schema. - name: APM server schema - - description: > - Configure APM source maps. A source map allows minified files to be mapped - back to original source code--allowing you to maintain the speed advantage - of minified code, without losing the ability to quickly and easily debug - your application. - - For best results, uploading source maps should become a part of your - deployment procedure, and not something you only do when you see unhelpful - errors. That's because uploading source maps after errors happen won't - make old errors magically readable--errors must occur again for source - mapping to occur. - name: APM sourcemaps - - description: >- - Data view APIs enable you to manage data views, formerly known as Kibana - index patterns. - name: data views - - description: Machine learning - name: ml - - description: Interact with the Observability AI Assistant resources. 
- externalDocs: - description: Observability AI Assistant - url: >- - https://www.elastic.co/docs/solutions/observability/observability-ai-assistant - name: observability_ai_assistant - x-displayName: Observability AI Assistant - - description: Manage and interact with Security Assistant resources. - name: Security AI Assistant API - x-displayName: Security AI assistant - - description: >- - Use the Attack discovery APIs to generate and manage Attack discoveries. - Attack Discovery leverages large language models (LLMs) to analyze alerts - in your environment and identify threats. Each "discovery" represents a - potential attack and describes relationships among multiple alerts to tell - you which users and hosts are involved, how alerts correspond to the MITRE - ATT&CK matrix, and which threat actor might be responsible. - name: Security Attack discovery API - x-displayName: Security Attack discovery - - description: > - Use the detections APIs to create and manage detection rules. Detection - rules search events and external alerts sent to Elastic Security and - generate detection alerts from any hits. Alerts are displayed on the - **Alerts** page and can be assigned and triaged, using the alert status to - mark them as open, closed, or acknowledged. - - - This API supports both key-based authentication and basic authentication. - - - To use key-based authentication, create an API key, then specify the key - in the header of your API calls. - - - To use basic authentication, provide a username and password; this - automatically creates an API key that matches the current user’s - privileges. - - - In both cases, the API key is subsequently used for authorization when the - rule runs. - - > warn - - > If the API key used for authorization has different privileges than the - key that created or most recently updated a rule, the rule behavior might - change. 
- - - > If the API key that created a rule is deleted, or the user that created - the rule becomes inactive, the rule will stop running. - - - To create and run rules, the user must meet specific requirements for the - Kibana space. Refer to the [Detections - requirements](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html) - for a complete list of requirements. - name: Security Detections API - x-displayName: Security detections - - description: >- - Endpoint Exceptions API allows you to manage detection rule endpoint - exceptions to prevent a rule from generating an alert from incoming events - even when the rule's other criteria are met. - name: Security Endpoint Exceptions API - x-displayName: Security Elastic Endpoint exceptions - - description: Interact with and manage endpoints running the Elastic Defend integration. - name: Security Endpoint Management API - x-displayName: Security endpoint management - - description: '' - name: Security Entity Analytics API - x-displayName: Security entity analytics - - description: > - Exceptions are associated with detection and endpoint rules, and are used - to prevent a rule from generating an alert from incoming events, even when - the rule's other criteria are met. They can help reduce the number of - false positives and prevent trusted processes and network activity from - generating unnecessary alerts. - - - Exceptions are made up of: - - - * **Exception containers**: A container for related exceptions. Generally, - a single exception container contains all the exception items relevant for - a subset of rules. For example, a container can be used to group together - network-related exceptions that are relevant for a large number of network - rules. The container can then be associated with all the relevant rules. - - * **Exception items**: The query (fields, values, and logic) used to - prevent rules from generating alerts. 
When an exception item's query - evaluates to `true`, the rule does not generate an alert. - - - For detection rules, you can also use lists to define rule exceptions. A - list holds multiple values of the same Elasticsearch data type, such as IP - addresses. These values are used to determine when an exception prevents - an alert from being generated. - - > info - - > You cannot use lists with endpoint rule exceptions. - - - > info - - > Only exception containers can be associated with rules. You cannot - directly associate an exception item or a list container with a rule. To - use list exceptions, create an exception item that references the relevant - list container. - - - ## Exceptions requirements - - - Before you can start working with exceptions that use value lists, you - must create the `.lists` and `.items` data streams for the relevant Kibana - space. To do this, use the [Create list data - streams](../operation/operation-createlistindex) endpoint. Once these data - streams are created, your role needs privileges to manage rules. For a - complete list of requirements, refer to [Enable and access - detections](https://www.elastic.co/guide/en/serverless/current/security-detections-requirements.html#enable-detections-ui). - name: Security Exceptions API - x-displayName: Security exceptions - - description: > - Lists can be used with detection rule exceptions to define values that - prevent a rule from generating alerts. - - - Lists are made up of: - - - * **List containers**: A container for values of the same Elasticsearch - data type. The following data types can be used: - * `boolean` - * `byte` - * `date` - * `date_nanos` - * `date_range` - * `double` - * `double_range` - * `float` - * `float_range` - * `half_float` - * `integer` - * `integer_range` - * `ip` - * `ip_range` - * `keyword` - * `long` - * `long_range` - * `short` - * `text` - * **List items**: The values used to determine whether the exception - prevents an alert from being generated. 
- - - All list items in the same list container must be of the same data type, - and each item defines a single value. For example, an IP list container - named `internal-ip-addresses-southport` contains five items, where each - item defines one internal IP address: - - 1. `192.168.1.1` - - 2. `192.168.1.3` - - 3. `192.168.1.18` - - 4. `192.168.1.12` - - 5. `192.168.1.7` - - - To use these IP addresses as values for defining rule exceptions, use the - Security exceptions API to [create an exception list - item](../operation/operation-createexceptionlistitem) that references the - `internal-ip-addresses-southport` list. - - > info - - > Lists cannot be added directly to rules, nor do they define the - operators used to determine when exceptions are applied (`is in list`, `is - not in list`). Use an exception item to define the operator and associate - it with an [exception - container](../operation/operation-createexceptionlist). You can then add - the exception container to a rule's `exceptions_list` object. +x-topics: + - title: Kibana spaces + content: | + Spaces enable you to organize your dashboards and other saved objects into meaningful categories. + You can use the default space or create your own spaces. + To run APIs in non-default spaces, you must add `s/{space_id}/` to the path. + For example: - ## Lists requirements + ```bash + curl -X GET "http://${KIBANA_URL}/s/marketing/api/data_views" \ + -H "Authorization: ApiKey ${API_KEY}" + ``` + If you use the Kibana console to send API requests, it automatically adds the appropriate space identifier. - Before you can start using lists, you must create the `.lists` and - `.items` data streams for the relevant Kibana space. To do this, use the - [Create list data streams](../operation/operation-createlistindex) - endpoint. Once these data streams are created, your role needs privileges - to manage rules. 
Refer to [Enable and access - detections](https://www.elastic.co/guide/en/serverless/current/security-detections-requirements.html#enable-detections-ui) - for a complete list of requirements. - name: Security Lists API - x-displayName: Security lists - - description: Run live queries, manage packs and saved queries. - name: Security Osquery API - x-displayName: Security Osquery - - description: >- - You can create Timelines and Timeline templates via the API, as well as - import new Timelines from an ndjson file. - name: Security Timeline API - x-displayName: Security timeline - - description: SLO APIs enable you to define, manage and track service-level objectives - name: slo - - description: >- - Task manager APIs enable you to check the health of the Kibana task - manager, which is used by features such as alerting, actions, and - reporting to run mission critical work as persistent background tasks. - externalDocs: - description: Task manager - url: >- - https://www.elastic.co/docs/deploy-manage/distributed-architecture/kibana-tasks-management - name: task manager - x-displayName: Task manager + To learn more, check out [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces). diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index 5c6ebb89421ae..4d9f56d69aad5 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml 
@@ -2,68 +2,38 @@ openapi: 3.0.3 info: contact: name: Kibana Team - description: > - The Kibana REST APIs enable you to manage resources such as connectors, data - views, and saved objects. - + description: | + The Kibana REST APIs enable you to manage resources such as connectors, data views, and saved objects. The API calls are stateless. - - Each request that you make happens in isolation from other calls and must - include all of the necessary information for Kibana to fulfill the - + Each request that you make happens in isolation from other calls and must include all of the necessary information for Kibana to fulfill the request. - - API requests return JSON output, which is a format that is machine-readable - and works well for automation. - + API requests return JSON output, which is a format that is machine-readable and works well for automation. To interact with Kibana APIs, use the following operations: - - GET: Fetches the information. - - PATCH: Applies partial modifications to the existing information. - - POST: Adds new information. - - PUT: Updates the existing information. - - DELETE: Removes the information. - - You can prepend any Kibana API endpoint with `kbn:` and run the request in - **Dev Tools → Console**. - + You can prepend any Kibana API endpoint with `kbn:` and run the request in **Dev Tools → Console**. For example: - ``` - GET kbn:/api/data_views - ``` + For more information about the console, refer to [Run API requests](https://www.elastic.co/docs/explore-analyze/query-filter/tools/console). - For more information about the console, refer to [Run API - requests](https://www.elastic.co/docs/explore-analyze/query-filter/tools/console). - - - NOTE: Access to internal Kibana API endpoints will be restricted in Kibana - version 9.0. Please move any integrations to publicly documented APIs. - + NOTE: Access to internal Kibana API endpoints will be restricted in Kibana version 9.0. Please move any integrations to publicly documented APIs. 
## Documentation source and versions + This documentation is derived from the `main` branch of the [kibana](https://github.com/elastic/kibana) repository. + It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 International](https://creativecommons.org/licenses/by-nc-nd/4.0/). - This documentation is derived from the `main` branch of the - [kibana](https://github.com/elastic/kibana) repository. - - It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 - International](https://creativecommons.org/licenses/by-nc-nd/4.0/). - - - This documentation contains work-in-progress information for future Elastic - Stack releases. + This documentation contains work-in-progress information for future Elastic Stack releases. title: Kibana APIs version: '' x-doc-license: 
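Review bot: Switching `info.description` from a folded `>` scalar to a literal `|` scalar also drops the blank lines that separated paragraphs, so, as far as the collapsed hunk can be read, `You can prepend any Kibana API endpoint with `kbn:` ...` now follows `- DELETE: Removes the information.` with no empty line and a CommonMark renderer will treat it as a lazy continuation of that list item rather than a new paragraph; likewise `The API calls are stateless.`, `API requests return JSON output, ...` and `NOTE: Access to internal Kibana API endpoints ...` merge into the sentence before them. A `|` block preserves empty lines, so keeping one blank line between paragraphs and one after the last list item restores the previous rendering without going back to `>`. Since this file looks like bundler output, the blank lines are best restored where the description is emitted rather than by editing the bundle by hand.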
@@ -71,904 +41,1834 @@ info: url: https://creativecommons.org/licenses/by-nc-nd/4.0/ x-feedbackLink: label: Feedback - url: >- - https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+ + url: https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+ servers: - - url: http://{kibana_host}:{port} - variables: - kibana_host: - default: localhost - port: - default: '5601' - - url: / - url: https://{kibana_url} variables: kibana_url: default: localhost:5601 +security: + - apiKeyAuth: [] + - basicAuth: [] +tags: + - name: agent builder + description: | + Agent Builder is a set of AI-powered capabilities for developing and interacting with agents that work with your Elasticsearch data. + Most users will probably want to integrate with Agent Builder using MCP or A2A, but you can also work programmatically with tools, agents, and conversations using these Kibana APIs. + **Elastic Agent Builder requires an Enterprise subscription.** + externalDocs: + description: Agent Builder docs + url: https://www.elastic.co/docs/solutions/search/agent-builder/programmatic-access + x-displayName: Agent Builder + - name: alerting + description: | + Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third party integrations. + externalDocs: + description: Alerting documentation + url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts + x-displayName: Alerting + - description: | + Adjust APM agent configuration without need to redeploy your application. 
+ name: APM agent configuration + - description: | + Configure APM agent keys to authorize requests from APM agents to the APM Server. + name: APM agent keys + - description: | + Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications. + name: APM annotations + - description: Create APM fleet server schema. + name: APM server schema + - description: | + Configure APM source maps. A source map allows minified files to be mapped back to original source code--allowing you to maintain the speed advantage of minified code, without losing the ability to quickly and easily debug your application. + For best results, uploading source maps should become a part of your deployment procedure, and not something you only do when you see unhelpful errors. That's because uploading source maps after errors happen won't make old errors magically readable--errors must occur again for source mapping to occur. + name: APM sourcemaps + - description: | + Cases are used to open and track issues. You can add assignees and tags to your cases, set their severity and status, and add alerts, comments, and visualizations. You can also send cases to external incident management systems by configuring connectors. + name: cases + externalDocs: + description: Cases documentation + url: https://www.elastic.co/docs/explore-analyze/alerts-cases/cases + x-displayName: Cases + - name: connectors + description: | + Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met. 
+ externalDocs: + description: Connector documentation + url: https://www.elastic.co/docs/reference/kibana/connectors-kibana + x-displayName: Connectors + - name: Data streams + description: | + Data stream APIs enable you to manage data streams, which are collections of indices that share the same index template and are managed as a single unit for time-series data. + x-displayName: Data streams + - description: Data view APIs enable you to manage data views, formerly known as Kibana index patterns. + name: data views + x-displayName: Data views + - name: Elastic Agent actions + description: | + Elastic Agent actions APIs enable you to manage actions performed on Elastic Agents, including agent reassignment, diagnostics collection, enrollment management, upgrades, and bulk operations for agent lifecycle management. + x-displayName: Elastic Agent actions + - name: Elastic Agent binary download sources + description: | + Elastic Agent binary download sources APIs enable you to manage download sources for Elastic Agent binaries, including creating, updating, and deleting custom download sources for agent binaries. + x-displayName: Elastic Agent binary download sources + - name: Elastic Agent policies + description: | + Elastic Agent policies APIs enable you to manage agent policies, including creating, updating, and deleting policies, as well as to retrieve agent policy outputs, manifests, and auto-upgrade status information. + x-displayName: Elastic Agent policies + - name: Elastic Agent status + description: | + Enables you to retrieve status information about Elastic Agents, including health summaries and operational status. + x-displayName: Elastic Agent status + - name: Elastic Agents + description: | + Elastic Agents APIs enable you to manage Elastic Agents, including retrieving agent information, managing agent lifecycle, handling file uploads, and initiating agent setup. 
+ x-displayName: Elastic Agents + - name: Elastic Package Manager (EPM) + description: | + Elastic Package Manager (EPM) APIs enable you to manage packages and integrations, including installing, updating, and uninstalling packages, managing custom integrations, and handling package assets. + x-displayName: Elastic Package Manager (EPM) + - name: Fleet agentless policies + - name: Fleet cloud connectors + description: | + Fleet cloud connectors APIs enable you to manage Fleet cloud connectors, including creating, updating, and deleting cloud connector configurations for Fleet integrations. + x-displayName: Fleet cloud connectors + - name: Fleet enrollment API keys + description: | + Fleet enrollment API keys APIs enable you to manage enrollment API keys for Fleet, including creating, retrieving, and revoking API keys used for agent enrollment. + x-displayName: Fleet enrollment API keys + - name: Fleet internals + description: | + Fleet internals APIs enable you to manage Fleet internal operations, including checking permissions, monitoring Fleet Server health, managing settings, and initiating Fleet setup. + x-displayName: Fleet internals + - name: Fleet outputs + description: | + Fleet outputs APIs enable you to manage Fleet outputs, including creating, updating, and deleting output configurations, generating Logstash API keys, and monitoring output health. + x-displayName: Fleet outputs + - name: Fleet package policies + description: | + Fleet package policies APIs enable you to manage Fleet package policies, including creating, updating, and deleting policies, performing bulk operations, and managing policy upgrades. + x-displayName: Fleet package policies + - name: Fleet proxies + description: | + Fleet proxies APIs enable you to manage Fleet proxies, including creating, updating, and deleting proxy configurations for Fleet agent communication. 
+ x-displayName: Fleet proxies + - name: Fleet remote synced integrations + description: | + Use the Fleet remote synced integrations API to check the status of the automatic integrations synchronization on a remote cluster: + * Use the `/api/fleet/remote_synced_integrations/{outputId}/remote_status` endpoint on the management cluster to query the synchronization status of the integrations installed on the remote cluster by the ID of the configured remote Elasticsearch output. + * Use the `/api/fleet/remote_synced_integrations/status` endpoint on the remote cluster to query the synchronization status of the installed integrations. + externalDocs: + description: Automatic integrations synchronization documentation + url: https://www.elastic.co/docs/reference/fleet/automatic-integrations-synchronization + - name: Fleet Server hosts + description: | + Fleet Server hosts APIs enable you to manage Fleet Server hosts, including creating, updating, and deleting Fleet Server host configurations. + x-displayName: Fleet Server hosts + - name: Fleet service tokens + description: | + Enables you to create tokens for Fleet service authentication and authorization. + x-displayName: Fleet service tokens + - name: Fleet uninstall tokens + description: | + Fleet uninstall tokens APIs enable you to manage Fleet uninstall tokens, including retrieving metadata and decrypted tokens for agent uninstallation. + x-displayName: Fleet uninstall tokens + - description: | + Programmatically integrate with Logstash configuration management. + > warn + > Do not directly access the `.logstash` index. The structure of the `.logstash` index is subject to change, which could cause your integration to break. Instead, use the Logstash configuration management APIs. 
+ externalDocs: + description: Centralized pipeline management + url: https://www.elastic.co/docs/reference/logstash/logstash-centralized-pipeline-management + name: logstash + x-displayName: Logstash configuration management + - name: maintenance-window + description: | + You can schedule single or recurring maintenance windows to temporarily reduce rule notifications. For example, a maintenance window prevents false alarms during planned outages. + externalDocs: + description: Maintenance window documentation + url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts/maintenance-windows + x-displayName: Maintenance windows + - name: Message Signing Service + description: | + Enables you to rotate message signing key pairs for secure Fleet communication. + x-displayName: Fleet Message Signing Service + - description: | + Enables you to synchronize machine learning saved objects. + name: ml + x-displayName: Machine learning + - description: Interact with the Observability AI Assistant resources. + externalDocs: + description: Observability AI Assistant + url: https://www.elastic.co/docs/solutions/observability/observability-ai-assistant + name: observability_ai_assistant + x-displayName: Observability AI Assistant + - name: roles + x-displayName: Roles + description: Manage the roles that grant Elasticsearch and Kibana privileges. + externalDocs: + description: Kibana role management + url: https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles + - name: saved objects + x-displayName: Saved objects + description: | + Export sets of saved objects that you want to import into Kibana, resolve import errors, and rotate an encryption key for encrypted saved objects with the saved objects APIs. + + To manage a specific type of saved object, use the corresponding APIs. 
+ For example, use: + + * [Data views](../group/endpoint-data-views) + * [Spaces](../group/endpoint-spaces) + * [Short URLs](../group/endpoint-short-url) + + Warning: Do not write documents directly to the `.kibana` index. When you write directly to the `.kibana` index, the data becomes corrupted and permanently breaks future Kibana versions. + - description: Manage and interact with Security Assistant resources. + name: Security AI Assistant API + x-displayName: Security AI assistant + - description: Use the Attack discovery APIs to generate and manage Attack discoveries. Attack Discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. + name: Security Attack discovery API + x-displayName: Security Attack discovery + - description: | + Use the detections APIs to create and manage detection rules. Detection rules search events and external alerts sent to Elastic Security and generate detection alerts from any hits. Alerts are displayed on the **Alerts** page and can be assigned and triaged, using the alert status to mark them as open, closed, or acknowledged. + + This API supports both key-based authentication and basic authentication. + + To use key-based authentication, create an API key, then specify the key in the header of your API calls. + + To use basic authentication, provide a username and password; this automatically creates an API key that matches the current user’s privileges. + + In both cases, the API key is subsequently used for authorization when the rule runs. + > warn + > If the API key used for authorization has different privileges than the key that created or most recently updated a rule, the rule behavior might change. 
+ + > If the API key that created a rule is deleted, or the user that created the rule becomes inactive, the rule will stop running. + + To create and run rules, the user must meet specific requirements for the Kibana space. Refer to the [Detections requirements](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html) for a complete list of requirements. + name: Security Detections API + x-displayName: Security detections + - description: Endpoint Exceptions API allows you to manage detection rule endpoint exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met. + name: Security Endpoint Exceptions API + x-displayName: Security Elastic Endpoint exceptions + - description: Interact with and manage endpoints running the Elastic Defend integration. + name: Security Endpoint Management API + x-displayName: Security endpoint management + - description: | + Use the Security entity analytics APIs to manage entity analytics and risk scoring, including asset criticality, privileged user monitoring, and entity engines. + name: Security Entity Analytics API + x-displayName: Security entity analytics + - name: Security entity store + - description: | + Exceptions are associated with detection and endpoint rules, and are used to prevent a rule from generating an alert from incoming events, even when the rule's other criteria are met. They can help reduce the number of false positives and prevent trusted processes and network activity from generating unnecessary alerts. + + Exceptions are made up of: + + * **Exception containers**: A container for related exceptions. Generally, a single exception container contains all the exception items relevant for a subset of rules. For example, a container can be used to group together network-related exceptions that are relevant for a large number of network rules. The container can then be associated with all the relevant rules. 
+ * **Exception items**: The query (fields, values, and logic) used to prevent rules from generating alerts. When an exception item's query evaluates to `true`, the rule does not generate an alert. + + For detection rules, you can also use lists to define rule exceptions. A list holds multiple values of the same Elasticsearch data type, such as IP addresses. These values are used to determine when an exception prevents an alert from being generated. + > info + > You cannot use lists with endpoint rule exceptions. + + > info + > Only exception containers can be associated with rules. You cannot directly associate an exception item or a list container with a rule. To use list exceptions, create an exception item that references the relevant list container. + + ## Exceptions requirements + + Before you can start working with exceptions that use value lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. For a complete list of requirements, refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui). + name: Security Exceptions API + x-displayName: Security exceptions + - description: | + Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts. + + Lists are made up of: + + * **List containers**: A container for values of the same Elasticsearch data type. 
The following data types can be used: + * `boolean` + * `byte` + * `date` + * `date_nanos` + * `date_range` + * `double` + * `double_range` + * `float` + * `float_range` + * `half_float` + * `integer` + * `integer_range` + * `ip` + * `ip_range` + * `keyword` + * `long` + * `long_range` + * `short` + * `text` + * **List items**: The values used to determine whether the exception prevents an alert from being generated. + + All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named `internal-ip-addresses-southport` contains five items, where each item defines one internal IP address: + 1. `192.168.1.1` + 2. `192.168.1.3` + 3. `192.168.1.18` + 4. `192.168.1.12` + 5. `192.168.1.7` + + To use these IP addresses as values for defining rule exceptions, use the Security exceptions API to [create an exception list item](../operation/operation-createexceptionlistitem) that references the `internal-ip-addresses-southport` list. + > info + > Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (`is in list`, `is not in list`). Use an exception item to define the operator and associate it with an [exception container](../operation/operation-createexceptionlist). You can then add the exception container to a rule's `exceptions_list` object. + + ## Lists requirements + + Before you can start using lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. Refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui) for a complete list of requirements. 
+ name: Security Lists API + x-displayName: Security lists + - description: Run live queries, manage packs and saved queries. + name: Security Osquery API + x-displayName: Security Osquery + - description: You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file. + name: Security Timeline API + x-displayName: Security timeline + - description: Manage Kibana short URLs. + name: short url + x-displayName: Short URLs + - description: SLO APIs enable you to define, manage and track service-level objectives + name: slo + x-displayName: Service level objectives + - name: spaces + x-displayName: Spaces + description: Manage your Kibana spaces. + externalDocs: + url: https://www.elastic.co/docs/deploy-manage/manage-spaces + description: Space overview + - name: streams + description: | + Streams provide a unified data management layer for ingestion, routing, and processing. There are three stream types: + * **Wired** streams are managed by Kibana. They route documents to child streams based on + field conditions and support custom field mappings and processing steps. + + * **Classic** streams map to existing Elasticsearch data streams. You can add processing + steps to classic streams without changing their underlying index template. + + * **Query** streams are virtual aggregations backed by an ES|QL expression. They aggregate + data from multiple streams into a single logical view without duplicating documents. + x-displayName: Streams + externalDocs: + description: Streams documentation + url: https://www.elastic.co/docs/solutions/observability/streams + - name: synthetics + x-displayName: Synthetics + description: Synthetics APIs enable you to check the status of your services and applications. 
+ externalDocs: + description: Synthetic monitoring + url: https://www.elastic.co/docs/solutions/observability/synthetics + - name: system + x-displayName: System + description: | + Get information about the system status, resource usage, features, and installed plugins. + - description: Task manager APIs enable you to check the health of the Kibana task manager, which is used by features such as alerting, actions, and reporting to run mission critical work as persistent background tasks. + externalDocs: + description: Task manager + url: https://www.elastic.co/docs/deploy-manage/distributed-architecture/kibana-tasks-management + name: task manager + x-displayName: Task manager + - description: | + The Kibana Upgrade Assistant API helps you prepare for the next major Elasticsearch release. + > warn + > This is a Kibana REST API (not an Elasticsearch API) and requests must target your Kibana URL: + > * Self-managed URL pattern: `https://localhost:5601` + > * Elastic Cloud URL pattern: `https://your-deployment.kb.us-east-1.aws.elastic.cloud:9243` + name: upgrade + x-displayName: Upgrade assistant + - description: Uptime APIs enable you to view and update uptime monitoring settings. + externalDocs: + description: Uptime monitoring + url: https://www.elastic.co/docs/solutions/observability/uptime + name: uptime + x-displayName: Uptime + - name: user session + x-displayName: User session management + description: | + Enables you to invalidate user sessions for security and session management purposes. + - name: workflows + description: | + Workflows enable you to automate multi-step processes directly in Kibana. Define sequences of steps in YAML to transform data insights into automated actions and outcomes, without needing external automation tools. + + Use the workflows APIs to create, manage, and run workflows programmatically. You can also search, export, import, and monitor workflow executions. 
+ externalDocs: + description: Workflows documentation + url: https://www.elastic.co/docs/explore-analyze/workflows + x-displayName: Workflows paths: - /api/alerting/_health: - get: - description: > - You must have `read` privileges for the **Management > Stack Rules** - feature or for at least one of the **Analytics > Discover**, **Analytics - > Machine Learning**, **Observability**, or **Security** features. - operationId: getAlertingHealth - responses: - '200': - content: - application/json: - examples: - getAlertingHealthResponse: - $ref: '#/components/examples/Alerting_get_health_response' - schema: - type: object - properties: - alerting_framework_health: - description: > - Three substates identify the health of the alerting - framework: `decryption_health`, `execution_health`, and - `read_health`. - type: object - properties: - decryption_health: - description: The timestamp and status of the rule decryption. - type: object - properties: - status: - enum: - - error - - ok - - warn - example: ok - type: string - timestamp: - example: '2023-01-13T01:28:00.280Z' - format: date-time - type: string - execution_health: - description: The timestamp and status of the rule run. - type: object - properties: - status: - enum: - - error - - ok - - warn - example: ok - type: string - timestamp: - example: '2023-01-13T01:28:00.280Z' - format: date-time - type: string - read_health: - description: The timestamp and status of the rule reading events. - type: object - properties: - status: - enum: - - error - - ok - - warn - example: ok - type: string - timestamp: - example: '2023-01-13T01:28:00.280Z' - format: date-time - type: string - has_permanent_encryption_key: - description: >- - If `false`, the encrypted saved object plugin does not - have a permanent encryption key. - example: true - type: boolean - is_sufficiently_secure: - description: If `false`, security is enabled but TLS is not. - example: true - type: boolean - description: Indicates a successful call. 
- '401': - content: - application/json: - examples: - healthUnauthorizedResponse: - $ref: '#/components/examples/Alerting_401_health_response' - schema: - $ref: '#/components/schemas/Alerting_401_response' - description: Authorization information is missing or invalid. - summary: Get the alerting framework health - tags: - - alerting - /api/alerting/rule_types: + /api/actions/connector_types: get: - description: > - If you have `read` privileges for one or more Kibana features, the API - response contains information about the appropriate rule types. For - example, there are rule types associated with the **Management > Stack - Rules** feature, **Analytics > Discover** and **Machine Learning** - features, **Observability** features, and **Security** features. To get - rule types associated with the **Stack Monitoring** feature, use the - `monitoring_user` built-in role. - operationId: getRuleTypes + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/actions/connector_types
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You do not need any Kibana feature privileges to run this API. + operationId: get-actions-connector-types + parameters: + - description: A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases). + in: query + name: feature_id + required: false + schema: + type: string responses: '200': content: application/json: - examples: - getRuleTypesResponse: - $ref: '#/components/examples/Alerting_get_rule_types_response' schema: items: + additionalProperties: false type: object properties: - action_groups: - description: > - An explicit list of groups for which the rule type can - schedule actions, each with the action group's unique ID - and human readable name. Rule actions validation uses - this configuration to ensure that groups are valid. - items: - type: object - properties: - id: - type: string - name: - type: string - type: array - action_variables: - description: > - A list of action variables that the rule type makes - available via context and state in action parameter - templates, and a short human readable description. When - you create a rule in Kibana, it uses this information to - prompt you for these variables in action parameter - editors. - type: object - properties: - context: - items: - type: object - properties: - description: - type: string - name: - type: string - useWithTripleBracesInTemplates: - type: boolean - type: array - params: - items: - type: object - properties: - description: - type: string - name: - type: string - type: array - state: - items: - type: object - properties: - description: - type: string - name: - type: string - type: array - alerts: - description: > - Details for writing alerts as data documents for this - rule type. - type: object - properties: - context: - description: | - The namespace for this rule type. 
- enum: - - ml.anomaly-detection - - observability.apm - - observability.logs - - observability.metrics - - observability.slo - - observability.threshold - - observability.uptime - - security - - stack - type: string - dynamic: - description: Indicates whether new fields are added dynamically. - enum: - - 'false' - - runtime - - strict - - 'true' - type: string - isSpaceAware: - description: > - Indicates whether the alerts are space-aware. If - true, space-specific alert indices are used. - type: boolean - mappings: - type: object - properties: - fieldMap: - additionalProperties: - $ref: >- - #/components/schemas/Alerting_fieldmap_properties - description: > - Mapping information for each field supported in - alerts as data documents for this rule type. For - more information about mapping parameters, refer - to the Elasticsearch documentation. - type: object - secondaryAlias: - description: > - A secondary alias. It is typically used to support - the signals alias for detection rules. - type: string - shouldWrite: - description: > - Indicates whether the rule should write out alerts - as data. - type: boolean - useEcs: - description: > - Indicates whether to include the ECS component - template for the alerts. - type: boolean - useLegacyAlerts: - default: false - description: > - Indicates whether to include the legacy component - template for the alerts. - type: boolean - authorized_consumers: - description: >- - The list of the plugins IDs that have access to the rule - type. 
- type: object - properties: - alerts: - type: object - properties: - all: - type: boolean - read: - type: boolean - apm: - type: object - properties: - all: - type: boolean - read: - type: boolean - discover: - type: object - properties: - all: - type: boolean - read: - type: boolean - infrastructure: - type: object - properties: - all: - type: boolean - read: - type: boolean - logs: - type: object - properties: - all: - type: boolean - read: - type: boolean - ml: - type: object - properties: - all: - type: boolean - read: - type: boolean - monitoring: - type: object - properties: - all: - type: boolean - read: - type: boolean - siem: - type: object - properties: - all: - type: boolean - read: - type: boolean - slo: - type: object - properties: - all: - type: boolean - read: - type: boolean - stackAlerts: - type: object - properties: - all: - type: boolean - read: - type: boolean - uptime: - type: object - properties: - all: - type: boolean - read: - type: boolean - category: - description: >- - The rule category, which is used by features such as - category-specific maintenance windows. - enum: - - management - - observability - - securitySolution - type: string - default_action_group_id: - description: The default identifier for the rule type group. - type: string - does_set_recovery_context: - description: >- - Indicates whether the rule passes context variables to - its recovery action. + allow_multiple_system_actions: + description: Indicates whether multiple instances of the same system action connector can be used in a single rule. type: boolean - enabled_in_license: - description: >- - Indicates whether the rule type is enabled or disabled - based on the subscription. + enabled: + description: Indicates whether the connector is enabled. type: boolean - has_alerts_mappings: - description: >- - Indicates whether the rule type has custom mappings for - the alert data. 
+ enabled_in_config: + description: Indicates whether the connector is enabled in the Kibana configuration. type: boolean - has_fields_for_a_a_d: + enabled_in_license: + description: Indicates whether the connector is enabled through the license. type: boolean id: - description: The unique identifier for the rule type. + description: The identifier for the connector. type: string - is_exportable: - description: >- - Indicates whether the rule type is exportable in **Stack - Management > Saved Objects**. + is_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_system_action_type: + description: Indicates whether the action is a system action. type: boolean minimum_license_required: - description: The subscriptions required to use the rule type. - example: basic + description: The minimum license required to enable the connector. + enum: + - basic + - standard + - gold + - platinum + - enterprise + - trial type: string name: - description: The descriptive name of the rule type. + description: The name of the connector type. type: string - producer: - description: >- - An identifier for the application that produces this - rule type. - example: stackAlerts + source: + description: The source of the connector type definition. + enum: + - yml + - spec + - stack type: string - recovery_action_group: - description: >- - An action group to use when an alert goes from an active - state to an inactive one. - type: object - properties: - id: - type: string - name: - type: string - rule_task_timeout: - example: 5m + sub_feature: + description: Indicates the sub-feature type the connector is grouped under. 
+ enum: + - endpointSecurity type: string + supported_feature_ids: + description: The list of supported features + items: + type: string + type: array + required: + - id + - name + - enabled + - enabled_in_config + - enabled_in_license + - minimum_license_required + - supported_feature_ids + - is_system_action_type + - is_deprecated + - source type: array - description: Indicates a successful call. - '401': - content: - application/json: examples: - ruleTypesUnauthorizedResponse: - $ref: '#/components/examples/Alerting_401_rule_types_response' - schema: - $ref: '#/components/schemas/Alerting_401_response' - description: Authorization information is missing or invalid. - summary: Get the rule types + getConnectorTypesServerlessResponse: + $ref: '#/components/examples/get_connector_types_generativeai_response' + description: Indicates a successful call. + '403': + description: Indicates that this call is forbidden. + summary: Get connector types tags: - - alerting - /api/apm/agent_keys: - post: - description: > - Create a new agent key for APM. + - connectors + x-metaTags: + - content: Kibana + name: product_name + /api/actions/connector/_oauth_callback: + get: + description: |- + **Spaces method and path for this operation:** - The user creating an APM agent API key must have at least the - `manage_own_api_key` cluster privilege and the APM application-level - privileges that it wishes to grant. +
get /s/{space_id}/api/actions/connector/_oauth_callback
- After it is created, you can copy the API key (Base64 encoded) and use - it to to authorize requests from APM agents to the APM Server. - operationId: createAgentKey + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Handles the OAuth 2.0 authorization code callback from external providers. Exchanges the authorization code for access and refresh tokens.

[Required authorization] Route required privileges: actions:oauth. + operationId: get-actions-connector-oauth-callback parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - requestBody: - content: - application/json: - examples: - createAgentKeyRequest1: - $ref: '#/components/examples/APM_UI_agent_keys_object_post_request1' - schema: - $ref: '#/components/schemas/APM_UI_agent_keys_object' - required: true - responses: - '200': - content: - application/json: - examples: - createAgentKeyResponse1: - $ref: >- - #/components/examples/APM_UI_agent_keys_object_post_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_agent_keys_response' - description: Agent key created successfully - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response + - description: The authorization code returned by the OAuth provider. + in: query + name: code + required: false + schema: + type: string + - description: The state parameter for CSRF protection. + in: query + name: state + required: false + schema: + type: string + - description: Error code if the authorization failed. + in: query + name: error + required: false + schema: + type: string + - description: Human-readable error description. + in: query + name: error_description + required: false + schema: + type: string + - description: Session state from the OAuth provider (e.g., Microsoft). + in: query + name: session_state + required: false + schema: + type: string + responses: + '200': + description: Returns an HTML callback page. + '302': + description: Redirects to the return URL with authorization result query parameters. + '401': + description: User is not authenticated. 
+ summary: Handle OAuth callback + tags: + - connectors + x-state: Added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/actions/connector/_oauth_callback_script: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/actions/connector/_oauth_callback_script
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the OAuth callback script + operationId: get-actions-connector-oauth-callback-script + parameters: [] + responses: + '200': + description: Returns the OAuth callback script + summary: '' + tags: [] + x-state: Added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/actions/connector/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/actions/connector/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: When you delete a connector, it cannot be recovered. + operationId: delete-actions-connector-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. '403': + description: Indicates that this call is forbidden. + summary: Delete a connector + tags: + - connectors + x-metaTags: + - content: Kibana + name: product_name + get: + operationId: get-actions-connector-id + parameters: + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + responses: + '200': content: application/json: schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - summary: Create an APM agent key + additionalProperties: false + type: object + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. 
+ type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. + type: boolean + name: + description: ' The name of the connector.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + examples: + getConnectorResponse: + $ref: '#/components/examples/get_connector_response' + description: Indicates a successful call. + '403': + description: Indicates that this call is forbidden. + summary: Get connector information tags: - - APM agent keys - /api/apm/fleet/apm_server_schema: + - connectors + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/actions/connector/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. post: - deprecated: true - description: > - DEPRECATED: This endpoint is intended for internal use by Fleet - integrations to push the APM Server configuration schema. Do not use for - new integrations. It stores the provided schema object as a Kibana saved - object. If Fleet migration is not available on the current deployment, - the API returns a 404. - operationId: saveApmServerSchema + operationId: post-actions-connector-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + maxLength: 36 + minLength: 1 + type: string requestBody: content: application/json: schema: + additionalProperties: false type: object properties: - schema: - additionalProperties: true - description: Schema object - example: - foo: bar - type: object - required: true + connector_type_id: + description: The type of connector. + type: string + name: + description: The display name for the connector. + type: string + config: + additionalProperties: {} + default: {} + description: The connector configuration details. 
+ oneOf: + - $ref: '#/components/schemas/bedrock_config' + - $ref: '#/components/schemas/crowdstrike_config' + - $ref: '#/components/schemas/d3security_config' + - $ref: '#/components/schemas/email_config' + - $ref: '#/components/schemas/gemini_config' + - $ref: '#/components/schemas/resilient_config' + - $ref: '#/components/schemas/index_config' + - $ref: '#/components/schemas/jira_config' + - $ref: '#/components/schemas/genai_azure_config' + - $ref: '#/components/schemas/genai_openai_config' + - $ref: '#/components/schemas/genai_openai_other_config' + - $ref: '#/components/schemas/opsgenie_config' + - $ref: '#/components/schemas/pagerduty_config' + - $ref: '#/components/schemas/sentinelone_config' + - $ref: '#/components/schemas/servicenow_config' + - $ref: '#/components/schemas/servicenow_itom_config' + - $ref: '#/components/schemas/slack_api_config' + - $ref: '#/components/schemas/swimlane_config' + - $ref: '#/components/schemas/thehive_config' + - $ref: '#/components/schemas/tines_config' + - $ref: '#/components/schemas/torq_config' + - $ref: '#/components/schemas/webhook_config' + - $ref: '#/components/schemas/cases_webhook_config' + - $ref: '#/components/schemas/xmatters_config' + secrets: + additionalProperties: {} + default: {} + oneOf: + - $ref: '#/components/schemas/bedrock_secrets' + - $ref: '#/components/schemas/crowdstrike_secrets' + - $ref: '#/components/schemas/d3security_secrets' + - $ref: '#/components/schemas/email_secrets' + - $ref: '#/components/schemas/gemini_secrets' + - $ref: '#/components/schemas/resilient_secrets' + - $ref: '#/components/schemas/jira_secrets' + - $ref: '#/components/schemas/defender_secrets' + - $ref: '#/components/schemas/teams_secrets' + - $ref: '#/components/schemas/genai_secrets' + - $ref: '#/components/schemas/opsgenie_secrets' + - $ref: '#/components/schemas/pagerduty_secrets' + - $ref: '#/components/schemas/sentinelone_secrets' + - $ref: '#/components/schemas/servicenow_secrets' + - $ref: 
'#/components/schemas/slack_api_secrets' + - $ref: '#/components/schemas/swimlane_secrets' + - $ref: '#/components/schemas/thehive_secrets' + - $ref: '#/components/schemas/tines_secrets' + - $ref: '#/components/schemas/torq_secrets' + - $ref: '#/components/schemas/webhook_secrets' + - $ref: '#/components/schemas/cases_webhook_secrets' + - $ref: '#/components/schemas/xmatters_secrets' + required: + - name + - connector_type_id + examples: + createEmailConnectorRequest: + $ref: '#/components/examples/create_email_connector_request' + createIndexConnectorRequest: + $ref: '#/components/examples/create_index_connector_request' + createWebhookConnectorRequest: + $ref: '#/components/examples/create_webhook_connector_request' + createXmattersConnectorRequest: + $ref: '#/components/examples/create_xmatters_connector_request' responses: '200': content: application/json: - examples: - saveApmServerSchemaResponseExample1: - $ref: >- - #/components/examples/APM_UI_fleet_apm_server_schema_200_response1 schema: additionalProperties: false - description: The response body is intentionally empty for this endpoint. type: object - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. 
+ type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. + type: boolean + name: + description: ' The name of the connector.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + examples: + createEmailConnectorResponse: + $ref: '#/components/examples/create_email_connector_response' + createIndexConnectorResponse: + $ref: '#/components/examples/create_index_connector_response' + createWebhookConnectorResponse: + $ref: '#/components/examples/create_webhook_connector_response' + createXmattersConnectorResponse: + $ref: '#/components/examples/get_connector_response' + description: Indicates a successful call. '403': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Save APM server schema + description: Indicates that this call is forbidden. + summary: Create a connector tags: - - APM server schema - /api/apm/services/{serviceName}/annotation: - post: - description: Create a new annotation for a specific service. - operationId: createAnnotation + - connectors + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/actions/connector/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + put: + operationId: put-actions-connector-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - - description: The name of the service + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. in: path - name: serviceName + name: id required: true schema: type: string requestBody: content: application/json: - examples: - createAnnotationRequest1: - $ref: '#/components/examples/APM_UI_annotation_object_post_request1' schema: - $ref: '#/components/schemas/APM_UI_create_annotation_object' - required: true + additionalProperties: false + type: object + properties: + name: + description: The display name for the connector. + type: string + config: + additionalProperties: {} + default: {} + description: The connector configuration details. 
+ oneOf: + - $ref: '#/components/schemas/bedrock_config' + - $ref: '#/components/schemas/crowdstrike_config' + - $ref: '#/components/schemas/d3security_config' + - $ref: '#/components/schemas/email_config' + - $ref: '#/components/schemas/gemini_config' + - $ref: '#/components/schemas/resilient_config' + - $ref: '#/components/schemas/index_config' + - $ref: '#/components/schemas/jira_config' + - $ref: '#/components/schemas/defender_config' + - $ref: '#/components/schemas/genai_azure_config' + - $ref: '#/components/schemas/genai_openai_config' + - $ref: '#/components/schemas/opsgenie_config' + - $ref: '#/components/schemas/pagerduty_config' + - $ref: '#/components/schemas/sentinelone_config' + - $ref: '#/components/schemas/servicenow_config' + - $ref: '#/components/schemas/servicenow_itom_config' + - $ref: '#/components/schemas/slack_api_config' + - $ref: '#/components/schemas/swimlane_config' + - $ref: '#/components/schemas/thehive_config' + - $ref: '#/components/schemas/tines_config' + - $ref: '#/components/schemas/torq_config' + - $ref: '#/components/schemas/webhook_config' + - $ref: '#/components/schemas/cases_webhook_config' + - $ref: '#/components/schemas/xmatters_config' + secrets: + additionalProperties: {} + default: {} + oneOf: + - $ref: '#/components/schemas/bedrock_secrets' + - $ref: '#/components/schemas/crowdstrike_secrets' + - $ref: '#/components/schemas/d3security_secrets' + - $ref: '#/components/schemas/email_secrets' + - $ref: '#/components/schemas/gemini_secrets' + - $ref: '#/components/schemas/resilient_secrets' + - $ref: '#/components/schemas/jira_secrets' + - $ref: '#/components/schemas/teams_secrets' + - $ref: '#/components/schemas/genai_secrets' + - $ref: '#/components/schemas/opsgenie_secrets' + - $ref: '#/components/schemas/pagerduty_secrets' + - $ref: '#/components/schemas/sentinelone_secrets' + - $ref: '#/components/schemas/servicenow_secrets' + - $ref: '#/components/schemas/slack_api_secrets' + - $ref: 
'#/components/schemas/swimlane_secrets' + - $ref: '#/components/schemas/thehive_secrets' + - $ref: '#/components/schemas/tines_secrets' + - $ref: '#/components/schemas/torq_secrets' + - $ref: '#/components/schemas/webhook_secrets' + - $ref: '#/components/schemas/cases_webhook_secrets' + - $ref: '#/components/schemas/xmatters_secrets' + required: + - name + examples: + updateIndexConnectorRequest: + $ref: '#/components/examples/update_index_connector_request' responses: '200': - content: - application/json: - examples: - createAnnotationResponse1: - $ref: >- - #/components/examples/APM_UI_annotation_object_post_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_create_annotation_response' - description: Annotation created successfully - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': content: application/json: schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response + additionalProperties: false + type: object + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. 
' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. + type: boolean + name: + description: ' The name of the connector.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + description: Indicates a successful call. '403': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Create a service annotation + description: Indicates that this call is forbidden. + summary: Update a connector tags: - - APM annotations - x-codeSamples: - - lang: Curl - source: | - curl -X POST \ - http://localhost:5601/api/apm/services/opbeans-java/annotation \ - -H 'Content-Type: application/json' \ - -H 'kbn-xsrf: true' \ - -H 'Authorization: Basic YhUlubWZhM0FDbnlQeE6WRtaW49FQmSGZ4RUWXdX' \ - -d '{ - "@timestamp": "2020-05-08T10:31:30.452Z", - "service": { - "version": "1.2" - }, - "message": "Deployment 1.2" - }' - /api/apm/services/{serviceName}/annotation/search: - get: - description: Search for annotations related to a specific service. - operationId: getAnnotation + - connectors + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/actions/connector/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/actions/connector/{id}/_execute: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/actions/connector/{id}/_execute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems. + operationId: post-actions-connector-id-execute parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: The name of the service - in: path - name: serviceName + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: The environment to filter annotations by - in: query - name: environment - required: false - schema: - type: string - - description: The start date for the search - example: '2024-01-01T00:00:00.000Z' - in: query - name: start - required: false - schema: - format: date-time - type: string - - description: The end date for the search - example: '2024-01-31T23:59:59.999Z' - in: query - name: end - required: false + - description: An identifier for the connector. 
+ in: path + name: id + required: true schema: - format: date-time type: string + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + params: + additionalProperties: {} + oneOf: + - $ref: '#/components/schemas/run_acknowledge_resolve_pagerduty' + - $ref: '#/components/schemas/run_documents' + - $ref: '#/components/schemas/run_message_email' + - $ref: '#/components/schemas/run_message_serverlog' + - $ref: '#/components/schemas/run_message_slack' + - $ref: '#/components/schemas/run_trigger_pagerduty' + - $ref: '#/components/schemas/run_addevent' + - $ref: '#/components/schemas/run_closealert' + - $ref: '#/components/schemas/run_closeincident' + - $ref: '#/components/schemas/run_createalert' + - $ref: '#/components/schemas/run_fieldsbyissuetype' + - $ref: '#/components/schemas/run_getagentdetails' + - $ref: '#/components/schemas/run_getagents' + - $ref: '#/components/schemas/run_getchoices' + - $ref: '#/components/schemas/run_getfields' + - $ref: '#/components/schemas/run_getincident' + - $ref: '#/components/schemas/run_issue' + - $ref: '#/components/schemas/run_issues' + - $ref: '#/components/schemas/run_issuetypes' + - $ref: '#/components/schemas/run_postmessage' + - $ref: '#/components/schemas/run_pushtoservice' + - $ref: '#/components/schemas/run_validchannelid' + required: + - params + examples: + runIndexConnectorRequest: + $ref: '#/components/examples/run_index_connector_request' + runJiraConnectorRequest: + $ref: '#/components/examples/run_jira_connector_request' + runServerLogConnectorRequest: + $ref: '#/components/examples/run_servicenow_itom_connector_request' + runSlackConnectorRequest: + $ref: '#/components/examples/run_slack_api_connector_request' + runSwimlaneConnectorRequest: + $ref: '#/components/examples/run_swimlane_connector_request' responses: '200': content: application/json: schema: - $ref: '#/components/schemas/APM_UI_annotation_search_response' - description: Successful response - 
'400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '500': + additionalProperties: false + type: object + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. + type: boolean + name: + description: ' The name of the connector.' 
+ type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + examples: + runIndexConnectorResponse: + $ref: '#/components/examples/run_index_connector_response' + runJiraConnectorResponse: + $ref: '#/components/examples/run_jira_connector_response' + runServerLogConnectorResponse: + $ref: '#/components/examples/run_server_log_connector_response' + runServiceNowITOMConnectorResponse: + $ref: '#/components/examples/run_servicenow_itom_connector_response' + runSlackConnectorResponse: + $ref: '#/components/examples/run_slack_api_connector_response' + runSwimlaneConnectorResponse: + $ref: '#/components/examples/run_swimlane_connector_response' + description: Indicates a successful call. + '403': + description: Indicates that this call is forbidden. + summary: Run a connector + tags: + - connectors + x-metaTags: + - content: Kibana + name: product_name + /api/actions/connectors: + get: + operationId: get-actions-connectors + parameters: [] + responses: + '200': content: application/json: schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - summary: Search for annotations + items: + additionalProperties: false + type: object + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. 
+ type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. + type: boolean + name: + description: ' The name of the connector.' + type: string + referenced_by_count: + description: The number of saved objects that reference the connector. If is_preconfigured is true, this value is not calculated. + type: number + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + - referenced_by_count + type: array + examples: + getConnectorsResponse: + $ref: '#/components/examples/get_connectors_response' + description: Indicates a successful call. + '403': + description: Indicates that this call is forbidden. + summary: Get all connectors tags: - - APM annotations - /api/apm/settings/agent-configuration: - delete: - description: > - Delete an existing agent configuration. You must have `all` privileges - for the APM and User Experience feature in Kibana. When successful, the - configuration is removed and, if Fleet is enabled, APM package policies - are synchronized accordingly. - operationId: deleteAgentConfiguration + - connectors + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/actions/connectors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/agent_builder/a2a/{agentId}: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/a2a/{agentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + > warn + > This endpoint is designed for A2A protocol clients and should not be used directly via REST APIs. Use an A2A SDK or A2A Inspector instead.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-a2a-agentid parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: The unique identifier of the agent to send the A2A task to. + in: path + name: agentId + required: true + schema: + type: string requestBody: content: application/json: examples: - deleteAgentConfigurationRequest1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_delete_request1 - schema: - $ref: '#/components/schemas/APM_UI_delete_service_object' - required: true + a2aTaskRequestExample: + description: 'WARNING: DO NOT USE THIS ENDPOINT VIA REST API. These examples are auto-generated and should not be run. Integrate with A2A using an A2A SDK or A2A Inspector instead.' + value: + id: task-123 + jsonrpc: '2.0' + method: complete + params: + messages: + - content: Hello from A2A protocol + role: user + schema: {} responses: '200': content: application/json: examples: - deleteAgentConfigurationResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_delete_200_response1 - schema: - $ref: >- - #/components/schemas/APM_UI_delete_agent_configurations_response - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Delete agent configuration + a2aTaskResponseExample: + description: Example response from A2A Task Endpoint with 
results of task execution + value: + id: task-123 + jsonrpc: '2.0' + result: + conversation_id: conv-456 + response: + message: Hello! How can I help you today? + type: response + description: Indicates a successful response + summary: Send A2A task tags: - - APM agent configuration + - agent builder + x-state: Technical Preview; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/a2a/{agentId}.json: get: - description: > - Retrieve all agent configurations. You must have `read` privileges for - the APM and User Experience feature in Kibana. If agent configuration is - not available on the current deployment, the API returns a 404. - operationId: getAgentConfigurations + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/a2a/{agentId}.json
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get agent discovery metadata in JSON format. Use this endpoint to provide agent information for A2A protocol integration and discovery.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-a2a-agentid.json parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: The unique identifier of the agent to get A2A metadata for. + in: path + name: agentId + required: true + schema: + type: string responses: '200': content: application/json: examples: - getAgentConfigurationsResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_get_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_agent_configurations_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': + a2aAgentCardResponseExample: + description: Example response card of Elastic AI Agent + value: + capabilities: + pushNotifications: false + stateTransitionHistory: false + streaming: false + defaultInputModes: + - text/plain + defaultOutputModes: + - text/plain + description: Elastic AI Agent + name: Elastic AI Agent + protocolVersion: 0.3.0 + provider: + organization: Elastic + url: https://elastic.co + securitySchemes: + authorization: + description: Authentication token + in: header + name: Authorization + type: apiKey + skills: + - description: A powerful tool for searching and analyzing data within your Elasticsearch cluster. 
+ examples: [] + id: platform.core.search + inputModes: + - text/plain + - application/json + name: platform.core.search + outputModes: + - text/plain + - application/json + tags: + - tool + supportsAuthenticatedExtendedCard: false + url: http://localhost:5601/api/agent_builder/a2a/elastic-ai-agent + version: 0.1.0 + description: Indicates a successful response + summary: Get A2A agent card + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/a2a/{agentId}.json" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/a2a/{agentId}.json + x-state: Technical Preview; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/agents: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/agents
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all available agents. Use this endpoint to retrieve complete agent information including their current configuration and assigned tools. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-agents + parameters: [] + responses: + '200': content: application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get a list of agent configurations + examples: + listAgentsResponseExample: + description: Example response that returns one built-in Elastic agent and one created by the user + value: + results: + - configuration: + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Elastic AI Agent + id: elastic-ai-agent + name: Elastic AI Agent + type: chat + - avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Hi! I can help you search the data within the indices starting with "content-" prefix. + id: created-agent-id + labels: + - custom-indices + - department-search + name: Search Index Helper + type: chat + description: Indicates a successful response + summary: List agents tags: - - APM agent configuration - put: - description: > - Create or update an agent configuration. You must have `all` privileges - for the APM and User Experience feature in Kibana. When updating an - existing configuration, the `?overwrite=true` query parameter is - required. If the configuration already exists and `overwrite` is not set - to `true`, the API returns a 400 error. When successful and Fleet is - enabled, APM package policies are synchronized accordingly. 
- operationId: createUpdateAgentConfiguration + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/agents" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/agents + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/agents
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new agent. Use this endpoint to define the agent's behavior, appearance, and capabilities through comprehensive configuration options. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. + operationId: post-agent-builder-agents parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - - description: If the config exists ?overwrite=true is required - in: query - name: overwrite + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - type: boolean + example: 'true' + type: string requestBody: content: application/json: examples: - createUpdateAgentConfigurationRequestExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_put_request1 + createAgentRequestExample: + description: Example request for creating a custom agent with special prompt and tools + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Hi! I can help you search the data within the indices starting with "content-" prefix. + id: created-agent-id + labels: + - custom-indices + - department-search + name: Search Index Helper schema: - $ref: '#/components/schemas/APM_UI_agent_configuration_intake_object' - required: true + additionalProperties: false + type: object + properties: + avatar_color: + description: Optional hex color code for the agent avatar. + type: string + avatar_symbol: + description: Optional symbol/initials for the agent avatar. + type: string + configuration: + additionalProperties: false + description: Configuration settings for the agent. + type: object + properties: + enable_elastic_capabilities: + description: When true, enables built-in Elastic capabilities for the agent. 
+ type: boolean + instructions: + description: Optional system instructions that define the agent behavior. + type: string + plugin_ids: + description: Array of plugin IDs to assign to the agent. + items: + description: Plugin ID to assign to the agent. + type: string + maxItems: 100 + type: array + skill_ids: + description: Array of skill IDs to be available to the agent. + items: + description: Skill ID to be available to the agent. + type: string + maxItems: 100 + type: array + tools: + items: + additionalProperties: false + description: Tool selection configuration for the agent. + type: object + properties: + tool_ids: + description: Array of tool IDs that the agent can use. + items: + description: Tool ID to be available to the agent. + type: string + type: array + required: + - tool_ids + type: array + workflow_ids: + items: + description: Optional list of workflow IDs. When set, these workflows run before every agent execution, in order. + type: string + maxItems: 100 + type: array + required: + - tools + description: + description: Description of what the agent does. + type: string + id: + description: Unique identifier for the agent. + type: string + labels: + description: Optional labels for categorizing and organizing agents. + items: + description: Label for categorizing the agent. + type: string + type: array + name: + description: Display name for the agent. + type: string + visibility: + description: '**Technical Preview; added in 9.4.0.** Optional visibility setting: `public` (any privileged user can read/write), `shared` (any privileged user can read, only owner can write), `private` (only owner can read/write).' 
+ enum: + - public + - shared + - private + type: string + required: + - id + - name + - description + - configuration responses: '200': content: application/json: examples: - createUpdateAgentConfigurationResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_put_200_response1 - schema: - additionalProperties: false - description: The response body is intentionally empty for this endpoint. - type: object - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Create or update agent configuration + createAgentResponseExample: + description: Example response returning the definition of an agent created as a result of the request + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Hi! I can help you search the data within the indices starting with "content-" prefix. + id: created-agent-id + labels: + - custom-indices + - department-search + name: Search Index Helper + type: chat + description: Indicates a successful response + summary: Create an agent tags: - - APM agent configuration - /api/apm/settings/agent-configuration/agent_name: - get: - description: Retrieve `agentName` for a service. 
- operationId: getAgentNameForService + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/agent_builder/agents" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "id": "new-agent-id", + "name": "Search Index Helper", + "description": "Hi! I can help you search the data within the indices starting with \"content-\" prefix.", + "labels": ["custom-indices", "department-search"], + "avatar_color": "#BFDBFF", + "avatar_symbol": "SI", + "configuration": { + "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", + "tools": [ + { + "tool_ids": [ + "platform.core.search", + "platform.core.list_indices", + "platform.core.get_index_mapping", + "platform.core.get_document_by_id" + ] + } + ] + } + }' + - lang: Console + source: | + POST kbn://api/agent_builder/agents + { + "id": "new-agent-id", + "name": "Search Index Helper", + "description": "Hi! I can help you search the data within the indices starting with \"content-\" prefix.", + "labels": ["custom-indices", "department-search"], + "avatar_color": "#BFDBFF", + "avatar_symbol": "SI", + "configuration": { + "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", + "tools": [ + { + "tool_ids": [ + "platform.core.search", + "platform.core.list_indices", + "platform.core.get_index_mapping", + "platform.core.get_document_by_id" + ] + } + ] + } + } + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/agents/{agent_id}/consumption: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/agents/{agent_id}/consumption
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns paginated, per-conversation token consumption data for a given agent. Includes input/output token counts, round counts, LLM call counts, and warnings for conversations with high token usage. Requires the manageAgents privilege.

[Required authorization] Route required privileges: agentBuilder:manageAgents. + operationId: post-agent-builder-agents-agent-id-consumption parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: The name of the service - example: node - in: query - name: serviceName + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the agent. + in: path + name: agent_id required: true schema: type: string + requestBody: + content: + application/json: + examples: + consumptionDefaultExample: + description: Get consumption data for an agent with default pagination + value: + size: 25 + sort_field: updated_at + sort_order: desc + consumptionFilteredExample: + description: Get consumption data filtered by username with warnings + value: + has_warnings: true + size: 10 + sort_field: total_tokens + sort_order: desc + usernames: + - elastic + - admin + schema: + additionalProperties: false + type: object + properties: + has_warnings: + description: Filter to conversations with or without high-token warnings. + type: boolean + search: + description: Free-text search filter on conversation title. + type: string + search_after: + description: Cursor for pagination. Pass the search_after value from the previous response. + items: + nullable: true + maxItems: 10000 + type: array + size: + default: 25 + description: Number of results per page. + maximum: 100 + minimum: 1 + type: number + sort_field: + default: updated_at + description: Field to sort results by. + enum: + - updated_at + - total_tokens + - round_count + type: string + sort_order: + default: desc + description: Sort direction. + enum: + - asc + - desc + type: string + usernames: + description: Filter results to conversations by these usernames. 
+ items: + type: string + maxItems: 10000 + type: array responses: '200': content: application/json: - schema: - $ref: '#/components/schemas/APM_UI_service_agent_name_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': + examples: + consumptionResponseExample: + description: Example response with per-conversation token usage data + value: + aggregations: + total_with_warnings: 0 + usernames: + - elastic + - admin + results: + - conversation_id: conv-abc123 + created_at: '2025-03-01T10:00:00Z' + llm_calls: 8 + round_count: 5 + title: Help me search my data + token_usage: + input_tokens: 15000 + output_tokens: 3000 + total_tokens: 18000 + updated_at: '2025-03-01T10:15:00Z' + user: + id: uid-1 + username: elastic + warnings: [] + - conversation_id: conv-def456 + created_at: '2025-03-02T14:00:00Z' + llm_calls: 20 + round_count: 12 + title: Analyze server logs + token_usage: + input_tokens: 250000 + output_tokens: 8000 + total_tokens: 258000 + updated_at: '2025-03-02T14:30:00Z' + user: + id: uid-2 + username: admin + warnings: + - input_tokens: 250000 + round_id: round-7 + type: high_input_tokens + search_after: + - 1709391000000 + - '2025-03-02T14:30:00Z' + total: 2 + description: Indicates a successful response + summary: Get agent consumption data + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/agent_builder/agents/elastic-ai-agent/consumption" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -H "elastic-api-version: 2023-10-31" \ + -d '{"size": 25, "sort_field": "updated_at", "sort_order": "desc"}' + - lang: Console + source: | + POST kbn://api/agent_builder/agents/elastic-ai-agent/consumption + 
{"size": 25, "sort_field": "updated_at", "sort_order": "desc"} + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/agents/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/agents/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agent by ID. This action cannot be undone. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. + operationId: delete-agent-builder-agents-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the agent to delete. + in: path + name: id + required: true + schema: + type: string + responses: + '200': content: application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get agent name for service + examples: + deleteAgentResponseExample: + description: Example response showing that deletion of the agent has been successful + value: + success: true + description: Indicates a successful response + summary: Delete an agent tags: - - APM agent configuration - /api/apm/settings/agent-configuration/environments: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/agent_builder/agents/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/agent_builder/agents/{id} + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name get: - description: > - Retrieve the available environments for a given service, to be used in - agent configuration. You must have `read` privileges for the APM and - User Experience feature in Kibana. If `serviceName` is omitted, - environments across all services are returned. - operationId: getEnvironmentsForService + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/agents/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a specific agent by ID. Use this endpoint to retrieve the complete agent definition including all configuration details and tool assignments. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-agents-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: >- - The name of the service. If omitted, environments across all - services are returned. - example: opbeans-node - in: query - name: serviceName + - description: The unique identifier of the agent to retrieve. + in: path + name: id + required: true schema: type: string responses: 
@@ -976,109 +1876,263 @@ paths: content: application/json: examples: - getEnvironmentsForServiceResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_environments_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_service_environments_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get environments for service + getAgentByIdResponseExample: + description: Example response that an agent created by the user that will query elasticsearch indices starting with 'content-' prefix to answer the questions. + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Hi! I can help you search the data within the indices starting with "content-" prefix. + id: created-agent-id + labels: + - custom-indices + - department-search + name: Search Index Helper + type: chat + description: Indicates a successful response + summary: Get an agent by ID tags: - - APM agent configuration - /api/apm/settings/agent-configuration/search: - post: - deprecated: true - description: > - DEPRECATED: This endpoint is intended for internal use by APM agents to - fetch their configuration and mark it as applied. Do not use for new - integrations. 
It searches for a single agent configuration matching the - given service, and optionally updates the `applied_by_agent` field when - the provided `etag` matches the current configuration. - operationId: searchSingleConfiguration + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/agents/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/agents/{id} + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/agents/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing agent configuration. Use this endpoint to modify any aspect of the agent's behavior, appearance, or capabilities. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. + operationId: put-agent-builder-agents-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the agent to update. + in: path + name: id + required: true + schema: + type: string requestBody: content: application/json: examples: - searchSingleConfigurationRequest1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_search_request1 + createAgentRequestExample: + description: Example request for updating custom agent + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Updated description - Search for anything in "content-*" indices! + id: created-agent-id + labels: + - custom-indices + - department-search + - elastic-employees + name: Search Index Helper schema: - $ref: '#/components/schemas/APM_UI_search_agent_configuration_object' - required: true + additionalProperties: false + type: object + properties: + avatar_color: + description: Updated hex color code for the agent avatar. + type: string + avatar_symbol: + description: Updated symbol/initials for the agent avatar. + type: string + configuration: + additionalProperties: false + description: Updated configuration settings for the agent. + type: object + properties: + enable_elastic_capabilities: + description: When true, enables built-in Elastic capabilities for the agent. 
+ type: boolean + instructions: + description: Updated system instructions that define the agent behavior. + type: string + plugin_ids: + description: Array of plugin IDs to assign to the agent. + items: + description: Plugin ID to assign to the agent. + type: string + maxItems: 100 + type: array + skill_ids: + description: Array of skill IDs to be available to the agent. + items: + description: Skill ID to be available to the agent. + type: string + maxItems: 100 + type: array + tools: + items: + additionalProperties: false + description: Tool selection configuration for the agent. + type: object + properties: + tool_ids: + description: Array of tool IDs that the agent can use. + items: + description: Tool ID to be available to the agent. + type: string + type: array + required: + - tool_ids + type: array + workflow_ids: + items: + description: Updated list of workflow IDs. When set, these workflows run every agent execution, in order. + type: string + maxItems: 100 + type: array + description: + description: Updated description of what the agent does. + type: string + labels: + description: Updated labels for categorizing and organizing agents. + items: + description: Updated label for categorizing the agent. + type: string + type: array + name: + description: Updated display name for the agent. + type: string + visibility: + description: '**Technical Preview; added in 9.4.0.** Updated visibility setting: `public` (any privileged user can read/write), `shared` (any privileged user can read, only owner can write), `private` (only owner can read/write).' 
+ enum: + - public + - shared + - private + type: string responses: '200': content: application/json: examples: - searchSingleConfigurationResponse1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_search_200_response1 - schema: - $ref: >- - #/components/schemas/APM_UI_search_agent_configuration_response - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Lookup single agent configuration + updateAgentResponseExample: + description: Example response returning the agent definition with the changes applied from the request + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Updated description - Search for anything in "content-*" indices! 
+ id: created-agent-id + labels: + - custom-indices + - department-search + - elastic-employees + name: Search Index Helper + type: chat + description: Indicates a successful response + summary: Update an agent tags: - - APM agent configuration - /api/apm/settings/agent-configuration/view: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "${KIBANA_URL}/api/agent_builder/agents/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "name": "Search Index Helper", + "description": "Updated description - Search for anything in \"content-*\" indices!", + "labels": ["custom-indices", "department-search", "elastic-employees"], + "avatar_color": "#BFDBFF", + "avatar_symbol": "SI", + "configuration": { + "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", + "tools": [{ + "tool_ids": [ + "platform.core.search", + "platform.core.list_indices", + "platform.core.get_index_mapping", + "platform.core.get_document_by_id" + ] + }] + } + }' + - lang: Console + source: | + PUT kbn://api/agent_builder/agents/{id} + { + "name": "Search Index Helper", + "description": "Updated description - Search for anything in \"content-*\" indices!", + "labels": ["custom-indices", "department-search", "elastic-employees"], + "avatar_color": "#BFDBFF", + "avatar_symbol": "SI", + "configuration": { + "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", + "tools": [{ + "tool_ids": [ + "platform.core.search", + "platform.core.list_indices", + "platform.core.get_index_mapping", + "platform.core.get_document_by_id" + ] + }] + } + } + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/conversations: get: - description: > - Retrieve a single agent configuration matching the given service name - and environment. 
You must have `read` privileges for the APM and User - Experience feature in Kibana. If no matching configuration is found, the - API returns a 404. - operationId: getSingleAgentConfiguration + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/conversations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all conversations for a user. Use the optional agent ID to filter conversations by a specific agent.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-conversations parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: Service name - example: node - in: query - name: name - schema: - type: string - - description: Service environment - example: prod + - description: Optional agent ID to filter conversations by a specific agent. in: query - name: environment + name: agent_id + required: false schema: type: string responses: 
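Review bot: The PUT `/api/agent_builder/agents/{id}` request example is keyed `createAgentRequestExample` although its own description reads `Example request for updating custom agent` and the paired response is `updateAgentResponseExample`; the key should be `updateAgentRequestExample:` so the example pair is consistent and the create and update examples stop shadowing each other in generated docs. In the same schema the `workflow_ids` item description says `these workflows run every agent execution, in order.` whereas the create schema earlier says they run before every execution; presumably the same semantics apply, so `When set, these workflows run before every agent execution, in order.` keeps the two in step. The `getAgentByIdResponseExample` description is also ungrammatical and could read `Example response for an agent created by the user that queries Elasticsearch indices with the 'content-' prefix to answer questions.` This file looks like bundler output, so these edits belong in the source schema it is generated from rather than in the bundle itself.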
@@ -1086,1460 +2140,11090 @@ paths: content: application/json: examples: - getSingleAgentConfigurationResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_view_200_response1 - schema: - $ref: >- - #/components/schemas/APM_UI_single_agent_configuration_response - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get single agent configuration + listConversationsResponseExample: + description: Example response containing the list of conversations with all agents + value: + results: + - agent_id: elastic-ai-agent + created_at: '2025-09-19T17:45:39.554Z' + id: bcc176c5-38f6-40be-be0c-898e34fa1480 + title: General Greeting + updated_at: '2025-09-19T17:45:39.554Z' + user: + username: elastic + description: Indicates a successful response + summary: List conversations tags: - - APM agent configuration - /api/apm/sourcemaps: - get: - description: > - Get an array of Fleet artifacts, including source map uploads. You must - have `read` or `all` Kibana privileges for the APM and User Experience - feature. - operationId: getSourceMaps + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/conversations" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/conversations + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/conversations/{conversation_id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/conversations/{conversation_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a conversation by ID. This action cannot be undone.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: delete-agent-builder-conversations-conversation-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: Page number - in: query - name: page + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - type: number - - description: Number of records per page - in: query - name: perPage + example: 'true' + type: string + - description: The unique identifier of the conversation to delete. + in: path + name: conversation_id + required: true schema: - type: number + type: string responses: '200': content: application/json: examples: - getSourceMapsResponse1: - $ref: '#/components/examples/APM_UI_source_maps_get_200_response1' - schema: - $ref: '#/components/schemas/APM_UI_source_maps_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - '501': + deleteConversationResponseExample: + description: Example response showing that deletion of conversation has been successful + value: + success: true + description: Indicates a successful response + summary: Delete conversation by ID + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/agent_builder/conversations/{conversation_id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/agent_builder/conversations/{conversation_id} + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + get: + 
description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a specific conversation by ID. Use this endpoint to retrieve the complete conversation history including all messages and metadata.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-conversations-conversation-id + parameters: + - description: The unique identifier of the conversation to retrieve. + in: path + name: conversation_id + required: true + schema: + type: string + responses: + '200': content: application/json: - schema: - $ref: '#/components/schemas/APM_UI_501_response' - description: Not Implemented response - summary: Get source maps + examples: + getConversationByIdResponseExample: + description: Example response containing the contents of a convesation with the chat agent + value: + agent_id: elastic-ai-agent + created_at: '2025-09-19T17:45:39.554Z' + id: bcc176c5-38f6-40be-be0c-898e34fa1480 + rounds: + - id: 170ec3b2-0f5a-4538-8b60-549572386d2a + input: + message: Hello, how are you? + response: + message: |- + Since this is a general greeting that doesn't require any organizational or product-specific information, I can respond without using tools. + + Hello! I'm doing well, thank you for asking. I'm here to help you with any questions you may have. How can I assist you today? + steps: [] + title: General Greeting + updated_at: '2025-09-19T17:45:39.554Z' + user: + username: elastic + description: Indicates a successful response + summary: Get conversation by ID tags: - - APM sourcemaps + - agent builder x-codeSamples: - - lang: Curl + - lang: curl source: | - curl -X GET "http://localhost:5601/api/apm/sourcemaps" \ - -H 'Content-Type: application/json' \ - -H 'kbn-xsrf: true' \ - -H 'Authorization: ApiKey ${YOUR_API_KEY}' - post: - description: > - Upload a source map for a specific service and version. You must have - `all` Kibana privileges for the APM and User Experience feature. - - The maximum payload size is `1mb`. If you attempt to upload a source map - that exceeds the maximum payload size, you will get a 413 error. 
Before - uploading source maps that exceed this default, change the maximum - payload size allowed by Kibana with the `server.maxPayload` variable. - operationId: uploadSourceMap + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/conversations/{conversation_id}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/conversations/{conversation_id} + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all attachments for a conversation. Use the optional include_deleted query parameter to include soft-deleted attachments.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-conversations-conversation-id-attachments parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - requestBody: - content: - multipart/form-data: - schema: - $ref: '#/components/schemas/APM_UI_upload_source_map_object' - required: true + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string + - description: Whether to include deleted attachments in the list. + in: query + name: include_deleted + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - uploadSourceMapResponse1: - $ref: >- - #/components/examples/APM_UI_source_maps_upload_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_upload_source_maps_response' - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - '501': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_501_response' - description: Not Implemented response - summary: Upload a source map + listAttachmentsResponseExample: + description: Example response containing active attachments for a conversation + value: + results: + - active: true + current_version: 2 + description: My text file + id: attachment-1 + type: text + versions: + - content_hash: abc123 + created_at: 
'2025-01-01T10:00:00.000Z' + data: Initial content + estimated_tokens: 3 + version: 1 + - content_hash: def456 + created_at: '2025-01-01T11:00:00.000Z' + data: Updated content + estimated_tokens: 3 + version: 2 + - active: true + current_version: 1 + description: Configuration data + id: attachment-2 + type: json + versions: + - content_hash: ghi789 + created_at: '2025-01-01T12:00:00.000Z' + data: + key: value + nested: + field: 123 + estimated_tokens: 15 + version: 1 + total_token_estimate: 21 + description: Indicates a successful response + summary: List conversation attachments tags: - - APM sourcemaps - x-codeSamples: - - lang: Curl - source: > - curl -X POST "http://localhost:5601/api/apm/sourcemaps" \ - - -H 'Content-Type: multipart/form-data' \ - - -H 'kbn-xsrf: true' \ - - -H 'Authorization: ApiKey ${YOUR_API_KEY}' \ - - -F 'service_name="foo"' \ + - agent builder + x-state: Technical Preview; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** - -F 'service_version="1.0.0"' \ +
post /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments
- -F 'bundle_filepath="/test/e2e/general-usecase/bundle.js"' \ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - -F - 'sourcemap="{\"version\":3,\"file\":\"static/js/main.chunk.js\",\"sources\":[\"fleet-source-map-client/src/index.css\",\"fleet-source-map-client/src/App.js\",\"webpack:///./src/index.css?bb0a\",\"fleet-source-map-client/src/index.js\",\"fleet-source-map-client/src/reportWebVitals.js\"],\"sourcesContent\":[\"content\"],\"mappings\":\"mapping\",\"sourceRoot\":\"\"}"' - /api/apm/sourcemaps/{id}: - delete: - description: > - Delete a previously uploaded source map. You must have `all` Kibana - privileges for the APM and User Experience feature. - operationId: deleteSourceMap + Create a new attachment for a conversation with version tracking.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-conversations-conversation-id-attachments parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - - description: Source map identifier + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the conversation. in: path - name: id + name: conversation_id required: true schema: type: string + requestBody: + content: + application/json: + examples: + createHiddenAttachmentExample: + description: Example request for creating a hidden attachment + value: + data: Internal system data + description: System context + hidden: true + type: text + createJsonAttachmentExample: + description: Example request for creating a JSON attachment with custom ID + value: + data: + configuration: + enabled: true + threshold: 50 + metadata: + source: user_input + description: Application settings + id: custom-attachment-id + type: json + createTextAttachmentExample: + description: Example request for creating a text attachment + value: + data: This is the content of my text attachment + description: Meeting notes + type: text + schema: + additionalProperties: false + type: object + properties: + data: + description: The attachment data/content. Required unless origin is provided. + nullable: true + description: + description: Human-readable description of the attachment. + type: string + hidden: + description: Whether the attachment should be hidden from the user. + type: boolean + id: + description: Optional custom ID for the attachment. + type: string + origin: + description: Origin string (for example, saved object ID) for by-reference attachments. When provided without data, the content is resolved once at creation time. 
+ type: string + type: + description: The type of the attachment (e.g., text, esql, visualization). + type: string + required: + - type + - data responses: '200': content: application/json: examples: - deleteSourceMapResponseExample1: - $ref: >- - #/components/examples/APM_UI_source_maps_delete_200_response1 - schema: - additionalProperties: false - description: The response body is intentionally empty for this endpoint. - type: object - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '500': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - '501': - content: - application/json: - schema: - $ref: '#/components/schemas/APM_UI_501_response' - description: Not Implemented response - summary: Delete source map + createAttachmentResponseExample: + description: Example response returning the created attachment + value: + attachment: + active: true + current_version: 1 + description: Meeting notes + id: att-abc123 + type: text + versions: + - content_hash: sha256-xyz + created_at: '2025-01-06T10:00:00.000Z' + data: This is the content of my text attachment + estimated_tokens: 12 + version: 1 + description: Indicates a successful response + summary: Create conversation attachment tags: - - APM sourcemaps - x-codeSamples: - - lang: Curl - source: > - curl -X DELETE - "http://localhost:5601/api/apm/sourcemaps/apm:foo-1.0.0-644fd5a9" \ + - agent builder + x-state: Technical Preview; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + 
/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}: + delete: + description: |- + **Spaces method and path for this operation:** - -H 'Content-Type: application/json' \ +
delete /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
- -H 'kbn-xsrf: true' \ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - -H 'Authorization: ApiKey ${YOUR_API_KEY}' - /api/asset_criticality: - delete: - description: Delete the asset criticality record for a specific entity. - operationId: DeleteAssetCriticalityRecord + Delete an attachment. By default performs a soft delete (can be restored). Use permanent=true to permanently remove unreferenced attachments.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: delete-agent-builder-conversations-conversation-id-attachments-attachment-id parameters: - - description: The ID value of the asset. - example: my_host - in: query - name: id_value + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: The field representing the ID. - example: host.name - in: query - name: id_field + - description: The unique identifier of the conversation. + in: path + name: conversation_id required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' - - description: If 'wait_for' the request will wait for the index refresh. + type: string + - description: The unique identifier of the attachment to delete. + in: path + name: attachment_id + required: true + schema: + type: string + - description: If true, permanently removes the attachment (only for unreferenced attachments). in: query - name: refresh + name: permanent required: false schema: - enum: - - wait_for - type: string + type: boolean responses: '200': content: application/json: - schema: - type: object - properties: - deleted: - description: >- - True if the record was deleted or false if the record did - not exist. - type: boolean - record: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - description: The deleted record if it existed. 
- required: - - deleted - description: Successful response - '400': - description: Invalid request - summary: Delete an asset criticality record + examples: + permanentDeleteAttachmentResponseExample: + description: Example response for permanent delete (cannot be restored) + value: + permanent: true + success: true + softDeleteAttachmentResponseExample: + description: Example response for soft delete (can be restored) + value: + permanent: false + success: true + description: Indicates a successful response + summary: Delete conversation attachment tags: - - Security Entity Analytics API - get: - description: Get the asset criticality record for a specific entity. - operationId: GetAssetCriticalityRecord + - agent builder + x-state: Technical Preview; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rename an attachment without creating a new version.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: patch-agent-builder-conversations-conversation-id-attachments-attachment-id parameters: - - description: The ID value of the asset. - example: my_host - in: query - name: id_value + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: The field representing the ID. - example: host.name - in: query - name: id_field + - description: The unique identifier of the conversation. + in: path + name: conversation_id required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' + type: string + - description: The unique identifier of the attachment to rename. + in: path + name: attachment_id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + renameAttachmentExample: + description: Example request for renaming an attachment + value: + description: Updated attachment name + schema: + additionalProperties: false + type: object + properties: + description: + description: The new description/name for the attachment. 
+ type: string + required: + - description responses: '200': content: application/json: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - description: Successful response - '400': - description: Invalid request - '404': - description: Criticality record not found - summary: Get an asset criticality record + examples: + renameAttachmentResponseExample: + description: Example response returning the renamed attachment (version unchanged) + value: + attachment: + active: true + current_version: 1 + description: Updated attachment name + id: att-abc123 + type: text + versions: + - content_hash: sha256-xyz + created_at: '2025-01-06T10:00:00.000Z' + data: Content remains the same + estimated_tokens: 10 + version: 1 + success: true + description: Indicates a successful response + summary: Rename attachment tags: - - Security Entity Analytics API - post: - description: > - Create or update an asset criticality record for a specific entity. + - agent builder + x-state: Technical Preview; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** +
put /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
- If a record already exists for the specified entity, that record is - overwritten with the specified value. If a record doesn't exist for the - specified entity, a new record is created. - operationId: CreateAssetCriticalityRecord + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an attachment content. Creates a new version if content changed.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: put-agent-builder-conversations-conversation-id-attachments-attachment-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string + - description: The unique identifier of the attachment to update. + in: path + name: attachment_id + required: true + schema: + type: string requestBody: content: application/json: + examples: + updateAttachmentContentExample: + description: Example request for updating attachment content + value: + data: This is the updated content + updateAttachmentWithDescriptionExample: + description: Example request for updating both content and description + value: + data: New content version + description: Updated meeting notes - v2 schema: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord - - type: object - properties: - refresh: - description: >- - If 'wait_for' the request will wait for the index - refresh. - enum: - - wait_for - type: string - example: - criticality_level: high_impact - id_field: host.name - id_value: my_host - required: true + additionalProperties: false + type: object + properties: + data: + description: The new attachment data/content. + nullable: true + description: + description: Optional new description for the attachment. 
+ type: string + required: + - data responses: '200': content: application/json: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - description: Successful response - '400': - description: Invalid request - summary: Upsert an asset criticality record + examples: + updateAttachmentResponseExample: + description: Example response returning the updated attachment with new version + value: + attachment: + active: true + current_version: 2 + description: Meeting notes + id: att-abc123 + type: text + versions: + - content_hash: sha256-abc + created_at: '2025-01-06T10:00:00.000Z' + data: Original content + estimated_tokens: 10 + version: 1 + - content_hash: sha256-def + created_at: '2025-01-06T11:00:00.000Z' + data: This is the updated content + estimated_tokens: 12 + version: 2 + new_version: 2 + description: Indicates a successful response + summary: Update conversation attachment tags: - - Security Entity Analytics API - /api/asset_criticality/bulk: + - agent builder + x-state: Technical Preview; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/_restore: post: - description: > - Bulk upsert up to 1000 asset criticality records. + description: |- + **Spaces method and path for this operation:** +
post /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/_restore
- If asset criticality records already exist for the specified entities, - those records are overwritten with the specified values. If asset - criticality records don't exist for the specified entities, new records - are created. - operationId: BulkUpsertAssetCriticalityRecords + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Restore a soft-deleted attachment.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-conversations-conversation-id-attachments-attachment-id-restore + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string + - description: The unique identifier of the attachment to restore. + in: path + name: attachment_id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + restoreAttachmentResponseExample: + description: Example response returning the restored attachment + value: + attachment: + active: true + current_version: 1 + description: Restored attachment + id: att-abc123 + type: text + versions: + - content_hash: sha256-xyz + created_at: '2025-01-06T10:00:00.000Z' + data: Restored content + estimated_tokens: 10 + version: 1 + success: true + description: Indicates a successful response + summary: Restore deleted attachment + tags: + - agent builder + x-state: Technical Preview; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/origin: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/origin
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update the origin reference for an attachment. Use this after saving a by-value attachment to link it to its persistent store.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: put-agent-builder-conversations-conversation-id-attachments-attachment-id-origin + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string + - description: The unique identifier of the attachment to update. + in: path + name: attachment_id + required: true + schema: + type: string requestBody: content: application/json: + examples: + updateOriginExample: + description: Example request for linking an attachment to a saved visualization + value: + origin: abc123 schema: - example: - records: - - criticality_level: low_impact - id_field: host.name - id_value: host-1 - - criticality_level: medium_impact - id_field: host.name - id_value: host-2 + additionalProperties: false type: object properties: - records: - items: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts - - type: object - properties: - criticality_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload - required: - - criticality_level - maxItems: 1000 - minItems: 1 - type: array + origin: + description: The origin string (e.g., saved object ID for visualizations and dashboards). 
+ type: string required: - - records + - origin responses: '200': content: application/json: - schema: - example: - errors: - - index: 0 - message: Invalid ID field - stats: - failed: 1 - successful: 1 - total: 2 - type: object - properties: - errors: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem - type: array - stats: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats - required: - - errors - - stats - description: Bulk upload successful - '413': - description: File too large - summary: Bulk upsert asset criticality records + examples: + updateOriginResponseExample: + description: Example response returning the attachment with updated origin + value: + attachment: + active: true + current_version: 1 + description: Sales chart + id: att-123 + origin: abc123 + type: visualization + versions: + - content_hash: sha256-xyz + created_at: '2025-01-06T10:00:00.000Z' + data: + chart_type: bar + esql: FROM sales | STATS count=COUNT(*) BY month + query: Show monthly sales + visualization: {} + estimated_tokens: 50 + version: 1 + success: true + description: Indicates a successful response + summary: Update attachment origin tags: - - Security Entity Analytics API - /api/asset_criticality/list: + - agent builder + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments/stale: get: - description: List asset criticality records, paging, sorting and filtering as needed. - operationId: FindAssetCriticalityRecords + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/stale
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Checks staleness for the latest version of all conversation attachments against their origin snapshot.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-conversations-conversation-id-attachments-stale parameters: - - description: The field to sort by. - in: query - name: sort_field - required: false - schema: - enum: - - id_value - - id_field - - criticality_level - - '@timestamp' - type: string - - description: The order to sort by. - in: query - name: sort_direction - required: false - schema: - enum: - - asc - - desc - type: string - - description: The page number to return. - in: query - name: page - required: false - schema: - minimum: 1 - type: integer - - description: The number of records to return per page. - in: query - name: per_page - required: false - schema: - maximum: 1000 - minimum: 1 - type: integer - - description: The kuery to filter by. - in: query - name: kuery - required: false + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true schema: type: string responses: '200': content: application/json: - schema: - example: - page: 1 - per_page: 10 - records: - - '@timestamp': '2024-08-02T14:40:35.705Z' - asset: - criticality: medium_impact - criticality_level: medium_impact - host: - asset: - criticality: medium_impact - name: my_other_host - id_field: host.name - id_value: my_other_host - - '@timestamp': '2024-08-02T11:15:34.290Z' - asset: - criticality: high_impact - criticality_level: high_impact - host: - asset: - criticality: high_impact - name: my_host - id_field: host.name - id_value: my_host - total: 2 - type: object - properties: - page: - minimum: 1 - type: integer - per_page: - maximum: 1000 - minimum: 1 - type: integer - records: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - type: array - total: - minimum: 0 - type: integer - required: - - records - - page - - per_page - - total - description: Successfully retrieved asset criticality records - summary: List asset criticality 
records + examples: + checkStaleAttachmentsResponseExample: + description: 'Mixed conversation: attachments without a stale source return only id and is_stale. When a staleness check fails for one attachment, is_stale is false and an error explains why. When an origin-backed attachment is out of date, the response includes type, origin, and resolved data (here a simple text body) for resync.' + value: + attachments: + - id: att-text-meeting-notes + is_stale: false + - id: att-lens-active-users + is_stale: false + - error: Origin could not be resolved + id: att-query-attachment + is_stale: false + - data: This is the content of my text attachment + hidden: false + id: att-text-runbook + is_stale: true + origin: document:hr-onboarding-v2 + type: text + description: Indicates a successful response + summary: Check attachment staleness tags: - - Security Entity Analytics API - /api/attack_discovery/_bulk: + - agent builder + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/converse: post: - description: >- - Performs bulk updates on multiple Attack discoveries, including workflow - status changes and visibility settings. This endpoint allows efficient - batch processing of alert modifications without requiring individual API - calls for each alert. - operationId: PostAttackDiscoveryBulk + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/converse
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Send a message to an agent and receive a complete response. This synchronous endpoint waits for the agent to fully process your request before returning the final result. Use this for simple chat interactions where you need the complete response. To learn more, refer to the [agent chat documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/chat).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-converse + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: - example: - update: - enable_field_rendering: false - ids: - - >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - - >- - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 - kibana_alert_workflow_status: acknowledged - with_replacements: true + examples: + converseRequestExample: + description: Example request to send a message to the agent as a part of the conversation + value: + agent_id: elastic-ai-agent + connector_id: my-connector-id + input: What is Elasticsearch? + converseRequestInferenceExample: + description: Example using inference_id (mutually exclusive with connector_id) + value: + agent_id: elastic-ai-agent + inference_id: my-inference-endpoint-id + input: What is Elasticsearch? schema: + additionalProperties: false type: object properties: - update: - description: >- - Configuration object containing all parameters for the bulk - update operation - type: object - properties: - enable_field_rendering: - default: false - description: >- - Enables a markdown syntax used to render pivot fields, - for example `{{ user.name james }}`. When disabled, the - same example would be rendered as `james`. This is - primarily used for Attack Discovery views within Kibana. - Defaults to `false`. - example: false + _execution_mode: + description: '**Experimental; added in 9.4.0.** define how to execute the agent (local execution or via task_manager)' + enum: + - local + - task_manager + type: string + action: + description: The action to perform. "regenerate" re-executes the last round with the original input. Requires conversation_id. 
+ enum: + - regenerate + type: string + agent_id: + default: elastic-ai-agent + description: The ID of the agent to chat with. Defaults to the default Elastic AI agent. + type: string + attachments: + description: '**Technical Preview; added in 9.3.0.** Optional attachments to send with the message.' + items: + additionalProperties: false + type: object + properties: + data: + additionalProperties: + nullable: true + description: Payload of the attachment. Required unless `origin` is provided (content is resolved once at send time). + type: object + hidden: + description: When true, the attachment will not be displayed in the UI. + type: boolean + id: + description: Optional id for the attachment. + type: string + origin: + description: Origin string (for example, saved object ID) for by-reference attachments. When provided without `data`, the content is resolved once using the attachment type’s `resolve` hook. + type: string + type: + description: Type of the attachment. + type: string + required: + - type + type: array + browser_api_tools: + description: Optional browser API tools to be registered as LLM tools with browser.* namespace. These tools execute on the client side. + items: + additionalProperties: false + type: object + properties: + description: + description: Description of what the browser API tool does. + type: string + id: + description: Unique identifier for the browser API tool. + type: string + schema: + description: JSON Schema defining the tool parameters (JsonSchema7Type). + nullable: true + required: + - id + - description + - schema + type: array + capabilities: + additionalProperties: false + description: Controls agent capabilities during conversation. Currently supports visualization rendering for tabular tool results. + type: object + properties: + visualizations: + description: When true, allows the agent to render tabular data from tool results as interactive visualizations using custom XML elements in responses. 
type: boolean - ids: - description: Array of Attack Discovery IDs to update - example: - - >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - - >- - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 + configuration_overrides: + additionalProperties: false + description: Runtime configuration overrides. These override the stored agent configuration for this execution only. + type: object + properties: + instructions: + description: Custom instructions for the agent. + type: string + tools: + description: Tool selection to enable for this execution. items: - type: string + additionalProperties: false + type: object + properties: + tool_ids: + items: + type: string + type: array + required: + - tool_ids type: array - kibana_alert_workflow_status: - description: >- - When provided, update the kibana.alert.workflow_status - of the attack discovery alerts - enum: - - open - - acknowledged - - closed - example: acknowledged - type: string - visibility: - description: >- - When provided, update the visibility of the alert, as - determined by the kibana.alert.attack_discovery.users - field - enum: - - not_shared - - shared - example: shared - type: string - with_replacements: - default: true - description: >- - When true, returns the updated Attack discoveries with - text replacements applied to the detailsMarkdown, - entitySummaryMarkdown, summaryMarkdown, and title - fields. This substitutes anonymized values with - human-readable equivalents. Defaults to `true`. - example: true - type: boolean - required: - - ids - required: - - update - description: Bulk update parameters for Attack discoveries - required: true + connector_id: + description: Optional connector ID for the agent to use for model routing. Mutually exclusive with `inference_id`; omit or use only one. + nullable: true + type: string + conversation_id: + description: Optional existing conversation ID to continue a previous conversation. 
+ type: string + inference_id: + description: Optional inference endpoint ID for model routing (public alias for the same internal identifier as `connector_id`). Mutually exclusive with `connector_id`. + nullable: true + type: string + input: + description: The user input message to send to the agent. + type: string + prompts: + additionalProperties: + additionalProperties: false + type: object + properties: + allow: + type: boolean + required: + - allow + description: Can be used to respond to a confirmation prompt. + type: object responses: '200': content: application/json: - example: - data: - - id: >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - title: Suspicious process execution on host-01 - workflow_status: acknowledged - schema: - type: object - properties: - data: - description: >- - Array of updated Attack Discovery alert objects. Each item - includes the applied modifications from the bulk update - request. - items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert - type: array - required: - - data - description: Indicates a successful call. - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: >- - Human-readable error message describing what went wrong - with the bulk update request - example: Invalid request parameters. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - required: - - status_code - - error - - message - description: Bad Request response. 
- summary: Bulk update Attack discoveries + examples: + converseResponseExample: + description: Example response containing the chain of events representing a conversation with the agent + value: + conversation_id: 696ccd6d-4bff-4b26-a62e-522ccf2dcd16 + response: + message: Elasticsearch is a distributed, RESTful search and analytics engine capable of addressing a growing number of use cases. As the heart of the Elastic Stack, it centrally stores your data for lightning fast search, fine‑tuned relevancy, and powerful analytics that scale with ease. + steps: + - reasoning: Searching for official documentation or content that explains what Elasticsearch is + type: reasoning + - params: + query: what is elasticsearch definition overview introduction + progression: + - message: Selecting the best target for this query + results: + - data: + message: Could not figure out which index to use + type: error + tool_call_id: tooluse_shOdUwKIRwC9YhqGzeg0cQ + tool_id: platform.core.search + type: tool_call + description: Indicates a successful response + summary: Send chat message tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl + - agent builder + x-codeSamples: + - lang: curl source: | curl \ - --request POST 'http://localhost:5601/api/attack_discovery/_bulk' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data-raw '{ - "update": { - "ids": [ - "c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f", - "5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7" - ], - "kibana_alert_workflow_status": "acknowledged" - } - }' - /api/attack_discovery/_find: - get: - description: >- - Find Attack discoveries that match the search criteria. Supports free - text search, filtering, pagination, and sorting. 
- operationId: AttackDiscoveryFind + -X POST "${KIBANA_URL}/api/agent_builder/converse" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "input": "What is Elasticsearch?", + "agent_id": "elastic-ai-agent"}' + - lang: Console + source: | + POST kbn://api/agent_builder/converse + { + "input": "What is Elasticsearch?", + "agent_id": "elastic-ai-agent" + } + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/converse/async: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/converse/async
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Send a message to an agent and receive real-time streaming events. This asynchronous endpoint provides live updates as the agent processes your request, allowing you to see intermediate steps and progress. Use this for interactive experiences where you want to monitor the agent's thinking process. + + ## Event types + + The endpoint emits Server-Sent Events (SSE) with the following custom event types: + + `conversation_id_set` + + Sets the conversation ID. + + Schema: + ```json + { + "conversation_id": "uuid" + } + ``` + + --- + + `conversation_created` + + Fires when a new conversation is persisted and assigned an ID. + + Schema: + ```json + { + "conversation_id": "uuid", + "title": "conversation title" + } + ``` + + --- + + `conversation_updated` + + Fires when a conversation is updated. + + Schema: + ```json + { + "conversation_id": "uuid", + "title": "updated conversation title" + } + ``` + + --- + + `reasoning` + + Handles reasoning-related data. + + Schema: + ```json + { + "reasoning": "plain text reasoning content", + "transient": false + } + ``` + + --- + + `tool_call` + + Triggers when a tool is invoked. + + Schema: + ```json + { + "tool_call_id": "uuid", + "tool_id": "tool_name", + "params": {} + } + ``` + + --- + + `tool_progress` + + Reports progress of a running tool. + + Schema: + ```json + { + "tool_call_id": "uuid", + "message": "progress message" + } + ``` + + --- + + `tool_result` + + Returns results from a completed tool call. + + Schema: + ```json + { + "tool_call_id": "uuid", + "tool_id": "tool_name", + "results": [] + } + ``` + + **Note:** `results` is an array of `ToolResult` objects. + + --- + + `message_chunk` + + Streams partial text chunks. + + Schema: + ```json + { + "message_id": "uuid", + "text_chunk": "partial text" + } + ``` + + --- + + `message_complete` + + Indicates message stream is finished. 
+ + Schema: + ```json + { + "message_id": "uuid", + "message_content": "full text content of the message" + } + ``` + + --- + + `thinking_complete` + + Marks the end of the thinking/reasoning phase. + + Schema: + ```json + { + "time_to_first_token": 0 + } + ``` + + **Note:** `time_to_first_token` is in milliseconds. + + --- + + `round_complete` + + Marks end of one conversation round. + + Schema: + ```json + { + "round": {} + } + ``` + + **Note:** `round` contains the full round json object. + + --- + + ## Event flow + + A typical conversation round emits events in this sequence: + + 1. `reasoning` (potentially multiple, some transient) + 2. `tool_call` (if tools are used) + 3. `tool_progress` (zero or more progress updates) + 4. `tool_result` (when tool completes) + 5. `thinking_complete` + 6. `message_chunk` (multiple, as text streams) + 7. `message_complete` + 8. `round_complete` + +

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-converse-async parameters: - - description: >- - Filter results to Attack discoveries that include any of the - provided alert IDs - in: query - name: alert_ids - required: false - schema: - items: - type: string - type: array - - description: >- - Filter results to Attack discoveries created by any of the provided - human readable connector names. Note that values must match the - human readable `connector_name` property of an Attack discovery, - e.g. "GPT-5 Chat", which are distinct from `connector_id` values - used to generate Attack discoveries. - in: query - name: connector_names - required: false - schema: - items: - type: string - type: array - - description: >- - Enables a markdown syntax used to render pivot fields, for example - `{{ user.name james }}`. When disabled, the same example would be - rendered as `james`. This is primarily used for Attack Discovery - views within Kibana. Defaults to `false`. - example: false - in: query - name: enable_field_rendering - required: false - schema: - default: false - type: boolean - - description: >- - End of the time range for the search. Accepts absolute timestamps - (ISO 8601) or relative date math (e.g. "now", "now-24h"). 
- example: now - in: query - name: end - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: Filter results to the Attack discoveries with the specified IDs - in: query - name: ids - required: false - schema: - items: - type: string - type: array - - description: >- - If `true`, the response will include `unique_alert_ids` and - `unique_alert_ids_count` aggregated across the matched Attack - discoveries - example: false - in: query - name: include_unique_alert_ids - required: false - schema: - type: boolean - - description: Page number to return (used for pagination). Defaults to 1. - example: 1 - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: integer - - description: >- - Number of Attack discoveries to return per page (used for - pagination). Defaults to 10. - example: 10 + requestBody: + content: + application/json: + examples: + converseAsyncRequestExample: + description: Example request to send a message to the agent as a part of the conversation + value: + agent_id: elastic-ai-agent + conversation_id: c250305b-1929-4248-b568-b9e3f065fda5 + input: Hello + converseAsyncRequestInferenceExample: + description: Example using inference_id (mutually exclusive with connector_id) + value: + agent_id: elastic-ai-agent + inference_id: my-inference-endpoint-id + input: Hello + schema: + additionalProperties: false + type: object + properties: + _execution_mode: + description: '**Experimental; added in 9.4.0.** define how to execute the agent (local execution or via task_manager)' + enum: + - local + - task_manager + type: string + action: + description: The action to perform. "regenerate" re-executes the last round with the original input. Requires conversation_id. + enum: + - regenerate + type: string + agent_id: + default: elastic-ai-agent + description: The ID of the agent to chat with. 
Defaults to the default Elastic AI agent. + type: string + attachments: + description: '**Technical Preview; added in 9.3.0.** Optional attachments to send with the message.' + items: + additionalProperties: false + type: object + properties: + data: + additionalProperties: + nullable: true + description: Payload of the attachment. Required unless `origin` is provided (content is resolved once at send time). + type: object + hidden: + description: When true, the attachment will not be displayed in the UI. + type: boolean + id: + description: Optional id for the attachment. + type: string + origin: + description: Origin string (for example, saved object ID) for by-reference attachments. When provided without `data`, the content is resolved once using the attachment type’s `resolve` hook. + type: string + type: + description: Type of the attachment. + type: string + required: + - type + type: array + browser_api_tools: + description: Optional browser API tools to be registered as LLM tools with browser.* namespace. These tools execute on the client side. + items: + additionalProperties: false + type: object + properties: + description: + description: Description of what the browser API tool does. + type: string + id: + description: Unique identifier for the browser API tool. + type: string + schema: + description: JSON Schema defining the tool parameters (JsonSchema7Type). + nullable: true + required: + - id + - description + - schema + type: array + capabilities: + additionalProperties: false + description: Controls agent capabilities during conversation. Currently supports visualization rendering for tabular tool results. + type: object + properties: + visualizations: + description: When true, allows the agent to render tabular data from tool results as interactive visualizations using custom XML elements in responses. + type: boolean + configuration_overrides: + additionalProperties: false + description: Runtime configuration overrides. 
These override the stored agent configuration for this execution only. + type: object + properties: + instructions: + description: Custom instructions for the agent. + type: string + tools: + description: Tool selection to enable for this execution. + items: + additionalProperties: false + type: object + properties: + tool_ids: + items: + type: string + type: array + required: + - tool_ids + type: array + connector_id: + description: Optional connector ID for the agent to use for model routing. Mutually exclusive with `inference_id`; omit or use only one. + nullable: true + type: string + conversation_id: + description: Optional existing conversation ID to continue a previous conversation. + type: string + inference_id: + description: Optional inference endpoint ID for model routing (public alias for the same internal identifier as `connector_id`). Mutually exclusive with `connector_id`. + nullable: true + type: string + input: + description: The user input message to send to the agent. + type: string + prompts: + additionalProperties: + additionalProperties: false + type: object + properties: + allow: + type: boolean + required: + - allow + description: Can be used to respond to a confirmation prompt. + type: object + responses: + '200': + content: + text/event-stream: + examples: + converseAsyncResponseExample: + description: Example stream containing the chain of events representing a conversation with the agent + value: + - data: + data: + conversation_id: c250305b-1929-4248-b568-b9e3f065fda5 + event: conversation_id_set + - data: + data: + reasoning: Starting with a general search to understand what content is available. 
+ event: reasoning + - data: + data: + params: + query: latest documents + tool_call_id: tooluse__2aJELgyRYqD8SDOKSiwtg + tool_id: platform.core.search + event: tool_call + - data: + data: + results: + - data: + message: Could not figure out which index to use + type: error + tool_call_id: tooluse__2aJELgyRYqD8SDOKSiwtg + event: tool_result + - data: + data: + round: + id: a5692d54-bc06-4a6e-aea1-412779c73f66 + input: + message: Hello + response: + message: Hello! How can I help you today? + event: round_complete + description: Indicates a successful response + summary: Send chat message (streaming) + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/agent_builder/converse/async" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "input": "Hello again let us have an async chat", + "agent_id": "elastic-ai-agent", + "conversation_id": "" + }' + - lang: Console + source: | + POST kbn://api/agent_builder/converse/async + { + "input": "Hello again let's have an async chat", + "agent_id": "elastic-ai-agent", + "conversation_id": "" + } + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/mcp: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/mcp
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + > warn + > This endpoint is designed for MCP clients (Claude Desktop, Cursor, VS Code, etc.) and should not be used directly via REST APIs. Use MCP Inspector or native MCP clients instead. + To learn more, refer to the [MCP documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/mcp-server).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-mcp + parameters: + - description: Comma-separated list of namespaces to filter tools. Only tools matching the specified namespaces will be returned. in: query - name: per_page + name: namespace required: false schema: - default: 10 - minimum: 1 - type: integer - - description: >- - Free-text search query applied to relevant text fields of Attack - discoveries (title, description, tags, etc.) - example: '' - in: query - name: search - required: false + type: string + requestBody: + content: + application/json: + examples: + mcpInitializeRequestExample: + description: 'WARNING: DO NOT USE THIS ENDPOINT VIA REST API. These examples are auto-generated and should not be run. Integrate with MCP using MCP Inspector or native MCP clients (Claude Desktop, Cursor, VS Code) instead.' + value: + id: 1 + jsonrpc: '2.0' + method: initialize + params: + capabilities: {} + clientInfo: + name: test-client + version: 1.0.0 + protocolVersion: '2024-11-05' + schema: {} + responses: + '200': + content: + application/json: + examples: + mcpInitializeResponseExample: + description: Example response showing the successful result of communication initialisation over MCP protocol + value: + id: 1 + jsonrpc: '2.0' + result: + capabilities: + tools: + listChanged: true + protocolVersion: '2024-11-05' + serverInfo: + name: elastic-mcp-server + version: 0.0.1 + description: Indicates a successful response + summary: MCP server + tags: + - agent builder + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/plugins: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/plugins
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all installed plugins and their managed assets. Plugins are installable packages that bundle agent capabilities such as skills, following the [Claude agent plugin specification](https://code.claude.com/docs/en/plugins).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-plugins + parameters: [] + responses: + '200': + content: + application/json: + examples: + listPluginsResponseExample: + description: Example response that returns one installed plugin + value: + results: + - created_at: '2025-01-01T00:00:00.000Z' + description: Financial analysis tools and skills for Claude + id: financial-analysis + manifest: + author: + name: Anthropic + url: https://www.anthropic.com + keywords: + - finance + - analysis + repository: https://github.com/anthropics/financial-services-plugins + name: financial-analysis + skill_ids: + - financial-analysis-analyze-portfolio + source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + unmanaged_assets: + agents: [] + hooks: [] + lsp_servers: [] + mcp_servers: [] + output_styles: [] + updated_at: '2025-01-01T00:00:00.000Z' + version: 1.0.0 + description: Indicates a successful response + summary: List plugins + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/plugins" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/plugins + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/plugins/{pluginId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/plugins/{pluginId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an installed plugin by ID. This action cannot be undone.

[Required authorization] Route required privileges: agentBuilder:write. + operationId: delete-agent-builder-plugins-pluginid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: >- - Whether to filter by shared visibility. If omitted, both shared and - privately visible Attack discoveries are returned. Use `true` to - return only shared discoveries, `false` to return only those visible - to the current user. - in: query - name: shared - required: false + - description: The unique identifier of the plugin. + in: path + name: pluginId + required: true schema: - type: boolean - - description: >- - Whether to filter by scheduled or ad-hoc attack discoveries. If - omitted, both types of attack discoveries are returned. Use `true` - to return only scheduled discoveries or `false` to return only - ad-hoc discoveries. + type: string + - description: If true, removes the plugin skills from agents that use them and then deletes the plugin. If false and any agent uses the plugin skills, the request returns 409 Conflict with the list of agents. in: query - name: scheduled + name: force required: false schema: + default: false type: boolean - - description: >- - Field used to sort results. See `AttackDiscoveryFindSortField` for - allowed values. - example: '@timestamp' - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryFindSortField - default: '@timestamp' - - description: >- - Sort order direction `asc` for ascending or `desc` for descending. - Defaults to `desc`. - example: desc - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_SortOrder' - default: desc - - description: >- - Start of the time range for the search. Accepts absolute timestamps - (ISO 8601) or relative date math (e.g. "now-7d"). 
- example: now-24h - in: query - name: start - required: false + responses: + '200': + content: + application/json: + examples: + deletePluginResponseExample: + description: Example response showing that deletion of the plugin has been successful + value: + success: true + description: Indicates a successful response + summary: Delete a plugin + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/agent_builder/plugins/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/agent_builder/plugins/{id} + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/plugins/{pluginId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a specific plugin by ID.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-plugins-pluginid + parameters: + - description: The unique identifier of the plugin. + in: path + name: pluginId + required: true schema: type: string - - description: >- - Filter by alert workflow status. Provide one or more of the allowed - workflow states. - example: - - open - - acknowledged - in: query - name: status - required: false - schema: - items: - enum: - - acknowledged - - closed - - open - type: string - type: array - - description: >- - When true, return the created Attack discoveries with text - replacements applied to the detailsMarkdown, entitySummaryMarkdown, - summaryMarkdown, and title fields. Defaults to `true`. - example: true - in: query - name: with_replacements - required: false - schema: - default: true - type: boolean responses: '200': content: application/json: - example: - connector_names: - - GPT-5 Chat - data: - - connector_name: GPT-5 Chat - id: >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - title: Suspicious process execution on host-01 - page: 1 - per_page: 10 - total: 1 - unique_alert_ids_count: 0 - schema: - type: object - properties: - connector_names: - description: >- - List of human readable connector names that are present in - the matched Attack discoveries. Useful for building client - filters or summaries. - items: - type: string - type: array - data: - description: >- - Array of matched Attack discovery objects. Each item - follows the `AttackDiscoveryApiAlert` schema. - items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert - type: array - page: - description: Current page number of the paginated result set. - type: integer - per_page: - description: Number of items requested per page. - type: integer - total: - description: >- - Total number of Attack discoveries matching the query - (across all pages). 
- type: integer - unique_alert_ids: - description: >- - List of unique alert IDs aggregated from the matched - Attack discoveries. Only present if - `include_unique_alert_ids=true` in the request. - items: - type: string - type: array - unique_alert_ids_count: - description: >- - Number of unique alert IDs across all matched Attack - discoveries. Only present if - `include_unique_alert_ids=true` in the request. - type: integer - required: - - connector_names - - data - - page - - per_page - - total - - unique_alert_ids_count - description: Indicates a successful call. - '400': + examples: + getPluginByIdResponseExample: + description: Example response returning a single installed plugin + value: + created_at: '2025-01-01T00:00:00.000Z' + description: Financial analysis tools and skills for Claude + id: financial-analysis + manifest: + author: + name: Anthropic + url: https://www.anthropic.com + keywords: + - finance + - analysis + repository: https://github.com/anthropics/financial-services-plugins + name: financial-analysis + skill_ids: + - financial-analysis-analyze-portfolio + source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + unmanaged_assets: + agents: [] + hooks: [] + lsp_servers: [] + mcp_servers: [] + output_styles: [] + updated_at: '2025-01-01T00:00:00.000Z' + version: 1.0.0 + description: Indicates a successful response + summary: Get a plugin by id + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/plugins/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/plugins/{id} + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/plugins/install: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/plugins/install
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install a plugin from a [GitHub Claude plugin URL](https://code.claude.com/docs/en/plugins) or a direct ZIP URL. Plugins bundle agent capabilities such as skills.

[Required authorization] Route required privileges: agentBuilder:write. + operationId: post-agent-builder-plugins-install + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + installPluginFromGithubExample: + description: Example request for installing a plugin from a GitHub URL + value: + url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + installPluginFromZipExample: + description: Example request for installing a plugin from a direct zip URL + value: + url: https://my-server.example.com/my-plugin.zip + installPluginWithNameOverrideExample: + description: Example request for installing a plugin with a custom name + value: + plugin_name: my-custom-plugin-name + url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + schema: + additionalProperties: false + type: object + properties: + plugin_name: + description: Optional name override for the plugin. Defaults to the manifest name. + type: string + url: + description: URL to install the plugin from (GitHub URL or direct zip URL). + type: string + required: + - url + responses: + '200': content: application/json: - example: - error: Bad Request - message: Invalid request payload. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message - example: Invalid request payload. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - description: Bad Request response. 
- summary: Find Attack discoveries that match the search criteria + examples: + installPluginResponseExample: + description: Example response returning the definition of the installed plugin + value: + created_at: '2025-01-01T00:00:00.000Z' + description: Financial analysis tools and skills for Claude + id: financial-analysis + manifest: + author: + name: Anthropic + url: https://www.anthropic.com + keywords: + - finance + - analysis + repository: https://github.com/anthropics/financial-services-plugins + name: financial-analysis + skill_ids: + - financial-analysis-analyze-portfolio + source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + unmanaged_assets: + agents: [] + hooks: [] + lsp_servers: [] + mcp_servers: [] + output_styles: [] + updated_at: '2025-01-01T00:00:00.000Z' + version: 1.0.0 + description: Indicates a successful response + summary: Install a plugin tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl + - agent builder + x-codeSamples: + - lang: curl source: | curl \ - --request GET 'http://localhost:5601/api/attack_discovery/_find?end=now&include_unique_alert_ids=false&page=1&per_page=10&search=&sort_field=%40timestamp&sort_order=desc&start=now-24h&status=open&status=acknowledged' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/_generate: + -X POST "${KIBANA_URL}/api/agent_builder/plugins/install" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "url": "https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis" + }' + - lang: Console + source: | + POST kbn://api/agent_builder/plugins/install + { + "url": "https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis" + } + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + 
/api/agent_builder/skills: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/skills
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all available skills (built-in and user-created).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-skills + parameters: + - description: Set to true to include skills from plugins. + in: query + name: include_plugins + required: false + schema: + default: false + type: boolean + responses: {} + summary: List skills + tags: + - agent builder + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name post: - description: >- - Initiates the generation of attack discoveries by analyzing security - alerts using AI. Returns an execution UUID that can be used to track the - generation progress and retrieve results. Results may also be retrieved - via the find endpoint. - operationId: PostAttackDiscoveryGenerate + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/skills
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new user-defined skill.

[Required authorization] Route required privileges: agentBuilder:manageSkills. + operationId: post-agent-builder-skills + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: - example: - alertsIndexPattern: .alerts-security.alerts-default - anonymizationFields: - - allowed: true - anonymized: true - field: host.name - - allowed: true - anonymized: true - field: user.name - - allowed: true - anonymized: false - field: process.name - apiConfig: - actionTypeId: .gen-ai - connectorId: 12345678-1234-1234-1234-123456789012 - connectorName: GPT-5 Chat - end: now - replacements: {} - size: 100 - start: now-24h - subAction: invokeAI schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenerationConfig - required: true + additionalProperties: false + type: object + properties: + content: + description: Skill instructions content (markdown). + type: string + description: + description: Description of what the skill does. + type: string + id: + description: Unique identifier for the skill. + type: string + name: + description: Human-readable name for the skill. + type: string + referenced_content: + items: + additionalProperties: false + type: object + properties: + content: + description: Content of the reference. + type: string + name: + description: Name of the referenced content. + type: string + relativePath: + description: Relative path of the referenced content. + type: string + required: + - name + - relativePath + - content + maxItems: 100 + type: array + tool_ids: + default: [] + description: Tool IDs from the tool registry that this skill references. + items: + description: Tool ID from the tool registry. 
+ type: string + maxItems: 100 + type: array + required: + - id + - name + - description + - content + responses: {} + summary: Create a skill + tags: + - agent builder + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/skills/{skillId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/skills/{skillId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a user-created skill by ID. If agents still reference the skill, the request returns 409 unless force=true, which removes the skill from agents first. Built-in skills cannot be deleted.

[Required authorization] Route required privileges: agentBuilder:manageSkills. + operationId: delete-agent-builder-skills-skillid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the skill. + in: path + name: skillId + required: true + schema: + maxLength: 512 + minLength: 1 + type: string + - description: If true, removes the skill from agents that use it and then deletes it. If false and any agent uses the skill, the request returns 409 Conflict with the list of agents. + in: query + name: force + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: - example: - execution_uuid: edd26039-0990-4d9f-9829-2a1fcacb77b5 - schema: - type: object - properties: - execution_uuid: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString - description: >- - The unique identifier for the attack discovery generation - process. Use this UUID to track the generation progress - and retrieve results via the find endpoint. - example: edd26039-0990-4d9f-9829-2a1fcacb77b5 - required: - - execution_uuid - description: Indicates a successful call. - '400': + examples: + deleteSkillResponseExample: + description: Example response showing that the deletion operation was successful + value: + success: true + description: Indicates a successful response + summary: Delete a skill + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "https://${KIBANA_URL}/api/agent_builder/skills/{skillId}?force=false" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn:/api/agent_builder/skills/{skillId} + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/skills/{skillId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a specific skill by ID.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-skills-skillid + parameters: + - description: The unique identifier of the skill. + in: path + name: skillId + required: true + schema: + maxLength: 512 + minLength: 1 + type: string + responses: {} + summary: Get a skill by id + tags: + - agent builder + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/skills/{skillId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing user-created skill.

[Required authorization] Route required privileges: agentBuilder:manageSkills. + operationId: put-agent-builder-skills-skillid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the skill. + in: path + name: skillId + required: true + schema: + maxLength: 512 + minLength: 1 + type: string + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + content: + description: Updated skill instructions content. + type: string + description: + description: Updated description. + type: string + name: + description: Updated name for the skill. + type: string + referenced_content: + items: + additionalProperties: false + type: object + properties: + content: + description: Content of the reference. + type: string + name: + description: Name of the referenced content. + type: string + relativePath: + description: Relative path of the referenced content. + type: string + required: + - name + - relativePath + - content + maxItems: 100 + type: array + tool_ids: + description: Updated tool IDs from the tool registry. + items: + description: Updated tool ID. + type: string + maxItems: 100 + type: array + responses: {} + summary: Update a skill + tags: + - agent builder + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/tools: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/tools
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all available tools. Use this endpoint to retrieve complete tool definitions including their schemas and configuration requirements. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-tools + parameters: [] + responses: + '200': content: application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message describing what went wrong - example: Invalid request parameters. + examples: + listToolsResponseExample: + description: Example response returning a list of existing tools + value: + results: + - configuration: {} + description: |- + A powerful tool for searching and analyzing data within your Elasticsearch cluster. + It supports both full-text relevance searches and structured analytical queries. + + Use this tool for any query that involves finding documents, counting, aggregating, or summarizing data from a known index. + + Examples of queries: + - "find articles about serverless architecture" + - "search for support tickets mentioning 'billing issue' or 'refund request'" + - "what is our policy on parental leave?" + - "list all products where the category is 'electronics'" + - "show me the last 5 documents from that index" + - "show me the sales over the last year break down by month" + + Note: + - The 'index' parameter can be used to specify which index to search against. + If not provided, the tool will decide itself which is the best index to use. + - It is perfectly fine not to specify the 'index' parameter. It should only be specified when you already + know about the index and fields you want to search on, e.g. if the user explicitly specified it. + id: platform.core.search + readonly: true + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + index: + description: (optional) Index to search against. 
If not provided, will automatically select the best index to use based on the query. + type: string + query: + description: A natural language query expressing the search request + type: string + required: + - query + tags: [] + type: builtin + - configuration: {} + description: Retrieve the full content (source) of an Elasticsearch document based on its ID and index name. + id: platform.core.get_document_by_id + readonly: true + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + id: + description: ID of the document to retrieve + type: string + index: + description: Name of the index to retrieve the document from + type: string + required: + - id + - index + tags: [] + type: builtin + - configuration: {} + description: |- + Execute an ES|QL query and return the results in a tabular format. + + **IMPORTANT**: This tool only **runs** queries; it does not write them. + Think of this as the final step after a query has been prepared. + + You **must** get the query from one of two sources before calling this tool: + 1. The output of the `platform.core.generate_esql` tool (if the tool is available). + 2. A verbatim query provided directly by the user. + + Under no circumstances should you invent, guess, or modify a query yourself for this tool. + If you need a query, use the `platform.core.generate_esql` tool first. 
+ id: platform.core.execute_esql + readonly: true + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + query: + description: The ES|QL query to execute + type: string + required: + - query + tags: [] + type: builtin + - configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Example ES|QL query tool for analyzing financial trades with time filtering + id: example-esql-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + description: Parameters needed to execute the query + type: object + properties: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + format: date-time + type: string + required: + - startTime + - limit + tags: + - analytics + - finance + type: esql + - configuration: + pattern: financial_* + description: Search tool specifically for financial data analysis and reporting + id: example-index-search-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + nlQuery: + description: A natural language query expressing the search request + type: string + required: + - nlQuery + tags: + - search + - finance + type: index_search + description: Indicates a successful response + summary: List tools + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "https://${KIBANA_URL}/api/agent_builder/tools" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET 
kbn:/api/agent_builder/tools + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/tools
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new tool. Use this endpoint to define a custom tool with specific functionality and configuration for use by agents. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. + operationId: post-agent-builder-tools + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + createEsqlToolRequest: + description: Example request to create an ESQL query tool with a pre-defined query + value: + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Example ES|QL query tool for analyzing financial trades with time filtering + id: example-esql-tool + tags: + - analytics + - finance + type: esql + createIndexSearchToolRequest: + description: Example request to create an index_search tool with a pre-defined index pattern + value: + configuration: + pattern: financial_* + description: Search tool specifically for financial data analysis and reporting + id: example-index-search-tool + tags: + - search + - finance + type: index_search + schema: + additionalProperties: false + type: object + properties: + configuration: + additionalProperties: + nullable: true + description: Tool-specific configuration parameters. See examples for details. + type: object + description: + default: '' + description: Description of what the tool does. + type: string + id: + description: Unique identifier for the tool. + type: string + tags: + default: [] + description: Optional tags for categorizing and organizing tools. + items: + description: Tag for categorizing the tool. 
type: string - status_code: - description: HTTP status code - example: 400 - type: number - required: - - status_code - - error - - message - description: Bad Request response. - summary: Generate attack discoveries from alerts + type: array + type: + description: The type of tool to create (e.g., esql, index_search). + enum: + - esql + - index_search + - workflow + - mcp + type: string + required: + - id + - type + - configuration + responses: + '200': + content: + application/json: + examples: + createEsqlToolExample: + description: Example response returning a definition of ESQL tool created + value: + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Example ES|QL query tool for analyzing financial trades with time filtering + id: example-esql-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + description: Parameters needed to execute the query + type: object + properties: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + format: date-time + type: string + required: + - startTime + - limit + tags: + - analytics + - finance + type: esql + createIndexSearchToolExample: + description: Example response returning a definition of search tool tool created + value: + configuration: + pattern: financial_* + description: Search tool specifically for financial data analysis and reporting + id: example-index-search-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + nlQuery: + description: A 
natural language query expressing the search request + type: string + required: + - nlQuery + tags: + - search + - finance + type: index_search + description: Indicates a successful response + summary: Create a tool tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl + - agent builder + x-codeSamples: + - lang: curl source: | curl \ - --request POST 'http://localhost:5601/api/attack_discovery/_generate' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{ - "alertsIndexPattern": ".alerts-security.alerts-default", - "anonymizationFields": [ - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "@timestamp", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "aKiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.feature", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "saiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.data", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "sqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.entropy", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "s6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.extension", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "tKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.metrics", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": 
"taiJW5gB4U27o8XO8oLg" + -X POST "https://${KIBANA_URL}/api/agent_builder/tools" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "id": "example-esql-tool", + "type": "esql", + "description": "Example ES|QL query tool for analyzing financial trades with time filtering", + "tags": ["analytics", "finance"], + "configuration": { + "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", + "params": { + "startTime": { + "type": "date", + "description": "Start time for the analysis in ISO format" + }, + "limit": { + "type": "integer", + "description": "Maximum number of results to return" + } + } + } + }' + - lang: Console + source: | + POST kbn:/api/agent_builder/tools + { + "id": "example-esql-tool", + "type": "esql", + "description": "An ES|QL query tool for analyzing financial trades with time filtering", + "tags": ["analytics", "finance", "updated"], + "configuration": { + "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", + "params": { + "startTime": { + "type": "date", + "description": "Start time for the analysis in ISO format" }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.operation", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "tqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.path", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "t6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.score", - "allowed": true, - 
"anonymized": false, - "namespace": "default", - "id": "uKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.version", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "uaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "_id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "Z6iJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "agent.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "aaiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "cloud.availability_zone", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "aqiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "cloud.provider", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "a6iJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "cloud.region", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "bKiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "destination.ip", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "baiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "dns.question.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "bqiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "dns.question.type", - "allowed": 
true, - "anonymized": false, - "namespace": "default", - "id": "b6iJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "event.category", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "cKiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "event.dataset", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "caiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "event.module", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "cqiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "event.outcome", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "c6iJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "file.Ext.original.path", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "dKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "file.hash.sha256", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "daiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "file.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "dqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "file.path", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "d6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "group.id", - "allowed": 
true, - "anonymized": false, - "namespace": "default", - "id": "eKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "group.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "eaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.asset.criticality", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "eqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.name", - "allowed": true, - "anonymized": true, - "namespace": "default", - "id": "e6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.os.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "fKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.os.version", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "faiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.risk.calculated_level", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "fqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.risk.calculated_score_norm", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "f6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.original_time", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "gKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": 
"2025-07-30T13:33:44.029Z", - "field": "kibana.alert.risk_score", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "gaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.description", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "gqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "g6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.references", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "hKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.framework", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "haiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.tactic.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "hqiJW5gB4U27o8XO8oLg" + "limit": { + "type": "integer", + "description": "Maximum number of results to return" + } + } + } + } + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/tools/_execute: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/tools/_execute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Run a tool with parameters. Use this endpoint to run a tool directly with specified inputs and optional external connector integration. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-tools-execute + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + executeBuiltinEsqlToolRequest: + description: Example request executing platform.core.execute_esql tool + value: + tool_id: platform.core.execute_esql + tool_params: + query: FROM financial_trades | LIMIT 3 + executeBuiltinToolRequest: + description: Example request executing platform.core.get_document_by_id tool + value: + tool_id: platform.core.get_document_by_id + tool_params: + id: TRD-20250805-0820a89f + index: financial_trades + executeCustomEsqlToolRequest: + description: Example request executing custom example-esql-tool tool + value: + tool_id: example-esql-tool + tool_params: + limit: 3 + startTime: '2024-01-01T00:00:00Z' + executeIndexSearchToolRequest: + description: Example request executing custom example-index-search-tool tool + value: + tool_id: example-index-search-tool + tool_params: + nlQuery: find trades with high execution prices above 100 + schema: + additionalProperties: false + type: object + properties: + connector_id: + description: Optional connector ID for tools that require external integrations. + type: string + tool_id: + description: The ID of the tool to execute. + type: string + tool_params: + additionalProperties: + nullable: true + description: Parameters to pass to the tool execution. 
See examples for details + type: object + required: + - tool_id + - tool_params + responses: + '200': + content: + application/json: + examples: + executeBuiltinEsqlToolExample: + description: Example response calling built-in platform.core.execute_esql tool + value: + results: + - data: + esql: FROM financial_trades | LIMIT 3 + type: query + - data: + columns: + - name: account_id + type: keyword + - name: execution_price + type: double + - name: symbol + type: keyword + - name: trade_type + type: keyword + query: FROM financial_trades | LIMIT 3 + source: esql + values: + - - ACC00179-1f91 + - 43.77000045776367 + - CVX + - sell + - - ACC00407-0bbb + - 660.4199829101562 + - V + - buy + - - ACC00179-1f91 + - 440.3599853515625 + - KO + - buy + tool_result_id: xTpT + type: esql_results + executeBuiltinToolExample: + description: Example response calling built-in platform.core.get_document_by_id tool + value: + results: + - data: + content: + account_id: ACC00271-fb5c + execution_price: 488.54 + execution_timestamp: '2025-08-05T08:04:11.649855' + last_updated: '2025-09-15T13:23:36' + order_status: executed + order_type: market + quantity: 131 + status_reason: fully_filled + symbol: EWL + trade_cost: 63998.74 + trade_id: TRD-20250805-0820a89f + trade_type: sell + partial: false + reference: + id: TRD-20250805-0820a89f + index: financial_trades + type: resource + executeCustomEsqlToolExample: + description: Example response calling custom example-esql-tool tool + value: + results: + - data: + columns: + - name: trade_count + type: long + - name: avg_price + type: double + - name: symbol + type: keyword + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + source: esql + values: + - - 2115 + - 89.33911587329621 + - US_T_BOND_20YR + - - 2112 + - 104.20854155945055 + - INTL_CORP_ASIA_D + - - 2105 + - 89.93244177666526 + - INTL_CORP_EU_B + 
tool_result_id: Voy8 + type: esql_results + executeIndexSearchToolExample: + description: Example response calling custom example-index-search-tool tool + value: + results: + - data: + esql: |- + FROM financial_trades + | WHERE execution_price > 100 + | LIMIT 100 + type: query + - data: + columns: + - name: account_id + type: keyword + - name: execution_price + type: double + - name: execution_timestamp + type: date + - name: symbol + type: keyword + - name: trade_type + type: keyword + query: |- + FROM financial_trades + | WHERE execution_price > 100 + | LIMIT 100 + source: esql + values: + - - ACC00407-0bbb + - 660.4199829101562 + - '2020-09-25T11:06:08.687Z' + - V + - buy + - - ACC00179-1f91 + - 440.3599853515625 + - '2025-08-07T21:56:45.377Z' + - KO + - buy + - - ACC00407-0bbb + - 132.8800048828125 + - '2020-11-19T04:39:13.655Z' + - JAP_JGB_10YR + - sell + tool_result_id: uE8y + type: esql_results + description: Indicates a successful response + summary: Run a tool + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "https://${KIBANA_URL}/api/agent_builder/tools/_execute" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "tool_id": "platform.core.search", + "tool_params": { + "query": "can you find john doe's email from the employee index?"} + } + }' + - lang: Console + source: | + POST kbn:/api/agent_builder/tools/_execute + { + "tool_id": "platform.core.search", + "tool_params": { + "query": "can you find john doe's email from the employee index?" + } + } + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/tools/{toolId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/tools/{toolId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a tool by ID. This action cannot be undone. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. + operationId: delete-agent-builder-tools-toolid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the tool to delete. + in: path + name: toolId + required: true + schema: + type: string + - description: If true, removes the tool from agents that use it and then deletes it. If false and any agent uses the tool, the request returns 409 Conflict with the list of agents. + in: query + name: force + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteAgentResponseExample: + description: Example response showing that the deletion operation was successful + value: + success: true + description: Indicates a successful response + summary: Delete a tool + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn:/api/agent_builder/tools/{toolId} + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/tools/{toolId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a specific tool by ID. Use this endpoint to retrieve the complete tool definition including its schema and configuration requirements. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-tools-toolid + parameters: + - description: The unique identifier of the tool to retrieve. + in: path + name: toolId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getBuiltinToolExample: + description: Example response returning built-in platform.core.search tool + value: + configuration: {} + description: |- + A powerful tool for searching and analyzing data within your Elasticsearch cluster. + It supports both full-text relevance searches and structured analytical queries. + + Use this tool for any query that involves finding documents, counting, aggregating, or summarizing data from a known index. + + Examples of queries: + - "find articles about serverless architecture" + - "search for support tickets mentioning 'billing issue' or 'refund request'" + - "what is our policy on parental leave?" + - "list all products where the category is 'electronics'" + - "show me the last 5 documents from that index" + - "show me the sales over the last year break down by month" + + Note: + - The 'index' parameter can be used to specify which index to search against. + If not provided, the tool will decide itself which is the best index to use. + - It is perfectly fine not to specify the 'index' parameter. It should only be specified when you already + know about the index and fields you want to search on, e.g. if the user explicitly specified it. + id: platform.core.search + readonly: true + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + index: + description: (optional) Index to search against. If not provided, will automatically select the best index to use based on the query. 
+ type: string + query: + description: A natural language query expressing the search request + type: string + required: + - query + tags: [] + type: builtin + getEsqlToolExample: + description: Example response returning custom example-esql-tool tool + value: + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Example ES|QL query tool for analyzing financial trades with time filtering + id: example-esql-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + description: Parameters needed to execute the query + type: object + properties: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + format: date-time + type: string + required: + - startTime + - limit + tags: + - analytics + - finance + type: esql + getIndexSearchToolExample: + description: Example response returning custom example-index-search-tool tool + value: + configuration: + pattern: financial_* + description: Search tool specifically for financial data analysis and reporting + id: example-index-search-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + nlQuery: + description: A natural language query expressing the search request + type: string + required: + - nlQuery + tags: + - search + - finance + type: index_search + description: Indicates a successful response + summary: Get a tool by id + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET 
"https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn:/api/agent_builder/tools/{toolId} + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/tools/{toolId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing tool. Use this endpoint to modify any aspect of the tool's configuration or metadata. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. + operationId: put-agent-builder-tools-toolid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the tool to update. + in: path + name: toolId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateEsqlToolRequest: + description: Example request to update the custom ESQL tool + value: + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + symbolPattern: + description: Pattern to filter symbols (e.g., 'US_*' for US instruments) + type: keyword + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime AND symbol LIKE ?symbolPattern | STATS trade_count=COUNT(*), avg_price=AVG(execution_price), total_volume=SUM(quantity) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Updated ES|QL query tool for comprehensive financial analysis with enhanced filtering + tags: + - analytics + - finance + - reporting + updateIndexSearchToolRequest: + description: Example request to update the custom Search tool + value: + description: Updated search tool for comprehensive financial data analysis, reporting, and compliance monitoring + tags: + - search + - finance + - compliance + - reporting + schema: + additionalProperties: false + type: object + properties: + configuration: + additionalProperties: + nullable: true + description: Updated tool-specific configuration parameters. See examples for details. + type: object + description: + description: Updated description of what the tool does. + type: string + tags: + description: Updated tags for categorizing and organizing tools. 
+ items: + description: Updated tag for categorizing the tool. + type: string + type: array + responses: + '200': + content: + application/json: + examples: + updateEsqlToolExample: + description: Example response showing the updated ESQL tool + value: + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + symbolPattern: + description: Pattern to filter symbols (e.g., 'US_*' for US instruments) + type: keyword + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime AND symbol LIKE ?symbolPattern | STATS trade_count=COUNT(*), avg_price=AVG(execution_price), total_volume=SUM(quantity) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Updated ES|QL query tool for comprehensive financial analysis with enhanced filtering + id: example-esql-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + description: Parameters needed to execute the enhanced query + type: object + properties: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + format: date-time + type: string + symbolPattern: + description: Pattern to filter symbols (e.g., 'US_*' for US instruments) + type: string + required: + - startTime + - symbolPattern + - limit + tags: + - analytics + - finance + - reporting + type: esql + updateIndexSearchToolExample: + description: Example response showing the updated Search tool + value: + configuration: + pattern: financial_* + description: Updated search tool for comprehensive financial data analysis, reporting, and compliance monitoring + id: example-index-search-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + nlQuery: + description: A natural language query 
expressing the search request + type: string + required: + - nlQuery + tags: + - search + - finance + - compliance + - reporting + type: index_search + description: Indicates a successful response + summary: Update a tool + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "description": "Updated ES|QL query tool for analyzing financial trades with time filtering", + "tags": ["analytics", "finance", "updated"], + "configuration": { + "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", + "params": { + "startTime": { + "type": "date", + "description": "Start time for the analysis in ISO format" + }, + "limit": { + "type": "integer", + "description": "Maximum number of results to return" + } + } + } + }' + - lang: Console + source: | + PUT kbn:/api/agent_builder/tools/{toolId} + { + "description": "Updated ES|QL query tool for analyzing financial trades with time filtering", + "tags": ["analytics", "finance", "updated"], + "configuration": { + "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", + "params": { + "startTime": { + "type": "date", + "description": "Start time for the analysis in ISO format" }, - { - "timestamp": "2025-07-30T13:33:44.029Z", + "limit": { + "type": "integer", + "description": "Maximum number of results to return" + } + } + } + } + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/alerting/_health: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/_health
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `read` privileges for the **Management > Stack Rules** feature or for at least one of the **Analytics > Discover**, **Analytics > Machine Learning**, **Observability**, or **Security** features. + operationId: getAlertingHealth + responses: + '200': + content: + application/json: + examples: + getAlertingHealthResponse: + $ref: '#/components/examples/Alerting_get_health_response' + schema: + type: object + properties: + alerting_framework_health: + description: | + Three substates identify the health of the alerting framework: `decryption_health`, `execution_health`, and `read_health`. + type: object + properties: + decryption_health: + description: The timestamp and status of the rule decryption. + type: object + properties: + status: + enum: + - error + - ok + - warn + example: ok + type: string + timestamp: + example: '2023-01-13T01:28:00.280Z' + format: date-time + type: string + execution_health: + description: The timestamp and status of the rule run. + type: object + properties: + status: + enum: + - error + - ok + - warn + example: ok + type: string + timestamp: + example: '2023-01-13T01:28:00.280Z' + format: date-time + type: string + read_health: + description: The timestamp and status of the rule reading events. + type: object + properties: + status: + enum: + - error + - ok + - warn + example: ok + type: string + timestamp: + example: '2023-01-13T01:28:00.280Z' + format: date-time + type: string + has_permanent_encryption_key: + description: If `false`, the encrypted saved object plugin does not have a permanent encryption key. + example: true + type: boolean + is_sufficiently_secure: + description: If `false`, security is enabled but TLS is not. + example: true + type: boolean + description: Indicates a successful call. 
+ '401': + content: + application/json: + examples: + healthUnauthorizedResponse: + $ref: '#/components/examples/Alerting_401_health_response' + schema: + $ref: '#/components/schemas/Alerting_401_response' + description: Authorization information is missing or invalid. + summary: Get the alerting framework health + tags: + - alerting + x-metaTags: + - content: Kibana + name: product_name + /api/alerting/rule_types: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/rule_types
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + If you have `read` privileges for one or more Kibana features, the API response contains information about the appropriate rule types. For example, there are rule types associated with the **Management > Stack Rules** feature, **Analytics > Discover** and **Machine Learning** features, **Observability** features, and **Security** features. To get rule types associated with the **Stack Monitoring** feature, use the `monitoring_user` built-in role. + operationId: getRuleTypes + responses: + '200': + content: + application/json: + examples: + getRuleTypesResponse: + $ref: '#/components/examples/Alerting_get_rule_types_response' + schema: + items: + type: object + properties: + action_groups: + description: | + An explicit list of groups for which the rule type can schedule actions, each with the action group's unique ID and human readable name. Rule actions validation uses this configuration to ensure that groups are valid. + items: + type: object + properties: + id: + type: string + name: + type: string + type: array + action_variables: + description: | + A list of action variables that the rule type makes available via context and state in action parameter templates, and a short human readable description. When you create a rule in Kibana, it uses this information to prompt you for these variables in action parameter editors. + type: object + properties: + context: + items: + type: object + properties: + description: + type: string + name: + type: string + useWithTripleBracesInTemplates: + type: boolean + type: array + params: + items: + type: object + properties: + description: + type: string + name: + type: string + type: array + state: + items: + type: object + properties: + description: + type: string + name: + type: string + type: array + alerts: + description: | + Details for writing alerts as data documents for this rule type. 
+ type: object + properties: + context: + description: | + The namespace for this rule type. + enum: + - ml.anomaly-detection + - observability.apm + - observability.logs + - observability.metrics + - observability.slo + - observability.threshold + - observability.uptime + - security + - stack + type: string + dynamic: + description: Indicates whether new fields are added dynamically. + enum: + - 'false' + - runtime + - strict + - 'true' + type: string + isSpaceAware: + description: | + Indicates whether the alerts are space-aware. If true, space-specific alert indices are used. + type: boolean + mappings: + type: object + properties: + fieldMap: + additionalProperties: + $ref: '#/components/schemas/Alerting_fieldmap_properties' + description: | + Mapping information for each field supported in alerts as data documents for this rule type. For more information about mapping parameters, refer to the Elasticsearch documentation. + type: object + secondaryAlias: + description: | + A secondary alias. It is typically used to support the signals alias for detection rules. + type: string + shouldWrite: + description: | + Indicates whether the rule should write out alerts as data. + type: boolean + useEcs: + description: | + Indicates whether to include the ECS component template for the alerts. + type: boolean + useLegacyAlerts: + default: false + description: | + Indicates whether to include the legacy component template for the alerts. + type: boolean + authorized_consumers: + description: The list of the plugins IDs that have access to the rule type. 
+ type: object + properties: + alerts: + type: object + properties: + all: + type: boolean + read: + type: boolean + apm: + type: object + properties: + all: + type: boolean + read: + type: boolean + discover: + type: object + properties: + all: + type: boolean + read: + type: boolean + infrastructure: + type: object + properties: + all: + type: boolean + read: + type: boolean + logs: + type: object + properties: + all: + type: boolean + read: + type: boolean + ml: + type: object + properties: + all: + type: boolean + read: + type: boolean + monitoring: + type: object + properties: + all: + type: boolean + read: + type: boolean + siem: + type: object + properties: + all: + type: boolean + read: + type: boolean + slo: + type: object + properties: + all: + type: boolean + read: + type: boolean + stackAlerts: + type: object + properties: + all: + type: boolean + read: + type: boolean + uptime: + type: object + properties: + all: + type: boolean + read: + type: boolean + category: + description: The rule category, which is used by features such as category-specific maintenance windows. + enum: + - management + - observability + - securitySolution + type: string + default_action_group_id: + description: The default identifier for the rule type group. + type: string + does_set_recovery_context: + description: Indicates whether the rule passes context variables to its recovery action. + type: boolean + enabled_in_license: + description: Indicates whether the rule type is enabled or disabled based on the subscription. + type: boolean + has_alerts_mappings: + description: Indicates whether the rule type has custom mappings for the alert data. + type: boolean + has_fields_for_a_a_d: + type: boolean + id: + description: The unique identifier for the rule type. + type: string + is_exportable: + description: Indicates whether the rule type is exportable in **Stack Management > Saved Objects**. 
+ type: boolean + minimum_license_required: + description: The subscriptions required to use the rule type. + example: basic + type: string + name: + description: The descriptive name of the rule type. + type: string + producer: + description: An identifier for the application that produces this rule type. + example: stackAlerts + type: string + recovery_action_group: + description: An action group to use when an alert goes from an active state to an inactive one. + type: object + properties: + id: + type: string + name: + type: string + rule_task_timeout: + example: 5m + type: string + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + ruleTypesUnauthorizedResponse: + $ref: '#/components/examples/Alerting_401_rule_types_response' + schema: + $ref: '#/components/schemas/Alerting_401_response' + description: Authorization information is missing or invalid. + summary: Get the rule types + tags: + - alerting + x-metaTags: + - content: Kibana + name: product_name + /api/alerting/rule/{id}: + delete: + operationId: delete-alerting-rule-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Delete a rule + tags: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/alerting/rule/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + get: + operationId: get-alerting-rule-id + parameters: + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getRuleResponse: + description: A response that contains information about an index threshold rule. + summary: Get an index threshold rule + value: + actions: [] + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + id: 3583a470-74f6-11ed-9801-35303b735aef + mute_all: false + muted_alert_ids: [] + name: my alert + notify_when: onActionGroupChange + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + throttle: null + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + schema: + additionalProperties: false + type: object + properties: + actions: + items: + additionalProperties: false + type: object + properties: + alerts_filter: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. 
+ items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + connector_type_id: + description: The type of connector. This property appears in responses but cannot be set in requests. + type: string + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. 
+ type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + - connector_type_id + - params + type: array + active_snoozes: + items: + description: List of active snoozes for the rule. + type: string + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + api_key_created_by_user: + description: Indicates whether the API key that is associated with the rule was created by the user. + nullable: true + type: boolean + api_key_owner: + description: The owner of the API key that is associated with the rule and used to run background tasks. + nullable: true + type: string + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + description: User-created content that describes alert causes and remdiation. + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + created_at: + description: The date and time that the rule was created. + type: string + created_by: + description: The identifier for the user that created the rule. 
+ nullable: true + type: string + enabled: + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + execution_status: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + description: Error message. + type: string + reason: + description: Reason for error. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + type: string + required: + - reason + - message + last_duration: + description: Duration of last execution of the rule. + type: number + last_execution_date: + description: The date and time when rule was executed last. + type: string + status: + description: Status of rule execution. + enum: + - ok + - active + - error + - warning + - pending + - unknown + type: string + warning: + additionalProperties: false + type: object + properties: + message: + description: Warning message. + type: string + reason: + description: Reason for warning. + enum: + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + type: string + required: + - reason + - message + required: + - status + - last_execution_date + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. 
+ maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + id: + description: The identifier for the rule. + type: string + is_snoozed_until: + description: The date when the rule will no longer be snoozed. + nullable: true + type: string + last_run: + additionalProperties: false + nullable: true + type: object + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. + nullable: true + type: number + ignored: + description: Number of ignored alerts during last run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: Number of recovered alerts during last run. + nullable: true + type: number + outcome: + description: Outcome of last run of the rule. Value could be succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: + items: + description: Outcome message generated during last rule run. + type: string + nullable: true + type: array + outcome_order: + description: Order of the outcome. + type: number + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + nullable: true + type: string + required: + - outcome + - alerts_count + mapped_params: + additionalProperties: + nullable: true + type: object + monitoring: + additionalProperties: false + description: Monitoring details of the rule. + type: object + properties: + run: + additionalProperties: false + description: Rule run details. + type: object + properties: + calculated_metrics: + additionalProperties: false + description: Calculation of different percentiles and success ratio. 
+ type: object + properties: + p50: + type: number + p95: + type: number + p99: + type: number + success_ratio: + type: number + required: + - success_ratio + history: + description: History of the rule run. + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule run. + type: number + outcome: + description: Outcome of last run of the rule. Value could be succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + success: + description: Indicates whether the rule run was successful. + type: boolean + timestamp: + description: Time of rule run. + type: number + required: + - success + - timestamp + type: array + last_run: + additionalProperties: false + type: object + properties: + metrics: + additionalProperties: false + type: object + properties: + duration: + description: Duration of most recent rule run. + type: number + gap_duration_s: + description: Duration in seconds of rule run gap. + nullable: true + type: number + gap_range: + additionalProperties: false + nullable: true + type: object + properties: + gte: + description: End of the gap range. + type: string + lte: + description: Start of the gap range. + type: string + required: + - lte + - gte + total_alerts_created: + description: Total number of alerts created during last rule run. + nullable: true + type: number + total_alerts_detected: + description: Total number of alerts detected during last rule run. + nullable: true + type: number + total_indexing_duration_ms: + description: Total time spent indexing documents during last rule run in milliseconds. + nullable: true + type: number + total_search_duration_ms: + description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. + nullable: true + type: number + timestamp: + description: Time of the most recent rule run. 
+ type: string + required: + - timestamp + - metrics + required: + - history + - calculated_metrics + - last_run + required: + - run + mute_all: + description: Indicates whether all alerts are muted. + type: boolean + muted_alert_ids: + items: + description: 'List of identifiers of muted alerts. ' + type: string + type: array + name: + description: ' The name of the rule.' + type: string + next_run: + description: Date and time of the next run of the rule. + nullable: true + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the rule. + type: object + revision: + description: The rule revision number. + type: number + rule_type_id: + description: The rule type identifier. + type: string + running: + description: Indicates whether the rule is running. + nullable: true + type: boolean + schedule: + additionalProperties: false + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + scheduled_task_id: + description: Identifier of the scheduled task. 
+ type: string + snooze_schedule: + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule snooze schedule. + type: number + id: + description: Identifier of the rule snooze schedule. + type: string + rRule: + additionalProperties: false + type: object + properties: + byhour: + items: + description: Indicates hours of the day to recur. + type: number + nullable: true + type: array + byminute: + items: + description: Indicates minutes of the hour to recur. + type: number + nullable: true + type: array + bymonth: + items: + description: Indicates months of the year that this rule should recur. + type: number + nullable: true + type: array + bymonthday: + items: + description: Indicates the days of the month to recur. + type: number + nullable: true + type: array + bysecond: + items: + description: Indicates seconds of the day to recur. + type: number + nullable: true + type: array + bysetpos: + items: + description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. + type: number + nullable: true + type: array + byweekday: + items: + anyOf: + - type: string + - type: number + description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. + nullable: true + type: array + byweekno: + items: + description: Indicates number of the week hours to recur. + type: number + nullable: true + type: array + byyearday: + items: + description: Indicates the days of the year that this rule should recur. + type: number + nullable: true + type: array + count: + description: Number of times the rule should recur until it stops. 
+ type: number + dtstart: + description: Rule start date in Coordinated Universal Time (UTC). + type: string + freq: + description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + type: integer + interval: + description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. + type: number + tzid: + description: Indicates timezone abbreviation. + type: string + until: + description: Recur the rule until this date. + type: string + wkst: + description: Indicates the start of week, defaults to Monday. + enum: + - MO + - TU + - WE + - TH + - FR + - SA + - SU + type: string + required: + - dtstart + - tzid + skipRecurrences: + items: + description: Skips recurrence of rule on this date. + type: string + type: array + required: + - duration + - rRule + type: array + tags: + items: + description: The tags for the rule. + type: string + type: array + throttle: + deprecated: true + description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + updated_at: + description: The date and time that the rule was updated most recently. + type: string + updated_by: + description: The identifier for the user that updated this rule most recently. + nullable: true + type: string + view_in_app_relative_url: + description: Relative URL to view rule in the app. 
+ nullable: true + type: string + required: + - id + - enabled + - name + - tags + - rule_type_id + - consumer + - schedule + - actions + - params + - created_by + - updated_by + - created_at + - updated_at + - api_key_owner + - mute_all + - muted_alert_ids + - execution_status + - revision + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Get rule details + tags: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/rule/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + post: + operationId: post-alerting-rule-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. If it is omitted, an ID is randomly generated. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + createEsQueryEsqlRuleRequest: + description: | + Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications. + summary: Elasticsearch query rule (ES|QL) + value: + actions: + - frequency: + notify_when: onActiveAlert + summary: false + group: query matched + id: d0db1fe0-78d6-11ee-9177-f7d404c8c945 + params: + level: info + message: |- + Elasticsearch query rule '{{rule.name}}' is active: + - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}} + consumer: stackAlerts + name: my Elasticsearch query ESQL rule + params: + esqlQuery: + esql: FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != "GB" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10 + searchType: esqlQuery + size: 0 + threshold: + - 0 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 1 + timeWindowUnit: d + rule_type_id: .es-query + schedule: + interval: 1d + createEsQueryKqlRuleRequest: + description: Create an Elasticsearch query rule that uses Kibana query language (KQL). 
+ summary: Elasticsearch query rule (KQL) + value: + consumer: alerts + name: my Elasticsearch query KQL rule + params: + aggType: count + excludeHitsFromPreviousRun: true + groupBy: all + searchConfiguration: + index: 90943e30-9a47-11e8-b64d-95841ca0b247 + query: + language: kuery + query: '""geo.src : "US" ""' + searchType: searchSource + size: 100 + threshold: + - 1000 + thresholdComparator: '>' + timeWindowSize: 5 + timeWindowUnit: m + rule_type_id: .es-query + schedule: + interval: 1m + createEsQueryRuleRequest: + description: | + Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications. + summary: Elasticsearch query rule (DSL) + value: + actions: + - frequency: + notify_when: onThrottleInterval + summary: true + throttle: 1d + group: query matched + id: fdbece50-406c-11ee-850e-c71febc4ca7f + params: + level: info + message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts. + - frequency: + notify_when: onActionGroupChange + summary: false + group: recovered + id: fdbece50-406c-11ee-850e-c71febc4ca7f + params: + level: info + message: Recovered + consumer: alerts + name: my Elasticsearch query rule + params: + esQuery: '"""{"query":{"match_all" : {}}}"""' + index: + - kibana_sample_data_logs + size: 100 + threshold: + - 100 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 1 + timeWindowUnit: d + rule_type_id: .es-query + schedule: + interval: 1d + createIndexThresholdRuleRequest: + description: | + Create an index threshold rule that uses a server log connector to send notifications when the threshold is met. 
+ summary: Index threshold rule + value: + actions: + - frequency: + notify_when: onActionGroupChange + summary: false + group: threshold met + id: 48de3460-f401-11ed-9f8e-399c75a2deeb + params: + level: info + message: |- + Rule '{{rule.name}}' is active for group '{{context.group}}': + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date}} + alert_delay: + active: 3 + consumer: alerts + name: my rule + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - .test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + createTrackingContainmentRuleRequest: + description: | + Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary. 
+ summary: Tracking containment rule + value: + consumer: alerts + name: my tracking rule + params: + boundaryGeoField: location + boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc + boundaryIndexTitle: boundary* + boundaryNameField: name + boundaryType: entireIndex + dateField": '@timestamp' + entity: agent.keyword + geoField: geo.coordinates + index: kibana_sample_data_logs + indexId: 90943e30-9a47-11e8-b64d-95841ca0b247 + rule_type_id: .geo-containment + schedule: + interval: 1h + schema: + anyOf: + - discriminator: + propertyName: rule_type_id + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting' + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_es-query-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_transform-health-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting' + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting' + - additionalProperties: false + type: object + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. 
+ nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. 
+ type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the rule. + type: object + rule_type_id: + description: The rule type identifier. + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + responses: + '200': + content: + application/json: + examples: + createEsQueryEsqlRuleResponse: + description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL). + summary: Elasticsearch query rule (ES|QL) + value: + actions: + - connector_type_id: .server-log + frequency: + notify_when: onActiveAlert + summary: false + throttle: null + group: query matched + id: d0db1fe0-78d6-11ee-9177-f7d404c8c945 + params: + level: info + message: |- + Elasticsearch query rule '{{rule.name}}' is active: + - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}} + uuid: bfe370a3-531b-4855-bbe6-ad739f578844 + api_key_created_by_user: false + api_key_owner: elastic + consumer: stackAlerts + created_at: '2023-11-01T19:00:10.453Z' + created_by: elastic + enabled: true + execution_status: + last_execution_date: '2023-11-01T19:00:10.453Z' + status: pending + id: e0d62360-78e8-11ee-9177-f7d404c8c945 + mute_all: false + muted_alert_ids: [] + name: my Elasticsearch query ESQL rule + notify_when: null + params: + aggType: count + esqlQuery: + esql: FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != "GB" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10 + excludeHitsFromPreviousRun": true, + groupBy: all + searchType: esqlQuery + size: 0 + threshold: + - 0 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 1 + timeWindowUnit: d + revision: 0 + rule_type_id: .es-query + running: false + schedule: + interval: 1d + scheduled_task_id: e0d62360-78e8-11ee-9177-f7d404c8c945 + tags: [] + throttle: null + updated_at: '2023-11-01T19:00:10.453Z' + updated_by: elastic", + createEsQueryKqlRuleResponse: + 
description: The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL). + summary: Elasticsearch query rule (KQL) + value: + actions: [] + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2023-07-14T20:24:50.729Z' + created_by: elastic + enabled: true + execution_status: + last_execution_date: '2023-07-14T20:24:50.729Z' + status: pending + id: 7bd506d0-2284-11ee-8fad-6101956ced88 + mute_all: false + muted_alert_ids: [] + name: my Elasticsearch query KQL rule" + notify_when: null + params: + aggType: count + excludeHitsFromPreviousRun: true + groupBy: all + searchConfiguration: + index: 90943e30-9a47-11e8-b64d-95841ca0b247 + query: + language: kuery + query: '""geo.src : "US" ""' + searchType: searchSource + size: 100 + threshold: + - 1000 + thresholdComparator: '>' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .es-query + running: false + schedule: + interval: 1m + scheduled_task_id: 7bd506d0-2284-11ee-8fad-6101956ced88 + tags: [] + throttle: null + updated_at: '2023-07-14T20:24:50.729Z' + updated_by: elastic + createEsQueryRuleResponse: + description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL). + summary: Elasticsearch query rule (DSL) + value: + actions: + - connector_type_id: .server-log + frequency: + notify_when: onThrottleInterval + summary: true + throttle: 1d + group: query matched + id: fdbece50-406c-11ee-850e-c71febc4ca7f + params: + level: info + message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts. 
+ uuid: 53f3c2a3-e5d0-4cfa-af3b-6f0881385e78 + - connector_type_id: .server-log + frequency: + notify_when: onActionGroupChange + summary: false + throttle: null + group: recovered + id: fdbece50-406c-11ee-850e-c71febc4ca7f + params: + level: info + message: Recovered + uuid: 2324e45b-c0df-45c7-9d70-4993e30be758 + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2023-08-22T00:03:38.263Z' + created_by: elastic + enabled: true + execution_status: + last_execution_date: '2023-08-22T00:03:38.263Z' + status: pending + id: 58148c70-407f-11ee-850e-c71febc4ca7f + mute_all: false + muted_alert_ids: [] + name: my Elasticsearch query rule + notify_when: null + params: + aggType: count + esQuery: '"""{"query":{"match_all" : {}}}"""' + excludeHitsFromPreviousRun: true + groupBy: all + index: + - kibana_sample_data_logs + searchType: esQuery + size: 100 + threshold: + - 100 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 1 + timeWindowUnit: d + revision: 0 + rule_type_id: .es-query + running: false + schedule: + interval: 1d + scheduled_task_id: 58148c70-407f-11ee-850e-c71febc4ca7f + tags: [] + throttle: null + updated_at: '2023-08-22T00:03:38.263Z' + updated_by: elastic + createIndexThresholdRuleResponse: + description: The response for successfully creating an index threshold rule. 
+ summary: Index threshold rule + value: + actions: + - connector_type_id: .server-log + frequency: + notify_when: onActionGroupChange + summary: false + throttle: null + group: threshold met + id: dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2 + params: + level: info + message: |- + Rule {{rule.name}} is active for group {{context.group} : + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date}} + uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d + alert_delay: + active: 3 + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2022-06-08T17:20:31.632Z' + created_by: elastic + enabled: true + execution_status: + last_execution_date: '2022-06-08T17:20:31.632Z' + status: pending + id: 41893910-6bca-11eb-9e0d-85d233e3ee35 + mute_all: false + muted_alert_ids: [] + name: my rule + notify_when: null + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - .test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + running: false + schedule: + interval: 1m + scheduled_task_id: 425b0800-6bca-11eb-9e0d-85d233e3ee35 + tags: + - cpu + throttle: null + updated_at: '2022-06-08T17:20:31.632Z' + updated_by: elastic + createTrackingContainmentRuleResponse: + description: The response for successfully creating a tracking containment rule. 
+ summary: Tracking containment rule + value: + actions: [] + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2024-02-14T19:52:55.920Z' + created_by: elastic + enabled: true + execution_status: + last_duration: 74 + last_execution_date: '2024-02-15T03:25:38.125Z' + status: ok + id: b6883f9d-5f70-4758-a66e-369d7c26012f + last_run: + alerts_count: + active: 0 + ignored: 0 + new: 0 + recovered: 0 + outcome: succeeded + outcome_msg: null + outcome_order: 0 + warning: null + mute_all: false + muted_alert_ids: [] + name: my tracking rule + next_run: '2024-02-15T03:26:38.033Z' + notify_when: null + params: + boundaryGeoField: location + boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc + boundaryIndexTitle: boundary* + boundaryNameField: name + boundaryType: entireIndex + dateField: '@timestamp' + entity: agent.keyword + geoField: geo.coordinates + index: kibana_sample_data_logs + indexId: 90943e30-9a47-11e8-b64d-95841ca0b247 + revision: 1 + rule_type_id: .geo-containment + running: false + schedule: + interval: 1h + scheduled_task_id: b6883f9d-5f70-4758-a66e-369d7c26012f + tags: [] + throttle: null + updated_at: '2024-02-15T03:24:32.574Z' + updated_by: elastic + schema: + additionalProperties: false + type: object + properties: + actions: + items: + additionalProperties: false + type: object + properties: + alerts_filter: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. 
+ items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + connector_type_id: + description: The type of connector. This property appears in responses but cannot be set in requests. + type: string + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. 
+ type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + - connector_type_id + - params + type: array + active_snoozes: + items: + description: List of active snoozes for the rule. + type: string + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + api_key_created_by_user: + description: Indicates whether the API key that is associated with the rule was created by the user. + nullable: true + type: boolean + api_key_owner: + description: The owner of the API key that is associated with the rule and used to run background tasks. + nullable: true + type: string + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + description: User-created content that describes alert causes and remdiation. + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + created_at: + description: The date and time that the rule was created. + type: string + created_by: + description: The identifier for the user that created the rule. 
+ nullable: true + type: string + enabled: + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + execution_status: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + description: Error message. + type: string + reason: + description: Reason for error. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + type: string + required: + - reason + - message + last_duration: + description: Duration of last execution of the rule. + type: number + last_execution_date: + description: The date and time when rule was executed last. + type: string + status: + description: Status of rule execution. + enum: + - ok + - active + - error + - warning + - pending + - unknown + type: string + warning: + additionalProperties: false + type: object + properties: + message: + description: Warning message. + type: string + reason: + description: Reason for warning. + enum: + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + type: string + required: + - reason + - message + required: + - status + - last_execution_date + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. 
+ maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + id: + description: The identifier for the rule. + type: string + is_snoozed_until: + description: The date when the rule will no longer be snoozed. + nullable: true + type: string + last_run: + additionalProperties: false + nullable: true + type: object + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. + nullable: true + type: number + ignored: + description: Number of ignored alerts during last run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: Number of recovered alerts during last run. + nullable: true + type: number + outcome: + description: Outcome of last run of the rule. Value could be succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: + items: + description: Outcome message generated during last rule run. + type: string + nullable: true + type: array + outcome_order: + description: Order of the outcome. + type: number + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + nullable: true + type: string + required: + - outcome + - alerts_count + mapped_params: + additionalProperties: + nullable: true + type: object + monitoring: + additionalProperties: false + description: Monitoring details of the rule. + type: object + properties: + run: + additionalProperties: false + description: Rule run details. + type: object + properties: + calculated_metrics: + additionalProperties: false + description: Calculation of different percentiles and success ratio. 
+ type: object + properties: + p50: + type: number + p95: + type: number + p99: + type: number + success_ratio: + type: number + required: + - success_ratio + history: + description: History of the rule run. + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule run. + type: number + outcome: + description: Outcome of last run of the rule. Value could be succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + success: + description: Indicates whether the rule run was successful. + type: boolean + timestamp: + description: Time of rule run. + type: number + required: + - success + - timestamp + type: array + last_run: + additionalProperties: false + type: object + properties: + metrics: + additionalProperties: false + type: object + properties: + duration: + description: Duration of most recent rule run. + type: number + gap_duration_s: + description: Duration in seconds of rule run gap. + nullable: true + type: number + gap_range: + additionalProperties: false + nullable: true + type: object + properties: + gte: + description: End of the gap range. + type: string + lte: + description: Start of the gap range. + type: string + required: + - lte + - gte + total_alerts_created: + description: Total number of alerts created during last rule run. + nullable: true + type: number + total_alerts_detected: + description: Total number of alerts detected during last rule run. + nullable: true + type: number + total_indexing_duration_ms: + description: Total time spent indexing documents during last rule run in milliseconds. + nullable: true + type: number + total_search_duration_ms: + description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. + nullable: true + type: number + timestamp: + description: Time of the most recent rule run. 
+ type: string + required: + - timestamp + - metrics + required: + - history + - calculated_metrics + - last_run + required: + - run + mute_all: + description: Indicates whether all alerts are muted. + type: boolean + muted_alert_ids: + items: + description: 'List of identifiers of muted alerts. ' + type: string + type: array + name: + description: ' The name of the rule.' + type: string + next_run: + description: Date and time of the next run of the rule. + nullable: true + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the rule. + type: object + revision: + description: The rule revision number. + type: number + rule_type_id: + description: The rule type identifier. + type: string + running: + description: Indicates whether the rule is running. + nullable: true + type: boolean + schedule: + additionalProperties: false + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + scheduled_task_id: + description: Identifier of the scheduled task. 
+ type: string + snooze_schedule: + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule snooze schedule. + type: number + id: + description: Identifier of the rule snooze schedule. + type: string + rRule: + additionalProperties: false + type: object + properties: + byhour: + items: + description: Indicates hours of the day to recur. + type: number + nullable: true + type: array + byminute: + items: + description: Indicates minutes of the hour to recur. + type: number + nullable: true + type: array + bymonth: + items: + description: Indicates months of the year that this rule should recur. + type: number + nullable: true + type: array + bymonthday: + items: + description: Indicates the days of the month to recur. + type: number + nullable: true + type: array + bysecond: + items: + description: Indicates seconds of the day to recur. + type: number + nullable: true + type: array + bysetpos: + items: + description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. + type: number + nullable: true + type: array + byweekday: + items: + anyOf: + - type: string + - type: number + description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. + nullable: true + type: array + byweekno: + items: + description: Indicates number of the week hours to recur. + type: number + nullable: true + type: array + byyearday: + items: + description: Indicates the days of the year that this rule should recur. + type: number + nullable: true + type: array + count: + description: Number of times the rule should recur until it stops. 
+ type: number + dtstart: + description: Rule start date in Coordinated Universal Time (UTC). + type: string + freq: + description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + type: integer + interval: + description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. + type: number + tzid: + description: Indicates timezone abbreviation. + type: string + until: + description: Recur the rule until this date. + type: string + wkst: + description: Indicates the start of week, defaults to Monday. + enum: + - MO + - TU + - WE + - TH + - FR + - SA + - SU + type: string + required: + - dtstart + - tzid + skipRecurrences: + items: + description: Skips recurrence of rule on this date. + type: string + type: array + required: + - duration + - rRule + type: array + tags: + items: + description: The tags for the rule. + type: string + type: array + throttle: + deprecated: true + description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + updated_at: + description: The date and time that the rule was updated most recently. + type: string + updated_by: + description: The identifier for the user that updated this rule most recently. + nullable: true + type: string + view_in_app_relative_url: + description: Relative URL to view rule in the app. 
+ nullable: true + type: string + required: + - id + - enabled + - name + - tags + - rule_type_id + - consumer + - schedule + - actions + - params + - created_by + - updated_by + - created_at + - updated_at + - api_key_owner + - mute_all + - muted_alert_ids + - execution_status + - revision + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '409': + description: Indicates that the rule id is already in use. + summary: Create a rule + tags: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + put: + operationId: put-alerting-rule-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateRuleRequest: + description: Update an index threshold rule that uses a server log connector to send notifications when the threshold is met. + summary: Index threshold rule + value: + actions: + - frequency: + notify_when: onActionGroupChange + summary: false + group: threshold met + id: 96b668d0-a1b6-11ed-afdf-d39a49596974 + params: + level: info + message: |- + Rule {{rule.name}} is active for group {{context.group}}: + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date}} + name: new name + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - .updated-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + schedule: + interval: 1m + tags: [] + schema: + additionalProperties: false + type: object + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). 
+ type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. 
Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. 
+ type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. 
+ maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the rule. + type: object + schedule: + additionalProperties: false + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + items: + description: The tags for the rule. + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - schedule + responses: + '200': + content: + application/json: + examples: + updateRuleResponse: + description: The response for successfully updating an index threshold rule. + summary: Index threshold rule + value: + actions: + - connector_type_id: .server-log + frequency: + notify_when: onActionGroupChange + summary: false + throttle: null + group: threshold met + id: 96b668d0-a1b6-11ed-afdf-d39a49596974 + params: + level: info + message: |- + Rule {{rule.name}} is active for group {{context.group}}: + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date} + uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2024-03-26T23:13:20.985Z' + created_by: elastic + enabled: true + execution_status: + last_duration: 52 + last_execution_date: '2024-03-26T23:22:51.390Z' + status: ok + id: ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74 + last_run: + alerts_count: + active: 0 + ignored: 0 + new: 0 + recovered: 0 + outcome: succeeded + outcome_msg: null + warning: null + mute_all: false + muted_alert_ids: [] + name: new name + next_run: '2024-03-26T23:23:51.316Z' + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - .updated-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 1 + rule_type_id: .index-threshold + running: false + schedule: + interval: 1m + scheduled_task_id: 4c5eda00-e74f-11ec-b72f-5b18752ff9ea + tags: [] + throttle: null + updated_at: '2024-03-26T23:22:59.949Z' + updated_by: elastic + schema: + additionalProperties: false + type: object + properties: + actions: + items: + additionalProperties: false + type: object + properties: + alerts_filter: + additionalProperties: false + 
description: Defines a period that limits whether the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. 
Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + connector_type_id: + description: The type of connector. This property appears in responses but cannot be set in requests. + type: string + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). 
Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + - connector_type_id + - params + type: array + active_snoozes: + items: + description: List of active snoozes for the rule. + type: string + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + api_key_created_by_user: + description: Indicates whether the API key that is associated with the rule was created by the user. + nullable: true + type: boolean + api_key_owner: + description: The owner of the API key that is associated with the rule and used to run background tasks. + nullable: true + type: string + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + description: User-created content that describes alert causes and remdiation. + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + created_at: + description: The date and time that the rule was created. + type: string + created_by: + description: The identifier for the user that created the rule. + nullable: true + type: string + enabled: + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + execution_status: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + description: Error message. + type: string + reason: + description: Reason for error. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + type: string + required: + - reason + - message + last_duration: + description: Duration of last execution of the rule. + type: number + last_execution_date: + description: The date and time when rule was executed last. + type: string + status: + description: Status of rule execution. + enum: + - ok + - active + - error + - warning + - pending + - unknown + type: string + warning: + additionalProperties: false + type: object + properties: + message: + description: Warning message. + type: string + reason: + description: Reason for warning. + enum: + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + type: string + required: + - reason + - message + required: + - status + - last_execution_date + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. 
+ type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + id: + description: The identifier for the rule. + type: string + is_snoozed_until: + description: The date when the rule will no longer be snoozed. + nullable: true + type: string + last_run: + additionalProperties: false + nullable: true + type: object + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. + nullable: true + type: number + ignored: + description: Number of ignored alerts during last run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: Number of recovered alerts during last run. + nullable: true + type: number + outcome: + description: Outcome of last run of the rule. Value could be succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: + items: + description: Outcome message generated during last rule run. + type: string + nullable: true + type: array + outcome_order: + description: Order of the outcome. + type: number + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + nullable: true + type: string + required: + - outcome + - alerts_count + mapped_params: + additionalProperties: + nullable: true + type: object + monitoring: + additionalProperties: false + description: Monitoring details of the rule. 
+ type: object + properties: + run: + additionalProperties: false + description: Rule run details. + type: object + properties: + calculated_metrics: + additionalProperties: false + description: Calculation of different percentiles and success ratio. + type: object + properties: + p50: + type: number + p95: + type: number + p99: + type: number + success_ratio: + type: number + required: + - success_ratio + history: + description: History of the rule run. + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule run. + type: number + outcome: + description: Outcome of last run of the rule. Value could be succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + success: + description: Indicates whether the rule run was successful. + type: boolean + timestamp: + description: Time of rule run. + type: number + required: + - success + - timestamp + type: array + last_run: + additionalProperties: false + type: object + properties: + metrics: + additionalProperties: false + type: object + properties: + duration: + description: Duration of most recent rule run. + type: number + gap_duration_s: + description: Duration in seconds of rule run gap. + nullable: true + type: number + gap_range: + additionalProperties: false + nullable: true + type: object + properties: + gte: + description: End of the gap range. + type: string + lte: + description: Start of the gap range. + type: string + required: + - lte + - gte + total_alerts_created: + description: Total number of alerts created during last rule run. + nullable: true + type: number + total_alerts_detected: + description: Total number of alerts detected during last rule run. + nullable: true + type: number + total_indexing_duration_ms: + description: Total time spent indexing documents during last rule run in milliseconds. 
+ nullable: true + type: number + total_search_duration_ms: + description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. + nullable: true + type: number + timestamp: + description: Time of the most recent rule run. + type: string + required: + - timestamp + - metrics + required: + - history + - calculated_metrics + - last_run + required: + - run + mute_all: + description: Indicates whether all alerts are muted. + type: boolean + muted_alert_ids: + items: + description: 'List of identifiers of muted alerts. ' + type: string + type: array + name: + description: ' The name of the rule.' + type: string + next_run: + description: Date and time of the next run of the rule. + nullable: true + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the rule. + type: object + revision: + description: The rule revision number. + type: number + rule_type_id: + description: The rule type identifier. + type: string + running: + description: Indicates whether the rule is running. 
+ nullable: true + type: boolean + schedule: + additionalProperties: false + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + scheduled_task_id: + description: Identifier of the scheduled task. + type: string + snooze_schedule: + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule snooze schedule. + type: number + id: + description: Identifier of the rule snooze schedule. + type: string + rRule: + additionalProperties: false + type: object + properties: + byhour: + items: + description: Indicates hours of the day to recur. + type: number + nullable: true + type: array + byminute: + items: + description: Indicates minutes of the hour to recur. + type: number + nullable: true + type: array + bymonth: + items: + description: Indicates months of the year that this rule should recur. + type: number + nullable: true + type: array + bymonthday: + items: + description: Indicates the days of the month to recur. + type: number + nullable: true + type: array + bysecond: + items: + description: Indicates seconds of the day to recur. + type: number + nullable: true + type: array + bysetpos: + items: + description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. + type: number + nullable: true + type: array + byweekday: + items: + anyOf: + - type: string + - type: number + description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. + nullable: true + type: array + byweekno: + items: + description: Indicates number of the week hours to recur. 
+ type: number + nullable: true + type: array + byyearday: + items: + description: Indicates the days of the year that this rule should recur. + type: number + nullable: true + type: array + count: + description: Number of times the rule should recur until it stops. + type: number + dtstart: + description: Rule start date in Coordinated Universal Time (UTC). + type: string + freq: + description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + type: integer + interval: + description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. + type: number + tzid: + description: Indicates timezone abbreviation. + type: string + until: + description: Recur the rule until this date. + type: string + wkst: + description: Indicates the start of week, defaults to Monday. + enum: + - MO + - TU + - WE + - TH + - FR + - SA + - SU + type: string + required: + - dtstart + - tzid + skipRecurrences: + items: + description: Skips recurrence of rule on this date. + type: string + type: array + required: + - duration + - rRule + type: array + tags: + items: + description: The tags for the rule. + type: string + type: array + throttle: + deprecated: true + description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + updated_at: + description: The date and time that the rule was updated most recently. + type: string + updated_by: + description: The identifier for the user that updated this rule most recently. 
+ nullable: true + type: string + view_in_app_relative_url: + description: Relative URL to view rule in the app. + nullable: true + type: string + required: + - id + - enabled + - name + - tags + - rule_type_id + - consumer + - schedule + - actions + - params + - created_by + - updated_by + - created_at + - updated_at + - api_key_owner + - mute_all + - muted_alert_ids + - execution_status + - revision + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + '409': + description: Indicates that the rule has already been updated by another user. + summary: Update a rule + tags: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/alerting/rule/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_disable: + post: + operationId: post-alerting-rule-id-disable + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + disableRuleRequest: + description: A request that disables a rule and untracks all alerts that were generated by the rule. + summary: Disable a rule and untrack its alerts + value: + untrack: true + schema: + additionalProperties: false + nullable: true + type: object + properties: + untrack: + description: Defines whether this rule's alerts should be untracked. + type: boolean + x-oas-optional: true + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Disable a rule + tags: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_enable: + post: + operationId: post-alerting-rule-id-enable + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Enable a rule + tags: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_enable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_mute_all: + post: + operationId: post-alerting-rule-id-mute-all + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Mute all alerts + tags: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_mute_all
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_unmute_all: + post: + operationId: post-alerting-rule-id-unmute-all + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Unmute all alerts + tags: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_unmute_all
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_update_api_key: + post: + operationId: post-alerting-rule-id-update-api-key + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + '409': + description: Indicates that the rule has already been updated by another user. + summary: Update the API key for a rule + tags: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_update_api_key
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/snooze_schedule: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/snooze_schedule
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + When you snooze a rule, the rule checks continue to run but alerts will not generate actions. You can snooze for a specified period of time and schedule single or recurring downtimes. + operationId: post-alerting-rule-id-snooze-schedule + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Identifier of the rule. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + snoozeRuleRecurringRequest: + description: A request that snoozes a rule every Monday for 8 hours, for 4 occurrences. + summary: Snooze a rule on a recurring weekly schedule + value: + schedule: + custom: + duration: 8h + recurring: + every: 1w + occurrences: 4 + onWeekDay: + - MO + start: '2025-03-17T09:00:00.000Z' + timezone: UTC + snoozeRuleRequest: + description: A request that snoozes a rule for 24 hours starting now. + summary: Snooze a rule for 24 hours + value: + schedule: + custom: + duration: 24h + start: '2025-03-12T12:00:00.000Z' + timezone: UTC + schema: + additionalProperties: false + type: object + properties: + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. 
It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + minimum: 1 + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + maximum: 12 + minimum: 1 + type: number + minItems: 1 + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + maximum: 31 + minimum: 1 + type: number + minItems: 1 + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + minItems: 1 + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. + type: string + required: + - start + - duration + required: + - schedule + responses: + '200': + content: + application/json: + examples: + snoozeRuleResponse: + description: A response that contains the created snooze schedule. + summary: Snooze schedule response + value: + schedule: + custom: + duration: 24h + start: '2025-03-12T12:00:00.000Z' + timezone: UTC + id: 9ac67950-6737-11ec-8ded-d7f6e1581b26 + schema: + additionalProperties: false + type: object + properties: + body: + additionalProperties: false + type: object + properties: + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' 
+ type: string
+ recurring:
+ additionalProperties: false
+ type: object
+ properties:
+ end:
+ description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
+ type: string
+ every:
+ description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.'
+ type: string
+ occurrences:
+ description: The total number of recurrences of the schedule.
+ minimum: 1
+ type: number
+ onMonth:
+ description: The specific months for a recurring schedule. Valid values are 1-12.
+ items:
+ maximum: 12
+ minimum: 1
+ type: number
+ minItems: 1
+ type: array
+ onMonthDay:
+ description: The specific days of the month for a recurring schedule. Valid values are 1-31.
+ items:
+ maximum: 31
+ minimum: 1
+ type: number
+ minItems: 1
+ type: array
+ onWeekDay:
+ description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ start:
+ description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
+ type: string
+ timezone:
+ description: The timezone of the schedule. The default timezone is UTC.
+ type: string
+ required:
+ - start
+ - duration
+ id:
+ description: Identifier of the snooze schedule.
+ type: string
+ required:
+ - id
+ required:
+ - schedule
+ required:
+ - body
+ description: Indicates a successful call.
+ '400':
+ description: Indicates an invalid schema.
+ '403':
+ description: Indicates that this call is forbidden.
+ '404':
+ description: Indicates a rule with the given id does not exist.
+ summary: Schedule a snooze for the rule + tags: + - alerting + x-state: Generally available; added in 8.19.0 + x-metaTags: + - content: Kibana + name: product_name + /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute: + post: + operationId: post-alerting-rule-rule-id-alert-alert-id-mute + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: rule_id + required: true + schema: + type: string + - description: The identifier for the alert. + in: path + name: alert_id + required: true + schema: + type: string + - description: Whether to validate the existence of the alert. + in: query + name: validate_alerts_existence + required: false + schema: + type: boolean + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule or alert with the given ID does not exist. + summary: Mute an alert + tags: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute: + post: + operationId: post-alerting-rule-rule-id-alert-alert-id-unmute + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: rule_id + required: true + schema: + type: string + - description: The identifier for the alert. + in: path + name: alert_id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule or alert with the given ID does not exist. + summary: Unmute an alert + tags: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}: + delete: + operationId: delete-alerting-rule-ruleid-snooze-schedule-scheduleid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: ruleId + required: true + schema: + type: string + - description: The identifier for the snooze schedule. + in: path + name: scheduleId + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given id does not exist. + summary: Delete a snooze schedule for a rule + tags: + - alerting + x-state: Generally available; added in 8.19.0 + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rules/_find: + get: + operationId: get-alerting-rules-find + parameters: + - description: The number of rules to return per page. + in: query + name: per_page + required: false + schema: + default: 10 + minimum: 0 + type: number + - description: The page number to return. + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: number + - description: An Elasticsearch simple_query_string query that filters the objects in the response. + in: query + name: search + required: false + schema: + type: string + - description: The default operator to use for the simple_query_string. + in: query + name: default_search_operator + required: false + schema: + default: OR + enum: + - OR + - AND + type: string + - description: The fields to perform the simple_query_string parsed query against. + in: query + name: search_fields + required: false + schema: + items: + type: string + type: array + - description: Determines which field is used to sort the results. The field must exist in the `attributes` key of the response. + in: query + name: sort_field + required: false + schema: + type: string + - description: Determines the sort order. + in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + - description: Filters the rules that have a relation with the reference objects with a specific type and identifier. + in: query + name: has_reference + required: false + schema: + additionalProperties: false + nullable: true + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + - description: The fields to return in the `attributes` key of the response. + in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: 'A KQL string that you filter with an attribute from your saved object. 
It should look like `savedObjectType.attributes.title: "myTitle"`. However, if you used a direct attribute of a saved object, such as `updatedAt`, you must define your filter, for example, `savedObjectType.updatedAt > 2018-12-22`.' + in: query + name: filter + required: false + schema: + type: string + - in: query + name: filter_consumers + required: false + schema: + items: + description: List of consumers to filter. + type: string + type: array + responses: + '200': + content: + application/json: + examples: + findConditionalActionRulesResponse: + description: A response that contains information about an index threshold rule. + summary: Index threshold rule + value: + data: + - actions: + - frequency: + notify_when: onActionGroupChange + summary: false + throttle: null + group: threshold met + id: 9dca3e00-74f5-11ed-9801-35303b735aef + params: + connector_type_id: .server-log + level: info + message: |- + Rule {{rule.name}} is active for group {{context.group}}: + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date}} + uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61 + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + execution_status: + last_duration: 48 + last_execution_date: '2022-12-06T01:44:23.983Z' + status: ok + id: 3583a470-74f6-11ed-9801-35303b735aef + last_run: + alerts_count: + active: 0 + ignored: 0 + new: 0 + recovered: 0 + outcome: succeeded + outcome_msg: null + warning: null + mute_all: false + muted_alert_ids: [] + name: my alert + next_run: '2022-12-06T01:45:23.912Z' + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 1 + 
rule_type_id: .index-threshold + schedule: + interval: 1m + scheduled_task_id: 3583a470-74f6-11ed-9801-35303b735aef + tags: + - cpu + throttle: null + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + page: 1 + per_page: 10 + total: 1 + findRulesResponse: + description: A response that contains information about a security rule that has conditional actions. + summary: Security rule + value: + data: + - actions: + - alerts_filter: + query: + filters: + - $state: + store: appState + meta: + alias: null + disabled: false + field: client.geo.region_iso_code + index: c4bdca79-e69e-4d80-82a1-e5192c621bea + key: client.geo.region_iso_code + negate: false + params: + query: CA-QC + type: phrase + query: + match_phrase: + client.geo.region_iso_code: CA-QC + kql: '' + timeframe: + days: + - 7 + hours: + end: '17:00' + start: '08:00' + timezone: UTC + connector_type_id: .index + frequency: + notify_when: onActiveAlert + summary: true + throttle: null + group: default + id: 49eae970-f401-11ed-9f8e-399c75a2deeb + params: + documents: + - alert_id: + '[object Object]': null + context_message: + '[object Object]': null + rule_id: + '[object Object]': null + rule_name: + '[object Object]': null + uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61 + api_key_created_by_user: false + api_key_owner: elastic + consumer: siem + created_at: '2023-05-16T15:50:28.358Z' + created_by: elastic + enabled: true + execution_status: + last_duration: 166 + last_execution_date: '2023-05-16T20:26:49.590Z' + status: ok + id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb + last_run: + alerts_count: + active: 0 + ignored: 0 + new: 0 + recovered: 0 + outcome: succeeded + outcome_msg: + - Rule execution completed successfully + outcome_order: 0 + warning: null + mute_all: false + muted_alert_ids: [] + name: security_rule + next_run: '2023-05-16T20:27:49.507Z' + notify_when: null + params: + author: [] + description: A security threshold rule. 
+ exceptionsList: []
+ falsePositives: []
+ filters: []
+ from: now-3660s
+ immutable: false
+ index:
+ - kibana_sample_data_logs
+ language: kuery
+ license: ''
+ maxSignals: 100
+ meta:
+ from: 1h
+ kibana_siem_app_url: https://localhost:5601/app/security
+ outputIndex: ''
+ query: '*'
+ references: []
+ riskScore: 21
+ riskScoreMapping: []
+ ruleId: an_internal_rule_id
+ severity: low
+ severityMapping: []
+ threat: []
+ threshold:
+ cardinality: []
+ field:
+ - bytes
+ value: 1
+ to: now
+ type: threshold
+ version: 1
+ revision: 1
+ rule_type_id: siem.thresholdRule
+ running: false
+ schedule:
+ interval: 1m
+ scheduled_task_id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb
+ tags: []
+ throttle: null
+ updated_at: '2023-05-16T20:25:42.559Z'
+ updated_by: elastic
+ page: 1
+ per_page: 10
+ total: 1
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ actions:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ alerts_filter:
+ additionalProperties: false
+ description: Defines a period that limits whether the action runs.
+ type: object
+ properties:
+ query:
+ additionalProperties: false
+ type: object
+ properties:
+ dsl:
+ description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
+ type: string
+ filters:
+ description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ $state:
+ additionalProperties: false
+ type: object
+ properties:
+ store:
+ description: A filter can be either specific to an application context or applied globally.
+ enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + connector_type_id: + description: The type of connector. This property appears in responses but cannot be set in requests. + type: string + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. 
+ type: object
+ use_alert_data_for_template:
+ description: Indicates whether to use alert data as a template.
+ type: boolean
+ uuid:
+ description: A universally unique identifier (UUID) for the action.
+ type: string
+ required:
+ - id
+ - connector_type_id
+ - params
+ type: array
+ active_snoozes:
+ items:
+ description: List of active snoozes for the rule.
+ type: string
+ type: array
+ alert_delay:
+ additionalProperties: false
+ description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
+ type: object
+ properties:
+ active:
+ description: The number of consecutive runs that must meet the rule conditions.
+ type: number
+ required:
+ - active
+ api_key_created_by_user:
+ description: Indicates whether the API key that is associated with the rule was created by the user.
+ nullable: true
+ type: boolean
+ api_key_owner:
+ description: The owner of the API key that is associated with the rule and used to run background tasks.
+ nullable: true
+ type: string
+ artifacts:
+ additionalProperties: false
+ type: object
+ properties:
+ dashboards:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: array
+ investigation_guide:
+ additionalProperties: false
+ type: object
+ properties:
+ blob:
+ description: User-created content that describes alert causes and remdiation.
+ type: string
+ required:
+ - blob
+ consumer:
+ description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
+ type: string
+ created_at:
+ description: The date and time that the rule was created.
+ type: string
+ created_by:
+ description: The identifier for the user that created the rule.
+ nullable: true
+ type: string
+ enabled:
+ description: Indicates whether you want to run the rule on an interval basis after it is created.
+ type: boolean
+ execution_status:
+ additionalProperties: false
+ type: object
+ properties:
+ error:
+ additionalProperties: false
+ type: object
+ properties:
+ message:
+ description: Error message.
+ type: string
+ reason:
+ description: Reason for error.
+ enum:
+ - read
+ - decrypt
+ - execute
+ - unknown
+ - license
+ - timeout
+ - disabled
+ - validate
+ type: string
+ required:
+ - reason
+ - message
+ last_duration:
+ description: Duration of last execution of the rule.
+ type: number
+ last_execution_date:
+ description: The date and time when rule was executed last.
+ type: string
+ status:
+ description: Status of rule execution.
+ enum:
+ - ok
+ - active
+ - error
+ - warning
+ - pending
+ - unknown
+ type: string
+ warning:
+ additionalProperties: false
+ type: object
+ properties:
+ message:
+ description: Warning message.
+ type: string
+ reason:
+ description: Reason for warning.
+ enum:
+ - maxExecutableActions
+ - maxAlerts
+ - maxQueuedActions
+ - ruleExecution
+ type: string
+ required:
+ - reason
+ - message
+ required:
+ - status
+ - last_execution_date
+ flapping:
+ additionalProperties: false
+ description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
+ nullable: true
+ type: object
+ properties:
+ enabled:
+ description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
+ type: boolean
+ look_back_window:
+ description: The minimum number of runs in which the threshold must be met.
+ maximum: 20
+ minimum: 2
+ type: number
+ status_change_threshold:
+ description: The minimum number of times an alert must switch states in the look back window.
+ maximum: 20
+ minimum: 2
+ type: number
+ required:
+ - look_back_window
+ - status_change_threshold
+ id:
+ description: The identifier for the rule.
+ type: string
+ is_snoozed_until:
+ description: The date when the rule will no longer be snoozed.
+ nullable: true
+ type: string
+ last_run:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ alerts_count:
+ additionalProperties: false
+ type: object
+ properties:
+ active:
+ description: Number of active alerts during last run.
+ nullable: true
+ type: number
+ ignored:
+ description: Number of ignored alerts during last run.
+ nullable: true
+ type: number
+ new:
+ description: Number of new alerts during last run.
+ nullable: true
+ type: number
+ recovered:
+ description: Number of recovered alerts during last run.
+ nullable: true
+ type: number
+ outcome:
+ description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
+ enum:
+ - succeeded
+ - warning
+ - failed
+ type: string
+ outcome_msg:
+ items:
+ description: Outcome message generated during last rule run.
+ type: string
+ nullable: true
+ type: array
+ outcome_order:
+ description: Order of the outcome.
+ type: number
+ warning:
+ description: Warning of last rule execution.
+ enum:
+ - read
+ - decrypt
+ - execute
+ - unknown
+ - license
+ - timeout
+ - disabled
+ - validate
+ - maxExecutableActions
+ - maxAlerts
+ - maxQueuedActions
+ - ruleExecution
+ nullable: true
+ type: string
+ required:
+ - outcome
+ - alerts_count
+ mapped_params:
+ additionalProperties:
+ nullable: true
+ type: object
+ monitoring:
+ additionalProperties: false
+ description: Monitoring details of the rule.
+ type: object
+ properties:
+ run:
+ additionalProperties: false
+ description: Rule run details.
+ type: object
+ properties:
+ calculated_metrics:
+ additionalProperties: false
+ description: Calculation of different percentiles and success ratio.
+ type: object
+ properties:
+ p50:
+ type: number
+ p95:
+ type: number
+ p99:
+ type: number
+ success_ratio:
+ type: number
+ required:
+ - success_ratio
+ history:
+ description: History of the rule run.
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ duration:
+ description: Duration of the rule run.
+ type: number
+ outcome:
+ description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
+ enum:
+ - succeeded
+ - warning
+ - failed
+ type: string
+ success:
+ description: Indicates whether the rule run was successful.
+ type: boolean
+ timestamp:
+ description: Time of rule run.
+ type: number
+ required:
+ - success
+ - timestamp
+ type: array
+ last_run:
+ additionalProperties: false
+ type: object
+ properties:
+ metrics:
+ additionalProperties: false
+ type: object
+ properties:
+ duration:
+ description: Duration of most recent rule run.
+ type: number
+ gap_duration_s:
+ description: Duration in seconds of rule run gap.
+ nullable: true
+ type: number
+ gap_range:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ gte:
+ description: End of the gap range.
+ type: string
+ lte:
+ description: Start of the gap range.
+ type: string
+ required:
+ - lte
+ - gte
+ total_alerts_created:
+ description: Total number of alerts created during last rule run.
+ nullable: true
+ type: number
+ total_alerts_detected:
+ description: Total number of alerts detected during last rule run.
+ nullable: true
+ type: number
+ total_indexing_duration_ms:
+ description: Total time spent indexing documents during last rule run in milliseconds.
+ nullable: true
+ type: number
+ total_search_duration_ms:
+ description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
+ nullable: true
+ type: number
+ timestamp:
+ description: Time of the most recent rule run.
+ type: string
+ required:
+ - timestamp
+ - metrics
+ required:
+ - history
+ - calculated_metrics
+ - last_run
+ required:
+ - run
+ mute_all:
+ description: Indicates whether all alerts are muted.
+ type: boolean
+ muted_alert_ids:
+ items:
+ description: 'List of identifiers of muted alerts. '
+ type: string
+ type: array
+ name:
+ description: ' The name of the rule.'
+ type: string
+ next_run:
+ description: Date and time of the next run of the rule.
+ nullable: true
+ type: string
+ notify_when:
+ description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ enum:
+ - onActionGroupChange
+ - onActiveAlert
+ - onThrottleInterval
+ nullable: true
+ type: string
+ params:
+ additionalProperties:
+ nullable: true
+ description: The parameters for the rule.
+ type: object
+ revision:
+ description: The rule revision number.
+ type: number
+ rule_type_id:
+ description: The rule type identifier.
+ type: string
+ running:
+ description: Indicates whether the rule is running.
+ nullable: true
+ type: boolean
+ schedule:
+ additionalProperties: false
+ type: object
+ properties:
+ interval:
+ description: The interval is specified in seconds, minutes, hours, or days.
+ type: string
+ required:
+ - interval
+ scheduled_task_id:
+ description: Identifier of the scheduled task.
+ type: string
+ snooze_schedule:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ duration:
+ description: Duration of the rule snooze schedule.
+ type: number
+ id:
+ description: Identifier of the rule snooze schedule.
+ type: string
+ rRule:
+ additionalProperties: false
+ type: object
+ properties:
+ byhour:
+ items:
+ description: Indicates hours of the day to recur.
+ type: number
+ nullable: true
+ type: array
+ byminute:
+ items:
+ description: Indicates minutes of the hour to recur.
+ type: number
+ nullable: true
+ type: array
+ bymonth:
+ items:
+ description: Indicates months of the year that this rule should recur.
+ type: number
+ nullable: true
+ type: array
+ bymonthday:
+ items:
+ description: Indicates the days of the month to recur.
+ type: number
+ nullable: true
+ type: array
+ bysecond:
+ items:
+ description: Indicates seconds of the day to recur.
+ type: number
+ nullable: true
+ type: array
+ bysetpos:
+ items:
+ description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.
+ type: number
+ nullable: true
+ type: array
+ byweekday:
+ items:
+ anyOf:
+ - type: string
+ - type: number
+ description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination.
+ nullable: true
+ type: array
+ byweekno:
+ items:
+ description: Indicates number of the week hours to recur.
+ type: number
+ nullable: true
+ type: array
+ byyearday:
+ items:
+ description: Indicates the days of the year that this rule should recur.
+ type: number
+ nullable: true
+ type: array
+ count:
+ description: Number of times the rule should recur until it stops.
+ type: number
+ dtstart:
+ description: Rule start date in Coordinated Universal Time (UTC).
+ type: string
+ freq:
+ description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
+ enum:
+ - 0
+ - 1
+ - 2
+ - 3
+ - 4
+ - 5
+ - 6
+ type: integer
+ interval:
+ description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
+ type: number
+ tzid:
+ description: Indicates timezone abbreviation.
+ type: string
+ until:
+ description: Recur the rule until this date.
+ type: string
+ wkst:
+ description: Indicates the start of week, defaults to Monday.
+ enum:
+ - MO
+ - TU
+ - WE
+ - TH
+ - FR
+ - SA
+ - SU
+ type: string
+ required:
+ - dtstart
+ - tzid
+ skipRecurrences:
+ items:
+ description: Skips recurrence of rule on this date.
+ type: string
+ type: array
+ required:
+ - duration
+ - rRule
+ type: array
+ tags:
+ items:
+ description: The tags for the rule.
+ type: string
+ type: array
+ throttle:
+ deprecated: true
+ description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ nullable: true
+ type: string
+ updated_at:
+ description: The date and time that the rule was updated most recently.
+ type: string
+ updated_by:
+ description: The identifier for the user that updated this rule most recently.
+ nullable: true
+ type: string
+ view_in_app_relative_url:
+ description: Relative URL to view rule in the app.
+ nullable: true + type: string + required: + - id + - enabled + - name + - tags + - rule_type_id + - consumer + - schedule + - actions + - params + - created_by + - updated_by + - created_at + - updated_at + - api_key_owner + - mute_all + - muted_alert_ids + - execution_status + - revision + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + summary: Get information about rules + tags: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/rules/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rules/backfill/_find: + post: + operationId: post-alerting-rules-backfill-find + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The end date for filtering backfills. + in: query + name: end + required: false + schema: + type: string + - description: The page number to return. + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: number + - description: The number of backfills to return per page. + in: query + name: per_page + required: false + schema: + default: 10 + minimum: 0 + type: number + - description: A comma-separated list of rule identifiers. + in: query + name: rule_ids + required: false + schema: + type: string + - description: The initiator of the backfill, either `user` for manual backfills or `system` for automatic gap fills. + in: query + name: initiator + required: false + schema: + enum: + - user + - system + type: string + - description: The start date for filtering backfills. + in: query + name: start + required: false + schema: + type: string + - description: The field to sort backfills by. + in: query + name: sort_field + required: false + schema: + enum: + - createdAt + - start + type: string + - description: The sort order. 
+ in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + responses: + '200': + content: + application/json: + examples: + findBackfillResponse: + summary: Find backfills response + value: + data: + - created_at: '2024-01-30T00:00:00.000Z' + duration: 12h + enabled: true + id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 + initiator: user + rule: + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + id: 3583a470-74f6-11ed-9801-35303b735aef + name: my alert + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + schedule: + - interval: 12h + run_at: '2024-01-01T12:00:00.000Z' + status: pending + - interval: 12h + run_at: '2024-01-02T00:00:00.000Z' + status: pending + space_id: default + start: '2024-01-01T00:00:00.000Z' + status: pending + page: 1 + per_page: 10 + total: 1 + schema: + additionalProperties: false + type: object + properties: + data: + items: + additionalProperties: false + type: object + properties: + created_at: + type: string + duration: + type: string + enabled: + type: boolean + end: + type: string + id: + type: string + initiator: + enum: + - user + - system + type: string + initiator_id: + type: string + rule: + additionalProperties: false + type: object + properties: + api_key_created_by_user: + nullable: true + type: boolean + api_key_owner: + nullable: true + type: string + consumer: + type: string + created_at: + type: string + created_by: + nullable: true + type: string + enabled: + type: boolean + id: + type: string + name: + type: string + params: + additionalProperties: + nullable: true + 
description: The parameters for the rule. + type: object + revision: + type: number + rule_type_id: + type: string + schedule: + additionalProperties: false + type: object + properties: + interval: + type: string + required: + - interval + tags: + items: + type: string + type: array + updated_at: + type: string + updated_by: + nullable: true + type: string + required: + - id + - name + - tags + - rule_type_id + - params + - api_key_owner + - consumer + - enabled + - schedule + - created_by + - updated_by + - created_at + - updated_at + - revision + schedule: + items: + additionalProperties: false + type: object + properties: + interval: + type: string + run_at: + type: string + status: + enum: + - complete + - pending + - running + - error + - timeout + type: string + required: + - run_at + - status + - interval + type: array + space_id: + type: string + start: + type: string + status: + enum: + - complete + - pending + - running + - error + - timeout + type: string + required: + - id + - created_at + - duration + - enabled + - rule + - space_id + - initiator + - start + - status + - schedule + type: array + page: + type: number + per_page: + type: number + total: + type: number + required: + - page + - per_page + - total + - data + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + summary: Find backfills for rules + tags: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rules/backfill/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rules/backfill/_schedule: + post: + operationId: post-alerting-rules-backfill-schedule + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + scheduleBackfillRequest: + summary: Schedule a backfill for an index threshold rule + value: + - ranges: + - end: '2024-01-02T00:00:00.000Z' + start: '2024-01-01T00:00:00.000Z' + rule_id: 3583a470-74f6-11ed-9801-35303b735aef + schema: + items: + additionalProperties: false + type: object + properties: + ranges: + items: + additionalProperties: false + type: object + properties: + end: + type: string + start: + type: string + required: + - start + - end + type: array + rule_id: + type: string + run_actions: + type: boolean + required: + - rule_id + - ranges + maxItems: 100 + minItems: 1 + type: array + responses: + '200': + content: + application/json: + examples: + scheduleBackfillResponse: + summary: Schedule backfill response + value: + - created_at: '2024-01-30T00:00:00.000Z' + duration: 12h + enabled: true + id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 + initiator: user + rule: + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + id: 3583a470-74f6-11ed-9801-35303b735aef + name: my alert + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + schedule: + - interval: 12h + run_at: '2024-01-01T12:00:00.000Z' + status: pending + - 
interval: 12h + run_at: '2024-01-02T00:00:00.000Z' + status: pending + space_id: default + start: '2024-01-01T00:00:00.000Z' + status: pending + schema: + items: + anyOf: + - additionalProperties: false + type: object + properties: + created_at: + type: string + duration: + type: string + enabled: + type: boolean + end: + type: string + id: + type: string + initiator: + enum: + - user + - system + type: string + initiator_id: + type: string + rule: + additionalProperties: false + type: object + properties: + api_key_created_by_user: + nullable: true + type: boolean + api_key_owner: + nullable: true + type: string + consumer: + type: string + created_at: + type: string + created_by: + nullable: true + type: string + enabled: + type: boolean + id: + type: string + name: + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the rule. + type: object + revision: + type: number + rule_type_id: + type: string + schedule: + additionalProperties: false + type: object + properties: + interval: + type: string + required: + - interval + tags: + items: + type: string + type: array + updated_at: + type: string + updated_by: + nullable: true + type: string + required: + - id + - name + - tags + - rule_type_id + - params + - api_key_owner + - consumer + - enabled + - schedule + - created_by + - updated_by + - created_at + - updated_at + - revision + schedule: + items: + additionalProperties: false + type: object + properties: + interval: + type: string + run_at: + type: string + status: + enum: + - complete + - pending + - running + - error + - timeout + type: string + required: + - run_at + - status + - interval + type: array + space_id: + type: string + start: + type: string + status: + enum: + - complete + - pending + - running + - error + - timeout + type: string + required: + - id + - created_at + - duration + - enabled + - rule + - space_id + - initiator + - start + - status + - schedule + - additionalProperties: false + type: 
object + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + rule: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + status: + type: number + required: + - message + - rule + required: + - error + type: array + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Schedule a backfill for rules + tags: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rules/backfill/_schedule
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rules/backfill/{id}: + delete: + operationId: delete-alerting-rules-backfill-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the backfill. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a backfill with the given ID does not exist. + summary: Delete a backfill by ID + tags: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/alerting/rules/backfill/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + get: + operationId: get-alerting-rules-backfill-id + parameters: + - description: The identifier for the backfill. + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getBackfillResponse: + summary: Get a backfill for an index threshold rule + value: + created_at: '2024-01-30T00:00:00.000Z' + duration: 12h + enabled: true + id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 + initiator: user + rule: + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + id: 3583a470-74f6-11ed-9801-35303b735aef + name: my alert + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + schedule: + - interval: 12h + run_at: '2024-01-01T12:00:00.000Z' + status: pending + - interval: 12h + run_at: '2024-01-02T00:00:00.000Z' + status: pending + space_id: default + start: '2024-01-01T00:00:00.000Z' + status: pending + schema: + additionalProperties: false + type: object + properties: + created_at: + type: string + duration: + type: string + enabled: + type: boolean + end: + type: string + id: + type: string + initiator: + enum: + - user + - system + type: string + initiator_id: + type: string + rule: + additionalProperties: false + type: object + properties: + api_key_created_by_user: + nullable: true + type: boolean + api_key_owner: + nullable: true + type: string + consumer: + type: string + created_at: + type: string + created_by: + nullable: true + type: string + enabled: + type: boolean + id: + type: string + 
name: + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the rule. + type: object + revision: + type: number + rule_type_id: + type: string + schedule: + additionalProperties: false + type: object + properties: + interval: + type: string + required: + - interval + tags: + items: + type: string + type: array + updated_at: + type: string + updated_by: + nullable: true + type: string + required: + - id + - name + - tags + - rule_type_id + - params + - api_key_owner + - consumer + - enabled + - schedule + - created_by + - updated_by + - created_at + - updated_at + - revision + schedule: + items: + additionalProperties: false + type: object + properties: + interval: + type: string + run_at: + type: string + status: + enum: + - complete + - pending + - running + - error + - timeout + type: string + required: + - run_at + - status + - interval + type: array + space_id: + type: string + start: + type: string + status: + enum: + - complete + - pending + - running + - error + - timeout + type: string + required: + - id + - created_at + - duration + - enabled + - rule + - space_id + - initiator + - start + - status + - schedule + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a backfill with the given ID does not exist. + summary: Get a backfill by ID + tags: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/rules/backfill/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/apm/agent_keys: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/agent_keys
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new agent key for APM. + The user creating an APM agent API key must have at least the `manage_own_api_key` cluster privilege and the APM application-level privileges that it wishes to grant. + After it is created, you can copy the API key (Base64 encoded) and use it to to authorize requests from APM agents to the APM Server. + operationId: createAgentKey + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + application/json: + examples: + createAgentKeyRequest1: + $ref: '#/components/examples/APM_UI_agent_keys_object_post_request1' + schema: + $ref: '#/components/schemas/APM_UI_agent_keys_object' + required: true + responses: + '200': + content: + application/json: + examples: + createAgentKeyResponse1: + $ref: '#/components/examples/APM_UI_agent_keys_object_post_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_agent_keys_response' + description: Agent key created successfully + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + summary: Create an APM agent key + tags: + - APM agent keys + x-metaTags: + - content: Kibana + name: product_name + /api/apm/fleet/apm_server_schema: + post: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/fleet/apm_server_schema
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + DEPRECATED: This endpoint is intended for internal use by Fleet integrations to push the APM Server configuration schema. Do not use for new integrations. It stores the provided schema object as a Kibana saved object. If Fleet migration is not available on the current deployment, the API returns a 404. + operationId: saveApmServerSchema + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + application/json: + schema: + type: object + properties: + schema: + additionalProperties: true + description: Schema object + example: + foo: bar + type: object + required: true + responses: + '200': + content: + application/json: + examples: + saveApmServerSchemaResponseExample1: + $ref: '#/components/examples/APM_UI_fleet_apm_server_schema_200_response1' + schema: + additionalProperties: false + description: The response body is intentionally empty for this endpoint. + type: object + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Save APM server schema + tags: + - APM server schema + x-metaTags: + - content: Kibana + name: product_name + /api/apm/services/{serviceName}/annotation: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/services/{serviceName}/annotation
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new annotation for a specific service. + operationId: createAnnotation + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: The name of the service + in: path + name: serviceName + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + createAnnotationRequest1: + $ref: '#/components/examples/APM_UI_annotation_object_post_request1' + schema: + $ref: '#/components/schemas/APM_UI_create_annotation_object' + required: true + responses: + '200': + content: + application/json: + examples: + createAnnotationResponse1: + $ref: '#/components/examples/APM_UI_annotation_object_post_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_create_annotation_response' + description: Annotation created successfully + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Create a service annotation + tags: + - APM annotations + x-codeSamples: + - lang: Curl + source: | + curl -X POST \ + http://localhost:5601/api/apm/services/opbeans-java/annotation \ + -H 'Content-Type: application/json' \ + -H 'kbn-xsrf: true' \ + -H 'Authorization: Basic YhUlubWZhM0FDbnlQeE6WRtaW49FQmSGZ4RUWXdX' \ + -d '{ + "@timestamp": "2020-05-08T10:31:30.452Z", + "service": { + "version": "1.2" + }, + "message": "Deployment 1.2" + }' + x-metaTags: + - content: 
Kibana + name: product_name + /api/apm/services/{serviceName}/annotation/search: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/services/{serviceName}/annotation/search
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Search for annotations related to a specific service. + operationId: getAnnotation + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: The name of the service + in: path + name: serviceName + required: true + schema: + type: string + - description: The environment to filter annotations by + in: query + name: environment + required: false + schema: + type: string + - description: The start date for the search + example: '2024-01-01T00:00:00.000Z' + in: query + name: start + required: false + schema: + format: date-time + type: string + - description: The end date for the search + example: '2024-01-31T23:59:59.999Z' + in: query + name: end + required: false + schema: + format: date-time + type: string + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_annotation_search_response' + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + summary: Search for annotations + tags: + - APM annotations + x-metaTags: + - content: Kibana + name: product_name + /api/apm/settings/agent-configuration: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/apm/settings/agent-configuration
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an existing agent configuration. You must have `all` privileges for the APM and User Experience feature in Kibana. When successful, the configuration is removed and, if Fleet is enabled, APM package policies are synchronized accordingly. + operationId: deleteAgentConfiguration + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + application/json: + examples: + deleteAgentConfigurationRequest1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_delete_request1' + schema: + $ref: '#/components/schemas/APM_UI_delete_service_object' + required: true + responses: + '200': + content: + application/json: + examples: + deleteAgentConfigurationResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_delete_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_delete_agent_configurations_response' + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Delete agent configuration + tags: + - APM agent configuration + x-metaTags: + - content: Kibana + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/settings/agent-configuration
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve all agent configurations. You must have `read` privileges for the APM and User Experience feature in Kibana. If agent configuration is not available on the current deployment, the API returns a 404. + operationId: getAgentConfigurations + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + responses: + '200': + content: + application/json: + examples: + getAgentConfigurationsResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_get_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_agent_configurations_response' + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get a list of agent configurations + tags: + - APM agent configuration + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/apm/settings/agent-configuration
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create or update an agent configuration. You must have `all` privileges for the APM and User Experience feature in Kibana. When updating an existing configuration, the `?overwrite=true` query parameter is required. If the configuration already exists and `overwrite` is not set to `true`, the API returns a 400 error. When successful and Fleet is enabled, APM package policies are synchronized accordingly. + operationId: createUpdateAgentConfiguration + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: If the config exists ?overwrite=true is required + in: query + name: overwrite + schema: + type: boolean + requestBody: + content: + application/json: + examples: + createUpdateAgentConfigurationRequestExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_put_request1' + schema: + $ref: '#/components/schemas/APM_UI_agent_configuration_intake_object' + required: true + responses: + '200': + content: + application/json: + examples: + createUpdateAgentConfigurationResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_put_200_response1' + schema: + additionalProperties: false + description: The response body is intentionally empty for this endpoint. 
+ type: object + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Create or update agent configuration + tags: + - APM agent configuration + x-metaTags: + - content: Kibana + name: product_name + /api/apm/settings/agent-configuration/agent_name: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/settings/agent-configuration/agent_name
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve `agentName` for a service. + operationId: getAgentNameForService + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: The name of the service + example: node + in: query + name: serviceName + required: true + schema: + type: string + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_service_agent_name_response' + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get agent name for service + tags: + - APM agent configuration + x-metaTags: + - content: Kibana + name: product_name + /api/apm/settings/agent-configuration/environments: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/settings/agent-configuration/environments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve the available environments for a given service, to be used in agent configuration. You must have `read` privileges for the APM and User Experience feature in Kibana. If `serviceName` is omitted, environments across all services are returned. + operationId: getEnvironmentsForService + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: The name of the service. If omitted, environments across all services are returned. + example: opbeans-node + in: query + name: serviceName + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getEnvironmentsForServiceResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_environments_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_service_environments_response' + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get environments for service + tags: + - APM agent configuration + x-metaTags: + - content: Kibana + name: product_name + /api/apm/settings/agent-configuration/search: + post: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/settings/agent-configuration/search
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + DEPRECATED: This endpoint is intended for internal use by APM agents to fetch their configuration and mark it as applied. Do not use for new integrations. It searches for a single agent configuration matching the given service, and optionally updates the `applied_by_agent` field when the provided `etag` matches the current configuration. + operationId: searchSingleConfiguration + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + application/json: + examples: + searchSingleConfigurationRequest1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_search_request1' + schema: + $ref: '#/components/schemas/APM_UI_search_agent_configuration_object' + required: true + responses: + '200': + content: + application/json: + examples: + searchSingleConfigurationResponse1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_search_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_search_agent_configuration_response' + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Lookup single agent configuration + tags: + - APM agent configuration + x-metaTags: + - content: Kibana + name: product_name + /api/apm/settings/agent-configuration/view: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/settings/agent-configuration/view
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a single agent configuration matching the given service name and environment. You must have `read` privileges for the APM and User Experience feature in Kibana. If no matching configuration is found, the API returns a 404. + operationId: getSingleAgentConfiguration + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: Service name + example: node + in: query + name: name + schema: + type: string + - description: Service environment + example: prod + in: query + name: environment + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getSingleAgentConfigurationResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_view_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_single_agent_configuration_response' + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get single agent configuration + tags: + - APM agent configuration + x-metaTags: + - content: Kibana + name: product_name + /api/apm/sourcemaps: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/sourcemaps
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an array of Fleet artifacts, including source map uploads. You must have `read` or `all` Kibana privileges for the APM and User Experience feature. + operationId: getSourceMaps + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: Page number + in: query + name: page + schema: + type: number + - description: Number of records per page + in: query + name: perPage + schema: + type: number + responses: + '200': + content: + application/json: + examples: + getSourceMapsResponse1: + $ref: '#/components/examples/APM_UI_source_maps_get_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_source_maps_response' + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + '501': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_501_response' + description: Not Implemented response + summary: Get source maps + tags: + - APM sourcemaps + x-codeSamples: + - lang: Curl + source: | + curl -X GET "http://localhost:5601/api/apm/sourcemaps" \ + -H 'Content-Type: application/json' \ + -H 'kbn-xsrf: true' \ + -H 'Authorization: ApiKey ${YOUR_API_KEY}' + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/sourcemaps
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upload a source map for a specific service and version. You must have `all` Kibana privileges for the APM and User Experience feature. + The maximum payload size is `1mb`. If you attempt to upload a source map that exceeds the maximum payload size, you will get a 413 error. Before uploading source maps that exceed this default, change the maximum payload size allowed by Kibana with the `server.maxPayload` variable. + operationId: uploadSourceMap + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + multipart/form-data: + schema: + $ref: '#/components/schemas/APM_UI_upload_source_map_object' + required: true + responses: + '200': + content: + application/json: + examples: + uploadSourceMapResponse1: + $ref: '#/components/examples/APM_UI_source_maps_upload_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_upload_source_maps_response' + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + '501': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_501_response' + description: Not Implemented response + summary: Upload a source map + tags: + - APM sourcemaps + x-codeSamples: + - lang: Curl + source: | + curl -X POST "http://localhost:5601/api/apm/sourcemaps" \ + -H 'Content-Type: multipart/form-data' 
\ + -H 'kbn-xsrf: true' \ + -H 'Authorization: ApiKey ${YOUR_API_KEY}' \ + -F 'service_name="foo"' \ + -F 'service_version="1.0.0"' \ + -F 'bundle_filepath="/test/e2e/general-usecase/bundle.js"' \ + -F 'sourcemap="{\"version\":3,\"file\":\"static/js/main.chunk.js\",\"sources\":[\"fleet-source-map-client/src/index.css\",\"fleet-source-map-client/src/App.js\",\"webpack:///./src/index.css?bb0a\",\"fleet-source-map-client/src/index.js\",\"fleet-source-map-client/src/reportWebVitals.js\"],\"sourcesContent\":[\"content\"],\"mappings\":\"mapping\",\"sourceRoot\":\"\"}"' + x-metaTags: + - content: Kibana + name: product_name + /api/apm/sourcemaps/{id}: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/apm/sourcemaps/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a previously uploaded source map. You must have `all` Kibana privileges for the APM and User Experience feature. + operationId: deleteSourceMap + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: Source map identifier + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + deleteSourceMapResponseExample1: + $ref: '#/components/examples/APM_UI_source_maps_delete_200_response1' + schema: + additionalProperties: false + description: The response body is intentionally empty for this endpoint. + type: object + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + '501': + content: + application/json: + schema: + $ref: '#/components/schemas/APM_UI_501_response' + description: Not Implemented response + summary: Delete source map + tags: + - APM sourcemaps + x-codeSamples: + - lang: Curl + source: | + curl -X DELETE "http://localhost:5601/api/apm/sourcemaps/apm:foo-1.0.0-644fd5a9" \ + -H 'Content-Type: application/json' \ + -H 'kbn-xsrf: true' \ + -H 'Authorization: ApiKey ${YOUR_API_KEY}' + x-metaTags: + - content: Kibana + name: product_name + /api/asset_criticality: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/asset_criticality
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete the asset criticality record for a specific entity. + operationId: DeleteAssetCriticalityRecord + parameters: + - description: The ID value of the asset. + example: my_host + in: query + name: id_value + required: true + schema: + type: string + - description: The field representing the ID. + example: host.name + in: query + name: id_field + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' + - description: If 'wait_for' the request will wait for the index refresh. + in: query + name: refresh + required: false + schema: + enum: + - wait_for + type: string + responses: + '200': + content: + application/json: + schema: + type: object + properties: + deleted: + description: True if the record was deleted or false if the record did not exist. + type: boolean + record: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' + description: The deleted record if it existed. + required: + - deleted + description: Successful response + '400': + description: Invalid request + summary: Delete an asset criticality record + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/asset_criticality
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the asset criticality record for a specific entity. + operationId: GetAssetCriticalityRecord + parameters: + - description: The ID value of the asset. + example: my_host + in: query + name: id_value + required: true + schema: + type: string + - description: The field representing the ID. + example: host.name + in: query + name: id_field + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' + description: Successful response + '400': + description: Invalid request + '404': + description: Criticality record not found + summary: Get an asset criticality record + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/asset_criticality
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create or update an asset criticality record for a specific entity. + + If a record already exists for the specified entity, that record is overwritten with the specified value. If a record doesn't exist for the specified entity, a new record is created. + operationId: CreateAssetCriticalityRecord + requestBody: + content: + application/json: + schema: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord' + - type: object + properties: + refresh: + description: If 'wait_for' the request will wait for the index refresh. + enum: + - wait_for + type: string + example: + criticality_level: high_impact + id_field: host.name + id_value: my_host + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' + description: Successful response + '400': + description: Invalid request + summary: Upsert an asset criticality record + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/asset_criticality/bulk: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/asset_criticality/bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk upsert up to 1000 asset criticality records. + + If asset criticality records already exist for the specified entities, those records are overwritten with the specified values. If asset criticality records don't exist for the specified entities, new records are created. + operationId: BulkUpsertAssetCriticalityRecords + requestBody: + content: + application/json: + schema: + example: + records: + - criticality_level: low_impact + id_field: host.name + id_value: host-1 + - criticality_level: medium_impact + id_field: host.name + id_value: host-2 + type: object + properties: + records: + items: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts' + - type: object + properties: + criticality_level: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload' + required: + - criticality_level + maxItems: 1000 + minItems: 1 + type: array + required: + - records + responses: + '200': + content: + application/json: + schema: + example: + errors: + - index: 0 + message: Invalid ID field + stats: + failed: 1 + successful: 1 + total: 2 + type: object + properties: + errors: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem' + type: array + stats: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats' + required: + - errors + - stats + description: Bulk upload successful + '413': + description: File too large + summary: Bulk upsert asset criticality records + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/asset_criticality/list: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/asset_criticality/list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List asset criticality records, paging, sorting and filtering as needed. + operationId: FindAssetCriticalityRecords + parameters: + - description: The field to sort by. + in: query + name: sort_field + required: false + schema: + enum: + - id_value + - id_field + - criticality_level + - '@timestamp' + type: string + - description: The order to sort by. + in: query + name: sort_direction + required: false + schema: + enum: + - asc + - desc + type: string + - description: The page number to return. + in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - description: The number of records to return per page. + in: query + name: per_page + required: false + schema: + maximum: 1000 + minimum: 1 + type: integer + - description: The kuery to filter by. + in: query + name: kuery + required: false + schema: + type: string + responses: + '200': + content: + application/json: + schema: + example: + page: 1 + per_page: 10 + records: + - '@timestamp': '2024-08-02T14:40:35.705Z' + asset: + criticality: medium_impact + criticality_level: medium_impact + host: + asset: + criticality: medium_impact + name: my_other_host + id_field: host.name + id_value: my_other_host + - '@timestamp': '2024-08-02T11:15:34.290Z' + asset: + criticality: high_impact + criticality_level: high_impact + host: + asset: + criticality: high_impact + name: my_host + id_field: host.name + id_value: my_host + total: 2 + type: object + properties: + page: + minimum: 1 + type: integer + per_page: + maximum: 1000 + minimum: 1 + type: integer + records: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' + type: array + total: + minimum: 0 + type: integer + required: + - records + - page + - per_page + - total + description: Successfully retrieved asset criticality records + summary: List asset criticality records + tags: + - Security Entity 
Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/_bulk: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/_bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Performs bulk updates on multiple Attack discoveries, including workflow status changes and visibility settings. This endpoint allows efficient batch processing of alert modifications without requiring individual API calls for each alert. + operationId: PostAttackDiscoveryBulk + requestBody: + content: + application/json: + example: + update: + enable_field_rendering: false + ids: + - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 + kibana_alert_workflow_status: acknowledged + with_replacements: true + schema: + type: object + properties: + update: + description: Configuration object containing all parameters for the bulk update operation + type: object + properties: + enable_field_rendering: + default: false + description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`. 
+ example: false + type: boolean + ids: + description: Array of Attack Discovery IDs to update + example: + - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 + items: + type: string + type: array + kibana_alert_workflow_status: + description: When provided, update the kibana.alert.workflow_status of the attack discovery alerts + enum: + - open + - acknowledged + - closed + example: acknowledged + type: string + visibility: + description: When provided, update the visibility of the alert, as determined by the kibana.alert.attack_discovery.users field + enum: + - not_shared + - shared + example: shared + type: string + with_replacements: + default: true + description: When true, returns the updated Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. This substitutes anonymized values with human-readable equivalents. Defaults to `true`. + example: true + type: boolean + required: + - ids + required: + - update + description: Bulk update parameters for Attack discoveries + required: true + responses: + '200': + content: + application/json: + example: + data: + - id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + title: Suspicious process execution on host-01 + workflow_status: acknowledged + schema: + type: object + properties: + data: + description: Array of updated Attack Discovery alert objects. Each item includes the applied modifications from the bulk update request. + items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert' + type: array + required: + - data + description: Indicates a successful call. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. 
+ status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message describing what went wrong with the bulk update request + example: Invalid request parameters. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. + summary: Bulk update Attack discoveries + tags: + - Security Attack discovery API + x-code-samples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/_bulk' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data-raw '{ + "update": { + "ids": [ + "c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f", + "5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7" + ], + "kibana_alert_workflow_status": "acknowledged" + } + }' + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Find Attack discoveries that match the search criteria. Supports free text search, filtering, pagination, and sorting. + operationId: AttackDiscoveryFind + parameters: + - description: Filter results to Attack discoveries that include any of the provided alert IDs + in: query + name: alert_ids + required: false + schema: + items: + type: string + type: array + - description: Filter results to Attack discoveries created by any of the provided human readable connector names. Note that values must match the human readable `connector_name` property of an Attack discovery, e.g. "GPT-5 Chat", which are distinct from `connector_id` values used to generate Attack discoveries. + in: query + name: connector_names + required: false + schema: + items: + type: string + type: array + - description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`. + example: false + in: query + name: enable_field_rendering + required: false + schema: + default: false + type: boolean + - description: End of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h"). + example: now + in: query + name: end + required: false + schema: + type: string + - description: Filter results to the Attack discoveries with the specified IDs + in: query + name: ids + required: false + schema: + items: + type: string + type: array + - description: If `true`, the response will include `unique_alert_ids` and `unique_alert_ids_count` aggregated across the matched Attack discoveries + example: false + in: query + name: include_unique_alert_ids + required: false + schema: + type: boolean + - description: Page number to return (used for pagination). Defaults to 1. 
+ example: 1 + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Number of Attack discoveries to return per page (used for pagination). Defaults to 10. + example: 10 + in: query + name: per_page + required: false + schema: + default: 10 + minimum: 1 + type: integer + - description: Free-text search query applied to relevant text fields of Attack discoveries (title, description, tags, etc.) + example: '' + in: query + name: search + required: false + schema: + type: string + - description: Whether to filter by shared visibility. If omitted, both shared and privately visible Attack discoveries are returned. Use `true` to return only shared discoveries, `false` to return only those visible to the current user. + in: query + name: shared + required: false + schema: + type: boolean + - description: Whether to filter by scheduled or ad-hoc attack discoveries. If omitted, both types of attack discoveries are returned. Use `true` to return only scheduled discoveries or `false` to return only ad-hoc discoveries. + in: query + name: scheduled + required: false + schema: + type: boolean + - description: Field used to sort results. See `AttackDiscoveryFindSortField` for allowed values. + example: '@timestamp' + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryFindSortField' + default: '@timestamp' + - description: Sort order direction `asc` for ascending or `desc` for descending. Defaults to `desc`. + example: desc + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_SortOrder' + default: desc + - description: Start of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now-7d"). + example: now-24h + in: query + name: start + required: false + schema: + type: string + - description: Filter by alert workflow status. 
Provide one or more of the allowed workflow states. + example: + - open + - acknowledged + in: query + name: status + required: false + schema: + items: + enum: + - acknowledged + - closed + - open + type: string + type: array + - description: When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to `true`. + example: true + in: query + name: with_replacements + required: false + schema: + default: true + type: boolean + responses: + '200': + content: + application/json: + example: + connector_names: + - GPT-5 Chat + data: + - connector_name: GPT-5 Chat + id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + title: Suspicious process execution on host-01 + page: 1 + per_page: 10 + total: 1 + unique_alert_ids_count: 0 + schema: + type: object + properties: + connector_names: + description: List of human readable connector names that are present in the matched Attack discoveries. Useful for building client filters or summaries. + items: + type: string + type: array + data: + description: Array of matched Attack discovery objects. Each item follows the `AttackDiscoveryApiAlert` schema. + items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert' + type: array + page: + description: Current page number of the paginated result set. + type: integer + per_page: + description: Number of items requested per page. + type: integer + total: + description: Total number of Attack discoveries matching the query (across all pages). + type: integer + unique_alert_ids: + description: List of unique alert IDs aggregated from the matched Attack discoveries. Only present if `include_unique_alert_ids=true` in the request. + items: + type: string + type: array + unique_alert_ids_count: + description: Number of unique alert IDs across all matched Attack discoveries. 
Only present if `include_unique_alert_ids=true` in the request. + type: integer + required: + - connector_names + - data + - page + - per_page + - total + - unique_alert_ids_count + description: Indicates a successful call. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request payload. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message + example: Invalid request payload. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + description: Bad Request response. + summary: Find Attack discoveries that match the search criteria + tags: + - Security Attack discovery API + x-code-samples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/_find?end=now&include_unique_alert_ids=false&page=1&per_page=10&search=&sort_field=%40timestamp&sort_order=desc&start=now-24h&status=open&status=acknowledged' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/_generate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/_generate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initiates the generation of attack discoveries by analyzing security alerts using AI. Returns an execution UUID that can be used to track the generation progress and retrieve results. Results may also be retrieved via the find endpoint. + operationId: PostAttackDiscoveryGenerate + requestBody: + content: + application/json: + example: + alertsIndexPattern: .alerts-security.alerts-default + anonymizationFields: + - allowed: true + anonymized: true + field: host.name + - allowed: true + anonymized: true + field: user.name + - allowed: true + anonymized: false + field: process.name + apiConfig: + actionTypeId: .gen-ai + connectorId: 12345678-1234-1234-1234-123456789012 + connectorName: GPT-5 Chat + end: now + replacements: {} + size: 100 + start: now-24h + subAction: invokeAI + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenerationConfig' + required: true + responses: + '200': + content: + application/json: + example: + execution_uuid: edd26039-0990-4d9f-9829-2a1fcacb77b5 + schema: + type: object + properties: + execution_uuid: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + description: The unique identifier for the attack discovery generation process. Use this UUID to track the generation progress and retrieve results via the find endpoint. + example: edd26039-0990-4d9f-9829-2a1fcacb77b5 + required: + - execution_uuid + description: Indicates a successful call. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message describing what went wrong + example: Invalid request parameters. 
+ type: string + status_code: + description: HTTP status code + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. + summary: Generate attack discoveries from alerts + tags: + - Security Attack discovery API + x-code-samples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/_generate' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{ + "alertsIndexPattern": ".alerts-security.alerts-default", + "anonymizationFields": [ + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "@timestamp", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "aKiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.feature", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "saiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.data", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "sqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.entropy", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "s6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.extension", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "tKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.metrics", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "taiJW5gB4U27o8XO8oLg" + }, + { + 
"timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.operation", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "tqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.path", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "t6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.score", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "uKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.version", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "uaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "_id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "Z6iJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "agent.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "aaiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "cloud.availability_zone", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "aqiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "cloud.provider", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "a6iJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "cloud.region", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": 
"bKiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "destination.ip", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "baiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "dns.question.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "bqiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "dns.question.type", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "b6iJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "event.category", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "cKiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "event.dataset", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "caiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "event.module", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "cqiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "event.outcome", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "c6iJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "file.Ext.original.path", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "dKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "file.hash.sha256", + "allowed": true, + "anonymized": false, + "namespace": 
"default", + "id": "daiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "file.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "dqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "file.path", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "d6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "group.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "eKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "group.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "eaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.asset.criticality", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "eqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.name", + "allowed": true, + "anonymized": true, + "namespace": "default", + "id": "e6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.os.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "fKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.os.version", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "faiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.risk.calculated_level", + "allowed": true, + "anonymized": false, + "namespace": 
"default", + "id": "fqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.risk.calculated_score_norm", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "f6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.original_time", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "gKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.risk_score", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "gaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.description", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "gqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "g6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.references", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "hKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.framework", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "haiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.tactic.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "hqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", 
"createdAt": "2025-07-30T13:33:44.029Z", "field": "kibana.alert.rule.threat.tactic.name", "allowed": true, @@ -3095,43 +13779,28287 @@ paths: "connectorId": "12345678-1234-1234-1234-123456789012", "actionTypeId": ".gen-ai" }, - "connectorName": "GPT-5 Chat", - "end": "now", - "start": "now-24h" - }' - /api/attack_discovery/generations: + "connectorName": "GPT-5 Chat", + "end": "now", + "start": "now-24h" + }' + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/generations: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/generations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the latest Attack Discovery generations metadata (that are not dismissed) for the current user. This endpoint retrieves generation metadata including execution status and statistics for Attack Discovery generations. + operationId: GetAttackDiscoveryGenerations + parameters: + - description: End of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h"). + example: now + in: query + name: end + required: false + schema: + type: string + - description: The maximum number of generations to retrieve + example: 50 + in: query + name: size + required: false + schema: + default: 50 + minimum: 1 + type: number + - description: Start of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now-7d"). + example: now-24h + in: query + name: start + required: false + schema: + type: string + responses: + '200': + content: + application/json: + example: + generations: + - alerts_context_count: 75 + connector_id: chatGpt5_0ChatAzure + discoveries: 3 + end: '2025-09-29T06:42:44.810Z' + execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 + loading_message: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries. + start: '2025-09-29T06:42:08.962Z' + status: succeeded + schema: + type: object + properties: + generations: + description: List of Attack Discovery generations + items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration' + type: array + required: + - generations + description: Indicates a successful call. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid size parameter. Must be a positive number. 
+ status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message + example: Invalid size parameter. Must be a positive number. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + description: Bad Request response. + summary: Get the latest Attack Discovery generations metadata for the current user + tags: + - Security Attack discovery API + x-code-samples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/generations?size=50&start=now-24h&end=now' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/generations/{execution_uuid}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/generations/{execution_uuid}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns a specific Attack Discovery generation, including all generated Attack discoveries and associated metadata, including execution status and statistics. + operationId: GetAttackDiscoveryGeneration + parameters: + - description: The unique identifier for the Attack Discovery generation execution. This UUID is returned at the start of an Attack Discovery generation. + example: 2e13f386-46cf-4d65-9e2b-68609e132ba5 + in: path + name: execution_uuid + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + - description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`. + example: false + in: query + name: enable_field_rendering + required: false + schema: + default: false + type: boolean + - description: When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to `true`. + example: true + in: query + name: with_replacements + required: false + schema: + default: true + type: boolean + responses: + '200': + content: + application/json: + example: + data: + - id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + title: Suspicious process execution on host-01 + generation: + alerts_context_count: 50 + discoveries: 1 + end: '2025-09-29T06:42:44.810Z' + execution_uuid: 2e13f386-46cf-4d65-9e2b-68609e132ba5 + start: '2025-09-29T06:42:08.962Z' + status: succeeded + schema: + type: object + properties: + data: + description: Array of Attack discoveries generated during this execution. 
+ items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert' + type: array + generation: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration' + description: Optional metadata about the attack discovery generation process, metadata including execution status and statistics. This metadata may not be available for all generations. + required: + - data + description: Indicates a successful call. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message describing what went wrong with the request + example: Invalid request parameters. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. + summary: Get a single Attack Discovery generation, including its discoveries and (optional) generation metadata + tags: + - Security Attack discovery API + x-code-samples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/generations/2e13f386-46cf-4d65-9e2b-68609e132ba5' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/generations/{execution_uuid}/_dismiss: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/generations/{execution_uuid}/_dismiss
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Dismisses an Attack Discovery generation for the current user, indicating that its status should not be reported in the UI. This sets the generation's status to "dismissed" and affects how the generation appears in subsequent queries. + operationId: PostAttackDiscoveryGenerationsDismiss + parameters: + - description: The unique identifier for the Attack Discovery generation execution. This UUID is returned when an Attack Discovery generation is created and can be found in generation responses. + example: 46b218d5-535d-4329-be56-d0f6af6986b7 + in: path + name: execution_uuid + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + alerts_context_count: 75 + connector_id: chatGpt5_0ChatAzure + discoveries: 3 + end: '2025-09-29T06:42:44.810Z' + execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 + loading_message: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries. + start: '2025-09-29T06:42:08.962Z' + status: dismissed + schema: + type: object + properties: + alerts_context_count: + description: The number of alerts that were sent as context to the LLM for this generation. + example: 75 + type: number + connector_id: + description: The unique identifier of the connector used to generate the attack discoveries. + example: chatGpt5_0ChatAzure + type: string + connector_stats: + description: Statistical information about the connector's performance for this user, providing insights into usage patterns and success rates. + type: object + properties: + average_successful_duration_nanoseconds: + description: The average duration in nanoseconds for successful generations using this connector by the current user. 
+ example: 47958500000 + type: number + successful_generations: + description: The total number of Attack discoveries successfully created for this generation + example: 2 + type: number + discoveries: + description: The number of attack discoveries that were generated during this execution. + example: 3 + type: number + end: + description: The timestamp when the generation process completed, in ISO 8601 format. This field may be absent for generations that haven't finished. + example: '2025-09-29T06:42:44.810Z' + type: string + execution_uuid: + description: The unique identifier for this attack discovery generation execution. This UUID can be used to reference this specific generation in other API calls. + example: 46b218d5-535d-4329-be56-d0f6af6986b7 + type: string + loading_message: + description: A human-readable message describing the current state or progress of the generation process. Provides context about what the AI is analyzing. + example: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries. + type: string + reason: + description: Additional context or reasoning provided when a generation fails or encounters issues. This field helps diagnose problems with the generation process. + example: Connection timeout to AI service + type: string + start: + description: The timestamp when the generation process began, in ISO 8601 format. This marks the beginning of the AI analysis. + example: '2025-09-29T06:42:08.962Z' + type: string + status: + description: The current status of the attack discovery generation. After dismissing, this will be set to "dismissed". + enum: + - canceled + - dismissed + - failed + - started + - succeeded + example: dismissed + type: string + required: + - connector_id + - discoveries + - execution_uuid + - loading_message + - start + - status + description: Indicates a successful call. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. 
+ status_code: 400 + schema: + type: object + properties: + error: + description: Error type or category + example: Bad Request + type: string + message: + description: Human-readable error message describing what went wrong with the request. + example: Invalid request parameters. + type: string + status_code: + description: HTTP status code indicating the type of client error + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. + summary: Dismiss an Attack Discovery generation + tags: + - Security Attack discovery API + x-code-samples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/generations/46b218d5-535d-4329-be56-d0f6af6986b7/_dismiss' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/schedules: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates a new Attack Discovery schedule that analyzes security alerts at specified intervals. The schedule defines when and how Attack Discovery analysis should run, including which alerts to analyze, which AI connector to use, and what actions to take when discoveries are found. + operationId: CreateAttackDiscoverySchedules + requestBody: + content: + application/json: + example: + actions: [] + enabled: true + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps' + description: Attack Discovery schedule configuration including name, parameters, schedule interval, and actions + required: true + responses: + '200': + content: + application/json: + example: + actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + updated_at: '2023-10-31T10:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' + description: The Attack Discovery schedule was successfully created. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. 
+ summary: Create Attack Discovery schedule + tags: + - Security Attack discovery API + x-code-samples: + - label: Create an Attack Discovery schedule + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/schedules' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{ + "name": "Daily Security Analysis", + "enabled": true, + "params": { + "alerts_index_pattern": ".alerts-security.alerts-default", + "api_config": { + "actionTypeId": "bedrock", + "connectorId": "my-bedrock-connector", + "name": "Claude 3.5 Sonnet" + }, + "size": 100, + "start": "now-24h", + "end": "now" + }, + "schedule": { + "interval": "24h" + }, + "actions": [ + { + "action_type_id": ".cases", + "id": "system-connector-.cases", + "params": { + "subAction": "run", + "subActionParams": { + "timeWindow": "7d", + "reopenClosedCases": false, + "groupingBy": [], + "templateId": null + } + }, + "uuid": "12345678-1234-1234-1234-123456789012" + } + ] + }' + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/schedules/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/schedules/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Find Attack Discovery schedules that match the search criteria. Supports pagination and sorting by various fields. + operationId: FindAttackDiscoverySchedules + parameters: + - description: Page number to return (used for pagination). Defaults to 1. + example: 1 + in: query + name: page + required: false + schema: + type: number + - description: Number of Attack Discovery schedules to return per page (used for pagination). Defaults to 10. + example: 10 + in: query + name: per_page + required: false + schema: + type: number + - description: Field used to sort results. Common fields include 'name', 'created_at', 'updated_at', and 'enabled'. + example: name + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + - description: Sort order direction. Use 'asc' for ascending or 'desc' for descending. Defaults to 'asc'. + example: asc + in: query + name: sort_direction + required: false + schema: + enum: + - asc + - desc + type: string + responses: + '200': + content: + application/json: + example: + data: + - actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + updated_at: '2023-10-31T10:00:00.000Z' + updated_by: elastic + page: 1 + per_page: 10 + total: 1 + schema: + type: object + properties: + data: + description: Array of matched Attack Discovery schedule objects. 
+ items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' + type: array + page: + description: Current page number of the paginated result set. + type: number + per_page: + description: Number of items requested per page. + type: number + total: + description: Total number of Attack Discovery schedules matching the query (across all pages). + type: number + required: + - page + - per_page + - total + - data + description: Indicates a successful call. + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request payload. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message + example: Invalid request payload. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + description: Bad Request response. + summary: Find Attack Discovery schedules that match the search criteria + tags: + - Security Attack discovery API + x-code-samples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/schedules/_find' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/schedules/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/attack_discovery/schedules/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Permanently deletes an Attack Discovery schedule and all associated configuration. + operationId: DeleteAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to delete. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + id: 12345678-1234-1234-1234-123456789012 + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + description: The unique identifier of the deleted Attack Discovery schedule + required: + - id + description: Successfully deleted Attack Discovery schedule, returning the ID of the deleted schedule for confirmation + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. + summary: Delete Attack Discovery schedule + tags: + - Security Attack discovery API + x-code-samples: + - label: Delete an Attack Discovery schedule + lang: curl + source: | + curl \ + --request DELETE 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/schedules/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieves a specific Attack Discovery schedule by its unique identifier. Returns complete schedule configuration including parameters, interval settings, associated actions, and execution history. + operationId: GetAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to retrieve. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + last_execution: + date: '2023-10-31T10:00:00.000Z' + last_duration: 45.2 + status: ok + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + updated_at: '2023-10-31T10:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' + description: Successfully retrieved Attack Discovery schedule with complete configuration and metadata + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. 
+ summary: Get Attack Discovery schedule by ID + tags: + - Security Attack discovery API + x-code-samples: + - label: Get an Attack Discovery schedule by ID + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/attack_discovery/schedules/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Updates an existing Attack Discovery schedule with new configuration. All schedule properties can be modified including name, parameters, interval, and actions. The update operation replaces the entire schedule configuration with the provided values. + operationId: UpdateAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to update. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + requestBody: + content: + application/json: + example: + actions: [] + name: Updated Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 200 + start: now-48h + schedule: + interval: 12h + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps' + description: Updated Attack Discovery schedule configuration. All fields are required as this replaces the entire schedule configuration. 
+ required: true + responses: + '200': + content: + application/json: + example: + actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + name: Updated Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 200 + start: now-48h + schedule: + interval: 12h + updated_at: '2023-10-31T12:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' + description: Successfully updated Attack Discovery schedule with the new configuration and metadata + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. + summary: Update Attack Discovery schedule + tags: + - Security Attack discovery API + x-code-samples: + - label: Update an Attack Discovery schedule + lang: curl + source: | + curl \ + --request PUT 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{ + "name": "Updated Daily Security Analysis", + "params": { + "alerts_index_pattern": ".alerts-security.alerts-default", + "api_config": { + "actionTypeId": "bedrock", + "connectorId": "my-bedrock-connector", + "name": "Claude 3.5 Sonnet" + }, + "size": 200, + "start": "now-48h", + "end": "now" + }, + "schedule": { + "interval": "12h" + }, + "actions": [] + }' + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/schedules/{id}/_disable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules/{id}/_disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Disables an Attack Discovery schedule, preventing it from running according to its configured interval. The schedule configuration is preserved and can be re-enabled later. Any currently running executions will complete, but no new executions will be started. + operationId: DisableAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to disable. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + id: 12345678-1234-1234-1234-123456789012 + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + description: The unique identifier of the disabled Attack Discovery schedule + required: + - id + description: Successfully disabled Attack Discovery schedule, returning the schedule ID for confirmation + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. 
+ summary: Disable Attack Discovery schedule + tags: + - Security Attack discovery API + x-code-samples: + - label: Disable an Attack Discovery schedule + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_disable' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/schedules/{id}/_enable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules/{id}/_enable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Enables a previously disabled Attack Discovery schedule, allowing it to run according to its configured interval. Once enabled, the schedule will begin executing at the next scheduled time based on its interval configuration. + operationId: EnableAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to enable. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + id: 12345678-1234-1234-1234-123456789012 + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + description: The unique identifier of the enabled Attack Discovery schedule + required: + - id + description: Successfully enabled Attack Discovery schedule, returning the schedule ID for confirmation + '400': + content: + application/json: + example: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. + summary: Enable Attack Discovery schedule + tags: + - Security Attack discovery API + x-code-samples: + - label: Enable an Attack Discovery schedule + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_enable' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + /api/cases: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/cases
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `read` or `all` privileges and the `delete` sub-feature privilege for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting. + operationId: deleteCaseDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_ids' + responses: + '204': + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Delete cases + tags: + - cases + x-code-samples: + - label: curl + lang: curl + source: | + curl \ + --request DELETE 'https://localhost:5601/api/cases?ids=%5B%22030e6e34-6470-4001-864f-b229511ad188%22%2C%22e662ff34-0493-4538-b9d1-6706ced02ff2%22%5D' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --header "kbn-xsrf: true" + - label: Console + lang: console + source: | + DELETE kbn:/api/cases?ids=["030e6e34-6470-4001-864f-b229511ad188","e662ff34-0493-4538-b9d1-6706ced02ff2"] + x-metaTags: + - content: Kibana + name: product_name + patch: + description: | + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/cases
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. + operationId: updateCaseDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + requestBody: + content: + application/json: + examples: + updateCaseRequest: + $ref: '#/components/examples/Cases_update_case_request' + schema: + $ref: '#/components/schemas/Cases_update_case_request' + responses: + '200': + content: + application/json: + examples: + updateCaseResponse: + $ref: '#/components/examples/Cases_update_case_response' + schema: + items: + $ref: '#/components/schemas/Cases_case_response_properties' + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Update cases + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/cases
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're creating. + operationId: createCaseDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + requestBody: + content: + application/json: + examples: + createCaseRequest: + $ref: '#/components/examples/Cases_create_case_request' + schema: + $ref: '#/components/schemas/Cases_create_case_request' + required: true + responses: + '200': + content: + application/json: + examples: + createCaseResponse: + $ref: '#/components/examples/Cases_create_case_response' + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Create a case + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/_find: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. + operationId: findCasesDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_assignees_filter' + - $ref: '#/components/parameters/Cases_category' + - $ref: '#/components/parameters/Cases_defaultSearchOperator' + - $ref: '#/components/parameters/Cases_from' + - $ref: '#/components/parameters/Cases_owner_filter' + - $ref: '#/components/parameters/Cases_page_index' + - $ref: '#/components/parameters/Cases_page_size' + - $ref: '#/components/parameters/Cases_reporters' + - $ref: '#/components/parameters/Cases_search' + - $ref: '#/components/parameters/Cases_searchFields' + - $ref: '#/components/parameters/Cases_severity' + - $ref: '#/components/parameters/Cases_sortField' + - $ref: '#/components/parameters/Cases_sort_order' + - $ref: '#/components/parameters/Cases_status' + - $ref: '#/components/parameters/Cases_tags' + - $ref: '#/components/parameters/Cases_to' + responses: + '200': + content: + application/json: + examples: + findCaseResponse: + $ref: '#/components/examples/Cases_find_case_response' + schema: + type: object + properties: + cases: + items: + $ref: '#/components/schemas/Cases_case_response_properties' + maxItems: 10000 + type: array + count_closed_cases: + type: integer + count_in_progress_cases: + type: integer + count_open_cases: + type: integer + page: + type: integer + per_page: + type: integer + total: + type: integer + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. 
+ summary: Search cases + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/{caseId}: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/{caseId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns case details. The response does not include a comments property; use the find case comments API to retrieve comments. The totalComment field reflects the actual number of user comments on the case. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're seeking. + operationId: getCaseDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + responses: + '200': + content: + application/json: + examples: + getDefaultCaseResponse: + $ref: '#/components/examples/Cases_get_case_response' + getDefaultObservabilityCaseResponse: + $ref: '#/components/examples/Cases_get_case_observability_response' + schema: + $ref: '#/components/schemas/Cases_case_response_get_case' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get case information + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/{caseId}/alerts: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/{caseId}/alerts
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. + operationId: getCaseAlertsDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + responses: + '200': + content: + application/json: + examples: + getCaseAlertsResponse: + $ref: '#/components/examples/Cases_get_case_alerts_response' + schema: + items: + $ref: '#/components/schemas/Cases_alert_response_properties' + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get all alerts for a case + tags: + - cases + x-state: Technical preview + x-metaTags: + - content: Kibana + name: product_name + /api/cases/{caseId}/comments: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/cases/{caseId}/comments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Deletes all comments and alerts from a case. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting. + operationId: deleteCaseCommentsDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_case_id' + responses: + '204': + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Delete all case comments and alerts + tags: + - cases + x-codeSamples: + - label: curl + lang: curl + source: | + curl \ + --request DELETE 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments' \ + --header "Authorization: $API_KEY" \ + --header "kbn-xsrf: true" + - label: Console + lang: console + source: | + DELETE kbn:/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments + x-metaTags: + - content: Kibana + name: product_name + patch: + description: | + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/cases/{caseId}/comments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. NOTE: You cannot change the comment type or the owner of a comment. + operationId: updateCaseCommentDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_case_id' + requestBody: + content: + application/json: + examples: + updateCaseCommentRequest: + $ref: '#/components/examples/Cases_update_comment_request' + schema: + $ref: '#/components/schemas/Cases_update_case_comment_request' + required: true + responses: + '200': + content: + application/json: + examples: + updateCaseCommentResponse: + $ref: '#/components/examples/Cases_update_comment_response' + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Update a case comment or alert + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/cases/{caseId}/comments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts. + operationId: addCaseCommentDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_case_id' + requestBody: + content: + application/json: + examples: + createCaseCommentRequest: + $ref: '#/components/examples/Cases_add_comment_request' + schema: + $ref: '#/components/schemas/Cases_add_case_comment_request' + required: true + responses: + '200': + content: + application/json: + examples: + createCaseCommentResponse: + $ref: '#/components/examples/Cases_add_comment_response' + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Add a case comment or alert + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/{caseId}/comments/_find: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/{caseId}/comments/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieves a paginated list of comments for a case. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking. + operationId: findCaseCommentsDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/Cases_page_index' + - $ref: '#/components/parameters/Cases_page_size' + - $ref: '#/components/parameters/Cases_sort_order' + responses: + '200': + content: + application/json: + examples: + findCaseCommentsResponse: + $ref: '#/components/examples/Cases_find_case_comments_response' + schema: + $ref: '#/components/schemas/Cases_find_comments_response' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Find case comments + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/{caseId}/comments/{commentId}: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/cases/{caseId}/comments/{commentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting. + operationId: deleteCaseCommentDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/Cases_comment_id' + responses: + '204': + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Delete a case comment or alert + tags: + - cases + x-codeSamples: + - label: curl + lang: curl + source: | + curl \ + --request DELETE 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2' \ + --header "Authorization: $API_KEY" \ + --header "kbn-xsrf: true" + - label: Console + lang: console + source: | + DELETE kbn:/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2 + x-metaTags: + - content: Kibana + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/{caseId}/comments/{commentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking. + operationId: getCaseCommentDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/Cases_comment_id' + responses: + '200': + content: + application/json: + examples: + getCaseCommentResponse: + $ref: '#/components/examples/Cases_get_comment_response' + schema: + oneOf: + - $ref: '#/components/schemas/Cases_alert_comment_response_properties' + - $ref: '#/components/schemas/Cases_user_comment_response_properties' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get a case comment or alert + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/{caseId}/connector/{connectorId}/_push: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/cases/{caseId}/connector/{connectorId}/_push
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `all` privileges for the **Actions and Connectors** feature in the **Management** section of the Kibana feature privileges. You must also have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're pushing. + operationId: pushCaseDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/Cases_connector_id' + - $ref: '#/components/parameters/Cases_kbn_xsrf' + requestBody: + content: + application/json: + examples: + pushCaseRequest: + summary: Push a case to an external service. No request body is required. + value: null + schema: + nullable: true + type: object + responses: + '200': + content: + application/json: + examples: + pushCaseResponse: + $ref: '#/components/examples/Cases_push_case_response' + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Push a case to an external service + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/{caseId}/files: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/cases/{caseId}/files
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Attach a file to a case. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. The request must include: + - The `Content-Type: multipart/form-data` HTTP header. + - The location of the file that is being uploaded. + operationId: addCaseFileDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_case_id' + requestBody: + content: + multipart/form-data: + examples: + addCaseFileRequest: + summary: Attach a plain text file named "my_attachment". + value: + filename: my_attachment + schema: + $ref: '#/components/schemas/Cases_add_case_file_request' + required: true + responses: + '200': + content: + application/json: + examples: + addCaseFileResponse: + $ref: '#/components/examples/Cases_add_comment_response' + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Attach a file to a case + tags: + - cases + x-codeSamples: + - label: curl + lang: curl + source: | + curl \ + --request POST 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/files' \ + --header "Authorization: $API_KEY" \ + --header "kbn-xsrf: true" \ + --form "file=@/path/to/my_attachment.txt" \ + --form "filename=my_attachment" + x-metaTags: + - content: Kibana + name: product_name + /api/cases/{caseId}/user_actions/_find: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/{caseId}/user_actions/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieves a paginated list of user activity for a case. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're seeking. + operationId: findCaseActivityDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/Cases_page_index' + - $ref: '#/components/parameters/Cases_page_size' + - $ref: '#/components/parameters/Cases_sort_order' + - $ref: '#/components/parameters/Cases_user_action_types' + responses: + '200': + content: + application/json: + examples: + findCaseActivityResponse: + $ref: '#/components/examples/Cases_find_case_activity_response' + schema: + type: object + properties: + page: + type: integer + perPage: + type: integer + total: + type: integer + userActions: + items: + $ref: '#/components/schemas/Cases_user_actions_find_response_properties' + maxItems: 10000 + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Find case activity + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/alerts/{alertId}: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/alerts/{alertId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. + operationId: getCasesByAlertDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_alert_id' + - $ref: '#/components/parameters/Cases_owner_filter' + responses: + '200': + content: + application/json: + examples: + getCasesByAlertResponse: + summary: Cases associated with a given alert. + value: + - createdAt: '2020-02-19T23:06:33.798Z' + description: Investigating suspicious activity + id: 06116b80-e1c3-11ec-be9b-9b1838238ee6 + status: open + title: security_case + totals: + alerts: 1 + events: 0 + userComments: 0 + schema: + items: + $ref: '#/components/schemas/Cases_related_case' + maxItems: 10000 + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get cases for an alert + tags: + - cases + x-state: Technical preview + x-metaTags: + - content: Kibana + name: product_name + /api/cases/configure: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/configure
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get setting details such as the closure type, custom fields, templates, and the default connector for cases. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where the cases were created. + operationId: getCaseConfigurationDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_owner_filter' + responses: + '200': + content: + application/json: + examples: + getConfigurationResponse: + $ref: '#/components/examples/Cases_get_case_configuration_response' + schema: + items: + type: object + properties: + closure_type: + $ref: '#/components/schemas/Cases_closure_types' + connector: + type: object + properties: + fields: + description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. + nullable: true + type: object + id: + description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. + example: none + type: string + name: + description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. 
+ example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + created_at: + example: '2022-06-01T17:07:17.767Z' + format: date-time + type: string + created_by: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + customFields: + description: Custom fields configuration details. + items: + type: object + properties: + defaultValue: + description: | + A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. + oneOf: + - type: string + - type: boolean + key: + description: | + A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. + maxLength: 36 + minLength: 1 + type: string + label: + description: The custom field label that is displayed in the case. + maxLength: 50 + minLength: 1 + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + required: + description: | + Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. + type: boolean + type: array + error: + example: null + nullable: true + type: string + id: + example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 + type: string + mappings: + items: + type: object + properties: + action_type: + example: overwrite + type: string + source: + example: title + type: string + target: + example: summary + type: string + type: array + observableTypes: + description: Custom observable type configuration details. 
+ items: + type: object + properties: + key: + description: The observable type key. + example: d312efda-ec2b-42ec-9e2c-84981795c581 + type: string + label: + description: The observable type label. + example: My observable type + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + templates: + $ref: '#/components/schemas/Cases_templates' + updated_at: + example: '2022-06-01T19:58:48.169Z' + format: date-time + nullable: true + type: string + updated_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + version: + example: WzIwNzMsMV0= + type: string + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get case settings + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/cases/configure
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Case settings include external connection details, custom fields, and templates. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. If you set a default connector, it is automatically selected when you create cases in Kibana. If you use the create case API, however, you must still specify all of the connector details. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where you are creating cases. + operationId: setCaseConfigurationDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + requestBody: + content: + application/json: + examples: + setCaseConfigRequest: + $ref: '#/components/examples/Cases_set_case_configuration_request' + schema: + $ref: '#/components/schemas/Cases_set_case_configuration_request' + responses: + '200': + content: + application/json: + examples: + setCaseConfigResponse: + $ref: '#/components/examples/Cases_set_case_configuration_response' + schema: + type: object + properties: + closure_type: + $ref: '#/components/schemas/Cases_closure_types' + connector: + type: object + properties: + fields: + description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. + nullable: true + type: object + id: + description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. + example: none + type: string + name: + description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. 
+ example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + created_at: + example: '2022-06-01T17:07:17.767Z' + format: date-time + type: string + created_by: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + customFields: + description: Custom fields configuration details. + items: + type: object + properties: + defaultValue: + description: | + A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. + oneOf: + - type: string + - type: boolean + key: + description: | + A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. + maxLength: 36 + minLength: 1 + type: string + label: + description: The custom field label that is displayed in the case. + maxLength: 50 + minLength: 1 + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + required: + description: | + Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. + type: boolean + type: array + error: + example: null + nullable: true + type: string + id: + example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 + type: string + mappings: + items: + type: object + properties: + action_type: + example: overwrite + type: string + source: + example: title + type: string + target: + example: summary + type: string + type: array + observableTypes: + description: Custom observable type configuration details. 
+ items: + type: object + properties: + key: + description: The observable type key. + example: d312efda-ec2b-42ec-9e2c-84981795c581 + type: string + label: + description: The observable type label. + example: My observable type + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + templates: + $ref: '#/components/schemas/Cases_templates' + updated_at: + example: '2022-06-01T19:58:48.169Z' + format: date-time + nullable: true + type: string + updated_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + version: + example: WzIwNzMsMV0= + type: string + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Add case settings + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/configure/{configurationId}: + patch: + description: | + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/cases/configure/{configurationId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Updates setting details such as the closure type, custom fields, templates, and the default connector for cases. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where the case was created. + operationId: updateCaseConfigurationDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_configuration_id' + requestBody: + content: + application/json: + examples: + updateCaseConfigurationRequest: + $ref: '#/components/examples/Cases_update_case_configuration_request' + schema: + $ref: '#/components/schemas/Cases_update_case_configuration_request' + responses: + '200': + content: + application/json: + examples: + updateCaseConfigurationResponse: + $ref: '#/components/examples/Cases_update_case_configuration_response' + schema: + type: object + properties: + closure_type: + $ref: '#/components/schemas/Cases_closure_types' + connector: + type: object + properties: + fields: + description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. + nullable: true + type: object + id: + description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. + example: none + type: string + name: + description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. 
+ example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + created_at: + example: '2022-06-01T17:07:17.767Z' + format: date-time + type: string + created_by: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + customFields: + description: Custom fields configuration details. + items: + type: object + properties: + defaultValue: + description: | + A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. + oneOf: + - type: string + - type: boolean + key: + description: | + A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. + maxLength: 36 + minLength: 1 + type: string + label: + description: The custom field label that is displayed in the case. + maxLength: 50 + minLength: 1 + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + required: + description: | + Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. + type: boolean + type: array + error: + example: null + nullable: true + type: string + id: + example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 + type: string + mappings: + items: + type: object + properties: + action_type: + example: overwrite + type: string + source: + example: title + type: string + target: + example: summary + type: string + type: array + observableTypes: + description: Custom observable type configuration details. 
+ items: + type: object + properties: + key: + description: The observable type key. + example: d312efda-ec2b-42ec-9e2c-84981795c581 + type: string + label: + description: The observable type label. + example: My observable type + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + templates: + $ref: '#/components/schemas/Cases_templates' + updated_at: + example: '2022-06-01T19:58:48.169Z' + format: date-time + nullable: true + type: string + updated_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + version: + example: WzIwNzMsMV0= + type: string + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Update case settings + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/configure/connectors/_find: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/configure/connectors/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get information about connectors that are supported for use in cases. You must have `read` privileges for the **Actions and Connectors** feature in the **Management** section of the Kibana feature privileges. + operationId: findCaseConnectorsDefaultSpace + responses: + '200': + content: + application/json: + examples: + findConnectorResponse: + $ref: '#/components/examples/Cases_find_connector_response' + schema: + items: + type: object + properties: + actionTypeId: + $ref: '#/components/schemas/Cases_connector_types' + config: + additionalProperties: true + type: object + properties: + apiUrl: + type: string + projectKey: + type: string + id: + type: string + isDeprecated: + type: boolean + isMissingSecrets: + type: boolean + isPreconfigured: + type: boolean + name: + type: string + referencedByCount: + type: integer + maxItems: 1000 + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get case connectors + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/reporters: + get: + description: | + Returns information about the users who opened cases. You must have read privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases. The API returns information about the users as they existed at the time of the case creation, including their name, full name, and email address. If any of those details change thereafter or if a user is deleted, the information returned by this API is unchanged. 
+ operationId: getCaseReportersDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_owner_filter' + responses: + '200': + content: + application/json: + examples: + getReportersResponse: + $ref: '#/components/examples/Cases_get_reporters_response' + schema: + items: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + maxItems: 10000 + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get case creators + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/tags: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/tags
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Aggregates and returns a list of case tags. You must have read privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. + operationId: getCaseTagsDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_owner_filter' + responses: + '200': + content: + application/json: + examples: + getTagsResponse: + $ref: '#/components/examples/Cases_get_tags_response' + schema: + items: + type: string + maxItems: 10000 + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get case tags + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/data_views: + get: + operationId: getAllDataViewsDefault + responses: + '200': + content: + application/json: + examples: + getAllDataViewsResponse: + $ref: '#/components/examples/Data_views_get_data_views_response' + schema: + type: object + properties: + data_view: + items: + type: object + properties: + id: + type: string + name: + type: string + namespaces: + items: + type: string + type: array + title: + type: string + typeMeta: + type: object + type: array + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Get all data views + tags: + - data views + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/data_views
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/data_views/data_view: + post: + operationId: createDataViewDefaultw + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + createDataViewRequest: + $ref: '#/components/examples/Data_views_create_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_create_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Create a data view + tags: + - data views + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/data_views/data_view/{viewId}: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/data_views/data_view/{viewId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: When you delete a data view, it cannot be recovered. + operationId: deleteDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '204': + description: Indicates a successful call. + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Delete a data view + tags: + - data views + x-metaTags: + - content: Kibana + name: product_name + get: + operationId: getDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + content: + application/json: + examples: + getDataViewResponse: + $ref: '#/components/examples/Data_views_get_data_view_response' + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Get a data view + tags: + - data views + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/data_views/data_view/{viewId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + post: + operationId: updateDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + updateDataViewRequest: + $ref: '#/components/examples/Data_views_update_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_update_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update a data view + tags: + - data views + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view/{viewId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/data_views/data_view/{viewId}/fields: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view/{viewId}/fields
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update fields presentation metadata such as count, customLabel, customDescription, and format. + operationId: updateFieldsMetadataDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + updateFieldsMetadataRequest: + $ref: '#/components/examples/Data_views_update_field_metadata_request' + schema: + type: object + properties: + fields: + description: The field object. + type: object + required: + - fields + required: true + responses: + '200': + content: + application/json: + schema: + type: object + properties: + acknowledged: + type: boolean + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update data view fields metadata + tags: + - data views + x-metaTags: + - content: Kibana + name: product_name + /api/data_views/data_view/{viewId}/runtime_field: + post: + operationId: createRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + createRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_create_runtime_field_request' + schema: + type: object + properties: + name: + description: | + The name for a runtime field. + type: string + runtimeField: + description: | + The runtime field definition object. + type: object + required: + - name + - runtimeField + required: true + responses: + '200': + content: + application/json: + schema: + type: object + description: Indicates a successful call. 
+ summary: Create a runtime field + tags: + - data views + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + put: + operationId: createUpdateRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - description: | + The ID of the data view fields you want to update. + in: path + name: viewId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_create_runtime_field_request' + schema: + type: object + properties: + name: + description: | + The name for a runtime field. + type: string + runtimeField: + description: | + The runtime field definition object. + type: object + required: + - name + - runtimeField + required: true + responses: + '200': + content: + application/json: + schema: + type: object + properties: + data_view: + type: object + fields: + items: + type: object + type: array + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Create or update a runtime field + tags: + - data views + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/data_views/data_view/{viewId}/runtime_field/{fieldName}: + delete: + operationId: deleteRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + description: Indicates a successful call. + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Delete a runtime field from a data view + tags: + - data views + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + get: + operationId: getRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + content: + application/json: + examples: + getRuntimeFieldResponse: + $ref: '#/components/examples/Data_views_get_runtime_field_response' + schema: + type: object + properties: + data_view: + type: object + fields: + items: + type: object + type: array + description: Indicates a successful call. + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Get a runtime field + tags: + - data views + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + post: + operationId: updateRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + updateRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_update_runtime_field_request' + schema: + type: object + properties: + runtimeField: + description: | + The runtime field definition object. + + You can update following fields: + + - `type` + - `script` + type: object + required: + - runtimeField + required: true + responses: + '200': + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update a runtime field + tags: + - data views + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/data_views/default: + get: + operationId: getDefaultDataViewDefault + responses: + '200': + content: + application/json: + examples: + getDefaultDataViewResponse: + $ref: '#/components/examples/Data_views_get_default_data_view_response' + schema: + type: object + properties: + data_view_id: + type: string + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Get the default data view + tags: + - data views + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/data_views/default
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + post: + operationId: setDefaultDatailViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + setDefaultDataViewRequest: + $ref: '#/components/examples/Data_views_set_default_data_view_request' + schema: + type: object + properties: + data_view_id: + description: | + The data view identifier. NOTE: The API does not validate whether it is a valid identifier. Use `null` to unset the default data view. + nullable: true + type: string + force: + default: false + description: Update an existing default data view identifier. + type: boolean + required: + - data_view_id + required: true + responses: + '200': + content: + application/json: + schema: + type: object + properties: + acknowledged: + type: boolean + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Set the default data view + tags: + - data views + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/default
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/data_views/swap_references: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/swap_references
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Changes saved object references from one data view identifier to another. WARNING: Misuse can break large numbers of saved objects! Practicing with a backup is recommended. + operationId: swapDataViewsDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + swapDataViewRequest: + $ref: '#/components/examples/Data_views_swap_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_swap_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + schema: + type: object + properties: + deleteStatus: + type: object + properties: + deletePerformed: + type: boolean + remainingRefs: + type: integer + result: + items: + type: object + properties: + id: + description: A saved object identifier. + type: string + type: + description: The saved object type. + type: string + type: array + description: Indicates a successful call. + summary: Swap saved object references + tags: + - data views + x-metaTags: + - content: Kibana + name: product_name + /api/data_views/swap_references/_preview: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/swap_references/_preview
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Preview the impact of swapping saved object references from one data view identifier to another. + operationId: previewSwapDataViewsDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + previewSwapDataViewRequest: + $ref: '#/components/examples/Data_views_preview_swap_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_swap_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + schema: + type: object + properties: + result: + items: + type: object + properties: + id: + description: A saved object identifier. + type: string + type: + description: The saved object type. + type: string + type: array + description: Indicates a successful call. + summary: Preview a saved object reference swap + tags: + - data views + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/index: + delete: + operationId: DeleteAlertsIndex + responses: + '200': + content: + application/json: + schema: + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Not enough permissions response + '404': + content: + application/json: + schema: + type: string + description: Index does not exist response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Delete an alerts index + tags: + - Security Detections API + x-metaTags: 
+ - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/detection_engine/index
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + get: + operationId: ReadAlertsIndex + responses: + '200': + content: + application/json: + examples: + success: + value: + index_mapping_outdated: false + name: .alerts-security.alerts-default + schema: + type: object + properties: + index_mapping_outdated: + nullable: true + type: boolean + name: + type: string + required: + - name + - index_mapping_outdated + description: Successful response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Not enough permissions response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Not found + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Reads the alert index name if it exists + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/index
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/index
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates an index for Elastic Security alerts. Calling this API is not + required for the detection engine to function properly. You can create + rules and alerts without calling this API. + operationId: CreateAlertsIndex + responses: + '200': + content: + application/json: + schema: + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Not enough permissions response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Not found + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Create an alerts index + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/privileges: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/privileges
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieves whether or not the user is authenticated, and the user's Kibana + space and index privileges, which determine if the user can create an + index for the Elastic Security alerts generated by + detection engine rules. + operationId: ReadPrivileges + responses: + '200': + content: + application/json: + examples: + success: + value: + application: {} + cluster: + all: true + manage: true + manage_api_key: true + manage_index_templates: true + manage_ml: true + manage_own_api_key: true + manage_pipeline: true + manage_security: true + manage_transform: true + monitor: true + monitor_ml: true + monitor_transform: true + has_all_requested: true + has_encryption_key: true + index: + .alerts-security.alerts-default: + all: true + create: true + create_doc: true + create_index: true + delete: true + delete_index: true + index: true + maintenance: true + manage: true + monitor: true + read: true + view_index_metadata: true + write: true + is_authenticated: true + username: elastic + schema: + type: object + properties: + has_encryption_key: + type: boolean + is_authenticated: + type: boolean + required: + - is_authenticated + - has_encryption_key + description: Successful response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Returns user privileges for the Kibana space + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a detection rule using the `rule_id` or `id` field. + + The URL query must include one of the following: + + * `id` - `DELETE /api/detection_engine/rules?id=` + * `rule_id`- `DELETE /api/detection_engine/rules?rule_id=` + + The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. + operationId: DeleteRule + parameters: + - description: The rule's `id` value. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_UUID' + - description: The rule's `rule_id` value. + in: query + name: rule_id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Delete a detection rule + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl \ + --request DELETE https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ + --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" + x-metaTags: + - content: Kibana + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a detection rule using the `rule_id` or `id` field. + + The URL query must include one of the following: + + * `id` - `GET /api/detection_engine/rules?id=` + * `rule_id` - `GET /api/detection_engine/rules?rule_id=` + + The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. + operationId: ReadRule + parameters: + - description: The rule's `id` value. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_UUID' + - description: The rule's `rule_id` value. + in: query + name: rule_id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + responses: + '200': + content: + application/json: + examples: + example1: + summary: Example response for a retrieved rule + value: + created_at: '2020-02-03T11:19:04.259Z' + created_by: elastic + description: Process started by MS Office program in user folder + enabled: false + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. 
+ metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: [] + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-4200s + id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: MS Office child process + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: process.name + type: keyword + - ecs: true + name: process.parent.name + type: keyword + risk_score: 21 + rule_id: process_started_by_ms_office_user_folder + setup: '' + severity: low + tags: + - child process + - ms office + threat: + - framework: MITRE ATT&CK + tactic: + id: TA0001 + name: Initial Access + reference: https://attack.mitre.org/tactics/TA0001 + technique: + - id: T1193 + name: Spearphishing Attachment + reference: https://attack.mitre.org/techniques/T1193 + to: now-300s + type: query + updated_at: '2020-02-03T11:19:04.462Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: | + Indicates a successful call. + > info + > These fields are under development and their usage or schema may change: execution_summary. 
+ summary: Retrieve a detection rule + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl \ + --request GET https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ + --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" + x-metaTags: + - content: Kibana + name: product_name + patch: + description: | + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update specific fields of an existing detection rule using the `rule_id` or `id` field. + + The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + operationId: PatchRule + requestBody: + content: + application/json: + examples: + example1: + summary: Patch query rule + value: + id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 + name: New name + example2: + summary: Patch EQL rule + value: + rule_id: process_started_by_ms_office_program_possible_payload + threat: + - framework: MITRE ATT&CK + tactic: + id: TA0001 + name: Initial Access + reference: https://attack.mitre.org/tactics/TA0001 + technique: + - id: T1193 + name: Spearphishing Attachment + reference: https://attack.mitre.org/techniques/T1193 + example3: + summary: Patch threshold rule + value: + id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 + query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"' + threshold: + cardinality: [] + field: [] + value: 600 + example4: + summary: Patch new terms rule + value: + history_window_start: now-3d + id: 569aac91-40dc-4807-a8ae-a2c8698089c4 + new_terms_fields: + - Endpoint.policy.applied.artifacts.global.identifiers.name + example5: + summary: Patch esql rule + value: + id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd + query: | + FROM logs-abc* + | STATS count 
= COUNT(*), min_timestamp = MIN(@timestamp) + | EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW()) + | KEEP event_rate + example6: + summary: Patch indicator match rule + value: + id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd + threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"false"' + example7: + summary: Patch machine learning rule + value: + anomaly_threshold: 50 + id: 60b13926-289b-41b1-a537-197ef1fa5059 + machine_learning_job_id: + - auth_high_count_logon_events_ea + schema: + $ref: '#/components/schemas/Security_Detections_API_RulePatchProps' + description: | + > info + > You cannot modify the `id` or `rule_id` values. + required: true + responses: + '200': + content: + application/json: + examples: + example1: + summary: Example response for an updated rule + value: + actions: [] + created_at: '2020-04-07T14:51:09.755Z' + created_by: elastic + description: Updated description for the rule. + enabled: false + false_positives: [] + filters: + - query: null + from: now-70m + id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: Updated Rule Name + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + required_fields: + - name: process.parent.name + risk_score: 50 + rule_id: process_started_by_ms_office_program + setup: '' + severity: low + tags: + - child process + - ms office + threat: [] + to: now + type: query + updated_at: '2020-04-07T14:51:09.970Z' + updated_by: elastic + version: 2 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. 
+ summary: Patch a detection rule + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new detection rule. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + + You can create the following types of rules: + + * **Custom query**: Searches the defined indices and creates an alert when a document matches the rule's KQL query. + * **Event correlation**: Searches the defined indices and creates an alert when results match an [Event Query Language (EQL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html) query. + * **Threshold**: Searches the defined indices and creates an alert when the number of times the specified field's value meets the threshold during a single execution. When there are multiple values that meet the threshold, an alert is generated for each value. + For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. If you're interested, see [Terms Aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html) for more information. + * **Indicator match**: Creates an alert when fields match values defined in the specified [Elasticsearch index](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html). For example, you can create an index for IP addresses and use this index to create an alert whenever an event's `destination.ip` equals a value in the index. 
The index's field mappings should be [ECS-compliant](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html). + * **New terms**: Generates an alert for each new term detected in source documents within a specified time range. + * **ES|QL**: Uses [Elasticsearch Query Language (ES|QL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html) to find events and aggregate search results. + * **Machine learning rules**: Creates an alert when a machine learning job discovers an anomaly above the defined threshold. + > info + > To create machine learning rules, you must have the [appropriate license](https://www.elastic.co/subscriptions) or use a [cloud deployment](https://cloud.elastic.co/registration). Additionally, for the machine learning rule to function correctly, the associated machine learning job must be running. + + To retrieve machine learning job IDs, which are required to create machine learning jobs, call the [Elasticsearch Get jobs API](https://www.elastic.co/guide/en/elasticsearch/reference/current/ml-get-job.html). Machine learning jobs that contain `siem` in the `groups` field can be used to create rules: + + ```json + ... + "job_id": "linux_anomalous_network_activity_ecs", + "job_type": "anomaly_detector", + "job_version": "7.7.0", + "groups": [ + "auditbeat", + "process", + "siem" + ], + ... + ``` + + Additionally, you can set up notifications for when rules create alerts. The notifications use the [Alerting and Actions framework](https://www.elastic.co/docs/explore-analyze/alerting). Each action type requires a connector. Connectors store the information required to send notifications via external systems. 
The following connector types are supported for rule notifications: + + * Slack + * Email + * PagerDuty + * Webhook + * Microsoft Teams + * IBM Resilient + * Jira + * ServiceNow ITSM + > info + > For more information on PagerDuty fields, see [Send a v2 Event](https://developer.pagerduty.com/docs/events-api-v2/trigger-events/). + + To retrieve connector IDs, which are required to configure rule notifications, call the [Find objects API](https://www.elastic.co/docs/api/doc/kibana/operation/operation-findsavedobjects) with `"type": "action"` in the request payload. + + For detailed information on Kibana actions and alerting, and additional API calls, see: + + * [Alerting API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-alerting) + * [Alerting and Actions framework](https://www.elastic.co/docs/explore-analyze/alerting) + * [Connectors API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-connectors) + operationId: CreateRule + requestBody: + content: + application/json: + examples: + example1: + description: Query rule that searches for processes started by MS Office + summary: Query rule + value: + description: Process started by MS Office program - possible payload + enabled: false + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-70m + interval: 1h + language: kuery + name: MS Office child process + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - name: process.parent.name + type: keyword + risk_score: 50 + rule_id: process_started_by_ms_office_program + severity: low + tags: + - child process + - ms office + type: query + example2: + description: Threshold rule that detects multiple failed login attempts to a Windows host from the 
same external source IP address + summary: Threshold rule + value: + description: Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame. + enabled: true + exceptions_list: + - id: int-ips + namespace_type: single + type: detection + from: now-180s + index: + - winlogbeat-* + interval: 2m + name: Windows server prml-19 + query: host.name:prml-19 and event.category:authentication and event.outcome:failure + required_fields: + - name: source.ip + type: ip + risk_score: 30 + rule_id: liv-win-ser-logins + severity: low + severity_mapping: + - field: source.geo.city_name + operator: equals + severity: low + value: Manchester + - field: source.geo.city_name + operator: equals + severity: medium + value: London + - field: source.geo.city_name + operator: equals + severity: high + value: Birmingham + - field: source.geo.city_name + operator: equals + severity: critical + value: Wallingford + tags: + - Brute force + threshold: + field: source.ip + value: 20 + type: threshold + example3: + description: Machine learning rule that creates alerts, and sends Slack notifications, when the linux_anomalous_network_activity_ecs machine learning job discovers anomalies with a threshold of 70 or above. + summary: Machine learning rule + value: + actions: + - action_type_id: .slack + group: default + id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 + params: + message: 'Urgent: {{context.rule.description}}' + anomaly_threshold: 70 + description: Generates alerts when the job discovers anomalies over 70 + enabled: true + from: now-6m + interval: 5m + machine_learning_job_id: linux_anomalous_network_activity_ecs + name: Anomalous Linux network activity + note: Shut down the internet. + risk_score: 70 + rule_id: ml_linux_network_high_threshold + setup: This rule requires data coming in from Elastic Defend. 
+ severity: high + tags: + - machine learning + - Linux + type: machine_learning + example4: + description: Event correlation rule that creates alerts when the Windows rundll32.exe process makes unusual network connections + summary: EQL rule + value: + description: Unusual rundll32.exe network connection + language: eql + name: rundll32.exe network connection + query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")] + required_fields: + - name: event.type + type: keyword + - name: process.args + type: keyword + - name: process.args_count + type: long + - name: process.entity_id + type: keyword + - name: process.name + type: keyword + - name: process.pe.original_file_name + type: keyword + risk_score: 21 + rule_id: eql-outbound-rundll32-connections + severity: low + tags: + - EQL + - Windows + - rundll32.exe + type: eql + example5: + description: | + Indicator match rule that creates an alert when one of the following is true: The event's destination IP address and port number matches destination IP and port values in the threat_index index; The event's source IP address matches a host IP address value in the threat_index index. 
+ summary: Indicator match rule + value: + actions: [] + description: Checks for bad IP addresses listed in the ip-threat-list index + index: + - packetbeat-* + name: Bad IP threat match + query: destination.ip:* or host.ip:* + required_fields: + - name: destination.ip + type: ip + - name: destination.port + type: long + - name: host.ip + type: ip + risk_score: 50 + severity: medium + threat_index: + - ip-threat-list + threat_mapping: + - entries: + - field: destination.ip + type: mapping + value: destination.ip + - field: destination.port + type: mapping + value: destination.port + - entries: + - field: source.ip + type: mapping + value: host.ip + threat_query: '*:*' + type: threat_match + example6: + description: New terms rule that creates alerts a new IP address is detected for a user + summary: New terms rule + value: + description: Detects a user associated with a new IP address + history_window_start: now-30d + index: + - auditbeat* + language: kuery + name: New User IP Detected + new_terms_fields: + - user.id + - source.ip + query: '*' + required_fields: + - name: user.id + type: keyword + - name: source.ip + type: ip + risk_score: 21 + severity: medium + type: new_terms + example7: + description: esql rule that creates alerts from events that match an Excel parent process + summary: Esql rule + value: + description: Find Excel events + enabled: false + from: now-360s + interval: 5m + language: esql + name: Find Excel events + query: from auditbeat-8.10.2 METADATA _id, _version, _index | where process.parent.name == "EXCEL.EXE" + required_fields: + - name: process.parent.name + type: keyword + risk_score: 21 + severity: low + tags: [] + to: now + type: esql + example8: + description: Query rule that searches for processes started by MS Office and suppresses alerts by the process.parent.name field within a 5-hour time period + summary: Query rule 2 + value: + alert_suppression: + duration: + unit: h + value: 5 + group_by: + - process.parent.name + 
missing_fields_strategy: suppress + description: Process started by MS Office program - possible payload + enabled: false + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-70m + interval: 1h + language: kuery + name: MS Office child process + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + risk_score: 50 + rule_id: process_started_by_ms_office_program + severity: low + tags: + - child process + - ms office + type: query + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps' + required: true + responses: + '200': + content: + application/json: + examples: + example1: + description: Example response for a query rule + summary: Query rule response + value: + actions: [] + created_at: '2020-04-07T14:51:09.755Z' + created_by: elastic + description: Process started by MS Office program - possible payload + enabled: false + false_positives: [] + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-70m + id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: MS Office child process + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + - integration: graphactivitylogs + package: azure + version: ^1.11.4 + required_fields: + - ecs: true + name: process.parent.name + type: keyword + risk_score: 50 + rule_id: process_started_by_ms_office_program + setup: '' + severity: low + tags: + - child process + - ms office + threat: [] + to: now + type: query + 
updated_at: '2020-04-07T14:51:09.970Z' + updated_by: elastic + version: 1 + example2: + description: Example response for a machine learning job rule + summary: Machine learning response + value: + actions: + - action_type_id: .slack + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 + params: + message: 'Urgent: {{context.rule.description}}' + anomaly_threshold: 70 + created_at: '2020-04-07T14:45:15.679Z' + created_by: elastic + description: Generates alerts when the job discovers anomalies over 70 + enabled: true + false_positives: [] + from: now-6m + id: 83876f66-3a57-4a99-bf37-416494c80f3b + immutable: false + interval: 5m + machine_learning_job_id: linux_anomalous_network_activity_ecs + max_signals: 100 + name: Anomalous Linux network activity + note: Shut down the internet. + references: [] + related_integrations: [] + required_fields: [] + risk_score: 70 + rule_id: ml_linux_network_high_threshold + setup: '' + severity: high + status: going to run + status_date: '2020-04-07T14:45:21.685Z' + tags: + - machine learning + - Linux + threat: [] + to: now + type: machine_learning + updated_at: '2020-04-07T14:45:15.892Z' + updated_by: elastic + version: 1 + example3: + description: Example response for a threshold rule + summary: Threshold rule response + value: + actions: [] + author: [] + created_at: '2020-07-22T10:27:23.486Z' + created_by: elastic + description: Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame. 
+ enabled: true + exceptions_list: + - id: int-ips + namespace_type: single + type: detection + false_positives: [] + from: now-180s + id: 15dbde26-b627-4d74-bb1f-a5e0ed9e4993 + immutable: false + index: + - winlogbeat-* + interval: 2m + language: kuery + max_signals: 100 + name: Windows server prml-19 + query: host.name:prml-19 and event.category:authentication and event.outcome:failure + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: source.ip + type: ip + risk_score: 30 + risk_score_mapping: [] + rule_id: liv-win-ser-logins + setup: '' + severity: low + severity_mapping: + - field: source.geo.city_name + operator: equals + severity: low + value: Manchester + - field: source.geo.city_name + operator: equals + severity: medium + value: London + - field: source.geo.city_name + operator: equals + severity: high + value: Birmingham + - field: source.geo.city_name + operator: equals + severity: critical + value: Wallingford + tags: + - Brute force + threat: [] + threshold: + field: source.ip + value: 20 + to: now + type: threshold + updated_at: '2020-07-22T10:27:23.673Z' + updated_by: elastic + version: 1 + example4: + description: Example response for an EQL rule + summary: EQL rule response + value: + author: [] + created_at: '2020-10-05T09:06:16.392Z' + created_by: elastic + description: Unusual rundll32.exe network connection + enabled: true + exceptions_list: [] + false_positives: [] + from: now-6m + id: 93808cae-b05b-4dc9-8479-73574b50f8b1 + immutable: false + interval: 5m + language: eql + max_signals: 100 + name: rundll32.exe network connection + query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where 
event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")] + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: event.type + type: keyword + - ecs: true + name: process.args + type: keyword + - ecs: true + name: process.args_count + type: long + - ecs: true + name: process.entity_id + type: keyword + - ecs: true + name: process.name + type: keyword + - ecs: true + name: process.pe.original_file_name + type: keyword + risk_score: 21 + risk_score_mapping: [] + rule_id: eql-outbound-rundll32-connections + setup: '' + severity: low + severity_mapping: [] + tags: + - EQL + - Windows + - rundll32.exe + threat: [] + throttle: no_actions + to: now + type: eql + updated_at: '2020-10-05T09:06:16.403Z' + updated_by: elastic + version: 1 + example5: + description: Example response for an indicator match rule + summary: Indicator match rule response + value: + author: [] + created_at: '2020-10-06T07:07:58.227Z' + created_by: elastic + description: Checks for bad IP addresses listed in the ip-threat-list index + enabled: true + exceptions_list: [] + false_positives: [] + from: now-6m + id: d5daa13f-81fb-4b13-be2f-31011e1d9ae1 + immutable: false + index: + - packetbeat-* + interval: 5m + language: kuery + max_signals: 100 + name: Bad IP threat match + query: destination.ip:* or host.ip:* + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: destination.ip + type: ip + - ecs: true + name: destination.port + type: long + - ecs: true + name: host.ip + type: ip + risk_score: 50 + risk_score_mapping: [] + rule_id: 608501e4-c768-4f64-9326-cec55b5d439b + setup: '' + severity: medium + severity_mapping: [] + tags: [] + threat: [] + threat_index: + - ip-threat-list + threat_mapping: + - entries: + - field: destination.ip + type: mapping + value: destination.ip + - field: destination.port + type: mapping + 
value: destination.port + - entries: + - field: source.ip + type: mapping + value: host.ip + threat_query: '*:*' + to: now + type: threat_match + updated_at: '2020-10-06T07:07:58.237Z' + updated_by: elastic + version: 1 + example6: + description: Example response for a new terms rule + summary: New terms rule response + value: + author: [] + created_at: '2020-10-06T07:07:58.227Z' + created_by: elastic + description: Detects a user associated with a new IP address + enabled: true + exceptions_list: [] + false_positives: [] + from: now-6m + history_window_start: now-30d + id: eb7225c0-566b-11ee-8b4f-bbf3afdeb9f4 + immutable: false + index: + - auditbeat* + interval: 5m + language: kuery + max_signals: 100 + name: New User IP Detected + new_terms_fields: + - user.id + - source.ip + query: '*' + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: user.id + type: keyword + - ecs: true + name: source.ip + type: ip + risk_score: 21 + risk_score_mapping: [] + rule_id: c6f5d0bc-7be9-47d4-b2f3-073d22641e30 + setup: '' + severity: medium + severity_mapping: [] + tags: [] + threat: [] + to: now + type: new_terms + updated_at: '2020-10-06T07:07:58.237Z' + updated_by: elastic + version: 1 + example7: + description: Example response for an Esql rule + summary: Esql rule response + value: + actions: [] + author: [] + created_at: '2023-10-18T10:55:14.269Z' + created_by: elastic + description: Find Excel events + enabled: false + exceptions_list: [] + false_positives: [] + from: now-360s + id: d0f20490-6da4-11ee-b85e-09e9b661f2e2 + immutable: false + interval: 5m + language: esql + max_signals: 100 + name: Find Excel events + output_index: '' + query: from auditbeat-8.10.2 METADATA _id | where process.parent.name == "EXCEL.EXE" + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: process.parent.name + type: keyword + revision: 0 + risk_score: 21 + 
risk_score_mapping: [] + rule_id: e4b53a89-debd-4a0d-a3e3-20606952e589 + setup: '' + severity: low + severity_mapping: [] + tags: [] + threat: [] + to: now + type: esql + updated_at: '2023-10-18T10:55:14.269Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Create a detection rule + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a detection rule using the `rule_id` or `id` field. The original rule is replaced, and all unspecified fields are deleted. + + The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + operationId: UpdateRule + requestBody: + content: + application/json: + examples: + example1: + summary: Update query rule + value: + description: A new description + id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 + name: A new name for the rule + risk_score: 22 + severity: medium + type: query + example2: + summary: Update EQL rule + value: + description: eql rule test + id: 9b684efb-acf9-4323-9bff-8335b3867d14 + index: + - apm-*-transaction* + language: eql + name: New name for EQL rule + query: process where process.name == "regsvr32.exe" + risk_score: 21 + severity: low + type: eql + example3: + summary: Update threshold rule + value: + description: Description of threat rule test + id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 + language: kuery + name: New name for threat rule + query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"' + risk_score: 21 + severity: low + tags: + - new_tag + threshold: + cardinality: [] + field: [] + value: 400 + type: threshold + example4: + summary: Update new terms rule + value: + description: New description + 
history_window_start: now-7d + id: 569aac91-40dc-4807-a8ae-a2c8698089c4 + interval: 5m + name: New terms rule name + new_terms_fields: + - Endpoint.policy.applied.artifacts.global.identifiers.name + query: 'agent.version : "9.1.0"' + risk_score: 21 + severity: low + type: new_terms + example5: + summary: Update esql rule + value: + description: New description for esql rule + id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd + language: esql + name: New name for esql rule + query: | + FROM logs* + | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) /* MIN(dateField) finds the earliest timestamp in the dataset. */ + | EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW()) /* Calculates the event rate by dividing the total count of events by the time difference (in seconds) between the earliest event and the current time. */ + | KEEP event_rate + risk_score: 21 + severity: low + type: esql + example6: + summary: Update indicator match rule + value: + description: New description + id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd + name: New name for Indicator Match rule + query: source.ip:* or destination.ip:*\n + risk_score: 99 + severity: critical + threat_index: + - filebeat-* + - logs-ti_* + threat_mapping: + - entries: + - field: source.ip + type: mapping + value: threat.indicator.ip + - entries: + - field: destination.ip + type: mapping + value: threat.indicator.ip + threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"true"' + type: threat_match + example7: + summary: Update machine learning rule + value: + anomaly_threshold: 50 + description: New description of ml rule + id: 60b13926-289b-41b1-a537-197ef1fa5059 + machine_learning_job_id: + - auth_high_count_logon_events_ea + name: New name of ml rule + risk_score: 21 + severity: low + type: machine_learning + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps' + description: | + > info + 
> All unspecified fields are deleted. You cannot modify the `id` or `rule_id` values. + required: true + responses: + '200': + content: + application/json: + examples: + example1: + summary: Example response for an updated rule + value: + actions: [] + created_at: '2020-04-07T14:51:09.755Z' + created_by: elastic + description: Updated description for the rule. + enabled: false + false_positives: [] + filters: + - query: null + from: now-70m + id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: Updated Rule Name + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + required_fields: + - name: process.parent.name + risk_score: 50 + rule_id: process_started_by_ms_office_program + setup: '' + severity: low + tags: + - child process + - ms office + threat: [] + to: now + type: query + updated_at: '2020-04-07T14:51:09.970Z' + updated_by: elastic + version: 2 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Update a detection rule + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules/_bulk_action: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/_bulk_action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs. + + The edit action allows you to add, delete, or set tags, index patterns, investigation fields, rule actions and schedules for multiple rules at once. + The edit action is idempotent, meaning that if you add a tag to a rule that already has that tag, no changes are made. The same is true for other edit actions, for example removing an index pattern that is not specified in a rule will not result in any changes. The only exception is the `add_rule_actions` and `set_rule_actions` action, which is non-idempotent. This means that if you add or set a rule action to a rule that already has that action, a new action is created with a new unique ID. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + operationId: PerformRulesBulkAction + parameters: + - description: | + Enables dry run mode for the request call. + + Enable dry run mode to verify that bulk actions can be applied to specified rules. Certain rules, such as prebuilt Elastic rules on a Basic subscription, can’t be edited and will return errors in the request response. Error details will contain an explanation, the rule name and/or ID, and additional troubleshooting information. + + To enable dry run mode on a request, add the query parameter `dry_run=true` to the end of the request URL. Rules specified in the request will be temporarily updated. 
These updates won’t be written to Elasticsearch. + > info + > Dry run mode is not supported for the `export` bulk action. A 400 error will be returned in the request response. + in: query + name: dry_run + required: false + schema: + type: boolean + requestBody: + content: + application/json: + examples: + example01: + description: The following request activates all rules with the test tag. + summary: Enable - Enable all rules with the test tag + value: + action: enable + query: 'alert.attributes.tags: "test"' + example02: + description: The following request enables the rule with the specified ID. + summary: Enable - Enable a specific rule by ID. + value: + action: enable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example03: + description: The following request disables the rule with the specified ID. + summary: Disable - Disable a specific rule by ID + value: + action: disable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example04: + description: The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions. + summary: Duplicate - Duplicate rules with specific IDs + value: + action: duplicate + duplicate: + include_exceptions: true + include_expired_exceptions: false + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + - 461a4c22-416e-4009-a9a7-cf79656454bf + example05: + description: The following request deletes the rule with the specified ID. + summary: Delete - Delete a specific rule by ID + value: + action: delete + ids: + - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 + example06: + description: The following request runs the rule with the specified ID within the given date range. + summary: Run - Run a specific rule by ID + value: + action: run + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + run: + end_date: '2025-03-10T23:59:59.999Z' + start_date: '2025-03-01T00:00:00.000Z' + example07: + description: The following request exports the rules with the specified IDs. 
+ summary: Export - Export specific rules by ID + value: + action: export + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example08: + description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true + summary: Edit - dry run - Validate add_index_patterns bulk action + value: + action: edit + edit: + - type: add_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + - de8f5af0-0831-11ed-ac8b-05a222bd8d4a + example09: + description: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made. + summary: Edit - Add a tag to rules (idempotent) + value: + action: edit + edit: + - type: add_tags + value: + - tag-1 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example10: + description: The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made. + summary: Edit - Add two tags to rules (idempotent) + value: + action: edit + edit: + - type: add_tags + value: + - tag-1 + - tag-2 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example11: + description: The following request removes the tag "tag-1" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made. 
+ summary: Edit - Delete a tag from rules (idempotent) + value: + action: edit + edit: + - type: delete_tags + value: + - tag-1 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example12: + description: The following request sets the tags "tag-1" and "tag-2" for the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. + summary: Edit - Set (overwrite existing) tags for rules (idempotent) + value: + action: edit + edit: + - type: set_tags + value: + - tag-1 + - tag-2 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example13: + description: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made. + summary: Edit - Add index patterns to rules (idempotent) + value: + action: edit + edit: + - type: add_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example14: + description: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made. + summary: Edit - Remove index patterns from rules (idempotent) + value: + action: edit + edit: + - type: delete_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example15: + description: The following request sets the index patterns "test-*" and "prod-*" for the rules with the specified IDs, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. 
+ summary: Edit - Set (overwrite existing) index patterns for rules patterns (idempotent) + value: + action: edit + edit: + - type: set_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example16: + description: The following request adds investigation field to the rules with the specified IDs. + summary: Edit - Add investigation field to rules + value: + action: edit + edit: + - type: add_investigation_fields + value: + field_names: + - alert.status + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example17: + description: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made. + summary: Edit - Delete investigation fields from rules (idempotent) + value: + action: edit + edit: + - type: delete_investigation_fields + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + value: + - field1 + - field2 + example18: + description: The following request sets investigation fields for the rules with the specified IDs, overwriting any existing investigation fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made. + summary: Edit - Set (overwrite existing) investigation fields for rules (idempotent) + value: + action: edit + edit: + - type: set_investigation_fields + value: + - field1 + - field2 + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example19: + description: The following request sets a timeline template for the rules with the specified IDs. If the same timeline template is already set for a rule, no changes are made. 
+ summary: Edit - Set (overwrite existing) timeline template for rules (idempotent) + value: + action: edit + edit: + - type: set_timeline + value: + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + ids: + - eacdfc95-e007-41c9-986e-4b2cbdfdc71b + example20: + description: The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made. + summary: Edit - Set (overwrite existing) schedule for rules (idempotent) + value: + action: edit + edit: + - type: set_schedule + value: + interval: 1h + lookback: 30m + ids: + - 99887766-5544-3322-1100-aabbccddeeff + example21: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules (non-idempotent) + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191928 + example22: + description: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID. + summary: Edit - Set (overwrite existing) rule actions for rules (non-idempotent) + value: + action: edit + edit: + - type: set_rule_actions + value: + actions: + - group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191928 + example23: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. 
+ summary: Edit - Add rule actions to rules for a webhook connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example24: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for an email connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + message: The message body + subject: Subject + to: address@domain.com + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example25: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a slack connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + message: The content of the message + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example26: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a PagerDuty connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + eventAction: trigger + severity: critical + summary: The message body + timestamp: '2023-10-31T00:00:00.000Z' + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example27: + description: The following request set alert suppression to the rules with the specified IDs. 
+ summary: Edit - Set alert suppression to rules (idempotent) + value: + action: edit + edit: + - type: set_alert_suppression + value: + duration: + unit: h + value: 1 + group_by: + - source.ip + missing_fields_strategy: suppress + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example28: + description: The following request set alert suppression to threshold rules with the specified IDs. + summary: Edit - Set alert suppression to threshold rules (idempotent) + value: + action: edit + edit: + - type: set_alert_suppression_for_threshold + value: + duration: + unit: h + value: 1 + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example29: + description: The following request removes alert suppression from the rules with the specified IDs. If the rules do not have alert suppression, no changes are made. + summary: Edit - Removes alert suppression from rules (idempotent) + value: + action: edit + edit: + - type: delete_alert_suppression + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example30: + description: The following request triggers the filling of gaps for the specified rule ids and time range + summary: Fill Gaps - Manually trigger the filling of gaps for specified rules + value: + action: fill_gaps + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + - 164d0918-f720-4c9f-9f5c-c5122587cf19 + run: + end_date: '2025-03-10T23:59:59.999Z' + start_date: '2025-03-01T00:00:00.000Z' + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkDisableRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkExportRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkDuplicateRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkManualRuleRun' + - $ref: 
'#/components/schemas/Security_Detections_API_BulkManualRuleFillGaps' + - $ref: '#/components/schemas/Security_Detections_API_BulkEditRules' + responses: + '200': + content: + application/json: + examples: + example01: + description: In this response one rule was updated and one was skipped. Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason. + summary: Successful response + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: 51658332-a15e-4c9e-912a-67214e2e2359 + name: Skipped rule + skip_reason: RULE_NOT_MODIFIED + updated: + - anomaly_threshold: 50 + author: + - Elastic + created_at: '2022-02-21T14:14:13.801Z' + created_by: elastic + description: A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data. + enabled: true + exceptions_list: [] + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. + metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: + - DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded. 
+ from: now-45m + id: 8bc7dad0-9320-11ec-9265-8b772383a08d + immutable: false + interval: 15m + license: Elastic License v2 + machine_learning_job_id: + - packetbeat_dns_tunneling_ea + max_signals: 100 + name: DNS Tunneling [Duplicate] + references: + - https://www.elastic.co/docs/reference/machine-learning/ootb-ml-jobs-siem + related_integrations: [] + required_fields: [] + risk_score: 21 + risk_score_mapping: [] + rule_id: 7289bf08-4e91-4c70-bf01-e04c4c5d7756 + setup: '' + severity: low + severity_mapping: [] + tags: + - Elastic + - Network + - Threat Detection + - ML + threat: [] + to: now + type: machine_learning + updated_at: '2022-02-21T17:05:50.883Z' + updated_by: elastic + version: 6 + summary: + failed: 0 + skipped: 1 + succeeded: 1 + total: 2 + rules_count: 1 + success: true + example02: + description: If processing of any rule fails, a partial error outputs the ID and/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request). + summary: Partial failure + value: + value: + attributes: + errors: + - message: Index patterns can't be added. Machine learning rule doesn't have index patterns property + rules: + - id: 8bc7dad0-9320-11ec-9265-8b772383a08d + name: DNS Tunneling [Duplicate] + status_code: 500 + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: [] + author: + - Elastic + created_at: '2022-02-21T14:14:17.883Z' + created_by: elastic + description: Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app. + enabled: true + exceptions_list: [] + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. 
+ metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: [] + from: now-6m + id: 8e5c1a40-9320-11ec-9265-8b772383a08d + immutable: false + index: + - apm-*-transaction* + - traces-apm* + - auditbeat-* + - filebeat-* + - logs-* + - packetbeat-* + - winlogbeat-* + - added-by-id-* + interval: 5m + language: kuery + license: Elastic License v2 + max_signals: 10000 + name: External Alerts [Duplicate] + query: | + event.kind:alert and not event.module:(endgame or endpoint) + references: [] + related_integrations: [] + required_fields: [] + risk_score: 47 + risk_score_mapping: + - field: event.risk_score + operator: equals + value: '' + rule_id: 941faf98-0cdc-4569-b16d-4af962914d61 + rule_name_override: message + setup: '' + severity: medium + severity_mapping: + - field: event.severity + operator: equals + severity: low + value: '21' + - field: event.severity + operator: equals + severity: medium + value: '47' + - field: event.severity + operator: equals + severity: high + value: '73' + - field: event.severity + operator: equals + severity: critical + value: '99' + tags: + - Elastic + - Network + - Windows + - APM + - macOS + - Linux + threat: [] + timestamp_override: event.ingested + to: now + type: query + updated_at: '2022-02-21T16:56:22.818Z' + updated_by: elastic + version: 5 + summary: + failed: 1 + skipped: 0 + succeeded: 1 + total: 2 + message: Bulk edit partially failed + rules_count: 2 + status_code: 500 + success: false + example03: + description: The attributes.errors section of the response shows that two rules failed to update and one succeeded. The same results would be returned if you ran the request without dry run mode enabled. Notice that there are no arrays in attributes.results. 
In dry run mode, rule updates are not applied and saved to Elasticsearch, so the endpoint wouldn’t return results for rules that have been updated, created, or deleted. + summary: Dry run + value: + attributes: + errors: + - err_code: IMMUTABLE + message: Elastic rule can't be edited + rules: + - id: 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + name: Unusual AWS Command for a User + status_code: 500 + - err_code: MACHINE_LEARNING_INDEX_PATTERN + message: Machine learning rule doesn't have index patterns + rules: + - id: dc015d10-0831-11ed-ac8b-05a222bd8d4a + name: Suspicious Powershell Script [Duplicate] + status_code: 500 + results: + created: [] + deleted: [] + skipped: [] + updated: [] + summary: + failed: 2 + skipped: 0 + succeeded: 1 + total: 3 + message: Bulk edit partially failed + status_code: 500 + example04: + description: This example presents the successful setting of tags for 2 rules. There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated. 
+ summary: Set tags successsully for 2 rules + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: [] + author: [] + created_at: '2025-03-25T11:46:41.899Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-6m + id: 738112cd-6cfa-414a-8457-2a658845d6ba + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 5m + language: kuery + license: '' + max_signals: 100 + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Rule 1 + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 1 + risk_score: 21 + risk_score_mapping: [] + rule_id: 6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + threat: [] + to: now + type: query + updated_at: '2025-03-25T11:47:11.350Z' + updated_by: elastic + version: 2 + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + 
kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Rule 2 + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 33 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T11:47:11.357Z' + updated_by: elastic + version: 24 + summary: + failed: 0 + skipped: 0 + succeeded: 2 + total: 2 + rules_count: 2 + success: true + example05: + description: This example presents the idempotent behavior of the edit action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them. + summary: Idempotent behavior of set_tags + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + name: Rule 1 + skip_reason: RULE_NOT_MODIFIED + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + name: Rule 2 + skip_reason: RULE_NOT_MODIFIED + updated: [] + summary: + failed: 0 + skipped: 2 + succeeded: 0 + total: 2 + rules_count: 2 + success: true + example06: + description: This example presents the idempotent behavior of the edit action with add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added. 
+ summary: Idempotent behavior of add_tags + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + name: Test Rule 2 + skip_reason: RULE_NOT_MODIFIED + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 34 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + - tag-4 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T11:55:12.752Z' + updated_by: elastic + version: 25 + summary: + failed: 0 + skipped: 1 + succeeded: 1 + total: 2 + rules_count: 2 + success: true + example07: + description: This example shows a non-idempotent nature of the set_rule_actions requests. 
Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID. + summary: Non-idempotent behavior for set_rule_actions + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: e48428e5-efac-4856-b8ad-b271c14eaa91 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 39 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + - tag-4 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T12:17:40.528Z' + updated_by: elastic + version: 30 + summary: + failed: 0 + skipped: 0 + succeeded: 1 + total: 1 + rules_count: 1 + success: true + example08: + description: This example shows a non-idempotent nature of the add_rule_actions requests. 
Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID. + summary: Non-idempotent behavior for add_rule_actions + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 + params: + body: Message body + uuid: 0309347e-3954-429c-9168-5da2663389af + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 + params: + body: Message body + uuid: 49ddaa94-d63d-410e-90dc-8c1bad9552bd + author: [] + created_at: '2025-04-02T12:42:03.400Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-6m + id: 0d3eb0cd-88c4-4651-ac87-6d9f0cb87217 + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 5m + language: kuery + license: '' + max_signals: 100 + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Jacek test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 2 + risk_score: 21 + risk_score_mapping: [] + rule_id: 2684c020-1370-4719-ac27-eafe6428fe10 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: [] + threat: [] + to: now + type: query + updated_at: '2025-04-02T12:51:40.215Z' + updated_by: elastic + version: 2 + summary: + failed: 0 + skipped: 0 + succeeded: 1 + total: 1 + rules_count: 1 + success: true + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResponse' + - $ref: 
'#/components/schemas/Security_Detections_API_BulkExportActionResponse' + description: OK + summary: Apply a bulk action to detection rules + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules/_export: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export detection rules to an `.ndjson` file. The following configuration items are also included in the `.ndjson` file: + - Actions + - Exception lists + > info + > Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules. + + > You can use Kibana’s [Saved Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules. + + > Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately. + operationId: ExportRules + parameters: + - description: Determines whether a summary of the exported rules is returned. + in: query + name: exclude_export_details + required: false + schema: + default: false + type: boolean + - description: | + File name for saving the exported rules. + > info + > When using cURL to export rules to a file, use the -O and -J options to save the rules to the file name specified in the URL. 
+ in: query + name: file_name + required: false + schema: + default: export.ndjson + type: string + requestBody: + content: + application/json: + schema: + nullable: true + type: object + properties: + objects: + description: Array of objects with a rule's `rule_id` field. Do not use rule's `id` here. Exports all rules when unspecified. + items: + type: object + properties: + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + required: + - rule_id + type: array + required: + - objects + required: false + responses: + '200': + content: + application/ndjson: + schema: + description: | + An `.ndjson` file containing the returned rules. + + Each line in the file represents an object (a rule, exception list parent container, or exception list item), and the last line includes a summary of what was exported. + format: binary + type: string + description: Indicates a successful call. + summary: Export detection rules + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl -X POST "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' + { + "objects": [ + { + "rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900" + }, + { + "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d" + } + ] + } + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/rules/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page. + operationId: FindRules + parameters: + - in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: | + Search query + + Filters the returned results according to the value of the specified field, using the alert.attributes.: syntax, where can be: + - name + - enabled + - tags + - createdBy + - interval + - updatedBy + > info + > Even though the JSON rule object uses created_by and updated_by fields, you must use createdBy and updatedBy fields in the filter. + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_FindRulesSortField' + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Rules per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + - description: Gaps range start + in: query + name: gaps_range_start + required: false + schema: + type: string + - description: Gaps range end + in: query + name: gaps_range_end + required: false + schema: + type: string + - description: Gap fill statuses + in: query + name: gap_fill_statuses + required: false + schema: + items: + $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' + type: array + - description: Gap auto fill scheduler ID used to determine gap fill status for rules + in: query + name: gap_auto_fill_scheduler_id + required: false + schema: + type: string + responses: + '200': + 
content: + application/json: + examples: + example1: + value: + data: + - created_at: '2020-02-02T10:05:19.613Z' + created_by: elastic + description: Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity. + enabled: false + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. + metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: [] + from: now-6m + id: 89761517-fdb0-4223-b67b-7621acc48f9e + immutable: true + index: + - winlogbeat-* + interval: 5m + language: kuery + max_signals: 33 + name: Windows Script Executing PowerShell + query: 'event.action:"Process Create (rule: ProcessCreate)" and process.parent.name:("wscript.exe" or "cscript.exe") and process.name:"powershell.exe"' + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: event.action + type: keyword + - ecs: true + name: process.name + type: keyword + - ecs: true + name: process.parent.name + type: keyword + risk_score: 21 + rule_id: f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc + setup: '' + severity: low + tags: + - Elastic + - Windows + threat: + - framework: MITRE ATT&CK + tactic: + id: TA0002 + name: Execution + reference: https://attack.mitre.org/tactics/TA0002/ + technique: + - id: T1193 + name: Spearphishing Attachment + reference: https://attack.mitre.org/techniques/T1193/ + to: now + type: query + updated_at: '2020-02-02T10:05:19.830Z' + updated_by: elastic + page: 1 + perPage: 5 + total: 4 + schema: + type: object + properties: + data: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + 
type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + warnings: + items: + $ref: '#/components/schemas/Security_Detections_API_WarningSchema' + type: array + required: + - page + - perPage + - total + - data + description: | + Successful response + > info + > These fields are under development and their usage or schema may change: execution_summary. + summary: List all detection rules + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl -X GET "localhost:5601/api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows" -H 'kbn-xsrf: true' + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules/_import: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/_import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Import detection rules from an `.ndjson` file, including actions and exception lists. The request must include: + - The `Content-Type: multipart/form-data` HTTP header. + - A link to the `.ndjson` file containing the rules. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + > info + > To import rules with actions, you need at least Read privileges for the Action and Connectors feature. To overwrite or add new connectors, you need All privileges for the Actions and Connectors feature. To import rules without actions, you don’t need Actions and Connectors privileges. Refer to [Enable and access detections](https://www.elastic.co/docs/solutions/security/detect-and-alert/detections-privileges) for more information. + + > info + > Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules. + + > You can use Kibana’s [Saved Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules. 
+ + > Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately. + operationId: ImportRules + parameters: + - description: Determines whether existing rules with the same `rule_id` are overwritten. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean + - description: Determines whether existing exception lists with the same `list_id` are overwritten. Both the exception list container and its items are overwritten. + in: query + name: overwrite_exceptions + required: false + schema: + default: false + type: boolean + - description: Determines whether existing actions with the same `kibana.alert.rule.actions.id` are overwritten. + in: query + name: overwrite_action_connectors + required: false + schema: + default: false + type: boolean + - description: Generates a new list ID for each imported exception list. + in: query + name: as_new_list + required: false + schema: + default: false + type: boolean + requestBody: + content: + multipart/form-data: + schema: + type: object + properties: + file: + description: The `.ndjson` file containing the rules. 
+ format: binary + type: string + required: true + responses: + '200': + content: + application/json: + examples: + example1: + summary: Import rules with success + value: + errors: [] + exceptions_errors: [] + exceptions_success: true + exceptions_success_count: 0 + rules_count: 1 + success: true + success_count: 1 + schema: + additionalProperties: false + type: object + properties: + action_connectors_errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + action_connectors_success: + type: boolean + action_connectors_success_count: + minimum: 0 + type: integer + action_connectors_warnings: + items: + $ref: '#/components/schemas/Security_Detections_API_WarningSchema' + type: array + errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + exceptions_errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + exceptions_success: + type: boolean + exceptions_success_count: + minimum: 0 + type: integer + rules_count: + minimum: 0 + type: integer + success: + type: boolean + success_count: + minimum: 0 + type: integer + required: + - exceptions_success + - exceptions_success_count + - exceptions_errors + - rules_count + - success + - success_count + - errors + - action_connectors_errors + - action_connectors_warnings + - action_connectors_success + - action_connectors_success_count + description: Indicates a successful call. + summary: Import detection rules + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl -X POST "/api/detection_engine/rules/_import" + -u : -H 'kbn-xsrf: true' + -H 'Content-Type: multipart/form-data' + --form "file=@" + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules/{id}/exceptions: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/{id}/exceptions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create exception items that apply to a single detection rule. + operationId: CreateRuleExceptionListItems + parameters: + - description: Detection rule's identifier + examples: + id: + value: 330bdd28-eedf-40e1-bed0-f10176c7f9e0 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_UUID' + requestBody: + content: + application/json: + schema: + example: + items: + - description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple + type: object + properties: + items: + items: + $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps' + type: array + required: + - items + description: Rule exception items. + required: true + responses: + '200': + content: + application/json: + examples: + ruleExceptionItems: + value: + - _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + schema: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + type: array + description: Successful response + '400': + content: + application/json: + examples: + badPayload: + value: + error: Bad Request + message: Invalid request payload JSON format + statusCode: 400 + badRequest: + value: + error: Bad Request + message: '[request params]: id: Invalid uuid' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + message: Unable to create exception-list + status_code: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal 
Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create rule exception items + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules/prepackaged: + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/detection_engine/rules/prepackaged
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install and update all Elastic prebuilt detection rules and Timelines. + + This endpoint allows you to install and update prebuilt detection rules and Timelines provided by Elastic. + When you call this endpoint, it will: + - Install any new prebuilt detection rules that are not currently installed in your system. + - Update any existing prebuilt detection rules that have been modified or improved by Elastic. + - Install any new prebuilt Timelines that are not currently installed in your system. + - Update any existing prebuilt Timelines that have been modified or improved by Elastic. + + This ensures that your detection engine is always up-to-date with the latest rules and Timelines, + providing you with the most current and effective threat detection capabilities. + operationId: InstallPrebuiltRulesAndTimelines + responses: + '200': + content: + application/json: + examples: + example1: + value: + rules_installed: 112 + rules_updated: 0 + timelines_installed: 5 + timelines_updated: 2 + schema: + additionalProperties: false + type: object + properties: + rules_installed: + description: The number of rules installed + minimum: 0 + type: integer + rules_updated: + description: The number of rules updated + minimum: 0 + type: integer + timelines_installed: + description: The number of timelines installed + minimum: 0 + type: integer + timelines_updated: + description: The number of timelines updated + minimum: 0 + type: integer + required: + - rules_installed + - rules_updated + - timelines_installed + - timelines_updated + description: Indicates a successful call + summary: Install prebuilt detection rules and Timelines + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules/prepackaged/_status: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/rules/prepackaged/_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve the status of all Elastic prebuilt detection rules and Timelines. + + This endpoint provides detailed information about the number of custom rules, installed prebuilt rules, available prebuilt rules that are not installed, outdated prebuilt rules, installed prebuilt timelines, available prebuilt timelines that are not installed, and outdated prebuilt timelines. + operationId: ReadPrebuiltRulesAndTimelinesStatus + responses: + '200': + content: + application/json: + examples: + example1: + value: + rules_custom_installed: 0 + rules_installed: 0 + rules_not_installed: 112 + rules_not_updated: 0 + timelines_installed: 0 + timelines_not_installed: 0 + timelines_not_updated: 0 + schema: + additionalProperties: false + type: object + properties: + rules_custom_installed: + description: The total number of custom rules + minimum: 0 + type: integer + rules_installed: + description: The total number of installed prebuilt rules + minimum: 0 + type: integer + rules_not_installed: + description: The total number of available prebuilt rules that are not installed + minimum: 0 + type: integer + rules_not_updated: + description: The total number of outdated prebuilt rules + minimum: 0 + type: integer + timelines_installed: + description: The total number of installed prebuilt timelines + minimum: 0 + type: integer + timelines_not_installed: + description: The total number of available prebuilt timelines that are not installed + minimum: 0 + type: integer + timelines_not_updated: + description: The total number of outdated prebuilt timelines + minimum: 0 + type: integer + required: + - rules_custom_installed + - rules_installed + - rules_not_installed + - rules_not_updated + - timelines_installed + - timelines_not_installed + - timelines_not_updated + description: Indicates a successful call + summary: Retrieve the status of prebuilt detection rules and Timelines + 
tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules/preview: + post: + operationId: RulePreview + parameters: + - description: Enables logging and returning in response ES queries, performed during rule execution + in: query + name: enable_logged_requests + required: false + schema: + type: boolean + requestBody: + content: + application/json: + schema: + anyOf: + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + discriminator: + propertyName: type + description: An object containing tags to add or remove and alert ids the changes will be applied + required: true + responses: + '200': + content: + application/json: + schema: + type: 
object + properties: + isAborted: + type: boolean + logs: + items: + $ref: '#/components/schemas/Security_Detections_API_RulePreviewLogs' + type: array + previewId: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + required: + - logs + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Preview rule alerts generated on specified time range + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/preview
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/detection_engine/signals/assignees: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/assignees
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Assign users to detection alerts, and unassign them from alerts. + > info + > You cannot add and remove the same assignee in the same request. + operationId: SetAlertAssignees + requestBody: + content: + application/json: + examples: + add: + $ref: '#/components/examples/Security_Detections_API_SetAlertAssigneesBodyAdd' + remove: + $ref: '#/components/examples/Security_Detections_API_SetAlertAssigneesBodyRemove' + schema: + $ref: '#/components/schemas/Security_Detections_API_SetAlertAssigneesBody' + required: true + responses: + '200': + content: + application/ndjson: + examples: + add: + value: + batches: 1, + deleted: 0, + failures: [] + noops: 0, + requests_per_second: '-1,' + retries: + - bulk: 0, + - search: 0 + throttled_millis: 0, + throttled_until_millis: 0, + timed_out: false, + took: 76, + total: 1, + updated: 1, + version_conflicts: 0, + description: Indicates a successful call. + '400': + description: Invalid request. + summary: Assign and unassign users from detection alerts + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/signals/finalize_migration: + post: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/finalize_migration
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Finalize successful migrations of detection alerts. This replaces the original index's alias with the successfully migrated index's alias. + The endpoint is idempotent; therefore, it can safely be used to poll a given migration and, upon completion, + finalize it. + operationId: FinalizeAlertsMigration + requestBody: + content: + application/json: + schema: + example: + migration_ids: + - 924f7c50-505f-11eb-ae0a-3fa2e626a51d + type: object + properties: + migration_ids: + description: Array of `migration_id`s to finalize. + items: + type: string + minItems: 1 + type: array + required: + - migration_ids + description: Array of `migration_id`s to finalize + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + migrations: + - completed: true + destinationIndex: .siem-signals-default-000002-r000016 + id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d + sourceIndex: .siem-signals-default-000002 + status: success + updated: '2021-01-06T22:05:56.859Z' + version: 16 + schema: + items: + $ref: '#/components/schemas/Security_Detections_API_MigrationFinalizationResult' + type: array + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Finalize detection alert migrations + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: 
product_name + /api/detection_engine/signals/migration: + delete: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/detection_engine/signals/migration
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Migrations favor data integrity over shard size. Consequently, unused or orphaned indices are artifacts of + the migration process. A successful migration will result in both the old and new indices being present. + As such, the old, orphaned index can (and likely should) be deleted. + + While you can delete these indices manually, + the endpoint accomplishes this task by applying a deletion policy to the relevant index, causing it to be deleted + after 30 days. It also deletes other artifacts specific to the migration implementation. + operationId: AlertsMigrationCleanup + requestBody: + content: + application/json: + schema: + example: + migration_ids: + - 924f7c50-505f-11eb-ae0a-3fa2e626a51d + type: object + properties: + migration_ids: + description: Array of `migration_id`s to cleanup. + items: + type: string + minItems: 1 + type: array + required: + - migration_ids + description: Array of `migration_id`s to cleanup + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + migrations: + - destinationIndex: .siem-signals-default-000002-r000016 + id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d + sourceIndex: .siem-signals-default-000002 + status: success + updated: '2021-01-06T22:05:56.859Z' + version: 16 + schema: + items: + $ref: '#/components/schemas/Security_Detections_API_MigrationCleanupResult' + type: array + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + 
schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Clean up detection alert migrations + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + post: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/migration
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initiate a migration of detection alerts. + Migrations are initiated per index. While the process is neither destructive nor interferes with existing data, it may be resource-intensive. As such, it is recommended that you plan your migrations accordingly. + operationId: CreateAlertsMigration + requestBody: + content: + application/json: + examples: + singleIndex: + value: + index: + - .siem-signals-default-000001 + schema: + allOf: + - type: object + properties: + index: + description: Array of index names to migrate. + items: + format: nonempty + minLength: 1 + type: string + minItems: 1 + type: array + required: + - index + - $ref: '#/components/schemas/Security_Detections_API_AlertsReindexOptions' + description: Alerts migration parameters + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + indices: + - index: .siem-signals-default-000001, + migration_id: 923f7c50-505f-11eb-ae0a-3fa2e626a51d + migration_index: .siem-signals-default-000001-r000016 + schema: + type: object + properties: + indices: + items: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexMigrationSuccess' + - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexMigrationError' + - $ref: '#/components/schemas/Security_Detections_API_SkippedAlertsIndexMigration' + type: array + required: + - indices + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + schema: 
+ $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Initiate a detection alert migration + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/signals/migration_status: + get: + deprecated: true + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/signals/migration_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve indices that contain detection alerts of a particular age, along with migration information for each of those indices. + operationId: ReadAlertsMigrationStatus + parameters: + - description: Maximum age of qualifying detection alerts + in: query + name: from + required: true + schema: + description: | + Time from which data is analyzed. For example, now-4200s means the rule analyzes data from 70 minutes + before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time). + example: now-30d + format: date-math + type: string + responses: + '200': + content: + application/json: + examples: + success: + value: + indices: + - index: .siem-signals-default-000002 + is_outdated: true + migrations: + - id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d + status: pending + updated: '2021-01-06T20:41:37.173Z' + version: 16 + signal_versions: + - count: 100 + version: 15 + - count: 87 + version: 16 + version: 15 + - index: .siem-signals-default-000003 + is_outdated: false + migrations: [] + signal_versions: + - count: 54 + version: 16 + version: 16 + schema: + type: object + properties: + indices: + items: + $ref: '#/components/schemas/Security_Detections_API_IndexMigrationStatus' + type: array + required: + - indices + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response 
+ summary: Retrieve the status of detection alert migrations + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/signals/search: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/search
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Find and/or aggregate detection alerts that match the given query. + operationId: SearchAlerts + requestBody: + content: + application/json: + examples: + query: + value: + aggs: + alertsByGrouping: + terms: + field: host.name + size: 10 + missingFields: + missing: + field: host.name + query: + bool: + filter: + - bool: + filter: + - match_phrase: + kibana.alert.workflow_status: open + must: [] + must_not: + - exists: + field: kibana.alert.building_block_type + should: [] + - range: + '@timestamp': + gte: '2025-01-17T08:00:00.000Z' + lte: '2025-01-18T07:59:59.999Z' + runtime_mappings: {} + size: 0 + schema: + $ref: '#/components/schemas/Security_Detections_API_QueryAlertsBodyParams' + description: Elasticsearch query and aggregation request + description: Search and/or aggregation query + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + _shards: + failed: 0 + skipped: 0 + successful: 1 + total: 1 + aggregations: + alertsByGrouping: + buckets: + - doc_count: 5 + key: Host-f43kkddfyc + doc_count_error_upper_bound: 0 + sum_other_doc_count: 0 + missingFields: + doc_count: 0 + hits: + hits: [] + max_score: null + total: + relation: eq + value: 5 + timed_out: false + took: 0 + schema: + additionalProperties: true + description: Elasticsearch search response + type: object + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + schema: + $ref: 
'#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Find and/or aggregate detection alerts + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/signals/status: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Set the status of one or more detection alerts. + operationId: SetAlertsStatus + requestBody: + content: + application/json: + examples: + byId: + value: + signal_ids: + - 80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1 + status: closed + byQuery: + value: + conflicts: proceed + query: + bool: + filter: + - '@timestamp': + format: strict_date_optional_time + gte: '2024-10-23T07:00:00.000Z' + lte: '2025-01-21T20:12:11.704Z' + range: null + - bool: + filter: + bool: + filter: + - match_phrase: + kibana.alert.workflow_status: open + - '@timestamp': + format: strict_date_optional_time + gte: '2024-10-23T07:00:00.000Z' + lte: '2025-01-21T20:12:11.704Z' + range: null + must: [] + must_not: + - exists: + field: kibana.alert.building_block_type + should: [] + must: [] + must_not: [] + should: [] + status: closed + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByIds' + - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByQuery' + description: An object containing desired status and explicit alert ids or a query to select alerts + required: true + responses: + '200': + content: + application/json: + examples: + byId: + value: + batches: 1 + deleted: 0 + failures: [] + noops: 0 + requests_per_second: -1 + retries: + bulk: 0 + search: 0 + throttled_millis: 0 + throttled_until_millis: 0 + timed_out: false + took: 81 + total: 1 + updated: 1 + version_conflicts: 0 + byQuery: + value: + batches: 1 + deleted: 0 + failures: [] + noops: 0 + requests_per_second: -1 + retries: + bulk: 0 + search: 0 + throttled_millis: 0 + throttled_until_millis: 0 + timed_out: false + took: 100 + total: 17 + updated: 17 + version_conflicts: 0 + schema: + additionalProperties: true + description: Elasticsearch update by query response + type: object + description: Successful response + '400': + content: + application/json: + 
schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Set a detection alert status + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/signals/tags: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/tags
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + And tags to detection alerts, and remove them from alerts. + > info + > You cannot add and remove the same alert tag in the same request. + operationId: SetAlertTags + requestBody: + content: + application/json: + examples: + add: + $ref: '#/components/examples/Security_Detections_API_SetAlertTagsBodyAdd' + remove: + $ref: '#/components/examples/Security_Detections_API_SetAlertTagsBodyRemove' + schema: + $ref: '#/components/schemas/Security_Detections_API_SetAlertTagsBody' + description: An object containing tags to add or remove and alert ids the changes will be applied + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + batches: 1, + deleted: 0, + failures: [] + noops: 0, + requests_per_second: '-1,' + retries: + bulk: 0, + search: 0 + throttled_millis: 0, + throttled_until_millis: 0, + timed_out: false, + took: 68, + total: 1, + updated: 1, + version_conflicts: 0, + schema: + additionalProperties: true + description: Elasticsearch update by query response + type: object + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Add and remove detection alert tags + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/tags: + get: + description: |- + **Spaces method and 
path for this operation:** + +
get /s/{space_id}/api/detection_engine/tags
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all unique tags from all detection rules. + operationId: ReadTags + responses: + '200': + content: + application/json: + examples: + example1: + value: + - zeek + - suricata + - windows + - linux + - network + - initial access + - remote access + - phishing + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + description: Indicates a successful call + summary: List all detection rule tags + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/encrypted_saved_objects/_rotate_key: + post: + description: | + Superuser role required. + + If a saved object cannot be decrypted using the primary encryption key, then Kibana will attempt to decrypt it using the specified decryption-only keys. In most of the cases this overhead is negligible, but if you're dealing with a large number of saved objects and experiencing performance issues, you may want to rotate the encryption key. + + This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. + operationId: rotateEncryptionKey + parameters: + - description: | + Specifies a maximum number of saved objects that Kibana can process in a single batch. Bulk key rotation is an iterative process since Kibana may not be able to fetch and process all required saved objects in one go and splits processing into consequent batches. By default, the batch size is 10000, which is also a maximum allowed value. + in: query + name: batch_size + required: false + schema: + default: 10000 + type: number + - description: | + Limits encryption key rotation only to the saved objects with the specified type. 
By default, Kibana tries to rotate the encryption key for all saved object types that may contain encrypted attributes. + in: query + name: type + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + rotateEncryptionKeyResponse: + $ref: '#/components/examples/Saved_objects_key_rotation_response' + schema: + type: object + properties: + failed: + description: | + Indicates the number of the saved objects that were still encrypted with one of the old encryption keys that Kibana failed to re-encrypt with the primary key. + type: number + successful: + description: | + Indicates the total number of all encrypted saved objects (optionally filtered by the requested `type`), regardless of the key Kibana used for encryption. + + NOTE: In most cases, `total` will be greater than `successful` even if `failed` is zero. The reason is that Kibana may not need or may not be able to rotate encryption keys for all encrypted saved objects. + type: number + total: + description: | + Indicates the total number of all encrypted saved objects (optionally filtered by the requested `type`), regardless of the key Kibana used for encryption. + type: number + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + '429': + content: + application/json: + schema: + type: object + description: Already in progress. + summary: Rotate a key for encrypted saved objects + tags: + - saved objects + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint_list: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint_list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create the exception list for Elastic Endpoint rule exceptions. When you create the exception list, it will have a `list_id` of `endpoint_list`. If the Elastic Endpoint exception list already exists, your request will return an empty response. + operationId: CreateEndpointList + responses: + '200': + content: + application/json: + examples: + alreadyExists: + summary: Endpoint exception list already exists (empty response) + value: {} + newList: + summary: Endpoint exception list created + value: + created_at: '2025-01-01T00:00:00.000Z' + created_by: elastic + description: Endpoint Security Exception List + id: 2e23a8c4-ef7e-4c10-adfa-3eae4e4b4b8b + immutable: false + list_id: endpoint_list + name: Endpoint Security Exception List + namespace_type: agnostic + os_types: [] + tags: [] + tie_breaker_id: e3c5a8e0-5b6a-4b4b-8b3a-2e23a8c4ef7e + type: endpoint + updated_at: '2025-01-01T00:00:00.000Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointList' + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Create an Elastic Endpoint rule 
exception list + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint_list/items: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/endpoint_list/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. + operationId: DeleteEndpointListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' + responses: + '200': + content: + application/json: + examples: + deleted: + summary: Deleted endpoint exception list item + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: [] + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + 
schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list item not found + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Delete an Elastic Endpoint exception list item + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint_list/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. + operationId: ReadEndpointListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' + responses: + '200': + content: + application/json: + examples: + item: + summary: Endpoint exception list item + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + 
application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list item not found + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Get an Elastic Endpoint rule exception list item + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint_list/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create an Elastic Endpoint exception list item, and associate it with the Elastic Endpoint exception list. + operationId: CreateEndpointListItem + requestBody: + content: + application/json: + examples: + matchAny: + summary: Exclude multiple process names + value: + description: Exclude common security tools from endpoint protection + entries: + - field: process.name + operator: included + type: match_any + value: + - scanner.exe + - updater.exe + name: Trusted security tools + os_types: + - windows + type: simple + simpleMatch: + summary: Block a specific file hash + value: + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + name: Block malicious file + os_types: + - windows + tags: + - policy:all + type: simple + schema: + type: object + properties: + comments: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' + default: [] + description: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' + entries: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' + item_id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' + meta: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' + os_types: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' + default: [] + type: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' + required: + - type + - name + - 
description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + created: + summary: Endpoint exception list item created + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '409': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list item already exists + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Create an Elastic Endpoint rule exception list item 
+ tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/endpoint_list/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. + operationId: UpdateEndpointListItem + requestBody: + content: + application/json: + examples: + updateName: + summary: Update an endpoint exception list item + value: + description: Updated description for the exception + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + item_id: block-malicious-file + name: Block malicious file (updated) + os_types: + - windows + - linux + type: simple + schema: + type: object + properties: + _version: + description: The version id, normally returned by the API when the item is retrieved. Use it ensure updates are made against the latest version. + type: string + comments: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' + default: [] + description: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' + entries: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' + id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' + description: Either `id` or `item_id` must be specified + item_id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' + description: Either `id` or `item_id` must be specified + meta: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' + os_types: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' + type: + $ref: 
'#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' + required: + - type + - name + - description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + updated: + summary: Endpoint exception list item updated + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Updated description for the exception + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file (updated) + namespace_type: agnostic + os_types: + - windows + - linux + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-15T09:30:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list item not found + '500': + content: + application/json: + schema: + $ref: 
'#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Update an Elastic Endpoint rule exception list item + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint_list/items/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint_list/items/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all Elastic Endpoint exception list items. + operationId: FindEndpointListItems + parameters: + - description: | + Filters the returned results according to the value of the specified field, + using the `:` syntax. + in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + - description: The page number to return + in: query + name: page + required: false + schema: + minimum: 0 + type: integer + - description: The number of exception list items to return per page + in: query + name: per_page + required: false + schema: + minimum: 0 + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + responses: + '200': + content: + application/json: + examples: + foundItems: + summary: Found endpoint exception list items + value: + data: + - comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + page: 1 + per_page: 20 + total: 1 + schema: + type: object + properties: + data: + description: The list 
of endpoint exception list items. + items: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + type: array + page: + description: The current page number. + minimum: 0 + type: integer + per_page: + description: The number of items per page. + minimum: 0 + type: integer + pit: + description: The point-in-time ID for pagination. + type: string + total: + description: The total number of endpoint exception list items. + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list not found + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Get Elastic Endpoint exception list items + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all response actions. + operationId: EndpointGetActionsList + parameters: + - in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + - in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' + - in: query + name: commands + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' + - in: query + name: agentIds + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + - in: query + name: userIds + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' + - in: query + name: startDate + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' + - in: query + name: endDate + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' + - in: query + name: agentTypes + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + - in: query + name: withOutputs + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' + - in: query + name: types + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse' + description: Indicates a successful call. + summary: Get response actions + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action_status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the status of response actions for the specified agent IDs. + operationId: EndpointGetActionsStatus + parameters: + - description: A list of agent IDs to get the action status for. + in: query + name: agent_ids + required: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse' + description: Indicates a successful call. + summary: Get response actions status + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/{action_id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action/{action_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a response action using the action ID. + operationId: EndpointGetActionsDetails + parameters: + - in: path + name: action_id + required: true + schema: + description: The ID of the action to retrieve. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + type: string + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionDetailsResponse' + description: OK + summary: Get action details + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/{action_id}/file/{file_id}: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action/{action_id}/file/{file_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get information for the specified response action file download. + operationId: EndpointFileInfo + parameters: + - description: The ID of the response action that generated the file. + in: path + name: action_id + required: true + schema: + type: string + - description: | + The file identifier is constructed in one of two ways: + - For Elastic Defend agents (`agentType` of `endpoint`): combine the `action_id` and `agent_id` values using a dot (`.`) separator: + `{file_id}` = `{action_id}.{agent_id}` + - For all other agent types: the `file_id` is the `agent_id` for which the response action was sent to. + in: path + name: file_id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + schema: + properties: + data: + type: object + properties: + actionId: + description: The response action ID. + type: string + agentId: + description: The agent ID that generated the file. + type: string + agentType: + description: The type of agent that generated the file. + type: string + created: + description: The date and time the file was created. + format: date-time + type: string + id: + description: The unique file identifier. + type: string + mimeType: + description: The MIME type of the file. + type: string + name: + description: The file name. + type: string + size: + description: The file size in bytes. + type: number + status: + description: The file upload status. + enum: + - AWAITING_UPLOAD + - UPLOADING + - READY + - UPLOAD_ERROR + - DELETED + type: string + description: Indicates a successful call. + summary: Get file information + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/{action_id}/file/{file_id}/download: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action/{action_id}/file/{file_id}/download
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Download a file associated with a response action. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment. + > info + > Files retrieved from third-party-protected hosts require a different password. Refer to [Third-party response actions](https://www.elastic.co/docs/solutions/security/endpoint-response-actions/third-party-response-actions) for your system's password. + operationId: EndpointFileDownload + parameters: + - description: The ID of the response action that generated the file. + in: path + name: action_id + required: true + schema: + type: string + - description: | + The file identifier is constructed in one of two ways: + - For Elastic Defend agents (`agentType` of `endpoint`): combine the `action_id` and `agent_id` values using a dot (`.`) separator: + `{file_id}` = `{action_id}.{agent_id}` + - For all other agent types: the `file_id` is the `agent_id` for which the response action was sent to. + in: path + name: file_id + required: true + schema: + type: string + responses: + '200': + content: + application/octet-stream: + schema: + format: binary + type: string + description: Indicates a successful call. + summary: Download a file + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/cancel: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/cancel
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Cancel a running or pending response action (Applies only to some agent types). + operationId: CancelAction + requestBody: + content: + application/json: + examples: + MicrosoftDefenderEndpoint: + summary: Cancel a response action on a Microsoft Defender for Endpoint host + value: + agent_type: microsoft_defender_endpoint + comment: Cancelling action due to change in requirements + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CancelRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + CancelSuccess: + summary: Cancel action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: microsoft_defender_endpoint + command: cancel + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Cancel a response action + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/execute: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/execute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Run a shell command on an endpoint. + operationId: EndpointExecuteAction + requestBody: + content: + application/json: + examples: + executeCommand: + summary: Execute a shell command on an endpoint + value: + comment: Get list of all files + endpoint_ids: + - b3d6de74-36b0-4fa8-be46-c375bf1771bf + parameters: + command: ls -al + timeout: 600 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + ExecuteSuccess: + summary: Execute action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: execute + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 9f934028-2300-4927-b531-b26376793dc4 + isCompleted: false + isExpired: false + outputs: {} + parameters: + command: ls -al + timeout: 600 + startedAt: '2023-07-28T18:43:27.362Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Run a command + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/get_file: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/get_file
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a file from an endpoint. + operationId: EndpointGetFileAction + requestBody: + content: + application/json: + examples: + getFile: + summary: Get a specific file from an endpoint + value: + comment: Get my file + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + GetFileSuccess: + summary: Get file action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: get-file + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Get a file + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/isolate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/isolate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Isolate an endpoint from the network. The endpoint remains isolated until it's released. + operationId: EndpointIsolateAction + requestBody: + content: + application/json: + examples: + multiple_endpoints: + summary: Isolates several hosts; includes a comment + value: + comment: Locked down, pending further investigation + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + single_endpoint: + summary: Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + with_case_id: + summary: Isolates a single host with a case_id value of 1234 + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Isolating as initial response + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e + schema: + type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + case_ids: + description: The IDs of cases where the action taken will be logged. Max of 50. 
+ example: + - case-id-1 + - case-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + required: true + responses: + '200': + content: + application/json: + examples: + IsolateSuccess: + summary: Isolate action successfully created + value: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: isolate + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse' + description: Indicates a successful call. + summary: Isolate an endpoint + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/kill_process: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/kill_process
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Terminate a running process on an endpoint. + operationId: EndpointKillProcessAction + requestBody: + content: + application/json: + examples: + byEntityId: + summary: Terminate a process by entity ID + value: + comment: Terminating malicious process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + byPid: + summary: Terminate a process by PID + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + pid: 1234 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + KillProcessSuccess: + summary: Kill process action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: kill-process + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Terminate a process + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/memory_dump: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/memory_dump
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Generates memory dumps on the targeted host. + operationId: EndpointGenerateMemoryDump + requestBody: + content: + application/json: + examples: + ProcessMemoryDump: + summary: Generate a memory dump from the host machine + value: + agent_type: endpoint + comment: Generating memory dump for investigation + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + type: process + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_MemoryDumpRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + MemoryDumpSuccessResponse: + summary: Memory dump action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: memory-dump + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + entity_id: abc123 + type: process + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Generate a memory dump from the host machine + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/running_procs: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/running_procs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all processes running on an endpoint. + operationId: EndpointGetProcessesAction + requestBody: + content: + application/json: + examples: + singleEndpoint: + summary: Get running processes on a single endpoint + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + RunningProcsSuccess: + summary: Running processes action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: running-processes + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Get running processes + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/runscript: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/runscript
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Run a script on a host. Currently supported only for some agent types. + operationId: RunScriptAction + requestBody: + content: + application/json: + examples: + MDE: + description: Microsoft Defender Endpoint runscript + summary: Run a script against a Microsoft Defender Endpoint agent + value: + agent_type: microsoft_defender_endpoint + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + args: '-param1 value1 -param2 value2' + scriptName: my-script.ps1 + SentinelOne: + description: SentinelOne runscript + summary: Run a script against a SentinelOne agent + value: + agent_type: sentinel_one + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 + scriptInput: '--delete --paths-to-delete /tmp/temp_file.txt,/tmp/random_file.txt' + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_RunScriptRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + RunScriptSuccess: + summary: Run script action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: sentinel_one + command: runscript + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. 
+ summary: Run a script + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/scan: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/scan
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Scan a specific file or directory on an endpoint for malware. + operationId: EndpointScanAction + requestBody: + content: + application/json: + examples: + scanFile: + summary: Scan a file on an endpoint + value: + comment: Scan the file for malware + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + ScanSuccess: + summary: Scan action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: scan + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Scan a file or directory + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/state: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action/state
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a response actions state, which reports whether encryption is enabled. + operationId: EndpointGetActionsState + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse' + description: OK + summary: Get actions state + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/suspend_process: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/suspend_process
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Suspend a running process on an endpoint. + operationId: EndpointSuspendProcessAction + requestBody: + content: + application/json: + examples: + byEntityId: + summary: Suspend a process by entity ID + value: + comment: Suspending suspicious process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + byPid: + summary: Suspend a process by PID + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + pid: 1234 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + SuspendProcessSuccess: + summary: Suspend process action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: suspend-process + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Suspend a process + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/unisolate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/unisolate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Release an isolated endpoint, allowing it to rejoin a network. + operationId: EndpointUnisolateAction + requestBody: + content: + application/json: + examples: + multipleHosts: + summary: 'Releases several hosts; includes a comment:' + value: + comment: Benign process identified, releasing group + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + singleHost: + summary: Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + withCaseId: + summary: Releases hosts with an associated case; includes a comment. + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Remediation complete, restoring network + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e + schema: + type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + case_ids: + description: The IDs of cases where the action taken will be logged. Max of 50. 
+ example: + - case-id-1 + - case-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + required: true + responses: + '200': + content: + application/json: + examples: + UnisolateSuccess: + summary: Unisolate action successfully created + value: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: unisolate + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse' + description: Indicates a successful call. + summary: Release an isolated endpoint + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/upload: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/upload
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upload a file to an endpoint. + operationId: EndpointUploadAction + requestBody: + content: + multipart/form-data: + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + UploadSuccess: + summary: Upload action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: upload + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: Host-5i6cuc8kdv + id: 9ff6aebc-2cb6-481e-8869-9b30036c9731 + isCompleted: false + isExpired: false + outputs: {} + parameters: + file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280 + file_name: fix-malware.sh + file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a + file_size: 69 + startedAt: '2023-07-03T15:07:22.837Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Upload a file + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/metadata: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/metadata
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all endpoint host metadata. + operationId: GetEndpointMetadataList + parameters: + - in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + - in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' + - in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' + - in: query + name: hostStatuses + required: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_HostStatuses' + - in: query + name: sortField + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SortField' + - in: query + name: sortDirection + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SortDirection' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_MetadataListResponse' + description: Indicates a successful call. + summary: Get a metadata list + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/metadata/{id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/metadata/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get host metadata for a specific endpoint. + operationId: GetEndpointMetadata + parameters: + - description: The agent ID of the endpoint. + in: path + name: id + required: true + schema: + example: ed518850-681a-4d60-bb98-e22640cae2a8 + type: string + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointMetadataResponse' + description: Indicates a successful call. + summary: Get metadata + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/policy_response: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/policy_response
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the most recent policy response for an endpoint. + operationId: GetPolicyResponse + parameters: + - description: The agent ID to retrieve the policy response for. + in: query + name: agentId + required: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + description: Indicates a successful call. + summary: Get a policy response + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/protection_updates_note/{package_policy_id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/protection_updates_note/{package_policy_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the protection updates note for a package policy. + operationId: GetProtectionUpdatesNote + parameters: + - description: The package policy ID to retrieve the protection updates note for. + in: path + name: package_policy_id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse' + description: Indicates a successful call. + summary: Get a protection updates note + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/protection_updates_note/{package_policy_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create or update the protection updates note for a package policy. + operationId: CreateUpdateProtectionUpdatesNote + parameters: + - description: The package policy ID to create or update the protection updates note for. + in: path + name: package_policy_id + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + type: object + properties: + note: + description: The note content. + type: string + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse' + description: Indicates a successful call. + summary: Create or update a protection updates note + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/engine/delete: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_analytics/monitoring/engine/delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Deletes the Privilege Monitoring Engine and optionally removes all associated privileged user data. + operationId: DeleteMonitoringEngine + parameters: + - description: Whether to delete all the privileged user data + in: query + name: data + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + DeleteMonitoringEngineResponse: + summary: Engine deleted successfully + value: + deleted: true + schema: + type: object + properties: + deleted: + type: boolean + required: + - deleted + description: Successful response + summary: Delete the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/engine/disable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/engine/disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Disables the Privilege Monitoring Engine, stopping all monitoring activity without removing data. + operationId: DisableMonitoringEngine + responses: + '200': + content: + application/json: + examples: + DisableMonitoringEngineResponse: + summary: Engine disabled successfully + value: + status: disabled + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' + description: Successful response + summary: Disable the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/engine/init: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/engine/init
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initializes the Privilege Monitoring Engine, setting up the required resources and starting the engine. + operationId: InitMonitoringEngine + responses: + '200': + content: + application/json: + examples: + InitMonitoringEngineResponse: + summary: Engine initialized successfully + value: + status: started + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' + description: Successful response + '500': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' + description: Internal Server Error + summary: Initialize the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/engine/schedule_now: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/engine/schedule_now
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Schedules the Privilege Monitoring Engine to run as soon as possible, triggering an immediate monitoring cycle. + operationId: ScheduleMonitoringEngine + responses: + '200': + content: + application/json: + examples: + ScheduleMonitoringEngineResponse: + summary: Engine scheduled successfully + value: + success: true + schema: + type: object + properties: + success: + description: Indicates the scheduling was successful + type: boolean + description: Successful response + '409': + content: + application/json: + schema: + type: object + properties: + message: + description: Error message indicating the engine is already running + type: string + description: Conflict - Monitoring engine is already running + summary: Schedule the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/privileges/health: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/monitoring/privileges/health
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the current health status of the Privilege Monitoring Engine, including engine status, error details, and user count statistics. + operationId: PrivMonHealth + responses: + '200': + content: + application/json: + examples: + PrivMonHealthResponse: + summary: Healthy privilege monitoring engine + value: + status: started + users: + current_count: 42 + max_allowed: 1000 + schema: + type: object + properties: + error: + type: object + properties: + message: + type: string + required: + - status + status: + $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus' + users: + description: User statistics for privilege monitoring + type: object + properties: + current_count: + description: Current number of privileged users being monitored + type: integer + max_allowed: + description: Maximum number of privileged users allowed to be monitored + type: integer + required: + - current_count + - max_allowed + required: + - status + description: Successful response + summary: Health check on Privilege Monitoring + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/privileges/privileges: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/monitoring/privileges/privileges
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Check if the current user has all required permissions for Privilege Monitoring + operationId: PrivMonPrivileges + responses: + '200': + content: + application/json: + example: + has_all_required: true + privileges: + elasticsearch: + index: + .entity_analytics.monitoring.user-default: + read: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityAnalyticsPrivileges' + description: Successful response + summary: Run a privileges check on Privilege Monitoring + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/users: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/users
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates a new privileged user to be monitored by the Privilege Monitoring Engine. + operationId: CreatePrivMonUser + requestBody: + content: + application/json: + examples: + CreatePrivMonUserRequest: + summary: Create a monitored user + value: + entity_analytics_monitoring: + labels: + - field: department + source: api + value: IT + user: + name: john.doe + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_UserName' + required: true + responses: + '200': + content: + application/json: + examples: + CreatePrivMonUserResponse: + summary: Created monitored user + value: + '@timestamp': '2026-01-28T12:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: api + value: IT + event: + ingested: '2026-01-28T12:00:00.000Z' + id: user-abc-123 + user: + is_privileged: true + name: john.doe + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' + description: User created successfully + summary: Create a new monitored user + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/users/_csv: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/users/_csv
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk upserts privileged users by uploading a CSV file. Returns per-row errors and aggregate upload statistics. + operationId: PrivmonBulkUploadUsersCSV + requestBody: + content: + multipart/form-data: + schema: + type: object + properties: + file: + description: The CSV file to upload. + format: binary + type: string + required: + - file + responses: + '200': + content: + application/json: + schema: + example: + errors: + - index: 1 + message: Invalid monitored field + username: john.doe + stats: + failedOperations: 1 + successfulOperations: 1 + totalOperations: 2 + uploaded: 1 + type: object + properties: + errors: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem' + type: array + stats: + $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadStats' + required: + - errors + - stats + description: Bulk upload successful + '413': + description: File too large + summary: Upsert multiple monitored users via CSV upload + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/users/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_analytics/monitoring/users/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Removes a privileged user from monitoring by their document ID. + operationId: DeletePrivMonUser + parameters: + - in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + DeletePrivMonUserResponse: + summary: User deleted successfully + value: + acknowledged: true + message: User deleted successfully + schema: + type: object + properties: + acknowledged: + description: Indicates if the deletion was successful + type: boolean + message: + description: A message providing additional information about the deletion status + type: string + required: + - success + description: User deleted successfully + summary: Delete a monitored user + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/entity_analytics/monitoring/users/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Updates the details of an existing monitored privileged user by their document ID. + operationId: UpdatePrivMonUser + parameters: + - in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + UpdatePrivMonUserRequest: + summary: Update a monitored user + value: + entity_analytics_monitoring: + labels: + - field: department + source: api + value: Security + user: + is_privileged: true + name: john.doe + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc' + required: true + responses: + '200': + content: + application/json: + examples: + UpdatePrivMonUserResponse: + summary: Updated monitored user + value: + '@timestamp': '2026-01-28T12:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: api + value: Security + event: + ingested: '2026-01-28T12:00:00.000Z' + id: user-abc-123 + user: + is_privileged: true + name: john.doe + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' + description: User updated successfully + summary: Update a monitored user + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/users/list: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/monitoring/users/list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns a list of all privileged users currently being monitored. Supports optional KQL filtering. + operationId: ListPrivMonUsers + parameters: + - description: KQL query to filter the list of monitored users + in: query + name: kql + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + ListPrivMonUsersResponse: + summary: List of monitored users + value: + - '@timestamp': '2026-01-28T12:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: api + value: IT + event: + ingested: '2026-01-28T12:00:00.000Z' + id: user-abc-123 + user: + is_privileged: true + name: john.doe + - '@timestamp': '2026-01-15T09:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: csv + value: Security + event: + ingested: '2026-01-15T09:00:00.000Z' + id: user-def-456 + user: + is_privileged: true + name: jane.smith + schema: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' + type: array + description: List of monitored users + summary: List all monitored users + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/privileged_user_monitoring/pad/install: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/privileged_user_monitoring/pad/install
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Installs the privileged access detection integration package and sets up the associated ML modules required for the Entity Analytics privileged user monitoring experience. + operationId: InstallPrivilegedAccessDetectionPackage + responses: + '200': + content: + application/json: + examples: + InstallPrivilegedAccessDetectionPackageResponse: + summary: Package installed successfully + value: + message: Privileged access detection package installed successfully + schema: + type: object + properties: + message: + type: string + required: + - message + description: Successful response + summary: Installs the privileged access detection package for the Entity Analytics privileged user monitoring experience + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/privileged_user_monitoring/pad/status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/privileged_user_monitoring/pad/status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the installation and ML module setup status of the privileged access detection package, along with the state of each associated ML job. + operationId: GetPrivilegedAccessDetectionPackageStatus + responses: + '200': + content: + application/json: + examples: + GetPrivilegedAccessDetectionPackageStatusResponse: + summary: Package fully installed and running + value: + jobs: + - description: Detects high-risk login patterns + job_id: pad-high-risk-login + state: opened + - description: Detects privilege escalation events + job_id: pad-privilege-escalation + state: opened + ml_module_setup_status: complete + package_installation_status: complete + schema: + type: object + properties: + jobs: + items: + type: object + properties: + description: + type: string + job_id: + type: string + state: + enum: + - closing + - closed + - opened + - failed + - opening + type: string + required: + - job_id + - state + type: array + ml_module_setup_status: + enum: + - complete + - incomplete + type: string + package_installation_status: + enum: + - complete + - incomplete + type: string + required: + - package_installation_status + - ml_module_setup_status + - jobs + description: Privileged access detection status retrieved + summary: Gets the status of the privileged access detection package for the Entity Analytics privileged user monitoring experience + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/watchlists: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/watchlists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates a new entity analytics watchlist with an optional set of entity sources. Watchlists apply a risk score modifier to matched entities. + operationId: CreateWatchlist + requestBody: + content: + application/json: + examples: + CreateWatchlistRequest: + summary: Create watchlist request + value: + description: High risk vendor watchlist + managed: false + name: High Risk Vendors + riskModifier: 1.5 + CreateWatchlistWithSourcesRequest: + summary: Create watchlist with entity sources + value: + description: High risk vendor watchlist + entitySources: + - enabled: true + identifierField: user.name + indexPattern: my-sync-index + name: My User Index Source + type: index + managed: false + name: High Risk Vendors + riskModifier: 1.5 + schema: + type: object + properties: + description: + description: Description of the watchlist + type: string + entitySources: + description: Optional entity sources to create and link to the watchlist + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + filter: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Filter' + identifierField: + description: Field used to query the entity store for index-type sources + type: string + indexPattern: + type: string + integrationName: + description: Required when type is entity_analytics_integration. One of entityanalytics_okta, entityanalytics_ad. 
+ type: string + matchers: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Matcher' + type: array + name: + type: string + queryRule: + description: KQL query used to filter data from the provided index patterns + type: string + range: + $ref: '#/components/schemas/Security_Entity_Analytics_API_DateRange' + type: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitySourceType' + required: + - type + - name + type: array + managed: + description: Indicates if the watchlist is managed by the system + type: boolean + name: + description: Unique name for the watchlist + type: string + riskModifier: + description: Risk score modifier associated with the watchlist + maximum: 2 + minimum: 0 + type: number + required: + - name + - riskModifier + required: true + responses: + '200': + content: + application/json: + examples: + CreateWatchlistResponse: + summary: Created watchlist + value: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-01-28T12:00:00.000Z' + schema: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' + - type: object + properties: + entitySources: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySource' + type: array + description: Watchlist created successfully + summary: Create a new watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/watchlists/{id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/watchlists/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieves the details of an entity analytics watchlist by its unique identifier. + operationId: GetWatchlist + parameters: + - description: Unique ID of the watchlist + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + GetWatchlistResponse: + summary: Watchlist details + value: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' + description: Watchlist details + summary: Get a watchlist by ID + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/entity_analytics/watchlists/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Updates the name, description, risk modifier, or managed status of an existing entity analytics watchlist. + operationId: UpdateWatchlist + parameters: + - description: The ID of the watchlist to update + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + UpdateWatchlistRequest: + summary: Update watchlist request + value: + description: High risk vendor watchlist + managed: false + name: High Risk Vendors + riskModifier: 1.5 + schema: + type: object + properties: + description: + description: Description of the watchlist + type: string + managed: + description: Indicates if the watchlist is managed by the system + type: boolean + name: + description: Unique name of the watchlist + type: string + riskModifier: + description: Risk score modifier associated with the watchlist + maximum: 2 + minimum: 0 + type: number + required: + - name + - riskModifier + required: true + responses: + '200': + content: + application/json: + examples: + UpdateWatchlistResponse: + summary: Updated watchlist + value: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' + description: Watchlist updated successfully + summary: Update an existing watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/watchlists/{watchlist_id}/csv_upload: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/csv_upload
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uploads a CSV file to add entities to a watchlist. The CSV must contain a header row + with a "type" column (user, host, service, or generic) and one or more ECS identity + fields (e.g. "user.name", "host.hostname") used to match entities in the entity store. + + Matched entities are added to the watchlist and their `entity.attributes.watchlists` + field is updated in the entity store. + + Each row will match up to 10,000 entities. + operationId: UploadWatchlistCsv + parameters: + - description: The ID of the watchlist to add entities to + example: high-risk-vendors + in: path + name: watchlist_id + required: true + schema: + type: string + requestBody: + content: + multipart/form-data: + examples: + csvUpload: + summary: CSV file with user entities + value: + file: | + type,user.name + user,john.doe + user,jane.smith + schema: + type: object + properties: + file: + description: The CSV file to upload. 
+ format: binary + type: string + required: + - file + required: true + responses: + '200': + content: + application/json: + examples: + CsvUploadResponse: + summary: CSV upload response with mixed results + value: + failed: 1 + items: + - matchedEntities: 1 + status: success + - error: Invalid entity type + matchedEntities: 0 + status: failure + - matchedEntities: 0 + status: unmatched + successful: 1 + total: 3 + unmatched: 1 + schema: + type: object + properties: + failed: + description: Number of rows that failed to process + example: 1 + type: integer + items: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem' + type: array + successful: + description: Number of rows that matched at least one entity + example: 1 + type: integer + total: + description: Total number of rows processed + example: 3 + type: integer + unmatched: + description: Number of rows that matched no entities + example: 1 + type: integer + required: + - successful + - failed + - total + - unmatched + - items + description: Upload successful + '413': + description: File too large + summary: Upload a CSV file to add entities to a watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/watchlists/{watchlist_id}/entities/assign: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/entities/assign
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Assigns the provided entities to the specified watchlist using a "manual" source label. + The entities must already exist in the entity store. + + If an entity is already on the watchlist, no new document is created — the "manual" label + is added to its existing source labels instead. + operationId: AssignWatchlistEntities + parameters: + - description: The ID of the watchlist to add entities to + example: high-risk-vendors + in: path + name: watchlist_id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + assignEntities: + summary: Assign two entities to a watchlist + value: + euids: + - user:john.doe + - host:web-01 + schema: + type: object + properties: + euids: + description: The EUIDs of the entities to assign + example: + - user:john.doe + - host:web-01 + items: + type: string + type: array + required: + - euids + required: true + responses: + '200': + content: + application/json: + examples: + assignEntitiesResponse: + summary: Successful assignment of two entities + value: + failed: 0 + items: + - euid: user:john.doe + status: success + - euid: host:web-01 + status: not_found + not_found: 1 + successful: 1 + total: 2 + schema: + type: object + properties: + failed: + description: Number of entities that failed to process + example: 0 + type: integer + items: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem' + type: array + not_found: + description: Number of entities not found in the entity store + example: 1 + type: integer + successful: + description: Number of entities successfully assigned + example: 1 + type: integer + total: + description: Total number of entities processed + example: 2 + type: integer + required: + - successful + - failed + - not_found + - total + - items + description: Assignment successful + summary: Manually assign entities 
to a watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/watchlists/{watchlist_id}/entities/unassign: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/entities/unassign
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Unassigns the provided entities from the specified watchlist. + This only removes the "manual" assignment. If the entity is also + assigned via other sources (for example, index or integration), it will + remain on the watchlist. + operationId: UnassignWatchlistEntities + parameters: + - description: The ID of the watchlist to remove entities from + example: high-risk-vendors + in: path + name: watchlist_id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + unassignEntities: + summary: Unassign two entities from a watchlist + value: + euids: + - user:john.doe + - host:web-01 + schema: + type: object + properties: + euids: + description: The EUIDs of the entities to unassign + example: + - user:john.doe + - host:web-01 + items: + type: string + type: array + required: + - euids + required: true + responses: + '200': + content: + application/json: + examples: + unassignEntitiesResponse: + summary: Successful unassignment of two entities + value: + failed: 0 + items: + - euid: user:john.doe + status: success + - euid: host:web-01 + status: not_found + not_found: 1 + successful: 1 + total: 2 + schema: + type: object + properties: + failed: + description: Number of entities that failed to process + example: 0 + type: integer + items: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem' + type: array + not_found: + description: Number of entities not found in the manual watchlist assignment + example: 1 + type: integer + successful: + description: Number of entities successfully unassigned + example: 1 + type: integer + total: + description: Total number of entities processed + example: 2 + type: integer + required: + - successful + - failed + - not_found + - total + - items + description: Unassignment successful + summary: Manually unassign entities from a 
watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/watchlists/list: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/watchlists/list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns a list of all entity analytics watchlists. + operationId: ListWatchlists + responses: + '200': + content: + application/json: + examples: + ListWatchlistsResponse: + summary: List of watchlists + value: + - createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + - createdAt: '2026-01-10T09:30:00.000Z' + description: Privileged user monitoring watchlist + id: watchlist-456 + managed: true + name: Privileged Accounts + riskModifier: 2 + updatedAt: '2026-02-01T15:45:00.000Z' + schema: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' + type: array + description: List of watchlists + summary: List all watchlists + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/enable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/enable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initialize the entire Entity Store, creating engines for all or specified entity types. + operationId: InitEntityStore + requestBody: + content: + application/json: + schema: + type: object + properties: + delay: + default: 1m + description: The delay before the transform will run. + pattern: '[smdh]$' + type: string + docsPerSecond: + default: -1 + description: The number of documents per second to process. + type: integer + enrichPolicyExecutionInterval: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' + entityTypes: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + fieldHistoryLength: + default: 10 + description: The number of historical values to keep for each field. + type: integer + filter: + type: string + frequency: + default: 1m + description: The frequency at which the transform will run. + pattern: '[smdh]$' + type: string + indexPattern: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' + lookbackPeriod: + default: 3h + description: The amount of time the transform looks back to calculate the aggregations. + pattern: '[smdh]$' + type: string + maxPageSearchSize: + default: 500 + description: The initial page size to use for the composite aggregation of each checkpoint. + type: integer + timeout: + default: 180s + description: The timeout for initializing the aggregating transform. + pattern: '[smdh]$' + type: string + timestampField: + default: '@timestamp' + description: The field to use as the timestamp. + type: string + description: Configuration for the entity store initialization. + required: true + responses: + '200': + content: + application/json: + examples: + initEntityStoreExample: + description: The Entity Store was successfully initialized, creating host and user engines in the installing state. 
+ summary: Entity Store initialized with host and user engines + value: + engines: + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: installing + timeout: 180s + timestampField: '@timestamp' + type: host + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: installing + timeout: 180s + timestampField: '@timestamp' + type: user + succeeded: true + schema: + type: object + properties: + engines: + description: The engine descriptors created during initialization. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + type: array + succeeded: + description: Whether the Entity Store was initialized successfully. + type: boolean + description: Successful response + '400': + description: Invalid request + summary: Initialize the Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/engines: + delete: + operationId: DeleteEntityEngines + parameters: + - description: The entity type of the engine ('user', 'host', 'service', 'generic'). + examples: + hostAndService: + value: host,service + in: query + name: entityTypes + required: false + schema: + description: Array of engine types to delete. Empty by default, which results in all the engines being deleted. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + - description: Control flag to also delete the entity data. + in: query + name: delete_data + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteEntityEnginesExample: + description: Example response after deleting 'host' engine + value: + deleted: + - host + still_running: + - generic + - user + - service + schema: + type: object + properties: + deleted: + description: Entity types whose engines were successfully deleted. 
+ items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + still_running: + description: Entity types whose engines are still running. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + description: Successful response + summary: Delete Entity Engines + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_store/engines
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_store/engines
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all installed entity engines and their current status. + operationId: ListEntityEngines + responses: + '200': + content: + application/json: + examples: + listEntityEnginesExample: + description: Returns a list with one running host engine and one stopped user engine. + summary: Two engines installed + value: + count: 2 + engines: + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: host + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: stopped + timeout: 180s + timestampField: '@timestamp' + type: user + schema: + type: object + properties: + count: + description: The total number of entity engines. + type: integer + engines: + description: An array of engine descriptors. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + type: array + description: Successful response + summary: List the Entity Engines + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/engines/{entityType}: + delete: + operationId: DeleteEntityEngine + parameters: + - description: The entity type of the engine (either 'user' or 'host'). + examples: + host: + value: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + - description: Control flag to also delete the entity data. + in: query + name: delete_data + required: false + schema: + type: boolean + - deprecated: true + description: Control flag to also delete the entity data. 
+ in: query + name: data + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteEntityEngineExample: + description: Example response after deleting 'host' engine + value: + deleted: true + schema: + type: object + properties: + deleted: + description: Whether the engine was successfully deleted. + type: boolean + description: Successful response + summary: Delete the Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_store/engines/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_store/engines/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the engine descriptor for a specific entity type, including its configuration and current status. + operationId: GetEntityEngine + parameters: + - description: The entity type of the engine. + example: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + responses: + '200': + content: + application/json: + examples: + getEntityEngineExample: + description: Returns the engine descriptor for a host engine that is currently running with default settings. + summary: A running host engine + value: + delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: host + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + description: Successful response + summary: Get an Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/engines/{entityType}/init: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/engines/{entityType}/init
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initialize a single entity engine for the specified entity type. + operationId: InitEntityEngine + parameters: + - description: The entity type of the engine. + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + requestBody: + content: + application/json: + schema: + type: object + properties: + delay: + default: 1m + description: The delay before the transform will run. + pattern: '[smdh]$' + type: string + docsPerSecond: + default: -1 + description: The number of documents per second to process. + type: integer + enrichPolicyExecutionInterval: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' + fieldHistoryLength: + default: 10 + description: The number of historical values to keep for each field. + type: integer + filter: + type: string + frequency: + default: 1m + description: The frequency at which the transform will run. + pattern: '[smdh]$' + type: string + indexPattern: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' + lookbackPeriod: + default: 3h + description: The amount of time the transform looks back to calculate the aggregations. + pattern: '[smdh]$' + type: string + maxPageSearchSize: + default: 500 + description: The initial page size to use for the composite aggregation of each checkpoint. + type: integer + timeout: + default: 180s + description: The timeout for initializing the aggregating transform. + pattern: '[smdh]$' + type: string + timestampField: + default: '@timestamp' + description: The field to use as the timestamp for the entity type. + type: string + description: Schema for the engine initialization + required: true + responses: + '200': + content: + application/json: + examples: + initEntityEngineExample: + description: A host engine was successfully initialized and is now in the installing state. 
+ summary: Host engine initialized + value: + delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 3h + status: installing + timeout: 180s + timestampField: '@timestamp' + type: host + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + description: Successful response + '400': + description: Invalid request + summary: Initialize an Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/engines/{entityType}/start: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/engines/{entityType}/start
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Start a previously stopped entity engine, resuming transform processing for the given entity type. + operationId: StartEntityEngine + parameters: + - description: The entity type of the engine to start. + example: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + responses: + '200': + content: + application/json: + examples: + startEntityEngineExample: + description: The engine was successfully started and is now processing data. + summary: Engine started successfully + value: + started: true + schema: + type: object + properties: + started: + description: Whether the engine was successfully started. + type: boolean + description: Successful response + summary: Start an Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/engines/{entityType}/stop: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/engines/{entityType}/stop
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Stop a running entity engine, pausing transform processing for the given entity type. + operationId: StopEntityEngine + parameters: + - description: The entity type of the engine to stop. + example: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + responses: + '200': + content: + application/json: + examples: + stopEntityEngineExample: + description: The engine was successfully stopped and is no longer processing data. + summary: Engine stopped successfully + value: + stopped: true + schema: + type: object + properties: + stopped: + description: Whether the engine was successfully stopped. + type: boolean + description: Successful response + summary: Stop an Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/engines/apply_dataview_indices: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/engines/apply_dataview_indices
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Synchronize data view index patterns to all running entity engines so that newly added indices are picked up by the transforms. + operationId: ApplyEntityEngineDataviewIndices + responses: + '200': + content: + application/json: + examples: + applyDataviewIndicesExample: + description: All running engines were successfully updated with the current data view index patterns. + summary: All engines updated + value: + result: + - changes: + indexPatterns: + - logs-* + - filebeat-* + - auditbeat-* + type: host + - changes: + indexPatterns: + - logs-* + - filebeat-* + - auditbeat-* + type: user + success: true + schema: + type: object + properties: + result: + description: Per-engine update results. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult' + type: array + success: + description: Whether all engines updated successfully. + type: boolean + description: Successful response + '207': + content: + application/json: + examples: + partialSuccessExample: + description: The host engine was updated but the user engine failed due to insufficient privileges. + summary: One engine failed + value: + errors: + - 'Failed to update user engine: insufficient privileges' + result: + - changes: + indexPatterns: + - logs-* + - filebeat-* + type: host + success: false + schema: + type: object + properties: + errors: + description: Error messages for engines that failed to update. + items: + type: string + type: array + result: + description: Per-engine update results for engines that succeeded. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult' + type: array + success: + description: Always `false` for a partial success. 
+ type: boolean + description: Partial successful response + '500': + content: + application/json: + examples: + serverErrorExample: + description: An unexpected error occurred while applying data view indices. + summary: Internal server error + value: + body: An internal error occurred while updating engine indices + statusCode: 500 + schema: + type: object + properties: + body: + description: Error message. + type: string + statusCode: + description: HTTP status code. + type: number + description: Error response + summary: Apply DataView indices to all installed engines + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/entities/{entityType}: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_store/entities/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a single entity in Entity Store. + The entity will be immediately deleted from the latest index. It will remain available in historical snapshots if it has been snapshotted. The delete operation does not prevent the entity from being recreated if it is observed again in the future. + operationId: DeleteSingleEntity + parameters: + - example: user + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + requestBody: + content: + application/json: + schema: + type: object + properties: + id: + description: Identifier of the entity to be deleted, commonly entity.id value. + example: arn:aws:iam::123456789012:user/jane.doe + type: string + required: + - id + description: Schema for the deleting entity + required: true + responses: + '200': + content: + application/json: + examples: + deleteEntityExample: + description: The entity was found and successfully removed from the latest index. + summary: Entity deleted + value: + deleted: true + schema: + type: object + properties: + deleted: + description: Whether the entity was successfully deleted. + type: boolean + description: Successful response. Entity deleted. + '404': + description: Entity Not Found. No entity with this ID and Type exists. + '503': + description: Operation on an uninitialized Engine or in a cluster without CRUD API Enabled + summary: Delete an entity in Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/entity_store/entities/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update or create an entity in Entity Store. + If the specified entity already exists, it is updated with the provided values. If the entity does not exist, a new one is created. By default, only the following fields can be updated: * `entity.attributes.*` * `entity.lifecycle.*` * `entity.behavior.*` To update other fields, set the `force` query parameter to `true`. > info > Some fields always retain the first observed value. Updates to these fields will not appear in the final index. + > Due to technical limitations, not all updates are guaranteed to appear in the final list of observed values. + > Due to technical limitations, create is an async operation. The time for a document to be present in the > final index depends on the entity store transform and usually takes more than 1 minute. + operationId: UpsertEntity + parameters: + - example: user + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + - description: When true, allows updating protected fields. + in: query + name: force + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' + description: Schema for the updating a single entity + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' + description: Entity updated or created + '403': + description: Operation on a restricted field + '409': + description: Conflict. 
The entity was updated while another update was happening in ElasticSearch + '503': + description: Operation on an uninitialized Engine or in a cluster without CRUD API Enabled + summary: Upsert an entity in Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/entities/bulk: + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/entity_store/entities/bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update or create many entities in Entity Store. + If the specified entity already exists, it is updated with the provided values. If the entity does not exist, a new one is created. + The creation is asynchronous. The time for a document to be present in the final index depends on the entity store transform and usually takes more than 1 minute. + operationId: UpsertEntitiesBulk + parameters: + - description: When true, allows updating protected fields. + in: query + name: force + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitiesContainer' + description: Schema for the updating many entities + required: true + responses: + '200': + description: Entities updated or created + '403': + description: Operation on a restricted field + '503': + description: Operation on an uninitialized Engine or in a cluster without CRUD API Enabled + summary: Upsert many entities in Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/entities/list: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_store/entities/list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List entities records, paging, sorting and filtering as needed. + operationId: ListEntities + parameters: + - description: Field to sort results by. + example: entity.name + in: query + name: sort_field + required: false + schema: + type: string + - description: Sort order. + in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + - description: Page number to return (1-indexed). + example: 1 + in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - description: Number of entities per page. + example: 10 + in: query + name: per_page + required: false + schema: + maximum: 10000 + minimum: 1 + type: integer + - description: An ES query to filter by. + in: query + name: filterQuery + required: false + schema: + type: string + - description: Entity types to include in the results. + in: query + name: entity_types + required: true + schema: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + responses: + '200': + content: + application/json: + schema: + type: object + properties: + inspect: + $ref: '#/components/schemas/Security_Entity_Analytics_API_InspectQuery' + page: + description: Current page number. + minimum: 1 + type: integer + per_page: + description: Number of entities per page. + maximum: 1000 + minimum: 1 + type: integer + records: + description: The entity records for this page. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' + type: array + total: + description: Total number of entities matching the query. 
+ minimum: 0 + type: integer + required: + - records + - page + - per_page + - total + description: Entities returned successfully + summary: List Entity Store Entities + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_store/status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the overall Entity Store status and per-engine statuses, optionally including component-level health details. + operationId: GetEntityStoreStatus + parameters: + - description: If true, returns a detailed status of each engine including all its components. + example: true + in: query + name: include_components + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + entityStoreRunning: + description: The Entity Store is running with both host and user engines started and using default settings. + summary: Entity Store running with two engines + value: + engines: + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: host + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: user + status: running + schema: + type: object + properties: + engines: + description: Per-engine status information. + items: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + - type: object + properties: + components: + description: Detailed component-level status. Only included when include_components is true. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentStatus' + type: array + type: array + status: + $ref: '#/components/schemas/Security_Entity_Analytics_API_StoreStatus' + description: The overall status of the Entity Store. + required: + - status + - engines + description: Successful response + summary: Get the status of the Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/exception_lists: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/exception_lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an exception list using the `id` or `list_id` field. + operationId: DeleteExceptionList + parameters: + - description: Exception list's identifier. Either `id` or `list_id` must be specified. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified. + examples: + autogeneratedId: + value: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + list_id: + value: simple_list + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + responses: + '200': + content: + application/json: + examples: + detectionExceptionList: + value: + _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' + created_by: elastic + description: This is a sample detection type exception list. + id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list list_id: "foo" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Delete an exception list + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/exception_lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an exception list using the `id` or `list_id` field. + operationId: ReadExceptionList + parameters: + - description: Exception list's identifier. Either `id` or `list_id` must be specified. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified. + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + responses: + '200': + content: + application/json: + examples: + detectionType: + value: + _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' + created_by: elastic + description: This is a sample detection type exception list. + id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception list details + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/exception_lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + An exception list groups exception items and can be associated with detection rules. You can assign exception lists to multiple detection rules. + > info + > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item. + operationId: CreateExceptionList + requestBody: + content: + application/json: + schema: + example: + description: This is a sample detection type exception list. + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + type: detection + type: object + properties: + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + os_types: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' + default: [] + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' + version: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' + default: 1 + required: + - name + - description + - type + description: Exception list's properties + required: true + responses: + '200': + content: + application/json: + 
examples: + autogeneratedListId: + value: + _version: WzMsMV0= + created_at: '2025-01-09T01:05:23.019Z' + created_by: elastic + description: This is a sample detection type exception with an autogenerated list_id. + id: 28243c2f-624a-4443-823d-c0b894880931 + immutable: false + list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 + name: Sample Detection Exception List + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: ad94de31-39f7-4ad7-b8e4-988bfa95f338 + type: detection + updated_at: '2025-01-09T01:05:23.020Z' + updated_by: elastic + version: 1 + namespaceAgnostic: + value: + _version: WzUsMV0= + created_at: '2025-01-09T01:10:36.369Z' + created_by: elastic + description: This is a sample agnostic endpoint type exception. + id: 1a744e77-22ca-4b6b-9085-54f55275ebe5 + immutable: false + list_id: b935eb55-7b21-4c1c-b235-faa1df23b3d6 + name: Sample Agnostic Endpoint Exception List + namespace_type: agnostic + os_types: + - linux + tags: + - malware + tie_breaker_id: 49ea0adc-a2b8-4d83-a8f3-2fb98301dea3 + type: endpoint + updated_at: '2025-01-09T01:10:36.369Z' + updated_by: elastic + version: 1 + typeDetection: + value: + _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' + created_by: elastic + description: This is a sample detection type exception list. + id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' + updated_by: elastic + version: 1 + typeEndpoint: + value: + _version: WzQsMV0= + created_at: '2025-01-09T01:07:49.658Z' + created_by: elastic + description: This is a sample endpoint type exception list. 
+ id: a79f4730-6e32-4278-abfc-349c0add7d54 + immutable: false + list_id: endpoint_list + name: Sample Endpoint Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 94a028af-8f47-427a-aca5-ffaf829e64ee + type: endpoint + updated_at: '2025-01-09T01:07:49.658Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: list_id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'exception list id: "simple_list" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list 
already exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create an exception list + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/exception_lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an exception list using the `id` or `list_id` field. + operationId: UpdateExceptionList + requestBody: + content: + application/json: + schema: + example: + description: Different description + list_id: simple_list + name: Updated exception list name + os_types: + - linux + tags: + - draft malware + type: detection + type: object + properties: + _version: + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. + type: string + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' + id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + os_types: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' + version: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' + required: + - name + - description + - type + description: Exception list's properties + required: true + responses: + '200': + content: + application/json: + examples: + simpleList: + value: + _version: WzExLDFd + created_at: '2025-01-07T20:43:55.264Z' + created_by: elastic + description: Different description + id: fa7f545f-191b-4d32-b1f0-c7cd62a79e55 + immutable: false + list_id: simple_list + name: Updated exception list name + namespace_type: single + os_types: [] 
+ tags: + - draft malware + tie_breaker_id: 319fe983-acdd-4806-b6c4-3098eae9392f + type: detection + updated_at: '2025-01-07T21:32:03.726Z' + updated_by: elastic + version: 2 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: list_id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [PUT /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: 
'#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Update an exception list + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/exception_lists/_duplicate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/exception_lists/_duplicate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Duplicate an existing exception list. + operationId: DuplicateExceptionList + parameters: + - in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + - description: Determines whether to include expired exceptions in the duplicated list. Expiration date defined by `expire_time`. + in: query + name: include_expired_exceptions + required: true + schema: + default: 'true' + enum: + - 'true' + - 'false' + example: true + type: string + responses: + '200': + content: + application/json: + examples: + detectionExceptionList: + value: + _version: WzExNDY1LDFd + created_at: '2025-01-09T16:19:50.280Z' + created_by: elastic + description: This is a sample detection type exception + id: b2f4a715-6ab1-444c-8b1e-3fa1b1049429 + immutable: false + list_id: d6390d60-bce3-4a48-9002-52db600f329c + name: Sample Detection Exception List [Duplicate] + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: 6fa670bd-666d-4c9c-9f1e-d1dbc516e985 + type: detection + updated_at: '2025-01-09T16:19:50.280Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''foo''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/exception_lists/_duplicate] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Exception list not found + '405': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list to duplicate not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Duplicate an exception list + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana + 
name: product_name + /api/exception_lists/_export: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/exception_lists/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export an exception list and its associated items to an NDJSON file. + operationId: ExportExceptionList + parameters: + - in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + - description: Determines whether to include expired exceptions in the exported list. Expiration date defined by `expire_time`. + example: true + in: query + name: include_expired_exceptions + required: true + schema: + default: 'true' + enum: + - 'true' + - 'false' + type: string + responses: + '200': + content: + application/ndjson: + examples: + exportSavedObjectsResponse: + value: | + {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} + {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another 
host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} + {"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0} + schema: + description: A `.ndjson` file containing specified exception list and its items + format: binary + type: string + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: list_id: Required, namespace_type: Required' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/exception_lists/_export] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: 
'#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Export an exception list + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/exception_lists/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/exception_lists/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all exception list containers. + operationId: FindExceptionLists + parameters: + - description: | + Filters the returned results according to the value of the specified field. + + Uses the `so type.field name:field` value syntax, where `so type` can be: + + - `exception-list`: Specify a space-aware exception list. + - `exception-list-agnostic`: Specify an exception list that is shared across spaces. + in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_FindExceptionListsFilter' + - description: | + Determines whether the returned containers are Kibana associated with a Kibana space + or available in all spaces (`agnostic` or `single`) + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + type: array + - description: The page number to return + in: query + name: page + required: false + schema: + example: 1 + minimum: 1 + type: integer + - description: The number of exception lists to return per page + in: query + name: per_page + required: false + schema: + example: 20 + minimum: 1 + type: integer + - description: Determines which field is used to sort the results. + in: query + name: sort_field + required: false + schema: + example: name + type: string + - description: Determines the sort order, which can be `desc` or `asc`. + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + example: desc + type: string + responses: + '200': + content: + application/json: + examples: + simpleLists: + value: + data: + - _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' + created_by: elastic + description: This is a sample detection type exception list. 
+ id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Detection Exception List + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' + updated_by: elastic + version: 1 + page: 1 + per_page: 20 + total: 1 + schema: + type: object + properties: + data: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + type: array + page: + minimum: 1 + type: integer + per_page: + minimum: 1 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/exception_lists/_find?namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: 
'#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception lists + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/exception_lists/_import: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/exception_lists/_import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Import an exception list and its associated items from an NDJSON file. + operationId: ImportExceptionList + parameters: + - description: | + Determines whether existing exception lists with the same `list_id` are overwritten. + If any exception items have the same `item_id`, those are also overwritten. + in: query + name: overwrite + required: false + schema: + default: false + example: false + type: boolean + - description: | + Determines whether the list being imported will have a new `list_id` generated. + Additional `item_id`'s are generated for each exception item. Both the exception + list and its items are overwritten. + in: query + name: as_new_list + required: false + schema: + default: false + example: false + type: boolean + requestBody: + content: + multipart/form-data: + schema: + type: object + properties: + file: + description: A `.ndjson` file containing the exception list + example: | + {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} + {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample 
Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} + format: binary + type: string + required: true + responses: + '200': + content: + application/json: + examples: + withErrors: + value: + errors: + - error: + message: 'Error found importing exception list: Invalid value \"4\" supplied to \"list_id\"' + status_code: 400 + list_id: (unknown list_id) + - error: + message: 'Found that item_id: \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" already exists. Import of item_id: \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" skipped.' + status_code: 409 + item_id: f7fd00bb-dba8-4c93-9d59-6cbd427b6330 + list_id: 7d7cccb8-db72-4667-b1f3-648efad7c1ee + success: false, + success_count: 0, + success_count_exception_list_items: 0 + success_count_exception_lists: 0, + success_exception_list_items: false, + success_exception_lists: false, + withoutErrors: + value: + errors: [] + success: true + success_count: 2 + success_count_exception_list_items: 1 + success_count_exception_lists: 1 + success_exception_list_items: true + success_exception_lists: true, + schema: + type: object + properties: + errors: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray' + success: + type: boolean + success_count: + minimum: 0 + type: integer + success_count_exception_list_items: + minimum: 0 + type: integer + success_count_exception_lists: + minimum: 0 + type: integer + success_exception_list_items: + type: boolean + success_exception_lists: + type: boolean + required: + - errors + - success + - success_count + - success_exception_lists + - success_count_exception_lists + - success_exception_list_items + - success_count_exception_list_items + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: 
'#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/exception_lists/_import] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Import an exception list + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/exception_lists/items: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/exception_lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an exception list item using the `id` or `item_id` field. + operationId: DeleteExceptionListItem + parameters: + - description: Exception item's identifier. Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + - description: Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' + - examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + responses: + '200': + content: + application/json: + examples: + simpleExceptionItem: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + schema: + example: + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/exception_lists/items?item_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: \"foo\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Delete an exception list item + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/exception_lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an exception list item using the `id` or `item_id` field. + operationId: ReadExceptionListItem + parameters: + - description: Exception list item's identifier. Either `id` or `item_id` must be specified. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + - description: Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified. + in: query + name: item_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' + - examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + responses: + '200': + content: + application/json: + examples: + simpleListItem: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/exception_lists/items?item_id=&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + 
content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: \"foo\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get an exception list item + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/exception_lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create an exception item and associate it with the specified exception list. + > info + > Before creating exception items, you must create an exception list. + operationId: CreateExceptionListItem + requestBody: + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemGeneric' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemEndpointList' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemEventFilters' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemHostIsolation' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistLinux' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistMac' + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + autogeneratedItemId: + value: + _version: WzYsMV0= + comments: [] + created_at: '2025-01-09T01:16:23.322Z' + created_by: elastic + description: This is a sample exception that has no item_id so it is autogenerated. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + id: 323faa75-c657-4fa0-9084-8827612c207b + item_id: 80e6edf7-4b13-4414-858f-2fa74aa52b37 + list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 + name: Sample Autogenerated Exception List Item ID + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: d6799986-3a23-4213-bc6d-ed9463a32f23 + type: simple + updated_at: '2025-01-09T01:16:23.322Z' + updated_by: elastic + detectionExceptionListItem: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withExistEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withMatchAnyEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withMatchEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: included + type: match + value: Elastic N.V. + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withNestedEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - entries: + - field: signer + operator: included + type: match + value: Evil + - field: trusted + operator: included + type: match + value: true + field: file.signature + type: nested + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withValueListEntry: + value: + _version: WzcsMV0= + comments: [] + created_at: '2025-01-09T01:31:12.614Z' + created_by: elastic + description: Don't signal when agent.name is rock01 and source.ip is in the goodguys.txt list + entries: + - field: source.ip + list: + id: goodguys.txt + type: ip + operator: excluded + type: list + id: deb26876-297d-4677-8a1f-35467d2f1c4f + item_id: 686b129e-9b8d-4c59-8d8d-c93a9ea82c71 + list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 + name: Filter out good guys ip and agent.name rock01 + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: 5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8 + type: simple + updated_at: '2025-01-09T01:31:12.614Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request, + message: '[request body]: list_id: Expected string, received number' + statusCode: 400, + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request 
[/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'exception list item id: \"simple_list_item\" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item already exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create an exception list item + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/exception_lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an exception list item using the `id` or `item_id` field. + operationId: UpdateExceptionListItem + requestBody: + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemGeneric' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEndpointList' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEventFilters' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemHostIsolation' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistMac' + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + simpleListItem: + value: + _version: WzEyLDFd + comments: [] + created_at: '2025-01-07T21:12:25.512Z' + created_by: elastic + description: Updated description + entries: + - field: host.name + operator: included + type: match + value: rock01 + id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da + item_id: simple_list_item + list_id: simple_list + name: 
Updated name + namespace_type: single + os_types: [] + tags: [] + tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 + type: simple + updated_at: '2025-01-07T21:34:50.233Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: item_id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [PUT /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: \"foo\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + 
status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Update an exception list item + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/exception_lists/items/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/exception_lists/items/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all exception list items in the specified list. + operationId: FindExceptionListItems + parameters: + - description: The `list_id`s of the items to fetch. + in: query + name: list_id + required: true + schema: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + type: array + - description: | + Filters the returned results according to the value of the specified field, + using the `:` syntax. + examples: + singleFilter: + value: + - exception-list.attributes.name:%My%20item + in: query + name: filter + required: false + schema: + default: [] + items: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + type: array + - description: | + Determines whether the returned containers are Kibana associated with a Kibana space + or available in all spaces (`agnostic` or `single`) + examples: + single: + value: + - single + in: query + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + type: array + - in: query + name: search + required: false + schema: + example: host.name + type: string + - description: The page number to return + in: query + name: page + required: false + schema: + example: 1 + minimum: 0 + type: integer + - description: The number of exception list items to return per page + in: query + name: per_page + required: false + schema: + example: 20 + minimum: 0 + type: integer + - description: Determines which field is used to sort the results. + example: name + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + - description: Determines the sort order, which can be `desc` or `asc`. 
+ in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + example: desc + type: string + responses: + '200': + content: + application/json: + examples: + simpleListItems: + value: + data: + - _version: WzgsMV0= + comments: [] + created_at: '2025-01-07T21:12:25.512Z' + created_by: elastic + description: This is a sample exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - jupiter + - saturn + id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 + type: simple + updated_at: '2025-01-07T21:12:25.512Z' + updated_by: elastic + page: 1 + per_page: 20 + total: 1 + schema: + type: object + properties: + data: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + type: array + page: + minimum: 1 + type: integer + per_page: + minimum: 1 + type: integer + pit: + type: string + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/exception_lists/items/_find?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list list_id: "foo" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception list items + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/exception_lists/summary: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/exception_lists/summary
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a summary of the specified exception list. + operationId: ReadExceptionListSummary + parameters: + - description: Exception list's identifier generated upon creation. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Exception list's human readable identifier. + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + - description: Search filter clause + in: query + name: filter + required: false + schema: + example: exception-list-agnostic.attributes.tags:"policy:policy-1" OR exception-list-agnostic.attributes.tags:"policy:all" + type: string + responses: + '200': + content: + application/json: + examples: + summary: + value: + linux: 0 + macos: 0 + total: 0 + windows: 0 + schema: + type: object + properties: + linux: + minimum: 0 + type: integer + macos: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + windows: + minimum: 0 + type: integer + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/exception_lists/summary?list_id=simple_list&namespace_type=agnostic] is unauthorized for user, this action is granted by the Kibana privileges [lists-summary] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get an exception list summary + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/exceptions/shared: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/exceptions/shared
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + An exception list groups exception items and can be associated with detection rules. A shared exception list can apply to multiple detection rules. + > info + > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item. + operationId: CreateSharedExceptionList + requestBody: + content: + application/json: + schema: + example: + description: This is a sample detection type exception list. + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + type: object + properties: + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' + required: + - name + - description + required: true + responses: + '200': + content: + application/json: + examples: + sharedList: + value: + _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' + created_by: elastic + description: This is a sample detection type exception list. 
+ id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: list_id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + message: Unable to create exception-list + status_code: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'exception list id: "simple_list" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list already exists response + '500': + content: + application/json: + examples: + serverError: + value: + 
message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create a shared exception list + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/features: + get: + description: | + Get information about all Kibana features. Features are used by spaces and security to refine and secure access to Kibana. + operationId: get-features + responses: + '200': + content: + application/json: + examples: + getFeaturesExample: + value: | + { + "features": [ + { + "name": "tasks", + "description": "Manages task results" + }, + { + "name": "security", + "description": "Manages configuration for Security features, such as users and roles" + }, + { + "name": "searchable_snapshots", + "description": "Manages caches and configuration for searchable snapshots" + }, + { + "name": "logstash_management", + "description": "Enables Logstash Central Management pipeline storage" + }, + { + "name": "transform", + "description": "Manages configuration and state for transforms" + }, + { + "name": "kibana", + "description": "Manages Kibana configuration and reports" + }, + { + "name": "synonyms", + "description": "Manages synonyms" + }, + { + "name": "async_search", + "description": "Manages results of async searches" + }, + { + "name": "ent_search", + "description": "Manages configuration for Enterprise Search features" + }, + { + "name": "machine_learning", + "description": "Provides anomaly detection and forecasting functionality" + }, + { + "name": "geoip", + "description": "Manages data related to GeoIP database downloader" + }, + { + "name": "watcher", + "description": "Manages Watch definitions and state" + }, + { + "name": "fleet", + "description": "Manages configuration for Fleet" + }, + { + "name": "enrich", + "description": "Manages data related to Enrich policies" + }, + { + "name": "inference_plugin", + 
"description": "Inference plugin for managing inference services and inference" + } + ] + } + schema: + type: object + description: Indicates a successful call + summary: Get features + tags: + - system + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_download_sources: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_download_sources
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all agent binary download sources.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read. + operationId: get-fleet-agent-download-sources + parameters: [] + responses: + '200': + content: + application/json: + examples: + getDownloadSourcesExample: + description: List of agent binary download sources + value: + items: + - host: https://artifacts.elastic.co/downloads/ + id: download-source-id-1 + is_default: true + name: Elastic Artifacts + page: 1 + perPage: 20 + total: 1 + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - id + - name + - host + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent binary download sources + tags: + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_download_sources
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new agent binary download source.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-agent-download-sources + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postDownloadSourceRequestExample: + description: Create a new agent binary download source + value: + host: https://my-custom-host.example.com/downloads/ + is_default: false + name: My custom download source + schema: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - name + - host + responses: + '200': + content: + application/json: + examples: + postDownloadSourceExample: + description: The created agent binary download source + value: + item: + host: https://my-custom-host.example.com/downloads/ + id: download-source-id-2 + is_default: false + name: My custom download source + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - id + - name + - host + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create an agent binary download source + tags: + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_download_sources/{sourceId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-agent-download-sources-sourceid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: sourceId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + deleteDownloadSourceExample: + description: The download source was successfully deleted + value: + id: download-source-id-1 + schema: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No download source was found with the given ID + value: + error: Not Found + message: Agent binary source download-source-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete an agent binary download source + tags: + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read. + operationId: get-fleet-agent-download-sources-sourceid + parameters: + - in: path + name: sourceId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getDownloadSourceExample: + description: An agent binary download source + value: + item: + host: https://artifacts.elastic.co/downloads/ + id: download-source-id-1 + is_default: true + name: Elastic Artifacts + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - id + - name + - host + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No download source was found with the given ID + value: + error: Not Found + message: Agent binary source download-source-id-1 not found + statusCode: 404 + description: Not Found + summary: Get an agent binary download source + tags: + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-agent-download-sources-sourceid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: sourceId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putDownloadSourceRequestExample: + description: Update an agent binary download source + value: + host: https://updated-host.example.com/downloads/ + is_default: false + name: Updated download source + schema: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - name + - host + responses: + '200': + content: + application/json: + examples: + putDownloadSourceExample: + description: The updated agent binary download source + value: + item: + host: https://updated-host.example.com/downloads/ + id: download-source-id-1 + is_default: false + name: Updated download source + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - id + - name + - host + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No download source was found with the given ID + value: + error: Not Found + message: Download source download-source-id-1 not found + statusCode: 404 + description: Not Found + summary: Update an agent binary download source + tags: + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. + operationId: get-fleet-agent-policies + parameters: + - in: query + name: page + required: false + schema: + type: number + - in: query + name: perPage + required: false + schema: + type: number + - in: query + name: sortField + required: false + schema: + type: string + - in: query + name: sortOrder + required: false + schema: + enum: + - desc + - asc + type: string + - in: query + name: showUpgradeable + required: false + schema: + type: boolean + - in: query + name: kuery + required: false + schema: + type: string + - description: use withAgentCount instead + in: query + name: noAgentCount + required: false + schema: + deprecated: true + type: boolean + - description: get policies with agent count + in: query + name: withAgentCount + required: false + schema: + type: boolean + - description: get full policies with package policies populated + in: query + name: full + required: false + schema: + type: boolean + - in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + responses: + '200': + content: + application/json: + examples: + getAgentPoliciesExample: + description: List of agent policies + value: + items: + - description: A sample agent policy + id: agent-policy-id-1 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 + page: 1 + perPage: 20 + total: 1 + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true 
+ agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + nullable: true + agent_logging_metrics_period: + nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: true + agent_features: + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + required: + - enabled + resources: + additionalProperties: false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: + type: string + memory: + type: string + agents: + type: number + agents_per_version: + items: + additionalProperties: false + type: object + properties: + count: + type: number + version: + type: string + required: + - version + - count + maxItems: 1000 + type: array + created_at: + type: string + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fips_agents: + type: number + fleet_server_host_id: + nullable: true + type: string + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. 
+ items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_preconfigured: + type: boolean + is_protected: + description: Indicates whether the agent policy has tamper protection enabled. Default false. + type: boolean + is_verifier: + description: Indicates this is a short-lived verifier policy used for OTel permission verification. + type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + min_agent_version: + nullable: true + type: string + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: + type: string + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + overrides: + additionalProperties: + 
nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + package_agent_version_conditions: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version_condition: + type: string + required: + - name + - title + - version_condition + maxItems: 1000 + nullable: true + type: array + package_policies: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter + items: + additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + id: + description: Package policy unique identifier. 
+ type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + 
release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). 
+ type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. 
+ is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. 
+ type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. 
+ type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by + maxItems: 10000 + type: array + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + revision: + type: number + schema_version: + type: string + space_ids: + items: + type: string + maxItems: 100 + type: array + status: + enum: + - active + - inactive + type: string + supports_agentless: + default: false + description: Indicates whether the agent policy supports agentless integrations. + nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + unprivileged_agents: + type: number + updated_at: + type: string + updated_by: + type: string + version: + type: string + required: + - id + - name + - namespace + - is_protected + - status + - updated_at + - updated_by + - revision + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent policies + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana 
+ name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new agent policy.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: post-fleet-agent-policies + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: query + name: sys_monitoring + required: false + schema: + type: boolean + requestBody: + content: + application/json: + examples: + postAgentPolicyRequestExample: + description: Create a new agent policy + value: + description: A sample agent policy + monitoring_enabled: + - logs + - metrics + name: My agent policy + namespace: default + schema: + additionalProperties: false + type: object + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true + agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + nullable: true + agent_logging_metrics_period: + nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: true + agent_features: + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + required: + - enabled + resources: + additionalProperties: false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: + type: 
string + memory: + type: string + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fleet_server_host_id: + nullable: true + type: string + force: + type: boolean + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. + items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_protected: + type: boolean + is_verifier: + description: Indicates this is a short-lived verifier policy used for OTel permission verification. 
+ type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: + type: string + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + overrides: + additionalProperties: + nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + space_ids: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + deprecated: true + description: Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API. + nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + required: + - name + - namespace + responses: + '200': + content: + application/json: + examples: + postAgentPolicyExample: + description: The created agent policy + value: + item: + description: A sample agent policy + id: agent-policy-id-2 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true + agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + nullable: true + agent_logging_metrics_period: + nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: true + 
agent_features: + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + required: + - enabled + resources: + additionalProperties: false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: + type: string + memory: + type: string + agents: + type: number + agents_per_version: + items: + additionalProperties: false + type: object + properties: + count: + type: number + version: + type: string + required: + - version + - count + maxItems: 1000 + type: array + created_at: + type: string + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fips_agents: + type: number + fleet_server_host_id: + nullable: true + type: string + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. + items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_preconfigured: + type: boolean + is_protected: + description: Indicates whether the agent policy has tamper protection enabled. Default false. 
+ type: boolean + is_verifier: + description: Indicates this is a short-lived verifier policy used for OTel permission verification. + type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + min_agent_version: + nullable: true + type: string + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: + type: string + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + overrides: + additionalProperties: + nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + package_agent_version_conditions: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version_condition: + type: string + required: + - name + - title + - version_condition + maxItems: 1000 + nullable: true + type: array + package_policies: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter + items: + additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + id: + description: Package policy unique identifier. 
+ type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + 
release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). 
+ type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. 
+ is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. 
+ type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. 
+ type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by + maxItems: 10000 + type: array + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + revision: + type: number + schema_version: + type: string + space_ids: + items: + type: string + maxItems: 100 + type: array + status: + enum: + - active + - inactive + type: string + supports_agentless: + default: false + description: Indicates whether the agent policy supports agentless integrations. + nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + unprivileged_agents: + type: number + updated_at: + type: string + updated_by: + type: string + version: + type: string + required: + - id + - name + - namespace + - is_protected + - status + - updated_at + - updated_by + - revision + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create an agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/_bulk_get: + post: + description: |- + **Spaces method and path for this 
operation:** + +
post /s/{space_id}/api/fleet/agent_policies/_bulk_get
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get multiple agent policies by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. + operationId: post-fleet-agent-policies-bulk-get + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + requestBody: + content: + application/json: + examples: + postBulkGetAgentPoliciesRequestExample: + description: Retrieve multiple agent policies by ID + value: + ids: + - agent-policy-id-1 + - agent-policy-id-2 + schema: + additionalProperties: false + type: object + properties: + full: + description: get full policies with package policies populated + type: boolean + ids: + description: list of package policy ids + items: + type: string + maxItems: 1000 + type: array + ignoreMissing: + type: boolean + required: + - ids + responses: + '200': + content: + application/json: + examples: + postBulkGetAgentPoliciesExample: + description: The requested agent policies + value: + items: + - id: agent-policy-id-1 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true + agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + 
nullable: true + agent_logging_metrics_period: + nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: true + agent_features: + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + required: + - enabled + resources: + additionalProperties: false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: + type: string + memory: + type: string + agents: + type: number + agents_per_version: + items: + additionalProperties: false + type: object + properties: + count: + type: number + version: + type: string + required: + - version + - count + maxItems: 1000 + type: array + created_at: + type: string + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fips_agents: + type: number + fleet_server_host_id: + nullable: true + type: string + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. 
+ items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_preconfigured: + type: boolean + is_protected: + description: Indicates whether the agent policy has tamper protection enabled. Default false. + type: boolean + is_verifier: + description: Indicates this is a short-lived verifier policy used for OTel permission verification. + type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + min_agent_version: + nullable: true + type: string + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: + type: string + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + overrides: + additionalProperties: + 
nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + package_agent_version_conditions: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version_condition: + type: string + required: + - name + - title + - version_condition + maxItems: 1000 + nullable: true + type: array + package_policies: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter + items: + additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + id: + description: Package policy unique identifier. 
+ type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + 
release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). 
+ type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. 
+ is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. 
+ type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. 
+ type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by + maxItems: 10000 + type: array + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + revision: + type: number + schema_version: + type: string + space_ids: + items: + type: string + maxItems: 100 + type: array + status: + enum: + - active + - inactive + type: string + supports_agentless: + default: false + description: Indicates whether the agent policy supports agentless integrations. + nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + unprivileged_agents: + type: number + updated_at: + type: string + updated_by: + type: string + version: + type: string + required: + - id + - name + - namespace + - is_protected + - status + - updated_at + - updated_by + - revision + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: One or more agent policies were not found + value: + error: Not Found + message: An error message describing what 
went wrong + statusCode: 404 + description: Not Found + summary: Bulk get agent policies + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/{agentPolicyId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. + operationId: get-fleet-agent-policies-agentpolicyid + parameters: + - in: path + name: agentPolicyId + required: true + schema: + type: string + - in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + responses: + '200': + content: + application/json: + examples: + getAgentPolicyExample: + description: An agent policy + value: + item: + description: A sample agent policy + id: agent-policy-id-1 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true + agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + nullable: true + agent_logging_metrics_period: + nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: true + agent_features: + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + 
required: + - enabled + resources: + additionalProperties: false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: + type: string + memory: + type: string + agents: + type: number + agents_per_version: + items: + additionalProperties: false + type: object + properties: + count: + type: number + version: + type: string + required: + - version + - count + maxItems: 1000 + type: array + created_at: + type: string + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fips_agents: + type: number + fleet_server_host_id: + nullable: true + type: string + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. + items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_preconfigured: + type: boolean + is_protected: + description: Indicates whether the agent policy has tamper protection enabled. Default false. + type: boolean + is_verifier: + description: Indicates this is a short-lived verifier policy used for OTel permission verification. 
+ type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + min_agent_version: + nullable: true + type: string + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: + type: string + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + overrides: + additionalProperties: + nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + package_agent_version_conditions: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version_condition: + type: string + required: + - name + - title + - version_condition + maxItems: 1000 + nullable: true + type: array + package_policies: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter + items: + additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + id: + description: Package policy unique identifier. 
+ type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + 
release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). 
+ type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. 
+ is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. 
+ type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. 
+ type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by + maxItems: 10000 + type: array + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + revision: + type: number + schema_version: + type: string + space_ids: + items: + type: string + maxItems: 100 + type: array + status: + enum: + - active + - inactive + type: string + supports_agentless: + default: false + description: Indicates whether the agent policy supports agentless integrations. + nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + unprivileged_agents: + type: number + updated_at: + type: string + updated_by: + type: string + version: + type: string + required: + - id + - name + - namespace + - is_protected + - status + - updated_at + - updated_by + - revision + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent policy was found with the given ID + value: + error: Not Found + message: Agent policy not found + statusCode: 404 + description: Not Found + 
summary: Get an agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: put-fleet-agent-policies-agentpolicyid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: agentPolicyId + required: true + schema: + type: string + - in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + requestBody: + content: + application/json: + examples: + putAgentPolicyRequestExample: + description: Update an agent policy + value: + description: An updated agent policy description + monitoring_enabled: + - logs + name: Updated agent policy + namespace: default + schema: + additionalProperties: false + type: object + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true + agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + nullable: true + agent_logging_metrics_period: + nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: true + agent_features: + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + required: + - enabled + resources: + additionalProperties: 
false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: + type: string + memory: + type: string + bumpRevision: + type: boolean + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fleet_server_host_id: + nullable: true + type: string + force: + type: boolean + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. + items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_protected: + type: boolean + is_verifier: + description: Indicates this is a short-lived verifier policy used for OTel permission verification. 
+ type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: + type: string + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + overrides: + additionalProperties: + nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + space_ids: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + deprecated: true + description: Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API. + nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + required: + - name + - namespace + responses: + '200': + content: + application/json: + examples: + putAgentPolicyExample: + description: The updated agent policy + value: + item: + description: An updated agent policy description + id: agent-policy-id-1 + is_managed: false + is_protected: false + name: Updated agent policy + namespace: default + revision: 2 + status: active + updated_at: '2024-01-15T11:00:00.000Z' + updated_by: user1 + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true + agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + nullable: true + agent_logging_metrics_period: + nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: 
true + agent_features: + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + required: + - enabled + resources: + additionalProperties: false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: + type: string + memory: + type: string + agents: + type: number + agents_per_version: + items: + additionalProperties: false + type: object + properties: + count: + type: number + version: + type: string + required: + - version + - count + maxItems: 1000 + type: array + created_at: + type: string + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fips_agents: + type: number + fleet_server_host_id: + nullable: true + type: string + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. + items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_preconfigured: + type: boolean + is_protected: + description: Indicates whether the agent policy has tamper protection enabled. Default false. 
+ type: boolean + is_verifier: + description: Indicates this is a short-lived verifier policy used for OTel permission verification. + type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + min_agent_version: + nullable: true + type: string + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: + type: string + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + overrides: + additionalProperties: + nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + package_agent_version_conditions: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version_condition: + type: string + required: + - name + - title + - version_condition + maxItems: 1000 + nullable: true + type: array + package_policies: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter + items: + additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + id: + description: Package policy unique identifier. 
+ type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + 
release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). 
+ type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. 
+ is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. 
+ type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. 
+ type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by + maxItems: 10000 + type: array + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + revision: + type: number + schema_version: + type: string + space_ids: + items: + type: string + maxItems: 100 + type: array + status: + enum: + - active + - inactive + type: string + supports_agentless: + default: false + description: Indicates whether the agent policy supports agentless integrations. + nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + unprivileged_agents: + type: number + updated_at: + type: string + updated_by: + type: string + version: + type: string + required: + - id + - name + - namespace + - is_protected + - status + - updated_at + - updated_by + - revision + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Update an agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status: + get: + description: |- + **Spaces 
method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the auto-upgrade status for agents assigned to an agent policy.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agent-policies-agentpolicyid-auto-upgrade-agents-status + parameters: + - in: path + name: agentPolicyId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getAutoUpgradeAgentsStatusExample: + description: Auto-upgrade status for agents in the policy + value: + agentsCount: 5 + currentVersion: 8.16.0 + failedAgentsCount: 0 + upgradedAgentsCount: 3 + upgradingAgentsCount: 1 + schema: + additionalProperties: false + type: object + properties: + currentVersions: + items: + additionalProperties: false + type: object + properties: + agents: + description: Number of agents that upgraded to this version + type: number + failedUpgradeActionIds: + description: List of action IDs related to failed upgrades + items: + type: string + maxItems: 1000 + type: array + failedUpgradeAgents: + description: Number of agents that failed to upgrade to this version + type: number + inProgressUpgradeActionIds: + description: List of action IDs related to in-progress upgrades + items: + type: string + maxItems: 1000 + type: array + inProgressUpgradeAgents: + description: Number of agents that are upgrading to this version + type: number + version: + description: Agent version + type: string + required: + - version + - agents + - failedUpgradeAgents + - inProgressUpgradeAgents + maxItems: 10000 + type: array + totalAgents: + type: number + required: + - currentVersions + - totalAgents + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: 
+ type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get auto upgrade agent status + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/copy: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/copy
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Copy an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: post-fleet-agent-policies-agentpolicyid-copy + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: agentPolicyId + required: true + schema: + type: string + - in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + requestBody: + content: + application/json: + examples: + postCopyAgentPolicyRequestExample: + description: Copy an agent policy with a new name + value: + description: A copy of the original agent policy + name: Copy of my agent policy + schema: + additionalProperties: false + type: object + properties: + description: + type: string + name: + minLength: 1 + type: string + required: + - name + responses: + '200': + content: + application/json: + examples: + postCopyAgentPolicyExample: + description: The copied agent policy + value: + item: + description: A copy of the original agent policy + id: agent-policy-id-copy-1 + is_managed: false + is_protected: false + name: Copy of my agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T11:00:00.000Z' + updated_by: user1 + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true + agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + nullable: true + agent_logging_metrics_period: + 
nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: true + agent_features: + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + required: + - enabled + resources: + additionalProperties: false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: + type: string + memory: + type: string + agents: + type: number + agents_per_version: + items: + additionalProperties: false + type: object + properties: + count: + type: number + version: + type: string + required: + - version + - count + maxItems: 1000 + type: array + created_at: + type: string + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fips_agents: + type: number + fleet_server_host_id: + nullable: true + type: string + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. + items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_preconfigured: + type: boolean + is_protected: + description: Indicates whether the agent policy has tamper protection enabled. 
Default false. + type: boolean + is_verifier: + description: Indicates this is a short-lived verifier policy used for OTel permission verification. + type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + min_agent_version: + nullable: true + type: string + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: + type: string + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + overrides: + additionalProperties: + nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + package_agent_version_conditions: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version_condition: + type: string + required: + - name + - title + - version_condition + maxItems: 1000 + nullable: true + type: array + package_policies: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter + items: + additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + id: + description: Package policy unique identifier. 
+ type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + 
release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). 
+ type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. 
+ is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. 
+ type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. 
+ type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by + maxItems: 10000 + type: array + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + revision: + type: number + schema_version: + type: string + space_ids: + items: + type: string + maxItems: 100 + type: array + status: + enum: + - active + - inactive + type: string + supports_agentless: + default: false + description: Indicates whether the agent policy supports agentless integrations. + nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + unprivileged_agents: + type: number + updated_at: + type: string + updated_by: + type: string + version: + type: string + required: + - id + - name + - namespace + - is_protected + - status + - updated_at + - updated_by + - revision + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Copy an agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/download: + get: + description: |- + **Spaces method and path for this 
operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/download
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Download an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. + operationId: get-fleet-agent-policies-agentpolicyid-download + parameters: + - in: path + name: agentPolicyId + required: true + schema: + type: string + - description: If true, returns the policy as a downloadable file + in: query + name: download + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for standalone agents + in: query + name: standalone + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for Kubernetes deployment + in: query + name: kubernetes + required: false + schema: + type: boolean + - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags. + in: query + name: revision + required: false + schema: + type: number + responses: + '200': + content: + application/json: + examples: + getDownloadAgentPolicyExample: + description: The agent policy download response + value: + item: 'id: agent-policy-id-1\nrevision: 1\noutputs:\n default:\n type: elasticsearch\n hosts:\n - https://elasticsearch.example.com:9200\n' + schema: + type: string + description: Successful response — returns the agent policy as a YAML file download + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent policy was found with the given ID + value: + error: Not 
Found + message: Agent policy not found + statusCode: 404 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Not Found + summary: Download an agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/full: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/full
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a full agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read. + operationId: get-fleet-agent-policies-agentpolicyid-full + parameters: + - in: path + name: agentPolicyId + required: true + schema: + type: string + - description: If true, returns the policy as a downloadable file + in: query + name: download + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for standalone agents + in: query + name: standalone + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for Kubernetes deployment + in: query + name: kubernetes + required: false + schema: + type: boolean + - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags. + in: query + name: revision + required: false + schema: + type: number + responses: + '200': + content: + application/json: + examples: + getFullAgentPolicyExample: + description: The full agent policy configuration + value: + item: + agent: + monitoring: + logs: true + metrics: true + id: agent-policy-id-1 + inputs: [] + outputs: + default: + hosts: + - https://elasticsearch.example.com:9200 + type: elasticsearch + revision: 1 + schema: + additionalProperties: false + type: object + properties: + item: + anyOf: + - type: string + - additionalProperties: false + type: object + properties: + agent: + additionalProperties: false + type: object + properties: + download: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + 
type: object + proxy_url: + type: string + secrets: + additionalProperties: true + type: object + properties: + ssl: + additionalProperties: true + type: object + properties: + key: + additionalProperties: true + type: object + properties: + id: + type: string + required: + - key + sourceURI: + type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + renegotiation: + type: string + verification_mode: + type: string + target_directory: + type: string + timeout: + type: string + required: + - sourceURI + features: + additionalProperties: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + required: + - enabled + type: object + internal: + nullable: true + limits: + additionalProperties: false + type: object + properties: + go_max_procs: + type: number + logging: + additionalProperties: false + type: object + properties: + files: + additionalProperties: false + type: object + properties: + interval: + type: string + keepfiles: + type: number + rotateeverybytes: + type: number + level: + type: string + metrics: + additionalProperties: false + type: object + properties: + period: + type: string + to_files: + type: boolean + monitoring: + additionalProperties: false + type: object + properties: + _runtime_experimental: + type: string + apm: + nullable: true + diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + enabled: + type: boolean + http: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + host: + type: string + port: + type: number + logs: + type: 
boolean + metrics: + type: boolean + namespace: + type: string + pprof: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + required: + - enabled + traces: + type: boolean + use_output: + type: string + required: + - enabled + - metrics + - logs + - traces + - apm + protection: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + signing_key: + type: string + uninstall_token_hash: + type: string + required: + - enabled + - uninstall_token_hash + - signing_key + required: + - monitoring + - download + - features + - internal + connectors: + additionalProperties: + nullable: true + type: object + exporters: + additionalProperties: + nullable: true + type: object + extensions: + additionalProperties: + nullable: true + type: object + fleet: + anyOf: + - additionalProperties: false + type: object + properties: + hosts: + items: + type: string + maxItems: 100 + type: array + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + proxy_url: + type: string + secrets: + additionalProperties: true + type: object + properties: + ssl: + additionalProperties: true + type: object + properties: + key: + additionalProperties: true + type: object + properties: + id: + type: string + required: + - key + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + renegotiation: + type: string + verification_mode: + type: string + required: + - hosts + - additionalProperties: false + type: object + properties: + kibana: + additionalProperties: false + type: object + properties: + hosts: + items: + type: string + maxItems: 100 + type: array + path: + type: string + protocol: + type: string + required: + - hosts + - protocol + required: + - kibana + id: + type: string + inputs: + items: + 
additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + namespace: + type: string + required: + - namespace + id: + type: string + meta: + additionalProperties: true + type: object + properties: + package: + additionalProperties: true + type: object + properties: + name: + type: string + version: + type: string + required: + - name + - version + name: + type: string + package_policy_id: + type: string + processors: + items: + additionalProperties: true + type: object + properties: + add_fields: + additionalProperties: true + type: object + properties: + fields: + additionalProperties: + anyOf: + - type: string + - type: number + type: object + target: + type: string + required: + - target + - fields + required: + - add_fields + maxItems: 10000 + type: array + revision: + type: number + streams: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + dataset: + type: string + type: + type: string + required: + - dataset + id: + type: string + required: + - id + - data_stream + maxItems: 10000 + type: array + type: + type: string + use_output: + type: string + required: + - id + - name + - revision + - type + - data_stream + - use_output + - package_policy_id + maxItems: 10000 + type: array + namespaces: + items: + type: string + maxItems: 100 + type: array + output_permissions: + additionalProperties: + additionalProperties: + nullable: true + type: object + type: object + outputs: + additionalProperties: + additionalProperties: true + type: object + properties: + ca_sha256: + nullable: true + type: string + hosts: + items: + type: string + maxItems: 100 + type: array + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + proxy_url: + type: string + type: + type: string + required: + - type + type: object + processors: + 
additionalProperties: + nullable: true + type: object + receivers: + additionalProperties: + nullable: true + type: object + revision: + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10000 + type: array + service: + additionalProperties: false + type: object + properties: + extensions: + items: + type: string + maxItems: 1000 + type: array + pipelines: + additionalProperties: + additionalProperties: false + type: object + properties: + exporters: + items: + type: string + maxItems: 1000 + type: array + processors: + items: + type: string + maxItems: 1000 + type: array + receivers: + items: + type: string + maxItems: 1000 + type: array + x-oas-optional: true + type: object + signed: + additionalProperties: false + type: object + properties: + data: + type: string + signature: + type: string + required: + - data + - signature + required: + - id + - outputs + - inputs + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent policy was found with the given ID + value: + error: Not Found + message: Agent policy not found + statusCode: 404 + description: Not Found + summary: Get a full agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/outputs: + 
get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/outputs
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read.
+ operationId: get-fleet-agent-policies-agentpolicyid-outputs
+ parameters:
+ - in: path
+ name: agentPolicyId
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json:
+ examples:
+ getAgentPolicyOutputsExample:
+ description: Outputs associated with the agent policy
+ value:
+ item:
+ data_output:
+ id: output-id-1
+ name: Default output
+ type: elasticsearch
+ monitoring_output:
+ id: output-id-1
+ name: Default output
+ type: elasticsearch
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ agentPolicyId:
+ type: string
+ data:
+ additionalProperties: false
+ type: object
+ properties:
+ integrations:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ integrationPolicyName:
+ type: string
+ name:
+ type: string
+ pkgName:
+ type: string
+ maxItems: 1000
+ type: array
+ output:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ required:
+ - id
+ - name
+ required:
+ - output
+ monitoring:
+ additionalProperties: false
+ type: object
+ properties:
+ output:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ required:
+ - id
+ - name
+ required:
+ - output
+ required:
+ - monitoring
+ - data
+ required:
+ - item
+ description: Successful response
+ '400':
+ content:
+ application/json:
+ examples:
+ genericErrorResponseExample:
+ description: Example of a generic error response
+ value:
+ error: Bad Request
+ message: An error message describing what went wrong
+ statusCode: 400
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ attributes:
+ nullable: true
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ description: Bad Request
+ '404':
+ content:
+ application/json:
+ examples:
+ notFoundExample:
+ description: No agent policy was found with the given ID
+ value:
+ error: Not Found
+ message: Agent policy not found
+ statusCode: 404
+ description: Not Found
+ summary: Get outputs for an agent policy
+ tags:
+ - Elastic Agent policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agent_policies/delete:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+
post /s/{space_id}/api/fleet/agent_policies/delete
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Delete an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all.
+ operationId: post-fleet-agent-policies-delete
+ parameters:
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ requestBody:
+ content:
+ application/json:
+ examples:
+ postDeleteAgentPolicyRequestExample:
+ description: Delete an agent policy by ID
+ value:
+ agentPolicyId: agent-policy-id-1
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ agentPolicyId:
+ type: string
+ force:
+ description: bypass validation checks that can prevent agent policy deletion
+ type: boolean
+ required:
+ - agentPolicyId
+ responses:
+ '200':
+ content:
+ application/json:
+ examples:
+ postDeleteAgentPolicyExample:
+ description: The agent policy was successfully deleted
+ value:
+ id: agent-policy-id-1
+ name: My agent policy
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ required:
+ - id
+ - name
+ description: Successful response
+ '400':
+ content:
+ application/json:
+ examples:
+ genericErrorResponseExample:
+ description: Example of a generic error response
+ value:
+ error: Bad Request
+ message: An error message describing what went wrong
+ statusCode: 400
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ attributes:
+ nullable: true
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ description: Bad Request
+ summary: Delete an agent policy
+ tags:
+ - Elastic Agent policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agent_policies/outputs:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+
post /s/{space_id}/api/fleet/agent_policies/outputs
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read.
+ operationId: post-fleet-agent-policies-outputs
+ parameters:
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ requestBody:
+ content:
+ application/json:
+ examples:
+ postListAgentPolicyOutputsRequestExample:
+ description: Get outputs for multiple agent policies
+ value:
+ ids:
+ - agent-policy-id-1
+ - agent-policy-id-2
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ description: list of package policy ids
+ items:
+ type: string
+ maxItems: 1000
+ type: array
+ required:
+ - ids
+ responses:
+ '200':
+ content:
+ application/json:
+ examples:
+ postListAgentPolicyOutputsExample:
+ description: Outputs associated with the requested agent policies
+ value:
+ items:
+ - agent_policy_id: agent-policy-id-1
+ data_output:
+ id: output-id-1
+ name: Default output
+ type: elasticsearch
+ monitoring_output:
+ id: output-id-1
+ name: Default output
+ type: elasticsearch
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ agentPolicyId:
+ type: string
+ data:
+ additionalProperties: false
+ type: object
+ properties:
+ integrations:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ integrationPolicyName:
+ type: string
+ name:
+ type: string
+ pkgName:
+ type: string
+ maxItems: 1000
+ type: array
+ output:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ required:
+ - id
+ - name
+ required:
+ - output
+ monitoring:
+ additionalProperties: false
+ type: object
+ properties:
+ output:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ required:
+ - id
+ - name
+ required:
+ - output
+
required:
+ - monitoring
+ - data
+ maxItems: 10000
+ type: array
+ required:
+ - items
+ description: Successful response
+ '400':
+ content:
+ application/json:
+ examples:
+ genericErrorResponseExample:
+ description: Example of a generic error response
+ value:
+ error: Bad Request
+ message: An error message describing what went wrong
+ statusCode: 400
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ attributes:
+ nullable: true
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ description: Bad Request
+ summary: Get outputs for agent policies
+ tags:
+ - Elastic Agent policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agent_status:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+
get /s/{space_id}/api/fleet/agent_status
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get a summary of agent statuses for a given agent policy.
+ operationId: get-fleet-agent-status
+ parameters:
+ - in: query
+ name: policyId
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: policyIds
+ required: false
+ schema:
+ items:
+ type: string
+ maxItems: 1000
+ type: array
+ - in: query
+ name: kuery
+ required: false
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json:
+ examples:
+ getAgentStatusExample:
+ description: Agent status summary for an agent policy
+ value:
+ results:
+ error: 1
+ offline: 2
+ online: 5
+ other: 0
+ updating: 0
+ totalInactive: 0
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ results:
+ additionalProperties: false
+ type: object
+ properties:
+ active:
+ type: number
+ all:
+ type: number
+ error:
+ type: number
+ events:
+ type: number
+ inactive:
+ type: number
+ offline:
+ type: number
+ online:
+ type: number
+ orphaned:
+ type: number
+ other:
+ type: number
+ unenrolled:
+ type: number
+ uninstalled:
+ type: number
+ updating:
+ type: number
+ required:
+ - events
+ - online
+ - error
+ - offline
+ - other
+ - updating
+ - inactive
+ - unenrolled
+ - all
+ - active
+ required:
+ - results
+ description: Successful response
+ '400':
+ content:
+ application/json:
+ examples:
+ genericErrorResponseExample:
+ description: Example of a generic error response
+ value:
+ error: Bad Request
+ message: An error message describing what went wrong
+ statusCode: 400
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ attributes:
+ nullable: true
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ description: Bad Request
+ summary: Get an agent status summary
+ tags:
+ - Elastic Agent status
+ x-metaTags:
+ - content:
Kibana
+ name: product_name
+ /api/fleet/agent_status/data:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+
get /s/{space_id}/api/fleet/agent_status/data
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get the data streams that an agent is actively sending data to.

[Required authorization] Route required privileges: fleet-agents-read.
+ operationId: get-fleet-agent-status-data
+ parameters:
+ - in: query
+ name: agentsIds
+ required: true
+ schema:
+ items:
+ type: string
+ maxItems: 10000
+ type: array
+ - in: query
+ name: pkgName
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: pkgVersion
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: previewData
+ required: false
+ schema:
+ default: false
+ type: boolean
+ responses:
+ '200':
+ content:
+ application/json:
+ examples:
+ getAgentDataExample:
+ description: Data streams the agent is actively sending data to
+ value:
+ items:
+ - data:
+ logs-nginx.access-default:
+ - id: agent-id-1
+ name: my-host
+ total: 1
+ totalMonitoring: 0
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ dataPreview:
+ items:
+ nullable: true
+ maxItems: 10000
+ type: array
+ items:
+ items:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ data:
+ type: boolean
+ required:
+ - data
+ type: object
+ maxItems: 10000
+ type: array
+ required:
+ - items
+ - dataPreview
+ description: Successful response
+ '400':
+ content:
+ application/json:
+ examples:
+ genericErrorResponseExample:
+ description: Example of a generic error response
+ value:
+ error: Bad Request
+ message: An error message describing what went wrong
+ statusCode: 400
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ attributes:
+ nullable: true
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ description: Bad Request
+ summary: Get incoming agent data
+ tags:
+ - Elastic Agents
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agentless_policies:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+
post /s/{space_id}/api/fleet/agentless_policies
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Create an agentless policy
+ operationId: post-fleet-agentless-policies
+ parameters:
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - description: The format of the response package policy.
+ in: query
+ name: format
+ required: false
+ schema:
+ default: simplified
+ enum:
+ - legacy
+ - simplified
+ type: string
+ requestBody:
+ content:
+ application/json:
+ examples:
+ createAgentlessPoliciesRequestExample:
+ description: Example request to create agentless policies
+ value:
+ description: test
+ inputs:
+ ESS Billing-cel:
+ enabled: true
+ streams:
+ ess_billing.billing:
+ enabled: true
+ vars:
+ hide_sensitive: true
+ http_client_timeout: 30s
+ lookbehind: 365
+ tags:
+ - forwarded
+ - billing
+ ess_billing.credits:
+ enabled: false
+ vars:
+ api_key:
+ organization_id: '1234'
+ name: ess_billing-1
+ namespace: default
+ package:
+ name: ess_billing
+ version: 1.6.0
+ createAgentlessPoliciesReuseAWSCloudConnectorExample:
+ description: Example request to create agentless policy reusing an existing AWS cloud connector
+ value:
+ cloud_connector:
+ cloud_connector_id: existing-aws-connector-id
+ target_csp: aws
+ description: CSPM integration for AWS reusing existing cloud connector
+ inputs:
+ cspm-cloudbeat/cis_aws:
+ enabled: true
+ streams:
+ cloud_security_posture.findings:
+ enabled: true
+ vars:
+ aws.account_type: organization-account
+ aws.credentials.type: cloud_connector
+ aws.supports_cloud_connectors: true
+ external_id:
+ id: ABCDEFGHIJKLMNOPQRST
+ isSecretRef: true
+ role_arn: arn:aws:iam::123456789012:role/TestRole
+ vars:
+ cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml
+
cspm-cloudbeat/cis_azure:
+ enabled: false
+ cspm-cloudbeat/cis_gcp:
+ enabled: false
+ name: cspm-aws-reuse-policy
+ namespace: default
+ package:
+ name: cloud_security_posture
+ version: 3.1.1
+ vars:
+ deployment: aws
+ posture: cspm
+ createAgentlessPoliciesWithAWSCloudConnectorExample:
+ description: Example request to create agentless policy with AWS cloud connector
+ value:
+ cloud_connector:
+ target_csp: aws
+ description: CSPM integration for AWS with cloud connector
+ inputs:
+ cspm-cloudbeat/cis_aws:
+ enabled: true
+ streams:
+ cloud_security_posture.findings:
+ enabled: true
+ vars:
+ aws.account_type: organization-account
+ aws.credentials.type: cloud_connector
+ aws.supports_cloud_connectors: true
+ external_id:
+ id: ABCDEFGHIJKLMNOPQRST
+ isSecretRef: true
+ role_arn: arn:aws:iam::123456789012:role/TestRole
+ vars:
+ cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml
+ cspm-cloudbeat/cis_azure:
+ enabled: false
+ cspm-cloudbeat/cis_gcp:
+ enabled: false
+ name: cspm-aws-policy
+ namespace: default
+ package:
+ name: cloud_security_posture
+ version: 3.1.1
+ vars:
+ deployment: aws
+ posture: cspm
+ createAgentlessPoliciesWithAzureCloudConnectorExample:
+ description: Example request to create agentless policy with Azure cloud connector
+ value:
+ cloud_connector:
+ target_csp: azure
+ description: CSPM integration for Azure with cloud connector
+ inputs:
+ cspm-cloudbeat/cis_aws:
+ enabled: false
+ cspm-cloudbeat/cis_azure:
+ enabled: true
+ streams:
+ cloud_security_posture.findings:
+ enabled: true
+ vars:
+ azure_credentials_cloud_connector_id:
+ type: text
+ value: existing-azure-credentials-connector-id
+ azure.account_type: organization-account
+ client_id:
+ id: client-secret-id
+ isSecretRef: true
+ tenant_id:
+ id: tenant-secret-id
+ isSecretRef: true
+ cspm-cloudbeat/cis_gcp:
+
enabled: false
+ name: cspm-azure-policy
+ namespace: default
+ package:
+ name: cloud_security_posture
+ version: 3.1.1
+ vars:
+ deployment: azure
+ posture: cspm
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ additional_datastreams_permissions:
+ description: Additional datastream permissions, that will be added to the agent policy.
+ items:
+ type: string
+ maxItems: 100
+ nullable: true
+ type: array
+ cloud_connector:
+ additionalProperties: false
+ type: object
+ properties:
+ cloud_connector_id:
+ description: ID of an existing cloud connector to reuse. If not provided, a new connector will be created.
+ type: string
+ enabled:
+ default: false
+ description: Whether cloud connectors are enabled for this policy.
+ type: boolean
+ name:
+ description: Optional name for the cloud connector. If not provided, will be auto-generated from credentials.
+ maxLength: 255
+ minLength: 1
+ type: string
+ target_csp:
+ description: Target cloud service provider. If not provided, will be auto-detected from inputs.
+ enum:
+ - aws
+ - azure
+ - gcp
+ type: string
+ description:
+ description: Policy description.
+ type: string
+ force:
+ description: Force package policy creation even if the package is not verified, or if the agent policy is managed.
+ type: boolean
+ id:
+ description: Policy unique identifier.
+ type: string
+ inputs:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ deprecated:
+ additionalProperties: false
+ type: object
+ properties:
+ description:
+ type: string
+ replaced_by:
+ additionalProperties:
+ type: string
+ type: object
+ since:
+ type: string
+ required:
+ - description
+ enabled:
+ description: Enable or disable that input. Defaults to `true` (enabled).
+ type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + name: + description: Unique name for the policy. + type: string + namespace: + description: Policy namespace. 
When not specified, it inherits the agent policy namespace. + type: string + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + policy_template: + description: The policy template to use for the agentless package policy. If not provided, the default policy template will be used. + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. 
+ type: object + required: + - name + - package + responses: + '200': + content: + application/json: + examples: + createAgentlessPoliciesResponseExample: + description: Example response showing the successful result of communication initialisation over MCP protocol + value: + item: + created_at: '2025-11-06T18:27:43.541Z' + created_by: test_user + description: test + enabled: true + id: d52a7812-5736-4fdc-aed8-72152afa1ffa + inputs: + ESS Billing-cel: + enabled: true + streams: + ess_billing.billing: + enabled: true + vars: + hide_sensitive: true + http_client_timeout: 30s + lookbehind: 365 + tags: + - forwarded + - billing + ess_billing.credits: + enabled: false + vars: + api_key: + id: QY1sWpoBbWcMW-edr0Ee + isSecretRef: true + organization_id: '1234' + url: https://billing.elastic-cloud.com + name: ess_billing-1 + namespace: default + package: + name: ess_billing + title: Elasticsearch Service Billing + version: 1.6.0 + revision: 1 + secret_references: + - id: QY1sWpoBbWcMW-edr0Ee + supports_agentless: true + updated_at: '2025-11-06T18:27:43.541Z' + updated_by: test_user + version: WzE0OTgsMV0= + createAgentlessPoliciesWithAWSCloudConnectorResponseExample: + description: Example response for AWS cloud connector integration + value: + item: + cloud_connector_id: aws-connector-67890 + created_at: '2025-11-06T18:27:43.541Z' + created_by: test_user + description: CSPM integration for AWS with cloud connector + enabled: true + id: aws-policy-12345 + inputs: + cspm-cloudbeat/cis_aws: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + aws.account_type: organization-account + aws.credentials.type: cloud_connector + external_id: + id: secret-external-id-123 + isSecretRef: true + role_arn: arn:aws:iam::123456789012:role/TestRole + vars: + cloud_formation_template: 
https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml
+ cspm-cloudbeat/cis_azure:
+ enabled: false
+ cspm-cloudbeat/cis_gcp:
+ enabled: false
+ name: cspm-aws-policy
+ namespace: default
+ package:
+ name: cloud_security_posture
+ title: Cloud Security Posture Management
+ version: 3.1.1
+ revision: 1
+ secret_references:
+ - id: secret-external-id-123
+ supports_agentless: true
+ supports_cloud_connector: true
+ updated_at: '2025-11-06T18:27:43.541Z'
+ updated_by: test_user
+ vars:
+ deployment: aws
+ posture: cspm
+ version: WzE0OTgsMV0=
+ createAgentlessPoliciesWithAzureCloudConnectorResponseExample:
+ description: Example response for Azure cloud connector integration
+ value:
+ item:
+ cloud_connector_id: azure-connector-67890
+ created_at: '2025-11-06T18:27:43.541Z'
+ created_by: test_user
+ description: CSPM integration for Azure with cloud connector
+ enabled: true
+ id: azure-policy-12345
+ inputs:
+ cspm-cloudbeat/cis_aws:
+ enabled: false
+ cspm-cloudbeat/cis_azure:
+ enabled: true
+ streams:
+ cloud_security_posture.findings:
+ enabled: true
+ vars:
+ azure_credentials_cloud_connector_id:
+ type: text
+ value: existing-azure-credentials-connector-id
+ azure.account_type: organization-account
+ client_id:
+ id: client-secret-id-456
+ isSecretRef: true
+ tenant_id:
+ id: tenant-secret-id-123
+ isSecretRef: true
+ cspm-cloudbeat/cis_gcp:
+ enabled: false
+ name: cspm-azure-policy
+ namespace: default
+ package:
+ name: cloud_security_posture
+ title: Cloud Security Posture Management
+ version: 3.1.1
+ revision: 1
+ secret_references:
+ - id: tenant-secret-id-123
+ - id: client-secret-id-456
+ supports_agentless: true
+ supports_cloud_connector: true
+ updated_at: '2025-11-06T18:27:43.541Z'
+ updated_by: test_user
+ vars:
+ deployment: azure
+ posture: cspm
+ version: WzE0OTgsMV0=
+ schema:
+ additionalProperties: false
+ type:
object
+ properties:
+ item:
+ additionalProperties: false
+ description: The created agentless package policy.
+ type: object
+ properties:
+ additional_datastreams_permissions:
+ description: Additional datastream permissions, that will be added to the agent policy.
+ items:
+ type: string
+ maxItems: 1000
+ nullable: true
+ type: array
+ agents:
+ type: number
+ cloud_connector_id:
+ description: ID of the cloud connector associated with this package policy.
+ nullable: true
+ type: string
+ cloud_connector_name:
+ description: Transient field for cloud connector name during creation.
+ maxLength: 255
+ minLength: 1
+ nullable: true
+ type: string
+ created_at:
+ type: string
+ created_by:
+ type: string
+ description:
+ description: Package policy description
+ type: string
+ elasticsearch:
+ additionalProperties: true
+ type: object
+ properties:
+ privileges:
+ additionalProperties: true
+ type: object
+ properties:
+ cluster:
+ items:
+ type: string
+ maxItems: 100
+ type: array
+ enabled:
+ type: boolean
+ id:
+ description: Package policy unique identifier.
+ type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + 
release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). 
+ type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. 
+ is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. 
+ type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. 
+ type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by + required: + - item + description: Indicates a successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '409': + content: + application/json: + examples: + conflictErrorResponseExample: + description: Example of a conflict error response + value: + error: Conflict + message: An error message describing what went wrong + statusCode: 409 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Conflict + summary: Create an agentless policy + tags: + - Fleet agentless policies + x-state: Technical Preview; added in 9.3.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agentless_policies/{policyId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/agentless_policies/{policyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agentless policy + operationId: delete-fleet-agentless-policies-policyid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the policy to delete. + in: path + name: policyId + required: true + schema: + type: string + - description: Force delete the policy even if the policy is managed. + in: query + name: force + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + createAgentlessPoliciesResponseExample: + description: Example response showing the successful result of communication initialisation over MCP protocol + value: + item: + id: d52a7812-5736-4fdc-aed8-72152afa1ffa + schema: + additionalProperties: false + description: Response for deleting an agentless package policy. + type: object + properties: + id: + description: The ID of the deleted agentless package policy. 
+ type: string + required: + - id + description: Indicates a successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '409': + content: + application/json: + examples: + conflictErrorResponseExample: + description: Example of a conflict error response + value: + error: Conflict + message: An error message describing what went wrong + statusCode: 409 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Conflict + summary: Delete an agentless policy + tags: + - Fleet agentless policies + x-state: Technical Preview; added in 9.3.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List agents, with optional filtering and pagination.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents + parameters: + - in: query + name: page + required: false + schema: + type: number + - in: query + name: perPage + required: false + schema: + default: 20 + type: number + - in: query + name: kuery + required: false + schema: + type: string + - in: query + name: showAgentless + required: false + schema: + default: true + type: boolean + - in: query + name: showInactive + required: false + schema: + default: false + type: boolean + - in: query + name: withMetrics + required: false + schema: + default: false + type: boolean + - in: query + name: showUpgradeable + required: false + schema: + default: false + type: boolean + - in: query + name: getStatusSummary + required: false + schema: + default: false + type: boolean + - in: query + name: sortField + required: false + schema: + type: string + - in: query + name: sortOrder + required: false + schema: + enum: + - asc + - desc + type: string + - in: query + name: searchAfter + required: false + schema: + type: string + - in: query + name: openPit + required: false + schema: + type: boolean + - in: query + name: pitId + required: false + schema: + type: string + - in: query + name: pitKeepAlive + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getAgentsExample: + description: List of agents + value: + items: + - active: true + enrolled_at: '2024-01-01T00:00:00.000Z' + id: agent-id-1 + policy_id: agent-policy-id-1 + policy_revision: 1 + status: online + type: PERMANENT + updated_at: '2024-01-01T00:00:00.000Z' + page: 1 + perPage: 20 + total: 1 + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + access_api_key: + type: string + access_api_key_id: + type: string + active: + type: boolean + agent: + additionalProperties: true + type: object + properties: + id: + type: 
string + type: + type: string + version: + type: string + required: + - id + - version + audit_unenrolled_reason: + type: string + capabilities: + items: + type: string + maxItems: 100 + type: array + components: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + type: string + units: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + payload: + additionalProperties: + nullable: true + type: object + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + enum: + - input + - output + - '' + type: string + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + default_api_key: + type: string + default_api_key_history: + items: + additionalProperties: false + deprecated: true + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + default_api_key_id: + type: string + effective_config: + nullable: true + enrolled_at: + type: string + health: + additionalProperties: + nullable: true + type: object + id: + type: string + identifying_attributes: + additionalProperties: + type: string + type: object + last_checkin: + type: string + last_checkin_message: + type: string + last_checkin_status: + enum: + - error + - online + - degraded + - updating + - starting + - disconnected + type: string + last_known_status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + local_metadata: + additionalProperties: + nullable: true + type: 
object + metrics: + additionalProperties: false + type: object + properties: + cpu_avg: + type: number + memory_size_byte_avg: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + non_identifying_attributes: + additionalProperties: + type: string + type: object + outputs: + additionalProperties: + additionalProperties: false + type: object + properties: + api_key_id: + type: string + to_retire_api_key_ids: + items: + additionalProperties: false + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + type: + type: string + type: object + packages: + items: + type: string + maxItems: 10000 + type: array + policy_id: + type: string + policy_revision: + nullable: true + type: number + sequence_num: + type: number + sort: + items: + nullable: true + maxItems: 10 + type: array + status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + tags: + items: + type: string + maxItems: 100 + type: array + type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + - OPAMP + type: string + unenrolled_at: + type: string + unenrollment_started_at: + type: string + unhealthy_reason: + items: + enum: + - input + - output + - other + type: string + maxItems: 3 + nullable: true + type: array + upgrade: + additionalProperties: false + type: object + properties: + rollbacks: + items: + additionalProperties: false + type: object + properties: + valid_until: + type: string + version: + type: string + required: + - valid_until + - version + maxItems: 100 + type: array + upgrade_attempts: + items: + type: string + maxItems: 10000 + nullable: true + type: array + upgrade_details: + additionalProperties: false + nullable: true + type: object + properties: + action_id: + type: string + metadata: + additionalProperties: false + type: object + properties: + 
download_percent: + type: number + download_rate: + type: number + error_msg: + type: string + failed_state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + reason: + type: string + retry_error_msg: + type: string + retry_until: + type: string + scheduled_at: + type: string + state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + target_version: + type: string + required: + - target_version + - action_id + - state + upgrade_started_at: + nullable: true + type: string + upgraded_at: + nullable: true + type: string + user_provided_metadata: + additionalProperties: + nullable: true + type: object + required: + - id + - packages + - type + - active + - enrolled_at + - local_metadata + - effective_config + maxItems: 10000 + type: array + nextSearchAfter: + type: string + page: + type: number + perPage: + type: number + pit: + type: string + statusSummary: + additionalProperties: + type: number + type: object + total: + type: number + required: + - items + - total + - page + - perPage + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agents + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and 
path for this operation:** + +
post /s/{space_id}/api/fleet/agents
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve agents associated with specific action IDs.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: post-fleet-agents + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postGetAgentsByActionsRequestExample: + description: Retrieve agents associated with specific action IDs + value: + actionIds: + - action-id-1 + - action-id-2 + schema: + additionalProperties: false + type: object + properties: + actionIds: + items: + type: string + maxItems: 1000 + type: array + required: + - actionIds + responses: + '200': + content: + application/json: + examples: + postGetAgentsByActionsExample: + description: Agents associated with the given actions + value: + items: + - active: true + id: agent-id-1 + policy_id: agent-policy-id-1 + status: online + total: 1 + schema: + additionalProperties: false + type: object + properties: + items: + items: + type: string + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agents by action ids + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/agents/{agentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: delete-fleet-agents-agentid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: agentId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + deleteAgentExample: + description: Agent successfully deleted + value: + id: agent-id-1 + success: true + schema: + additionalProperties: false + type: object + properties: + action: + enum: + - deleted + type: string + required: + - action + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent was found with the given ID + value: + error: Not Found + message: Agent agent-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete an agent + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/{agentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an agent by ID.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-agentid + parameters: + - in: path + name: agentId + required: true + schema: + type: string + - in: query + name: withMetrics + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + getAgentExample: + description: Agent details + value: + item: + active: true + agent_id: agent-id-1 + enrolled_at: '2024-01-01T00:00:00.000Z' + id: agent-id-1 + local_metadata: + elastic: + agent: + version: 8.17.0 + host: + hostname: my-host + os: + name: linux + policy_id: agent-policy-id-1 + policy_revision: 1 + status: online + type: PERMANENT + updated_at: '2024-01-01T00:00:00.000Z' + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + access_api_key: + type: string + access_api_key_id: + type: string + active: + type: boolean + agent: + additionalProperties: true + type: object + properties: + id: + type: string + type: + type: string + version: + type: string + required: + - id + - version + audit_unenrolled_reason: + type: string + capabilities: + items: + type: string + maxItems: 100 + type: array + components: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + type: string + units: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + payload: + additionalProperties: + nullable: true + type: object + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + enum: + - input + - output + - '' + type: string + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + 
required: + - id + - type + - status + - message + maxItems: 10000 + type: array + default_api_key: + type: string + default_api_key_history: + items: + additionalProperties: false + deprecated: true + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + default_api_key_id: + type: string + effective_config: + nullable: true + enrolled_at: + type: string + health: + additionalProperties: + nullable: true + type: object + id: + type: string + identifying_attributes: + additionalProperties: + type: string + type: object + last_checkin: + type: string + last_checkin_message: + type: string + last_checkin_status: + enum: + - error + - online + - degraded + - updating + - starting + - disconnected + type: string + last_known_status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + local_metadata: + additionalProperties: + nullable: true + type: object + metrics: + additionalProperties: false + type: object + properties: + cpu_avg: + type: number + memory_size_byte_avg: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + non_identifying_attributes: + additionalProperties: + type: string + type: object + outputs: + additionalProperties: + additionalProperties: false + type: object + properties: + api_key_id: + type: string + to_retire_api_key_ids: + items: + additionalProperties: false + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + type: + type: string + type: object + packages: + items: + type: string + maxItems: 10000 + type: array + policy_id: + type: string + policy_revision: + nullable: true + type: number + sequence_num: + type: number + sort: + items: + nullable: true + maxItems: 10 + type: array + status: + enum: + - offline + 
- error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + tags: + items: + type: string + maxItems: 100 + type: array + type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + - OPAMP + type: string + unenrolled_at: + type: string + unenrollment_started_at: + type: string + unhealthy_reason: + items: + enum: + - input + - output + - other + type: string + maxItems: 3 + nullable: true + type: array + upgrade: + additionalProperties: false + type: object + properties: + rollbacks: + items: + additionalProperties: false + type: object + properties: + valid_until: + type: string + version: + type: string + required: + - valid_until + - version + maxItems: 100 + type: array + upgrade_attempts: + items: + type: string + maxItems: 10000 + nullable: true + type: array + upgrade_details: + additionalProperties: false + nullable: true + type: object + properties: + action_id: + type: string + metadata: + additionalProperties: false + type: object + properties: + download_percent: + type: number + download_rate: + type: number + error_msg: + type: string + failed_state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + reason: + type: string + retry_error_msg: + type: string + retry_until: + type: string + scheduled_at: + type: string + state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + target_version: + type: string + required: + - target_version + - action_id + - state + upgrade_started_at: + nullable: true + type: string + upgraded_at: + nullable: true + type: string + user_provided_metadata: + additionalProperties: + nullable: true + type: object + required: + - id + - packages + - type + - active + - 
enrolled_at + - local_metadata + - effective_config + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent was found with the given ID + value: + error: Not Found + message: Agent agent-id-1 not found + statusCode: 404 + description: Not Found + summary: Get an agent + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/agents/{agentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: put-fleet-agents-agentid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putAgentRequestExample: + description: Update agent tags + value: + tags: + - production + - linux + schema: + additionalProperties: false + type: object + properties: + tags: + items: + type: string + maxItems: 10 + type: array + user_provided_metadata: + additionalProperties: + nullable: true + type: object + responses: + '200': + content: + application/json: + examples: + putAgentExample: + description: Updated agent details + value: + item: + active: true + enrolled_at: '2024-01-01T00:00:00.000Z' + id: agent-id-1 + policy_id: agent-policy-id-1 + policy_revision: 1 + status: online + tags: + - production + - linux + type: PERMANENT + updated_at: '2024-01-01T00:00:00.000Z' + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + access_api_key: + type: string + access_api_key_id: + type: string + active: + type: boolean + agent: + additionalProperties: true + type: object + properties: + id: + type: string + type: + type: string + version: + type: string + required: + - id + - version + audit_unenrolled_reason: + type: string + capabilities: + items: + type: string + maxItems: 100 + type: array + components: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + type: string + units: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: 
string + payload: + additionalProperties: + nullable: true + type: object + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + enum: + - input + - output + - '' + type: string + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + default_api_key: + type: string + default_api_key_history: + items: + additionalProperties: false + deprecated: true + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + default_api_key_id: + type: string + effective_config: + nullable: true + enrolled_at: + type: string + health: + additionalProperties: + nullable: true + type: object + id: + type: string + identifying_attributes: + additionalProperties: + type: string + type: object + last_checkin: + type: string + last_checkin_message: + type: string + last_checkin_status: + enum: + - error + - online + - degraded + - updating + - starting + - disconnected + type: string + last_known_status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + local_metadata: + additionalProperties: + nullable: true + type: object + metrics: + additionalProperties: false + type: object + properties: + cpu_avg: + type: number + memory_size_byte_avg: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + non_identifying_attributes: + additionalProperties: + type: string + type: object + outputs: + additionalProperties: + additionalProperties: false + type: object + properties: + api_key_id: + type: string + to_retire_api_key_ids: + items: + additionalProperties: false + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at 
+ maxItems: 100 + type: array + type: + type: string + type: object + packages: + items: + type: string + maxItems: 10000 + type: array + policy_id: + type: string + policy_revision: + nullable: true + type: number + sequence_num: + type: number + sort: + items: + nullable: true + maxItems: 10 + type: array + status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + tags: + items: + type: string + maxItems: 100 + type: array + type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + - OPAMP + type: string + unenrolled_at: + type: string + unenrollment_started_at: + type: string + unhealthy_reason: + items: + enum: + - input + - output + - other + type: string + maxItems: 3 + nullable: true + type: array + upgrade: + additionalProperties: false + type: object + properties: + rollbacks: + items: + additionalProperties: false + type: object + properties: + valid_until: + type: string + version: + type: string + required: + - valid_until + - version + maxItems: 100 + type: array + upgrade_attempts: + items: + type: string + maxItems: 10000 + nullable: true + type: array + upgrade_details: + additionalProperties: false + nullable: true + type: object + properties: + action_id: + type: string + metadata: + additionalProperties: false + type: object + properties: + download_percent: + type: number + download_rate: + type: number + error_msg: + type: string + failed_state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + reason: + type: string + retry_error_msg: + type: string + retry_until: + type: string + scheduled_at: + type: string + state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: 
string + target_version: + type: string + required: + - target_version + - action_id + - state + upgrade_started_at: + nullable: true + type: string + upgraded_at: + nullable: true + type: string + user_provided_metadata: + additionalProperties: + nullable: true + type: object + required: + - id + - packages + - type + - active + - enrolled_at + - local_metadata + - effective_config + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent was found with the given ID + value: + error: Not Found + message: Agent agent-id-1 not found + statusCode: 404 + description: Not Found + summary: Update an agent by ID + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/actions: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/actions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new action for a specific agent.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-actions + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postAgentActionRequestExample: + description: Create a UNENROLL action for an agent + value: + action: + type: UNENROLL + schema: + additionalProperties: false + type: object + properties: + action: + anyOf: + - additionalProperties: false + type: object + properties: + ack_data: + nullable: true + data: + nullable: true + type: + enum: + - UNENROLL + - UPGRADE + - POLICY_REASSIGN + type: string + required: + - type + - data + - ack_data + - additionalProperties: false + type: object + properties: + data: + additionalProperties: false + type: object + properties: + log_level: + enum: + - debug + - info + - warning + - error + nullable: true + type: string + required: + - log_level + type: + enum: + - SETTINGS + type: string + required: + - type + - data + required: + - action + responses: + '200': + content: + application/json: + examples: + postAgentActionExample: + description: Created agent action + value: + item: + agents: + - agent-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: action-id-1 + type: UNENROLL + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + ack_data: + nullable: true + agents: + items: + type: string + maxItems: 10000 + type: array + created_at: + type: string + data: + nullable: true + expiration: + type: string + id: + type: string + minimum_execution_duration: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + rollout_duration_seconds: + type: number + sent_at: + type: string + source_uri: + type: string 
+ start_time: + type: string + total: + type: number + type: + type: string + required: + - id + - type + - data + - created_at + - ack_data + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create an agent action + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/effective_config: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/{agentId}/effective_config
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an agent's effective config by ID.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-agentid-effective-config + parameters: + - description: The agent ID to get effective config of + in: path + name: agentId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + successResponse: + value: + effective_config: {} + schema: + additionalProperties: false + type: object + properties: + effective_config: + nullable: true + required: + - effective_config + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Get an agent's effective config + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/migrate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/migrate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Migrate a single agent to another cluster.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-migrate + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postMigrateAgentRequestExample: + description: Migrate a single agent to another cluster + value: + enrollment_token: enrollment-token-value + settings: + retry_max: 5 + uri: https://fleet-server.example.com:8220 + schema: + additionalProperties: false + type: object + properties: + enrollment_token: + type: string + settings: + additionalProperties: false + type: object + properties: + ca_sha256: + type: string + certificate_authorities: + type: string + elastic_agent_cert: + type: string + elastic_agent_cert_key: + type: string + elastic_agent_cert_key_passphrase: + type: string + headers: + additionalProperties: + type: string + type: object + insecure: + type: boolean + proxy_disabled: + type: boolean + proxy_headers: + additionalProperties: + type: string + type: object + proxy_url: + type: string + replace_token: + type: string + staging: + type: string + tags: + items: + type: string + maxItems: 10 + type: array + uri: + format: uri + type: string + required: + - uri + - enrollment_token + responses: + '200': + content: + application/json: + examples: + postMigrateAgentExample: + description: Agent migration initiated + value: + actionId: action-id-1 + schema: + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: 
+ additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Migrate a single agent + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/privilege_level_change: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/privilege_level_change
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Change the privilege level of a single agent to unprivileged.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-privilege-level-change + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID to change privilege level for + in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + changeAgentPrivilegeLevelRequest: + value: + user_info: + groupname: groupname + password: password + username: username + schema: + additionalProperties: false + nullable: true + type: object + properties: + user_info: + additionalProperties: false + type: object + properties: + groupname: + type: string + password: + type: string + username: + type: string + responses: + '200': + content: + application/json: + examples: + successResponse: + value: + actionId: actionId + schema: + anyOf: + - additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + - additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Change agent privilege level + tags: + - Elastic Agents + x-state: Technical Preview; added in 9.3.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/reassign: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/reassign
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Reassign an agent to a different agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-reassign + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postReassignAgentRequestExample: + description: Reassign an agent to a different policy + value: + policy_id: agent-policy-id-2 + schema: + additionalProperties: false + type: object + properties: + policy_id: + type: string + required: + - policy_id + responses: + '200': + content: + application/json: + examples: + postReassignAgentExample: + description: Agent successfully reassigned + value: {} + schema: + additionalProperties: false + type: object + properties: {} + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Reassign an agent + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/request_diagnostics: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/request_diagnostics
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Request a diagnostics bundle from a specific agent.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: post-fleet-agents-agentid-request-diagnostics + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postRequestDiagnosticsRequestExample: + description: Request a diagnostics bundle from an agent + value: + additional_metrics: + - CPU + schema: + additionalProperties: false + nullable: true + type: object + properties: + additional_metrics: + items: + enum: + - CPU + type: string + maxItems: 1 + type: array + responses: + '200': + content: + application/json: + examples: + postRequestDiagnosticsExample: + description: Diagnostics action result + value: + actionId: action-id-1 + schema: + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: Agent agent-id-1 does not support request diagnostics action. + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Request agent diagnostics + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/rollback: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/rollback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rollback an agent to the previous version.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-rollback + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID to rollback + in: path + name: agentId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + successResponse: + value: + actionId: actionId + schema: + anyOf: + - additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + - additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Rollback an agent + tags: + - Elastic Agent actions + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/unenroll: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/unenroll
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Unenroll a specific agent, optionally revoking its enrollment API key.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-unenroll + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postUnenrollAgentRequestExample: + description: Unenroll an agent, optionally revoking the enrollment API key + value: + revoke: false + schema: + additionalProperties: false + nullable: true + type: object + properties: + force: + type: boolean + revoke: + type: boolean + responses: + '200': + content: + application/json: + examples: + postUnenrollAgentExample: + description: Agent successfully unenrolled + value: {} + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + description: Bad Request + summary: Unenroll an agent + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/upgrade: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/upgrade
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upgrade a specific agent to a newer version.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-upgrade + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postUpgradeAgentRequestExample: + description: Upgrade an agent to a specific version + value: + version: 8.17.0 + schema: + additionalProperties: false + type: object + properties: + force: + type: boolean + skipRateLimitCheck: + type: boolean + source_uri: + type: string + version: + type: string + required: + - version + responses: + '200': + content: + application/json: + examples: + postUpgradeAgentExample: + description: Agent upgrade initiated + value: {} + schema: + additionalProperties: false + type: object + properties: {} + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Upgrade an agent + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/uploads: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/{agentId}/uploads
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of files uploaded by a specific agent.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-agentid-uploads + parameters: + - in: path + name: agentId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getAgentUploadsExample: + description: List of files uploaded by the agent + value: + items: + - actionId: action-id-1 + createTime: '2024-01-01T00:00:00.000Z' + filePath: /tmp/diagnostics-2024-01-01.zip + id: file-id-1 + name: diagnostics-2024-01-01.zip + status: READY + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + actionId: + type: string + createTime: + type: string + error: + type: string + filePath: + type: string + id: + type: string + name: + type: string + status: + enum: + - READY + - AWAITING_UPLOAD + - DELETED + - EXPIRED + - IN_PROGRESS + - FAILED + type: string + required: + - id + - name + - filePath + - createTime + - status + - actionId + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent uploads + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/action_status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/action_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the current status of recent agent actions.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-action-status + parameters: + - in: query + name: page + required: false + schema: + default: 0 + type: number + - in: query + name: perPage + required: false + schema: + default: 20 + type: number + - in: query + name: date + required: false + schema: + type: string + - in: query + name: latest + required: false + schema: + type: number + - in: query + name: errorSize + required: false + schema: + default: 5 + type: number + responses: + '200': + content: + application/json: + examples: + getActionStatusExample: + description: Status of recent agent actions + value: + items: + - actionId: action-id-1 + completionTime: '2024-01-01T00:05:00.000Z' + creationTime: '2024-01-01T00:00:00.000Z' + nbAgentsAck: 2 + nbAgentsActioned: 2 + nbAgentsFailed: 0 + status: COMPLETE + type: UPGRADE + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + actionId: + type: string + cancellationTime: + type: string + completionTime: + type: string + creationTime: + description: creation time of action + type: string + expiration: + type: string + hasRolloutPeriod: + type: boolean + is_automatic: + type: boolean + latestErrors: + items: + additionalProperties: false + description: latest errors that happened when the agents executed the action + type: object + properties: + agentId: + type: string + error: + type: string + hostname: + type: string + timestamp: + type: string + required: + - agentId + - error + - timestamp + maxItems: 10 + type: array + nbAgentsAck: + description: number of agents that acknowledged the action + type: number + nbAgentsActionCreated: + description: number of agents included in action from kibana + type: number + nbAgentsActioned: + description: number of agents actioned + type: number + nbAgentsFailed: + description: number of agents that failed to execute the 
action + type: number + newPolicyId: + description: new policy id (POLICY_REASSIGN action) + type: string + policyId: + description: policy id (POLICY_CHANGE action) + type: string + revision: + description: new policy revision (POLICY_CHANGE action) + type: number + startTime: + description: start time of action (scheduled actions) + type: string + status: + enum: + - COMPLETE + - EXPIRED + - CANCELLED + - FAILED + - IN_PROGRESS + - ROLLOUT_PASSED + type: string + type: + enum: + - UPGRADE + - UNENROLL + - SETTINGS + - POLICY_REASSIGN + - CANCEL + - FORCE_UNENROLL + - REQUEST_DIAGNOSTICS + - UPDATE_TAGS + - POLICY_CHANGE + - INPUT_ACTION + - MIGRATE + - PRIVILEGE_LEVEL_CHANGE + - ROLLBACK + type: string + version: + description: agent version number (UPGRADE action) + type: string + required: + - actionId + - nbAgentsActionCreated + - nbAgentsAck + - nbAgentsFailed + - type + - nbAgentsActioned + - status + - creationTime + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get an agent action status + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/actions/{actionId}/cancel: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/actions/{actionId}/cancel
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Cancel a pending action for a specific agent.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-actions-actionid-cancel + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: actionId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postCancelActionRequestExample: + description: Cancel an agent action + value: {} + responses: + '200': + content: + application/json: + examples: + postCancelActionExample: + description: Cancellation action created + value: + item: + agents: + - agent-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: cancel-action-id-1 + type: CANCEL + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + ack_data: + nullable: true + agents: + items: + type: string + maxItems: 10000 + type: array + created_at: + type: string + data: + nullable: true + expiration: + type: string + id: + type: string + minimum_execution_duration: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + rollout_duration_seconds: + type: number + sent_at: + type: string + source_uri: + type: string + start_time: + type: string + total: + type: number + type: + type: string + required: + - id + - type + - data + - created_at + - ack_data + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + 
- message + - attributes + description: Bad Request + summary: Cancel an agent action + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/available_versions: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/available_versions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of Elastic Agent versions available for upgrade.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-available-versions + parameters: [] + responses: + '200': + content: + application/json: + examples: + getAvailableVersionsExample: + description: List of available agent versions for upgrade + value: + items: + - 8.17.0 + - 8.16.3 + - 8.16.2 + schema: + additionalProperties: false + type: object + properties: + items: + items: + type: string + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get available agent versions + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/bulk_migrate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_migrate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk migrate agents to another cluster.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-migrate + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkMigrateAgentsRequestExample: + description: Migrate multiple agents to another cluster + value: + agents: + - agent-id-1 + - agent-id-2 + enrollment_token: enrollment-token-value + settings: + retry_max: 5 + uri: https://fleet-server.example.com:8220 + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + enrollment_token: + type: string + settings: + additionalProperties: false + type: object + properties: + ca_sha256: + type: string + certificate_authorities: + type: string + elastic_agent_cert: + type: string + elastic_agent_cert_key: + type: string + elastic_agent_cert_key_passphrase: + type: string + headers: + additionalProperties: + type: string + type: object + insecure: + type: boolean + proxy_disabled: + type: boolean + proxy_headers: + additionalProperties: + type: string + type: object + proxy_url: + type: string + staging: + type: string + tags: + items: + type: string + maxItems: 10 + type: array + uri: + format: uri + type: string + required: + - agents + - uri + - enrollment_token + responses: + '200': + content: + application/json: + examples: + postBulkMigrateAgentsExample: + description: Bulk agent migration initiated + value: + actionId: action-id-1 + schema: + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request 
+ message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Migrate multiple agents + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/bulk_privilege_level_change: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_privilege_level_change
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Change multiple agents' privilege level to unprivileged.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-privilege-level-change + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + bulkChangeAgentPrivilegeLevelRequest: + value: + agents: agent + user_info: + groupname: groupname + password: password + username: username + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + user_info: + additionalProperties: false + type: object + properties: + groupname: + type: string + password: + type: string + username: + type: string + required: + - agents + responses: + '200': + content: + application/json: + examples: + successResponse: + value: + actionId: actionId + schema: + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Bulk change agent privilege level + tags: + - Elastic Agents + x-state: Technical Preview; added in 9.3.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/bulk_reassign: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_reassign
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Reassign multiple agents to a different agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-reassign + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkReassignAgentsRequestExample: + description: Reassign multiple agents to a different policy + value: + agents: + - agent-id-1 + - agent-id-2 + policy_id: agent-policy-id-2 + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + includeInactive: + default: false + type: boolean + policy_id: + type: string + required: + - policy_id + - agents + responses: + '200': + content: + application/json: + examples: + postBulkReassignAgentsExample: + description: Bulk reassign action result + value: + actionId: action-id-1 + schema: + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk reassign agents + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/bulk_request_diagnostics: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_request_diagnostics
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Request diagnostics bundles from multiple agents.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: post-fleet-agents-bulk-request-diagnostics + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkRequestDiagnosticsRequestExample: + description: Request diagnostics bundles from multiple agents + value: + additional_metrics: + - CPU + agents: + - agent-id-1 + - agent-id-2 + schema: + additionalProperties: false + type: object + properties: + additional_metrics: + items: + enum: + - CPU + type: string + maxItems: 1 + type: array + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + required: + - agents + responses: + '200': + content: + application/json: + examples: + postBulkRequestDiagnosticsExample: + description: Bulk diagnostics action result + value: + actionId: action-id-1 + schema: + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk request diagnostics from agents + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/bulk_rollback: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_rollback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rollback multiple agents to the previous version.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-rollback + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + bulkRollbackAgentsRequest: + value: + agents: + - agent-1 + - agent-2 + batchSize: 100 + includeInactive: false + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + includeInactive: + default: false + type: boolean + required: + - agents + responses: + '200': + content: + application/json: + examples: + successResponse: + value: + actionIds: + - actionId1 + - actionId2 + schema: + additionalProperties: false + type: object + properties: + actionIds: + items: + type: string + maxItems: 10000 + type: array + required: + - actionIds + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Bulk rollback agents + tags: + - Elastic Agent actions + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/bulk_unenroll: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_unenroll
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Unenroll multiple agents, optionally revoking their enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-unenroll + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkUnenrollAgentsRequestExample: + description: Unenroll multiple agents + value: + agents: + - agent-id-1 + - agent-id-2 + revoke: false + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + description: list of agent IDs + type: string + maxItems: 10000 + type: array + - description: KQL query string, leave empty to action all agents + type: string + batchSize: + type: number + force: + description: Unenrolls hosted agents too + type: boolean + includeInactive: + description: When passing agents by KQL query, unenrolls inactive agents too + type: boolean + revoke: + description: Revokes API keys of agents + type: boolean + required: + - agents + responses: + '200': + content: + application/json: + examples: + postBulkUnenrollAgentsExample: + description: Bulk unenroll action result + value: + actionId: action-id-1 + schema: + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk unenroll agents + tags: + - Elastic Agent actions + 
x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/bulk_update_agent_tags: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_update_agent_tags
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Add or remove tags across multiple agents.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-update-agent-tags + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkUpdateAgentTagsRequestExample: + description: Add and remove tags across multiple agents + value: + agents: + - agent-id-1 + - agent-id-2 + tagsToAdd: + - production + tagsToRemove: + - staging + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + includeInactive: + default: false + type: boolean + tagsToAdd: + items: + type: string + maxItems: 10 + type: array + tagsToRemove: + items: + type: string + maxItems: 10 + type: array + required: + - agents + responses: + '200': + content: + application/json: + examples: + postBulkUpdateAgentTagsExample: + description: Bulk action result + value: + actionId: action-id-1 + schema: + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk update agent tags + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/bulk_upgrade: + post: + 
description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_upgrade
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upgrade multiple agents to a newer version, with optional rollout controls.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-upgrade + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkUpgradeAgentsRequestExample: + description: Upgrade multiple agents to a specific version + value: + agents: + - agent-id-1 + - agent-id-2 + rollout_duration_seconds: 3600 + version: 8.17.0 + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + force: + type: boolean + includeInactive: + default: false + type: boolean + rollout_duration_seconds: + minimum: 600 + type: number + skipRateLimitCheck: + type: boolean + source_uri: + type: string + start_time: + type: string + version: + type: string + required: + - agents + - version + responses: + '200': + content: + application/json: + examples: + postBulkUpgradeAgentsExample: + description: Bulk upgrade action result + value: + actionId: action-id-1 + schema: + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk upgrade agents + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana + 
name: product_name + /api/fleet/agents/files/{fileId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/agents/files/{fileId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: delete-fleet-agents-files-fileid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: fileId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + deleteAgentUploadFileExample: + description: Uploaded file successfully deleted + value: + deleted: true + id: file-id-1 + schema: + additionalProperties: false + type: object + properties: + deleted: + type: boolean + id: + type: string + required: + - id + - deleted + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete an uploaded file + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/files/{fileId}/{fileName}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/files/{fileId}/{fileName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-files-fileid-filename + parameters: + - in: path + name: fileId + required: true + schema: + type: string + - in: path + name: fileName + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getAgentUploadFileExample: + description: The uploaded file content as a stream + value: + schema: + type: object + description: Successful response — returns the uploaded file content + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get an uploaded file + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/setup: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/setup
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the current Fleet setup status, including whether Fleet is ready to enroll agents and which requirements or optional features are missing.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. + operationId: get-fleet-agents-setup + parameters: [] + responses: + '200': + content: + application/json: + examples: + agentsSetupNotReadyExample: + description: Fleet is not ready — a Fleet Server and API keys are required + value: + is_action_secrets_storage_enabled: false + is_secrets_storage_enabled: false + is_space_awareness_enabled: false + is_ssl_secrets_storage_enabled: false + isReady: false + missing_optional_features: + - encrypted_saved_object_encryption_key_required + missing_requirements: + - fleet_server + - api_keys + agentsSetupReadyExample: + description: Fleet is ready to enroll agents — all requirements are met + value: + is_action_secrets_storage_enabled: true + is_secrets_storage_enabled: true + is_space_awareness_enabled: false + is_ssl_secrets_storage_enabled: false + isReady: true + missing_optional_features: [] + missing_requirements: [] + package_verification_key_id: D88DB4CC + schema: + additionalProperties: false + description: A summary of the agent setup status. `isReady` indicates whether the setup is ready. If the setup is not ready, `missing_requirements` lists which requirements are missing. 
+ type: object + properties: + is_action_secrets_storage_enabled: + type: boolean + is_secrets_storage_enabled: + type: boolean + is_space_awareness_enabled: + type: boolean + is_ssl_secrets_storage_enabled: + type: boolean + isReady: + type: boolean + missing_optional_features: + items: + enum: + - encrypted_saved_object_encryption_key_required + type: string + maxItems: 1 + type: array + missing_requirements: + items: + enum: + - security_required + - tls_required + - api_keys + - fleet_admin_user + - fleet_server + type: string + maxItems: 5 + type: array + package_verification_key_id: + type: string + required: + - isReady + - missing_requirements + - missing_optional_features + description: Fleet setup status + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent setup info + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/setup
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initialize Fleet. This endpoint is used by Elastic Agents to trigger Fleet setup. Safe to call multiple times; subsequent calls are idempotent.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. + operationId: post-fleet-agents-setup + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + responses: + '200': + content: + application/json: + examples: + agentsSetupSuccessExample: + description: Fleet setup initialized successfully with no non-fatal errors + value: + isInitialized: true + nonFatalErrors: [] + schema: + additionalProperties: false + description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup. + type: object + properties: + isInitialized: + type: boolean + nonFatalErrors: + items: + additionalProperties: false + type: object + properties: + message: + type: string + name: + type: string + required: + - name + - message + maxItems: 10000 + type: array + required: + - isInitialized + - nonFatalErrors + description: Fleet setup completed + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Initiate Fleet setup + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/tags: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/tags
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all tags used across enrolled agents.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-tags + parameters: + - in: query + name: kuery + required: false + schema: + type: string + - in: query + name: showInactive + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + getAgentTagsExample: + description: List of tags used across agents + value: + items: + - production + - linux + - datacenter-1 + schema: + additionalProperties: false + type: object + properties: + items: + items: + type: string + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent tags + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/check-permissions: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/check-permissions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Check whether the current user has the required permissions to use Fleet. Optionally verifies Fleet Server setup privileges. + operationId: get-fleet-check-permissions + parameters: + - in: query + name: fleetServerSetup + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + checkPermissionsMissingPrivilegesExample: + description: The current user is missing Fleet privileges + value: + error: MISSING_PRIVILEGES + success: false + checkPermissionsSuccessExample: + description: The current user has all required Fleet permissions + value: + success: true + schema: + additionalProperties: false + type: object + properties: + error: + enum: + - MISSING_SECURITY + - MISSING_PRIVILEGES + - MISSING_FLEET_SERVER_SETUP_PRIVILEGES + type: string + success: + type: boolean + required: + - success + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Check permissions + tags: + - Fleet internals + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/cloud_connectors: get: - description: >- - Get the latest Attack Discovery generations metadata (that are not - dismissed) for the current user. This endpoint retrieves generation - metadata including execution status and statistics for Attack Discovery - generations. 
- operationId: GetAttackDiscoveryGenerations + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/cloud_connectors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet cloud connectors.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. + operationId: get-fleet-cloud-connectors parameters: - - description: >- - End of the time range for filtering generations. Accepts absolute - timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h"). - example: now + - description: The page number for pagination. in: query - name: end + name: page required: false schema: type: string - - description: The maximum number of generations to retrieve - example: 50 + - description: The number of items per page. in: query - name: size + name: perPage required: false schema: - default: 50 - minimum: 1 - type: number - - description: >- - Start of the time range for filtering generations. Accepts absolute - timestamps (ISO 8601) or relative date math (e.g. "now-7d"). - example: now-24h + type: string + - description: KQL query to filter cloud connectors. in: query - name: start + name: kuery required: false schema: type: string 
@@ -3139,7986 +42067,16627 @@ paths: '200': content: application/json: - example: - generations: - - alerts_context_count: 75 - connector_id: chatGpt5_0ChatAzure - discoveries: 3 - end: '2025-09-29T06:42:44.810Z' - execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 - loading_message: >- - AI is analyzing up to 100 alerts in the last 24 hours to - generate discoveries. - start: '2025-09-29T06:42:08.962Z' - status: succeeded + examples: + getCloudConnectorsExample: + description: List of Fleet cloud connectors + value: + items: + - accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-1 + name: My AWS connector + packagePolicyCount: 2 + updated_at: '2024-01-15T10:00:00.000Z' + vars: {} schema: + additionalProperties: false type: object properties: - generations: - description: List of Attack Discovery generations + items: items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at + maxItems: 10000 type: array required: - - generations - description: Indicates a successful call. + - items + description: Successful response '400': content: application/json: - example: - error: Bad Request - message: Invalid size parameter. Must be a positive number. 
- status_code: 400 + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: + attributes: + nullable: true error: - description: Error type - example: Bad Request + type: string + errorType: type: string message: - description: Human-readable error message - example: Invalid size parameter. Must be a positive number. type: string - status_code: - description: HTTP status code - example: 400 + statusCode: type: number - description: Bad Request response. - summary: >- - Get the latest Attack Discovery generations metadata for the current - user + required: + - message + - attributes + description: Bad Request + summary: Get cloud connectors tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/generations?size=50&start=now-24h&end=now' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/generations/{execution_uuid}: - get: - description: >- - Returns a specific Attack Discovery generation, including all generated - Attack discoveries and associated metadata, including execution status - and statistics. - operationId: GetAttackDiscoveryGeneration + - Fleet cloud connectors + x-state: Technical Preview; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/cloud_connectors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Fleet cloud connector.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. + operationId: post-fleet-cloud-connectors parameters: - - description: >- - The unique identifier for the Attack Discovery generation execution. - This UUID is returned at the start of an Attack Discovery - generation. - example: 2e13f386-46cf-4d65-9e2b-68609e132ba5 - in: path - name: execution_uuid + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - - description: >- - Enables a markdown syntax used to render pivot fields, for example - `{{ user.name james }}`. When disabled, the same example would be - rendered as `james`. This is primarily used for Attack Discovery - views within Kibana. Defaults to `false`. - example: false - in: query - name: enable_field_rendering - required: false + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postCloudConnectorRequestExample: + description: Create a new AWS cloud connector + value: + accountType: single-account + cloudProvider: aws + name: My AWS connector + vars: {} + schema: + additionalProperties: false + type: object + properties: + accountType: + description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).' + enum: + - single-account + - organization-account + type: string + cloudProvider: + description: 'The cloud provider type: aws, azure, or gcp.' + enum: + - aws + - azure + - gcp + type: string + name: + description: The name of the cloud connector. 
+ maxLength: 255 + minLength: 1 + type: string + vars: + additionalProperties: + anyOf: + - maxLength: 1000 + type: string + - type: number + - type: boolean + - additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + maxLength: 50 + type: string + value: + anyOf: + - maxLength: 1000 + type: string + - additionalProperties: false + type: object + properties: + id: + maxLength: 255 + type: string + isSecretRef: + type: boolean + required: + - isSecretRef + - id + required: + - type + - value + type: object + required: + - name + - cloudProvider + - vars + responses: + '200': + content: + application/json: + examples: + postCloudConnectorExample: + description: The created Fleet cloud connector + value: + item: + accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-2 + name: My AWS connector + packagePolicyCount: 0 + updated_at: '2024-01-15T10:00:00.000Z' + vars: {} + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + 
type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create cloud connector + tags: + - Fleet cloud connectors + x-state: Technical Preview; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/cloud_connectors/{cloudConnectorId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a cloud connector by ID. Use the `force` query parameter to delete even if package policies are still using it.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. + operationId: delete-fleet-cloud-connectors-cloudconnectorid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - default: false - type: boolean - - description: >- - When true, return the created Attack discoveries with text - replacements applied to the detailsMarkdown, entitySummaryMarkdown, - summaryMarkdown, and title fields. Defaults to `true`. - example: true + example: 'true' + type: string + - description: The unique identifier of the cloud connector to delete. + in: path + name: cloudConnectorId + required: true + schema: + type: string + - description: If true, forces deletion even if the cloud connector is in use. in: query - name: with_replacements + name: force required: false schema: - default: true type: boolean responses: '200': content: application/json: - example: - data: - - id: >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - title: Suspicious process execution on host-01 - generation: - alerts_context_count: 50 - discoveries: 1 - end: '2025-09-29T06:42:44.810Z' - execution_uuid: 2e13f386-46cf-4d65-9e2b-68609e132ba5 - start: '2025-09-29T06:42:08.962Z' - status: succeeded + examples: + deleteCloudConnectorExample: + description: The cloud connector was successfully deleted + value: + id: cloud-connector-id-1 schema: + additionalProperties: false type: object properties: - data: - description: >- - Array of Attack discoveries generated during this - execution. - items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert - type: array - generation: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration - description: >- - Optional metadata about the attack discovery generation - process, metadata including execution status and - statistics. 
This metadata may not be available for all - generations. + id: + type: string required: - - data - description: Indicates a successful call. + - id + description: Successful response '400': content: application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: + attributes: + nullable: true error: - description: Error type - example: Bad Request + type: string + errorType: type: string message: - description: >- - Human-readable error message describing what went wrong - with the request - example: Invalid request parameters. type: string - status_code: - description: HTTP status code - example: 400 + statusCode: type: number required: - - status_code - - error - message - description: Bad Request response. - summary: >- - Get a single Attack Discovery generation, including its discoveries and - (optional) generation metadata + - attributes + description: Bad Request + summary: Delete cloud connector (supports force deletion) tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/generations/2e13f386-46cf-4d65-9e2b-68609e132ba5' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/generations/{execution_uuid}/_dismiss: - post: - description: >- - Dismisses an Attack Discovery generation for the current user, - indicating that its status should not be reported in the UI. This sets - the generation's status to "dismissed" and affects how the generation - appears in subsequent queries. 
- operationId: PostAttackDiscoveryGenerationsDismiss + - Fleet cloud connectors + x-state: Technical Preview; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a cloud connector by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. + operationId: get-fleet-cloud-connectors-cloudconnectorid parameters: - - description: >- - The unique identifier for the Attack Discovery generation execution. - This UUID is returned when an Attack Discovery generation is created - and can be found in generation responses. - example: 46b218d5-535d-4329-be56-d0f6af6986b7 + - description: The unique identifier of the cloud connector. in: path - name: execution_uuid + name: cloudConnectorId required: true schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + type: string responses: '200': content: application/json: - example: - alerts_context_count: 75 - connector_id: chatGpt5_0ChatAzure - discoveries: 3 - end: '2025-09-29T06:42:44.810Z' - execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 - loading_message: >- - AI is analyzing up to 100 alerts in the last 24 hours to - generate discoveries. - start: '2025-09-29T06:42:08.962Z' - status: dismissed + examples: + getCloudConnectorExample: + description: A Fleet cloud connector + value: + item: + accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-1 + name: My AWS connector + packagePolicyCount: 2 + updated_at: '2024-01-15T10:00:00.000Z' + vars: {} schema: + additionalProperties: false type: object properties: - alerts_context_count: - description: >- - The number of alerts that were sent as context to the LLM - for this generation. - example: 75 - type: number - connector_id: - description: >- - The unique identifier of the connector used to generate - the attack discoveries. - example: chatGpt5_0ChatAzure - type: string - connector_stats: - description: >- - Statistical information about the connector's performance - for this user, providing insights into usage patterns and - success rates. 
+ item: + additionalProperties: false type: object properties: - average_successful_duration_nanoseconds: - description: >- - The average duration in nanoseconds for successful - generations using this connector by the current user. - example: 47958500000 - type: number - successful_generations: - description: >- - The total number of Attack discoveries successfully - created for this generation - example: 2 + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: type: number - discoveries: - description: >- - The number of attack discoveries that were generated - during this execution. - example: 3 - type: number - end: - description: >- - The timestamp when the generation process completed, in - ISO 8601 format. This field may be absent for generations - that haven't finished. - example: '2025-09-29T06:42:44.810Z' - type: string - execution_uuid: - description: >- - The unique identifier for this attack discovery generation - execution. This UUID can be used to reference this - specific generation in other API calls. - example: 46b218d5-535d-4329-be56-d0f6af6986b7 - type: string - loading_message: - description: >- - A human-readable message describing the current state or - progress of the generation process. Provides context about - what the AI is analyzing. - example: >- - AI is analyzing up to 100 alerts in the last 24 hours to - generate discoveries. - type: string - reason: - description: >- - Additional context or reasoning provided when a generation - fails or encounters issues. This field helps diagnose - problems with the generation process. - example: Connection timeout to AI service - type: string - start: - description: >- - The timestamp when the generation process began, in ISO - 8601 format. This marks the beginning of the AI analysis. 
- example: '2025-09-29T06:42:08.962Z' - type: string - status: - description: >- - The current status of the attack discovery generation. - After dismissing, this will be set to "dismissed". - enum: - - canceled - - dismissed - - failed - - started - - succeeded - example: dismissed - type: string + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at required: - - connector_id - - discoveries - - execution_uuid - - loading_message - - start - - status - description: Indicates a successful call. + - item + description: Successful response '400': content: application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: + attributes: + nullable: true error: - description: Error type or category - example: Bad Request + type: string + errorType: type: string message: - description: >- - Human-readable error message describing what went wrong - with the request. - example: Invalid request parameters. type: string - status_code: - description: HTTP status code indicating the type of client error - example: 400 + statusCode: type: number required: - - status_code - - error - message - description: Bad Request response. 
- summary: Dismiss an Attack Discovery generation + - attributes + description: Bad Request + summary: Get cloud connector tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/generations/46b218d5-535d-4329-be56-d0f6af6986b7/_dismiss' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/schedules: - post: - description: >- - Creates a new Attack Discovery schedule that analyzes security alerts at - specified intervals. The schedule defines when and how Attack Discovery - analysis should run, including which alerts to analyze, which AI - connector to use, and what actions to take when discoveries are found. - operationId: CreateAttackDiscoverySchedules + - Fleet cloud connectors + x-state: Technical Preview; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a cloud connector by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. + operationId: put-fleet-cloud-connectors-cloudconnectorid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the cloud connector to update. + in: path + name: cloudConnectorId + required: true + schema: + type: string requestBody: content: application/json: - example: - actions: [] - enabled: true - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h + examples: + putCloudConnectorRequestExample: + description: Update a Fleet cloud connector + value: + name: Updated AWS connector + vars: {} schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps - description: >- - Attack Discovery schedule configuration including name, parameters, - schedule interval, and actions - required: true + additionalProperties: false + type: object + properties: + accountType: + description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).' + enum: + - single-account + - organization-account + type: string + name: + description: The name of the cloud connector. 
+ maxLength: 255 + minLength: 1 + type: string + vars: + additionalProperties: + anyOf: + - maxLength: 1000 + type: string + - type: number + - type: boolean + - additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + maxLength: 50 + type: string + value: + anyOf: + - maxLength: 1000 + type: string + - additionalProperties: false + type: object + properties: + id: + maxLength: 255 + type: string + isSecretRef: + type: boolean + required: + - isSecretRef + - id + required: + - type + - value + type: object responses: '200': content: application/json: - example: - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - updated_at: '2023-10-31T10:00:00.000Z' - updated_by: elastic + examples: + putCloudConnectorExample: + description: The updated Fleet cloud connector + value: + item: + accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-1 + name: Updated AWS connector + packagePolicyCount: 2 + updated_at: '2024-01-15T11:00:00.000Z' + vars: {} schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule - description: The Attack Discovery schedule was successfully created. 
+ additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at + required: + - item + description: Successful response '400': content: application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. 
- summary: Create Attack Discovery schedule + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Update cloud connector tags: - - Security Attack discovery API - x-code-samples: - - label: Create an Attack Discovery schedule - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/schedules' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{ - "name": "Daily Security Analysis", - "enabled": true, - "params": { - "alerts_index_pattern": ".alerts-security.alerts-default", - "api_config": { - "actionTypeId": "bedrock", - "connectorId": "my-bedrock-connector", - "name": "Claude 3.5 Sonnet" - }, - "size": 100, - "start": "now-24h", - "end": "now" - }, - "schedule": { - "interval": "24h" - }, - "actions": [ - { - "action_type_id": ".cases", - "id": "system-connector-.cases", - "params": { - "subAction": "run", - "subActionParams": { - "timeWindow": "7d", - "reopenClosedCases": false, - "groupingBy": [], - "templateId": null - } - }, - "uuid": "12345678-1234-1234-1234-123456789012" - } - ] - }' - /api/attack_discovery/schedules/_find: + - Fleet cloud connectors + x-state: Technical Preview; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/cloud_connectors/{cloudConnectorId}/usage: get: - description: >- - Find Attack Discovery schedules that match the search criteria. Supports - pagination and sorting by various fields. - operationId: FindAttackDiscoverySchedules + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}/usage
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of package policies that are using a given cloud connector.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. + operationId: get-fleet-cloud-connectors-cloudconnectorid-usage parameters: - - description: Page number to return (used for pagination). Defaults to 1. - example: 1 + - description: The unique identifier of the cloud connector. + in: path + name: cloudConnectorId + required: true + schema: + type: string + - description: The page number for pagination. in: query name: page required: false schema: + minimum: 1 type: number - - description: >- - Number of Attack Discovery schedules to return per page (used for - pagination). Defaults to 10. - example: 10 + - description: The number of items per page. in: query - name: per_page + name: perPage required: false schema: + minimum: 1 type: number - - description: >- - Field used to sort results. Common fields include 'name', - 'created_at', 'updated_at', and 'enabled'. - example: name - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - - description: >- - Sort order direction. Use 'asc' for ascending or 'desc' for - descending. Defaults to 'asc'. 
- example: asc - in: query - name: sort_direction - required: false - schema: - enum: - - asc - - desc - type: string responses: '200': content: application/json: - example: - data: - - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - updated_at: '2023-10-31T10:00:00.000Z' - updated_by: elastic - page: 1 - per_page: 10 - total: 1 + examples: + getCloudConnectorUsageResponseExample: + description: Example response showing package policies using the cloud connector + value: + items: + - created_at: '2025-01-16T09:00:00.000Z' + id: package-policy-1 + name: CSPM AWS Policy + package: + name: cloud_security_posture + title: Cloud Security Posture Management + version: 3.1.1 + policy_ids: + - policy-id-123 + - policy-id-456 + updated_at: '2025-01-16T09:00:00.000Z' + page: 1 + perPage: 20 + total: 2 schema: + additionalProperties: false type: object properties: - data: - description: Array of matched Attack Discovery schedule objects. + items: items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule + additionalProperties: false + type: object + properties: + created_at: + type: string + id: + type: string + name: + type: string + package: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version: + type: string + required: + - name + - title + - version + policy_ids: + items: + type: string + maxItems: 10000 + type: array + updated_at: + type: string + required: + - id + - name + - policy_ids + - created_at + - updated_at + maxItems: 10000 type: array page: - description: Current page number of the paginated result set. 
type: number - per_page: - description: Number of items requested per page. + perPage: type: number total: - description: >- - Total number of Attack Discovery schedules matching the - query (across all pages). type: number required: - - page - - per_page + - items - total - - data - description: Indicates a successful call. + - page + - perPage + description: 'OK: A successful request.' '400': content: application/json: - example: - error: Bad Request - message: Invalid request payload. - status_code: 400 + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: Cloud connector not found + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: + attributes: + nullable: true error: - description: Error type - example: Bad Request + type: string + errorType: type: string message: - description: Human-readable error message - example: Invalid request payload. type: string - status_code: - description: HTTP status code - example: 400 + statusCode: type: number - description: Bad Request response. - summary: Find Attack Discovery schedules that match the search criteria + required: + - message + - attributes + description: A bad request. + summary: Get cloud connector usage (package policies using the connector) tags: - - Security Attack discovery API - x-code-samples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/schedules/_find' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/schedules/{id}: - delete: - description: >- - Permanently deletes an Attack Discovery schedule and all associated - configuration. - operationId: DeleteAttackDiscoverySchedules - parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - delete. 
This ID is returned when creating a schedule and can be - found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + - Fleet cloud connectors + x-state: Technical Preview; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/data_streams: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/data_streams
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet-managed data streams with metadata including package, namespace, size, and last activity.

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. + operationId: get-fleet-data-streams + parameters: [] responses: '200': content: application/json: - example: - id: 12345678-1234-1234-1234-123456789012 + examples: + getDataStreamsExample: + description: List of Fleet-managed data streams + value: + data_streams: + - dashboards: + - id: nginx-overview + title: Nginx Overview + dataset: nginx.access + index: logs-nginx.access-default + last_activity_ms: 1700000000000 + namespace: default + package: nginx + package_version: 1.20.0 + serviceDetails: null + size_in_bytes: 1048576 + size_in_bytes_formatted: 1mb + type: logs + - dashboards: [] + dataset: system.cpu + index: metrics-system.cpu-default + last_activity_ms: 1699999000000 + namespace: default + package: system + package_version: 1.38.0 + serviceDetails: null + size_in_bytes: 524288 + size_in_bytes_formatted: 512kb + type: metrics schema: + additionalProperties: false type: object properties: - id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString - description: >- - The unique identifier of the deleted Attack Discovery - schedule + data_streams: + items: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + title: + type: string + required: + - id + - title + maxItems: 10000 + type: array + dataset: + type: string + index: + type: string + last_activity_ms: + type: number + namespace: + type: string + package: + type: string + package_version: + type: string + serviceDetails: + additionalProperties: false + nullable: true + type: object + properties: + environment: + type: string + serviceName: + type: string + required: + - environment + - serviceName + size_in_bytes: + type: number + size_in_bytes_formatted: + anyOf: + - type: number + - type: string + type: + type: string + required: + - index + - 
dataset + - namespace + - type + - package + - package_version + - last_activity_ms + - size_in_bytes + - size_in_bytes_formatted + - dashboards + - serviceDetails + maxItems: 10000 + type: array required: - - id - description: >- - Successfully deleted Attack Discovery schedule, returning the ID of - the deleted schedule for confirmation + - data_streams + description: Successful response '400': content: application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Delete Attack Discovery schedule + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get data streams tags: - - Security Attack discovery API - x-code-samples: - - label: Delete an Attack Discovery schedule - lang: curl - source: | - curl \ - --request DELETE 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" + - Data streams + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/enrollment_api_keys: get: - description: >- - Retrieves a specific Attack Discovery schedule by its unique identifier. - Returns complete schedule configuration including parameters, interval - settings, associated actions, and execution history. - operationId: GetAttackDiscoverySchedules + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/enrollment_api_keys
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup. + operationId: get-fleet-enrollment-api-keys parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - retrieve. This ID is returned when creating a schedule and can be - found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true + - in: query + name: page + required: false schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + default: 1 + type: number + - in: query + name: perPage + required: false + schema: + default: 20 + type: number + - in: query + name: kuery + required: false + schema: + type: string responses: '200': content: application/json: - example: - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - last_execution: - date: '2023-10-31T10:00:00.000Z' - last_duration: 45.2 - status: ok - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - updated_at: '2023-10-31T10:00:00.000Z' - updated_by: elastic + examples: + getEnrollmentApiKeysExample: + description: List of enrollment API keys + value: + items: + - active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: Default policy enrollment key + policy_id: policy-id-1 + list: + - active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: Default policy enrollment key + policy_id: policy-id-1 + page: 1 + perPage: 20 + total: 1 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule - description: >- - Successfully 
retrieved Attack Discovery schedule with complete - configuration and metadata + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + active: + description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. + type: boolean + api_key: + description: The enrollment API key (token) used for enrolling Elastic Agents. + type: string + api_key_id: + description: The ID of the API key in the Security API. + type: string + created_at: + type: string + hidden: + type: boolean + id: + type: string + name: + description: The name of the enrollment API key. + type: string + policy_id: + description: The ID of the agent policy the Elastic Agent will be enrolled in. + type: string + required: + - id + - api_key_id + - api_key + - active + - created_at + maxItems: 10000 + type: array + list: + deprecated: true + items: + additionalProperties: false + type: object + properties: + active: + description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. + type: boolean + api_key: + description: The enrollment API key (token) used for enrolling Elastic Agents. + type: string + api_key_id: + description: The ID of the API key in the Security API. + type: string + created_at: + type: string + hidden: + type: boolean + id: + type: string + name: + description: The name of the enrollment API key. + type: string + policy_id: + description: The ID of the agent policy the Elastic Agent will be enrolled in. + type: string + required: + - id + - api_key_id + - api_key + - active + - created_at + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + - list + description: Successful response '400': content: application/json: - example: - error: Bad Request - message: Invalid request parameters. 
- status_code: 400 + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Get Attack Discovery schedule by ID + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get enrollment API keys tags: - - Security Attack discovery API - x-code-samples: - - label: Get an Attack Discovery schedule by ID - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - put: - description: >- - Updates an existing Attack Discovery schedule with new configuration. - All schedule properties can be modified including name, parameters, - interval, and actions. The update operation replaces the entire schedule - configuration with the provided values. - operationId: UpdateAttackDiscoverySchedules + - Fleet enrollment API keys + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/enrollment_api_keys
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create an enrollment API key for a given agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-enrollment-api-keys parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - update. This ID is returned when creating a schedule and can be - found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + example: 'true' + type: string requestBody: content: application/json: - example: - actions: [] - name: Updated Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 200 - start: now-48h - schedule: - interval: 12h + examples: + postEnrollmentApiKeyRequestExample: + description: Create an enrollment API key for an agent policy + value: + expiration: '2025-01-01T00:00:00.000Z' + name: My enrollment key + policy_id: policy-id-1 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps - description: >- - Updated Attack Discovery schedule configuration. All fields are - required as this replaces the entire schedule configuration. 
- required: true + additionalProperties: false + type: object + properties: + expiration: + type: string + name: + type: string + policy_id: + type: string + required: + - policy_id responses: '200': content: application/json: - example: - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - name: Updated Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 200 - start: now-48h - schedule: - interval: 12h - updated_at: '2023-10-31T12:00:00.000Z' - updated_by: elastic + examples: + postEnrollmentApiKeyExample: + description: The created enrollment API key + value: + action: created + item: + active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: My enrollment key + policy_id: policy-id-1 + schema: + additionalProperties: false + type: object + properties: + action: + enum: + - created + type: string + item: + additionalProperties: false + type: object + properties: + active: + description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. + type: boolean + api_key: + description: The enrollment API key (token) used for enrolling Elastic Agents. + type: string + api_key_id: + description: The ID of the API key in the Security API. + type: string + created_at: + type: string + hidden: + type: boolean + id: + type: string + name: + description: The name of the enrollment API key. + type: string + policy_id: + description: The ID of the agent policy the Elastic Agent will be enrolled in. 
+ type: string + required: + - id + - api_key_id + - api_key + - active + - created_at + required: + - item + - action + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create an enrollment API key + tags: + - Fleet enrollment API keys + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/enrollment_api_keys/{keyId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Revoke an enrollment API key by ID by marking it as inactive.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: delete-fleet-enrollment-api-keys-keyid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: keyId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + deleteEnrollmentApiKeyExample: + description: The enrollment API key was successfully revoked + value: + action: deleted schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule - description: >- - Successfully updated Attack Discovery schedule with the new - configuration and metadata + additionalProperties: false + type: object + properties: + action: + enum: + - deleted + type: string + required: + - action + description: Successful response '400': content: application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. 
- summary: Update Attack Discovery schedule + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No enrollment API key was found with the given ID + value: + error: Not Found + message: EnrollmentAPIKey key-id-1 not found + statusCode: 404 + description: Not Found + summary: Revoke an enrollment API key tags: - - Security Attack discovery API - x-code-samples: - - label: Update an Attack Discovery schedule - lang: curl - source: | - curl \ - --request PUT 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{ - "name": "Updated Daily Security Analysis", - "params": { - "alerts_index_pattern": ".alerts-security.alerts-default", - "api_config": { - "actionTypeId": "bedrock", - "connectorId": "my-bedrock-connector", - "name": "Claude 3.5 Sonnet" - }, - "size": 200, - "start": "now-48h", - "end": "now" - }, - "schedule": { - "interval": "12h" - }, - "actions": [] - }' - /api/attack_discovery/schedules/{id}/_disable: - post: - description: >- - Disables an Attack Discovery schedule, preventing it from running - according to its configured interval. The schedule configuration is - preserved and can be re-enabled later. Any currently running executions - will complete, but no new executions will be started. - operationId: DisableAttackDiscoverySchedules + - Fleet enrollment API keys + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an enrollment API key by ID.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup. + operationId: get-fleet-enrollment-api-keys-keyid parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - disable. This ID is returned when creating a schedule and can be - found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id + - in: path + name: keyId required: true schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + type: string responses: '200': content: application/json: - example: - id: 12345678-1234-1234-1234-123456789012 + examples: + getEnrollmentApiKeyExample: + description: An enrollment API key + value: + item: + active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: Default policy enrollment key + policy_id: policy-id-1 schema: + additionalProperties: false type: object properties: - id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString - description: >- - The unique identifier of the disabled Attack Discovery - schedule + item: + additionalProperties: false + type: object + properties: + active: + description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. + type: boolean + api_key: + description: The enrollment API key (token) used for enrolling Elastic Agents. + type: string + api_key_id: + description: The ID of the API key in the Security API. + type: string + created_at: + type: string + hidden: + type: boolean + id: + type: string + name: + description: The name of the enrollment API key. + type: string + policy_id: + description: The ID of the agent policy the Elastic Agent will be enrolled in. 
+ type: string + required: + - id + - api_key_id + - api_key + - active + - created_at required: - - id - description: >- - Successfully disabled Attack Discovery schedule, returning the - schedule ID for confirmation + - item + description: Successful response '400': content: application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Disable Attack Discovery schedule + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No enrollment API key was found with the given ID + value: + error: Not Found + message: EnrollmentAPIKey key-id-1 not found + statusCode: 404 + description: Not Found + summary: Get an enrollment API key tags: - - Security Attack discovery API - x-code-samples: - - label: Disable an Attack Discovery schedule - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_disable' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/schedules/{id}/_enable: + - Fleet enrollment API keys + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/bulk_assets: post: - description: >- - Enables a previously disabled Attack Discovery schedule, allowing it to - run according to its configured interval. 
Once enabled, the schedule - will begin executing at the next scheduled time based on its interval - configuration. - operationId: EnableAttackDiscoverySchedules + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/bulk_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve multiple Kibana saved object assets by their IDs and types.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: post-fleet-epm-bulk-assets parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - enable. This ID is returned when creating a schedule and can be - found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkGetAssetsRequestExample: + description: Retrieve multiple assets by their IDs and types + value: + assetIds: + - id: dashboard-id-1 + type: dashboard + - id: index-pattern-id-1 + type: index_pattern + schema: + additionalProperties: false + type: object + properties: + assetIds: + items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - id + - type + maxItems: 10000 + type: array + required: + - assetIds responses: '200': content: application/json: - example: - id: 12345678-1234-1234-1234-123456789012 + examples: + postBulkGetAssetsExample: + description: Requested assets + value: + items: + - appLink: /app/dashboards#/view/dashboard-id-1 + attributes: + title: My Dashboard + id: dashboard-id-1 + type: dashboard schema: + additionalProperties: false type: object properties: - id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString - description: >- - The unique identifier of the enabled Attack Discovery - schedule + items: + items: + additionalProperties: false + type: object + properties: + appLink: + type: string + attributes: + additionalProperties: false + type: object + properties: + description: + type: string + service: + type: string + title: + type: string + id: + type: 
string + type: + type: string + updatedAt: + type: string + required: + - id + - type + - attributes + maxItems: 10000 + type: array required: - - id - description: >- - Successfully enabled Attack Discovery schedule, returning the - schedule ID for confirmation + - items + description: Successful response '400': content: application/json: - example: - error: Bad Request - message: Invalid request parameters. - status_code: 400 + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Enable Attack Discovery schedule + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk get assets tags: - - Security Attack discovery API - x-code-samples: - - label: Enable an Attack Discovery schedule - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_enable' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/cases: - delete: - description: > - You must have `read` or `all` privileges and the `delete` sub-feature - privilege for the **Cases** feature in the **Management**, - **Observability**, or **Security** section of the Kibana feature - privileges, depending on the owner of the cases you're deleting. 
- operationId: deleteCaseDefaultSpace + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/categories: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/categories
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of integration categories.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-categories parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_ids' + - in: query + name: prerelease + required: false + schema: + type: boolean + - in: query + name: include_policy_templates + required: false + schema: + type: boolean responses: - '204': - description: Indicates a successful call. - '401': + '200': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + getCategoriesExample: + description: List of integration categories + value: + items: + - count: 42 + id: security + title: Security + - count: 38 + id: observability + title: Observability schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Delete cases + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + count: + type: number + id: + type: string + parent_id: + type: string + parent_title: + type: string + title: + type: string + required: + - id + - title + - count + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get package categories tags: - - cases - x-code-samples: - - label: curl - lang: curl - source: | - curl \ - --request 
DELETE 'https://localhost:5601/api/cases?ids=%5B%22030e6e34-6470-4001-864f-b229511ad188%22%2C%22e662ff34-0493-4538-b9d1-6706ced02ff2%22%5D' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --header "kbn-xsrf: true" - - label: Console - lang: console - source: > - DELETE - kbn:/api/cases?ids=["030e6e34-6470-4001-864f-b229511ad188","e662ff34-0493-4538-b9d1-6706ced02ff2"] - patch: - description: > - You must have `all` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the - Kibana feature privileges, depending on the owner of the case you're - updating. - operationId: updateCaseDefaultSpace + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/custom_integrations: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/custom_integrations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new custom integration package with user-defined data streams.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-custom-integrations parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - updateCaseRequest: - $ref: '#/components/examples/Cases_update_case_request' + postCreateCustomIntegrationRequestExample: + description: Create a new custom integration + value: + datasets: + - name: my_custom_logs.access + type: logs + integrationName: my_custom_logs schema: - $ref: '#/components/schemas/Cases_update_case_request' + additionalProperties: false + type: object + properties: + datasets: + items: + additionalProperties: false + type: object + properties: + name: + type: string + type: + enum: + - logs + - metrics + - traces + - synthetics + - profiling + type: string + required: + - name + - type + maxItems: 10 + type: array + force: + type: boolean + integrationName: + type: string + required: + - integrationName + - datasets responses: '200': content: application/json: examples: - updateCaseResponse: - $ref: '#/components/examples/Cases_update_case_response' + postCreateCustomIntegrationExample: + description: Custom integration successfully created + value: + _meta: + install_source: custom + items: + - id: my_custom_logs-logs-my_custom_logs.access + type: index_template schema: - items: - $ref: '#/components/schemas/Cases_case_response_properties' - type: array - description: Indicates a successful call. 
- '401': + additionalProperties: false + type: object + properties: + _meta: + additionalProperties: false + type: object + properties: + install_source: + type: string + name: + type: string + required: + - install_source + - name + items: + items: + anyOf: + - additionalProperties: false + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + - additionalProperties: false + type: object + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + maxItems: 10000 + type: array + required: + - items + - _meta + description: Successful response + '400': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. 
- summary: Update cases + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create a custom integration tags: - - cases - post: - description: > - You must have `all` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the - Kibana feature privileges, depending on the owner of the case you're - creating. - operationId: createCaseDefaultSpace + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/custom_integrations/{pkgName}: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/epm/custom_integrations/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update the datasets of an existing custom integration package.

[Required authorization] Route required privileges: fleet-settings-all AND integrations-all. + operationId: put-fleet-epm-custom-integrations-pkgname parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: pkgName + required: true + schema: + type: string requestBody: content: application/json: examples: - createCaseRequest: - $ref: '#/components/examples/Cases_create_case_request' + putUpdateCustomIntegrationRequestExample: + description: Update a custom integration + value: + datasets: + - name: my_custom_logs.access + type: logs + integrationName: my_custom_logs schema: - $ref: '#/components/schemas/Cases_create_case_request' - required: true + additionalProperties: false + type: object + properties: + categories: + items: + type: string + maxItems: 10 + type: array + readMeData: + type: string + required: + - readMeData responses: '200': content: application/json: examples: - createCaseResponse: - $ref: '#/components/examples/Cases_create_case_response' - schema: - $ref: '#/components/schemas/Cases_case_response_properties' - description: Indicates a successful call. - '401': + putUpdateCustomIntegrationExample: + description: Custom integration successfully updated + value: {} + description: Successful response + '400': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. 
- summary: Create a case + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Update a custom integration tags: - - cases - /api/cases/_find: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/data_streams: get: - description: > - You must have `read` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the cases you're seeking. - operationId: findCasesDefaultSpace + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/data_streams
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of data streams created by installed integration packages.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-data-streams parameters: - - $ref: '#/components/parameters/Cases_assignees_filter' - - $ref: '#/components/parameters/Cases_category' - - $ref: '#/components/parameters/Cases_defaultSearchOperator' - - $ref: '#/components/parameters/Cases_from' - - $ref: '#/components/parameters/Cases_owner_filter' - - $ref: '#/components/parameters/Cases_page_index' - - $ref: '#/components/parameters/Cases_page_size' - - $ref: '#/components/parameters/Cases_reporters' - - $ref: '#/components/parameters/Cases_search' - - $ref: '#/components/parameters/Cases_searchFields' - - $ref: '#/components/parameters/Cases_severity' - - $ref: '#/components/parameters/Cases_sortField' - - $ref: '#/components/parameters/Cases_sort_order' - - $ref: '#/components/parameters/Cases_status' - - $ref: '#/components/parameters/Cases_tags' - - $ref: '#/components/parameters/Cases_to' + - in: query + name: type + required: false + schema: + enum: + - logs + - metrics + - traces + - synthetics + - profiling + type: string + - in: query + name: datasetQuery + required: false + schema: + type: string + - in: query + name: sortOrder + required: false + schema: + default: asc + enum: + - asc + - desc + type: string + - in: query + name: uncategorisedOnly + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - findCaseResponse: - $ref: '#/components/examples/Cases_find_case_response' + getDataStreamsExample: + description: List of data streams from installed packages + value: + data_streams: + - ilm_policy: logs-default + index_template: logs-system.syslog + name: logs-system.syslog-default + package: system + package_version: 1.55.0 + title: System syslog logs schema: + additionalProperties: false type: object properties: - cases: + items: items: - $ref: '#/components/schemas/Cases_case_response_properties' + 
additionalProperties: false + type: object + properties: + name: + type: string + required: + - name maxItems: 10000 type: array - count_closed_cases: - type: integer - count_in_progress_cases: - type: integer - count_open_cases: - type: integer - page: - type: integer - per_page: - type: integer - total: - type: integer - description: Indicates a successful call. - '401': + required: + - items + description: Successful response + '400': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Search cases + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get data streams tags: - - cases - /api/cases/{caseId}: + - Data streams + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages: get: - description: > - Returns case details. The response does not include a comments - property; use the find case comments API to retrieve comments. The - totalComment field reflects the actual number of user comments on the - case. You must have `read` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the case you're seeking. - operationId: getCaseDefaultSpace + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of integration packages available in the registry.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages parameters: - - $ref: '#/components/parameters/Cases_case_id' + - in: query + name: category + required: false + schema: + type: string + - in: query + name: prerelease + required: false + schema: + type: boolean + - in: query + name: excludeInstallStatus + required: false + schema: + type: boolean + - in: query + name: withPackagePoliciesCount + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - getDefaultCaseResponse: - $ref: '#/components/examples/Cases_get_case_response' - getDefaultObservabilityCaseResponse: - $ref: '#/components/examples/Cases_get_case_observability_response' + getPackagesExample: + description: List of available integration packages + value: + items: + - categories: + - cloud + description: Collect logs and metrics from Amazon Web Services + id: aws + name: aws + status: not_installed + title: AWS + version: 2.10.0 + searchExcluded: 0 + total: 1 schema: - $ref: '#/components/schemas/Cases_case_response_get_case' - description: Indicates a successful call. 
- '401': + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: true + type: object + properties: + categories: + items: + type: string + maxItems: 100 + type: array + conditions: + additionalProperties: true + type: object + properties: + deprecated: + additionalProperties: true + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + elastic: + additionalProperties: true + type: object + properties: + capabilities: + items: + type: string + maxItems: 10 + type: array + subscription: + type: string + kibana: + additionalProperties: true + type: object + properties: + version: + type: string + data_streams: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + deprecated: + additionalProperties: true + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + description: + type: string + discovery: + additionalProperties: true + type: object + properties: + datasets: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + fields: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + download: + type: string + format_version: + type: string + icons: + items: + additionalProperties: true + type: object + properties: + dark_mode: + type: boolean + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + maxItems: 100 + type: array + id: + type: string + installationInfo: + additionalProperties: true + type: object + properties: + additional_spaces_installed_kibana: + 
additionalProperties: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + maxItems: 100 + type: array + type: object + created_at: + type: string + experimental_data_stream_features: + items: + additionalProperties: true + type: object + properties: + data_stream: + type: string + features: + additionalProperties: true + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + install_format_schema_version: + type: string + install_source: + enum: + - registry + - upload + - bundled + - custom + type: string + install_status: + enum: + - installed + - installing + - install_failed + type: string + installed_es: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + maxItems: 10000 + type: array + installed_kibana: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: 
+ - id + - type + maxItems: 10000 + type: array + installed_kibana_space_id: + type: string + is_rollback_ttl_expired: + type: boolean + latest_executed_state: + additionalProperties: true + type: object + properties: + error: + type: string + name: + type: string + started_at: + type: string + latest_install_failed_attempts: + items: + additionalProperties: true + type: object + properties: + created_at: + type: string + error: + additionalProperties: true + type: object + properties: + message: + type: string + name: + type: string + stack: + type: string + required: + - name + - message + target_version: + type: string + required: + - created_at + - target_version + - error + maxItems: 10 + type: array + name: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: array + previous_version: + nullable: true + type: string + rolled_back: + type: boolean + type: + type: string + updated_at: + type: string + verification_key_id: + nullable: true + type: string + verification_status: + enum: + - unverified + - verified + - unknown + type: string + version: + type: string + required: + - type + - installed_kibana + - installed_es + - name + - version + - install_status + - install_source + - verification_status + integration: + type: string + internal: + type: boolean + latestVersion: + type: string + name: + type: string + owner: + additionalProperties: true + type: object + properties: + github: + type: string + type: + enum: + - elastic + - partner + - community + type: string + path: + type: string + policy_templates: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + readme: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + signature_path: + type: string + source: + additionalProperties: true + type: object + properties: + license: + type: string + required: + - license + status: + type: string + title: + type: string + type: + anyOf: + - enum: + - integration + 
type: string + - enum: + - input + type: string + - enum: + - content + type: string + - type: string + var_groups: + items: + additionalProperties: true + type: object + properties: + description: + type: string + name: + type: string + options: + items: + additionalProperties: true + type: object + properties: + description: + type: string + hide_in_deployment_modes: + items: + enum: + - default + - agentless + type: string + maxItems: 2 + type: array + name: + type: string + title: + type: string + vars: + items: + type: string + maxItems: 100 + type: array + required: + - name + - title + - vars + maxItems: 100 + type: array + selector_title: + type: string + title: + type: string + required: + - name + - title + - selector_title + - options + maxItems: 100 + type: array + vars: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + version: + type: string + required: + - name + - version + - title + - id + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. 
- summary: Get case information + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get packages tags: - - cases - /api/cases/{caseId}/alerts: - get: - description: > - You must have `read` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the cases you're seeking. - operationId: getCaseAlertsDefaultSpace + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install a package by uploading a .zip or .tar.gz archive (max 100MB). Only available to superusers.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages parameters: - - $ref: '#/components/parameters/Cases_case_id' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: query + name: ignoreMappingUpdateErrors + required: false + schema: + default: false + type: boolean + - in: query + name: skipDataStreamRollover + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/gzip: + examples: + postInstallByUploadRequestExample: + description: Upload a .zip or .tar.gz package archive (max 100MB) + value: + application/gzip; application/zip: + schema: + format: binary + type: string responses: '200': content: - application/json: - examples: - getCaseAlertsResponse: - $ref: '#/components/examples/Cases_get_case_alerts_response' + application/gzip; application/zip: schema: - items: - $ref: '#/components/schemas/Cases_alert_response_properties' - type: array - description: Indicates a successful call. 
- '401': - content: + additionalProperties: false + type: object + properties: + _meta: + additionalProperties: false + type: object + properties: + install_source: + type: string + name: + type: string + required: + - install_source + - name + items: + items: + anyOf: + - additionalProperties: false + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + - additionalProperties: false + type: object + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + maxItems: 10000 + type: array + required: + - items + - _meta application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Get all alerts for a case - tags: - - cases - x-state: Technical preview - /api/cases/{caseId}/comments: - delete: - description: > - Deletes all comments and alerts from a case. You must have `all` - privileges for the **Cases** feature in the **Management**, - **Observability**, or **Security** section of the Kibana feature - privileges, depending on the owner of the cases you're deleting. - operationId: deleteCaseCommentsDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_case_id' - responses: - '204': - description: Indicates a successful call. 
- '401': + postInstallByUploadExample: + description: Package successfully installed from upload + value: + _meta: + install_source: upload + items: + - id: my-custom-package-logs-default + type: index_template + description: Successful response + '400': content: + application/gzip; application/zip: + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Delete all case comments and alerts + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + description: Bad Request + summary: Install a package by upload tags: - - cases - x-codeSamples: - - label: curl - lang: curl - source: | - curl \ - --request DELETE 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments' \ - --header "Authorization: $API_KEY" \ - --header "kbn-xsrf: true" - - label: Console - lang: console - source: | - DELETE kbn:/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments - patch: - description: > - You must have `all` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the case you're updating. - NOTE: You cannot change the comment type or the owner of a comment. 
- operationId: updateCaseCommentDefaultSpace + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/_bulk: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/_bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install multiple packages from the Elastic Package Registry in a single request.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_case_id' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: query + name: prerelease + required: false + schema: + type: boolean requestBody: content: application/json: examples: - updateCaseCommentRequest: - $ref: '#/components/examples/Cases_update_comment_request' + postBulkInstallPackagesRequestExample: + description: Install multiple packages from the registry + value: + packages: + - system + - aws schema: - $ref: '#/components/schemas/Cases_update_case_comment_request' - required: true + additionalProperties: false + type: object + properties: + force: + default: false + type: boolean + packages: + items: + anyOf: + - type: string + - additionalProperties: false + type: object + properties: + name: + type: string + prerelease: + type: boolean + version: + type: string + required: + - name + - version + maxItems: 1000 + minItems: 1 + type: array + required: + - packages responses: '200': content: application/json: examples: - updateCaseCommentResponse: - $ref: '#/components/examples/Cases_update_comment_response' + postBulkInstallPackagesExample: + description: Bulk install results + value: + items: + - name: system + result: + assets: [] + status: installed + - name: aws + result: + assets: [] + status: installed schema: - $ref: '#/components/schemas/Cases_case_response_properties' - description: Indicates a successful call. 
- '401': + additionalProperties: false + type: object + properties: + items: + items: + anyOf: + - additionalProperties: false + type: object + properties: + name: + type: string + result: + additionalProperties: false + type: object + properties: + assets: + items: + anyOf: + - additionalProperties: false + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + - additionalProperties: false + type: object + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + maxItems: 10000 + type: array + error: + nullable: true + installSource: + type: string + installType: + type: string + status: + enum: + - installed + - already_installed + type: string + required: + - error + - installType + version: + type: string + required: + - name + - version + - result + - additionalProperties: false + type: object + properties: + error: + anyOf: + - type: string + - nullable: true + name: + type: string + statusCode: + type: number + required: + - name + - statusCode + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Cases_response_4xx' 
- description: Authorization information is missing or invalid. - summary: Update a case comment or alert + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk install packages tags: - - cases + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/_bulk_rollback: post: - description: > - You must have `all` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the case you're creating. - NOTE: Each case can have a maximum of 1,000 alerts. - operationId: addCaseCommentDefaultSpace + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/_bulk_rollback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rollback multiple packages to their previous versions.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-rollback parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_case_id' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - createCaseCommentRequest: - $ref: '#/components/examples/Cases_add_comment_request' + bulkRollbackRequest: + value: + packages: + - name: system schema: - $ref: '#/components/schemas/Cases_add_case_comment_request' - required: true + additionalProperties: false + type: object + properties: + packages: + items: + additionalProperties: false + type: object + properties: + name: + description: Package name to rollback + type: string + required: + - name + maxItems: 1000 + minItems: 1 + type: array + required: + - packages responses: '200': content: application/json: examples: - createCaseCommentResponse: - $ref: '#/components/examples/Cases_add_comment_response' + successResponse: + value: + taskId: taskId schema: - $ref: '#/components/schemas/Cases_case_response_properties' - description: Indicates a successful call. - '401': + additionalProperties: false + type: object + properties: + taskId: + type: string + required: + - taskId + description: 'OK: A successful request.' + '400': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + badRequestResponse: + value: + message: Bad Request schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. 
- summary: Add a case comment or alert + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Bulk rollback packages tags: - - cases - /api/cases/{caseId}/comments/_find: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/_bulk_rollback/{taskId}: get: - description: > - Retrieves a paginated list of comments for a case. You must have `read` - privileges for the **Cases** feature in the **Management**, - **Observability**, or **Security** section of the Kibana feature - privileges, depending on the owner of the cases with the comments you're - seeking. - operationId: findCaseCommentsDefaultSpace + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/_bulk_rollback/{taskId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the status and results of a bulk package rollback operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: get-fleet-epm-packages-bulk-rollback-taskid parameters: - - $ref: '#/components/parameters/Cases_case_id' - - $ref: '#/components/parameters/Cases_page_index' - - $ref: '#/components/parameters/Cases_page_size' - - $ref: '#/components/parameters/Cases_sort_order' + - description: Task ID of the bulk operation + in: path + name: taskId + required: true + schema: + type: string responses: '200': content: application/json: examples: - findCaseCommentsResponse: - $ref: '#/components/examples/Cases_find_case_comments_response' - schema: - $ref: '#/components/schemas/Cases_find_comments_response' - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' + successResponse: + value: + status: success schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Find case comments - tags: - - cases - /api/cases/{caseId}/comments/{commentId}: - delete: - description: > - You must have `all` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the cases you're deleting. - operationId: deleteCaseCommentDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_case_id' - - $ref: '#/components/parameters/Cases_comment_id' - responses: - '204': - description: Indicates a successful call. 
- '401': + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + results: + items: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + name: + type: string + success: + type: boolean + required: + - name + - success + maxItems: 10000 + type: array + status: + type: string + required: + - status + description: 'OK: A successful request.' + '400': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + badRequestResponse: + value: + message: Bad Request schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Delete a case comment or alert + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Get Bulk rollback packages details tags: - - cases - x-codeSamples: - - label: curl - lang: curl - source: | - curl \ - --request DELETE 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2' \ - --header "Authorization: $API_KEY" \ - --header "kbn-xsrf: true" - - label: Console - lang: console - source: > - DELETE - kbn:/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2 - get: - description: > - You must have `read` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the cases with the - comments you're seeking. 
- operationId: getCaseCommentDefaultSpace + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/_bulk_uninstall: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uninstall multiple packages in a single operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-uninstall parameters: - - $ref: '#/components/parameters/Cases_case_id' - - $ref: '#/components/parameters/Cases_comment_id' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkUninstallPackagesRequestExample: + description: Uninstall multiple packages + value: + packages: + - name: aws + - name: gcp + schema: + additionalProperties: false + type: object + properties: + force: + default: false + type: boolean + packages: + items: + additionalProperties: false + type: object + properties: + name: + type: string + version: + type: string + required: + - name + - version + maxItems: 1000 + minItems: 1 + type: array + required: + - packages responses: '200': content: application/json: examples: - getCaseCommentResponse: - $ref: '#/components/examples/Cases_get_comment_response' + postBulkUninstallPackagesExample: + description: Bulk uninstall task initiated + value: + taskId: task-id-1 schema: - oneOf: - - $ref: >- - #/components/schemas/Cases_alert_comment_response_properties - - $ref: >- - #/components/schemas/Cases_user_comment_response_properties - description: Indicates a successful call. - '401': + additionalProperties: false + type: object + properties: + taskId: + type: string + required: + - taskId + description: Successful response + '400': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. 
- summary: Get a case comment or alert + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk uninstall packages tags: - - cases - /api/cases/{caseId}/connector/{connectorId}/_push: - post: - description: > - You must have `all` privileges for the **Actions and Connectors** - feature in the **Management** section of the Kibana feature privileges. - You must also have `all` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the case you're pushing. - operationId: pushCaseDefaultSpace + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/_bulk_uninstall/{taskId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall/{taskId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the status and results of a bulk package uninstall operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: get-fleet-epm-packages-bulk-uninstall-taskid parameters: - - $ref: '#/components/parameters/Cases_case_id' - - $ref: '#/components/parameters/Cases_connector_id' - - $ref: '#/components/parameters/Cases_kbn_xsrf' - requestBody: - content: - application/json: - examples: - pushCaseRequest: - summary: >- - Push a case to an external service. No request body is - required. - value: null - schema: - nullable: true - type: object + - description: Task ID of the bulk operation + in: path + name: taskId + required: true + schema: + type: string responses: '200': content: application/json: examples: - pushCaseResponse: - $ref: '#/components/examples/Cases_push_case_response' + getBulkOperationDetailsExample: + description: Details of the bulk operation task + value: + packages: + - name: system + result: installed + - name: elastic_agent + result: installed + status: success schema: - $ref: '#/components/schemas/Cases_case_response_properties' - description: Indicates a successful call. 
- '401': + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + results: + items: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + name: + type: string + success: + type: boolean + required: + - name + - success + maxItems: 10000 + type: array + status: + type: string + required: + - status + description: Successful response + '400': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Push a case to an external service + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get Bulk uninstall packages details tags: - - cases - /api/cases/{caseId}/files: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/_bulk_upgrade: post: - description: > - Attach a file to a case. You must have `all` privileges for the - **Cases** feature in the **Management**, **Observability**, or - **Security** section of the Kibana feature privileges, depending on the - owner of the case you're updating. The request must include: + description: |- + **Spaces method and path for this operation:** - - The `Content-Type: multipart/form-data` HTTP header. +
post /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade
- - The location of the file that is being uploaded. - operationId: addCaseFileDefaultSpace + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upgrade multiple packages to their latest versions.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-upgrade parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_case_id' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: - multipart/form-data: + application/json: examples: - addCaseFileRequest: - summary: Attach a plain text file named "my_attachment". + postBulkUpgradePackagesRequestExample: + description: Upgrade multiple packages to their latest versions value: - filename: my_attachment + packages: + - name: system + - name: elastic_agent schema: - $ref: '#/components/schemas/Cases_add_case_file_request' - required: true + additionalProperties: false + type: object + properties: + force: + default: false + type: boolean + packages: + items: + additionalProperties: false + type: object + properties: + name: + type: string + version: + type: string + required: + - name + maxItems: 1000 + minItems: 1 + type: array + prerelease: + type: boolean + upgrade_package_policies: + default: false + type: boolean + required: + - packages responses: '200': content: application/json: examples: - addCaseFileResponse: - $ref: '#/components/examples/Cases_add_comment_response' + postBulkUpgradePackagesExample: + description: Bulk upgrade task initiated + value: + taskId: task-id-1 schema: - $ref: '#/components/schemas/Cases_case_response_properties' - description: Indicates a successful call. 
- '401': + additionalProperties: false + type: object + properties: + taskId: + type: string + required: + - taskId + description: Successful response + '400': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Attach a file to a case + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk upgrade packages tags: - - cases - x-codeSamples: - - label: curl - lang: curl - source: | - curl \ - --request POST 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/files' \ - --header "Authorization: $API_KEY" \ - --header "kbn-xsrf: true" \ - --form "file=@/path/to/my_attachment.txt" \ - --form "filename=my_attachment" - /api/cases/{caseId}/user_actions/_find: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/_bulk_upgrade/{taskId}: get: - description: > - Retrieves a paginated list of user activity for a case. You must have - `read` privileges for the **Cases** feature in the **Management**, - **Observability**, or **Security** section of the Kibana feature - privileges, depending on the owner of the case you're seeking. - operationId: findCaseActivityDefaultSpace + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade/{taskId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the status and results of a bulk package upgrade operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: get-fleet-epm-packages-bulk-upgrade-taskid parameters: - - $ref: '#/components/parameters/Cases_case_id' - - $ref: '#/components/parameters/Cases_page_index' - - $ref: '#/components/parameters/Cases_page_size' - - $ref: '#/components/parameters/Cases_sort_order' - - $ref: '#/components/parameters/Cases_user_action_types' + - description: Task ID of the bulk operation + in: path + name: taskId + required: true + schema: + type: string responses: '200': content: application/json: examples: - findCaseActivityResponse: - $ref: '#/components/examples/Cases_find_case_activity_response' + getBulkOperationDetailsExample: + description: Details of the bulk operation task + value: + packages: + - name: system + result: installed + - name: elastic_agent + result: installed + status: success schema: + additionalProperties: false type: object properties: - page: - type: integer - perPage: - type: integer - total: - type: integer - userActions: + error: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + results: items: - $ref: >- - #/components/schemas/Cases_user_actions_find_response_properties + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + name: + type: string + success: + type: boolean + required: + - name + - success maxItems: 10000 type: array - description: Indicates a successful call. 
- '401': + status: + type: string + required: + - status + description: Successful response + '400': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Find case activity + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get Bulk upgrade packages details tags: - - cases - /api/cases/alerts/{alertId}: - get: - description: > - You must have `read` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the cases you're seeking. - operationId: getCasesByAlertDefaultSpace + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uninstall a package and remove all its assets.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname parameters: - - $ref: '#/components/parameters/Cases_alert_id' - - $ref: '#/components/parameters/Cases_owner_filter' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: pkgName + required: true + schema: + type: string + - in: query + name: force + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - getCasesByAlertResponse: - summary: Cases associated with a given alert. + deletePackageExample: + description: Package successfully deleted value: - - createdAt: '2020-02-19T23:06:33.798Z' - description: Investigating suspicious activity - id: 06116b80-e1c3-11ec-be9b-9b1838238ee6 - status: open - title: security_case - totals: - alerts: 1 - events: 0 - userComments: 0 + items: + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template schema: - items: - $ref: '#/components/schemas/Cases_related_case' - maxItems: 10000 - type: array - description: Indicates a successful call. 
- '401': + additionalProperties: false + type: object + properties: + items: + items: + anyOf: + - additionalProperties: false + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + - additionalProperties: false + type: object + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. 
- summary: Get cases for an alert + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete a package tags: - - cases - x-state: Technical preview - /api/cases/configure: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name get: - description: > - Get setting details such as the closure type, custom fields, templates, - and the default connector for cases. You must have `read` privileges for - the **Cases** feature in the **Management**, **Observability**, or - **Security** section of the Kibana feature privileges, depending on - where the cases were created. - operationId: getCaseConfigurationDefaultSpace + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get information about a package by name, returning the latest installed or available version. + operationId: get-fleet-epm-packages-pkgname parameters: - - $ref: '#/components/parameters/Cases_owner_filter' + - in: path + name: pkgName + required: true + schema: + type: string + - in: query + name: ignoreUnverified + required: false + schema: + type: boolean + - in: query + name: prerelease + required: false + schema: + type: boolean + - in: query + name: full + required: false + schema: + type: boolean + - in: query + name: withMetadata + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - getConfigurationResponse: - $ref: '#/components/examples/Cases_get_case_configuration_response' + getPackageInfoExample: + description: Package details and installation status + value: + item: + assets: + kibana: + dashboard: [] + index_pattern: [] + categories: + - cloud + description: Collect logs and metrics from Amazon Web Services + name: aws + status: installed + title: AWS + version: 2.10.0 schema: - items: - type: object - properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: - type: object - properties: - fields: - description: >- - The fields specified in the case configuration are - not used and are not propagated to individual cases, - therefore it is recommended to set it to `null`. - nullable: true + additionalProperties: false + type: object + properties: + item: + additionalProperties: true + type: object + properties: + agent: + additionalProperties: false + type: object + properties: + privileges: + additionalProperties: false + type: object + properties: + root: + type: boolean + asset_tags: + items: + additionalProperties: false type: object - id: - description: >- - The identifier for the connector. If you do not want - a default connector, use `none`. 
To retrieve - connector IDs, use the find connectors API. - example: none - type: string - name: - description: >- - The name of the connector. If you do not want a - default connector, use `none`. To retrieve connector - names, use the find connectors API. - example: none - type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - created_at: - example: '2022-06-01T17:07:17.767Z' - format: date-time - type: string - created_by: - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null + properties: + asset_ids: + items: + type: string + maxItems: 1000 + type: array + asset_types: + items: + type: string + maxItems: 100 + type: array + text: + type: string + required: + - text + maxItems: 1000 + type: array + assets: + additionalProperties: nullable: true + type: object + categories: + items: type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic + maxItems: 100 + type: array + conditions: + additionalProperties: true + type: object + properties: + deprecated: + additionalProperties: true + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + elastic: + additionalProperties: true + type: object + properties: + capabilities: + items: + type: string + maxItems: 10 + type: array + subscription: + type: string + kibana: + additionalProperties: true + type: object + properties: + version: + type: string + data_streams: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + deprecated: + additionalProperties: true + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + description: + type: string + discovery: + 
additionalProperties: true + type: object + properties: + datasets: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + fields: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + download: + type: string + elasticsearch: + additionalProperties: nullable: true - type: string - required: - - email - - full_name - - username - customFields: - description: Custom fields configuration details. - items: + type: object + format_version: + type: string + icons: + items: + additionalProperties: true + type: object + properties: + dark_mode: + type: boolean + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + maxItems: 100 + type: array + installationInfo: + additionalProperties: true type: object properties: - defaultValue: - description: > - A default value for the custom field. If the - `type` is `text`, the default value must be a - string. If the `type` is `toggle`, the default - value must be boolean. - oneOf: - - type: string - - type: boolean - key: - description: > - A unique key for the custom field. Must be lower - case and composed only of a-z, 0-9, '_', and '-' - characters. It is used in API calls to refer to a - specific custom field. 
- maxLength: 36 - minLength: 1 + additional_spaces_installed_kibana: + additionalProperties: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + maxItems: 100 + type: array + type: object + created_at: type: string - label: - description: >- - The custom field label that is displayed in the - case. - maxLength: 50 - minLength: 1 + experimental_data_stream_features: + items: + additionalProperties: true + type: object + properties: + data_stream: + type: string + features: + additionalProperties: true + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + install_format_schema_version: type: string - type: - description: The type of the custom field. + install_source: enum: - - text - - toggle + - registry + - upload + - bundled + - custom type: string - required: - description: > - Indicates whether the field is required. If - `false`, the custom field can be set to null or - omitted when a case is created or updated. 
+ install_status: + enum: + - installed + - installing + - install_failed + type: string + installed_es: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + maxItems: 10000 + type: array + installed_kibana: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + maxItems: 10000 + type: array + installed_kibana_space_id: + type: string + is_rollback_ttl_expired: type: boolean - type: array - error: - example: null - nullable: true - type: string - id: - example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 - type: string - mappings: - items: + latest_executed_state: + additionalProperties: true + type: object + properties: + error: + type: string + name: + type: string + started_at: + type: string + latest_install_failed_attempts: + items: + additionalProperties: true + type: object + properties: + created_at: + type: string + error: + additionalProperties: true + type: object + properties: + message: + type: string + name: + type: string + stack: + type: string + required: + - name + - message + target_version: + type: string + required: + - created_at + - target_version + - error + maxItems: 10 + type: array + name: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: array + previous_version: + nullable: true + type: string + rolled_back: + type: boolean + type: + type: 
string + updated_at: + type: string + verification_key_id: + nullable: true + type: string + verification_status: + enum: + - unverified + - verified + - unknown + type: string + version: + type: string + required: + - type + - installed_kibana + - installed_es + - name + - version + - install_status + - install_source + - verification_status + internal: + type: boolean + keepPoliciesUpToDate: + type: boolean + latestVersion: + type: string + license: + type: string + licensePath: + type: string + name: + type: string + notice: + type: string + owner: + additionalProperties: true type: object properties: - action_type: - example: overwrite - type: string - source: - example: title + github: type: string - target: - example: summary + type: + enum: + - elastic + - partner + - community type: string - type: array - observableTypes: - description: Custom observable type configuration details. - items: + path: + type: string + policy_templates: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + readme: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + screenshots: + items: + additionalProperties: false + type: object + properties: + dark_mode: + type: boolean + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + maxItems: 100 + type: array + signature_path: + type: string + source: + additionalProperties: true type: object properties: - key: - description: The observable type key. - example: d312efda-ec2b-42ec-9e2c-84981795c581 + license: type: string - label: - description: The observable type label. 
- example: My observable type + required: + - license + status: + type: string + title: + type: string + type: + anyOf: + - enum: + - integration type: string - type: array - owner: - $ref: '#/components/schemas/Cases_owner' - templates: - $ref: '#/components/schemas/Cases_templates' - updated_at: - example: '2022-06-01T19:58:48.169Z' - format: date-time - nullable: true - type: string - updated_by: - nullable: true - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - version: - example: WzIwNzMsMV0= - type: string - type: array - description: Indicates a successful call. - '401': + - enum: + - input + type: string + - enum: + - content + type: string + - type: string + var_groups: + items: + additionalProperties: true + type: object + properties: + description: + type: string + name: + type: string + options: + items: + additionalProperties: true + type: object + properties: + description: + type: string + hide_in_deployment_modes: + items: + enum: + - default + - agentless + type: string + maxItems: 2 + type: array + name: + type: string + title: + type: string + vars: + items: + type: string + maxItems: 100 + type: array + required: + - name + - title + - vars + maxItems: 100 + type: array + selector_title: + type: string + title: + type: string + required: + - name + - title + - selector_title + - options + maxItems: 100 + type: array + vars: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + version: + type: string + required: + - name + - version + - title + - assets + metadata: + additionalProperties: false + type: object + properties: + has_policies: + type: boolean + required: + - has_policies + required: + - item + 
description: Successful response + '400': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Get case settings + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get a package tags: - - cases + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name post: - description: > - Case settings include external connection details, custom fields, and - templates. Connectors are used to interface with external systems. You - must create a connector before you can use it in your cases. If you set - a default connector, it is automatically selected when you create cases - in Kibana. If you use the create case API, however, you must still - specify all of the connector details. You must have `all` privileges for - the **Cases** feature in the **Management**, **Observability**, or - **Security** section of the Kibana feature privileges, depending on - where you are creating cases. - operationId: setCaseConfigurationDefaultSpace + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install the latest version of a package from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: pkgName + required: true + schema: + type: string + - in: query + name: prerelease + required: false + schema: + type: boolean + - in: query + name: ignoreMappingUpdateErrors + required: false + schema: + default: false + type: boolean + - in: query + name: skipDataStreamRollover + required: false + schema: + default: false + type: boolean + - description: Skip dependency validation when installing a package with dependencies + in: query + name: skipDependencyCheck + required: false + schema: + default: false + type: boolean requestBody: content: application/json: examples: - setCaseConfigRequest: - $ref: '#/components/examples/Cases_set_case_configuration_request' + postInstallPackageRequestExample: + description: Install a package, optionally ignoring constraints + value: + ignore_constraints: false schema: - $ref: '#/components/schemas/Cases_set_case_configuration_request' + additionalProperties: false + nullable: true + type: object + properties: + force: + default: false + type: boolean + ignore_constraints: + default: false + type: boolean responses: '200': content: application/json: examples: - setCaseConfigResponse: - $ref: '#/components/examples/Cases_set_case_configuration_response' + postInstallPackageExample: + description: Package successfully installed + value: + _meta: + install_source: registry + items: + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template schema: + additionalProperties: false type: object properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: + _meta: + additionalProperties: false type: object 
properties: - fields: - description: >- - The fields specified in the case configuration are not - used and are not propagated to individual cases, - therefore it is recommended to set it to `null`. - nullable: true - type: object - id: - description: >- - The identifier for the connector. If you do not want a - default connector, use `none`. To retrieve connector - IDs, use the find connectors API. - example: none + install_source: type: string name: - description: >- - The name of the connector. If you do not want a - default connector, use `none`. To retrieve connector - names, use the find connectors API. - example: none - type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - created_at: - example: '2022-06-01T17:07:17.767Z' - format: date-time - type: string - created_by: - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true type: string required: - - email - - full_name - - username - customFields: - description: Custom fields configuration details. - items: - type: object - properties: - defaultValue: - description: > - A default value for the custom field. If the `type` - is `text`, the default value must be a string. If - the `type` is `toggle`, the default value must be - boolean. - oneOf: - - type: string - - type: boolean - key: - description: > - A unique key for the custom field. Must be lower - case and composed only of a-z, 0-9, '_', and '-' - characters. It is used in API calls to refer to a - specific custom field. - maxLength: 36 - minLength: 1 - type: string - label: - description: >- - The custom field label that is displayed in the - case. - maxLength: 50 - minLength: 1 - type: string - type: - description: The type of the custom field. 
- enum: - - text - - toggle - type: string - required: - description: > - Indicates whether the field is required. If `false`, - the custom field can be set to null or omitted when - a case is created or updated. - type: boolean - type: array - error: - example: null - nullable: true - type: string - id: - example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 - type: string - mappings: - items: - type: object - properties: - action_type: - example: overwrite - type: string - source: - example: title - type: string - target: - example: summary - type: string - type: array - observableTypes: - description: Custom observable type configuration details. + - install_source + - name + items: items: - type: object - properties: - key: - description: The observable type key. - example: d312efda-ec2b-42ec-9e2c-84981795c581 - type: string - label: - description: The observable type label. - example: My observable type - type: string + anyOf: + - additionalProperties: false + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + - additionalProperties: false + type: object + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + maxItems: 10000 type: array - owner: - $ref: '#/components/schemas/Cases_owner' - templates: - $ref: '#/components/schemas/Cases_templates' - updated_at: - example: '2022-06-01T19:58:48.169Z' - format: date-time - nullable: true - type: string - updated_by: - nullable: true - 
type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - version: - example: WzIwNzMsMV0= - type: string - description: Indicates a successful call. - '401': + required: + - items + - _meta + description: Successful response + '400': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Add case settings + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Install a package from the registry tags: - - cases - /api/cases/configure/{configurationId}: - patch: - description: > - Updates setting details such as the closure type, custom fields, - templates, and the default connector for cases. Connectors are used to - interface with external systems. You must create a connector before you - can use it in your cases. You must have `all` privileges for the - **Cases** feature in the **Management**, **Observability**, or - **Security** section of the Kibana feature privileges, depending on - where the case was created. 
- operationId: updateCaseConfigurationDefaultSpace + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/epm/packages/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update settings for a package, such as whether policies are kept up to date automatically.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: put-fleet-epm-packages-pkgname parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_configuration_id' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: pkgName + required: true + schema: + type: string requestBody: content: application/json: examples: - updateCaseConfigurationRequest: - $ref: '#/components/examples/Cases_update_case_configuration_request' + putUpdatePackageRequestExample: + description: Update keep_policies_up_to_date setting for a package + value: + keepPoliciesUpToDate: true schema: - $ref: '#/components/schemas/Cases_update_case_configuration_request' + additionalProperties: false + type: object + properties: + keepPoliciesUpToDate: + type: boolean + required: + - keepPoliciesUpToDate responses: '200': content: application/json: examples: - updateCaseConfigurationResponse: - $ref: >- - #/components/examples/Cases_update_case_configuration_response + putUpdatePackageExample: + description: Updated package settings + value: + item: + keepPoliciesUpToDate: true + name: aws + version: 2.10.0 schema: + additionalProperties: false type: object properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: + item: + additionalProperties: true type: object properties: - fields: - description: >- - The fields specified in the case configuration are not - used and are not propagated to individual cases, - therefore it is recommended to set it to `null`. - nullable: true + agent: + additionalProperties: false type: object - id: - description: >- - The identifier for the connector. If you do not want a - default connector, use `none`. To retrieve connector - IDs, use the find connectors API. 
- example: none + properties: + privileges: + additionalProperties: false + type: object + properties: + root: + type: boolean + asset_tags: + items: + additionalProperties: false + type: object + properties: + asset_ids: + items: + type: string + maxItems: 1000 + type: array + asset_types: + items: + type: string + maxItems: 100 + type: array + text: + type: string + required: + - text + maxItems: 1000 + type: array + assets: + additionalProperties: + nullable: true + type: object + categories: + items: + type: string + maxItems: 100 + type: array + conditions: + additionalProperties: true + type: object + properties: + deprecated: + additionalProperties: true + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + elastic: + additionalProperties: true + type: object + properties: + capabilities: + items: + type: string + maxItems: 10 + type: array + subscription: + type: string + kibana: + additionalProperties: true + type: object + properties: + version: + type: string + data_streams: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + deprecated: + additionalProperties: true + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + description: type: string - name: - description: >- - The name of the connector. If you do not want a - default connector, use `none`. To retrieve connector - names, use the find connectors API. 
- example: none + discovery: + additionalProperties: true + type: object + properties: + datasets: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + fields: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + download: type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - created_at: - example: '2022-06-01T17:07:17.767Z' - format: date-time - type: string - created_by: - type: object - properties: - email: - example: null - nullable: true + elasticsearch: + additionalProperties: + nullable: true + type: object + format_version: type: string - full_name: - example: null - nullable: true + icons: + items: + additionalProperties: true + type: object + properties: + dark_mode: + type: boolean + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + maxItems: 100 + type: array + installationInfo: + additionalProperties: true + type: object + properties: + additional_spaces_installed_kibana: + additionalProperties: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + maxItems: 100 + type: array + type: object + created_at: + type: string + experimental_data_stream_features: + items: + additionalProperties: true + type: object + properties: + data_stream: + type: string + features: + additionalProperties: true + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + 
synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + install_format_schema_version: + type: string + install_source: + enum: + - registry + - upload + - bundled + - custom + type: string + install_status: + enum: + - installed + - installing + - install_failed + type: string + installed_es: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + maxItems: 10000 + type: array + installed_kibana: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + maxItems: 10000 + type: array + installed_kibana_space_id: + type: string + is_rollback_ttl_expired: + type: boolean + latest_executed_state: + additionalProperties: true + type: object + properties: + error: + type: string + name: + type: string + started_at: + type: string + latest_install_failed_attempts: + items: + additionalProperties: true + type: object + properties: + created_at: + type: string + error: + additionalProperties: true + type: object + properties: + message: + type: string + name: + type: string + stack: + type: string + required: + - name + - message + target_version: + type: string + required: + - created_at + - target_version + - error + maxItems: 10 + type: array + name: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: 
array + previous_version: + nullable: true + type: string + rolled_back: + type: boolean + type: + type: string + updated_at: + type: string + verification_key_id: + nullable: true + type: string + verification_status: + enum: + - unverified + - verified + - unknown + type: string + version: + type: string + required: + - type + - installed_kibana + - installed_es + - name + - version + - install_status + - install_source + - verification_status + internal: + type: boolean + keepPoliciesUpToDate: + type: boolean + latestVersion: type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + license: type: string - username: - example: elastic - nullable: true + licensePath: type: string - required: - - email - - full_name - - username - customFields: - description: Custom fields configuration details. - items: - type: object - properties: - defaultValue: - description: > - A default value for the custom field. If the `type` - is `text`, the default value must be a string. If - the `type` is `toggle`, the default value must be - boolean. - oneOf: - - type: string - - type: boolean - key: - description: > - A unique key for the custom field. Must be lower - case and composed only of a-z, 0-9, '_', and '-' - characters. It is used in API calls to refer to a - specific custom field. - maxLength: 36 - minLength: 1 - type: string - label: - description: >- - The custom field label that is displayed in the - case. - maxLength: 50 - minLength: 1 - type: string - type: - description: The type of the custom field. - enum: - - text - - toggle - type: string - required: - description: > - Indicates whether the field is required. If `false`, - the custom field can be set to null or omitted when - a case is created or updated. 
- type: boolean - type: array - error: - example: null - nullable: true - type: string - id: - example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 - type: string - mappings: - items: - type: object - properties: - action_type: - example: overwrite - type: string - source: - example: title - type: string - target: - example: summary - type: string - type: array - observableTypes: - description: Custom observable type configuration details. - items: - type: object - properties: - key: - description: The observable type key. - example: d312efda-ec2b-42ec-9e2c-84981795c581 - type: string - label: - description: The observable type label. - example: My observable type - type: string - type: array - owner: - $ref: '#/components/schemas/Cases_owner' - templates: - $ref: '#/components/schemas/Cases_templates' - updated_at: - example: '2022-06-01T19:58:48.169Z' - format: date-time - nullable: true - type: string - updated_by: - nullable: true - type: object - properties: - email: - example: null - nullable: true + name: + type: string + notice: + type: string + owner: + additionalProperties: true + type: object + properties: + github: + type: string + type: + enum: + - elastic + - partner + - community + type: string + path: type: string - full_name: - example: null - nullable: true + policy_templates: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + readme: type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + release: + enum: + - ga + - beta + - experimental type: string - username: - example: elastic - nullable: true + screenshots: + items: + additionalProperties: false + type: object + properties: + dark_mode: + type: boolean + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + maxItems: 100 + type: array + signature_path: + type: string + source: + additionalProperties: true + type: object + properties: + 
license: + type: string + required: + - license + status: + type: string + title: + type: string + type: + anyOf: + - enum: + - integration + type: string + - enum: + - input + type: string + - enum: + - content + type: string + - type: string + var_groups: + items: + additionalProperties: true + type: object + properties: + description: + type: string + name: + type: string + options: + items: + additionalProperties: true + type: object + properties: + description: + type: string + hide_in_deployment_modes: + items: + enum: + - default + - agentless + type: string + maxItems: 2 + type: array + name: + type: string + title: + type: string + vars: + items: + type: string + maxItems: 100 + type: array + required: + - name + - title + - vars + maxItems: 100 + type: array + selector_title: + type: string + title: + type: string + required: + - name + - title + - selector_title + - options + maxItems: 100 + type: array + vars: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + version: type: string required: - - email - - full_name - - username - version: - example: WzIwNzMsMV0= - type: string - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Update case settings - tags: - - cases - /api/cases/configure/connectors/_find: - get: - description: > - Get information about connectors that are supported for use in cases. - You must have `read` privileges for the **Actions and Connectors** - feature in the **Management** section of the Kibana feature privileges. 
- operationId: findCaseConnectorsDefaultSpace - responses: - '200': - content: - application/json: - examples: - findConnectorResponse: - $ref: '#/components/examples/Cases_find_connector_response' - schema: - items: - type: object - properties: - actionTypeId: - $ref: '#/components/schemas/Cases_connector_types' - config: - additionalProperties: true - type: object - properties: - apiUrl: - type: string - projectKey: - type: string - id: - type: string - isDeprecated: - type: boolean - isMissingSecrets: - type: boolean - isPreconfigured: - type: boolean - name: - type: string - referencedByCount: - type: integer - maxItems: 1000 - type: array - description: Indicates a successful call. - '401': + - name + - version + - title + - assets + required: + - item + description: Successful response + '400': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Get case connectors + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Update package settings tags: - - cases - /api/cases/reporters: - get: - description: > - Returns information about the users who opened cases. You must have read - privileges for the **Cases** feature in the **Management**, - **Observability**, or **Security** section of the Kibana feature - privileges, depending on the owner of the cases. 
The API returns - information about the users as they existed at the time of the case - creation, including their name, full name, and email address. If any of - those details change thereafter or if a user is deleted, the information - returned by this API is unchanged. - operationId: getCaseReportersDefaultSpace + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uninstall a specific version of a package and remove all its assets.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname-pkgversion parameters: - - $ref: '#/components/parameters/Cases_owner_filter' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - in: query + name: force + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - getReportersResponse: - $ref: '#/components/examples/Cases_get_reporters_response' + deletePackageExample: + description: Package successfully deleted + value: + items: + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template schema: - items: - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - maxItems: 10000 - type: array - description: Indicates a successful call. 
- '401': + additionalProperties: false + type: object + properties: + items: + items: + anyOf: + - additionalProperties: false + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + - additionalProperties: false + type: object + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Get case creators + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete a package tags: - - cases - /api/cases/tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name get: - description: > - Aggregates and returns a list of case tags. 
You must have read - privileges for the **Cases** feature in the **Management**, - **Observability**, or **Security** section of the Kibana feature - privileges, depending on the owner of the cases you're seeking. - operationId: getCaseTagsDefaultSpace + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get information about a specific version of a package. + operationId: get-fleet-epm-packages-pkgname-pkgversion parameters: - - $ref: '#/components/parameters/Cases_owner_filter' - responses: - '200': - content: - application/json: - examples: - getTagsResponse: - $ref: '#/components/examples/Cases_get_tags_response' - schema: - items: - type: string - maxItems: 10000 - type: array - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Get case tags - tags: - - cases - /api/data_views: - get: - operationId: getAllDataViewsDefault + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - in: query + name: ignoreUnverified + required: false + schema: + type: boolean + - in: query + name: prerelease + required: false + schema: + type: boolean + - in: query + name: full + required: false + schema: + type: boolean + - in: query + name: withMetadata + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - getAllDataViewsResponse: - $ref: '#/components/examples/Data_views_get_data_views_response' + getPackageInfoExample: + description: Package details and installation status + value: + item: + assets: + kibana: + dashboard: [] + index_pattern: [] + categories: + - cloud + description: Collect logs and metrics from Amazon Web Services + name: aws + status: installed + title: AWS + version: 2.10.0 schema: + additionalProperties: false type: object properties: - data_view: - items: - type: object - properties: - id: - type: string - name: + item: + additionalProperties: true + type: 
object + properties: + agent: + additionalProperties: false + type: object + properties: + privileges: + additionalProperties: false + type: object + properties: + root: + type: boolean + asset_tags: + items: + additionalProperties: false + type: object + properties: + asset_ids: + items: + type: string + maxItems: 1000 + type: array + asset_types: + items: + type: string + maxItems: 100 + type: array + text: + type: string + required: + - text + maxItems: 1000 + type: array + assets: + additionalProperties: + nullable: true + type: object + categories: + items: type: string - namespaces: - items: + maxItems: 100 + type: array + conditions: + additionalProperties: true + type: object + properties: + deprecated: + additionalProperties: true + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + elastic: + additionalProperties: true + type: object + properties: + capabilities: + items: + type: string + maxItems: 10 + type: array + subscription: + type: string + kibana: + additionalProperties: true + type: object + properties: + version: + type: string + data_streams: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + deprecated: + additionalProperties: true + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + description: + type: string + discovery: + additionalProperties: true + type: object + properties: + datasets: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + fields: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + download: + type: string + elasticsearch: + 
additionalProperties: + nullable: true + type: object + format_version: + type: string + icons: + items: + additionalProperties: true + type: object + properties: + dark_mode: + type: boolean + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + maxItems: 100 + type: array + installationInfo: + additionalProperties: true + type: object + properties: + additional_spaces_installed_kibana: + additionalProperties: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + maxItems: 100 + type: array + type: object + created_at: + type: string + experimental_data_stream_features: + items: + additionalProperties: true + type: object + properties: + data_stream: + type: string + features: + additionalProperties: true + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + install_format_schema_version: + type: string + install_source: + enum: + - registry + - upload + - bundled + - custom + type: string + install_status: + enum: + - installed + - installing + - install_failed + type: string + installed_es: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + 
required: + - id + - type + maxItems: 10000 + type: array + installed_kibana: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + maxItems: 10000 + type: array + installed_kibana_space_id: + type: string + is_rollback_ttl_expired: + type: boolean + latest_executed_state: + additionalProperties: true + type: object + properties: + error: + type: string + name: + type: string + started_at: + type: string + latest_install_failed_attempts: + items: + additionalProperties: true + type: object + properties: + created_at: + type: string + error: + additionalProperties: true + type: object + properties: + message: + type: string + name: + type: string + stack: + type: string + required: + - name + - message + target_version: + type: string + required: + - created_at + - target_version + - error + maxItems: 10 + type: array + name: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: array + previous_version: + nullable: true + type: string + rolled_back: + type: boolean + type: + type: string + updated_at: + type: string + verification_key_id: + nullable: true + type: string + verification_status: + enum: + - unverified + - verified + - unknown + type: string + version: + type: string + required: + - type + - installed_kibana + - installed_es + - name + - version + - install_status + - install_source + - verification_status + internal: + type: boolean + keepPoliciesUpToDate: + type: boolean + latestVersion: + type: string + license: + type: string + licensePath: + type: string + name: + type: string + notice: + type: string + owner: + additionalProperties: true + type: object + properties: 
+ github: + type: string + type: + enum: + - elastic + - partner + - community + type: string + path: + type: string + policy_templates: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + readme: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + screenshots: + items: + additionalProperties: false + type: object + properties: + dark_mode: + type: boolean + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + maxItems: 100 + type: array + signature_path: + type: string + source: + additionalProperties: true + type: object + properties: + license: + type: string + required: + - license + status: + type: string + title: + type: string + type: + anyOf: + - enum: + - integration + type: string + - enum: + - input + type: string + - enum: + - content type: string - type: array - title: - type: string - typeMeta: + - type: string + var_groups: + items: + additionalProperties: true type: object - type: array - description: Indicates a successful call. 
+ properties: + description: + type: string + name: + type: string + options: + items: + additionalProperties: true + type: object + properties: + description: + type: string + hide_in_deployment_modes: + items: + enum: + - default + - agentless + type: string + maxItems: 2 + type: array + name: + type: string + title: + type: string + vars: + items: + type: string + maxItems: 100 + type: array + required: + - name + - title + - vars + maxItems: 100 + type: array + selector_title: + type: string + title: + type: string + required: + - name + - title + - selector_title + - options + maxItems: 100 + type: array + vars: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + version: + type: string + required: + - name + - version + - title + - assets + metadata: + additionalProperties: false + type: object + properties: + has_policies: + type: boolean + required: + - has_policies + required: + - item + description: Successful response '400': content: application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Get all data views + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get a package tags: - - data views - /api/data_views/data_view: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name post: - operationId: createDataViewDefaultw + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install a specific version of a package from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-pkgversion parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - in: query + name: prerelease + required: false + schema: + type: boolean + - in: query + name: ignoreMappingUpdateErrors + required: false + schema: + default: false + type: boolean + - in: query + name: skipDataStreamRollover + required: false + schema: + default: false + type: boolean + - description: Skip dependency validation when installing a package with dependencies + in: query + name: skipDependencyCheck + required: false + schema: + default: false + type: boolean requestBody: content: application/json: examples: - createDataViewRequest: - $ref: '#/components/examples/Data_views_create_data_view_request' + postInstallPackageRequestExample: + description: Install a package, optionally ignoring constraints + value: + ignore_constraints: false schema: - $ref: '#/components/schemas/Data_views_create_data_view_request_object' - required: true + additionalProperties: false + nullable: true + type: object + properties: + force: + default: false + type: boolean + ignore_constraints: + default: false + type: boolean responses: '200': content: application/json: + examples: + postInstallPackageExample: + description: Package successfully installed + value: + _meta: + install_source: registry + items: + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. 
+ additionalProperties: false + type: object + properties: + _meta: + additionalProperties: false + type: object + properties: + install_source: + type: string + name: + type: string + required: + - install_source + - name + items: + items: + anyOf: + - additionalProperties: false + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + - additionalProperties: false + type: object + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + maxItems: 10000 + type: array + required: + - items + - _meta + description: Successful response '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Create a data view - tags: - - data views - /api/data_views/data_view/{viewId}: - delete: - description: | - WARNING: When you delete a data view, it cannot be recovered. - operationId: deleteDataViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '204': - description: Indicates a successful call. - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. 
- summary: Delete a data view - tags: - - data views - get: - operationId: getDataViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '200': content: application/json: examples: - getDataViewResponse: - $ref: '#/components/examples/Data_views_get_data_view_response' - schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. - '404': - content: - application/json: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Get a data view + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Install a package from the registry tags: - - data views - post: - operationId: updateDataViewDefault + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update settings for a specific version of a package.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: put-fleet-epm-packages-pkgname-pkgversion parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string requestBody: content: application/json: examples: - updateDataViewRequest: - $ref: '#/components/examples/Data_views_update_data_view_request' + putUpdatePackageRequestExample: + description: Update keep_policies_up_to_date setting for a package + value: + keepPoliciesUpToDate: true schema: - $ref: '#/components/schemas/Data_views_update_data_view_request_object' - required: true + additionalProperties: false + type: object + properties: + keepPoliciesUpToDate: + type: boolean + required: + - keepPoliciesUpToDate responses: '200': content: application/json: + examples: + putUpdatePackageExample: + description: Updated package settings + value: + item: + keepPoliciesUpToDate: true + name: aws + version: 2.10.0 schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. 
+ additionalProperties: false + type: object + properties: + item: + additionalProperties: true + type: object + properties: + agent: + additionalProperties: false + type: object + properties: + privileges: + additionalProperties: false + type: object + properties: + root: + type: boolean + asset_tags: + items: + additionalProperties: false + type: object + properties: + asset_ids: + items: + type: string + maxItems: 1000 + type: array + asset_types: + items: + type: string + maxItems: 100 + type: array + text: + type: string + required: + - text + maxItems: 1000 + type: array + assets: + additionalProperties: + nullable: true + type: object + categories: + items: + type: string + maxItems: 100 + type: array + conditions: + additionalProperties: true + type: object + properties: + deprecated: + additionalProperties: true + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + elastic: + additionalProperties: true + type: object + properties: + capabilities: + items: + type: string + maxItems: 10 + type: array + subscription: + type: string + kibana: + additionalProperties: true + type: object + properties: + version: + type: string + data_streams: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + deprecated: + additionalProperties: true + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + description: + type: string + discovery: + additionalProperties: true + type: object + properties: + datasets: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + fields: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 
100 + type: array + download: + type: string + elasticsearch: + additionalProperties: + nullable: true + type: object + format_version: + type: string + icons: + items: + additionalProperties: true + type: object + properties: + dark_mode: + type: boolean + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + maxItems: 100 + type: array + installationInfo: + additionalProperties: true + type: object + properties: + additional_spaces_installed_kibana: + additionalProperties: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + maxItems: 100 + type: array + type: object + created_at: + type: string + experimental_data_stream_features: + items: + additionalProperties: true + type: object + properties: + data_stream: + type: string + features: + additionalProperties: true + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + install_format_schema_version: + type: string + install_source: + enum: + - registry + - upload + - bundled + - custom + type: string + install_status: + enum: + - installed + - installing + - install_failed + type: string + installed_es: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - 
knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + maxItems: 10000 + type: array + installed_kibana: + items: + additionalProperties: true + type: object + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + maxItems: 10000 + type: array + installed_kibana_space_id: + type: string + is_rollback_ttl_expired: + type: boolean + latest_executed_state: + additionalProperties: true + type: object + properties: + error: + type: string + name: + type: string + started_at: + type: string + latest_install_failed_attempts: + items: + additionalProperties: true + type: object + properties: + created_at: + type: string + error: + additionalProperties: true + type: object + properties: + message: + type: string + name: + type: string + stack: + type: string + required: + - name + - message + target_version: + type: string + required: + - created_at + - target_version + - error + maxItems: 10 + type: array + name: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: array + previous_version: + nullable: true + type: string + rolled_back: + type: boolean + type: + type: string + updated_at: + type: string + verification_key_id: + nullable: true + type: string + verification_status: + enum: + - unverified + - verified + - unknown + type: string + version: + type: string + required: + - type + - installed_kibana + - installed_es + - name + - version + - install_status + - install_source + - verification_status + internal: + type: boolean + keepPoliciesUpToDate: + type: boolean + latestVersion: + type: string + license: + type: string + licensePath: + type: string + name: + type: string + notice: + type: 
string + owner: + additionalProperties: true + type: object + properties: + github: + type: string + type: + enum: + - elastic + - partner + - community + type: string + path: + type: string + policy_templates: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + readme: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + screenshots: + items: + additionalProperties: false + type: object + properties: + dark_mode: + type: boolean + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + maxItems: 100 + type: array + signature_path: + type: string + source: + additionalProperties: true + type: object + properties: + license: + type: string + required: + - license + status: + type: string + title: + type: string + type: + anyOf: + - enum: + - integration + type: string + - enum: + - input + type: string + - enum: + - content + type: string + - type: string + var_groups: + items: + additionalProperties: true + type: object + properties: + description: + type: string + name: + type: string + options: + items: + additionalProperties: true + type: object + properties: + description: + type: string + hide_in_deployment_modes: + items: + enum: + - default + - agentless + type: string + maxItems: 2 + type: array + name: + type: string + title: + type: string + vars: + items: + type: string + maxItems: 100 + type: array + required: + - name + - title + - vars + maxItems: 100 + type: array + selector_title: + type: string + title: + type: string + required: + - name + - title + - selector_title + - options + maxItems: 100 + type: array + vars: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + version: + type: string + required: + - name + - version + - title + - assets + required: + - item + description: Successful response '400': content: application/json: + examples: + 
genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update a data view + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Update package settings tags: - - data views - /api/data_views/data_view/{viewId}/fields: - post: - description: > - Update fields presentation metadata such as count, customLabel, - customDescription, and format. - operationId: updateFieldsMetadataDefault + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the contents of a specific file from a package.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json: - examples: - updateFieldsMetadataRequest: - $ref: '#/components/examples/Data_views_update_field_metadata_request' - schema: - type: object - properties: - fields: - description: The field object. - type: object - required: - - fields - required: true + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - in: path + name: filePath + required: true + schema: + type: string responses: '200': content: application/json: - schema: - type: object - properties: - acknowledged: - type: boolean - description: Indicates a successful call. + examples: + getPackageFileExample: + description: The content of the requested package file + value: + schema: {} + description: Successful response — returns the file content '400': content: application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update data view fields metadata + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get a package file tags: - - data views - /api/data_views/data_view/{viewId}/runtime_field: - post: - operationId: createRuntimeFieldDefault + - Elastic Package Manager (EPM) + x-metaTags: 
+ - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete datastream assets for a specific input package, by data stream name.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname-pkgversion-datastream-assets parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json: - examples: - createRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_create_runtime_field_request' - schema: - type: object - properties: - name: - description: | - The name for a runtime field. - type: string - runtimeField: - description: | - The runtime field definition object. - type: object - required: - - name - - runtimeField - required: true + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - in: query + name: packagePolicyId + required: true + schema: + type: string responses: '200': content: application/json: + examples: + deletePackageDatastreamAssetsExample: + description: Package datastream assets successfully deleted + value: + items: + - id: logs-my_package.access-default + type: index_template schema: + additionalProperties: false type: object - description: Indicates a successful call. 
- summary: Create a runtime field + properties: + success: + type: boolean + required: + - success + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete assets for an input package tags: - - data views - put: - operationId: createUpdateRuntimeFieldDefault + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the list of packages that a specific package depends on.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-pkgname-pkgversion-dependencies parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - description: | - The ID of the data view fields you want to update. + - description: Package name in: path - name: viewId + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion required: true schema: type: string - requestBody: - content: - application/json: - examples: - updateRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_create_runtime_field_request' - schema: - type: object - properties: - name: - description: | - The name for a runtime field. - type: string - runtimeField: - description: | - The runtime field definition object. - type: object - required: - - name - - runtimeField - required: true responses: '200': content: application/json: + examples: + dependenciesResponse: + value: + items: + - name: aws + title: AWS + version: ^2.0.0 + - name: system + title: System + version: ^1.0.0 + noDependenciesResponse: + value: + items: [] schema: + additionalProperties: false type: object properties: - data_view: - type: object - fields: + items: items: + additionalProperties: false type: object + properties: + name: + type: string + title: + type: string + version: + type: string + required: + - name + - version + - title + maxItems: 1000 type: array - description: Indicates a successful call. + required: + - items + description: 'OK: A successful request.' 
'400': content: application/json: + examples: + packageNotFoundResponse: + value: + message: '[my-package-1.0.0] package not found in registry' schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Create or update a runtime field + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Get package dependencies tags: - - data views - /api/data_views/data_view/{viewId}/runtime_field/{fieldName}: + - Elastic Package Manager (EPM) + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets: delete: - operationId: deleteRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '200': - description: Indicates a successful call. - '404': - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Delete a runtime field from a data view - tags: - - data views - get: - operationId: getRuntimeFieldDefault + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete Kibana assets (dashboards, visualizations, etc.) for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string responses: '200': content: application/json: examples: - getRuntimeFieldResponse: - $ref: '#/components/examples/Data_views_get_runtime_field_response' + deleteKibanaAssetsExample: + description: Kibana assets successfully deleted + value: + items: + - id: dashboard-id-1 + type: dashboard schema: + additionalProperties: false type: object properties: - data_view: - type: object - fields: - items: - type: object - type: array - description: Indicates a successful call. - '404': + success: + type: boolean + required: + - success + description: Successful response + '400': content: application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. 
- summary: Get a runtime field + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete Kibana assets for a package tags: - - data views + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name post: - operationId: updateRuntimeFieldDefault + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install Kibana assets (dashboards, visualizations, etc.) for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-pkgversion-kibana-assets parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string requestBody: content: application/json: examples: - updateRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_update_runtime_field_request' + postInstallKibanaAssetsRequestExample: + description: Install Kibana assets for a specific package version + value: {} schema: + additionalProperties: false + nullable: true type: object properties: - runtimeField: - description: | - The runtime field definition object. - - You can update following fields: - - - `type` - - `script` - type: object - required: - - runtimeField - required: true + force: + type: boolean + space_ids: + description: When provided install assets in the specified spaces instead of the current space. + items: + type: string + maxItems: 100 + minItems: 1 + type: array responses: '200': - description: Indicates a successful call. 
+ content: + application/json: + examples: + postInstallKibanaAssetsExample: + description: Kibana assets successfully installed + value: + items: + - id: dashboard-id-1 + type: dashboard + schema: + additionalProperties: false + type: object + properties: + success: + type: boolean + required: + - success + description: Successful response '400': content: application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update a runtime field + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Install Kibana assets for a package tags: - - data views - /api/data_views/default: - get: - operationId: getDefaultDataViewDefault + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install Kibana alert rule assets for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-pkgversion-rule-assets + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postInstallRuleAssetsRequestExample: + description: Install alert rule assets for a specific package version + value: {} + schema: + additionalProperties: false + nullable: true + type: object + properties: + force: + type: boolean responses: '200': content: application/json: examples: - getDefaultDataViewResponse: - $ref: >- - #/components/examples/Data_views_get_default_data_view_response + postInstallRuleAssetsExample: + description: Rule assets successfully installed + value: + items: + - id: rule-asset-id-1 + type: security_rule schema: + additionalProperties: false type: object properties: - data_view_id: - type: string - description: Indicates a successful call. 
+ success: + type: boolean + required: + - success + description: Successful response '400': content: application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Get the default data view + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Install Kibana alert rule for a package tags: - - data views + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: post: - operationId: setDefaultDatailViewDefault + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Reauthorize Elasticsearch transforms installed by a package with secondary authorization headers. + operationId: post-fleet-epm-packages-pkgname-pkgversion-transforms-authorize parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - in: query + name: prerelease + required: false + schema: + type: boolean requestBody: content: application/json: examples: - setDefaultDataViewRequest: - $ref: '#/components/examples/Data_views_set_default_data_view_request' + postReauthorizeTransformsRequestExample: + description: Reauthorize transforms for a package + value: + transforms: + - destinations: + - index: logs-transform-dest + transformId: logs-transform-1 schema: + additionalProperties: false type: object properties: - data_view_id: - description: > - The data view identifier. NOTE: The API does not validate - whether it is a valid identifier. Use `null` to unset the - default data view. - nullable: true - type: string - force: - default: false - description: Update an existing default data view identifier. 
- type: boolean + transforms: + items: + additionalProperties: false + type: object + properties: + transformId: + type: string + required: + - transformId + maxItems: 1000 + type: array required: - - data_view_id - required: true + - transforms responses: '200': content: application/json: + examples: + postReauthorizeTransformsExample: + description: Transforms successfully reauthorized + value: + - success: true + transformId: logs-transform-1 schema: - type: object - properties: - acknowledged: - type: boolean - description: Indicates a successful call. + items: + additionalProperties: false + type: object + properties: + error: + nullable: true + success: + type: boolean + transformId: + type: string + required: + - transformId + - success + - error + maxItems: 10000 + type: array + description: Successful response '400': content: application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Set the default data view + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Authorize transforms tags: - - data views - /api/data_views/swap_references: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/review_upgrade: post: - description: > - Changes saved object references from one data view identifier to - another. WARNING: Misuse can break large numbers of saved objects! - Practicing with a backup is recommended. 
- operationId: swapDataViewsDefault + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/review_upgrade
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Review and accept or reject a pending policy upgrade for a package that contains deprecations.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-review-upgrade parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name to review upgrade for + in: path + name: pkgName + required: true + schema: + type: string requestBody: content: application/json: examples: - swapDataViewRequest: - $ref: '#/components/examples/Data_views_swap_data_view_request' + acceptUpgrade: + value: + action: accept + target_version: 2.0.0 schema: - $ref: '#/components/schemas/Data_views_swap_data_view_request_object' - required: true + additionalProperties: false + type: object + properties: + action: + enum: + - accept + - decline + - pending + type: string + target_version: + type: string + required: + - action + - target_version responses: '200': content: application/json: + examples: + successResponse: + value: + success: true schema: + additionalProperties: false type: object properties: - deleteStatus: - type: object - properties: - deletePerformed: - type: boolean - remainingRefs: - type: integer - result: - items: - type: object - properties: - id: - description: A saved object identifier. - type: string - type: - description: The saved object type. - type: string - type: array - description: Indicates a successful call. - summary: Swap saved object references - tags: - - data views - /api/data_views/swap_references/_preview: - post: - description: > - Preview the impact of swapping saved object references from one data - view identifier to another. 
- operationId: previewSwapDataViewsDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json: - examples: - previewSwapDataViewRequest: - $ref: >- - #/components/examples/Data_views_preview_swap_data_view_request - schema: - $ref: '#/components/schemas/Data_views_swap_data_view_request_object' - required: true - responses: - '200': + success: + type: boolean + required: + - success + description: 'OK: A successful request.' + '400': content: application/json: + examples: + badRequestResponse: + value: + message: Bad Request schema: + additionalProperties: false + description: Generic Error type: object properties: - result: - items: - type: object - properties: - id: - description: A saved object identifier. - type: string - type: - description: The saved object type. - type: string - type: array - description: Indicates a successful call. - summary: Preview a saved object reference swap + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Review a pending policy upgrade for a package with deprecations tags: - - data views - /api/detection_engine/index: - delete: - description: > - Permanently deletes the Elastic Security alerts backing index in the - current space, including the alerts + - Elastic Package Manager (EPM) + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/rollback: + post: + description: |- + **Spaces method and path for this operation:** - stored in it. Use with caution; prefer lifecycle policies or the UI when - available. +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/rollback
- Call `GET /api/detection_engine/index` first to confirm the index that - will be removed. - operationId: DeleteAlertsIndex + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rollback a package to its previously installed version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-rollback + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name to roll back + in: path + name: pkgName + required: true + schema: + type: string responses: '200': content: application/json: examples: - acknowledged: + successResponse: value: - acknowledged: true + success: true + version: 1.0.0 schema: + additionalProperties: false type: object properties: - acknowledged: + success: type: boolean + version: + type: string required: - - acknowledged - description: Successful response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - message: >- - API [DELETE /api/detection_engine/index] is unauthorized - for the current user. The user needs alerts management - permissions for the space. - status_code: 403 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Not enough permissions response - '404': - content: - application/json: - examples: - notFound: - value: - message: The Elastic Security alerts index to delete was not found. 
- status_code: 404 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Index does not exist response - '500': + - version + - success + description: 'OK: A successful request.' + '400': content: application/json: examples: - serverError: + badRequestResponse: value: - message: Internal Server Error - status_code: 500 + message: Bad Request schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Delete an alerts index + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Rollback a package to previous version tags: - - Security Detections API - - Alert index API + - Elastic Package Manager (EPM) + x-state: Technical Preview; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/stats: get: - description: > - Returns the backing Elasticsearch index for Elastic Security detection - alerts in the current space, and + description: |- + **Spaces method and path for this operation:** - whether its mapping is outdated. Use this to verify that an alert index - is provisioned before creating +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/stats
- or running rules that write alerts to it. - operationId: ReadAlertsIndex + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get usage statistics for a specific package, such as the number of agent policies using it.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-pkgname-stats + parameters: + - in: path + name: pkgName + required: true + schema: + type: string responses: '200': content: application/json: examples: - success: + getPackageStatsExample: + description: Usage stats for a specific package value: - index_mapping_outdated: false - name: .alerts-security.alerts-default + response: + agent_policy_count: 3 schema: + additionalProperties: false type: object properties: - index_mapping_outdated: - nullable: true - type: boolean - name: - type: string + response: + additionalProperties: false + type: object + properties: + agent_policy_count: + type: number + package_policy_count: + type: number + required: + - agent_policy_count + - package_policy_count required: - - name - - index_mapping_outdated + - response description: Successful response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - message: >- - API [GET /api/detection_engine/index] is unauthorized for - the current user. Check Security and Kibana feature - privileges (detection engine / alerts) for the space. - status_code: 403 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Not enough permissions response - '404': - content: - application/json: - examples: - notFound: - value: - message: >- - Elastic Security alert index is not found for the current - space. 
- status_code: 404 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Not found - '500': + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Reads the alert index name if it exists + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get package stats tags: - - Security Detections API - - Alert index API - post: - description: | - Creates an index for Elastic Security alerts. Calling this API is not - required for the detection engine to function properly. You can create - rules and alerts without calling this API. - operationId: CreateAlertsIndex + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/installed: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/installed
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all currently installed integration packages.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-installed + parameters: + - in: query + name: dataStreamType + required: false + schema: + enum: + - logs + - metrics + - traces + - synthetics + - profiling + type: string + - in: query + name: showOnlyActiveDataStreams + required: false + schema: + type: boolean + - in: query + name: nameQuery + required: false + schema: + type: string + - in: query + name: searchAfter + required: false + schema: + items: + anyOf: + - type: string + - type: number + maxItems: 10 + type: array + - in: query + name: perPage + required: false + schema: + default: 15 + type: number + - in: query + name: sortOrder + required: false + schema: + default: asc + enum: + - asc + - desc + type: string responses: '200': content: application/json: examples: - acknowledged: + getInstalledPackagesExample: + description: List of installed integration packages value: - acknowledged: true + items: + - name: system + status: installed + title: System + version: 1.55.0 + - name: elastic_agent + status: installed + title: Elastic Agent + version: 1.15.0 + searchExcluded: 0 + total: 2 schema: + additionalProperties: false type: object properties: - acknowledged: - type: boolean + items: + items: + additionalProperties: false + type: object + properties: + dataStreams: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + required: + - name + - title + maxItems: 10000 + type: array + description: + type: string + icons: + items: + additionalProperties: false + type: object + properties: + dark_mode: + type: boolean + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + maxItems: 100 + type: array + name: + type: string + status: + type: string + title: + type: string + version: + type: string + required: + - name + - version 
+ - status + - dataStreams + maxItems: 10000 + type: array + searchAfter: + items: + anyOf: + - type: string + - type: number + - type: boolean + - nullable: true + nullable: true + maxItems: 2 + type: array + total: + type: number required: - - acknowledged + - items + - total description: Successful response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - message: >- - API [POST /api/detection_engine/index] is unauthorized for - the current user. The user must be able to create indices - for the Elastic Security solution. - status_code: 403 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Not enough permissions response - '404': - content: - application/json: - examples: - notFound: - value: - message: >- - A prerequisite resource required to create the alerts - index was not found. 
- status_code: 404 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Not found - '500': + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Create an alerts index + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get installed packages tags: - - Security Detections API - - Alert index API - /api/detection_engine/privileges: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/limited: get: - description: > - Retrieves whether or not the user is authenticated, and the user's - Kibana + description: |- + **Spaces method and path for this operation:** - space and index privileges, which determine if the user can create an +
get /s/{space_id}/api/fleet/epm/packages/limited
- index for the Elastic Security alerts generated by + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - detection engine rules. - operationId: ReadPrivileges + Get the list of packages that cannot be uninstalled (e.g. elastic_agent, fleet_server).

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-limited + parameters: [] responses: '200': content: application/json: examples: - success: + getLimitedPackagesExample: + description: List of packages that cannot be uninstalled value: - application: {} - cluster: - all: true - manage: true - manage_api_key: true - manage_index_templates: true - manage_ml: true - manage_own_api_key: true - manage_pipeline: true - manage_security: true - manage_transform: true - monitor: true - monitor_ml: true - monitor_transform: true - has_all_requested: true - has_encryption_key: true - index: - .alerts-security.alerts-default: - all: true - create: true - create_doc: true - create_index: true - delete: true - delete_index: true - index: true - maintenance: true - manage: true - monitor: true - read: true - view_index_metadata: true - write: true - is_authenticated: true - username: elastic + items: + - elastic_agent + - fleet_server schema: + additionalProperties: false type: object properties: - has_encryption_key: - type: boolean - is_authenticated: - type: boolean + items: + items: + type: string + maxItems: 10000 + type: array required: - - is_authenticated - - has_encryption_key + - items description: Successful response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal 
Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Returns user privileges for the Kibana space - tags: - - Security Detections API - - Privileges API - /api/detection_engine/rules: - delete: - description: > - Delete a detection rule using the `rule_id` or `id` field. - - - The URL query must include one of the following: - - - * `id` - `DELETE /api/detection_engine/rules?id=` + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get a limited package list + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: + get: + description: |- + **Spaces method and path for this operation:** - * `rule_id`- `DELETE /api/detection_engine/rules?rule_id=` +
get /s/{space_id}/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - The difference between the `id` and `rule_id` is that the `id` is a - unique rule identifier that is randomly generated when a rule is created - and cannot be set, whereas `rule_id` is a stable rule identifier that - can be assigned during rule creation. - operationId: DeleteRule + Get an inputs template for a package, used to pre-populate package policy forms.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs parameters: - - description: The rule's `id` value. - in: query - name: id + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - in: query + name: format required: false schema: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - - description: The rule's `rule_id` value. - in: query - name: rule_id + default: json + enum: + - json + - yml + - yaml + type: string + - in: query + name: prerelease required: false schema: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + type: boolean + - in: query + name: ignoreUnverified + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - deletedRule: - summary: Response shape after a rule is deleted + getInputsTemplateExample: + description: Inputs template for a package value: - actions: [] - created_at: '2020-02-03T11:19:04.259Z' - created_by: elastic - description: Process started by MS Office program in user folder - enabled: false - false_positives: [] - from: now-4200s - id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: MS Office child process - query: event.action:Process* - references: [] - risk_score: 50 - rule_id: process_started_by_ms_office_user_folder - severity: low - tags: - - tag - throttle: null - to: now - type: query - updated_at: '2020-02-03T11:19:04.462Z' - updated_by: elastic - version: 3 + inputs: + - description: Collect logs from log files + title: Collect logs from files + type: logfile + vars: + - name: paths + required: true + title: Paths + type: text + schema: + anyOf: + - type: string + - additionalProperties: false + type: object + properties: + connectors: + additionalProperties: + 
nullable: true + type: object + exporters: + additionalProperties: + nullable: true + type: object + extensions: + additionalProperties: + nullable: true + type: object + inputs: + items: + additionalProperties: false + type: object + properties: + id: + type: string + streams: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + dataset: + type: string + type: + type: string + required: + - dataset + id: + type: string + required: + - id + - data_stream + maxItems: 10000 + type: array + type: + type: string + required: + - id + - type + maxItems: 10000 + type: array + processors: + additionalProperties: + nullable: true + type: object + receivers: + additionalProperties: + nullable: true + type: object + service: + additionalProperties: false + type: object + properties: + extensions: + items: + type: string + maxItems: 1000 + type: array + pipelines: + additionalProperties: + additionalProperties: false + type: object + properties: + exporters: + items: + type: string + maxItems: 1000 + type: array + processors: + items: + type: string + maxItems: 1000 + type: array + receivers: + items: + type: string + maxItems: 1000 + type: array + x-oas-optional: true + type: object + required: + - inputs + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. 
- summary: Delete a detection rule + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get an inputs template tags: - - Security Detections API - - Rules API - x-codeSamples: - - lang: cURL - source: | - curl \ - --request DELETE https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ - --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/verification_key_id: get: - description: > - Retrieve a detection rule using the `rule_id` or `id` field. + description: |- + **Spaces method and path for this operation:** +
get /s/{space_id}/api/fleet/epm/verification_key_id
- The URL query must include one of the following: - - - * `id` - `GET /api/detection_engine/rules?id=` + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - * `rule_id` - `GET /api/detection_engine/rules?rule_id=` - - - The difference between the `id` and `rule_id` is that the `id` is a - unique rule identifier that is randomly generated when a rule is created - and cannot be set, whereas `rule_id` is a stable rule identifier that - can be assigned during rule creation. - operationId: ReadRule - parameters: - - description: The rule's `id` value. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - - description: The rule's `rule_id` value. - in: query - name: rule_id - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + Get the GPG key ID used to verify the signatures of packages from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-verification-key-id + parameters: [] responses: '200': content: application/json: examples: - example1: - summary: Example response for a retrieved rule + getVerificationKeyIdExample: + description: The GPG key ID used to verify package signatures value: - created_at: '2020-02-03T11:19:04.259Z' - created_by: elastic - description: Process started by MS Office program in user folder - enabled: false - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: >- - This rule attempted to query data from Elasticsearch - indices listed in the "Index pattern" section of the - rule definition, but no matching index was found. - metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: [] - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-4200s - id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: MS Office child process - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: process.name - type: keyword - - ecs: true - name: process.parent.name - type: keyword - risk_score: 21 - rule_id: process_started_by_ms_office_user_folder - setup: '' - severity: low - tags: - - child process - - ms office - threat: - - framework: MITRE ATT&CK - tactic: - id: TA0001 - name: Initial Access - reference: https://attack.mitre.org/tactics/TA0001 - technique: - - id: T1193 - name: Spearphishing Attachment - 
reference: https://attack.mitre.org/techniques/T1193 - to: now-300s - type: query - updated_at: '2020-02-03T11:19:04.462Z' - updated_by: elastic - version: 1 + id: D27D666CD88E42B4 schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: > - Indicates a successful call. - - > info - - > These fields are under development and their usage or schema may - change: execution_summary. - summary: Retrieve a detection rule + additionalProperties: false + type: object + properties: + id: + nullable: true + type: string + required: + - id + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get a package signature verification key ID tags: - - Security Detections API - - Rules API - x-codeSamples: - - lang: cURL - source: | - curl \ - --request GET https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ - --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" - patch: - description: > - Update specific fields of an existing detection rule using the `rule_id` - or `id` field. - - - The difference between the `id` and `rule_id` is that the `id` is a - unique rule identifier that is randomly generated when a rule is created - and cannot be set, whereas `rule_id` is a stable rule identifier that - can be assigned during rule creation. 
- - > warn - - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. - - - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - operationId: PatchRule - requestBody: - content: - application/json: - examples: - example1: - summary: Patch query rule - value: - id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 - name: New name - example2: - summary: Patch EQL rule - value: - rule_id: process_started_by_ms_office_program_possible_payload - threat: - - framework: MITRE ATT&CK - tactic: - id: TA0001 - name: Initial Access - reference: https://attack.mitre.org/tactics/TA0001 - technique: - - id: T1193 - name: Spearphishing Attachment - reference: https://attack.mitre.org/techniques/T1193 - example3: - summary: Patch threshold rule - value: - id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 - query: >- - agent.version : * and agent.id : - "243d9b4f-ca01-4311-8e5c-9abbee91afd8" - threshold: - cardinality: [] - field: [] - value: 600 - example4: - summary: Patch new terms rule - value: - history_window_start: now-3d - id: 569aac91-40dc-4807-a8ae-a2c8698089c4 - new_terms_fields: - - Endpoint.policy.applied.artifacts.global.identifiers.name - example5: - summary: Patch esql rule - value: - id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd - query: > - FROM logs-abc* + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/fleet_server_hosts: + get: + description: |- + **Spaces method and path for this operation:** - | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) +
get /s/{space_id}/api/fleet/fleet_server_hosts
- | EVAL event_rate = count / DATE_DIFF("seconds", - min_timestamp, NOW()) + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - | KEEP event_rate - example6: - summary: Patch indicator match rule - value: - id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd - threat_query: >- - @timestamp >= "now-30d/d" and event.module:(threatintel or - ti_*) and threat.indicator.ip:* and not - labels.is_ioc_transform_source:"false" - example7: - summary: Patch machine learning rule - value: - anomaly_threshold: 50 - id: 60b13926-289b-41b1-a537-197ef1fa5059 - machine_learning_job_id: - - auth_high_count_logon_events_ea - schema: - $ref: '#/components/schemas/Security_Detections_API_RulePatchProps' - description: | - > info - > You cannot modify the `id` or `rule_id` values. - required: true + List all Fleet Server hosts.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-settings-read. + operationId: get-fleet-fleet-server-hosts + parameters: [] responses: '200': content: application/json: examples: - example1: - summary: Example response for an updated rule + getFleetServerHostsExample: + description: List of Fleet Server hosts value: - actions: [] - created_at: '2020-04-07T14:51:09.755Z' - created_by: elastic - description: Updated description for the rule. - enabled: false - false_positives: [] - filters: - - query: null - from: now-70m - id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: Updated Rule Name - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - required_fields: - - name: process.parent.name - risk_score: 50 - rule_id: process_started_by_ms_office_program - setup: '' - severity: low - tags: - - child process - - ms office - threat: [] - to: now - type: query - updated_at: '2020-04-07T14:51:09.970Z' - updated_by: elastic - version: 2 + items: + - host_urls: + - https://fleet-server.example.com:8220 + id: fleet-server-host-id-1 + is_default: true + is_preconfigured: false + name: Default Fleet Server + page: 1 + perPage: 20 + total: 1 schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. 
- summary: Patch a detection rule + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + - id + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + 
message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get Fleet Server hosts tags: - - Security Detections API - - Rules API - post: - description: > - Create a new detection rule. - - > warn - - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. - - - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - - - You can create the following types of rules: - - - * **Custom query**: Searches the defined indices and creates an alert - when a document matches the rule's KQL query. - - * **Event correlation**: Searches the defined indices and creates an - alert when results match an [Event Query Language - (EQL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html) - query. - - * **Threshold**: Searches the defined indices and creates an alert when - the number of times the specified field's value meets the threshold - during a single execution. When there are multiple values that meet the - threshold, an alert is generated for each value. - For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. If you're interested, see [Terms Aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html) for more information. 
- * **Indicator match**: Creates an alert when fields match values defined - in the specified [Elasticsearch - index](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html). - For example, you can create an index for IP addresses and use this index - to create an alert whenever an event's `destination.ip` equals a value - in the index. The index's field mappings should be - [ECS-compliant](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html). - - * **New terms**: Generates an alert for each new term detected in source - documents within a specified time range. - - * **ES|QL**: Uses [Elasticsearch Query Language - (ES|QL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html) - to find events and aggregate search results. - - * **Machine learning rules**: Creates an alert when a machine learning - job discovers an anomaly above the defined threshold. - - > info - - > To create machine learning rules, you must have the [appropriate - license](https://www.elastic.co/subscriptions) or use a [cloud - deployment](https://cloud.elastic.co/registration). Additionally, for - the machine learning rule to function correctly, the associated machine - learning job must be running. - - - To retrieve machine learning job IDs, which are required to create - machine learning jobs, call the [Elasticsearch Get jobs - API](https://www.elastic.co/guide/en/elasticsearch/reference/current/ml-get-job.html). - Machine learning jobs that contain `siem` in the `groups` field can be - used to create rules: - - - ```json - - ... - - "job_id": "linux_anomalous_network_activity_ecs", - - "job_type": "anomaly_detector", - - "job_version": "7.7.0", - - "groups": [ - "auditbeat", - "process", - "siem" - ], - - ... - - ``` - - - Additionally, you can set up notifications for when rules create alerts. - The notifications use the [Alerting and Actions - framework](https://www.elastic.co/docs/explore-analyze/alerting). 
Each - action type requires a connector. Connectors store the information - required to send notifications via external systems. The following - connector types are supported for rule notifications: - - - * Slack - - * Email - - * PagerDuty - - * Webhook - - * Microsoft Teams - - * IBM Resilient - - * Jira - - * ServiceNow ITSM - - > info - - > For more information on PagerDuty fields, see [Send a v2 - Event](https://developer.pagerduty.com/docs/events-api-v2/trigger-events/). - - - To retrieve connector IDs, which are required to configure rule - notifications, call the [Find objects - API](https://www.elastic.co/docs/api/doc/kibana/operation/operation-findsavedobjects) - with `"type": "action"` in the request payload. - - - For detailed information on Kibana actions and alerting, and additional - API calls, see: - + - Fleet Server hosts + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** - * [Alerting - API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-alerting) +
post /s/{space_id}/api/fleet/fleet_server_hosts
- * [Alerting and Actions - framework](https://www.elastic.co/docs/explore-analyze/alerting) + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - * [Connectors - API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-connectors) - operationId: CreateRule + Create a new Fleet Server host.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-fleet-server-hosts + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - example1: - description: Query rule that searches for processes started by MS Office - summary: Query rule - value: - description: Process started by MS Office program - possible payload - enabled: false - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-70m - interval: 1h - language: kuery - name: MS Office child process - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - name: process.parent.name - type: keyword - risk_score: 50 - rule_id: process_started_by_ms_office_program - severity: low - tags: - - child process - - ms office - type: query - example2: - description: >- - Threshold rule that detects multiple failed login attempts to - a Windows host from the same external source IP address - summary: Threshold rule - value: - description: >- - Detects when there are 20 or more failed login attempts from - the same IP address with a 2 minute time frame. 
- enabled: true - exceptions_list: - - id: int-ips - namespace_type: single - type: detection - from: now-180s - index: - - winlogbeat-* - interval: 2m - name: Windows server prml-19 - query: >- - host.name:prml-19 and event.category:authentication and - event.outcome:failure - required_fields: - - name: source.ip - type: ip - risk_score: 30 - rule_id: liv-win-ser-logins - severity: low - severity_mapping: - - field: source.geo.city_name - operator: equals - severity: low - value: Manchester - - field: source.geo.city_name - operator: equals - severity: medium - value: London - - field: source.geo.city_name - operator: equals - severity: high - value: Birmingham - - field: source.geo.city_name - operator: equals - severity: critical - value: Wallingford - tags: - - Brute force - threshold: - field: source.ip - value: 20 - type: threshold - example3: - description: >- - Machine learning rule that creates alerts, and sends Slack - notifications, when the linux_anomalous_network_activity_ecs - machine learning job discovers anomalies with a threshold of - 70 or above. - summary: Machine learning rule - value: - actions: - - action_type_id: .slack - group: default - id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 - params: - message: 'Urgent: {{context.rule.description}}' - anomaly_threshold: 70 - description: Generates alerts when the job discovers anomalies over 70 - enabled: true - from: now-6m - interval: 5m - machine_learning_job_id: linux_anomalous_network_activity_ecs - name: Anomalous Linux network activity - note: Shut down the internet. - risk_score: 70 - rule_id: ml_linux_network_high_threshold - setup: This rule requires data coming in from Elastic Defend. 
- severity: high - tags: - - machine learning - - Linux - type: machine_learning - example4: - description: >- - Event correlation rule that creates alerts when the Windows - rundll32.exe process makes unusual network connections - summary: EQL rule - value: - description: Unusual rundll32.exe network connection - language: eql - name: rundll32.exe network connection - query: >- - sequence by process.entity_id with maxspan=2h [process where - event.type in ("start", "process_started") and (process.name - == "rundll32.exe" or process.pe.original_file_name == - "rundll32.exe") and ((process.args == "rundll32.exe" and - process.args_count == 1) or (process.args != "rundll32.exe" - and process.args_count == 0))] [network where event.type == - "connection" and (process.name == "rundll32.exe" or - process.pe.original_file_name == "rundll32.exe")] - required_fields: - - name: event.type - type: keyword - - name: process.args - type: keyword - - name: process.args_count - type: long - - name: process.entity_id - type: keyword - - name: process.name - type: keyword - - name: process.pe.original_file_name - type: keyword - risk_score: 21 - rule_id: eql-outbound-rundll32-connections - severity: low - tags: - - EQL - - Windows - - rundll32.exe - type: eql - example5: - description: > - Indicator match rule that creates an alert when one of the - following is true: The event's destination IP address and port - number matches destination IP and port values in the - threat_index index; The event's source IP address matches a - host IP address value in the threat_index index. 
- summary: Indicator match rule - value: - actions: [] - description: >- - Checks for bad IP addresses listed in the ip-threat-list - index - index: - - packetbeat-* - name: Bad IP threat match - query: destination.ip:* or host.ip:* - required_fields: - - name: destination.ip - type: ip - - name: destination.port - type: long - - name: host.ip - type: ip - risk_score: 50 - severity: medium - threat_index: - - ip-threat-list - threat_mapping: - - entries: - - field: destination.ip - type: mapping - value: destination.ip - - field: destination.port - type: mapping - value: destination.port - - entries: - - field: source.ip - type: mapping - value: host.ip - threat_query: '*:*' - type: threat_match - example6: - description: >- - New terms rule that creates alerts a new IP address is - detected for a user - summary: New terms rule - value: - description: Detects a user associated with a new IP address - history_window_start: now-30d - index: - - auditbeat* - language: kuery - name: New User IP Detected - new_terms_fields: - - user.id - - source.ip - query: '*' - required_fields: - - name: user.id - type: keyword - - name: source.ip - type: ip - risk_score: 21 - severity: medium - type: new_terms - example7: - description: >- - esql rule that creates alerts from events that match an Excel - parent process - summary: Esql rule - value: - description: Find Excel events - enabled: false - from: now-360s - interval: 5m - language: esql - name: Find Excel events - query: >- - from auditbeat-8.10.2 METADATA _id, _version, _index | where - process.parent.name == "EXCEL.EXE" - required_fields: - - name: process.parent.name - type: keyword - risk_score: 21 - severity: low - tags: [] - to: now - type: esql - example8: - description: >- - Query rule that searches for processes started by MS Office - and suppresses alerts by the process.parent.name field within - a 5-hour time period - summary: Query rule 2 + postFleetServerHostRequestExample: + description: Create a new Fleet 
Server host value: - alert_suppression: - duration: - unit: h - value: 5 - group_by: - - process.parent.name - missing_fields_strategy: suppress - description: Process started by MS Office program - possible payload - enabled: false - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-70m - interval: 1h - language: kuery - name: MS Office child process - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - risk_score: 50 - rule_id: process_started_by_ms_office_program - severity: low - tags: - - child process - - ms office - type: query + host_urls: + - https://fleet-server.example.com:8220 + is_default: false + name: My Fleet Server schema: - $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps' - required: true + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: 
string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls responses: '200': content: - application/json: - examples: - example1: - description: Example response for a query rule - summary: Query rule response - value: - actions: [] - created_at: '2020-04-07T14:51:09.755Z' - created_by: elastic - description: Process started by MS Office program - possible payload - enabled: false - false_positives: [] - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-70m - id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: MS Office child process - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - - integration: graphactivitylogs - package: azure - version: ^1.11.4 - required_fields: - - ecs: true - name: process.parent.name - type: keyword - risk_score: 50 - rule_id: process_started_by_ms_office_program - setup: '' - severity: low - tags: - - child process - - ms office - threat: [] - to: now - type: query - updated_at: '2020-04-07T14:51:09.970Z' - updated_by: elastic - version: 1 - example2: - description: Example response for a machine learning job rule - summary: Machine learning response - value: - actions: - - action_type_id: .slack - frequency: - 
notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 - params: - message: 'Urgent: {{context.rule.description}}' - anomaly_threshold: 70 - created_at: '2020-04-07T14:45:15.679Z' - created_by: elastic - description: Generates alerts when the job discovers anomalies over 70 - enabled: true - false_positives: [] - from: now-6m - id: 83876f66-3a57-4a99-bf37-416494c80f3b - immutable: false - interval: 5m - machine_learning_job_id: linux_anomalous_network_activity_ecs - max_signals: 100 - name: Anomalous Linux network activity - note: Shut down the internet. - references: [] - related_integrations: [] - required_fields: [] - risk_score: 70 - rule_id: ml_linux_network_high_threshold - setup: '' - severity: high - status: going to run - status_date: '2020-04-07T14:45:21.685Z' - tags: - - machine learning - - Linux - threat: [] - to: now - type: machine_learning - updated_at: '2020-04-07T14:45:15.892Z' - updated_by: elastic - version: 1 - example3: - description: Example response for a threshold rule - summary: Threshold rule response - value: - actions: [] - author: [] - created_at: '2020-07-22T10:27:23.486Z' - created_by: elastic - description: >- - Detects when there are 20 or more failed login attempts - from the same IP address with a 2 minute time frame. 
- enabled: true - exceptions_list: - - id: int-ips - namespace_type: single - type: detection - false_positives: [] - from: now-180s - id: 15dbde26-b627-4d74-bb1f-a5e0ed9e4993 - immutable: false - index: - - winlogbeat-* - interval: 2m - language: kuery - max_signals: 100 - name: Windows server prml-19 - query: >- - host.name:prml-19 and event.category:authentication and - event.outcome:failure - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: source.ip - type: ip - risk_score: 30 - risk_score_mapping: [] - rule_id: liv-win-ser-logins - setup: '' - severity: low - severity_mapping: - - field: source.geo.city_name - operator: equals - severity: low - value: Manchester - - field: source.geo.city_name - operator: equals - severity: medium - value: London - - field: source.geo.city_name - operator: equals - severity: high - value: Birmingham - - field: source.geo.city_name - operator: equals - severity: critical - value: Wallingford - tags: - - Brute force - threat: [] - threshold: - field: source.ip - value: 20 - to: now - type: threshold - updated_at: '2020-07-22T10:27:23.673Z' - updated_by: elastic - version: 1 - example4: - description: Example response for an EQL rule - summary: EQL rule response - value: - author: [] - created_at: '2020-10-05T09:06:16.392Z' - created_by: elastic - description: Unusual rundll32.exe network connection - enabled: true - exceptions_list: [] - false_positives: [] - from: now-6m - id: 93808cae-b05b-4dc9-8479-73574b50f8b1 - immutable: false - interval: 5m - language: eql - max_signals: 100 - name: rundll32.exe network connection - query: >- - sequence by process.entity_id with maxspan=2h [process - where event.type in ("start", "process_started") and - (process.name == "rundll32.exe" or - process.pe.original_file_name == "rundll32.exe") and - ((process.args == "rundll32.exe" and process.args_count == - 1) or (process.args != "rundll32.exe" and - process.args_count == 
0))] [network where event.type == - "connection" and (process.name == "rundll32.exe" or - process.pe.original_file_name == "rundll32.exe")] - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: event.type - type: keyword - - ecs: true - name: process.args - type: keyword - - ecs: true - name: process.args_count - type: long - - ecs: true - name: process.entity_id - type: keyword - - ecs: true - name: process.name - type: keyword - - ecs: true - name: process.pe.original_file_name - type: keyword - risk_score: 21 - risk_score_mapping: [] - rule_id: eql-outbound-rundll32-connections - setup: '' - severity: low - severity_mapping: [] - tags: - - EQL - - Windows - - rundll32.exe - threat: [] - throttle: no_actions - to: now - type: eql - updated_at: '2020-10-05T09:06:16.403Z' - updated_by: elastic - version: 1 - example5: - description: Example response for an indicator match rule - summary: Indicator match rule response + application/json: + examples: + postFleetServerHostExample: + description: The created Fleet Server host value: - author: [] - created_at: '2020-10-06T07:07:58.227Z' - created_by: elastic - description: >- - Checks for bad IP addresses listed in the ip-threat-list - index - enabled: true - exceptions_list: [] - false_positives: [] - from: now-6m - id: d5daa13f-81fb-4b13-be2f-31011e1d9ae1 - immutable: false - index: - - packetbeat-* - interval: 5m - language: kuery - max_signals: 100 - name: Bad IP threat match - query: destination.ip:* or host.ip:* - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: destination.ip - type: ip - - ecs: true - name: destination.port - type: long - - ecs: true - name: host.ip - type: ip - risk_score: 50 - risk_score_mapping: [] - rule_id: 608501e4-c768-4f64-9326-cec55b5d439b - setup: '' - severity: medium - severity_mapping: [] - tags: [] - threat: [] - threat_index: - - ip-threat-list - 
threat_mapping: - - entries: - - field: destination.ip - type: mapping - value: destination.ip - - field: destination.port - type: mapping - value: destination.port - - entries: - - field: source.ip - type: mapping - value: host.ip - threat_query: '*:*' - to: now - type: threat_match - updated_at: '2020-10-06T07:07:58.237Z' - updated_by: elastic - version: 1 - example6: - description: Example response for a new terms rule - summary: New terms rule response + item: + host_urls: + - https://fleet-server.example.com:8220 + id: fleet-server-host-id-2 + is_default: false + is_preconfigured: false + name: My Fleet Server + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + 
- none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + - id + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - author: [] - created_at: '2020-10-06T07:07:58.227Z' - created_by: elastic - description: Detects a user associated with a new IP address - enabled: true - exceptions_list: [] - false_positives: [] - from: now-6m - history_window_start: now-30d - id: eb7225c0-566b-11ee-8b4f-bbf3afdeb9f4 - immutable: false - index: - - auditbeat* - interval: 5m - language: kuery - max_signals: 100 - name: New User IP Detected - new_terms_fields: - - user.id - - source.ip - query: '*' - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: user.id - type: keyword - - ecs: true - name: source.ip - type: ip - risk_score: 21 - risk_score_mapping: [] - rule_id: c6f5d0bc-7be9-47d4-b2f3-073d22641e30 - setup: '' - severity: medium - severity_mapping: [] - tags: [] - threat: [] - to: now - type: new_terms - updated_at: '2020-10-06T07:07:58.237Z' - updated_by: elastic - version: 1 - example7: - description: Example response for an Esql rule - summary: Esql rule response + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create a Fleet Server host + tags: + - Fleet Server hosts + x-metaTags: + - content: Kibana + name: product_name + 
/api/fleet/fleet_server_hosts/{itemId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-fleet-server-hosts-itemid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: itemId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + deleteFleetServerHostExample: + description: The Fleet Server host was successfully deleted value: - actions: [] - author: [] - created_at: '2023-10-18T10:55:14.269Z' - created_by: elastic - description: Find Excel events - enabled: false - exceptions_list: [] - false_positives: [] - from: now-360s - id: d0f20490-6da4-11ee-b85e-09e9b661f2e2 - immutable: false - interval: 5m - language: esql - max_signals: 100 - name: Find Excel events - output_index: '' - query: >- - from auditbeat-8.10.2 METADATA _id | where - process.parent.name == "EXCEL.EXE" - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: process.parent.name - type: keyword - revision: 0 - risk_score: 21 - risk_score_mapping: [] - rule_id: e4b53a89-debd-4a0d-a3e3-20606952e589 - setup: '' - severity: low - severity_mapping: [] - tags: [] - threat: [] - to: now - type: esql - updated_at: '2023-10-18T10:55:14.269Z' - updated_by: elastic - version: 1 + id: fleet-server-host-id-1 schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. 
- summary: Create a detection rule + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID + value: + error: Not Found + message: Fleet server fleet-server-host-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete a Fleet Server host tags: - - Security Detections API - put: - description: > - Update a detection rule using the `rule_id` or `id` field. The original - rule is replaced, and all unspecified fields are deleted. + - Fleet Server hosts + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** +
get /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
- The difference between the `id` and `rule_id` is that the `id` is a - unique rule identifier that is randomly generated when a rule is created - and cannot be set, whereas `rule_id` is a stable rule identifier that - can be assigned during rule creation. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > warn + Get a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-fleet-server-hosts-itemid + parameters: + - in: path + name: itemId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getFleetServerHostExample: + description: A Fleet Server host + value: + item: + host_urls: + - https://fleet-server.example.com:8220 + id: fleet-server-host-id-1 + is_default: true + is_preconfigured: false + name: Default Fleet Server + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + 
maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + - id + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID + value: + error: Not Found + message: Fleet server fleet-server-host-id-1 not found + statusCode: 404 + description: Not Found + summary: Get a Fleet Server host + tags: + - Fleet Server hosts + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. +
put /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - operationId: UpdateRule + Update a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-fleet-server-hosts-itemid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: itemId + required: true + schema: + type: string requestBody: content: application/json: examples: - example1: - summary: Update query rule - value: - description: A new description - id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 - name: A new name for the rule - risk_score: 22 - severity: medium - type: query - example2: - summary: Update EQL rule - value: - description: eql rule test - id: 9b684efb-acf9-4323-9bff-8335b3867d14 - index: - - apm-*-transaction* - language: eql - name: New name for EQL rule - query: process where process.name == "regsvr32.exe" - risk_score: 21 - severity: low - type: eql - example3: - summary: Update threshold rule - value: - description: Description of threat rule test - id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 - language: kuery - name: New name for threat rule - query: >- - agent.version : * and agent.id : - "243d9b4f-ca01-4311-8e5c-9abbee91afd8" - risk_score: 21 - severity: low - tags: - - new_tag - threshold: - cardinality: [] - field: [] - value: 400 - type: threshold - example4: - summary: Update new terms rule - value: - description: New description - history_window_start: now-7d - id: 569aac91-40dc-4807-a8ae-a2c8698089c4 - interval: 5m - name: New terms rule name - new_terms_fields: - - Endpoint.policy.applied.artifacts.global.identifiers.name - query: 'agent.version : "9.1.0"' - risk_score: 21 - severity: low - type: new_terms - example5: - summary: Update esql rule - value: - description: New description for esql rule - id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd - language: esql - name: New name for esql rule - query: > - FROM logs* - - | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) /* - MIN(dateField) finds the 
earliest timestamp in the dataset. - */ - - | EVAL event_rate = count / DATE_DIFF("seconds", - min_timestamp, NOW()) /* Calculates the event rate by - dividing the total count of events by the time difference - (in seconds) between the earliest event and the current - time. */ - - | KEEP event_rate - risk_score: 21 - severity: low - type: esql - example6: - summary: Update indicator match rule - value: - description: New description - id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd - name: New name for Indicator Match rule - query: source.ip:* or destination.ip:*\n - risk_score: 99 - severity: critical - threat_index: - - filebeat-* - - logs-ti_* - threat_mapping: - - entries: - - field: source.ip - type: mapping - value: threat.indicator.ip - - entries: - - field: destination.ip - type: mapping - value: threat.indicator.ip - threat_query: >- - @timestamp >= "now-30d/d" and event.module:(threatintel or - ti_*) and threat.indicator.ip:* and not - labels.is_ioc_transform_source:"true" - type: threat_match - example7: - summary: Update machine learning rule + putFleetServerHostRequestExample: + description: Update a Fleet Server host value: - anomaly_threshold: 50 - description: New description of ml rule - id: 60b13926-289b-41b1-a537-197ef1fa5059 - machine_learning_job_id: - - auth_high_count_logon_events_ea - name: New name of ml rule - risk_score: 21 - severity: low - type: machine_learning + host_urls: + - https://updated-fleet-server.example.com:8220 + is_default: false + name: Updated Fleet Server schema: - $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps' - description: > - > info - - > All unspecified fields are deleted. You cannot modify the `id` or - `rule_id` values. 
- required: true + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + is_default: + type: boolean + is_internal: + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - proxy_id responses: '200': content: application/json: examples: - example1: - summary: Example response for an updated rule + putFleetServerHostExample: + description: The updated Fleet Server host value: - actions: [] - created_at: '2020-04-07T14:51:09.755Z' - created_by: elastic - description: Updated description for the rule. 
- enabled: false - false_positives: [] - filters: - - query: null - from: now-70m - id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: Updated Rule Name - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - required_fields: - - name: process.parent.name - risk_score: 50 - rule_id: process_started_by_ms_office_program - setup: '' - severity: low - tags: - - child process - - ms office - threat: [] - to: now - type: query - updated_at: '2020-04-07T14:51:09.970Z' - updated_by: elastic - version: 2 + item: + host_urls: + - https://updated-fleet-server.example.com:8220 + id: fleet-server-host-id-1 + is_default: false + is_preconfigured: false + name: Updated Fleet Server schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. 
- summary: Update a detection rule + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + - id + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: 
object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID + value: + error: Not Found + message: Fleet server fleet-server-host-id-1 not found + statusCode: 404 + description: Not Found + summary: Update a Fleet Server host tags: - - Security Detections API - - Rules API - /api/detection_engine/rules/_bulk_action: + - Fleet Server hosts + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/health_check: post: - description: > - Apply a bulk action, such as bulk edit, duplicate, or delete, to - multiple detection rules. The bulk action is applied to all rules that - match the query or to the rules listed by their IDs. - - - The edit action allows you to add, delete, or set tags, index patterns, - investigation fields, rule actions and schedules for multiple rules at - once. - - The edit action is idempotent, meaning that if you add a tag to a rule - that already has that tag, no changes are made. The same is true for - other edit actions, for example removing an index pattern that is not - specified in a rule will not result in any changes. The only exception - is the `add_rule_actions` and `set_rule_actions` action, which is - non-idempotent. This means that if you add or set a rule action to a - rule that already has that action, a new action is created with a new - unique ID. + description: |- + **Spaces method and path for this operation:** - > warn - - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. +
post /s/{space_id}/api/fleet/health_check
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - operationId: PerformRulesBulkAction + Check the health status of a Fleet Server instance by its host ID. Returns the server status and name if available.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-health-check parameters: - - description: > - Enables dry run mode for the request call. - - - Enable dry run mode to verify that bulk actions can be applied to - specified rules. Certain rules, such as prebuilt Elastic rules on a - Basic subscription, can’t be edited and will return errors in the - request response. Error details will contain an explanation, the - rule name and/or ID, and additional troubleshooting information. - - - To enable dry run mode on a request, add the query parameter - `dry_run=true` to the end of the request URL. Rules specified in the - request will be temporarily updated. These updates won’t be written - to Elasticsearch. - - > info - - > Dry run mode is not supported for the `export` bulk action. A 400 - error will be returned in the request response. - in: query - name: dry_run - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - type: boolean - requestBody: - content: - application/json: - examples: - example01: - description: The following request activates all rules with the test tag. - summary: Enable - Enable all rules with the test tag - value: - action: enable - query: 'alert.attributes.tags: "test"' - example02: - description: The following request enables the rule with the specified ID. - summary: Enable - Enable a specific rule by ID. - value: - action: enable - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example03: - description: The following request disables the rule with the specified ID. - summary: Disable - Disable a specific rule by ID - value: - action: disable - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example04: - description: >- - The following request duplicates rules with the specified IDs, - including exceptions but not expired exceptions. 
- summary: Duplicate - Duplicate rules with specific IDs - value: - action: duplicate - duplicate: - include_exceptions: true - include_expired_exceptions: false - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - - 461a4c22-416e-4009-a9a7-cf79656454bf - example05: - description: The following request deletes the rule with the specified ID. - summary: Delete - Delete a specific rule by ID - value: - action: delete - ids: - - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 - example06: - description: >- - The following request runs the rule with the specified ID - within the given date range. - summary: Run - Run a specific rule by ID - value: - action: run - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - run: - end_date: '2025-03-10T23:59:59.999Z' - start_date: '2025-03-01T00:00:00.000Z' - example07: - description: >- - The following request exports the rules with the specified - IDs. - summary: Export - Export specific rules by ID - value: - action: export - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example08: - description: >- - The following request will validate that the - add_index_patterns bulk action can be successfully applied to - three rules. The dry_run parameter is specified in query - parameters, e.g. POST - api/detection_engine/rules/_bulk_action?dry_run=true - summary: Edit - dry run - Validate add_index_patterns bulk action - value: - action: edit - edit: - - type: add_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - - de8f5af0-0831-11ed-ac8b-05a222bd8d4a - example09: - description: >- - The following request adds the tag "tag-1" to the rules with - the specified IDs. If the tag already exists for a rule, no - changes are made. 
- summary: Edit - Add a tag to rules (idempotent) - value: - action: edit - edit: - - type: add_tags - value: - - tag-1 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example10: - description: >- - The following request adds two tags at the same time, tag-1 - and tag-2, to the rules that have the IDs sent in the payload. - If the tags already exist for a rule, no changes are made. - summary: Edit - Add two tags to rules (idempotent) - value: - action: edit - edit: - - type: add_tags - value: - - tag-1 - - tag-2 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example11: - description: >- - The following request removes the tag "tag-1" from the rules - with the specified IDs. If the tag does not exist for a rule, - no changes are made. - summary: Edit - Delete a tag from rules (idempotent) - value: - action: edit - edit: - - type: delete_tags - value: - - tag-1 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example12: - description: >- - The following request sets the tags "tag-1" and "tag-2" for - the rules with the specified IDs, overwriting any existing - tags. If the set of tags is the same as the existing tags, no - changes are made. - summary: Edit - Set (overwrite existing) tags for rules (idempotent) - value: - action: edit - edit: - - type: set_tags - value: - - tag-1 - - tag-2 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example13: - description: >- - The following request adds the index pattern "test-*" to the - rules with the specified IDs. If the index pattern already - exists for a rule, no changes are made. 
- summary: Edit - Add index patterns to rules (idempotent) - value: - action: edit - edit: - - type: add_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - example14: - description: >- - The following request removes the index pattern "test-*" from - the rules with the specified IDs. If the index pattern does - not exist for a rule, no changes are made. - summary: Edit - Remove index patterns from rules (idempotent) - value: - action: edit - edit: - - type: delete_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - example15: - description: >- - The following request sets the index patterns "test-*" and - "prod-*" for the rules with the specified IDs, overwriting any - existing index patterns. If the set of index patterns is the - same as the existing index patterns, no changes are made. - summary: >- - Edit - Set (overwrite existing) index patterns for rules - patterns (idempotent) - value: - action: edit - edit: - - type: set_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - example16: - description: >- - The following request adds investigation field to the rules - with the specified IDs. - summary: Edit - Add investigation field to rules - value: - action: edit - edit: - - type: add_investigation_fields - value: - field_names: - - alert.status - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example17: - description: >- - The following request deletes investigation fields from the - rules with the specified IDs. If the field does not exist for - a rule, no changes are made. 
- summary: Edit - Delete investigation fields from rules (idempotent) - value: - action: edit - edit: - - type: delete_investigation_fields - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - value: - - field1 - - field2 - example18: - description: >- - The following request sets investigation fields for the rules - with the specified IDs, overwriting any existing investigation - fields. If the set of investigation fields is the same as the - existing investigation fields, no changes are made. - summary: >- - Edit - Set (overwrite existing) investigation fields for rules - (idempotent) - value: - action: edit - edit: - - type: set_investigation_fields - value: - - field1 - - field2 - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example19: - description: >- - The following request sets a timeline template for the rules - with the specified IDs. If the same timeline template is - already set for a rule, no changes are made. - summary: >- - Edit - Set (overwrite existing) timeline template for rules - (idempotent) - value: - action: edit - edit: - - type: set_timeline - value: - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - ids: - - eacdfc95-e007-41c9-986e-4b2cbdfdc71b - example20: - description: >- - The following request sets a schedule for the rules with the - specified IDs. If the same schedule is already set for a rule, - no changes are made. - summary: >- - Edit - Set (overwrite existing) schedule for rules - (idempotent) - value: - action: edit - edit: - - type: set_schedule - value: - interval: 1h - lookback: 30m - ids: - - 99887766-5544-3322-1100-aabbccddeeff - example21: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. 
- summary: Edit - Add rule actions to rules (non-idempotent) - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: The message body - ids: - - 9e946bfc-3118-4c77-bb25-67d781191928 - example22: - description: >- - The following request sets rule actions for the rules with the - specified IDs. Each action receives its own unique ID. - summary: >- - Edit - Set (overwrite existing) rule actions for rules - (non-idempotent) - value: - action: edit - edit: - - type: set_rule_actions - value: - actions: - - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: The message body - ids: - - 9e946bfc-3118-4c77-bb25-67d781191928 - example23: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a webhook connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: The message body - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example24: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for an email connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - message: The message body - subject: Subject - to: address@domain.com - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example25: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. 
- summary: Edit - Add rule actions to rules for a slack connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - message: The content of the message - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example26: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a PagerDuty connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - eventAction: trigger - severity: critical - summary: The message body - timestamp: 2023-10-31T00:00:00.000Z - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example27: - description: >- - The following request set alert suppression to the rules with - the specified IDs. - summary: Edit - Set alert suppression to rules (idempotent) - value: - action: edit - edit: - - type: set_alert_suppression - value: - duration: - unit: h - value: 1 - group_by: - - source.ip - missing_fields_strategy: suppress - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example28: - description: >- - The following request set alert suppression to threshold rules - with the specified IDs. - summary: Edit - Set alert suppression to threshold rules (idempotent) - value: - action: edit - edit: - - type: set_alert_suppression_for_threshold - value: - duration: - unit: h - value: 1 - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example29: - description: >- - The following request removes alert suppression from the rules - with the specified IDs. If the rules do not have alert - suppression, no changes are made. 
- summary: Edit - Removes alert suppression from rules (idempotent) - value: - action: edit - edit: - - type: delete_alert_suppression - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example30: - description: >- - The following request triggers the filling of gaps for the - specified rule ids and time range - summary: >- - Fill Gaps - Manually trigger the filling of gaps for specified - rules - value: - action: fill_gaps - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - - 164d0918-f720-4c9f-9f5c-c5122587cf19 - run: - end_date: '2025-03-10T23:59:59.999Z' - start_date: '2025-03-01T00:00:00.000Z' + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postHealthCheckRequestExample: + description: Check the health of a Fleet Server instance by its host ID + value: + id: fleet-server-host-id-1 schema: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' - - $ref: >- - #/components/schemas/Security_Detections_API_BulkDisableRules - - $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules' - - $ref: '#/components/schemas/Security_Detections_API_BulkExportRules' - - $ref: >- - #/components/schemas/Security_Detections_API_BulkDuplicateRules - - $ref: >- - #/components/schemas/Security_Detections_API_BulkManualRuleRun - - $ref: >- - #/components/schemas/Security_Detections_API_BulkManualRuleFillGaps - - $ref: '#/components/schemas/Security_Detections_API_BulkEditRules' + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id responses: '200': content: application/json: examples: - example01: - description: >- - In this response one rule was updated and one was skipped. - Objects returned in attributes.results.skipped will only - include rules' id, name, and skip_reason. 
- summary: Successful response + postHealthCheckHealthyExample: + description: Fleet Server is online and healthy value: - attributes: - results: - created: [] - deleted: [] - skipped: - - id: 51658332-a15e-4c9e-912a-67214e2e2359 - name: Skipped rule - skip_reason: RULE_NOT_MODIFIED - updated: - - anomaly_threshold: 50 - author: - - Elastic - created_at: '2022-02-21T14:14:13.801Z' - created_by: elastic - description: >- - A machine learning job detected unusually large - numbers of DNS queries for a single top-level DNS - domain, which is often used for DNS tunneling. DNS - tunneling can be used for command-and-control, - persistence, or data exfiltration activity. For - example, dnscat tends to generate many DNS - questions for a top-level domain as it uses the - DNS protocol to tunnel data. - enabled: true - exceptions_list: [] - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: >- - This rule attempted to query data from - Elasticsearch indices listed in the "Index - pattern" section of the rule definition, but - no matching index was found. - metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: - - >- - DNS domains that use large numbers of child - domains, such as software or content - distribution networks, can trigger this alert - and such parent domains can be excluded. 
- from: now-45m - id: 8bc7dad0-9320-11ec-9265-8b772383a08d - immutable: false - interval: 15m - license: Elastic License v2 - machine_learning_job_id: - - packetbeat_dns_tunneling_ea - max_signals: 100 - name: DNS Tunneling [Duplicate] - references: - - >- - https://www.elastic.co/docs/reference/machine-learning/ootb-ml-jobs-siem - related_integrations: [] - required_fields: [] - risk_score: 21 - risk_score_mapping: [] - rule_id: 7289bf08-4e91-4c70-bf01-e04c4c5d7756 - setup: '' - severity: low - severity_mapping: [] - tags: - - Elastic - - Network - - Threat Detection - - ML - threat: [] - to: now - type: machine_learning - updated_at: '2022-02-21T17:05:50.883Z' - updated_by: elastic - version: 6 - summary: - failed: 0 - skipped: 1 - succeeded: 1 - total: 2 - rules_count: 1 - success: true - example02: - description: >- - If processing of any rule fails, a partial error outputs the - ID and/or name of the affected rule and the corresponding - error, as well as successfully processed rules (in the same - format as a successful 200 request). - summary: Partial failure + name: fleet-server-1 + status: ONLINE + postHealthCheckUnreachableExample: + description: Fleet Server host is not reachable (request timed out or aborted) value: - value: - attributes: - errors: - - message: >- - Index patterns can't be added. Machine learning - rule doesn't have index patterns property - rules: - - id: 8bc7dad0-9320-11ec-9265-8b772383a08d - name: DNS Tunneling [Duplicate] - status_code: 500 - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: [] - author: - - Elastic - created_at: '2022-02-21T14:14:17.883Z' - created_by: elastic - description: >- - Generates a detection alert for each external - alert written to the configured indices. - Enabling this rule allows you to immediately - begin investigating external alerts in the app. 
- enabled: true - exceptions_list: [] - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: >- - This rule attempted to query data from - Elasticsearch indices listed in the "Index - pattern" section of the rule definition, but - no matching index was found. - metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: [] - from: now-6m - id: 8e5c1a40-9320-11ec-9265-8b772383a08d - immutable: false - index: - - apm-*-transaction* - - traces-apm* - - auditbeat-* - - filebeat-* - - logs-* - - packetbeat-* - - winlogbeat-* - - added-by-id-* - interval: 5m - language: kuery - license: Elastic License v2 - max_signals: 10000 - name: External Alerts [Duplicate] - query: > - event.kind:alert and not event.module:(endgame - or endpoint) - references: [] - related_integrations: [] - required_fields: [] - risk_score: 47 - risk_score_mapping: - - field: event.risk_score - operator: equals - value: '' - rule_id: 941faf98-0cdc-4569-b16d-4af962914d61 - rule_name_override: message - setup: '' - severity: medium - severity_mapping: - - field: event.severity - operator: equals - severity: low - value: '21' - - field: event.severity - operator: equals - severity: medium - value: '47' - - field: event.severity - operator: equals - severity: high - value: '73' - - field: event.severity - operator: equals - severity: critical - value: '99' - tags: - - Elastic - - Network - - Windows - - APM - - macOS - - Linux - threat: [] - timestamp_override: event.ingested - to: now - type: query - updated_at: '2022-02-21T16:56:22.818Z' - updated_by: elastic - version: 5 - summary: - failed: 1 - skipped: 0 - succeeded: 1 - total: 2 - message: Bulk edit partially failed - rules_count: 2 - status_code: 500 - success: false - example03: - description: >- - The attributes.errors section of the response shows that two - rules failed to update and one succeeded. 
The same results - would be returned if you ran the request without dry run - mode enabled. Notice that there are no arrays in - attributes.results. In dry run mode, rule updates are not - applied and saved to Elasticsearch, so the endpoint wouldn’t - return results for rules that have been updated, created, or - deleted. - summary: Dry run + host_id: fleet-server-host-id-1 + status: OFFLINE + schema: + additionalProperties: false + type: object + properties: + host_id: + type: string + name: + type: string + status: + type: string + required: + - status + description: Successful health check response + '400': + content: + application/json: + examples: + badRequestExample: + description: The host ID exists but has no associated host URLs configured value: - attributes: - errors: - - err_code: IMMUTABLE - message: Elastic rule can't be edited - rules: - - id: 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - name: Unusual AWS Command for a User - status_code: 500 - - err_code: MACHINE_LEARNING_INDEX_PATTERN - message: Machine learning rule doesn't have index patterns - rules: - - id: dc015d10-0831-11ed-ac8b-05a222bd8d4a - name: Suspicious Powershell Script [Duplicate] - status_code: 500 - results: - created: [] - deleted: [] - skipped: [] - updated: [] - summary: - failed: 2 - skipped: 0 - succeeded: 1 - total: 3 - message: Bulk edit partially failed - status_code: 500 - example04: - description: >- - This example presents the successful setting of tags for 2 - rules. There was a difference between the set of tags that - were being added and the tags that were already set in the - rules, that's why the rules were updated. - summary: Set tags successsully for 2 rules + error: Bad Request + message: The requested host id fleet-server-host-id-1 does not have associated host urls. 
+ statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID value: - attributes: - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: [] - author: [] - created_at: '2025-03-25T11:46:41.899Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-6m - id: 738112cd-6cfa-414a-8457-2a658845d6ba - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 5m - language: kuery - license: '' - max_signals: 100 - meta: - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Rule 1 - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 1 - risk_score: 21 - risk_score_mapping: [] - rule_id: 6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - threat: [] - to: now - type: query - updated_at: '2025-03-25T11:47:11.350Z' - updated_by: elastic - version: 2 - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: Hello - uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 - author: [] - created_at: '2025-03-25T09:49:08.343Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-360s - id: 
eacdfc95-e007-41c9-986e-4b2cbdfdc71b - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 3m - investigation_fields: - field_names: - - alert.status - - >- - Endpoint.policy.applied.artifacts.global.channel - language: kuery - license: '' - max_signals: 100 - meta: - from: 3m - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Rule 2 - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 33 - risk_score: 21 - risk_score_mapping: [] - rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - threat: [] - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - to: now - type: query - updated_at: '2025-03-25T11:47:11.357Z' - updated_by: elastic - version: 24 - summary: - failed: 0 - skipped: 0 - succeeded: 2 - total: 2 - rules_count: 2 - success: true - example05: - description: >- - This example presents the idempotent behavior of the edit - action with set_tags request. Both rules already had exactly - the same tags that were being added, so no changes were made - in any of them. - summary: Idempotent behavior of set_tags + error: Not Found + message: The requested host id fleet-server-host-id-1 does not exist. 
+ statusCode: 404 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Not Found + summary: Check Fleet Server health + tags: + - Fleet internals + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/kubernetes: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/kubernetes
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the Kubernetes manifest for deploying Elastic Agent.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. + operationId: get-fleet-kubernetes + parameters: + - in: query + name: download + required: false + schema: + type: boolean + - in: query + name: fleetServer + required: false + schema: + type: string + - in: query + name: enrolToken + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getK8sManifestExample: + description: The Kubernetes manifest for deploying Elastic Agent + value: + item: 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n' + schema: + additionalProperties: false + type: object + properties: + item: + type: string + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get a full K8s agent manifest + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/kubernetes/download: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/kubernetes/download
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Download the Kubernetes manifest for deploying Elastic Agent.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. + operationId: get-fleet-kubernetes-download + parameters: + - in: query + name: download + required: false + schema: + type: boolean + - in: query + name: fleetServer + required: false + schema: + type: string + - in: query + name: enrolToken + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getDownloadK8sManifestExample: + description: The Kubernetes manifest download + value: 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n' + schema: + type: string + description: Successful response — returns the Kubernetes manifest as a YAML file download + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No manifest was found + value: + error: Not Found + message: Agent manifest not found + statusCode: 404 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Not Found + summary: Download an agent manifest + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/logstash_api_keys: + post: + description: |- + **Spaces method and path 
for this operation:** + +
post /s/{space_id}/api/fleet/logstash_api_keys
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Generate an API key for Logstash to use with a Fleet output.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-logstash-api-keys + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + responses: + '200': + content: + application/json: + examples: + postLogstashApiKeyExample: + description: The generated Logstash API key value: - attributes: - results: - created: [] - deleted: [] - skipped: - - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - name: Rule 1 - skip_reason: RULE_NOT_MODIFIED - - id: 738112cd-6cfa-414a-8457-2a658845d6ba - name: Rule 2 - skip_reason: RULE_NOT_MODIFIED - updated: [] - summary: - failed: 0 - skipped: 2 - succeeded: 0 - total: 2 - rules_count: 2 - success: true - example06: - description: >- - This example presents the idempotent behavior of the edit - action with add_tags request. One rule was updated and one - was skipped. The rule that was skipped already had all the - tags that were being added. 
- summary: Idempotent behavior of add_tags + api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA + schema: + additionalProperties: false + type: object + properties: + api_key: + type: string + required: + - api_key + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - attributes: - results: - created: [] - deleted: [] - skipped: - - id: 738112cd-6cfa-414a-8457-2a658845d6ba - name: Test Rule 2 - skip_reason: RULE_NOT_MODIFIED - updated: - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: Hello - uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 - author: [] - created_at: '2025-03-25T09:49:08.343Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-360s - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 3m - investigation_fields: - field_names: - - alert.status - - >- - Endpoint.policy.applied.artifacts.global.channel - language: kuery - license: '' - max_signals: 100 - meta: - from: 3m - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Test rule - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 34 - risk_score: 21 - risk_score_mapping: [] - rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - - tag-4 - threat: [] - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - to: now - type: query - updated_at: 
'2025-03-25T11:55:12.752Z' - updated_by: elastic - version: 25 - summary: - failed: 0 - skipped: 1 - succeeded: 1 - total: 2 - rules_count: 2 - success: true - example07: - description: >- - This example shows a non-idempotent nature of the - set_rule_actions requests. Regardless if the actions are the - same as the existing actions for a rule, the actions are - always set in the rule and receive a new unique ID. - summary: Non-idempotent behavior for set_rule_actions + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Generate a Logstash API key + tags: + - Fleet outputs + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/message_signing_service/rotate_key_pair: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/message_signing_service/rotate_key_pair
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rotate the key pair used by Fleet to sign messages sent to Elastic Agents. This operation is irreversible and requires all agents in the Fleet to be re-enrolled after rotation. You must explicitly acknowledge the risk by passing `acknowledge=true` as a query parameter.

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. + operationId: post-fleet-message-signing-service-rotate-key-pair + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: query + name: acknowledge + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + rotateKeyPairSuccessExample: + description: The key pair was rotated. All agents must be re-enrolled to receive the new signing key. value: - attributes: - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: Hello - uuid: e48428e5-efac-4856-b8ad-b271c14eaa91 - author: [] - created_at: '2025-03-25T09:49:08.343Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-360s - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 3m - investigation_fields: - field_names: - - alert.status - - >- - Endpoint.policy.applied.artifacts.global.channel - language: kuery - license: '' - max_signals: 100 - meta: - from: 3m - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Test rule - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 39 - risk_score: 21 - risk_score_mapping: [] - rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - - 
tag-4 - threat: [] - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - to: now - type: query - updated_at: '2025-03-25T12:17:40.528Z' - updated_by: elastic - version: 30 - summary: - failed: 0 - skipped: 0 - succeeded: 1 - total: 1 - rules_count: 1 - success: true - example08: - description: >- - This example shows a non-idempotent nature of the - add_rule_actions requests. Regardless if the added action is - the same as another existing action for a rule, the new - action is added to the rule and receives a new unique ID. - summary: Non-idempotent behavior for add_rule_actions + message: Key pair rotated successfully. + schema: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Key pair rotated successfully + '400': + content: + application/json: + examples: + acknowledgeRequiredExample: + description: Request was rejected because the acknowledge query parameter was not set to true value: - attributes: - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 - params: - body: Message body - uuid: 0309347e-3954-429c-9168-5da2663389af - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 - params: - body: Message body - uuid: 49ddaa94-d63d-410e-90dc-8c1bad9552bd - author: [] - created_at: '2025-04-02T12:42:03.400Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-6m - id: 0d3eb0cd-88c4-4651-ac87-6d9f0cb87217 - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - 
'-*elastic-cloud-logs-*' - interval: 5m - language: kuery - license: '' - max_signals: 100 - meta: - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Jacek test rule - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 2 - risk_score: 21 - risk_score_mapping: [] - rule_id: 2684c020-1370-4719-ac27-eafe6428fe10 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: [] - threat: [] - to: now - type: query - updated_at: '2025-04-02T12:51:40.215Z' - updated_by: elastic - version: 2 - summary: - failed: 0 - skipped: 0 - succeeded: 1 - total: 1 - rules_count: 1 - success: true + error: Bad Request + message: 'Warning: this API will cause a key pair to rotate and should not be necessary in normal operation. If you proceed, you may need to reinstall Agents in your network. You must acknowledge the risks of rotating the key pair with acknowledge=true in the request parameters. For more information, reach out to your administrator.' + statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_BulkEditActionResponse - - $ref: >- - #/components/schemas/Security_Detections_API_BulkExportActionResponse - description: OK - summary: Apply a bulk action to detection rules + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '500': + content: + application/json: + examples: + serviceUnavailableExample: + description: The message signing service is not available + value: + error: Internal Server Error + message: Failed to rotate key pair. Message signing service is unavailable! 
+ statusCode: 500 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Internal Server Error + summary: Rotate a Fleet message signing key pair + tags: + - Message Signing Service + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/outputs: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/outputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet outputs.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read. + operationId: get-fleet-outputs + parameters: [] + responses: + '200': + content: + application/json: + examples: + getOutputsExample: + description: List of Fleet outputs + value: + items: + - hosts: + - https://elasticsearch.example.com:9200 + id: output-id-1 + is_default: true + is_default_monitoring: true + name: Default output + type: elasticsearch + page: 1 + perPage: 20 + total: 1 + schema: + additionalProperties: false + type: object + properties: + items: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get outputs + tags: + - Fleet outputs + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/outputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Fleet output.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-outputs + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postOutputRequestExample: + description: Create a new Elasticsearch output + value: + hosts: + - https://elasticsearch.example.com:9200 + is_default: false + is_default_monitoring: false + name: My output + type: elasticsearch + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_kafka' + responses: + '200': + content: + application/json: + examples: + postOutputExample: + description: The created Fleet output + value: + item: + hosts: + - https://elasticsearch.example.com:9200 + id: output-id-2 + is_default: false + is_default_monitoring: false + name: My output + type: elasticsearch + schema: + additionalProperties: false + type: object + properties: + item: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + 
errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create output tags: - - Security Detections API - - Bulk API - /api/detection_engine/rules/_export: - post: - description: > - Export detection rules to an `.ndjson` file. The following configuration - items are also included in the `.ndjson` file: - - - Actions - - - Exception lists + - Fleet outputs + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/outputs/{outputId}: + delete: + description: |- + **Spaces method and path for this operation:** - > info +
delete /s/{space_id}/api/fleet/outputs/{outputId}
- > Rule actions and connectors are included in the exported file, but - sensitive information about the connector (such as authentication - credentials) is not included. You must re-add missing connector details - after importing detection rules. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + Delete output by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-outputs-outputid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: outputId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + deleteOutputExample: + description: The output was successfully deleted + value: + id: output-id-1 + schema: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No output was found with the given ID + value: + error: Not Found + message: Output output-id-1 not found + statusCode: 404 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Not Found + summary: Delete output + tags: + - Fleet outputs + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** - > You can use Kibana’s [Saved - 
Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) - UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs - (experimental) to - [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) - and - [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) - any necessary connectors before importing detection rules. +
get /s/{space_id}/api/fleet/outputs/{outputId}
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > Similarly, any value lists used for rule exceptions are not included - in rule exports or imports. Use the [Manage value - lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) - UI (Rules → Detection rules (SIEM) → Manage value lists) to export and - import value lists separately. - operationId: ExportRules + Get output by ID.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read. + operationId: get-fleet-outputs-outputid parameters: - - description: Determines whether a summary of the exported rules is returned. - in: query - name: exclude_export_details - required: false + - in: path + name: outputId + required: true schema: - default: false - type: boolean - - description: > - File name for saving the exported rules. + type: string + responses: + '200': + content: + application/json: + examples: + getOutputExample: + description: A Fleet output + value: + item: + hosts: + - https://elasticsearch.example.com:9200 + id: output-id-1 + is_default: true + is_default_monitoring: true + name: Default output + type: elasticsearch + schema: + additionalProperties: false + type: object + properties: + item: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No output was found with the given ID + value: + error: Not Found + message: Output output-id-1 not found + statusCode: 404 + description: Not Found + summary: Get output + tags: + - Fleet 
outputs + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** - > info +
put /s/{space_id}/api/fleet/outputs/{outputId}
- > When using cURL to export rules to a file, use the -O and -J - options to save the rules to the file name specified in the URL. - in: query - name: file_name - required: false + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update output by ID.

[Required authorization] Route required privileges: fleet-settings-all OR fleet-agent-policies-all. + operationId: put-fleet-outputs-outputid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: outputId + required: true schema: - default: export.ndjson type: string requestBody: content: application/json: examples: - exportByRuleIds: - summary: Request body to export a subset of rules + putOutputRequestExample: + description: Update a Fleet output value: - objects: - - rule_id: 343580b5-c811-447c-8d2d-2ccf052c6900 - - rule_id: 2938c9fa-53eb-4c04-b79c-33cbf041b18d + hosts: + - https://updated-elasticsearch.example.com:9200 + name: Updated output schema: - nullable: true - type: object - properties: - objects: - description: >- - Array of objects with a rule's `rule_id` field. Do not use - rule's `id` here. Exports all rules when unspecified. - items: - type: object - properties: - rule_id: - $ref: >- - #/components/schemas/Security_Detections_API_RuleSignatureId - required: - - rule_id - type: array - required: - - objects - required: false + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_kafka' responses: '200': content: - application/ndjson: + application/json: examples: - sampleNdjson: - value: > - {"rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900","name":"Example - rule","type":"query","enabled":true} - - {"exception_list":true} - - {"export_summary":{"total_rules":1,"exceptions_count":0}} + putOutputExample: + description: The updated Fleet output + value: + item: + hosts: + - https://updated-elasticsearch.example.com:9200 + id: output-id-1 + is_default: true + 
is_default_monitoring: true + name: Updated output + type: elasticsearch schema: - description: > - An `.ndjson` file containing the returned rules. - - - Each line in the file represents an object (a rule, exception - list parent container, or exception list item), and the last - line includes a summary of what was exported. - format: binary - type: string - description: Indicates a successful call. - summary: Export detection rules + additionalProperties: false + type: object + properties: + item: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No output was found with the given ID + value: + error: Not Found + message: Output output-id-1 not found + statusCode: 404 + description: Not Found + summary: Update output tags: - - Security Detections API - - Import/Export API - x-codeSamples: - - lang: cURL - source: > - curl -X POST - "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" - -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' - - { - "objects": [ - { - 
"rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900" - }, - { - "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d" - } - ] - } - /api/detection_engine/rules/_find: + - Fleet outputs + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/outputs/{outputId}/health: get: - description: >- - Retrieve a paginated list of detection rules. By default, the first page - is returned, with 20 results per page. - operationId: FindRules - parameters: - - description: > - List of `alert.attributes` field names to return for each rule (for - example `name`, `enabled`). - - If omitted, the default field set is returned. Repeat the parameter - to pass multiple field names, or - - use comma-separated values when supported by your client. - in: query - name: fields - required: false - schema: - items: - type: string - type: array - - description: > - Search query - - - Filters the returned results according to the value of the specified - field, using the alert.attributes.: syntax, - where can be: - - - name - - - enabled + description: |- + **Spaces method and path for this operation:** - - tags +
get /s/{space_id}/api/fleet/outputs/{outputId}/health
- - createdBy + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - interval + Get the latest health status of an output by ID.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-outputs-outputid-health + parameters: + - in: path + name: outputId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getOutputHealthExample: + description: The latest health status of a Fleet output + value: + message: '' + state: HEALTHY + timestamp: '2024-01-15T10:00:00.000Z' + schema: + additionalProperties: false + type: object + properties: + message: + description: long message if unhealthy + type: string + state: + description: state of output, HEALTHY or DEGRADED + type: string + timestamp: + description: timestamp of reported state + type: string + required: + - state + - message + - timestamp + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get the latest output health + tags: + - Fleet outputs + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/package_policies: + get: + description: |- + **Spaces method and path for this operation:** - - updatedBy +
get /s/{space_id}/api/fleet/package_policies
- > info + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > Even though the JSON rule object uses created_by and updated_by - fields, you must use createdBy and updatedBy fields in the filter. - in: query - name: filter + List all package policies. + operationId: get-fleet-package-policies + parameters: + - in: query + name: page required: false schema: - type: string - - description: Field to sort by - in: query - name: sort_field + type: number + - in: query + name: perPage required: false schema: - $ref: '#/components/schemas/Security_Detections_API_FindRulesSortField' - - description: Sort order - in: query - name: sort_order + type: number + - in: query + name: sortField required: false schema: - $ref: '#/components/schemas/Security_Detections_API_SortOrder' - - description: Page number - in: query - name: page + type: string + - in: query + name: sortOrder required: false schema: - default: 1 - minimum: 1 - type: integer - - description: Rules per page - in: query - name: per_page + enum: + - desc + - asc + type: string + - in: query + name: showUpgradeable required: false schema: - default: 20 - minimum: 0 - type: integer - - description: Gaps range start - in: query - name: gaps_range_start + type: boolean + - in: query + name: kuery required: false schema: type: string - - description: Gaps range end - in: query - name: gaps_range_end + - in: query + name: format required: false schema: + enum: + - simplified + - legacy type: string - - description: Gap fill statuses - in: query - name: gap_fill_statuses - required: false - schema: - items: - $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' - type: array - - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules - in: query - name: gap_auto_fill_scheduler_id + - in: query + name: withAgentCount required: false schema: - type: string + type: boolean responses: '200': content: application/json: examples: 
- example1: + getPackagePoliciesExample: + description: List of package policies value: - data: - - created_at: '2020-02-02T10:05:19.613Z' - created_by: elastic - description: >- - Identifies a PowerShell process launched by either - cscript.exe or wscript.exe. Observing Windows - scripting processes executing a PowerShell script, may - be indicative of malicious activity. - enabled: false - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: >- - This rule attempted to query data from - Elasticsearch indices listed in the "Index - pattern" section of the rule definition, but no - matching index was found. - metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: [] - from: now-6m - id: 89761517-fdb0-4223-b67b-7621acc48f9e - immutable: true - index: - - winlogbeat-* - interval: 5m - language: kuery - max_signals: 33 - name: Windows Script Executing PowerShell - query: >- - event.action:"Process Create (rule: ProcessCreate)" - and process.parent.name:("wscript.exe" or - "cscript.exe") and process.name:"powershell.exe" - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: event.action - type: keyword - - ecs: true - name: process.name - type: keyword - - ecs: true - name: process.parent.name - type: keyword - risk_score: 21 - rule_id: f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc - setup: '' - severity: low - tags: - - Elastic - - Windows - threat: - - framework: MITRE ATT&CK - tactic: - id: TA0002 - name: Execution - reference: https://attack.mitre.org/tactics/TA0002/ - technique: - - id: T1193 - name: Spearphishing Attachment - reference: https://attack.mitre.org/techniques/T1193/ - to: now - type: query - updated_at: '2020-02-02T10:05:19.830Z' - updated_by: elastic + items: + - created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] 
+ name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' page: 1 - perPage: 5 - total: 4 + perPage: 20 + total: 1 schema: + additionalProperties: false type: object properties: - data: + items: items: - $ref: >- - #/components/schemas/Security_Detections_API_RuleResponse + additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + id: + description: Package policy unique identifier. 
+ type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + 
release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). 
+ type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. 
+ is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. 
+ type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. 
+ type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by + maxItems: 10000 type: array page: - type: integer + type: number perPage: - type: integer + type: number total: - type: integer - warnings: - items: - $ref: >- - #/components/schemas/Security_Detections_API_WarningSchema - type: array + type: number required: + - items + - total - page - perPage - - total - - data - description: > - Successful response - - > info - - > These fields are under development and their usage or schema may - change: execution_summary. - summary: List all detection rules + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get package policies tags: - - Security Detections API - - Rules API - x-codeSamples: - - lang: cURL - source: > - curl -X GET - "localhost:5601/api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows" - -H 'kbn-xsrf: true' - /api/detection_engine/rules/_import: + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name post: - description: > - Import detection rules from an `.ndjson` file, including actions and - exception lists. The request must include: - - - The `Content-Type: multipart/form-data` HTTP header. - - - A link to the `.ndjson` file containing the rules. 
- - > warn - - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. - - - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - - > info + description: |- + **Spaces method and path for this operation:** - > To import rules with actions, you need at least Read privileges for - the Action and Connectors feature. To overwrite or add new connectors, - you need All privileges for the Actions and Connectors feature. To - import rules without actions, you don’t need Actions and Connectors - privileges. Refer to [Enable and access - detections](https://www.elastic.co/docs/solutions/security/detect-and-alert/detections-privileges) - for more information. +
post /s/{space_id}/api/fleet/package_policies
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > info - - > Rule actions and connectors are included in the exported file, but - sensitive information about the connector (such as authentication - credentials) is not included. You must re-add missing connector details - after importing detection rules. - - - > You can use Kibana’s [Saved - Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) - UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs - (experimental) to - [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) - and - [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) - any necessary connectors before importing detection rules. - - - > Similarly, any value lists used for rule exceptions are not included - in rule exports or imports. Use the [Manage value - lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) - UI (Rules → Detection rules (SIEM) → Manage value lists) to export and - import value lists separately. - operationId: ImportRules + Create a new package policy and assign it to an agent policy. + operationId: post-fleet-package-policies parameters: - - description: >- - Determines whether existing rules with the same `rule_id` are - overwritten. - in: query - name: overwrite - required: false - schema: - default: false - type: boolean - - description: >- - Determines whether existing exception lists with the same `list_id` - are overwritten. Both the exception list container and its items are - overwritten. - in: query - name: overwrite_exceptions - required: false - schema: - default: false - type: boolean - - description: >- - Determines whether existing actions with the same - `kibana.alert.rule.actions.id` are overwritten. 
- in: query - name: overwrite_action_connectors - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - default: false - type: boolean - - description: Generates a new list ID for each imported exception list. - in: query - name: as_new_list + example: 'true' + type: string + - in: query + name: format required: false schema: - default: false - type: boolean + enum: + - simplified + - legacy + type: string requestBody: content: - multipart/form-data: + application/json: examples: - rulesFile: - summary: Multipart part containing a rule export + postPackagePolicyRequestExample: + description: Create a new nginx package policy value: - file: rules_import.ndjson + inputs: {} + name: nginx-1 + namespace: default + package: + name: nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 schema: - type: object - properties: - file: - description: The `.ndjson` file containing the rules. - format: binary - type: string - required: true + anyOf: + - additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + description: + description: Package policy description + type: string + enabled: + type: boolean + force: + description: Force package policy creation even if the package is not verified, or if the agent policy is managed. 
+ type: boolean + id: + description: Package policy unique identifier + type: string + inputs: + items: + additionalProperties: false + type: object + properties: + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + 
migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + maxItems: 1000 + type: array + is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + deprecated: true + description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - name + - inputs + - additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 100 + nullable: true + type: array + description: + description: Policy description. + type: string + force: + description: Force package policy creation even if the package is not verified, or if the agent policy is managed. + type: boolean + id: + description: Policy unique identifier. + type: string + inputs: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). + type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + name: + description: Unique name for the policy. + type: string + namespace: + description: Policy namespace. When not specified, it inherits the agent policy namespace. 
+ type: string + output_id: + nullable: true + type: string + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + policy_id: + deprecated: true + description: Deprecated. Use policy_ids instead. + nullable: true + type: string + policy_ids: + description: IDs of the agent policies which that package policy will be added to. + items: + type: string + maxItems: 1000 + type: array + supports_agentless: + default: false + deprecated: true + description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. + nullable: true + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. 
+ type: object + required: + - name + - package + description: You should use inputs as an object and not use the deprecated inputs array. responses: '200': content: application/json: examples: - example1: - summary: Import rules with success + postPackagePolicyExample: + description: The created package policy value: - errors: [] - exceptions_errors: [] - exceptions_success: true - exceptions_success_count: 0 - rules_count: 1 - success: true - success_count: 1 + item: + created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-2 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' schema: additionalProperties: false type: object properties: - action_connectors_errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - action_connectors_success: - type: boolean - action_connectors_success_count: - minimum: 0 - type: integer - action_connectors_warnings: - items: - $ref: >- - #/components/schemas/Security_Detections_API_WarningSchema - type: array - errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - exceptions_errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - exceptions_success: - type: boolean - exceptions_success_count: - minimum: 0 - type: integer - rules_count: - minimum: 0 - type: integer - success: - type: boolean - success_count: - minimum: 0 - type: integer + item: + additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. 
+ nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + id: + description: Package policy unique identifier. + type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: 
object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). + type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. 
Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. + is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. 
Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. + type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by required: - - exceptions_success - - exceptions_success_count - - exceptions_errors - - rules_count - - success - - success_count - - errors - - action_connectors_errors - - action_connectors_warnings - - action_connectors_success - - action_connectors_success_count - description: Indicates a successful call. 
- summary: Import detection rules + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '409': + content: + application/json: + examples: + conflictExample: + description: A package policy with the same name already exists + value: + error: Conflict + message: An error message describing what went wrong + statusCode: 409 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Conflict + summary: Create a package policy tags: - - Security Detections API - - Import/Export API - x-codeSamples: - - lang: cURL - source: | - curl -X POST "/api/detection_engine/rules/_import" - -u : -H 'kbn-xsrf: true' - -H 'Content-Type: multipart/form-data' - --form "file=@" - /api/detection_engine/rules/{id}/exceptions: + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/package_policies/_bulk_get: post: - description: Create exception items that apply to a single detection rule. - operationId: CreateRuleExceptionListItems + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/package_policies/_bulk_get
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get multiple package policies by ID. + operationId: post-fleet-package-policies-bulk-get parameters: - - description: Detection rule's identifier - examples: - id: - value: 330bdd28-eedf-40e1-bed0-f10176c7f9e0 - in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Exceptions_API_RuleId' + example: 'true' + type: string + - in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string requestBody: content: application/json: examples: - addItems: + postBulkGetPackagePoliciesRequestExample: + description: Retrieve multiple package policies by ID value: - items: - - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - type: simple + ids: + - package-policy-id-1 + - package-policy-id-2 schema: - example: - items: - - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - type: simple + additionalProperties: false type: object properties: - items: + ids: + description: list of package policy ids items: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps + type: string + maxItems: 1000 type: array + ignoreMissing: + type: boolean required: - - items - description: Rule exception items. - required: true + - ids responses: '200': content: application/json: examples: - ruleExceptionItems: + postBulkGetPackagePoliciesExample: + description: The requested package policies value: - - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic + items: + - created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' schema: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItem - type: array + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + id: + description: Package policy unique identifier. 
+ type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + 
release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). 
+ type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. 
+ is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. 
+ type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. 
+ type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by + maxItems: 10000 + type: array + required: + - items description: Successful response '400': content: application/json: examples: - badPayload: - value: - error: Bad Request - message: Invalid request payload JSON format - statusCode: 400 - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: '[request params]: id: Invalid uuid' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - message: Unable to create exception-list - status_code: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '500': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': content: application/json: examples: - serverError: + 
notFoundExample: + description: One or more package policies were not found value: - message: Internal Server Error - status_code: 500 + error: Not Found + message: Package policy package-policy-id-2 not found + statusCode: 404 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create rule exception items + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Not Found + summary: Bulk get package policies tags: - - Security Exceptions API - /api/detection_engine/rules/prepackaged: - put: - description: > - Install and update all Elastic prebuilt detection rules and Timelines. - - - This endpoint allows you to install and update prebuilt detection rules - and Timelines provided by Elastic. - - When you call this endpoint, it will: - - - Install any new prebuilt detection rules that are not currently - installed in your system. - - - Update any existing prebuilt detection rules that have been modified - or improved by Elastic. - - - Install any new prebuilt Timelines that are not currently installed in - your system. - - - Update any existing prebuilt Timelines that have been modified or - improved by Elastic. + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/package_policies/{packagePolicyId}: + delete: + description: |- + **Spaces method and path for this operation:** +
delete /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
- This ensures that your detection engine is always up-to-date with the - latest rules and Timelines, + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - providing you with the most current and effective threat detection - capabilities. - operationId: InstallPrebuiltRulesAndTimelines + Delete a package policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. + operationId: delete-fleet-package-policies-packagepolicyid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: packagePolicyId + required: true + schema: + type: string + - in: query + name: force + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - example1: + deletePackagePolicyExample: + description: The package policy was successfully deleted value: - rules_installed: 112 - rules_updated: 0 - timelines_installed: 5 - timelines_updated: 2 + id: package-policy-id-1 schema: additionalProperties: false type: object properties: - rules_installed: - description: The number of rules installed - minimum: 0 - type: integer - rules_updated: - description: The number of rules updated - minimum: 0 - type: integer - timelines_installed: - description: The number of timelines installed - minimum: 0 - type: integer - timelines_updated: - description: The number of timelines updated - minimum: 0 - type: integer + id: + type: string required: - - rules_installed - - rules_updated - - timelines_installed - - timelines_updated - description: Indicates a successful call - summary: Install prebuilt detection rules and Timelines - tags: - - Security Detections API - - Prebuilt Rules API - /api/detection_engine/rules/prepackaged/_status: - get: - description: > - Retrieve the status of all Elastic prebuilt detection rules and - Timelines. - - - This endpoint provides detailed information about the number of custom - rules, installed prebuilt rules, available prebuilt rules that are not - installed, outdated prebuilt rules, installed prebuilt timelines, - available prebuilt timelines that are not installed, and outdated - prebuilt timelines. 
- operationId: ReadPrebuiltRulesAndTimelinesStatus - responses: - '200': + - id + description: Successful response + '400': content: application/json: examples: - example1: + genericErrorResponseExample: + description: Example of a generic error response value: - rules_custom_installed: 0 - rules_installed: 0 - rules_not_installed: 112 - rules_not_updated: 0 - timelines_installed: 0 - timelines_not_installed: 0 - timelines_not_updated: 0 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false + description: Generic Error type: object properties: - rules_custom_installed: - description: The total number of custom rules - minimum: 0 - type: integer - rules_installed: - description: The total number of installed prebuilt rules - minimum: 0 - type: integer - rules_not_installed: - description: >- - The total number of available prebuilt rules that are not - installed - minimum: 0 - type: integer - rules_not_updated: - description: The total number of outdated prebuilt rules - minimum: 0 - type: integer - timelines_installed: - description: The total number of installed prebuilt timelines - minimum: 0 - type: integer - timelines_not_installed: - description: >- - The total number of available prebuilt timelines that are - not installed - minimum: 0 - type: integer - timelines_not_updated: - description: The total number of outdated prebuilt timelines - minimum: 0 - type: integer + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - rules_custom_installed - - rules_installed - - rules_not_installed - - rules_not_updated - - timelines_installed - - timelines_not_installed - - timelines_not_updated - description: Indicates a successful call - summary: Retrieve the status of prebuilt detection rules and Timelines + - message + - attributes + description: Bad Request + summary: Delete a package policy 
tags: - - Security Detections API - - Prebuilt Rules API - /api/detection_engine/rules/preview: - post: - description: > - Simulates a detection rule using the same rule type and query logic as a - persisted rule, over a short + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** - time window, without persisting a rule or writing alerts. Use the - response to validate queries, see sample +
get /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
- matching documents, and inspect execution logs. Pair `invocationCount` - and `timeframeEnd` to cap run time. - operationId: RulePreview + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a package policy by ID. + operationId: get-fleet-package-policies-packagepolicyid parameters: - - description: >- - Enables logging and returning in response ES queries, performed - during rule execution - in: query - name: enable_logged_requests + - in: path + name: packagePolicyId + required: true + schema: + type: string + - in: query + name: format required: false schema: - type: boolean - requestBody: - content: - application/json: - examples: - queryRule: - value: - description: Find matching events - from: now-24h - index: - - logs-* - invocationCount: 1 - language: kuery - max_signals: 20 - name: Rule preview - query: 'process.name : *' - risk_score: 25 - severity: low - timeframeEnd: '2025-01-20T12:00:00.000Z' - to: now - type: query - schema: - anyOf: - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_EqlRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_QueryRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps - - $ref: >- - 
#/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_EsqlRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - discriminator: - propertyName: type - description: > - Rule create payload (same shape as `POST /api/detection_engine/rules` - for a given `type`) plus - - `invocationCount` and `timeframeEnd` to control how the preview is - executed. Optional - - `enable_logged_requests` surfaces Elasticsearch request logging for - debugging. - required: true + enum: + - simplified + - legacy + type: string responses: '200': content: application/json: examples: - success: + getPackagePolicyExample: + description: A package policy value: - isAborted: false - logs: - - duration: 45 - errors: [] - requests: [] - startedAt: 2025-01-20T10:00:00.000Z - warnings: [] - previewId: 7f1c9d1e-4c8a-4a3e-9a5d-0d4f6e1b2a90 + item: + created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' schema: + additionalProperties: false type: object properties: - isAborted: - type: boolean - logs: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewLogs - type: array - previewId: - $ref: >- - #/components/schemas/Security_Detections_API_NonEmptyString + item: + additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. 
+ items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + id: + description: Package policy unique identifier. + type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration 
documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). + type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. 
Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. + is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. 
Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. + type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by required: - - logs + - item description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request body].timeframeEnd: expected string, received - null + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user 
[elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Preview rule alerts generated on specified time range - tags: - - Security Detections API - - Rule preview API - /api/detection_engine/signals/assignees: - post: - description: | - Assign users to detection alerts, and unassign them from alerts. - > info - > You cannot add and remove the same assignee in the same request. - operationId: SetAlertAssignees - requestBody: - content: - application/json: - examples: - add: - $ref: >- - #/components/examples/Security_Detections_API_SetAlertAssigneesBodyAdd - remove: - $ref: >- - #/components/examples/Security_Detections_API_SetAlertAssigneesBodyRemove - schema: - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertAssigneesBody - description: User profile IDs to add or remove on each listed alert document ID. - required: true - responses: - '200': - content: - application/json: - examples: - add: - value: - batches: 1 - deleted: 0 - failures: [] - noops: 0 - requests_per_second: -1 - retries: - bulk: 0 - search: 0 - throttled_millis: 0 - throttled_until_millis: 0 - timed_out: false - took: 76 - total: 1 - updated: 1 - version_conflicts: 0 - schema: - additionalProperties: true - description: Elasticsearch update by query or update by IDs response + additionalProperties: false + description: Generic Error type: object - description: Indicates a successful call. 
- '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: >- - [request body].ids: at least one alert id is required to - update assignees - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/detection_engine/signals/assignees] is - unauthorized for the current user, this action is granted - by the Kibana Security Solution privileges for cases and - detections - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Not enough privileges response - '500': + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': content: application/json: examples: - serverError: + notFoundExample: + description: No package policy was found with the given ID value: - message: Internal Server Error - status_code: 500 + error: Not Found + message: Package policy package-policy-id-1 not found + statusCode: 404 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: 
Internal server error response - summary: Assign and unassign users from detection alerts + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Not Found + summary: Get a package policy tags: - - Security Detections API - - Alerts API - /api/detection_engine/signals/finalize_migration: - post: - deprecated: true - description: > - **DEPRECATED.** Completes a legacy alert index migration. Do not - automate against this in new code. - - **WARNING:** Finalizing swaps read aliases; confirm the migration has - finished successfully before calling. - + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** - Finalize successful migrations of detection alerts. This replaces the - original index's alias with the +
put /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
- successfully migrated index's alias. The endpoint is idempotent, so you - can poll until a migration + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - finishes and then call this operation once. - operationId: FinalizeAlertsMigration + Update a package policy by ID. + operationId: put-fleet-package-policies-packagepolicyid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: packagePolicyId + required: true + schema: + type: string + - in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string requestBody: content: application/json: examples: - oneMigration: + putPackagePolicyRequestExample: + description: Update a package policy value: - migration_ids: - - 924f7c50-505f-11eb-ae0a-3fa2e626a51d + enabled: true + inputs: {} + name: nginx-1-updated + namespace: default + package: + name: nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 schema: - example: - migration_ids: - - 924f7c50-505f-11eb-ae0a-3fa2e626a51d - type: object - properties: - migration_ids: - description: Array of `migration_id`s to finalize. - items: - type: string - minItems: 1 - type: array - required: - - migration_ids - description: Array of `migration_id`s to finalize - required: true + anyOf: + - additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. 
+ maxLength: 255 + minLength: 1 + nullable: true + type: string + description: + description: Package policy description + type: string + enabled: + type: boolean + force: + type: boolean + inputs: + items: + additionalProperties: false + type: object + properties: + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - 
description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + maxItems: 1000 + type: array + is_managed: + type: boolean + name: + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + version: + type: string + - additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 100 + nullable: true + type: array + description: + description: Policy description. + type: string + force: + description: Force package policy creation even if the package is not verified, or if the agent policy is managed. + type: boolean + id: + description: Policy unique identifier. + type: string + inputs: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). + type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + name: + description: Unique name for the policy. + type: string + namespace: + description: Policy namespace. When not specified, it inherits the agent policy namespace. 
+ type: string + output_id: + nullable: true + type: string + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + policy_id: + deprecated: true + description: Deprecated. Use policy_ids instead. + nullable: true + type: string + policy_ids: + description: IDs of the agent policies which that package policy will be added to. + items: + type: string + maxItems: 1000 + type: array + supports_agentless: + default: false + deprecated: true + description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. + nullable: true + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. 
+ type: object + required: + - name + - package responses: '200': content: application/json: examples: - success: + putPackagePolicyExample: + description: The updated package policy value: - migrations: - - completed: true - destinationIndex: .siem-signals-default-000002-r000016 - id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d - sourceIndex: .siem-signals-default-000002 - status: success - updated: '2021-01-06T22:05:56.859Z' - version: 16 + item: + created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1-updated + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T11:00:00.000Z' schema: - items: - $ref: >- - #/components/schemas/Security_Detections_API_MigrationFinalizationResult - type: array + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + id: + description: Package policy unique identifier. 
+ type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + 
release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). 
+ type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. 
+ is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. 
+ type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. 
+ type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by + required: + - item description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request body].migration_ids: at least one migration id is - required to finalize + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '403': content: application/json: examples: - serverError: + forbiddenExample: + description: The update is not authorized for this package value: - message: Internal Server Error - status_code: 500 + error: Forbidden + message: An error message describing what went wrong + statusCode: 403 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Finalize detection 
alert migrations + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Forbidden + summary: Update a package policy tags: - - Security Detections API - - Alerts migration API - /api/detection_engine/signals/migration: - delete: - deprecated: true - description: > - **DEPRECATED.** Cleanup API for old migration artifacts. Do not add new - call sites. - - **WARNING:** This schedules deletions; ensure no production reads still - point at the source index. - - - Migrations favor data integrity over shard size. Consequently, unused or - orphaned indices are artifacts of + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/package_policies/delete: + post: + description: |- + **Spaces method and path for this operation:** - the migration process. A successful migration can leave both the old and - new indices present, so the old +
post /s/{space_id}/api/fleet/package_policies/delete
- index may be deleted. While you can delete these indices manually, the - endpoint applies a deletion policy + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - to the relevant index, causing it to be deleted after 30 days, and - removes other migration-specific artifacts. - operationId: AlertsMigrationCleanup + Delete multiple package policies by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. + operationId: post-fleet-package-policies-delete + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - cleanupMigrations: + postDeletePackagePoliciesRequestExample: + description: Delete multiple package policies by ID value: - migration_ids: - - 924f7c50-505f-11eb-ae0a-3fa2e626a51d + packagePolicyIds: + - package-policy-id-1 + - package-policy-id-2 schema: - example: - migration_ids: - - 924f7c50-505f-11eb-ae0a-3fa2e626a51d + additionalProperties: false type: object properties: - migration_ids: - description: Array of `migration_id`s to cleanup. + force: + type: boolean + packagePolicyIds: items: type: string - minItems: 1 + maxItems: 1000 type: array required: - - migration_ids - description: Array of `migration_id`s to cleanup - required: true + - packagePolicyIds responses: '200': content: application/json: examples: - success: + postDeletePackagePoliciesExample: + description: Results of the bulk delete operation value: - migrations: - - destinationIndex: .siem-signals-default-000002-r000016 - id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d - sourceIndex: .siem-signals-default-000002 - status: success - updated: 2021-01-06T22:05:56.859Z - version: 16 + - id: package-policy-id-1 + success: true + - id: package-policy-id-2 + success: true schema: items: - $ref: >- - #/components/schemas/Security_Detections_API_MigrationCleanupResult + additionalProperties: false + type: object + properties: + body: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + id: + type: string + name: + type: string + output_id: + nullable: true + type: string + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + 
items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + policy_id: + deprecated: true + description: Use `policy_ids` instead + nullable: true + type: string + policy_ids: + items: + type: string + maxItems: 10000 + type: array + statusCode: + type: number + success: + type: boolean + required: + - id + - success + - policy_ids + - package + maxItems: 10000 type: array description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request body].migration_ids: at least one migration id is - required to run cleanup + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful 
authentication response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Clean up detection alert migrations + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk delete package policies tags: - - Security Detections API - - Alerts migration API + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/package_policies/upgrade: post: - deprecated: true - description: > - **DEPRECATED.** Legacy API for on-demand reindexing of old - `.siem-signals-*` alert indices. Do not build new - - integrations; upgrade the Elastic Stack and rely on product-managed data - lifecycle instead. - - **WARNING:** Migrations can be resource intensive and should be planned - during a maintenance window. + description: |- + **Spaces method and path for this operation:** +
post /s/{space_id}/api/fleet/package_policies/upgrade
- Initiate a migration of detection alerts. Migrations are initiated per - index. The process is not destructive + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - and should not remove existing data, but it can consume significant - cluster resources. Plan capacity accordingly. - operationId: CreateAlertsMigration + Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. + operationId: post-fleet-package-policies-upgrade + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - singleIndex: + postUpgradePackagePoliciesRequestExample: + description: Upgrade package policies to the latest version value: - index: - - .siem-signals-default-000001 + packagePolicyIds: + - package-policy-id-1 schema: - allOf: - - type: object - properties: - index: - description: Array of index names to migrate. - items: - format: nonempty - minLength: 1 - type: string - minItems: 1 - type: array - required: - - index - - $ref: >- - #/components/schemas/Security_Detections_API_AlertsReindexOptions - description: Alerts migration parameters - required: true + additionalProperties: false + type: object + properties: + packagePolicyIds: + items: + type: string + maxItems: 1000 + type: array + required: + - packagePolicyIds responses: '200': content: application/json: examples: - success: + postUpgradePackagePoliciesExample: + description: Results of the upgrade operation value: - indices: - - index: .siem-signals-default-000001, - migration_id: 923f7c50-505f-11eb-ae0a-3fa2e626a51d - migration_index: .siem-signals-default-000001-r000016 + - id: package-policy-id-1 + name: nginx-1 + success: true schema: - type: object - properties: - indices: - items: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexMigrationSuccess - - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexMigrationError - - $ref: >- - #/components/schemas/Security_Detections_API_SkippedAlertsIndexMigration - type: array - required: - - indices + items: + additionalProperties: false + type: object + properties: + body: + additionalProperties: false + type: object + properties: + message: + 
type: string + required: + - message + id: + type: string + name: + type: string + statusCode: + type: number + success: + type: boolean + required: + - id + - success + maxItems: 10000 + type: array description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request body].index: at least one index name is required - to start a migration + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Initiate a detection alert migration + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Upgrade a package policy tags: - - Security Detections API - - Alerts migration API - 
/api/detection_engine/signals/migration_status: - get: - deprecated: true - description: > - **DEPRECATED.** This endpoint was used for historical `.siem-signals-*` - index migration workflows. Do not use - - for new automations; there is no supported replacement in this public - API. - - **WARNING:** Prefer upgrading through supported Elastic stack upgrades - rather than ad-hoc index migrations. + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/package_policies/upgrade/dryrun: + post: + description: |- + **Spaces method and path for this operation:** +
post /s/{space_id}/api/fleet/package_policies/upgrade/dryrun
- Retrieves indices that contain detection alerts of a particular age, - along with migration information for + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - each of those indices. - operationId: ReadAlertsMigrationStatus + Preview the changes that would be applied by upgrading a package policy to a newer package version.

[Required authorization] Route required privileges: fleet-agent-policies-read AND integrations-read. + operationId: post-fleet-package-policies-upgrade-dryrun parameters: - - description: Maximum age of qualifying detection alerts - in: query - name: from + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - description: > - Time from which data is analyzed. For example, now-4200s means the - rule analyzes data from 70 minutes - - before its start time. Defaults to now-6m (analyzes data from 6 - minutes before the start time). - example: now-30d - format: date-math + example: 'true' type: string - responses: - '200': - content: - application/json: - examples: - success: - value: - indices: - - index: .siem-signals-default-000002 - is_outdated: true - migrations: - - id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d - status: pending - updated: 2021-01-06T20:41:37.173Z - version: 16 - signal_versions: - - count: 100 - version: 15 - - count: 87 - version: 16 - version: 15 - - index: .siem-signals-default-000003 - is_outdated: false - migrations: [] - signal_versions: - - count: 54 - version: 16 - version: 16 - schema: - type: object - properties: - indices: - items: - $ref: >- - #/components/schemas/Security_Detections_API_IndexMigrationStatus - type: array - required: - - indices - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query].from: expected date-math, received null' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user 
[elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Retrieve the status of detection alert migrations - tags: - - Security Detections API - - Alerts migration API - /api/detection_engine/signals/search: - post: - description: Find and/or aggregate detection alerts that match the given query. - operationId: SearchAlerts requestBody: content: application/json: examples: - query: + postDryRunPackagePoliciesRequestExample: + description: Dry run an upgrade of a package policy value: - aggs: - alertsByGrouping: - terms: - field: host.name - size: 10 - missingFields: - missing: - field: host.name - query: - bool: - filter: - - bool: - filter: - - match_phrase: - kibana.alert.workflow_status: open - must: [] - must_not: - - exists: - field: kibana.alert.building_block_type - should: [] - - range: - '@timestamp': - gte: 2025-01-17T08:00:00.000Z - lte: 2025-01-18T07:59:59.999Z - runtime_mappings: {} - size: 0 + packagePolicyIds: + - package-policy-id-1 schema: - $ref: >- - #/components/schemas/Security_Detections_API_QueryAlertsBodyParams - description: Elasticsearch query and aggregation request - description: Search and/or aggregation query - required: true + additionalProperties: false + type: object + properties: + packagePolicyIds: + items: + type: string + maxItems: 1000 + type: array + packageVersion: + type: string + required: + - packagePolicyIds responses: '200': content: application/json: examples: - success: + postDryRunPackagePoliciesExample: + 
description: Preview of the package policy upgrade diff value: - _shards: - failed: 0 - skipped: 0 - successful: 1 - total: 1 - aggregations: - alertsByGrouping: - buckets: - - doc_count: 5 - key: Host-f43kkddfyc - doc_count_error_upper_bound: 0 - sum_other_doc_count: 0 - missingFields: - doc_count: 0 - hits: - hits: [] - max_score: null - total: - relation: eq - value: 5 - timed_out: false - took: 0 + - diff: + - id: package-policy-id-1 + name: nginx-1 + package: + name: nginx + version: 1.20.0 + - name: nginx-1 + package: + name: nginx + version: 1.21.0 + hasErrors: false + name: nginx-1 schema: - additionalProperties: true - description: Elasticsearch search response - type: object + items: + additionalProperties: false + type: object + properties: + agent_diff: + items: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + namespace: + type: string + required: + - namespace + id: + type: string + meta: + additionalProperties: true + type: object + properties: + package: + additionalProperties: true + type: object + properties: + name: + type: string + version: + type: string + required: + - name + - version + required: + - package + name: + type: string + package_policy_id: + type: string + processors: + items: + additionalProperties: true + type: object + properties: + add_fields: + additionalProperties: true + type: object + properties: + fields: + additionalProperties: + anyOf: + - type: string + - type: number + type: object + target: + type: string + required: + - target + - fields + required: + - add_fields + maxItems: 10000 + type: array + revision: + type: number + streams: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + dataset: + type: string + type: + type: string + required: + - dataset + id: + type: string + required: + - data_stream + maxItems: 10000 + type: array + 
type: + type: string + use_output: + type: string + required: + - id + - name + - revision + - type + - data_stream + - use_output + - package_policy_id + maxItems: 10000 + type: array + maxItems: 1 + type: array + body: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + diff: + items: + anyOf: + - additionalProperties: false + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + id: + type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + 
type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). + type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. + is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. 
Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. + type: string + required: + - name + - enabled + - inputs + - revision + - updated_at + - updated_by + - created_at + - created_by + - additionalProperties: true + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. 
+ maxLength: 255 + minLength: 1 + nullable: true + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + errors: + items: + additionalProperties: false + type: object + properties: + key: + type: string + message: + type: string + required: + - message + maxItems: 10 + type: array + force: + type: boolean + id: + type: string + inputs: + items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: 
false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + additionalProperties: false + type: object + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + is_managed: + type: boolean + missingVars: + items: + type: string + maxItems: 100 + type: array + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + additionalProperties: false + type: object + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. 
+ nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + version: + description: Package policy ES version. 
+ type: string + required: + - name + - enabled + - inputs + maxItems: 2 + type: array + hasErrors: + type: boolean + name: + type: string + statusCode: + type: number + required: + - hasErrors + maxItems: 10000 + type: array description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - Failed to parse search request: unknown query clause in - bool filter + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Dry run a package policy upgrade + tags: + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/proxies: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/proxies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet proxies.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-proxies + parameters: [] + responses: + '200': content: application/json: examples: - unauthorized: + getFleetProxiesExample: + description: List of Fleet proxies value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 + items: + - id: proxy-id-1 + is_preconfigured: false + name: My proxy + url: http://proxy.example.com:3128 + page: 1 + perPage: 20 + total: 1 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + certificate: + nullable: true + type: string + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true + type: string + id: + type: string + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + url: + type: string + required: + - id + - url + - name + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - 
description: Internal server error response - summary: Find and/or aggregate detection alerts + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get proxies tags: - - Security Detections API - - Alerts API - /api/detection_engine/signals/status: + - Fleet proxies + x-metaTags: + - content: Kibana + name: product_name post: - description: Set the status of one or more detection alerts. - operationId: SetAlertsStatus + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/proxies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Fleet proxy.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-proxies + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - byId: - value: - signal_ids: - - >- - 80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1 - status: closed - byQuery: + postFleetProxyRequestExample: + description: Create a new Fleet proxy value: - conflicts: proceed - query: - bool: - filter: - - '@timestamp': - format: strict_date_optional_time - gte: 2024-10-23T07:00:00.000Z - lte: 2025-01-21T20:12:11.704Z - range: null - - bool: - filter: - bool: - filter: - - match_phrase: - kibana.alert.workflow_status: open - - '@timestamp': - format: strict_date_optional_time - gte: 2024-10-23T07:00:00.000Z - lte: 2025-01-21T20:12:11.704Z - range: null - must: [] - must_not: - - exists: - field: kibana.alert.building_block_type - should: [] - must: [] - must_not: [] - should: [] - status: closed + name: My proxy + url: http://proxy.example.com:3128 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByIds - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByQuery - description: >- - An object containing desired status and explicit alert ids or a query - to select alerts - required: true + additionalProperties: false + type: object + properties: + certificate: + nullable: true + type: string + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true + type: string + id: + type: string + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + url: + type: string + required: + - url + - name responses: '200': content: application/json: 
examples: - byId: - value: - batches: 1 - deleted: 0 - failures: [] - noops: 0 - requests_per_second: -1 - retries: - bulk: 0 - search: 0 - throttled_millis: 0 - throttled_until_millis: 0 - timed_out: false - took: 81 - total: 1 - updated: 1 - version_conflicts: 0 - byQuery: + postFleetProxyExample: + description: The created Fleet proxy value: - batches: 1 - deleted: 0 - failures: [] - noops: 0 - requests_per_second: -1 - retries: - bulk: 0 - search: 0 - throttled_millis: 0 - throttled_until_millis: 0 - timed_out: false - took: 100 - total: 17 - updated: 17 - version_conflicts: 0 + item: + id: proxy-id-2 + is_preconfigured: false + name: My proxy + url: http://proxy.example.com:3128 schema: - additionalProperties: true - description: Elasticsearch update by query response + additionalProperties: false type: object + properties: + item: + additionalProperties: false + type: object + properties: + certificate: + nullable: true + type: string + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true + type: string + id: + type: string + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + url: + type: string + required: + - id + - url + - name + required: + - item description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request body].signal_ids: at least one alert id is - required to update status + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - 
application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Set a detection alert status + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create a proxy tags: - - Security Detections API - - Alerts API - /api/detection_engine/signals/tags: - post: - description: > - Add tags to detection alerts, and remove them from alerts, by alert IDs - or a query, in a single request. + - Fleet proxies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/proxies/{itemId}: + delete: + description: |- + **Spaces method and path for this operation:** - > info +
delete /s/{space_id}/api/fleet/proxies/{itemId}
- > You cannot add and remove the same alert tag in the same request. - operationId: SetAlertTags - requestBody: - content: - application/json: - examples: - add: - $ref: >- - #/components/examples/Security_Detections_API_SetAlertTagsBodyAdd - remove: - $ref: >- - #/components/examples/Security_Detections_API_SetAlertTagsBodyRemove - schema: - $ref: '#/components/schemas/Security_Detections_API_SetAlertTagsBody' - description: >- - An object containing tags to add or remove and alert ids the changes - will be applied - required: true + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a proxy by ID

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-proxies-itemid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: itemId + required: true + schema: + type: string responses: '200': content: application/json: examples: - success: + deleteFleetProxyExample: + description: The Fleet proxy was successfully deleted value: - batches: 1, - deleted: 0, - failures: [] - noops: 0, - requests_per_second: '-1,' - retries: - bulk: 0, - search: 0 - throttled_millis: 0, - throttled_until_millis: 0, - timed_out: false, - took: 68, - total: 1, - updated: 1, - version_conflicts: 0, + id: proxy-id-1 schema: - additionalProperties: true - description: Elasticsearch update by query response + additionalProperties: false type: object + properties: + id: + type: string + required: + - id description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request body].tags: cannot add and remove the same tag in - a single request + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse 
- description: Unsuccessful authentication response - '500': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': content: application/json: examples: - serverError: + notFoundExample: + description: No proxy was found with the given ID value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Add and remove detection alert tags + error: Not Found + message: Fleet proxy proxy-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete a proxy tags: - - Security Detections API - - Alerts API - /api/detection_engine/tags: + - Fleet proxies + x-metaTags: + - content: Kibana + name: product_name get: - description: List all unique tags from all detection rules. - operationId: ReadTags - responses: - '200': - content: - application/json: - examples: - example1: - value: - - zeek - - suricata - - windows - - linux - - network - - initial access - - remote access - - phishing - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - description: Indicates a successful call - summary: List all detection rule tags - tags: - - Security Detections API - - Tags API - /api/encrypted_saved_objects/_rotate_key: - post: - description: > - Superuser role required. - + description: |- + **Spaces method and path for this operation:** - If a saved object cannot be decrypted using the primary encryption key, - then Kibana will attempt to decrypt it using the specified - decryption-only keys. 
In most of the cases this overhead is negligible, - but if you're dealing with a large number of saved objects and - experiencing performance issues, you may want to rotate the encryption - key. +
get /s/{space_id}/api/fleet/proxies/{itemId}
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - operationId: rotateEncryptionKey + Get a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-proxies-itemid parameters: - - description: > - Specifies a maximum number of saved objects that Kibana can process - in a single batch. Bulk key rotation is an iterative process since - Kibana may not be able to fetch and process all required saved - objects in one go and splits processing into consequent batches. By - default, the batch size is 10000, which is also a maximum allowed - value. - in: query - name: batch_size - required: false - schema: - default: 10000 - type: number - - description: > - Limits encryption key rotation only to the saved objects with the - specified type. By default, Kibana tries to rotate the encryption - key for all saved object types that may contain encrypted - attributes. - in: query - name: type - required: false + - in: path + name: itemId + required: true schema: type: string responses: 
@@ -11126,910 +58695,1476 @@ paths: content: application/json: examples: - rotateEncryptionKeyResponse: - $ref: '#/components/examples/Saved_objects_key_rotation_response' + getFleetProxyExample: + description: A Fleet proxy + value: + item: + id: proxy-id-1 + is_preconfigured: false + name: My proxy + url: http://proxy.example.com:3128 schema: + additionalProperties: false type: object properties: - failed: - description: > - Indicates the number of the saved objects that were still - encrypted with one of the old encryption keys that Kibana - failed to re-encrypt with the primary key. - type: number - successful: - description: > - Indicates the total number of all encrypted saved objects - (optionally filtered by the requested `type`), regardless - of the key Kibana used for encryption. - - - NOTE: In most cases, `total` will be greater than - `successful` even if `failed` is zero. The reason is that - Kibana may not need or may not be able to rotate - encryption keys for all encrypted saved objects. - type: number - total: - description: > - Indicates the total number of all encrypted saved objects - (optionally filtered by the requested `type`), regardless - of the key Kibana used for encryption. - type: number - description: Indicates a successful call. 
+ item: + additionalProperties: false + type: object + properties: + certificate: + nullable: true + type: string + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true + type: string + id: + type: string + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + url: + type: string + required: + - id + - url + - name + required: + - item + description: Successful response '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request - '429': - content: - application/json: - schema: - type: object - description: Already in progress. - summary: Rotate a key for encrypted saved objects - tags: - - saved objects - /api/endpoint_list: - post: - description: >- - Create the exception list for Elastic Endpoint rule exceptions. When you - create the exception list, it will have a `list_id` of `endpoint_list`. - If the Elastic Endpoint exception list already exists, your request will - return an empty response. 
- operationId: CreateEndpointList - responses: - '200': content: application/json: examples: - alreadyExists: - summary: Endpoint exception list already exists (empty response) - value: {} - newList: - summary: Endpoint exception list created + genericErrorResponseExample: + description: Example of a generic error response value: - created_at: '2025-01-01T00:00:00.000Z' - created_by: elastic - description: Endpoint Security Exception List - id: 2e23a8c4-ef7e-4c10-adfa-3eae4e4b4b8b - immutable: false - list_id: endpoint_list - name: Endpoint Security Exception List - namespace_type: agnostic - os_types: [] - tags: [] - tie_breaker_id: e3c5a8e0-5b6a-4b4b-8b3a-2e23a8c4ef7e - type: endpoint - updated_at: '2025-01-01T00:00:00.000Z' - updated_by: elastic - version: 1 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointList - description: Successful response - '400': - content: - application/json: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '500': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': content: application/json: - schema: - $ref: >- - 
#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Create an Elastic Endpoint rule exception list + examples: + notFoundExample: + description: No proxy was found with the given ID + value: + error: Not Found + message: Fleet proxy proxy-id-1 not found + statusCode: 404 + description: Not Found + summary: Get a proxy tags: - - Security Endpoint Exceptions API - /api/endpoint_list/items: - delete: - description: >- - Delete an Elastic Endpoint exception list item, specified by the `id` or - `item_id` field. - operationId: DeleteEndpointListItem + - Fleet proxies + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/proxies/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-proxies-itemid parameters: - - description: Either `id` or `item_id` must be specified - in: query - name: id - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - - description: Either `id` or `item_id` must be specified - in: query - name: item_id - required: false + example: 'true' + type: string + - in: path + name: itemId + required: true schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + type: string + requestBody: + content: + application/json: + examples: + putFleetProxyRequestExample: + description: Update a Fleet proxy + value: + name: Updated proxy + url: http://updated-proxy.example.com:3128 + schema: + additionalProperties: false + type: object + properties: + certificate: + nullable: true + type: string + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true + type: string + name: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + url: + type: string + required: + - certificate_authorities + - certificate + - certificate_key responses: '200': content: application/json: examples: - deleted: - summary: Deleted endpoint exception list item + putFleetProxyExample: + description: The updated Fleet proxy value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: 
Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: [] - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic + item: + id: proxy-id-1 + is_preconfigured: false + name: Updated proxy + url: http://updated-proxy.example.com:3128 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + certificate: + nullable: true + type: string + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true + type: string + id: + type: string + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + url: + type: string + required: + - id + - url + - name + required: + - item description: Successful response '400': content: application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: 
+ type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request '404': content: application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item not found - '500': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Delete an Elastic Endpoint exception list item + examples: + notFoundExample: + description: No proxy was found with the given ID + value: + error: Not Found + message: Proxy proxy-id-1 not found + statusCode: 404 + description: Not Found + summary: Update a proxy tags: - - Security Endpoint Exceptions API + - Fleet proxies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/remote_synced_integrations/{outputId}/remote_status: get: - description: >- - Get the details of an Elastic Endpoint exception list item, specified by - the `id` or `item_id` field. - operationId: ReadEndpointListItem + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/remote_synced_integrations/{outputId}/remote_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the synchronization status of remote integrations for a specific output by its ID.

[Required authorization] Route required privileges: fleet-settings-read AND integrations-read. + operationId: get-fleet-remote-synced-integrations-outputid-remote-status parameters: - - description: Either `id` or `item_id` must be specified - in: query - name: id - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - - description: Either `id` or `item_id` must be specified - in: query - name: item_id - required: false + - in: path + name: outputId + required: true schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + type: string responses: '200': content: application/json: examples: - item: - summary: Endpoint exception list item + getRemoteSyncedIntegrationsInfoExample: + description: Synchronization status of remote integrations for a specific output value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic + integrations: + - id: nginx-remote + install_status: + main: installed + remote: installed + package_name: nginx + package_version: 1.20.0 + sync_status: COMPLETED + updated_at: '2024-01-01T00:00:00.000Z' schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + additionalProperties: false + type: object + properties: + custom_assets: + additionalProperties: + additionalProperties: false + type: object + properties: + error: + type: string + 
is_deleted: + type: boolean + name: + type: string + package_name: + type: string + package_version: + type: string + sync_status: + enum: + - completed + - synchronizing + - failed + - warning + type: string + type: + type: string + warning: + additionalProperties: false + type: object + properties: + message: + type: string + title: + type: string + required: + - title + required: + - type + - name + - package_name + - package_version + - sync_status + type: object + error: + type: string + integrations: + items: + additionalProperties: false + type: object + properties: + error: + type: string + id: + type: string + install_status: + additionalProperties: false + type: object + properties: + main: + type: string + remote: + type: string + required: + - main + package_name: + type: string + package_version: + type: string + sync_status: + enum: + - completed + - synchronizing + - failed + - warning + type: string + updated_at: + type: string + warning: + additionalProperties: false + type: object + properties: + message: + type: string + title: + type: string + required: + - title + required: + - sync_status + - install_status + maxItems: 10000 + type: array + warning: + additionalProperties: false + type: object + properties: + message: + type: string + title: + type: string + required: + - title + required: + - integrations description: Successful response '400': content: application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: 
Unsuccessful authentication - '403': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '404': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get remote synced integrations status by outputId + tags: + - Fleet remote synced integrations + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/remote_synced_integrations/status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/remote_synced_integrations/status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the synchronization status of all remote integrations across connected remote clusters.

[Required authorization] Route required privileges: fleet-settings-read AND integrations-read. + operationId: get-fleet-remote-synced-integrations-status + parameters: [] + responses: + '200': content: application/json: + examples: + getRemoteSyncedIntegrationsStatusExample: + description: Synchronization status of remote integrations across connected remote clusters + value: + integrations: + - id: nginx-remote + install_status: + main: installed + remote: installed + package_name: nginx + package_version: 1.20.0 + sync_status: COMPLETED + updated_at: '2024-01-01T00:00:00.000Z' + - error: Failed to sync package to remote cluster + id: system-remote + install_status: + main: installed + remote: not_installed + package_name: system + package_version: 1.38.0 + sync_status: FAILED + updated_at: '2024-01-01T00:00:00.000Z' schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item not found - '500': + additionalProperties: false + type: object + properties: + custom_assets: + additionalProperties: + additionalProperties: false + type: object + properties: + error: + type: string + is_deleted: + type: boolean + name: + type: string + package_name: + type: string + package_version: + type: string + sync_status: + enum: + - completed + - synchronizing + - failed + - warning + type: string + type: + type: string + warning: + additionalProperties: false + type: object + properties: + message: + type: string + title: + type: string + required: + - title + required: + - type + - name + - package_name + - package_version + - sync_status + type: object + error: + type: string + integrations: + items: + additionalProperties: false + type: object + properties: + error: + type: string + id: + type: string + install_status: + additionalProperties: false + type: object + properties: + main: + type: string + remote: + type: string + required: + - main + package_name: + type: string + package_version: + type: string + 
sync_status: + enum: + - completed + - synchronizing + - failed + - warning + type: string + updated_at: + type: string + warning: + additionalProperties: false + type: object + properties: + message: + type: string + title: + type: string + required: + - title + required: + - sync_status + - install_status + maxItems: 10000 + type: array + warning: + additionalProperties: false + type: object + properties: + message: + type: string + title: + type: string + required: + - title + required: + - integrations + description: Successful response + '400': content: application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Get an Elastic Endpoint rule exception list item + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get remote synced integrations status tags: - - Security Endpoint Exceptions API + - Fleet remote synced integrations + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/service_tokens: post: - description: >- - Create an Elastic Endpoint exception list item, and associate it with - the Elastic Endpoint exception list. - operationId: CreateEndpointListItem + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/service_tokens
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a Fleet Server service token. The token is used to enroll Fleet Server instances with Kibana.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-service-tokens + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - matchAny: - summary: Exclude multiple process names - value: - description: Exclude common security tools from endpoint protection - entries: - - field: process.name - operator: included - type: match_any - value: - - scanner.exe - - updater.exe - name: Trusted security tools - os_types: - - windows - type: simple - simpleMatch: - summary: Block a specific file hash + postGenerateServiceTokenRequestExample: + description: Generate a service token for a remote Fleet Server value: - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - name: Block malicious file - os_types: - - windows - tags: - - policy:all - type: simple + remote: true schema: + additionalProperties: false + nullable: true type: object properties: - comments: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray - item_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId - meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta - name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName - os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: >- - 
#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags - default: [] - type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType - required: - - type - - name - - description - - entries - description: Exception list item's properties - required: true + remote: + default: false + type: boolean responses: '200': content: application/json: examples: - created: - summary: Endpoint exception list item created + postGenerateServiceTokenExample: + description: The generated Fleet Server service token value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic + name: elastic/fleet-server/token-1234567890 + value: AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTEyMzQ1Njc4OTA6QUJDREVGR0hJSktMTU5P schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + additionalProperties: false + type: object + properties: + name: + type: string + value: + type: string + required: + - name + - value description: Successful response '400': content: application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - 
#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create a service token + tags: + - Fleet service tokens + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/settings: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/settings
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the global Fleet settings.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-settings + parameters: [] + responses: + '200': content: application/json: + examples: + getSettingsExample: + description: The current Fleet settings + value: + item: + delete_unenrolled_agents: + enabled: false + is_preconfigured: false + has_seen_add_data_notice: true + id: fleet-default-settings + output_secret_storage_requirements_met: true + prerelease_integrations_enabled: false + secret_storage_requirements_met: true + version: WzEsMV0= schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '409': + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + action_secret_storage_requirements_met: + type: boolean + delete_unenrolled_agents: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + is_preconfigured: + type: boolean + required: + - enabled + - is_preconfigured + download_source_auth_secret_storage_requirements_met: + type: boolean + has_seen_add_data_notice: + type: boolean + id: + type: string + ilm_migration_status: + additionalProperties: false + type: object + properties: + logs: + enum: + - success + nullable: true + type: string + metrics: + enum: + - success + nullable: true + type: string + synthetics: + enum: + - success + nullable: true + type: string + integration_knowledge_enabled: + type: boolean + output_secret_storage_requirements_met: + type: boolean + preconfigured_fields: + items: + enum: + - fleet_server_hosts + type: string + maxItems: 1 + type: array + prerelease_integrations_enabled: + type: boolean + secret_storage_requirements_met: + type: boolean + ssl_secret_storage_requirements_met: + type: boolean + use_space_awareness_migration_started_at: + nullable: true + type: string + use_space_awareness_migration_status: + enum: + - pending + - success 
+ - error + type: string + version: + type: string + required: + - item + description: Successful response + '400': content: application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item already exists - '500': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': content: application/json: + examples: + notFoundExample: + description: Fleet settings have not been initialized + value: + error: Not Found + message: Settings not found + statusCode: 404 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Create an Elastic Endpoint rule exception list item + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Not Found + summary: Get settings tags: - - Security Endpoint Exceptions API + - Fleet internals + x-metaTags: + - content: Kibana + name: product_name put: - description: >- - Update an Elastic Endpoint exception list item, specified by the `id` or - `item_id` field. - operationId: UpdateEndpointListItem + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/settings
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update the global Fleet settings.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-settings + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - updateName: - summary: Update an endpoint exception list item + putSettingsRequestExample: + description: Update Fleet settings to enable pre-release integrations value: - description: Updated description for the exception - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - item_id: block-malicious-file - name: Block malicious file (updated) - os_types: - - windows - - linux - type: simple + prerelease_integrations_enabled: true schema: + additionalProperties: false type: object properties: - _version: - description: >- - The version id, normally returned by the API when the item - is retrieved. Use it ensure updates are made against the - latest version. 
+ additional_yaml_config: + deprecated: true type: string - comments: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray - id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - description: Either `id` or `item_id` must be specified - item_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId - description: Either `id` or `item_id` must be specified - meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta - name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName - os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags - type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType - required: - - type - - name - - description - - entries - description: Exception list item's properties - required: true + delete_unenrolled_agents: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + is_preconfigured: + type: boolean + required: + - enabled + - is_preconfigured + has_seen_add_data_notice: + deprecated: true + type: boolean + integration_knowledge_enabled: + type: boolean + kibana_ca_sha256: + deprecated: true + type: string + kibana_urls: + deprecated: true + items: + format: uri + type: string + maxItems: 10 + type: array + prerelease_integrations_enabled: + type: boolean responses: '200': content: application/json: examples: - updated: - summary: Endpoint exception list item updated + putSettingsExample: + 
description: The updated Fleet settings value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Updated description for the exception - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file (updated) - namespace_type: agnostic - os_types: - - windows - - linux - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-15T09:30:00.000Z' - updated_by: elastic + item: + delete_unenrolled_agents: + enabled: false + is_preconfigured: false + has_seen_add_data_notice: true + id: fleet-default-settings + output_secret_storage_requirements_met: true + prerelease_integrations_enabled: true + secret_storage_requirements_met: true + version: WzIsMV0= schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + action_secret_storage_requirements_met: + type: boolean + delete_unenrolled_agents: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + is_preconfigured: + type: boolean + required: + - enabled + - is_preconfigured + download_source_auth_secret_storage_requirements_met: + type: boolean + has_seen_add_data_notice: + type: boolean + id: + type: string + ilm_migration_status: + additionalProperties: false + type: object + properties: + logs: + enum: + - success + nullable: true + type: string + metrics: + enum: + - success + nullable: true + type: string + synthetics: + enum: + - success + nullable: true + type: string + integration_knowledge_enabled: + type: boolean + output_secret_storage_requirements_met: + type: boolean + preconfigured_fields: + items: + 
enum: + - fleet_server_hosts + type: string + maxItems: 1 + type: array + prerelease_integrations_enabled: + type: boolean + secret_storage_requirements_met: + type: boolean + ssl_secret_storage_requirements_met: + type: boolean + use_space_awareness_migration_started_at: + nullable: true + type: string + use_space_awareness_migration_status: + enum: + - pending + - success + - error + type: string + version: + type: string + required: + - item description: Successful response '400': content: application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request '404': content: application/json: + examples: + notFoundExample: + description: Fleet settings have not been initialized + value: + error: Not Found + message: Settings not found + statusCode: 404 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item not found - '500': - content: - application/json: - schema: - $ref: >- - 
#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Update an Elastic Endpoint rule exception list item + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Not Found + summary: Update settings tags: - - Security Endpoint Exceptions API - /api/endpoint_list/items/_find: - get: - description: Get a list of all Elastic Endpoint exception list items. - operationId: FindEndpointListItems - parameters: - - description: > - Filters the returned results according to the value of the specified - field, + - Fleet internals + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/setup: + post: + description: |- + **Spaces method and path for this operation:** - using the `:` syntax. - in: query - name: filter - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter - - description: The page number to return - in: query - name: page - required: false - schema: - minimum: 0 - type: integer - - description: The number of exception list items to return per page - in: query - name: per_page - required: false - schema: - minimum: 0 - type: integer - - description: Determines which field is used to sort the results - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString - - description: Determines the sort order, which can be `desc` or `asc` - in: query - name: sort_order - required: false +
post /s/{space_id}/api/fleet/setup
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initialize Fleet and create the necessary Elasticsearch resources for Fleet to operate. Safe to call multiple times (idempotent). Returns the initialization status and any non-fatal errors encountered during setup.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. + operationId: post-fleet-setup + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - enum: - - desc - - asc + example: 'true' type: string responses: '200': content: application/json: examples: - foundItems: - summary: Found endpoint exception list items + fleetSetupSuccessExample: + description: Fleet initialized successfully with no non-fatal errors value: - data: - - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic - page: 1 - per_page: 20 - total: 1 + isInitialized: true + nonFatalErrors: [] + fleetSetupWithNonFatalErrorsExample: + description: Fleet initialized but encountered non-fatal errors during setup + value: + isInitialized: true + nonFatalErrors: + - message: Package fleet_server not found in registry + name: PackageNotFoundError schema: + additionalProperties: false + description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup. type: object properties: - data: - description: The list of endpoint exception list items. 
+ isInitialized: + type: boolean + nonFatalErrors: items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + additionalProperties: false + type: object + properties: + message: + type: string + name: + type: string + required: + - name + - message + maxItems: 10000 type: array - page: - description: The current page number. - minimum: 0 - type: integer - per_page: - description: The number of items per page. - minimum: 0 - type: integer - pit: - description: The point-in-time ID for pagination. - type: string - total: - description: The total number of endpoint exception list items. - minimum: 0 - type: integer required: - - data - - page - - per_page - - total - description: Successful response + - isInitialized + - nonFatalErrors + description: Fleet setup completed '400': content: application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '500': content: application/json: + examples: + internalErrorResponseExample: + description: Example of an internal server error response + value: + error: Internal Server Error + message: An error message describing what went wrong + 
statusCode: 500 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '404': + additionalProperties: false + description: Internal Server Error + type: object + properties: + message: + type: string + required: + - message + description: Internal Server Error + summary: Initiate Fleet setup + tags: + - Fleet internals + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/space_settings: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/space_settings
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the Fleet settings for the current Kibana space. + operationId: get-fleet-space-settings + parameters: [] + responses: + '200': content: application/json: + examples: + getSpaceSettingsExample: + description: The Fleet settings for the current Kibana space + value: + item: + allowed_namespace_prefixes: + - team-a + - team-b schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list not found - '500': + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + allowed_namespace_prefixes: + items: + type: string + maxItems: 100 + type: array + managed_by: + type: string + required: + - allowed_namespace_prefixes + required: + - item + description: Successful response + summary: Get space settings + tags: [] + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/space_settings
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create or update Fleet settings for the current Kibana space.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-space-settings + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + putSpaceSettingsRequestExample: + description: Update allowed namespace prefixes for the current Kibana space + value: + allowed_namespace_prefixes: + - team-a + - team-b + schema: + additionalProperties: false + type: object + properties: + allowed_namespace_prefixes: + items: + type: string + maxItems: 10 + type: array + responses: + '200': content: application/json: + examples: + putSpaceSettingsExample: + description: The updated Fleet settings for the current Kibana space + value: + item: + allowed_namespace_prefixes: + - team-a + - team-b schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Get Elastic Endpoint exception list items - tags: - - Security Endpoint Exceptions API - /api/endpoint/action: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + allowed_namespace_prefixes: + items: + type: string + maxItems: 100 + type: array + managed_by: + type: string + required: + - allowed_namespace_prefixes + required: + - item + description: Successful response + summary: Create space settings + tags: [] + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/uninstall_tokens: get: - description: Get a list of all response actions. - operationId: EndpointGetActionsList + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/uninstall_tokens
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: get-fleet-uninstall-tokens parameters: - - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' - - in: query - name: commands - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' - - in: query - name: agentIds - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' - - in: query - name: userIds - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' - - in: query - name: startDate - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' - - in: query - name: endDate + - description: Partial match filtering for policy IDs + in: query + name: policyId required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' + maxLength: 50 + type: string - in: query - name: agentTypes + name: search required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - - in: query - name: withOutputs + maxLength: 50 + type: string + - description: The number of items to return + in: query + name: perPage required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' + minimum: 5 + type: number - in: query - name: types + name: page required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' - responses: - '200': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse - description: Indicates a successful call. 
- summary: Get response actions - tags: - - Security Endpoint Management API - /api/endpoint/action_status: - get: - description: Get the status of response actions for the specified agent IDs. - operationId: EndpointGetActionsStatus - parameters: - - description: A list of agent IDs to get the action status for. - in: query - name: agent_ids - required: true - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + minimum: 1 + type: number responses: '200': content: application/json: + examples: + getUninstallTokensExample: + description: List of uninstall token metadata for agent policies + value: + items: + - created_at: '2024-01-01T00:00:00.000Z' + id: token-id-1 + namespaces: + - default + policy_id: policy-id-1 + policy_name: Default policy + - created_at: '2024-01-02T00:00:00.000Z' + id: token-id-2 + namespaces: + - production + policy_id: policy-id-2 + policy_name: Production policy + page: 1 + perPage: 20 + total: 2 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse - description: Indicates a successful call. - summary: Get response actions status - tags: - - Security Endpoint Management API - /api/endpoint/action/{action_id}: - get: - description: Get the details of a response action using the action ID. - operationId: EndpointGetActionsDetails - parameters: - - in: path - name: action_id - required: true - schema: - description: The ID of the action to retrieve. 
- example: fr518850-681a-4y60-aa98-e22640cae2b8 - type: string - responses: - '200': + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + created_at: + type: string + id: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: array + policy_id: + type: string + policy_name: + nullable: true + type: string + required: + - id + - policy_id + - created_at + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: Successful response + '400': content: application/json: + examples: + conflictingQueryParamsExample: + description: Both policyId and search query parameters were provided + value: + error: Bad Request + message: Query parameters `policyId` and `search` cannot be used at the same time. + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ActionDetailsResponse - description: OK - summary: Get action details + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get metadata for latest uninstall tokens tags: - - Security Endpoint Management API - /api/endpoint/action/{action_id}/file/{file_id}: + - Fleet uninstall tokens + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/uninstall_tokens/{uninstallTokenId}: get: - description: | - Get information for the specified response action file download. - operationId: EndpointFileInfo - parameters: - - description: The ID of the response action that generated the file. 
- in: path - name: action_id - required: true - schema: - type: string - - description: > - The file identifier is constructed in one of two ways: + description: |- + **Spaces method and path for this operation:** - - For Elastic Defend agents (`agentType` of `endpoint`): combine the - `action_id` and `agent_id` values using a dot (`.`) separator: +
get /s/{space_id}/api/fleet/uninstall_tokens/{uninstallTokenId}
- `{file_id}` = `{action_id}.{agent_id}` + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - For all other agent types: the `file_id` is the `agent_id` for - which the response action was sent to. - in: path - name: file_id + Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: get-fleet-uninstall-tokens-uninstalltokenid + parameters: + - in: path + name: uninstallTokenId required: true schema: type: string 
@@ -12037,15448 +60172,25220 @@ paths: '200': content: application/json: + examples: + getUninstallTokenExample: + description: Decrypted uninstall token for an agent policy + value: + item: + created_at: '2024-01-01T00:00:00.000Z' + id: token-id-1 + namespaces: + - default + policy_id: policy-id-1 + policy_name: Default policy + token: CKHJsJcBqNwIRcRBNDaE schema: + additionalProperties: false + type: object properties: - data: + item: + additionalProperties: false type: object properties: - actionId: - description: The response action ID. - type: string - agentId: - description: The agent ID that generated the file. - type: string - agentType: - description: The type of agent that generated the file. - type: string - created: - description: The date and time the file was created. - format: date-time + created_at: type: string id: - description: The unique file identifier. type: string - mimeType: - description: The MIME type of the file. + namespaces: + items: + type: string + maxItems: 100 + type: array + policy_id: type: string - name: - description: The file name. + policy_name: + nullable: true type: string - size: - description: The file size in bytes. - type: number - status: - description: The file upload status. - enum: - - AWAITING_UPLOAD - - UPLOADING - - READY - - UPLOAD_ERROR - - DELETED + token: type: string - description: Indicates a successful call. 
- summary: Get file information + required: + - id + - policy_id + - created_at + - token + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No uninstall token was found with the given ID + value: + error: Not Found + message: Uninstall Token not found with ID token-id-1 + statusCode: 404 + description: Not Found + summary: Get a decrypted uninstall token tags: - - Security Endpoint Management API - /api/endpoint/action/{action_id}/file/{file_id}/download: - get: - description: > - Download a file associated with a response action. Files are downloaded - in a password-protected `.zip` archive to prevent the file from running. - Use password `elastic` to open the `.zip` in a safe environment. + - Fleet uninstall tokens + x-metaTags: + - content: Kibana + name: product_name + /api/lists: + delete: + description: | + **Spaces method and path for this operation:** - > info +
delete /s/{space_id}/api/lists
- > Files retrieved from third-party-protected hosts require a different - password. Refer to [Third-party response - actions](https://www.elastic.co/docs/solutions/security/endpoint-response-actions/third-party-response-actions) - for your system's password. - operationId: EndpointFileDownload + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a value list using the list ID. + > info + > When you delete a list, all of its list items are also deleted. + operationId: DeleteList parameters: - - description: The ID of the response action that generated the file. - in: path - name: action_id + - in: query + name: id required: true schema: - type: string - - description: > - The file identifier is constructed in one of two ways: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: Determines whether exception items referencing this value list should be deleted. + in: query + name: deleteReferences + required: false + schema: + default: false + example: false + type: boolean + - description: Determines whether to delete value list without performing any additional checks of where this list may be utilized. + in: query + name: ignoreReferences + required: false + schema: + default: false + example: false + type: boolean + responses: + '200': + content: + application/json: + examples: + ipList: + value: + _version: WzIsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: List of bad internet ips. 
+ id: 21b01cfb-058d-44b9-838c-282be16c91cd + immutable: false + name: Bad ips + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T05:39:39.292Z' + updated_by: elastic + version: 3 + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: id: Required' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: \"ip_list\" was not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: 
'#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete a value list + tags: + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** - - For Elastic Defend agents (`agentType` of `endpoint`): combine the - `action_id` and `agent_id` values using a dot (`.`) separator: +
get /s/{space_id}/api/lists
- `{file_id}` = `{action_id}.{agent_id}` + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - For all other agent types: the `file_id` is the `agent_id` for - which the response action was sent to. - in: path - name: file_id + Get the details of a value list using the list ID. + operationId: ReadList + parameters: + - in: query + name: id required: true schema: - type: string + $ref: '#/components/schemas/Security_Lists_API_ListId' responses: '200': content: - application/octet-stream: + application/json: + examples: + ip: + value: + _version: WzEsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: This list describes bad internet ip + id: ip_list + immutable: false + name: My bad ips + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T05:21:53.843Z' + updated_by: elastic + version: 1 schema: - format: binary - type: string - description: Indicates a successful call. - summary: Download a file - tags: - - Security Endpoint Management API - /api/endpoint/action/cancel: - post: - description: >- - Cancel a running or pending response action (Applies only to some agent - types). 
- operationId: CancelAction - requestBody: - content: - application/json: - examples: - MicrosoftDefenderEndpoint: - summary: >- - Cancel a response action on a Microsoft Defender for Endpoint - host - value: - agent_type: microsoft_defender_endpoint - comment: Cancelling action due to change in requirements - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_CancelRouteRequestBody - required: true - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': content: application/json: examples: - CancelSuccess: - summary: Cancel action successfully created + badRequest: value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: microsoft_defender_endpoint - command: cancel - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + error: Bad Request + message: '[request query]: id: Required' + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Cancel a response action - tags: - - Security Endpoint Management API - /api/endpoint/action/execute: - post: - description: Run a shell command on an endpoint. 
- operationId: EndpointExecuteAction - requestBody: - content: - application/json: - examples: - executeCommand: - summary: Execute a shell command on an endpoint - value: - comment: Get list of all files - endpoint_ids: - - b3d6de74-36b0-4fa8-be46-c375bf1771bf - parameters: - command: ls -al - timeout: 600 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody - required: true - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - ExecuteSuccess: - summary: Execute action successfully created + unauthorized: value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: execute - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 9f934028-2300-4927-b531-b26376793dc4 - isCompleted: false - isExpired: false - outputs: {} - parameters: - command: ls -al - timeout: 600 - startedAt: '2023-07-28T18:43:27.362Z' - status: pending - wasSuccessful: false + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Run a command - tags: - - Security Endpoint Management API - /api/endpoint/action/get_file: - post: - description: Get a file from an endpoint. 
- operationId: EndpointGetFileAction - requestBody: - content: - application/json: - examples: - getFile: - summary: Get a specific file from an endpoint - value: - comment: Get my file - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - path: /usr/my-file.txt - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody - required: true - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - GetFileSuccess: - summary: Get file action successfully created + forbidden: value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: get-file - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 - isCompleted: false - isExpired: false - outputs: {} - parameters: - path: /usr/my-file.txt - startedAt: '2023-07-28T19:00:03.911Z' - status: pending - wasSuccessful: false + error: Forbidden + message: API [GET /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: \"foo\" not found' + status_code: 404 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. 
- summary: Get a file + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value list details tags: - - Security Endpoint Management API - /api/endpoint/action/isolate: - post: - description: >- - Isolate an endpoint from the network. The endpoint remains isolated - until it's released. - operationId: EndpointIsolateAction + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update specific fields of an existing list using the list `id`. + operationId: PatchList requestBody: content: application/json: - examples: - multiple_endpoints: - summary: Isolates several hosts; includes a comment - value: - comment: Locked down, pending further investigation - endpoint_ids: - - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 - - bc0e4f0c-3bca-4633-9fee-156c0b505d16 - - fa89271b-b9d4-43f2-a684-307cffddeb5a - single_endpoint: - summary: >- - Isolates a single host with an endpoint_id value of - ed518850-681a-4d60-bb98-e22640cae2a8 - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - with_case_id: - summary: Isolates a single host with a case_id value of 1234 - value: - case_ids: - - 4976be38-c134-4554-bd5e-0fd89ce63667 - comment: Isolating as initial response - endpoint_ids: - - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 - - b30a11bf-1395-4707-b508-fbb45ef9793e schema: + example: + id: ip_list + name: Bad ips list - UPDATED type: object properties: - agent_type: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_AgentTypes - alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max - of 50. 
- example: - - case-id-1 - - case-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - comment: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Comment - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Parameters + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + version: + $ref: '#/components/schemas/Security_Lists_API_ListVersion' required: - - endpoint_ids + - id + description: Value list's properties required: true responses: '200': content: application/json: examples: - IsolateSuccess: - summary: Isolate action successfully created + ip: value: - action: 233db9ea-6733-4849-9226-5a7039c7161d - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: isolate - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + _version: WzEsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: This list describes bad internet ips + id: ip_list + immutable: false + name: Bad ips list - UPDATED + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T05:21:53.843Z' + updated_by: elastic + version: 2 schema: - $ref: >- - 
#/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse - description: Indicates a successful call. - summary: Isolate an endpoint - tags: - - Security Endpoint Management API - /api/endpoint/action/kill_process: - post: - description: Terminate a running process on an endpoint. - operationId: EndpointKillProcessAction - requestBody: - content: - application/json: - examples: - byEntityId: - summary: Terminate a process by entity ID - value: - comment: Terminating malicious process - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - entity_id: abc123 - byPid: - summary: Terminate a process by PID - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - pid: 1234 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody - required: true - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': content: application/json: examples: - KillProcessSuccess: - summary: Kill process action successfully created + badRequest: value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: kill-process - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - entity_id: abc123 - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + error: Bad Request + message: '[request body]: name: Expected string, received number' + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. 
- summary: Terminate a process - tags: - - Security Endpoint Management API - /api/endpoint/action/memory_dump: - post: - description: Generates memory dumps on the targeted host. - operationId: EndpointGenerateMemoryDump - requestBody: - content: - application/json: - examples: - ProcessMemoryDump: - summary: Generate a memory dump from the host machine - value: - agent_type: endpoint - comment: Generating memory dump for investigation - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - entity_id: abc123 - type: process - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_MemoryDumpRouteRequestBody - required: true - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - MemoryDumpSuccessResponse: - summary: Memory dump action successfully created + unauthorized: value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: memory-dump - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - entity_id: abc123 - type: process - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. 
- summary: Generate a memory dump from the host machine - tags: - - Security Endpoint Management API - /api/endpoint/action/running_procs: - post: - description: Get a list of all processes running on an endpoint. - operationId: EndpointGetProcessesAction - requestBody: - content: - application/json: - examples: - singleEndpoint: - summary: Get running processes on a single endpoint - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody - required: true - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - RunningProcsSuccess: - summary: Running processes action successfully created + forbidden: value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: running-processes - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + error: Forbidden + message: API [PATCH /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. 
- summary: Get running processes + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Patch a value list tags: - - Security Endpoint Management API - /api/endpoint/action/runscript: + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name post: - description: Run a script on a host. Currently supported only for some agent types. - operationId: RunScriptAction + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new value list. + operationId: CreateList requestBody: content: application/json: examples: - MDE: - description: Microsoft Defender Endpoint runscript - summary: Run a script against a Microsoft Defender Endpoint agent + ip: value: - agent_type: microsoft_defender_endpoint - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - args: '-param1 value1 -param2 value2' - scriptName: my-script.ps1 - SentinelOne: - description: SentinelOne runscript - summary: Run a script against a SentinelOne agent + description: This list describes bad internet ips + id: ip_list + name: Simple list with ips + type: ip + ip_range: value: - agent_type: sentinel_one - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 - scriptInput: >- - --delete --paths-to-delete - /tmp/temp_file.txt,/tmp/random_file.txt + description: This list has ip ranges + id: ip_range_list + name: Simple list with ip ranges + type: ip_range + keyword: + value: + description: This list describes bad host names + id: keyword_list + name: Simple list with a keyword + type: keyword + keyword_custom_format: + value: + description: This parses the first found ipv4 only + id: keyword_custom_format_list + name: Simple list with a keyword using a custom format + type: keyword schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunScriptRouteRequestBody + type: object + properties: + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + type: + $ref: '#/components/schemas/Security_Lists_API_ListType' + version: + default: 1 + minimum: 1 + type: integer + required: + - name + - 
description + - type + description: Value list's properties required: true responses: '200': content: application/json: examples: - RunScriptSuccess: - summary: Run script action successfully created + ip: value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: sentinel_one - command: runscript - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + _version: WzAsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: This list describes bad internet ips + id: ip_list + immutable: false + name: Simple list with ips + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T04:47:34.273Z' + updated_by: elastic + version: 1 + ip_range: + value: + _version: WzAsMV0= + '@timestamp': '2025-01-09T18:23:52.241Z' + created_at: '2025-01-09T18:23:52.241Z' + created_by: elastic + description: This list has ip ranges + id: ip_range_list + immutable: false + name: Simple list with ip ranges + tie_breaker_id: 74aebdaf-601f-4940-b351-155728ff7003 + type: ip_range + updated_at: '2025-01-09T18:23:52.241Z' + updated_by: elastic + version: 1 + keyword: + value: + _version: WzEsMV0= + '@timestamp': '2025-01-09T18:24:55.786Z' + created_at: '2025-01-09T18:24:55.786Z' + created_by: elastic + description: This list describes bad host names + id: keyword_list + immutable: false + name: Simple list with a keyword + tie_breaker_id: f7e7dbaa-daf7-4c9a-a3dc-56643923ef68 + type: keyword + updated_at: '2025-01-09T18:24:55.786Z' + updated_by: elastic + version: 1 + keyword_custom_format: + value: 
+ _version: WzIsMV0= + '@timestamp': '2025-01-09T18:25:39.604Z' + created_at: '2025-01-09T18:25:39.604Z' + created_by: elastic + description: This parses the first found ipv4 only + id: keyword_custom_format_list + immutable: false + name: Simple list with a keyword using a custom format + tie_breaker_id: 8247ae63-b780-47b8-9a89-948b643e9ec2 + type: keyword + updated_at: '2025-01-09T18:25:39.604Z' + updated_by: elastic + version: 1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Run a script - tags: - - Security Endpoint Management API - /api/endpoint/action/scan: - post: - description: Scan a specific file or directory on an endpoint for malware. - operationId: EndpointScanAction - requestBody: - content: - application/json: - examples: - scanFile: - summary: Scan a file on an endpoint - value: - comment: Scan the file for malware - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - path: /usr/my-file.txt - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody - required: true - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json: + examples: + notFound: + value: + message: To create a list, the data stream must exist first. 
Data stream \".lists-default\" does not exist + status_code: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - ScanSuccess: - summary: Scan action successfully created + forbidden: value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: scan - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 - isCompleted: false - isExpired: false - outputs: {} - parameters: - path: /usr/my-file.txt - startedAt: '2023-07-28T19:00:03.911Z' - status: pending - wasSuccessful: false + error: Forbidden + message: API [POST /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Scan a file or directory - tags: - - Security Endpoint Management API - /api/endpoint/action/state: - get: - description: >- - Get a response actions state, which reports whether encryption is - enabled. 
- operationId: EndpointGetActionsState - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': content: application/json: + examples: + alreadyExists: + value: + message: 'list id: "keyword_custom_format_list" already exists' + status_code: 409 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse - description: OK - summary: Get actions state - tags: - - Security Endpoint Management API - /api/endpoint/action/suspend_process: - post: - description: Suspend a running process on an endpoint. - operationId: EndpointSuspendProcessAction - requestBody: - content: - application/json: - examples: - byEntityId: - summary: Suspend a process by entity ID - value: - comment: Suspending suspicious process - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - entity_id: abc123 - byPid: - summary: Suspend a process by PID - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - pid: 1234 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody - required: true - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List already exists response + '500': content: application/json: examples: - SuspendProcessSuccess: - summary: Suspend process action successfully created + serverError: value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: suspend-process - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - entity_id: abc123 - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + 
message: Internal Server Error + status_code: 500 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Suspend a process + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create a value list tags: - - Security Endpoint Management API - /api/endpoint/action/unisolate: - post: - description: Release an isolated endpoint, allowing it to rejoin a network. - operationId: EndpointUnisolateAction + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a value list using the list `id`. The original list is replaced, and all unspecified fields are deleted. + > info + > You cannot modify the `id` value. + operationId: UpdateList requestBody: content: application/json: - examples: - multipleHosts: - summary: 'Releases several hosts; includes a comment:' - value: - comment: Benign process identified, releasing group - endpoint_ids: - - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 - - bc0e4f0c-3bca-4633-9fee-156c0b505d16 - - fa89271b-b9d4-43f2-a684-307cffddeb5a - singleHost: - summary: >- - Releases a single host with an endpoint_id value of - ed518850-681a-4d60-bb98-e22640cae2a8 - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - withCaseId: - summary: Releases hosts with an associated case; includes a comment. - value: - case_ids: - - 4976be38-c134-4554-bd5e-0fd89ce63667 - comment: Remediation complete, restoring network - endpoint_ids: - - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 - - b30a11bf-1395-4707-b508-fbb45ef9793e schema: + example: + description: Latest list of bad ips + id: ip_list + name: Bad ips - updated type: object properties: - agent_type: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_AgentTypes - alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max - of 50. 
- example: - - case-id-1 - - case-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - comment: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Comment - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Parameters + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + version: + $ref: '#/components/schemas/Security_Lists_API_ListVersion' required: - - endpoint_ids + - id + - name + - description + description: Value list's properties required: true responses: '200': content: application/json: examples: - UnisolateSuccess: - summary: Unisolate action successfully created + ip: value: - action: 233db9ea-6733-4849-9226-5a7039c7161d - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: unisolate - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + _version: WzIsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: Latest list of bad ips + id: ip_list + immutable: false + name: Bad ips - updated + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T05:39:39.292Z' + updated_by: elastic + version: 3 schema: - $ref: >- - 
#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse - description: Indicates a successful call. - summary: Release an isolated endpoint - tags: - - Security Endpoint Management API - /api/endpoint/action/upload: - post: - description: Upload a file to an endpoint. - operationId: EndpointUploadAction - requestBody: - content: - multipart/form-data: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody - required: true - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': content: application/json: examples: - UploadSuccess: - summary: Upload action successfully created + badRequest: value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: upload - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: Host-5i6cuc8kdv - id: 9ff6aebc-2cb6-481e-8869-9b30036c9731 - isCompleted: false - isExpired: false - outputs: {} - parameters: - file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280 - file_name: fix-malware.sh - file_sha256: >- - a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a - file_size: 69 - startedAt: '2023-07-03T15:07:22.837Z' - status: pending - wasSuccessful: false + error: Bad Request + message: '[request body]: id: Expected string, received number' + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. 
- summary: Upload a file + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [PUT /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Update a value list tags: - - Security Endpoint Management API - /api/endpoint/metadata: + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + /api/lists/_find: get: - description: Get a list of all endpoint host metadata. - operationId: GetEndpointMetadataList + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a paginated subset of value lists. By default, the first page is returned, with 20 results per page. + operationId: FindLists parameters: - - in: query + - description: The page number to return. + in: query name: page required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - - in: query - name: pageSize + example: 1 + type: integer + - description: The number of value lists to return per page. + in: query + name: per_page required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' - - in: query - name: kuery + example: 20 + type: integer + - description: Determines which field is used to sort the results. + in: query + name: sort_field required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' - - in: query - name: hostStatuses - required: true + example: name + format: nonempty + minLength: 1 + type: string + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_HostStatuses' - - in: query - name: sortField + enum: + - desc + - asc + example: asc + type: string + - description: Returns the lists that come after the last lists returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all lists are sorted and returned correctly. + in: query + name: cursor required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SortField' - - in: query - name: sortDirection + $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' + - description: | + Filters the returned results according to the value of the specified field, + using the : syntax. 
+ in: query + name: filter required: false schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SortDirection + $ref: '#/components/schemas/Security_Lists_API_FindListsFilter' responses: '200': content: application/json: + examples: + ipList: + value: + cursor: WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d + data: + - _version: WzAsMV0= + '@timestamp': | + 2025-01-08T04:47:34.273Z + created_at: | + 2025-01-08T04:47:34.273Z + created_by: elastic + description: This list describes bad internet ip + id: ip_list + immutable: false + name: Simple list with an ip + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: | + 2025-01-08T04:47:34.273Z + updated_by: elastic + version: 1 + page: 1 + per_page: 20 + total: 1 + schema: + type: object + properties: + cursor: + $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' + data: + items: + $ref: '#/components/schemas/Security_Lists_API_List' + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + - cursor + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: page: Expected number, received nan' + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_MetadataListResponse - description: Indicates a successful call. 
- summary: Get a metadata list + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/lists/_find?page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value lists tags: - - Security Endpoint Management API - /api/endpoint/metadata/{id}: - get: - description: Get host metadata for a specific endpoint. - operationId: GetEndpointMetadata - parameters: - - description: The agent ID of the endpoint. - in: path - name: id - required: true - schema: - example: ed518850-681a-4d60-bb98-e22640cae2a8 - type: string + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + /api/lists/index: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/lists/index
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete the `.lists` and `.items` data streams. + operationId: DeleteListIndex responses: '200': content: application/json: schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointMetadataResponse - description: Indicates a successful call. - summary: Get metadata - tags: - - Security Endpoint Management API - /api/endpoint/policy_response: - get: - description: Get the most recent policy response for an endpoint. - operationId: GetPolicyResponse - parameters: - - description: The agent ID to retrieve the policy response for. - in: query - name: agentId - required: true - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' - responses: - '200': + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: Indicates a successful call. 
- summary: Get a policy response - tags: - - Security Endpoint Management API - /api/endpoint/protection_updates_note/{package_policy_id}: - get: - description: Get the protection updates note for a package policy. - operationId: GetProtectionUpdatesNote - parameters: - - description: The package policy ID to retrieve the protection updates note for. - in: path - name: package_policy_id - required: true - schema: - type: string - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse - description: Indicates a successful call. - summary: Get a protection updates note - tags: - - Security Endpoint Management API - post: - description: Create or update the protection updates note for a package policy. - operationId: CreateUpdateProtectionUpdatesNote - parameters: - - description: >- - The package policy ID to create or update the protection updates - note for. - in: path - name: package_policy_id - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - type: object - properties: - note: - description: The note content. - type: string - required: true - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream not found response + '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse - description: Indicates a successful call. 
- summary: Create or update a protection updates note + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete value list data streams tags: - - Security Endpoint Management API - /api/entity_analytics/monitoring/engine/delete: - delete: - description: >- - Deletes the Privilege Monitoring Engine and optionally removes all - associated privileged user data. - operationId: DeleteMonitoringEngine - parameters: - - description: Whether to delete all the privileged user data - in: query - name: data - required: false - schema: - default: false - type: boolean + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/index
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Verify that `.lists` and `.items` data streams exist. + operationId: ReadListIndex responses: '200': content: application/json: - examples: - DeleteMonitoringEngineResponse: - summary: Engine deleted successfully - value: - deleted: true schema: type: object properties: - deleted: + list_index: + type: boolean + list_item_index: type: boolean required: - - deleted + - list_index + - list_item_index description: Successful response - summary: Delete the Privilege Monitoring Engine - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/engine/disable: - post: - description: >- - Disables the Privilege Monitoring Engine, stopping all monitoring - activity without removing data. - operationId: DisableMonitoringEngine - responses: - '200': + '400': content: application/json: - examples: - DisableMonitoringEngineResponse: - summary: Engine disabled successfully - value: - status: disabled schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor - description: Successful response - summary: Disable the Privilege Monitoring Engine - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/engine/init: - post: - description: >- - Initializes the Privilege Monitoring Engine, setting up the required - resources and starting the engine. 
- operationId: InitMonitoringEngine - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - InitMonitoringEngineResponse: - summary: Engine initialized successfully + unauthorized: value: - status: started + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor - description: Successful response + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream(s) not found response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor - description: Internal Server Error - summary: Initialize the Privilege Monitoring Engine + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get status of value list data streams tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/engine/schedule_now: + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name post: - description: >- - Schedules the Privilege 
Monitoring Engine to run as soon as possible, - triggering an immediate monitoring cycle. - operationId: ScheduleMonitoringEngine + deprecated: true + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/lists/index
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create `.lists` and `.items` data streams in the relevant space. + operationId: CreateListIndex responses: '200': content: application/json: - examples: - ScheduleMonitoringEngineResponse: - summary: Engine scheduled successfully - value: - success: true schema: type: object properties: - success: - description: Indicates the scheduling was successful + acknowledged: type: boolean + required: + - acknowledged description: Successful response - '409': + '400': content: application/json: schema: - type: object - properties: - message: - description: Error message indicating the engine is already running - type: string - description: Conflict - Monitoring engine is already running - summary: Schedule the Privilege Monitoring Engine - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/privileges/health: - get: - description: >- - Returns the current health status of the Privilege Monitoring Engine, - including engine status, error details, and user count statistics. 
- operationId: PrivMonHealth - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - PrivMonHealthResponse: - summary: Healthy privilege monitoring engine + unauthorized: value: - status: started - users: - current_count: 42 - max_allowed: 1000 + error: Unauthorized + message: | + [security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate] + statusCode: 401 schema: - type: object - properties: - error: - type: object - properties: - message: - type: string - required: - - status - status: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus - users: - description: User statistics for privilege monitoring - type: object - properties: - current_count: - description: Current number of privileged users being monitored - type: integer - max_allowed: - description: >- - Maximum number of privileged users allowed to be - monitored - type: integer - required: - - current_count - - max_allowed - required: - - status - description: Successful response - summary: Health check on Privilege Monitoring - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/privileges/privileges: - get: - description: >- - Check if the current user has all required permissions for Privilege - Monitoring - operationId: PrivMonPrivileges - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: - example: - has_all_required: true - privileges: - elasticsearch: - index: - .entity_analytics.monitoring.user-default: - read: true schema: - $ref: 
>- - #/components/schemas/Security_Entity_Analytics_API_EntityAnalyticsPrivileges - description: Successful response - summary: Run a privileges check on Privilege Monitoring - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/users: - post: - description: >- - Creates a new privileged user to be monitored by the Privilege - Monitoring Engine. - operationId: CreatePrivMonUser - requestBody: - content: - application/json: - examples: - CreatePrivMonUserRequest: - summary: Create a monitored user - value: - entity_analytics_monitoring: - labels: - - field: department - source: api - value: IT - user: - name: john.doe - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserName' - required: true - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': content: application/json: examples: - CreatePrivMonUserResponse: - summary: Created monitored user + alreadyExists: value: - '@timestamp': '2026-01-28T12:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: api - value: IT - event: - ingested: '2026-01-28T12:00:00.000Z' - id: user-abc-123 - user: - is_privileged: true - name: john.doe + message: 'data stream: \".lists-default\" and \".items-default\" already exists' + status_code: 409 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc - description: User created successfully - summary: Create a new monitored user - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/users/_csv: - post: - description: >- - Bulk upserts privileged users by uploading a CSV file. Returns per-row - errors and aggregate upload statistics. - operationId: PrivmonBulkUploadUsersCSV - requestBody: - content: - multipart/form-data: - schema: - type: object - properties: - file: - description: The CSV file to upload. 
- format: binary - type: string - required: - - file - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream exists response + '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: - example: - errors: - - index: 1 - message: Invalid monitored field - username: john.doe - stats: - failedOperations: 1 - successfulOperations: 1 - totalOperations: 2 - uploaded: 1 - type: object - properties: - errors: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem - type: array - stats: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadStats - required: - - errors - - stats - description: Bulk upload successful - '413': - description: File too large - summary: Upsert multiple monitored users via CSV upload + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create list data streams tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/users/{id}: + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + /api/lists/items: delete: - description: Removes a privileged user from monitoring by their document ID. - operationId: DeletePrivMonUser + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a value list item using its `id`, or its `list_id` and `value` fields. + operationId: DeleteListItem parameters: - - in: path + - description: Value list item's identifier. Required if `list_id` and `value` are not specified. + in: query name: id - required: true + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + - description: Value list's identifier. Required if `id` is not specified. + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: The value used to evaluate exceptions. Required if `id` is not specified. + in: query + name: value + required: false schema: + example: 255.255.255.255 + type: string + - description: Determines when changes made by the request are made visible to search. + in: query + name: refresh + required: false + schema: + default: 'false' + enum: + - 'true' + - 'false' + - wait_for + example: false type: string responses: '200': content: application/json: examples: - DeletePrivMonUserResponse: - summary: User deleted successfully + ip: value: - acknowledged: true - message: User deleted successfully + _version: WzIwLDFd + '@timestamp': '2025-01-08T05:15:05.159Z' + created_at: '2025-01-08T05:15:05.159Z' + created_by: elastic + id: pd1WRJQBs4HAK3VQeHFI + list_id: ip_list + tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 + type: ip + updated_at: '2025-01-08T05:44:14.009Z' + updated_by: elastic + value: 255.255.255.255 schema: - type: object - properties: - acknowledged: - description: Indicates if the deletion was successful - type: boolean - message: - description: >- - A message providing additional information about the - deletion status - type: string - required: - - success - description: User deleted successfully - summary: Delete a monitored user - tags: - - Security Entity Analytics API - put: - 
description: >- - Updates the details of an existing monitored privileged user by their - document ID. - operationId: UpdatePrivMonUser - parameters: - - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - UpdatePrivMonUserRequest: - summary: Update a monitored user - value: - entity_analytics_monitoring: - labels: - - field: department - source: api - value: Security - user: - is_privileged: true - name: john.doe - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc - required: true - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_ListItem' + - items: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + type: array + description: Successful response + '400': content: application/json: examples: - UpdatePrivMonUserResponse: - summary: Updated monitored user + badRequest: value: - '@timestamp': '2026-01-28T12:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: api - value: Security - event: - ingested: '2026-01-28T12:00:00.000Z' - id: user-abc-123 - user: - is_privileged: true - name: john.doe + message: Either \"list_id\" or \"id\" needs to be defined in the request + status_code: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + 
content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/lists/items?id=pd1WRJQBs4HAK3VQeHFI] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list item with id: \"pd1WRJQBs4HAK3VQeHFI\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc - description: User updated successfully - summary: Update a monitored user + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete a value list item tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/users/list: + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name get: - description: >- - Returns a list of all privileged users currently being monitored. - Supports optional KQL filtering. - operationId: ListPrivMonUsers + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a value list item. + operationId: ReadListItem parameters: - - description: KQL query to filter the list of monitored users + - description: Value list item identifier. Required if `list_id` and `value` are not specified. in: query - name: kql + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: Value list item list's `id` identfier. Required if `id` is not specified. + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: The value used to evaluate exceptions. Required if `id` is not specified. + in: query + name: value required: false schema: + example: 127.0.0.2 type: string responses: '200': content: application/json: examples: - ListPrivMonUsersResponse: - summary: List of monitored users + ip: value: - - '@timestamp': '2026-01-28T12:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: api - value: IT - event: - ingested: '2026-01-28T12:00:00.000Z' - id: user-abc-123 - user: - is_privileged: true - name: john.doe - - '@timestamp': '2026-01-15T09:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: csv - value: Security - event: - ingested: '2026-01-15T09:00:00.000Z' - id: user-def-456 - user: - is_privileged: true - name: jane.smith + _version: WzExLDFd + '@timestamp': '2025-01-08T05:16:25.882Z' + created_at: '2025-01-08T05:16:25.882Z' + created_by: elastic + id: qN1XRJQBs4HAK3VQs3Gc + list_id: ip_list + tie_breaker_id: a9a34c02-a385-436e-86a0-02a3942f3537 + type: ip + updated_at: '2025-01-08T05:16:25.882Z' + updated_by: elastic + value: 127.0.0.2 schema: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc - type: array - description: List of monitored users - summary: List all monitored users - tags: - - 
Security Entity Analytics API - /api/entity_analytics/privileged_user_monitoring/pad/install: - post: - description: >- - Installs the privileged access detection integration package and sets up - the associated ML modules required for the Entity Analytics privileged - user monitoring experience. - operationId: InstallPrivilegedAccessDetectionPackage - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_ListItem' + - items: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + type: array + description: Successful response + '400': content: application/json: examples: - InstallPrivilegedAccessDetectionPackageResponse: - summary: Package installed successfully + badRequest: value: - message: Privileged access detection package installed successfully + message: Either \"list_id\" or \"id\" needs to be defined in the request + status_code: 400 schema: - type: object - properties: - message: - type: string - required: - - message - description: Successful response - summary: >- - Installs the privileged access detection package for the Entity - Analytics privileged user monitoring experience - tags: - - Security Entity Analytics API - /api/entity_analytics/privileged_user_monitoring/pad/status: - get: - description: >- - Returns the installation and ML module setup status of the privileged - access detection package, along with the state of each associated ML - job. 
- operationId: GetPrivilegedAccessDetectionPackageStatus - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - GetPrivilegedAccessDetectionPackageStatusResponse: - summary: Package fully installed and running + unauthorized: value: - jobs: - - description: Detects high-risk login patterns - job_id: pad-high-risk-login - state: opened - - description: Detects privilege escalation events - job_id: pad-privilege-escalation - state: opened - ml_module_setup_status: complete - package_installation_status: complete + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - type: object - properties: - jobs: - items: - type: object - properties: - description: - type: string - job_id: - type: string - state: - enum: - - closing - - closed - - opened - - failed - - opening - type: string - required: - - job_id - - state - type: array - ml_module_setup_status: - enum: - - complete - - incomplete - type: string - package_installation_status: - enum: - - complete - - incomplete - type: string - required: - - package_installation_status - - ml_module_setup_status - - jobs - description: Privileged access detection status retrieved - summary: >- - Gets the status of the privileged access detection package for the - Entity Analytics privileged user monitoring experience - tags: - - Security Entity Analytics API - /api/entity_analytics/watchlists: - post: - description: >- - Creates a new entity analytics watchlist with an optional set of entity - sources. Watchlists apply a risk score modifier to matched entities. 
- operationId: CreateWatchlist - requestBody: - content: - application/json: - examples: - CreateWatchlistRequest: - summary: Create watchlist request - value: - description: High risk vendor watchlist - managed: false - name: High Risk Vendors - riskModifier: 1.5 - CreateWatchlistWithSourcesRequest: - summary: Create watchlist with entity sources - value: - description: High risk vendor watchlist - entitySources: - - enabled: true - identifierField: user.name - indexPattern: my-sync-index - name: My User Index Source - type: index - managed: false - name: High Risk Vendors - riskModifier: 1.5 - schema: - type: object - properties: - description: - description: Description of the watchlist - type: string - entitySources: - description: Optional entity sources to create and link to the watchlist - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - filter: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_Filter - identifierField: - description: >- - Field used to query the entity store for index-type - sources - type: string - indexPattern: - type: string - integrationName: - description: >- - Required when type is entity_analytics_integration. - One of entityanalytics_okta, entityanalytics_ad. 
- type: string - matchers: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_Matcher - type: array - name: - type: string - queryRule: - description: >- - KQL query used to filter data from the provided index - patterns - type: string - range: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_DateRange - type: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntitySourceType - required: - - type - - name - type: array - managed: - description: Indicates if the watchlist is managed by the system - type: boolean - name: - description: Unique name for the watchlist - type: string - riskModifier: - description: Risk score modifier associated with the watchlist - maximum: 2 - minimum: 0 - type: number - required: - - name - - riskModifier - required: true - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - CreateWatchlistResponse: - summary: Created watchlist + forbidden: value: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-01-28T12:00:00.000Z' + error: Forbidden + message: API [GET /api/lists/items?id=qN1XRJQBs4HAK3VQs3Gc] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 schema: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistObject - - type: object - properties: - entitySources: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySource - type: array - description: Watchlist created successfully - summary: Create a new watchlist - tags: - - Security Entity Analytics API - x-state: Technical Preview - /api/entity_analytics/watchlists/{id}: - get: - description: >- - Retrieves the details of an entity analytics 
watchlist by its unique - identifier. - operationId: GetWatchlist - parameters: - - description: Unique ID of the watchlist - in: path - name: id - required: true - schema: - type: string - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - GetWatchlistResponse: - summary: Watchlist details + notFound: value: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' + message: 'list item id: \"foo\" not found' + status_code: 404 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistObject - description: Watchlist details - summary: Get a watchlist by ID - tags: - - Security Entity Analytics API - x-state: Technical Preview - put: - description: >- - Updates the name, description, risk modifier, or managed status of an - existing entity analytics watchlist. 
- operationId: UpdateWatchlist - parameters: - - description: The ID of the watchlist to update - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - UpdateWatchlistRequest: - summary: Update watchlist request - value: - description: High risk vendor watchlist - managed: false - name: High Risk Vendors - riskModifier: 1.5 - schema: - type: object - properties: - description: - description: Description of the watchlist - type: string - managed: - description: Indicates if the watchlist is managed by the system - type: boolean - name: - description: Unique name of the watchlist - type: string - riskModifier: - description: Risk score modifier associated with the watchlist - maximum: 2 - minimum: 0 - type: number - required: - - name - - riskModifier - required: true - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': content: application/json: examples: - UpdateWatchlistResponse: - summary: Updated watchlist + serverError: value: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' + message: Internal Server Error + status_code: 500 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistObject - description: Watchlist updated successfully - summary: Update an existing watchlist + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get a value list item tags: - - Security Entity Analytics API - x-state: Technical Preview - /api/entity_analytics/watchlists/{watchlist_id}/csv_upload: - post: - description: > - Uploads a CSV file to add entities to a watchlist. 
The CSV must contain - a header row - - with a "type" column (user, host, service, or generic) and one or more - ECS identity - - fields (e.g. "user.name", "host.hostname") used to match entities in the - entity store. - - - Matched entities are added to the watchlist and their - `entity.attributes.watchlists` + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** - field is updated in the entity store. +
patch /s/{space_id}/api/lists/items
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Each row will match up to 10,000 entities. - operationId: UploadWatchlistCsv - parameters: - - description: The ID of the watchlist to add entities to - example: high-risk-vendors - in: path - name: watchlist_id - required: true - schema: - type: string + Update specific fields of an existing value list item using the item `id`. + operationId: PatchListItem requestBody: content: - multipart/form-data: - examples: - csvUpload: - summary: CSV file with user entities - value: - file: | - type,user.name - user,john.doe - user,jane.smith + application/json: schema: + example: + id: pd1WRJQBs4HAK3VQeHFI + value: 255.255.255.255 type: object properties: - file: - description: The CSV file to upload. - format: binary + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + refresh: + description: Determines when changes made by the request are made visible to search. 
+ enum: + - 'true' + - 'false' + - wait_for type: string + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' required: - - file + - id + description: Value list item's properties required: true responses: '200': content: application/json: examples: - CsvUploadResponse: - summary: CSV upload response with mixed results + ipItem: value: - failed: 1 - items: - - matchedEntities: 1 - status: success - - error: Invalid entity type - matchedEntities: 0 - status: failure - - matchedEntities: 0 - status: unmatched - successful: 1 - total: 3 - unmatched: 1 + _version: WzE5LDFd + '@timestamp': '2025-01-08T05:15:05.159Z' + created_at: '2025-01-08T05:15:05.159Z' + created_by: elastic + id: pd1WRJQBs4HAK3VQeHFI + list_id: ip_list + tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 + type: ip + updated_at: '2025-01-08T05:23:37.602Z' + updated_by: elastic + value: 255.255.255.255 schema: - type: object - properties: - failed: - description: Number of rows that failed to process - example: 1 - type: integer - items: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem - type: array - successful: - description: Number of rows that matched at least one entity - example: 1 - type: integer - total: - description: Total number of rows processed - example: 3 - type: integer - unmatched: - description: Number of rows that matched no entities - example: 1 - type: integer - required: - - successful - - failed - - total - - unmatched - - items - description: Upload successful - '413': - description: File too large - summary: Upload a CSV file to add entities to a watchlist + $ref: '#/components/schemas/Security_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + message: 
'{"took":15,"timed_out":false,"total":1,"updated":0,"deleted":0,"batches":1,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1,"throttled_until_millis":0,"failures":[{"index":".ds-.items-default-2025.01.09-000001","id":"ip_item","cause":{"type":"document_parsing_exception","reason":"[1:107] failed to parse field [ip] of type [ip] in document with id ip_item. Preview of fields value: 2","caused_by":{"type":"illegal_argument_exception","reason":"2 is not an IP string literal."}},"status":400}]}' + status_code: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list item id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal 
Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Patch a value list item tags: - - Security Entity Analytics API - x-state: Technical Preview - /api/entity_analytics/watchlists/{watchlist_id}/entities/assign: + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name post: - description: > - Assigns the provided entities to the specified watchlist using a - "manual" source label. + description: | + **Spaces method and path for this operation:** - The entities must already exist in the entity store. +
post /s/{space_id}/api/lists/items
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - If an entity is already on the watchlist, no new document is created — - the "manual" label + Create a value list item and associate it with the specified value list. - is added to its existing source labels instead. - operationId: AssignWatchlistEntities - parameters: - - description: The ID of the watchlist to add entities to - example: high-risk-vendors - in: path - name: watchlist_id - required: true - schema: - type: string + All value list items in the same list must be the same type. For example, each list item in an `ip` list must define a specific IP address. + > info + > Before creating a list item, you must create a list. + operationId: CreateListItem requestBody: content: application/json: examples: - assignEntities: - summary: Assign two entities to a watchlist + ip: value: - euids: - - user:john.doe - - host:web-01 + list_id: ip_list + value: 127.0.0.1 + ip_range: + value: + list_id: ip_range_list + value: 192.168.0.0/16 + keyword: + value: + list_id: keyword_list + value: zeek schema: type: object properties: - euids: - description: The EUIDs of the entities to assign - example: - - user:john.doe - - host:web-01 - items: - type: string - type: array + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + list_id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + refresh: + description: Determines when changes made by the request are made visible to search. 
+ enum: + - 'true' + - 'false' + - wait_for + example: wait_for + type: string + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' required: - - euids + - list_id + - value + description: Value list item's properties required: true responses: '200': content: application/json: examples: - assignEntitiesResponse: - summary: Successful assignment of two entities + ip: value: - failed: 0 - items: - - euid: user:john.doe - status: success - - euid: host:web-01 - status: not_found - not_found: 1 - successful: 1 - total: 2 + _version: WzAsMV0= + '@timestamp': '2025-01-08T04:59:06.154Z' + created_at: '2025-01-08T04:59:06.154Z' + created_by: elastic + id: 21b01cfb-058d-44b9-838c-282be16c91cc + list_id: ip_list + tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a + type: ip + updated_at: '2025-01-08T04:59:06.154Z' + updated_by: elastic + value: 127.0.0.1 + ip_range: + value: + _version: WzEsMV0= + '@timestamp': '2025-01-09T18:33:08.202Z' + created_at: '2025-01-09T18:33:08.202Z' + created_by: elastic + id: ip_range_item + list_id: ip_range_list + tie_breaker_id: ea1b4189-efda-4637-b8f9-74655a5ebb61 + type: ip_range + updated_at: '2025-01-09T18:33:08.202Z' + updated_by: elastic + value: 192.168.0.0/16 + keyword: + value: + _version: WzIsMV0= + '@timestamp': '2025-01-09T18:34:29.422Z' + created_at: '2025-01-09T18:34:29.422Z' + created_by: elastic + id: 7f24737d-1da8-4626-a568-33070591bb4e + list_id: keyword_list + tie_breaker_id: 2108ced2-5e5d-401e-a88e-4dd69fc5fa27 + type: keyword + updated_at: '2025-01-09T18:34:29.422Z' + updated_by: elastic + value: zeek schema: - type: object - properties: - failed: - description: Number of entities that failed to process - example: 0 - type: integer - items: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem - type: array - not_found: - description: Number of entities not found in the entity store - example: 1 - type: integer - successful: - description: Number 
of entities successfully assigned - example: 1 - type: integer - total: - description: Total number of entities processed - example: 2 - type: integer - required: - - successful - - failed - - not_found - - total - - items - description: Assignment successful - summary: Manually assign entities to a watchlist + $ref: '#/components/schemas/Security_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: uri [/api/lists/items] with method [post] exists but is not available with the current configuration + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + listNotFound: + value: + message: 'list id: \"ip_list\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + 
application/json: + examples: + alreadyExists: + value: + message: 'list item id: \"ip_item\" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item already exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create a value list item tags: - - Security Entity Analytics API - x-state: Technical Preview; added in 9.4.0 - /api/entity_analytics/watchlists/{watchlist_id}/entities/unassign: - post: + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + put: description: | - Unassigns the provided entities from the specified watchlist. - This only removes the "manual" assignment. If the entity is also - assigned via other sources (for example, index or integration), it will - remain on the watchlist. - operationId: UnassignWatchlistEntities - parameters: - - description: The ID of the watchlist to remove entities from - example: high-risk-vendors - in: path - name: watchlist_id - required: true - schema: - type: string + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a value list item using the list item ID. The original list item is replaced, and all unspecified fields are deleted. + > info + > You cannot modify the `id` value. + operationId: UpdateListItem requestBody: content: application/json: - examples: - unassignEntities: - summary: Unassign two entities from a watchlist - value: - euids: - - user:john.doe - - host:web-01 + example: + id: ip_item + value: 255.255.255.255 schema: type: object properties: - euids: - description: The EUIDs of the entities to unassign - example: - - user:john.doe - - host:web-01 - items: - type: string - type: array + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' required: - - euids + - id + - value + description: Value list item's properties required: true responses: '200': content: application/json: examples: - unassignEntitiesResponse: - summary: Successful unassignment of two entities + ip: value: - failed: 0 - items: - - euid: user:john.doe - status: success - - euid: host:web-01 - status: not_found - not_found: 1 - successful: 1 - total: 2 + _version: WzIwLDFd + '@timestamp': '2025-01-08T05:15:05.159Z' + created_at: '2025-01-08T05:15:05.159Z' + created_by: elastic + id: pd1WRJQBs4HAK3VQeHFI + list_id: ip_list + tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 + type: ip + updated_at: '2025-01-08T05:44:14.009Z' + updated_by: elastic + value: 255.255.255.255 schema: - type: object - properties: - failed: - description: Number of entities that failed to process - example: 0 - type: integer - items: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem - type: array - not_found: - 
description: >- - Number of entities not found in the manual watchlist - assignment - example: 1 - type: integer - successful: - description: Number of entities successfully unassigned - example: 1 - type: integer - total: - description: Total number of entities processed - example: 2 - type: integer - required: - - successful - - failed - - not_found - - total - - items - description: Unassignment successful - summary: Manually unassign entities from a watchlist - tags: - - Security Entity Analytics API - x-state: Technical Preview; added in 9.4.0 - /api/entity_analytics/watchlists/list: - get: - description: Returns a list of all entity analytics watchlists. - operationId: ListWatchlists - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_ListItem' + description: Successful response + '400': content: application/json: examples: - ListWatchlistsResponse: - summary: List of watchlists + badRequest: value: - - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' - - createdAt: '2026-01-10T09:30:00.000Z' - description: Privileged user monitoring watchlist - id: watchlist-456 - managed: true - name: Privileged Accounts - riskModifier: 2 - updatedAt: '2026-02-01T15:45:00.000Z' + error: Bad Request + message: '[request body]: id: Expected string, received number' + statusCode: 400 schema: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistObject - type: array - description: List of watchlists - summary: List all watchlists + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot 
causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list item id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Update a value list item tags: - - Security Entity Analytics API - x-state: Technical Preview - /api/entity_store/enable: + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + /api/lists/items/_export: post: - description: >- - Initialize the entire Entity Store, creating engines for all or - specified entity types. - operationId: InitEntityStore - requestBody: - content: - application/json: - schema: - type: object - properties: - delay: - default: 1m - description: The delay before the transform will run. - pattern: '[smdh]$' - type: string - docsPerSecond: - default: -1 - description: The number of documents per second to process. 
- type: integer - enrichPolicyExecutionInterval: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' - entityTypes: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityType - type: array - fieldHistoryLength: - default: 10 - description: The number of historical values to keep for each field. - type: integer - filter: - type: string - frequency: - default: 1m - description: The frequency at which the transform will run. - pattern: '[smdh]$' - type: string - indexPattern: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_IndexPattern - lookbackPeriod: - default: 3h - description: >- - The amount of time the transform looks back to calculate the - aggregations. - pattern: '[smdh]$' - type: string - maxPageSearchSize: - default: 500 - description: >- - The initial page size to use for the composite aggregation - of each checkpoint. - type: integer - timeout: - default: 180s - description: The timeout for initializing the aggregating transform. - pattern: '[smdh]$' - type: string - timestampField: - default: '@timestamp' - description: The field to use as the timestamp. - type: string - description: Configuration for the entity store initialization. - required: true + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/lists/items/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export list item values from the specified value list. + operationId: ExportListItems + parameters: + - description: Value list's `id` to export. + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' responses: '200': + content: + application/ndjson: + schema: + description: A `.txt` file containing list items from the specified list + example: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 + 127.0.0.4 + 127.0.0.5 + 127.0.0.6 + 127.0.0.7 + 127.0.0.8 + 127.0.0.9 + format: binary + type: string + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: 'Bad Request","message":"[request query]: list_id: Required' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/lists/items/_export?list_id=ips.txt] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + schema: + $ref: 
'#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': content: application/json: examples: - initEntityStoreExample: - description: >- - The Entity Store was successfully initialized, creating host - and user engines in the installing state. - summary: Entity Store initialized with host and user engines + serverError: value: - engines: - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: installing - timeout: 180s - timestampField: '@timestamp' - type: host - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: installing - timeout: 180s - timestampField: '@timestamp' - type: user - succeeded: true + message: Internal Server Error + status_code: 500 schema: - type: object - properties: - engines: - description: The engine descriptors created during initialization. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - type: array - succeeded: - description: Whether the Entity Store was initialized successfully. - type: boolean - description: Successful response - '400': - description: Invalid request - summary: Initialize the Entity Store + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Export value list items tags: - - Security Entity Analytics API - /api/entity_store/engines: - delete: - operationId: DeleteEntityEngines + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + /api/lists/items/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/items/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get all value list items in the specified list. + operationId: FindListItems parameters: - - description: >- - The entity type of the engine ('user', 'host', 'service', - 'generic'). - examples: - hostAndService: - value: host,service + - in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: The page number to return. in: query - name: entityTypes + name: page required: false schema: - description: >- - Array of engine types to delete. Empty by default, which results - in all the engines being deleted. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - type: array - - description: Control flag to also delete the entity data. + example: 1 + type: integer + - description: The number of list items to return per page. in: query - name: delete_data + name: per_page required: false schema: - type: boolean + example: 20 + type: integer + - description: Determines which field is used to sort the results. + in: query + name: sort_field + required: false + schema: + example: value + format: nonempty + minLength: 1 + type: string + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + example: asc + type: string + - in: query + name: cursor + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' + - description: | + Filters the returned results according to the value of the specified field, + using the : syntax. 
+ in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter' responses: '200': content: application/json: examples: - deleteEntityEnginesExample: - description: Example response after deleting 'host' engine + ip: value: - deleted: - - host - still_running: - - generic - - user - - service + cursor: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d + data: + - _version: WzAsMV0= + '@timestamp': '2025-01-08T04:59:06.154Z' + created_at: '2025-01-08T04:59:06.154Z' + created_by: elastic + id: 21b01cfb-058d-44b9-838c-282be16c91cc + list_id: ip_list + tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a + type: ip + updated_at: '2025-01-08T04:59:06.154Z' + updated_by: elastic + value: 127.0.0.1 + page: 1 + per_page: 20 + total: 1 schema: type: object properties: - deleted: - description: Entity types whose engines were successfully deleted. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityType - type: array - still_running: - description: Entity types whose engines are still running. + cursor: + $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' + data: items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityType + $ref: '#/components/schemas/Security_Lists_API_ListItem' type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + - cursor description: Successful response - summary: Delete Entity Engines - tags: - - Security Entity Analytics API - get: - description: Get a list of all installed entity engines and their current status. - operationId: ListEntityEngines - responses: - '200': + '400': content: application/json: examples: - listEntityEnginesExample: - description: >- - Returns a list with one running host engine and one stopped - user engine. 
- summary: Two engines installed + badRequest: value: - count: 2 - engines: - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: host - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: stopped - timeout: 180s - timestampField: '@timestamp' - type: user + error: Bad Request, + message: '[request query]: list_id: Required' + statusCode: 400, schema: - type: object - properties: - count: - description: The total number of entity engines. - type: integer - engines: - description: An array of engine descriptors. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - type: array - description: Successful response - summary: List the Entity Engines - tags: - - Security Entity Analytics API - /api/entity_store/engines/{entityType}: - delete: - operationId: DeleteEntityEngine - parameters: - - description: The entity type of the engine (either 'user' or 'host'). - examples: - host: - value: host - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - - description: Control flag to also delete the entity data. - in: query - name: delete_data - required: false - schema: - type: boolean - - deprecated: true - description: Control flag to also delete the entity data. 
- in: query - name: data - required: false - schema: - type: boolean - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - deleteEntityEngineExample: - description: Example response after deleting 'host' engine + unauthorized: value: - deleted: true + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - type: object - properties: - deleted: - description: Whether the engine was successfully deleted. - type: boolean - description: Successful response - summary: Delete the Entity Engine - tags: - - Security Entity Analytics API - get: - description: >- - Get the engine descriptor for a specific entity type, including its - configuration and current status. - operationId: GetEntityEngine - parameters: - - description: The entity type of the engine. - example: host - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - getEntityEngineExample: - description: >- - Returns the engine descriptor for a host engine that is - currently running with default settings. 
- summary: A running host engine + forbidden: value: - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: host + error: Forbidden + message: API [GET /api/lists/items/_find?list_id=ip_list&page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - description: Successful response - summary: Get an Entity Engine + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value list items tags: - - Security Entity Analytics API - /api/entity_store/engines/{entityType}/init: + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + /api/lists/items/_import: post: - description: Initialize a single entity engine for the specified entity type. - operationId: InitEntityEngine + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/lists/items/_import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Import value list items from a TXT or CSV file. The maximum file size is 9 million bytes. + + You can import items to a new or existing list. + operationId: ImportListItems parameters: - - description: The entity type of the engine. - in: path - name: entityType - required: true + - description: | + List's id. + + Required when importing to an existing list. + in: query + name: list_id + required: false schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: | + Type of the importing list. + + Required when importing a new list whose list `id` is not specified. + examples: + ip: + value: ip + in: query + name: type + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListType' + - description: Determines when changes made by the request are made visible to search. + in: query + name: refresh + required: false + schema: + enum: + - 'true' + - 'false' + - wait_for + example: true + type: string requestBody: content: - application/json: + multipart/form-data: schema: type: object properties: - delay: - default: 1m - description: The delay before the transform will run. - pattern: '[smdh]$' - type: string - docsPerSecond: - default: -1 - description: The number of documents per second to process. - type: integer - enrichPolicyExecutionInterval: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' - fieldHistoryLength: - default: 10 - description: The number of historical values to keep for each field. - type: integer - filter: - type: string - frequency: - default: 1m - description: The frequency at which the transform will run. 
- pattern: '[smdh]$' - type: string - indexPattern: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_IndexPattern - lookbackPeriod: - default: 3h - description: >- - The amount of time the transform looks back to calculate the - aggregations. - pattern: '[smdh]$' - type: string - maxPageSearchSize: - default: 500 - description: >- - The initial page size to use for the composite aggregation - of each checkpoint. - type: integer - timeout: - default: 180s - description: The timeout for initializing the aggregating transform. - pattern: '[smdh]$' - type: string - timestampField: - default: '@timestamp' - description: The field to use as the timestamp for the entity type. + file: + description: A `.txt` or `.csv` file containing newline separated list items. + example: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 + 127.0.0.4 + 127.0.0.5 + 127.0.0.6 + 127.0.0.7 + 127.0.0.8 + 127.0.0.9 + format: binary type: string - description: Schema for the engine initialization required: true responses: '200': content: application/json: examples: - initEntityEngineExample: - description: >- - A host engine was successfully initialized and is now in the - installing state. 
- summary: Host engine initialized + ip: value: - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 3h - status: installing - timeout: 180s - timestampField: '@timestamp' - type: host + _version: WzAsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: This list describes bad internet ip + id: ip_list + immutable: false + name: Simple list with an ip + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T04:47:34.273Z' + updated_by: elastic + version: 1 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor + $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': - description: Invalid request - summary: Initialize an Entity Engine - tags: - - Security Entity Analytics API - /api/entity_store/engines/{entityType}/start: - post: - description: >- - Start a previously stopped entity engine, resuming transform processing - for the given entity type. - operationId: StartEntityEngine - parameters: - - description: The entity type of the engine to start. - example: host - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': content: application/json: examples: - startEntityEngineExample: - description: >- - The engine was successfully started and is now processing - data. - summary: Engine started successfully + badRequest: value: - started: true + message: Either type or list_id need to be defined in the query + status_code: 400 schema: - type: object - properties: - started: - description: Whether the engine was successfully started. 
- type: boolean - description: Successful response - summary: Start an Entity Engine + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/lists/items/_import?list_id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List with specified list_id does not exist response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Import value list items tags: - - Security Entity Analytics API - /api/entity_store/engines/{entityType}/stop: - post: - description: >- - Stop a running entity engine, pausing transform processing for the given - entity type. - operationId: StopEntityEngine - parameters: - - description: The entity type of the engine to stop. 
- example: host - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + /api/lists/privileges: + get: + operationId: ReadListPrivileges responses: '200': content: application/json: examples: - stopEntityEngineExample: - description: >- - The engine was successfully stopped and is no longer - processing data. - summary: Engine stopped successfully + privileges: value: - stopped: true + is_authenticated: true + listItems: + application: {} + cluster: + all: true + manage: true + manage_api_key: true + manage_index_templates: true + manage_ml: true + manage_own_api_key: true + manage_pipeline: true + manage_security: true + manage_transform: true + monitor: true + monitor_ml: true + monitor_transform: true + has_all_requested: true + index: + .items-default: + all: true + create: true + create_doc: true + create_index: true + delete: true + delete_index: true + index: true + maintenance: true + manage: true + monitor: true + read: true + view_index_metadata: true + write: true + username: elastic + lists: + application: {} + cluster: + all: true + manage: true + manage_api_key: true + manage_index_templates: true + manage_ml: true + manage_own_api_key: true + manage_pipeline: true + manage_security: true + manage_transform: true + monitor: true + monitor_ml: true + monitor_transform: true + has_all_requested: true + index: + .lists-default: + all: true + create: true + create_doc: true + create_index: true + delete: true + delete_index: true + index: true + maintenance: true + manage: true + monitor: true + read: true + view_index_metadata: true + write: true + username: elastic schema: type: object properties: - stopped: - description: Whether the engine was successfully stopped. 
+ is_authenticated: type: boolean + listItems: + $ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges' + lists: + $ref: '#/components/schemas/Security_Lists_API_ListPrivileges' + required: + - lists + - listItems + - is_authenticated description: Successful response - summary: Stop an Entity Engine - tags: - - Security Entity Analytics API - /api/entity_store/engines/apply_dataview_indices: - post: - description: >- - Synchronize data view index patterns to all running entity engines so - that newly added indices are picked up by the transforms. - operationId: ApplyEntityEngineDataviewIndices - responses: - '200': + '400': + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - applyDataviewIndicesExample: - description: >- - All running engines were successfully updated with the - current data view index patterns. - summary: All engines updated + unauthorized: value: - result: - - changes: - indexPatterns: - - logs-* - - filebeat-* - - auditbeat-* - type: host - - changes: - indexPatterns: - - logs-* - - filebeat-* - - auditbeat-* - type: user - success: true + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - type: object - properties: - result: - description: Per-engine update results. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult - type: array - success: - description: Whether all engines updated successfully. 
- type: boolean - description: Successful response - '207': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - partialSuccessExample: - description: >- - The host engine was updated but the user engine failed due - to insufficient privileges. - summary: One engine failed + forbidden: value: - errors: - - 'Failed to update user engine: insufficient privileges' - result: - - changes: - indexPatterns: - - logs-* - - filebeat-* - type: host - success: false + error: Forbidden + message: API [GET /api/lists/privileges] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 schema: - type: object - properties: - errors: - description: Error messages for engines that failed to update. - items: - type: string - type: array - result: - description: Per-engine update results for engines that succeeded. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult - type: array - success: - description: Always `false` for a partial success. - type: boolean - description: Partial successful response + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response '500': content: application/json: examples: - serverErrorExample: - description: >- - An unexpected error occurred while applying data view - indices. - summary: Internal server error + serverError: value: - body: An internal error occurred while updating engine indices - statusCode: 500 + message: Internal Server Error + status_code: 500 schema: - type: object - properties: - body: - description: Error message. - type: string - statusCode: - description: HTTP status code. 
- type: number - description: Error response - summary: Apply DataView indices to all installed engines + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value list privileges tags: - - Security Entity Analytics API - /api/entity_store/entities/{entityType}: - delete: - description: > - Delete a single entity in Entity Store. + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** - The entity will be immediately deleted from the latest index. It will - remain available in historical snapshots if it has been snapshotted. - The delete operation does not prevent the entity from being recreated if - it is observed again in the future. - operationId: DeleteSingleEntity +
get /s/{space_id}/api/lists/privileges
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/logstash/pipeline/{id}: + delete: + description: | + Delete a centrally-managed Logstash pipeline. + If your Elasticsearch cluster is protected with basic authentication, you must have either the `logstash_admin` built-in role or a customized Logstash writer role. + externalDocs: + description: Secure your connection + url: https://www.elastic.co/docs/reference/logstash/secure-connection + operationId: delete-logstash-pipeline parameters: - - example: user + - description: An identifier for the pipeline. in: path - name: entityType + name: id required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: string + responses: + '204': + description: Indicates a successful call + summary: Delete a Logstash pipeline + tags: + - logstash + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + get: + description: | + Get information for a centrally-managed Logstash pipeline. + To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash reader role. + externalDocs: + description: Secure your connection + url: https://www.elastic.co/docs/reference/logstash/secure-connection + operationId: get-logstash-pipeline + parameters: + - description: An identifier for the pipeline. 
+ in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getLogstashPipelineResponseExample1: + value: |- + { + "id": "hello-world", + "description": "Just a simple pipeline", + "username": "elastic", + "pipeline": "input { stdin {} } output { stdout {} }", + "settings": { + "queue.type": "persistent" + } + } + schema: + type: object + description: Indicates a successful call + summary: Get a Logstash pipeline + tags: + - logstash + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + Create a centrally-managed Logstash pipeline or update a pipeline. + To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash writer role. + externalDocs: + description: Secure your connection + url: https://www.elastic.co/docs/reference/logstash/secure-connection + operationId: put-logstash-pipeline + parameters: + - description: | + An identifier for the pipeline. Pipeline ID must begin with a letter or underscore and can contain only letters, underscores, dashes, hyphens, and numbers. + in: path + name: id + required: true + schema: + type: string requestBody: content: application/json: + examples: + putLogstashPipelineRequestExample1: + value: |- + { + "pipeline": "input { stdin {} } output { stdout {} }", + "settings": { + "queue.type": "persisted" + } + } schema: type: object properties: - id: - description: >- - Identifier of the entity to be deleted, commonly entity.id - value. - example: arn:aws:iam::123456789012:user/jane.doe + description: + description: A description of the pipeline. + type: string + pipeline: + description: A definition for the pipeline. 
type: string + settings: + description: | + Supported settings, represented as object keys, include the following: + + - `pipeline.workers` + - `pipeline.batch.size` + - `pipeline.batch.delay` + - `pipeline.ecs_compatibility` + - `pipeline.ordered` + - `queue.type` + - `queue.max_bytes` + - `queue.checkpoint.writes` + type: object required: - - id - description: Schema for the deleting entity - required: true + - pipeline + responses: + '204': + description: Indicates a successful call + summary: Create or update a Logstash pipeline + tags: + - logstash + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/logstash/pipelines: + get: + description: | + Get a list of all centrally-managed Logstash pipelines. + + To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash reader role. + > info + > Limit the number of pipelines to 10,000 or fewer. As the number of pipelines nears and surpasses 10,000, you may see performance issues on Kibana. + + The `username` property appears in the response when security is enabled and depends on when the pipeline was created or last updated. + externalDocs: + description: Secure your connection + url: https://www.elastic.co/docs/reference/logstash/secure-connection + operationId: get-logstash-pipelines responses: '200': content: application/json: examples: - deleteEntityExample: - description: >- - The entity was found and successfully removed from the - latest index. - summary: Entity deleted - value: - deleted: true + getLogstashPipelinesResponseExample1: + value: |- + { + "pipelines": [ + { + "id": "hello-world", + "description": "Just a simple pipeline", + "last_modified": "2018-04-14T12:23:29.772Z", + "username": "elastic" + }, + { + "id": "sleepy-pipeline", + "description": "", + "last_modified": "2018-03-24T03:41:30.554Z" + } + ] + } schema: type: object - properties: - deleted: - description: Whether the entity was successfully deleted. 
- type: boolean - description: Successful response. Entity deleted. - '404': - description: Entity Not Found. No entity with this ID and Type exists. - '503': - description: >- - Operation on an uninitialized Engine or in a cluster without CRUD - API Enabled - summary: Delete an entity in Entity Store + description: Indicates a successful call + summary: Get all Logstash pipelines tags: - - Security Entity Analytics API - put: - description: > - Update or create an entity in Entity Store. + - logstash + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/maintenance_window: + post: + description: |- + **Spaces method and path for this operation:** - If the specified entity already exists, it is updated with the provided - values. If the entity does not exist, a new one is created. By default, - only the following fields can be updated: * `entity.attributes.*` * - `entity.lifecycle.*` * `entity.behavior.*` To update other fields, set - the `force` query parameter to `true`. > info > Some fields always - retain the first observed value. Updates to these fields will not appear - in the final index. +
post /s/{space_id}/api/maintenance_window
- > Due to technical limitations, not all updates are guaranteed to appear - in the final list of observed values. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > Due to technical limitations, create is an async operation. The time - for a document to be present in the > final index depends on the entity - store transform and usually takes more than 1 minute. - operationId: UpsertEntity + [Required authorization] Route required privileges: write-maintenance-window. + operationId: post-maintenance-window parameters: - - example: user - in: path - name: entityType + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - - description: When true, allows updating protected fields. - in: query - name: force - required: false - schema: - default: false - type: boolean + example: 'true' + type: string requestBody: content: application/json: + examples: + createMaintenanceWindowRequest: + description: | + Create a maintenance window that recurs every week on Monday and Wednesday for two hours, with a scope that filters specific alerts using a KQL query. + summary: Create a maintenance window + value: + enabled: true + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + title: Weekly Maintenance Window schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' - description: Schema for the updating a single entity - required: true + additionalProperties: false + type: object + properties: + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. 
+ type: boolean + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + minimum: 1 + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + maximum: 12 + minimum: 1 + type: number + minItems: 1 + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + maximum: 31 + minimum: 1 + type: number + minItems: 1 + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + minItems: 1 + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. 
+ type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). Only alerts matching this query will be supressed by the maintenance window. + type: string + required: + - kql + required: + - query + required: + - alerting + title: + description: The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window. + type: string + required: + - title + - schedule responses: '200': content: application/json: + examples: + createMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully created. + summary: Create a maintenance window response + value: + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: upcoming + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' - description: Entity updated or created + additionalProperties: false + type: object + properties: + created_at: + description: The date and time when the maintenance window was created. + type: string + created_by: + description: The identifier for the user that created the maintenance window. + nullable: true + type: string + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. 
+ type: boolean + id: + description: The identifier for the maintenance window. + type: string + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + type: number + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + type: number + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. 
+ type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + required: + - query + required: + - alerting + status: + description: The current status of the maintenance window. + enum: + - running + - upcoming + - finished + - archived + - disabled + type: string + title: + description: The name of the maintenance window. + type: string + updated_at: + description: The date and time when the maintenance window was last updated. + type: string + updated_by: + description: The identifier for the user that last updated this maintenance window. + nullable: true + type: string + required: + - id + - title + - enabled + - created_by + - updated_by + - created_at + - updated_at + - status + - schedule + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. '403': - description: Operation on a restricted field - '409': - description: >- - Conflict. The entity was updated while another update was happening - in ElasticSearch - '503': - description: >- - Operation on an uninitialized Engine or in a cluster without CRUD - API Enabled - summary: Upsert an entity in Entity Store + description: Indicates that this call is forbidden. + summary: Create a maintenance window. tags: - - Security Entity Analytics API - /api/entity_store/entities/bulk: - put: - description: > - Update or create many entities in Entity Store. 
+ - maintenance-window + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/maintenance_window/_find: + get: + description: |- + **Spaces method and path for this operation:** - If the specified entity already exists, it is updated with the provided - values. If the entity does not exist, a new one is created. +
get /s/{space_id}/api/maintenance_window/_find
- The creation is asynchronous. The time for a document to be present in - the final index depends on the entity store transform and usually takes - more than 1 minute. - operationId: UpsertEntitiesBulk + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: read-maintenance-window. + operationId: get-maintenance-window-find parameters: - - description: When true, allows updating protected fields. + - description: The title of the maintenance window. in: query - name: force + name: title required: false schema: - default: false - type: boolean - requestBody: - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntitiesContainer - description: Schema for the updating many entities - required: true - responses: - '200': - description: Entities updated or created - '403': - description: Operation on a restricted field - '503': - description: >- - Operation on an uninitialized Engine or in a cluster without CRUD - API Enabled - summary: Upsert many entities in Entity Store - tags: - - Security Entity Analytics API - /api/entity_store/entities/list: - get: - description: List entities records, paging, sorting and filtering as needed. - operationId: ListEntities - parameters: - - description: Field to sort results by. - example: entity.name + type: string + - description: The user who created the maintenance window. in: query - name: sort_field + name: created_by required: false schema: type: string - - description: Sort order. + - description: The status of the maintenance window. It can be "running", "upcoming", "finished", "archived", or "disabled". in: query - name: sort_order + name: status required: false schema: - enum: - - asc - - desc - type: string - - description: Page number to return (1-indexed). 
- example: 1 + items: + enum: + - running + - finished + - upcoming + - archived + - disabled + type: string + type: array + - description: The page number to return. in: query name: page required: false schema: + default: 1 + maximum: 100 minimum: 1 - type: integer - - description: Number of entities per page. - example: 10 + type: number + - description: The number of maintenance windows to return per page. in: query name: per_page required: false schema: - maximum: 10000 + default: 10 + maximum: 100 minimum: 1 - type: integer - - description: An ES query to filter by. - in: query - name: filterQuery - required: false - schema: - type: string - - description: Entity types to include in the results. - in: query - name: entity_types - required: true - schema: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - type: array + type: number responses: '200': content: application/json: + examples: + findMaintenanceWindowsResponse: + description: | + The response returned when maintenance windows are successfully found. 
+ summary: Find maintenance windows response + value: + maintenanceWindows: + - created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: upcoming + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic + - created_at: '2025-03-10T09:00:00.000Z' + created_by: elastic + enabled: true + id: a1c94560-6e3b-4ea1-9065-8e3f1b8c5f29 + schedule: + custom: + duration: 1h + recurring: + end: '2025-12-31T00:00:00.000Z' + every: 2w + onWeekDay: + - FR + start: '2025-04-01T10:00:00.000Z' + timezone: US/Eastern + scope: + alerting: + query: + kql: 'kibana.alert.tags: "database"' + status: upcoming + title: Database Upgrade Window + updated_at: '2025-03-15T14:30:00.000Z' + updated_by: elastic + page: 1 + per_page: 10 + total: 2 schema: + additionalProperties: false type: object properties: - inspect: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_InspectQuery - page: - description: Current page number. - minimum: 1 - type: integer - per_page: - description: Number of entities per page. - maximum: 1000 - minimum: 1 - type: integer - records: - description: The entity records for this page. + maintenanceWindows: + description: The list of maintenance windows. items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_Entity + additionalProperties: false + type: object + properties: + created_at: + description: The date and time when the maintenance window was created. + type: string + created_by: + description: The identifier for the user that created the maintenance window. + nullable: true + type: string + enabled: + description: Whether the current maintenance window is enabled. 
Disabled maintenance windows do not suppress notifications. + type: boolean + id: + description: The identifier for the maintenance window. + type: string + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + type: number + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + type: number + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. 
+ type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + required: + - query + required: + - alerting + status: + description: The current status of the maintenance window. + enum: + - running + - upcoming + - finished + - archived + - disabled + type: string + title: + description: The name of the maintenance window. + type: string + updated_at: + description: The date and time when the maintenance window was last updated. + type: string + updated_by: + description: The identifier for the user that last updated this maintenance window. + nullable: true + type: string + required: + - id + - title + - enabled + - created_by + - updated_by + - created_at + - updated_at + - status + - schedule type: array + page: + description: The current page number. + type: number + per_page: + description: The number of maintenance windows returned per page. + type: number total: - description: Total number of entities matching the query. - minimum: 0 - type: integer + description: The total number of maintenance windows that match the query. + type: number required: - - records - page - per_page - total - description: Entities returned successfully - summary: List Entity Store Entities + - maintenanceWindows + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + summary: Search for a maintenance window. 
tags: - - Security Entity Analytics API - /api/entity_store/status: + - maintenance-window + x-state: Generally available; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/maintenance_window/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/maintenance_window/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: delete-maintenance-window-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the maintenance window to be deleted. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a maintenance window with the given ID does not exist. + summary: Delete a maintenance window. + tags: + - maintenance-window + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name get: - description: >- - Get the overall Entity Store status and per-engine statuses, optionally - including component-level health details. - operationId: GetEntityStoreStatus + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/maintenance_window/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: read-maintenance-window. + operationId: get-maintenance-window-id parameters: - - description: >- - If true, returns a detailed status of each engine including all its - components. - example: true - in: query - name: include_components + - description: The identifier for the maintenance window. + in: path + name: id + required: true schema: - type: boolean + type: string responses: '200': content: application/json: examples: - entityStoreRunning: - description: >- - The Entity Store is running with both host and user engines - started and using default settings. - summary: Entity Store running with two engines + getMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully retrieved. + summary: Get a maintenance window response value: - engines: - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: host - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: user - status: running + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: upcoming + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic schema: + additionalProperties: false type: object properties: - engines: - description: Per-engine status information. 
- items: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - - type: object - properties: - components: - description: >- - Detailed component-level status. Only included - when include_components is true. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineComponentStatus - type: array - type: array + created_at: + description: The date and time when the maintenance window was created. + type: string + created_by: + description: The identifier for the user that created the maintenance window. + nullable: true + type: string + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + id: + description: The identifier for the maintenance window. + type: string + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + type: number + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. 
+ items: + type: number + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. + type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + required: + - query + required: + - alerting status: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_StoreStatus - description: The overall status of the Entity Store. + description: The current status of the maintenance window. + enum: + - running + - upcoming + - finished + - archived + - disabled + type: string + title: + description: The name of the maintenance window. + type: string + updated_at: + description: The date and time when the maintenance window was last updated. + type: string + updated_by: + description: The identifier for the user that last updated this maintenance window. + nullable: true + type: string required: + - id + - title + - enabled + - created_by + - updated_by + - created_at + - updated_at - status - - engines - description: Successful response - summary: Get the status of the Entity Store + - schedule + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. 
+ '404': + description: Indicates a maintenance window with the given ID does not exist. + summary: Get maintenance window details. tags: - - Security Entity Analytics API - /api/exception_lists: - delete: - description: Delete an exception list using the `id` or `list_id` field. - operationId: DeleteExceptionList + - maintenance-window + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/maintenance_window/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: patch-maintenance-window-id parameters: - - description: >- - Exception list's identifier. Either `id` or `list_id` must be - specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: >- - Human readable exception list string identifier, e.g. - `trusted-linux-processes`. Either `id` or `list_id` must be - specified. - examples: - autogeneratedId: - value: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - list_id: - value: simple_list - in: query - name: list_id - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: > - `single` deletes the list in the current Kibana space; `agnostic` - deletes a global list. Must match the - - list you are removing when using `list_id` or `id`. - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false + example: 'true' + type: string + - description: The identifier for the maintenance window. + in: path + name: id + required: true schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single + type: string + requestBody: + content: + application/json: + examples: + updateMaintenanceWindowRequest: + description: | + Update a maintenance window to change its title, schedule, and scope. 
+ summary: Update a maintenance window + value: + enabled: true + schedule: + custom: + duration: 1h + recurring: + end: '2025-12-31T00:00:00.000Z' + every: 2w + onWeekDay: + - FR + start: '2025-04-01T10:00:00.000Z' + timezone: US/Eastern + scope: + alerting: + query: + kql: 'kibana.alert.tags: "database"' + title: Updated maintenance window + schema: + additionalProperties: false + type: object + properties: + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + minimum: 1 + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + maximum: 12 + minimum: 1 + type: number + minItems: 1 + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. 
+ items: + maximum: 31 + minimum: 1 + type: number + minItems: 1 + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + minItems: 1 + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. + type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). Only alerts matching this query will be supressed by the maintenance window. + type: string + required: + - kql + required: + - query + required: + - alerting + title: + description: The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window. + type: string responses: '200': content: application/json: examples: - detectionExceptionList: + updateMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully updated. + summary: Update a maintenance window response value: - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z + created_at: '2025-02-25T10:00:00.000Z' created_by: elastic - description: This is a sample detection type exception list. 
- id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 1h + recurring: + end: '2025-12-31T00:00:00.000Z' + every: 2w + onWeekDay: + - FR + start: '2025-04-01T10:00:00.000Z' + timezone: US/Eastern + scope: + alerting: + query: + kql: 'kibana.alert.tags: "database"' + status: upcoming + title: Updated maintenance window + updated_at: '2025-03-15T14:30:00.000Z' updated_by: elastic - version: 1 schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response + additionalProperties: false + type: object + properties: + created_at: + description: The date and time when the maintenance window was created. + type: string + created_by: + description: The identifier for the user that created the maintenance window. + nullable: true + type: string + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + id: + description: The identifier for the maintenance window. + type: string + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' 
+ type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + type: number + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + type: number + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. + type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + required: + - query + required: + - alerting + status: + description: The current status of the maintenance window. + enum: + - running + - upcoming + - finished + - archived + - disabled + type: string + title: + description: The name of the maintenance window. + type: string + updated_at: + description: The date and time when the maintenance window was last updated. + type: string + updated_by: + description: The identifier for the user that last updated this maintenance window. 
+ nullable: true + type: string + required: + - id + - title + - enabled + - created_by + - updated_by + - created_at + - updated_at + - status + - schedule + description: Indicates a successful call. '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response + description: Indicates an invalid schema or parameters. '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [DELETE - /api/exception_lists?list_id=simple_list&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response + description: Indicates that this call is forbidden. '404': + description: Indicates a maintenance window with the given ID does not exist. + '409': + description: Indicates that the maintenance window has already been updated by another user. + summary: Update a maintenance window. 
+ tags: + - maintenance-window + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/maintenance_window/{id}/_archive: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/maintenance_window/{id}/_archive
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: post-maintenance-window-id-archive + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the maintenance window to be archived. + in: path + name: id + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - notFound: - value: - message: 'exception list list_id: "foo" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json: - examples: - serverError: + archiveMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully archived. + summary: Archive a maintenance window response value: - message: Internal Server Error - status_code: 500 + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: archived + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Delete an exception list + additionalProperties: false + type: object + properties: + created_at: + description: The date and time when the maintenance window was created. 
+ type: string + created_by: + description: The identifier for the user that created the maintenance window. + nullable: true + type: string + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + id: + description: The identifier for the maintenance window. + type: string + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + type: number + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + type: number + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' 
+ type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. + type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + required: + - query + required: + - alerting + status: + description: The current status of the maintenance window. + enum: + - running + - upcoming + - finished + - archived + - disabled + type: string + title: + description: The name of the maintenance window. + type: string + updated_at: + description: The date and time when the maintenance window was last updated. + type: string + updated_by: + description: The identifier for the user that last updated this maintenance window. + nullable: true + type: string + required: + - id + - title + - enabled + - created_by + - updated_by + - created_at + - updated_at + - status + - schedule + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a maintenance window with the given ID does not exist. + summary: Archive a maintenance window. tags: - - Security Exceptions API - get: - description: Get the details of an exception list using the `id` or `list_id` field. - operationId: ReadExceptionList + - maintenance-window + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/maintenance_window/{id}/_unarchive: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/maintenance_window/{id}/_unarchive
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: post-maintenance-window-id-unarchive parameters: - - description: >- - Exception list's identifier. Either `id` or `list_id` must be - specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: >- - Human readable exception list string identifier, e.g. - `trusted-linux-processes`. Either `id` or `list_id` must be - specified. - in: query - name: list_id - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: > - When `single`, the list is resolved in the current Kibana space. - When `agnostic`, the list is a global - - (space-agnostic) container. Required for looking up the correct list - when `list_id` is not unique. - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false + example: 'true' + type: string + - description: The identifier for the maintenance window to be unarchived. + in: path + name: id + required: true schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single + type: string responses: '200': content: application/json: examples: - detectionType: + unarchiveMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully unarchived. + summary: Unarchive a maintenance window response value: - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z + created_at: '2025-02-25T10:00:00.000Z' created_by: elastic - description: This is a sample detection type exception list. 
- id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: upcoming + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' updated_by: elastic - version: 1 schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response + additionalProperties: false + type: object + properties: + created_at: + description: The date and time when the maintenance window was created. + type: string + created_by: + description: The identifier for the user that created the maintenance window. + nullable: true + type: string + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + id: + description: The identifier for the maintenance window. + type: string + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' 
+ type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + type: number + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + type: number + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. + type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + required: + - query + required: + - alerting + status: + description: The current status of the maintenance window. + enum: + - running + - upcoming + - finished + - archived + - disabled + type: string + title: + description: The name of the maintenance window. + type: string + updated_at: + description: The date and time when the maintenance window was last updated. + type: string + updated_by: + description: The identifier for the user that last updated this maintenance window. 
+ nullable: true + type: string + required: + - id + - title + - enabled + - created_by + - updated_by + - created_at + - updated_at + - status + - schedule + description: Indicates a successful call. '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response + description: Indicates an invalid schema or parameters. '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET - /api/exception_lists?list_id=simple_list&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response + description: Indicates that this call is forbidden. '404': + description: Indicates a maintenance window with the given ID does not exist. + summary: Unarchive a maintenance window. 
+ tags: + - maintenance-window + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/ml/saved_objects/sync: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/ml/saved_objects/sync
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Synchronizes Kibana saved objects for machine learning jobs and trained models in the default space. You must have `all` privileges for the **Machine Learning** feature in the **Analytics** section of the Kibana feature privileges. This API runs automatically when you start Kibana and periodically thereafter. + operationId: mlSync + parameters: + - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' + responses: + '200': content: application/json: examples: - notFound: - value: - message": 'exception list id: "foo" does not exist' - status_code": 404 + syncExample: + $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': + $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' + description: Indicates a successful call + '401': content: application/json: examples: - serverError: - value: - message: Internal Server Error - status_code: 500 + syncExample: + $ref: '#/components/examples/Machine_learning_APIs_mlSync401Example' schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get exception list details + $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' + description: Authorization information is missing or invalid. + summary: Sync saved objects in the default space tags: - - Security Exceptions API + - ml + x-metaTags: + - content: Kibana + name: product_name + /api/ml/saved_objects/update_jobs_spaces: post: - description: > - An exception list groups exception items and can be associated with - detection rules. You can assign exception lists to multiple detection - rules. + description: |- + **Spaces method and path for this operation:** - > info +
post /s/{space_id}/api/ml/saved_objects/update_jobs_spaces
- > All exception items added to the same list are evaluated using `OR` - logic. That is, if any of the items in a list evaluate to `true`, the - exception prevents the rule from generating an alert. Likewise, `OR` - logic is used for evaluating exceptions when more than one exception - list is assigned to a rule. To use the `AND` operator, you can define - multiple clauses (`entries`) in a single exception item. - operationId: CreateExceptionList + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a list of jobs to add and/or remove them from given spaces. + operationId: mlUpdateJobsSpaces requestBody: content: application/json: examples: - createDetection: + updateADJobSpacesRequest: value: - description: This is a sample detection type exception list. - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - type: detection - schema: - example: - description: This is a sample detection type exception list. 
- list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - type: detection - type: object - properties: - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription - list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - meta: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListMeta - name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListName - namespace_type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray - tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListTags - default: [] - type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListType - version: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListVersion - default: 1 - required: - - name - - description - - type - description: Exception list's properties - required: true + jobIds: + - test-job + jobType: anomaly-detector + spacesToAdd: + - default + spacesToRemove: + - '*' + updateDFAJobSpacesRequest: + value: + jobIds: + - test-job + jobType: data-frame-analytics + spacesToAdd: + - default + spacesToRemove: + - '*' responses: '200': content: application/json: examples: - autogeneratedListId: - value: - _version: WzMsMV0= - created_at: 2025-01-09T01:05:23.019Z - created_by: elastic - description: >- - This is a sample detection type exception with an - autogenerated list_id. 
- id: 28243c2f-624a-4443-823d-c0b894880931 - immutable: false - list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 - name: Sample Detection Exception List - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: ad94de31-39f7-4ad7-b8e4-988bfa95f338 - type: detection - updated_at: 2025-01-09T01:05:23.020Z - updated_by: elastic - version: 1 - namespaceAgnostic: - value: - _version: WzUsMV0= - created_at: 2025-01-09T01:10:36.369Z - created_by: elastic - description: This is a sample agnostic endpoint type exception. - id: 1a744e77-22ca-4b6b-9085-54f55275ebe5 - immutable: false - list_id: b935eb55-7b21-4c1c-b235-faa1df23b3d6 - name: Sample Agnostic Endpoint Exception List - namespace_type: agnostic - os_types: - - linux - tags: - - malware - tie_breaker_id: 49ea0adc-a2b8-4d83-a8f3-2fb98301dea3 - type: endpoint - updated_at: 2025-01-09T01:10:36.369Z - updated_by: elastic - version: 1 - typeDetection: - value: - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. - id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 - typeEndpoint: - value: - _version: WzQsMV0= - created_at: 2025-01-09T01:07:49.658Z - created_by: elastic - description: This is a sample endpoint type exception list. 
- id: a79f4730-6e32-4278-abfc-349c0add7d54 - immutable: false - list_id: endpoint_list - name: Sample Endpoint Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 94a028af-8f47-427a-aca5-ffaf829e64ee - type: endpoint - updated_at: 2025-01-09T01:07:49.658Z - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: list_id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: + successADResponse: value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: + test-job: + success: true + type: anomaly-detector + successDFAResponse: value: - error: Forbidden - message: >- - API [POST /api/exception_lists] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '409': + test-job: + success: true + type: data-frame-analytics + description: Indicates a successful call + summary: Update jobs spaces + tags: + - ml + 
x-metaTags: + - content: Kibana + name: product_name + /api/ml/saved_objects/update_trained_models_spaces: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/ml/saved_objects/update_trained_models_spaces
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a list of trained models to add and/or remove them from given spaces. + operationId: mlUpdateTrainedModelsSpaces + requestBody: + content: + application/json: + examples: + updateTrainedModelsSpacesRequest: + value: + modelIds: + - test-model + spacesToAdd: + - default + spacesToRemove: + - '*' + responses: + '200': content: application/json: examples: - alreadyExists: + successTMResponse: value: - message: 'exception list id: "simple_list" already exists' - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list already exists response - '500': + test-model: + success: true + type: trained-model" + description: Indicates a successful call + summary: Update trained models spaces + tags: + - ml + x-metaTags: + - content: Kibana + name: product_name + /api/note: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/note
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Deletes notes by saved object ID. Send either `noteId` (single ID) or `noteIds` (array of IDs) in the JSON body. + + The response has HTTP 200 with an empty body on success. + + Requires the **Timeline and Notes** write privilege (`notes_write`). + operationId: DeleteNote + requestBody: + content: + application/json: + examples: + deleteOne: + summary: Delete a single note by id + value: + noteId: 709f99c6-89b6-4953-9160-35945c8e174e + schema: + oneOf: + - nullable: true + type: object + properties: + noteId: + description: Saved object ID of the note to delete. + type: string + required: + - noteId + - nullable: true + type: object + properties: + noteIds: + description: Saved object IDs of the notes to delete. + items: + type: string + nullable: true + type: array + required: + - noteIds + description: | + Exactly one shape: `{ "noteId": "" }` for a single delete, or `{ "noteIds": ["", ...] }` for bulk delete. + `noteIds` may be null in some clients; prefer an empty array or omit unused fields when possible. + required: true + responses: + '200': + description: The notes were deleted successfully. Response body is empty. + summary: Delete one or more notes + tags: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/note
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns Security Timeline notes as saved objects. + + **Query modes (mutually exclusive branches on the server):** + + 1. **`documentIds` is set** — Returns notes whose `eventId` matches the given Elasticsearch document `_id` (single string or array). Pagination query parameters (`page`, `perPage`, etc.) are **not** applied; the server uses a fixed page size (up to 10000 notes). + + 2. **`savedObjectIds` is set** — Returns notes linked to the given Timeline saved object id(s). Same fixed cap as above; list-mode query parameters are **not** applied. + + 3. **Neither `documentIds` nor `savedObjectIds`** — Lists notes using saved-objects find semantics: `page` (default 1), `perPage` (default 10), optional `search`, `sortField`, `sortOrder`, `filter`, `createdByFilter`, and `associatedFilter`. + + Requires the **Timeline and Notes** read privilege (`notes_read`). + operationId: GetNotes + parameters: + - description: | + Event document `_id` values to match against each note's `eventId`. When this parameter is present, the response is all matching notes (up to the server's hard limit), not a paged list using `page`/`perPage`. + examples: + multiple: + summary: Multiple document ids (array) + value: + - id-one + - id-two + single: + summary: Single document id + value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b + in: query + name: documentIds + schema: + $ref: '#/components/schemas/Security_Timeline_API_DocumentIds' + - description: | + Timeline `savedObjectId` value(s). Returns notes that reference those timelines. When present, list-mode pagination parameters are not used; up to the server's hard limit of notes may be returned. 
+ examples: + singleTimeline: + summary: Single timeline id + value: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + in: query + name: savedObjectIds + schema: + $ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds' + - description: | + Page number for list mode (when `documentIds` and `savedObjectIds` are omitted). Passed as a string; default 1. + example: '1' + in: query + name: page + schema: + nullable: true + type: string + - description: | + Page size for list mode (when `documentIds` and `savedObjectIds` are omitted). Passed as a string; default 10. + example: '20' + in: query + name: perPage + schema: + nullable: true + type: string + - description: Search string for saved-objects find (list mode only). + in: query + name: search + schema: + nullable: true + type: string + - description: Field to sort by for saved-objects find (list mode only). + in: query + name: sortField + schema: + nullable: true + type: string + - description: Sort order (`asc` or `desc`) for saved-objects find (list mode only). + example: desc + in: query + name: sortOrder + schema: + nullable: true + type: string + - description: | + Kuery filter string combined with other list-mode filters (for example `createdByFilter` or `associatedFilter`). Typed as a string for API compatibility; interpreted by the saved-objects layer (list mode only). + in: query + name: filter + schema: + nullable: true + type: string + - description: | + Kibana user profile **UID** (UUID). The server resolves the user's display identifiers and returns notes whose `createdBy` matches any of them (list mode only). + example: f1c2d3e4-5b6a-7890-abcd-ef1234567890 + in: query + name: createdByFilter + schema: + nullable: true + type: string + - description: | + Restricts notes by how they relate to a Timeline and/or an event document (list mode only). Some values apply extra filtering after the query. Ignored when `documentIds` or `savedObjectIds` is used. 
+ in: query + name: associatedFilter + schema: + $ref: '#/components/schemas/Security_Timeline_API_AssociatedFilterType' + responses: + '200': content: application/json: examples: - serverError: + notesPage: + summary: Paged notes for a timeline value: - message: Internal Server Error - status_code: 500 + notes: + - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + note: Escalated to tier-2 analyst + noteId: 709f99c6-89b6-4953-9160-35945c8e174e + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzQ2LDFd + totalCount: 1 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create an exception list + $ref: '#/components/schemas/Security_Timeline_API_GetNotesResult' + description: Notes and total count for the requested mode. + summary: Get notes tags: - - Security Exceptions API - put: - description: Update an exception list using the `id` or `list_id` field. - operationId: UpdateExceptionList + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + patch: + description: | + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/note
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates a new note or updates an existing one. + + **Create:** Send `note` and omit `noteId` to create a new saved object. + + **Update:** Send `note` with the changed fields and set `noteId` to the note's saved object ID. Optionally include `version` for optimistic concurrency when the client has it from a prior read. + + Requires the **Timeline and Notes** write privilege (`notes_write`). + externalDocs: + description: Add or update a note on a Timeline + url: https://www.elastic.co/guide/en/security/current/timeline-api-update.html + operationId: PersistNoteRoute requestBody: content: application/json: examples: - fullReplace: + addNote: + summary: Add a note on an event value: - description: Different description - list_id: simple_list - name: Updated exception list name - os_types: - - linux - tags: - - draft - - malware - type: detection + note: + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + note: Escalated to tier-2 analyst + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e schema: - example: - description: Different description - list_id: simple_list - name: Updated exception list name - os_types: - - linux - tags: - - draft malware - type: detection type: object properties: - _version: - description: >- - The version id, normally returned by the API when the item - was retrieved. Use it ensure updates are done against the - latest version. + note: + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + description: Note payload (timeline, text, optional event linkage, metadata). + noteId: + description: The `savedObjectId` of the note to update. Omit when creating a new note. 
+ example: 709f99c6-89b6-4953-9160-35945c8e174e + nullable: true type: string - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - meta: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListMeta - name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListName - namespace_type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListTags - type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListType version: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListVersion + description: Saved object version string from a previous read; optional on update. + example: WzQ2LDFd + nullable: true + type: string required: - - name - - description - - type - description: Exception list's properties + - note + description: | + Body must include the `note` object. For updates, include `noteId` (and optionally `version`). + To attach a note to a specific event, set `note.eventId` to that event's document `_id`; for a timeline-wide note, omit or clear `eventId` per product rules. 
required: true responses: '200': content: application/json: examples: - simpleList: - value: - _version: WzExLDFd - created_at: 2025-01-07T20:43:55.264Z - created_by: elastic - description: Different description - id: fa7f545f-191b-4d32-b1f0-c7cd62a79e55 - immutable: false - list_id: simple_list - name: Updated exception list name - namespace_type: single - os_types: [] - tags: - - draft malware - tie_breaker_id: 319fe983-acdd-4806-b6c4-3098eae9392f - type: detection - updated_at: 2025-01-07T21:32:03.726Z - updated_by: elastic - version: 2 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: list_id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [PUT /api/exception_lists] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - 
application/json: - examples: - notFound: + persisted: + summary: Persisted note wrapper value: - message": 'exception list id: "foo" does not exist' - status_code": 404 + note: + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + note: Escalated to tier-2 analyst + noteId: 709f99c6-89b6-4953-9160-35945c8e174e + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzQ2LDFd schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': + $ref: '#/components/schemas/Security_Timeline_API_ResponseNote' + description: The persisted note, including `noteId` and `version`. + summary: Add or update a note + tags: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/observability_ai_assistant/chat/complete: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/observability_ai_assistant/chat/complete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new chat completion by using the Observability AI Assistant. + + The API returns the model's response based on the current conversation context. + + It also handles any tool requests within the conversation, which may trigger multiple calls to the underlying large language model (LLM). + + This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. + operationId: observability-ai-assistant-chat-complete + requestBody: + content: + application/json: + examples: + chatCompleteRequestExample: + $ref: '#/components/examples/Observability_AI_Assistant_API_ChatCompleteRequestExample' + schema: + type: object + properties: + actions: + items: + $ref: '#/components/schemas/Observability_AI_Assistant_API_Function' + type: array + connectorId: + description: A unique identifier for the connector. + type: string + conversationId: + description: A unique identifier for the conversation if you are continuing an existing conversation. + type: string + disableFunctions: + description: Flag indicating whether all function calls should be disabled for the conversation. If true, no calls to functions will be made. + type: boolean + instructions: + description: An array of instruction objects, which can be either simple strings or detailed objects. + items: + $ref: '#/components/schemas/Observability_AI_Assistant_API_Instruction' + type: array + messages: + description: An array of message objects containing the conversation history. + items: + $ref: '#/components/schemas/Observability_AI_Assistant_API_Message' + type: array + persist: + description: Indicates whether the conversation should be saved to storage. If true, the conversation will be saved and will be available in Kibana. 
+ type: boolean + title: + description: A title for the conversation. + type: string + required: + - messages + - connectorId + - persist + responses: + '200': content: application/json: examples: - serverError: - value: - message: Internal Server Error - status_code: 500 + chatCompleteResponseExample: + $ref: '#/components/examples/Observability_AI_Assistant_API_ChatCompleteResponseExample' schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Update an exception list + type: object + description: Successful response + summary: Generate a chat completion tags: - - Security Exceptions API - /api/exception_lists/_duplicate: - post: - description: Duplicate an existing exception list. - operationId: DuplicateExceptionList + - observability_ai_assistant + x-codeSamples: + - lang: cURL + source: | + curl --request POST 'localhost:5601/api/observability_ai_assistant/chat/complete' -u : -H 'kbn-xsrf: true' -H "Content-Type: application/json" --data ' + { + "connectorId": "", + "disableFunctions": false, + "messages": [ + { + "@timestamp": "2025-06-25T23:45:00.000Z", + "message": { + "role": "user", + "content": "Is my Elasticsearch cluster healthy right now?" + } + } + ], + "persist": false, + "actions": [ + { + "name": "get_cluster_health", + "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", + "parameters": { + "type": "object", + "properties": { + "includeShardStats": { + "type": "boolean", + "default": false + } + } + } + } + ], + "instructions": ["When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English."] + }' + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/history: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/history
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a unified, time-sorted history of live, rule-triggered, and scheduled osquery executions. The response uses cursor-based pagination. + operationId: OsqueryGetUnifiedHistory parameters: - - description: The `list_id` of the existing exception list to copy (source list). + - description: The number of results to return per page. in: query - name: list_id - required: true + name: pageSize + required: false schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: >- - Scope in which the source list is defined (`single` = current space, - `agnostic` = all spaces). - examples: - agnostic: - value: agnostic - single: - value: single + default: 20 + description: The number of results to return per page. + maximum: 100 + minimum: 1 + type: integer + - description: A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page. in: query - name: namespace_type - required: true + name: nextPage + required: false schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - - description: >- - Determines whether to include expired exceptions in the duplicated - list. Expiration date defined by `expire_time`. + description: A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page. + type: string + - description: A search string to filter history entries by pack name, query text, or query ID. in: query - name: include_expired_exceptions - required: true + name: kuery + required: false schema: - default: 'true' - enum: - - 'true' - - 'false' - example: true + description: A search string to filter history entries by pack name, query text, or query ID. 
type: string - responses: - '200': - content: - application/json: - examples: - detectionExceptionList: - value: - _version: WzExNDY1LDFd - created_at: 2025-01-09T16:19:50.280Z - created_by: elastic - description: This is a sample detection type exception - id: b2f4a715-6ab1-444c-8b1e-3fa1b1049429 - immutable: false - list_id: d6390d60-bce3-4a48-9002-52db600f329c - name: Sample Detection Exception List [Duplicate] - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: 6fa670bd-666d-4c9c-9f1e-d1dbc516e985 - type: detection - updated_at: 2025-01-09T16:19:50.280Z - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: >- - [request query]: namespace_type: Invalid enum value. - Expected 'agnostic' | 'single', received 'foo' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/exception_lists/_duplicate] is unauthorized - for user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - 
#/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'exception list id: "foo" does not exist' - status_code: 404 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Exception list not found - '405': - content: - application/json: - examples: - notAllowed: - value: - message: >- - Cannot duplicate: list is immutable or the operation is - not allowed in this state - status_code: 405 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list to duplicate not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Duplicate an exception list - tags: - - Security Exceptions API - /api/exception_lists/_export: - post: - description: Export an exception list and its associated items to an NDJSON file. - operationId: ExportExceptionList - parameters: - - description: >- - Exception list's internal `id` (UUID) returned on create; use with - `list_id` and `namespace_type` for an unambiguous target. + - description: Comma-separated list of user IDs to filter live query history. in: query - name: id - required: true + name: userIds + required: false schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: >- - Human-readable `list_id` of the exception list to export, as shown - in the UI and API responses. + description: Comma-separated list of user IDs to filter live query history. + example: elastic,admin + type: string + - description: Comma-separated list of source types to include. Valid values are `live`, `rule`, and `scheduled`. 
in: query - name: list_id - required: true + name: sourceFilters + required: false schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: > - `single` exports a list in the current Kibana space; `agnostic` - exports a global (space-agnostic) list. - examples: - agnostic: - value: agnostic - single: - value: single + description: Comma-separated list of source types to include. Valid values are `live`, `rule`, and `scheduled`. + example: live,scheduled + type: string + - description: The start of the time range filter (ISO 8601). in: query - name: namespace_type - required: true + name: startDate + required: false schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - - description: >- - Determines whether to include expired exceptions in the exported - list. Expiration date defined by `expire_time`. - example: true + description: The start of the time range filter (ISO 8601). + example: '2024-01-01T00:00:00Z' + type: string + - description: The end of the time range filter (ISO 8601). in: query - name: include_expired_exceptions - required: true + name: endDate + required: false schema: - default: 'true' - enum: - - 'true' - - 'false' + description: The end of the time range filter (ISO 8601). 
+ example: '2024-12-31T23:59:59Z' type: string responses: '200': - content: - application/ndjson: - examples: - exportSavedObjectsResponse: - value: > - {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This - is a sample detection type - exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample - Detection Exception - List","namespace_type":"single","os_types":[],"tags":["user - added string for a - tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} - - {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This - is a sample endpoint type - exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some - host","another - host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample - Endpoint Exception - List","namespace_type":"single","os_types":["linux"],"tags":["user - added string for a - tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} - - {"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0} - schema: - description: >- - A `.ndjson` file containing specified exception list and its - items - format: binary - type: string - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: >- - [request query]: list_id: Required, namespace_type: - Required - statusCode: 400 - 
schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/exception_lists/_export] is unauthorized - for user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message": 'exception list id: "foo" does not exist' - status_code": 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': content: application/json: examples: - serverError: + unifiedHistoryExample: + summary: Example unified history response value: - message: Internal Server Error - status_code: 500 + data: + - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agentCount: 5 + errorCount: 0 + id: 3c42c847-eb30-4452-80e0-728584042334 + queryName: uptime_query + queryText: select * from uptime; + source: Live + sourceType: live + successCount: 5 + timestamp: '2024-07-26T09:59:32.220Z' + totalRows: 42 + userId: elastic + - agentCount: 10 + errorCount: 1 + executionCount: 3 + id: pack_my_pack_uptime_3 + 
packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + plannedTime: '2024-07-26T09:00:00.000Z' + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + source: Scheduled + sourceType: scheduled + successCount: 9 + timestamp: '2024-07-26T09:00:00.000Z' + totalRows: 100 + hasMore: true + nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Export an exception list + $ref: '#/components/schemas/Security_Osquery_API_GetUnifiedHistoryResponse' + description: Indicates a successful call. + summary: Get unified query history tags: - - Security Exceptions API - /api/exception_lists/_find: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/live_queries: get: - description: Get a list of all exception list containers. - operationId: FindExceptionLists - parameters: - - description: > - Filters the returned results according to the value of the specified - field. - + description: |- + **Spaces method and path for this operation:** - Uses the `so type.field name:field` value syntax, where `so type` - can be: +
get /s/{space_id}/api/osquery/live_queries
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - `exception-list`: Specify a space-aware exception list. - - - `exception-list-agnostic`: Specify an exception list that is - shared across spaces. - in: query - name: filter - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_FindExceptionListsFilter - - description: > - Determines whether the returned containers are Kibana associated - with a Kibana space - - or available in all spaces (`agnostic` or `single`) - examples: - agnostic: - value: agnostic - single: - value: single + Get a list of all live queries. + operationId: OsqueryFindLiveQueries + parameters: + - description: A KQL search string to filter live queries. in: query - name: namespace_type + name: kuery required: false schema: - default: - - single - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - type: array - - description: The page number to return + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. in: query name: page required: false schema: - example: 1 - minimum: 1 - type: integer - - description: The number of exception lists to return per page + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. in: query - name: per_page + name: pageSize required: false schema: - example: 20 - minimum: 1 - type: integer - - description: Determines which field is used to sort the results. + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. in: query - name: sort_field + name: sort required: false schema: - example: name - type: string - - description: Determines the sort order, which can be `desc` or `asc`. + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. 
in: query - name: sort_order + name: sortOrder required: false schema: - enum: - - desc - - asc - example: desc - type: string + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: - examples: - simpleLists: - value: - data: - - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. - id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Detection Exception List - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 - page: 1 - per_page: 20 - total: 1 - schema: - type: object - properties: - data: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionList - type: array - page: - minimum: 1 - type: integer - per_page: - minimum: 1 - type: integer - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. 
- Expected 'agnostic' | 'single', received 'blob' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET /api/exception_lists/_find?namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get exception lists + $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryResponse' + description: Indicates a successful call. + summary: Get live queries tags: - - Security Exceptions API - /api/exception_lists/_import: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name post: - description: Import an exception list and its associated items from an NDJSON file. 
- operationId: ImportExceptionList - parameters: - - description: > - Determines whether existing exception lists with the same `list_id` - are overwritten. + description: |- + **Spaces method and path for this operation:** - If any exception items have the same `item_id`, those are also - overwritten. - in: query - name: overwrite - required: false - schema: - default: false - example: false - type: boolean - - description: > - Determines whether the list being imported will have a new `list_id` - generated. +
post /s/{space_id}/api/osquery/live_queries
- Additional `item_id`'s are generated for each exception item. Both - the exception + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - list and its items are overwritten. - in: query - name: as_new_list - required: false - schema: - default: false - example: false - type: boolean + Create and run a live query. + operationId: OsqueryCreateLiveQuery requestBody: content: - multipart/form-data: - examples: - ndjsonUpload: - value: - file: exception_lists.ndjson + application/json: schema: - type: object - properties: - file: - description: A `.ndjson` file containing the exception list - example: > - {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This - is a sample detection type - exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample - Detection Exception - List","namespace_type":"single","os_types":[],"tags":["user - added string for a - tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} - - {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This - is a sample endpoint type - exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some - host","another - host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample - Endpoint Exception - List","namespace_type":"single","os_types":["linux"],"tags":["user - added string for a - tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} - format: binary - type: string + $ref: 
'#/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody' required: true responses: '200': content: application/json: - examples: - withErrors: - value: - errors: - - error: - message: >- - Error found importing exception list: Invalid value - \"4\" supplied to \"list_id\" - status_code: 400 - list_id: (unknown list_id) - - error: - message: >- - Found that item_id: - \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" already - exists. Import of item_id: - \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" skipped. - status_code: 409 - item_id: f7fd00bb-dba8-4c93-9d59-6cbd427b6330 - list_id: 7d7cccb8-db72-4667-b1f3-648efad7c1ee - success: false, - success_count: 0, - success_count_exception_list_items: 0 - success_count_exception_lists: 0, - success_exception_list_items: false, - success_exception_lists: false, - withoutErrors: - value: - errors: [] - success: true - success_count: 2 - success_count_exception_list_items: 1 - success_count_exception_lists: 1 - success_exception_list_items: true - success_exception_lists: true, - schema: - type: object - properties: - errors: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray - success: - type: boolean - success_count: - minimum: 0 - type: integer - success_count_exception_list_items: - minimum: 0 - type: integer - success_count_exception_lists: - minimum: 0 - type: integer - success_exception_list_items: - type: boolean - success_exception_lists: - type: boolean - required: - - errors - - success - - success_count - - success_exception_lists - - success_count_exception_lists - - success_exception_list_items - - success_count_exception_list_items - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: >- - Multipart part `file` is required and must contain a valid - .ndjson exception list export - statusCode: 400 - schema: - oneOf: - - $ref: >- - 
#/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryResponse' + description: Indicates a successful call. + summary: Create a live query + tags: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/live_queries/{id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/live_queries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a live query using the query ID. + operationId: OsqueryGetLiveQueryDetails + parameters: + - description: The ID of the live query. + in: path + name: id + required: true + schema: + description: The ID of the live query result you want to retrieve. + example: 3c42c847-eb30-4452-80e0-728584042334 + type: string + responses: + '200': content: application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/exception_lists/_import] is unauthorized - for user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '500': + $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse' + description: Indicates a successful call. + summary: Get live query details + tags: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/live_queries/{id}/results/{actionId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/live_queries/{id}/results/{actionId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the results of a live query using the query action ID. + operationId: OsqueryGetLiveQueryResults + parameters: + - description: The ID of the live query. + in: path + name: id + required: true + schema: + description: The ID of the live query result you want to retrieve. + example: 3c42c847-eb30-4452-80e0-728584042334 + type: string + - description: The ID of the query action. + in: path + name: actionId + required: true + schema: + description: The ID of the query action that generated the live query results. + example: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + type: string + - description: A KQL search string to filter results. + in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. + in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + responses: + '200': content: application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Import an exception list + $ref: '#/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse' + description: Indicates a successful call. 
+ summary: Get live query results tags: - - Security Exceptions API - /api/exception_lists/items: - delete: - description: Delete an exception list item using the `id` or `item_id` field. - operationId: DeleteExceptionListItem + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/packs: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/packs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all query packs. + operationId: OsqueryFindPacks parameters: - - description: >- - Exception item's identifier. Either `id` or `item_id` must be - specified + - description: The page number to return. in: query - name: id + name: page required: false schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - - description: >- - Human readable exception item string identifier, e.g. - `trusted-linux-processes`. Either `id` or `item_id` must be - specified + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. in: query - name: item_id + name: pageSize required: false schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - - description: > - `single` deletes the item in the current Kibana space; `agnostic` - deletes an item in a space-agnostic list. Must match the list that - owns the item. - examples: - agnostic: - value: agnostic - single: - value: single + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. in: query - name: namespace_type + name: sort required: false schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. + in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: - examples: - simpleExceptionItem: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response - '400': + $ref: '#/components/schemas/Security_Osquery_API_FindPacksResponse' + description: Indicates a successful call. + summary: Get packs + tags: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/packs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a query pack. + operationId: OsqueryCreatePacks + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody' + required: true + responses: + '200': content: application/json: - examples: - badRequest: - value: - error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' - statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': + $ref: '#/components/schemas/Security_Osquery_API_CreatePacksResponse' + description: Indicates a successful call. + summary: Create a pack + tags: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/packs/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/osquery/packs/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a query pack using the pack ID. + operationId: OsqueryDeletePacks + parameters: + - description: The pack ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + responses: + '200': content: application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + example: {} + type: object + properties: {} + description: Indicates a successful call. + summary: Delete a pack + tags: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/packs/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a query pack using the pack ID. + operationId: OsqueryGetPacksDetails + parameters: + - description: The pack ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + responses: + '200': content: application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [DELETE - /api/exception_lists/items?item_id=simple_list&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-all] - statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + $ref: '#/components/schemas/Security_Osquery_API_FindPackResponse' + description: Indicates a successful call. + summary: Get pack details + tags: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/osquery/packs/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a query pack using the pack ID. + > info + > You cannot update a prebuilt pack. + operationId: OsqueryUpdatePacks + parameters: + - description: The pack ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody' + required: true + responses: + '200': content: application/json: - examples: - notFound: - value: - message: 'exception list item item_id: \"foo\" does not exist' - status_code: 404 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': + $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksResponse' + description: Indicates a successful call. + summary: Update a pack + tags: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/packs/{id}/copy: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/packs/{id}/copy
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a copy of a query pack with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`). The copied pack is always created with `enabled` set to `false`. + operationId: OsqueryCopyPacks + parameters: + - description: The ID of the pack to copy. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + responses: + '200': content: application/json: examples: - serverError: + copyPackExample: + summary: Example response for copying a pack value: - message: Internal Server Error - status_code: 500 + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: false + name: my_pack_copy + policy_ids: [] + queries: + - ecs_mapping: + - key: client.port + value: + field: port + id: ports + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: [] + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Delete an exception list item + $ref: '#/components/schemas/Security_Osquery_API_CopyPacksResponse' + description: Indicates a successful call. + summary: Copy a pack tags: - - Security Exceptions API + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/saved_queries: get: - description: >- - Get the details of an exception list item using the `id` or `item_id` - field. - operationId: ReadExceptionListItem + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/saved_queries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all saved queries. + operationId: OsqueryFindSavedQueries parameters: - - description: >- - Exception list item's identifier. Either `id` or `item_id` must be - specified. + - description: The page number to return. in: query - name: id + name: page required: false schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - - description: >- - Human readable exception item string identifier, e.g. - `trusted-linux-processes`. Either `id` or `item_id` must be - specified. + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. in: query - name: item_id + name: pageSize required: false schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - - description: > - `single` fetches the item in the current space; `agnostic` fetches a - global (space-agnostic) item. Must - - match how the list was created. - examples: - agnostic: - value: agnostic - single: - value: single + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. in: query - name: namespace_type + name: sort required: false schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. + in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: - examples: - simpleListItem: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET - /api/exception_lists/items?item_id=&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough 
privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'exception list item item_id: \"foo\" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get an exception list item + $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryResponse' + description: Indicates a successful call. + summary: Get saved queries tags: - - Security Exceptions API + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name post: - description: > - Create an exception item and associate it with the specified exception - list. + description: |- + **Spaces method and path for this operation:** - > info +
post /s/{space_id}/api/osquery/saved_queries
- > Before creating exception items, you must create an exception list. - operationId: CreateExceptionListItem + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create and save a query for later use. + operationId: OsqueryCreateSavedQuery requestBody: content: application/json: - examples: - simpleItem: - value: - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - type: simple schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemGeneric - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemEndpointList - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemEventFilters - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemHostIsolation - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistLinux - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistMac - 
description: Exception list item's properties + $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody' required: true responses: '200': content: application/json: - examples: - autogeneratedItemId: - value: - _version: WzYsMV0= - comments: [] - created_at: 2025-01-09T01:16:23.322Z - created_by: elastic - description: >- - This is a sample exception that has no item_id so it is - autogenerated. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - id: 323faa75-c657-4fa0-9084-8827612c207b - item_id: 80e6edf7-4b13-4414-858f-2fa74aa52b37 - list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 - name: Sample Autogenerated Exception List Item ID - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: d6799986-3a23-4213-bc6d-ed9463a32f23 - type: simple - updated_at: 2025-01-09T01:16:23.322Z - updated_by: elastic - detectionExceptionListItem: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withExistEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withMatchAnyEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withMatchEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: included - type: match - value: Elastic N.V. - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withNestedEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - entries: - - field: signer - operator: included - type: match - value: Evil - - field: trusted - operator: included - type: match - value: true - field: file.signature - type: nested - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withValueListEntry: - value: - _version: WzcsMV0= - comments: [] - created_at: 2025-01-09T01:31:12.614Z - created_by: elastic - description: >- - Don't signal when agent.name is rock01 and source.ip is in - the goodguys.txt list - entries: - - field: source.ip - list: - id: goodguys.txt - type: ip - operator: excluded - type: list - id: deb26876-297d-4677-8a1f-35467d2f1c4f - item_id: 686b129e-9b8d-4c59-8d8d-c93a9ea82c71 - list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 - name: Filter out good guys ip and agent.name rock01 - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: 5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8 - type: simple - updated_at: 2025-01-09T01:31:12.614Z - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request, - message: '[request body]: list_id: Expected string, received number' - statusCode: 400, - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST 
request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/exception_lists/items] is unauthorized for - user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '409': + $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryResponse' + description: Indicates a successful call. + summary: Create a saved query + tags: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/saved_queries/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/osquery/saved_queries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a saved query using the query ID. + operationId: OsqueryDeleteSavedQuery + parameters: + - description: The saved query ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + responses: + '200': content: application/json: - examples: - alreadyExists: - value: - message: >- - exception list item id: \"simple_list_item\" already - exists - status_code: 409 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item already exists response - '500': + $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse' + description: Indicates a successful call. + summary: Delete a saved query + tags: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/saved_queries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a saved query using the query ID. + operationId: OsqueryGetSavedQueryDetails + parameters: + - description: The saved query ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + responses: + '200': content: application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create an exception list item + $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse' + description: Indicates a successful call. + summary: Get saved query details tags: - - Security Exceptions API + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name put: - description: Update an exception list item using the `id` or `item_id` field. - operationId: UpdateExceptionListItem + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/osquery/saved_queries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a saved query using the query ID. + > info + > You cannot update a prebuilt saved query. + operationId: OsqueryUpdateSavedQuery + parameters: + - description: The saved query ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' requestBody: content: application/json: - examples: - updateItem: - value: - description: Updated description - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - name: Updated name - namespace_type: single - type: simple schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemGeneric - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEndpointList - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEventFilters - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemHostIsolation - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistMac - description: Exception list item's properties + $ref: 
'#/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody' required: true responses: '200': content: application/json: - examples: - simpleListItem: - value: - _version: WzEyLDFd - comments: [] - created_at: 2025-01-07T21:12:25.512Z - created_by: elastic - description: Updated description - entries: - - field: host.name - operator: included - type: match - value: rock01 - id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da - item_id: simple_list_item - list_id: simple_list - name: Updated name - namespace_type: single - os_types: [] - tags: [] - tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 - type: simple - updated_at: 2025-01-07T21:34:50.233Z - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: item_id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [PUT /api/exception_lists/items] is unauthorized for - user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 schema: - $ref: >- - 
#/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse' + description: Indicates a successful call. + summary: Update a saved query + tags: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/saved_queries/{id}/copy: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/saved_queries/{id}/copy
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a copy of a saved query with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`). + operationId: OsqueryCopySavedQuery + parameters: + - description: The ID of the saved query to copy. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + responses: + '200': content: application/json: examples: - notFound: + copySavedQueryExample: + summary: Example response for copying a saved query value: - message: 'exception list item item_id: \"foo\" does not exist' - status_code: 404 + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query_copy + interval: '60' + platform: linux,darwin + query: select * from uptime; + removed: false + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + snapshot: true + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': + $ref: '#/components/schemas/Security_Osquery_API_CopySavedQueryResponse' + description: Indicates a successful call. + summary: Copy a saved query + tags: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/scheduled_results/{scheduleId}/{executionCount}: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get paginated per-agent action results for a specific scheduled query execution, with success/failure aggregation and execution metadata (pack name, query name/text, timestamp). + operationId: OsqueryGetScheduledActionResults + parameters: + - description: The schedule ID of the scheduled query. + in: path + name: scheduleId + required: true + schema: + description: The schedule ID of the scheduled query. + example: pack_my_pack_uptime + type: string + - description: The execution count for this scheduled query run. + in: path + name: executionCount + required: true + schema: + description: The execution count for this scheduled query run. + example: 3 + type: integer + - description: The kuery to filter the results by. + in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. The default is 1. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. The default is 20. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field that is used to sort the results. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: Specifies the sort order. 
+ in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + responses: + '200': content: application/json: examples: - serverError: + scheduledActionResultsExample: + summary: Example scheduled action results response value: - message: Internal Server Error - status_code: 500 + aggregations: + failed: 1 + pending: 0 + successful: 9 + totalResponded: 10 + totalRowCount: 42 + currentPage: 0 + edges: + - _id: result-001 + fields: + agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 + rows_count: 5 + status: success + metadata: + executionCount: 3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + timestamp: '2024-07-26T09:00:00.000Z' + pageSize: 20 + total: 10 + totalPages: 1 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Update an exception list item + $ref: '#/components/schemas/Security_Osquery_API_GetScheduledActionResultsResponse' + description: Indicates a successful call. + summary: Get scheduled action results tags: - - Security Exceptions API - /api/exception_lists/items/_find: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results: get: - description: Get a list of all exception list items in the specified list. - operationId: FindExceptionListItems + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}/results
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get paginated query result rows (the actual osquery output data) for a specific scheduled query execution. + operationId: OsqueryGetScheduledQueryResults parameters: - - description: The `list_id`s of the items to fetch. - in: query - name: list_id + - description: The schedule ID of the scheduled query. + in: path + name: scheduleId required: true schema: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - type: array - - description: > - Filters the returned results according to the value of the specified - field, - - using the `:` syntax. - examples: - singleFilter: - value: - - exception-list.attributes.name:%My%20item - in: query - name: filter - required: false + description: The schedule ID of the scheduled query. + example: pack_my_pack_uptime + type: string + - description: The execution count for this scheduled query run. + in: path + name: executionCount + required: true schema: - default: [] - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_FindExceptionListItemsFilter - type: array - - description: > - Determines whether the returned containers are Kibana associated - with a Kibana space - - or available in all spaces (`agnostic` or `single`) - examples: - single: - value: - - single + description: The execution count for this scheduled query run. + example: 3 + type: integer + - description: The kuery to filter the results by. in: query - name: namespace_type + name: kuery required: false schema: - default: - - single - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - type: array - - description: > - Free-text search term applied to exception list item fields (for - example a hostname or file path fragment). + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. The default is 1. 
in: query - name: search + name: page required: false schema: - example: host.name - type: string - - description: The page number to return + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. The default is 20. in: query - name: page + name: pageSize required: false schema: - example: 1 - minimum: 0 - type: integer - - description: The number of exception list items to return per page + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field that is used to sort the results. in: query - name: per_page + name: sort required: false schema: - example: 20 - minimum: 0 - type: integer - - description: Determines which field is used to sort the results. - example: name + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: Specifies the sort order. in: query - name: sort_field + name: sortOrder required: false schema: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - - description: Determines the sort order, which can be `desc` or `asc`. + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + - description: The start date filter (ISO 8601) to narrow down results. in: query - name: sort_order + name: startDate required: false schema: - enum: - - desc - - asc - example: desc + description: The start date filter (ISO 8601) to narrow down results. + example: '2024-01-01T00:00:00Z' type: string responses: '200': content: application/json: examples: - simpleListItems: + scheduledQueryResultsExample: + summary: Example scheduled query results response value: data: - - _version: WzgsMV0= - comments: [] - created_at: 2025-01-07T21:12:25.512Z - created_by: elastic - description: This is a sample exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - jupiter - - saturn - id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 - type: simple - updated_at: 2025-01-07T21:12:25.512Z - updated_by: elastic - page: 1 - per_page: 20 - total: 1 + edges: + - _id: row-001 + fields: + host.uptime: + - '12345' + - _id: row-002 + fields: + host.uptime: + - '67890' + total: 2 + schema: + $ref: '#/components/schemas/Security_Osquery_API_GetScheduledQueryResultsResponse' + description: Indicates a successful call. + summary: Get scheduled query results + tags: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/pinned_event: + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/pinned_event
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Pin/unpin an event to/from an existing Timeline. + operationId: PersistPinnedEventRoute + requestBody: + content: + application/json: + examples: + pinEvent: + summary: Pin an event + value: + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + schema: + type: object + properties: + eventId: + description: The `_id` of the associated event for this pinned event. + example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + type: string + pinnedEventId: + description: The `savedObjectId` of the pinned event you want to unpin. + example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + nullable: true + type: string + timelineId: + description: The `savedObjectId` of the timeline that you want this pinned event unpinned from. + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + type: string + required: + - eventId + - timelineId + description: The pinned event to add or unpin, along with additional metadata. + required: true + responses: + '200': + content: + application/json: + examples: + pinnedSaved: + summary: Pinned event saved object + value: + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + pinnedEventId: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzQ2LDFe + unpinned: + summary: Unpin response + value: + unpinned: true + schema: + $ref: '#/components/schemas/Security_Timeline_API_PersistPinnedEventResponse' + description: Indicates a successful call. + summary: Pin/unpin an event + tags: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/risk_score/engine/dangerously_delete_data: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/risk_score/engine/dangerously_delete_data
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Cleaning up the the Risk Engine by removing the indices, mapping and transforms + operationId: CleanUpRiskEngine + responses: + '200': + content: + application/json: + examples: + CleanUpRiskEngineResponse: + summary: Successful cleanup response + value: + cleanup_successful: true schema: type: object properties: - data: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItem - type: array - page: - minimum: 1 - type: integer - per_page: - minimum: 1 - type: integer - pit: - type: string - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total + cleanup_successful: + type: boolean description: Successful response '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' + description: Task manager is unavailable + default: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse' + description: Unexpected error + summary: Cleanup the Risk Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/risk_score/engine/saved_object/configure: + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/risk_score/engine/saved_object/configure
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Configuring the Risk Engine Saved Object + operationId: ConfigureRiskEngineSavedObject + requestBody: + content: + application/json: + examples: + ConfigureRiskEngineSavedObjectRequest: + summary: Configure the risk engine saved object + value: + enable_reset_to_zero: false + exclude_alert_statuses: + - closed + exclude_alert_tags: + - low-priority + filters: + - entity_types: + - host + - user + filter: 'host.name: *' + range: + end: now + start: now-30d + schema: + type: object + properties: + enable_reset_to_zero: + type: boolean + exclude_alert_statuses: + items: + type: string + type: array + exclude_alert_tags: + items: + type: string + type: array + filters: + items: + type: object + properties: + entity_types: + items: + enum: + - host + - user + - service + type: string + type: array + filter: + description: KQL filter string + type: string + required: + - entity_types + - filter + type: array + range: + type: object + properties: + end: + type: string + start: + type: string + required: true + responses: + '200': content: application/json: examples: - badRequest: + ConfigureRiskEngineSavedObjectResponse: + summary: Successful configuration response value: - error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. 
- Expected 'agnostic' | 'single', received 'blob' - statusCode: 400 + risk_engine_saved_object_configured: true schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': + type: object + properties: + risk_engine_saved_object_configured: + type: boolean + description: Successful response + '400': content: application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' + description: Task manager is unavailable + default: content: application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET - /api/exception_lists/items/_find?list_id=simple_list&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + $ref: '#/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse' + description: Unexpected error + summary: Configure the Risk Engine Saved Object + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/risk_score/engine/schedule_now: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/risk_score/engine/schedule_now
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Schedule the risk scoring engine to run as soon as possible. You can use this to recalculate entity risk scores after updating their asset criticality. + operationId: ScheduleRiskEngineNow + requestBody: + content: + application/json: {} + responses: + '200': content: application/json: examples: - notFound: + ScheduleRiskEngineNowResponse: + summary: Successful schedule response value: - message: 'exception list list_id: "foo" does not exist' - status_code: 404 + success: true schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': + $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse' + description: Successful response + '400': content: application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get exception list items + $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' + description: Task manager is unavailable + default: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse' + description: Unexpected error + summary: Run the risk scoring engine tags: - - Security Exceptions API - /api/exception_lists/summary: - get: - description: Get a summary of the specified exception list. - operationId: ReadExceptionListSummary + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_bulk_create: + post: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_bulk_create
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create multiple Kibana saved objects. + + WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the import API for your use case. + NOTE: For forward compatibility, include `coreMigrationVersion` and `typeMigrationVersion` when creating saved objects outside of Kibana or when persisting raw saved objects outside of Kibana. + operationId: bulkCreateSavedObjects parameters: - - description: Exception list's identifier generated upon creation. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: Exception list's human readable identifier. + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - description: When true, overwrites the document with the same identifier. in: query - name: list_id - required: false + name: overwrite schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: > - `single` returns summary for a list in the current space; `agnostic` - for a space-agnostic list. Must + type: boolean + requestBody: + content: + application/json: + schema: + items: + type: object + properties: + coreMigrationVersion: + description: | + The Kibana version that last migrated this document. When creating saved objects outside of Kibana, preserve this field to retain forward compatibility. + type: string + typeMigrationVersion: + description: | + The type version that last migrated this document. When creating saved objects outside of Kibana, preserve this field to retain forward compatibility. + type: string + type: array + required: true + responses: + '200': + content: + application/json: + schema: + type: object + description: Indicates a successful call. 
+ '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Create saved objects + tags: + - saved objects + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_bulk_delete: + post: + deprecated: true + description: | + **Spaces method and path for this operation:** - line up with `id` / `list_id` used to look up the list. - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - - description: Search filter clause +
post /s/{space_id}/api/saved_objects/_bulk_delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: When you delete a saved object, it cannot be recovered. + + WARNING: This API is intended to be removed in a future Elastic stack version. There is currently no alternative API for all use cases supported by this API. Once alternative APIs are provided in a future Elastic version, it will be possible to migrate away from this API. + operationId: bulkDeleteSavedObjects + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - description: | + When true, force delete objects that exist in multiple namespaces. Note that the option applies to the whole request. Use the delete object API to specify per-object deletion behavior. TIP: Use this if you attempted to delete objects and received an HTTP 400 error with the following message: "Unable to delete saved object that exists in multiple namespaces, use the force option to delete it anyway". WARNING: When you bulk delete objects that exist in multiple namespaces, the API also deletes legacy url aliases that reference the object. These requests are batched to minimise the impact but they can place a heavy load on Kibana. Make sure you limit the number of objects that exist in multiple namespaces in a single bulk delete operation. 
in: query - name: filter - required: false + name: force schema: - example: >- - exception-list-agnostic.attributes.tags:"policy:policy-1" OR - exception-list-agnostic.attributes.tags:"policy:all" - type: string + type: boolean + requestBody: + content: + application/json: + schema: + items: + type: object + type: array + required: true responses: '200': content: application/json: - examples: - summary: - value: - linux: 0 - macos: 0 - total: 0 - windows: 0 schema: type: object - properties: - linux: - minimum: 0 - type: integer - macos: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer - windows: - minimum: 0 - type: integer - description: Successful response + description: | + Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body. '400': content: application/json: - examples: - badRequest: - value: - error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' - statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Delete saved objects + tags: + - saved objects + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_bulk_get: + post: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_bulk_get
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve multiple Kibana saved objects by identifier. + + WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the export API for your use case. + operationId: bulkGetSavedObjects + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + requestBody: + content: + application/json: + schema: + items: + type: object + type: array + required: true + responses: + '200': content: application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + type: object + description: Indicates a successful call. + '400': content: application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET - /api/exception_lists/summary?list_id=simple_list&namespace_type=agnostic] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-summary] - statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Get saved objects + tags: + - saved objects + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_bulk_resolve: + post: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_bulk_resolve
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve multiple Kibana saved objects by identifier using any legacy URL aliases if they exist. Under certain circumstances when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved by the bulk resolve API using either its new ID or its old ID. + + WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the export API for your use case. + operationId: bulkResolveSavedObjects + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + requestBody: + content: + application/json: + schema: + items: + type: object + type: array + required: true + responses: + '200': content: application/json: - examples: - notFound: - value: - message": 'exception list id: "foo" does not exist' - status_code": 404 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': + type: object + description: | + Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body. 
+ '400': content: application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get an exception list summary + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Resolve saved objects tags: - - Security Exceptions API - /api/exceptions/shared: + - saved objects + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_bulk_update: post: - description: > - An exception list groups exception items and can be associated with - detection rules. A shared exception list can apply to multiple detection - rules. + deprecated: true + description: | + **Spaces method and path for this operation:** - > info +
post /s/{space_id}/api/saved_objects/_bulk_update
- > All exception items added to the same list are evaluated using `OR` - logic. That is, if any of the items in a list evaluate to `true`, the - exception prevents the rule from generating an alert. Likewise, `OR` - logic is used for evaluating exceptions when more than one exception - list is assigned to a rule. To use the `AND` operator, you can define - multiple clauses (`entries`) in a single exception item. - operationId: CreateSharedExceptionList + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update the attributes for multiple Kibana saved objects. + + WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the import API for your use case. + operationId: bulkUpdateSavedObjects + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' requestBody: content: application/json: schema: - example: - description: This is a sample detection type exception list. - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware + items: + type: object + type: array + required: true + responses: + '200': + content: + application/json: + schema: + type: object + description: | + Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Update saved objects + tags: + - saved objects + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_export: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve sets of saved objects that you want to import into Kibana. You must include `type` or `objects` in the request body. The output of exporting saved objects must be treated as opaque. Tampering with exported data risks introducing unspecified errors and data loss. + + Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana. + + NOTE: The exported saved objects include `coreMigrationVersion` and `typeMigrationVersion` metadata. If you store exported saved objects outside of Kibana (for example in NDJSON files) or generate them yourself, you must preserve or include these fields to retain forward compatibility across Kibana versions. + + NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be exported. + operationId: post-saved-objects-export + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + exportSavedObjectsRequest: + summary: Export a specific saved object. + value: + excludeExportDetails: true + includeReferencesDeep: false + objects: + - id: de71f4f0-1902-11e9-919b-ffe5949a18d2 + type: map + schema: + additionalProperties: false type: object properties: - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription - name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListName - required: - - name - - description - required: true + excludeExportDetails: + default: false + description: Do not add export details entry at the end of the stream. 
+ type: boolean + hasReference: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + - items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + maxItems: 100 + type: array + includeReferencesDeep: + default: false + description: Includes all of the referenced objects in the exported objects. + type: boolean + objects: + description: 'A list of objects to export. NOTE: this optional parameter cannot be combined with the `types` option' + items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + maxItems: 10000 + type: array + search: + description: Search for documents to export using the Elasticsearch Simple Query String syntax. + type: string + type: + anyOf: + - type: string + - items: + type: string + maxItems: 100 + type: array + description: The saved object types to include in the export. Use `*` to export all the types. Valid options depend on enabled plugins, but may include `visualization`, `dashboard`, `search`, `index-pattern`, `tag`, `config`, `config-global`, `lens`, `map`, `event-annotation-group`, `query`, `url`, `action`, `alert`, `alerting_rule_template`, `apm-indices`, `cases-user-actions`, `cases`, `cases-comments`, `infrastructure-monitoring-log-view`, `ml-trained-model`, `osquery-saved-query`, `osquery-pack`, `osquery-pack-asset`. + responses: + '200': + content: + application/x-ndjson: + examples: + exportSavedObjectsResponse: + summary: The export objects API response contains a JSON record for each exported object. 
+ value: + attributes: + description: '' + layerListJSON: '[{"id":"0hmz5","alpha":1,"sourceDescriptor":{"type":"EMS_TMS","isAutoSelect":true,"lightModeDefault":"road_map_desaturated"},"visible":true,"style":{},"type":"EMS_VECTOR_TILE","minZoom":0,"maxZoom":24},{"id":"edh66","label":"Total Requests by Destination","minZoom":0,"maxZoom":24,"alpha":0.5,"sourceDescriptor":{"type":"EMS_FILE","id":"world_countries","tooltipProperties":["name","iso2"]},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e","origin":"join"},"color":"Greys","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"STATIC","options":{"size":10}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR","joins":[{"leftField":"iso2","right":{"type":"ES_TERM_SOURCE","id":"673ff994-fc75-4c67-909b-69fcb0e1060e","indexPatternTitle":"kibana_sample_data_logs","term":"geo.dest","indexPatternRefName":"layer_1_join_0_index_pattern","metrics":[{"type":"count","label":"web logs count"}],"applyGlobalQuery":true}}]},{"id":"gaxya","label":"Actual 
Requests","minZoom":9,"maxZoom":24,"alpha":1,"sourceDescriptor":{"id":"b7486535-171b-4d3b-bb2e-33c1a0a2854c","type":"ES_SEARCH","geoField":"geo.coordinates","limit":2048,"filterByMapBounds":true,"tooltipProperties":["clientip","timestamp","host","request","response","machine.os","agent","bytes"],"indexPatternRefName":"layer_2_source_index_pattern","applyGlobalQuery":true,"scalingType":"LIMIT"},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"STATIC","options":{"color":"#2200ff"}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":2}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"bytes","origin":"source"},"minSize":1,"maxSize":23,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"},{"id":"tfi3f","label":"Total Requests and Bytes","minZoom":0,"maxZoom":9,"alpha":1,"sourceDescriptor":{"type":"ES_GEO_GRID","resolution":"COARSE","id":"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b","geoField":"geo.coordinates","requestType":"point","metrics":[{"type":"count","label":"web logs 
count"},{"type":"sum","field":"bytes"}],"indexPatternRefName":"layer_3_source_index_pattern","applyGlobalQuery":true},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"color":"Blues","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#cccccc"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"sum_of_bytes","origin":"source"},"minSize":7,"maxSize":25,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelText":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelSize":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"minSize":12,"maxSize":24,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"}]' + mapStateJSON: '{"zoom":3.64,"center":{"lon":-88.92107,"lat":42.16337},"timeFilters":{"from":"now-7d","to":"now"},"refreshConfig":{"isPaused":true,"interval":0},"query":{"language":"kuery","query":""},"settings":{"autoFitToDataBounds":false}}' + title: '[Logs] Total Requests and Bytes' + uiStateJSON: '{"isDarkMode":false}' + coreMigrationVersion: 8.8.0 + created_at: '2023-08-23T20:03:32.204Z' + id: de71f4f0-1902-11e9-919b-ffe5949a18d2 + managed: false + references: + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: layer_1_join_0_index_pattern + type: index-pattern + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: layer_2_source_index_pattern + type: index-pattern + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: layer_3_source_index_pattern + type: index-pattern + type: map + typeMigrationVersion: 8.4.0 + updated_at: '2023-08-23T20:03:32.204Z' + version: WzEzLDFd + schema: {} + description: Indicates a successfull call. 
+ '400': + content: + application/json: + schema: + additionalProperties: false + description: Indicates an unsuccessful response. + type: object + properties: + error: + type: string + message: + type: string + statusCode: + enum: + - 400 + type: integer + required: + - error + - message + - statusCode + description: Bad request. + summary: Export saved objects + tags: + - saved objects + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_find: + get: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/saved_objects/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a paginated set of Kibana saved objects. + + WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the export API for your use case. + operationId: findSavedObjects + parameters: + - description: | + An aggregation structure, serialized as a string. The field format is similar to filter, meaning that to use a saved object type attribute in the aggregation, the `savedObjectType.attributes.title: "myTitle"` format must be used. For root fields, the syntax is `savedObjectType.rootField`. NOTE: As objects change in Kibana, the results on each page of the response also change. Use the find API for traditional paginated results, but avoid using it to export large amounts of data. + in: query + name: aggs + schema: + type: string + - description: The default operator to use for the `simple_query_string`. + in: query + name: default_search_operator + schema: + type: string + - description: The fields to return in the attributes key of the response. + in: query + name: fields + schema: + oneOf: + - type: string + - type: array + - description: | + The filter is a KQL string with the caveat that if you filter with an attribute from your saved object type, it should look like that: `savedObjectType.attributes.title: "myTitle"`. However, if you use a root attribute of a saved object such as `updated_at`, you will have to define your filter like that: `savedObjectType.updated_at > 2018-12-22`. + in: query + name: filter + schema: + type: string + - description: Filters to objects that do not have a relationship with the type and identifier combination. + in: query + name: has_no_reference + schema: + type: object + - description: The operator to use for the `has_no_reference` parameter. Either `OR` or `AND`. Defaults to `OR`. 
+ in: query + name: has_no_reference_operator + schema: + type: string + - description: Filters to objects that have a relationship with the type and ID combination. + in: query + name: has_reference + schema: + type: object + - description: The operator to use for the `has_reference` parameter. Either `OR` or `AND`. Defaults to `OR`. + in: query + name: has_reference_operator + schema: + type: string + - description: The page of objects to return. + in: query + name: page + schema: + type: integer + - description: The number of objects to return per page. + in: query + name: per_page + schema: + type: integer + - description: An Elasticsearch `simple_query_string` query that filters the objects in the response. + in: query + name: search + schema: + type: string + - description: The fields to perform the `simple_query_string` parsed query against. + in: query + name: search_fields + schema: + oneOf: + - type: string + - type: array + - description: | + Sorts the response. Includes "root" and "type" fields. "root" fields exist for all saved objects, such as "updated_at". "type" fields are specific to an object type, such as fields returned in the attributes key of the response. When a single type is defined in the type parameter, the "root" and "type" fields are allowed, and validity checks are made in that order. When multiple types are defined in the type parameter, only "root" fields are allowed. + in: query + name: sort_field + schema: + type: string + - description: The saved object types to include. + in: query + name: type + required: true + schema: + oneOf: + - type: string + - type: array responses: '200': content: application/json: - examples: - sharedList: - value: - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. 
- id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response + type: object + description: Indicates a successful call. '400': content: application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: list_id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - message: Unable to create exception-list - status_code: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '409': - content: - application/json: - examples: - alreadyExists: - value: - message: 'exception list id: "simple_list" already exists' - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list already exists response - '500': - content: - 
application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create a shared exception list - tags: - - Security Exceptions API - /api/features: - get: - description: > - Get information about all Kibana features. Features are used by spaces - and security to refine and secure access to Kibana. - operationId: get-features - responses: - '200': - content: - application/json: - examples: - getFeaturesExample: - value: | - { - "features": [ - { - "name": "tasks", - "description": "Manages task results" - }, - { - "name": "security", - "description": "Manages configuration for Security features, such as users and roles" - }, - { - "name": "searchable_snapshots", - "description": "Manages caches and configuration for searchable snapshots" - }, - { - "name": "logstash_management", - "description": "Enables Logstash Central Management pipeline storage" - }, - { - "name": "transform", - "description": "Manages configuration and state for transforms" - }, - { - "name": "kibana", - "description": "Manages Kibana configuration and reports" - }, - { - "name": "synonyms", - "description": "Manages synonyms" - }, - { - "name": "async_search", - "description": "Manages results of async searches" - }, - { - "name": "ent_search", - "description": "Manages configuration for Enterprise Search features" - }, - { - "name": "machine_learning", - "description": "Provides anomaly detection and forecasting functionality" - }, - { - "name": "geoip", - "description": "Manages data related to GeoIP database downloader" - }, - { - "name": "watcher", - "description": "Manages Watch definitions and state" - }, - { - "name": "fleet", - "description": "Manages configuration for Fleet" - }, - { - "name": "enrich", - "description": "Manages data related to Enrich policies" - }, - { - "name": "inference_plugin", - 
"description": "Inference plugin for managing inference services and inference" - } - ] - } schema: - type: object - description: Indicates a successful call - summary: Get features + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Search for saved objects tags: - - system - x-state: Technical Preview - /api/lists: - delete: - description: | - Delete a value list using the list ID. - > info - > When you delete a list, all of its list items are also deleted. - operationId: DeleteList + - saved objects + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_import: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create sets of Kibana saved objects from a file created by the export API. Saved objects can only be imported into the same version, a newer minor on the same major, or the next major. Tampering with exported data risks introducing unspecified errors and data loss. + + Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana. + + NOTE: The exported saved objects include `coreMigrationVersion` and `typeMigrationVersion` metadata. If you store exported saved objects outside of Kibana (for example in NDJSON files) or generate them yourself, you must preserve or include these fields to retain forwards compatibility across Kibana versions. + operationId: post-saved-objects-import parameters: - - description: Value list identifier to delete, including all of its list items. - in: query - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: >- - Determines whether exception items referencing this value list - should be deleted. + example: 'true' + type: string + - description: 'Overwrites saved objects when they already exist. When used, potential conflict errors are automatically resolved by overwriting the destination object. NOTE: This option cannot be used with the `createNewCopies` option.' in: query - name: deleteReferences + name: overwrite required: false schema: default: false - example: false type: boolean - - description: >- - Determines whether to delete value list without performing any - additional checks of where this list may be utilized. + - description: 'Creates copies of saved objects, regenerates each object ID, and resets the origin. When used, potential conflict errors are avoided. 
NOTE: This option cannot be used with the `overwrite` and `compatibilityMode` options.' in: query - name: ignoreReferences + name: createNewCopies + required: false + schema: + default: false + type: boolean + - description: 'Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with imported saved objects. NOTE: This option cannot be used with the `createNewCopies` option.' + in: query + name: compatibilityMode required: false schema: default: false - example: false type: boolean + requestBody: + content: + multipart/form-data: + examples: + importObjectsRequest: + value: + file: file.ndjson + schema: + additionalProperties: false + type: object + properties: + file: + description: 'A file exported using the export API. Changing the contents of the exported file in any way before importing it can cause errors, crashes or data loss. NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be included in this file. Similarly, the `savedObjects.maxImportPayloadBytes` setting limits the overall size of the file that can be imported.' + type: object + required: + - file responses: '200': content: application/json: examples: - ipList: + importObjectsResponse: + summary: The import objects API response indicates a successful import and the objects are created. Since these objects are created as new copies, each entry in the successResults array includes a destinationId attribute. value: - _version: WzIsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: List of bad internet ips. 
- id: 21b01cfb-058d-44b9-838c-282be16c91cd - immutable: false - name: Bad ips - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T05:39:39.292Z - updated_by: elastic - version: 3 + success: true + successCount: 1 + successResults: + - destinationId: 82d2760c-468f-49cf-83aa-b9a35b6a8943 + id: 90943e30-9a47-11e8-b64d-95841ca0b247 + managed: false + meta: + icon: indexPatternApp + title: Kibana Sample Data Logs + type: index-pattern schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response + additionalProperties: false + type: object + properties: + errors: + description: |- + Indicates the import was unsuccessful and specifies the objects that failed to import. + + NOTE: One object may result in multiple errors, which requires separate steps to resolve. For instance, a `missing_references` error and conflict error. + items: + additionalProperties: true + type: object + properties: {} + type: array + success: + description: Indicates when the import was successfully completed. When set to false, some objects may not have been created. For additional information, refer to the `errors` and `successResults` properties. + type: boolean + successCount: + description: Indicates the number of successfully imported records. + type: number + successResults: + description: |- + Indicates the objects that are successfully imported, with any metadata if applicable. + + NOTE: Objects are created only when all resolvable errors are addressed, including conflicts and missing references. If objects are created as new copies, each entry in the `successResults` array includes a `destinationId` attribute. + items: + additionalProperties: true + type: object + properties: {} + type: array + required: + - success + - successCount + - errors + - successResults + description: Indicates a successful call. 
'400': content: application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: id: Required' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [DELETE /api/lists?id=ip_list] is unauthorized for - user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list id: \"ip_list\" was not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Delete a value list + additionalProperties: false + description: Indicates an unsuccessful response. 
+ type: object + properties: + error: + type: string + message: + type: string + statusCode: + enum: + - 400 + type: integer + required: + - error + - message + - statusCode + description: Bad request. + summary: Import saved objects tags: - - Security Lists API - get: - description: Get the details of a value list using the list ID. - operationId: ReadList + - saved objects + x-codeSamples: + - label: Import with createNewCopies + lang: cURL + source: | + curl \ + -X POST api/saved_objects/_import?createNewCopies=true + -H "kbn-xsrf: true" + --form file=@file.ndjson + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_resolve_import_errors: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_resolve_import_errors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + To resolve errors from the Import objects API, you can: + + * Retry certain saved objects + * Overwrite specific saved objects + * Change references to different saved objects + operationId: resolveImportErrors parameters: - - description: Value list identifier (`id`) returned when the list was created. + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - description: | + Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. When enabled during the initial import, also enable when resolving import errors. This option cannot be used with the `createNewCopies` option. in: query - name: id - required: true + name: compatibilityMode + required: false schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' + type: boolean + - description: | + Creates copies of the saved objects, regenerates each object ID, and resets the origin. When enabled during the initial import, also enable when resolving import errors. + in: query + name: createNewCopies + required: false + schema: + type: boolean + requestBody: + content: + multipart/form-data: + examples: + resolveImportErrorsRequest: + $ref: '#/components/examples/Saved_objects_resolve_missing_reference_request' + schema: + type: object + properties: + file: + description: The same file given to the import API. + format: binary + type: string + retries: + description: The retry operations, which can specify how to resolve different types of errors. + items: + type: object + properties: + destinationId: + description: Specifies the destination ID that the imported object should have, if different from the current ID. + type: string + id: + description: The saved object ID. + type: string + ignoreMissingReferences: + description: When set to `true`, ignores missing reference errors. When set to `false`, does nothing. 
+ type: boolean + overwrite: + description: When set to `true`, the source object overwrites the conflicting destination object. When set to `false`, does nothing. + type: boolean + replaceReferences: + description: A list of `type`, `from`, and `to` used to change the object references. + items: + type: object + properties: + from: + type: string + to: + type: string + type: + type: string + type: array + type: + description: The saved object type. + type: string + required: + - type + - id + type: array + required: + - retries + required: true responses: '200': content: application/json: examples: - ip: - value: - _version: WzEsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ip - id: ip_list - immutable: false - name: My bad ips - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T05:21:53.843Z - updated_by: elastic - version: 1 + resolveImportErrorsResponse: + $ref: '#/components/examples/Saved_objects_resolve_missing_reference_response' schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response + type: object + properties: + errors: + description: | + Specifies the objects that failed to resolve. + + NOTE: One object can result in multiple errors, which requires separate steps to resolve. For instance, a `missing_references` error and a `conflict` error. + items: + type: object + type: array + success: + description: | + Indicates a successful import. When set to `false`, some objects may not have been created. For additional information, refer to the `errors` and `successResults` properties. + type: boolean + successCount: + description: | + Indicates the number of successfully resolved records. + type: number + successResults: + description: | + Indicates the objects that are successfully imported, with any metadata if applicable. 
+ + NOTE: Objects are only created when all resolvable errors are addressed, including conflict and missing references. + items: + type: object + type: array + description: Indicates a successful call. '400': content: application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: id: Required' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET /api/lists?id=ip_list] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value list details + $ref: 
'#/components/schemas/Saved_objects_400_response' + description: Bad request. + summary: Resolve import errors tags: - - Security Lists API - patch: - description: Update specific fields of an existing list using the list `id`. - operationId: PatchList + - saved objects + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/{type}: + post: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/{type}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a Kibana saved object with a randomly generated identifier. + + WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the import API for your use case. + NOTE: For forward compatibility, include `coreMigrationVersion` and `typeMigrationVersion` when creating saved objects outside of Kibana or when persisting raw saved objects outside of Kibana. + operationId: createSavedObject + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - $ref: '#/components/parameters/Saved_objects_saved_object_type' + - description: If true, overwrites the document with the same identifier. + in: query + name: overwrite + schema: + type: boolean requestBody: content: application/json: - examples: - patchName: - value: - id: ip_list - name: Bad ips list - UPDATED schema: - example: - id: ip_list - name: Bad ips list - UPDATED type: object properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - version: - $ref: '#/components/schemas/Security_Lists_API_ListVersion' + attributes: + $ref: '#/components/schemas/Saved_objects_attributes' + coreMigrationVersion: + description: | + The Kibana version that last migrated this document. When creating saved objects outside of Kibana, preserve this field to retain forward compatibility. + type: string + initialNamespaces: + $ref: '#/components/schemas/Saved_objects_initial_namespaces' + references: + $ref: '#/components/schemas/Saved_objects_references' + typeMigrationVersion: + description: | + The type version that last migrated this document. 
When creating saved objects outside of Kibana, preserve this field to retain forward compatibility. + type: string required: - - id - description: Value list's properties + - attributes required: true responses: '200': content: application/json: - examples: - ip: - value: - _version: WzEsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ips - id: ip_list - immutable: false - name: Bad ips list - UPDATED - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T05:21:53.843Z - updated_by: elastic - version: 2 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: name: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + type: object + description: Indicates a successful call. 
+ '409': content: application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [PATCH /api/lists] is unauthorized for user, this - action is granted by the Kibana privileges [lists-all] - statusCode: 403 schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': + type: object + description: Indicates a conflict error. + summary: Create a saved object + tags: + - saved objects + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/{type}/{id}: + get: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/saved_objects/{type}/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a single Kibana saved object by identifier. + + WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the export API for your use case. + operationId: getSavedObject + parameters: + - $ref: '#/components/parameters/Saved_objects_saved_object_id' + - $ref: '#/components/parameters/Saved_objects_saved_object_type' + responses: + '200': content: application/json: - examples: - notFound: - value: - message: 'list id: \"foo\" not found' - status_code: 404 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': + type: object + description: Indicates a successful call. + '400': content: application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Patch a value list + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request. + summary: Get a saved object tags: - - Security Lists API + - saved objects + x-metaTags: + - content: Kibana + name: product_name post: - description: Create a new value list. - operationId: CreateList + deprecated: true + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/{type}/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a Kibana saved object and specify its identifier instead of using a randomly generated ID. + + WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the import API for your use case. + NOTE: For forward compatibility, include `coreMigrationVersion` and `typeMigrationVersion` when creating saved objects outside of Kibana or when persisting raw saved objects outside of Kibana. + operationId: createSavedObjectId + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - $ref: '#/components/parameters/Saved_objects_saved_object_id' + - $ref: '#/components/parameters/Saved_objects_saved_object_type' + - description: If true, overwrites the document with the same identifier. + in: query + name: overwrite + schema: + type: boolean requestBody: content: application/json: - examples: - ip: - value: - description: This list describes bad internet ips - id: ip_list - name: Simple list with ips - type: ip - ip_range: - value: - description: This list has ip ranges - id: ip_range_list - name: Simple list with ip ranges - type: ip_range - keyword: - value: - description: This list describes bad host names - id: keyword_list - name: Simple list with a keyword - type: keyword - keyword_custom_format: - value: - description: This parses the first found ipv4 only - id: keyword_custom_format_list - name: Simple list with a keyword using a custom format - type: keyword schema: type: object properties: - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - type: - $ref: '#/components/schemas/Security_Lists_API_ListType' - version: - default: 1 - minimum: 1 - type: integer + attributes: + $ref: 
'#/components/schemas/Saved_objects_attributes' + coreMigrationVersion: + description: | + The Kibana version that last migrated this document. When creating saved objects outside of Kibana, preserve this field to retain forward compatibility. + type: string + initialNamespaces: + $ref: '#/components/schemas/Saved_objects_initial_namespaces' + references: + $ref: '#/components/schemas/Saved_objects_references' + typeMigrationVersion: + description: | + The type version that last migrated this document. When creating saved objects outside of Kibana, preserve this field to retain forward compatibility. + type: string required: - - name - - description - - type - description: Value list's properties + - attributes required: true responses: '200': content: application/json: - examples: - ip: - value: - _version: WzAsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ips - id: ip_list - immutable: false - name: Simple list with ips - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T04:47:34.273Z - updated_by: elastic - version: 1 - ip_range: - value: - _version: WzAsMV0= - '@timestamp': 2025-01-09T18:23:52.241Z - created_at: 2025-01-09T18:23:52.241Z - created_by: elastic - description: This list has ip ranges - id: ip_range_list - immutable: false - name: Simple list with ip ranges - tie_breaker_id: 74aebdaf-601f-4940-b351-155728ff7003 - type: ip_range - updated_at: 2025-01-09T18:23:52.241Z - updated_by: elastic - version: 1 - keyword: - value: - _version: WzEsMV0= - '@timestamp': 2025-01-09T18:24:55.786Z - created_at: 2025-01-09T18:24:55.786Z - created_by: elastic - description: This list describes bad host names - id: keyword_list - immutable: false - name: Simple list with a keyword - tie_breaker_id: f7e7dbaa-daf7-4c9a-a3dc-56643923ef68 - type: keyword - updated_at: 2025-01-09T18:24:55.786Z - updated_by: elastic - version: 1 
- keyword_custom_format: - value: - _version: WzIsMV0= - '@timestamp': 2025-01-09T18:25:39.604Z - created_at: 2025-01-09T18:25:39.604Z - created_by: elastic - description: This parses the first found ipv4 only - id: keyword_custom_format_list - immutable: false - name: Simple list with a keyword using a custom format - tie_breaker_id: 8247ae63-b780-47b8-9a89-948b643e9ec2 - type: keyword - updated_at: 2025-01-09T18:25:39.604Z - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - notFound: - value: - message: >- - To create a list, the data stream must exist first. Data - stream \".lists-default\" does not exist - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/lists] is unauthorized for user, this - action is granted by the Kibana privileges [lists-all] - statusCode: 403 schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response + type: object + description: Indicates a successful call. 
'409': content: application/json: - examples: - alreadyExists: - value: - message: 'list id: "keyword_custom_format_list" already exists' - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List already exists response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Create a value list + type: object + description: Indicates a conflict error. + summary: Create a saved object tags: - - Security Lists API + - saved objects + x-metaTags: + - content: Kibana + name: product_name put: - description: > - Update a value list using the list `id`. The original list is replaced, - and all unspecified fields are deleted. + deprecated: true + description: | + **Spaces method and path for this operation:** - > info +
put /s/{space_id}/api/saved_objects/{type}/{id}
- > You cannot modify the `id` value. - operationId: UpdateList + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update the attributes for Kibana saved objects. + + WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the import API for your use case. + operationId: updateSavedObject + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - $ref: '#/components/parameters/Saved_objects_saved_object_id' + - $ref: '#/components/parameters/Saved_objects_saved_object_type' requestBody: content: application/json: - examples: - replaceList: - value: - description: Latest list of bad ips - id: ip_list - name: Bad ips - updated schema: - example: - description: Latest list of bad ips - id: ip_list - name: Bad ips - updated type: object - properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - version: - $ref: '#/components/schemas/Security_Lists_API_ListVersion' - required: - - id - - name - - description - description: Value list's properties required: true responses: '200': content: application/json: - examples: - ip: - value: - _version: WzIsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: Latest list of bad ips - id: ip_list - immutable: false - name: Bad ips - updated - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T05:39:39.292Z - updated_by: elastic - version: 3 schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': + type: object + description: Indicates a successful call. 
+ '404': content: application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: id: Expected string, received number' - statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + type: object + description: Indicates the object was not found. + '409': content: application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + type: object + description: Indicates a conflict error. + summary: Update a saved object + tags: + - saved objects + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/resolve/{type}/{id}: + get: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/saved_objects/resolve/{type}/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a single Kibana saved object by identifier using any legacy URL alias if it exists. Under certain circumstances, when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved using either its new ID or its old ID. + + WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the export API for your use case. + operationId: resolveSavedObject + parameters: + - $ref: '#/components/parameters/Saved_objects_saved_object_id' + - $ref: '#/components/parameters/Saved_objects_saved_object_type' + responses: + '200': content: application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [PUT /api/lists] is unauthorized for user, this action - is granted by the Kibana privileges [lists-all] - statusCode: 403 schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': + type: object + description: Indicates a successful call. + '400': content: application/json: - examples: - notFound: - value: - message: 'list id: \"foo\" not found' - status_code: 404 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request. + summary: Resolve a saved object + tags: + - saved objects + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/anonymization_fields/_bulk_action: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/anonymization_fields/_bulk_action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Apply a bulk action to multiple anonymization fields. The bulk action is applied to all anonymization fields that match the filter or to the list of anonymization fields by their IDs. + operationId: PerformAnonymizationFieldsBulkAction + requestBody: + content: + application/json: + schema: + example: + create: + - allowed: true + anonymized: false + field: host.name + - allowed: false + anonymized: true + field: user.name + delete: + ids: + - field5 + - field6 + query: 'field: host.name' + update: + - allowed: true + anonymized: false + id: field8 + - allowed: false + anonymized: true + id: field9 + type: object + properties: + create: + description: Array of anonymization fields to create. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps' + type: array + delete: + description: Object containing the query to filter anonymization fields and/or an array of anonymization field IDs to delete. + type: object + properties: + ids: + description: Array of IDs to apply the action to. + example: + - '1234' + - '5678' + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter the bulk action. + example: 'status: ''inactive''' + type: string + update: + description: Array of anonymization fields to update. 
+ items: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps' + type: array + responses: + '200': + content: + application/json: + example: + anonymization_fields_count: 5 + attributes: + results: + created: + - allowed: false + anonymized: true + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: host.name + id: field2 + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + deleted: + - field3 + skipped: + - id: field4 + name: user.name + skip_reason: ANONYMIZATION_FIELD_NOT_MODIFIED + updated: + - allowed: true + anonymized: false + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: url.domain + id: field8 + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + summary: + failed: 1 + skipped: 1 + succeeded: 2 + total: 5 + message: Bulk action completed successfully + status_code: 200 + success: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse' + description: Indicates a successful call. + '400': content: application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 + example: + error: Bad Request + message: Invalid request body + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Update a value list + type: object + properties: + error: + description: Error type or name. + type: string + message: + description: Detailed error message. + type: string + statusCode: + description: Status code of the response. 
+ type: number + description: Generic Error + summary: Apply a bulk action to anonymization fields tags: - - Security Lists API - /api/lists/_find: + - Security AI Assistant API + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/anonymization_fields/_find: get: - description: >- - Get a paginated subset of value lists. By default, the first page is - returned, with 20 results per page. - operationId: FindLists + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/anonymization_fields/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all anonymization fields. + operationId: FindAnonymizationFields parameters: - - description: The page number to return. + - description: Fields to return + example: + - id + - field + - anonymized + - allowed in: query - name: page + name: fields required: false schema: - example: 1 - type: integer - - description: The number of value lists to return per page. + items: + type: string + type: array + - description: Search query + example: 'field: "user.name"' in: query - name: per_page + name: filter required: false schema: - example: 20 - type: integer - - description: Determines which field is used to sort the results. + type: string + - description: Field to sort by + example: created_at in: query name: sort_field required: false schema: - example: name - format: nonempty - minLength: 1 - type: string - - description: Determines the sort order, which can be `desc` or `asc` + $ref: '#/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField' + - description: Sort order + example: asc in: query name: sort_order required: false schema: - enum: - - desc - - asc - example: asc - type: string - - description: >- - Returns the lists that come after the last lists returned in the - previous call (use the `cursor` value returned in the previous - call). This parameter uses the `tie_breaker_id` field to ensure all - lists are sorted and returned correctly. + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number + example: 1 in: query - name: cursor + name: page required: false schema: - $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' - - description: > - Filters the returned results according to the value of the specified - field, - - using the : syntax. 
+ default: 1 + minimum: 1 + type: integer + - description: AnonymizationFields per page + example: 20 in: query - name: filter + name: per_page required: false schema: - $ref: '#/components/schemas/Security_Lists_API_FindListsFilter' + default: 20 + minimum: 0 + type: integer + - description: If true, additionally fetch all anonymization fields, otherwise fetch only the provided page + in: query + name: all_data + required: false + schema: + type: boolean responses: '200': content: application/json: - examples: - ipList: - value: - cursor: >- - WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d - data: - - _version: WzAsMV0= - '@timestamp': | - 2025-01-08T04:47:34.273Z - created_at: | - 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ip - id: ip_list - immutable: false - name: Simple list with an ip - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: | - 2025-01-08T04:47:34.273Z - updated_by: elastic - version: 1 - page: 1 - per_page: 20 - total: 1 + example: + aggregations: + anonymized: + buckets: + allowed: + doc_count: 1 + anonymized: + doc_count: 1 + denied: + doc_count: 1 + all: + - allowed: true + anonymized: true + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: user.name + id: '1' + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + data: + - allowed: true + anonymized: true + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: user.name + id: '1' + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + page: 1 + perPage: 20 + total: 100 schema: type: object properties: - cursor: - $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' + aggregations: + type: object + properties: + field_status: + type: object + properties: + buckets: + type: object + properties: + allowed: + type: object + properties: + doc_count: + 
default: 0 + type: integer + anonymized: + type: object + properties: + doc_count: + default: 0 + type: integer + denied: + type: object + properties: + doc_count: + default: 0 + type: integer + all: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' + type: array data: items: - $ref: '#/components/schemas/Security_Lists_API_List' + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' type: array page: - minimum: 0 type: integer - per_page: - minimum: 0 + perPage: type: integer total: - minimum: 0 type: integer required: - - data - page - - per_page + - perPage - total - - cursor + - data description: Successful response '400': content: application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: page: Expected number, received nan' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET /api/lists/_find?page=1&per_page=20] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': - content: - 
application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 + example: + error: Bad Request + message: Invalid request parameters + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value lists + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Get anonymization fields tags: - - Security Lists API - /api/lists/index: - delete: - description: Delete the `.lists` and `.items` data streams. - operationId: DeleteListIndex + - Security AI Assistant API + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/chat/complete: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/chat/complete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a model response for the given chat conversation. + operationId: ChatComplete + parameters: + - description: If true, the response will not include content references. + example: false + in: query + name: content_references_disabled + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + example: + connectorId: conn-001 + conversationId: abc123 + isStream: true + langSmithApiKey: sk-abc123 + langSmithProject: security_ai_project + messages: + - content: What are some common phishing techniques? + data: + user_id: user_789 + fields_to_anonymize: + - user.name + - source.ip + role: user + model: gpt-4 + persist: true + promptId: prompt_456 + responseLanguage: en + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' + required: true responses: '200': content: - application/json: - examples: - acknowledged: - value: - acknowledged: true + application/octet-stream: schema: - type: object - properties: - acknowledged: - type: boolean - required: - - acknowledged - description: Successful response + format: binary + type: string + description: Indicates a successful model response call. 
'400': content: application/json: - examples: - badRequest: - value: - message: >- - Unable to delete value list data streams: invalid or - missing index metadata - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [DELETE /api/lists/index] is not authorized; lists-all - (or equivalent) is required to delete data streams - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: The value list data stream was not found in this space - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Delete value list data streams + type: object + properties: + error: + description: Error type. + example: Bad Request + type: string + message: + description: Human-readable error message. 
+ example: Invalid request payload. + type: string + statusCode: + description: HTTP status code. + example: 400 + type: number + description: Generic Error + summary: Create a model response tags: - - Security Lists API - get: - description: Verify that `.lists` and `.items` data streams exist. - operationId: ReadListIndex + - Security AI Assistant API + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/current_user/conversations: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/security_ai_assistant/current_user/conversations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + This endpoint allows users to permanently delete all conversations. + operationId: DeleteAllConversations + requestBody: + content: + application/json: + schema: + type: object + properties: + excludedIds: + description: Optional list of conversation IDs to delete. + example: + - abc123 + - def456 + items: + type: string + type: array + required: false responses: '200': content: application/json: - examples: - bothExist: - value: - list_index: true - list_item_index: true + example: + success: true schema: type: object properties: - list_index: - type: boolean - list_item_index: + failures: + items: + type: string + type: array + success: + example: true type: boolean - required: - - list_index - - list_item_index - description: Successful response + totalDeleted: + example: 10 + type: number + description: Indicates a successful call. The conversations were deleted successfully. '400': content: application/json: - examples: - badRequest: - value: - message: >- - Unable to read value list data stream status for this - space - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET 
/api/lists/index] is not authorized; list read - permissions are required - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: Value list backing indices were not found for this space - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream(s) not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get status of value list data streams + type: object + properties: + error: + example: Bad Request + type: string + message: + example: Invalid conversation ID + type: string + statusCode: + example: 400 + type: number + description: Generic Error. This response indicates an issue with the request. + summary: Delete conversations tags: - - Security Lists API + - Security AI Assistant API + x-metaTags: + - content: Kibana + name: product_name post: - deprecated: true - description: > - **DEPRECATED.** `deprecated: true` is set on this operation. Value list - backing data streams for the space + description: |- + **Spaces method and path for this operation:** - are now created as part of supported workflows; calling this explicitly - is rarely required. +
post /s/{space_id}/api/security_ai_assistant/current_user/conversations
- **WARNING:** Do not use for new integrations. Prefer the UI or the list - and list-item APIs after confirming + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - indices exist with `GET /api/lists/index`. - - - Creates the `.lists` and `.items` data streams in the current Kibana - space. - operationId: CreateListIndex + Create a new Security AI Assistant conversation. This endpoint allows the user to initiate a conversation with the Security AI Assistant by providing the required parameters. + operationId: CreateConversation + requestBody: + content: + application/json: + example: + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + excludeFromLastConversationStorage: false + messages: + - content: Hello, how can I assist you today? + role: system + timestamp: '2023-10-31T12:00:00Z' + replacements: {} + title: Security Discussion + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCreateProps' + required: true responses: '200': content: application/json: - examples: - acknowledged: - value: - acknowledged: true + example: + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + createdAt: '2023-10-31T12:01:00Z' + excludeFromLastConversationStorage: false + id: abc123 + messages: + - content: Hello, how can I assist you today? + role: system + timestamp: '2023-10-31T12:00:00Z' + replacements: {} + title: Security Discussion + updatedAt: '2023-10-31T12:01:00Z' + users: + - id: user1 + name: John Doe schema: - type: object - properties: - acknowledged: - type: boolean - required: - - acknowledged - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + description: Indicates a successful call. The conversation was created successfully. 
'400': content: application/json: - examples: - badRequest: - value: - message: >- - Indices exist but the request could not be completed for - the current space. Check that Elasticsearch and Kibana - privileges allow index creation for lists. - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: > - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/lists/index] is unauthorized for user, this - action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json: - examples: - alreadyExists: - value: - message: >- - data stream: \".lists-default\" and \".items-default\" - already exists - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream exists response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Create list data streams + type: object + properties: + error: + example: Bad 
Request + type: string + message: + example: 'Missing required parameter: title' + type: string + statusCode: + example: 400 + type: number + description: Generic Error. This response indicates an issue with the request, such as missing required parameters or incorrect data. + summary: Create a conversation tags: - - Security Lists API - /api/lists/items: - delete: - description: >- - Delete a value list item using its `id`, or its `list_id` and `value` - fields. - operationId: DeleteListItem + - Security AI Assistant API + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/current_user/conversations/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/current_user/conversations/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all conversations for the current user. This endpoint allows users to search, filter, sort, and paginate through their conversations. + operationId: FindConversations parameters: - - description: >- - Value list item's identifier. Required if `list_id` and `value` are - not specified. + - description: A list of fields to include in the response. If omitted, all fields are returned. in: query - name: id + name: fields required: false schema: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - - description: Value list's identifier. Required if `id` is not specified. + example: + - id + - title + - createdAt + items: + type: string + type: array + - description: A search query to filter the conversations. Can match against titles, messages, or other conversation attributes. in: query - name: list_id + name: filter required: false schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: >- - The value used to evaluate exceptions. Required if `id` is not - specified. + example: Security Issue + type: string + - description: The field by which to sort the results. Valid fields are `created_at`, `title`, and `updated_at`. in: query - name: value + name: sort_field required: false schema: - example: 255.255.255.255 - type: string - - description: >- - Determines when changes made by the request are made visible to - search. + $ref: '#/components/schemas/Security_AI_Assistant_API_FindConversationsSortField' + example: created_at + - description: The order in which to sort the results. Can be either `asc` for ascending or `desc` for descending. 
in: query - name: refresh + name: sort_order required: false schema: - default: 'false' - enum: - - 'true' - - 'false' - - wait_for - example: false - type: string + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + example: desc + - description: The page number of the results to retrieve. Default is 1. + in: query + name: page + required: false + schema: + default: 1 + example: 1 + minimum: 1 + type: integer + - description: The number of conversations to return per page. Default is 20. + in: query + name: per_page + required: false + schema: + default: 20 + example: 20 + minimum: 0 + type: integer + - description: Whether to return conversations that the current user owns. If true, only conversations owned by the user are returned. + in: query + name: is_owner + required: false + schema: + default: false + example: true + type: boolean responses: '200': content: application/json: - examples: - ip: - value: - _version: WzIwLDFd - '@timestamp': 2025-01-08T05:15:05.159Z - created_at: 2025-01-08T05:15:05.159Z - created_by: elastic - id: pd1WRJQBs4HAK3VQeHFI - list_id: ip_list - tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 - type: ip - updated_at: 2025-01-08T05:44:14.009Z - updated_by: elastic - value: 255.255.255.255 schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_ListItem' - - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' + type: object + properties: + data: + description: A list of conversations. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' type: array - description: Successful response + page: + description: The current page of the results. + example: 1 + type: integer + perPage: + description: The number of results returned per page. + example: 20 + type: integer + total: + description: The total number of conversations matching the filter criteria. 
+ example: 100 + type: integer + required: + - page + - perPage + - total + - data + description: Successful response, returns a paginated list of conversations matching the specified criteria. '400': content: application/json: - examples: - badRequest: - value: - message: >- - Either \"list_id\" or \"id\" needs to be defined in the - request - status_code: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + type: object + properties: + error: + example: Bad Request + type: string + message: + example: Invalid filter query parameter + type: string + statusCode: + example: 400 + type: number + description: Generic Error. The request could not be processed due to an invalid query parameter or other issue. + summary: Get conversations + tags: + - Security AI Assistant API + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/current_user/conversations/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an existing conversation using the conversation ID. This endpoint allows users to permanently delete a conversation. + operationId: DeleteConversation + parameters: + - description: The conversation's `id` value. + example: abc123 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': content: application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + example: + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + createdAt: '2023-10-31T12:01:00Z' + excludeFromLastConversationStorage: false + id: abc123 + messages: + - content: The conversation has been deleted. + role: system + timestamp: '2023-10-31T12:35:00Z' + replacements: {} + title: Deleted Security Discussion + updatedAt: '2023-10-31T12:01:00Z' + users: + - id: user1 + name: John Doe schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + description: Indicates a successful call. The conversation was deleted successfully. 
+ '400': content: application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [DELETE /api/lists/items?id=pd1WRJQBs4HAK3VQeHFI] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-all] - statusCode: 403 schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': + type: object + properties: + error: + example: Bad Request + type: string + message: + example: Invalid conversation ID + type: string + statusCode: + example: 400 + type: number + description: Generic Error. This response indicates an issue with the request. + summary: Delete a conversation + tags: + - Security AI Assistant API + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an existing conversation using the conversation ID. This allows users to fetch the specific conversation data by its unique ID. + operationId: ReadConversation + parameters: + - description: The conversation's `id` value, a unique identifier for the conversation. + example: abc123 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': content: application/json: - examples: - notFound: - value: - message: 'list item with id: \"pd1WRJQBs4HAK3VQeHFI\" not found' - status_code: 404 + example: + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + createdAt: '2023-10-31T12:01:00Z' + excludeFromLastConversationStorage: false + id: abc123 + messages: + - content: Hello, how can I assist you today? + role: system + timestamp: '2023-10-31T12:00:00Z' + replacements: {} + title: Security Discussion + updatedAt: '2023-10-31T12:01:00Z' + users: + - id: user1 + name: John Doe schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + description: Indicates a successful call. The conversation details are returned. + '400': content: application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Delete a value list item + type: object + properties: + error: + example: Bad Request + type: string + message: + example: Invalid conversation ID + type: string + statusCode: + example: 400 + type: number + description: Generic Error. The request could not be processed due to an error. 
+ summary: Get a conversation tags: - - Security Lists API - get: - description: Get the details of a value list item. - operationId: ReadListItem + - Security AI Assistant API + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing conversation using the conversation ID. This endpoint allows users to modify the details of an existing conversation. + operationId: UpdateConversation parameters: - - description: >- - Value list item identifier. Required if `list_id` and `value` are - not specified. - in: query + - description: The conversation's `id` value. + example: abc123 + in: path name: id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: >- - Value list item list's `id` identfier. Required if `id` is not - specified. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: >- - The value used to evaluate exceptions. Required if `id` is not - specified. - in: query - name: value - required: false + required: true schema: - example: 127.0.0.2 - type: string + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + requestBody: + content: + application/json: + example: + apiConfig: + actionTypeId: '09876' + connectorId: '54321' + category: insights + excludeFromLastConversationStorage: true + messages: + - content: The issue was resolved. 
+ role: assistant + timestamp: '2023-10-31T12:30:00Z' + replacements: {} + title: Updated Security Discussion + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps' + required: true responses: '200': content: application/json: - examples: - ip: - value: - _version: WzExLDFd - '@timestamp': 2025-01-08T05:16:25.882Z - created_at: 2025-01-08T05:16:25.882Z - created_by: elastic - id: qN1XRJQBs4HAK3VQs3Gc - list_id: ip_list - tie_breaker_id: a9a34c02-a385-436e-86a0-02a3942f3537 - type: ip - updated_at: 2025-01-08T05:16:25.882Z - updated_by: elastic - value: 127.0.0.2 + example: + apiConfig: + actionTypeId: '09876' + connectorId: '54321' + category: insights + createdAt: '2023-10-31T12:01:00Z' + excludeFromLastConversationStorage: true + id: abc123 + messages: + - content: The issue was resolved. + role: assistant + timestamp: '2023-10-31T12:30:00Z' + replacements: {} + title: Updated Security Discussion + updatedAt: '2023-10-31T12:31:00Z' + users: + - id: user1 + name: John Doe schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_ListItem' - - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - type: array - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + description: Indicates a successful call. The conversation was updated successfully. '400': content: application/json: - examples: - badRequest: - value: - message: >- - Either \"list_id\" or \"id\" needs to be defined in the - request - status_code: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + type: object + properties: + error: + example: Bad Request + type: string + message: + example: 'Missing required field: title' + type: string + statusCode: + example: 400 + type: number + description: Generic Error. 
This response indicates an issue with the request, such as missing required parameters or incorrect data. + summary: Update a conversation + tags: + - Security AI Assistant API + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/knowledge_base: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/knowledge_base
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Read a single KB + operationId: GetKnowledgeBase + responses: + '200': content: application/json: examples: - unauthorized: + KnowledgeBaseReadResponse200Example2: + summary: A response that returns information about the knowledge base. value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + defend_insights_exists: true + elser_exists: false + is_setup_available: true + is_setup_in_progress: true + product_documentation_status: installed + security_labs_exists: false + user_data_exists: true schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200' + description: Indicates a successful call. + '400': content: application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET /api/lists/items?id=qN1XRJQBs4HAK3VQs3Gc] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' + description: Generic Error + summary: Read a KnowledgeBase + tags: + - Security AI Assistant API + x-metaTags: + - content: Kibana + name: product_name + post: + operationId: PostKnowledgeBase + parameters: + - description: ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used. 
+ example: elser-model-001 + in: query + name: modelId + required: false + schema: + type: string + - description: Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base. Defaults to `false`. + example: true + in: query + name: ignoreSecurityLabs + required: false + schema: + default: false + type: boolean + responses: + '200': content: application/json: examples: - notFound: + KnowledgeBaseResponse200Example2: + summary: A response that indicates that the request was successful. value: - message: 'list item id: \"foo\" not found' - status_code: 404 + success: true schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse' + description: Indicates a successful call. + '400': content: application/json: examples: - serverError: - value: - message: Internal Server Error - status_code: 500 + KnowledgeBaseResponse400Example2: + summary: A response for a request that failed due to an invalid query parameter value. + value: | + statusCode: 400 error: Bad Request message: "[request query]: ignoreSecurityLabs: Invalid enum value. Expected 'true' | 'false', received 'yes', ignoreSecurityLabs: Expected boolean, received string" schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get a value list item + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' + description: Generic Error + summary: Create a KnowledgeBase tags: - - Security Lists API - patch: - description: >- - Update specific fields of an existing value list item using the item - `id`. 
- operationId: PatchListItem - requestBody: - content: - application/json: - examples: - changeValue: - value: - id: pd1WRJQBs4HAK3VQeHFI - value: 255.255.255.255 - schema: - example: - id: pd1WRJQBs4HAK3VQeHFI - value: 255.255.255.255 - type: object - properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - refresh: - description: >- - Determines when changes made by the request are made visible - to search. - enum: - - 'true' - - 'false' - - wait_for - type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' - required: - - id - description: Value list item's properties - required: true + - Security AI Assistant API + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/knowledge_base
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/security_ai_assistant/knowledge_base/{resource}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/knowledge_base/{resource}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Read a knowledge base with a specific resource identifier. + operationId: ReadKnowledgeBase + parameters: + - description: The KnowledgeBase `resource` value. + example: kb12345 + in: path + name: resource + required: true + schema: + type: string responses: '200': content: application/json: examples: - ipItem: + KnowledgeBaseReadResponse200Example1: + summary: A response that returns information about the knowledge base. value: - _version: WzE5LDFd - '@timestamp': 2025-01-08T05:15:05.159Z - created_at: 2025-01-08T05:15:05.159Z - created_by: elastic - id: pd1WRJQBs4HAK3VQeHFI - list_id: ip_list - tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 - type: ip - updated_at: 2025-01-08T05:23:37.602Z - updated_by: elastic - value: 255.255.255.255 + defend_insights_exists: true + elser_exists: false + is_setup_available: true + is_setup_in_progress: true + product_documentation_status: installed + security_labs_exists: false + user_data_exists: true schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200' + description: Indicates a successful call. '400': content: application/json: - examples: - badRequest: - value: - message: >- - {"took":15,"timed_out":false,"total":1,"updated":0,"deleted":0,"batches":1,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1,"throttled_until_millis":0,"failures":[{"index":".ds-.items-default-2025.01.09-000001","id":"ip_item","cause":{"type":"document_parsing_exception","reason":"[1:107] - failed to parse field [ip] of type [ip] in document with - id ip_item. 
Preview of fields value: - 2","caused_by":{"type":"illegal_argument_exception","reason":"2 - is not an IP string literal."}},"status":400}]} - status_code: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' + description: Generic Error + summary: Read a KnowledgeBase for a resource + tags: + - Security AI Assistant API + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/knowledge_base/{resource}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a knowledge base with a specific resource identifier. + operationId: CreateKnowledgeBase + parameters: + - description: The KnowledgeBase `resource` value. + example: kb12345 + in: path + name: resource + required: true + schema: + type: string + - description: ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used. + example: elser-model-001 + in: query + name: modelId + required: false + schema: + type: string + - description: Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base. Defaults to `false`. + example: true + in: query + name: ignoreSecurityLabs + required: false + schema: + default: false + type: boolean + responses: + '200': content: application/json: examples: - unauthorized: + KnowledgeBaseResponse200Example1: + summary: A response that indicates that the request was successful. value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + success: true schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse' + description: Indicates a successful call. + '400': content: application/json: examples: - forbidden: - value: - error: Forbidden - message: >- - API [PATCH /api/lists/items] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 + KnowledgeBaseResponse400Example1: + summary: A response for a request that failed due to an invalid query parameter value. 
+ value: | + statusCode: 400 error: Bad Request message: "[request query]: ignoreSecurityLabs: Invalid enum value. Expected 'true' | 'false', received 'yes', ignoreSecurityLabs: Expected boolean, received string" schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' + description: Generic Error + summary: Create a KnowledgeBase for a resource + tags: + - Security AI Assistant API + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/knowledge_base/entries: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/knowledge_base/entries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a Knowledge Base Entry + operationId: CreateKnowledgeBaseEntry + requestBody: + content: + application/json: + example: + content: To reset your password, go to the settings page and click 'Reset Password'. + tags: + - password + - reset + - help + title: How to reset a password + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps' + required: true + responses: + '200': content: application/json: - examples: - notFound: - value: - message: 'list item id: \"foo\" not found' - status_code: 404 + example: + content: To reset your password, go to the settings page and click 'Reset Password'. + id: '12345' + tags: + - password + - reset + - help + title: How to reset a password schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' + description: Successful request returning Knowledge Base Entries + '400': content: application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 + example: + error: Invalid input + message: The 'title' field is required. schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Patch a value list item + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: A generic error occurred, such as invalid input or missing required fields. + summary: Create a Knowledge Base Entry tags: - - Security Lists API + - Security AI Assistant API + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/knowledge_base/entries/_bulk_action: post: - description: > - Create a value list item and associate it with the specified value list. 
- + description: |- + **Spaces method and path for this operation:** - All value list items in the same list must be the same type. For - example, each list item in an `ip` list must define a specific IP - address. +
post /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/_bulk_action
- > info + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > Before creating a list item, you must create a list. - operationId: CreateListItem + The bulk action is applied to all Knowledge Base Entries that match the filter or to the list of Knowledge Base Entries by their IDs. + operationId: PerformKnowledgeBaseEntryBulkAction requestBody: content: application/json: - examples: - ip: - value: - list_id: ip_list - value: 127.0.0.1 - ip_range: - value: - list_id: ip_range_list - value: 192.168.0.0/16 - keyword: - value: - list_id: keyword_list - value: zeek schema: type: object properties: - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - list_id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - refresh: - description: >- - Determines when changes made by the request are made visible - to search. - enum: - - 'true' - - 'false' - - wait_for - example: wait_for - type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' - required: - - list_id - - value - description: Value list item's properties - required: true + create: + description: List of Knowledge Base Entries to create. + example: + - content: This is the content of the new entry. + title: New Entry + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps' + type: array + delete: + type: object + properties: + ids: + description: Array of Knowledge Base Entry IDs. + example: + - '123' + - '456' + - '789' + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter Knowledge Base Entries. + example: status:active AND category:technology + type: string + update: + description: List of Knowledge Base Entries to update. + example: + - content: Updated content. 
+ id: '123' + title: Updated Entry + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps' + type: array responses: '200': content: application/json: - examples: - ip: - value: - _version: WzAsMV0= - '@timestamp': 2025-01-08T04:59:06.154Z - created_at: 2025-01-08T04:59:06.154Z - created_by: elastic - id: 21b01cfb-058d-44b9-838c-282be16c91cc - list_id: ip_list - tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a - type: ip - updated_at: 2025-01-08T04:59:06.154Z - updated_by: elastic - value: 127.0.0.1 - ip_range: - value: - _version: WzEsMV0= - '@timestamp': 2025-01-09T18:33:08.202Z - created_at: 2025-01-09T18:33:08.202Z - created_by: elastic - id: ip_range_item - list_id: ip_range_list - tie_breaker_id: ea1b4189-efda-4637-b8f9-74655a5ebb61 - type: ip_range - updated_at: 2025-01-09T18:33:08.202Z - updated_by: elastic - value: 192.168.0.0/16 - keyword: - value: - _version: WzIsMV0= - '@timestamp': 2025-01-09T18:34:29.422Z - created_at: 2025-01-09T18:34:29.422Z - created_by: elastic - id: 7f24737d-1da8-4626-a568-33070591bb4e - list_id: keyword_list - tie_breaker_id: 2108ced2-5e5d-401e-a88e-4dd69fc5fa27 - type: keyword - updated_at: 2025-01-09T18:34:29.422Z - updated_by: elastic - value: zeek schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse' + description: Successful bulk operation request '400': content: application/json: - examples: - badRequest: - value: - error: Bad Request - message: >- - uri [/api/lists/items] with method [post] exists but is - not available with the current configuration - statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + $ref: 
'#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: Generic Error + summary: Applies a bulk action to multiple Knowledge Base Entries + tags: + - Security AI Assistant API + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/knowledge_base/entries/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Finds Knowledge Base Entries that match the given query. + operationId: FindKnowledgeBaseEntries + parameters: + - description: A list of fields to include in the response. If not provided, all fields will be included. + in: query + name: fields + required: false + schema: + example: + - title + - created_at + items: + type: string + type: array + - description: Search query to filter Knowledge Base Entries by specific criteria. + in: query + name: filter + required: false + schema: + example: error handling + type: string + - description: Field to sort the Knowledge Base Entries by. + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField' + example: created_at + - description: Sort order for the results, either asc or desc. + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + example: asc + - description: Page number for paginated results. Defaults to 1. + in: query + name: page + required: false + schema: + default: 1 + example: 2 + minimum: 1 + type: integer + - description: Number of Knowledge Base Entries to return per page. Defaults to 20. 
+ in: query + name: per_page + required: false + schema: + default: 20 + example: 10 + minimum: 0 + type: integer + responses: + '200': content: application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + type: object + properties: + data: + description: The list of Knowledge Base Entries for the current page. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' + type: array + page: + description: The current page number. + example: 1 + type: integer + perPage: + description: The number of Knowledge Base Entries returned per page. + example: 20 + type: integer + total: + description: The total number of Knowledge Base Entries available. + example: 100 + type: integer + required: + - page + - perPage + - total + - data + description: Successful response containing the paginated Knowledge Base Entries. + '400': content: application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/lists/items] is unauthorized for user, this - action is granted by the Kibana privileges [lists-all] - statusCode: 403 schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': + type: object + properties: + error: + description: A short description of the error. + example: Bad Request + type: string + message: + description: A detailed message explaining the error. + example: 'Invalid query parameter: sort_order' + type: string + statusCode: + description: The HTTP status code of the error. 
+ example: 400 + type: number + description: Generic Error indicating an issue with the request. + summary: Finds Knowledge Base Entries that match the given query. + tags: + - Security AI Assistant API + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/knowledge_base/entries/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a Knowledge Base Entry by its unique `id`. + operationId: DeleteKnowledgeBaseEntry + parameters: + - description: The unique identifier (`id`) of the Knowledge Base Entry to delete. + example: '12345' + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': content: application/json: - examples: - listNotFound: - value: - message: 'list id: \"ip_list\" does not exist' - status_code: 404 + example: + id: '12345' + message: Knowledge Base Entry successfully deleted. schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': + $ref: '#/components/schemas/Security_AI_Assistant_API_DeleteResponseFields' + description: Successful request returning the `id` of the deleted Knowledge Base Entry. + '400': content: application/json: - examples: - alreadyExists: - value: - message: 'list item id: \"ip_item\" already exists' - status_code: 409 + example: + error: Not Found + message: No Knowledge Base Entry found with the provided `id`. + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: A generic error occurred, such as an invalid `id` or the entry not being found. + summary: Deletes a single Knowledge Base Entry using the `id` field + tags: + - Security AI Assistant API + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a Knowledge Base Entry by its unique `id`. + operationId: ReadKnowledgeBaseEntry + parameters: + - description: The unique identifier (`id`) of the Knowledge Base Entry to retrieve. + example: '12345' + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': + content: + application/json: + example: + content: To reset your password, go to the settings page and click 'Reset Password'. + id: '12345' + tags: + - password + - reset + - help + title: How to reset a password schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item already exists response - '500': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' + description: Successful request returning the requested Knowledge Base Entry. + '400': content: application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 + example: + error: Not Found + message: No Knowledge Base Entry found with the provided `id`. schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Create a value list item + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: A generic error occurred, such as an invalid `id` or the entry not being found. + summary: Read a Knowledge Base Entry tags: - - Security Lists API + - Security AI Assistant API + x-metaTags: + - content: Kibana + name: product_name put: - description: > - Update a value list item using the list item ID. The original list item - is replaced, and all unspecified fields are deleted. + description: |- + **Spaces method and path for this operation:** - > info +
put /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
- > You cannot modify the `id` value. - operationId: UpdateListItem + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing Knowledge Base Entry by its unique `id`. + operationId: UpdateKnowledgeBaseEntry + parameters: + - description: The unique identifier (`id`) of the Knowledge Base Entry to update. + example: '12345' + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' requestBody: content: application/json: - examples: - fullReplace: - value: - id: ip_item - value: 255.255.255.255 + example: + content: To reset your password, go to the settings page, click 'Reset Password', and follow the instructions. + tags: + - password + - reset + - help + - update + title: How to reset a password (updated) schema: - example: - id: ip_item - value: 255.255.255.255 - type: object - properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' - required: - - id - - value - description: Value list item's properties + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps' required: true responses: '200': content: application/json: - examples: - ip: - value: - _version: WzIwLDFd - '@timestamp': 2025-01-08T05:15:05.159Z - created_at: 2025-01-08T05:15:05.159Z - created_by: elastic - id: pd1WRJQBs4HAK3VQeHFI - list_id: ip_list - tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 - type: ip - updated_at: 2025-01-08T05:44:14.009Z - updated_by: elastic - value: 255.255.255.255 + example: + content: To reset your password, go to the settings page, click 'Reset Password', and follow the instructions. 
+ id: '12345' + tags: + - password + - reset + - help + - update + title: How to reset a password (updated) schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' + description: Successful request returning the updated Knowledge Base Entry. '400': content: application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [PATCH /api/lists/items] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 + example: + error: Invalid input + message: The 'content' field cannot be empty. schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: A generic error occurred, such as invalid input or the entry not being found. 
+ summary: Update a Knowledge Base Entry + tags: + - Security AI Assistant API + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/prompts/_bulk_action: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/prompts/_bulk_action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Apply a bulk action to multiple prompts. The bulk action is applied to all prompts that match the filter or to the list of prompts by their IDs. This action allows for bulk create, update, or delete operations. + operationId: PerformPromptsBulkAction + requestBody: + content: + application/json: + example: + create: + - content: Please verify the security settings. + name: New Security Prompt + promptType: system + delete: + ids: + - prompt1 + - prompt2 + update: + - content: Updated content for security prompt. + id: prompt123 + schema: + type: object + properties: + create: + description: List of prompts to be created. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptCreateProps' + type: array + delete: + description: Criteria for deleting prompts in bulk. + type: object + properties: + ids: + description: Array of IDs to apply the action to. + example: + - '1234' + - '5678' + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter the bulk action. + example: 'status: ''inactive''' + type: string + update: + description: List of prompts to be updated. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptUpdateProps' + type: array + responses: + '200': content: application/json: examples: - notFound: + success: value: - message: 'list item id: \"foo\" not found' - status_code: 404 + attributes: + errors: [] + results: + created: + - content: Please verify the security settings. + id: prompt6 + name: New Security Prompt + promptType: system + deleted: + - prompt2 + - prompt3 + skipped: + - id: prompt4 + name: Security Prompt + skip_reason: PROMPT_FIELD_NOT_MODIFIED + updated: + - content: Updated security settings prompt + id: prompt1 + name: Security Prompt + promptType: system + summary: + failed: 0 + skipped: 1 + succeeded: 4 + total: 5 + message: Bulk action completed successfully. 
+ prompts_count: 5 + status_code: 200 + success: true schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse' + description: Indicates a successful call with the results of the bulk action. + '400': content: application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Update a value list item + type: object + properties: + error: + description: A short error message. + example: Bad Request + type: string + message: + description: A detailed error message. + example: Invalid prompt ID or missing required fields. + type: string + statusCode: + description: The HTTP status code for the error. + example: 400 + type: number + description: Indicates a generic error due to a bad request. + summary: Apply a bulk action to prompts tags: - - Security Lists API - /api/lists/items/_export: - post: - description: Export list item values from the specified value list. - operationId: ExportListItems + - Security AI Assistant API + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/prompts/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/prompts/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all prompts based on optional filters, sorting, and pagination. + operationId: FindPrompts parameters: - - description: Value list's `id` to export. + - description: List of specific fields to include in each returned prompt. in: query - name: list_id - required: true + name: fields + required: false schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' + example: + - id + - name + - content + items: + type: string + type: array + - description: Search query string to filter prompts by matching fields. + in: query + name: filter + required: false + schema: + example: error handling + type: string + - description: Field to sort prompts by. + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_FindPromptsSortField' + - description: Sort order, either asc or desc. + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number for pagination. + in: query + name: page + required: false + schema: + default: 1 + example: 1 + minimum: 1 + type: integer + - description: Number of prompts per page. + in: query + name: per_page + required: false + schema: + default: 20 + example: 20 + minimum: 0 + type: integer responses: '200': content: - application/ndjson: - examples: - ipLines: - value: | - 127.0.0.1 - 127.0.0.2 - 127.0.0.3 + application/json: schema: - description: A `.txt` file containing list items from the specified list - example: | - 127.0.0.1 - 127.0.0.2 - 127.0.0.3 - 127.0.0.4 - 127.0.0.5 - 127.0.0.6 - 127.0.0.7 - 127.0.0.8 - 127.0.0.9 - format: binary - type: string - description: Successful response + example: + data: + - categories: + - troubleshooting + - logging + color: '#FF5733' + consumer: security + content: If you encounter an error, check the logs and retry. 
+ createdAt: '2025-04-20T21:00:00Z' + createdBy: jdoe + id: prompt-123 + isDefault: true + isNewConversationDefault: false + name: Error Troubleshooting Prompt + namespace: default + promptType: standard + timestamp: '2025-04-30T22:30:00Z' + updatedAt: '2025-04-30T22:45:00Z' + updatedBy: jdoe + users: + - full_name: John Doe + username: jdoe + page: 1 + perPage: 20 + total: 142 + type: object + properties: + data: + description: The list of prompts returned based on the search query, sorting, and pagination. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' + type: array + page: + description: Current page number. + example: 1 + type: integer + perPage: + description: Number of prompts per page. + example: 20 + type: integer + total: + description: Total number of prompts matching the query. + example: 142 + type: integer + required: + - page + - perPage + - total + - data + description: Successful response containing a list of prompts. '400': content: application/json: - examples: - badRequest: - value: - error: 'Bad Request","message":"[request query]: list_id: Required' - statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + type: object + properties: + error: + description: Short error message. + example: Bad Request + type: string + message: + description: Detailed description of the error. + example: Invalid sort order value provided. + type: string + statusCode: + description: HTTP status code for the error. + example: 400 + type: number + description: Bad request due to invalid parameters or malformed query. + summary: Get prompts + tags: + - Security AI Assistant API + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security/entity_store
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update the Entity Store log extraction configuration.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + updateLogExtractionExample: + description: Update the log extraction configuration with a new lookback period and frequency. + summary: Update log extraction settings + value: + logExtraction: + fieldHistoryLength: 15 + frequency: 10m + lookbackPeriod: 6h + schema: + additionalProperties: false + type: object + properties: + logExtraction: + additionalProperties: false + type: object + properties: + additionalIndexPatterns: + items: + type: string + type: array + delay: + pattern: '[smdh]$' + type: string + docsLimit: + maximum: 9007199254740991 + minimum: 1 + type: integer + fieldHistoryLength: + maximum: 9007199254740991 + minimum: -9007199254740991 + type: integer + filter: + type: string + frequency: + pattern: '[smdh]$' + type: string + lookbackPeriod: + pattern: '[smdh]$' + type: string + maxLogsPerPage: + maximum: 9007199254740991 + minimum: 1 + type: integer + required: + - logExtraction + responses: + '200': content: application/json: examples: - unauthorized: + updateSuccessExample: + description: The Entity Store configuration was successfully updated. + summary: Entity Store updated value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + ok: true + description: Indicates a successful response. 
+ '400': content: application/json: examples: - forbidden: + invalidDurationExample: + description: A log extraction parameter has an invalid duration format. + summary: Invalid duration parameter value: - error: Forbidden - message: >- - API [POST /api/lists/items/_export?list_id=ips.txt] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response + error: Bad Request + message: '[request body]: logExtraction.frequency: must be a valid duration of at least 30 seconds (e.g. 1m, 30s)' + statusCode: 400 + description: Bad request. '404': content: application/json: examples: - notFound: - value: - message: 'list id: "unknown_list" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: + notFoundExample: + description: The Entity Store has not been installed yet. + summary: Entity Store not installed value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Export value list items + error: Not Found + message: Entity store is not installed + statusCode: 404 + description: Entity Store not found. 
+ summary: Update the Entity Store tags: - - Security Lists API - /api/lists/items/_find: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"logExtraction":{"lookbackPeriod":"6h","frequency":"10m","fieldHistoryLength":15}}' \ + "${KIBANA_URL}/api/security/entity_store" + - lang: Console + source: | + PUT kbn://api/security/entity_store + { + "logExtraction": { + "lookbackPeriod": "6h", + "frequency": "10m", + "fieldHistoryLength": 15 + } + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/entities: get: - description: Get all value list items in the specified list. - operationId: FindListItems + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security/entity_store/entities
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List entity records from the Entity Store with paging, sorting, and filtering. Supports two modes: page-based pagination (page/per_page) and cursor-based pagination (searchAfter). The two modes cannot be combined.

[Required authorization] Route required privileges: securitySolution. + operationId: get-security-entity-store-entities parameters: - - description: Parent value list's `id` to page through items for. + - description: A Kibana Query Language (KQL) filter for the search-after mode. + in: query + name: filter + required: false + schema: + type: string + - description: Number of entities to return in search-after mode. + in: query + name: size + required: false + schema: + maximum: 9007199254740991 + minimum: 1 + type: integer + - description: JSON-encoded search_after value for cursor-based pagination. + in: query + name: searchAfter + required: false + schema: + type: string + - description: Fields to include in the response source. + in: query + name: source + required: false + schema: + items: + type: string + type: array + - description: Fields to include in the response. + in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Field to sort results by in page mode. + in: query + name: sort_field + required: false + schema: + type: string + - description: Sort order in page mode. in: query - name: list_id - required: true + name: sort_order + required: false schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: The page number to return. + enum: + - asc + - desc + type: string + - description: Page number to return (1-indexed) in page mode. in: query name: page required: false schema: - example: 1 + maximum: 9007199254740991 + minimum: 1 type: integer - - description: The number of list items to return per page. + - description: Number of entities per page in page mode. in: query name: per_page required: false schema: - example: 20 + maximum: 10000 + minimum: 1 type: integer - - description: Determines which field is used to sort the results. + - description: An Elasticsearch query string to filter entities in page mode. 
in: query - name: sort_field + name: filterQuery required: false schema: - example: value - format: nonempty - minLength: 1 type: string - - description: Determines the sort order, which can be `desc` or `asc` + - description: Entity types to include in the results. in: query - name: sort_order + name: entity_types required: false schema: - enum: - - desc - - asc - example: asc - type: string - - description: > - Opaque cursor returned in a previous response; pass it to continue - listing from the next page. Omit on the first request. - in: query - name: cursor - required: false + items: + enum: + - user + - host + - service + - generic + type: string + type: array + responses: + '200': + content: + application/json: + examples: + emptyResultExample: + description: No entities matched the query. + summary: Empty result + value: + page: 1 + per_page: 10 + records: [] + total: 0 + pageModeExample: + description: A paginated list of host entities sorted by timestamp in descending order, including query inspection data. 
+ summary: Page mode response with host entities + value: + inspect: + dsl: + - '{"index":["entities-latest-default"],"body":{"terms":{"entity.EngineMetadata.Type":["host"]}}}' + response: + - '{"took":1,"timed_out":false,"hits":{"total":{"value":1,"relation":"eq"}}}' + page: 1 + per_page: 10 + records: + - '@timestamp': '2026-04-10T08:30:00.000Z' + asset: + criticality: high_impact + environment: production + entity: + attributes: + asset: true + managed: true + id: host:web-server-prod-01 + lifecycle: + first_seen: '2026-01-15T10:00:00.000Z' + last_activity: '2026-04-10T08:30:00.000Z' + name: web-server-prod-01 + risk: + calculated_level: Moderate + calculated_score: 47.5 + calculated_score_norm: 47.5 + source: + - logs + type: host + host: + hostname: + - web-server-prod-01.example.com + ip: + - 10.0.1.42 + name: web-server-prod-01 + os: + name: Ubuntu + type: linux + total: 1 + searchAfterModeExample: + description: A cursor-based response with entities and a search_after token for the next page. + summary: Search-after mode response + value: + entities: + - '@timestamp': '2026-04-10T08:30:00.000Z' + entity: + id: user:jane.doe@example.com + name: jane.doe + type: user + user: + email: + - jane.doe@example.com + name: jane.doe + nextSearchAfter: + - 1712736600000 + - 1 + description: Indicates a successful response. + '400': + content: + application/json: + examples: + invalidFilterExample: + description: The provided Kibana Query Language filter could not be parsed. + summary: Invalid filter + value: + error: Bad Request + message: |- + Invalid filter: Expected "(", "{", value, whitespace but ":" found. + invalid :: query + ---------^ + statusCode: 400 + mixedModesExample: + description: Cannot combine page-based pagination with cursor-based pagination in the same request. + summary: Mixed pagination modes + value: + error: Bad Request + message: '[request query]: Cannot combine page/per_page with searchAfter' + statusCode: 400 + description: Bad request. 
+ summary: List entities + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ + "${KIBANA_URL}/api/security/entity_store/entities?entity_types=host&page=1&per_page=10&sort_field=%40timestamp&sort_order=desc" + - lang: Console + source: | + GET kbn://api/security/entity_store/entities?entity_types=host&page=1&per_page=10&sort_field=@timestamp&sort_order=desc + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/entities/: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/security/entity_store/entities/
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a single entity record from the Entity Store. The entity is immediately removed from the latest index.

[Required authorization] Route required privileges: securitySolution. + operationId: delete-security-entity-store-entities + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' - - description: > - Filters the returned results according to the value of the specified - field, + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + deleteEntityExample: + description: Delete a single entity from the Entity Store using its entity identifier. + summary: Delete an entity by identifier + value: + entityId: host:web-server-prod-01 + schema: + additionalProperties: false + type: object + properties: + entityId: + description: The identifier of the entity to delete. + type: string + required: + - entityId + responses: + '200': + content: + application/json: + examples: + deleteSuccessExample: + description: The entity was found and successfully removed from the latest index. + summary: Entity deleted + value: + deleted: true + description: Indicates the entity was successfully deleted. + '404': + content: + application/json: + examples: + notFoundExample: + description: No entity with the specified identifier exists in the Entity Store. + summary: Entity not found + value: + error: Not Found + message: Entity ID 'host:web-server-prod-01' not found + statusCode: 404 + description: Entity not found. 
+ summary: Delete an entity + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X DELETE -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityId":"host:web-server-prod-01"}' \ + "${KIBANA_URL}/api/security/entity_store/entities/" + - lang: Console + source: | + DELETE kbn://api/security/entity_store/entities/ + { + "entityId": "host:web-server-prod-01" + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/entities/{entityType}: + post: + description: |- + **Spaces method and path for this operation:** - using the : syntax. - in: query - name: filter - required: false +
post /s/{space_id}/api/security/entity_store/entities/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new entity record in the Entity Store for the specified entity type.

[Required authorization] Route required privileges: securitySolution. + operationId: post-security-entity-store-entities-entitytype + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter' + example: 'true' + type: string + - description: The entity type to create. + in: path + name: entityType + required: true + schema: + enum: + - user + - host + - service + - generic + type: string + requestBody: + content: + application/json: + examples: + createHostEntityExample: + description: Create a new host entity record with basic host and entity fields. The entity identifier must match the auto-generated format for the entity type. + summary: Create a host entity + value: + asset: + business_unit: Engineering + criticality: high_impact + environment: production + entity: + attributes: + asset: true + managed: true + id: host:web-server-prod-01 + name: web-server-prod-01 + source: + - manual + type: host + host: + hostname: + - web-server-prod-01.example.com + ip: + - 10.0.1.42 + name: web-server-prod-01 + schema: + anyOf: + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + 
additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: 
string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + 
items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - 
Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + user: + additionalProperties: false + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: + items: + type: string + type: array + name: + type: string + risk: + 
additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + roles: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + 
user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + 
properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical 
+ type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + host: + additionalProperties: false + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: + type: string + os: + additionalProperties: false + type: object + properties: + family: + type: string + full: + type: string + kernel: + type: string + name: + anyOf: + - type: string + - items: + type: string + type: array + platform: + type: string + type: + anyOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + type: + items: + type: string + type: array + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: 
object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: 
+ items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + 
properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + service: + additionalProperties: false + type: object + properties: + address: + type: string + environment: + type: string + ephemeral_id: + type: string + id: + type: string + name: + type: string + node: + additionalProperties: false + type: object + properties: + name: + type: string + role: + type: string + roles: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + state: + type: string + type: + type: string + version: + type: string + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + cloud: + additionalProperties: false + type: 
object + properties: + account: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + availability_zone: + type: string + instance: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + machine: + additionalProperties: false + type: object + properties: + type: + type: string + project: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + provider: + type: string + region: + type: string + service: + additionalProperties: false + type: object + properties: + name: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: 
object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: 
+ items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + 
properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + orchestrator: + additionalProperties: false + type: object + properties: + api_version: + type: string + cluster: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + url: + type: string + version: + type: string + namespace: + type: string + organization: + type: string + resource: + additionalProperties: false + type: object + properties: + annotation: + type: string + id: + type: string + ip: + type: string + label: + type: string + name: + type: string + parent: + additionalProperties: false + type: object + properties: + type: + type: string + type: + type: string + type: + type: string + tags: + items: + type: string + type: array responses: '200': content: application/json: examples: - ip: + createSuccessExample: + description: The entity record was successfully created in the Entity Store. 
+ summary: Entity created value: - cursor: >- - WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d - data: - - _version: WzAsMV0= - '@timestamp': 2025-01-08T04:59:06.154Z - created_at: 2025-01-08T04:59:06.154Z - created_by: elastic - id: 21b01cfb-058d-44b9-838c-282be16c91cc - list_id: ip_list - tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a - type: ip - updated_at: 2025-01-08T04:59:06.154Z - updated_by: elastic - value: 127.0.0.1 - page: 1 - per_page: 20 - total: 1 - schema: - type: object - properties: - cursor: - $ref: >- - #/components/schemas/Security_Lists_API_FindListItemsCursor - data: - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - type: array - page: - minimum: 0 - type: integer - per_page: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - - cursor - description: Successful response + ok: true + description: Indicates the entity was successfully created. '400': content: application/json: examples: - badRequest: - value: - error: Bad Request, - message: '[request query]: list_id: Required' - statusCode: 400, - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: + euidMismatchExample: + description: The supplied entity identifier does not 
match the auto-generated identifier derived from the entity fields. + summary: Entity identifier mismatch value: - error: Forbidden - message: >- - API [GET - /api/lists/items/_find?list_id=ip_list&page=1&per_page=20] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': + error: Bad Request + message: 'Bad request: Supplied ID my-custom-id does not match generated EUID host:web-server-prod-01' + statusCode: 400 + description: Bad request. + '409': content: application/json: examples: - serverError: + conflictExample: + description: An entity with the specified identifier already exists. + summary: Entity already exists value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value list items + error: Conflict + message: Entity ID 'host:web-server-prod-01' already exists + statusCode: 409 + description: Conflict. + summary: Create an entity tags: - - Security Lists API - /api/lists/items/_import: - post: - description: > - Import value list items from a TXT or CSV file. The maximum file size is - 9 million bytes. 
- + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","source":["manual"],"attributes":{"asset":true}},"host":{"name":"web-server-prod-01","ip":["10.0.1.42"]}}' \ + "${KIBANA_URL}/api/security/entity_store/entities/host" + - lang: Console + source: | + POST kbn://api/security/entity_store/entities/host + { + "entity": { + "id": "host:web-server-prod-01", + "name": "web-server-prod-01", + "type": "host", + "source": ["manual"], + "attributes": { "asset": true } + }, + "host": { + "name": "web-server-prod-01", + "ip": ["10.0.1.42"] + } + } + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** - You can import items to a new or existing list. - operationId: ImportListItems - parameters: - - description: | - List's id. +
put /s/{space_id}/api/security/entity_store/entities/{entityType}
- Required when importing to an existing list. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: | - Type of the importing list. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Required when importing a new list whose list `id` is not specified. - examples: - ip: - value: ip - in: query - name: type - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListType' - - description: >- - Determines when changes made by the request are made visible to - search. - in: query - name: refresh - required: false + Update an existing entity record in the Entity Store. By default only certain fields can be updated. Set the `force` query parameter to `true` to update protected fields.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store-entities-entitytype + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - enum: - - 'true' - - 'false' - - wait_for - example: true + example: 'true' type: string - requestBody: - content: - multipart/form-data: - examples: - ipLinesFile: - value: - file: list_values.txt - schema: - type: object - properties: - file: - description: >- - A `.txt` or `.csv` file containing newline separated list - items. - example: | - 127.0.0.1 - 127.0.0.2 - 127.0.0.3 - 127.0.0.4 - 127.0.0.5 - 127.0.0.6 - 127.0.0.7 - 127.0.0.8 - 127.0.0.9 - format: binary - type: string - required: true - responses: - '200': - content: - application/json: - examples: - ip: - value: - _version: WzAsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ip - id: ip_list - immutable: false - name: Simple list with an ip - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T04:47:34.273Z - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - message: Either type or list_id need to be defined in the query - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - 
[elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/lists/items/_import?list_id=ip_list] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json: - examples: - notFound: - value: - message: >- - List with the specified list_id does not exist, create the - list or fix list_id to import to an existing one - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List with specified list_id does not exist response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Import value list items - tags: - - Security Lists API - /api/lists/privileges: - get: - description: > - Returns the caller's authentication state and the Elasticsearch - `cluster`, `index`, and `application` - - privileges for `.lists` and `.items` data streams in the current Kibana - space. Use this to decide which list - - APIs (`read` vs `all` operations) are available before you create or - import lists. 
- operationId: ReadListPrivileges - responses: - '200': - content: - application/json: - examples: - privileges: - value: - is_authenticated: true - listItems: - application: {} - cluster: - all: true - manage: true - manage_api_key: true - manage_index_templates: true - manage_ml: true - manage_own_api_key: true - manage_pipeline: true - manage_security: true - manage_transform: true - monitor: true - monitor_ml: true - monitor_transform: true - has_all_requested: true - index: - .items-default: - all: true - create: true - create_doc: true - create_index: true - delete: true - delete_index: true - index: true - maintenance: true - manage: true - monitor: true - read: true - view_index_metadata: true - write: true - username: elastic - lists: - application: {} - cluster: - all: true - manage: true - manage_api_key: true - manage_index_templates: true - manage_ml: true - manage_own_api_key: true - manage_pipeline: true - manage_security: true - manage_transform: true - monitor: true - monitor_ml: true - monitor_transform: true - has_all_requested: true - index: - .lists-default: - all: true - create: true - create_doc: true - create_index: true - delete: true - delete_index: true - index: true - maintenance: true - manage: true - monitor: true - read: true - view_index_metadata: true - write: true - username: elastic - schema: - type: object - properties: - is_authenticated: - type: boolean - listItems: - $ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges' - lists: - $ref: '#/components/schemas/Security_Lists_API_ListPrivileges' - required: - - lists - - listItems - - is_authenticated - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: >- - Unable to resolve list privileges: invalid or missing - space context for this request - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: 
'#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + - description: The entity type to update. + in: path + name: entityType + required: true + schema: + enum: + - user + - host + - service + - generic + type: string + - description: When true, allows updating protected fields. + in: query + name: force + required: false + schema: + anyOf: + - enum: + - 'true' + - 'false' + type: string + - type: boolean + default: false + requestBody: + content: + application/json: + examples: + updateEntityAttributesExample: + description: Update the attributes of an existing user entity. Fields like entity.name and entity.type are protected and require the force query parameter. + summary: Update entity attributes + value: + entity: + attributes: + managed: true + mfa_enabled: true + id: user:jane.doe@example.com + lifecycle: + last_activity: '2026-04-10T14:30:00.000Z' + name: jane.doe + type: user + user: + email: + - jane.doe@example.com + name: jane.doe + roles: + - admin + - analyst + schema: + anyOf: + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + 
properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + 
items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: 
string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + 
calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + user: + additionalProperties: false + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: + items: + type: string + type: array + name: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + 
- High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + roles: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + 
user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + 
properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical 
+ type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + host: + additionalProperties: false + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: + type: string + os: + additionalProperties: false + type: object + properties: + family: + type: string + full: + type: string + kernel: + type: string + name: + anyOf: + - type: string + - items: + type: string + type: array + platform: + type: string + type: + anyOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + type: + items: + type: string + type: array + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: 
object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: 
+ items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + 
properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + service: + additionalProperties: false + type: object + properties: + address: + type: string + environment: + type: string + ephemeral_id: + type: string + id: + type: string + name: + type: string + node: + additionalProperties: false + type: object + properties: + name: + type: string + role: + type: string + roles: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + state: + type: string + type: + type: string + version: + type: string + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + cloud: + additionalProperties: false + type: 
object + properties: + account: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + availability_zone: + type: string + instance: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + machine: + additionalProperties: false + type: object + properties: + type: + type: string + project: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + provider: + type: string + region: + type: string + service: + additionalProperties: false + type: object + properties: + name: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: 
object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: 
+ items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + 
properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + orchestrator: + additionalProperties: false + type: object + properties: + api_version: + type: string + cluster: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + url: + type: string + version: + type: string + namespace: + type: string + organization: + type: string + resource: + additionalProperties: false + type: object + properties: + annotation: + type: string + id: + type: string + ip: + type: string + label: + type: string + name: + type: string + parent: + additionalProperties: false + type: object + properties: + type: + type: string + type: + type: string + type: + type: string + tags: + items: + type: string + type: array + responses: + '200': content: application/json: examples: - unauthorized: + updateSuccessExample: + description: The entity record was successfully updated. + summary: Entity updated value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + ok: true + description: Indicates the entity was successfully updated. + '400': content: application/json: examples: - forbidden: + protectedFieldsExample: + description: The request attempts to update protected fields without the force query parameter. 
+ summary: Protected fields without force value: - error: Forbidden - message: >- - API [GET /api/lists/privileges] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': + error: Bad Request + message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type' + statusCode: 400 + description: Bad request. + '404': content: application/json: examples: - serverError: + notFoundExample: + description: No entity with the specified identifier exists. + summary: Entity not found value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value list privileges + error: Not Found + message: Entity ID 'user:jane.doe@example.com' not found + statusCode: 404 + description: Entity not found. + summary: Update an entity tags: - - Security Lists API - /api/logstash/pipeline/{id}: - delete: - description: > - Delete a centrally-managed Logstash pipeline. 
+ - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entity":{"id":"user:jane.doe@example.com","name":"jane.doe","type":"user","attributes":{"managed":true,"mfa_enabled":true}},"user":{"name":"jane.doe"}}' \ + "${KIBANA_URL}/api/security/entity_store/entities/user?force=true" + - lang: Console + source: | + PUT kbn://api/security/entity_store/entities/user?force=true + { + "entity": { + "id": "user:jane.doe@example.com", + "name": "jane.doe", + "type": "user", + "attributes": { "managed": true, "mfa_enabled": true } + }, + "user": { "name": "jane.doe" } + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/entities/bulk: + put: + description: |- + **Spaces method and path for this operation:** - If your Elasticsearch cluster is protected with basic authentication, - you must have either the `logstash_admin` built-in role or a customized - Logstash writer role. - externalDocs: - description: Secure your connection - url: https://www.elastic.co/docs/reference/logstash/secure-connection - operationId: delete-logstash-pipeline - parameters: - - description: An identifier for the pipeline. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call - summary: Delete a Logstash pipeline - tags: - - logstash - x-state: Technical Preview - get: - description: > - Get information for a centrally-managed Logstash pipeline. +
put /s/{space_id}/api/security/entity_store/entities/bulk
- To use this API, you must have either the `logstash_admin` built-in role - or a customized Logstash reader role. - externalDocs: - description: Secure your connection - url: https://www.elastic.co/docs/reference/logstash/secure-connection - operationId: get-logstash-pipeline - parameters: - - description: An identifier for the pipeline. - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getLogstashPipelineResponseExample1: - value: |- - { - "id": "hello-world", - "description": "Just a simple pipeline", - "username": "elastic", - "pipeline": "input { stdin {} } output { stdout {} }", - "settings": { - "queue.type": "persistent" - } - } - schema: - type: object - description: Indicates a successful call - summary: Get a Logstash pipeline - tags: - - logstash - x-state: Technical Preview - put: - description: > - Create a centrally-managed Logstash pipeline or update a pipeline. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - To use this API, you must have either the `logstash_admin` built-in role - or a customized Logstash writer role. - externalDocs: - description: Secure your connection - url: https://www.elastic.co/docs/reference/logstash/secure-connection - operationId: put-logstash-pipeline + Update multiple entity records in the Entity Store in a single request.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store-entities-bulk parameters: - - description: > - An identifier for the pipeline. Pipeline ID must begin with a letter - or underscore and can contain only letters, underscores, dashes, - hyphens, and numbers. - in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string + - description: When true, allows updating protected fields. + in: query + name: force + required: false + schema: + anyOf: + - enum: + - 'true' + - 'false' + type: string + - type: boolean + default: false requestBody: content: application/json: examples: - putLogstashPipelineRequestExample1: - value: |- - { - "pipeline": "input { stdin {} } output { stdout {} }", - "settings": { - "queue.type": "persisted" - } - } + bulkUpdateExample: + description: Update a host entity and a user entity in a single request. + summary: Bulk update multiple entities + value: + entities: + - doc: + entity: + attributes: + asset: true + id: host:web-server-prod-01 + name: web-server-prod-01 + type: host + host: + name: web-server-prod-01 + type: host + - doc: + entity: + attributes: + managed: true + id: user:jane.doe@example.com + name: jane.doe + type: user + user: + name: jane.doe + type: user schema: + additionalProperties: false type: object properties: - description: - description: A description of the pipeline. - type: string - pipeline: - description: A definition for the pipeline. - type: string - settings: - description: > - Supported settings, represented as object keys, include the - following: - - - - `pipeline.workers` - - - `pipeline.batch.size` - - - `pipeline.batch.delay` - - - `pipeline.ecs_compatibility` - - - `pipeline.ordered` - - - `queue.type` - - - `queue.max_bytes` - - - `queue.checkpoint.writes` - type: object + entities: + description: The entities to update. 
+ items: + type: object + properties: + doc: + anyOf: + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + 
type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: 
array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: 
array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: 
string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + user: + additionalProperties: false + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: + items: + type: string + type: array + name: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + roles: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: 
object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + 
raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + 
type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate 
+ - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + host: + additionalProperties: false + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: + type: string + os: + additionalProperties: false + type: object + properties: + family: + type: string + full: + type: string + kernel: 
+ type: string + name: + anyOf: + - type: string + - items: + type: string + type: array + platform: + type: string + type: + anyOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + type: + items: + type: string + type: array + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: 
+ items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + 
ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + 
user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + 
type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + service: + additionalProperties: false + type: object + properties: + address: + type: string + environment: + type: string + ephemeral_id: + type: string + id: + type: string + name: + type: string + node: + additionalProperties: false + type: object + properties: + name: + type: string + role: + type: string + roles: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + state: + type: string + type: + type: string + version: + type: string + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + cloud: + additionalProperties: false + type: object + properties: + account: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + availability_zone: + type: string + instance: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + machine: + additionalProperties: false + type: object + properties: + type: + type: string + project: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + provider: + type: string + region: + type: string + service: + additionalProperties: false + type: object + properties: + name: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: 
string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + 
additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + 
items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string 
+ type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + orchestrator: + additionalProperties: false + type: object + properties: + api_version: + type: string + cluster: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + url: + type: string + version: + type: string + namespace: + type: string + organization: + type: string + resource: + additionalProperties: false + type: object + properties: + annotation: + type: string + id: + type: string + ip: + type: string + label: + type: string + name: + type: string + parent: + additionalProperties: false + type: object + properties: + type: + type: string + type: + type: string + type: + type: string + tags: + items: + type: string + type: array + type: + description: The entity type of this record. 
+ enum: + - user + - host + - service + - generic + type: string + required: + - type + - doc + type: array required: - - pipeline - responses: - '204': - description: Indicates a successful call - summary: Create or update a Logstash pipeline - tags: - - logstash - x-state: Technical Preview - /api/logstash/pipelines: - get: - description: > - Get a list of all centrally-managed Logstash pipelines. - - - To use this API, you must have either the `logstash_admin` built-in role - or a customized Logstash reader role. - - > info - - > Limit the number of pipelines to 10,000 or fewer. As the number of - pipelines nears and surpasses 10,000, you may see performance issues on - Kibana. - - - The `username` property appears in the response when security is enabled - and depends on when the pipeline was created or last updated. - externalDocs: - description: Secure your connection - url: https://www.elastic.co/docs/reference/logstash/secure-connection - operationId: get-logstash-pipelines - responses: - '200': - content: - application/json: - examples: - getLogstashPipelinesResponseExample1: - value: |- - { - "pipelines": [ - { - "id": "hello-world", - "description": "Just a simple pipeline", - "last_modified": "2018-04-14T12:23:29.772Z", - "username": "elastic" - }, - { - "id": "sleepy-pipeline", - "description": "", - "last_modified": "2018-03-24T03:41:30.554Z" - } - ] - } - schema: - type: object - description: Indicates a successful call - summary: Get all Logstash pipelines - tags: - - logstash - x-state: Technical Preview - /api/ml/saved_objects/sync: - get: - description: > - Synchronizes Kibana saved objects for machine learning jobs and trained - models in the default space. You must have `all` privileges for the - **Machine Learning** feature in the **Analytics** section of the Kibana - feature privileges. This API runs automatically when you start Kibana - and periodically thereafter. 
- operationId: mlSync - parameters: - - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' - responses: - '200': - content: - application/json: - examples: - syncExample: - $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' - schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' - description: Indicates a successful call - '401': - content: - application/json: - examples: - syncExample: - $ref: '#/components/examples/Machine_learning_APIs_mlSync401Example' - schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' - description: Authorization information is missing or invalid. - summary: Sync saved objects in the default space - tags: - - ml - /api/ml/saved_objects/update_jobs_spaces: - post: - description: Update a list of jobs to add and/or remove them from given spaces. - operationId: mlUpdateJobsSpaces - requestBody: - content: - application/json: - examples: - updateADJobSpacesRequest: - value: - jobIds: - - test-job - jobType: anomaly-detector - spacesToAdd: - - default - spacesToRemove: - - '*' - updateDFAJobSpacesRequest: - value: - jobIds: - - test-job - jobType: data-frame-analytics - spacesToAdd: - - default - spacesToRemove: - - '*' + - entities responses: '200': content: application/json: examples: - successADResponse: + bulkUpdatePartialExample: + description: Some entities were updated but others encountered Elasticsearch-level errors. + summary: Partial success with errors value: - test-job: - success: true - type: anomaly-detector - successDFAResponse: + errors: + - _id: 5de9f93a68a72532e736bf5a6184b06300b9cabf + reason: '[5de9f93a68a72532e736bf5a6184b06300b9cabf]: document missing' + status: 404 + type: document_missing_exception + ok: true + bulkUpdateSuccessExample: + description: All entities were successfully updated with no errors. 
+ summary: All entities updated value: - test-job: - success: true - type: data-frame-analytics - description: Indicates a successful call - summary: Update jobs spaces - tags: - - ml - /api/ml/saved_objects/update_trained_models_spaces: - post: - description: >- - Update a list of trained models to add and/or remove them from given - spaces. - operationId: mlUpdateTrainedModelsSpaces - requestBody: - content: - application/json: - examples: - updateTrainedModelsSpacesRequest: - value: - modelIds: - - test-model - spacesToAdd: - - default - spacesToRemove: - - '*' - responses: - '200': + errors: [] + ok: true + description: Indicates a successful response. + '400': content: application/json: examples: - successTMResponse: + protectedFieldsExample: + description: The request attempts to update protected fields without the force query parameter. + summary: Protected fields without force value: - test-model: - success: true - type: trained-model" - description: Indicates a successful call - summary: Update trained models spaces + error: Bad Request + message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type' + statusCode: 400 + description: Bad request. + summary: Bulk update entities tags: - - ml - /api/note: - delete: - description: > - Deletes notes by saved object ID. Send either `noteId` (single ID) or - `noteIds` (array of IDs) in the JSON body. 
- + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entities":[{"type":"host","doc":{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","attributes":{"asset":true}},"host":{"name":"web-server-prod-01"}}}]}' \ + "${KIBANA_URL}/api/security/entity_store/entities/bulk?force=true" + - lang: Console + source: | + PUT kbn://api/security/entity_store/entities/bulk?force=true + { + "entities": [ + { + "type": "host", + "doc": { + "entity": { + "id": "host:web-server-prod-01", + "name": "web-server-prod-01", + "type": "host", + "attributes": { "asset": true } + }, + "host": { "name": "web-server-prod-01" } + } + } + ] + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/install: + post: + description: |- + **Spaces method and path for this operation:** - The response has HTTP 200 with an empty body on success. +
post /s/{space_id}/api/security/entity_store/install
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Requires the **Timeline and Notes** write privilege (`notes_write`). - operationId: DeleteNote + Install the Entity Store, creating engines for the specified entity types and configuring log extraction.

[Required authorization] Route required privileges: securitySolution. + operationId: post-security-entity-store-install + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - deleteOne: - summary: Delete a single note by id + installDefaultExample: + description: Install the Entity Store for all entity types with default log extraction settings. + summary: Install with default entity types value: - noteId: 709f99c6-89b6-4953-9160-35945c8e174e + entityTypes: + - user + - host + - service + - generic + logExtraction: {} + installWithCustomSettingsExample: + description: Install the Entity Store for host entities only with a custom lookback period and field history length. + summary: Install with custom log extraction + value: + entityTypes: + - host + logExtraction: + delay: 2m + fieldHistoryLength: 20 + filter: 'host.os.type: linux' + frequency: 5m + lookbackPeriod: 12h schema: - oneOf: - - nullable: true + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + items: + enum: + - user + - host + - service + - generic + type: string + type: array + historySnapshot: + additionalProperties: false type: object properties: - noteId: - description: Saved object ID of the note to delete. + frequency: + default: 24h + pattern: '[smdh]$' type: string - required: - - noteId - - nullable: true + logExtraction: + additionalProperties: false type: object properties: - noteIds: - description: Saved object IDs of the notes to delete. + additionalIndexPatterns: + default: [] items: type: string - nullable: true type: array - required: - - noteIds - description: > - Exactly one shape: `{ "noteId": "" }` for a single delete, or `{ - "noteIds": ["", ...] }` for bulk delete. 
- - `noteIds` may be null in some clients; prefer an empty array or omit - unused fields when possible. - required: true + delay: + default: 1m + pattern: '[smdh]$' + type: string + docsLimit: + default: 10000 + maximum: 9007199254740991 + minimum: 1 + type: integer + fieldHistoryLength: + default: 10 + maximum: 9007199254740991 + minimum: -9007199254740991 + type: integer + filter: + default: '' + type: string + frequency: + default: 30s + pattern: '[smdh]$' + type: string + lookbackPeriod: + default: 3h + pattern: '[smdh]$' + type: string + maxLogsPerPage: + default: 40000 + maximum: 9007199254740991 + minimum: 1 + type: integer responses: '200': - description: The notes were deleted successfully. Response body is empty. - summary: Delete one or more notes + content: + application/json: + examples: + alreadyInstalledExample: + description: All requested entity types were already installed. + summary: Already installed + value: + ok: true + description: Indicates all requested entity types are already installed. + '201': + content: + application/json: + examples: + installSuccessExample: + description: The Entity Store was installed and engines are being created. + summary: Entity Store installed + value: + ok: true + description: Indicates the Entity Store was successfully installed. + '403': + content: + application/json: + examples: + forbiddenExample: + description: The user does not have the required Elasticsearch privileges. + summary: Insufficient privileges + value: + error: Forbidden + message: User 'analyst' has insufficient privileges + statusCode: 403 + description: Insufficient privileges. + summary: Install the Entity Store tags: - - Security Timeline API - - access:securitySolution - get: - description: > - Returns Security Timeline notes as saved objects. - - - **Query modes (mutually exclusive branches on the server):** - - - 1. 
**`documentIds` is set** — Returns notes whose `eventId` matches the - given Elasticsearch document `_id` (single string or array). Pagination - query parameters (`page`, `perPage`, etc.) are **not** applied; the - server uses a fixed page size (up to 10000 notes). - - - 2. **`savedObjectIds` is set** — Returns notes linked to the given - Timeline saved object id(s). Same fixed cap as above; list-mode query - parameters are **not** applied. - + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityTypes":["user","host","service","generic"],"logExtraction":{}}' \ + "${KIBANA_URL}/api/security/entity_store/install" + - lang: Console + source: | + POST kbn://api/security/entity_store/install + { + "entityTypes": ["user", "host", "service", "generic"], + "logExtraction": {} + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/resolution/group: + get: + description: |- + **Spaces method and path for this operation:** - 3. **Neither `documentIds` nor `savedObjectIds`** — Lists notes using - saved-objects find semantics: `page` (default 1), `perPage` (default - 10), optional `search`, `sortField`, `sortOrder`, `filter`, - `createdByFilter`, and `associatedFilter`. +
get /s/{space_id}/api/security/entity_store/resolution/group
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Requires the **Timeline and Notes** read privilege (`notes_read`). - operationId: GetNotes + Get the resolution group for a given entity, returning all linked entities. Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. + operationId: get-security-entity-store-resolution-group parameters: - - description: > - Event document `_id` values to match against each note's `eventId`. - When this parameter is present, the response is all matching notes - (up to the server's hard limit), not a paged list using - `page`/`perPage`. - examples: - multiple: - summary: Multiple document ids (array) - value: - - id-one - - id-two - single: - summary: Single document id - value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b - in: query - name: documentIds - schema: - $ref: '#/components/schemas/Security_Timeline_API_DocumentIds' - - description: > - Timeline `savedObjectId` value(s). Returns notes that reference - those timelines. When present, list-mode pagination parameters are - not used; up to the server's hard limit of notes may be returned. - examples: - singleTimeline: - summary: Single timeline id - value: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - in: query - name: savedObjectIds - schema: - $ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds' - - description: > - Page number for list mode (when `documentIds` and `savedObjectIds` - are omitted). Passed as a string; default 1. - example: '1' - in: query - name: page - schema: - nullable: true - type: string - - description: > - Page size for list mode (when `documentIds` and `savedObjectIds` are - omitted). Passed as a string; default 10. - example: '20' - in: query - name: perPage - schema: - nullable: true - type: string - - description: Search string for saved-objects find (list mode only). - in: query - name: search - schema: - nullable: true - type: string - - description: Field to sort by for saved-objects find (list mode only). - in: query - name: sortField - schema: - nullable: true - type: string - - description: >- - Sort order (`asc` or `desc`) for saved-objects find (list mode - only). 
- example: desc - in: query - name: sortOrder - schema: - nullable: true - type: string - - description: > - Kuery filter string combined with other list-mode filters (for - example `createdByFilter` or `associatedFilter`). Typed as a string - for API compatibility; interpreted by the saved-objects layer (list - mode only). - in: query - name: filter - schema: - nullable: true - type: string - - description: > - Kibana user profile **UID** (UUID). The server resolves the user's - display identifiers and returns notes whose `createdBy` matches any - of them (list mode only). - example: f1c2d3e4-5b6a-7890-abcd-ef1234567890 + - description: The entity identifier to look up the resolution group for. in: query - name: createdByFilter + name: entity_id + required: true schema: - nullable: true type: string - - description: > - Restricts notes by how they relate to a Timeline and/or an event - document (list mode only). Some values apply extra filtering after - the query. Ignored when `documentIds` or `savedObjectIds` is used. - in: query - name: associatedFilter - schema: - $ref: '#/components/schemas/Security_Timeline_API_AssociatedFilterType' responses: '200': content: application/json: examples: - notesPage: - summary: Paged notes for a timeline + resolutionGroupExample: + description: Returns the resolution group for an entity, including the target entity, all aliases, and the group size. + summary: Resolution group with linked entities value: - notes: - - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - note: Escalated to tier-2 analyst - noteId: 709f99c6-89b6-4953-9160-35945c8e174e - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzQ2LDFd - totalCount: 1 - schema: - $ref: '#/components/schemas/Security_Timeline_API_GetNotesResult' - description: Notes and total count for the requested mode. 
- summary: Get notes + aliases: + - '@timestamp': '2026-04-10T08:25:00.000Z' + entity: + id: user:jdoe@example.com + name: jdoe + relationships: + resolution: + resolved_to: user:jane.doe@example.com + type: user + user: + name: jdoe + group_size: 2 + target: + '@timestamp': '2026-04-10T08:30:00.000Z' + entity: + id: user:jane.doe@example.com + name: jane.doe + type: user + user: + email: + - jane.doe@example.com + name: jane.doe + description: Indicates a successful response. + '400': + content: + application/json: + examples: + truncatedSearchExample: + description: The resolution search returned too many results and was truncated. + summary: Search results truncated + value: + error: Bad Request + message: Resolution search truncated + statusCode: 400 + description: Bad request. + '404': + content: + application/json: + examples: + notFoundExample: + description: The specified entity does not exist or has no resolution group. + summary: Entity not found + value: + error: Not Found + message: 'Entities not found: [user:nonexistent@example.com]' + statusCode: 404 + description: Entity not found. + summary: Get resolution group tags: - - Security Timeline API - - access:securitySolution - patch: - description: > - Creates a new note or updates an existing one. - - - **Create:** Send `note` and omit `noteId` to create a new saved object. - + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ + "${KIBANA_URL}/api/security/entity_store/resolution/group?entity_id=user%3Ajane.doe%40example.com" + - lang: Console + source: | + GET kbn://api/security/entity_store/resolution/group?entity_id=user:jane.doe@example.com + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/resolution/link: + post: + description: |- + **Spaces method and path for this operation:** - **Update:** Send `note` with the changed fields and set `noteId` to the - note's saved object ID. 
Optionally include `version` for optimistic - concurrency when the client has it from a prior read. +
post /s/{space_id}/api/security/entity_store/resolution/link
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Requires the **Timeline and Notes** write privilege (`notes_write`). - externalDocs: - description: Add or update a note on a Timeline - url: >- - https://www.elastic.co/guide/en/security/current/timeline-api-update.html - operationId: PersistNoteRoute + Link one or more entities to a target entity, creating a resolution group. Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. + operationId: post-security-entity-store-resolution-link + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - addNote: - summary: Add a note on an event + linkEntitiesExample: + description: Link two user entities to a target entity, creating a resolution group. + summary: Link entities to a target value: - note: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - note: Escalated to tier-2 analyst - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + entity_ids: + - user:jdoe@example.com + - user:j.doe@example.com + target_id: user:jane.doe@example.com schema: + additionalProperties: false type: object properties: - note: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - description: >- - Note payload (timeline, text, optional event linkage, - metadata). - noteId: - description: >- - The `savedObjectId` of the note to update. Omit when - creating a new note. - example: 709f99c6-89b6-4953-9160-35945c8e174e - nullable: true - type: string - version: - description: >- - Saved object version string from a previous read; optional - on update. - example: WzQ2LDFd - nullable: true + entity_ids: + description: Entity identifiers to link to the target entity. Minimum 1, maximum 1000. + items: + type: string + maxItems: 1000 + minItems: 1 + type: array + target_id: + description: The entity identifier to resolve the linked entities to. type: string required: - - note - description: > - Body must include the `note` object. For updates, include `noteId` - (and optionally `version`). - - To attach a note to a specific event, set `note.eventId` to that - event's document `_id`; for a timeline-wide note, omit or clear - `eventId` per product rules. 
- required: true + - target_id + - entity_ids responses: '200': content: application/json: examples: - persisted: - summary: Persisted note wrapper + linkSuccessExample: + description: The entities were successfully linked to the target entity. + summary: Entities linked value: - note: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - note: Escalated to tier-2 analyst - noteId: 709f99c6-89b6-4953-9160-35945c8e174e - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzQ2LDFd - schema: - $ref: '#/components/schemas/Security_Timeline_API_ResponseNote' - description: The persisted note, including `noteId` and `version`. - summary: Add or update a note + linked: + - user:jdoe@example.com + - user:j.doe@example.com + skipped: [] + target_id: user:jane.doe@example.com + description: Indicates a successful response. + '400': + content: + application/json: + examples: + mixedTypesExample: + description: All entities in a resolution group must be of the same type. + summary: Mixed entity types + value: + error: Bad Request + message: Cannot link entities of different types + statusCode: 400 + selfLinkExample: + description: Cannot link an entity to itself. + summary: Self-link error + value: + error: Bad Request + message: Cannot link entity 'user:jane.doe@example.com' to itself. + statusCode: 400 + description: Bad request. + '404': + content: + application/json: + examples: + notFoundExample: + description: One or more of the specified entity identifiers were not found. + summary: Entities not found + value: + error: Not Found + message: 'Entities not found: [user:nonexistent@example.com, user:also-nonexistent@example.com]' + statusCode: 404 + description: Entities not found. 
+ summary: Link entities tags: - - Security Timeline API - - access:securitySolution - /api/observability_ai_assistant/chat/complete: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"target_id":"user:jane.doe@example.com","entity_ids":["user:jdoe@example.com"]}' \ + "${KIBANA_URL}/api/security/entity_store/resolution/link" + - lang: Console + source: | + POST kbn://api/security/entity_store/resolution/link + { + "target_id": "user:jane.doe@example.com", + "entity_ids": ["user:jdoe@example.com"] + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/resolution/unlink: post: - description: > - Create a new chat completion by using the Observability AI Assistant. - - - The API returns the model's response based on the current conversation - context. - + description: |- + **Spaces method and path for this operation:** - It also handles any tool requests within the conversation, which may - trigger multiple calls to the underlying large language model (LLM). +
post /s/{space_id}/api/security/entity_store/resolution/unlink
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - operationId: observability-ai-assistant-chat-complete + Remove one or more entities from their resolution group. Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. + operationId: post-security-entity-store-resolution-unlink + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - chatCompleteRequestExample: - $ref: >- - #/components/examples/Observability_AI_Assistant_API_ChatCompleteRequestExample + unlinkEntitiesExample: + description: Remove entities from their resolution group, restoring them as standalone entities. + summary: Unlink entities from their resolution group + value: + entity_ids: + - user:jdoe@example.com + - user:j.doe@example.com schema: + additionalProperties: false type: object properties: - actions: - items: - $ref: >- - #/components/schemas/Observability_AI_Assistant_API_Function - type: array - connectorId: - description: A unique identifier for the connector. - type: string - conversationId: - description: >- - A unique identifier for the conversation if you are - continuing an existing conversation. - type: string - disableFunctions: - description: >- - Flag indicating whether all function calls should be - disabled for the conversation. If true, no calls to - functions will be made. - type: boolean - instructions: - description: >- - An array of instruction objects, which can be either simple - strings or detailed objects. - items: - $ref: >- - #/components/schemas/Observability_AI_Assistant_API_Instruction - type: array - messages: - description: >- - An array of message objects containing the conversation - history. + entity_ids: + description: Entity identifiers to unlink from their resolution group. Minimum 1, maximum 1000. 
items: - $ref: >- - #/components/schemas/Observability_AI_Assistant_API_Message + type: string + maxItems: 1000 + minItems: 1 type: array - persist: - description: >- - Indicates whether the conversation should be saved to - storage. If true, the conversation will be saved and will be - available in Kibana. - type: boolean - title: - description: A title for the conversation. - type: string required: - - messages - - connectorId - - persist + - entity_ids responses: '200': content: application/json: examples: - chatCompleteResponseExample: - $ref: >- - #/components/examples/Observability_AI_Assistant_API_ChatCompleteResponseExample - schema: - type: object - description: Successful response - summary: Generate a chat completion + unlinkSuccessExample: + description: The entities were successfully removed from their resolution group. + summary: Entities unlinked + value: + skipped: [] + unlinked: + - user:jdoe@example.com + - user:j.doe@example.com + description: Indicates a successful response. + '404': + content: + application/json: + examples: + notFoundExample: + description: One or more of the specified entity identifiers were not found. + summary: Entities not found + value: + error: Not Found + message: 'Entities not found: [user:nonexistent@example.com]' + statusCode: 404 + description: Entities not found. 
+ summary: Unlink entities tags: - - observability_ai_assistant + - Security entity store x-codeSamples: - - lang: cURL - source: > - curl --request POST - 'localhost:5601/api/observability_ai_assistant/chat/complete' -u - : -H 'kbn-xsrf: true' -H "Content-Type: - application/json" --data ' - + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entity_ids":["user:jdoe@example.com"]}' \ + "${KIBANA_URL}/api/security/entity_store/resolution/unlink" + - lang: Console + source: | + POST kbn://api/security/entity_store/resolution/unlink { + "entity_ids": ["user:jdoe@example.com"] + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/start: + put: + description: |- + **Spaces method and path for this operation:** - "connectorId": "", - - "disableFunctions": false, - "messages": [ - { - "@timestamp": "2025-06-25T23:45:00.000Z", - "message": { - "role": "user", - "content": "Is my Elasticsearch cluster healthy right now?" - } - } - ], - "persist": false, - - "actions": [ - { - "name": "get_cluster_health", - "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", - "parameters": { - "type": "object", - "properties": { - "includeShardStats": { - "type": "boolean", - "default": false - } - } - } - } - ], +
put /s/{space_id}/api/security/entity_store/start
- "instructions": ["When the user asks about Elasticsearch cluster - health, use the get_cluster_health tool to retrieve cluster health, - then summarize the response in plain English."] + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - }' - x-state: Technical Preview - /api/osquery/history: - get: - description: > - Get a unified, time-sorted history of live, rule-triggered, and - scheduled osquery executions. The response uses cursor-based pagination. - operationId: OsqueryGetUnifiedHistory + Start previously stopped entity engines, resuming data processing for the specified entity types.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store-start parameters: - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - default: 20 - description: The number of results to return per page. - maximum: 100 - minimum: 1 - type: integer - - description: >- - A base64-encoded cursor for pagination. Use the value from the - previous response to fetch the next page. - in: query - name: nextPage - required: false - schema: - description: >- - A base64-encoded cursor for pagination. Use the value from the - previous response to fetch the next page. - type: string - - description: >- - A search string to filter history entries by pack name, query text, - or query ID. - in: query - name: kuery - required: false - schema: - description: >- - A search string to filter history entries by pack name, query - text, or query ID. - type: string - - description: Comma-separated list of user IDs to filter live query history. - in: query - name: userIds - required: false - schema: - description: Comma-separated list of user IDs to filter live query history. - example: elastic,admin - type: string - - description: >- - Comma-separated list of source types to include. Valid values are - `live`, `rule`, and `scheduled`. - in: query - name: sourceFilters - required: false - schema: - description: >- - Comma-separated list of source types to include. Valid values are - `live`, `rule`, and `scheduled`. - example: live,scheduled - type: string - - description: The start of the time range filter (ISO 8601). - in: query - name: startDate - required: false - schema: - description: The start of the time range filter (ISO 8601). - example: '2024-01-01T00:00:00Z' - type: string - - description: The end of the time range filter (ISO 8601). 
- in: query - name: endDate - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - description: The end of the time range filter (ISO 8601). - example: '2024-12-31T23:59:59Z' + example: 'true' type: string + requestBody: + content: + application/json: + examples: + startAllExample: + description: Start all stopped entity engines. + summary: Start all entity engines + value: + entityTypes: + - user + - host + - service + - generic + startSingleExample: + description: Start only the host entity engine. + summary: Start a single entity engine + value: + entityTypes: + - host + schema: + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + description: Entity types to start. Defaults to all installed types. + items: + enum: + - user + - host + - service + - generic + type: string + type: array responses: '200': content: application/json: examples: - unifiedHistoryExample: - summary: Example unified history response + startSuccessExample: + description: The specified entity engines were successfully started. + summary: Engines started value: - data: - - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agentCount: 5 - errorCount: 0 - id: 3c42c847-eb30-4452-80e0-728584042334 - queryName: uptime_query - queryText: select * from uptime; - source: Live - sourceType: live - successCount: 5 - timestamp: '2024-07-26T09:59:32.220Z' - totalRows: 42 - userId: elastic - - agentCount: 10 - errorCount: 1 - executionCount: 3 - id: pack_my_pack_uptime_3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - plannedTime: '2024-07-26T09:00:00.000Z' - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - source: Scheduled - sourceType: scheduled - successCount: 9 - timestamp: '2024-07-26T09:00:00.000Z' - totalRows: 100 - hasMore: true - nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... 
- schema: - $ref: >- - #/components/schemas/Security_Osquery_API_GetUnifiedHistoryResponse - description: Indicates a successful call. - summary: Get unified query history + ok: true + description: Indicates a successful response. + summary: Start Entity Store engines tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/osquery/live_queries: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityTypes":["user","host","service","generic"]}' \ + "${KIBANA_URL}/api/security/entity_store/start" + - lang: Console + source: | + PUT kbn://api/security/entity_store/start + { + "entityTypes": ["user", "host", "service", "generic"] + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/status: get: - description: Get a list of all live queries. - operationId: OsqueryFindLiveQueries + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security/entity_store/status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the overall Entity Store status and per-engine statuses, optionally including component-level health details.

[Required authorization] Route required privileges: securitySolution. + operationId: get-security-entity-store-status parameters: - - description: A KQL search string to filter live queries. - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. + - description: If true, returns a detailed status of each engine including all its components. in: query - name: sortOrder + name: include_components required: false schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - responses: - '200': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindLiveQueryResponse - description: Indicates a successful call. - summary: Get live queries - tags: - - Security Osquery API - post: - description: Create and run a live query. - operationId: OsqueryCreateLiveQuery - requestBody: - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody - required: true + anyOf: + - enum: + - 'true' + - 'false' + type: string + - type: boolean + default: false responses: '200': content: application/json: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateLiveQueryResponse - description: Indicates a successful call. - summary: Create a live query + examples: + notInstalledExample: + description: The Entity Store has not been installed. 
+ summary: Entity Store not installed + value: + engines: [] + status: not_installed + runningStatusExample: + description: The Entity Store is running with two started engines using default settings. + summary: Entity Store running + value: + engines: + - delay: 1m + docsPerSecond: -1 + enrichPolicyExecutionInterval: null + fieldHistoryLength: 10 + filter: '' + frequency: 30s + indexPattern: '' + lastExecutionTimestamp: '2026-04-10T08:30:00.000Z' + lookbackPeriod: 3h + maxPageSearchSize: 10000 + status: started + timeout: 25s + timestampField: '@timestamp' + type: host + - delay: 1m + docsPerSecond: -1 + enrichPolicyExecutionInterval: null + fieldHistoryLength: 10 + filter: '' + frequency: 30s + indexPattern: '' + lastExecutionTimestamp: '2026-04-10T08:30:00.000Z' + lookbackPeriod: 3h + maxPageSearchSize: 10000 + status: started + timeout: 25s + timestampField: '@timestamp' + type: user + status: running + description: Indicates a successful response. + summary: Get Entity Store status tags: - - Security Osquery API - /api/osquery/live_queries/{id}: - get: - description: Get the details of a live query using the query ID. - operationId: OsqueryGetLiveQueryDetails + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ + "${KIBANA_URL}/api/security/entity_store/status?include_components=false" + - lang: Console + source: | + GET kbn://api/security/entity_store/status?include_components=false + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/stop: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security/entity_store/stop
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Stop running entity engines, pausing data processing for the specified entity types.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store-stop parameters: - - description: The ID of the live query. - in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - description: The ID of the live query result you want to retrieve. - example: 3c42c847-eb30-4452-80e0-728584042334 + example: 'true' type: string + requestBody: + content: + application/json: + examples: + stopAllExample: + description: Stop all running entity engines. + summary: Stop all entity engines + value: + entityTypes: + - user + - host + - service + - generic + schema: + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + description: Entity types to stop. Defaults to all running types. + items: + enum: + - user + - host + - service + - generic + type: string + type: array responses: '200': content: application/json: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse - description: Indicates a successful call. - summary: Get live query details - tags: - - Security Osquery API - /api/osquery/live_queries/{id}/results/{actionId}: - get: - description: Get the results of a live query using the query action ID. - operationId: OsqueryGetLiveQueryResults + examples: + stopSuccessExample: + description: The specified entity engines were successfully stopped. + summary: Engines stopped + value: + ok: true + description: Indicates a successful response. 
+ summary: Stop Entity Store engines + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityTypes":["user","host","service","generic"]}' \ + "${KIBANA_URL}/api/security/entity_store/stop" + - lang: Console + source: | + PUT kbn://api/security/entity_store/stop + { + "entityTypes": ["user", "host", "service", "generic"] + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/uninstall: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security/entity_store/uninstall
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uninstall the Entity Store, removing engines and associated resources for the specified entity types.

[Required authorization] Route required privileges: securitySolution. + operationId: post-security-entity-store-uninstall parameters: - - description: The ID of the live query. - in: path - name: id - required: true - schema: - description: The ID of the live query result you want to retrieve. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - - description: The ID of the query action. - in: path - name: actionId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - description: The ID of the query action that generated the live query results. - example: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + example: 'true' type: string - - description: A KQL search string to filter results. - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + requestBody: + content: + application/json: + examples: + uninstallAllExample: + description: Uninstall all entity engines from the Entity Store. + summary: Uninstall all entity types + value: + entityTypes: + - user + - host + - service + - generic + uninstallSingleExample: + description: Uninstall only the host engine from the Entity Store. 
+ summary: Uninstall a single entity type + value: + entityTypes: + - host + schema: + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + description: Entity types to uninstall. Defaults to all installed types. + items: + enum: + - user + - host + - service + - generic + type: string + type: array responses: '200': content: application/json: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse - description: Indicates a successful call. - summary: Get live query results + examples: + uninstallSuccessExample: + description: The specified entity engines were successfully uninstalled. + summary: Entity Store uninstalled + value: + ok: true + description: Indicates a successful response. + summary: Uninstall the Entity Store tags: - - Security Osquery API - /api/osquery/packs: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityTypes":["user","host","service","generic"]}' \ + "${KIBANA_URL}/api/security/entity_store/uninstall" + - lang: Console + source: | + POST kbn://api/security/entity_store/uninstall + { + "entityTypes": ["user", "host", "service", "generic"] + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/role: get: - description: Get a list of all query packs. - operationId: OsqueryFindPacks + operationId: get-security-role parameters: - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. 
+ - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges. in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. - in: query - name: sortOrder + name: replaceDeprecatedPrivileges required: false schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + type: boolean responses: '200': + description: Indicates a successful call. content: application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_FindPacksResponse' - description: Indicates a successful call. - summary: Get packs + examples: + getRolesResponse1: + $ref: '#/components/examples/get_roles_response1' + summary: Get all roles tags: - - Security Osquery API + - roles + x-metaTags: + - content: Kibana + name: product_name + /api/security/role/_query: post: - description: Create a query pack. 
- operationId: OsqueryCreatePacks + operationId: post-security-role-query + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: schema: - $ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody' - required: true + additionalProperties: false + type: object + properties: + filters: + additionalProperties: false + type: object + properties: + showReservedRoles: + type: boolean + from: + type: number + query: + type: string + size: + type: number + sort: + additionalProperties: false + type: object + properties: + direction: + enum: + - asc + - desc + type: string + field: + type: string + required: + - field + - direction responses: '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_CreatePacksResponse' description: Indicates a successful call. - summary: Create a pack - tags: - - Security Osquery API - /api/osquery/packs/{id}: + summary: Query roles + tags: [] + x-metaTags: + - content: Kibana + name: product_name + /api/security/role/{name}: delete: - description: Delete a query pack using the pack ID. - operationId: OsqueryDeletePacks + operationId: delete-security-role-name parameters: - - description: The pack ID. - in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' + example: 'true' + type: string + - in: path + name: name + required: true + schema: + minLength: 1 + type: string responses: - '200': - content: - application/json: - schema: - example: {} - type: object - properties: {} + '204': description: Indicates a successful call. 
- summary: Delete a pack + summary: Delete a role tags: - - Security Osquery API + - roles + x-metaTags: + - content: Kibana + name: product_name get: - description: Get the details of a query pack using the pack ID. - operationId: OsqueryGetPacksDetails + operationId: get-security-role-name parameters: - - description: The pack ID. + - description: The role name. in: path - name: id + name: name required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' + minLength: 1 + type: string + - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges. + in: query + name: replaceDeprecatedPrivileges + required: false + schema: + type: boolean responses: '200': + description: Indicates a successful call. content: application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_FindPackResponse' - description: Indicates a successful call. - summary: Get pack details + examples: + getRoleResponse1: + $ref: '#/components/examples/get_role_response1' + summary: Get a role tags: - - Security Osquery API + - roles + x-metaTags: + - content: Kibana + name: product_name put: - description: | - Update a query pack using the pack ID. - > info - > You cannot update a prebuilt pack. - operationId: OsqueryUpdatePacks + description: Create a new Kibana role or update the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm. + operationId: put-security-role-name parameters: - - description: The pack ID. + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The role name. 
in: path - name: id + name: name required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' + maxLength: 1024 + minLength: 1 + type: string + - description: When true, a role is not overwritten if it already exists. + in: query + name: createOnly + required: false + schema: + default: false + type: boolean requestBody: content: application/json: schema: - $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody' - required: true + additionalProperties: false + type: object + properties: + description: + description: A description for the role. + maxLength: 2048 + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + cluster: + items: + description: Cluster privileges that define the cluster level actions that users can perform. + type: string + maxItems: 100 + type: array + indices: + items: + additionalProperties: false + type: object + properties: + allow_restricted_indices: + description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too. + type: boolean + field_security: + additionalProperties: + items: + description: The document fields that the role members have read access to. + type: string + maxItems: 1000 + type: array + type: object + names: + items: + description: The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*). 
+ type: string + maxItems: 100 + minItems: 1 + type: array + privileges: + items: + description: The index level privileges that the role members have for the data streams and indices. + type: string + maxItems: 100 + minItems: 1 + type: array + query: + description: A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. + type: string + required: + - names + - privileges + maxItems: 1000 + type: array + remote_cluster: + items: + additionalProperties: false + type: object + properties: + clusters: + items: + description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. + type: string + maxItems: 100 + minItems: 1 + type: array + privileges: + items: + description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges. + type: string + maxItems: 100 + minItems: 1 + type: array + required: + - privileges + - clusters + maxItems: 100 + type: array + remote_indices: + items: + additionalProperties: false + type: object + properties: + allow_restricted_indices: + description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too. + type: boolean + clusters: + items: + description: A list of remote cluster aliases. 
It supports literal strings as well as wildcards and regular expressions. + type: string + maxItems: 100 + minItems: 1 + type: array + field_security: + additionalProperties: + items: + description: The document fields that the role members have read access to. + type: string + maxItems: 1000 + type: array + type: object + names: + items: + description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*). + type: string + maxItems: 100 + minItems: 1 + type: array + privileges: + items: + description: The index level privileges that role members have for the specified indices. + type: string + maxItems: 100 + minItems: 1 + type: array + query: + description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. ' + type: string + required: + - clusters + - names + - privileges + maxItems: 1000 + type: array + run_as: + items: + description: A user name that the role member can impersonate. + type: string + maxItems: 100 + type: array + kibana: + items: + additionalProperties: false + type: object + properties: + base: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + nullable: true + oneOf: + - items: + description: A base privilege that grants applies to all spaces. + type: string + maxItems: 50 + type: array + - items: + description: A base privilege that applies to specific spaces. + type: string + maxItems: 50 + type: array + feature: + additionalProperties: + items: + description: The privileges that the role member has for the feature. + type: string + maxItems: 100 + type: array + type: object + spaces: + anyOf: + - items: + enum: + - '*' + type: string + maxItems: 1 + minItems: 1 + type: array + - items: + description: A space that the privilege applies to. 
+ type: string + maxItems: 1000 + type: array + default: + - '*' + required: + - base + type: array + metadata: + additionalProperties: + nullable: true + type: object + required: + - elasticsearch + examples: + createRoleRequest1: + $ref: '#/components/examples/create_role_request1' + createRoleRequest2: + $ref: '#/components/examples/create_role_request2' + createRoleRequest3: + $ref: '#/components/examples/create_role_request3' + createRoleRequest4: + $ref: '#/components/examples/create_role_request4' responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksResponse' + '204': description: Indicates a successful call. - summary: Update a pack + summary: Create or update a role tags: - - Security Osquery API - /api/osquery/packs/{id}/copy: + - roles + x-metaTags: + - content: Kibana + name: product_name + /api/security/roles: post: - description: >- - Create a copy of a query pack with a unique name by appending a `_copy` - suffix. If the name already exists, a numeric suffix is added (e.g., - `_copy_2`). The copied pack is always created with `enabled` set to - `false`. - operationId: OsqueryCopyPacks + operationId: post-security-roles parameters: - - description: The ID of the pack to copy. - in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' + example: 'true' + type: string + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + roles: + additionalProperties: + additionalProperties: false + type: object + properties: + description: + description: A description for the role. 
+ maxLength: 2048 + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + cluster: + items: + description: Cluster privileges that define the cluster level actions that users can perform. + type: string + maxItems: 100 + type: array + indices: + items: + additionalProperties: false + type: object + properties: + allow_restricted_indices: + description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too. + type: boolean + field_security: + additionalProperties: + items: + description: The document fields that the role members have read access to. + type: string + maxItems: 1000 + type: array + type: object + names: + items: + description: The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*). + type: string + maxItems: 100 + minItems: 1 + type: array + privileges: + items: + description: The index level privileges that the role members have for the data streams and indices. + type: string + maxItems: 100 + minItems: 1 + type: array + query: + description: A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. 
+ type: string + required: + - names + - privileges + maxItems: 1000 + type: array + remote_cluster: + items: + additionalProperties: false + type: object + properties: + clusters: + items: + description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. + type: string + maxItems: 100 + minItems: 1 + type: array + privileges: + items: + description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges. + type: string + maxItems: 100 + minItems: 1 + type: array + required: + - privileges + - clusters + maxItems: 100 + type: array + remote_indices: + items: + additionalProperties: false + type: object + properties: + allow_restricted_indices: + description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too. + type: boolean + clusters: + items: + description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. + type: string + maxItems: 100 + minItems: 1 + type: array + field_security: + additionalProperties: + items: + description: The document fields that the role members have read access to. + type: string + maxItems: 1000 + type: array + type: object + names: + items: + description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*). 
+ type: string + maxItems: 100 + minItems: 1 + type: array + privileges: + items: + description: The index level privileges that role members have for the specified indices. + type: string + maxItems: 100 + minItems: 1 + type: array + query: + description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. ' + type: string + required: + - clusters + - names + - privileges + maxItems: 1000 + type: array + run_as: + items: + description: A user name that the role member can impersonate. + type: string + maxItems: 100 + type: array + kibana: + items: + additionalProperties: false + type: object + properties: + base: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + nullable: true + oneOf: + - items: + description: A base privilege that grants applies to all spaces. + type: string + maxItems: 50 + type: array + - items: + description: A base privilege that applies to specific spaces. + type: string + maxItems: 50 + type: array + feature: + additionalProperties: + items: + description: The privileges that the role member has for the feature. + type: string + maxItems: 100 + type: array + type: object + spaces: + anyOf: + - items: + enum: + - '*' + type: string + maxItems: 1 + minItems: 1 + type: array + - items: + description: A space that the privilege applies to. 
+ type: string + maxItems: 1000 + type: array + default: + - '*' + required: + - base + type: array + metadata: + additionalProperties: + nullable: true + type: object + required: + - elasticsearch + type: object + required: + - roles responses: '200': - content: - application/json: - examples: - copyPackExample: - summary: Example response for copying a pack - value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: false - name: my_pack_copy - policy_ids: [] - queries: - - ecs_mapping: - - key: client.port - value: - field: port - id: ports - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: [] - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Osquery_API_CopyPacksResponse' description: Indicates a successful call. - summary: Copy a pack + summary: Create or update roles tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/osquery/saved_queries: - get: - description: Get a list of all saved queries. - operationId: OsqueryFindSavedQueries + - roles + x-metaTags: + - content: Kibana + name: product_name + /api/security/session/_invalidate: + post: + description: | + Invalidate user sessions that match a query. To use this API, you must be a superuser. + operationId: post-security-session-invalidate parameters: - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. 
- in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. - in: query - name: sortOrder - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + invalidateRequestExample1: + description: Run `POST api/security/session/_invalidate` to invalidate all existing sessions. + summary: Invalidate all sessions + value: |- + { + "match" : "all" + } + invalidateRequestExample2: + description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by any SAML authentication provider. + summary: Invalidate all SAML sessions + value: |- + { + "match" : "query", + "query": { + "provider" : { "type": "saml" } + } + } + invalidateRequestExample3: + description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by the SAML authentication provider named `saml1`. + summary: Invalidate sessions for a provider + value: |- + { + "match" : "query", + "query": { + "provider" : { "type": "saml", "name": "saml1" } + } + } + invalidateRequestExample4: + description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by any OpenID Connect authentication provider for the user with the username `user@my-oidc-sso.com`. + summary: Invalidate sessions for a user + value: |- + { + "match" : "query", + "query": { + "provider" : { "type": "oidc" }, + "username": "user@my-oidc-sso.com" + } + } + schema: + type: object + properties: + match: + description: | + The method Kibana uses to determine which sessions to invalidate. If it is `all`, all existing sessions will be invalidated. If it is `query`, only the sessions that match the query will be invalidated. 
+ enum: + - all + - query + type: string + query: + description: | + The query that Kibana uses to match the sessions to invalidate when the `match` parameter is set to `query`. + type: object + properties: + provider: + description: The authentication providers that will have their user sessions invalidated. + type: object + properties: + name: + description: The authentication provider name. + type: string + type: + description: | + The authentication provide type. For example: `basic`, `token`, `saml`, `oidc`, `kerberos`, or `pki`. + type: string + required: + - type + username: + description: The username that will have its sessions invalidated. + type: string + required: + - provider + required: + - match responses: '200': content: application/json: schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindSavedQueryResponse - description: Indicates a successful call. - summary: Get saved queries + type: object + properties: + total: + description: The number of sessions that were successfully invalidated. + type: integer + description: Indicates a successful call + '403': + description: Indicates that the user may not be authorized to invalidate sessions for other users. + summary: Invalidate user sessions tags: - - Security Osquery API + - user session + x-metaTags: + - content: Kibana + name: product_name + /api/short_url: post: - description: Create and save a query for later use. - operationId: OsqueryCreateSavedQuery + description: | + Kibana URLs may be long and cumbersome, short URLs are much easier to remember and share. + Short URLs are created by specifying the locator ID and locator parameters. When a short URL is resolved, the locator ID and locator parameters are used to redirect user to the right Kibana page. 
+ operationId: post-url requestBody: content: application/json: schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody + type: object + properties: + humanReadableSlug: + description: | + When the `slug` parameter is omitted, the API will generate a random human-readable slug if `humanReadableSlug` is set to true. + type: boolean + locatorId: + description: The identifier for the locator. + type: string + params: + description: | + An object which contains all necessary parameters for the given locator to resolve to a Kibana location. + > warn + > When you create a short URL, locator params are not validated, which allows you to pass arbitrary and ill-formed data into the API that can break Kibana. Make sure any data that you send to the API is properly formed. + type: object + slug: + description: | + A custom short URL slug. The slug is the part of the short URL that identifies it. You can provide a custom slug which consists of latin alphabet letters, numbers, and `-._` characters. The slug must be at least 3 characters long, but no longer than 255 characters. + type: string + required: + - locatorId + - params required: true responses: '200': content: application/json: schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateSavedQueryResponse + $ref: '#/components/schemas/Short_URL_APIs_urlResponse' description: Indicates a successful call. - summary: Create a saved query + summary: Create a short URL tags: - - Security Osquery API - /api/osquery/saved_queries/{id}: - delete: - description: Delete a saved query using the query ID. - operationId: OsqueryDeleteSavedQuery + - short url + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/short_url/_slug/{slug}: + get: + description: | + Resolve a Kibana short URL by its slug. + operationId: resolve-url parameters: - - description: The saved query ID. + - description: The slug of the short URL. 
in: path - name: id + name: slug required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + type: string responses: '200': content: application/json: schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + $ref: '#/components/schemas/Short_URL_APIs_urlResponse' description: Indicates a successful call. - summary: Delete a saved query + summary: Resolve a short URL tags: - - Security Osquery API + - short url + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/short_url/{id}: + delete: + description: | + Delete a Kibana short URL. + operationId: delete-url + parameters: + - $ref: '#/components/parameters/Short_URL_APIs_idParam' + responses: + '200': + description: Indicates a successful call. + summary: Delete a short URL + tags: + - short url + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name get: - description: Get the details of a saved query using the query ID. - operationId: OsqueryGetSavedQueryDetails + description: | + Get a single Kibana short URL. + operationId: get-url parameters: - - description: The saved query ID. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + - $ref: '#/components/parameters/Short_URL_APIs_idParam' responses: '200': content: application/json: schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse + $ref: '#/components/schemas/Short_URL_APIs_urlResponse' description: Indicates a successful call. - summary: Get saved query details + summary: Get a short URL tags: - - Security Osquery API - put: - description: | - Update a saved query using the query ID. - > info - > You cannot update a prebuilt saved query. 
- operationId: OsqueryUpdateSavedQuery + - short url + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/spaces/_copy_saved_objects: + post: + description: 'It also allows you to automatically copy related objects, so when you copy a dashboard, this can automatically copy over the associated visualizations, data views, and saved Discover sessions, as required. You can request to overwrite any objects that already exist in the target space if they share an identifier or you can use the resolve copy saved objects conflicts API to do this on a per-object basis.

[Required authorization] Route required privileges: copySavedObjectsToSpaces.' + operationId: post-spaces-copy-saved-objects parameters: - - description: The saved query ID. - in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + example: 'true' + type: string requestBody: content: application/json: schema: - $ref: >- - #/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody - required: true + additionalProperties: false + type: object + properties: + compatibilityMode: + default: false + description: Apply various adjustments to the saved objects that are being copied to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with copied saved objects. This option cannot be used with the `createNewCopies` option. + type: boolean + createNewCopies: + default: true + description: Create new copies of saved objects, regenerate each object identifier, and reset the origin. When used, potential conflict errors are avoided. This option cannot be used with the `overwrite` and `compatibilityMode` options. + type: boolean + includeReferences: + default: false + description: When set to true, all saved objects related to the specified saved objects will also be copied into the target spaces. + type: boolean + objects: + items: + additionalProperties: false + type: object + properties: + id: + description: The identifier of the saved object to copy. + type: string + type: + description: The type of the saved object to copy. + type: string + required: + - type + - id + maxItems: 1000 + type: array + overwrite: + default: false + description: When set to true, all conflicts are automatically overridden. When a saved object with a matching type and identifier exists in the target space, that version is replaced with the version from the source space. 
This option cannot be used with the `createNewCopies` option. + type: boolean + spaces: + items: + description: The identifiers of the spaces where you want to copy the specified objects. + type: string + maxItems: 100 + type: array + required: + - spaces + - objects + examples: + copySavedObjectsRequestExample1: + $ref: '#/components/examples/copy_saved_objects_request1' + copySavedObjectsRequestExample2: + $ref: '#/components/examples/copy_saved_objects_request2' responses: '200': + description: 'OK: A successful request.' content: application/json: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse + examples: + copySavedObjectsResponseExample1: + $ref: '#/components/examples/copy_saved_objects_response1' + copySavedObjectsResponseExample2: + $ref: '#/components/examples/copy_saved_objects_response2' + copySavedObjectsResponseExample3: + $ref: '#/components/examples/copy_saved_objects_response3' + copySavedObjectsResponseExample4: + $ref: '#/components/examples/copy_saved_objects_response4' + summary: Copy saved objects between spaces + tags: + - spaces + x-metaTags: + - content: Kibana + name: product_name + /api/spaces/_disable_legacy_url_aliases: + post: + description: Disable one or more legacy URL aliases so that they no longer resolve to their target saved objects. + operationId: post-spaces-disable-legacy-url-aliases + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + aliases: + items: + additionalProperties: false + type: object + properties: + sourceId: + description: The alias source object identifier. This is the legacy object identifier. + type: string + targetSpace: + description: The space where the alias target object exists. 
+ type: string + targetType: + description: 'The type of alias target object. ' + type: string + required: + - targetSpace + - targetType + - sourceId + maxItems: 1000 + type: array + required: + - aliases + examples: + disableLegacyURLRequestExample1: + $ref: '#/components/examples/disable_legacy_url_request1' + responses: + '204': description: Indicates a successful call. - summary: Update a saved query + summary: Disable legacy URL aliases tags: - - Security Osquery API - /api/osquery/saved_queries/{id}/copy: + - spaces + x-metaTags: + - content: Kibana + name: product_name + /api/spaces/_get_shareable_references: post: - description: >- - Create a copy of a saved query with a unique name by appending a `_copy` - suffix. If the name already exists, a numeric suffix is added (e.g., - `_copy_2`). - operationId: OsqueryCopySavedQuery + description: Collect references and space contexts for saved objects. + operationId: post-spaces-get-shareable-references parameters: - - description: The ID of the saved query to copy. - in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + example: 'true' + type: string + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + objects: + items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + maxItems: 1000 + type: array + required: + - objects + examples: + getShareableReferencesRequestExample1: + $ref: '#/components/examples/get_shareable_references_request1' responses: '200': + description: Indicates a successful call. 
content: application/json: examples: - copySavedQueryExample: - summary: Example response for copying a saved query - value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query_copy - interval: '60' - platform: linux,darwin - query: select * from uptime; - removed: false - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - snapshot: true - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CopySavedQueryResponse - description: Indicates a successful call. - summary: Copy a saved query + getShareableReferencesResponseExample1: + $ref: '#/components/examples/get_shareable_references_response1' + summary: Get shareable references tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/osquery/scheduled_results/{scheduleId}/{executionCount}: - get: - description: > - Get paginated per-agent action results for a specific scheduled query - execution, with success/failure aggregation and execution metadata (pack - name, query name/text, timestamp). - operationId: OsqueryGetScheduledActionResults + - spaces + x-metaTags: + - content: Kibana + name: product_name + /api/spaces/_resolve_copy_saved_objects_errors: + post: + description: 'Overwrite saved objects that are returned as errors from the copy saved objects to space API.

[Required authorization] Route required privileges: copySavedObjectsToSpaces.' + operationId: post-spaces-resolve-copy-saved-objects-errors parameters: - - description: The schedule ID of the scheduled query. - in: path - name: scheduleId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - description: The schedule ID of the scheduled query. - example: pack_my_pack_uptime + example: 'true' type: string - - description: The execution count for this scheduled query run. - in: path - name: executionCount + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + compatibilityMode: + default: false + type: boolean + createNewCopies: + default: true + type: boolean + includeReferences: + default: false + type: boolean + objects: + items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + maxItems: 1000 + type: array + retries: + additionalProperties: + items: + additionalProperties: false + type: object + properties: + createNewCopy: + description: Creates new copies of the saved objects, regenerates each object ID, and resets the origin. + type: boolean + destinationId: + description: Specifies the destination identifier that the copied object should have, if different from the current identifier. + type: string + id: + description: The saved object identifier. + type: string + ignoreMissingReferences: + description: When set to true, any missing references errors are ignored. + type: boolean + overwrite: + default: false + description: When set to true, the saved object from the source space overwrites the conflicting object in the destination space. + type: boolean + type: + description: The saved object type. 
+ type: string + required: + - type + - id + maxItems: 1000 + type: array + type: object + required: + - retries + - objects + examples: + resolveCopySavedObjectsRequestExample1: + $ref: '#/components/examples/resolve_copy_saved_objects_request1' + resolveCopySavedObjectsRequestExample2: + $ref: '#/components/examples/resolve_copy_saved_objects_request2' + responses: + '200': + description: 'OK: A successful request.' + content: + application/json: + examples: + resolveCopySavedObjectsResponseExample1: + $ref: '#/components/examples/copy_saved_objects_response1' + resolveCopySavedObjectsResponseExample2: + $ref: '#/components/examples/copy_saved_objects_response2' + summary: Resolve conflicts copying saved objects + tags: [] + x-metaTags: + - content: Kibana + name: product_name + /api/spaces/_update_objects_spaces: + post: + description: Update one or more saved objects to add or remove them from some spaces. + operationId: post-spaces-update-objects-spaces + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - description: The execution count for this scheduled query run. - example: 3 - type: integer - - description: The kuery to filter the results by. - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. The default is 1. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. The default is 20. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field that is used to sort the results. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: Specifies the sort order. 
- in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + example: 'true' + type: string + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + objects: + items: + additionalProperties: false + type: object + properties: + id: + description: The identifier of the saved object to update. + type: string + type: + description: The type of the saved object to update. + type: string + required: + - type + - id + maxItems: 1000 + type: array + spacesToAdd: + items: + description: The identifiers of the spaces the saved objects should be added to or removed from. + type: string + maxItems: 1000 + type: array + spacesToRemove: + items: + description: The identifiers of the spaces the saved objects should be added to or removed from. + type: string + maxItems: 1000 + type: array + required: + - objects + - spacesToAdd + - spacesToRemove + examples: + updateObjectSpacesRequestExample1: + $ref: '#/components/examples/update_saved_objects_spaces_request1' responses: '200': + description: 'OK: A successful request.' content: application/json: examples: - scheduledActionResultsExample: - summary: Example scheduled action results response - value: - aggregations: - failed: 1 - pending: 0 - successful: 9 - totalResponded: 10 - totalRowCount: 42 - currentPage: 0 - edges: - - _id: result-001 - fields: - agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 - rows_count: 5 - status: success - metadata: - executionCount: 3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - timestamp: '2024-07-26T09:00:00.000Z' - pageSize: 20 - total: 10 - totalPages: 1 - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_GetScheduledActionResultsResponse - description: Indicates a successful call. 
- summary: Get scheduled action results + updateObjectSpacesResponseExample1: + $ref: '#/components/examples/update_saved_objects_spaces_response1' + summary: Update saved objects in spaces tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results: + - spaces + x-metaTags: + - content: Kibana + name: product_name + /api/spaces/space: get: - description: > - Get paginated query result rows (the actual osquery output data) for a - specific scheduled query execution. - operationId: OsqueryGetScheduledQueryResults + description: Retrieve all available Kibana spaces. The list includes only the spaces that the user is authorized to access. + operationId: get-spaces-space parameters: - - description: The schedule ID of the scheduled query. - in: path - name: scheduleId - required: true - schema: - description: The schedule ID of the scheduled query. - example: pack_my_pack_uptime - type: string - - description: The execution count for this scheduled query run. - in: path - name: executionCount - required: true - schema: - description: The execution count for this scheduled query run. - example: 3 - type: integer - - description: The kuery to filter the results by. - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. The default is 1. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. The default is 20. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field that is used to sort the results. + - description: Specifies which authorization checks are applied to the API call. The default value is `any`. 
in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: Specifies the sort order. - in: query - name: sortOrder + name: purpose required: false schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - - description: The start date filter (ISO 8601) to narrow down results. + enum: + - any + - copySavedObjectsIntoSpace + - shareSavedObjectsIntoSpace + type: string + - description: When enabled, the API returns any spaces the user is authorized to access in any capacity, each including the purposes for which the user is authorized. This is useful for identifying spaces the user can read but is not authorized for a given purpose. Without the security plugin, this parameter has no effect, because no authorization checks are performed. This parameter cannot be used together with the `purpose` parameter. in: query - name: startDate + name: include_authorized_purposes required: false schema: - description: The start date filter (ISO 8601) to narrow down results. - example: '2024-01-01T00:00:00Z' - type: string + type: boolean responses: '200': + description: Indicates a successful call. content: application/json: examples: - scheduledQueryResultsExample: - summary: Example scheduled query results response - value: - data: - edges: - - _id: row-001 - fields: - host.uptime: - - '12345' - - _id: row-002 - fields: - host.uptime: - - '67890' - total: 2 - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_GetScheduledQueryResultsResponse - description: Indicates a successful call. 
- summary: Get scheduled query results + getSpacesResponseExample1: + $ref: '#/components/examples/get_spaces_response1' + getSpacesResponseExample2: + $ref: '#/components/examples/get_spaces_response2' + summary: Get all spaces tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/pinned_event: - patch: - description: Pin/unpin an event to/from an existing Timeline. - operationId: PersistPinnedEventRoute - requestBody: - content: - application/json: - examples: - pinEvent: - summary: Pin an event - value: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + - spaces + x-metaTags: + - content: Kibana + name: product_name + post: + description: Create a new Kibana space. + operationId: post-spaces-space + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: schema: + additionalProperties: false type: object properties: - eventId: - description: The `_id` of the associated event for this pinned event. - example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + _reserved: + type: boolean + color: + description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. type: string - pinnedEventId: - description: The `savedObjectId` of the pinned event you want to unpin. - example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 - nullable: true + description: + description: A description for the space. type: string - timelineId: - description: >- - The `savedObjectId` of the timeline that you want this - pinned event unpinned from. - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + disabledFeatures: + default: [] + items: + description: The list of features that are turned off in the space. 
+ type: string + maxItems: 100 + type: array + id: + description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. + type: string + imageUrl: + description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. + type: string + initials: + description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. + maxLength: 2 + type: string + name: + description: 'The display name for the space. ' + minLength: 1 + type: string + projectRouting: + description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. + type: string + solution: + enum: + - security + - oblt + - es + - classic type: string required: - - eventId - - timelineId - description: The pinned event to add or unpin, along with additional metadata. 
- required: true + - id + - name + examples: + createSpaceRequest: + $ref: '#/components/examples/create_space_request' responses: '200': content: application/json: - examples: - pinnedSaved: - summary: Pinned event saved object - value: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - pinnedEventId: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzQ2LDFe - unpinned: - summary: Unpin response - value: - unpinned: true schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistPinnedEventResponse + additionalProperties: false + type: object + properties: + _reserved: + type: boolean + color: + description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. + type: string + description: + description: A description for the space. + type: string + disabledFeatures: + default: [] + items: + description: The list of features that are turned off in the space. + type: string + maxItems: 100 + type: array + id: + description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. + type: string + imageUrl: + description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. + type: string + initials: + description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. + maxLength: 2 + type: string + name: + description: 'The display name for the space. 
' + minLength: 1 + type: string + projectRouting: + description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. + type: string + solution: + enum: + - security + - oblt + - es + - classic + type: string + required: + - id + - name + examples: + createSpaceResponseExample: + $ref: '#/components/examples/get_space_response' description: Indicates a successful call. - summary: Pin/unpin an event + summary: Create a space tags: - - Security Timeline API - - access:securitySolution - /api/risk_score/engine/dangerously_delete_data: + - spaces + x-metaTags: + - content: Kibana + name: product_name + /api/spaces/space/{id}: delete: - description: >- - Cleaning up the the Risk Engine by removing the indices, mapping and - transforms - operationId: CleanUpRiskEngine + description: When you delete a space, all saved objects that belong to the space are automatically deleted, which is permanent and cannot be undone. + operationId: delete-spaces-space-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The space identifier. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '404': + description: Indicates that the request failed. + summary: Delete a space + tags: + - spaces + x-metaTags: + - content: Kibana + name: product_name + get: + description: Retrieve a single Kibana space by its identifier. + operationId: get-spaces-space-id + parameters: + - description: The space identifier. + in: path + name: id + required: true + schema: + type: string responses: '200': + description: Indicates a successful call. 
content: application/json: examples: - CleanUpRiskEngineResponse: - summary: Successful cleanup response - value: - cleanup_successful: true - schema: - type: object - properties: - cleanup_successful: - type: boolean - description: Successful response - '400': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse - description: Task manager is unavailable - default: - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse - description: Unexpected error - summary: Cleanup the Risk Engine + getSpaceResponseExample: + $ref: '#/components/examples/get_space_response' + summary: Get a space tags: - - Security Entity Analytics API - /api/risk_score/engine/saved_object/configure: - patch: - description: Configuring the Risk Engine Saved Object - operationId: ConfigureRiskEngineSavedObject + - spaces + x-metaTags: + - content: Kibana + name: product_name + put: + description: Update an existing Kibana space. + operationId: put-spaces-space-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The space identifier. You are unable to change the ID with the update operation. 
+ in: path + name: id + required: true + schema: + type: string requestBody: content: application/json: - examples: - ConfigureRiskEngineSavedObjectRequest: - summary: Configure the risk engine saved object - value: - enable_reset_to_zero: false - exclude_alert_statuses: - - closed - exclude_alert_tags: - - low-priority - filters: - - entity_types: - - host - - user - filter: 'host.name: *' - range: - end: now - start: now-30d schema: + additionalProperties: false type: object properties: - enable_reset_to_zero: + _reserved: type: boolean - exclude_alert_statuses: - items: - type: string - type: array - exclude_alert_tags: + color: + description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. + type: string + description: + description: A description for the space. + type: string + disabledFeatures: + default: [] items: + description: The list of features that are turned off in the space. type: string + maxItems: 100 type: array - filters: - items: - type: object - properties: - entity_types: - items: - enum: - - host - - user - - service - type: string - type: array - filter: - description: KQL filter string - type: string - required: - - entity_types - - filter - type: array - range: - type: object - properties: - end: - type: string - start: - type: string - required: true + id: + description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. + type: string + imageUrl: + description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. 
+ type: string + initials: + description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. + maxLength: 2 + type: string + name: + description: 'The display name for the space. ' + minLength: 1 + type: string + projectRouting: + description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. + type: string + solution: + enum: + - security + - oblt + - es + - classic + type: string + required: + - id + - name + examples: + updateSpaceRequest: + $ref: '#/components/examples/update_space_request' + responses: + '200': + description: Indicates a successful call. + summary: Update a space + tags: + - spaces + x-metaTags: + - content: Kibana + name: product_name + /api/status: + get: + operationId: get-status + parameters: + - description: Set to "true" to get the response in v7 format. + in: query + name: v7format + required: false + schema: + type: boolean + - description: Set to "true" to get the response in v8 format. + in: query + name: v8format + required: false + schema: + type: boolean responses: '200': - content: - application/json: - examples: - ConfigureRiskEngineSavedObjectResponse: - summary: Successful configuration response - value: - risk_engine_saved_object_configured: true - schema: - type: object - properties: - risk_engine_saved_object_configured: - type: boolean - description: Successful response - '400': content: application/json: schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse - description: Task manager is unavailable - default: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse' + description: Kibana's operational status. A minimal response is sent for unauthorized users. 
+ description: Overall status is OK and Kibana should be functioning normally. + '503': content: application/json: schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse - description: Unexpected error - summary: Configure the Risk Engine Saved Object + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse' + description: Kibana's operational status. A minimal response is sent for unauthorized users. + description: Kibana or some of it's essential services are unavailable. Kibana may be degraded or unavailable. + summary: Get Kibana's current status tags: - - Security Entity Analytics API - /api/risk_score/engine/schedule_now: - post: - description: >- - Schedule the risk scoring engine to run as soon as possible. You can use - this to recalculate entity risk scores after updating their asset - criticality. - operationId: ScheduleRiskEngineNow + - system + x-metaTags: + - content: Kibana + name: product_name + /api/streams: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches list of all streams

[Required authorization] Route required privileges: read_stream. + operationId: get-streams + parameters: [] requestBody: content: - application/json: {} + application/json: + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - ScheduleRiskEngineNowResponse: - summary: Successful schedule response + listStreams: value: - success: true - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse - description: Successful response - '400': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse - description: Task manager is unavailable - default: - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse - description: Unexpected error - summary: Run the risk scoring engine + streams: + - description: Root logs stream + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: [] + updated_at: '2025-01-10T08:00:00.000Z' + settings: {} + wired: + fields: + '@timestamp': + type: date + log.level: + type: keyword + message: + type: match_only_text + routing: + - destination: logs.nginx + status: enabled + where: + eq: nginx + field: host.name + name: logs + type: wired + updated_at: '2025-01-10T08:00:00.000Z' + - description: Web server access logs, routed by severity + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: [] + updated_at: '2025-01-15T10:30:00.000Z' + settings: {} + wired: + fields: + host.name: + type: keyword + http.response.status_code: + type: long + message: + type: match_only_text + routing: + - destination: logs.nginx.errors + status: enabled + where: + field: http.response.status_code + gte: 500 + name: logs.nginx + type: wired + updated_at: '2025-01-15T10:30:00.000Z' + 
- description: Legacy application logs + ingest: + classic: {} + failure_store: + disabled: {} + lifecycle: + dsl: + data_retention: 30d + processing: + steps: + - action: grok + from: message + ignore_missing: true + patterns: + - '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log.level} %{GREEDYDATA:message}' + updated_at: '2024-12-01T09:00:00.000Z' + settings: {} + name: logs-myapp-default + type: classic + updated_at: '2024-12-01T09:00:00.000Z' + - description: All error-level logs across every stream + name: logs.errors + query: + esql: FROM logs* | WHERE log.level == "error" + view: logs.errors-view + type: query + updated_at: '2025-01-20T14:00:00.000Z' + summary: Get stream list tags: - - Security Entity Analytics API - /api/saved_objects/_bulk_create: + - streams + x-state: Technical Preview; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/_disable: post: - deprecated: true - description: > - Create multiple Kibana saved objects. + description: |- + **Spaces method and path for this operation:** +
post /s/{space_id}/api/streams/_disable
- WARNING: This API is intended to be removed in a future Elastic stack - version. Consider using the import API for your use case. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - NOTE: For forward compatibility, include `coreMigrationVersion` and - `typeMigrationVersion` when creating saved objects outside of Kibana or - when persisting raw saved objects outside of Kibana. - operationId: bulkCreateSavedObjects + Disables wired streams and deletes all existing stream definitions. The data of wired streams is deleted, but the data of classic streams is preserved.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-disable parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - - description: When true, overwrites the document with the same identifier. - in: query - name: overwrite + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - type: boolean + example: 'true' + type: string requestBody: content: application/json: schema: - items: - type: object - properties: - coreMigrationVersion: - description: > - The Kibana version that last migrated this document. When - creating saved objects outside of Kibana, preserve this - field to retain forward compatibility. - type: string - typeMigrationVersion: - description: > - The type version that last migrated this document. When - creating saved objects outside of Kibana, preserve this - field to retain forward compatibility. - type: string - type: array - required: true - responses: - '200': - content: - application/json: - schema: - type: object - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request - summary: Create saved objects + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: {} + summary: Disable streams tags: - - saved objects - /api/saved_objects/_bulk_delete: + - streams + x-state: Technical Preview; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/_enable: post: - deprecated: true - description: > - WARNING: When you delete a saved object, it cannot be recovered. + description: |- + **Spaces method and path for this operation:** +
post /s/{space_id}/api/streams/_enable
- WARNING: This API is intended to be removed in a future Elastic stack - version. There is currently no alternative API for all use cases - supported by this API. Once alternative APIs are provided in a future - Elastic version, it will be possible to migrate away from this API. - operationId: bulkDeleteSavedObjects + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Enables wired streams

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-enable parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - - description: > - When true, force delete objects that exist in multiple namespaces. - Note that the option applies to the whole request. Use the delete - object API to specify per-object deletion behavior. TIP: Use this if - you attempted to delete objects and received an HTTP 400 error with - the following message: "Unable to delete saved object that exists in - multiple namespaces, use the force option to delete it anyway". - WARNING: When you bulk delete objects that exist in multiple - namespaces, the API also deletes legacy url aliases that reference - the object. These requests are batched to minimise the impact but - they can place a heavy load on Kibana. Make sure you limit the - number of objects that exist in multiple namespaces in a single bulk - delete operation. - in: query - name: force + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - type: boolean + example: 'true' + type: string requestBody: content: application/json: schema: - items: - type: object - type: array - required: true - responses: - '200': - content: - application/json: - schema: - type: object - description: > - Indicates a successful call. NOTE: This HTTP response code indicates - that the bulk operation succeeded. Errors pertaining to individual - objects will be returned in the response body. 
- '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request - summary: Delete saved objects + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: {} + summary: Enable streams tags: - - saved objects - /api/saved_objects/_bulk_get: + - streams + x-state: Technical Preview; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/_resync: post: - deprecated: true - description: > - Retrieve multiple Kibana saved objects by identifier. + description: |- + **Spaces method and path for this operation:** +
post /s/{space_id}/api/streams/_resync
- WARNING: This API is intended to be removed in a future Elastic stack - version. Consider using the export API for your use case. - operationId: bulkGetSavedObjects + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Resyncs all streams, making sure that Elasticsearch assets are up to date

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-resync parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: schema: - items: - type: object - type: array - required: true + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: {} + summary: Resync streams + tags: + - streams + x-state: Technical Preview; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/streams/{name}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Deletes a stream definition and the underlying data stream

[Required authorization] Route required privileges: manage_stream. + operationId: delete-streams-name + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: {} + summary: Delete a stream + tags: + - streams + x-state: Technical Preview; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches a stream definition and associated dashboards

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name + parameters: + - in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: - schema: - type: object - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request - summary: Get saved objects + examples: + getWiredStream: + value: + dashboards: [] + data_stream_exists: true + effective_failure_store: + disabled: {} + from: logs + effective_lifecycle: + dsl: + data_retention: 7d + from: logs + effective_settings: {} + inherited_fields: + '@timestamp': + from: logs + type: date + log.level: + from: logs + type: keyword + privileges: + create_snapshot_repository: false + lifecycle: true + manage: true + manage_failure_store: true + monitor: true + read_failure_store: true + simulate: true + text_structure: true + view_index_metadata: true + queries: [] + rules: [] + stream: + description: Web server access logs, routed by severity + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: [] + updated_at: '2025-01-15T10:30:00.000Z' + settings: {} + wired: + fields: + host.name: + type: keyword + http.response.status_code: + type: long + message: + type: match_only_text + routing: + - destination: logs.nginx.errors + status: enabled + where: + field: http.response.status_code + gte: 500 + name: logs.nginx + type: wired + updated_at: '2025-01-15T10:30:00.000Z' + summary: Get a stream tags: - - saved objects - /api/saved_objects/_bulk_resolve: + - streams + x-state: Technical Preview; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + 
+
put /s/{space_id}/api/streams/{name}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates or updates a stream definition. Classic streams can not be created through this API, only updated

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-name + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + createQueryStream: + value: + dashboards: [] + queries: [] + rules: [] + stream: + description: All error-level logs across every stream + query: + esql: FROM logs* | WHERE log.level == "error" + view: logs.errors-view + type: query + createWiredStream: + value: + dashboards: [] + queries: [] + rules: [] + stream: + description: Web server access logs, routed by severity + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: [] + settings: {} + wired: + fields: + host.name: + type: keyword + http.response.status_code: + type: long + message: + type: match_only_text + routing: + - destination: logs.nginx.errors + status: enabled + where: + field: http.response.status_code + gte: 500 + type: wired + updateClassicStream: + value: + dashboards: [] + queries: [] + rules: [] + stream: + description: Legacy application logs managed as a classic data stream + ingest: + classic: {} + failure_store: + disabled: {} + lifecycle: + dsl: + data_retention: 30d + processing: + steps: + - action: grok + from: message + ignore_missing: true + patterns: + - '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log.level} %{GREEDYDATA:message}' + settings: {} + type: classic + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamUpsertRequest' + responses: {} + summary: Create or update a stream + tags: + - streams + x-state: Technical Preview; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/_fork: post: - deprecated: true - description: > - Retrieve multiple Kibana saved objects by identifier using any legacy - URL 
aliases if they exist. Under certain circumstances when Kibana is - upgraded, saved object migrations may necessitate regenerating some - object IDs to enable new features. When an object's ID is regenerated, a - legacy URL alias is created for that object, preserving its old ID. In - such a scenario, that object can be retrieved by the bulk resolve API - using either its new ID or its old ID. - - - WARNING: This API is intended to be removed in a future Elastic stack - version. Consider using the export API for your use case. - operationId: bulkResolveSavedObjects + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/_fork
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Forks a wired stream and creates a child stream

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-name-fork parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: name + required: true + schema: + type: string requestBody: content: application/json: + examples: + forkStream: + value: + status: enabled + stream: + name: logs.nginx.errors + where: + eq: '500' + field: http.response.status_code schema: - items: - type: object - type: array - required: true - responses: - '200': - content: - application/json: - schema: - type: object - description: > - Indicates a successful call. NOTE: This HTTP response code indicates - that the bulk operation succeeded. Errors pertaining to individual - objects will be returned in the response body. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request - summary: Resolve saved objects + additionalProperties: false + type: object + properties: + draft: + type: boolean + status: + enum: + - enabled + - disabled + type: string + stream: + additionalProperties: false + type: object + properties: + name: + type: string + required: + - name + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + required: + - stream + - where + responses: {} + summary: Fork a stream tags: - - saved objects - /api/saved_objects/_bulk_update: - post: - deprecated: true - description: > - Update the attributes for multiple Kibana saved objects. + - streams + x-state: Technical Preview; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/_ingest: + get: + description: |- + **Spaces method and path for this operation:** +
get /s/{space_id}/api/streams/{name}/_ingest
- WARNING: This API is intended to be removed in a future Elastic stack - version. Consider using the import API for your use case. - operationId: bulkUpdateSavedObjects + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches the ingest settings of an ingest stream definition

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name-ingest parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - in: path + name: name + required: true + schema: + type: string requestBody: content: application/json: schema: - items: - type: object - type: array - required: true + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: - schema: - type: object - description: > - Indicates a successful call. NOTE: This HTTP response code indicates - that the bulk operation succeeded. Errors pertaining to individual - objects will be returned in the response body. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request - summary: Update saved objects + examples: + getWiredIngest: + value: + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: + - action: grok + from: message + ignore_missing: false + patterns: + - '%{IPORHOST:client.ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:@timestamp}\] "%{WORD:http.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}" %{NUMBER:http.response.status_code:int} (?:%{NUMBER:http.response.body.bytes:int}|-)' + updated_at: '2025-01-15T10:30:00.000Z' + settings: {} + wired: + fields: + client.ip: + type: ip + http.method: + type: keyword + http.response.body.bytes: + type: long + http.response.status_code: + type: long + url.original: + type: wildcard + routing: + - destination: logs.nginx.errors + status: enabled + where: + field: http.response.status_code + gte: 500 + summary: Get ingest stream settings tags: - - saved objects - /api/saved_objects/_find: - get: - deprecated: true - description: > - Retrieve a paginated set of Kibana saved objects. 
+ - streams + x-state: Technical Preview; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** +
put /s/{space_id}/api/streams/{name}/_ingest
- WARNING: This API is intended to be removed in a future Elastic stack - version. Consider using the export API for your use case. - operationId: findSavedObjects + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upserts the ingest settings of an ingest stream definition

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-name-ingest parameters: - - description: > - An aggregation structure, serialized as a string. The field format - is similar to filter, meaning that to use a saved object type - attribute in the aggregation, the `savedObjectType.attributes.title: - "myTitle"` format must be used. For root fields, the syntax is - `savedObjectType.rootField`. NOTE: As objects change in Kibana, the - results on each page of the response also change. Use the find API - for traditional paginated results, but avoid using it to export - large amounts of data. - in: query - name: aggs - schema: - type: string - - description: The default operator to use for the `simple_query_string`. - in: query - name: default_search_operator - schema: - type: string - - description: The fields to return in the attributes key of the response. - in: query - name: fields - schema: - oneOf: - - type: string - - type: array - - description: > - The filter is a KQL string with the caveat that if you filter with - an attribute from your saved object type, it should look like that: - `savedObjectType.attributes.title: "myTitle"`. However, if you use a - root attribute of a saved object such as `updated_at`, you will have - to define your filter like that: `savedObjectType.updated_at > - 2018-12-22`. - in: query - name: filter - schema: - type: string - - description: >- - Filters to objects that do not have a relationship with the type and - identifier combination. - in: query - name: has_no_reference - schema: - type: object - - description: >- - The operator to use for the `has_no_reference` parameter. Either - `OR` or `AND`. Defaults to `OR`. 
- in: query - name: has_no_reference_operator + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: >- - Filters to objects that have a relationship with the type and ID - combination. - in: query - name: has_reference - schema: - type: object - - description: >- - The operator to use for the `has_reference` parameter. Either `OR` - or `AND`. Defaults to `OR`. - in: query - name: has_reference_operator + - in: path + name: name + required: true schema: type: string - - description: The page of objects to return. - in: query - name: page - schema: - type: integer - - description: The number of objects to return per page. - in: query - name: per_page - schema: - type: integer - - description: >- - An Elasticsearch `simple_query_string` query that filters the - objects in the response. - in: query - name: search + requestBody: + content: + application/json: + examples: + upsertWiredIngest: + value: + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: + - action: grok + from: message + ignore_missing: false + patterns: + - '%{IPORHOST:client.ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:@timestamp}\] "%{WORD:http.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}" %{NUMBER:http.response.status_code:int} (?:%{NUMBER:http.response.body.bytes:int}|-)' + settings: {} + wired: + fields: + client.ip: + type: ip + http.method: + type: keyword + http.response.body.bytes: + type: long + http.response.status_code: + type: long + url.original: + type: wildcard + routing: + - destination: logs.nginx.errors + status: enabled + where: + eq: '500' + field: http.response.status_code + schema: + additionalProperties: false + type: object + properties: + ingest: + anyOf: + - additionalProperties: false + type: object + properties: + failure_store: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' + lifecycle: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' + processing: + additionalProperties: false + type: object + properties: + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + updated_at: {} + required: + - steps + settings: + additionalProperties: false + type: object + properties: + index.number_of_replicas: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.number_of_shards: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.refresh_interval: + additionalProperties: false + type: object + properties: + value: + anyOf: + - type: string + - enum: + - -1 + type: number + required: + - value + wired: + additionalProperties: false + type: object + properties: + draft: + type: boolean + fields: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinition' + routing: + items: + type: object + properties: + destination: + description: A non-empty string. 
+ minLength: 1 + type: string + draft: + type: boolean + status: + enum: + - enabled + - disabled + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + required: + - destination + - where + type: array + required: + - fields + - routing + required: + - lifecycle + - processing + - settings + - failure_store + - wired + - additionalProperties: false + type: object + properties: + classic: + additionalProperties: false + type: object + properties: + field_overrides: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinition' + failure_store: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' + lifecycle: + $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' + processing: + additionalProperties: false + type: object + properties: + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + updated_at: {} + required: + - steps + settings: + additionalProperties: false + type: object + properties: + index.number_of_replicas: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.number_of_shards: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.refresh_interval: + additionalProperties: false + type: object + properties: + value: + anyOf: + - type: string + - enum: + - -1 + type: number + required: + - value + required: + - lifecycle + - processing + - settings + - failure_store + - classic + required: + - ingest + responses: {} + summary: Update ingest stream settings + tags: + - streams + x-state: Technical Preview; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/_query: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}/_query
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches the query settings of a query stream definition

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name-query + parameters: + - in: path + name: name + required: true schema: type: string - - description: >- - The fields to perform the `simple_query_string` parsed query - against. - in: query - name: search_fields - schema: - oneOf: - - type: string - - type: array - - description: > - Sorts the response. Includes "root" and "type" fields. "root" fields - exist for all saved objects, such as "updated_at". "type" fields are - specific to an object type, such as fields returned in the - attributes key of the response. When a single type is defined in the - type parameter, the "root" and "type" fields are allowed, and - validity checks are made in that order. When multiple types are - defined in the type parameter, only "root" fields are allowed. - in: query - name: sort_field + requestBody: + content: + application/json: + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: {} + summary: Get query stream settings + tags: + - streams + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/streams/{name}/_query
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upserts the query settings of a query stream definition

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-name-query + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: The saved object types to include. - in: query - name: type + - in: path + name: name required: true schema: - oneOf: - - type: string - - type: array - responses: - '200': - content: - application/json: - schema: - type: object - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request - summary: Search for saved objects + type: string + requestBody: + content: + application/json: + examples: + upsertQueryStream: + value: + query: + esql: FROM logs* | WHERE log.level == "error" | KEEP @timestamp, message, host.name, log.level + schema: + additionalProperties: false + type: object + properties: + field_descriptions: + additionalProperties: + type: string + type: object + query: + additionalProperties: false + type: object + properties: + esql: + type: string + required: + - esql + required: + - query + responses: {} + summary: Upsert query stream settings tags: - - saved objects - /api/saved_objects/_resolve_import_errors: + - streams + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/content/export: post: - description: | - To resolve errors from the Import objects API, you can: + description: |- + **Spaces method and path for this operation:** - * Retry certain saved objects - * Overwrite specific saved objects - * Change references to different saved objects - operationId: resolveImportErrors +
post /s/{space_id}/api/streams/{name}/content/export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Exports the content associated to a stream.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-name-content-export parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - - description: > - Applies various adjustments to the saved objects that are being - imported to maintain compatibility between different Kibana - versions. When enabled during the initial import, also enable when - resolving import errors. This option cannot be used with the - `createNewCopies` option. - in: query - name: compatibilityMode - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - type: boolean - - description: > - Creates copies of the saved objects, regenerates each object ID, and - resets the origin. When enabled during the initial import, also - enable when resolving import errors. - in: query - name: createNewCopies - required: false + example: 'true' + type: string + - in: path + name: name + required: true schema: - type: boolean + type: string requestBody: content: - multipart/form-data: - examples: - resolveImportErrorsRequest: - $ref: >- - #/components/examples/Saved_objects_resolve_missing_reference_request + application/json: schema: + additionalProperties: false type: object properties: - file: - description: The same file given to the import API. - format: binary + description: + type: string + include: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ContentPackIncludedObjects' + name: + type: string + version: type: string - retries: - description: >- - The retry operations, which can specify how to resolve - different types of errors. - items: - type: object - properties: - destinationId: - description: >- - Specifies the destination ID that the imported object - should have, if different from the current ID. - type: string - id: - description: The saved object ID. 
- type: string - ignoreMissingReferences: - description: >- - When set to `true`, ignores missing reference errors. - When set to `false`, does nothing. - type: boolean - overwrite: - description: >- - When set to `true`, the source object overwrites the - conflicting destination object. When set to `false`, - does nothing. - type: boolean - replaceReferences: - description: >- - A list of `type`, `from`, and `to` used to change the - object references. - items: - type: object - properties: - from: - type: string - to: - type: string - type: - type: string - type: array - type: - description: The saved object type. - type: string - required: - - type - - id - type: array required: - - retries - required: true - responses: - '200': - content: - application/json: - examples: - resolveImportErrorsResponse: - $ref: >- - #/components/examples/Saved_objects_resolve_missing_reference_response - schema: - type: object - properties: - errors: - description: > - Specifies the objects that failed to resolve. - - - NOTE: One object can result in multiple errors, which - requires separate steps to resolve. For instance, a - `missing_references` error and a `conflict` error. - items: - type: object - type: array - success: - description: > - Indicates a successful import. When set to `false`, some - objects may not have been created. For additional - information, refer to the `errors` and `successResults` - properties. - type: boolean - successCount: - description: | - Indicates the number of successfully resolved records. - type: number - successResults: - description: > - Indicates the objects that are successfully imported, with - any metadata if applicable. - - - NOTE: Objects are only created when all resolvable errors - are addressed, including conflict and missing references. - items: - type: object - type: array - description: Indicates a successful call. 
- '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request. - summary: Resolve import errors + - name + - description + - version + - include + responses: {} + summary: Export stream content tags: - - saved objects - /api/saved_objects/{type}: + - streams + x-state: Technical Preview; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/content/import: post: - deprecated: true - description: > - Create a Kibana saved object with a randomly generated identifier. + description: |- + **Spaces method and path for this operation:** +
post /s/{space_id}/api/streams/{name}/content/import
- WARNING: This API is intended to be removed in a future Elastic stack - version. Consider using the import API for your use case. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - NOTE: For forward compatibility, include `coreMigrationVersion` and - `typeMigrationVersion` when creating saved objects outside of Kibana or - when persisting raw saved objects outside of Kibana. - operationId: createSavedObject + Links content objects to a stream.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-name-content-import parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - - $ref: '#/components/parameters/Saved_objects_saved_object_type' - - description: If true, overwrites the document with the same identifier. - in: query - name: overwrite + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - type: boolean + example: 'true' + type: string + - in: path + name: name + required: true + schema: + type: string requestBody: content: - application/json: + multipart/form-data: schema: + additionalProperties: false type: object properties: - attributes: - $ref: '#/components/schemas/Saved_objects_attributes' - coreMigrationVersion: - description: > - The Kibana version that last migrated this document. When - creating saved objects outside of Kibana, preserve this - field to retain forward compatibility. - type: string - initialNamespaces: - $ref: '#/components/schemas/Saved_objects_initial_namespaces' - references: - $ref: '#/components/schemas/Saved_objects_references' - typeMigrationVersion: - description: > - The type version that last migrated this document. When - creating saved objects outside of Kibana, preserve this - field to retain forward compatibility. + content: {} + include: type: string required: - - attributes - required: true - responses: - '200': - content: - application/json: - schema: - type: object - description: Indicates a successful call. - '409': - content: - application/json: - schema: - type: object - description: Indicates a conflict error. 
- summary: Create a saved object + - include + - content + responses: {} + summary: Import content into a stream tags: - - saved objects - /api/saved_objects/{type}/{id}: + - streams + x-state: Technical Preview; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/queries: get: - deprecated: true - description: > - Retrieve a single Kibana saved object by identifier. + description: |- + **Spaces method and path for this operation:** +
get /s/{space_id}/api/streams/{name}/queries
- WARNING: This API is intended to be removed in a future Elastic stack - version. Consider using the export API for your use case. - operationId: getSavedObject + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches all queries linked to a stream that are visible to the current user in the current space.

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name-queries parameters: - - $ref: '#/components/parameters/Saved_objects_saved_object_id' - - $ref: '#/components/parameters/Saved_objects_saved_object_type' - responses: - '200': - content: - application/json: - schema: - type: object - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request. - summary: Get a saved object + - in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: {} + summary: Get stream queries tags: - - saved objects + - streams + x-state: Technical Preview; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/queries/_bulk: post: - deprecated: true - description: > - Create a Kibana saved object and specify its identifier instead of using - a randomly generated ID. + description: |- + **Spaces method and path for this operation:** +
post /s/{space_id}/api/streams/{name}/queries/_bulk
- WARNING: This API is intended to be removed in a future Elastic stack - version. Consider using the import API for your use case. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - NOTE: For forward compatibility, include `coreMigrationVersion` and - `typeMigrationVersion` when creating saved objects outside of Kibana or - when persisting raw saved objects outside of Kibana. - operationId: createSavedObjectId + Bulk update queries of a stream. Can add new queries and delete existing ones.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-name-queries-bulk parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - - $ref: '#/components/parameters/Saved_objects_saved_object_id' - - $ref: '#/components/parameters/Saved_objects_saved_object_type' - - description: If true, overwrites the document with the same identifier. - in: query - name: overwrite + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - type: boolean + example: 'true' + type: string + - in: path + name: name + required: true + schema: + type: string requestBody: content: application/json: schema: + additionalProperties: false type: object properties: - attributes: - $ref: '#/components/schemas/Saved_objects_attributes' - coreMigrationVersion: - description: > - The Kibana version that last migrated this document. When - creating saved objects outside of Kibana, preserve this - field to retain forward compatibility. - type: string - initialNamespaces: - $ref: '#/components/schemas/Saved_objects_initial_namespaces' - references: - $ref: '#/components/schemas/Saved_objects_references' - typeMigrationVersion: - description: > - The type version that last migrated this document. When - creating saved objects outside of Kibana, preserve this - field to retain forward compatibility. - type: string - required: - - attributes - required: true - responses: - '200': - content: - application/json: - schema: - type: object - description: Indicates a successful call. - '409': - content: - application/json: - schema: - type: object - description: Indicates a conflict error. - summary: Create a saved object - tags: - - saved objects - put: - deprecated: true - description: > - Update the attributes for Kibana saved objects. 
+ operations: + items: + anyOf: + - type: object + properties: + index: + type: object + properties: + description: + default: '' + type: string + esql: + type: object + properties: + query: + type: string + required: + - query + evidence: + items: + type: string + type: array + id: + description: A non-empty string. + minLength: 1 + type: string + severity_score: + type: number + title: + description: A non-empty string. + minLength: 1 + type: string + required: + - title + - esql + - id + required: + - index + - type: object + properties: + delete: + type: object + properties: + id: + type: string + required: + - id + required: + - delete + type: array + required: + - operations + responses: {} + summary: Bulk update queries + tags: + - streams + x-state: Technical Preview; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/queries/{queryId}: + delete: + description: |- + **Spaces method and path for this operation:** +
delete /s/{space_id}/api/streams/{name}/queries/{queryId}
- WARNING: This API is intended to be removed in a future Elastic stack - version. Consider using the import API for your use case. - operationId: updateSavedObject + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Remove a query from a stream. Noop if the query is not found on the stream.

[Required authorization] Route required privileges: manage_stream. + operationId: delete-streams-name-queries-queryid parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - - $ref: '#/components/parameters/Saved_objects_saved_object_id' - - $ref: '#/components/parameters/Saved_objects_saved_object_type' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: name + required: true + schema: + type: string + - in: path + name: queryId + required: true + schema: + type: string requestBody: content: application/json: schema: - type: object - required: true - responses: - '200': - content: - application/json: - schema: - type: object - description: Indicates a successful call. - '404': - content: - application/json: - schema: - type: object - description: Indicates the object was not found. - '409': - content: - application/json: - schema: - type: object - description: Indicates a conflict error. - summary: Update a saved object + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: {} + summary: Remove a query from a stream tags: - - saved objects - /api/saved_objects/resolve/{type}/{id}: - get: - deprecated: true - description: > - Retrieve a single Kibana saved object by identifier using any legacy URL - alias if it exists. Under certain circumstances, when Kibana is - upgraded, saved object migrations may necessitate regenerating some - object IDs to enable new features. When an object's ID is regenerated, a - legacy URL alias is created for that object, preserving its old ID. In - such a scenario, that object can be retrieved using either its new ID or - its old ID. - - - WARNING: This API is intended to be removed in a future Elastic stack - version. Consider using the export API for your use case. 
- operationId: resolveSavedObject + - streams + x-state: Technical Preview; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/streams/{name}/queries/{queryId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Adds a query to a stream. Noop if the query is already present on the stream.

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-name-queries-queryid parameters: - - $ref: '#/components/parameters/Saved_objects_saved_object_id' - - $ref: '#/components/parameters/Saved_objects_saved_object_type' - responses: - '200': - content: - application/json: - schema: - type: object - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request. - summary: Resolve a saved object - tags: - - saved objects - /api/security_ai_assistant/anonymization_fields/_bulk_action: - post: - description: >- - Apply a bulk action to multiple anonymization fields. The bulk action is - applied to all anonymization fields that match the filter or to the list - of anonymization fields by their IDs. - operationId: PerformAnonymizationFieldsBulkAction + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: name + required: true + schema: + type: string + - in: path + name: queryId + required: true + schema: + type: string requestBody: content: application/json: schema: - example: - create: - - allowed: true - anonymized: false - field: host.name - - allowed: false - anonymized: true - field: user.name - delete: - ids: - - field5 - - field6 - query: 'field: host.name' - update: - - allowed: true - anonymized: false - id: field8 - - allowed: false - anonymized: true - id: field9 + additionalProperties: false type: object properties: - create: - description: Array of anonymization fields to create. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps - type: array - delete: - description: >- - Object containing the query to filter anonymization fields - and/or an array of anonymization field IDs to delete. 
+ description: + default: '' + type: string + esql: + additionalProperties: false type: object properties: - ids: - description: Array of IDs to apply the action to. - example: - - '1234' - - '5678' - items: - type: string - minItems: 1 - type: array query: - description: Query to filter the bulk action. - example: 'status: ''inactive''' type: string - update: - description: Array of anonymization fields to update. + required: + - query + evidence: items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps - type: array - responses: - '200': - content: - application/json: - example: - anonymization_fields_count: 5 - attributes: - results: - created: - - allowed: false - anonymized: true - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: host.name - id: field2 - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - deleted: - - field3 - skipped: - - id: field4 - name: user.name - skip_reason: ANONYMIZATION_FIELD_NOT_MODIFIED - updated: - - allowed: true - anonymized: false - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: url.domain - id: field8 - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - summary: - failed: 1 - skipped: 1 - succeeded: 2 - total: 5 - message: Bulk action completed successfully - status_code: 200 - success: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse - description: Indicates a successful call. - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request body - statusCode: 400 - schema: - type: object - properties: - error: - description: Error type or name. - type: string - message: - description: Detailed error message. type: string - statusCode: - description: Status code of the response. 
- type: number - description: Generic Error - summary: Apply a bulk action to anonymization fields + type: array + severity_score: + type: number + title: + description: A non-empty string. + minLength: 1 + type: string + required: + - title + - esql + responses: {} + summary: Upsert a query to a stream tags: - - Security AI Assistant API - - Bulk API - /api/security_ai_assistant/anonymization_fields/_find: + - streams + x-state: Technical Preview; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/significant_events: get: - description: Get a list of all anonymization fields. - operationId: FindAnonymizationFields + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}/significant_events
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Read the significant events

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name-significant-events parameters: - - description: Fields to return - example: - - id - - field - - anonymized - - allowed - in: query - name: fields - required: false + - in: path + name: name + required: true schema: - items: - type: string - type: array - - description: Search query - example: 'field: "user.name"' - in: query - name: filter - required: false + type: string + - in: query + name: from + required: true schema: type: string - - description: Field to sort by - example: created_at - in: query - name: sort_field - required: false + - in: query + name: to + required: true schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField - - description: Sort order - example: asc + type: string + - in: query + name: bucketSize + required: true + schema: + type: string + - description: Query string to filter significant events on metadata fields in: query - name: sort_order + name: query required: false schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - - description: Page number - example: 1 + type: string + - description: 'Search mode: keyword (BM25), semantic (vector), or hybrid (RRF). Defaults to hybrid when inference is available.' 
in: query - name: page + name: searchMode required: false schema: - default: 1 - minimum: 1 - type: integer - - description: AnonymizationFields per page - example: 20 + enum: + - keyword + - semantic + - hybrid + type: string + requestBody: + content: + application/json: + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: {} + summary: Read the significant events + tags: + - streams + x-state: Technical Preview; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/significant_events/_generate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/significant_events/_generate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Generate significant events queries based on the stream data

[Required authorization] Route required privileges: read_stream. + operationId: post-streams-name-significant-events-generate + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: name + required: true + schema: + type: string + - description: Optional connector ID. If not provided, the default AI connector from settings will be used. in: query - name: per_page + name: connectorId required: false schema: - default: 20 - minimum: 0 - type: integer - - description: >- - If true, additionally fetch all anonymization fields, otherwise - fetch only the provided page + type: string + - in: query + name: from + required: true + schema: + type: string + - in: query + name: to + required: true + schema: + type: string + - description: Number of sample documents to use for generation from the current data of stream in: query - name: all_data + name: sampleDocsSize required: false schema: - type: boolean - responses: - '200': - content: - application/json: - example: - aggregations: - anonymized: - buckets: - allowed: - doc_count: 1 - anonymized: - doc_count: 1 - denied: - doc_count: 1 - all: - - allowed: true - anonymized: true - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: user.name - id: '1' - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - data: - - allowed: true - anonymized: true - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: user.name - id: '1' - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - page: 1 - perPage: 20 - total: 100 - schema: - type: object - properties: - aggregations: - type: object - properties: - field_status: - type: object - properties: - buckets: - type: object - properties: - allowed: - type: object - properties: - doc_count: - default: 0 - type: integer 
- anonymized: - type: object - properties: - doc_count: - default: 0 - type: integer - denied: - type: object - properties: - doc_count: - default: 0 - type: integer - all: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse - type: array - data: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - required: - - page - - perPage - - total - - data - description: Successful response - '400': - content: - application/json: - example: - error: Bad Request - message: Invalid request parameters - statusCode: 400 - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - summary: Get anonymization fields + type: number + requestBody: + content: + application/json: + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: {} + summary: Generate significant events tags: - - Security AI Assistant API - - AnonymizationFields API - /api/security_ai_assistant/chat/complete: + - streams + x-state: Technical Preview; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/significant_events/_preview: post: - description: Create a model response for the given chat conversation. - operationId: ChatComplete + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/significant_events/_preview
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Preview significant event results based on a given query

[Required authorization] Route required privileges: read_stream. + operationId: post-streams-name-significant-events-preview parameters: - - description: If true, the response will not include content references. - example: false - in: query - name: content_references_disabled - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - default: false - type: boolean + example: 'true' + type: string + - in: path + name: name + required: true + schema: + type: string + - in: query + name: from + required: true + schema: + type: string + - in: query + name: to + required: true + schema: + type: string + - in: query + name: bucketSize + required: true + schema: + type: string requestBody: content: application/json: - example: - connectorId: conn-001 - conversationId: abc123 - isStream: true - langSmithApiKey: sk-abc123 - langSmithProject: security_ai_project - messages: - - content: What are some common phishing techniques? - data: - user_id: user_789 - fields_to_anonymize: - - user.name - - source.ip - role: user - model: gpt-4 - persist: true - promptId: prompt_456 - responseLanguage: en schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' - required: true + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + esql: + additionalProperties: false + type: object + properties: + query: + type: string + required: + - query + required: + - esql + required: + - query + responses: {} + summary: Preview significant events + tags: + - streams + x-state: Technical Preview; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{streamName}/attachments: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{streamName}/attachments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches all attachments linked to a stream that are visible to the current user in the current space. Optionally filter by attachment types, search query, and tags.

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-streamname-attachments + parameters: + - description: The name of the stream + in: path + name: streamName + required: true + schema: + type: string + - description: Search query to filter attachments by title + in: query + name: query + required: false + schema: + type: string + - description: Filter by attachment types (single value or array) + in: query + name: attachmentTypes + required: false + schema: + items: + enum: + - dashboard + - rule + - slo + type: string + type: array + - description: Filter by tags (single value or array) + in: query + name: tags + required: false + schema: + items: + type: string + type: array + requestBody: + content: + application/json: + examples: + listAttachmentsExample: + value: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': - content: - application/octet-stream: - schema: - format: binary - type: string - description: Indicates a successful model response call. - '400': content: application/json: - schema: - type: object - properties: - error: - description: Error type. - example: Bad Request - type: string - message: - description: Human-readable error message. - example: Invalid request payload. - type: string - statusCode: - description: HTTP status code. 
- example: 400 - type: number - description: Generic Error - summary: Create a model response + examples: + listAttachmentsResponse: + value: + attachments: + - createdAt: '2023-02-23T16:15:47.275Z' + description: Dashboard for monitoring production services + id: dashboard-123 + streamNames: + - logs.awsfirehose + - logs.nginx + tags: + - monitoring + - production + title: My Dashboard + type: dashboard + updatedAt: '2023-03-24T14:39:17.636Z' + description: Successfully retrieved attachments + summary: Get stream attachments tags: - - Security AI Assistant API - - Chat Complete API - /api/security_ai_assistant/current_user/conversations: - delete: - description: This endpoint allows users to permanently delete all conversations. - operationId: DeleteAllConversations + - streams + x-state: Technical Preview; added in 9.3.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{streamName}/attachments/_bulk: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{streamName}/attachments/_bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk update attachments linked to a stream. Can link new attachments and delete existing ones. Supports mixed attachment types in a single request.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-streamname-attachments-bulk + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream + in: path + name: streamName + required: true + schema: + type: string requestBody: content: application/json: + examples: + bulkAttachmentsExample: + value: + operations: + - index: + id: dashboard-123 + type: dashboard + - delete: + id: rule-456 + type: rule schema: + additionalProperties: false type: object properties: - excludedIds: - description: Optional list of conversation IDs to delete. - example: - - abc123 - - def456 + operations: items: - type: string + anyOf: + - type: object + properties: + index: + type: object + properties: + id: + type: string + type: + enum: + - dashboard + - rule + - slo + type: string + required: + - id + - type + required: + - index + - type: object + properties: + delete: + type: object + properties: + id: + type: string + type: + enum: + - dashboard + - rule + - slo + type: string + required: + - id + - type + required: + - delete type: array - required: false + required: + - operations responses: '200': content: application/json: - example: - success: true - schema: - type: object - properties: - failures: - items: - type: string - type: array - success: - example: true - type: boolean - totalDeleted: - example: 10 - type: number - description: >- - Indicates a successful call. The conversations were deleted - successfully. 
- '400': + examples: + bulkAttachmentsResponse: + value: + acknowledged: true + description: Successfully performed bulk operations + summary: Bulk update attachments + tags: + - streams + x-state: Technical Preview; added in 9.3.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Unlinks an attachment from a stream. Noop if the attachment is not linked to the stream.

[Required authorization] Route required privileges: manage_stream. + operationId: delete-streams-streamname-attachments-attachmenttype-attachmentid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream + in: path + name: streamName + required: true + schema: + type: string + - description: The type of the attachment + in: path + name: attachmentType + required: true + schema: + enum: + - dashboard + - rule + - slo + type: string + - description: The ID of the attachment + in: path + name: attachmentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + unlinkAttachmentExample: + value: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': content: application/json: - schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid conversation ID - type: string - statusCode: - example: 400 - type: number - description: Generic Error. This response indicates an issue with the request. - summary: Delete conversations + examples: + unlinkAttachmentResponse: + value: + acknowledged: true + description: Successfully unlinked attachment + summary: Unlink an attachment from a stream tags: - - Security AI Assistant API - - Conversation API - post: - description: >- - Create a new Security AI Assistant conversation. This endpoint allows - the user to initiate a conversation with the Security AI Assistant by - providing the required parameters. - operationId: CreateConversation + - streams + x-state: Technical Preview; added in 9.3.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Links an attachment to a stream. Noop if the attachment is already linked to the stream.

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-streamname-attachments-attachmenttype-attachmentid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream + in: path + name: streamName + required: true + schema: + type: string + - description: The type of the attachment + in: path + name: attachmentType + required: true + schema: + enum: + - dashboard + - rule + - slo + type: string + - description: The ID of the attachment + in: path + name: attachmentId + required: true + schema: + type: string requestBody: content: application/json: - example: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - excludeFromLastConversationStorage: false - messages: - - content: Hello, how can I assist you today? - role: system - timestamp: '2023-10-31T12:00:00Z' - replacements: {} - title: Security Discussion + examples: + linkAttachmentExample: + value: {} schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationCreateProps - required: true + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: - example: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - createdAt: '2023-10-31T12:01:00Z' - excludeFromLastConversationStorage: false - id: abc123 - messages: - - content: Hello, how can I assist you today? - role: system - timestamp: '2023-10-31T12:00:00Z' - replacements: {} - title: Security Discussion - updatedAt: '2023-10-31T12:01:00Z' - users: - - id: user1 - name: John Doe - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: >- - Indicates a successful call. The conversation was created - successfully. 
- '400': + examples: + linkAttachmentResponse: + value: + acknowledged: true + description: Successfully linked attachment + summary: Link an attachment to a stream + tags: + - streams + x-state: Technical Preview; added in 9.3.0 + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/monitor/test/{monitorId}: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/synthetics/monitor/test/{monitorId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Trigger an immediate test execution for the specified monitor. The response includes the generated `testRunId`. If the test encounters issues in one or more service locations, an `errors` array is also returned with details about the failures. + operationId: post-synthetics-monitor-test + parameters: + - description: The ID (config_id) of the monitor to test. + in: path + name: monitorId + required: true + schema: + type: string + responses: + '200': content: application/json: + examples: + testNowMonitorResponseExample1: + value: |- + { + "testRunId": "2bd506e5-4f9a-4aa6-a019-7988500afba0", + "errors": [ + { + "locationId": "us_central_staging", + "error": { + "status": 401, + "reason": "no auth credentials provided", + "failed_monitors": null + } + } + ] + } schema: type: object properties: - error: - example: Bad Request - type: string - message: - example: 'Missing required parameter: title' + errors: + description: Array of errors encountered while triggering the test, one per service location. + items: + type: object + properties: + error: + type: object + properties: + failed_monitors: + description: Optional list of monitors that failed at the location. + items: + type: object + nullable: true + type: array + reason: + description: Human-readable explanation of the failure. + type: string + status: + description: HTTP status code returned by the agent. + type: integer + required: + - status + - reason + - failed_monitors + locationId: + description: Identifier of the service location where the error occurred. + type: string + required: + - locationId + - error + type: array + testRunId: + description: Unique identifier for the triggered test run. type: string - statusCode: - example: 400 - type: number - description: >- - Generic Error. This response indicates an issue with the request, - such as missing required parameters or incorrect data. 
- summary: Create a conversation + required: + - testRunId + description: Test run triggered successfully. + '404': + description: Monitor not found. + summary: Trigger an on-demand test run for a monitor tags: - - Security AI Assistant API - - Conversation API - /api/security_ai_assistant/current_user/conversations/_find: + - synthetics + x-state: Generally available; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/monitors: get: - description: >- - Get a list of all conversations for the current user. This endpoint - allows users to search, filter, sort, and paginate through their - conversations. - operationId: FindConversations + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/synthetics/monitors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of monitors. + You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: get-synthetic-monitors parameters: - - description: >- - A list of fields to include in the response. If omitted, all fields - are returned. - in: query - name: fields - required: false - schema: - example: - - id - - title - - createdAt - items: - type: string - type: array - - description: >- - A search query to filter the conversations. Can match against - titles, messages, or other conversation attributes. + - description: Additional filtering criteria. in: query name: filter - required: false schema: - example: Security Issue type: string - - description: >- - The field by which to sort the results. Valid fields are - `created_at`, `title`, and `updated_at`. + - description: The locations to filter by. in: query - name: sort_field - required: false + name: locations schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindConversationsSortField - example: created_at - - description: >- - The order in which to sort the results. Can be either `asc` for - ascending or `desc` for descending. + oneOf: + - type: string + - type: array + - description: The monitor types to filter. in: query - name: sort_order - required: false + name: monitorTypes schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - example: desc - - description: The page number of the results to retrieve. Default is 1. + oneOf: + - enum: + - browser + - http + - icmp + - tcp + type: string + - type: array + - description: The page number for paginated results. in: query name: page - required: false schema: - default: 1 - example: 1 - minimum: 1 type: integer - - description: The number of conversations to return per page. Default is 20. + - description: The number of items to return per page. 
in: query name: per_page - required: false schema: - default: 20 - example: 20 - minimum: 0 type: integer - - description: >- - Whether to return conversations that the current user owns. If true, - only conversations owned by the user are returned. + - description: The projects to filter by. in: query - name: is_owner - required: false + name: projects schema: - default: false - example: true - type: boolean - responses: - '200': - content: - application/json: - schema: - type: object - properties: - data: - description: A list of conversations. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - type: array - page: - description: The current page of the results. - example: 1 - type: integer - perPage: - description: The number of results returned per page. - example: 20 - type: integer - total: - description: >- - The total number of conversations matching the filter - criteria. - example: 100 - type: integer - required: - - page - - perPage - - total - - data - description: >- - Successful response, returns a paginated list of conversations - matching the specified criteria. - '400': - content: - application/json: - schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid filter query parameter - type: string - statusCode: - example: 400 - type: number - description: >- - Generic Error. The request could not be processed due to an invalid - query parameter or other issue. - summary: Get conversations - tags: - - Security AI Assistant API - - Conversations API - /api/security_ai_assistant/current_user/conversations/{id}: - delete: - description: >- - Delete an existing conversation using the conversation ID. This endpoint - allows users to permanently delete a conversation. - operationId: DeleteConversation - parameters: - - description: The conversation's `id` value. 
- example: abc123 - in: path - name: id - required: true + oneOf: + - type: string + - type: array + - description: A free-text query string. + in: query + name: query schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - responses: - '200': - content: - application/json: - example: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - createdAt: '2023-10-31T12:01:00Z' - excludeFromLastConversationStorage: false - id: abc123 - messages: - - content: The conversation has been deleted. - role: system - timestamp: '2023-10-31T12:35:00Z' - replacements: {} - title: Deleted Security Discussion - updatedAt: '2023-10-31T12:01:00Z' - users: - - id: user1 - name: John Doe - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: >- - Indicates a successful call. The conversation was deleted - successfully. - '400': - content: - application/json: - schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid conversation ID - type: string - statusCode: - example: 400 - type: number - description: Generic Error. This response indicates an issue with the request. - summary: Delete a conversation - tags: - - Security AI Assistant API - - Conversation API - get: - description: >- - Get the details of an existing conversation using the conversation ID. - This allows users to fetch the specific conversation data by its unique - ID. - operationId: ReadConversation - parameters: - - description: >- - The conversation's `id` value, a unique identifier for the - conversation. - example: abc123 - in: path - name: id - required: true + type: string + - description: The schedules to filter by. + in: query + name: schedules + schema: + oneOf: + - type: array + - type: string + - description: The field to sort the results by. 
+ in: query + name: sortField + schema: + enum: + - name + - createdAt + - updatedAt + - status + type: string + - description: The sort order. + in: query + name: sortOrder + schema: + enum: + - asc + - desc + type: string + - description: The status to filter by. + in: query + name: status schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + oneOf: + - type: array + - type: string + - description: Tags to filter monitors. + in: query + name: tags + schema: + oneOf: + - type: string + - type: array + - description: | + Specifies whether to apply logical AND filtering for specific fields. Accepts either a string with values "tags" or "locations" or an array containing both. + in: query + name: useLogicalAndFor + schema: + oneOf: + - enum: + - tags + - locations + type: string + - items: + enum: + - tags + - locations + type: string + type: array responses: '200': content: application/json: - example: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - createdAt: '2023-10-31T12:01:00Z' - excludeFromLastConversationStorage: false - id: abc123 - messages: - - content: Hello, how can I assist you today? - role: system - timestamp: '2023-10-31T12:00:00Z' - replacements: {} - title: Security Discussion - updatedAt: '2023-10-31T12:01:00Z' - users: - - id: user1 - name: John Doe - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: Indicates a successful call. The conversation details are returned. - '400': - content: - application/json: + examples: + getSyntheticMonitorsResponseExample1: + description: A successful response from `GET /api/synthetics/monitors?tags=prod&monitorTypes=http&locations=us-east-1&projects=project1&status=up`. 
+ value: |- + { + "page": 1, + "total": 24, + "monitors": [ + { + "type": "icmp", + "enabled": false, + "alert": { + "status": { + "enabled": true + }, + "tls": { + "enabled": true + } + }, + "schedule": { + "number": "3", + "unit": "m" + }, + "config_id": "e59142e5-1fe3-4aae-b0b0-19d6345e65a1", + "timeout": "16", + "name": "8.8.8.8:80", + "locations": [ + { + "id": "us_central", + "label": "North America - US Central", + "geo": { + "lat": 41.25, + "lon": -95.86 + }, + "isServiceManaged": true + } + ], + "namespace": "default", + "origin": "ui", + "id": "e59142e5-1fe3-4aae-b0b0-19d6345e65a1", + "max_attempts": 2, + "wait": "7", + "revision": 3, + "mode": "all", + "ipv4": true, + "ipv6": true, + "created_at": "2023-11-07T09:57:04.152Z", + "updated_at": "2023-12-04T19:19:34.039Z", + "host": "8.8.8.8:80" + } + ], + "absoluteTotal": 24, + "perPage": 10, + } schema: type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid conversation ID - type: string - statusCode: - example: 400 - type: number - description: Generic Error. The request could not be processed due to an error. - summary: Get a conversation + description: A successful response. + summary: Get monitors tags: - - Security AI Assistant API - - Conversations API - put: - description: >- - Update an existing conversation using the conversation ID. This endpoint - allows users to modify the details of an existing conversation. - operationId: UpdateConversation - parameters: - - description: The conversation's `id` value. - example: abc123 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + - synthetics + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/synthetics/monitors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new monitor with the specified attributes. A monitor can be one of the following types: HTTP, TCP, ICMP, or Browser. The required and default fields may vary based on the monitor type. + You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: post-synthetic-monitors requestBody: content: application/json: - example: - apiConfig: - actionTypeId: '09876' - connectorId: '54321' - category: insights - excludeFromLastConversationStorage: true - messages: - - content: The issue was resolved. - role: assistant - timestamp: '2023-10-31T12:30:00Z' - replacements: {} - title: Updated Security Discussion + examples: + postSyntheticMonitorsRequestExample1: + description: Create an HTTP monitor to check a website's availability. + summary: HTTP monitor + value: |- + { + "type": "http", + "name": "Website Availability", + "url": "https://example.com", + "tags": ["website", "availability"], + "locations": ["united_kingdom"] + } + postSyntheticMonitorsRequestExample2: + description: Create a TCP monitor to monitor a server's availability. + summary: TCP monitor + value: |- + { + "type": "tcp", + "name": "Server Availability", + "host": "example.com", + "private_locations": ["my_private_location"] + } + postSyntheticMonitorsRequestExample3: + description: Create an ICMP monitor to perform ping checks. + summary: ICMP monitor + value: |- + { + "type": "icmp", + "name": "Ping Test", + "host": "example.com", + "locations": ["united_kingdom"] + } + postSyntheticMonitorsRequestExample4: + description: Create a browser monitor to check a website. 
+ summary: Browser monitor + value: |- + { + "type": "browser", + "name": "Example journey", + "inline_script": "step('Go to https://google.com.co', () => page.goto('https://www.google.com'))", + "locations": ["united_kingdom"] + } schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps + description: | + The request body should contain the attributes of the monitor you want to create. The required and default fields differ depending on the monitor type. + discriminator: + propertyName: type + oneOf: + - $ref: '#/components/schemas/Synthetics_browserMonitorFields' + - $ref: '#/components/schemas/Synthetics_httpMonitorFields' + - $ref: '#/components/schemas/Synthetics_icmpMonitorFields' + - $ref: '#/components/schemas/Synthetics_tcpMonitorFields' required: true responses: '200': content: application/json: - example: - apiConfig: - actionTypeId: '09876' - connectorId: '54321' - category: insights - createdAt: '2023-10-31T12:01:00Z' - excludeFromLastConversationStorage: true - id: abc123 - messages: - - content: The issue was resolved. - role: assistant - timestamp: '2023-10-31T12:30:00Z' - replacements: {} - title: Updated Security Discussion - updatedAt: '2023-10-31T12:31:00Z' - users: - - id: user1 - name: John Doe + examples: + postSyntheticMonitorsResponseWithWarning: + description: A response when a browser monitor specifies a timeout but has no private locations. + summary: Response with warning + value: |- + { + "type": "browser", + "name": "Example journey", + "enabled": true, + "warnings": [ + { + "id": "monitor-id", + "message": "For browser monitors, timeout is only supported on private locations. Browser monitor \"Example journey\" specifies a timeout and is running on public locations: \"public-1, public-2\". 
The timeout will have no effect on these locations.", + "publicLocationIds": ["public-1", "public-2"] + } + ] + } schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: >- - Indicates a successful call. The conversation was updated - successfully. + type: object + properties: + warnings: + description: | + An optional array of warnings about the monitor configuration. + items: + $ref: '#/components/schemas/Synthetics_monitorWarning' + type: array + description: | + A successful response. The response may include a `warnings` array when the monitor configuration has non-critical issues. For example, if a browser monitor specifies a timeout but has no private locations configured, a warning is returned indicating the timeout will have no effect. '400': content: application/json: + examples: + invalidBrowserTimeout: + description: A 400 error when a browser monitor timeout is below 30 seconds. + summary: Invalid browser timeout + value: |- + { + "statusCode": 400, + "error": "Bad Request", + "message": "Browser Monitor timeout is invalid", + "attributes": { + "details": "Invalid timeout 20 seconds supplied. Minimum timeout for browser monitors is 30 seconds." + } + } schema: type: object properties: + attributes: + type: object + properties: + details: + example: Invalid timeout 20 seconds supplied. Minimum timeout for browser monitors is 30 seconds. + type: string error: example: Bad Request type: string message: - example: 'Missing required field: title' + example: Browser Monitor timeout is invalid type: string statusCode: example: 400 - type: number - description: >- - Generic Error. This response indicates an issue with the request, - such as missing required parameters or incorrect data. - summary: Update a conversation + type: integer + description: | + Bad request. For browser monitors, a 400 error is returned if the timeout is less than 30 seconds. 
+ summary: Create a monitor tags: - - Security AI Assistant API - - Conversation API - /api/security_ai_assistant/knowledge_base: - get: - description: Read a single KB - operationId: GetKnowledgeBase + - synthetics + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/monitors/_bulk_delete: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/synthetics/monitors/_bulk_delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete multiple monitors by sending a list of config IDs. + operationId: delete-synthetic-monitors + requestBody: + content: + application/json: + examples: + bulkDeleteRequestExample1: + description: Run `POST /api/synthetics/monitors/_bulk_delete` to delete a list of monitors. + value: |- + { + "ids": [ + "monitor1-id", + "monitor2-id" + ] + } + schema: + type: object + properties: + ids: + description: An array of monitor IDs to delete. + items: + type: string + type: array + required: + - ids + required: true responses: '200': content: application/json: examples: - KnowledgeBaseReadResponse200Example2: - summary: >- - A response that returns information about the knowledge - base. - value: - defend_insights_exists: true - elser_exists: false - is_setup_available: true - is_setup_in_progress: true - product_documentation_status: installed - security_labs_exists: false - user_data_exists: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200 - description: Indicates a successful call. - '400': - content: - application/json: + deleteMonitorsResponseExample1: + description: A response from successfully deleting multiple monitors. + value: |- + [ + { + "id": "monitor1-id", + "deleted": true + }, + { + "id": "monitor2-id", + "deleted": true + } + ] schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 - description: Generic Error - summary: Read a KnowledgeBase + items: + description: The API response includes information about the deleted monitors. + type: object + properties: + deleted: + description: | + If it is `true`, the monitor was successfully deleted If it is `false`, the monitor was not deleted. + type: boolean + ids: + description: The unique identifier of the deleted monitor. + type: string + type: array + description: A successful response. 
+ summary: Delete monitors tags: - - Security AI Assistant API - - KnowledgeBase API - post: - operationId: PostKnowledgeBase + - synthetics + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/monitors/{id}: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/synthetics/monitors/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a monitor from the Synthetics app. + You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: delete-synthetic-monitor parameters: - - description: >- - ELSER modelId to use when setting up the Knowledge Base. If not - provided, a default model will be used. - example: elser-model-001 - in: query - name: modelId - required: false + - description: The identifier for the monitor that you want to delete. + in: path + name: id + required: true schema: type: string - - description: >- - Indicates whether we should or should not install Security Labs docs - when setting up the Knowledge Base. Defaults to `false`. - example: true - in: query - name: ignoreSecurityLabs - required: false + responses: + '200': + description: OK + summary: Delete a monitor + tags: + - synthetics + x-metaTags: + - content: Kibana + name: product_name + get: + operationId: get-synthetic-monitor + parameters: + - description: The ID of the monitor. + in: path + name: id + required: true schema: - default: false - type: boolean + type: string responses: '200': content: application/json: examples: - KnowledgeBaseResponse200Example2: - summary: A response that indicates that the request was successful. - value: - success: true + getSyntheticMonitorResponseExample1: + description: A successful response from `GET /api/synthetics/monitors/`. 
+ value: |- + { + "type": "http", + "enabled": true, + "alert": { + "status": { + "enabled": true + }, + "tls": { + "enabled": true + } + }, + "schedule": { + "number": "3", + "unit": "m" + }, + "config_id": "a8188705-d01e-4bb6-87a1-64fa5e4b07ec", + "timeout": "16", + "name": "am i something", + "locations": [ + { + "id": "us_central", + "label": "North America - US Central", + "geo": { + "lat": 41.25, + "lon": -95.86 + }, + "isServiceManaged": true + } + ], + "namespace": "default", + "origin": "ui", + "id": "a8188705-d01e-4bb6-87a1-64fa5e4b07ec", + "max_attempts": 2, + "__ui": { + "is_tls_enabled": false + }, + "max_redirects": "0", + "response.include_body": "on_error", + "response.include_headers": true, + "check.request.method": "GET", + "mode": "any", + "response.include_body_max_bytes": "1024", + "ipv4": true, + "ipv6": true, + "ssl.verification_mode": "full", + "ssl.supported_protocols": [ + "TLSv1.1", + "TLSv1.2", + "TLSv1.3" + ], + "revision": 13, + "created_at": "2023-11-08T08:45:29.334Z", + "updated_at": "2023-12-18T20:31:44.770Z", + "url": "https://fast.com" + } schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse - description: Indicates a successful call. - '400': - content: - application/json: - examples: - KnowledgeBaseResponse400Example2: - summary: >- - A response for a request that failed due to an invalid query - parameter value. - value: > - statusCode: 400 error: Bad Request message: "[request - query]: ignoreSecurityLabs: Invalid enum value. Expected - 'true' | 'false', received 'yes', ignoreSecurityLabs: - Expected boolean, received string" - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 - description: Generic Error - summary: Create a KnowledgeBase + type: object + description: A successful response. + '404': + description: If the monitor is not found, the API returns a 404 error. 
+ summary: Get a monitor tags: - - Security AI Assistant API - - KnowledgeBase API - /api/security_ai_assistant/knowledge_base/{resource}: - get: - description: Read a knowledge base with a specific resource identifier. - operationId: ReadKnowledgeBase + - synthetics + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/synthetics/monitors/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/synthetics/monitors/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a monitor with the specified attributes. The required and default fields may vary based on the monitor type. + You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + You can also partially update a monitor. This will only update the fields that are specified in the request body. All other fields are left unchanged. The specified fields should conform to the monitor type. For example, you can't update the `inline_scipt` field of a HTTP monitor. + operationId: put-synthetic-monitor parameters: - - description: The KnowledgeBase `resource` value. - example: kb12345 + - description: The identifier for the monitor that you want to update. in: path - name: resource + name: id required: true schema: type: string + requestBody: + content: + application/json: + examples: + putSyntheticMonitorsRequestExample1: + description: Update an HTTP monitor that checks a website's availability. + summary: HTTP monitor + value: |- + { + "type": "http", + "name": "Website Availability", + "url": "https://example.com", + "tags": ["website", "availability"], + "locations": ["united_kingdom"] + } + putSyntheticMonitorsRequestExample2: + description: Update a TCP monitor that monitors a server's availability. + summary: TCP monitor + value: |- + { + "type": "tcp", + "name": "Server Availability", + "host": "example.com", + "private_locations": ["my_private_location"] + } + putSyntheticMonitorsRequestExample3: + description: Update an ICMP monitor that performs ping checks. + summary: ICMP monitor + value: |- + { + "type": "icmp", + "name": "Ping Test", + "host": "example.com", + "locations": ["united_kingdom"] + } + putSyntheticMonitorsRequestExample4: + description: Update a browser monitor that checks a website. 
+ summary: Browser monitor + value: |- + { + "type": "browser", + "name": "Example journey", + "inline_script": "step('Go to https://google.com.co', () => page.goto('https://www.google.com'))", + "locations": ["united_kingdom"] + } + schema: + description: | + The request body should contain the attributes of the monitor you want to update. The required and default fields differ depending on the monitor type. + discriminator: + propertyName: type + oneOf: + - $ref: '#/components/schemas/Synthetics_browserMonitorFields' + - $ref: '#/components/schemas/Synthetics_httpMonitorFields' + - $ref: '#/components/schemas/Synthetics_icmpMonitorFields' + - $ref: '#/components/schemas/Synthetics_tcpMonitorFields' + type: object + required: true responses: '200': content: application/json: examples: - KnowledgeBaseReadResponse200Example1: - summary: >- - A response that returns information about the knowledge - base. - value: - defend_insights_exists: true - elser_exists: false - is_setup_available: true - is_setup_in_progress: true - product_documentation_status: installed - security_labs_exists: false - user_data_exists: true + putSyntheticMonitorResponseWithWarning: + description: A response when a browser monitor specifies a timeout but has no private locations. + summary: Response with warning + value: |- + { + "type": "browser", + "name": "Example journey", + "enabled": true, + "warnings": [ + { + "id": "monitor-id", + "message": "For browser monitors, timeout is only supported on private locations. Browser monitor \"Example journey\" specifies a timeout and is running on public locations: \"public-1, public-2\". The timeout will have no effect on these locations.", + "publicLocationIds": ["public-1", "public-2"] + } + ] + } schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200 - description: Indicates a successful call. 
+ type: object + properties: + warnings: + description: | + An optional array of warnings about the monitor configuration. + items: + $ref: '#/components/schemas/Synthetics_monitorWarning' + type: array + description: | + A successful response. The response may include a `warnings` array when the monitor configuration has non-critical issues. '400': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 - description: Generic Error - summary: Read a KnowledgeBase for a resource + description: | + Bad request. For browser monitors, a 400 error is returned if the timeout is less than 30 seconds. + summary: Update a monitor tags: - - Security AI Assistant API - - KnowledgeBase API - post: - description: Create a knowledge base with a specific resource identifier. - operationId: CreateKnowledgeBase - parameters: - - description: The KnowledgeBase `resource` value. - example: kb12345 - in: path - name: resource - required: true - schema: - type: string - - description: >- - ELSER modelId to use when setting up the Knowledge Base. If not - provided, a default model will be used. - example: elser-model-001 - in: query - name: modelId - required: false - schema: - type: string - - description: >- - Indicates whether we should or should not install Security Labs docs - when setting up the Knowledge Base. Defaults to `false`. - example: true - in: query - name: ignoreSecurityLabs - required: false - schema: - default: false - type: boolean + - synthetics + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/params: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/synthetics/params
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all parameters. You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: get-parameters responses: '200': content: application/json: examples: - KnowledgeBaseResponse200Example1: - summary: A response that indicates that the request was successful. - value: - success: true + getParametersResponseExample1: + description: A successful response for a user with read-only permissions to get a list of parameters. + summary: Read access + value: |- + [ + { + "id": "param1-id", + "key": "param1", + "description": "Description for param1", + "tags": ["tag1", "tag2"], + "namespaces": ["namespace1"] + }, + { + "id": "param2-id", + "key": "param2", + "description": "Description for param2", + "tags": ["tag3"], + "namespaces": ["namespace2"] + } + ] + getParametersResponseExample2: + description: A successful response for a user with write permissions to get a list of parameters. + summary: Write access + value: |- + [ + { + "id": "param1-id", + "key": "param1", + "description": "Description for param1", + "tags": ["tag1", "tag2"], + "namespaces": ["namespace1"], + "value": "value1" + }, + { + "id": "param2-id", + "key": "param2", + "description": "Description for param2", + "tags": ["tag3"], + "namespaces": ["namespace2"], + "value": "value2" + } + ] schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse - description: Indicates a successful call. - '400': - content: - application/json: - examples: - KnowledgeBaseResponse400Example1: - summary: >- - A response for a request that failed due to an invalid query - parameter value. - value: > - statusCode: 400 error: Bad Request message: "[request - query]: ignoreSecurityLabs: Invalid enum value. 
Expected - 'true' | 'false', received 'yes', ignoreSecurityLabs: - Expected boolean, received string" - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 - description: Generic Error - summary: Create a KnowledgeBase for a resource + items: + $ref: '#/components/schemas/Synthetics_getParameterResponse' + type: array + description: A successful response. + summary: Get parameters tags: - - Security AI Assistant API - - KnowledgeBase API - /api/security_ai_assistant/knowledge_base/entries: + - synthetics + x-metaTags: + - content: Kibana + name: product_name post: - description: Create a Knowledge Base Entry - operationId: CreateKnowledgeBaseEntry + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/synthetics/params
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Add one or more parameters to the Synthetics app. + You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: post-parameters requestBody: content: application/json: - example: - content: >- - To reset your password, go to the settings page and click 'Reset - Password'. - tags: - - password - - reset - - help - title: How to reset a password + examples: + postParametersRequestExample1: + description: Add a single parameter. + summary: Single parameter + value: |- + { + "key": "your-key-name", + "value": "your-parameter-value", + "description": "Param to use in browser monitor", + "tags": ["authentication", "security"], + "share_across_spaces": true + } + postParametersRequestExample2: + description: Add multiple parameters. + summary: Multiple parameters + value: |- + [ + { + "key": "param1", + "value": "value1" + }, + { + "key": "param2", + "value": "value2" + } + ] schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps + oneOf: + - items: + $ref: '#/components/schemas/Synthetics_parameterRequest' + type: array + - $ref: '#/components/schemas/Synthetics_parameterRequest' + description: The request body can contain either a single parameter object or an array of parameter objects. required: true responses: '200': content: application/json: - example: - content: >- - To reset your password, go to the settings page and click - 'Reset Password'. - id: '12345' - tags: - - password - - reset - - help - title: How to reset a password - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse - description: Successful request returning Knowledge Base Entries - '400': - content: - application/json: - example: - error: Invalid input - message: The 'title' field is required. 
+ examples: + postParametersResponseExample1: + description: A successful response for a single added parameter. + summary: Single parameter + value: |- + { + "id": "unique-parameter-id", + "key": "your-key-name", + "value": "your-param-value", + "description": "Param to use in browser monitor", + "tags": ["authentication", "security"], + "share_across_spaces": true + } + postParametersResponseExample2: + description: A successful response for multiple added parameters. + summary: Multiple parameters + value: |- + [ + { + "id": "param1-id", + "key": "param1", + "value": "value1" + }, + { + "id": "param2-id", + "key": "param2", + "value": "value2" + } + ] schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: >- - A generic error occurred, such as invalid input or missing required - fields. - summary: Create a Knowledge Base Entry + oneOf: + - items: + $ref: '#/components/schemas/Synthetics_postParameterResponse' + type: array + - $ref: '#/components/schemas/Synthetics_postParameterResponse' + description: A successful response. + summary: Add parameters tags: - - Security AI Assistant API - - Knowledge Base Entries API - /api/security_ai_assistant/knowledge_base/entries/_bulk_action: + - synthetics + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/params/_bulk_delete: post: - description: >- - The bulk action is applied to all Knowledge Base Entries that match the - filter or to the list of Knowledge Base Entries by their IDs. - operationId: PerformKnowledgeBaseEntryBulkAction + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/synthetics/params/_bulk_delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete parameters from the Synthetics app. + You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: delete-parameters requestBody: content: application/json: + examples: + deleteParametersRequestExample1: + description: Run `POST /api/synthetics/params/_bulk_delete` to delete multiple parameters. + value: |- + { + "ids": ["param1-id", "param2-id"] + } schema: type: object properties: - create: - description: List of Knowledge Base Entries to create. - example: - - content: This is the content of the new entry. - title: New Entry - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps - type: array - delete: - type: object - properties: - ids: - description: Array of Knowledge Base Entry IDs. - example: - - '123' - - '456' - - '789' - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter Knowledge Base Entries. - example: status:active AND category:technology - type: string - update: - description: List of Knowledge Base Entries to update. - example: - - content: Updated content. - id: '123' - title: Updated Entry + ids: + description: An array of parameter IDs to delete. 
items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps + type: string type: array + required: true responses: '200': content: application/json: + examples: + deleteParametersResponseExample1: + value: |- + [ + { + "id": "param1-id", + "deleted": true + } + ] schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse - description: Successful bulk operation request - '400': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: Generic Error - summary: Applies a bulk action to multiple Knowledge Base Entries - tags: - - Security AI Assistant API - - Knowledge Base Entries Bulk API - /api/security_ai_assistant/knowledge_base/entries/_find: - get: - description: Finds Knowledge Base Entries that match the given query. - operationId: FindKnowledgeBaseEntries - parameters: - - description: >- - A list of fields to include in the response. If not provided, all - fields will be included. - in: query - name: fields - required: false - schema: - example: - - title - - created_at - items: - type: string - type: array - - description: Search query to filter Knowledge Base Entries by specific criteria. - in: query - name: filter - required: false - schema: - example: error handling - type: string - - description: Field to sort the Knowledge Base Entries by. - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField - example: created_at - - description: Sort order for the results, either asc or desc. - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - example: asc - - description: Page number for paginated results. Defaults to 1. 
- in: query - name: page - required: false - schema: - default: 1 - example: 2 - minimum: 1 - type: integer - - description: Number of Knowledge Base Entries to return per page. Defaults to 20. - in: query - name: per_page - required: false - schema: - default: 20 - example: 10 - minimum: 0 - type: integer - responses: - '200': - content: - application/json: - schema: - type: object - properties: - data: - description: The list of Knowledge Base Entries for the current page. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse - type: array - page: - description: The current page number. - example: 1 - type: integer - perPage: - description: The number of Knowledge Base Entries returned per page. - example: 20 - type: integer - total: - description: The total number of Knowledge Base Entries available. - example: 100 - type: integer - required: - - page - - perPage - - total - - data - description: Successful response containing the paginated Knowledge Base Entries. - '400': - content: - application/json: - schema: - type: object - properties: - error: - description: A short description of the error. - example: Bad Request - type: string - message: - description: A detailed message explaining the error. - example: 'Invalid query parameter: sort_order' - type: string - statusCode: - description: The HTTP status code of the error. - example: 400 - type: number - description: Generic Error indicating an issue with the request. - summary: Finds Knowledge Base Entries that match the given query. + items: + type: object + properties: + deleted: + description: | + Indicates whether the parameter was successfully deleted. It is `true` if it was deleted. It is `false` if it was not deleted. + type: boolean + id: + description: The unique identifier for the deleted parameter. + type: string + type: array + description: A successful response. 
+ summary: Delete parameters tags: - - Security AI Assistant API - - Knowledge Base Entries API - /api/security_ai_assistant/knowledge_base/entries/{id}: + - synthetics + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/params/{id}: delete: - description: Delete a Knowledge Base Entry by its unique `id`. - operationId: DeleteKnowledgeBaseEntry + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/synthetics/params/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a parameter from the Synthetics app. + You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: delete-parameter parameters: - - description: The unique identifier (`id`) of the Knowledge Base Entry to delete. - example: '12345' + - description: The ID for the parameter to delete. in: path name: id required: true schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + type: string responses: '200': - content: - application/json: - example: - id: '12345' - message: Knowledge Base Entry successfully deleted. - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DeleteResponseFields - description: >- - Successful request returning the `id` of the deleted Knowledge Base - Entry. - '400': - content: - application/json: - example: - error: Not Found - message: No Knowledge Base Entry found with the provided `id`. - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: >- - A generic error occurred, such as an invalid `id` or the entry not - being found. - summary: Deletes a single Knowledge Base Entry using the `id` field + description: OK + summary: Delete a parameter tags: - - Security AI Assistant API - - Knowledge Base Entries API + - synthetics + x-metaTags: + - content: Kibana + name: product_name get: - description: Retrieve a Knowledge Base Entry by its unique `id`. - operationId: ReadKnowledgeBaseEntry + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/synthetics/params/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a parameter from the Synthetics app. + You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: get-parameter parameters: - - description: >- - The unique identifier (`id`) of the Knowledge Base Entry to - retrieve. - example: '12345' + - description: The unique identifier for the parameter. in: path name: id required: true schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + type: string responses: '200': content: application/json: - example: - content: >- - To reset your password, go to the settings page and click - 'Reset Password'. - id: '12345' - tags: - - password - - reset - - help - title: How to reset a password - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse - description: Successful request returning the requested Knowledge Base Entry. - '400': - content: - application/json: - example: - error: Not Found - message: No Knowledge Base Entry found with the provided `id`. + examples: + getParameterResponseExample1: + description: A successful response for a user with read-only permissions to get a single parameter. + summary: Read access + value: |- + { + "id": "unique-parameter-id", + "key": "your-api-key", + "description": "Param to use in browser monitor", + "tags": ["authentication", "security"], + "namespaces": ["namespace1", "namespace2"] + } + getParameterResponseExample2: + description: A successful response for a user with write permissions to get a single parameter. 
+ summary: Write access + value: |- + { + "id": "unique-parameter-id", + "key": "your-param-key", + "description": "Param to use in browser monitor", + "tags": ["authentication", "security"], + "namespaces": ["namespace1", "namespace2"], + "value": "your-param-value" + } schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: >- - A generic error occurred, such as an invalid `id` or the entry not - being found. - summary: Read a Knowledge Base Entry + $ref: '#/components/schemas/Synthetics_getParameterResponse' + description: A successful response. + summary: Get a parameter tags: - - Security AI Assistant API - - Knowledge Base Entries API + - synthetics + x-metaTags: + - content: Kibana + name: product_name put: - description: Update an existing Knowledge Base Entry by its unique `id`. - operationId: UpdateKnowledgeBaseEntry + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/synthetics/params/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a parameter in the Synthetics app. + You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: put-parameter parameters: - - description: The unique identifier (`id`) of the Knowledge Base Entry to update. - example: '12345' + - description: The unique identifier for the parameter. in: path name: id required: true schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + type: string requestBody: content: application/json: - example: - content: >- - To reset your password, go to the settings page, click 'Reset - Password', and follow the instructions. - tags: - - password - - reset - - help - - update - title: How to reset a password (updated) + examples: + putParameterRequestExample1: + value: |- + { + "key": "updated_param_key", + "value": "updated-param-value", + "description": "Updated Param to be used in browser monitor", + "tags": ["authentication", "security", "updated"] + } schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps + type: object + properties: + description: + description: The updated description of the parameter. + type: string + key: + description: The key of the parameter. + type: string + tags: + description: An array of updated tags to categorize the parameter. + items: + type: string + type: array + value: + description: The updated value associated with the parameter. + type: string + description: The request body cannot be empty; at least one attribute is required. required: true responses: '200': content: application/json: - example: - content: >- - To reset your password, go to the settings page, click 'Reset - Password', and follow the instructions. 
- id: '12345' - tags: - - password - - reset - - help - - update - title: How to reset a password (updated) + examples: + putParameterResponseExample1: + value: |- + { + "id": "param_id1", + "key": "updated_param_key", + "value": "updated-param-value", + "description": "Updated Param to be used in browser monitor", + "tags": ["authentication", "security", "updated"] + } schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse - description: Successful request returning the updated Knowledge Base Entry. - '400': + type: object + description: A successful response. + summary: Update a parameter + tags: + - synthetics + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/private_locations: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/synthetics/private_locations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of private locations. + You must have `read` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. + operationId: get-private-locations + responses: + '200': content: application/json: - example: - error: Invalid input - message: The 'content' field cannot be empty. + examples: + getPrivateLocationsResponseExample1: + value: |- + [ + { + "label": "Test private location", + "id": "fleet-server-policy", + "agentPolicyId": "fleet-server-policy", + "isInvalid": false, + "geo": { + "lat": 0, + "lon": 0 + }, + "namespace": "default" + }, + { + "label": "Test private location 2", + "id": "691225b0-6ced-11ee-8f5a-376306ee85ae", + "agentPolicyId": "691225b0-6ced-11ee-8f5a-376306ee85ae", + "isInvalid": false, + "geo": { + "lat": 0, + "lon": 0 + }, + "namespace": "test" + } + ] schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: >- - A generic error occurred, such as invalid input or the entry not - being found. - summary: Update a Knowledge Base Entry + items: + $ref: '#/components/schemas/Synthetics_getPrivateLocation' + type: array + description: A successful response. + summary: Get private locations tags: - - Security AI Assistant API - - Knowledge Base Entries API - /api/security_ai_assistant/prompts/_bulk_action: + - synthetics + x-metaTags: + - content: Kibana + name: product_name post: - description: >- - Apply a bulk action to multiple prompts. The bulk action is applied to - all prompts that match the filter or to the list of prompts by their - IDs. This action allows for bulk create, update, or delete operations. - operationId: PerformPromptsBulkAction + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/synthetics/private_locations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. + operationId: post-private-location requestBody: content: application/json: - example: - create: - - content: Please verify the security settings. - name: New Security Prompt - promptType: system - delete: - ids: - - prompt1 - - prompt2 - update: - - content: Updated content for security prompt. - id: prompt123 + examples: + postPrivateLocationRequestExample1: + description: Run `POST /api/private_locations` to create a private location. + value: |- + { + "label": "Private Location 1", + "agentPolicyId": "abcd1234", + "tags": ["private", "testing"], + "geo": { + "lat": 40.7128, + "lon": -74.0060 + } + "spaces": ["default"] + } schema: type: object properties: - create: - description: List of prompts to be created. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptCreateProps - type: array - delete: - description: Criteria for deleting prompts in bulk. + agentPolicyId: + description: The ID of the agent policy associated with the private location. + type: string + geo: + description: Geographic coordinates (WGS84) for the location. type: object properties: - ids: - description: Array of IDs to apply the action to. - example: - - '1234' - - '5678' - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter the bulk action. - example: 'status: ''inactive''' - type: string - update: - description: List of prompts to be updated. + lat: + description: The latitude of the location. + type: number + lon: + description: The longitude of the location. + type: number + required: + - lat + - lon + label: + description: A label for the private location. + type: string + spaces: + description: | + An array of space IDs where the private location is available. 
If it is not provided, the private location is available in all spaces. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptUpdateProps + type: string + type: array + tags: + description: An array of tags to categorize the private location. + items: + type: string type: array + required: + - agentPolicyId + - label + required: true responses: '200': content: application/json: examples: - success: - value: - attributes: - errors: [] - results: - created: - - content: Please verify the security settings. - id: prompt6 - name: New Security Prompt - promptType: system - deleted: - - prompt2 - - prompt3 - skipped: - - id: prompt4 - name: Security Prompt - skip_reason: PROMPT_FIELD_NOT_MODIFIED - updated: - - content: Updated security settings prompt - id: prompt1 - name: Security Prompt - promptType: system - summary: - failed: 0 - skipped: 1 - succeeded: 4 - total: 5 - message: Bulk action completed successfully. - prompts_count: 5 - status_code: 200 - success: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse - description: Indicates a successful call with the results of the bulk action. - '400': - content: - application/json: + postPrivateLocationResponseExample1: + value: |- + { + "id": "abcd1234", + "label": "Private Location 1", + "agentPolicyId": "abcd1234", + "tags": ["private", "testing"], + "geo": { + "lat": 40.7128, + "lon": -74.0060 + } + } schema: type: object - properties: - error: - description: A short error message. - example: Bad Request - type: string - message: - description: A detailed error message. - example: Invalid prompt ID or missing required fields. - type: string - statusCode: - description: The HTTP status code for the error. - example: 400 - type: number - description: Indicates a generic error due to a bad request. - summary: Apply a bulk action to prompts + description: A successful response. 
+ '400': + description: If the `agentPolicyId` is already used by an existing private location or if the `label` already exists, the API will return a 400 Bad Request response with a corresponding error message. + summary: Create a private location tags: - - Security AI Assistant API - - Bulk API - /api/security_ai_assistant/prompts/_find: - get: - description: >- - Get a list of all prompts based on optional filters, sorting, and - pagination. - operationId: FindPrompts + - synthetics + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/private_locations/{id}: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/synthetics/private_locations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. + The API does not return a response body for deletion, but it will return an appropriate status code upon successful deletion. + A location cannot be deleted if it has associated monitors in use. You must delete all monitors associated with the location before deleting the location. + operationId: delete-private-location parameters: - - description: List of specific fields to include in each returned prompt. - in: query - name: fields - required: false - schema: - example: - - id - - name - - content - items: - type: string - type: array - - description: Search query string to filter prompts by matching fields. - in: query - name: filter - required: false + - description: The unique identifier of the private location to be deleted. + in: path + name: id + required: true schema: - example: error handling + maxLength: 1024 + minLength: 1 type: string - - description: Field to sort prompts by. - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindPromptsSortField - - description: Sort order, either asc or desc. - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - - description: Page number for pagination. - in: query - name: page - required: false - schema: - default: 1 - example: 1 - minimum: 1 - type: integer - - description: Number of prompts per page. - in: query - name: per_page - required: false + responses: + '200': + description: OK + summary: Delete a private location + tags: + - synthetics + x-metaTags: + - content: Kibana + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/synthetics/private_locations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `read` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. + operationId: get-private-location + parameters: + - description: A private location identifier or label. + in: path + name: id + required: true schema: - default: 20 - example: 20 - minimum: 0 - type: integer + type: string responses: '200': content: application/json: + examples: + getPrivateLocationResponseExample1: + value: |- + { + "label": "Test private location", + "id": "test-private-location-id", + "agentPolicyId": "test-private-location-id", + "isServiceManaged": false, + "isInvalid": false, + "geo": { + "lat": 0, + "lon": 0 + }, + "namespace": "default" + } schema: - example: - data: - - categories: - - troubleshooting - - logging - color: '#FF5733' - consumer: security - content: If you encounter an error, check the logs and retry. - createdAt: '2025-04-20T21:00:00Z' - createdBy: jdoe - id: prompt-123 - isDefault: true - isNewConversationDefault: false - name: Error Troubleshooting Prompt - namespace: default - promptType: standard - timestamp: '2025-04-30T22:30:00Z' - updatedAt: '2025-04-30T22:45:00Z' - updatedBy: jdoe - users: - - full_name: John Doe - username: jdoe - page: 1 - perPage: 20 - total: 142 - type: object - properties: - data: - description: >- - The list of prompts returned based on the search query, - sorting, and pagination. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptResponse - type: array - page: - description: Current page number. - example: 1 - type: integer - perPage: - description: Number of prompts per page. - example: 20 - type: integer - total: - description: Total number of prompts matching the query. - example: 142 - type: integer - required: - - page - - perPage - - total - - data - description: Successful response containing a list of prompts. 
- '400': - content: - application/json: - schema: - type: object - properties: - error: - description: Short error message. - example: Bad Request - type: string - message: - description: Detailed description of the error. - example: Invalid sort order value provided. - type: string - statusCode: - description: HTTP status code for the error. - example: 400 - type: number - description: Bad request due to invalid parameters or malformed query. - summary: Get prompts + $ref: '#/components/schemas/Synthetics_getPrivateLocation' + description: A successful response. + summary: Get a private location tags: - - Security AI Assistant API - - Prompts API - /api/security/session/_invalidate: - post: - description: > - Invalidate user sessions that match a query. To use this API, you must - be a superuser. - operationId: post-security-session-invalidate + - synthetics + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/synthetics/private_locations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing private location's label. + You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. + When a private location's label is updated, all monitors using this location will also be updated to maintain data consistency. + operationId: put-private-location parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The unique identifier of the private location to be updated. + in: path + name: id required: true schema: - example: 'true' type: string requestBody: content: application/json: examples: - invalidateRequestExample1: - description: >- - Run `POST api/security/session/_invalidate` to invalidate all - existing sessions. - summary: Invalidate all sessions - value: |- - { - "match" : "all" - } - invalidateRequestExample2: - description: >- - Run `POST api/security/session/_invalidate` to invalidate - sessions that were created by any SAML authentication - provider. - summary: Invalidate all SAML sessions - value: |- - { - "match" : "query", - "query": { - "provider" : { "type": "saml" } - } - } - invalidateRequestExample3: - description: >- - Run `POST api/security/session/_invalidate` to invalidate - sessions that were created by the SAML authentication provider - named `saml1`. - summary: Invalidate sessions for a provider - value: |- - { - "match" : "query", - "query": { - "provider" : { "type": "saml", "name": "saml1" } - } - } - invalidateRequestExample4: - description: >- - Run `POST api/security/session/_invalidate` to invalidate - sessions that were created by any OpenID Connect - authentication provider for the user with the username - `user@my-oidc-sso.com`. - summary: Invalidate sessions for a user + putPrivateLocationRequestExample1: + description: Update a private location's label. 
value: |- { - "match" : "query", - "query": { - "provider" : { "type": "oidc" }, - "username": "user@my-oidc-sso.com" - } + "label": "Updated Private Location Name" } schema: type: object properties: - match: - description: > - The method Kibana uses to determine which sessions to - invalidate. If it is `all`, all existing sessions will be - invalidated. If it is `query`, only the sessions that match - the query will be invalidated. - enum: - - all - - query - type: string - query: - description: > - The query that Kibana uses to match the sessions to - invalidate when the `match` parameter is set to `query`. - type: object - properties: - provider: - description: >- - The authentication providers that will have their user - sessions invalidated. - type: object - properties: - name: - description: The authentication provider name. - type: string - type: - description: > - The authentication provide type. For example: - `basic`, `token`, `saml`, `oidc`, `kerberos`, or - `pki`. - type: string - required: - - type - username: - description: The username that will have its sessions invalidated. - type: string - required: - - provider + label: + description: A new label for the private location. Must be at least 1 character long. + minLength: 1 + type: string required: - - match + - label + required: true responses: '200': content: application/json: + examples: + putPrivateLocationResponseExample1: + value: |- + { + "label": "Updated Private Location Name", + "id": "test-private-location-id", + "agentPolicyId": "test-private-location-id", + "isServiceManaged": false, + "isInvalid": false, + "tags": ["private", "testing", "updated"], + "geo": { + "lat": 37.7749, + "lon": -122.4194 + }, + "spaces": ["*"] + } schema: - type: object - properties: - total: - description: The number of sessions that were successfully invalidated. - type: integer + $ref: '#/components/schemas/Synthetics_getPrivateLocation' + description: A successful response. 
+ '400': + description: If the `label` is shorter than 1 character the API will return a 400 Bad Request response with a corresponding error message. + '404': + description: If the private location with the specified ID does not exist, the API will return a 404 Not Found response. + summary: Update a private location + tags: + - synthetics + x-metaTags: + - content: Kibana + name: product_name + /api/task_manager/_health: + get: + description: | + Get the health status of the Kibana task manager. + operationId: task-manager-health + responses: + '200': + content: + application/json: + examples: + taskManagerHealthResponse1: + $ref: '#/components/examples/Task_manager_health_APIs_health_200response' + schema: + $ref: '#/components/schemas/Task_manager_health_APIs_health_response' description: Indicates a successful call - '403': - description: >- - Indicates that the user may not be authorized to invalidate sessions - for other users. - summary: Invalidate user sessions + summary: Get the task manager health tags: - - user session - /api/short_url: - post: - description: > - Kibana URLs may be long and cumbersome, short URLs are much easier to - remember and share. + - task manager + x-metaTags: + - content: Kibana + name: product_name + /api/timeline: + delete: + description: |- + **Spaces method and path for this operation:** - Short URLs are created by specifying the locator ID and locator - parameters. When a short URL is resolved, the locator ID and locator - parameters are used to redirect user to the right Kibana page. - operationId: post-url +
delete /s/{space_id}/api/timeline
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete one or more Timelines or Timeline templates. + operationId: DeleteTimelines requestBody: content: application/json: + examples: + deleteByIds: + summary: Delete timelines by saved object id + value: + savedObjectIds: + - 15c1929b-0af7-42bd-85a8-56e234cc7c4e + deleteWithSearches: + summary: Delete Timelines and their linked saved searches + value: + savedObjectIds: + - 15c1929b-0af7-42bd-85a8-56e234cc7c4e + - 6ce1b592-84e3-4b4a-9552-f189d4b82075 + searchIds: + - 2c1b8f02-9ad6-4e33-8f6a-2c6b7d0a1f11 schema: type: object properties: - humanReadableSlug: - description: > - When the `slug` parameter is omitted, the API will generate - a random human-readable slug if `humanReadableSlug` is set - to true. - type: boolean - locatorId: - description: The identifier for the locator. - type: string - params: - description: > - An object which contains all necessary parameters for the - given locator to resolve to a Kibana location. - - > warn - - > When you create a short URL, locator params are not - validated, which allows you to pass arbitrary and ill-formed - data into the API that can break Kibana. Make sure any data - that you send to the API is properly formed. - type: object - slug: - description: > - A custom short URL slug. The slug is the part of the short - URL that identifies it. You can provide a custom slug which - consists of latin alphabet letters, numbers, and `-._` - characters. The slug must be at least 3 characters long, but - no longer than 255 characters. 
- type: string + savedObjectIds: + description: The list of IDs of the Timelines or Timeline templates to delete + items: + type: string + maxItems: 100 + type: array + searchIds: + description: Saved search IDs that should be deleted alongside the timelines + items: + type: string + maxItems: 100 + type: array required: - - locatorId - - params + - savedObjectIds + description: The IDs of the Timelines or Timeline templates to delete. required: true responses: '200': content: application/json: + examples: + success: + summary: Success + value: {} schema: - $ref: '#/components/schemas/Short_URL_APIs_urlResponse' + additionalProperties: true + type: object description: Indicates a successful call. - summary: Create a short URL + summary: Delete Timelines or Timeline templates tags: - - short url - x-state: Technical Preview - /api/short_url/_slug/{slug}: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name get: - description: | - Resolve a Kibana short URL by its slug. - operationId: resolve-url + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/timeline
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an existing saved Timeline or Timeline template. + operationId: GetTimeline parameters: - - description: The slug of the short URL. - in: path - name: slug - required: true + - description: The `savedObjectId` of the Timeline template to retrieve. + in: query + name: template_timeline_id + schema: + type: string + - description: The `savedObjectId` of the Timeline to retrieve. + in: query + name: id schema: type: string responses: '200': content: application/json: + examples: + timelineDetail: + summary: Timeline detail + value: + description: User-reported suspicious email + noteIds: [] + pinnedEventIds: [] + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Phishing investigation + version: WzE0LDFd schema: - $ref: '#/components/schemas/Short_URL_APIs_urlResponse' - description: Indicates a successful call. - summary: Resolve a short URL - tags: - - short url - x-state: Technical Preview - /api/short_url/{id}: - delete: - description: | - Delete a Kibana short URL. - operationId: delete-url - parameters: - - $ref: '#/components/parameters/Short_URL_APIs_idParam' - responses: - '200': + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' description: Indicates a successful call. - summary: Delete a short URL + summary: Get Timeline or Timeline template details tags: - - short url - x-state: Technical Preview - get: - description: | - Get a single Kibana short URL. - operationId: get-url - parameters: - - $ref: '#/components/parameters/Short_URL_APIs_idParam' + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/timeline
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing Timeline. You can update the title, description, date range, pinned events, pinned queries, and/or pinned saved queries of an existing Timeline. + operationId: PatchTimeline + requestBody: + content: + application/json: + examples: + patchTitle: + summary: Update title + value: + timeline: + title: Escalated case review + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzE0LDFd + schema: + type: object + properties: + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + description: The timeline object of the Timeline or Timeline template that you’re updating. + timelineId: + description: The `savedObjectId` of the Timeline or Timeline template that you’re updating. + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + nullable: true + type: string + version: + description: The version of the Timeline or Timeline template that you’re updating. + example: WzE0LDFd + nullable: true + type: string + required: + - timelineId + - version + - timeline + description: The Timeline updates, along with the Timeline ID and version. + required: true responses: '200': content: application/json: + examples: + patched: + summary: Updated timeline + value: + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Escalated case review + version: WzE1LDFd schema: - $ref: '#/components/schemas/Short_URL_APIs_urlResponse' + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' description: Indicates a successful call. - summary: Get a short URL - tags: - - short url - x-state: Technical Preview - /api/synthetics/monitor/test/{monitorId}: - post: - description: > - Trigger an immediate test execution for the specified monitor. The - response includes the generated `testRunId`. 
If the test encounters - issues in one or more service locations, an `errors` array is also - returned with details about the failures. - operationId: post-synthetics-monitor-test - parameters: - - description: The ID (config_id) of the monitor to test. - in: path - name: monitorId - required: true - schema: - type: string - responses: - '200': + '405': content: application/json: examples: - testNowMonitorResponseExample1: - value: |- - { - "testRunId": "2bd506e5-4f9a-4aa6-a019-7988500afba0", - "errors": [ - { - "locationId": "us_central_staging", - "error": { - "status": 401, - "reason": "no auth credentials provided", - "failed_monitors": null - } - } - ] - } + error: + summary: Error body + value: + body: update timeline error + statusCode: 405 schema: type: object properties: - errors: - description: >- - Array of errors encountered while triggering the test, one - per service location. - items: - type: object - properties: - error: - type: object - properties: - failed_monitors: - description: >- - Optional list of monitors that failed at the - location. - items: - type: object - nullable: true - type: array - reason: - description: Human-readable explanation of the failure. - type: string - status: - description: HTTP status code returned by the agent. - type: integer - required: - - status - - reason - - failed_monitors - locationId: - description: >- - Identifier of the service location where the error - occurred. - type: string - required: - - locationId - - error - type: array - testRunId: - description: Unique identifier for the triggered test run. + body: + description: The error message. + example: update timeline error type: string - required: - - testRunId - description: Test run triggered successfully. - '404': - description: Monitor not found. - summary: Trigger an on-demand test run for a monitor + statusCode: + example: 405 + type: number + description: Indicates that the user does not have the required access to create a Timeline. 
+ summary: Update a Timeline tags: - - synthetics - x-state: Generally available; added in 9.2.0 - /api/synthetics/monitors: - get: - description: > - Get a list of monitors. + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** - You must have `read` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. - operationId: get-synthetic-monitors - parameters: - - description: Additional filtering criteria. - in: query - name: filter - schema: - type: string - - description: The locations to filter by. - in: query - name: locations - schema: - oneOf: - - type: string - - type: array - - description: The monitor types to filter. - in: query - name: monitorTypes - schema: - oneOf: - - enum: - - browser - - http - - icmp - - tcp - type: string - - type: array - - description: The page number for paginated results. - in: query - name: page - schema: - type: integer - - description: The number of items to return per page. - in: query - name: per_page - schema: - type: integer - - description: The projects to filter by. - in: query - name: projects - schema: - oneOf: - - type: string - - type: array - - description: A free-text query string. - in: query - name: query - schema: - type: string - - description: The schedules to filter by. - in: query - name: schedules - schema: - oneOf: - - type: array - - type: string - - description: The field to sort the results by. - in: query - name: sortField - schema: - enum: - - name - - createdAt - - updatedAt - - status - type: string - - description: The sort order. - in: query - name: sortOrder - schema: - enum: - - asc - - desc - type: string - - description: The status to filter by. - in: query - name: status - schema: - oneOf: - - type: array - - type: string - - description: Tags to filter monitors. 
- in: query - name: tags - schema: - oneOf: - - type: string - - type: array - - description: > - Specifies whether to apply logical AND filtering for specific - fields. Accepts either a string with values "tags" or "locations" or - an array containing both. - in: query - name: useLogicalAndFor - schema: - oneOf: - - enum: - - tags - - locations - type: string - - items: - enum: - - tags - - locations +
post /s/{space_id}/api/timeline
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Timeline or Timeline template. + operationId: CreateTimelines + requestBody: + content: + application/json: + examples: + createDefault: + summary: Create a default timeline + value: + timeline: + status: active + timelineType: default + title: Malware containment + schema: + type: object + properties: + status: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' + nullable: true + templateTimelineId: + description: A unique identifier for the Timeline template. + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true type: string - type: array + templateTimelineVersion: + description: Timeline template version number. + example: 12 + nullable: true + type: number + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + timelineId: + description: A unique identifier for the Timeline. + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true + type: string + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + version: + nullable: true + type: string + required: + - timeline + description: The required Timeline fields used to create a new Timeline, along with optional fields that will be created if not provided. + required: true responses: '200': content: application/json: examples: - getSyntheticMonitorsResponseExample1: - description: >- - A successful response from `GET - /api/synthetics/monitors?tags=prod&monitorTypes=http&locations=us-east-1&projects=project1&status=up`. 
- value: |- - { - "page": 1, - "total": 24, - "monitors": [ - { - "type": "icmp", - "enabled": false, - "alert": { - "status": { - "enabled": true - }, - "tls": { - "enabled": true - } - }, - "schedule": { - "number": "3", - "unit": "m" - }, - "config_id": "e59142e5-1fe3-4aae-b0b0-19d6345e65a1", - "timeout": "16", - "name": "8.8.8.8:80", - "locations": [ - { - "id": "us_central", - "label": "North America - US Central", - "geo": { - "lat": 41.25, - "lon": -95.86 - }, - "isServiceManaged": true - } - ], - "namespace": "default", - "origin": "ui", - "id": "e59142e5-1fe3-4aae-b0b0-19d6345e65a1", - "max_attempts": 2, - "wait": "7", - "revision": 3, - "mode": "all", - "ipv4": true, - "ipv6": true, - "created_at": "2023-11-07T09:57:04.152Z", - "updated_at": "2023-12-04T19:19:34.039Z", - "host": "8.8.8.8:80" - } - ], - "absoluteTotal": 24, - "perPage": 10, - } + created: + summary: Created timeline + value: + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Malware containment + version: WzE0LDFd + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. + '405': + content: + application/json: + examples: + error: + summary: Error body + value: + body: update timeline error + statusCode: 405 schema: type: object - description: A successful response. - summary: Get monitors + properties: + body: + description: The error message + example: update timeline error + type: string + statusCode: + example: 405 + type: number + description: Indicates that there was an error in the Timeline creation. + summary: Create a Timeline or Timeline template tags: - - synthetics + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/timeline/_copy: post: - description: > - Create a new monitor with the specified attributes. A monitor can be one - of the following types: HTTP, TCP, ICMP, or Browser. 
The required and - default fields may vary based on the monitor type. + description: | + **Spaces method and path for this operation:** - You must have `all` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. - operationId: post-synthetic-monitors +
post /s/{space_id}/api/timeline/_copy
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Copies and returns a timeline or timeline template. + operationId: CopyTimeline requestBody: content: application/json: examples: - postSyntheticMonitorsRequestExample1: - description: Create an HTTP monitor to check a website's availability. - summary: HTTP monitor - value: |- - { - "type": "http", - "name": "Website Availability", - "url": "https://example.com", - "tags": ["website", "availability"], - "locations": ["united_kingdom"] - } - postSyntheticMonitorsRequestExample2: - description: Create a TCP monitor to monitor a server's availability. - summary: TCP monitor - value: |- - { - "type": "tcp", - "name": "Server Availability", - "host": "example.com", - "private_locations": ["my_private_location"] - } - postSyntheticMonitorsRequestExample3: - description: Create an ICMP monitor to perform ping checks. - summary: ICMP monitor - value: |- - { - "type": "icmp", - "name": "Ping Test", - "host": "example.com", - "locations": ["united_kingdom"] - } - postSyntheticMonitorsRequestExample4: - description: Create a browser monitor to check a website. - summary: Browser monitor - value: |- - { - "type": "browser", - "name": "Example journey", - "inline_script": "step('Go to https://google.com.co', () => page.goto('https://www.google.com'))", - "locations": ["united_kingdom"] - } + copyWithTitle: + summary: Copy with a new title + value: + timeline: + timelineType: default + title: Copy of investigation + timelineIdToCopy: 15c1929b-0af7-42bd-85a8-56e234cc7c4e schema: - description: > - The request body should contain the attributes of the monitor - you want to create. The required and default fields differ - depending on the monitor type. 
- discriminator: - propertyName: type - oneOf: - - $ref: '#/components/schemas/Synthetics_browserMonitorFields' - - $ref: '#/components/schemas/Synthetics_httpMonitorFields' - - $ref: '#/components/schemas/Synthetics_icmpMonitorFields' - - $ref: '#/components/schemas/Synthetics_tcpMonitorFields' + type: object + properties: + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + timelineIdToCopy: + description: The `savedObjectId` of the timeline or template to duplicate. + type: string + required: + - timeline + - timelineIdToCopy + description: Source timeline id to copy plus timeline fields for the new saved object. required: true responses: '200': content: application/json: examples: - postSyntheticMonitorsResponseWithWarning: - description: >- - A response when a browser monitor specifies a timeout but - has no private locations. - summary: Response with warning - value: |- - { - "type": "browser", - "name": "Example journey", - "enabled": true, - "warnings": [ - { - "id": "monitor-id", - "message": "For browser monitors, timeout is only supported on private locations. Browser monitor \"Example journey\" specifies a timeout and is running on public locations: \"public-1, public-2\". The timeout will have no effect on these locations.", - "publicLocationIds": ["public-1", "public-2"] - } - ] - } + copied: + summary: Newly saved timeline + value: + savedObjectId: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + status: active + timelineType: default + title: Copy of investigation + version: WzE1LDFd + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. + summary: Copies timeline or timeline template + tags: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/timeline/_draft: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/timeline/_draft
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of the draft Timeline or Timeline template for the current user. If the user doesn't have a draft Timeline, an empty Timeline is returned. + operationId: GetDraftTimelines + parameters: + - description: Which draft to load (`default` investigation timeline or `template` timeline template). + in: query + name: timelineType + required: true + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + responses: + '200': + content: + application/json: + examples: + draftPayload: + summary: Draft timeline payload + value: + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: draft + timelineType: default + title: '' + version: WzE0LDFd + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. + '403': + content: + application/json: + examples: + forbidden: + summary: Permission denied + value: + message: Forbidden + status_code: 403 schema: type: object properties: - warnings: - description: > - An optional array of warnings about the monitor - configuration. - items: - $ref: '#/components/schemas/Synthetics_monitorWarning' - type: array - description: > - A successful response. The response may include a `warnings` array - when the monitor configuration has non-critical issues. For example, - if a browser monitor specifies a timeout but has no private - locations configured, a warning is returned indicating the timeout - will have no effect. - '400': + message: + type: string + status_code: + type: number + description: If a draft Timeline was not found and we attempted to create one, it indicates that the user does not have the required permissions to create a draft Timeline. + '409': content: application/json: examples: - invalidBrowserTimeout: - description: >- - A 400 error when a browser monitor timeout is below 30 - seconds. 
- summary: Invalid browser timeout - value: |- - { - "statusCode": 400, - "error": "Bad Request", - "message": "Browser Monitor timeout is invalid", - "attributes": { - "details": "Invalid timeout 20 seconds supplied. Minimum timeout for browser monitors is 30 seconds." - } - } + conflict: + summary: Draft conflict + value: + message: Conflict + status_code: 409 schema: type: object properties: - attributes: - type: object - properties: - details: - example: >- - Invalid timeout 20 seconds supplied. Minimum timeout - for browser monitors is 30 seconds. - type: string - error: - example: Bad Request - type: string message: - example: Browser Monitor timeout is invalid type: string - statusCode: - example: 400 - type: integer - description: > - Bad request. For browser monitors, a 400 error is returned if the - timeout is less than 30 seconds. - summary: Create a monitor + status_code: + type: number + description: This should never happen, but if a draft Timeline was not found and we attempted to create one, it indicates that there is already a draft Timeline with the given `timelineId`. + summary: Get draft Timeline or Timeline template details tags: - - synthetics - /api/synthetics/monitors/_bulk_delete: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name post: description: | - Delete multiple monitors by sending a list of config IDs. - operationId: delete-synthetic-monitors + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/timeline/_draft
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a clean draft Timeline or Timeline template for the current user. + > info + > If the user already has a draft Timeline, the existing draft Timeline is cleared and returned. + operationId: CleanDraftTimelines requestBody: content: application/json: examples: - bulkDeleteRequestExample1: - description: >- - Run `POST /api/synthetics/monitors/_bulk_delete` to delete a - list of monitors. - value: |- - { - "ids": [ - "monitor1-id", - "monitor2-id" - ] - } + defaultDraft: + summary: Create a default draft timeline + value: + timelineType: default schema: type: object properties: - ids: - description: An array of monitor IDs to delete. - items: - type: string - type: array + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' required: - - ids + - timelineType + description: The type of Timeline to create. Valid values are `default` and `template`. required: true responses: '200': content: application/json: examples: - deleteMonitorsResponseExample1: - description: A response from successfully deleting multiple monitors. - value: |- - [ - { - "id": "monitor1-id", - "deleted": true - }, - { - "id": "monitor2-id", - "deleted": true - } - ] + draftResponse: + summary: Draft after reset or creation + value: + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: draft + templateTimelineId: null + templateTimelineVersion: null + timelineType: default + title: '' + version: WzE0LDFd schema: - items: - description: >- - The API response includes information about the deleted - monitors. - type: object - properties: - deleted: - description: > - If it is `true`, the monitor was successfully deleted If - it is `false`, the monitor was not deleted. - type: boolean - ids: - description: The unique identifier of the deleted monitor. - type: string - type: array - description: A successful response. 
- summary: Delete monitors + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. + '403': + content: + application/json: + examples: + forbidden: + summary: Permission denied + value: + message: Forbidden + status_code: 403 + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: Indicates that the user does not have the required permissions to create a draft Timeline. + '409': + content: + application/json: + examples: + conflict: + summary: Draft conflict + value: + message: Conflict + status_code: 409 + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: Indicates that there is already a draft Timeline with the given `timelineId`. + summary: Create a clean draft Timeline or Timeline template tags: - - synthetics - /api/synthetics/monitors/{id}: - delete: - description: > - Delete a monitor from the Synthetics app. + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/timeline/_export: + post: + description: |- + **Spaces method and path for this operation:** - You must have `all` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. - operationId: delete-synthetic-monitor - parameters: - - description: The identifier for the monitor that you want to delete. - in: path - name: id - required: true - schema: - type: string - responses: - '200': - description: OK - summary: Delete a monitor - tags: - - synthetics - get: - operationId: get-synthetic-monitor +
post /s/{space_id}/api/timeline/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export Timelines as an NDJSON file. + operationId: ExportTimelines parameters: - - description: The ID of the monitor. - in: path - name: id + - description: The name of the file to export + in: query + name: file_name required: true schema: type: string + requestBody: + content: + application/json: + examples: + exportIds: + summary: Export by timeline ids + value: + ids: + - 15c1929b-0af7-42bd-85a8-56e234cc7c4e + schema: + type: object + properties: + ids: + items: + type: string + maxItems: 1000 + minItems: 1 + nullable: true + type: array + description: The IDs of the Timelines to export. + required: true responses: '200': content: - application/json: + application/ndjson: examples: - getSyntheticMonitorResponseExample1: - description: >- - A successful response from `GET - /api/synthetics/monitors/`. - value: |- - { - "type": "http", - "enabled": true, - "alert": { - "status": { - "enabled": true - }, - "tls": { - "enabled": true - } - }, - "schedule": { - "number": "3", - "unit": "m" - }, - "config_id": "a8188705-d01e-4bb6-87a1-64fa5e4b07ec", - "timeout": "16", - "name": "am i something", - "locations": [ - { - "id": "us_central", - "label": "North America - US Central", - "geo": { - "lat": 41.25, - "lon": -95.86 - }, - "isServiceManaged": true - } - ], - "namespace": "default", - "origin": "ui", - "id": "a8188705-d01e-4bb6-87a1-64fa5e4b07ec", - "max_attempts": 2, - "__ui": { - "is_tls_enabled": false - }, - "max_redirects": "0", - "response.include_body": "on_error", - "response.include_headers": true, - "check.request.method": "GET", - "mode": "any", - "response.include_body_max_bytes": "1024", - "ipv4": true, - "ipv6": true, - "ssl.verification_mode": "full", - "ssl.supported_protocols": [ - "TLSv1.1", - "TLSv1.2", - "TLSv1.3" - ], - "revision": 13, - "created_at": "2023-11-08T08:45:29.334Z", - "updated_at": "2023-12-18T20:31:44.770Z", - "url": 
"https://fast.com" - } + ndjsonLine: + summary: Single NDJSON line + value: '{"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd","title":"Investigation","timelineType":"default"}' + schema: + description: NDJSON of the exported Timelines + type: string + description: Indicates a successful call. + '400': + content: + application/ndjson: + examples: + badRequest: + summary: Export error + value: + body: Export limit exceeded + statusCode: 400 schema: type: object - description: A successful response. - '404': - description: If the monitor is not found, the API returns a 404 error. - summary: Get a monitor + properties: + body: + type: string + statusCode: + type: number + description: Bad Request response. + summary: Export Timelines tags: - - synthetics - put: - description: > - Update a monitor with the specified attributes. The required and default - fields may vary based on the monitor type. + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/timeline/_favorite: + patch: + description: |- + **Spaces method and path for this operation:** - You must have `all` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. +
patch /s/{space_id}/api/timeline/_favorite
- You can also partially update a monitor. This will only update the - fields that are specified in the request body. All other fields are left - unchanged. The specified fields should conform to the monitor type. For - example, you can't update the `inline_scipt` field of a HTTP monitor. - operationId: put-synthetic-monitor - parameters: - - description: The identifier for the monitor that you want to update. - in: path - name: id - required: true - schema: - type: string + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Favorite a Timeline or Timeline template for the current user. + operationId: PersistFavoriteRoute requestBody: content: application/json: examples: - putSyntheticMonitorsRequestExample1: - description: Update an HTTP monitor that checks a website's availability. - summary: HTTP monitor - value: |- - { - "type": "http", - "name": "Website Availability", - "url": "https://example.com", - "tags": ["website", "availability"], - "locations": ["united_kingdom"] - } - putSyntheticMonitorsRequestExample2: - description: Update a TCP monitor that monitors a server's availability. - summary: TCP monitor - value: |- - { - "type": "tcp", - "name": "Server Availability", - "host": "example.com", - "private_locations": ["my_private_location"] - } - putSyntheticMonitorsRequestExample3: - description: Update an ICMP monitor that performs ping checks. - summary: ICMP monitor - value: |- - { - "type": "icmp", - "name": "Ping Test", - "host": "example.com", - "locations": ["united_kingdom"] - } - putSyntheticMonitorsRequestExample4: - description: Update a browser monitor that checks a website. 
- summary: Browser monitor - value: |- - { - "type": "browser", - "name": "Example journey", - "inline_script": "step('Go to https://google.com.co', () => page.goto('https://www.google.com'))", - "locations": ["united_kingdom"] - } + favoriteDefault: + summary: Favorite a default timeline + value: + templateTimelineId: null + templateTimelineVersion: null + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + timelineType: default schema: - description: > - The request body should contain the attributes of the monitor - you want to update. The required and default fields differ - depending on the monitor type. - discriminator: - propertyName: type - oneOf: - - $ref: '#/components/schemas/Synthetics_browserMonitorFields' - - $ref: '#/components/schemas/Synthetics_httpMonitorFields' - - $ref: '#/components/schemas/Synthetics_icmpMonitorFields' - - $ref: '#/components/schemas/Synthetics_tcpMonitorFields' type: object + properties: + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timelineId: + nullable: true + type: string + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + required: + - timelineId + - templateTimelineId + - templateTimelineVersion + - timelineType + description: The required fields used to favorite a (template) Timeline. required: true responses: '200': content: application/json: examples: - putSyntheticMonitorResponseWithWarning: - description: >- - A response when a browser monitor specifies a timeout but - has no private locations. - summary: Response with warning - value: |- - { - "type": "browser", - "name": "Example journey", - "enabled": true, - "warnings": [ - { - "id": "monitor-id", - "message": "For browser monitors, timeout is only supported on private locations. Browser monitor \"Example journey\" specifies a timeout and is running on public locations: \"public-1, public-2\". 
The timeout will have no effect on these locations.", - "publicLocationIds": ["public-1", "public-2"] - } - ] - } + favoriteResponse: + summary: Favorite metadata updated + value: + favorite: + - favoriteDate: 1741337636741 + userName: elastic + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + timelineType: default + version: WzE2LDFd schema: - type: object - properties: - warnings: - description: > - An optional array of warnings about the monitor - configuration. - items: - $ref: '#/components/schemas/Synthetics_monitorWarning' - type: array - description: > - A successful response. The response may include a `warnings` array - when the monitor configuration has non-critical issues. - '400': - description: > - Bad request. For browser monitors, a 400 error is returned if the - timeout is less than 30 seconds. - summary: Update a monitor - tags: - - synthetics - /api/synthetics/params: - get: - description: > - Get a list of all parameters. You must have `read` privileges for the - Synthetics feature in the Observability section of the Kibana feature - privileges. - operationId: get-parameters - responses: - '200': + $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResponse' + description: Indicates a successful call. + '403': content: application/json: examples: - getParametersResponseExample1: - description: >- - A successful response for a user with read-only permissions - to get a list of parameters. - summary: Read access - value: |- - [ - { - "id": "param1-id", - "key": "param1", - "description": "Description for param1", - "tags": ["tag1", "tag2"], - "namespaces": ["namespace1"] - }, - { - "id": "param2-id", - "key": "param2", - "description": "Description for param2", - "tags": ["tag3"], - "namespaces": ["namespace2"] - } - ] - getParametersResponseExample2: - description: >- - A successful response for a user with write permissions to - get a list of parameters. 
- summary: Write access - value: |- - [ - { - "id": "param1-id", - "key": "param1", - "description": "Description for param1", - "tags": ["tag1", "tag2"], - "namespaces": ["namespace1"], - "value": "value1" - }, - { - "id": "param2-id", - "key": "param2", - "description": "Description for param2", - "tags": ["tag3"], - "namespaces": ["namespace2"], - "value": "value2" - } - ] + forbidden: + summary: Forbidden + value: + body: Forbidden + statusCode: 403 schema: - items: - $ref: '#/components/schemas/Synthetics_getParameterResponse' - type: array - description: A successful response. - summary: Get parameters + type: object + properties: + body: + type: string + statusCode: + type: number + description: Indicates the user does not have the required permissions to persist the favorite status. + summary: Favorite a Timeline or Timeline template tags: - - synthetics + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/timeline/_import: post: - description: > - Add one or more parameters to the Synthetics app. + description: |- + **Spaces method and path for this operation:** - You must have `all` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. - operationId: post-parameters +
post /s/{space_id}/api/timeline/_import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Import Timelines. + operationId: ImportTimelines requestBody: content: application/json: examples: - postParametersRequestExample1: - description: Add a single parameter. - summary: Single parameter - value: |- - { - "key": "your-key-name", - "value": "your-parameter-value", - "description": "Param to use in browser monitor", - "tags": ["authentication", "security"], - "share_across_spaces": true - } - postParametersRequestExample2: - description: Add multiple parameters. - summary: Multiple parameters - value: |- - [ - { - "key": "param1", - "value": "value1" - }, - { - "key": "param2", - "value": "value2" - } - ] + multipartPlaceholder: + summary: Request shape (file is a stream of NDJSON lines at runtime) + value: + file: '{"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd"}\n' + isImmutable: 'false' schema: - oneOf: - - items: - $ref: '#/components/schemas/Synthetics_parameterRequest' - type: array - - $ref: '#/components/schemas/Synthetics_parameterRequest' - description: >- - The request body can contain either a single parameter object or an - array of parameter objects. + type: object + properties: + file: {} + isImmutable: + description: Whether the Timeline should be immutable + enum: + - 'true' + - 'false' + type: string + required: + - file + description: The Timelines to import as a readable stream. required: true responses: '200': content: application/json: examples: - postParametersResponseExample1: - description: A successful response for a single added parameter. - summary: Single parameter - value: |- - { - "id": "unique-parameter-id", - "key": "your-key-name", - "value": "your-param-value", - "description": "Param to use in browser monitor", - "tags": ["authentication", "security"], - "share_across_spaces": true - } - postParametersResponseExample2: - description: A successful response for multiple added parameters. 
- summary: Multiple parameters - value: |- - [ - { - "id": "param1-id", - "key": "param1", - "value": "value1" - }, - { - "id": "param2-id", - "key": "param2", - "value": "value2" - } - ] + importSummary: + summary: Import summary + value: + errors: [] + success: true + success_count: 5 + timelines_installed: 3 + timelines_updated: 2 schema: - oneOf: - - items: - $ref: '#/components/schemas/Synthetics_postParameterResponse' - type: array - - $ref: '#/components/schemas/Synthetics_postParameterResponse' - description: A successful response. - summary: Add parameters + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult' + description: Indicates a successful call. + '400': + content: + application/json: + examples: + badRequest: + summary: Invalid import + value: + body: Invalid file extension + statusCode: 400 + schema: + type: object + properties: + body: + description: The error message + example: Invalid file extension + type: string + statusCode: + example: 400 + type: number + description: Bad Request response. + '404': + content: + application/json: + examples: + notFound: + summary: Saved objects client missing + value: + body: Unable to find saved object client + statusCode: 404 + schema: + type: object + properties: + body: + description: The error message + example: Unable to find saved object client + type: string + statusCode: + example: 404 + type: number + description: Not found response. + '409': + content: + application/json: + examples: + conflict: + summary: Import conflict + value: + body: Could not import timelines + statusCode: 409 + schema: + type: object + properties: + body: + description: The error message + example: Could not import timelines + type: string + statusCode: + example: 409 + type: number + description: Indicates the import of Timelines was unsuccessful. 
+ summary: Import Timelines tags: - - synthetics - /api/synthetics/params/_bulk_delete: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/timeline/_prepackaged: post: - description: > - Delete parameters from the Synthetics app. + description: |- + **Spaces method and path for this operation:** - You must have `all` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. - operationId: delete-parameters +
post /s/{space_id}/api/timeline/_prepackaged
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install or update prepackaged Timelines. + operationId: InstallPrepackedTimelines requestBody: content: application/json: examples: - deleteParametersRequestExample1: - description: >- - Run `POST /api/synthetics/params/_bulk_delete` to delete - multiple parameters. - value: |- - { - "ids": ["param1-id", "param2-id"] - } + emptyArrays: + summary: Installer payload shape + value: + prepackagedTimelines: [] + timelinesToInstall: [] + timelinesToUpdate: [] schema: type: object properties: - ids: - description: An array of parameter IDs to delete. + prepackagedTimelines: items: - type: string + $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject' + nullable: true + type: array + timelinesToInstall: + items: + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' + nullable: true type: array + timelinesToUpdate: + items: + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' + nullable: true + type: array + required: + - timelinesToInstall + - timelinesToUpdate + - prepackagedTimelines + description: The Timelines to install or update. required: true responses: '200': content: application/json: examples: - deleteParametersResponseExample1: - value: |- - [ - { - "id": "param1-id", - "deleted": true - } - ] + installResult: + summary: Install result counts + value: + errors: [] + success: true + success_count: 10 + timelines_installed: 8 + timelines_updated: 2 + schema: + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult' + description: Indicates a successful call. + '500': + content: + application/json: + examples: + serverError: + summary: Server error + value: + body: Internal error + statusCode: 500 + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: Indicates the installation of prepackaged Timelines was unsuccessful. 
+ summary: Install prepackaged Timelines + tags: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/timeline/resolve: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/timeline/resolve
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Resolve a Timeline or Timeline template, surfacing outcomes such as `exactMatch`, `aliasMatch`, or `conflict` when object IDs have been remapped during upgrades or imports. Provide **either** `id` for default Timelines or `template_timeline_id` for templates. + operationId: ResolveTimeline + parameters: + - description: The ID of the template timeline to resolve + in: query + name: template_timeline_id + schema: + type: string + - description: The ID of the timeline to resolve + in: query + name: id + schema: + type: string + responses: + '200': + content: + application/json: + examples: + exactMatch: + description: Timeline resolved without alias or conflict + summary: Exact match outcome + value: + outcome: exactMatch + timeline: + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + timelineType: default + title: Investigation + schema: + $ref: '#/components/schemas/Security_Timeline_API_ResolvedTimeline' + description: Indicates a successful call. + '400': + content: + application/json: + examples: + badRequest: + summary: Bad request + value: {} + schema: + additionalProperties: true + type: object + description: Bad Request response. + '404': + content: + application/json: + examples: + notFound: + summary: Not found + value: {} + schema: + additionalProperties: true + type: object + description: The (template) Timeline was not found + summary: Resolve a Timeline or Timeline template + tags: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/timelines: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/timelines
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all saved Timelines or Timeline templates. + operationId: GetTimelines + parameters: + - description: If `true`, only Timelines that the current user has marked as favorite are returned. + in: query + name: only_user_favorite + schema: + enum: + - 'true' + - 'false' + nullable: true + type: string + - description: Restrict results to `default` investigation timelines or `template` timeline templates. + in: query + name: timeline_type + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + - description: Field used to sort the list (`title`, `description`, `updated`, or `created`). + in: query + name: sort_field + schema: + $ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline' + - description: Whether to sort the results `ascending` or `descending` + in: query + name: sort_order + schema: + enum: + - asc + - desc + type: string + - description: How many results should returned at once + in: query + name: page_size + schema: + nullable: true + type: string + - description: How many pages should be skipped + in: query + name: page_index + schema: + nullable: true + type: string + - description: Allows to search for timelines by their title + in: query + name: search + schema: + nullable: true + type: string + - description: Filter by timeline lifecycle state (`active`, `draft`, or `immutable`). 
+ in: query + name: status + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' + nullable: true + responses: + '200': + content: + application/json: + examples: + timelineList: + summary: Example list response + value: + customTemplateTimelineCount: 0 + defaultTimelineCount: 1 + elasticTemplateTimelineCount: 0 + favoriteCount: 0 + templateTimelineCount: 0 + timeline: + - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Phishing investigation + updated: 1741344876825 + version: WzE0LDFd + totalCount: 1 + schema: + type: object + properties: + customTemplateTimelineCount: + description: The amount of custom Timeline templates in the results + example: 2 + type: number + defaultTimelineCount: + description: The amount of `default` type Timelines in the results + example: 90 + type: number + elasticTemplateTimelineCount: + description: The amount of Elastic's Timeline templates in the results + example: 8 + type: number + favoriteCount: + description: The amount of favorited Timelines + example: 5 + type: number + templateTimelineCount: + description: The amount of Timeline templates in the results + example: 10 + type: number + timeline: + items: + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + type: array + totalCount: + description: The total amount of results + example: 100 + type: number + required: + - timeline + - totalCount + description: Indicates a successful call. + '400': + content: + application/json: + examples: + badRequest: + summary: Error response body + value: + body: get timeline error + statusCode: 400 schema: - items: - type: object - properties: - deleted: - description: > - Indicates whether the parameter was successfully - deleted. It is `true` if it was deleted. It is `false` - if it was not deleted. - type: boolean - id: - description: The unique identifier for the deleted parameter. 
- type: string - type: array - description: A successful response. - summary: Delete parameters - tags: - - synthetics - /api/synthetics/params/{id}: - delete: - description: > - Delete a parameter from the Synthetics app. - - You must have `all` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. - operationId: delete-parameter - parameters: - - description: The ID for the parameter to delete. - in: path - name: id - required: true - schema: - type: string - responses: - '200': - description: OK - summary: Delete a parameter + type: object + properties: + body: + description: The error message. + example: get timeline error + type: string + statusCode: + example: 400 + type: number + description: Bad Request response. + summary: Get Timelines or Timeline templates tags: - - synthetics + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/upgrade_assistant/status: get: - description: > - Get a parameter from the Synthetics app. - - You must have `read` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. - operationId: get-parameter - parameters: - - description: The unique identifier for the parameter. - in: path - name: id - required: true - schema: - type: string + description: Check the status of your cluster. + operationId: get-upgrade-status responses: '200': content: application/json: examples: - getParameterResponseExample1: - description: >- - A successful response for a user with read-only permissions - to get a single parameter. - summary: Read access - value: |- - { - "id": "unique-parameter-id", - "key": "your-api-key", - "description": "Param to use in browser monitor", - "tags": ["authentication", "security"], - "namespaces": ["namespace1", "namespace2"] - } - getParameterResponseExample2: - description: >- - A successful response for a user with write permissions to - get a single parameter. 
- summary: Write access + getUpgradeStatusResponseExample1: value: |- { - "id": "unique-parameter-id", - "key": "your-param-key", - "description": "Param to use in browser monitor", - "tags": ["authentication", "security"], - "namespaces": ["namespace1", "namespace2"], - "value": "your-param-value" + "readyForUpgrade": false, + "cluster": [ + { + "message": "Cluster deprecated issue", + "details":"You have 2 system indices that must be migrated and 5 Elasticsearch deprecation issues and 0 Kibana deprecation issues that must be resolved before upgrading." + } + ] } - schema: - $ref: '#/components/schemas/Synthetics_getParameterResponse' - description: A successful response. - summary: Get a parameter + description: Indicates a successful call. + summary: Get the upgrade readiness status tags: - - synthetics - put: - description: > - Update a parameter in the Synthetics app. + - upgrade + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/uptime/settings: + get: + description: | + **Spaces method and path for this operation:** - You must have `all` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. - operationId: put-parameter - parameters: - - description: The unique identifier for the parameter. - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putParameterRequestExample1: - value: |- - { - "key": "updated_param_key", - "value": "updated-param-value", - "description": "Updated Param to be used in browser monitor", - "tags": ["authentication", "security", "updated"] - } - schema: - type: object - properties: - description: - description: The updated description of the parameter. - type: string - key: - description: The key of the parameter. - type: string - tags: - description: An array of updated tags to categorize the parameter. 
- items: - type: string - type: array - value: - description: The updated value associated with the parameter. - type: string - description: The request body cannot be empty; at least one attribute is required. - required: true +
get /s/{space_id}/api/uptime/settings
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `read` privileges for the uptime feature in the Observability section of the Kibana feature privileges. + operationId: get-uptime-settings responses: '200': content: application/json: examples: - putParameterResponseExample1: + getUptimeSettingsResponseExample1: value: |- { - "id": "param_id1", - "key": "updated_param_key", - "value": "updated-param-value", - "description": "Updated Param to be used in browser monitor", - "tags": ["authentication", "security", "updated"] + "heartbeatIndices": "heartbeat-8*", + "certExpirationThreshold": 30, + "certAgeThreshold": 730, + "defaultConnectors": [ + "08990f40-09c5-11ee-97ae-912b222b13d4", + "db25f830-2318-11ee-9391-6b0c030836d6" + ], + "defaultEmail": { + "to": [], + "cc": [], + "bcc": [] + } } schema: type: object - description: A successful response. - summary: Update a parameter + description: Indicates a successful call + summary: Get uptime settings tags: - - synthetics - /api/synthetics/private_locations: - get: - description: > - Get a list of private locations. + - uptime + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** - You must have `read` privileges for the Synthetics and Uptime feature in - the Observability section of the Kibana feature privileges. 
- operationId: get-private-locations - responses: - '200': - content: - application/json: - examples: - getPrivateLocationsResponseExample1: - value: |- - [ - { - "label": "Test private location", - "id": "fleet-server-policy", - "agentPolicyId": "fleet-server-policy", - "isInvalid": false, - "geo": { - "lat": 0, - "lon": 0 - }, - "namespace": "default" - }, - { - "label": "Test private location 2", - "id": "691225b0-6ced-11ee-8f5a-376306ee85ae", - "agentPolicyId": "691225b0-6ced-11ee-8f5a-376306ee85ae", - "isInvalid": false, - "geo": { - "lat": 0, - "lon": 0 - }, - "namespace": "test" - } - ] - schema: - items: - $ref: '#/components/schemas/Synthetics_getPrivateLocation' - type: array - description: A successful response. - summary: Get private locations - tags: - - synthetics - post: - description: >- - You must have `all` privileges for the Synthetics and Uptime feature in - the Observability section of the Kibana feature privileges. - operationId: post-private-location +
put /s/{space_id}/api/uptime/settings
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update uptime setting attributes like `heartbeatIndices`, `certExpirationThreshold`, `certAgeThreshold`, `defaultConnectors`, or `defaultEmail`. You must have `all` privileges for the uptime feature in the Observability section of the Kibana feature privileges. A partial update is supported, provided settings keys will be merged with existing settings. + operationId: put-uptime-settings requestBody: content: application/json: examples: - postPrivateLocationRequestExample1: - description: >- - Run `POST /api/private_locations` to create a private - location. + putUptimeSettingsRequestExample1: + description: Run `PUT api/uptime/settings` to update multiple Uptime settings. + summary: Update multiple settings value: |- { - "label": "Private Location 1", - "agentPolicyId": "abcd1234", - "tags": ["private", "testing"], - "geo": { - "lat": 40.7128, - "lon": -74.0060 - } - "spaces": ["default"] + "heartbeatIndices": "heartbeat-8*", + "certExpirationThreshold": 30, + "certAgeThreshold": 730, + "defaultConnectors": [ + "08990f40-09c5-11ee-97ae-912b222b13d4", + "db25f830-2318-11ee-9391-6b0c030836d6" + ], + "defaultEmail": { + "to": [], + "cc": [], + "bcc": [] + } + } + putUptimeSettingsRequestExample2: + description: Run `PUT api/uptime/settings` to update a single Uptime setting. + summary: Update a setting + value: |- + { + "heartbeatIndices": "heartbeat-8*", } schema: type: object properties: - agentPolicyId: - description: >- - The ID of the agent policy associated with the private - location. - type: string - geo: - description: Geographic coordinates (WGS84) for the location. + certAgeThreshold: + default: 730 + description: The number of days after a certificate is created to trigger an alert. + type: number + certExpirationThreshold: + default: 30 + description: The number of days before a certificate expires to trigger an alert. 
+ type: number + defaultConnectors: + default: [] + description: A list of connector IDs to be used as default connectors for new alerts. + type: array + defaultEmail: + description: | + The default email configuration for new alerts. type: object properties: - lat: - description: The latitude of the location. - type: number - lon: - description: The longitude of the location. - type: number - required: - - lat - - lon - label: - description: A label for the private location. + bcc: + default: [] + items: + type: string + type: array + cc: + default: [] + items: + type: string + type: array + to: + default: [] + items: + type: string + type: array + heartbeatIndices: + default: heartbeat-* + description: | + An index pattern string to be used within the Uptime app and alerts to query Heartbeat data. type: string - spaces: - description: > - An array of space IDs where the private location is - available. If it is not provided, the private location is - available in all spaces. - items: - type: string - type: array - tags: - description: An array of tags to categorize the private location. - items: - type: string - type: array - required: - - agentPolicyId - - label - required: true responses: '200': content: application/json: examples: - postPrivateLocationResponseExample1: + putUptimeSettingsResponseExample1: + description: A successful response from `PUT api/uptime/settings`. value: |- { - "id": "abcd1234", - "label": "Private Location 1", - "agentPolicyId": "abcd1234", - "tags": ["private", "testing"], - "geo": { - "lat": 40.7128, - "lon": -74.0060 - } + "heartbeatIndices": "heartbeat-8*", + "certExpirationThreshold": 30, + "certAgeThreshold": 730, + "defaultConnectors": [ + "08990f40-09c5-11ee-97ae-912b222b13d4", + "db25f830-2318-11ee-9391-6b0c030836d6" + ], + "defaultEmail": { + "to": [], + "cc": [], + "bcc": [] + } } schema: type: object - description: A successful response. 
- '400': - description: >- - If the `agentPolicyId` is already used by an existing private - location or if the `label` already exists, the API will return a 400 - Bad Request response with a corresponding error message. - summary: Create a private location + description: Indicates a successful call + summary: Update uptime settings tags: - - synthetics - /api/synthetics/private_locations/{id}: + - uptime + x-metaTags: + - content: Kibana + name: product_name + /api/workflows: delete: - description: > - You must have `all` privileges for the Synthetics and Uptime feature in - the Observability section of the Kibana feature privileges. - - The API does not return a response body for deletion, but it will return - an appropriate status code upon successful deletion. + description: |- + **Spaces method and path for this operation:** - A location cannot be deleted if it has associated monitors in use. You - must delete all monitors associated with the location before deleting - the location. - operationId: delete-private-location - parameters: - - description: The unique identifier of the private location to be deleted. - in: path - name: id - required: true - schema: - maxLength: 1024 - minLength: 1 - type: string - responses: - '200': - description: OK - summary: Delete a private location - tags: - - synthetics - get: - description: > - You must have `read` privileges for the Synthetics and Uptime feature in - the Observability section of the Kibana feature privileges. - operationId: get-private-location - parameters: - - description: A private location identifier or label. 
- in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getPrivateLocationResponseExample1: - value: |- - { - "label": "Test private location", - "id": "test-private-location-id", - "agentPolicyId": "test-private-location-id", - "isServiceManaged": false, - "isInvalid": false, - "geo": { - "lat": 0, - "lon": 0 - }, - "namespace": "default" - } - schema: - $ref: '#/components/schemas/Synthetics_getPrivateLocation' - description: A successful response. - summary: Get a private location - tags: - - synthetics - put: - description: > - Update an existing private location's label. +
delete /s/{space_id}/api/workflows
- You must have `all` privileges for the Synthetics and Uptime feature in - the Observability section of the Kibana feature privileges. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - When a private location's label is updated, all monitors using this - location will also be updated to maintain data consistency. - operationId: put-private-location + Delete multiple workflows by their IDs.

[Required authorization] Route required privileges: workflowsManagement:delete. + operationId: delete-workflows parameters: - - description: The unique identifier of the private location to be updated. - in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string + - description: When true, permanently deletes the workflows (hard delete) instead of soft-deleting them. The workflow IDs become available for reuse. + in: query + name: force + required: false + schema: + default: false + type: boolean requestBody: content: application/json: examples: - putPrivateLocationRequestExample1: - description: Update a private location's label. - value: |- - { - "label": "Updated Private Location Name" - } + bulkDeleteWorkflowsRequestExample: + description: Example request for deleting multiple workflows + value: + ids: + - workflow-c3d4e5f6-a7b8-9012-cdef-234567890123 + - workflow-d4e5f6a7-b8c9-0123-defa-345678901234 schema: + additionalProperties: false type: object properties: - label: - description: >- - A new label for the private location. Must be at least 1 - character long. - minLength: 1 - type: string + ids: + description: Array of workflow IDs to delete. + items: + description: Workflow ID to delete. + type: string + maxItems: 1000 + type: array required: - - label - required: true + - ids responses: '200': content: application/json: examples: - putPrivateLocationResponseExample1: - value: |- - { - "label": "Updated Private Location Name", - "id": "test-private-location-id", - "agentPolicyId": "test-private-location-id", - "isServiceManaged": false, - "isInvalid": false, - "tags": ["private", "testing", "updated"], - "geo": { - "lat": 37.7749, - "lon": -122.4194 - }, - "spaces": ["*"] - } - schema: - $ref: '#/components/schemas/Synthetics_getPrivateLocation' - description: A successful response. 
- '400': - description: >- - If the `label` is shorter than 1 character the API will return a 400 - Bad Request response with a corresponding error message. - '404': - description: >- - If the private location with the specified ID does not exist, the - API will return a 404 Not Found response. - summary: Update a private location + bulkDeleteWorkflowsResponseExample: + description: Example response after deleting multiple workflows + value: + deleted: 2 + failures: [] + total: 2 + description: Indicates a successful response + summary: Bulk delete workflows tags: - - synthetics - /api/task_manager/_health: + - workflows + x-codeSamples: + - label: Soft delete (default) + lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/workflows" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] + }' + - label: Hard delete (permanent) + lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/workflows?force=true" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] + }' + - lang: Console + source: | + DELETE kbn://api/workflows + { + "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name get: - description: | - Get the health status of the Kibana task manager. - operationId: task-manager-health + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a paginated list of workflows with optional filtering.

[Required authorization] Route required privileges: workflowsManagement:read OR workflowsManagement:readExecution. + operationId: get-workflows + parameters: + - description: Free-text search query. + in: query + name: query + required: false + schema: + type: string + - description: Number of results per page. + in: query + name: size + required: false + schema: + minimum: 1 + type: number + - description: Page number. + in: query + name: page + required: false + schema: + minimum: 1 + type: number + - description: Filter by enabled state. + in: query + name: enabled + required: false + schema: + items: + type: boolean + maxItems: 2 + type: array + - description: Filter by creator. + in: query + name: createdBy + required: false + schema: + items: + type: string + maxItems: 1000 + type: array + - description: Filter by tags. + in: query + name: tags + required: false + schema: + items: + type: string + maxItems: 1000 + type: array responses: '200': content: application/json: examples: - taskManagerHealthResponse1: - $ref: >- - #/components/examples/Task_manager_health_APIs_health_200response - schema: - $ref: '#/components/schemas/Task_manager_health_APIs_health_response' - description: Indicates a successful call - summary: Get the task manager health + getWorkflowsResponseExample: + description: Example response returning a paginated list of workflows + value: + page: 1 + results: + - createdAt: '2025-11-20T10:30:00.000Z' + definition: + description: This is a workflow example + enabled: true + inputs: + - default: hello world + name: message + type: string + name: Example definition + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + description: This is a workflow example + enabled: true + history: + - duration: 5000 + finishedAt: '2025-11-20T12:00:05.000Z' + id: exec-001 + startedAt: '2025-11-20T12:00:00.000Z' + status: completed + workflowId: 
workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowName: Example definition + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + name: Example definition + tags: + - example + valid: true + size: 20 + total: 1 + description: Indicates a successful response + summary: Get workflows tags: - - task manager - /api/timeline: - delete: - description: Delete one or more Timelines or Timeline templates. - operationId: DeleteTimelines + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows?size=20&page=1" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows?size=20&page=1 + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create multiple workflows in a single request. Optionally overwrite existing workflows.

[Required authorization] Route required privileges: workflowsManagement:create AND workflowsManagement:update. + operationId: post-workflows + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Whether to overwrite existing workflows. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean requestBody: content: application/json: examples: - deleteByIds: - summary: Delete timelines by saved object id - value: - savedObjectIds: - - 15c1929b-0af7-42bd-85a8-56e234cc7c4e - deleteWithSearches: - summary: Delete Timelines and their linked saved searches + bulkCreateWorkflowsRequestExample: + description: Example request for creating multiple workflows at once value: - savedObjectIds: - - 15c1929b-0af7-42bd-85a8-56e234cc7c4e - - 6ce1b592-84e3-4b4a-9552-f189d4b82075 - searchIds: - - 2c1b8f02-9ad6-4e33-8f6a-2c6b7d0a1f11 + workflows: + - yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + yaml: | + name: Second workflow + enabled: false + description: Another workflow + triggers: + - type: manual + steps: + - name: log_step + type: console + with: + message: "Hello from second workflow" schema: + additionalProperties: false type: object properties: - savedObjectIds: - description: >- - The list of IDs of the Timelines or Timeline templates to - delete - items: - type: string - maxItems: 100 - type: array - searchIds: - description: >- - Saved search IDs that should be deleted alongside the - timelines + workflows: items: - type: string - maxItems: 100 + type: object + properties: + id: + maxLength: 255 + minLength: 3 + 
pattern: ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ + type: string + yaml: + maxLength: 1048576 + type: string + required: + - yaml + maxItems: 500 type: array required: - - savedObjectIds - description: The IDs of the Timelines or Timeline templates to delete. - required: true + - workflows responses: '200': content: application/json: examples: - success: - summary: Success - value: {} - schema: - additionalProperties: true - type: object - description: Indicates a successful call. - summary: Delete Timelines or Timeline templates + bulkCreateWorkflowsResponseExample: + description: Example response after creating multiple workflows + value: + created: + - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + name: Example definition + - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + name: Second workflow + failures: [] + total: 2 + description: Indicates a successful response + summary: Bulk create workflows tags: - - Security Timeline API - - access:securitySolution + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows?overwrite=false" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "workflows": [ + { "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" }, + { "id": "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901", "yaml": "name: Second workflow\nenabled: false\ndescription: Another workflow\ntriggers:\n - type: manual\nsteps:\n - name: log_step\n type: console\n with:\n message: \"Hello from second workflow\"\n" } + ] + }' + - lang: Console + source: | + POST kbn://api/workflows?overwrite=false + { + "workflows": [ + { "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - 
type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" }, + { "id": "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901", "yaml": "name: Second workflow\nenabled: false\ndescription: Another workflow\ntriggers:\n - type: manual\nsteps:\n - name: log_step\n type: console\n with:\n message: \"Hello from second workflow\"\n" } + ] + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/aggs: get: - description: Get the details of an existing saved Timeline or Timeline template. - operationId: GetTimeline + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/aggs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve distinct values and their counts for the specified workflow fields. Useful for building filters such as lists of tags or creators.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: get-workflows-aggs parameters: - - description: The `savedObjectId` of the Timeline template to retrieve. - in: query - name: template_timeline_id - schema: - type: string - - description: The `savedObjectId` of the Timeline to retrieve. + - description: Field or fields to aggregate on. in: query - name: id + name: fields + required: true schema: - type: string + description: Fields to aggregate on. + items: + description: Field name to aggregate. + type: string + maxItems: 25 + type: array responses: '200': content: application/json: examples: - timelineDetail: - summary: Timeline detail + getAggsResponseExample: + description: Example response with tag and createdBy aggregations value: - description: User-reported suspicious email - noteIds: [] - pinnedEventIds: [] - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Phishing investigation - version: WzE0LDFd - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - description: Indicates a successful call. - summary: Get Timeline or Timeline template details + createdBy: + - doc_count: 2 + key: elastic + tags: + - doc_count: 1 + key: reporting + - doc_count: 1 + key: security + - doc_count: 1 + key: triage + description: Indicates a successful response + summary: Get workflow aggregations tags: - - Security Timeline API - - access:securitySolution - patch: - description: >- - Update an existing Timeline. You can update the title, description, date - range, pinned events, pinned queries, and/or pinned saved queries of an - existing Timeline. 
- operationId: PatchTimeline - requestBody: - content: - application/json: - examples: - patchTitle: - summary: Update title - value: - timeline: - title: Escalated case review - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzE0LDFd - schema: - type: object - properties: - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - description: >- - The timeline object of the Timeline or Timeline template - that you’re updating. - timelineId: - description: >- - The `savedObjectId` of the Timeline or Timeline template - that you’re updating. - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - nullable: true - type: string - version: - description: >- - The version of the Timeline or Timeline template that you’re - updating. - example: WzE0LDFd - nullable: true - type: string - required: - - timelineId - - version - - timeline - description: The Timeline updates, along with the Timeline ID and version. - required: true + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/aggs?fields=tags&fields=createdBy" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/aggs?fields=tags&fields=createdBy + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/connectors: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/connectors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve the Kibana action connectors that can be used in workflow steps, grouped by connector type. Each type includes its configured instances and availability status.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: get-workflows-connectors + parameters: [] responses: '200': content: application/json: examples: - patched: - summary: Updated timeline + getConnectorsResponseExample: + description: Example response with available connector types and their instances value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Escalated case review - version: WzE1LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. - '405': + connectorTypes: + .email: + actionTypeId: .email + displayName: Email + enabled: true + enabledInConfig: true + enabledInLicense: true + instances: [] + minimumLicenseRequired: gold + subActions: + - displayName: Send + name: send + .slack_api: + actionTypeId: .slack_api + displayName: Slack + enabled: true + enabledInConfig: true + enabledInLicense: true + instances: + - id: slack-connector-1 + isDeprecated: false + isPreconfigured: false + name: Team Notifications + minimumLicenseRequired: gold + subActions: + - displayName: Post Message + name: postMessage + totalConnectors: 1 + description: Indicates a successful response + summary: Get available connectors + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/connectors" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/connectors + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/executions/{executionId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/executions/{executionId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve details of a single workflow execution by its ID.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-executions-executionid + parameters: + - description: Workflow execution ID + in: path + name: executionId + required: true + schema: + type: string + - description: Include execution input data. + in: query + name: includeInput + required: false + schema: + default: false + type: boolean + - description: Include execution output data. + in: query + name: includeOutput + required: false + schema: + default: false + type: boolean + responses: + '200': content: application/json: examples: - error: - summary: Error body + getExecutionResponseExample: + description: Example response returning a workflow execution with step details value: - body: update timeline error - statusCode: 405 - schema: - type: object - properties: - body: - description: The error message. - example: update timeline error - type: string - statusCode: - example: 405 - type: number - description: >- - Indicates that the user does not have the required access to create - a Timeline. 
- summary: Update a Timeline + duration: 3000 + executedBy: elastic + finishedAt: '2025-11-20T12:00:03.000Z' + id: exec-a1b2c3d4-e5f6-7890 + input: + message: hello world + isTestRun: false + output: hello world + spaceId: default + startedAt: '2025-11-20T12:00:00.000Z' + status: completed + stepExecutions: + - executionTimeMs: 1000 + finishedAt: '2025-11-20T12:00:02.000Z' + globalExecutionIndex: 0 + id: step-exec-001 + isTestRun: false + scopeStack: [] + spaceId: default + startedAt: '2025-11-20T12:00:01.000Z' + status: completed + stepExecutionIndex: 0 + stepId: hello_world_step + stepType: console + topologicalIndex: 0 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowRunId: exec-a1b2c3d4-e5f6-7890 + triggeredBy: manual + workflowDefinition: + description: This is a workflow example + enabled: true + inputs: + - default: hello world + name: message + type: string + name: Example definition + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + description: Indicates a successful response + summary: Get a workflow execution tags: - - Security Timeline API - - access:securitySolution + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}?includeInput=true&includeOutput=true" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/executions/{executionId}?includeInput=true&includeOutput=true + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + 
/api/workflows/executions/{executionId}/cancel: post: - description: Create a new Timeline or Timeline template. - operationId: CreateTimelines - requestBody: - content: - application/json: - examples: - createDefault: - summary: Create a default timeline - value: - timeline: - status: active - timelineType: default - title: Malware containment - schema: - type: object - properties: - status: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true - templateTimelineId: - description: A unique identifier for the Timeline template. - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true - type: string - templateTimelineVersion: - description: Timeline template version number. - example: 12 - nullable: true - type: number - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - timelineId: - description: A unique identifier for the Timeline. - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true - type: string - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - version: - nullable: true - type: string - required: - - timeline - description: >- - The required Timeline fields used to create a new Timeline, along with - optional fields that will be created if not provided. - required: true + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/executions/{executionId}/cancel
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Cancel a running workflow execution by its ID.

[Required authorization] Route required privileges: workflowsManagement:cancelExecution. + operationId: post-workflows-executions-executionid-cancel + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow execution ID + in: path + name: executionId + required: true + schema: + type: string + responses: + '200': + description: Indicates a successful response + summary: Cancel a workflow execution + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/executions/{executionId}/cancel" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + POST kbn://api/workflows/executions/{executionId}/cancel + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/executions/{executionId}/children: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/executions/{executionId}/children
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve child workflow executions spawned by sub-workflow steps within a parent execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-executions-executionid-children + parameters: + - description: Workflow execution ID + in: path + name: executionId + required: true + schema: + type: string responses: '200': content: application/json: examples: - created: - summary: Created timeline + getChildrenExecutionsResponseExample: + description: Example response returning child workflow executions spawned by sub-workflow steps value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Malware containment - version: WzE0LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. - '405': + - executionId: child-exec-001 + parentStepExecutionId: step-exec-003 + status: completed + stepExecutions: + - executionTimeMs: 1000 + finishedAt: '2025-11-20T12:00:07.000Z' + globalExecutionIndex: 0 + id: child-step-001 + isTestRun: false + scopeStack: [] + startedAt: '2025-11-20T12:00:06.000Z' + status: completed + stepExecutionIndex: 0 + stepId: hello_world_step + stepType: console + topologicalIndex: 0 + workflowId: workflow-e5f6a7b8-c9d0-1234-efab-456789012345 + workflowRunId: child-exec-001 + workflowId: workflow-e5f6a7b8-c9d0-1234-efab-456789012345 + workflowName: Child Workflow + description: Indicates a successful response + summary: Get child executions + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/children" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/executions/{executionId}/children + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/executions/{executionId}/logs: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/executions/{executionId}/logs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve paginated logs for a workflow execution. Optionally filter by a specific step execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-executions-executionid-logs + parameters: + - description: Workflow execution ID + in: path + name: executionId + required: true + schema: + type: string + - description: Filter logs by a specific step execution ID. + in: query + name: stepExecutionId + required: false + schema: + type: string + - description: Number of log entries per page. + in: query + name: size + required: false + schema: + default: 100 + maximum: 100 + minimum: 1 + type: number + - description: Page number. + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: number + - description: Field to sort by. + in: query + name: sortField + required: false + schema: + type: string + - description: Sort order. + in: query + name: sortOrder + required: false + schema: + enum: + - asc + - desc + type: string + responses: + '200': content: application/json: examples: - error: - summary: Error body + getExecutionLogsResponseExample: + description: Example response returning paginated execution logs value: - body: update timeline error - statusCode: 405 - schema: - type: object - properties: - body: - description: The error message - example: update timeline error - type: string - statusCode: - example: 405 - type: number - description: Indicates that there was an error in the Timeline creation. 
- summary: Create a Timeline or Timeline template + logs: + - additionalData: + executionId: exec-a1b2c3d4-e5f6-7890 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + connectorType: console + duration: 150 + id: log-001 + level: info + message: Workflow execution started + stepId: hello_world_step + stepName: Hello World + timestamp: '2025-11-20T12:00:01.000Z' + - additionalData: + executionId: exec-a1b2c3d4-e5f6-7890 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + connectorType: console + duration: 200 + id: log-002 + level: info + message: Step completed successfully + stepId: hello_world_step + stepName: Hello World + timestamp: '2025-11-20T12:00:02.000Z' + page: 1 + size: 100 + total: 2 + description: Indicates a successful response + summary: Get execution logs tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_copy: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/logs?size=100&page=1" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/executions/{executionId}/logs?size=100&page=1 + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/executions/{executionId}/resume: post: - description: | - Copies and returns a timeline or timeline template. - operationId: CopyTimeline + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/executions/{executionId}/resume
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Resume a paused workflow execution with the provided input.

[Required authorization] Route required privileges: workflowsManagement:execute. + operationId: post-workflows-executions-executionid-resume + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow execution ID + in: path + name: executionId + required: true + schema: + type: string requestBody: content: application/json: examples: - copyWithTitle: - summary: Copy with a new title + resumeExecutionRequestExample: + description: Example request to resume a paused workflow execution value: - timeline: - timelineType: default - title: Copy of investigation - timelineIdToCopy: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + input: + approved: true + comment: Approved by analyst schema: + additionalProperties: false type: object properties: - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - timelineIdToCopy: - description: >- - The `savedObjectId` of the timeline or template to - duplicate. - type: string + input: + additionalProperties: + nullable: true + description: Input data to resume the execution with. + type: object required: - - timeline - - timelineIdToCopy - description: >- - Source timeline id to copy plus timeline fields for the new saved - object. - required: true + - input responses: '200': content: application/json: examples: - copied: - summary: Newly saved timeline + resumeExecutionResponseExample: + description: Example response confirming the resume was scheduled value: - savedObjectId: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - status: active - timelineType: default - title: Copy of investigation - version: WzE1LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. 
- summary: Copies timeline or timeline template + executionId: exec-a1b2c3d4-e5f6-7890 + message: Workflow resume scheduled + success: true + description: Indicates a successful response + summary: Resume a workflow execution tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_draft: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/executions/{executionId}/resume" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "input": { + "approved": true, + "comment": "Approved by analyst" + } + }' + - lang: Console + source: | + POST kbn://api/workflows/executions/{executionId}/resume + { + "input": { + "approved": true, + "comment": "Approved by analyst" + } + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/executions/{executionId}/step/{stepExecutionId}: get: - description: >- - Get the details of the draft Timeline or Timeline template for the - current user. If the user doesn't have a draft Timeline, an empty - Timeline is returned. - operationId: GetDraftTimelines + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/executions/{executionId}/step/{stepExecutionId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve details of a single step execution within a workflow execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-executions-executionid-step-stepexecutionid parameters: - - description: >- - Which draft to load (`default` investigation timeline or `template` - timeline template). - in: query - name: timelineType + - description: Workflow execution ID. + in: path + name: executionId required: true schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + type: string + - description: Step execution ID. + in: path + name: stepExecutionId + required: true + schema: + type: string responses: '200': content: application/json: examples: - draftPayload: - summary: Draft timeline payload - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: draft - timelineType: default - title: '' - version: WzE0LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. - '403': - content: - application/json: - examples: - forbidden: - summary: Permission denied + getStepExecutionResponseExample: + description: Example response returning a single step execution value: - message: Forbidden - status_code: 403 - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: >- - If a draft Timeline was not found and we attempted to create one, it - indicates that the user does not have the required permissions to - create a draft Timeline. 
- '409': + error: null + executionTimeMs: 1000 + finishedAt: '2025-11-20T12:00:02.000Z' + globalExecutionIndex: 0 + id: step-exec-001 + input: + message: hello world + isTestRun: false + output: hello world + scopeStack: [] + spaceId: default + startedAt: '2025-11-20T12:00:01.000Z' + state: null + status: completed + stepExecutionIndex: 0 + stepId: hello_world_step + stepType: console + topologicalIndex: 0 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowRunId: exec-a1b2c3d4-e5f6-7890 + description: Indicates a successful response + summary: Get a step execution + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/step/{stepExecutionId}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/executions/{executionId}/step/{stepExecutionId} + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/export: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export one or more workflows as JSON with YAML content and metadata.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: post-workflows-export + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + exportWorkflowsRequestExample: + description: Example request to export workflows + value: + ids: + - workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + - workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + schema: + additionalProperties: false + type: object + properties: + ids: + description: Array of workflow IDs to export. + items: + description: Workflow ID to export. + maxLength: 255 + type: string + maxItems: 500 + minItems: 1 + type: array + required: + - ids + responses: + '200': content: application/json: examples: - conflict: - summary: Draft conflict + exportWorkflowsResponseExample: + description: Workflow entries with YAML content and export manifest value: - message: Conflict - status_code: 409 - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: >- - This should never happen, but if a draft Timeline was not found and - we attempted to create one, it indicates that there is already a - draft Timeline with the given `timelineId`. 
- summary: Get draft Timeline or Timeline template details + entries: + - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + yaml: |- + name: My Workflow + steps: + - type: http.request + with: + url: https://example.com + - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + yaml: |- + name: Another Workflow + steps: + - type: http.request + with: + url: https://example.com + manifest: + exportedAt: '2026-03-26T12:00:00.000Z' + exportedCount: 2 + version: '1' + description: JSON containing exported workflow YAML entries and manifest metadata + summary: Export workflows tags: - - Security Timeline API - - access:securitySolution + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/export" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"] + }' + - lang: Console + source: | + POST kbn://api/workflows/export + { + "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"] + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/mget: post: - description: > - Create a clean draft Timeline or Timeline template for the current user. + description: |- + **Spaces method and path for this operation:** - > info +
post /s/{space_id}/api/workflows/mget
- > If the user already has a draft Timeline, the existing draft Timeline - is cleared and returned. - operationId: CleanDraftTimelines + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve multiple workflows by their IDs in a single request. Optionally use the `source` parameter to return only specific fields from each workflow document.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: post-workflows-mget + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - defaultDraft: - summary: Create a default draft timeline + mgetWorkflowsRequestExample: + description: Example request to retrieve multiple workflows by their IDs value: - timelineType: default + ids: + - workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + - workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + source: + - name + - enabled schema: + additionalProperties: false type: object properties: - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + ids: + description: Array of workflow IDs to look up. + items: + description: Workflow ID. + maxLength: 255 + type: string + maxItems: 500 + minItems: 1 + type: array + source: + description: Array of source fields to include. + items: + description: Source field. + maxLength: 255 + type: string + maxItems: 10 + minItems: 1 + type: array required: - - timelineType - description: >- - The type of Timeline to create. Valid values are `default` and - `template`. - required: true + - ids responses: '200': content: application/json: examples: - draftResponse: - summary: Draft after reset or creation + mgetWorkflowsResponseExample: + description: Example response returning the requested workflows with projected fields value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: draft - templateTimelineId: null - templateTimelineVersion: null - timelineType: default - title: '' - version: WzE0LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. 
- '403': + - enabled: true + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + name: Example definition + - enabled: false + id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + name: Second workflow + description: Indicates a successful response + summary: Get workflows by IDs + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/mget" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"], + "source": ["name", "enabled"] + }' + - lang: Console + source: | + POST kbn://api/workflows/mget + { + "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"], + "source": ["name", "enabled"] + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/schema: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/schema
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve the JSON schema used to validate workflow YAML definitions. The schema includes available step types based on the configured connectors in the current space.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: get-workflows-schema + parameters: + - description: When true, returns a permissive schema that allows additional properties. When false, returns a strict schema for full validation. + in: query + name: loose + required: true + schema: + type: boolean + responses: + '200': content: application/json: examples: - forbidden: - summary: Permission denied + getSchemaResponseExample: + description: Example response returning the workflow JSON schema (truncated) value: - message: Forbidden - status_code: 403 - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: >- - Indicates that the user does not have the required permissions to - create a draft Timeline. - '409': + $schema: http://json-schema.org/draft-07/schema# + type: object + properties: + description: + type: string + enabled: + default: true + type: boolean + name: + minLength: 1 + type: string + tags: + items: + type: string + type: array + version: + const: '1' + default: '1' + description: The version of the workflow schema + type: string + required: + - name + - triggers + - steps + description: Indicates a successful response + summary: Get workflow JSON schema + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/schema?loose=false" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/schema?loose=false + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/stats: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/stats
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve summary statistics about workflows, including total, enabled, and disabled counts; execution history metrics for the last 30 days are included only when the caller has execution read privilege.

[Required authorization] Route required privileges: workflowsManagement:read OR workflowsManagement:readExecution. + operationId: get-workflows-stats + parameters: [] + responses: + '200': content: application/json: examples: - conflict: - summary: Draft conflict + getStatsResponseExample: + description: Example response with workflow counts and 30-day execution history value: - message: Conflict - status_code: 409 - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: >- - Indicates that there is already a draft Timeline with the given - `timelineId`. - summary: Create a clean draft Timeline or Timeline template + executions: + - cancelled: 1 + completed: 45 + date: '2025-11-20' + failed: 2 + timestamp: '2025-11-20T00:00:00.000Z' + - cancelled: 0 + completed: 50 + date: '2025-11-21' + failed: 0 + timestamp: '2025-11-21T00:00:00.000Z' + workflows: + disabled: 3 + enabled: 12 + description: Indicates a successful response + summary: Get workflow statistics tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_export: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/stats" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/stats + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/step/test: post: - description: Export Timelines as an NDJSON file. - operationId: ExportTimelines + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/step/test
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Execute a single step from a workflow definition in test mode.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read. + operationId: post-workflows-step-test parameters: - - description: The name of the file to export - in: query - name: file_name + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string requestBody: content: application/json: examples: - exportIds: - summary: Export by timeline ids + testStepRequestExample: + description: Example request to test a single workflow step value: - ids: - - 15c1929b-0af7-42bd-85a8-56e234cc7c4e + contextOverride: + inputs: + message: override message + stepId: hello_world_step + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowYaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" schema: + additionalProperties: false type: object properties: - ids: - items: - type: string - maxItems: 1000 - minItems: 1 - nullable: true - type: array - description: The IDs of the Timelines to export. - required: true + contextOverride: + additionalProperties: + nullable: true + description: Context overrides for the step execution. + type: object + executionContext: + additionalProperties: + nullable: true + description: Execution context for the step execution. + type: object + stepId: + description: ID of the step to test. + type: string + workflowId: + description: ID of the workflow containing the step. + type: string + workflowYaml: + description: YAML definition of the workflow containing the step. 
+ type: string + required: + - stepId + - contextOverride + - workflowYaml responses: '200': content: - application/ndjson: - examples: - ndjsonLine: - summary: Single NDJSON line - value: >- - {"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd","title":"Investigation","timelineType":"default"} - schema: - description: NDJSON of the exported Timelines - type: string - description: Indicates a successful call. - '400': - content: - application/ndjson: + application/json: examples: - badRequest: - summary: Export error + testStepResponseExample: + description: Example response returning the step test execution ID value: - body: Export limit exceeded - statusCode: 400 - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: Bad Request response. - summary: Export Timelines + workflowExecutionId: step-test-exec-a1b2c3d4 + description: Indicates a successful response + summary: Test a workflow step tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_favorite: - patch: - description: Favorite a Timeline or Timeline template for the current user. 
- operationId: PersistFavoriteRoute + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/step/test" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "stepId": "hello_world_step", + "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "workflowYaml": "name: Example definition\nenabled: true\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"", + "contextOverride": { "inputs": { "message": "override message" } } + }' + - lang: Console + source: | + POST kbn://api/workflows/step/test + { + "stepId": "hello_world_step", + "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "workflowYaml": "name: Example definition\nenabled: true\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"", + "contextOverride": { "inputs": { "message": "override message" } } + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/test: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/test
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Execute a workflow in test mode without requiring it to be saved or enabled. Provide either a workflow ID to test a saved workflow, a YAML definition to test an unsaved draft, or both to test a modified version of an existing workflow.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read. + operationId: post-workflows-test + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - favoriteDefault: - summary: Favorite a default timeline + testWorkflowByIdRequestExample: + description: Example request to test a saved workflow by its ID value: - templateTimelineId: null - templateTimelineVersion: null - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - timelineType: default + inputs: + message: test message + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + testWorkflowByYamlRequestExample: + description: Example request to test an unsaved workflow YAML draft + value: + inputs: + message: test message + workflowYaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" schema: + additionalProperties: false type: object properties: - templateTimelineId: - nullable: true + inputs: + additionalProperties: + nullable: true + description: Key-value inputs for the test execution. + type: object + workflowId: + description: ID of an existing workflow to test. type: string - templateTimelineVersion: - nullable: true - type: number - timelineId: - nullable: true + workflowYaml: + description: YAML definition to test. type: string - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true required: - - timelineId - - templateTimelineId - - templateTimelineVersion - - timelineType - description: The required fields used to favorite a (template) Timeline. 
- required: true + - inputs responses: '200': content: application/json: examples: - favoriteResponse: - summary: Favorite metadata updated - value: - favorite: - - favoriteDate: 1741337636741 - userName: elastic - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - timelineType: default - version: WzE2LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_FavoriteTimelineResponse - description: Indicates a successful call. - '403': - content: - application/json: - examples: - forbidden: - summary: Forbidden + testWorkflowResponseExample: + description: Example response returning the test execution ID value: - body: Forbidden - statusCode: 403 - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: >- - Indicates the user does not have the required permissions to persist - the favorite status. - summary: Favorite a Timeline or Timeline template + workflowExecutionId: test-exec-a1b2c3d4-e5f6 + description: Indicates a successful response + summary: Test a workflow tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_import: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/test" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "inputs": { "message": "test message" } + }' + - lang: Console + source: | + POST kbn://api/workflows/test + { + "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "inputs": { "message": "test message" } + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/workflow: post: - description: Import Timelines. - operationId: ImportTimelines + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/workflow
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new workflow from a YAML definition. The YAML is validated and parsed before the workflow is saved. An optional custom ID can be provided.

[Required authorization] Route required privileges: workflowsManagement:create. + operationId: post-workflows-workflow + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - multipartPlaceholder: - summary: Request shape (file is a stream of NDJSON lines at runtime) + createWorkflowRequestExample: + description: Example request for creating a workflow from a YAML definition value: - file: >- - {"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd"}\n - isImmutable: 'false' + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + createWorkflowWithIdRequestExample: + description: Example request for creating a workflow with a custom ID + value: + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" schema: + additionalProperties: false type: object properties: - file: {} - isImmutable: - description: Whether the Timeline should be immutable - enum: - - 'true' - - 'false' + id: + maxLength: 255 + minLength: 3 + pattern: ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ + type: string + yaml: + maxLength: 1048576 type: string required: - - file - description: The Timelines to import as a readable stream. 
- required: true + - yaml responses: '200': content: application/json: examples: - importSummary: - summary: Import summary - value: - errors: [] - success: true - success_count: 5 - timelines_installed: 3 - timelines_updated: 2 - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_ImportTimelineResult - description: Indicates a successful call. - '400': - content: - application/json: - examples: - badRequest: - summary: Invalid import - value: - body: Invalid file extension - statusCode: 400 - schema: - type: object - properties: - body: - description: The error message - example: Invalid file extension - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - '404': - content: - application/json: - examples: - notFound: - summary: Saved objects client missing + createWorkflowResponseExample: + description: Example response returning the created workflow value: - body: Unable to find saved object client - statusCode: 404 - schema: - type: object - properties: - body: - description: The error message - example: Unable to find saved object client - type: string - statusCode: - example: 404 - type: number - description: Not found response. 
- '409': + createdAt: '2025-11-20T10:30:00.000Z' + createdBy: elastic + definition: + description: This is a workflow example + enabled: true + inputs: + - default: hello world + name: message + type: string + name: Example definition + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + description: This is a workflow example + enabled: true + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + lastUpdatedAt: '2025-11-20T10:30:00.000Z' + lastUpdatedBy: elastic + name: Example definition + valid: true + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + description: Indicates a successful response + summary: Create a workflow + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/workflow" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" + }' + - lang: Console + source: | + POST kbn://api/workflows/workflow + { + "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/workflow/{id}: + delete: + description: |- + 
**Spaces method and path for this operation:** + +
delete /s/{space_id}/api/workflows/workflow/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a single workflow by its ID.

[Required authorization] Route required privileges: workflowsManagement:delete. + operationId: delete-workflows-workflow-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow ID + in: path + name: id + required: true + schema: + type: string + - description: When true, permanently deletes the workflow (hard delete) instead of soft-deleting it. The workflow ID becomes available for reuse. + in: query + name: force + required: false + schema: + default: false + type: boolean + responses: + '200': + description: Indicates a successful response + summary: Delete a workflow + tags: + - workflows + x-codeSamples: + - label: Soft delete (default) + lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/workflows/workflow/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - label: Hard delete (permanent) + lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/workflows/workflow/{id}?force=true" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/workflows/workflow/{id} + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/workflow/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a single workflow by its ID.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: get-workflows-workflow-id + parameters: + - description: Workflow ID + in: path + name: id + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - conflict: - summary: Import conflict + getWorkflowResponseExample: + description: Example response returning a single workflow value: - body: Could not import timelines - statusCode: 409 - schema: - type: object - properties: - body: - description: The error message - example: Could not import timelines - type: string - statusCode: - example: 409 - type: number - description: Indicates the import of Timelines was unsuccessful. - summary: Import Timelines + createdAt: '2025-11-20T10:30:00.000Z' + createdBy: elastic + definition: + description: This is a workflow example + enabled: true + inputs: + - default: hello world + name: message + type: string + name: Example definition + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + description: This is a workflow example + enabled: true + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + lastUpdatedAt: '2025-11-21T14:00:00.000Z' + lastUpdatedBy: elastic + name: Example definition + valid: true + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + description: Indicates a successful response + summary: Get a workflow tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_prepackaged: - post: - description: Install or update prepackaged Timelines. 
- operationId: InstallPrepackedTimelines + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/workflow/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/workflow/{id} + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/workflows/workflow/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Partially update an existing workflow. You can update individual fields such as name, description, enabled state, tags, or the YAML definition without providing all fields.

[Required authorization] Route required privileges: workflowsManagement:update. + operationId: put-workflows-workflow-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow ID + in: path + name: id + required: true + schema: + type: string requestBody: content: application/json: examples: - emptyArrays: - summary: Installer payload shape + updateWorkflowEnableExample: + description: Example request to enable a workflow and update its tags value: - prepackagedTimelines: [] - timelinesToInstall: [] - timelinesToUpdate: [] + enabled: true + tags: + - production + updateWorkflowFullExample: + description: Example request to update multiple workflow fields + value: + description: Updated workflow description + enabled: true + name: Updated example + tags: + - example + - updated + yaml: | + name: Updated example + enabled: true + description: Updated workflow description + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" schema: + additionalProperties: false type: object properties: - prepackagedTimelines: - items: - $ref: >- - #/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject - nullable: true - type: array - timelinesToInstall: - items: - $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' - nullable: true - type: array - timelinesToUpdate: + description: + type: string + enabled: + type: boolean + name: + type: string + tags: items: - $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' - nullable: true + type: string type: array - required: - - timelinesToInstall - - timelinesToUpdate - - prepackagedTimelines - description: The Timelines to install or update. 
- required: true + yaml: + type: string responses: '200': content: application/json: examples: - installResult: - summary: Install result counts + updateWorkflowResponseExample: + description: Example response returning the updated workflow value: - errors: [] - success: true - success_count: 10 - timelines_installed: 8 - timelines_updated: 2 - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_ImportTimelineResult - description: Indicates a successful call. - '500': + enabled: false + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + lastUpdatedAt: '2026-03-23T13:38:59.568Z' + lastUpdatedBy: elastic + valid: true + validationErrors: [] + description: Indicates a successful response + summary: Update a workflow + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "${KIBANA_URL}/api/workflows/workflow/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "enabled": true, + "tags": ["production"] + }' + - lang: Console + source: | + PUT kbn://api/workflows/workflow/{id} + { + "enabled": true, + "tags": ["production"] + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/workflow/{id}/clone: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/workflow/{id}/clone
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a copy of an existing workflow.

[Required authorization] Route required privileges: workflowsManagement:create AND workflowsManagement:read. + operationId: post-workflows-workflow-id-clone + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow ID + in: path + name: id + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - serverError: - summary: Server error + cloneWorkflowResponseExample: + description: Example response returning the cloned workflow with a new ID value: - body: Internal error - statusCode: 500 - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: >- - Indicates the installation of prepackaged Timelines was - unsuccessful. - summary: Install prepackaged Timelines + createdAt: '2025-11-22T11:00:00.000Z' + createdBy: elastic + definition: + description: This is a workflow example + enabled: false + inputs: + - default: hello world + name: message + type: string + name: Example definition (copy) + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + description: This is a workflow example + enabled: false + id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + lastUpdatedAt: '2025-11-22T11:00:00.000Z' + lastUpdatedBy: elastic + name: Example definition (copy) + valid: true + yaml: | + name: Example definition (copy) + enabled: false + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + description: Indicates a successful response + summary: Clone a workflow tags: - - Security Timeline API - - access:securitySolution - /api/timeline/resolve: - get: - description: >- - Resolve a Timeline or Timeline 
template, surfacing outcomes such as - `exactMatch`, `aliasMatch`, or `conflict` when object IDs have been - remapped during upgrades or imports. Provide **either** `id` for default - Timelines or `template_timeline_id` for templates. - operationId: ResolveTimeline + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/workflow/{id}/clone" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + POST kbn://api/workflows/workflow/{id}/clone + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/workflow/{id}/run: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/workflow/{id}/run
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Execute a workflow by its ID with the provided inputs. The workflow must be enabled and have a valid definition. Returns an execution ID that can be used to monitor progress.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read. + operationId: post-workflows-workflow-id-run parameters: - - description: The ID of the template timeline to resolve - in: query - name: template_timeline_id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: The ID of the timeline to resolve - in: query + - description: Workflow ID + in: path name: id + required: true schema: type: string + requestBody: + content: + application/json: + examples: + runWorkflowRequestExample: + description: Example request to execute a workflow with inputs + value: + inputs: + message: hello from the API + schema: + additionalProperties: false + type: object + properties: + inputs: + additionalProperties: + nullable: true + description: Key-value inputs for the workflow execution. + type: object + metadata: + additionalProperties: + nullable: true + description: Optional metadata for the execution. + type: object + required: + - inputs responses: '200': content: application/json: examples: - exactMatch: - description: Timeline resolved without alias or conflict - summary: Exact match outcome + runWorkflowResponseExample: + description: Example response returning the execution ID value: - outcome: exactMatch - timeline: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - timelineType: default - title: Investigation - schema: - $ref: '#/components/schemas/Security_Timeline_API_ResolvedTimeline' - description: Indicates a successful call. - '400': - content: - application/json: - examples: - badRequest: - summary: Bad request - value: {} - schema: - additionalProperties: true - type: object - description: Bad Request response. 
- '404': - content: - application/json: - examples: - notFound: - summary: Not found - value: {} - schema: - additionalProperties: true - type: object - description: The (template) Timeline was not found - summary: Resolve a Timeline or Timeline template + workflowExecutionId: exec-a1b2c3d4-e5f6-7890 + description: Indicates a successful response + summary: Run a workflow tags: - - Security Timeline API - - access:securitySolution - /api/timelines: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/workflow/{id}/run" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "inputs": { + "message": "hello from the API" + } + }' + - lang: Console + source: | + POST kbn://api/workflows/workflow/{id}/run + { + "inputs": { + "message": "hello from the API" + } + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/workflow/{workflowId}/executions: get: - description: Get a list of all saved Timelines or Timeline templates. - operationId: GetTimelines + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/workflow/{workflowId}/executions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a paginated list of executions for a specific workflow.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-workflow-workflowid-executions parameters: - - description: >- - If `true`, only Timelines that the current user has marked as - favorite are returned. - in: query - name: only_user_favorite + - description: Workflow ID + in: path + name: workflowId + required: true schema: - enum: - - 'true' - - 'false' - nullable: true type: string - - description: >- - Restrict results to `default` investigation timelines or `template` - timeline templates. - in: query - name: timeline_type - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - - description: >- - Field used to sort the list (`title`, `description`, `updated`, or - `created`). + - description: Filter by execution status. in: query - name: sort_field + name: statuses + required: false schema: - $ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline' - - description: Whether to sort the results `ascending` or `descending` + items: + enum: + - pending + - waiting + - waiting_for_input + - running + - completed + - failed + - cancelled + - timed_out + - skipped + type: string + maxItems: 9 + type: array + - description: Filter by execution type. in: query - name: sort_order + name: executionTypes + required: false schema: - enum: - - asc - - desc - type: string - - description: How many results should returned at once + items: + enum: + - test + - production + type: string + maxItems: 2 + type: array + - description: Filter by the user who triggered the execution. in: query - name: page_size + name: executedBy + required: false schema: - nullable: true - type: string - - description: How many pages should be skipped + items: + type: string + maxItems: 100 + type: array + - description: Whether to exclude step-level execution data. 
in: query - name: page_index + name: omitStepRuns + required: false schema: - nullable: true - type: string - - description: Allows to search for timelines by their title + type: boolean + - description: Page number. in: query - name: search + name: page + required: false schema: - nullable: true - type: string - - description: >- - Filter by timeline lifecycle state (`active`, `draft`, or - `immutable`). + minimum: 1 + type: number + - description: Number of results per page. in: query - name: status + name: size + required: false schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true + maximum: 100 + minimum: 1 + type: number responses: '200': content: application/json: examples: - timelineList: - summary: Example list response - value: - customTemplateTimelineCount: 0 - defaultTimelineCount: 1 - elasticTemplateTimelineCount: 0 - favoriteCount: 0 - templateTimelineCount: 0 - timeline: - - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Phishing investigation - updated: 1741344876825 - version: WzE0LDFd - totalCount: 1 - schema: - type: object - properties: - customTemplateTimelineCount: - description: The amount of custom Timeline templates in the results - example: 2 - type: number - defaultTimelineCount: - description: The amount of `default` type Timelines in the results - example: 90 - type: number - elasticTemplateTimelineCount: - description: The amount of Elastic's Timeline templates in the results - example: 8 - type: number - favoriteCount: - description: The amount of favorited Timelines - example: 5 - type: number - templateTimelineCount: - description: The amount of Timeline templates in the results - example: 10 - type: number - timeline: - items: - $ref: >- - #/components/schemas/Security_Timeline_API_TimelineResponse - type: array - totalCount: - description: The total amount of results - example: 100 - type: number - required: - - timeline - - totalCount - 
description: Indicates a successful call. - '400': - content: - application/json: - examples: - badRequest: - summary: Error response body + getWorkflowExecutionsResponseExample: + description: Example response returning a paginated list of executions for a workflow value: - body: get timeline error - statusCode: 400 - schema: - type: object - properties: - body: - description: The error message. - example: get timeline error - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - summary: Get Timelines or Timeline templates + page: 1 + results: + - duration: 3000 + error: null + executedBy: elastic + finishedAt: '2025-11-20T12:00:03.000Z' + id: exec-001 + isTestRun: false + spaceId: default + startedAt: '2025-11-20T12:00:00.000Z' + status: completed + triggeredBy: manual + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + - duration: 2000 + error: + message: Step 'hello_world_step' failed + executedBy: elastic + finishedAt: '2025-11-20T13:00:02.000Z' + id: exec-002 + isTestRun: false + spaceId: default + startedAt: '2025-11-20T13:00:00.000Z' + status: failed + triggeredBy: manual + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + size: 20 + total: 2 + description: Indicates a successful response + summary: Get workflow executions tags: - - Security Timeline API - - access:securitySolution - /api/upgrade_assistant/status: - get: - description: Check the status of your cluster. 
- operationId: get-upgrade-status + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions?page=1&size=20" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/workflow/{workflowId}/executions?page=1&size=20 + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/workflow/{workflowId}/executions/cancel: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/workflow/{workflowId}/executions/cancel
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Request cancellation for all non-terminal executions of the given workflow in the current space.

[Required authorization] Route required privileges: workflowsManagement:cancelExecution. + operationId: post-workflows-workflow-workflowid-executions-cancel + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow ID + in: path + name: workflowId + required: true + schema: + type: string responses: '200': - content: - application/json: - examples: - getUpgradeStatusResponseExample1: - value: |- - { - "readyForUpgrade": false, - "cluster": [ - { - "message": "Cluster deprecated issue", - "details":"You have 2 system indices that must be migrated and 5 Elasticsearch deprecation issues and 0 Kibana deprecation issues that must be resolved before upgrading." - } - ] - } - description: Indicates a successful call. - summary: Get the upgrade readiness status + description: Indicates a successful response + summary: Cancel all active workflow executions tags: - - upgrade - x-state: Technical Preview - /api/uptime/settings: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions/cancel" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + POST kbn://api/workflows/workflow/{workflowId}/executions/cancel + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/workflow/{workflowId}/executions/steps: get: - description: > - You must have `read` privileges for the uptime feature in the - Observability section of the Kibana feature privileges. 
- operationId: get-uptime-settings - responses: - '200': - content: - application/json: - examples: - getUptimeSettingsResponseExample1: - value: |- - { - "heartbeatIndices": "heartbeat-8*", - "certExpirationThreshold": 30, - "certAgeThreshold": 730, - "defaultConnectors": [ - "08990f40-09c5-11ee-97ae-912b222b13d4", - "db25f830-2318-11ee-9391-6b0c030836d6" - ], - "defaultEmail": { - "to": [], - "cc": [], - "bcc": [] - } - } - schema: - type: object - description: Indicates a successful call - summary: Get uptime settings - tags: - - uptime - put: - description: > - Update uptime setting attributes like `heartbeatIndices`, - `certExpirationThreshold`, `certAgeThreshold`, `defaultConnectors`, or - `defaultEmail`. You must have `all` privileges for the uptime feature in - the Observability section of the Kibana feature privileges. A partial - update is supported, provided settings keys will be merged with existing - settings. - operationId: put-uptime-settings - requestBody: - content: - application/json: - examples: - putUptimeSettingsRequestExample1: - description: >- - Run `PUT api/uptime/settings` to update multiple Uptime - settings. - summary: Update multiple settings - value: |- - { - "heartbeatIndices": "heartbeat-8*", - "certExpirationThreshold": 30, - "certAgeThreshold": 730, - "defaultConnectors": [ - "08990f40-09c5-11ee-97ae-912b222b13d4", - "db25f830-2318-11ee-9391-6b0c030836d6" - ], - "defaultEmail": { - "to": [], - "cc": [], - "bcc": [] - } - } - putUptimeSettingsRequestExample2: - description: >- - Run `PUT api/uptime/settings` to update a single Uptime - setting. - summary: Update a setting - value: |- - { - "heartbeatIndices": "heartbeat-8*", - } - schema: - type: object - properties: - certAgeThreshold: - default: 730 - description: >- - The number of days after a certificate is created to trigger - an alert. 
- type: number - certExpirationThreshold: - default: 30 - description: >- - The number of days before a certificate expires to trigger - an alert. - type: number - defaultConnectors: - default: [] - description: >- - A list of connector IDs to be used as default connectors for - new alerts. - type: array - defaultEmail: - description: | - The default email configuration for new alerts. - type: object - properties: - bcc: - default: [] - items: - type: string - type: array - cc: - default: [] - items: - type: string - type: array - to: - default: [] - items: - type: string - type: array - heartbeatIndices: - default: heartbeat-* - description: > - An index pattern string to be used within the Uptime app and - alerts to query Heartbeat data. - type: string + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/workflow/{workflowId}/executions/steps
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a paginated list of step-level execution records for a specific workflow. Optionally filter by step ID and include input or output data.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-workflow-workflowid-executions-steps + parameters: + - description: Workflow ID + in: path + name: workflowId + required: true + schema: + type: string + - description: Filter by step ID. + in: query + name: stepId + required: false + schema: + type: string + - description: Include step input data. + in: query + name: includeInput + required: false + schema: + type: boolean + - description: Include step output data. + in: query + name: includeOutput + required: false + schema: + type: boolean + - description: Page number for pagination. + in: query + name: page + required: false + schema: + minimum: 1 + type: number + - description: Number of results per page. + in: query + name: size + required: false + schema: + maximum: 100 + minimum: 1 + type: number responses: '200': content: application/json: examples: - putUptimeSettingsResponseExample1: - description: A successful response from `PUT api/uptime/settings`. 
- value: |- - { - "heartbeatIndices": "heartbeat-8*", - "certExpirationThreshold": 30, - "certAgeThreshold": 730, - "defaultConnectors": [ - "08990f40-09c5-11ee-97ae-912b222b13d4", - "db25f830-2318-11ee-9391-6b0c030836d6" - ], - "defaultEmail": { - "to": [], - "cc": [], - "bcc": [] - } - } - schema: - type: object - description: Indicates a successful call - summary: Update uptime settings + getWorkflowStepExecutionsResponseExample: + description: Example response returning step execution records for a workflow + value: + results: + - executionTimeMs: 1000 + finishedAt: '2025-11-20T12:00:02.000Z' + globalExecutionIndex: 0 + id: step-exec-001 + input: + message: hello world + isTestRun: false + scopeStack: [] + spaceId: default + startedAt: '2025-11-20T12:00:01.000Z' + status: completed + stepExecutionIndex: 0 + stepId: hello_world_step + stepType: console + topologicalIndex: 0 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowRunId: exec-001 + total: 1 + description: Indicates a successful response + summary: Get workflow step executions tags: - - uptime + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions/steps?includeInput=true" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/workflow/{workflowId}/executions/steps?includeInput=true + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos: get: - description: > - You must have the `read` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: findSlosOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' 
@@ -27489,18 +85396,14 @@ paths: name: kqlQuery schema: type: string - - description: >- - The page size to use for cursor-based pagination, must be greater or - equal than 1 + - description: The page size to use for cursor-based pagination, must be greater or equal than 1 example: 1 in: query name: size schema: default: 1 type: integer - - description: >- - The cursor to use for fetching the results from, when using a - cursor-base pagination. + - description: The cursor to use for fetching the results from, when using a cursor-base pagination. in: query name: searchAfter schema: @@ -27544,9 +85447,7 @@ paths: - asc - desc type: string - - description: >- - Hide stale SLOs from the list as defined by stale SLO threshold in - SLO settings + - description: Hide stale SLOs from the list as defined by stale SLO threshold in SLO settings in: query name: hideStale schema: @@ -27570,9 +85471,7 @@ paths: id: 8853df00-ae2e-11ed-90af-09bb6422b258 indicator: params: - filter: >- - field.environment : "production" and service.name - : "my-service" + filter: 'field.environment : "production" and service.name : "my-service"' good: 'request.status_code : "2xx"' index: logs-* timestampField: '@timestamp' @@ -27627,9 +85526,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -27642,9 +85539,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_read] is unauthorized for - user + message: 'security_exception: action [slo_read] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' 
@@ -27665,10 +85560,12 @@ paths: summary: Get a paginated list of SLOs tags: - slo + x-metaTags: + - content: Kibana + name: product_name post: - description: > - You must have `all` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: createSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -27681,14 +85578,10 @@ paths: summary: Create an SLO with a KQL indicator value: budgetingMethod: occurrences - description: >- - Availability of my web service measured by successful HTTP - responses + description: Availability of my web service measured by successful HTTP responses indicator: params: - filter: >- - field.environment : "production" and service.name : - "my-service" + filter: 'field.environment : "production" and service.name : "my-service"' good: 'request.status_code : "2xx"' index: logs-* timestampField: '@timestamp' @@ -27742,9 +85635,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -27757,9 +85648,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' 
@@ -27780,13 +85669,13 @@ paths: summary: Create an SLO tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos/_bulk_delete: post: - description: > - Bulk delete SLO definitions and their associated summary and rollup - data. This endpoint initiates a bulk deletion operation for SLOs, which - may take some time to complete. The status of the operation can be - checked using the `GET /api/slo/_bulk_delete/{taskId}` endpoint. + description: | + Bulk delete SLO definitions and their associated summary and rollup data. This endpoint initiates a bulk deletion operation for SLOs, which may take some time to complete. The status of the operation can be checked using the `GET /api/slo/_bulk_delete/{taskId}` endpoint. operationId: bulkDeleteOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -27837,9 +85726,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' 
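Review bot: The rewritten `_bulk_delete` description tells the caller to poll `GET /api/slo/_bulk_delete/{taskId}`, but the status operation documented on this page lives at `/s/{spaceId}/api/observability/slos/_bulk_delete/{taskId}`; the two paths do not match, so the sentence should read `The status of the operation can be checked using the GET /s/{spaceId}/api/observability/slos/_bulk_delete/{taskId} endpoint.` (or whatever path the status route actually registers). The same description states no privilege requirement, while the neighbouring create and delete operations say which **SLOs** feature privilege is needed; since this operation deletes SLO definitions together with their summary and rollup data, I would add the same `all`-privilege sentence, assuming the route enforces the level the sibling 403 example (`slo_write`) suggests. This is the generated `oas_docs/output` bundle, so both edits belong in the upstream SLO schema it is bundled from.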
@@ -27852,24 +85739,21 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' description: Forbidden response - summary: >- - Bulk delete SLO definitions and their associated summary and rollup - data. + summary: Bulk delete SLO definitions and their associated summary and rollup data. tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos/_bulk_delete/{taskId}: get: - description: > - Retrieve the status of the bulk deletion operation for SLOs. This - endpoint returns the status of the bulk deletion operation, including - whether it is completed and the results of the operation. + description: | + Retrieve the status of the bulk deletion operation for SLOs. This endpoint returns the status of the bulk deletion operation, including whether it is completed and the results of the operation. operationId: bulkDeleteStatusOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -27929,9 +85813,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -27944,9 +85826,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' 
@@ -27954,12 +85834,13 @@ paths: summary: Retrieve the status of the bulk deletion tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos/_bulk_purge_rollup: post: - description: > - The deletion occurs for the specified list of `sloId`. You must have - `all` privileges for the **SLOs** feature in the **Observability** - section of the Kibana feature privileges. + description: | + The deletion occurs for the specified list of `sloId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: deleteRollupDataOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -28021,9 +85902,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -28036,9 +85915,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' 
@@ -28046,12 +85923,13 @@ paths: summary: Batch delete rollup and summary data tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos/_delete_instances: post: - description: > - The deletion occurs for the specified list of `sloId` and `instanceId`. - You must have `all` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + The deletion occurs for the specified list of `sloId` and `instanceId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: deleteSloInstancesOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -28095,9 +85973,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -28110,9 +85986,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' @@ -28120,11 +85994,13 @@ paths: summary: Batch delete rollup and summary data tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos/{sloId}: delete: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: deleteSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' 
@@ -28154,9 +86030,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -28169,9 +86043,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' @@ -28192,10 +86064,12 @@ paths: summary: Delete an SLO tags: - slo + x-metaTags: + - content: Kibana + name: product_name get: - description: > - You must have the `read` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: getSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -28223,9 +86097,7 @@ paths: id: 8853df00-ae2e-11ed-90af-09bb6422b258 indicator: params: - filter: >- - field.environment : "production" and service.name : - "my-service" + filter: 'field.environment : "production" and service.name : "my-service"' good: 'request.status_code : "2xx"' index: logs-* timestampField: '@timestamp' @@ -28279,9 +86151,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' 
@@ -28294,9 +86164,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_read] is unauthorized for - user + message: 'security_exception: action [slo_read] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' @@ -28317,10 +86185,12 @@ paths: summary: Get an SLO tags: - slo + x-metaTags: + - content: Kibana + name: product_name put: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: updateSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -28361,9 +86231,7 @@ paths: id: 8853df00-ae2e-11ed-90af-09bb6422b258 indicator: params: - filter: >- - field.environment : "production" and service.name : - "my-service" + filter: 'field.environment : "production" and service.name : "my-service"' good: 'request.status_code : "2xx"' index: logs-* timestampField: '@timestamp' @@ -28408,9 +86276,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -28423,9 +86289,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' 
@@ -28446,11 +86310,13 @@ paths: summary: Update an SLO tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos/{sloId}/_reset: post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: resetSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -28472,9 +86338,7 @@ paths: id: 8853df00-ae2e-11ed-90af-09bb6422b258 indicator: params: - filter: >- - field.environment : "production" and service.name : - "my-service" + filter: 'field.environment : "production" and service.name : "my-service"' good: 'request.status_code : "2xx"' index: logs-* timestampField: '@timestamp' @@ -28519,9 +86383,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -28534,9 +86396,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' 
@@ -28557,11 +86417,13 @@ paths: summary: Reset an SLO tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos/{sloId}/disable: post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: disableSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -28591,9 +86453,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -28606,9 +86466,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' @@ -28629,11 +86487,13 @@ paths: summary: Disable an SLO tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos/{sloId}/enable: post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: enableSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' 
@@ -28663,9 +86523,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -28678,9 +86536,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' @@ -28701,18 +86557,18 @@ paths: summary: Enable an SLO tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/internal/observability/slos/_definitions: get: - description: > - You must have the `read` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: getDefinitionsOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - - description: >- - Indicates if the API returns only outdated SLO or all SLO - definitions + - description: Indicates if the API returns only outdated SLO or all SLO definitions in: query name: includeOutdatedOnly schema: 
@@ -28776,23 +86632,22 @@ paths: summary: Get the SLO definitions tags: - slo + x-metaTags: + - content: Kibana + name: product_name components: examples: Alerting_401_health_response: summary: Unauthorized response for the get alerting health API. value: error: Unauthorized - message: >- - [security_exception] missing authentication credentials for REST - request + message: '[security_exception] missing authentication credentials for REST request' statusCode: 401 Alerting_401_rule_types_response: summary: Unauthorized response for the get rule types API. value: error: Unauthorized - message: >- - [security_exception] missing authentication credentials for REST - request + message: '[security_exception] missing authentication credentials for REST request' statusCode: 401 Alerting_get_health_response: summary: Retrieve information about the health of the alerting framework. @@ -29031,9 +86886,7 @@ components: name: Recovered rule_task_timeout: 5m APM_UI_agent_configuration_environments_200_response1: - description: >- - An example of a successful response from `GET - /api/apm/settings/agent-configuration/environments`. + description: An example of a successful response from `GET /api/apm/settings/agent-configuration/environments`. value: environments: - alreadyConfigured: true 
@@ -29043,23 +86896,17 @@ components: - alreadyConfigured: false name: ALL_OPTION_VALUE APM_UI_agent_configuration_intake_object_delete_200_response1: - description: >- - An example of a successful response from `DELETE - /api/apm/settings/agent-configuration`. + description: An example of a successful response from `DELETE /api/apm/settings/agent-configuration`. value: result: deleted APM_UI_agent_configuration_intake_object_delete_request1: - description: >- - Run `DELETE /api/apm/settings/agent-configuration` to delete a - configuration. + description: Run `DELETE /api/apm/settings/agent-configuration` to delete a configuration. value: service: environment: production name: frontend APM_UI_agent_configuration_intake_object_get_200_response1: - description: >- - An example of a successful response from `GET - /api/apm/settings/agent-configuration`. + description: An example of a successful response from `GET /api/apm/settings/agent-configuration`. value: - '@timestamp': 1581934104843 agent_name: go @@ -29091,15 +86938,10 @@ components: settings: transaction_sample_rate: '1' APM_UI_agent_configuration_intake_object_put_200_response1: - description: >- - An example of a successful response from `PUT - /api/apm/settings/agent-configuration`. The response body is - intentionally empty. + description: An example of a successful response from `PUT /api/apm/settings/agent-configuration`. The response body is intentionally empty. value: {} APM_UI_agent_configuration_intake_object_put_request1: - description: >- - Run `PUT /api/apm/settings/agent-configuration` to create or update - configuration details. + description: Run `PUT /api/apm/settings/agent-configuration` to create or update configuration details. value: agent_name: nodejs service: 
@@ -29110,9 +86952,7 @@ components: transaction_max_spans: '500' transaction_sample_rate: '0.4' APM_UI_agent_configuration_intake_object_search_200_response1: - description: >- - An example of a successful response from `POST - /api/apm/settings/agent-configuration/search`. + description: An example of a successful response from `POST /api/apm/settings/agent-configuration/search`. value: _id: CIaqXXABmQCdPphWj8EJ _index: .apm-agent-configuration @@ -29127,18 +86967,14 @@ components: settings: transaction_sample_rate: '1' APM_UI_agent_configuration_intake_object_search_request1: - description: >- - Run `POST /api/apm/settings/agent-configuration/search` to search - configuration details. + description: Run `POST /api/apm/settings/agent-configuration/search` to search configuration details. value: etag: 1e58c178efeebae15c25c539da740d21dee422fc service: environment: production name: frontend APM_UI_agent_configuration_intake_object_view_200_response1: - description: >- - An example of a successful response from `GET - /api/apm/settings/agent-configuration/view`. + description: An example of a successful response from `GET /api/apm/settings/agent-configuration/view`. value: '@timestamp': 1582031336265 agent_name: nodejs @@ -29153,9 +86989,7 @@ components: transaction_max_spans: '500' transaction_sample_rate: '0.4' APM_UI_agent_keys_object_post_200_response1: - description: >- - An example of a successful response from `POST /api/apm/agent_keys`, - which creates an APM agent API key. + description: An example of a successful response from `POST /api/apm/agent_keys`, which creates an APM agent API key. value: agentKey: api_key: PjGloCGOTzaZr8ilUPvkjA 
@@ -29163,19 +86997,14 @@ components: id: 3DCLmn0B3ZMhLUa7WBG9 name: apm-key APM_UI_agent_keys_object_post_request1: - description: >- - Run `POST /api/apm/agent_keys` to create an APM agent API key with the - specified privileges. + description: Run `POST /api/apm/agent_keys` to create an APM agent API key with the specified privileges. value: name: apm-key privileges: - event:write - config_agent:read APM_UI_annotation_object_post_200_response1: - description: >- - An example of a successful response from `POST - /api/apm/services/opbeans-java/annotation`, which creates an annotation - for a service named `opbeans-java`. + description: An example of a successful response from `POST /api/apm/services/opbeans-java/annotation`, which creates an annotation for a service named `opbeans-java`. value: _id: Lc9I93EBh6DbmkeV7nFX _index: observability-annotations @@ -29198,9 +87027,7 @@ components: _version: 1 found: true APM_UI_annotation_object_post_request1: - description: >- - Run `POST /api/apm/services/{serviceName}/annotation` to create a - deployment annotation for a service. + description: Run `POST /api/apm/services/{serviceName}/annotation` to create a deployment annotation for a service. value: '@timestamp': '2024-01-15T12:00:00.000Z' message: Deployment 1.2.0 
@@ -29211,15 +87038,10 @@ components: - apm - deployment APM_UI_fleet_apm_server_schema_200_response1: - description: >- - An example of a successful response from `POST - /api/apm/fleet/apm_server_schema`. The response body is intentionally - empty. + description: An example of a successful response from `POST /api/apm/fleet/apm_server_schema`. The response body is intentionally empty. value: {} APM_UI_source_maps_delete_200_response1: - description: >- - An example of a successful response from `DELETE - /api/apm/sourcemaps/{id}`. The response body is intentionally empty. + description: An example of a successful response from `DELETE /api/apm/sourcemaps/{id}`. The response body is intentionally empty. value: {} APM_UI_source_maps_get_200_response1: description: A successful response from `GET /api/apm/sourcemaps`. 
@@ -29249,18 +87071,15 @@ components: encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 encodedSize: 237 encryptionAlgorithm: none - id: >- - apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + id: apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 identifier: foo-1.0.0 packageName: apm - relative_url: >- - /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + relative_url: /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 type: sourcemap APM_UI_source_maps_upload_200_response1: description: A successful response from `POST /api/apm/sourcemaps`. value: - body: >- - eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI + body: eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI compressionAlgorithm: zlib created: '2021-07-09T20:47:44.812Z' decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 
@@ -29268,12 +87087,10 @@ components: encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 encodedSize: 237 encryptionAlgorithm: none - id: >- - apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + id: apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 identifier: foo-1.0.0 packageName: apm - relative_url: >- - /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + relative_url: /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 type: sourcemap Cases_add_comment_request: summary: Adds a comment to a case. @@ -29282,9 +87099,7 @@ components: owner: cases type: user Cases_add_comment_response: - summary: >- - The add comment to case API returns a JSON object that contains details - about the case and its comments. + summary: The add comment to case API returns a JSON object that contains details about the case and its comments. value: assignees: [] category: null @@ -29372,9 +87187,7 @@ components: - tag-1 title: Case title 1 Cases_create_case_response: - summary: >- - The create case API returns a JSON object that contains details about - the case. + summary: The create case API returns a JSON object that contains details about the case. value: assignees: [] closed_at: null @@ -29520,9 +87333,7 @@ components: per_page: 20 total: 1 Cases_find_case_response: - summary: >- - Retrieve the first five cases with the `tag-1` tag, in ascending order - by last update time. + summary: Retrieve the first five cases with the `tag-1` tag, in ascending order by last update time. value: cases: - assignees: [] 
@@ -29653,9 +87464,7 @@ components: updated_by: null version: WzEyLDNd Cases_get_case_observability_response: - summary: >- - Get case response (Observability). Comments are not included; use the - find case comments API. totalComment reflects the actual count. + summary: Get case response (Observability). Comments are not included; use the find case comments API. totalComment reflects the actual count. value: assignees: - uid: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 @@ -29700,9 +87509,7 @@ components: username: elastic version: WzI0NywyXQ== Cases_get_case_response: - summary: >- - Get case response. Comments are not included; use the find case comments - API. totalComment reflects the actual count. + summary: Get case response. Comments are not included; use the find case comments API. totalComment reflects the actual count. value: assignees: - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 @@ -29790,9 +87597,7 @@ components: - tag 1 - tag 2 Cases_push_case_response: - summary: >- - The push case API returns a JSON object with details about the case and - the external service. + summary: The push case API returns a JSON object with details about the case and the external service. value: assignees: [] category: null @@ -29856,9 +87661,7 @@ components: message: Unable to authenticate with the provided credentials. statusCode: 401 Cases_set_case_configuration_request: - summary: >- - Set the closure type, custom fields, and default connector for Stack - Management cases. + summary: Set the closure type, custom fields, and default connector for Stack Management cases. value: closure_type: close-by-user connector: @@ -30046,9 +87849,7 @@ components: - tag-1 version: WzIzLDFd Cases_update_case_response: - summary: >- - This is an example response when the case description, tags, and - connector were updated. + summary: This is an example response when the case description, tags, and connector were updated. value: - assignees: [] category: null 
@@ -30120,9 +87921,7 @@ components: type: user version: Wzk1LDFd Cases_update_comment_response: - summary: >- - The add comment to case API returns a JSON object that contains details - about the case and its comments. + summary: The add comment to case API returns a JSON object that contains details about the case and its comments. value: assignees: [] category: null @@ -30208,9 +88007,7 @@ components: source: emit(doc["foo"].value) type: long Data_views_get_data_view_response: - summary: >- - The get data view API returns a JSON object that contains information - about the data view. + summary: The get data view API returns a JSON object that contains information about the data view. value: data_view: allowNoIndex: false @@ -31161,10 +88958,7 @@ components: value: data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f Data_views_get_runtime_field_response: - summary: >- - The get runtime field API returns a JSON object that contains - information about the runtime field (`hour_of_day`) and the data view - (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). + summary: The get runtime field API returns a JSON object that contains information about the runtime field (`hour_of_day`) and the data view (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). value: data_view: allowNoIndex: false @@ -31673,9 +89467,7 @@ components: data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f force: true Data_views_swap_data_view_request: - summary: >- - Swap references from data view ID "abcd-efg" to "xyz-123" and remove the - data view that is no longer referenced. + summary: Swap references from data view ID "abcd-efg" to "xyz-123" and remove the data view that is no longer referenced. value: delete: true fromId: abcd-efg 
@@ -31758,10 +89550,8 @@ components: } Observability_AI_Assistant_API_ChatCompleteResponseExample: summary: Get a chat completion from the Observability AI Assistant - value: > - data: - {"model":"unknown","choices":[{"delta":{"content":"","function_call":{"name":"get_cluster_health","arguments":"{\"includeShardStats\":true}"}},"finish_reason":null,"index":0}],"created":1750936626911,"id":"9c8eff9b-4fd4-4203-a4ab-2e364688deff","object":"chat.completion.chunk"} - + value: | + data: {"model":"unknown","choices":[{"delta":{"content":"","function_call":{"name":"get_cluster_health","arguments":"{\"includeShardStats\":true}"}},"finish_reason":null,"index":0}],"created":1750936626911,"id":"9c8eff9b-4fd4-4203-a4ab-2e364688deff","object":"chat.completion.chunk"} data: [DONE] Saved_objects_key_rotation_response: 
@@ -33039,6 +90829,893 @@ components: } } } + get_connector_types_generativeai_response: + summary: A list of connector types for the `generativeAI` feature. + value: + - id: .gen-ai + name: OpenAI + enabled: true + enabled_in_config: true + enabled_in_license: true + minimum_license_required: enterprise + supported_feature_ids: + - generativeAIForSecurity + - generativeAIForObservability + - generativeAIForSearchPlayground + is_system_action_type: false + - id: .bedrock + name: AWS Bedrock + enabled: true + enabled_in_config: true + enabled_in_license: true + minimum_license_required: enterprise + supported_feature_ids: + - generativeAIForSecurity + - generativeAIForObservability + - generativeAIForSearchPlayground + is_system_action_type: false + - id: .gemini + name: Google Gemini + enabled: true + enabled_in_config: true + enabled_in_license: true + minimum_license_required: enterprise + supported_feature_ids: + - generativeAIForSecurity + is_system_action_type: false + get_connector_response: + summary: Get connector details. + value: + id: df770e30-8b8b-11ed-a780-3b746c987a81 + name: my_server_log_connector + config: {} + connector_type_id: .server-log + is_preconfigured: false + is_deprecated: false + is_missing_secrets: false + is_system_action: false + update_index_connector_request: + summary: Update an index connector. + value: + name: updated-connector + config: + index: updated-index + create_email_connector_request: + summary: Create an email connector. + value: + name: email-connector-1 + connector_type_id: .email + config: + from: tester@example.com + hasAuth: true + host: https://example.com + port: 1025 + secure: false + service: other + secrets: + user: username + password: password + create_index_connector_request: + summary: Create an index connector. + value: + name: my-connector + connector_type_id: .index + config: + index: test-index + create_webhook_connector_request: + summary: Create a webhook connector with SSL authentication. 
+ value: + name: my-webhook-connector + connector_type_id: .webhook + config: + method: post + url: https://example.com + authType: webhook-authentication-ssl + certType: ssl-crt-key + secrets: + crt: QmFnIEF0dH... + key: LS0tLS1CRUdJ... + password: my-passphrase + create_xmatters_connector_request: + summary: Create an xMatters connector with URL authentication. + value: + name: my-xmatters-connector + connector_type_id: .xmatters + config: + usesBasic: false + secrets: + secretsUrl: https://example.com?apiKey=xxxxx + create_email_connector_response: + summary: A new email connector. + value: + id: 90a82c60-478f-11ee-a343-f98a117c727f + connector_type_id: .email + name: email-connector-1 + config: + from: tester@example.com + service: other + host: https://example.com + port: 1025 + secure: false + hasAuth: true + tenantId: null + clientId: null + oauthTokenUrl: null + is_preconfigured: false + is_deprecated: false + is_missing_secrets: false + is_system_action: false + create_index_connector_response: + summary: A new index connector. + value: + id: c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad + connector_type_id: .index + name: my-connector + config: + index: test-index + refresh: false + executionTimeField: null + is_preconfigured: false + is_deprecated: false + is_missing_secrets: false + is_system_action: false + create_webhook_connector_response: + summary: A new webhook connector. + value: + id: 900eb010-3b9d-11ee-a642-8ffbb94e38bd + name: my-webhook-connector + config: + method: post + url: https://example.com + authType: webhook-authentication-ssl + certType: ssl-crt-key + verificationMode: full + headers: null + hasAuth: true + connector_type_id: .webhook + is_preconfigured: false + is_deprecated: false + is_missing_secrets: false + is_system_action: false + run_index_connector_request: + summary: Run an index connector. 
+ value: + params: + documents: + - id: my_doc_id + name: my_doc_name + message: hello, world + run_jira_connector_request: + summary: Run a Jira connector to retrieve the list of issue types. + value: + params: + subAction: issueTypes + run_servicenow_itom_connector_request: + summary: Run a ServiceNow ITOM connector to retrieve the list of choices. + value: + params: + subAction: getChoices + subActionParams: + fields: + - severity + - urgency + run_slack_api_connector_request: + summary: Run a Slack connector that uses the web API method to post a message on a channel. + value: + params: + subAction: postMessage + subActionParams: + channelIds: + - C123ABC456 + text: A test message. + run_swimlane_connector_request: + summary: Run a Swimlane connector to create an incident. + value: + params: + subAction: pushToService + subActionParams: + comments: + - commentId: 1 + comment: A comment about the incident. + incident: + caseId: '1000' + caseName: Case name + description: Description of the incident. + run_index_connector_response: + summary: Response from running an index connector. + value: + connector_id: fd38c600-96a5-11ed-bb79-353b74189cba + data: + errors: false + items: + - create: + _id: 4JtvwYUBrcyxt2NnfW3y + _index: my-index + _primary_term: 1 + _seq_no: 0 + _shards: + failed: 0 + successful: 1 + total: 2 + _version: 1 + result: created + status: 201 + took: 135 + status: ok + run_jira_connector_response: + summary: Response from retrieving the list of issue types for a Jira connector. + value: + connector_id: b3aad810-edbe-11ec-82d1-11348ecbf4a6 + data: + - id: 10024 + name: Improvement + - id: 10006 + name: Task + - id: 10007 + name: Sub-task + - id: 10025 + name: New Feature + - id: 10023 + name: Bug + - id: 10000 + name: Epic + status: ok + run_server_log_connector_response: + summary: Response from running a server log connector. 
+ value: + connector_id: 7fc7b9a0-ecc9-11ec-8736-e7d63118c907 + status: ok + run_servicenow_itom_connector_response: + summary: Response from retrieving the list of choices for a ServiceNow ITOM connector. + value: + connector_id: 9d9be270-2fd2-11ed-b0e0-87533c532698 + data: + - dependent_value: '' + element: severity + label: Critical + value: 1 + - dependent_value: '' + element: severity + label: Major + value: 2 + - dependent_value: '' + element: severity + label: Minor + value: 3 + - dependent_value: '' + element: severity + label: Warning + value: 4 + - dependent_value: '' + element: severity + label: OK + value: 5 + - dependent_value: '' + element: severity + label: Clear + value: 0 + - dependent_value: '' + element: urgency + label: 1 - High + value: 1 + - dependent_value: '' + element: urgency + label: 2 - Medium + value: 2 + - dependent_value: '' + element: urgency + label: 3 - Low + value: 3 + status: ok + run_slack_api_connector_response: + summary: Response from posting a message with a Slack connector. + value: + status: ok + data: + ok: true + channel: C123ABC456 + ts: '1234567890.123456' + message: + bot_id: B12BCDEFGHI + type: message + text: A test message + user: U12A345BC6D + ts: '1234567890.123456' + app_id: A01BC2D34EF + blocks: + - type: rich_text + block_id: /NXe + elements: + - type: rich_text_section + elements: + - type: text + text: A test message. + team: T01ABCDE2F + bot_profile: + id: B12BCDEFGHI + app_id: A01BC2D34EF + name: test + icons: + image_36: https://a.slack-edge.com/80588/img/plugins/app/bot_36.png + deleted: false + updated: 1672169705 + team_id: T01ABCDE2F + connector_id: .slack_api + run_swimlane_connector_response: + summary: Response from creating a Swimlane incident. 
+ value: + connector_id: a4746470-2f94-11ed-b0e0-87533c532698 + data: + id: aKPmBHWzmdRQtx6Mx + title: TEST-457 + url: https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx + pushedDate: '2022-09-08T16:52:27.866Z' + comments: + - commentId: 1 + pushedDate: '2022-09-08T16:52:27.865Z' + status: ok + get_connectors_response: + summary: A list of connectors + value: + - id: preconfigured-email-connector + name: my-preconfigured-email-notification + connector_type_id: .email + is_preconfigured: true + is_deprecated: false + referenced_by_count: 0 + is_system_action: false + - id: e07d0c80-8b8b-11ed-a780-3b746c987a81 + name: my-index-connector + config: + index: test-index + refresh: false + executionTimeField: null + connector_type_id: .index + is_preconfigured: false + is_deprecated: false + referenced_by_count: 2 + is_missing_secrets: false + is_system_action: false + get_roles_response1: + summary: Get all role details + value: + - name: my_kibana_role + description: My kibana role description + metadata: + version: 1 + transient_metadata: + enabled: true + elasticsearch: + indices: [] + cluster: [] + run_as: [] + kibana: + - base: + - all + feature: {} + spaces: + - '*' + - name: my_admin_role + description: My admin role description + metadata: + version: 1 + transient_metadata: + enabled: true + elasticsearch: + cluster: + - all + indices: + - names: + - index1 + - index2 + privileges: + - all + field_security: + grant: + - title + - body + query: '{\"match\": {\"title\": \"foo\"}}' + kibana: [] + get_role_response1: + summary: Get role details + value: + name: my_kibana_role + description: Grants all cluster privileges and full access to index1 and index2. Grants full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grants all Kibana privileges in the default space. 
+ metadata: + version: 1 + transient_metadata: + enabled: true + elasticsearch: + cluster: + - all + remote_cluster: + - privileges: + - monitor_enrich + clusters: + - remote_cluster1 + indices: + - names: + - index1 + - index2 + privileges: + - all + allow_restricted_indices: false + remote_indices: + - names: + - remote_index1 + - remote_index2 + privileges: + - all + allow_restricted_indices: false + clusters: + - remote_cluster1 + run_as: [] + kibana: + - base: + - all + feature: {} + spaces: + - default + _transform_error: [] + _unrecognized_applications: [] + create_role_request1: + summary: Feature privileges in multiple spaces + description: Grant access to various features in some spaces. + value: + description: Grant full access to discover and dashboard features in the default space. Grant read access in the marketing, and sales spaces. + metadata: + version: 1 + elasticsearch: + cluster: [] + indices: [] + kibana: + - base: [] + feature: + discover: + - all + dashboard: + - all + spaces: + - default + - base: + - read + spaces: + - marketing + - sales + create_role_request2: + summary: Dashboard privileges in a space + description: Grant access to dashboard features in a Marketing space. + value: + description: Grant dashboard access in the Marketing space. + metadata: + version: 1 + elasticsearch: + cluster: [] + indices: [] + kibana: + - base: [] + feature: + dashboard: + - read + spaces: + - marketing + create_role_request3: + summary: Feature privileges in a space + description: Grant full access to all features in the default space. + value: + metadata: + version: 1 + elasticsearch: + cluster: [] + indices: [] + kibana: + - base: + - all + feature: {} + spaces: + - default + create_role_request4: + summary: Elasticsearch and Kibana feature privileges + description: Grant Elasticsearch and Kibana feature privileges. + value: + description: Grant all cluster privileges and full access to index1 and index2. 
Grant full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grant all Kibana privileges in the default space. + metadata: + version: 1 + elasticsearch: + cluster: + - all + indices: + - names: + - index1 + - index2 + privileges: + - all + remote_indices: + - clusters: + - remote_cluster1 + names: + - remote_index1 + - remote_index2 + privileges: + - all + remote_cluster: + - clusters: + - remote_cluster1 + privileges: + - monitor_enrich + kibana: + - base: + - all + feature: {} + spaces: + - default + copy_saved_objects_request1: + summary: Copy with createNewCopies + description: | + Copy a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and that has a reference to a data view. + value: + objects: + - type: dashboard + id: my-dashboard + spaces: + - marketing + includeReferences: true + copy_saved_objects_request2: + summary: Copy without createNewCopies + description: | + Copy a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and that has a reference to a data view. + value: + objects: + - type: dashboard + id: my-dashboard + spaces: + - marketing + includeReferences: true + createNewCopies: false + copy_saved_objects_response1: + summary: Copy with createNewCopies + description: | + The response for successfully copying a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. The result indicates a successful copy and all three objects are created. Since these objects were created as new copies, each entry in the successResults array includes a destinationId attribute. 
+ value: + marketing: + success: true + successCount: 3 + successResults: + - id: my-dashboard + type: dashboard + destinationId: 1e127098-5b80-417f-b0f1-c60c8395358f + meta: + icon: dashboardApp + title: Look at my dashboard + - id: my-vis + type: visualization + destinationId: a610ed80-1c73-4507-9e13-d3af736c8e04 + meta: + icon: visualizeApp + title: Look at my visualization + - id: my-index-pattern + type: index-pattern + destinationId: bc3c9c70-bf6f-4bec-b4ce-f4189aa9e26b + meta: + icon: indexPatternApp + title: my-pattern-* + copy_saved_objects_response2: + summary: Copy without createNewCopies + description: | + The response for successfully copying a dashboard with the my-dashboard ID with createNewCopies turned off. The result indicates a successful copy and all three objects are created. + value: + marketing: + success: true + successCount: 3 + successResults: + - id: my-dashboard + type: dashboard + meta: + icon: dashboardApp + title: Look at my dashboard + - id: my-vis + type: visualization + meta: + icon: visualizeApp + title: Look at my visualization + - id: my-index-pattern + type: index-pattern + meta: + icon: indexPatternApp + title: my-pattern-* + copy_saved_objects_response3: + summary: Failed copy response with conflict errors + description: | + A response for a failed copy of a dashboard with the my-dashboard ID including all references from the default space to the marketing and sales spaces. In this example, the dashboard has a reference to a visualization and a Canvas workpad and the visualization has a reference to an index pattern. The result indicates a successful copy for the marketing space and an unsuccessful copy for the sales space because the data view, visualization, and Canvas workpad each resulted in a conflict error. Objects are created when the error is resolved using the resolve copy conflicts API. 
+ value: + marketing: + success: true + successCount: 4 + successResults: + - id: my-dashboard + type: dashboard + meta: + icon: dashboardApp + title: Look at my dashboard + - id: my-vis + type: visualization + meta: + icon: visualizeApp + title: Look at my visualization + - id: my-canvas + type: canvas-workpad + meta: + icon: canvasApp + title: Look at my canvas + - id: my-index-pattern + type: index-pattern + meta: + icon: indexPatternApp + title: my-pattern-* + sales: + success: false + successCount: 1, + errors: + - id: my-pattern + type: index-pattern + title: my-pattern-* + error: + type: conflict + meta: + icon: indexPatternApp + title: my-pattern-* + - id: my-visualization + type: my-vis + title: Look at my visualization + error: + type: conflict + destinationId: another-vis + meta: + icon: visualizeApp + title: Look at my visualization + - id: my-canvas + type: canvas-workpad + title: Look at my canvas + error: + type: ambiguous_conflict + destinations: + - id: another-canvas + title: Look at another canvas + updatedAt: '2020-07-08T16:36:32.377Z' + - id: yet-another-canvas + title: Look at yet another canvas + updatedAt: '2020-07-05T12:29:54.849Z' + meta: + icon: canvasApp + title: Look at my canvas + successResults": + - id: my-dashboard + type: dashboard + meta: + icon: dashboardApp + title: Look at my dashboard + copy_saved_objects_response4: + summary: Failed copy with missing reference errors + description: | + The response for successfully copying a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and a Canvas workpad and the visualization has a reference to a data view. The result indicates an unsuccessful copy because the visualization resulted in a missing references error. Objects are created when the errors are resolved using the resolve copy conflicts API. 
+ value: + marketing: + success: false + successCount: 2 + errors: + - id: my-vis + type: visualization + title: Look at my visualization + error: + type: missing_references + references: + - type: index-pattern + id: my-pattern-* + meta: + icon: visualizeApp + title: Look at my visualization + successResults: + - id: my-dashboard + type: dashboard + meta: + icon: dashboardApp + title: Look at my dashboard + - id: my-canvas + type: canvas-workpad + meta: + icon: canvasApp + title: Look at my canvas + disable_legacy_url_request1: + summary: Disable legacy URL aliases + description: | + This request leaves the alias intact but the legacy URL for this alias (http://localhost:5601/s/bills-space/app/dashboards#/view/123) will no longer function. The dashboard still exists and you can access it with the new URL. + value: + aliases: + - targetSpace: bills-space + targetType: dashboard + sourceId: 123 + get_shareable_references_request1: + summary: Get shareable references + description: | + Collect references and space contexts for a dashboard saved object. + value: + objects: + - type: dashboard + id: my-dashboard-id + get_shareable_references_response1: + summary: Get shareable references response + description: | + A response that includes the collected references and the spaces where the objects exist. + value: + objects: + - type: dashboard + id: my-dashboard-id + spaces: + - default + - marketing + inboundReferences: [] + resolve_copy_saved_objects_request1: + summary: Resolve conflict errors + description: | + Resolve conflict errors for a data view, visualization, and Canvas workpad by overwriting the existing saved objects. NOTE: If a prior copy attempt resulted in resolvable errors, you must include a retry for each object you want to copy, including any that were returned in the successResults array. In this example, we retried copying the dashboard accordingly. 
+ value: + objects: + - type: dashboard + id: my-dashboard + includeReferences: true + createNewCopies: false + retries: + sales: + - type: index-pattern + id: my-pattern + overwrite: true + - type: visualization + id: my-vis + overwrite: true, + destinationId: another-vis + - type: canvas + id: my-canvas + overwrite: true + destinationId: yet-another-canvas + - type: dashboard + id: my-dashboard + resolve_copy_saved_objects_request2: + summary: Resolve missing reference errors + description: | + Resolve missing reference errors for a visualization by ignoring the error. NOTE: If a prior copy attempt resulted in resolvable errors, you must include a retry for each object you want to copy, including any that were returned in the successResults array. In this example, we retried copying the dashboard and canvas accordingly. + value: + objects: + - type: dashboard + id: my-dashboard + includeReferences: true + createNewCopies: false + retries: + marketing: + - type: visualization + id: my-vis + ignoreMissingReferences: true + - type: canvas + id: my-canvas + - type: dashboard + id: my-dashboard + update_saved_objects_spaces_request1: + summary: Update saved object spaces + description: Update the spaces of each saved object and all its references. + value: + objects: + - type: index-pattern + id: 90943e30-9a47-11e8-b64d-95841ca0b247 + spacesToAdd: + - test + spacesToRemove: [] + update_saved_objects_spaces_response1: + summary: Update saved object spaces + description: | + The response from updating the spaces of saved objects. + value: + objects: + - type: index-pattern + id: 90943e30-9a47-11e8-b64d-95841ca0b247 + spaces: + - default + - test + get_spaces_response1: + summary: Get all spaces + description: Get all spaces without specifying any options. 
+ value: + - id: default + name: Default + description: This is the Default Space + disabledFeatures: [] + imageUrl: '' + _reserved: true + - id: marketing + name: Marketing + description: This is the Marketing Space + color: null + disabledFeatures: + - apm + initials: MK + imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU + - id: sales + name: Sales + initials: MK + disabledFeatures: + - discover + imageUr": '' + solution: oblt + get_spaces_response2: + summary: Get all spaces with custom options + description: | + The user has read-only access to the Sales space. Get all spaces with the following query parameters: "purpose=shareSavedObjectsIntoSpace&include_authorized_purposes=true" + value: + - id: default + name: Default + description: This is the Default Space + disabledFeatures: [] + imageUrl: '' + _reserved: true + authorizedPurposes: + any: true + copySavedObjectsIntoSpace: true + findSavedObjects: true + shareSavedObjectsIntoSpace: true + - id: marketing + name: Marketing + description: This is the Marketing Space + color: null + disabledFeatures: + - apm + initials: MK + imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU + authorizedPurposes: + any: true + copySavedObjectsIntoSpace: true + findSavedObjects: true + shareSavedObjectsIntoSpace: true + - id: sales + name: Sales + initials: MK + disabledFeatures: + - discover + imageUrl: '' + authorizedPurposes: + any: true + copySavedObjectsIntoSpace: false + findSavedObjects: true + shareSavedObjectsIntoSpace: false + create_space_request: + summary: Create a marketing space + value: + id: marketing + name: Marketing + description: This is the Marketing Space + color: null + initials: MK + disabledFeatures: [] + imageUrl: 
data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAD4AAABACAYAAABC6cT1AAAGf0lEQVRoQ+3abYydRRUH8N882xYo0IqagEVjokQJKAiKBjXExC9G/aCkGowCIghCkRcrVSSKIu/FEiqgGL6gBIlAYrAqUTH6hZgQFVEMKlQFfItWoQWhZe8z5uzMLdvbfbkLxb13d+fbvfe588x/zpn/+Z9zJpmnI81T3BaAzzfLL1h8weLzZAcWXH2eGHo7zAWLL1h8nuzAjFw9G1N6Kzq8HnuM36MR8iibF3Fv4q+7cv8yDV6K13bYq2furSP8Ag8ncr/vnSnwRViJT2GfCV7yL1yHGxLb+l3EdM9lluNEnIC9xz+f2ZL4Er6Z2DrdXN3fZwp8CU7OfDHxggle8lTLbQ1nJ/7Z7yKmey5zYGZt4h2IzR8/trRc2PDlxJPTzfVcgJ+CC0wMPOa9F6cm7up3EVM9V9386MxliVdM8GwAv6hh/awCz/w7lY25OtF5ruBz4ZLP42NYNrDAFbC3YPWuILnMAfgq3oaRQQYea/stViV+sgssvjKzLvGySeaaNVfP4d7Btokgvxj/bblgpueuF1hmWcyTCmfE3J3M1lTcv0vMswM88zR+jpw4osu6me8kzkpsfLZWzxyRuabO22buxxOJ12FxnXfWgEe83pB5sOE47BsLymzscOoi7nw2JJfZreUjiUsTyzKPZm5NvBDvSuw268AzNzV8H5/Am+qCnsAXgpgSW2Zq9cyKlksbPlTd+te4quWNieMHBfiNDdciYnwsdI/MaOaWhnMTf54J8CqNj8x8JXFIZltYu+HqlmNT8YSBsHgAPw/vxvlVV4du/s0oaxbxg0TbL/jMni0nNcVjQq7+HZfgtpbzBg342TgQ63AkmsymxBW4IjE6A+D7Vzd/fyWxIM/VuCe+HzTgZ2Jpy/kNJ2FJLmLm24mPJ/42A+Bvrxt4SISwlhsaPodH26LZB8rVA3inwwebsrixJCZzX+KMxI/7AV61eVh3DV6Mx3EOvh4kN6jAg8nfUCXm4d1wE66OyxNPTQc+s3/o/MoXizL3JE5O3F3P/uBZPPF4Zr+Wi5uSO48ZPRdyCwn7YB/A35m5KhWNHox4fcNnIs0ddOCRSBxf8+cQG+Huf0l8NJVYP+nI7NXy2ar4QqIGm69JfKPOE2w/mBavCzwM11R2D+ChsUO7hyUfmwx55qDM1xJvqZ7y08TpifuGBfjeURVJnNIVGpkNiXNS0ds7jcySDitDCCWW56LJ10fRo8sNA+3qXUSZD2CtQlZh9T+1rB7h9oliembflnMbzqgSNZKbKGHdPm7OwXb1CvQ1metSETMpszmzvikCJNh/h5E5PHNl4qga/+/cxqrdeWDYgIe7X5L4cGJPJX2940lOX8pD41FnFnc4riluvQKbK0dcHJFi2IBHNTQSlguru4d2/wPOTNzRA3x5y+U1E1uqWDkETOT026XuUJzx6u7ReLhSYenQ7uHua0fKZmwfmcPqsQjxE5WVONcRxn7X89zgn/EKPMRMxOVQXmP18Mx3q3b/Y/0cQE/IhFtHESMsHFlZ1Ml3CH3DZPHImY+pxcKumNmYirtvqMBfhMuU6s3iqOQkTsMPe1tCQwO8Ajs0lxr7W+vnp1MJc9EgCNd/cy6x+9D4veXmprj5wxMw/3C4egW6zzgZOlYZzfwo3F2J7ael0pJamvlPKgWNKFft1AAcKotXoFEbD7kaoSoQPVKB35+5KHF0lai/rJo+up87jWEE/qqqwY+qrL21LWLm95lPJ16ppKw31XC3PXYPJauPEx7B6BHCgrSizRs18qiaRp8tlN3ueCTYPHH9RNaunjI8Z7wLYpT3jZSCYXQ8e9vTsRE/q+no3XMKeObgGtaintbb/AvXj4JDkNw/5hrwYPfIvlZFUbLn7G5q+eQIN09Vnho6cqvnM/Lt99RixH49wO8K0ZL41WTWHoQzvsNVkOheZqKhEGpsp3
SzB+BBtZAYve7uOR9tuTaaB6l0XScdYfEQPpkTUyHEGP+XqyDBzu+NBCITUjNWHynkrbWKOuWFn1xKzqsyx0bdvS78odp0+N503Zao0uCsWuSIDku8/7EO60b41vN5+Ses9BKlTdvd8bhp9EBvJjWJAIn/vxwHe6b3tSk6JFPV4nq85oAOrx555v/x/rh3E6Lo+bnuNS4uB4Cuq0ZfvO8X1rM6q/+vnjLVqZq7v83onttc2oYF4HPJmv1gWbB4P7s0l55ZsPhcsmY/WBYs3s8uzaVn5q3F/wf70mRuBCtbjQAAAABJRU5ErkJggg== + get_space_response: + summary: Get details about a marketing space + value: + id: marketing + name: Marketing + description: This is the Marketing Space + color: null + initials: MK + disabledFeatures: [] + imageUrl: '' + solution: es + update_space_request: + summary: Update a marketing space + description: Update the marketing space to remove the imageUrl. + value: + id: marketing + name: Marketing + description: This is the Marketing Space + color: null + initials: MK + disabledFeatures: [] + imageUrl: '' parameters: APM_UI_elastic_api_version: description: The version of the API to use @@ -33067,10 +91744,8 @@ components: example: 09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540 type: string Cases_assignees_filter: - description: > - Filters the returned cases by assignees. Valid values are `none` or - unique identifiers for the user profiles. These identifiers can be found - by using the suggest user profile API. + description: | + Filters the returned cases by assignees. Valid values are `none` or unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API. in: query name: assignees schema: @@ -33078,9 +91753,7 @@ components: - $ref: '#/components/schemas/Cases_string' - $ref: '#/components/schemas/Cases_string_array' Cases_case_id: - description: >- - The identifier for the case. To retrieve case IDs, use the search cases - (`_find)` API. All non-ASCII characters must be URL encoded. + description: The identifier for the case. To retrieve case IDs, use the search cases (`_find)` API. All non-ASCII characters must be URL encoded. in: path name: caseId required: true 
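Review bot: Several of the added saved-objects and spaces examples are not the YAML they intend to be, so the published examples will carry wrong types and keys. In copy_saved_objects_response3 the sales entry has `successCount: 1,` (parsed as the string "1,", unlike the integer `successCount: 4` beside it) and a stray quote in the key `successResults":`; resolve_copy_saved_objects_request1 has `overwrite: true,` (a string, not a boolean) and get_spaces_response1 has the key `imageUr": ''` where the other spaces use `imageUrl`. In the same response3 example the conflict entry `- id: my-visualization` / `type: my-vis` looks like id and type were swapped (every other entry is `id: my-vis` with `type: visualization`), and disable_legacy_url_request1 gives `sourceId: 123` as an integer while saved-object ids are strings everywhere else, so `sourceId: '123'` would show the intended type. In get_roles_response1 the field_security query is single-quoted, so its `\"` escapes are kept literally and the rendered example shows backslashes instead of the JSON query; `query: '{"match": {"title": "foo"}}'` is the form a reader can copy into a role definition.
```yaml
# … unchanged: copy_saved_objects_response3 value.marketing …
      sales:
        success: false
        successCount: 1
# … unchanged: errors list …
        successResults:
# … unchanged: resolve_copy_saved_objects_request1 retries.sales …
            - type: visualization
              id: my-vis
              overwrite: true
              destinationId: another-vis
# … unchanged: get_spaces_response1 sales space …
          imageUrl: ''
```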
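Review bot: The rewritten Cases_case_id description keeps the backticks misplaced around `_find)` (the code span opens before `_find` and closes after the parenthesis), so the rendered text shows a parenthesis inside the code span and a stray one after it; Cases_comment_id in the next hunk has the correct form, with the code span closed before the parenthesis. Change the phrase to `use the search cases (`_find`) API`. The switch from `>` to `|` on Cases_assignees_filter also keeps a trailing newline in the description, which is harmless but differs from the single-line style used for the other descriptions rewritten in these hunks.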
@@ -33096,9 +91769,8 @@ components: - $ref: '#/components/schemas/Cases_case_category' - $ref: '#/components/schemas/Cases_case_categories' Cases_comment_id: - description: > - The identifier for the comment. To retrieve comment IDs, use the get - case or search cases (`_find`) APIs. + description: | + The identifier for the comment. To retrieve comment IDs, use the get case or search cases (`_find`) APIs. in: path name: commentId required: true 
@@ -33113,3659 +91785,17849 @@ components: schema: example: 3297a0f0-b5ec-11ec-b141-0fdb20a7f9a9 type: string - Cases_connector_id: - description: >- - An identifier for the connector. To retrieve connector IDs, use the find - connectors API. - in: path - name: connectorId - required: true - schema: - example: abed3a70-71bd-11ea-a0b2-c51ea50a58e2 + Cases_connector_id: + description: An identifier for the connector. To retrieve connector IDs, use the find connectors API. + in: path + name: connectorId + required: true + schema: + example: abed3a70-71bd-11ea-a0b2-c51ea50a58e2 + type: string + Cases_defaultSearchOperator: + description: he default operator to use for the simple_query_string. + example: OR + in: query + name: defaultSearchOperator + schema: + default: OR + type: string + Cases_from: + description: | + Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression. + in: query + name: from + schema: + example: now-1d + type: string + Cases_ids: + description: | + The cases that you want to removed. To get the case identifiers, use the search cases (`_find`) API. In the Dev Console, you can specify the array of cases in the following format: `ids=["e58e77e3-ef8e-4251-926f-efb115f3c4ec"]`. In `curl`, all non-ASCII characters must be URL encoded. For example: `ids=%5B%22e58e77e3-ef8e-4251-926f-efb115f3c4ec%22%5D` + in: query + name: ids + required: true + schema: + items: + example: d4e7abb0-b462-11ec-9a8d-698504725a43 + maxItems: 100 + minItems: 1 + type: string + type: array + Cases_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Cases_owner_filter: + description: | + A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. 
+ example: cases + in: query + name: owner + schema: + oneOf: + - $ref: '#/components/schemas/Cases_owner' + - $ref: '#/components/schemas/Cases_owners' + Cases_page_index: + description: The page number to return. + example: 1 + in: query + name: page + required: false + schema: + default: 1 + type: integer + Cases_page_size: + description: The number of items to return. Limited to 100 items. + example: 20 + in: query + name: perPage + required: false + schema: + default: 20 + maximum: 100 + type: integer + Cases_reporters: + description: Filters the returned cases by the user name of the reporter. + example: elastic + in: query + name: reporters + schema: + oneOf: + - $ref: '#/components/schemas/Cases_string' + - $ref: '#/components/schemas/Cases_string_array' + Cases_search: + description: An Elasticsearch simple_query_string query that filters the objects in the response. + example: Case title 1 + in: query + name: search + schema: + type: string + Cases_searchFields: + description: The fields to perform the simple_query_string parsed query against. + in: query + name: searchFields + schema: + oneOf: + - $ref: '#/components/schemas/Cases_searchFieldsType' + - $ref: '#/components/schemas/Cases_searchFieldsTypeArray' + Cases_severity: + description: The severity of the case. + example: low + in: query + name: severity + schema: + enum: + - critical + - high + - low + - medium + type: string + Cases_sort_order: + description: Determines the sort order. + example: desc + in: query + name: sortOrder + required: false + schema: + default: desc + enum: + - asc + - desc + type: string + Cases_sortField: + description: Determines which field is used to sort the results. + example: updatedAt + in: query + name: sortField + schema: + default: createdAt + enum: + - createdAt + - updatedAt + - closedAt + - title + - category + - status + - severity + type: string + Cases_status: + description: Filters the returned cases by state. 
+ example: open + in: query + name: status + schema: + enum: + - closed + - in-progress + - open + type: string + Cases_tags: + description: Filters the returned cases by tags. + example: tag-1 + in: query + name: tags + schema: + oneOf: + - $ref: '#/components/schemas/Cases_string' + - $ref: '#/components/schemas/Cases_string_array' + Cases_to: + description: | + Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression. + example: now+1d + in: query + name: to + schema: + type: string + Cases_user_action_types: + description: Determines the types of user actions to return. + in: query + name: types + schema: + items: + enum: + - action + - alert + - assignees + - attachment + - comment + - connector + - create_case + - description + - pushed + - settings + - severity + - status + - tags + - title + - user + example: create_case + type: string + type: array + Data_views_field_name: + description: The name of the runtime field. + in: path + name: fieldName + required: true + schema: + example: hour_of_day + type: string + Data_views_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Data_views_view_id: + description: An identifier for the data view. + in: path + name: viewId + required: true + schema: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + type: string + Machine_learning_APIs_simulateParam: + description: When true, simulates the synchronization by returning only the list of actions that would be performed. + example: 'true' + in: query + name: simulate + required: false + schema: + type: boolean + Saved_objects_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Saved_objects_saved_object_id: + description: An identifier for the saved object. 
+ in: path + name: id + required: true + schema: + type: string + Saved_objects_saved_object_type: + description: Valid options include `visualization`, `dashboard`, `search`, `index-pattern`, `config`. + in: path + name: type + required: true + schema: + type: string + Short_URL_APIs_idParam: + description: The identifier for the short URL. + in: path + name: id + required: true + schema: + type: string + SLOs_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + SLOs_slo_id: + description: An identifier for the slo. + in: path + name: sloId + required: true + schema: + example: 9c235211-6834-11ea-a78c-6feb38a34414 + type: string + SLOs_space_id: + description: An identifier for the space. If `/s/` and the identifier are omitted from the path, the default space is used. + in: path + name: spaceId + required: true + schema: + example: default + type: string + schemas: + Alerting_401_response: + properties: + error: + enum: + - Unauthorized + example: Unauthorized + type: string + message: + type: string + statusCode: + enum: + - 401 + example: 401 + type: integer + title: Unsuccessful rule API response + type: object + Alerting_fieldmap_properties: + title: Field map objects in the get rule types response + type: object + properties: + array: + description: Indicates whether the field is an array. + type: boolean + dynamic: + description: Indicates whether it is a dynamic field mapping. + type: boolean + format: + description: | + Indicates the format of the field. For example, if the `type` is `date_range`, the `format` can be `epoch_millis||strict_date_optional_time`. + type: string + ignore_above: + description: Specifies the maximum length of a string field. Longer strings are not indexed or stored. + type: integer + index: + description: Indicates whether field values are indexed. 
+ type: boolean + path: + description: TBD + type: string + properties: + additionalProperties: + type: object + properties: + type: + description: The data type for each object property. + type: string + description: | + Details about the object properties. This property is applicable when `type` is `object`. + type: object + required: + description: Indicates whether the field is required. + type: boolean + scaling_factor: + description: | + The scaling factor to use when encoding values. This property is applicable when `type` is `scaled_float`. Values will be multiplied by this factor at index time and rounded to the closest long value. + type: integer + type: + description: Specifies the data type for the field. + example: scaled_float + type: string + APM_UI_400_response: + type: object + properties: + error: + description: Error type + example: Not Found + type: string + message: + description: Error message + example: Not Found + type: string + statusCode: + description: Error status code + example: 400 + type: number + APM_UI_401_response: + type: object + properties: + error: + description: Error type + example: Unauthorized + type: string + message: + description: Error message + type: string + statusCode: + description: Error status code + example: 401 + type: number + APM_UI_403_response: + type: object + properties: + error: + description: Error type + example: Forbidden + type: string + message: + description: Error message + type: string + statusCode: + description: Error status code + example: 403 + type: number + APM_UI_404_response: + type: object + properties: + error: + description: Error type + example: Not Found + type: string + message: + description: Error message + example: Not Found + type: string + statusCode: + description: Error status code + example: 404 + type: number + APM_UI_500_response: + type: object + properties: + error: + description: Error type + example: Internal Server Error + type: string + message: + description: Error 
message + type: string + statusCode: + description: Error status code + example: 500 + type: number + APM_UI_501_response: + type: object + properties: + error: + description: Error type + example: Not Implemented + type: string + message: + description: Error message + example: Not Implemented + type: string + statusCode: + description: Error status code + example: 501 + type: number + APM_UI_agent_configuration_intake_object: + type: object + properties: + agent_name: + description: The agent name is used by the UI to determine which settings to display. + type: string + service: + $ref: '#/components/schemas/APM_UI_service_object' + settings: + $ref: '#/components/schemas/APM_UI_settings_object' + required: + - service + - settings + APM_UI_agent_configuration_object: + description: Agent configuration + type: object + properties: + '@timestamp': + description: Timestamp + example: 1730194190636 + type: number + agent_name: + description: Agent name + type: string + applied_by_agent: + description: Applied by agent + example: true + type: boolean + etag: + description: | + `etag` is sent by the APM agent to indicate the `etag` of the last successfully applied configuration. If the `etag` matches an existing configuration its `applied_by_agent` property will be set to `true`. Every time a configuration is edited `applied_by_agent` is reset to `false`. + example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 + type: string + service: + $ref: '#/components/schemas/APM_UI_service_object' + settings: + $ref: '#/components/schemas/APM_UI_settings_object' + required: + - service + - settings + - '@timestamp' + - etag + APM_UI_agent_configurations_response: + type: object + properties: + configurations: + description: Agent configuration + items: + $ref: '#/components/schemas/APM_UI_agent_configuration_object' + type: array + APM_UI_agent_keys_object: + type: object + properties: + name: + description: The name of the APM agent key. 
+ type: string + privileges: + description: | + The APM agent key privileges. It can take one or more of the following values: + * `event:write`, which is required for ingesting APM agent events. * `config_agent:read`, which is required for APM agents to read agent configuration remotely. + items: + enum: + - event:write + - config_agent:read + type: string + type: array + required: + - name + - privileges + APM_UI_agent_keys_response: + type: object + properties: + agentKey: + description: Agent key + type: object + properties: + api_key: + type: string + encoded: + type: string + expiration: + format: int64 + type: integer + id: + type: string + name: + type: string + required: + - id + - name + - api_key + - encoded + APM_UI_annotation_search_response: + type: object + properties: + annotations: + description: Annotations + items: + type: object + properties: + '@timestamp': + type: number + id: + type: string + text: + type: string + type: + enum: + - version + type: string + type: array + APM_UI_base_source_map_object: + type: object + properties: + compressionAlgorithm: + description: Compression Algorithm + type: string + created: + description: Created date + type: string + decodedSha256: + description: Decoded SHA-256 + type: string + decodedSize: + description: Decoded size + type: number + encodedSha256: + description: Encoded SHA-256 + type: string + encodedSize: + description: Encoded size + type: number + encryptionAlgorithm: + description: Encryption Algorithm + type: string + id: + description: Identifier + type: string + identifier: + description: Identifier + type: string + packageName: + description: Package name + type: string + relative_url: + description: Relative URL + type: string + type: + description: Type + type: string + APM_UI_create_annotation_object: + type: object + properties: + '@timestamp': + description: The date and time of the annotation. It must be in ISO 8601 format. 
+ type: string + message: + description: The message displayed in the annotation. It defaults to `service.version`. + type: string + service: + description: The service that identifies the configuration to create or update. + type: object + properties: + environment: + description: The environment of the service. + type: string + version: + description: The version of the service. + type: string + required: + - version + tags: + description: | + Tags are used by the Applications UI to distinguish APM annotations from other annotations. Tags may have additional functionality in future releases. It defaults to `[apm]`. While you can add additional tags, you cannot remove the `apm` tag. + items: + type: string + type: array + required: + - '@timestamp' + - service + APM_UI_create_annotation_response: + type: object + properties: + _id: + description: Identifier + type: string + _index: + description: Index + type: string + _source: + description: Response + type: object + properties: + '@timestamp': + type: string + annotation: + type: object + properties: + title: + type: string + type: + type: string + event: + type: object + properties: + created: + type: string + message: + type: string + service: + type: object + properties: + environment: + type: string + name: + type: string + version: + type: string + tags: + items: + type: string + type: array + APM_UI_delete_agent_configurations_response: + type: object + properties: + result: + description: Result + type: string + APM_UI_delete_service_object: + description: Service + type: object + properties: + service: + $ref: '#/components/schemas/APM_UI_service_object' + required: + - service + APM_UI_search_agent_configuration_object: + type: object + properties: + error: + description: | + If provided, the agent configuration will be marked as error and `applied_by_agent` will be set to `false`. + This is useful for cases where the agent configuration was not applied successfully. 
+ type: string + etag: + description: If etags match then `applied_by_agent` field will be set to `true` + example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 + type: string + mark_as_applied_by_agent: + description: | + `markAsAppliedByAgent=true` means "force setting it to true regardless of etag". + This is needed for Jaeger agent that doesn't have etags + type: boolean + service: + $ref: '#/components/schemas/APM_UI_service_object' + required: + - service + APM_UI_search_agent_configuration_response: + type: object + properties: + _id: + description: Identifier + type: string + _index: + description: Index + type: string + _score: + description: Score + type: number + _source: + $ref: '#/components/schemas/APM_UI_agent_configuration_object' + APM_UI_service_agent_name_response: + type: object + properties: + agentName: + description: Agent name + example: nodejs + type: string + APM_UI_service_environment_object: + type: object + properties: + alreadyConfigured: + description: Already configured + type: boolean + name: + description: Service environment name + example: ALL_OPTION_VALUE + type: string + APM_UI_service_environments_response: + type: object + properties: + environments: + description: Service environment list + items: + $ref: '#/components/schemas/APM_UI_service_environment_object' + type: array + APM_UI_service_object: + description: Service + type: object + properties: + environment: + description: The environment of the service. + example: prod + type: string + name: + description: The name of the service. 
+ example: node + type: string + APM_UI_settings_object: + additionalProperties: + type: string + description: Agent configuration settings + type: object + APM_UI_single_agent_configuration_response: + allOf: + - type: object + properties: + id: + type: string + required: + - id + - $ref: '#/components/schemas/APM_UI_agent_configuration_object' + APM_UI_source_maps_response: + type: object + properties: + artifacts: + description: Artifacts + items: + allOf: + - type: object + properties: + body: + type: object + properties: + bundleFilepath: + type: string + serviceName: + type: string + serviceVersion: + type: string + sourceMap: + type: object + properties: + file: + type: string + mappings: + type: string + sourceRoot: + type: string + sources: + items: + type: string + type: array + sourcesContent: + items: + type: string + type: array + version: + type: number + - $ref: '#/components/schemas/APM_UI_base_source_map_object' + type: array + APM_UI_upload_source_map_object: + type: object + properties: + bundle_filepath: + description: The absolute path of the final bundle as used in the web application. + type: string + service_name: + description: The name of the service that the service map should apply to. + type: string + service_version: + description: The version of the service that the service map should apply to. + type: string + sourcemap: + description: | + The source map. It can be a string or file upload. It must follow the + [source map format specification](https://tc39.es/ecma426/). 
+ format: binary + type: string + required: + - service_name + - service_version + - bundle_filepath + - sourcemap + APM_UI_upload_source_maps_response: + allOf: + - type: object + properties: + body: + type: string + - $ref: '#/components/schemas/APM_UI_base_source_map_object' + Cases_actions: + enum: + - add + - create + - delete + - push_to_service + - update + example: create + type: string + Cases_actions_comment_response_properties: + title: Case response properties for actions comments + type: object + properties: + actions: + type: object + properties: + targets: + items: + type: object + properties: + endpointId: + example: 1 + type: string + hostname: + example: host-01 + type: string + type: array + type: + example: isolate + type: string + comment: + example: Isolating the host from the case UI. + type: string + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + $ref: '#/components/schemas/Cases_case_response_created_by_properties' + id: + example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + type: string + owner: + $ref: '#/components/schemas/Cases_owner' + pushed_at: + example: null + format: date-time + nullable: true + type: string + pushed_by: + $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' + type: + enum: + - actions + example: actions + type: string + updated_at: + example: null + format: date-time + nullable: true + type: string + updated_by: + $ref: '#/components/schemas/Cases_case_response_updated_by_properties' + version: + example: WzIwNDMxLDFd + type: string + required: + - type + Cases_add_alert_comment_request_properties: + description: Defines properties for case comment requests when type is alert. 
+ type: object + properties: + alertId: + $ref: '#/components/schemas/Cases_alert_identifiers' + index: + $ref: '#/components/schemas/Cases_alert_indices' + owner: + $ref: '#/components/schemas/Cases_owner' + rule: + $ref: '#/components/schemas/Cases_rule' + type: + description: The type of comment. + enum: + - alert + example: alert + type: string + required: + - alertId + - index + - owner + - rule + - type + title: Add case comment request properties for alerts + Cases_add_case_comment_request: + description: The add comment to case API request body varies depending on whether you are adding an alert or a comment. + discriminator: + mapping: + alert: '#/components/schemas/Cases_add_alert_comment_request_properties' + user: '#/components/schemas/Cases_add_user_comment_request_properties' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_add_alert_comment_request_properties' + - $ref: '#/components/schemas/Cases_add_user_comment_request_properties' + title: Add case comment request + Cases_add_case_file_request: + description: Defines the file that will be attached to the case. Optional parameters will be generated automatically from the file metadata if not defined. + type: object + properties: + file: + description: The file being attached to the case. + format: binary + type: string + filename: + description: The desired name of the file being attached to the case, it can be different than the name of the file in the filesystem. **This should not include the file extension.** + type: string + required: + - file + title: Add case file request properties + Cases_add_user_comment_request_properties: + description: Defines properties for case comment requests when type is user. + properties: + comment: + description: The new comment. It is required only when `type` is `user`. + example: A new comment. + maxLength: 30000 + type: string + owner: + $ref: '#/components/schemas/Cases_owner' + type: + description: The type of comment. 
+ enum: + - user + example: user + type: string + required: + - comment + - owner + - type + title: Add case comment request properties for user comments + type: object + Cases_alert_comment_response_properties: + title: Add case comment response properties for alerts + type: object + properties: + alertId: + items: + example: a6e12ac4-7bce-457b-84f6-d7ce8deb8446 + type: string + type: array + created_at: + example: '2023-11-06T19:29:38.424Z' + format: date-time + type: string + created_by: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + id: + example: 73362370-ab1a-11ec-985f-97e55adae8b9 + type: string + index: + items: + example: .internal.alerts-security.alerts-default-000001 + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + pushed_at: + example: null + format: date-time + nullable: true + type: string + pushed_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + rule: + type: object + properties: + id: + description: The rule identifier. + example: 94d80550-aaf4-11ec-985f-97e55adae8b9 + nullable: true + type: string + name: + description: The rule name. 
+ example: security_rule + nullable: true + type: string + type: + enum: + - alert + example: alert + type: string + updated_at: + format: date-time + nullable: true + type: string + updated_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + version: + example: WzMwNDgsMV0= + type: string + required: + - type + Cases_alert_identifiers: + description: | + The alert identifiers. It is required only when `type` is `alert`. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; `index` must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. + example: 6b24c4dc44bc720cfc92797f3d61fff952f2b2627db1fb4f8cc49f4530c4ff42 + oneOf: + - type: string + - items: + type: string + maxItems: 1000 + type: array + title: Alert identifiers + x-state: Technical preview + Cases_alert_indices: + description: | + The alert indices. It is required only when `type` is `alert`. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the `alertId` array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. 
+ oneOf: + - type: string + - items: + type: string + maxItems: 1000 + type: array + title: Alert indices + x-state: Technical preview + Cases_alert_response_properties: + type: object + properties: + attached_at: + format: date-time + type: string + id: + description: The alert identifier. + type: string + index: + description: The alert index. + type: string + Cases_assignees: + description: An array containing users that are assigned to the case. + items: + type: object + properties: + uid: + description: A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API. + example: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 + type: string + required: + - uid + maxItems: 10 + nullable: true + type: array + Cases_attachment_totals: + description: Counts of alerts, events, and user comments attached to a case. + properties: + alerts: + description: Number of alert attachments on the case. + type: integer + events: + description: Number of event attachments on the case. + type: integer + userComments: + description: Number of user comment attachments on the case. + type: integer + required: + - alerts + - events + - userComments + title: Attachment totals + type: object + Cases_case_categories: + items: + $ref: '#/components/schemas/Cases_case_category' + maxItems: 100 + type: array + Cases_case_category: + description: A word or phrase that categorizes the case. + maxLength: 50 + type: string + Cases_case_close_sync_reason: + description: | + The close reason to sync to attached alerts when closing the case. Can be one of following predefined reasons: [false_positive, duplicate, true_positive, benign_positive, automated_closure, other] or a custom reason provided by the user. + oneOf: + - enum: + - false_positive + - duplicate + - true_positive + - benign_positive + - automated_closure + - other + type: string + - type: string + Cases_case_description: + description: The description for the case. 
+ maxLength: 30000 + type: string + Cases_case_observable: + description: A single observable attached to a case. + properties: + createdAt: + description: When the observable was created. + example: '2024-11-14T10:00:00.000Z' + format: date-time + type: string + description: + description: An optional description for the observable. + example: Source IP + nullable: true + type: string + id: + description: The observable identifier. + example: df927ab8-54ed-47d6-be07-9948c255c097 + type: string + typeKey: + description: The observable type key. + example: observable-type-ipv4 + type: string + updatedAt: + description: When the observable was last updated. + example: '2024-11-14T10:00:00.000Z' + format: date-time + nullable: true + type: string + value: + description: The observable value. + example: 10.0.0.8 + type: string + required: + - id + - typeKey + - value + - description + - createdAt + - updatedAt + title: Case observable + type: object + Cases_case_response_closed_by_properties: + nullable: true + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + title: Case response properties for closed_by + type: object + Cases_case_response_created_by_properties: + title: Case response properties for created_by + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + Cases_case_response_get_case: + description: | + Case details returned by the get case API. 
The comments property is not included in the response. Use the find case comments API to retrieve comments. totalComment reflects the actual number of user comments. + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + category: + description: The case category. + nullable: true + type: string + closed_at: + format: date-time + nullable: true + type: string + closed_by: + $ref: '#/components/schemas/Cases_case_response_closed_by_properties' + connector: + discriminator: + mapping: + .cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook' + .jira: '#/components/schemas/Cases_connector_properties_jira' + .none: '#/components/schemas/Cases_connector_properties_none' + .resilient: '#/components/schemas/Cases_connector_properties_resilient' + .servicenow: '#/components/schemas/Cases_connector_properties_servicenow' + .servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir' + .swimlane: '#/components/schemas/Cases_connector_properties_swimlane' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_connector_properties_none' + - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' + - $ref: '#/components/schemas/Cases_connector_properties_jira' + - $ref: '#/components/schemas/Cases_connector_properties_resilient' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' + - $ref: '#/components/schemas/Cases_connector_properties_swimlane' + title: Case response properties for connectors + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + $ref: '#/components/schemas/Cases_case_response_created_by_properties' + customFields: + description: Custom field values for the case. + items: + type: object + properties: + key: + description: | + The unique identifier for the custom field. 
The key value must exist in the case configuration settings. + type: string + type: + description: | + The custom field type. It must match the type specified in the case configuration settings. + enum: + - text + - toggle + type: string + value: + description: | + The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`. + oneOf: + - maxLength: 160 + minLength: 1 + nullable: true + type: string + - type: boolean + type: array + description: + example: A case description. + type: string + duration: + description: | + The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero. + example: 120 + nullable: true + type: integer + external_service: + $ref: '#/components/schemas/Cases_external_service' + id: + example: 66b9aa00-94fa-11ea-9f74-e7e108796192 + type: string + incremental_id: + description: | + A monotonically increasing number assigned to each case, unique per space. This value is generated asynchronously after the case is created and may not be present immediately in the response. + example: 1 + nullable: true + type: integer + observables: + description: Observables attached to the case. 
+ items: + $ref: '#/components/schemas/Cases_case_observable' + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + status: + $ref: '#/components/schemas/Cases_case_status' + tags: + example: + - tag-1 + items: + type: string + type: array + title: + example: Case title 1 + type: string + total_observables: + description: The number of observables attached to the case. + example: 0 + nullable: true + type: integer + totalAlerts: + example: 0 + type: integer + totalComment: + description: The number of user comments on the case. Use the find case comments API to retrieve comment content. + example: 1 + type: integer + totalEvents: + description: The number of events attached to the case. + example: 0 + type: integer + updated_at: + format: date-time + nullable: true + type: string + updated_by: + $ref: '#/components/schemas/Cases_case_response_updated_by_properties' + version: + example: WzUzMiwxXQ== + type: string + required: + - closed_at + - closed_by + - connector + - created_at + - created_by + - description + - duration + - external_service + - id + - observables + - owner + - settings + - severity + - status + - tags + - title + - totalAlerts + - totalComment + - total_observables + - updated_at + - updated_by + - version + title: Get case response + type: object + Cases_case_response_properties: + title: Case response properties + type: object + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + category: + description: The case category. + nullable: true + type: string + closed_at: + format: date-time + nullable: true + type: string + closed_by: + $ref: '#/components/schemas/Cases_case_response_closed_by_properties' + comments: + description: An array of comment objects for the case. 
+ items: + discriminator: + mapping: + actions: '#/components/schemas/Cases_actions_comment_response_properties' + alert: '#/components/schemas/Cases_alert_comment_response_properties' + event: '#/components/schemas/Cases_event_comment_response_properties' + user: '#/components/schemas/Cases_user_comment_response_properties' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_actions_comment_response_properties' + - $ref: '#/components/schemas/Cases_alert_comment_response_properties' + - $ref: '#/components/schemas/Cases_event_comment_response_properties' + - $ref: '#/components/schemas/Cases_user_comment_response_properties' + maxItems: 10000 + title: Case response properties for comments + type: array + connector: + discriminator: + mapping: + .cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook' + .jira: '#/components/schemas/Cases_connector_properties_jira' + .none: '#/components/schemas/Cases_connector_properties_none' + .resilient: '#/components/schemas/Cases_connector_properties_resilient' + .servicenow: '#/components/schemas/Cases_connector_properties_servicenow' + .servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir' + .swimlane: '#/components/schemas/Cases_connector_properties_swimlane' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_connector_properties_none' + - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' + - $ref: '#/components/schemas/Cases_connector_properties_jira' + - $ref: '#/components/schemas/Cases_connector_properties_resilient' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' + - $ref: '#/components/schemas/Cases_connector_properties_swimlane' + title: Case response properties for connectors + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + $ref: 
'#/components/schemas/Cases_case_response_created_by_properties' + customFields: + description: Custom field values for the case. + items: + type: object + properties: + key: + description: | + The unique identifier for the custom field. The key value must exist in the case configuration settings. + type: string + type: + description: | + The custom field type. It must match the type specified in the case configuration settings. + enum: + - text + - toggle + type: string + value: + description: | + The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`. + oneOf: + - maxLength: 160 + minLength: 1 + nullable: true + type: string + - type: boolean + type: array + description: + example: A case description. + type: string + duration: + description: | + The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero. + example: 120 + nullable: true + type: integer + external_service: + $ref: '#/components/schemas/Cases_external_service' + id: + example: 66b9aa00-94fa-11ea-9f74-e7e108796192 + type: string + incremental_id: + description: | + A monotonically increasing number assigned to each case, unique per space. This value is generated asynchronously after the case is created and may not be present immediately in the response. + example: 1 + nullable: true + type: integer + observables: + description: Observables attached to the case. 
+ items: + $ref: '#/components/schemas/Cases_case_observable' + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + status: + $ref: '#/components/schemas/Cases_case_status' + tags: + example: + - tag-1 + items: + type: string + type: array + title: + example: Case title 1 + type: string + total_observables: + description: The number of observables attached to the case. + example: 0 + nullable: true + type: integer + totalAlerts: + example: 0 + type: integer + totalComment: + example: 0 + type: integer + totalEvents: + description: The number of events attached to the case. + example: 0 + type: integer + updated_at: + format: date-time + nullable: true + type: string + updated_by: + $ref: '#/components/schemas/Cases_case_response_updated_by_properties' + version: + example: WzUzMiwxXQ== + type: string + required: + - closed_at + - closed_by + - comments + - connector + - created_at + - created_by + - description + - duration + - external_service + - id + - observables + - owner + - settings + - severity + - status + - tags + - title + - totalAlerts + - totalComment + - total_observables + - updated_at + - updated_by + - version + Cases_case_response_pushed_by_properties: + nullable: true + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + title: Case response properties for pushed_by + type: object + Cases_case_response_updated_by_properties: + nullable: true + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: 
u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + title: Case response properties for updated_by + type: object + Cases_case_severity: + description: The severity of the case. + enum: + - critical + - high + - low + - medium + type: string + Cases_case_status: + description: The status of the case. + enum: + - closed + - in-progress + - open + type: string + Cases_case_tags: + description: | + The words and phrases that help categorize cases. It can be an empty array. + items: + maxLength: 256 type: string - Cases_defaultSearchOperator: - description: he default operator to use for the simple_query_string. - example: OR - in: query - name: defaultSearchOperator - schema: - default: OR + maxItems: 200 + type: array + Cases_case_title: + description: A title for the case. + maxLength: 160 + type: string + Cases_closure_types: + description: Indicates whether a case is automatically closed when it is pushed to external systems (`close-by-pushing`) or not automatically closed (`close-by-user`). + enum: + - close-by-pushing + - close-by-user + example: close-by-user + type: string + Cases_connector_properties_cases_webhook: + description: Defines properties for connectors when type is `.cases-webhook`. + type: object + properties: + fields: + example: null + nullable: true + type: string + id: + description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .cases-webhook + example: .cases-webhook + type: string + required: + - fields + - id + - name + - type + title: Create or upate case request properties for Cases Webhook connector + Cases_connector_properties_jira: + description: Defines properties for connectors when type is `.jira`. 
+ type: object + properties: + fields: + description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. + type: object + properties: + issueType: + description: The type of issue. + nullable: true + type: string + parent: + description: The key of the parent issue, when the issue type is sub-task. + nullable: true + type: string + priority: + description: The priority of the issue. + nullable: true + type: string + required: + - issueType + - parent + - priority + id: + description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .jira + example: .jira + type: string + required: + - fields + - id + - name + - type + title: Create or update case request properties for a Jira connector + Cases_connector_properties_none: + description: Defines properties for connectors when type is `.none`. + type: object + properties: + fields: + description: An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null. + example: null + nullable: true + type: string + id: + description: The identifier for the connector. To create a case without a connector, use `none`. To update a case to remove the connector, specify `none`. + example: none + type: string + name: + description: The name of the connector. To create a case without a connector, use `none`. To update a case to remove the connector, specify `none`. + example: none + type: string + type: + description: The type of connector. To create a case without a connector, use `.none`. To update a case to remove the connector, specify `.none`. 
+ enum: + - .none + example: .none + type: string + required: + - fields + - id + - name + - type + title: Create or update case request properties for no connector + Cases_connector_properties_resilient: + description: Defines properties for connectors when type is `.resilient`. + type: object + properties: + fields: + description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. + nullable: true + type: object + properties: + issueTypes: + description: The type of incident. + items: + type: string + type: array + severityCode: + description: The severity code of the incident. + type: string + required: + - issueTypes + - severityCode + id: + description: The identifier for the connector. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .resilient + example: .resilient + type: string + required: + - fields + - id + - name + - type + title: Create case request properties for a IBM Resilient connector + Cases_connector_properties_servicenow: + description: Defines properties for connectors when type is `.servicenow`. + type: object + properties: + fields: + description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. + type: object + properties: + category: + description: The category of the incident. + nullable: true + type: string + impact: + description: The effect an incident had on business. + nullable: true + type: string + severity: + description: The severity of the incident. + nullable: true + type: string + subcategory: + description: The subcategory of the incident. + nullable: true + type: string + urgency: + description: The extent to which the incident resolution can be delayed. + nullable: true + type: string + required: + - category + - impact + - severity + - subcategory + - urgency + id: + description: The identifier for the connector. 
To retrieve connector IDs, use the find connectors API. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .servicenow + example: .servicenow + type: string + required: + - fields + - id + - name + - type + title: Create case request properties for a ServiceNow ITSM connector + Cases_connector_properties_servicenow_sir: + description: Defines properties for connectors when type is `.servicenow-sir`. + type: object + properties: + fields: + description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. + type: object + properties: + category: + description: The category of the incident. + nullable: true + type: string + destIp: + description: Indicates whether cases will send a comma-separated list of destination IPs. + nullable: true + type: boolean + malwareHash: + description: Indicates whether cases will send a comma-separated list of malware hashes. + nullable: true + type: boolean + malwareUrl: + description: Indicates whether cases will send a comma-separated list of malware URLs. + nullable: true + type: boolean + priority: + description: The priority of the issue. + nullable: true + type: string + sourceIp: + description: Indicates whether cases will send a comma-separated list of source IPs. + nullable: true + type: boolean + subcategory: + description: The subcategory of the incident. + nullable: true + type: string + required: + - category + - destIp + - malwareHash + - malwareUrl + - priority + - sourceIp + - subcategory + id: + description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. 
+ enum: + - .servicenow-sir + example: .servicenow-sir + type: string + required: + - fields + - id + - name + - type + title: Create case request properties for a ServiceNow SecOps connector + Cases_connector_properties_swimlane: + description: Defines properties for connectors when type is `.swimlane`. + type: object + properties: + fields: + description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. + nullable: true + type: string + required: + - caseId + id: + description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .swimlane + example: .swimlane + type: string + required: + - fields + - id + - name + - type + title: Create case request properties for a Swimlane connector + Cases_connector_types: + description: The type of connector. + enum: + - .cases-webhook + - .jira + - .none + - .resilient + - .servicenow + - .servicenow-sir + - .swimlane + example: .none + type: string + Cases_create_case_request: + description: The create case API request body varies depending on the type of connector. 
+ properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + category: + $ref: '#/components/schemas/Cases_case_category' + connector: + oneOf: + - $ref: '#/components/schemas/Cases_connector_properties_none' + - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' + - $ref: '#/components/schemas/Cases_connector_properties_jira' + - $ref: '#/components/schemas/Cases_connector_properties_resilient' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' + - $ref: '#/components/schemas/Cases_connector_properties_swimlane' + customFields: + description: | + Custom field values for a case. Any optional custom fields that are not specified in the request are set to null. + items: + type: object + properties: + key: + description: | + The unique identifier for the custom field. The key value must exist in the case configuration settings. + type: string + type: + description: | + The custom field type. It must match the type specified in the case configuration settings. + enum: + - text + - toggle + type: string + value: + description: | + The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`. 
+ oneOf: + - maxLength: 160 + minLength: 1 + nullable: true + type: string + - type: boolean + required: + - key + - type + - value + maxItems: 10 + minItems: 0 + type: array + description: + $ref: '#/components/schemas/Cases_case_description' + owner: + $ref: '#/components/schemas/Cases_owner' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + tags: + $ref: '#/components/schemas/Cases_case_tags' + title: + $ref: '#/components/schemas/Cases_case_title' + required: + - connector + - description + - owner + - settings + - tags + - title + title: Create case request + type: object + Cases_event_comment_response_properties: + title: Case response properties for event comments + type: object + properties: + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + $ref: '#/components/schemas/Cases_case_response_created_by_properties' + eventId: + items: + example: 7605e6a6f9f4f990ad9f8f6901e5f082f1f1f1665cbaf2f0f2c6f8f6b0d8a39f + type: string + type: array + id: + example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + type: string + index: + items: + example: .internal.alerts-security.alerts-default-000001 + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + pushed_at: + example: null + format: date-time + nullable: true + type: string + pushed_by: + $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' + type: + enum: + - event + example: event + type: string + updated_at: + example: null + format: date-time + nullable: true + type: string + updated_by: + $ref: '#/components/schemas/Cases_case_response_updated_by_properties' + version: + example: WzIwNDMxLDFd + type: string + required: + - type + Cases_external_service: + nullable: true + type: object + properties: + connector_id: + type: string + connector_name: + type: string + external_id: + type: string + external_title: + type: string + external_url: + type: 
string + pushed_at: + format: date-time + type: string + pushed_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + Cases_find_comments_response: + title: Find case comments response + type: object + properties: + comments: + description: Paginated list of user comments for the case. + items: + $ref: '#/components/schemas/Cases_user_comment_response_properties' + type: array + page: + description: The current page index. + type: integer + per_page: + description: The number of items per page. + type: integer + total: + description: The total number of comments. + type: integer + required: + - comments + - page + - per_page + - total + Cases_owner: + description: | + The application that owns the cases: Stack Management, Observability, or Elastic Security. + enum: + - cases + - observability + - securitySolution + example: cases + type: string + Cases_owners: + items: + $ref: '#/components/schemas/Cases_owner' + type: array + Cases_payload_alert_comment: + type: object + properties: + comment: + type: object + properties: + alertId: + oneOf: + - example: 1c0b056b-cc9f-4b61-b5c9-cb801abd5e1d + type: string + - items: + type: string + type: array + index: + oneOf: + - example: .alerts-observability.logs.alerts-default + type: string + - items: + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + rule: + type: object + properties: + id: + description: The rule identifier. + example: 94d80550-aaf4-11ec-985f-97e55adae8b9 + nullable: true + type: string + name: + description: The rule name. 
+ example: security_rule + nullable: true + type: string + type: + enum: + - alert + type: string + Cases_payload_assignees: + type: object + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + Cases_payload_connector: + type: object + properties: + connector: + type: object + properties: + fields: + description: An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value. + example: null + nullable: true + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. + type: string + category: + description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. + type: string + destIp: + description: Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors. + nullable: true + type: boolean + impact: + description: The effect an incident had on business for ServiceNow ITSM connectors. + type: string + issueType: + description: The type of issue for Jira connectors. + type: string + issueTypes: + description: The type of incident for IBM Resilient connectors. + items: + type: string + type: array + malwareHash: + description: Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors. + nullable: true + type: boolean + malwareUrl: + description: Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors. + nullable: true + type: boolean + parent: + description: The key of the parent issue, when the issue type is sub-task for Jira connectors. + type: string + priority: + description: The priority of the issue for Jira and ServiceNow SecOps connectors. + type: string + severity: + description: The severity of the incident for ServiceNow ITSM connectors. 
+ type: string + severityCode: + description: The severity code of the incident for IBM Resilient connectors. + type: string + sourceIp: + description: Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors. + nullable: true + type: boolean + subcategory: + description: The subcategory of the incident for ServiceNow ITSM connectors. + type: string + urgency: + description: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors. + type: string + id: + description: The identifier for the connector. To create a case without a connector, use `none`. + example: none + type: string + name: + description: The name of the connector. To create a case without a connector, use `none`. + example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + Cases_payload_create_case: + type: object + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + connector: + type: object + properties: + fields: + description: An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value. + example: null + nullable: true + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. + type: string + category: + description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. + type: string + destIp: + description: Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors. + nullable: true + type: boolean + impact: + description: The effect an incident had on business for ServiceNow ITSM connectors. + type: string + issueType: + description: The type of issue for Jira connectors. + type: string + issueTypes: + description: The type of incident for IBM Resilient connectors. 
+ items: + type: string + type: array + malwareHash: + description: Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors. + nullable: true + type: boolean + malwareUrl: + description: Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors. + nullable: true + type: boolean + parent: + description: The key of the parent issue, when the issue type is sub-task for Jira connectors. + type: string + priority: + description: The priority of the issue for Jira and ServiceNow SecOps connectors. + type: string + severity: + description: The severity of the incident for ServiceNow ITSM connectors. + type: string + severityCode: + description: The severity code of the incident for IBM Resilient connectors. + type: string + sourceIp: + description: Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors. + nullable: true + type: boolean + subcategory: + description: The subcategory of the incident for ServiceNow ITSM connectors. + type: string + urgency: + description: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors. + type: string + id: + description: The identifier for the connector. To create a case without a connector, use `none`. + example: none + type: string + name: + description: The name of the connector. To create a case without a connector, use `none`. 
+ example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + description: + type: string + owner: + $ref: '#/components/schemas/Cases_owner' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + status: + $ref: '#/components/schemas/Cases_case_status' + tags: + example: + - tag-1 + items: + type: string + type: array + title: + type: string + Cases_payload_delete: + description: If the `action` is `delete` and the `type` is `delete_case`, the payload is nullable. + nullable: true + type: object + Cases_payload_description: + type: object + properties: + description: + type: string + Cases_payload_pushed: + type: object + properties: + externalService: + $ref: '#/components/schemas/Cases_external_service' + Cases_payload_settings: + type: object + properties: + settings: + $ref: '#/components/schemas/Cases_settings' + Cases_payload_severity: + type: object + properties: + severity: + $ref: '#/components/schemas/Cases_case_severity' + Cases_payload_status: + type: object + properties: + status: + $ref: '#/components/schemas/Cases_case_status' + Cases_payload_tags: + type: object + properties: + tags: + example: + - tag-1 + items: + type: string + type: array + Cases_payload_title: + type: object + properties: + title: + type: string + Cases_payload_user_comment: + type: object + properties: + comment: + type: object + properties: + comment: + type: string + owner: + $ref: '#/components/schemas/Cases_owner' + type: + enum: + - user + type: string + Cases_related_case: + description: | + Summary of a case returned when listing cases that contain a given alert. This is a subset of the full case response. + properties: + createdAt: + description: When the case was created. + format: date-time + type: string + description: + description: The case description. + type: string + id: + description: The case identifier. 
+ type: string + status: + $ref: '#/components/schemas/Cases_case_status' + title: + description: The case title. + type: string + totals: + $ref: '#/components/schemas/Cases_attachment_totals' + required: + - id + - title + - description + - status + - createdAt + - totals + title: Related case + type: object + Cases_response_4xx: + properties: + error: + example: Unauthorized + type: string + message: + type: string + statusCode: + example: 401 + type: integer + title: Unsuccessful cases API response + type: object + Cases_rule: + description: | + The rule that is associated with the alerts. It is required only when `type` is `alert`. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. + title: Alerting rule + type: object + properties: + id: + description: The rule identifier. + example: 94d80550-aaf4-11ec-985f-97e55adae8b9 + type: string + name: + description: The rule name. + example: security_rule + type: string + x-state: Technical preview + Cases_searchFieldsType: + description: The fields to perform the `simple_query_string` parsed query against. + enum: + - description + - title + type: string + Cases_searchFieldsTypeArray: + items: + $ref: '#/components/schemas/Cases_searchFieldsType' + type: array + Cases_set_case_configuration_request: + description: External connection details, such as the closure type and default connector for cases. + properties: + closure_type: + $ref: '#/components/schemas/Cases_closure_types' + connector: + description: An object that contains the connector configuration. + type: object + properties: + fields: + description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. + nullable: true + type: object + id: + description: The identifier for the connector. 
If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. + example: none + type: string + name: + description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. + example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + required: + - fields + - id + - name + - type + customFields: + description: Custom fields case configuration. + items: + type: object + properties: + defaultValue: + description: | + A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. + oneOf: + - type: string + - type: boolean + key: + description: | + A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. + maxLength: 36 + minLength: 1 + type: string + label: + description: The custom field label that is displayed in the case. + maxLength: 50 + minLength: 1 + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + required: + description: | + Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. + type: boolean + required: + - key + - label + - required + - type + maxItems: 10 + minItems: 0 + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + templates: + $ref: '#/components/schemas/Cases_templates' + required: + - closure_type + - connector + - owner + title: Set case configuration request + type: object + Cases_settings: + description: An object that contains the case settings. + type: object + properties: + extractObservables: + description: | + When true, observables (e.g. IPs, hashes, URLs) are automatically extracted from case comments. 
Optional; defaults to false when omitted.
+ example: false
+ type: boolean
+ syncAlerts:
+ description: Turns alert syncing on or off.
+ example: true
+ type: boolean
+ required:
+ - syncAlerts
+ Cases_string:
+ type: string
+ Cases_string_array:
+ items:
+ $ref: '#/components/schemas/Cases_string'
+ maxItems: 100
+ type: array
+ Cases_template_tags:
+ description: |
+ The words and phrases that help categorize templates. It can be an empty array.
+ items:
+ maxLength: 256
 type: string
- Cases_from:
- description: >
- Returns only cases that were created after a specific date. The date
- must be specified as a KQL data range or date match expression.
- in: query
- name: from
- schema:
- example: now-1d
+ maxItems: 200
+ type: array
+ Cases_templates:
+ items:
+ type: object
+ properties:
+ caseFields:
+ type: object
+ properties:
+ assignees:
+ $ref: '#/components/schemas/Cases_assignees'
+ category:
+ $ref: '#/components/schemas/Cases_case_category'
+ connector:
+ type: object
+ properties:
+ fields:
+ description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`.
+ nullable: true
+ type: object
+ id:
+ description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API.
+ example: none
+ type: string
+ name:
+ description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API.
+ example: none
+ type: string
+ type:
+ $ref: '#/components/schemas/Cases_connector_types'
+ customFields:
+ description: Custom field values in the template.
+ items:
+ type: object
+ properties:
+ key:
+ description: The unique key for the custom field.
+ type: string
+ type:
+ description: The type of the custom field.
+ enum:
+ - text
+ - toggle
+ type: string
+ value:
+ description: |
+ The default value for the custom field when a case uses the template. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean.
+ oneOf:
+ - type: string
+ - type: boolean
+ type: array
+ x-state: Technical preview
+ description:
+ $ref: '#/components/schemas/Cases_case_description'
+ settings:
+ $ref: '#/components/schemas/Cases_settings'
+ severity:
+ $ref: '#/components/schemas/Cases_case_severity'
+ tags:
+ $ref: '#/components/schemas/Cases_case_tags'
+ title:
+ $ref: '#/components/schemas/Cases_case_title'
+ description:
+ description: A description for the template.
+ type: string
+ key:
+ description: |
+ A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.
+ type: string
+ name:
+ description: The name of the template.
+ type: string
+ tags:
+ $ref: '#/components/schemas/Cases_template_tags'
+ type: array
+ x-state: Technical preview
+ Cases_update_alert_comment_request_properties:
+ description: Defines properties for case comment requests when type is alert.
+ type: object
+ properties:
+ alertId:
+ $ref: '#/components/schemas/Cases_alert_identifiers'
+ id:
+ description: |
+ The identifier for the comment. To retrieve comment IDs, use the get comments API.
+ example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6
+ type: string
+ index:
+ $ref: '#/components/schemas/Cases_alert_indices'
+ owner:
+ $ref: '#/components/schemas/Cases_owner'
+ rule:
+ $ref: '#/components/schemas/Cases_rule'
+ type:
+ description: The type of comment.
+ enum:
+ - alert
+ example: alert
+ type: string
+ version:
+ description: |
+ The current comment version. To retrieve version values, use the get comments API.
+ example: Wzk1LDFd
+ type: string
+ required:
+ - alertId
+ - id
+ - index
+ - owner
+ - rule
+ - type
+ - version
+ title: Update case comment request properties for alerts
+ Cases_update_case_comment_request:
+ description: The update case comment API request body varies depending on whether you are updating an alert or a comment.
+ discriminator:
+ mapping:
+ alert: '#/components/schemas/Cases_update_alert_comment_request_properties'
+ user: '#/components/schemas/Cases_update_user_comment_request_properties'
+ propertyName: type
+ oneOf:
+ - $ref: '#/components/schemas/Cases_update_alert_comment_request_properties'
+ - $ref: '#/components/schemas/Cases_update_user_comment_request_properties'
+ title: Update case comment request
+ Cases_update_case_configuration_request:
+ description: |
+ You can update settings such as the closure type, custom fields, templates, and the default connector for cases.
+ properties:
+ closure_type:
+ $ref: '#/components/schemas/Cases_closure_types'
+ connector:
+ description: An object that contains the connector configuration.
+ type: object
+ properties:
+ fields:
+ description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`.
+ nullable: true
+ type: object
+ id:
+ description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API.
+ example: none
+ type: string
+ name:
+ description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API.
+ example: none
+ type: string
+ type:
+ $ref: '#/components/schemas/Cases_connector_types'
+ required:
+ - fields
+ - id
+ - name
+ - type
+ customFields:
+ description: Custom fields case configuration.
+ items:
+ type: object
+ properties:
+ defaultValue:
+ description: |
+ A default value for the custom field.
If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean.
+ oneOf:
+ - type: string
+ - type: boolean
+ key:
+ description: |
+ A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.
+ maxLength: 36
+ minLength: 1
+ type: string
+ label:
+ description: The custom field label that is displayed in the case.
+ maxLength: 50
+ minLength: 1
+ type: string
+ type:
+ description: The type of the custom field.
+ enum:
+ - text
+ - toggle
+ type: string
+ required:
+ description: |
+ Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated.
+ type: boolean
+ required:
+ - key
+ - label
+ - required
+ - type
+ type: array
+ templates:
+ $ref: '#/components/schemas/Cases_templates'
+ version:
+ description: |
+ The version of the connector. To retrieve the version value, use the get configuration API.
+ example: WzIwMiwxXQ==
+ type: string
+ required:
+ - version
+ title: Update case configuration request
+ type: object
+ Cases_update_case_request:
+ description: The update case API request body varies depending on the type of connector.
+ properties:
+ cases:
+ description: An array containing one or more case objects.
+ items:
+ type: object
+ properties:
+ assignees:
+ $ref: '#/components/schemas/Cases_assignees'
+ category:
+ $ref: '#/components/schemas/Cases_case_category'
+ closeReason:
+ $ref: '#/components/schemas/Cases_case_close_sync_reason'
+ connector:
+ oneOf:
+ - $ref: '#/components/schemas/Cases_connector_properties_none'
+ - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook'
+ - $ref: '#/components/schemas/Cases_connector_properties_jira'
+ - $ref: '#/components/schemas/Cases_connector_properties_resilient'
+ - $ref: '#/components/schemas/Cases_connector_properties_servicenow'
+ - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir'
+ - $ref: '#/components/schemas/Cases_connector_properties_swimlane'
+ customFields:
+ description: |
+ Custom field values for a case. Any optional custom fields that are not specified in the request are set to null.
+ items:
+ type: object
+ properties:
+ key:
+ description: |
+ The unique identifier for the custom field. The key value must exist in the case configuration settings.
+ type: string
+ type:
+ description: |
+ The custom field type. It must match the type specified in the case configuration settings.
+ enum:
+ - text
+ - toggle
+ type: string
+ value:
+ description: |
+ The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`.
+ oneOf:
+ - maxLength: 160
+ minLength: 1
+ nullable: true
+ type: string
+ - type: boolean
+ required:
+ - key
+ - type
+ - value
+ maxItems: 10
+ minItems: 0
+ type: array
+ description:
+ $ref: '#/components/schemas/Cases_case_description'
+ id:
+ description: The identifier for the case.
+ maxLength: 30000
+ type: string
+ settings:
+ $ref: '#/components/schemas/Cases_settings'
+ severity:
+ $ref: '#/components/schemas/Cases_case_severity'
+ status:
+ $ref: '#/components/schemas/Cases_case_status'
+ tags:
+ $ref: '#/components/schemas/Cases_case_tags'
+ title:
+ $ref: '#/components/schemas/Cases_case_title'
+ version:
+ description: |
+ The current version of the case. To determine this value, use the get case or search cases (`_find`) APIs.
+ type: string
+ required:
+ - id
+ - version
+ maxItems: 100
+ minItems: 1
+ type: array
+ required:
+ - cases
+ title: Update case request
+ type: object
+ Cases_update_user_comment_request_properties:
+ description: Defines properties for case comment requests when type is user.
+ properties:
+ comment:
+ description: The new comment. It is required only when `type` is `user`.
+ example: A new comment.
+ maxLength: 30000
+ type: string
+ id:
+ description: |
+ The identifier for the comment. To retrieve comment IDs, use the get comments API.
+ example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6
+ type: string
+ owner:
+ $ref: '#/components/schemas/Cases_owner'
+ type:
+ description: The type of comment.
+ enum:
+ - user
+ example: user
+ type: string
+ version:
+ description: |
+ The current comment version. To retrieve version values, use the get comments API.
+ example: Wzk1LDFd
+ type: string
+ required:
+ - comment
+ - id
+ - owner
+ - type
+ - version
+ title: Update case comment request properties for user comments
+ type: object
+ Cases_user_actions_find_response_properties:
+ type: object
+ properties:
+ action:
+ $ref: '#/components/schemas/Cases_actions'
+ comment_id:
+ example: 578608d0-03b1-11ed-920c-974bfa104448
+ nullable: true
+ type: string
+ created_at:
+ example: '2022-05-13T09:16:17.416Z'
+ format: date-time
+ type: string
+ created_by:
+ type: object
+ properties:
+ email:
+ example: null
+ nullable: true
+ type: string
+ full_name:
+ example: null
+ nullable: true
+ type: string
+ profile_uid:
+ example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0
+ type: string
+ username:
+ example: elastic
+ nullable: true
+ type: string
+ required:
+ - email
+ - full_name
+ - username
+ id:
+ example: 22fd3e30-03b1-11ed-920c-974bfa104448
+ type: string
+ owner:
+ $ref: '#/components/schemas/Cases_owner'
+ payload:
+ oneOf:
+ - $ref: '#/components/schemas/Cases_payload_alert_comment'
+ - $ref: '#/components/schemas/Cases_payload_assignees'
+ - $ref: '#/components/schemas/Cases_payload_connector'
+ - $ref: '#/components/schemas/Cases_payload_create_case'
+ - $ref: '#/components/schemas/Cases_payload_delete'
+ - $ref: '#/components/schemas/Cases_payload_description'
+ - $ref: '#/components/schemas/Cases_payload_pushed'
+ - $ref: '#/components/schemas/Cases_payload_settings'
+ - $ref: '#/components/schemas/Cases_payload_severity'
+ - $ref: '#/components/schemas/Cases_payload_status'
+ - $ref: '#/components/schemas/Cases_payload_tags'
+ - $ref: '#/components/schemas/Cases_payload_title'
+ - $ref: '#/components/schemas/Cases_payload_user_comment'
+ type:
+ description: The type of action.
+ enum:
+ - assignees
+ - category
+ - comment
+ - connector
+ - create_case
+ - customFields
+ - delete_case
+ - description
+ - extended_fields
+ - observables
+ - pushed
+ - settings
+ - severity
+ - status
+ - tags
+ - title
+ example: create_case
+ type: string
+ version:
+ example: WzM1ODg4LDFd
+ type: string
+ required:
+ - action
+ - comment_id
+ - created_at
+ - created_by
+ - id
+ - owner
+ - payload
+ - type
+ - version
+ Cases_user_comment_response_properties:
+ title: Case response properties for user comments
+ type: object
+ properties:
+ comment:
+ example: A new comment.
+ type: string
+ created_at:
+ example: '2022-05-13T09:16:17.416Z'
+ format: date-time
+ type: string
+ created_by:
+ $ref: '#/components/schemas/Cases_case_response_created_by_properties'
+ id:
+ example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6
+ type: string
+ owner:
+ $ref: '#/components/schemas/Cases_owner'
+ pushed_at:
+ example: null
+ format: date-time
+ nullable: true
+ type: string
+ pushed_by:
+ $ref: '#/components/schemas/Cases_case_response_pushed_by_properties'
+ type:
+ enum:
+ - user
+ example: user
+ type: string
+ updated_at:
+ example: null
+ format: date-time
+ nullable: true
+ type: string
+ updated_by:
+ $ref: '#/components/schemas/Cases_case_response_updated_by_properties'
+ version:
+ example: WzIwNDMxLDFd
+ type: string
+ required:
+ - type
+ Data_views_400_response:
+ title: Bad request
+ type: object
+ properties:
+ error:
+ example: Bad Request
+ type: string
+ message:
+ type: string
+ statusCode:
+ example: 400
+ type: number
+ required:
+ - statusCode
+ - error
+ - message
+ Data_views_404_response:
+ type: object
+ properties:
+ error:
+ enum:
+ - Not Found
+ example: Not Found
+ type: string
+ message:
+ example: Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found
+ type: string
+ statusCode:
+ enum:
+ - 404
+ example: 404
+ type: integer
+ Data_views_allownoindex:
+ description: Allows the data view saved object to exist before
the data is available. Defaults to `false`.
+ type: boolean
+ Data_views_create_data_view_request_object:
+ title: Create data view request
+ type: object
+ properties:
+ data_view:
+ description: The data view object.
+ type: object
+ properties:
+ allowNoIndex:
+ $ref: '#/components/schemas/Data_views_allownoindex'
+ fieldAttrs:
+ additionalProperties:
+ $ref: '#/components/schemas/Data_views_fieldattrs'
+ type: object
+ fieldFormats:
+ $ref: '#/components/schemas/Data_views_fieldformats'
+ fields:
+ type: object
+ id:
+ type: string
+ name:
+ description: The data view name.
+ type: string
+ namespaces:
+ $ref: '#/components/schemas/Data_views_namespaces'
+ runtimeFieldMap:
+ additionalProperties:
+ $ref: '#/components/schemas/Data_views_runtimefieldmap'
+ type: object
+ sourceFilters:
+ $ref: '#/components/schemas/Data_views_sourcefilters'
+ timeFieldName:
+ $ref: '#/components/schemas/Data_views_timefieldname'
+ title:
+ $ref: '#/components/schemas/Data_views_title'
+ type:
+ $ref: '#/components/schemas/Data_views_type'
+ typeMeta:
+ $ref: '#/components/schemas/Data_views_typemeta'
+ version:
+ type: string
+ required:
+ - title
+ override:
+ default: false
+ description: Override an existing data view if a data view with the provided title already exists.
+ type: boolean
+ required:
+ - data_view
+ Data_views_data_view_response_object:
+ title: Data view response properties
+ type: object
+ properties:
+ data_view:
+ type: object
+ properties:
+ allowNoIndex:
+ $ref: '#/components/schemas/Data_views_allownoindex'
+ fieldAttrs:
+ additionalProperties:
+ $ref: '#/components/schemas/Data_views_fieldattrs'
+ type: object
+ fieldFormats:
+ $ref: '#/components/schemas/Data_views_fieldformats'
+ fields:
+ type: object
+ id:
+ example: ff959d40-b880-11e8-a6d9-e546fe2bba5f
+ type: string
+ name:
+ description: The data view name.
+ type: string
+ namespaces:
+ $ref: '#/components/schemas/Data_views_namespaces'
+ runtimeFieldMap:
+ additionalProperties:
+ $ref: '#/components/schemas/Data_views_runtimefieldmap'
+ type: object
+ sourceFilters:
+ $ref: '#/components/schemas/Data_views_sourcefilters'
+ timeFieldName:
+ $ref: '#/components/schemas/Data_views_timefieldname'
+ title:
+ $ref: '#/components/schemas/Data_views_title'
+ typeMeta:
+ $ref: '#/components/schemas/Data_views_typemeta_response'
+ version:
+ example: WzQ2LDJd
+ type: string
+ Data_views_fieldattrs:
+ description: A map of field attributes by field name.
+ type: object
+ properties:
+ count:
+ description: Popularity count for the field.
+ type: integer
+ customDescription:
+ description: Custom description for the field.
+ maxLength: 300
+ type: string
+ customLabel:
+ description: Custom label for the field.
+ type: string
+ Data_views_fieldformats:
+ description: A map of field formats by field name.
+ type: object
+ Data_views_namespaces:
+ description: An array of space identifiers for sharing the data view between multiple spaces.
+ items:
+ default: default
 type: string
- Cases_ids:
- description: >
- The cases that you want to removed. To get the case identifiers, use the
- search cases (`_find`) API. In the Dev Console, you can specify the
- array of cases in the following format:
- `ids=["e58e77e3-ef8e-4251-926f-efb115f3c4ec"]`. In `curl`, all non-ASCII
- characters must be URL encoded. For example:
- `ids=%5B%22e58e77e3-ef8e-4251-926f-efb115f3c4ec%22%5D`
- in: query
- name: ids
- required: true
- schema:
- items:
- example: d4e7abb0-b462-11ec-9a8d-698504725a43
+ type: array
+ Data_views_runtimefieldmap:
+ description: A map of runtime field definitions by field name.
+ type: object
+ properties:
+ script:
+ type: object
+ properties:
+ source:
+ description: Script for the runtime field.
+ type: string
+ type:
+ description: Mapping type of the runtime field.
+ type: string
+ required:
+ - script
+ - type
+ Data_views_sourcefilters:
+ description: The array of field names you want to filter out in Discover.
+ items:
+ type: object
+ properties:
+ value:
+ type: string
+ required:
+ - value
+ type: array
+ Data_views_swap_data_view_request_object:
+ title: Data view reference swap request
+ type: object
+ properties:
+ delete:
+ description: Deletes referenced saved object if all references are removed.
+ type: boolean
+ forId:
+ description: Limit the affected saved objects to one or more by identifier.
+ oneOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ forType:
+ description: Limit the affected saved objects by type.
+ type: string
+ fromId:
+ description: The saved object reference to change.
+ type: string
+ fromType:
+ description: |
+ Specify the type of the saved object reference to alter. The default value is `index-pattern` for data views.
+ type: string
+ toId:
+ description: New saved object reference value to replace the old value.
+ type: string
+ required:
+ - fromId
+ - toId
+ Data_views_timefieldname:
+ description: The timestamp field name, which you use for time-based data views.
+ type: string
+ Data_views_title:
+ description: Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (`*`).
+ type: string
+ Data_views_type:
+ description: When set to `rollup`, identifies the rollup data views.
+ type: string
+ Data_views_typemeta:
+ description: When you use rollup indices, contains the field list for the rollup data view API endpoints.
+ type: object
+ properties:
+ aggs:
+ description: A map of rollup restrictions by aggregation type and field name.
+ type: object
+ params:
+ description: Properties for retrieving rollup fields.
+ type: object
+ required:
+ - aggs
+ - params
+ Data_views_typemeta_response:
+ description: When you use rollup indices, contains the field list for the rollup data view API endpoints.
+ nullable: true
+ type: object
+ properties:
+ aggs:
+ description: A map of rollup restrictions by aggregation type and field name.
+ type: object
+ params:
+ description: Properties for retrieving rollup fields.
+ type: object
+ Data_views_update_data_view_request_object:
+ title: Update data view request
+ type: object
+ properties:
+ data_view:
+ description: |
+ The data view properties you want to update. Only the specified properties are updated in the data view. Unspecified fields stay as they are persisted.
+ type: object
+ properties:
+ allowNoIndex:
+ $ref: '#/components/schemas/Data_views_allownoindex'
+ fieldFormats:
+ $ref: '#/components/schemas/Data_views_fieldformats'
+ fields:
+ type: object
+ name:
+ type: string
+ runtimeFieldMap:
+ additionalProperties:
+ $ref: '#/components/schemas/Data_views_runtimefieldmap'
+ type: object
+ sourceFilters:
+ $ref: '#/components/schemas/Data_views_sourcefilters'
+ timeFieldName:
+ $ref: '#/components/schemas/Data_views_timefieldname'
+ title:
+ $ref: '#/components/schemas/Data_views_title'
+ type:
+ $ref: '#/components/schemas/Data_views_type'
+ typeMeta:
+ $ref: '#/components/schemas/Data_views_typemeta'
+ refresh_fields:
+ default: false
+ description: Reloads the data view fields after the data view is updated.
+ type: boolean
+ required:
+ - data_view
+ Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting:
+ additionalProperties: false
+ properties:
+ actions:
+ default: []
+ items:
+ additionalProperties: false
+ description: An action that runs under defined conditions.
+ type: object
+ properties:
+ alerts_filter:
+ additionalProperties: false
+ description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
+ type: object
+ properties:
+ query:
+ additionalProperties: false
+ type: object
+ properties:
+ dsl:
+ description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
+ type: string
+ filters:
+ description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ $state:
+ additionalProperties: false
+ type: object
+ properties:
+ store:
+ description: A filter can be either specific to an application context or applied globally.
+ enum:
+ - appState
+ - globalState
+ type: string
+ required:
+ - store
+ meta:
+ additionalProperties:
+ description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
+ nullable: true
+ type: object
+ query:
+ additionalProperties:
+ description: A query for the filter.
+ nullable: true
+ type: object
+ required:
+ - meta
+ type: array
+ kql:
+ description: A filter written in Kibana Query Language (KQL).
+ type: string
+ required:
+ - kql
+ - filters
+ timeframe:
+ additionalProperties: false
+ description: Defines a period that limits whether the action runs.
+ type: object
+ properties:
+ days:
+ description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
+ items:
+ enum:
+ - 1
+ - 2
+ - 3
+ - 4
+ - 5
+ - 6
+ - 7
+ type: integer
+ type: array
+ hours:
+ additionalProperties: false
+ description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day.
+ type: object
+ properties:
+ end:
+ description: The end of the time frame in 24-hour notation (`hh:mm`).
+ type: string
+ start:
+ description: The start of the time frame in 24-hour notation (`hh:mm`).
+ type: string
+ required:
+ - start
+ - end
+ timezone:
+ description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
+ type: string
+ required:
+ - days
+ - hours
+ - timezone
+ frequency:
+ additionalProperties: false
+ type: object
+ properties:
+ notify_when:
+ description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ enum:
+ - onActionGroupChange
+ - onActiveAlert
+ - onThrottleInterval
+ type: string
+ summary:
+ description: Indicates whether the action is a summary.
+ type: boolean
+ throttle:
+ description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ nullable: true
+ type: string
+ required:
+ - summary
+ - notify_when
+ - throttle
+ group:
+ description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
+ type: string
+ id:
+ description: The identifier for the connector saved object.
+ type: string
+ params:
+ additionalProperties:
+ nullable: true
+ default: {}
+ description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
+ type: object
+ use_alert_data_for_template:
+ description: Indicates whether to use alert data as a template.
+ type: boolean
+ uuid:
+ description: A universally unique identifier (UUID) for the action.
+ type: string
+ required:
+ - id
+ type: array
+ alert_delay:
+ additionalProperties: false
+ description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
+ type: object
+ properties:
+ active:
+ description: The number of consecutive runs that must meet the rule conditions.
+ type: number
+ required:
+ - active
+ artifacts:
+ additionalProperties: false
+ type: object
+ properties:
+ dashboards:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ maxItems: 10
+ type: array
+ investigation_guide:
+ additionalProperties: false
+ type: object
+ properties:
+ blob:
+ maxLength: 10000
+ type: string
+ required:
+ - blob
+ consumer:
+ description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
+ type: string
+ enabled:
+ default: true
+ description: Indicates whether you want to run the rule on an interval basis after it is created.
+ type: boolean
+ flapping:
+ additionalProperties: false
+ description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
+ nullable: true
+ type: object
+ properties:
+ enabled:
+ description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
+ type: boolean
+ look_back_window:
+ description: The minimum number of runs in which the threshold must be met.
+ maximum: 20
+ minimum: 2
+ type: number
+ status_change_threshold:
+ description: The minimum number of times an alert must switch states in the look back window.
+ maximum: 20
+ minimum: 2
+ type: number
+ required:
+ - look_back_window
+ - status_change_threshold
+ name:
+ description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
+ type: string
+ notify_when:
+ description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ enum:
+ - onActionGroupChange
+ - onActiveAlert
+ - onThrottleInterval
+ nullable: true
+ type: string
+ params:
+ additionalProperties: false
+ description: The parameters for the APM anomaly rule.
These parameters are appropriate when `rule_type_id` is `apm.anomaly"`.
+ properties:
+ anomalyDetectorTypes:
+ description: The types of anomalies that are detected. For example, detect abnormal latency, throughput, or failed transaction rates.
+ items:
+ enum:
+ - txLatency
+ - txThroughput
+ - txFailureRate
+ type: string
+ minItems: 1
+ type: array
+ anomalySeverityType:
+ description: 'The severity of anomalies that result in an alert: critical, major, minor, or warning.'
+ enum:
+ - critical
+ - major
+ - minor
+ - warning
+ type: string
+ environment:
+ description: The environment from APM.
+ type: string
+ serviceName:
+ description: The service name from APM.
+ type: string
+ transactionType:
+ description: The transaction type from APM.
+ type: string
+ windowSize:
+ description: The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
+ type: number
+ windowUnit:
+ description: 'The type of units for the time window: minutes, hours, or days.'
+ type: string
+ required:
+ - windowSize
+ - windowUnit
+ - environment
+ - anomalySeverityType
+ title: APM Anomaly Rule Params
+ type: object
+ rule_type_id:
+ enum:
+ - apm.anomaly
+ type: string
+ schedule:
+ additionalProperties: false
+ description: The check interval, which specifies how frequently the rule conditions are checked.
+ type: object
+ properties:
+ interval:
+ description: The interval is specified in seconds, minutes, hours, or days.
+ type: string
+ required:
+ - interval
+ tags:
+ default: []
+ description: The tags for the rule.
+ items:
+ type: string
+ type: array
+ throttle:
+ description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level.
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ nullable: true
+ type: string
+ required:
+ - name
+ - consumer
+ - schedule
+ - rule_type_id
+ - params
+ title: APM anomaly
+ type: object
+ Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting:
+ additionalProperties: false
+ properties:
+ actions:
+ default: []
+ items:
+ additionalProperties: false
+ description: An action that runs under defined conditions.
+ type: object
+ properties:
+ alerts_filter:
+ additionalProperties: false
+ description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
+ type: object
+ properties:
+ query:
+ additionalProperties: false
+ type: object
+ properties:
+ dsl:
+ description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
+ type: string
+ filters:
+ description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ $state:
+ additionalProperties: false
+ type: object
+ properties:
+ store:
+ description: A filter can be either specific to an application context or applied globally.
+ enum:
+ - appState
+ - globalState
+ type: string
+ required:
+ - store
+ meta:
+ additionalProperties:
+ description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
+ nullable: true
+ type: object
+ query:
+ additionalProperties:
+ description: A query for the filter.
+ nullable: true
+ type: object
+ required:
+ - meta
+ type: array
+ kql:
+ description: A filter written in Kibana Query Language (KQL).
+ type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the error count rule. These parameters are appropriate when `rule_type_id` is `apm.error_rate`. + properties: + environment: + description: Filter the errors coming from your application to apply the rule to a specific environment. + type: string + errorGroupingKey: + description: Filter the errors coming from your application to apply the rule to a specific error grouping key, which is a hash of the stack trace and other properties. + type: string + groupBy: + items: + description: Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group. + type: string + type: array + searchConfiguration: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + language: + type: string + query: + anyOf: + - type: string + - additionalProperties: + nullable: true + type: object + required: + - query + - language + required: + - query + serviceName: + description: Filter the errors coming from your application to apply the rule to a specific service. 
+ type: string + threshold: + description: The number of errors, which is the threshold for alerts. + type: number + useKqlFilter: + description: A filter in Kibana Query Language (KQL) that limits the scope of the rule. + type: boolean + windowSize: + description: The time frame in which the errors must occur (in `windowUnit` units). Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + windowUnit: + description: 'The type of units for the time window: minutes, hours, or days.' + type: string + required: + - windowSize + - windowUnit + - threshold + - environment + title: Error Count Rule Params + type: object + rule_type_id: + enum: + - apm.error_rate + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Error rate + type: object + Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. 
+ type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. 
+ items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. 
NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the transaction duration rule. These parameters are appropriate when `rule_type_id` is `apm.transaction_duration`. + properties: + aggregationType: + description: The type of aggregation to perform. + enum: + - avg + - 95th + - 99th + type: string + environment: + description: Filter the rule to apply to a specific environment. + type: string + groupBy: + items: + description: Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group. + type: string + type: array + searchConfiguration: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + language: + type: string + query: + anyOf: + - type: string + - additionalProperties: + nullable: true + type: object + required: + - query + - language + required: + - query + serviceName: + description: Filter the rule to apply to a specific service. + type: string + threshold: + description: The latency threshold value. + type: number + transactionName: + description: Filter the rule to apply to a specific transaction name. + type: string + transactionType: + description: Filter the rule to apply to a specific transaction type. + type: string + useKqlFilter: + description: A Kibana Query Language (KQL) expression thats limits the scope of alerts. + type: boolean + windowSize: + description: The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + windowUnit: + description: 'The type of units for the time window. For example: minutes, hours, or days.' 
+ type: string + required: + - windowSize + - windowUnit + - threshold + - aggregationType + - environment + title: Transaction Duration Rule Params + type: object + rule_type_id: + enum: + - apm.transaction_duration + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Transaction duration + type: object + Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). 
+ type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. 
Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. 
+ type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. 
+ nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the transaction error rate rule. These parameters are appropriate when `rule_type_id` is `apm.transaction_error_rate`. 
+ properties: + environment: + type: string + groupBy: + items: + type: string + type: array + searchConfiguration: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + language: + type: string + query: + anyOf: + - type: string + - additionalProperties: + nullable: true + type: object + required: + - query + - language + required: + - query + serviceName: + type: string + threshold: + type: number + transactionName: + type: string + transactionType: + type: string + useKqlFilter: + type: boolean + windowSize: + type: number + windowUnit: + type: string + required: + - windowSize + - windowUnit + - threshold + - environment + title: Transaction Error Rate Rule Params + type: object + rule_type_id: + enum: + - apm.transaction_error_rate + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Transaction error rate + type: object + Kibana_HTTP_APIs_ClassicFieldDefinition: + additionalProperties: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinitionConfig' + type: object + Kibana_HTTP_APIs_ClassicFieldDefinitionConfig: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' + - anyOf: + - additionalProperties: false + type: object + properties: + description: + type: string + format: + description: A non-empty string. + minLength: 1 + type: string + type: + enum: + - keyword + - match_only_text + - long + - double + - date + - boolean + - ip + - geo_point + - integer + - short + - byte + - float + - half_float + - text + - wildcard + - version + - unsigned_long + - date_nanos + type: string + required: + - type + - additionalProperties: false + type: object + properties: + description: + type: string + type: + enum: + - system + type: string + required: + - type + Kibana_HTTP_APIs_ClassicStreamUpsertRequest: + additionalProperties: false + type: object + properties: + dashboards: + items: + type: string + type: array + queries: + items: + type: object + properties: + description: + type: string + esql: + type: object + properties: + query: + type: string + required: + - query + evidence: + items: + type: string + type: array + id: + description: A non-empty string. + minLength: 1 + type: string + severity_score: + type: number + title: + description: A non-empty string. 
+ minLength: 1 + type: string + type: + default: match + enum: + - match + - stats + type: string + required: + - id + - title + - description + - esql + type: array + rules: + items: + type: string + type: array + stream: + additionalProperties: false + type: object + properties: + description: + type: string + ingest: + additionalProperties: false + type: object + properties: + classic: + additionalProperties: false + type: object + properties: + field_overrides: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinition' + failure_store: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' + lifecycle: + $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' + processing: + additionalProperties: false + type: object + properties: + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + updated_at: {} + required: + - steps + settings: + additionalProperties: false + type: object + properties: + index.number_of_replicas: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.number_of_shards: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.refresh_interval: + additionalProperties: false + type: object + properties: + value: + anyOf: + - type: string + - enum: + - -1 + type: number + required: + - value + required: + - lifecycle + - processing + - settings + - failure_store + - classic + query_streams: + items: + type: object + properties: + name: + type: string + required: + - name + type: array + type: + enum: + - classic + type: string + required: + - description + - ingest + - type + required: + - dashboards + - rules + - queries + - stream + Kibana_HTTP_APIs_Condition: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_FilterCondition' + - additionalProperties: false + description: A logical AND that groups multiple conditions. 
+ type: object + properties: + and: + description: An array of conditions. All sub-conditions must be true for this condition to be true. + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + type: array + required: + - and + - additionalProperties: false + description: A logical OR that groups multiple conditions. + type: object + properties: + or: + description: An array of conditions. At least one sub-condition must be true for this condition to be true. + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + type: array + required: + - or + - additionalProperties: false + description: A logical NOT that negates a condition. + type: object + properties: + not: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: A condition that negates another condition. + required: + - not + - additionalProperties: false + description: A condition that always evaluates to false. + type: object + properties: + never: + additionalProperties: false + description: An empty object. This condition never matches. + type: object + properties: {} + required: + - never + - additionalProperties: false + description: A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered. + type: object + properties: + always: + additionalProperties: false + description: An empty object. This condition always matches. + type: object + properties: {} + required: + - always + description: The root condition object. It can be a simple filter or a combination of other conditions. 
+ Kibana_HTTP_APIs_ConditionWithSteps: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + - additionalProperties: false + type: object + properties: + else: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + required: + - steps + Kibana_HTTP_APIs_ContentPackIncludedObjects: + anyOf: + - additionalProperties: false + type: object + properties: + objects: + additionalProperties: false + type: object + properties: + all: + additionalProperties: false + type: object + properties: {} + required: + - all + required: + - objects + - additionalProperties: false + type: object + properties: + objects: + additionalProperties: false + type: object + properties: + mappings: + type: boolean + queries: + items: + type: object + properties: + id: + type: string + required: + - id + type: array + routing: + items: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_ContentPackIncludedObjects' + - type: object + properties: + destination: + type: string + required: + - destination + type: array + required: + - mappings + - queries + - routing + required: + - objects + Kibana_HTTP_APIs_core_status_redactedResponse: + additionalProperties: false + description: A minimal representation of Kibana's operational status. + properties: + status: + additionalProperties: false + type: object + properties: + overall: + additionalProperties: false + type: object + properties: + level: + description: Service status levels as human and machine readable values. 
+ enum: + - available + - degraded + - unavailable + - critical + type: string + required: + - level + required: + - overall + required: + - status + title: core_status_redactedResponse + type: object + Kibana_HTTP_APIs_core_status_response: + additionalProperties: false + description: Kibana's operational status as well as a detailed breakdown of plugin statuses indication of various loads (like event loop utilization and network traffic) at time of request. + properties: + metrics: + additionalProperties: false + description: Metric groups collected by Kibana. + type: object + properties: + collection_interval_in_millis: + description: The interval at which metrics should be collected. + type: number + elasticsearch_client: + additionalProperties: false + description: Current network metrics of Kibana's Elasticsearch client. + type: object + properties: + totalActiveSockets: + description: Count of network sockets currently in use. + type: number + totalIdleSockets: + description: Count of network sockets currently idle. + type: number + totalQueuedRequests: + description: Count of requests not yet assigned to sockets. + type: number + required: + - totalActiveSockets + - totalIdleSockets + - totalQueuedRequests + last_updated: + description: The time metrics were collected. + type: string + required: + - elasticsearch_client + - last_updated + - collection_interval_in_millis + name: + description: Kibana instance name. + type: string + status: + additionalProperties: false + type: object + properties: + core: + additionalProperties: false + description: Statuses of core Kibana services. + type: object + properties: + elasticsearch: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. 
+ enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + http: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + savedObjects: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + required: + - elasticsearch + - savedObjects + overall: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. 
+ type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + plugins: + additionalProperties: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + description: A dynamic mapping of plugin ID to plugin status. + type: object + required: + - overall + - core + - plugins + uuid: + description: Unique, generated Kibana instance UUID. This UUID should persist even if the Kibana process restarts. + type: string + version: + additionalProperties: false + type: object + properties: + build_date: + description: The date and time of this build. + type: string + build_flavor: + description: The build flavour determines configuration and behavior of Kibana. On premise users will almost always run the "traditional" flavour, while other flavours are reserved for Elastic-specific use cases. 
+ enum: + - serverless + - traditional + type: string + build_hash: + description: A unique hash value representing the git commit of this Kibana build. + type: string + build_number: + description: A monotonically increasing number, each subsequent build will have a higher number. + type: number + build_snapshot: + description: Whether this build is a snapshot build. + type: boolean + number: + description: A semantic version number. + type: string + required: + - number + - build_hash + - build_number + - build_snapshot + - build_flavor + - build_date + required: + - name + - uuid + - version + - status + - metrics + title: core_status_response + type: object + Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. 
+ enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. 
+ type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. 
+ maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the degraded docs rule. These parameters are appropriate when `rule_type_id` is `datasetQuality.degradedDocs`. 
+ properties: + comparator: + type: string + groupBy: + items: + type: string + type: array + searchConfiguration: + additionalProperties: false + type: object + properties: + index: + type: string + required: + - index + threshold: + items: + type: number + type: array + timeSize: + type: number + timeUnit: + type: string + required: + - timeUnit + - timeSize + - threshold + - comparator + - searchConfiguration + title: Degraded Docs Rule Params + type: object + rule_type_id: + enum: + - datasetQuality.degradedDocs + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Degraded docs + type: object + Kibana_HTTP_APIs_es-query-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. 
+ type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the ES query rule. 
These parameters are appropriate when `rule_type_id` is `.es-query`. + properties: + aggField: + description: The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`. + minLength: 1 + type: string + aggType: + default: count + description: The type of aggregation to perform. + type: string + esqlQuery: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + description: The query definition in Elasticsearch Query Language. + nullable: true + oneOf: + - additionalProperties: false + type: object + properties: + esql: + minLength: 1 + type: string + required: + - esql + - not: {} + esQuery: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + nullable: true + oneOf: + - minLength: 1 + type: string + - not: {} + excludeHitsFromPreviousRun: + default: true + description: Indicates whether to exclude matches from previous runs. If `true`, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified. + type: boolean + groupBy: + default: all + description: Indicates whether the aggregation is applied over all documents (`all`), grouped by row (`row`), or split into groups (`top`) using a grouping field (`termField`) where only the top groups (up to `termSize` number of groups) are checked. If grouping is used, an alert will be created for each group when it exceeds the threshold. + type: string + index: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + description: The indices to query. 
+ nullable: true + oneOf: + - items: + minLength: 1 + type: string + minItems: 1 + type: array + - not: {} + searchConfiguration: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + description: The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch. + nullable: true + oneOf: + - additionalProperties: true + type: object + properties: {} + - not: {} + searchType: + default: esQuery + description: 'The type of query For example: `esQuery` for Elasticsearch Query DSL or `esqlQuery` for Elasticsearch Query Language (ES|QL).' + enum: + - searchSource + - esQuery + - esqlQuery + type: string + size: + description: The number of documents to pass to the configured actions when the threshold condition is met. + maximum: 10000 + minimum: 0 + type: number + sourceFields: + description: The sourceFields param is ignored. + items: + additionalProperties: false + type: object + properties: + label: + type: string + searchPath: + type: string + required: + - label + - searchPath + maxItems: 5 + type: array + termField: + anyOf: + - minLength: 1 + type: string + - items: + type: string + maxItems: 4 + minItems: 2 + type: array + description: The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`. + termSize: + description: This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields. + minimum: 1 + type: number + threshold: + items: + description: The threshold value that is used with the `thresholdComparator`. If the `thresholdComparator` is `between` or `notBetween`, you must specify the boundary values. + type: number + maxItems: 2 + minItems: 1 + type: array + thresholdComparator: + description: 'The comparison function for the threshold. 
For example: greater than, less than, greater than or equal to, between, or not between.' + enum: + - '>' + - < + - '>=' + - <= + - between + - notBetween + type: string + timeField: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + description: The field that is used to calculate the time window. + nullable: true + oneOf: + - minLength: 1 + type: string + - minLength: 1 + type: string + x-oas-optional: true + timeWindowSize: + description: The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + minimum: 1 + type: number + timeWindowUnit: + description: 'The type of units for the time window. For example: seconds, minutes, hours, or days.' + type: string + required: + - size + - timeWindowSize + - timeWindowUnit + - threshold + - thresholdComparator + - timeField + - searchConfiguration + - esQuery + - index + - esqlQuery + title: ES Query Rule Params + type: object + rule_type_id: + enum: + - .es-query + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: ES query + type: object + Kibana_HTTP_APIs_FailureStore: + anyOf: + - additionalProperties: false + type: object + properties: + inherit: + additionalProperties: false + type: object + properties: {} + required: + - inherit + - additionalProperties: false + type: object + properties: + disabled: + additionalProperties: false + type: object + properties: {} + required: + - disabled + - additionalProperties: false + type: object + properties: + lifecycle: + additionalProperties: false + type: object + properties: + enabled: + additionalProperties: false + type: object + properties: + data_retention: + description: A non-empty string. + minLength: 1 + type: string + required: + - enabled + required: + - lifecycle + - additionalProperties: false + type: object + properties: + lifecycle: + additionalProperties: false + type: object + properties: + disabled: + additionalProperties: false + type: object + properties: {} + required: + - disabled + required: + - lifecycle + Kibana_HTTP_APIs_FieldDefinition: + additionalProperties: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinitionConfig' + type: object + Kibana_HTTP_APIs_FieldDefinitionConfig: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' + - anyOf: + - additionalProperties: false + type: object + properties: + description: + type: string + format: + description: A non-empty string. 
+ minLength: 1 + type: string + type: + enum: + - keyword + - match_only_text + - long + - double + - date + - boolean + - ip + - geo_point + - integer + - short + - byte + - float + - half_float + - text + - wildcard + - version + - unsigned_long + - date_nanos + type: string + required: + - type + - additionalProperties: false + type: object + properties: + description: + type: string + format: + not: {} + type: + not: {} + required: + - description + - additionalProperties: false + type: object + properties: + description: + type: string + type: + enum: + - system + type: string + required: + - type + Kibana_HTTP_APIs_FilterCondition: + anyOf: + - additionalProperties: false + description: A condition that compares a field to a value or range using an operator as the key. + type: object + properties: + contains: + anyOf: + - type: string + - type: number + - type: boolean + description: Contains comparison value. + endsWith: + anyOf: + - type: string + - type: number + - type: boolean + description: Ends-with comparison value. + eq: + anyOf: + - type: string + - type: number + - type: boolean + description: Equality comparison value. + field: + description: The document field to filter on. + minLength: 1 + type: string + gt: + anyOf: + - type: string + - type: number + - type: boolean + description: Greater-than comparison value. + gte: + anyOf: + - type: string + - type: number + - type: boolean + description: Greater-than-or-equal comparison value. + includes: + anyOf: + - type: string + - type: number + - type: boolean + description: Checks if multivalue field includes the value. + lt: + anyOf: + - type: string + - type: number + - type: boolean + description: Less-than comparison value. + lte: + anyOf: + - type: string + - type: number + - type: boolean + description: Less-than-or-equal comparison value. + neq: + anyOf: + - type: string + - type: number + - type: boolean + description: Inequality comparison value. 
+ range: + additionalProperties: false + description: Range comparison values. + type: object + properties: + gt: + anyOf: + - type: string + - type: number + - type: boolean + description: A value that can be a string, number, or boolean. + gte: + anyOf: + - type: string + - type: number + - type: boolean + description: A value that can be a string, number, or boolean. + lt: + anyOf: + - type: string + - type: number + - type: boolean + description: A value that can be a string, number, or boolean. + lte: + anyOf: + - type: string + - type: number + - type: boolean + description: A value that can be a string, number, or boolean. + startsWith: + anyOf: + - type: string + - type: number + - type: boolean + description: Starts-with comparison value. + required: + - field + - additionalProperties: false + description: A condition that checks for the existence or non-existence of a field. + type: object + properties: + exists: + description: Indicates whether the field exists or not. + type: boolean + field: + description: The document field to check. + minLength: 1 + type: string + required: + - field + description: A basic filter condition, either unary or binary. + Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). 
+ type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. 
Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. 
+ type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. 
+ nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the geo containment rule. These parameters are appropriate when `rule_type_id` is `.geo-containment`. 
+ properties: + boundaryGeoField: + minLength: 1 + type: string + boundaryIndexId: + minLength: 1 + type: string + boundaryIndexQuery: + nullable: true + boundaryIndexTitle: + minLength: 1 + type: string + boundaryNameField: + minLength: 1 + type: string + boundaryType: + minLength: 1 + type: string + dateField: + minLength: 1 + type: string + entity: + minLength: 1 + type: string + geoField: + minLength: 1 + type: string + index: + minLength: 1 + type: string + indexId: + minLength: 1 + type: string + indexQuery: + nullable: true + required: + - index + - indexId + - geoField + - entity + - dateField + - boundaryType + - boundaryIndexTitle + - boundaryIndexId + - boundaryGeoField + - indexQuery + - boundaryIndexQuery + title: Geo Containment Rule Params + type: object + rule_type_id: + enum: + - .geo-containment + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Geo containment + type: object + Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. 
+ type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. 
+ type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the index threshold rule. These parameters are appropriate when `rule_type_id` is `.index-threshold`. + properties: + aggField: + description: The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`. + minLength: 1 + type: string + aggType: + default: count + description: The type of aggregation to perform. + type: string + filterKuery: + description: A Kibana Query Language (KQL) expression thats limits the scope of alerts. + type: string + groupBy: + default: all + description: Indicates whether the aggregation is applied over all documents (`all`) or split into groups (`top`) using a grouping field (`termField`). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to `termSize` number of groups) are checked. + type: string + index: + anyOf: + - minLength: 1 + type: string + - items: + minLength: 1 + type: string + minItems: 1 + type: array + description: The indices to query. + termField: + description: The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`. 
+ minLength: 1 + type: string + termSize: + description: This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields. + minimum: 1 + type: number + threshold: + items: + type: number + maxItems: 2 + minItems: 1 + type: array + thresholdComparator: + description: 'The comparison function for the threshold. For example: greater than, less than, greater than or equal to, between, or not between.' + enum: + - '>' + - < + - '>=' + - <= + - between + - notBetween + type: string + timeField: + description: The field that is used to calculate the time window. + minLength: 1 + type: string + timeWindowSize: + description: The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + minimum: 1 + type: number + timeWindowUnit: + description: 'The type of units for the time window. For example: seconds, minutes, hours, or days.' + type: string + required: + - index + - timeField + - timeWindowSize + - timeWindowUnit + - thresholdComparator + - threshold + title: Index Threshold Rule Params + type: object + rule_type_id: + enum: + - .index-threshold + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. 
NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Index threshold + type: object + Kibana_HTTP_APIs_IngestStreamLifecycle: + anyOf: + - additionalProperties: false + type: object + properties: + dsl: + additionalProperties: false + type: object + properties: + data_retention: + description: A non-empty string. + minLength: 1 + type: string + downsample: + items: + type: object + properties: + after: + description: A non-empty string. + minLength: 1 + type: string + fixed_interval: + description: A non-empty string. + minLength: 1 + type: string + required: + - after + - fixed_interval + type: array + required: + - dsl + - additionalProperties: false + type: object + properties: + ilm: + additionalProperties: false + type: object + properties: + policy: + description: A non-empty string. + minLength: 1 + type: string + required: + - policy + required: + - ilm + - additionalProperties: false + type: object + properties: + inherit: + additionalProperties: false + type: object + properties: {} + required: + - inherit + Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
+ type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). 
+ type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + anyOf: + - additionalProperties: false + type: object + properties: + count: + additionalProperties: false + type: object + properties: + comparator: + enum: + - more than + - more than or equals + - less than + - less than or equals + - equals + - does not equal + - matches + - does not match + - matches phrase + - does not match phrase + type: string + value: + type: number + required: + - comparator + - value + criteria: + items: + additionalProperties: false + type: object + properties: + comparator: + enum: + - more than + - more than or equals + - less than + - less than or equals + - equals + - does not equal + - matches + - does not match + - matches phrase + - does not match phrase + type: string + field: + type: string + value: + anyOf: + - type: string + - type: number + required: + - field + - comparator + - value + type: array + groupBy: + items: + type: string + type: array + logView: + additionalProperties: false + type: object + properties: + logViewId: + type: string + type: + enum: + - log-view-reference + type: string + required: + - logViewId + - type + timeSize: + type: number + timeUnit: + enum: + - s + - m + - h + - d + type: string + required: + - criteria + - count + - timeUnit + - timeSize + - logView + - additionalProperties: false + type: object + properties: + count: + additionalProperties: false + type: object + properties: + comparator: + enum: + - more than + - more than or equals + - less than + - less than or equals + - equals + - does not equal + - matches + - does not match + - matches phrase + - does not match phrase + type: string + value: + type: number + required: + - comparator + - value + criteria: + items: + items: + additionalProperties: false + type: object + properties: + comparator: + enum: + - more than + - more than or equals + - less than + - less than or equals + - equals + - does not equal + - 
matches + - does not match + - matches phrase + - does not match phrase + type: string + field: + type: string + value: + anyOf: + - type: string + - type: number + required: + - field + - comparator + - value + type: array + type: array + groupBy: + items: + type: string + type: array + logView: + additionalProperties: false + type: object + properties: + logViewId: + type: string + type: + enum: + - log-view-reference + type: string + required: + - logViewId + - type + timeSize: + type: number + timeUnit: + enum: + - s + - m + - h + - d + type: string + required: + - criteria + - count + - timeUnit + - timeSize + - logView + description: The parameters for the log threshold rule. These parameters are appropriate when `rule_type_id` is `logs.alert.document.count`. + title: Log Threshold Rule Params + rule_type_id: + enum: + - logs.alert.document.count + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Log threshold + type: object + Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. 
+ type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. 
+ type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the metric inventory threshold rule. These parameters are appropriate when `rule_type_id` is `metrics.alert.inventory.threshold`. + properties: + alertOnNoData: + type: boolean + criteria: + items: + additionalProperties: false + type: object + properties: + comparator: + type: string + customMetric: + additionalProperties: false + type: object + properties: + aggregation: + type: string + field: + type: string + id: + type: string + label: + type: string + type: + enum: + - custom + type: string + required: + - type + - id + - field + - aggregation + metric: + type: string + threshold: + items: + type: number + type: array + timeSize: + type: number + timeUnit: + type: string + warningComparator: + type: string + warningThreshold: + items: + type: number + type: array + required: + - threshold + - comparator + - timeUnit + - timeSize + - metric + type: array + filterQuery: + type: string + nodeType: + type: string + schema: + type: string + sourceId: + type: string + required: + - criteria + - nodeType + - sourceId + title: Metric Inventory Threshold Rule Params + type: object + rule_type_id: + enum: + - metrics.alert.inventory.threshold + type: string + schedule: + additionalProperties: 
false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Metric inventory threshold + type: object + Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. 
+ items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. 
+ type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. 
+ type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. 
+ type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the metric threshold rule. These parameters are appropriate when `rule_type_id` is `metrics.alert.threshold`. + properties: + alertOnGroupDisappear: + description: If true, an alert occurs if a group that previously reported metrics does not report them again over the expected time period. This check is not recommended for dynamically scaling infrastructures that might rapidly start and stop nodes automatically. + type: boolean + alertOnNoData: + description: If true, an alert occurs if the metrics do not report any data over the expected period or if the query fails. 
+ type: boolean + criteria: + items: + anyOf: + - additionalProperties: false + type: object + properties: + aggType: + enum: + - count + type: string + comparator: + type: string + threshold: + description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. + items: + type: number + type: array + timeSize: + description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + timeUnit: + description: 'The type of units for the time window: seconds, minutes, hours, or days.' + type: string + warningComparator: + type: string + warningThreshold: + items: + description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. + type: number + type: array + required: + - threshold + - comparator + - timeUnit + - timeSize + - aggType + - additionalProperties: false + type: object + properties: + aggType: + type: string + comparator: + type: string + metric: + type: string + threshold: + description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. + items: + type: number + type: array + timeSize: + description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + timeUnit: + description: 'The type of units for the time window: seconds, minutes, hours, or days.' + type: string + warningComparator: + type: string + warningThreshold: + items: + description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. 
+ type: number + type: array + required: + - threshold + - comparator + - timeUnit + - timeSize + - metric + - aggType + - additionalProperties: false + type: object + properties: + aggType: + enum: + - custom + type: string + comparator: + type: string + customMetrics: + items: + anyOf: + - additionalProperties: false + type: object + properties: + aggType: + type: string + field: + type: string + name: + type: string + required: + - name + - aggType + - field + - additionalProperties: false + type: object + properties: + aggType: + enum: + - count + type: string + filter: + type: string + name: + type: string + required: + - name + - aggType + type: array + equation: + type: string + label: + type: string + threshold: + description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. + items: + type: number + type: array + timeSize: + description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + timeUnit: + description: 'The type of units for the time window: seconds, minutes, hours, or days.' + type: string + warningComparator: + type: string + warningThreshold: + items: + description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. + type: number + type: array + required: + - threshold + - comparator + - timeUnit + - timeSize + - aggType + - customMetrics + type: array + filterQuery: + description: A query that limits the scope of the rule. The rule evaluates only metric data that matches the query. + type: string + groupBy: + anyOf: + - type: string + - items: + type: string + type: array + description: 'Create an alert for every unique value of the specified fields. 
For example, you can create a rule per host or every mount point of each host. IMPORTANT: If you include the same field in both the `filterQuery` and `groupBy`, you might receive fewer results than you expect. For example, if you filter by `cloud.region: us-east`, grouping by `cloud.region` will have no effect because the filter query can match only one region.' + sourceId: + type: string + required: + - criteria + - sourceId + title: Metric Threshold Rule Params + type: object + rule_type_id: + enum: + - metrics.alert.threshold + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Metric threshold + type: object + Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. 
+ type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the cluster health rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_alert_cluster_health`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Cluster Health Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_cluster_health + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Cluster health + type: object + Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
+ type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). 
+ type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the CPU usage rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_alert_cpu_usage`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: CPU Usage Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_cpu_usage + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: CPU usage + type: object + Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
+ type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). 
+ type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the disk usage rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_alert_disk_usage`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Disk Usage Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_disk_usage + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Disk usage + type: object + Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
+ type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). 
+ type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the ES version mismatch rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_alert_elasticsearch_version_mismatch`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: ES Version Mismatch Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_elasticsearch_version_mismatch + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Elasticsearch version mismatch + type: object + Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
+ type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). 
+ type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the memory usage rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_alert_jvm_memory_usage`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Memory Usage Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_jvm_memory_usage + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: JVM memory usage + type: object + Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
+ type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). 
+ type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the Kibana version mismatch rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_alert_kibana_version_mismatch`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Kibana Version Mismatch Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_kibana_version_mismatch + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Kibana version mismatch + type: object + Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
+ type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). 
+ type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the license expiration rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_alert_license_expiration`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: License Expiration Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_license_expiration + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: License expiration + type: object + Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
+ type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). 
+ type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the logstash version mismatch rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_alert_logstash_version_mismatch`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Logstash Version Mismatch Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_logstash_version_mismatch + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Logstash version mismatch + type: object + Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
+ type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). 
+ type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the missing monitoring data rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_alert_missing_monitoring_data`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Missing Monitoring Data Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_missing_monitoring_data + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Missing monitoring data + type: object + Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
+ type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). 
+ type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the nodes changed rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_alert_nodes_changed`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Nodes Changed Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_nodes_changed + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Nodes changed + type: object + Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
+ type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). 
+ type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the thread pool search rejections rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_alert_thread_pool_search_rejections`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + threshold: + type: number + required: + - duration + title: Thread Pool Search Rejections Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_thread_pool_search_rejections + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Thread pool search rejections + type: object + Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
+ type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). 
+ type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the thread pool write rejections rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_alert_thread_pool_write_rejections`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + threshold: + type: number + required: + - duration + title: Thread Pool Write Rejections Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_thread_pool_write_rejections + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Thread pool write rejections + type: object + Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
+ type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). 
+ type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the CCR read exceptions rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_ccr_read_exceptions`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: CCR Read Exceptions Rule Params + type: object + rule_type_id: + enum: + - monitoring_ccr_read_exceptions + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: CCR read exceptions + type: object + Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
+ type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). 
+ type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the large shard size rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_shard_size`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + indexPattern: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + - indexPattern + title: Large Shard Size Rule Params + type: object + rule_type_id: + enum: + - monitoring_shard_size + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Large shard size + type: object + Kibana_HTTP_APIs_new_output_elasticsearch: + additionalProperties: false + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - elasticsearch + type: string + write_to_logs_streams: + nullable: true + type: boolean + required: + - name + - type + - hosts + title: new_output_elasticsearch + type: object + Kibana_HTTP_APIs_new_output_kafka: + additionalProperties: false + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + auth_type: + enum: + - none + - user_pass + - ssl + - kerberos + type: string + broker_timeout: + type: number + ca_sha256: + nullable: true + 
type: string + ca_trusted_fingerprint: + nullable: true + type: string + client_id: + type: string + compression: + enum: + - gzip + - snappy + - lz4 + - none + type: string + compression_level: + type: number + config_yaml: + nullable: true + type: string + connection_type: + enum: + - plaintext + - encryption + type: string + hash: + additionalProperties: false + type: object + properties: + hash: + type: string + random: + type: boolean + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value maxItems: 100 + type: array + hosts: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + key: + type: string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + partition: + enum: + - random + - round_robin + - hash + type: string + password: + nullable: true + type: string + proxy_id: + nullable: true + type: string + random: + additionalProperties: false + type: object + properties: + group_events: + type: number + required_acks: + enum: + - 1 + - 0 + - -1 + type: integer + round_robin: + additionalProperties: false + type: object + properties: + group_events: + type: number + sasl: + additionalProperties: false + nullable: true + type: object + properties: + mechanism: + enum: + - PLAIN + - SCRAM-SHA-256 + - SCRAM-SHA-512 + type: string + secrets: + additionalProperties: false + type: object + properties: + password: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + 
type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + required: + - key + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + timeout: + type: number + topic: + type: string + type: + enum: + - kafka + type: string + username: + nullable: true + type: string + version: + type: string + required: + - name + - type + - hosts + - auth_type + title: new_output_kafka + type: object + Kibana_HTTP_APIs_new_output_logstash: + additionalProperties: false + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - logstash + type: string + required: + - name + - type + - hosts + title: new_output_logstash + type: object + 
Kibana_HTTP_APIs_new_output_remote_elasticsearch: + additionalProperties: false + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + kibana_api_key: + nullable: true + type: string + kibana_url: + nullable: true + type: string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + service_token: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + service_token: + nullable: true + type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + sync_integrations: + type: boolean + sync_uninstalled_integrations: + type: boolean + type: + enum: + - remote_elasticsearch + type: string + write_to_logs_streams: + nullable: true + type: boolean + required: + - name + - type + - hosts + title: new_output_remote_elasticsearch + type: object + 
Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. 
For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. 
It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the custom threshold rule. These parameters are appropriate when `rule_type_id` is `observability.rules.custom_threshold`. + properties: + alertOnGroupDisappear: + type: boolean + alertOnNoData: + type: boolean + criteria: + items: + additionalProperties: false + type: object + properties: + aggType: + enum: + - custom + type: string + comparator: + type: string + equation: + type: string + label: + type: string + metrics: + items: + anyOf: + - additionalProperties: false + type: object + properties: + aggType: + type: string + field: + type: string + filter: + type: string + name: + type: string + required: + - name + - aggType + - field + - additionalProperties: false + type: object + properties: + aggType: + enum: + - count + type: string + filter: + type: string + name: + type: string + required: + - name + - aggType + type: array + threshold: + items: + type: number + type: array + timeSize: + type: number + timeUnit: + type: string + required: + - threshold + - comparator + - timeUnit + - timeSize + - metrics + type: array + groupBy: + anyOf: + - type: string + - items: + type: string + type: array + noDataBehavior: + enum: + - recover + - remainActive + - alertOnNoData + type: 
string + searchConfiguration: + additionalProperties: false + type: object + properties: + filter: + items: + additionalProperties: false + type: object + properties: + meta: + additionalProperties: + nullable: true + type: object + query: + additionalProperties: + nullable: true + type: object + required: + - meta + type: array + index: + anyOf: + - type: string + - additionalProperties: false + type: object + properties: + allowHidden: + type: boolean + allowNoIndex: + type: boolean + fieldAttrs: + additionalProperties: + additionalProperties: false + type: object + properties: + count: + type: number + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + type: object + fieldFormats: + additionalProperties: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + type: object + fields: + additionalProperties: + additionalProperties: false + type: object + properties: + aggregatable: + type: boolean + count: + minimum: 0 + type: number + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + esTypes: + items: + type: string + type: array + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + name: + maxLength: 1000 + type: string + readFromDocValues: + type: boolean + runtimeField: + anyOf: + - additionalProperties: false + type: object + properties: + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + popularity: + minimum: 0 + type: number + script: + additionalProperties: false + type: object + properties: + source: + type: string + required: + - source + type: + enum: + - keyword + - long + - double + - date + - ip + - boolean + - geo_point + type: string + required: + - type 
+ - additionalProperties: false + type: object + properties: + fields: + additionalProperties: + additionalProperties: false + type: object + properties: + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + popularity: + minimum: 0 + type: number + type: + enum: + - keyword + - long + - double + - date + - ip + - boolean + - geo_point + type: string + required: + - type + type: object + script: + additionalProperties: false + type: object + properties: + source: + type: string + required: + - source + type: + enum: + - composite + type: string + required: + - type + script: + maxLength: 1000000 + type: string + scripted: + type: boolean + searchable: + type: boolean + shortDotsEnable: + type: boolean + subType: + additionalProperties: false + type: object + properties: + multi: + additionalProperties: false + type: object + properties: + parent: + type: string + required: + - parent + nested: + additionalProperties: false + type: object + properties: + path: + type: string + required: + - path + type: + default: string + maxLength: 1000 + type: string + required: + - name + type: object + id: + type: string + managed: + type: boolean + name: + type: string + namespaces: + items: + type: string + type: array + runtimeFieldMap: + additionalProperties: + anyOf: + - additionalProperties: false + type: object + properties: + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + popularity: + minimum: 0 + type: number + script: + additionalProperties: false + type: object + properties: + source: + type: string + required: + - source + type: + enum: + - keyword + - long + - double + - date + - ip + - boolean + - geo_point + type: string 
+ required: + - type + - additionalProperties: false + type: object + properties: + fields: + additionalProperties: + additionalProperties: false + type: object + properties: + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + popularity: + minimum: 0 + type: number + type: + enum: + - keyword + - long + - double + - date + - ip + - boolean + - geo_point + type: string + required: + - type + type: object + script: + additionalProperties: false + type: object + properties: + source: + type: string + required: + - source + type: + enum: + - composite + type: string + required: + - type + type: object + sourceFilters: + items: + additionalProperties: false + type: object + properties: + clientId: + anyOf: + - type: string + - type: number + value: + type: string + required: + - value + type: array + timeFieldName: + type: string + title: + type: string + type: + type: string + typeMeta: + additionalProperties: true + type: object + properties: {} + version: + type: string + required: + - title + query: + additionalProperties: false + type: object + properties: + language: + type: string + query: + type: string + required: + - language + - query + required: + - index + - query + required: + - criteria + - searchConfiguration + title: Custom Threshold Rule Params + type: object + rule_type_id: + enum: + - observability.rules.custom_threshold + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. 
+ items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Custom threshold + type: object + Kibana_HTTP_APIs_output_elasticsearch: + additionalProperties: true + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + format: uri + type: string + maxItems: 10 minItems: 1 + type: array + id: type: string - type: array - Cases_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - Cases_owner_filter: - description: > - A filter to limit the response to a specific set of applications. If - this parameter is omitted, the response contains information about all - the cases that the user has access to read. - example: cases - in: query - name: owner - schema: - oneOf: - - $ref: '#/components/schemas/Cases_owner' - - $ref: '#/components/schemas/Cases_owners' - Cases_page_index: - description: The page number to return. - example: 1 - in: query - name: page - required: false - schema: - default: 1 - type: integer - Cases_page_size: - description: The number of items to return. Limited to 100 items. - example: 20 - in: query - name: perPage - required: false - schema: - default: 20 - maximum: 100 - type: integer - Cases_reporters: - description: Filters the returned cases by the user name of the reporter. 
- example: elastic - in: query - name: reporters - schema: - oneOf: - - $ref: '#/components/schemas/Cases_string' - - $ref: '#/components/schemas/Cases_string_array' - Cases_search: - description: >- - An Elasticsearch simple_query_string query that filters the objects in - the response. - example: Case title 1 - in: query - name: search - schema: - type: string - Cases_searchFields: - description: The fields to perform the simple_query_string parsed query against. - in: query - name: searchFields - schema: - oneOf: - - $ref: '#/components/schemas/Cases_searchFieldsType' - - $ref: '#/components/schemas/Cases_searchFieldsTypeArray' - Cases_severity: - description: The severity of the case. - example: low - in: query - name: severity - schema: - enum: - - critical - - high - - low - - medium - type: string - Cases_sort_order: - description: Determines the sort order. - example: desc - in: query - name: sortOrder - required: false - schema: - default: desc - enum: - - asc - - desc - type: string - Cases_sortField: - description: Determines which field is used to sort the results. - example: updatedAt - in: query - name: sortField - schema: - default: createdAt - enum: - - createdAt - - updatedAt - - closedAt - - title - - category - - status - - severity - type: string - Cases_status: - description: Filters the returned cases by state. - example: open - in: query - name: status - schema: - enum: - - closed - - in-progress - - open - type: string - Cases_tags: - description: Filters the returned cases by tags. - example: tag-1 - in: query - name: tags - schema: - oneOf: - - $ref: '#/components/schemas/Cases_string' - - $ref: '#/components/schemas/Cases_string_array' - Cases_to: - description: > - Returns only cases that were created before a specific date. The date - must be specified as a KQL data range or date match expression. 
- example: now+1d - in: query - name: to - schema: - type: string - Cases_user_action_types: - description: Determines the types of user actions to return. - in: query - name: types - schema: - items: + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: enum: - - action - - alert - - assignees - - attachment - - comment - - connector - - create_case - - description - - pushed - - settings - - severity - - status - - tags - - title - - user - example: create_case + - balanced + - custom + - throughput + - scale + - latency type: string - type: array - Data_views_field_name: - description: The name of the runtime field. - in: path - name: fieldName - required: true - schema: - example: hour_of_day - type: string - Data_views_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - Data_views_view_id: - description: An identifier for the data view. - in: path - name: viewId - required: true - schema: - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f - type: string - Machine_learning_APIs_simulateParam: - description: >- - When true, simulates the synchronization by returning only the list of - actions that would be performed. - example: 'true' - in: query - name: simulate - required: false - schema: - type: boolean - Saved_objects_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - Saved_objects_saved_object_id: - description: An identifier for the saved object. 
- in: path - name: id - required: true - schema: - type: string - Saved_objects_saved_object_type: - description: >- - Valid options include `visualization`, `dashboard`, `search`, - `index-pattern`, `config`. - in: path - name: type - required: true - schema: - type: string - Short_URL_APIs_idParam: - description: The identifier for the short URL. - in: path - name: id - required: true - schema: - type: string - SLOs_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - SLOs_slo_id: - description: An identifier for the slo. - in: path - name: sloId - required: true - schema: - example: 9c235211-6834-11ea-a78c-6feb38a34414 - type: string - SLOs_space_id: - description: >- - An identifier for the space. If `/s/` and the identifier are omitted - from the path, the default space is used. - in: path - name: spaceId - required: true - schema: - example: default - type: string - schemas: - Alerting_401_response: + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: true + type: object + properties: + ssl: + additionalProperties: true + type: object + properties: + key: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - elasticsearch + type: string + write_to_logs_streams: + nullable: true + type: boolean + required: + - name + - type + - hosts + title: output_elasticsearch + type: object + Kibana_HTTP_APIs_output_kafka: + additionalProperties: true properties: - error: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + auth_type: + enum: + - none + - user_pass + - ssl + - kerberos + type: string + broker_timeout: + type: number + 
ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + client_id: + type: string + compression: + enum: + - gzip + - snappy + - lz4 + - none + type: string + compression_level: + type: number + config_yaml: + nullable: true + type: string + connection_type: + enum: + - plaintext + - encryption + type: string + hash: + additionalProperties: true + type: object + properties: + hash: + type: string + random: + type: boolean + headers: + items: + additionalProperties: true + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + hosts: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + key: + type: string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + partition: enum: - - Unauthorized - example: Unauthorized + - random + - round_robin + - hash type: string - message: + password: + nullable: true type: string - statusCode: + proxy_id: + nullable: true + type: string + random: + additionalProperties: true + type: object + properties: + group_events: + type: number + required_acks: enum: - - 401 - example: 401 + - 1 + - 0 + - -1 type: integer - title: Unsuccessful rule API response - type: object - Alerting_fieldmap_properties: - title: Field map objects in the get rule types response + round_robin: + additionalProperties: true + type: object + properties: + group_events: + type: number + sasl: + additionalProperties: true + nullable: true + type: object + properties: + mechanism: + enum: + - PLAIN + - SCRAM-SHA-256 + - SCRAM-SHA-512 + type: string + secrets: + additionalProperties: true + type: object + properties: + password: + anyOf: + - 
additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: true + type: object + properties: + key: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + required: + - key + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + timeout: + type: number + topic: + type: string + type: + enum: + - kafka + type: string + username: + nullable: true + type: string + version: + type: string + required: + - name + - type + - hosts + - auth_type + title: output_kafka type: object + Kibana_HTTP_APIs_output_logstash: + additionalProperties: true properties: - array: - description: Indicates whether the field is an array. + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false type: boolean - dynamic: - description: Indicates whether it is a dynamic field mapping. + is_default_monitoring: + default: false type: boolean - format: - description: > - Indicates the format of the field. For example, if the `type` is - `date_range`, the `format` can be - `epoch_millis||strict_date_optional_time`. + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: type: string - ignore_above: - description: >- - Specifies the maximum length of a string field. Longer strings are - not indexed or stored. - type: integer - index: - description: Indicates whether field values are indexed. 
+ otel_disable_beatsauth: + nullable: true type: boolean - path: - description: TBD + otel_exporter_config_yaml: + nullable: true type: string - properties: - additionalProperties: - type: object - properties: - type: - description: The data type for each object property. - type: string - description: > - Details about the object properties. This property is applicable - when `type` is `object`. + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: true type: object - required: - description: Indicates whether the field is required. - type: boolean - scaling_factor: - description: > - The scaling factor to use when encoding values. This property is - applicable when `type` is `scaled_float`. Values will be multiplied - by this factor at index time and rounded to the closest long value. - type: integer + properties: + ssl: + additionalProperties: true + type: object + properties: + key: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true type: - description: Specifies the data type for the field. 
- example: scaled_float + enum: + - logstash type: string - APM_UI_400_response: + required: + - name + - type + - hosts + title: output_logstash type: object + Kibana_HTTP_APIs_output_remote_elasticsearch: + additionalProperties: true properties: - error: - description: Error type - example: Not Found - type: string - message: - description: Error message - example: Not Found + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true type: string - statusCode: - description: Error status code - example: 400 - type: number - APM_UI_401_response: - type: object - properties: - error: - description: Error type - example: Unauthorized + ca_trusted_fingerprint: + nullable: true type: string - message: - description: Error message + config_yaml: + nullable: true type: string - statusCode: - description: Error status code - example: 401 - type: number - APM_UI_403_response: - type: object - properties: - error: - description: Error type - example: Forbidden + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array + id: type: string - message: - description: Error message + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + kibana_api_key: + nullable: true type: string - statusCode: - description: Error status code - example: 403 - type: number - APM_UI_404_response: - type: object - properties: - error: - description: Error type - example: Not Found + kibana_url: + nullable: true type: string - message: - description: Error message - example: Not Found + name: type: string - statusCode: - description: Error status code - example: 404 - type: number - APM_UI_500_response: - type: object - properties: - error: - description: Error type - example: Internal Server Error + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true type: 
string - message: - description: Error message + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency type: string - statusCode: - description: Error status code - example: 500 - type: number - APM_UI_501_response: - type: object - properties: - error: - description: Error type - example: Not Implemented + proxy_id: + nullable: true type: string - message: - description: Error message - example: Not Implemented + secrets: + additionalProperties: true + type: object + properties: + service_token: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: true + type: object + properties: + key: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + service_token: + nullable: true type: string - statusCode: - description: Error status code - example: 501 - type: number - APM_UI_agent_configuration_intake_object: - type: object - properties: - agent_name: - description: >- - The agent name is used by the UI to determine which settings to - display. 
+ shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + sync_integrations: + type: boolean + sync_uninstalled_integrations: + type: boolean + type: + enum: + - remote_elasticsearch type: string - service: - $ref: '#/components/schemas/APM_UI_service_object' - settings: - $ref: '#/components/schemas/APM_UI_settings_object' + write_to_logs_streams: + nullable: true + type: boolean required: - - service - - settings - APM_UI_agent_configuration_object: - description: Agent configuration + - name + - type + - hosts + title: output_remote_elasticsearch type: object + Kibana_HTTP_APIs_output_shipper: + additionalProperties: true properties: - '@timestamp': - description: Timestamp - example: 1730194190636 + compression_level: + nullable: true type: number - agent_name: - description: Agent name - type: string - applied_by_agent: - description: Applied by agent - example: true + disk_queue_compression_enabled: + nullable: true type: boolean - etag: - description: > - `etag` is sent by the APM agent to indicate the `etag` of the last - successfully applied configuration. If the `etag` matches an - existing configuration its `applied_by_agent` property will be set - to `true`. Every time a configuration is edited `applied_by_agent` - is reset to `false`. 
- example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 + disk_queue_enabled: + default: false + nullable: true + type: boolean + disk_queue_encryption_enabled: + nullable: true + type: boolean + disk_queue_max_size: + nullable: true + type: number + disk_queue_path: + nullable: true type: string - service: - $ref: '#/components/schemas/APM_UI_service_object' - settings: - $ref: '#/components/schemas/APM_UI_settings_object' + loadbalance: + nullable: true + type: boolean + max_batch_bytes: + nullable: true + type: number + mem_queue_events: + nullable: true + type: number + queue_flush_timeout: + nullable: true + type: number required: - - service - - settings - - '@timestamp' - - etag - APM_UI_agent_configurations_response: + - disk_queue_path + - disk_queue_max_size + - disk_queue_encryption_enabled + - disk_queue_compression_enabled + - compression_level + - loadbalance + - mem_queue_events + - queue_flush_timeout + - max_batch_bytes + title: output_shipper type: object + Kibana_HTTP_APIs_output_ssl: + additionalProperties: true properties: - configurations: - description: Agent configuration + certificate: + type: string + certificate_authorities: items: - $ref: '#/components/schemas/APM_UI_agent_configuration_object' + type: string + maxItems: 10 type: array - APM_UI_agent_keys_object: + key: + type: string + verification_mode: + enum: + - full + - none + - certificate + - strict + type: string + title: output_ssl + type: object + Kibana_HTTP_APIs_QueryStreamUpsertRequest: + additionalProperties: false type: object properties: - name: - description: The name of the APM agent key. - type: string - privileges: - description: > - The APM agent key privileges. It can take one or more of the - following values: - - * `event:write`, which is required for ingesting APM agent events. * - `config_agent:read`, which is required for APM agents to read agent - configuration remotely. 
+ dashboards: items: - enum: - - event:write - - config_agent:read type: string type: array - required: - - name - - privileges - APM_UI_agent_keys_response: - type: object - properties: - agentKey: - description: Agent key + queries: + items: + type: object + properties: + description: + type: string + esql: + type: object + properties: + query: + type: string + required: + - query + evidence: + items: + type: string + type: array + id: + description: A non-empty string. + minLength: 1 + type: string + severity_score: + type: number + title: + description: A non-empty string. + minLength: 1 + type: string + type: + default: match + enum: + - match + - stats + type: string + required: + - id + - title + - description + - esql + type: array + rules: + items: + type: string + type: array + stream: + additionalProperties: false type: object properties: - api_key: - type: string - encoded: - type: string - expiration: - format: int64 - type: integer - id: + description: type: string - name: + field_descriptions: + additionalProperties: + type: string + type: object + query: + additionalProperties: false + type: object + properties: + esql: + type: string + view: + type: string + required: + - view + - esql + query_streams: + items: + type: object + properties: + name: + type: string + required: + - name + type: array + type: + enum: + - query type: string required: - - id - - name - - api_key - - encoded - APM_UI_annotation_search_response: + - description + - type + - query + required: + - dashboards + - rules + - queries + - stream + Kibana_HTTP_APIs_RecursiveRecord: + additionalProperties: + anyOf: + - anyOf: + - type: string + - type: number + - type: boolean + - nullable: true + - {} + - items: + anyOf: + - type: string + - type: number + - type: boolean + - nullable: true + - {} + type: array + - items: {} + type: array + - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' type: object + Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting: + 
additionalProperties: false properties: - annotations: - description: Annotations + actions: + default: [] items: + additionalProperties: false + description: An action that runs under defined conditions. type: object properties: - '@timestamp': - type: number - id: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. 
An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. 
It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string - text: + id: + description: The identifier for the connector saved object. type: string - type: - enum: - - version + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. 
type: string + required: + - id type: array - APM_UI_base_source_map_object: - type: object - properties: - compressionAlgorithm: - description: Compression Algorithm - type: string - created: - description: Created date - type: string - decodedSha256: - description: Decoded SHA-256 - type: string - decodedSize: - description: Decoded size - type: number - encodedSha256: - description: Encoded SHA-256 - type: string - encodedSize: - description: Encoded size - type: number - encryptionAlgorithm: - description: Encryption Algorithm - type: string - id: - description: Identifier - type: string - identifier: - description: Identifier - type: string - packageName: - description: Package name - type: string - relative_url: - description: Relative URL + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string - type: - description: Type + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. 
+ type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - APM_UI_create_annotation_object: - type: object - properties: - '@timestamp': - description: The date and time of the annotation. It must be in ISO 8601 format. + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true type: string - message: - description: >- - The message displayed in the annotation. 
It defaults to - `service.version`. + params: + additionalProperties: false + description: The parameters for the slo burn rate rule. These parameters are appropriate when `rule_type_id` is `slo.rules.burnRate`. + properties: + dependencies: + items: + additionalProperties: false + type: object + properties: + actionGroupsToSuppressOn: + items: + type: string + type: array + ruleId: + type: string + required: + - ruleId + - actionGroupsToSuppressOn + type: array + sloId: + type: string + windows: + items: + additionalProperties: false + type: object + properties: + actionGroup: + type: string + burnRateThreshold: + type: number + id: + type: string + longWindow: + additionalProperties: false + type: object + properties: + unit: + type: string + value: + type: number + required: + - value + - unit + maxBurnRateThreshold: + nullable: true + type: number + shortWindow: + additionalProperties: false + type: object + properties: + unit: + type: string + value: + type: number + required: + - value + - unit + required: + - id + - burnRateThreshold + - maxBurnRateThreshold + - longWindow + - shortWindow + - actionGroup + type: array + required: + - sloId + - windows + title: SLO Burn Rate Rule Params + type: object + rule_type_id: + enum: + - slo.rules.burnRate type: string - service: - description: The service that identifies the configuration to create or update. + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: - environment: - description: The environment of the service. - type: string - version: - description: The version of the service. + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string required: - - version + - interval tags: - description: > - Tags are used by the Applications UI to distinguish APM annotations - from other annotations. Tags may have additional functionality in - future releases. 
It defaults to `[apm]`. While you can add - additional tags, you cannot remove the `apm` tag. + default: [] + description: The tags for the rule. items: type: string type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string required: - - '@timestamp' - - service - APM_UI_create_annotation_response: + - name + - consumer + - schedule + - rule_type_id + - params + title: SLO burn rate + type: object + Kibana_HTTP_APIs_StreamlangConditionBlock: + additionalProperties: false type: object properties: - _id: - description: Identifier - type: string - _index: - description: Index + condition: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ConditionWithSteps' + customIdentifier: type: string - _source: - description: Response - type: object - properties: - '@timestamp': - type: string - annotation: + required: + - condition + Kibana_HTTP_APIs_StreamlangStep: + anyOf: + - anyOf: + - additionalProperties: false + description: Grok processor - Extract fields from text using grok patterns + type: object + properties: + action: + enum: + - grok + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to parse with grok patterns + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + pattern_definitions: + additionalProperties: + type: 
string + type: object + patterns: + description: Grok patterns applied in order to extract fields + items: + description: A non-empty string. + minLength: 1 + type: string + minItems: 1 + type: array + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - patterns + - additionalProperties: false + description: Dissect processor - Extract fields from text using a lightweight, delimiter-based parser + type: object + properties: + action: + enum: + - dissect + type: string + append_separator: + description: Separator inserted when target fields are concatenated + minLength: 1 + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to parse with dissect pattern + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + pattern: + description: Dissect pattern describing field boundaries + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - pattern + - additionalProperties: false + description: Date processor - Parse dates from strings using one or more expected formats + type: object + properties: + action: + enum: + - date + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + formats: + description: Accepted input date formats, tried in 
order + items: + description: A non-empty string. + minLength: 1 + type: string + type: array + from: + description: Source field containing the date/time text + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + locale: + description: Optional locale for date parsing + minLength: 1 + type: string + output_format: + description: Optional output format for storing the parsed date as text + minLength: 1 + type: string + timezone: + description: Optional timezone for date parsing + minLength: 1 + type: string + to: + description: Target field for the parsed date (defaults to source) + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - formats + - additionalProperties: false + type: object + properties: + action: + enum: + - drop_document + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - additionalProperties: false + type: object + properties: + action: + enum: + - math + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + expression: + description: A non-empty string. 
+ minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - expression + - to + - additionalProperties: false + description: Rename processor - Change a field name and optionally its location + type: object + properties: + action: + enum: + - rename + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Existing source field to rename or move + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip when source field is missing + type: boolean + override: + description: Allow overwriting the target field if it already exists + type: boolean + to: + description: New field name or destination path + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - to + - additionalProperties: false + description: Set processor - Assign a literal or copied value to a field (mutually exclusive inputs) + type: object + properties: + action: + enum: + - set + type: string + copy_from: + description: Copy value from another field instead of providing a literal + minLength: 1 + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + 
ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + override: + description: Allow overwriting an existing target field + type: boolean + to: + description: Target field to set or create + minLength: 1 + type: string + value: + description: Literal value to assign to the target field + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - to + - additionalProperties: false + description: Append processor - Append one or more values to an existing or new array field + type: object + properties: + action: + enum: + - append + type: string + allow_duplicates: + description: If true, do not deduplicate appended values + type: boolean + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + to: + description: Array field to append values to + minLength: 1 + type: string + value: + description: Values to append (must be literal, no templates) + items: {} + minItems: 1 + type: array + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - to + - value + - additionalProperties: false + description: Remove by prefix processor - Remove a field and all nested fields matching the prefix + type: object + properties: + action: + enum: + - remove_by_prefix + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Field to remove along with all its 
nested fields + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + required: + - action + - from + - additionalProperties: false + description: Remove processor - Delete one or more fields from the document + type: object + properties: + action: + enum: + - remove + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Field to remove from the document + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - additionalProperties: false + type: object + properties: + action: + enum: + - replace + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + pattern: + minLength: 1 + type: string + replacement: + type: string + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - pattern + - replacement + - additionalProperties: false + description: Redact processor - Mask sensitive data using Grok patterns + type: object + properties: + action: + enum: 
+ - redact + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to redact sensitive data from + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing (defaults to true) + type: boolean + pattern_definitions: + additionalProperties: + type: string + description: Custom pattern definitions to use in the patterns + type: object + patterns: + description: Grok patterns to match sensitive data (for example, "%{IP:client}", "%{EMAILADDRESS:email}") + items: + description: A non-empty string. + minLength: 1 + type: string + minItems: 1 + type: array + prefix: + description: Prefix to prepend to the redacted pattern name (defaults to "<") + type: string + suffix: + description: Suffix to append to the redacted pattern name (defaults to ">") + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - patterns + - additionalProperties: false + type: object + properties: + action: + enum: + - uppercase + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + 
required: + - action + - from + - additionalProperties: false + type: object + properties: + action: + enum: + - lowercase + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - additionalProperties: false + type: object + properties: + action: + enum: + - trim + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - additionalProperties: false + type: object + properties: + action: + enum: + - join + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + delimiter: + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + items: + minLength: 1 + type: string + minItems: 1 + type: array + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: 
boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - delimiter + - to + - additionalProperties: false + description: Split processor - Split a field value into an array using a separator type: object properties: - title: + action: + enum: + - split + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to split into an array + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + preserve_trailing: + description: Preserve empty trailing fields in the split result + type: boolean + separator: + description: Regex separator used to split the field value into an array + minLength: 1 + type: string + to: + description: Target field for the split array (defaults to source) + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - separator + - additionalProperties: false + type: object + properties: + action: + enum: + - sort + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Array field to sort + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing 
when source field is missing + type: boolean + order: + description: Sort order - "asc" (ascending) or "desc" (descending). Defaults to "asc" + enum: + - asc + - desc + type: string + to: + description: Target field for the sorted array (defaults to source) + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - additionalProperties: false + description: Convert processor - Change the data type of a field value (integer, long, double, boolean, or string) + type: object + properties: + action: + enum: + - convert + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to convert to a different data type + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + to: + description: Target field for the converted value (defaults to source) + minLength: 1 type: string type: + description: 'Target data type: integer, long, double, boolean, or string' + enum: + - integer + - long + - double + - boolean + - string type: string - event: + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - type + - additionalProperties: false type: object properties: - created: + action: + enum: + - concat type: string - message: - type: string - service: + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this 
processor step + type: string + from: + items: + anyOf: + - type: object + properties: + type: + enum: + - field + type: string + value: + minLength: 1 + type: string + required: + - type + - value + - type: object + properties: + type: + enum: + - literal + type: string + value: + type: string + required: + - type + - value + minItems: 1 + type: array + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - to + - allOf: + - additionalProperties: false + type: object + properties: + action: + enum: + - network_direction + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + destination_ip: + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + source_ip: + minLength: 1 + type: string + target_field: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - source_ip + - destination_ip + - anyOf: + - additionalProperties: false + type: object + properties: + internal_networks: + items: + type: string + type: array + required: + - internal_networks + - additionalProperties: false + type: object + properties: + internal_networks_field: + minLength: 1 + type: string + required: + - internal_networks_field + - additionalProperties: false + description: JsonExtract processor - Extract values from JSON strings using JSONPath-like selectors type: object 
properties: - environment: + action: + enum: + - json_extract type: string - name: + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 type: string - version: + description: + description: Human-readable notes about this processor step type: string - tags: - items: - type: string - type: array - APM_UI_delete_agent_configurations_response: - type: object - properties: - result: - description: Result - type: string - APM_UI_delete_service_object: - description: Service - type: object - properties: - service: - $ref: '#/components/schemas/APM_UI_service_object' - required: - - service - APM_UI_search_agent_configuration_object: - type: object - properties: - error: - description: > - If provided, the agent configuration will be marked as error and - `applied_by_agent` will be set to `false`. - - This is useful for cases where the agent configuration was not - applied successfully. - type: string - etag: - description: If etags match then `applied_by_agent` field will be set to `true` - example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 - type: string - mark_as_applied_by_agent: - description: > - `markAsAppliedByAgent=true` means "force setting it to true - regardless of etag". 
- - This is needed for Jaeger agent that doesn't have etags - type: boolean - service: - $ref: '#/components/schemas/APM_UI_service_object' - required: - - service - APM_UI_search_agent_configuration_response: - type: object - properties: - _id: - description: Identifier - type: string - _index: - description: Index - type: string - _score: - description: Score - type: number - _source: - $ref: '#/components/schemas/APM_UI_agent_configuration_object' - APM_UI_service_agent_name_response: - type: object - properties: - agentName: - description: Agent name - example: nodejs - type: string - APM_UI_service_environment_object: - type: object - properties: - alreadyConfigured: - description: Already configured - type: boolean - name: - description: Service environment name - example: ALL_OPTION_VALUE - type: string - APM_UI_service_environments_response: - type: object - properties: - environments: - description: Service environment list - items: - $ref: '#/components/schemas/APM_UI_service_environment_object' - type: array - APM_UI_service_object: - description: Service - type: object - properties: - environment: - description: The environment of the service. - example: prod - type: string - name: - description: The name of the service. 
- example: node - type: string - APM_UI_settings_object: - additionalProperties: - type: string - description: Agent configuration settings - type: object - APM_UI_single_agent_configuration_response: - allOf: - - type: object - properties: - id: - type: string - required: - - id - - $ref: '#/components/schemas/APM_UI_agent_configuration_object' - APM_UI_source_maps_response: - type: object - properties: - artifacts: - description: Artifacts - items: - allOf: - - type: object - properties: - body: + extractions: + description: List of extraction specifications + items: + description: A single extraction specification type: object properties: - bundleFilepath: + selector: + description: JSONPath-like selector to extract value (e.g., "user.id", "$.metadata.client.ip", "items[0].name") + minLength: 1 type: string - serviceName: + target_field: + description: Target field to store the extracted value + minLength: 1 type: string - serviceVersion: + type: + description: Data type for the extracted value. Defaults to "keyword". Ensures consistent types across transpilers. + enum: + - keyword + - integer + - long + - double + - boolean type: string - sourceMap: - type: object - properties: - file: - type: string - mappings: - type: string - sourceRoot: - type: string - sources: - items: - type: string - type: array - sourcesContent: - items: - type: string - type: array - version: - type: number - - $ref: '#/components/schemas/APM_UI_base_source_map_object' - type: array - APM_UI_upload_source_map_object: - type: object - properties: - bundle_filepath: - description: >- - The absolute path of the final bundle as used in the web - application. - type: string - service_name: - description: The name of the service that the service map should apply to. - type: string - service_version: - description: The version of the service that the service map should apply to. - type: string - sourcemap: - description: > - The source map. It can be a string or file upload. 
It must follow - the - - [source map format specification](https://tc39.es/ecma426/). - format: binary - type: string - required: - - service_name - - service_version - - bundle_filepath - - sourcemap - APM_UI_upload_source_maps_response: - allOf: - - type: object - properties: - body: - type: string - - $ref: '#/components/schemas/APM_UI_base_source_map_object' - Cases_actions: - enum: - - add - - create - - delete - - push_to_service - - update - example: create - type: string - Cases_actions_comment_response_properties: - title: Case response properties for actions comments - type: object - properties: - actions: - type: object - properties: - targets: - items: - type: object - properties: - endpointId: - example: 1 - type: string - hostname: - example: host-01 - type: string - type: array - type: - example: isolate - type: string - comment: - example: Isolating the host from the case UI. - type: string - created_at: - example: '2022-05-13T09:16:17.416Z' - format: date-time - type: string - created_by: - $ref: '#/components/schemas/Cases_case_response_created_by_properties' - id: - example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 - type: string - owner: - $ref: '#/components/schemas/Cases_owner' - pushed_at: - example: null - format: date-time - nullable: true - type: string - pushed_by: - $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' - type: - enum: - - actions - example: actions - type: string - updated_at: - example: null - format: date-time - nullable: true - type: string - updated_by: - $ref: '#/components/schemas/Cases_case_response_updated_by_properties' - version: - example: WzIwNDMxLDFd - type: string - required: - - type - Cases_add_alert_comment_request_properties: - description: Defines properties for case comment requests when type is alert. 
- type: object - properties: - alertId: - $ref: '#/components/schemas/Cases_alert_identifiers' - index: - $ref: '#/components/schemas/Cases_alert_indices' - owner: - $ref: '#/components/schemas/Cases_owner' - rule: - $ref: '#/components/schemas/Cases_rule' - type: - description: The type of comment. - enum: - - alert - example: alert - type: string - required: - - alertId - - index - - owner - - rule - - type - title: Add case comment request properties for alerts - Cases_add_case_comment_request: - description: >- - The add comment to case API request body varies depending on whether you - are adding an alert or a comment. - discriminator: - mapping: - alert: '#/components/schemas/Cases_add_alert_comment_request_properties' - user: '#/components/schemas/Cases_add_user_comment_request_properties' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Cases_add_alert_comment_request_properties' - - $ref: '#/components/schemas/Cases_add_user_comment_request_properties' - title: Add case comment request - Cases_add_case_file_request: - description: >- - Defines the file that will be attached to the case. Optional parameters - will be generated automatically from the file metadata if not defined. - type: object - properties: - file: - description: The file being attached to the case. - format: binary - type: string - filename: - description: >- - The desired name of the file being attached to the case, it can be - different than the name of the file in the filesystem. **This should - not include the file extension.** - type: string - required: - - file - title: Add case file request properties - Cases_add_user_comment_request_properties: - description: Defines properties for case comment requests when type is user. - properties: - comment: - description: The new comment. It is required only when `type` is `user`. - example: A new comment. 
- maxLength: 30000 - type: string - owner: - $ref: '#/components/schemas/Cases_owner' - type: - description: The type of comment. - enum: - - user - example: user - type: string - required: - - comment - - owner - - type - title: Add case comment request properties for user comments - type: object - Cases_alert_comment_response_properties: - title: Add case comment response properties for alerts - type: object - properties: - alertId: - items: - example: a6e12ac4-7bce-457b-84f6-d7ce8deb8446 - type: string - type: array - created_at: - example: '2023-11-06T19:29:38.424Z' - format: date-time - type: string - created_by: - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - id: - example: 73362370-ab1a-11ec-985f-97e55adae8b9 - type: string - index: + required: + - selector + - target_field + minItems: 1 + type: array + field: + description: Source field containing the JSON string to parse + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - field + - extractions + - additionalProperties: false + type: object + properties: + action: + enum: + - enrich + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution 
if this processor fails + type: boolean + ignore_missing: + type: boolean + override: + type: boolean + policy_name: + description: A non-empty string. + minLength: 1 + type: string + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - policy_name + - to + - additionalProperties: false + description: Manual ingest pipeline wrapper around native Elasticsearch processors + type: object + properties: + action: + description: Manual ingest pipeline - executes raw Elasticsearch ingest processors + enum: + - manual_ingest_pipeline + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + on_failure: + description: Fallback processors to run when a processor fails + items: + additionalProperties: {} + type: object + type: array + processors: + description: List of raw Elasticsearch ingest processors to run + items: + additionalProperties: {} + type: object + type: array + tag: + description: Optional ingest processor tag for Elasticsearch + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - processors + - $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangConditionBlock' + Kibana_HTTP_APIs_StreamUpsertRequest: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_WiredStreamUpsertRequest' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicStreamUpsertRequest' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_QueryStreamUpsertRequest' + Kibana_HTTP_APIs_transform-health-create-rule-body-alerting: + 
additionalProperties: false + properties: + actions: + default: [] items: - example: .internal.alerts-security.alerts-default-000001 - type: string + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. 
An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. 
It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id type: array - owner: - $ref: '#/components/schemas/Cases_owner' - pushed_at: - example: null - format: date-time - nullable: true - type: string - pushed_by: - nullable: true + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. 
type: object properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number required: - - email - - full_name - - username - rule: + - active + artifacts: + additionalProperties: false type: object properties: - id: - description: The rule identifier. - example: 94d80550-aaf4-11ec-985f-97e55adae8b9 - nullable: true - type: string - name: - description: The rule name. - example: security_rule - nullable: true - type: string - type: - enum: - - alert - example: alert - type: string - updated_at: - format: date-time - nullable: true + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string - updated_by: + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. 
nullable: true type: object properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number required: - - email - - full_name - - username - version: - example: WzMwNDgsMV0= - type: string - required: - - type - Cases_alert_identifiers: - description: > - The alert identifiers. It is required only when `type` is `alert`. You - can use an array of strings to add multiple alerts to a case, provided - that they all relate to the same rule; `index` must also be an array - with the same length or number of elements. Adding multiple alerts in - this manner is recommended rather than calling the API multiple times. - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - example: 6b24c4dc44bc720cfc92797f3d61fff952f2b2627db1fb4f8cc49f4530c4ff42 - oneOf: - - type: string - - items: - type: string - maxItems: 1000 - type: array - title: Alert identifiers - x-state: Technical preview - Cases_alert_indices: - description: > - The alert indices. It is required only when `type` is `alert`. 
If you - are adding multiple alerts to a case, use an array of strings; the - position of each index name in the array must match the position of the - corresponding alert identifier in the `alertId` array. This - functionality is in technical preview and may be changed or removed in a - future release. Elastic will work to fix any issues, but features in - technical preview are not subject to the support SLA of official GA - features. - oneOf: - - type: string - - items: - type: string - maxItems: 1000 - type: array - title: Alert indices - x-state: Technical preview - Cases_alert_response_properties: - type: object - properties: - attached_at: - format: date-time - type: string - id: - description: The alert identifier. - type: string - index: - description: The alert index. - type: string - Cases_assignees: - description: An array containing users that are assigned to the case. - items: - type: object - properties: - uid: - description: >- - A unique identifier for the user profile. These identifiers can be - found by using the suggest user profile API. - example: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 - type: string - required: - - uid - maxItems: 10 - nullable: true - type: array - Cases_attachment_totals: - description: Counts of alerts, events, and user comments attached to a case. - properties: - alerts: - description: Number of alert attachments on the case. - type: integer - events: - description: Number of event attachments on the case. - type: integer - userComments: - description: Number of user comment attachments on the case. - type: integer - required: - - alerts - - events - - userComments - title: Attachment totals - type: object - Cases_case_categories: - items: - $ref: '#/components/schemas/Cases_case_category' - maxItems: 100 - type: array - Cases_case_category: - description: A word or phrase that categorizes the case. 
- maxLength: 50 - type: string - Cases_case_close_sync_reason: - description: > - The close reason to sync to attached alerts when closing the case. Can - be one of following predefined reasons: [false_positive, duplicate, - true_positive, benign_positive, automated_closure, other] or a custom - reason provided by the user. - oneOf: - - enum: - - false_positive - - duplicate - - true_positive - - benign_positive - - automated_closure - - other - type: string - - type: string - Cases_case_description: - description: The description for the case. - maxLength: 30000 - type: string - Cases_case_observable: - description: A single observable attached to a case. - properties: - createdAt: - description: When the observable was created. - example: '2024-11-14T10:00:00.000Z' - format: date-time - type: string - description: - description: An optional description for the observable. - example: Source IP - nullable: true - type: string - id: - description: The observable identifier. - example: df927ab8-54ed-47d6-be07-9948c255c097 - type: string - typeKey: - description: The observable type key. - example: observable-type-ipv4 - type: string - updatedAt: - description: When the observable was last updated. - example: '2024-11-14T10:00:00.000Z' - format: date-time - nullable: true - type: string - value: - description: The observable value. 
- example: 10.0.0.8 - type: string - required: - - id - - typeKey - - value - - description - - createdAt - - updatedAt - title: Case observable - type: object - Cases_case_response_closed_by_properties: - nullable: true - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - title: Case response properties for closed_by - type: object - Cases_case_response_created_by_properties: - title: Case response properties for created_by - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - Cases_case_response_get_case: - description: > - Case details returned by the get case API. The comments property is not - included in the response. Use the find case comments API to retrieve - comments. totalComment reflects the actual number of user comments. - properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - description: The case category. 
- nullable: true - type: string - closed_at: - format: date-time - nullable: true - type: string - closed_by: - $ref: '#/components/schemas/Cases_case_response_closed_by_properties' - connector: - discriminator: - mapping: - .cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook' - .jira: '#/components/schemas/Cases_connector_properties_jira' - .none: '#/components/schemas/Cases_connector_properties_none' - .resilient: '#/components/schemas/Cases_connector_properties_resilient' - .servicenow: '#/components/schemas/Cases_connector_properties_servicenow' - .servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir' - .swimlane: '#/components/schemas/Cases_connector_properties_swimlane' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Cases_connector_properties_none' - - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - - $ref: '#/components/schemas/Cases_connector_properties_jira' - - $ref: '#/components/schemas/Cases_connector_properties_resilient' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - - $ref: '#/components/schemas/Cases_connector_properties_swimlane' - title: Case response properties for connectors - created_at: - example: '2022-05-13T09:16:17.416Z' - format: date-time - type: string - created_by: - $ref: '#/components/schemas/Cases_case_response_created_by_properties' - customFields: - description: Custom field values for the case. - items: - type: object - properties: - key: - description: > - The unique identifier for the custom field. The key value must - exist in the case configuration settings. - type: string - type: - description: > - The custom field type. It must match the type specified in the - case configuration settings. - enum: - - text - - toggle - type: string - value: - description: > - The custom field value. 
If the custom field is required, it - cannot be explicitly set to null. However, for cases that - existed when the required custom field was added, the default - value stored in Elasticsearch is `undefined`. The value - returned in the API and user interface in this case is `null`. - oneOf: - - maxLength: 160 - minLength: 1 - nullable: true - type: string - - type: boolean - type: array - description: - example: A case description. - type: string - duration: - description: > - The elapsed time from the creation of the case to its closure (in - seconds). If the case has not been closed, the duration is set to - null. If the case was closed after less than half a second, the - duration is rounded down to zero. - example: 120 - nullable: true - type: integer - external_service: - $ref: '#/components/schemas/Cases_external_service' - id: - example: 66b9aa00-94fa-11ea-9f74-e7e108796192 - type: string - incremental_id: - description: > - A monotonically increasing number assigned to each case, unique per - space. This value is generated asynchronously after the case is - created and may not be present immediately in the response. - example: 1 - nullable: true - type: integer - observables: - description: Observables attached to the case. - items: - $ref: '#/components/schemas/Cases_case_observable' - type: array - owner: - $ref: '#/components/schemas/Cases_owner' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - status: - $ref: '#/components/schemas/Cases_case_status' - tags: - example: - - tag-1 - items: - type: string - type: array - title: - example: Case title 1 - type: string - total_observables: - description: The number of observables attached to the case. - example: 0 - nullable: true - type: integer - totalAlerts: - example: 0 - type: integer - totalComment: - description: >- - The number of user comments on the case. Use the find case comments - API to retrieve comment content. 
- example: 1 - type: integer - totalEvents: - description: The number of events attached to the case. - example: 0 - type: integer - updated_at: - format: date-time - nullable: true - type: string - updated_by: - $ref: '#/components/schemas/Cases_case_response_updated_by_properties' - version: - example: WzUzMiwxXQ== - type: string - required: - - closed_at - - closed_by - - connector - - created_at - - created_by - - description - - duration - - external_service - - id - - observables - - owner - - settings - - severity - - status - - tags - - title - - totalAlerts - - totalComment - - total_observables - - updated_at - - updated_by - - version - title: Get case response - type: object - Cases_case_response_properties: - title: Case response properties - type: object - properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - description: The case category. - nullable: true + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - closed_at: - format: date-time + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval nullable: true type: string - closed_by: - $ref: '#/components/schemas/Cases_case_response_closed_by_properties' - comments: - description: An array of comment objects for the case. + params: + additionalProperties: false + description: The parameters for the transform health rule. These parameters are appropriate when `rule_type_id` is `transform_health`. + properties: + excludeTransforms: + default: [] + items: + type: string + nullable: true + type: array + includeTransforms: + items: + type: string + type: array + testsConfig: + additionalProperties: false + nullable: true + type: object + properties: + errorMessages: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: false + type: boolean + healthCheck: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + notStarted: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + required: + - notStarted + - errorMessages + - healthCheck + required: + - includeTransforms + - testsConfig + title: Transform Health Rule Params + type: object + rule_type_id: + enum: + - transform_health + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. 
items: - discriminator: - mapping: - actions: '#/components/schemas/Cases_actions_comment_response_properties' - alert: '#/components/schemas/Cases_alert_comment_response_properties' - event: '#/components/schemas/Cases_event_comment_response_properties' - user: '#/components/schemas/Cases_user_comment_response_properties' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Cases_actions_comment_response_properties' - - $ref: '#/components/schemas/Cases_alert_comment_response_properties' - - $ref: '#/components/schemas/Cases_event_comment_response_properties' - - $ref: '#/components/schemas/Cases_user_comment_response_properties' - maxItems: 10000 - title: Case response properties for comments + type: string type: array - connector: - discriminator: - mapping: - .cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook' - .jira: '#/components/schemas/Cases_connector_properties_jira' - .none: '#/components/schemas/Cases_connector_properties_none' - .resilient: '#/components/schemas/Cases_connector_properties_resilient' - .servicenow: '#/components/schemas/Cases_connector_properties_servicenow' - .servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir' - .swimlane: '#/components/schemas/Cases_connector_properties_swimlane' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Cases_connector_properties_none' - - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - - $ref: '#/components/schemas/Cases_connector_properties_jira' - - $ref: '#/components/schemas/Cases_connector_properties_resilient' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - - $ref: '#/components/schemas/Cases_connector_properties_swimlane' - title: Case response properties for connectors - created_at: - example: '2022-05-13T09:16:17.416Z' - format: date-time + throttle: + description: 'Use the `throttle` property in the 
action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true type: string - created_by: - $ref: '#/components/schemas/Cases_case_response_created_by_properties' - customFields: - description: Custom field values for the case. + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Transform health + type: object + Kibana_HTTP_APIs_update_output_elasticsearch: + additionalProperties: false + properties: + allow_edit: items: - type: object - properties: - key: - description: > - The unique identifier for the custom field. The key value must - exist in the case configuration settings. - type: string - type: - description: > - The custom field type. It must match the type specified in the - case configuration settings. - enum: - - text - - toggle - type: string - value: - description: > - The custom field value. If the custom field is required, it - cannot be explicitly set to null. However, for cases that - existed when the required custom field was added, the default - value stored in Elasticsearch is `undefined`. The value - returned in the API and user interface in this case is `null`. - oneOf: - - maxLength: 160 - minLength: 1 - nullable: true - type: string - - type: boolean + type: string + maxItems: 1000 type: array - description: - example: A case description. + ca_sha256: + nullable: true type: string - duration: - description: > - The elapsed time from the creation of the case to its closure (in - seconds). If the case has not been closed, the duration is set to - null. If the case was closed after less than half a second, the - duration is rounded down to zero. 
- example: 120 + ca_trusted_fingerprint: nullable: true - type: integer - external_service: - $ref: '#/components/schemas/Cases_external_service' - id: - example: 66b9aa00-94fa-11ea-9f74-e7e108796192 type: string - incremental_id: - description: > - A monotonically increasing number assigned to each case, unique per - space. This value is generated asynchronously after the case is - created and may not be present immediately in the response. - example: 1 + config_yaml: nullable: true - type: integer - observables: - description: Observables attached to the case. - items: - $ref: '#/components/schemas/Cases_case_observable' - type: array - owner: - $ref: '#/components/schemas/Cases_owner' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - status: - $ref: '#/components/schemas/Cases_case_status' - tags: - example: - - tag-1 + type: string + hosts: items: + format: uri type: string + maxItems: 10 + minItems: 1 type: array - title: - example: Case title 1 + id: type: string - total_observables: - description: The number of observables attached to the case. - example: 0 + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: nullable: true - type: integer - totalAlerts: - example: 0 - type: integer - totalComment: - example: 0 - type: integer - totalEvents: - description: The number of events attached to the case. 
- example: 0 - type: integer - updated_at: - format: date-time + type: boolean + otel_exporter_config_yaml: nullable: true type: string - updated_by: - $ref: '#/components/schemas/Cases_case_response_updated_by_properties' - version: - example: WzUzMiwxXQ== + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency type: string - required: - - closed_at - - closed_by - - comments - - connector - - created_at - - created_by - - description - - duration - - external_service - - id - - observables - - owner - - settings - - severity - - status - - tags - - title - - totalAlerts - - totalComment - - total_observables - - updated_at - - updated_by - - version - Cases_case_response_pushed_by_properties: - nullable: true - properties: - email: - example: null + proxy_id: nullable: true type: string - full_name: - example: null + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' nullable: true + type: + enum: + - elasticsearch type: string - required: - - email - - full_name - - username - title: Case response properties for pushed_by + write_to_logs_streams: + nullable: true + type: boolean + title: update_output_elasticsearch type: object - Cases_case_response_updated_by_properties: - nullable: true + Kibana_HTTP_APIs_update_output_kafka: + additionalProperties: false properties: - email: - example: null - nullable: true + allow_edit: + items: + type: string + maxItems: 1000 + type: array + auth_type: + enum: 
+ - none + - user_pass + - ssl + - kerberos type: string - full_name: - example: null + broker_timeout: + type: number + ca_sha256: nullable: true type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic + ca_trusted_fingerprint: nullable: true type: string - required: - - email - - full_name - - username - title: Case response properties for updated_by - type: object - Cases_case_severity: - description: The severity of the case. - enum: - - critical - - high - - low - - medium - type: string - Cases_case_status: - description: The status of the case. - enum: - - closed - - in-progress - - open - type: string - Cases_case_tags: - description: > - The words and phrases that help categorize cases. It can be an empty - array. - items: - maxLength: 256 - type: string - maxItems: 200 - type: array - Cases_case_title: - description: A title for the case. - maxLength: 160 - type: string - Cases_closure_types: - description: >- - Indicates whether a case is automatically closed when it is pushed to - external systems (`close-by-pushing`) or not automatically closed - (`close-by-user`). - enum: - - close-by-pushing - - close-by-user - example: close-by-user - type: string - Cases_connector_properties_cases_webhook: - description: Defines properties for connectors when type is `.cases-webhook`. - type: object - properties: - fields: - example: null - nullable: true + client_id: type: string - id: - description: >- - The identifier for the connector. To retrieve connector IDs, use the - find connectors API. + compression: + enum: + - gzip + - snappy + - lz4 + - none type: string - name: - description: The name of the connector. + compression_level: + type: number + config_yaml: + nullable: true type: string - type: - description: The type of connector. 
+ connection_type: enum: - - .cases-webhook - example: .cases-webhook + - plaintext + - encryption type: string - required: - - fields - - id - - name - - type - title: Create or upate case request properties for Cases Webhook connector - Cases_connector_properties_jira: - description: Defines properties for connectors when type is `.jira`. - type: object - properties: - fields: - description: >- - An object containing the connector fields. If you want to omit any - individual field, specify null as its value. + hash: + additionalProperties: false type: object properties: - issueType: - description: The type of issue. - nullable: true - type: string - parent: - description: The key of the parent issue, when the issue type is sub-task. - nullable: true - type: string - priority: - description: The priority of the issue. - nullable: true + hash: type: string - required: - - issueType - - parent - - priority + random: + type: boolean + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + hosts: + items: + type: string + maxItems: 10 + minItems: 1 + type: array id: - description: >- - The identifier for the connector. To retrieve connector IDs, use the - find connectors API. + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + key: type: string name: - description: The name of the connector. type: string - type: - description: The type of connector. 
+ otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + partition: enum: - - .jira - example: .jira + - random + - round_robin + - hash type: string - required: - - fields - - id - - name - - type - title: Create or update case request properties for a Jira connector - Cases_connector_properties_none: - description: Defines properties for connectors when type is `.none`. - type: object - properties: - fields: - description: >- - An object containing the connector fields. To create a case without - a connector, specify null. To update a case to remove the connector, - specify null. - example: null + password: nullable: true type: string - id: - description: >- - The identifier for the connector. To create a case without a - connector, use `none`. To update a case to remove the connector, - specify `none`. - example: none - type: string - name: - description: >- - The name of the connector. To create a case without a connector, use - `none`. To update a case to remove the connector, specify `none`. - example: none + proxy_id: + nullable: true type: string - type: - description: >- - The type of connector. To create a case without a connector, use - `.none`. To update a case to remove the connector, specify `.none`. + random: + additionalProperties: false + type: object + properties: + group_events: + type: number + required_acks: enum: - - .none - example: .none - type: string - required: - - fields - - id - - name - - type - title: Create or update case request properties for no connector - Cases_connector_properties_resilient: - description: Defines properties for connectors when type is `.resilient`. - type: object - properties: - fields: - description: >- - An object containing the connector fields. If you want to omit any - individual field, specify null as its value. 
+ - 1 + - 0 + - -1 + type: integer + round_robin: + additionalProperties: false + type: object + properties: + group_events: + type: number + sasl: + additionalProperties: false nullable: true type: object properties: - issueTypes: - description: The type of incident. - items: - type: string - type: array - severityCode: - description: The severity code of the incident. + mechanism: + enum: + - PLAIN + - SCRAM-SHA-256 + - SCRAM-SHA-512 type: string - required: - - issueTypes - - severityCode - id: - description: The identifier for the connector. - type: string - name: - description: The name of the connector. - type: string - type: - description: The type of connector. - enum: - - .resilient - example: .resilient - type: string - required: - - fields - - id - - name - - type - title: Create case request properties for a IBM Resilient connector - Cases_connector_properties_servicenow: - description: Defines properties for connectors when type is `.servicenow`. - type: object - properties: - fields: - description: >- - An object containing the connector fields. If you want to omit any - individual field, specify null as its value. + secrets: + additionalProperties: false type: object properties: - category: - description: The category of the incident. - nullable: true - type: string - impact: - description: The effect an incident had on business. - nullable: true - type: string - severity: - description: The severity of the incident. - nullable: true - type: string - subcategory: - description: The subcategory of the incident. - nullable: true - type: string - urgency: - description: The extent to which the incident resolution can be delayed. - nullable: true - type: string - required: - - category - - impact - - severity - - subcategory - - urgency - id: - description: >- - The identifier for the connector. To retrieve connector IDs, use the - find connectors API. - type: string - name: - description: The name of the connector. 
+ password: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + required: + - key + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + timeout: + type: number + topic: type: string type: - description: The type of connector. enum: - - .servicenow - example: .servicenow + - kafka + type: string + username: + nullable: true + type: string + version: type: string required: - - fields - - id - name - - type - title: Create case request properties for a ServiceNow ITSM connector - Cases_connector_properties_servicenow_sir: - description: Defines properties for connectors when type is `.servicenow-sir`. + title: update_output_kafka type: object + Kibana_HTTP_APIs_update_output_logstash: + additionalProperties: false properties: - fields: - description: >- - An object containing the connector fields. If you want to omit any - individual field, specify null as its value. - type: object - properties: - category: - description: The category of the incident. - nullable: true - type: string - destIp: - description: >- - Indicates whether cases will send a comma-separated list of - destination IPs. - nullable: true - type: boolean - malwareHash: - description: >- - Indicates whether cases will send a comma-separated list of - malware hashes. - nullable: true - type: boolean - malwareUrl: - description: >- - Indicates whether cases will send a comma-separated list of - malware URLs. - nullable: true - type: boolean - priority: - description: The priority of the issue. 
- nullable: true - type: string - sourceIp: - description: >- - Indicates whether cases will send a comma-separated list of - source IPs. - nullable: true - type: boolean - subcategory: - description: The subcategory of the incident. - nullable: true - type: string - required: - - category - - destIp - - malwareHash - - malwareUrl - - priority - - sourceIp - - subcategory + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + type: string + maxItems: 10 + minItems: 1 + type: array id: - description: >- - The identifier for the connector. To retrieve connector IDs, use the - find connectors API. type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean name: - description: The name of the connector. type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true type: - description: The type of connector. 
enum: - - .servicenow-sir - example: .servicenow-sir + - logstash type: string - required: - - fields - - id - - name - - type - title: Create case request properties for a ServiceNow SecOps connector - Cases_connector_properties_swimlane: - description: Defines properties for connectors when type is `.swimlane`. + title: update_output_logstash type: object + Kibana_HTTP_APIs_update_output_remote_elasticsearch: + additionalProperties: false properties: - fields: - description: >- - An object containing the connector fields. If you want to omit any - individual field, specify null as its value. - type: object - properties: - caseId: - description: The case identifier for Swimlane connectors. - nullable: true - type: string - required: - - caseId + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array id: - description: >- - The identifier for the connector. To retrieve connector IDs, use the - find connectors API. + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + kibana_api_key: + nullable: true + type: string + kibana_url: + nullable: true type: string name: - description: The name of the connector. 
type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + service_token: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + service_token: + nullable: true + type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + sync_integrations: + type: boolean + sync_uninstalled_integrations: + type: boolean type: - description: The type of connector. enum: - - .swimlane - example: .swimlane + - remote_elasticsearch type: string - required: - - fields - - id - - name - - type - title: Create case request properties for a Swimlane connector - Cases_connector_types: - description: The type of connector. - enum: - - .cases-webhook - - .jira - - .none - - .resilient - - .servicenow - - .servicenow-sir - - .swimlane - example: .none - type: string - Cases_create_case_request: - description: >- - The create case API request body varies depending on the type of - connector. 
+ write_to_logs_streams: + nullable: true + type: boolean + title: update_output_remote_elasticsearch + type: object + Kibana_HTTP_APIs_WiredStreamUpsertRequest: + additionalProperties: false + type: object properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - $ref: '#/components/schemas/Cases_case_category' - connector: - oneOf: - - $ref: '#/components/schemas/Cases_connector_properties_none' - - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - - $ref: '#/components/schemas/Cases_connector_properties_jira' - - $ref: '#/components/schemas/Cases_connector_properties_resilient' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - - $ref: '#/components/schemas/Cases_connector_properties_swimlane' - customFields: - description: > - Custom field values for a case. Any optional custom fields that are - not specified in the request are set to null. + dashboards: + items: + type: string + type: array + queries: items: type: object properties: - key: - description: > - The unique identifier for the custom field. The key value must - exist in the case configuration settings. + description: + type: string + esql: + type: object + properties: + query: + type: string + required: + - query + evidence: + items: + type: string + type: array + id: + description: A non-empty string. + minLength: 1 + type: string + severity_score: + type: number + title: + description: A non-empty string. + minLength: 1 type: string type: - description: > - The custom field type. It must match the type specified in the - case configuration settings. + default: match enum: - - text - - toggle + - match + - stats type: string - value: - description: > - The custom field value. If the custom field is required, it - cannot be explicitly set to null. 
However, for cases that - existed when the required custom field was added, the default - value stored in Elasticsearch is `undefined`. The value - returned in the API and user interface in this case is `null`. - oneOf: - - maxLength: 160 - minLength: 1 - nullable: true - type: string - - type: boolean required: - - key - - type - - value - maxItems: 10 - minItems: 0 + - id + - title + - description + - esql type: array - description: - $ref: '#/components/schemas/Cases_case_description' - owner: - $ref: '#/components/schemas/Cases_owner' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - tags: - $ref: '#/components/schemas/Cases_case_tags' - title: - $ref: '#/components/schemas/Cases_case_title' - required: - - connector - - description - - owner - - settings - - tags - - title - title: Create case request - type: object - Cases_event_comment_response_properties: - title: Case response properties for event comments - type: object - properties: - created_at: - example: '2022-05-13T09:16:17.416Z' - format: date-time - type: string - created_by: - $ref: '#/components/schemas/Cases_case_response_created_by_properties' - eventId: + rules: items: - example: 7605e6a6f9f4f990ad9f8f6901e5f082f1f1f1665cbaf2f0f2c6f8f6b0d8a39f type: string type: array - id: - example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 - type: string - index: + stream: + additionalProperties: false + type: object + properties: + description: + type: string + ingest: + additionalProperties: false + type: object + properties: + failure_store: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' + lifecycle: + $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' + processing: + additionalProperties: false + type: object + properties: + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + updated_at: {} + required: + - steps + settings: + additionalProperties: false + type: 
object + properties: + index.number_of_replicas: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.number_of_shards: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.refresh_interval: + additionalProperties: false + type: object + properties: + value: + anyOf: + - type: string + - enum: + - -1 + type: number + required: + - value + wired: + additionalProperties: false + type: object + properties: + draft: + type: boolean + fields: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinition' + routing: + items: + type: object + properties: + destination: + description: A non-empty string. + minLength: 1 + type: string + draft: + type: boolean + status: + enum: + - enabled + - disabled + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + required: + - destination + - where + type: array + required: + - fields + - routing + required: + - lifecycle + - processing + - settings + - failure_store + - wired + query_streams: + items: + type: object + properties: + name: + type: string + required: + - name + type: array + type: + enum: + - wired + type: string + required: + - description + - ingest + - type + required: + - dashboards + - rules + - queries + - stream + Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] items: - example: .internal.alerts-security.alerts-default-000001 - type: string + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
+ type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). 
+ type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id type: array - owner: - $ref: '#/components/schemas/Cases_owner' - pushed_at: - example: null - format: date-time - nullable: true - type: string - pushed_by: - $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' - type: - enum: - - event - example: event + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string - updated_at: - example: null - format: date-time + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - updated_by: - $ref: '#/components/schemas/Cases_case_response_updated_by_properties' - version: - example: WzIwNDMxLDFd - type: string - required: - - type - Cases_external_service: - nullable: true - type: object - properties: - connector_id: - type: string - connector_name: - type: string - external_id: - type: string - external_title: - type: string - external_url: - type: string - pushed_at: - format: date-time - type: string - pushed_by: + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval nullable: true - type: object + type: string + params: + additionalProperties: false + description: The parameters for the anomaly detection rule. These parameters are appropriate when `rule_type_id` is `xpack.ml.anomaly_detection_alert"`. properties: - email: - example: null + includeInterim: + default: true + type: boolean + jobSelection: + additionalProperties: false + type: object + properties: + groupIds: + default: [] + items: + type: string + type: array + jobIds: + default: [] + items: + type: string + type: array + kqlQueryString: nullable: true type: string - full_name: - example: null + lookbackInterval: nullable: true type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + resultType: + enum: + - record + - bucket + - influencer type: string - username: - example: elastic + severity: + maximum: 100 + minimum: 0 + type: number + topNBuckets: + minimum: 1 nullable: true + type: number + required: + - jobSelection + - severity + - resultType + - lookbackInterval + - topNBuckets + - kqlQueryString + title: Anomaly Detection Rule Params + type: object + rule_type_id: + enum: + - xpack.ml.anomaly_detection_alert + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions 
are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - Cases_find_comments_response: - title: Find case comments response - type: object - properties: - comments: - description: Paginated list of user comments for the case. + required: + - interval + tags: + default: [] + description: The tags for the rule. items: - $ref: '#/components/schemas/Cases_user_comment_response_properties' + type: string type: array - page: - description: The current page index. - type: integer - per_page: - description: The number of items per page. - type: integer - total: - description: The total number of comments. - type: integer + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string required: - - comments - - page - - per_page - - total - Cases_owner: - description: > - The application that owns the cases: Stack Management, Observability, or - Elastic Security. - enum: - - cases - - observability - - securitySolution - example: cases - type: string - Cases_owners: - items: - $ref: '#/components/schemas/Cases_owner' - type: array - Cases_payload_alert_comment: + - name + - consumer + - schedule + - rule_type_id + - params + title: Anomaly detection type: object + Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting: + additionalProperties: false properties: - comment: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. 
+ type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. 
+ items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. 
NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: - alertId: - oneOf: - - example: 1c0b056b-cc9f-4b61-b5c9-cb801abd5e1d - type: string - - items: - type: string - type: array - index: - oneOf: - - example: .alerts-observability.logs.alerts-default - type: string - - items: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: type: string - type: array - owner: - $ref: '#/components/schemas/Cases_owner' - rule: + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false type: object properties: - id: - description: The rule identifier. - example: 94d80550-aaf4-11ec-985f-97e55adae8b9 - nullable: true - type: string - name: - description: The rule name. - example: security_rule - nullable: true + blob: + maxLength: 10000 type: string - type: - enum: - - alert - type: string - Cases_payload_assignees: - type: object - properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - Cases_payload_connector: - type: object - properties: - connector: + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true type: object properties: - fields: - description: >- - An object containing the connector fields. To create a case - without a connector, specify null. If you want to omit any - individual field, specify null as its value. - example: null + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. 
+ type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the anomaly detection jobs health rule. These parameters are appropriate when `rule_type_id` is `xpack.ml.anomaly_detection_jobs_health"`. + properties: + excludeJobs: + additionalProperties: false nullable: true type: object properties: - caseId: - description: The case identifier for Swimlane connectors. - type: string - category: - description: >- - The category of the incident for ServiceNow ITSM and - ServiceNow SecOps connectors. 
- type: string - destIp: - description: >- - Indicates whether cases will send a comma-separated list of - destination IPs for ServiceNow SecOps connectors. - nullable: true - type: boolean - impact: - description: >- - The effect an incident had on business for ServiceNow ITSM - connectors. - type: string - issueType: - description: The type of issue for Jira connectors. - type: string - issueTypes: - description: The type of incident for IBM Resilient connectors. + groupIds: + default: [] items: type: string type: array - malwareHash: - description: >- - Indicates whether cases will send a comma-separated list of - malware hashes for ServiceNow SecOps connectors. - nullable: true - type: boolean - malwareUrl: - description: >- - Indicates whether cases will send a comma-separated list of - malware URLs for ServiceNow SecOps connectors. - nullable: true - type: boolean - parent: - description: >- - The key of the parent issue, when the issue type is sub-task - for Jira connectors. - type: string - priority: - description: >- - The priority of the issue for Jira and ServiceNow SecOps - connectors. - type: string - severity: - description: The severity of the incident for ServiceNow ITSM connectors. - type: string - severityCode: - description: >- - The severity code of the incident for IBM Resilient - connectors. - type: string - sourceIp: - description: >- - Indicates whether cases will send a comma-separated list of - source IPs for ServiceNow SecOps connectors. - nullable: true - type: boolean - subcategory: - description: >- - The subcategory of the incident for ServiceNow ITSM - connectors. - type: string - urgency: - description: >- - The extent to which the incident resolution can be delayed - for ServiceNow ITSM connectors. - type: string - id: - description: >- - The identifier for the connector. To create a case without a - connector, use `none`. - example: none - type: string - name: - description: >- - The name of the connector. 
To create a case without a connector, - use `none`. - example: none - type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - Cases_payload_create_case: - type: object - properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - connector: - type: object - properties: - fields: - description: >- - An object containing the connector fields. To create a case - without a connector, specify null. If you want to omit any - individual field, specify null as its value. - example: null - nullable: true + jobIds: + default: [] + items: + type: string + type: array + includeJobs: + additionalProperties: false type: object properties: - caseId: - description: The case identifier for Swimlane connectors. - type: string - category: - description: >- - The category of the incident for ServiceNow ITSM and - ServiceNow SecOps connectors. - type: string - destIp: - description: >- - Indicates whether cases will send a comma-separated list of - destination IPs for ServiceNow SecOps connectors. - nullable: true - type: boolean - impact: - description: >- - The effect an incident had on business for ServiceNow ITSM - connectors. - type: string - issueType: - description: The type of issue for Jira connectors. - type: string - issueTypes: - description: The type of incident for IBM Resilient connectors. + groupIds: + default: [] items: type: string type: array - malwareHash: - description: >- - Indicates whether cases will send a comma-separated list of - malware hashes for ServiceNow SecOps connectors. + jobIds: + default: [] + items: + type: string + type: array + testsConfig: + additionalProperties: false + nullable: true + type: object + properties: + behindRealtime: + additionalProperties: false nullable: true - type: boolean - malwareUrl: - description: >- - Indicates whether cases will send a comma-separated list of - malware URLs for ServiceNow SecOps connectors. 
+ type: object + properties: + enabled: + default: true + type: boolean + timeInterval: + nullable: true + type: string + required: + - timeInterval + datafeed: + additionalProperties: false nullable: true - type: boolean - parent: - description: >- - The key of the parent issue, when the issue type is sub-task - for Jira connectors. - type: string - priority: - description: >- - The priority of the issue for Jira and ServiceNow SecOps - connectors. - type: string - severity: - description: The severity of the incident for ServiceNow ITSM connectors. - type: string - severityCode: - description: >- - The severity code of the incident for IBM Resilient - connectors. - type: string - sourceIp: - description: >- - Indicates whether cases will send a comma-separated list of - source IPs for ServiceNow SecOps connectors. + type: object + properties: + enabled: + default: true + type: boolean + delayedData: + additionalProperties: false nullable: true - type: boolean - subcategory: - description: >- - The subcategory of the incident for ServiceNow ITSM - connectors. - type: string - urgency: - description: >- - The extent to which the incident resolution can be delayed - for ServiceNow ITSM connectors. - type: string - id: - description: >- - The identifier for the connector. To create a case without a - connector, use `none`. - example: none - type: string - name: - description: >- - The name of the connector. To create a case without a connector, - use `none`. 
- example: none - type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - description: + type: object + properties: + docsCount: + minimum: 1 + nullable: true + type: number + enabled: + default: true + type: boolean + timeInterval: + nullable: true + type: string + required: + - docsCount + - timeInterval + errorMessages: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + mml: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + required: + - datafeed + - mml + - delayedData + - behindRealtime + - errorMessages + required: + - includeJobs + - excludeJobs + - testsConfig + title: Anomaly Detection Jobs Health Rule Params + type: object + rule_type_id: + enum: + - xpack.ml.anomaly_detection_jobs_health type: string - owner: - $ref: '#/components/schemas/Cases_owner' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - status: - $ref: '#/components/schemas/Cases_case_status' + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval tags: - example: - - tag-1 + default: [] + description: The tags for the rule. items: type: string type: array - title: - type: string - Cases_payload_delete: - description: >- - If the `action` is `delete` and the `type` is `delete_case`, the payload - is nullable. - nullable: true - type: object - Cases_payload_description: - type: object - properties: - description: + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. 
NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true type: string - Cases_payload_pushed: - type: object - properties: - externalService: - $ref: '#/components/schemas/Cases_external_service' - Cases_payload_settings: - type: object - properties: - settings: - $ref: '#/components/schemas/Cases_settings' - Cases_payload_severity: - type: object - properties: - severity: - $ref: '#/components/schemas/Cases_case_severity' - Cases_payload_status: - type: object - properties: - status: - $ref: '#/components/schemas/Cases_case_status' - Cases_payload_tags: + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Anomaly detection jobs health type: object + Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting: + additionalProperties: false properties: - tags: - example: - - tag-1 + actions: + default: [] items: - type: string + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. 
+ items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. 
+ type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. 
+ type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id type: array - Cases_payload_title: - type: object - properties: - title: - type: string - Cases_payload_user_comment: - type: object - properties: - comment: + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: - comment: - type: string - owner: - $ref: '#/components/schemas/Cases_owner' - type: - enum: - - user - type: string - Cases_related_case: - description: > - Summary of a case returned when listing cases that contain a given - alert. This is a subset of the full case response. - properties: - createdAt: - description: When the case was created. - format: date-time - type: string - description: - description: The case description. - type: string - id: - description: The case identifier. - type: string - status: - $ref: '#/components/schemas/Cases_case_status' - title: - description: The case title. - type: string - totals: - $ref: '#/components/schemas/Cases_attachment_totals' - required: - - id - - title - - description - - status - - createdAt - - totals - title: Related case - type: object - Cases_response_4xx: - properties: - error: - example: Unauthorized - type: string - message: - type: string - statusCode: - example: 401 - type: integer - title: Unsuccessful cases API response - type: object - Cases_rule: - description: > - The rule that is associated with the alerts. It is required only when - `type` is `alert`. 
This functionality is in technical preview and may be - changed or removed in a future release. Elastic will work to fix any - issues, but features in technical preview are not subject to the support - SLA of official GA features. - title: Alerting rule - type: object - properties: - id: - description: The rule identifier. - example: 94d80550-aaf4-11ec-985f-97e55adae8b9 + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. 
+ maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold name: - description: The rule name. - example: security_rule + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - x-state: Technical preview - Cases_searchFieldsType: - description: The fields to perform the `simple_query_string` parsed query against. - enum: - - description - - title - type: string - Cases_searchFieldsTypeArray: - items: - $ref: '#/components/schemas/Cases_searchFieldsType' - type: array - Cases_set_case_configuration_request: - description: >- - External connection details, such as the closure type and default - connector for cases. - properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: - description: An object that contains the connector configuration. - type: object + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the synthetics monitor status rule. These parameters are appropriate when `rule_type_id` is `xpack.synthetics.alerts.monitorStatus`. 
properties: - fields: - description: >- - The fields specified in the case configuration are not used and - are not propagated to individual cases, therefore it is - recommended to set it to `null`. - nullable: true + condition: + additionalProperties: false type: object - id: - description: >- - The identifier for the connector. If you do not want a default - connector, use `none`. To retrieve connector IDs, use the find - connectors API. - example: none - type: string - name: - description: >- - The name of the connector. If you do not want a default - connector, use `none`. To retrieve connector names, use the find - connectors API. - example: none + properties: + alertOnNoData: + type: boolean + downThreshold: + type: number + groupBy: + type: string + includeRetests: + type: boolean + locationsThreshold: + type: number + recoveryStrategy: + enum: + - firstUp + - conditionNotMet + type: string + window: + anyOf: + - additionalProperties: false + type: object + properties: + time: + additionalProperties: false + type: object + properties: + size: + default: 5 + type: number + unit: + default: m + enum: + - s + - m + - h + - d + type: string + required: + - time + - additionalProperties: false + type: object + properties: + numberOfChecks: + default: 5 + maximum: 100 + minimum: 1 + type: number + required: + - window + kqlQuery: type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - required: - - fields - - id - - name - - type - customFields: - description: Custom fields case configuration. - items: - type: object - properties: - defaultValue: - description: > - A default value for the custom field. If the `type` is `text`, - the default value must be a string. If the `type` is `toggle`, - the default value must be boolean. - oneOf: - - type: string - - type: boolean - key: - description: > - A unique key for the custom field. Must be lower case and - composed only of a-z, 0-9, '_', and '-' characters. 
It is used - in API calls to refer to a specific custom field. - maxLength: 36 - minLength: 1 + locations: + items: type: string - label: - description: The custom field label that is displayed in the case. - maxLength: 50 - minLength: 1 + type: array + monitorIds: + items: type: string - type: - description: The type of the custom field. - enum: - - text - - toggle + type: array + monitorTypes: + items: type: string - required: - description: > - Indicates whether the field is required. If `false`, the - custom field can be set to null or omitted when a case is - created or updated. - type: boolean - required: - - key - - label - - required - - type - maxItems: 10 - minItems: 0 + type: array + projects: + items: + type: string + type: array + tags: + items: + type: string + type: array + title: Synthetics Monitor Status Rule Params + type: object + rule_type_id: + enum: + - xpack.synthetics.alerts.monitorStatus + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string type: array - owner: - $ref: '#/components/schemas/Cases_owner' - templates: - $ref: '#/components/schemas/Cases_templates' + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string required: - - closure_type - - connector - - owner - title: Set case configuration request - type: object - Cases_settings: - description: An object that contains the case settings. + - name + - consumer + - schedule + - rule_type_id + - params + title: Synthetics monitor status type: object + Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting: + additionalProperties: false properties: - extractObservables: - description: > - When true, observables (e.g. IPs, hashes, URLs) are automatically - extracted from case comments. Optional; defaults to false when - omitted. - example: false - type: boolean - syncAlerts: - description: Turns alert syncing on or off. - example: true - type: boolean - required: - - syncAlerts - Cases_string: - type: string - Cases_string_array: - items: - $ref: '#/components/schemas/Cases_string' - maxItems: 100 - type: array - Cases_template_tags: - description: > - The words and phrases that help categorize templates. It can be an empty - array. - items: - maxLength: 256 - type: string - maxItems: 200 - type: array - Cases_templates: - items: - type: object - properties: - caseFields: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. type: object properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - $ref: '#/components/schemas/Cases_case_category' - connector: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: - fields: - description: >- - The fields specified in the case configuration are not - used and are not propagated to individual cases, therefore - it is recommended to set it to `null`. 
- nullable: true + query: + additionalProperties: false type: object - id: - description: >- - The identifier for the connector. If you do not want a - default connector, use `none`. To retrieve connector IDs, - use the find connectors API. - example: none + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. 
+ type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval type: string - name: - description: >- - The name of the connector. If you do not want a default - connector, use `none`. To retrieve connector names, use - the find connectors API. - example: none + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - customFields: - description: Custom field values in the template. - items: - type: object - properties: - key: - description: The unique key for the custom field. - type: string - type: - description: The type of the custom field. - enum: - - text - - toggle - type: string - value: - description: > - The default value for the custom field when a case uses - the template. If the `type` is `text`, the default value - must be a string. If the `type` is `toggle`, the default - value must be boolean. - oneOf: - - type: string - - type: boolean - type: array - x-state: Technical preview - description: - $ref: '#/components/schemas/Cases_case_description' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - tags: - $ref: '#/components/schemas/Cases_case_tags' - title: - $ref: '#/components/schemas/Cases_case_title' - description: - description: A description for the template. - type: string - key: - description: > - A unique key for the template. Must be lower case and composed - only of a-z, 0-9, '_', and '-' characters. It is used in API calls - to refer to a specific template. - type: string - name: - description: The name of the template. - type: string - tags: - $ref: '#/components/schemas/Cases_template_tags' - type: array - x-state: Technical preview - Cases_update_alert_comment_request_properties: - description: Defines properties for case comment requests when type is alert. - type: object - properties: - alertId: - $ref: '#/components/schemas/Cases_alert_identifiers' - id: - description: > - The identifier for the comment. To retrieve comment IDs, use the get - comments API. 
- example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
type: string - index: - $ref: '#/components/schemas/Cases_alert_indices' - owner: - $ref: '#/components/schemas/Cases_owner' - rule: - $ref: '#/components/schemas/Cases_rule' - type: - description: The type of comment. - enum: - - alert - example: alert + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - version: - description: > - The current comment version. To retrieve version values, use the get - comments API. - example: Wzk1LDFd + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. 
The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true type: string - required: - - alertId - - id - - index - - owner - - rule - - type - - version - title: Update case comment request properties for alerts - Cases_update_case_comment_request: - description: >- - The update case comment API request body varies depending on whether you - are updating an alert or a comment. - discriminator: - mapping: - alert: '#/components/schemas/Cases_update_alert_comment_request_properties' - user: '#/components/schemas/Cases_update_user_comment_request_properties' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Cases_update_alert_comment_request_properties' - - $ref: '#/components/schemas/Cases_update_user_comment_request_properties' - title: Update case comment request - Cases_update_case_configuration_request: - description: > - You can update settings such as the closure type, custom fields, - templates, and the default connector for cases. - properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: - description: An object that contains the connector configuration. - type: object + params: + additionalProperties: false + description: The parameters for the synthetics tls rule. These parameters are appropriate when `rule_type_id` is `xpack.synthetics.alerts.tls`. properties: - fields: - description: >- - The fields specified in the case configuration are not used and - are not propagated to individual cases, therefore it is - recommended to set it to `null`. - nullable: true - type: object - id: - description: >- - The identifier for the connector. If you do not want a default - connector, use `none`. To retrieve connector IDs, use the find - connectors API. 
- example: none - type: string - name: - description: >- - The name of the connector. If you do not want a default - connector, use `none`. To retrieve connector names, use the find - connectors API. - example: none + certAgeThreshold: + type: number + certExpirationThreshold: + type: number + kqlQuery: type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - required: - - fields - - id - - name - - type - customFields: - description: Custom fields case configuration. - items: - type: object - properties: - defaultValue: - description: > - A default value for the custom field. If the `type` is `text`, - the default value must be a string. If the `type` is `toggle`, - the default value must be boolean. - oneOf: - - type: string - - type: boolean - key: - description: > - A unique key for the custom field. Must be lower case and - composed only of a-z, 0-9, '_', and '-' characters. It is used - in API calls to refer to a specific custom field. - maxLength: 36 - minLength: 1 + locations: + items: type: string - label: - description: The custom field label that is displayed in the case. - maxLength: 50 - minLength: 1 + type: array + monitorIds: + items: type: string - type: - description: The type of the custom field. - enum: - - text - - toggle + type: array + monitorTypes: + items: type: string - required: - description: > - Indicates whether the field is required. If `false`, the - custom field can be set to null or omitted when a case is - created or updated. - type: boolean - required: - - key - - label - - required - - type + type: array + projects: + items: + type: string + type: array + search: + type: string + tags: + items: + type: string + type: array + title: Synthetics TLS Rule Params + type: object + rule_type_id: + enum: + - xpack.synthetics.alerts.tls + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. 
+ type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string type: array - templates: - $ref: '#/components/schemas/Cases_templates' - version: - description: > - The version of the connector. To retrieve the version value, use the - get configuration API. - example: WzIwMiwxXQ== + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true type: string required: - - version - title: Update case configuration request + - name + - consumer + - schedule + - rule_type_id + - params + title: Synthetics TLS type: object - Cases_update_case_request: - description: >- - The update case API request body varies depending on the type of - connector. + Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting: + additionalProperties: false properties: - cases: - description: An array containing one or more case objects. + actions: + default: [] items: + additionalProperties: false + description: An action that runs under defined conditions. 
type: object properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - $ref: '#/components/schemas/Cases_case_category' - closeReason: - $ref: '#/components/schemas/Cases_case_close_sync_reason' - connector: - oneOf: - - $ref: '#/components/schemas/Cases_connector_properties_none' - - $ref: >- - #/components/schemas/Cases_connector_properties_cases_webhook - - $ref: '#/components/schemas/Cases_connector_properties_jira' - - $ref: '#/components/schemas/Cases_connector_properties_resilient' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - - $ref: >- - #/components/schemas/Cases_connector_properties_servicenow_sir - - $ref: '#/components/schemas/Cases_connector_properties_swimlane' - customFields: - description: > - Custom field values for a case. Any optional custom fields - that are not specified in the request are set to null. - items: - type: object - properties: - key: - description: > - The unique identifier for the custom field. The key - value must exist in the case configuration settings. - type: string - type: - description: > - The custom field type. It must match the type specified - in the case configuration settings. - enum: - - text - - toggle - type: string - value: - description: > - The custom field value. If the custom field is required, - it cannot be explicitly set to null. However, for cases - that existed when the required custom field was added, - the default value stored in Elasticsearch is - `undefined`. The value returned in the API and user - interface in this case is `null`. - oneOf: - - maxLength: 160 - minLength: 1 - nullable: true - type: string - - type: boolean - required: - - key - - type - - value - maxItems: 10 - minItems: 0 - type: array - description: - $ref: '#/components/schemas/Cases_case_description' + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. 
If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. 
+ type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string id: - description: The identifier for the case. - maxLength: 30000 + description: The identifier for the connector saved object. type: string - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - status: - $ref: '#/components/schemas/Cases_case_status' - tags: - $ref: '#/components/schemas/Cases_case_tags' - title: - $ref: '#/components/schemas/Cases_case_title' - version: - description: > - The current version of the case. To determine this value, use - the get case or search cases (`_find`) APIs. + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. type: string required: - id - - version - maxItems: 100 - minItems: 1 type: array - required: - - cases - title: Update case request - type: object - Cases_update_user_comment_request_properties: - description: Defines properties for case comment requests when type is user. - properties: - comment: - description: The new comment. It is required only when `type` is `user`. - example: A new comment. - maxLength: 30000 + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. 
+ type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string - id: - description: > - The identifier for the comment. To retrieve comment IDs, use the get - comments API. - example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. 
type: string - owner: - $ref: '#/components/schemas/Cases_owner' - type: - description: The type of comment. + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - - user - example: user - type: string - version: - description: > - The current comment version. To retrieve version values, use the get - comments API. - example: Wzk1LDFd - type: string - required: - - comment - - id - - owner - - type - - version - title: Update case comment request properties for user comments - type: object - Cases_user_actions_find_response_properties: - type: object - properties: - action: - $ref: '#/components/schemas/Cases_actions' - comment_id: - example: 578608d0-03b1-11ed-920c-974bfa104448 + - onActionGroupChange + - onActiveAlert + - onThrottleInterval nullable: true type: string - created_at: - example: '2022-05-13T09:16:17.416Z' - format: date-time - type: string - created_by: - type: object + params: + additionalProperties: false + description: The parameters for the uptime duration anomaly rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.durationAnomaly`. 
properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + monitorId: type: string - username: - example: elastic - nullable: true + severity: + type: number + stackVersion: type: string required: - - email - - full_name - - username - id: - example: 22fd3e30-03b1-11ed-920c-974bfa104448 - type: string - owner: - $ref: '#/components/schemas/Cases_owner' - payload: - oneOf: - - $ref: '#/components/schemas/Cases_payload_alert_comment' - - $ref: '#/components/schemas/Cases_payload_assignees' - - $ref: '#/components/schemas/Cases_payload_connector' - - $ref: '#/components/schemas/Cases_payload_create_case' - - $ref: '#/components/schemas/Cases_payload_delete' - - $ref: '#/components/schemas/Cases_payload_description' - - $ref: '#/components/schemas/Cases_payload_pushed' - - $ref: '#/components/schemas/Cases_payload_settings' - - $ref: '#/components/schemas/Cases_payload_severity' - - $ref: '#/components/schemas/Cases_payload_status' - - $ref: '#/components/schemas/Cases_payload_tags' - - $ref: '#/components/schemas/Cases_payload_title' - - $ref: '#/components/schemas/Cases_payload_user_comment' - type: - description: The type of action. - enum: - - assignees - - category - - comment - - connector - - create_case - - customFields - - delete_case - - description - - extended_fields - - observables - - pushed - - settings + - monitorId - severity - - status - - tags - - title - example: create_case - type: string - version: - example: WzM1ODg4LDFd - type: string - required: - - action - - comment_id - - created_at - - created_by - - id - - owner - - payload - - type - - version - Cases_user_comment_response_properties: - title: Case response properties for user comments - type: object - properties: - comment: - example: A new comment. 
- type: string - created_at: - example: '2022-05-13T09:16:17.416Z' - format: date-time - type: string - created_by: - $ref: '#/components/schemas/Cases_case_response_created_by_properties' - id: - example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 - type: string - owner: - $ref: '#/components/schemas/Cases_owner' - pushed_at: - example: null - format: date-time - nullable: true - type: string - pushed_by: - $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' - type: + title: Uptime Duration Anomaly Rule Params + type: object + rule_type_id: enum: - - user - example: user + - xpack.uptime.alerts.durationAnomaly type: string - updated_at: - example: null - format: date-time + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
nullable: true type: string - updated_by: - $ref: '#/components/schemas/Cases_case_response_updated_by_properties' - version: - example: WzIwNDMxLDFd - type: string - required: - - type - Data_views_400_response: - title: Bad request - type: object - properties: - error: - example: Bad Request - type: string - message: - type: string - statusCode: - example: 400 - type: number required: - - statusCode - - error - - message - Data_views_404_response: - type: object - properties: - error: - enum: - - Not Found - example: Not Found - type: string - message: - example: >- - Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] - not found - type: string - statusCode: - enum: - - 404 - example: 404 - type: integer - Data_views_allownoindex: - description: >- - Allows the data view saved object to exist before the data is available. - Defaults to `false`. - type: boolean - Data_views_create_data_view_request_object: - title: Create data view request + - name + - consumer + - schedule + - rule_type_id + - params + title: Uptime duration anomaly type: object + Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting: + additionalProperties: false properties: - data_view: - description: The data view object. + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). 
+ type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. 
Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. 
+ type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' - type: object - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - id: - type: string - name: - description: The data view name. - type: string - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - version: - type: string + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number required: - - title - override: - default: false - description: >- - Override an existing data view if a data view with the provided - title already exists. 
+ - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean - required: - - data_view - Data_views_data_view_response_object: - title: Data view response properties - type: object - properties: - data_view: + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true type: object properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' - type: object - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. 
+ maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the uptime monitor status rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.monitorStatus`. 
+ properties: + availability: + additionalProperties: false type: object - id: - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + properties: + range: + type: number + rangeUnit: + type: string + threshold: + type: string + required: + - range + - rangeUnit + - threshold + filters: + anyOf: + - additionalProperties: false + type: object + properties: + monitor.type: + items: + type: string + type: array + observer.geo.name: + items: + type: string + type: array + tags: + items: + type: string + type: array + url.port: + items: + type: string + type: array + - type: string + isAutoGenerated: + type: boolean + locations: + items: + type: string + type: array + numTimes: + type: number + search: type: string - name: - description: The data view name. + shouldCheckAvailability: + type: boolean + shouldCheckStatus: + type: boolean + stackVersion: type: string - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' + timerange: + additionalProperties: false type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta_response' - version: - example: WzQ2LDJd + properties: + from: + type: string + to: + type: string + required: + - from + - to + timerangeCount: + type: number + timerangeUnit: type: string - Data_views_fieldattrs: - description: A map of field attributes by field name. - type: object - properties: - count: - description: Popularity count for the field. - type: integer - customDescription: - description: Custom description for the field. - maxLength: 300 - type: string - customLabel: - description: Custom label for the field. 
+ version: + type: number + required: + - numTimes + - shouldCheckStatus + - shouldCheckAvailability + title: Uptime Monitor Status Rule Params + type: object + rule_type_id: + enum: + - xpack.uptime.alerts.monitorStatus type: string - Data_views_fieldformats: - description: A map of field formats by field name. - type: object - Data_views_namespaces: - description: >- - An array of space identifiers for sharing the data view between multiple - spaces. - items: - default: default - type: string - type: array - Data_views_runtimefieldmap: - description: A map of runtime field definitions by field name. - type: object - properties: - script: + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: - source: - description: Script for the runtime field. + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - type: - description: Mapping type of the runtime field. + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true type: string required: - - script - - type - Data_views_sourcefilters: - description: The array of field names you want to filter out in Discover. 
- items: - type: object - properties: - value: - type: string - required: - - value - type: array - Data_views_swap_data_view_request_object: - title: Data view reference swap request + - name + - consumer + - schedule + - rule_type_id + - params + title: Uptime monitor status type: object + Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting: + additionalProperties: false properties: - delete: - description: Deletes referenced saved object if all references are removed. - type: boolean - forId: - description: Limit the affected saved objects to one or more by identifier. - oneOf: - - type: string - - items: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. 
+ enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. 
+ type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 type: array - forType: - description: Limit the affected saved objects by type. - type: string - fromId: - description: The saved object reference to change. + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string - fromType: - description: > - Specify the type of the saved object reference to alter. The default - value is `index-pattern` for data views. + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. 
By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - toId: - description: New saved object reference value to replace the old value. + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true type: string - required: - - fromId - - toId - Data_views_timefieldname: - description: The timestamp field name, which you use for time-based data views. - type: string - Data_views_title: - description: >- - Comma-separated list of data streams, indices, and aliases that you want - to search. Supports wildcards (`*`). - type: string - Data_views_type: - description: When set to `rollup`, identifies the rollup data views. 
- type: string - Data_views_typemeta: - description: >- - When you use rollup indices, contains the field list for the rollup data - view API endpoints. - type: object - properties: - aggs: - description: A map of rollup restrictions by aggregation type and field name. - type: object - params: - description: Properties for retrieving rollup fields. - type: object - required: - - aggs - - params - Data_views_typemeta_response: - description: >- - When you use rollup indices, contains the field list for the rollup data - view API endpoints. - nullable: true - type: object - properties: - aggs: - description: A map of rollup restrictions by aggregation type and field name. - type: object params: - description: Properties for retrieving rollup fields. + additionalProperties: false + description: The parameters for the uptime tls rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.tlsCertificate`. + properties: + certAgeThreshold: + type: number + certExpirationThreshold: + type: number + search: + type: string + stackVersion: + type: string + title: Uptime TLS Rule Params type: object - Data_views_update_data_view_request_object: - title: Update data view request - type: object - properties: - data_view: - description: > - The data view properties you want to update. Only the specified - properties are updated in the data view. Unspecified fields stay as - they are persisted. + rule_type_id: + enum: + - xpack.uptime.alerts.tlsCertificate + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - name: + interval: + description: The interval is specified in seconds, minutes, hours, or days. 
type: string - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - refresh_fields: - default: false - description: Reloads the data view fields after the data view is updated. - type: boolean + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string required: - - data_view + - name + - consumer + - schedule + - rule_type_id + - params + title: Uptime TLS certificate + type: object Machine_learning_APIs_mlSync200Response: properties: datafeedsAdded: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - description: >- - If a saved object for an anomaly detection job is missing a datafeed - identifier, it is added when you run the sync machine learning saved - objects API. + description: If a saved object for an anomaly detection job is missing a datafeed identifier, it is added when you run the sync machine learning saved objects API. 
type: object datafeedsRemoved: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - description: >- - If a saved object for an anomaly detection job references a datafeed - that no longer exists, it is deleted when you run the sync machine - learning saved objects API. + description: If a saved object for an anomaly detection job references a datafeed that no longer exists, it is deleted when you run the sync machine learning saved objects API. type: object savedObjectsCreated: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated' savedObjectsDeleted: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted' title: Successful sync API response type: object Machine_learning_APIs_mlSync4xxResponse: 
@@ -36781,97 +109643,63 @@ components: title: Unsuccessful sync API response type: object Machine_learning_APIs_mlSyncResponseAnomalyDetectors: - description: >- - The sync machine learning saved objects API response contains this - object when there are anomaly detection jobs affected by the - synchronization. There is an object for each relevant job, which - contains the synchronization status. + description: The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for anomaly detection jobs type: object Machine_learning_APIs_mlSyncResponseDatafeeds: - description: >- - The sync machine learning saved objects API response contains this - object when there are datafeeds affected by the synchronization. There - is an object for each relevant datafeed, which contains the - synchronization status. + description: The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for datafeeds type: object Machine_learning_APIs_mlSyncResponseDataFrameAnalytics: - description: >- - The sync machine learning saved objects API response contains this - object when there are data frame analytics jobs affected by the - synchronization. There is an object for each relevant job, which - contains the synchronization status. + description: The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. 
There is an object for each relevant job, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for data frame analytics jobs type: object Machine_learning_APIs_mlSyncResponseSavedObjectsCreated: - description: >- - If saved objects are missing for machine learning jobs or trained - models, they are created when you run the sync machine learning saved - objects API. + description: If saved objects are missing for machine learning jobs or trained models, they are created when you run the sync machine learning saved objects API. properties: anomaly-detector: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors - description: >- - If saved objects are missing for anomaly detection jobs, they are - created. + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors' + description: If saved objects are missing for anomaly detection jobs, they are created. type: object data-frame-analytics: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics - description: >- - If saved objects are missing for data frame analytics jobs, they are - created. + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics' + description: If saved objects are missing for data frame analytics jobs, they are created. type: object trained-model: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels' description: If saved objects are missing for trained models, they are created. 
type: object title: Sync API response for created saved objects type: object Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted: - description: >- - If saved objects exist for machine learning jobs or trained models that - no longer exist, they are deleted when you run the sync machine learning - saved objects API. + description: If saved objects exist for machine learning jobs or trained models that no longer exist, they are deleted when you run the sync machine learning saved objects API. properties: anomaly-detector: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors - description: >- - If there are saved objects exist for nonexistent anomaly detection - jobs, they are deleted. + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors' + description: If there are saved objects exist for nonexistent anomaly detection jobs, they are deleted. type: object data-frame-analytics: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics - description: >- - If there are saved objects exist for nonexistent data frame - analytics jobs, they are deleted. + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics' + description: If there are saved objects exist for nonexistent data frame analytics jobs, they are deleted. type: object trained-model: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels - description: >- - If there are saved objects exist for nonexistent trained models, - they are deleted. + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels' + description: If there are saved objects exist for nonexistent trained models, they are deleted. type: object title: Sync API response for deleted saved objects type: object 
@@ -36879,11 +109707,7 @@ components: description: The success or failure of the synchronization. type: boolean Machine_learning_APIs_mlSyncResponseTrainedModels: - description: >- - The sync machine learning saved objects API response contains this - object when there are trained models affected by the synchronization. - There is an object for each relevant trained model, which contains the - synchronization status. + description: The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' @@ -36963,8 +109787,7 @@ components: description: The name associated with the message. type: string role: - $ref: >- - #/components/schemas/Observability_AI_Assistant_API_MessageRoleEnum + $ref: '#/components/schemas/Observability_AI_Assistant_API_MessageRoleEnum' required: - role required: 
@@ -36998,34 +109821,16 @@ components: - message - statusCode Saved_objects_attributes: - description: > - The data that you want to create. WARNING: Attributes may be validated - depending on the saved object type. Supplying malformed data can cause - errors or break Kibana. When creating or persisting raw saved objects - outside of Kibana, preserve `coreMigrationVersion` and - `typeMigrationVersion` (and related migration metadata) to retain - forward compatibility across Kibana versions. + description: | + The data that you want to create. WARNING: Attributes may be validated depending on the saved object type. Supplying malformed data can cause errors or break Kibana. When creating or persisting raw saved objects outside of Kibana, preserve `coreMigrationVersion` and `typeMigrationVersion` (and related migration metadata) to retain forward compatibility across Kibana versions. type: object Saved_objects_initial_namespaces: - description: > - Identifiers for the spaces in which this object is created. If this is - provided, the object is created only in the explicitly defined spaces. - If this is not provided, the object is created in the current space - (default behavior). For shareable object types (registered with - `namespaceType: 'multiple'`), this option can be used to specify one or - more spaces, including the "All spaces" identifier ('*'). For isolated - object types (registered with `namespaceType: 'single'` or - `namespaceType: 'multiple-isolated'`), this option can only be used to - specify a single space, and the "All spaces" identifier ('*') is not - allowed. For global object types (`registered with `namespaceType: - agnostic`), this option cannot be used. + description: | + Identifiers for the spaces in which this object is created. If this is provided, the object is created only in the explicitly defined spaces. If this is not provided, the object is created in the current space (default behavior). 
For shareable object types (registered with `namespaceType: 'multiple'`), this option can be used to specify one or more spaces, including the "All spaces" identifier ('*'). For isolated object types (registered with `namespaceType: 'single'` or `namespaceType: 'multiple-isolated'`), this option can only be used to specify a single space, and the "All spaces" identifier ('*') is not allowed. For global object types (`registered with `namespaceType: agnostic`), this option cannot be used. type: array Saved_objects_references: - description: > - Objects with `name`, `id`, and `type` properties that describe the other - saved objects that this object references. Use `name` in attributes to - refer to the other saved object, but never the `id`, which can update - automatically during migrations or import and export. + description: | + Objects with `name`, `id`, and `type` properties that describe the other saved objects that this object references. Use `name` in attributes to refer to the other saved object, but never the `id`, which can update automatically during migrations or import and export. type: array Security_AI_Assistant_API_AnonymizationFieldCreateProps: type: object @@ -37118,8 +109923,7 @@ components: example: user.name type: string skip_reason: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason' description: Reason why the anonymization field was not modified. required: - id 
@@ -37137,15 +109941,12 @@ components: errors: description: List of errors that occurred during the bulk operation. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError + $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError' type: array results: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults' summary: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary + $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary' required: - results - summary @@ -37169,8 +109970,7 @@ components: created: description: List of anonymization fields successfully created. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' type: array deleted: items: @@ -37181,14 +109981,12 @@ components: skipped: description: List of anonymization fields that were skipped during the operation. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult' type: array updated: description: List of anonymization fields successfully updated. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' type: array required: - updated 
@@ -37384,9 +110182,7 @@ components: $ref: '#/components/schemas/Security_AI_Assistant_API_MessageData' description: Metadata to attach to the context of the message. fields_to_anonymize: - description: >- - List of field names within the data object that should be - anonymized. + description: List of field names within the data object that should be anonymized. example: - user.name - source.ip @@ -37409,18 +110205,12 @@ components: Security_AI_Assistant_API_ContentReferences: additionalProperties: oneOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SecurityAlertContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SecurityAlertsPageContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ProductDocumentationContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_EsqlContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_HrefContentReference + - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertsPageContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_ProductDocumentationContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_EsqlContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_HrefContentReference' additionalProperties: false description: A union of all content reference types type: object 
@@ -37572,9 +110362,7 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array @@ -37584,8 +110372,7 @@ components: - global - users - $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryResponseFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryResponseFields' Security_AI_Assistant_API_DocumentEntryCreateFields: allOf: - type: object @@ -37603,18 +110390,14 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - name - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields' Security_AI_Assistant_API_DocumentEntryOptionalFields: type: object properties: 
@@ -37650,10 +110433,8 @@ components: - text Security_AI_Assistant_API_DocumentEntryResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields' Security_AI_Assistant_API_DocumentEntryUpdateFields: allOf: - type: object @@ -37673,16 +110454,13 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - id - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' Security_AI_Assistant_API_EsqlContentReference: allOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' @@ -37728,9 +110506,7 @@ components: - updated_at type: string Security_AI_Assistant_API_FindConversationsSortField: - description: >- - The field by which to sort the conversations. Possible values are - `created_at`, `title`, and `updated_at`. + description: The field by which to sort the conversations. Possible values are `created_at`, `title`, and `updated_at`. enum: - created_at - title 
@@ -37791,9 +110567,7 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array @@ -37803,8 +110577,7 @@ components: - global - users - $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryResponseFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryResponseFields' Security_AI_Assistant_API_IndexEntryCreateFields: allOf: - type: object @@ -37822,27 +110595,21 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - name - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields' Security_AI_Assistant_API_IndexEntryOptionalFields: type: object properties: inputSchema: $ref: '#/components/schemas/Security_AI_Assistant_API_InputSchema' outputFields: - description: >- - Fields to extract from the query result, defaults to all fields if - not provided or empty. + description: Fields to extract from the query result, defaults to all fields if not provided or empty. example: - title - author 
@@ -37853,9 +110620,7 @@ components: type: object properties: description: - description: >- - Description for when this index or data stream should be queried for - Knowledge Base content. Passed to the LLM as a tool description. + description: Description for when this index or data stream should be queried for Knowledge Base content. Passed to the LLM as a tool description. example: Query this index for general knowledge base content. type: string field: @@ -37867,9 +110632,7 @@ components: example: knowledge_base_index type: string queryDescription: - description: >- - Description of query field used to fetch Knowledge Base content. - Passed to the LLM as part of the tool input schema. + description: Description of query field used to fetch Knowledge Base content. Passed to the LLM as part of the tool input schema. example: Search for documents containing the specified keywords. type: string type: @@ -37886,10 +110649,8 @@ components: - queryDescription Security_AI_Assistant_API_IndexEntryResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields' Security_AI_Assistant_API_IndexEntryUpdateFields: allOf: - type: object 
@@ -37909,20 +110670,15 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - id - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' Security_AI_Assistant_API_InputSchema: - description: >- - Array of objects defining the input schema, allowing the LLM to extract - structured data to be used in retrieval. + description: Array of objects defining the input schema, allowing the LLM to extract structured data to be used in retrieval. items: type: object properties: @@ -37945,8 +110701,7 @@ components: type: array Security_AI_Assistant_API_InputTextInterruptResumeValue: allOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue' - type: object properties: type: @@ -37986,11 +110741,9 @@ components: Security_AI_Assistant_API_InterruptResumeValue: description: Union of the interrupt resume values oneOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptResumeValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptResumeValue' additionalProperties: false - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_InputTextInterruptResumeValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_InputTextInterruptResumeValue' additionalProperties: false Security_AI_Assistant_API_InterruptType: description: The type of interrupt 
@@ -38001,11 +110754,9 @@ components: Security_AI_Assistant_API_InterruptValue: description: Union of the interrupt values oneOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptValue' additionalProperties: false - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_InputTextInterruptValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_InputTextInterruptValue' additionalProperties: false Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason: description: Reason why a Knowledge Base Entry was skipped during the bulk action. @@ -38024,8 +110775,7 @@ components: example: Skipped Entry type: string skip_reason: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason' required: - id - skip_reason @@ -38045,15 +110795,12 @@ components: message: Failed to update entry. statusCode: 400 items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError + $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError' type: array results: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults' summary: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary' required: - results - summary 
@@ -38085,29 +110832,23 @@ components: id: '456' title: New Entry items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' type: array deleted: - description: >- - List of IDs of Knowledge Base Entries that were successfully - deleted. + description: List of IDs of Knowledge Base Entries that were successfully deleted. example: - '789' items: type: string type: array skipped: - description: >- - List of Knowledge Base Entries that were skipped during the bulk - action. + description: List of Knowledge Base Entries that were skipped during the bulk action. example: - id: '123' name: Skipped Entry skip_reason: KNOWLEDGE_BASE_ENTRY_NOT_MODIFIED items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult' type: array updated: description: List of Knowledge Base Entries that were successfully updated. @@ -38116,8 +110857,7 @@ components: id: '123' title: Updated Entry items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' type: array required: - updated @@ -38132,15 +110872,11 @@ components: example: 2 type: integer skipped: - description: >- - Number of Knowledge Base Entries that were skipped during the bulk - action. + description: Number of Knowledge Base Entries that were skipped during the bulk action. example: 1 type: integer succeeded: - description: >- - Number of Knowledge Base Entries that were successfully processed - during the bulk action. + description: Number of Knowledge Base Entries that were successfully processed during the bulk action. example: 5 type: integer total: 
@@ -38177,16 +110913,12 @@ components: description: References a knowledge base entry Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps: anyOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' discriminator: mapping: - document: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields - index: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields + document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' propertyName: type Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError: type: object 
@@ -38232,37 +110964,27 @@ components: propertyName: type Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps: anyOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields' discriminator: mapping: - document: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields - index: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields + document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields' + index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields' propertyName: type Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps: anyOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' discriminator: mapping: - document: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields - index: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields + document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' propertyName: type Security_AI_Assistant_API_KnowledgeBaseReadResponse200: type: object properties: defend_insights_exists: - description: >- - Indicates if Defend Insights documentation exists in the - KnowledgeBase. + description: Indicates if Defend Insights documentation exists in the KnowledgeBase. example: true type: boolean elser_exists: 
@@ -38282,9 +111004,7 @@ components: example: complete type: string security_labs_exists: - description: >- - Indicates if Security Labs documentation exists in the - KnowledgeBase. + description: Indicates if Security Labs documentation exists in the KnowledgeBase. example: true type: boolean user_data_exists: @@ -38292,9 +111012,7 @@ components: example: false type: boolean Security_AI_Assistant_API_KnowledgeBaseResource: - description: >- - Knowledge Base resource name for grouping entries, e.g. 'security_labs', - 'user', etc. + description: Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc. enum: - security_labs - defend_insights @@ -38382,16 +111100,10 @@ components: description: Data referred to by the message content. interruptResumeValue: $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptResumeValue' - description: >- - When the agent is resumed after an interrupt, this field is - populated with the details of the resume value. + description: When the agent is resumed after an interrupt, this field is populated with the details of the resume value. interruptValue: $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptValue' - description: >- - When the agent is interrupted (for example, when user input is - required), this field is populated with the details of the - interrupt. Messages containing interruptValues in the metadata are - excluded from the LLM context. + description: When the agent is interrupted (for example, when user input is required), this field is populated with the details of the interrupt. Messages containing interruptValues in the metadata are excluded from the LLM context. Security_AI_Assistant_API_MessageRole: description: Message role. enum: 
@@ -38407,9 +111119,7 @@ components: minLength: 1 type: string Security_AI_Assistant_API_NonEmptyTimestamp: - description: >- - A string that represents a timestamp in ISO 8601 format and does not - contain only whitespace characters. + description: A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters. example: '2023-10-31T12:00:00Z' format: nonempty minLength: 1 @@ -38420,8 +111130,7 @@ components: anonymization_fields: description: Array of anonymization fields that caused the error. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError' type: array err_code: description: Error code indicating the type of failure. @@ -38449,8 +111158,7 @@ components: knowledgeBaseEntries: description: List of Knowledge Base Entries that encountered the error. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError' type: array message: description: Error message describing the issue. @@ -38476,8 +111184,7 @@ components: prompts: description: List of prompts that encountered errors. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptDetailsInError + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptDetailsInError' type: array status_code: description: The HTTP status code associated with the error. @@ -38636,8 +111343,7 @@ components: description: The name of the prompt that was skipped. type: string skip_reason: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason' description: The reason for skipping the prompt. required: - id 
@@ -38650,15 +111356,12 @@ components: properties: errors: items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_NormalizedPromptError + $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedPromptError' type: array results: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults' summary: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary + $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary' required: - results - summary @@ -38696,8 +111399,7 @@ components: skipped: description: List of prompts that were skipped. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult' type: array updated: description: List of prompts that were updated. @@ -38854,8 +111556,7 @@ components: - value Security_AI_Assistant_API_SelectOptionInterruptResumeValue: allOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue' - type: object properties: type: @@ -38864,9 +111565,7 @@ components: example: SELECT_OPTION type: string value: - description: >- - The value of the selected option to resume the graph execution - with + description: The value of the selected option to resume the graph execution with example: option_1 type: string required: @@ -38888,8 +111587,7 @@ components: - label: Option 1 - label: Option 2 items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptOption + $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptOption' type: array type: enum: 
@@ -38933,9 +111631,7 @@ components: example: John Doe type: string Security_AI_Assistant_API_Vector: - description: >- - Object containing Knowledge Base Entry text embeddings and modelId used - to create the embeddings. + description: Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings. type: object properties: modelId: @@ -39033,9 +111729,7 @@ components: type: string type: array alert_rule_uuid: - description: >- - The optional kibana.alert.rule.uuid of the rule that generated this - attack discovery (not applicable to ad hock runs) + description: The optional kibana.alert.rule.uuid of the rule that generated this attack discovery (not applicable to ad hock runs) type: string alert_start: description: The optional time the attack discovery alert was created @@ -39044,22 +111738,16 @@ components: description: The optional time the attack discovery alert was last updated type: string alert_updated_by_user_id: - description: >- - The optional id of the user who last updated the attack discovery - alert + description: The optional id of the user who last updated the attack discovery alert type: string alert_updated_by_user_name: - description: >- - The optional username of the user who updated the attack discovery - alert + description: The optional username of the user who updated the attack discovery alert type: string alert_workflow_status: description: The optional kibana.alert.workflow_status of this attack discovery type: string alert_workflow_status_updated_at: - description: >- - The optional time the attack discovery alert workflow status was - last updated + description: The optional time the attack discovery alert workflow status was last updated type: string assignees: description: The optional array of user-IDs who have been assigned the attack 
@@ -39070,20 +111758,13 @@ components: description: The ID of the connector that generated the attack discovery type: string connector_name: - description: >- - The (human readable) name of the connector that generated the attack - discovery + description: The (human readable) name of the connector that generated the attack discovery type: string details_markdown: - description: >- - Details of the attack with bulleted markdown that always uses - special syntax for field names and values from the source data. + description: Details of the attack with bulleted markdown that always uses special syntax for field names and values from the source data. type: string entity_summary_markdown: - description: >- - An optional, short (no more than a sentence) summary of the attack - discovery featuring only the host.name and user.name fields (when - they are applicable), using the same syntax + description: An optional, short (no more than a sentence) summary of the attack discovery featuring only the host.name and user.name fields (when they are applicable), using the same syntax type: string generation_uuid: description: The generation ID of the run that created the attack discovery @@ -39092,9 +111773,7 @@ components: description: The unique ID of the attack discovery type: string index: - description: >- - The concrete Elasticsearch index where this attack discovery is - stored + description: The concrete Elasticsearch index where this attack discovery is stored type: string mitre_attack_tactics: description: An optional array of MITRE ATT&CK tactic for the attack discovery 
@@ -39103,13 +111782,9 @@ components: type: array replacements: $ref: '#/components/schemas/Security_Attack_discovery_API_Replacements' - description: >- - Key-value pairs that are used to replace placeholders in the - markdown fields + description: Key-value pairs that are used to replace placeholders in the markdown fields risk_score: - description: >- - The optional, (but typically populated after generation) risk score - of the alert + description: The optional, (but typically populated after generation) risk score of the alert type: integer summary_markdown: description: A markdown summary of attack discovery, using the same syntax @@ -39129,14 +111804,10 @@ components: description: The optional id of the user who generated the attack discovery type: string user_name: - description: >- - The optional username of the user who generated the attack - discovery, (not applicable to attack discoveries generated by rules) + description: The optional username of the user who generated the attack discovery, (not applicable to attack discoveries generated by rules) type: string users: - description: >- - The optional array of users who may view the attack discovery. When - empty, (or not present), all users may view the attack discovery. + description: The optional array of users who may view the attack discovery. When empty, (or not present), all users may view the attack discovery. items: $ref: '#/components/schemas/Security_Attack_discovery_API_User' type: array @@ -39157,8 +111828,7 @@ components: actions: description: The Attack Discovery schedule actions items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction' type: array created_at: description: The date the schedule was created 
@@ -39174,19 +111844,16 @@ components: description: UUID of Attack Discovery schedule type: string last_execution: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution' description: The Attack Discovery schedule last execution summary name: description: The name of the schedule type: string params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams' description: The Attack Discovery schedule configuration parameters schedule: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule + $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule' description: The Attack Discovery schedule interval updated_at: description: The date the schedule was updated 
@@ -39208,30 +111875,22 @@ components: - actions Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction: oneOf: - - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction - - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction + - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction' + - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction' Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter: additionalProperties: true type: object Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency: - description: >- - The action frequency defines when the action runs (for example, only on - schedule execution or at specific time intervals). + description: The action frequency defines when the action runs (for example, only on schedule execution or at specific time intervals). type: object properties: notify_when: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen' summary: - description: >- - Action summary indicates whether we will send a summary notification - about all the generate alerts or notification per individual alert + description: Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert type: boolean throttle: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle' nullable: true required: - summary 
@@ -39244,9 +111903,7 @@ components: description: The connector ID. type: string Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen: - description: >- - The condition for throttling the notification: `onActionGroupChange`, - `onActiveAlert`, or `onThrottleInterval` + description: 'The condition for throttling the notification: `onActionGroupChange`, `onActiveAlert`, or `onThrottleInterval`' enum: - onActiveAlert - onThrottleInterval @@ -39254,14 +111911,10 @@ components: type: string Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams: additionalProperties: true - description: >- - Object containing the allowed connector fields, which varies according - to the connector type. + description: Object containing the allowed connector fields, which varies according to the connector type. type: object Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle: - description: >- - Defines how often schedule actions are taken. Time interval in seconds, - minutes, hours, or days. + description: Defines how often schedule actions are taken. Time interval in seconds, minutes, hours, or days. example: 1h pattern: ^[1-9]\d*[smhd]$ type: string @@ -39272,8 +111925,7 @@ components: actions: description: The Attack Discovery schedule actions items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction' type: array enabled: description: Indicates whether the schedule is enabled 
@@ -39282,12 +111934,10 @@ components: description: The name of the schedule type: string params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams' description: The Attack Discovery schedule configuration parameters schedule: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule + $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule' description: The Attack Discovery schedule interval required: - name @@ -39307,8 +111957,7 @@ components: message: type: string status: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus' description: Status of the execution required: - date 
@@ -39330,20 +111979,15 @@ components: description: The action type used for sending notifications. type: string alerts_filter: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter' frequency: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency' group: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup' id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId' params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams' uuid: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' required: @@ -39393,11 +112037,9 @@ components: description: The action type used for sending notifications. type: string id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId' params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams' uuid: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' required: 
@@ -39411,19 +112053,16 @@ components: actions: description: The Attack Discovery schedule actions items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction' type: array name: description: The name of the schedule type: string params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams' description: The Attack Discovery schedule configuration parameters schedule: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule + $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule' description: The Attack Discovery schedule interval required: - name @@ -39431,9 +112070,7 @@ components: - schedule - actions Security_Attack_discovery_API_AttackDiscoveryFindSortField: - description: >- - Allowed field names to sort Attack Discovery results by. Clients should - only pass one of the listed values. + description: Allowed field names to sort Attack Discovery results by. Clients should only pass one of the listed values. enum: - '@timestamp' type: string @@ -39441,10 +112078,7 @@ components: type: object properties: alerts_context_count: - description: >- - The number of alerts sent as context (max - kibana.alert.rule.execution.metrics.alert_counts.active) to the LLM - for the generation + description: The number of alerts sent as context (max kibana.alert.rule.execution.metrics.alert_counts.active) to the LLM for the generation type: number connector_id: description: The connector id (event.dataset) for this generation 
@@ -39454,29 +112088,19 @@ components: type: object properties: average_successful_duration_nanoseconds: - description: >- - The average duration (avg event.duration) in nanoseconds of - successful generations for the same connector id, for the - current user + description: The average duration (avg event.duration) in nanoseconds of successful generations for the same connector id, for the current user type: number successful_generations: - description: >- - The number of successful generations for the same connector id, - for the current user + description: The number of successful generations for the same connector id, for the current user type: number discoveries: - description: >- - The number of new Attack discovery alerts (max - kibana.alert.rule.execution.metrics.alert_counts.new) for this - generation + description: The number of new Attack discovery alerts (max kibana.alert.rule.execution.metrics.alert_counts.new) for this generation type: number end: description: When generation ended (max event.end) type: string execution_uuid: - description: >- - The unique identifier (kibana.alert.rule.execution.uuid) for the - generation + description: The unique identifier (kibana.alert.rule.execution.uuid) for the generation type: string loading_message: description: Generation loading message (kibana.alert.rule.execution.status) 
@@ -39507,23 +112131,15 @@ components: type: object properties: alertsIndexPattern: - description: > - The (space specific) index pattern that contains the alerts to use - as - + description: | + The (space specific) index pattern that contains the alerts to use as context for the attack discovery. - Example: .alerts-security.alerts-default type: string anonymizationFields: - description: >- - The list of fields, and whether or not they are anonymized, allowed - to be sent to LLMs. Consider using the output of the - `/api/security_ai_assistant/anonymization_fields/_find` API (for a - specific Kibana space) to provide this value. + description: The list of fields, and whether or not they are anonymized, allowed to be sent to LLMs. Consider using the output of the `/api/security_ai_assistant/anonymization_fields/_find` API (for a specific Kibana space) to provide this value. items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AnonymizationFieldResponse + $ref: '#/components/schemas/Security_Attack_discovery_API_AnonymizationFieldResponse' type: array apiConfig: $ref: '#/components/schemas/Security_Attack_discovery_API_ApiConfig' @@ -39534,10 +112150,8 @@ components: type: string filter: additionalProperties: true - description: >- - An Elasticsearch-style query DSL object used to filter alerts. For - example: - + description: |- + An Elasticsearch-style query DSL object used to filter alerts. For example: ```json { "filter": { "bool": { @@ -39598,9 +112212,7 @@ components: example: 400 type: number Security_Attack_discovery_API_Filters: - description: >- - The filter array used to define the conditions for when alerts are - selected as an Attack Discovery context. Defaults to an empty array. + description: The filter array used to define the conditions for when alerts are selected as an Attack Discovery context. Defaults to an empty array. items: {} type: array Security_Attack_discovery_API_IntervalApiSchedule: 
@@ -39618,9 +112230,7 @@ components: minLength: 1 type: string Security_Attack_discovery_API_NonEmptyTimestamp: - description: >- - A string that represents a timestamp in ISO 8601 format and does not - contain only whitespace characters. + description: A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters. example: '2023-10-31T12:00:00Z' format: nonempty minLength: 1 @@ -39676,18 +112286,14 @@ components: properties: add: items: - description: >- - A list of user profile `uid`s to assign. Users need to activate - their user profile by logging into Kibana at least once. + description: A list of user profile `uid`s to assign. Users need to activate their user profile by logging into Kibana at least once. format: nonempty minLength: 1 type: string type: array remove: items: - description: >- - A list of user profile `uid`s to unassign. Users need to activate - their user profile by logging into Kibana at least once. + description: A list of user profile `uid`s to unassign. Users need to activate their user profile by logging into Kibana at least once. format: nonempty minLength: 1 type: string 
@@ -39745,29 +112351,22 @@ components: type: object properties: requests_per_second: - description: >- - The throttle for the migration task in sub-requests per second. - Corresponds to requests_per_second on the Reindex API. + description: The throttle for the migration task in sub-requests per second. Corresponds to requests_per_second on the Reindex API. minimum: 1 type: integer size: - description: >- - Number of alerts to migrate per batch. Corresponds to the - source.size option on the Reindex API. + description: Number of alerts to migrate per batch. Corresponds to the source.size option on the Reindex API. minimum: 1 type: integer slices: - description: >- - The number of subtasks for the migration task. Corresponds to slices - on the Reindex API. + description: The number of subtasks for the migration task. Corresponds to slices on the Reindex API. minimum: 1 type: integer Security_Detections_API_AlertsSort: oneOf: - $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations' - items: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsSortCombinations + $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations' type: array Security_Detections_API_AlertsSortCombinations: anyOf: @@ -39775,9 +112374,7 @@ components: - additionalProperties: true type: object Security_Detections_API_AlertStatusExceptClosed: - description: >- - The status of an alert, which can be `open`, `acknowledged`, - `in-progress`, or `closed`. + description: The status of an alert, which can be `open`, `acknowledged`, `in-progress`, or `closed`. enum: - open - acknowledged 
@@ -39788,21 +112385,18 @@ components: type: object properties: duration: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionDuration + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration' group_by: $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionGroupBy' missing_fields_strategy: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy' required: - group_by Security_Detections_API_AlertSuppressionDuration: type: object properties: unit: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionDurationUnit + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDurationUnit' value: minimum: 1 type: integer @@ -39823,28 +112417,21 @@ components: minItems: 1 type: array Security_Detections_API_AlertSuppressionMissingFieldsStrategy: - description: >- - Describes how alerts will be generated for documents with missing - suppress by fields: - + description: |- + Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created - suppress - only alert will be created per suppress by bucket enum: - doNotSuppress - suppress type: string Security_Detections_API_AlertTag: - description: >- - Use alert tags to organize related alerts into categories that you can - filter and group. + description: Use alert tags to organize related alerts into categories that you can filter and group. format: nonempty minLength: 1 type: string Security_Detections_API_AlertTags: - description: >- - List of keywords to organize related alerts into categories that you can - filter and group. + description: List of keywords to organize related alerts into categories that you can filter and group. items: $ref: '#/components/schemas/Security_Detections_API_AlertTag' type: array 
@@ -39859,46 +112446,29 @@ components: - version - count Security_Detections_API_AnomalyThreshold: - description: >- - Anomaly score threshold above which the rule creates an alert. Valid - values are from 0 to 100. + description: Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100. minimum: 0 type: integer Security_Detections_API_BuildingBlockType: - description: > - Determines if the rule acts as a building block. If yes, the value must - be `default`. - - By default, building-block alerts are not displayed in the UI. These - rules are used as a foundation for other rules that do generate alerts. - - For more information, refer to [About building block - rules](https://www.elastic.co/docs/solutions/security/detect-and-alert/about-building-block-rules). + description: | + Determines if the rule acts as a building block. If yes, the value must be `default`. + By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. + For more information, refer to [About building block rules](https://www.elastic.co/docs/solutions/security/detect-and-alert/about-building-block-rules). 
type: string Security_Detections_API_BulkActionEditPayload: anyOf: - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadTags - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadAlertSuppression + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTags' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadAlertSuppression' Security_Detections_API_BulkActionEditPayloadAlertSuppression: anyOf: - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppression - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppression' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold' + - $ref: 
'#/components/schemas/Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression' Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression: type: object properties: @@ -39909,19 +112479,12 @@ components: required: - type Security_Detections_API_BulkActionEditPayloadIndexPatterns: - description: > + description: | Edits index patterns of rulesClient. - - - `add_index_patterns` adds index patterns to rules. If an index pattern - already exists for a rule, no changes are made. - - - `delete_index_patterns` removes index patterns from rules. If an index - pattern does not exist for a rule, no changes are made. - - - `set_index_patterns` sets index patterns for rules, overwriting any - existing index patterns. If the set of index patterns is the same as the - existing index patterns, no changes are made. + - `add_index_patterns` adds index patterns to rules. If an index pattern already exists for a rule, no changes are made. + - `delete_index_patterns` removes index patterns from rules. If an index pattern does not exist for a rule, no changes are made. + - `set_index_patterns` sets index patterns for rules, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. type: object properties: overwrite_data_views: 
@@ -39939,20 +112502,12 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadInvestigationFields: - description: > + description: | Edits investigation fields of rules. - - - `add_investigation_fields` adds investigation fields to rules. If an - investigation field already exists for a rule, no changes are made. - - - `delete_investigation_fields` removes investigation fields from rules. - If an investigation field does not exist for a rule, no changes are - made. - - - `set_investigation_fields` sets investigation fields for rules. If the - set of investigation fields is the same as the existing investigation - fields, no changes are made. + - `add_investigation_fields` adds investigation fields to rules. If an investigation field already exists for a rule, no changes are made. + - `delete_investigation_fields` removes investigation fields from rules. If an investigation field does not exist for a rule, no changes are made. + - `set_investigation_fields` sets investigation fields for rules. If the set of investigation fields is the same as the existing investigation fields, no changes are made. type: object properties: type: 
@@ -39967,18 +112522,11 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadRuleActions: - description: > + description: | Edits rule actions of rules. - - - `add_rule_actions` adds rule actions to rules. This action is - non-idempotent, meaning that even if the same rule action already exists - for a rule, it will be added again with a new unique ID. - - - `set_rule_actions` sets rule actions for rules. This action is - non-idempotent, meaning that even if the same set of rule actions - already exists for a rule, it will be set again and the actions will - receive new unique IDs. + - `add_rule_actions` adds rule actions to rules. This action is non-idempotent, meaning that even if the same rule action already exists for a rule, it will be added again with a new unique ID. + - `set_rule_actions` sets rule actions for rules. This action is non-idempotent, meaning that even if the same set of rule actions already exists for a rule, it will be set again and the actions will receive new unique IDs. type: object properties: type: 
@@ -39991,30 +112539,22 @@ components: properties: actions: items: - $ref: >- - #/components/schemas/Security_Detections_API_NormalizedRuleAction + $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleAction' type: array throttle: - $ref: >- - #/components/schemas/Security_Detections_API_ThrottleForBulkActions + $ref: '#/components/schemas/Security_Detections_API_ThrottleForBulkActions' required: - actions required: - type - value Security_Detections_API_BulkActionEditPayloadSchedule: - description: > + description: | Overwrites schedule of rules. + - `set_schedule` sets a schedule for rules. If the same schedule already exists for a rule, no changes are made. - - `set_schedule` sets a schedule for rules. If the same schedule already - exists for a rule, no changes are made. - - - Both `interval` and `lookback` have a format of "{integer}{time_unit}", - where accepted time units are `s` for seconds, `m` for minutes, and `h` - for hours. The integer must be positive and larger than 0. Examples: - "45s", "30m", "6h" + Both `interval` and `lookback` have a format of "{integer}{time_unit}", where accepted time units are `s` for seconds, `m` for minutes, and `h` for hours. The integer must be positive and larger than 0. Examples: "45s", "30m", "6h" type: object properties: type: 
@@ -40025,20 +112565,15 @@ components: type: object properties: interval: - description: >- - Interval in which the rule runs. For example, `"1h"` means the - rule runs every hour. + description: Interval in which the rule runs. For example, `"1h"` means the rule runs every hour. example: 1h pattern: ^[1-9]\d*[smh]$ type: string lookback: - description: > + description: | Lookback time for the rules. - - Additional look-back time that the rule analyzes. For example, - "10m" means the rule analyzes the last 10 minutes of data in - addition to the frequency interval. + Additional look-back time that the rule analyzes. For example, "10m" means the rule analyzes the last 10 minutes of data in addition to the frequency interval. example: 1h pattern: ^[1-9]\d*[smh]$ type: string @@ -40068,24 +112603,17 @@ components: - set_alert_suppression_for_threshold type: string value: - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdAlertSuppression + $ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression' required: - type - value Security_Detections_API_BulkActionEditPayloadTags: - description: > + description: | Edits tags of rules. - - - `add_tags` adds tags to rules. If a tag already exists for a rule, no - changes are made. - - - `delete_tags` removes tags from rules. If a tag does not exist for a - rule, no changes are made. - - - `set_tags` sets tags for rules, overwriting any existing tags. If the - set of tags is the same as the existing tags, no changes are made. + - `add_tags` adds tags to rules. If a tag already exists for a rule, no changes are made. + - `delete_tags` removes tags from rules. If a tag does not exist for a rule, no changes are made. + - `set_tags` sets tags for rules, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. type: object properties: type: 
@@ -40100,12 +112628,10 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadTimeline: - description: > + description: | Edits timeline of rules. - - - `set_timeline` sets a timeline for rules. If the same timeline already - exists for a rule, no changes are made. + - `set_timeline` sets a timeline for rules. If the same timeline already exists for a rule, no changes are made. type: object properties: type: @@ -40118,8 +112644,7 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' required: - timeline_id - timeline_title @@ -40150,8 +112675,7 @@ components: skip_reason: oneOf: - $ref: '#/components/schemas/Security_Detections_API_BulkEditSkipReason' - - $ref: >- - #/components/schemas/Security_Detections_API_BulkGapsFillingSkipReason + - $ref: '#/components/schemas/Security_Detections_API_BulkGapsFillingSkipReason' required: - id - skip_reason @@ -40163,14 +112687,10 @@ components: - delete type: string gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array 
@@ -40181,10 +112701,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string @@ -40203,14 +112721,10 @@ components: - disable type: string gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -40221,10 +112735,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string 
@@ -40256,14 +112768,10 @@ components: - include_exceptions - include_expired_exceptions gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -40274,10 +112782,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string @@ -40296,15 +112802,12 @@ components: properties: errors: items: - $ref: >- - #/components/schemas/Security_Detections_API_NormalizedRuleError + $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleError' type: array results: - $ref: >- - #/components/schemas/Security_Detections_API_BulkEditActionResults + $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResults' summary: - $ref: >- - #/components/schemas/Security_Detections_API_BulkEditActionSummary + $ref: '#/components/schemas/Security_Detections_API_BulkEditActionSummary' required: - results - summary 
@@ -40343,13 +112846,7 @@ components: - deleted - skipped Security_Detections_API_BulkEditActionSummary: - description: >- - A rule can only be skipped when the bulk action to be performed on it - results in nothing being done. For example, if the `edit` action is used - to add a tag to a rule that already has that tag, or to delete an index - pattern that is not specified in a rule. Objects returned in - `attributes.results.skipped` will only include rules' `id`, `name`, and - `skip_reason`. + description: A rule can only be skipped when the bulk action to be performed on it results in nothing being done. For example, if the `edit` action is used to add a tag to a rule that already has that tag, or to delete an index pattern that is not specified in a rule. Objects returned in `attributes.results.skipped` will only include rules' `id`, `name`, and `skip_reason`. type: object properties: failed: @@ -40379,14 +112876,10 @@ components: minItems: 1 type: array gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -40397,10 +112890,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string 
@@ -40424,14 +112915,10 @@ components: - enable type: string gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -40442,10 +112929,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string @@ -40466,14 +112951,10 @@ components: - export type: string gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array 
@@ -40484,10 +112965,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string @@ -40510,9 +112989,7 @@ components: - fill_gaps type: string fill_gaps: - description: >- - Object that describes applying a manual gap fill action for the - specified time range. + description: Object that describes applying a manual gap fill action for the specified time range. type: object properties: end_date: @@ -40525,14 +113002,10 @@ components: - start_date - end_date gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -40543,10 +113016,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string 
@@ -40566,14 +113037,10 @@ components: - run type: string gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -40584,10 +113051,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string @@ -40618,9 +113083,7 @@ components: reason: $ref: '#/components/schemas/Security_Detections_API_Reason' signal_ids: - description: >- - List of alert ids. Use field `_id` on alert document or - `kibana.alert.uuid`. Note: signals are a deprecated term for alerts. + description: 'List of alert ids. Use field `_id` on alert document or `kibana.alert.uuid`. Note: signals are a deprecated term for alerts.' items: format: nonempty minLength: 1 @@ -40683,9 +113146,7 @@ components: - items: type: string type: array - description: >- - Map Osquery results columns or static values to Elastic Common Schema - (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}} + description: 'Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}' type: object Security_Detections_API_EndpointResponseAction: type: object 
@@ -40745,18 +113206,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -40770,8 +113227,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -40787,35 +113243,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -40842,13 +113287,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -40887,18 +113330,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -40912,8 +113351,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -40929,35 +113367,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -40986,13 +113413,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -41023,18 +113448,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -41048,12 +113469,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -41067,35 +113487,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -41124,13 +113533,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -41145,18 +113552,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -41170,12 +113573,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -41189,35 +113591,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -41246,13 +113637,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -41299,18 +113688,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -41324,8 +113709,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -41341,35 +113725,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -41396,13 +113769,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -41441,18 +113812,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -41466,8 +113833,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -41483,35 +113849,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -41540,13 +113895,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -41567,18 +113920,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -41592,12 +113941,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: @@ -41613,13 +113961,11 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' query: 
@@ -41627,23 +113973,14 @@ components: references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: @@ -41672,13 +114009,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' type: 
@@ -41714,18 +114049,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -41739,12 +114070,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -41758,35 +114088,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -41815,13 +114134,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -41847,9 +114164,7 @@ components: - endpoint_blocklists type: string Security_Detections_API_ExternalRuleCustomizedFields: - description: >- - An array of customized field names — that is, fields that the user has - modified from their base value. Defaults to an empty array. + description: An array of customized field names — that is, fields that the user has modified from their base value. Defaults to an empty array. items: type: object properties: 
@@ -41860,27 +114175,18 @@ components: - field_name type: array Security_Detections_API_ExternalRuleHasBaseVersion: - description: >- - Determines whether an external/prebuilt rule has its original, - unmodified version present when the calculation of its customization - status is performed (`rule_source.is_customized` and - `rule_source.customized_fields`). + description: Determines whether an external/prebuilt rule has its original, unmodified version present when the calculation of its customization status is performed (`rule_source.is_customized` and `rule_source.customized_fields`). type: boolean Security_Detections_API_ExternalRuleSource: - description: >- - Type of rule source for externally sourced rules, i.e. rules that have - an external source, such as the Elastic Prebuilt rules repo. + description: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo. type: object properties: customized_fields: - $ref: >- - #/components/schemas/Security_Detections_API_ExternalRuleCustomizedFields + $ref: '#/components/schemas/Security_Detections_API_ExternalRuleCustomizedFields' has_base_version: - $ref: >- - #/components/schemas/Security_Detections_API_ExternalRuleHasBaseVersion + $ref: '#/components/schemas/Security_Detections_API_ExternalRuleHasBaseVersion' is_customized: - $ref: >- - #/components/schemas/Security_Detections_API_IsExternalRuleCustomized + $ref: '#/components/schemas/Security_Detections_API_IsExternalRuleCustomized' type: enum: - external 
@@ -41915,12 +114221,7 @@ components: - error type: string Security_Detections_API_HistoryWindowStart: - description: >- - Start date to use when checking if a term has been seen before. Supports - relative dates – for example, now-30d will search the last 30 days of - data when checking if a term is new. We do not recommend using absolute - dates, which can cause issues with rule performance due to querying - increasing amounts of data over time. + description: Start date to use when checking if a term has been seen before. Supports relative dates – for example, now-30d will search the last 30 days of data when checking if a term is new. We do not recommend using absolute dates, which can cause issues with rule performance due to querying increasing amounts of data over time. format: nonempty minLength: 1 type: string @@ -41948,21 +114249,15 @@ components: - migrations - is_outdated Security_Detections_API_IndexPatternArray: - description: > - Indices on which the rule functions. Defaults to the Security Solution - indices defined on the Kibana Advanced Settings page (Kibana → Stack - Management → Advanced Settings → `securitySolution:defaultIndex`). - + description: | + Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → `securitySolution:defaultIndex`). > info - > This field is not supported for ES|QL rules. items: type: string type: array Security_Detections_API_InternalRuleSource: - description: >- - Type of rule source for internally sourced rules, i.e. created within - the Kibana apps. + description: Type of rule source for internally sourced rules, i.e. created within the Kibana apps. type: object properties: type: 
@@ -41972,12 +114267,9 @@ components: required: - type Security_Detections_API_InvestigationFields: - description: > - Schema for fields relating to investigation fields. These are user - defined fields we use to highlight - - in various features in the UI such as alert details flyout and - exceptions auto-population from alert. + description: | + Schema for fields relating to investigation fields. These are user defined fields we use to highlight + in various features in the UI such as alert details flyout and exceptions auto-population from alert. type: object properties: field_names: @@ -41991,19 +114283,14 @@ components: description: Notes to help investigate alerts produced by the rule. type: string Security_Detections_API_IsExternalRuleCustomized: - description: >- - Determines whether an external/prebuilt rule has been customized by the - user (i.e. any of its fields have been modified and diverged from the - base value). + description: Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value). type: boolean Security_Detections_API_IsRuleEnabled: description: Determines whether the rule is enabled. Defaults to true. type: boolean Security_Detections_API_IsRuleImmutable: deprecated: true - description: >- - This field determines whether the rule is a prebuilt Elastic rule. It - will be replaced with the `rule_source` field. + description: This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the `rule_source` field. type: boolean Security_Detections_API_ItemsPerSearch: minimum: 1 
@@ -42026,18 +114313,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -42051,8 +114334,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -42068,35 +114350,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -42123,13 +114394,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -42158,31 +114427,24 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields' Security_Detections_API_MachineLearningRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' Security_Detections_API_MachineLearningRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -42196,8 +114458,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -42213,35 +114474,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -42270,13 +114520,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -42286,8 +114534,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields' Security_Detections_API_MachineLearningRuleOptionalFields: type: object properties: 
@@ -42300,32 +114547,26 @@ components: anomaly_threshold: $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold' machine_learning_job_id: - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningJobId + $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId' type: description: Rule type enum: - machine_learning type: string - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' Security_Detections_API_MachineLearningRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -42339,12 +114580,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -42358,35 +114598,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -42415,19 +114644,16 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRulePatchFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchFields' Security_Detections_API_MachineLearningRuleRequiredFields: type: object properties: 
@@ -42446,27 +114672,21 @@ components: - anomaly_threshold Security_Detections_API_MachineLearningRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' Security_Detections_API_MachineLearningRuleUpdateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -42480,12 +114700,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -42499,35 +114718,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -42556,13 +114764,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -42572,25 +114778,13 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields' Security_Detections_API_MaxSignals: default: 100 - description: > - Maximum number of alerts the rule can create during a single run (the - rule’s Max alerts per run [advanced - setting](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#rule-ui-advanced-params) - value). - + description: | + Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run [advanced setting](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#rule-ui-advanced-params) value). > info - - > This setting can be superseded by the [Kibana configuration - setting](https://www.elastic.co/docs/reference/kibana/configuration-reference/alerting-settings) - `xpack.alerting.rules.run.alerts.max`, which determines the maximum - alerts generated by any rule in the Kibana alerting framework. For - example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, the - rule can generate no more than 1000 alerts even if `max_signals` is set - higher. + > This setting can be superseded by the [Kibana configuration setting](https://www.elastic.co/docs/reference/kibana/configuration-reference/alerting-settings) `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, the rule can generate no more than 1000 alerts even if `max_signals` is set higher. minimum: 1 type: integer Security_Detections_API_MigrationCleanupResult: 
@@ -42703,18 +114897,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -42728,8 +114918,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -42745,35 +114934,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -42800,13 +114978,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -42835,33 +115011,25 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleResponseFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleResponseFields' Security_Detections_API_NewTermsRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields' Security_Detections_API_NewTermsRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -42875,8 +115043,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -42892,35 +115059,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -42949,13 +115105,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -42965,8 +115119,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields' Security_Detections_API_NewTermsRuleDefaultableFields: type: object properties: 
@@ -42998,27 +115151,21 @@ components: enum: - new_terms type: string - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields' Security_Detections_API_NewTermsRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -43032,12 +115179,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -43051,35 +115197,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -43108,13 +115243,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -43141,10 +115274,8 @@ components: - history_window_start Security_Detections_API_NewTermsRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' - type: object properties: language: 
@@ -43156,18 +115287,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -43181,12 +115308,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -43200,35 +115326,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -43257,13 +115372,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -43273,8 +115386,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields' Security_Detections_API_NonEmptyString: description: A string that does not contain only whitespace characters format: nonempty @@ -43301,8 +115413,7 @@ components: type: object properties: err_code: - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode + $ref: '#/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode' message: type: string rules: 
@@ -43321,31 +115432,20 @@ components: ecs_mapping: $ref: '#/components/schemas/Security_Detections_API_EcsMapping' pack_id: - description: >- - To specify a query pack, use the packId field. Example: "packId": - "processes_elastic" + description: 'To specify a query pack, use the packId field. Example: "packId": "processes_elastic"' type: string queries: items: $ref: '#/components/schemas/Security_Detections_API_OsqueryQuery' type: array query: - description: >- - To run a single query, use the query field and enter a SQL query. - Example: "query": "SELECT * FROM processes;" + description: 'To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"' type: string saved_query_id: - description: >- - To run a saved query, use the saved_query_id field and specify the - saved query ID. Example: "saved_query_id": "processes_elastic" + description: 'To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"' type: string timeout: - description: >- - A timeout period, in seconds, after which the query will stop - running. Overwriting the default timeout allows you to support - queries that require more time to complete. The default and minimum - supported value is 60. The maximum supported value is 900. Example: - "timeout": 120. + description: 'A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.' type: number Security_Detections_API_OsqueryQuery: type: object 
@@ -43399,18 +115499,13 @@ components: type: object properties: command: - description: >- - To run an endpoint response action, specify a value for the command - field. Example: "command": "isolate" + description: 'To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"' enum: - kill-process - suspend-process type: string comment: - description: >- - Add a note that explains or describes the action. You can find your - comment in the response actions history log. Example: "comment": - "Check processes" + description: 'Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"' type: string config: type: object @@ -43462,18 +115557,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -43487,8 +115578,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -43504,35 +115594,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -43559,13 +115638,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -43599,25 +115676,20 @@ components: allOf: - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - - $ref: >- - #/components/schemas/Security_Detections_API_QueryRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields' Security_Detections_API_QueryRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -43631,8 +115703,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -43648,35 +115719,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -43705,13 +115765,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -43752,25 +115810,20 @@ components: - query type: string - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - - $ref: >- - #/components/schemas/Security_Detections_API_QueryRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields' Security_Detections_API_QueryRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -43784,12 +115837,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -43803,35 +115855,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -43860,13 +115901,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -43900,18 +115939,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -43925,12 +115960,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -43944,35 +115978,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -44001,13 +116024,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -44019,11 +116040,7 @@ components: - severity - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields' Security_Detections_API_Reason: - description: >- - The reason for closing the alerts. Can be one of following predefined - reasons: [false_positive, duplicate, true_positive, benign_positive, - automated_closure, other] or a custom reason provided by the user - through the advanced settings. + description: 'The reason for closing the alerts. Can be one of following predefined reasons: [false_positive, duplicate, true_positive, benign_positive, automated_closure, other] or a custom reason provided by the user through the advanced settings.' oneOf: - $ref: '#/components/schemas/Security_Detections_API_ReasonEnum' - type: string 
@@ -44037,45 +116054,23 @@ components: - other type: string Security_Detections_API_RelatedIntegration: - description: > - Related integration is a potential dependency of a rule. It's assumed - that if the user installs - - one of the related integrations of a rule, the rule might start to work - properly because it will - - have source events (generated by this integration) potentially matching - the rule's query. - - - NOTE: Proper work is not guaranteed, because a related integration, if - installed, can be - - configured differently or generate data that is not necessarily relevant - for this rule. - - - Related integration is a combination of a Fleet package and (optionally) - one of the + description: | + Related integration is a potential dependency of a rule. It's assumed that if the user installs + one of the related integrations of a rule, the rule might start to work properly because it will + have source events (generated by this integration) potentially matching the rule's query. - package's "integrations" that this package contains. It is represented - by 3 properties: + NOTE: Proper work is not guaranteed, because a related integration, if installed, can be + configured differently or generate data that is not necessarily relevant for this rule. + Related integration is a combination of a Fleet package and (optionally) one of the + package's "integrations" that this package contains. It is represented by 3 properties: - `package`: name of the package (required, unique id) - - `version`: version of the package (required, semver-compatible) + - `integration`: name of the integration of this package (optional, id within the package) - - `integration`: name of the integration of this package (optional, id - within the package) - - - There are Fleet packages like `windows` that contain only one - integration; in this case, - - `integration` should be unspecified. 
There are also packages like `aws` - and `azure` that contain - + There are Fleet packages like `windows` that contain only one integration; in this case, + `integration` should be unspecified. There are also packages like `aws` and `azure` that contain several integrations; in this case, `integration` should be specified. example: integration: activitylogs @@ -44097,35 +116092,23 @@ components: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegration' type: array Security_Detections_API_RequiredField: - description: > - Describes an Elasticsearch field that is needed for the rule to - function. - - - Almost all types of Security rules check source event documents for a - match to some kind of - - query or filter. If a document has certain field with certain values, - then it's a match and + description: | + Describes an Elasticsearch field that is needed for the rule to function. + Almost all types of Security rules check source event documents for a match to some kind of + query or filter. If a document has certain field with certain values, then it's a match and the rule will generate an alert. - - Required field is an event field that must be present in the source - indices of a given rule. - + Required field is an event field that must be present in the source indices of a given rule. @example - const standardEcsField: RequiredField = { name: 'event.action', type: 'keyword', ecs: true, }; - @example - const nonEcsField: RequiredField = { name: 'winlog.event_data.AttributeLDAPDisplayName', type: 'keyword', 
@@ -44134,10 +116117,7 @@ components: type: object properties: ecs: - description: >- - Indicates whether the field is ECS-compliant. This property is only - present in responses. Its value is computed based on field’s name - and type. + description: Indicates whether the field is ECS-compliant. This property is only present in responses. Its value is computed based on field’s name and type. type: boolean name: description: Name of an Elasticsearch field @@ -44158,10 +116138,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RequiredField' type: array Security_Detections_API_RequiredFieldInput: - description: >- - Input parameters to create a RequiredField. Does not include the `ecs` - field, because `ecs` is calculated on the backend based on the field - name and type. + description: Input parameters to create a RequiredField. Does not include the `ecs` field, because `ecs` is calculated on the backend based on the field name and type. type: object properties: name: @@ -44197,7 +116174,7 @@ components: execution_summary: $ref: '#/components/schemas/Security_Detections_API_RuleExecutionSummary' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' immutable: $ref: '#/components/schemas/Security_Detections_API_IsRuleImmutable' required_fields: @@ -44236,9 +116213,7 @@ components: minimum: 0 type: integer Security_Detections_API_RiskScoreMapping: - description: >- - Overrides generated alerts' risk_score with a value from the source - event + description: Overrides generated alerts' risk_score with a value from the source event items: type: object properties: 
@@ -44301,34 +116276,27 @@ components: - params Security_Detections_API_RuleActionAlertsFilter: additionalProperties: true - description: > + description: | Object containing an action’s conditional filters. - - - `timeframe` (object, optional): Object containing the time frame for - when this action can be run. + - `timeframe` (object, optional): Object containing the time frame for when this action can be run. - `days` (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between `1-7`, where `1` is Monday and `7` is Sunday. To select all days of the week, enter an empty array. - `hours` (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format `hh:mm` in `24` hour time. A start of `00:00` and an end of `24:00` means the action can run all day. - start (string, required): Start time in `hh:mm` format. - end (string, required): End time in `hh:mm` format. - `timezone` (string, required): An ISO timezone name, such as `Europe/Madrid` or `America/New_York`. Specific offsets such as `UTC` or `UTC+1` will also work, but lack built-in DST. - - `query` (object, optional): Object containing a query filter which - gets applied to an action and determines whether the action should run. + - `query` (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run. - `kql` (string, required): A KQL string. - `filters` (array of objects, required): Array of filter objects, as defined in the `kbn-es-query` package. type: object Security_Detections_API_RuleActionFrequency: - description: >- - The action frequency defines when the action runs (for example, only on - rule execution or at specific time intervals). + description: The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals). 
type: object properties: notifyWhen: $ref: '#/components/schemas/Security_Detections_API_RuleActionNotifyWhen' summary: - description: >- - Action summary indicates whether we will send a summary notification - about all the generate alerts or notification per individual alert + description: Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert type: boolean throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' @@ -44338,9 +116306,7 @@ components: - notifyWhen - throttle Security_Detections_API_RuleActionGroup: - description: >- - Optionally groups actions by use cases. Use `default` for alert - notifications. + description: Optionally groups actions by use cases. Use `default` for alert notifications. type: string Security_Detections_API_RuleActionId: description: The connector ID. @@ -44354,10 +116320,8 @@ components: type: string Security_Detections_API_RuleActionParams: additionalProperties: true - description: > - Object containing the allowed connector fields, which varies according - to the connector type. - + description: | + Object containing the allowed connector fields, which varies according to the connector type. For Slack: 
@@ -44405,30 +116369,22 @@ components: anyOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' discriminator: mapping: eql: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' esql: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' - machine_learning: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps + machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' new_terms: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' query: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' - saved_query: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps - threat_match: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps - threshold: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps + saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' + threat_match: 
'#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' + threshold: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' propertyName: type Security_Detections_API_RuleDescription: description: The rule’s description. @@ -44445,11 +116401,8 @@ components: required: - id Security_Detections_API_RuleExceptionList: - description: > - Array of [exception - containers](https://www.elastic.co/docs/solutions/security/detect-and-alert/detection-rule-concepts), - which define exceptions that prevent the rule from generating alerts - even when its other criteria are met. + description: | + Array of [exception containers](https://www.elastic.co/docs/solutions/security/detect-and-alert/detection-rule-concepts), which define exceptions that prevent the rule from generating alerts even when its other criteria are met. type: object properties: id: @@ -44483,10 +116436,7 @@ components: minimum: 0 type: integer frozen_indices_queried_count: - description: >- - Count of frozen indices queried during the rule execution. These - indices could not be entirely excluded after applying the time range - filter. + description: Count of frozen indices queried during the rule execution. These indices could not be entirely excluded after applying the time range filter. minimum: 0 type: integer gap_range: @@ -44507,9 +116457,7 @@ components: type: object properties: type: - description: >- - The type of reason for the gap (rule_disabled or - rule_did_not_run) + description: The type of reason for the gap (rule_disabled or rule_did_not_run) enum: - rule_disabled - rule_did_not_run 
@@ -44517,50 +116465,25 @@ components: required: - type total_enrichment_duration_ms: - description: >- - Total time spent enriching documents during current rule execution - cycle + description: Total time spent enriching documents during current rule execution cycle minimum: 0 type: integer total_indexing_duration_ms: - description: >- - Total time spent indexing documents during current rule execution - cycle + description: Total time spent indexing documents during current rule execution cycle minimum: 0 type: integer total_search_duration_ms: - description: >- - Total time spent performing ES searches as measured by Kibana; - includes network latency and time spent serializing/deserializing - request/response + description: Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response minimum: 0 type: integer Security_Detections_API_RuleExecutionStatus: - description: >- - Custom execution status of Security rules that is different from the - status used in the Alerting Framework. We merge our custom status with - the Framework's status to determine the resulting status of a rule. - - - going to run - @deprecated Replaced by the 'running' status but left - for backwards compatibility with rule execution events already written - to Event Log in the prior versions of Kibana. Don't use when writing - rule status changes. - - - running - Rule execution started but not reached any intermediate or - final status. - - - partial failure - Rule can partially fail for various reasons either - in the middle of an execution (in this case we update its status right - away) or in the end of it. So currently this status can be both - intermediate and final at the same time. A typical reason for a partial - failure: not all the indices that the rule searches over actually exist. 
- - - failed - Rule failed to execute due to unhandled exception or a reason - defined in the business logic of its executor function. - - - succeeded - Rule executed successfully without any issues. Note: this - status is just an indication of a rule's "health". The rule might or - might not generate any alerts despite of it. + description: |- + Custom execution status of Security rules that is different from the status used in the Alerting Framework. We merge our custom status with the Framework's status to determine the resulting status of a rule. + - going to run - @deprecated Replaced by the 'running' status but left for backwards compatibility with rule execution events already written to Event Log in the prior versions of Kibana. Don't use when writing rule status changes. + - running - Rule execution started but not reached any intermediate or final status. + - partial failure - Rule can partially fail for various reasons either in the middle of an execution (in this case we update its status right away) or in the end of it. So currently this status can be both intermediate and final at the same time. A typical reason for a partial failure: not all the indices that the rule searches over actually exist. + - failed - Rule failed to execute due to unhandled exception or a reason defined in the business logic of its executor function. + - succeeded - Rule executed successfully without any issues. Note: this status is just an indication of a rule's "health". The rule might or might not generate any alerts despite of it. enum: - going to run - running 
@@ -44587,14 +116510,12 @@ components: message: type: string metrics: - $ref: >- - #/components/schemas/Security_Detections_API_RuleExecutionMetrics + $ref: '#/components/schemas/Security_Detections_API_RuleExecutionMetrics' status: $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatus' description: Status of the last execution status_order: - $ref: >- - #/components/schemas/Security_Detections_API_RuleExecutionStatusOrder + $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatusOrder' required: - date - status 
@@ -44604,33 +116525,22 @@ components: required: - last_execution Security_Detections_API_RuleFalsePositiveArray: - description: >- - String array used to describe common reasons why the rule may issue - false-positive alerts. Defaults to an empty array. + description: String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array. items: type: string type: array Security_Detections_API_RuleFilterArray: - description: > - The query and filter context array used to define the conditions for - when alerts are created from events. Defaults to an empty array. - + description: | + The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array. > info - > This field is not supported for ES|QL rules. items: {} type: array Security_Detections_API_RuleInterval: - description: >- - Frequency of rule execution, using a date math range. For example, "1h" - means the rule runs every hour. Defaults to 5m (5 minutes). + description: Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes). type: string Security_Detections_API_RuleIntervalFrom: - description: >- - Time from which data is analyzed each time the rule runs, using a date - math range. For example, now-4200s means the rule analyzes data from 70 - minutes before its start time. Defaults to now-6m (analyzes data from 6 - minutes before the start time). + description: Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time). format: date-math type: string Security_Detections_API_RuleIntervalTo: 
@@ -44640,13 +116550,10 @@ components: type: string Security_Detections_API_RuleMetadata: additionalProperties: true - description: > + description: | Placeholder for metadata about the rule. - > info - - > This field is overwritten when you save changes to the rule’s - settings. + > This field is overwritten when you save changes to the rule’s settings. type: object Security_Detections_API_RuleName: description: A human-readable name for the rule. 
@@ -44654,31 +116561,19 @@ components: minLength: 1 type: string Security_Detections_API_RuleNameOverride: - description: >- - Sets which field in the source event is used to populate the alert's - `signal.rule.name` value (in the UI, this value is displayed on the - Rules page in the Rule column). When unspecified, the rule’s `name` - value is used. The source field must be a string data type. + description: Sets which field in the source event is used to populate the alert's `signal.rule.name` value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s `name` value is used. The source field must be a string data type. type: string Security_Detections_API_RuleObjectId: $ref: '#/components/schemas/Security_Detections_API_UUID' - description: >- - A dynamic unique identifier for the rule object. It is randomly - generated when a rule is created and cannot be changed after that. It is - always a UUID. It is unique within a given Kibana space. The same - prebuilt Elastic rule, when installed in two different Kibana spaces or - two different Elastic environments, will have different object `id`s. + description: A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object `id`s. 
Security_Detections_API_RulePatchProps: anyOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchProps' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRulePatchProps + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchProps' - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRulePatchProps + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_EsqlRulePatchProps' Security_Detections_API_RulePreviewLoggedRequest: @@ -44704,8 +116599,7 @@ components: type: array requests: items: - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewLoggedRequest + $ref: '#/components/schemas/Security_Detections_API_RulePreviewLoggedRequest' type: array startedAt: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' 
@@ -44729,22 +116623,14 @@ components: - invocationCount - timeframeEnd Security_Detections_API_RuleQuery: - description: > - [Query](https://www.elastic.co/docs/explore-analyze/query-filter) used - by the rule to create alerts. - - - - For indicator match rules, only the query’s results are used to - determine whether an alert is generated. + description: | + [Query](https://www.elastic.co/docs/explore-analyze/query-filter) used by the rule to create alerts. - - ES|QL rules have additional query requirements. Refer to [Create - ES|QL](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#create-esql-rule) - rules for more information. + - For indicator match rules, only the query’s results are used to determine whether an alert is generated. + - ES|QL rules have additional query requirements. Refer to [Create ES|QL](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#create-esql-rule) rules for more information. type: string Security_Detections_API_RuleReferenceArray: - description: >- - Array containing notes about or references to relevant information about - the rule. Defaults to an empty array. + description: Array containing notes about or references to relevant information about the rule. Defaults to an empty array. items: type: string type: array 
@@ -44770,47 +116656,26 @@ components: threshold: '#/components/schemas/Security_Detections_API_ThresholdRule' propertyName: type Security_Detections_API_RuleRevision: - description: > + description: | The rule's revision number. - - It represents the version of rule's object in Kibana. It is set to `0` - when the rule is installed or created and then gets incremented on each - update. - + It represents the version of rule's object in Kibana. It is set to `0` when the rule is installed or created and then gets incremented on each update. > info - - > Not all updates to any rule fields will increment the revision. Only - those fields that are considered static `rule parameters` can trigger - revision increments. For example, an update to a rule's query or index - fields will increment the rule's revision by `1`. However, changes to - dynamic or technical fields like enabled or execution_summary will not - cause revision increments. + > Not all updates to any rule fields will increment the revision. Only those fields that are considered static `rule parameters` can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by `1`. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments. minimum: 0 type: integer Security_Detections_API_RuleSignatureId: - description: >- - A stable unique identifier for the rule object. It can be assigned - during rule creation. It can be any string, but often is a UUID. It - should be unique not only within a given Kibana space, but also across - spaces and Elastic environments. The same prebuilt Elastic rule, when - installed in two different Kibana spaces or two different Elastic - environments, will have the same `rule_id`s. + description: A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. 
It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same `rule_id`s. type: string Security_Detections_API_RuleSource: - description: >- - Discriminated union that determines whether the rule is internally - sourced (created within the Kibana app) or has an external source, such - as the Elastic Prebuilt rules repo. + description: Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo. discriminator: propertyName: type oneOf: - $ref: '#/components/schemas/Security_Detections_API_ExternalRuleSource' - $ref: '#/components/schemas/Security_Detections_API_InternalRuleSource' Security_Detections_API_RuleTagArray: - description: >- - String array containing words and phrases to help categorize, filter, - and search rules. Defaults to an empty array. + description: String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array. items: type: string type: array 
@@ -44818,47 +116683,31 @@ components: anyOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps' discriminator: mapping: eql: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps' esql: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps' - machine_learning: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps + machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps' new_terms: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps' query: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps' - saved_query: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps - threat_match: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps - threshold: >- - #/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps + saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps' + threat_match: 
'#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps' + threshold: '#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps' propertyName: type Security_Detections_API_RuleVersion: - description: > + description: | The rule's version number. - - - For prebuilt rules it represents the version of the rule's content in - the source [detection-rules](https://github.com/elastic/detection-rules) - repository (and the corresponding `security_detection_engine` Fleet - package that is used for distributing prebuilt rules). - + - For prebuilt rules it represents the version of the rule's content in the source [detection-rules](https://github.com/elastic/detection-rules) repository (and the corresponding `security_detection_engine` Fleet package that is used for distributing prebuilt rules). - For custom rules it is set to `1` when the rule is created. - > info - - > It is not incremented on each update. Compare this to the `revision` - field. + > It is not incremented on each update. Compare this to the `revision` field. minimum: 1 type: integer Security_Detections_API_RunScriptOsConfigValues: 
@@ -44884,22 +116733,17 @@ components: - runscript type: string comment: - description: >- - Add a note that explains or describes the action. You can find your - comment in the response actions history log + description: Add a note that explains or describes the action. You can find your comment in the response actions history log type: string config: type: object properties: linux: - $ref: >- - #/components/schemas/Security_Detections_API_RunScriptOsConfigValues + $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues' macos: - $ref: >- - #/components/schemas/Security_Detections_API_RunScriptOsConfigValues + $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues' windows: - $ref: >- - #/components/schemas/Security_Detections_API_RunScriptOsConfigValues + $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues' required: - command Security_Detections_API_SavedObjectResolveAliasPurpose: 
@@ -44916,28 +116760,21 @@ components: - conflict type: string Security_Detections_API_SavedQueryId: - description: >- - Kibana [saved - search](https://www.elastic.co/docs/explore-analyze/discover/search-sessions) - used by the rule to create alerts. + description: Kibana [saved search](https://www.elastic.co/docs/explore-analyze/discover/search-sessions) used by the rule to create alerts. type: string Security_Detections_API_SavedQueryRule: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -44951,8 +116788,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -44968,35 +116804,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -45023,13 +116848,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -45058,33 +116881,25 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields' Security_Detections_API_SavedQueryRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields' Security_Detections_API_SavedQueryRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -45098,8 +116913,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -45115,35 +116929,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -45172,13 +116975,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -45188,8 +116989,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields' Security_Detections_API_SavedQueryRuleDefaultableFields: type: object properties: 
@@ -45219,27 +117019,21 @@ components: enum: - saved_query type: string - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields' Security_Detections_API_SavedQueryRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -45253,12 +117047,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -45272,35 +117065,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -45329,19 +117111,16 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRulePatchFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchFields' Security_Detections_API_SavedQueryRuleRequiredFields: type: object properties: @@ -45357,10 +117136,8 @@ components: - saved_id Security_Detections_API_SavedQueryRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' - type: object properties: language: 
@@ -45372,18 +117149,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -45397,376 +117170,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - - > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. 
- items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields - Security_Detections_API_SetAlertAssigneesBody: - type: object - properties: - assignees: - $ref: '#/components/schemas/Security_Detections_API_AlertAssignees' - description: Details about the assignees to assign and unassign. 
- ids: - $ref: '#/components/schemas/Security_Detections_API_AlertIds' - required: - - assignees - - ids - Security_Detections_API_SetAlertsStatusByIds: - discriminator: - mapping: - closed: '#/components/schemas/Security_Detections_API_CloseAlertsByIds' - propertyName: status - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByIds' - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByIdsBase - Security_Detections_API_SetAlertsStatusByIdsBase: - type: object - properties: - signal_ids: - description: >- - List of alert ids. Use field `_id` on alert document or - `kibana.alert.uuid`. Note: signals are a deprecated term for alerts. - items: - format: nonempty - minLength: 1 - type: string - minItems: 1 - type: array - status: - $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed' - required: - - signal_ids - - status - Security_Detections_API_SetAlertsStatusByQuery: - discriminator: - mapping: - closed: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery' - propertyName: status - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery' - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByQueryBase - Security_Detections_API_SetAlertsStatusByQueryBase: - type: object - properties: - conflicts: - default: abort - enum: - - abort - - proceed - type: string - query: - additionalProperties: true - type: object - status: - $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed' - required: - - query - - status - Security_Detections_API_SetAlertTags: - description: Object with list of tags to add and remove. 
- type: object - properties: - tags_to_add: - $ref: '#/components/schemas/Security_Detections_API_AlertTags' - tags_to_remove: - $ref: '#/components/schemas/Security_Detections_API_AlertTags' - required: - - tags_to_add - - tags_to_remove - Security_Detections_API_SetAlertTagsBody: - type: object - properties: - ids: - $ref: '#/components/schemas/Security_Detections_API_AlertIds' - tags: - $ref: '#/components/schemas/Security_Detections_API_SetAlertTags' - required: - - ids - - tags - Security_Detections_API_SetupGuide: - description: >- - Populates the rule’s setup guide with instructions on rule prerequisites - such as required integrations, configuration steps, and anything else - needed for the rule to work correctly. - type: string - Security_Detections_API_Severity: - description: > - Severity level of alerts produced by the rule, which must be one of the - following: - - * `low`: Alerts that are of interest but generally not considered to be - security incidents - - * `medium`: Alerts that require investigation - - * `high`: Alerts that require immediate investigation - - * `critical`: Alerts that indicate it is highly likely a security - incident has occurred - enum: - - low - - medium - - high - - critical - type: string - Security_Detections_API_SeverityMapping: - description: Overrides generated alerts' severity with values from the source event - items: - type: object - properties: - field: - description: Source event field used to override the default `severity`. 
- type: string - operator: - enum: - - equals - type: string - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - value: - type: string - required: - - field - - operator - - severity - - value - type: array - Security_Detections_API_SiemErrorResponse: - type: object - properties: - message: - type: string - status_code: - type: integer - required: - - status_code - - message - Security_Detections_API_SkippedAlertsIndexMigration: - type: object - properties: - index: - type: string - required: - - index - Security_Detections_API_SortOrder: - enum: - - asc - - desc - type: string - Security_Detections_API_Threat: - description: > - > info - - > Currently, only threats described using the MITRE ATT&CK™ - framework are supported. - type: object - properties: - framework: - description: Relevant attack framework - type: string - tactic: - $ref: '#/components/schemas/Security_Detections_API_ThreatTactic' - technique: - description: Array containing information on the attack techniques (optional) - items: - $ref: '#/components/schemas/Security_Detections_API_ThreatTechnique' - type: array - required: - - framework - - tactic - Security_Detections_API_ThreatArray: - items: - $ref: '#/components/schemas/Security_Detections_API_Threat' - type: array - Security_Detections_API_ThreatFilters: - items: - description: >- - Query and filter context array used to filter documents from the - Elasticsearch index containing the threat values - type: array - Security_Detections_API_ThreatIndex: - description: Elasticsearch indices used to check which field values generate alerts. 
- items: - type: string - type: array - Security_Detections_API_ThreatIndicatorPath: - description: >- - Defines the path to the threat indicator in the indicator documents - (optional) - type: string - Security_Detections_API_ThreatMapping: - description: > - Array of entries objects that define mappings between the source event - fields and the values in the Elasticsearch threat index. Each entries - object must contain these fields: - - - - field: field from the event indices on which the rule runs - - - type: must be mapping - - - value: field from the Elasticsearch threat index - - You can use Boolean and and or logic to define the conditions for when - matching fields and values generate alerts. Sibling entries objects are - evaluated using or logic, whereas multiple entries in a single entries - object use and logic. See Example of Threat Match rule which uses both - `and` and `or` logic. - items: - type: object - properties: - entries: - items: - $ref: '#/components/schemas/Security_Detections_API_ThreatMappingEntry' - type: array - required: - - entries - minItems: 1 - type: array - Security_Detections_API_ThreatMappingEntry: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - negate: - type: boolean - type: - enum: - - mapping - type: string - value: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - required: - - field - - type - - value - Security_Detections_API_ThreatMatchRule: - allOf: - - type: object - properties: - actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. 
- items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -45780,35 +117188,340 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. 
+ items: + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields' + Security_Detections_API_SetAlertAssigneesBody: + type: object + properties: + assignees: + $ref: '#/components/schemas/Security_Detections_API_AlertAssignees' + description: Details about the assignees to assign and unassign. 
+ ids: + $ref: '#/components/schemas/Security_Detections_API_AlertIds' + required: + - assignees + - ids + Security_Detections_API_SetAlertsStatusByIds: + discriminator: + mapping: + closed: '#/components/schemas/Security_Detections_API_CloseAlertsByIds' + propertyName: status + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByIds' + - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByIdsBase' + Security_Detections_API_SetAlertsStatusByIdsBase: + type: object + properties: + signal_ids: + description: 'List of alert ids. Use field `_id` on alert document or `kibana.alert.uuid`. Note: signals are a deprecated term for alerts.' + items: + format: nonempty + minLength: 1 + type: string + minItems: 1 + type: array + status: + $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed' + required: + - signal_ids + - status + Security_Detections_API_SetAlertsStatusByQuery: + discriminator: + mapping: + closed: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery' + propertyName: status + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery' + - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByQueryBase' + Security_Detections_API_SetAlertsStatusByQueryBase: + type: object + properties: + conflicts: + default: abort + enum: + - abort + - proceed + type: string + query: + additionalProperties: true + type: object + status: + $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed' + required: + - query + - status + Security_Detections_API_SetAlertTags: + description: Object with list of tags to add and remove. 
+ type: object + properties: + tags_to_add: + $ref: '#/components/schemas/Security_Detections_API_AlertTags' + tags_to_remove: + $ref: '#/components/schemas/Security_Detections_API_AlertTags' + required: + - tags_to_add + - tags_to_remove + Security_Detections_API_SetAlertTagsBody: + type: object + properties: + ids: + $ref: '#/components/schemas/Security_Detections_API_AlertIds' + tags: + $ref: '#/components/schemas/Security_Detections_API_SetAlertTags' + required: + - ids + - tags + Security_Detections_API_SetupGuide: + description: Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly. + type: string + Security_Detections_API_Severity: + description: | + Severity level of alerts produced by the rule, which must be one of the following: + * `low`: Alerts that are of interest but generally not considered to be security incidents + * `medium`: Alerts that require investigation + * `high`: Alerts that require immediate investigation + * `critical`: Alerts that indicate it is highly likely a security incident has occurred + enum: + - low + - medium + - high + - critical + type: string + Security_Detections_API_SeverityMapping: + description: Overrides generated alerts' severity with values from the source event + items: + type: object + properties: + field: + description: Source event field used to override the default `severity`. 
+ type: string + operator: + enum: + - equals + type: string + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + value: + type: string + required: + - field + - operator + - severity + - value + type: array + Security_Detections_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Detections_API_SkippedAlertsIndexMigration: + type: object + properties: + index: + type: string + required: + - index + Security_Detections_API_SortOrder: + enum: + - asc + - desc + type: string + Security_Detections_API_Threat: + description: | + > info + > Currently, only threats described using the MITRE ATT&CK™ framework are supported. + type: object + properties: + framework: + description: Relevant attack framework + type: string + tactic: + $ref: '#/components/schemas/Security_Detections_API_ThreatTactic' + technique: + description: Array containing information on the attack techniques (optional) + items: + $ref: '#/components/schemas/Security_Detections_API_ThreatTechnique' + type: array + required: + - framework + - tactic + Security_Detections_API_ThreatArray: + items: + $ref: '#/components/schemas/Security_Detections_API_Threat' + type: array + Security_Detections_API_ThreatFilters: + items: + description: Query and filter context array used to filter documents from the Elasticsearch index containing the threat values + type: array + Security_Detections_API_ThreatIndex: + description: Elasticsearch indices used to check which field values generate alerts. + items: + type: string + type: array + Security_Detections_API_ThreatIndicatorPath: + description: Defines the path to the threat indicator in the indicator documents (optional) + type: string + Security_Detections_API_ThreatMapping: + description: | + Array of entries objects that define mappings between the source event fields and the values in the Elasticsearch threat index. 
Each entries object must contain these fields: - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + - field: field from the event indices on which the rule runs + - type: must be mapping + - value: field from the Elasticsearch threat index + + You can use Boolean and and or logic to define the conditions for when matching fields and values generate alerts. Sibling entries objects are evaluated using or logic, whereas multiple entries in a single entries object use and logic. See Example of Threat Match rule which uses both `and` and `or` logic. + items: + type: object + properties: + entries: + items: + $ref: '#/components/schemas/Security_Detections_API_ThreatMappingEntry' + type: array + required: + - entries + minItems: 1 + type: array + Security_Detections_API_ThreatMappingEntry: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + negate: + type: boolean + type: + enum: + - mapping + type: string + value: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + required: + - field + - type + - value + Security_Detections_API_ThreatMatchRule: + allOf: + - type: object + properties: + actions: + description: Array defining the automated actions (notifications) taken when alerts are generated. 
items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + alias_target_id: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: 
'#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + required_fields: + description: | + Elasticsearch fields and their types that need to be present for the rule to function. + > info + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + items: + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: @@ -45835,13 +117548,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -45870,33 +117581,25 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields' Security_Detections_API_ThreatMatchRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields' Security_Detections_API_ThreatMatchRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -45910,8 +117613,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -45927,35 +117629,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -45984,13 +117675,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -46000,8 +117689,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields' Security_Detections_API_ThreatMatchRuleDefaultableFields: type: object properties: 
@@ -46047,27 +117735,21 @@ components: enum: - threat_match type: string - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields' Security_Detections_API_ThreatMatchRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -46081,12 +117763,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -46100,35 +117781,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -46157,19 +117827,16 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields' Security_Detections_API_ThreatMatchRuleRequiredFields: type: object properties: @@ -46194,10 +117861,8 @@ components: - threat_index Security_Detections_API_ThreatMatchRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' - type: object properties: language: 
@@ -46209,18 +117874,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -46234,12 +117895,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -46253,35 +117913,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -46310,13 +117959,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -46326,12 +117973,9 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields' Security_Detections_API_ThreatQuery: - description: >- - Query used to determine which fields in the Elasticsearch index are used - for generating alerts. + description: Query used to determine which fields in the Elasticsearch index are used for generating alerts. type: string Security_Detections_API_ThreatSubtechnique: type: object @@ -46406,8 +118050,7 @@ components: type: object properties: duration: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionDuration + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration' required: - duration Security_Detections_API_ThresholdCardinality: @@ -46419,9 +118062,7 @@ components: description: The field on which to calculate and compare the cardinality. type: string value: - description: >- - The threshold value from which an alert is generated based on - unique number of values of cardinality.field. + description: The threshold value from which an alert is generated based on unique number of values of cardinality.field. minimum: 0 type: integer required: 
@@ -46429,10 +118070,7 @@ components: - value type: array Security_Detections_API_ThresholdField: - description: >- - The field on which the threshold is applied. If you specify an empty - array ([]), alerts are generated when the query returns at least the - number of results specified in the value field. + description: The field on which the threshold is applied. If you specify an empty array ([]), alerts are generated when the query returns at least the number of results specified in the value field. oneOf: - type: string - items: @@ -46445,18 +118083,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -46470,8 +118104,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -46487,35 +118120,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -46542,13 +118164,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -46577,33 +118197,25 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleResponseFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleResponseFields' Security_Detections_API_ThresholdRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields' Security_Detections_API_ThresholdRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -46617,8 +118229,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -46634,35 +118245,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -46691,13 +118291,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -46707,8 +118305,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields' Security_Detections_API_ThresholdRuleDefaultableFields: type: object properties: @@ -46718,8 +118315,7 @@ components: type: object properties: alert_suppression: - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdAlertSuppression + $ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression' data_view_id: $ref: '#/components/schemas/Security_Detections_API_DataViewId' filters: 
@@ -46741,27 +118337,21 @@ components: enum: - threshold type: string - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields' Security_Detections_API_ThresholdRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -46775,12 +118365,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -46794,35 +118383,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -46851,19 +118429,16 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRulePatchFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchFields' Security_Detections_API_ThresholdRuleRequiredFields: type: object properties: @@ -46882,10 +118457,8 @@ components: - threshold Security_Detections_API_ThresholdRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' - type: object properties: language: 
@@ -46897,18 +118470,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -46922,12 +118491,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -46941,35 +118509,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -46998,13 +118555,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -47014,26 +118569,17 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields' Security_Detections_API_ThresholdValue: description: The threshold value from which an alert is generated. minimum: 1 type: integer Security_Detections_API_ThrottleForBulkActions: - description: > + description: | Defines the maximum interval in which a rule’s actions are executed. - > info - - > The rule level `throttle` field is deprecated in Elastic Security 8.8 - and will remain active for at least the next 12 months. - - > In Elastic Security 8.8 and later, you can use the `frequency` field - to define frequencies for individual actions. Actions without - frequencies will acquire a converted version of the rule’s `throttle` - field. In the response, the converted `throttle` setting appears in the - individual actions' `frequency` field. + > The rule level `throttle` field is deprecated in Elastic Security 8.8 and will remain active for at least the next 12 months. + > In Elastic Security 8.8 and later, you can use the `frequency` field to define frequencies for individual actions. Actions without frequencies will acquire a converted version of the rule’s `throttle` field. In the response, the converted `throttle` setting appears in the individual actions' `frequency` field. enum: - rule - 1h 
@@ -47050,17 +118596,10 @@ components: description: Timeline template title type: string Security_Detections_API_TimestampField: - description: >- - Specifies the name of the event timestamp field used for sorting a - sequence of events. Not to be confused with `timestamp_override`, which - specifies the more general field used for querying events within a - range. Defaults to the @timestamp ECS field. + description: Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with `timestamp_override`, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field. type: string Security_Detections_API_TimestampOverride: - description: >- - Sets the time field used to query indices. When unspecified, rules query - the `@timestamp` field. The source field must be an Elasticsearch date - data type. + description: Sets the time field used to query indices. When unspecified, rules query the `@timestamp` field. The source field must be an Elasticsearch date data type. type: string Security_Detections_API_TimestampOverrideFallbackDisabled: description: Disables the fallback to the event's @timestamp field @@ -47095,10 +118634,7 @@ components: type: object properties: _version: - description: >- - The version id, normally returned by the API when the item was - retrieved. Use it ensure updates are done against the latest - version. + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string created_at: description: Autogenerated date of object creation. 
@@ -47108,39 +118644,28 @@ components: description: Autogenerated value - user that created object. type: string description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription' id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId' immutable: type: boolean list_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId' meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta' name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName' namespace_type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType' os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray' tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags' tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. + description: Field used in search to ensure all containers are sorted and returned correctly. 
type: string type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType' updated_at: description: Autogenerated date of last object update. format: date-time @@ -47149,8 +118674,7 @@ components: description: Autogenerated value - user that last updated object. type: string version: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion' required: - id - list_id 
@@ -47170,30 +118694,17 @@ components: example: This list tracks allowlisted values. type: string Security_Endpoint_Exceptions_API_ExceptionListHumanId: - description: > + description: | The exception list's human-readable string identifier. - For endpoint artifacts, use one of the following values: - - * `endpoint_list`: [Elastic Endpoint exception - list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) - - * `endpoint_trusted_apps`: [Trusted applications - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) - - * `endpoint_trusted_devices`: [Trusted devices - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) - - * `endpoint_event_filters`: [Event filters - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) - - * `endpoint_host_isolation_exceptions`: [Host isolation exceptions - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) - - * `endpoint_blocklists`: [Blocklists - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) + * `endpoint_list`: [Elastic Endpoint exception list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) + * `endpoint_trusted_apps`: [Trusted applications list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) + * `endpoint_trusted_devices`: [Trusted devices list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) + * `endpoint_event_filters`: [Event filters list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) + * `endpoint_host_isolation_exceptions`: [Host isolation exceptions list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) + * `endpoint_blocklists`: [Blocklists 
list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) example: simple_list format: nonempty minLength: 1 @@ -47208,14 +118719,10 @@ components: type: object properties: _version: - description: >- - The version id, normally returned by the API when the item was - retrieved. Use it ensure updates are done against the latest - version. + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string comments: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' created_at: description: Autogenerated date of object creation. format: date-time 
@@ -47224,46 +118731,32 @@ components: description: Autogenerated value - user that created object. type: string description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' entries: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' expire_time: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime' id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' item_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' list_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId' meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' namespace_type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType' os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + $ref: 
'#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. + description: Field used in search to ensure all containers are sorted and returned correctly. type: string type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' updated_at: description: Autogenerated date of last object update. format: date-time 
@@ -47316,32 +118809,24 @@ components: - comment (string): Comments about the exception item. items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment' type: array Security_Endpoint_Exceptions_API_ExceptionListItemDescription: description: Describes the exception list. type: string Security_Endpoint_Exceptions_API_ExceptionListItemEntry: anyOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard' discriminator: propertyName: type Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray: items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry' type: array 
Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists: type: object @@ -47349,8 +118834,7 @@ components: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - exists @@ -47375,8 +118859,7 @@ components: - id - type operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - list @@ -47392,8 +118875,7 @@ components: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - match @@ -47411,16 +118893,14 @@ components: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - match_any type: string value: items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' minItems: 1 type: array required: @@ -47434,8 +118914,7 @@ components: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - wildcard 
@@ -47452,8 +118931,7 @@ components: properties: entries: items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem' minItems: 1 type: array field: @@ -47468,21 +118946,16 @@ components: - entries Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem: oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists' Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator: enum: - excluded - included type: string Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime: - description: >- - The exception item’s expiration date, in ISO format. This field is only - available for regular exception items, not endpoint exceptions. + description: The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions. format: date-time type: string Security_Endpoint_Exceptions_API_ExceptionListItemHumanId: 
@@ -47507,14 +118980,11 @@ components: type: string Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray: items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType' type: array Security_Endpoint_Exceptions_API_ExceptionListItemTags: items: - description: >- - String array containing words and phrases to help categorize exception - items. + description: String array containing words and phrases to help categorize exception items. format: nonempty minLength: 1 type: string @@ -47541,20 +119011,15 @@ components: Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray: description: Use this field to specify the operating system. Only enter one value. items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType' type: array Security_Endpoint_Exceptions_API_ExceptionListTags: - description: >- - String array containing words and phrases to help categorize exception - containers. + description: String array containing words and phrases to help categorize exception containers. items: type: string type: array Security_Endpoint_Exceptions_API_ExceptionListType: - description: >- - The type of exception list to be created. Different list types may - denote where they can be utilized. + description: The type of exception list to be created. Different list types may denote where they can be utilized. enum: - detection - rule_default 
@@ -47570,21 +119035,14 @@ components: minimum: 1 type: integer Security_Endpoint_Exceptions_API_ExceptionNamespaceType: - description: > - Determines whether the exception container is available in all Kibana - spaces or just the space - + description: | + Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where: - - `single`: Only available in the Kibana space in which it is created. - - `agnostic`: Available in all Kibana spaces. - - For endpoint artifacts, the `namespace_type` must always be `agnostic`. - Space awareness for endpoint artifacts is enforced based on Elastic - Defend policy assignments. + For endpoint artifacts, the `namespace_type` must always be `agnostic`. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments. enum: - agnostic - single @@ -47598,17 +119056,12 @@ components: minLength: 1 type: string Security_Endpoint_Exceptions_API_ListType: - description: > - Specifies the Elasticsearch data type of excludes the list container - holds. Some common examples: - + description: | + Specifies the Elasticsearch data type of excludes the list container holds. Some common examples: - `keyword`: Many ECS fields are Elasticsearch keywords - - `ip`: IP addresses - - - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR - notation) + - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) enum: - binary - boolean 
@@ -47671,8 +119124,7 @@ components: isolate: '#/components/schemas/Security_Endpoint_Management_API_Isolate' kill-process: '#/components/schemas/Security_Endpoint_Management_API_KillProcess' memory-dump: '#/components/schemas/Security_Endpoint_Management_API_MemoryDump' - running-processes: >- - #/components/schemas/Security_Endpoint_Management_API_RunningProcesses + running-processes: '#/components/schemas/Security_Endpoint_Management_API_RunningProcesses' runscript: '#/components/schemas/Security_Endpoint_Management_API_Runscript' scan: '#/components/schemas/Security_Endpoint_Management_API_Scan' suspend-process: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcess' @@ -47690,8 +119142,7 @@ components: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Isolate' - $ref: '#/components/schemas/Security_Endpoint_Management_API_Unisolate' - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcess' - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunningProcesses + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcesses' - $ref: '#/components/schemas/Security_Endpoint_Management_API_MemoryDump' Security_Endpoint_Management_API_ActionStateSuccessResponse: type: object @@ -47703,9 +119154,7 @@ components: type: object properties: canEncrypt: - description: >- - Whether the Kibana instance has encryption enabled for - response actions. + description: Whether the Kibana instance has encryption enabled for response actions. type: boolean required: - data 
@@ -47721,11 +119170,9 @@ components: type: object properties: agent_id: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_AgentId + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' pending_actions: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema' required: - agent_id - pending_actions @@ -47762,8 +119209,7 @@ components: type: string Security_Endpoint_Management_API_Cancel: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -47789,10 +119235,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -47803,9 +119246,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -47818,8 +119259,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: 
@@ -47889,10 +119329,8 @@ components: type: object properties: downloadUri: - description: > - The server relative URI to download the file associated with the - output of the response action. - + description: | + The server relative URI to download the file associated with the output of the response action. URI does **not** include the space prefix example: /api/endpoint/action/497f6eca-6276/file/35645-6276-4993/download format: uri-reference @@ -47920,9 +119358,7 @@ components: '@timestamp': '2023-07-04T15:48:57.3609346Z' agent: build: - original: >- - version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: - 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab + original: 'version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' id: abb8a826-6812-448c-a571-6d8269b51449 type: endpoint version: 7.16.0 @@ -48002,8 +119438,7 @@ components: properties: {} Security_Endpoint_Management_API_Execute: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -48012,8 +119447,7 @@ components: properties: content: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_DownloadUri + - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' - type: object properties: code: @@ -48051,10 +119485,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 
@@ -48065,9 +119496,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -48080,8 +119509,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -48096,9 +119524,7 @@ components: minLength: 1 type: string timeout: - description: >- - The maximum timeout value in seconds before the command is - terminated. + description: The maximum timeout value in seconds before the command is terminated. minimum: 1 type: integer required: @@ -48176,8 +119602,7 @@ components: data: description: The list of response actions. items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' type: array elasticAgentIds: description: The list of elastic agent IDs the query was filtered by. @@ -48211,8 +119636,7 @@ components: type: array Security_Endpoint_Management_API_GetFile: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -48221,8 +119645,7 @@ components: properties: content: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_DownloadUri + - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' - type: object properties: code: 
@@ -48257,10 +119680,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -48271,9 +119691,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -48286,8 +119704,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -48310,10 +119727,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be specified - here. The action will be logged in any cases associated with the - specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 
@@ -48376,8 +119790,7 @@ components: type: array Security_Endpoint_Management_API_Isolate: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - description: Details of an isolate action response. type: object Security_Endpoint_Management_API_IsolateRouteResponse: @@ -48387,12 +119800,10 @@ components: description: The action ID (legacy field, same as `data.id`). type: string data: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' Security_Endpoint_Management_API_KillProcess: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -48443,9 +119854,7 @@ components: - type: object properties: process_name: - description: >- - The name of the process to terminate. Valid for - SentinelOne agent type only. + description: The name of the process to terminate. Valid for SentinelOne agent type only. type: string Security_Endpoint_Management_API_KillProcessRouteRequestBody: allOf: @@ -48454,10 +119863,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 
@@ -48468,9 +119874,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -48483,8 +119887,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -48510,9 +119913,7 @@ components: - type: object properties: process_name: - description: >- - The name of the process to terminate. Valid for - SentinelOne agent type only. + description: The name of the process to terminate. Valid for SentinelOne agent type only. example: Elastic minLength: 1 type: string @@ -48523,9 +119924,7 @@ components: example: 'united.endpoint.host.os.name : ''Windows''' type: string Security_Endpoint_Management_API_MDERunScriptParameters: - description: >- - Parameters for Run Script response action against Microsoft Defender - Endpoint agent type. + description: Parameters for Run Script response action against Microsoft Defender Endpoint agent type. example: agent_type: microsoft_defender_endpoint endpoint_ids: @@ -48548,8 +119947,7 @@ components: type: object Security_Endpoint_Management_API_MemoryDump: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: 
@@ -48561,17 +119959,13 @@ components: code: type: string disk_free_space: - description: >- - The free space on the host machine in bytes after the - memory dump is written to disk + description: The free space on the host machine in bytes after the memory dump is written to disk type: number file_size: description: The size of the memory dump compressed file in bytes type: string path: - description: >- - The path to the memory dump compressed file on the - host machine + description: The path to the memory dump compressed file on the host machine type: string title: Memory dump output type: object @@ -48625,10 +120019,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -48639,9 +120030,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -48654,8 +120043,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: 
@@ -48708,9 +120096,7 @@ components: '@timestamp': '2023-07-04T15:47:57.432173535Z' agent: build: - original: >- - version: 7.16.0, compiled: Tue Nov 16 16:00:00 2021, branch: - 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab + original: 'version: 7.16.0, compiled: Tue Nov 16 16:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' id: 285297c6-3bff-4b83-9a07-f3e749801123 type: endpoint version: 7.16.0 @@ -48769,9 +120155,7 @@ components: variant: Ubuntu family: ubuntu full: Ubuntu 20.04.2 - kernel: >- - 5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 - UTC 2021 + kernel: '5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 UTC 2021' name: Linux platform: ubuntu type: linux @@ -48794,9 +120178,7 @@ components: '@timestamp': '2023-07-04T15:44:31.4917849Z' agent: build: - original: >- - version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: - 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab + original: 'version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' id: abb8a826-6812-448c-a571-6d8269b51449 type: endpoint version: 7.16.0 
@@ -48903,40 +120285,31 @@ components: - type: object properties: execute: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending execute actions. get-file: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending get-file actions. isolate: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending isolate actions. kill-process: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending kill-process actions. running-processes: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending running-processes (get processes) actions. scan: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending scan actions. suspend-process: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending suspend-process actions. unisolate: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending unisolate (release) actions. 
upload: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending upload actions. - additionalProperties: true type: object @@ -48944,9 +120317,7 @@ components: type: object properties: note: - description: >- - A note associated with the protection updates for the given package - policy. + description: A note associated with the protection updates for the given package policy. type: string Security_Endpoint_Management_API_RawScriptParameters: type: object @@ -48991,8 +120362,7 @@ components: type: object properties: data: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' Security_Endpoint_Management_API_ResponseActionDetails: type: object properties: @@ -49008,9 +120378,7 @@ components: type: object properties: completedAt: - description: >- - The date and time the response action was completed for the - agent ID + description: The date and time the response action was completed for the agent ID type: string isCompleted: description: Whether the response action is completed for the agent ID @@ -49018,9 +120386,7 @@ components: wasSuccessful: description: Whether the response action was successful for the agent ID type: boolean - description: >- - The state of the response action for each agent ID that it was sent - to + description: The state of the response action for each agent ID that it was sent to type: object agentType: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' 
@@ -49041,9 +120407,7 @@ components: name: description: The host name type: string - description: >- - An object containing the host names associated with the agent IDs - the response action was sent to + description: An object containing the host names associated with the agent IDs the response action was sent to type: object id: description: The response action ID @@ -49061,9 +120425,7 @@ components: format: uuid properties: content: - description: >- - The response action output content for the agent ID. Exact - format depends on the response action command. + description: The response action output content for the agent ID. Exact format depends on the response action command. oneOf: - type: object - type: string @@ -49077,17 +120439,12 @@ components: - content title: Agent ID type: object - description: > - The outputs of the response action for each agent ID that it was - sent to. Content different depending on the - - response action command and will only be present for agents that - have responded to the response action + description: | + The outputs of the response action for each agent ID that it was sent to. Content different depending on the + response action command and will only be present for agents that have responded to the response action type: object parameters: - description: >- - The parameters of the response action. Content different depending - on the response action command + description: The parameters of the response action. Content different depending on the response action command type: object startedAt: description: The response action start time @@ -49103,8 +120460,7 @@ components: - command Security_Endpoint_Management_API_RunningProcesses: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: 
@@ -49113,10 +120469,8 @@ components: properties: content: oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputEndpoint - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputEndpoint' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne' type: object Security_Endpoint_Management_API_RunningProcessesOutputEndpoint: description: Processes output for `agentType` of `endpoint` @@ -49147,8 +120501,7 @@ components: type: string Security_Endpoint_Management_API_Runscript: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -49157,8 +120510,7 @@ components: properties: content: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_DownloadUri + - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' - type: object properties: code: @@ -49170,12 +120522,9 @@ components: type: object parameters: oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunscriptParamsCrowdStrike - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunscriptParamsMicrosoft - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunscriptParamsSentinelOne + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsCrowdStrike' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsMicrosoft' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsSentinelOne' Security_Endpoint_Management_API_RunscriptParamsCrowdStrike: type: object properties: 
@@ -49210,10 +120559,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -49224,9 +120570,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -49239,8 +120583,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: 
@@ -49251,22 +120594,16 @@ components: description: | One of the following set of parameters must be provided oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RawScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_HostPathScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_CloudFileScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SentinelOneRunScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_MDERunScriptParameters + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RawScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_HostPathScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_CloudFileScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_SentinelOneRunScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_MDERunScriptParameters' required: - parameters Security_Endpoint_Management_API_Scan: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -49291,10 +120628,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 
@@ -49305,9 +120639,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -49320,8 +120652,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -49340,9 +120671,7 @@ components: required: - parameters Security_Endpoint_Management_API_SentinelOneRunScriptParameters: - description: >- - Parameters for Run Script response action against SentinelOne agent - type. + description: Parameters for Run Script response action against SentinelOne agent type. example: agent_type: sentinel_one endpoint_ids: @@ -49352,9 +120681,7 @@ components: scriptInput: '--delete --paths-to-delete /tmp/temp_file.txt,/tmp/random_file.txt' properties: scriptId: - description: >- - The script ID from SentinelOne scripts library that will be - executed. + description: The script ID from SentinelOne scripts library that will be executed. minLength: 1 type: string scriptInput: @@ -49395,8 +120722,7 @@ components: type: object Security_Endpoint_Management_API_SuspendProcess: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: 
@@ -49443,10 +120769,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -49457,9 +120780,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -49472,8 +120793,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -49516,8 +120836,7 @@ components: type: array Security_Endpoint_Management_API_Unisolate: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - description: Details of an unisolate action response. type: object Security_Endpoint_Management_API_UnisolateRouteResponse: 
@@ -49527,12 +120846,10 @@ components: description: The action ID (legacy field, same as `data.id`). type: string data: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' Security_Endpoint_Management_API_Upload: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -49550,10 +120867,8 @@ components: type: string type: object parameters: - description: > - The parameters for upload returned on the details are derived - via the API from the file that - + description: | + The parameters for upload returned on the details are derived via the API from the file that was uploaded at the time that the response action was submitted type: object properties: @@ -49572,10 +120887,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -49586,9 +120898,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 
@@ -49601,8 +120911,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -49640,9 +120949,7 @@ components: - minLength: 1 type: string Security_Endpoint_Management_API_WithOutputs: - description: >- - A list of action IDs that should include the complete output of the - action. Max of 50. + description: A list of action IDs that should include the complete output of the action. Max of 50. example: - action-id-1 - action-id-2 @@ -49664,8 +120971,7 @@ components: description: Business unit the asset belongs to. type: string criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' description: The criticality level assigned to this asset. nullable: true environment: @@ -49721,10 +121027,7 @@ components: - extreme_impact type: string Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload: - description: >- - The criticality level of the asset for bulk upload. The value - `unassigned` is used to indicate that the criticality level is not - assigned and is only used for bulk upload. + description: The criticality level of the asset for bulk upload. The value `unassigned` is used to indicate that the criticality level is not assigned and is only used for bulk upload. enum: - low_impact - medium_impact 
@@ -49734,10 +121037,8 @@ components: type: string Security_Entity_Analytics_API_AssetCriticalityRecord: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts + - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord' + - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts' - type: object properties: '@timestamp': @@ -49765,8 +121066,7 @@ components: type: object properties: criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - asset entity: @@ -49776,8 +121076,7 @@ components: type: object properties: criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality id: @@ -49791,8 +121090,7 @@ components: type: object properties: criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality name: @@ -49806,8 +121104,7 @@ components: type: object properties: criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality name: @@ -49821,8 +121118,7 @@ components: type: object properties: criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality name: 
@@ -49888,13 +121184,11 @@ components: - errors Security_Entity_Analytics_API_CreateAssetCriticalityRecord: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts + - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts' - type: object properties: criticality_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality_level Security_Entity_Analytics_API_DateRange: @@ -49905,17 +121199,13 @@ components: description: End of the lookback period (date math or ISO string, e.g. "now") type: string start: - description: >- - Start of the lookback period (date math or ISO string, e.g. - "now-10d") + description: Start of the lookback period (date math or ISO string, e.g. "now-10d") type: string required: - start - end Security_Entity_Analytics_API_EngineComponentResource: - description: >- - The type of Elasticsearch or Kibana resource backing an engine - component. + description: The type of Elasticsearch or Kibana resource backing an engine component. enum: - entity_engine - entity_definition @@ -49930,9 +121220,7 @@ components: - ilm_policy type: string Security_Entity_Analytics_API_EngineComponentStatus: - description: >- - Status of an individual Elasticsearch or Kibana resource backing an - engine. + description: Status of an individual Elasticsearch or Kibana resource backing an engine. type: object properties: errors: 
@@ -49963,10 +121251,9 @@ components: description: Whether the component is currently installed. type: boolean metadata: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Metadata' + $ref: '#/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata' resource: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineComponentResource + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentResource' required: - id - installed @@ -49990,23 +121277,17 @@ components: required: - type Security_Entity_Analytics_API_EngineDescriptor: - description: >- - Describes a single entity engine, including its configuration and - current status. + description: Describes a single entity engine, including its configuration and current status. type: object properties: delay: default: 1m - description: >- - The delay before the transform processes new data, allowing - late-arriving documents to be included. + description: The delay before the transform processes new data, allowing late-arriving documents to be included. example: 1m pattern: '[smdh]$' type: string docsPerSecond: - description: >- - Throttle value for the number of documents processed per second. Use - -1 for no throttle. + description: Throttle value for the number of documents processed per second. Use -1 for no throttle. type: integer error: description: Present when the engine status is `error`. Describes the failure. @@ -50028,9 +121309,7 @@ components: example: 10 type: integer filter: - description: >- - An optional Kibana Query Language (KQL) filter applied to source - documents before aggregation. + description: An optional Kibana Query Language (KQL) filter applied to source documents before aggregation. example: 'host.name: "my-host"' type: string frequency: 
@@ -50097,10 +121376,7 @@ components: required: - entities Security_Entity_Analytics_API_Entity: - description: >- - An entity record from the Entity Store. The `entity` namespace is a - root-level field in the latest index, unlike source logs where it is - nested under `host`, `user`, or `service`. + description: An entity record from the Entity Store. The `entity` namespace is a root-level field in the latest index, unlike source logs where it is nested under `host`, `user`, or `service`. oneOf: - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserEntity' - $ref: '#/components/schemas/Security_Entity_Analytics_API_HostEntity' 
@@ -50155,333 +121431,853 @@ components: - record Security_Entity_Analytics_API_EntityField: additionalProperties: false - description: >- - Core entity fields shared across all entity types. The `entity` - namespace is a root-level field in the Entity Store latest index. + description: Core entity fields shared across all entity types. The `entity` namespace is a root-level field in the Entity Store latest index. + type: object + properties: + attributes: + additionalProperties: false + description: Boolean flags describing characteristics of the entity. + type: object + properties: + asset: + description: Whether the entity is classified as an asset. + type: boolean + managed: + description: Whether the entity is managed (for example, via a directory service). + type: boolean + mfa_enabled: + description: Whether multi-factor authentication is enabled for the entity. + type: boolean + privileged: + description: Whether the entity has elevated privileges. + type: boolean + behaviors: + additionalProperties: false + description: Boolean flags indicating observed behavioral signals. + type: object + properties: + brute_force_victim: + description: Whether the entity has been targeted by brute-force attacks. + type: boolean + new_country_login: + description: Whether the entity has logged in from a new country. + type: boolean + used_usb_device: + description: Whether the entity has used a USB device. + type: boolean + EngineMetadata: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineMetadata' + id: + description: Unique identifier for this entity. + example: arn:aws:iam::123456789012:user/jane.doe + type: string + lifecycle: + additionalProperties: false + description: Timestamps tracking the entity lifecycle. + type: object + properties: + first_seen: + description: When the entity was first observed. + format: date-time + type: string + last_activity: + description: When the entity last generated activity. 
+ format: date-time + type: string + last_seen: + description: When the entity was last observed. + format: date-time + type: string + name: + description: Human-readable name of the entity. + example: jane.doe + type: string + relationships: + additionalProperties: false + description: Connections between this entity and other entities. + type: object + properties: + accessed_frequently_by: + description: Entity IDs that frequently access this entity. + items: + type: string + type: array + accesses_frequently: + description: Entity IDs this entity accesses frequently. + items: + type: string + type: array + accesses_infrequently: + description: Entity IDs this entity accesses infrequently. + items: + type: string + type: array + communicates_with: + description: Entity IDs this entity communicates with. + items: + type: string + type: array + dependent_of: + description: Entity IDs that depend on this entity. + items: + type: string + type: array + depends_on: + description: Entity IDs this entity depends on. + items: + type: string + type: array + owned_by: + description: Entity IDs that own this entity. + items: + type: string + type: array + owns: + description: Entity IDs owned by this entity. + items: + type: string + type: array + supervised_by: + description: Entity IDs that supervise this entity. + items: + type: string + type: array + supervises: + description: Entity IDs supervised by this entity. + items: + type: string + type: array + risk: + additionalProperties: false + description: Risk scoring information for the entity. + type: object + properties: + calculated_level: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels' + description: Lexical description of the entity's risk. + example: Critical + calculated_score: + description: The raw numeric value of the given entity's risk score. + format: double + type: number + calculated_score_norm: + description: The normalized numeric value of the given entity's risk score. 
Useful for comparing with other entities. + format: double + maximum: 100 + minimum: 0 + type: number + source: + description: The source that produced this entity record. + type: string + sub_type: + description: Optional sub-type classification for the entity. + type: string + type: + description: The entity type. + example: user + type: string + required: + - id + Security_Entity_Analytics_API_EntityRiskLevels: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + Security_Entity_Analytics_API_EntityRiskScoreRecord: + type: object + properties: + '@timestamp': + description: The time at which the risk score was calculated. + example: '2017-07-21T17:32:28Z' + format: date-time + type: string + calculated_level: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels' + description: Lexical description of the entity's risk. + example: Critical + calculated_score: + description: The raw numeric value of the given entity's risk score. + format: double + type: number + calculated_score_norm: + description: The normalized numeric value of the given entity's risk score. Useful for comparing with other entities. + format: double + maximum: 100 + minimum: 0 + type: number + calculation_run_id: + description: Unique identifier for the scoring run that produced this document. + type: string + category_1_count: + description: The number of risk input documents that contributed to the Category 1 score (`category_1_score`). + type: integer + category_1_score: + description: The contribution of Category 1 to the overall risk score (`calculated_score`). Category 1 contains Detection Engine Alerts. 
+ format: double + type: number + category_2_count: + type: integer + category_2_score: + format: double + type: number + criticality_level: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' + criticality_modifier: + format: double + type: number + id_field: + description: The identifier field defining this risk score. Coupled with `id_value`, uniquely identifies the entity being scored. + example: host.name + type: string + id_value: + description: The identifier value defining this risk score. Coupled with `id_field`, uniquely identifies the entity being scored. + example: example.host + type: string + inputs: + description: A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskScoreInput' + type: array + modifiers: + description: A list of modifiers that were applied to the risk score calculation. + items: + type: object + properties: + contribution: + format: double + type: number + metadata: + additionalProperties: true + type: object + modifier_value: + format: double + type: number + subtype: + type: string + type: + type: string + required: + - type + - contribution + type: array + notes: + items: + type: string + type: array + related_entities: + items: + type: object + properties: + entity_id: + type: string + relationship_type: + type: string + type: array + score_type: + description: Distinguishes base, propagated, and resolution scores. + enum: + - base + - propagated + - resolution + type: string + required: + - '@timestamp' + - id_field + - id_value + - calculated_level + - calculated_score + - calculated_score_norm + - category_1_score + - category_1_count + - inputs + - notes + Security_Entity_Analytics_API_EntitySourceType: + enum: + - index + - entity_analytics_integration + - store + type: string + Security_Entity_Analytics_API_EntityType: + description: The type of entity. 
+ enum: + - user + - host + - service + - generic + type: string + Security_Entity_Analytics_API_Filter: + type: object + properties: + kuery: + oneOf: + - type: string + - type: object + Security_Entity_Analytics_API_GenericEntity: + additionalProperties: false + description: A generic entity record. Maps only the `entity` and `asset` namespaces. Add additional field mappings here as needed. + type: object + properties: + '@timestamp': + description: The time the entity record was last updated. + format: date-time + type: string + asset: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' + additionalProperties: false + entity: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' + required: + - entity + Security_Entity_Analytics_API_HostEntity: + additionalProperties: false + description: An entity record representing a host, stored in the Entity Store latest index. + type: object + properties: + '@timestamp': + description: The time the entity record was last updated. + format: date-time + type: string + asset: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' + additionalProperties: false + entity: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' + event: + additionalProperties: false + type: object + properties: + ingested: + description: When the event was ingested into Elasticsearch. + format: date-time + type: string + host: + additionalProperties: false + description: Elastic Common Schema (ECS) host fields collected on the entity. + type: object + properties: + architecture: + description: Observed CPU architectures. + items: + type: string + type: array + domain: + description: Observed host domains. + items: + type: string + type: array + entity: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' + hostname: + description: Observed hostnames. + items: + type: string + type: array + id: + description: Observed host IDs. 
+ items: + type: string + type: array + ip: + description: Observed IP addresses. + items: + type: string + type: array + mac: + description: Observed MAC addresses. + items: + type: string + type: array + name: + description: Primary host name. + type: string + os: + additionalProperties: false + description: Elastic Common Schema (ECS) host.os fields collected on the entity latest index. + type: object + properties: + family: + type: string + full: + type: string + kernel: + type: string + name: + oneOf: + - type: string + - items: + type: string + type: array + platform: + type: string + type: + oneOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' + type: + description: Observed host types. + items: + type: string + type: array + required: + - name + required: + - entity + Security_Entity_Analytics_API_IdField: + enum: + - host.name + - user.name + - service.name + - entity.id + type: string + Security_Entity_Analytics_API_IndexPattern: + description: An additional Elasticsearch index pattern to include as a source for entity data. Merged with the default data view indices when the engine runs. + example: logs-* + type: string + Security_Entity_Analytics_API_InspectQuery: + description: Debug information about the Elasticsearch query executed. + type: object + properties: + dsl: + description: Elasticsearch query DSL that was executed. + items: + type: string + type: array + response: + description: Raw Elasticsearch responses. + items: + type: string + type: array + required: + - dsl + - response + Security_Entity_Analytics_API_Integrations: type: object properties: - attributes: - additionalProperties: false - description: Boolean flags describing characteristics of the entity. - type: object - properties: - asset: - description: Whether the entity is classified as an asset. 
- type: boolean - managed: - description: >- - Whether the entity is managed (for example, via a directory - service). - type: boolean - mfa_enabled: - description: Whether multi-factor authentication is enabled for the entity. - type: boolean - privileged: - description: Whether the entity has elevated privileges. - type: boolean - behaviors: - additionalProperties: false - description: Boolean flags indicating observed behavioral signals. - type: object - properties: - brute_force_victim: - description: Whether the entity has been targeted by brute-force attacks. - type: boolean - new_country_login: - description: Whether the entity has logged in from a new country. - type: boolean - used_usb_device: - description: Whether the entity has used a USB device. - type: boolean - EngineMetadata: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineMetadata' - id: - description: Unique identifier for this entity. - example: arn:aws:iam::123456789012:user/jane.doe - type: string - lifecycle: - additionalProperties: false - description: Timestamps tracking the entity lifecycle. + syncData: + description: integrations latest full sync and update syncData type: object properties: - first_seen: - description: When the entity was first observed. - format: date-time - type: string - last_activity: - description: When the entity last generated activity. + lastFullSync: + description: Timestamp of the last full sync from integrations format: date-time type: string - last_seen: - description: When the entity was last observed. + lastUpdateProcessed: + description: Timestamp of the last update processed from integrations format: date-time type: string - name: - description: Human-readable name of the entity. - example: jane.doe + syncMarkerIndex: + description: Index to read latest sync markers from type: string - relationships: - additionalProperties: false - description: Connections between this entity and other entities. 
- type: object - properties: - accessed_frequently_by: - description: Entity IDs that frequently access this entity. - items: - type: string - type: array - accesses_frequently: - description: Entity IDs this entity accesses frequently. - items: - type: string - type: array - accesses_infrequently: - description: Entity IDs this entity accesses infrequently. - items: - type: string - type: array - communicates_with: - description: Entity IDs this entity communicates with. - items: - type: string - type: array - dependent_of: - description: Entity IDs that depend on this entity. - items: + Security_Entity_Analytics_API_Interval: + description: Interval in which enrich policy runs. For example, `"1h"` means the rule runs every hour. Must be less than or equal to half the duration of the lookback period, + example: 1h + pattern: ^[1-9]\d*[smh]$ + type: string + Security_Entity_Analytics_API_Matcher: + type: object + properties: + fields: + items: + type: string + type: array + values: + description: | + Matcher values. Must be either an array of strings (e.g. group or role names) or an array of booleans (e.g. integration-derived flags like privileged_group_member). Mixed types are intentionally not supported for simplicity and predictability. + oneOf: + - items: type: string type: array - depends_on: - description: Entity IDs this entity depends on. - items: - type: string + - items: + type: boolean type: array - owned_by: - description: Entity IDs that own this entity. 
+ required: + - fields + - values + Security_Entity_Analytics_API_Metadata: + $ref: '#/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata' + Security_Entity_Analytics_API_MonitoredUserDoc: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc' + - type: object + properties: + '@timestamp': + format: date-time + type: string + event: + type: object + properties: + '@timestamp': + format: date-time + type: string + ingested: + format: date-time + type: string + user: + type: object + properties: + entity: + type: object + properties: + attributes: + type: object + properties: + Privileged: + description: Indicates if the user is privileged. + type: boolean + is_privileged: + description: Indicates if the user is privileged. + type: boolean + name: + type: string + Security_Entity_Analytics_API_MonitoredUserUpdateDoc: + type: object + properties: + entity_analytics_monitoring: + type: object + properties: + labels: items: - type: string + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringLabel' type: array - owns: - description: Entity IDs owned by this entity. + id: + type: string + labels: + type: object + properties: + source_ids: items: type: string type: array - supervised_by: - description: Entity IDs that supervise this entity. + source_integrations: items: type: string type: array - supervises: - description: Entity IDs supervised by this entity. + sources: items: - type: string + enum: + - csv + - index_sync + - api type: array - risk: - additionalProperties: false - description: Risk scoring information for the entity. + user: type: object properties: - calculated_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels - description: Lexical description of the entity's risk. - example: Critical - calculated_score: - description: The raw numeric value of the given entity's risk score. 
- format: double - type: number - calculated_score_norm: - description: >- - The normalized numeric value of the given entity's risk score. - Useful for comparing with other entities. - format: double - maximum: 100 - minimum: 0 - type: number - source: - description: The source that produced this entity record. + is_privileged: + description: Indicates if the user is privileged. + type: boolean + name: + type: string + Security_Entity_Analytics_API_MonitoringEngineDescriptor: + type: object + properties: + error: + type: object + properties: + message: + description: Error message typically only present if the engine is in error state + type: string + status: + $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus' + required: + - status + Security_Entity_Analytics_API_MonitoringEntitySource: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySourceProperties' + - type: object + properties: + id: + type: string + required: + - type + - name + - id + - managed + Security_Entity_Analytics_API_MonitoringEntitySourceProperties: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties' + - type: object + properties: + managed: + type: boolean + Security_Entity_Analytics_API_MonitoringLabel: + type: object + properties: + field: type: string - sub_type: - description: Optional sub-type classification for the entity. + source: type: string - type: - description: The entity type. 
- example: user + value: type: string required: - - id - Security_Entity_Analytics_API_EntityRiskLevels: + - field + - value + - source + Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus: + description: The status of the Privilege Monitoring Engine enum: - - Unknown - - Low - - Moderate - - High - - Critical + - started + - error + - disabled + - not_installed type: string - Security_Entity_Analytics_API_EntityRiskScoreRecord: + Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem: type: object properties: - '@timestamp': - description: The time at which the risk score was calculated. - example: '2017-07-21T17:32:28Z' - format: date-time + index: + nullable: true + type: integer + message: type: string - calculated_level: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels' - description: Lexical description of the entity's risk. - example: Critical - calculated_score: - description: The raw numeric value of the given entity's risk score. - format: double - type: number - calculated_score_norm: - description: >- - The normalized numeric value of the given entity's risk score. - Useful for comparing with other entities. - format: double - maximum: 100 - minimum: 0 - type: number - calculation_run_id: - description: Unique identifier for the scoring run that produced this document. + username: + nullable: true type: string - category_1_count: - description: >- - The number of risk input documents that contributed to the Category - 1 score (`category_1_score`). + required: + - message + - index + - username + Security_Entity_Analytics_API_PrivmonUserCsvUploadStats: + type: object + properties: + failedOperations: type: integer - category_1_score: - description: >- - The contribution of Category 1 to the overall risk score - (`calculated_score`). Category 1 contains Detection Engine Alerts. 
- format: double - type: number - category_2_count: + successfulOperations: type: integer - category_2_score: + totalOperations: + type: integer + uploaded: + type: integer + required: + - successfulOperations + - uploaded + - failedOperations + - totalOperations + Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse: + type: object + properties: + full_error: + type: string + message: + type: string + required: + - message + - full_error + Security_Entity_Analytics_API_RiskEngineScheduleNowResponse: + type: object + properties: + success: + type: boolean + Security_Entity_Analytics_API_RiskScoreInput: + description: A generic representation of a document contributing to a Risk Score. + type: object + properties: + category: + description: The risk category of the risk input document. + example: category_1 + type: string + contribution_score: format: double type: number - criticality_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel - criticality_modifier: + description: + description: A human-readable description of the risk input document. + example: 'Generated from Detection Engine Rule: Malware Prevention Alert' + type: string + entity_id: + description: The EUID of the entity within the graph that generated this alert. + type: string + id: + description: The unique identifier (`_id`) of the original source document + example: 91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c + type: string + index: + description: The unique index (`_index`) of the original source document + example: .internal.alerts-security.alerts-default-000001 + type: string + risk_score: + description: The weighted risk score of the risk input document. format: double + maximum: 100 + minimum: 0 type: number - id_field: - description: >- - The identifier field defining this risk score. Coupled with - `id_value`, uniquely identifies the entity being scored. 
- example: host.name + timestamp: + description: The @timestamp of the risk input document. + example: '2017-07-21T17:32:28Z' type: string - id_value: - description: >- - The identifier value defining this risk score. Coupled with - `id_field`, uniquely identifies the entity being scored. - example: example.host + required: + - id + - index + - description + - category + Security_Entity_Analytics_API_ServiceEntity: + additionalProperties: false + description: An entity record representing a service, stored in the Entity Store latest index. + type: object + properties: + '@timestamp': + description: The time the entity record was last updated. + format: date-time type: string - inputs: - description: >- - A list of the highest-risk documents contributing to this risk - score. Useful for investigative purposes. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskScoreInput' - type: array - modifiers: - description: A list of modifiers that were applied to the risk score calculation. - items: - type: object - properties: - contribution: - format: double - type: number - metadata: - additionalProperties: true - type: object - modifier_value: - format: double - type: number - subtype: - type: string - type: - type: string - required: - - type - - contribution - type: array - notes: - items: - type: string - type: array - related_entities: - items: - type: object - properties: - entity_id: - type: string - relationship_type: - type: string - type: array - score_type: - description: Distinguishes base, propagated, and resolution scores. - enum: - - base - - propagated - - resolution + asset: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' + additionalProperties: false + entity: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' + event: + additionalProperties: false + type: object + properties: + ingested: + description: When the event was ingested into Elasticsearch. 
+ format: date-time + type: string + service: + additionalProperties: false + description: Elastic Common Schema (ECS) service fields collected on the entity. + type: object + properties: + entity: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' + name: + description: Primary service name. + type: string + risk: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' + required: + - name + required: + - entity + Security_Entity_Analytics_API_StoreStatus: + description: The overall operational status of the Entity Store. + enum: + - not_installed + - installing + - running + - stopped + - error + type: string + Security_Entity_Analytics_API_TaskManagerUnavailableResponse: + description: Task manager is unavailable + type: object + properties: + message: type: string + status_code: + minimum: 400 + type: integer + required: + - status_code + - message + Security_Entity_Analytics_API_TransformStatsMetadata: + description: Statistics from the underlying Elasticsearch transform. + type: object + properties: + delete_time_in_ms: + description: Total time spent deleting documents, in milliseconds. + type: integer + documents_deleted: + description: Total number of documents deleted from the destination index. + type: integer + documents_indexed: + description: Total number of documents written to the destination index. + type: integer + documents_processed: + description: Total number of source documents processed. + type: integer + exponential_avg_checkpoint_duration_ms: + description: Exponential moving average of checkpoint duration, in milliseconds. + type: integer + exponential_avg_documents_indexed: + description: Exponential moving average of documents indexed per checkpoint. + type: integer + exponential_avg_documents_processed: + description: Exponential moving average of documents processed per checkpoint. + type: integer + index_failures: + description: Total number of failed index operations. 
+ type: integer + index_time_in_ms: + description: Total time spent indexing documents, in milliseconds. + type: integer + index_total: + description: Total number of index operations. + type: integer + pages_processed: + description: Number of composite aggregation pages processed. + type: integer + processing_time_in_ms: + description: Total time spent processing results, in milliseconds. + type: integer + processing_total: + description: Total number of processing operations. + type: integer + search_failures: + description: Total number of failed search operations. + type: integer + search_time_in_ms: + description: Total time spent on search queries, in milliseconds. + type: integer + search_total: + description: Total number of search operations. + type: integer + trigger_count: + description: Number of times the transform has been triggered. + type: integer required: - - '@timestamp' - - id_field - - id_value - - calculated_level - - calculated_score - - calculated_score_norm - - category_1_score - - category_1_count - - inputs - - notes - Security_Entity_Analytics_API_EntitySourceType: - enum: - - index - - entity_analytics_integration - - store - type: string - Security_Entity_Analytics_API_EntityType: - description: The type of entity. - enum: - - user - - host - - service - - generic - type: string - Security_Entity_Analytics_API_Filter: - type: object - properties: - kuery: - oneOf: - - type: string - - type: object - Security_Entity_Analytics_API_GenericEntity: - additionalProperties: false - description: >- - A generic entity record. Maps only the `entity` and `asset` namespaces. - Add additional field mappings here as needed. 
+ - pages_processed + - documents_processed + - documents_indexed + - trigger_count + - index_time_in_ms + - index_total + - index_failures + - search_time_in_ms + - search_total + - search_failures + - processing_time_in_ms + - processing_total + - exponential_avg_checkpoint_duration_ms + - exponential_avg_documents_indexed + - exponential_avg_documents_processed + Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties: type: object properties: - '@timestamp': - description: The time the entity record was last updated. - format: date-time + enabled: + type: boolean + filter: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Filter' + identifierField: + description: Field used to query the entity store for index-type sources type: string - asset: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' - additionalProperties: false - entity: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' - required: - - entity - Security_Entity_Analytics_API_HostEntity: + indexPattern: + type: string + integrationName: + type: string + integrations: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Integrations' + matchers: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Matcher' + type: array + name: + type: string + queryRule: + description: KQL query used to filter data from the provided index patterns + type: string + range: + $ref: '#/components/schemas/Security_Entity_Analytics_API_DateRange' + type: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitySourceType' + Security_Entity_Analytics_API_UserEntity: additionalProperties: false - description: >- - An entity record representing a host, stored in the Entity Store latest - index. + description: An entity record representing a user, stored in the Entity Store latest index. type: object properties: '@timestamp': 
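Review bot: `additionalProperties: false` is written as a sibling of `$ref` under `asset` in Security_Entity_Analytics_API_GenericEntity, HostEntity and ServiceEntity in this hunk (and under `risk` in UserEntity in the next hunk, `@@ -50501`); if this bundle is OpenAPI 3.0.x, sibling keys of `$ref` are ignored, so the closed-object constraint never reaches validators or generated clients and the schema is looser than it reads. Since this is generated output, the fix belongs in the source `*.schema.yaml` the bundler consumes — either drop the ineffective sibling or express it as `allOf: [ { $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' }, { additionalProperties: false } ]` so the constraint is actually applied. Separately, the `Security_Entity_Analytics_API_Interval` description ends with a comma instead of a period, and several `Security_Entity_Analytics_API_EntityRiskScoreRecord` properties (`category_2_count`, `category_2_score`, `criticality_modifier`, `notes`, `related_entities`) still carry no `description`, which the commit title says it set out to add.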
@@ -50501,80 +122297,44 @@ components: description: When the event was ingested into Elasticsearch. format: date-time type: string - host: + user: additionalProperties: false - description: Elastic Common Schema (ECS) host fields collected on the entity. + description: Elastic Common Schema (ECS) user fields collected on the entity. type: object properties: - architecture: - description: Observed CPU architectures. - items: - type: string - type: array domain: - description: Observed host domains. + description: Observed user domains. items: type: string type: array - entity: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' - hostname: - description: Observed hostnames. + email: + description: Observed email addresses. items: type: string type: array - id: - description: Observed host IDs. + full_name: + description: Observed full names of the user. items: type: string type: array - ip: - description: Observed IP addresses. + hash: + description: Observed user hashes. items: type: string type: array - mac: - description: Observed MAC addresses. + id: + description: Observed user IDs. items: type: string type: array name: - description: Primary host name. + description: Primary user name. type: string - os: - additionalProperties: false - description: >- - Elastic Common Schema (ECS) host.os fields collected on the - entity latest index. - type: object - properties: - family: - type: string - full: - type: string - kernel: - type: string - name: - oneOf: - - type: string - - items: - type: string - type: array - platform: - type: string - type: - oneOf: - - type: string - - items: - type: string - type: array - version: - type: string risk: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord - type: - description: Observed host types. + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' + additionalProperties: false + roles: + description: Observed roles assigned to the user. 
items: type: string type: array 
@@ -50582,746 +122342,1274 @@ components: - name required: - entity - Security_Entity_Analytics_API_IdField: - enum: - - host.name - - user.name - - service.name - - entity.id - type: string - Security_Entity_Analytics_API_IndexPattern: - description: >- - An additional Elasticsearch index pattern to include as a source for - entity data. Merged with the default data view indices when the engine - runs. - example: logs-* - type: string - Security_Entity_Analytics_API_InspectQuery: - description: Debug information about the Elasticsearch query executed. + Security_Entity_Analytics_API_UserName: type: object properties: - dsl: - description: Elasticsearch query DSL that was executed. + entity_analytics_monitoring: + description: Entity analytics monitoring configuration for the user + type: object + properties: + labels: + description: Array of labels associated with the user + items: + type: object + properties: + field: + description: The field name for the label + type: string + source: + description: The source where this label was created (api, csv, or index_sync) + enum: + - api + - csv + - index_sync + type: string + value: + description: The value of the label + type: string + type: array + user: + type: object + properties: + name: + description: The name of the user. 
+ type: string + Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem: + example: + matchedEntities: 1 + status: success + type: object + properties: + error: + description: Error message if the row failed to process + example: Invalid entity type + type: string + matchedEntities: + description: Number of entities matched for this row + example: 1 + type: integer + status: + enum: + - success + - failure + - unmatched + example: success + type: string + required: + - status + - matchedEntities + Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem: + example: + euid: user:john.doe + status: success + type: object + properties: + error: + description: Error message if the entity failed to process + example: Invalid entity type + type: string + euid: + description: The EUID of the entity + example: user:john.doe + type: string + status: + enum: + - success + - failure + - not_found + example: success + type: string + required: + - euid + - status + Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem: + example: + euid: user:john.doe + status: success + type: object + properties: + error: + description: Error message if the entity failed to process + example: Invalid entity type + type: string + euid: + description: The EUID of the entity + example: user:john.doe + type: string + status: + enum: + - success + - failure + - not_found + example: success + type: string + required: + - euid + - status + Security_Entity_Analytics_API_WatchlistObject: + example: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + type: object + properties: + createdAt: + description: Timestamp indicating when the watchlist was created + format: date-time + type: string + description: + description: Description of the watchlist + type: string + entityCount: + description: Number of entities in the watchlist 
+ type: number + entitySourceIds: + description: List of entity source IDs associated with the watchlist items: type: string type: array - response: - description: Raw Elasticsearch responses. + id: + description: The unique ID of the watchlist + type: string + managed: + description: Indicates if the watchlist is managed by the system + type: boolean + name: + description: The name of the watchlist + type: string + riskModifier: + description: Risk score modifier associated with the watchlist + type: number + updatedAt: + description: Timestamp indicating when the watchlist was last updated + format: date-time + type: string + required: + - name + - riskModifier + - managed + Security_Exceptions_API_BlocklistHashOrPathEntry: + type: object + properties: + field: + description: File hash or path field + enum: + - file.hash.md5 + - file.hash.sha1 + - file.hash.sha256 + - file.path + - file.path.caseless + type: string + operator: + description: Must be the value "included" + enum: + - included + type: string + type: + description: Must be match_any for blocklists + enum: + - match_any + type: string + value: + description: Array of hash values or file paths items: type: string + minItems: 1 type: array required: - - dsl - - response - Security_Entity_Analytics_API_Integrations: + - field + - type + - value + - operator + Security_Exceptions_API_BlocklistLinuxProperties: + description: Blocklist list item properties (Linux, code signature not supported). 
type: object properties: - syncData: - description: integrations latest full sync and update syncData - type: object - properties: - lastFullSync: - description: Timestamp of the last full sync from integrations - format: date-time - type: string - lastUpdateProcessed: - description: Timestamp of the last update processed from integrations - format: date-time - type: string - syncMarkerIndex: - description: Index to read latest sync markers from + entries: + description: | + **Validation rules:** + * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) + * Path entry: only 1 allowed + items: + $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry' + minItems: 1 + type: array + list_id: + enum: + - endpoint_blocklists + example: endpoint_blocklists type: string - Security_Entity_Analytics_API_Interval: - description: >- - Interval in which enrich policy runs. For example, `"1h"` means the rule - runs every hour. Must be less than or equal to half the duration of the - lookback period, - example: 1h - pattern: ^[1-9]\d*[smh]$ - type: string - Security_Entity_Analytics_API_Matcher: + os_types: + description: Linux-only + items: + enum: + - linux + type: string + maxItems: 1 + minItems: 1 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_BlocklistMacProperties: + description: Blocklist list item properties (macOS, code signature not supported). 
type: object properties: - fields: + entries: + description: | + **Validation rules:** + * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) + * Path entry: only 1 allowed + items: + $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry' + minItems: 1 + type: array + list_id: + enum: + - endpoint_blocklists + example: endpoint_blocklists + type: string + os_types: + description: macOS-only items: + enum: + - macos type: string + maxItems: 1 + minItems: 1 type: array - values: - description: > - Matcher values. Must be either an array of strings (e.g. group or - role names) or an array of booleans (e.g. integration-derived flags - like privileged_group_member). Mixed types are intentionally not - supported for simplicity and predictability. - oneOf: - - items: + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry: + type: object + properties: + entries: + description: Nested subject_name entries + items: + type: object + properties: + field: + description: Certificate subject name + enum: + - subject_name type: string - type: array - - items: - type: boolean - type: array + operator: + description: Must be the value "included" + enum: + - included + type: string + type: + description: Match type for subject name + enum: + - match + - match_any + type: string + value: + oneOf: + - description: Single subject name (used with match) + type: string + - description: Array of subject names (used with match_any) + items: + type: string + minItems: 1 + type: array + required: + - field + - type + - value + - operator + minItems: 1 + type: array + field: + description: Windows code signature field + enum: + - file.Ext.code_signature + type: string + type: + description: Must be nested for Windows code signature + enum: + - nested + type: string required: - - fields - - values - Security_Entity_Analytics_API_Metadata: - 
$ref: >- - #/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata - Security_Entity_Analytics_API_MonitoredUserDoc: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc - - type: object - properties: - '@timestamp': - format: date-time - type: string - event: - type: object - properties: - '@timestamp': - format: date-time - type: string - ingested: - format: date-time - type: string - user: - type: object - properties: - entity: - type: object - properties: - attributes: - type: object - properties: - Privileged: - description: Indicates if the user is privileged. - type: boolean - is_privileged: - description: Indicates if the user is privileged. - type: boolean - name: - type: string - Security_Entity_Analytics_API_MonitoredUserUpdateDoc: + - field + - type + - entries + Security_Exceptions_API_BlocklistWindowsProperties: + description: Blocklist list item properties (Windows, supports code signature). type: object properties: - entity_analytics_monitoring: - type: object - properties: - labels: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringLabel - type: array - id: + entries: + description: | + **Validation rules:** + * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) + * Path entry: only 1 allowed + * Code signature entry: only 1 allowed + items: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry' + minItems: 1 + type: array + list_id: + enum: + - endpoint_blocklists + example: endpoint_blocklists type: string - labels: - type: object - properties: - source_ids: - items: - type: string - type: array - source_integrations: - items: - type: string - type: array - sources: - items: - enum: - - csv - - index_sync - - api - type: array - user: - type: object - properties: - is_privileged: - description: Indicates if the 
user is privileged. - type: boolean - name: - type: string - Security_Entity_Analytics_API_MonitoringEngineDescriptor: + os_types: + description: Windows-only + items: + enum: + - windows + type: string + maxItems: 1 + minItems: 1 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_CreateExceptionListItemBase: type: object properties: - error: - type: object - properties: - message: - description: >- - Error message typically only present if the engine is in error - state - type: string - status: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus + comments: + $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray' + default: [] + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' + expire_time: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' + item_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' required: - - status - Security_Entity_Analytics_API_MonitoringEntitySource: + - type + - name + - description + Security_Exceptions_API_CreateExceptionListItemBlocklistLinux: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySourceProperties - - type: object + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties' + Security_Exceptions_API_CreateExceptionListItemBlocklistMac: + 
allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties' + Security_Exceptions_API_CreateExceptionListItemBlocklistWindows: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties' + Security_Exceptions_API_CreateExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + required: + - comment + Security_Exceptions_API_CreateExceptionListItemCommentArray: + items: + $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment' + type: array + Security_Exceptions_API_CreateExceptionListItemEndpointList: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties' + Security_Exceptions_API_CreateExceptionListItemEventFilters: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties' + Security_Exceptions_API_CreateExceptionListItemGeneric: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - example: + description: This is a sample detection type exception item. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple + type: object properties: - id: - type: string + entries: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + os_types: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' + default: [] required: - - type - - name - - id - - managed - Security_Entity_Analytics_API_MonitoringEntitySourceProperties: + - list_id + - entries + Security_Exceptions_API_CreateExceptionListItemHostIsolation: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties - - type: object - properties: - managed: - type: boolean - Security_Entity_Analytics_API_MonitoringLabel: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties' + Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties' + Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties' + Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows: + allOf: + - $ref: 
'#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties' + Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties' + Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties' + Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties' + Security_Exceptions_API_CreateRuleExceptionListItemComment: type: object properties: - field: - type: string - source: - type: string - value: - type: string + comment: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' required: - - field - - value - - source - Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus: - description: The status of the Privilege Monitoring Engine - enum: - - started - - error - - disabled - - not_installed - type: string - Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem: + - comment + Security_Exceptions_API_CreateRuleExceptionListItemCommentArray: + items: + $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment' + type: array + Security_Exceptions_API_CreateRuleExceptionListItemProps: type: object properties: - index: - nullable: true - type: integer - message: - type: string - username: - nullable: true + comments: + $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray' + default: [] + description: + $ref: 
'#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' + entries: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' + expire_time: + format: date-time type: string + item_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + os_types: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' + default: [] + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' required: - - message - - index - - username - Security_Entity_Analytics_API_PrivmonUserCsvUploadStats: + - type + - name + - description + - entries + Security_Exceptions_API_EndpointArtifactTags: + default: [] + description: | + Tags for categorization. Special tags for scope control: + * `"policy:all"` - Global artifact (applies to all Elastic Defend policies) + * `"policy:"` - Private artifact (applies to specific Elastic Defend policy only, where `` is the Elastic Defend integration policy ID) + items: + type: string + type: array + Security_Exceptions_API_EndpointListProperties: + description: Elastic Endpoint exception list item properties. type: object properties: - failedOperations: - type: integer - successfulOperations: - type: integer - totalOperations: - type: integer - uploaded: - type: integer + entries: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' + description: | + Exception entries for endpoint security exceptions (used to prevent detection rule alerts). 
+ + **Fully flexible:** Supports any field name for maximum compatibility with detection rules. No field restrictions are enforced. + list_id: + enum: + - endpoint_list + example: endpoint_list + type: string + os_types: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - - successfulOperations - - uploaded - - failedOperations - - totalOperations - Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse: + - list_id + Security_Exceptions_API_EventFiltersProperties: + description: Event filters list item properties. type: object properties: - full_error: - type: string - message: + entries: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' + description: | + Exception entries for the event filter. + + **Flexible field support:** Any event field name is allowed (e.g., `process.name`, `file.path`, `event.action`, `dns.question.name`, etc.) + + **Minimum requirement:** At least 1 entry required + list_id: + enum: + - endpoint_event_filters + example: endpoint_event_filters type: string + os_types: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - - message - - full_error - Security_Entity_Analytics_API_RiskEngineScheduleNowResponse: + - list_id + Security_Exceptions_API_ExceptionList: type: object properties: - success: + _version: + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. + type: string + created_at: + description: Autogenerated date of object creation. + format: date-time + type: string + created_by: + description: Autogenerated value - user that created object. 
+ type: string + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' + id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + immutable: type: boolean - Security_Entity_Analytics_API_RiskScoreInput: - description: A generic representation of a document contributing to a Risk Score. + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + os_types: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' + tie_breaker_id: + description: Field used in search to ensure all containers are sorted and returned correctly. + type: string + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' + updated_at: + description: Autogenerated date of last object update. + format: date-time + type: string + updated_by: + description: Autogenerated value - user that last updated object. + type: string + version: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' + required: + - id + - list_id + - type + - name + - description + - immutable + - namespace_type + - version + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Exceptions_API_ExceptionListDescription: + description: Describes the exception list. + example: This list tracks allowlisted values. + type: string + Security_Exceptions_API_ExceptionListHumanId: + description: | + The exception list's human-readable string identifier. 
+ + For endpoint artifacts, use one of the following values: + + * `endpoint_list`: [Elastic Endpoint exception list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) + * `endpoint_trusted_apps`: [Trusted applications list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) + * `endpoint_trusted_devices`: [Trusted devices list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) + * `endpoint_event_filters`: [Event filters list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) + * `endpoint_host_isolation_exceptions`: [Host isolation exceptions list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) + * `endpoint_blocklists`: [Blocklists list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) + example: simple_list + format: nonempty + minLength: 1 + type: string + Security_Exceptions_API_ExceptionListId: + description: Exception list's identifier. + example: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + format: nonempty + minLength: 1 + type: string + Security_Exceptions_API_ExceptionListItem: type: object properties: - category: - description: The risk category of the risk input document. - example: category_1 + _version: + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string - contribution_score: - format: double - type: number - description: - description: A human-readable description of the risk input document. - example: 'Generated from Detection Engine Rule: Malware Prevention Alert' + comments: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray' + created_at: + description: Autogenerated date of object creation. 
+ format: date-time type: string - entity_id: - description: The EUID of the entity within the graph that generated this alert. + created_by: + description: Autogenerated value - user that created object. type: string + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' + entries: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' + expire_time: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' id: - description: The unique identifier (`_id`) of the original source document - example: 91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + item_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + os_types: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' + tie_breaker_id: + description: Field used in search to ensure all containers are sorted and returned correctly. type: string - index: - description: The unique index (`_index`) of the original source document - example: .internal.alerts-security.alerts-default-000001 + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' + updated_at: + description: Autogenerated date of last object update. + format: date-time type: string - risk_score: - description: The weighted risk score of the risk input document. 
- format: double - maximum: 100 - minimum: 0 - type: number - timestamp: - description: The @timestamp of the risk input document. - example: '2017-07-21T17:32:28Z' + updated_by: + description: Autogenerated value - user that last updated object. type: string required: - id - - index + - item_id + - list_id + - type + - name - description - - category - Security_Entity_Analytics_API_ServiceEntity: - additionalProperties: false - description: >- - An entity record representing a service, stored in the Entity Store - latest index. + - entries + - namespace_type + - comments + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Exceptions_API_ExceptionListItemComment: type: object properties: - '@timestamp': - description: The time the entity record was last updated. + comment: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + created_at: + description: Autogenerated date of object creation. format: date-time type: string - asset: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' - additionalProperties: false - entity: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' - event: - additionalProperties: false - type: object - properties: - ingested: - description: When the event was ingested into Elasticsearch. - format: date-time - type: string - service: - additionalProperties: false - description: Elastic Common Schema (ECS) service fields collected on the entity. + created_by: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + id: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + updated_at: + description: Autogenerated date of last object update. 
+ format: date-time + type: string + updated_by: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + required: + - id + - comment + - created_at + - created_by + Security_Exceptions_API_ExceptionListItemCommentArray: + description: | + Array of comment fields: + + - comment (string): Comments about the exception item. + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemComment' + type: array + Security_Exceptions_API_ExceptionListItemDescription: + description: Describes the exception list. + type: string + Security_Exceptions_API_ExceptionListItemEntry: + anyOf: + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard' + discriminator: + propertyName: type + Security_Exceptions_API_ExceptionListItemEntryArray: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntry' + type: array + Security_Exceptions_API_ExceptionListItemEntryExists: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + operator: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' + type: + enum: + - exists + type: string + required: + - type + - field + - operator + Security_Exceptions_API_ExceptionListItemEntryList: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + list: type: object properties: - entity: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' - name: - description: Primary service 
name. - type: string - risk: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord + id: + $ref: '#/components/schemas/Security_Exceptions_API_ListId' + type: + $ref: '#/components/schemas/Security_Exceptions_API_ListType' required: - - name + - id + - type + operator: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' + type: + enum: + - list + type: string required: - - entity - Security_Entity_Analytics_API_StoreStatus: - description: The overall operational status of the Entity Store. - enum: - - not_installed - - installing - - running - - stopped - - error - type: string - Security_Entity_Analytics_API_TaskManagerUnavailableResponse: - description: Task manager is unavailable + - type + - field + - list + - operator + Security_Exceptions_API_ExceptionListItemEntryMatch: type: object properties: - message: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + operator: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' + type: + enum: + - match type: string - status_code: - minimum: 400 - type: integer + value: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' required: - - status_code - - message - Security_Entity_Analytics_API_TransformStatsMetadata: - description: Statistics from the underlying Elasticsearch transform. + - type + - field + - value + - operator + Security_Exceptions_API_ExceptionListItemEntryMatchAny: type: object properties: - delete_time_in_ms: - description: Total time spent deleting documents, in milliseconds. - type: integer - documents_deleted: - description: Total number of documents deleted from the destination index. - type: integer - documents_indexed: - description: Total number of documents written to the destination index. - type: integer - documents_processed: - description: Total number of source documents processed. 
- type: integer - exponential_avg_checkpoint_duration_ms: - description: Exponential moving average of checkpoint duration, in milliseconds. - type: integer - exponential_avg_documents_indexed: - description: Exponential moving average of documents indexed per checkpoint. - type: integer - exponential_avg_documents_processed: - description: Exponential moving average of documents processed per checkpoint. - type: integer - index_failures: - description: Total number of failed index operations. - type: integer - index_time_in_ms: - description: Total time spent indexing documents, in milliseconds. - type: integer - index_total: - description: Total number of index operations. - type: integer - pages_processed: - description: Number of composite aggregation pages processed. - type: integer - processing_time_in_ms: - description: Total time spent processing results, in milliseconds. - type: integer - processing_total: - description: Total number of processing operations. - type: integer - search_failures: - description: Total number of failed search operations. - type: integer - search_time_in_ms: - description: Total time spent on search queries, in milliseconds. - type: integer - search_total: - description: Total number of search operations. - type: integer - trigger_count: - description: Number of times the transform has been triggered. 
- type: integer + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + operator: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' + type: + enum: + - match_any + type: string + value: + items: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + minItems: 1 + type: array required: - - pages_processed - - documents_processed - - documents_indexed - - trigger_count - - index_time_in_ms - - index_total - - index_failures - - search_time_in_ms - - search_total - - search_failures - - processing_time_in_ms - - processing_total - - exponential_avg_checkpoint_duration_ms - - exponential_avg_documents_indexed - - exponential_avg_documents_processed - Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties: + - type + - field + - value + - operator + Security_Exceptions_API_ExceptionListItemEntryMatchWildcard: type: object properties: - enabled: - type: boolean - filter: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Filter' - identifierField: - description: Field used to query the entity store for index-type sources - type: string - indexPattern: - type: string - integrationName: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + operator: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' + type: + enum: + - wildcard type: string - integrations: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Integrations' - matchers: + value: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + required: + - type + - field + - value + - operator + Security_Exceptions_API_ExceptionListItemEntryNested: + type: object + properties: + entries: items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Matcher' + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem' + minItems: 1 type: array - name: - type: string - queryRule: - description: 
KQL query used to filter data from the provided index patterns - type: string - range: - $ref: '#/components/schemas/Security_Entity_Analytics_API_DateRange' + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' type: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitySourceType' - Security_Entity_Analytics_API_UserEntity: - additionalProperties: false - description: >- - An entity record representing a user, stored in the Entity Store latest - index. + enum: + - nested + type: string + required: + - type + - field + - entries + Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists' + Security_Exceptions_API_ExceptionListItemEntryOperator: + enum: + - excluded + - included + type: string + Security_Exceptions_API_ExceptionListItemExpireTime: + description: The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions. + format: date-time + type: string + Security_Exceptions_API_ExceptionListItemHumanId: + description: Human readable string identifier, e.g. `trusted-linux-processes` + example: simple_list_item + format: nonempty + minLength: 1 + type: string + Security_Exceptions_API_ExceptionListItemId: + description: Exception's identifier. + example: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + format: nonempty + minLength: 1 + type: string + Security_Exceptions_API_ExceptionListItemMeta: + additionalProperties: true + type: object + Security_Exceptions_API_ExceptionListItemName: + description: Exception list name. 
+ format: nonempty + minLength: 1 + type: string + Security_Exceptions_API_ExceptionListItemOsTypeArray: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' + type: array + Security_Exceptions_API_ExceptionListItemTags: + items: + description: String array containing words and phrases to help categorize exception items. + format: nonempty + minLength: 1 + type: string + type: array + Security_Exceptions_API_ExceptionListItemType: + enum: + - simple + type: string + Security_Exceptions_API_ExceptionListMeta: + additionalProperties: true + description: Placeholder for metadata about the list container. + type: object + Security_Exceptions_API_ExceptionListName: + description: The name of the exception list. + example: My exception list + type: string + Security_Exceptions_API_ExceptionListOsType: + description: Use this field to specify the operating system. + enum: + - linux + - macos + - windows + type: string + Security_Exceptions_API_ExceptionListOsTypeArray: + description: Use this field to specify the operating system. Only enter one value. + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' + type: array + Security_Exceptions_API_ExceptionListsImportBulkError: type: object properties: - '@timestamp': - description: The time the entity record was last updated. - format: date-time - type: string - asset: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset' - additionalProperties: false - entity: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField' - event: - additionalProperties: false + error: type: object properties: - ingested: - description: When the event was ingested into Elasticsearch. - format: date-time + message: type: string - user: - additionalProperties: false - description: Elastic Common Schema (ECS) user fields collected on the entity. - type: object - properties: - domain: - description: Observed user domains. 
- items: - type: string - type: array - email: - description: Observed email addresses. - items: - type: string - type: array - full_name: - description: Observed full names of the user. - items: + status_code: + type: integer + required: + - status_code + - message + id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + item_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + required: + - error + Security_Exceptions_API_ExceptionListsImportBulkErrorArray: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError' + type: array + Security_Exceptions_API_ExceptionListTags: + description: String array containing words and phrases to help categorize exception containers. + items: + type: string + type: array + Security_Exceptions_API_ExceptionListType: + description: The type of exception list to be created. Different list types may denote where they can be utilized. + enum: + - detection + - rule_default + - endpoint + - endpoint_trusted_apps + - endpoint_trusted_devices + - endpoint_events + - endpoint_host_isolation_exceptions + - endpoint_blocklists + type: string + Security_Exceptions_API_ExceptionListVersion: + description: The document version, automatically increasd on updates. + minimum: 1 + type: integer + Security_Exceptions_API_ExceptionNamespaceType: + description: | + Determines whether the exception container is available in all Kibana spaces or just the space + in which it is created, where: + + - `single`: Only available in the Kibana space in which it is created. + - `agnostic`: Available in all Kibana spaces. + + For endpoint artifacts, the `namespace_type` must always be `agnostic`. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments. 
+ enum: + - agnostic + - single + type: string + Security_Exceptions_API_FindExceptionListItemsFilter: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + Security_Exceptions_API_FindExceptionListsFilter: + example: exception-list.attributes.name:%Detection%20List + type: string + Security_Exceptions_API_HostIsolationProperties: + description: Host isolation exceptions list item properties. + type: object + properties: + entries: + description: Exactly one entry allowed for host isolation exceptions + items: + type: object + properties: + field: + description: Must be destination.ip + enum: + - destination.ip type: string - type: array - hash: - description: Observed user hashes. - items: + operator: + description: Must be the value "included" + enum: + - included type: string - type: array - id: - description: Observed user IDs. - items: + type: + description: Must be match + enum: + - match type: string - type: array - name: - description: Primary user name. - type: string - risk: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord - additionalProperties: false - roles: - description: Observed roles assigned to the user. 
- items: + value: + description: Valid IPv4 address or CIDR notation (e.g., "192.168.1.1" or "10.0.0.0/8") type: string - type: array - required: - - name + required: + - field + - type + - value + - operator + maxItems: 1 + minItems: 1 + type: array + list_id: + enum: + - endpoint_host_isolation_exceptions + example: endpoint_host_isolation_exceptions + type: string + os_types: + description: Must include all three operating systems (windows, linux, macos) + items: + enum: + - windows + - linux + - macos + type: string + maxItems: 3 + minItems: 3 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - - entity - Security_Entity_Analytics_API_UserName: - type: object - properties: - entity_analytics_monitoring: - description: Entity analytics monitoring configuration for the user - type: object - properties: - labels: - description: Array of labels associated with the user - items: - type: object - properties: - field: - description: The field name for the label - type: string - source: - description: >- - The source where this label was created (api, csv, or - index_sync) - enum: - - api - - csv - - index_sync - type: string - value: - description: The value of the label - type: string - type: array - user: - type: object - properties: - name: - description: The name of the user. - type: string - Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem: - example: - matchedEntities: 1 - status: success + - list_id + Security_Exceptions_API_ListId: + description: Value list's identifier. + example: 21b01cfb-058d-44b9-838c-282be16c91cd + format: nonempty + minLength: 1 + type: string + Security_Exceptions_API_ListType: + description: | + Specifies the Elasticsearch data type of excludes the list container holds. 
Some common examples: + + - `keyword`: Many ECS fields are Elasticsearch keywords + - `ip`: IP addresses + - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) + enum: + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text + type: string + Security_Exceptions_API_NonEmptyString: + description: A string that does not contain only whitespace characters + format: nonempty + minLength: 1 + type: string + Security_Exceptions_API_PlatformErrorResponse: type: object properties: error: - description: Error message if the row failed to process - example: Invalid entity type type: string - matchedEntities: - description: Number of entities matched for this row - example: 1 - type: integer - status: - enum: - - success - - failure - - unmatched - example: success + message: type: string + statusCode: + type: integer required: - - status - - matchedEntities - Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem: - example: - euid: user:john.doe - status: success + - statusCode + - error + - message + Security_Exceptions_API_RuleId: + $ref: '#/components/schemas/Security_Exceptions_API_UUID' + Security_Exceptions_API_SiemErrorResponse: type: object properties: - error: - description: Error message if the entity failed to process - example: Invalid entity type - type: string - euid: - description: The EUID of the entity - example: user:john.doe - type: string - status: - enum: - - success - - failure - - not_found - example: success + message: type: string + status_code: + type: integer required: - - euid - - status - Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem: - example: - euid: user:john.doe - status: success + - status_code + - message + Security_Exceptions_API_TrustedAppHashEntry: type: object 
properties: - error: - description: Error message if the entity failed to process - example: Invalid entity type + field: + description: Process hash field + enum: + - process.hash.md5 + - process.hash.sha1 + - process.hash.sha256 type: string - euid: - description: The EUID of the entity - example: user:john.doe + operator: + enum: + - included type: string - status: + type: + description: Hash entries only support match type enum: - - success - - failure - - not_found - example: success + - match + type: string + value: + description: Hash value (MD5, SHA1, or SHA256) type: string required: - - euid - - status - Security_Entity_Analytics_API_WatchlistObject: - example: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' + - field + - type + - value + - operator + Security_Exceptions_API_TrustedAppMacCodeSignatureEntry: type: object properties: - createdAt: - description: Timestamp indicating when the watchlist was created - format: date-time - type: string - description: - description: Description of the watchlist - type: string - entityCount: - description: Number of entities in the watchlist - type: number - entitySourceIds: - description: List of entity source IDs associated with the watchlist + entries: + description: Must include exactly 2 entries - one for subject_name and one for trusted items: - type: string + oneOf: + - type: object + properties: + field: + enum: + - subject_name + type: string + operator: + enum: + - included + type: string + type: + enum: + - match + type: string + value: + description: Certificate subject name + type: string + required: + - field + - type + - value + - operator + - type: object + properties: + field: + enum: + - trusted + type: string + operator: + enum: + - included + type: string + type: + enum: + - match + type: string + value: + description: Must be the string 
'true' + enum: + - 'true' + type: string + required: + - field + - type + - value + - operator + maxItems: 2 + minItems: 2 type: array - id: - description: The unique ID of the watchlist - type: string - managed: - description: Indicates if the watchlist is managed by the system - type: boolean - name: - description: The name of the watchlist + field: + description: macOS code signature field + enum: + - process.code_signature type: string - riskModifier: - description: Risk score modifier associated with the watchlist - type: number - updatedAt: - description: Timestamp indicating when the watchlist was last updated - format: date-time + type: + enum: + - nested type: string required: - - name - - riskModifier - - managed - Security_Exceptions_API_BlocklistHashOrPathEntry: + - field + - type + - entries + Security_Exceptions_API_TrustedAppPathEntry: type: object properties: field: - description: File hash or path field + description: Process executable path field enum: - - file.hash.md5 - - file.hash.sha1 - - file.hash.sha256 - - file.path - - file.path.caseless + - process.executable.caseless type: string operator: - description: Must be the value "included" enum: - included type: string type: - description: Must be match_any for blocklists + description: Path supports both match and wildcard types enum: - - match_any + - match + - wildcard type: string value: - description: Array of hash values or file paths - items: - type: string - minItems: 1 - type: array + description: Executable path + type: string required: - field - type - value - operator - Security_Exceptions_API_BlocklistLinuxProperties: - description: Blocklist list item properties (Linux, code signature not supported). + Security_Exceptions_API_TrustedAppsLinuxProperties: + description: Trusted applications list item properties (Linux). 
type: object properties: entries: - description: | - **Validation rules:** - * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) - * Path entry: only 1 allowed + description: Process hash or executable path entries (code signature not supported on Linux) items: - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry' minItems: 1 type: array list_id: enum: - - endpoint_blocklists - example: endpoint_blocklists + - endpoint_trusted_apps + example: endpoint_trusted_apps type: string os_types: - description: Linux-only + description: Must be Linux only items: enum: - linux 
@@ -51333,27 +123621,26 @@ components: $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - list_id - Security_Exceptions_API_BlocklistMacProperties: - description: Blocklist list item properties (macOS, code signature not supported). + Security_Exceptions_API_TrustedAppsMacProperties: + description: Trusted applications list item properties (macOS). type: object properties: entries: - description: | - **Validation rules:** - * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) - * Path entry: only 1 allowed + description: Process hash, executable path, or code signature entries items: - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppMacCodeSignatureEntry' minItems: 1 type: array list_id: enum: - - endpoint_blocklists - example: endpoint_blocklists + - endpoint_trusted_apps + example: endpoint_trusted_apps type: string os_types: - description: macOS-only + description: Must be macOS only items: enum: - macos 
@@ -51365,18 +123652,125 @@ components: $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - list_id - Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry: + Security_Exceptions_API_TrustedAppsWindowsProperties: + description: Trusted applications list item properties (Windows). type: object properties: entries: - description: Nested subject_name entries + description: Process hash, executable path, or code signature entries + items: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry' + minItems: 1 + type: array + list_id: + enum: + - endpoint_trusted_apps + example: endpoint_trusted_apps + type: string + os_types: + description: Must be Windows only + items: + enum: + - windows + type: string + maxItems: 1 + minItems: 1 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry: + type: object + properties: + entries: + description: Must include exactly 2 entries - one for subject_name and one for trusted + items: + oneOf: + - type: object + properties: + field: + enum: + - subject_name + type: string + operator: + enum: + - included + type: string + type: + enum: + - match + type: string + value: + description: Certificate subject name + type: string + required: + - field + - type + - value + - operator + - type: object + properties: + field: + enum: + - trusted + type: string + operator: + enum: + - included + type: string + type: + enum: + - match + type: string + value: + description: Must be the string 'true' + enum: + - 'true' + type: string + required: + - field + - type + - value + - operator + maxItems: 2 + minItems: 2 + type: array + field: + description: Windows code signature field + enum: 
+ - process.Ext.code_signature + type: string + type: + enum: + - nested + type: string + required: + - field + - type + - entries + Security_Exceptions_API_TrustedDevicesMacProperties: + description: Trusted devices list item properties (macOS-only, username not supported). + type: object + properties: + entries: + description: Exception entries for the trusted device (duplicate field entries are not allowed) items: type: object properties: field: - description: Certificate subject name + description: Device field to match against enum: - - subject_name + - device.serial_number + - device.type + - host.name + - device.vendor.name + - device.vendor.id + - device.product.id + - device.product.name type: string operator: description: Must be the value "included" @@ -51384,16 +123778,17 @@ components: - included type: string type: - description: Match type for subject name + description: Entry match type enum: - match + - wildcard - match_any type: string value: oneOf: - - description: Single subject name (used with match) + - description: Single value (used with match or wildcard) type: string - - description: Array of subject names (used with match_any) + - description: Array of values (used with match_any) items: type: string minItems: 1 
@@ -51405,45 +123800,147 @@ components: - operator minItems: 1 type: array - field: - description: Windows code signature field + list_id: enum: - - file.Ext.code_signature + - endpoint_trusted_devices + example: endpoint_trusted_devices type: string - type: - description: Must be nested for Windows code signature + os_types: + description: macOS-only + items: + enum: + - macos + type: string + maxItems: 1 + minItems: 1 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_TrustedDevicesWindowsMacProperties: + description: Trusted devices list item properties (Windows + macOS, username not supported). + type: object + properties: + entries: + description: Exception entries for the trusted device (duplicate field entries are not allowed, username not available when targeting both OS) + items: + type: object + properties: + field: + description: Device field to match against (username not available for multi-OS) + enum: + - device.serial_number + - device.type + - host.name + - device.vendor.name + - device.vendor.id + - device.product.id + - device.product.name + type: string + operator: + description: Must be the value "included" + enum: + - included + type: string + type: + description: Entry match type + enum: + - match + - wildcard + - match_any + type: string + value: + oneOf: + - description: Single value (used with match or wildcard) + type: string + - description: Array of values (used with match_any) + items: + type: string + minItems: 1 + type: array + required: + - field + - type + - value + - operator + minItems: 1 + type: array + list_id: enum: - - nested + - endpoint_trusted_devices + example: endpoint_trusted_devices type: string + os_types: + description: Must include both Windows and macOS (username field not allowed) + items: + enum: + - windows + - macos + type: string + maxItems: 2 + minItems: 2 + type: array + tags: + $ref: 
'#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - - field - - type - - entries - Security_Exceptions_API_BlocklistWindowsProperties: - description: Blocklist list item properties (Windows, supports code signature). + - list_id + Security_Exceptions_API_TrustedDevicesWindowsProperties: + description: Trusted devices list item properties (Windows-only, allows username field). type: object properties: entries: - description: | - **Validation rules:** - * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) - * Path entry: only 1 allowed - * Code signature entry: only 1 allowed + description: Exception entries for the trusted device (duplicate field entries are not allowed) items: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry + type: object + properties: + field: + description: Device field to match against (user.name is Windows-only) + enum: + - device.serial_number + - device.type + - host.name + - device.vendor.name + - device.vendor.id + - device.product.id + - device.product.name + - user.name + type: string + operator: + description: Must be the value "included" + enum: + - included + type: string + type: + description: Entry match type + enum: + - match + - wildcard + - match_any + type: string + value: + oneOf: + - description: Single value (used with match or wildcard) + type: string + - description: Array of values (used with match_any) + items: + type: string + minItems: 1 + type: array + required: + - field + - type + - value + - operator minItems: 1 type: array list_id: enum: - - endpoint_blocklists - example: endpoint_blocklists + - endpoint_trusted_devices + example: endpoint_trusted_devices type: string os_types: - description: Windows-only + description: Must be Windows-only to allow username field items: enum: - windows 
@@ -51455,22 +123952,25 @@ components: $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - list_id - Security_Exceptions_API_CreateExceptionListItemBase: + Security_Exceptions_API_UpdateExceptionListItemBase: type: object properties: + _version: + description: The version ID, normally returned by the API when the item is retrieved. Use it to ensure updates are made against the latest version. + type: string comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray + $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray' default: [] description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' expire_time: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' + id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + description: Either `id` or `item_id` must be specified item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' + description: Either `id` or `item_id` must be specified meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' name: 
@@ -51484,839 +123984,322 @@ components: - type - name - description - Security_Exceptions_API_CreateExceptionListItemBlocklistLinux: + Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties - Security_Exceptions_API_CreateExceptionListItemBlocklistMac: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties' + Security_Exceptions_API_UpdateExceptionListItemBlocklistMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties' - Security_Exceptions_API_CreateExceptionListItemBlocklistWindows: + Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties - Security_Exceptions_API_CreateExceptionListItemComment: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties' + Security_Exceptions_API_UpdateExceptionListItemComment: type: object properties: comment: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + id: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' required: - comment - Security_Exceptions_API_CreateExceptionListItemCommentArray: + Security_Exceptions_API_UpdateExceptionListItemCommentArray: items: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment + $ref: 
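Review bot: In `Security_Exceptions_API_UpdateExceptionListItemBase`, the `description` ("Either id or item_id must be specified") added on both `id` and `item_id` sits beside a `$ref`; under OpenAPI 3.0 sibling keys next to `$ref` are ignored, so the sentence may never reach the rendered docs, and which OAS version this bundle declares is not visible in this chunk. The either/or rule is also stated only in prose: the schema's `required` list (`type`, `name`, `description`) does not enforce it, so a body with neither identifier validates against the published contract while the server presumably rejects it. Consider encoding it at schema level with `anyOf: [{required: [id]}, {required: [item_id]}]`, and if the text must stay on the property, wrap the reference as `allOf: [{$ref: '...ExceptionListItemId'}]` with `description` alongside it. If this bundle is regenerated from the source schemas, the change belongs in the source file rather than here.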
'#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment' type: array - Security_Exceptions_API_CreateExceptionListItemEndpointList: + Security_Exceptions_API_UpdateExceptionListItemEndpointList: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties' - Security_Exceptions_API_CreateExceptionListItemEventFilters: + Security_Exceptions_API_UpdateExceptionListItemEventFilters: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties' - Security_Exceptions_API_CreateExceptionListItemGeneric: + Security_Exceptions_API_UpdateExceptionListItemGeneric: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - example: - description: This is a sample detection type exception item. 
+ comments: [] + description: Updated description entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - field: host.name operator: included - type: match_any - value: - - saturn - - jupiter + type: match + value: rock01 item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item + name: Updated name namespace_type: single - os_types: - - linux - tags: - - malware + tags: [] type: simple type: object properties: entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemTags - default: [] + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' required: - - list_id - entries - Security_Exceptions_API_CreateExceptionListItemHostIsolation: + Security_Exceptions_API_UpdateExceptionListItemHostIsolation: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties' - Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux: + Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties - Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac: + - $ref: 
'#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties' + Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties - Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties' + Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties - Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties' + Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties - Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties' + Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties - Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac: + - $ref: 
'#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties' + Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties - Security_Exceptions_API_CreateRuleExceptionListItemComment: - type: object - properties: - comment: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - comment - Security_Exceptions_API_CreateRuleExceptionListItemCommentArray: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment - type: array - Security_Exceptions_API_CreateRuleExceptionListItemProps: - type: object - properties: - comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - expire_time: - format: date-time - type: string - item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' - default: [] - type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' - required: - - type - - name - - description - - 
entries - Security_Exceptions_API_EndpointArtifactTags: - default: [] - description: > - Tags for categorization. Special tags for scope control: - - * `"policy:all"` - Global artifact (applies to all Elastic Defend - policies) - - * `"policy:"` - Private artifact (applies to specific Elastic - Defend policy only, where `` is the Elastic Defend - integration policy ID) - items: - type: string - type: array - Security_Exceptions_API_EndpointListProperties: - description: Elastic Endpoint exception list item properties. - type: object - properties: - entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - description: > - Exception entries for endpoint security exceptions (used to prevent - detection rule alerts). - - - **Fully flexible:** Supports any field name for maximum - compatibility with detection rules. No field restrictions are - enforced. - list_id: - enum: - - endpoint_list - example: endpoint_list - type: string - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_EventFiltersProperties: - description: Event filters list item properties. - type: object - properties: - entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - description: > - Exception entries for the event filter. - - - **Flexible field support:** Any event field name is allowed (e.g., - `process.name`, `file.path`, `event.action`, `dns.question.name`, - etc.) 
- - - **Minimum requirement:** At least 1 entry required - list_id: - enum: - - endpoint_event_filters - example: endpoint_event_filters - type: string - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_ExceptionList: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties' + Security_Exceptions_API_UUID: + description: A universally unique identifier + format: uuid + type: string + Security_Lists_API_FindListItemsCursor: + description: Returns the items that come after the last item returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all items are sorted and returned correctly. + example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d + format: nonempty + minLength: 1 + type: string + Security_Lists_API_FindListItemsFilter: + example: value:127.0.0.1 + type: string + Security_Lists_API_FindListsCursor: + example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d + format: nonempty + minLength: 1 + type: string + Security_Lists_API_FindListsFilter: + example: value:127.0.0.1 + type: string + Security_Lists_API_List: type: object properties: _version: - description: >- - The version id, normally returned by the API when the item was - retrieved. Use it ensure updates are done against the latest - version. + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + '@timestamp': + example: '2025-01-08T04:47:34.273Z' + format: date-time type: string created_at: description: Autogenerated date of object creation. 
+ example: '2025-01-08T04:47:34.273Z' format: date-time type: string created_by: description: Autogenerated value - user that created object. + example: elastic type: string description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription + $ref: '#/components/schemas/Security_Lists_API_ListDescription' id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + $ref: '#/components/schemas/Security_Lists_API_ListId' immutable: type: boolean - list_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray - tags: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' + $ref: '#/components/schemas/Security_Lists_API_ListName' tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. + description: Field used in search to ensure all containers are sorted and returned correctly. + example: f5508188-b1e9-4e6e-9662-d039a7d89899 type: string type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' + $ref: '#/components/schemas/Security_Lists_API_ListType' updated_at: description: Autogenerated date of last object update. + example: '2025-01-08T04:47:34.273Z' format: date-time type: string updated_by: description: Autogenerated value - user that last updated object. 
+ example: elastic type: string version: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' + $ref: '#/components/schemas/Security_Lists_API_ListVersion' required: - id - - list_id - type - name - description - immutable - - namespace_type - version - tie_breaker_id - created_at - created_by - updated_at - updated_by - Security_Exceptions_API_ExceptionListDescription: - description: Describes the exception list. - example: This list tracks allowlisted values. - type: string - Security_Exceptions_API_ExceptionListHumanId: - description: > - The exception list's human-readable string identifier. - - - For endpoint artifacts, use one of the following values: - - - * `endpoint_list`: [Elastic Endpoint exception - list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) - - * `endpoint_trusted_apps`: [Trusted applications - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) - - * `endpoint_trusted_devices`: [Trusted devices - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) - - * `endpoint_event_filters`: [Event filters - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) - - * `endpoint_host_isolation_exceptions`: [Host isolation exceptions - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) - - * `endpoint_blocklists`: [Blocklists - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) - example: simple_list + Security_Lists_API_ListDescription: + description: Describes the value list. format: nonempty minLength: 1 type: string - Security_Exceptions_API_ExceptionListId: - description: Exception list's identifier. - example: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + Security_Lists_API_ListId: + description: Value list's identifier. 
+ example: 21b01cfb-058d-44b9-838c-282be16c91cd format: nonempty minLength: 1 type: string - Security_Exceptions_API_ExceptionListItem: + Security_Lists_API_ListItem: type: object properties: _version: - description: >- - The version id, normally returned by the API when the item was - retrieved. Use it ensure updates are done against the latest - version. + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + '@timestamp': + example: '2025-01-08T04:47:34.273Z' + format: date-time type: string - comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray created_at: description: Autogenerated date of object creation. + example: '2025-01-08T04:47:34.273Z' format: date-time type: string created_by: description: Autogenerated value - user that created object. + example: elastic type: string - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - expire_time: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + $ref: '#/components/schemas/Security_Lists_API_ListItemId' list_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + $ref: '#/components/schemas/Security_Lists_API_ListId' meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray - tags: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' - tie_breaker_id: - 
description: >- - Field used in search to ensure all containers are sorted and - returned correctly. - type: string - type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' - updated_at: - description: Autogenerated date of last object update. - format: date-time - type: string - updated_by: - description: Autogenerated value - user that last updated object. - type: string - required: - - id - - item_id - - list_id - - type - - name - - description - - entries - - namespace_type - - comments - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Exceptions_API_ExceptionListItemComment: - type: object - properties: - comment: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - created_at: - description: Autogenerated date of object creation. - format: date-time - type: string - created_by: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - id: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - updated_at: - description: Autogenerated date of last object update. - format: date-time - type: string - updated_by: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - id - - comment - - created_at - - created_by - Security_Exceptions_API_ExceptionListItemCommentArray: - description: | - Array of comment fields: - - - comment (string): Comments about the exception item. - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemComment' - type: array - Security_Exceptions_API_ExceptionListItemDescription: - description: Describes the exception list. 
- type: string - Security_Exceptions_API_ExceptionListItemEntry: - anyOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard - discriminator: - propertyName: type - Security_Exceptions_API_ExceptionListItemEntryArray: - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntry' - type: array - Security_Exceptions_API_ExceptionListItemEntryExists: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - exists - type: string - required: - - type - - field - - operator - Security_Exceptions_API_ExceptionListItemEntryList: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - list: - type: object - properties: - id: - $ref: '#/components/schemas/Security_Exceptions_API_ListId' - type: - $ref: '#/components/schemas/Security_Exceptions_API_ListType' - required: - - id - - type - operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - list - type: string - required: - - type - - field - - list - - operator - Security_Exceptions_API_ExceptionListItemEntryMatch: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: 
- - match - type: string - value: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - type - - field - - value - - operator - Security_Exceptions_API_ExceptionListItemEntryMatchAny: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - match_any - type: string - value: - items: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - minItems: 1 - type: array - required: - - type - - field - - value - - operator - Security_Exceptions_API_ExceptionListItemEntryMatchWildcard: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - wildcard - type: string - value: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - type - - field - - value - - operator - Security_Exceptions_API_ExceptionListItemEntryNested: - type: object - properties: - entries: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem - minItems: 1 - type: array - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - type: - enum: - - nested - type: string - required: - - type - - field - - entries - Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists - Security_Exceptions_API_ExceptionListItemEntryOperator: - enum: - - excluded - - included - type: string - Security_Exceptions_API_ExceptionListItemExpireTime: - 
description: >- - The exception item’s expiration date, in ISO format. This field is only - available for regular exception items, not endpoint exceptions. - format: date-time - type: string - Security_Exceptions_API_ExceptionListItemHumanId: - description: Human readable string identifier, e.g. `trusted-linux-processes` - example: simple_list_item - format: nonempty - minLength: 1 - type: string - Security_Exceptions_API_ExceptionListItemId: - description: Exception's identifier. - example: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - format: nonempty - minLength: 1 - type: string - Security_Exceptions_API_ExceptionListItemMeta: - additionalProperties: true - type: object - Security_Exceptions_API_ExceptionListItemName: - description: Exception list name. - format: nonempty - minLength: 1 - type: string - Security_Exceptions_API_ExceptionListItemOsTypeArray: - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' - type: array - Security_Exceptions_API_ExceptionListItemTags: - items: - description: >- - String array containing words and phrases to help categorize exception - items. - format: nonempty - minLength: 1 - type: string - type: array - Security_Exceptions_API_ExceptionListItemType: - enum: - - simple - type: string - Security_Exceptions_API_ExceptionListMeta: - additionalProperties: true - description: Placeholder for metadata about the list container. - type: object - Security_Exceptions_API_ExceptionListName: - description: The name of the exception list. - example: My exception list - type: string - Security_Exceptions_API_ExceptionListOsType: - description: Use this field to specify the operating system. - enum: - - linux - - macos - - windows - type: string - Security_Exceptions_API_ExceptionListOsTypeArray: - description: Use this field to specify the operating system. Only enter one value. 
- items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' - type: array - Security_Exceptions_API_ExceptionListsImportBulkError: - type: object - properties: - error: - type: object - properties: - message: - type: string - status_code: - type: integer - required: - - status_code - - message - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - list_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - required: - - error - Security_Exceptions_API_ExceptionListsImportBulkErrorArray: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError - type: array - Security_Exceptions_API_ExceptionListTags: - description: >- - String array containing words and phrases to help categorize exception - containers. - items: - type: string - type: array - Security_Exceptions_API_ExceptionListType: - description: >- - The type of exception list to be created. Different list types may - denote where they can be utilized. - enum: - - detection - - rule_default - - endpoint - - endpoint_trusted_apps - - endpoint_trusted_devices - - endpoint_events - - endpoint_host_isolation_exceptions - - endpoint_blocklists - type: string - Security_Exceptions_API_ExceptionListVersion: - description: The document version, automatically increasd on updates. - minimum: 1 - type: integer - Security_Exceptions_API_ExceptionNamespaceType: - description: > - Determines whether the exception container is available in all Kibana - spaces or just the space - - in which it is created, where: - - - - `single`: Only available in the Kibana space in which it is created. - - - `agnostic`: Available in all Kibana spaces. - - - For endpoint artifacts, the `namespace_type` must always be `agnostic`. - Space awareness for endpoint artifacts is enforced based on Elastic - Defend policy assignments. 
- enum: - - agnostic - - single - type: string - Security_Exceptions_API_FindExceptionListItemsFilter: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - Security_Exceptions_API_FindExceptionListsFilter: - example: exception-list.attributes.name:%Detection%20List + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + tie_breaker_id: + description: Field used in search to ensure all containers are sorted and returned correctly. + example: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: string + type: + $ref: '#/components/schemas/Security_Lists_API_ListType' + updated_at: + description: Autogenerated date of last object update. + example: '2025-01-08T04:47:34.273Z' + format: date-time + type: string + updated_by: + description: Autogenerated value - user that last updated object. + example: elastic + type: string + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - id + - type + - list_id + - value + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Lists_API_ListItemId: + description: Value list item's identifier. + example: 54b01cfb-058d-44b9-838c-282be16c91cd + format: nonempty + minLength: 1 type: string - Security_Exceptions_API_HostIsolationProperties: - description: Host isolation exceptions list item properties. + Security_Lists_API_ListItemMetadata: + additionalProperties: true + description: Placeholder for metadata about the value list item. 
+ type: object + Security_Lists_API_ListItemPrivileges: type: object properties: - entries: - description: Exactly one entry allowed for host isolation exceptions - items: + application: + additionalProperties: + type: boolean + type: object + cluster: + additionalProperties: + type: boolean + type: object + has_all_requested: + type: boolean + index: + additionalProperties: + additionalProperties: + type: boolean type: object - properties: - field: - description: Must be destination.ip - enum: - - destination.ip - type: string - operator: - description: Must be the value "included" - enum: - - included - type: string - type: - description: Must be match - enum: - - match - type: string - value: - description: >- - Valid IPv4 address or CIDR notation (e.g., "192.168.1.1" or - "10.0.0.0/8") - type: string - required: - - field - - type - - value - - operator - maxItems: 1 - minItems: 1 - type: array - list_id: - enum: - - endpoint_host_isolation_exceptions - example: endpoint_host_isolation_exceptions + type: object + username: type: string - os_types: - description: Must include all three operating systems (windows, linux, macos) - items: - enum: - - windows - - linux - - macos - type: string - maxItems: 3 - minItems: 3 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - - list_id - Security_Exceptions_API_ListId: - description: Value list's identifier. - example: 21b01cfb-058d-44b9-838c-282be16c91cd + - username + - has_all_requested + - cluster + - index + - application + Security_Lists_API_ListItemValue: + description: The value used to evaluate exceptions. format: nonempty minLength: 1 type: string - Security_Exceptions_API_ListType: - description: > - Specifies the Elasticsearch data type of excludes the list container - holds. Some common examples: - + Security_Lists_API_ListMetadata: + additionalProperties: true + description: Placeholder for metadata about the value list. 
+ type: object + Security_Lists_API_ListName: + description: Value list's name. + example: List of bad IPs + format: nonempty + minLength: 1 + type: string + Security_Lists_API_ListPrivileges: + type: object + properties: + application: + additionalProperties: + type: boolean + type: object + cluster: + additionalProperties: + type: boolean + type: object + has_all_requested: + type: boolean + index: + additionalProperties: + additionalProperties: + type: boolean + type: object + type: object + username: + type: string + required: + - username + - has_all_requested + - cluster + - index + - application + Security_Lists_API_ListType: + description: | + Specifies the Elasticsearch data type of excludes the list container holds. Some common examples: - `keyword`: Many ECS fields are Elasticsearch keywords - - `ip`: IP addresses - - - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR - notation) + - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) enum: - binary - boolean @@ -52342,12 +124325,17 @@ components: - short - text type: string - Security_Exceptions_API_NonEmptyString: - description: A string that does not contain only whitespace characters - format: nonempty - minLength: 1 + Security_Lists_API_ListVersion: + description: The document version number. + example: 1 + minimum: 1 + type: integer + Security_Lists_API_ListVersionId: + description: | + The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version. + example: WzIsMV0= type: string - Security_Exceptions_API_PlatformErrorResponse: + Security_Lists_API_PlatformErrorResponse: type: object properties: error: @@ -52360,9 +124348,7 @@ components: - statusCode - error - message - Security_Exceptions_API_RuleId: - $ref: '#/components/schemas/Security_Exceptions_API_UUID' - Security_Exceptions_API_SiemErrorResponse: + Security_Lists_API_SiemErrorResponse: type: object properties: message: 
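Review bot: The rewritten `Security_Lists_API_ListType` description still reads `Specifies the Elasticsearch data type of excludes the list container holds.`, which is ungrammatical and carried over from the removed text rather than fixed; `Specifies the Elasticsearch data type of the values the list container holds.` states what the enum below it selects. `Security_Lists_API_ListItemPrivileges` and `Security_Lists_API_ListPrivileges` are the same object property for property (`application`, `cluster`, `has_all_requested`, `index`, `username`), so one could be a `$ref` to the other unless the two responses are expected to diverge. `Security_Lists_API_FindListsCursor` also lacks the description that `Security_Lists_API_FindListItemsCursor` received in this hunk, so the two cursor parameters now document differently. If this bundle is generated from the source schemas, these edits belong there.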
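Review bot: The new `Security_Lists_API_ListVersionId` description drops a word: `Use it ensure updates are done against the latest version.` should read `Use it to ensure updates are made against the latest version.`, matching the wording this commit uses for `_version` on the exception item schema. The `|` literal block also keeps a trailing newline in the rendered description; the value is a single sentence, so a plain scalar (or `|-`) would do. Because this field is what a client sends back to avoid overwriting a newer document, the sentence is worth getting right.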
@@ -52372,1020 +124358,878 @@ components: required: - status_code - message - Security_Exceptions_API_TrustedAppHashEntry: + Security_Osquery_API_ArrayQueries: + description: An array of queries to run. + items: + $ref: '#/components/schemas/Security_Osquery_API_ArrayQueriesItem' + type: array + Security_Osquery_API_ArrayQueriesItem: type: object properties: - field: - description: Process hash field - enum: - - process.hash.md5 - - process.hash.sha1 - - process.hash.sha256 - type: string - operator: - enum: - - included - type: string - type: - description: Hash entries only support match type - enum: - - match - type: string - value: - description: Hash value (MD5, SHA1, or SHA256) - type: string - required: - - field - - type - - value - - operator - Security_Exceptions_API_TrustedAppMacCodeSignatureEntry: + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_QueryId' + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + version: + $ref: '#/components/schemas/Security_Osquery_API_Version' + Security_Osquery_API_CopyPacksResponse: + description: The response for copying a pack. 
+ example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: false + name: my_pack_copy + policy_ids: [] + queries: + - ecs_mapping: + - key: client.port + value: + field: port + id: ports + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: [] + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic type: object properties: - entries: - description: >- - Must include exactly 2 entries - one for subject_name and one for - trusted - items: - oneOf: - - type: object + data: + type: object + properties: + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + queries: + description: 'Pack queries in saved-object storage format (array). Note: the read endpoint returns object format.' + items: + type: object properties: - field: - enum: - - subject_name + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' + id: type: string - operator: - enum: - - included + interval: + type: integer + platform: type: string - type: - enum: - - match + query: type: string - value: - description: Certificate subject name + removed: + type: boolean + snapshot: + type: boolean + timeout: + type: integer + version: type: string - required: - - field - - type - - value - - operator - - type: object + type: array + saved_object_id: + description: The saved object ID of the copied pack. + type: string + shards: + description: Shard configuration as an array of key-value pairs. 
+ items: + type: object properties: - field: - enum: - - trusted - type: string - operator: - enum: - - included - type: string - type: - enum: - - match + key: type: string value: - description: Must be the string 'true' - enum: - - 'true' - type: string - required: - - field - - type - - value - - operator - maxItems: 2 - minItems: 2 - type: array - field: - description: macOS code signature field - enum: - - process.code_signature - type: string - type: - enum: - - nested - type: string - required: - - field - - type - - entries - Security_Exceptions_API_TrustedAppPathEntry: - type: object - properties: - field: - description: Process executable path field - enum: - - process.executable.caseless - type: string - operator: - enum: - - included - type: string - type: - description: Path supports both match and wildcard types - enum: - - match - - wildcard - type: string - value: - description: Executable path - type: string - required: - - field - - type - - value - - operator - Security_Exceptions_API_TrustedAppsLinuxProperties: - description: Trusted applications list item properties (Linux). - type: object - properties: - entries: - description: >- - Process hash or executable path entries (code signature not - supported on Linux) - items: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppHashEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppPathEntry - minItems: 1 - type: array - list_id: - enum: - - endpoint_trusted_apps - example: endpoint_trusted_apps - type: string - os_types: - description: Must be Linux only - items: - enum: - - linux - type: string - maxItems: 1 - minItems: 1 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_TrustedAppsMacProperties: - description: Trusted applications list item properties (macOS). 
- type: object - properties: - entries: - description: Process hash, executable path, or code signature entries - items: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppHashEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppPathEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppMacCodeSignatureEntry - minItems: 1 - type: array - list_id: - enum: - - endpoint_trusted_apps - example: endpoint_trusted_apps - type: string - os_types: - description: Must be macOS only - items: - enum: - - macos - type: string - maxItems: 1 - minItems: 1 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + type: number + type: array + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + description: The pack version number. + type: integer + required: + - saved_object_id + - name required: - - list_id - Security_Exceptions_API_TrustedAppsWindowsProperties: - description: Trusted applications list item properties (Windows). + - data + Security_Osquery_API_CopySavedQueryResponse: + description: The response for copying a saved query. 
+ example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query_copy + interval: '60' + platform: linux,darwin + query: select * from uptime; + removed: false + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + snapshot: true + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic type: object properties: - entries: - description: Process hash, executable path, or code signature entries - items: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppHashEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppPathEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry - minItems: 1 - type: array - list_id: - enum: - - endpoint_trusted_apps - example: endpoint_trusted_apps - type: string - os_types: - description: Must be Windows only - items: - enum: - - windows - type: string - maxItems: 1 - minItems: 1 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + data: + type: object + properties: + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + oneOf: + - type: integer + - type: string + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + saved_object_id: + type: string + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + timeout: + type: integer + updated_at: + format: 
date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + required: + - saved_object_id + - id required: - - list_id - Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry: + - data + Security_Osquery_API_CreateLiveQueryRequestBody: + example: + agent_all: true + ecs_mapping: + host.uptime: + field: total_seconds + query: select * from uptime; type: object properties: - entries: - description: >- - Must include exactly 2 entries - one for subject_name and one for - trusted + agent_all: + description: When `true`, the query runs on all agents. + type: boolean + agent_ids: + description: A list of agent IDs to run the query on. items: - oneOf: - - type: object - properties: - field: - enum: - - subject_name - type: string - operator: - enum: - - included - type: string - type: - enum: - - match - type: string - value: - description: Certificate subject name - type: string - required: - - field - - type - - value - - operator - - type: object - properties: - field: - enum: - - trusted - type: string - operator: - enum: - - included - type: string - type: - enum: - - match - type: string - value: - description: Must be the string 'true' - enum: - - 'true' - type: string - required: - - field - - type - - value - - operator - maxItems: 2 - minItems: 2 + type: string type: array - field: - description: Windows code signature field - enum: - - process.Ext.code_signature - type: string - type: - enum: - - nested - type: string - required: - - field - - type - - entries - Security_Exceptions_API_TrustedDevicesMacProperties: - description: >- - Trusted devices list item properties (macOS-only, username not - supported). - type: object - properties: - entries: - description: >- - Exception entries for the trusted device (duplicate field entries - are not allowed) + agent_platforms: + description: A list of agent platforms to run the query on. 
items: - type: object - properties: - field: - description: Device field to match against - enum: - - device.serial_number - - device.type - - host.name - - device.vendor.name - - device.vendor.id - - device.product.id - - device.product.name - type: string - operator: - description: Must be the value "included" - enum: - - included - type: string - type: - description: Entry match type - enum: - - match - - wildcard - - match_any - type: string - value: - oneOf: - - description: Single value (used with match or wildcard) - type: string - - description: Array of values (used with match_any) - items: - type: string - minItems: 1 - type: array - required: - - field - - type - - value - - operator - minItems: 1 + type: string type: array - list_id: - enum: - - endpoint_trusted_devices - example: endpoint_trusted_devices - type: string - os_types: - description: macOS-only + agent_policy_ids: + description: A list of agent policy IDs to run the query on. items: - enum: - - macos type: string - maxItems: 1 - minItems: 1 type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_TrustedDevicesWindowsMacProperties: - description: >- - Trusted devices list item properties (Windows + macOS, username not - supported). - type: object - properties: - entries: - description: >- - Exception entries for the trusted device (duplicate field entries - are not allowed, username not available when targeting both OS) + alert_ids: + description: A list of alert IDs associated with the live query. 
items: - type: object - properties: - field: - description: >- - Device field to match against (username not available for - multi-OS) - enum: - - device.serial_number - - device.type - - host.name - - device.vendor.name - - device.vendor.id - - device.product.id - - device.product.name - type: string - operator: - description: Must be the value "included" - enum: - - included - type: string - type: - description: Entry match type - enum: - - match - - wildcard - - match_any - type: string - value: - oneOf: - - description: Single value (used with match or wildcard) - type: string - - description: Array of values (used with match_any) - items: - type: string - minItems: 1 - type: array - required: - - field - - type - - value - - operator - minItems: 1 + type: string type: array - list_id: - enum: - - endpoint_trusted_devices - example: endpoint_trusted_devices - type: string - os_types: - description: Must include both Windows and macOS (username field not allowed) + case_ids: + description: A list of case IDs associated with the live query. items: - enum: - - windows - - macos type: string - maxItems: 2 - minItems: 2 type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_TrustedDevicesWindowsProperties: - description: >- - Trusted devices list item properties (Windows-only, allows username - field). + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + event_ids: + description: A list of event IDs associated with the live query. + items: + type: string + type: array + metadata: + description: Custom metadata object associated with the live query. 
+ nullable: true + type: object + pack_id: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ArrayQueries' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + saved_query_id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + Security_Osquery_API_CreateLiveQueryResponse: + description: The response for creating a live query. + example: + data: + '@timestamp': '2022-07-26T09:59:32.220Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agent_all: true + agent_ids: [] + agent_platforms: [] + agent_policy_ids: [] + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2022-07-26T10:04:32.220Z' + input_type: osquery + metadata: + execution_context: + name: osquery + url: /app/osquery/live_queries/new + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + ecs_mapping: + host.uptime: + field: total_seconds + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + query: select * from uptime; + timeout: 120 + type: INPUT_ACTION + user_id: elastic type: object properties: - entries: - description: >- - Exception entries for the trusted device (duplicate field entries - are not allowed) - items: - type: object - properties: - field: - description: Device field to match against (user.name is Windows-only) - enum: - - device.serial_number - - device.type - - host.name - - device.vendor.name - - device.vendor.id - - device.product.id - - device.product.name - - user.name + data: + type: object + properties: + '@timestamp': + description: The timestamp when the action was created. + format: date-time + type: string + action_id: + description: The ID of the action. + type: string + agent_all: + description: Whether the query targets all agents. + type: boolean + agent_ids: + description: The agent IDs targeted by the action. 
+ items: type: string - operator: - description: Must be the value "included" - enum: - - included + type: array + agent_platforms: + description: The agent platforms targeted. + items: type: string - type: - description: Entry match type - enum: - - match - - wildcard - - match_any + type: array + agent_policy_ids: + description: The agent policy IDs targeted. + items: type: string - value: - oneOf: - - description: Single value (used with match or wildcard) + type: array + agents: + description: The resolved list of agent IDs. + items: + type: string + type: array + expiration: + description: The expiration date of the action. + format: date-time + type: string + input_type: + description: The input type. + type: string + metadata: + description: Custom metadata associated with the action. + type: object + pack_id: + description: The pack ID if the query was run from a pack. + type: string + queries: + description: The queries in this action. + items: + type: object + properties: + action_id: type: string - - description: Array of values (used with match_any) + agents: items: type: string - minItems: 1 type: array - required: - - field - - type - - value - - operator - minItems: 1 - type: array - list_id: - enum: - - endpoint_trusted_devices - example: endpoint_trusted_devices - type: string - os_types: - description: Must be Windows-only to allow username field - items: - enum: - - windows - type: string - maxItems: 1 - minItems: 1 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_UpdateExceptionListItemBase: - type: object - properties: - _version: - description: >- - The version ID, normally returned by the API when the item is - retrieved. Use it to ensure updates are made against the latest - version. 
- type: string - comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription - expire_time: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - description: Either `id` or `item_id` must be specified - item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - description: Either `id` or `item_id` must be specified - meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single - type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' - required: - - type - - name - - description - Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties - Security_Exceptions_API_UpdateExceptionListItemBlocklistMac: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties' - Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties - Security_Exceptions_API_UpdateExceptionListItemComment: - type: object - properties: - comment: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - id: - $ref: 
'#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - comment - Security_Exceptions_API_UpdateExceptionListItemCommentArray: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment - type: array - Security_Exceptions_API_UpdateExceptionListItemEndpointList: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties' - Security_Exceptions_API_UpdateExceptionListItemEventFilters: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties' - Security_Exceptions_API_UpdateExceptionListItemGeneric: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - example: - comments: [] - description: Updated description - entries: - - field: host.name - operator: included - type: match - value: rock01 - item_id: simple_list_item - name: Updated name - namespace_type: single - tags: [] - type: simple - type: object - properties: - entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemTags + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + type: string + platform: + type: string + query: + type: string + saved_query_id: + type: string + timeout: + type: integer + version: + type: string + type: array + type: + description: The action type. + type: string + user_id: + description: The user who created the action. 
+ type: string required: - - entries - Security_Exceptions_API_UpdateExceptionListItemHostIsolation: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties' - Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties - Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties - Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties - Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties - Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties - Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties - Security_Exceptions_API_UUID: - description: A universally unique identifier - format: uuid - type: string - Security_Lists_API_FindListItemsCursor: - description: >- - Returns the 
items that come after the last item returned in the previous - call (use the `cursor` value returned in the previous call). This - parameter uses the `tie_breaker_id` field to ensure all items are sorted - and returned correctly. - example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d - format: nonempty - minLength: 1 - type: string - Security_Lists_API_FindListItemsFilter: - example: value:127.0.0.1 - type: string - Security_Lists_API_FindListsCursor: - example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d - format: nonempty - minLength: 1 - type: string - Security_Lists_API_FindListsFilter: - example: value:127.0.0.1 - type: string - Security_Lists_API_List: + - action_id + required: + - data + Security_Osquery_API_CreatePacksRequestBody: + example: + description: My pack + enabled: true + name: my_pack + policy_ids: + - my_policy_id + - fleet-server-policy + queries: + my_query: + ecs_mapping: + client.port: + field: port + tags: + value: + - tag1 + - tag2 + interval: 60 + query: SELECT * FROM listening_ports; + timeout: 120 + shards: + fleet-server-policy: 58 + my_policy_id: 35 type: object properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - '@timestamp': - example: 2025-01-08T04:47:34.273Z - format: date-time - type: string - created_at: - description: Autogenerated date of object creation. - example: 2025-01-08T04:47:34.273Z - format: date-time - type: string - created_by: - description: Autogenerated value - user that created object. 
- example: elastic - type: string description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - immutable: - type: boolean - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. - example: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: string - type: - $ref: '#/components/schemas/Security_Lists_API_ListType' - updated_at: - description: Autogenerated date of last object update. - example: 2025-01-08T04:47:34.273Z - format: date-time - type: string - updated_by: - description: Autogenerated value - user that last updated object. - example: elastic - type: string - version: - $ref: '#/components/schemas/Security_Lists_API_ListVersion' - required: - - id - - type - - name - - description - - immutable - - version - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Lists_API_ListDescription: - description: Describes the value list. - format: nonempty - minLength: 1 - type: string - Security_Lists_API_ListId: - description: Value list's identifier. - example: 21b01cfb-058d-44b9-838c-282be16c91cd - format: nonempty - minLength: 1 - type: string - Security_Lists_API_ListItem: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' + shards: + $ref: '#/components/schemas/Security_Osquery_API_Shards' + Security_Osquery_API_CreatePacksResponse: + description: The response for creating a pack. 
+ example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: true + name: my_pack + policy_ids: + - my_policy_id + queries: + ports: + ecs_mapping: + client.port: + field: port + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: + 47638692-7c4c-4053-aa3e-7186f28df349: 35 + 5e267651-fe50-443e-8d3f-3bbc9171b618: 58 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + version: 1 type: object properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - '@timestamp': - example: 2025-01-08T04:47:34.273Z - format: date-time - type: string - created_at: - description: Autogenerated date of object creation. - example: 2025-01-08T04:47:34.273Z - format: date-time - type: string - created_by: - description: Autogenerated value - user that created object. - example: elastic - type: string - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - list_id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. - example: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: string - type: - $ref: '#/components/schemas/Security_Lists_API_ListType' - updated_at: - description: Autogenerated date of last object update. - example: 2025-01-08T04:47:34.273Z - format: date-time - type: string - updated_by: - description: Autogenerated value - user that last updated object. - example: elastic - type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + data: + type: object + properties: + created_at: + description: The date and time the pack was created. + format: date-time + type: string + created_by: + description: The user who created the pack. 
+ nullable: true + type: string + created_by_profile_uid: + description: The profile UID of the user who created the pack. + type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' + saved_object_id: + description: The saved object ID of the pack. + type: string + shards: + description: Shard configuration as an array of key-value pairs. + items: + type: object + properties: + key: + type: string + value: + type: number + type: array + updated_at: + description: The date and time the pack was last updated. + format: date-time + type: string + updated_by: + description: The user who last updated the pack. + nullable: true + type: string + updated_by_profile_uid: + description: The profile UID of the user who last updated the pack. + type: string + version: + description: The pack version number. + type: integer + required: + - saved_object_id + - name required: - - id - - type - - list_id - - value - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Lists_API_ListItemId: - description: Value list item's identifier. - example: 54b01cfb-058d-44b9-838c-282be16c91cd - format: nonempty - minLength: 1 - type: string - Security_Lists_API_ListItemMetadata: - additionalProperties: true - description: Placeholder for metadata about the value list item. 
+ - data + Security_Osquery_API_CreateSavedQueryRequestBody: + example: + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: saved_query_id + interval: '60' + platform: linux,darwin + query: select * from uptime; + timeout: 120 + version: 2.8.0 type: object - Security_Lists_API_ListItemPrivileges: + properties: + description: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + $ref: '#/components/schemas/Security_Osquery_API_Interval' + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + version: + $ref: '#/components/schemas/Security_Osquery_API_Version' + Security_Osquery_API_CreateSavedQueryResponse: + description: The response for creating a saved query. 
+ example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: saved_query_id + interval: '60' + platform: linux,darwin + prebuilt: false + query: select * from uptime; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + version: 2.8.0 type: object properties: - application: - additionalProperties: - type: boolean - type: object - cluster: - additionalProperties: - type: boolean + data: type: object - has_all_requested: - type: boolean - index: - additionalProperties: - additionalProperties: + properties: + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + description: An interval, in seconds, on which to run the query. May be returned as number or string. + oneOf: + - type: integer + - type: string + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + prebuilt: + description: Whether the saved query is prebuilt. type: boolean - type: object - type: object - username: - type: string + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + saved_object_id: + description: The saved object ID of the saved query. + type: string + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + timeout: + description: The query timeout in seconds. 
+ type: integer + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + description: The saved query version. + oneOf: + - type: integer + - type: string + required: + - saved_object_id + - id required: - - username - - has_all_requested - - cluster - - index - - application - Security_Lists_API_ListItemValue: - description: The value used to evaluate exceptions. - format: nonempty - minLength: 1 - type: string - Security_Lists_API_ListMetadata: - additionalProperties: true - description: Placeholder for metadata about the value list. + - data + Security_Osquery_API_DefaultSuccessResponse: + example: {} type: object - Security_Lists_API_ListName: - description: Value list's name. - example: List of bad IPs - format: nonempty - minLength: 1 - type: string - Security_Lists_API_ListPrivileges: + properties: {} + Security_Osquery_API_ECSMapping: + additionalProperties: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' + description: Map osquery results columns or static values to Elastic Common Schema (ECS) fields + example: + host.uptime: + field: total_seconds + type: object + Security_Osquery_API_ECSMappingArray: + description: ECS mapping in saved-object storage format (array of key-value pairs). The find and copy pack endpoints return this format. The read endpoint returns object format (ECSMapping). + items: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArrayItem' + type: array + Security_Osquery_API_ECSMappingArrayItem: + description: ECS mapping item in saved-object storage format (key-value pair). 
type: object properties: - application: - additionalProperties: - type: boolean - type: object - cluster: - additionalProperties: - type: boolean - type: object - has_all_requested: - type: boolean - index: - additionalProperties: - additionalProperties: - type: boolean - type: object - type: object - username: + key: + description: The ECS field name. type: string - required: - - username - - has_all_requested - - cluster - - index - - application - Security_Lists_API_ListType: - description: > - Specifies the Elasticsearch data type of excludes the list container - holds. Some common examples: - - - - `keyword`: Many ECS fields are Elasticsearch keywords - - - `ip`: IP addresses - - - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR - notation) - enum: - - binary - - boolean - - byte - - date - - date_nanos - - date_range - - double - - double_range - - float - - float_range - - geo_point - - geo_shape - - half_float - - integer - - integer_range - - ip - - ip_range - - keyword - - long - - long_range - - shape - - short - - text - type: string - Security_Lists_API_ListVersion: - description: The document version number. - example: 1 - minimum: 1 - type: integer - Security_Lists_API_ListVersionId: - description: > - The version id, normally returned by the API when the document is - retrieved. Use it ensure updates are done against the latest version. - example: WzIsMV0= - type: string - Security_Lists_API_PlatformErrorResponse: + value: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' + Security_Osquery_API_ECSMappingArrayOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' + nullable: true + Security_Osquery_API_ECSMappingItem: type: object properties: - error: - type: string - message: + field: + description: The ECS field to map to. 
+ example: host.uptime type: string - statusCode: - type: integer - required: - - statusCode - - error - - message - Security_Lists_API_SiemErrorResponse: + value: + description: The value to map to the ECS field. + example: total_seconds + oneOf: + - type: string + - items: + type: string + type: array + Security_Osquery_API_ECSMappingOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + nullable: true + Security_Osquery_API_Enabled: + description: Enables the pack. + example: true + type: boolean + Security_Osquery_API_EnabledOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + nullable: true + Security_Osquery_API_FindLiveQueryDetailsResponse: + example: + data: + '@timestamp': '2022-07-26T09:59:32.220Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2022-07-26T10:04:32.220Z' + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + docs: 0 + ecs_mapping: + host.uptime: + field: total_seconds + failed: 1 + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + pending: 0 + query: select * from uptime; + responded: 1 + saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + status: completed + successful: 0 + status: completed + user_id: elastic type: object properties: - message: - type: string - status_code: - type: integer - required: - - status_code - - message - Security_Osquery_API_ArrayQueries: - description: An array of queries to run. 
- items: - $ref: '#/components/schemas/Security_Osquery_API_ArrayQueriesItem' - type: array - Security_Osquery_API_ArrayQueriesItem: + data: + type: object + properties: + '@timestamp': + format: date-time + type: string + action_id: + type: string + agents: + items: + type: string + type: array + expiration: + format: date-time + type: string + pack_id: + type: string + pack_name: + type: string + prebuilt_pack: + type: boolean + queries: + description: The queries with their execution status. + items: + type: object + properties: + action_id: + type: string + agents: + items: + type: string + type: array + docs: + description: Number of result documents. + type: integer + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + failed: + description: Number of failed queries. + type: integer + id: + type: string + pending: + description: Number of pending agents. + type: integer + query: + type: string + responded: + description: Total responded agents. + type: integer + saved_query_id: + type: string + status: + description: Status of this individual query. + enum: + - completed + - running + type: string + successful: + description: Number of successful agents. + type: integer + type: array + status: + description: Global status of the live query (completed, running). 
+ enum: + - completed + - running + type: string + tags: + items: + type: string + type: array + user_id: + type: string + user_profile_uid: + type: string + Security_Osquery_API_FindLiveQueryResponse: + example: + data: + items: + - _source: + '@timestamp': '2023-10-31T00:00:00Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2023-10-31T00:00:00Z' + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + ecs_mapping: + host.uptime: + field: total_seconds + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + query: select * from uptime; + saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + result_counts: + error_agents: 0 + responded_agents: 1 + successful_agents: 1 + total_rows: 42 + user_id: elastic + total: 1 type: object properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_QueryId' - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' - Security_Osquery_API_CopyPacksResponse: - description: The response for copying a pack. + data: + type: object + properties: + items: + description: An array of live query action items. 
+ items: + type: object + properties: + _source: + type: object + properties: + '@timestamp': + format: date-time + type: string + action_id: + type: string + agents: + items: + type: string + type: array + expiration: + format: date-time + type: string + pack_id: + type: string + queries: + items: + type: object + properties: + action_id: + type: string + agents: + items: + type: string + type: array + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + type: string + query: + type: string + saved_query_id: + type: string + type: array + result_counts: + description: Result count statistics (present when withResultCounts is true). + type: object + properties: + error_agents: + type: integer + responded_agents: + type: integer + successful_agents: + type: integer + total_rows: + type: integer + user_id: + type: string + type: array + total: + description: The total number of live queries. + type: integer + Security_Osquery_API_FindPackResponse: + description: The details of a single query pack. example: data: - created_at: '2025-02-26T13:37:30.452Z' + created_at: '2022-07-25T19:41:10.263Z' created_by: elastic - description: My pack - enabled: false - name: my_pack_copy + description: '' + enabled: true + name: test_pack + namespaces: + - default policy_ids: [] queries: - - ecs_mapping: - - key: client.port - value: - field: port - id: ports - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: [] - updated_at: '2025-02-26T13:37:30.452Z' + uptime: + ecs_mapping: + message: + field: days + interval: 3600 + query: select * from uptime + read_only: false + saved_object_id: 3c42c847-eb30-4452-80e0-728584042334 + shards: {} + type: osquery-pack + updated_at: '2022-07-25T20:12:01.455Z' updated_by: elastic + version: 1 type: object properties: data: + description: The pack details. type: object properties: created_at: 
@@ -53397,54 +125241,31 @@ components: created_by_profile_uid: type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Enabled' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - description: >- - Pack queries in saved-object storage format (array). Note: the - read endpoint returns object format. + namespaces: + description: The namespaces the pack belongs to. items: - type: object - properties: - ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingArrayOrUndefined - id: - type: string - interval: - type: integer - platform: - type: string - query: - type: string - removed: - type: boolean - snapshot: - type: boolean - timeout: - type: integer - version: - type: string + type: string type: array + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' + read_only: + description: Whether the pack is read-only (true for prebuilt packs). + type: boolean saved_object_id: - description: The saved object ID of the copied pack. + description: The saved object ID of the pack. type: string shards: - description: Shard configuration as an array of key-value pairs. - items: - type: object - properties: - key: - type: string - value: - type: number - type: array + $ref: '#/components/schemas/Security_Osquery_API_Shards' + type: + description: The saved object type. + type: string updated_at: format: date-time type: string 
@@ -53461,26 +125282,134 @@ components: - name required: - data - Security_Osquery_API_CopySavedQueryResponse: - description: The response for copying a saved query. + Security_Osquery_API_FindPacksResponse: + description: A paginated list of query packs. example: data: - created_at: '2025-02-26T13:37:30.452Z' + - created_at: '2023-10-31T00:00:00Z' + created_by: elastic + created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + description: My pack description + enabled: true + name: My Pack + policy_ids: [] + queries: + - ecs_mapping: + - key: host.uptime + value: + field: total_seconds + id: uptime + interval: 3600 + query: select * from uptime; + read_only: false + saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + updated_at: '2023-10-31T00:00:00Z' + updated_by: elastic + updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + page: 1 + per_page: 10 + total: 1 + type: object + properties: + data: + description: An array of pack objects. + items: + type: object + properties: + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + queries: + description: 'Pack queries in saved-object storage format (array). Note: the read endpoint returns object format.' 
+ items: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' + id: + type: string + interval: + type: integer + platform: + type: string + query: + type: string + removed: + type: boolean + snapshot: + type: boolean + timeout: + type: integer + version: + type: string + type: array + read_only: + description: Whether the pack is read-only (true for prebuilt packs). + type: boolean + saved_object_id: + description: The saved object ID of the pack. + type: string + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + description: The pack version number. + type: integer + required: + - saved_object_id + - name + type: array + page: + description: The current page number. + type: integer + per_page: + description: The number of results per page. + type: integer + total: + description: The total number of packs. + type: integer + required: + - page + - per_page + - total + - data + Security_Osquery_API_FindSavedQueryDetailResponse: + description: The details of a single saved query. + example: + data: + created_at: '2022-07-26T09:28:08.597Z' created_by: elastic description: Saved query description ecs_mapping: host.uptime: field: total_seconds - id: my_saved_query_copy + id: saved_query_id interval: '60' platform: linux,darwin + prebuilt: false query: select * from uptime; - removed: false - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - snapshot: true - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' + saved_object_id: 3c42c847-eb30-4452-80e0-728584042334 + updated_at: '2022-07-26T09:28:08.597Z' updated_by: elastic + version: 2.8.0 type: object properties: data: 
@@ -53495,10 +125424,9 @@ components: created_by_profile_uid: type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' interval: @@ -53506,15 +125434,17 @@ components: - type: integer - type: string platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Platform' + prebuilt: + type: boolean query: $ref: '#/components/schemas/Security_Osquery_API_Query' removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Removed' saved_object_id: type: string snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' timeout: type: integer updated_at: 
@@ -53525,228 +125455,620 @@ components: type: string updated_by_profile_uid: type: string + version: + oneOf: + - type: integer + - type: string required: - saved_object_id - id required: - data - Security_Osquery_API_CreateLiveQueryRequestBody: + Security_Osquery_API_FindSavedQueryResponse: + description: A paginated list of saved queries. example: - agent_all: true - ecs_mapping: - host.uptime: - field: total_seconds - query: select * from uptime; + data: + - created_at: '2022-07-26T09:28:08.597Z' + created_by: elastic + created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: saved_query_id + interval: '60' + platform: linux,darwin + prebuilt: false + query: select * from uptime; + saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + updated_at: '2022-07-26T09:28:08.597Z' + updated_by: elastic + updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + version: 2.8.0 + page: 1 + per_page: 100 + total: 11 + type: object + properties: + data: + description: An array of saved query objects. 
+ items: + type: object + properties: + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + oneOf: + - type: integer + - type: string + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + prebuilt: + type: boolean + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + saved_object_id: + type: string + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + timeout: + type: integer + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + oneOf: + - type: integer + - type: string + required: + - saved_object_id + - id + type: array + page: + description: The current page number. + type: integer + per_page: + description: The number of results per page. + type: integer + total: + description: The total number of saved queries. + type: integer + required: + - page + - per_page + - total + - data + Security_Osquery_API_GetLiveQueryResultsResponse: + description: The response for getting live query results. + example: + data: + edges: + - _id: doc1 + _source: {} + - _id: doc2 + _source: {} + total: 2 + type: object + properties: + data: + type: object + properties: + edges: + description: The result rows from the query execution. + items: + type: object + properties: + _id: + type: string + _source: + description: The Elasticsearch document source containing query results. + type: object + type: array + total: + description: The total number of result rows. 
+ type: integer + Security_Osquery_API_GetScheduledActionResultsResponse: + example: + aggregations: + failed: 1 + pending: 0 + successful: 9 + totalResponded: 10 + totalRowCount: 42 + currentPage: 0 + edges: + - _id: result-001 + fields: + agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 + rows_count: 5 + status: success + metadata: + executionCount: 3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + timestamp: '2024-07-26T09:00:00.000Z' + pageSize: 20 + total: 10 + totalPages: 1 type: object properties: - agent_all: - description: When `true`, the query runs on all agents. - type: boolean - agent_ids: - description: A list of agent IDs to run the query on. - items: - type: string - type: array - agent_platforms: - description: A list of agent platforms to run the query on. - items: - type: string - type: array - agent_policy_ids: - description: A list of agent policy IDs to run the query on. - items: - type: string - type: array - alert_ids: - description: A list of alert IDs associated with the live query. - items: - type: string - type: array - case_ids: - description: A list of case IDs associated with the live query. - items: - type: string - type: array - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - event_ids: - description: A list of event IDs associated with the live query. + aggregations: + $ref: '#/components/schemas/Security_Osquery_API_ScheduledActionResultsAggregations' + currentPage: + description: The current page number (zero-based). + type: integer + edges: + description: The paginated list of per-agent action results. items: - type: string + type: object type: array - metadata: - description: Custom metadata object associated with the live query. - nullable: true + inspect: + description: Debug/inspection data for the search query. 
type: object - pack_id: - $ref: '#/components/schemas/Security_Osquery_API_PackIdOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ArrayQueries' - query: - $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' - saved_query_id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' - Security_Osquery_API_CreateLiveQueryResponse: - description: The response for creating a live query. + metadata: + $ref: '#/components/schemas/Security_Osquery_API_ScheduledExecutionMetadata' + pageSize: + description: The number of results per page. + type: integer + total: + description: The total number of action results. + type: integer + totalPages: + description: The total number of pages. + type: integer + Security_Osquery_API_GetScheduledQueryResultsResponse: + description: The response for getting scheduled query results. example: data: - '@timestamp': '2022-07-26T09:59:32.220Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agent_all: true - agent_ids: [] - agent_platforms: [] - agent_policy_ids: [] - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2022-07-26T10:04:32.220Z' - input_type: osquery - metadata: - execution_context: - name: osquery - url: /app/osquery/live_queries/new - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - ecs_mapping: + edges: + - _id: row-001 + fields: host.uptime: - field: total_seconds - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - query: select * from uptime; - timeout: 120 - type: INPUT_ACTION - user_id: elastic + - '12345' + - _id: row-002 + fields: + host.uptime: + - '67890' + total: 2 type: object properties: data: + description: The query results data wrapper. type: object properties: - '@timestamp': - description: The timestamp when the action was created. - format: date-time - type: string - action_id: - description: The ID of the action. 
- type: string - agent_all: - description: Whether the query targets all agents. - type: boolean - agent_ids: - description: The agent IDs targeted by the action. + edges: + description: The paginated list of query result rows. items: - type: string + type: object type: array - agent_platforms: - description: The agent platforms targeted. + inspect: + description: Debug/inspection data for the search query. + type: object + total: + description: The total number of result rows. + type: integer + Security_Osquery_API_GetUnifiedHistoryResponse: + example: + data: + - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agentCount: 5 + errorCount: 0 + id: 3c42c847-eb30-4452-80e0-728584042334 + queryName: uptime_query + queryText: select * from uptime; + source: Live + sourceType: live + successCount: 5 + timestamp: '2024-07-26T09:59:32.220Z' + totalRows: 42 + userId: elastic + - agentCount: 10 + errorCount: 1 + executionCount: 3 + id: pack_my_pack_uptime_3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + plannedTime: '2024-07-26T09:00:00.000Z' + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + source: Scheduled + sourceType: scheduled + successCount: 9 + timestamp: '2024-07-26T09:00:00.000Z' + totalRows: 100 + hasMore: true + nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... + type: object + properties: + data: + description: The list of unified history rows for the current page. + items: + $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRow' + type: array + hasMore: + description: Whether there are more results beyond the current page. + type: boolean + nextPage: + description: A base64-encoded cursor to fetch the next page. Absent when there are no more results. + type: string + required: + - data + - hasMore + Security_Osquery_API_Interval: + description: An interval, in seconds, on which to run the query. 
+ example: '60' + type: string + Security_Osquery_API_IntervalOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Interval' + nullable: true + Security_Osquery_API_KueryOrUndefined: + description: The kuery to filter the results by. + example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13' + nullable: true + type: string + Security_Osquery_API_LiveHistoryRow: + allOf: + - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' + - type: object + properties: + actionId: + description: The Fleet action ID for the live query. + type: string + agentAll: + description: Whether the query targeted all agents. + type: boolean + agentIds: + description: List of targeted agent IDs. items: type: string type: array - agent_policy_ids: - description: The agent policy IDs targeted. + agentPlatforms: + description: List of targeted agent platforms. items: type: string type: array - agents: - description: The resolved list of agent IDs. + agentPolicyIds: + description: List of targeted agent policy IDs. items: type: string type: array - expiration: - description: The expiration date of the action. - format: date-time + ecsMapping: + additionalProperties: true + description: ECS mapping configuration used for the query. + type: object + queriesTotal: + description: The total number of sub-queries in the live action. + type: integer + queriesWithResults: + description: The number of sub-queries that returned results. + type: integer + savedQueryId: + description: The saved query ID, if the live query was based on a saved query. type: string - input_type: - description: The input type. + source: + description: Whether this was a manually run live query or triggered by a rule. + enum: + - Live + - Rule type: string - metadata: - description: Custom metadata associated with the action. - type: object - pack_id: - description: The pack ID if the query was run from a pack. + sourceType: + description: Identifies this as a live query history row. 
+ enum: + - live type: string - queries: - description: The queries in this action. - items: - type: object - properties: - action_id: - type: string - agents: - items: - type: string - type: array - ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined - id: - type: string - platform: - type: string - query: - type: string - saved_query_id: - type: string - timeout: - type: integer - version: - type: string - type: array - type: - description: The action type. + timeout: + description: The query timeout in seconds. + type: integer + userId: + description: The ID of the user who ran the query. type: string - user_id: - description: The user who created the action. + userProfileUid: + description: The user profile UID of the user who ran the query. type: string required: - - action_id + - sourceType + - source + Security_Osquery_API_ObjectQueries: + additionalProperties: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem' + description: An object of queries. + type: object + Security_Osquery_API_ObjectQueriesItem: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_QueryId' + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + saved_query_id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + version: + $ref: '#/components/schemas/Security_Osquery_API_Version' + Security_Osquery_API_PackDescription: + description: The pack description. 
+ example: Pack description + type: string + Security_Osquery_API_PackDescriptionOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + nullable: true + Security_Osquery_API_PackId: + description: The ID of the pack. + example: 3c42c847-eb30-4452-80e0-728584042334 + type: string + Security_Osquery_API_PackIdOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + nullable: true + Security_Osquery_API_PackName: + description: The pack name. + example: my_pack + type: string + Security_Osquery_API_PageOrUndefined: + description: The page number to return. The default is 1. + example: 1 + nullable: true + type: integer + Security_Osquery_API_PageSizeOrUndefined: + description: The number of results to return per page. The default is 20. + example: 20 + nullable: true + type: integer + Security_Osquery_API_Platform: + description: Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, `linux,darwin`. + example: linux,darwin + type: string + Security_Osquery_API_PlatformOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + nullable: true + Security_Osquery_API_PolicyIds: + description: A list of agents policy IDs. + example: + - policyId1 + - policyId2 + items: + type: string + type: array + Security_Osquery_API_PolicyIdsOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + nullable: true + Security_Osquery_API_Query: + description: The SQL query you want to run. + example: select * from uptime; + type: string + Security_Osquery_API_QueryId: + description: The ID of the query. + example: 3c42c847-eb30-4452-80e0-728584042334 + type: string + Security_Osquery_API_QueryOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Query' + nullable: true + Security_Osquery_API_Removed: + description: Indicates whether the query is removed. 
+ example: false + type: boolean + Security_Osquery_API_RemovedOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + nullable: true + Security_Osquery_API_SavedQueryDescription: + description: The saved query description. + example: Saved query description + type: string + Security_Osquery_API_SavedQueryDescriptionOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + nullable: true + Security_Osquery_API_SavedQueryId: + description: The ID of a saved query. + example: 3c42c847-eb30-4452-80e0-728584042334 + type: string + Security_Osquery_API_SavedQueryIdOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + nullable: true + Security_Osquery_API_ScheduledActionResultsAggregations: + type: object + properties: + failed: + description: The number of agents that returned errors. + type: integer + pending: + description: The number of agents with pending responses. + type: integer + successful: + description: The number of agents that completed successfully. + type: integer + totalResponded: + description: The total number of agents that responded. + type: integer + totalRowCount: + description: The total number of result rows across all agents. + type: integer + Security_Osquery_API_ScheduledExecutionMetadata: + description: Execution metadata resolved from the pack saved object. + type: object + properties: + executionCount: + description: The execution count for this scheduled query run. + type: integer + packId: + description: The ID of the pack containing the query. + type: string + packName: + description: The name of the pack containing the query. + type: string + queryName: + description: The name of the query within the pack. + type: string + queryText: + description: The SQL query that was executed. + type: string + scheduleId: + description: The schedule ID for the scheduled query. 
+ type: string + timestamp: + description: The timestamp of the most recent response for this execution. + type: string + Security_Osquery_API_ScheduledHistoryRow: + allOf: + - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' + - type: object + properties: + executionCount: + description: The execution count for this scheduled query run. + type: integer + plannedTime: + description: The planned execution time for the scheduled query. + type: string + scheduleId: + description: The schedule ID for the scheduled query. + type: string + source: + description: Indicates this is a scheduled query execution. + enum: + - Scheduled + type: string + sourceType: + description: Identifies this as a scheduled query history row. + enum: + - scheduled + type: string + required: + - sourceType + - source + Security_Osquery_API_Shards: + additionalProperties: + type: number + description: An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts. + example: + policy_id: 50 + type: object + Security_Osquery_API_Snapshot: + description: Indicates whether the query is a snapshot. + example: true + type: boolean + Security_Osquery_API_SnapshotOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + nullable: true + Security_Osquery_API_SortOrderOrUndefined: + description: Specifies the sort order. + enum: + - asc + - desc + example: desc + type: string + Security_Osquery_API_SortOrUndefined: + default: createdAt + description: The field that is used to sort the results. 
+ example: createdAt + nullable: true + type: string + Security_Osquery_API_UnifiedHistoryRow: + discriminator: + mapping: + live: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' + scheduled: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' + propertyName: sourceType + oneOf: + - $ref: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' + - $ref: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' + Security_Osquery_API_UnifiedHistoryRowBase: + type: object + properties: + agentCount: + description: The number of agents targeted by the query. + type: integer + errorCount: + description: The number of agent responses with errors. + nullable: true + type: integer + id: + description: Unique identifier for the history row. + type: string + packId: + description: The ID of the pack containing the query. + type: string + packName: + description: The name of the pack containing the query. + type: string + queryName: + description: The name of the query, if available. + type: string + queryText: + description: The SQL query that was executed. + type: string + spaceId: + description: The Kibana space ID where the query was executed. + type: string + successCount: + description: The number of successful agent responses. + nullable: true + type: integer + timestamp: + description: The timestamp of the query execution. + type: string + totalRows: + description: The total number of result rows returned across all agents. 
+ nullable: true + type: integer required: - - data - Security_Osquery_API_CreatePacksRequestBody: + - id + - timestamp + - queryText + - agentCount + Security_Osquery_API_UpdatePacksRequestBody: example: - description: My pack - enabled: true - name: my_pack - policy_ids: - - my_policy_id - - fleet-server-policy - queries: - my_query: - ecs_mapping: - client.port: - field: port - tags: - value: - - tag1 - - tag2 - interval: 60 - query: SELECT * FROM listening_ports; - timeout: 120 - shards: - fleet-server-policy: 58 - my_policy_id: 35 + name: updated_my_pack_name type: object properties: description: - $ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Enabled' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' queries: $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' shards: $ref: '#/components/schemas/Security_Osquery_API_Shards' - Security_Osquery_API_CreatePacksResponse: - description: The response for creating a pack. + Security_Osquery_API_UpdatePacksResponse: + description: The response for updating a pack. example: data: created_at: '2025-02-26T13:37:30.452Z' created_by: elastic description: My pack enabled: true - name: my_pack + name: updated_my_pack_name policy_ids: - my_policy_id queries: 
@@ -53763,471 +126085,12 @@ components: shards: 47638692-7c4c-4053-aa3e-7186f28df349: 35 5e267651-fe50-443e-8d3f-3bbc9171b618: 58 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 1 - type: object - properties: - data: - type: object - properties: - created_at: - description: The date and time the pack was created. - format: date-time - type: string - created_by: - description: The user who created the pack. - nullable: true - type: string - created_by_profile_uid: - description: The profile UID of the user who created the pack. - type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - saved_object_id: - description: The saved object ID of the pack. - type: string - shards: - description: Shard configuration as an array of key-value pairs. - items: - type: object - properties: - key: - type: string - value: - type: number - type: array - updated_at: - description: The date and time the pack was last updated. - format: date-time - type: string - updated_by: - description: The user who last updated the pack. - nullable: true - type: string - updated_by_profile_uid: - description: The profile UID of the user who last updated the pack. - type: string - version: - description: The pack version number. 
- type: integer - required: - - saved_object_id - - name - required: - - data - Security_Osquery_API_CreateSavedQueryRequestBody: - example: - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: saved_query_id - interval: '60' - platform: linux,darwin - query: select * from uptime; - timeout: 120 - version: 2.8.0 - type: object - properties: - description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - $ref: '#/components/schemas/Security_Osquery_API_Interval' - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - query: - $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' - Security_Osquery_API_CreateSavedQueryResponse: - description: The response for creating a saved query. 
- example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: saved_query_id - interval: '60' - platform: linux,darwin - prebuilt: false - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 2.8.0 - type: object - properties: - data: - type: object - properties: - created_at: - format: date-time - type: string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - description: >- - An interval, in seconds, on which to run the query. May be - returned as number or string. - oneOf: - - type: integer - - type: string - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - prebuilt: - description: Whether the saved query is prebuilt. - type: boolean - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - saved_object_id: - description: The saved object ID of the saved query. - type: string - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - timeout: - description: The query timeout in seconds. - type: integer - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: - type: string - version: - description: The saved query version. 
- oneOf: - - type: integer - - type: string - required: - - saved_object_id - - id - required: - - data - Security_Osquery_API_DefaultSuccessResponse: - example: {} - type: object - properties: {} - Security_Osquery_API_ECSMapping: - additionalProperties: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' - description: >- - Map osquery results columns or static values to Elastic Common Schema - (ECS) fields - example: - host.uptime: - field: total_seconds - type: object - Security_Osquery_API_ECSMappingArray: - description: >- - ECS mapping in saved-object storage format (array of key-value pairs). - The find and copy pack endpoints return this format. The read endpoint - returns object format (ECSMapping). - items: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArrayItem' - type: array - Security_Osquery_API_ECSMappingArrayItem: - description: ECS mapping item in saved-object storage format (key-value pair). - type: object - properties: - key: - description: The ECS field name. - type: string - value: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' - Security_Osquery_API_ECSMappingArrayOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' - nullable: true - Security_Osquery_API_ECSMappingItem: - type: object - properties: - field: - description: The ECS field to map to. - example: host.uptime - type: string - value: - description: The value to map to the ECS field. - example: total_seconds - oneOf: - - type: string - - items: - type: string - type: array - Security_Osquery_API_ECSMappingOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - nullable: true - Security_Osquery_API_Enabled: - description: Enables the pack. 
- example: true - type: boolean - Security_Osquery_API_EnabledOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Enabled' - nullable: true - Security_Osquery_API_FindLiveQueryDetailsResponse: - example: - data: - '@timestamp': '2022-07-26T09:59:32.220Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2022-07-26T10:04:32.220Z' - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - docs: 0 - ecs_mapping: - host.uptime: - field: total_seconds - failed: 1 - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - pending: 0 - query: select * from uptime; - responded: 1 - saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - status: completed - successful: 0 - status: completed - user_id: elastic - type: object - properties: - data: - type: object - properties: - '@timestamp': - format: date-time - type: string - action_id: - type: string - agents: - items: - type: string - type: array - expiration: - format: date-time - type: string - pack_id: - type: string - pack_name: - type: string - prebuilt_pack: - type: boolean - queries: - description: The queries with their execution status. - items: - type: object - properties: - action_id: - type: string - agents: - items: - type: string - type: array - docs: - description: Number of result documents. - type: integer - ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined - failed: - description: Number of failed queries. - type: integer - id: - type: string - pending: - description: Number of pending agents. - type: integer - query: - type: string - responded: - description: Total responded agents. - type: integer - saved_query_id: - type: string - status: - description: Status of this individual query. - enum: - - completed - - running - type: string - successful: - description: Number of successful agents. 
- type: integer - type: array - status: - description: Global status of the live query (completed, running). - enum: - - completed - - running - type: string - tags: - items: - type: string - type: array - user_id: - type: string - user_profile_uid: - type: string - Security_Osquery_API_FindLiveQueryResponse: - example: - data: - items: - - _source: - '@timestamp': '2023-10-31T00:00:00Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2023-10-31T00:00:00Z' - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - ecs_mapping: - host.uptime: - field: total_seconds - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - query: select * from uptime; - saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - result_counts: - error_agents: 0 - responded_agents: 1 - successful_agents: 1 - total_rows: 42 - user_id: elastic - total: 1 - type: object - properties: - data: - type: object - properties: - items: - description: An array of live query action items. - items: - type: object - properties: - _source: - type: object - properties: - '@timestamp': - format: date-time - type: string - action_id: - type: string - agents: - items: - type: string - type: array - expiration: - format: date-time - type: string - pack_id: - type: string - queries: - items: - type: object - properties: - action_id: - type: string - agents: - items: - type: string - type: array - ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined - id: - type: string - query: - type: string - saved_query_id: - type: string - type: array - result_counts: - description: >- - Result count statistics (present when withResultCounts - is true). 
- type: object - properties: - error_agents: - type: integer - responded_agents: - type: integer - successful_agents: - type: integer - total_rows: - type: integer - user_id: - type: string - type: array - total: - description: The total number of live queries. - type: integer - Security_Osquery_API_FindPackResponse: - description: The details of a single query pack. - example: - data: - created_at: '2022-07-25T19:41:10.263Z' - created_by: elastic - description: '' - enabled: true - name: test_pack - namespaces: - - default - policy_ids: [] - queries: - uptime: - ecs_mapping: - message: - field: days - interval: 3600 - query: select * from uptime - read_only: false - saved_object_id: 3c42c847-eb30-4452-80e0-728584042334 - shards: {} - type: osquery-pack - updated_at: '2022-07-25T20:12:01.455Z' + updated_at: '2025-02-26T13:40:16.297Z' updated_by: elastic version: 1 type: object properties: data: - description: The pack details. type: object properties: created_at: 
@@ -54239,180 +126102,68 @@ components: created_by_profile_uid: type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Enabled' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' - namespaces: - description: The namespaces the pack belongs to. - items: - type: string - type: array policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' queries: $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - read_only: - description: Whether the pack is read-only (true for prebuilt packs). - type: boolean saved_object_id: description: The saved object ID of the pack. type: string shards: $ref: '#/components/schemas/Security_Osquery_API_Shards' - type: - description: The saved object type. - type: string updated_at: format: date-time type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: - type: string - version: - description: The pack version number. - type: integer - required: - - saved_object_id - - name - required: - - data - Security_Osquery_API_FindPacksResponse: - description: A paginated list of query packs. 
- example: - data: - - created_at: '2023-10-31T00:00:00Z' - created_by: elastic - created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - description: My pack description - enabled: true - name: My Pack - policy_ids: [] - queries: - - ecs_mapping: - - key: host.uptime - value: - field: total_seconds - id: uptime - interval: 3600 - query: select * from uptime; - read_only: false - saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - updated_at: '2023-10-31T00:00:00Z' - updated_by: elastic - updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - page: 1 - per_page: 10 - total: 1 + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + description: The pack version number. + type: integer + Security_Osquery_API_UpdateSavedQueryRequestBody: + example: + id: updated_my_saved_query_name type: object properties: - data: - description: An array of pack objects. - items: - type: object - properties: - created_at: - format: date-time - type: string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - description: >- - Pack queries in saved-object storage format (array). Note: the - read endpoint returns object format. 
- items: - type: object - properties: - ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingArrayOrUndefined - id: - type: string - interval: - type: integer - platform: - type: string - query: - type: string - removed: - type: boolean - snapshot: - type: boolean - timeout: - type: integer - version: - type: string - type: array - read_only: - description: Whether the pack is read-only (true for prebuilt packs). - type: boolean - saved_object_id: - description: The saved object ID of the pack. - type: string - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: - type: string - version: - description: The pack version number. - type: integer - required: - - saved_object_id - - name - type: array - page: - description: The current page number. - type: integer - per_page: - description: The number of results per page. - type: integer - total: - description: The total number of packs. - type: integer - required: - - page - - per_page - - total - - data - Security_Osquery_API_FindSavedQueryDetailResponse: - description: The details of a single saved query. + description: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + $ref: '#/components/schemas/Security_Osquery_API_Interval' + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + version: + $ref: '#/components/schemas/Security_Osquery_API_Version' + Security_Osquery_API_UpdateSavedQueryResponse: + description: The response for updating a saved query. 
example: data: - created_at: '2022-07-26T09:28:08.597Z' + created_at: '2025-02-26T13:37:30.452Z' created_by: elastic description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: saved_query_id + id: updated_my_saved_query_name interval: '60' - platform: linux,darwin - prebuilt: false query: select * from uptime; - saved_object_id: 3c42c847-eb30-4452-80e0-728584042334 - updated_at: '2022-07-26T09:28:08.597Z' + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + updated_at: '2025-02-26T13:40:16.297Z' updated_by: elastic - version: 2.8.0 + version: WzQzMTcsMV0= type: object properties: data: @@ -54427,10 +126178,9 @@ components: created_by_profile_uid: type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' interval: @@ -54438,17 +126188,17 @@ components: - type: integer - type: string platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Platform' prebuilt: type: boolean query: $ref: '#/components/schemas/Security_Osquery_API_Query' removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Removed' saved_object_id: type: string snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' timeout: type: integer updated_at: 
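Review bot: The `Security_Osquery_API_UpdateSavedQueryResponse` example in this hunk replaces `version: 2.8.0` with `version: WzQzMTcsMV0=`, which looks like a saved-object version token rather than the osquery version string that the request body's `version` carries (the `UpdateSavedQueryRequestBody.version` property added here refs `Security_Osquery_API_Version`, documented elsewhere in this file as "Osquery versions greater than or equal to the specified version string", example `1.0.0`). As written, a reader who echoes the response `version` back into an update request would be sending a saved-object token into a field documented as a minimum osquery version, and the response property itself is only described as "The saved query version" outside this hunk. Either restore an osquery-style example (`version: 2.8.0`) or, if the response field really is the saved-object version, document that explicitly on the response property, e.g. `description: The saved object version of the saved query; not the osquery version constraint given in the request body's `version`.` The same hunk also introduces `id: updated_my_saved_query_name` alongside a UUID `saved_object_id`, while `Security_Osquery_API_SavedQueryId` (defined earlier in this file) is described as "The ID of a saved query" with a UUID example; presumably `id` is the user-chosen identifier and the schema's description/example should say so. The `UpdateSavedQueryResponse` schema's `properties` continue past the end of this hunk.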
@@ -54460,1981 +126210,2256 @@ components: updated_by_profile_uid: type: string version: - oneOf: - - type: integer - - type: string + description: The saved query version. + type: string required: - saved_object_id - id required: - data - Security_Osquery_API_FindSavedQueryResponse: - description: A paginated list of saved queries. - example: - data: - - created_at: '2022-07-26T09:28:08.597Z' - created_by: elastic - created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: saved_query_id - interval: '60' - platform: linux,darwin - prebuilt: false - query: select * from uptime; - saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - updated_at: '2022-07-26T09:28:08.597Z' - updated_by: elastic - updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - version: 2.8.0 - page: 1 - per_page: 100 - total: 11 + Security_Osquery_API_Version: + description: Uses the Osquery versions greater than or equal to the specified version string. + example: 1.0.0 + type: string + Security_Osquery_API_VersionOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Version' + nullable: true + Security_Timeline_API_AssociatedFilterType: + description: | + How the note is associated with a Timeline saved object and/or an event (`eventId`). `all`: no association-based restriction from this parameter. `document_only`: document-linked notes (non-empty `eventId`) without timeline association in the API's internal sense; post-filtering drops notes without a usable `eventId`. `saved_object_only`: timeline notes with no linked event (`eventId` empty or absent); post-filtering keeps timeline-only notes. `document_and_saved_object`: notes on a timeline and linked to an event; post-filtering enforces a real `eventId`. `orphan`: not on a timeline and `eventId` is empty (stricter than missing `eventId` in some cases). 
+ enum: + - all + - document_only + - saved_object_only + - document_and_saved_object + - orphan + type: string + Security_Timeline_API_BareNote: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_NoteCreatedAndUpdatedMetadata' + - type: object + properties: + eventId: + description: | + Elasticsearch document `_id` for the event or alert this note refers to. Same value as the `documentIds` query parameter when fetching notes via GET /api/note. + example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + nullable: true + type: string + note: + description: The text of the note + example: This is an example text + nullable: true + type: string + timelineId: + description: The `savedObjectId` of the Timeline this note belongs to (not the note's own ID). + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + type: string + required: + - timelineId + Security_Timeline_API_BarePinnedEvent: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata' + - type: object + properties: + eventId: + description: The `_id` of the associated event for this pinned event. + example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + type: string + timelineId: + description: The `savedObjectId` of the timeline that this pinned event is associated with + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + type: string + required: + - eventId + - timelineId + Security_Timeline_API_ColumnHeaderResult: type: object properties: - data: - description: An array of saved query objects. 
+ aggregatable: + nullable: true + type: boolean + category: + nullable: true + type: string + columnHeaderType: + nullable: true + type: string + description: + nullable: true + type: string + example: + nullable: true + type: string + id: + nullable: true + type: string + indexes: items: - type: object - properties: - created_at: - format: date-time - type: string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined - ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - oneOf: - - type: integer - - type: string - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - prebuilt: - type: boolean - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - saved_object_id: - type: string - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - timeout: - type: integer - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: - type: string - version: - oneOf: - - type: integer - - type: string - required: - - saved_object_id - - id + type: string + nullable: true type: array - page: - description: The current page number. - type: integer - per_page: - description: The number of results per page. - type: integer - total: - description: The total number of saved queries. 
- type: integer + name: + nullable: true + type: string + placeholder: + nullable: true + type: string + searchable: + nullable: true + type: boolean + type: + nullable: true + type: string + Security_Timeline_API_DataProviderQueryMatch: + type: object + properties: + enabled: + nullable: true + type: boolean + excluded: + nullable: true + type: boolean + id: + nullable: true + type: string + kqlQuery: + nullable: true + type: string + name: + nullable: true + type: string + queryMatch: + $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' + nullable: true + type: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' + nullable: true + Security_Timeline_API_DataProviderResult: + type: object + properties: + and: + items: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderQueryMatch' + nullable: true + type: array + enabled: + nullable: true + type: boolean + excluded: + nullable: true + type: boolean + id: + nullable: true + type: string + kqlQuery: + nullable: true + type: string + name: + nullable: true + type: string + queryMatch: + $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' + nullable: true + type: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' + nullable: true + Security_Timeline_API_DataProviderType: + description: The type of data provider. + enum: + - default + - template + type: string + Security_Timeline_API_DocumentIds: + description: One document ID or an array of IDs (Elasticsearch `_id` of the event). 
+ oneOf: + - items: + type: string + type: array + - type: string + Security_Timeline_API_FavoriteTimelineResponse: + type: object + properties: + favorite: + items: + $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' + type: array + savedObjectId: + type: string + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + version: + type: string required: - - page - - per_page - - total - - data - Security_Osquery_API_GetLiveQueryResultsResponse: - description: The response for getting live query results. + - savedObjectId + - version + Security_Timeline_API_FavoriteTimelineResult: + description: Indicates when and who marked a Timeline as a favorite. example: - data: - edges: - - _id: doc1 - _source: {} - - _id: doc2 - _source: {} - total: 2 + favoriteDate: 1741337636741 + userName: elastic type: object properties: - data: - type: object - properties: - edges: - description: The result rows from the query execution. - items: - type: object - properties: - _id: - type: string - _source: - description: >- - The Elasticsearch document source containing query - results. - type: object - type: array - total: - description: The total number of result rows. 
- type: integer - Security_Osquery_API_GetScheduledActionResultsResponse: + favoriteDate: + nullable: true + type: number + fullName: + nullable: true + type: string + userName: + nullable: true + type: string + Security_Timeline_API_FilterTimelineResult: example: - aggregations: - failed: 1 - pending: 0 - successful: 9 - totalResponded: 10 - totalRowCount: 42 - currentPage: 0 - edges: - - _id: result-001 - fields: - agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 - rows_count: 5 - status: success - metadata: - executionCount: 3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - timestamp: '2024-07-26T09:00:00.000Z' - pageSize: 20 - total: 10 - totalPages: 1 + meta: + alias: Custom filter name + disabled: false + index: .alerts-security.alerts-default,logs-* + key: '@timestamp' + negate: false, + type: exists + value: exists + query: '{"exists":{"field":"@timestamp"}}' type: object properties: - aggregations: - $ref: >- - #/components/schemas/Security_Osquery_API_ScheduledActionResultsAggregations - currentPage: - description: The current page number (zero-based). - type: integer - edges: - description: The paginated list of per-agent action results. - items: - type: object - type: array - inspect: - description: Debug/inspection data for the search query. + exists: + nullable: true + type: string + match_all: + nullable: true + type: string + meta: + nullable: true type: object - metadata: - $ref: '#/components/schemas/Security_Osquery_API_ScheduledExecutionMetadata' - pageSize: - description: The number of results per page. - type: integer - total: - description: The total number of action results. - type: integer - totalPages: - description: The total number of pages. - type: integer - Security_Osquery_API_GetScheduledQueryResultsResponse: - description: The response for getting scheduled query results. 
- example: - data: - edges: - - _id: row-001 - fields: - host.uptime: - - '12345' - - _id: row-002 - fields: - host.uptime: - - '67890' - total: 2 + properties: + alias: + nullable: true + type: string + controlledBy: + nullable: true + type: string + disabled: + nullable: true + type: boolean + field: + nullable: true + type: string + formattedValue: + nullable: true + type: string + index: + nullable: true + type: string + key: + nullable: true + type: string + negate: + nullable: true + type: boolean + params: + nullable: true + type: string + type: + nullable: true + type: string + value: + nullable: true + type: string + missing: + nullable: true + type: string + query: + nullable: true + type: string + range: + nullable: true + type: string + script: + nullable: true + type: string + Security_Timeline_API_GetNotesResult: type: object properties: - data: - description: The query results data wrapper. - type: object - properties: - edges: - description: The paginated list of query result rows. - items: - type: object - type: array - inspect: - description: Debug/inspection data for the search query. - type: object - total: - description: The total number of result rows. 
- type: integer - Security_Osquery_API_GetUnifiedHistoryResponse: - example: - data: - - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agentCount: 5 - errorCount: 0 - id: 3c42c847-eb30-4452-80e0-728584042334 - queryName: uptime_query - queryText: select * from uptime; - source: Live - sourceType: live - successCount: 5 - timestamp: '2024-07-26T09:59:32.220Z' - totalRows: 42 - userId: elastic - - agentCount: 10 - errorCount: 1 - executionCount: 3 - id: pack_my_pack_uptime_3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - plannedTime: '2024-07-26T09:00:00.000Z' - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - source: Scheduled - sourceType: scheduled - successCount: 9 - timestamp: '2024-07-26T09:00:00.000Z' - totalRows: 100 - hasMore: true - nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... + notes: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + type: array + totalCount: + description: Number of notes returned (may be adjusted after the query when `associatedFilter` applies post-filtering). + type: number + required: + - totalCount + - notes + Security_Timeline_API_ImportTimelineResult: type: object properties: - data: - description: The list of unified history rows for the current page. 
+ errors: + description: The list of failed Timeline imports items: - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRow' + type: object + properties: + error: + description: The error containing the reason why the timeline could not be imported + type: object + properties: + message: + description: The reason why the timeline could not be imported + example: Malformed JSON + type: string + status_code: + description: The HTTP status code of the error + example: 400 + type: number + id: + description: The ID of the timeline that failed to import + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + type: string type: array - hasMore: - description: Whether there are more results beyond the current page. + success: + description: Indicates whether any of the Timelines were successfully imports type: boolean - nextPage: - description: >- - A base64-encoded cursor to fetch the next page. Absent when there - are no more results. - type: string - required: - - data - - hasMore - Security_Osquery_API_Interval: - description: An interval, in seconds, on which to run the query. - example: '60' - type: string - Security_Osquery_API_IntervalOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Interval' - nullable: true - Security_Osquery_API_KueryOrUndefined: - description: The kuery to filter the results by. 
- example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13' - nullable: true - type: string - Security_Osquery_API_LiveHistoryRow: + success_count: + description: The amount of successfully imported/updated Timelines + example: 99 + type: number + timelines_installed: + description: The amount of successfully installed Timelines + example: 80 + type: number + timelines_updated: + description: The amount of successfully updated Timelines + example: 19 + type: number + Security_Timeline_API_ImportTimelines: allOf: - - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - type: object properties: - actionId: - description: The Fleet action ID for the live query. - type: string - agentAll: - description: Whether the query targeted all agents. - type: boolean - agentIds: - description: List of targeted agent IDs. + eventNotes: items: - type: string + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + nullable: true type: array - agentPlatforms: - description: List of targeted agent platforms. + globalNotes: items: - type: string + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + nullable: true type: array - agentPolicyIds: - description: List of targeted agent policy IDs. + pinnedEventIds: items: type: string + nullable: true type: array - ecsMapping: - additionalProperties: true - description: ECS mapping configuration used for the query. - type: object - queriesTotal: - description: The total number of sub-queries in the live action. - type: integer - queriesWithResults: - description: The number of sub-queries that returned results. - type: integer - savedQueryId: - description: >- - The saved query ID, if the live query was based on a saved - query. - type: string - source: - description: >- - Whether this was a manually run live query or triggered by a - rule. 
- enum: - - Live - - Rule + savedObjectId: + nullable: true type: string - sourceType: - description: Identifies this as a live query history row. - enum: - - live + version: + nullable: true type: string - timeout: - description: The query timeout in seconds. - type: integer - userId: - description: The ID of the user who ran the query. + required: + - savedObjectId + - version + - pinnedEventIds + - eventNotes + - globalNotes + Security_Timeline_API_Note: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_BareNote' + - type: object + properties: + noteId: + description: The `savedObjectId` of the note + example: 709f99c6-89b6-4953-9160-35945c8e174e type: string - userProfileUid: - description: The user profile UID of the user who ran the query. + version: + description: The version of the note + example: WzQ2LDFd type: string required: - - sourceType - - source - Security_Osquery_API_ObjectQueries: - additionalProperties: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem' - description: An object of queries. - type: object - Security_Osquery_API_ObjectQueriesItem: - type: object - properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_QueryId' - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - saved_query_id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' - Security_Osquery_API_PackDescription: - description: The pack description. 
- example: Pack description - type: string - Security_Osquery_API_PackDescriptionOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_PackDescription' - nullable: true - Security_Osquery_API_PackId: - description: The ID of the pack. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - Security_Osquery_API_PackIdOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - nullable: true - Security_Osquery_API_PackName: - description: The pack name. - example: my_pack - type: string - Security_Osquery_API_PageOrUndefined: - description: The page number to return. The default is 1. - example: 1 - nullable: true - type: integer - Security_Osquery_API_PageSizeOrUndefined: - description: The number of results to return per page. The default is 20. - example: 20 - nullable: true - type: integer - Security_Osquery_API_Platform: - description: >- - Restricts the query to a specified platform. The default is all - platforms. To specify multiple platforms, use commas. For example, - `linux,darwin`. - example: linux,darwin - type: string - Security_Osquery_API_PlatformOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Platform' - nullable: true - Security_Osquery_API_PolicyIds: - description: A list of agents policy IDs. - example: - - policyId1 - - policyId2 - items: - type: string - type: array - Security_Osquery_API_PolicyIdsOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' - nullable: true - Security_Osquery_API_Query: - description: The SQL query you want to run. - example: select * from uptime; - type: string - Security_Osquery_API_QueryId: - description: The ID of the query. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - Security_Osquery_API_QueryOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Query' - nullable: true - Security_Osquery_API_Removed: - description: Indicates whether the query is removed. 
- example: false - type: boolean - Security_Osquery_API_RemovedOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Removed' - nullable: true - Security_Osquery_API_SavedQueryDescription: - description: The saved query description. - example: Saved query description - type: string - Security_Osquery_API_SavedQueryDescriptionOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' - nullable: true - Security_Osquery_API_SavedQueryId: - description: The ID of a saved query. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - Security_Osquery_API_SavedQueryIdOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - nullable: true - Security_Osquery_API_ScheduledActionResultsAggregations: + - noteId + - version + Security_Timeline_API_NoteCreatedAndUpdatedMetadata: type: object properties: - failed: - description: The number of agents that returned errors. - type: integer - pending: - description: The number of agents with pending responses. - type: integer - successful: - description: The number of agents that completed successfully. - type: integer - totalResponded: - description: The total number of agents that responded. - type: integer - totalRowCount: - description: The total number of result rows across all agents. - type: integer - Security_Osquery_API_ScheduledExecutionMetadata: - description: Execution metadata resolved from the pack saved object. + created: + description: The time the note was created, using a 13-digit Epoch timestamp. + example: 1587468588922 + nullable: true + type: number + createdBy: + description: The user who created the note. 
+ example: casetester + nullable: true + type: string + updated: + description: The last time the note was updated, using a 13-digit Epoch timestamp + example: 1741344876825 + nullable: true + type: number + updatedBy: + description: The user who last updated the note + example: casetester + nullable: true + type: string + Security_Timeline_API_PersistPinnedEventResponse: + oneOf: + - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + - type: object + properties: + unpinned: + description: Indicates whether the event was successfully unpinned + type: boolean + required: + - unpinned + Security_Timeline_API_PersistTimelineResponse: + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + Security_Timeline_API_PinnedEvent: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_BarePinnedEvent' + - type: object + properties: + pinnedEventId: + description: The `savedObjectId` of this pinned event + example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + type: string + version: + description: The version of this pinned event + example: WzQ2LDFe + type: string + required: + - pinnedEventId + - version + Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata: type: object properties: - executionCount: - description: The execution count for this scheduled query run. - type: integer - packId: - description: The ID of the pack containing the query. + created: + description: The time the pinned event was created, using a 13-digit Epoch timestamp. + example: 1587468588922 + nullable: true + type: number + createdBy: + description: The user who created the pinned event. + example: casetester + nullable: true type: string - packName: - description: The name of the pack containing the query. 
+ updated: + description: The last time the pinned event was updated, using a 13-digit Epoch timestamp + example: 1741344876825 + nullable: true + type: number + updatedBy: + description: The user who last updated the pinned event + example: casetester + nullable: true type: string - queryName: - description: The name of the query within the pack. + Security_Timeline_API_QueryMatchResult: + type: object + properties: + displayField: + nullable: true type: string - queryText: - description: The SQL query that was executed. + displayValue: + nullable: true type: string - scheduleId: - description: The schedule ID for the scheduled query. + field: + nullable: true type: string - timestamp: - description: The timestamp of the most recent response for this execution. + operator: + nullable: true type: string - Security_Osquery_API_ScheduledHistoryRow: - allOf: - - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' - - type: object - properties: - executionCount: - description: The execution count for this scheduled query run. - type: integer - plannedTime: - description: The planned execution time for the scheduled query. - type: string - scheduleId: - description: The schedule ID for the scheduled query. - type: string - source: - description: Indicates this is a scheduled query execution. - enum: - - Scheduled - type: string - sourceType: - description: Identifies this as a scheduled query history row. - enum: - - scheduled + value: + oneOf: + - nullable: true type: string - required: - - sourceType - - source - Security_Osquery_API_Shards: - additionalProperties: - type: number - description: >- - An object with shard configuration for policies included in the pack. - For each policy, set the shard configuration to a percentage (1–100) of - target hosts. 
- example: - policy_id: 50 + - items: + type: string + nullable: true + type: array + Security_Timeline_API_ResolvedTimeline: type: object - Security_Osquery_API_Snapshot: - description: Indicates whether the query is a snapshot. - example: true - type: boolean - Security_Osquery_API_SnapshotOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Snapshot' - nullable: true - Security_Osquery_API_SortOrderOrUndefined: - description: Specifies the sort order. + properties: + alias_purpose: + $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose' + alias_target_id: + type: string + outcome: + $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome' + timeline: + $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject' + required: + - timeline + - outcome + Security_Timeline_API_ResponseNote: + type: object + properties: + note: + $ref: '#/components/schemas/Security_Timeline_API_Note' + required: + - note + Security_Timeline_API_RowRendererId: + description: Identifies the available row renderers + enum: + - alert + - alerts + - auditd + - auditd_file + - library + - netflow + - plain + - registry + - suricata + - system + - system_dns + - system_endgame_process + - system_file + - system_fim + - system_security_event + - system_socket + - threat_match + - zeek + type: string + Security_Timeline_API_SavedObjectIds: + description: One Timeline saved object ID or an array of IDs. + oneOf: + - items: + type: string + type: array + - type: string + Security_Timeline_API_SavedObjectResolveAliasPurpose: enum: - - asc - - desc - example: desc + - savedObjectConversion + - savedObjectImport type: string - Security_Osquery_API_SortOrUndefined: - default: createdAt - description: The field that is used to sort the results. 
- example: createdAt - nullable: true + Security_Timeline_API_SavedObjectResolveOutcome: + enum: + - exactMatch + - aliasMatch + - conflict type: string - Security_Osquery_API_UnifiedHistoryRow: - discriminator: - mapping: - live: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' - scheduled: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' - propertyName: sourceType - oneOf: - - $ref: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' - - $ref: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' - Security_Osquery_API_UnifiedHistoryRowBase: + Security_Timeline_API_SavedTimeline: type: object properties: - agentCount: - description: The number of agents targeted by the query. - type: integer - errorCount: - description: The number of agent responses with errors. + columns: + description: The Timeline's columns + example: + - columnHeaderType: not-filtered + id: '@timestamp' + - columnHeaderType: not-filtered + id: event.category + items: + $ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult' + nullable: true + type: array + created: + description: The time the Timeline was created, using a 13-digit Epoch timestamp. + example: 1587468588922 + nullable: true + type: number + createdBy: + description: The user who created the Timeline. + example: casetester nullable: true - type: integer - id: - description: Unique identifier for the history row. - type: string - packId: - description: The ID of the pack containing the query. - type: string - packName: - description: The name of the pack containing the query. - type: string - queryName: - description: The name of the query, if available. - type: string - queryText: - description: The SQL query that was executed. - type: string - spaceId: - description: The Kibana space ID where the query was executed. type: string - successCount: - description: The number of successful agent responses. 
+ dataProviders: + description: Object containing query clauses + example: + - enabled: true + excluded: false + id: id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b + name: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b + queryMatch: + field: _id, + operator: ':' + value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b, + items: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderResult' + nullable: true + type: array + dataViewId: + description: ID of the Timeline's Data View + example: security-solution-default nullable: true - type: integer - timestamp: - description: The timestamp of the query execution. type: string - totalRows: - description: The total number of result rows returned across all agents. + dateRange: + description: The Timeline's search period. + example: + end: 1587456479201 + start: 1587370079200 nullable: true - type: integer - required: - - id - - timestamp - - queryText - - agentCount - Security_Osquery_API_UpdatePacksRequestBody: - example: - name: updated_my_pack_name - type: object - properties: + type: object + properties: + end: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + start: + oneOf: + - nullable: true + type: string + - nullable: true + type: number description: - $ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined' - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - shards: - $ref: '#/components/schemas/Security_Osquery_API_Shards' - Security_Osquery_API_UpdatePacksResponse: - description: The response for updating a pack. 
- example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: true - name: updated_my_pack_name - policy_ids: - - my_policy_id - queries: - ports: - ecs_mapping: - client.port: - field: port - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: - 47638692-7c4c-4053-aa3e-7186f28df349: 35 - 5e267651-fe50-443e-8d3f-3bbc9171b618: 58 - updated_at: '2025-02-26T13:40:16.297Z' - updated_by: elastic - version: 1 - type: object - properties: - data: + description: The Timeline's description + example: Investigating exposure of CVE XYZ + nullable: true + type: string + eqlOptions: + description: EQL query that is used in the correlation tab + example: + eventCategoryField: event.category + query: sequence\n[process where process.name == "sudo"]\n[any where true] + size: 100 + timestampField: '@timestamp' + nullable: true type: object properties: - created_at: - format: date-time - type: string - created_by: + eventCategoryField: nullable: true type: string - created_by_profile_uid: - type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - saved_object_id: - description: The saved object ID of the pack. 
+ query: + nullable: true type: string - shards: - $ref: '#/components/schemas/Security_Osquery_API_Shards' - updated_at: - format: date-time + size: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + tiebreakerField: + nullable: true type: string - updated_by: + timestampField: nullable: true type: string - updated_by_profile_uid: + eventType: + deprecated: true + description: Event types displayed in the Timeline + example: all + nullable: true + type: string + excludedRowRendererIds: + description: A list of row renderers that should not be used when in `Event renderers` mode + items: + $ref: '#/components/schemas/Security_Timeline_API_RowRendererId' + nullable: true + type: array + favorite: + items: + $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' + nullable: true + type: array + filters: + description: A list of filters that should be applied to the query + items: + $ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult' + nullable: true + type: array + indexNames: + description: A list of index names to use in the query (e.g. 
when the default data view has been modified) + example: + - .logs* + items: + type: string + nullable: true + type: array + kqlMode: + description: |- + Indicates whether the KQL bar filters the query results or searches for additional results, where: + * `filter`: filters query results + * `search`: displays additional search results + example: search + nullable: true + type: string + kqlQuery: + $ref: '#/components/schemas/Security_Timeline_API_SerializedFilterQueryResult' + nullable: true + savedQueryId: + description: The ID of the saved query that might be used in the Query tab + example: c7b16904-02d7-4f32-b8f2-cc20f9625d6e + nullable: true + type: string + savedSearchId: + description: The ID of the saved search that is used in the ES|QL tab + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true + type: string + sort: + $ref: '#/components/schemas/Security_Timeline_API_Sort' + nullable: true + status: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' + nullable: true + templateTimelineId: + description: A unique ID (UUID) for Timeline templates. For Timelines, the value is `null`. + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true + type: string + templateTimelineVersion: + description: Timeline template version number. For Timelines, the value is `null`. + example: 12 + nullable: true + type: number + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + title: + description: The Timeline's title. 
+ example: CVE XYZ investigation + nullable: true + type: string + updated: + description: The last time the Timeline was updated, using a 13-digit Epoch timestamp + example: 1741344876825 + nullable: true + type: number + updatedBy: + description: The user who last updated the Timeline + example: casetester + nullable: true + type: string + Security_Timeline_API_SavedTimelineWithSavedObjectId: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object + properties: + savedObjectId: + description: The `savedObjectId` of the Timeline or Timeline template + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e type: string version: - description: The pack version number. - type: integer - Security_Osquery_API_UpdateSavedQueryRequestBody: - example: - id: updated_my_saved_query_name - type: object - properties: - description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - $ref: '#/components/schemas/Security_Osquery_API_IntervalOrUndefined' - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - query: - $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' - Security_Osquery_API_UpdateSavedQueryResponse: - description: The response for updating a saved query. + description: The version of the Timeline or Timeline template + example: WzE0LDFd + type: string + required: + - savedObjectId + - version + Security_Timeline_API_SerializedFilterQueryResult: + description: KQL bar query. 
example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - id: updated_my_saved_query_name - interval: '60' - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - updated_at: '2025-02-26T13:40:16.297Z' - updated_by: elastic - version: WzQzMTcsMV0= + filterQuery: null + kuery: + expression: '_id : *' + kind: kuery + serializedQuery: '{"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}}' type: object properties: - data: + filterQuery: + nullable: true type: object properties: - created_at: - format: date-time - type: string - created_by: + kuery: nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - oneOf: - - type: integer - - type: string - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - prebuilt: - type: boolean - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - saved_object_id: - type: string - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - timeout: - type: integer - updated_at: - format: date-time - type: string - updated_by: + type: object + properties: + expression: + nullable: true + type: string + kind: + nullable: true + type: string + serializedQuery: nullable: true type: string - updated_by_profile_uid: - type: string - version: - description: The saved query version. - type: string - required: - - saved_object_id - - id - required: - - data - Security_Osquery_API_Version: - description: >- - Uses the Osquery versions greater than or equal to the specified version - string. 
- example: 1.0.0 - type: string - Security_Osquery_API_VersionOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Version' - nullable: true - Security_Timeline_API_AssociatedFilterType: - description: > - How the note is associated with a Timeline saved object and/or an event - (`eventId`). `all`: no association-based restriction from this - parameter. `document_only`: document-linked notes (non-empty `eventId`) - without timeline association in the API's internal sense; post-filtering - drops notes without a usable `eventId`. `saved_object_only`: timeline - notes with no linked event (`eventId` empty or absent); post-filtering - keeps timeline-only notes. `document_and_saved_object`: notes on a - timeline and linked to an event; post-filtering enforces a real - `eventId`. `orphan`: not on a timeline and `eventId` is empty (stricter - than missing `eventId` in some cases). + Security_Timeline_API_Sort: + oneOf: + - $ref: '#/components/schemas/Security_Timeline_API_SortObject' + - items: + $ref: '#/components/schemas/Security_Timeline_API_SortObject' + type: array + Security_Timeline_API_SortFieldTimeline: + description: The field to sort the timelines by. 
enum: - - all - - document_only - - saved_object_only - - document_and_saved_object - - orphan + - title + - description + - updated + - created type: string - Security_Timeline_API_BareNote: + Security_Timeline_API_SortObject: + description: Object indicating how rows are sorted in the Timeline's grid + example: + columnId: '@timestamp' + sortDirection: desc + type: object + properties: + columnId: + nullable: true + type: string + columnType: + nullable: true + type: string + sortDirection: + nullable: true + type: string + Security_Timeline_API_TimelineResponse: allOf: - - $ref: >- - #/components/schemas/Security_Timeline_API_NoteCreatedAndUpdatedMetadata + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId' - type: object properties: - eventId: - description: > - Elasticsearch document `_id` for the event or alert this note - refers to. Same value as the `documentIds` query parameter when - fetching notes via GET /api/note. - example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + eventIdToNoteIds: + description: A list of all the notes that are associated to this Timeline. + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' nullable: true - type: string - note: - description: The text of the note - example: This is an example text + type: array + noteIds: + description: A list of all the ids of notes that are associated to this Timeline. + example: + - 709f99c6-89b6-4953-9160-35945c8e174e + items: + type: string + nullable: true + type: array + notes: + description: A list of all the notes that are associated to this Timeline. + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + nullable: true + type: array + pinnedEventIds: + description: A list of all the ids of pinned events that are associated to this Timeline. 
+ example: + - 983f99c6-89b6-4953-9160-35945c8a194f + items: + type: string + nullable: true + type: array + pinnedEventsSaveObject: + description: A list of all the pinned events that are associated to this Timeline. + items: + $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + nullable: true + type: array + Security_Timeline_API_TimelineSavedToReturnObject: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object + properties: + eventIdToNoteIds: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + nullable: true + type: array + noteIds: + items: + type: string + nullable: true + type: array + notes: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + nullable: true + type: array + pinnedEventIds: + items: + type: string + nullable: true + type: array + pinnedEventsSaveObject: + items: + $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' nullable: true + type: array + savedObjectId: type: string - timelineId: - description: >- - The `savedObjectId` of the Timeline this note belongs to (not - the note's own ID). - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: type: string required: - - timelineId - Security_Timeline_API_BarePinnedEvent: - allOf: - - $ref: >- - #/components/schemas/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata - - type: object + - savedObjectId + - version + Security_Timeline_API_TimelineStatus: + description: The status of the Timeline. + enum: + - active + - draft + - immutable + type: string + Security_Timeline_API_TimelineType: + description: The type of Timeline. + enum: + - default + - template + type: string + Short_URL_APIs_urlResponse: + type: object + properties: + accessCount: + type: integer + accessDate: + type: string + createDate: + type: string + id: + description: The identifier for the short URL. 
+ type: string + locator: + type: object properties: - eventId: - description: The `_id` of the associated event for this pinned event. - example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + id: + description: The identifier for the locator. type: string - timelineId: - description: >- - The `savedObjectId` of the timeline that this pinned event is - associated with - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + state: + description: The locator parameters. + type: object + version: + description: The version of Kibana when the short URL was created. type: string - required: - - eventId - - timelineId - Security_Timeline_API_ColumnHeaderResult: + slug: + description: | + A random human-readable slug is automatically generated if the `humanReadableSlug` parameter is set to `true`. If it is set to `false`, a random short string is generated. + type: string + SLOs_400_response: + title: Bad request type: object properties: - aggregatable: - nullable: true - type: boolean - category: - nullable: true + error: + example: Bad Request type: string - columnHeaderType: - nullable: true + message: + example: 'Invalid value ''foo'' supplied to: [...]' type: string - description: - nullable: true + statusCode: + example: 400 + type: number + required: + - statusCode + - error + - message + SLOs_401_response: + title: Unauthorized + type: object + properties: + error: + example: Unauthorized type: string - example: - nullable: true + message: + example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" type: string - id: - nullable: true + statusCode: + example: 401 + type: number + required: + - statusCode + - error + - message + SLOs_403_response: + title: Forbidden + type: object + properties: + error: + example: Forbidden type: string - indexes: + message: + example: 
"[security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [slo_write] is unauthorized for user [limited_user] for REST request [/api/observability/slos]]: action [slo_write] is unauthorized for user [limited_user]" + type: string + statusCode: + example: 403 + type: number + required: + - statusCode + - error + - message + SLOs_404_response: + title: Not found + type: object + properties: + error: + example: Not Found + type: string + message: + example: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + type: string + statusCode: + example: 404 + type: number + required: + - statusCode + - error + - message + SLOs_409_response: + title: Conflict + type: object + properties: + error: + example: Conflict + type: string + message: + example: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists + type: string + statusCode: + example: 409 + type: number + required: + - statusCode + - error + - message + SLOs_artifacts: + description: Links to related assets for the SLO + properties: + dashboards: + description: Array of dashboard references + items: + type: object + properties: + id: + description: Dashboard saved-object id + type: string + required: + - id + type: array + title: Artifacts + type: object + SLOs_budgeting_method: + description: The budgeting method to use when computing the rollup data. + enum: + - occurrences + - timeslices + example: occurrences + title: Budgeting method + type: string + SLOs_bulk_delete_request: + description: | + The bulk delete SLO request takes a list of SLOs Definition id to delete. 
+ properties: + list: + description: An array of SLO Definition id items: + description: The SLO Definition id + example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string - nullable: true type: array - name: - nullable: true + required: + - list + title: Bulk delete SLO request + type: object + SLOs_bulk_delete_response: + description: | + The bulk delete SLO response returns a taskId that can be used to poll for its status + properties: + taskId: + description: The taskId of the bulk delete operation + example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 type: string - placeholder: - nullable: true + title: Bulk delete SLO response + type: object + SLOs_bulk_delete_status_response: + description: Indicates if the bulk deletion is completed, with the detailed results of the operation. + properties: + error: + description: The error message if the bulk deletion operation failed + example: Task not found type: string - searchable: - nullable: true + isDone: + description: Indicates if the bulk deletion operation is completed + example: true type: boolean - type: - nullable: true + results: + description: The results of the bulk deletion operation, including the success status and any errors for each SLO + items: + type: object + properties: + error: + description: The error message if the deletion operation failed for this SLO + example: SLO [d08506b7-f0e8-4f8b-a06a-a83940f4db91] not found + type: string + id: + description: The ID of the SLO that was deleted + example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 + type: string + success: + description: The result of the deletion operation for this SLO + example: true + type: boolean + type: array + title: The status of the bulk deletion + type: object + SLOs_bulk_purge_rollup_request: + description: | + The bulk purge rollup data request takes a list of SLO ids and a purge policy, then deletes the rollup data according to the purge policy. 
This API can be used to remove the staled data of an instance SLO that no longer get updated. + properties: + list: + description: An array of slo ids + items: + description: The SLO Definition id + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + type: array + purgePolicy: + description: Policy that dictates which SLI documents to purge based on age + oneOf: + - type: object + properties: + age: + description: The duration to determine which documents to purge, formatted as {duration}{unit}. This value should be greater than or equal to the time window of every SLO provided. + example: 7d + type: string + purgeType: + description: Specifies whether documents will be purged based on a specific age or on a timestamp + enum: + - fixed-age + type: string + - type: object + properties: + purgeType: + description: Specifies whether documents will be purged based on a specific age or on a timestamp + enum: + - fixed-time + type: string + timestamp: + description: The timestamp to determine which documents to purge, formatted in ISO. This value should be older than the applicable time window of every SLO provided. + example: '2024-12-31T00:00:00.000Z' + type: string + type: object + required: + - list + - purgePolicy + title: Bulk Purge Rollup data request + type: object + SLOs_bulk_purge_rollup_response: + description: | + The bulk purge rollup data response returns a task id from the elasticsearch deleteByQuery response. + properties: + taskId: + description: The task id of the purge operation + example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string - Security_Timeline_API_DataProviderQueryMatch: + title: Bulk Purge Rollup data response type: object + SLOs_create_slo_request: + description: | + The create SLO API request body varies depending on the type of indicator, time window and budgeting method. 
properties: - enabled: - nullable: true - type: boolean - excluded: - nullable: true - type: boolean - id: - nullable: true + artifacts: + $ref: '#/components/schemas/SLOs_artifacts' + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + description: + description: A description for the SLO. type: string - kqlQuery: - nullable: true + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + id: + description: A optional and unique identifier for the SLO. Must be between 8 and 36 chars + example: my-super-slo-id type: string + indicator: + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' name: - nullable: true + description: A name for the SLO. 
type: string - queryMatch: - $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' - nullable: true - type: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' - nullable: true - Security_Timeline_API_DataProviderResult: + objective: + $ref: '#/components/schemas/SLOs_objective' + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + required: + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + title: Create SLO request + type: object + SLOs_create_slo_response: + title: Create SLO response type: object properties: - and: + id: + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + required: + - id + SLOs_delete_slo_instances_request: + description: | + The delete SLO instances request takes a list of SLO id and instance id, then delete the rollup and summary data. This API can be used to remove the staled data of an instance SLO that no longer get updated. + properties: + list: + description: An array of slo id and instance id items: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderQueryMatch' - nullable: true + type: object + properties: + instanceId: + description: The SLO instance identifier + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + sloId: + description: The SLO unique identifier + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + required: + - sloId + - instanceId type: array - enabled: - nullable: true + required: + - list + title: Delete SLO instances request + type: object + SLOs_error_budget: + title: Error budget + type: object + properties: + consumed: + description: The error budget consummed, as a percentage of the initial value. 
+ example: 0.8 + type: number + initial: + description: The initial error budget, as 1 - objective + example: 0.02 + type: number + isEstimated: + description: Only for SLO defined with occurrences budgeting method and calendar aligned time window. + example: true type: boolean - excluded: + remaining: + description: The error budget remaining, as a percentage of the initial value. + example: 0.2 + type: number + required: + - initial + - consumed + - remaining + - isEstimated + SLOs_filter: + description: Defines properties for a filter + properties: + meta: + $ref: '#/components/schemas/SLOs_filter_meta' + query: + type: object + title: Filter + type: object + SLOs_filter_meta: + description: Defines properties for a filter + properties: + alias: nullable: true + type: string + controlledBy: + type: string + disabled: type: boolean - id: - nullable: true + field: type: string - kqlQuery: - nullable: true + group: type: string - name: - nullable: true + index: type: string - queryMatch: - $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' - nullable: true - type: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' - nullable: true - Security_Timeline_API_DataProviderType: - description: The type of data provider. - enum: - - default - - template - type: string - Security_Timeline_API_DocumentIds: - description: One document ID or an array of IDs (Elasticsearch `_id` of the event). 
- oneOf: - - items: - type: string - type: array - - type: string - Security_Timeline_API_FavoriteTimelineResponse: - type: object - properties: - favorite: - items: - $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' - type: array - savedObjectId: + isMultiIndex: + type: boolean + key: type: string - templateTimelineId: - nullable: true + negate: + type: boolean + params: + type: object + type: type: string - templateTimelineVersion: - nullable: true - type: number - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - version: + value: type: string - required: - - savedObjectId - - version - Security_Timeline_API_FavoriteTimelineResult: - description: Indicates when and who marked a Timeline as a favorite. - example: - favoriteDate: 1741337636741 - userName: elastic + title: FilterMeta + type: object + SLOs_find_slo_definitions_response: + description: | + A paginated response of SLO definitions matching the query. + oneOf: + - type: object + properties: + page: + example: 1 + type: number + perPage: + example: 25 + type: number + results: + items: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + type: array + total: + example: 34 + type: number + - type: object + properties: + page: + default: 1 + description: for backward compability + type: number + perPage: + description: for backward compability + example: 25 + type: number + results: + items: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + type: array + searchAfter: + description: the cursor to provide to get the next paged results + example: + - some-slo-id + - other-cursor-id + items: + type: string + type: array + size: + example: 25 + type: number + total: + example: 34 + type: number + title: Find SLO definitions response type: object + SLOs_find_slo_response: + description: | + A paginated response of SLOs matching the query. 
properties: - favoriteDate: - nullable: true + page: + example: 1 + type: number + perPage: + example: 25 type: number - fullName: - nullable: true - type: string - userName: - nullable: true + results: + items: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + type: array + searchAfter: type: string - Security_Timeline_API_FilterTimelineResult: + size: + description: Size provided for cursor based pagination + example: 25 + type: number + total: + example: 34 + type: number + title: Find SLO response + type: object + SLOs_group_by: + description: optional group by field or fields to use to generate an SLO per distinct value example: - meta: - alias: Custom filter name - disabled: false - index: .alerts-security.alerts-default,logs-* - key: '@timestamp' - negate: false, - type: exists - value: exists - query: '{"exists":{"field":"@timestamp"}}' + - - service.name + - service.name + - - service.name + - service.environment + oneOf: + - type: string + - items: + type: string + type: array + title: Group by + SLOs_indicator_properties_apm_availability: + description: Defines properties for the APM availability indicator type type: object properties: - exists: - nullable: true - type: string - match_all: - nullable: true - type: string - meta: - nullable: true + params: + description: An object containing the indicator parameters. 
+ nullable: false type: object properties: - alias: - nullable: true - type: string - controlledBy: - nullable: true - type: string - disabled: - nullable: true - type: boolean - field: - nullable: true + environment: + description: The APM service environment or "*" + example: production type: string - formattedValue: - nullable: true + filter: + description: KQL query used for filtering the data + example: 'service.foo : "bar"' type: string index: - nullable: true - type: string - key: - nullable: true + description: The index used by APM metrics + example: metrics-apm*,apm* type: string - negate: - nullable: true - type: boolean - params: - nullable: true + service: + description: The APM service name + example: o11y-app type: string - type: - nullable: true + transactionName: + description: The APM transaction name or "*" + example: GET /my/api type: string - value: - nullable: true + transactionType: + description: The APM transaction type or "*" + example: request type: string - missing: - nullable: true - type: string - query: - nullable: true - type: string - range: - nullable: true - type: string - script: - nullable: true + required: + - service + - environment + - transactionType + - transactionName + - index + type: + description: The type of indicator. + example: sli.apm.transactionDuration type: string - Security_Timeline_API_GetNotesResult: - type: object - properties: - notes: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - type: array - totalCount: - description: >- - Number of notes returned (may be adjusted after the query when - `associatedFilter` applies post-filtering). 
- type: number required: - - totalCount - - notes - Security_Timeline_API_ImportTimelineResult: + - type + - params + title: APM availability + SLOs_indicator_properties_apm_latency: + description: Defines properties for the APM latency indicator type type: object properties: - errors: - description: The list of failed Timeline imports - items: - type: object - properties: - error: - description: >- - The error containing the reason why the timeline could not be - imported - type: object - properties: - message: - description: The reason why the timeline could not be imported - example: Malformed JSON - type: string - status_code: - description: The HTTP status code of the error - example: 400 - type: number - id: - description: The ID of the timeline that failed to import - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - type: string - type: array - success: - description: Indicates whether any of the Timelines were successfully imports - type: boolean - success_count: - description: The amount of successfully imported/updated Timelines - example: 99 - type: number - timelines_installed: - description: The amount of successfully installed Timelines - example: 80 - type: number - timelines_updated: - description: The amount of successfully updated Timelines - example: 19 - type: number - Security_Timeline_API_ImportTimelines: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - type: object + params: + description: An object containing the indicator parameters. 
+ nullable: false + type: object properties: - eventNotes: - items: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - nullable: true - type: array - globalNotes: - items: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - nullable: true - type: array - pinnedEventIds: - items: - type: string - nullable: true - type: array - savedObjectId: - nullable: true + environment: + description: The APM service environment or "*" + example: production type: string - version: - nullable: true + filter: + description: KQL query used for filtering the data + example: 'service.foo : "bar"' type: string - required: - - savedObjectId - - version - - pinnedEventIds - - eventNotes - - globalNotes - Security_Timeline_API_Note: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - - type: object - properties: - noteId: - description: The `savedObjectId` of the note - example: 709f99c6-89b6-4953-9160-35945c8e174e + index: + description: The index used by APM metrics + example: metrics-apm*,apm* type: string - version: - description: The version of the note - example: WzQ2LDFd + service: + description: The APM service name + example: o11y-app + type: string + threshold: + description: The latency threshold in milliseconds + example: 250 + type: number + transactionName: + description: The APM transaction name or "*" + example: GET /my/api + type: string + transactionType: + description: The APM transaction type or "*" + example: request type: string required: - - noteId - - version - Security_Timeline_API_NoteCreatedAndUpdatedMetadata: + - service + - environment + - transactionType + - transactionName + - index + - threshold + type: + description: The type of indicator. 
+ example: sli.apm.transactionDuration + type: string + required: + - type + - params + title: APM latency + SLOs_indicator_properties_custom_kql: + description: Defines properties for a custom query indicator type type: object properties: - created: - description: The time the note was created, using a 13-digit Epoch timestamp. - example: 1587468588922 - nullable: true - type: number - createdBy: - description: The user who created the note. - example: casetester - nullable: true - type: string - updated: - description: The last time the note was updated, using a 13-digit Epoch timestamp - example: 1741344876825 - nullable: true - type: number - updatedBy: - description: The user who last updated the note - example: casetester - nullable: true - type: string - Security_Timeline_API_PersistPinnedEventResponse: - oneOf: - - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - - type: object - properties: - unpinned: - description: Indicates whether the event was successfully unpinned - type: boolean - required: - - unpinned - Security_Timeline_API_PersistTimelineResponse: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - Security_Timeline_API_PinnedEvent: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_BarePinnedEvent' - - type: object + params: + description: An object containing the indicator parameters. + nullable: false + type: object properties: - pinnedEventId: - description: The `savedObjectId` of this pinned event - example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + dataViewId: + description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. 
+ example: 03b80ab3-003d-498b-881c-3beedbaf1162 type: string - version: - description: The version of this pinned event - example: WzQ2LDFe + filter: + $ref: '#/components/schemas/SLOs_kql_with_filters' + good: + $ref: '#/components/schemas/SLOs_kql_with_filters_good' + index: + description: The index or index pattern to use + example: my-service-* + type: string + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp type: string + total: + $ref: '#/components/schemas/SLOs_kql_with_filters_total' required: - - pinnedEventId - - version - Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata: - type: object - properties: - created: - description: >- - The time the pinned event was created, using a 13-digit Epoch - timestamp. - example: 1587468588922 - nullable: true - type: number - createdBy: - description: The user who created the pinned event. - example: casetester - nullable: true - type: string - updated: - description: >- - The last time the pinned event was updated, using a 13-digit Epoch - timestamp - example: 1741344876825 - nullable: true - type: number - updatedBy: - description: The user who last updated the pinned event - example: casetester - nullable: true + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.kql.custom type: string - Security_Timeline_API_QueryMatchResult: + required: + - type + - params + title: Custom Query + SLOs_indicator_properties_custom_metric: + description: Defines properties for a custom metric indicator type type: object properties: - displayField: - nullable: true - type: string - displayValue: - nullable: true - type: string - field: - nullable: true - type: string - operator: - nullable: true - type: string - value: - oneOf: - - nullable: true + params: + description: An object containing the indicator parameters. 
+ nullable: false + type: object + properties: + dataViewId: + description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 type: string - - items: - type: string - nullable: true - type: array - Security_Timeline_API_ResolvedTimeline: - type: object - properties: - alias_purpose: - $ref: >- - #/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose - alias_target_id: + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + good: + description: | + An object defining the "good" metrics and equation + type: object + properties: + equation: + description: The equation to calculate the "good" metric. + example: A + type: string + metrics: + description: List of metrics with their name, aggregation type, and field. + items: + oneOf: + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - sum + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + - field + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - doc_count + example: doc_count + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. 
Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + type: array + required: + - metrics + - equation + index: + description: The index or index pattern to use + example: my-service-* + type: string + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp + type: string + total: + description: | + An object defining the "total" metrics and equation + type: object + properties: + equation: + description: The equation to calculate the "total" metric. + example: A + type: string + metrics: + description: List of metrics with their name, aggregation type, and field. + items: + oneOf: + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - sum + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + - field + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - doc_count + example: doc_count + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + type: array + required: + - metrics + - equation + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. 
+ example: sli.metric.custom type: string - outcome: - $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome' - timeline: - $ref: >- - #/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject - required: - - timeline - - outcome - Security_Timeline_API_ResponseNote: - type: object - properties: - note: - $ref: '#/components/schemas/Security_Timeline_API_Note' required: - - note - Security_Timeline_API_RowRendererId: - description: Identifies the available row renderers - enum: - - alert - - alerts - - auditd - - auditd_file - - library - - netflow - - plain - - registry - - suricata - - system - - system_dns - - system_endgame_process - - system_file - - system_fim - - system_security_event - - system_socket - - threat_match - - zeek - type: string - Security_Timeline_API_SavedObjectIds: - description: One Timeline saved object ID or an array of IDs. - oneOf: - - items: - type: string - type: array - - type: string - Security_Timeline_API_SavedObjectResolveAliasPurpose: - enum: - - savedObjectConversion - - savedObjectImport - type: string - Security_Timeline_API_SavedObjectResolveOutcome: - enum: - - exactMatch - - aliasMatch - - conflict - type: string - Security_Timeline_API_SavedTimeline: + - type + - params + title: Custom metric + SLOs_indicator_properties_histogram: + description: Defines properties for a histogram indicator type type: object properties: - columns: - description: The Timeline's columns - example: - - columnHeaderType: not-filtered - id: '@timestamp' - - columnHeaderType: not-filtered - id: event.category - items: - $ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult' - nullable: true - type: array - created: - description: The time the Timeline was created, using a 13-digit Epoch timestamp. - example: 1587468588922 - nullable: true - type: number - createdBy: - description: The user who created the Timeline. 
- example: casetester - nullable: true - type: string - dataProviders: - description: Object containing query clauses - example: - - enabled: true - excluded: false - id: >- - id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b - name: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b - queryMatch: - field: _id, - operator: ':' - value: >- - d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b, - items: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderResult' - nullable: true - type: array - dataViewId: - description: ID of the Timeline's Data View - example: security-solution-default - nullable: true - type: string - dateRange: - description: The Timeline's search period. - example: - end: 1587456479201 - start: 1587370079200 - nullable: true - type: object - properties: - end: - oneOf: - - nullable: true - type: string - - nullable: true - type: number - start: - oneOf: - - nullable: true - type: string - - nullable: true - type: number - description: - description: The Timeline's description - example: Investigating exposure of CVE XYZ - nullable: true - type: string - eqlOptions: - description: EQL query that is used in the correlation tab - example: - eventCategoryField: event.category - query: sequence\n[process where process.name == "sudo"]\n[any where true] - size: 100 - timestampField: '@timestamp' - nullable: true + params: + description: An object containing the indicator parameters. + nullable: false type: object properties: - eventCategoryField: - nullable: true + dataViewId: + description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 type: string - query: - nullable: true + filter: + description: the KQL query to filter the documents with. 
+ example: 'field.environment : "production" and service.name : "my-service"' type: string - size: - oneOf: - - nullable: true + good: + description: | + An object defining the "good" events + type: object + properties: + aggregation: + description: The type of aggregation to use. + enum: + - value_count + - range + example: value_count type: string - - nullable: true + field: + description: The field use to aggregate the good events. + example: processor.latency + type: string + filter: + description: The filter for good events. + example: 'processor.outcome: "success"' + type: string + from: + description: The starting value of the range. Only required for "range" aggregations. + example: 0 type: number - tiebreakerField: - nullable: true + to: + description: The ending value of the range. Only required for "range" aggregations. + example: 100 + type: number + required: + - aggregation + - field + index: + description: The index or index pattern to use + example: my-service-* type: string timestampField: - nullable: true - type: string - eventType: - deprecated: true - description: Event types displayed in the Timeline - example: all - nullable: true - type: string - excludedRowRendererIds: - description: >- - A list of row renderers that should not be used when in `Event - renderers` mode - items: - $ref: '#/components/schemas/Security_Timeline_API_RowRendererId' - nullable: true - type: array - favorite: - items: - $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' - nullable: true - type: array - filters: - description: A list of filters that should be applied to the query - items: - $ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult' - nullable: true - type: array - indexNames: - description: >- - A list of index names to use in the query (e.g. 
when the default - data view has been modified) - example: - - .logs* - items: - type: string - nullable: true - type: array - kqlMode: - description: >- - Indicates whether the KQL bar filters the query results or searches - for additional results, where: - * `filter`: filters query results - * `search`: displays additional search results - example: search - nullable: true - type: string - kqlQuery: - $ref: >- - #/components/schemas/Security_Timeline_API_SerializedFilterQueryResult - nullable: true - savedQueryId: - description: The ID of the saved query that might be used in the Query tab - example: c7b16904-02d7-4f32-b8f2-cc20f9625d6e - nullable: true - type: string - savedSearchId: - description: The ID of the saved search that is used in the ES|QL tab - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true - type: string - sort: - $ref: '#/components/schemas/Security_Timeline_API_Sort' - nullable: true - status: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true - templateTimelineId: - description: >- - A unique ID (UUID) for Timeline templates. For Timelines, the value - is `null`. - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true - type: string - templateTimelineVersion: - description: >- - Timeline template version number. For Timelines, the value is - `null`. - example: 12 - nullable: true - type: number - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - title: - description: The Timeline's title. 
- example: CVE XYZ investigation - nullable: true - type: string - updated: - description: >- - The last time the Timeline was updated, using a 13-digit Epoch - timestamp - example: 1741344876825 - nullable: true - type: number - updatedBy: - description: The user who last updated the Timeline - example: casetester - nullable: true - type: string - Security_Timeline_API_SavedTimelineWithSavedObjectId: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - type: object - properties: - savedObjectId: - description: The `savedObjectId` of the Timeline or Timeline template - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - type: string - version: - description: The version of the Timeline or Timeline template - example: WzE0LDFd + description: | + The timestamp field used in the source indice. + example: timestamp type: string + total: + description: | + An object defining the "total" events + type: object + properties: + aggregation: + description: The type of aggregation to use. + enum: + - value_count + - range + example: value_count + type: string + field: + description: The field use to aggregate the good events. + example: processor.latency + type: string + filter: + description: The filter for total events. + example: 'processor.outcome : *' + type: string + from: + description: The starting value of the range. Only required for "range" aggregations. + example: 0 + type: number + to: + description: The ending value of the range. Only required for "range" aggregations. + example: 100 + type: number + required: + - aggregation + - field required: - - savedObjectId - - version - Security_Timeline_API_SerializedFilterQueryResult: - description: KQL bar query. - example: - filterQuery: null - kuery: - expression: '_id : *' - kind: kuery - serializedQuery: >- - {"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}} + - index + - timestampField + - good + - total + type: + description: The type of indicator. 
+ example: sli.histogram.custom + type: string + required: + - type + - params + title: Histogram indicator + SLOs_indicator_properties_timeslice_metric: + description: Defines properties for a timeslice metric indicator type type: object properties: - filterQuery: - nullable: true + params: + description: An object containing the indicator parameters. + nullable: false type: object properties: - kuery: - nullable: true + dataViewId: + description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + index: + description: The index or index pattern to use + example: my-service-* + type: string + metric: + description: | + An object defining the metrics, equation, and threshold to determine if it's a good slice or not type: object properties: - expression: - nullable: true + comparator: + description: The comparator to use to compare the equation to the threshold. + enum: + - GT + - GTE + - LT + - LTE + example: GT type: string - kind: - nullable: true + equation: + description: The equation to calculate the metric. + example: A type: string - serializedQuery: - nullable: true + metrics: + description: List of metrics with their name, aggregation type, and field. 
+ items: + anyOf: + - $ref: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + - $ref: '#/components/schemas/SLOs_timeslice_metric_percentile_metric' + - $ref: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric' + discriminator: + mapping: + avg: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + cardinality: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + doc_count: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric' + last_value: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + max: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + min: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + percentile: '#/components/schemas/SLOs_timeslice_metric_percentile_metric' + std_deviation: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + sum: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + propertyName: aggregation + type: array + threshold: + description: The threshold used to determine if the metric is a good slice or not. + example: 100 + type: number + required: + - metrics + - equation + - comparator + - threshold + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp type: string - Security_Timeline_API_Sort: - oneOf: - - $ref: '#/components/schemas/Security_Timeline_API_SortObject' - - items: - $ref: '#/components/schemas/Security_Timeline_API_SortObject' - type: array - Security_Timeline_API_SortFieldTimeline: - description: The field to sort the timelines by. 
- enum: - - title - - description - - updated - - created - type: string - Security_Timeline_API_SortObject: - description: Object indicating how rows are sorted in the Timeline's grid - example: - columnId: '@timestamp' - sortDirection: desc - type: object - properties: - columnId: - nullable: true - type: string - columnType: - nullable: true + required: + - index + - timestampField + - metric + type: + description: The type of indicator. + example: sli.metric.timeslice type: string - sortDirection: - nullable: true + required: + - type + - params + title: Timeslice metric + SLOs_kql_with_filters: + description: Defines properties for a filter + oneOf: + - description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' type: string - Security_Timeline_API_TimelineResponse: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - $ref: >- - #/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId - type: object properties: - eventIdToNoteIds: - description: A list of all the notes that are associated to this Timeline. - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - noteIds: - description: >- - A list of all the ids of notes that are associated to this - Timeline. - example: - - 709f99c6-89b6-4953-9160-35945c8e174e - items: - type: string - nullable: true - type: array - notes: - description: A list of all the notes that are associated to this Timeline. - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - pinnedEventIds: - description: >- - A list of all the ids of pinned events that are associated to - this Timeline. - example: - - 983f99c6-89b6-4953-9160-35945c8a194f - items: - type: string - nullable: true - type: array - pinnedEventsSaveObject: - description: >- - A list of all the pinned events that are associated to this - Timeline. 
+ filters: items: - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - nullable: true + $ref: '#/components/schemas/SLOs_filter' type: array - Security_Timeline_API_TimelineSavedToReturnObject: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + kqlQuery: + type: string + title: KQL with filters + SLOs_kql_with_filters_good: + description: The KQL query used to define the good events. + oneOf: + - description: the KQL query to filter the documents with. + example: 'request.latency <= 150 and request.status_code : "2xx"' + type: string - type: object properties: - eventIdToNoteIds: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - noteIds: - items: - type: string - nullable: true - type: array - notes: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - pinnedEventIds: + filters: items: - type: string - nullable: true + $ref: '#/components/schemas/SLOs_filter' type: array - pinnedEventsSaveObject: + kqlQuery: + type: string + title: KQL query for good events + SLOs_kql_with_filters_total: + description: The KQL query used to define all events. + oneOf: + - description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + - type: object + properties: + filters: items: - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - nullable: true + $ref: '#/components/schemas/SLOs_filter' type: array - savedObjectId: - type: string - version: + kqlQuery: type: string - required: - - savedObjectId - - version - Security_Timeline_API_TimelineStatus: - description: The status of the Timeline. - enum: - - active - - draft - - immutable - type: string - Security_Timeline_API_TimelineType: - description: The type of Timeline. 
- enum: - - default - - template - type: string - Short_URL_APIs_urlResponse: + title: KQL query for all events + SLOs_objective: + description: Defines properties for the SLO objective type: object properties: - accessCount: - type: integer - accessDate: + target: + description: the target objective between 0 and 1 excluded + example: 0.99 + exclusiveMaximum: true + exclusiveMinimum: true + maximum: 100 + minimum: 0 + type: number + timesliceTarget: + description: the target objective for each slice when using a timeslices budgeting method + example: 0.995 + maximum: 100 + minimum: 0 + type: number + timesliceWindow: + description: the duration of each slice when using a timeslices budgeting method, as {duraton}{unit} + example: 5m type: string - createDate: + required: + - target + title: Objective + SLOs_settings: + description: Defines properties for SLO settings. + properties: + frequency: + default: 1m + description: The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute. + example: 5m type: string - id: - description: The identifier for the short URL. + preventInitialBackfill: + default: false + description: Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window. + example: true + type: boolean + syncDelay: + default: 1m + description: The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater then source index refresh interval. + example: 5m type: string - locator: - type: object - properties: - id: - description: The identifier for the locator. - type: string - state: - description: The locator parameters. - type: object - version: - description: The version of Kibana when the short URL was created. 
- type: string - slug: - description: > - A random human-readable slug is automatically generated if the - `humanReadableSlug` parameter is set to `true`. If it is set to - `false`, a random short string is generated. + syncField: + description: The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, we use the indicator timestamp field. + example: event.ingested type: string - SLOs_400_response: - title: Bad request + title: Settings + type: object + SLOs_slo_definition_response: + title: SLO definition response type: object properties: - error: - example: Bad Request + artifacts: + $ref: '#/components/schemas/SLOs_artifacts' + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + createdAt: + description: The creation date + example: '2023-01-12T10:03:19.000Z' type: string - message: - example: 'Invalid value ''foo'' supplied to: [...]' + description: + description: The description of the SLO. + example: My SLO description type: string - statusCode: - example: 400 - type: number - required: - - statusCode - - error - - message - SLOs_401_response: - title: Unauthorized - type: object - properties: - error: - example: Unauthorized + enabled: + description: Indicate if the SLO is enabled + example: true + type: boolean + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + id: + description: The identifier of the SLO. 
+ example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string - message: - example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" + indicator: + discriminator: + mapping: + sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' + sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' + sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' + sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' + sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' + sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + propertyName: type + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: The name of the SLO. 
+ example: My Service SLO type: string - statusCode: - example: 401 + objective: + $ref: '#/components/schemas/SLOs_objective' + revision: + description: The SLO revision + example: 2 type: number - required: - - statusCode - - error - - message - SLOs_403_response: - title: Forbidden - type: object - properties: - error: - example: Forbidden - type: string - message: - example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [slo_write] is unauthorized for user [limited_user] for REST request [/api/observability/slos]]: action [slo_write] is unauthorized for user [limited_user]" + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + updatedAt: + description: The last update date + example: '2023-01-12T10:03:19.000Z' type: string - statusCode: - example: 403 + version: + description: The internal SLO version + example: 2 type: number required: - - statusCode - - error - - message - SLOs_404_response: - title: Not found + - id + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + - settings + - revision + - enabled + - groupBy + - tags + - createdAt + - updatedAt + - version + SLOs_slo_with_summary_response: + title: SLO response type: object properties: - error: - example: Not Found + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + createdAt: + description: The creation date + example: '2023-01-12T10:03:19.000Z' type: string - message: - example: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + description: + description: The description of the SLO. 
+ example: My SLO description type: string - statusCode: - example: 404 - type: number - required: - - statusCode - - error - - message - SLOs_409_response: - title: Conflict - type: object - properties: - error: - example: Conflict + enabled: + description: Indicate if the SLO is enabled + example: true + type: boolean + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + id: + description: The identifier of the SLO. + example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string - message: - example: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists + indicator: + discriminator: + mapping: + sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' + sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' + sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' + sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' + sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' + sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + propertyName: type + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + instanceId: + description: the value derived from the groupBy field, if present, otherwise '*' + example: host-abcde type: string - statusCode: - example: 409 + name: + description: The name of the SLO. 
+ example: My Service SLO + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + revision: + description: The SLO revision + example: 2 type: number - required: - - statusCode - - error - - message - SLOs_artifacts: - description: Links to related assets for the SLO - properties: - dashboards: - description: Array of dashboard references + settings: + $ref: '#/components/schemas/SLOs_settings' + summary: + $ref: '#/components/schemas/SLOs_summary' + tags: + description: List of tags items: - type: object - properties: - id: - description: Dashboard saved-object id - type: string - required: - - id + type: string type: array - title: Artifacts + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + updatedAt: + description: The last update date + example: '2023-01-12T10:03:19.000Z' + type: string + version: + description: The internal SLO version + example: 2 + type: number + required: + - id + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + - settings + - revision + - summary + - enabled + - groupBy + - instanceId + - tags + - createdAt + - updatedAt + - version + SLOs_summary: + description: The SLO computed data + properties: + errorBudget: + $ref: '#/components/schemas/SLOs_error_budget' + sliValue: + example: 0.9836 + type: number + status: + $ref: '#/components/schemas/SLOs_summary_status' + required: + - status + - sliValue + - errorBudget + title: Summary type: object - SLOs_budgeting_method: - description: The budgeting method to use when computing the rollup data. + SLOs_summary_status: enum: - - occurrences - - timeslices - example: occurrences - title: Budgeting method + - NO_DATA + - HEALTHY + - DEGRADING + - VIOLATED + example: HEALTHY + title: summary status type: string - SLOs_bulk_delete_request: - description: > - The bulk delete SLO request takes a list of SLOs Definition id to - delete. 
- properties: - list: - description: An array of SLO Definition id - items: - description: The SLO Definition id - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - type: array - required: - - list - title: Bulk delete SLO request + SLOs_time_window: + description: Defines properties for the SLO time window type: object - SLOs_bulk_delete_response: - description: > - The bulk delete SLO response returns a taskId that can be used to poll - for its status properties: - taskId: - description: The taskId of the bulk delete operation - example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 + duration: + description: 'the duration formatted as {duration}{unit}. Accepted values for rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w (weekly) or 1M (monthly)' + example: 30d type: string - title: Bulk delete SLO response + type: + description: Indicates weither the time window is a rolling or a calendar aligned time window. + enum: + - rolling + - calendarAligned + example: rolling + type: string + required: + - duration + - type + title: Time window + SLOs_timeslice_metric_basic_metric_with_field: type: object - SLOs_bulk_delete_status_response: - description: >- - Indicates if the bulk deletion is completed, with the detailed results - of the operation. properties: - error: - description: The error message if the bulk deletion operation failed - example: Task not found + aggregation: + description: The aggregation type of the metric. 
+ enum: + - sum + - avg + - min + - max + - std_deviation + - last_value + - cardinality + example: sum type: string - isDone: - description: Indicates if the bulk deletion operation is completed - example: true - type: boolean - results: - description: >- - The results of the bulk deletion operation, including the success - status and any errors for each SLO - items: - type: object - properties: - error: - description: >- - The error message if the deletion operation failed for this - SLO - example: SLO [d08506b7-f0e8-4f8b-a06a-a83940f4db91] not found - type: string - id: - description: The ID of the SLO that was deleted - example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 - type: string - success: - description: The result of the deletion operation for this SLO - example: true - type: boolean - type: array - title: The status of the bulk deletion + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + - field + title: Timeslice Metric Basic Metric with Field + SLOs_timeslice_metric_doc_count_metric: type: object - SLOs_bulk_purge_rollup_request: - description: > - The bulk purge rollup data request takes a list of SLO ids and a purge - policy, then deletes the rollup data according to the purge policy. This - API can be used to remove the staled data of an instance SLO that no - longer get updated. 
properties: - list: - description: An array of slo ids - items: - description: The SLO Definition id - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - type: array - purgePolicy: - description: Policy that dictates which SLI documents to purge based on age - oneOf: - - type: object - properties: - age: - description: >- - The duration to determine which documents to purge, - formatted as {duration}{unit}. This value should be greater - than or equal to the time window of every SLO provided. - example: 7d - type: string - purgeType: - description: >- - Specifies whether documents will be purged based on a - specific age or on a timestamp - enum: - - fixed-age - type: string - - type: object - properties: - purgeType: - description: >- - Specifies whether documents will be purged based on a - specific age or on a timestamp - enum: - - fixed-time - type: string - timestamp: - description: >- - The timestamp to determine which documents to purge, - formatted in ISO. This value should be older than the - applicable time window of every SLO provided. - example: '2024-12-31T00:00:00.000Z' - type: string - type: object + aggregation: + description: The aggregation type of the metric. Only valid option is "doc_count" + enum: + - doc_count + example: doc_count + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string required: - - list - - purgePolicy - title: Bulk Purge Rollup data request + - name + - aggregation + title: Timeslice Metric Doc Count Metric + SLOs_timeslice_metric_percentile_metric: type: object - SLOs_bulk_purge_rollup_response: - description: > - The bulk purge rollup data response returns a task id from the - elasticsearch deleteByQuery response. 
properties: - taskId: - description: The task id of the purge operation - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + aggregation: + description: The aggregation type of the metric. Only valid option is "percentile" + enum: + - percentile + example: percentile + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ type: string - title: Bulk Purge Rollup data response - type: object - SLOs_create_slo_request: - description: > - The create SLO API request body varies depending on the type of - indicator, time window and budgeting method. + percentile: + description: The percentile value. + example: 95 + type: number + required: + - name + - aggregation + - field + - percentile + title: Timeslice Metric Percentile Metric + SLOs_update_slo_request: + description: | + The update SLO API request body varies depending on the type of indicator, time window and budgeting method. Partial update is handled. properties: artifacts: $ref: '#/components/schemas/SLOs_artifacts' @@ -56445,12 +128470,6 @@ components: type: string groupBy: $ref: '#/components/schemas/SLOs_group_by' - id: - description: >- - A optional and unique identifier for the SLO. Must be between 8 and - 36 chars - example: my-super-slo-id - type: string indicator: oneOf: - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' 
@@ -56473,2028 +128492,2355 @@ components: type: array timeWindow: $ref: '#/components/schemas/SLOs_time_window' + title: Update SLO request + type: object + Synthetics_browserMonitorFields: + allOf: + - $ref: '#/components/schemas/Synthetics_commonMonitorFields' + - additionalProperties: true + type: object + properties: + ignore_https_errors: + default: false + description: Ignore HTTPS errors. + type: boolean + inline_script: + description: The inline script. + type: string + playwright_options: + description: Playwright options. + type: object + screenshots: + default: 'on' + description: The screenshot option. + enum: + - 'on' + - 'off' + - only-on-failure + type: string + synthetics_args: + description: Synthetics agent CLI arguments. + items: + type: string + type: array + type: + description: The monitor type. + enum: + - browser + type: string + required: + - inline_script + - type + title: Browser monitor fields + Synthetics_commonMonitorFields: + title: Common monitor fields + type: object + properties: + alert: + description: | + The alert configuration. The default is `{ status: { enabled: true }, tls: { enabled: true } }`. + type: object + enabled: + default: true + description: Specify whether the monitor is enabled. + type: boolean + labels: + additionalProperties: + type: string + description: | + Key-value pairs of labels to associate with the monitor. Labels can be used for filtering and grouping monitors. + type: object + locations: + description: | + The location to deploy the monitor. + Monitors can be deployed in multiple locations so that you can detect differences in availability and response times across those locations. + To list available locations you can: + + - Run the `elastic-synthetics locations` command with the deployment's Kibana URL. + - Go to *Synthetics > Management* and click *Create monitor*. Locations will be listed in *Locations*. 
+ externalDocs: + url: https://github.com/elastic/synthetics/blob/main/src/locations/public-locations.ts + items: + type: string + type: array + name: + description: The monitor name. + type: string + namespace: + default: default + description: | + The namespace field should be lowercase and not contain spaces. The namespace must not include any of the following characters: `*`, `\`, `/`, `?`, `"`, `<`, `>`, `|`, whitespace, `,`, `#`, `:`, or `-`. + type: string + params: + description: The monitor parameters. + type: string + private_locations: + description: | + The private locations to which the monitors will be deployed. + These private locations refer to locations hosted and managed by you, whereas `locations` are hosted by Elastic. + You can specify a private location using the location's name. + To list available private locations you can: + + - Run the `elastic-synthetics locations` command with the deployment's Kibana URL. + - Go to *Synthetics > Settings* and click *Private locationsr*. Private locations will be listed in the table. + + > info + > You can provide `locations` or `private_locations` or both. At least one is required. + items: + type: string + type: array + retest_on_failure: + default: true + description: | + Turn retesting for when a monitor fails on or off. By default, monitors are automatically retested if the monitor goes from "up" to "down". If the result of the retest is also "down", an error will be created and if configured, an alert sent. The monitor will then resume running according to the defined schedule. Using `retest_on_failure` can reduce noise related to transient problems. + type: boolean + schedule: + description: | + The monitor's schedule in minutes. Supported values are `1`, `3`, `5`, `10`, `15`, `30`, `60`, `120`, and `240`. The default value is `3` minutes for HTTP, TCP, and ICMP monitors. The default value is `10` minutes for Browser monitors. + type: number + service.name: + description: The APM service name. 
+ type: string + tags: + description: An array of tags. + items: + type: string + type: array + timeout: + default: 16 + description: | + The monitor timeout in seconds. The monitor will fail if it doesn't complete within this time. + + For browser monitors, the minimum timeout is 30 seconds. Browser monitor timeouts are only applied when the monitor runs on private locations. If a browser monitor specifies a timeout but has no private locations configured, the timeout will have no effect and a warning will be returned in the response. + type: number required: - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - title: Create SLO request - type: object - SLOs_create_slo_response: - title: Create SLO response + Synthetics_getParameterResponse: + title: Get parameter response type: object properties: + description: + description: | + The description of the parameter. It is included in the response if the user has read-only permissions to the Synthetics app. + type: string id: - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + description: The unique identifier of the parameter. + type: string + key: + description: The key of the parameter. + type: string + namespaces: + description: | + The namespaces associated with the parameter. It is included in the response if the user has read-only permissions to the Synthetics app. + items: + type: string + type: array + tags: + description: | + An array of tags associated with the parameter. It is included in the response if the user has read-only permissions to the Synthetics app. + items: + type: string + type: array + value: + description: | + The value associated with the parameter. It will be included in the response if the user has write permissions. + type: string + Synthetics_getPrivateLocation: + additionalProperties: true + properties: + agentPolicyId: + description: The ID of the agent policy associated with the private location. 
+ type: string + geo: + description: Geographic coordinates (WGS84) for the location. + type: object + properties: + lat: + description: The latitude of the location. + type: number + lon: + description: The longitude of the location. + type: number + required: + - lat + - lon + id: + description: The unique identifier of the private location. + type: string + isInvalid: + description: | + Indicates whether the location is invalid. If `true`, the location is invalid, which means the agent policy associated with the location is deleted. + type: boolean + label: + description: A label for the private location. + type: string + namespace: + description: The namespace of the location, which is the same as the namespace of the agent policy associated with the location. + type: string + title: Post a private location + type: object + Synthetics_httpMonitorFields: + allOf: + - $ref: '#/components/schemas/Synthetics_commonMonitorFields' + - additionalProperties: true + type: object + properties: + check: + description: The check request settings. + type: object + properties: + request: + description: An optional request to send to the remote host. + type: object + properties: + body: + description: Optional request body content. + type: string + headers: + description: | + A dictionary of additional HTTP headers to send. By default, Synthetics will set the User-Agent header to identify itself. + type: object + method: + description: The HTTP method to use. + enum: + - HEAD + - GET + - POST + - OPTIONS + type: string + response: + additionalProperties: true + description: The expected response. + type: object + properties: + body: + type: object + headers: + description: A dictionary of expected HTTP headers. If the header is not found, the check fails. + type: object + ipv4: + default: true + description: If `true`, ping using the ipv4 protocol. + type: boolean + ipv6: + default: true + description: If `true`, ping using the ipv6 protocol. 
+ type: boolean + max_redirects: + default: 0 + description: The maximum number of redirects to follow. + type: number + mode: + default: any + description: | + The mode of the monitor. If it is `all`, the monitor pings all resolvable IPs for a hostname. If it is `any`, the monitor pings only one IP address for a hostname. If you're using a DNS-load balancer and want to ping every IP address for the specified hostname, you should use `all`. + enum: + - all + - any + type: string + password: + description: | + The password for authenticating with the server. The credentials are passed with the request. + type: string + proxy_headers: + description: Additional headers to send to proxies during CONNECT requests. + type: object + proxy_url: + description: The URL of the proxy to use for this monitor. + type: string + response: + description: Controls the indexing of the HTTP response body contents to the `http.response.body.contents field`. + type: object + ssl: + description: | + The TLS/SSL connection settings for use with the HTTPS endpoint. If you don't specify settings, the system defaults are used. + type: object + type: + description: The monitor type. + enum: + - http + type: string + url: + description: The URL to monitor. + type: string + username: + description: | + The username for authenticating with the server. The credentials are passed with the request. + type: string + required: + - type + - url + title: HTTP monitor fields + Synthetics_icmpMonitorFields: + allOf: + - $ref: '#/components/schemas/Synthetics_commonMonitorFields' + - additionalProperties: true + type: object + properties: + host: + description: The host to ping. + type: string + type: + description: The monitor type. + enum: + - icmp + type: string + wait: + default: 1 + description: The wait time in seconds. 
+ type: number + required: + - host + - type + title: ICMP monitor fields + Synthetics_monitorWarning: + title: Monitor warning + type: object + properties: + message: + description: A human-readable warning message. + type: string + monitorId: + description: The monitor ID associated with the warning. + type: string + publicLocationIds: + description: The public location IDs associated with the warning. + items: + type: string + type: array + Synthetics_parameterRequest: + title: Parameter request + type: object + properties: + description: + description: A description of the parameter. + type: string + key: + description: The key of the parameter. + type: string + share_across_spaces: + description: Specify whether the parameter should be shared across spaces. + type: boolean + tags: + description: An array of tags to categorize the parameter. + items: + type: string + type: array + value: + description: The value associated with the parameter. type: string required: - - id - SLOs_delete_slo_instances_request: - description: > - The delete SLO instances request takes a list of SLO id and instance id, - then delete the rollup and summary data. This API can be used to remove - the staled data of an instance SLO that no longer get updated. + - key + - value + Synthetics_postParameterResponse: + title: Post parameter response + type: object properties: - list: - description: An array of slo id and instance id + description: + description: A description of the parameter. + type: string + id: + description: The unique identifier for the parameter. + type: string + key: + description: The parameter key. + type: string + share_across_spaces: + description: Indicates whether the parameter is shared across spaces. + type: boolean + tags: + description: An array of tags associated with the parameter. 
items: - type: object - properties: - instanceId: - description: The SLO instance identifier - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - sloId: - description: The SLO unique identifier - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - required: - - sloId - - instanceId + type: string type: array + value: + description: The value associated with the parameter. + type: string + Synthetics_tcpMonitorFields: + allOf: + - $ref: '#/components/schemas/Synthetics_commonMonitorFields' + - additionalProperties: true + type: object + properties: + host: + description: | + The host to monitor; it can be an IP address or a hostname. The host can include the port using a colon, for example "example.com:9200". + type: string + proxy_url: + description: | + The URL of the SOCKS5 proxy to use when connecting to the server. The value must be a URL with a scheme of `socks5://`. If the SOCKS5 proxy server requires client authentication, then a username and password can be embedded in the URL. When using a proxy, hostnames are resolved on the proxy server instead of on the client. You can change this behavior by setting the `proxy_use_local_resolver` option. + type: string + proxy_use_local_resolver: + default: false + description: | + Specify that hostnames are resolved locally instead of being resolved on the proxy server. If `false`, name resolution occurs on the proxy server. + type: boolean + ssl: + description: | + The TLS/SSL connection settings for use with the HTTPS endpoint. If you don't specify settings, the system defaults are used. + type: object + type: + description: The monitor type. + enum: + - tcp + type: string + required: + - host + - type + title: TCP monitor fields + Task_manager_health_APIs_configuration: + description: | + This object summarizes the current configuration of Task Manager. 
This includes dynamic configurations that change over time, such as `poll_interval` and `max_workers`, which can adjust in reaction to changing load on the system. + type: object + Task_manager_health_APIs_health_response: + title: Task health response properties + type: object + properties: + id: + type: string + last_update: + type: string + stats: + type: object + properties: + capacity_estimation: + description: | + This object provides a rough estimate about the sufficiency of its capacity. These are estimates based on historical data and should not be used as predictions. + type: object + configuration: + $ref: '#/components/schemas/Task_manager_health_APIs_configuration' + runtime: + description: | + This object tracks runtime performance of Task Manager, tracking task drift, worker load, and stats broken down by type, including duration and run results. + type: object + workload: + $ref: '#/components/schemas/Task_manager_health_APIs_workload' + status: + type: string + timestamp: + type: string + Task_manager_health_APIs_workload: + description: | + This object summarizes the work load across the cluster, including the tasks in the system, their types, and current status. + type: object + bedrock_config: + title: Connector request properties for an Amazon Bedrock connector + description: Defines properties for connectors when type is `.bedrock`. + type: object required: - - list - title: Delete SLO instances request + - apiUrl + properties: + apiUrl: + type: string + description: The Amazon Bedrock request URL. + region: + type: string + description: | + Optional AWS region for request signing. Required when using a custom endpoint URL that does not include the region in the hostname (for example, `us-west-1`). + defaultModel: + type: string + description: | + The generative artificial intelligence model for Amazon Bedrock to use. Current support is for the Anthropic Claude models. 
+ default: us.anthropic.claude-sonnet-4-5-20250929-v1:0 + crowdstrike_config: + title: Connector request config properties for a Crowdstrike connector + required: + - url + description: Defines config properties for connectors when type is `.crowdstrike`. type: object - SLOs_error_budget: - title: Error budget + properties: + url: + description: | + The CrowdStrike tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + type: string + d3security_config: + title: Connector request properties for a D3 Security connector + description: Defines properties for connectors when type is `.d3security`. type: object + required: + - url properties: - consumed: - description: The error budget consummed, as a percentage of the initial value. - example: 0.8 - type: number - initial: - description: The initial error budget, as 1 - objective - example: 0.02 - type: number - isEstimated: - description: >- - Only for SLO defined with occurrences budgeting method and calendar - aligned time window. - example: true + url: + type: string + description: | + The D3 Security API request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + email_config: + title: Connector request properties for an email connector + description: Defines properties for connectors when type is `.email`. + required: + - from + type: object + properties: + clientId: + description: | + The client identifier, which is a part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required. + type: string + nullable: true + from: + description: | + The from address for all emails sent by the connector. It must be specified in `user@host-name` format. + type: string + hasAuth: + description: | + Specifies whether a user and password are required inside the secrets configuration. 
+ default: true type: boolean - remaining: - description: The error budget remaining, as a percentage of the initial value. - example: 0.2 - type: number + host: + description: | + The host name of the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined. + type: string + oauthTokenUrl: + type: string + nullable: true + port: + description: | + The port to connect to on the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined. + type: integer + secure: + description: | + Specifies whether the connection to the service provider will use TLS. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. + type: boolean + service: + description: | + The name of the email service. + type: string + enum: + - elastic_cloud + - exchange_server + - gmail + - other + - outlook365 + - ses + tenantId: + description: | + The tenant identifier, which is part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required. + type: string + nullable: true + gemini_config: + title: Connector request properties for an Google Gemini connector + description: Defines properties for connectors when type is `.gemini`. + type: object required: - - initial - - consumed - - remaining - - isEstimated - SLOs_filter: - description: Defines properties for a filter + - apiUrl + - gcpRegion + - gcpProjectID properties: - meta: - $ref: '#/components/schemas/SLOs_filter_meta' - query: - type: object - title: Filter + apiUrl: + type: string + description: The Google Gemini request URL. 
+ defaultModel: + type: string + description: The generative artificial intelligence model for Google Gemini to use. + default: gemini-2.5-pro + gcpRegion: + type: string + description: The GCP region where the Vertex AI endpoint enabled. + gcpProjectID: + type: string + description: The Google ProjectID that has Vertex AI endpoint enabled. + resilient_config: + title: Connector request properties for a IBM Resilient connector + required: + - apiUrl + - orgId + description: Defines properties for connectors when type is `.resilient`. + type: object + properties: + apiUrl: + description: The IBM Resilient instance URL. + type: string + orgId: + description: The IBM Resilient organization ID. + type: string + index_config: + title: Connector request properties for an index connector + required: + - index + description: Defines properties for connectors when type is `.index`. type: object - SLOs_filter_meta: - description: Defines properties for a filter properties: - alias: - nullable: true + executionTimeField: + description: A field that indicates when the document was indexed. + default: null type: string - controlledBy: + nullable: true + index: + description: The Elasticsearch index to be written to. type: string - disabled: + refresh: + description: | + The refresh policy for the write request, which affects when changes are made visible to search. Refer to the refresh setting for Elasticsearch document APIs. + default: false type: boolean - field: + jira_config: + title: Connector request properties for a Jira connector + required: + - apiUrl + - projectKey + description: Defines properties for connectors when type is `.jira`. + type: object + properties: + apiUrl: + description: The Jira instance URL. type: string - group: + projectKey: + description: The Jira project key. 
type: string - index: + defender_config: + title: Connector request properties for a Microsoft Defender for Endpoint connector + required: + - apiUrl + - projectKey + description: Defines properties for connectors when type is `.microsoft_defender_endpoint`. + type: object + properties: + apiUrl: type: string - isMultiIndex: - type: boolean - key: + description: | + The URL of the Microsoft Defender for Endpoint API. If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname is added to the allowed hosts. + clientId: type: string - negate: - type: boolean - params: - type: object - type: + description: The application (client) identifier for your app in the Azure portal. + oAuthScope: type: string - value: + description: The OAuth scopes or permission sets for the Microsoft Defender for Endpoint API. + oAuthServerUrl: type: string - title: FilterMeta - type: object - SLOs_find_slo_definitions_response: + description: The OAuth server URL where authentication is sent and received for the Microsoft Defender for Endpoint API. + tenantId: + description: The tenant identifier for your app in the Azure portal. + type: string + genai_azure_config: + title: Connector request properties for an OpenAI connector that uses Azure OpenAI description: | - A paginated response of SLO definitions matching the query. 
- oneOf: - - type: object - properties: - page: - example: 1 - type: number - perPage: - example: 25 - type: number - results: - items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - type: array - total: - example: 34 - type: number - - type: object - properties: - page: - default: 1 - description: for backward compability - type: number - perPage: - description: for backward compability - example: 25 - type: number - results: - items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - type: array - searchAfter: - description: the cursor to provide to get the next paged results - example: - - some-slo-id - - other-cursor-id - items: - type: string - type: array - size: - example: 25 - type: number - total: - example: 34 - type: number - title: Find SLO definitions response + Defines properties for connectors when type is `.gen-ai` and the API provider is `Azure OpenAI`. type: object - SLOs_find_slo_response: + required: + - apiProvider + - apiUrl + properties: + apiProvider: + type: string + description: The OpenAI API provider. + enum: + - Azure OpenAI + apiUrl: + type: string + description: The OpenAI API endpoint. + genai_openai_config: + title: Connector request properties for an OpenAI connector description: | - A paginated response of SLOs matching the query. + Defines properties for connectors when type is `.gen-ai` and the API provider is `OpenAI`. + type: object + required: + - apiProvider + - apiUrl properties: - page: - example: 1 - type: number - perPage: - example: 25 - type: number - results: - items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - type: array - searchAfter: + apiProvider: type: string - size: - description: Size provided for cursor based pagination - example: 25 - type: number - total: - example: 34 - type: number - title: Find SLO response + description: The OpenAI API provider. + enum: + - OpenAI + apiUrl: + type: string + description: The OpenAI API endpoint. 
+ defaultModel: + type: string + description: The default model to use for requests. + opsgenie_config: + title: Connector request properties for an Opsgenie connector + required: + - apiUrl + description: Defines properties for connectors when type is `.opsgenie`. type: object - SLOs_group_by: - description: >- - optional group by field or fields to use to generate an SLO per distinct - value - example: - - - service.name - - service.name - - - service.name - - service.environment - oneOf: - - type: string - - items: - type: string - type: array - title: Group by - SLOs_indicator_properties_apm_availability: - description: Defines properties for the APM availability indicator type + properties: + apiUrl: + description: | + The Opsgenie URL. For example, `https://api.opsgenie.com` or `https://api.eu.opsgenie.com`. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + type: string + pagerduty_config: + title: Connector request properties for a PagerDuty connector + description: Defines properties for connectors when type is `.pagerduty`. type: object properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - environment: - description: The APM service environment or "*" - example: production - type: string - filter: - description: KQL query used for filtering the data - example: 'service.foo : "bar"' - type: string - index: - description: The index used by APM metrics - example: metrics-apm*,apm* - type: string - service: - description: The APM service name - example: o11y-app - type: string - transactionName: - description: The APM transaction name or "*" - example: GET /my/api - type: string - transactionType: - description: The APM transaction type or "*" - example: request - type: string - required: - - service - - environment - - transactionType - - transactionName - - index - type: - description: The type of indicator. 
- example: sli.apm.transactionDuration + apiUrl: + description: The PagerDuty event URL. type: string + nullable: true + example: https://events.pagerduty.com/v2/enqueue + sentinelone_config: + title: Connector request properties for a SentinelOne connector required: - - type - - params - title: APM availability - SLOs_indicator_properties_apm_latency: - description: Defines properties for the APM latency indicator type + - url + description: Defines properties for connectors when type is `.sentinelone`. type: object properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - environment: - description: The APM service environment or "*" - example: production - type: string - filter: - description: KQL query used for filtering the data - example: 'service.foo : "bar"' - type: string - index: - description: The index used by APM metrics - example: metrics-apm*,apm* - type: string - service: - description: The APM service name - example: o11y-app - type: string - threshold: - description: The latency threshold in milliseconds - example: 250 - type: number - transactionName: - description: The APM transaction name or "*" - example: GET /my/api - type: string - transactionType: - description: The APM transaction type or "*" - example: request - type: string - required: - - service - - environment - - transactionType - - transactionName - - index - - threshold - type: - description: The type of indicator. - example: sli.apm.transactionDuration + url: + description: | + The SentinelOne tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. 
type: string + servicenow_config: + title: Connector request properties for a ServiceNow ITSM connector required: - - type - - params - title: APM latency - SLOs_indicator_properties_custom_kql: - description: Defines properties for a custom query indicator type + - apiUrl + description: Defines properties for connectors when type is `.servicenow`. type: object properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - $ref: '#/components/schemas/SLOs_kql_with_filters' - good: - $ref: '#/components/schemas/SLOs_kql_with_filters_good' - index: - description: The index or index pattern to use - example: my-service-* - type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - total: - $ref: '#/components/schemas/SLOs_kql_with_filters_total' - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.kql.custom + apiUrl: + type: string + description: The ServiceNow instance URL. + clientId: + description: | + The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`. + type: string + isOAuth: + description: | + The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth). + default: false + type: boolean + jwtKeyId: + description: | + The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`. 
+ type: string + userIdentifierValue: + description: | + The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`. type: string + usesTableApi: + description: | + Determines whether the connector uses the Table API or the Import Set API. This property is supported only for ServiceNow ITSM and ServiceNow SecOps connectors. NOTE: If this property is set to `false`, the Elastic application should be installed in ServiceNow. + default: true + type: boolean + servicenow_itom_config: + title: Connector request properties for a ServiceNow ITOM connector required: - - type - - params - title: Custom Query - SLOs_indicator_properties_custom_metric: - description: Defines properties for a custom metric indicator type + - apiUrl + description: Defines properties for connectors when type is `.servicenow-itom`. type: object properties: - params: - description: An object containing the indicator parameters. - nullable: false + apiUrl: + type: string + description: The ServiceNow instance URL. + clientId: + description: | + The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`. + type: string + isOAuth: + description: | + The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth). + default: false + type: boolean + jwtKeyId: + description: | + The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`. + type: string + userIdentifierValue: + description: | + The identifier to use for OAuth authentication. 
This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`. + type: string + slack_api_config: + title: Connector request properties for a Slack connector + description: Defines properties for connectors when type is `.slack_api`. + type: object + properties: + allowedChannels: + type: array + description: A list of valid Slack channels. + items: + type: object + required: + - id + - name + maxItems: 25 + properties: + id: + type: string + description: The Slack channel ID. + example: C123ABC456 + minLength: 1 + name: + type: string + description: The Slack channel name. + minLength: 1 + swimlane_config: + title: Connector request properties for a Swimlane connector + required: + - apiUrl + - appId + - connectorType + description: Defines properties for connectors when type is `.swimlane`. + type: object + properties: + apiUrl: + description: The Swimlane instance URL. + type: string + appId: + description: The Swimlane application ID. + type: string + connectorType: + description: The type of connector. Valid values are `all`, `alerts`, and `cases`. + type: string + enum: + - all + - alerts + - cases + mappings: + title: Connector mappings properties for a Swimlane connector + description: The field mapping. type: object properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - description: the KQL query to filter the documents with. 
- example: 'field.environment : "production" and service.name : "my-service"' - type: string - good: - description: | - An object defining the "good" metrics and equation + alertIdConfig: + title: Alert identifier mapping + description: Mapping for the alert ID. type: object + required: + - fieldType + - id + - key + - name properties: - equation: - description: The equation to calculate the "good" metric. - example: A + fieldType: type: string - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. - items: - oneOf: - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - sum - example: sum - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - - field - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - doc_count - example: doc_count - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - type: array + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + caseIdConfig: + title: Case identifier mapping + description: Mapping for the case ID. 
+ type: object required: - - metrics - - equation - index: - description: The index or index pattern to use - example: my-service-* - type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - total: - description: | - An object defining the "total" metrics and equation + - fieldType + - id + - key + - name + properties: + fieldType: + type: string + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + caseNameConfig: + title: Case name mapping + description: Mapping for the case name. type: object + required: + - fieldType + - id + - key + - name properties: - equation: - description: The equation to calculate the "total" metric. - example: A + fieldType: type: string - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. - items: - oneOf: - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - sum - example: sum - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - - field - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - doc_count - example: doc_count - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. 
Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - type: array + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + commentsConfig: + title: Case comment mapping + description: Mapping for the case comments. + type: object required: - - metrics - - equation - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.metric.custom - type: string - required: - - type - - params - title: Custom metric - SLOs_indicator_properties_histogram: - description: Defines properties for a histogram indicator type - type: object - properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - good: - description: | - An object defining the "good" events + - fieldType + - id + - key + - name + properties: + fieldType: + type: string + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + descriptionConfig: + title: Case description mapping + description: Mapping for the case description. 
type: object + required: + - fieldType + - id + - key + - name properties: - aggregation: - description: The type of aggregation to use. - enum: - - value_count - - range - example: value_count + fieldType: type: string - field: - description: The field use to aggregate the good events. - example: processor.latency + description: The type of field in Swimlane. + id: type: string - filter: - description: The filter for good events. - example: 'processor.outcome: "success"' + description: The identifier for the field in Swimlane. + key: type: string - from: - description: >- - The starting value of the range. Only required for "range" - aggregations. - example: 0 - type: number - to: - description: >- - The ending value of the range. Only required for "range" - aggregations. - example: 100 - type: number - required: - - aggregation - - field - index: - description: The index or index pattern to use - example: my-service-* - type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - total: - description: | - An object defining the "total" events + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + ruleNameConfig: + title: Rule name mapping + description: Mapping for the name of the alert's rule. type: object + required: + - fieldType + - id + - key + - name properties: - aggregation: - description: The type of aggregation to use. - enum: - - value_count - - range - example: value_count + fieldType: type: string - field: - description: The field use to aggregate the good events. - example: processor.latency + description: The type of field in Swimlane. + id: type: string - filter: - description: The filter for total events. - example: 'processor.outcome : *' + description: The identifier for the field in Swimlane. + key: type: string - from: - description: >- - The starting value of the range. 
Only required for "range" - aggregations. - example: 0 - type: number - to: - description: >- - The ending value of the range. Only required for "range" - aggregations. - example: 100 - type: number - required: - - aggregation - - field - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.histogram.custom - type: string - required: - - type - - params - title: Histogram indicator - SLOs_indicator_properties_timeslice_metric: - description: Defines properties for a timeslice metric indicator type - type: object - properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - index: - description: The index or index pattern to use - example: my-service-* - type: string - metric: - description: > - An object defining the metrics, equation, and threshold to - determine if it's a good slice or not + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + severityConfig: + title: Severity mapping + description: Mapping for the severity. type: object + required: + - fieldType + - id + - key + - name properties: - comparator: - description: >- - The comparator to use to compare the equation to the - threshold. - enum: - - GT - - GTE - - LT - - LTE - example: GT + fieldType: type: string - equation: - description: The equation to calculate the metric. 
- example: A + description: The type of field in Swimlane. + id: type: string - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. - items: - anyOf: - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_percentile_metric - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_doc_count_metric - discriminator: - mapping: - avg: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - cardinality: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - doc_count: >- - #/components/schemas/SLOs_timeslice_metric_doc_count_metric - last_value: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - max: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - min: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - percentile: >- - #/components/schemas/SLOs_timeslice_metric_percentile_metric - std_deviation: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - sum: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - propertyName: aggregation - type: array - threshold: - description: >- - The threshold used to determine if the metric is a good - slice or not. - example: 100 - type: number - required: - - metrics - - equation - - comparator - - threshold - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - required: - - index - - timestampField - - metric - type: - description: The type of indicator. - example: sli.metric.timeslice - type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. 
+ thehive_config: + title: Connector request properties for a TheHive connector + description: Defines configuration properties for connectors when type is `.thehive`. + type: object required: - - type - - params - title: Timeslice metric - SLOs_kql_with_filters: - description: Defines properties for a filter - oneOf: - - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - - type: object - properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: - type: string - title: KQL with filters - SLOs_kql_with_filters_good: - description: The KQL query used to define the good events. - oneOf: - - description: the KQL query to filter the documents with. - example: 'request.latency <= 150 and request.status_code : "2xx"' + - url + properties: + organisation: type: string - - type: object - properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: - type: string - title: KQL query for good events - SLOs_kql_with_filters_total: - description: The KQL query used to define all events. - oneOf: - - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' + description: | + The organisation in TheHive that will contain the alerts or cases. By default, the connector uses the default organisation of the user account that created the API key. + url: type: string - - type: object - properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: - type: string - title: KQL query for all events - SLOs_objective: - description: Defines properties for the SLO objective + description: | + The instance URL in TheHive. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. 
+ tines_config: + title: Connector request properties for a Tines connector + description: Defines properties for connectors when type is `.tines`. type: object + required: + - url properties: - target: - description: the target objective between 0 and 1 excluded - example: 0.99 - exclusiveMaximum: true - exclusiveMinimum: true - maximum: 100 - minimum: 0 - type: number - timesliceTarget: - description: >- - the target objective for each slice when using a timeslices - budgeting method - example: 0.995 - maximum: 100 - minimum: 0 - type: number - timesliceWindow: - description: >- - the duration of each slice when using a timeslices budgeting method, - as {duraton}{unit} - example: 5m + url: + description: | + The Tines tenant URL. If you are using the `xpack.actions.allowedHosts` setting, make sure this hostname is added to the allowed hosts. type: string + torq_config: + title: Connector request properties for a Torq connector + description: Defines properties for connectors when type is `.torq`. + type: object required: - - target - title: Objective - SLOs_settings: - description: Defines properties for SLO settings. + - webhookIntegrationUrl properties: - frequency: - default: 1m - description: >- - The interval between checks for changes in the source data. The - minimum value is 1m and the maximum is 59m. The default value is 1 - minute. - example: 5m + webhookIntegrationUrl: + description: The endpoint URL of the Elastic Security integration in Torq. type: string - preventInitialBackfill: - default: false - description: >- - Start aggregating data from the time the SLO is created, instead of - backfilling data from the beginning of the time window. - example: true - type: boolean - syncDelay: - default: 1m - description: >- - The time delay in minutes between the current time and the latest - source data time. Increasing the value will delay any alerting. The - default value is 1 minute. The minimum value is 1m and the maximum - is 359m. 
It should always be greater then source index refresh - interval. - example: 5m + auth_type: + title: Authentication type + type: string + nullable: true + enum: + - webhook-authentication-basic + - webhook-authentication-ssl + description: | + The type of authentication to use: basic, SSL, or none. + ca: + title: Certificate authority + type: string + description: | + A base64 encoded version of the certificate authority file that the connector can trust to sign and validate certificates. This option is available for all authentication types. + cert_type: + title: Certificate type + type: string + description: | + If the `authType` is `webhook-authentication-ssl`, specifies whether the certificate authentication data is in a CRT and key file format or a PFX file format. + enum: + - ssl-crt-key + - ssl-pfx + has_auth: + title: Has authentication + type: boolean + description: If true, a username and password for login type authentication must be provided. + default: true + verification_mode: + title: Verification mode + type: string + enum: + - certificate + - full + - none + default: full + description: | + Controls the verification of certificates. Use `full` to validate that the certificate has an issue date within the `not_before` and `not_after` dates, chains to a trusted certificate authority (CA), and has a hostname or IP address that matches the names within the certificate. Use `certificate` to validate the certificate and verify that it is signed by a trusted authority; this option does not check the certificate hostname. Use `none` to skip certificate validation. + webhook_config: + title: Connector request properties for a Webhook connector + description: Defines properties for connectors when type is `.webhook`. 
+ type: object + properties: + authType: + $ref: '#/components/schemas/auth_type' + ca: + $ref: '#/components/schemas/ca' + certType: + $ref: '#/components/schemas/cert_type' + hasAuth: + $ref: '#/components/schemas/has_auth' + headers: + type: object + nullable: true + description: A set of key-value pairs sent as headers with the request. + method: type: string - syncField: - description: >- - The date field that is used to identify new documents in the source. - It is strongly recommended to use a field that contains the ingest - timestamp. If you use a different field, you might need to set the - delay such that it accounts for data transmission delays. When - unspecified, we use the indicator timestamp field. - example: event.ingested + default: post + enum: + - post + - put + description: | + The HTTP request method, either `post` or `put`. + url: type: string - title: Settings - type: object - SLOs_slo_definition_response: - title: SLO definition response + description: | + The request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + verificationMode: + $ref: '#/components/schemas/verification_mode' + cases_webhook_config: + title: Connector request properties for Webhook - Case Management connector + required: + - createIncidentJson + - createIncidentResponseKey + - createIncidentUrl + - getIncidentResponseExternalTitleKey + - getIncidentUrl + - updateIncidentJson + - updateIncidentUrl + - viewIncidentUrl + description: Defines properties for connectors when type is `.cases-webhook`. 
type: object properties: - artifacts: - $ref: '#/components/schemas/SLOs_artifacts' - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - createdAt: - description: The creation date - example: '2023-01-12T10:03:19.000Z' + authType: + $ref: '#/components/schemas/auth_type' + ca: + $ref: '#/components/schemas/ca' + certType: + $ref: '#/components/schemas/cert_type' + createCommentJson: type: string - description: - description: The description of the SLO. - example: My SLO description + description: | + A JSON payload sent to the create comment URL to create a case comment. You can use variables to add Kibana Cases data to the payload. The required variable is `case.comment`. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated once the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass. + example: '{"body": {{{case.comment}}}}' + createCommentMethod: type: string - enabled: - description: Indicate if the SLO is enabled - example: true + description: | + The REST API HTTP request method to create a case comment in the third-party system. Valid values are `patch`, `post`, and `put`. + default: put + enum: + - patch + - post + - put + createCommentUrl: + type: string + description: | + The REST API URL to create a case comment by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts setting`, add the hostname to the allowed hosts. + example: https://example.com/issue/{{{external.system.id}}}/comment + createIncidentJson: + type: string + description: | + A JSON payload sent to the create case URL to create a case. You can use variables to add case data to the payload. 
Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review. + example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}' + createIncidentMethod: + type: string + description: | + The REST API HTTP request method to create a case in the third-party system. Valid values are `patch`, `post`, and `put`. + enum: + - patch + - post + - put + default: post + createIncidentResponseKey: + type: string + description: The JSON key in the create external case response that contains the case ID. + createIncidentUrl: + type: string + description: | + The REST API URL to create a case in the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + getIncidentResponseExternalTitleKey: + type: string + description: The JSON key in get external case response that contains the case title. + getIncidentUrl: + type: string + description: | + The REST API URL to get the case by ID from the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. You can use a variable to add the external system ID to the URL. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass. 
+ example: https://example.com/issue/{{{external.system.id}}} + hasAuth: + $ref: '#/components/schemas/has_auth' + headers: + type: string + description: | + A set of key-value pairs sent as headers with the request URLs for the create case, update case, get case, and create comment methods. + updateIncidentJson: + type: string + description: | + The JSON payload sent to the update case URL to update the case. You can use variables to add Kibana Cases data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review. + example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}' + updateIncidentMethod: + type: string + description: | + The REST API HTTP request method to update the case in the third-party system. Valid values are `patch`, `post`, and `put`. + default: put + enum: + - patch + - post + - put + updateIncidentUrl: + type: string + description: | + The REST API URL to update the case by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + example: https://example.com/issue/{{{external.system.ID}}} + verificationMode: + $ref: '#/components/schemas/verification_mode' + viewIncidentUrl: + type: string + description: | + The URL to view the case in the external system. You can use variables to add the external system ID or external system title to the URL. 
+ example: https://testing-jira.atlassian.net/browse/{{{external.system.title}}} + xmatters_config: + title: Connector request properties for an xMatters connector + description: Defines properties for connectors when type is `.xmatters`. + type: object + properties: + configUrl: + description: | + The request URL for the Elastic Alerts trigger in xMatters. It is applicable only when `usesBasic` is `true`. + type: string + nullable: true + usesBasic: + description: Specifies whether the connector uses HTTP basic authentication (`true`) or URL authentication (`false`). type: boolean - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - id: - description: The identifier of the SLO. - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + default: true + bedrock_secrets: + title: Connector secrets properties for an Amazon Bedrock connector + description: Defines secrets for connectors when type is `.bedrock`. + type: object + required: + - accessKey + - secret + properties: + accessKey: type: string - indicator: - discriminator: - mapping: - sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' - sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' - sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' - sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' - sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' - sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - propertyName: type - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: 
'#/components/schemas/SLOs_indicator_properties_timeslice_metric' - name: - description: The name of the SLO. - example: My Service SLO + description: The AWS access key for authentication. + secret: type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - revision: - description: The SLO revision - example: 2 - type: number - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags - items: - type: string - type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - updatedAt: - description: The last update date - example: '2023-01-12T10:03:19.000Z' + description: The AWS secret for authentication. + crowdstrike_secrets: + title: Connector secrets properties for a Crowdstrike connector + description: Defines secrets for connectors when type is `.crowdstrike`. + type: object + required: + - clientId + - clientSecret + properties: + clientId: + description: The CrowdStrike API client identifier. type: string - version: - description: The internal SLO version - example: 2 - type: number + clientSecret: + description: The CrowdStrike API client secret to authenticate the `clientId`. + type: string + d3security_secrets: + title: Connector secrets properties for a D3 Security connector + description: Defines secrets for connectors when type is `.d3security`. required: - - id - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - - settings - - revision - - enabled - - groupBy - - tags - - createdAt - - updatedAt - - version - SLOs_slo_with_summary_response: - title: SLO response + - token type: object properties: - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - createdAt: - description: The creation date - example: '2023-01-12T10:03:19.000Z' + token: type: string - description: - description: The description of the SLO. - example: My SLO description + description: The D3 Security token. 
+ email_secrets: + title: Connector secrets properties for an email connector + description: Defines secrets for connectors when type is `.email`. + type: object + properties: + clientSecret: type: string - enabled: - description: Indicate if the SLO is enabled - example: true - type: boolean - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - id: - description: The identifier of the SLO. - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + description: | + The Microsoft Exchange Client secret for OAuth 2.0 client credentials authentication. It must be URL-encoded. If `service` is `exchange_server`, this property is required. + password: type: string - indicator: - discriminator: - mapping: - sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' - sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' - sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' - sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' - sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' - sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - propertyName: type - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - instanceId: - description: the value derived from the groupBy field, if present, otherwise '*' - example: host-abcde + description: | + The password for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required. + user: type: string - name: - description: The name of the SLO. 
- example: My Service SLO + description: | + The username for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required. + gemini_secrets: + title: Connector secrets properties for a Google Gemini connector + description: Defines secrets for connectors when type is `.gemini`. + type: object + required: + - credentialsJson + properties: + credentialsJson: type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - revision: - description: The SLO revision - example: 2 - type: number - settings: - $ref: '#/components/schemas/SLOs_settings' - summary: - $ref: '#/components/schemas/SLOs_summary' - tags: - description: List of tags - items: - type: string - type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - updatedAt: - description: The last update date - example: '2023-01-12T10:03:19.000Z' + description: The service account credentials JSON file. The service account should have Vertex AI user IAM role assigned to it. + resilient_secrets: + title: Connector secrets properties for IBM Resilient connector + required: + - apiKeyId + - apiKeySecret + description: Defines secrets for connectors when type is `.resilient`. + type: object + properties: + apiKeyId: type: string - version: - description: The internal SLO version - example: 2 - type: number + description: The authentication key ID for HTTP Basic authentication. + apiKeySecret: + type: string + description: The authentication key secret for HTTP Basic authentication. + jira_secrets: + title: Connector secrets properties for a Jira connector required: - - id - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - - settings - - revision - - summary - - enabled - - groupBy - - instanceId - - tags - - createdAt - - updatedAt - - version - SLOs_summary: - description: The SLO computed data + - apiToken + - email + description: Defines secrets for connectors when type is `.jira`. 
+ type: object properties: - errorBudget: - $ref: '#/components/schemas/SLOs_error_budget' - sliValue: - example: 0.9836 - type: number - status: - $ref: '#/components/schemas/SLOs_summary_status' + apiToken: + description: The Jira API authentication token for HTTP basic authentication. + type: string + email: + description: The account email for HTTP Basic authentication. + type: string + teams_secrets: + title: Connector secrets properties for a Microsoft Teams connector + description: Defines secrets for connectors when type is `.teams`. + type: object required: - - status - - sliValue - - errorBudget - title: Summary + - webhookUrl + properties: + webhookUrl: + type: string + description: | + The URL of the incoming webhook. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + genai_secrets: + title: Connector secrets properties for an OpenAI connector + description: | + Defines secrets for connectors when type is `.gen-ai`. Supports both API key authentication (OpenAI, Azure OpenAI, and `Other`) and PKI authentication (`Other` provider only). PKI fields must be base64-encoded PEM content. type: object - SLOs_summary_status: - enum: - - NO_DATA - - HEALTHY - - DEGRADING - - VIOLATED - example: HEALTHY - title: summary status - type: string - SLOs_time_window: - description: Defines properties for the SLO time window + properties: + apiKey: + type: string + description: | + The API key for authentication. For OpenAI and Azure OpenAI providers, it is required. For the `Other` provider, it is required if you do not use PKI authentication. With PKI, you can also optionally include an API key if the OpenAI-compatible service supports or requires one. + certificateData: + type: string + description: | + Base64-encoded PEM certificate content for PKI authentication (Other provider only). Required for PKI. 
+ minLength: 1 + privateKeyData: + type: string + description: | + Base64-encoded PEM private key content for PKI authentication (Other provider only). Required for PKI. + minLength: 1 + caData: + type: string + description: | + Base64-encoded PEM CA certificate content for PKI authentication (Other provider only). Optional. + minLength: 1 + opsgenie_secrets: + title: Connector secrets properties for an Opsgenie connector + required: + - apiKey + description: Defines secrets for connectors when type is `.opsgenie`. type: object properties: - duration: - description: >- - the duration formatted as {duration}{unit}. Accepted values for - rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w - (weekly) or 1M (monthly) - example: 30d + apiKey: + description: The Opsgenie API authentication key for HTTP Basic authentication. type: string - type: - description: >- - Indicates weither the time window is a rolling or a calendar aligned - time window. - enum: - - rolling - - calendarAligned - example: rolling + pagerduty_secrets: + title: Connector secrets properties for a PagerDuty connector + description: Defines secrets for connectors when type is `.pagerduty`. + type: object + required: + - routingKey + properties: + routingKey: + description: | + A 32 character PagerDuty Integration Key for an integration on a service. type: string + sentinelone_secrets: + title: Connector secrets properties for a SentinelOne connector + description: Defines secrets for connectors when type is `.sentinelone`. + type: object required: - - duration - - type - title: Time window - SLOs_timeslice_metric_basic_metric_with_field: + - token + properties: + token: + description: The A SentinelOne API token. + type: string + servicenow_secrets: + title: Connector secrets properties for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors + description: Defines secrets for connectors when type is `.servicenow`, `.servicenow-sir`, or `.servicenow-itom`. 
type: object properties: - aggregation: - description: The aggregation type of the metric. - enum: - - sum - - avg - - min - - max - - std_deviation - - last_value - - cardinality - example: sum + clientSecret: type: string - field: - description: The field of the metric. - example: processor.processed + description: The client secret assigned to your OAuth application. This property is required when `isOAuth` is `true`. + password: type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' + description: The password for HTTP basic authentication. This property is required when `isOAuth` is `false`. + privateKey: type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ + description: The RSA private key that you created for use in ServiceNow. This property is required when `isOAuth` is `true`. + privateKeyPassword: + type: string + description: The password for the RSA private key. This property is required when `isOAuth` is `true` and you set a password on your private key. + username: type: string + description: The username for HTTP basic authentication. This property is required when `isOAuth` is `false`. + slack_api_secrets: + title: Connector secrets properties for a Web API Slack connector + description: Defines secrets for connectors when type is `.slack`. required: - - name - - aggregation - - field - title: Timeslice Metric Basic Metric with Field - SLOs_timeslice_metric_doc_count_metric: + - token type: object properties: - aggregation: - description: The aggregation type of the metric. Only valid option is "doc_count" - enum: - - doc_count - example: doc_count - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' + token: type: string - name: - description: The name of the metric. 
Only valid options are A-Z - example: A - pattern: ^[A-Z]$ + description: Slack bot user OAuth token. + swimlane_secrets: + title: Connector secrets properties for a Swimlane connector + description: Defines secrets for connectors when type is `.swimlane`. + type: object + properties: + apiToken: + description: Swimlane API authentication token. type: string + thehive_secrets: + title: Connector secrets properties for a TheHive connector + description: Defines secrets for connectors when type is `.thehive`. required: - - name - - aggregation - title: Timeslice Metric Doc Count Metric - SLOs_timeslice_metric_percentile_metric: + - apiKey type: object properties: - aggregation: - description: >- - The aggregation type of the metric. Only valid option is - "percentile" - enum: - - percentile - example: percentile - type: string - field: - description: The field of the metric. - example: processor.processed + apiKey: type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' + description: The API key for authentication in TheHive. + tines_secrets: + title: Connector secrets properties for a Tines connector + description: Defines secrets for connectors when type is `.tines`. + type: object + required: + - email + - token + properties: + email: + description: The email used to sign in to Tines. type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ + token: + description: The Tines API token. type: string - percentile: - description: The percentile value. - example: 95 - type: number + torq_secrets: + title: Connector secrets properties for a Torq connector + description: Defines secrets for connectors when type is `.torq`. 
+ type: object required: - - name - - aggregation - - field - - percentile - title: Timeslice Metric Percentile Metric - SLOs_update_slo_request: - description: > - The update SLO API request body varies depending on the type of - indicator, time window and budgeting method. Partial update is handled. + - token properties: - artifacts: - $ref: '#/components/schemas/SLOs_artifacts' - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - description: - description: A description for the SLO. + token: + description: The secret of the webhook authentication header. type: string - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - indicator: - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - name: - description: A name for the SLO. + crt: + title: Certificate + type: string + description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the CRT or CERT file. + key: + title: Certificate key + type: string + description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the KEY file. + pfx: + title: Personal information exchange + type: string + description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-pfx`, it is a base64 encoded version of the PFX or P12 file. + webhook_secrets: + title: Connector secrets properties for a Webhook connector + description: Defines secrets for connectors when type is `.webhook`. 
+ type: object + properties: + crt: + $ref: '#/components/schemas/crt' + key: + $ref: '#/components/schemas/key' + pfx: + $ref: '#/components/schemas/pfx' + password: type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags - items: - type: string - type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - title: Update SLO request + description: | + The password for HTTP basic authentication or the passphrase for the SSL certificate files. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. + user: + type: string + description: | + The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. + cases_webhook_secrets: + title: Connector secrets properties for Webhook - Case Management connector type: object - Synthetics_browserMonitorFields: - allOf: - - $ref: '#/components/schemas/Synthetics_commonMonitorFields' - - additionalProperties: true - type: object - properties: - ignore_https_errors: - default: false - description: Ignore HTTPS errors. - type: boolean - inline_script: - description: The inline script. - type: string - playwright_options: - description: Playwright options. - type: object - screenshots: - default: 'on' - description: The screenshot option. - enum: - - 'on' - - 'off' - - only-on-failure - type: string - synthetics_args: - description: Synthetics agent CLI arguments. - items: - type: string - type: array - type: - description: The monitor type. 
- enum: - - browser - type: string - required: - - inline_script - - type - title: Browser monitor fields - Synthetics_commonMonitorFields: - title: Common monitor fields + properties: + crt: + $ref: '#/components/schemas/crt' + key: + $ref: '#/components/schemas/key' + pfx: + $ref: '#/components/schemas/pfx' + password: + type: string + description: | + The password for HTTP basic authentication. If `hasAuth` is set to `true` and and `authType` is `webhook-authentication-basic`, this property is required. + user: + type: string + description: | + The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. + xmatters_secrets: + title: Connector secrets properties for an xMatters connector + description: Defines secrets for connectors when type is `.xmatters`. type: object properties: - alert: - description: > - The alert configuration. The default is `{ status: { enabled: true - }, tls: { enabled: true } }`. + password: + description: | + A user name for HTTP basic authentication. It is applicable only when `usesBasic` is `true`. + type: string + secretsUrl: + description: | + The request URL for the Elastic Alerts trigger in xMatters with the API key included in the URL. It is applicable only when `usesBasic` is `false`. + type: string + user: + description: | + A password for HTTP basic authentication. It is applicable only when `usesBasic` is `true`. + type: string + genai_openai_other_config: + title: Connector request properties for an OpenAI connector with Other provider + description: | + Defines properties for connectors when type is `.gen-ai` and the API provider is `Other` (OpenAI-compatible service), including optional PKI authentication. + type: object + required: + - apiProvider + - apiUrl + - defaultModel + properties: + apiProvider: + type: string + description: The OpenAI API provider. 
+ enum: + - Other + apiUrl: + type: string + description: The OpenAI-compatible API endpoint. + defaultModel: + type: string + description: The default model to use for requests. + certificateData: + type: string + description: PEM-encoded certificate content. + minLength: 1 + privateKeyData: + type: string + description: PEM-encoded private key content. + minLength: 1 + caData: + type: string + description: PEM-encoded CA certificate content. + minLength: 1 + verificationMode: + type: string + description: SSL verification mode for PKI authentication. + enum: + - full + - certificate + - none + default: full + headers: type: object - enabled: - default: true - description: Specify whether the monitor is enabled. - type: boolean - labels: + description: Custom headers to include in requests. additionalProperties: type: string - description: > - Key-value pairs of labels to associate with the monitor. Labels can - be used for filtering and grouping monitors. - type: object - locations: - description: > - The location to deploy the monitor. - - Monitors can be deployed in multiple locations so that you can - detect differences in availability and response times across those - locations. - - To list available locations you can: - - - - Run the `elastic-synthetics locations` command with the - deployment's Kibana URL. - - - Go to *Synthetics > Management* and click *Create monitor*. - Locations will be listed in *Locations*. - externalDocs: - url: >- - https://github.com/elastic/synthetics/blob/main/src/locations/public-locations.ts - items: - type: string - type: array - name: - description: The monitor name. + defender_secrets: + title: Connector secrets properties for a Microsoft Defender for Endpoint connector + required: + - clientSecret + description: Defines secrets for connectors when type is `..microsoft_defender_endpoint`. + type: object + properties: + clientSecret: + description: The client secret for your app in the Azure portal. 
type: string - namespace: - default: default - description: > - The namespace field should be lowercase and not contain spaces. The - namespace must not include any of the following characters: `*`, - `\`, `/`, `?`, `"`, `<`, `>`, `|`, whitespace, `,`, `#`, `:`, or - `-`. + run_acknowledge_resolve_pagerduty: + title: PagerDuty connector parameters + description: Test an action that acknowledges or resolves a PagerDuty alert. + type: object + required: + - dedupKey + - eventAction + properties: + dedupKey: + description: The deduplication key for the PagerDuty alert. type: string - params: - description: The monitor parameters. + maxLength: 255 + eventAction: + description: The type of event. type: string - private_locations: - description: > - The private locations to which the monitors will be deployed. - - These private locations refer to locations hosted and managed by - you, whereas `locations` are hosted by Elastic. - - You can specify a private location using the location's name. - - To list available private locations you can: - - - - Run the `elastic-synthetics locations` command with the - deployment's Kibana URL. - - - Go to *Synthetics > Settings* and click *Private locationsr*. - Private locations will be listed in the table. - - - > info - - > You can provide `locations` or `private_locations` or both. At - least one is required. + enum: + - acknowledge + - resolve + run_documents: + title: Index connector parameters + description: Test an action that indexes a document into Elasticsearch. + type: object + required: + - documents + properties: + documents: + type: array + description: The documents in JSON format for index connectors. + items: + type: object + additionalProperties: true + run_message_email: + title: Email connector parameters + description: | + Test an action that sends an email message. There must be at least one recipient in `to`, `cc`, or `bcc`. 
+ type: object + required: + - message + - subject + properties: + bcc: + type: array items: type: string + description: | + A list of "blind carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in name `` format + cc: type: array - retest_on_failure: - default: true - description: > - Turn retesting for when a monitor fails on or off. By default, - monitors are automatically retested if the monitor goes from "up" to - "down". If the result of the retest is also "down", an error will be - created and if configured, an alert sent. The monitor will then - resume running according to the defined schedule. Using - `retest_on_failure` can reduce noise related to transient problems. - type: boolean - schedule: - description: > - The monitor's schedule in minutes. Supported values are `1`, `3`, - `5`, `10`, `15`, `30`, `60`, `120`, and `240`. The default value is - `3` minutes for HTTP, TCP, and ICMP monitors. The default value is - `10` minutes for Browser monitors. - type: number - service.name: - description: The APM service name. - type: string - tags: - description: An array of tags. items: type: string + description: | + A list of "carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in name `` format + message: + type: string + description: The email message text. Markdown format is supported. + subject: + type: string + description: The subject line of the email. + to: type: array - timeout: - default: 16 - description: > - The monitor timeout in seconds. The monitor will fail if it doesn't - complete within this time. - - - For browser monitors, the minimum timeout is 30 seconds. Browser - monitor timeouts are only applied when the monitor runs on private - locations. If a browser monitor specifies a timeout but has no - private locations configured, the timeout will have no effect and a - warning will be returned in the response. - type: number + description: | + A list of email addresses. 
Addresses can be specified in `user@host-name` format or in name `` format. + items: + type: string + run_message_serverlog: + title: Server log connector parameters + description: Test an action that writes an entry to the Kibana server log. + type: object required: - - name - Synthetics_getParameterResponse: - title: Get parameter response + - message + properties: + level: + type: string + description: The log level of the message for server log connectors. + enum: + - debug + - error + - fatal + - info + - trace + - warn + default: info + message: + type: string + description: The message for server log connectors. + run_message_slack: + title: Slack connector parameters + description: | + Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack`. type: object + required: + - message properties: - description: - description: > - The description of the parameter. It is included in the response if - the user has read-only permissions to the Synthetics app. + message: type: string - id: - description: The unique identifier of the parameter. + description: The Slack message text, which cannot contain Markdown, images, or other advanced formatting. + run_trigger_pagerduty: + title: PagerDuty connector parameters + description: Test an action that triggers a PagerDuty alert. + type: object + required: + - eventAction + properties: + class: + description: The class or type of the event. type: string - key: - description: The key of the parameter. + example: cpu load + component: + description: The component of the source machine that is responsible for the event. type: string - namespaces: - description: > - The namespaces associated with the parameter. It is included in the - response if the user has read-only permissions to the Synthetics - app. - items: - type: string + example: eth0 + customDetails: + description: Additional details to add to the event. 
+ type: object + dedupKey: + description: | + All actions sharing this key will be associated with the same PagerDuty alert. This value is used to correlate trigger and resolution. + type: string + maxLength: 255 + eventAction: + description: The type of event. + type: string + enum: + - trigger + group: + description: The logical grouping of components of a service. + type: string + example: app-stack + links: + description: A list of links to add to the event. type: array - tags: - description: > - An array of tags associated with the parameter. It is included in - the response if the user has read-only permissions to the Synthetics - app. items: - type: string - type: array - value: - description: > - The value associated with the parameter. It will be included in the - response if the user has write permissions. + type: object + properties: + href: + description: The URL for the link. + type: string + text: + description: A plain text description of the purpose of the link. + type: string + severity: + description: The severity of the event on the affected system. type: string - Synthetics_getPrivateLocation: - additionalProperties: true + enum: + - critical + - error + - info + - warning + default: info + source: + description: | + The affected system, such as a hostname or fully qualified domain name. Defaults to the Kibana saved object id of the action. + type: string + summary: + description: A summery of the event. + type: string + maxLength: 1024 + timestamp: + description: An ISO-8601 timestamp that indicates when the event was detected or generated. + type: string + format: date-time + run_addevent: + title: The addEvent subaction + type: object + required: + - subAction + description: The `addEvent` subaction for ServiceNow ITOM connectors. properties: - agentPolicyId: - description: The ID of the agent policy associated with the private location. + subAction: type: string - geo: - description: Geographic coordinates (WGS84) for the location. 
+ description: The action to test. + enum: + - addEvent + subActionParams: type: object + description: The set of configuration properties for the action. properties: - lat: - description: The latitude of the location. - type: number - lon: - description: The longitude of the location. - type: number - required: - - lat - - lon - id: - description: The unique identifier of the private location. - type: string - isInvalid: - description: > - Indicates whether the location is invalid. If `true`, the location - is invalid, which means the agent policy associated with the - location is deleted. - type: boolean - label: - description: A label for the private location. - type: string - namespace: - description: >- - The namespace of the location, which is the same as the namespace of - the agent policy associated with the location. + additional_info: + type: string + description: Additional information about the event. + description: + type: string + description: The details about the event. + event_class: + type: string + description: A specific instance of the source. + message_key: + type: string + description: All actions sharing this key are associated with the same ServiceNow alert. The default value is `:`. + metric_name: + type: string + description: The name of the metric. + node: + type: string + description: The host that the event was triggered for. + resource: + type: string + description: The name of the resource. + severity: + type: string + description: The severity of the event. + source: + type: string + description: The name of the event source type. + time_of_event: + type: string + description: The time of the event. + type: + type: string + description: The type of event. + run_closealert: + title: The closeAlert subaction + type: object + required: + - subAction + - subActionParams + description: The `closeAlert` subaction for Opsgenie connectors. 
+ properties: + subAction: type: string - title: Post a private location + description: The action to test. + enum: + - closeAlert + subActionParams: + type: object + required: + - alias + properties: + alias: + type: string + description: The unique identifier used for alert deduplication in Opsgenie. The alias must match the value used when creating the alert. + note: + type: string + description: Additional information for the alert. + source: + type: string + description: The display name for the source of the alert. + user: + type: string + description: The display name for the owner. + run_closeincident: + title: The closeIncident subaction type: object - Synthetics_httpMonitorFields: - allOf: - - $ref: '#/components/schemas/Synthetics_commonMonitorFields' - - additionalProperties: true + required: + - subAction + - subActionParams + description: The `closeIncident` subaction for ServiceNow ITSM connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - closeIncident + subActionParams: type: object + required: + - incident properties: - check: - description: The check request settings. + incident: type: object + anyOf: + - required: + - correlation_id + - required: + - externalId properties: - request: - description: An optional request to send to the remote host. - type: object - properties: - body: - description: Optional request body content. - type: string - headers: - description: > - A dictionary of additional HTTP headers to send. By - default, Synthetics will set the User-Agent header to - identify itself. - type: object - method: - description: The HTTP method to use. - enum: - - HEAD - - GET - - POST - - OPTIONS - type: string - response: - additionalProperties: true - description: The expected response. - type: object - properties: - body: - type: object - headers: - description: >- - A dictionary of expected HTTP headers. If the header is - not found, the check fails. 
- type: object - ipv4: - default: true - description: If `true`, ping using the ipv4 protocol. - type: boolean - ipv6: - default: true - description: If `true`, ping using the ipv6 protocol. - type: boolean - max_redirects: - default: 0 - description: The maximum number of redirects to follow. - type: number - mode: - default: any - description: > - The mode of the monitor. If it is `all`, the monitor pings all - resolvable IPs for a hostname. If it is `any`, the monitor pings - only one IP address for a hostname. If you're using a DNS-load - balancer and want to ping every IP address for the specified - hostname, you should use `all`. + correlation_id: + type: string + nullable: true + description: | + An identifier that is assigned to the incident when it is created by the connector. NOTE: If you use the default value and the rule generates multiple alerts that use the same alert IDs, the latest open incident for this correlation ID is closed unless you specify the external ID. + maxLength: 100 + default: '{{rule.id}}:{{alert.id}}' + externalId: + type: string + nullable: true + description: The unique identifier (`incidentId`) for the incident in ServiceNow. + run_createalert: + title: The createAlert subaction + type: object + required: + - subAction + - subActionParams + description: The `createAlert` subaction for Opsgenie and TheHive connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - createAlert + subActionParams: + type: object + properties: + actions: + type: array + description: The custom actions available to the alert in Opsgenie connectors. + items: + type: string + alias: + type: string + description: The unique identifier used for alert deduplication in Opsgenie. + description: + type: string + description: A description that provides detailed information about the alert. + details: + type: object + description: The custom properties of the alert in Opsgenie connectors. 
+ additionalProperties: true + example: + key1: value1 + key2: value2 + entity: + type: string + description: The domain of the alert in Opsgenie connectors. For example, the application or server name. + message: + type: string + description: The alert message in Opsgenie connectors. + note: + type: string + description: Additional information for the alert in Opsgenie connectors. + priority: + type: string + description: The priority level for the alert in Opsgenie connectors. enum: - - all - - any + - P1 + - P2 + - P3 + - P4 + - P5 + responders: + type: array + description: | + The entities to receive notifications about the alert in Opsgenie connectors. If `type` is `user`, either `id` or `username` is required. If `type` is `team`, either `id` or `name` is required. + items: + type: object + properties: + id: + type: string + description: The identifier for the entity. + name: + type: string + description: The name of the entity. + type: + type: string + description: The type of responders, in this case `escalation`. + enum: + - escalation + - schedule + - team + - user + username: + type: string + description: A valid email address for the user. + severity: + type: integer + minimum: 1 + maximum: 4 + description: | + The severity of the incident for TheHive connectors. The value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium). + source: type: string - password: - description: > - The password for authenticating with the server. The credentials - are passed with the request. + description: The display name for the source of the alert in Opsgenie and TheHive connectors. + sourceRef: type: string - proxy_headers: - description: Additional headers to send to proxies during CONNECT requests. - type: object - proxy_url: - description: The URL of the proxy to use for this monitor. + description: A source reference for the alert in TheHive connectors. 
+ tags: + type: array + description: The tags for the alert in Opsgenie and TheHive connectors. + items: + type: string + title: type: string - response: - description: >- - Controls the indexing of the HTTP response body contents to the - `http.response.body.contents field`. - type: object - ssl: - description: > - The TLS/SSL connection settings for use with the HTTPS endpoint. - If you don't specify settings, the system defaults are used. - type: object + description: | + A title for the incident for TheHive connectors. It is used for searching the contents of the knowledge base. + tlp: + type: integer + minimum: 0 + maximum: 4 + default: 2 + description: | + The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red). type: - description: The monitor type. - enum: - - http - type: string - url: - description: The URL to monitor. type: string - username: - description: > - The username for authenticating with the server. The credentials - are passed with the request. + description: The type of alert in TheHive connectors. + user: type: string - required: - - type - - url - title: HTTP monitor fields - Synthetics_icmpMonitorFields: - allOf: - - $ref: '#/components/schemas/Synthetics_commonMonitorFields' - - additionalProperties: true + description: The display name for the owner. + visibleTo: + type: array + description: The teams and users that the alert will be visible to without sending a notification. Only one of `id`, `name`, or `username` is required. + items: + type: object + required: + - type + properties: + id: + type: string + description: The identifier for the entity. + name: + type: string + description: The name of the entity. + type: + type: string + description: Valid values are `team` and `user`. + enum: + - team + - user + username: + type: string + description: The user name. This property is required only when the `type` is `user`. 
+ run_fieldsbyissuetype: + title: The fieldsByIssueType subaction + type: object + required: + - subAction + - subActionParams + description: The `fieldsByIssueType` subaction for Jira connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - fieldsByIssueType + subActionParams: type: object + required: + - id properties: - host: - description: The host to ping. - type: string - type: - description: The monitor type. - enum: - - icmp + id: type: string - wait: - default: 1 - description: The wait time in seconds. - type: number - required: - - host - - type - title: ICMP monitor fields - Synthetics_monitorWarning: - title: Monitor warning + description: The Jira issue type identifier. + example: 10024 + run_getagentdetails: + title: The getAgentDetails subaction type: object + required: + - subAction + - subActionParams + description: The `getAgentDetails` subaction for CrowdStrike connectors. properties: - message: - description: A human-readable warning message. - type: string - monitorId: - description: The monitor ID associated with the warning. + subAction: type: string - publicLocationIds: - description: The public location IDs associated with the warning. - items: - type: string - type: array - Synthetics_parameterRequest: - title: Parameter request + description: The action to test. + enum: + - getAgentDetails + subActionParams: + type: object + description: The set of configuration properties for the action. + required: + - ids + properties: + ids: + type: array + description: An array of CrowdStrike agent identifiers. + items: + type: string + run_getagents: + title: The getAgents subaction type: object + required: + - subAction + description: The `getAgents` subaction for SentinelOne connectors. properties: - description: - description: A description of the parameter. - type: string - key: - description: The key of the parameter. 
- type: string - share_across_spaces: - description: Specify whether the parameter should be shared across spaces. - type: boolean - tags: - description: An array of tags to categorize the parameter. - items: - type: string - type: array - value: - description: The value associated with the parameter. + subAction: type: string - required: - - key - - value - Synthetics_postParameterResponse: - title: Post parameter response + description: The action to test. + enum: + - getAgents + run_getchoices: + title: The getChoices subaction type: object + required: + - subAction + - subActionParams + description: The `getChoices` subaction for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors. properties: - description: - description: A description of the parameter. - type: string - id: - description: The unique identifier for the parameter. + subAction: type: string - key: - description: The parameter key. + description: The action to test. + enum: + - getChoices + subActionParams: + type: object + description: The set of configuration properties for the action. + required: + - fields + properties: + fields: + type: array + description: An array of fields. + items: + type: string + run_getfields: + title: The getFields subaction + type: object + required: + - subAction + description: The `getFields` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors. + properties: + subAction: type: string - share_across_spaces: - description: Indicates whether the parameter is shared across spaces. - type: boolean - tags: - description: An array of tags associated with the parameter. - items: - type: string - type: array - value: - description: The value associated with the parameter. + description: The action to test. + enum: + - getFields + run_getincident: + title: The getIncident subaction + type: object + description: The `getIncident` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors. 
+ required: + - subAction + - subActionParams + properties: + subAction: type: string - Synthetics_tcpMonitorFields: - allOf: - - $ref: '#/components/schemas/Synthetics_commonMonitorFields' - - additionalProperties: true + description: The action to test. + enum: + - getIncident + subActionParams: type: object + required: + - externalId properties: - host: - description: > - The host to monitor; it can be an IP address or a hostname. The - host can include the port using a colon, for example - "example.com:9200". - type: string - proxy_url: - description: > - The URL of the SOCKS5 proxy to use when connecting to the - server. The value must be a URL with a scheme of `socks5://`. If - the SOCKS5 proxy server requires client authentication, then a - username and password can be embedded in the URL. When using a - proxy, hostnames are resolved on the proxy server instead of on - the client. You can change this behavior by setting the - `proxy_use_local_resolver` option. + externalId: type: string - proxy_use_local_resolver: - default: false - description: > - Specify that hostnames are resolved locally instead of being - resolved on the proxy server. If `false`, name resolution occurs - on the proxy server. - type: boolean - ssl: - description: > - The TLS/SSL connection settings for use with the HTTPS endpoint. - If you don't specify settings, the system defaults are used. - type: object - type: - description: The monitor type. - enum: - - tcp + description: The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. + example: 71778 + run_issue: + title: The issue subaction + type: object + required: + - subAction + description: The `issue` subaction for Jira connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - issue + subActionParams: + type: object + required: + - id + properties: + id: type: string + description: The Jira issue identifier. 
+ example: 71778 + run_issues: + title: The issues subaction + type: object + required: + - subAction + - subActionParams + description: The `issues` subaction for Jira connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - issues + subActionParams: + type: object required: - - host - - type - title: TCP monitor fields - Task_manager_health_APIs_configuration: - description: > - This object summarizes the current configuration of Task Manager. This - includes dynamic configurations that change over time, such as - `poll_interval` and `max_workers`, which can adjust in reaction to - changing load on the system. + - title + properties: + title: + type: string + description: The title of the Jira issue. + run_issuetypes: + title: The issueTypes subaction type: object - Task_manager_health_APIs_health_response: - title: Task health response properties + required: + - subAction + description: The `issueTypes` subaction for Jira connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - issueTypes + run_postmessage: + title: The postMessage subaction type: object + description: | + Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack_api`. + required: + - subAction + - subActionParams properties: - id: + subAction: type: string - last_update: + description: The action to test. + enum: + - postMessage + subActionParams: + type: object + description: The set of configuration properties for the action. + properties: + channelIds: + type: array + maxItems: 1 + description: | + The Slack channel identifier, which must be one of the `allowedChannels` in the connector configuration. + items: + type: string + channels: + type: array + deprecated: true + description: | + The name of a channel that your Slack app has access to. + maxItems: 1 + items: + type: string + text: + type: string + description: | + The Slack message text. 
If it is a Slack webhook connector, the text cannot contain Markdown, images, or other advanced formatting. If it is a Slack web API connector, it can contain either plain text or block kit messages. + minLength: 1 + run_pushtoservice: + title: The pushToService subaction + type: object + required: + - subAction + - subActionParams + description: The `pushToService` subaction for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors. + properties: + subAction: type: string - stats: + description: The action to test. + enum: + - pushToService + subActionParams: type: object + description: The set of configuration properties for the action. properties: - capacity_estimation: - description: > - This object provides a rough estimate about the sufficiency of - its capacity. These are estimates based on historical data and - should not be used as predictions. - type: object - configuration: - $ref: '#/components/schemas/Task_manager_health_APIs_configuration' - runtime: - description: > - This object tracks runtime performance of Task Manager, tracking - task drift, worker load, and stats broken down by type, - including duration and run results. + comments: + type: array + description: Additional information that is sent to Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, or TheHive. + items: + type: object + properties: + comment: + type: string + description: A comment related to the incident. For example, describe how to troubleshoot the issue. + commentId: + type: integer + description: A unique identifier for the comment. + incident: type: object - workload: - $ref: '#/components/schemas/Task_manager_health_APIs_workload' - status: - type: string - timestamp: - type: string - Task_manager_health_APIs_workload: - description: > - This object summarizes the work load across the cluster, including the - tasks in the system, their types, and current status. 
+ description: Information necessary to create or update a Jira, ServiceNow ITSM, ServiveNow SecOps, Swimlane, or TheHive incident. + properties: + additional_fields: + type: string + nullable: true + maxLength: 20 + description: | + Additional fields for ServiceNow ITSM and ServiveNow SecOps connectors. The fields must exist in the Elastic ServiceNow application and must be specified in JSON format. + alertId: + type: string + description: The alert identifier for Swimlane connectors. + caseId: + type: string + description: The case identifier for the incident for Swimlane connectors. + caseName: + type: string + description: The case name for the incident for Swimlane connectors. + category: + type: string + description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. + correlation_display: + type: string + description: A descriptive label of the alert for correlation purposes for ServiceNow ITSM and ServiceNow SecOps connectors. + correlation_id: + type: string + description: | + The correlation identifier for the security incident for ServiceNow ITSM and ServiveNow SecOps connectors. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as `{{ruleID}}:{{alert ID}}` to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters. NOTE: Using the default configuration of `{{ruleID}}:{{alert ID}}` ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert. 
+ description: + type: string + description: The description of the incident for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors. + dest_ip: + description: | + A list of destination IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident. + oneOf: + - type: string + - type: array + items: + type: string + externalId: + type: string + description: | + The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. If present, the incident is updated. Otherwise, a new incident is created. + id: + type: string + description: The external case identifier for Webhook - Case Management connectors. + impact: + type: string + description: The impact of the incident for ServiceNow ITSM connectors. + issueType: + type: integer + description: The type of incident for Jira connectors. For example, 10006. To obtain the list of valid values, set `subAction` to `issueTypes`. + labels: + type: array + items: + type: string + description: | + The labels for the incident for Jira connectors. NOTE: Labels cannot contain spaces. + malware_hash: + description: A list of malware hashes related to the security incident for ServiceNow SecOps connectors. The hashes are added as observables to the security incident. + oneOf: + - type: string + - type: array + items: + type: string + malware_url: + type: string + description: A list of malware URLs related to the security incident for ServiceNow SecOps connectors. The URLs are added as observables to the security incident. + oneOf: + - type: string + - type: array + items: + type: string + otherFields: + type: object + additionalProperties: true + maxProperties: 20 + description: | + Custom field identifiers and their values for Jira connectors. + parent: + type: string + description: The ID or key of the parent issue for Jira connectors. Applies only to `Sub-task` types of issues. 
+ priority: + type: string + description: The priority of the incident in Jira and ServiceNow SecOps connectors. + ruleName: + type: string + description: The rule name for Swimlane connectors. + severity: + type: integer + description: | + The severity of the incident for ServiceNow ITSM, Swimlane, and TheHive connectors. In TheHive connectors, the severity value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium). + short_description: + type: string + description: | + A short description of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. It is used for searching the contents of the knowledge base. + source_ip: + description: A list of source IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident. + oneOf: + - type: string + - type: array + items: + type: string + status: + type: string + description: The status of the incident for Webhook - Case Management connectors. + subcategory: + type: string + description: The subcategory of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. + summary: + type: string + description: A summary of the incident for Jira connectors. + tags: + type: array + items: + type: string + description: A list of tags for TheHive and Webhook - Case Management connectors. + title: + type: string + description: | + A title for the incident for Jira, TheHive, and Webhook - Case Management connectors. It is used for searching the contents of the knowledge base. + tlp: + type: integer + minimum: 0 + maximum: 4 + default: 2 + description: | + The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red). + urgency: + type: string + description: The urgency of the incident for ServiceNow ITSM connectors. 
+ run_validchannelid: + title: The validChannelId subaction type: object + description: | + Retrieves information about a valid Slack channel identifier. It is applicable only when the connector type is `.slack_api`. + required: + - subAction + - subActionParams + properties: + subAction: + type: string + description: The action to test. + enum: + - validChannelId + subActionParams: + type: object + required: + - channelId + properties: + channelId: + type: string + description: The Slack channel identifier. + example: C123ABC456 securitySchemes: apiKeyAuth: - description: > - These APIs use key-based authentication. You must create an API key and - use the encoded value in the request header. For example: - `Authorization: ApiKey base64AccessApiKey` + description: | + These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: `Authorization: ApiKey base64AccessApiKey` in: header name: Authorization type: apiKey basicAuth: scheme: basic type: http -security: - - apiKeyAuth: [] - - basicAuth: [] -tags: - - description: | - Adjust APM agent configuration without need to redeploy your application. - name: APM agent configuration - - description: > - Configure APM agent keys to authorize requests from APM agents to the APM - Server. - name: APM agent keys - - description: > - Annotate visualizations in the APM app with significant events. - Annotations enable you to easily see how events are impacting the - performance of your applications. - name: APM annotations - - description: Create APM fleet server schema. - name: APM server schema - - description: > - Configure APM source maps. A source map allows minified files to be mapped - back to original source code--allowing you to maintain the speed advantage - of minified code, without losing the ability to quickly and easily debug - your application. 
- - For best results, uploading source maps should become a part of your - deployment procedure, and not something you only do when you see unhelpful - errors. That's because uploading source maps after errors happen won't - make old errors magically readable--errors must occur again for source - mapping to occur. - name: APM sourcemaps - - description: Case APIs enable you to open and track issues. - name: cases - - description: >- - Data view APIs enable you to manage data views, formerly known as Kibana - index patterns. - name: data views - - description: > - Programmatically integrate with Logstash configuration management. - - > warn - - > Do not directly access the `.logstash` index. The structure of the - `.logstash` index is subject to change, which could cause your integration - to break. Instead, use the Logstash configuration management APIs. - externalDocs: - description: Centralized pipeline management - url: >- - https://www.elastic.co/docs/reference/logstash/logstash-centralized-pipeline-management - name: logstash - x-displayName: Logstash configuration management - - description: Machine learning - name: ml - - description: Interact with the Observability AI Assistant resources. - externalDocs: - description: Observability AI Assistant - url: >- - https://www.elastic.co/docs/solutions/observability/observability-ai-assistant - name: observability_ai_assistant - x-displayName: Observability AI Assistant - - description: Manage and interact with Security Assistant resources. - name: Security AI Assistant API - x-displayName: Security AI assistant - - description: >- - Use the Attack discovery APIs to generate and manage Attack discoveries. - Attack Discovery leverages large language models (LLMs) to analyze alerts - in your environment and identify threats. 
Each "discovery" represents a - potential attack and describes relationships among multiple alerts to tell - you which users and hosts are involved, how alerts correspond to the MITRE - ATT&CK matrix, and which threat actor might be responsible. - name: Security Attack discovery API - x-displayName: Security Attack discovery - - description: > - Use the detections APIs to create and manage detection rules. Detection - rules search events and external alerts sent to Elastic Security and - generate detection alerts from any hits. Alerts are displayed on the - **Alerts** page and can be assigned and triaged, using the alert status to - mark them as open, closed, or acknowledged. - - - This API supports both key-based authentication and basic authentication. - - - To use key-based authentication, create an API key, then specify the key - in the header of your API calls. - - - To use basic authentication, provide a username and password; this - automatically creates an API key that matches the current user’s - privileges. - - - In both cases, the API key is subsequently used for authorization when the - rule runs. - - > warn - - > If the API key used for authorization has different privileges than the - key that created or most recently updated a rule, the rule behavior might - change. - - - > If the API key that created a rule is deleted, or the user that created - the rule becomes inactive, the rule will stop running. - - - To create and run rules, the user must meet specific requirements for the - Kibana space. Refer to the [Detections - requirements](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html) - for a complete list of requirements. - name: Security Detections API - x-displayName: Security detections - - description: >- - Endpoint Exceptions API allows you to manage detection rule endpoint - exceptions to prevent a rule from generating an alert from incoming events - even when the rule's other criteria are met. 
- name: Security Endpoint Exceptions API - x-displayName: Security Elastic Endpoint exceptions - - description: Interact with and manage endpoints running the Elastic Defend integration. - name: Security Endpoint Management API - x-displayName: Security endpoint management - - description: '' - name: Security Entity Analytics API - x-displayName: Security entity analytics - - description: > - Exceptions are associated with detection and endpoint rules, and are used - to prevent a rule from generating an alert from incoming events, even when - the rule's other criteria are met. They can help reduce the number of - false positives and prevent trusted processes and network activity from - generating unnecessary alerts. - - - Exceptions are made up of: - - - * **Exception containers**: A container for related exceptions. Generally, - a single exception container contains all the exception items relevant for - a subset of rules. For example, a container can be used to group together - network-related exceptions that are relevant for a large number of network - rules. The container can then be associated with all the relevant rules. - - * **Exception items**: The query (fields, values, and logic) used to - prevent rules from generating alerts. When an exception item's query - evaluates to `true`, the rule does not generate an alert. - - - For detection rules, you can also use lists to define rule exceptions. A - list holds multiple values of the same Elasticsearch data type, such as IP - addresses. These values are used to determine when an exception prevents - an alert from being generated. - - > info - - > You cannot use lists with endpoint rule exceptions. - - - > info - - > Only exception containers can be associated with rules. You cannot - directly associate an exception item or a list container with a rule. To - use list exceptions, create an exception item that references the relevant - list container. 
- - - ## Exceptions requirements - - - Before you can start working with exceptions that use value lists, you - must create the `.lists` and `.items` data streams for the relevant Kibana - space. To do this, use the [Create list data - streams](../operation/operation-createlistindex) endpoint. Once these data - streams are created, your role needs privileges to manage rules. For a - complete list of requirements, refer to [Enable and access - detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui). - name: Security Exceptions API - x-displayName: Security exceptions - - description: > - Lists can be used with detection rule exceptions to define values that - prevent a rule from generating alerts. - - - Lists are made up of: - - - * **List containers**: A container for values of the same Elasticsearch - data type. The following data types can be used: - * `boolean` - * `byte` - * `date` - * `date_nanos` - * `date_range` - * `double` - * `double_range` - * `float` - * `float_range` - * `half_float` - * `integer` - * `integer_range` - * `ip` - * `ip_range` - * `keyword` - * `long` - * `long_range` - * `short` - * `text` - * **List items**: The values used to determine whether the exception - prevents an alert from being generated. - - - All list items in the same list container must be of the same data type, - and each item defines a single value. For example, an IP list container - named `internal-ip-addresses-southport` contains five items, where each - item defines one internal IP address: - - 1. `192.168.1.1` - - 2. `192.168.1.3` - - 3. `192.168.1.18` - - 4. `192.168.1.12` - - 5. `192.168.1.7` - - - To use these IP addresses as values for defining rule exceptions, use the - Security exceptions API to [create an exception list - item](../operation/operation-createexceptionlistitem) that references the - `internal-ip-addresses-southport` list. 
- - > info - - > Lists cannot be added directly to rules, nor do they define the - operators used to determine when exceptions are applied (`is in list`, `is - not in list`). Use an exception item to define the operator and associate - it with an [exception - container](../operation/operation-createexceptionlist). You can then add - the exception container to a rule's `exceptions_list` object. - - - ## Lists requirements - - - Before you can start using lists, you must create the `.lists` and - `.items` data streams for the relevant Kibana space. To do this, use the - [Create list data streams](../operation/operation-createlistindex) - endpoint. Once these data streams are created, your role needs privileges - to manage rules. Refer to [Enable and access - detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui) - for a complete list of requirements. - name: Security Lists API - x-displayName: Security lists - - description: Run live queries, manage packs and saved queries. - name: Security Osquery API - x-displayName: Security Osquery - - description: >- - You can create Timelines and Timeline templates via the API, as well as - import new Timelines from an ndjson file. - name: Security Timeline API - x-displayName: Security timeline - - description: Manage Kibana short URLs. - name: short url - x-displayName: Short URLs - - description: SLO APIs enable you to define, manage and track service-level objectives - name: slo - - name: synthetics - - description: System - name: system - - description: >- - Task manager APIs enable you to check the health of the Kibana task - manager, which is used by features such as alerting, actions, and - reporting to run mission critical work as persistent background tasks. 
- externalDocs: - description: Task manager - url: >- - https://www.elastic.co/docs/deploy-manage/distributed-architecture/kibana-tasks-management - name: task manager - x-displayName: Task manager - - description: > - The Kibana Upgrade Assistant API helps you prepare for the next major - Elasticsearch release. +x-topics: + - title: Kibana spaces + content: | + Spaces enable you to organize your dashboards and other saved objects into meaningful categories. + You can use the default space or create your own spaces. - > warn + To run APIs in non-default spaces, you must add `s/{space_id}/` to the path. + For example: - > This is a Kibana REST API (not an Elasticsearch API) and requests must - target your Kibana URL: + ```bash + curl -X GET "http://${KIBANA_URL}/s/marketing/api/data_views" \ + -H "Authorization: ApiKey ${API_KEY}" + ``` - > * Self-managed URL pattern: `https://localhost:5601` + If you use the Kibana console to send API requests, it automatically adds the appropriate space identifier. - > * Elastic Cloud URL pattern: - `https://your-deployment.kb.us-east-1.aws.elastic.cloud:9243` - name: upgrade - x-displayName: Upgrade assistant - - description: Uptime APIs enable you to view and update uptime monitoring settings. - externalDocs: - description: Uptime monitoring - url: https://www.elastic.co/docs/solutions/observability/uptime - name: uptime - x-displayName: Uptime - - name: user session - x-displayName: User session management + To learn more, check out [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces). From 4738539a819cff6a64beeb6b4d2d0ffc6fe1bd23 Mon Sep 17 00:00:00 2001 From: Yara Tercero Date: Wed, 22 Apr 2026 14:23:36 -0700 Subject: [PATCH 04/14] ran generate for lists, detections --- .../set_alert_assignees_route.gen.ts | 9 ++- .../find_rules/find_rules_route.gen.ts | 6 ++ .../common/api/quickstart_client.gen.ts | 66 ++++++++++++++----- 3 files changed, 63 insertions(+), 18 deletions(-) 
diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/alert_assignees/set_alert_assignees_route.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/alert_assignees/set_alert_assignees_route.gen.ts index 0cec0df318866..e7600df370ed2 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/alert_assignees/set_alert_assignees_route.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/alert_assignees/set_alert_assignees_route.gen.ts @@ -14,11 +14,16 @@ * version: 2023-10-31 */ -import type { z } from '@kbn/zod/v4'; -import { lazySchema } from '@kbn/zod/v4'; +import { z, lazySchema } from '@kbn/zod/v4'; import { SetAlertAssigneesBody } from '../model/set_alert_assignees_body.gen'; export const SetAlertAssigneesRequestBody = lazySchema(() => SetAlertAssigneesBody); export type SetAlertAssigneesRequestBody = z.infer; export type SetAlertAssigneesRequestBodyInput = z.input; + +/** + * Elasticsearch update by query or update by IDs response + */ +export const SetAlertAssigneesResponse = lazySchema(() => z.object({}).catchall(z.unknown())); +export type SetAlertAssigneesResponse = z.infer; diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/find_rules/find_rules_route.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/find_rules/find_rules_route.gen.ts index c5343dd68deb0..6b84e426a2488 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/find_rules/find_rules_route.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/find_rules/find_rules_route.gen.ts 
@@ -46,6 +46,12 @@ export const FindRulesSortFieldEnum = FindRulesSortField.enum; export const FindRulesRequestQuery = lazySchema(() => z.object({ + /** + * List of `alert.attributes` field names to return for each rule (for example `name`, `enabled`). +If omitted, the default field set is returned. Repeat the parameter to pass multiple field names, or +use comma-separated values when supported by your client. + + */ fields: ArrayFromString(z.string()).optional(), /** * Search query diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/quickstart_client.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/quickstart_client.gen.ts index be17a724e287f..11ba9723cf99d 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/quickstart_client.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/quickstart_client.gen.ts @@ -20,7 +20,10 @@ import { ELASTIC_HTTP_VERSION_HEADER } from '@kbn/core-http-common'; import { replaceParams } from '@kbn/openapi-common/shared'; import { catchAxiosErrorFormatAndThrow } from '@kbn/securitysolution-utils'; -import type { SetAlertAssigneesRequestBodyInput } from './detection_engine/alert_assignees/set_alert_assignees_route.gen'; +import type { + SetAlertAssigneesRequestBodyInput, + SetAlertAssigneesResponse, +} from './detection_engine/alert_assignees/set_alert_assignees_route.gen'; import type { SetAlertTagsRequestBodyInput, SetAlertTagsResponse, 
@@ -575,13 +578,13 @@ export class Client { this.log = options.log; } /** - * Migrations favor data integrity over shard size. Consequently, unused or orphaned indices are artifacts of -the migration process. A successful migration will result in both the old and new indices being present. -As such, the old, orphaned index can (and likely should) be deleted. + * **DEPRECATED.** Cleanup API for old migration artifacts. Do not add new call sites. +**WARNING:** This schedules deletions; ensure no production reads still point at the source index. -While you can delete these indices manually, -the endpoint accomplishes this task by applying a deletion policy to the relevant index, causing it to be deleted -after 30 days. It also deletes other artifacts specific to the migration implementation. +Migrations favor data integrity over shard size. Consequently, unused or orphaned indices are artifacts of +the migration process. A successful migration can leave both the old and new indices present, so the old +index may be deleted. While you can delete these indices manually, the endpoint applies a deletion policy +to the relevant index, causing it to be deleted after 30 days, and removes other migration-specific artifacts. */ async alertsMigrationCleanup(props: AlertsMigrationCleanupProps) { 
@@ -784,8 +787,12 @@ rules and alerts without calling this API. .catch(catchAxiosErrorFormatAndThrow); } /** - * Initiate a migration of detection alerts. -Migrations are initiated per index. While the process is neither destructive nor interferes with existing data, it may be resource-intensive. As such, it is recommended that you plan your migrations accordingly. + * **DEPRECATED.** Legacy API for on-demand reindexing of old `.siem-signals-*` alert indices. Do not build new +integrations; upgrade the Elastic Stack and rely on product-managed data lifecycle instead. +**WARNING:** Migrations can be resource intensive and should be planned during a maintenance window. + +Initiate a migration of detection alerts. Migrations are initiated per index. The process is not destructive +and should not remove existing data, but it can consume significant cluster resources. Plan capacity accordingly. */ async createAlertsMigration(props: CreateAlertsMigrationProps) { @@ -1085,6 +1092,12 @@ For detailed information on Kibana actions and alerting, and additional API call }) .catch(catchAxiosErrorFormatAndThrow); } + /** + * Permanently deletes the Elastic Security alerts backing index in the current space, including the alerts +stored in it. Use with caution; prefer lifecycle policies or the UI when available. +Call `GET /api/detection_engine/index` first to confirm the index that will be removed. + + */ async deleteAlertsIndex() { this.log.info(`${new Date().toISOString()} Calling API DeleteAlertsIndex`); return this.kbnClient 
@@ -1668,9 +1681,12 @@ The entity will be immediately deleted from the latest index. It will remain av .catch(catchAxiosErrorFormatAndThrow); } /** - * Finalize successful migrations of detection alerts. This replaces the original index's alias with the successfully migrated index's alias. -The endpoint is idempotent; therefore, it can safely be used to poll a given migration and, upon completion, -finalize it. + * **DEPRECATED.** Completes a legacy alert index migration. Do not automate against this in new code. +**WARNING:** Finalizing swaps read aliases; confirm the migration has finished successfully before calling. + +Finalize successful migrations of detection alerts. This replaces the original index's alias with the +successfully migrated index's alias. The endpoint is idempotent, so you can poll until a migration +finishes and then call this operation once. */ async finalizeAlertsMigration(props: FinalizeAlertsMigrationProps) { @@ -2849,6 +2865,12 @@ Requires the **Timeline and Notes** write privilege (`notes_write`). }) .catch(catchAxiosErrorFormatAndThrow); } + /** + * Returns the backing Elasticsearch index for Elastic Security detection alerts in the current space, and +whether its mapping is outdated. Use this to verify that an alert index is provisioned before creating +or running rules that write alerts to it. + + */ async readAlertsIndex() { this.log.info(`${new Date().toISOString()} Calling API ReadAlertsIndex`); return this.kbnClient 
@@ -2862,8 +2884,14 @@ Requires the **Timeline and Notes** write privilege (`notes_write`). .catch(catchAxiosErrorFormatAndThrow); } /** - * Retrieve indices that contain detection alerts of a particular age, along with migration information for each of those indices. - */ + * **DEPRECATED.** This endpoint was used for historical `.siem-signals-*` index migration workflows. Do not use +for new automations; there is no supported replacement in this public API. +**WARNING:** Prefer upgrading through supported Elastic stack upgrades rather than ad-hoc index migrations. + +Retrieves indices that contain detection alerts of a particular age, along with migration information for +each of those indices. + + */ async readAlertsMigrationStatus(props: ReadAlertsMigrationStatusProps) { this.log.info(`${new Date().toISOString()} Calling API ReadAlertsMigrationStatus`); return this.kbnClient @@ -3031,6 +3059,12 @@ The difference between the `id` and `rule_id` is that the `id` is a unique rule }) .catch(catchAxiosErrorFormatAndThrow); } + /** + * Simulates a detection rule using the same rule type and query logic as a persisted rule, over a short +time window, without persisting a rule or writing alerts. Use the response to validate queries, see sample +matching documents, and inspect execution logs. Pair `invocationCount` and `timeframeEnd` to cap run time. + + */ async rulePreview(props: RulePreviewProps) { this.log.info(`${new Date().toISOString()} Calling API RulePreview`); return this.kbnClient @@ -3158,7 +3192,7 @@ The difference between the `id` and `rule_id` is that the `id` is a unique rule async setAlertAssignees(props: SetAlertAssigneesProps) { this.log.info(`${new Date().toISOString()} Calling API SetAlertAssignees`); return this.kbnClient - .request({ + .request({ path: '/api/detection_engine/signals/assignees', headers: { [ELASTIC_HTTP_VERSION_HEADER]: '2023-10-31', 
@@ -3185,7 +3219,7 @@ The difference between the `id` and `rule_id` is that the `id` is a unique rule .catch(catchAxiosErrorFormatAndThrow); } /** - * And tags to detection alerts, and remove them from alerts. + * Add tags to detection alerts, and remove them from alerts, by alert IDs or a query, in a single request. > info > You cannot add and remove the same alert tag in the same request. From 8aa6471f06d994e1c1801b60931c820b2026862a Mon Sep 17 00:00:00 2001 From: Yara Tercero Date: Wed, 22 Apr 2026 14:24:31 -0700 Subject: [PATCH 05/14] ran generate for lists, detections --- .../delete_exception_list.gen.ts | 5 ++ .../delete_exception_list_item.gen.ts | 4 ++ .../duplicate_exception_list.gen.ts | 6 ++ .../export_exception_list.gen.ts | 10 ++++ .../find_exception_list_items.gen.ts | 4 ++ .../read_exception_list.gen.ts | 5 ++ .../read_exception_list_item.gen.ts | 5 ++ .../read_exception_list_summary.gen.ts | 5 ++ .../supertest/detections.gen.ts | 59 ++++++++++++++----- 9 files changed, 89 insertions(+), 14 deletions(-) diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/delete_exception_list/delete_exception_list.gen.ts b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/delete_exception_list/delete_exception_list.gen.ts index e48a3e1d93838..1d7c4ffd2910b 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/delete_exception_list/delete_exception_list.gen.ts +++ b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/delete_exception_list/delete_exception_list.gen.ts 
@@ -33,6 +33,11 @@ export const DeleteExceptionListRequestQuery = lazySchema(() => * Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified. */ list_id: ExceptionListHumanId.optional(), + /** + * `single` deletes the list in the current Kibana space; `agnostic` deletes a global list. Must match the +list you are removing when using `list_id` or `id`. + + */ namespace_type: ExceptionNamespaceType.optional().default('single'), }) ); diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/delete_exception_list_item/delete_exception_list_item.gen.ts b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/delete_exception_list_item/delete_exception_list_item.gen.ts index f3962ad4f689c..227a141523afa 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/delete_exception_list_item/delete_exception_list_item.gen.ts +++ b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/delete_exception_list_item/delete_exception_list_item.gen.ts @@ -33,6 +33,10 @@ export const DeleteExceptionListItemRequestQuery = lazySchema(() => * Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified */ item_id: ExceptionListItemHumanId.optional(), + /** + * `single` deletes the item in the current Kibana space; `agnostic` deletes an item in a space-agnostic list. Must match the list that owns the item. + + */ namespace_type: ExceptionNamespaceType.optional().default('single'), }) ); diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/duplicate_exception_list/duplicate_exception_list.gen.ts b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/duplicate_exception_list/duplicate_exception_list.gen.ts index eaa504627bb73..3b497483d74b9 100644 
--- a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/duplicate_exception_list/duplicate_exception_list.gen.ts +++ b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/duplicate_exception_list/duplicate_exception_list.gen.ts @@ -24,7 +24,13 @@ import { export const DuplicateExceptionListRequestQuery = lazySchema(() => z.object({ + /** + * The `list_id` of the existing exception list to copy (source list). + */ list_id: ExceptionListHumanId, + /** + * Scope in which the source list is defined (`single` = current space, `agnostic` = all spaces). + */ namespace_type: ExceptionNamespaceType, /** * Determines whether to include expired exceptions in the duplicated list. Expiration date defined by `expire_time`. diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/export_exception_list/export_exception_list.gen.ts b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/export_exception_list/export_exception_list.gen.ts index c0bf4523a8671..84d81dea3d7d0 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/export_exception_list/export_exception_list.gen.ts +++ b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/export_exception_list/export_exception_list.gen.ts 
@@ -24,8 +24,18 @@ import { export const ExportExceptionListRequestQuery = lazySchema(() => z.object({ + /** + * Exception list's internal `id` (UUID) returned on create; use with `list_id` and `namespace_type` for an unambiguous target. + */ id: ExceptionListId, + /** + * Human-readable `list_id` of the exception list to export, as shown in the UI and API responses. + */ list_id: ExceptionListHumanId, + /** + * `single` exports a list in the current Kibana space; `agnostic` exports a global (space-agnostic) list. + + */ namespace_type: ExceptionNamespaceType, /** * Determines whether to include expired exceptions in the exported list. Expiration date defined by `expire_time`. diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/find_exception_list_items/find_exception_list_items.gen.ts b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/find_exception_list_items/find_exception_list_items.gen.ts index 8e3532c60f8de..a79ec42caaee5 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/find_exception_list_items/find_exception_list_items.gen.ts +++ b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/find_exception_list_items/find_exception_list_items.gen.ts @@ -45,6 +45,10 @@ or available in all spaces (`agnostic` or `single`) */ namespace_type: ArrayFromString(ExceptionNamespaceType).optional().default(['single']), + /** + * Free-text search term applied to exception list item fields (for example a hostname or file path fragment). + + */ search: z.string().optional(), /** * The page number to return diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/read_exception_list/read_exception_list.gen.ts b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/read_exception_list/read_exception_list.gen.ts index 8b2ae497bc4c9..02b237814096a 100644 
--- a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/read_exception_list/read_exception_list.gen.ts +++ b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/read_exception_list/read_exception_list.gen.ts @@ -33,6 +33,11 @@ export const ReadExceptionListRequestQuery = lazySchema(() => * Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified. */ list_id: ExceptionListHumanId.optional(), + /** + * When `single`, the list is resolved in the current Kibana space. When `agnostic`, the list is a global +(space-agnostic) container. Required for looking up the correct list when `list_id` is not unique. + + */ namespace_type: ExceptionNamespaceType.optional().default('single'), }) ); diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/read_exception_list_item/read_exception_list_item.gen.ts b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/read_exception_list_item/read_exception_list_item.gen.ts index 092febe31abf0..5f23a3cd0aeb2 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/read_exception_list_item/read_exception_list_item.gen.ts +++ b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/read_exception_list_item/read_exception_list_item.gen.ts @@ -33,6 +33,11 @@ export const ReadExceptionListItemRequestQuery = lazySchema(() => * Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified. */ item_id: ExceptionListItemHumanId.optional(), + /** + * `single` fetches the item in the current space; `agnostic` fetches a global (space-agnostic) item. Must +match how the list was created. + + */ namespace_type: ExceptionNamespaceType.optional().default('single'), }) ); 
diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/read_exception_list_summary/read_exception_list_summary.gen.ts b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/read_exception_list_summary/read_exception_list_summary.gen.ts index e801ed6d3b0d0..cda57dc88c0ce 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/read_exception_list_summary/read_exception_list_summary.gen.ts +++ b/x-pack/solutions/security/packages/kbn-securitysolution-exceptions-common/api/read_exception_list_summary/read_exception_list_summary.gen.ts @@ -32,6 +32,11 @@ export const ReadExceptionListSummaryRequestQuery = lazySchema(() => * Exception list's human readable identifier. */ list_id: ExceptionListHumanId.optional(), + /** + * `single` returns summary for a list in the current space; `agnostic` for a space-agnostic list. Must +line up with `id` / `list_id` used to look up the list. + + */ namespace_type: ExceptionNamespaceType.optional().default('single'), /** * Search filter clause diff --git a/x-pack/solutions/security/packages/test-api-clients/supertest/detections.gen.ts b/x-pack/solutions/security/packages/test-api-clients/supertest/detections.gen.ts index 2af13f0308e05..25c7b5137ddc8 100644 --- a/x-pack/solutions/security/packages/test-api-clients/supertest/detections.gen.ts +++ b/x-pack/solutions/security/packages/test-api-clients/supertest/detections.gen.ts 
@@ -65,13 +65,13 @@ import { getRouteUrlForSpace } from '@kbn/spaces-plugin/common'; const securitySolutionApiServiceFactory = (supertest: SuperTest.Agent) => ({ /** - * Migrations favor data integrity over shard size. Consequently, unused or orphaned indices are artifacts of -the migration process. A successful migration will result in both the old and new indices being present. -As such, the old, orphaned index can (and likely should) be deleted. + * **DEPRECATED.** Cleanup API for old migration artifacts. Do not add new call sites. +**WARNING:** This schedules deletions; ensure no production reads still point at the source index. -While you can delete these indices manually, -the endpoint accomplishes this task by applying a deletion policy to the relevant index, causing it to be deleted -after 30 days. It also deletes other artifacts specific to the migration implementation. +Migrations favor data integrity over shard size. Consequently, unused or orphaned indices are artifacts of +the migration process. A successful migration can leave both the old and new indices present, so the old +index may be deleted. While you can delete these indices manually, the endpoint applies a deletion policy +to the relevant index, causing it to be deleted after 30 days, and removes other migration-specific artifacts. */ alertsMigrationCleanup(props: AlertsMigrationCleanupProps, kibanaSpace: string = 'default') { 
@@ -108,8 +108,12 @@ rules and alerts without calling this API. .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana'); }, /** - * Initiate a migration of detection alerts. -Migrations are initiated per index. While the process is neither destructive nor interferes with existing data, it may be resource-intensive. As such, it is recommended that you plan your migrations accordingly. + * **DEPRECATED.** Legacy API for on-demand reindexing of old `.siem-signals-*` alert indices. Do not build new +integrations; upgrade the Elastic Stack and rely on product-managed data lifecycle instead. +**WARNING:** Migrations can be resource intensive and should be planned during a maintenance window. + +Initiate a migration of detection alerts. Migrations are initiated per index. The process is not destructive +and should not remove existing data, but it can consume significant cluster resources. Plan capacity accordingly. */ createAlertsMigration(props: CreateAlertsMigrationProps, kibanaSpace: string = 'default') { @@ -185,6 +189,12 @@ For detailed information on Kibana actions and alerting, and additional API call .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana') .send(props.body as object); }, + /** + * Permanently deletes the Elastic Security alerts backing index in the current space, including the alerts +stored in it. Use with caution; prefer lifecycle policies or the UI when available. +Call `GET /api/detection_engine/index` first to confirm the index that will be removed. + + */ deleteAlertsIndex(kibanaSpace: string = 'default') { return supertest .delete(getRouteUrlForSpace('/api/detection_engine/index', kibanaSpace)) 
@@ -233,9 +243,12 @@ The difference between the `id` and `rule_id` is that the `id` is a unique rule .query(props.query); }, /** - * Finalize successful migrations of detection alerts. This replaces the original index's alias with the successfully migrated index's alias. -The endpoint is idempotent; therefore, it can safely be used to poll a given migration and, upon completion, -finalize it. + * **DEPRECATED.** Completes a legacy alert index migration. Do not automate against this in new code. +**WARNING:** Finalizing swaps read aliases; confirm the migration has finished successfully before calling. + +Finalize successful migrations of detection alerts. This replaces the original index's alias with the +successfully migrated index's alias. The endpoint is idempotent, so you can poll until a migration +finishes and then call this operation once. */ finalizeAlertsMigration(props: FinalizeAlertsMigrationProps, kibanaSpace: string = 'default') { @@ -343,6 +356,12 @@ The edit action is idempotent, meaning that if you add a tag to a rule that alre .send(props.body as object) .query(props.query); }, + /** + * Returns the backing Elasticsearch index for Elastic Security detection alerts in the current space, and +whether its mapping is outdated. Use this to verify that an alert index is provisioned before creating +or running rules that write alerts to it. + + */ readAlertsIndex(kibanaSpace: string = 'default') { return supertest .get(getRouteUrlForSpace('/api/detection_engine/index', kibanaSpace)) 
@@ -351,8 +370,14 @@ The edit action is idempotent, meaning that if you add a tag to a rule that alre .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana'); }, /** - * Retrieve indices that contain detection alerts of a particular age, along with migration information for each of those indices. - */ + * **DEPRECATED.** This endpoint was used for historical `.siem-signals-*` index migration workflows. Do not use +for new automations; there is no supported replacement in this public API. +**WARNING:** Prefer upgrading through supported Elastic stack upgrades rather than ad-hoc index migrations. + +Retrieves indices that contain detection alerts of a particular age, along with migration information for +each of those indices. + + */ readAlertsMigrationStatus( props: ReadAlertsMigrationStatusProps, kibanaSpace: string = 'default' @@ -436,6 +461,12 @@ The difference between the `id` and `rule_id` is that the `id` is a unique rule .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31') .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana'); }, + /** + * Simulates a detection rule using the same rule type and query logic as a persisted rule, over a short +time window, without persisting a rule or writing alerts. Use the response to validate queries, see sample +matching documents, and inspect execution logs. Pair `invocationCount` and `timeframeEnd` to cap run time. + + */ rulePreview(props: RulePreviewProps, kibanaSpace: string = 'default') { return supertest .post(getRouteUrlForSpace('/api/detection_engine/rules/preview', kibanaSpace)) @@ -493,7 +524,7 @@ The difference between the `id` and `rule_id` is that the `id` is a unique rule .send(props.body as object); }, /** - * And tags to detection alerts, and remove them from alerts. + * Add tags to detection alerts, and remove them from alerts, by alert IDs or a query, in a single request. > info > You cannot add and remove the same alert tag in the same request. From 075111ecbffa672c288d7bfbb4f048b1854672f0 Mon Sep 17 00:00:00 2001 
From: Yara Tercero Date: Wed, 22 Apr 2026 14:48:17 -0700 Subject: [PATCH 06/14] did not want to introduce any schema changes --- .../alert_assignees/set_alert_assignees_route.gen.ts | 9 ++------- .../set_alert_assignees_route.schema.yaml | 5 +---- .../common/api/quickstart_client.gen.ts | 7 ++----- ...olution_detections_api_2023_10_31.bundled.schema.yaml | 5 +---- ...olution_detections_api_2023_10_31.bundled.schema.yaml | 5 +---- 5 files changed, 7 insertions(+), 24 deletions(-) diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/alert_assignees/set_alert_assignees_route.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/alert_assignees/set_alert_assignees_route.gen.ts index e7600df370ed2..0cec0df318866 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/alert_assignees/set_alert_assignees_route.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/alert_assignees/set_alert_assignees_route.gen.ts @@ -14,16 +14,11 @@ * version: 2023-10-31 */ -import { z, lazySchema } from '@kbn/zod/v4'; +import type { z } from '@kbn/zod/v4'; +import { lazySchema } from '@kbn/zod/v4'; import { SetAlertAssigneesBody } from '../model/set_alert_assignees_body.gen'; export const SetAlertAssigneesRequestBody = lazySchema(() => SetAlertAssigneesBody); export type SetAlertAssigneesRequestBody = z.infer; export type SetAlertAssigneesRequestBodyInput = z.input; - -/** - * Elasticsearch update by query or update by IDs response - */ -export const SetAlertAssigneesResponse = lazySchema(() => z.object({}).catchall(z.unknown())); -export type SetAlertAssigneesResponse = z.infer; 
diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/alert_assignees/set_alert_assignees_route.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/alert_assignees/set_alert_assignees_route.schema.yaml index f8b54ffb15455..2b2eeb63c8db3 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/alert_assignees/set_alert_assignees_route.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/alert_assignees/set_alert_assignees_route.schema.yaml @@ -32,10 +32,7 @@ paths: description: Indicates a successful call. content: application/json: - schema: - type: object - additionalProperties: true - description: Elasticsearch update by query or update by IDs response + description: Elasticsearch update by query or update by IDs response examples: add: value: diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/quickstart_client.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/quickstart_client.gen.ts index 11ba9723cf99d..2fa2d404e632c 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/quickstart_client.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/quickstart_client.gen.ts @@ -20,10 +20,7 @@ import { ELASTIC_HTTP_VERSION_HEADER } from '@kbn/core-http-common'; import { replaceParams } from '@kbn/openapi-common/shared'; import { catchAxiosErrorFormatAndThrow } from '@kbn/securitysolution-utils'; -import type { - SetAlertAssigneesRequestBodyInput, - SetAlertAssigneesResponse, -} from './detection_engine/alert_assignees/set_alert_assignees_route.gen'; +import type { SetAlertAssigneesRequestBodyInput } from './detection_engine/alert_assignees/set_alert_assignees_route.gen'; import type { SetAlertTagsRequestBodyInput, SetAlertTagsResponse, 
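Review bot: The `description` the hunk leaves directly under `application/json` is not a field of the OpenAPI Media Type Object (its fixed fields are `schema`, `example`, `examples` and `encoding`), so spec validators will report an unknown property and documentation renderers will not show the text; the two bundled schema hunks later in this patch reproduce the same placement. The enclosing `200` Response Object, which starts above the hunk, already carries `description: Indicates a successful call.`, and that is where this sentence belongs, for example `description: Indicates a successful call. The body is the Elasticsearch update by query or update by IDs response.`, leaving `application/json` with only the `examples` block. With the `schema` removed the success body is now untyped for clients and bundlers, which appears to be the intent of this commit; if that is deliberate it is worth stating in the response description so consumers do not infer a contract from the examples alone.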
@@ -3192,7 +3189,7 @@ matching documents, and inspect execution logs. Pair `invocationCount` and `time async setAlertAssignees(props: SetAlertAssigneesProps) { this.log.info(`${new Date().toISOString()} Calling API SetAlertAssignees`); return this.kbnClient - .request({ + .request({ path: '/api/detection_engine/signals/assignees', headers: { [ELASTIC_HTTP_VERSION_HEADER]: '2023-10-31', diff --git a/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml b/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml index da18a8150dcd8..b2630bfbfeb9a 100644 --- a/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml @@ -3847,6 +3847,7 @@ paths: '200': content: application/json: + description: Elasticsearch update by query or update by IDs response examples: add: value: @@ -3865,10 +3866,6 @@ paths: total: 1 updated: 1 version_conflicts: 0 - schema: - additionalProperties: true - description: Elasticsearch update by query or update by IDs response - type: object description: Indicates a successful call. '400': content: diff --git a/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml b/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml index 44d6eb40cfe2c..744ddd6caba33 100644 --- a/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml 
+++ b/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml @@ -3459,6 +3459,7 @@ paths: '200': content: application/json: + description: Elasticsearch update by query or update by IDs response examples: add: value: @@ -3477,10 +3478,6 @@ paths: total: 1 updated: 1 version_conflicts: 0 - schema: - additionalProperties: true - description: Elasticsearch update by query or update by IDs response - type: object description: Indicates a successful call. '400': content: From 3953a14f2bb04dcb3afa0c759bbd140da291b5b2 Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Wed, 22 Apr 2026 22:28:24 +0000 Subject: [PATCH 07/14] Changes from yarn openapi:generate --- .../api/delete_list/delete_list.gen.ts | 3 +++ .../api/find_list_items/find_list_items.gen.ts | 7 +++++++ .../api/quickstart_client.gen.ts | 16 ++++++++++++++-- .../api/read_list/read_list.gen.ts | 3 +++ .../test-api-clients/supertest/lists.gen.ts | 16 ++++++++++++++-- 5 files changed, 41 insertions(+), 4 deletions(-) diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/delete_list/delete_list.gen.ts b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/delete_list/delete_list.gen.ts index fe4900d4cb926..41d6e1bcac2f2 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/delete_list/delete_list.gen.ts +++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/delete_list/delete_list.gen.ts @@ -22,6 +22,9 @@ import { List } from '../model/list_schemas.gen'; export const DeleteListRequestQuery = lazySchema(() => z.object({ + /** + * Value list identifier to delete, including all of its list items. + */ id: ListId, /** * Determines whether exception items referencing this value list should be deleted. 
diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/find_list_items/find_list_items.gen.ts b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/find_list_items/find_list_items.gen.ts index 3a0e95f7ec132..cf8e25a3c619c 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/find_list_items/find_list_items.gen.ts +++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/find_list_items/find_list_items.gen.ts @@ -33,6 +33,9 @@ export type FindListItemsFilter = z.infer; export const FindListItemsRequestQuery = lazySchema(() => z.object({ + /** + * Parent value list's `id` to page through items for. + */ list_id: ListId, /** * The page number to return. @@ -50,6 +53,10 @@ export const FindListItemsRequestQuery = lazySchema(() => * Determines the sort order, which can be `desc` or `asc` */ sort_order: z.enum(['desc', 'asc']).optional(), + /** + * Opaque cursor returned in a previous response; pass it to continue listing from the next page. Omit on the first request. + + */ cursor: FindListItemsCursor.optional(), /** * Filters the returned results according to the value of the specified field, diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/quickstart_client.gen.ts b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/quickstart_client.gen.ts index 26fc8953b07f7..a139c71ed8477 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/quickstart_client.gen.ts +++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/quickstart_client.gen.ts 
@@ -92,8 +92,14 @@ export class Client { .catch(catchAxiosErrorFormatAndThrow); } /** - * Create `.lists` and `.items` data streams in the relevant space. - */ + * **DEPRECATED.** `deprecated: true` is set on this operation. Value list backing data streams for the space +are now created as part of supported workflows; calling this explicitly is rarely required. +**WARNING:** Do not use for new integrations. Prefer the UI or the list and list-item APIs after confirming +indices exist with `GET /api/lists/index`. + +Creates the `.lists` and `.items` data streams in the current Kibana space. + + */ async createListIndex() { this.log.info(`${new Date().toISOString()} Calling API CreateListIndex`); return this.kbnClient @@ -331,6 +337,12 @@ You can import items to a new or existing list. }) .catch(catchAxiosErrorFormatAndThrow); } + /** + * Returns the caller's authentication state and the Elasticsearch `cluster`, `index`, and `application` +privileges for `.lists` and `.items` data streams in the current Kibana space. Use this to decide which list +APIs (`read` vs `all` operations) are available before you create or import lists. + + */ async readListPrivileges() { this.log.info(`${new Date().toISOString()} Calling API ReadListPrivileges`); return this.kbnClient diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/read_list/read_list.gen.ts b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/read_list/read_list.gen.ts index 6abb4243af8e0..5d4605c988833 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/read_list/read_list.gen.ts +++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/read_list/read_list.gen.ts @@ -21,6 +21,9 @@ import { List } from '../model/list_schemas.gen'; export const ReadListRequestQuery = lazySchema(() => z.object({ + /** + * Value list identifier (`id`) returned when the list was created. + */ id: ListId, }) ); 
diff --git a/x-pack/solutions/security/packages/test-api-clients/supertest/lists.gen.ts b/x-pack/solutions/security/packages/test-api-clients/supertest/lists.gen.ts index 4be0818f8a5fc..0e2302127a8c7 100644 --- a/x-pack/solutions/security/packages/test-api-clients/supertest/lists.gen.ts +++ b/x-pack/solutions/security/packages/test-api-clients/supertest/lists.gen.ts @@ -53,8 +53,14 @@ const securitySolutionApiServiceFactory = (supertest: SuperTest.Agent) => ({ .send(props.body as object); }, /** - * Create `.lists` and `.items` data streams in the relevant space. - */ + * **DEPRECATED.** `deprecated: true` is set on this operation. Value list backing data streams for the space +are now created as part of supported workflows; calling this explicitly is rarely required. +**WARNING:** Do not use for new integrations. Prefer the UI or the list and list-item APIs after confirming +indices exist with `GET /api/lists/index`. + +Creates the `.lists` and `.items` data streams in the current Kibana space. + + */ createListIndex(kibanaSpace: string = 'default') { return supertest .post(getRouteUrlForSpace('/api/lists/index', kibanaSpace)) @@ -214,6 +220,12 @@ You can import items to a new or existing list. .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana') .query(props.query); }, + /** + * Returns the caller's authentication state and the Elasticsearch `cluster`, `index`, and `application` +privileges for `.lists` and `.items` data streams in the current Kibana space. Use this to decide which list +APIs (`read` vs `all` operations) are available before you create or import lists. + + */ readListPrivileges(kibanaSpace: string = 'default') { return supertest .get(getRouteUrlForSpace('/api/lists/privileges', kibanaSpace)) From 2ba2c044d95bfc863aed03894b4d0e9f249c5bd3 Mon Sep 17 00:00:00 2001 
From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Wed, 22 Apr 2026 22:54:47 +0000 Subject: [PATCH 08/14] Changes from make api-docs --- oas_docs/output/kibana.serverless.yaml | 556 ++++++++++++++++-- oas_docs/output/kibana.yaml | 771 ++++++++++++++++++++++--- 2 files changed, 1192 insertions(+), 135 deletions(-) diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml index e4696e257d931..9f5ead270186e 100644 --- a/oas_docs/output/kibana.serverless.yaml +++ b/oas_docs/output/kibana.serverless.yaml @@ -15017,12 +15017,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response 
@@ -15067,6 +15078,36 @@ paths: '200': content: application/json: + examples: + deletedRule: + summary: Response shape after a rule is deleted + value: + actions: [] + created_at: '2020-02-03T11:19:04.259Z' + created_by: elastic + description: Process started by MS Office program in user folder + enabled: false + false_positives: [] + from: now-4200s + id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: MS Office child process + query: event.action:Process* + references: [] + risk_score: 50 + rule_id: process_started_by_ms_office_user_folder + severity: low + tags: + - tag + throttle: null + to: now + type: query + updated_at: '2020-02-03T11:19:04.462Z' + updated_by: elastic + version: 3 schema: $ref: '#/components/schemas/Security_Detections_API_RuleResponse' description: Indicates a successful call. @@ -17307,6 +17348,13 @@ paths: requestBody: content: application/json: + examples: + exportByRuleIds: + summary: Request body to export a subset of rules + value: + objects: + - rule_id: 343580b5-c811-447c-8d2d-2ccf052c6900 + - rule_id: 2938c9fa-53eb-4c04-b79c-33cbf041b18d schema: nullable: true type: object @@ -17328,6 +17376,12 @@ paths: '200': content: application/ndjson: + examples: + sampleNdjson: + value: | + {"rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900","name":"Example rule","type":"query","enabled":true} + {"exception_list":true} + {"export_summary":{"total_rules":1,"exceptions_count":0}} schema: description: | An `.ndjson` file containing the returned rules. 
@@ -17368,7 +17422,11 @@ paths: Retrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page. operationId: FindRules parameters: - - in: query + - description: | + List of `alert.attributes` field names to return for each rule (for example `name`, `enabled`). + If omitted, the default field set is returned. Repeat the parameter to pass multiple field names, or + use comma-separated values when supported by your client. + in: query name: fields required: false schema: @@ -17611,6 +17669,11 @@ paths: requestBody: content: multipart/form-data: + examples: + rulesFile: + summary: Multipart part containing a rule export + value: + file: rules_import.ndjson schema: type: object properties: @@ -17722,6 +17785,30 @@ paths: requestBody: content: application/json: + examples: + addItems: + value: + items: + - description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple schema: example: items: @@ -17856,6 +17943,16 @@ paths: name: product_name /api/detection_engine/rules/preview: post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/preview
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Simulates a detection rule using the same rule type and query logic as a persisted rule, over a short + time window, without persisting a rule or writing alerts. Use the response to validate queries, see sample + matching documents, and inspect execution logs. Pair `invocationCount` and `timeframeEnd` to cap run time. operationId: RulePreview parameters: - description: Enables logging and returning in response ES queries, performed during rule execution @@ -17867,6 +17964,23 @@ paths: requestBody: content: application/json: + examples: + queryRule: + value: + description: Find matching events + from: now-24h + index: + - logs-* + invocationCount: 1 + language: kuery + max_signals: 20 + name: Rule preview + query: 'process.name : *' + risk_score: 25 + severity: low + timeframeEnd: '2025-01-20T12:00:00.000Z' + to: now + type: query schema: anyOf: - allOf: @@ -17895,12 +18009,26 @@ paths: - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' discriminator: propertyName: type - description: An object containing tags to add or remove and alert ids the changes will be applied + description: | + Rule create payload (same shape as `POST /api/detection_engine/rules` for a given `type`) plus + `invocationCount` and `timeframeEnd` to control how the preview is executed. Optional + `enable_logged_requests` surfaces Elasticsearch request logging for debugging. required: true responses: '200': content: application/json: + examples: + success: + value: + isAborted: false + logs: + - duration: 45 + errors: [] + requests: [] + startedAt: '2025-01-20T10:00:00.000Z' + warnings: [] + previewId: 7f1c9d1e-4c8a-4a3e-9a5d-0d4f6e1b2a90 schema: type: object properties: 
@@ -17918,6 +18046,12 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].timeframeEnd: expected string, received null' + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' @@ -17926,12 +18060,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response @@ -17941,12 +18086,6 @@ paths: x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/detection_engine/rules/preview
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/detection_engine/signals/assignees: post: description: | 
@@ -17970,32 +18109,81 @@ paths: $ref: '#/components/examples/Security_Detections_API_SetAlertAssigneesBodyRemove' schema: $ref: '#/components/schemas/Security_Detections_API_SetAlertAssigneesBody' + description: User profile IDs to add or remove on each listed alert document ID. required: true responses: '200': content: - application/ndjson: + application/json: + description: Elasticsearch update by query or update by IDs response examples: add: value: - batches: 1, - deleted: 0, + batches: 1 + deleted: 0 failures: [] - noops: 0, - requests_per_second: '-1,' + noops: 0 + requests_per_second: -1 retries: - - bulk: 0, - - search: 0 - throttled_millis: 0, - throttled_until_millis: 0, - timed_out: false, - took: 76, - total: 1, - updated: 1, - version_conflicts: 0, + bulk: 0 + search: 0 + throttled_millis: 0 + throttled_until_millis: 0 + timed_out: false + took: 76 + total: 1 + updated: 1 + version_conflicts: 0 description: Indicates a successful call. '400': - description: Invalid request. 
+ content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].ids: at least one alert id is required to update assignees' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/detection_engine/signals/assignees] is unauthorized for the current user, this action is granted by the Kibana Security Solution privileges for cases and detections + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response summary: Assign and unassign users from detection alerts tags: - Security Detections API @@ -18087,6 +18275,12 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: 'Failed to parse search request: unknown query clause in bool filter' + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' 
@@ -18095,12 +18289,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response @@ -18214,6 +18419,12 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].signal_ids: at least one alert id is required to update status' + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' @@ -18222,12 +18433,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response 
@@ -18246,7 +18468,7 @@ paths: Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - And tags to detection alerts, and remove them from alerts. + Add tags to detection alerts, and remove them from alerts, by alert IDs or a query, in a single request. > info > You cannot add and remove the same alert tag in the same request. operationId: SetAlertTags @@ -18292,6 +18514,12 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].tags: cannot add and remove the same tag in a single request' + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' @@ -18300,12 +18528,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response @@ -22605,7 +22844,10 @@ paths: required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - examples: + - description: | + `single` deletes the list in the current Kibana space; `agnostic` deletes a global list. Must match the + list you are removing when using `list_id` or `id`. + examples: agnostic: value: agnostic single: 
@@ -22733,7 +22975,10 @@ paths: required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - examples: + - description: | + When `single`, the list is resolved in the current Kibana space. When `agnostic`, the list is a global + (space-agnostic) container. Required for looking up the correct list when `list_id` is not unique. + examples: agnostic: value: agnostic single: @@ -22853,6 +23098,18 @@ paths: requestBody: content: application/json: + examples: + createDetection: + value: + description: This is a sample detection type exception list. + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + type: detection schema: example: description: This is a sample detection type exception list. @@ -23059,6 +23316,18 @@ paths: requestBody: content: application/json: + examples: + fullReplace: + value: + description: Different description + list_id: simple_list + name: Updated exception list name + os_types: + - linux + tags: + - draft + - malware + type: detection schema: example: description: Different description @@ -23207,12 +23476,14 @@ paths: Duplicate an existing exception list. operationId: DuplicateExceptionList parameters: - - in: query + - description: The `list_id` of the existing exception list to copy (source list). + in: query name: list_id required: true schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - examples: + - description: Scope in which the source list is defined (`single` = current space, `agnostic` = all spaces). + examples: agnostic: value: agnostic single: 
@@ -23304,14 +23575,19 @@ paths: examples: notFound: value: - message": 'exception list id: "foo" does not exist' - status_code": 404 + message: 'exception list id: "foo" does not exist' + status_code: 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Exception list not found '405': content: application/json: + examples: + notAllowed: + value: + message: 'Cannot duplicate: list is immutable or the operation is not allowed in this state' + status_code: 405 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list to duplicate not found response @@ -23344,17 +23620,21 @@ paths: Export an exception list and its associated items to an NDJSON file. operationId: ExportExceptionList parameters: - - in: query + - description: Exception list's internal `id` (UUID) returned on create; use with `list_id` and `namespace_type` for an unambiguous target. + in: query name: id required: true schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - in: query + - description: Human-readable `list_id` of the exception list to export, as shown in the UI and API responses. + in: query name: list_id required: true schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - examples: + - description: | + `single` exports a list in the current Kibana space; `agnostic` exports a global (space-agnostic) list. + examples: agnostic: value: agnostic single: @@ -23671,6 +23951,10 @@ paths: requestBody: content: multipart/form-data: + examples: + ndjsonUpload: + value: + file: exception_lists.ndjson schema: type: object properties: 
@@ -23746,6 +24030,12 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: Multipart part `file` is required and must contain a valid .ndjson exception list export + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' @@ -23816,7 +24106,9 @@ paths: required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' - - examples: + - description: | + `single` deletes the item in the current Kibana space; `agnostic` deletes an item in a space-agnostic list. Must match the list that owns the item. + examples: agnostic: value: agnostic single: @@ -23868,11 +24160,13 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 schema: - example: - error: Bad Request - message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' - statusCode: 400 oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' @@ -23952,7 +24246,10 @@ paths: required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' - - examples: + - description: | + `single` fetches the item in the current space; `agnostic` fetches a global (space-agnostic) item. Must + match how the list was created. + examples: agnostic: value: agnostic single: 
@@ -24082,6 +24379,23 @@ paths: requestBody: content: application/json: + examples: + simpleItem: + value: + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemGeneric' @@ -24367,6 +24681,14 @@ paths: requestBody: content: application/json: + examples: + updateItem: + value: + description: Updated description + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + name: Updated name + namespace_type: single + type: simple schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemGeneric' @@ -24532,7 +24854,9 @@ paths: items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' type: array - - in: query + - description: | + Free-text search term applied to exception list item fields (for example a hostname or file path fragment). + in: query name: search required: false schema: @@ -24724,7 +25048,10 @@ paths: required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - examples: + - description: | + `single` returns summary for a list in the current space; `agnostic` for a space-agnostic list. Must + line up with `id` / `list_id` used to look up the list. + examples: agnostic: value: agnostic single: @@ -57184,7 +57511,8 @@ paths: > When you delete a list, all of its list items are also deleted. operationId: DeleteList parameters: - - in: query + - description: Value list identifier to delete, including all of its list items. + in: query name: id required: true schema: 
@@ -57305,7 +57633,8 @@ paths: Get the details of a value list using the list ID. operationId: ReadList parameters: - - in: query + - description: Value list identifier (`id`) returned when the list was created. + in: query name: id required: true schema: @@ -57412,6 +57741,11 @@ paths: requestBody: content: application/json: + examples: + patchName: + value: + id: ip_list + name: Bad ips list - UPDATED schema: example: id: ip_list @@ -57732,6 +58066,12 @@ paths: requestBody: content: application/json: + examples: + replaceList: + value: + description: Latest list of bad ips + id: ip_list + name: Bad ips - updated schema: example: description: Latest list of bad ips @@ -58028,6 +58368,10 @@ paths: '200': content: application/json: + examples: + acknowledged: + value: + acknowledged: true schema: type: object properties: @@ -58039,6 +58383,11 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + message: 'Unable to delete value list data streams: invalid or missing index metadata' + status_code: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' @@ -58059,12 +58408,23 @@ paths: '403': content: application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/lists/index] is not authorized; lists-all (or equivalent) is required to delete data streams + statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: + examples: + notFound: + value: + message: The value list data stream was not found in this space + status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List data stream not found response @@ -58099,6 +58459,11 @@ paths: '200': content: application/json: + examples: + bothExist: + value: + list_index: true + list_item_index: true schema: type: object properties: 
@@ -58113,6 +58478,11 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + message: Unable to read value list data stream status for this space + status_code: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' @@ -58133,12 +58503,23 @@ paths: '403': content: application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/lists/index] is not authorized; list read permissions are required + statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: + examples: + notFound: + value: + message: Value list backing indices were not found for this space + status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List data stream(s) not found response @@ -58161,19 +58542,28 @@ paths: name: product_name post: deprecated: true - description: |- + description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/lists/index
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Create `.lists` and `.items` data streams in the relevant space. + **DEPRECATED.** `deprecated: true` is set on this operation. Value list backing data streams for the space + are now created as part of supported workflows; calling this explicitly is rarely required. + **WARNING:** Do not use for new integrations. Prefer the UI or the list and list-item APIs after confirming + indices exist with `GET /api/lists/index`. + + Creates the `.lists` and `.items` data streams in the current Kibana space. operationId: CreateListIndex responses: '200': content: application/json: + examples: + acknowledged: + value: + acknowledged: true schema: type: object properties: @@ -58185,6 +58575,11 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + message: Indices exist but the request could not be completed for the current space. Check that Elasticsearch and Kibana privileges allow index creation for lists. + status_code: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' @@ -58206,6 +58601,12 @@ paths: '403': content: application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/lists/index] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response @@ -58503,6 +58904,11 @@ paths: requestBody: content: application/json: + examples: + changeValue: + value: + id: pd1WRJQBs4HAK3VQeHFI + value: 255.255.255.255 schema: example: id: pd1WRJQBs4HAK3VQeHFI 
@@ -58807,10 +59213,15 @@ paths: requestBody: content: application/json: - example: - id: ip_item - value: 255.255.255.255 + examples: + fullReplace: + value: + id: ip_item + value: 255.255.255.255 schema: + example: + id: ip_item + value: 255.255.255.255 type: object properties: _version: @@ -58935,6 +59346,12 @@ paths: '200': content: application/ndjson: + examples: + ipLines: + value: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 schema: description: A `.txt` file containing list items from the specified list example: | @@ -58990,6 +59407,11 @@ paths: '404': content: application/json: + examples: + notFound: + value: + message: 'list id: "unknown_list" not found' + status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List not found response @@ -59022,7 +59444,8 @@ paths: Get all value list items in the specified list. operationId: FindListItems parameters: - - in: query + - description: Parent value list's `id` to page through items for. + in: query name: list_id required: true schema: @@ -59060,7 +59483,9 @@ paths: - asc example: asc type: string - - in: query + - description: | + Opaque cursor returned in a previous response; pass it to continue listing from the next page. Omit on the first request. + in: query name: cursor required: false schema: @@ -59225,6 +59650,10 @@ paths: requestBody: content: multipart/form-data: + examples: + ipLinesFile: + value: + file: list_values.txt schema: type: object properties: @@ -59306,6 +59735,11 @@ paths: '409': content: application/json: + examples: + notFound: + value: + message: List with the specified list_id does not exist, create the list or fix list_id to import to an existing one + status_code: 409 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List with specified list_id does not exist response 
@@ -59328,6 +59762,16 @@ paths: name: product_name /api/lists/privileges: get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/privileges
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the caller's authentication state and the Elasticsearch `cluster`, `index`, and `application` + privileges for `.lists` and `.items` data streams in the current Kibana space. Use this to decide which list + APIs (`read` vs `all` operations) are available before you create or import lists. operationId: ReadListPrivileges responses: '200': @@ -59418,6 +59862,12 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: 'Unable to resolve list privileges: invalid or missing space context for this request' + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' @@ -59464,12 +59914,6 @@ paths: x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/lists/privileges
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/maintenance_window: post: description: |- diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index 4d9f56d69aad5..072478a993e93 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml @@ -16893,11 +16893,25 @@ paths: name: product_name /api/detection_engine/index: delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/detection_engine/index
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Permanently deletes the Elastic Security alerts backing index in the current space, including the alerts + stored in it. Use with caution; prefer lifecycle policies or the UI when available. + Call `GET /api/detection_engine/index` first to confirm the index that will be removed. operationId: DeleteAlertsIndex responses: '200': content: application/json: + examples: + acknowledged: + value: + acknowledged: true schema: type: object properties: @@ -16909,24 +16923,45 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: + examples: + forbidden: + value: + message: API [DELETE /api/detection_engine/index] is unauthorized for the current user. The user needs alerts management permissions for the space. + status_code: 403 schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Not enough permissions response '404': content: application/json: + examples: + notFound: + value: + message: The Elastic Security alerts index to delete was not found. + status_code: 404 schema: - type: string + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Index does not exist response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response 
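Review bot: The 404 response of `DELETE /api/detection_engine/index` changes its schema from `type: string` to `$ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'`, which is a contract change in the generated document rather than an added example, and is only correct if the route handler really returns the `{message, status_code}` object instead of a bare string. Please confirm against the handler; if it still returns a string, keep `type: string` and give the example as a plain string. The new description's "including the alerts stored in it" caveat is the right level of warning for a destructive operation; consider making irreversibility explicit with `This operation cannot be undone.`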
@@ -16936,13 +16971,17 @@ paths: x-metaTags: - content: Kibana name: product_name - description: |- + get: + description: | **Spaces method and path for this operation:** -
delete /s/{space_id}/api/detection_engine/index
+
get /s/{space_id}/api/detection_engine/index
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - get: + + Returns the backing Elasticsearch index for Elastic Security detection alerts in the current space, and + whether its mapping is outdated. Use this to verify that an alert index is provisioned before creating + or running rules that write alerts to it. operationId: ReadAlertsIndex responses: '200': @@ -16968,24 +17007,45 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: + examples: + forbidden: + value: + message: API [GET /api/detection_engine/index] is unauthorized for the current user. Check Security and Kibana feature privileges (detection engine / alerts) for the space. + status_code: 403 schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Not enough permissions response '404': content: application/json: + examples: + notFound: + value: + message: Elastic Security alert index is not found for the current space. + status_code: 404 schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Not found '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response @@ -16995,12 +17055,6 @@ paths: x-metaTags: - content: Kibana name: product_name - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/detection_engine/index
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. post: description: | **Spaces method and path for this operation:** @@ -17017,6 +17071,10 @@ paths: '200': content: application/json: + examples: + acknowledged: + value: + acknowledged: true schema: type: object properties: @@ -17028,24 +17086,45 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: + examples: + forbidden: + value: + message: API [POST /api/detection_engine/index] is unauthorized for the current user. The user must be able to create indices for the Elastic Security solution. + status_code: 403 schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Not enough permissions response '404': content: application/json: + examples: + notFound: + value: + message: A prerequisite resource required to create the alerts index was not found. + status_code: 404 schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Not found '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response 
@@ -17123,12 +17202,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response @@ -17173,6 +17263,36 @@ paths: '200': content: application/json: + examples: + deletedRule: + summary: Response shape after a rule is deleted + value: + actions: [] + created_at: '2020-02-03T11:19:04.259Z' + created_by: elastic + description: Process started by MS Office program in user folder + enabled: false + false_positives: [] + from: now-4200s + id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: MS Office child process + query: event.action:Process* + references: [] + risk_score: 50 + rule_id: process_started_by_ms_office_user_folder + severity: low + tags: + - tag + throttle: null + to: now + type: query + updated_at: '2020-02-03T11:19:04.462Z' + updated_by: elastic + version: 3 schema: $ref: '#/components/schemas/Security_Detections_API_RuleResponse' description: Indicates a successful call. @@ -19413,6 +19533,13 @@ paths: requestBody: content: application/json: + examples: + exportByRuleIds: + summary: Request body to export a subset of rules + value: + objects: + - rule_id: 343580b5-c811-447c-8d2d-2ccf052c6900 + - rule_id: 2938c9fa-53eb-4c04-b79c-33cbf041b18d schema: nullable: true type: object 
@@ -19434,6 +19561,12 @@ paths: '200': content: application/ndjson: + examples: + sampleNdjson: + value: | + {"rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900","name":"Example rule","type":"query","enabled":true} + {"exception_list":true} + {"export_summary":{"total_rules":1,"exceptions_count":0}} schema: description: | An `.ndjson` file containing the returned rules. @@ -19474,7 +19607,11 @@ paths: Retrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page. operationId: FindRules parameters: - - in: query + - description: | + List of `alert.attributes` field names to return for each rule (for example `name`, `enabled`). + If omitted, the default field set is returned. Repeat the parameter to pass multiple field names, or + use comma-separated values when supported by your client. + in: query name: fields required: false schema: @@ -19717,6 +19854,11 @@ paths: requestBody: content: multipart/form-data: + examples: + rulesFile: + summary: Multipart part containing a rule export + value: + file: rules_import.ndjson schema: type: object properties: @@ -19828,6 +19970,30 @@ paths: requestBody: content: application/json: + examples: + addItems: + value: + items: + - description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple schema: example: items: @@ -20100,6 +20266,16 @@ paths: name: product_name /api/detection_engine/rules/preview: post: + description: | + **Spaces method and path for this operation:** + +
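Review bot: The `sampleNdjson` lines added for the rules export response (`{"exception_list":true}`, `{"export_summary":{"total_rules":1,"exceptions_count":0}}`) look hand-built rather than taken from an actual export, and the summary line's field names are exactly what importers and scripts key on. Capture the example from a real `POST /api/detection_engine/rules/_export` run, or trim it to the rule line only so the example does not assert a summary-line shape that may not exist.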
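Review bot: The new `fields` parameter description for `FindRules` tells callers they may `use comma-separated values when supported by your client`, but whether `fields=name,enabled` is split is decided by the server's query parsing, not the client; unless the route splits on commas, that request yields a single bogus field name or a validation error. Drop that clause and keep only the form the array schema supports: `Repeat the parameter once per field name, for example fields=name&fields=enabled.`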
post /s/{space_id}/api/detection_engine/rules/preview
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Simulates a detection rule using the same rule type and query logic as a persisted rule, over a short + time window, without persisting a rule or writing alerts. Use the response to validate queries, see sample + matching documents, and inspect execution logs. Pair `invocationCount` and `timeframeEnd` to cap run time. operationId: RulePreview parameters: - description: Enables logging and returning in response ES queries, performed during rule execution @@ -20111,6 +20287,23 @@ paths: requestBody: content: application/json: + examples: + queryRule: + value: + description: Find matching events + from: now-24h + index: + - logs-* + invocationCount: 1 + language: kuery + max_signals: 20 + name: Rule preview + query: 'process.name : *' + risk_score: 25 + severity: low + timeframeEnd: '2025-01-20T12:00:00.000Z' + to: now + type: query schema: anyOf: - allOf: @@ -20139,12 +20332,26 @@ paths: - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' discriminator: propertyName: type - description: An object containing tags to add or remove and alert ids the changes will be applied + description: | + Rule create payload (same shape as `POST /api/detection_engine/rules` for a given `type`) plus + `invocationCount` and `timeframeEnd` to control how the preview is executed. Optional + `enable_logged_requests` surfaces Elasticsearch request logging for debugging. required: true responses: '200': content: application/json: + examples: + success: + value: + isAborted: false + logs: + - duration: 45 + errors: [] + requests: [] + startedAt: '2025-01-20T10:00:00.000Z' + warnings: [] + previewId: 7f1c9d1e-4c8a-4a3e-9a5d-0d4f6e1b2a90 schema: type: object properties: 
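Review bot: The new `RulePreview` description says the preview runs `without persisting a rule or writing alerts`; if the implementation writes preview alerts to a dedicated preview index (separate from the production alerts index) rather than writing nothing, that sentence under-states the side effect and should read `without persisting a rule or writing to the production alerts index`. Please confirm the behaviour against the preview route before publishing, since operators read this text to judge whether a preview leaves data behind. The replaced requestBody description correctly removes the copy-pasted "tags to add or remove" text, and the quoted `timeframeEnd` in the `queryRule` example is right for a timestamp-like scalar.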
@@ -20162,6 +20369,12 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].timeframeEnd: expected string, received null' + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' @@ -20170,12 +20383,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response @@ -20185,12 +20409,6 @@ paths: x-metaTags: - content: Kibana name: product_name - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/detection_engine/rules/preview
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/detection_engine/signals/assignees: post: description: | 
@@ -20214,32 +20432,81 @@ paths: $ref: '#/components/examples/Security_Detections_API_SetAlertAssigneesBodyRemove' schema: $ref: '#/components/schemas/Security_Detections_API_SetAlertAssigneesBody' + description: User profile IDs to add or remove on each listed alert document ID. required: true responses: '200': content: - application/ndjson: + application/json: + description: Elasticsearch update by query or update by IDs response examples: add: value: - batches: 1, - deleted: 0, + batches: 1 + deleted: 0 failures: [] - noops: 0, - requests_per_second: '-1,' + noops: 0 + requests_per_second: -1 retries: - - bulk: 0, - - search: 0 - throttled_millis: 0, - throttled_until_millis: 0, - timed_out: false, - took: 76, - total: 1, - updated: 1, - version_conflicts: 0, + bulk: 0 + search: 0 + throttled_millis: 0 + throttled_until_millis: 0 + timed_out: false + took: 76 + total: 1 + updated: 1 + version_conflicts: 0 description: Indicates a successful call. '400': - description: Invalid request. 
+ content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].ids: at least one alert id is required to update assignees' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/detection_engine/signals/assignees] is unauthorized for the current user, this action is granted by the Kibana Security Solution privileges for cases and detections + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response summary: Assign and unassign users from detection alerts tags: - Security Detections API 
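Review bot: In the `200` response of `POST /api/detection_engine/signals/assignees`, the added `description: Elasticsearch update by query or update by IDs response` sits directly under `application/json:`, but an OpenAPI 3.0 Media Type Object only allows `schema`, `example`, `examples` and `encoding`, so validators will reject the key and renderers will drop it. Move the text into the response-level `description:` (currently `Indicates a successful call.`) or into a `schema:` for this response, which is also missing — the example is now well-formed but nothing declares the shape (`batches`, `updated`, `version_conflicts`, …). The switch from `application/ndjson` to `application/json`, the removal of the stray trailing commas and the change of `retries` from a list to a mapping are correct fixes.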
@@ -20256,13 +20523,21 @@ paths: Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Finalize successful migrations of detection alerts. This replaces the original index's alias with the successfully migrated index's alias. - The endpoint is idempotent; therefore, it can safely be used to poll a given migration and, upon completion, - finalize it. + **DEPRECATED.** Completes a legacy alert index migration. Do not automate against this in new code. + **WARNING:** Finalizing swaps read aliases; confirm the migration has finished successfully before calling. + + Finalize successful migrations of detection alerts. This replaces the original index's alias with the + successfully migrated index's alias. The endpoint is idempotent, so you can poll until a migration + finishes and then call this operation once. operationId: FinalizeAlertsMigration requestBody: content: application/json: + examples: + oneMigration: + value: + migration_ids: + - 924f7c50-505f-11eb-ae0a-3fa2e626a51d schema: example: migration_ids: @@ -20302,6 +20577,12 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].migration_ids: at least one migration id is required to finalize' + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' 
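Review bot: The `FinalizeAlertsMigration` description now opens with a bold `**DEPRECATED.**` banner, but this hunk begins inside the operation and shows no `deprecated: true` flag; the same prose-only banner is added to `AlertsMigrationCleanup` and `CreateAlertsMigration` below, whereas `ReadAlertsMigrationStatus` carries both the flag and the banner. SDK generators, linters and the docs site's deprecation badge key on the flag, not on prose, so add `deprecated: true` next to `operationId` on all three operations if the source schema files do not already set it. The enclosing operation mapping continues outside this hunk.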
@@ -20310,12 +20591,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response 
@@ -20335,17 +20627,22 @@ paths: Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Migrations favor data integrity over shard size. Consequently, unused or orphaned indices are artifacts of - the migration process. A successful migration will result in both the old and new indices being present. - As such, the old, orphaned index can (and likely should) be deleted. + **DEPRECATED.** Cleanup API for old migration artifacts. Do not add new call sites. + **WARNING:** This schedules deletions; ensure no production reads still point at the source index. - While you can delete these indices manually, - the endpoint accomplishes this task by applying a deletion policy to the relevant index, causing it to be deleted - after 30 days. It also deletes other artifacts specific to the migration implementation. + Migrations favor data integrity over shard size. Consequently, unused or orphaned indices are artifacts of + the migration process. A successful migration can leave both the old and new indices present, so the old + index may be deleted. While you can delete these indices manually, the endpoint applies a deletion policy + to the relevant index, causing it to be deleted after 30 days, and removes other migration-specific artifacts. operationId: AlertsMigrationCleanup requestBody: content: application/json: + examples: + cleanupMigrations: + value: + migration_ids: + - 924f7c50-505f-11eb-ae0a-3fa2e626a51d schema: example: migration_ids: @@ -20384,6 +20681,12 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].migration_ids: at least one migration id is required to run cleanup' + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' 
@@ -20392,12 +20695,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response @@ -20416,8 +20730,12 @@ paths: Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Initiate a migration of detection alerts. - Migrations are initiated per index. While the process is neither destructive nor interferes with existing data, it may be resource-intensive. As such, it is recommended that you plan your migrations accordingly. + **DEPRECATED.** Legacy API for on-demand reindexing of old `.siem-signals-*` alert indices. Do not build new + integrations; upgrade the Elastic Stack and rely on product-managed data lifecycle instead. + **WARNING:** Migrations can be resource intensive and should be planned during a maintenance window. + + Initiate a migration of detection alerts. Migrations are initiated per index. The process is not destructive + and should not remove existing data, but it can consume significant cluster resources. Plan capacity accordingly. operationId: CreateAlertsMigration requestBody: content: 
@@ -20471,6 +20789,12 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].index: at least one index name is required to start a migration' + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' @@ -20479,12 +20803,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response @@ -20497,14 +20832,19 @@ paths: /api/detection_engine/signals/migration_status: get: deprecated: true - description: |- + description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/detection_engine/signals/migration_status
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Retrieve indices that contain detection alerts of a particular age, along with migration information for each of those indices. + **DEPRECATED.** This endpoint was used for historical `.siem-signals-*` index migration workflows. Do not use + for new automations; there is no supported replacement in this public API. + **WARNING:** Prefer upgrading through supported Elastic stack upgrades rather than ad-hoc index migrations. + + Retrieves indices that contain detection alerts of a particular age, along with migration information for + each of those indices. operationId: ReadAlertsMigrationStatus parameters: - description: Maximum age of qualifying detection alerts @@ -20559,6 +20899,12 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query].from: expected date-math, received null' + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' @@ -20567,12 +20913,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response 
@@ -20667,6 +21024,12 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: 'Failed to parse search request: unknown query clause in bool filter' + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' @@ -20675,12 +21038,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response @@ -20794,6 +21168,12 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].signal_ids: at least one alert id is required to update status' + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' 
@@ -20802,12 +21182,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response @@ -20826,7 +21217,7 @@ paths: Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - And tags to detection alerts, and remove them from alerts. + Add tags to detection alerts, and remove them from alerts, by alert IDs or a query, in a single request. > info > You cannot add and remove the same alert tag in the same request. operationId: SetAlertTags @@ -20872,6 +21263,12 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].tags: cannot add and remove the same tag in a single request' + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' 
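Review bot: The corrected `SetAlertTags` description now says tags are changed `by alert IDs or a query`; the request body schema is not in this hunk, and if it only accepts an `ids` array with no query clause, "or a query" promises a capability the API does not have. Please check the referenced request body schema and, if there is no query field, use `Add tags to detection alerts, and remove them from alerts, for the alert IDs given in a single request.` The typo fix ("And tags" → "Add tags") is otherwise good.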
@@ -20880,12 +21277,23 @@ paths: '401': content: application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response @@ -25253,7 +25661,10 @@ paths: required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - examples: + - description: | + `single` deletes the list in the current Kibana space; `agnostic` deletes a global list. Must match the + list you are removing when using `list_id` or `id`. + examples: agnostic: value: agnostic single: @@ -25381,7 +25792,10 @@ paths: required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - examples: + - description: | + When `single`, the list is resolved in the current Kibana space. When `agnostic`, the list is a global + (space-agnostic) container. Required for looking up the correct list when `list_id` is not unique. + examples: agnostic: value: agnostic single: @@ -25501,6 +25915,18 @@ paths: requestBody: content: application/json: + examples: + createDetection: + value: + description: This is a sample detection type exception list. + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + type: detection schema: example: description: This is a sample detection type exception list. 
@@ -25707,6 +26133,18 @@ paths: requestBody: content: application/json: + examples: + fullReplace: + value: + description: Different description + list_id: simple_list + name: Updated exception list name + os_types: + - linux + tags: + - draft + - malware + type: detection schema: example: description: Different description @@ -25855,12 +26293,14 @@ paths: Duplicate an existing exception list. operationId: DuplicateExceptionList parameters: - - in: query + - description: The `list_id` of the existing exception list to copy (source list). + in: query name: list_id required: true schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - examples: + - description: Scope in which the source list is defined (`single` = current space, `agnostic` = all spaces). + examples: agnostic: value: agnostic single: @@ -25952,14 +26392,19 @@ paths: examples: notFound: value: - message": 'exception list id: "foo" does not exist' - status_code": 404 + message: 'exception list id: "foo" does not exist' + status_code: 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Exception list not found '405': content: application/json: + examples: + notAllowed: + value: + message: 'Cannot duplicate: list is immutable or the operation is not allowed in this state' + status_code: 405 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list to duplicate not found response 
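Review bot: The new `notAllowed` example for the `405` response of `DuplicateExceptionList` says `Cannot duplicate: list is immutable or the operation is not allowed in this state`, while the response `description` on the following context line still reads `Exception list to duplicate not found response`, so a reader cannot tell which condition yields 405. One of the two is wrong — check what the route returns 405 for and align them, e.g. `description: Exception list cannot be duplicated response` if the example is accurate. The corrected `notFound` example (`message":` → `message:`) fixes a genuine key typo in the 404 example.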
@@ -25992,17 +26437,21 @@ paths: Export an exception list and its associated items to an NDJSON file. operationId: ExportExceptionList parameters: - - in: query + - description: Exception list's internal `id` (UUID) returned on create; use with `list_id` and `namespace_type` for an unambiguous target. + in: query name: id required: true schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - in: query + - description: Human-readable `list_id` of the exception list to export, as shown in the UI and API responses. + in: query name: list_id required: true schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - examples: + - description: | + `single` exports a list in the current Kibana space; `agnostic` exports a global (space-agnostic) list. + examples: agnostic: value: agnostic single: @@ -26319,6 +26768,10 @@ paths: requestBody: content: multipart/form-data: + examples: + ndjsonUpload: + value: + file: exception_lists.ndjson schema: type: object properties: @@ -26394,6 +26847,12 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: Multipart part `file` is required and must contain a valid .ndjson exception list export + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' @@ -26464,7 +26923,9 @@ paths: required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' - - examples: + - description: | + `single` deletes the item in the current Kibana space; `agnostic` deletes an item in a space-agnostic list. Must match the list that owns the item. + examples: agnostic: value: agnostic single: 
@@ -26516,11 +26977,13 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 schema: - example: - error: Bad Request - message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' - statusCode: 400 oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' @@ -26600,7 +27063,10 @@ paths: required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' - - examples: + - description: | + `single` fetches the item in the current space; `agnostic` fetches a global (space-agnostic) item. Must + match how the list was created. + examples: agnostic: value: agnostic single: @@ -26730,6 +27196,23 @@ paths: requestBody: content: application/json: + examples: + simpleItem: + value: + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemGeneric' @@ -27015,6 +27498,14 @@ paths: requestBody: content: application/json: + examples: + updateItem: + value: + description: Updated description + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + name: Updated name + namespace_type: single + type: simple schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemGeneric' 
@@ -27180,7 +27671,9 @@ paths: items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' type: array - - in: query + - description: | + Free-text search term applied to exception list item fields (for example a hostname or file path fragment). + in: query name: search required: false schema: @@ -27372,7 +27865,10 @@ paths: required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - examples: + - description: | + `single` returns summary for a list in the current space; `agnostic` for a space-agnostic list. Must + line up with `id` / `list_id` used to look up the list. + examples: agnostic: value: agnostic single: @@ -60276,7 +60772,8 @@ paths: > When you delete a list, all of its list items are also deleted. operationId: DeleteList parameters: - - in: query + - description: Value list identifier to delete, including all of its list items. + in: query name: id required: true schema: @@ -60397,7 +60894,8 @@ paths: Get the details of a value list using the list ID. operationId: ReadList parameters: - - in: query + - description: Value list identifier (`id`) returned when the list was created. + in: query name: id required: true schema: @@ -60504,6 +61002,11 @@ paths: requestBody: content: application/json: + examples: + patchName: + value: + id: ip_list + name: Bad ips list - UPDATED schema: example: id: ip_list @@ -60824,6 +61327,12 @@ paths: requestBody: content: application/json: + examples: + replaceList: + value: + description: Latest list of bad ips + id: ip_list + name: Bad ips - updated schema: example: description: Latest list of bad ips @@ -61120,6 +61629,10 @@ paths: '200': content: application/json: + examples: + acknowledged: + value: + acknowledged: true schema: type: object properties: 
@@ -61131,6 +61644,11 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + message: 'Unable to delete value list data streams: invalid or missing index metadata' + status_code: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' @@ -61151,12 +61669,23 @@ paths: '403': content: application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/lists/index] is not authorized; lists-all (or equivalent) is required to delete data streams + statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: + examples: + notFound: + value: + message: The value list data stream was not found in this space + status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List data stream not found response @@ -61191,6 +61720,11 @@ paths: '200': content: application/json: + examples: + bothExist: + value: + list_index: true + list_item_index: true schema: type: object properties: @@ -61205,6 +61739,11 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + message: Unable to read value list data stream status for this space + status_code: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' 
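Review bot: The `403` example added in the `@@ -61151` hunk, `API [DELETE /api/lists/index] is not authorized; lists-all (or equivalent) is required to delete data streams`, and the matching one for `GET` in `@@ -61225`, use a different, apparently hand-written phrasing from the `POST` example in `@@ -61298`, which follows the format Kibana's authorization layer actually emits (`API [...] is unauthorized for user, this action is granted by the Kibana privileges [...]`). Examples of error bodies are what integrators match on, so all three should use the real format: `message: API [DELETE /api/lists/index] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]` (and the `GET` equivalent with the privilege the route really requires). The `400` and `404` messages in the same hunks (`Unable to delete value list data streams: ...`, `The value list data stream was not found in this space`) also look composed; if they are not copied from the handlers, I would capture them from a live response or trim them to the schema's `SiemErrorResponse` shape without inventing text.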
@@ -61225,12 +61764,23 @@ paths: '403': content: application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/lists/index] is not authorized; list read permissions are required + statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: + examples: + notFound: + value: + message: Value list backing indices were not found for this space + status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List data stream(s) not found response @@ -61253,19 +61803,28 @@ paths: name: product_name post: deprecated: true - description: |- + description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/lists/index
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Create `.lists` and `.items` data streams in the relevant space. + **DEPRECATED.** `deprecated: true` is set on this operation. Value list backing data streams for the space + are now created as part of supported workflows; calling this explicitly is rarely required. + **WARNING:** Do not use for new integrations. Prefer the UI or the list and list-item APIs after confirming + indices exist with `GET /api/lists/index`. + + Creates the `.lists` and `.items` data streams in the current Kibana space. operationId: CreateListIndex responses: '200': content: application/json: + examples: + acknowledged: + value: + acknowledged: true schema: type: object properties: @@ -61277,6 +61836,11 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + message: Indices exist but the request could not be completed for the current space. Check that Elasticsearch and Kibana privileges allow index creation for lists. + status_code: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' @@ -61298,6 +61862,12 @@ paths: '403': content: application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/lists/index] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response @@ -61595,6 +62165,11 @@ paths: requestBody: content: application/json: + examples: + changeValue: + value: + id: pd1WRJQBs4HAK3VQeHFI + value: 255.255.255.255 schema: example: id: pd1WRJQBs4HAK3VQeHFI 
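Review bot: In the `@@ -61253` hunk the new `CreateListIndex` description contains the sentence "`deprecated: true` is set on this operation.", which merely restates the `deprecated: true` key two lines above it and is then copied verbatim into the client JSDoc in `quickstart_client.gen.ts` and `lists.gen.ts`, where no such flag exists and the sentence is meaningless. Keep the leading `**DEPRECATED.**` and drop that sentence; the `**WARNING:**` paragraph already tells readers what to do instead. "Value list backing data streams for the space are now created as part of supported workflows" is vague: if a specific replacement exists (a UI flow or an API that creates them on demand), name it; if not, say that the data streams are created automatically and leave it at that. This hunk also switches `description: |-` to `description: |`, which adds the trailing newline visible as the blank line in those generated comments; `|-` should be kept.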
@@ -61899,10 +62474,15 @@ paths: requestBody: content: application/json: - example: - id: ip_item - value: 255.255.255.255 + examples: + fullReplace: + value: + id: ip_item + value: 255.255.255.255 schema: + example: + id: ip_item + value: 255.255.255.255 type: object properties: _version: @@ -62027,6 +62607,12 @@ paths: '200': content: application/ndjson: + examples: + ipLines: + value: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 schema: description: A `.txt` file containing list items from the specified list example: | @@ -62082,6 +62668,11 @@ paths: '404': content: application/json: + examples: + notFound: + value: + message: 'list id: "unknown_list" not found' + status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List not found response @@ -62114,7 +62705,8 @@ paths: Get all value list items in the specified list. operationId: FindListItems parameters: - - in: query + - description: Parent value list's `id` to page through items for. + in: query name: list_id required: true schema: @@ -62152,7 +62744,9 @@ paths: - asc example: asc type: string - - in: query + - description: | + Opaque cursor returned in a previous response; pass it to continue listing from the next page. Omit on the first request. + in: query name: cursor required: false schema: @@ -62317,6 +62911,10 @@ paths: requestBody: content: multipart/form-data: + examples: + ipLinesFile: + value: + file: list_values.txt schema: type: object properties: @@ -62398,6 +62996,11 @@ paths: '409': content: application/json: + examples: + notFound: + value: + message: List with the specified list_id does not exist, create the list or fix list_id to import to an existing one + status_code: 409 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List with specified list_id does not exist response 
@@ -62420,6 +63023,16 @@ paths: name: product_name /api/lists/privileges: get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/privileges
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the caller's authentication state and the Elasticsearch `cluster`, `index`, and `application` + privileges for `.lists` and `.items` data streams in the current Kibana space. Use this to decide which list + APIs (`read` vs `all` operations) are available before you create or import lists. operationId: ReadListPrivileges responses: '200': @@ -62510,6 +63123,12 @@ paths: '400': content: application/json: + examples: + badRequest: + value: + error: Bad Request + message: 'Unable to resolve list privileges: invalid or missing space context for this request' + statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' @@ -62556,12 +63175,6 @@ paths: x-metaTags: - content: Kibana name: product_name - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/lists/privileges
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/logstash/pipeline/{id}: delete: description: | From ab08d299cfc5f41939c6a8da17e518529134100e Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Wed, 22 Apr 2026 23:31:15 +0000 Subject: [PATCH 09/14] Changes from capture_oas_snapshot.sh --- .../private/kbn-validate-oas/src/oas_error_baseline.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/platform/packages/private/kbn-validate-oas/src/oas_error_baseline.json b/src/platform/packages/private/kbn-validate-oas/src/oas_error_baseline.json index febe760a7e1aa..0e2b9f312ec78 100644 --- a/src/platform/packages/private/kbn-validate-oas/src/oas_error_baseline.json +++ b/src/platform/packages/private/kbn-validate-oas/src/oas_error_baseline.json @@ -1,4 +1,4 @@ { - "./oas_docs/output/kibana.yaml": 662, - "./oas_docs/output/kibana.serverless.yaml": 595 + "./oas_docs/output/kibana.yaml": 570, + "./oas_docs/output/kibana.serverless.yaml": 531 } \ No newline at end of file From 445fd06c3f87f15f4079258cfdfc5b37122349b7 Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Thu, 23 Apr 2026 13:57:18 +0000 Subject: [PATCH 10/14] Changes from capture_oas_snapshot.sh --- .../private/kbn-validate-oas/src/oas_error_baseline.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/platform/packages/private/kbn-validate-oas/src/oas_error_baseline.json b/src/platform/packages/private/kbn-validate-oas/src/oas_error_baseline.json index 2448594e5fae1..e47f435cecaaa 100644 --- a/src/platform/packages/private/kbn-validate-oas/src/oas_error_baseline.json +++ b/src/platform/packages/private/kbn-validate-oas/src/oas_error_baseline.json 
@@ -1,4 +1,4 @@ { - "./oas_docs/output/kibana.yaml": 628, - "./oas_docs/output/kibana.serverless.yaml": 593 + "./oas_docs/output/kibana.yaml": 536, + "./oas_docs/output/kibana.serverless.yaml": 529 } \ No newline at end of file From dbbcdf7907d0e1935511ee7b7c00bc3d0d932499 Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Thu, 23 Apr 2026 17:48:16 +0000 Subject: [PATCH 11/14] Changes from capture_oas_snapshot.sh --- .../private/kbn-validate-oas/src/oas_error_baseline.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/platform/packages/private/kbn-validate-oas/src/oas_error_baseline.json b/src/platform/packages/private/kbn-validate-oas/src/oas_error_baseline.json index 20fe7d8adfa14..695e874857112 100644 --- a/src/platform/packages/private/kbn-validate-oas/src/oas_error_baseline.json +++ b/src/platform/packages/private/kbn-validate-oas/src/oas_error_baseline.json @@ -1,4 +1,4 @@ { - "./oas_docs/output/kibana.yaml": 583, - "./oas_docs/output/kibana.serverless.yaml": 548 + "./oas_docs/output/kibana.yaml": 491, + "./oas_docs/output/kibana.serverless.yaml": 484 } \ No newline at end of file From bb11922ed1bc0155a2afd34ddab47b9b40b98b04 Mon Sep 17 00:00:00 2001 From: Yara Tercero Date: Fri, 24 Apr 2026 06:27:47 -0700 Subject: [PATCH 12/14] applying PR feedback --- .../api/delete_list/delete_list.gen.ts | 3 +++ .../api/find_list_items/find_list_items.gen.ts | 7 +++++++ .../import_list_items.schema.yaml | 2 +- .../patch_list_item/patch_list_item.schema.yaml | 3 --- .../api/quickstart_client.gen.ts | 16 ++++++++++++++-- .../api/read_list/read_list.gen.ts | 3 +++ ...tion_lists_api_2023_10_31.bundled.schema.yaml | 5 +---- ...tion_lists_api_2023_10_31.bundled.schema.yaml | 5 +---- .../test-api-clients/supertest/lists.gen.ts | 16 ++++++++++++++-- 9 files changed, 44 insertions(+), 16 deletions(-) 
diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/delete_list/delete_list.gen.ts b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/delete_list/delete_list.gen.ts index fe4900d4cb926..41d6e1bcac2f2 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/delete_list/delete_list.gen.ts +++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/delete_list/delete_list.gen.ts @@ -22,6 +22,9 @@ import { List } from '../model/list_schemas.gen'; export const DeleteListRequestQuery = lazySchema(() => z.object({ + /** + * Value list identifier to delete, including all of its list items. + */ id: ListId, /** * Determines whether exception items referencing this value list should be deleted. diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/find_list_items/find_list_items.gen.ts b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/find_list_items/find_list_items.gen.ts index 3a0e95f7ec132..cf8e25a3c619c 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/find_list_items/find_list_items.gen.ts +++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/find_list_items/find_list_items.gen.ts @@ -33,6 +33,9 @@ export type FindListItemsFilter = z.infer; export const FindListItemsRequestQuery = lazySchema(() => z.object({ + /** + * Parent value list's `id` to page through items for. + */ list_id: ListId, /** * The page number to return. 
@@ -50,6 +53,10 @@ export const FindListItemsRequestQuery = lazySchema(() => * Determines the sort order, which can be `desc` or `asc` */ sort_order: z.enum(['desc', 'asc']).optional(), + /** + * Opaque cursor returned in a previous response; pass it to continue listing from the next page. Omit on the first request. + + */ cursor: FindListItemsCursor.optional(), /** * Filters the returned results according to the value of the specified field, diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/import_list_items/import_list_items.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/import_list_items/import_list_items.schema.yaml index ea76299da2690..b73849de31bdc 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/import_list_items/import_list_items.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/import_list_items/import_list_items.schema.yaml @@ -135,7 +135,7 @@ paths: schema: $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse' examples: - notFound: + conflict: value: message: 'List with the specified list_id does not exist, create the list or fix list_id to import to an existing one' status_code: 409 diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/patch_list_item/patch_list_item.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/patch_list_item/patch_list_item.schema.yaml index 373ddf4284802..f237c30d008f6 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/patch_list_item/patch_list_item.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/patch_list_item/patch_list_item.schema.yaml 
@@ -35,9 +35,6 @@ paths: description: Determines when changes made by the request are made visible to search. required: - id - example: - id: pd1WRJQBs4HAK3VQeHFI - value: 255.255.255.255 examples: changeValue: value: diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/quickstart_client.gen.ts b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/quickstart_client.gen.ts index 26fc8953b07f7..a139c71ed8477 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/quickstart_client.gen.ts +++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/quickstart_client.gen.ts @@ -92,8 +92,14 @@ export class Client { .catch(catchAxiosErrorFormatAndThrow); } /** - * Create `.lists` and `.items` data streams in the relevant space. - */ + * **DEPRECATED.** `deprecated: true` is set on this operation. Value list backing data streams for the space +are now created as part of supported workflows; calling this explicitly is rarely required. +**WARNING:** Do not use for new integrations. Prefer the UI or the list and list-item APIs after confirming +indices exist with `GET /api/lists/index`. + +Creates the `.lists` and `.items` data streams in the current Kibana space. + + */ async createListIndex() { this.log.info(`${new Date().toISOString()} Calling API CreateListIndex`); return this.kbnClient @@ -331,6 +337,12 @@ You can import items to a new or existing list. }) .catch(catchAxiosErrorFormatAndThrow); } + /** + * Returns the caller's authentication state and the Elasticsearch `cluster`, `index`, and `application` +privileges for `.lists` and `.items` data streams in the current Kibana space. Use this to decide which list +APIs (`read` vs `all` operations) are available before you create or import lists. + + */ async readListPrivileges() { this.log.info(`${new Date().toISOString()} Calling API ReadListPrivileges`); return this.kbnClient 
diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/read_list/read_list.gen.ts b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/read_list/read_list.gen.ts index 6abb4243af8e0..5d4605c988833 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/read_list/read_list.gen.ts +++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/api/read_list/read_list.gen.ts @@ -21,6 +21,9 @@ import { List } from '../model/list_schemas.gen'; export const ReadListRequestQuery = lazySchema(() => z.object({ + /** + * Value list identifier (`id`) returned when the list was created. + */ id: ListId, }) ); diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/docs/openapi/ess/security_solution_lists_api_2023_10_31.bundled.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/docs/openapi/ess/security_solution_lists_api_2023_10_31.bundled.schema.yaml index 6657918a88935..4093193d90681 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/docs/openapi/ess/security_solution_lists_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/docs/openapi/ess/security_solution_lists_api_2023_10_31.bundled.schema.yaml @@ -1441,9 +1441,6 @@ paths: id: pd1WRJQBs4HAK3VQeHFI value: 255.255.255.255 schema: - example: - id: pd1WRJQBs4HAK3VQeHFI - value: 255.255.255.255 type: object properties: _version: @@ -2297,7 +2294,7 @@ paths: content: application/json: examples: - notFound: + conflict: value: message: >- List with the specified list_id does not exist, create the 
diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/docs/openapi/serverless/security_solution_lists_api_2023_10_31.bundled.schema.yaml b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/docs/openapi/serverless/security_solution_lists_api_2023_10_31.bundled.schema.yaml index c2dc24f87e75b..9ab4f63273b19 100644 --- a/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/docs/openapi/serverless/security_solution_lists_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/solutions/security/packages/kbn-securitysolution-lists-common/docs/openapi/serverless/security_solution_lists_api_2023_10_31.bundled.schema.yaml @@ -1441,9 +1441,6 @@ paths: id: pd1WRJQBs4HAK3VQeHFI value: 255.255.255.255 schema: - example: - id: pd1WRJQBs4HAK3VQeHFI - value: 255.255.255.255 type: object properties: _version: @@ -2297,7 +2294,7 @@ paths: content: application/json: examples: - notFound: + conflict: value: message: >- List with the specified list_id does not exist, create the diff --git a/x-pack/solutions/security/packages/test-api-clients/supertest/lists.gen.ts b/x-pack/solutions/security/packages/test-api-clients/supertest/lists.gen.ts index 4be0818f8a5fc..0e2302127a8c7 100644 --- a/x-pack/solutions/security/packages/test-api-clients/supertest/lists.gen.ts +++ b/x-pack/solutions/security/packages/test-api-clients/supertest/lists.gen.ts 
@@ -53,8 +53,14 @@ const securitySolutionApiServiceFactory = (supertest: SuperTest.Agent) => ({ .send(props.body as object); }, /** - * Create `.lists` and `.items` data streams in the relevant space. - */ + * **DEPRECATED.** `deprecated: true` is set on this operation. Value list backing data streams for the space +are now created as part of supported workflows; calling this explicitly is rarely required. +**WARNING:** Do not use for new integrations. Prefer the UI or the list and list-item APIs after confirming +indices exist with `GET /api/lists/index`. + +Creates the `.lists` and `.items` data streams in the current Kibana space. + + */ createListIndex(kibanaSpace: string = 'default') { return supertest .post(getRouteUrlForSpace('/api/lists/index', kibanaSpace)) @@ -214,6 +220,12 @@ You can import items to a new or existing list. .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana') .query(props.query); }, + /** + * Returns the caller's authentication state and the Elasticsearch `cluster`, `index`, and `application` +privileges for `.lists` and `.items` data streams in the current Kibana space. Use this to decide which list +APIs (`read` vs `all` operations) are available before you create or import lists. + + */ readListPrivileges(kibanaSpace: string = 'default') { return supertest .get(getRouteUrlForSpace('/api/lists/privileges', kibanaSpace)) From faf83600115395b9dd404146f110a5ebaac4d92d Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Fri, 24 Apr 2026 13:56:22 +0000 Subject: [PATCH 13/14] Changes from make api-docs --- oas_docs/output/kibana.serverless.yaml | 5 +---- oas_docs/output/kibana.yaml | 5 +---- 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml index 2b033128383f7..4dc7c1195c981 100644 --- a/oas_docs/output/kibana.serverless.yaml +++ b/oas_docs/output/kibana.serverless.yaml 
@@ -59116,9 +59116,6 @@ paths: id: pd1WRJQBs4HAK3VQeHFI value: 255.255.255.255 schema: - example: - id: pd1WRJQBs4HAK3VQeHFI - value: 255.255.255.255 type: object properties: _version: @@ -59942,7 +59939,7 @@ paths: content: application/json: examples: - notFound: + conflict: value: message: List with the specified list_id does not exist, create the list or fix list_id to import to an existing one status_code: 409 diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index 6b51a72591ba9..6061d275ea5db 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml @@ -62377,9 +62377,6 @@ paths: id: pd1WRJQBs4HAK3VQeHFI value: 255.255.255.255 schema: - example: - id: pd1WRJQBs4HAK3VQeHFI - value: 255.255.255.255 type: object properties: _version: @@ -63203,7 +63200,7 @@ paths: content: application/json: examples: - notFound: + conflict: value: message: List with the specified list_id does not exist, create the list or fix list_id to import to an existing one status_code: 409 From d89977017a41fe5ffab8fa26686db0289ff8a3bd Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Fri, 24 Apr 2026 16:10:55 +0000 Subject: [PATCH 14/14] Changes from capture_oas_snapshot.sh --- .../private/kbn-validate-oas/src/oas_error_baseline.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/platform/packages/private/kbn-validate-oas/src/oas_error_baseline.json b/src/platform/packages/private/kbn-validate-oas/src/oas_error_baseline.json index 1972ba8064e5a..866f5614217f0 100644 --- a/src/platform/packages/private/kbn-validate-oas/src/oas_error_baseline.json +++ b/src/platform/packages/private/kbn-validate-oas/src/oas_error_baseline.json @@ -1,4 +1,4 @@ { - "./oas_docs/output/kibana.yaml": 554, - "./oas_docs/output/kibana.serverless.yaml": 519 + "./oas_docs/output/kibana.yaml": 462, + "./oas_docs/output/kibana.serverless.yaml": 455 } \ No newline at end of file